New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kms_key_v1: Please check state before trying to create a key #1804
Comments
@rramge Hi, we can add smth like "desired_state" option and reenable the key if it exist (https://docs.otc.t-systems.com/en-us/api/kms/kms_02_0016.html) |
Will continue after: opentelekomcloud/gophertelekomcloud#369 |
Sounds okay to me. Important thing is that a "terraform apply" does not lead into an error, and re-enabling the key would work. |
[KMS] Add `desired_state` in schema of `kms_key_v1` Summary of the Pull Request Added ability to canceling the Scheduled Deletion of a CMK PR Checklist Refers to: #1804 Tests added/passed. Documentation updated. Schema updated. Release notes added. Acceptance Steps Performed === RUN TestAccKmsKeyV1_basic --- PASS: TestAccKmsKeyV1_basic (83.71s) === RUN TestAccKmsKey_isEnabled --- PASS: TestAccKmsKey_isEnabled (115.14s) === RUN TestAccKmsKey_rotation --- PASS: TestAccKmsKey_rotation (50.18s) === RUN TestAccKmsKey_cancelDeletion --- PASS: TestAccKmsKey_cancelDeletion(51.07s) PASS Process finished with the exit code 0 Reviewed-by: Artem Lifshits <None> Reviewed-by: Vladimir Vshivkov <None> Reviewed-by: Anton Sidelnikov <None>
Released, please check. |
You did something, yes, but the problem is still not solved. 'terraform apply' still breaks, the given example is still valid. It's nice you added a desired_state flag or something, but you also need to validate it and act accordingly during the apply or update phase. Notable difference is, that now even a manual "terraform import" doesn't work anymore:
|
@rramge Did you add allow_cancel_deletion=true key into your code? |
I was not aware of allow_cancel_deletion, it's not in the documentation (yet). But now I am, so I hardcoded it in the module. Effect is that it works with key1 in the following example, but not with key2.
This leads to a follow-up error: {"error":{"error_msg":"The rotation state of key is not disabled.","error_code":"KMS.2901"}}. |
Depends-on: #1821 |
[KMS] fix kms deletion with enabled rotation Summary of the Pull Request When reenable key, which was created with rotation: {"error":{"error_msg":"The rotation state of key is not disabled.","error_code":"KMS.2901"}}. PR Checklist Refers to: #1804 #1821 Tests added/passed. Documentation updated. Schema updated. Release notes added. Acceptance Steps Performed === RUN TestAccKmsKeyV1_basic --- PASS: TestAccKmsKeyV1_basic (83.19s) === RUN TestAccKmsKey_isEnabled --- PASS: TestAccKmsKey_isEnabled (116.61s) === RUN TestAccKmsKey_rotation --- PASS: TestAccKmsKey_rotation (51.10s) === RUN TestAccKmsKey_cancelDeletion --- PASS: TestAccKmsKey_cancelDeletion (50.83s) === RUN TestAccKmsKey_cancelDeletionWithRotation --- PASS: TestAccKmsKey_cancelDeletionWithRotation (52.38s) PASS Process finished with the exit code 0 Reviewed-by: Vladimir Vshivkov <None> Reviewed-by: Artem Lifshits <None>
@rramge Please check on new version |
@anton-sidelnikov I tested with 1.30.1 and it looks good now. Thank you very much :-) |
Terraform provider version
Affected Resource(s)
opentelekomcloud_kms_key_v1
Terraform Configuration Files
Debug Output/Panic Output
Steps to Reproduce
terraform apply
terraform destroy
terraform apply
Expected Behavior
After a
destroy
, anotherapply
on the same terraform code should work.Actual Behavior
During the
destroy
, the kms resource gets removed from the state, even though it still exists in OTC for a minimum of 7 and a maximum of 1096 days. During this period, which in production environments can pretty much effectively feel like "forever", otherapply
runs will loead into this error since the KMS is within OTC in the state "Pending deletion".The only workaround on terraform level which I see at the moment would be appending random values to the key_alias to make the keys effectively unique, but this is visible for the customer and thus pretty ugly.
So, to avoid breaking customer's production environment, I see two possibilities:
(Preferred) The provider should check if a key already exists, and if the state of the kms key is "Pending deletion" the creation should be skipped and optionally a Warning be generated on stdout. Or any other kind of error handling which seems more appropriate. Other cloud providers like Oracle already implement this in the backend and check this during refresh in the planning stage, so it should somehow be possible here, too I think.
The quick & dirty solution which comes to my mind would be the introduction of a display_name and turning the key_alias unique.
Important Factoids
References
The text was updated successfully, but these errors were encountered: