From ad3ca26b1d33d5d10a8adea34e82ea5c4aeaefed Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Thu, 21 Nov 2024 12:45:46 +0530
Subject: [PATCH 1/3] feat:scope KMS auth policy to the exact KMS key
---
 main.tf | 46 ++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 38 insertions(+), 8 deletions(-)
diff --git a/main.tf b/main.tf
index 59d7d19..4e985ec 100644
--- a/main.tf
+++ b/main.tf
@@ -27,12 +27,12 @@ locals {
 
 # Determine if host_flavor is used
 host_flavor_set = var.member_host_flavor != null ? true : false
- # Determine what KMS service is being used for database encryption
- kms_service = var.kms_key_crn != null ? (
- can(regex(".*kms.*", var.kms_key_crn)) ? "kms" : (
- can(regex(".*hs-crypto.*", var.kms_key_crn)) ? "hs-crypto" : null
- )
- ) : null
+
+ parsed_kms_key_crn = var.kms_key_crn != null ? split(":", var.kms_key_crn) : []
+ kms_service = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null
+ kms_scope = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null
+ kms_account_id = length(local.parsed_kms_key_crn) > 0 ? split("/", local.kms_scope)[1] : null
+ kms_key_id = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[9] : null
 }
 
 # Create IAM Authorization Policies to allow EDB to access KMS for the encryption key
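Review bot: The `length(local.parsed_kms_key_crn) > 0` guards on the new locals only rule out the null case; they do not establish that the CRN has the ten colon-separated segments that indices 4, 6 and 9 rely on, nor that segment 6 has the `a/<account-id>` shape that `split("/", local.kms_scope)[1]` assumes. A truncated or instance-level CRN therefore fails with an index error at plan time rather than a message naming the bad input, and a CRN whose scope segment is not account-scoped yields a wrong `kms_account_id` with no error at all. Since `kms_key_id` and `kms_account_id` now feed the authorization policy's resource attributes, checking the segment count once, e.g. `kms_crn_valid = length(local.parsed_kms_key_crn) == 10` and guarding each local on that, or a `validation` block on `var.kms_key_crn` (declared outside this hunk), would make a malformed input fail clearly instead of producing a policy with unexpected scope.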
@@ -40,10 +40,40 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
 count = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1
 source_service_name = "databases-for-enterprisedb"
 source_resource_group_id = var.resource_group_id
- target_service_name = local.kms_service
- target_resource_instance_id = var.existing_kms_instance_guid
 roles = ["Reader"]
 description = "Allow all Enterprise db instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service} instance GUID ${var.existing_kms_instance_guid}"
+
+
+ resource_attributes {
+ name = "serviceName"
+ operator = "stringEquals"
+ value = local.kms_service
+ }
+ resource_attributes {
+ name = "accountId"
+ operator = "stringEquals"
+ value = local.kms_account_id
+ }
+ resource_attributes {
+ name = "serviceInstance"
+ operator = "stringEquals"
+ value = var.existing_kms_instance_guid
+ }
+ resource_attributes {
+ name = "resourceType"
+ operator = "stringEquals"
+ value = "key"
+ }
+ resource_attributes {
+ name = "resource"
+ operator = "stringEquals"
+ value = local.kms_key_id
+ }
+ # Scope of policy now includes the key, so ensure to create new policy before
+ # destroying old one to prevent any disruption to every day services.
+ lifecycle {
+ create_before_destroy = true
+ }
 }
 
 # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
From ef1f1a23865a8b0398cfacd11fc5173cafe2a91f Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Thu, 21 Nov 2024 16:10:54 +0530
Subject: [PATCH 2/3] feat:Scope KMS auth policy to exact KMS key
---
 main.tf | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/main.tf b/main.tf
index 4e985ec..398d805 100644
--- a/main.tf
+++ b/main.tf
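Review bot: The `serviceInstance` attribute is taken from `var.existing_kms_instance_guid` while the `resource` attribute is taken from `local.kms_key_id`, which is parsed from `var.kms_key_crn`; the two inputs are never checked against each other, so a GUID that does not belong to the key's instance produces a policy that matches no key and the database silently loses access to KMS. The instance id is normally also carried in the key CRN (segment index 7 of `local.parsed_kms_key_crn`), so a `precondition` in the new `lifecycle` block can reject the mismatch at plan time; the same check could require `var.kms_key_crn != null` when the policy is created, since with a null CRN every local feeding these attributes is null and the provider's behaviour in that case is not visible here. Separately, the `description` still reads `instance GUID ${var.existing_kms_instance_guid}` although the policy is now scoped to one key; `... to read key ${local.kms_key_id} in the ${local.kms_service} instance ${var.existing_kms_instance_guid}` would describe the new scope.
```hcl
  lifecycle {
    create_before_destroy = true
    # Fail at plan time if the GUID given separately does not match the instance in the key CRN;
    # otherwise the policy would be scoped to a key that does not exist in that instance.
    precondition {
      condition     = var.kms_key_crn != null && length(local.parsed_kms_key_crn) == 10 && local.parsed_kms_key_crn[7] == var.existing_kms_instance_guid
      error_message = "existing_kms_instance_guid must match the instance segment of kms_key_crn."
    }
  }
```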
@@ -27,7 +27,6 @@ locals {
 
 # Determine if host_flavor is used
 host_flavor_set = var.member_host_flavor != null ? true : false
-
 parsed_kms_key_crn = var.kms_key_crn != null ? split(":", var.kms_key_crn) : []
 kms_service = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null
 kms_scope = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null
@@ -37,13 +36,12 @@ locals {
 
 # Create IAM Authorization Policies to allow EDB to access KMS for the encryption key
 resource "ibm_iam_authorization_policy" "kms_policy" {
- count = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1
- source_service_name = "databases-for-enterprisedb"
- source_resource_group_id = var.resource_group_id
- roles = ["Reader"]
- description = "Allow all Enterprise db instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service} instance GUID ${var.existing_kms_instance_guid}"
-
-
+ count = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1
+ source_service_name = "databases-for-enterprisedb"
+ source_resource_group_id = var.resource_group_id
+ roles = ["Reader"]
+ description = "Allow all Enterprise db instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service} instance GUID ${var.existing_kms_instance_guid}"
+
 resource_attributes {
 name = "serviceName"
 operator = "stringEquals"
From 7985757b3be11bff555c996fb26d3d74c6dc715b Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Fri, 22 Nov 2024 11:09:32 +0530
Subject: [PATCH 3/3] SKIP UPGRADE TEST