Binary Authorization issue for google-beta provider with terraform version 0.12.14. #5219

Closed
RaniHirave opened this issue Dec 18, 2019 · 14 comments · Fixed by GoogleCloudPlatform/magic-modules#3095, #5619 or hashicorp/terraform-provider-google-beta#1740
RaniHirave commented Dec 18, 2019

Terraform Version

0.12.14

Affected Resource(s)

Binary Authorization Attestor Kms

Terraform Configuration Files

resource "google_binary_authorization_attestor" "attestor" {
  name = "test-attestor"
  attestation_authority_note {
    note_reference = google_container_analysis_note.note.name
    public_keys {
      id = data.google_kms_crypto_key_version.version.id
      pkix_public_key {
        public_key_pem      = data.google_kms_crypto_key_version.version.public_key[0].pem
        signature_algorithm = data.google_kms_crypto_key_version.version.public_key[0].algorithm
      }
    }
  }
}

data "google_kms_crypto_key_version" "version" {
  crypto_key = google_kms_crypto_key.crypto-key.self_link
}

resource "google_container_analysis_note" "note" {
  name = "test-attestor-note"
  attestation_authority {
    hint {
      human_readable_name = "Attestor Note"
    }
  }
}

resource "google_kms_crypto_key" "crypto-key" {
  name     = "test-attestor-key"
  key_ring = google_kms_key_ring.keyring.self_link
  purpose  = "ASYMMETRIC_SIGN"

  version_template {
    algorithm = "RSA_SIGN_PKCS1_4096_SHA512"
  }

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_key_ring" "keyring" {
  name     = "test-attestor-key-ring"
  location = "global"
}

Issue Description

I am getting the below error.

Error: Invalid index

resource "google_binary_authorization_attestor" "attestor":
public_key_pem = data.google_kms_crypto_key_version.version.public_key[0].pem
|----------------
| data.google_kms_crypto_key_version.version.public_key is empty list of object

The given key does not identify an element in this collection value.

Error: Invalid index

resource "google_binary_authorization_attestor" "attestor":
signature_algorithm = data.google_kms_crypto_key_version.version.public_key[0].algorithm
|----------------
| data.google_kms_crypto_key_version.version.public_key is empty list of object

The given key does not identify an element in this collection value.

@edwardmedia edwardmedia self-assigned this Dec 18, 2019
@edwardmedia
Contributor

@RaniHirave can you post the full debug log? Thanks

@edwardmedia
Contributor

@RaniHirave I can't repro it. Can you run the below commands to see what you have?

gcloud kms keyrings describe test-attestor-key-ring --location=global
gcloud kms keys describe test-attestor-key --location=global --keyring=test-attestor-key-ring

@RaniHirave
Author

@edwardmedia This is working with the command line, but when I do the same using Terraform code and use an example given in the official document, I am getting the above error.

@ghost ghost removed the waiting-response label Dec 19, 2019
@RaniHirave
Author

Let me know if you need any further information from my end.

@edwardmedia
Contributor

@RaniHirave I'd like you to run two gcloud commands to see if there are existing keyrings & keys. What version of terraform-provider-google are you using? Can you post full debug log?

@RaniHirave
Author

I have run the above two commands and the output is below.

➜ gcloud kms keyrings describe test-attestor-key-ring --location=global
createTime: '2019-12-05T05:44:58.116454932Z'
name: projects//locations/global/keyRings/test-attestor-key-ring

➜ gcloud kms keys describe test-attestor-key --location=global --keyring=test-attestor-key-ring
createTime: '2019-12-05T05:44:59.701989185Z'
name: projects//locations/global/keyRings/test-attestor-key-ring/cryptoKeys/test-attestor-key
purpose: ASYMMETRIC_SIGN
versionTemplate:
  algorithm: RSA_SIGN_PKCS1_4096_SHA512
  protectionLevel: SOFTWARE

Also, I am using the 'google-beta' provider.

@ghost ghost removed the waiting-response label Dec 23, 2019
@edwardmedia
Contributor

@RaniHirave I can't repro this issue. Have you enabled binaryauthorization.googleapis.com? Can you post the full debug log?

@stephenashank

@RaniHirave @edwardmedia I just ran into the same error while following the same example. The solution for me was to change the crypto key version definition to this:

data "google_kms_crypto_key_version" "version" {
  crypto_key = google_kms_crypto_key.crypto-key.self_link
  public_key {}
}

After adding this and running terraform plan, no errors.

@edwardmedia
Contributor

Now I can repro the issue

@RaniHirave
Author

@stephenashank I just ran the same solution, that is:

data "google_kms_crypto_key_version" "version" {
  crypto_key = google_kms_crypto_key.crypto-key.self_link
  public_key {}
}

After adding this and running terraform apply, I am getting the below error.

Error: Invalid index

resource "google_binary_authorization_attestor" "attestor":

public_key_pem = data.google_kms_crypto_key_version.version.public_key[0].pem
data.google_kms_crypto_key_version.version.public_key is empty list of object

The given key does not identify an element in this collection value.

Error: Invalid index

resource "google_binary_authorization_attestor" "attestor":

signature_algorithm = data.google_kms_crypto_key_version.version.public_key[0].algorithm
data.google_kms_crypto_key_version.version.public_key is empty list of object

The given key does not identify an element in this collection value.

@stephenashank

@RaniHirave If you run terraform apply a second time, it should work. Otherwise I have a workaround that works in one apply command on the other issue here: #5552 (comment)

@c2thorn
Collaborator

c2thorn commented Feb 7, 2020

Hi folks. The fix should be available in the v3.9 releases of the TPG and TPGB providers next week. With it, you should be able to implement the original example without any modifications.

@ghost ghost locked and limited conversation to collaborators Mar 28, 2020