oracle / terraform-provider-oci

Terraform Oracle Cloud Infrastructure provider
https://www.terraform.io/docs/providers/oci/
Mozilla Public License 2.0

Create oci_kms_key 404 with Terraform but succeeds in console. #2114

Closed bassg0navy closed 6 months ago

bassg0navy commented 6 months ago

Terraform Version and Provider Version

Terraform v1.8.3
on darwin_arm64
provider registry.terraform.io/hashicorp/oci v5.41.0

Affected Resource(s)

oci_kms_key

Terraform Configuration Files

```hcl
resource "oci_kms_key" "master_key" {
    compartment_id = var.compartment_id
    display_name = "xxx-kms-master-key"
    key_shape {
        algorithm = "ECDSA"
        length = 48

        # curve_id = oci_kms_curve.test_curve.id
    }
    management_endpoint = "https://kms.us-ashburn-1.oraclecloud.com" # all resources are in IAD region

    protection_mode = var.key_protection_mode
}
```

Debug Output

https://gist.github.com/bassg0navy/197f8ff99d019dead55c0e6d1641c2c0

Panic Output

Expected Behavior

New KMS key should have been created.

Actual Behavior

Key creation fails. The suggestion mentions the error may be due to a missing policy allowing the KMS Key service access to the KMS vault/keys.

Steps to Reproduce

Add a policy to allow the user to manage all resources in the tenancy to ensure user permissions are not an issue. Create the oci_kms_vault resource. (I'm able to create KMS default virtual vaults, but not KMS keys.) Attempt to create the oci_kms_key resource in the tenancy.

  1. Add policy to allow user to manage all resources in tenancy to ensure user permissions are not an issue.
  2. Create oci_kms_vault resource.
  3. Run terraform apply
  4. Type yes to allow plan to run

Important Factoids

I'm able to create KMS (default virtual) vault resources, but not KMS keys. I've tried adding specific policies to allow user to manage vault, keys and secrets-family resources in tenancy.

References

  - KMS Key resource documentation
  - KMS FAQ

bassg0navy commented 6 months ago

Issue was using the KMS API endpoint instead of the vault-specific management endpoint for the management_endpoint attribute. Answer shown here.
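Added example (not from the issue above or from the provider's own code) showing the configuration the resolution describes: the key takes its `management_endpoint` from the vault it belongs to rather than from the hard-coded regional KMS API endpoint. The vault and variable names, the AES key shape, the protection mode and the hostname pattern checked in the precondition are all assumptions made for this example.

```hcl
# Added example, not the reporter's configuration. Assumed names:
# oci_kms_vault.example_vault, var.compartment_id.

resource "oci_kms_vault" "example_vault" {
  compartment_id = var.compartment_id
  display_name   = "example-vault"
  vault_type     = "DEFAULT"
}

resource "oci_kms_key" "master_key" {
  compartment_id = var.compartment_id
  display_name   = "example-kms-master-key"

  # AES-256 chosen for the example so no curve_id is needed (assumption).
  key_shape {
    algorithm = "AES"
    length    = 32
  }

  # Every vault exposes its own management endpoint as an attribute of the
  # oci_kms_vault resource. The regional endpoint
  # https://kms.<region>.oraclecloud.com is the vault-management API, not a
  # key-management endpoint, which is why key creation against it returned 404.
  management_endpoint = oci_kms_vault.example_vault.management_endpoint

  protection_mode = "SOFTWARE"

  lifecycle {
    # Guard against regressing to the regional endpoint. Assumes vault
    # management endpoints contain "-management.kms." in their hostname.
    precondition {
      condition     = can(regex("-management\\.kms\\.", oci_kms_vault.example_vault.management_endpoint))
      error_message = "management_endpoint must be the vault-specific endpoint, not the regional KMS API endpoint."
    }
  }
}
```

Referencing the vault attribute also makes Terraform order the two resources correctly, so the key is only planned once the vault (and its endpoint) exists; a hard-coded string gives no such dependency.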