apigee / terraform-modules

Terraform modules and ready to use end-to-end examples for Apigee.
Apache License 2.0
54 stars, 61 forks

[Fix] Failed to recreate Apigee organisation in the same project #155

Open mhdjomaa3450 opened 2 months ago

mhdjomaa3450 commented 2 months ago

Once an Apigee organization is created in a specific project, two resources (key rings) are also created within that project. These resources are managed by the apigee-x-core module, specifically by `kms-org-db` and `kms-inst-disk`. However, when you destroy the environment using `terraform destroy`, these two resources are not deleted permanently.

KeyRings cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed KeyRing will remove it from state but will not delete the resource from the project. For more details, please see: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_key_ring

Delete an Apigee organization.

For organizations with BillingType EVALUATION, an immediate deletion is performed. For paid organizations (Subscription or Pay-as-you-go), a soft-deletion is performed. The organization can be restored within the soft-deletion period, which is specified using the retention field in the request or by filing a support ticket with Apigee. During the data retention period specified in the request, the Apigee organization cannot be recreated in the same Google Cloud project. The default data retention setting for this operation is 7 days. To permanently delete the organization in 24 hours, set the retention parameter to MINIMUM. https://cloud.google.com/apigee/docs/reference/apis/apigee/rest/v1/organizations/delete#deletionretention

When running `terraform apply` again to recreate Apigee in the same project, you might encounter the following errors:

```text
Error: Error creating KeyRing: googleapi: Error 409: KeyRing projects/bespin-apigee-test-2-433209/locations/me-central2/keyRings/apigee-instance already exists.

  with module.apigee-x-core.module.kms-inst-disk["instance"].google_kms_key_ring.default[0],
  on .terraform/modules/apigee-x-core.kms-inst-disk/modules/kms/main.tf line 32, in resource "google_kms_key_ring" "default":
  32: resource "google_kms_key_ring" "default" {

Error: Error creating KeyRing: googleapi: Error 409: KeyRing projects/bespin-apigee-test-2-433209/locations/me-central2/keyRings/apigee-x-org already exists.

  with module.apigee-x-core.module.kms-org-db.google_kms_key_ring.default[0],
  on .terraform/modules/apigee-x-core.kms-org-db/modules/kms/main.tf line 32, in resource "google_kms_key_ring" "default":
  32: resource "google_kms_key_ring" "default" {
```

The solution of removing the project and creating Apigee in a new project is not considered best practice. To address this issue, we can add a `random_string` resource and use it as a suffix in the names of these two resources, as shown below.


```hcl
# random_string comes from the hashicorp/random provider; make sure it is
# declared in the module's required_providers.
resource "random_string" "key_random_suffix" {
  length  = 6
  special = false # letters and digits only; KMS key ring IDs must match [a-zA-Z0-9_-]{1,63}
}

module "kms-org-db" {
  source     = "github.com/terraform-google-modules/cloud-foundation-fabric//modules/kms?ref=v28.0.0"
  project_id = var.project_id
  iam = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter" = ["serviceAccount:${google_project_service_identity.apigee_sa.email}"]
  }
  keyring = {
    location = coalesce(var.org_kms_keyring_location, var.ax_region)
    # Was: name = var.org_kms_keyring_name
    # The random suffix yields a fresh key ring ID on every destroy/apply cycle,
    # so the name no longer collides with the undeletable ring left behind.
    # Note: with keyring_create = false the module looks up an existing ring by
    # this name, so the suffix only makes sense for rings Terraform creates.
    name = "${var.org_kms_keyring_name}-${random_string.key_random_suffix.result}"
  }
  keyring_create = var.org_kms_keyring_create
  keys = {
    org-db = { rotation_period = var.org_key_rotation_period, labels = null }
  }
}

module "kms-inst-disk" {
  for_each   = var.apigee_instances
  source     = "github.com/terraform-google-modules/cloud-foundation-fabric//modules/kms?ref=v28.0.0"
  project_id = var.project_id
  iam = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter" = ["serviceAccount:${google_project_service_identity.apigee_sa.email}"]
  }
  keyring = {
    location = coalesce(each.value.keyring_location, each.value.region)
    # Was: name = coalesce(each.value.keyring_name, "apigee-${each.key}")
    name = "${coalesce(each.value.keyring_name, "apigee-${each.key}")}-${random_string.key_random_suffix.result}"
  }
  keyring_create = each.value.keyring_create
  keys = {
    (each.value.key_name) = {
      rotation_period = each.value.key_rotation_period
      labels          = each.value.key_labels
    }
  }
}
```
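The same suffixing can be applied from the root module without patching apigee-x-core, because the key ring names are module inputs (`org_kms_keyring_name`, `org_kms_keyring_create` and the `keyring_name` / `keyring_create` fields of `apigee_instances`, all visible in the snippet above). The configuration below is an added example and is not code from the issue or from the apigee/terraform-modules project. It assumes the module path `modules/apigee-x-core` in that repository, a `map(any)`-typed `apigee_instances` variable in the root module, and that the remaining module inputs are passed as in your existing configuration; it also goes one step further than the issue by suffixing only rings that Terraform is going to create and by pinning the suffix to the project via `keepers`.

```hcl
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
    random = { source = "hashicorp/random" }
  }
}

variable "project_id" { type = string }

variable "org_kms_keyring_create" {
  type    = bool
  default = true
}

# Assumed shape: mirror the apigee-x-core variable type in real use.
variable "apigee_instances" { type = map(any) }

# A new suffix is generated whenever state starts fresh (after terraform destroy),
# which is exactly when the old, undeletable ring would collide. keepers also
# forces a new suffix if the same configuration is pointed at another project.
resource "random_string" "kms_suffix" {
  length  = 6
  special = false
  upper   = false # keep IDs lowercase, consistent with "apigee-x-org"
  keepers = {
    project_id = var.project_id
  }
}

locals {
  # Only suffix rings that Terraform creates. With keyring_create = false the
  # fabric kms module looks up an existing ring by name, and a suffixed name
  # would not be found.
  org_keyring_name = (
    var.org_kms_keyring_create
    ? "apigee-x-org-${random_string.kms_suffix.result}"
    : "apigee-x-org"
  )

  apigee_instances = {
    for name, inst in var.apigee_instances : name => merge(inst, {
      keyring_name = (
        try(inst.keyring_create, true)
        ? "${coalesce(try(inst.keyring_name, null), "apigee-${name}")}-${random_string.kms_suffix.result}"
        : inst.keyring_name
      )
    })
  }
}

module "apigee-x-core" {
  source = "github.com/apigee/terraform-modules//modules/apigee-x-core" # assumed path; pin with ?ref=<tag>

  project_id             = var.project_id
  org_kms_keyring_create = var.org_kms_keyring_create
  org_kms_keyring_name   = local.org_keyring_name
  apigee_instances       = local.apigee_instances
  # remaining inputs (ax_region, etc.) exactly as in your existing configuration
}

# Surface the suffix so the rings created by this state are easy to find later.
output "kms_keyring_suffix" {
  value = random_string.kms_suffix.result
}
```

Two caveats worth keeping in mind with this workaround. First, every destroy/apply cycle leaves behind one more key ring per module instance, each holding a crypto key whose versions `terraform destroy` already destroyed; list them with `gcloud kms keyrings list --project PROJECT_ID --location LOCATION` from time to time and confirm nothing still references them (importing the existing ring into state instead of creating a new one avoids the accumulation, but then the destroyed key inside it has to be dealt with too). Second, the suffix only fixes the 409 on the key rings: during the Apigee organization's soft-deletion retention period quoted above, the organization itself still cannot be recreated in the same project, so set `retention` to `MINIMUM` on delete or wait out the retention window.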