feat: the following optional input variables have been added to the OCP DA solution, allowing the use of existing resources for KMS and COS:<br>- existing_kms_instance_name<br>- existing_kms_resource_group<br>- existing_kms_endpoint_type<br>- existing_cos_instance_name<br>- existing_cos_resource_group<br>- existing_cos_endpoint_type<br>- use_existing_cos_for_vpc_flowlogs<br>- use_existing_cos_for_atracker (#855)

Author: toddgiguere

README.md

@@ -86,7 +86,7 @@ resource "ibm_cos_bucket" "buckets" {
   bucket_name           = "${var.prefix}-${each.value.name}${each.value.random_suffix == "true" ? "-${random_string.random_cos_suffix.result}" : ""}"
   resource_instance_id  = local.cos_instance_ids[each.value.instance]
   storage_class         = each.value.storage_class
-  endpoint_type         = each.value.endpoint_type
+  endpoint_type         = coalesce(each.value.endpoint_type, "public")
   force_delete          = each.value.force_delete
   single_site_location  = each.value.single_site_location
   region_location       = (each.value.region_location == null && each.value.single_site_location == null && each.value.cross_region_location == null) ? var.region : each.value.region_location

cos.tf

@@ -30,6 +30,7 @@ module "dynamic_values" {
   f5_vsi                                 = var.f5_vsi
   f5_template_data                       = var.f5_template_data
   skip_kms_block_storage_s2s_auth_policy = var.skip_kms_block_storage_s2s_auth_policy
+  skip_kms_kube_s2s_auth_policy          = var.skip_kms_kube_s2s_auth_policy
   skip_all_s2s_auth_policies             = var.skip_all_s2s_auth_policies
   atracker_cos_bucket                    = var.atracker.add_route == true ? var.atracker.collector_bucket_name : null
 }

dynamic_values.tf

@@ -22,6 +22,10 @@ variable "skip_kms_block_storage_s2s_auth_policy" {
   description = "Add kms to block storage s2s"
 }
 
+variable "skip_kms_kube_s2s_auth_policy" {
+  description = "Add kms to kubernetes s2s"
+}
+
 variable "skip_all_s2s_auth_policies" {
   description = "Add s2s authorization policies"
 }
@@ -73,7 +77,7 @@ module "kube_to_kms" {
       roles                       = ["Reader"]
       target_service_name         = local.target_key_management_service
       target_resource_instance_id = var.key_management_guid
-    } if local.target_key_management_service != null
+    } if local.target_key_management_service != null && !var.skip_kms_kube_s2s_auth_policy
   ]
 }
 
@@ -95,7 +99,7 @@ module "cos_to_key_management" {
       roles                       = ["Reader"]
       target_service_name         = local.target_key_management_service
       target_resource_instance_id = var.key_management_guid
-    } if local.target_key_management_service != null
+    } if local.target_key_management_service != null && !instance.skip_kms_s2s_auth_policy
   ]
 }
 
@@ -111,7 +115,7 @@ module "flow_logs_to_cos" {
       roles                       = ["Writer"]
       target_service_name         = "cloud-object-storage"
       target_resource_instance_id = split(":", var.cos_instance_ids[instance.name])[7]
-    }
+    } if !instance.skip_flowlogs_s2s_auth_policy
   ]
 }
 
@@ -122,19 +126,19 @@ module "flow_logs_to_cos" {
 ##############################################################################
 
 locals {
-  atracker_cos_instance = var.atracker_cos_bucket == null ? null : flatten([
+  atracker_cos_instance = var.atracker_cos_bucket == null ? null : one(flatten([
     for instance in var.cos :
     [
       for bucket in instance.buckets :
       [instance.name] if bucket.name == var.atracker_cos_bucket
-    ]
-  ])[0]
+    ] if !instance.skip_atracker_s2s_auth_policy
+  ]))
 }
 
 module "atracker_to_cos" {
   source = "../list_to_map"
   list = [
-    for instance in(var.atracker_cos_bucket != null ? ["atracker-to-cos"] : []) :
+    for instance in(var.atracker_cos_bucket != null && local.atracker_cos_instance != null ? ["atracker-to-cos"] : []) :
     {
       name                        = instance
       source_service_name         = "atracker"

dynamic_values/config_modules/service_authorizations/service_authorizations.tf

@@ -10,6 +10,7 @@ module "service_authorizations" {
   cos_instance_ids                       = local.cos_instance_ids
   skip_kms_block_storage_s2s_auth_policy = var.skip_kms_block_storage_s2s_auth_policy
   skip_all_s2s_auth_policies             = var.skip_all_s2s_auth_policies
+  skip_kms_kube_s2s_auth_policy          = var.skip_kms_kube_s2s_auth_policy
   atracker_cos_bucket                    = var.atracker_cos_bucket
   clusters                               = var.clusters
 }

dynamic_values/service_authorizations.tf

@@ -184,6 +184,10 @@ variable "skip_kms_block_storage_s2s_auth_policy" {
   description = "Direct reference to kms block storage variable"
 }
 
+variable "skip_kms_kube_s2s_auth_policy" {
+  description = "Do not create a kube to kms auth policy"
+}
+
 variable "skip_all_s2s_auth_policies" {
   description = "Direct reference to s2s authorization variable"
 }

dynamic_values/variables.tf

@@ -24,7 +24,7 @@ locals {
   # tflint-ignore: terraform_unused_declarations
   assert_key_exists_in_map = module.unit_test_hs_crypto.keys["test_key"]
   # tflint-ignore: terraform_unused_declarations
-  assert_key_ring_exists_in_map = regex("test-ring", module.unit_test_hs_crypto.key_rings[0])
+  assert_key_ring_exists_in_map = regex("test-ring", module.unit_test_hs_crypto.key_rings[0].key_ring_name)
   # tflint-ignore: terraform_unused_declarations
   assert_no_duplicate_key_rings = regex("1", tostring(length(module.unit_test_hs_crypto.key_rings)))
   # tflint-ignore: terraform_unused_declarations

kms/dynamic_values.unit_tests.tf

@@ -74,11 +74,14 @@ locals {
     (encryption_key.name) => encryption_key if lookup(encryption_key, "existing_key_crn", null) == null
   }
   # Rings
-  key_rings = distinct([
-    for encryption_key in var.keys :
-    encryption_key.key_ring if encryption_key.key_ring != null
+  key_rings = distinct([for encryption_key in var.keys :
+    {
+      key_ring_name = encryption_key.key_ring
+      endpoint      = lookup(encryption_key, "endpoint", "public")
+    } if encryption_key.key_ring != null
   ])
 
+
   # Policies
   key_management_key_policies = {
     for encryption_key in var.keys :

kms/dynamic_values/main.tf

@@ -59,9 +59,10 @@ data "ibm_resource_instance" "hpcs_instance" {
 ##############################################################################
 
 resource "ibm_kms_key_rings" "rings" {
-  for_each    = toset(local.key_rings)
-  instance_id = local.key_management_guid
-  key_ring_id = each.key
+  for_each      = { for ring in local.key_rings : ring.key_ring_name => ring }
+  instance_id   = local.key_management_guid
+  key_ring_id   = each.value.key_ring_name
+  endpoint_type = each.value.endpoint
 }
 
 ##############################################################################

kms/main.tf

@@ -3,11 +3,19 @@
 ##############################################################################
 
 module "cloud_object_storage" {
-  source                = "./config_modules/cloud_object_storage"
-  prefix                = var.prefix
-  vpc_list              = local.vpc_list
-  bastion_resource_list = local.bastion_resource_list
-  use_random_cos_suffix = var.use_random_cos_suffix
+  source                            = "./config_modules/cloud_object_storage"
+  prefix                            = var.prefix
+  vpc_list                          = local.vpc_list
+  bastion_resource_list             = local.bastion_resource_list
+  use_random_cos_suffix             = var.use_random_cos_suffix
+  existing_cos_instance_name        = var.existing_cos_instance_name
+  existing_cos_resource_group       = var.existing_cos_resource_group
+  use_existing_cos_for_atracker     = var.use_existing_cos_for_atracker
+  use_existing_cos_for_vpc_flowlogs = var.use_existing_cos_for_vpc_flowlogs
+  endpoint_type                     = var.existing_cos_endpoint_type
+  create_atracker_storage           = var.add_atracker_route
+  # skip the kms s2s auth policy for existing cos instances: if existing kms name is null or empty
+  skip_kms_auth_for_existing_cos = coalesce(var.existing_kms_instance_name, "~EMPTY~") != "~EMPTY~" ? true : false
 }
 
 ##############################################################################