
KMS keys created with endpoint_type = "public" regardless of the actual setting #2482

Closed
cnocula-i opened this issue Apr 8, 2021 · 2 comments · Fixed by #2611
Labels
service/Key Management Services Issues related to Key Management Release

Comments

@cnocula-i

cnocula-i commented Apr 8, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

Using IBM Cloud Schematics workspaces with:

  • Terraform v0.13.6
  • ibm-cloud/ibm v1.23.0

Affected Resource(s)

  • ibm_kms_key

Terraform Configuration Files

I am provisioning a ROKS cluster with a custom KMS key and the private endpoint option.

resource "ibm_kms_key" "kms_rootkey" {
  instance_id    = var.kp_guid
  key_name       = "${var.basename}-${var.instance}-root-key"
  standard_key   = false
  force_delete   = true
  endpoint_type  = "private"
}

resource "ibm_container_vpc_cluster" "cluster" {
  name              = "${var.basename}-${var.instance}"
  vpc_id            = ibm_is_vpc.vpc1.id
  kube_version      = var.kube_version
  flavor            = var.default_worker_flavor
  worker_count      = var.default_worker_count
  worker_labels     = var.default_worker_labels
  resource_group_id = data.ibm_resource_group.group.id
  entitlement       = var.entitlement
  cos_instance_crn  = data.ibm_resource_instance.cos_instance.id

  zones {
    subnet_id = ibm_is_subnet.subnet1.id
    name      = var.zone_primary
  }

  kms_config {
    instance_id      = var.kp_guid
    crk_id           = ibm_kms_key.kms_rootkey.key_id
    private_endpoint = true
  }
}

Debug Output

Panic Output

Expected Behavior

KMS keys are created with endpoint_type = "private"

Actual Behavior

KMS keys are created with endpoint_type = "public"

Steps to Reproduce

  1. terraform apply a configuration using a KMS key with endpoint type private
  2. Verify that the key is created, e.g. by fetching its data:
  + key    = {
      + alias         = null
      + endpoint_type = "public"
      + id            = "myid"
      + instance_id   = "myid"
      + key_name      = "mybasename-myinstance-root-key"

Note that the key is "public". Any further change to any other configuration leads to a plan which attempts to destroy / recreate the KMS key. Example from a plan where I only reduce the number of workers:

 2021/04/08 10:18:41 Terraform plan |   # module.roks.ibm_container_vpc_cluster.cluster will be updated in-place
 2021/04/08 10:18:41 Terraform plan |   ~ resource "ibm_container_vpc_cluster" "cluster" {
...
~ worker_count                    = 2 -> 1
...

 2021/04/08 10:18:41 Terraform plan |   # module.roks.ibm_kms_key.kms_rootkey must be replaced
 2021/04/08 10:18:41 Terraform plan | -/+ resource "ibm_kms_key" "kms_rootkey" {
 2021/04/08 10:18:41 Terraform plan |       ~ crn                     = "crn:v1:bluemix:public:kms:<my_crn>" -> (known after apply)
 2021/04/08 10:18:41 Terraform plan |       ~ endpoint_type           = "public" -> "private" # forces replacement
...

Important Factoids

The KMS instance itself has been provisioned with the default policy "public-and-private".

References

  • #0000
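To make the verification in step 2 repeatable, here is an added example (not part of this issue or of the provider's code) that reads `terraform show -json` output and flags every ibm_kms_key whose recorded endpoint_type differs from the one expected, plus every ibm_container_vpc_cluster whose kms_config asks for the private endpoint while the root key it references was recorded with a different endpoint type. The embedded state document is constructed for the example; the key id and instance GUID in it are placeholders, and the layout follows the documented `values.root_module` / `child_modules` structure of Terraform's JSON state output.

```python
"""Drift check: KMS key endpoint_type in `terraform show -json` output."""
import json
import sys
from typing import Any, Dict, Iterator, List

# Constructed sample of `terraform show -json` output (not captured from the
# issue's workspace). The ROKS module holds a root key that came back "public"
# although the configuration asked for "private", and the cluster's kms_config
# references that key with private_endpoint = true. Ids are placeholders.
SAMPLE_STATE_JSON = """
{
  "format_version": "0.1",
  "terraform_version": "0.13.6",
  "values": {
    "root_module": {
      "resources": [],
      "child_modules": [
        {
          "address": "module.roks",
          "resources": [
            {
              "address": "module.roks.ibm_kms_key.kms_rootkey",
              "mode": "managed",
              "type": "ibm_kms_key",
              "name": "kms_rootkey",
              "values": {
                "key_id": "placeholder-key-id-1",
                "key_name": "mybasename-myinstance-root-key",
                "endpoint_type": "public",
                "standard_key": false
              }
            },
            {
              "address": "module.roks.ibm_container_vpc_cluster.cluster",
              "mode": "managed",
              "type": "ibm_container_vpc_cluster",
              "name": "cluster",
              "values": {
                "name": "mybasename-myinstance",
                "kms_config": [
                  {"instance_id": "placeholder-kp-guid",
                   "crk_id": "placeholder-key-id-1",
                   "private_endpoint": true}
                ]
              }
            }
          ]
        }
      ]
    }
  }
}
"""


def iter_resources(module: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield every managed resource of a module and, recursively, of its child modules."""
    for res in module.get("resources", []):
        if res.get("mode", "managed") == "managed":
            yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_endpoint_drift(state: Dict[str, Any], expected: str = "private") -> List[Dict[str, str]]:
    """Return one finding per KMS key whose recorded endpoint_type is not `expected`,
    and one per cluster whose kms_config sets private_endpoint = true while the
    referenced root key is recorded with something other than "private"."""
    resources = list(iter_resources(state["values"]["root_module"]))
    keys_by_id = {r["values"].get("key_id"): r for r in resources if r["type"] == "ibm_kms_key"}
    findings: List[Dict[str, str]] = []
    for key in keys_by_id.values():
        actual = key["values"].get("endpoint_type")
        if actual != expected:
            findings.append({"address": key["address"],
                             "reason": f"endpoint_type is {actual!r}, expected {expected!r}"})
    for res in resources:
        if res["type"] != "ibm_container_vpc_cluster":
            continue
        for cfg in res["values"].get("kms_config") or []:
            key = keys_by_id.get(cfg.get("crk_id"))
            if cfg.get("private_endpoint") and key and key["values"].get("endpoint_type") != "private":
                findings.append({"address": res["address"],
                                 "reason": f"kms_config.private_endpoint is true but {key['address']} "
                                           f"is {key['values'].get('endpoint_type')!r}"})
    return findings


def check_state_json(text: str, expected: str = "private") -> List[Dict[str, str]]:
    """Parse a `terraform show -json` document and run the drift check on it."""
    return find_endpoint_drift(json.loads(text), expected)


if __name__ == "__main__":
    # Pass a file produced by `terraform show -json > state.json`, or run without
    # arguments to check the constructed sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATE_JSON
    for finding in check_state_json(text):
        print(f"{finding['address']}: {finding['reason']}")
```

Run it against a real workspace with `terraform show -json > state.json` followed by `python3 kms_endpoint_check.py state.json`. A non-empty result means the next plan will try to replace the key (`endpoint_type` forces replacement, as the plan output above shows); since this key is the cluster's root key and is created with force_delete = true, that is worth catching before the plan is applied.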
@hkantare
Collaborator

hkantare commented Apr 8, 2021

Currently this endpoint_type is used only for the HPCS service, because the endpoint for HPCS is dynamic.

For KMS to use the private endpoint you can currently export it via an environment variable:
export IBMCLOUD_KP_API_ENDPOINT=https://private..kms.cloud.ibm.com

If you want to ignore the change in the diff for the endpoint type you can consider lifecycle

 lifecycle {
   # attribute reference, not a quoted string: the string form is deprecated in Terraform 0.12+
   ignore_changes = [endpoint_type]
 }

@kavya498 kavya498 added the service/Key Management Services Issues related to Key Management Release label Apr 15, 2021
@skymichel

@cnocula-i I had a similar problem when Terraform wasn't able to access my KMS instance with a private-only endpoint. IBM Support suggested changing the visibility parameter at the Terraform provider level (https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs#visibility). After changing it to private or public-and-private, Terraform could easily access the KMS keys in my private-only endpoint instance.
But be aware that the private endpoints are only reachable from inside the IBM Cloud. As long as you run Terraform outside the IBM Cloud and you don't have a running VPN connection, you need to use the public endpoints.

@kavya498 kavya498 linked a pull request May 12, 2021 that will close this issue