Unable to destroy stack with key ring

[yarinm]

 -  gcp:kms:CryptoKey gkeKey deleting 
 -  gcp:kms:CryptoKey gkeKey deleting error: deleting urn:pulumi:prod_gcp_wiz-managed_us-west2_infra::wiz-diskanalyzer::gcp:kms/cryptoKey:CryptoKey::gkeKey: 1 error occurred:
 -  gcp:kms:CryptoKey gkeKey **deleting failed** error: deleting urn:pulumi:prod_gcp_wiz-managed_us-west2_infra::wiz-diskanalyzer::gcp:kms/cryptoKey:CryptoKey::gkeKey: 1 error occurred:
    pulumi:pulumi:Stack wiz-diskanalyzer-prod_gcp_wiz-managed_us-west2_infra  error: update failed
    pulumi:pulumi:Stack wiz-diskanalyzer-prod_gcp_wiz-managed_us-west2_infra **failed** 1 error
 
Diagnostics:
  gcp:kms:CryptoKey (gkeKey):
    error: deleting urn:pulumi:prod_gcp_wiz-managed_us-west2_infra::wiz-diskanalyzer::gcp:kms/cryptoKey:CryptoKey::gkeKey: 1 error occurred:
    	* googleapi: Error 400: The request cannot be fulfilled. Resource projects/prod-us1-300113/locations/us-west2/keyRings/prod-us1-us-west2-wiz-ring-rfed/cryptoKeys/prod-us1-us-west2-wiz-gke-key-rfed/cryptoKeyVersions/1 has value DESTROY_SCHEDULED in field crypto_key_version.state., failedPrecondition
 
  pulumi:pulumi:Stack (wiz-diskanalyzer-prod_gcp_wiz-managed_us-west2_infra):
    error: update failed

I'd expect that if this is the state of the key pulumi will consider it as deleted.

At the moment I need to wait 24 hours before I can retry to destroy the stack

[yarinm]

I also noticed that since they CryptoKey has rotation it still keeps rotating new keys which are not destroyed
I probably need to manually stop the key rotation -> destroy -> wait 24h?

Really bad experience, is there a way to overcome this?

[lukehoban]

This appears to be part of the intentional design of the upstream provider - as part of hashicorp/terraform-provider-google#3612 and related issues. We will need to revisit this experience as part of https://github.com/pulumi/pulumi-google-native.

[yarinm]

@lukehoban the issue you attached seems to mention this as fixed - TF is supposed to disable rotation and destroy all key materials and remove the keyring from the stack as it is. Pulumi doesn't do that.. is there a way to provide a fix for this?

Saying it will be solved in a future provider refactor is nice but it can happen months from now.

At the moment I'm unable to delete my GCP stacks unless I do them manually. This is critical for our system to be able to do these things automatically without faults.

[moranCohen26]

According to the documentation https://www.pulumi.com/registry/packages/gcp/api-docs/kms/keyring/#keyring pulumi should not try to delete the key ring.

Note: KeyRings cannot be deleted from Google Cloud Platform. Destroying a provider-managed KeyRing will remove it from state but will not delete the resource from the project.

I checked now and also still get googleapi: Error 400: The request cannot be fulfilled. using github.com/pulumi/pulumi-gcp/sdk/v6 v6.20.0

Any idea why the behavior is not aligned with the documentation ?

[mnlumi]

Needs a repro to see if still applicable.

[mjeffryes]

Unfortunately, it looks like this issue hasn't seen any updates in a while. If you're still encountering this problem, could you leave a quick comment to let us know so we can prioritize it?