IBM App ID: What are the parameters to configure custom encryption during provisioning?


I know how to create an App ID instance using the IBM Cloud browser UI, or via CLI and even utilizing Terraform. But what are the parameters for Terraform (and the Resource Controller API) to specify that a root key from my Key Protect instance should be used for encryption?

It seems that a parameter for the KMS instance and one for the root key are required. But what's their name?

App ID with custom encryption


There are 2 answers

data_henrik On BEST ANSWER

I created an App ID instance with custom encryption in the browser UI, then retrieved the details using the CLI with --output JSON:

parameters in metadata

The above parameters indicate the required parameters to be passed on the CLI / API / Terraform.

  • kms_info: a JSON object with the KMS (Key Protect or Hyper Protect Crypto Services) ID and a url field.
  • tek_id: The actual CRN for the crypto key.
blaimi On

I got it running with this configuration (simplified)

# Key Protect instance that holds the root key
resource "ibm_resource_instance" "key_protect_instance" {
  name              = "name-your-kp-instance"
  resource_group_id = data.ibm_resource_group.resource_group.id
  service           = "kms"
  plan              = "tiered-pricing"
  location          = local.ibm_region
}

# Root key (standard_key = false) that App ID will use as its key-encryption key
resource "ibm_kms_key" "appid_root_key" {
  instance_id   = ibm_resource_instance.key_protect_instance.guid
  key_name      = "appid-root-key"
  standard_key  = false
  endpoint_type = "private"
}

# Service-to-service authorization: App ID needs Reader on the Key Protect
# instance before it can wrap/unwrap with the root key
resource "ibm_iam_authorization_policy" "appid_kms" {
  source_service_name         = "appid"
  target_service_name         = "kms"
  target_resource_instance_id = ibm_resource_instance.key_protect_instance.guid
  roles                       = ["Reader"]
}

# App ID instance; kms_info is passed as a JSON string (hence jsonencode),
# tek_id is the CRN of the root key
resource "ibm_resource_instance" "appid_instance" {
  name              = "name-your-appid-instance"
  resource_group_id = data.ibm_resource_group.resource_group.id
  service           = "appid"
  plan              = "graduated-tier"
  location          = local.ibm_region
  parameters = {
    kms_info = jsonencode({
      id = ibm_resource_instance.key_protect_instance.guid
      url = "https://${local.ibm_region}.kms.cloud.ibm.com"
    })
    tek_id = ibm_kms_key.appid_root_key.crn
  }
}

I made an issue for the missing documentation: https://github.com/ibm-cloud-docs/appid/issues/392#issuecomment-1534269880
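Both answers identify the same two parameters, kms_info (a JSON string carrying the KMS instance id and endpoint url) and tek_id (the root key CRN). The helper below is an added example, not code from the question or either answer, for the CLI / Resource Controller API path the question asks about: it builds that parameters map and, before returning it, checks that the key CRN actually names a root key in the KMS instance and region given in kms_info, so a mismatch is caught before provisioning rather than as an opaque failure from the service. The url pattern follows blaimi's Terraform answer (Key Protect only); the 10-field CRN layout is the standard IBM Cloud CRN format and is an assumption here, not something the page states. All GUIDs and CRNs in the block are constructed sample values.

```python
"""Build and sanity-check the App ID `parameters` map for custom encryption.

Added example; mirrors the kms_info / tek_id parameters from the answers.
The url pattern is Key Protect's, as used in blaimi's Terraform answer.
"""
import json

# Fields of an IBM Cloud CRN (assumed standard layout):
# crn:v1:bluemix:public:<service>:<region>:<scope>:<instance>:<resource-type>:<resource>
_CRN_FIELDS = ["prefix", "version", "cname", "ctype", "service", "region",
               "scope", "instance", "resource_type", "resource"]


def parse_crn(crn: str) -> dict:
    """Split a CRN into named segments; raise on anything that is not a 10-field CRN."""
    parts = crn.split(":")
    if len(parts) != len(_CRN_FIELDS) or parts[0] != "crn":
        raise ValueError(f"not a CRN: {crn!r}")
    return dict(zip(_CRN_FIELDS, parts))


def build_appid_parameters(kms_instance_guid: str, region: str, root_key_crn: str) -> dict:
    """Return the `parameters` map for an App ID instance using a customer root key.

    Checks performed before returning:
    - tek_id is a key CRN of the Key Protect service (service segment "kms")
    - the key lives in the KMS instance named in kms_info (instance GUID matches)
    - the key's region matches the region used for the Key Protect endpoint url
    """
    key = parse_crn(root_key_crn)
    if key["service"] != "kms":
        raise ValueError(f"tek_id must be a Key Protect key CRN, got service {key['service']!r}")
    if key["resource_type"] != "key":
        raise ValueError("tek_id must name a key, not another resource type")
    if key["instance"] != kms_instance_guid:
        raise ValueError("root key is not in the KMS instance referenced by kms_info")
    if key["region"] != region:
        raise ValueError("root key region does not match the KMS endpoint region")

    kms_info = {"id": kms_instance_guid, "url": f"https://{region}.kms.cloud.ibm.com"}
    # The Resource Controller takes parameters as a flat map; kms_info goes in
    # as a JSON *string*, which is what jsonencode() produces in the Terraform answer.
    return {"kms_info": json.dumps(kms_info, separators=(",", ":")),
            "tek_id": root_key_crn}


def parameters_json(parameters: dict) -> str:
    """Serialise the map as the JSON document for `ibmcloud resource
    service-instance-create ... -p '<json>'` or for the `parameters` field of a
    POST /v2/resource_instances request body."""
    return json.dumps(parameters)


if __name__ == "__main__":
    # Constructed sample values, not real resources.
    kms_guid = "1234abcd-0000-4000-8000-000000000001"
    key_crn = ("crn:v1:bluemix:public:kms:us-south:a/0123456789abcdef0123456789abcdef:"
               "1234abcd-0000-4000-8000-000000000001:key:9f8e7d6c-0000-4000-8000-000000000002")
    params = build_appid_parameters(kms_guid, "us-south", key_crn)
    print(parameters_json(params))
```

The returned map is exactly what the second answer's `parameters` block produces after Terraform evaluates `jsonencode`, so the same JSON can be handed to the CLI's `-p` flag or to the Resource Controller API. Hyper Protect Crypto Services, which the first answer also mentions, uses a different endpoint host, so this helper deliberately rejects anything other than a Key Protect (`kms`) CRN rather than guessing a url for it.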