feat: added support to pass an external account ID for cluster and worker boot volumes if KMS encryption key comes from another account (#664)

Ak-sky · web-flow · commit 05642b0f5911 · 2024-01-09T09:13:44.000Z
diff --git a/README.md b/README.md
@@ -890,6 +890,7 @@ module "cluster_pattern" {
 | [time_sleep.wait_30_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [ibm_container_cluster_versions.cluster_versions](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/container_cluster_versions) | data source |
+| [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source |
 | [ibm_is_image.image](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_image) | data source |
 | [ibm_resource_group.resource_groups](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/resource_group) | data source |
 | [ibm_resource_instance.appid](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/resource_instance) | data source |
diff --git a/cluster.tf b/cluster.tf
@@ -6,6 +6,14 @@ data "ibm_container_cluster_versions" "cluster_versions" {}
 
 ##############################################################################
 
+##############################################################################
+# Get account id
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {}
+
+##############################################################################
+
 
 ##############################################################################
 # Cluster Locals
@@ -53,8 +61,9 @@ resource "ibm_container_vpc_cluster" "cluster" {
   cos_instance_crn   = each.value.cos_instance_crn
   pod_subnet         = each.value.pod_subnet
   service_subnet     = each.value.service_subnet
-  crk                = each.value.boot_volume_crk_name == null ? null : module.key_management.key_map[each.value.boot_volume_crk_name].key_id
-  kms_instance_id    = each.value.boot_volume_crk_name == null ? null : module.key_management.key_management_guid
+  crk                = each.value.boot_volume_crk_name == null ? null : regex("key:(.*)", module.key_management.key_map[each.value.boot_volume_crk_name].crn)[0]
+  kms_instance_id    = each.value.boot_volume_crk_name == null ? null : regex(".*:(.*):key:.*", module.key_management.key_map[each.value.boot_volume_crk_name].crn)[0]
+  kms_account_id     = each.value.boot_volume_crk_name == null ? null : regex("a/([a-f0-9]{32})", module.key_management.key_map[each.value.boot_volume_crk_name].crn)[0] == data.ibm_iam_account_settings.iam_account_settings.account_id ? null : regex("a/([a-f0-9]{32})", module.key_management.key_map[each.value.boot_volume_crk_name].crn)[0]
   lifecycle {
     ignore_changes = [kube_version]
   }
@@ -70,9 +79,10 @@ resource "ibm_container_vpc_cluster" "cluster" {
   dynamic "kms_config" {
     for_each = each.value.kms_config == null ? [] : [each.value.kms_config]
     content {
-      crk_id           = module.key_management.key_map[kms_config.value.crk_name].key_id
-      instance_id      = module.key_management.key_management_guid
+      crk_id           = regex("key:(.*)", module.key_management.key_map[kms_config.value.crk_name].crn)[0]
+      instance_id      = regex(".*:(.*):key:.*", module.key_management.key_map[kms_config.value.crk_name].crn)[0]
       private_endpoint = kms_config.value.private_endpoint
+      account_id       = regex("a/([a-f0-9]{32})", module.key_management.key_map[kms_config.value.crk_name].crn)[0] == data.ibm_iam_account_settings.iam_account_settings.account_id ? null : regex("a/([a-f0-9]{32})", module.key_management.key_map[kms_config.value.crk_name].crn)[0]
     }
   }
 
@@ -108,8 +118,9 @@ resource "ibm_container_vpc_worker_pool" "pool" {
   worker_pool_name  = each.value.name
   flavor            = each.value.flavor
   worker_count      = each.value.workers_per_subnet
-  crk               = each.value.boot_volume_crk_name == null ? null : module.key_management.key_map[each.value.boot_volume_crk_name].key_id
-  kms_instance_id   = each.value.boot_volume_crk_name == null ? null : module.key_management.key_management_guid
+  crk               = each.value.boot_volume_crk_name == null ? null : regex("key:(.*)", module.key_management.key_map[each.value.boot_volume_crk_name].crn)[0]
+  kms_instance_id   = each.value.boot_volume_crk_name == null ? null : regex(".*:(.*):key:.*", module.key_management.key_map[each.value.boot_volume_crk_name].crn)[0]
+  kms_account_id    = each.value.boot_volume_crk_name == null ? null : regex("a/([a-f0-9]{32})", module.key_management.key_map[each.value.boot_volume_crk_name].crn)[0] == data.ibm_iam_account_settings.iam_account_settings.account_id ? null : regex("a/([a-f0-9]{32})", module.key_management.key_map[each.value.boot_volume_crk_name].crn)[0]
 
   dynamic "zones" {
     for_each = each.value.subnets
