ibm_database key_protect_instance and key_protect_key defaults forces resource to be replaced #5863

Closed
lra opened this issue Dec 10, 2024 · 2 comments
Labels
service/Cloud Databases Issues related to Cloud Databases

Comments

@lra

lra commented Dec 10, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

Terraform v1.10.1
on darwin_arm64
+ provider registry.terraform.io/ibm-cloud/ibm v1.72.1

Affected Resource(s)

  • ibm_database

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

Notice the missing key_protect_instance and key_protect_key, which are supposed to be optional, and default to null:

resource "ibm_database" "this" {
  name              = ibm_resource_group.this.name
  service           = "databases-for-mongodb"
  plan              = "standard"
  location          = var.primary_region
  resource_group_id = ibm_resource_group.this.id
  service_endpoints = "public"
  version           = "6.0"
  adminpassword     = random_password.this.result
  tags              = local.tags

  group {
    group_id = "member"

    cpu {
      allocation_count = 3
    }

    memory {
      allocation_mb = var.mongodb_memory_in_mb
    }
  }

  auto_scaling {

    disk {
      capacity_enabled             = true
      free_space_less_than_percent = 15
      io_above_percent             = 85
      io_enabled                   = true
      io_over_period               = "15m"
      rate_increase_percent        = 15
      rate_limit_mb_per_member     = 3670016
      rate_period_seconds          = 900
      rate_units                   = "mb"
    }
    memory {
      io_above_percent         = 90
      io_enabled               = true
      io_over_period           = "15m"
      rate_increase_percent    = 10
      rate_limit_mb_per_member = 114688
      rate_period_seconds      = 900
      rate_units               = "mb"
    }
  }
}

Debug Output

Panic Output

Expected Behavior

terraform plan
No changes. Your infrastructure matches the configuration.

Actual Behavior

The default of the key_protect_instance and key_protect_key arguments of the ibm_database resource seems to have been changed from null to the "none" string, leading to Terraform wanting to recreate all ibm_database where it was not specified.

Terraform plan using 1.72.1 on an ibm_database resource created with 1.71 or below without key_protect arguments specified tries to replace the resource:

Terraform will perform the following actions:

  # module.gndev03.ibm_database.this must be replaced
-/+ resource "ibm_database" "this" {
      ~ adminuser               = "admin" -> (known after apply)
      + configuration_schema    = (known after apply)
      + deletion_protection     = false
      ~ groups                  = [
          - {
              - count       = 3
              - cpu         = [
                  - {
                      - allocation_count = 9
                      - can_scale_down   = true
                      - is_adjustable    = true
                      - minimum_count    = 9
                      - step_size_count  = 3
                      - units            = "count"
                    },
                ]
              - disk        = [
                  - {
                      - allocation_mb  = 76800
                      - can_scale_down = false
                      - is_adjustable  = true
                      - minimum_mb     = 76800
                      - step_size_mb   = 3072
                      - units          = "mb"
                    },
                ]
              - group_id    = "member"
              - host_flavor = []
              - memory      = [
                  - {
                      - allocation_mb                    = 6144
                      - can_scale_down                   = true
                      - cpu_enforcement_ratio_ceiling_mb = 0
                      - cpu_enforcement_ratio_mb         = 0
                      - is_adjustable                    = true
                      - minimum_mb                       = 3072
                      - step_size_mb                     = 384
                      - units                            = "mb"
                    },
                ]
            },
        ] -> (known after apply)
      ~ guid                    = "REDACTED" -> (known after apply)
      ~ id                      = "crn:v1:bluemix:public:databases-for-mongodb:us-south:a/REDACTED:REDACTED::" -> (known after apply)
      - key_protect_instance    = "none" -> null # forces replacement
      - key_protect_key         = "none" -> null # forces replacement
        name                    = "REDACTED"
      ~ resource_controller_url = "https://cloud.ibm.com/services/crn%3Av1%3Abluemix%3Apublic%3Adatabases-for-mongodb%3Aus-south%3Aa%REDACTED" -> (known after apply)
      ~ resource_crn            = "crn:v1:bluemix:public:databases-for-mongodb:us-south:a/REDACTED:REDACTED::" -> (known after apply)
      ~ resource_group_name     = "crn:v1:bluemix:public:resource-controller::a/REDACTED::resource-group:REDACTED9" -> (known after apply)
      ~ resource_name           = "REDACTED" -> (known after apply)
      ~ resource_status         = "active" -> (known after apply)
      ~ status                  = "active" -> (known after apply)
        tags                    = [
            "REDACTED",
        ]
        # (7 unchanged attributes hidden)

      ~ auto_scaling {
          ~ cpu (known after apply)
          - cpu {
              - rate_increase_percent       = 10 -> null
              - rate_limit_count_per_member = 30 -> null
              - rate_period_seconds         = 900 -> null
              - rate_units                  = "count" -> null
            }

            # (2 unchanged blocks hidden)
        }

        # (1 unchanged block hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Steps to Reproduce

  1. Create an ibm_database with 1.71
  2. Upgrade the provider to 1.72
  3. terraform plan

Important Factoids

Explicitly setting those properties on ibm_database resources fixed the issue, but do we really want the provider to expect a "none" string for those 2 properties? It's not even specified in the documentation, so I think it's an oversight.

resource "ibm_database" "this" {
    [...]
    key_protect_instance    = "none"
    key_protect_key         = "none"
    [...]
}

See https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database#key_protect_key-1

The issue happened to ibm_database with service = "databases-for-mongodb" and service = "databases-for-postgresql"

References

@lornakelly
Contributor

A fix has been released; please upgrade to version 1.73.0. Thank you for bringing this to our attention.

@lra
Author

lra commented Dec 17, 2024

Fixed, thanks!

@lra lra closed this as completed Dec 17, 2024
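
A pre-apply guard for the situation reported in this issue, added here as an example and not part of the thread or the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and reports every ibm_database that would be destroyed and recreated because of key_protect_instance or key_protect_key. The function name, the sample plan and its resource addresses are constructed for illustration.

```python
import json
import sys

# Attributes from this issue whose changed default forced replacement.
WATCHED = ("key_protect_instance", "key_protect_key")

def forced_replacements(plan, resource_type="ibm_database", watched=WATCHED):
    """Map resource address -> {attr: (before, after)} for every resource of
    resource_type that the plan replaces because of a watched attribute."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        actions = change.get("actions") or []
        if rc.get("type") != resource_type or not {"delete", "create"} <= set(actions):
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        # replace_paths holds the attribute paths that make the action a replace.
        forcing = {path[0] for path in change.get("replace_paths") or [] if path}
        hits = {a: (before.get(a), after.get(a)) for a in watched if a in forcing}
        if hits:
            findings[rc["address"]] = hits
    return findings

# Constructed sample, trimmed to the fields read above; addresses are made up.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "module.example.ibm_database.this", "type": "ibm_database",
         "change": {"actions": ["delete", "create"],
                    "before": {"key_protect_instance": "none", "key_protect_key": "none"},
                    "after": {"key_protect_instance": None, "key_protect_key": None},
                    "replace_paths": [["key_protect_instance"], ["key_protect_key"]]}},
        {"address": "ibm_database.resized", "type": "ibm_database",
         "change": {"actions": ["update"], "before": {}, "after": {}}},
        {"address": "random_password.this", "type": "random_password",
         "change": {"actions": ["delete", "create"], "before": {}, "after": {},
                    "replace_paths": [["length"]]}},
    ]
}

if __name__ == "__main__":
    # With a file argument, read saved `terraform show -json` output; else use the sample.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    found = forced_replacements(plan)
    for address, attrs in found.items():
        for attr, (old, new) in attrs.items():
            print(f"{address}: {attr} {old!r} -> {new!r} forces replacement")
    sys.exit(1 if found else 0)
```

The non-zero exit status lets a pipeline stop before `terraform apply` when a provider upgrade would recreate a database.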