fix: scope the block storage / HPCS auth policy to the source resourc…

…e group (#491)
terraform-ibm-modules · Jul 25, 2023 · f22efd1 · f22efd1
1 parent e41a3de
commit f22efd1
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 8 deletions.
diff --git a/main.tf b/main.tf
@@ -74,10 +74,9 @@ locals {
 ##############################################################################
 
 resource "ibm_iam_authorization_policy" "block_storage_policy" {
-  count               = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1
-  source_service_name = "server-protect"
-  # commented the following as policy is not working as expected with this option. Related support case - https://cloud.ibm.com/unifiedsupport/cases?number=CS3419700
-  #  source_resource_group_id    = var.resource_group_id
+  count                       = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1
+  source_service_name         = "server-protect"
+  source_resource_group_id    = var.resource_group_id
   target_service_name         = "hs-crypto"
   target_resource_instance_id = var.existing_kms_instance_guid
   roles                       = ["Reader"]

diff --git a/module-metadata.json b/module-metadata.json
@@ -167,6 +167,7 @@
       "description": "id of resource group to create VPC",
       "required": true,
       "source": [
+        "ibm_iam_authorization_policy.block_storage_policy.source_resource_group_id",
         "ibm_is_instance.vsi.resource_group",
         "ibm_is_lb.lb.resource_group",
         "ibm_is_security_group.security_group.resource_group"
@@ -177,7 +178,10 @@
       },
       "cloud_data_type": "resource_group",
       "immutable": true,
-      "computed": true
+      "computed": true,
+      "cloud_data_range": [
+        "resolved_to:id"
+      ]
     },
     "secondary_allow_ip_spoofing": {
       "name": "secondary_allow_ip_spoofing",
@@ -426,6 +430,7 @@
       "name": "block_storage_policy",
       "attributes": {
         "count": "kms_encryption_enabled",
+        "source_resource_group_id": "resource_group_id",
         "target_resource_instance_id": "existing_kms_instance_guid"
       },
       "provider": {
@@ -450,7 +455,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 154
+        "line": 153
       }
     },
     "ibm_is_floating_ip.vsi_fip": {
@@ -467,7 +472,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 146
+        "line": 145
       }
     },
     "ibm_is_instance.vsi": {
@@ -490,7 +495,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 87
+        "line": 86
       }
     },
     "ibm_is_lb.lb": {