IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

ibm_kms_key is_instance_id should accept an instance id #2859

Closed willholley closed 2 years ago

willholley commented 3 years ago

Terraform CLI and Terraform IBM Provider Version

Terraform v1.0.2
on darwin_amd64
+ provider registry.terraform.io/hashicorp/helm v2.2.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.3.2
+ provider registry.terraform.io/hashicorp/local v2.1.0
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/hashicorp/time v0.7.2
+ provider registry.terraform.io/ibm-cloud/ibm v1.27.1

Affected Resource(s)

Terraform Configuration Files

resource "ibm_resource_instance" "kp_instance" {
  name     = "test_kp"
  service  = "kms"
  plan     = "tiered-pricing"
  location = "us-south"
}
resource "ibm_kms_key" "key" {
  instance_id  = ibm_resource_instance.kp_instance.id
  key_name     = "key"
  standard_key = false
  payload      = "aW1wb3J0ZWQucGF5bG9hZA=="
}

Debug Output

n/a

Panic Output

n/a

Expected Behavior

instance_id should accept a full Cloud CRN as input. I'd expect the following to work:

resource "ibm_kms_key" "key" {
  instance_id = ibm_resource_instance.kp_instance.id
}

Actual Behavior

instance_id only accepts the guid property of the kp_instance. As per the example:

resource "ibm_kms_key" "key" {
  instance_id = ibm_resource_instance.kp_instance.guid
}

Steps to Reproduce

  1. terraform apply

harshit777 commented 3 years ago

@willholley While provisioning an instance we create a Bluemix-Instance id, which we refer to as guid (unique identifier), and thereby we utilise this guid as instance id for every other resource we provision under that instance. If you check the tf state file, under resource instance you won't find instance_id as an exported attribute.

willholley commented 3 years ago

@harshit777 for consistency with the rest of the provider I'd expect instance_id to accept the id attribute (the CRN) of the keyprotect instance. If the instance guid is required then the instance_id input variable should be renamed instance_guid really.
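
Added example, not part of the thread and not the provider's own code: one way to accept either the `id` (CRN) or the `guid` of an instance and reduce it to the GUID, while rejecting a CRN that belongs to a different service. It assumes the standard ten-segment IBM Cloud CRN layout; `InstanceGUID` is a hypothetical helper and the sample values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// IBM Cloud CRN layout (ten colon-separated segments):
// crn:version:cname:ctype:service-name:location:scope:service-instance:resource-type:resource
const (
	crnSegments    = 10
	segServiceName = 4
	segInstance    = 7
)

// InstanceGUID is a hypothetical helper (not the provider's API). It accepts
// an instance CRN or a bare GUID and returns the GUID.
func InstanceGUID(idOrCRN, wantService string) (string, error) {
	v := strings.TrimSpace(idOrCRN)
	if v == "" {
		return "", errors.New("empty instance identifier")
	}
	if !strings.HasPrefix(v, "crn:") {
		// Not a CRN: treat it as a bare GUID, which never contains a colon.
		if strings.Contains(v, ":") {
			return "", fmt.Errorf("%q is neither a CRN nor a GUID", v)
		}
		return v, nil
	}
	parts := strings.Split(v, ":")
	if len(parts) != crnSegments {
		return "", fmt.Errorf("CRN has %d segments, want %d", len(parts), crnSegments)
	}
	if parts[segServiceName] != wantService {
		return "", fmt.Errorf("CRN is for service %q, want %q", parts[segServiceName], wantService)
	}
	if parts[segInstance] == "" {
		return "", errors.New("CRN has no service-instance segment")
	}
	return parts[segInstance], nil
}

func main() {
	// Constructed sample values, not taken from the issue.
	crn := "crn:v1:bluemix:public:kms:us-south:a/0123456789abcdef0123456789abcdef:11111111-2222-3333-4444-555555555555::"
	for _, in := range []string{crn, "11111111-2222-3333-4444-555555555555"} {
		fmt.Println(InstanceGUID(in, "kms"))
	}
}
```

The service-name check catches the case where a CRN from another service instance (for example a Cloud Object Storage instance) is passed where a Key Protect instance is expected.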

willholley commented 3 years ago

This isn't limited to the ibm_kms_key - here's an example that took me a while to debug today:

resource "ibm_kms_key" "flow_log_key" {
  instance_id  = module.cg.context.kp.instance.guid
  key_name     = local.flow_log_bucket_name
  standard_key = false # is a root key

  policies {
    dual_auth_delete {
      enabled = true
    }
  }
}

// IAM authorization policy and permit flow log collector to access COS service with Writer role
resource "ibm_iam_authorization_policy" "flowlog2cos" {
  source_service_name         = "is"
  source_resource_type        = "flow-log-collector"
  target_service_name         = "cloud-object-storage"
  target_resource_instance_id = module.cg.context.cos.instance.guid
  roles                       = ["Writer"]
}

// COS bucket to store the logs in
resource "ibm_cos_bucket" "flow_log" {
  bucket_name          = local.flow_log_bucket_name
  resource_instance_id = module.cg.context.cos.instance.id
  region_location      = local.ibm_region
  storage_class        = "smart"

  expire_rule {
    rule_id = "flow-log-expire"
    enable  = true
    days    = 1
  }

  key_protect = ibm_kms_key.flow_log_key.id
}

So we have:

kavya498 commented 2 years ago

Fixed in latest 1.33.0 release. Closing this issue. Thanks.