Open ThomasUllrich666 opened 1 year ago
looking
try using root key by standard_key = false in ibm_kp_key resource.
this is a working config
resource "ibm_kp_key" "test" {
  key_protect_id = "${ibm_resource_instance.test.guid}"
  key_name       = "${var.name}-key"
  standard_key   = false # false = root key, true = standard key
}

resource "ibm_is_instance" "bastion_host" {
  for_each = {
    "vsi1" = "bx2-2x8"
    "vsi2" = "cx2-2x4"
  }
  name    = "${var.name}-${each.key}"
  image   = data.ibm_is_image.example.id
  profile = each.value
  boot_volume {
    encryption = ibm_kp_key.test.id
  }
  primary_network_interface {
    subnet = ibm_is_subnet.example.id
  }
  vpc  = ibm_is_vpc.example.id
  zone = ibm_is_subnet.example.zone
  keys = [ibm_is_ssh_key.example.id]
}
I have encountered this issue as well, providing the CRN for an existing KP root key, with the same error during VSI creation, specifying the key CRN for encryption directly.
time="2023-10-11T16:05:04Z" level=error msg="Error: The CRN specified in the request is not valid."
time="2023-10-11T16:05:04Z" level=error
time="2023-10-11T16:05:04Z" level=error msg=" with ibm_is_instance.bootstrap_node,"
time="2023-10-11T16:05:04Z" level=error msg=" on main.tf line 33, in resource \"ibm_is_instance\" \"bootstrap_node\":"
time="2023-10-11T16:05:04Z" level=error msg=" 33: resource \"ibm_is_instance\" \"bootstrap_node\" {"
time="2023-10-11T16:05:04Z" level=error
time="2023-10-11T16:05:04Z" level=error msg="failed to fetch Cluster: failed to generate asset \"Cluster\": failure applying terraform for \"bootstrap\" stage: failed to create cluster: failed to apply Terraform: exit status 1\n\nError: The CRN specified in the request is not valid.\n\n with ibm_is_instance.bootstrap_node,\n on main.tf line 33, in resource \"ibm_is_instance\" \"bootstrap_node\":\n 33: resource \"ibm_is_instance\" \"bootstrap_node\" {\n\n"
This is using the 1.56.0 release of this TF provider. I don't see any bugfix reports related to this issue with any newer releases. I will see what more information I can determine by hacking up the provider further.
I modified my existing IAM Authorization for COS to Key Protect and that appears to have resolved the issue (it was previously scoped to my Key Protect instance, containing my root key).
That appears to allow my direct use of a CRN for the boot volume encryption (without creating/managing one within TF).
Not sure what is the cause of this error, but assuming the TF provider or IBM Cloud API is hitting it, although I had failed to find the source to know how/where/why.
level=error msg="Error: The CRN specified in the request is not valid."
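An added pre-flight check (not code from this thread or from the provider) that rules out structural mistakes as the source of "The CRN specified in the request is not valid" before running `terraform plan`: a bare key ID, a Key Protect instance CRN, or a CRN for another service. It assumes the ten-segment IBM Cloud CRN layout with service name `kms`; it cannot tell a root key from a standard key or verify the IAM authorization, the two causes reported in the comments above. The function name and all sample identifiers are constructed.

```python
import re

# Assumed CRN layout (ten colon-separated segments):
# crn:version:cname:ctype:service-name:location:scope:service-instance:resource-type:resource
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
SEGMENTS = ("crn", "version", "cname", "ctype", "service_name", "location",
            "scope", "service_instance", "resource_type", "resource")


def check_kp_key_crn(value):
    """Return a list of problems; an empty list means the value is shaped like a Key Protect key CRN."""
    value = value.strip()
    if UUID_RE.match(value.lower()):
        return ["bare key ID (UUID) given; a full key CRN is needed here"]
    parts = value.split(":")
    if len(parts) != len(SEGMENTS):
        return [f"expected {len(SEGMENTS)} colon-separated segments, found {len(parts)}"]
    crn = dict(zip(SEGMENTS, parts))
    problems = []
    if crn["crn"] != "crn" or crn["version"] != "v1":
        problems.append("must start with 'crn:v1:'")
    if crn["service_name"] != "kms":
        problems.append(f"service-name is {crn['service_name']!r}, not 'kms' (Key Protect)")
    if not crn["scope"].startswith("a/"):
        problems.append("scope segment is not an account scope ('a/<account-id>')")
    if not UUID_RE.match(crn["service_instance"]):
        problems.append("service-instance segment is not an instance GUID")
    if crn["resource_type"] != "key":
        problems.append("resource-type is not 'key'; this may be the instance CRN, not a key CRN")
    elif not UUID_RE.match(crn["resource"]):
        problems.append("resource segment is not a key ID")
    return problems


# Constructed sample values (not real account, instance or key identifiers).
ACCOUNT = "0123456789abcdef0123456789abcdef"
INSTANCE = "11111111-2222-3333-4444-555555555555"
KEY = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
KEY_CRN = f"crn:v1:bluemix:public:kms:us-south:a/{ACCOUNT}:{INSTANCE}:key:{KEY}"
INSTANCE_CRN = f"crn:v1:bluemix:public:kms:us-south:a/{ACCOUNT}:{INSTANCE}::"

if __name__ == "__main__":
    for candidate in (KEY_CRN, INSTANCE_CRN, KEY):
        print(candidate, "->", check_kp_key_crn(candidate) or "OK")
```

A clean result here means the remaining suspects are the key type (`standard_key`) and the service-to-service authorization discussed in the thread.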
Question
I try to create a VM with a boot volume encryption. Therefore I created a standard key within Key Protect and try to use the CRN of the key to create the VM (see documentation: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_instance).
Every time I try to execute the plan I receive this error message:
Code:
terraform plan output:
New or Affected Resource(s) or Datasource(s)
Potential Terraform Configuration
References