cos: importing a bucket does not import the key_protect attribute #3394

Closed
willholley opened this issue Dec 6, 2021 · 2 comments
Labels
service/Object Storage Issues related to Cloud Object Storage

willholley commented Dec 6, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

terraform -v
Terraform v1.0.11
on darwin_amd64
+ provider registry.terraform.io/ibm-cloud/ibm v1.36.0

Affected Resource(s)

  • ibm_cos_bucket

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

terraform {
  required_version = ">= 1.0.11"
  required_providers {
    ibm = {
      source  = "ibm-cloud/ibm"
      version = ">= 1.36.0"
    }
  }
}

variable "ibmcloud_api_key" {
  type        = string
  description = "The IBM Cloud API Token"
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
}

locals {
  region = "eu-gb"
}

data "ibm_resource_group" "default" {
  name = "default"
}

resource "ibm_resource_instance" "kms" {
  name              = "kms-test"
  service           = "kms"
  plan              = "tiered-pricing"
  location          = local.region
  resource_group_id = data.ibm_resource_group.default.id
}

resource "ibm_kms_key" "key" {
  instance_id  = ibm_resource_instance.kms.guid
  key_name     = "test-key"
  standard_key = false
}

resource "ibm_resource_instance" "cos" {
  name              = "cos-test"
  location          = "global"
  resource_group_id = data.ibm_resource_group.default.id
  service           = "cloud-object-storage"
  plan              = "standard"
}

resource "ibm_iam_authorization_policy" "cos2kms" {
  source_service_name         = "cloud-object-storage"
  source_resource_instance_id = ibm_resource_instance.cos.guid
  target_service_name         = "kms"
  target_resource_instance_id = ibm_resource_instance.kms.guid
  roles                       = ["Reader"]
}

resource "ibm_cos_bucket" "test" {
  bucket_name          = "cos-test"
  resource_instance_id = ibm_resource_instance.cos.id
  region_location      = local.region
  storage_class        = "standard"
  key_protect          = ibm_kms_key.key.id
  depends_on           = [ibm_iam_authorization_policy.cos2kms]
}

Debug Output

https://gist.github.com/willholley/25e0954f10da982accba2777a061829c

Panic Output

Expected Behavior

Importing a COS bucket encrypted with a KMS key known to Terraform should not force recreation on the next terraform plan/apply operation.

Actual Behavior

When importing a COS bucket encrypted with a KMS key, the next terraform apply/plan operation attempts to force recreation of the COS bucket. This appears to be due to the key_protect attribute not being imported.

Steps to Reproduce

  1. Create an encrypted COS bucket using terraform apply. Note the CRN of ibm_cos_bucket.test that gets created.
  2. Remove the COS bucket from the Terraform state: terraform state rm 'ibm_cos_bucket.test'
  3. Import the COS bucket that was just removed from the state: terraform import 'ibm_cos_bucket.test' `
  4. terraform plan.

Example plan output:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # ibm_cos_bucket.test must be replaced
-/+ resource "ibm_cos_bucket" "test" {
      ~ crn                  = "crn:v1:bluemix:public:cloud-object-storage:global:a/ed07d43eb85092dfc279f2252ffca250:22ad2c55-ba66-4cca-a4f4-67ab8a91a20c:bucket:cos-test-will" -> (known after apply)
      + force_delete         = true
      ~ id                   = "crn:v1:bluemix:public:cloud-object-storage:global:a/ed07d43eb85092dfc279f2252ffca250:22ad2c55-ba66-4cca-a4f4-67ab8a91a20c:bucket:cos-test-will:meta:rl:eu-gb:public" -> (known after apply)
      + key_protect          = "crn:v1:bluemix:public:kms:eu-gb:a/ed07d43eb85092dfc279f2252ffca250:cff9bc60-5e35-41fa-8cb2-1b63d1ef2af4:key:12a5f70d-3e73-4ab6-9a48-fa46d4819604" # forces replacement
      ~ s3_endpoint_private  = "s3.private.eu-gb.cloud-object-storage.appdomain.cloud" -> (known after apply)
      ~ s3_endpoint_public   = "s3.eu-gb.cloud-object-storage.appdomain.cloud" -> (known after apply)
        # (5 unchanged attributes hidden)

      - timeouts {}
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Important Factoids

I've reproduced this on multiple accounts, using COS buckets created via Terraform or by hand.

References

  • #0000
@willholley willholley changed the title cos: importing a bucket does not import the KMS key id cos: importing a bucket does not import the key_protect attribute Dec 6, 2021
@kavya498 kavya498 added the service/Object Storage Issues related to Cloud Object Storage label Dec 6, 2021
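
Added example (not part of the original issue or of the provider's code): a pre-apply check that reads the JSON form of a plan and flags the situation reported above, a resource marked for replacement because `key_protect` is empty in the imported state but set in configuration. The sample plan, its placeholder CRN and the function name are constructed for illustration; `resource_changes`, `actions`, `before`, `after` and `replace_paths` are fields of Terraform's JSON plan output.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>`;
# the CRN value is a placeholder, not a real identifier.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "ibm_cos_bucket.test",
   "change": {
     "actions": ["delete", "create"],
     "before": {"bucket_name": "cos-test", "key_protect": null},
     "after": {"bucket_name": "cos-test", "key_protect": "crn:EXAMPLE-KMS-KEY"},
     "replace_paths": [["key_protect"]]}},
  {"address": "ibm_cos_bucket.logs",
   "change": {
     "actions": ["update"],
     "before": {"bucket_name": "cos-logs", "storage_class": "standard"},
     "after": {"bucket_name": "cos-logs", "storage_class": "smart"}}}
]}
""")


def replacements_from_unimported_attr(plan, attr="key_protect"):
    """Return addresses that would be destroyed and recreated because `attr`
    is empty in state (e.g. not read back on import) but set in config."""
    flagged = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if not ("delete" in actions and "create" in actions):
            continue  # in-place update or no-op, nothing is destroyed
        forced_by_attr = [attr] in change.get("replace_paths", [])
        before = change.get("before") or {}
        after = change.get("after") or {}
        # Empty before + non-empty after = state is missing the attribute.
        if forced_by_attr and not before.get(attr) and after.get(attr):
            flagged.append(rc["address"])
    return flagged


if __name__ == "__main__":
    for address in replacements_from_unimported_attr(SAMPLE_PLAN):
        print(f"BLOCK: {address} would be replaced; key_protect missing from state")
```

Run against a saved plan in CI, a non-empty result is a reason to stop before `terraform apply` destroys an encrypted bucket that only looks different because of incomplete import.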
@pauljegouic

@kavya498 seems to be the same issue with databases

@IBM-diksha
Collaborator

This issue has been fixed in the latest release (v1.55.0).
Thank you.
https://github.com/IBM-Cloud/terraform-provider-ibm/releases/tag/v1.55.0
