
I created some crypto keys manually and now wanted to import them into the Terraform state so that they are managed by Terraform, which I did using the following command, which completes successfully:

$ terraform import google_kms_crypto_key.some-key some-gcp-project-id/us/some-keyring/some-key
google_kms_crypto_key.some-key: Refreshing state... [id=projects/some-gcp-project-id/locations/us/keyRings/some-keyring/cryptoKeys/some-key]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

Even after the import, on doing terraform apply I am still getting a "resource already exists" error:

Error: Error creating CryptoKey: googleapi: Error 409: CryptoKey projects/some-gcp-project-id/locations/us/keyRings/some-keyring/cryptoKeys/some-key already exists.

Since this resource has been imported, I believe I shouldn't be getting this "Error 409". In the terraform plan steps, it first destroys the existing key contents and then tries to re-create the key, which leads to an error since the key already exists. Since I have already imported the key, I do not want Terraform to destroy the key. Why is Terraform trying to destroy a key which has already been imported?

This is the relevant part of the terraform plan output:

  # google_kms_crypto_key.some-key[1] will be destroyed
  - resource "google_kms_crypto_key" "some-key" {
      - destroy_scheduled_duration    = "86400s" -> null
      - id                            = "projects/some-gcp-project-id/locations/us/keyRings/some-keyring/cryptoKeys/some-key" -> null
      - import_only                   = false -> null
      - key_ring                      = "projects/some-gcp-project-id/locations/us/keyRings/some-keyring" -> null
      - labels                        = {} -> null
      - name                          = "some-key" -> null
      - purpose                       = "ENCRYPT_DECRYPT" -> null
      - rotation_period               = "2592000s" -> null
      - skip_initial_version_creation = false -> null

      - timeouts {}

      - version_template {
          - algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION" -> null
          - protection_level = "SOFTWARE" -> null
        }
    }

  # google_kms_crypto_key.some-key["some-key"] will be created
  + resource "google_kms_crypto_key" "some-key" {
      + destroy_scheduled_duration = (known after apply)
      + id                         = (known after apply)
      + import_only                = (known after apply)
      + key_ring                   = "projects/some-gcp-project-id/locations/us/keyRings/some-keyring"
      + name                       = "some-key"
      + purpose                    = "ENCRYPT_DECRYPT"
      + rotation_period            = "2592000s"

      + version_template {
          + algorithm        = (known after apply)
          + protection_level = (known after apply)
        }
    }
  • We need to see the plan output. – Matthew Schuchard Jan 04 '23 at 12:04
  • I figured it out. I was using for_each to generate multiple keys; the parameter is `name = each.value`. The problem was that the key_id was printed as `known after apply`. Because of this Terraform cannot determine whether the key exists or not (since it cannot compute key_id before apply). So Terraform tries to destroy the key contents first, and then re-create the key, which leads to the error. Any way to get around this? To resolve this I think we would need `each.value` to be computed before apply (we don't want `known after apply`). – Tarun Gupta Jan 04 '23 at 14:05
  • Also updated the plan output – Tarun Gupta Jan 04 '23 at 14:30
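The plan output posted above shows the imported instance at the address `google_kms_crypto_key.some-key[1]` and the instance the configuration wants at `google_kms_crypto_key.some-key["some-key"]`; Terraform treats two addresses with different index keys as two different objects, so it plans a destroy of one and a create of the other regardless of whether the underlying key exists. The configuration below is an added illustration, not the asker's code, of how to keep a for_each-managed KMS key at a known address and map an existing state entry onto it without destroying anything. The project id, location, key ring and key name are taken from the question; the literal key set, the `version_template` values and the `prevent_destroy` guard are assumptions for the example.

```hcl
# Added example (not from the question). Names come from the posted plan output;
# the local set, lifecycle block and moved block are assumptions for illustration.

locals {
  # A literal set keeps every for_each key known at plan time, so each instance
  # gets a stable address such as google_kms_crypto_key.some-key["some-key"].
  kms_keys = toset(["some-key"])
}

resource "google_kms_crypto_key" "some-key" {
  for_each = local.kms_keys

  name            = each.value
  key_ring        = "projects/some-gcp-project-id/locations/us/keyRings/some-keyring"
  purpose         = "ENCRYPT_DECRYPT"
  rotation_period = "2592000s"

  # Pinning the template avoids "(known after apply)" diffs on algorithm and
  # protection level after the key is imported.
  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "SOFTWARE"
  }

  lifecycle {
    # Material encrypted under this key is unrecoverable once the scheduled
    # destruction completes; make any plan that would destroy the key fail
    # instead of silently proceeding.
    prevent_destroy = true
  }
}

# Map the state entry the plan shows as [1] onto the for_each address, so the
# next plan reports a move rather than a destroy/create pair. The equivalent
# one-off command is:
#   terraform state mv 'google_kms_crypto_key.some-key[1]' 'google_kms_crypto_key.some-key["some-key"]'
# When importing directly into a for_each resource, include the key in the
# address, e.g.:
#   terraform import 'google_kms_crypto_key.some-key["some-key"]' \
#     projects/some-gcp-project-id/locations/us/keyRings/some-keyring/cryptoKeys/some-key
moved {
  from = google_kms_crypto_key.some-key[1]
  to   = google_kms_crypto_key.some-key["some-key"]
}
```

After the `moved` block (or the `terraform state mv`) is in place, `terraform plan` should show the existing key at its new address with no destroy action; the `prevent_destroy` guard is there so that a future address change or a removed map entry surfaces as a plan error rather than as a scheduled key destruction.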

0 Answers