Comments (4)
Without "count" it works.
```hcl
resource "google_service_account" "encryption_at_rest" {
  project      = var.gcp_project
  account_id   = "atlas-encrypt-sar"
  display_name = "atlas-encrypt-${var.cluster_name}"
}

resource "google_project_iam_member" "encryption_at_rest" {
  for_each = toset([
    "roles/cloudkms.admin",
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
  ])
  project = var.gcp_project
  role    = each.value
  member  = "serviceAccount:atlas-encrypt-sar@${var.gcp_project}.iam.gserviceaccount.com"
}

# Create service account key
resource "google_service_account_key" "encryption_at_rest" {
  service_account_id = "atlas-encrypt-sar@${var.gcp_project}.iam.gserviceaccount.com"
  public_key_type    = "TYPE_X509_PEM_FILE"
}

#######################
# KMS                 #
#######################
# Create keyring for encryption_at_rest
resource "google_kms_key_ring" "encryption_at_rest" {
  project  = var.gcp_project
  name     = "atlas-keyring"
  location = "global"
}

resource "google_kms_crypto_key" "crypto_key" {
  name       = "atlas-crypto-key"
  key_ring   = google_kms_key_ring.encryption_at_rest.id
  depends_on = [google_kms_key_ring.encryption_at_rest]
}

# Atlas encryption_at_rest
resource "mongodbatlas_encryption_at_rest" "kms" {
  project_id = var.project_id_mongo
  google_cloud_kms_config {
    enabled                 = true
    service_account_key     = base64decode(google_service_account_key.encryption_at_rest.private_key)
    key_version_resource_id = "${google_kms_crypto_key.crypto_key.id}/cryptoKeyVersions/1"
  }
  depends_on = [google_kms_crypto_key.crypto_key, google_service_account_key.encryption_at_rest]
}
```
from terraform-provider-mongodbatlas.
@aliciaalcalde I'll try to assist here - we'll be posting soon that support for the provider will go through MongoDB Atlas support but in the meantime let's work together here.
For the cluster creation section:
encryption_at_rest_provider doesn't take a boolean but a string, in this case set it to GCP (and I'll make a todo to update the doc there to be more clear). Make sure all the options match as well (they are documented in more depth here: https://docs.atlas.mongodb.com/reference/api/clusters-create-one/ ) but for GCP they are:

| Option | Required value |
|---|---|
| providerSettings.instanceSizeName | M10 or greater |
| backupEnabled | false or omitted |
For setting up encryption at rest for the project before you create the cluster:
The resource looks correct (make sure the encryption at rest variable there is a boolean). Could there be an issue with GCP in creating the service acct? The error seems to be that the key isn't found as passed in.
@aliciaalcalde since I've not heard back I'm going to close this. Feel free to reach out if you have more issues.
Hi @themantissa, I am experiencing a similar issue as well. I have added the appropriate roles to allow for cryptoKeyEncryptDecrypt and get the service account key. However, I still see the "Invalid Google Credentials" error. After setting the permission on the service account to Owner (full permissions), the error goes away, suggesting that this is a permissions-related issue.
It'd be helpful if the error message can show the specific Google IAM scopes missing.
from terraform-provider-mongodbatlas.
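The thread above covers three things: the GCP service account / KMS / Atlas wiring in the first comment, the cluster options called out in the second (encryption_at_rest_provider is the string "GCP", M10 or larger, backups off), and the permissions problem in the last one, which was "solved" by granting Owner. The following is an added example, not code from the issue or from the terraform-provider-mongodbatlas project, that puts the same wiring together with least-privilege bindings scoped to the key instead of project-wide roles/cloudkms.admin. It assumes the google and mongodbatlas providers are configured elsewhere, the variables gcp_project, atlas_project_id and cluster_name are supplied by the caller, and the resource names (atlas_kms, atlas, main) are mine. Two things in it are assumptions rather than facts the thread establishes: that Atlas needs roles/cloudkms.viewer on the key ring in addition to the encrypter/decrypter role on the key, and that an explicit depends_on on the IAM bindings is what keeps Atlas from validating the credentials before the bindings exist.

```hcl
# Added example, not the issue author's or the provider project's code.
# Assumes the google and mongodbatlas providers are already configured
# and that the variables below are supplied by the caller.

variable "gcp_project" {
  type = string
}

variable "atlas_project_id" {
  type = string
}

variable "cluster_name" {
  # Keep it short: account_id below must stay within GCP's 6-30 characters.
  type = string
}

# Dedicated identity: nothing but Atlas uses this account, so a leaked key
# cannot reach anything beyond the single KMS key below.
resource "google_service_account" "atlas_kms" {
  project      = var.gcp_project
  account_id   = "atlas-kms-${var.cluster_name}"
  display_name = "Atlas encryption-at-rest for ${var.cluster_name}"
}

resource "google_kms_key_ring" "atlas" {
  project  = var.gcp_project
  name     = "atlas-${var.cluster_name}"
  location = "global"
}

resource "google_kms_crypto_key" "atlas" {
  name     = "atlas-${var.cluster_name}"
  key_ring = google_kms_key_ring.atlas.id
  purpose  = "ENCRYPT_DECRYPT"

  # Destroying this key makes every Atlas volume and backup sealed with it
  # unreadable; refuse to do it by accident.
  lifecycle {
    prevent_destroy = true
  }
}

# Bind only what Atlas needs, and only on this key / key ring, instead of
# project-wide roles/cloudkms.admin as in the thread's config.
resource "google_kms_crypto_key_iam_member" "atlas_use_key" {
  crypto_key_id = google_kms_crypto_key.atlas.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${google_service_account.atlas_kms.email}"
}

# Assumption: Atlas also has to read the key version it is handed, which the
# encrypter/decrypter role does not permit on its own.
resource "google_kms_key_ring_iam_member" "atlas_view_ring" {
  key_ring_id = google_kms_key_ring.atlas.id
  role        = "roles/cloudkms.viewer"
  member      = "serviceAccount:${google_service_account.atlas_kms.email}"
}

# Referencing the account resource (not a hand-built email string) gives
# Terraform the ordering dependency. The JSON key lands in Terraform state,
# so the state backend is now inside the key's trust boundary.
resource "google_service_account_key" "atlas_kms" {
  service_account_id = google_service_account.atlas_kms.name
}

resource "mongodbatlas_encryption_at_rest" "gcp" {
  project_id = var.atlas_project_id

  google_cloud_kms_config {
    enabled                 = true
    service_account_key     = base64decode(google_service_account_key.atlas_kms.private_key)
    key_version_resource_id = "${google_kms_crypto_key.atlas.id}/cryptoKeyVersions/1"
  }

  # Atlas checks the credentials when this resource is created; make the IAM
  # bindings an explicit prerequisite rather than racing them (assumption).
  depends_on = [
    google_kms_crypto_key_iam_member.atlas_use_key,
    google_kms_key_ring_iam_member.atlas_view_ring,
  ]
}

# Cluster options from the thread: encryption_at_rest_provider is a string
# ("GCP"), the instance size must be M10 or larger, backup_enabled false or
# omitted. The region is a placeholder choice.
resource "mongodbatlas_cluster" "main" {
  project_id                  = var.atlas_project_id
  name                        = var.cluster_name
  provider_name               = "GCP"
  provider_region_name        = "CENTRAL_US"
  provider_instance_size_name = "M10"
  encryption_at_rest_provider = "GCP"
  backup_enabled              = false

  depends_on = [mongodbatlas_encryption_at_rest.gcp]
}
```

If the "Invalid Google Credentials" error persists with these bindings, the place to look is the KMS audit log for the denied permission rather than widening the service account to Owner: whichever cloudkms.* permission the denial names is the one to add on the key or key ring, and nothing broader.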