IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

ibm_is_instance#keys changes key results in conflict re-apply tf #3751

Closed haf-tech closed 2 years ago

haf-tech commented 2 years ago

Community Note

Terraform CLI and Terraform IBM Provider Version

Terraform: v1.1.5 (via IBM Schematics) IBM-Cloud/ibm v1.40.1

Affected Resource(s)

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.


variable "sshKeyMap" {
  description = "Map of public key owners and the path (relative to the terraform script) to their public key file, used for SSH into the VSIs"
  type        = map
  default     = {
    "user1" = "ssh-keys/user1.pub"
    "user2" = "ssh-keys/user2.pub"
  }
}

resource "ibm_is_ssh_key" "sshKeys" {
  count = length(var.sshKeyMap)
  name  = local.keyOwners[count.index]
  public_key = file(
    join(
      "",
      [
        path.module,
        "/",
        var.sshKeyMap[local.keyOwners[count.index]],
      ],
    ),
  )
}

resource "ibm_is_instance" "w" {
  count          = var.worker_node_quantity
  name           = "${local.titledEnv}-${format("w%d", count.index + 1)}"
  tags           = local.globalTags
  resource_group = data.ibm_resource_group.resourceGroup.id
  vpc            = ibm_is_vpc.vpc1.id
  zone           = data.ibm_is_zone.dc1.name
  profile        = data.ibm_is_instance_profile.worker.name
  image          = data.ibm_is_image.rhel.id
  keys           = ibm_is_ssh_key.sshKeys.*.id
  user_data      = ""

  primary_network_interface {
    name            = "${local.titledEnv}-if-w"
    subnet          = ibm_is_subnet.z1.id
    security_groups = [ibm_is_security_group.allowAll.id]
  }
}

content of the SSH keys

ssh-ed25519 AAAA....T user1@mail.com
ssh-ed25519 AA22....T user2@mail.com

Debug Output

ibm_is_ssh_key.sshKeys[1] must be replaced
 2022/04/30 15:24:39 Terraform plan | -/+ resource "ibm_is_ssh_key" "sshKeys" {
 2022/04/30 15:24:39 Terraform plan |       ~ crn                     = "crn:v1:bluemix:public:is:.." -> (known after apply)
 2022/04/30 15:24:39 Terraform plan |       ~ fingerprint             = "SHA256:mxbAJUwVmg7cAAu..." -> (known after apply)
 2022/04/30 15:24:39 Terraform plan |       ~ id                      = "r010-901a8421-5f6f-4....." -> (known after apply)
 2022/04/30 15:24:39 Terraform plan |       ~ length                  = 4096 -> (known after apply)
 2022/04/30 15:24:39 Terraform plan |         name                    = "user1"
 2022/04/30 15:24:39 Terraform plan |       ~ public_key              = <<-EOT # forces replacement
 2022/04/30 15:24:39 Terraform plan |           - ssh-rsa AAAA
 2022/04/30 15:24:39 Terraform plan |           + ssh-rsa AAAA user1@example.com
 2022/04/30 15:24:39 Terraform plan |         EOT
 2022/04/30 15:24:39 Terraform plan |       ~ resource_controller_url = "https://cloud.ibm.com/vpc-ext/compute/sshKeys" -> (known after apply)
 2022/04/30 15:24:39 Terraform plan |       ~ resource_crn            = "crn:v1:bluemix:public:is:eu" -> (known after apply)
 2022/04/30 15:24:39 Terraform plan |       ~ resource_group          = "cbe5ecb13.." -> (known after apply)
 2022/04/30 15:24:39 Terraform plan |       ~ resource_group_name     = "Default" -> (known after apply)
 2022/04/30 15:24:39 Terraform plan |       ~ resource_name           = "user1" -> (known after apply)
 2022/04/30 15:24:39 Terraform plan |       ~ tags                    = [
 2022/04/30 15:24:39 Terraform plan |           - "schematics:eu-de.workspace....",
 2022/04/30 15:24:39 Terraform plan |         ] -> (known after apply)
 2022/04/30 15:24:39 Terraform plan |       ~ type                    = "rsa" -> (known after apply)
 2022/04/30 15:24:39 Terraform plan |     }

But even with the adjusted SSH key (without name), I still receive a "must be replaced":

 2022/05/01 08:48:16 Terraform apply |   # ibm_is_ssh_key.sshKeys[0] must be replaced
 2022/05/01 08:48:16 Terraform apply | -/+ resource "ibm_is_ssh_key" "sshKeys" {
 2022/05/01 08:48:16 Terraform apply |       ~ crn                     = "crn:v1:bluemix:public:is:eu..." -> (known after apply)
 2022/05/01 08:48:16 Terraform apply |       ~ fingerprint             = "SHA256:IONG3B...." -> (known after apply)
 2022/05/01 08:48:16 Terraform apply |       ~ id                      = "r010-53c2c91f-15b3...." -> (known after apply)
 2022/05/01 08:48:16 Terraform apply |       ~ length                  = 4096 -> (known after apply)
 2022/05/01 08:48:16 Terraform apply |         name                    = "user1"
 2022/05/01 08:48:16 Terraform apply |       ~ public_key              = <<-EOT # forces replacement
 2022/05/01 08:48:16 Terraform apply |             ssh-rsa AAAAB...
 2022/05/01 08:48:16 Terraform apply |         EOT
 2022/05/01 08:48:16 Terraform apply |       ~ resource_controller_url = "https://cloud.ibm.com/vpc-ext/compute/sshKeys" -> (known after apply)
 2022/05/01 08:48:16 Terraform apply |       ~ resource_crn            = "crn:v1:bluemix:public:is:eu" -> (known after apply)
 2022/05/01 08:48:16 Terraform apply |       ~ resource_group          = "cbe5ecb1323247c8..." -> (known after apply)
 2022/05/01 08:48:16 Terraform apply |       ~ resource_group_name     = "Default" -> (known after apply)
 2022/05/01 08:48:16 Terraform apply |       ~ resource_name           = "user1" -> (known after apply)
 2022/05/01 08:48:16 Terraform apply |       ~ tags                    = [
 2022/05/01 08:48:16 Terraform apply |           - "schematics:eu-de.workspace....",
 2022/05/01 08:48:16 Terraform apply |         ] -> (known after apply)
 2022/05/01 08:48:16 Terraform apply |       ~ type                    = "rsa" -> (known after apply)
 2022/05/01 08:48:16 Terraform apply |     }
 2022/05/01 08:48:16 Terraform apply | 

Panic Output

Expected Behavior

SSH Keys not changed, resources not changed

Actual Behavior

Something changes the content of the SSH pub keys and removes the name/email at the end of the key. This results in drift, and re-applying the same tf (without changes) will result in re-creation of the resource, which fails because the SSH keys are still in use (by the VSI instances).

Steps to Reproduce

  1. terraform apply

Important Factoids

References

julianhahn commented 2 years ago

Had the same problem today! The solution seems to be to trim the created whitespace from the TLS key before assigning the public key to the ibm_is_ssh resource. Discussed here: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/3639

haf-tech commented 2 years ago

@julianhahn yes, trim is not working in my case because I am not handling the key content, but key files. This is the reason why I already integrated the tf attribute ignore_changes as a workaround.
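
The two approaches raised in the comments above, as an added Terraform example that is not part of the original thread or the provider's code: each key file is reduced to `<type> <base64>` before it reaches `public_key`, and the `ignore_changes` workaround is shown commented out for comparison. It assumes `local.keyOwners` is `keys(var.sshKeyMap)` (the post does not show it) and that the stored key carries no comment or trailing newline, as the plan output in the report suggests.

```hcl
variable "sshKeyMap" {
  description = "Map of key owners to public key file paths, relative to this module"
  type        = map(string)
  default = {
    "user1" = "ssh-keys/user1.pub"
    "user2" = "ssh-keys/user2.pub"
  }
}

locals {
  # Assumption: the post does not show how local.keyOwners is defined.
  keyOwners = keys(var.sshKeyMap)

  # Reduce each key file to "<type> <base64>". trimspace() drops the trailing
  # newline; the two capture groups keep the key type and the key material and
  # leave out the comment field (for example "user1@mail.com").
  normalizedKeys = {
    for owner, keyFile in var.sshKeyMap :
    owner => join(" ", regex("^(\\S+)\\s+(\\S+)", trimspace(file("${path.module}/${keyFile}"))))
  }
}

resource "ibm_is_ssh_key" "sshKeys" {
  count      = length(local.keyOwners)
  name       = local.keyOwners[count.index]
  public_key = local.normalizedKeys[local.keyOwners[count.index]]

  # Workaround mentioned in the thread, kept here only for comparison.
  # It hides the drift, but Terraform then also ignores genuine edits to the
  # key file, so a rotated or withdrawn key stays attached until the resource
  # is replaced by hand.
  # lifecycle {
  #   ignore_changes = [public_key]
  # }
}
```

Run `terraform plan` after the change and confirm that `public_key` no longer shows `# forces replacement` before applying.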

ujjwal-ibm commented 2 years ago

Resolved here #3701

hkantare commented 2 years ago

Fixed in latest release