diff --git a/README.md b/README.md index 60f2bb4d8..8595abb98 100644 --- a/README.md +++ b/README.md @@ -968,7 +968,7 @@ statement instead the previous block. | [f5\_vsi](#input\_f5\_vsi) | A list describing F5 VSI workloads to create |
list(| `[]` | no | | [iam\_account\_settings](#input\_iam\_account\_settings) | IAM Account Settings. |
object({
name = string
vpc_name = string
primary_subnet_name = string
secondary_subnet_names = list(string)
secondary_subnet_security_group_names = list(
object({
group_name = string
interface_name = string
})
)
ssh_keys = list(string)
f5_image_name = string
machine_type = string
resource_group = optional(string)
enable_management_floating_ip = optional(bool)
enable_external_floating_ip = optional(bool)
security_groups = optional(list(string))
boot_volume_encryption_key_name = optional(string)
hostname = string
domain = string
access_tags = optional(list(string), [])
security_group = optional(
object({
name = string
rules = list(
object({
name = string
direction = string
source = string
tcp = optional(
object({
port_max = number
port_min = number
})
)
udp = optional(
object({
port_max = number
port_min = number
})
)
icmp = optional(
object({
type = number
code = number
})
)
})
)
})
)
block_storage_volumes = optional(list(
object({
name = string
profile = string
capacity = optional(number)
iops = optional(number)
encryption_key = optional(string)
})
))
load_balancers = optional(list(
object({
name = string
type = string
listener_port = number
listener_protocol = string
connection_limit = number
algorithm = string
protocol = string
health_delay = number
health_retries = number
health_timeout = number
health_type = string
pool_member_port = string
security_group = optional(
object({
name = string
rules = list(
object({
name = string
direction = string
source = string
tcp = optional(
object({
port_max = number
port_min = number
})
)
udp = optional(
object({
port_max = number
port_min = number
})
)
icmp = optional(
object({
type = number
code = number
})
)
})
)
})
)
})
))
})
)
object({|
enable = bool
mfa = optional(string)
allowed_ip_addresses = optional(string)
include_history = optional(bool)
if_match = optional(string)
max_sessions_per_identity = optional(string)
restrict_create_service_id = optional(string)
restrict_create_platform_apikey = optional(string)
session_expiration_in_seconds = optional(string)
session_invalidation_in_seconds = optional(string)
})
{| no | | [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | IBM Cloud API Key that will be used for authentication in scripts run in this module. Only required if certain options are required. | `string` | `null` | no | -| [key\_management](#input\_key\_management) | Key Protect instance variables |
"enable": false
}
object({| n/a | yes | +| [key\_management](#input\_key\_management) | Key Protect instance variables |
name = string
resource_group = string
use_data = optional(bool)
use_hs_crypto = optional(bool)
access_tags = optional(list(string), [])
keys = optional(
list(
object({
name = string
root_key = optional(bool)
payload = optional(string)
key_ring = optional(string) # Any key_ring added will be created
force_delete = optional(bool)
endpoint = optional(string) # can be public or private
iv_value = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
encrypted_nonce = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
policies = optional(
object({
rotation = optional(
object({
interval_month = number
})
)
dual_auth_delete = optional(
object({
enabled = bool
})
)
})
)
})
)
)
})
object({| n/a | yes | | [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no | | [prefix](#input\_prefix) | A unique identifier for resources. Must begin with a letter and end with a letter or number. This prefix will be prepended to any resources provisioned by this template. Prefixes must be 16 or fewer characters. | `string` | n/a | yes | | [region](#input\_region) | Region where VPC will be created. To find your VPC region, use `ibmcloud is regions` command to find available regions. | `string` | n/a | yes |
diff --git a/bastion_host.tf b/bastion_host.tf
index 678321ae4..fbd4e03fe 100644
--- a/bastion_host.tf
+++ b/bastion_host.tf
@@ -55,7 +55,7 @@ module "bastion_host" {
 vsi_per_subnet = 1
 boot_volume_encryption_key = each.value.boot_volume_encryption_key_name == null ? "" : [
 for keys in module.key_management.keys :
- keys.id if keys.name == each.value.boot_volume_encryption_key_name
+ keys.crn if keys.name == each.value.boot_volume_encryption_key_name
 ][0]
 image_id = data.ibm_is_image.image["${var.prefix}-${each.value.name}"].id
 user_data = module.teleport_config[0].cloud_init
diff --git a/cos.tf b/cos.tf
index af3b4d330..f470820ee 100644
--- a/cos.tf
+++ b/cos.tf
@@ -95,7 +95,7 @@ resource "ibm_cos_bucket" "buckets" {
 hard_quota = each.value.hard_quota
 key_protect = each.value.kms_key == null ? null : [
 for key in module.key_management.keys :
- key.id if key.name == each.value.kms_key
+ key.crn if key.name == each.value.kms_key
 ][0]
 dynamic "archive_rule" {
diff --git a/dynamic_values/config_modules/service_authorizations/service_authorizations.tf b/dynamic_values/config_modules/service_authorizations/service_authorizations.tf
index 320392baa..73e5f80d8 100644
--- a/dynamic_values/config_modules/service_authorizations/service_authorizations.tf
+++ b/dynamic_values/config_modules/service_authorizations/service_authorizations.tf
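Review bot: The lookup `[ for keys in module.key_management.keys : keys.crn if keys.name == each.value.boot_volume_encryption_key_name ][0]` builds a list only to take its first element, and when no key matches it fails with Terraform's generic invalid-index error rather than anything naming the missing key. The `key_map` output that this same commit extends in kms/outputs.tf already indexes keys by name, so `module.key_management.key_map[each.value.boot_volume_encryption_key_name].crn` states the intent directly, which is the form secrets_manager.tf on this page already uses. The switch from `.id` to `.crn` is needed because the `keys` output now contains entries of two shapes (created keys carry `id`/`key_id`, `existing_key_crn` entries only `name` and `crn`); whether the consuming `vsi` module accepts a CRN where it previously received an id is not visible here and should be confirmed. The same substitution appears in cos.tf, f5_vsi.tf (two hunks), secrets_manager.tf and virtual_servers.tf (two hunks), and this note applies to each of them. The `module "bastion_host"` block begins and ends outside the hunk.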
@@ -37,7 +37,7 @@ variable "atracker_cos_bucket" {
 ##############################################################################
 locals {
- target_key_management_service = lookup(var.key_management, "use_hs_crypto", false) == true ? "hs-crypto" : "kms"
+ target_key_management_service = lookup(var.key_management, "name", null) != null ? lookup(var.key_management, "use_hs_crypto", false) == true ? "hs-crypto" : "kms" : null
 }
 module "kms_to_block_storage" {
@@ -51,7 +51,7 @@ module "kms_to_block_storage" {
 roles = ["Reader"]
 target_service_name = local.target_key_management_service
 target_resource_instance_id = var.key_management_guid
- }
+ } if local.target_key_management_service != null
 ]
 }
@@ -73,7 +73,7 @@ module "cos_to_key_management" {
 roles = ["Reader"]
 target_service_name = local.target_key_management_service
 target_resource_instance_id = var.key_management_guid
- }
+ } if local.target_key_management_service != null
 ]
 }
@@ -105,7 +105,7 @@ module "secrets_manager_to_cos" {
 roles = ["Reader"]
 target_service_name = local.target_key_management_service
 target_resource_instance_id = var.key_management_guid
- }
+ } if local.target_key_management_service != null
 ]
 }
diff --git a/f5_vsi.tf b/f5_vsi.tf
index 3e57bd9bc..cf845428c 100644
--- a/f5_vsi.tf
+++ b/f5_vsi.tf
@@ -145,7 +145,7 @@ module "f5_vsi" {
 # Get boot volume
 boot_volume_encryption_key = each.value.boot_volume_encryption_key_name == null ? "" : [
 for keys in module.key_management.keys :
- keys.id if keys.name == each.value.boot_volume_encryption_key_name
+ keys.crn if keys.name == each.value.boot_volume_encryption_key_name
 ][0]
 # Get security group ids
 security_group_ids = each.value.security_groups == null ? [] : [
@@ -169,7 +169,7 @@ module "f5_vsi" {
 iops = volume.iops
 encryption_key = lookup(volume, "encryption_key", null) == null ? null : [
 for key in module.key_management.keys :
- key.id if key.name == volume.encryption_key
+ key.crn if key.name == volume.encryption_key
 ][0]
 }
 ]
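Review bot: The added `if local.target_key_management_service != null` filters drop the KMS authorization policies in `kms_to_block_storage`, `cos_to_key_management` and `secrets_manager_to_cos` whenever `key_management.name` is null, yet that is exactly the configuration this commit introduces for keys supplied via `existing_key_crn`, which the root variables.tf comment says may live in the same or a different account. Block storage, COS and Secrets Manager still need a Reader authorization to the instance that owns those keys, so an existing-key deployment now depends on a policy created outside this module, and a missing one surfaces only at apply time when the service cannot use the key. If that is the intended contract, the `locals` block should say so, e.g. `# name == null means no KMS instance is managed here; authorizations to the instance owning any existing_key_crn must exist outside this module`. The new nested ternary on the `target_key_management_service` line would also read more clearly with the inner conditional parenthesized. The `module "kms_to_block_storage"` block begins on the hunk's last line and continues outside it.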
diff --git a/kms/dynamic_values.tf b/kms/dynamic_values.tf
index d1f849600..6e10ff94b 100644
--- a/kms/dynamic_values.tf
+++ b/kms/dynamic_values.tf
@@ -10,6 +10,7 @@ module "dynamic_values" {
 kms_data = data.ibm_resource_instance.kms
 kms_resource = ibm_resource_instance.kms
 keys = var.keys
+ name = var.key_management.name
 }
 ##############################################################################
@@ -59,6 +60,7 @@ module "unit_test_kms_resource" {
 source = "./dynamic_values"
 hpcs_data = []
 kms_data = []
+ name = "test-kms"
 kms_resource = [{
 guid = "resource"
 crn = "resource"
diff --git a/kms/dynamic_values/main.tf b/kms/dynamic_values/main.tf
index da7967df3..3f6f8b7be 100644
--- a/kms/dynamic_values/main.tf
+++ b/kms/dynamic_values/main.tf
@@ -34,6 +34,11 @@ variable "keys" {
 default = []
 }
+variable "name" {
+ description = "Name of the kms instance"
+ default = null
+}
+
 ##############################################################################
 ##############################################################################
@@ -42,13 +47,15 @@ variable "keys" {
 locals {
 # Get key management type
- key_management_type = var.use_hs_crypto == true ? "hs-crypto" : var.use_data == true ? "data" : "resource"
+ key_management_type = var.use_hs_crypto == true ? "hs-crypto" : var.use_data == true ? "data" : var.name == null ? null : "resource"
 # Get GUID
 key_management_guid = (
 local.key_management_type == "hs-crypto"
 ? var.hpcs_data[0].guid
 : local.key_management_type == "data"
 ? var.kms_data[0].guid
+ : var.name == null
+ ? null
 : var.kms_resource[0].guid
 )
 # Get CRN
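Review bot: The new `variable "name"` block declares only `description` and `default = null`, so it has no type constraint and accepts any value; adding `type = string` makes a wrongly shaped input fail at plan time instead of inside the `var.name == null` comparisons in the `locals` below. The unit-test module in kms/dynamic_values.tf (earlier hunk on this page) only sets `name = "test-kms"`, so the null-name branches added to `key_management_type` and `key_management_guid` are never exercised; a second unit-test module with `name = null`, empty `kms_resource` and no keys would cover them. The description `"Name of the kms instance"` could also state the contract the code now relies on, e.g. `"Name of the KMS instance to create; null when no instance is managed by this module"`. The `locals` block in the second hunk continues outside the hunk.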
@@ -57,12 +64,14 @@ locals {
 ? var.hpcs_data[0].crn
 : local.key_management_type == "data"
 ? var.kms_data[0].crn
+ : var.name == null
+ ? null
 : var.kms_resource[0].crn
 )
 # Keys
 key_management_keys = {
 for encryption_key in var.keys :
- (encryption_key.name) => encryption_key
+ (encryption_key.name) => encryption_key if lookup(encryption_key, "existing_key_crn", null) == null
 }
 # Rings
 key_rings = distinct([
diff --git a/kms/outputs.tf b/kms/outputs.tf
index 1c06b10c6..07ce19f6d 100644
--- a/kms/outputs.tf
+++ b/kms/outputs.tf
@@ -4,12 +4,12 @@ output "key_management_name" {
 description = "Name of key management service"
- value = var.key_management.use_hs_crypto == true ? data.ibm_resource_instance.hpcs_instance[0].name : var.key_management.use_data == true ? data.ibm_resource_instance.kms[0].name : ibm_resource_instance.kms[0].name
+ value = var.key_management.use_hs_crypto == true ? data.ibm_resource_instance.hpcs_instance[0].name : var.key_management.use_data == true ? data.ibm_resource_instance.kms[0].name : var.key_management.name == null ? null : ibm_resource_instance.kms[0].name
 }
 output "key_management_crn" {
 description = "CRN for KMS instance"
- value = var.key_management.use_hs_crypto == true ? data.ibm_resource_instance.hpcs_instance[0].crn : var.key_management.use_data == true ? data.ibm_resource_instance.kms[0].crn : ibm_resource_instance.kms[0].crn
+ value = var.key_management.use_hs_crypto == true ? data.ibm_resource_instance.hpcs_instance[0].crn : var.key_management.use_data == true ? data.ibm_resource_instance.kms[0].crn : var.key_management.name == null ? null : ibm_resource_instance.kms[0].crn
 }
 output "key_management_guid" {
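Review bot: `output "key_management_guid"` begins on the hunk's last line with its body outside the hunk; the two outputs above it gained a `var.key_management.name == null ? null :` guard in front of `ibm_resource_instance.kms[0]`, and unless the guid output received the same guard it indexes an empty resource list when no instance is created (name null, keys supplied via `existing_key_crn`). Each of these outputs re-derives the instance type with a one-line nested ternary, duplicating the `key_management_type`/`key_management_guid`/`key_management_crn` locals this commit extends in kms/dynamic_values/main.tf; if the dynamic_values module exposes those as outputs, reading them here would keep the null handling in one place. A short comment above the guarded value, such as `# null when this module manages no KMS instance (keys referenced by existing_key_crn only)`, would explain why an output of the KMS module can legitimately be null.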
@@ -38,28 +38,43 @@ output "key_rings" {
 output "keys" {
 description = "List of names and ids for keys created."
- value = [
+ value = concat([
 for kms_key in var.keys :
 {
 name = kms_key.name
 id = ibm_kms_key.key[kms_key.name].id
 crn = ibm_kms_key.key[kms_key.name].crn
 key_id = ibm_kms_key.key[kms_key.name].key_id
- }
- ]
+ } if lookup(kms_key, "existing_key_crn", null) == null
+ ],
+ [
+ for kms_key in var.keys :
+ {
+ name = kms_key.name
+ crn = kms_key.existing_key_crn
+ } if lookup(kms_key, "existing_key_crn", null) != null
+ ]
+ )
 }
 output "key_map" {
 description = "Map of ids and keys for keys created"
- value = {
+ value = merge({
 for kms_key in var.keys :
 (kms_key.name) => {
 name = kms_key.name
 id = ibm_kms_key.key[kms_key.name].id
 crn = ibm_kms_key.key[kms_key.name].crn
 key_id = ibm_kms_key.key[kms_key.name].key_id
- }
- }
+ } if lookup(kms_key, "existing_key_crn", null) == null
+ },
+ {
+ for kms_key in var.keys :
+ (kms_key.name) => {
+ name = kms_key.name
+ crn = kms_key.existing_key_crn
+ } if lookup(kms_key, "existing_key_crn", null) != null
+ })
 }
 ##############################################################################
diff --git a/kms/variables.tf b/kms/variables.tf
index 6c0fd15b3..7abf713ec 100644
--- a/kms/variables.tf
+++ b/kms/variables.tf
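Review bot: The descriptions `"List of names and ids for keys created."` and `"Map of ids and keys for keys created"` are now inaccurate: both outputs also contain entries built from `existing_key_crn`, and those entries carry only `name` and `crn`, so any consumer reading `.id` or `.key_id` on them fails at plan time (the root module on this page switches every consumer to `.crn` for that reason). Suggest `description = "Keys available to the stack. Keys created by this module carry name, id, crn and key_id; keys referenced by existing_key_crn carry only name and crn."` and the equivalent wording for `key_map`. The second comprehension in each output filters with `lookup(kms_key, "existing_key_crn", null) != null` but then reads `kms_key.existing_key_crn` directly; since `keys` is a typed object list where the optional attribute is always present, `kms_key.existing_key_crn != null` in the filter would be consistent with the value expression.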
@@ -30,14 +30,15 @@ variable "keys" {
 description = "List of keys to be created for the service"
 type = list(
 object({
- name = string
- root_key = optional(bool)
- payload = optional(string)
- key_ring = optional(string) # Any key_ring added will be created
- force_delete = optional(bool)
- endpoint = optional(string) # can be public or private
- iv_value = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
- encrypted_nonce = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
+ name = string
+ root_key = optional(bool)
+ payload = optional(string)
+ key_ring = optional(string) # Any key_ring added will be created
+ force_delete = optional(bool)
+ existing_key_crn = optional(string)
+ endpoint = optional(string) # can be public or private
+ iv_value = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
+ encrypted_nonce = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
 policies = optional(
 object({
 rotation = optional(
diff --git a/module-metadata.json b/module-metadata.json
index 321701658..d0a231359 100644
--- a/module-metadata.json
+++ b/module-metadata.json
@@ -11,7 +11,7 @@ ], "pos": { "filename": "variables.tf", - "line": 1123 + "line": 1150 } }, "add_kms_block_storage_s2s": { @@ -25,7 +25,7 @@ ], "pos": { "filename": "variables.tf", - "line": 1488 + "line": 1515 } }, "appid": { @@ -42,7 +42,7 @@ ], "pos": { "filename": "variables.tf", - "line": 879 + "line": 906 } }, "atracker": { @@ -56,7 +56,7 @@ ], "pos": { "filename": "variables.tf", - "line": 758 + "line": 785 } }, "clusters": { @@ -69,7 +69,7 @@ ], "pos": { "filename": "variables.tf", - "line": 774 + "line": 801 } }, "cos": { @@ -112,7 +112,7 @@ ], "pos": { "filename": "variables.tf", - "line": 1392 + "line": 1419 } }, "f5_vsi": { @@ -125,7 +125,7 @@ ], "pos": { "filename": "variables.tf", - "line": 1255 + "line": 1282 } }, "iam_account_settings": { @@ -149,7 +149,7 @@ ], "pos": { "filename": "variables.tf", - "line": 1017 + "line": 1044 } }, "ibmcloud_api_key": {
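Review bot: `existing_key_crn = optional(string)` is added here without the comment the root variables.tf hunk on this page attaches to the same attribute (`# CRN of an existing key in the same or different account.`); the two declarations describe one contract and should carry the same text. More importantly, nothing rejects a key entry that sets `existing_key_crn` together with `payload`, `iv_value`, `encrypted_nonce` or `policies`: kms/dynamic_values/main.tf in this commit drops such entries from `key_management_keys`, so a rotation or dual-auth-delete policy requested on an existing key is silently never applied, which a reader of the variables would take as the key being protected. A `validation` block on `variable "keys"` along the lines below turns that combination into a plan-time error. The `variable "keys"` block continues past the end of the hunk.
```hcl
variable "keys" {
  # … unchanged: description and type …
  validation {
    error_message = "Keys that set existing_key_crn are referenced, not created: payload, iv_value, encrypted_nonce and policies must be null for them."
    condition = alltrue([
      for key in var.keys :
      key.existing_key_crn == null || (
        key.payload == null && key.iv_value == null && key.encrypted_nonce == null && key.policies == null
      )
    ])
  }
```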
@@ -167,7 +167,7 @@ }, "key_management": { "name": "key_management", - "type": "object({\n name = string\n resource_group = string\n use_data = optional(bool)\n use_hs_crypto = optional(bool)\n access_tags = optional(list(string), [])\n keys = optional(\n list(\n object({\n name = string\n root_key = optional(bool)\n payload = optional(string)\n key_ring = optional(string) # Any key_ring added will be created\n force_delete = optional(bool)\n endpoint = optional(string) # can be public or private\n iv_value = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.\n encrypted_nonce = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. 
Only for imported root key.\n policies = optional(\n object({\n rotation = optional(\n object({\n interval_month = number\n })\n )\n dual_auth_delete = optional(\n object({\n enabled = bool\n })\n )\n })\n )\n })\n )\n )\n })", + "type": "object({\n name = optional(string)\n resource_group = optional(string)\n use_data = optional(bool)\n use_hs_crypto = optional(bool)\n access_tags = optional(list(string), [])\n keys = optional(\n list(\n object({\n name = string\n root_key = optional(bool)\n payload = optional(string)\n key_ring = optional(string) # Any key_ring added will be created\n force_delete = optional(bool)\n existing_key_crn = optional(string) # CRN of an existing key in the same or different account.\n endpoint = optional(string) # can be public or private\n iv_value = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.\n encrypted_nonce = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.\n policies = optional(\n object({\n rotation = optional(\n object({\n interval_month = number\n })\n )\n dual_auth_delete = optional(\n object({\n enabled = bool\n })\n )\n })\n )\n })\n )\n )\n })", "description": "Key Protect instance variables", "required": true, "source": [ @@ -309,7 +309,7 @@ ], "pos": { "filename": "variables.tf", - "line": 1438 + "line": 1465 } }, "security_groups": { 
@@ -409,7 +409,7 @@ ], "pos": { "filename": "variables.tf", - "line": 923 + "line": 950 } }, "teleport_vsi": { @@ -422,7 +422,7 @@ ], "pos": { "filename": "variables.tf", - "line": 949 + "line": 976 } }, "transit_gateway_connections": { @@ -481,7 +481,7 @@ ], "pos": { "filename": "variables.tf", - "line": 1456 + "line": 1483 } }, "vpcs": { @@ -533,7 +533,7 @@ ], "pos": { "filename": "variables.tf", - "line": 858 + "line": 885 } } }, @@ -2441,7 +2441,7 @@ "description": "Map of ids and keys for keys created", "pos": { "filename": "kms/outputs.tf", - "line": 52 + "line": 60 } }, "key_rings": {
diff --git a/secrets_manager.tf b/secrets_manager.tf
index a3252ef0e..930b6d6eb 100644
--- a/secrets_manager.tf
+++ b/secrets_manager.tf
@@ -14,7 +14,7 @@ resource "ibm_resource_instance" "secrets_manager" {
 parameters = {
 kms_key = (
 lookup(var.secrets_manager, "kms_key_name", null) != null
- ? module.key_management.key_map[var.secrets_manager.kms_key_name].id
+ ? module.key_management.key_map[var.secrets_manager.kms_key_name].crn
 : null
 )
 }
diff --git a/variables.tf b/variables.tf
index ed3254e5c..41afe8e8b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -712,22 +712,23 @@ variable "service_endpoints" {
 variable "key_management" {
 description = "Key Protect instance variables"
 type = object({
- name = string
- resource_group = string
+ name = optional(string)
+ resource_group = optional(string)
 use_data = optional(bool)
 use_hs_crypto = optional(bool)
 access_tags = optional(list(string), [])
 keys = optional(
 list(
 object({
- name = string
- root_key = optional(bool)
- payload = optional(string)
- key_ring = optional(string) # Any key_ring added will be created
- force_delete = optional(bool)
- endpoint = optional(string) # can be public or private
- iv_value = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
- encrypted_nonce = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
+ name = string
+ root_key = optional(bool)
+ payload = optional(string)
+ key_ring = optional(string) # Any key_ring added will be created
+ force_delete = optional(bool)
+ existing_key_crn = optional(string) # CRN of an existing key in the same or different account.
+ endpoint = optional(string) # can be public or private
+ iv_value = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
+ encrypted_nonce = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
 policies = optional(
 object({
 rotation = optional(
@@ -746,6 +747,32 @@ variable "key_management" {
 )
 )
 })
+ validation {
+ error_message = "Name must be included if use_data is true."
+ condition = (
+ lookup(var.key_management, "use_data", null) == null
+ ) || (
+ lookup(var.key_management, "use_data", false) == false
+ ) || (
+ lookup(var.key_management, "name", null) != null &&
+ lookup(var.key_management, "use_data", false) == true
+ )
+ }
+ validation {
+ error_message = "Name must be included if use_hs_crypto is true."
+ condition = (
+ lookup(var.key_management, "use_hs_crypto", null) == null
+ ) || (
+ lookup(var.key_management, "use_hs_crypto", false) == false
+ ) || (
+ lookup(var.key_management, "name", null) != null &&
+ lookup(var.key_management, "use_hs_crypto", false) == true
+ )
+ }
+ validation {
+ condition = length(flatten([for key in var.key_management.keys : key if(lookup(key, "existing_key_crn", null) == null) && var.key_management.name == null])) == 0
+ error_message = "Please provide kms name to be created."
+ }
 }
 ##############################################################################
diff --git a/virtual_servers.tf b/virtual_servers.tf
index eae27bdf9..2369b56c4 100644
--- a/virtual_servers.tf
+++ b/virtual_servers.tf
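Review bot: The third `validation` iterates `var.key_management.keys`, which is declared `optional(list(...))` with no default and is therefore null whenever the caller omits it; Terraform rejects a `for` over a null value, so a `key_management` input without `keys` fails with an iteration error instead of a validation result. Guard the iteration, e.g. `for key in (var.key_management.keys == null ? [] : var.key_management.keys) :`, or give `keys` a default of `[]` in the type. The first two validations can drop `lookup`, since every attribute of the typed object always exists: `condition = var.key_management.use_data != true || var.key_management.name != null` (and the same for `use_hs_crypto`). The message `"Please provide kms name to be created."` would be clearer as `"key_management.name is required when any key omits existing_key_crn, because such keys are created in a new Key Protect instance."`.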
@@ -56,7 +56,7 @@ module "vsi" {
 image_id = data.ibm_is_image.image["${var.prefix}-${each.value.name}"].id
 boot_volume_encryption_key = each.value.boot_volume_encryption_key_name == null ? "" : [
 for keys in module.key_management.keys :
- keys.id if keys.name == each.value.boot_volume_encryption_key_name
+ keys.crn if keys.name == each.value.boot_volume_encryption_key_name
 ][0]
 security_group_ids = each.value.security_groups == null ? [] : [
 for group in each.value.security_groups :
@@ -81,7 +81,7 @@ module "vsi" {
 iops = volume.iops
 encryption_key = lookup(volume, "encryption_key", null) == null ? null : [
 for key in module.key_management.keys :
- key.id if key.name == volume.encryption_key
+ key.crn if key.name == volume.encryption_key
 ][0]
 }
 ]
name = optional(string)
resource_group = optional(string)
use_data = optional(bool)
use_hs_crypto = optional(bool)
access_tags = optional(list(string), [])
keys = optional(
list(
object({
name = string
root_key = optional(bool)
payload = optional(string)
key_ring = optional(string) # Any key_ring added will be created
force_delete = optional(bool)
existing_key_crn = optional(string) # CRN of an existing key in the same or different account.
endpoint = optional(string) # can be public or private
iv_value = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
encrypted_nonce = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
policies = optional(
object({
rotation = optional(
object({
interval_month = number
})
)
dual_auth_delete = optional(
object({
enabled = bool
})
)
})
)
})
)
)
})