fix: fixed bug which was causing kms auth policy to be created even w…

…hen kms encryption was not enabled (#489)
terraform-ibm-modules · Jul 20, 2023 · 6b037d0 · 6b037d0
1 parent 8abd7cf
commit 6b037d0
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 7 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-06-10T00:32:33Z",
+  "generated_at": "2023-07-20T09:57:54Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

diff --git a/catalogValidationValues.json.template b/catalogValidationValues.json.template
diff --git a/main.tf b/main.tf
@@ -74,7 +74,7 @@ locals {
 ##############################################################################
 
 resource "ibm_iam_authorization_policy" "block_storage_policy" {
-  count               = var.skip_iam_authorization_policy ? 0 : 1
+  count               = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1
   source_service_name = "server-protect"
   # commented the following as policy is not working as expected with this option. Related support case - https://cloud.ibm.com/unifiedsupport/cases?number=CS3419700
   #  source_resource_group_id    = var.resource_group_id

diff --git a/module-metadata.json b/module-metadata.json
@@ -112,6 +112,9 @@
       "type": "bool",
       "description": "Set this to true to control the encryption keys used to encrypt the data that for the block storage volumes for VPC. If set to false, the data is encrypted by using randomly generated keys. For more info on encrypting block storage volumes, see https://cloud.ibm.com/docs/vpc?topic=vpc-creating-instances-byok",
       "default": false,
+      "source": [
+        "ibm_iam_authorization_policy.block_storage_policy.count"
+      ],
       "pos": {
         "filename": "variables.tf",
         "line": 194
@@ -254,9 +257,6 @@
       "type": "bool",
       "description": "Set to true to skip the creation of an IAM authorization policy that permits all Storage Blocks to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing_kms_instance_guid variable. In addition, no policy is created if var.kms_encryption_enabled is set to false.",
       "default": false,
-      "source": [
-        "ibm_iam_authorization_policy.block_storage_policy.count"
-      ],
       "pos": {
         "filename": "variables.tf",
         "line": 200
@@ -425,7 +425,7 @@
       "type": "ibm_iam_authorization_policy",
       "name": "block_storage_policy",
       "attributes": {
-        "count": "skip_iam_authorization_policy",
+        "count": "kms_encryption_enabled",
         "target_resource_instance_id": "existing_kms_instance_guid"
       },
       "provider": {