From 64369c71625999ffda3195a0efbd1c76adc4a5c9 Mon Sep 17 00:00:00 2001
From: shemau
Date: Wed, 5 Nov 2025 16:49:04 +0000
Subject: [PATCH 1/2] fix: authorization delegator role required on backup kms key

---
 main.tf | 4 ++--
 solutions/fully-configurable/main.tf | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/main.tf b/main.tf
index 26c336f..e8a94ce 100644
--- a/main.tf
+++ b/main.tf
@@ -65,7 +65,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
 count = local.create_kms_auth_policy
 source_service_name = "messages-for-rabbitmq"
 source_resource_group_id = var.resource_group_id
- roles = ["Reader"]
+ roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all RabbitMQ instances in the resource group ${var.resource_group_id} to read the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_key_instance_guid}"
 resource_attributes {
 name = "serviceName"
@@ -110,7 +110,7 @@ resource "ibm_iam_authorization_policy" "backup_kms_policy" {
 count = local.create_backup_kms_auth_policy
 source_service_name = "messages-for-rabbitmq"
 source_resource_group_id = var.resource_group_id
- roles = ["Reader"]
+ roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all RabbitMQ instances in the Resource Group ${var.resource_group_id} to read the ${local.backup_kms_service} key ${local.backup_kms_key_id} from the instance GUID ${local.backup_kms_key_instance_guid}"
 resource_attributes {
 name = "serviceName"
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 16494ba..7ced642 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
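Review bot: The new `Authorization Delegator` role is granted on `kms_policy`, the policy for the primary encryption key, while the inline comment and the commit title justify it only for the backup encryption key; the same comment is repeated on `backup_kms_policy` in this file and on both hunks of solutions/fully-configurable/main.tf. In IBM IAM the Authorization Delegator role lets the source service create further authorizations to the target service on the account's behalf, so the policy now grants more than read access and the reason it is needed on the primary key (presumably that backups use the primary key when no separate backup key is configured, which cannot be confirmed from the hunk) should be recorded where the role is granted, e.g. `# Authorization Delegator lets the service authorize backups to use this key; required in addition to Reader for backup encryption`. If the primary key only serves backups when no dedicated backup key is set, granting the extra role conditionally on that case rather than unconditionally would keep `kms_policy` at least privilege. The `description` string on the following line still says the instances are allowed "to read" the key and now understates the grant; mentioning the delegation there keeps the policy self-describing in the IAM console. Both resource blocks continue outside the hunks.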
@@ -120,7 +120,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
 source_service_account = local.account_id
 source_service_name = "messages-for-rabbitmq"
 source_resource_group_id = module.resource_group.resource_group_id
- roles = ["Reader"]
+ roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all RabbitMQ instances in the resource group ${module.resource_group.resource_group_id} in the account ${local.account_id} to read the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_instance_guid}"
 resource_attributes {
 name = "serviceName"
@@ -168,7 +168,7 @@ resource "ibm_iam_authorization_policy" "backup_kms_policy" {
 source_service_account = local.account_id
 source_service_name = "messages-for-rabbitmq"
 source_resource_group_id = module.resource_group.resource_group_id
- roles = ["Reader"]
+ roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all RabbitMQ instances in the resource group ${module.resource_group.resource_group_id} in the account ${local.account_id} to read the ${local.backup_kms_service} key ${local.backup_kms_key_id} from the instance GUID ${local.backup_kms_instance_guid}"
 resource_attributes {
 name = "serviceName"
From b5c815231ba43cbef5a99016c37fb5134378871f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Conall=20=C3=93=20Cofaigh?=
Date: Thu, 6 Nov 2025 09:26:28 +0000
Subject: [PATCH 2/2] SKIP UPGRADE TEST

---
 .secrets.baseline | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.secrets.baseline b/.secrets.baseline
index 319bbf6..2019df4 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "go.sum|^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2025-10-04T04:39:36Z",
+ "generated_at": "2025-10-05T04:39:36Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"