vpc spoke dns resolver type can not be set to delegated after a ibm_is_vpc_dns_resolution_binding

[powellquiring]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

There isn’t currently a way in terraform to create a delegated system consisting of a hub and spoke VPC in 1 pass that includes an IAM authorization that specifies by the hub and spoke:

1. hub vpc and resolvers
2. spoke vpc
3. IAM authorization hub_vpc, spoke_vpc
4. resource "ibm_is_vpc_dns_resolution_binding" from spoke to hub
5. set the spoke vpc DNS resolver type to delegated

Here is the iam authorization policy, notice it has the hub and spoke ids to narrowed as much as possible.

resource "ibm_iam_authorization_policy" "policy" {
  #"DNSBindingConnector",
  roles = [
    "DNS Binding Connector",
  ]
  subject_attributes {
    name  = "accountId"
    value = local.settings.account_id
  }
  subject_attributes {
    name  = "serviceName"
    value = "is"
  }
  subject_attributes {
    name  = "resourceType"
    value = "vpc"
  }
  subject_attributes {
    name  = "resource"
    value = locl.spoke_vpc.id
  }
  resource_attributes {
    name  = "accountId"
    value = local.settings.account_id
  }
  resource_attributes {
    name  = "serviceName"
    value = "is"
  }
  resource_attributes {
    name  = "vpcId"
    value = local.transit_vpc.id
  }
}

The last step of setting the spoke to delegated currently requires that one goes back to the spoke vpc and make an editing change.

A solution would be to add the type to the binding resource as shown below:

resource "ibm_is_vpc_dns_resolution_binding" "spoke_vpc_dns_resolution_binding_by_id" {
  for_each = { for index, vpc in local.spoke_vpcs : index => vpc }
  name     = each.value.name
  vpc_id   = each.value.id
  type     = "delegated" # THIS IS NEW
  vpc {
    id = local.transit_vpc.id
  }
}

As a work around it is possible to patch the spoke VPC DNS using curl. But this is problematic since the bearer token is persisted in the terraform state file and could (will likely) expire before the destroy operation is executed.

locals {
  api_version      = "2024-04-04"
  vpc_api_endpoint = "https://${local.settings.region}.iaas.cloud.ibm.com"
  vpcs_url         = "${local.vpc_api_endpoint}/v1/vpcs/${each.value.id}?version=${local.api_version}&generation=2"
  patch_delegated = {
    dns = {
      resolver = {
        type = "delegated"
        vpc = {
          id = local.transit_vpc.id
        }
        dns_binding_name = "spoke-to-transit"
      }
    }
  }
  patch_system = {
    dns = {
      resolver = {
        type = "system"
        vpc  = null
      }
    }
  }
  iam_access_token = sensitive(data.ibm_iam_auth_token.tokendata.iam_access_token)
  headers = {
    "Content-Type"  = "application/json"
    "Authorization" = data.ibm_iam_auth_token.tokendata.iam_access_token
  }
}

resource "terracurl_request" "patch_delegated" {
  for_each     = { for index, vpc in local.spoke_vpcs : index => vpc }
  name         = each.value.name
  url          = local.vpcs_url
  method       = "PATCH"
  request_body = jsonencode(local.patch_delegated)
  headers      = local.headers
  response_codes = [
    200,
    204
  ]

  destroy_url          = local.vpcs_url
  destroy_method       = "PATCH"
  destroy_request_body = jsonencode(local.patch_system)
  destroy_headers      = local.headers
  destroy_response_codes = [
    200,
    204
  ]
}

New or Affected Resource(s)

• ibm_is_vpc_dns_resolution_binding

Potential Terraform Configuration

resource "ibm_is_vpc_dns_resolution_binding" "spoke_vpc_dns_resolution_binding_by_id" {
  for_each = { for index, vpc in local.spoke_vpcs : index => vpc }
  name     = each.value.name
  vpc_id   = each.value.id
  type     = "delegated" # THIS IS NEW
  vpc {
    id = local.transit_vpc.id
  }
}

[astha-jain]

hi @powellquiring Fix was added in release v1.61.0 https://github.com/IBM-Cloud/terraform-provider-ibm/pull/5000/files#diff-ce0d6d161b16d61703ebee92b2f35379d225abedba0fb7c2c4d09b2ccb1bb427R86

[sumitkumartiwari]

Closing based on @astha-jain comments.

[sumitkumartiwari]

@powellquiring Please confirm if the issue can be closed ?