terraform-google-modules / terraform-google-kubernetes-engine

Configures opinionated GKE clusters
https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google
Apache License 2.0

KMS key is not used in node_config in some case #2008

Open johanferguth opened 2 months ago

johanferguth commented 2 months ago

TL;DR

With some configurations the gke module produces an error related to an unused KMS key.

Expected behavior

The KMS key is also used by node_config.

Observed behavior

[...].module.gke.google_container_cluster.primary: Creating...
╷
│ Error: googleapi: Error 400: Failed precondition: Constraint `constraints/gcp.restrictNonCmekServices` violated for `projects/427955863992` attempting to create a resource without specifying a KMS CryptoKey.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.RequestInfo",
│     "requestId": "0x49b9d3b73e2c5556"
│   }
│ ]
│ , failedPrecondition
│
│   with module.environment_cluster.module.cluster.module.gke.google_container_cluster.primary,
│   on .terraform/modules/environment_cluster.cluster.gke/cluster.tf line 22, in resource "google_container_cluster" "primary":
│   22: resource "google_container_cluster" "primary" {
│

Terraform Configuration

module "gke" {
  depends_on = [google_compute_subnetwork.kubernetes_subnet, module.cluster_name_object, module.node_pools_name_object]
  source     = "terraform-google-modules/kubernetes-engine/google"

  boot_disk_kms_key       = var.encryption_key != null ? var.encryption_key.id : ""
  cluster_resource_labels = local.labels
  create_service_account  = false
  service_account         = "${data.google_project.platform.number}-compute@developer.gserviceaccount.com"
  database_encryption = [
    {
      state    = var.encryption_key != null ? "ENCRYPTED" : "DECRYPTED"
      key_name = var.encryption_key != null ? var.encryption_key.id : null
    }
  ]

  deletion_protection     = false
  ip_range_pods           = "pods"
  ip_range_services       = "services"
  kubernetes_version      = var.kubernetes_version
  name                    = module.cluster_name_object.strings_object.normalized_string
  network                 = var.vpc_network_setup.name
  project_id              = var.project_id
  region                  = var.region
  subnetwork              = google_compute_subnetwork.kubernetes_subnet.name

  node_pools = [
    {
      auto_repair              = true
      autoscaling              = false
      boot_disk_kms_key        = var.encryption_key != null ? var.encryption_key.id : ""
      disk_size_gb             = local.root_disk_size
      machine_type             = var.environment.machine_type
      name                     = module.node_pools_name_object.strings_object.normalized_string
      node_count               = local.is_standby ? 0 : var.environment.machine_count
      node_locations           = var.available_zones[0]
      remove_default_node_pool = true
      spot                     = false
    }
  ]
}

Terraform Version

1.5.7

Additional information

We propose the following fix but cannot test it end to end:

https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/2006
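The constraint `constraints/gcp.restrictNonCmekServices` in the error above only fires once the API call is made. As an added preflight check (not part of this issue or of the module), the script below walks a `terraform show -json` plan and flags every planned GKE cluster or node pool whose node_config lacks boot_disk_kms_key; the key path, resource addresses and plan document are constructed placeholders.

```python
# Org policy constraints/gcp.restrictNonCmekServices rejects GKE resources created without a
# CMEK key (the 400 "Failed precondition" above). This preflight walks a parsed
# `terraform show -json tfplan` document and flags each planned cluster or node pool whose
# node_config has no boot_disk_kms_key, and each cluster whose database_encryption is not
# ENCRYPTED with a key_name, so the gap is caught before the API call is made.
CLUSTER = "google_container_cluster"
NODE_POOL = "google_container_node_pool"

def planned(plan):
    """Yield (address, type, after, after_unknown) for each resource being created or updated."""
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if {"create", "update"} & set(change.get("actions", [])):
            yield rc["address"], rc["type"], change.get("after") or {}, change.get("after_unknown") or {}

def key_present(block, unknown, field):
    """A field counts as set if it has a non-empty planned value or is still unknown (computed)."""
    return bool(block.get(field)) or unknown.get(field) is True

def missing_cmek(plan):
    """Return [(address, problem)] for every planned GKE resource that would violate the constraint."""
    findings = []
    for address, rtype, after, unknown in planned(plan):
        if rtype not in (CLUSTER, NODE_POOL):
            continue
        unknown_cfgs = unknown.get("node_config") or []
        for i, cfg in enumerate(after.get("node_config") or []):
            u = unknown_cfgs[i] if i < len(unknown_cfgs) and isinstance(unknown_cfgs[i], dict) else {}
            if not key_present(cfg, u, "boot_disk_kms_key"):
                findings.append((address, "node_config.boot_disk_kms_key is empty"))
        if rtype == CLUSTER:
            for enc in after.get("database_encryption") or []:
                if enc.get("state") != "ENCRYPTED" or not enc.get("key_name"):
                    findings.append((address, "database_encryption is not ENCRYPTED with a key_name"))
    return findings

# Constructed sample plan (not real terraform output; key path and addresses are placeholders):
# the cluster's default node_config carries an empty key, as reported above, the node pool does not.
KEY = "projects/example-project/locations/europe-west1/keyRings/gke/cryptoKeys/boot"
SAMPLE_PLAN = {"resource_changes": [
    {"address": "module.gke.google_container_cluster.primary", "type": CLUSTER,
     "change": {"actions": ["create"],
                "after": {"node_config": [{"boot_disk_kms_key": ""}],
                          "database_encryption": [{"state": "ENCRYPTED", "key_name": KEY}]},
                "after_unknown": {"id": True, "node_config": [{"effective_taints": True}]}}},
    {"address": "module.gke.google_container_node_pool.pools[0]", "type": NODE_POOL,
     "change": {"actions": ["create"], "after": {"node_config": [{"boot_disk_kms_key": KEY}]},
                "after_unknown": {"id": True}}},
]}
```

Load real `terraform show -json tfplan` output with json.load and pass the dict to missing_cmek; an empty list means the plan has no CMEK gap of the kind the constraint rejects.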

github-actions[bot] commented 1 day ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days