terraform-provider-google: "boot_disk.0.kms_key_self_link": conflicts with boot_disk.0.disk_encryption_key_raw
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
- Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
- If you are interested in working on this issue or have submitted a pull request, please leave a comment.
- If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.
Terraform Version
Terraform 0.14.0 (also failing under 0.13.5 and 0.12.29)
Provider 3.49.0 (also tried 2-3 random versions clear back to 3.19)
Affected Resource(s)
- google_compute_instance
Terraform Configuration Files
resource "google_compute_instance" "this" {
  count                     = var.instance_count
  project                   = var.gcp_project
  allow_stopping_for_update = true
  name                      = module.names.shortname[count.index]
  machine_type              = var.machine_type
  zone                      = element(data.google_compute_zones.available.names, lookup({ "a" = 1, "b" = 2, "c" = 3, "d" = 4 }, var.az) - 1)
  tags                      = var.tags

  labels = merge(
    {
      "managed"     = "true"
      "environment" = lower(var.env_name)
      "hostname"    = substr(replace(module.names.hostname[count.index], ".", "_"), 0, 62)
    },
    var.labels,
  )

  shielded_instance_config {
    enable_vtpm                 = true
    enable_integrity_monitoring = true
    enable_secure_boot          = false
  }

  metadata = merge(
    var.metadata,
    map(local.startup_script_key_name, data.template_file.boot_script[count.index].rendered),
    { block-project-ssh-keys = true },
    { enable-oslogin = true }
  )

  boot_disk {
    initialize_params {
      size  = var.boot_disk_size
      image = local.image
    }
    disk_encryption_key_raw = data.terraform_remote_state.atom.outputs.csek-raw-key == "" ? null : data.terraform_remote_state.atom.outputs.csek-raw-key
  }

  dynamic "service_account" {
    for_each = var.service_account
    content {
      email  = lookup(service_account.value, "email", null)
      scopes = lookup(service_account.value, "scopes", null)
    }
  }

  network_interface {
    subnetwork = var.subnet_id
    network_ip = element(concat(var.ip_address, [""]), count.index)
    dynamic "access_config" {
      for_each = var.access_config
      content {
        network_tier = access_config.value.network_tier
      }
    }
  }

  lifecycle {
    ignore_changes = [
      metadata["startup-script"],
      boot_disk,
      attached_disk,
      id,
    ]
  }
}
Debug Output
Error: "boot_disk.0.disk_encryption_key_raw": conflicts with boot_disk.0.kms_key_self_link

  on .terraform/modules/app-demo_gcp_ams.atom_a/main.tf line 78, in resource "google_compute_instance" "this":
  78: resource "google_compute_instance" "this" {

Error: "boot_disk.0.disk_encryption_key_sha256": this field cannot be set

  on .terraform/modules/app-demo_gcp_ams.atom_a/main.tf line 78, in resource "google_compute_instance" "this":
  78: resource "google_compute_instance" "this" {

Error: "boot_disk.0.kms_key_self_link": conflicts with boot_disk.0.disk_encryption_key_raw

  on .terraform/modules/app-demo_gcp_ams.atom_a/main.tf line 78, in resource "google_compute_instance" "this":
  78: resource "google_compute_instance" "this" {
Note that in tf 12 or 13 the provider segfaults instead of giving an error.
Expected Behavior
Trying to do a terraform apply -var-file=b1-scratch.tfvars in a green field situation works fine. Doing a destroy works fine. Doing another terraform apply to check for changes (there are none) causes that error to happen every time.
Should have told me there were no changes (or if there were, showed me)
Actual Behavior
The error above.
Steps to Reproduce
- terraform apply -var-file=b1-scratch.tfvars
- terraform apply -var-file=b1-scratch.tfvars
Note, in the code, the reference to the csek key yields a string that's the base64 encoded raw key, since the provider has no way of accepting the wrapped key. At no point do we provide a kms key as you can see, or try to change the sha256 value.
The raw string, in a different terraform file entirely, was decrypted by using a kms key to decrypt the value in the tf file, then the plaintext version was written into state, where it's being referenced here.
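The setup the reporter describes leaves the plaintext CSEK (disk_encryption_key_raw) sitting in Terraform state next to the sha256 the API reports for it. The following is an added example, not code from the issue or from the provider: a small checker that walks a v4 state file, flags every google_compute_instance boot_disk whose raw CSEK is stored in state, verifies the stored sha256 against the key (GCE reports the base64 SHA-256 of the decoded key bytes), and notes whether kms_key_self_link is set on the same disk, without ever echoing the key. The state document is constructed inline and the hypothetical KMS key path is a placeholder.

```python
import base64
import hashlib
import json


def csek_sha256(raw_key_b64: str) -> str:
    """GCE reports a CSEK as the base64-encoded SHA-256 of the decoded key bytes."""
    digest = hashlib.sha256(base64.b64decode(raw_key_b64)).digest()
    return base64.b64encode(digest).decode()


def find_plaintext_csek(state_json: str) -> list:
    """One finding per boot_disk whose raw CSEK sits in state; never echoes the key."""
    findings = []
    for res in json.loads(state_json).get("resources", []):
        if res.get("type") != "google_compute_instance":
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            for disk in attrs.get("boot_disk", []):
                raw = disk.get("disk_encryption_key_raw") or ""
                if not raw:
                    continue
                findings.append({
                    "address": f'{res["type"]}.{res["name"]}[{inst.get("index_key")}]',
                    "sha256_matches": disk.get("disk_encryption_key_sha256") == csek_sha256(raw),
                    "also_sets_kms_key": bool(disk.get("kms_key_self_link")),
                })
    return findings


# Constructed sample of a Terraform v4 state file (not from the issue). The CSEK is a
# throwaway 32-byte value, base64-encoded the way the provider expects it.
SAMPLE_KEY = base64.b64encode(b"\x01" * 32).decode()
SAMPLE_STATE = json.dumps({"version": 4, "resources": [{
    "mode": "managed", "type": "google_compute_instance", "name": "this",
    "instances": [
        {"index_key": 0, "attributes": {"boot_disk": [{
            "disk_encryption_key_raw": SAMPLE_KEY,
            "disk_encryption_key_sha256": csek_sha256(SAMPLE_KEY),
            "kms_key_self_link": ""}]}},
        {"index_key": 1, "attributes": {"boot_disk": [{
            "disk_encryption_key_raw": "",
            "disk_encryption_key_sha256": "",
            "kms_key_self_link": "projects/PLACEHOLDER/locations/l/keyRings/r/cryptoKeys/k"}]}},
    ]}]})
```

Run find_plaintext_csek on the contents of a terraform.tfstate (or terraform state pull output) to list instances whose key material should be moved behind a KMS key or out of state.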
About this issue
- State: closed
- Created 4 years ago
- Reactions: 4
- Comments: 23 (3 by maintainers)
Commits related to this issue
- Check output of finalizeDiff before using it. Previously, we'd assign the result of finalizeDiff to the resource diff without checking its return. This caused problems because a "finalized" diff for ... — committed to hashicorp/terraform-plugin-sdk by paddycarver 3 years ago
@ronjarrell closing this issue as we need to be able to repro the issue. Please feel free to reopen it once you are able to help repro