
Changes not being detected when key_access_justifications_policy block is removed from google_kms_crypto_key resource #19639

Open
kieras opened this issue Sep 26, 2024 · 6 comments
Assignees
Labels: bug, forward/review (In review; remove label to forward), service/cloudkms

Comments

@kieras

kieras commented Sep 26, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.9.1
on darwin_amd64

provider registry.terraform.io/hashicorp/google v6.4.0
provider registry.terraform.io/hashicorp/google-beta v6.4.0
provider registry.terraform.io/hashicorp/null v3.2.3
provider registry.terraform.io/hashicorp/random v3.6.3

Your version of Terraform is out of date! The latest version
is 1.9.5. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

google_kms_crypto_key

Terraform Configuration

https://github.com/kieras/aw-bugreport

Debug Output

https://gist.github.com/kieras/56120c4f54fb7f5a7593a6cec5d24064

Expected Behavior

Terraform should detect that the key_access_justifications_policy block was removed from the state.

Actual Behavior

Terraform says there's no change when you remove the key_access_justifications_policy block from the code, and it has previously added this block (values are present in the state).

Steps to reproduce

  1. Uncomment line 27 of examples/assured-workloads-example/main.tf file.
  2. terraform apply (in folder examples/assured-workloads-example)
  3. Comment key_access_justifications_policy block (lines 35, 36 and 37) from 'assured-workloads/kms.tf' file.
  4. terraform apply (terraform says there's no changes, but should have detected the removal of the key_access_justifications_policy block)
  5. terraform state show module.assured_workloads.google_kms_crypto_key.hsm_encrypt_decrypt (shows the key_access_justifications_policy is still in the state - it was not detected as a change and removed, this is the issue)

Important Factoids

No response

References

Not exactly related, but impacts the same resource block (key_access_justifications_policy): #19638

@kieras kieras added the bug label Sep 26, 2024
@github-actions github-actions bot added the forward/review (In review; remove label to forward) and service/cloudkms labels Sep 26, 2024
@tdbhacks

tdbhacks commented Oct 1, 2024

The field was added in GoogleCloudPlatform/magic-modules#10792, I'd like to get the Terraform team's input on this because we probably need to tweak something in the yaml definition?

My first two blind guesses of what could be causing this are:

  1. update_mask_fields being set, based on document usage of update_mask and update_mask_fields #12440
  2. maybe we need to set send_empty_value? this sounds like the more likely issue to me
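The following is an added illustration, not provider or magic-modules code: a toy model of the updateMask behaviour suspected above (and of the "no change detected, policy still in state" symptom from the original report). It assumes a PATCH-style update where only fields listed in the mask change; the field name mirrors the KMS API attribute and the sample access reason is a constructed placeholder.

```python
# Added example (not provider code): toy model of update-mask handling for a
# removed nested block. Field names mirror this issue; the sample access
# reason is a constructed placeholder value.
from typing import Any, Optional

KAJ = "keyAccessJustificationsPolicy"

# Constructed: the key as currently stored (policy present) and the new
# config after the key_access_justifications_policy block was removed.
REMOTE_KEY = {"purpose": "ENCRYPT_DECRYPT",
              KAJ: {"allowedAccessReasons": ["CUSTOMER_INITIATED_SUPPORT"]}}
NEW_CONFIG = {"purpose": "ENCRYPT_DECRYPT"}


def build_patch(old: dict, new: dict, send_empty_value: bool) -> tuple[list[str], dict]:
    """Compute (updateMask, body) for a PATCH taking `old` to `new`.

    With send_empty_value=False a field that is absent from `new` is skipped,
    so it never enters the mask and the server keeps its previous value.
    That is the symptom reported here: empty diff, policy still in state.
    """
    mask: list[str] = []
    body: dict[str, Any] = {}
    for field in sorted(set(old) | set(new)):
        if field in new:
            if new[field] != old.get(field):
                mask.append(field)
                body[field] = new[field]
        elif send_empty_value:
            mask.append(field)          # explicitly clear the field server-side
            body[field] = None
    return mask, body


def apply_patch(remote: dict, mask: list[str], body: dict) -> dict:
    """Apply updateMask semantics: only masked fields change; None clears."""
    result = dict(remote)
    for field in mask:
        if body.get(field) is None:
            result.pop(field, None)
        else:
            result[field] = body[field]
    return result


def policy_after_update(send_empty_value: bool) -> Optional[dict]:
    """Return the KAJ policy the key still carries after applying the removal."""
    mask, body = build_patch(REMOTE_KEY, NEW_CONFIG, send_empty_value)
    return apply_patch(REMOTE_KEY, mask, body).get(KAJ)


if __name__ == "__main__":
    print("skipped field:", policy_after_update(False))   # policy silently kept
    print("empty value sent:", policy_after_update(True))  # policy cleared
```

The security-relevant consequence is drift: the configuration no longer declares the policy, yet the key keeps enforcing the old allowed_access_reasons, so reviewing `terraform state show` against the live key is the check to run until the provider clears the field.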

@ggtisc ggtisc self-assigned this Oct 2, 2024
@ggtisc
Collaborator

ggtisc commented Oct 2, 2024

Hi @kieras!

Could you please share your resource configuration here to replicate this issue?

@kieras
Author

kieras commented Oct 3, 2024

Hi @ggtisc! Sure, you can find the complete code here: https://github.com/kieras/aw-bugreport. The resource is defined in this file: assured-workloads/kms.tf

resource "google_kms_crypto_key" "hsm_encrypt_decrypt" {
  # TODO: As soon as it supports the "key_access_justifications_policy" field, let's use the "production" provider and the Terraform Google KMS module to create the key.
  provider = google-beta

  name     = "${var.aw_base_id}-encrypt-decrypt-key-${local.default_suffix}"
  key_ring = "projects/${local.encryption_keys_project_id}/locations/${var.aw_location}/keyRings/${local.keyring_id}"

  purpose = "ENCRYPT_DECRYPT"

  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "HSM"
  }

  lifecycle {
    prevent_destroy = false
  }

  dynamic "key_access_justifications_policy" {
    for_each = var.cryptokey_allowed_access_reasons == null ? [] : ["1"]
    content {
      allowed_access_reasons = sort(var.cryptokey_allowed_access_reasons)
    }
  }

  depends_on = [google_assured_workloads_workload.primary]
}

Thank you for your support, and let me know if you need anything else.

@ggtisc
Collaborator

ggtisc commented Oct 3, 2024

Hi @kieras!

I detect the same issue with the google_assured_workloads_workload.

In the code of this resource you are depending on the same resource itself on the depends_on block:

resource "google_assured_workloads_workload" "primary" {
  provider = google-beta

  compliance_regime = var.aw_compliance_regime
  display_name      = local.aw_folder_name
  location          = var.aw_location
  organization      = var.org_id
  billing_account   = "billingAccounts/${var.billing_account}"

  provisioned_resources_parent = "folders/${var.folder_id}"

  resource_settings {
    resource_type = "CONSUMER_FOLDER"
    display_name  = local.aw_folder_name
  }

  resource_settings {
    resource_type = "ENCRYPTION_KEYS_PROJECT"
    resource_id   = local.encryption_keys_project_id
  }
  resource_settings {
    resource_type = "KEYRING"
    resource_id   = local.keyring_id
  }
}

data "google_folder_organization_policy" "aw_policy_restrict_service_usage_current" {
  folder     = "folders/${local.aw_consumer_folder_id}"
  constraint = "constraints/gcp.restrictServiceUsage"
}

module "org-policy" {
  source  = "terraform-google-modules/org-policy/google"
  version = "~> 5.3"

  constraint       = "constraints/gcp.restrictServiceUsage"
  policy_type      = "list"
  policy_for       = "folder"
  folder_id        = local.aw_consumer_folder_id
  enforce          = null
  exclude_folders  = []
  exclude_projects = []

  allow             = setunion(local.current_allowed_restricted_services, var.new_allowed_restricted_services)
  allow_list_length = 1

  depends_on = [google_assured_workloads_workload.primary]
}

In other words the google_assured_workloads_workload is depending on itself in this line:

depends_on = [google_assured_workloads_workload.primary]

@ggtisc
Collaborator

ggtisc commented Oct 3, 2024

You could also replace null with [] in the cryptokey_allowed_access_reasons variable, like this:

variable "cryptokey_allowed_access_reasons" {
  description = "The list of allowed reasons for access to this CryptoKey. You can check the supported values in https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes."
  type        = list(string)
  default     = []
}

@kieras
Author

kieras commented Oct 4, 2024

Hi @ggtisc! I have updated and simplified the code, keeping only the parts essential to investigating the issue:

Terraform Configuration
https://github.com/kieras/aw-bugreport

Debug Output
https://gist.github.com/kieras/56120c4f54fb7f5a7593a6cec5d24064

The issue persisted. The removal of the key_access_justifications_policy block from the code was not detected as a change in the resource.
