feat: Scope Policy To Exact KMS Key

README.md

@@ -111,7 +111,9 @@ statement instead the previous block.
 
 ### Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_kms_key_crn_parser"></a> [kms\_key\_crn\_parser](#module\_kms\_key\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 |
 
 ### Resources
 

cra-config.yaml

@@ -5,7 +5,7 @@ CRA_TARGETS:
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
     PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3"         # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile).
     CRA_ENVIRONMENT_VARIABLES:
-      TF_VAR_kms_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533"
+      TF_VAR_existing_kms_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533"
       TF_VAR_existing_kms_instance_guid: "e6dce284-e80f-46e1-a3c1-830f7adff7a9"
       TF_VAR_resource_group_name: "test"
       TF_VAR_appid_name: "appid"

main.tf

@@ -1,3 +1,10 @@
+module "kms_key_crn_parser" {
+  count   = var.kms_encryption_enabled != false ? 1 : 0
+  source  = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+  version = "1.1.0"
+  crn     = var.kms_key_crn
+}
+
 locals {
   # tflint-ignore: terraform_unused_declarations
   validate_kms_plan = var.kms_encryption_enabled && var.plan != "graduated-tier" ? tobool("kms encryption is only supported for graduated-tier plan") : true
@@ -7,15 +14,11 @@ locals {
   validate_kms_values = !var.kms_encryption_enabled && (var.existing_kms_instance_guid != null || var.kms_key_crn != null) ? tobool("When passing values for var.existing_kms_instance_guid or/and var.kms_key_crn, you must set var.kms_encryption_enabled to true. Otherwise unset them to use default encryption") : true
   # tflint-ignore: terraform_unused_declarations
   validate_kms_vars = var.kms_encryption_enabled && (var.existing_kms_instance_guid == null || var.kms_key_crn == null) ? tobool("When setting var.kms_encryption_enabled to true, a value must be passed for var.existing_kms_instance_guid and var.kms_key_crn") : true
+  kms_service       = var.kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : null
+  kms_account_id    = var.kms_key_crn != null ? module.kms_key_crn_parser[0].account_id : null
+  kms_key_id        = var.kms_key_crn != null ? module.kms_key_crn_parser[0].resource : null
 
 
-  # Determine what KMS service is being used for database encryption
-  kms_service = var.kms_key_crn != null ? (
-    can(regex(".*kms.*", var.kms_key_crn)) ? "kms" : (
-      can(regex(".*hs-crypto.*", var.kms_key_crn)) ? "hs-crypto" : null
-    )
-  ) : null
-
   parameters_enabled = var.kms_encryption_enabled && var.existing_kms_instance_guid != null && var.kms_key_crn != null ? true : false
 }
 
@@ -24,15 +27,44 @@ locals {
 ##############################################################################
 
 resource "ibm_iam_authorization_policy" "policy" {
-  count                       = (var.kms_encryption_enabled && !var.skip_iam_authorization_policy) ? 1 : 0
-  source_service_name         = "appid"
-  source_resource_group_id    = var.resource_group_id
-  description                 = "Allow all AppID instances in the given resource group reader access to KMS instance ${var.existing_kms_instance_guid}"
-  target_service_name         = local.kms_service
-  target_resource_instance_id = var.existing_kms_instance_guid
+  count                    = (var.kms_encryption_enabled && !var.skip_iam_authorization_policy) ? 1 : 0
+  source_service_name      = "appid"
+  source_resource_group_id = var.resource_group_id
+  description              = "Allow all AppID instances in the given resource group ${var.resource_group_id} to read the ${local.kms_service} key ${local.kms_key_id} from instance ${var.existing_kms_instance_guid}"
   roles = [
     "Reader"
   ]
+
+  resource_attributes {
+    name     = "serviceName"
+    operator = "stringEquals"
+    value    = local.kms_service
+  }
+  resource_attributes {
+    name     = "accountId"
+    operator = "stringEquals"
+    value    = local.kms_account_id
+  }
+  resource_attributes {
+    name     = "serviceInstance"
+    operator = "stringEquals"
+    value    = var.existing_kms_instance_guid
+  }
+  resource_attributes {
+    name     = "resourceType"
+    operator = "stringEquals"
+    value    = "key"
+  }
+  resource_attributes {
+    name     = "resource"
+    operator = "stringEquals"
+    value    = local.kms_key_id
+  }
+  # Scope of policy now includes the key, so ensure to create new policy before
+  # destroying old one to prevent any disruption to every day services.
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478