Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[KP] ibm_kms_instance_policies- issue on subsequent plan #5342

Closed
Ak-sky opened this issue May 9, 2024 · 5 comments
Closed

[KP] ibm_kms_instance_policies- issue on subsequent plan #5342

Ak-sky opened this issue May 9, 2024 · 5 comments
Labels
service/Key Management Services Issues related to Key Management Release

Comments

@Ak-sky
Copy link

Ak-sky commented May 9, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

Terraform Version v1.5.7
Terraform IBM Provider Version v1.65.0

Affected Resource(s)

  • ibm_kms_instance_policies

Terraform Configuration Files

We have been facing this issue when deploying this solution, on subsequent TF plan, it shows an update in place.

  ~ update in-place

Terraform will perform the following actions:

  # module.kms.module.key_protect[0].ibm_kms_instance_policies.key_protect_instance_policies will be updated in-place
  ~ resource "ibm_kms_instance_policies" "key_protect_instance_policies" {
        id            = "crn:v1:bluemix:public:kms:us-south:a/52a1d940412a4e67b109175bd1fb6513:725341f1-12c7-4575-aa39-2c16f20fafda::"
        # (2 unchanged attributes hidden)

      + dual_auth_delete {
          + enabled = false
        }

      + key_create_import_access {
          + create_root_key     = true
          + create_standard_key = true
          + enabled             = false
          + enforce_token       = false
          + import_root_key     = true
          + import_standard_key = true
        }

      + metrics {
          + enabled = true
        }

      + rotation {
          + enabled        = true
          + interval_month = 3
        }
    }

And on TF apply it fails with the below error

│ Error: Could not update the policies: [ERROR] Error while setting instance policies: kp.Error: correlation_id='84935c42-b102-4982-934b-e4a92ad5466e', msg='Bad Request: Instance policy could not be created: Please see `reasons` for more details (INVALID_FIELD_ERR)', reasons='[INVALID_FIELD_ERR: The field `attributes` must be: provided only if policy is being enabled - FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'
│
│   with module.kms.module.key_protect[0].ibm_kms_instance_policies.key_protect_instance_policies,
│   on .terraform/modules/kms.key_protect/main.tf line 26, in resource "ibm_kms_instance_policies" "key_protect_instance_policies":
│   26: resource "ibm_kms_instance_policies" "key_protect_instance_policies" {
│

This is reproducible in both schematics and in local.

Debug Output

Attached TF Trace Logs - kms-all-inclusive-standard_Trace_TFA_09.05.2024-21.50.04.log

Attached TF Aplly std output kms-all-inclusive-standard_TFA_09.05.2024-21.50.04.log

Panic Output

Expected Behavior

  • There should not be any update in place.

Actual Behavior

TF subsequent plan shows update in place.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000
@github-actions github-actions bot added the service/Key Management Services Issues related to Key Management Release label May 9, 2024
@bhakta-ibm
Copy link

@william8siew Can you please take a look? This is a blocker for others.

@stephaniegalang
Copy link
Contributor

Hi there!
I have a fix in the works which involves correcting the failing inputs from the Key Protect Go SDK side. Please hold tight while we get a new Go SDK version out. Once the new version is out, I will open a PR here to update go.mod and provide test results.

@ocofaigh ocofaigh mentioned this issue May 10, 2024
Closed
@stephaniegalang stephaniegalang mentioned this issue May 13, 2024
Merged
@william8siew william8siew mentioned this issue May 13, 2024
Merged
@stephaniegalang
Copy link
Contributor

Fix PR has been opened: #5346. With this change, users will be able to disable keyCreateImportAccess instance policies via Terraform.

@william8siew
Copy link
Contributor

Hi @Ak-sky
Can you test the fix using terraform provider version 1.65.1? Thanks

@Ak-sky
Copy link
Author

Ak-sky commented May 23, 2024

We tested it and is fixed now, thank you @william8siew.

@Ak-sky Ak-sky changed the title ibm_kms_instance_policies- issue on subsequent plan [KP] ibm_kms_instance_policies- issue on subsequent plan Jul 5, 2024
@Ak-sky Ak-sky closed this as completed Jul 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
service/Key Management Services Issues related to Key Management Release
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Ak-sky @william8siew @stephaniegalang @bhakta-ibm