Feat: Encrypt bucket with CMEK

[ps-occrp]

This PR encrypts bucket using CMEK if default_kms_key_name is set to null in encryption block for simple_bucket submodule

[ps-occrp]

@apeabody Can you please review this PR?

[apeabody]

/gcbrun

[apeabody]

        	Error:      	Received unexpected error:
        	            	FatalError{Underlying: error while running command: exit status 1; 
        	            	Error: no project value set. `project_id` must be set at the resource level, or a default `project` value must be specified on the provider
        	            	
        	            	  with module.bucket.data.google_project.project,
        	            	  on ../../modules/simple_bucket/main.tf line 123, in data "google_project" "project":
        	            	 123: data "google_project" "project" {
        	            	}
        	Test:       	TestAll/examples/simple_bucket

[ps-occrp]

Can you trigger gcbrun again?

[apeabody]

/gcbrun

[ps-occrp]

assuming last run was successful, can you trigger it again? I just fixed a bug

[apeabody]

/gcbrun

[apeabody]

        	Error:      	Received unexpected error:
        	            	FatalError{Underlying: error while running command: exit status 1; 
        	            	Error: Error applying IAM policy for KMS CryptoKey "projects/ci-cloud-storage-0583/locations/us/keyRings/ci-cloud-storage-0583-bucket/cryptoKeys/ci-cloud-storage-0583-bucket": Error setting IAM policy for KMS CryptoKey "projects/ci-cloud-storage-0583/locations/us/keyRings/ci-cloud-storage-0583-bucket/cryptoKeys/ci-cloud-storage-0583-bucket": googleapi: Error 400: Service account service-443806032995@gs-project-accounts.iam.gserviceaccount.com does not exist., badRequest
        	            	
        	            	  with module.bucket.module.encryption_key[0].google_kms_crypto_key_iam_binding.decrypters[0],
        	            	  on .terraform/modules/bucket.encryption_key/main.tf line 76, in resource "google_kms_crypto_key_iam_binding" "decrypters":
        	            	  76: resource "google_kms_crypto_key_iam_binding" "decrypters" {
        	            	
        	            	
        	            	Error: Error applying IAM policy for KMS CryptoKey "projects/ci-cloud-storage-0583/locations/us/keyRings/ci-cloud-storage-0583-bucket/cryptoKeys/ci-cloud-storage-0583-bucket": Error setting IAM policy for KMS CryptoKey "projects/ci-cloud-storage-0583/locations/us/keyRings/ci-cloud-storage-0583-bucket/cryptoKeys/ci-cloud-storage-0583-bucket": googleapi: Error 400: Service account service-443806032995@gs-project-accounts.iam.gserviceaccount.com does not exist., badRequest
        	            	
        	            	  with module.bucket.module.encryption_key[0].google_kms_crypto_key_iam_binding.encrypters[0],
        	            	  on .terraform/modules/bucket.encryption_key/main.tf line 83, in resource "google_kms_crypto_key_iam_binding" "encrypters":
        	            	  83: resource "google_kms_crypto_key_iam_binding" "encrypters" {
        	            	}
        	Test:       	TestAll/examples/simple_bucket

[ps-occrp]

This looks very similar to this issue hashicorp/terraform-provider-google#7611

Basically service account doesn't get created until api is used and in this case we want to use api after creating keys.

I'm open to implement workaround but for most of actual users this will never be an issue. Do you have any suggestion on how to move forward here?

[ps-occrp]

Latest commit should fix this issue. Please run gcbrun again :)

[apeabody]

/gcbrun

[apeabody]

/gcbrun

[apeabody]

/gcbrun

[ps-occrp]

Can this be merged?

[apeabody]

/gcbrun

[apeabody]

Thanks for the contribution @ps-occrp!