IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

Cannot encrypt VPC Block Volume with custom KP Key #1177

Closed Mallear closed 4 years ago

Mallear commented 4 years ago

Hi there, I am trying to create a VPC Volume and encrypt it with my own key.

### Terraform Version

Terraform v0.12.21
IBM Provider v1.2.1

### Affected Resource(s)

### Terraform Configuration Files

```hcl
resource "ibm_kp_key" "kp_key" {
  key_protect_id = var.kp_instance_guid
  key_name       = "kp-block-storage-${var.environment}-${var.project_name}"
  standard_key   = false
}

resource "ibm_is_volume" "block_storage" {
  name           = "k8s-block-vol-${var.environment}-${var.project_name}"
  resource_group = data.ibm_resource_group.resource_group.id

  profile        = var.profile
  zone           = var.zone
  iops           = var.iops
  capacity       = var.capacity

  encryption_key = ibm_kp_key.kp_key.crn
}
```

### Debug Output

```
module.block_storage.ibm_kp_key.kp_key: Creating...
module.block_storage.ibm_kp_key.kp_key: Creation complete after 1s [id=crn:v1:bluemix:public:kms:eu-de:a/52bf14c611f645629f8f3799ea75d340:1c7ccc48-e292-461d-89c4-6a5c0ffc4b67:key:5f002cd8-978e-499b-9ad9-ab8d9c4182ff]
module.block_storage.ibm_is_volume.block_storage: Creating...
Error: {"errors":[{"code":"volume_crn_invalid","message":"The CRN specified in the request is not valid.","more_info":"https://cloud.ibm.com/docs/vpc-on-classic?topic=vpc-on-classic-rias-error-messages#volume_crn_invalid","target":{"name":"","type":""}}],"trace":"add3600d-1132-4865-abd7-b9def4b677a8"}
  on ../../../modules/block_storage/main.tf line 15, in resource "ibm_is_volume" "block_storage":
  15: resource "ibm_is_volume" "block_storage" {
```

### Expected Behavior
VPC Block Volume created and encrypted with given KP Key.

### Actual Behavior
Terraform fails to create the volume because of invalid CRN.

### Steps to Reproduce
1. `terraform apply`

hkantare commented 4 years ago

We need to create a valid authorization policy between cloud block storage and Key Protect: https://cloud.ibm.com/docs/vpc-on-classic-block-storage?topic=vpc-on-classic-block-storage-block-storage-encryption

```hcl
# ibm_is_volume.block_storage:
resource "ibm_is_volume" "block_storage" {
    capacity                = 100
    crn                     = "crn:v1:bluemix:public:is:us-south-1:a/883079c85357a1f3f85d968780e56518::volume:a5d0c6f3-001c-4500-a21c-94bb7f2649a9"
    encryption_key          = "crn:v1:bluemix:public:kms:us-south:a/883079c85357a1f3f85d968780e56518:6140b9dc-205e-4364-83ef-76a6edac6d60:key:8dfc83ad-e677-4ea9-aad6-1a917e64629a"
    id                      = "a5d0c6f3-001c-4500-a21c-94bb7f2649a9"
    iops                    = 1000
    name                    = "k8s-block-vol"
    profile                 = "custom"
    resource_controller_url = "https://cloud.ibm.com/vpc/storage/storageVolumes"
    resource_crn            = "crn:v1:bluemix:public:is:us-south-1:a/883079c85357a1f3f85d968780e56518::volume:a5d0c6f3-001c-4500-a21c-94bb7f2649a9"
    resource_group          = "a7a89ca48da04fb991a4ae687ed332a8"
    resource_name           = "k8s-block-vol"
    resource_status         = "available"
    status                  = "available"
    tags                    = []
    zone                    = "us-south-1"
}
```

After the policy is in place, we can create a volume with a user encryption key.

Mallear commented 4 years ago

Hello @hkantare, which service name should I provide for the service source? I've tried cloud-block-storage but get this error:

```
 Error: Request failed with status code: 404, ServerErrorResponse: {"errors":[{"code":"BXNAC12104","response":"not_found_error","message":"Not Found serviceName kms does not has any supportedRoles for sourceServiceName cloud-block-storage","level":"error","statusCode":404,"description":"serviceName kms does not has any supportedRoles for sourceServiceName cloud-block-storage","transactionId":"350bb3e2f72c40feb3a99c23e3d49934","instanceId":"kubernetes"}]}
  on ../../../modules/block_storage/main.tf line 15, in resource "ibm_iam_authorization_policy" "postgres_authorize_policy":
  15: resource "ibm_iam_authorization_policy" "authorize_policy" {
```

Is there a doc page where I can find the whole service list for these use cases? Or a CLI command, maybe?

hkantare commented 4 years ago

@Mallear We don't have any doc page; I was just using the debug tools on the UI. I found that the service name for cloud block storage is server-protect and for keyprotect it is kms.

We have the command line `ic catalog search`, which lists all services.
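Putting the two answers together, the following is an added example (not code from the thread or from the provider's own documentation) of the authorization policy hkantare describes, using the service names given above: `server-protect` as the source (VPC block storage) and `kms` as the target (Key Protect). Assumptions: the `Reader` role is the one the KMS target requires, `var.kp_instance_guid` is the Key Protect instance GUID already used for the key, and the resource names are placeholders.

```hcl
# Added example, not from the issue thread or the provider docs.
# Service-to-service grant: VPC block storage (server-protect) may read
# keys in Key Protect (kms). Service names are the ones found in the thread.
resource "ibm_iam_authorization_policy" "block_storage_to_kms" {
  source_service_name = "server-protect"
  target_service_name = "kms"

  # Assumption: the Reader role is sufficient for wrapping/unwrapping.
  roles = ["Reader"]

  # Scope the grant to the one Key Protect instance that holds the key
  # instead of every KMS instance in the account (least privilege).
  # Assumption: var.kp_instance_guid is the instance GUID.
  target_resource_instance_id = var.kp_instance_guid
}

resource "ibm_kp_key" "kp_key" {
  key_protect_id = var.kp_instance_guid
  key_name       = "kp-block-storage-${var.environment}-${var.project_name}"
  standard_key   = false
}

resource "ibm_is_volume" "block_storage" {
  name           = "k8s-block-vol-${var.environment}-${var.project_name}"
  resource_group = data.ibm_resource_group.resource_group.id

  profile        = var.profile
  zone           = var.zone
  iops           = var.iops
  capacity       = var.capacity

  encryption_key = ibm_kp_key.kp_key.crn

  # Nothing in this resource references the policy, so without depends_on
  # Terraform may create the volume first and fail with volume_crn_invalid.
  depends_on = [ibm_iam_authorization_policy.block_storage_to_kms]
}
```

The `depends_on` is the part that is easy to miss: the policy and the volume share no attribute, so Terraform sees no ordering between them and can race the volume ahead of the grant, reproducing the original `volume_crn_invalid` error intermittently. Scoping the policy with `target_resource_instance_id` keeps the grant limited to the single Key Protect instance rather than every KMS instance the account may add later.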

Mallear commented 4 years ago

@hkantare It's working :D Thank you for your help :)