apigee / terraform-modules

Terraform modules and ready to use end-to-end examples for Apigee.
Apache License 2.0
52 stars 56 forks

Re-use of key rings #112

Open Red-Five opened 1 year ago

Red-Five commented 1 year ago

In some customer environments a single demo GCP project might be provisioned for experimenting with these terraform modules.

KMS keyrings cannot be deleted and live as long as the hosting GCP project.

When doing a `terraform destroy` and re-apply, the re-apply will fail as the key rings already exist.

Consider use of the Terraform `data` keyword and boolean KMS create flags so that the second time around the existing key rings are re-used.

The suggestions below are from ChatGPT-4 and NOT validated:

Quote:

"In this scenario, you can use a combination of data and resource blocks, along with a variable, to conditionally create the keyring or use an existing one. This way, when you run terraform apply after terraform destroy, the configuration will not attempt to create a new keyring if it already exists.

First, add a new boolean variable in your Terraform configuration file to decide whether to create a new keyring or use an existing one:

```hcl
variable "create_keyring" {
  description = "Whether to create a new keyring or use an existing one."
  type        = bool
  default     = true
}
```

Next, add the following data block to fetch the existing keyring:

```hcl
# The google provider's argument is "project", not "project_id".
data "google_kms_key_ring" "existing_keyring" {
  count    = var.create_keyring ? 0 : 1
  project  = var.project_id
  location = var.keyring_location
  name     = var.keyring_name
}
```

Then, update the google_kms_key_ring resource block to conditionally create the keyring using the count parameter:

```hcl
resource "google_kms_key_ring" "default" {
  count    = var.create_keyring ? 1 : 0
  project  = var.project_id
  location = var.keyring_location
  name     = var.keyring_name
}
```

Now, create a local variable to hold the keyring ID, which will be used by other resources in the configuration:

```hcl
# merge() only works on maps; the splat expressions yield lists, so join them
# with concat() and take the single element that the active branch produced.
locals {
  keyring_id = concat(
    google_kms_key_ring.default[*].id,
    data.google_kms_key_ring.existing_keyring[*].id,
  )[0]
}
```

Replace any reference to google_kms_key_ring.default.id in your configuration with local.keyring_id.

Finally, update the create_keyring variable in your Terraform configuration, setting it to false if you want to use the existing keyring:

```hcl
module "kms-inst-disk" {
  # ...
  create_keyring = false
  # ...
}
```
" End Quote
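A worked version of the create-or-reuse pattern, added here as an illustration and not code from this repository or from the issue author. It assumes a root module with its own `project_id`, `location` and `keyring_name` variables (names chosen for this example), a `hashicorp/random` provider for the key-name suffix, and a 90-day rotation period; none of that is taken from the `kms-inst-disk` module. It also covers the crypto key, which the quoted suggestion leaves out, because keys can no longer be deleted from a project either, and a key that Terraform has destroyed is not one you want to pick back up with a data source:

```hcl
terraform {
  required_version = ">= 0.15" # one() was added in Terraform 0.15
  required_providers {
    google = { source = "hashicorp/google" }
    random = { source = "hashicorp/random" }
  }
}

variable "project_id"   { type = string }
variable "location"     { type = string }
variable "keyring_name" { type = string }

variable "create_keyring" {
  description = "true on the first apply; false once a previous destroy has left the key ring behind"
  type        = bool
  default     = true
}

# Exactly one of the two blocks below is active for a given value of
# create_keyring, so the plan never tries to create a ring that already exists.
resource "google_kms_key_ring" "default" {
  count    = var.create_keyring ? 1 : 0
  project  = var.project_id # the provider argument is "project", not "project_id"
  location = var.location
  name     = var.keyring_name
}

data "google_kms_key_ring" "existing" {
  count    = var.create_keyring ? 0 : 1
  project  = var.project_id
  location = var.location
  name     = var.keyring_name
}

locals {
  # Resource and data source both expose id as
  # "projects/<project>/locations/<location>/keyRings/<name>", so either branch
  # yields the same value. one() fails the plan if the list is not exactly one
  # element long instead of silently indexing [0] into an empty list.
  keyring_id = one(concat(
    google_kms_key_ring.default[*].id,
    data.google_kms_key_ring.existing[*].id,
  ))
}

# Crypto keys cannot be deleted from the project either. Destroying one through
# Terraform removes it from state and destroys all of its versions, so a data
# source pointed at the old name would return a key with nothing usable in it.
# Give each deployment a fresh key name instead of reusing the old one.
resource "random_id" "key_suffix" {
  byte_length = 4 # hypothetical choice for this example
}

resource "google_kms_crypto_key" "default" {
  name            = "apigee-${random_id.key_suffix.hex}"
  key_ring        = local.keyring_id
  rotation_period = "7776000s" # 90 days, an assumed policy for this example
}

output "crypto_key_id" {
  value = google_kms_crypto_key.default.id
}
```

First apply with `create_keyring = true`; after a `terraform destroy`, re-apply with `-var create_keyring=false` and the plan reads the surviving ring and creates a new key under it. The flag is needed because a Terraform data source cannot probe for existence: it errors when the ring is missing, so nothing in the configuration can decide automatically. An alternative that keeps `create_keyring = true` and the ring under full management is to bring it back into state with `terraform import google_kms_key_ring.default projects/PROJECT/locations/LOCATION/keyRings/NAME` before the second apply. Either way, a reused ring carries whatever IAM bindings earlier experiments in the shared demo project left on it; the data source does not reset them, so check with `gcloud kms keyrings get-iam-policy NAME --location=LOCATION` before trusting it.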