terraform-ibm-modules/terraform-ibm-cluster

Could not look up the key management service instance

lionelmace opened this issue · 7 comments

I'm trying to enable KMS on my existing cluster using the following terraform:

module "vpc_openshift_cluster" {
  source = "terraform-ibm-modules/cluster/ibm//modules/vpc-openshift"

...
  kms_config                      = [
    {
      instance_id      = ibm_resource_instance.kp_instance.id,
      crk_id           = ibm_kp_key.my_kp_key.id,
      private_endpoint = true
    }
  ]
}
...
resource "ibm_resource_instance" "kp_instance" {
  resource_group_id = ibm_resource_group.resource_group.id
  name              = "key-protect"
  service           = "kms"
  plan              = "tiered-pricing"
  location          = var.region
  tags              = var.tags
}

resource "ibm_kp_key" "my_kp_key" {
  key_protect_id = ibm_resource_instance.kp_instance.guid
  key_name       = "my-key-name"
  standard_key   = false
}

I'm facing the error below when I run terraform apply:

ibm_resource_instance.kp_instance: Modifications complete after 14s [id=crn:v1:bluemix:public:kms:eu-de:a/0b5a00334eaf9eb9339d2ab48f7326b4:6bc3ed5a-0bf4-46ad-bb7e-dfdef2af1c10::]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Modifying... [id=c5r5me1f0qelptsqsrn0]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 10s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 20s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 30s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 40s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 50s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 1m0s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 1m10s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 1m20s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 1m30s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 1m40s elapsed]
╷
│ Error: Request failed with status code: 503, ServerErrorResponse: {"incidentID":"3f60f73d-76e7-4f95-87fb-eb2de5bc8488,3f60f73d-76e7-4f95-87fb-eb2de5bc8488","code":"Ef7d5","description":"Could not look up the key management service instance. Try again later.","type":"General"}
│
│   with module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster,
│   on .terraform/modules/vpc_openshift_cluster/modules/vpc-openshift/main.tf line 6, in resource "ibm_container_vpc_cluster" "cluster":
│    6: resource "ibm_container_vpc_cluster" "cluster" {

What am I missing? Wrong id for KP?

Hi @lionelmace, can you try passing the KMS instance guid as the kms_config's instance_id, like this:

kms_config                      = [
    {
      instance_id      = ibm_resource_instance.kp_instance.guid,
      crk_id           = ibm_kp_key.my_kp_key.id,
      private_endpoint = true
    }
  ]

If I use the guid, I get this error:

module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Modifying... [id=c5r5me1f0qelptsqsrn0]
╷
│ Error: Request failed with status code: 400, ServerErrorResponse: {"incidentID":"32b7b592-399c-48f0-8cda-37a2190b96e5,32b7b592-399c-48f0-8cda-37a2190b96e5","code":"E94ef","description":"Invalid key management service information. Check your KMS instance ID, root key, and endpoint URL.","type":"Cluster","recoveryCLI":"To get the instance ID, run 'ibmcloud resource service-instance \u003ckms_service\u003e --id' and copy the second value (not the full CRN).\nTo get the root key and endpoint URL, consult the KMS provider documentation, such as 'http://ibm.biz/kp-viewcrk' and 'http://ibm.biz/kp-endpoints'."}
│
│   with module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster,
│   on .terraform/modules/vpc_openshift_cluster/modules/vpc-openshift/main.tf line 6, in resource "ibm_container_vpc_cluster" "cluster":
│    6: resource "ibm_container_vpc_cluster" "cluster" {

Which provider version has your module downloaded? If you are using the latest version, you shouldn't be seeing the issue when passing the guid of the KP instance to kms_config. But in case it has downloaded an older provider version, can you tell us whether you have a provider block with the region parameter declared in your tf configuration?

I didn’t specify a version so I guess I use the latest version. Here is the code I use: https://github.com/lionelmace/mytodo/blob/master/cloud/terraform/main.tf

I upgraded the terraform to version 1.34.0. I use the guid. I still face the same error:

module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Modifying... [id=c5r5me1f0qelptsqsrn0]
╷
│ Error: Request failed with status code: 400, ServerErrorResponse: {"incidentID":"71b26e62-3b1b-4405-b87b-b684822f99f7,71b26e62-3b1b-4405-b87b-b684822f99f7","code":"E94ef","description":"Invalid key management service information. Check your KMS instance ID, root key, and endpoint URL.","type":"Cluster","recoveryCLI":"To get the instance ID, run 'ibmcloud resource service-instance \u003ckms_service\u003e --id' and copy the second value (not the full CRN).\nTo get the root key and endpoint URL, consult the KMS provider documentation, such as 'http://ibm.biz/kp-viewcrk' and 'http://ibm.biz/kp-endpoints'."}
│
│   with module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster,
│   on .terraform/modules/vpc_openshift_cluster/modules/vpc-openshift/main.tf line 6, in resource "ibm_container_vpc_cluster" "cluster":
│    6: resource "ibm_container_vpc_cluster" "cluster" {

Do you have provider block declared with region? If yes, what is the region?
What location are you creating the cluster?
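The recoveryCLI text in the 400 error above spells out the contract: kms_config.instance_id wants the instance GUID (the second value printed by `ibmcloud resource service-instance <kms_service> --id`), not the full CRN that `ibm_resource_instance.kp_instance.id` holds, and the follow-up questions probe which region the provider block and the cluster use. As an added example, not code from this thread or from the terraform-ibm-modules project, here is a small Python helper that parses an IBM Cloud CRN into its ten colon-separated segments, returns the bare GUID to use as instance_id (accepting either a GUID or a CRN, so it works on whichever value a config actually produced), and reports whether the KMS instance's region matches the cluster region. The segment layout (service at index 4, location at 5, instance GUID at 7) is the standard CRN format; the sample CRN is the one printed in the apply log above, the function names are mine.

```python
import re

# Sample input: the Key Protect instance CRN printed by `terraform apply`
# earlier in this thread (kms service, region eu-de).
KP_INSTANCE_CRN = (
    "crn:v1:bluemix:public:kms:eu-de:"
    "a/0b5a00334eaf9eb9339d2ab48f7326b4:6bc3ed5a-0bf4-46ad-bb7e-dfdef2af1c10::"
)

# Names for the ten colon-separated CRN segments:
# crn:version:cname:ctype:service:location:scope:instance:resource-type:resource
CRN_FIELDS = (
    "scheme", "version", "cname", "ctype", "service",
    "location", "scope", "instance", "resource_type", "resource",
)

# Service instance GUIDs are lower-case UUIDs (8-4-4-4-12 hex groups).
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def parse_crn(crn: str) -> dict:
    """Split a CRN into named segments; reject anything that is not a 10-segment CRN."""
    parts = crn.strip().split(":")
    if len(parts) != len(CRN_FIELDS) or parts[0] != "crn":
        raise ValueError(f"not a CRN ({len(parts)} segments): {crn!r}")
    return dict(zip(CRN_FIELDS, parts))


def kms_instance_id(value: str) -> str:
    """Return the value kms_config.instance_id expects: the bare instance GUID.

    A GUID is returned unchanged; a full CRN has its instance segment extracted,
    after checking that the CRN really points at a Key Protect (kms) instance.
    """
    value = value.strip()
    if GUID_RE.match(value):
        return value
    fields = parse_crn(value)
    if fields["service"] != "kms":
        raise ValueError(f"CRN is for service {fields['service']!r}, not a kms instance")
    guid = fields["instance"]
    if not GUID_RE.match(guid):
        raise ValueError(f"CRN instance segment is not a GUID: {guid!r}")
    return guid


def kms_region(value: str) -> str:
    """Region (CRN location segment) of a KMS instance given as a full CRN."""
    return parse_crn(value)["location"]


def check_kms_config(crn: str, cluster_region: str) -> dict:
    """Summarise what would reach the cluster API and flag a region mismatch."""
    region = kms_region(crn)
    return {
        "instance_id": kms_instance_id(crn),
        "kms_region": region,
        "cluster_region": cluster_region,
        "region_matches": region == cluster_region,
    }


if __name__ == "__main__":
    # Hypothetical cluster region; compare against the value used for the cluster's zone/region.
    print(check_kms_config(KP_INSTANCE_CRN, "eu-de"))
```

Inside Terraform the equivalent of kms_instance_id is simply `ibm_resource_instance.kp_instance.guid`, which is what the maintainer suggests; the helper is for checking a value pasted from the `ibmcloud` CLI or read back from state. A matching GUID and region does not by itself rule out the 400 response: per the error text the API also validates the root key ID and the endpoint, which this helper does not see.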