
GCS backend: kms_encryption_key ignored #4475

Open
@HauserV

Description

Describe the bug

Regardless of kms_encryption_key setting in remote_state.config, Terragrunt creates GCS buckets without CMEK.

Steps To Reproduce

  1. Configure organizational policy to enforce CMEK.
  2. Configure GCS-backed remote_state in Terragrunt with a bucket that doesn't exist.
  3. Run terragrunt backend bootstrap

```hcl
locals {
  project_id = "my-project"
  region     = "europe-west3"
}

remote_state {
  backend = "gcs"

  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }

  config = {
    bucket                    = "${local.project_id}-tfstate"
    project                   = local.project_id
    prefix                    = path_relative_to_include()
    location                  = local.region
    enable_bucket_policy_only = true
    kms_encryption_key        = "projects/cmek/locations/europe-west3/keyRings/keyring/cryptoKeys/kms-key"
  }
}
```

Current behavior

```text
$ terragrunt backend bootstrap
Remote state GCS bucket my-project-tfstate does not exist or you don't have permissions to access it. Would you like Terragrunt to create it? (y/n) y
16:39:29.091 ERROR  Create GCS bucket my-project-tfstate returned an error: error creating GCS bucket my-project-tfstate: googleapi: Error 412: A default customer-managed encryption key (CMEK) on the bucket is required by an org policy in effect. Learn more at https://cloud.google.com/kms/docs/cmek-org-policy#require-cmek, conditionNotMet. Retry 0 of 3. Sleeping for 10s and will try again.
```

Expected behavior

Terragrunt should create the bucket with the provided CMEK.

Nice to haves

  • Terminal output
  • Screenshots

Versions

  • Terragrunt version: 0.81.10
  • OpenTofu/Terraform version: 1.12.1
  • Environment details (Ubuntu 20.04, Windows 10, etc.): Fedora Linux 41 in WSL

Additional context

N/A
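Because Terragrunt drops the configured key, a bucket bootstrapped in a project where no org policy blocks creation would simply lack CMEK, so the bucket is worth checking after bootstrap. The check below is an added example, not code from the issue or from Terragrunt; it assumes the bucket description has the shape of the Cloud Storage JSON API bucket resource (name, location, encryption.defaultKmsKeyName), and the sample buckets are constructed.

```python
import re

# Shape of a Cloud KMS key resource name, the value kms_encryption_key takes.
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)


def parse_kms_key(name: str) -> dict:
    """Split a Cloud KMS cryptoKey resource name into its parts; reject anything else."""
    match = KMS_KEY_RE.match(name)
    if not match:
        raise ValueError(f"not a Cloud KMS cryptoKey resource name: {name!r}")
    return match.groupdict()


def check_bucket_cmek(bucket: dict, expected_key: str) -> list:
    """Compare one bucket resource (assumed JSON API shape) with the key Terragrunt
    was configured to use. Returns findings; an empty list means compliant."""
    findings = []
    key = parse_kms_key(expected_key)
    actual = (bucket.get("encryption") or {}).get("defaultKmsKeyName")
    if not actual:
        findings.append(f"{bucket['name']}: no default CMEK set")
    elif actual != expected_key:
        findings.append(f"{bucket['name']}: default key {actual} differs from configured key")
    # A regional bucket needs a key in the same region; the API reports locations upper-case.
    if key["location"].lower() != bucket.get("location", "").lower():
        findings.append(
            f"{bucket['name']}: key location {key['location']} != bucket location "
            f"{bucket.get('location')}"
        )
    return findings


def audit(buckets: list, expected_key: str) -> dict:
    """Map bucket name -> findings for every bucket description given."""
    return {b["name"]: check_bucket_cmek(b, expected_key) for b in buckets}


# Constructed sample: the key from the issue, a bucket as the buggy bootstrap would
# create it (no encryption block at all), and one created with the key applied.
CONFIGURED_KEY = "projects/cmek/locations/europe-west3/keyRings/keyring/cryptoKeys/kms-key"
SAMPLE_BUCKETS = [
    {"name": "my-project-tfstate", "location": "EUROPE-WEST3"},
    {"name": "other-tfstate", "location": "EUROPE-WEST3",
     "encryption": {"defaultKmsKeyName": CONFIGURED_KEY}},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BUCKETS, CONFIGURED_KEY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```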

Labels: bug (Something isn't working), contributions-requested (Requesting contributions from the community), gcp (Relates to GCP)