From 0c8a8fa4a46bf59d6db55e0b9d37340eb645717f Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Tue, 19 Nov 2024 20:52:58 +0530 Subject: [PATCH 01/16] feat : scope KMS-policy to the exact KMS key --- main.tf | 55 ++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 42 insertions(+), 13 deletions(-) diff --git a/main.tf b/main.tf index 030ec448..cec8a7d8 100644 --- a/main.tf +++ b/main.tf 
@@ -28,23 +28,52 @@ locals { # Determine if restore, from backup or point in time recovery recovery_mode = var.backup_crn != null || var.pitr_id != null - # Determine what KMS service is being used for database encryption - kms_service = var.kms_key_crn != null ? ( - can(regex(".*kms.*", var.kms_key_crn)) ? "kms" : ( - can(regex(".*hs-crypto.*", var.kms_key_crn)) ? "hs-crypto" : null - ) - ) : null + + parsed_kms_key_crn = var.kms_key_crn != null ? split(":", var.kms_key_crn) : [] + kms_service = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null + kms_scope = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null + kms_account_id = length(local.parsed_kms_key_crn) > 0 ? split("/", local.kms_scope)[1] : null + kms_key_id = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[9] : null } # Create IAM Authorization Policies to allow PostgreSQL to access KMS for the encryption key resource "ibm_iam_authorization_policy" "kms_policy" { - count = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1 - source_service_name = "databases-for-postgresql" - source_resource_group_id = var.resource_group_id - target_service_name = local.kms_service - target_resource_instance_id = var.existing_kms_instance_guid - roles = ["Reader"] - description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service} instance GUID ${var.existing_kms_instance_guid}" + count = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 
0 : 1 + source_service_name = "databases-for-postgresql" + source_resource_group_id = var.resource_group_id + roles = ["Reader"] + description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service} instance GUID ${var.existing_kms_instance_guid}" + + resource_attributes { + name = "serviceName" + operator = "stringEquals" + value = local.kms_service + } + resource_attributes { + name = "accountId" + operator = "stringEquals" + value = local.kms_account_id + } + resource_attributes { + name = "serviceInstance" + operator = "stringEquals" + value = var.existing_kms_instance_guid + } + resource_attributes { + name = "resourceType" + operator = "stringEquals" + value = "key" + } + resource_attributes { + name = "resource" + operator = "stringEquals" + value = local.kms_key_id + } + # Scope of policy now includes the key, so ensure to create new policy before + # destroying old one to prevent any disruption to every day services. + lifecycle { + create_before_destroy = true + } } # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478 From 2b1d17473630d1fc0028c1f295f5e9313bfdfc5d Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Wed, 27 Nov 2024 23:09:27 +0530 Subject: [PATCH 02/16] Added Auth policy to backup encryption key --- README.md | 3 ++- main.tf | 45 +++++++++++++++++++++++++++++++-------------- variables.tf | 7 ++++++- 3 files changed, 39 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index c1ef86bd..17215fcc 100644 --- a/README.md +++ b/README.md 
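Review bot: The five resource_attributes are built from two different sources: serviceName, accountId and resource come from var.kms_key_crn, but serviceInstance still comes from var.existing_kms_instance_guid, so a caller-supplied GUID that does not belong to the CRN's instance yields a key-scoped policy that matches nothing and the database would presumably fail to reach its key. The CRN already carries the instance GUID as segment 7 (a later patch in this series reads parsed_kms_backup_key_crn[7] for exactly that), so `value = local.parsed_kms_key_crn[7]` for the serviceInstance attribute would keep every attribute derived from one validated input, with var.existing_kms_instance_guid kept for the description or as a cross-check. `split("/", local.kms_scope)[1]` also assumes the scope segment has the form `a/<account-id>`; that holds if var.kms_key_crn carries the same regex validation shown for backup_encryption_key_crn in a later hunk, otherwise the index fails at plan time. The description still advertises instance-level access although the policy is now key-scoped; appending `and key ${local.kms_key_id}` would make the rendered policy text match its scope. The locals block these entries belong to opens before the hunk.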
@@ -93,9 +93,10 @@ To attach access management tags to resources in this module, you need the follo | [admin\_pass](#input\_admin\_pass) | The password for the database administrator. If the admin password is null then the admin user ID cannot be accessed. More users can be specified in a user block. | `string` | `null` | no | | [auto\_scaling](#input\_auto\_scaling) | Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://ibm.biz/autoscaling-considerations in the IBM Cloud Docs. |
object({
disk = object({
capacity_enabled = optional(bool, false)
free_space_less_than_percent = optional(number, 10)
io_above_percent = optional(number, 90)
io_enabled = optional(bool, false)
io_over_period = optional(string, "15m")
rate_increase_percent = optional(number, 10)
rate_limit_mb_per_member = optional(number, 3670016)
rate_period_seconds = optional(number, 900)
rate_units = optional(string, "mb")
})
memory = object({
io_above_percent = optional(number, 90)
io_enabled = optional(bool, false)
io_over_period = optional(string, "15m")
rate_increase_percent = optional(number, 10)
rate_limit_mb_per_member = optional(number, 114688)
rate_period_seconds = optional(number, 900)
rate_units = optional(string, "mb")
})
})
| `null` | no | | [backup\_crn](#input\_backup\_crn) | The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty. | `string` | `null` | no | -| [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The Hyper Protect Crypto Services (HPCS) or Key Protect root key CRN to use for encrypting the disk that holds deployment backups. Only used if var.kms\_encryption\_enabled is set to true. There are region limitations for backup encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups (HPCS) and https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok (Key Protect). | `string` | `null` | no | +| [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The Hyper Protect Crypto Services (HPCS) or Key Protect root key CRN to use for encrypting the disk that holds deployment backups. Only used if var.kms\_encryption\_enabled is set to true. There are region limitations for backup encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups (HPCS) and https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok (Key Protect). | `string` | `"null"` | no | | [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
}))
| `[]` | no | | [configuration](#input\_configuration) | Database configuration parameters, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-changing-configuration&interface=api for more details. |
object({
shared_buffers = optional(number)
max_connections = optional(number)
# below field gives error when sent to provider
# tracking issue: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5403
# max_locks_per_transaction = optional(number)
max_prepared_transactions = optional(number)
synchronous_commit = optional(string)
effective_io_concurrency = optional(number)
deadlock_timeout = optional(number)
log_connections = optional(string)
log_disconnections = optional(string)
log_min_duration_statement = optional(number)
tcp_keepalives_idle = optional(number)
tcp_keepalives_interval = optional(number)
tcp_keepalives_count = optional(number)
archive_timeout = optional(number)
wal_level = optional(string)
max_replication_slots = optional(number)
max_wal_senders = optional(number)
})
| `null` | no | +| [existing\_backup\_kms\_instance\_guid](#input\_existing\_backup\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms\_key\_crn and var.backup\_encryption\_key\_crn is coming from. Required only if var.kms\_encryption\_enabled is set to true, var.skip\_iam\_authorization\_policy is set to false, and you pass a value for var.kms\_key\_crn, var.backup\_encryption\_key\_crn, or both. | `string` | `null` | no | | [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms\_key\_crn and var.backup\_encryption\_key\_crn is coming from. Required only if var.kms\_encryption\_enabled is set to true, var.skip\_iam\_authorization\_policy is set to false, and you pass a value for var.kms\_key\_crn, var.backup\_encryption\_key\_crn, or both. | `string` | `null` | no | | [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud Databases. If set to false, the data is encrypted by using randomly generated keys. For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs | `bool` | `false` | no | | [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Services like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for disk encryption. Only used if var.kms\_encryption\_enabled is set to true. | `string` | `null` | no | diff --git a/main.tf b/main.tf index cec8a7d8..b90b736d 100644 --- a/main.tf +++ b/main.tf 
@@ -26,48 +26,65 @@ locals { host_flavor_set = var.member_host_flavor != null ? true : false # Determine if restore, from backup or point in time recovery - recovery_mode = var.backup_crn != null || var.pitr_id != null + recovery_mode = var.backup_crn != null || var.pitr_id != null + parsed_kms_key_crn = var.kms_key_crn != null ? split(":", var.kms_key_crn) : [] + parsed_kms_backup_key_crn = var.backup_encryption_key_crn != null ? split(":", var.backup_encryption_key_crn) : [] + existing_backup_kms_instance_guid = var.backup_encryption_key_crn != null ? local.parsed_kms_backup_key_crn[7] : null + kms_keys = { + "key1" = { - - parsed_kms_key_crn = var.kms_key_crn != null ? split(":", var.kms_key_crn) : [] - kms_service = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null - kms_scope = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null - kms_account_id = length(local.parsed_kms_key_crn) > 0 ? split("/", local.kms_scope)[1] : null - kms_key_id = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[9] : null + kms_service = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null, + kms_scope = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null, + kms_account_id = length(local.parsed_kms_key_crn) > 0 ? split("/", local.parsed_kms_key_crn[6])[1] : null, + kms_key_id = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[9] : null, + instance = var.existing_kms_instance_guid, + resource_type = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[8] : null + }, + "key2" = { + kms_service = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[4] : null, + kms_scope = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[6] : null, + kms_account_id = length(local.parsed_kms_backup_key_crn) > 0 ? 
split("/", local.parsed_kms_backup_key_crn[6])[1] : null, + kms_key_id = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[9] : null, + instance = var.existing_backup_kms_instance_guid != null ? var.existing_backup_kms_instance_guid : var.existing_kms_instance_guid + resource_type = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[8] : null + }, + } + keys = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? {} : tomap({ + for i, key in local.kms_keys : i => key }) } # Create IAM Authorization Policies to allow PostgreSQL to access KMS for the encryption key resource "ibm_iam_authorization_policy" "kms_policy" { - count = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1 + for_each = local.keys source_service_name = "databases-for-postgresql" source_resource_group_id = var.resource_group_id roles = ["Reader"] - description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service} instance GUID ${var.existing_kms_instance_guid}" + description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the ${each.value.kms_service} instance GUID ${each.value.instance}" resource_attributes { name = "serviceName" operator = "stringEquals" - value = local.kms_service + value = each.value.kms_service } resource_attributes { name = "accountId" operator = "stringEquals" - value = local.kms_account_id + value = each.value.kms_account_id } resource_attributes { name = "serviceInstance" operator = "stringEquals" - value = var.existing_kms_instance_guid + value = each.value.instance } resource_attributes { name = "resourceType" operator = "stringEquals" - value = "key" + value = each.value.resource_type } resource_attributes { name = "resource" operator = "stringEquals" - value = local.kms_key_id + value = each.value.kms_key_id } # Scope of policy now includes the key, 
so ensure to create new policy before # destroying old one to prevent any disruption to every day services. diff --git a/variables.tf b/variables.tf index 5a8e757e..65b60145 100644 --- a/variables.tf +++ b/variables.tf @@ -278,7 +278,7 @@ variable "kms_key_crn" { variable "backup_encryption_key_crn" { type = string description = "The Hyper Protect Crypto Services (HPCS) or Key Protect root key CRN to use for encrypting the disk that holds deployment backups. Only used if var.kms_encryption_enabled is set to true. There are region limitations for backup encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups (HPCS) and https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok (Key Protect)." - default = null + default = "null" validation { condition = var.backup_encryption_key_crn == null ? true : length(regexall("^crn:v1:bluemix:public:kms:(us-south|us-east|eu-de):a/[[:xdigit:]]{32}:[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}:key:[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$|^crn:v1:bluemix:public:hs-crypto:[a-z-]+:a/[[:xdigit:]]{32}:[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}:key:[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$", var.backup_encryption_key_crn)) > 0 
@@ -303,6 +303,11 @@ variable "existing_kms_instance_guid" { description = "The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms_key_crn and var.backup_encryption_key_crn is coming from. Required only if var.kms_encryption_enabled is set to true, var.skip_iam_authorization_policy is set to false, and you pass a value for var.kms_key_crn, var.backup_encryption_key_crn, or both." default = null } +variable "existing_backup_kms_instance_guid" { + type = string + description = "The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms_key_crn and var.backup_encryption_key_crn is coming from. Required only if var.kms_encryption_enabled is set to true, var.skip_iam_authorization_policy is set to false, and you pass a value for var.kms_key_crn, var.backup_encryption_key_crn, or both." + default = null +} ############################################################## # Context-based restriction (CBR) From dc79d661951f52bc0e8606ee4bc25fad2d2020ce Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Thu, 28 Nov 2024 11:19:36 +0530 Subject: [PATCH 03/16] added changes main.tf --- README.md | 2 +- common-dev-assets | 2 +- main.tf | 8 +++++--- variables.tf | 2 +- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index ddc63265..90776fec 100644 --- a/README.md +++ b/README.md 
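Review bot: The description of the new `existing_backup_kms_instance_guid` variable is a verbatim copy of `existing_kms_instance_guid` and says nothing about what distinguishes it: it refers to "the key specified in var.kms_key_crn and var.backup_encryption_key_crn", although this input only affects the backup key's policy. I would describe it as the GUID of the HPCS or Key Protect instance that the key in var.backup_encryption_key_crn belongs to, and state that when it is left null the main.tf in this commit falls back to var.existing_kms_instance_guid. A local of the same name, derived from the CRN, is also declared in main.tf in this commit, which makes the two easy to confuse; a sentence saying which of the two is authoritative would help.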
@@ -93,7 +93,7 @@ To attach access management tags to resources in this module, you need the follo | [admin\_pass](#input\_admin\_pass) | The password for the database administrator. If the admin password is null then the admin user ID cannot be accessed. More users can be specified in a user block. | `string` | `null` | no | | [auto\_scaling](#input\_auto\_scaling) | Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://ibm.biz/autoscaling-considerations in the IBM Cloud Docs. |
object({
disk = object({
capacity_enabled = optional(bool, false)
free_space_less_than_percent = optional(number, 10)
io_above_percent = optional(number, 90)
io_enabled = optional(bool, false)
io_over_period = optional(string, "15m")
rate_increase_percent = optional(number, 10)
rate_limit_mb_per_member = optional(number, 3670016)
rate_period_seconds = optional(number, 900)
rate_units = optional(string, "mb")
})
memory = object({
io_above_percent = optional(number, 90)
io_enabled = optional(bool, false)
io_over_period = optional(string, "15m")
rate_increase_percent = optional(number, 10)
rate_limit_mb_per_member = optional(number, 114688)
rate_period_seconds = optional(number, 900)
rate_units = optional(string, "mb")
})
})
| `null` | no | | [backup\_crn](#input\_backup\_crn) | The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty. | `string` | `null` | no | -| [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The Hyper Protect Crypto Services (HPCS) or Key Protect root key CRN to use for encrypting the disk that holds deployment backups. Only used if var.kms\_encryption\_enabled is set to true. There are region limitations for backup encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups (HPCS) and https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok (Key Protect). | `string` | `"null"` | no | +| [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The Hyper Protect Crypto Services (HPCS) or Key Protect root key CRN to use for encrypting the disk that holds deployment backups. Only used if var.kms\_encryption\_enabled is set to true. There are region limitations for backup encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups (HPCS) and https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok (Key Protect). | `string` | `null` | no | | [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
}))
| `[]` | no | | [configuration](#input\_configuration) | Database configuration parameters, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-changing-configuration&interface=api for more details. |
object({
shared_buffers = optional(number)
max_connections = optional(number)
# below field gives error when sent to provider
# tracking issue: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5403
# max_locks_per_transaction = optional(number)
max_prepared_transactions = optional(number)
synchronous_commit = optional(string)
effective_io_concurrency = optional(number)
deadlock_timeout = optional(number)
log_connections = optional(string)
log_disconnections = optional(string)
log_min_duration_statement = optional(number)
tcp_keepalives_idle = optional(number)
tcp_keepalives_interval = optional(number)
tcp_keepalives_count = optional(number)
archive_timeout = optional(number)
wal_level = optional(string)
max_replication_slots = optional(number)
max_wal_senders = optional(number)
})
| `null` | no | | [existing\_backup\_kms\_instance\_guid](#input\_existing\_backup\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms\_key\_crn and var.backup\_encryption\_key\_crn is coming from. Required only if var.kms\_encryption\_enabled is set to true, var.skip\_iam\_authorization\_policy is set to false, and you pass a value for var.kms\_key\_crn, var.backup\_encryption\_key\_crn, or both. | `string` | `null` | no | diff --git a/common-dev-assets b/common-dev-assets index ffeb38ae..95f6c1ed 160000 --- a/common-dev-assets +++ b/common-dev-assets @@ -1 +1 @@ -Subproject commit ffeb38ae284999d23c25416b2f19268ca0ff49b8 +Subproject commit 95f6c1ed6360a3350a750313fb94d7781f129aba diff --git a/main.tf b/main.tf index c1204f57..c860f116 100644 --- a/main.tf +++ b/main.tf @@ -26,9 +26,11 @@ locals { host_flavor_set = var.member_host_flavor != null ? true : false # Determine if restore, from backup or point in time recovery - recovery_mode = var.backup_crn != null || var.pitr_id != null - parsed_kms_key_crn = var.kms_key_crn != null ? split(":", var.kms_key_crn) : [] - parsed_kms_backup_key_crn = var.backup_encryption_key_crn != null ? split(":", var.backup_encryption_key_crn) : [] + recovery_mode = var.backup_crn != null || var.pitr_id != null + parsed_kms_key_crn = var.kms_key_crn != null ? split(":", var.kms_key_crn) : [] + parsed_kms_backup_key_crn = var.backup_encryption_key_crn != null ? split(":", var.backup_encryption_key_crn) : [] + + # tflint-ignore: terraform_unused_declarations existing_backup_kms_instance_guid = var.backup_encryption_key_crn != null ? local.parsed_kms_backup_key_crn[7] : null kms_keys = { "key1" = { diff --git a/variables.tf b/variables.tf index 65b60145..2a5c19b6 100644 --- a/variables.tf +++ b/variables.tf 
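Review bot: The `# tflint-ignore: terraform_unused_declarations` comment silences the warning instead of resolving why `existing_backup_kms_instance_guid` is parsed from the CRN but never read; the key2 `instance` field, outside this hunk, still comes from var.existing_backup_kms_instance_guid. Using the parsed value there, `instance = local.existing_backup_kms_instance_guid != null ? local.existing_backup_kms_instance_guid : var.existing_kms_instance_guid`, would make the local used and the ignore comment unnecessary. If the local is deliberately kept for a later step, a comment stating that intent in place of the lint suppression would be clearer. The locals block opens before the hunk and the kms_keys map continues past it.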
@@ -278,7 +278,7 @@ variable "kms_key_crn" { variable "backup_encryption_key_crn" { type = string description = "The Hyper Protect Crypto Services (HPCS) or Key Protect root key CRN to use for encrypting the disk that holds deployment backups. Only used if var.kms_encryption_enabled is set to true. There are region limitations for backup encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups (HPCS) and https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok (Key Protect)." - default = "null" + default = null validation { condition = var.backup_encryption_key_crn == null ? true : length(regexall("^crn:v1:bluemix:public:kms:(us-south|us-east|eu-de):a/[[:xdigit:]]{32}:[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}:key:[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$|^crn:v1:bluemix:public:hs-crypto:[a-z-]+:a/[[:xdigit:]]{32}:[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}:key:[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$", var.backup_encryption_key_crn)) > 0 From 415495fa5cac373488493dd70467cf2f32c246ef Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Thu, 28 Nov 2024 06:21:17 +0000 Subject: [PATCH 04/16] latest changes --- common-dev-assets | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common-dev-assets b/common-dev-assets index 95f6c1ed..0f1f11eb 160000 --- a/common-dev-assets +++ b/common-dev-assets @@ -1 +1 @@ -Subproject commit 95f6c1ed6360a3350a750313fb94d7781f129aba +Subproject commit 0f1f11eb807b936a39b2a41106b5c26afd4b2b03 From 36b60112a19d81f5338ba28e3e1cbcca98e2c82b Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Thu, 28 Nov 2024 10:57:20 +0000 Subject: [PATCH 05/16] Changes in description --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/main.tf b/main.tf index c860f116..99afc65d 100644 --- a/main.tf +++ b/main.tf @@ -61,7 +61,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" { source_service_name = "databases-for-postgresql" source_resource_group_id = var.resource_group_id roles = ["Reader"] - description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the ${each.value.kms_service} instance GUID ${each.value.instance}" + description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the kms_service instance GUID ${each.value.instance}" resource_attributes { name = "serviceName" From a0cc673b54335ff2ab3c9ffcfad5c40f2570d746 Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Thu, 28 Nov 2024 14:37:40 +0000 Subject: [PATCH 06/16] added variable in cra-config.yaml --- cra-config.yaml | 1 + main.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/cra-config.yaml b/cra-config.yaml index 02ae2ae2..6912e181 100644 --- a/cra-config.yaml +++ b/cra-config.yaml @@ -10,3 +10,4 @@ CRA_TARGETS: TF_VAR_prefix: "test-postgres-standard" TF_VAR_resource_group_name: "test" TF_VAR_provider_visibility: "public" + TF_VAR_backup_encryption_key_crn : "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533" diff --git a/main.tf b/main.tf index 99afc65d..c860f116 100644 --- a/main.tf +++ b/main.tf 
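Review bot: The new description replaces `${each.value.kms_service}` with the literal text kms_service, so the rendered policy description reads "read from the kms_service instance GUID …" and no longer says whether the target is kms or hs-crypto. If the interpolation was removed to work around something, a comment saying why would help; otherwise restoring `${each.value.kms_service}` keeps the description accurate. The resource block starts and ends outside the hunk.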
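Review bot: The new `TF_VAR_backup_encryption_key_crn` value is the same CRN as `TF_VAR_kms_key_crn` (visible as context in a later cra-config hunk), so this configuration only exercises the case where both keys are identical; with the for_each over key1 and key2 in main.tf that yields two authorization policies with identical attributes, which IAM would presumably reject as a duplicate rather than exercise the backup-key path. A CRN for a distinct key, or a note that the duplicate case is intentional, would make the scan configuration match what the module is meant to cover. The space before the colon in `TF_VAR_backup_encryption_key_crn :` also differs from the surrounding keys.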
@@ -61,7 +61,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" { source_service_name = "databases-for-postgresql" source_resource_group_id = var.resource_group_id roles = ["Reader"] - description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the kms_service instance GUID ${each.value.instance}" + description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the ${each.value.kms_service} instance GUID ${each.value.instance}" resource_attributes { name = "serviceName" From 3536343b898cd403ea27a88fe2cbdd0086eb767d Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Fri, 29 Nov 2024 15:32:59 +0530 Subject: [PATCH 07/16] added changes related to backup_encryption_key variable --- cra-config.yaml | 2 +- main.tf | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cra-config.yaml b/cra-config.yaml index 6912e181..af1a313d 100644 --- a/cra-config.yaml +++ b/cra-config.yaml @@ -10,4 +10,4 @@ CRA_TARGETS: TF_VAR_prefix: "test-postgres-standard" TF_VAR_resource_group_name: "test" TF_VAR_provider_visibility: "public" - TF_VAR_backup_encryption_key_crn : "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533" + TF_VAR_backup_encryption_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533" \ No newline at end of file diff --git a/main.tf b/main.tf index c860f116..63098d5f 100644 --- a/main.tf +++ b/main.tf 
@@ -28,10 +28,10 @@ locals { # Determine if restore, from backup or point in time recovery recovery_mode = var.backup_crn != null || var.pitr_id != null parsed_kms_key_crn = var.kms_key_crn != null ? split(":", var.kms_key_crn) : [] - parsed_kms_backup_key_crn = var.backup_encryption_key_crn != null ? split(":", var.backup_encryption_key_crn) : [] + parsed_kms_backup_key_crn = local.backup_encryption_key_crn != null ? split(":", local.backup_encryption_key_crn) : [] # tflint-ignore: terraform_unused_declarations - existing_backup_kms_instance_guid = var.backup_encryption_key_crn != null ? local.parsed_kms_backup_key_crn[7] : null + existing_backup_kms_instance_guid = local.backup_encryption_key_crn != null ? local.parsed_kms_backup_key_crn[7] : null kms_keys = { "key1" = { @@ -67,7 +67,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" { name = "serviceName" operator = "stringEquals" value = each.value.kms_service - } + } resource_attributes { name = "accountId" operator = "stringEquals" From 0c467b888241b982c76b88f61a752510db987713 Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Fri, 29 Nov 2024 16:48:09 +0530 Subject: [PATCH 08/16] fixed the cr-config.yaml issue --- cra-config.yaml | 2 +- main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cra-config.yaml b/cra-config.yaml index af1a313d..eb062154 100644 --- a/cra-config.yaml +++ b/cra-config.yaml @@ -10,4 +10,4 @@ CRA_TARGETS: TF_VAR_prefix: "test-postgres-standard" TF_VAR_resource_group_name: "test" TF_VAR_provider_visibility: "public" - TF_VAR_backup_encryption_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533" \ No newline at end of file + TF_VAR_backup_encryption_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533" 
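Review bot: `local.backup_encryption_key_crn` is referenced on both changed lines but is not declared in this hunk or in any other hunk of the series, so unless it exists elsewhere in main.tf this is an undefined local and validation fails. If it is declared outside the view, a comment on the first changed line stating where it comes from and what it resolves to when var.backup_encryption_key_crn is unset (for instance whether it falls back to var.kms_key_crn) would explain why the var was replaced. If it does fall back to the primary key, `existing_backup_kms_instance_guid` becomes non-null even with no backup key configured, which changes what key2's instance resolves to; worth documenting either way. The locals block opens before the hunk.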
diff --git a/main.tf b/main.tf index 63098d5f..b98024c1 100644 --- a/main.tf +++ b/main.tf @@ -67,7 +67,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" { name = "serviceName" operator = "stringEquals" value = each.value.kms_service - } + } resource_attributes { name = "accountId" operator = "stringEquals" From 0610552b60bfd689dcf0ed5610322a82ac831dde Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Mon, 2 Dec 2024 10:23:59 +0530 Subject: [PATCH 09/16] latest changes --- cra-config.yaml | 3 +-- main.tf | 2 +- variables.tf | 5 ----- 3 files changed, 2 insertions(+), 8 deletions(-) diff --git a/cra-config.yaml b/cra-config.yaml index eb062154..4704d5bb 100644 --- a/cra-config.yaml +++ b/cra-config.yaml @@ -9,5 +9,4 @@ CRA_TARGETS: TF_VAR_kms_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533" TF_VAR_prefix: "test-postgres-standard" TF_VAR_resource_group_name: "test" - TF_VAR_provider_visibility: "public" - TF_VAR_backup_encryption_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533" + TF_VAR_provider_visibility: "public" \ No newline at end of file diff --git a/main.tf b/main.tf index b98024c1..b1eb90b7 100644 --- a/main.tf +++ b/main.tf 
@@ -47,7 +47,7 @@ locals { kms_scope = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[6] : null, kms_account_id = length(local.parsed_kms_backup_key_crn) > 0 ? split("/", local.parsed_kms_backup_key_crn[6])[1] : null, kms_key_id = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[9] : null, - instance = var.existing_backup_kms_instance_guid != null ? var.existing_backup_kms_instance_guid : var.existing_kms_instance_guid + instance = local.existing_backup_kms_instance_guid != null ? local.existing_backup_kms_instance_guid : var.existing_kms_instance_guid resource_type = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[8] : null }, } diff --git a/variables.tf b/variables.tf index 2a5c19b6..5a8e757e 100644 --- a/variables.tf +++ b/variables.tf @@ -303,11 +303,6 @@ variable "existing_kms_instance_guid" { description = "The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms_key_crn and var.backup_encryption_key_crn is coming from. Required only if var.kms_encryption_enabled is set to true, var.skip_iam_authorization_policy is set to false, and you pass a value for var.kms_key_crn, var.backup_encryption_key_crn, or both." default = null } -variable "existing_backup_kms_instance_guid" { - type = string - description = "The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms_key_crn and var.backup_encryption_key_crn is coming from. Required only if var.kms_encryption_enabled is set to true, var.skip_iam_authorization_policy is set to false, and you pass a value for var.kms_key_crn, var.backup_encryption_key_crn, or both." - default = null -} ############################################################## # Context-based restriction (CBR) From 29d410414e836995dd9b58296e68dd02153ad227 Mon Sep 17 00:00:00 2001 
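Review bot: The `instance` fallback to `var.existing_kms_instance_guid` is reached exactly when `local.existing_backup_kms_instance_guid` is null, which from the hunk above is when `local.backup_encryption_key_crn` is null; at that point every other attribute of this `key2` entry (`kms_service`, `kms_key_id`, `resource_type`) is also null, so the entry describes an authorization policy on the primary KMS instance with null resource attributes rather than a policy for a backup key. It would be safer to drop the entry instead of falling back, for example by filtering `local.keys` to entries whose `kms_key_id != null`, so no policy is attempted for a key that was never supplied. The `kms_keys` map and the `locals` block start before this hunk, so I cannot see whether `local.backup_encryption_key_crn` itself defaults to the primary key CRN.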
From: Arya Girish K Date: Mon, 2 Dec 2024 05:17:06 +0000 Subject: [PATCH 10/16] Added Changes in Readme and cra-config.yaml --- README.md | 1 - cra-config.yaml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 90776fec..577119ed 100644 --- a/README.md +++ b/README.md @@ -96,7 +96,6 @@ To attach access management tags to resources in this module, you need the follo | [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The Hyper Protect Crypto Services (HPCS) or Key Protect root key CRN to use for encrypting the disk that holds deployment backups. Only used if var.kms\_encryption\_enabled is set to true. There are region limitations for backup encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups (HPCS) and https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok (Key Protect). | `string` | `null` | no | | [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
}))
| `[]` | no | | [configuration](#input\_configuration) | Database configuration parameters, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-changing-configuration&interface=api for more details. |
object({
shared_buffers = optional(number)
max_connections = optional(number)
# below field gives error when sent to provider
# tracking issue: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5403
# max_locks_per_transaction = optional(number)
max_prepared_transactions = optional(number)
synchronous_commit = optional(string)
effective_io_concurrency = optional(number)
deadlock_timeout = optional(number)
log_connections = optional(string)
log_disconnections = optional(string)
log_min_duration_statement = optional(number)
tcp_keepalives_idle = optional(number)
tcp_keepalives_interval = optional(number)
tcp_keepalives_count = optional(number)
archive_timeout = optional(number)
wal_level = optional(string)
max_replication_slots = optional(number)
max_wal_senders = optional(number)
})
| `null` | no | -| [existing\_backup\_kms\_instance\_guid](#input\_existing\_backup\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms\_key\_crn and var.backup\_encryption\_key\_crn is coming from. Required only if var.kms\_encryption\_enabled is set to true, var.skip\_iam\_authorization\_policy is set to false, and you pass a value for var.kms\_key\_crn, var.backup\_encryption\_key\_crn, or both. | `string` | `null` | no | | [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms\_key\_crn and var.backup\_encryption\_key\_crn is coming from. Required only if var.kms\_encryption\_enabled is set to true, var.skip\_iam\_authorization\_policy is set to false, and you pass a value for var.kms\_key\_crn, var.backup\_encryption\_key\_crn, or both. | `string` | `null` | no | | [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud Databases. If set to false, the data is encrypted by using randomly generated keys. For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs | `bool` | `false` | no | | [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Services like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for disk encryption. Only used if var.kms\_encryption\_enabled is set to true. | `string` | `null` | no | diff --git a/cra-config.yaml b/cra-config.yaml index 4704d5bb..02ae2ae2 100644 --- a/cra-config.yaml +++ b/cra-config.yaml 
@@ -9,4 +9,4 @@ CRA_TARGETS: TF_VAR_kms_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533" TF_VAR_prefix: "test-postgres-standard" TF_VAR_resource_group_name: "test" - TF_VAR_provider_visibility: "public" \ No newline at end of file + TF_VAR_provider_visibility: "public" From 509b8632318108fc2912499403d9eccc859cedd6 Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Wed, 4 Dec 2024 13:57:30 +0530 Subject: [PATCH 11/16] Testing --- main.tf | 99 +++++++++++++++++++++--------- modules/fscloud/outputs.tf | 110 ++++++++++++++++++--------------- solutions/standard/outputs.tf | 111 +++++++++++++++++++--------------- 3 files changed, 194 insertions(+), 126 deletions(-) diff --git a/main.tf b/main.tf index b1eb90b7..823feef8 100644 --- a/main.tf +++ b/main.tf 
@@ -27,66 +27,107 @@ locals { # Determine if restore, from backup or point in time recovery recovery_mode = var.backup_crn != null || var.pitr_id != null + parsed_kms_key_crn = var.kms_key_crn != null ? split(":", var.kms_key_crn) : [] parsed_kms_backup_key_crn = local.backup_encryption_key_crn != null ? split(":", local.backup_encryption_key_crn) : [] # tflint-ignore: terraform_unused_declarations existing_backup_kms_instance_guid = local.backup_encryption_key_crn != null ? local.parsed_kms_backup_key_crn[7] : null - kms_keys = { - "key1" = { - - kms_service = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null, - kms_scope = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null, - kms_account_id = length(local.parsed_kms_key_crn) > 0 ? split("/", local.parsed_kms_key_crn[6])[1] : null, - kms_key_id = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[9] : null, - instance = var.existing_kms_instance_guid, - resource_type = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[8] : null - }, - "key2" = { - kms_service = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[4] : null, - kms_scope = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[6] : null, - kms_account_id = length(local.parsed_kms_backup_key_crn) > 0 ? split("/", local.parsed_kms_backup_key_crn[6])[1] : null, - kms_key_id = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[9] : null, - instance = local.existing_backup_kms_instance_guid != null ? local.existing_backup_kms_instance_guid : var.existing_kms_instance_guid - resource_type = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[8] : null - }, - } - keys = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? {} : tomap({ - for i, key in local.kms_keys : i => key }) + + kms_region = length(local.parsed_kms_key_crn) > 0 ? 
local.parsed_kms_key_crn[5] : null + backup_kms_region = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[5] : null + + validate_backup_kms_key = var.use_default_backup_encryption_key != true ? (local.backup_encryption_key_crn == var.kms_key_crn )? true : false : false + #&& can(regex("us-south|eu-de|jp-tok", local.kms_region)) + + + + kms_key = var.kms_key_crn !=null? { + kms_service = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null, + #kms_scope = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null, + kms_account_id = length(local.parsed_kms_key_crn) > 0 ? split("/", local.parsed_kms_key_crn[6])[1] : null, + kms_key_id = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[9] : null, + instance = var.existing_kms_instance_guid, + resource_type = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[8] : null, + }:null + + backup_encryption_key = var.backup_encryption_key_crn !=null? { + kms_service = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[4] : null, + #kms_scope = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[6] : null, + kms_account_id = length(local.parsed_kms_backup_key_crn) > 0 ? split("/", local.parsed_kms_backup_key_crn[6])[1] : null, + kms_key_id = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[9] : null, + instance = local.existing_backup_kms_instance_guid != null ? local.existing_backup_kms_instance_guid : var.existing_kms_instance_guid, + resource_type = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[8] : null, + }:null + + + keys = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? [] : ( + local.validate_backup_kms_key ? 
+ [local.kms_key] # Only use `kms_key` if the condition is true + : [local.kms_key,local.backup_encryption_key] + ) + #tomap({ + #for i, key in local.kms_keys : i => key }) # Add `backup_encryption_key` if the condition is false + test = {"a"={ + kms_service = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null, + #kms_scope = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null, + kms_account_id = length(local.parsed_kms_key_crn) > 0 ? split("/", local.parsed_kms_key_crn[6])[1] : null, + kms_key_id = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[9] : null, + instance = var.existing_kms_instance_guid, + resource_type = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[8] : null, + }} + +} + +output "kms_keys_debug" { + value = local.keys +} +output "validate_backup_kms_key" { + value = local.validate_backup_kms_key +} + +output "kms_key" { + value = local.kms_key +} +output "backup_encryption_key" { + value = local.backup_encryption_key } # Create IAM Authorization Policies to allow PostgreSQL to access KMS for the encryption key resource "ibm_iam_authorization_policy" "kms_policy" { - for_each = local.keys + count = length(local.keys) + #for_each = local.test + #for_each = { + #for i,key in local.keys :i => key} source_service_name = "databases-for-postgresql" source_resource_group_id = var.resource_group_id roles = ["Reader"] - description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the ${each.value.kms_service} instance GUID ${each.value.instance}" - + #description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the ${each.value.kms_service} instance GUID ${each.value.instance}" + resource_attributes { name = "serviceName" operator = "stringEquals" - value = each.value.kms_service + value = local.keys[count.index].kms_service } resource_attributes { name = "accountId" operator = 
"stringEquals" - value = each.value.kms_account_id + value = local.keys[count.index].kms_account_id } resource_attributes { name = "serviceInstance" operator = "stringEquals" - value = each.value.instance + value = local.keys[count.index].instance } resource_attributes { name = "resourceType" operator = "stringEquals" - value = each.value.resource_type + value = local.keys[count.index].resource_type } resource_attributes { name = "resource" operator = "stringEquals" - value = each.value.kms_key_id + value = local.keys[count.index].kms_key_id } # Scope of policy now includes the key, so ensure to create new policy before # destroying old one to prevent any disruption to every day services. diff --git a/modules/fscloud/outputs.tf b/modules/fscloud/outputs.tf index 9b36082e..473be1ac 100644 --- a/modules/fscloud/outputs.tf +++ b/modules/fscloud/outputs.tf 
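Review bot: `local.keys` can hold `null` entries, and `local.keys[count.index].kms_service` then fails on a null object: `local.kms_key` is null whenever `var.kms_key_crn` is null even with `kms_encryption_enabled = true`, and `local.backup_encryption_key` is gated on `var.backup_encryption_key_crn` while its parsed fields come from `local.backup_encryption_key_crn`, so the two can disagree. Moving from `for_each` to `count` over a list also ties each policy to its position, so removing the first entry forces the backup policy to be destroyed and re-created. The added `kms_keys_debug`, `validate_backup_kms_key`, `kms_key` and `backup_encryption_key` outputs, the `test` local and the commented-out `description` and `for_each` lines read as scratch work; the same debug outputs are surfaced in the `modules/fscloud/outputs.tf` and `solutions/standard/outputs.tf` hunks of this commit, where they replace the module's real outputs, including the `sensitive = true` credential outputs that consumers depend on. If this commit is kept in the series, at least the debug outputs and the `test` local should be removed before merge.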
@@ -1,61 +1,75 @@ -############################################################################## -# Outputs -############################################################################## +# ############################################################################## +# # Outputs +# ############################################################################## -output "id" { - description = "Postgresql instance id" - value = module.postgresql_db.id -} +# output "id" { +# description = "Postgresql instance id" +# value = module.postgresql_db.id +# } -output "guid" { - description = "Postgresql instance guid" - value = module.postgresql_db.guid -} +# output "guid" { +# description = "Postgresql instance guid" +# value = module.postgresql_db.guid +# } -output "version" { - description = "Postgresql instance version" - value = module.postgresql_db.version -} +# output "version" { +# description = "Postgresql instance version" +# value = module.postgresql_db.version +# } -output "crn" { - description = "Postgresql instance crn" - value = module.postgresql_db.crn -} +# output "crn" { +# description = "Postgresql instance crn" +# value = module.postgresql_db.crn +# } -output "adminuser" { - description = "Database admin user name" - value = module.postgresql_db.adminuser -} +# output "adminuser" { +# description = "Database admin user name" +# value = module.postgresql_db.adminuser +# } -output "hostname" { - description = "Database connection hostname" - value = module.postgresql_db.hostname -} +# output "hostname" { +# description = "Database connection hostname" +# value = module.postgresql_db.hostname +# } -output "port" { - description = "Database connection port" - value = module.postgresql_db.port -} +# output "port" { +# description = "Database connection port" +# value = module.postgresql_db.port +# } -output "certificate_base64" { - description = "Database connection certificate" - value = module.postgresql_db.certificate_base64 - sensitive = true -} +# 
output "certificate_base64" { +# description = "Database connection certificate" +# value = module.postgresql_db.certificate_base64 +# sensitive = true +# } -output "service_credentials_json" { - description = "Service credentials json map" - value = module.postgresql_db.service_credentials_json - sensitive = true -} +# output "service_credentials_json" { +# description = "Service credentials json map" +# value = module.postgresql_db.service_credentials_json +# sensitive = true +# } -output "service_credentials_object" { - description = "Service credentials object" - value = module.postgresql_db.service_credentials_object - sensitive = true +# output "service_credentials_object" { +# description = "Service credentials object" +# value = module.postgresql_db.service_credentials_object +# sensitive = true +# } + +# output "cbr_rule_ids" { +# description = "CBR rule ids created to restrict Postgresql" +# value = module.postgresql_db.cbr_rule_ids +# } + +output "kms_keys_debug" { + value = module.postgresql_db.kms_keys_debug +} +output "validate_backup_kms_key" { + value = module.postgresql_db.validate_backup_kms_key } -output "cbr_rule_ids" { - description = "CBR rule ids created to restrict Postgresql" - value = module.postgresql_db.cbr_rule_ids +output "kms_key" { + value = module.postgresql_db.kms_key } +output "backup_encryption_key" { + value = module.postgresql_db.backup_encryption_key +} \ No newline at end of file diff --git a/solutions/standard/outputs.tf b/solutions/standard/outputs.tf index 691f3fe6..191c128b 100644 --- a/solutions/standard/outputs.tf +++ b/solutions/standard/outputs.tf 
@@ -1,50 +1,63 @@ -############################################################################## -# Outputs -############################################################################## - -output "id" { - description = "PostgreSQL instance id" - value = module.postgresql_db.id -} - -output "guid" { - description = "PostgreSQL instance guid" - value = module.postgresql_db.guid -} - -output "version" { - description = "PostgreSQL instance version" - value = module.postgresql_db.version -} - -output "crn" { - description = "PostgreSQL instance crn" - value = module.postgresql_db.crn -} - -output "cbr_rule_ids" { - description = "CBR rule ids created to restrict PostgreSQL" - value = module.postgresql_db.cbr_rule_ids -} - -output "service_credentials_json" { - description = "Service credentials json map" - value = module.postgresql_db.service_credentials_json - sensitive = true -} - -output "service_credentials_object" { - description = "Service credentials object" - value = module.postgresql_db.service_credentials_object - sensitive = true -} - -output "hostname" { - description = "PostgreSQL instance hostname" - value = module.postgresql_db.hostname -} - -output "port" { - description = "PostgreSQL instance port" - value = module.postgresql_db.port +# ############################################################################## +# # Outputs +# ############################################################################## + +# output "id" { +# description = "PostgreSQL instance id" +# value = module.postgresql_db.id +# } + +# output "guid" { +# description = "PostgreSQL instance guid" +# value = module.postgresql_db.guid +# } + +# output "version" { +# description = "PostgreSQL instance version" +# value = module.postgresql_db.version +# } + +# output "crn" { +# description = "PostgreSQL instance crn" +# value = module.postgresql_db.crn +# } + +# output "cbr_rule_ids" { +# description = "CBR rule ids created to restrict PostgreSQL" +# value = 
module.postgresql_db.cbr_rule_ids +# } + +# output "service_credentials_json" { +# description = "Service credentials json map" +# value = module.postgresql_db.service_credentials_json +# sensitive = true +# } + +# output "service_credentials_object" { +# description = "Service credentials object" +# value = module.postgresql_db.service_credentials_object +# sensitive = true +# } + +# output "hostname" { +# description = "PostgreSQL instance hostname" +# value = module.postgresql_db.hostname +# } + +# output "port" { +# description = "PostgreSQL instance port" +# value = module.postgresql_db.port +# } +output "kms_keys_debug" { + value = module.postgresql_db.kms_keys_debug +} +output "validate_backup_kms_key" { + value = module.postgresql_db.validate_backup_kms_key +} + +output "kms_key" { + value = module.postgresql_db.kms_key +} +output "backup_encryption_key" { + value = module.postgresql_db.backup_encryption_key } From df12a6d3d03c40501505b6bb2d1eedbbefffed43 Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Fri, 6 Dec 2024 13:56:59 +0000 Subject: [PATCH 12/16] Added parser and Auth policy resource for Backup encryption key --- main.tf | 154 +++++++++++++++++++--------------- modules/fscloud/outputs.tf | 110 +++++++++++------------- solutions/standard/outputs.tf | 111 +++++++++++------------- 3 files changed, 182 insertions(+), 193 deletions(-) diff --git a/main.tf b/main.tf index 823feef8..eb09dd33 100644 --- a/main.tf +++ b/main.tf 
@@ -27,107 +27,67 @@ locals { # Determine if restore, from backup or point in time recovery recovery_mode = var.backup_crn != null || var.pitr_id != null - - parsed_kms_key_crn = var.kms_key_crn != null ? split(":", var.kms_key_crn) : [] - parsed_kms_backup_key_crn = local.backup_encryption_key_crn != null ? split(":", local.backup_encryption_key_crn) : [] - - # tflint-ignore: terraform_unused_declarations - existing_backup_kms_instance_guid = local.backup_encryption_key_crn != null ? local.parsed_kms_backup_key_crn[7] : null - - kms_region = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[5] : null - backup_kms_region = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[5] : null - - validate_backup_kms_key = var.use_default_backup_encryption_key != true ? (local.backup_encryption_key_crn == var.kms_key_crn )? true : false : false - #&& can(regex("us-south|eu-de|jp-tok", local.kms_region)) + #validation for creating KMS and backup KMS policy + create_backup_auth_policy = local.backup_encryption_key_crn != null && var.backup_encryption_key_crn != null ? 1 : 0 + create_kms_auth_policy = var.kms_encryption_enabled == true && !var.skip_iam_authorization_policy ? 1 : 0 - kms_key = var.kms_key_crn !=null? { - kms_service = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null, - #kms_scope = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null, - kms_account_id = length(local.parsed_kms_key_crn) > 0 ? split("/", local.parsed_kms_key_crn[6])[1] : null, - kms_key_id = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[9] : null, - instance = var.existing_kms_instance_guid, - resource_type = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[8] : null, - }:null - - backup_encryption_key = var.backup_encryption_key_crn !=null? { - kms_service = length(local.parsed_kms_backup_key_crn) > 0 ? 
local.parsed_kms_backup_key_crn[4] : null, - #kms_scope = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[6] : null, - kms_account_id = length(local.parsed_kms_backup_key_crn) > 0 ? split("/", local.parsed_kms_backup_key_crn[6])[1] : null, - kms_key_id = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[9] : null, - instance = local.existing_backup_kms_instance_guid != null ? local.existing_backup_kms_instance_guid : var.existing_kms_instance_guid, - resource_type = length(local.parsed_kms_backup_key_crn) > 0 ? local.parsed_kms_backup_key_crn[8] : null, - }:null - - - keys = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? [] : ( - local.validate_backup_kms_key ? - [local.kms_key] # Only use `kms_key` if the condition is true - : [local.kms_key,local.backup_encryption_key] - ) - #tomap({ - #for i, key in local.kms_keys : i => key }) # Add `backup_encryption_key` if the condition is false - test = {"a"={ - kms_service = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null, - #kms_scope = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null, - kms_account_id = length(local.parsed_kms_key_crn) > 0 ? split("/", local.parsed_kms_key_crn[6])[1] : null, - kms_key_id = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[9] : null, - instance = var.existing_kms_instance_guid, - resource_type = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[8] : null, - }} - -} + + #KMS Encryption key details + kms_service = var.kms_key_crn != null ? module.kms_crn_parser[0].service_name : null + kms_account_id = var.kms_key_crn != null ? module.kms_crn_parser[0].account_id : null + kms_key_id = var.kms_key_crn != null ? module.kms_crn_parser[0].resource : null + instance = var.kms_key_crn != null ? 
module.kms_crn_parser[0].service_instance : null + + #Backup encryption key details + backup_kms_service = local.backup_encryption_key_crn != null && length(module.backup_kms_crn_parser) > 0 ? module.backup_kms_crn_parser[0].service_name : null + backup_kms_account_id = local.backup_encryption_key_crn != null && length(module.backup_kms_crn_parser) > 0 ? module.backup_kms_crn_parser[0].account_id : null + backup_kms_key_id = local.backup_encryption_key_crn != null && length(module.backup_kms_crn_parser) > 0 ? module.backup_kms_crn_parser[0].resource : null + backup_instance = local.backup_encryption_key_crn != null && length(module.backup_kms_crn_parser) > 0 ? module.backup_kms_crn_parser[0].service_instance : null -output "kms_keys_debug" { - value = local.keys -} -output "validate_backup_kms_key" { - value = local.validate_backup_kms_key } -output "kms_key" { - value = local.kms_key +# Module to parse the KMS CRN and extract kms key details. +# The module is only created if the 'create_kms_auth_policy' local variable is true . 
+module "kms_crn_parser" { + count = local.create_kms_auth_policy + source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser" + version = "1.1.0" + crn = var.kms_key_crn } -output "backup_encryption_key" { - value = local.backup_encryption_key -} - # Create IAM Authorization Policies to allow PostgreSQL to access KMS for the encryption key resource "ibm_iam_authorization_policy" "kms_policy" { - count = length(local.keys) - #for_each = local.test - #for_each = { - #for i,key in local.keys :i => key} + count = local.create_kms_auth_policy source_service_name = "databases-for-postgresql" source_resource_group_id = var.resource_group_id roles = ["Reader"] - #description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the ${each.value.kms_service} instance GUID ${each.value.instance}" + description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service} instance GUID ${local.instance}" resource_attributes { name = "serviceName" operator = "stringEquals" - value = local.keys[count.index].kms_service + value = local.kms_service } resource_attributes { name = "accountId" operator = "stringEquals" - value = local.keys[count.index].kms_account_id + value = local.kms_account_id } resource_attributes { name = "serviceInstance" operator = "stringEquals" - value = local.keys[count.index].instance + value = local.instance } resource_attributes { name = "resourceType" operator = "stringEquals" - value = local.keys[count.index].resource_type + value = "key" } resource_attributes { name = "resource" operator = "stringEquals" - value = local.keys[count.index].kms_key_id + value = local.kms_key_id } # Scope of policy now includes the key, so ensure to create new policy before # destroying old one to prevent any disruption to every day services. 
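Review bot: `create_backup_auth_policy` is not gated on `var.kms_encryption_enabled` or `var.skip_iam_authorization_policy`, unlike `create_kms_auth_policy`, so a consumer who sets the skip flag to manage IAM policies themselves still gets `backup_kms_policy` created; suggest `create_backup_auth_policy = var.kms_encryption_enabled && !var.skip_iam_authorization_policy && local.backup_encryption_key_crn != null && var.backup_encryption_key_crn != null ? 1 : 0`. Second, the four `kms_*` locals index `module.kms_crn_parser[0]` guarded only by `var.kms_key_crn != null`, but the module's `count` is `create_kms_auth_policy`, so a key CRN supplied with encryption disabled or the skip flag set hits an invalid index at plan time; mirror the backup locals' guard, e.g. `kms_service = length(module.kms_crn_parser) > 0 ? module.kms_crn_parser[0].service_name : null`. The previous commit's `validate_backup_kms_key` collapsed the case where the backup key CRN equals the primary key CRN; this version drops that and would define two identical policies in that case, which the IAM API may reject as a duplicate — worth confirming. The `locals` block header is before this hunk.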
@@ -138,11 +98,67 @@ resource "ibm_iam_authorization_policy" "kms_policy" { # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478 resource "time_sleep" "wait_for_authorization_policy" { + count = local.create_kms_auth_policy depends_on = [ibm_iam_authorization_policy.kms_policy] create_duration = "30s" } +# Module to parse the backup encryption key crn and extract key details. +# The module is only created if the 'create_backup_auth_policy' local variable is true +module "backup_kms_crn_parser" { + count = local.create_backup_auth_policy + source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser" + version = "1.1.0" + crn = local.backup_encryption_key_crn +} + +resource "ibm_iam_authorization_policy" "backup_kms_policy" { + count = local.create_backup_auth_policy + source_service_name = "databases-for-postgresql" + source_resource_group_id = var.resource_group_id + roles = ["Reader"] + description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the ${local.backup_kms_service} instance GUID ${local.backup_instance}" + + resource_attributes { + name = "serviceName" + operator = "stringEquals" + value = local.backup_kms_service + } + resource_attributes { + name = "accountId" + operator = "stringEquals" + value = local.backup_kms_account_id + } + resource_attributes { + name = "serviceInstance" + operator = "stringEquals" + value = local.backup_instance + } + resource_attributes { + name = "resourceType" + operator = "stringEquals" + value = "key" + } + resource_attributes { + name = "resource" + operator = "stringEquals" + value = local.backup_kms_key_id + } + # Scope of policy now includes the key, so ensure to create new policy before + # destroying old one to prevent any disruption to every day services. 
+ lifecycle { + create_before_destroy = true + } +} + +resource "time_sleep" "wait_for_backup_kms_authorization_policy" { + count = local.create_backup_auth_policy + depends_on = [ibm_iam_authorization_policy.backup_kms_policy] + + create_duration = "30s" +} + # Create postgresql database resource "ibm_database" "postgresql_db" { depends_on = [time_sleep.wait_for_authorization_policy] diff --git a/modules/fscloud/outputs.tf b/modules/fscloud/outputs.tf index 473be1ac..ffeca0c6 100644 --- a/modules/fscloud/outputs.tf +++ b/modules/fscloud/outputs.tf 
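Review bot: `ibm_database.postgresql_db` still lists only `time_sleep.wait_for_authorization_policy` in its `depends_on`, so the new `time_sleep.wait_for_backup_kms_authorization_policy` (and through it `backup_kms_policy`) is not ordered before database creation; when the backup key lives in a different KMS instance the database can be provisioned before its read grant on that key has propagated, which is the race the 30s sleep exists to avoid. Change the context line to `depends_on = [time_sleep.wait_for_authorization_policy, time_sleep.wait_for_backup_kms_authorization_policy]`; referencing a resource whose `count` evaluates to 0 in `depends_on` is valid, so the gating locals need no change. The `ibm_database` resource body continues outside this hunk.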
@@ -1,75 +1,61 @@ -# ############################################################################## -# # Outputs -# ############################################################################## +############################################################################## +# Outputs +############################################################################## -# output "id" { -# description = "Postgresql instance id" -# value = module.postgresql_db.id -# } - -# output "guid" { -# description = "Postgresql instance guid" -# value = module.postgresql_db.guid -# } - -# output "version" { -# description = "Postgresql instance version" -# value = module.postgresql_db.version -# } - -# output "crn" { -# description = "Postgresql instance crn" -# value = module.postgresql_db.crn -# } - -# output "adminuser" { -# description = "Database admin user name" -# value = module.postgresql_db.adminuser -# } +output "id" { + description = "Postgresql instance id" + value = module.postgresql_db.id +} -# output "hostname" { -# description = "Database connection hostname" -# value = module.postgresql_db.hostname -# } +output "guid" { + description = "Postgresql instance guid" + value = module.postgresql_db.guid +} -# output "port" { -# description = "Database connection port" -# value = module.postgresql_db.port -# } +output "version" { + description = "Postgresql instance version" + value = module.postgresql_db.version +} -# output "certificate_base64" { -# description = "Database connection certificate" -# value = module.postgresql_db.certificate_base64 -# sensitive = true -# } +output "crn" { + description = "Postgresql instance crn" + value = module.postgresql_db.crn +} -# output "service_credentials_json" { -# description = "Service credentials json map" -# value = module.postgresql_db.service_credentials_json -# sensitive = true -# } +output "adminuser" { + description = "Database admin user name" + value = module.postgresql_db.adminuser +} -# output 
"service_credentials_object" { -# description = "Service credentials object" -# value = module.postgresql_db.service_credentials_object -# sensitive = true -# } +output "hostname" { + description = "Database connection hostname" + value = module.postgresql_db.hostname +} -# output "cbr_rule_ids" { -# description = "CBR rule ids created to restrict Postgresql" -# value = module.postgresql_db.cbr_rule_ids -# } +output "port" { + description = "Database connection port" + value = module.postgresql_db.port +} -output "kms_keys_debug" { - value = module.postgresql_db.kms_keys_debug +output "certificate_base64" { + description = "Database connection certificate" + value = module.postgresql_db.certificate_base64 + sensitive = true } -output "validate_backup_kms_key" { - value = module.postgresql_db.validate_backup_kms_key + +output "service_credentials_json" { + description = "Service credentials json map" + value = module.postgresql_db.service_credentials_json + sensitive = true } -output "kms_key" { - value = module.postgresql_db.kms_key +output "service_credentials_object" { + description = "Service credentials object" + value = module.postgresql_db.service_credentials_object + sensitive = true } -output "backup_encryption_key" { - value = module.postgresql_db.backup_encryption_key + +output "cbr_rule_ids" { + description = "CBR rule ids created to restrict Postgresql" + value = module.postgresql_db.cbr_rule_ids } \ No newline at end of file diff --git a/solutions/standard/outputs.tf b/solutions/standard/outputs.tf index 191c128b..691f3fe6 100644 --- a/solutions/standard/outputs.tf +++ b/solutions/standard/outputs.tf 
@@ -1,63 +1,50 @@
-# ##############################################################################
-# # Outputs
-# ##############################################################################
-
-# output "id" {
-# description = "PostgreSQL instance id"
-# value = module.postgresql_db.id
-# }
-
-# output "guid" {
-# description = "PostgreSQL instance guid"
-# value = module.postgresql_db.guid
-# }
-
-# output "version" {
-# description = "PostgreSQL instance version"
-# value = module.postgresql_db.version
-# }
-
-# output "crn" {
-# description = "PostgreSQL instance crn"
-# value = module.postgresql_db.crn
-# }
-
-# output "cbr_rule_ids" {
-# description = "CBR rule ids created to restrict PostgreSQL"
-# value = module.postgresql_db.cbr_rule_ids
-# }
-
-# output "service_credentials_json" {
-# description = "Service credentials json map"
-# value = module.postgresql_db.service_credentials_json
-# sensitive = true
-# }
-
-# output "service_credentials_object" {
-# description = "Service credentials object"
-# value = module.postgresql_db.service_credentials_object
-# sensitive = true
-# }
-
-# output "hostname" {
-# description = "PostgreSQL instance hostname"
-# value = module.postgresql_db.hostname
-# }
-
-# output "port" {
-# description = "PostgreSQL instance port"
-# value = module.postgresql_db.port
-# }
-output "kms_keys_debug" {
- value = module.postgresql_db.kms_keys_debug
-}
-output "validate_backup_kms_key" {
- value = module.postgresql_db.validate_backup_kms_key
-}
-
-output "kms_key" {
- value = module.postgresql_db.kms_key
-}
-output "backup_encryption_key" {
- value = module.postgresql_db.backup_encryption_key
+##############################################################################
+# Outputs
+##############################################################################
+
+output "id" {
+ description = "PostgreSQL instance id"
+ value = module.postgresql_db.id
+}
+
+output "guid" {
+ description = "PostgreSQL instance guid"
+ value = module.postgresql_db.guid
+}
+
+output "version" {
+ description = "PostgreSQL instance version"
+ value = module.postgresql_db.version
+}
+
+output "crn" {
+ description = "PostgreSQL instance crn"
+ value = module.postgresql_db.crn
+}
+
+output "cbr_rule_ids" {
+ description = "CBR rule ids created to restrict PostgreSQL"
+ value = module.postgresql_db.cbr_rule_ids
+}
+
+output "service_credentials_json" {
+ description = "Service credentials json map"
+ value = module.postgresql_db.service_credentials_json
+ sensitive = true
+}
+
+output "service_credentials_object" {
+ description = "Service credentials object"
+ value = module.postgresql_db.service_credentials_object
+ sensitive = true
+}
+
+output "hostname" {
+ description = "PostgreSQL instance hostname"
+ value = module.postgresql_db.hostname
+}
+
+output "port" {
+ description = "PostgreSQL instance port"
+ value = module.postgresql_db.port
 }
From 5fe8a920657085170b23ae81de697f67b228578f Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Fri, 6 Dec 2024 19:59:44 +0530
Subject: [PATCH 13/16] Resolved Pre-commit errors
---
 README.md | 4 ++++
 main.tf | 28 ++++++++++++----------------
 modules/fscloud/outputs.tf | 2 +-
 3 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/README.md b/README.md
index 577119ed..720dbf14 100644
--- a/README.md
+++ b/README.md
@@ -71,17 +71,21 @@ To attach access management tags to resources in this module, you need the follo | Name | Source | Version | |------|--------|---------| +| [backup\_kms\_crn\_parser](#module\_backup\_kms\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 | | [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.29.0 | +| [kms\_crn\_parser](#module\_kms\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 | ### Resources | Name | Type | |------|------| | [ibm_database.postgresql_db](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database) | resource | +| [ibm_iam_authorization_policy.backup_kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_resource_key.service_credentials](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) | resource | | [ibm_resource_tag.postgresql_tag](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_tag) | resource | | [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [time_sleep.wait_for_backup_kms_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [ibm_database_connection.database_connection](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/database_connection) | data source | | [ibm_database_point_in_time_recovery.source_db_earliest_pitr_time](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/database_point_in_time_recovery) | data source | 
diff --git a/main.tf b/main.tf
index eb09dd33..9642dcf7 100644
--- a/main.tf
+++ b/main.tf
@@ -26,26 +26,23 @@ locals {
 host_flavor_set = var.member_host_flavor != null ? true : false
 
 # Determine if restore, from backup or point in time recovery
- recovery_mode = var.backup_crn != null || var.pitr_id != null
+ recovery_mode = var.backup_crn != null || var.pitr_id != null
 
 #validation for creating KMS and backup KMS policy
 create_backup_auth_policy = local.backup_encryption_key_crn != null && var.backup_encryption_key_crn != null ? 1 : 0
- create_kms_auth_policy = var.kms_encryption_enabled == true && !var.skip_iam_authorization_policy ? 1 : 0
-
-
-
+ create_kms_auth_policy = var.kms_encryption_enabled == true && !var.skip_iam_authorization_policy ? 1 : 0
+
 #KMS Encryption key details
- kms_service = var.kms_key_crn != null ? module.kms_crn_parser[0].service_name : null
+ kms_service = var.kms_key_crn != null ? module.kms_crn_parser[0].service_name : null
 kms_account_id = var.kms_key_crn != null ? module.kms_crn_parser[0].account_id : null
 kms_key_id = var.kms_key_crn != null ? module.kms_crn_parser[0].resource : null
 instance = var.kms_key_crn != null ? module.kms_crn_parser[0].service_instance : null
 
 #Backup encryption key details
- backup_kms_service = local.backup_encryption_key_crn != null && length(module.backup_kms_crn_parser) > 0 ? module.backup_kms_crn_parser[0].service_name : null
+ backup_kms_service = local.backup_encryption_key_crn != null && length(module.backup_kms_crn_parser) > 0 ? module.backup_kms_crn_parser[0].service_name : null
 backup_kms_account_id = local.backup_encryption_key_crn != null && length(module.backup_kms_crn_parser) > 0 ? module.backup_kms_crn_parser[0].account_id : null
- backup_kms_key_id = local.backup_encryption_key_crn != null && length(module.backup_kms_crn_parser) > 0 ? module.backup_kms_crn_parser[0].resource : null
- backup_instance = local.backup_encryption_key_crn != null && length(module.backup_kms_crn_parser) > 0 ? module.backup_kms_crn_parser[0].service_instance : null
-
+ backup_kms_key_id = local.backup_encryption_key_crn != null && length(module.backup_kms_crn_parser) > 0 ? module.backup_kms_crn_parser[0].resource : null
+ backup_instance = local.backup_encryption_key_crn != null && length(module.backup_kms_crn_parser) > 0 ? module.backup_kms_crn_parser[0].service_instance : null
 }
 
 # Module to parse the KMS CRN and extract kms key details.
@@ -56,14 +53,14 @@ module "kms_crn_parser" {
 version = "1.1.0"
 crn = var.kms_key_crn
 }
+
 # Create IAM Authorization Policies to allow PostgreSQL to access KMS for the encryption key
 resource "ibm_iam_authorization_policy" "kms_policy" {
 count = local.create_kms_auth_policy
 source_service_name = "databases-for-postgresql"
 source_resource_group_id = var.resource_group_id
 roles = ["Reader"]
- description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service} instance GUID ${local.instance}"
-
+ description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service} instance GUID ${local.instance}."
 resource_attributes {
 name = "serviceName"
 operator = "stringEquals"
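Review bot: `create_backup_auth_policy` on the new side of this hunk is derived from the two backup-key CRNs only, so `var.skip_iam_authorization_policy` — which `create_kms_auth_policy` on the very next line honours — does not suppress `ibm_iam_authorization_policy.backup_kms_policy`; an operator who set the flag because they manage authorizations out of band (or are not permitted to create them) still gets a Reader grant written to the account. The `@@ -29,7 +29,7 @@` hunk in PATCH 14 rewrites the condition to `var.use_default_backup_encryption_key != true && var.backup_encryption_key_crn != null` and keeps the same gap. Unless a separate skip variable for the backup policy exists outside these hunks, I would gate it the same way: `create_backup_auth_policy = local.backup_encryption_key_crn != null && var.backup_encryption_key_crn != null && !var.skip_iam_authorization_policy ? 1 : 0`. The `locals` block starts before the hunk.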
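Review bot: The new `description` of `kms_policy` still reads as a grant on the whole KMS instance (`… to read from the ${local.kms_service} instance GUID ${local.instance}.`), while `local.kms_key_id` is parsed in the locals above and the series subject says the policy is scoped to the exact key; the `resource_attributes` blocks that would carry that scope run past the end of the hunk, so I cannot confirm a `resource` attribute is set. If it is, the description should state the real scope so the grant is readable from the IAM console without opening the Terraform: `description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read key ${local.kms_key_id} in ${local.kms_service} instance ${local.instance}."`. The same wording issue applies to `backup_kms_policy` in the `@@ -118,8 +115,7 @@` hunk. The `kms_policy` resource continues outside the hunk.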
@@ -98,14 +95,14 @@ resource "ibm_iam_authorization_policy" "kms_policy" { # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478 resource "time_sleep" "wait_for_authorization_policy" { - count = local.create_kms_auth_policy + count = local.create_kms_auth_policy depends_on = [ibm_iam_authorization_policy.kms_policy] create_duration = "30s" } # Module to parse the backup encryption key crn and extract key details. -# The module is only created if the 'create_backup_auth_policy' local variable is true +# The module is only created if the 'create_backup_auth_policy' local variable is true module "backup_kms_crn_parser" { count = local.create_backup_auth_policy source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser" @@ -118,8 +115,7 @@ resource "ibm_iam_authorization_policy" "backup_kms_policy" { source_service_name = "databases-for-postgresql" source_resource_group_id = var.resource_group_id roles = ["Reader"] - description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the ${local.backup_kms_service} instance GUID ${local.backup_instance}" - + description = "Allow all ICD Postgres instances in the resource group ${var.resource_group_id} to read from the ${local.backup_kms_service} instance GUID ${local.backup_instance}." resource_attributes { name = "serviceName" operator = "stringEquals" diff --git a/modules/fscloud/outputs.tf b/modules/fscloud/outputs.tf index ffeca0c6..9b36082e 100644 --- a/modules/fscloud/outputs.tf +++ b/modules/fscloud/outputs.tf @@ -58,4 +58,4 @@ output "service_credentials_object" { output "cbr_rule_ids" { description = "CBR rule ids created to restrict Postgresql" value = module.postgresql_db.cbr_rule_ids -} \ No newline at end of file +} From ca26e4d6991c134625deba1761f95880188ccc4e Mon Sep 17 00:00:00 2001 
From: Arya Girish K
Date: Mon, 9 Dec 2024 17:23:25 +0530
Subject: [PATCH 14/16] Updated validation code in main.tf
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 9642dcf7..0741d013 100644
--- a/main.tf
+++ b/main.tf
@@ -29,7 +29,7 @@ locals {
 recovery_mode = var.backup_crn != null || var.pitr_id != null
 
 #validation for creating KMS and backup KMS policy
- create_backup_auth_policy = local.backup_encryption_key_crn != null && var.backup_encryption_key_crn != null ? 1 : 0
+ create_backup_auth_policy = var.use_default_backup_encryption_key != true && var.backup_encryption_key_crn != null ? 1 : 0
 create_kms_auth_policy = var.kms_encryption_enabled == true && !var.skip_iam_authorization_policy ? 1 : 0
 
 #KMS Encryption key details
From 6cf4cb037b609ed157c103744848dba461387c26 Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Mon, 9 Dec 2024 18:16:19 +0530
Subject: [PATCH 15/16] Resolved precommit error
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 0741d013..f84f390a 100644
--- a/main.tf
+++ b/main.tf
@@ -29,7 +29,7 @@ locals {
 recovery_mode = var.backup_crn != null || var.pitr_id != null
 
 #validation for creating KMS and backup KMS policy
- create_backup_auth_policy = var.use_default_backup_encryption_key != true && var.backup_encryption_key_crn != null ? 1 : 0
+ create_backup_auth_policy = var.use_default_backup_encryption_key != true && var.backup_encryption_key_crn != null ? 1 : 0
 create_kms_auth_policy = var.kms_encryption_enabled == true && !var.skip_iam_authorization_policy ? 1 : 0
 
 #KMS Encryption key details
From c9702b2774994fe563a16e823cadb20bbba28044 Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Mon, 9 Dec 2024 20:46:46 +0530
Subject: [PATCH 16/16] SKIP UPGRADE TEST