hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

This bucket has advanced analytics enabled. CMEK is not compatible with advanced analytics buckets #14193

Open deepak-tharanath opened 1 year ago

deepak-tharanath commented 1 year ago


Terraform Version

Terraform v1.3.9 on darwin_amd64

Affected Resource(s)

google_logging_project_bucket_config google_logging_project_cmek_settings

Terraform Configuration Files

resource "google_logging_project_bucket_config" "stratos_logbucket_la_02" {
  project          = var.project_id
  location         = var.region
  retention_days   = var.data_retention_in_days
  bucket_id        = var.log_bucket_id_la_cmek_02
  enable_analytics = true
}

data "google_logging_project_cmek_settings" "cmek_settings" {
  project = var.project_id
}

resource "google_kms_key_ring" "keyring_stratos_cmek_02" {
  name       = var.key_ring_cmek_02
  location   = var.region
  depends_on = [google_logging_project_bucket_config.stratos_logbucket_la_02]
}

resource "google_kms_crypto_key" "key_stratos_cmek_02" {
  name            = var.crypto_key_cmek_02
  key_ring        = google_kms_key_ring.keyring_stratos_cmek_02.id
  rotation_period = var.rotation_period
}

resource "google_kms_crypto_key_iam_binding" "stratos_crypto_key_binding_cmek_02" {
  crypto_key_id = google_kms_crypto_key.key_stratos_cmek_02.id
  role          = var.crypto_role

  members = [
    "serviceAccount:${data.google_logging_project_cmek_settings.cmek_settings.service_account_id}",
  ]
}

resource "google_logging_project_bucket_config" "stratos_logbucket_cmek_02" {
  project   = var.project_id
  location  = var.region
  bucket_id = var.log_bucket_id_la_cmek_02

  cmek_settings {
    kms_key_name = google_kms_crypto_key.key_stratos_cmek_02.id
  }

  depends_on = [
    google_logging_project_bucket_config.stratos_logbucket_la_02,
    google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_cmek_02,
  ]
}

Debug Output

Gist is not allowed in the org, so I am pasting the error; if needed I can provide the full output via email.

│ Error: Error updating Logging Bucket Config "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_02": googleapi: Error 400: This bucket has advanced analytics enabled. CMEK is not compatible with advanced analytics buckets
│
│   with module.log_storage.google_logging_project_bucket_config.stratos_logbucket_cmek_02,
│   on modules/log_storage/main.tf line 34, in resource "google_logging_project_bucket_config" "stratos_logbucket_cmek_02":
│   34: resource "google_logging_project_bucket_config" "stratos_logbucket_cmek_02" {
│

Panic Output

Expected Behavior

Log Analytics is enabled first and then CMEK is enabled. It should be allowed to apply the CMEK settings on Log Analytics-enabled log storage. We are able to create this using the Google API, but not in Terraform.

Actual Behavior

The error below is displayed during the CMEK update:

Error: Error updating Logging Bucket Config "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_02": googleapi: Error 400: This bucket has advanced analytics enabled. CMEK is not compatible with advanced analytics buckets

Steps to Reproduce

  1. terraform apply

b/299601014
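A pre-apply lint for the conflict in this report, added here as an example and not part of the issue or of the provider's code: it reads `terraform show -json` plan output and flags google_logging_project_bucket_config resources that would send cmekSettings to an analytics-enabled bucket, including the split-resource pattern in the configuration above (two resources sharing one bucket_id). The plan document embedded in the block is constructed to mirror that configuration; the key ring and key names in it are placeholders.

```python
"""Pre-apply lint for the Log Analytics / CMEK conflict in this issue.

Reads `terraform show -json tfplan` output and flags
google_logging_project_bucket_config resources that would trigger
"CMEK is not compatible with advanced analytics buckets": a resource that
sets both enable_analytics and cmek_settings, or two resources that address
the same bucket where one enables analytics and the other attaches a key.
"""
import json
import sys
from collections import defaultdict

BUCKET_TYPE = "google_logging_project_bucket_config"

# Constructed plan fragment (not real output) mirroring the configuration in
# the report: two resources manage one bucket, one with analytics, one with CMEK.
SAMPLE_PLAN = {
    "format_version": "1.1",
    "planned_values": {
        "root_module": {
            "child_modules": [{
                "address": "module.log_storage",
                "resources": [
                    {
                        "address": "module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_02",
                        "type": BUCKET_TYPE,
                        "values": {
                            "project": "playpen-xcvcef",
                            "location": "europe-west2",
                            "bucket_id": "stratos_log_bucket_la_cmek_02",
                            "enable_analytics": True,
                            "retention_days": 30,
                            "cmek_settings": [],
                        },
                    },
                    {
                        "address": "module.log_storage.google_logging_project_bucket_config.stratos_logbucket_cmek_02",
                        "type": BUCKET_TYPE,
                        "values": {
                            "project": "playpen-xcvcef",
                            "location": "europe-west2",
                            "bucket_id": "stratos_log_bucket_la_cmek_02",
                            "enable_analytics": False,
                            "cmek_settings": [{
                                "kms_key_name": "projects/playpen-xcvcef/locations/europe-west2/keyRings/PLACEHOLDER_RING/cryptoKeys/PLACEHOLDER_KEY",
                            }],
                        },
                    },
                    {
                        "address": "module.log_storage.google_kms_key_ring.keyring_stratos_cmek_02",
                        "type": "google_kms_key_ring",
                        "values": {"location": "europe-west2", "name": "PLACEHOLDER_RING"},
                    },
                ],
            }],
        },
    },
}


def iter_resources(module):
    """Yield every planned resource, descending into nested modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def bucket_key(values):
    """The real bucket behind a resource: project, location and bucket_id."""
    return (values.get("project"), values.get("location"), values.get("bucket_id"))


def find_conflicts(plan):
    """Return findings (strings) for buckets the Logging API would reject."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    per_bucket = defaultdict(list)
    for res in iter_resources(root):
        if res.get("type") != BUCKET_TYPE:
            continue
        values = res.get("values", {})
        analytics = bool(values.get("enable_analytics"))
        # nested blocks are lists in plan JSON; an empty list means no block
        has_cmek = bool(values.get("cmek_settings"))
        if analytics and has_cmek:
            findings.append(f"{res['address']}: enable_analytics and cmek_settings on one bucket")
        per_bucket[bucket_key(values)].append((res["address"], analytics, has_cmek))
    # Same bucket managed by several resources: the CMEK one will issue an
    # UpdateBucket with cmekSettings against the analytics-enabled bucket.
    for (project, location, bucket_id), entries in per_bucket.items():
        analytics_addrs = [addr for addr, a, _ in entries if a]
        cmek_addrs = [addr for addr, _, c in entries if c]
        if len(entries) > 1 and analytics_addrs and cmek_addrs:
            findings.append(
                f"bucket {project}/{location}/{bucket_id}: {', '.join(analytics_addrs)} "
                f"enables analytics while {', '.join(cmek_addrs)} attaches CMEK; "
                "the UpdateBucket call with cmekSettings will be rejected"
            )
    return findings


def main(argv):
    """Lint a plan JSON file given as argv[1], or the embedded sample."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = find_conflicts(plan)
    for finding in findings:
        print("CONFLICT:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path of `terraform show -json tfplan > plan.json` output as a pre-apply gate; a non-zero exit means the apply would hit the 400 in this report.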

edwardmedia commented 1 year ago

@deepak-tharanath could you share the debug log that contains the api request and responses? Noticed you can use gist. Not sure what to do here

deepak-tharanath commented 1 year ago

Below is the complete payload from Google Log Explorer:

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {
      "code": 9,
      "message": "This bucket has advanced analytics enabled. CMEK is not compatible with advanced analytics buckets"
    },
    "authenticationInfo": {
      "principalEmail": "playpen-xcvcef-sa@playpen-xcvcef.iam.gserviceaccount.com",
      "serviceAccountKeyName": "//iam.googleapis.com/projects/playpen-xcvcef/serviceAccounts/playpen-xcvcef-sa@playpen-xcvcef.iam.gserviceaccount.com/keys/d8d021e587e12aea8b81e0aa78af412e8dd3acc1",
      "principalSubject": "serviceAccount:playpen-xcvcef-sa@playpen-xcvcef.iam.gserviceaccount.com"
    },
    "requestMetadata": {
      "callerIp": "44.211.128.69",
      "callerSuppliedUserAgent": "Terraform/1.3.9 (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google/4.59.0,gzip(gfe)",
      "requestAttributes": {
        "time": "2023-04-04T10:51:11.181904102Z",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "logging.googleapis.com",
    "methodName": "google.logging.v2.ConfigServiceV2.UpdateBucket",
    "authorizationInfo": [
      {
        "resource": "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_10",
        "permission": "logging.buckets.update",
        "granted": true,
        "resourceAttributes": {
          "service": "logging.googleapis.com",
          "name": "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_10"
        }
      }
    ],
    "resourceName": "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_10",
    "request": {
      "updateMask": "retentionDays,cmekSettings",
      "name": "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_10",
      "@type": "type.googleapis.com/google.logging.v2.UpdateBucketRequest",
      "bucket": {
        "retentionDays": 1,
        "cmekSettings": {
          "kmsKeyName": "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-10/cryptoKeys/stratos-crypto-key-cmek-10"
        }
      }
    },
    "resourceLocation": {
      "currentLocations": [
        "europe-west2"
      ]
    }
  },
  "insertId": "ozft42e5oij7",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.logging.v2.ConfigServiceV2.UpdateBucket",
      "project_id": "playpen-xcvcef",
      "service": "logging.googleapis.com"
    }
  },
  "timestamp": "2023-04-04T10:51:11.169937304Z",
  "severity": "ERROR",
  "logName": "projects/playpen-xcvcef/logs/cloudaudit.googleapis.com%2Factivity",
  "receiveTimestamp": "2023-04-04T10:51:12.575231104Z"
}

deepak-tharanath commented 1 year ago

TF apply logs with debug on:

tf apply --auto-approve
2023-04-04T11:10:33.297+0100 [INFO]  Terraform version: 1.4.4
2023-04-04T11:10:33.298+0100 [DEBUG] using github.com/hashicorp/go-tfe v1.18.0
2023-04-04T11:10:33.298+0100 [DEBUG] using github.com/hashicorp/hcl/v2 v2.16.2
2023-04-04T11:10:33.298+0100 [DEBUG] using github.com/hashicorp/terraform-config-inspect v0.0.0-20210209133302-4fd17a0faac2
2023-04-04T11:10:33.298+0100 [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.0
2023-04-04T11:10:33.298+0100 [DEBUG] using github.com/zclconf/go-cty v1.12.1
2023-04-04T11:10:33.298+0100 [INFO]  Go runtime version: go1.19.6
2023-04-04T11:10:33.298+0100 [INFO]  CLI args: []string{"/usr/local/Cellar/tfenv/3.0.0/versions/1.4.4/terraform", "apply", "--auto-approve"}
2023-04-04T11:10:33.298+0100 [DEBUG] Attempting to open CLI config file: /Users/Deepak.Tharanath/.terraformrc
2023-04-04T11:10:33.298+0100 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2023-04-04T11:10:33.298+0100 [INFO]  Loading CLI configuration from /Users/Deepak.Tharanath/.terraform.d/credentials.tfrc.json
2023-04-04T11:10:33.298+0100 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2023-04-04T11:10:33.298+0100 [DEBUG] ignoring non-existing provider search directory /Users/Deepak.Tharanath/.terraform.d/plugins
2023-04-04T11:10:33.298+0100 [DEBUG] ignoring non-existing provider search directory /Users/Deepak.Tharanath/Library/Application Support/io.terraform/plugins
2023-04-04T11:10:33.298+0100 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins
2023-04-04T11:10:33.299+0100 [INFO]  CLI command args: []string{"apply", "--auto-approve"}
2023-04-04T11:10:33.302+0100 [DEBUG] Service discovery for app.terraform.io at https://app.terraform.io/.well-known/terraform.json
2023-04-04T11:10:33.879+0100 [DEBUG] Service discovery for app.terraform.io aliased as localterraform.com
2023-04-04T11:10:35.248+0100 [DEBUG] checking for provisioner in "."
2023-04-04T11:10:35.249+0100 [DEBUG] checking for provisioner in "/usr/local/Cellar/tfenv/3.0.0/versions/1.4.4"
2023-04-04T11:10:35.636+0100 [INFO]  cloud: starting Apply operation
Running apply in Terraform Cloud. Output will stream here. Pressing Ctrl-C
will cancel the remote apply if it's still pending. If the apply started it
will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit:
https://app.terraform.io/app/lbg-cloud-platform/playpen-xcvcef-gcp/runs/run-zxJmMuSG3K7iN7Xa

Waiting for the plan to start...

Terraform v1.3.9
on linux_amd64
Initializing plugins and modules...
module.log_storage.google_kms_crypto_key.key_stratos_cmek_06: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-06/cryptoKeys/stratos-crypto-key-cmek-06]
module.log_storage.google_kms_key_ring.keyring_stratos_cmek_06: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-06]
module.log_storage.google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_01: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-01/cryptoKeys/stratos-crypto-key-01/roles/cloudkms.cryptoKeyEncrypterDecrypter]
module.log_storage.google_kms_key_ring.keyring_stratos_cmek_07: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-07]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_cmek_06: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_06]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_06: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_06]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_07: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_07]
module.log_storage.google_kms_crypto_key.key_stratos_01: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-01/cryptoKeys/stratos-crypto-key-01]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_05: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_05]
module.log_storage.google_kms_key_ring.keyring_stratos_01: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-01]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_04: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_04]
module.log_storage.google_kms_crypto_key.key_stratos_cmek_07: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-07/cryptoKeys/stratos-crypto-key-cmek-07]
module.log_storage.google_kms_key_ring.keyring_stratos_cmek_03: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-03]
module.log_storage.google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_cmek_06: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-06/cryptoKeys/stratos-crypto-key-cmek-06/roles/cloudkms.cryptoKeyEncrypterDecrypter]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_cmek_07: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_07]
module.log_storage.google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_cmek_07: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-07/cryptoKeys/stratos-crypto-key-cmek-07/roles/cloudkms.cryptoKeyEncrypterDecrypter]
module.log_storage.google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_cmek_03: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-03/cryptoKeys/stratos-crypto-key-cmek-03/roles/cloudkms.cryptoKeyEncrypterDecrypter]
module.log_storage.google_kms_crypto_key.key_stratos_cmek_03: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-03/cryptoKeys/stratos-crypto-key-cmek-03]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_cmek_03: Refreshing state... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_03]
module.log_storage.data.google_logging_project_cmek_settings.cmek_settings: Refreshing...
module.log_storage.data.google_logging_project_cmek_settings.cmek_settings: Still refreshing... [10s elapsed]
module.log_storage.data.google_logging_project_cmek_settings.cmek_settings: Still refreshing... [20s elapsed]
module.log_storage.data.google_logging_project_cmek_settings.cmek_settings: Refresh complete after 25s [id=projects/playpen-xcvcef/cmekSettings]
module.log_storage.google_kms_crypto_key.key_stratos_cmek_07: Drift detected (update)
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_cmek_07: Drift detected (update)
2023-04-04T11:11:20.343+0100 [DEBUG] performing request: method=GET url=https://app.terraform.io/api/v2/plans/plan-tYhnaGCMijkZZXz9/json-output-redacted

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  - destroy

Terraform will perform the following actions:

  # module.log_storage.google_kms_crypto_key.key_stratos_01 will be destroyed
  # (because google_kms_crypto_key.key_stratos_01 is not in configuration)
  - resource "google_kms_crypto_key" "key_stratos_01" {
      - destroy_scheduled_duration    = "86400s" -> null
      - id                            = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-01/cryptoKeys/stratos-crypto-key-01" -> null
      - import_only                   = false -> null
      - key_ring                      = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-01" -> null
      - labels                        = {} -> null
      - name                          = "stratos-crypto-key-01" -> null
      - purpose                       = "ENCRYPT_DECRYPT" -> null
      - rotation_period               = "100000s" -> null
      - skip_initial_version_creation = false -> null

      - version_template {
          - algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION" -> null
          - protection_level = "SOFTWARE" -> null
        }
    }

  # module.log_storage.google_kms_crypto_key.key_stratos_cmek_03 will be destroyed
  # (because google_kms_crypto_key.key_stratos_cmek_03 is not in configuration)
  - resource "google_kms_crypto_key" "key_stratos_cmek_03" {
      - destroy_scheduled_duration    = "86400s" -> null
      - id                            = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-03/cryptoKeys/stratos-crypto-key-cmek-03" -> null
      - import_only                   = false -> null
      - key_ring                      = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-03" -> null
      - labels                        = {} -> null
      - name                          = "stratos-crypto-key-cmek-03" -> null
      - purpose                       = "ENCRYPT_DECRYPT" -> null
      - rotation_period               = "100000s" -> null
      - skip_initial_version_creation = false -> null

      - version_template {
          - algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION" -> null
          - protection_level = "SOFTWARE" -> null
        }
    }

  # module.log_storage.google_kms_crypto_key.key_stratos_cmek_06 will be destroyed
  # (because google_kms_crypto_key.key_stratos_cmek_06 is not in configuration)
  - resource "google_kms_crypto_key" "key_stratos_cmek_06" {
      - destroy_scheduled_duration    = "86400s" -> null
      - id                            = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-06/cryptoKeys/stratos-crypto-key-cmek-06" -> null
      - import_only                   = false -> null
      - key_ring                      = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-06" -> null
      - labels                        = {} -> null
      - name                          = "stratos-crypto-key-cmek-06" -> null
      - purpose                       = "ENCRYPT_DECRYPT" -> null
      - rotation_period               = "100000s" -> null
      - skip_initial_version_creation = false -> null

      - version_template {
          - algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION" -> null
          - protection_level = "SOFTWARE" -> null
        }
    }

  # module.log_storage.google_kms_crypto_key.key_stratos_cmek_07 will be destroyed
  # (because google_kms_crypto_key.key_stratos_cmek_07 is not in configuration)
  - resource "google_kms_crypto_key" "key_stratos_cmek_07" {
      - destroy_scheduled_duration    = "86400s" -> null
      - id                            = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-07/cryptoKeys/stratos-crypto-key-cmek-07" -> null
      - import_only                   = false -> null
      - key_ring                      = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-07" -> null
      - labels                        = {} -> null
      - name                          = "stratos-crypto-key-cmek-07" -> null
      - purpose                       = "ENCRYPT_DECRYPT" -> null
      - rotation_period               = "100000s" -> null
      - skip_initial_version_creation = false -> null

      - version_template {
          - algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION" -> null
          - protection_level = "SOFTWARE" -> null
        }
    }

  # module.log_storage.google_kms_crypto_key.key_stratos_cmek_08 will be created
  + resource "google_kms_crypto_key" "key_stratos_cmek_08" {
      + destroy_scheduled_duration = (known after apply)
      + id                         = (known after apply)
      + import_only                = (known after apply)
      + key_ring                   = (known after apply)
      + name                       = "stratos-crypto-key-cmek-08"
      + purpose                    = "ENCRYPT_DECRYPT"
      + rotation_period            = "100000s"
    }

  # module.log_storage.google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_01 will be destroyed
  # (because google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_01 is not in configuration)
  - resource "google_kms_crypto_key_iam_binding" "stratos_crypto_key_binding_01" {
      - crypto_key_id = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-01/cryptoKeys/stratos-crypto-key-01" -> null
      - etag          = "BwX4bswfWw4=" -> null
      - id            = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-01/cryptoKeys/stratos-crypto-key-01/roles/cloudkms.cryptoKeyEncrypterDecrypter" -> null
      - members       = [
          - "serviceAccount:cmek-p1098152786644@gcp-sa-logging.iam.gserviceaccount.com",
        ] -> null
      - role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter" -> null
    }

  # module.log_storage.google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_cmek_03 will be destroyed
  # (because google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_cmek_03 is not in configuration)
  - resource "google_kms_crypto_key_iam_binding" "stratos_crypto_key_binding_cmek_03" {
      - crypto_key_id = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-03/cryptoKeys/stratos-crypto-key-cmek-03" -> null
      - etag          = "BwX4b/1IV/4=" -> null
      - id            = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-03/cryptoKeys/stratos-crypto-key-cmek-03/roles/cloudkms.cryptoKeyEncrypterDecrypter" -> null
      - members       = [
          - "serviceAccount:cmek-p1098152786644@gcp-sa-logging.iam.gserviceaccount.com",
        ] -> null
      - role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter" -> null
    }

  # module.log_storage.google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_cmek_06 will be destroyed
  # (because google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_cmek_06 is not in configuration)
  - resource "google_kms_crypto_key_iam_binding" "stratos_crypto_key_binding_cmek_06" {
      - crypto_key_id = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-06/cryptoKeys/stratos-crypto-key-cmek-06" -> null
      - etag          = "BwX4f3MJUOc=" -> null
      - id            = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-06/cryptoKeys/stratos-crypto-key-cmek-06/roles/cloudkms.cryptoKeyEncrypterDecrypter" -> null
      - members       = [
          - "serviceAccount:cmek-p1098152786644@gcp-sa-logging.iam.gserviceaccount.com",
        ] -> null
      - role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter" -> null
    }

  # module.log_storage.google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_cmek_07 will be destroyed
  # (because google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_cmek_07 is not in configuration)
  - resource "google_kms_crypto_key_iam_binding" "stratos_crypto_key_binding_cmek_07" {
      - crypto_key_id = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-07/cryptoKeys/stratos-crypto-key-cmek-07" -> null
      - etag          = "BwX4f7OA9gM=" -> null
      - id            = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-07/cryptoKeys/stratos-crypto-key-cmek-07/roles/cloudkms.cryptoKeyEncrypterDecrypter" -> null
      - members       = [
          - "serviceAccount:cmek-p1098152786644@gcp-sa-logging.iam.gserviceaccount.com",
        ] -> null
      - role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter" -> null
    }

  # module.log_storage.google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_cmek_08 will be created
  + resource "google_kms_crypto_key_iam_binding" "stratos_crypto_key_binding_cmek_08" {
      + crypto_key_id = (known after apply)
      + etag          = (known after apply)
      + id            = (known after apply)
      + members       = [
          + "serviceAccount:cmek-p1098152786644@gcp-sa-logging.iam.gserviceaccount.com",
        ]
      + role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    }

  # module.log_storage.google_kms_key_ring.keyring_stratos_01 will be destroyed
  # (because google_kms_key_ring.keyring_stratos_01 is not in configuration)
  - resource "google_kms_key_ring" "keyring_stratos_01" {
      - id       = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-01" -> null
      - location = "europe-west2" -> null
      - name     = "stratos-keyring-01" -> null
      - project  = "playpen-xcvcef" -> null
    }

  # module.log_storage.google_kms_key_ring.keyring_stratos_cmek_03 will be destroyed
  # (because google_kms_key_ring.keyring_stratos_cmek_03 is not in configuration)
  - resource "google_kms_key_ring" "keyring_stratos_cmek_03" {
      - id       = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-03" -> null
      - location = "europe-west2" -> null
      - name     = "stratos-keyring-cmek-03" -> null
      - project  = "playpen-xcvcef" -> null
    }

  # module.log_storage.google_kms_key_ring.keyring_stratos_cmek_06 will be destroyed
  # (because google_kms_key_ring.keyring_stratos_cmek_06 is not in configuration)
  - resource "google_kms_key_ring" "keyring_stratos_cmek_06" {
      - id       = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-06" -> null
      - location = "europe-west2" -> null
      - name     = "stratos-keyring-cmek-06" -> null
      - project  = "playpen-xcvcef" -> null
    }

  # module.log_storage.google_kms_key_ring.keyring_stratos_cmek_07 will be destroyed
  # (because google_kms_key_ring.keyring_stratos_cmek_07 is not in configuration)
  - resource "google_kms_key_ring" "keyring_stratos_cmek_07" {
      - id       = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-07" -> null
      - location = "europe-west2" -> null
      - name     = "stratos-keyring-cmek-07" -> null
      - project  = "playpen-xcvcef" -> null
    }

  # module.log_storage.google_kms_key_ring.keyring_stratos_cmek_08 will be created
  + resource "google_kms_key_ring" "keyring_stratos_cmek_08" {
      + id       = (known after apply)
      + location = "europe-west2"
      + name     = "stratos-keyring-cmek-08"
      + project  = (known after apply)
    }

  # module.log_storage.google_logging_project_bucket_config.stratos_logbucket will be destroyed
  # (because google_logging_project_bucket_config.stratos_logbucket is not in configuration)
  - resource "google_logging_project_bucket_config" "stratos_logbucket" {
      - bucket_id        = "stratos_log_bucket" -> null
      - enable_analytics = false -> null
      - id               = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket" -> null
      - lifecycle_state  = "DELETE_REQUESTED" -> null
      - location         = "europe-west2" -> null
      - name             = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket" -> null
      - project          = "playpen-xcvcef" -> null
      - retention_days   = 1 -> null

      - cmek_settings {
          - kms_key_name         = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring/cryptoKeys/stratos-crypto-key" -> null
          - kms_key_version_name = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring/cryptoKeys/stratos-crypto-key/cryptoKeyVersions/3" -> null
          - service_account_id   = "cmek-p1098152786644@gcp-sa-logging.iam.gserviceaccount.com" -> null
        }
    }

  # module.log_storage.google_logging_project_bucket_config.stratos_logbucket_cmek_03 will be destroyed
  # (because google_logging_project_bucket_config.stratos_logbucket_cmek_03 is not in configuration)
  - resource "google_logging_project_bucket_config" "stratos_logbucket_cmek_03" {
      - bucket_id        = "stratos_log_bucket_la_cmek_03" -> null
      - enable_analytics = false -> null
      - id               = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_03" -> null
      - lifecycle_state  = "DELETE_REQUESTED" -> null
      - location         = "europe-west2" -> null
      - name             = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_03" -> null
      - project          = "playpen-xcvcef" -> null
      - retention_days   = 30 -> null

      - cmek_settings {
          - kms_key_name         = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-03/cryptoKeys/stratos-crypto-key-cmek-03" -> null
          - kms_key_version_name = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-03/cryptoKeys/stratos-crypto-key-cmek-03/cryptoKeyVersions/1" -> null
          - service_account_id   = "cmek-p1098152786644@gcp-sa-logging.iam.gserviceaccount.com" -> null
        }
    }

  # module.log_storage.google_logging_project_bucket_config.stratos_logbucket_cmek_06 will be destroyed
  # (because google_logging_project_bucket_config.stratos_logbucket_cmek_06 is not in configuration)
  - resource "google_logging_project_bucket_config" "stratos_logbucket_cmek_06" {
      - bucket_id        = "stratos_log_bucket_la_cmek_06" -> null
      - enable_analytics = true -> null
      - id               = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_06" -> null
      - lifecycle_state  = "DELETE_REQUESTED" -> null
      - location         = "europe-west2" -> null
      - name             = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_06" -> null
      - project          = "playpen-xcvcef" -> null
      - retention_days   = 1 -> null
    }

  # module.log_storage.google_logging_project_bucket_config.stratos_logbucket_cmek_07 will be destroyed
  # (because google_logging_project_bucket_config.stratos_logbucket_cmek_07 is not in configuration)
  - resource "google_logging_project_bucket_config" "stratos_logbucket_cmek_07" {
      - bucket_id        = "stratos_log_bucket_la_cmek_07" -> null
      - enable_analytics = true -> null
      - id               = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_07" -> null
      - lifecycle_state  = "ACTIVE" -> null
      - location         = "europe-west2" -> null
      - name             = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_07" -> null
      - project          = "playpen-xcvcef" -> null
      - retention_days   = 1 -> null
    }

  # module.log_storage.google_logging_project_bucket_config.stratos_logbucket_cmek_08 will be created
  + resource "google_logging_project_bucket_config" "stratos_logbucket_cmek_08" {
      + bucket_id       = "stratos_log_bucket_la_cmek_08"
      + description     = (known after apply)
      + id              = (known after apply)
      + lifecycle_state = (known after apply)
      + location        = "europe-west2"
      + name            = (known after apply)
      + project         = "playpen-xcvcef"
      + retention_days  = 30

      + cmek_settings {
          + kms_key_name         = (known after apply)
          + kms_key_version_name = (known after apply)
          + name                 = (known after apply)
          + service_account_id   = (known after apply)
        }
    }

  # module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la will be destroyed
  # (because google_logging_project_bucket_config.stratos_logbucket_la is not in configuration)
  - resource "google_logging_project_bucket_config" "stratos_logbucket_la" {
      - bucket_id        = "stratos_log_bucket_la_cmek" -> null
      - enable_analytics = false -> null
      - id               = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek" -> null
      - lifecycle_state  = "DELETE_REQUESTED" -> null
      - location         = "europe-west2" -> null
      - name             = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek" -> null
      - project          = "playpen-xcvcef" -> null
      - retention_days   = 1 -> null

      - cmek_settings {
          - kms_key_name         = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-01/cryptoKeys/stratos-crypto-key-cmek-01" -> null
          - kms_key_version_name = "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-01/cryptoKeys/stratos-crypto-key-cmek-01/cryptoKeyVersions/1" -> null
          - service_account_id   = "cmek-p1098152786644@gcp-sa-logging.iam.gserviceaccount.com" -> null
        }
    }

  # module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_04 will be destroyed
  # (because google_logging_project_bucket_config.stratos_logbucket_la_04 is not in configuration)
  - resource "google_logging_project_bucket_config" "stratos_logbucket_la_04" {
      - bucket_id        = "stratos_log_bucket_la_cmek_04" -> null
      - enable_analytics = true -> null
      - id               = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_04" -> null
      - lifecycle_state  = "DELETE_REQUESTED" -> null
      - location         = "europe-west2" -> null
      - name             = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_04" -> null
      - project          = "playpen-xcvcef" -> null
      - retention_days   = 1 -> null
    }

  # module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_05 will be destroyed
  # (because google_logging_project_bucket_config.stratos_logbucket_la_05 is not in configuration)
  - resource "google_logging_project_bucket_config" "stratos_logbucket_la_05" {
      - bucket_id        = "stratos_log_bucket_la_cmek_05" -> null
      - enable_analytics = true -> null
      - id               = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_05" -> null
      - lifecycle_state  = "DELETE_REQUESTED" -> null
      - location         = "europe-west2" -> null
      - name             = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_05" -> null
      - project          = "playpen-xcvcef" -> null
      - retention_days   = 1 -> null
    }

  # module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_06 will be destroyed
  # (because google_logging_project_bucket_config.stratos_logbucket_la_06 is not in configuration)
  - resource "google_logging_project_bucket_config" "stratos_logbucket_la_06" {
      - bucket_id        = "stratos_log_bucket_la_cmek_06" -> null
      - enable_analytics = true -> null
      - id               = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_06" -> null
      - lifecycle_state  = "DELETE_REQUESTED" -> null
      - location         = "europe-west2" -> null
      - name             = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_06" -> null
      - project          = "playpen-xcvcef" -> null
      - retention_days   = 1 -> null
    }

  # module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_07 will be destroyed
  # (because google_logging_project_bucket_config.stratos_logbucket_la_07 is not in configuration)
  - resource "google_logging_project_bucket_config" "stratos_logbucket_la_07" {
      - bucket_id        = "stratos_log_bucket_la_cmek_07" -> null
      - enable_analytics = true -> null
      - id               = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_07" -> null
      - lifecycle_state  = "ACTIVE" -> null
      - location         = "europe-west2" -> null
      - name             = "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_07" -> null
      - project          = "playpen-xcvcef" -> null
      - retention_days   = 1 -> null
    }

  # module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_08 will be created
  + resource "google_logging_project_bucket_config" "stratos_logbucket_la_08" {
      + bucket_id        = "stratos_log_bucket_la_cmek_08"
      + description      = (known after apply)
      + enable_analytics = true
      + id               = (known after apply)
      + lifecycle_state  = (known after apply)
      + location         = "europe-west2"
      + name             = (known after apply)
      + project          = "playpen-xcvcef"
      + retention_days   = 1
    }

Plan: 5 to add, 0 to change, 21 to destroy.

------------------------------------------------------------------------

Cost Estimation:

Resources: 0 of 5 estimated
           $0.0/mo +$0.0

------------------------------------------------------------------------

Organization Policy Check:

============= Results for policy set: policy-library-meta-terraform ============

Sentinel Result: true

This result means that all Sentinel policies passed and the protected
behavior is allowed.

4 policies evaluated.

## Policy 1: policy-library-meta-terraform/deny-restricted-resources (advisory)

Result: true

./deny-restricted-resources.sentinel:73:1 - Rule "main"
  Value:
    true

./deny-restricted-resources.sentinel:69:1 - Rule "are_restricted_resources_defined"
  Description:
    Does the repo define any restricted resources outside of the
    allowed modules

  Value:
    false

## Policy 2: policy-library-meta-terraform/restrict-modules-to-private-registry (advisory)

Result: true

./restrict-modules-to-private-registry.sentinel:54:1 - Rule "main"
  Description:
    Modules must live in our private module registry.

  Value:
    true

## Policy 3: policy-library-meta-terraform/restrict-terraform-version (soft-mandatory)

Result: true

Description:
  The policy uses the tfplan import to enforce the usage of Terraform version  0.12 or higher

./restrict-terraform-version.sentinel:26:1 - Rule "main"
  Description:
    The terraform version number must be compliant

  Value:
    true

## Policy 4: policy-library-meta-terraform/restrict-tf-providers (soft-mandatory)

Result: true

Description:
  This policy uses the tfconfig/v2 import to restrict providers to those  in an allowed list.

./restrict-tf-providers.sentinel:78:1 - Rule "main"
  Description:
    Only terraform providers in the platform allow list can be used

  Value:
    true

====== Results for policy set: policy-library-tfe-project-module-terraform =====

Sentinel Result: true

This result means that all Sentinel policies passed and the protected
behavior is allowed.

2 policies evaluated.

## Policy 1: policy-library-tfe-project-module-terraform/enforce-curated-project-module-use (advisory)

Result: true

./enforce-curated-project-module-use.sentinel:41:1 - Rule "main"
  Value:
    true

## Policy 2: policy-library-tfe-project-module-terraform/enforce-module-version-constraint (soft-mandatory)

Result: true

./enforce-module-version-constraint.sentinel:48:1 - Rule "main"
  Description:
    Main rule

  Value:
    true

===== Results for policy set: policy-library-tfe-workspace-module-terraform ====

Sentinel Result: true

This result means that all Sentinel policies passed and the protected
behavior is allowed.

3 policies evaluated.

## Policy 1: policy-library-tfe-workspace-module-terraform/restrict-workspace-module-version (advisory)

Result: true

./restrict-workspace-module-version.sentinel:39:1 - Rule "main"
  Description:
    Main rule

  Value:
    true

## Policy 2: policy-library-tfe-workspace-module-terraform/team-access-permissions (advisory)

Result: true

./team-access-permissions.sentinel:10:1 - Rule "main"
  Value:
    true

## Policy 3: policy-library-tfe-workspace-module-terraform/tfe-workspace-modules (advisory)

Result: true

./tfe-workspace-modules.sentinel:14:1 - Rule "main"
  Value:
    true

------------------------------------------------------------------------

module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_05: Destroying... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_05]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_04: Destroying... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_04]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_cmek_07: Destroying... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_07]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_cmek_06: Destroying... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_06]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_08: Creating...
module.log_storage.google_logging_project_bucket_config.stratos_logbucket: Destroying... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la: Destroying... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_cmek_03: Destroying... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_03]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_cmek_07: Destruction complete after 1s
module.log_storage.google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_cmek_07: Destroying... [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-07/cryptoKeys/stratos-crypto-key-cmek-07/roles/cloudkms.cryptoKeyEncrypterDecrypter]
module.log_storage.google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_cmek_07: Destruction complete after 5s
module.log_storage.google_kms_crypto_key.key_stratos_cmek_07: Destroying... [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-07/cryptoKeys/stratos-crypto-key-cmek-07]
module.log_storage.google_kms_crypto_key.key_stratos_cmek_07: Destruction complete after 1s
module.log_storage.google_kms_key_ring.keyring_stratos_cmek_07: Destroying... [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-07]
module.log_storage.google_kms_key_ring.keyring_stratos_cmek_07: Destruction complete after 0s
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_07: Destroying... [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_07]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_08: Still creating... [10s elapsed]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_08: Still creating... [20s elapsed]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_08: Still creating... [30s elapsed]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_08: Still creating... [40s elapsed]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_la_08: Creation complete after 46s [id=projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_08]
module.log_storage.google_kms_key_ring.keyring_stratos_cmek_08: Creating...
module.log_storage.google_kms_key_ring.keyring_stratos_cmek_08: Creation complete after 1s [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-08]
module.log_storage.google_kms_crypto_key.key_stratos_cmek_08: Creating...
module.log_storage.google_kms_crypto_key.key_stratos_cmek_08: Creation complete after 0s [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-08/cryptoKeys/stratos-crypto-key-cmek-08]
module.log_storage.google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_cmek_08: Creating...
module.log_storage.google_kms_crypto_key_iam_binding.stratos_crypto_key_binding_cmek_08: Creation complete after 6s [id=projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-08/cryptoKeys/stratos-crypto-key-cmek-08/roles/cloudkms.cryptoKeyEncrypterDecrypter]
module.log_storage.google_logging_project_bucket_config.stratos_logbucket_cmek_08: Creating...
╷
│ Error: Error deleting Logging Bucket Config "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_07": googleapi: Error 400: Only buckets in state ACTIVE can be deleted
│
│
╵
╷
│ Error: Error deleting Logging Bucket Config "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_03": googleapi: Error 400: Only buckets in state ACTIVE can be deleted
│
│
╵
╷
│ Error: Error deleting Logging Bucket Config "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_06": googleapi: Error 400: Only buckets in state ACTIVE can be deleted
│
│
╵
╷
│ Error: Error deleting Logging Bucket Config "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_04": googleapi: Error 400: Only buckets in state ACTIVE can be deleted
│
│
╵
╷
│ Error: Error deleting Logging Bucket Config "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket": googleapi: Error 400: Only buckets in state ACTIVE can be deleted
│
│
╵
╷
│ Error: Error deleting Logging Bucket Config "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_05": googleapi: Error 400: Only buckets in state ACTIVE can be deleted
│
│
╵
╷
│ Error: Error updating Logging Bucket Config "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_08": googleapi: Error 400: This bucket has advanced analytics enabled. CMEK is not compatible with advanced analytics buckets
│
│   with module.log_storage.google_logging_project_bucket_config.stratos_logbucket_cmek_08,
│   on modules/log_storage/main.tf line 34, in resource "google_logging_project_bucket_config" "stratos_logbucket_cmek_08":
│   34: resource "google_logging_project_bucket_config" "stratos_logbucket_cmek_08" {
│
╵
╷
│ Error: Error deleting Logging Bucket Config "projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek": googleapi: Error 400: Only buckets in state ACTIVE can be deleted
│
│
╵
Operation failed: failed running terraform apply (exit 1)
deepak-tharanath commented 1 year ago

Sorry for the messy output; I don't have any better way to share the logs. Please ignore the logs for storage destroys, which are test buckets created for this testing.

edwardmedia commented 1 year ago

Thanks @deepak-tharanath let me take a look

edwardmedia commented 1 year ago

I am seeing this. I wonder how to make the bucket eligible.

PATCH /v2/projects/myproject/locations/us-central1/buckets/issue14193?alt=json&updateMask=analyticsEnabled HTTP/1.1
Host: logging.googleapis.com
{
 "analyticsEnabled": true
}

---[ RESPONSE ]--------------------------------------
{
  "error": {
    "code": 400,
    "message": "Bucket is not eligible for an upgrade to enable analytics",
    "status": "INVALID_ARGUMENT"
  }
}
edwardmedia commented 1 year ago

If enable_analytics=true is set first and the cmek_settings block is then uncommented, the API returns

googleapi: Error 400: This bucket has advanced analytics enabled. CMEK is not compatible with advanced analytics buckets

resource "google_logging_project_bucket_config" "example-project-bucket-cmek-settings" {
    location       = "us-central1"
    retention_days = 30
    bucket_id      = "issue14193"
    # First apply with cmek_settings commented out; uncommenting it on a
    # later apply produces the 400 above.
/*
    cmek_settings {
        kms_key_name = google_kms_crypto_key.key.id
    }
*/
    enable_analytics = true
}
edwardmedia commented 1 year ago

@deepak-tharanath I see api rejects both approaches. You said you were able to set it up via console. Can you share the steps to achieve it and screenshots?

deepak-tharanath commented 1 year ago

Tried this via API explorer

  1. Create a log bucket with Log Analytics enabled:

curl --request POST \
  'https://logging.googleapis.com/v2/projects/playpen-xcvcef/locations/europe-west2/buckets?bucketId=api-stratos-log-bucket-02&key=[YOUR_API_KEY]' \
  --header 'Authorization: Bearer [YOUR_ACCESS_TOKEN]' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --data '{"analyticsEnabled":true,"retentionDays":1}' \
  --compressed

Response:

{
  "name": "projects/playpen-xcvcef/locations/europe-west2/buckets/api-stratos-log-bucket-02",
  "createTime": "2023-04-05T09:35:21.094540724Z",
  "updateTime": "2023-04-05T09:35:21.094540724Z",
  "retentionDays": 1,
  "lifecycleState": "ACTIVE",
  "analyticsEnabled": true
}

  2. Patch the CMEK settings:

curl --request PATCH \
  'https://logging.googleapis.com/v2/projects/playpen-xcvcef/locations/europe-west2/buckets/api-stratos-log-bucket-02?updateMask=cmek_settings.kms_key_name&key=[YOUR_API_KEY]' \
  --header 'Authorization: Bearer [YOUR_ACCESS_TOKEN]' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --data '{"cmekSettings":{"kmsKeyName":"projects/playpen-xcvcef/locations/europe-west2/keyRings/keyring-stratos-api/cryptoKeys/crypto-key-api"}}' \
  --compressed

Response:

{
  "name": "projects/playpen-xcvcef/locations/europe-west2/buckets/api-stratos-log-bucket-02",
  "createTime": "2023-04-05T09:35:21.094540724Z",
  "updateTime": "2023-04-05T09:41:16.590976148Z",
  "retentionDays": 1,
  "lifecycleState": "ACTIVE",
  "analyticsEnabled": true,
  "cmekSettings": {
    "kmsKeyName": "projects/playpen-xcvcef/locations/europe-west2/keyRings/keyring-stratos-api/cryptoKeys/crypto-key-api"
  }
}

deepak-tharanath commented 1 year ago

Request and response from the TRACE logs:

2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: ---[ REQUEST ]---------------------------------------
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: PATCH /v2/projects/playpen-xcvcef/locations/europe-west2/buckets/stratos_log_bucket_la_cmek_18?alt=json&updateMask=retentionDays%2CcmekSettings HTTP/1.1
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: Host: logging.googleapis.com
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: User-Agent: Terraform/1.3.9 (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google/4.59.0
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: Content-Length: 242
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: Content-Type: application/json
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: Accept-Encoding: gzip
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: {
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:  "cmekSettings": {
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:   "kmsKeyName": "projects/playpen-xcvcef/locations/europe-west2/keyRings/stratos-keyring-cmek-18/cryptoKeys/stratos-crypto-key-cmek-18",
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:   "kmsKeyVersionName": "",
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:   "name": "",
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:   "serviceAccountId": ""
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:  },
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:  "description": "",
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:  "retentionDays": 1
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: }
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:
2023-04-05T14:50:19.953Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: -----------------------------------------------------
2023-04-05T14:50:20.035Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: 2023/04/05 14:50:20 [DEBUG] Google API Response Details:
2023-04-05T14:50:20.035Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: ---[ RESPONSE ]--------------------------------------
2023-04-05T14:50:20.035Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: HTTP/2.0 400 Bad Request
2023-04-05T14:50:20.035Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
2023-04-05T14:50:20.035Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: Cache-Control: private
2023-04-05T14:50:20.035Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: Content-Type: application/json; charset=UTF-8
2023-04-05T14:50:20.035Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: Date: Wed, 05 Apr 2023 14:50:20 GMT
2023-04-05T14:50:20.035Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: Server: ESF
2023-04-05T14:50:20.035Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: Vary: Origin
2023-04-05T14:50:20.035Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: Vary: X-Origin
2023-04-05T14:50:20.035Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: Vary: Referer
2023-04-05T14:50:20.035Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: X-Content-Type-Options: nosniff
2023-04-05T14:50:20.035Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: X-Frame-Options: SAMEORIGIN
2023-04-05T14:50:20.035Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: X-Xss-Protection: 0
2023-04-05T14:50:20.035Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:
2023-04-05T14:50:20.036Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: {
2023-04-05T14:50:20.036Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:   "error": {
2023-04-05T14:50:20.036Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:     "code": 400,
2023-04-05T14:50:20.036Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:     "message": "This bucket has advanced analytics enabled. CMEK is not compatible with advanced analytics buckets",
2023-04-05T14:50:20.036Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:     "status": "FAILED_PRECONDITION"
2023-04-05T14:50:20.036Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:   }
2023-04-05T14:50:20.036Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5: }
2023-04-05T14:50:20.036Z [DEBUG] provider.terraform-provider-google_v4.59.0_x5:
edwardmedia commented 1 year ago

I see the diff in the PATCH request.

Call from the provider (not working)

https://logging.googleapis.com/v2/projects/playpen-xcvcef/locations/europe-west2/buckets/api-stratos-log-bucket-02?updateMask=cmek_settings

Receiving 200 from the call below (note the diff: updateMask=cmek_settings.kms_key_name)

https://logging.googleapis.com/v2/projects/playpen-xcvcef/locations/europe-west2/buckets/api-stratos-log-bucket-02?updateMask=cmek_settings.kms_key_name
deepak-tharanath commented 1 year ago

@edwardmedia , Am I right in saying this needs to be corrected from your end? I hope there is no action for me.

trodge commented 1 year ago

@deepak-tharanath could you show the output of a GET request on the logging bucket resource? When I replicate the request to add cmekSettings to a bucket with analytics enabled I get a 200 response from the API but when I get the bucket there is no cmekSettings in the response.

deepak-tharanath commented 1 year ago

Hi Trodge, yes, we observed the same. The GET response doesn't return the CMEK settings even after they've been enabled.
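
The thread above shows three things worth scripting: the two API-explorer calls (create the bucket, then PATCH cmek_settings with the narrow mask), the difference between the provider's broad updateMask and the cmek_settings.kms_key_name mask that returns 200, and the fact that a 200 on that PATCH does not prove anything because the following GET comes back without cmekSettings. The Python below is an added example written for this page, not code from the issue reporter or from the provider. It builds the PATCH with the narrow mask from the thread, then re-reads the bucket and reports whether the key is actually stored, treating analyticsEnabled=true with no cmekSettings as the failure mode the thread describes. The HTTP transport is injected so it runs offline; the project, bucket and key names are constructed, and http_send assumes an OAuth2 bearer token obtained elsewhere (for example from gcloud auth print-access-token).

```python
# Added example (not from the issue thread or the provider): PATCH a Cloud
# Logging bucket's CMEK key with the narrow field mask from the thread, then
# verify with a GET that the key is really stored.
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

LOGGING_API = "https://logging.googleapis.com/v2"

# Field masks seen in the thread: the provider's broad mask (rejected on an
# analytics bucket) and the API-explorer mask that returned 200.
PROVIDER_MASK = "cmekSettings"
NARROW_MASK = "cmek_settings.kms_key_name"


def bucket_name(project: str, location: str, bucket_id: str) -> str:
    return f"projects/{project}/locations/{location}/buckets/{bucket_id}"


def patch_cmek_request(name: str, kms_key_name: str, update_mask: str = NARROW_MASK):
    """(method, url, body) for buckets.patch limited to the KMS key name.
    Only kmsKeyName is sent; the output-only fields the provider included
    (kmsKeyVersionName, name, serviceAccountId) are left out."""
    url = f"{LOGGING_API}/{name}?" + urlencode({"updateMask": update_mask})
    return "PATCH", url, {"cmekSettings": {"kmsKeyName": kms_key_name}}


def get_bucket_request(name: str):
    return "GET", f"{LOGGING_API}/{name}", None


def cmek_problems(bucket: dict, expected_key: str) -> list:
    """Compare the bucket returned by buckets.get with what was requested.
    Empty list: CMEK really applied. A 200 on the PATCH alone is not proof;
    the thread shows GET omitting cmekSettings afterwards."""
    problems = []
    state = bucket.get("lifecycleState")
    if state != "ACTIVE":
        problems.append(f"bucket lifecycleState is {state!r}, not ACTIVE")
    actual = bucket.get("cmekSettings", {}).get("kmsKeyName")
    if actual is None:
        problems.append("GET response has no cmekSettings.kmsKeyName")
        if bucket.get("analyticsEnabled"):
            problems.append("analyticsEnabled=true: CMEK not accepted on an analytics bucket")
    elif actual != expected_key:
        problems.append(f"kmsKeyName is {actual!r}, expected {expected_key!r}")
    return problems


def apply_and_verify(send, name: str, kms_key_name: str) -> list:
    """PATCH, then re-read the bucket; return the list of problems found."""
    method, url, body = patch_cmek_request(name, kms_key_name)
    status, _ = send(method, url, body)
    if status != 200:
        return [f"PATCH returned HTTP {status}"]
    status, bucket = send(*get_bucket_request(name))
    if status != 200:
        return [f"GET returned HTTP {status}"]
    return cmek_problems(bucket, kms_key_name)


def http_send(token: str):
    """Real transport. Assumption: an OAuth2 bearer token obtained elsewhere.
    Not used by the offline demo below."""
    def send(method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        })
        with urlopen(req) as resp:
            return resp.status, json.load(resp)
    return send


def fake_send(get_response: dict):
    """Constructed transport: PATCH answers 200 (as observed in the thread),
    GET answers with the supplied bucket document."""
    def send(method, url, body):
        return 200, ({} if method == "PATCH" else get_response)
    return send


# Constructed bucket documents modelled on the shapes shown in the thread.
NAME = bucket_name("example-project", "europe-west2", "analytics-bucket")
KEY = "projects/example-project/locations/europe-west2/keyRings/ring/cryptoKeys/key"
GET_AFTER_PATCH_NO_CMEK = {"name": NAME, "lifecycleState": "ACTIVE",
                           "analyticsEnabled": True, "retentionDays": 1}
GET_AFTER_PATCH_WITH_CMEK = {"name": NAME, "lifecycleState": "ACTIVE",
                             "retentionDays": 1, "cmekSettings": {"kmsKeyName": KEY}}

if __name__ == "__main__":
    for label, doc in (("analytics bucket", GET_AFTER_PATCH_NO_CMEK),
                       ("plain bucket", GET_AFTER_PATCH_WITH_CMEK)):
        print(label, apply_and_verify(fake_send(doc), NAME, KEY) or "CMEK verified")
```

To run it against a real project, pass http_send(token) instead of fake_send(...) and a bucket name built from your own project; the point is that apply_and_verify refuses to report success on the PATCH status alone and only passes when the GET shows the expected kmsKeyName on an ACTIVE bucket.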

pengq-google commented 1 year ago

Analytics buckets did not support CMEK until May 2023. This issue was opened in April.