IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

provider issue: For KMS resource #5079

Open surajsbharadwaj opened 7 months ago

surajsbharadwaj commented 7 months ago

Hello Team,

I am getting this error with the ibm_resource_instance for kms resource: "MISSING_FIELD_ERR: The field `allowed_network` is required: Allowed Network parameter must be set". On reapply, it passes.

PATCH /v2/resource_instances/crn:v1:bluemix:public:kms:au-syd:a%2F719e669b325b4d888c6f45401fef8bc1:8a634ddb-82de-4a4b-b0e2-66c1209dacca:: HTTP/1.1
Host: resource-controller.cloud.ibm.com
User-Agent: platform-services-go-sdk/0.55.0 (lang=go; arch=amd64; os=darwin; go.version=go1.19.13)
Content-Length: 58
Accept: application/json
Authorization: [redacted]
Content-Type: application/json
X-Original-User-Agent: terraform-provider-ibm/1.61.0
Accept-Encoding: gzip

{"parameters":{"service-endpoints":"public-and-private"}}: timestamp=2024-01-24T14:36:34.850+0100
2024-01-24T14:36:34.850+0100 [INFO]  provider.terraform-provider-ibm_v1.61.0: 2024/01/24 14:36:34 [DEBUG] PATCH https://resource-controller.cloud.ibm.com/v2/resource_instances/crn:v1:bluemix:public:kms:au-syd:a%!F(MISSING)719e669b325b4d888c6f45401fef8bc1:8a634ddb-82de-4a4b-b0e2-66c1209dacca::: timestamp=2024-01-24T14:36:34.850+0100
2024-01-24T14:36:36.192+0100 [INFO]  provider.terraform-provider-ibm_v1.61.0: 2024/01/24 14:36:36 [Debug] Response:
HTTP/2.0 422 Unprocessable Entity

It's trying to update Key Protect with {"parameters":{"service-endpoints":"public-and-private"}} since it was added in version v5.10.0 of landing zone. @Key Protect team, why is this patch causing the error: "MISSING_FIELD_ERR: The field `allowed_network` is required: Allowed Network parameter must be set"? The API is saying that allowed_network is required, so I bet they are incorrectly calling the API?

# module.fullstack.module.landing_zone.module.landing_zone.module.key_management.ibm_resource_instance.kms[0] will be updated in-place
  ~ resource "ibm_resource_instance" "kms" {
        id                      = "crn:v1:bluemix:public:kms:au-syd:a/719e669b325b4d888c6f45401fef8bc1:8dd0fe10-9be8-46ba-94a2-ca2fe0805b4c::"
        name                    = "slz-kms"
      + service_endpoints       = "public-and-private"
        tags                    = []
        # (32 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.fullstack.module.landing_zone.module.landing_zone.module.key_management.ibm_resource_instance.kms[0]: Modifying... [id=crn:v1:bluemix:public:kms:au-syd:a/719e669b325b4d888c6f45401fef8bc1:8dd0fe10-9be8-46ba-94a2-ca2fe0805b4c::]
╷
│ Error: [ERROR] Error updating resource instance: Please contact the Service Provider for this error. Service Broker returned error status code 422 with resp code: {
│     "StatusCode": 422,
│     "Headers": {
│         "Cache-Control": [
│             "max-age=0, no-cache, no-store"
│         ],
│         "Content-Length": [
│             "325"
│         ],
│         "Content-Type": [
│             "application/json; charset=utf-8"
│         ],
│         "Date": [
│             "Wed, 24 Jan 2024 10:23:11 GMT"
│         ],
│         "Expires": [
│             "Wed, 24 Jan 2024 10:23:11 GMT"
│         ],
│         "Pragma": [
│             "no-cache"
│         ],
│         "Request-Id": [
│             "5cbd2598-3445-406f-aebd-a582360ec375"
│         ],
│         "Retry-After": [
│             "0"
│         ],
│         "Server": [
│             "istio-envoy"
│         ],
│         "Strict-Transport-Security": [
│             "max-age=31536000;includeSubDomains"
│         ],
│         "Transaction-Id": [
│             "bss-605c0d2c88b3654e"
│         ],
│         "X-Content-Type-Options": [
│             "nosniff"
│         ],
│         "X-Envoy-Upstream-Service-Time": [
│             "1230"
│         ],
│         "X-Global-Transaction-Id": [
│             "bss-605c0d2c88b3654e"
│         ],
│         "X-Op-Completion-Time": [
│             ""
│         ],
│         "X-Ratelimit-Limit": [
│             "100"
│         ],
│         "X-Ratelimit-Remaining": [
│             "99"
│         ],
│         "X-Ratelimit-Reset": [
│             "0"
│         ],
│         "X-Request-Id": [
│             "5cbd2598-3445-406f-aebd-a582360ec375"
│         ],
│         "X-Transaction-Id": [
│             "bss-605c0d2c88b3654e"
│         ]
│     },
│     "Result": {
│         "details": "MISSING_FIELD_ERR: The field `allowed_network` is required: Allowed Network parameter must be set",
│         "error_code": "RC-ServiceBrokerErrorResponse",
│         "message": "Please contact the Service Provider for this error. Service Broker returned error status code 422",
│         "status_code": 422,
│         "transaction_id": "bss-605c0d2c88b3654e"
│     },
│     "RawResult": null
│ }
│ 
│ 
│   with module.fullstack.module.landing_zone.module.landing_zone.module.key_management.ibm_resource_instance.kms[0],
│   on .terraform/modules/fullstack.landing_zone/kms/main.tf line 20, in resource "ibm_resource_instance" "kms":
│   20: resource "ibm_resource_instance" "kms" {

surajsbharadwaj commented 7 months ago

Logs.zip Trace Logs

ocofaigh commented 7 months ago

@BrunoHenriques @william8siew Is it something you can help with?

william8siew commented 7 months ago

I believe it is as you said, Resource Controller is incorrectly calling our policies API. The error

Allowed Network parameter must be set

is from the KMS team's API.

This terraform resource code

resource "ibm_resource_instance" "kms" {

is managed by a different team from the KMS team: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance. You will need to reach out to the Resource Controller team.

ocofaigh commented 7 months ago

As per internal debug:

This difference is because different services have their own implementation of service_endpoints. Some services require us to send it as part of parameters with key params[service_endpoints]; some other services require us to send it as params[allowed_network] (mainly hpcs and keyprotect I think). Since resource_instance is a generic resource, it didn't support the corner case of KMS and HPCS.

Can we update service_endpoints as part of parameters instead of service_endpoints, something like:

 parameters = {
   allowed_network: "public-and-private",
 }

I'm trying this out now; however, if this is the solution, I think a new Key Protect provision example needs to be added to the docs that shows passing the service endpoint as a parameter, similar to this example. Also, if logic was added to the provider code to fail if someone tries to pass the endpoint value directly in ibm_resource_instance when provisioning Key Protect, that would be nice too; otherwise consumers don't know they have a misconfiguration at all.

ocofaigh commented 7 months ago

@hkantare FYI, using parameters block worked fine - do you want to keep this issue open to track doc update and logic to catch the misconfiguration?
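
The "logic to catch the misconfiguration" discussed above can also run before apply, as a check over the JSON form of a plan (`terraform show -json <planfile>`). This is an added example, not code from the provider or from anyone in this thread; the function names, the `hs-crypto` service name for HPCS and the sample plan are assumptions.

```python
# Services that, per the thread, expect parameters.allowed_network rather than
# service_endpoints. "kms" appears in the CRN on this page; "hs-crypto" for
# HPCS is an assumption.
ALLOWED_NETWORK_SERVICES = {"kms", "hs-crypto"}


def find_endpoint_misconfig(plan):
    """Return addresses of ibm_resource_instance changes that set or change
    service_endpoints on such a service without parameters.allowed_network."""
    flagged = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        if rc.get("type") != "ibm_resource_instance":
            continue
        if not {"create", "update"} & set(change.get("actions", [])):
            continue
        before = change.get("before") or {}   # null on create
        after = change.get("after") or {}
        if after.get("service") not in ALLOWED_NETWORK_SERVICES:
            continue
        endpoints = after.get("service_endpoints")
        params = after.get("parameters") or {}
        # The PATCH body in the thread carried only service-endpoints; flag
        # that shape before the broker answers 422.
        changed = endpoints != before.get("service_endpoints")
        if endpoints and changed and "allowed_network" not in params:
            flagged.append(rc["address"])
    return flagged


def make_change(address, service, actions, before_ep, after_ep, params=None):
    """Build one constructed resource_changes entry for the sample plan."""
    return {
        "address": address,
        "type": "ibm_resource_instance",
        "change": {
            "actions": actions,
            "before": {"service": service, "service_endpoints": before_ep},
            "after": {"service": service, "service_endpoints": after_ep,
                      "parameters": params},
        },
    }


# Constructed sample plan (not taken from the issue's logs).
SAMPLE_PLAN = {"resource_changes": [
    make_change("ibm_resource_instance.kms_bad", "kms", ["update"], None, "public-and-private"),
    make_change("ibm_resource_instance.kms_ok", "kms", ["update"], None, None,
                {"allowed_network": "public-and-private"}),
    make_change("ibm_resource_instance.cos", "cloud-object-storage", ["update"], None, "public-and-private"),
]}
```
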

william8siew commented 6 months ago

https://ibm-cloudplatform.slack.com/archives/C53NF5MB4/p1706518011466959

william8siew commented 6 months ago

Issue seems to have been resolved by the core terraform team. @surajsbharadwaj, can you resolve this?