I know how to create an App ID instance using the IBM Cloud browser UI, or via CLI and even utilizing Terraform. But what are the parameters for Terraform (and the Resource Controller API) to specify that a root key from my Key Protect instance should be used for encryption?
It seems that a parameter for the KMS instance and one for the root key are required. But what's their name?
I created an App ID instance with custom encryption in the browser UI, then retrieved the details using the CLI with --output JSON:
The above parameters indicate the required parameters to be passed on the CLI / API / Terraform.
I got it running with this configuration (simplified)
resource "ibm_resource_instance" "key_protect_instance" {
name = "name-your-kp-instance"
resource_group_id = data.ibm_resource_group.resource_group.id
service = "kms"
plan = "tiered-pricing"
location = local.ibm_region
}
resource "ibm_kms_key" "appid_root_key" {
instance_id = ibm_resource_instance.key_protect_instance.guid
key_name = "appid-root-key"
standard_key = false
endpoint_type = "private"
}
resource "ibm_iam_authorization_policy" "appid_kms" {
source_service_name = "appid"
target_service_name = "kms"
target_resource_instance_id = ibm_resource_instance.key_protect_instance.guid
roles = ["Reader"]
}
resource "ibm_resource_instance" "appid_instance" {
name = "name-your-appid-instance"
resource_group_id = data.ibm_resource_group.resource_group.id
service = "appid"
plan = "graduated-tier"
location = local.ibm_region
parameters = {
kms_info = jsonencode({
id = ibm_resource_instance.key_protect_instance.guid
url = "https://${local.ibm_region}.kms.cloud.ibm.com"
})
tek_id = ibm_kms_key.appid_root_key.crn
}
}
I made an issue for the missing documentation: https://github.com/ibm-cloud-docs/appid/issues/392#issuecomment-1534269880
