terraform ibm-cloud terraform-provider-ibm

updateSubnetReservedIPOptions failed validation error upon creating a VSI in IBM Cloud with Terraform


When creating a VSI with Terraform, everything seems to be set up correctly, but it throws one enigmatic error regarding the appointed internal IP address.

Error: [ERROR] Error updating instance network interface reserved ip(): updateSubnetReservedIPOptions failed validation:
│ Key: 'UpdateSubnetReservedIPOptions.ID' Error:Field validation for 'ID' failed on the 'ne' tag
│ null
│ 
│ 
│   with module.vpc_workload.module.vsi_monitoring.ibm_is_instance.vsi,
│   on modules/create_vsi/vsi.tf line 1, in resource "ibm_is_instance" "vsi":
│    1: resource "ibm_is_instance" "vsi" {

The VSI and its IP are set up and work correctly, but any subsequent terraform apply that is done throws the error that the VSI instance is tainted. So it is a problem that needs to be solved in order to continue working on it.

Any idea what this could be? Perhaps a problem with the terraform-ibm-provider?

Tainted error:

  # module.vpc_workload.module.vsi_monitoring.ibm_is_instance.vsi is tainted, so must be replaced
-/+ resource "ibm_is_instance" "vsi" {
      ~ availability_policy_host_failure  = "restart" -> (known after apply)
      ~ bandwidth                         = 4000 -> (known after apply)
      ~ crn                               = "crn:v1:bluemix:public:is:eu-de-3:a/c0ff1d00dc6f6f66adce030d4dfac132::instance:02d7_bd6e47cc-7256-4995-a65b-6982b8440167" -> (known after apply)
      + default_trusted_profile_auto_link = (known after apply)
      ~ disks                             = [] -> (known after apply)
      ~ gpu                               = [] -> (known after apply)
      ~ id                                = "02d7_bd6e47cc-7256-4995-a65b-6982b8440167" -> (known after apply)
      ~ memory                            = 4 -> (known after apply)
      ~ metadata_service_enabled          = false -> (known after apply)
        name                              = "monitoring"
      ~ placement_target                  = [] -> (known after apply)
      ~ resource_controller_url           = "https://cloud.ibm.com/vpc-ext/compute/vs" -> (known after apply)
      ~ resource_crn                      = "crn:v1:bluemix:public:is:eu-de-3:a/c0ff1d00dc6f6f66adce030d4dfac132::instance:02d7_bd6e47cc-7256-4995-a65b-6982b8440167" -> (known after apply)
      ~ resource_group_name               = "toolbox-fra" -> (known after apply)
      ~ resource_name                     = "monitoring" -> (known after apply)
      ~ resource_status                   = "running" -> (known after apply)
      ~ status                            = "running" -> (known after apply)
      ~ status_reasons                    = [] -> (known after apply)
      ~ tags                              = [] -> (known after apply)
      ~ total_network_bandwidth           = 3000 -> (known after apply)
      ~ total_volume_bandwidth            = 1000 -> (known after apply)
      ~ vcpu                              = [
          - {
              - architecture = "amd64"
              - count        = 2
            },
        ] -> (known after apply)
      ~ volume_attachments                = [
          - {
              - id          = "02d7-630f0198-913e-4f66-9ca6-ec7cfc810077"
              - name        = "hybrid-probably-crayfish-tribute"
              - volume_crn  = "crn:v1:bluemix:public:is:eu-de-3:a/c0ff1d00dc6f6f66adce030d4dfac132::volume:r010-d1907aa9-9cf8-4ac6-9802-c898e13305e2"
              - volume_id   = "r010-d1907aa9-9cf8-4ac6-9802-c898e13305e2"
              - volume_name = "attach-earwig-crushable-decade"
            },
        ] -> (known after apply)
        # (8 unchanged attributes hidden)

Here's what I think is the relevant part of the vsi module

resource "ibm_is_instance" "vsi" {
  name           = var.name
  image          = var.image_id
  profile        = var.profile
  vpc            = var.vpc_id
  zone           = var.availability_zone
  keys           = var.ssh_key_ids
  resource_group = var.resource_group_id

  primary_network_interface {
    name            = "eth0"
    subnet          = var.subnet_id
    security_groups = [var.security_group_id]

    primary_ip {
      address     = var.ipv4_address
      name        = "${var.name}-primary-ip-address"
      auto_delete = false
    }
  }
}

Solution

  • What does your module's block for creating the VSI look like, i.e.

    resource "ibm_is_instance" "vsi" {
      ...
    }
    

    Are you using a primary_ip block inside, and is the name of the primary IP auto-generated?

    primary_ip {
          name = "<some-value-that-changes>?"
    }
    

    Thank you for the edits and for including the ibm_is_instance code block. I believe the problem is the way you are assigning the IP address (not saying that the provider should not be looking into fixing a few things, i.e. the primary_ip should have rejected unacceptable options), but the example that they provide for using the "primary_ip" section is for when you are assigning a reserved IP. If you are using a reserved IP, you should not be specifying the IP address, but instead the ID for the reserved IP, like so:

      primary_network_interface {
        name   = "eth0"
        subnet = ibm_is_subnet.example.id
        primary_ip {
          reserved_ip = ibm_is_subnet_reserved_ip.example.reserved_ip
        }
      } 
    

    If you want to specify an IP that is not reserved, but you believe is available to obtain, you can use

      primary_network_interface {
        subnet = ibm_is_subnet.example.id
        primary_ipv4_address = "10.240.0.6"
        allow_ip_spoofing = true
      }
    

    You can find the examples here: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_instance#example-usage
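
The reserved-IP approach from the answer, applied to the module shown in the question. This is an added example, not code from the original post or from the provider project; the resource label `vsi_primary` is an assumption, and the `var.*` inputs are the ones the question's module already uses.

```hcl
# Added example: reserve the wanted address in the subnet as its own resource,
# so the address, name and lifecycle are managed in one place.
resource "ibm_is_subnet_reserved_ip" "vsi_primary" {
  subnet      = var.subnet_id
  name        = "${var.name}-primary-ip-address"
  address     = var.ipv4_address
  auto_delete = false # keep the reservation when it is unbound from the interface
}

resource "ibm_is_instance" "vsi" {
  name           = var.name
  image          = var.image_id
  profile        = var.profile
  vpc            = var.vpc_id
  zone           = var.availability_zone
  keys           = var.ssh_key_ids
  resource_group = var.resource_group_id

  primary_network_interface {
    name            = "eth0"
    subnet          = var.subnet_id
    security_groups = [var.security_group_id]

    # Reference the reservation by ID only. The address, name and auto_delete
    # arguments moved to the reserved-IP resource above, so the instance
    # resource no longer has to update the reserved IP after creation.
    primary_ip {
      reserved_ip = ibm_is_subnet_reserved_ip.vsi_primary.reserved_ip
    }

    # allow_ip_spoofing is deliberately not set: pinning the address through
    # a reservation does not require relaxing the interface's source-IP check.
  }
}
```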