hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Creating CMEK enabled Artifact Registry fails if the default service account wasn't previously created #15572

Open palo-manel opened 1 year ago

palo-manel commented 1 year ago

Terraform Version

Affected Resource(s)

Terraform Configuration Files

provider "google" {
  project = var.project_id
  region  = var.region
}

resource "google_project_service" "gcp_apis" {
  for_each = toset([
    "cloudresourcemanager.googleapis.com",
    "container.googleapis.com",
    "cloudkms.googleapis.com",
    "containerscanning.googleapis.com",
  ])
  project                    = var.project_id
  service                    = each.value
  disable_dependent_services = false
  disable_on_destroy         = false
}

data "google_project" "project" {}

resource "google_kms_key_ring" "keyring" {
  name     = "keyring"
  location = var.region
  depends_on = [
    google_project_service.gcp_apis
  ]
}

resource "google_kms_crypto_key" "docker_key" {
  name            = "docker-key"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = var.key-rotation-period

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_crypto_key_iam_member" "docker_key_iam" {
  crypto_key_id = google_kms_crypto_key.docker_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
}

resource "google_artifact_registry_repository" "docker_repo" {
  repository_id = "docker-repository"
  description   = "Docker Image repository"
  format        = "DOCKER"
  kms_key_name  = google_kms_crypto_key.docker_key.id
  depends_on = [
    google_project_service.gcp_apis,
    google_kms_crypto_key_iam_member.docker_key_iam
  ]
}

Debug Output

https://gist.github.com/palo-manel/a2ec8eb55935a0904ba351a8993c9afc

Panic Output

N/A

Expected Behavior

I copied from the CMEK example in the artifact_registry_repository resource documentation. Starting with an empty project and running this code I expected a CMEK enabled Artifact Registry to be created.

Actual Behavior

Access to the key needs to be provided to the Artifact Registry service account. As the service account doesn't exist before a repository has been created, terraform apply fails. There seems to be a bit of a chicken and egg problem here.

Steps to Reproduce

  1. Create a new GCP project
  2. terraform apply

Important Factoids

My first thought to solve this issue was manually creating a service account and providing it with access to the key, then having the repository be created with that service account. But it's not possible to do that.

References

edwardmedia commented 1 year ago

b/296867224
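The chicken-and-egg ordering described in the report can be broken by materialising the Artifact Registry service agent first, then granting it the key role, then creating the repository. The following is an added example and not the reporter's configuration or a change proposed by the provider maintainers; it assumes the var.project_id, var.region, google_kms_crypto_key.docker_key and google_project_service resources from the report, and uses google_project_service_identity, which at the time of the report lives in the google-beta provider.

```hcl
# Added example (not the reporter's config): create the Artifact Registry
# service agent before granting it access to the CMEK key, so the IAM grant
# no longer depends on a repository already existing.
provider "google-beta" {
  project = var.project_id
  region  = var.region
}

# The report's API list does not enable Artifact Registry; the service agent
# cannot be created until the API is on.
resource "google_project_service" "artifactregistry" {
  project            = var.project_id
  service            = "artifactregistry.googleapis.com"
  disable_on_destroy = false
}

# Forces creation of the per-project service agent and exposes its email,
# so the "service-<number>@..." address does not have to be hard-coded.
resource "google_project_service_identity" "artifactregistry" {
  provider   = google-beta
  project    = var.project_id
  service    = "artifactregistry.googleapis.com"
  depends_on = [google_project_service.artifactregistry]
}

# Least-privilege grant: only encrypt/decrypt on this one key, only to the
# service agent that actually needs it.
resource "google_kms_crypto_key_iam_member" "docker_key_iam" {
  crypto_key_id = google_kms_crypto_key.docker_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${google_project_service_identity.artifactregistry.email}"
}

# The repository is created only after the grant exists, so the first
# write to the repository can already use the key.
resource "google_artifact_registry_repository" "docker_repo" {
  repository_id = "docker-repository"
  description   = "Docker Image repository"
  format        = "DOCKER"
  location      = var.region
  kms_key_name  = google_kms_crypto_key.docker_key.id
  depends_on    = [google_kms_crypto_key_iam_member.docker_key_iam]
}
```

If the grant is ever removed while the repository still exists, pushes and pulls fail with a KMS permission error rather than silently falling back to Google-managed encryption, which is the behaviour to watch for in audit logs.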