
vpc spoke dns resolver type can not be set to delegated after an ibm_is_vpc_dns_resolution_binding #5262

Open
powellquiring opened this issue Apr 5, 2024 · 6 comments
Labels
enhancement service/IAM Issues related to IAM service/VPC Infrastructure Issues related to the VPC Infrastructure

Comments

@powellquiring

powellquiring commented Apr 5, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

There isn’t currently a way in terraform to create a delegated system consisting of a hub and spoke VPC in 1 pass that includes an IAM authorization that specifies both the hub and spoke:

  1. hub vpc and resolvers
  2. spoke vpc
  3. IAM authorization hub_vpc, spoke_vpc
  4. resource "ibm_is_vpc_dns_resolution_binding" from spoke to hub
  5. set the spoke vpc DNS resolver type to delegated

Here is the iam authorization policy, notice it has the hub and spoke ids to narrow it as much as possible.

```hcl
resource "ibm_iam_authorization_policy" "policy" {
  #"DNSBindingConnector",
  roles = [
    "DNS Binding Connector",
  ]
  # subject: the spoke VPC (narrowed down to a single VPC id)
  subject_attributes {
    name  = "accountId"
    value = local.settings.account_id
  }
  subject_attributes {
    name  = "serviceName"
    value = "is"
  }
  subject_attributes {
    name  = "resourceType"
    value = "vpc"
  }
  subject_attributes {
    name  = "resource"
    value = local.spoke_vpc.id
  }
  # resource: the hub (transit) VPC
  resource_attributes {
    name  = "accountId"
    value = local.settings.account_id
  }
  resource_attributes {
    name  = "serviceName"
    value = "is"
  }
  resource_attributes {
    name  = "vpcId"
    value = local.transit_vpc.id
  }
}
```

The last step of setting the spoke to delegated currently requires that one goes back to the spoke vpc and makes an editing change.

A solution would be to add the type to the binding resource as shown below:

```hcl
resource "ibm_is_vpc_dns_resolution_binding" "spoke_vpc_dns_resolution_binding_by_id" {
  for_each = { for index, vpc in local.spoke_vpcs : index => vpc }
  name     = each.value.name
  vpc_id   = each.value.id
  type     = "delegated" # THIS IS NEW
  vpc {
    id = local.transit_vpc.id
  }
}
```

As a workaround it is possible to patch the spoke VPC DNS using curl. But this is problematic since the bearer token is persisted in the terraform state file and could (will likely) expire before the destroy operation is executed.

```hcl
# Requires the terracurl provider (e.g. devops-rob/terracurl) in required_providers.
locals {
  api_version      = "2024-04-04"
  vpc_api_endpoint = "https://${local.settings.region}.iaas.cloud.ibm.com"
  patch_delegated = {
    dns = {
      resolver = {
        type = "delegated"
        vpc = {
          id = local.transit_vpc.id
        }
        dns_binding_name = "spoke-to-transit"
      }
    }
  }
  patch_system = {
    dns = {
      resolver = {
        type = "system"
        vpc  = null
      }
    }
  }
  # The token is written to the state file together with the request headers.
  iam_access_token = sensitive(data.ibm_iam_auth_token.tokendata.iam_access_token)
  headers = {
    "Content-Type"  = "application/json"
    "Authorization" = local.iam_access_token
  }
}

resource "terracurl_request" "patch_delegated" {
  for_each = { for index, vpc in local.spoke_vpcs : index => vpc }
  name     = each.value.name
  # each.value is only available inside the resource, so the URL is built here, not in locals
  url          = "${local.vpc_api_endpoint}/v1/vpcs/${each.value.id}?version=${local.api_version}&generation=2"
  method       = "PATCH"
  request_body = jsonencode(local.patch_delegated)
  headers      = local.headers
  response_codes = [
    200,
    204
  ]

  # On destroy, revert the resolver to "system" with the same token (which may have expired by then)
  destroy_url          = "${local.vpc_api_endpoint}/v1/vpcs/${each.value.id}?version=${local.api_version}&generation=2"
  destroy_method       = "PATCH"
  destroy_request_body = jsonencode(local.patch_system)
  destroy_headers      = local.headers
  destroy_response_codes = [
    200,
    204
  ]
}
```

New or Affected Resource(s)

  • ibm_is_vpc_dns_resolution_binding

Potential Terraform Configuration

```hcl
resource "ibm_is_vpc_dns_resolution_binding" "spoke_vpc_dns_resolution_binding_by_id" {
  for_each = { for index, vpc in local.spoke_vpcs : index => vpc }
  name     = each.value.name
  vpc_id   = each.value.id
  type     = "delegated" # THIS IS NEW
  vpc {
    id = local.transit_vpc.id
  }
}
```
@github-actions github-actions bot added service/IAM Issues related to IAM service/VPC Infrastructure Issues related to the VPC Infrastructure labels Apr 5, 2024
@sumitkumartiwari
Collaborator

Closing based on @astha-jain comments.

@sumitkumartiwari
Collaborator

@powellquiring Please confirm if the issue can be closed?

@hFti

hFti commented Jan 17, 2025

@powellquiring @sumitkumartiwari
I can confirm that the change doesn't work.
Adding the dns_binding_name as mentioned in the doc doesn't create the dns binding resource.

In my plan it doesn't detect the creation of the dns binding.
Here is the code:

```hcl
resource "ibm_is_vpc" "vpc" {
  name = var.vpc_name
  dns {
    enable_hub = var.dns_hub
    dynamic "resolver" {
      for_each = toset(var.hub_dns_vpc)
      content {
        type             = "delegated"
        vpc_id           = resolver.value
        dns_binding_name = "${var.vpc_name}-dns"
      }
    }
  }
  resource_group              = var.resource_group_id
  address_prefix_management   = var.default_address_prefix
  default_network_acl_name    = var.default_network_acl_name
  default_security_group_name = var.default_security_group_name
  default_routing_table_name  = var.default_routing_table_name
  tags                        = var.vpc_tags
}
```

in the plan I get this

```text
  # module.vpc["toolchain"].ibm_is_vpc.vpc will be updated in-place
  ~ resource "ibm_is_vpc" "vpc" {
        id   = "r030-5a5425e0-629d-lkio-bdc3-lkir67"
        name = "vpc-toolchain"
        tags = [
            "landingzone",
            "terraform",
            "toolchain",
        ]
        # (26 unchanged attributes hidden)

      ~ dns {
            # (2 unchanged attributes hidden)

          ~ resolver {
              + dns_binding_name = "vpc-toolchain-dns"
              ~ type             = "system" -> "delegated"
              + vpc_id           = "r030-jkilmloj-98bc-hkkihv-9247-hjyubnhhjnh"
                # (2 unchanged attributes hidden)
            }
        }
    }
```

So no dns binding resource, and apply throws errors:

```text
[ERROR] Error Updating VPC : VPC does not have the DNS binding with the delegated VPC
{
"StatusCode": 400,
"Headers": {
"Allow-Snippet-Annotations": [
"true"
],
"Cache-Control": [
"max-age=0, no-cache, no-store, must-revalidate"
],
"Cf-Cache-Status": [
"DYNAMIC"
],
"Cf-Ray": [
"9037393328097805-CDG"
],
"Content-Length": [
"149"
],
"Content-Type": [
"application/json; charset=utf-8"
],
"Date": [
"Fri, 17 Jan 2025 15:01:57 GMT"
],
"Expires": [
"-1"
],
"Pragma": [
"no-cache"
],
"Server": [
"cloudflare"
],
"Strict-Transport-Security": [
"max-age=31536000; includeSubDomains"
],
"X-Content-Type-Options": [
"nosniff"
],
"X-Correlation-Id": [
"e5e95973-502a-466a-8fe2-f46e31fff534"
],
"X-Request-Id": [
"0f6bdb8d-3fb7-42ba-b147-b7aa8882870f"
],
"X-Xss-Protection": [
"1; mode=block"
]
},
"Result": {
"errors": [
{
"code": "bad_field",
"message": "VPC does not have the DNS binding with the delegated VPC"
}
],
"trace": "0f6bdb8d-3fb7-42ba-b147-b7aa8882870f"
},
"RawResult": null
}
```
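Added example (not code from the issue, the provider, or any participant): a pre-flight check for the delegation step the issue describes, covering both the curl workaround in the opening post and the `bad_field` failure hFti reports above. It assumes the spoke's binding list is shaped like the API's DNS resolution bindings list, each entry carrying a `vpc.id` (assumption about the API shape), that the PATCH body and URL are the ones quoted in the issue, and that the bearer token is read from the environment at run time rather than stored in Terraform state.

```python
"""Pre-flight check before setting a spoke VPC's DNS resolver to "delegated".
The API rejects the update with 400 bad_field ("VPC does not have the DNS
binding with the delegated VPC") unless the binding already exists, so the
body is only built once the binding is confirmed."""
import json
import os
import urllib.request

# Constructed sample: a spoke that already has a binding to the hub (ids are placeholders).
HUB_VPC_ID = "r006-hub-vpc-id-placeholder"
SAMPLE_BINDINGS = [
    {"name": "spoke-to-transit", "vpc": {"id": HUB_VPC_ID}},  # assumed entry shape
]


def has_binding_to(bindings, hub_vpc_id):
    """True when the spoke holds a DNS resolution binding whose target is hub_vpc_id."""
    return any(b.get("vpc", {}).get("id") == hub_vpc_id for b in bindings)


def resolver_patch(hub_vpc_id, binding_name):
    """PATCH body from the issue: dns.resolver -> delegated to the hub VPC."""
    return {"dns": {"resolver": {"type": "delegated",
                                 "vpc": {"id": hub_vpc_id},
                                 "dns_binding_name": binding_name}}}


def plan_delegation(bindings, hub_vpc_id, binding_name):
    """Build the PATCH body, or refuse when the binding is missing (the case in the thread)."""
    if not has_binding_to(bindings, hub_vpc_id):
        raise ValueError(f"no DNS resolution binding to {hub_vpc_id}; "
                         "create ibm_is_vpc_dns_resolution_binding first")
    return resolver_patch(hub_vpc_id, binding_name)


def patch_vpc_dns(region, vpc_id, body, api_version="2024-04-04"):
    """Send the PATCH quoted in the issue. The token comes from the environment
    at run time, so it is never persisted in Terraform state (assumption: the
    variable already holds the "Bearer ..." string the data source returns)."""
    token = os.environ["IBMCLOUD_IAM_TOKEN"]
    url = (f"https://{region}.iaas.cloud.ibm.com/v1/vpcs/{vpc_id}"
           f"?version={api_version}&generation=2")
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PATCH",
                                 headers={"Content-Type": "application/json",
                                          "Authorization": token})
    with urllib.request.urlopen(req) as resp:  # 200/204 expected, per the issue
        return resp.status
```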

@uibm
Collaborator

uibm commented Jan 17, 2025

looking at it

@uibm
Collaborator

uibm commented Jan 28, 2025

#5937 as per this fix, we are fixing the issue where the binding is not getting created in update operations
