IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

Can't create ibm_is_instance with boot volume encryption #4522

Open ThomasUllrich666 opened 1 year ago

ThomasUllrich666 commented 1 year ago

Question

I am trying to create a VM with boot volume encryption. Therefore I created a standard key within Key Protect and am trying to use the CRN of the key to create the VM (see documentation: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_instance).

Every time I try to execute the plan I receive this error message:

Error: The CRN specified in the request is not valid.
│
│   with module.bastionHost.ibm_is_instance.bastion_host["eu-de-1"],
│   on ../modules/pag/main.tf line 19, in resource "ibm_is_instance" "bastion_host":
│   19: resource "ibm_is_instance" "bastion_host" {

Code:

resource "ibm_is_subnet" "pag_subnet" {
  for_each        = var.subnets_cidr
  name            = format("%s-pag-%s", var.vpc_name, each.key)
  vpc             = var.vpc_id
  zone            = each.key
  ipv4_cidr_block = each.value
  resource_group  = data.ibm_resource_group.resource_group.id
  tags            = var.tags
}

resource "ibm_is_instance" "bastion_host" {
  for_each = var.subnets_cidr
  name     = format("%s-bastion-%s", var.vpc_name, each.key)
  image    = data.ibm_is_image.bastion_image.id
  profile  = var.bastion_profile

  boot_volume {
    encryption = ibm_kp_key.bastion_host_encryption.id
    name       = format("%s-bastion-%s-boot", var.vpc_name, each.key)
    tags       = var.tags
  }

  primary_network_interface {
    subnet            = ibm_is_subnet.pag_subnet[each.key].id
    allow_ip_spoofing = false
  }

  vpc            = var.vpc_id
  zone           = each.key
  keys           = [ibm_is_ssh_key.bastion_host.id]
  resource_group = data.ibm_resource_group.resource_group.id
  tags           = var.tags
}

terraform plan output:

# module.bastionHost.ibm_is_instance.bastion_host["eu-de-1"] will be created
  + resource "ibm_is_instance" "bastion_host" {
      ...
      + boot_volume {
          + auto_delete_volume = true
          + encryption         = "crn:v1:bluemix:public:kms:eu-de:a/ed3b49a8893442b4aa8084bda0d7482f:e2010a3e-7a11-4b79-b486-cb2b3715920a:key:b75d0b15-7577-40ab-9048-053bb9ca29f6"
          + iops               = (known after apply)
          + name               = "bastion-eu-de-1-boot"
          + profile            = (known after apply)
          + size               = (known after apply)
          + volume_id          = (known after apply)
        }

    }

ujjwal-ibm commented 1 year ago

looking

ujjwal-ibm commented 1 year ago

Try using a root key by setting standard_key = false in the ibm_kp_key resource.

This is a working config:

resource "ibm_kp_key" "test" {
  key_protect_id = ibm_resource_instance.test.guid
  key_name       = "${var.name}-key"
  standard_key   = false
}

resource "ibm_is_instance" "bastion_host" {
  for_each = {
    "vsi1" = "bx2-2x8"
    "vsi2" = "cx2-2x4"
  }
  name    = "${var.name}-${each.key}"
  image   = data.ibm_is_image.example.id
  profile = each.value

  boot_volume {
    encryption = ibm_kp_key.test.id
  }

  primary_network_interface {
    subnet = ibm_is_subnet.example.id
  }

  vpc  = ibm_is_vpc.example.id
  zone = ibm_is_subnet.example.zone
  keys = [ibm_is_ssh_key.example.id]
}

cjschaef commented 1 year ago

I have encountered this issue as well, providing the CRN for an existing KP root key, with the same error during VSI creation, specifying the key CRN for encryption directly.

time="2023-10-11T16:05:04Z" level=error msg="Error: The CRN specified in the request is not valid."
time="2023-10-11T16:05:04Z" level=error
time="2023-10-11T16:05:04Z" level=error msg="  with ibm_is_instance.bootstrap_node,"
time="2023-10-11T16:05:04Z" level=error msg="  on main.tf line 33, in resource \"ibm_is_instance\" \"bootstrap_node\":"
time="2023-10-11T16:05:04Z" level=error msg="  33: resource \"ibm_is_instance\" \"bootstrap_node\" {"
time="2023-10-11T16:05:04Z" level=error
time="2023-10-11T16:05:04Z" level=error msg="failed to fetch Cluster: failed to generate asset \"Cluster\": failure applying terraform for \"bootstrap\" stage: failed to create cluster: failed to apply Terraform: exit status 1\n\nError: The CRN specified in the request is not valid.\n\n  with ibm_is_instance.bootstrap_node,\n  on main.tf line 33, in resource \"ibm_is_instance\" \"bootstrap_node\":\n  33: resource \"ibm_is_instance\" \"bootstrap_node\" {\n\n"


This is using the 1.56.0 release of this TF provider. I don't see any bugfix reports related to this issue with any newer releases. I will see what more information I can determine by hacking up the provider further.

cjschaef commented 1 year ago

I modified my existing IAM Authorization for COS to Key Protect and that appears to have resolved the issue (it was previously scoped to my Key Protect instance, containing my root key).

That appears to allow my direct use of a CRN for the boot volume encryption (without creating/managing one within TF).

Not sure what the cause of this error is, but I assume the TF provider or IBM Cloud API is hitting it, although I have failed to find the source to know how/where/why.

level=error msg="Error: The CRN specified in the request is not valid."
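The two fixes reported in this thread, a root key instead of a standard key and an IAM authorization from VPC block storage to Key Protect, combined into one configuration as an added example; it is not from the issue or from the provider's own documentation. It assumes a Key Protect instance `ibm_resource_instance.kp` and the `var.*` values from the original post, and that `server-protect` is the IAM service name for Block Storage for VPC (verify against the IBM Cloud IAM service list).

```hcl
# Added example, not the issue author's or provider's code. Resource names
# other than those from the original post are hypothetical.

# 1. The boot volume key must be a ROOT key (standard_key = false). A standard
#    key is rejected with "The CRN specified in the request is not valid".
resource "ibm_kp_key" "bastion_host_encryption" {
  key_protect_id = ibm_resource_instance.kp.guid
  key_name       = format("%s-bastion-root-key", var.vpc_name)
  standard_key   = false
}

# 2. VPC block storage must be authorized to read keys in this Key Protect
#    instance; without it the API returns the same misleading CRN error.
#    Assumption: "server-protect" is the IAM name of Block Storage for VPC.
#    Scoping the target to one KMS instance follows least privilege.
resource "ibm_iam_authorization_policy" "block_storage_to_kms" {
  source_service_name         = "server-protect"
  target_service_name         = "kms"
  target_resource_instance_id = ibm_resource_instance.kp.guid
  roles                       = ["Reader"]
}

resource "ibm_is_instance" "bastion_host" {
  for_each = var.subnets_cidr
  name     = format("%s-bastion-%s", var.vpc_name, each.key)
  image    = data.ibm_is_image.bastion_image.id
  profile  = var.bastion_profile
  vpc      = var.vpc_id
  zone     = each.key
  keys     = [ibm_is_ssh_key.bastion_host.id]

  boot_volume {
    name = format("%s-bastion-%s-boot", var.vpc_name, each.key)
    # .id of ibm_kp_key resolves to the key CRN, as the plan output shows.
    encryption = ibm_kp_key.bastion_host_encryption.id
  }

  primary_network_interface {
    subnet            = ibm_is_subnet.pag_subnet[each.key].id
    allow_ip_spoofing = false
  }

  # Nothing in this resource references the authorization policy, so without
  # depends_on Terraform may create the instance before the policy exists
  # and fail with the CRN error on the first apply.
  depends_on = [ibm_iam_authorization_policy.block_storage_to_kms]
}
```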