[KP] ibm_kms_instance_policies- issue on subsequent plan

[Ak-sky]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

Terraform Version v1.5.7
Terraform IBM Provider Version v1.65.0

Affected Resource(s)

• ibm_kms_instance_policies

Terraform Configuration Files

We have been facing this issue when deploying this solution, on subsequent TF plan, it shows an update in place.

  ~ update in-place

Terraform will perform the following actions:

  # module.kms.module.key_protect[0].ibm_kms_instance_policies.key_protect_instance_policies will be updated in-place
  ~ resource "ibm_kms_instance_policies" "key_protect_instance_policies" {
        id            = "crn:v1:bluemix:public:kms:us-south:a/52a1d940412a4e67b109175bd1fb6513:725341f1-12c7-4575-aa39-2c16f20fafda::"
        # (2 unchanged attributes hidden)

      + dual_auth_delete {
          + enabled = false
        }

      + key_create_import_access {
          + create_root_key     = true
          + create_standard_key = true
          + enabled             = false
          + enforce_token       = false
          + import_root_key     = true
          + import_standard_key = true
        }

      + metrics {
          + enabled = true
        }

      + rotation {
          + enabled        = true
          + interval_month = 3
        }
    }

And on TF apply it fails with the below error

│ Error: Could not update the policies: [ERROR] Error while setting instance policies: kp.Error: correlation_id='84935c42-b102-4982-934b-e4a92ad5466e', msg='Bad Request: Instance policy could not be created: Please see `reasons` for more details (INVALID_FIELD_ERR)', reasons='[INVALID_FIELD_ERR: The field `attributes` must be: provided only if policy is being enabled - FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'
│
│   with module.kms.module.key_protect[0].ibm_kms_instance_policies.key_protect_instance_policies,
│   on .terraform/modules/kms.key_protect/main.tf line 26, in resource "ibm_kms_instance_policies" "key_protect_instance_policies":
│   26: resource "ibm_kms_instance_policies" "key_protect_instance_policies" {
│

This is reproducible in both schematics and in local.

Debug Output

Attached TF Trace Logs - kms-all-inclusive-standard_Trace_TFA_09.05.2024-21.50.04.log

Attached TF Aplly std output kms-all-inclusive-standard_TFA_09.05.2024-21.50.04.log

Panic Output

Expected Behavior

• There should not be any update in place.

Actual Behavior

TF subsequent plan shows update in place.

Steps to Reproduce

1. terraform apply

Important Factoids

References

• #0000

[bhakta-ibm]

@william8siew Can you please take a look? This is a blocker for others.

[stephaniegalang]

Hi there!
I have a fix in the works which involves correcting the failing inputs from the Key Protect Go SDK side. Please hold tight while we get a new Go SDK version out. Once the new version is out, I will open a PR here to update go.mod and provide test results.

[stephaniegalang]

Fix PR has been opened: #5346. With this change, users will be able to disable keyCreateImportAccess instance policies via Terraform.

[william8siew]

Hi @Ak-sky
Can you test the fix using terraform provider version 1.65.1? Thanks

[Ak-sky]

We tested it and is fixed now, thank you @william8siew.