provider issue: For KMS resource #5079

Open
surajsbharadwaj opened this issue Jan 29, 2024 · 7 comments
Labels
service/Resource Management Issues related to Resource Manager or Resource controller Issues

Comments

@surajsbharadwaj

Hello Team,

I am getting this error with the ibm_resource_instance for kms resource:
"MISSING_FIELD_ERR: The field allowed_network is required: Allowed Network parameter must be set",
on reapply again, it passes.

PATCH /v2/resource_instances/crn:v1:bluemix:public:kms:au-syd:a%2F719e669b325b4d888c6f45401fef8bc1:8a634ddb-82de-4a4b-b0e2-66c1209dacca:: HTTP/1.1
Host: resource-controller.cloud.ibm.com
User-Agent: platform-services-go-sdk/0.55.0 (lang=go; arch=amd64; os=darwin; go.version=go1.19.13)
Content-Length: 58
Accept: application/json
Authorization: [redacted]
Content-Type: application/json
X-Original-User-Agent: terraform-provider-ibm/1.61.0
Accept-Encoding: gzip

{"parameters":{"service-endpoints":"public-and-private"}}: timestamp=2024-01-24T14:36:34.850+0100
2024-01-24T14:36:34.850+0100 [INFO]  provider.terraform-provider-ibm_v1.61.0: 2024/01/24 14:36:34 [DEBUG] PATCH https://resource-controller.cloud.ibm.com/v2/resource_instances/crn:v1:bluemix:public:kms:au-syd:a%!F(MISSING)719e669b325b4d888c6f45401fef8bc1:8a634ddb-82de-4a4b-b0e2-66c1209dacca::: timestamp=2024-01-24T14:36:34.850+0100
2024-01-24T14:36:36.192+0100 [INFO]  provider.terraform-provider-ibm_v1.61.0: 2024/01/24 14:36:36 [Debug] Response:
HTTP/2.0 422 Unprocessable Entity

It's trying to update Key Protect with {"parameters":{"service-endpoints":"public-and-private"}} since in version v5.10.0 of landing zone it was added.
@key Protect team why is this patch causing the error:
"MISSING_FIELD_ERR: The field allowed_network is required: Allowed Network parameter must be set"
The API is saying that allowed_network is required, so I bet they are incorrectly calling the API?

# module.fullstack.module.landing_zone.module.landing_zone.module.key_management.ibm_resource_instance.kms[0] will be updated in-place
  ~ resource "ibm_resource_instance" "kms" {
        id                      = "crn:v1:bluemix:public:kms:au-syd:a/719e669b325b4d888c6f45401fef8bc1:8dd0fe10-9be8-46ba-94a2-ca2fe0805b4c::"
        name                    = "slz-kms"
      + service_endpoints       = "public-and-private"
        tags                    = []
        # (32 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.fullstack.module.landing_zone.module.landing_zone.module.key_management.ibm_resource_instance.kms[0]: Modifying... [id=crn:v1:bluemix:public:kms:au-syd:a/719e669b325b4d888c6f45401fef8bc1:8dd0fe10-9be8-46ba-94a2-ca2fe0805b4c::]
╷
│ Error: [ERROR] Error updating resource instance: Please contact the Service Provider for this error. Service Broker returned error status code 422 with resp code: {
│     "StatusCode": 422,
│     "Headers": {
│         "Cache-Control": [
│             "max-age=0, no-cache, no-store"
│         ],
│         "Content-Length": [
│             "325"
│         ],
│         "Content-Type": [
│             "application/json; charset=utf-8"
│         ],
│         "Date": [
│             "Wed, 24 Jan 2024 10:23:11 GMT"
│         ],
│         "Expires": [
│             "Wed, 24 Jan 2024 10:23:11 GMT"
│         ],
│         "Pragma": [
│             "no-cache"
│         ],
│         "Request-Id": [
│             "5cbd2598-3445-406f-aebd-a582360ec375"
│         ],
│         "Retry-After": [
│             "0"
│         ],
│         "Server": [
│             "istio-envoy"
│         ],
│         "Strict-Transport-Security": [
│             "max-age=31536000;includeSubDomains"
│         ],
│         "Transaction-Id": [
│             "bss-605c0d2c88b3654e"
│         ],
│         "X-Content-Type-Options": [
│             "nosniff"
│         ],
│         "X-Envoy-Upstream-Service-Time": [
│             "1230"
│         ],
│         "X-Global-Transaction-Id": [
│             "bss-605c0d2c88b3654e"
│         ],
│         "X-Op-Completion-Time": [
│             ""
│         ],
│         "X-Ratelimit-Limit": [
│             "100"
│         ],
│         "X-Ratelimit-Remaining": [
│             "99"
│         ],
│         "X-Ratelimit-Reset": [
│             "0"
│         ],
│         "X-Request-Id": [
│             "5cbd2598-3445-406f-aebd-a582360ec375"
│         ],
│         "X-Transaction-Id": [
│             "bss-605c0d2c88b3654e"
│         ]
│     },
│     "Result": {
│         "details": "MISSING_FIELD_ERR: The field `allowed_network` is required: Allowed Network parameter must be set",
│         "error_code": "RC-ServiceBrokerErrorResponse",
│         "message": "Please contact the Service Provider for this error. Service Broker returned error status code 422",
│         "status_code": 422,
│         "transaction_id": "bss-605c0d2c88b3654e"
│     },
│     "RawResult": null
│ }
│ 
│ 
│   with module.fullstack.module.landing_zone.module.landing_zone.module.key_management.ibm_resource_instance.kms[0],
│   on .terraform/modules/fullstack.landing_zone/kms/main.tf line 20, in resource "ibm_resource_instance" "kms":
│   20: resource "ibm_resource_instance" "kms" {

@github-actions github-actions bot added the service/Resource Management Issues related to Resource Manager or Resource controller Issues label Jan 29, 2024
@surajsbharadwaj
Author

Logs.zip
Trace Logs

@ocofaigh
Contributor

@BrunoHenriques @william8siew Is it something you can help with?

@william8siew
Contributor

william8siew commented Jan 30, 2024

I believe it is as you said, Resource Controller is incorrectly calling our policies API.
The error

Allowed Network parameter must be set

is from the KMS team's API.

This terraform resource code

resource "ibm_resource_instance" "kms" {

is managed by a different team from the KMS team
https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance
You will need to reach out to the Resource Controller team.

@ocofaigh
Contributor

ocofaigh commented Jan 31, 2024

As per internal debug:

This difference is because different services have their own implementation of service_endpoints. Some services require us to send it as part of parameters with key params[service_endpoints]; some other services require us to send it as params[allowed_network] (mainly hpcs and keyprotect I think). Since resource_instance is a generic resource, it didn't support the corner case of KMS and HPCS.

Can we update service_endpoints as part of parameters instead of service_endpoints, something like:

 parameters = {
   allowed_network: "public-and-private",
 }

I'm trying this out now, however if this is the solution, I think a new Key Protect provision example needs to be added into the docs that shows passing service endpoint as a parameter. Similar to this example.
Also, if logic was added to provider code to fail if someone tries to pass the endpoint value directly in ibm_resource_instance when provisioning Key Protect - that would also be nice too, otherwise consumers don't know they have a misconfiguration at all.

@ocofaigh
Contributor

@hkantare FYI, using parameters block worked fine - do you want to keep this issue open to track doc update and logic to catch the misconfiguration?
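
Added example (not part of the thread or of the provider's code): a pre-apply check over `terraform show -json` plan output that flags the misconfiguration discussed above, a Key Protect or HPCS `ibm_resource_instance` that sets `service_endpoints` directly instead of `parameters.allowed_network`. The `service` attribute values, the `hs-crypto` service name, and all resource addresses in the sample are assumptions.

```python
import json
import sys

# Assumption: services whose broker expects parameters.allowed_network.
# "kms" is the service in the thread's CRN; "hs-crypto" (HPCS) is assumed.
ALLOWED_NETWORK_SERVICES = {"kms", "hs-crypto"}


def find_misplaced_endpoints(plan):
    """Return (address, value) for every planned KMS/HPCS ibm_resource_instance
    that sets the top-level service_endpoints argument."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "ibm_resource_instance":
            continue
        # "after" is null for resources being destroyed.
        after = (rc.get("change") or {}).get("after") or {}
        if after.get("service") not in ALLOWED_NETWORK_SERVICES:
            continue
        value = after.get("service_endpoints")
        if value:
            findings.append((rc["address"], value))
    return findings


def _rc(address, after):
    # Helper that builds one constructed resource_changes entry.
    return {"address": address, "type": "ibm_resource_instance",
            "change": {"after": after}}


# Constructed sample in the shape of `terraform show -json <planfile>`.
SAMPLE_PLAN = {"resource_changes": [
    _rc("ibm_resource_instance.kms_direct",
        {"service": "kms", "service_endpoints": "public-and-private",
         "parameters": None}),
    _rc("ibm_resource_instance.kms_params",
        {"service": "kms", "service_endpoints": None,
         "parameters": {"allowed_network": "public-and-private"}}),
    _rc("ibm_resource_instance.cos",
        {"service": "cloud-object-storage", "service_endpoints": "private"}),
    _rc("ibm_resource_instance.kms_destroyed", None),
]}

if __name__ == "__main__":
    # Pass a plan JSON file as the first argument, or run on the sample.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    hits = find_misplaced_endpoints(plan)
    for address, value in hits:
        print(f"{address}: set parameters.allowed_network={value!r} instead "
              "of service_endpoints")
    sys.exit(1 if hits else 0)
```

Run as a CI step before `terraform apply`, the non-zero exit surfaces the problem at plan time rather than as a 422 from the service broker.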

@william8siew
Contributor

william8siew commented Feb 26, 2024

Issue seems to have been resolved by core terraform team
@surajsbharadwaj can you resolve this?
