From 391abc3080cd814b8ab67f37a3bc10b427cd2dd6 Mon Sep 17 00:00:00 2001
From: Pujan Shah
Date: Mon, 7 Apr 2025 19:40:32 +0200
Subject: [PATCH 1/2] feat: import key handle on instance recreate

---
 modules/postgresql/main.tf | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/modules/postgresql/main.tf b/modules/postgresql/main.tf
index f9f209c2..d9ab3fb8 100644
--- a/modules/postgresql/main.tf
+++ b/modules/postgresql/main.tf
@@ -47,6 +47,9 @@ locals {
 database_name = var.enable_default_db ? var.db_name : (length(var.additional_databases) > 0 ? var.additional_databases[0].name : "")
 encryption_key = var.encryption_key_name != null ? var.encryption_key_name : var.use_autokey ? google_kms_key_handle.default[0].kms_key : null
+
+ autokey_location = coalesce(var.region, join("-", slice(split("-", var.zone), 0, 2)))
+ autokey_handle = try({ "handle" = [for handle in data.google_kms_key_handles.existing.key_handles : handle.name if endswith(handle.name, "/${var.name}")][0] }, {})
 }
 resource "random_id" "suffix" {
@@ -214,12 +217,25 @@ resource "google_sql_database_instance" "default" {
 depends_on = [null_resource.module_depends_on]
 }
+data "google_kms_key_handles" "existing" {
+ provider = google-beta
+ project = var.project_id
+ location = local.autokey_location
+ resource_type_selector = "sqladmin.googleapis.com/Instance"
+}
+
+import {
+ for_each = local.autokey_handle
+ id = each.value
+ to = google_kms_key_handle.default[0]
+}
+
 resource "google_kms_key_handle" "default" {
 count = var.use_autokey ? 1 : 0
 provider = google-beta
 project = var.project_id
 name = local.instance_name
- location = coalesce(var.region, join("-", slice(split("-", var.zone), 0, 2)))
+ location = local.autokey_location
 resource_type_selector = "sqladmin.googleapis.com/Instance"
 }

From b5f03e0f3ade14845ab19b07b50dd0a63d8e33d5 Mon Sep 17 00:00:00 2001
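Review bot: `autokey_handle` selects the handle to import with `endswith(handle.name, "/${var.name}")`, but the handle the module creates (second hunk) is named `local.instance_name`; if those two values differ — the `random_id.suffix` resource directly below suggests the instance name may carry a suffix in some configurations, confirm outside the hunk — the filter never matches the module's own handle and the import is silently skipped, which defeats the purpose of the change. Filtering on the value the resource is created with, `if endswith(handle.name, "/${local.instance_name}")`, keeps lookup and creation in step. The same `var.name` filter is carried into the locals hunk of PATCH 2/2. The `locals` block starts before the hunk.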
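Review bot: The `import` block targets `google_kms_key_handle.default[0]` regardless of `var.use_autokey`, while that resource's `count` is `var.use_autokey ? 1 : 0`; when Autokey is disabled but a handle named after the instance already exists in the location, `local.autokey_handle` is non-empty and Terraform rejects the plan because the import target is not in configuration. Gate it on the same flag, `for_each = var.use_autokey ? local.autokey_handle : {}`. Separately, `data "google_kms_key_handles" "existing"` is read on every plan whatever the flag, so every caller of the module now needs permission to list KMS key handles in the project even if they never use Autokey; `count = var.use_autokey ? 1 : 0` on the data source (and `[0]` where the locals reference it) confines that requirement to callers that opt in. PATCH 2/2 leaves the data source unconditional as well.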
From: Pujan Shah
Date: Fri, 23 May 2025 12:44:36 +0200
Subject: [PATCH 2/2] chore: remove use of import

---
 modules/postgresql/main.tf | 17 +++++++----------
 modules/postgresql/variables.tf | 6 ++++++
 2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/modules/postgresql/main.tf b/modules/postgresql/main.tf
index 2bc31f66..46fa0da1 100644
--- a/modules/postgresql/main.tf
+++ b/modules/postgresql/main.tf
@@ -46,10 +46,13 @@ locals {
 database_name = var.enable_default_db ? var.db_name : (length(var.additional_databases) > 0 ? var.additional_databases[0].name : "")
- encryption_key = var.encryption_key_name != null ? var.encryption_key_name : var.use_autokey ? google_kms_key_handle.default[0].kms_key : null
-
+ encryption_key = var.encryption_key_name != null ? var.encryption_key_name : var.use_autokey ? local.autokey_kms_key : null
 autokey_location = coalesce(var.region, join("-", slice(split("-", var.zone), 0, 2)))
- autokey_handle = try({ "handle" = [for handle in data.google_kms_key_handles.existing.key_handles : handle.name if endswith(handle.name, "/${var.name}")][0] }, {})
+
+ // Get autokey kms key
+ existing_handle_key = var.use_existing_key_handle ? try([for handle in data.google_kms_key_handles.existing.key_handles : handle.kms_key if endswith(handle.name, "/${var.name}")][0], null) : null
+ create_handle = var.use_autokey && local.existing_handle_key == null
+ autokey_kms_key = local.create_handle ? google_kms_key_handle.default[0].kms_key : local.existing_handle_key
 }
 resource "random_id" "suffix" {
@@ -224,14 +227,8 @@ data "google_kms_key_handles" "existing" {
 resource_type_selector = "sqladmin.googleapis.com/Instance"
 }
-import {
- for_each = local.autokey_handle
- id = each.value
- to = google_kms_key_handle.default[0]
-}
-
 resource "google_kms_key_handle" "default" {
- count = var.use_autokey ? 1 : 0
+ count = local.create_handle ? 1 : 0
 provider = google-beta
 project = var.project_id
 name = local.instance_name
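Review bot: `create_handle` is derived from the data-source lookup, so with `use_existing_key_handle = true` and no handle present yet, the first apply creates `google_kms_key_handle.default[0]` and the very next plan finds that handle, flips `create_handle` to false and schedules the handle it just created for destruction (`count` 1 → 0, in the following hunk), moving the key reference over to the data source — assuming `local.instance_name` ends with `var.name`, which the filter already presupposes. Deciding from configuration alone keeps plans stable across applies: `create_handle = var.use_autokey && !var.use_existing_key_handle`. With that change `autokey_kms_key` is null when the flag is set but no handle is found, and `encryption_key` then falls through to null, so pair it with a `precondition` on the instance resource (outside this hunk) asserting `!var.use_autokey || !var.use_existing_key_handle || local.existing_handle_key != null`, so that a missing handle fails the plan instead of silently creating an instance without the expected CMEK. The `locals` block starts before the hunk.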
diff --git a/modules/postgresql/variables.tf b/modules/postgresql/variables.tf
index 44ecabef..5022f6cf 100644
--- a/modules/postgresql/variables.tf
+++ b/modules/postgresql/variables.tf
@@ -468,3 +468,9 @@ variable "use_autokey" {
 type = bool
 default = false
 }
+
+variable "use_existing_key_handle" {
+ description = "kms_key_handle resource can not be delete from GCP (https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_key_handle). If you recreate cloudsql instance with same name module will try to create kms_key_handle resource again. This will fail if you have existing key handle. Set this to true to use existing key handle with same name and fail. In that case make this variable true."
+ type = bool
+ default = false
+}
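Review bot: The `description` of `use_existing_key_handle` contradicts itself ("Set this to true to use existing key handle with same name and fail. In that case make this variable true.") and has typos ("can not be delete"), so a caller cannot tell from it what the flag does. From the locals in the main.tf hunk of this patch it only takes effect together with `use_autokey`, and it switches the module from creating a `google_kms_key_handle` to reusing an existing one found by the instance name in the instance's location; the description should say that, e.g. `description = "Only used with use_autokey. When true, do not create a KMS key handle; reuse the existing handle named after the instance in the instance's location (key handles cannot be deleted from GCP, so recreating an instance with the same name would otherwise fail on handle creation). Leave false for a new instance name."`.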