Ability to pass root key crn or support account_id in kms_config of ibm_container_vpc_cluster #4745

Open
Aashiq-J opened this issue Aug 9, 2023 · 7 comments
Labels
enhancement service/Kubernetes Service Issues related to Kubernetes Service Issues

Comments

Aashiq-J (Contributor) commented Aug 9, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

[screenshot]

This is a feature request for something that is already available when deploying through the UI.

https://registry.terraform.io/providers/IBM-Cloud/ibm/1.55.0/docs/resources/container_vpc_cluster#kms_config

According to the above Terraform documentation, the only possible way to enable cluster encryption is by passing the instance_id and the key crk_id, which means the KMS has to be in the same account as the cluster. But from the UI we have two options: either pass the instance and key details, or pass the key CRN.

We have a use case of using a common KMS in another account for all encryption.

Boot volume encryption supports passing a KMS from another account using the kms_account_id variable.
https://registry.terraform.io/providers/IBM-Cloud/ibm/1.56.0/docs/resources/container_vpc_cluster#kms_account_id
We require similar functionality for kms_config, which is used for cluster encryption.

New or Affected Resource(s)

  • ibm_container_vpc_cluster

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

References

  • #0000
Aashiq-J reopened this Aug 18, 2023

ocofaigh commented
NOTE:

The provider does support passing an account ID for the encryption of the worker nodes' boot volumes:
[screenshot]

HOWEVER, the IBM provider does not support passing an account ID in the cluster encryption block. It only supports:

  kms_config {
      instance_id = "12043812-757f-4e1e-8436-6af3245e6a69"
      crk_id = "0792853c-b9f9-4b35-9d9e-ffceab51d3c1"
      private_endpoint = false
  }

From the UI, all that is required is to pass the Key CRN, which can be from any account, so I'm guessing it's parsing the account ID from that. The provider needs to support this too.

@Aashiq-J Aashiq-J changed the title Ability to pass root key crn to the ibm_container_vpc_cluster for kms_config and boot volume encryption Ability to pass root key crn or support account_id in kms_config of ibm_container_vpc_cluster Aug 18, 2023

ocofaigh commented Aug 18, 2023

Looking at the api (https://cloud.ibm.com/apidocs/kubernetes/containers-v1-v2#createkmsconfig), it supports optionally passing accountID. So I think the change to the provider code should be straightforward. In resource_ibm_container_cluster.go update the ResourceIBMContainerCluster function to support optionally passing an account_id value in the kms_config map and then pass the value as part of the call to kmsAPI.EnableKms

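The two comments above make one concrete point: a root key CRN already carries the account ID, the instance ID and the key ID, so a provider that accepts a CRN can derive everything the kms_config block and the createkmsconfig API's optional accountID need. The Go program below is an added example written for this issue, not code from the IBM provider or its maintainers. It parses a CRN of the shape crn:v1:bluemix:public:kms:<region>:a/<account_id>:<instance_id>:key:<key_id>, rejects CRNs that are not keys in a KMS instance, and builds the kms_config map, setting account_id only when the key lives in a different account than the cluster (a design choice of this example; the API treats accountID as optional). The hs-crypto service name for Hyper Protect Crypto Services and the sample account IDs are assumptions; the instance and key IDs are the ones from the kms_config snippet earlier in this thread.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// KmsKeyRef holds the pieces of a root key CRN that the kms_config block
// (instance_id, crk_id) and the createkmsconfig API's accountID field need.
type KmsKeyRef struct {
	Service    string // "kms" for Key Protect; "hs-crypto" assumed for Hyper Protect Crypto Services
	Region     string
	AccountID  string
	InstanceID string
	KeyID      string
}

// ParseRootKeyCRN splits a root key CRN of the form
//   crn:v1:bluemix:public:kms:<region>:a/<account_id>:<instance_id>:key:<key_id>
// and rejects anything that is not a key inside a KMS service instance.
func ParseRootKeyCRN(crn string) (KmsKeyRef, error) {
	parts := strings.Split(strings.TrimSpace(crn), ":")
	if len(parts) != 10 {
		return KmsKeyRef{}, fmt.Errorf("expected 10 colon-separated segments, got %d", len(parts))
	}
	if parts[0] != "crn" || parts[1] != "v1" {
		return KmsKeyRef{}, errors.New("not a v1 CRN")
	}
	service := parts[4]
	if service != "kms" && service != "hs-crypto" {
		return KmsKeyRef{}, fmt.Errorf("service %q is not a key management service", service)
	}
	scope := parts[6] // the account scope is encoded as a/<account_id>
	if !strings.HasPrefix(scope, "a/") || len(scope) == len("a/") {
		return KmsKeyRef{}, errors.New("scope segment must be a/<account_id>")
	}
	if parts[8] != "key" {
		return KmsKeyRef{}, fmt.Errorf("resource type %q is not \"key\"", parts[8])
	}
	if parts[7] == "" || parts[9] == "" {
		return KmsKeyRef{}, errors.New("instance ID and key ID must not be empty")
	}
	return KmsKeyRef{
		Service:    service,
		Region:     parts[5],
		AccountID:  strings.TrimPrefix(scope, "a/"),
		InstanceID: parts[7],
		KeyID:      parts[9],
	}, nil
}

// KmsConfigFromCRN derives the kms_config values from a key CRN. account_id is
// only set when the key lives in a different account than the cluster, which is
// the cross-account case this issue asks for.
func KmsConfigFromCRN(crn, clusterAccountID string) (map[string]string, error) {
	ref, err := ParseRootKeyCRN(crn)
	if err != nil {
		return nil, err
	}
	cfg := map[string]string{
		"instance_id": ref.InstanceID,
		"crk_id":      ref.KeyID,
	}
	if ref.AccountID != clusterAccountID {
		cfg["account_id"] = ref.AccountID
	}
	return cfg, nil
}

func main() {
	// Constructed sample: the instance and key IDs are the ones from the
	// kms_config snippet in this issue; both account IDs are made up.
	const keyCRN = "crn:v1:bluemix:public:kms:us-south:a/0123456789abcdef0123456789abcdef:12043812-757f-4e1e-8436-6af3245e6a69:key:0792853c-b9f9-4b35-9d9e-ffceab51d3c1"
	const clusterAccount = "fedcba9876543210fedcba9876543210"

	cfg, err := KmsConfigFromCRN(keyCRN, clusterAccount)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, k := range []string{"instance_id", "crk_id", "account_id"} {
		fmt.Printf("%s = %s\n", k, cfg[k])
	}
}
```

Validating the service segment and the "key" resource type before using the IDs matters here: the same CRN shape is used for every IBM Cloud resource, so a CRN for some other service would otherwise be split into plausible-looking instance_id and crk_id values and only fail later, inside the cluster API call.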
ocofaigh commented
@hasan4791 Is this something you or your team could help with?

ocofaigh commented
Looks like the feature is in https://github.com/IBM-Cloud/terraform-provider-ibm/releases/tag/v1.60.0-beta1

z0za (Contributor) commented Dec 4, 2023

@Aashiq-J the feature was released as part of https://github.com/IBM-Cloud/terraform-provider-ibm/releases/tag/v1.60.0

ocofaigh commented Dec 5, 2023

Thanks, we are rolling it out to our module terraform-ibm-modules/terraform-ibm-base-ocp-vpc#301
