diff --git a/.changelog/3907.txt b/.changelog/3907.txt
new file mode 100644
index 00000000000..b70489f4def
--- /dev/null
+++ b/.changelog/3907.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+kms: added `skip_initial_version_creation` to `google_kms_crypto_key`
+```
diff --git a/google/resource_app_engine_service_split_traffic.go b/google/resource_app_engine_service_split_traffic.go
index c35b7090fb2..6df4ea73e86 100644
--- a/google/resource_app_engine_service_split_traffic.go
+++ b/google/resource_app_engine_service_split_traffic.go
@@ -284,8 +284,8 @@ func resourceAppEngineServiceSplitTrafficUpdate(d *schema.ResourceData, meta int
 func resourceAppEngineServiceSplitTrafficDelete(d *schema.ResourceData, meta interface{}) error {
 log.Printf("[WARNING] AppEngine ServiceSplitTraffic resources"+
- " cannot be deleted from GCP. The resource %s will be removed from Terraform"+
- " state, but will still be present on the server.", d.Id())
+ " cannot be deleted from Google Cloud. The resource %s will be removed from Terraform"+
+ " state, but will still be present on Google Cloud.", d.Id())
 d.SetId("")
 return nil
diff --git a/google/resource_big_query_job.go b/google/resource_big_query_job.go
index 87ff297f89a..79716e028af 100644
--- a/google/resource_big_query_job.go
+++ b/google/resource_big_query_job.go
@@ -1032,8 +1032,8 @@ func resourceBigQueryJobRead(d *schema.ResourceData, meta interface{}) error {
 func resourceBigQueryJobDelete(d *schema.ResourceData, meta interface{}) error {
 log.Printf("[WARNING] BigQuery Job resources"+
- " cannot be deleted from GCP. The resource %s will be removed from Terraform"+
- " state, but will still be present on the server.", d.Id())
+ " cannot be deleted from Google Cloud. The resource %s will be removed from Terraform"+
+ " state, but will still be present on Google Cloud.", d.Id())
 d.SetId("")
 return nil
diff --git a/google/resource_compute_network_peering_routes_config.go b/google/resource_compute_network_peering_routes_config.go
index 07f8583af25..888f9020c4e 100644
--- a/google/resource_compute_network_peering_routes_config.go
+++ b/google/resource_compute_network_peering_routes_config.go
@@ -296,8 +296,8 @@ func resourceComputeNetworkPeeringRoutesConfigUpdate(d *schema.ResourceData, met
 func resourceComputeNetworkPeeringRoutesConfigDelete(d *schema.ResourceData, meta interface{}) error {
 log.Printf("[WARNING] Compute NetworkPeeringRoutesConfig resources"+
- " cannot be deleted from GCP. The resource %s will be removed from Terraform"+
- " state, but will still be present on the server.", d.Id())
+ " cannot be deleted from Google Cloud. The resource %s will be removed from Terraform"+
+ " state, but will still be present on Google Cloud.", d.Id())
 d.SetId("")
 return nil
diff --git a/google/resource_iap_brand.go b/google/resource_iap_brand.go
index 4e53cb5090f..d96fc88704d 100644
--- a/google/resource_iap_brand.go
+++ b/google/resource_iap_brand.go
@@ -249,8 +249,8 @@ func resourceIapBrandRead(d *schema.ResourceData, meta interface{}) error {
 func resourceIapBrandDelete(d *schema.ResourceData, meta interface{}) error {
 log.Printf("[WARNING] Iap Brand resources"+
- " cannot be deleted from GCP. The resource %s will be removed from Terraform"+
- " state, but will still be present on the server.", d.Id())
+ " cannot be deleted from Google Cloud. The resource %s will be removed from Terraform"+
+ " state, but will still be present on Google Cloud.", d.Id())
 d.SetId("")
 return nil
diff --git a/google/resource_kms_crypto_key.go b/google/resource_kms_crypto_key.go
index 07d42c76982..7257374d3f7 100644
--- a/google/resource_kms_crypto_key.go
+++ b/google/resource_kms_crypto_key.go
@@ -93,6 +93,14 @@ The first rotation will take place after the specified period. The rotation peri the format of a decimal number with up to 9 fractional digits, followed by the letter 's' (seconds). It must be greater than a day (ie, 86400).`, }, + "skip_initial_version_creation": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + Description: `If set to true, the request will create a CryptoKey without any CryptoKeyVersions. +You must use the 'google_kms_key_ring_import_job' resource to import the CryptoKeyVersion.`, + Default: false, + }, "version_template": { Type: schema.TypeList, Computed: true, @@ -164,7 +172,7 @@ func resourceKMSCryptoKeyCreate(d *schema.ResourceData, meta interface{}) error return err } - url, err := replaceVars(d, config, "{{KMSBasePath}}{{key_ring}}/cryptoKeys?cryptoKeyId={{name}}") + url, err := replaceVars(d, config, "{{KMSBasePath}}{{key_ring}}/cryptoKeys?cryptoKeyId={{name}}&skipInitialVersionCreation={{skip_initial_version_creation}}") if err != nil { return err } @@ -348,7 +356,7 @@ func resourceKMSCryptoKeyDelete(d *schema.ResourceData, meta interface{}) error log.Printf(` [WARNING] KMS CryptoKey resources cannot be deleted from GCP. The CryptoKey %s will be removed from Terraform state, -and all its CryptoKeyVersions will be destroyed, but it will still be present on the server.`, cryptoKeyId.cryptoKeyId()) +and all its CryptoKeyVersions will be destroyed, but it will still be present in the project.`, cryptoKeyId.cryptoKeyId()) // Delete all versions of the key if err := clearCryptoKeyVersions(cryptoKeyId, userAgent, config); err != nil { @@ -384,6 +392,10 @@ func resourceKMSCryptoKeyImport(d *schema.ResourceData, meta interface{}) ([]*sc return nil, fmt.Errorf("Error setting name: %s", err) } + if err := d.Set("skip_initial_version_creation", false); err != nil { + return nil, fmt.Errorf("Error setting skip_initial_version_creation: %s", err) + } + return []*schema.ResourceData{d}, nil } 
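Review bot: In resourceKMSCryptoKeyCreate the new `skipInitialVersionCreation={{skip_initial_version_creation}}` query parameter is filled in by replaceVars, whose handling of a bool that is false or unset is not visible in this hunk. If it substitutes an empty string for the zero value, the default case sends `skipInitialVersionCreation=` rather than `false`, so a test covering both the default and `true` would be worth adding. Alternatively the parameter could be appended explicitly with `strconv.FormatBool(d.Get("skip_initial_version_creation").(bool))`. The function body starts and ends outside the hunk.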
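Review bot: The warning in resourceKMSCryptoKeyDelete still reads `cannot be deleted from GCP` after this change, while the other delete warnings in this commit (AppEngine ServiceSplitTraffic, BigQuery Job, KMS KeyRing and the rest) were reworded to `Google Cloud`. Changing it to `cannot be deleted from Google Cloud` would keep the messages consistent, and it matters most here because this is the warning that announces the destruction of all CryptoKeyVersions. The function body continues outside the hunk.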
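Review bot: resourceKMSCryptoKeyImport records `skip_initial_version_creation` as false for every imported key, and the schema hunk marks the field `ForceNew: true`, so a configuration that sets it to `true` for an imported key will plan a replacement. Per the warning in resourceKMSCryptoKeyDelete, that replacement destroys all CryptoKeyVersions, and the resource docs say data encrypted with them is then irrecoverable. Presumably the value cannot be read back because it is only a create-time query parameter; if so, state that in a comment such as `// Create-only query parameter, not readable from the API; imported keys always record false.` The resource docs should also tell users to leave the argument unset or list it under `lifecycle.ignore_changes` for imported keys. Whether Read populates the field is not visible in this diff.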
diff --git a/google/resource_kms_key_ring.go b/google/resource_kms_key_ring.go
index 11dd952d9a1..977f53ea6c3 100644
--- a/google/resource_kms_key_ring.go
+++ b/google/resource_kms_key_ring.go
@@ -183,8 +183,8 @@ func resourceKMSKeyRingRead(d *schema.ResourceData, meta interface{}) error {
 func resourceKMSKeyRingDelete(d *schema.ResourceData, meta interface{}) error {
 log.Printf("[WARNING] KMS KeyRing resources"+
- " cannot be deleted from GCP. The resource %s will be removed from Terraform"+
- " state, but will still be present on the server.", d.Id())
+ " cannot be deleted from Google Cloud. The resource %s will be removed from Terraform"+
+ " state, but will still be present on Google Cloud.", d.Id())
 d.SetId("")
 return nil
diff --git a/google/resource_kms_secret_ciphertext.go b/google/resource_kms_secret_ciphertext.go
index 81a34d8725e..34830b4a05e 100644
--- a/google/resource_kms_secret_ciphertext.go
+++ b/google/resource_kms_secret_ciphertext.go
@@ -182,8 +182,8 @@ func resourceKMSSecretCiphertextRead(d *schema.ResourceData, meta interface{}) e
 func resourceKMSSecretCiphertextDelete(d *schema.ResourceData, meta interface{}) error {
 log.Printf("[WARNING] KMS SecretCiphertext resources"+
- " cannot be deleted from GCP. The resource %s will be removed from Terraform"+
- " state, but will still be present on the server.", d.Id())
+ " cannot be deleted from Google Cloud. The resource %s will be removed from Terraform"+
+ " state, but will still be present on Google Cloud.", d.Id())
 d.SetId("")
 return nil
diff --git a/google/resource_security_center_source.go b/google/resource_security_center_source.go
index 715b0714e10..2c0ecf7ec06 100644
--- a/google/resource_security_center_source.go
+++ b/google/resource_security_center_source.go
@@ -248,8 +248,8 @@ func resourceSecurityCenterSourceUpdate(d *schema.ResourceData, meta interface{} func resourceSecurityCenterSourceDelete(d *schema.ResourceData, meta interface{}) error { log.Printf("[WARNING] SecurityCenter Source resources"+ - " cannot be deleted from GCP. The resource %s will be removed from Terraform"+ - " state, but will still be present on the server.", d.Id()) + " cannot be deleted from Google Cloud. The resource %s will be removed from Terraform"+ + " state, but will still be present on Google Cloud.", d.Id()) d.SetId("") return nil diff --git a/website/docs/r/kms_crypto_key.html.markdown b/website/docs/r/kms_crypto_key.html.markdown index ed818dfac70..1bd6136f15a 100644 --- a/website/docs/r/kms_crypto_key.html.markdown +++ b/website/docs/r/kms_crypto_key.html.markdown @@ -28,7 +28,7 @@ A `CryptoKey` represents a logical key that can be used for cryptographic operat ~> **Note:** CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but *will -not delete the resource on the server.* When Terraform destroys these keys, +not delete the resource from the project.* When Terraform destroys these keys, any data previously encrypted with these keys will be irrecoverable. For this reason, it is strongly recommended that you add lifecycle hooks to the resource to prevent accidental destruction. @@ -125,6 +125,11 @@ The following arguments are supported: A template describing settings for new crypto key versions. Structure is documented below. +* `skip_initial_version_creation` - + (Optional) + If set to true, the request will create a CryptoKey without any CryptoKeyVersions. + You must use the `google_kms_key_ring_import_job` resource to import the CryptoKeyVersion. + The `version_template` block supports: 
diff --git a/website/docs/r/kms_key_ring.html.markdown b/website/docs/r/kms_key_ring.html.markdown index 997ef478baf..c296a302e46 100644 --- a/website/docs/r/kms_key_ring.html.markdown +++ b/website/docs/r/kms_key_ring.html.markdown @@ -27,7 +27,7 @@ A `KeyRing` is a toplevel logical grouping of `CryptoKeys`. ~> **Note:** KeyRings cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed KeyRing will remove it from state but -*will not delete the resource on the server.* +*will not delete the resource from the project.* To get more information about KeyRing, see: diff --git a/website/docs/r/kms_key_ring_import_job.html.markdown b/website/docs/r/kms_key_ring_import_job.html.markdown index 7c82ce2018c..bd2ec48d6cb 100644 --- a/website/docs/r/kms_key_ring_import_job.html.markdown +++ b/website/docs/r/kms_key_ring_import_job.html.markdown @@ -31,7 +31,7 @@ was wrapped with the `KeyRingImportJob`'s public key. ~> **Note:** KeyRingImportJobs cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed KeyRingImportJob will remove it from state but -*will not delete the resource on the server.* +*will not delete the resource from the project.* To get more information about KeyRingImportJob, see: @@ -49,6 +49,12 @@ resource "google_kms_key_ring" "keyring" { location = "global" } +resource "google_kms_crypto_key" "example-key" { + name = "cryptokey-example"" + key_ring = google_kms_key_ring.keyring.id + skip_initial_version_creation = true +} + resource "google_kms_key_ring_import_job" "import-job" { key_ring = google_kms_key_ring.keyring.id import_job_id = "my-import-job"
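Review bot: The example added to kms_key_ring_import_job.html.markdown has a stray quote in `name = "cryptokey-example""`, which makes the HCL invalid when copied; it should read `name = "cryptokey-example"`. The example also gives no hint that a key created with `skip_initial_version_creation = true` starts with no CryptoKeyVersion, so a sentence above the block saying the key presumably cannot serve cryptographic operations until a version is imported would help readers.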