terraform-google-kms
Keyring import
How do I import an existing keyring to this module? I have some terraform code:
```hcl
module "kms-keys" {
  source               = "terraform-google-modules/kms/google"
  version              = "~>2.0"
  project_id           = module.project.project_id
  keyring              = var.kms_keyring_name
  location             = var.kms_keyring_location
  key_algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
  key_protection_level = var.kms_key_protection
  keys                 = tolist([var.kms_gke_key_name])
  prevent_destroy      = false
}
```
And I have a keyring named "main-keyring". I'm trying to import state like this:
```
terraform import "module.kms-keys.google_kms_key_ring.key_ring" "myproject-631c/europe-west3-a/main-keyring"
```
And I'm getting an error:
```
module.kms-keys.google_kms_key_ring.key_ring: Refreshing state... [id=projects/myproject-631c/locations/europe-west3-a/keyRings/main-keyring]
╷
│ Error: Invalid function argument
│
│ on .terraform/modules/kms-keys/main.tf line 18, in locals:
│ 18: keys_by_name = zipmap(var.keys, var.prevent_destroy ? slice(google_kms_crypto_key.key[*].self_link, 0, length(var.keys)) : slice(google_kms_crypto_key.key_ephemeral[*].self_link, 0, length(var.keys)))
│ ├────────────────
│ │ var.keys is list of string with 1 element
│
│ Invalid value for "end_index" parameter: end index must not be greater than the length of the list.
```
Is it a bug?
This looks like a minor bug in how we compute the index length when importing. We probably need to use `max(length(google_kms_crypto_key.key), length(var.keys))`.
I wasn't able to fix it just by what @morgante suggested. If you only have a keyring to import with no keys, it will complain about google_kms_crypto_key.key is empty tuple.
However, I was able to work around this and import the keyring:
- use a local copy of this module
- comment out all outputs.tf
- comment out all but the `resource google_kms_key_ring..` in main.tf
- import the keyring to tf state
- roll back to using the upstream module and create keys with it as you wish
Seeing this issue as well.
I was able to import my keyring and key[0] with no issue, however, any additional keys are giving me this:
```
module.kms.google_kms_crypto_key.key[1]: Refreshing state... [id=projects/<project>/locations/global/keyRings/<keyring>/cryptoKeys/<key1>]
╷
│ Error: Invalid function argument
│
│ on .terraform/modules/kms/main.tf line 18, in locals:
│ 18: keys_by_name = zipmap(var.keys, var.prevent_destroy ? slice(google_kms_crypto_key.key[*].id, 0, length(var.keys)) : slice(google_kms_crypto_key.key_ephemeral[*].id, 0, length(var.keys)))
│ ├────────────────
│ │ var.keys is list of string with 6 elements
│
│ Invalid value for "end_index" parameter: end index must not be greater than
│ the length of the list.
╵
```
Someone provided a fix twice for this and they both went stale. Wonder if the maintainer/author is watching this repo anymore.
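
The expression in both error outputs above asks `slice` for `length(var.keys)` elements while fewer keys are in state during the import. As an added example (not the module's code and not a merged fix), this stand-alone configuration bounds the end index by what is actually in state; `var.ids_in_state` is a hypothetical stand-in for the resource splat, and all names and IDs are constructed.

```hcl
# Stand-alone model of the module's keys_by_name local.
# No provider or real KMS resources are needed to evaluate it.

variable "keys" {
  type    = list(string)
  default = ["key-a", "key-b", "key-c"] # constructed key names
}

# Hypothetical stand-in for google_kms_crypto_key.key[*].id at the moment
# when only the first key has been imported into state (constructed ID).
# Set the default to [] to model a keyring imported with no keys.
variable "ids_in_state" {
  type    = list(string)
  default = ["projects/example/locations/global/keyRings/example-ring/cryptoKeys/key-a"]
}

locals {
  # The unguarded form from the error output corresponds to
  #   slice(var.ids_in_state, 0, length(var.keys))
  # which is rejected here because the end index 3 exceeds the list length 1.

  # Never ask slice for more elements than either list holds.
  n = min(length(var.keys), length(var.ids_in_state))

  # Pair only the keys that are present in state; zipmap needs
  # both lists to have the same length, so both are cut to n.
  keys_by_name = zipmap(
    slice(var.keys, 0, local.n),
    slice(var.ids_in_state, 0, local.n)
  )
}

output "keys_by_name" {
  value = local.keys_by_name
}
```

With the defaults, `local.keys_by_name` maps only `key-a` to its ID; once every key is in state, `n` equals `length(var.keys)` and the map covers all of them.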