terraform-google-modules / terraform-google-kubernetes-engine

Configures opinionated GKE clusters
https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google
Apache License 2.0
1.13k stars 1.16k forks

boot_disk_kms_key forces cluster replacement on a new terraform plan on an existing cluster #1984

Closed shastryajay closed 1 week ago

shastryajay commented 2 months ago

TL;DR

When a GKE cluster is created that uses a CMEK for node boot disk encryption and a new terraform plan is constructed to check for any updates needed to resources, the boot_disk_kms_key argument forces recreation of the cluster even when the key material is still the same.

Expected behavior

As long as the CMEK key material (URI) being used to encrypt the node boot disks has not changed, the boot_disk_kms_key argument should not force the recreation of the cluster.

Observed behavior

Even when the underlying key material and URI have not changed, the new terraform plan still reports that the boot_disk_kms_key argument is forcing the entire cluster to be replaced. This is not acceptable, as there may be production workloads running in the existing cluster which would be massively impacted by this.

Terraform Configuration

cluster_autoscaling {   # enclosing block, inferred from the dangling closing brace in the posted snippet
  auto_provisioning_defaults {
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]
    management {
      auto_upgrade = true   # bool, not the string "true" (the provider coerces it, but bool is the declared type)
      auto_repair  = true
    }
    # Full CMEK resource ID; the reported problem is that plan flags this attribute as forcing
    # replacement even when the value is identical to the one already on the cluster.
    boot_disk_kms_key = "projects/${var.project}/locations/${var.region}/keyRings/${var.key_ring}/cryptoKeys/${var.key}"
  }
}

Terraform Version

1.5.7

Additional information

No response
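Before applying a plan like the one described above against a production cluster, a practitioner wants a gate that refuses forced replacements and says which attribute Terraform blames, and that distinguishes a genuine replacement (the value really changed) from a spurious one (identical before and after, as reported here). The script below is an added example, not code from the issue author or from the terraform-google-kubernetes-engine module. It reads the JSON produced by `terraform show -json plan.out` and relies on two documented fields of that format: `resource_changes[].change.actions`, where a replacement is the pair `delete` and `create` in either order, and `change.replace_paths`, the attribute paths that forced it. `SAMPLE_PLAN` is constructed by hand to mirror the symptom and is not real module output; the resource addresses and key path in it are assumptions.

```python
"""Gate `terraform apply` on the JSON plan: refuse forced replacements and name the attribute behind them.

Added example, not code from the issue author or from the terraform-google-kubernetes-engine module.
It consumes `terraform show -json plan.out` output (plan JSON format 1.x). SAMPLE_PLAN below is
constructed by hand to mirror the symptom reported in the issue and is not real module output.
"""
from __future__ import annotations

import json
import sys

REPLACE = {"delete", "create"}  # Terraform encodes replacement as this pair, in either order

# Constructed sample: the cluster is replaced although the CMEK path is identical before and after,
# a node pool is merely updated, and a VPC is genuinely replaced because its name changes.
KMS_KEY = "projects/p/locations/us-central1/keyRings/kr/cryptoKeys/gke-boot"
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "module.gke.google_container_cluster.primary",
            "type": "google_container_cluster",
            "change": {
                "actions": ["delete", "create"],
                "replace_paths": [["cluster_autoscaling", 0, "auto_provisioning_defaults", 0, "boot_disk_kms_key"]],
                "before": {"cluster_autoscaling": [{"auto_provisioning_defaults": [{"boot_disk_kms_key": KMS_KEY}]}]},
                "after": {"cluster_autoscaling": [{"auto_provisioning_defaults": [{"boot_disk_kms_key": KMS_KEY}]}]},
            },
        },
        {
            "address": 'module.gke.google_container_node_pool.pools["default"]',
            "type": "google_container_node_pool",
            "change": {"actions": ["update"], "before": {"node_count": 1}, "after": {"node_count": 2}},
        },
        {
            "address": "google_compute_network.vpc",
            "type": "google_compute_network",
            "change": {
                "actions": ["create", "delete"],
                "replace_paths": [["name"]],
                "before": {"name": "vpc-old"},
                "after": {"name": "vpc-new"},
            },
        },
    ],
}


def value_at(obj, path):
    """Walk a before/after object along a replace_path (dict keys and list indexes); None if absent."""
    for step in path:
        if isinstance(obj, list) and isinstance(step, int) and step < len(obj):
            obj = obj[step]
        elif isinstance(obj, dict):
            obj = obj.get(step)
        else:
            return None
    return obj


def replacements(plan: dict) -> list[dict]:
    """One record per resource the plan would destroy and recreate, with the attribute paths blamed."""
    out = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if set(change.get("actions", [])) != REPLACE:
            continue
        paths = change.get("replace_paths", [])
        # Spurious when every blamed attribute has the same value before and after. Values known only
        # after apply live in `after_unknown`, so they read as None here and never count as unchanged.
        spurious = bool(paths) and all(
            value_at(change.get("before"), p) == value_at(change.get("after"), p) for p in paths
        )
        out.append({
            "address": rc["address"],
            "replace_paths": [".".join(str(s) for s in p) for p in paths],
            "spurious": spurious,
        })
    return out


def forced_by(plan: dict, attribute: str) -> list[str]:
    """Addresses whose replacement is blamed on `attribute` (last path element), e.g. boot_disk_kms_key."""
    return [r["address"] for r in replacements(plan)
            if any(p.split(".")[-1] == attribute for p in r["replace_paths"])]


def check(plan: dict) -> int:
    """Print a report and return the exit code to use: 1 if anything would be replaced, else 0."""
    found = replacements(plan)
    for r in found:
        tag = "SPURIOUS (value unchanged)" if r["spurious"] else "genuine"
        print(f"REPLACE {r['address']}: forced by {', '.join(r['replace_paths']) or '?'} [{tag}]")
    return 1 if found else 0


if __name__ == "__main__":
    # Usage: terraform show -json plan.out > plan.json && python plan_guard.py plan.json
    # With no argument the constructed sample is checked instead.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    sys.exit(check(plan))
```

Wire `check` into CI between `terraform plan -out=plan.out` and `terraform apply plan.out`: a non-zero exit blocks the apply. A replacement the report marks as spurious is a module or provider diff problem rather than a key rotation, which is exactly the evidence to attach to an issue like this one; a genuine one still needs a human to confirm that destroying the cluster is intended.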

github-actions[bot] commented 2 weeks ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days