GCS-CMEK

When the GCS-CMEK example linked above is run in the terraform-example-foundation Cloud Build pipeline, it creates key rings, keys, and GCS buckets encrypted with the generated keys across multiple projects in parallel. This intermittently fails with:
Error: googleapi: Error 403: Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key., forbidden
Cause: the GCS module takes only the key as input, so the only implicit dependency Terraform sees is on the key's self-link being available; the IAM bindings on that key are not part of the dependency graph.
As a result, Terraform often tries to create the GCS bucket before the Encrypter/Decrypter role binding has been attached to the KMS key. Terraform keeps going after the failure and completes the IAM binding, so nothing in the final state points at the root cause unless you look closely at the apply output. It can only be detected by comparing the positions in the apply output of the buckets that deployed successfully against those that failed: when a bucket happens to be created after the binding has been set it succeeds, and when the order is reversed it fails with the error above.
In the linked module, this was resolved by adding an explicit dependency on the entire KMS module (only possible in Terraform 0.13+, which allows depends_on on module calls): depends_on = [module.kms]
Suggested improvement to the KMS module until a better solution is found:
Add an output variable for the key IAM binding, so that a caller can depend on that specific binding rather than on the entire module.
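The race described above and both fixes (the caller-side depends_on and the module-side output), shown in one self-contained configuration. This is an added example, not the issue author's code and not the terraform-google-kms or terraform-example-foundation code; the project id, location, bucket and key names, and the resource labels (gcs_sa, ring, key, racy, fixed) are placeholders.

```hcl
# Added example (not from the issue or the terraform-google-kms module).
# Assumed placeholders: project id, location and all resource names.

variable "project_id" {
  type    = string
  default = "example-project" # assumption, replace with a real project
}

# Cloud Storage service agent for the project; this is the identity that
# must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on the key.
data "google_storage_project_service_account" "gcs_sa" {
  project = var.project_id
}

resource "google_kms_key_ring" "ring" {
  project  = var.project_id
  name     = "gcs-cmek-ring"
  location = "us-central1"
}

resource "google_kms_crypto_key" "key" {
  name     = "gcs-cmek-key"
  key_ring = google_kms_key_ring.ring.id
  purpose  = "ENCRYPT_DECRYPT"
}

# The binding GCS needs before it can encrypt with the key.
resource "google_kms_crypto_key_iam_member" "gcs_encrypter_decrypter" {
  crypto_key_id = google_kms_crypto_key.key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs_sa.email_address}"
}

# Racy (the situation in the issue): the bucket references only the key, so
# Terraform may create it before the binding above exists and get the 403.
# Kept here only for contrast; do not ship this form.
resource "google_storage_bucket" "racy" {
  project  = var.project_id
  name     = "${var.project_id}-cmek-racy"
  location = "US"

  encryption {
    default_kms_key_name = google_kms_crypto_key.key.id
  }
}

# Fixed at the caller: depend on the binding resource itself rather than on
# a whole module, so only this bucket waits, and only for the binding.
resource "google_storage_bucket" "fixed" {
  project  = var.project_id
  name     = "${var.project_id}-cmek-fixed"
  location = "US"

  encryption {
    default_kms_key_name = google_kms_crypto_key.key.id
  }

  depends_on = [google_kms_crypto_key_iam_member.gcs_encrypter_decrypter]
}

# Fixed inside a module (the suggested improvement): expose the binding as an
# output, and make the key output itself wait on the binding so that any
# caller that references the key inherits the ordering without a module-wide
# depends_on.
output "gcs_key_binding_id" {
  description = "IAM member binding that authorizes the GCS service agent on the key"
  value       = google_kms_crypto_key_iam_member.gcs_encrypter_decrypter.id
}

output "key_id" {
  description = "Key resource name; not resolved until the GCS binding exists"
  value       = google_kms_crypto_key.key.id
  depends_on  = [google_kms_crypto_key_iam_member.gcs_encrypter_decrypter]
}
```

To confirm the ordering before applying, run terraform graph and check that the bucket node has an edge to the google_kms_crypto_key_iam_member node; the racy bucket will show an edge only to the key. Note the trade-off: depends_on = [module.kms] makes every resource that declares it wait for every resource inside the module (all keys, all bindings), while depending on the specific binding, or on an output that itself depends on the binding, serializes only what actually needs the permission. Also keep in mind why the flake hides: a re-run of terraform apply succeeds because the binding from the first run is already in place.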