Requirement 1. We need to find a way to ensure that if any bucket configuration requires an authorization policy, NO buckets should be created until the policy is created.
All required authorization policies will be created in the buckets submodule instead of the main module. Since bucket creation starts in parallel, it won’t be possible to control the creation of authorization policies in the main module.
Requirement 2. We should also implement a fast fail mechanism if we detect that multiple buckets have skip_iam_authorization_policy set to false, as this would result in duplicate policy creation and failure.
Added validation to detect duplicate authorization policies. Policies are deemed duplicate if source_resource_instance_id (resource_instance_id) and target_resource_instance_id (kms_guid) are the same.
If duplicate authorization policies exist and the resource_instance_id is available at the plan phase (i.e., an existing COS instance is used), an error will be flagged during the plan phase. If a new COS instance is being created, validation will be deferred until the COS CRN is available during apply.
Caught while plan
Caught while apply
Release required?
[ ] No release
[x] Patch release (x.x.X)
[ ] Minor release (x.X.x)
[ ] Major release (X.x.x)
Release notes content
Fix timing issue with auth policy when creating multiple buckets with buckets submodule
Run the pipeline
If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.
Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:
/run pipeline
Checklist for reviewers
[ ] If relevant, a test for the change is included or updated with this PR.
[ ] If relevant, documentation for the change is included or updated with this PR.
For mergers
Use a conventional commit message to set the release level. Follow the guidelines.
Include information that users need to know about the PR in the commit message. The commit message becomes part of the GitHub release notes.
Description
Fixed timing issue with auth policy when creating multiple buckets with buckets submodule https://github.com/terraform-ibm-modules/terraform-ibm-cos/issues/573
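The duplicate check described in the PR text above can be sketched with a Terraform precondition, which is evaluated at plan when its inputs are known and deferred to apply when they are not. This is an added example, not the module's own code: the variable shape and the `terraform_data` guard resource are assumptions, and it requires Terraform 1.4 or later.

```hcl
# Added illustration; names below are hypothetical, not taken from the module.
variable "bucket_configs" {
  type = list(object({
    bucket_name                   = string
    resource_instance_id          = string
    kms_guid                      = optional(string)
    skip_iam_authorization_policy = optional(bool, false)
  }))
}

locals {
  # One "source|target" key per bucket that asks for an authorization policy.
  # Two buckets with the same key would try to create the same policy.
  policy_keys = [
    for b in var.bucket_configs :
    "${b.resource_instance_id}|${b.kms_guid}"
    if !b.skip_iam_authorization_policy && b.kms_guid != null
  ]
}

# Guard resource: creates nothing in the cloud, it only carries the check.
resource "terraform_data" "auth_policy_guard" {
  input = local.policy_keys

  lifecycle {
    precondition {
      # Known resource_instance_id (existing COS instance): fails at plan.
      # Unknown until apply (new COS instance): Terraform defers the check.
      condition     = length(local.policy_keys) == length(distinct(local.policy_keys))
      error_message = "More than one bucket requests the same COS-to-KMS authorization policy. Set skip_iam_authorization_policy = true on all but one of them."
    }
  }
}
```

Resources that create buckets can list the guard in `depends_on` so that no bucket is created before the check has passed.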