fix: added workaround to create the kube to kms auth policy since IKS is not creating it automatically (#685)

Ak-sky · web-flow · commit 03cb99c3aba4 · 2024-01-30T09:25:00.000Z
diff --git a/dynamic_values/config_modules/service_authorizations/service_authorizations.tf b/dynamic_values/config_modules/service_authorizations/service_authorizations.tf
@@ -30,6 +30,10 @@ variable "atracker_cos_bucket" {
   description = "Add atracker to cos s2s"
 }
 
+variable "clusters" {
+  description = "Add cluster to kms auth policies"
+}
+
 ##############################################################################
 
 ##############################################################################
@@ -55,6 +59,22 @@ module "kms_to_block_storage" {
   ]
 }
 
+# workaround for https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone/issues/645
+module "kube_to_kms" {
+  source = "../list_to_map"
+  list = [
+    for instance in(length(var.clusters) > 0 ? ["containers-kubernetes"] : []) :
+    {
+      name                        = instance
+      source_service_name         = "containers-kubernetes"
+      description                 = "Allow cluster to be encrypted by KMS instance"
+      roles                       = ["Reader"]
+      target_service_name         = local.target_key_management_service
+      target_resource_instance_id = var.key_management_guid
+    } if local.target_key_management_service != null
+  ]
+}
+
 ##############################################################################
 
 ##############################################################################
@@ -134,7 +154,8 @@ output "authorizations" {
     module.kms_to_block_storage.value,
     module.cos_to_key_management.value,
     module.flow_logs_to_cos.value,
-    module.atracker_to_cos.value
+    module.atracker_to_cos.value,
+    module.kube_to_kms.value
   )
 }
 
diff --git a/dynamic_values/service_authorizations.tf b/dynamic_values/service_authorizations.tf
@@ -11,6 +11,7 @@ module "service_authorizations" {
   skip_kms_block_storage_s2s_auth_policy = var.skip_kms_block_storage_s2s_auth_policy
   skip_all_s2s_auth_policies             = var.skip_all_s2s_auth_policies
   atracker_cos_bucket                    = var.atracker_cos_bucket
+  clusters                               = var.clusters
 }
 
 ##############################################################################

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ module "service_authorizations" {`
`11`	`11`	`skip_kms_block_storage_s2s_auth_policy = var.skip_kms_block_storage_s2s_auth_policy`
`12`	`12`	`skip_all_s2s_auth_policies = var.skip_all_s2s_auth_policies`
`13`	`13`	`atracker_cos_bucket = var.atracker_cos_bucket`
	`14`	`+ clusters = var.clusters`
`14`	`15`	`}`
`15`	`16`
`16`	`17`	`##############################################################################`