feat : scope KMS auth policy to the exact KMS key

[arya-girish-k]

Description

This PR is to scope the KMS auth policy to the exact KMS key.
Git Issue

Release required?

• No release
• Patch release (x.x.X)
• Minor release (x.X.x)
• Major release (X.x.x)

Release notes content

Scope the KMS auth policy to the exact KMS key

Run the pipeline

If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.

Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:

/run pipeline

Checklist for reviewers

• If relevant, a test for the change is included or updated with this PR.
• If relevant, documentation for the change is included or updated with this PR.

For mergers

• Use a conventional commit message to set the release level. Follow the guidelines.
• Include information that users need to know about the PR in the commit message. The commit message becomes part of the GitHub release notes.
• Use the Squash and merge option.

[arya-girish-k]

/run pipeline

[arya-girish-k]

/run pipeline

[arya-girish-k]

/run pipeline

[arya-girish-k]

/run pipeline

[arya-girish-k]

/run pipeline

[arya-girish-k]

/run pipeline

[arya-girish-k]

/run pipeline

[arya-girish-k]

/run pipeline

[arya-girish-k]

/run pipeline

[arya-girish-k]

/run pipeline

[arya-girish-k]

/run pipeline

[Ak-sky]

Pipeline failing due to the below error but could not find any existing policy id 51eb33e6-22cf-46b5-9cb1-915a78079b9a in dev acc.

TestRunFSCloudExample 2024-12-02T05:57:50Z retry.go:99: Returning due to fatal error: FatalError{Underlying: error while running command: exit status 1; ╷
Error: [0m Error: [ERROR] Error creating authorization policy: The policy wasn't created because an access policy with identical attributes and roles already exists. Please update the rule in the existing policy (51eb33e6-22cf-46b5-9cb1-915a78079b9a), or update the one you're trying to assign to include a different attribute assignment. {

[Ak-sky]

/run pipeline

[Ak-sky]

Looks like PR will fail again as same auth policy is getting created, @arya-girish-k can you please check the logic once?

  + keys_check = {
      + key1 = {
          + instance       = "e6dce284-e80f-46e1-a3c1-830f7adff7a9"
          + kms_account_id = "abac0df06b644a9cabc6e44f55b3880e"
          + kms_key_id     = "76170fae-4e0c-48c3-8ebe-326059ebb533"
          + kms_scope      = "a/abac0df06b644a9cabc6e44f55b3880e"
          + kms_service    = "hs-crypto"
          + resource_type  = "key"
        }
      + key2 = {
          + instance       = "e6dce284-e80f-46e1-a3c1-830f7adff7a9"
          + kms_account_id = "abac0df06b644a9cabc6e44f55b3880e"
          + kms_key_id     = "76170fae-4e0c-48c3-8ebe-326059ebb533"
          + kms_scope      = "a/abac0df06b644a9cabc6e44f55b3880e"
          + kms_service    = "hs-crypto"
          + resource_type  = "key"
        }
    }

[Ak-sky]

@arya-girish-k, you need to see if backup_encryption_key_crn is same as kms_key_crn, then you do not need to create 2 auth policies but then you also need to check if same kms_key_crn is used as backup_encryption_key_crn then it should be supported in that region, refer below comment.

terraform-ibm-icd-postgresql/main.tf

Line 18 in 7ad7d55

# If no value passed for 'backup_encryption_key_crn' use the value of 'kms_key_crn' and perform validation of 'kms_key_crn' to check if region is supported by backup encryption key.

[arya-girish-k]

/run pipeline

[arya-girish-k]

Added a parser for KMS and backup encryption keys, along with an authorization policy resource for backup encryption. Also resolved pre-commit errors. Hence retriggering the pipeline.

[arya-girish-k]

/run pipeline

[arya-girish-k]

Pipeline(CRA scan) is failed because of this error

│ Error: Invalid count argument
│ 
│   on ../../main.tf line 107, in module "backup_kms_crn_parser":
│  107:   count   = local.create_backup_auth_policy
│ 
│ The "count" value depends on resource attributes that cannot be determined
│ until apply, so Terraform cannot predict how many instances will be
│ created. To work around this, use the -target argument to first apply only
│ the resources that the count depends on.
╵
Error: Process completed with exit code 1.```

[arya-girish-k]

Updated the validation code in main.tf .Hence retriggering the pipeline

[arya-girish-k]

/run pipeline

[arya-girish-k]

Resolved the pre-commit error .Re-triggering the pipeline.

[arya-girish-k]

/run pipeline

[arya-girish-k]

As expected, the upgrade test fails due to the re-creation of the auth policy, however since we are using create_before_destroy = true there will be no disruption to key access so skipping upgrade test.

    terraform.go:238: 
        	Error Trace:	/go/pkg/mod/github.com/terraform-ibm-modules/[email protected]/testhelper/terraform.go:238
        	            				/go/pkg/mod/github.com/terraform-ibm-modules/[email protected]/testhelper/tests.go:620
        	            				/__w/terraform-ibm-icd-postgresql/terraform-ibm-icd-postgresql/tests/pr_test.go:167
        	Error:      	Should be false
        	Test:       	TestRunStandardUpgradeSolution
        	Messages:   	Resource(s) identified to be destroyed 
        	            	Name: kms_policy
        	            	Address: module.postgresql_db.module.postgresql_db.ibm_iam_authorization_policy.kms_policy[0]
        	            	Actions: [create delete]
        	            	DIFF:
        	            	  Before: 
        	            		{"description":"Allow all ICD Postgres instances in the resource group 2be8e5c7879a43a4afdda20ab9c22852 to read from the hs-crypto instance GUID e6dce284-e80f-46e1-a3c1-830f7adff7a9","id":"72d17db0-bcc4-4971-b305-046b32b050a5","resource_attributes":"SECURE_VALUE_HIDDEN_HASH:-a234ec499736fd2e4a35bbcd3efb473fbc14095c4d280a404e866c82","source_resource_instance_id":"","source_resource_type":"","source_service_account":"abac0df06b644a9cabc6e44f55b3880e","subject_attributes":"SECURE_VALUE_HIDDEN_HASH:-816cc83ba3027c1b6e38e6d10ba26f5ab4fc2440c3d9d4cada474827","target_resource_group_id":"","target_resource_instance_id":"e6dce284-e80f-46e1-a3c1-830f7adff7a9","target_resource_type":"","target_service_name":"hs-crypto","transaction_id":"04212b8fdc95481cb6820bfa026b3050"}
        	            	  After: 
        	            		{"description":"Allow all ICD Postgres instances in the resource group 2be8e5c7879a43a4afdda20ab9c22852 to read from the hs-crypto instance GUID e6dce284-e80f-46e1-a3c1-830f7adff7a9.","resource_attributes":"SECURE_VALUE_HIDDEN_HASH:-7eed2c799fa6472bbda0c258329756e2de64dd8f51e7eccfb6ef1565"}
        	            	
        	            	Change Detail:
        	            	{
        	            	  "actions": [
        	            	    "create",
        	            	    "delete"
        	            	  ],
        	            	  "after": {
        	            	    "description": "Allow all ICD Postgres instances in the resource group 2be8e5c7879a43a4afdda20ab9c22852 to read from the hs-crypto instance GUID e6dce284-e80f-46e1-a3c1-830f7adff7a9.",
        	            	    "resource_attributes": "SECURE_VALUE_HIDDEN_HASH:-b23a09bc211fcf06d1380867f0e2074d43d6169d97768a0fb2713a00",
        	            	    "roles": "SECURE_VALUE_HIDDEN_HASH:-3cb87c221da77a9c9c8ff3d5189bb4a2ccf65a2371e5f3e2e5a2811a",
        	            	    "source_resource_group_id": "2be8e5c7879a43a4afdda20ab9c22852",
        	            	    "source_service_name": "databases-for-postgresql"
        	            	  },
        	            	  "after_sensitive": {
        	            	    "resource_attributes": [
        	            	      {},
        	            	      {},
        	            	      {},
        	            	      {},
        	            	      {}
        	            	    ],
        	            	    "roles": [
        	            	      false
        	            	    ],
        	            	    "subject_attributes": []
        	            	  },
        	            	  "after_unknown": {
        	            	    "id": true,
        	            	    "resource_attributes": [
        	            	      {},
        	            	      {},
        	            	      {},
        	            	      {},
        	            	      {}
        	            	    ],
        	            	    "roles": [
        	            	      false
        	            	    ],
        	            	    "source_resource_instance_id": true,
        	            	    "source_resource_type": true,
        	            	    "source_service_account": true,
        	            	    "subject_attributes": true,
        	            	    "target_resource_group_id": true,
        	            	    "target_resource_instance_id": true,
        	            	    "target_resource_type": true,
        	            	    "target_service_name": true,
        	            	    "transaction_id": true,
        	            	    "version": true
        	            	  },
        	            	  "before": {
        	            	    "description": "Allow all ICD Postgres instances in the resource group 2be8e5c7879a43a4afdda20ab9c22852 to read from the hs-crypto instance GUID e6dce284-e80f-46e1-a3c1-830f7adff7a9",
        	            	    "id": "72d17db0-bcc4-4971-b305-046b32b050a5",
        	            	    "resource_attributes": "SECURE_VALUE_HIDDEN_HASH:-a5c4ee6c0d4a1e17e7f5c45b5297384faa8219c066343c688f5fabbe",
        	            	    "roles": "SECURE_VALUE_HIDDEN_HASH:-2f925fe2e7d7359c571c3d64ba46b29ca34146c7045ffe96f4b72f5e",
        	            	    "source_resource_group_id": "2be8e5c7879a43a4afdda20ab9c22852",
        	            	    "source_resource_instance_id": "",
        	            	    "source_resource_type": "",
        	            	    "source_service_account": "abac0df06b644a9cabc6e44f55b3880e",
        	            	    "source_service_name": "databases-for-postgresql",
        	            	    "subject_attributes": "SECURE_VALUE_HIDDEN_HASH:-1e3043f6df230a786675f4428af787[2358](https://github.com/terraform-ibm-modules/terraform-ibm-icd-postgresql/actions/runs/12235974028/job/34128681519#step:7:2359)1512949ada66f5b35a08f8",
        	            	    "target_resource_group_id": "",
        	            	    "target_resource_instance_id": "e6dce284-e80f-46e1-a3c1-830f7adff7a9",
        	            	    "target_resource_type": "",
        	            	    "target_service_name": "hs-crypto",
        	            	    "transaction_id": "04212b8fdc95481cb6820bfa026b3050",
        	            	    "version": null
        	            	  },
        	            	  "before_sensitive": {
        	            	    "resource_attributes": [
        	            	      {},
        	            	      {},
        	            	      {}
        	            	    ],
        	            	    "roles": [
        	            	      false
        	            	    ],
        	            	    "subject_attributes": []
        	            	  },
        	            	  "replace_paths": [
        	            	    [
        	            	      "resource_attributes"
        	            	    ]
        	            	  ]
        	            	}

[arya-girish-k]

@Ak-sky ,TestRunFSCloudExample is failed because of version error.

    tests.go:742: 
        	Error Trace:	/go/pkg/mod/github.com/terraform-ibm-modules/[email protected]/testhelper/tests.go:742
        	            				/go/pkg/mod/github.com/terraform-ibm-modules/[email protected]/testhelper/tests.go:662
        	            				/__w/terraform-ibm-icd-postgresql/terraform-ibm-icd-postgresql/tests/pr_test.go:68
        	Error:      	Expected nil, but got: retry.FatalError{Underlying:(*shell.ErrWithCmdOutput)(0xc000152948)}
        	Test:       	TestRunFSCloudExample
        	Messages:   	Failed%!(EXTRA retry.FatalError=FatalError{Underlying: error while running command: exit status 1; ╷
        	            	│ Error: ---
        	            	│ id: terraform-23dab597
Error:  	            	│ summary: "1 error occurred:\n\t* [ERROR] The version in your configuration file (16)
        	            	│   does not match the version of your remote instance (). Make sure that you have the
        	            	│   same version in your configuration as the version on the remote instance. Learn
        	            	│   more about the versioning policy here: https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-versioning-policy
        	            	│   \n\n"
        	            	│ severity: error
        	            	│ resource: ibm_database
        	            	│ operation: CustomizeDiff
        	            	│ component:
        	            	│   name: github.com/IBM-Cloud/terraform-provider-ibm
        	            	│   version: 1.72.0
        	            	│ ---
        	            	│ 
        	            	│ 
        	            	│   with module.postgresql_db.module.postgresql_db.ibm_database.postgresql_db,
        	            	│   on ../../main.tf line 159, in resource "ibm_database" "postgresql_db":
        	            	│  159: resource "ibm_database" "postgresql_db" {
        	            	│ 
        	            	╵})

Tested the issue locally in two ways: first, by commenting out the pg_version in the test for the specific test case, which ran successfully; and second, by setting pg_version ="v16", which resulted in an error.

[arya-girish-k]

Provider version is updated .Re-triggering the pipeline.

[arya-girish-k]

/run pipeline

[maheshwarishikha]

we should say create_backup_kms_auth_policy

[maheshwarishikha]

We should use var.backup_encryption_key_crn in conditions instead of local.backup_encryption_key_crn
Then we may not require length(module.backup_kms_crn_parser) > 0

[arya-girish-k]

As suggested currently paused on working in this issue until the Elastic search PR is completed, as the same changes needs to be integrated into this one.

[ocofaigh]

@arya-girish-k The Elasticsearch PR has been merged, however it contains alot of refactoring work. In order to ensure consistency across our ICD modules / DA, we should make the same changes to Postgres. So I am re-assigning this issue to @jor2 who is already working on the refactoring work as part of #541