From f22efd1ea6eba163925391ee67776b9ef6737625 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Conall=20=C3=93=20Cofaigh?=
Date: Tue, 25 Jul 2023 12:55:37 +0100
Subject: [PATCH] fix: scope the block storage / HPCS auth policy to the source resource group (#491)
---
 main.tf | 7 +++----
 module-metadata.json | 13 +++++++++----
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/main.tf b/main.tf
index 2b839369..87126ef0 100644
--- a/main.tf
+++ b/main.tf
@@ -74,10 +74,9 @@ locals {
 ##############################################################################
 resource "ibm_iam_authorization_policy" "block_storage_policy" {
- count = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1
- source_service_name = "server-protect"
- # commented the following as policy is not working as expected with this option. Related support case - https://cloud.ibm.com/unifiedsupport/cases?number=CS3419700
- # source_resource_group_id = var.resource_group_id
+ count = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1
+ source_service_name = "server-protect"
+ source_resource_group_id = var.resource_group_id
 target_service_name = "hs-crypto"
 target_resource_instance_id = var.existing_kms_instance_guid
 roles = ["Reader"]
diff --git a/module-metadata.json b/module-metadata.json
index 8a7f1b1b..dc2bd0f4 100644
--- a/module-metadata.json
+++ b/module-metadata.json
@@ -167,6 +167,7 @@
 "description": "id of resource group to create VPC",
 "required": true,
 "source": [
+ "ibm_iam_authorization_policy.block_storage_policy.source_resource_group_id",
 "ibm_is_instance.vsi.resource_group",
 "ibm_is_lb.lb.resource_group",
 "ibm_is_security_group.security_group.resource_group"
@@ -177,7 +178,10 @@
 },
 "cloud_data_type": "resource_group",
 "immutable": true,
- "computed": true
+ "computed": true,
+ "cloud_data_range": [
+ "resolved_to:id"
+ ]
 },
 "secondary_allow_ip_spoofing": {
 "name": "secondary_allow_ip_spoofing",
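Review bot: The new `source_resource_group_id = var.resource_group_id` line drops the comment that tied the previous workaround to support case CS3419700, but nothing in the hunk records why the scoped policy is now expected to work, so the next person who sees an authorization failure on an encrypted block storage volume has no trail back to it. Suggest keeping a one-line comment above it such as `# Scope the policy to the source resource group (least privilege); previously disabled under support case CS3419700 — see #491.` Changing this argument on an existing policy will, if I recall the provider correctly, force the policy to be destroyed and recreated, so existing deployments should expect a short window with no authorization in place before the new policy exists; calling that out in the upgrade notes would help operators plan the apply. The resource block continues past the hunk (`roles` is the last visible line).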
@@ -426,6 +430,7 @@
 "name": "block_storage_policy",
 "attributes": {
 "count": "kms_encryption_enabled",
+ "source_resource_group_id": "resource_group_id",
 "target_resource_instance_id": "existing_kms_instance_guid"
 },
 "provider": {
@@ -450,7 +455,7 @@
 },
 "pos": {
 "filename": "main.tf",
- "line": 154
+ "line": 153
 }
 },
 "ibm_is_floating_ip.vsi_fip": {
@@ -467,7 +472,7 @@
 },
 "pos": {
 "filename": "main.tf",
- "line": 146
+ "line": 145
 }
 },
 "ibm_is_instance.vsi": {
@@ -490,7 +495,7 @@
 },
 "pos": {
 "filename": "main.tf",
- "line": 87
+ "line": 86
 }
 },
 "ibm_is_lb.lb": {