Failing test(s): TestAccCompute* ("Error 400: Cloud KMS error" permissions denied) #13609

Closed
SarahFrench opened this issue Jan 31, 2023 · 8 comments

Comments

@SarahFrench
Member

SarahFrench commented Jan 31, 2023

Failure rate: 38% failure since April 18th 2023

Affected Resource(s)

  • google_compute_instance_template

Impacted tests:

  • TestAccComputeInstanceTemplate_sourceSnapshotEncryptionKey - this is now passing 100%
  • TestAccComputeRegionInstanceTemplate_sourceImageEncryptionKey
  • TestAccComputeRegionInstanceTemplate_sourceSnapshotEncryptionKey - this is now passing 100%
  • TestAccComputeImage_imageEncryptionKey
  • TestAccComputeInstanceTemplate_sourceImageEncryptionKey - this is now passing 100%

Nightly builds:

Message:

Error: Error creating Snapshot: googleapi: Error 400: Cloud KMS error when using key projects/PROJECT_ID/locations/us-central1/keyRings/tftest-shared-keyring-1/cryptoKeys/tftest-shared-key-1: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/PROJECT_ID/locations/us-central1/keyRings/tftest-shared-keyring-1/cryptoKeys/tftest-shared-key-1' (or it may not exist)., kmsPermissionDenied
@rileykarson
Collaborator

Note: This shared key may be a predecessor to a bootstrapped key, and we may want to convert it to one.

@rileykarson rileykarson added this to the Goals milestone Feb 6, 2023
@megan07
Contributor

megan07 commented Feb 21, 2023

The error has changed here: Error 409: The resource 'projects/ci-test-project-188019/zones/us-central1-a/disks/debian-disk' already exists, alreadyExists, we likely need to randomize the name on that disk.

@roaks3
Collaborator

roaks3 commented Apr 4, 2023

This was 100% until Mar 10, 2023 with the "already exists" error. Since then, we have seen the original error again at 32%.

This test appears to use its own service account for encryption, and it is configured to have the roles/cloudkms.cryptoKeyEncrypterDecrypter role (which includes cloudkms.cryptoKeyVersions.useToEncrypt), but I don't see a depends_on field to make sure we wait for the permission to be created. It's possible that all we need is that dependency to ensure the permission is available.

@roaks3 roaks3 added the test-failure-0 0%+ fail rate label Apr 4, 2023
@SarahFrench SarahFrench changed the title Failing test(s): TestAccComputeInstanceTemplate_sourceSnapshotEncryptionKey Failing test(s): TestAccComputeInstanceTemplate_sourceSnapshotEncryptionKey + others Jul 7, 2023
@github-actions github-actions bot added forward/review In review; remove label to forward service/compute-instances labels Oct 25, 2023
@SarahFrench
Member Author

SarahFrench commented Dec 11, 2023

TestAccComputeRegionInstanceTemplate_sourceImageEncryptionKey has still been failing due to this issue - 70% failure since migrating to the new TeamCity projects (i.e. as far back as our data goes it's been flaky due to this issue).

I've just been addressing a similar issue (#16687) where I can see lots of failures in the nightly tests for TPGB and I fixed a Beta-specific test that was authoritatively controlling an IAM binding on a cryptokey.

I think this GH issue is due to an acceptance test doing a similar thing, but there must be a test that's present in the GA provider (probably both GA/Beta).


After double checking I don't think there are acc tests in the GA provider that authoritatively affect the IAM policy on the crypto key, so I assume adding the missing depends_on argument to the TestAccComputeInstanceTemplate_sourceImageEncryptionKey test will fix the problem.
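
The missing dependency discussed in the comments above, shown as an added Terraform example (not the provider's actual acceptance-test configuration). The resource names and `var.kms_key_id` are hypothetical; the point is that the snapshot references the key and the service account but never the IAM grant, so Terraform has no implicit edge that forces the grant to be created first.

```hcl
# Added illustration. All resource names and var.kms_key_id are hypothetical.
variable "kms_key_id" {
  description = "Full ID of an existing Cloud KMS crypto key (placeholder)"
  type        = string
}

# Dedicated identity that performs the encryption, as in the test described above.
resource "google_service_account" "encrypter" {
  account_id   = "tf-test-kms-encrypter"
  display_name = "Service account used for CMEK encryption"
}

# Non-authoritative grant: adds a single member to the role and leaves any
# other bindings on a shared key untouched.
resource "google_kms_crypto_key_iam_member" "encrypter" {
  crypto_key_id = var.kms_key_id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter" # includes cloudkms.cryptoKeyVersions.useToEncrypt
  member        = "serviceAccount:${google_service_account.encrypter.email}"
}

resource "google_compute_disk" "source" {
  name = "tf-test-source-disk"
  zone = "us-central1-a"
  size = 10
}

resource "google_compute_snapshot" "encrypted" {
  name        = "tf-test-encrypted-snapshot"
  zone        = "us-central1-a"
  source_disk = google_compute_disk.source.name

  snapshot_encryption_key {
    kms_key_self_link       = var.kms_key_id
    kms_key_service_account = google_service_account.encrypter.email
  }

  # Nothing above references the IAM member, so without this line Terraform
  # may create the snapshot in parallel with (or before) the grant and the
  # API can answer with kmsPermissionDenied.
  depends_on = [google_kms_crypto_key_iam_member.encrypter]
}
```

`depends_on` only orders the API calls; it does not wait for the IAM change to propagate after the grant is created.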

@SarahFrench
Member Author

TestAccComputeInstanceTemplate_sourceImageEncryptionKey now passing 100%

TestAccComputeRegionInstanceTemplate_sourceImageEncryptionKey should also become the same way now that GoogleCloudPlatform/magic-modules#9644 is merged

@SarahFrench SarahFrench removed forward/review In review; remove label to forward service/compute-instances labels Dec 18, 2023
@SarahFrench
Member Author

This PR (GoogleCloudPlatform/magic-modules#9673) will fix TestAccComputeImage_imageEncryptionKey

@melinath
Collaborator

melinath commented Dec 21, 2023

Marking as forward/exempt since Sarah's actively working on this.

@SarahFrench
Member Author

Closing as stale
