fix: update policy resource according to recent provider changes

Author: kavya498

.gitignore

@@ -6,6 +6,7 @@
 *.terraform.lock.hcl
 # Crash log files
 crash.log
+.DS_Store
 # Exclude all .tfvars files, which are likely to contain sentitive data, such as
 # password, private keys, and other secrets. These should not be part of version
 # control as they are data points which are potentially sensitive and subject

.pre-commit-config.yaml

@@ -5,12 +5,12 @@ default_stages: [commit]
 # Terraform Fmt      : Used to rewrite Terraform configuration files to a canonical format and style.
 # Terraform Validate : Validates the configuration files in a directory, referring only to the configuration and not accessing any remote services such as remote state, provider APIs, etc
 repos:
-- repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.45.0
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.64.0
   hooks:
     - id: terraform_fmt
-- repo: git://github.com/pre-commit/pre-commit-hooks
-  rev: v3.4.0
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.1.0
   hooks:
       - id: check-merge-conflict
       - id: trailing-whitespace

examples/kp-key/outputs.tf

@@ -5,6 +5,9 @@
 output "kms_key_id" {
   value = module.kms_key.kms_key_id
 }
+output "kms_key_status" {
+  value = module.kms_key.kms_key_status
+}
 output "kms_instance_id" {
   value = module.kms_key.kms_instance_guid
 }

modules/key-protect/README.md

@@ -42,12 +42,6 @@ module "kms_key" {
 | encrypted_nonce          | Encrypted Nonce. Only for imported root key.                   |`string`| n/a     | no      |
 | iv_value                 | IV Value. Only for imported root key.                          |`string`| n/a     | no      |
 | expiration_date          | Expination Date.                                               |`string`| n/a     | no      |
-| policies                 | Set policies for a key.                                        |`list(map)`| n/a  | no      |
-
-## policies Inputs
-
-| Name                     | Description                                                    | Type   |Default  |Required |
-|--------------------------|-------------------------------------------------------|:-------|:--------|:--------|
 | rotation                 | Specifies the key rotation time interval in months    |`map(string)`| n/a| Atleast one of rotation/dual_auth_delete|
 | dual_auth_delete         | Data associated with the dual authorization delete policy.|`map(string)`| n/a | Atleast one of rotation/dual_auth_delete|
 
@@ -78,6 +72,11 @@ Note:
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
+~> NOTE:
+```
+The ability to use the ibm_kms_key resource to create or update key policies in Terraform has been removed in favor of a dedicated ibm_kms_key_policies resource.
+```
+
 ## NOTE: If we want to make use of a particular version of module, then set the argument "version" to respective module version
 
 ## Usage

modules/key-protect/main.tf

@@ -30,23 +30,24 @@ resource "ibm_kms_key" "key" {
   encrypted_nonce = (var.encrypted_nonce != null ? var.encrypted_nonce : null)
   iv_value        = (var.iv_value != null ? var.iv_value : null)
   expiration_date = (var.expiration_date != null ? var.expiration_date : null)
-  dynamic "policies" {
-    for_each = length(keys(var.policies)) == 0 ? [] : [var.policies]
+}
 
-    content {
-      dynamic "rotation" {
-        for_each = length(keys(lookup(policies.value, "rotation", {}))) == 0 ? [] : [lookup(policies.value, "rotation", {})]
+resource "ibm_kms_key_policies" "key_policy" {
+  count       = length(keys(var.rotation)) != 0 ? 1 : length(keys(var.dual_auth_delete)) != 0 ? 1 : 0
+  instance_id = var.is_kp_instance_exist != true ? ibm_resource_instance.kms_instance[0].guid : data.ibm_resource_instance.kms_instance[0].guid
+  key_id      = ibm_kms_key.key.key_id
+  dynamic "rotation" {
+    for_each = length(keys(var.rotation)) == 0 ? [] : [var.rotation]
 
-        content {
-          interval_month = lookup(rotation.value, "interval_month", null)
-        }
-      }
-      dynamic "dual_auth_delete" {
-        for_each = length(keys(lookup(policies.value, "dual_auth_delete", {}))) == 0 ? [] : [lookup(policies.value, "dual_auth_delete", {})]
-        content {
-          enabled = lookup(dual_auth_delete.value, "enabled", null)
-        }
-      }
+    content {
+      interval_month = lookup(rotation.value, "interval_month", null)
     }
   }
+  dynamic "dual_auth_delete" {
+    for_each = length(keys(var.dual_auth_delete)) == 0 ? [] : [var.dual_auth_delete]
+    content {
+      enabled = lookup(dual_auth_delete.value, "enabled", null)
+    }
+  }
+
 }

modules/key-protect/outputs.tf

@@ -13,4 +13,7 @@ output "kms_instance_guid" {
 }
 output "kms_instance_crn" {
   value = var.is_kp_instance_exist != true ? ibm_resource_instance.kms_instance[0].id : data.ibm_resource_instance.kms_instance[0].id
+}
+output "kms_key_status" {
+  value = ibm_kms_key.key.resource_status
 }

modules/key-protect/variables.tf

@@ -81,8 +81,21 @@ variable "expiration_date" {
   type        = string
   default     = null
 }
-variable "policies" {
-  description = " Set policies for a key, such as an automatic rotation policy or a dual authorization policy."
+variable "rotation" {
+  description = "Specifies the key rotation time interval in months. Atleast one of rotation/dual_auth_delete is required for policy creation."
   type        = any
   default     = {}
+  # default = {     // Example value
+  #      interval_month = 3
+  #   }
+
 }
+variable "dual_auth_delete" {
+  description = "Data associated with the dual authorization delete policy.Atleast one of rotation/dual_auth_delete is required for policy creation."
+  type        = any
+  default     = {}
+  # default {       // Example value
+  #      enabled = false
+  #   }
+}
+