feat: added new variable skip_all_s2s_auth_policies which allows you to skip all IAM auth policy creations (for a use case where you may be managing auth policies some place else). Also the add_kms_block_storage_s2s variable has been renamed to skip_kms_block_storage_s2s_auth_policy to keep naming consistent, and it has a default value of false.<br><br>NB: If auth policy creation is being skipped, ensure that the policies exist in the account before attempting to provision SLZ resources. (#644)

Author: Aayush-Abhyarthi

README.md

@@ -900,7 +900,6 @@ module "cluster_pattern" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_add_kms_block_storage_s2s"></a> [add\_kms\_block\_storage\_s2s](#input\_add\_kms\_block\_storage\_s2s) | Whether to create a service-to-service authorization between block storage and the key management service. | `bool` | `true` | no |
 | <a name="input_appid"></a> [appid](#input\_appid) | The App ID instance to be used for the teleport vsi deployments | <pre>object({<br>    name           = optional(string)<br>    resource_group = optional(string)<br>    use_data       = optional(bool)<br>    keys           = optional(list(string))<br>    use_appid      = bool<br>  })</pre> | <pre>{<br>  "use_appid": false<br>}</pre> | no |
 | <a name="input_atracker"></a> [atracker](#input\_atracker) | atracker variables | <pre>object({<br>    resource_group        = string<br>    receive_global_events = bool<br>    collector_bucket_name = string<br>    add_route             = bool<br>  })</pre> | n/a | yes |
 | <a name="input_clusters"></a> [clusters](#input\_clusters) | A list describing clusters workloads to create | <pre>list(<br>    object({<br>      name                 = string           # Name of Cluster<br>      vpc_name             = string           # Name of VPC<br>      subnet_names         = list(string)     # List of vpc subnets for cluster<br>      workers_per_subnet   = number           # Worker nodes per subnet.<br>      machine_type         = string           # Worker node flavor<br>      kube_type            = string           # iks or openshift<br>      kube_version         = optional(string) # Can be a version from `ibmcloud ks versions`, `latest` or `default`<br>      entitlement          = optional(string) # entitlement option for openshift<br>      pod_subnet           = optional(string) # Portable subnet for pods<br>      service_subnet       = optional(string) # Portable subnet for services<br>      resource_group       = string           # Resource Group used for cluster<br>      cos_name             = optional(string) # Name of COS instance Required only for OpenShift clusters<br>      update_all_workers   = optional(bool)   # If true force workers to update<br>      access_tags          = optional(list(string), [])<br>      boot_volume_crk_name = optional(string) # Boot volume encryption key name<br>      kms_config = optional(<br>        object({<br>          crk_name         = string         # Name of key<br>          private_endpoint = optional(bool) # Private endpoint<br>        })<br>      )<br>      worker_pools = optional(<br>        list(<br>          object({<br>            name                 = string           # Worker pool name<br>            vpc_name             = string           # VPC name<br>            workers_per_subnet   = number           # Worker nodes per subnet<br>            flavor               = string           # Worker node flavor<br>            subnet_names         = list(string)     # List of vpc subnets for worker pool<br>            entitlement          = optional(string) # entitlement option for openshift<br>            boot_volume_crk_name = optional(string) # Boot volume encryption key name<br>          })<br>        )<br>      )<br>    })<br>  )</pre> | n/a | yes |
@@ -915,6 +914,8 @@ module "cluster_pattern" {
 | <a name="input_resource_groups"></a> [resource\_groups](#input\_resource\_groups) | Object describing resource groups to create or reference | <pre>list(<br>    object({<br>      name       = string<br>      create     = optional(bool)<br>      use_prefix = optional(bool)<br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | Security groups for VPC | <pre>list(<br>    object({<br>      name           = string<br>      vpc_name       = string<br>      resource_group = optional(string)<br>      access_tags    = optional(list(string), [])<br>      rules = list(<br>        object({<br>          name      = string<br>          direction = string<br>          source    = string<br>          tcp = optional(<br>            object({<br>              port_max = number<br>              port_min = number<br>            })<br>          )<br>          udp = optional(<br>            object({<br>              port_max = number<br>              port_min = number<br>            })<br>          )<br>          icmp = optional(<br>            object({<br>              type = number<br>              code = number<br>            })<br>          )<br>        })<br>      )<br>    })<br>  )</pre> | `[]` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Service endpoints. Can be `public`, `private`, or `public-and-private` | `string` | `"public-and-private"` | no |
+| <a name="input_skip_all_s2s_auth_policies"></a> [skip\_all\_s2s\_auth\_policies](#input\_skip\_all\_s2s\_auth\_policies) | Whether to skip the creation of all of the service-to-service authorization policies. If setting to true, policies must be in place on the account before provisioning. | `bool` | `false` | no |
+| <a name="input_skip_kms_block_storage_s2s_auth_policy"></a> [skip\_kms\_block\_storage\_s2s\_auth\_policy](#input\_skip\_kms\_block\_storage\_s2s\_auth\_policy) | Whether to skip the creation of a service-to-service authorization policy between block storage and the key management service. | `bool` | `false` | no |
 | <a name="input_ssh_keys"></a> [ssh\_keys](#input\_ssh\_keys) | SSH keys to use to provision a VSI. Must be an RSA key with a key size of either 2048 bits or 4096 bits (recommended). If `public_key` is not provided, the named key will be looked up from data. If a resource group name is added, it must be included in `var.resource_groups`. See https://cloud.ibm.com/docs/vpc?topic=vpc-ssh-keys. | <pre>list(<br>    object({<br>      name           = string<br>      public_key     = optional(string)<br>      resource_group = optional(string)<br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | List of resource tags to apply to resources created by this module. | `list(string)` | `[]` | no |
 | <a name="input_teleport_config_data"></a> [teleport\_config\_data](#input\_teleport\_config\_data) | Teleport config data. This is used to create a single template for all teleport instances to use. Creating a single template allows for values to remain sensitive | <pre>object({<br>    teleport_license   = optional(string)<br>    https_cert         = optional(string)<br>    https_key          = optional(string)<br>    domain             = optional(string)<br>    cos_bucket_name    = optional(string)<br>    cos_key_name       = optional(string)<br>    teleport_version   = optional(string)<br>    message_of_the_day = optional(string)<br>    hostname           = optional(string)<br>    app_id_key_name    = optional(string)<br>    claims_to_roles = optional(<br>      list(<br>        object({<br>          email = string<br>          roles = list(string)<br>        })<br>      )<br>    )<br>  })</pre> | `null` | no |

common-dev-assets

@@ -3,34 +3,35 @@
 ##############################################################################
 
 module "dynamic_values" {
-  source                    = "./dynamic_values"
-  region                    = var.region
-  prefix                    = var.prefix
-  key_management            = var.key_management
-  key_management_guid       = module.key_management.key_management_guid
-  clusters                  = var.clusters
-  vpcs                      = var.vpcs
-  resource_groups           = local.resource_groups
-  vpc_modules               = module.vpc
-  cos                       = var.cos
-  cos_data_source           = data.ibm_resource_instance.cos
-  cos_resource              = ibm_resource_instance.cos
-  cos_resource_keys         = ibm_resource_key.key
-  suffix                    = random_string.random_cos_suffix.result
-  ssh_keys                  = var.ssh_keys
-  vsi                       = var.vsi
-  virtual_private_endpoints = var.virtual_private_endpoints
-  vpn_gateways              = var.vpn_gateways
-  security_groups           = var.security_groups
-  bastion_vsi               = var.teleport_vsi
-  appid                     = var.appid
-  appid_resource            = ibm_resource_instance.appid
-  appid_data                = data.ibm_resource_instance.appid
-  teleport_domain           = tostring(try(var.teleport_config_data.domain, null))
-  f5_vsi                    = var.f5_vsi
-  f5_template_data          = var.f5_template_data
-  add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
-  atracker_cos_bucket       = var.atracker.add_route == true ? var.atracker.collector_bucket_name : null
+  source                                 = "./dynamic_values"
+  region                                 = var.region
+  prefix                                 = var.prefix
+  key_management                         = var.key_management
+  key_management_guid                    = module.key_management.key_management_guid
+  clusters                               = var.clusters
+  vpcs                                   = var.vpcs
+  resource_groups                        = local.resource_groups
+  vpc_modules                            = module.vpc
+  cos                                    = var.cos
+  cos_data_source                        = data.ibm_resource_instance.cos
+  cos_resource                           = ibm_resource_instance.cos
+  cos_resource_keys                      = ibm_resource_key.key
+  suffix                                 = random_string.random_cos_suffix.result
+  ssh_keys                               = var.ssh_keys
+  vsi                                    = var.vsi
+  virtual_private_endpoints              = var.virtual_private_endpoints
+  vpn_gateways                           = var.vpn_gateways
+  security_groups                        = var.security_groups
+  bastion_vsi                            = var.teleport_vsi
+  appid                                  = var.appid
+  appid_resource                         = ibm_resource_instance.appid
+  appid_data                             = data.ibm_resource_instance.appid
+  teleport_domain                        = tostring(try(var.teleport_config_data.domain, null))
+  f5_vsi                                 = var.f5_vsi
+  f5_template_data                       = var.f5_template_data
+  skip_kms_block_storage_s2s_auth_policy = var.skip_kms_block_storage_s2s_auth_policy
+  skip_all_s2s_auth_policies             = var.skip_all_s2s_auth_policies
+  atracker_cos_bucket                    = var.atracker.add_route == true ? var.atracker.collector_bucket_name : null
 }
 
 ##############################################################################

dynamic_values.tf

@@ -18,10 +18,14 @@ variable "cos" {
   description = "COS variable"
 }
 
-variable "add_kms_block_storage_s2s" {
+variable "skip_kms_block_storage_s2s_auth_policy" {
   description = "Add kms to block storage s2s"
 }
 
+variable "skip_all_s2s_auth_policies" {
+  description = "Add s2s authorization policies"
+}
+
 variable "atracker_cos_bucket" {
   description = "Add atracker to cos s2s"
 }
@@ -39,7 +43,7 @@ locals {
 module "kms_to_block_storage" {
   source = "../list_to_map"
   list = [
-    for instance in(var.add_kms_block_storage_s2s ? ["block-storage"] : []) :
+    for instance in(var.skip_kms_block_storage_s2s_auth_policy ? [] : ["block-storage"]) :
     {
       name                        = instance
       source_service_name         = "server-protect"

dynamic_values/config_modules/service_authorizations/service_authorizations.tf

@@ -3,13 +3,14 @@
 ##############################################################################
 
 module "service_authorizations" {
-  source                    = "./config_modules/service_authorizations"
-  key_management            = var.key_management
-  key_management_guid       = var.key_management_guid
-  cos                       = var.cos
-  cos_instance_ids          = local.cos_instance_ids
-  add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
-  atracker_cos_bucket       = var.atracker_cos_bucket
+  source                                 = "./config_modules/service_authorizations"
+  key_management                         = var.key_management
+  key_management_guid                    = var.key_management_guid
+  cos                                    = var.cos
+  cos_instance_ids                       = local.cos_instance_ids
+  skip_kms_block_storage_s2s_auth_policy = var.skip_kms_block_storage_s2s_auth_policy
+  skip_all_s2s_auth_policies             = var.skip_all_s2s_auth_policies
+  atracker_cos_bucket                    = var.atracker_cos_bucket
 }
 
 ##############################################################################

dynamic_values/service_authorizations.tf

@@ -180,10 +180,14 @@ variable "f5_template_data" {
 # Service Authorization Variables
 ##############################################################################
 
-variable "add_kms_block_storage_s2s" {
+variable "skip_kms_block_storage_s2s_auth_policy" {
   description = "Direct reference to kms block storage variable"
 }
 
+variable "skip_all_s2s_auth_policies" {
+  description = "Direct reference to s2s authorization variable"
+}
+
 variable "atracker_cos_bucket" {
   description = "Direct reference to atracker to cos variable"
 }

dynamic_values/variables.tf

@@ -548,7 +548,7 @@
             }
           ],
           "architecture": {
-            "descriptions": "This architecture creates virtual server instances (VSI) in some or all of the subnets of one VPC of an existing landing zone deployable architecture. To create VSIs in multiple VPCs, deploy the extension once for each VPC.\r\n\r\n## Before you begin\r\n\r\n- You must have either the [VPC landing zone](https:\/\/cloud.ibm.com\/catalog\/architecture\/deploy-arch-ibm-slz-vpc-9fc0fa64-27af-4fed-9dce-47b3640ba739-global) or [Red Hat OpenShift Container Platform on VPC landing zone](https:\/\/cloud.ibm.com\/catalog\/architecture\/deploy-arch-ibm-slz-ocp-95fccffc-ae3b-42df-b6d9-80be5914d852-global) deployable architecture deployed.\r\n- You need an authorization policy that grants access between block storage and the KMS. The policy exists if you set the `add_kms_block_storage_s2s` input variable to `true` (the default value) in your existing landing zone deployable architecture.\r\n- You need the VPC ID, subnet names, and boot volume encryption key from your existing landing zone deployable architecture. For information about finding these values, see [Adding a VSI to your VPC landing zone deployable architecture](https:\/\/cloud.ibm.com\/docs\/secure-infrastructure-vpc?topic=secure-infrastructure-vpc-ext-with-vsi).",
+            "descriptions": "This architecture creates virtual server instances (VSI) in some or all of the subnets of one VPC of an existing landing zone deployable architecture. To create VSIs in multiple VPCs, deploy the extension once for each VPC.\r\n\r\n## Before you begin\r\n\r\n- You must have either the [VPC landing zone](https:\/\/cloud.ibm.com\/catalog\/architecture\/deploy-arch-ibm-slz-vpc-9fc0fa64-27af-4fed-9dce-47b3640ba739-global) or [Red Hat OpenShift Container Platform on VPC landing zone](https:\/\/cloud.ibm.com\/catalog\/architecture\/deploy-arch-ibm-slz-ocp-95fccffc-ae3b-42df-b6d9-80be5914d852-global) deployable architecture deployed.\r\n- You need an authorization policy that grants access between block storage and the KMS. The policy exists if you set the `skip_kms_block_storage_s2s_auth_policy` input variable to `false` (the default value) in your existing landing zone deployable architecture.\r\n- You need the VPC ID, subnet names, and boot volume encryption key from your existing landing zone deployable architecture. For information about finding these values, see [Adding a VSI to your VPC landing zone deployable architecture](https:\/\/cloud.ibm.com\/docs\/secure-infrastructure-vpc?topic=secure-infrastructure-vpc-ext-with-vsi).",
             "features": [
               {
                 "title": "Adds a virtual server instance in every VPC subnet",