
Allow configuration of the key used to encrypt IBM Cloud Databases backups #1761

Closed
l2fprod opened this issue Jul 28, 2020 · 7 comments

Comments

@l2fprod
Member

l2fprod commented Jul 28, 2020

Currently only the key used to encrypt the database can be specified:

"key_protect_instance": {

but ICD also supports providing the key to encrypt backups as described in https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect#byok-for-backups

Today it is not possible and I end up having only the data but not the backup being encrypted with my own key:

[screenshot]

@movinglightspeed

Also another issue on this: #1727

kavya498 added a commit to kavya498/terraform-provider-ibm that referenced this issue Aug 10, 2020
@hkantare
Collaborator

@l2fprod
Member Author

l2fprod commented Sep 1, 2020

@hkantare there is a naming inconsistency in the newly added key:

[screenshot]

  • Notice "key_protect_key" for the disk encryption, pointing to a CRN.
  • And then "backup_encryption_key_crn" for the backup encryption; this one has "crn" in its name. Not very consistent with the other one.
  • Also, the doc for "key_protect_instance" does not say whether this instance will be used to look for the backup encryption key. Is this instance needed at all, given we have the CRN for the key?

@kavya498
Collaborator

kavya498 commented Sep 2, 2020

Hi,
key_protect_instance is not required. The CRN for the key, i.e. the backup_encryption_key_crn parameter, is good enough for ICD backup encryption.

The backup_encryption_key_crn parameter name is chosen from the docs.

key_protect_key support was introduced long back in Terraform; we see some updates from the ICD API.
We'll work on the consistency of the parameters and update soon.

@l2fprod
Member Author

l2fprod commented Sep 2, 2020

@kavya498

I tried the new backup_encryption_key_crn and the Redis instance I wanted to create stayed in "Provisioning" for hours before failing. I use the same key for both db encryption and backup encryption.

After I removed the backup_encryption_key_crn I could create a Redis instance.

@l2fprod
Member Author

l2fprod commented Sep 3, 2020

Here is a Terraform template that fails to provision a Redis database:

variable "ibmcloud_api_key" {}
variable "basename" { default = "redis-failed" }
variable "resource_group_name" {}
variable "region" { default = "us-south" }

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = var.region
  generation       = 2
  ibmcloud_timeout = 900
}

data "ibm_resource_group" "group" {
  name = var.resource_group_name
}

# Key Protect instance that holds the customer-managed root key
resource "ibm_resource_instance" "kms" {
  name              = "${var.basename}-kms"
  resource_group_id = data.ibm_resource_group.group.id
  service           = "kms"
  plan              = "tiered-pricing"
  location          = var.region
}

# Root key (standard_key = false) used for both data and backup encryption
resource "ibm_kp_key" "key" {
  key_protect_id = ibm_resource_instance.kms.guid
  key_name       = "root_key"
  standard_key   = false
  force_delete   = true
}

resource "ibm_database" "redis" {
  name              = "${var.basename}-redis"
  resource_group_id = data.ibm_resource_group.group.id
  plan              = "standard"
  service           = "databases-for-redis"
  location          = var.region

  key_protect_key           = ibm_kp_key.key.crn          # disk/data encryption key
  key_protect_instance      = ibm_resource_instance.kms.crn
  backup_encryption_key_crn = ibm_kp_key.key.crn          # same key for backups

  service_endpoints = "private"

  # The service-to-service authorization must exist before the deployment
  # tries to use the key.
  depends_on = [
    ibm_iam_authorization_policy.redis_policy
  ]
}

# Authorization from databases-for-redis to the Key Protect instance.
# Only the Reader role is granted here; this is the template that fails.
resource "ibm_iam_authorization_policy" "redis_policy" {
  source_service_name         = "databases-for-redis"
  target_service_name         = "kms"
  target_resource_instance_id = ibm_resource_instance.kms.guid
  roles                       = ["Reader"]
}

@l2fprod
Member Author

l2fprod commented Sep 11, 2020

The reason for the provisioning failure is that the authorization policy is incomplete. It needs an additional role, AuthorizationDelegator:

resource "ibm_iam_authorization_policy" "redis_policy" {
  source_service_name         = "databases-for-redis"
  target_service_name         = "kms"
  target_resource_instance_id = ibm_resource_instance.kms.guid
  roles                       = ["Reader", "AuthorizationDelegator"]
}

@l2fprod l2fprod closed this as completed Sep 11, 2020
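The root cause above (a service-to-service authorization that grants Reader but not AuthorizationDelegator) is easy to miss, because provisioning does not fail fast. The following is an added pre-flight check, not code from terraform-provider-ibm or IBM Cloud: it takes a parsed IAM authorization-policy listing and reports which required roles are missing for the databases-for-redis to Key Protect pair before you run terraform apply. The policy structure (subjects[].attributes, resources[].attributes, roles[].display_name) is an assumption modelled on the IAM Policy Management API; the listing in SAMPLE_POLICIES and its GUIDs are constructed for this example. Adjust field names if your real listing differs.

```python
"""Pre-flight check for the IAM service-to-service authorization an IBM Cloud
Databases deployment needs before it can use a Key Protect root key for data
and backup encryption.

Added example; not code from terraform-provider-ibm or IBM Cloud. The policy
layout is an assumption modelled on the IAM Policy Management API listing
(subjects[].attributes, resources[].attributes, roles[].display_name). The
sample listing and GUIDs below are constructed for this example.
"""
import json

# Roles the issue thread found necessary for provisioning to succeed.
REQUIRED_ROLES = frozenset({"Reader", "AuthorizationDelegator"})

# Constructed sample listing: the first policy mirrors the failing template
# (Reader only), the second mirrors the fix (Reader + AuthorizationDelegator).
SAMPLE_POLICIES = json.loads("""
[
  {
    "id": "policy-reader-only",
    "subjects":  [{"attributes": [{"name": "serviceName", "value": "databases-for-redis"}]}],
    "resources": [{"attributes": [{"name": "serviceName", "value": "kms"},
                                  {"name": "serviceInstance", "value": "kms-guid-redis-failed"}]}],
    "roles": [{"display_name": "Reader"}]
  },
  {
    "id": "policy-fixed",
    "subjects":  [{"attributes": [{"name": "serviceName", "value": "databases-for-redis"}]}],
    "resources": [{"attributes": [{"name": "serviceName", "value": "kms"},
                                  {"name": "serviceInstance", "value": "kms-guid-redis-ok"}]}],
    "roles": [{"display_name": "Reader"}, {"display_name": "AuthorizationDelegator"}]
  }
]
""")


def _flatten(entries):
    """Turn [{"attributes": [{"name": n, "value": v}, ...]}, ...] into [{n: v}, ...]."""
    return [{a["name"]: a["value"] for a in e.get("attributes", [])} for e in entries]


def matching_policies(policies, source_service, target_service, target_instance):
    """Policies whose subject is `source_service` and whose resource is the
    given `target_service` instance (matched on the serviceInstance GUID)."""
    found = []
    for pol in policies:
        subject_ok = any(s.get("serviceName") == source_service
                         for s in _flatten(pol.get("subjects", [])))
        resource_ok = any(r.get("serviceName") == target_service
                          and r.get("serviceInstance") == target_instance
                          for r in _flatten(pol.get("resources", [])))
        if subject_ok and resource_ok:
            found.append(pol)
    return found


def missing_roles(policies, source_service, target_service, target_instance,
                  required=REQUIRED_ROLES):
    """Required roles that no matching policy grants; an empty set means OK.
    Grants from several matching policies are combined, so a pair with no
    policy at all reports every required role as missing."""
    granted = set()
    for pol in matching_policies(policies, source_service, target_service, target_instance):
        granted.update(role.get("display_name") for role in pol.get("roles", []))
    return set(required) - granted


def check(policies, kms_guid, source_service="databases-for-redis"):
    """One-line verdict for the ICD service -> Key Protect instance pair."""
    missing = missing_roles(policies, source_service, "kms", kms_guid)
    if not missing:
        return f"OK: {source_service} -> kms {kms_guid} grants {sorted(REQUIRED_ROLES)}"
    return (f"FAIL: {source_service} -> kms {kms_guid} is missing {sorted(missing)}; "
            f"add them to the roles list of the ibm_iam_authorization_policy")


if __name__ == "__main__":
    # With a real listing, replace SAMPLE_POLICIES by the parsed JSON output of
    # your IAM policy listing and pass the GUID of your Key Protect instance.
    for guid in ("kms-guid-redis-failed", "kms-guid-redis-ok"):
        print(check(SAMPLE_POLICIES, guid))
```

Running the block as-is prints a FAIL line for the Reader-only policy and an OK line for the fixed one. The check only proves that the roles are present; it does not prove the key is reachable from the deployment, so keep the depends_on on the authorization policy in the Terraform template as well.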