
Comments (4)

NurdaCodez avatar NurdaCodez commented on June 3, 2024 1

@aliciaalcalde I'll try to assist here - we'll be posting soon that support for the provider will go through MongoDB Atlas support but in the mean time let's work together here.

For the cluster creation section: encryption_at_rest_provider doesn't take a boolean but a string, in this case set it to GCP (and I'll make a todo to update the doc there to be more clear). Make sure all the options match as well (they are documented in more depth here: https://docs.atlas.mongodb.com/reference/api/clusters-create-one/ ) but for GCP they are:
providerSettings.instanceSizeName | M10 or greater
backupEnabled | false or omitted

Without "count" it works.

resource "google_service_account" "encryption_at_rest" {
  project      = var.gcp_project
  account_id   = "atlas-encrypt-sar"
  display_name = "atlas-encrypt-${var.cluster_name}"
}

# Project-level role bindings for the service account. Referencing the
# account's email attribute (instead of re-typing the address) makes Terraform
# create the account before the bindings.
# Note: roles/cloudkms.admin is a key-management role and does not itself
# grant encrypt/decrypt; for an identity that only uses one key it is more
# than needed. roles/cloudkms.cryptoKeyEncrypterDecrypter is the role that
# allows encrypt and decrypt operations.
resource "google_project_iam_member" "encryption_at_rest" {
  for_each = toset([
    "roles/cloudkms.admin",
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
  ])
  project = var.gcp_project
  role    = each.value
  member  = "serviceAccount:${google_service_account.encryption_at_rest.email}"
}

# Create service account key. The private key is written (base64-encoded) to
# Terraform state, so the state file must be protected like a credential.
resource "google_service_account_key" "encryption_at_rest" {
  service_account_id = google_service_account.encryption_at_rest.name
  public_key_type    = "TYPE_X509_PEM_FILE"
}

#######################
#        KMS          #
#######################

# Create keyring for encryption_at_rest. Key rings cannot be deleted in
# Cloud KMS; destroying this resource only removes it from state.
resource "google_kms_key_ring" "encryption_at_rest" {
  project  = var.gcp_project
  name     = "atlas-keyring"
  location = "global"
}

# The key_ring reference already orders this after the key ring, so no
# explicit depends_on is needed.
resource "google_kms_crypto_key" "crypto_key" {
  name     = "atlas-crypto-key"
  key_ring = google_kms_key_ring.encryption_at_rest.id
}

# Atlas encryption_at_rest. service_account_key must be the JSON key file
# itself; google_service_account_key exposes it base64-encoded, hence the
# base64decode(). key_version_resource_id pins key version 1: after a key
# rotation it still points at the old version until this value is updated.
resource "mongodbatlas_encryption_at_rest" "kms" {
  project_id = var.project_id_mongo
  google_cloud_kms_config {
    enabled                 = true
    service_account_key     = base64decode(google_service_account_key.encryption_at_rest.private_key)
    key_version_resource_id = "${google_kms_crypto_key.crypto_key.id}/cryptoKeyVersions/1"
  }
}

from terraform-provider-mongodbatlas.

themantissa avatar themantissa commented on June 3, 2024

@aliciaalcalde I'll try to assist here - we'll be posting soon that support for the provider will go through MongoDB Atlas support but in the mean time let's work together here.

For the cluster creation section:
encryption_at_rest_provider doesn't take a boolean but a string, in this case set it to GCP (and I'll make a todo to update the doc there to be more clear). Make sure all the options match as well (they are documented in more depth here: https://docs.atlas.mongodb.com/reference/api/clusters-create-one/ ) but for GCP they are:
providerSettings.instanceSizeName | M10 or greater
backupEnabled | false or omitted

For setting up encryption at rest for the project before you create the cluster:
The resource looks correct (make sure the encryption at rest variable there is a boolean). Could there be an issue with GCP in creating the service acct? The error seems to be the key isn't found as passed in.


themantissa avatar themantissa commented on June 3, 2024

@aliciaalcalde since I've not heard back I'm going to close this. Feel free to reach out if you have more issues.


frankgu968 avatar frankgu968 commented on June 3, 2024

Hi @themantissa, I am experiencing a similar issue as well. I have added the appropriate roles to allow for cryptoKeyEncryptDecrypt and get the service account key. However, I still see the "Invalid Google Credentials" error. After setting the permission on the service account to Owner (full permissions), the error goes away, suggesting that this is a permissions-related issue.

It'd be helpful if the error message could show the specific Google IAM scopes missing.

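The thread above feeds mongodbatlas_encryption_at_rest three things: a GCP service account key, a cryptoKeyVersion resource ID, and whatever IAM roles the service account holds, and the last comment reports an "Invalid Google Credentials" error that only disappears with Owner. The script below is an added example (not code from the provider or from anyone in this thread) that checks those three inputs offline before terraform apply: that the key value is the decoded JSON key file rather than the still-base64 attribute, that the resource ID names a key version and not just the key, and which roles the project IAM policy grants the account, flagging both a missing roles/cloudkms.cryptoKeyEncrypterDecrypter and over-broad roles such as roles/cloudkms.admin or roles/owner. The sample key, policy and resource names are constructed. Assumptions: the role check looks only for that predefined role at project level (a custom role with the same permissions, or a binding set on the key ring or key, would be reported as missing), and the exact permission list Atlas requires is whatever the Atlas documentation states, not something this check encodes.

```python
"""Preflight checks for the inputs of mongodbatlas_encryption_at_rest (GCP KMS).

Added example; the sample key, policy and names below are constructed, not
real credentials or resources from the thread.
"""
import base64
import json
import re

# Full resource name of a key *version*, which key_version_resource_id expects.
KEY_VERSION_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)"
    r"/cryptoKeyVersions/(?P<version>[1-9][0-9]*)$"
)
# Predefined role that allows encrypt/decrypt with a key (assumption: the
# account is granted this predefined role rather than an equivalent custom one).
REQUIRED_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
# Roles that manage keys or the whole project; an identity that only uses one
# key version should not hold them.
OVERBROAD_ROLES = {"roles/owner", "roles/editor", "roles/cloudkms.admin"}

# Constructed sample inputs (shapes of a JSON key file and a getIamPolicy reply).
MEMBER = "serviceAccount:atlas-encrypt-sar@example-project.iam.gserviceaccount.com"
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkq...constructed...\n-----END PRIVATE KEY-----\n",
    "client_email": "atlas-encrypt-sar@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})
# What google_service_account_key.private_key looks like before base64decode().
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY_JSON.encode()).decode()
SAMPLE_KEY_VERSION = ("projects/example-project/locations/global/keyRings/atlas-keyring"
                      "/cryptoKeys/atlas-crypto-key/cryptoKeyVersions/1")
SAMPLE_POLICY = {"bindings": [  # mirrors the two bindings used in the thread
    {"role": "roles/cloudkms.admin", "members": [MEMBER]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": [MEMBER]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]}


def check_service_account_key(raw: str) -> list[str]:
    """Return problems with the value passed as service_account_key."""
    try:
        key = json.loads(raw)
    except ValueError:
        try:  # the Terraform attribute is base64; a still-encoded value is the usual mistake
            json.loads(base64.b64decode(raw, validate=True))
            return ["key is still base64-encoded; wrap it in base64decode()"]
        except ValueError:  # binascii.Error is a ValueError subclass
            return ["key is neither JSON nor base64-encoded JSON"]
    if not isinstance(key, dict):
        return ["key JSON is not an object"]
    problems = []
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    for field in ("project_id", "private_key_id", "private_key", "client_email"):
        if not key.get(field):
            problems.append(f"missing field {field}")
    pem = key.get("private_key", "")
    if pem and not (pem.startswith("-----BEGIN PRIVATE KEY-----")
                    and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM 'PRIVATE KEY' block")
    return problems


def check_key_version_id(resource_id: str) -> list[str]:
    """The ID must name a key version, not just the crypto key or key ring."""
    if KEY_VERSION_RE.match(resource_id):
        return []
    return ["key_version_resource_id must be projects/../locations/../keyRings/../"
            "cryptoKeys/../cryptoKeyVersions/<n>"]


def check_iam_bindings(policy: dict, member: str) -> dict[str, list[str]]:
    """Roles the member holds in a project IAM policy, split into missing/overbroad.

    Conditional bindings are counted like unconditional ones (simplification).
    """
    granted = sorted({b["role"] for b in policy.get("bindings", [])
                      if member in b.get("members", [])})
    return {
        "granted": granted,
        "missing": [] if REQUIRED_ROLE in granted else [REQUIRED_ROLE],
        "overbroad": [r for r in granted if r in OVERBROAD_ROLES],
    }


def preflight(key_raw: str, key_version_id: str, policy: dict, member: str) -> dict[str, list[str]]:
    """Combine the three checks into one report; an empty list means 'ok'."""
    iam = check_iam_bindings(policy, member)
    return {
        "service_account_key": check_service_account_key(key_raw),
        "key_version_resource_id": check_key_version_id(key_version_id),
        "iam_missing": iam["missing"],
        "iam_overbroad": iam["overbroad"],
    }


if __name__ == "__main__":
    for name, issues in preflight(SAMPLE_KEY_JSON, SAMPLE_KEY_VERSION, SAMPLE_POLICY, MEMBER).items():
        print(f"{name}: {'ok' if not issues else '; '.join(issues)}")
```

Run against the sample data it reports the key and resource ID as ok and flags roles/cloudkms.admin as over-broad, which is the least-privilege question the thread raises. With real inputs, the policy can come from `gcloud projects get-iam-policy PROJECT --format=json` and the key from the decoded attribute; both are secrets, so do not paste them into an issue.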
