
[Bug] #86

@JohnHales


Bug Description

CMEK not enforced on pub/sub logging topics

Environment and Deployment Context


  • Stellar Engine Version/Commit: main branch
  • Deployment Type:
    • US Region Restricted (e.g., Access Policy constraint)
    • FedRAMP Medium
    • FedRAMP High
    • DoD IL4
    • DoD IL5
    • Stand-alone / Custom
  • FAST Stage (if applicable):
    • Stage 0 (Bootstrap)
    • Stage 1 (Resource Management)
    • Stage 2 (Network Creation)
    • Stage 3 (Security and Audit)
  • Affected Component: (e.g., modules/net-vpc, blueprints/il5/bigquery, fast/stage-1): CMEK not being used on logging pub/sub topics
  • Terraform Version: (e.g., 1.5.7): v1.15.5
  • GCP Provider Version: (e.g., 5.10.0): 6.50.0

Steps to Reproduce

Steps to reproduce the behavior:

  1. Deploy stage 0
  2. Run command: gcloud pubsub topics list --project=p06102-prod-audit-logs-0 --format="table(name.basename(), kmsKeyName)"
  3. See KMS_Key_Name: All are blank (using Google default key)

Expected Behavior

CMEK to be used on the topics

Actual Behavior

Google default key used

Relevant Logs and Errors

Additional Context

It looks to be caused by log-export.tf which is supposed to set kms_key = try(var.logging_kms_key, module.logging-kms.keys["log-sink"]) (and does), but the try() fails when the original condition fails, which it does because var.logging_kms_key is set with default = null. If that got past the null, then the output keys returns the resource object, not the key ID. Looks to be in 4 places in log-export.tf (lines 88, 101, 112, and 123) and could potentially be fixed by using coalesce(var.logging_kms_key, module.logging-kms.keys["log-sink"].id)
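The difference between the two expressions described above, written out as an added Terraform example (this is not the project's log-export.tf, and the module "logging-kms", its "keys" output shape, the variable name and the topic name are assumptions for illustration):

```hcl
# Added example, not code from the Stellar Engine repository.
# Assumptions: a module block named "logging-kms" exists in the same
# configuration and exposes an output "keys" that is a map of
# google_kms_crypto_key resource objects keyed by key name, so that
# keys["log-sink"].id is the full crypto key resource ID string.

variable "logging_kms_key" {
  description = "Optional caller-supplied KMS key ID; null means use the module-managed key."
  type        = string
  default     = null
}

locals {
  # Buggy form: try() only falls through when an expression raises an
  # error. A null value is a perfectly valid result, so with the default
  # above this evaluates to null and the topic silently gets the
  # Google-managed key. Even with the variable set, the fallback would be
  # the whole resource object rather than the key ID string.
  kms_key_buggy = try(var.logging_kms_key, module.logging-kms.keys["log-sink"])

  # Corrected form: coalesce() skips null and empty-string arguments and
  # returns the first usable one, so the module-managed key ID is applied
  # whenever no override is supplied. If both arguments are null the plan
  # fails loudly instead of quietly dropping CMEK.
  kms_key_fixed = coalesce(var.logging_kms_key, module.logging-kms.keys["log-sink"].id)
}

# Hypothetical topic showing the corrected expression in use.
resource "google_pubsub_topic" "audit_logs_example" {
  name         = "audit-logs-example"
  kms_key_name = local.kms_key_fixed
}
```

With var.logging_kms_key left at its default, local.kms_key_buggy evaluates to null while local.kms_key_fixed evaluates to the module-managed key ID, which is the behaviour the reporter expects. After applying, the same gcloud command from the steps to reproduce should show a non-empty KMS_KEY_NAME for the topic.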

Labels: bug (Something isn't working)