mongodb / terraform-provider-mongodbatlas

Terraform MongoDB Atlas Provider: Deploy, update, and manage MongoDB Atlas infrastructure as code through HashiCorp Terraform
https://registry.terraform.io/providers/mongodb/mongodbatlas
Mozilla Public License 2.0

Error encryption_at_rest rpc unavailable desc #54

Closed aliciaalcalde closed 4 years ago

aliciaalcalde commented 4 years ago

Good morning,

I created an IAM service account, a KMS keyring and a key in my own GCP account.

#Service Account for KMS
resource "google_service_account" "encryption_at_rest" {
  count         = var.encryption_at_rest_provider == "GCP" ? 1 : 0
  project       = var.gcp_project_id
  account_id    = "atlas-encrypt-${var.cluster_name}"
  display_name  = "atlas-encrypt-${var.cluster_name}"
}

#IAM Policy for KMS
resource "google_project_iam_member" "encryption_at_rest_admin" {
  count   = var.encryption_at_rest_provider == "GCP" ? 1 : 0
  project = var.gcp_project_id
  role    = "roles/cloudkms.admin"
  member  = "serviceAccount:atlas-encrypt-${var.cluster_name}@${var.gcp_project_id}.iam.gserviceaccount.com"
}
resource "google_project_iam_member" "encryption_at_rest_decrypt" {
  count   = var.encryption_at_rest_provider == "GCP" ? 1 : 0
  project = var.gcp_project_id
  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member  = "serviceAccount:atlas-encrypt-${var.cluster_name}@${var.gcp_project_id}.iam.gserviceaccount.com"
}

#Create service account key
resource "google_service_account_key" "encryption_at_rest" {
  count               = var.encryption_at_rest_provider == "GCP" ? 1 : 0
  service_account_id  = google_service_account.encryption_at_rest[count.index].name
  public_key_type     = "TYPE_X509_PEM_FILE"
}

# Atlas encryption_at_rest
resource "mongodbatlas_encryption_at_rest" "kms" {
  count      = var.encryption_at_rest_provider == "GCP" ? 1 : 0
  project_id = mongodbatlas_project.project.id

  google_cloud_kms = {
    enabled                 = true
    service_account_key     = jsonencode(base64decode(google_service_account_key.encryption_at_rest[count.index].private_key))
    key_version_resource_id = var.encryption_at_rest_key_version
  }
  depends_on = [mongodbatlas_project.project]
}

It returns the following error:

  # module.atlas.mongodbatlas_encryption_at_rest.kms[0] will be created
  + resource "mongodbatlas_encryption_at_rest" "kms" {
      + google_cloud_kms = {
          + "enabled"                 = "true"
          + "key_version_resource_id" = "projects/XXXX/locations/global/keyRings/XXXXX/cryptoKeys/XXXXXX/cryptoKeyVersions/1"
          + "service_account_key"     = jsonencode(
                {
                  + auth_provider_x509_cert_url = "https://www.googleapis.com/oauth2/v1/certs"
                  + auth_uri                    = "https://accounts.google.com/o/oauth2/auth"
                  + client_email                = "XXXXXX"
                  + client_id                   = "XXXXXXX"
                  + client_x509_cert_url        = "XXXXXXX"
                  + private_key                 = "-----BEGIN PRIVATE KEY-----\nXXXXXXXXXXXXX\n-----END PRIVATE KEY-----\n"
                  + private_key_id              = "XXXX"
                  + project_id                  = "XXXXXX"
                  + token_uri                   = "https://oauth2.googleapis.com/token"
                  + type                        = "service_account"
                }
            )
        }
      + id               = (known after apply)
      + project_id       = "XXXXXX"
module.atlas.mongodbatlas_encryption_at_rest.kms[0]: Creating...

Error: rpc error: code = Unavailable desc = transport is closing

I tried to create encryption at rest manually with the same service_account_key and key_version_resource_id, and it works.

Is my code right?

Thank you so much!!
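A least-privilege variant of the IAM wiring in the post above, added here as an example and not part of the original issue or of the provider's own code: it drops the project-wide roles/cloudkms.admin grant and binds roles/cloudkms.cryptoKeyEncrypterDecrypter to the single crypto key Atlas uses, so the exported service account key cannot manage or use any other key in the project. It assumes a `var.encryption_at_rest_crypto_key_id` holding the key's resource id (the `key_version_resource_id` without the trailing `cryptoKeyVersions/N` segment) and keeps the same `count` pattern as the original.

```hcl
# Service account whose key is handed to Atlas (same as the original).
resource "google_service_account" "encryption_at_rest" {
  count        = var.encryption_at_rest_provider == "GCP" ? 1 : 0
  project      = var.gcp_project_id
  account_id   = "atlas-encrypt-${var.cluster_name}"
  display_name = "atlas-encrypt-${var.cluster_name}"
}

# Key-scoped binding: encrypt/decrypt only, and only on the one key Atlas uses.
# No project-level roles/cloudkms.admin, so a leaked key cannot create, rotate
# or destroy other keys in the project.
# var.encryption_at_rest_crypto_key_id (assumed variable) looks like:
#   projects/PROJECT/locations/global/keyRings/RING/cryptoKeys/KEY
resource "google_kms_crypto_key_iam_member" "atlas_encrypt_decrypt" {
  count         = var.encryption_at_rest_provider == "GCP" ? 1 : 0
  crypto_key_id = var.encryption_at_rest_crypto_key_id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  # Reference the resource's email instead of rebuilding it by hand; this also
  # gives Terraform the dependency edge on the service account.
  member        = "serviceAccount:${google_service_account.encryption_at_rest[count.index].email}"
}

resource "google_service_account_key" "encryption_at_rest" {
  count              = var.encryption_at_rest_provider == "GCP" ? 1 : 0
  service_account_id = google_service_account.encryption_at_rest[count.index].name
  public_key_type    = "TYPE_X509_PEM_FILE"
}

resource "mongodbatlas_encryption_at_rest" "kms" {
  count      = var.encryption_at_rest_provider == "GCP" ? 1 : 0
  project_id = mongodbatlas_project.project.id

  google_cloud_kms = {
    enabled                 = true
    # private_key is the base64-encoded JSON key file; decoding it yields the
    # JSON text the attribute expects (passed as-is, not re-encoded).
    service_account_key     = base64decode(google_service_account_key.encryption_at_rest[count.index].private_key)
    key_version_resource_id = var.encryption_at_rest_key_version
  }

  # Ensure the key binding exists before Atlas first tries to use the key.
  depends_on = [google_kms_crypto_key_iam_member.atlas_encrypt_decrypt]
}
```

The decoded key file still ends up in Terraform state, so the state backend needs the same access controls as the key itself.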

themantissa commented 4 years ago

Hi @aliciaalcalde, per the README file, support is provided under your Atlas support agreement. Please reach out via that channel for a timely response on questions; issues are for bug reports. Thank you!!