ibm_resource_key for COS does not nest HMAC object #1741

Closed
data-henrik opened this issue Jul 23, 2020 · 9 comments · Fixed by #3439
Labels
service/Object Storage Issues related to Cloud Object Storage

Comments

@data-henrik
Contributor

In trying to access the credentials for IBM Cloud Object Storage the nested parts with HMAC details are not accessible as expected via, e.g., credentials.cos_hmac_keys.access_key_id, but it needs credentials["cos_hmac_keys.access_key_id"].

Terraform Version

Run terraform -v to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.

$ terraform -v
Terraform v0.12.28
+ provider.ibm (unversioned)
+ provider.kubernetes v1.11.3

Affected Resource(s)

Please list the resources as a list, for example:

  • ibm_resource_key
    ( - kubernetes_secret)

Terraform Configuration Files

# service access key for COS
resource "ibm_resource_key" "RKcos" {
  name                 = "${var.name}-accKey-cos"
  role                 = "Writer"
  resource_instance_id = ibm_resource_instance.cos.id
  parameters           = { HMAC = true }
}

data "ibm_container_cluster_config" "mycluster" {
  cluster_name_id = ibm_container_vpc_cluster.cluster.name
  resource_group_id = data.ibm_resource_group.cloud_development.id
}

provider "kubernetes" {
  load_config_file       = "false"
  host                   = data.ibm_container_cluster_config.mycluster.host
  token                  = data.ibm_container_cluster_config.mycluster.token
  cluster_ca_certificate = data.ibm_container_cluster_config.mycluster.ca_certificate
}

resource "kubernetes_secret" "appsecrets" {
  metadata {
    name = "${var.name}-credentials"
    namespace = "prod"
  }

  data = {
    cos_apiKey             = ibm_resource_key.RKcos.credentials.apikey
    cos_resourceInstanceId = ibm_resource_key.RKcos.credentials.resource_instance_id
    cos_access_key_id      = ibm_resource_key.RKcos.credentials["cos_hmac_keys.access_key_id"]
    cos_secret_access_key  = ibm_resource_key.RKcos.credentials["cos_hmac_keys.secret_access_key"]
  }
}

Debug Output

terraform show -json prints the key as:

"cos_hmac_keys.secret_access_key"

Expected Behavior

obtain HMAC details via credentials.cos_hmac_keys.access_key_id

Actual Behavior

credentials["cos_hmac_keys.access_key_id"]

@data-henrik
Contributor Author

It seems the code only handles flat properties.

@hkantare
Collaborator

I'm not clear on the issue, but when I try the same we are able to access all credentials:

"data": {
              "cos_access_key_id": "9c881f7b6b0b41eaaeced601f0d9bca3",
              "cos_apiKey": "f4k-zhaHjQIi9eS95nEpV6vhiJ6lJ55YHhzmOs3rxDbt",
              "cos_resourceInstanceId": "crn:v1:bluemix:public:cloud-object-storage:global:a/883079c85357a1f3f85d968780e56518:7c9dd25f-ac25-48c2-96e4-2bdf2463d5ad::",
              "cos_secret_access_key": "3bcddcf96c49847de96dce4d949e40784119ee3d78e78030"
            },

In terraform statefile I can see data of secret listing all details

@data-henrik
Contributor Author

First, I am creating the resource key, then trying to access the credentials part. The credentials as JSON look like:

       "credentials": {
            "apikey": "xxxxxxxxxxxxbYM23vQnWcdYmk8K0TYZryqqnHxxxxxx",
            "cos_hmac_keys": {
                "access_key_id": "1111111111944ae8aa6d958985b7310d",
                "secret_access_key": "11111111118654245fbc4cf7c5325416b0f720dfb3f48140"
            },
         ...
       }

The provider flattens them into

          "credentials": {
              "apikey": "xxxxxxxxxxxxbYM23vQnWcdYmk8K0TYZryqxxxxxxxx",
              "cos_hmac_keys.access_key_id": "111111111118aa6d958985b7310d",
              "cos_hmac_keys.secret_access_key": "1111111111115325416b0f720dfb3f48140",
              "endpoints": "https://control.cloud-object-storage.cloud.ibm.com/v2/endpoints",

In other parts of the IBM terraform provider nested structures are handled correctly.

@hkantare
Collaborator

Yes... It's because of the limitation of datatypes in Terraform. We don't have any datatype which accepts dynamic content with different types, so we used TypeMap to store the credentials, which flattens them, because even the TypeMap can hold only elements with primitive types.
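
The flattening described in this comment, reproduced outside Terraform as an added example (not code from terraform-provider-ibm). `Flatten` and `Unflatten` are hypothetical helper names, and the credential values are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Flatten writes nested maps into out under dotted keys (illustrative helper).
func Flatten(prefix string, in map[string]interface{}, out map[string]string) {
	for k, v := range in {
		if prefix != "" {
			k = prefix + "." + k
		}
		if m, ok := v.(map[string]interface{}); ok {
			Flatten(k, m, out)
		} else {
			out[k] = fmt.Sprint(v)
		}
	}
}

// Unflatten rebuilds the nesting; it errors when a scalar and a nested key collide.
func Unflatten(flat map[string]string) (map[string]interface{}, error) {
	root := map[string]interface{}{}
	for k, v := range flat {
		parts := strings.Split(k, ".")
		node := root
		for _, p := range parts[:len(parts)-1] {
			if node[p] == nil {
				node[p] = map[string]interface{}{}
			}
			child, ok := node[p].(map[string]interface{})
			if !ok {
				return nil, fmt.Errorf("key %q: %q is already a scalar", k, p)
			}
			node = child
		}
		leaf := parts[len(parts)-1]
		if _, exists := node[leaf]; exists {
			return nil, fmt.Errorf("key %q collides with a nested key", k)
		}
		node[leaf] = v
	}
	return root, nil
}

func main() {
	nested, err := Unflatten(map[string]string{"apikey": "EXAMPLE-KEY", "cos_hmac_keys.access_key_id": "EXAMPLE-ID"}) // constructed values
	fmt.Println(nested, err)
}
```

A flat string map has no slot for the `cos_hmac_keys` object itself, which is why only the quoted dotted key resolves in a configuration.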

@data-henrik
Contributor Author

It is a functional bug because it is unexpected to the user. The minimum would be to document it.

@pauljegouic

pauljegouic commented Jul 27, 2020

@data-henrik this is my workaround:

# Workaround because returned keys are not usable in terraform.
# TO BE CHANGED
locals {
  access_key_id = {
    for key,value in ibm_resource_key.cos_credentials.0.credentials:
      "access_key_id" => value
    if key == "cos_hmac_keys.access_key_id"
  }
  secret_access_key =  {
    for key,value in ibm_resource_key.cos_credentials.0.credentials:
      "secret_access_key" => value
    if key == "cos_hmac_keys.secret_access_key"
  }
  credentials = merge(local.access_key_id, local.secret_access_key)
}

It will produce a usable terraform object in local.credentials

@data-henrik
Contributor Author

I didn't use any code, just "cos_hmac_keys.access_key_id" to get to the value. But first I had to discover the reason for the problem.

@powellquiring

I ran into this as well and needed Slack to figure it out. I changed the issue #2180 to a documentation issue.

@powellquiring

I just ran into this again... Two solutions I can think of:

  • add the attribute credentials_json as another attribute. Document that a terraform configuration could do the following:

    locals {
      credentials = jsondecode(ibm_resource_key.cos_credentials.credentials_json)
    }

  • Each service creates their own terraform resource:

    resource ibm_resource_key_cos us_south {
      ...
    }

In my latest use case I wanted the json document. I was going to put it into a file and distribute it to an application that was using it. That way I could easily set up a test environment by copying the creds from the UI.

kavya498 added a commit to kavya498/terraform-provider-ibm that referenced this issue Dec 14, 2021
…_json in resource_key resource and datasource
kavya498 added a commit to kavya498/terraform-provider-ibm that referenced this issue Dec 15, 2021
…_json in resource_key resource and datasource
kavya498 added a commit to kavya498/terraform-provider-ibm that referenced this issue Dec 15, 2021
…_json in resource_key resource and datasource
hkantare pushed a commit that referenced this issue Dec 15, 2021