cross-account kms key support

Shikha Maheshwari · Shikha Maheshwari · commit 7577fea3ca70 · 2025-03-25T13:35:38.000+05:30
diff --git a/ibm_catalog.json b/ibm_catalog.json
@@ -351,6 +351,9 @@
             {
               "key": "kms_key_name"
             },
+            {
+              "key": "ibmcloud_kms_api_key"
+            },
             {
               "key": "management_endpoint_type_for_bucket",
               "options": [
diff --git a/solutions/fully-configurable/DA-types.md b/solutions/fully-configurable/DA-types.md
@@ -310,6 +310,6 @@ This variable defines a map of existing reserved IP names and values to attach w
 
 ```hcl
  {
-  name = "10.10.10.4"
+  name = "vpe-reserved-ip"
  }
 ```
diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md
@@ -37,6 +37,7 @@ This solution supports provisioning and configuring the following infrastructure
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | 1.76.1 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | 0.13.0 |
 
 ### Modules
 
@@ -55,7 +56,8 @@ This solution supports provisioning and configuring the following infrastructure
 
 | Name | Type |
 |------|------|
-| [ibm_iam_authorization_policy.cos_kms_iam_auth_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.76.1/docs/resources/iam_authorization_policy) | resource |
+| [ibm_iam_authorization_policy.cos_kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.76.1/docs/resources/iam_authorization_policy) | resource |
+| [time_sleep.wait_for_cross_account_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/0.13.0/docs/resources/sleep) | resource |
 
 ### Inputs
 
@@ -84,6 +86,7 @@ This solution supports provisioning and configuring the following infrastructure
 | <a name="input_flow_logs_cos_bucket_minimum_retention_days"></a> [flow\_logs\_cos\_bucket\_minimum\_retention\_days](#input\_flow\_logs\_cos\_bucket\_minimum\_retention\_days) | The minimum number of days that an object must be kept unmodified in the flow logs cloud object storage. | `number` | `90` | no |
 | <a name="input_flow_logs_cos_bucket_name"></a> [flow\_logs\_cos\_bucket\_name](#input\_flow\_logs\_cos\_bucket\_name) | Name of the Cloud Object Storage bucket to be created to collect VPC flow logs. | `string` | `"flow-logs-bucket"` | no |
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes |
+| <a name="input_ibmcloud_kms_api_key"></a> [ibmcloud\_kms\_api\_key](#input\_ibmcloud\_kms\_api\_key) | The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance. If not specified, the 'ibmcloud\_api\_key' variable is used. Specify this key if the instance in `existing_kms_instance_crn` is in an account that's different from the Cloud Object Storage instance. Leave this input empty if the same account owns both instances. | `string` | `null` | no |
 | <a name="input_kms_encryption_enabled_bucket"></a> [kms\_encryption\_enabled\_bucket](#input\_kms\_encryption\_enabled\_bucket) | Set to true to encrypt the Cloud Object Storage Flow Logs bucket with a KMS key. If set to true, a value must be passed for existing\_flow\_logs\_bucket\_kms\_key\_crn (to use that key) or existing\_kms\_instance\_crn (to create a new key). Value cannot be set to true if enable\_vpc\_flow\_logs is set to false. | `bool` | `false` | no |
 | <a name="input_kms_endpoint_type"></a> [kms\_endpoint\_type](#input\_kms\_endpoint\_type) | The type of endpoint to use for communicating with the KMS. Possible values: `public`, `private`. Applies only if `existing_flow_logs_bucket_kms_key_crn` is not specified. | `string` | `"private"` | no |
 | <a name="input_kms_key_name"></a> [kms\_key\_name](#input\_kms\_key\_name) | The name of the key to encrypt the flow logs Cloud Object Storage bucket. If an existing key is used, this variable is not required. If the prefix input variable is passed, the name of the key is prefixed to the value in the `<prefix>-value` format. | `string` | `"flow-logs-cos-key"` | no |
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
@@ -25,13 +25,15 @@ module "existing_cos_crn_parser" {
 }
 
 locals {
-  cos_instance_guid              = var.existing_cos_instance_crn != null ? module.existing_cos_crn_parser[0].service_instance : null
-  bucket_name                    = "${local.prefix}${var.flow_logs_cos_bucket_name}"
-  kms_guid                       = var.kms_encryption_enabled_bucket ? (length(module.existing_kms_key_crn_parser) > 0 ? module.existing_kms_key_crn_parser[0].service_instance : module.existing_kms_instance_crn_parser[0].service_instance) : null
-  kms_account_id                 = var.kms_encryption_enabled_bucket ? (length(module.existing_kms_key_crn_parser) > 0 ? module.existing_kms_key_crn_parser[0].account_id : module.existing_kms_instance_crn_parser[0].account_id) : null
-  kms_service                    = var.kms_encryption_enabled_bucket ? (length(module.existing_kms_key_crn_parser) > 0 ? module.existing_kms_key_crn_parser[0].service_name : module.existing_kms_instance_crn_parser[0].service_name) : null
-  cos_kms_key_crn                = var.kms_encryption_enabled_bucket ? (length(module.existing_kms_key_crn_parser) > 0 ? var.existing_flow_logs_bucket_kms_key_crn : module.kms[0].keys[format("%s.%s", local.kms_key_ring_name, local.kms_key_name)].crn) : null
-  create_cos_kms_iam_auth_policy = var.enable_vpc_flow_logs && var.kms_encryption_enabled_bucket && !var.skip_cos_kms_iam_auth_policy
+  cos_instance_guid                        = var.existing_cos_instance_crn != null ? module.existing_cos_crn_parser[0].service_instance : null
+  cos_account_id                           = var.existing_cos_instance_crn != null ? module.existing_cos_crn_parser[0].account_id : null
+  bucket_name                              = "${local.prefix}${var.flow_logs_cos_bucket_name}"
+  kms_guid                                 = var.kms_encryption_enabled_bucket ? (length(module.existing_kms_key_crn_parser) > 0 ? module.existing_kms_key_crn_parser[0].service_instance : module.existing_kms_instance_crn_parser[0].service_instance) : null
+  kms_account_id                           = var.kms_encryption_enabled_bucket ? (length(module.existing_kms_key_crn_parser) > 0 ? module.existing_kms_key_crn_parser[0].account_id : module.existing_kms_instance_crn_parser[0].account_id) : null
+  kms_service_name                         = var.kms_encryption_enabled_bucket ? (length(module.existing_kms_key_crn_parser) > 0 ? module.existing_kms_key_crn_parser[0].service_name : module.existing_kms_instance_crn_parser[0].service_name) : null
+  cos_kms_key_crn                          = var.kms_encryption_enabled_bucket ? (length(module.existing_kms_key_crn_parser) > 0 ? var.existing_flow_logs_bucket_kms_key_crn : module.kms[0].keys[format("%s.%s", local.kms_key_ring_name, local.kms_key_name)].crn) : null
+  create_cos_kms_iam_auth_policy           = var.enable_vpc_flow_logs && var.kms_encryption_enabled_bucket && !var.skip_cos_kms_iam_auth_policy
+  create_cross_account_cos_kms_auth_policy = (local.create_cos_kms_iam_auth_policy && var.ibmcloud_kms_api_key == null) ? false : (local.cos_account_id != local.kms_account_id)
 
   # configuration for the flow logs bucket
   bucket_config = [{
@@ -41,7 +43,7 @@ locals {
     kms_encryption_enabled        = var.kms_encryption_enabled_bucket
     kms_guid                      = local.kms_guid
     kms_key_crn                   = local.cos_kms_key_crn
-    skip_iam_authorization_policy = var.skip_cos_kms_iam_auth_policy
+    skip_iam_authorization_policy = local.create_cross_account_cos_kms_auth_policy || var.skip_cos_kms_iam_auth_policy
     management_endpoint_type      = var.management_endpoint_type_for_bucket
     storage_class                 = var.cos_bucket_class
     resource_instance_id          = var.existing_cos_instance_crn
@@ -69,22 +71,25 @@ locals {
 # Create COS bucket using the defined bucket configuration
 module "cos_buckets" {
   count          = var.enable_vpc_flow_logs ? 1 : 0
+  depends_on     = [time_sleep.wait_for_cross_account_authorization_policy[0]]
   source         = "terraform-ibm-modules/cos/ibm//modules/buckets"
   version        = "8.19.2"
   bucket_configs = local.bucket_config
 }
 
-# Create IAM Authorization Policy to allow COS to access KMS for the encryption key
-resource "ibm_iam_authorization_policy" "cos_kms_iam_auth_policy" {
-  count                       = local.create_cos_kms_iam_auth_policy ? 1 : 0
+# Create IAM Authorization Policy to allow COS to access KMS for the encryption key, if cross account KMS is passed in
+resource "ibm_iam_authorization_policy" "cos_kms_policy" {
+  count                       = local.create_cross_account_cos_kms_auth_policy ? 1 : 0
+  provider                    = ibm.kms
+  source_service_account      = local.cos_account_id
   source_service_name         = "cloud-object-storage"
   source_resource_instance_id = local.cos_instance_guid
   roles                       = ["Reader"]
-  description                 = "Allow the COS instance ${local.cos_instance_guid} to read the ${local.kms_service} key ${local.cos_kms_key_crn} from the instance ${local.kms_guid}"
+  description                 = "Allow the COS instance ${local.cos_instance_guid} to read the ${local.kms_service_name} key ${local.cos_kms_key_crn} from the instance ${local.kms_guid}"
   resource_attributes {
     name     = "serviceName"
     operator = "stringEquals"
-    value    = local.kms_service
+    value    = local.kms_service_name
   }
   resource_attributes {
     name     = "accountId"
@@ -113,6 +118,14 @@ resource "ibm_iam_authorization_policy" "cos_kms_iam_auth_policy" {
   }
 }
 
+# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
+resource "time_sleep" "wait_for_cross_account_authorization_policy" {
+  depends_on = [ibm_iam_authorization_policy.cos_kms_policy]
+  count      = local.create_cross_account_cos_kms_auth_policy ? 1 : 0
+
+  create_duration = "30s"
+}
+
 #######################################################################################################################
 # KMS Key
 #######################################################################################################################
@@ -143,7 +156,11 @@ locals {
   create_kms_key = (var.enable_vpc_flow_logs && var.kms_encryption_enabled_bucket) ? (var.existing_flow_logs_bucket_kms_key_crn == null ? (var.existing_kms_instance_crn != null ? true : false) : false) : false
 }
 
+# KMS root key for flow logs COS bucket
 module "kms" {
+  providers = {
+    ibm = ibm.kms
+  }
   count                       = local.create_kms_key ? 1 : 0 # no need to create any KMS resources if not passing an existing KMS CRN or existing KMS key CRN is provided
   source                      = "terraform-ibm-modules/kms-all-inclusive/ibm"
   version                     = "4.19.5"
diff --git a/solutions/fully-configurable/provider.tf b/solutions/fully-configurable/provider.tf
@@ -7,3 +7,10 @@ provider "ibm" {
   region           = var.region
   visibility       = var.provider_visibility
 }
+
+provider "ibm" {
+  alias            = "kms"
+  ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key
+  region           = local.kms_region
+  visibility       = var.provider_visibility
+}
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
@@ -592,6 +592,13 @@ variable "kms_key_name" {
   description = "The name of the key to encrypt the flow logs Cloud Object Storage bucket. If an existing key is used, this variable is not required. If the prefix input variable is passed, the name of the key is prefixed to the value in the `<prefix>-value` format."
 }
 
+variable "ibmcloud_kms_api_key" {
+  type        = string
+  description = "The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance. If not specified, the 'ibmcloud_api_key' variable is used. Specify this key if the instance in `existing_kms_instance_crn` is in an account that's different from the Cloud Object Storage instance. Leave this input empty if the same account owns both instances."
+  sensitive   = true
+  default     = null
+}
+
 ##############################################################################
 # Optional VPC Variables
 ##############################################################################
diff --git a/solutions/fully-configurable/version.tf b/solutions/fully-configurable/version.tf
@@ -6,5 +6,9 @@ terraform {
       source  = "IBM-Cloud/ibm"
       version = "1.76.1"
     }
+    time = {
+      source  = "hashicorp/time"
+      version = "0.13.0"
+    }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -351,6 +351,9 @@`
`351`	`351`	`{`
`352`	`352`	`"key": "kms_key_name"`
`353`	`353`	`},`
	`354`	`+ {`
	`355`	`+ "key": "ibmcloud_kms_api_key"`
	`356`	`+ },`
`354`	`357`	`{`
`355`	`358`	`"key": "management_endpoint_type_for_bucket",`
`356`	`359`	`"options": [`
Original file line number	Diff line number	Diff line change
`@@ -310,6 +310,6 @@ This variable defines a map of existing reserved IP names and values to attach w`
`310`	`310`
`311`	`311`	```hcl
`312`	`312`	`{`
`313`		`- name = "10.10.10.4"`
	`313`	`+ name = "vpe-reserved-ip"`
`314`	`314`	`}`
`315`	`315`	```
Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,9 @@ terraform {`
`6`	`6`	`source = "IBM-Cloud/ibm"`
`7`	`7`	`version = "1.76.1"`
`8`	`8`	`}`
	`9`	`+ time = {`
	`10`	`+ source = "hashicorp/time"`
	`11`	`+ version = "0.13.0"`
	`12`	`+ }`
`9`	`13`	`}`
`10`	`14`	`}`