Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform CLI and Terraform IBM Provider Version
Using IBM Cloud Schematics workspaces with:
Terraform v0.13.6
ibm-cloud/ibm v1.23.0
Affected Resource(s)
ibm_kms_key
Terraform Configuration Files
I am provisioning a ROKS cluster with a custom KMS key and the private endpoint option.
Note that the key is "public". Any further changes to any other configurations lead to a plan that attempts to destroy / recreate the KMS key. Example from a plan, where I only reduce the number of workers:
2021/04/08 10:18:41 Terraform plan | # module.roks.ibm_container_vpc_cluster.cluster will be updated in-place
2021/04/08 10:18:41 Terraform plan | ~ resource "ibm_container_vpc_cluster" "cluster" {
...
~ worker_count = 2 -> 1
...
2021/04/08 10:18:41 Terraform plan | # module.roks.ibm_kms_key.kms_rootkey must be replaced
2021/04/08 10:18:41 Terraform plan | -/+ resource "ibm_kms_key" "kms_rootkey" {
2021/04/08 10:18:41 Terraform plan | ~ crn = "crn:v1:bluemix:public:kms:<my_crn>" -> (known after apply)
2021/04/08 10:18:41 Terraform plan | ~ endpoint_type = "public" -> "private" # forces replacement
...
Important Factoids
The KMS instance itself has been provisioned with the default policy "public-and-private".
References
#0000
Currently this endpoint_type is used only for the HPCS service because the endpoint for HPCS is dynamic ....
For KMS to use the private endpoint, you can currently export it via an environment variable:
export IBMCLOUD_KP_API_ENDPOINT=https://private..kms.cloud.ibm.com
If you want to ignore the change in the diff for endpoint type, you can consider lifecycle
@cnocula-i I had a similar problem, when terraform wasn't able to access my KMS instance with private-only endpoint. IBM Support suggested to change the visibility parameter on terraform provider level (https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs#visibility). After changing it to private or public-and-private terraform could easily access the KMS keys in my private-only endpoint instance.
But be aware that the private endpoints are only reachable from inside the IBM Cloud. As long as you try to run terraform outside the IBM Cloud and you don't have any running VPN connection, you need to use the public endpoints.
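A guard for the symptom reported in this issue, as an added example that is not part of the thread or of the provider: it scans a plan log in the format quoted above and reports any `ibm_kms_key` the plan would destroy or replace, together with the attributes marked `# forces replacement`. It assumes the human-readable plan text without colour codes (not a stable interface); the function names and `PROTECTED_TYPES` are hypothetical.

```python
import re

# Lines copied from the plan log quoted in the issue (Schematics log format).
SAMPLE_LOG = """\
2021/04/08 10:18:41 Terraform plan | # module.roks.ibm_container_vpc_cluster.cluster will be updated in-place
2021/04/08 10:18:41 Terraform plan | ~ resource "ibm_container_vpc_cluster" "cluster" {
~ worker_count = 2 -> 1
2021/04/08 10:18:41 Terraform plan | # module.roks.ibm_kms_key.kms_rootkey must be replaced
2021/04/08 10:18:41 Terraform plan | -/+ resource "ibm_kms_key" "kms_rootkey" {
2021/04/08 10:18:41 Terraform plan | ~ crn = "crn:v1:bluemix:public:kms:<my_crn>" -> (known after apply)
2021/04/08 10:18:41 Terraform plan | ~ endpoint_type = "public" -> "private" # forces replacement
"""

PREFIX = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d Terraform plan \| ?")
HEADER = re.compile(r"^# (\S+) (.+)$")  # "# <address> <planned action>"
FORCES = re.compile(r"^[~+-] (\w+)\s*=.*# forces replacement$")
PROTECTED_TYPES = ("ibm_kms_key",)  # assumption: types that must never be replaced


def resource_type(address):
    """'module.roks.ibm_kms_key.kms_rootkey[0]' -> 'ibm_kms_key'"""
    parts = re.sub(r"\[.*\]$", "", address).split(".")
    return parts[-2] if len(parts) >= 2 else ""


def find_replacements(log_text, protected=PROTECTED_TYPES):
    """Map each protected resource the plan would destroy to the attributes forcing it."""
    findings, current = {}, None
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw).strip()  # the log prefix is optional
        header = HEADER.match(line)
        if header:
            address, action = header.groups()
            destructive = action.endswith("must be replaced") or action.startswith("will be destroyed")
            current = address if destructive and resource_type(address) in protected else None
            if current:
                findings[current] = {"action": action, "forced_by": []}
            continue
        forced = FORCES.match(line)
        if forced and current:  # attribute line inside a protected resource block
            findings[current]["forced_by"].append(forced.group(1))
    return findings


if __name__ == "__main__":
    # A pipeline gate would fail the run when this prints anything.
    for address, info in find_replacements(SAMPLE_LOG).items():
        print(f"BLOCK: {address} {info['action']}; forced by {info['forced_by']}")
```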
Expected Behavior
KMS keys are created with
endpoint_type = "private"
Actual Behavior
KMS keys are created with
endpoint_type = "public"
Steps to Reproduce
terraform apply a configuration using a KMS key with endpoint type private