feat: added support to the DA for use case where KMS is in a different account by adding new optional variable ibmcloud_kms_api_key (#147)

Soaib024 · web-flow · commit 20c16a91dd8c · 2024-06-27T14:40:41.000+01:00
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
@@ -25,6 +25,33 @@ locals {
   parsed_existing_kms_instance_crn = var.existing_kms_instance_crn != null ? split(":", var.existing_kms_instance_crn) : []
   kms_region                       = length(local.parsed_existing_kms_instance_crn) > 0 ? local.parsed_existing_kms_instance_crn[5] : null
   existing_kms_guid                = length(local.parsed_existing_kms_instance_crn) > 0 ? local.parsed_existing_kms_instance_crn[7] : null
+  create_cross_account_auth_policy = !var.skip_kms_iam_authorization_policy && var.ibmcloud_kms_api_key != null
+
+  kms_service_name = local.kms_key_crn != null ? (
+    can(regex(".*kms.*", local.kms_key_crn)) ? "kms" : can(regex(".*hs-crypto.*", local.kms_key_crn)) ? "hs-crypto" : null
+  ) : null
+}
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+  count = local.create_cross_account_auth_policy ? 1 : 0
+}
+
+resource "ibm_iam_authorization_policy" "kms_policy" {
+  count                       = local.create_cross_account_auth_policy ? 1 : 0
+  provider                    = ibm.kms
+  source_service_account      = data.ibm_iam_account_settings.iam_account_settings[0].account_id
+  source_service_name         = "secrets-manager"
+  source_resource_group_id    = module.resource_group[0].resource_group_id
+  target_service_name         = local.kms_service_name
+  target_resource_instance_id = local.existing_kms_guid
+  roles                       = ["Reader"]
+  description                 = "Allow all Secrets Manager instances in the resource group ${module.resource_group[0].resource_group_id} in the account ${data.ibm_iam_account_settings.iam_account_settings[0].account_id} to read from the ${local.kms_service_name} instance GUID ${local.existing_kms_guid}"
+}
+
+# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
+resource "time_sleep" "wait_for_authorization_policy" {
+  depends_on      = [ibm_iam_authorization_policy.kms_policy]
+  create_duration = "30s"
 }
 
 # KMS root key for Secrets Manager secret encryption
@@ -72,6 +99,7 @@ locals {
 
 module "secrets_manager" {
   count                = var.existing_secrets_manager_crn != null ? 0 : 1
+  depends_on           = [time_sleep.wait_for_authorization_policy]
   source               = "../.."
   resource_group_id    = module.resource_group[0].resource_group_id
   region               = var.region
@@ -83,7 +111,7 @@ module "secrets_manager" {
   kms_encryption_enabled            = true
   existing_kms_instance_guid        = local.existing_kms_guid
   kms_key_crn                       = local.kms_key_crn
-  skip_kms_iam_authorization_policy = var.skip_kms_iam_authorization_policy
+  skip_kms_iam_authorization_policy = var.skip_kms_iam_authorization_policy || local.create_cross_account_auth_policy
   # event notifications dependency
   enable_event_notification        = var.existing_event_notification_instance_crn != null ? true : false
   existing_en_instance_crn         = var.existing_event_notification_instance_crn
diff --git a/solutions/standard/provider.tf b/solutions/standard/provider.tf
@@ -2,9 +2,8 @@ provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.region
 }
-
 provider "ibm" {
   alias            = "kms"
-  ibmcloud_api_key = var.ibmcloud_api_key
+  ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key
   region           = local.kms_region
 }
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
@@ -183,7 +183,7 @@ variable "iam_engine_name" {
 
 variable "skip_kms_iam_authorization_policy" {
   type        = bool
-  description = "Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key. If set to false, pass in a value for the Key Protect or Hyper Protect Crypto Service instance in the existing_kms_instance_crn variable."
+  description = "Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account."
   default     = false
 }
 
@@ -200,7 +200,7 @@ variable "existing_secrets_manager_kms_key_crn" {
 variable "existing_kms_instance_crn" {
   type        = string
   default     = null
-  description = "The CRN of the Hyper Protect Crypto Services or Key Protect instance. Applies only if `existing_secrets_manager_kms_key_crn` is not specified."
+  description = "The CRN of the KMS instance (Hyper Protect Crypto Services or Key Protect). Required only if `existing_secrets_manager_crn` or `existing_secrets_manager_kms_key_crn` is not specified. If the KMS instance is in different account you must also provide a value for `ibmcloud_kms_api_key`."
 }
 
 variable "kms_endpoint_type" {
@@ -225,6 +225,13 @@ variable "kms_key_name" {
   description = "The name for the new root key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. If a prefix input variable is passed, it is added to the value in the `<prefix>-value` format."
 }
 
+variable "ibmcloud_kms_api_key" {
+  type        = string
+  description = "The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance. If not specified, the 'ibmcloud_api_key' variable is used. Specify this key if the instance in `existing_kms_instance_crn` is in an account that's different from the Secrets Manager instance. Leave this input empty if the same account owns both instances."
+  sensitive   = true
+  default     = null
+}
+
 ########################################################################################################################
 # Event Notifications
 ########################################################################################################################
diff --git a/solutions/standard/version.tf b/solutions/standard/version.tf
@@ -8,7 +8,7 @@ terraform {
     }
     time = {
       source  = "hashicorp/time"
-      version = ">= 0.9.1, < 1.0.0"
+      version = "0.9.1"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -2,9 +2,8 @@ provider "ibm" {`
`2`	`2`	`ibmcloud_api_key = var.ibmcloud_api_key`
`3`	`3`	`region = var.region`
`4`	`4`	`}`
`5`		`-`
`6`	`5`	`provider "ibm" {`
`7`	`6`	`alias = "kms"`
`8`		`- ibmcloud_api_key = var.ibmcloud_api_key`
	`7`	`+ ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key`
`9`	`8`	`region = local.kms_region`
`10`	`9`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ terraform {`
`8`	`8`	`}`
`9`	`9`	`time = {`
`10`	`10`	`source = "hashicorp/time"`
`11`		`- version = ">= 0.9.1, < 1.0.0"`
	`11`	`+ version = "0.9.1"`
`12`	`12`	`}`
`13`	`13`	`}`
`14`	`14`	`}`