service_authorizations.tf
##############################################################################
# Service To Service Authorization Policies
# > `target_resource_group_id` and `target_resource_instance_id` are mutually
# exclusive. If both are set, IAM uses the less specific (broader) of the two.
##############################################################################
locals {
  # Service-to-service authorization definitions as produced by the
  # dynamic_values module; consumed by the for_each of the policy resource.
  authorization_policies = module.dynamic_values.service_authorizations
}
##############################################################################
##############################################################################
# Authorization Policies
##############################################################################
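# Creates one IAM service-to-service authorization policy per entry in
# local.authorization_policies, unless var.skip_all_s2s_auth_policies is true.
resource "ibm_iam_authorization_policy" "policy" {
  # Filter instead of `cond ? null : map`: Terraform rejects a null for_each
  # ("Invalid for_each argument"), so setting the skip flag failed the plan
  # rather than skipping the policies. `!= true` keeps the original treatment
  # of a null flag (policies are still created).
  for_each = {
    for name, policy in local.authorization_policies :
    name => policy if var.skip_all_s2s_auth_policies != true
  }

  # Source side of the grant. Only the service name is mandatory; the optional
  # keys fall back to null when the entry does not define them.
  # NOTE(review): an entry with neither a source instance nor a source resource
  # group is scoped by service name only - confirm that breadth is intended.
  source_service_name         = each.value.source_service_name
  source_resource_type        = lookup(each.value, "source_resource_type", null)
  source_resource_instance_id = lookup(each.value, "source_resource_instance_id", null)
  source_resource_group_id    = lookup(each.value, "source_resource_group_id", null)

  # Target side of the grant. Instance ID and resource group ID are meant to be
  # mutually exclusive; prefer the instance ID where least privilege matters.
  target_service_name         = each.value.target_service_name
  target_resource_instance_id = lookup(each.value, "target_resource_instance_id", null)
  # NOTE(review): this reads the key "target_resource_group" (no "_id" suffix),
  # unlike the other lookups - verify it matches what dynamic_values emits,
  # otherwise the resource-group scope is silently dropped to null.
  target_resource_group_id = lookup(each.value, "target_resource_group", null)

  roles       = each.value.roles
  description = each.value.description
}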
# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
resource "time_sleep" "wait_for_authorization_policy" {
  # Fixed 30-second pause that starts once every authorization policy has been
  # created. It only delays resources that depend on this time_sleep.
  # NOTE(review): presumably covers IAM propagation delay - confirm against the
  # linked provider issue, and that consumers depend on this resource.
  create_duration = "30s"
  depends_on      = [ibm_iam_authorization_policy.policy]
}
##############################################################################