
Pub/Sub Topic CMEK/KMS support #1982

Merged
merged 4 commits into from
Jul 2, 2019

Conversation

drebes
Member

@drebes drebes commented Jun 25, 2019

Release Note for Downstream PRs (will be copied)

pubsub: `google_pubsub_topic` support for `kms_key_name` for customer-managed encryption keys (KMS)

@drebes
Member Author

drebes commented Jun 25, 2019

Acceptance test is currently failing:

$ make testacc TEST=./google TESTARGS='-run=TestAccPubsubTopic_cmek' 
==> Checking source code against gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 TF_SCHEMA_PANIC_ON_ERROR=1 go test ./google -v -run=TestAccPubsubTopic_cmek -timeout 240m -ldflags="-X=github.com/terraform-providers/terraform-provider-google/version.ProviderVersion=acc"
=== RUN   TestAccPubsubTopic_cmek
=== PAUSE TestAccPubsubTopic_cmek
=== CONT  TestAccPubsubTopic_cmek
--- FAIL: TestAccPubsubTopic_cmek (60.39s)
    testing.go:568: Step 0 error: errors during apply:
        
        Error: Error creating Topic: googleapi: Error 400: The topic projects/terraform-nvu1vl4xx1/topics/tf-test-99unm4hfsf cannot be created or updated due to an organization policy specified at the project or organization level. The organization policy does not allow message storage in any GCP region where Cloud Pub/Sub is present. The organization policy may be updated by your project or organization administrator. See https://console.cloud.google.com/iam-admin/orgpolicies/gcp-resourceLocations?project=terraform-nvu1vl4xx1. If the topic's project was recently created, you may need to wait a few minutes for the project's organization policy to be properly initialized, and then retry this operation.
        
          on /var/folders/zp/nbv834pd1dz433q33085ldv80000gp/T/tf-test111227742/main.tf line 35:
          (source code not available)
        
        
FAIL
FAIL	github.com/terraform-providers/terraform-provider-google/google	60.440s
make: *** [testacc] Error 1

I confirm that this is related to the project being created too recently and the gcp-resourceLocations message is unrelated: attempting to create the Topic with a KMS CryptoKey project after a couple of minutes succeeds. I'm not sure how to force a delay in the acceptance tests.

@modular-magician
Collaborator

Hi! I'm the modular magician, I work on Magic Modules.
This PR seems not to have generated downstream PRs before, as of 28d7d07.

Pull request statuses

New Pull Requests

I built this PR into one or more new PRs on other repositories, and when those are closed, this PR will also be merged and closed.
depends: hashicorp/terraform-provider-google-beta#894
depends: GoogleCloudPlatform/terraform-google-conversion#119
depends: hashicorp/terraform-provider-google#3925
depends: modular-magician/ansible#291
depends: modular-magician/inspec-gcp#168

@drebes
Member Author

drebes commented Jun 26, 2019

Acceptance pass now:

$ make testacc TEST=./google TESTARGS='-run=TestAccPubsubTopic_cmek' 
==> Checking source code against gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 TF_SCHEMA_PANIC_ON_ERROR=1 go test ./google -v -run=TestAccPubsubTopic_cmek -timeout 240m -ldflags="-X=github.com/terraform-providers/terraform-provider-google/version.ProviderVersion=acc"
=== RUN   TestAccPubsubTopic_cmek
=== PAUSE TestAccPubsubTopic_cmek
=== CONT  TestAccPubsubTopic_cmek
[...]
--- PASS: TestAccPubsubTopic_cmek (16.60s)
PASS
ok  	github.com/terraform-providers/terraform-provider-google/google	16.634s

@modular-magician
Collaborator

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, 0132d70.

Pull request statuses

terraform-provider-google-beta already has an open PR.
terraform-google-conversion already has an open PR.
terraform-provider-google already has an open PR.
Ansible already has an open PR.
InSpec already has an open PR.

New Pull Requests

I didn't open any new pull requests because of this PR.

Member

@rileykarson rileykarson left a comment


I got a test failure in CI because of a required permission on the project's PubSub service account. For the test, wdyt about requiring it be preconfigured?

project_id = "%s"
}
resource "google_project_iam_member" "kms-project-binding" {
Member


As-is, there's a race condition between the topic and this permission. While we could add this dependency with depends_on, I'd rather remove it altogether and just rely on the user having configured it in their project. Alternatively, we could add the permission during the kmsKeyBootstrap function but that isn't necessary.

Member Author


Since I create projects specifically for the acceptance test to not leave the KMS keys behind, I would prefer to leave the dependency in. I just pushed a change that adds an implicit dependency making the topic project be the IAM member binding, which seems to address the race condition for me. Can we keep this, or does it still trigger the race condition for you (due to the IAM change propagation)?

Member


Our CI system is a single project so there's a risk of a race condition here, but I don't think the risk is enough to block on. It'll be resolved on next run anyways, so if we actually encounter this flake we can resolve the issue.
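As an added example (not the PR's test fixture or the provider's own code), the shape the review thread settles on: the topic project's Pub/Sub service agent is granted roles/cloudkms.cryptoKeyEncrypterDecrypter through google_project_iam_member, and the topic takes its project from that binding so Terraform applies the grant before creating the topic. Project ids, key ring, key and topic names, and the location are placeholders; Terraform 0.12 syntax is assumed.

```hcl
# Placeholder inputs: the project that will own the topic and the project
# that owns the KMS key (they may be the same project).
variable "topic_project_id" {}
variable "kms_project_id" {}

# Needed for the project *number*, which appears in the service agent's email.
data "google_project" "topic" {
  project_id = var.topic_project_id
}

resource "google_kms_key_ring" "ring" {
  project  = var.kms_project_id
  name     = "pubsub-cmek-ring" # assumed name
  location = "us-central1"      # assumed location
}

resource "google_kms_crypto_key" "key" {
  name     = "pubsub-cmek-key" # assumed name
  key_ring = google_kms_key_ring.ring.id
}

# The Pub/Sub service agent of the topic project must be able to use the key,
# otherwise topic creation is rejected with a 400. This mirrors the PR's
# project-level binding; a key-scoped google_kms_crypto_key_iam_member on
# google_kms_crypto_key.key.id is the tighter alternative.
resource "google_project_iam_member" "kms-project-binding" {
  project = var.topic_project_id
  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member  = "serviceAccount:service-${data.google_project.topic.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
}

resource "google_pubsub_topic" "cmek" {
  # Reading `project` from the binding creates an implicit dependency, so the
  # IAM member is applied before the topic without a depends_on block.
  # IAM changes are eventually consistent, so a short propagation race remains,
  # as the thread notes; a retry on the next apply resolves it.
  project      = google_project_iam_member.kms-project-binding.project
  name         = "cmek-topic" # assumed name
  kms_key_name = google_kms_crypto_key.key.id
}
```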

@@ -40,6 +40,29 @@ func TestAccPubsubTopic_update(t *testing.T) {
})
}

func TestAccPubsubTopic_cmek(t *testing.T) {
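Review bot: the hunk header reports 23 added lines for TestAccPubsubTopic_cmek but only the function signature is visible here, and nothing at this point records that the test can only pass when the project's Pub/Sub service account holds roles/cloudkms.cryptoKeyEncrypterDecrypter, as the review thread establishes; put that prerequisite in a doc comment directly above `func TestAccPubsubTopic_cmek(t *testing.T) {` so a 400 from topic creation is traceable to a missing grant rather than to the code under test.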
Member


Suggested change
func TestAccPubsubTopic_cmek(t *testing.T) {
// This test requires your project's PubSub service account (service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com)
// to have `roles/cloudkms.cryptoKeyEncrypterDecrypter`.
func TestAccPubsubTopic_cmek(t *testing.T) {

@modular-magician
Collaborator

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, 0f5b697.

Pull request statuses

terraform-provider-google-beta already has an open PR.
terraform-google-conversion already has an open PR.
terraform-provider-google already has an open PR.
Ansible already has an open PR.
InSpec already has an open PR.

New Pull Requests

I didn't open any new pull requests because of this PR.

@modular-magician
Collaborator

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, 17cf443.

Pull request statuses

terraform-provider-google-beta already has an open PR.
terraform-google-conversion already has an open PR.
terraform-provider-google already has an open PR.
Ansible already has an open PR.
InSpec already has an open PR.

New Pull Requests

I didn't open any new pull requests because of this PR.

Member

@rileykarson rileykarson left a comment


Thanks @drebes!


@modular-magician modular-magician merged commit cd0c3ca into GoogleCloudPlatform:master Jul 2, 2019
@drebes drebes deleted the pubsub-cmek branch July 19, 2019 20:31