Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Failing test(s): TestAccComputeInstanceTemplate_sourceImageEncryptionKey (beta) #16687

Closed
SarahFrench opened this issue Dec 6, 2023 · 5 comments

Comments

@SarahFrench
Copy link
Member

SarahFrench commented Dec 6, 2023

Failure rates

  • 70.3% since 2023-08-10

Impacted tests

  • TestAccComputeInstanceTemplate_sourceImageEncryptionKey (Beta)

Affected Resource(s)

  • google_XXXXX - leaving this unchanged as it's not relevant to service teams

Nightly build test history

Message(s)

Error:
    Error creating Image: googleapi:
        Error 400: Cloud KMS error when using key projects/ci-test-project-nightly-ga/locations/us-central1/keyRings/tftest-shared-keyring-1/cryptoKeys/tftest-shared-key-1: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/ci-test-project-nightly-ga/locations/us-central1/keyRings/tftest-shared-keyring-1/cryptoKeys/tftest-shared-key-1' (or it may not exist)., kmsPermissionDenied
@SarahFrench
Copy link
Member Author

SarahFrench commented Dec 6, 2023

I think this test failure could be related to how there are authoritative IAM resources changing IAM policies on shared KMS resources in acceptance tests : https://github.com/hashicorp/terraform-provider-google-beta/blob/9779b44720e8e47f056a7f7fc608c5380eefb06c/google-beta/services/cloudfunctions2/resource_cloudfunctions2_function_generated_test.go#L848-L865

That code's in the TestAccCloudfunctions2function_cloudfunctions2CmekExample test, but I think it's affecting other tests that use bootstrapped KMS keys

@SarahFrench
Copy link
Member Author

SarahFrench commented Dec 11, 2023

Just merged the PR I opened due to this issue - I want to check on the affected tests before closing this

That PR stopped TestAccCloudfunctions2function_cloudfunctions2CmekExample (Beta only) authoritatively controlling the binding for roles/cloudkms.cryptoKeyEncrypterDecrypter on a bootstrapped crypto key, so I'm hoping to see fewer permissions-related failures in the Beta tests.

These are tests in the TPGB nightly test project that fail due to missing permissions:

Also in that PR, I added a missing depends_on argument to the TestAccComputeInstanceTemplate_sourceImageEncryptionKey tests

@SarahFrench
Copy link
Member Author

SarahFrench commented Dec 14, 2023

Following #16687 (comment), where I described adding a depends_on field to the TestAccComputeInstanceTemplate_sourceImageEncryptionKey test, the test has passed in recent few days:

GA:
Screenshot 2023-12-14 at 12 53 33

Beta:
Screenshot 2023-12-14 at 12 55 50

Hopefully it'll continue

@SarahFrench
Copy link
Member Author

These tests have continued to pass 100% of the time, so I'm closing this issue:

Screenshot 2024-01-02 at 20 19 20

Copy link

github-actions bot commented Feb 2, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 2, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

1 participant