Open Aashiq-J opened 1 year ago
@Aashiq-J It looks like it's already supported https://registry.terraform.io/providers/IBM-Cloud/ibm/1.55.0/docs/resources/container_vpc_cluster#kms_account_id
NOTE:
The provider does support passing an account ID for the encryption of the worker nodes boot volumes:
HOWEVER, the IBM provider does not support passing an account ID in the cluster encryption block. It only supports:
kms_config {
  instance_id = "12043812-757f-4e1e-8436-6af3245e6a69"
  crk_id = "0792853c-b9f9-4b35-9d9e-ffceab51d3c1"
  private_endpoint = false
}
From the UI, all that is required is to pass the Key CRN, which can be from any account, so I'm guessing it's parsing the account ID from that. The provider needs to support this too.
Looking at the API (https://cloud.ibm.com/apidocs/kubernetes/containers-v1-v2#createkmsconfig), it supports optionally passing accountID. So I think the change to the provider code should be straightforward. In resource_ibm_container_cluster.go update the ResourceIBMContainerCluster function to support optionally passing an account_id value in the kms_config map and then pass the value as part of the call to kmsAPI.EnableKms.
@hasan4791 Is this something you or your team could help with?
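How the three kms_config fields relate to a Key Protect key CRN, and when the proposed account_id is needed, as an added example (not code from the issue, the provider or the module). It assumes the v1 CRN layout crn:v1:cname:ctype:service:region:scope:instance:type:resource with an account scope of the form a/<account-id>, and that the new argument is named account_id as proposed above; the account IDs are constructed placeholders, while the instance and key IDs are the ones from the kms_config snippet in the comment.

```python
from dataclasses import dataclass

# Constructed sample: a Key Protect root key owned by a different account
# (placeholder "a"*32) than the cluster (placeholder "b"*32); the instance
# and key IDs are the ones from the issue's kms_config snippet.
SAMPLE_KEY_CRN = (
    "crn:v1:bluemix:public:kms:us-south:a/" + "a" * 32
    + ":12043812-757f-4e1e-8436-6af3245e6a69:key:0792853c-b9f9-4b35-9d9e-ffceab51d3c1"
)
CLUSTER_ACCOUNT_ID = "b" * 32


@dataclass(frozen=True)
class KmsConfig:
    instance_id: str      # Key Protect instance GUID
    crk_id: str           # customer root key ID
    account_id: str       # account that owns the Key Protect instance
    private_endpoint: bool = False


def parse_kms_key_crn(crn: str) -> KmsConfig:
    """Split a v1 CRN (crn:v1:cname:ctype:service:region:scope:instance:type:resource)
    and pull out the fields kms_config needs, including the owning account."""
    parts = crn.split(":")
    if len(parts) != 10 or parts[0] != "crn" or parts[1] != "v1":
        raise ValueError(f"not a v1 CRN: {crn!r}")
    service, scope, instance, rtype, resource = parts[4], parts[6], parts[7], parts[8], parts[9]
    if service != "kms":
        raise ValueError(f"not a Key Protect CRN (service={service})")
    if not scope.startswith("a/") or not instance or rtype != "key" or not resource:
        raise ValueError(f"not an account-scoped key CRN: {crn!r}")
    return KmsConfig(instance_id=instance, crk_id=resource, account_id=scope[2:])


def is_cross_account(cfg: KmsConfig, cluster_account_id: str) -> bool:
    """True when the key is owned by an account other than the cluster's."""
    return cfg.account_id != cluster_account_id


def render_kms_config(cfg: KmsConfig, cluster_account_id: str) -> str:
    """Emit the HCL kms_config block; account_id (assumed argument name, as
    proposed in the issue) is only emitted for a cross-account key."""
    lines = [
        f'  instance_id      = "{cfg.instance_id}"',
        f'  crk_id           = "{cfg.crk_id}"',
        f"  private_endpoint = {str(cfg.private_endpoint).lower()}",
    ]
    if is_cross_account(cfg, cluster_account_id):
        lines.append(f'  account_id       = "{cfg.account_id}"')
    return "kms_config {\n" + "\n".join(lines) + "\n}"


if __name__ == "__main__":
    print(render_kms_config(parse_kms_key_crn(SAMPLE_KEY_CRN), CLUSTER_ACCOUNT_ID))
```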
Looks like the feature is in https://github.com/IBM-Cloud/terraform-provider-ibm/releases/tag/v1.60.0-beta1
@Aashiq-J the feature was released as part of https://github.com/IBM-Cloud/terraform-provider-ibm/releases/tag/v1.60.0
Thanks, we are rolling it out to our module https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/pull/301
Description
This is a feature request which is already available when deploying through UI.
https://registry.terraform.io/providers/IBM-Cloud/ibm/1.55.0/docs/resources/container_vpc_cluster#kms_config
According to the above Terraform documentation, the only possible way to enable cluster encryption is by passing the instance_id and the key crk_id, which means the KMS has to be from the same account as the cluster. But from the UI we have two options: either pass the instance and key details or pass the key CRN. We have a use case of using a common KMS in another account for all the encryption.
The boot volume encryption supports passing a KMS from another account using the kms_account_id variable. https://registry.terraform.io/providers/IBM-Cloud/ibm/1.56.0/docs/resources/container_vpc_cluster#kms_account_id We require similar functionality for kms_config, which is used for cluster encryption.