Bigtable: Check ForceNew for kms_key_name field in the diff function (#6765) (#13018)

Signed-off-by: Modular Magician <[email protected]>

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/6765.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+bigtable: update checking ForceNew logic for `kms_key_name`
+```

google/resource_bigtable_instance.go

@@ -81,7 +81,6 @@ func resourceBigtableInstance() *schema.Resource {
 						"kms_key_name": {
 							Type:        schema.TypeString,
 							Optional:    true,
-							ForceNew:    true,
 							Computed:    true,
 							Description: `Describes the Cloud KMS encryption key that will be used to protect the destination Bigtable cluster. The requirements for this key are: 1) The Cloud Bigtable service account associated with the project that contains this cluster must be granted the cloudkms.cryptoKeyEncrypterDecrypter role on the CMEK key. 2) Only regional keys can be used and the region of the CMEK key must match the region of the cluster. 3) All clusters within an instance must use the same CMEK key. Values are of the form projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}`,
 						},
@@ -561,6 +560,14 @@ func resourceBigtableInstanceClusterReorderTypeList(_ context.Context, diff *sch
 				return fmt.Errorf("Error setting cluster diff: %s", err)
 			}
 		}
+
+		oKey, nKey := diff.GetChange(fmt.Sprintf("cluster.%d.kms_key_name", i))
+		if oKey != nKey {
+			err := diff.ForceNew(fmt.Sprintf("cluster.%d.kms_key_name", i))
+			if err != nil {
+				return fmt.Errorf("Error setting cluster diff: %s", err)
+			}
+		}
 	}
 
 	return nil

google/resource_bigtable_instance_test.go

@@ -172,7 +172,8 @@ func TestAccBigtableInstance_kms(t *testing.T) {
 	skipIfVcr(t)
 	t.Parallel()
 
-	kms := BootstrapKMSKeyInLocation(t, "us-central1")
+	kms1 := BootstrapKMSKeyInLocation(t, "us-central1")
+	kms2 := BootstrapKMSKeyInLocation(t, "us-east1")
 	pid := getTestProjectFromEnv()
 	instanceName := fmt.Sprintf("tf-test-%s", randString(t, 10))
 
@@ -182,14 +183,20 @@ func TestAccBigtableInstance_kms(t *testing.T) {
 		CheckDestroy: testAccCheckBigtableInstanceDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccBigtableInstance_kms(pid, instanceName, kms.CryptoKey.Name, 3),
+				Config: testAccBigtableInstance_kms(pid, instanceName, kms1.CryptoKey.Name, 3),
 			},
 			{
 				ResourceName:            "google_bigtable_instance.instance",
 				ImportState:             true,
 				ImportStateVerify:       true,
 				ImportStateVerifyIgnore: []string{"deletion_protection", "instance_type"}, // we don't read instance type back
 			},
+			// TODO(kevinsi4508): Verify that the instance can be recreated due to `kms_key_name` change.
+			{
+				Config:             testAccBigtableInstance_kms(pid, instanceName, kms2.CryptoKey.Name, 3),
+				PlanOnly:           true,
+				ExpectNonEmptyPlan: true,
+			},
 		},
 	})
 }

website/docs/r/bigtable_instance.html.markdown

@@ -131,11 +131,9 @@ for a `DEVELOPMENT` instance.
 
 * `kms_key_name` - (Optional) Describes the Cloud KMS encryption key that will be used to protect the destination Bigtable cluster. The requirements for this key are: 1) The Cloud Bigtable service account associated with the project that contains this cluster must be granted the `cloudkms.cryptoKeyEncrypterDecrypter` role on the CMEK key. 2) Only regional keys can be used and the region of the CMEK key must match the region of the cluster.
 
-!> **Warning**: Modifying this field will cause Terraform to delete/recreate the entire resource. 
+-> **Note**: Removing the field entirely from the config will cause the provider to default to the backend value.
 
--> **Note**: To remove this field once it is set, set the value to an empty string. Removing the field entirely from the config will cause the provider to default to the backend value.
-
-!> **Warning:** Modifying the `storage_type` or `zone` of an existing cluster (by
+!> **Warning:** Modifying the `storage_type`, `zone` or `kms_key_name` of an existing cluster (by
 `cluster_id`) will cause Terraform to delete/recreate the entire
 `google_bigtable_instance` resource. If these values are changing, use a new
 `cluster_id`.