hashicorp · modular-magician · Oct 27, 2020 · Oct 27, 2020
diff --git a/.changelog/3907.txt b/.changelog/3907.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+kms: added `skip_initial_version_creation` to `google_kms_crypto_key`
+```
diff --git a/google/resource_app_engine_service_split_traffic.go b/google/resource_app_engine_service_split_traffic.go
@@ -284,8 +284,8 @@ func resourceAppEngineServiceSplitTrafficUpdate(d *schema.ResourceData, meta int
 
 func resourceAppEngineServiceSplitTrafficDelete(d *schema.ResourceData, meta interface{}) error {
 	log.Printf("[WARNING] AppEngine ServiceSplitTraffic resources"+
-		" cannot be deleted from GCP. The resource %s will be removed from Terraform"+
-		" state, but will still be present on the server.", d.Id())
+		" cannot be deleted from Google Cloud. The resource %s will be removed from Terraform"+
+		" state, but will still be present on Google Cloud.", d.Id())
 	d.SetId("")
 
 	return nil

diff --git a/google/resource_big_query_job.go b/google/resource_big_query_job.go
@@ -1032,8 +1032,8 @@ func resourceBigQueryJobRead(d *schema.ResourceData, meta interface{}) error {
 
 func resourceBigQueryJobDelete(d *schema.ResourceData, meta interface{}) error {
 	log.Printf("[WARNING] BigQuery Job resources"+
-		" cannot be deleted from GCP. The resource %s will be removed from Terraform"+
-		" state, but will still be present on the server.", d.Id())
+		" cannot be deleted from Google Cloud. The resource %s will be removed from Terraform"+
+		" state, but will still be present on Google Cloud.", d.Id())
 	d.SetId("")
 
 	return nil

diff --git a/google/resource_compute_network_peering_routes_config.go b/google/resource_compute_network_peering_routes_config.go
@@ -296,8 +296,8 @@ func resourceComputeNetworkPeeringRoutesConfigUpdate(d *schema.ResourceData, met
 
 func resourceComputeNetworkPeeringRoutesConfigDelete(d *schema.ResourceData, meta interface{}) error {
 	log.Printf("[WARNING] Compute NetworkPeeringRoutesConfig resources"+
-		" cannot be deleted from GCP. The resource %s will be removed from Terraform"+
-		" state, but will still be present on the server.", d.Id())
+		" cannot be deleted from Google Cloud. The resource %s will be removed from Terraform"+
+		" state, but will still be present on Google Cloud.", d.Id())
 	d.SetId("")
 
 	return nil

diff --git a/google/resource_iap_brand.go b/google/resource_iap_brand.go
@@ -249,8 +249,8 @@ func resourceIapBrandRead(d *schema.ResourceData, meta interface{}) error {
 
 func resourceIapBrandDelete(d *schema.ResourceData, meta interface{}) error {
 	log.Printf("[WARNING] Iap Brand resources"+
-		" cannot be deleted from GCP. The resource %s will be removed from Terraform"+
-		" state, but will still be present on the server.", d.Id())
+		" cannot be deleted from Google Cloud. The resource %s will be removed from Terraform"+
+		" state, but will still be present on Google Cloud.", d.Id())
 	d.SetId("")
 
 	return nil

diff --git a/google/resource_kms_crypto_key.go b/google/resource_kms_crypto_key.go
@@ -93,6 +93,14 @@ The first rotation will take place after the specified period. The rotation peri
 the format of a decimal number with up to 9 fractional digits, followed by the
 letter 's' (seconds). It must be greater than a day (ie, 86400).`,
 			},
+			"skip_initial_version_creation": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				ForceNew: true,
+				Description: `If set to true, the request will create a CryptoKey without any CryptoKeyVersions. 
+You must use the 'google_kms_key_ring_import_job' resource to import the CryptoKeyVersion.`,
+				Default: false,
+			},
 			"version_template": {
 				Type:        schema.TypeList,
 				Computed:    true,
@@ -164,7 +172,7 @@ func resourceKMSCryptoKeyCreate(d *schema.ResourceData, meta interface{}) error
 		return err
 	}
 
-	url, err := replaceVars(d, config, "{{KMSBasePath}}{{key_ring}}/cryptoKeys?cryptoKeyId={{name}}")
+	url, err := replaceVars(d, config, "{{KMSBasePath}}{{key_ring}}/cryptoKeys?cryptoKeyId={{name}}&skipInitialVersionCreation={{skip_initial_version_creation}}")
 	if err != nil {
 		return err
 	}
@@ -348,7 +356,7 @@ func resourceKMSCryptoKeyDelete(d *schema.ResourceData, meta interface{}) error
 
 	log.Printf(`
 [WARNING] KMS CryptoKey resources cannot be deleted from GCP. The CryptoKey %s will be removed from Terraform state,
-and all its CryptoKeyVersions will be destroyed, but it will still be present on the server.`, cryptoKeyId.cryptoKeyId())
+and all its CryptoKeyVersions will be destroyed, but it will still be present in the project.`, cryptoKeyId.cryptoKeyId())
 
 	// Delete all versions of the key
 	if err := clearCryptoKeyVersions(cryptoKeyId, userAgent, config); err != nil {
@@ -384,6 +392,10 @@ func resourceKMSCryptoKeyImport(d *schema.ResourceData, meta interface{}) ([]*sc
 		return nil, fmt.Errorf("Error setting name: %s", err)
 	}
 
+	if err := d.Set("skip_initial_version_creation", false); err != nil {
+		return nil, fmt.Errorf("Error setting skip_initial_version_creation: %s", err)
+	}
+
 	return []*schema.ResourceData{d}, nil
 }
 

diff --git a/google/resource_kms_key_ring.go b/google/resource_kms_key_ring.go
@@ -183,8 +183,8 @@ func resourceKMSKeyRingRead(d *schema.ResourceData, meta interface{}) error {
 
 func resourceKMSKeyRingDelete(d *schema.ResourceData, meta interface{}) error {
 	log.Printf("[WARNING] KMS KeyRing resources"+
-		" cannot be deleted from GCP. The resource %s will be removed from Terraform"+
-		" state, but will still be present on the server.", d.Id())
+		" cannot be deleted from Google Cloud. The resource %s will be removed from Terraform"+
+		" state, but will still be present on Google Cloud.", d.Id())
 	d.SetId("")
 
 	return nil

diff --git a/google/resource_kms_secret_ciphertext.go b/google/resource_kms_secret_ciphertext.go
@@ -182,8 +182,8 @@ func resourceKMSSecretCiphertextRead(d *schema.ResourceData, meta interface{}) e
 
 func resourceKMSSecretCiphertextDelete(d *schema.ResourceData, meta interface{}) error {
 	log.Printf("[WARNING] KMS SecretCiphertext resources"+
-		" cannot be deleted from GCP. The resource %s will be removed from Terraform"+
-		" state, but will still be present on the server.", d.Id())
+		" cannot be deleted from Google Cloud. The resource %s will be removed from Terraform"+
+		" state, but will still be present on Google Cloud.", d.Id())
 	d.SetId("")
 
 	return nil

diff --git a/google/resource_security_center_source.go b/google/resource_security_center_source.go
@@ -248,8 +248,8 @@ func resourceSecurityCenterSourceUpdate(d *schema.ResourceData, meta interface{}
 
 func resourceSecurityCenterSourceDelete(d *schema.ResourceData, meta interface{}) error {
 	log.Printf("[WARNING] SecurityCenter Source resources"+
-		" cannot be deleted from GCP. The resource %s will be removed from Terraform"+
-		" state, but will still be present on the server.", d.Id())
+		" cannot be deleted from Google Cloud. The resource %s will be removed from Terraform"+
+		" state, but will still be present on Google Cloud.", d.Id())
 	d.SetId("")
 
 	return nil

diff --git a/website/docs/r/kms_crypto_key.html.markdown b/website/docs/r/kms_crypto_key.html.markdown
@@ -28,7 +28,7 @@ A `CryptoKey` represents a logical key that can be used for cryptographic operat
 ~> **Note:** CryptoKeys cannot be deleted from Google Cloud Platform.
 Destroying a Terraform-managed CryptoKey will remove it from state
 and delete all CryptoKeyVersions, rendering the key unusable, but *will
-not delete the resource on the server.* When Terraform destroys these keys,
+not delete the resource from the project.* When Terraform destroys these keys,
 any data previously encrypted with these keys will be irrecoverable.
 For this reason, it is strongly recommended that you add lifecycle hooks
 to the resource to prevent accidental destruction.
@@ -125,6 +125,11 @@ The following arguments are supported:
   A template describing settings for new crypto key versions.
   Structure is documented below.
 
+* `skip_initial_version_creation` -
+  (Optional)
+  If set to true, the request will create a CryptoKey without any CryptoKeyVersions. 
+  You must use the `google_kms_key_ring_import_job` resource to import the CryptoKeyVersion.
+
 
 The `version_template` block supports:
 

diff --git a/website/docs/r/kms_key_ring.html.markdown b/website/docs/r/kms_key_ring.html.markdown
@@ -27,7 +27,7 @@ A `KeyRing` is a toplevel logical grouping of `CryptoKeys`.
 
 ~> **Note:** KeyRings cannot be deleted from Google Cloud Platform.
 Destroying a Terraform-managed KeyRing will remove it from state but
-*will not delete the resource on the server.*
+*will not delete the resource from the project.*
 
 
 To get more information about KeyRing, see:

diff --git a/website/docs/r/kms_key_ring_import_job.html.markdown b/website/docs/r/kms_key_ring_import_job.html.markdown
@@ -31,7 +31,7 @@ was wrapped with the `KeyRingImportJob`'s public key.
 
 ~> **Note:** KeyRingImportJobs cannot be deleted from Google Cloud Platform.
 Destroying a Terraform-managed KeyRingImportJob will remove it from state but
-*will not delete the resource on the server.* 
+*will not delete the resource from the project.* 
 
 
 To get more information about KeyRingImportJob, see:
@@ -49,6 +49,12 @@ resource "google_kms_key_ring" "keyring" {
   location = "global"
 }
 
+resource "google_kms_crypto_key" "example-key" {
+  name            = "cryptokey-example""
+  key_ring        = google_kms_key_ring.keyring.id
+  skip_initial_version_creation = true
+}
+
 resource "google_kms_key_ring_import_job" "import-job" {
   key_ring = google_kms_key_ring.keyring.id
   import_job_id = "my-import-job"