feat: Updated the KMS auth policies created by the module and DA to now scope them to the exact KMS Key ID. Previously auth policies were scoped to the whole KMS instance. This change has been implemented in a way where it will create the new auth policy first before destroying the old one to ensure there is no disruption to everyday operations.
- updated the configuration in the DA that is used to store failed events in a COS bucket to now use the direct COS endpoint by default (previously it was using the public endpoint). This change is done as an update in place. (#313)
ocofaigh authored Oct 16, 2024
1 parent 85b939d commit 80b244f
Showing 11 changed files with 385 additions and 150 deletions.
2 changes: 1 addition & 1 deletion .secrets.baseline
@@ -3,7 +3,7 @@
"files": "go.sum|^.secrets.baseline$",
"lines": null
},
"generated_at": "2023-12-12T05:17:42Z",
"generated_at": "2023-12-13T05:17:42Z",
"plugins_used": [
{
"name": "AWSKeyDetector"
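Review bot: the only change in this hunk is the `generated_at` timestamp, which detect-secrets rewrites on every run; no plugin, filter or result entry changed, so consider leaving `.secrets.baseline` out of commits whose scan results are unchanged to keep the history free of timestamp-only churn.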
6 changes: 3 additions & 3 deletions README.md
@@ -91,7 +91,6 @@ To create service credentials, access the Event Notifications service, and acces
| [time_sleep.wait_for_cos_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [time_sleep.wait_for_kms_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [ibm_en_integrations.en_integrations](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/en_integrations) | data source |
| [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source |

### Inputs

@@ -112,14 +111,15 @@ To create service credentials, access the Event Notifications service, and acces
| <a name="input_root_key_id"></a> [root\_key\_id](#input\_root\_key\_id) | The key ID of a root key, existing in the KMS instance passed in `var.existing_kms_instance_crn`, which will be used to encrypt the data encryption keys which are then used to encrypt the data. Required only if `var.kms_encryption_enabled` is set to `true`. | `string` | `null` | no |
| <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event Notifications instance. | `map(string)` | `{}` | no |
| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable public, or both public and private service endpoints. Possible values: `public`, `public-and-private` | `string` | `"public-and-private"` | no |
| <a name="input_skip_en_cos_auth_policy"></a> [skip\_en\_cos\_auth\_policy](#input\_skip\_en\_cos\_auth\_policy) | Whether an IAM authorization policy is created for your Event Notifications instance to interact with your Object Storage bucket. Set to `true` to use an existing policy. Ignored if `cos_integration_enabled` is set to `false`. | `bool` | `false` | no |
| <a name="input_skip_en_kms_auth_policy"></a> [skip\_en\_kms\_auth\_policy](#input\_skip\_en\_kms\_auth\_policy) | Set to `true` to skip the creation of an IAM authorization policy that permits all Event Notifications instances in the resource group to read the encryption key from the KMS instance. If set to `false`, specify a value for the KMS instance in the `existing_kms_instance_guid` variable. In addition, no policy is created if `kms_encryption_enabled` is set to `false`. | `bool` | `false` | no |
| <a name="input_skip_en_cos_auth_policy"></a> [skip\_en\_cos\_auth\_policy](#input\_skip\_en\_cos\_auth\_policy) | Set to `true` to skip the creation of an IAM authorization policy that permits the Event Notifications instance `Object Writer` and `Reader` access to the given Object Storage bucket. Ignored if `cos_integration_enabled` is set to `false`. | `bool` | `false` | no |
| <a name="input_skip_en_kms_auth_policy"></a> [skip\_en\_kms\_auth\_policy](#input\_skip\_en\_kms\_auth\_policy) | Set to `true` to skip the creation of an IAM authorization policy that permits the Event Notifications instance to read the encryption key from the KMS instance. If set to `false`, a value must be passed for the KMS instance and key using inputs `existing_kms_instance_crn` and `root_key_id`. In addition, no policy is created if `kms_encryption_enabled` is set to `false`. | `bool` | `false` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | The list of tags to add to the Event Notifications instance. | `list(string)` | `[]` | no |

### Outputs

| Name | Description |
|------|-------------|
| <a name="output_account_id"></a> [account\_id](#output\_account\_id) | The Event Notifications account ID. |
| <a name="output_crn"></a> [crn](#output\_crn) | The Event Notifications instance CRN. |
| <a name="output_event_notification_instance_name"></a> [event\_notification\_instance\_name](#output\_event\_notification\_instance\_name) | The name of the Event Notifications instance. |
| <a name="output_guid"></a> [guid](#output\_guid) | The globally unique identifier of the Event Notifications instance. |
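Review bot: the new `skip_en_kms_auth_policy` description says the policy lets the instance "read the encryption key from the KMS instance" but never states that the policy is now scoped to the single key passed in `root_key_id` rather than to the whole instance, which is the point of this change and exactly what an operator who already holds an instance-wide policy needs to know before deciding to set the flag; suggest appending a clause such as "The policy is scoped to the key given in `root_key_id`." Likewise the new `account_id` output row reads "The Event Notifications account ID", which can be misread as an attribute of the EN service; "The ID of the IBM Cloud account in which the Event Notifications instance is provisioned" would be unambiguous.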
50 changes: 35 additions & 15 deletions main.tf
@@ -19,6 +19,9 @@ locals {
can(regex(".*hs-crypto.*", var.existing_kms_instance_crn)) ? "hs-crypto" : null
)
) : null

# Get account ID
account_id = ibm_resource_instance.en_instance.account_id
}

resource "ibm_resource_instance" "en_instance" {
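Review bot: `local.account_id` is now derived from the created instance rather than from the `ibm_iam_account_settings` data source, so its value is unknown at plan time on a fresh apply until `ibm_resource_instance.en_instance` exists; that is fine for the authorization policy blocks further down, which already depend on the instance GUID, but it means `local.account_id` must never be used in a `count` or `for_each` expression in this module, otherwise the first plan fails with an "invalid count argument" error. A one-line comment on the local recording that constraint would save the next contributor a surprise.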
@@ -79,13 +82,6 @@ resource "ibm_en_integration" "en_kms_integration" {
}
}

##############################################################################
# Get Cloud Account ID
##############################################################################

data "ibm_iam_account_settings" "iam_account_settings" {
}

##############################################################################
# IAM Authorization Policy
##############################################################################
@@ -102,30 +98,26 @@ resource "ibm_iam_authorization_policy" "cos_policy" {
source_resource_instance_id = ibm_resource_instance.en_instance.guid
roles = ["Object Writer", "Reader"]
description = "Allow EN instance with GUID ${ibm_resource_instance.en_instance.guid} `Object Writer` and `Reader` access to the COS instance with GUID ${local.existing_cos_instance_guid}."

resource_attributes {
name = "serviceName"
operator = "stringEquals"
value = "cloud-object-storage"
}

resource_attributes {
name = "accountId"
operator = "stringEquals"
value = data.ibm_iam_account_settings.iam_account_settings.account_id
value = local.account_id
}
resource_attributes {
name = "serviceInstance"
operator = "stringEquals"
value = local.existing_cos_instance_guid
}

resource_attributes {
name = "resourceType"
operator = "stringEquals"
value = "bucket"
}

resource_attributes {
name = "resource"
operator = "stringEquals"
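Review bot: the `description` at the top of this hunk still says the policy grants "`Object Writer` and `Reader` access to the COS instance with GUID ...", while the `resource_attributes` below scope it to `resourceType = "bucket"` and a named `resource`; because the description is what an auditor sees in the IAM console, reword it to name the bucket so it reflects the real scope, e.g. "... access to bucket ${name} in the COS instance with GUID ...". The switch of the `accountId` value to `local.account_id` is an in-place no-op for existing deployments, since the instance is created in the same account the data source reported, so no lifecycle handling is needed here.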
@@ -145,10 +137,38 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
count = var.kms_encryption_enabled == false || var.skip_en_kms_auth_policy ? 0 : 1
source_service_name = "event-notifications"
source_resource_instance_id = ibm_resource_instance.en_instance.guid
target_service_name = local.kms_service
target_resource_instance_id = local.existing_kms_instance_guid
roles = ["Reader"]
description = "Allow Event Notification instance ${ibm_resource_instance.en_instance.guid} to read from the ${local.kms_service} instance ${local.existing_kms_instance_guid}"
description = "Allow Event Notifications instance ${ibm_resource_instance.en_instance.guid} to read the ${local.kms_service} key ${var.root_key_id} from instance ${local.existing_kms_instance_guid}"
resource_attributes {
name = "serviceName"
operator = "stringEquals"
value = local.kms_service
}
resource_attributes {
name = "accountId"
operator = "stringEquals"
value = local.account_id
}
resource_attributes {
name = "serviceInstance"
operator = "stringEquals"
value = local.existing_kms_instance_guid
}
resource_attributes {
name = "resourceType"
operator = "stringEquals"
value = "key"
}
resource_attributes {
name = "resource"
operator = "stringEquals"
value = var.root_key_id
}
# Scope of policy now includes the key, so ensure to create new policy before
# destroying old one to prevent any disruption to every day services.
lifecycle {
create_before_destroy = true
}
}

# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
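Review bot: the `resource` attribute uses `var.root_key_id` directly, but the `count` guard only checks `kms_encryption_enabled` and `skip_en_kms_auth_policy`, and `root_key_id` defaults to `null` per the README table, so a caller who enables KMS encryption without passing a key now gets a provider error on `value = var.root_key_id` instead of a clear message; add a `precondition` to the `lifecycle` block, e.g. `condition = var.root_key_id != null` with an `error_message` naming the input, so the failure is caught at plan time. `target_service_name` and `target_resource_instance_id` describe the same target that the `serviceName` and `serviceInstance` resource_attributes now carry; if those two arguments are still present in the new version of the block, drop them so the target is defined once and the plan is unambiguous. The `create_before_destroy` ordering is the right call for tightening scope from instance to key, since the old, broader policy keeps the service working until the key-scoped one is in place. Minor: the comment reads "every day services"; "everyday" is the intended adjective.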
6 changes: 6 additions & 0 deletions outputs.tf
@@ -6,11 +6,17 @@ output "event_notification_instance_name" {
description = "The name of the Event Notifications instance."
value = ibm_resource_instance.en_instance.name
}

output "crn" {
description = "The Event Notifications instance CRN."
value = ibm_resource_instance.en_instance.crn
}

output "account_id" {
description = "The Event Notifications account ID."
value = local.account_id
}

output "guid" {
description = "The globally unique identifier of the Event Notifications instance."
value = ibm_resource_instance.en_instance.guid
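Review bot: the new `account_id` output is described as "The Event Notifications account ID"; since its value is the instance's `account_id` attribute, it is the IBM Cloud account the instance lives in, not an identifier belonging to the EN service, so reword the description to say that (and keep it in sync with the README table, which repeats the same text).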
0 comments on commit 80b244f