Open
Description
TL;DR
When you want to create a new cluster and have the Org Policy constraints/gcp.restrictNonCmekServices activated, it will fail. You can set the KMS key for your node pools, as well as for the database encryption; however, you can't set it for the default node pool, which will always be created in the beginning. I suspect that somewhere here the KMS key should also be configurable.
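For reference, this added configuration (not code from the issue reporter or from the terraform-google-modules project) shows, against the raw google provider resources, the three places a CMEK key is declared: the cluster-level node_config, which describes the default node pool that GKE creates first, the database_encryption block, and a separately managed node pool. The project, region, key ring, key, cluster and pool names are placeholders.

```hcl
# Added example, not part of the issue or the module. All names are placeholders.
locals {
  # Fully qualified Cloud KMS CryptoKey resource name (placeholder).
  kms_key = "projects/PROJECT_ID/locations/REGION/keyRings/KEYRING/cryptoKeys/KEY"
}

resource "google_container_cluster" "primary" {
  name     = "example-cluster"
  location = "REGION"

  # The default node pool is created with the cluster, even when it is removed
  # right afterwards, so its boot disks need a CMEK key as well. The cluster-level
  # node_config block is where that key is set for the default pool.
  remove_default_node_pool = true
  initial_node_count       = 1

  node_config {
    boot_disk_kms_key = local.kms_key
  }

  # Application-layer encryption of Kubernetes secrets in etcd with the same key.
  database_encryption {
    state    = "ENCRYPTED"
    key_name = local.kms_key
  }
}

resource "google_container_node_pool" "workers" {
  name       = "workers"
  cluster    = google_container_cluster.primary.id
  location   = "REGION"
  node_count = 1

  # Separately managed pools carry their own boot_disk_kms_key.
  node_config {
    boot_disk_kms_key = local.kms_key
  }
}
```

When the cluster is created through a wrapper module, what matters for the Org Policy check is whether the module emits a boot_disk_kms_key in the cluster-level node_config shown above; setting it only on the additional node pools leaves the default pool's create request without a key.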
Expected behavior
Cluster can be created when constraints/gcp.restrictNonCmekServices is activated.
Observed behavior
Creation fails with the following error:
Error: googleapi: Error 400: Failed precondition: Constraint `constraints/gcp.restrictNonCmekServices` violated for `projects/xxx` attempting to create a resource without specifying a KMS CryptoKey.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.RequestInfo",
│ "requestId": "0x7c2dea49178255f2"
│ }
│ ]
│ , failedPrecondition
│
│ with module.k8s.module.cluster.google_container_cluster.primary,
│ on .terraform/modules/k8s.cluster/modules/private-cluster/cluster.tf line 22, in resource "google_container_cluster" "primary":
│ 22: resource "google_container_cluster" "primary" {
Terraform Configuration
We have abstracted it into our own module, so it is not so easy to share.
Terraform Version
Opentofu 1.9.0
Terraform Provider Versions
hashicorp/google-beta v6.33.0
hashicorp/google v6.33.0
Additional information
No response