IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

InvalidRequest: Server Side Encryption with hs-crypto is not enabled. #4936

Closed Aashiq-J closed 6 months ago

Aashiq-J commented 7 months ago

Terraform CLI and Terraform IBM Provider Version

v1.59.0

Affected Resource(s)

Terraform Configuration Files

resource "ibm_cos_bucket" "cos_bucket" {
  count                 = (var.kms_encryption_enabled && var.create_cos_bucket) ? 1 : 0
  depends_on            = [ibm_iam_authorization_policy.policy]
  bucket_name           = var.add_bucket_name_suffix ? "${var.bucket_name}-${random_string.bucket_name_suffix[0].result}" : var.bucket_name
  resource_instance_id  = local.cos_instance_id
  region_location       = var.region
  cross_region_location = var.cross_region_location
  endpoint_type         = var.management_endpoint_type_for_bucket
  storage_class         = var.bucket_storage_class
  key_protect           = var.kms_key_crn
  ## This for_each block is NOT a loop to attach to multiple retention blocks.
  ## This block is only used to conditionally add the retention block depending on whether retention is enabled.
  dynamic "retention_rule" {
    for_each = local.retention_enabled
    content {
      default   = var.retention_default
      maximum   = var.retention_maximum
      minimum   = var.retention_minimum
      permanent = var.retention_permanent
    }
  }
  ## This for_each block is NOT a loop to attach to multiple archive blocks.
  ## This block is only used to conditionally add the archive block depending on whether the archive rule is enabled.
  dynamic "archive_rule" {
    for_each = local.archive_enabled
    content {
      enable = true
      days   = var.archive_days
      type   = var.archive_type
    }
  }
  ## This for_each block is NOT a loop to attach to multiple expire blocks.
  ## This block is only used to conditionally add the expire block depending on whether the expire rule is enabled.
  dynamic "expire_rule" {
    for_each = local.expire_enabled
    content {
      enable = true
      days   = var.expire_days
    }
  }
  ## This for_each block is NOT a loop to attach to multiple Activity Tracker instances.
  ## This block is only used to conditionally attach activity tracker depending on AT CRN is provided.
  dynamic "activity_tracking" {
    for_each = local.at_enabled
    content {
      read_data_events     = true
      write_data_events    = true
      activity_tracker_crn = var.activity_tracker_crn
    }
  }
  ## This for_each block is NOT a loop to attach to multiple Sysdig instances.
  ## This block is only used to conditionally attach monitoring depending on whether a Sysdig CRN is provided.
  dynamic "metrics_monitoring" {
    for_each = local.metrics_enabled
    content {
      usage_metrics_enabled   = true
      request_metrics_enabled = true
      metrics_monitoring_crn  = var.sysdig_crn
    }
  }
  ## This for_each block is NOT a loop to attach to multiple versioning blocks.
  ## This block is only used to conditionally attach a single versioning block.
  dynamic "object_versioning" {
    for_each = local.object_versioning_enabled
    content {
      enable = var.object_versioning_enabled
    }
  }
}

Complete code: https://github.com/terraform-ibm-modules/terraform-ibm-cos/blob/main/main.tf

Debug Output

│ Error: InvalidRequest: Server Side Encryption with hs-crypto is not enabled.
│   status code: 400, request id: 866408a2-372f-47ca-8bff-cfc0a8251eb2, host id: 
│ 
│   with module.flowlogs_bucket.module.buckets["base-ocp-fscloud-izzi3g-vpc-flowlogs"].ibm_cos_bucket.cos_bucket[0],
│   on .terraform/modules/flowlogs_bucket/main.tf line 109, in resource "ibm_cos_bucket" "cos_bucket":
│  109: resource "ibm_cos_bucket" "cos_bucket" {
│ 
╵}

Panic Output

: timestamp=2023-11-16T00:37:12.792Z
2023-11-16T00:37:12.792Z [INFO]  provider.terraform-provider-ibm_v1.59.0: 2023/11/16 00:37:12 [DEBUG] GET https://iam.cloud.ibm.com/v2/roles?account_id=abac0df06b644a9cabc6e44f55b3880e&service_name=sysdig-monitor: timestamp=2023-11-16T00:37:12.792Z
2023-11-16T00:37:12.818Z [TRACE] provider.terraform-provider-ibm_v1.59.0: Called downstream: @module=sdk.helper_schema tf_provider_addr=provider tf_req_id=3e3e5eb7-2c2e-97c2-8653-46cd5842f4ba tf_resource_type=ibm_cos_bucket tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.24.0/helper/schema/resource.go:838 timestamp=2023-11-16T00:37:12.818Z
2023-11-16T00:37:12.818Z [TRACE] provider.terraform-provider-ibm_v1.59.0: Received downstream response: diagnostic_error_count=1 diagnostic_warning_count=0 tf_proto_version=5.3 tf_provider_addr=provider tf_req_duration_ms=1548 @caller=github.com/hashicorp/terraform-plugin-go@v0.14.0/tfprotov5/internal/tf5serverlogging/downstream_request.go:37 tf_resource_type=ibm_cos_bucket tf_req_id=3e3e5eb7-2c2e-97c2-8653-46cd5842f4ba tf_rpc=ApplyResourceChange @module=sdk.proto timestamp=2023-11-16T00:37:12.818Z
2023-11-16T00:37:12.819Z [ERROR] provider.terraform-provider-ibm_v1.59.0: Response contains error diagnostic: @module=sdk.proto diagnostic_summary="InvalidRequest: Server Side Encryption with hs-crypto is not enabled.
    status code: 400, request id: 866408a2-372f-47ca-8bff-cfc0a8251eb2, host id: " tf_proto_version=5.3 tf_req_id=3e3e5eb7-2c2e-97c2-8653-46cd5842f4ba @caller=github.com/hashicorp/terraform-plugin-go@v0.14.0/tfprotov5/internal/diag/diagnostics.go:55 diagnostic_detail= diagnostic_severity=ERROR tf_provider_addr=provider tf_resource_type=ibm_cos_bucket tf_rpc=ApplyResourceChange timestamp=2023-11-16T00:37:12.818Z
2023-11-16T00:37:12.819Z [TRACE] provider.terraform-provider-ibm_v1.59.0: Served request: tf_resource_type=ibm_cos_bucket @caller=github.com/hashicorp/terraform-plugin-go@v0.14.0/tfprotov5/tf5server/server.go:831 tf_proto_version=5.3 tf_req_id=3e3e5eb7-2c2e-97c2-8653-46cd5842f4ba tf_rpc=ApplyResourceChange @module=sdk.proto tf_provider_addr=provider timestamp=2023-11-16T00:37:12.818Z
2023-11-16T00:37:12.820Z [TRACE] maybeTainted: module.flowlogs_bucket.module.buckets["base-ocp-fscloud-izzi3g-vpc-flowlogs"].ibm_cos_bucket.cos_bucket[0] encountered an error during creation, so it is now marked as tainted
2023-11-16T00:37:12.820Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for module.flowlogs_bucket.module.buckets["base-ocp-fscloud-izzi3g-vpc-flowlogs"].ibm_cos_bucket.cos_bucket[0]
2023-11-16T00:37:12.821Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: removing state object for module.flowlogs_bucket.module.buckets["base-ocp-fscloud-izzi3g-vpc-flowlogs"].ibm_cos_bucket.cos_bucket[0]
2023-11-16T00:37:12.821Z [TRACE] evalApplyProvisioners: module.flowlogs_bucket.module.buckets["base-ocp-fscloud-izzi3g-vpc-flowlogs"].ibm_cos_bucket.cos_bucket[0] is tainted, so skipping provisioning
2023-11-16T00:37:12.821Z [TRACE] maybeTainted: module.flowlogs_bucket.module.buckets["base-ocp-fscloud-izzi3g-vpc-flowlogs"].ibm_cos_bucket.cos_bucket[0] was already tainted, so nothing to do
2023-11-16T00:37:12.821Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for module.flowlogs_bucket.module.buckets["base-ocp-fscloud-izzi3g-vpc-flowlogs"].ibm_cos_bucket.cos_bucket[0]
2023-11-16T00:37:12.821Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: removing state object for module.flowlogs_bucket.module.buckets["base-ocp-fscloud-izzi3g-vpc-flowlogs"].ibm_cos_bucket.cos_bucket[0]
2023-11-16T00:37:12.822Z [TRACE] statemgr.Filesystem: no original state snapshot to back up
2023-11-16T00:37:12.826Z [TRACE] statemgr.Filesystem: state has changed since last snapshot, so incrementing serial to 7
2023-11-16T00:37:12.826Z [TRACE] statemgr.Filesystem: writing snapshot at terraform.tfstate
2023-11-16T00:37:12.829Z [DEBUG] State storage *statemgr.Filesystem declined to persist a state snapshot
2023-11-16T00:37:12.829Z [ERROR] vertex "module.flowlogs_bucket.module.buckets[\"base-ocp-fscloud-izzi3g-vpc-flowlogs\"].ibm_cos_bucket.cos_bucket[0]" error: InvalidRequest: Server Side Encryption with hs-crypto is not enabled.
    status code: 400, request id: 866408a2-372f-47ca-8bff-cfc0a8251eb2, host id:
2023-11-16T00:37:12.829Z [TRACE] vertex "module.flowlogs_bucket.module.buckets[\"base-ocp-fscloud-izzi3g-vpc-flowlogs\"].ibm_cos_bucket.cos_bucket[0]": visit complete, with errors
2023-11-16T00:37:12.830Z [TRACE] dag/walk: upstream of "module.flowlogs_bucket.module.buckets.local.bucket_storage_class (expand)" errored, so skipping
2023-11-16T00:37:12.830Z [TRACE] dag/walk: upstream of "module.flowlogs_bucket.module.buckets.output.bucket_storage_class (expand)" errored, so skipping
2023-11-16T00:37:12.830Z [TRACE] dag/walk: upstream of "module.flowlogs_bucket.module.buckets.local.bucket_id (expand)" errored, so skipping
2023-11-16T00:37:12.830Z [TRACE] dag/walk: upstream of "module.flowlogs_bucket.module.buckets.output.bucket_id (expand)" errored, so skipping
2023-11-16T00:37:12.831Z [TRACE] dag/walk: upstream of "module.flowlogs_bucket.module.buckets.local.bucket_name (expand)" errored, so skipping
2023-11-16T00:37:12.831Z [TRACE] dag/walk: upstream of "module.flowlogs_bucket.module.buckets.output.bucket_name (expand)" errored, so skipping
2023-11-16T00:37:12.831Z [TRACE] dag/walk: upstream of "module.flowlogs_bucket.module.buckets.local.bucket_crn (expand)" errored, so skipping
2023-11-16T00:37:12.831Z [TRACE] dag/walk: upstream of "module.flowlogs_bucket.module.buckets.local.s3_endpoint_private (expand)" errored, so skipping
2023-11-16T00:37:12.831Z [TRACE] dag/walk: upstream of "module.flowlogs_bucket.module.buckets.local.s3_endpoint_public (expand)" errored, so skipping
2023-11-16T00:37:12.832Z [TRACE] dag/walk: upstream of "module.flowlogs_bucket.module.buckets.local.s3_endpoint_direct (expand)" errored, so skipping
2023-11-16T00:37:12.832Z [TRACE] dag/walk: upstream of "module.flowlogs_bucket.module.buckets.output.bucket_crn (expand)" errored, so skipping
2023-11-16T00:37:12.832Z [TRACE] dag/walk: upstream of "module.flowlogs_bucket.module.buckets.output.s3_endpoint_private (expand)" errored, so skipping
2023-11-16T00:37:12.832Z [TRACE] dag/walk: upstream of "module.flowlogs_bucket.module.buckets.output.s3_endpoint_public (expand)" errored, so skipping
2023-11-16T00:37:12.832Z [TRACE] dag/walk: upstream of "module.flowlogs_bucket.module.buckets.output.s3_endpoint_direct (expand)" errored, so skipping
2023-11-16T00:37:12.892Z [INFO]  provider.terraform-provider-ibm_v1.59.0: 2023/11/16 00:37:12 [Debug] Request:
GET /v2/resource_instances/85960da8-e74c-4a1e-a625-2b1317cbbb08 HTTP/1.1
Host: resource-controller.cloud.ibm.com
User-Agent: platform-services-go-sdk/0.52.0 (lang=go; arch=amd64; os=linux; go.version=go1.18.10)
Accept: application/json
Authorization: [redacted]
X-Original-User-Agent: terraform-provider-ibm/1.59.0
Accept-Encoding: gzip

Expected Behavior

Apply without error

Actual Behavior

Cannot reproduce at will.

This provider crash happens intermittently, and is not consistent.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

IBM-diksha commented 7 months ago

@Aashiq-J We are looking into this one.

IBM-diksha commented 6 months ago

@Aashiq-J The reason you are facing this issue is that the jp-osa region does not support COS association with HPCS, and hence you are facing that issue with COS bucket creation in the JP-OSA region. Here is the documentation that you can refer to for the same: https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-service-availability

You can use another region that is supported to create the COS bucket and associate it with HPCS.

Aashiq-J commented 6 months ago

Sure, thanks for the help. Closing issue.
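
The region restriction described in the maintainer's reply can be caught at plan time rather than as a 400 during apply. The following is an added example, not code from terraform-ibm-cos or the IBM provider; `hpcs_supported_cos_regions` and `hpcs_region_guard` are hypothetical names, and the region list has to be filled in from IBM's service-availability documentation because this page does not give it. It assumes Terraform 1.4 or later.

```hcl
# Added example: fail the plan when an hs-crypto (HPCS) key is paired with a
# COS region that is not on an operator-maintained allow list.

variable "region" {
  type        = string
  description = "Region of the COS bucket, e.g. \"jp-osa\"."
}

variable "kms_key_crn" {
  type        = string
  description = "CRN of the root key used for bucket encryption."
}

# Hypothetical input (assumption): populate it from the service-availability
# page linked in the thread. No default, so it cannot silently go stale.
variable "hpcs_supported_cos_regions" {
  type        = list(string)
  description = "COS regions where a bucket can be associated with an HPCS key."
}

locals {
  # CRN layout: crn:version:cname:ctype:service-name:location:...
  # The service name is segment index 4; HPCS keys use "hs-crypto",
  # which is the service named in the error message.
  kms_crn_parts = split(":", var.kms_key_crn)
  # try() avoids an index error when the value is not a well-formed CRN.
  kms_is_hpcs = try(local.kms_crn_parts[4], "") == "hs-crypto"
}

# Carries no data; it exists only to host the precondition.
resource "terraform_data" "hpcs_region_guard" {
  lifecycle {
    precondition {
      condition = (
        !local.kms_is_hpcs ||
        contains(var.hpcs_supported_cos_regions, var.region)
      )
      error_message = "Region ${var.region} is not in hpcs_supported_cos_regions, so a bucket created there cannot be encrypted with an hs-crypto key."
    }
  }
}
```

Because both inputs are known at plan time, the precondition stops `terraform plan` before any bucket request is sent. Adding `terraform_data.hpcs_region_guard` to the bucket's `depends_on` list makes the ordering explicit.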