Atlas does not automatically rotate the Key Version Resource ID used for Google Cloud key management.
Basically, when a new version of the key is created in GCP, the Atlas Terraform provider does not accept a "primary" or "newest" value for the version argument.
We cannot use the data source (https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/kms_crypto_key_version) to filter on the version that is primary or the "newest"; it will default to 1. We have to specify the version number. But we need this to be fully automated.
I found this issue which seems to show the same situation, but it’s from 2020…
https://github.com/hashicorp/terraform-provider-google/issues/5688
MongoDB Support mentioned we could use the AWS KMS which supports automatic key rotation.
So we are suggesting implementing automatic key rotation for GCP as well.
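As an added example (not code from the original post, MongoDB or HashiCorp), the script below shows one way to keep the version number out of Terraform: it reads the JSON that `gcloud kms keys versions list --format=json` prints, skips every version that is not ENABLED, prefers the key's primary version when the caller passes it (the `primary.name` field of `gcloud kms keys describe`), and otherwise picks the highest-numbered ENABLED version. The result is the full `projects/.../cryptoKeyVersions/N` resource ID that the Atlas key version setting expects, rendered as a `-var` flag for `terraform apply`. The sample JSON is constructed, and the `gcp_key_version_resource_id` variable name is hypothetical.

```python
import json
import re
from typing import Optional

# Constructed sample (not real gcloud output) in the shape of
# `gcloud kms keys versions list --key ... --format=json`.
# Version 1 is the original key (what the Terraform data source defaults to),
# version 2 was rotated in and later disabled, version 3 is the current
# primary, version 4 is still being generated and must not be selected.
SAMPLE_KEY = ("projects/example-project/locations/global/keyRings/atlas-ring"
              "/cryptoKeys/atlas-key")
SAMPLE_VERSIONS_JSON = json.dumps([
    {"name": f"{SAMPLE_KEY}/cryptoKeyVersions/1", "state": "ENABLED",
     "createTime": "2023-01-01T00:00:00.000000Z"},
    {"name": f"{SAMPLE_KEY}/cryptoKeyVersions/2", "state": "DISABLED",
     "createTime": "2023-04-01T00:00:00.000000Z"},
    {"name": f"{SAMPLE_KEY}/cryptoKeyVersions/3", "state": "ENABLED",
     "createTime": "2023-07-01T00:00:00.000000Z"},
    {"name": f"{SAMPLE_KEY}/cryptoKeyVersions/4", "state": "PENDING_GENERATION",
     "createTime": "2023-10-01T00:00:00.000000Z"},
])

_VERSION_RE = re.compile(r"/cryptoKeyVersions/(\d+)$")


def version_number(name: str) -> int:
    """Extract the numeric version from a cryptoKeyVersion resource name."""
    m = _VERSION_RE.search(name)
    if not m:
        raise ValueError(f"not a cryptoKeyVersion resource name: {name}")
    return int(m.group(1))


def select_key_version(versions: list, primary_name: Optional[str] = None) -> str:
    """Return the resource ID of the version Atlas should be pointed at.

    Only ENABLED versions are usable; DISABLED, DESTROYED, DESTROY_SCHEDULED
    and PENDING_GENERATION versions are skipped. If the key's primary version
    is supplied and is ENABLED, it wins; otherwise the highest-numbered
    ENABLED version is chosen, which is the one GCP promotes after a rotation.
    Raises instead of silently falling back to version 1.
    """
    enabled = {v["name"]: v for v in versions if v.get("state") == "ENABLED"}
    if not enabled:
        raise ValueError("no ENABLED key version; refusing to default to version 1")
    if primary_name in enabled:
        return primary_name
    return max(enabled, key=version_number)


def select_from_gcloud_json(text: str, primary_name: Optional[str] = None) -> str:
    """Same selection, starting from the raw JSON text that gcloud prints."""
    return select_key_version(json.loads(text), primary_name)


def terraform_var(resource_id: str,
                  var_name: str = "gcp_key_version_resource_id") -> str:
    """Render the -var flag that feeds the chosen ID into `terraform apply`.

    `gcp_key_version_resource_id` is a hypothetical variable name; wire it to
    the key version attribute of your Atlas encryption-at-rest resource.
    """
    return f"-var={var_name}={resource_id}"


if __name__ == "__main__":
    # In a pipeline, replace SAMPLE_VERSIONS_JSON with the captured stdout of:
    #   gcloud kms keys versions list --key atlas-key --keyring atlas-ring \
    #       --location global --format=json
    chosen = select_from_gcloud_json(SAMPLE_VERSIONS_JSON)
    print(chosen)
    print(terraform_var(chosen))
```

Run it once per pipeline execution before `terraform plan`/`apply`; because the selection refuses to return anything when no ENABLED version exists, a broken rotation fails the pipeline instead of quietly re-pinning version 1.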
-
AdminZuhair (Admin, MongoDB) commented
Hi, thanks for the feedback. Automatic key rotation is not a limitation of the MongoDB Atlas Terraform Provider, but rather of the underlying Atlas Admin API itself. The Atlas Admin API does not automatically rotate user-managed encryption keys from any of the cloud vendors. For more information, see the documentation (https://www.mongodb.com/docs/atlas/reference/api/enable-configure-encryptionatrest/).
As an alternative, if helpful, MongoDB Support is correct: you can use Manage Customer Keys with AWS KMS (as well as with Google Cloud KMS), which supports automatic key rotation, which you can access via the Atlas UI. Hope this helps. To learn more, see here: https://www.mongodb.com/docs/atlas/security-gcp-kms/