feat: add support for api-key reset resource block <br> IMPORTANT: <br> - During updates, you may observe the destruction of a null_resource. This is expected and has no impact on existing resources. <br> - Moving forward, there is no capability to check for the existence of the containers-kubernetes-key ahead of cluster creation. As a result, the key will always be created, even if it already exists. (#795)

Aashiq-J · web-flow · commit 381aaeaaa945 · 2025-09-22T14:13:48.000+05:30
diff --git a/README.md b/README.md
@@ -259,6 +259,7 @@ Optionally, you need the following permissions to attach Access Management tags
 | Name | Type |
 |------|------|
 | [ibm_container_addons.addons](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_addons) | resource |
+| [ibm_container_api_key_reset.reset_api_key](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_api_key_reset) | resource |
 | [ibm_container_ingress_instance.instance](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_ingress_instance) | resource |
 | [ibm_container_vpc_cluster.autoscaling_cluster](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_vpc_cluster) | resource |
 | [ibm_container_vpc_cluster.cluster](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_vpc_cluster) | resource |
@@ -271,14 +272,12 @@ Optionally, you need the following permissions to attach Access Management tags
 | [null_resource.config_map_status](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.confirm_network_healthy](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.ocp_console_management](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [null_resource.reset_api_key](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [time_sleep.wait_for_auth_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [time_sleep.wait_for_reset_api_key](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [ibm_container_addons.existing_addons](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_addons) | data source |
 | [ibm_container_cluster_config.cluster_config](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster_config) | data source |
 | [ibm_container_cluster_versions.cluster_versions](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster_versions) | data source |
 | [ibm_container_vpc_worker_pool.all_pools](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_vpc_worker_pool) | data source |
-| [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source |
-| [ibm_iam_auth_token.reset_api_key_tokendata](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_auth_token) | data source |
 | [ibm_is_lbs.all_lbs](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_lbs) | data source |
 | [ibm_is_virtual_endpoint_gateway.api_vpe](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway) | data source |
 | [ibm_is_virtual_endpoint_gateway.master_vpe](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway) | data source |
@@ -322,7 +321,6 @@ Optionally, you need the following permissions to attach Access Management tags
 | <a name="input_skip_ocp_secrets_manager_iam_auth_policy"></a> [skip\_ocp\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_ocp\_secrets\_manager\_iam\_auth\_policy) | To skip creating auth policy that allows OCP cluster 'Manager' role access in the existing Secrets Manager instance for managing ingress certificates. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Metadata labels describing this cluster deployment, i.e. test | `list(string)` | `[]` | no |
 | <a name="input_use_existing_cos"></a> [use\_existing\_cos](#input\_use\_existing\_cos) | Flag indicating whether or not to use an existing COS instance for OpenShift internal registry storage. Only applicable if 'enable\_registry\_storage' is true | `bool` | `false` | no |
-| <a name="input_use_private_endpoint"></a> [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all API calls to use the IBM Cloud private endpoints. | `bool` | `false` | no |
 | <a name="input_verify_worker_network_readiness"></a> [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script runs kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, set this value to false. | `bool` | `true` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC instance where this cluster is provisioned. | `string` | n/a | yes |
 | <a name="input_vpc_subnets"></a> [vpc\_subnets](#input\_vpc\_subnets) | Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster is created. | <pre>map(list(object({<br/>    id         = string<br/>    zone       = string<br/>    cidr_block = string<br/>  })))</pre> | n/a | yes |
diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf
@@ -247,7 +247,6 @@ module "ocp_fscloud" {
   access_tags                      = var.access_tags
   ocp_version                      = var.ocp_version
   additional_lb_security_group_ids = [module.custom_sg["custom-lb-sg"].security_group_id]
-  use_private_endpoint             = true
   ocp_entitlement                  = var.ocp_entitlement
   enable_ocp_console               = false
   kms_config = {
diff --git a/main.tf b/main.tf
@@ -126,7 +126,7 @@ resource "ibm_resource_tag" "cos_access_tag" {
 ##############################################################################
 
 resource "ibm_container_vpc_cluster" "cluster" {
-  depends_on                          = [null_resource.reset_api_key]
+  depends_on                          = [time_sleep.wait_for_reset_api_key]
   count                               = var.ignore_worker_pool_size_changes ? 0 : 1
   name                                = var.cluster_name
   vpc_id                              = var.vpc_id
@@ -197,7 +197,7 @@ resource "ibm_container_vpc_cluster" "cluster" {
 
 # copy of the cluster resource above which ignores changes to the worker pool for use in autoscaling scenarios
 resource "ibm_container_vpc_cluster" "autoscaling_cluster" {
-  depends_on                          = [null_resource.reset_api_key]
+  depends_on                          = [time_sleep.wait_for_reset_api_key]
   count                               = var.ignore_worker_pool_size_changes ? 1 : 0
   name                                = var.cluster_name
   vpc_id                              = var.vpc_id
@@ -284,28 +284,16 @@ resource "ibm_resource_tag" "cluster_access_tag" {
 # when the IAM API key is initially created and when it is fully replicated across Cloudant instances where the API key
 # does not work because it is not fully replicated, so commands that require the API key may fail with 404.
 #
-# WORKAROUND:
-# Run a script that checks if an IAM API key already exists for the given region and resource group, and if it does not,
-# run the ibmcloud ks api-key reset command to create one. The script will then pause for some time to allow any IAM
-# Cloudant replication to occur. By doing this, it means the cluster provisioning process will not attempt to create a
-# new key, and simply use the key created by this script. So hence should not face 404s anymore.
-# The IKS team are tracking internally https://github.ibm.com/alchemy-containers/armada-ironsides/issues/5023
+# Enhancement Request: Add support to skip API key reset if a valid key already exists (https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6468).
 
-data "ibm_iam_auth_token" "reset_api_key_tokendata" {
-}
-
-data "ibm_iam_account_settings" "iam_account_settings" {
+resource "ibm_container_api_key_reset" "reset_api_key" {
+  region            = var.region
+  resource_group_id = var.resource_group_id
 }
 
-resource "null_resource" "reset_api_key" {
-  provisioner "local-exec" {
-    command     = "${path.module}/scripts/reset_iks_api_key.sh ${var.region} ${var.resource_group_id} ${var.use_private_endpoint} ${var.cluster_config_endpoint_type}"
-    interpreter = ["/bin/bash", "-c"]
-    environment = {
-      IAM_TOKEN  = data.ibm_iam_auth_token.reset_api_key_tokendata.iam_access_token
-      ACCOUNT_ID = data.ibm_iam_account_settings.iam_account_settings.account_id
-    }
-  }
+resource "time_sleep" "wait_for_reset_api_key" {
+  depends_on      = [ibm_container_api_key_reset.reset_api_key]
+  create_duration = "10s"
 }
 
 ##############################################################################
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
@@ -136,7 +136,6 @@ No resources.
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The Id of an existing IBM Cloud resource group where the cluster will be grouped. | `string` | n/a | yes |
 | <a name="input_service_subnet_cidr"></a> [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Metadata labels describing this cluster deployment | `list(string)` | `[]` | no |
-| <a name="input_use_private_endpoint"></a> [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all api calls to use the IBM Cloud private endpoints. | `bool` | `false` | no |
 | <a name="input_verify_worker_network_readiness"></a> [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC instance where this cluster will be provisioned | `string` | n/a | yes |
 | <a name="input_vpc_subnets"></a> [vpc\_subnets](#input\_vpc\_subnets) | Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster will be created | <pre>map(list(object({<br/>    id         = string<br/>    zone       = string<br/>    cidr_block = string<br/>  })))</pre> | n/a | yes |
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
@@ -11,7 +11,6 @@ module "fscloud" {
   ocp_entitlement                       = var.ocp_entitlement
   vpc_id                                = var.vpc_id
   vpc_subnets                           = var.vpc_subnets
-  use_private_endpoint                  = var.use_private_endpoint
   worker_pools                          = var.worker_pools
   disable_public_endpoint               = true
   cluster_config_endpoint_type          = var.cluster_config_endpoint_type
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
@@ -13,12 +13,6 @@ variable "region" {
   description = "The IBM Cloud region where the cluster will be provisioned."
 }
 
-variable "use_private_endpoint" {
-  type        = bool
-  description = "Set this to true to force all api calls to use the IBM Cloud private endpoints."
-  default     = false
-}
-
 # Cluster Variables
 variable "tags" {
   type        = list(string)
diff --git a/scripts/reset_iks_api_key.sh b/scripts/reset_iks_api_key.sh
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
@@ -233,7 +233,6 @@ module "ocp_base" {
   number_of_lbs                            = var.number_of_lbs
   pod_subnet_cidr                          = var.pod_subnet_cidr
   service_subnet_cidr                      = var.service_subnet_cidr
-  use_private_endpoint                     = var.use_private_endpoint
   verify_worker_network_readiness          = var.verify_worker_network_readiness
   worker_pools_taints                      = var.worker_pools_taints
   enable_secrets_manager_integration       = var.enable_secrets_manager_integration
diff --git a/solutions/quickstart/main.tf b/solutions/quickstart/main.tf
@@ -143,6 +143,5 @@ module "ocp_base" {
   disable_outbound_traffic_protection = var.allow_outbound_traffic
   access_tags                         = var.access_tags
   disable_public_endpoint             = !var.allow_public_access_to_cluster
-  use_private_endpoint                = true
   cluster_config_endpoint_type        = "default"
 }
diff --git a/variables.tf b/variables.tf
@@ -13,12 +13,6 @@ variable "region" {
   description = "The IBM Cloud region where the cluster is provisioned."
 }
 
-variable "use_private_endpoint" {
-  type        = bool
-  description = "Set this to true to force all API calls to use the IBM Cloud private endpoints."
-  default     = false
-}
-
 # Cluster Variables
 variable "tags" {
   type        = list(string)

Original file line number	Diff line number	Diff line change
`@@ -143,6 +143,5 @@ module "ocp_base" {`
`143`	`143`	`disable_outbound_traffic_protection = var.allow_outbound_traffic`
`144`	`144`	`access_tags = var.access_tags`
`145`	`145`	`disable_public_endpoint = !var.allow_public_access_to_cluster`
`146`		`- use_private_endpoint = true`
`147`	`146`	`cluster_config_endpoint_type = "default"`
`148`	`147`	`}`