Skip to content

feat: updated KMS auth policy scope to scope to the KMS key + cleanup #313

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Oct 16, 2024
Merged

feat: updated KMS auth policy scope to scope to the KMS key + cleanup #313

merged 9 commits into from
Oct 16, 2024

Conversation

@ocofaigh
Copy link
Contributor

@ocofaigh ocofaigh commented Oct 14, 2024
edited
Loading

Description

  • updated KMS auth policy scope to scope to the KMS key (expect this to fail upgrade test however Im using create before destroy to prevent disruption to service)
  • Started to use the CRN parser instead of messy regex
  • During cleanup I found a few bugs that I fixed, mainly around incorrect validation
  • Added code comments to make the code easier to read and maintain

Release required?

  • No release
  • Patch release (x.x.X)
  • Minor release (x.X.x)
  • Major release (X.x.x)
Release notes content

Run the pipeline

If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.

Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:

/run pipeline

Checklist for reviewers

  • If relevant, a test for the change is included or updated with this PR.
  • If relevant, documentation for the change is included or updated with this PR.

For mergers

  • Use a conventional commit message to set the release level. Follow the guidelines.
  • Include information that users need to know about the PR in the commit message. The commit message becomes part of the GitHub release notes.
  • Use the Squash and merge option.

@ocofaigh
Copy link
Contributor Author

/run pipeline

@ocofaigh
Copy link
Contributor Author

As expected the upgrade test failed as it wants to recreate the auth policy. But it also failed on this update and no idea why...

        	Messages:   	Resource(s) identified to be updated 
        	            	Name: en_cos_integration
        	            	Address: module.event_notifications[0].ibm_en_integration_cos.en_cos_integration[0]
        	            	Actions: [update]
        	            	DIFF:
        	            	  Before: 
        	            		{"metadata":"SECURE_VALUE_HIDDEN_HASH:-cfa39bbf1424dbe87cb424f2a794fb25c65c2a34d1694dc0b6f5cb53"}
        	            	  After: 
        	            		{"metadata":"SECURE_VALUE_HIDDEN_HASH:-1eb7d7592816a31b59566ff9a7fd7863426a53a7dafd3a993b2110ff"}

I'm going to have to do a manual upgrade test to figure this out

@ocofaigh
Copy link
Contributor Author

OK after doing manual check, I see why the update is happening. Its because I updated the default COS endpoint to be the direct endpoint instead of public one:

2024/10/14 20:07:29 Terraform plan |   # module.event_notifications[0].ibm_en_integration_cos.en_cos_integration[0] will be updated in-place
 2024/10/14 20:07:29 Terraform plan |   ~ resource "ibm_en_integration_cos" "en_cos_integration" {
 2024/10/14 20:07:29 Terraform plan |         id             = "77ce8909-eca2-450d-8875-8e84ea56eaf4/7a7ac1cb-049a-4017-bc35-4c235f8f29c5"
 2024/10/14 20:07:29 Terraform plan |         # (4 unchanged attributes hidden)
 2024/10/14 20:07:29 Terraform plan | 
 2024/10/14 20:07:29 Terraform plan |       ~ metadata {
 2024/10/14 20:07:29 Terraform plan |           ~ endpoint    = "https://s3.us-south.cloud-object-storage.appdomain.cloud" -> "https://s3.direct.us-south.cloud-object-storage.appdomain.cloud"
 2024/10/14 20:07:29 Terraform plan |             # (2 unchanged attributes hidden)
 2024/10/14 20:07:29 Terraform plan |         }
 2024/10/14 20:07:29 Terraform plan |     }

This is also expected, and non disruptive, so skipping upgrade test.
@Ak-sky can you please review?

@ocofaigh
Copy link
Contributor Author

/run pipeline

@Ak-sky
Copy link
Member

Ak-sky commented Oct 15, 2024

TestRunExistingResourcesInstances Test failed in Schematics with below error during TF plan-

024/10/14 20:25:15 Terraform plan |   # time_sleep.wait_for_en_authorization_policy will be created
 2024/10/14 20:25:15 Terraform plan |   + resource "time_sleep" "wait_for_en_authorization_policy" {
 2024/10/14 20:25:15 Terraform plan |       + create_duration = "30s"
 2024/10/14 20:25:15 Terraform plan |       + id              = (known after apply)
 2024/10/14 20:25:15 Terraform plan |     }
 2024/10/14 20:25:15 Terraform plan | 
 2024/10/14 20:25:15 Terraform plan | Plan: 1 to add, 0 to change, 0 to destroy.
 2024/10/14 20:25:15 Terraform plan | 
 2024/10/14 20:25:15 Terraform plan | Changes to Outputs:
 2024/10/14 20:25:15 Terraform plan |   + crn                              = "crn:v1:bluemix:public:event-notifications:au-syd:a/abac0df06b644a9cabc6e44f55b3880e:aab948d3-fff1-496f-9967-44ceb6135554::"
 2024/10/14 20:25:15 Terraform plan |   + event_notification_instance_name = "en-existing-t6wbsk-en"
 2024/10/14 20:25:15 Terraform plan |   + guid                             = "aab948d3-fff1-496f-9967-44ceb6135554"
 2024/10/14 20:25:15 Terraform plan | 
 2024/10/14 20:25:15 Terraform plan | Error: Invalid index
 2024/10/14 20:25:15 Terraform plan | 
 2024/10/14 20:25:15 Terraform plan |   on main.tf line 235, in locals:
 2024/10/14 20:25:15 Terraform plan |  235:   cos_instance_guid = var.existing_cos_instance_crn == null ? module.cos[0].cos_instance_guid : module.cos_instance_crn_parser[0].service_instance
 2024/10/14 20:25:15 Terraform plan |     ├────────────────
 2024/10/14 20:25:15 Terraform plan |     │ module.cos is empty tuple
 2024/10/14 20:25:15 Terraform plan | 
 2024/10/14 20:25:15 Terraform plan | The given key does not identify an element in this collection value: the
 2024/10/14 20:25:15 Terraform plan | collection has no elements.
 2024/10/14 20:25:16 Terraform plan | 
 2024/10/14 20:25:16 Terraform plan | Error: Invalid index
 2024/10/14 20:25:16 Terraform plan | 
 2024/10/14 20:25:16 Terraform plan |   on main.tf line 238, in locals:
 2024/10/14 20:25:16 Terraform plan |  238:   cos_account_id = var.existing_cos_instance_crn != null ? split("/", module.cos_instance_crn_parser[0].scope)[1] : module.cos[0].cos_account_id
 2024/10/14 20:25:16 Terraform plan |     ├────────────────
 2024/10/14 20:25:16 Terraform plan |     │ module.cos is empty tuple
 2024/10/14 20:25:16 Terraform plan | 
 2024/10/14 20:25:16 Terraform plan | The given key does not identify an element in this collection value: the
 2024/10/14 20:25:16 Terraform plan | collection has no elements.
 2024/10/14 20:25:16 Terraform plan | 
 2024/10/14 20:25:16 Terraform plan | Error: Invalid function argument
 2024/10/14 20:25:16 Terraform plan | 
 2024/10/14 20:25:16 Terraform plan |   on .terraform/modules/cos_kms_key_crn_parser/modules/crn-parser/main.tf line 6, in locals:
 2024/10/14 20:25:16 Terraform plan |    6:   split_crn        = coalescelist(split(":", var.crn))
 2024/10/14 20:25:16 Terraform plan |     ├────────────────
 2024/10/14 20:25:16 Terraform plan |     │ while calling split(separator, str)
 2024/10/14 20:25:16 Terraform plan |     │ var.crn is null
 2024/10/14 20:25:16 Terraform plan | 
 2024/10/14 20:25:16 Terraform plan | Invalid value for "str" parameter: argument must not be null.
 2024/10/14 20:25:16 �[1m�[31mTerraform PLAN error: Terraform PLAN errorexit status 1�[39m�[0m

@ocofaigh
Copy link
Contributor Author

/run pipeline

@ocofaigh
Copy link
Contributor Author

/run pipeline

@ocofaigh
Copy link
Contributor Author

@Ak-sky I addressed the issues, and also added more tests. Can you please re-review?

@ocofaigh
Copy link
Contributor Author

/run pipeline

1 similar comment
@ocofaigh
Copy link
Contributor Author

/run pipeline

Aashiq-J
Aashiq-J reviewed Oct 16, 2024
View reviewed changes
Copy link
Member

@Aashiq-J Aashiq-J left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some minor changes related to the code comments.
Rest everything looks good to me.

solutions/standard/main.tf Outdated
# If a prefix value is passed, add it to the COS key ring name
cos_key_ring_name = var.prefix != null ? "${var.prefix}-${var.cos_key_ring_name}" : var.cos_key_ring_name
# Determine the COS KMS key CRN (new key or existing key). It will only have a value if not using an existing bucket or existing EN instance
# cos_kms_key_crn = var.existing_cos_bucket_name != null ? null : var.existing_kms_root_key_crn != null ? var.existing_kms_root_key_crn : var.existing_en_instance_crn == null ? module.kms[0].keys[format("%s.%s", local.cos_key_ring_name, local.cos_key_name)].crn : null
Copy link
Member

@Aashiq-J Aashiq-J Oct 16, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can remove this commented out code, right?

solutions/standard/main.tf
# cos_kms_key_crn = var.existing_cos_bucket_name != null ? null : var.existing_kms_root_key_crn != null ? var.existing_kms_root_key_crn : var.existing_en_instance_crn == null ? module.kms[0].keys[format("%s.%s", local.cos_key_ring_name, local.cos_key_name)].crn : null
cos_kms_key_crn = var.existing_en_instance_crn != null || var.existing_cos_bucket_name != null ? null : var.existing_kms_root_key_crn != null ? var.existing_kms_root_key_crn : module.kms[0].keys[format("%s.%s", local.cos_key_ring_name, local.cos_key_name)].crn
# If existing KMS instance CRN passed, parse the account ID from it
cos_kms_key_id = local.cos_kms_key_crn != null ? module.cos_kms_key_crn_parser[0].resource : null
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The above comment mentions about parsing the account ID, but we are getting the key_id.

solutions/standard/main.tf Outdated
validate_sm_crn = length(var.service_credential_secrets) > 0 && var.existing_secrets_manager_instance_crn == null ? tobool("'existing_secrets_manager_instance_crn' is required when adding service credentials with the 'service_credential_secrets' input.") : false
# parse SM GUID from CRN
existing_secrets_manager_instance_guid = var.existing_secrets_manager_instance_crn != null ? module.existing_sm_crn_parser[0].service_instance : null
# parse SM regiob from CRN
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SM regiob -> SM region

@ocofaigh
Copy link
Contributor Author

/run pipeline

@ocofaigh ocofaigh merged commit 80b244f into main Oct 16, 2024
2 checks passed
@ocofaigh ocofaigh deleted the auth branch October 16, 2024 12:10
@terraform-ibm-modules-ops
Copy link
Contributor

🎉 This PR is included in version 1.13.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@ocofaigh ocofaigh mentioned this pull request Oct 23, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Aashiq-J Aashiq-J Aashiq-J approved these changes

@Ak-sky Ak-sky Awaiting requested review from Ak-sky Ak-sky is a code owner

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ocofaigh @Ak-sky @terraform-ibm-modules-ops @Aashiq-J