KMS key is not used in node_config in some case

[johanferguth]

TL;DR

With some configuration the gke module provide an error related to an unused kms key

Expected behavior

the kms key is used by node_config also

Observed behavior

[...].module.gke.google_container_cluster.primary: Creating...
╷
│ Error: googleapi: Error 400: Failed precondition: Constraint `constraints/gcp.restrictNonCmekServices` violated for `projects/427955863992` attempting to create a resource without specifying a KMS CryptoKey.
│ Details:
│ [
│   {
│     "@type": "[type.googleapis.com/google.rpc.RequestInfo](http://type.googleapis.com/google.rpc.RequestInfo)",
│     "requestId": "0x49b9d3b73e2c5556"
│   }
│ ]
│ , failedPrecondition
│
│   with module.environment_cluster.module.cluster.module.gke.google_container_cluster.primary,
│   on .terraform/modules/environment_cluster.cluster.gke/cluster.tf line 22, in resource "google_container_cluster" "primary":
│   22: resource "google_container_cluster" "primary" {
│

Terraform Configuration

module "gke" {
  depends_on = [google_compute_subnetwork.kubernetes_subnet, module.cluster_name_object, module.node_pools_name_object]
  source     = "terraform-google-modules/kubernetes-engine/google"


  boot_disk_kms_key	      = var.encryption_key != null ? var.encryption_key.id : ""
  cluster_resource_labels     = local.labels
  create_service_account	= false
  service_account         = "${data.google_project.platform.number}-compute@developer.gserviceaccount.com"
  database_encryption = [
    {
      state    = var.encryption_key != null ? "ENCRYPTED" : "DECRYPTED"
      key_name = var.encryption_key != null ? var.encryption_key.id: null
    }
  ]

  deletion_protection     = false
  ip_range_pods           = "pods"
  ip_range_services       = "services"
  kubernetes_version      = var.kubernetes_version
  name                    = module.cluster_name_object.strings_object.normalized_string
  network                 = var.vpc_network_setup.name
  project_id              = var.project_id
  region                  = var.region
  subnetwork              = google_compute_subnetwork.kubernetes_subnet.name


  node_pools = [
    {
      auto_repair              = true
      autoscaling              = false
      boot_disk_kms_key	       = var.encryption_key != null ? var.encryption_key.id : ""
      disk_size_gb             = local.root_disk_size
      machine_type             = var.environment.machine_type
      name                     = module.node_pools_name_object.strings_object.normalized_string
      node_count               = local.is_standby ? 0 : var.environment.machine_count
      node_locations           = var.available_zones[0]
      remove_default_node_pool = true
      spot                     = false
    }
  ]
}

Terraform Version

1.5.7

Additional information

we propose the following fix but cannot test end to end

#2006