IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

Creating ibm_kms_key with IBMCLOUD_VISIBILITY=private requires a call to public IAM API #2929

Closed l2fprod closed 2 years ago

l2fprod commented 3 years ago

Template

terraform {
  required_providers {
    ibm = {
      source  = "IBM-Cloud/ibm"
      version = ">= 1.29"
    }
  }
}

provider "ibm" {
  visibility = "private"
}

resource "random_string" "random" {
  length = 8
  special = false
  lower = true
  upper = false
  number = false
}

resource "ibm_resource_group" "group" {
  name = "${random_string.random.result}-group"
}

resource "ibm_resource_instance" "keyprotect" {
  name              = "${random_string.random.result}-kms"
  resource_group_id = ibm_resource_group.group.id
  service           = "kms"
  plan              = "tiered-pricing"
  location          = "us-south"
}

resource "ibm_kms_key" "key" {
  instance_id  = ibm_resource_instance.keyprotect.guid
  key_name     = "root_key"
  standard_key = false
  force_delete = true
}

Terraform Version

$ terraform version
Terraform v1.0.3
on linux_amd64
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/ibm-cloud/ibm v1.29.0

Failure

Debugging DNS lookups during `apply` shows these endpoints:

I narrowed it down to ibm_kms_key, and likely this code https://github.com/IBM/keyprotect-go-client/blob/88feabbd3d762f6940726cc9f34231b8c3606748/iam/iam.go#L32 which hardcodes IAM endpoint :(
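
Added example, not part of the original post or the provider's code: one way to check a DNS query log captured during `terraform apply` for IBM Cloud hostnames that were resolved without a `private` label while `visibility = "private"` is set. The log format, the `.cloud.ibm.com` suffix rule, the `private` label convention and the sample hostnames are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ibmSuffix is the domain assumed for IBM Cloud API endpoints in this example.
const ibmSuffix = ".cloud.ibm.com"

// isPrivate reports whether any DNS label of host is "private"
// (assumed naming convention, e.g. private.iam.cloud.ibm.com).
func isPrivate(host string) bool {
	for _, label := range strings.Split(host, ".") {
		if label == "private" {
			return true
		}
	}
	return false
}

// PublicLookups scans DNS query log text and returns the sorted, de-duplicated
// IBM Cloud hostnames that were resolved without a private label.
func PublicLookups(log string) []string {
	seen := map[string]bool{}
	for _, tok := range strings.Fields(log) {
		// Normalise: drop a trailing root dot and ignore case.
		host := strings.ToLower(strings.TrimSuffix(tok, "."))
		if strings.HasSuffix(host, ibmSuffix) && !isPrivate(host) {
			seen[host] = true
		}
	}
	out := make([]string, 0, len(seen))
	for h := range seen {
		out = append(out, h)
	}
	sort.Strings(out)
	return out
}

// sampleLog is constructed for this example; it is not output from the issue.
const sampleLog = `query[A] private.resource-controller.cloud.ibm.com from 10.0.0.5
query[A] private.us-south.kms.cloud.ibm.com. from 10.0.0.5
query[A] IAM.cloud.ibm.com from 10.0.0.5
query[AAAA] iam.cloud.ibm.com from 10.0.0.5
query[A] registry.terraform.io from 10.0.0.5`

func main() {
	for _, h := range PublicLookups(sampleLog) {
		fmt.Println("public endpoint resolved:", h)
	}
}
```

An empty result means every IBM Cloud lookup in the log went to a host carrying a `private` label; any hostname returned is a candidate for a hardcoded public endpoint.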

harshit777 commented 3 years ago

@l2fprod We are working with the SDK Team on the same and will update this thread.

mattarnoatibm commented 2 years ago

Hi. This issue is now blocking an important internal project for Z as a Service Infrastructure as a Service, because we cannot use Terraform to create keys in a Key Protect instance in Staging due to this issue.

Can we get an outlook on when this issue will be fixed and released, since the internal project is blocked without it?

I could contribute a fix for the issue; it looks like https://github.com/IBM/keyprotect-go-client/blob/master/iam/iam.go needs updating, as Frederic says. Are there any other files or modules that need to be updated to fix this issue?

harshit777 commented 2 years ago

Hi @mattarnoatibm! We are looking into the issue and will get back with an update shortly.