Skip to content
This repository was archived by the owner on Jun 17, 2025. It is now read-only.

feat: Scope the KMS auth policy to the exact KMS key #292

Closed
wants to merge 4 commits into from
Closed

feat: Scope the KMS auth policy to the exact KMS key #292

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
ad3ca26
feat:scope KMS auth policy to the exact KMS key
Nov 21, 2024
ef1f1a2
feat:Scope KMS auth policy to exact KMS key
Nov 21, 2024
7985757
SKIP UPGRADE TEST
Nov 22, 2024
86f7c25
Merge branch 'main' into 11345-scope-kms
imprateeksh Nov 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 41 additions & 13 deletions main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,23 +27,51 @@ locals {
# Determine if host_flavor is used
host_flavor_set = var.member_host_flavor != null ? true : false

# Determine what KMS service is being used for database encryption
kms_service = var.kms_key_crn != null ? (
can(regex(".*kms.*", var.kms_key_crn)) ? "kms" : (
can(regex(".*hs-crypto.*", var.kms_key_crn)) ? "hs-crypto" : null
)
) : null
parsed_kms_key_crn = var.kms_key_crn != null ? split(":", var.kms_key_crn) : []
kms_service = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null
kms_scope = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null
kms_account_id = length(local.parsed_kms_key_crn) > 0 ? split("/", local.kms_scope)[1] : null
kms_key_id = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[9] : null
}

# Create IAM Authorization Policies to allow EDB to access KMS for the encryption key
resource "ibm_iam_authorization_policy" "kms_policy" {
count = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1
source_service_name = "databases-for-enterprisedb"
source_resource_group_id = var.resource_group_id
target_service_name = local.kms_service
target_resource_instance_id = var.existing_kms_instance_guid
roles = ["Reader"]
description = "Allow all Enterprise db instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service} instance GUID ${var.existing_kms_instance_guid}"
count = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1
source_service_name = "databases-for-enterprisedb"
source_resource_group_id = var.resource_group_id
roles = ["Reader"]
description = "Allow all Enterprise db instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service} instance GUID ${var.existing_kms_instance_guid}"
Copy link
Member

@imprateeksh imprateeksh Nov 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To maintain consistency, this can be modified as -

to read the ${local.kms_service} key ${local.kms_key_id} from the instance ${var.existing_kms_instance_guid}"


resource_attributes {
name = "serviceName"
operator = "stringEquals"
value = local.kms_service
}
resource_attributes {
name = "accountId"
operator = "stringEquals"
value = local.kms_account_id
}
resource_attributes {
name = "serviceInstance"
operator = "stringEquals"
value = var.existing_kms_instance_guid
}
resource_attributes {
name = "resourceType"
operator = "stringEquals"
value = "key"
}
resource_attributes {
name = "resource"
operator = "stringEquals"
value = local.kms_key_id
}
# Scope of policy now includes the key, so ensure to create new policy before
# destroying old one to prevent any disruption to every day services.
lifecycle {
create_before_destroy = true
}
}

# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
Expand Down