https://github.com/gcp-stellar-engine/stellar-engine/blob/fac47f0004befddffd81049491f2e6cd27b85742/fast/stages-aw/0-bootstrap/data/custom-constraint-policies/cloudkms.yaml#L14
This constraint fails when terraform tries to delete a key. When the GCP provider deletes a key version, it also explicitly unsets the key rotation period to prevent a new key from being created. See https://github.com/GoogleCloudPlatform/magic-modules/blob/main/mmv1/templates/terraform/custom_delete/kms_crypto_key.tmpl
This is due to the unique feature of KMS where it is impossible to delete a keyring or key; key material can only be destroyed.
Currently my only workaround is to disable this constraint if I need to delete a key, or remove the old key from terraform state files. It would be nice if the org policy could handle this challenge gracefully. I submitted a separate issue to potentially modify this behavior within the terraform provider itself, but it looks to be by design, so I am doubtful this will get changed on the provider side. hashicorp/terraform-provider-google#24503
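An added illustration, not code from the issue or from the stellar-engine repository: two custom org-policy constraints in the `gcloud org-policies set-custom-constraint` YAML format (not the repository's own `cloudkms.yaml` layout), shown as one YAML stream for comparison. The `ORG_ID` value is a placeholder and the CEL field name `resource.rotationPeriod` is assumed to match the CryptoKey attribute exposed to custom constraints.

```yaml
# Weak form: enforcing the rotation period on UPDATE as well means the
# provider's pre-delete update (which clears the rotation period, as the
# issue describes) is denied, so `terraform destroy` fails on the key.
name: organizations/ORG_ID/customConstraints/custom.kmsRequireRotationStrict
resourceTypes:
- cloudkms.googleapis.com/CryptoKey
methodTypes:
- CREATE
- UPDATE
condition: "has(resource.rotationPeriod)"   # assumed field name
actionType: ALLOW
displayName: "Require a rotation period on every CryptoKey (blocks Terraform delete)"
description: "Denies any create or update that leaves rotationPeriod unset."
---
# Workable form: enforce only at CREATE, so the teardown update passes and
# the key can still be removed from state and scheduled for destruction.
# Trade-off: a later update that removes the rotation period is no longer
# denied; cover that gap with an alert on UpdateCryptoKey audit-log entries
# whose request clears rotationPeriod, rather than by disabling the policy.
name: organizations/ORG_ID/customConstraints/custom.kmsRequireRotationOnCreate
resourceTypes:
- cloudkms.googleapis.com/CryptoKey
methodTypes:
- CREATE
condition: "has(resource.rotationPeriod)"   # assumed field name
actionType: ALLOW
displayName: "Require a rotation period when a CryptoKey is created"
description: "Denies key creation without rotationPeriod; updates are not evaluated."
```

Apply each document with its own `gcloud org-policies set-custom-constraint <file>` call, since the command takes one constraint per file.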