Re-use of key rings #112

Open
Red-Five opened this issue Apr 14, 2023 · 0 comments
In some customer environments a single demo GCP project might be provisioned for experimenting with these terraform modules.

KMS keyrings cannot be deleted and live as long as the hosting GCP project.

When doing a terraform destroy and re-apply, the re-apply will fail as the key rings already exist.

Consider using the terraform data keyword and boolean KMS create flags so that, the second time around, the existing key rings are re-used.

The suggestions below are from ChatGPT-4 and are NOT validated.

Quote:

"In this scenario, you can use a combination of data and resource blocks, along with a variable, to conditionally create the keyring or use an existing one. This way, when you run terraform apply after terraform destroy, the configuration will not attempt to create a new keyring if it already exists.

First, add a new boolean variable in your Terraform configuration file to decide whether to create a new keyring or use an existing one:

```hcl
variable "create_keyring" {
  description = "Whether to create a new keyring or use an existing one."
  type        = bool
  default     = true
}
```

Next, add the following data block to fetch the existing keyring:

```hcl
# The google_kms_key_ring data source takes "project", not "project_id".
data "google_kms_key_ring" "existing_keyring" {
  count    = var.create_keyring ? 0 : 1
  project  = var.project_id
  location = var.keyring_location
  name     = var.keyring_name
}
```

Then, update the google_kms_key_ring resource block to conditionally create the keyring using the count parameter:

```hcl
# The google_kms_key_ring resource likewise takes "project", not "project_id".
resource "google_kms_key_ring" "default" {
  count    = var.create_keyring ? 1 : 0
  project  = var.project_id
  location = var.keyring_location
  name     = var.keyring_name
}
```

Now, create a local variable to hold the keyring ID, which will be used by other resources in the configuration:

```hcl
locals {
  # merge() operates on maps; the splat expressions are lists, so concat()
  # is the right function. Exactly one of the two lists is non-empty.
  keyring_id = concat(
    google_kms_key_ring.default[*].id,
    data.google_kms_key_ring.existing_keyring[*].id
  )[0]
}
```

Replace any reference to google_kms_key_ring.default.id in your configuration with local.keyring_id.

Finally, update the create_keyring variable in your Terraform configuration, setting it to false if you want to use the existing keyring:

```hcl
module "kms-inst-disk" {
  # ...
  create_keyring = false
  # ...
}
```
" End Quote
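A complete, self-contained version of the look-up-or-create pattern the quoted suggestion describes, as an added example that is not part of this issue or of the terraform modules being discussed. It assumes the variable names `project_id`, `keyring_location`, `keyring_name` and `create_keyring` from the quote, adds a hypothetical `google_kms_crypto_key` named `disk` as a consumer of the local, and uses `one()` (Terraform 0.15+) so that a misconfigured flag fails at plan time instead of silently indexing an empty list:

```hcl
# Added example, not the issue's or the module's own code.
# Look-up-or-create for a Cloud KMS key ring that survives `terraform destroy`:
# key rings cannot be deleted, so a second apply in the same project must
# adopt the existing ring instead of trying to create it again.
# Requires Terraform >= 0.15 (for one()) and the hashicorp/google provider.

variable "project_id" {
  type = string
}

variable "keyring_location" {
  type    = string
  default = "us-central1" # constructed default; use your own region
}

variable "keyring_name" {
  type = string
}

variable "create_keyring" {
  description = "true on the first apply (create the ring); false on later applies (adopt it)."
  type        = bool
  default     = true
}

# Read path: only evaluated when adopting an existing ring.
data "google_kms_key_ring" "existing" {
  count    = var.create_keyring ? 0 : 1
  project  = var.project_id
  location = var.keyring_location
  name     = var.keyring_name
}

# Create path: only evaluated on the first apply.
resource "google_kms_key_ring" "default" {
  count    = var.create_keyring ? 1 : 0
  project  = var.project_id
  location = var.keyring_location
  name     = var.keyring_name
}

locals {
  # Exactly one of the two splat lists is non-empty. one() returns that single
  # element and errors at plan time if both lists are empty or both are populated.
  keyring_id = one(concat(
    google_kms_key_ring.default[*].id,
    data.google_kms_key_ring.existing[*].id,
  ))
}

# Hypothetical consumer of the local: a customer-managed key for disks.
# Caveat (documented provider behaviour): destroying this resource deletes
# its key versions but the CryptoKey object stays in the ring, so a re-apply
# that creates the same key name collides in the same way; either apply the
# same flag/data-source pattern with data "google_kms_crypto_key", or
# `terraform import` the key on the second run.
resource "google_kms_crypto_key" "disk" {
  name            = "${var.keyring_name}-disk"
  key_ring        = local.keyring_id
  purpose         = "ENCRYPT_DECRYPT"
  rotation_period = "7776000s" # 90 days

  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "SOFTWARE"
  }
}

output "keyring_id" {
  value = local.keyring_id
}
```

Two points to keep in mind when using this: `count` must be known at plan time, so `create_keyring` has to be an input (for example `-var create_keyring=false` on the second run) and cannot be derived from whether the data source finds the ring; and the flag only changes what Terraform manages, not who can use the ring, so the IAM bindings on the adopted ring should be reviewed since they were not recreated by this apply.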