From efbf1533a1b37c5842d04e92a2191937bb00c7b4 Mon Sep 17 00:00:00 2001
From: stephengaudet
Date: Thu, 29 Jun 2023 16:03:36 -0700
Subject: [PATCH 1/2] fix-383 destroyed key gcp - only fetch pk for enabled version

---
 pkg/vault/cloudkms/cloudkms.go | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/pkg/vault/cloudkms/cloudkms.go b/pkg/vault/cloudkms/cloudkms.go
index 3e252860..74c46dad 100644
--- a/pkg/vault/cloudkms/cloudkms.go
+++ b/pkg/vault/cloudkms/cloudkms.go
@@ -131,19 +131,21 @@ func (c *cloudKMSIterator) Next() (vault.StoredKey, error) {
 // get key versions
 c.verIter = c.vault.client.ListCryptoKeyVersions(c.ctx, &kmspb.ListCryptoKeyVersionsRequest{Parent: key.Name})
 } else {
- pub, err := c.vault.getPublicKey(c.ctx, ver.Name)
- if err != nil {
- return nil, fmt.Errorf("(CloudKMS/%s) getPublicKey: %w", c.vault.config.keyRingName(), err)
- }
- if err != nil {
- if err != crypt.ErrUnsupportedKeyType {
+ if ver.State == kmspb.CryptoKeyVersion_ENABLED {
+ pub, err := c.vault.getPublicKey(c.ctx, ver.Name)
+ if err != nil {
 return nil, fmt.Errorf("(CloudKMS/%s) getPublicKey: %w", c.vault.config.keyRingName(), err)
 }
- } else {
- return &cloudKMSKey{
- key: ver,
- pub: pub,
- }, nil
+ if err != nil {
+ if err != crypt.ErrUnsupportedKeyType {
+ return nil, fmt.Errorf("(CloudKMS/%s) getPublicKey: %w", c.vault.config.keyRingName(), err)
+ }
+ } else {
+ return &cloudKMSKey{
+ key: ver,
+ pub: pub,
+ }, nil
+ }
 }
 }
 }

From 486753ed4fc6822b49ffb865c15ed39ee1c298f3 Mon Sep 17 00:00:00 2001
From: stephengaudet
Date: Thu, 29 Jun 2023 16:06:32 -0700
Subject: [PATCH 2/2] remove unreachable code

---
 pkg/vault/cloudkms/cloudkms.go | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/pkg/vault/cloudkms/cloudkms.go b/pkg/vault/cloudkms/cloudkms.go
index 74c46dad..c838d950 100644
--- a/pkg/vault/cloudkms/cloudkms.go
+++ b/pkg/vault/cloudkms/cloudkms.go
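Review bot: The first `if err != nil` after `getPublicKey` in the new `ver.State == kmspb.CryptoKeyVersion_ENABLED` branch returns on every error, so the `crypt.ErrUnsupportedKeyType` test below it can never run, and patch 2/2 deletes that branch instead of making it reachable. If the intent was to skip versions of an unsupported type, a single such enabled version presumably aborts the whole key listing; `getPublicKey` and the enclosing loop are outside the hunk, so this needs confirming against them. Narrowing the first check to `if err != nil && err != crypt.ErrUnsupportedKeyType {` would keep the skip. A version can also leave ENABLED between the list call and the fetch, so the state test narrows that failure but does not remove it. The filter deserves a comment such as `// only ENABLED versions are fetched; every other state is skipped without an error`.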
@@ -135,11 +135,6 @@ func (c *cloudKMSIterator) Next() (vault.StoredKey, error) {
 pub, err := c.vault.getPublicKey(c.ctx, ver.Name)
 if err != nil {
 return nil, fmt.Errorf("(CloudKMS/%s) getPublicKey: %w", c.vault.config.keyRingName(), err)
- }
- if err != nil {
- if err != crypt.ErrUnsupportedKeyType {
- return nil, fmt.Errorf("(CloudKMS/%s) getPublicKey: %w", c.vault.config.keyRingName(), err)
- }
 } else {
 return &cloudKMSKey{
 key: ver,