This repository has been archived by the owner on Nov 24, 2023. It is now read-only.

Could not look up the key management service instance #83

Open
lionelmace opened this issue Oct 26, 2021 · 7 comments

Comments

@lionelmace

I'm trying to enable KMS on my existing cluster using the following terraform:

module "vpc_openshift_cluster" {
  source = "terraform-ibm-modules/cluster/ibm//modules/vpc-openshift"

...
  kms_config                      = [
    {
      instance_id      = ibm_resource_instance.kp_instance.id,
      crk_id           = ibm_kp_key.my_kp_key.id,
      private_endpoint = true
    }
  ]
}
...
resource "ibm_resource_instance" "kp_instance" {
  resource_group_id = ibm_resource_group.resource_group.id
  name              = "key-protect"
  service           = "kms"
  plan              = "tiered-pricing"
  location          = var.region
  tags              = var.tags
}

resource "ibm_kp_key" "my_kp_key" {
  key_protect_id  = ibm_resource_instance.kp_instance.guid
  key_name     = "my-key-name"
  standard_key = false
}

I'm facing the error below when I do terraform apply

ibm_resource_instance.kp_instance: Modifications complete after 14s [id=crn:v1:bluemix:public:kms:eu-de:a/0b5a00334eaf9eb9339d2ab48f7326b4:6bc3ed5a-0bf4-46ad-bb7e-dfdef2af1c10::]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Modifying... [id=c5r5me1f0qelptsqsrn0]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 10s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 20s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 30s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 40s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 50s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 1m0s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 1m10s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 1m20s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 1m30s elapsed]
module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Still modifying... [id=c5r5me1f0qelptsqsrn0, 1m40s elapsed]
╷
│ Error: Request failed with status code: 503, ServerErrorResponse: {"incidentID":"3f60f73d-76e7-4f95-87fb-eb2de5bc8488,3f60f73d-76e7-4f95-87fb-eb2de5bc8488","code":"Ef7d5","description":"Could not look up the key management service instance. Try again later.","type":"General"}
│
│   with module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster,
│   on .terraform/modules/vpc_openshift_cluster/modules/vpc-openshift/main.tf line 6, in resource "ibm_container_vpc_cluster" "cluster":
│    6: resource "ibm_container_vpc_cluster" "cluster" {

What am I missing? Wrong id for KP?

@VaishnaviGopal

Hi @lionelmace, can you try passing the KMS instance guid for the kms config's instance_id, like this:

kms_config                      = [
    {
      instance_id      = ibm_resource_instance.kp_instance.guid,
      crk_id           = ibm_kp_key.my_kp_key.id,
      private_endpoint = true
    }
  ]

@lionelmace
Author

If I use guid, I face this error

module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Modifying... [id=c5r5me1f0qelptsqsrn0]
╷
│ Error: Request failed with status code: 400, ServerErrorResponse: {"incidentID":"32b7b592-399c-48f0-8cda-37a2190b96e5,32b7b592-399c-48f0-8cda-37a2190b96e5","code":"E94ef","description":"Invalid key management service information. Check your KMS instance ID, root key, and endpoint URL.","type":"Cluster","recoveryCLI":"To get the instance ID, run 'ibmcloud resource service-instance \u003ckms_service\u003e --id' and copy the second value (not the full CRN).\nTo get the root key and endpoint URL, consult the KMS provider documentation, such as 'http://ibm.biz/kp-viewcrk' and 'http://ibm.biz/kp-endpoints'."}
│
│   with module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster,
│   on .terraform/modules/vpc_openshift_cluster/modules/vpc-openshift/main.tf line 6, in resource "ibm_container_vpc_cluster" "cluster":
│    6: resource "ibm_container_vpc_cluster" "cluster" {

@VaishnaviGopal

Which provider version has your module downloaded? If using the latest version, you shouldn't be seeing the issue when passing the guid of the kp instance to kms_config. But in case it has downloaded an older provider version, can you tell us if you have a provider block with the region parameter declared in your tf configuration?

@lionelmace
Author

I didn’t specify a version so I guess I use the latest version. Here is the code I use: https://github.com/lionelmace/mytodo/blob/master/cloud/terraform/main.tf

@lionelmace
Author

I upgraded the terraform to version 1.34.0. I use guid. I still face the same error

module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster: Modifying... [id=c5r5me1f0qelptsqsrn0]
╷
│ Error: Request failed with status code: 400, ServerErrorResponse: {"incidentID":"71b26e62-3b1b-4405-b87b-b684822f99f7,71b26e62-3b1b-4405-b87b-b684822f99f7","code":"E94ef","description":"Invalid key management service information. Check your KMS instance ID, root key, and endpoint URL.","type":"Cluster","recoveryCLI":"To get the instance ID, run 'ibmcloud resource service-instance \u003ckms_service\u003e --id' and copy the second value (not the full CRN).\nTo get the root key and endpoint URL, consult the KMS provider documentation, such as 'http://ibm.biz/kp-viewcrk' and 'http://ibm.biz/kp-endpoints'."}
│
│   with module.vpc_openshift_cluster.ibm_container_vpc_cluster.cluster,
│   on .terraform/modules/vpc_openshift_cluster/modules/vpc-openshift/main.tf line 6, in resource "ibm_container_vpc_cluster" "cluster":
│    6: resource "ibm_container_vpc_cluster" "cluster" {

@VaishnaviGopal

Do you have a provider block declared with region? If yes, what is the region?
In what location are you creating the cluster?

@lionelmace
Author

Yes. Region = eu-de

The complete tf scripts are here

https://github.com/lionelmace/mytodo/blob/master/cloud/terraform/provider.tf
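The E94ef recovery text quoted above asks for the bare instance ID rather than the full CRN. The following pre-apply check is an added example, not part of the thread or of the module: it splits a CRN into its segments and normalizes a kms_config-style entry. The function names and the sample key ID are constructed, and treating crk_id the same way as instance_id is an assumption of this example that the thread does not confirm.

```python
import re

# IBM Cloud CRN segments, in order; the instance CRN in the apply log above
# has ten segments with the last two empty.
CRN_FIELDS = ("crn", "version", "cname", "ctype", "service_name",
              "location", "scope", "service_instance", "resource_type", "resource")
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def parse_crn(value):
    """Split a CRN into named segments; return None if value is not CRN-shaped."""
    parts = value.split(":")
    if len(parts) != len(CRN_FIELDS) or parts[0] != "crn":
        return None
    return dict(zip(CRN_FIELDS, parts))


def check_kms_entry(entry):
    """Return (normalized_entry, findings) for one kms_config-style dict."""
    fixed, findings = dict(entry), []
    # instance_id maps to the service-instance segment; crk_id to the resource
    # segment (assumption: the root key is also expected as a bare ID).
    for field, segment in (("instance_id", "service_instance"), ("crk_id", "resource")):
        value = entry[field]
        crn = parse_crn(value)
        if crn is not None:
            findings.append(f"{field}: full CRN passed, expected bare ID")
            value = crn[segment]
        if not UUID_RE.match(value):
            findings.append(f"{field}: {value!r} is not a UUID")
        fixed[field] = value
    return fixed, findings


# Instance CRN copied from the apply log on this page; the key ID is constructed.
INSTANCE_CRN = ("crn:v1:bluemix:public:kms:eu-de:a/0b5a00334eaf9eb9339d2ab48f7326b4:"
                "6bc3ed5a-0bf4-46ad-bb7e-dfdef2af1c10::")
KEY_CRN = INSTANCE_CRN[:-2] + ":key:11111111-2222-3333-4444-555555555555"

if __name__ == "__main__":
    fixed, findings = check_kms_entry(
        {"instance_id": INSTANCE_CRN, "crk_id": KEY_CRN, "private_endpoint": True})
    for line in findings:
        print("FINDING", line)
    print(fixed)
```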

@ocofaigh ocofaigh transferred this issue from terraform-ibm-modules/terraform-ibm-cluster Jul 8, 2022
@ocofaigh ocofaigh transferred this issue from terraform-ibm-modules/terraform-ibm-issue-tracker Aug 18, 2023