feat: added support to the DA for use case where KMS is in a different account by adding new optional variable ibmcloud_kms_api_key (#236)

Author: Soaib024

solutions/standard/main.tf

@@ -10,7 +10,11 @@ locals {
   elasticsearch_key_name      = var.prefix != null ? "${var.prefix}-${var.elasticsearch_key_name}" : var.elasticsearch_key_name
   elasticsearch_key_ring_name = var.prefix != null ? "${var.prefix}-${var.elasticsearch_key_ring_name}" : var.elasticsearch_key_ring_name
 
-  kms_key_crn = var.existing_kms_key_crn != null ? var.existing_kms_key_crn : module.kms[0].keys[format("%s.%s", local.elasticsearch_key_ring_name, local.elasticsearch_key_name)].crn
+  kms_key_crn                      = var.existing_kms_key_crn != null ? var.existing_kms_key_crn : module.kms[0].keys[format("%s.%s", local.elasticsearch_key_ring_name, local.elasticsearch_key_name)].crn
+  create_cross_account_auth_policy = !var.skip_iam_authorization_policy && var.ibmcloud_kms_api_key != null
+  kms_service_name = local.kms_key_crn != null ? (
+    can(regex(".*kms.*", local.kms_key_crn)) ? "kms" : can(regex(".*hs-crypto.*", local.kms_key_crn)) ? "hs-crypto" : null
+  ) : null
 }
 
 #######################################################################################################################
@@ -28,6 +32,29 @@ module "resource_group" {
 # KMS root key for Elasticsearch
 #######################################################################################################################
 
+data "ibm_iam_account_settings" "iam_account_settings" {
+  count = local.create_cross_account_auth_policy ? 1 : 0
+}
+
+resource "ibm_iam_authorization_policy" "kms_policy" {
+  count                       = local.create_cross_account_auth_policy ? 1 : 0
+  provider                    = ibm.kms
+  source_service_account      = data.ibm_iam_account_settings.iam_account_settings[0].account_id
+  source_service_name         = "databases-for-elasticsearch"
+  source_resource_group_id    = module.resource_group.resource_group_id
+  target_service_name         = local.kms_service_name
+  target_resource_instance_id = local.existing_kms_instance_guid
+  roles                       = ["Reader"]
+  description                 = "Allow all Elastic Search instances in the resource group ${module.resource_group.resource_group_id} in the account ${data.ibm_iam_account_settings.iam_account_settings[0].account_id} to read from the ${local.kms_service_name} instance GUID ${local.existing_kms_instance_guid}"
+}
+
+# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
+resource "time_sleep" "wait_for_authorization_policy" {
+  depends_on      = [ibm_iam_authorization_policy.kms_policy]
+  create_duration = "30s"
+}
+
+
 module "kms" {
   providers = {
     ibm = ibm.kms
@@ -64,11 +91,12 @@ module "kms" {
 
 module "elasticsearch" {
   source                        = "../../modules/fscloud"
+  depends_on                    = [time_sleep.wait_for_authorization_policy]
   resource_group_id             = module.resource_group.resource_group_id
   name                          = var.prefix != null ? "${var.prefix}-${var.name}" : var.name
   region                        = var.region
   plan                          = var.plan
-  skip_iam_authorization_policy = var.skip_iam_authorization_policy
+  skip_iam_authorization_policy = var.skip_iam_authorization_policy || local.create_cross_account_auth_policy
   elasticsearch_version         = var.elasticsearch_version
   existing_kms_instance_guid    = local.existing_kms_instance_guid
   kms_key_crn                   = local.kms_key_crn

solutions/standard/provider.tf

@@ -1,6 +1,10 @@
 provider "ibm" {
-  alias            = "kms"
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.region
-  ibmcloud_timeout = 60
+}
+
+provider "ibm" {
+  alias            = "kms"
+  ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key
+  region           = local.existing_kms_instance_region
 }

solutions/standard/variables.tf

@@ -117,6 +117,13 @@ variable "tags" {
   default     = []
 }
 
+variable "ibmcloud_kms_api_key" {
+  type        = string
+  description = "The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance. If not specified, the 'ibmcloud_api_key' variable is used. Specify this key if the instance in `existing_kms_instance_crn` is in an account that's different from the Elastic Search instance. Leave this input empty if the same account owns both instances."
+  sensitive   = true
+  default     = null
+}
+
 variable "kms_endpoint_type" {
   type        = string
   description = "The type of endpoint to use to communicate with the KMS instance. Possible values: `public`, `private`."
@@ -134,14 +141,14 @@ variable "existing_kms_key_crn" {
 }
 
 variable "existing_kms_instance_crn" {
-  description = "The CRN of a Hyper Protect Crypto Services or Key Protect instance in the same account as the Databases for Elasticsearch instance. This value is used to create an authorization policy if `skip_iam_authorization_policy` is false. If not specified, a root key is created."
+  description = "The CRN of the KMS instance (Hyper Protect Crypto Services or Key Protect). Required only if `existing_kms_key_crn` is not specified. If the KMS instance is in different account you must also provide a value for `ibmcloud_kms_api_key`."
   type        = string
   default     = null
 }
 
 variable "skip_iam_authorization_policy" {
   type        = bool
-  description = "Whether to create an IAM authorization policy that permits all Databases for Elasticsearch instances in the resource group to read the encryption key from the Hyper Protect Crypto Services instance specified in the `existing_kms_instance_crn` variable."
+  description = "Set to true to skip the creation of an IAM authorization policy that permits all Elastic Search instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account."
   default     = false
 }
 

solutions/standard/version.tf

@@ -7,5 +7,10 @@ terraform {
       source  = "IBM-Cloud/ibm"
       version = "1.67.1"
     }
+
+    time = {
+      source  = "hashicorp/time"
+      version = "0.11.2"
+    }
   }
 }