fix: fixed bug which occrued when not provisioning a KMIP certificate but an adapter is created which attempts to index a null value. As part of this fix the kmip input variable has been marked as "sensitive" since it can contain a certificate value (#657)

MatthewLemmond · web-flow · commit 825452d60e0f · 2025-01-16T11:40:18.000Z
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -99,6 +99,18 @@ module "kms_root_key" {
   ]
 }
 
+module "kms_root_key_2" {
+  source          = "../.."
+  kms_instance_id = ibm_resource_instance.key_protect_instance.guid
+  key_name        = "${var.prefix}-root-key-2"
+
+  kmip = [
+    {
+      name = "${var.prefix}-kmip-adapter-2"
+    }
+  ]
+}
+
 ##############################################################################
 # KMS standard key
 ##############################################################################
diff --git a/main.tf b/main.tf
@@ -38,32 +38,46 @@ locals {
   # tflint-ignore: terraform_unused_declarations
   kmip_root_key_validation = (length(var.kmip) > 0 && var.standard_key) ? tobool("When providing a value for `kmip`, the key being created must be a root key.") : true
 
-  kmip_certs = flatten([
+  # for-each for adapter resource
+  adapter_map = {
+    for adapter in nonsensitive(var.kmip) : adapter.name => adapter
+  }
+
+  # add adapter name to certificate map
+  kmip_cert_list = flatten([
     [
-      for adapter in var.kmip : [
+      for adapter in nonsensitive(var.kmip) : [
         for certificate in adapter.certificates : {
           adapter_name     = adapter.name
           certificate_name = try(certificate.name, null)
           certificate      = certificate.certificate
           # Check if filepath string is given, used in ibm_kms_kmip_client_cert call
           cert_is_file = length(regexall("^.+\\.pem$", certificate.certificate)) > 0
         }
-      ]
+      ] if lookup(adapter, "certificates", null) != null
     ]
   ])
 
+  # for-each for cert resource
+  kmip_cert_map = {
+    for idx, cert in nonsensitive(local.kmip_cert_list) : "${cert.adapter_name}-${idx}" => cert
+  }
+
+  # building adapter output
   kmip_adapter_id_output = {
     for idx, _ in ibm_kms_kmip_adapter.kmip_adapter :
     idx => ibm_kms_kmip_adapter.kmip_adapter[idx].adapter_id
   }
+
+  # building cert output
   kmip_cert_id_output = {
     for idx, _ in ibm_kms_kmip_client_cert.kmip_cert :
     idx => ibm_kms_kmip_client_cert.kmip_cert[idx].cert_id
   }
 }
 
 resource "ibm_kms_kmip_adapter" "kmip_adapter" {
-  for_each    = { for adapter in var.kmip : adapter.name => adapter }
+  for_each    = local.adapter_map
   instance_id = var.kms_instance_id
   profile     = "native_1.0"
   profile_data = {
@@ -75,7 +89,7 @@ resource "ibm_kms_kmip_adapter" "kmip_adapter" {
 }
 
 resource "ibm_kms_kmip_client_cert" "kmip_cert" {
-  for_each      = { for idx, obj in local.kmip_certs : "${obj.adapter_name}-${idx}" => obj }
+  for_each      = local.kmip_cert_map
   endpoint_type = var.endpoint_type
   instance_id   = var.kms_instance_id
   adapter_id    = ibm_kms_kmip_adapter.kmip_adapter[each.value.adapter_name].adapter_id
diff --git a/variables.tf b/variables.tf
@@ -66,6 +66,7 @@ variable "kmip" {
       certificate = string
     })))
   }))
+  sensitive   = true
   description = "Allows a key to utilize the key management interoperability protocol (KMIP), for more information see https://cloud.ibm.com/docs/key-protect?topic=key-protect-kmip"
   default     = []
 
