Closed: Mallear closed this issue 4 years ago
I think the way the authorization policy is defined here is wrong: the source should be Key Protect and the destination should be the database.
That's not how I understand the console; database services are not available as target services:
Maybe this issue needs to be taken up with the respective service teams. Even from the UI or CLI you see the same behavior, where the user needs to create an authorization policy from all database instances to Key Protect.
Given the help popup, it seems the source service is the service which needs to access the target service, so the database service is the source and KP is the target. Seems fair to me.
So the only solution I see to deploy a database encrypted with a KP key is to give the whole database service access to my key instead of specifying the database instance. That will be OK, but I think it's a lack of security.
Closing this issue based on the discussion.
Yep, having the same issue with the circular dependency. I did solve it the same way you have, and Terraform builds the resources, but the database service does not use the provided key.
Why is this issue closed, when the bug is clearly present and no secure solution is provided?
Based on the above discussion, does your template have an authorization policy defined for the database service? Can you share your sample configuration?
```hcl
# Key Protect (KMS) instance that will hold the root key.
resource "ibm_resource_instance" "kp_instance" {
  name     = "mykey"
  service  = "kms"
  plan     = "tiered-pricing"
  location = "us-south"
}

# Root key (standard_key = false) used for envelope encryption of the database.
resource "ibm_kp_key" "test" {
  key_protect_id = ibm_resource_instance.kp_instance.guid
  key_name       = "mykey"
  standard_key   = false
  force_delete   = true
}

# Service-to-service authorization: every databases-for-postgresql instance in the
# account may read keys in every KMS instance. No database instance is referenced,
# so there is no dependency cycle, but the grant is account-wide.
resource "ibm_iam_authorization_policy" "policy" {
  source_service_name = "databases-for-postgresql"
  target_service_name = "kms"
  roles               = ["Reader"]
}

resource "ibm_database" "test" {
  name                         = "harini"
  service                      = "databases-for-postgresql"
  plan                         = "standard"
  location                     = "us-south"
  members_memory_allocation_mb = 4096
  members_disk_allocation_mb   = 14336
  members_cpu_allocation_count = 8
  service_endpoints            = "public-and-private"
  key_protect_instance         = ibm_resource_instance.kp_instance.id
  key_protect_key              = ibm_kp_key.test.id
}
```
Terraform Version
Terraform v0.12.21 ibm provider v1.2.1
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
Database created with encryption based on given Key Protect key on first deployment.
Actual Behavior
IBM Provider fails to create database.
Error: Error creating database instance: Request failed with status code: 400, ServerErrorResponse: {"error_code":"RC-ServiceBrokerErrorResponse","message":"Service Broker returned error status code 500","details":"{\"errors\":\"internal_server_error\"}","status_code":400,"transaction_id":"bss-18e96243365a2453"}
We need to deploy the database, the key and the authorization policy first, and THEN update the database to set the encryption using the Key Protect key.
Steps to Reproduce
Deploying given Terraform Configuration Files.
A first workaround is to grant access to my key to all instances of database-for-postgresql by using: But I don't want all my DBs to be able to access other DBs' keys.
[edit] The Terraform log gave me a hint:
Error: Cycle: module.database.ibm_iam_authorization_policy.postgres_authorize_policy, module.database.ibm_database.database
But is there a way to make it work?
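As an added example (not the reporter's configuration, not the maintainer's sample above, and not taken from the IBM provider documentation), here is the same set of resources from the posted sample with two changes that address the cycle and the "whole service gets my key" concern without referencing the database instance from the policy: the authorization is narrowed to the single Key Protect instance, and the database is made to wait explicitly for the policy. It assumes that the `ibm_iam_authorization_policy` resource in the provider version being used accepts `target_resource_instance_id`; resource names are the ones from the sample above.

```hcl
# Added example, not the issue's own configuration. Assumes the IBM provider in use
# supports target_resource_instance_id on ibm_iam_authorization_policy.

resource "ibm_resource_instance" "kp_instance" {
  name     = "mykey"
  service  = "kms"
  plan     = "tiered-pricing"
  location = "us-south"
}

resource "ibm_kp_key" "test" {
  key_protect_id = ibm_resource_instance.kp_instance.guid
  key_name       = "mykey"
  standard_key   = false   # root key, required for envelope encryption
  force_delete   = true
}

# Source is the consuming service (databases-for-postgresql), target is KMS.
# target_resource_instance_id limits the grant to this one Key Protect instance
# instead of every KMS instance in the account. The policy still does not
# reference the database instance, so Terraform sees no dependency cycle.
resource "ibm_iam_authorization_policy" "policy" {
  source_service_name         = "databases-for-postgresql"
  target_service_name         = "kms"
  target_resource_instance_id = ibm_resource_instance.kp_instance.guid
  roles                       = ["Reader"]
}

resource "ibm_database" "test" {
  name                         = "harini"
  service                      = "databases-for-postgresql"
  plan                         = "standard"
  location                     = "us-south"
  members_memory_allocation_mb = 4096
  members_disk_allocation_mb   = 14336
  members_cpu_allocation_count = 8
  service_endpoints            = "public-and-private"
  key_protect_instance         = ibm_resource_instance.kp_instance.id
  key_protect_key              = ibm_kp_key.test.id

  # Nothing in this block references the policy, so without depends_on Terraform
  # may create the database before (or in parallel with) the authorization, and
  # the provisioning call that needs the key can run before the grant exists.
  depends_on = [ibm_iam_authorization_policy.policy]
}
```

The remaining limitation is the one the thread identifies: the grant is still per Key Protect instance, not per database instance, so every PostgreSQL deployment in the account can use keys in that one KMS instance. Keeping a dedicated Key Protect instance per workload keeps that blast radius small; a policy scoped to the database instance itself would reintroduce the cycle, since the instance ID does not exist until the database is created.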