https://github.com/IBM-Cloud/terraform-provider-ibm/pull/6327 broke existing configs using ibm_pi_key #6478

@thozza

Description

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

Affected Resource(s)

  • ibm_pi_key

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

I'm not going to include full Terraform configs, but this should be enough to get the gist of what is happening. We have a set of PowerVM instances that have SSH keys configured. We are also maintaining SSH keys as a resource in IBMC using Terraform.

We had the ibm_pi_key resources that were created by a terraform-provider-ibm version prior to 1.80.0 and prior to #6327.

Running the same config against the existing infrastructure without anything changing in the infra or in the config now fails with 1.80.1. The problem is the newly added optional pi_visibility argument and its default value, which differs for resources created with older versions, and the IBMC API fails to change it for whatever reason.

...

# SSH keys
resource "ibm_pi_key" "redhat_worker_service_ssh_pub_key" {
  pi_cloud_instance_id = data.ibm_resource_instance.workspace.guid
  pi_key_name          = local.workspace_name == "staging" ? "osbuild-infra-stage" : "osbuild-infra-prod"
  pi_ssh_key           = local.workspace_name == "staging" ? local.public_key_stage : local.public_key_prod
}

data "ibm_pi_key" "redhat_worker_service_ssh_pub_key" {
  pi_cloud_instance_id = data.ibm_resource_instance.workspace.guid
  pi_key_name          = resource.ibm_pi_key.redhat_worker_service_ssh_pub_key.pi_key_name
}

...

Debug Output

Panic Output

Expected Behavior

Running the existing terraform config that uses ibm_pi_key without any change in the config or infra should not fail when using a new version of terraform-provider-ibm.

Actual Behavior

Without changing anything in the terraform config or in the infra, the config fails with 1.80.1 or newer:

  # ibm_pi_key.redhat_worker_service_ssh_pub_key will be updated in-place
  ~ resource "ibm_pi_key" "redhat_worker_service_ssh_pub_key" {
        id                   = "0892ac90-6bb8-4110-876a-79dc3dcf2074/osbuild-infra-stage"
        name                 = "osbuild-infra-stage"
      ~ pi_visibility        = "account" -> "workspace"
        # (7 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
╷
│ Error: failed to Update PI SSH Key osbuild-infra-stage with error [PUT /v1/ssh-keys/{sshkey_id}][400] v1SshkeysPutBadRequest {"description":"Bad Request: only name and ssh key can be updated for SSH keys created using tenant API","error":"Bad Request"}
│ 
│   with ibm_pi_key.redhat_worker_service_ssh_pub_key,
│   on redhat-workers.tf line 197, in resource "ibm_pi_key" "redhat_worker_service_ssh_pub_key":
│  197: resource "ibm_pi_key" "redhat_worker_service_ssh_pub_key" {
│ 
╵

Steps to Reproduce

  1. Create ibm_pi_key resources with the provider version 1.80.0 or older.
  2. Run the same config with provider version 1.80.1 or newer, against the project with the resources created in the previous step.

Important Factoids

References

  • #0000
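
A pre-upgrade check for the drift described in this issue, as an added example that is not part of the original report or the provider's code: it reads the JSON form of a plan (as produced by `terraform show -json <planfile>`) and lists `ibm_pi_key` in-place updates whose only difference is `pi_visibility`. The sample plan is constructed to mirror the plan output above, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# The first entry mirrors the plan in the issue; key material is made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "ibm_pi_key.redhat_worker_service_ssh_pub_key", "type": "ibm_pi_key",
   "change": {"actions": ["update"],
     "before": {"name": "osbuild-infra-stage", "pi_ssh_key": "ssh-ed25519 AAAA-constructed", "pi_visibility": "account"},
     "after":  {"name": "osbuild-infra-stage", "pi_ssh_key": "ssh-ed25519 AAAA-constructed", "pi_visibility": "workspace"}}},
  {"address": "ibm_pi_key.rotated", "type": "ibm_pi_key",
   "change": {"actions": ["update"],
     "before": {"name": "rotated", "pi_ssh_key": "ssh-ed25519 AAAA-old", "pi_visibility": "workspace"},
     "after":  {"name": "rotated", "pi_ssh_key": "ssh-ed25519 AAAA-new", "pi_visibility": "workspace"}}},
  {"address": "ibm_pi_key.fresh", "type": "ibm_pi_key",
   "change": {"actions": ["create"], "before": null,
     "after": {"name": "fresh", "pi_ssh_key": "ssh-ed25519 AAAA-x", "pi_visibility": "workspace"}}}
]}
""")

def changed_attrs(change):
    """Names of top-level attributes whose value differs between before and after."""
    before = change.get("before") or {}
    after = change.get("after") or {}
    # An attribute missing from `after` (value not yet known) counts as changed,
    # so such a resource is conservatively not reported as visibility-only.
    return {k for k in before.keys() | after.keys() if before.get(k) != after.get(k)}

def visibility_only_updates(plan, rtype="ibm_pi_key", attr="pi_visibility"):
    """Return (address, old, new) for in-place updates that change nothing but `attr`."""
    hits = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != rtype or change.get("actions") != ["update"]:
            continue  # creates, deletes and replacements are not this failure mode
        if changed_attrs(change) == {attr}:
            hits.append((rc["address"], change["before"].get(attr), change["after"].get(attr)))
    return hits

if __name__ == "__main__":
    for address, old, new in visibility_only_updates(SAMPLE_PLAN):
        print(f"{address}: {old!r} -> {new!r} (only pi_visibility differs)")
```

Run against a plan generated with the newer provider version, a non-empty result identifies the keys that would hit the failing update before `terraform apply` is attempted.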
