[terraform-ibm-secrets-manager] Scope KMS policy to the exact KMS key

[ocofaigh]

The policy here and here can be updated to scope it to the exact KMS key. For an example of the syntax, see terraform-ibm-modules/terraform-ibm-cos#764

[arya-girish-k]

cc : @SarikaSinha

[arya-girish-k]

As per the document authorization policy gets created at Instance level.
Currently while scoping KMS policy to the exact KMS key ,policy gets created but provisioning of secret manager instance is failing .As per the discussion scoping authorization policy at key level is not allowed
Hence closing the issue.

[ocofaigh]

I think there is some confusion here. The auth policy has to be created before the instance is created. Therefor the auth policy cannot be scoped the secrets manager instance. However it can be scoped to the KMS key. Re-opening this issue to discuss further

[ocofaigh]

It looks like when scoped to exact key, it fails with:

│ Error: [ERROR] Error when creating resource instance: Please contact the Service Provider for this error. [422, Unprocessable Entity] An IAM service authorization policy is missing between your key management service and Secrets Manager. To provision the service with customer managed encryption, authorization must be granted to all instances of Secrets Manager in your account. After provisioning, you can choose to create a more granular policy. with resp code: {
│   "StatusCode": 422,
│   "Headers": {
│     "Cache-Control": [
│       "max-age=0, no-cache, no-store"

In my opinion this is a bug on the service so I have created an enhancement request with the Secrets Manager service to support this so its consistent with other services.

[ocofaigh]

Secrets Manager made updates to support this, so we should no longer be blocked

[Aayush-Abhyarthi]

PR merged. Closing this.