pulumi / pulumi-gcp

A Google Cloud Platform (GCP) Pulumi resource package, providing multi-language access to GCP
Apache License 2.0

Unable to destroy stack with key ring #587

Closed yarinm closed 3 weeks ago

yarinm commented 3 years ago

 -  gcp:kms:CryptoKey gkeKey deleting 
 -  gcp:kms:CryptoKey gkeKey deleting error: deleting urn:pulumi:prod_gcp_wiz-managed_us-west2_infra::wiz-diskanalyzer::gcp:kms/cryptoKey:CryptoKey::gkeKey: 1 error occurred:
 -  gcp:kms:CryptoKey gkeKey **deleting failed** error: deleting urn:pulumi:prod_gcp_wiz-managed_us-west2_infra::wiz-diskanalyzer::gcp:kms/cryptoKey:CryptoKey::gkeKey: 1 error occurred:
    pulumi:pulumi:Stack wiz-diskanalyzer-prod_gcp_wiz-managed_us-west2_infra  error: update failed
    pulumi:pulumi:Stack wiz-diskanalyzer-prod_gcp_wiz-managed_us-west2_infra **failed** 1 error

Diagnostics:
  gcp:kms:CryptoKey (gkeKey):
    error: deleting urn:pulumi:prod_gcp_wiz-managed_us-west2_infra::wiz-diskanalyzer::gcp:kms/cryptoKey:CryptoKey::gkeKey: 1 error occurred:
        * googleapi: Error 400: The request cannot be fulfilled. Resource projects/prod-us1-300113/locations/us-west2/keyRings/prod-us1-us-west2-wiz-ring-rfed/cryptoKeys/prod-us1-us-west2-wiz-gke-key-rfed/cryptoKeyVersions/1 has value DESTROY_SCHEDULED in field crypto_key_version.state., failedPrecondition

  pulumi:pulumi:Stack (wiz-diskanalyzer-prod_gcp_wiz-managed_us-west2_infra):
    error: update failed

I'd expect that if this is the state of the key, Pulumi would consider it deleted.

At the moment I need to wait 24 hours before I can retry destroying the stack.

yarinm commented 3 years ago

I also noticed that since the CryptoKey has rotation, it still keeps rotating new keys which are not destroyed. I probably need to manually stop the key rotation -> destroy -> wait 24h?

Really bad experience. Is there a way to overcome this?

lukehoban commented 3 years ago

This appears to be part of the intentional design of the upstream provider - as part of https://github.com/hashicorp/terraform-provider-google/issues/3612 and related issues. We will need to revisit this experience as part of https://github.com/pulumi/pulumi-google-native.

yarinm commented 3 years ago

@lukehoban the issue you attached seems to mention this as fixed: TF is supposed to disable rotation, destroy all key material, and remove the keyring from the stack as it is. Pulumi doesn't do that. Is there a way to provide a fix for this?

Saying it will be solved in a future provider refactor is nice but it can happen months from now.

At the moment I'm unable to delete my GCP stacks unless I do them manually. This is critical for our system to be able to do these things automatically without faults.
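An added example, not code from the pulumi-gcp provider or from anyone in this thread: it models the delete behaviour the comment above attributes to the Terraform provider (remove rotation first, schedule destruction of every live version, and treat a key whose versions are all DESTROY_SCHEDULED or DESTROYED as already gone, instead of failing on the 400 seen in the issue). The key records are constructed sample data; the version state names are the ones the GCP KMS API uses, and the action tuples stand in for the real API calls.

```python
# Added example: pure decision logic over constructed KMS CryptoKey data.
# No GCP API is called; state names match the KMS CryptoKeyVersion states.
from dataclasses import dataclass, field
from typing import Optional

LIVE_STATES = {"ENABLED", "DISABLED"}            # versions that still hold usable material
GONE_STATES = {"DESTROY_SCHEDULED", "DESTROYED"}  # destroying these again gives the 400 in the issue


@dataclass
class CryptoKeyVersion:
    name: str
    state: str


@dataclass
class CryptoKey:
    name: str
    rotation_period: Optional[str]   # e.g. "7776000s"; None means rotation is off
    versions: list = field(default_factory=list)


def is_effectively_deleted(key: CryptoKey) -> bool:
    """True when every version is destroyed or scheduled for destruction.
    This is the condition under which the original poster expects the
    provider to consider the CryptoKey deleted rather than erroring."""
    return all(v.state in GONE_STATES for v in key.versions)


def plan_destroy(key: CryptoKey) -> list:
    """Ordered actions needed to retire the key. Rotation is removed first so
    no new ENABLED version can appear after destruction has started, which is
    the race the second comment in the thread describes."""
    actions = []
    if key.rotation_period is not None:
        actions.append(("disable_rotation", key.name))
    for v in key.versions:
        if v.state in LIVE_STATES:            # skip already-scheduled/destroyed versions
            actions.append(("destroy_version", v.name))
    return actions


def apply_plan(key: CryptoKey, actions: list) -> CryptoKey:
    """Simulate applying the plan on the constructed model (no GCP call).
    destroy_version puts a version into DESTROY_SCHEDULED, as the API does."""
    for action, target in actions:
        if action == "disable_rotation":
            key.rotation_period = None
        elif action == "destroy_version":
            for v in key.versions:
                if v.name == target:
                    v.state = "DESTROY_SCHEDULED"
    return key
```

After `apply_plan`, a second `plan_destroy` on the same key yields no actions, which is the idempotent "already deleted" outcome the thread asks the provider for.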

moranCohen26 commented 2 years ago

According to the documentation (https://www.pulumi.com/registry/packages/gcp/api-docs/kms/keyring/#keyring), Pulumi should not try to delete the key ring.

Note: KeyRings cannot be deleted from Google Cloud Platform. Destroying a provider-managed KeyRing will remove it from state but will not delete the resource from the project.

I checked now and still get `googleapi: Error 400: The request cannot be fulfilled.` using github.com/pulumi/pulumi-gcp/sdk/v6 v6.20.0.

Any idea why the behavior is not aligned with the documentation?

mnlumi commented 1 year ago

Needs a repro to see if still applicable.

mjeffryes commented 1 month ago

Unfortunately, it looks like this issue hasn't seen any updates in a while. If you're still encountering this problem, could you leave a quick comment to let us know so we can prioritize it?