
I am managing kms keys and key rings with gcp terraform provider

# Key ring: a container for keys; Cloud KMS key rings cannot be deleted.
resource "google_kms_key_ring" "vault" {
  name     = "vault"
  location = "global"
}

# Crypto key inside the ring; the key itself cannot be deleted either,
# only its versions can be destroyed.
resource "google_kms_crypto_key" "vault_init" {
  name            = "vault"
  key_ring        = google_kms_key_ring.vault.self_link # the ring's id also works here
  rotation_period = "100000s" # automatic rotation interval in seconds (~27.8 hours)
}

When I ran this for the first time, I was able to create the keys and key rings successfully, and doing a terraform destroy allowed the terraform code to execute successfully without any errors.

The next time I do a terraform apply, I just use terraform import to import the resources from GCP and the code execution works fine.

But after a while, key version 1 was destroyed. Now every time I do a terraform destroy, I get the below error

module.cluster_vault.google_kms_crypto_key.vault_init: Destroying... [id=projects/<MY-PROJECT>/locations/global/keyRings/vault/cryptoKeys/vault]

Error: googleapi: Error 400: The request cannot be fulfilled. Resource projects/<MY-PROJECT>/locations/global/keyRings/vault/cryptoKeys/vault/cryptoKeyVersions/1 has value DESTROYED in field crypto_key_version.state., failedPrecondition

Is there a way to suppress this particular error? Key versions 1-3 are destroyed.

Jason Stanley

1 Answer

At present, Cloud KMS resources cannot be deleted. This is against Terraform's desired behavior to be able to completely destroy and re-create resources. You will need to use a different key name or key ring name to proceed.

sethvargo
  • I am aware of that. My question is: is there a way to suppress this error? Or do I need to do a `terraform state rm` before every `terraform destroy` if I want the code to run successfully? – Jason Stanley May 04 '20 at 15:35
  • You need to remove it from the state. It's not currently possible to ignore resources during destroy: https://github.com/hashicorp/terraform/issues/23547 – sethvargo May 04 '20 at 15:52
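The workflow from the comments above (drop the Cloud KMS resources from state, then destroy, and import them again after the next apply), written out as a small POSIX shell helper. This is an added example, not code from the question, the answer, or the Terraform provider. The resource addresses and the `PROJECT` placeholder are assumptions matching the question's module layout; the `terraform` commands used (`state list`, `state rm`, `destroy`, `import`) are standard CLI subcommands. Removing a resource from state makes no API call, so the key material in GCP is untouched and any ciphertext encrypted under the surviving versions stays recoverable.

```shell
#!/bin/sh
# Added example: work around "cannot destroy a KMS key" by forgetting the key
# ring and crypto key in Terraform state before running `terraform destroy`.
# Addresses and the PROJECT placeholder are assumptions, not values from the page.

# kms_addresses: read `terraform state list` output on stdin and keep only
# google_kms_key_ring and google_kms_crypto_key resources, including those
# nested in modules and those with an index key such as app["db"].
# IAM bindings (google_kms_crypto_key_iam_member etc.) are deliberately not
# matched: they can be destroyed normally, so they stay in state.
kms_addresses() {
  grep -E '(^|\.)google_kms_(key_ring|crypto_key)\.[A-Za-z0-9_-]+(\[.*\])?$' || true
}

# forget_kms_then_destroy: remove every KMS key ring / crypto key from state
# (no GCP API call, nothing is destroyed in KMS), then destroy the rest.
# Extra arguments (e.g. -auto-approve) are passed through to `terraform destroy`.
forget_kms_then_destroy() {
  terraform state list | kms_addresses | while IFS= read -r addr; do
    terraform state rm "$addr"
  done
  terraform destroy "$@"
}

# reimport_kms: after the next `terraform apply` re-creates the rest of the
# stack, bring the still-existing KMS resources back under management.
# PROJECT must be set by the caller (placeholder for the real project id).
reimport_kms() {
  ring="projects/${PROJECT:?set PROJECT}/locations/global/keyRings/vault"
  terraform import module.cluster_vault.google_kms_key_ring.vault "$ring"
  terraform import module.cluster_vault.google_kms_crypto_key.vault_init "$ring/cryptoKeys/vault"
}

# Usage (in the Terraform working directory):
#   . ./kms_destroy_helper.sh
#   forget_kms_then_destroy -auto-approve
#   terraform apply && PROJECT=my-project reimport_kms
```

Because `terraform state rm` only edits the local/remote state file, the helper never tries to destroy key versions, which is what triggers the `failedPrecondition` error once a version is already in state `DESTROYED`. Keep in mind that re-importing a crypto key whose old versions are destroyed will not bring those versions back; only the key's current primary version is usable.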