terraform-ibm-modules / terraform-ibm-kms-all-inclusive

Supports creating a Key Protect instance, KMS Key Rings and Keys.
Apache License 2.0

Drift detected / idempotency issues #448

Closed vburckhardt closed 5 months ago

vburckhardt commented 7 months ago

Detected by Project on daily scans.

 2024/04/03 11:10:05 -----  New Workspace Action  -----
 2024/04/03 11:10:05 Request: activitId=16f0b41ffb68ebb11e26b7da61aae1cc, account=9f9af00a96104f49b6509aa715f9d6a5, owner=crn:v1:bluemix:public:project:eu-gb:a/9f9af00a96104f49b6509aa715f9d6a5:74557cfb-9def-4205-af2c-882131d7958e::, requestID=48d0bf48-390f-476e-9ef4-017ad9beb868
 2024/04/03 11:10:06 Related Activity: action=TERRAFORM_COMMANDS, workspaceID=eu-gb.workspace.projects-service.171782e9, processedBy=orchestrator-6bfc579dcb-t6mbq
 2024/04/03 11:10:06 Related Workspace: name=2a---Security-Service---Key-Management, sourcerelease=(not specified), sourceurl=, folder=terraform-ibm-kms-all-inclusive-4.8.5/solutions/standard
 2024/04/03 11:10:10  --- Ready to execute the command --- 
 2024/04/03 11:10:11 workspace.template.StateFile: d5053f50-1382-4a1c-89a7-a6ad8d5dabc3
 2024/04/03 11:10:13 workspace.template.EnvFile: 6a510c2a-0296-4cf8-b3eb-af377d650ade
 2024/04/03 11:10:13 workspace.template.SecFile: 3c4a22a7-08d5-40b7-a9b3-c91a892df108
 2024/04/03 11:10:10 -----  New Action  -----
 2024/04/03 11:10:10 Request: requestID=48d0bf48-390f-476e-9ef4-017ad9beb868
 2024/04/03 11:10:14 Related Activity: action=TF_COMMAND, workspaceID=eu-gb.workspace.projects-service.171782e9, processedByOrchestrator=48d0bf48-390f-476e-9ef4-017ad9beb868_16f0b41ffb68ebb11e26b7da61aae1cc, processedByJob=job12-b8bc7cb58-t8wv4, actionType=Terraform

 2024/04/03 11:10:19 -----  Terraform INIT  -----

 2024/04/03 11:10:19 Starting command: terraform1.5 init -input=false -no-color
 2024/04/03 11:10:19 Starting command: terraform1.5 init -input=false -no-color
 2024/04/03 11:10:20 Terraform init | 
 2024/04/03 11:10:20 Terraform init | Initializing the backend...
 2024/04/03 11:10:20 Terraform init | Initializing modules...
 2024/04/03 11:10:20 Terraform init | - kms in ../..
 2024/04/03 11:10:21 Terraform init | Downloading registry.terraform.io/terraform-ibm-modules/kms-key/ibm 1.2.1 for kms.existing_key_ring_keys...
 2024/04/03 11:10:25 Terraform init | - kms.existing_key_ring_keys in .terraform/modules/kms.existing_key_ring_keys
 2024/04/03 11:10:25 Terraform init | Downloading registry.terraform.io/terraform-ibm-modules/key-protect/ibm 2.6.2 for kms.key_protect...
 2024/04/03 11:10:28 Terraform init | - kms.key_protect in .terraform/modules/kms.key_protect
 2024/04/03 11:10:29 Terraform init | Downloading registry.terraform.io/terraform-ibm-modules/kms-key-ring/ibm 2.3.1 for kms.kms_key_rings...
 2024/04/03 11:10:33 Terraform init | - kms.kms_key_rings in .terraform/modules/kms.kms_key_rings
 2024/04/03 11:10:33 Terraform init | Downloading registry.terraform.io/terraform-ibm-modules/kms-key/ibm 1.2.1 for kms.kms_keys...
 2024/04/03 11:10:33 Terraform init | - kms.kms_keys in .terraform/modules/kms.kms_keys
 2024/04/03 11:10:33 Terraform init | Downloading registry.terraform.io/terraform-ibm-modules/resource-group/ibm 1.1.5 for resource_group...
 2024/04/03 11:10:37 Terraform init | - resource_group in .terraform/modules/resource_group
 2024/04/03 11:10:37 Terraform init | 
 2024/04/03 11:10:37 Terraform init | Initializing provider plugins...
 2024/04/03 11:10:37 Terraform init | - Finding ibm-cloud/ibm versions matching ">= 1.49.0, >= 1.56.1, >= 1.58.0, 1.63.0, < 2.0.0"...
 2024/04/03 11:10:38 Terraform init | - Installing ibm-cloud/ibm v1.63.0...
 2024/04/03 11:10:42 Terraform init | - Installed ibm-cloud/ibm v1.63.0 (self-signed, key ID AAD3B791C49CC253)
 2024/04/03 11:10:42 Terraform init | 
 2024/04/03 11:10:42 Terraform init | Partner and community providers are signed by their developers.
 2024/04/03 11:10:42 Terraform init | If you'd like to know more about provider signing, you can read about it here:
 2024/04/03 11:10:42 Terraform init | https://www.terraform.io/docs/cli/plugins/signing.html
 2024/04/03 11:10:42 Terraform init | 
 2024/04/03 11:10:42 Terraform init | Terraform has created a lock file .terraform.lock.hcl to record the provider
 2024/04/03 11:10:42 Terraform init | selections it made above. Include this file in your version control repository
 2024/04/03 11:10:42 Terraform init | so that Terraform can guarantee to make the same selections by default when
 2024/04/03 11:10:42 Terraform init | you run "terraform init" in the future.
 2024/04/03 11:10:42 Terraform init | 
 2024/04/03 11:10:42 Terraform init | Terraform has been successfully initialized!
 2024/04/03 11:10:42 Command finished successfully.

 2024/04/03 11:10:42 -----  Terraform Commands  -----

 2024/04/03 11:10:42 -----  Terraform PLAN  -----

 2024/04/03 11:10:42 Starting command: terraform1.5 plan -input=false -refresh=true -state=terraform.tfstate -var-file=schematics.tfvars -no-color -out=tfplan.binary
 2024/04/03 11:10:42 Starting command: terraform1.5 plan -input=false -refresh=true -state=terraform.tfstate -var-file=schematics.tfvars -no-color -out=tfplan.binary
 2024/04/03 11:10:51 Terraform plan | module.resource_group.data.ibm_resource_group.existing_resource_group[0]: Reading...
 2024/04/03 11:10:52 Terraform plan | module.resource_group.data.ibm_resource_group.existing_resource_group[0]: Read complete after 1s [id=77dcebb43e244a0e9dc8b5d399b3dada]
 2024/04/03 11:10:52 Terraform plan | module.kms.module.key_protect[0].ibm_resource_instance.key_protect_instance: Refreshing state... [id=crn:v1:bluemix:public:kms:eu-gb:a/190c293e9fda4c6684b5acf4b17871b8:99a0117a-ef35-4093-9f5c-a2e488d01103::]
 2024/04/03 11:10:53 Terraform plan | module.kms.module.key_protect[0].ibm_kms_instance_policies.key_protect_instance_policies: Refreshing state... [id=crn:v1:bluemix:public:kms:eu-gb:a/190c293e9fda4c6684b5acf4b17871b8:99a0117a-ef35-4093-9f5c-a2e488d01103::]
 2024/04/03 11:10:54 Terraform plan | 
 2024/04/03 11:10:54 Terraform plan | Terraform used the selected providers to generate the following execution
 2024/04/03 11:10:54 Terraform plan | plan. Resource actions are indicated with the following symbols:
 2024/04/03 11:10:54 Terraform plan |   ~ update in-place
 2024/04/03 11:10:54 Terraform plan | 
 2024/04/03 11:10:54 Terraform plan | Terraform will perform the following actions:
 2024/04/03 11:10:54 Terraform plan | 
 2024/04/03 11:10:54 Terraform plan |   # module.kms.module.key_protect[0].ibm_kms_instance_policies.key_protect_instance_policies will be updated in-place
 2024/04/03 11:10:54 Terraform plan |   ~ resource "ibm_kms_instance_policies" "key_protect_instance_policies" {
 2024/04/03 11:10:54 Terraform plan |         id          = "crn:v1:bluemix:public:kms:eu-gb:a/190c293e9fda4c6684b5acf4b17871b8:99a0117a-ef35-4093-9f5c-a2e488d01103::"
 2024/04/03 11:10:54 Terraform plan |         # (1 unchanged attribute hidden)
 2024/04/03 11:10:54 Terraform plan | 
 2024/04/03 11:10:54 Terraform plan |       + dual_auth_delete {
 2024/04/03 11:10:54 Terraform plan |           + enabled = false
 2024/04/03 11:10:54 Terraform plan |         }
 2024/04/03 11:10:54 Terraform plan | 
 2024/04/03 11:10:54 Terraform plan |       + key_create_import_access {
 2024/04/03 11:10:54 Terraform plan |           + create_root_key     = true
 2024/04/03 11:10:54 Terraform plan |           + create_standard_key = true
 2024/04/03 11:10:54 Terraform plan |           + enabled             = false
 2024/04/03 11:10:54 Terraform plan |           + enforce_token       = false
 2024/04/03 11:10:54 Terraform plan |           + import_root_key     = true
 2024/04/03 11:10:54 Terraform plan |           + import_standard_key = true
 2024/04/03 11:10:54 Terraform plan |         }
 2024/04/03 11:10:54 Terraform plan | 
 2024/04/03 11:10:54 Terraform plan |       + metrics {
 2024/04/03 11:10:54 Terraform plan |           + enabled = true
 2024/04/03 11:10:54 Terraform plan |         }
 2024/04/03 11:10:54 Terraform plan | 
 2024/04/03 11:10:54 Terraform plan |       + rotation {
 2024/04/03 11:10:54 Terraform plan |           + enabled        = true
 2024/04/03 11:10:54 Terraform plan |           + interval_month = 3
 2024/04/03 11:10:54 Terraform plan |         }
 2024/04/03 11:10:54 Terraform plan |     }
 2024/04/03 11:10:54 Terraform plan | 
 2024/04/03 11:10:54 Terraform plan | Plan: 0 to add, 1 to change, 0 to destroy.
 2024/04/03 11:10:54 Terraform plan | 
 2024/04/03 11:10:54 Terraform plan | Changes to Outputs:
 2024/04/03 11:10:54 Terraform plan |   ~ key_protect_instance_policies = {
 2024/04/03 11:10:54 Terraform plan |       ~ dual_auth_delete         = [
 2024/04/03 11:10:54 Terraform plan |           + {
 2024/04/03 11:10:54 Terraform plan |               + created_by    = null
 2024/04/03 11:10:54 Terraform plan |               + creation_date = null
 2024/04/03 11:10:54 Terraform plan |               + enabled       = false
 2024/04/03 11:10:54 Terraform plan |               + last_updated  = null
 2024/04/03 11:10:54 Terraform plan |               + updated_by    = null
 2024/04/03 11:10:54 Terraform plan |             },
 2024/04/03 11:10:54 Terraform plan |         ]
 2024/04/03 11:10:54 Terraform plan |         id                       = "crn:v1:bluemix:public:kms:eu-gb:a/190c293e9fda4c6684b5acf4b17871b8:99a0117a-ef35-4093-9f5c-a2e488d01103::"
 2024/04/03 11:10:54 Terraform plan |       ~ key_create_import_access = [
 2024/04/03 11:10:54 Terraform plan |           + {
 2024/04/03 11:10:54 Terraform plan |               + create_root_key     = true
 2024/04/03 11:10:54 Terraform plan |               + create_standard_key = true
 2024/04/03 11:10:54 Terraform plan |               + created_by          = null
 2024/04/03 11:10:54 Terraform plan |               + creation_date       = null
 2024/04/03 11:10:54 Terraform plan |               + enabled             = false
 2024/04/03 11:10:54 Terraform plan |               + enforce_token       = false
 2024/04/03 11:10:54 Terraform plan |               + import_root_key     = true
 2024/04/03 11:10:54 Terraform plan |               + import_standard_key = true
 2024/04/03 11:10:54 Terraform plan |               + last_updated        = null
 2024/04/03 11:10:54 Terraform plan |               + updated_by          = null
 2024/04/03 11:10:54 Terraform plan |             },
 2024/04/03 11:10:54 Terraform plan |         ]
 2024/04/03 11:10:54 Terraform plan |       ~ metrics                  = [
 2024/04/03 11:10:54 Terraform plan |           + {
 2024/04/03 11:10:54 Terraform plan |               + created_by    = null
 2024/04/03 11:10:54 Terraform plan |               + creation_date = null
 2024/04/03 11:10:54 Terraform plan |               + enabled       = true
 2024/04/03 11:10:54 Terraform plan |               + last_updated  = null
 2024/04/03 11:10:54 Terraform plan |               + updated_by    = null
 2024/04/03 11:10:54 Terraform plan |             },
 2024/04/03 11:10:54 Terraform plan |         ]
 2024/04/03 11:10:54 Terraform plan |       ~ rotation                 = [
 2024/04/03 11:10:54 Terraform plan |           + {
 2024/04/03 11:10:54 Terraform plan |               + created_by     = null
 2024/04/03 11:10:54 Terraform plan |               + creation_date  = null
 2024/04/03 11:10:54 Terraform plan |               + enabled        = true
 2024/04/03 11:10:54 Terraform plan |               + interval_month = 3
 2024/04/03 11:10:54 Terraform plan |               + last_updated   = null
 2024/04/03 11:10:54 Terraform plan |               + updated_by     = null
 2024/04/03 11:10:54 Terraform plan |             },
 2024/04/03 11:10:54 Terraform plan |         ]
 2024/04/03 11:10:54 Terraform plan |         # (1 unchanged attribute hidden)
 2024/04/03 11:10:54 Terraform plan |     }
 2024/04/03 11:10:54 Command finished successfully.

 2024/04/03 11:10:54 -----  Terraform SHOW  -----

 2024/04/03 11:10:54 Starting command: terraform1.5 show -no-color -json tfplan.binary
 2024/04/03 11:10:54 Starting command: terraform1.5 show -no-color -json tfplan.binary
 2024/04/03 11:10:57 Command finished successfully.
 2024/04/03 11:10:57 -----  Terraform DRIFT  -----

 2024/04/03 11:10:57 Starting command: terraform-drift-cli drift
 2024/04/03 11:10:57 Terraform Drift | configuration drift identfied
 2024/04/03 11:10:57 Terraform Drift | resource                                                                                   operation   attribute                  drift value   
 2024/04/03 11:10:57 Terraform Drift | module.kms.module.key_protect[0].ibm_kms_instance_policies.key_protect_instance_policies   delete      key_create_import_access   <nil>   
 2024/04/03 11:10:57 Terraform Drift | module.kms.module.key_protect[0].ibm_kms_instance_policies.key_protect_instance_policies   delete      metrics                    <nil>   
 2024/04/03 11:10:57 Terraform Drift | module.kms.module.key_protect[0].ibm_kms_instance_policies.key_protect_instance_policies   delete      rotation                   <nil>   
 2024/04/03 11:10:57 Terraform Drift | module.kms.module.key_protect[0].ibm_kms_instance_policies.key_protect_instance_policies   delete      dual_auth_delete           <nil>   
 2024/04/03 11:10:57 Terraform Drift |                                                                                            
 2024/04/03 11:10:57 Command finished successfully.

 2024/04/03 11:10:57 Starting command: terraform1.5 output -no-color -json
 2024/04/03 11:10:57 Starting command: terraform1.5 output -no-color -json
 2024/04/03 11:10:58 Command finished successfully.
 2024/04/03 11:11:04 Done with the workspace action

Affected modules

*

Terraform CLI and Terraform provider versions

Terraform output

Debug output

Expected behavior

Actual behavior

Steps to reproduce (including links and screen captures)

  1. Run terraform apply

Anything else



tyao117 commented 7 months ago

Is the problem related to these defined locals here: https://github.com/terraform-ibm-modules/terraform-ibm-key-protect/pull/534?

ocofaigh commented 7 months ago

cc @MatthewLemmond

MatthewLemmond commented 6 months ago

Tested this locally using the non-modified output from the kms instance policy resource block and it has the same issue, likely due to the same root problem with the outputs from the provider being improperly formatted, thus Terraform always thinks the output does not match its expected value. I don't think we would be able to resolve this drift without https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5163 being resolved first.

I do have a couple more things to test on this to see if we can resolve the drift issue so will continue looking at this.
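A way to triage this kind of drift from the `terraform show -json` output the scan already produces, added here as an example and not part of the issue thread or the module's code. It reports which `ibm_kms_instance_policies` blocks a plan changes and separates blocks that are merely missing from state (the pattern in the log above) from blocks whose settings differ; the function names and the sample plan are constructed for illustration.

```python
# Policy blocks of ibm_kms_instance_policies that appear in the plan on this page.
POLICY_BLOCKS = ("dual_auth_delete", "key_create_import_access", "metrics", "rotation")
# Metadata fields shown as null in the plan output; ignored when comparing.
METADATA = {"created_by", "creation_date", "last_updated", "updated_by"}

def _settings(blocks):
    """Reduce a list of policy blocks to their configured settings only."""
    return [{k: v for k, v in b.items() if k not in METADATA and v is not None}
            for b in (blocks or [])]

def kms_policy_changes(plan):
    """Return (address, block, before, after) for each policy block the plan changes."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "ibm_kms_instance_policies":
            continue
        change = rc.get("change", {})
        if change.get("actions") in (["no-op"], ["read"]):
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        for block in POLICY_BLOCKS:
            b, a = _settings(before.get(block)), _settings(after.get(block))
            if b != a:
                findings.append((rc["address"], block, b, a))
    return findings

def missing_from_state(findings):
    """Findings where state holds no block at all but the configuration sets one."""
    return [f for f in findings if f[2] == [] and f[3] != []]

# Constructed sample in the `terraform show -json` layout, trimmed to three blocks.
ADDRESS = ("module.kms.module.key_protect[0]"
           ".ibm_kms_instance_policies.key_protect_instance_policies")
SAMPLE_PLAN = {"resource_changes": [{
    "address": ADDRESS,
    "type": "ibm_kms_instance_policies",
    "change": {
        "actions": ["update"],
        "before": {"dual_auth_delete": [], "rotation": [],
                   "metrics": [{"enabled": True, "updated_by": "constructed-user"}]},
        "after": {"dual_auth_delete": [{"enabled": False, "updated_by": None}],
                  "rotation": [{"enabled": True, "interval_month": 3}],
                  "metrics": [{"enabled": True, "updated_by": None}]},
    },
}]}

if __name__ == "__main__":
    for address, block, before, after in kms_policy_changes(SAMPLE_PLAN):
        print(f"{address}: {block} {before} -> {after}")
```

A finding that is not in `missing_from_state` means a dual-authorization, rotation or import-access setting would actually change on apply and deserves a manual look before the plan is approved.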

bhakta-ibm commented 6 months ago

@MatthewLemmond - Is this issue fixed? Will made fix for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5163. Can you please validate?

MatthewLemmond commented 6 months ago

@bhakta-ibm Yes, issue with idempotency/drift is resolved. We will create a PR for https://github.com/terraform-ibm-modules/terraform-ibm-key-protect to require 1.65.0 once it is out of beta, and the consuming modules (such as this one) will then be updated to match.

MatthewLemmond commented 5 months ago

PRs merged, closing