FAQs

How do I find the flavor and parameters to configure a virtual service instance in IBM Cloud?

The Terraform on IBM Cloud ibm_compute_vm_instance resource includes optional and mandatory configuration parameters. To find an overview of how you can configure your virtual server, use the IBM Cloud CLI.

  1. Install the IBM Cloud CLI.

  2. List supported configuration options for virtual servers in IBM Cloud. The listed options include available data centers, machine flavors, CPU, memory, operating systems, local disk and SAN disk sizes, and network interface controllers (NIC). IBM Cloud offers multiple virtual server offerings that each come with a specific configuration. The configuration of an offering is optimized for a specific workload need, such as high performance, or real-time analytics. For more information, see Public Virtual Servers.

    ibmcloud sl vs options
    

How long does it take for my resources to provision and delete?

Most IBM Cloud platform resources provision within a few seconds. Infrastructure resources, including Bare Metal servers, virtual servers, and IBM Cloud Load Balancers can take longer. When you run the terraform apply or terraform destroy command, the command might take a few minutes to complete and you are not able to enter a different command during that time. The terraform apply command returns when your resources are fully provisioned, whereas the terraform destroy command might return before your resources are deleted from your IBM Cloud platform or infrastructure portfolio.

Use the terraform apply and terraform destroy times in the following table as a reference for when you can expect your commands to complete.

If the Terraform on IBM Cloud operation does not complete due to a timeout, wait for the resource state change to complete and retry the operation.

Overview of Terraform apply and destroy command completion times

| Resource | terraform apply return time | terraform destroy return time |
|---|---|---|
| IBM Cloud platform resources | A few seconds | A few seconds |
| Virtual servers | A few seconds | A few seconds |
| IBM Cloud Load Balancers | A few seconds | Up to 30 minutes |
| Bare Metal servers | Up to a few hours | Up to a few hours |

How do I set up Terraform on IBM Cloud greater than v0.13.0?

For detailed steps, see how to install the Terraform on IBM Cloud and install the IBM Cloud Provider plug-in.

How can I resolve the error when provisioning an ibm_container_alb_cert resource with secret?

```text
stderr :
Error: Error waiting for create resource alb cert (buvlsclf0qcur3hjcrng/ingress-tls-cert) : The resource alb cert buvlsclf0qcur3hjcrng/ingress-tls-cert does not exist anymore: Request failed with status code: 404, ServerErrorResponse: {"incidentID":"5f82fa1696ce299a-IAD","code":"E0024","description":"The specified Ingress secret name is not found for this cluster.","type":"ALBSecret","recoveryCLI":"To list the Ingress secrets for a cluster, run 'ibmcloud ks ingress secret ls -c \u003ccluster_name_or_ID\u003e'."}
```

Update the IBM Cloud provider to version 1.16.1 or above, which supports the create secret feature in ibm_container_alb_cert.

How can I set or add multiple address prefixes to the configuration file when provisioning VPC?

The address_prefix_management argument indicates whether a default address prefix is created automatically or manually for each zone in the VPC. Supported values are auto and manual. The default value is auto. In most scenarios the default address prefixes are used, so the argument is optional and does not need to be specified when you create the VPC through Terraform.

If you require one or more address prefixes, define them as part of resource provisioning in the configuration file. To configure multiple address prefixes, define the arguments as shown in the code block. For more information, see ibm_is_vpc_address_prefix data source.

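```terraform
resource "ibm_is_vpc" "testacc_vpc" {
  name = "testvpc"
  # Create the address prefixes yourself; the automatic default prefix for a
  # zone would overlap with the custom prefixes below.
  address_prefix_management = "manual"
}

resource "ibm_is_vpc_address_prefix" "testacc_vpc_address_prefix" {
  name = "test"
  zone = "us-south-1"
  vpc  = ibm_is_vpc.testacc_vpc.id
  cidr = "10.240.0.0/24"
}

# Address prefixes in the same VPC must not overlap, so the second prefix
# uses a different CIDR block.
resource "ibm_is_vpc_address_prefix" "testacc_vpc_address_prefix2" {
  name = "test2"
  zone = "us-south-1"
  vpc  = ibm_is_vpc.testacc_vpc.id
  cidr = "10.240.1.0/24"
}
```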

How do I define a policy which has all resource groups?

An access group policy is a way to organize access in your account: you create, modify, or delete IAM access group policies to grant the members of a group permissions with appropriate privileges, such as Manager, Viewer, and Administrator. For more information, see the ibm_iam_access_group_policy resource and the ibm_iam_service_policy resource.

```terraform
resource "ibm_iam_access_group" "accgrp" {
  name = "rg"
}

resource "ibm_iam_access_group_policy" "policy" {
  access_group_id = ibm_iam_access_group.accgrp.id
  roles           = ["Manager", "Viewer", "Administrator"]

  # No specific resource group is named, so the policy applies to all
  # resource groups in the account.
  resources {
    resource_type = "resource-group"
  }
}
```

How do I configure policy for all services in all the resource groups for a user?

The sample code block configures the policy for all services in all resource groups. You must enter all of the roles in the roles list.

```terraform
resource "ibm_iam_user_policy" "policy" {
  ibm_id = "test@in.ibm.com"
  roles  = ["Viewer"]
}
```

How can I configure a target resource to connect from different regions?

You need to configure the different regions in the provider block by using the region parameter, as shown in the code block.

```terraform
// First code block
provider "ibm" {
  // Placeholder value. Supply the key through a variable or the IC_API_KEY
  // environment variable instead of committing it to the configuration.
  ibmcloud_api_key = "xxxxxx"
  region           = "eu-de"
}
```

```terraform
// Second code block
data "ibm_is_vpc" "vpc1" {
  name = "aa-kubecf-a"
}
```

How can I connect and retrieve information from multiple regions at once in the same template?

You can connect to and retrieve information from multiple regions by using the alias parameter, as shown in the example code block. For more information about configuring multiple provider blocks, see Multiple provider configurations.

```terraform
provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  generation       = 2
  region           = "eu-de"
}
```

```terraform
provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = "eu-de"
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  alias            = "eu-gb-alias"
  region           = "eu-gb"
}
```

How do I assign multiple resources to a group policy?

You can configure only one region for a resource list to a group policy, as shown in the code block. For more information about configuring the resource block, see Multiple provider configurations.

```terraform
resource "ibm_iam_user_policy" "policy" {
  ibm_id = "test@in.ibm.com"
  roles  = ["Viewer"]

  resources {
    service = "kms"
  }
}
```

How can I create access group policies and add memo as an attribute to the policy?

Here is a code block that helps you to create access group policies and add memo as an attribute to the policy.

```terraform
resource "ibm_iam_access_group_policy" "policy" {
  access_group_id = ibm_iam_access_group.grp.id
  roles           = ["Viewer"]
  resources {
    resource_type = "resource-group"
    resource      = "resource-id"
  }
}

# or, as an alternative to the block above, look up the resource group ID
# with a data source:

data "ibm_resource_group" "group" {
  name = "default"
}
resource "ibm_iam_access_group_policy" "policy" {
  access_group_id = ibm_iam_access_group.accgrp.id
  roles           = ["Viewer"]
  resources {
    resource_type = "resource-group"
    resource      = data.ibm_resource_group.group.id
  }
}
```

How do I create the Terraform resources of the same type in sequential order?

The sample code block helps to create the resources of the same type in a sequential order.

```terraform
resource "ibm_is_vpc" "res_a" {
  name = "test1"
}
resource "ibm_is_vpc" "res_b" {
  name = "test2"
  depends_on = [ibm_is_vpc.res_a]
}
```

How do I enable the User list visibility for the IAM in Terraform?

Currently, Schematics does not support enabling user list visibility. For more information about user list visibility, see ibm_iam_account_settings.

Can I configure the ibm_container_cluster Terraform resource to control the IPs on the IBM Cloud Object Storage bucket?

No, currently the API does not support IPs on the IBM Cloud Object Storage bucket. For more information about the argument and attribute reference for the container cluster, see ibm_container_cluster.

Can I retrieve a list of all the existing Virtual Servers for VPCs from all the regions by using Terraform?

Yes, but the VPC APIs are region specific, so ibm_is_vpcs returns the VPCs of only one region. If you require more than one region, define and use a provider alias during resource provisioning, as shown in the code block.

```terraform
provider "ibm" {
  region = "eu-de"
}

provider "ibm" {
  alias  = "dal"
  region = "us-south"
}

# Uses the default provider configuration (eu-de).
data "ibm_is_vpcs" "eu-de" {
}

# Uses the aliased provider configuration (us-south).
data "ibm_is_vpcs" "dal" {
  provider = ibm.dal
}

output "vpcs" {
  value = concat(
    tolist(data.ibm_is_vpcs.eu-de.vpcs),
    tolist(data.ibm_is_vpcs.dal.vpcs)
  )
}
```

How can I edit the flavor of an existing IKS worker pool without deleting or destroying an existing one by updating its machine_type?

Updating the machine type in the Terraform file provisions a new set of resources and creates an entirely new worker pool. You can use the sample code block to update.

```terraform
resource "ibm_container_cluster" "iks_cluster" {
  name            = var.cluster_name
  datacenter      = var.datacenter
  machine_type    = var.machine_type
  hardware        = var.hardware
  public_vlan_id  = var.public_vlan_id
  private_vlan_id = var.private_vlan_id
  disk_encryption = "true"

  kube_version = var.kube_version

  default_pool_size = var.pool_size

  public_service_endpoint  = "true"
  private_service_endpoint = "true"
  update_all_workers       = var.update_all_workers
  wait_for_worker_update   = "true"

  resource_group_id = var.resource_group.id
}
```

How can I secure a workspace by setting an environment variable?

Currently, the IBM Cloud Schematics service team is working to enable secure environment variables and support for passing credentials for modules. It is planned in the future roadmap. However, here is a sample code block to secure a workspace.

```text
Example input file get workspace:
  "env_values": [{
      "name": "GIT_ASKPASS",
      "value": "./git-askpass-helper.sh",
      "secure": false,
      "hidden": false
    },
    {
      "name": "GIT_PASSWORD",
      "value": "plain text token",
      "secure": false,
      "hidden": false
    }
  ]
```

How can I create ibm_function_trigger with Terraform that connects to an Event Stream?

The sample code block creates an ibm_function_trigger resource that uses the messageHubFeed feed. For more information about creating a trigger that listens to an Event Streams instance, see Event Streams Terraform reference.

```terraform
resource "ibm_function_trigger" "trigger" {
  name                     = "event-trigger"
  namespace                = "ns01"
  user_defined_annotations = jsonencode([])
  user_defined_parameters  = jsonencode([])
  feed {
    name       = "/whisk.system/messaging/messageHubFeed"
    parameters = jsonencode([])
  }
}
```

How do I associate a public gateway while creating multiple zones with a Subnet for each zone?

```text
{
  
  "StatusCode": 400,
  "Headers": {
    
    "Cache-Control": ["max-age=0, no-cache, no-store, must-revalidate"],
    "Cf-Cache-Status": ["DYNAMIC"],
    "Cf-Ray": ["6ab6a5e86ac41b69-DEL"],
    "Connection": ["keep-alive"],
    "Content-Length": ["261"],
    "Content-Type": ["application/json; charset=utf-8"],
    "Date": ["Tue, 09 Nov 2021 11:19:47 GMT"],
    "Expect-Ct": ["max-age=604800, report-uri=\"https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct\""],
    "Expires": ["-1"],
    "Pragma": ["no-cache"],
    "Server": ["cloudflare"],
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "Vary": ["Accept-Encoding"],
    "X-Content-Type-Options": ["nosniff"],
    "X-Request-Id": ["37b94c40-a4bf-4942-a0da-45dc5434d610"],
    "X-Xss-Protection": ["1; mode=block"]
  },
  "Result": {
    
    "errors": [{
      
      "code": "bad_field",
      "message": "Failed to attach public gateway of different zone to the subnet",
      "target": {
        
        "name": "public_gateway.id",
        "type": "field",
        "value": "r010-2df568da-f87e-468d-9696-27b05e126179"
      }
    }],
    "trace": "37b94c40-a4bf-4942-a0da-45dc5434d610"
  },
  "RawResult": null
}
```

The error is returned when a public gateway is attached to a subnet in a different zone. A zone can have multiple subnets, but you need at least one subnet per zone for IP distribution. One subnet can be part of only one zone. A public gateway can be attached to one or more subnets of the same zone. Each zone has only one public gateway.
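
One way to keep each subnet and its public gateway in the same zone is to key both resources by zone name. This is an added example, not part of the original FAQ; the zone list, resource names, and address count are assumptions, and the provider is assumed to target us-south.

```terraform
# Added example: names, zones and sizes are illustrative.
locals {
  zones = ["us-south-1", "us-south-2", "us-south-3"]
}

resource "ibm_is_vpc" "vpc" {
  name = "example-vpc"
}

# One public gateway per zone (each zone has only one public gateway).
resource "ibm_is_public_gateway" "gw" {
  for_each = toset(local.zones)

  name = "example-gw-${each.key}"
  vpc  = ibm_is_vpc.vpc.id
  zone = each.key
}

# One subnet per zone. The gateway is looked up with the same zone key, so a
# subnet can never reference a gateway that lives in a different zone.
resource "ibm_is_subnet" "subnet" {
  for_each = toset(local.zones)

  name                     = "example-subnet-${each.key}"
  vpc                      = ibm_is_vpc.vpc.id
  zone                     = each.key
  total_ipv4_address_count = 256
  public_gateway           = ibm_is_public_gateway.gw[each.key].id
}
```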

How can I resolve the unexpected HTTP status code 502 (502 Bad Gateway) null error when deploying an instance of IBM Cloud Database RabbitMQ by using Terraform?

The following sample Terraform configuration uses the default memory and disk allocation sizes for the RabbitMQ resource:

```terraform
resource "ibm_database" "messages-for-rabbitmq" {
  name              = "rabbitmq"
  plan              = "standard"
  location          = "eu-de"
  service           = "messages-for-rabbitmq"
  resource_group_id = data.ibm_resource_group.resource_group.id
  # Sample value only; supply the real password through a variable rather
  # than committing it to the configuration file.
  adminpassword                = "password12"
  members_memory_allocation_mb = 2048
  members_disk_allocation_mb   = 1024

  service_endpoints = var.service_endpoints
}
```

You have to update the memory and disk allocation size in the Terraform configuration file as shown in the code block.

```terraform
members_memory_allocation_mb = 3072
members_disk_allocation_mb   = 3072
```

For more information about configuring the memory and disk allocation for the database, see IBM Cloud Database instance.

How can I resolve cross-origin resource sharing (CORS) configuration issue while creating a cloudant instance?

You need the manager role to configure cross-origin resource sharing (CORS) and apply the plan successfully. With the writer role, you can only create an IBM Cloudant instance. For more information about IBM Cloudant instance access, see roles.

For example, to get the resource-controller.instance.create action, you need the Cloudant Platform editor or Administrator role. To configure a Cloudant instance feature, such as the cloudantnosqldb.sapi.usercors action, you need the cloudant service manager role. For more information about IBM Cloud cloudant, see ibm_cloudant resource.

Can I increase or decrease timeouts while deleting Terraform resource?

Yes, you can increase or decrease timeouts by using a timeouts block within your resource block, as shown in the example. For more information about a resource that has a timeouts block, see ibm_container_vpc_cluster timeouts.

```terraform
timeouts {
  create = "3h"
  update = "2h"
  delete = "1h"
}
```

```terraform
resource "ibm_container_cluster" "mycluster" {
  # ...
  timeouts {
    delete = "60m" # something higher than the default of 45m
  }
}
```

Can I update the changes into the current existing Terraform file?

Yes, Terraform saves the configuration in the form of the state file and identifies drift that is made outside Terraform. When you run terraform apply on the drift, Terraform reverts to the configuration that is present in your Terraform file. Hence, you can modify or update the Terraform files to be in line with the changes that are made outside Terraform and run terraform refresh.

How can I run Terraform files sequentially based on the results in IBM Cloud Schematics?

You can use module blocks. A module is a container for multiple resources that are used together. The Terraform configuration has at least one module, known as its root module, which consists of the resources defined in the .tf files of the main working directory. For more information about reusing configuration through modules, see terraform-ibm-modules.

Can I always set Terraform to use the latest or default version?

Yes, in the payload or JSON file, if the value for the type and template_type parameters is not declared, the default Terraform version is used at runtime. For more information, refer to specifying version constraints for the Terraform. You can specify the Terraform version in the payload by using the type or template_type parameter. However, check whether the type and template_type values contain the same version.

If I set "type": "terraform_v1.0" in the JSON file as shown in the code block, will Terraform version 1.0 continue to be used even if Terraform version 2.0 or higher is released?

Sample JSON file:

```json
{
  "name": "<workspace_name>",
  "type": "terraform_v1.0",
  "resource_group": "<resource_group>",
  "location": "",
  "description": "<workspace_description>",
  "template_repo": {
    "url": "http://xxxxx.git",
    "branch": "main"
  },
  "template_data": [{
    "folder": "",
    "type": "terraform_v1.0"
  }]
}
```

No, if the Terraform version is specified in the payload or template, only the version specified in versions.tf is considered during provisioning. To use the latest Terraform version, you can configure the required_version parameter as required_version = ">=1.0.0, <2.0". For more information, refer to Version constraints for the Terraform.

Can I specify only the provider version in the version parameter? Or is it mandatory to provide the required_version parameter in the versions.tf file?

Yes, you need to specify version = "x.x.x", which signifies the IBM Cloud provider version, whereas required_version = ">1.0.0, <2.0" signifies the Terraform version to provision with. For more information, refer to Version constraints for the Terraform. If the version parameter is not declared in your versions.tf file, the latest version of the provider plug-in is automatically used in Schematics. For more information, refer to Version constraints for the Terraform providers.
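
A versions.tf file that sets both parameters from the two answers above, shown as an added example that is not taken from the IBM documentation. The provider version number is illustrative.

```terraform
# versions.tf (added example; the provider version number is illustrative)
terraform {
  # Terraform version: any 1.x release from 1.0.0 up, never 2.0 or later.
  required_version = ">=1.0.0, <2.0"

  required_providers {
    ibm = {
      source = "IBM-Cloud/ibm"

      # IBM Cloud provider plug-in version. If this line is omitted,
      # Schematics automatically uses the latest provider release, so an
      # unreviewed provider upgrade can reach your workspace.
      version = "1.16.1"
    }
  }
}
```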

How can I deploy one resource in two different IBM Cloud accounts?

Use provider aliases to deploy a resource into different IBM Cloud accounts, because each provider configuration can target a different account. For more information about the configuration, see Creating multiple provider configurations.
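
The alias approach with one API key per account, as an added example that is not from the original FAQ. The variable names, the alias name, the region, and the VPC names are assumptions.

```terraform
# Added example: variable, alias and resource names are illustrative.
variable "account_a_api_key" {
  type      = string
  sensitive = true # redacts the value in plan and apply output (Terraform 0.14 or later)
}

variable "account_b_api_key" {
  type      = string
  sensitive = true
}

# Default provider configuration: authenticates to the first account.
provider "ibm" {
  ibmcloud_api_key = var.account_a_api_key
  region           = "us-south"
}

# Aliased provider configuration: authenticates to the second account.
provider "ibm" {
  alias            = "account_b"
  ibmcloud_api_key = var.account_b_api_key
  region           = "us-south"
}

# Created in the first account through the default provider configuration.
resource "ibm_is_vpc" "vpc_account_a" {
  name = "shared-vpc"
}

# The same resource type, created in the second account through the alias.
resource "ibm_is_vpc" "vpc_account_b" {
  provider = ibm.account_b
  name     = "shared-vpc"
}
```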

Can I automate the certificates to the Secrets Manager by using Terraform provider?

No, currently there is no option to automate moving the certificates to the Secrets Manager. As a workaround, you can create a Secrets Manager instance with ibm_resource_instance.

```terraform
resource "ibm_resource_instance" "secret_manager" {
  name              = "test"
  service           = "secrets-manager"
  plan              = "trial"
  location          = "us-south"
  resource_group_id = ibm_resource_group.group.id
  parameters = {
    kms_info = data.ibm_resource_instance.kms.id
    kms_key  = ibm_kms_key.secrets_manager_root_key.id
  }
}
```