smjtd
commented
4 years ago Currently the key-protect sdk does not support force delete parameter. Updated the issue on the sdk and Raised a PR for the same: https://github.com/IBM/keyprotect-go-client/pull/5 will integrate this to the provider once the feature becomes available.
hkantare
Problem: There is an issue around automation in IBM Cloud for key deletion for Key Protect keys used by ICD. The problem is that when a Key Protect key is used for an ICD instance provisioning the key can't be deleted via Terraform (both through resource code removal and through Terraform Destroy, the larger issue being via Terraform Destroy). The reason is that even after ICD is deleted, ICD holds a registration on the key for ~24 hours blocking the client from deleting the key. The end result in Terraform are Terraform Apply/Terraform Destroy Failures. The development process for clients becomes extremely difficult & lengthy as these deletions need to be handled manually. This makes Terraform virtually unusable for the ICD Key Protect encryption usecase (which is one of the most common usecases)
The Fix & Feature Description: We have a potential fix that the Terraform Provider team can implement that will help BNPP resolve this issue. The Key Protect key deletion API has a
forceparameter which allows the client to force delete a key despite a registration (https://cloud.ibm.com/apidocs/key-protect#delete-a-key). We recommend a parameter on theibm_kp_keyresource that allows the user to specify if deletions can be forced. The recommendation is that this field is false by default but if a user is using Key Protect in the way described above (storage integration) then they will want to set this to true. https://ibm-cloud.github.io/tf-ibm-docs/v1.2.4/r/kp_key.html . In the case where a client sets this parameter totrue, the Key Protect API that is called during a Terraform Destroy will also have this parameter set to true.