feat: add the ability to skip the IAM Auth policy creation (COS -> KM…

…S) (#230)
terraform-ibm-modules · Mar 8, 2023 · 5b99ab3 · 5b99ab3
1 parent 8d2b082
commit 5b99ab3
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -158,6 +158,7 @@ You need the following permissions to run this module.
 | <a name="input_retention_minimum"></a> [retention\_minimum](#input\_retention\_minimum) | Specifies minimum duration of time an object must be kept unmodified for COS bucket. Only used if 'create\_cos\_bucket' is true. | `number` | `90` | no |
 | <a name="input_retention_permanent"></a> [retention\_permanent](#input\_retention\_permanent) | Specifies a permanent retention status either enable or disable for COS bucket. Only used if 'create\_cos\_bucket' is true. | `bool` | `false` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | (Deprecated) Will be removed in the next major release | `string` | `null` | no |
+| <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits the COS instance created to read the encryption key from the Key Protect instance in `existing_key_protect_instance_guid`. WARNING: An authorization policy must exist before an encrypted bucket can be created | `bool` | `false` | no |
 | <a name="input_sysdig_crn"></a> [sysdig\_crn](#input\_sysdig\_crn) | Sysdig Monitoring crn for COS bucket (Optional) | `string` | `null` | no |
 
 ## Outputs

diff --git a/examples/existing-resources/main.tf b/examples/existing-resources/main.tf
@@ -53,6 +53,16 @@ module "cos_instance" {
   cross_region_location               = null
   activity_tracker_crn                = null
   resource_key_existing_serviceid_crn = ibm_iam_service_id.resource_key_existing_serviceid.crn
+  skip_iam_authorization_policy       = true
+}
+
+# Create IAM Authorization Policy to allow COS to access key protect for the encryption key
+resource "ibm_iam_authorization_policy" "policy" {
+  source_service_name         = "cloud-object-storage"
+  source_resource_instance_id = module.cos_instance.cos_instance_guid
+  target_service_name         = "kms"
+  target_resource_instance_id = module.key_protect_all_inclusive.key_protect_guid
+  roles                       = ["Reader"]
 }
 
 ##############################################################################

diff --git a/main.tf b/main.tf
@@ -56,10 +56,10 @@ resource "ibm_resource_key" "resource_key" {
 locals {
   cos_instance_id      = var.create_cos_instance == true ? tolist(ibm_resource_instance.cos_instance[*].id)[0] : var.existing_cos_instance_id
   cos_instance_guid    = var.create_cos_instance == true ? tolist(ibm_resource_instance.cos_instance[*].guid)[0] : element(split(":", var.existing_cos_instance_id), length(split(":", var.existing_cos_instance_id)) - 3)
-  create_access_policy = var.encryption_enabled && var.create_cos_instance
+  create_access_policy = var.encryption_enabled && var.create_cos_instance && !var.skip_iam_authorization_policy
 }
 
-# Create IAM Access Policy to allow Key protect to access COS instance
+# Create IAM Authorization Policy to allow COS to access key protect for the encryption key
 resource "ibm_iam_authorization_policy" "policy" {
   count                       = local.create_access_policy ? 1 : 0
   source_service_name         = "cloud-object-storage"

diff --git a/module-metadata.json b/module-metadata.json
@@ -434,6 +434,16 @@
         "line": 84
       }
     },
+    "skip_iam_authorization_policy": {
+      "name": "skip_iam_authorization_policy",
+      "type": "bool",
+      "description": "Set to true to skip the creation of an IAM authorization policy that permits the COS instance created to read the encryption key from the Key Protect instance in `existing_key_protect_instance_guid`. WARNING: An authorization policy must exist before an encrypted bucket can be created",
+      "default": false,
+      "pos": {
+        "filename": "variables.tf",
+        "line": 296
+      }
+    },
     "sysdig_crn": {
       "name": "sysdig_crn",
       "type": "string",

diff --git a/variables.tf b/variables.tf
@@ -292,3 +292,9 @@ variable "instance_cbr_rules" {
   default     = []
   # Validation happens in the rule module
 }
+
+variable "skip_iam_authorization_policy" {
+  type        = bool
+  description = "Set to true to skip the creation of an IAM authorization policy that permits the COS instance created to read the encryption key from the Key Protect instance in `existing_key_protect_instance_guid`. WARNING: An authorization policy must exist before an encrypted bucket can be created"
+  default     = false
+}