Treat skip_initial_version_creation as a create-only parameter for Cloud KMS keys (#14802) (#23984)

[upstream:09ea20ad848581c4ac7d98371ec8737624580b41]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/14802.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+kms: `skip_initial_version_creation` field is no longer immutable in `google_kms_crypto_key`, but is still only settable at-creation
+```

google/services/kms/resource_kms_crypto_key.go

@@ -137,10 +137,10 @@ letter 's' (seconds). It must be greater than a day (ie, 86400).`,
 			"skip_initial_version_creation": {
 				Type:     schema.TypeBool,
 				Optional: true,
-				ForceNew: true,
 				Description: `If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
 You must use the 'google_kms_crypto_key_version' resource to create a new CryptoKeyVersion
-or 'google_kms_key_ring_import_job' resource to import the CryptoKeyVersion.`,
+or 'google_kms_key_ring_import_job' resource to import the CryptoKeyVersion.
+This field is only applicable during initial CryptoKey creation.`,
 			},
 			"version_template": {
 				Type:        schema.TypeList,
@@ -530,10 +530,6 @@ func resourceKMSCryptoKeyImport(d *schema.ResourceData, meta interface{}) ([]*sc
 		return nil, fmt.Errorf("Error setting name: %s", err)
 	}
 
-	if err := d.Set("skip_initial_version_creation", false); err != nil {
-		return nil, fmt.Errorf("Error setting skip_initial_version_creation: %s", err)
-	}
-
 	id, err := tpgresource.ReplaceVars(d, config, "{{key_ring}}/cryptoKeys/{{name}}")
 	if err != nil {
 		return nil, fmt.Errorf("Error constructing id: %s", err)

google/services/kms/resource_kms_crypto_key_test.go

@@ -174,15 +174,15 @@ func TestAccKmsCryptoKey_basic(t *testing.T) {
 				ResourceName:            "google_kms_crypto_key.crypto_key",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+				ImportStateVerifyIgnore: []string{"skip_initial_version_creation", "labels", "terraform_labels"},
 			},
 			// Test importing with a short id
 			{
 				ResourceName:            "google_kms_crypto_key.crypto_key",
 				ImportState:             true,
 				ImportStateId:           fmt.Sprintf("%s/%s/%s/%s", projectId, location, keyRingName, cryptoKeyName),
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+				ImportStateVerifyIgnore: []string{"skip_initial_version_creation", "labels", "terraform_labels"},
 			},
 			// Use a separate TestStep rather than a CheckDestroy because we need the project to still exist.
 			{
@@ -219,25 +219,28 @@ func TestAccKmsCryptoKey_rotation(t *testing.T) {
 				Config: testGoogleKmsCryptoKey_rotation(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName, rotationPeriod),
 			},
 			{
-				ResourceName:      "google_kms_crypto_key.crypto_key",
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            "google_kms_crypto_key.crypto_key",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"skip_initial_version_creation"},
 			},
 			{
 				Config: testGoogleKmsCryptoKey_rotation(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName, updatedRotationPeriod),
 			},
 			{
-				ResourceName:      "google_kms_crypto_key.crypto_key",
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            "google_kms_crypto_key.crypto_key",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"skip_initial_version_creation"},
 			},
 			{
 				Config: testGoogleKmsCryptoKey_rotationRemoved(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName),
 			},
 			{
-				ResourceName:      "google_kms_crypto_key.crypto_key",
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            "google_kms_crypto_key.crypto_key",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"skip_initial_version_creation"},
 			},
 			// Use a separate TestStep rather than a CheckDestroy because we need the project to still exist.
 			{
@@ -272,17 +275,19 @@ func TestAccKmsCryptoKey_template(t *testing.T) {
 				Config: testGoogleKmsCryptoKey_template(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName, algorithm),
 			},
 			{
-				ResourceName:      "google_kms_crypto_key.crypto_key",
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            "google_kms_crypto_key.crypto_key",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"skip_initial_version_creation"},
 			},
 			{
 				Config: testGoogleKmsCryptoKey_template(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName, updatedAlgorithm),
 			},
 			{
-				ResourceName:      "google_kms_crypto_key.crypto_key",
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            "google_kms_crypto_key.crypto_key",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"skip_initial_version_creation"},
 			},
 			// Use a separate TestStep rather than a CheckDestroy because we need the project to still exist.
 			{
@@ -318,7 +323,7 @@ func TestAccKmsCryptoKey_destroyDuration(t *testing.T) {
 				ResourceName:            "google_kms_crypto_key.crypto_key",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+				ImportStateVerifyIgnore: []string{"skip_initial_version_creation", "labels", "terraform_labels"},
 			},
 			// Use a separate TestStep rather than a CheckDestroy because we need the project to still exist.
 			{

website/docs/r/kms_crypto_key.html.markdown

@@ -155,6 +155,7 @@ The following arguments are supported:
   If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
   You must use the `google_kms_crypto_key_version` resource to create a new CryptoKeyVersion
   or `google_kms_key_ring_import_job` resource to import the CryptoKeyVersion.
+  This field is only applicable during initial CryptoKey creation.