IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0
341 stars 670 forks source link

Feature Request: Add a "force delete" parameter to the ibm_kp_key resource. Enables a force delete when resource is removed/Terraform destroy is called #1214

Closed rbustami closed 4 years ago

rbustami commented 4 years ago

Problem: There is an issue around automation in IBM Cloud for key deletion for Key Protect keys used by ICD. The problem is that when a Key Protect key is used for an ICD instance provisioning the key can't be deleted via Terraform (both through resource code removal and through Terraform Destroy, the larger issue being via Terraform Destroy). The reason is that even after ICD is deleted, ICD holds a registration on the key for ~24 hours blocking the client from deleting the key. The end result in Terraform are Terraform Apply/Terraform Destroy Failures. The development process for clients becomes extremely difficult & lengthy as these deletions need to be handled manually. This makes Terraform virtually unusable for the ICD Key Protect encryption usecase (which is one of the most common usecases)

The Fix & Feature Description: We have a potential fix that the Terraform Provider team can implement that will help BNPP resolve this issue. The Key Protect key deletion API has a force parameter which allows the client to force delete a key despite a registration (https://cloud.ibm.com/apidocs/key-protect#delete-a-key). We recommend a parameter on the ibm_kp_key resource that allows the user to specify if deletions can be forced. The recommendation is that this field is false by default but if a user is using Key Protect in the way described above (storage integration) then they will want to set this to true. https://ibm-cloud.github.io/tf-ibm-docs/v1.2.4/r/kp_key.html . In the case where a client sets this parameter to true, the Key Protect API that is called during a Terraform Destroy will also have this parameter set to true.

smjtd commented 4 years ago

Currently the key-protect sdk does not support force delete parameter. Updated the issue on the sdk and Raised a PR for the same: https://github.com/IBM/keyprotect-go-client/pull/5 will integrate this to the provider once the feature becomes available.

hkantare commented 4 years ago

completed