| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2023-12-13 |
secure-infrastructure-vpc |
{{site.data.keyword.attribute-definition-list}}
{: #known-issues}
{: #ki-vsiqs-validation-fail}
With the QuickStart variation of the VSI on VPC landing zone that you deploy to {{site.data.keyword.cloud_notm}} projects, the configuration fails validation during the the Code Risk Analyzer scan. The QuickStart variation is designed to deploy quickly for demonstration and development and doesn't claim any controls for the scan.
{: #ki-svc-key-rhos}
Service ID API keys are not supported for the {{site.data.keyword.redhat_openshift_notm}} Container Platform on VPC landing zone deployable architecture. Use an {{site.data.keyword.cloud_notm}} API key. For more information, see Ensuring that the API key or infrastructure credentials owner has the correct permissions in the {{site.data.keyword.redhat_openshift_notm}} Cloud Docs.
{: #ki-trusted-profile}
When you deploy a deployable architecture with {{site.data.keyword.cloud_notm}} projects, you select an authentication method to deploy your configuration.
Currently, the {{site.data.keyword.redhat_openshift_notm}} Container Platform on VPC landing zone supports authenticating only with an API key and not a service ID API key (see previous known issue). Trusted profile is not supported as an authentication method for this landing zone.
{: #ki-scc-goals}
The deployable architectures support a set of security controls, and those controls are listed with the deployable architecture in the {{site.data.keyword.cloud_notm}} catalog.
If you use {{site.data.keyword.compliance_short}} or the Code Risk Analyzer plug-in for {{site.data.keyword.cloud_notm}} to scan your deployed resources against another security profile, you might see failures in the results.
{: #ki-unsupported-attribute}
If a Terraform apply or destroy operation is interrupted, you might see an "Unsupported attribute" error at the next Terraform operation. Typically, this error occurs when a destroy operation is cancelled or has an unexpected error.
Error: Unsupported attribute
on .terraform/modules/landing_zone/dynamic_values/config_modules/vsi/vsi.tf line 20, in module "vsi_subnets":
20: subnet_zone_list = var.vpc_modules[each.value.vpc_name].subnet_zone_list
├────────────────
│ each.value.vpc_name is "management"
│ var.vpc_modules is object with 3 attributes
This object does not have an attribute named "subnet_zone_list".
{: screen}
The error occurs because the interrupted operation leaves key resources in a partial deployment state and other resources are configured to use these missing components.
{: #ki-unsupported-workaround}
To complete the destroy operation that is stuck in this state, try to decouple the resources that depend on the missing components. To decouple the resources, use the override feature, for example by setting the override_json_string input variable.
- VSI on VPC landing zone deployable architectures that are missing their VPC components:
override_json_string='{"vsi": []}' - Red Hat OpenShift Container Platform on VPC landing zone deployable architectures:
override_json_string='{"clusters": []}'