change

Vipin Kumar · Vipin Kumar · commit 0b526a1d3f4f · 2025-05-07T13:11:15.000+05:30
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
@@ -195,65 +195,16 @@ module "kms" {
 # COS
 #######################################################################################################################
 
-# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
-resource "time_sleep" "wait_for_authorization_policy" {
-  depends_on      = [ibm_iam_authorization_policy.policy]
-  count           = var.skip_cos_kms_auth_policy ? 0 : 1
-  create_duration = "30s"
-}
 
 # Data source to account settings for retrieving COS cross account id
 data "ibm_iam_account_settings" "iam_cos_account_settings" {
   provider = ibm.cos
 }
 
-# The auth policy is being created here instead of in COS module because of this limitation: https://github.com/terraform-ibm-modules/terraform-ibm-observability-da/issues/8
-
-# Create IAM Authorization Policy to allow COS to access KMS for the encryption key
-resource "ibm_iam_authorization_policy" "policy" {
-  count = local.apply_auth_policy
-  # Conditionals with providers aren't possible, using ibm.kms as provider incase cross account is enabled
-  provider                    = ibm.kms
-  source_service_account      = data.ibm_iam_account_settings.iam_cos_account_settings.account_id
-  source_service_name         = "cloud-object-storage"
-  source_resource_instance_id = local.cos_instance_guid
-  roles                       = ["Reader"]
-  description                 = "Allow the COS instance ${local.cos_instance_guid} to read the ${local.kms_service} key ${local.cos_kms_key_id} from the instance ${local.existing_kms_guid}"
-  resource_attributes {
-    name     = "serviceName"
-    operator = "stringEquals"
-    value    = local.kms_service
-  }
-  resource_attributes {
-    name     = "accountId"
-    operator = "stringEquals"
-    value    = local.kms_account_id
-  }
-  resource_attributes {
-    name     = "serviceInstance"
-    operator = "stringEquals"
-    value    = local.existing_kms_guid
-  }
-  resource_attributes {
-    name     = "resourceType"
-    operator = "stringEquals"
-    value    = "key"
-  }
-  resource_attributes {
-    name     = "resource"
-    operator = "stringEquals"
-    value    = local.cos_kms_key_id
-  }
-  # Scope of policy now includes the key, so ensure to create new policy before
-  # destroying old one to prevent any disruption to every day services.
-  lifecycle {
-    create_before_destroy = true
-  }
-}
+
 
 
 module "cos_bucket" {
-  depends_on = [time_sleep.wait_for_authorization_policy]
   providers = {
     ibm = ibm.cos
   }
@@ -269,7 +220,7 @@ module "cos_bucket" {
       kms_guid                      = local.existing_kms_guid
       kms_encryption_enabled        = var.kms_encryption_enabled_buckets
       kms_key_crn                   = local.cos_kms_key_crn
-      skip_iam_authorization_policy = true
+      skip_iam_authorization_policy = local.apply_auth_policy == 0 ? true : false
       management_endpoint_type      = var.management_endpoint_type_for_bucket
       storage_class                 = value.class
       resource_instance_id          = local.cos_instance_crn
