Add skip_initial_version_creation to kms crypto key #3907

Merged
Changes from 4 commits
10 changes: 9 additions & 1 deletion products/kms/api.yaml
Expand Up @@ -65,7 +65,7 @@ objects:
- !ruby/object:Api::Resource
name: 'CryptoKey'
base_url: '{{key_ring}}/cryptoKeys'
create_url: '{{key_ring}}/cryptoKeys?cryptoKeyId={{name}}'
create_url: '{{key_ring}}/cryptoKeys?cryptoKeyId={{name}}&skipInitialVersionCreation={{skipInitialVersionCreation}}'
upodroid marked this conversation as resolved.
self_link: '{{key_ring}}/cryptoKeys/{{name}}'
update_verb: :PATCH
update_mask: true
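Review bot: In `create_url`, the new query parameter is filled from `{{skipInitialVersionCreation}}`, which is camelCase, while the other multi-word placeholder on the same line is snake_case (`{{key_ring}}`) and the example added in this PR sets the field as `skip_initial_version_creation`. If the URL template is resolved against the Terraform field names, the camelCase placeholder will not be substituted. Suggest `&skipInitialVersionCreation={{skip_initial_version_creation}}`, and check that the generated create request carries `true` or `false` rather than an empty or literal placeholder value.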
Expand All @@ -80,6 +80,14 @@ objects:
required: true
input: true
url_param_only: true
- !ruby/object:Api::Type::Boolean
name: 'skipInitialVersionCreation'
description: |
If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
You must use the `google_kms_key_ring_import_job` resource to import the CryptoKeyVersion.
default_value: false
input: true
url_param_only: true
properties:
- !ruby/object:Api::Type::String
name: 'name'
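Review bot: The description of `skipInitialVersionCreation` does not say that the parameter is create-only, although it is declared with `input: true` and `url_param_only: true`. The CryptoKey note in terraform.yaml states that destroying a key deletes all CryptoKeyVersions and makes data encrypted with it irrecoverable, so the description should say that the value is only sent when the key is created and cannot be changed on an existing key without replacing it. It should also state that a key created with `true` has no CryptoKeyVersion until one is imported.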
7 changes: 4 additions & 3 deletions products/kms/terraform.yaml
Expand Up @@ -19,7 +19,7 @@ overrides: !ruby/object:Overrides::ResourceOverrides

~> **Note:** KeyRings cannot be deleted from Google Cloud Platform.
Destroying a Terraform-managed KeyRing will remove it from state but
*will not delete the resource on the server.*
*will not delete the resource from the project.*
id_format: "projects/{{project}}/locations/{{location}}/keyRings/{{name}}"
import_format: ["projects/{{project}}/locations/{{location}}/keyRings/{{name}}"]
examples:
Expand Down Expand Up @@ -53,7 +53,7 @@ overrides: !ruby/object:Overrides::ResourceOverrides
~> **Note:** CryptoKeys cannot be deleted from Google Cloud Platform.
Destroying a Terraform-managed CryptoKey will remove it from state
and delete all CryptoKeyVersions, rendering the key unusable, but *will
not delete the resource on the server.* When Terraform destroys these keys,
not delete the resource from the project.* When Terraform destroys these keys,
any data previously encrypted with these keys will be irrecoverable.
For this reason, it is strongly recommended that you add lifecycle hooks
to the resource to prevent accidental destruction.
Expand Down Expand Up @@ -108,7 +108,7 @@ overrides: !ruby/object:Overrides::ResourceOverrides

~> **Note:** KeyRingImportJobs cannot be deleted from Google Cloud Platform.
Destroying a Terraform-managed KeyRingImportJob will remove it from state but
*will not delete the resource on the server.*
*will not delete the resource from the project.*
id_format: "{{name}}"
import_format: ["{{name}}"]
examples:
Expand All @@ -117,6 +117,7 @@ overrides: !ruby/object:Overrides::ResourceOverrides
primary_resource_id: "import-job"
vars:
keyring: "keyring-example"
cryptokey: "cryptokey-example"
skip_test: true
properties:
createTime: !ruby/object:Overrides::Terraform::PropertyOverride
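Review bot: The new `cryptokey` var feeds an example that still has `skip_test: true`, so the added `google_kms_crypto_key` block with `skip_initial_version_creation = true` is never exercised by a generated test. That leaves the new field without coverage in this PR. Suggest adding a dedicated test for a key created with `skip_initial_version_creation = true`, or stating in the PR why the example has to stay skipped.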
2 changes: 1 addition & 1 deletion templates/terraform/custom_delete/kms_crypto_key.erb
Expand Up @@ -7,7 +7,7 @@

log.Printf(`
[WARNING] KMS CryptoKey resources cannot be deleted from GCP. The CryptoKey %s will be removed from Terraform state,
and all its CryptoKeyVersions will be destroyed, but it will still be present on the server.`, cryptoKeyId.cryptoKeyId())
and all its CryptoKeyVersions will be destroyed, but it will still be present in the project.`, cryptoKeyId.cryptoKeyId())

// Delete all versions of the key
if err := clearCryptoKeyVersions(cryptoKeyId, config); err != nil {
6 changes: 6 additions & 0 deletions templates/terraform/examples/kms_key_ring_import_job.tf.erb
Expand Up @@ -3,6 +3,12 @@ resource "google_kms_key_ring" "keyring" {
location = "global"
}

resource "google_kms_crypto_key" "example-key" {
name = "<%= ctx[:vars]['cryptokey'] %>""
key_ring = google_kms_key_ring.keyring.id
skip_initial_version_creation = true
}

resource "google_kms_key_ring_import_job" "<%= ctx[:primary_resource_id] %>" {
key_ring = google_kms_key_ring.keyring.id
import_job_id = "my-import-job"
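Review bot: The `name` line of the new `google_kms_crypto_key` block ends with two double quotes (`name = "<%= ctx[:vars]['cryptokey'] %>""`), which leaves a stray quote after the string in the rendered HCL and makes the example invalid. Drop the extra `"`. Because this example is marked `skip_test: true` in terraform.yaml, no generated test will catch the error.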