IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs

"Service does not support VPE extensions" when creating VPE at the same time as an ICD Redis instance #2241

Open l2fprod opened 3 years ago

l2fprod commented 3 years ago

First run of terraform apply fails with:

ibm_database.redis: Creation complete after 10m13s [id=crn:v1:bluemix:public:databases-for-redis:us-south:a/123:710f59d9-b0ad-4a1e-847e-ab0c4e195051::]
ibm_is_virtual_endpoint_gateway.redis: Creating...

Error: Service does not support VPE extensions.

  on main.tf line 164, in resource "ibm_is_virtual_endpoint_gateway" "redis":
 164: resource "ibm_is_virtual_endpoint_gateway" "redis" {

Running it again a few minutes later, it works:

ibm_is_instance.instance[0]: Refreshing state... [id=0717_fe64d61b-a0b4-4188-a040-d49086f669c2]
ibm_is_virtual_endpoint_gateway.redis: Creating...
ibm_is_virtual_endpoint_gateway.redis: Creation complete after 9s [id=r006-7e4cce5e-a7d4-47a6-9a3a-7ea8e7c388cd]
data.ibm_is_virtual_endpoint_gateway_ips.redis_vpe_ips: Reading...
data.ibm_is_virtual_endpoint_gateway_ips.redis_vpe_ips: Read complete after 0s [id=2021-02-08 18:21:18.9025763 +0000 UTC]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

It seems that the ICD Redis database is not ready to have its VPE created right after its own creation.

Terraform Version

$ terraform -v
Terraform v0.14.6
+ provider registry.terraform.io/hashicorp/tls v3.0.0
+ provider registry.terraform.io/ibm-cloud/ibm v1.20.1

Terraform Configuration Files

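# --- Credentials and placement ---------------------------------------------

variable "ibmcloud_api_key" {
  description = "IBM Cloud API key used by the provider. Supply it via TF_VAR_ibmcloud_api_key or an untracked tfvars file, never a committed one."
  type        = string
  # Redacts the key in plan/apply output (supported since Terraform 0.14,
  # which is the minimum version this configuration requires).
  sensitive = true
}

variable "region" {
  description = "IBM Cloud region; zone names are derived from it as <region>-1..3."
  type        = string
}

variable "ibmcloud_timeout" {
  description = "Timeout passed to the provider as ibmcloud_timeout."
  type        = number
  default     = 900
}

# --- Naming and grouping ---------------------------------------------------

variable "basename" {
  description = "Prefix used for the name of every resource created here."
  type        = string
  default     = "vpe-example"
}

variable "resource_group_name" {
  description = "Existing resource group to use. Empty string means a new group is created."
  type        = string
  default     = ""
}

variable "tags" {
  description = "Tags attached to the created resources."
  type        = list(string)
  default     = ["terraform"]
}

# --- Network and compute ---------------------------------------------------

variable "cidr_blocks" {
  description = "One address prefix / subnet CIDR per zone; the configuration indexes entries 0..2."
  type        = list(string)
  default     = ["10.20.10.0/24", "10.20.11.0/24", "10.20.12.0/24"]
}

variable "image_name" {
  description = "Name of the VPC image used for the virtual server instances."
  type        = string
  default     = "ibm-ubuntu-18-04-1-minimal-amd64-2"
}

variable "profile_name" {
  description = "Instance profile for the virtual server instances."
  type        = string
  default     = "cx2-2x4"
}

variable "vpc_ssh_key_name" {
  description = "Optional existing VPC SSH key to add next to the generated one. Empty string means none."
  type        = string
  default     = ""
}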

# IBM Cloud provider configuration. The API key and region come from input
# variables, so no credential is written into the configuration itself.
provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = var.region
  # VPC infrastructure generation selector, as accepted by the provider
  # version used in this report (v1.20.1).
  generation       = 2
  ibmcloud_timeout = var.ibmcloud_timeout
}

# Version constraints for Terraform and the IBM provider.
# NOTE(review): ">= 1.17" has no upper bound, so any newer provider release
# satisfies it. The tls provider used further down is not listed here, so it
# resolves implicitly to hashicorp/tls with no constraint at all. Committing
# the .terraform.lock.hcl dependency lock file pins exact versions and
# checksums for both.
terraform {
  required_version = ">= 0.14"

  required_providers {
    ibm = {
      source  = "IBM-Cloud/ibm"
      version = ">= 1.17"
    }
  }
}

# Resource group: exactly one of the two blocks below is instantiated.
# When var.resource_group_name is empty a new group "<basename>-group" is
# created; otherwise the existing group of that name is looked up.
resource "ibm_resource_group" "group" {
  count = var.resource_group_name != "" ? 0 : 1
  name  = "${var.basename}-group"
  tags  = var.tags
}

# Lookup of the pre-existing group (count is 1 only when a name was given).
data "ibm_resource_group" "group" {
  count = var.resource_group_name != "" ? 1 : 0
  name  = var.resource_group_name
}

# SSH keys for the instances.
# An existing VPC key is looked up only when var.vpc_ssh_key_name is set.
data "ibm_is_ssh_key" "sshkey" {
  count = var.vpc_ssh_key_name != "" ? 1 : 0
  name  = var.vpc_ssh_key_name
}

# A fresh RSA-4096 key pair is always generated.
# NOTE(review): the tls provider stores the generated private key unencrypted
# in the Terraform state. Treat the state file and its backend as secret
# material, or generate the key outside Terraform and pass only the public
# half in.
resource "tls_private_key" "ssh" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

# Exports the whole tls_private_key object, private key included.
# "sensitive = true" only hides the value in CLI output; it remains readable
# by anyone with access to the state or to `terraform output -json`.
output "generated_ssh_key" {
  value     = tls_private_key.ssh
  sensitive = true
}

# Registers the public half of the generated key with the VPC service.
resource "ibm_is_ssh_key" "generated_key" {
  name           = "${var.basename}-${var.region}-key"
  public_key     = tls_private_key.ssh.public_key_openssh
  resource_group = local.resource_group_id
  tags           = var.tags
}

locals {
  # The generated key is always present; the looked-up key (count 0 or 1)
  # is placed in front of it when var.vpc_ssh_key_name was provided.
  ssh_key_ids = concat(
    data.ibm_is_ssh_key.sshkey[*].id,
    [ibm_is_ssh_key.generated_key.id],
  )

  # Use the pre-existing resource group if one was named, otherwise the
  # group created by this configuration.
  resource_group_id = (
    var.resource_group_name != ""
    ? data.ibm_resource_group.group[0].id
    : ibm_resource_group.group[0].id
  )
}

# VPC with manually managed address prefixes (one prefix per zone below).
resource "ibm_is_vpc" "vpc" {
  name                      = "${var.basename}-vpc"
  resource_group            = local.resource_group_id
  address_prefix_management = "manual"
  tags                      = var.tags
}

# One address prefix per zone, taken from var.cidr_blocks[0..2].
# The count is given as the string "3"; Terraform converts it to a number.
resource "ibm_is_vpc_address_prefix" "subnet_prefix" {
  count = "3"

  name = "${var.basename}-prefix-zone-${count.index + 1}"
  zone = "${var.region}-${(count.index % 3) + 1}"
  vpc  = ibm_is_vpc.vpc.id
  cidr = var.cidr_blocks[count.index]
}

# Network ACL attached to every subnet of this VPC.
# NOTE(review): both rules allow any source to any destination, so this ACL
# filters nothing in either direction. No security group is declared in this
# configuration either, so filtering is left to whatever default the platform
# applies. Acceptable for a short-lived reproduction; for anything longer
# lived, restrict inbound to the ranges and ports actually needed.
resource "ibm_is_network_acl" "network_acl" {
  name           = "${var.basename}-acl"
  vpc            = ibm_is_vpc.vpc.id
  resource_group = local.resource_group_id

  rules {
    name        = "egress"
    action      = "allow"
    source      = "0.0.0.0/0"
    destination = "0.0.0.0/0"
    direction   = "outbound"
  }
  rules {
    name        = "ingress"
    action      = "allow"
    source      = "0.0.0.0/0"
    destination = "0.0.0.0/0"
    direction   = "inbound"
  }
}

# Three subnets, one per zone, each covering the whole address prefix that
# was created for that zone and using the shared network ACL.
resource "ibm_is_subnet" "subnet" {
  count = "3"

  name            = "${var.basename}-subnet-${count.index + 1}"
  vpc             = ibm_is_vpc.vpc.id
  zone            = "${var.region}-${count.index + 1}"
  resource_group  = local.resource_group_id
  ipv4_cidr_block = ibm_is_vpc_address_prefix.subnet_prefix[count.index].cidr
  network_acl     = ibm_is_network_acl.network_acl.id
  # Public gateway attachment is disabled; no ibm_is_public_gateway resource
  # is declared in this configuration.
  # public_gateway  = ibm_is_public_gateway.gateway[count.index].id
}

# One virtual server instance per subnet.
# The image is resolved by name from var.image_name.
data "ibm_is_image" "image" {
  name = var.image_name
}

# Three instances, instance N placed in zone N and subnet N.
# No security_groups are set on the network interface, and no floating IP is
# declared anywhere in this configuration.
resource "ibm_is_instance" "instance" {
  count = 3

  name           = "${var.basename}-instance-${count.index + 1}"
  vpc            = ibm_is_vpc.vpc.id
  zone            = "${var.region}-${count.index + 1}"
  profile        = var.profile_name
  image          = data.ibm_is_image.image.id
  # Generated key plus, when configured, the pre-existing key.
  keys           = local.ssh_key_ids
  resource_group = local.resource_group_id

  primary_network_interface {
    subnet = ibm_is_subnet.subnet[count.index].id
  }

  boot_volume {
    name = "${var.basename}-instance-${count.index + 1}-boot"
  }

  tags = var.tags
}

# One IBM Cloud Databases for Redis instance (standard plan).
resource "ibm_database" "redis" {
  name              = "${var.basename}-redis"
  resource_group_id = local.resource_group_id
  plan              = "standard"
  service           = "databases-for-redis"
  location          = var.region

  # Only the private service endpoint is requested, so the database is meant
  # to be reached through the VPE gateway defined for it rather than over a
  # public endpoint.
  service_endpoints = "private"
  tags              = var.tags
}

# Virtual private endpoint (VPE) gateway for the Redis instance.
# The target CRN references ibm_database.redis.id, so Terraform creates the
# gateway only after the database resource reports completion. This is the
# resource that fails with "Service does not support VPE extensions" on the
# first apply in this report.
resource "ibm_is_virtual_endpoint_gateway" "redis" {
  name           = "${var.basename}-redis-vpe"
  resource_group = local.resource_group_id
  vpc            = ibm_is_vpc.vpc.id

  target {
    crn           = ibm_database.redis.id
    resource_type = "provider_cloud_service"
  }

  # One reserved IP per subnet (and therefore per zone) in the VPC,
  # named "<subnet name>-ip".
  dynamic "ips" {
    for_each = { for subnet in ibm_is_subnet.subnet : subnet.id => subnet }
    content {
      subnet = ips.key
      name   = "${ips.value.name}-ip"
    }
  }

  tags = var.tags
}

# Reads back the reserved IPs bound to the gateway.
data "ibm_is_virtual_endpoint_gateway_ips" "redis_vpe_ips" {
  gateway = ibm_is_virtual_endpoint_gateway.redis.id
}

# Exposes the gateway's private IPs so clients inside the VPC can be pointed
# at them.
output "redis_vpe_ips" {
  value = data.ibm_is_virtual_endpoint_gateway_ips.redis_vpe_ips
}
l2fprod commented 3 years ago

I've added a sleep between the Redis creation and the virtual endpoint gateway creation:

# Workaround: pause for a fixed 5 minutes after the Redis instance has been
# created, before anything that depends on this resource is started.
# NOTE(review): this is a timing heuristic, not a readiness check. It does not
# verify that the service accepts a VPE gateway, so the apply can still fail
# if initialization takes longer. var.use_vpe is not declared in the
# configuration posted above; it presumably comes from the author's full
# project.
resource "time_sleep" "wait_for_redis_initialization" {
  count = tobool(var.use_vpe) ? 1 : 0

  depends_on = [
    ibm_database.redis
  ]

  create_duration = "5m"
}

and in ibm_is_virtual_endpoint_gateway:

...

  depends_on = [
    time_sleep.wait_for_redis_initialization
  ]
}

This is only a workaround.

VidyasagarMSC commented 3 years ago

I am seeing the same issue with ICD PostgreSQL DB

 Error: Service does not support VPE extensions.
│
│   with module.create_vpc[0].module.vpe_cloud_services.ibm_is_virtual_endpoint_gateway.vpe["postgresql"],
│   on modules/create_vpe/main.tf line 1, in resource "ibm_is_virtual_endpoint_gateway" "vpe":
│    1: resource "ibm_is_virtual_endpoint_gateway" "vpe" {
VidyasagarMSC commented 2 years ago

@kavya498 We are using the above workaround with time_sleep set to up to 15m, but we still see the error below. The error is specific to postgresql; cos and kms are working.

Error: Create Endpoint Gateway failed Service does not support VPE extensions.
│ {
│     "StatusCode": 400,
│     "Headers": {
│         "Cache-Control": [
│             "max-age=0, no-cache, no-store, must-revalidate"
│         ],
│         "Cf-Cache-Status": [
│             "DYNAMIC"
│         ],
│         "Cf-Ray": [
│             "6a090a733e9b4acf-HYD"
│         ],
│         "Content-Length": [
│             "133"
│         ],
│         "Content-Type": [
│             "application/json"
│         ],
│         "Date": [
│             "Tue, 19 Oct 2021 09:39:48 GMT"
│         ],
│         "Expect-Ct": [
│             "max-age=604800, report-uri=\"https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct\""
│         ],
│         "Expires": [
│             "-1"
│         ],
│         "Pragma": [
│             "no-cache"
│         ],
│         "Server": [
│             "cloudflare"
│         ],
│         "Strict-Transport-Security": [
│             "max-age=31536000; includeSubDomains"
│         ],
│         "Vary": [
│             "Accept-Encoding"
│         ],
│         "X-Content-Type-Options": [
│             "nosniff"
│         ],
│         "X-Request-Id": [
│             "82266ea8-aeaf-4e19-8862-388f4b389079"
│         ],
│         "X-Xss-Protection": [
│             "1; mode=block"
│         ]
│     },
│     "Result": {
│         "errors": [
│             {
│                 "code": "not_found",
│                 "message": "Service does not support VPE extensions."
│             }
│         ],
│         "trace": "82266ea8-aeaf-4e19-8862-388f4b389079"
│     },
│     "RawResult": null
│ }
│
│
│   with module.create_vpc[0].module.vpe_cloud_services.ibm_is_virtual_endpoint_gateway.vpe["postgresql"],
│   on modules/create_vpe/main.tf line 1, in resource "ibm_is_virtual_endpoint_gateway" "vpe":
│    1: resource "ibm_is_virtual_endpoint_gateway" "vpe" {
lionelmace commented 2 years ago

@l2fprod I created this related issue #3503