fix: do not create COS auth policy if passing existing SCC instance (#167)

Author: Khuzaima05

README.md

@@ -107,7 +107,7 @@ You need the following permissions to run this module.
 | <a name="input_region"></a> [region](#input\_region) | Region where SCC instance will be created | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The id of the resource group to create the SCC instance | `string` | n/a | yes |
 | <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | A list of tags applied to the resources created by the module | `list(string)` | `[]` | no |
-| <a name="input_skip_cos_iam_authorization_policy"></a> [skip\_cos\_iam\_authorization\_policy](#input\_skip\_cos\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits the SCC instance created by this module to write access to the provided COS instance | `bool` | `false` | no |
+| <a name="input_skip_cos_iam_authorization_policy"></a> [skip\_cos\_iam\_authorization\_policy](#input\_skip\_cos\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits the SCC instance created by this module to write access to the provided COS instance. This value will get ignored if an existing SCC instance is passed. | `bool` | `false` | no |
 | <a name="input_skip_scc_wp_auth_policy"></a> [skip\_scc\_wp\_auth\_policy](#input\_skip\_scc\_wp\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits the SCC instance created by this solution read access to the workload protection instance. Only used if `attach_wp_to_scc_instance` is set to true. | `bool` | `false` | no |
 | <a name="input_wp_instance_crn"></a> [wp\_instance\_crn](#input\_wp\_instance\_crn) | Optionally pass the CRN of an existing SCC Workload Protection instance to attach it to the SCC instance. | `string` | `null` | no |
 

examples/complete/main.tf

@@ -14,6 +14,7 @@ module "resource_group" {
 ##############################################################################
 
 module "cos" {
+  count                  = var.existing_scc_instance_crn == null ? 1 : 0
   source                 = "terraform-ibm-modules/cos/ibm"
   version                = "8.11.15"
   cos_instance_name      = "${var.prefix}-cos"
@@ -51,6 +52,7 @@ module "scc_wp" {
   resource_tags     = var.resource_tags
 }
 
+
 ##############################################################################
 # SCC instance
 ##############################################################################
@@ -63,8 +65,8 @@ module "create_scc_instance" {
   resource_tags                     = var.resource_tags
   existing_scc_instance_crn         = var.existing_scc_instance_crn
   access_tags                       = var.access_tags
-  cos_bucket                        = module.cos.bucket_name
-  cos_instance_crn                  = module.cos.cos_instance_id
+  cos_bucket                        = var.existing_scc_instance_crn == null ? module.cos[0].bucket_name : null
+  cos_instance_crn                  = var.existing_scc_instance_crn == null ? module.cos[0].cos_instance_id : null
   en_instance_crn                   = module.event_notification.crn
   skip_cos_iam_authorization_policy = false
   attach_wp_to_scc_instance         = true

examples/complete/moved.tf

@@ -0,0 +1,4 @@
+moved {
+  from = module.cos
+  to   = module.cos[0]
+}

examples/complete/outputs.tf

@@ -44,12 +44,12 @@ output "en_crn" {
 
 output "cos_instance_id" {
   description = "The COS instance ID created in this example"
-  value       = module.cos.cos_instance_id
+  value       = var.existing_scc_instance_crn == null ? module.cos[0].cos_instance_id : null
 }
 
 output "cos_bucket" {
   description = "The COS bucket created in this example"
-  value       = module.cos.bucket_name
+  value       = var.existing_scc_instance_crn == null ? module.cos[0].bucket_name : null
   depends_on  = [module.create_scc_instance]
 }
 

main.tf

@@ -49,7 +49,7 @@ locals {
 }
 
 resource "ibm_iam_authorization_policy" "scc_cos_s2s_access" {
-  count                       = var.skip_cos_iam_authorization_policy ? 0 : 1
+  count                       = var.existing_scc_instance_crn != null || var.skip_cos_iam_authorization_policy ? 0 : 1
   source_service_name         = "compliance"
   source_resource_instance_id = local.scc_instance_guid
   roles                       = ["Writer"]

tests/existing-resources/outputs.tf

@@ -7,6 +7,11 @@ output "resource_group_id" {
   value       = module.resource_group.resource_group_id
 }
 
+output "prefix" {
+  description = "Prefix to append to all resources created by this example"
+  value       = var.prefix
+}
+
 output "resource_group_name" {
   description = "The name of the resource group where SCC instance is created by this module"
   value       = module.resource_group.resource_group_name

tests/pr_test.go

@@ -153,6 +153,7 @@ func TestRunExistingResourcesInstances(t *testing.T) {
 				"region":                    region,
 				"resource_group":            terraform.Output(t, existingTerraformOptions, "resource_group_name"),
 				"existing_scc_instance_crn": terraform.Output(t, existingTerraformOptions, "crn"),
+				"prefix":                    terraform.Output(t, existingTerraformOptions, "prefix"),
 			},
 		})
 

variables.tf

@@ -88,7 +88,7 @@ variable "en_instance_crn" {
 variable "skip_cos_iam_authorization_policy" {
   type        = bool
   default     = false
-  description = "Set to true to skip the creation of an IAM authorization policy that permits the SCC instance created by this module to write access to the provided COS instance"
+  description = "Set to true to skip the creation of an IAM authorization policy that permits the SCC instance created by this module to write access to the provided COS instance. This value will get ignored if an existing SCC instance is passed."
 }
 
 variable "skip_scc_wp_auth_policy" {