Failing test(s): TestAccComputeInstanceTemplate_sourceImageEncryptionKey (beta)

[SarahFrench]

Failure rates

• 70.3% since 2023-08-10

Impacted tests

• TestAccComputeInstanceTemplate_sourceImageEncryptionKey (Beta)

Affected Resource(s)

• google_XXXXX - leaving this unchanged as it's not relevant to service teams

Nightly build test history

• TestAccComputeInstanceTemplate_sourceImageEncryptionKey (Beta)

  Message(s)

Error:
    Error creating Image: googleapi:
        Error 400: Cloud KMS error when using key projects/ci-test-project-nightly-ga/locations/us-central1/keyRings/tftest-shared-keyring-1/cryptoKeys/tftest-shared-key-1: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/ci-test-project-nightly-ga/locations/us-central1/keyRings/tftest-shared-keyring-1/cryptoKeys/tftest-shared-key-1' (or it may not exist)., kmsPermissionDenied

[SarahFrench]

I think this test failure could be related to how there are authoritative IAM resources changing IAM policies on shared KMS resources in acceptance tests : https://github.com/hashicorp/terraform-provider-google-beta/blob/9779b44720e8e47f056a7f7fc608c5380eefb06c/google-beta/services/cloudfunctions2/resource_cloudfunctions2_function_generated_test.go#L848-L865

That code's in the TestAccCloudfunctions2function_cloudfunctions2CmekExample test, but I think it's affecting other tests that use bootstrapped KMS keys

[SarahFrench]

Just merged the PR I opened due to this issue - I want to check on the affected tests before closing this

That PR stopped TestAccCloudfunctions2function_cloudfunctions2CmekExample (Beta only) authoritatively controlling the binding for roles/cloudkms.cryptoKeyEncrypterDecrypter on a bootstrapped crypto key, so I'm hoping to see fewer permissions-related failures in the Beta tests.

These are tests in the TPGB nightly test project that fail due to missing permissions:

• TestAccComputeInstanceTemplate_sourceImageEncryptionKey (this issue)
• TestAccCloudFunctionsFunction_cmek
• TestAccComputeInstanceTemplate_sourceImageEncryptionKey
• TestAccComputeRegionInstanceTemplate_sourceImageEncryptionKey

Also in that PR, I added a missing depends_on argument to the TestAccComputeInstanceTemplate_sourceImageEncryptionKey tests

[SarahFrench]

Following https://github.com/hashicorp/terraform-provider-google/issues/16687#issuecomment-1849824203, where I described adding a depends_on field to the TestAccComputeInstanceTemplate_sourceImageEncryptionKey test, the test has passed in recent few days:

GA:

Beta:

Hopefully it'll continue

[SarahFrench]

These tests have continued to pass 100% of the time, so I'm closing this issue:

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.