Due to the way the Event Streams service handles de-registration of an instance from a KMS root key, it makes it impossible to manage the KMS key and the Event Streams instance in the same Terraform state.
Here is how the Event Streams service handles de-registration:
1. When the instance is deleted, it goes into the reclamation list.
2. Only when that reclamation expires (or if someone forcefully deletes the reclamation) does the de-registration of the instance from the key occur. NOTE: the auth policy must still be in place at this point for de-registration to occur.
Because of this, it is impossible to manage the key, the auth policy and the instance in the same Terraform state.
In the Terraform Configuration Files section below, I have included a code snippet that can be used to verify this. If you do terraform apply and then terraform destroy on it, the destroy fails with this:
│ Error: [ERROR] Error while deleting: kp.Error: correlation_id='f57445b8-8886-429c-9f44-ba130043b868', msg='Conflict: Key could not be deleted: Please see `reasons` for more details (PREV_KEY_DEL_ERR)', reasons='[PREV_KEY_DEL_ERR: The key cannot be deleted because it's protecting a cloud resource that has a retention policy: Before you delete this key, contact an account owner to remove the retention policy on each resource that is associated with the key - FOR_MORE_INFO_REFER: https://cloud.ibm.com/docs/key-protect?topic=key-protect-delete-keys#delete-key-force]'. The key has the following active registrations which may interfere with deletion: [crn:v1:bluemix:public:messagehub:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e62e3d5d-93e1-4a8a-acc7-a5113d093adc::]
│
│ ---
│ id: terraform-a05cda1f
│ summary: '[ERROR] Error while deleting: kp.Error: correlation_id=''f57445b8-8886-429c-9f44-ba130043b868'',
│ msg=''Conflict: Key could not be deleted: Please see `reasons` for more details
│ (PREV_KEY_DEL_ERR)'', reasons=''[PREV_KEY_DEL_ERR: The key cannot be deleted because
│ it''s protecting a cloud resource that has a retention policy: Before you delete
│ this key, contact an account owner to remove the retention policy on each resource
│ that is associated with the key - FOR_MORE_INFO_REFER: https://cloud.ibm.com/docs/key-protect?topic=key-protect-delete-keys#delete-key-force]''.
│ The key has the following active registrations which may interfere with deletion:
│ [crn:v1:bluemix:public:messagehub:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e62e3d5d-93e1-4a8a-acc7-a5113d093adc::]'
│ severity: error
│ resource: ibm_kms_key
│ operation: delete
│ component:
│ name: github.com/IBM-Cloud/terraform-provider-ibm
│ version: 1.66.0
│ ---
Terraform CLI and Terraform IBM Provider Version
tf 1.6.6
ibm provider 1.66.0
Affected Resource(s)
ibm_resource_instance
Terraform Configuration Files
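The reporter's snippet did not survive in this copy of the issue, so the configuration below is an added reconstruction of the pattern being described (KMS root key, service-to-service auth policy, Event Streams instance registered against the key), written here for illustration and not the reporter's own code. The resource types are the ones the error output names (ibm_kms_key, ibm_resource_instance) plus ibm_iam_authorization_policy; the plan names, the kms_key_crn parameter and all instance names are assumptions based on the provider's documentation and should be checked against provider 1.66.0 before use.

```hcl
terraform {
  required_providers {
    ibm = {
      source  = "IBM-Cloud/ibm"
      version = "1.66.0" # version from the issue's error output
    }
  }
}

provider "ibm" {
  region = "us-south" # region taken from the CRN in the error output
}

# Key Protect instance that holds the root key (service/plan names assumed).
resource "ibm_resource_instance" "kms" {
  name     = "kms-for-event-streams" # constructed name
  service  = "kms"
  plan     = "tiered-pricing"
  location = "us-south"
}

# Root key that the Event Streams instance is registered against.
resource "ibm_kms_key" "root_key" {
  instance_id  = ibm_resource_instance.kms.guid
  key_name     = "event-streams-root-key" # constructed name
  standard_key = false                    # root key, not a standard key
}

# Service-to-service authorization: Event Streams (messagehub) reads the key.
# This is the policy that still has to exist when the reclamation expires,
# otherwise the instance is never de-registered from the key.
resource "ibm_iam_authorization_policy" "es_to_kms" {
  source_service_name         = "messagehub"
  target_service_name         = "kms"
  target_resource_instance_id = ibm_resource_instance.kms.guid
  roles                       = ["Reader"]
}

# Enterprise Event Streams instance encrypted with the root key.
# The kms_key_crn parameter name is an assumption from the provider docs.
resource "ibm_resource_instance" "event_streams" {
  name     = "es-enterprise" # constructed name
  service  = "messagehub"
  plan     = "enterprise-3nodes-2tb"
  location = "us-south"

  parameters = {
    kms_key_crn = ibm_kms_key.root_key.crn
  }

  # Make the ordering explicit: the policy must exist before the instance
  # registers with the key.
  depends_on = [ibm_iam_authorization_policy.es_to_kms]
}
```

Why a single-state destroy fails, read against the graph above: `terraform destroy` walks the dependency graph in reverse, so the Event Streams instance is deleted first, but the service only moves it to the reclamation list, and its registration on the key stays active. Terraform then deletes the auth policy and the key in the same run. The key delete is rejected with PREV_KEY_DEL_ERR because of the live registration, and the policy delete succeeds, which removes exactly the authorization the later de-registration needs. Keeping the key and the auth policy in a separate root module (separate state) from the instance, and destroying that state only after the reclamation has expired or been deleted, is the split the issue text argues is currently unavoidable.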
Expected Behavior
The use case is a standard pattern used by many other services, so I expect it to also work for Event Streams.
Actual Behavior
Cannot manage the KMS key and the Event Streams instance in the same Terraform state.
Steps to Reproduce
terraform apply
terraform destroy