Description
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform CLI and Terraform IBM Provider Version
Several between 1.61.0 and 1.81.1
Affected Resource(s)
- ibm_is_virtual_endpoint_gateway
Terraform Configuration Files
Source code location: https://github.com/terraform-ibm-modules/terraform-ibm-vpe-gateway/
Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.
```hcl
resource "ibm_is_virtual_endpoint_gateway" "vpe" {
  for_each = { # Create a map based on gateway name
    for gateway in local.gateway_list :
    (gateway.name) => gateway
  }
  name            = each.key
  vpc             = var.vpc_id
  resource_group  = var.resource_group_id
  security_groups = var.security_group_ids
  # check if target is a CRN and handle accordingly
  target {
    name          = length(regexall("crn:v1:([^:]*:){6}", each.value.crn)) > 0 ? null : each.value.crn
    crn           = length(regexall("crn:v1:([^:]*:){6}", each.value.crn)) > 0 ? each.value.crn : null
    resource_type = length(regexall("crn:v1:([^:]*:){6}", each.value.crn)) > 0 ? strcontains(each.value.crn, "private-path-service-gateway") ? "private_path_service_gateway" : "provider_cloud_service" : "provider_infrastructure_service"
  }
  allow_dns_resolution_binding = each.value.allow_dns_resolution_binding
}
```
This code works when the sysdig-monitor CRN is in any region other than ca-mon. If the monitor region is ca-mon it fails.
Debug Output
```
2025/08/08 16:23:30 Terraform apply | "Result": {
2025/08/08 16:23:30 Terraform apply | "errors": [
2025/08/08 16:23:30 Terraform apply | {
2025/08/08 16:23:30 Terraform apply | "code": "bad_field",
2025/08/08 16:23:30 Terraform apply | "message": "Could not find service"
2025/08/08 16:23:30 Terraform apply | }
2025/08/08 16:23:30 Terraform apply | ],
2025/08/08 16:23:30 Terraform apply | "trace": "16b98bae-19d5-48c0-9aac-fd89f028cd8c"
2025/08/08 16:23:30 Terraform apply | },
2025/08/08 16:23:30 Terraform apply | "RawResult": null
2025/08/08 16:23:30 Terraform apply | }
2025/08/08 16:23:30 Terraform apply | severity: error
2025/08/08 16:23:30 Terraform apply | resource: ibm_is_virtual_endpoint_gateway
2025/08/08 16:23:30 Terraform apply | operation: create
2025/08/08 16:23:30 Terraform apply | component:
2025/08/08 16:23:30 Terraform apply | name: github.com/IBM-Cloud/terraform-provider-ibm
2025/08/08 16:23:30 Terraform apply | version: 1.81.1
```
The service exists and the method is identical; running eu-de to eu-de works. Running anywhere to ca-mon fails as above.
Panic Output
Not applicable
Expected Behavior
A VPE gateway is created to the required IBM service. The gateway logic should determine the appropriate code path to use based on the service and location.
Actual Behavior
In ca-mon (but not anywhere else) with sysdig-monitoring (not sure about others) the gateway is not created.
Steps to Reproduce
terraform apply
Important Factoids
A reasonable amount of problem determination has been done already.
The sysdig-monitor service has a different target (as returned by ibmcloud is egts) in Montreal.
Anywhere else the service has instance-specific targets that look like this, including account and instance ID:
```
CRN               crn:v1:bluemix:public:sysdig-monitor:us-south:a/abac0df06b644a9cabc6e44f55b3880e:ff11282f-bbc5-48af-ab53-101babfbb9e7::
Name              qwerty-2-cloud-monitoring
Resource type     provider_cloud_service
Service location  us-south
```
but in Montreal there is a global/multi-tenant service target that looks like this, with no instance, just a service endpoint:
```
CRN                          crn:v1:bluemix:public:sysdig-monitor:ca-mon:::endpoint:private.ca-mon.monitoring.cloud.ibm.com
Parent                       ca-mon
Name                         prod-ca-mon_monitor
Resource type                provider_cloud_service
Endpoint type                vpe
Full qualified domain names  private.ca-mon.monitoring.cloud.ibm.com, ingest.prws.private.ca-mon.monitoring.cloud.ibm.com, ingest.private.ca-mon.monitoring.cloud.ibm.com
```
Additionally the UI from a Montreal VPC to Montreal sysdig-monitor service provides appropriate pickers and successfully creates a gateway.
All attempts to use Montreal sysdig-monitor have failed. This includes:
- Changing the code to use the endpoint CRN rather than the instance CRN
- Changing the code to use the provider block including `private_endpoint_type = "vpe"`
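As an added example (not part of the original issue, the module, or the provider): the Python below splits the two CRNs quoted above into the standard ten colon-separated CRN segments and replays the `regexall` classification from the `target` block. It shows that both CRNs yield the same `target` arguments even though the ca-mon CRN carries no account scope or instance ID. The function names and the `instance` / `service-endpoint` labels are assumptions made for this example.

```python
import re
from typing import NamedTuple

# Same pattern the module's target block uses to decide "is this a CRN?"
MODULE_CRN_RE = re.compile(r"crn:v1:([^:]*:){6}")

class CRN(NamedTuple):
    version: str
    cname: str
    ctype: str
    service_name: str
    location: str
    scope: str
    service_instance: str
    resource_type: str
    resource: str

def parse_crn(value: str) -> CRN:
    """Split a CRN into the nine fields that follow the 'crn' prefix."""
    parts = value.split(":")
    if len(parts) != 10 or parts[0] != "crn":
        raise ValueError(f"not a 10-segment CRN: {value!r}")
    return CRN(*parts[1:])

def module_target(value: str) -> dict:
    """Reproduce the name/crn/resource_type choice from the target block."""
    if MODULE_CRN_RE.search(value):  # regexall is unanchored, like search()
        rtype = ("private_path_service_gateway"
                 if "private-path-service-gateway" in value
                 else "provider_cloud_service")
        return {"name": None, "crn": value, "resource_type": rtype}
    return {"name": value, "crn": None,
            "resource_type": "provider_infrastructure_service"}

def target_kind(value: str) -> str:
    """Label the CRN shape (labels are this example's own, not IBM terms)."""
    crn = parse_crn(value)
    if crn.scope and crn.service_instance:
        return "instance"
    if crn.resource_type == "endpoint" and crn.resource:
        return "service-endpoint"
    return "other"

# The two CRNs quoted in the issue
US_SOUTH = "crn:v1:bluemix:public:sysdig-monitor:us-south:a/abac0df06b644a9cabc6e44f55b3880e:ff11282f-bbc5-48af-ab53-101babfbb9e7::"
CA_MON = "crn:v1:bluemix:public:sysdig-monitor:ca-mon:::endpoint:private.ca-mon.monitoring.cloud.ibm.com"

if __name__ == "__main__":
    for c in (US_SOUTH, CA_MON):
        print(target_kind(c), module_target(c)["resource_type"])
```

Running a check like `target_kind` over the gateway list before `terraform apply` flags which targets are service-level endpoints rather than per-instance CRNs, which is the one difference the issue identifies between the working and failing regions.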