
ibm_kms_instance_policies fails when trying to communicate with a private only enabled Key Protect instance #5154

Closed
ocofaigh opened this issue Feb 26, 2024 · 3 comments · Fixed by #5221
Labels
service/Key Management Services Issues related to Key Management Release

Comments

@ocofaigh
Contributor

There seems to be a bug with the ibm_kms_instance_policies provider resource when it tries to run on a “private-only” Key Protect instance. The error returned is:

Error: [ERROR] Get Policies failed with error : kp.Error: correlation_id='964cfd54-cfca-4b64-bfc5-f79c23a1806a', msg='Unauthorized: Either the user does not have access to the specified resource, the resource does not exist, or the region is incorrectly set

I am running in a Schematics environment on a VRF enabled account, so it should have access to the private endpoint. When I set the Key Protect instance to allow “public-and-private”, the error does not occur.

Other resources (such as ibm_kms_key) have an endpoint_type argument that can be set to public or private to allow you to choose which endpoint to use. But no such argument exists for ibm_kms_instance_policies, so I'm wondering whether by any chance the resource is hard-coded to use the public endpoint, and hence failing here?

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

tf 1.5.7
ibm provider 1.62.0

Affected Resource(s)

  • ibm_kms_instance_policies

Terraform Configuration Files

The code is in root level of code in https://github.com/terraform-ibm-modules/terraform-ibm-base-security-services-da/pull/2

Debug Output

test.log.zip

Panic Output

Expected Behavior

No error

Actual Behavior

Error: [ERROR] Get Policies failed with error : kp.Error: correlation_id='964cfd54-cfca-4b64-bfc5-f79c23a1806a', msg='Unauthorized: Either the user does not have access to the specified resource, the resource does not exist, or the region is incorrectly set

Steps to Reproduce

  1. terraform apply

Important Factoids

(See description at top of this issue)

References

  • #0000
@github-actions github-actions bot added the service/Key Management Services Issues related to Key Management Release label Feb 26, 2024
@william8siew
Contributor

william8siew commented Mar 13, 2024

I am currently unable to reproduce the error.
versions

```text
Terraform v1.4.0
on darwin_amd64
+ provider registry.terraform.io/ibm-cloud/ibm v1.62.0
```

My test setup:

```hcl
resource "ibm_resource_instance" "kp_instance" {
  name              = "wsiew-2024-mar"
  service           = "kms"
  plan              = var.kp_plan
  location          = "us-south"
  service_endpoints = "private"
}

resource "ibm_kms_instance_policies" "instance_policy" {
  instance_id = ibm_resource_instance.kp_instance.guid
  rotation {
    enabled        = true
    interval_month = 3
  }
  dual_auth_delete {
    enabled = false
  }
  metrics {
    enabled = true
  }
  key_create_import_access {
    enabled = true
  }
}
```

If possible, could you link your tf code again? The link https://github.com/terraform-ibm-modules/terraform-ibm-base-security-services-da/pull/2 is broken (404).
Also, if possible, can you provide me a new correlation id? The logs for this correlation id are past

Edit: mistake in my setup. I was supposed to use
`parameters = {"allowed_network": "private-only"}`
based on your logs to mimic

@william8siew
Contributor

After updating to use the allowed network flag, I am able to recreate the error

```text
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

ibm_resource_instance.kp_instance: Creating...
ibm_resource_instance.kp_instance: Still creating... [10s elapsed]
ibm_resource_instance.kp_instance: Creation complete after 13s [id=crn:v1:bluemix:public:kms:us-south:a/eba0f7b1166e441ab74ac94e564c72ec:fa971212-e0c7-4fcb-87c6-82e3d5f1bd46::]
ibm_kms_key_rings.key_ring: Creating...
ibm_kms_instance_policies.instance_policy: Creating...
╷
│ Error: [ERROR] Error while creating key ring : kp.Error: correlation_id='98283df4-c85c-4035-b693-1708194ee3b8', msg='Unauthorized: Either the user does not have access to the specified resource, the resource does not exist, or the region is incorrectly set'
│ 
│   with ibm_kms_key_rings.key_ring,
│   on main.tf line 10, in resource "ibm_kms_key_rings" "key_ring":
│   10: resource "ibm_kms_key_rings" "key_ring" {
│ 
╵
╷
│ Error: [ERROR] Get Policies failed with error : kp.Error: correlation_id='86ef5e93-2af1-4e41-bc85-285f71404859', msg='Unauthorized: Either the user does not have access to the specified resource, the resource does not exist, or the region is incorrectly set'
│ 
│   with ibm_kms_instance_policies.instance_policy,
│   on main.tf line 25, in resource "ibm_kms_instance_policies" "instance_policy":
│   25: resource "ibm_kms_instance_policies" "instance_policy" {
│ 
╵
wsiew@cloudshell:~$ 
```

@william8siew
Contributor

The description you provided accurately describes the problem:

Other resources (such as [ibm_kms_key](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/kms_key)) have an endpoint_type argument that can be set to public or private to allow you to choose which endpoint to use. But no such argument exists for ibm_kms_instance_policies, so I'm wondering whether by any chance the resource is hard-coded to use the public endpoint, and hence failing here?

For now, the fastest fix is to add the endpoint_type flag to the instance policy resource. Will work on that. Thanks for reporting this bug.
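Putting the corrected reproduction (a private-only instance via allowed_network) together with the maintainer's proposed fix: an added configuration example, not code from this issue or from the provider repository. It assumes that ibm_kms_instance_policies accepts endpoint_type once the fix lands, and that ibm_kms_key_rings already does; the plan name and resource names are constructed.

```hcl
# Private-only Key Protect instance, matching the reporter's scenario.
# allowed_network = "private-only" is the setting that reproduced the
# failure; service_endpoints = "private" alone did not (see the thread).
resource "ibm_resource_instance" "kp_instance" {
  name              = "kp-private-only-example" # constructed name
  service           = "kms"
  plan              = "tiered-pricing"          # assumed plan name
  location          = "us-south"
  service_endpoints = "private"
  parameters = {
    allowed_network = "private-only"
  }
}

# Key ring pinned to the private endpoint. endpoint_type on
# ibm_kms_key_rings is assumed to exist in the provider version in use.
resource "ibm_kms_key_rings" "key_ring" {
  instance_id   = ibm_resource_instance.kp_instance.guid
  key_ring_id   = "example-ring"                # constructed id
  endpoint_type = "private"
}

# Instance policies. endpoint_type = "private" is the argument the
# maintainer proposes adding; on provider 1.62.0 the resource has no such
# argument, and a private-only instance rejects the call with "Unauthorized".
resource "ibm_kms_instance_policies" "instance_policy" {
  instance_id   = ibm_resource_instance.kp_instance.guid
  endpoint_type = "private"
  rotation {
    enabled        = true
    interval_month = 3
  }
  dual_auth_delete {
    enabled = false
  }
  metrics {
    enabled = true
  }
  key_create_import_access {
    enabled = true
  }
}
```

Until the provider release that includes the fix is in use, the only configuration that avoids the error on this resource is the less restrictive allowed_network = "public-and-private" on the instance, as the reporter observed.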
