IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

Ability to pass root key crn or support account_id in kms_config of ibm_container_vpc_cluster #4745

Open Aashiq-J opened 1 year ago

Aashiq-J commented 1 year ago

Community Note

Description


This is a feature request which is already available when deploying through UI.

https://registry.terraform.io/providers/IBM-Cloud/ibm/1.55.0/docs/resources/container_vpc_cluster#kms_config

According to the above Terraform documentation, the only possible way to enable cluster encryption is by passing the instance_id and the key crk_id, which means the KMS has to be from the same account as the cluster. But from the UI we have two options: either pass the instance and key details, or pass the key CRN.

We have a use case of using a common KMS in another account for all the encryption.

The boot volume encryption supports passing kms from another account using the kms_account_id variable. https://registry.terraform.io/providers/IBM-Cloud/ibm/1.56.0/docs/resources/container_vpc_cluster#kms_account_id We require a similar functionality for kms_config which is used for cluster encryption.

New or Affected Resource(s)

Potential Terraform Configuration


References

ocofaigh commented 1 year ago

@Aashiq-J It looks like it's already supported: https://registry.terraform.io/providers/IBM-Cloud/ibm/1.55.0/docs/resources/container_vpc_cluster#kms_account_id

ocofaigh commented 1 year ago

NOTE:

The provider does support passing an account ID for the encryption of the worker nodes' boot volumes: [image]

HOWEVER, the IBM provider does not support passing an account ID in the cluster encryption block. It only supports:

```hcl
kms_config {
  instance_id      = "12043812-757f-4e1e-8436-6af3245e6a69"
  crk_id           = "0792853c-b9f9-4b35-9d9e-ffceab51d3c1"
  private_endpoint = false
}
```

From the UI, all that is required is to pass the key CRN, which can be from any account, so I'm guessing it's parsing the account ID from that. The provider needs to support this too.

ocofaigh commented 1 year ago

Looking at the API (https://cloud.ibm.com/apidocs/kubernetes/containers-v1-v2#createkmsconfig), it supports optionally passing accountID. So I think the change to the provider code should be straightforward: in resource_ibm_container_cluster.go, update the ResourceIBMContainerCluster function to support optionally passing an account_id value in the kms_config map, and then pass the value as part of the call to kmsAPI.EnableKms.
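As an added illustration of the two approaches discussed in this thread (an explicit account_id beside instance_id/crk_id, or deriving all three from a key CRN the way the UI appears to), here is a small Go example. It is not the provider's code or the bluemix-go SDK: the KmsConfigReq struct is an assumed mirror of the createkmsconfig request fields (cluster, instance_id, crk_id, private_endpoint, account_id), the key_crn map entry is a hypothetical attribute name, and the account ID in the sample CRN is a constructed placeholder; the instance and key IDs reuse the values from the comment above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// KmsConfigReq mirrors the createkmsconfig request body fields as assumed here
// (not the SDK's own type). account_id is omitted from the JSON when empty, so a
// same-account KMS produces exactly the request the provider sent before.
type KmsConfigReq struct {
	Cluster         string `json:"cluster"`
	InstanceID      string `json:"instance_id"`
	CrkID           string `json:"crk_id"`
	PrivateEndpoint bool   `json:"private_endpoint"`
	AccountID       string `json:"account_id,omitempty"`
}

// KeyCRNParts holds the pieces of a Key Protect root key CRN that kms_config needs.
type KeyCRNParts struct {
	AccountID  string
	InstanceID string
	KeyID      string
}

// ParseKeyCRN extracts account, instance and key IDs from a CRN of the form
// crn:v1:bluemix:public:kms:<region>:a/<account_id>:<instance_id>:key:<key_id>
// and rejects anything that is not an account-scoped kms key CRN.
func ParseKeyCRN(crn string) (KeyCRNParts, error) {
	f := strings.Split(crn, ":")
	if len(f) != 10 || f[0] != "crn" || f[1] != "v1" {
		return KeyCRNParts{}, errors.New("not a v1 CRN with 10 fields")
	}
	if f[4] != "kms" {
		return KeyCRNParts{}, fmt.Errorf("service %q is not kms", f[4])
	}
	if !strings.HasPrefix(f[6], "a/") || len(f[6]) == 2 {
		return KeyCRNParts{}, errors.New("scope is not an account scope a/<account_id>")
	}
	if f[7] == "" || f[8] != "key" || f[9] == "" {
		return KeyCRNParts{}, errors.New("CRN does not name a key in an instance")
	}
	return KeyCRNParts{
		AccountID:  strings.TrimPrefix(f[6], "a/"),
		InstanceID: f[7],
		KeyID:      f[9],
	}, nil
}

// BuildKmsConfigReq takes the kms_config map as a Terraform resource would hand it
// over. Either a hypothetical key_crn entry supplies everything, or instance_id and
// crk_id are given with an optional account_id for a KMS in another account.
func BuildKmsConfigReq(cluster string, kmsConfig map[string]interface{}) (KmsConfigReq, error) {
	req := KmsConfigReq{Cluster: cluster}
	if pe, ok := kmsConfig["private_endpoint"].(bool); ok {
		req.PrivateEndpoint = pe
	}
	if crn, ok := kmsConfig["key_crn"].(string); ok && crn != "" {
		parts, err := ParseKeyCRN(crn)
		if err != nil {
			return KmsConfigReq{}, err
		}
		req.InstanceID, req.CrkID, req.AccountID = parts.InstanceID, parts.KeyID, parts.AccountID
		return req, nil
	}
	req.InstanceID, _ = kmsConfig["instance_id"].(string)
	req.CrkID, _ = kmsConfig["crk_id"].(string)
	req.AccountID, _ = kmsConfig["account_id"].(string)
	if req.InstanceID == "" || req.CrkID == "" {
		return KmsConfigReq{}, errors.New("kms_config needs key_crn, or instance_id and crk_id")
	}
	return req, nil
}

// RenderKmsConfigReq returns the JSON body that would be sent to the API.
func RenderKmsConfigReq(req KmsConfigReq) (string, error) {
	b, err := json.Marshal(req)
	return string(b), err
}

func main() {
	// Constructed sample: placeholder account ID, instance/key IDs from the thread.
	crn := "crn:v1:bluemix:public:kms:us-south:a/0123456789abcdef0123456789abcdef:" +
		"12043812-757f-4e1e-8436-6af3245e6a69:key:0792853c-b9f9-4b35-9d9e-ffceab51d3c1"
	for _, cfg := range []map[string]interface{}{
		{"key_crn": crn, "private_endpoint": false},
		{"instance_id": "12043812-757f-4e1e-8436-6af3245e6a69", "crk_id": "0792853c-b9f9-4b35-9d9e-ffceab51d3c1"},
	} {
		req, err := BuildKmsConfigReq("my-cluster", cfg)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		body, _ := RenderKmsConfigReq(req)
		fmt.Println(body)
	}
}
```

The omitempty tag is the point to watch when adding the field to the real provider: a cluster whose KMS lives in its own account should keep producing a request without account_id, so existing plans do not change behaviour.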

ocofaigh commented 1 year ago

@hasan4791 Is this something you or your team could help with?

ocofaigh commented 10 months ago

Looks like the feature is in https://github.com/IBM-Cloud/terraform-provider-ibm/releases/tag/v1.60.0-beta1

z0za commented 10 months ago

@Aashiq-J the feature was released as part of https://github.com/IBM-Cloud/terraform-provider-ibm/releases/tag/v1.60.0

ocofaigh commented 10 months ago

Thanks, we are rolling it out to our module https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/pull/301