
Updated the KMS auth policy so it's scoped to the exact KMS Key #764

Merged 11 commits, Oct 31, 2024

Conversation

@ocofaigh (Member) commented Oct 30, 2024

Description

Updated the KMS auth policy so it's scoped to the exact KMS Key (#758). This will recreate the auth policy, but it won't be disruptive as I have used create_before_destroy = true.

Release required?

  • No release
  • Patch release (x.x.X)
  • Minor release (x.X.x)
  • Major release (X.x.x)
Release notes content

Run the pipeline

If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.

Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:

/run pipeline

Checklist for reviewers

  • If relevant, a test for the change is included or updated with this PR.
  • If relevant, documentation for the change is included or updated with this PR.

For mergers

  • Use a conventional commit message to set the release level. Follow the guidelines.
  • Include information that users need to know about the PR in the commit message. The commit message becomes part of the GitHub release notes.
  • Use the Squash and merge option.
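For context on the change described in this PR, the following is an added example (not the terraform-ibm-modules code) showing the two shapes of `ibm_iam_authorization_policy` involved: the instance-wide policy that gets replaced, kept as a comment for comparison, and a policy scoped to a single KMS key with `create_before_destroy` so the replacement never leaves the key without a reader. The variable names, the placeholder GUIDs and the `kms_service_name` variable are assumptions for illustration; the `serviceName`, `serviceInstance`, `resourceType` and `resource` names are the IAM resource-attribute names used for key-level KMS targets (check them against the provider documentation for the provider version you run).

```hcl
# Added example, not the terraform-ibm-modules code. Variable names and the
# placeholder GUIDs below are assumptions for illustration.

variable "cos_instance_guid" {
  description = "GUID of the Cloud Object Storage instance that needs to use the key (placeholder value)"
  type        = string
  default     = "00000000-0000-4000-8000-000000000001"
}

variable "kms_instance_guid" {
  description = "GUID of the Key Protect / HPCS instance that holds the key (placeholder value)"
  type        = string
  default     = "00000000-0000-4000-8000-000000000002"
}

variable "kms_key_id" {
  description = "ID of the single root key the COS instance may use (placeholder value)"
  type        = string
  default     = "00000000-0000-4000-8000-000000000003"
}

variable "kms_service_name" {
  description = "Target service name: \"kms\" for Key Protect, \"hs-crypto\" for Hyper Protect Crypto Services"
  type        = string
  default     = "kms"
}

# Before: the policy targets the whole KMS instance, so the COS instance is
# granted Reader on every key in it (this matches the 'Before' description
# in the upgrade-test output). Kept as a comment for comparison only.
#
# resource "ibm_iam_authorization_policy" "policy" {
#   source_service_name         = "cloud-object-storage"
#   source_resource_instance_id = var.cos_instance_guid
#   target_service_name         = var.kms_service_name
#   target_resource_instance_id = var.kms_instance_guid
#   roles                       = ["Reader"]
#   description                 = "Allow the COS instance with GUID ${var.cos_instance_guid} reader access to the ${var.kms_service_name} instance GUID ${var.kms_instance_guid}"
# }

# After: the target is expressed with resource_attributes blocks instead of
# the target_* arguments, adding resourceType = "key" and resource = <key ID>
# so the Reader role applies to exactly one key. Changing resource_attributes
# forces replacement of the policy (it appears in replace_paths), so
# create_before_destroy = true makes Terraform create the new policy first
# and delete the old one afterwards (plan actions [create, delete] rather
# than [delete, create]); COS keeps access to the key throughout.
resource "ibm_iam_authorization_policy" "policy" {
  source_service_name         = "cloud-object-storage"
  source_resource_instance_id = var.cos_instance_guid
  roles                       = ["Reader"]
  description                 = "Allow the COS instance ${var.cos_instance_guid} to read the ${var.kms_service_name} key ${var.kms_key_id} from the instance ${var.kms_instance_guid}"

  resource_attributes {
    name     = "serviceName"
    value    = var.kms_service_name
    operator = "stringEquals"
  }
  resource_attributes {
    name     = "serviceInstance"
    value    = var.kms_instance_guid
    operator = "stringEquals"
  }
  resource_attributes {
    name     = "resourceType"
    value    = "key"
    operator = "stringEquals"
  }
  resource_attributes {
    name     = "resource"
    value    = var.kms_key_id
    operator = "stringEquals"
  }

  lifecycle {
    create_before_destroy = true
  }
}

output "kms_key_authorization_policy_id" {
  description = "ID of the key-scoped authorization policy"
  value       = ibm_iam_authorization_policy.policy.id
}
```

When moving an existing deployment from the commented-out form to the scoped one, check the plan before applying: the policy should show actions [create, delete] with replace_paths [["resource_attributes"]], which is the non-disruptive ordering relied on here. A plan that shows [delete, create] for the policy means the lifecycle block is missing, and the COS instance would lose access to the key between the destroy and the create.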

@ocofaigh (Member, Author)

/run pipeline

@ocofaigh (Member, Author)

/run pipeline

@ocofaigh (Member, Author)

/run pipeline

@ocofaigh (Member, Author)

/run pipeline

@ocofaigh (Member, Author)

/run pipeline

@ocofaigh (Member, Author)

As expected, the upgrade test fails due to the re-creation of the auth policy; however, since we are using create_before_destroy = true there will be no disruption to key access, so skipping the upgrade test.

```
Messages: Resource(s) identified to be destroyed
  Name: policy
  Address: module.cos_bucket1.ibm_iam_authorization_policy.policy[0]
  Actions: [create delete]
  DIFF:
    Before:
      {"description":"Allow the COS instance with GUID 590d4995-34cc-4381-ae42-2b1c147dc3d8 reader access to the kms instance GUID 8794dc95-6977-43c7-a027-3586a9cfebfd","id":"8988a78f-0c24-4d63-b424-69ebfbe01a8d","resource_attributes":"SECURE_VALUE_HIDDEN_HASH:-545edab1d5168d493ebb23d0c7c80b09d8233770d543e7157f616e0a","source_resource_group_id":"","source_resource_type":"","source_service_account":"abac0df06b644a9cabc6e44f55b3880e","subject_attributes":"SECURE_VALUE_HIDDEN_HASH:-c2ac0584fd5b5bebd8cdf04e5023c6e84271dec96cf119338b62f37c","target_resource_group_id":"","target_resource_instance_id":"8794dc95-6977-43c7-a027-3586a9cfebfd","target_resource_type":"","target_service_name":"kms","transaction_id":"4bb61b63d0e948db8e09ef4708b6cc39"}
    After:
      {"description":"Allow the COS instance 590d4995-34cc-4381-ae42-2b1c147dc3d8 to read the kms key 5d9458e6-8b2b-4fb6-b128-c8fac76e3be3 from the instance 8794dc95-6977-43c7-a027-3586a9cfebfd","resource_attributes":"SECURE_VALUE_HIDDEN_HASH:-7c74d87519f13fe49bd29004eb04bdc1ff8b402a498c89ca91f971c5"}

  Change Detail:
  {
    "actions": [
      "create",
      "delete"
    ],
    "after": {
      "description": "Allow the COS instance 590d4995-34cc-4381-ae42-2b1c147dc3d8 to read the kms key 5d9458e6-8b2b-4fb6-b128-c8fac76e3be3 from the instance 8794dc95-6977-43c7-a027-3586a9cfebfd",
      "resource_attributes": "SECURE_VALUE_HIDDEN_HASH:-c90dcf9626e20ba028e624e205ef433f46c3ed0df6c790eceb1e8329",
      "roles": "SECURE_VALUE_HIDDEN_HASH:-93c7463038accfb0bd4348150239e058934ceedbf54dc749e45ee499",
      "source_resource_instance_id": "590d4995-34cc-4381-ae42-2b1c147dc3d8",
      "source_service_name": "cloud-object-storage"
    },
    "after_sensitive": {
      "resource_attributes": "SECURE_VALUE_HIDDEN_HASH:-ea363a1baecc424b453c4929799ff7239548596d7af4de80ec11f5c0",
      "roles": "SECURE_VALUE_HIDDEN_HASH:-db30a8deb6403e4b80e54a61af5be23d0526702837d0fb71dd9334b0",
      "subject_attributes": "SECURE_VALUE_HIDDEN_HASH:-06ed15af1f2d0d472fcf2945660aa76d693717ab675f8fe0340a44e5"
    },
    "after_unknown": {
      "id": true,
      "resource_attributes": "SECURE_VALUE_HIDDEN_HASH:-dee2a7af8167f4d7d587e677745a54d41af3f4c62de4fcc8661760ad",
      "roles": "SECURE_VALUE_HIDDEN_HASH:-6bb8e2ac1fcf24a9689e464eafbbd5913f9289579e1b7c25f180db40",
      "source_resource_group_id": true,
      "source_resource_type": true,
      "source_service_account": true,
      "subject_attributes": "SECURE_VALUE_HIDDEN_HASH:-9a96d45624c97887f3546333ba726f0211ca9fb1310223da742ca30d",
      "target_resource_group_id": true,
      "target_resource_instance_id": true,
      "target_resource_type": true,
      "target_service_name": true,
      "transaction_id": true,
      "version": true
    },
    "before": {
      "description": "Allow the COS instance with GUID 590d4995-34cc-4381-ae42-2b1c147dc3d8 reader access to the kms instance GUID 8794dc95-6977-43c7-a027-3586a9cfebfd",
      "id": "8988a78f-0c24-4d63-b424-69ebfbe01a8d",
      "resource_attributes": "SECURE_VALUE_HIDDEN_HASH:-f1eeb70700a3543fefbd63a26fa58db91d9dfc982409b6fd7d5901e9",
      "roles": "SECURE_VALUE_HIDDEN_HASH:-d37d85cc9c709b57789403b6b398341d0a84635d978e6dc414cb1c05",
      "source_resource_group_id": "",
      "source_resource_instance_id": "590d4995-34cc-4381-ae42-2b1c147dc3d8",
      "source_resource_type": "",
      "source_service_account": "abac0df06b644a9cabc6e44f55b3880e",
      "source_service_name": "cloud-object-storage",
      "subject_attributes": "SECURE_VALUE_HIDDEN_HASH:-6d93f91b613b3f98f15aae627afe7b6c556d06805a605117238fa0e8",
      "target_resource_group_id": "",
      "target_resource_instance_id": "8794dc95-6977-43c7-a027-3586a9cfebfd",
      "target_resource_type": "",
      "target_service_name": "kms",
      "transaction_id": "4bb61b63d0e948db8e09ef4708b6cc39",
      "version": null
    },
    "before_sensitive": {
      "resource_attributes": "SECURE_VALUE_HIDDEN_HASH:-7b5beaf30ca52539617191eabcaef9afd273b70fc106033d8664f780",
      "roles": "SECURE_VALUE_HIDDEN_HASH:-6e49f1c7c392a9ec504b5b86e837fe98fd7eab96e0c553f3b0270660",
      "subject_attributes": "SECURE_VALUE_HIDDEN_HASH:-dc24c48faff9152ac1c60010b98f398c7cc065f03e4e3d3c03ba65a6"
    },
    "replace_paths": [
      [
        "resource_attributes"
      ]
    ]
  }
```

@ocofaigh (Member, Author)

/run pipeline

@ocofaigh ocofaigh merged commit 211576e into main Oct 31, 2024
2 checks passed
@ocofaigh ocofaigh deleted the scope branch October 31, 2024 10:13
@terraform-ibm-modules-ops (Contributor)

🎉 This PR is included in version 8.14.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@ocofaigh ocofaigh deleted the scope branch November 4, 2024 09:33