Creation of ECS with encrypted system disk fails with EVS.2044 and Ecs.0025 #1640

Closed
pwurbs opened this issue Mar 3, 2022 · 6 comments · Fixed by #1695
pwurbs commented Mar 3, 2022

Terraform provider version

v1.27.6

Affected Resource(s)

  • opentelekomcloud_kms_key_v1
  • opentelekomcloud_ecs_instance_v1

Terraform Configuration Files

resource opentelekomcloud_ecs_instance_v1 ecs {
  name                = var.host_name
  flavor              = var.flavor_name
  availability_zone   = var.az
  security_groups     = [ data.opentelekomcloud_networking_secgroup_v2.default.id , var.elb_sg_id ]
  user_data           = data.cloudinit_config.cloudinit.rendered
  vpc_id              = var.vpc_id
  image_id            = var.image_id
  auto_recovery       = true
  tags                = var.tags

  nics {
    network_id = var.vpc_subnetwork_id
    ip_address = var.private_ip
  }

  system_disk_type    = var.disk_type
  system_disk_size    = var.os_disk_size
  system_disk_kms_id  = var.key_disk_encryption # KMS key used to encrypt the system disk
  delete_disks_on_termination = true # otherwise we would have orphaned volumes
}

Debug Output/Panic Output

Error: error creating OpenTelekomCloud server: Bad request with: [POST https://ecs.eu-de.otc.t-systems.com/v1/254d218d0e5447edb65601ec879eadf2/cloudservers], error message: {"error":{"message":"Failed to check the role of kms.{\"error\":{\"code\":\"EVS.2044\",\"message\":\"Failed to check the role of kms.\"}}","code":"Ecs.0025"}}
09:38:49  │ 
09:38:49  │   with module.hosts["1"].opentelekomcloud_ecs_instance_v1.ecs,
09:38:49  │   on ../../../modules/otc/hosts/main.tf line 110, in resource "opentelekomcloud_ecs_instance_v1" "ecs":
09:38:49  │  110: resource opentelekomcloud_ecs_instance_v1 ecs {

Steps to Reproduce

  1. Have a fresh OTC project without any resources
  2. Apply the KMS resource, take the KMS id
  3. Apply the ECS resource with the KMS id

Expected Behavior

The ECS resource is able to access the KMS key to create the encrypted system disk.

Actual Behavior

Applying the ECS resource terminates with the error message above.

References

In https://docs.otc.t-systems.com/en-us/api/ecs/en-us_topic_0022067717.html there is a hint about what the error message means:
"EVS is not authorized to obtain KMS keys for encrypting EVS disks."
"Authorize EVS to obtain KMS keys for encrypting EVS disks."

Maybe there is an issue in the resource regarding authorization of the system EVS.

pwurbs (Author) commented Mar 3, 2022

When I tried to create an ECS with an encrypted system disk manually in OTC, I spotted a configuration option
"Xrole Name: EVSAccessKMS"
I am not sure if this is new.

So, obviously this role must be created. Now the question is whether the Terraform resource provider should do that, or whether I have to create this role in advance (but how)?

pwurbs (Author) commented Mar 3, 2022

I found this additional hint in the OTC docs:
When the encryption function is used for the first time ever, the KMS access rights need to be granted to EVS. After the KMS access rights have been granted, all users in this region can use the encryption function, without requiring the KMS access rights to be granted again.

So, I created one ECS manually including the Xrole.
This seems to create the general trust relationship. Afterwards I could apply my Terraform manifests.
So, I would recommend mentioning this behavior in the Terraform provider documentation and/or building some logic into the resource to detect whether the relationship must be created.

outcatcher (Contributor) commented

It sounds like some kind of API change, I will raise an internal incident for that.

lego963 (Contributor) commented Mar 3, 2022

@pwurbs, you hit this issue because, if the project is newly created, you have to grant permissions between services. Here I would like to suggest a solution. Can you try this block of code? You can face this issue in the CCE service as well.

resource "opentelekomcloud_identity_agency_v3" "enable_evs_encryption" {
  name                  = "EVSAccessKMS"   # the agency the ECS console shows as "Xrole Name"
  description           = "Created by Terraform to enable evs encryption"
  delegated_domain_name = "op_svc_evs"     # the EVS service account allowed to assume this agency
  # var.projects: list of project names in which EVS may use KMS keys (declared elsewhere)
  dynamic "project_role" {
    for_each = var.projects
    content {
      project = project_role.value
      roles = [
        "Tenant Administrator"
      ]
    }
  }
}

PS: You need to grant this only once.
PPS: We will update the docs.
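Putting the one-time grant and the encrypted-disk server into a single configuration, with the ordering made explicit, as an added example that is not code from this thread or from the provider's documentation; it assumes the variables `project_name`, `flavor_name`, `az`, `vpc_id`, `subnet_id` and `image_id` are declared elsewhere, and that `opentelekomcloud_kms_key_v1` accepts `key_alias` and `pending_days` as shown.

```hcl
# Constructed example. The agency is the cross-service grant the thread
# identifies: it lets the EVS service account (op_svc_evs) use KMS keys.
resource "opentelekomcloud_identity_agency_v3" "evs_access_kms" {
  name                  = "EVSAccessKMS"
  description           = "Allow EVS to use KMS keys for disk encryption"
  delegated_domain_name = "op_svc_evs"
  project_role {
    project = var.project_name # assumed variable, e.g. the eu-de project name
    roles   = ["Tenant Administrator"] # role suggested in the thread
  }
}

# Customer master key used for the system disk (argument names assumed).
resource "opentelekomcloud_kms_key_v1" "disk" {
  key_alias    = "ecs-system-disk"
  pending_days = "7"
}

resource "opentelekomcloud_ecs_instance_v1" "ecs" {
  name              = "encrypted-host"
  flavor            = var.flavor_name
  availability_zone = var.az
  vpc_id            = var.vpc_id
  image_id          = var.image_id

  nics {
    network_id = var.subnet_id
  }

  system_disk_type   = "SSD"
  system_disk_size   = 40
  system_disk_kms_id = opentelekomcloud_kms_key_v1.disk.id
  delete_disks_on_termination = true

  # The server references nothing from the agency, so Terraform would
  # otherwise be free to create it first and fail with EVS.2044 / Ecs.0025.
  depends_on = [opentelekomcloud_identity_agency_v3.evs_access_kms]
}
```

Once the agency exists in a project it is not needed again for later servers; keeping it in state only matters so that the next fresh project gets the same grant.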

pwurbs (Author) commented Mar 3, 2022

@lego963 I faced that issue just creating ECS instances (without any CCE relation).
To be honest, I don't know what this TF manifest does. And I don't have TF manifests for the initial project setup. So I would rather stick to setting up the permission by creating a foo ECS manually. ;)

lego963 (Contributor) commented Mar 3, 2022

@pwurbs CCE is just an example with the same issue.

@outcatcher outcatcher added this to the v1.28.2 milestone Mar 24, 2022
@outcatcher outcatcher assigned outcatcher and unassigned outcatcher Mar 29, 2022
@otc-zuul otc-zuul bot closed this as completed in #1695 Apr 4, 2022
otc-zuul bot pushed a commit that referenced this issue Apr 4, 2022
[ECS] Add info about encrypted disk usage

Summary of the Pull Request
Add example and a note for encrypted disks in r/ecs_instance_v1
Resolve #1640
PR Checklist

 Refers to: #1640
 Documentation updated.
 Release notes added.

Reviewed-by: Rodion Gyrbu <fpsoff@outlook.com>
Reviewed-by: Vladimir Vshivkov <None>