hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Add 'primary' version of cryptokey to google_kms_crypto_key #5688

Closed rvdh closed 10 months ago

rvdh commented 4 years ago

Community Note

Description

To update the crypto key version to be used in MongoDB's Atlas encryption at rest resource (https://www.terraform.io/docs/providers/mongodbatlas/r/encryption_at_rest.html) we need to specify the crypto key version resource ID.

The GCP API returns, as part of the 'Primary' field of the crypto key, the current key version (https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#get). This should be returned by the google_kms_crypto_key resource or data source so we can return it as an output and pass it to the MongoDB Atlas provider.

New or Affected Resource(s)

Potential Terraform Configuration

data "google_kms_key_ring" "key_ring" {
  name     = "my_keyring"
  location = "europe-west1"
}

data "google_kms_crypto_key" "crypto_key" {
  name     = "my_crypto_key"
  key_ring = data.google_kms_key_ring.key_ring.self_link
}

resource "mongodbatlas_encryption_at_rest" "encryption" {
  project_id = var.mongodbatlas_project_id

  google_cloud_kms = {
    enabled                 = true
    service_account_key     = var.gcp_service_account_key
    key_version_resource_id = data.google_kms_crypto_key.crypto_key.primary.self_link
  }
}

bdelage commented 2 years ago

Hi, I'm encountering the same situation. I know it's been 2 years, but I was wondering if you solved it or circumvented it somehow?

rvdh commented 2 years ago

> Hi, I'm encountering the same situation. I know it's been 2 years, but I was wondering if you solved it or circumvented it somehow?

Nope, unfortunately we're still updating the key version ID manually every 90 days.

bdelage commented 2 years ago

Thanks Rick, I opened a suggestion for them to improve this: https://feedback.mongodb.com/forums/924145-atlas/suggestions/44834422-atlas-does-not-automatically-rotate-the-key-versio

saad-uddin commented 1 year ago

Hi, I am facing the same issue. We need to manually change the cryptokeyversion in the data source of our tfcode. It's been 2 years since this was reported; is there any solution to this yet, or any workaround?

@rvdh @danawillow @bdelage @topfunky @fd

Thanks in advance.

github-actions[bot] commented 9 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
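
A check for the situation discussed in this thread, added here as an example (not code from the issue or from either provider): it reads the primary field of a cryptoKeys.get response and reports whether a manually pinned key_version_resource_id has fallen behind after a rotation. The response is constructed sample data, and the function names are hypothetical.

```python
import json
import re

# Constructed sample shaped like a cryptoKeys.get response (not real output).
SAMPLE_CRYPTO_KEY = json.loads("""
{
  "name": "projects/example-project/locations/europe-west1/keyRings/my_keyring/cryptoKeys/my_crypto_key",
  "purpose": "ENCRYPT_DECRYPT",
  "rotationPeriod": "7776000s",
  "primary": {
    "name": "projects/example-project/locations/europe-west1/keyRings/my_keyring/cryptoKeys/my_crypto_key/cryptoKeyVersions/3",
    "state": "ENABLED"
  }
}
""")

# Splits a version resource ID into its parent crypto key and version number.
VERSION_RE = re.compile(
    r"^(projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+)"
    r"/cryptoKeyVersions/(\d+)$"
)


def primary_version_id(crypto_key: dict) -> str:
    """Return the resource ID of the key's primary version, or raise."""
    primary = crypto_key.get("primary")
    if not primary:
        # The API omits 'primary' for keys that have none, for example keys
        # whose purpose is not ENCRYPT_DECRYPT.
        raise ValueError(f"{crypto_key.get('name')} has no primary version")
    match = VERSION_RE.match(primary.get("name", ""))
    if not match or match.group(1) != crypto_key.get("name"):
        raise ValueError("primary.name does not belong to this crypto key")
    if primary.get("state") != "ENABLED":
        raise ValueError(f"primary version is {primary.get('state')}, not ENABLED")
    return primary["name"]


def pinned_version_is_stale(crypto_key: dict, pinned_id: str) -> bool:
    """True when the pinned key_version_resource_id is no longer the primary."""
    return pinned_id != primary_version_id(crypto_key)


if __name__ == "__main__":
    pinned = SAMPLE_CRYPTO_KEY["name"] + "/cryptoKeyVersions/2"  # constructed
    print("primary:", primary_version_id(SAMPLE_CRYPTO_KEY))
    print("pinned value stale:", pinned_version_is_stale(SAMPLE_CRYPTO_KEY, pinned))
```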