
Commit 15db4de

fix: fixed bug in the DA when using KMS from another account (#112)
1 parent ad05771 commit 15db4de


1 file changed

+14
-13
lines changed

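--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -64,22 +64,23 @@ module "cloud_logs" {
 
 locals {
 use_kms_module = var.kms_encryption_enabled_buckets && var.existing_kms_key_crn == null
-kms_region = var.kms_encryption_enabled_buckets ? module.existing_kms_crn_parser[0].region : null
-existing_kms_guid = var.kms_encryption_enabled_buckets ? module.existing_kms_crn_parser[0].service_instance : var.existing_kms_key_crn != null ? module.existing_kms_key_crn_parser[0].service_instance : null
-kms_service_name = var.kms_encryption_enabled_buckets ? module.existing_kms_crn_parser[0].service_name : var.existing_kms_key_crn != null ? module.existing_kms_key_crn_parser[0].service_name : null
-kms_account_id = var.kms_encryption_enabled_buckets ? module.existing_kms_crn_parser[0].account_id : var.existing_kms_key_crn != null ? module.existing_kms_key_crn_parser[0].account_id : null
+kms_region = var.kms_encryption_enabled_buckets ? var.existing_kms_key_crn != null ? module.existing_kms_key_crn_parser[0].region : module.existing_kms_crn_parser[0].region : null
+existing_kms_guid = var.kms_encryption_enabled_buckets ? var.existing_kms_key_crn != null ? module.existing_kms_key_crn_parser[0].service_instance : module.existing_kms_crn_parser[0].service_instance : null
+kms_service_name = var.kms_encryption_enabled_buckets ? var.existing_kms_key_crn != null ? module.existing_kms_key_crn_parser[0].service_name : module.existing_kms_crn_parser[0].service_name : null
+kms_account_id = var.kms_encryption_enabled_buckets ? var.existing_kms_key_crn != null ? module.existing_kms_key_crn_parser[0].account_id : module.existing_kms_crn_parser[0].account_id : null
 
 data_bucket_name = "${local.prefix}${var.cloud_logs_data_cos_bucket_name}"
 metrics_bucket_name = "${local.prefix}${var.cloud_logs_metrics_cos_bucket_name}"
 cos_instance_guid = module.existing_cos_instance_crn_parser.service_instance
 
-key_ring_name = "${local.prefix}${var.cloud_logs_cos_key_ring_name}"
-key_name = "${local.prefix}${var.cloud_logs_cos_key_name}"
+key_ring_name = local.use_kms_module ? "${local.prefix}${var.cloud_logs_cos_key_ring_name}" : null
+key_name = local.use_kms_module ? "${local.prefix}${var.cloud_logs_cos_key_name}" : null
 kms_key_crn = var.kms_encryption_enabled_buckets ? var.existing_kms_key_crn != null ? var.existing_kms_key_crn : module.kms[0].keys[format("%s.%s", local.key_ring_name, local.key_name)].crn : null
-kms_key_id = var.existing_kms_instance_crn != null ? module.kms[0].keys[format("%s.%s", local.key_ring_name, local.key_name)].key_id : var.existing_kms_key_crn != null ? module.existing_kms_key_crn_parser[0].resource : null
+kms_key_id = var.existing_kms_key_crn != null ? module.existing_kms_key_crn_parser[0].resource : var.existing_kms_instance_crn != null ? module.kms[0].keys[format("%s.%s", local.key_ring_name, local.key_name)].key_id : null
 
-create_cross_account_auth_policy = var.existing_cloud_logs_crn == null ? !var.skip_cos_kms_iam_auth_policy && var.ibmcloud_kms_api_key == null ? false : true : false
+create_cross_account_auth_policy = var.existing_cloud_logs_crn == null ? !var.skip_cos_kms_iam_auth_policy && var.ibmcloud_kms_api_key == null && var.ibmcloud_cos_api_key == null ? false : true : false
 create_cross_account_cos_auth_policy = var.existing_cloud_logs_crn == null && var.ibmcloud_cos_api_key != null && !var.skip_cloud_logs_cos_auth_policy
+is_same_cross_account = var.ibmcloud_kms_api_key == var.ibmcloud_cos_api_key
 }
 
 module "existing_cos_instance_crn_parser" {
@@ -99,7 +100,7 @@ module "buckets" {
 {
 bucket_name = local.data_bucket_name
 kms_key_crn = var.kms_encryption_enabled_buckets ? local.kms_key_crn : null
-kms_guid = var.kms_encryption_enabled_buckets ? module.existing_kms_crn_parser[0].service_instance : null
+kms_guid = var.kms_encryption_enabled_buckets ? local.existing_kms_guid : null
 kms_encryption_enabled = var.kms_encryption_enabled_buckets
 region_location = var.region
 resource_instance_id = var.existing_cos_instance_crn
@@ -120,7 +121,7 @@ module "buckets" {
 {
 bucket_name = local.metrics_bucket_name
 kms_key_crn = var.kms_encryption_enabled_buckets ? local.kms_key_crn : null
-kms_guid = var.kms_encryption_enabled_buckets ? module.existing_kms_crn_parser[0].service_instance : null
+kms_guid = var.kms_encryption_enabled_buckets ? local.existing_kms_guid : null
 kms_encryption_enabled = var.kms_encryption_enabled_buckets
 region_location = var.region
 resource_instance_id = var.existing_cos_instance_crn
@@ -206,16 +207,16 @@ module "existing_kms_crn_parser" {
 }
 
 module "existing_kms_key_crn_parser" {
-count = local.use_kms_module ? 1 : 0
+count = var.existing_kms_key_crn != null ? 1 : 0
 source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
 version = "1.2.0"
-crn = local.kms_key_crn
+crn = var.existing_kms_key_crn
 }
 
 # Create IAM Authorization Policy to allow COS to access KMS for the encryption key, if cross account KMS is passed in
 resource "ibm_iam_authorization_policy" "cos_kms_policy" {
 provider = ibm.kms
-count = local.create_cross_account_auth_policy ? 1 : 0
+count = local.create_cross_account_auth_policy ? local.is_same_cross_account ? 0 : 1 : 0
 source_service_account = module.existing_cos_instance_crn_parser.account_id
 source_service_name = "cloud-object-storage"
 source_resource_instance_id = local.cos_instance_guid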
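Review bot: `is_same_cross_account = var.ibmcloud_kms_api_key == var.ibmcloud_cos_api_key` in the `locals` block of the first hunk decides whether the cross-account `cos_kms_policy` is created (the `count` in the last hunk), but equality of two API-key secrets is only a proxy for "same account": two distinct keys issued for the same account compare unequal, and two unset keys compare equal, so the decision tracks how the caller supplied credentials rather than which account owns the KMS instance. The parsed account IDs already in this file express the intent directly, e.g. `is_same_cross_account = local.kms_account_id == module.existing_cos_instance_crn_parser.account_id`, and keep secret material out of a planning decision (note `kms_account_id` is null when bucket encryption is disabled, so that case would need the same treatment it gets today). If the two api-key variables are declared `sensitive` (their declarations are not on this page), the derived boolean inherits that marking and Terraform may refuse to use it in `count`. A one-line comment on the local stating what "same" means here would also help, since the name alone does not say. The `cos_kms_policy` resource continues past the end of the last hunk.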
