From 44355f6a5e2a16eef0e993c12af1cb16790991d2 Mon Sep 17 00:00:00 2001
From: The Magician <magic-modules@google.com>
Date: Mon, 10 Oct 2022 14:16:01 -0700
Subject: [PATCH] skip destroyed key versions (#6669) (#12752)

Co-authored-by: Edward Sun <sunedward@google.com>
Signed-off-by: Modular Magician <magic-modules@google.com>

Signed-off-by: Modular Magician <magic-modules@google.com>
Co-authored-by: Edward Sun <sunedward@google.com>
---
 .changelog/6669.txt |  3 +++
 google/kms_utils.go | 21 ++++++++++++---------
 2 files changed, 15 insertions(+), 9 deletions(-)
 create mode 100644 .changelog/6669.txt

diff --git a/.changelog/6669.txt b/.changelog/6669.txt
new file mode 100644
index 00000000000..1c793ca75cc
--- /dev/null
+++ b/.changelog/6669.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+kms: fixed apply failure when `google_kms_crypto_key` is removed after its versions were destroyed earlier
+```
diff --git a/google/kms_utils.go b/google/kms_utils.go
index 135f8bb7f7b..5bf53094159 100644
--- a/google/kms_utils.go
+++ b/google/kms_utils.go
@@ -188,15 +188,18 @@ func clearCryptoKeyVersions(cryptoKeyId *kmsCryptoKeyId, userAgent string, confi
 	}
 
 	for _, version := range versionsResponse.CryptoKeyVersions {
-		request := &cloudkms.DestroyCryptoKeyVersionRequest{}
-		destroyCall := versionsClient.Destroy(version.Name, request)
-		if config.UserProjectOverride {
-			destroyCall.Header().Set("X-Goog-User-Project", cryptoKeyId.KeyRingId.Project)
-		}
-		_, err = destroyCall.Do()
-
-		if err != nil {
-			return err
+		// skip the versions that have been destroyed earlier
+		if version.State == "ENABLED" {
+			request := &cloudkms.DestroyCryptoKeyVersionRequest{}
+			destroyCall := versionsClient.Destroy(version.Name, request)
+			if config.UserProjectOverride {
+				destroyCall.Header().Set("X-Goog-User-Project", cryptoKeyId.KeyRingId.Project)
+			}
+			_, err = destroyCall.Do()
+
+			if err != nil {
+				return err
+			}
 		}
 	}