2 changes: 1 addition & 1 deletion .secrets.baseline
@@ -3,7 +3,7 @@
"files": "go.sum|^.secrets.baseline$",
"lines": null
},
"generated_at": "2023-12-12T05:17:42Z",
"generated_at": "2023-12-13T05:17:42Z",
"plugins_used": [
{
"name": "AWSKeyDetector"
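Review bot: only `generated_at` changes in this hunk (2023-12-12 to 2023-12-13); if the scan found no new result entries, this is churn from re-running `detect-secrets scan` and does not need to ride along with the PR, so either drop the baseline change or note in the PR that the pre-commit hook regenerates it.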
6 changes: 3 additions & 3 deletions README.md
@@ -91,7 +91,6 @@ To create service credentials, access the Event Notifications service, and acces
| [time_sleep.wait_for_cos_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [time_sleep.wait_for_kms_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [ibm_en_integrations.en_integrations](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/en_integrations) | data source |
| [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source |

### Inputs

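Review bot: dropping the `ibm_iam_account_settings` row matches the removal of the data block in `main.tf`; this table appears to be generated (the terraform-docs style anchors), so confirm it was regenerated by the docs tooling rather than hand-edited, otherwise the Resources table drifts from the code on the next run.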
@@ -112,14 +111,15 @@ To create service credentials, access the Event Notifications service, and acces
| <a name="input_root_key_id"></a> [root\_key\_id](#input\_root\_key\_id) | The key ID of a root key, existing in the KMS instance passed in `var.existing_kms_instance_crn`, which will be used to encrypt the data encryption keys which are then used to encrypt the data. Required only if `var.kms_encryption_enabled` is set to `true`. | `string` | `null` | no |
| <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event Notifications instance. | `map(string)` | `{}` | no |
| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable public, or both public and private service endpoints. Possible values: `public`, `public-and-private` | `string` | `"public-and-private"` | no |
| <a name="input_skip_en_cos_auth_policy"></a> [skip\_en\_cos\_auth\_policy](#input\_skip\_en\_cos\_auth\_policy) | Whether an IAM authorization policy is created for your Event Notifications instance to interact with your Object Storage bucket. Set to `true` to use an existing policy. Ignored if `cos_integration_enabled` is set to `false`. | `bool` | `false` | no |
| <a name="input_skip_en_kms_auth_policy"></a> [skip\_en\_kms\_auth\_policy](#input\_skip\_en\_kms\_auth\_policy) | Set to `true` to skip the creation of an IAM authorization policy that permits all Event Notifications instances in the resource group to read the encryption key from the KMS instance. If set to `false`, specify a value for the KMS instance in the `existing_kms_instance_guid` variable. In addition, no policy is created if `kms_encryption_enabled` is set to `false`. | `bool` | `false` | no |
| <a name="input_skip_en_cos_auth_policy"></a> [skip\_en\_cos\_auth\_policy](#input\_skip\_en\_cos\_auth\_policy) | Set to `true` to skip the creation of an IAM authorization policy that permits the Event Notifications instance `Object Writer` and `Reader` access to the given Object Storage bucket. Ignored if `cos_integration_enabled` is set to `false`. | `bool` | `false` | no |
| <a name="input_skip_en_kms_auth_policy"></a> [skip\_en\_kms\_auth\_policy](#input\_skip\_en\_kms\_auth\_policy) | Set to `true` to skip the creation of an IAM authorization policy that permits the Event Notifications instance to read the encryption key from the KMS instance. If set to `false`, a value must be passed for the KMS instance and key using inputs `existing_kms_instance_crn` and `root_key_id`. In addition, no policy is created if `kms_encryption_enabled` is set to `false`. | `bool` | `false` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | The list of tags to add to the Event Notifications instance. | `list(string)` | `[]` | no |

### Outputs

| Name | Description |
|------|-------------|
| <a name="output_account_id"></a> [account\_id](#output\_account\_id) | The Event Notifications account ID. |
| <a name="output_crn"></a> [crn](#output\_crn) | The Event Notifications instance CRN. |
| <a name="output_event_notification_instance_name"></a> [event\_notification\_instance\_name](#output\_event\_notification\_instance\_name) | The name of the Event Notifications instance. |
| <a name="output_guid"></a> [guid](#output\_guid) | The globally unique identifier of the Event Notifications instance. |
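Review bot: the rewritten `skip_en_kms_auth_policy` row says a value "must be passed" for `root_key_id` when the policy is created, but the `root_key_id` row above still documents it as optional (default `null`, "Required only if `var.kms_encryption_enabled` is set to `true`"). Align the two rows, e.g. state in the `root_key_id` description that it is required whenever `kms_encryption_enabled = true` and `skip_en_kms_auth_policy = false`, since the policy's `resource` attribute is now built from it. The `skip_en_cos_auth_policy` rewrite naming the `Object Writer` and `Reader` roles matches the `roles` list in `cos_policy`, which is good.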
50 changes: 35 additions & 15 deletions main.tf
@@ -19,6 +19,9 @@ locals {
can(regex(".*hs-crypto.*", var.existing_kms_instance_crn)) ? "hs-crypto" : null
)
) : null

# Get account ID
account_id = ibm_resource_instance.en_instance.account_id
}

resource "ibm_resource_instance" "en_instance" {
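Review bot: the `# Get account ID` comment should say why the value now comes from the instance rather than from the IAM account-settings data source (same account, one fewer lookup at plan time), so the next reader does not reintroduce the data source. Also confirm that `account_id` is an exported attribute of `ibm_resource_instance` in the provider version this module pins; if it is not, the plan fails at the first policy that references `local.account_id`.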
@@ -79,13 +82,6 @@ resource "ibm_en_integration" "en_kms_integration" {
}
}

##############################################################################
# Get Cloud Account ID
##############################################################################

data "ibm_iam_account_settings" "iam_account_settings" {
}

##############################################################################
# IAM Authorization Policy
##############################################################################
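Review bot: the data block removal is complete for the two references changed in this PR (`cos_policy` and `kms_policy`); grep the rest of the repo, examples and tests included, for `data.ibm_iam_account_settings`, since the README Resources row is removed too and any leftover reference would fail at plan time.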
@@ -102,30 +98,26 @@ resource "ibm_iam_authorization_policy" "cos_policy" {
source_resource_instance_id = ibm_resource_instance.en_instance.guid
roles = ["Object Writer", "Reader"]
description = "Allow EN instance with GUID ${ibm_resource_instance.en_instance.guid} `Object Writer` and `Reader` access to the COS instance with GUID ${local.existing_cos_instance_guid}."

resource_attributes {
name = "serviceName"
operator = "stringEquals"
value = "cloud-object-storage"
}

resource_attributes {
name = "accountId"
operator = "stringEquals"
value = data.ibm_iam_account_settings.iam_account_settings.account_id
value = local.account_id
}
resource_attributes {
name = "serviceInstance"
operator = "stringEquals"
value = local.existing_cos_instance_guid
}

resource_attributes {
name = "resourceType"
operator = "stringEquals"
value = "bucket"
}

resource_attributes {
name = "resource"
operator = "stringEquals"
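Review bot: nothing functional changes in this hunk beyond `accountId` now being sourced from `local.account_id`, which is the same account the instance lives in. The removal of the blank lines between the `resource_attributes` blocks is cosmetic; keep it consistent with the new `kms_policy` block further down, which also omits them, so the two policies read the same.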
@@ -145,10 +137,38 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
count = var.kms_encryption_enabled == false || var.skip_en_kms_auth_policy ? 0 : 1
source_service_name = "event-notifications"
source_resource_instance_id = ibm_resource_instance.en_instance.guid
target_service_name = local.kms_service
target_resource_instance_id = local.existing_kms_instance_guid
roles = ["Reader"]
description = "Allow Event Notification instance ${ibm_resource_instance.en_instance.guid} to read from the ${local.kms_service} instance ${local.existing_kms_instance_guid}"
description = "Allow Event Notifications instance ${ibm_resource_instance.en_instance.guid} to read the ${local.kms_service} key ${var.root_key_id} from instance ${local.existing_kms_instance_guid}"
resource_attributes {
name = "serviceName"
operator = "stringEquals"
value = local.kms_service
}
resource_attributes {
name = "accountId"
operator = "stringEquals"
value = local.account_id
}
resource_attributes {
name = "serviceInstance"
operator = "stringEquals"
value = local.existing_kms_instance_guid
}
resource_attributes {
name = "resourceType"
operator = "stringEquals"
value = "key"
}
resource_attributes {
name = "resource"
operator = "stringEquals"
value = var.root_key_id
}
# Scope of policy now includes the key, so ensure to create new policy before
# destroying old one to prevent any disruption to every day services.
lifecycle {
create_before_destroy = true
}
}

# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
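Review bot: `value = var.root_key_id` in the `resource` attribute has no guard; `root_key_id` defaults to `null`, so with `kms_encryption_enabled = true` and `skip_en_kms_auth_policy = false` the policy would be created with an empty `resource` attribute (or fail at apply) instead of the intended key scope. Add a `precondition` in the existing `lifecycle` block, or a `validation` on the variable, requiring `var.root_key_id != null` whenever `var.kms_encryption_enabled` is true, and make the error message point at `root_key_id`. Two follow-ups on the scope change: the `create_before_destroy` comment assumes IAM will accept the new key-scoped policy while the old instance-scoped policy for the same source and target still exists, so confirm the provider does not return a conflict there, otherwise the create step fails and nothing is replaced; and because the scope is now a single key ID, replacing the root key with one that has a different key ID requires this policy to be updated, which is worth a sentence in the `root_key_id` description. Nit: "every day services" reads better as "everyday services".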
6 changes: 6 additions & 0 deletions outputs.tf
@@ -6,11 +6,17 @@ output "event_notification_instance_name" {
description = "The name of the Event Notifications instance."
value = ibm_resource_instance.en_instance.name
}

output "crn" {
description = "The Event Notifications instance CRN."
value = ibm_resource_instance.en_instance.crn
}

output "account_id" {
description = "The Event Notifications account ID."
value = local.account_id
}

output "guid" {
description = "The globally unique identifier of the Event Notifications instance."
value = ibm_resource_instance.en_instance.guid
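Review bot: the description "The Event Notifications account ID" is misleading; the value is the IBM Cloud account ID the instance is provisioned in (`ibm_resource_instance.en_instance.account_id`), not an account belonging to the Event Notifications service. Suggest `description = "The ID of the IBM Cloud account in which the Event Notifications instance is provisioned."`; the README Outputs row is generated from this string, so fixing it here fixes both.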