When a GKE cluster is created that uses a cmek for node boot disk encryption and a new terraform plan is constructed to check for any updates needed to resources, the boot_disk_kms_key argument forces recreation of the cluster even when they key material is still the same.
Expected behavior
As long as the CMEK key material (URI) being used to encrypt the node boot disks has not changed, the boot_disk_kms_key argument should not force the recreation of the cluster.
Observed behavior
Even when the underlying key material and URI have not changed, the new terraform plan still informs that the boot_disk_kms_key argument is forcing the entire cluster to be replaced. This is not acceptable as there maybe production workloads running in the existing cluster which would be massively impacted by this.
TL;DR
When a GKE cluster is created that uses a cmek for node boot disk encryption and a new terraform plan is constructed to check for any updates needed to resources, the boot_disk_kms_key argument forces recreation of the cluster even when they key material is still the same.
Expected behavior
As long as the CMEK key material (URI) being used to encrypt the node boot disks has not changed, the boot_disk_kms_key argument should not force the recreation of the cluster.
Observed behavior
Even when the underlying key material and URI have not changed, the new terraform plan still informs that the boot_disk_kms_key argument is forcing the entire cluster to be replaced. This is not acceptable as there maybe production workloads running in the existing cluster which would be massively impacted by this.
Terraform Configuration
Terraform Version
Additional information
No response