KMS Module causes Build Pipeline to fail due to unmet dependencies

[rutalreja-deloitte]

GCS-CMEK

When the above linked GCS-CMEK is run in the terraform-example-foundation Cloud Build pipeline, it creates Keyrings, Keys, and GCS buckets encrypted with the generated keys in multiple projects parallelly; this produces an error.

Error: googleapi: Error 403: Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key., forbidden

Causality: The GCS module only requires the key as input, creating the implicit dependency only to the key self-link being available, ignoring the IAM bindings.

As such, Terraform tries to create the GCS bucket before the IAM binding for Role: Encrypter/Decrypter is linked to the KMS Key in many cases, the test even goes further after the failure point and completes the IAM Binding, thus leaving no trace that it was the root cause, if not looking closely at the output. It can only be detected by comparing the line numbers of successfully deployed buckets vs. unsuccessful buckets; in cases where the bucket randomly deploys after the binding has been set, it is successful and fails with the above error when the opposite occurs.

In the linked module, the above was resolved by adding an explicit dependency on the entire KMS module (Only possible in Terraform 0.13+) depends_on = [module.kms]

Suggested Improvement to KMS module until a better solution is ascertained

• [ ] Add Key IAM Binding output variable if someone needs to add a specific binding dependency and not on the entire module. Output Variable

[github-actions[bot]]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

[morgante]

I think it would be a good idea to make the outputs in this module dependent on the IAM bindings.

[bharathkkb]

@daniel-cit This should let us remove the explicit module level depends on DWH, PTAL

[meons]

Same issue here