Closed aliciaalcalde closed 4 years ago
Good morning,
I created an IAM service account, a KMS keyring and a key in my own GCP account.

```hcl
# Service account for KMS
resource "google_service_account" "encryption_at_rest" {
  count        = var.encryption_at_rest_provider == "GCP" ? 1 : 0
  project      = var.gcp_project_id
  account_id   = "atlas-encrypt-${var.cluster_name}"
  display_name = "atlas-encrypt-${var.cluster_name}"
}

# IAM policy for KMS
resource "google_project_iam_member" "encryption_at_rest_admin" {
  count   = var.encryption_at_rest_provider == "GCP" ? 1 : 0
  project = var.gcp_project_id
  role    = "roles/cloudkms.admin"
  member  = "serviceAccount:atlas-encrypt-${var.cluster_name}@${var.gcp_project_id}.iam.gserviceaccount.com"
}

resource "google_project_iam_member" "encryption_at_rest_decrypt" {
  count   = var.encryption_at_rest_provider == "GCP" ? 1 : 0
  project = var.gcp_project_id
  # Role name must be one token; "roles/ cloudkms..." (with a space) is not a valid role.
  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member  = "serviceAccount:atlas-encrypt-${var.cluster_name}@${var.gcp_project_id}.iam.gserviceaccount.com"
}

# Create service account key
resource "google_service_account_key" "encryption_at_rest" {
  count              = var.encryption_at_rest_provider == "GCP" ? 1 : 0
  service_account_id = google_service_account.encryption_at_rest[count.index].name
  public_key_type    = "TYPE_X509_PEM_FILE"
}

# Atlas encryption_at_rest
resource "mongodbatlas_encryption_at_rest" "kms" {
  count      = var.encryption_at_rest_provider == "GCP" ? 1 : 0
  project_id = mongodbatlas_project.project.id

  google_cloud_kms = {
    enabled                 = true
    service_account_key     = jsonencode(base64decode(google_service_account_key.encryption_at_rest[count.index].private_key))
    key_version_resource_id = var.encryption_at_rest_key_version
  }

  # Bare reference; quoted strings inside depends_on are deprecated since Terraform 0.12.
  depends_on = [mongodbatlas_project.project]
}
```
It returns the following error:
```text
  # module.atlas.mongodbatlas_encryption_at_rest.kms[0] will be created
  + resource "mongodbatlas_encryption_at_rest" "kms" {
      + google_cloud_kms = {
          + "enabled"                 = "true"
          + "key_version_resource_id" = "projects/XXXX/locations/global/keyRings/XXXXX/cryptoKeys/XXXXXX/cryptoKeyVersions/1"
          + "service_account_key"     = jsonencode(
                {
                  + auth_provider_x509_cert_url = "https://www.googleapis.com/oauth2/v1/certs"
                  + auth_uri                    = "https://accounts.google.com/o/oauth2/auth"
                  + client_email                = "XXXXXX"
                  + client_id                   = "XXXXXXX"
                  + client_x509_cert_url        = "XXXXXXX"
                  + private_key                 = "-----BEGIN PRIVATE KEY-----\nXXXXXXXXXXXXX\n-----END PRIVATE KEY-----\n"
                  + private_key_id              = "XXXX"
                  + project_id                  = "XXXXXX"
                  + token_uri                   = "https://oauth2.googleapis.com/token"
                  + type                        = "service_account"
                }
            )
        }
      + id         = (known after apply)
      + project_id = "XXXXXX"
    }

module.atlas.mongodbatlas_encryption_at_rest.kms[0]: Creating...

Error: rpc error: code = Unavailable desc = transport is closing
```
I tried to create encryption at rest manually with the same service_account_key and key_version_resource_id, and it works.
Is my code right?
Thank you so much!!
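The Atlas resource above takes two opaque inputs, the service account key JSON and the KMS key version resource ID, and a plugin crash gives no hint if either has the wrong shape. The following added example (not from the issue or the provider; the key is a constructed placeholder, not a real credential) checks both offline, and also flags a `service_account_key` that was JSON-encoded twice, which is what `jsonencode()` does to a string that is already JSON:

```python
import json
import re

# Constructed placeholder key with the field layout seen in the plan output above.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "placeholder-key-id",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "atlas-encrypt-demo@example-project.iam.gserviceaccount.com",
    "client_id": "0",
    "token_uri": "https://oauth2.googleapis.com/token",
}
SAMPLE_KEY_JSON = json.dumps(SAMPLE_KEY)          # what base64decode(private_key) yields
DOUBLE_ENCODED = json.dumps(SAMPLE_KEY_JSON)      # what jsonencode() of that string yields
BAD_PEM_JSON = json.dumps(dict(SAMPLE_KEY, private_key="not-a-pem-block"))

REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email", "token_uri")
KEY_VERSION_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+/cryptoKeyVersions/\d+$"
)


def check_service_account_key(value):
    """Return a list of problems found in a service_account_key value (a JSON string)."""
    problems = []
    try:
        obj = json.loads(value)
    except (TypeError, ValueError):
        return ["service_account_key is not valid JSON"]
    if isinstance(obj, str):
        # A JSON string literal wrapping JSON: the object was encoded twice.
        problems.append("service_account_key is JSON-encoded twice (string inside string)")
        try:
            obj = json.loads(obj)
        except ValueError:
            return problems + ["inner value is not valid JSON either"]
    if not isinstance(obj, dict):
        return problems + ["service_account_key is not a JSON object"]
    for field in REQUIRED_FIELDS:
        if not obj.get(field):
            problems.append(f"missing field: {field}")
    if obj.get("type") != "service_account":
        problems.append("type must be 'service_account'")
    pk = obj.get("private_key", "")
    if not (pk.startswith("-----BEGIN PRIVATE KEY-----") and pk.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM PKCS#8 block")
    return problems


def check_key_version_resource_id(value):
    """True if the id has the projects/.../cryptoKeyVersions/N form shown in the plan."""
    return bool(KEY_VERSION_RE.match(value))
```

Run it on the same two values that worked manually and on the ones Terraform passes; any difference in the reported problems narrows the comparison the issue describes.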
Hi @aliciaalcalde, per the README file, support is provided under your Atlas support agreement. Please reach out via that channel for a timely response on questions; issues are for bug reports. Thank you!!