This repository was archived by the owner on Jan 5, 2026. It is now read-only.

Re-use of key rings #112

@Red-Five


In some customer environments a single demo GCP project might be provisioned for experimenting with these terraform modules.

KMS keyrings cannot be deleted and live as long as the hosting GCP project.

When doing a terraform destroy and re-apply, the re-apply will fail as the key rings already exist.

Consider use of the terraform data keyword and boolean KMS create flags so that the second time around the existing key rings are re-used.

The suggestions below are from ChatGPT-4 and NOT validated.

Quote:

"In this scenario, you can use a combination of data and resource blocks, along with a variable, to conditionally create the keyring or use an existing one. This way, when you run terraform apply after terraform destroy, the configuration will not attempt to create a new keyring if it already exists.

First, add a new boolean variable in your Terraform configuration file to decide whether to create a new keyring or use an existing one:

```hcl
variable "create_keyring" {
  description = "Whether to create a new keyring or use an existing one."
  type        = bool
  default     = true
}
```

Next, add the following data block to fetch the existing keyring:

```hcl
data "google_kms_key_ring" "existing_keyring" {
  count    = var.create_keyring ? 0 : 1
  # The google provider's argument is "project", not "project_id".
  project  = var.project_id
  location = var.keyring_location
  name     = var.keyring_name
}
```

Then, update the google_kms_key_ring resource block to conditionally create the keyring using the count parameter:

```hcl
resource "google_kms_key_ring" "default" {
  count    = var.create_keyring ? 1 : 0
  # The google provider's argument is "project", not "project_id".
  project  = var.project_id
  location = var.keyring_location
  name     = var.keyring_name
}
```

Now, create a local variable to hold the keyring ID, which will be used by other resources in the configuration:

```hcl
locals {
  # merge() only accepts maps; the two splat expressions are lists, so they
  # are joined with concat(). Exactly one of them is non-empty, and one()
  # returns that single element (and fails the plan if the count is not 1).
  keyring_id = one(concat(
    google_kms_key_ring.default[*].id,
    data.google_kms_key_ring.existing_keyring[*].id,
  ))
}
```

Replace any reference to google_kms_key_ring.default.id in your configuration with local.keyring_id.

Finally, update the create_keyring variable in your Terraform configuration, setting it to false if you want to use the existing keyring:

```hcl
module "kms-inst-disk" {
  # ...
  create_keyring = false
  # ...
}
```
" End Quote
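The pattern above, written out as one complete root module. This is an added example, not code from the issue or from the terraform modules it refers to: the variable names, defaults, provider pins and the `demo-` names are assumptions chosen for illustration. It goes one step beyond the issue's own case: a Google Cloud KMS crypto key name is also never freed once used (the provider documents that destroying a `google_kms_crypto_key` only removes it from state and destroys its versions), so the key inside the re-used ring is given a random suffix, otherwise the second apply would fail on the key instead of the ring.

```hcl
# Added example (not part of the issue or the project it refers to).
# Assumptions: a pre-existing GCP project, the hashicorp/google and
# hashicorp/random providers, and the demo names/defaults below.

terraform {
  required_providers {
    google = { source = "hashicorp/google" }
    random = { source = "hashicorp/random" }
  }
}

variable "project_id" {
  description = "Demo project that hosts the key ring (assumed to exist)."
  type        = string
}

variable "keyring_location" {
  type    = string
  default = "us-central1" # assumption
}

variable "keyring_name" {
  type    = string
  default = "demo-keyring" # assumption
}

# true on the first apply into a fresh project; false on every apply after a
# terraform destroy, because the ring still exists and cannot be re-created.
variable "create_keyring" {
  description = "Create the key ring (true) or reuse the existing one (false)."
  type        = bool
  default     = true
}

provider "google" {
  project = var.project_id
}

# Exactly one of the next two blocks has count = 1.
resource "google_kms_key_ring" "default" {
  count    = var.create_keyring ? 1 : 0
  name     = var.keyring_name
  location = var.keyring_location
  project  = var.project_id
}

# Reading a ring that does not exist is a plan-time error, so the flag must
# match reality; that error is the check that the flag was set correctly.
data "google_kms_key_ring" "existing" {
  count    = var.create_keyring ? 0 : 1
  name     = var.keyring_name
  location = var.keyring_location
  project  = var.project_id
}

locals {
  # concat() joins one empty and one single-element list; one() unwraps it
  # and fails the plan if the combined list does not have exactly one id.
  keyring_id = one(concat(
    google_kms_key_ring.default[*].id,
    data.google_kms_key_ring.existing[*].id,
  ))
}

# Crypto key names are never released either, so a fresh suffix per apply
# avoids the same ALREADY_EXISTS failure one level down.
resource "random_id" "key_suffix" {
  byte_length = 4
}

resource "google_kms_crypto_key" "default" {
  name            = "demo-key-${random_id.key_suffix.hex}" # assumption
  key_ring        = local.keyring_id
  rotation_period = "7776000s" # 90 days, assumption
}

output "keyring_id" {
  value = local.keyring_id
}

output "crypto_key_id" {
  value = google_kms_crypto_key.default.id
}
```

First run: `terraform apply -var project_id=... -var create_keyring=true`. After `terraform destroy`, re-apply with `-var create_keyring=false`; the ring is read back by the data source instead of being created, and the key gets a new name under it. Switching the flag the wrong way round does not silently succeed: with `true` the provider reports that the ring already exists, with `false` on a fresh project the data source fails at plan time.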
