Changes not being detected when key_access_justifications_policy block is removed from google_kms_crypto_key resource #19639
Comments
The field was added in GoogleCloudPlatform/magic-modules#10792, I'd like to get the Terraform team's input on this because we probably need to tweak something in the yaml definition? My first two blind guesses of what could be causing this are:

Hi @kieras! Could you please share your resource configuration here to replicate this issue?

Hi @ggtisc! Sure, you can find the complete code here: https://github.com/kieras/aw-bugreport. The resource is defined in this file: assured-workloads/kms.tf

```hcl
resource "google_kms_crypto_key" "hsm_encrypt_decrypt" {
  # TODO: As soon as it supports the "key_access_justifications_policy" field, let's use the "production" provider and the Terraform Google KMS module to create the key.
  provider = google-beta
  name     = "${var.aw_base_id}-encrypt-decrypt-key-${local.default_suffix}"
  key_ring = "projects/${local.encryption_keys_project_id}/locations/${var.aw_location}/keyRings/${local.keyring_id}"
  purpose  = "ENCRYPT_DECRYPT"
  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "HSM"
  }
  lifecycle {
    prevent_destroy = false
  }
  dynamic "key_access_justifications_policy" {
    for_each = var.cryptokey_allowed_access_reasons == null ? [] : ["1"]
    content {
      allowed_access_reasons = sort(var.cryptokey_allowed_access_reasons)
    }
  }
  depends_on = [google_assured_workloads_workload.primary]
}
```

Thank you for your support, and let me know if you need anything else.

Hi @kieras! I detect the same issue with the In the code of this resource you are depending on the same resource itself on the
In other words the

You could also change the use of

Hi @ggtisc! I have updated/simplified the code, remaining only the essential parts to investigate the issue: Terraform Configuration Debug Output The issue persisted. The removal of the

Community Note
Terraform Version & Provider Version(s)
Terraform v1.9.1
on darwin_amd64
provider registry.terraform.io/hashicorp/google v6.4.0
provider registry.terraform.io/hashicorp/google-beta v6.4.0
provider registry.terraform.io/hashicorp/null v3.2.3
provider registry.terraform.io/hashicorp/random v3.6.3
Your version of Terraform is out of date! The latest version
is 1.9.5. You can update by downloading from https://www.terraform.io/downloads.html
Affected Resource(s)
google_kms_crypto_key
Terraform Configuration
https://github.com/kieras/aw-bugreport
Debug Output
https://gist.github.com/kieras/56120c4f54fb7f5a7593a6cec5d24064
Expected Behavior
Terraform should detect that the key_access_justifications_policy block was removed from the state.
Actual Behavior
Terraform says there's no change when you remove the key_access_justifications_policy block from the code, and it has previously added this block (values are present in the state).
Steps to reproduce
1. examples/assured-workloads-example/main.tf file.
2. terraform apply (in folder examples/assured-workloads-example)
3. key_access_justifications_policy block (lines 35, 36 and 37) from 'assured-workloads/kms.tf' file.
4. terraform apply (terraform says there's no changes, but should have detected the removal of the key_access_justifications_policy block)
5. terraform state show module.assured_workloads.google_kms_crypto_key.hsm_encrypt_decrypt (shows the key_access_justifications_policy is still in the state - it was not detected as a change and removed, this is the issue)
Important Factoids
No response
References
Not exactly related, but impact the same resource block (key_access_justifications_policy): #19638
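
A check that complements the last reproduction step, added here as an example and not part of the original issue or the reporter's repository: it walks the JSON produced by `terraform show -json` and lists every google_kms_crypto_key that still carries a key_access_justifications_policy in state although its configuration no longer declares one. The sample state and the `declared_in_config` parameter are constructed for illustration.

```python
import json

# Constructed sample in the layout of `terraform show -json` output
# (illustrative values, not captured from the reporter's project).
SAMPLE_STATE = json.loads("""
{"values": {"root_module": {"resources": [], "child_modules": [{
  "address": "module.assured_workloads",
  "resources": [{
    "address": "module.assured_workloads.google_kms_crypto_key.hsm_encrypt_decrypt",
    "type": "google_kms_crypto_key",
    "values": {
      "purpose": "ENCRYPT_DECRYPT",
      "key_access_justifications_policy": [
        {"allowed_access_reasons": ["CUSTOMER_INITIATED_ACCESS"]}
      ]
    }
  }]
}]}}}
""")


def kaj_policies_in_state(state):
    """Map each google_kms_crypto_key address to the access reasons held in state."""
    found = {}
    stack = [state.get("values", {}).get("root_module", {})]
    while stack:  # walk the root module and every nested child module
        module = stack.pop()
        stack.extend(module.get("child_modules", []))
        for res in module.get("resources", []):
            if res.get("type") != "google_kms_crypto_key":
                continue
            # Nested blocks appear as a list of objects; absent or empty means no policy.
            blocks = res.get("values", {}).get("key_access_justifications_policy") or []
            if blocks:
                found[res["address"]] = sorted(
                    r for b in blocks for r in (b.get("allowed_access_reasons") or []))
    return found


def stale_policies(state, declared_in_config):
    """Policies still in state for keys whose configuration no longer declares the block."""
    return {addr: reasons for addr, reasons in kaj_policies_in_state(state).items()
            if addr not in declared_in_config}


if __name__ == "__main__":
    # Empty set: the block was removed from every key's configuration.
    for addr, reasons in stale_policies(SAMPLE_STATE, set()).items():
        print(f"{addr}: policy still in state, allowed_access_reasons={reasons}")
```

To run it against a real workspace, save the output of `terraform show -json` to a file and pass the parsed JSON in place of `SAMPLE_STATE`.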