From 34136b09de1841729383f1444233b1fd316eb5e7 Mon Sep 17 00:00:00 2001
From: The Magician
Date: Fri, 11 Nov 2022 12:55:28 -0800
Subject: [PATCH] Bigtable: Check ForceNew for kms_key_name field in the diff function (#6765) (#13018)
Signed-off-by: Modular Magician
Signed-off-by: Modular Magician
---
 .changelog/6765.txt | 3 +++
 google/resource_bigtable_instance.go | 9 ++++++++-
 google/resource_bigtable_instance_test.go | 11 +++++++++--
 website/docs/r/bigtable_instance.html.markdown | 6 ++----
 4 files changed, 22 insertions(+), 7 deletions(-)
 create mode 100644 .changelog/6765.txt
diff --git a/.changelog/6765.txt b/.changelog/6765.txt
new file mode 100644
index 00000000000..d0842d7f9a3
--- /dev/null
+++ b/.changelog/6765.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+bigtable: update checking ForceNew logic for `kms_key_name`
+```
diff --git a/google/resource_bigtable_instance.go b/google/resource_bigtable_instance.go
index aef69c7c4e9..2029e113e7c 100644
--- a/google/resource_bigtable_instance.go
+++ b/google/resource_bigtable_instance.go
@@ -81,7 +81,6 @@ func resourceBigtableInstance() *schema.Resource {
 "kms_key_name": {
 Type: schema.TypeString,
 Optional: true,
- ForceNew: true,
 Computed: true,
 Description: `Describes the Cloud KMS encryption key that will be used to protect the destination Bigtable cluster. The requirements for this key are: 1) The Cloud Bigtable service account associated with the project that contains this cluster must be granted the cloudkms.cryptoKeyEncrypterDecrypter role on the CMEK key. 2) Only regional keys can be used and the region of the CMEK key must match the region of the cluster. 3) All clusters within an instance must use the same CMEK key. Values are of the form projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}`,
 },
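Review bot: The `kms_key_name` schema entry now says nothing about replacement, yet changing the key still recreates the instance — the enforcement has moved to the per-cluster check in `resourceBigtableInstanceClusterReorderTypeList` (next hunk), which a reader of the schema alone cannot see. A one-line comment next to `Computed: true,` would keep that visible, e.g. `// ForceNew for this field is applied per cluster in resourceBigtableInstanceClusterReorderTypeList.` The `Description` string is what users see in generated docs and it also no longer mentions that a key change replaces the instance; consider appending a sentence saying so. `resourceBigtableInstance` continues outside this hunk.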
@@ -561,6 +560,14 @@ func resourceBigtableInstanceClusterReorderTypeList(_ context.Context, diff *sch
 return fmt.Errorf("Error setting cluster diff: %s", err)
 }
 }
+
+ oKey, nKey := diff.GetChange(fmt.Sprintf("cluster.%d.kms_key_name", i))
+ if oKey != nKey {
+ err := diff.ForceNew(fmt.Sprintf("cluster.%d.kms_key_name", i))
+ if err != nil {
+ return fmt.Errorf("Error setting cluster diff: %s", err)
+ }
+ }
 }
 
 return nil
diff --git a/google/resource_bigtable_instance_test.go b/google/resource_bigtable_instance_test.go
index 4705192787a..c9a596ad7b9 100644
--- a/google/resource_bigtable_instance_test.go
+++ b/google/resource_bigtable_instance_test.go
@@ -172,7 +172,8 @@ func TestAccBigtableInstance_kms(t *testing.T) {
 skipIfVcr(t)
 t.Parallel()
 
- kms := BootstrapKMSKeyInLocation(t, "us-central1")
+ kms1 := BootstrapKMSKeyInLocation(t, "us-central1")
+ kms2 := BootstrapKMSKeyInLocation(t, "us-east1")
 pid := getTestProjectFromEnv()
 instanceName := fmt.Sprintf("tf-test-%s", randString(t, 10))
 
@@ -182,7 +183,7 @@ func TestAccBigtableInstance_kms(t *testing.T) {
 CheckDestroy: testAccCheckBigtableInstanceDestroyProducer(t),
 Steps: []resource.TestStep{
 {
- Config: testAccBigtableInstance_kms(pid, instanceName, kms.CryptoKey.Name, 3),
+ Config: testAccBigtableInstance_kms(pid, instanceName, kms1.CryptoKey.Name, 3),
 },
 {
 ResourceName: "google_bigtable_instance.instance",
@@ -190,6 +191,12 @@ func TestAccBigtableInstance_kms(t *testing.T) {
 ImportStateVerify: true,
 ImportStateVerifyIgnore: []string{"deletion_protection", "instance_type"}, // we don't read instance type back
 },
+ // TODO(kevinsi4508): Verify that the instance can be recreated due to `kms_key_name` change.
+ {
+ Config: testAccBigtableInstance_kms(pid, instanceName, kms2.CryptoKey.Name, 3),
+ PlanOnly: true,
+ ExpectNonEmptyPlan: true,
+ },
 },
 })
 }
diff --git a/website/docs/r/bigtable_instance.html.markdown b/website/docs/r/bigtable_instance.html.markdown
index 5ba8a5c3be4..47829c87c48 100644
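Review bot: The new `kms_key_name` check builds the same attribute path twice with `fmt.Sprintf` and reuses the exact error text of the preceding block (`"Error setting cluster diff: %s"`), so a failure of `diff.ForceNew` here cannot be told apart from the earlier one, and there is no comment saying why replacement is forced in CustomizeDiff rather than by `ForceNew` on the schema field (which this patch removes). Hoisting the path into a local, folding the `err :=` into the `if`, and naming the path in the error would make the block read like the rest of the function; a short why-comment covers the schema question. Because the field is `Optional` + `Computed`, I would also expect `oKey == nKey` (no replacement) when the key is simply dropped from config — that matches the markdown note in this patch, but worth confirming in the test. The enclosing function, including the loop that defines `i`, starts before this hunk.
```go
		// … unchanged: preceding cluster diff handling …
		// kms_key_name is Optional+Computed, so a key change is forced to
		// replace the instance here, per cluster, instead of via ForceNew on
		// the schema field.
		keyPath := fmt.Sprintf("cluster.%d.kms_key_name", i)
		if oKey, nKey := diff.GetChange(keyPath); oKey != nKey {
			if err := diff.ForceNew(keyPath); err != nil {
				return fmt.Errorf("Error setting cluster diff for %s: %s", keyPath, err)
			}
		}
```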
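Review bot: `kms2` is bootstrapped in `us-east1` while `kms1` (and presumably the cluster built by `testAccBigtableInstance_kms`, whose body is outside this hunk) is in `us-central1`, and the schema description in this same patch says a CMEK key's region must match the cluster's region. That is harmless for the plan-only step added further down, but if the TODO there is ever resolved with a real apply, this key would be rejected and the failure would look unrelated. A comment on the `kms2` line such as `// different location only to obtain a second, distinct key; not apply-safe for a us-central1 cluster` would record the intent. If `BootstrapKMSKeyInLocation` can yield two distinct keys in one location, that would be the cleaner choice — I cannot see its implementation from here.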
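Review bot: `ExpectNonEmptyPlan: true` on the new plan-only step is satisfied by any diff, including an in-place update, so it does not verify the behaviour this patch actually relies on — that a `kms_key_name` change forces replacement now that `ForceNew` is gone from the schema. A regression that dropped the CustomizeDiff check would still pass this step while planning an in-place key update, which is exactly the case where a cluster could end up claiming the new key in state while the backend keeps the old one. If the harness in use supports plan checks (terraform-plugin-testing's `plancheck.ExpectResourceAction` with `plancheck.ResourceActionReplace`), assert a replace on `google_bigtable_instance.instance`; otherwise resolve the TODO with an apply step and a check that the instance was recreated. Until then, make the TODO precise: `// TODO(kevinsi4508): this step only asserts a non-empty plan; verify the planned action is a replacement.`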
--- a/website/docs/r/bigtable_instance.html.markdown
+++ b/website/docs/r/bigtable_instance.html.markdown
@@ -131,11 +131,9 @@ for a `DEVELOPMENT` instance.
 * `kms_key_name` - (Optional) Describes the Cloud KMS encryption key that will be used to protect the destination Bigtable cluster. The requirements for this key are: 1) The Cloud Bigtable service account associated with the project that contains this cluster must be granted the `cloudkms.cryptoKeyEncrypterDecrypter` role on the CMEK key. 2) Only regional keys can be used and the region of the CMEK key must match the region of the cluster.
-!> **Warning**: Modifying this field will cause Terraform to delete/recreate the entire resource.
+-> **Note**: Removing the field entirely from the config will cause the provider to default to the backend value.
--> **Note**: To remove this field once it is set, set the value to an empty string. Removing the field entirely from the config will cause the provider to default to the backend value.
-
-!> **Warning:** Modifying the `storage_type` or `zone` of an existing cluster (by
+!> **Warning:** Modifying the `storage_type`, `zone` or `kms_key_name` of an existing cluster (by
 `cluster_id`) will cause Terraform to delete/recreate the entire `google_bigtable_instance` resource. If these values are changing, use a new `cluster_id`.