key_protect_key parameter in ibm_database is silently ignored if changed

[l2fprod]

At first I created a Redis instance with no encryption:

resource ibm_database redis {
  name              = "${var.basename}-redis"
  resource_group_id = ibm_resource_group.group.id
  plan              = "standard"
  service           = "databases-for-redis"
  location          = var.region

  service_endpoints = "private"
  tags              = concat(var.tags, ["service"])
}

then I decided to add the encryption

resource ibm_database redis {
  name              = "${var.basename}-redis"
  resource_group_id = ibm_resource_group.group.id
  plan              = "standard"
  service           = "databases-for-redis"
  location          = var.region

  key_protect_key = ibm_kp_key.key.crn
  key_protect_instance = ibm_resource_instance.kms.crn

  service_endpoints = "private"
  tags              = concat(var.tags, ["service"])
}

Running apply does not detect any changes, which got me confused as the doc does not say anything. It seems key protect parameters are ignored after creation.

I'd rather have a message telling me that the instance will be replaced and let me decide whether I want this or want to abort my changes.

terraform-provider-ibm/ibm/resource_ibm_database.go

Line 176 in 281bd6f

"key_protect_instance": {

terraform-provider-ibm/ibm/resource_ibm_database.go

Line 182 in 281bd6f

"key_protect_key": {

[hkantare]

@l2fprod Can you validate same from UI ..I don't think so we can change the key-protect after creating a instance.

[l2fprod]

@hkantare

from the UI, we can't change the key-protect after creating the instance... and this is fine but ignoring the field is misleading.

I ran apply and thought my change was applied whereas it was just ignored. Instead we should just show a replace and let the user decide whether they want this. This applyOnce diff function looks dangerous.