Closed ocofaigh closed 1 month ago
/run pipeline
/run pipeline
/run pipeline
/run pipeline
/run pipeline
As expected, the upgrade test fails due to the re-creation of the auth policy; however, since we are using create_before_destroy = true, there will be no disruption to key access, so skipping upgrade test.
Messages: Resource(s) identified to be destroyed
Name: policy
Address: module.cos_bucket1.ibm_iam_authorization_policy.policy[0]
Actions: [create delete]
DIFF:
Before:
{"description":"Allow the COS instance with GUID 590d4995-34cc-4381-ae42-2b1c147dc3d8 reader access to the kms instance GUID 8794dc95-6977-43c7-a027-3586a9cfebfd","id":"8988a78f-0c24-4d63-b424-69ebfbe01a8d","resource_attributes":"SECURE_VALUE_HIDDEN_HASH:-545edab1d5168d493ebb23d0c7c80b09d8233770d543e7157f616e0a","source_resource_group_id":"","source_resource_type":"","source_service_account":"abac0df06b644a9cabc6e44f55b3880e","subject_attributes":"SECURE_VALUE_HIDDEN_HASH:-c2ac0584fd5b5bebd8cdf04e5023c6e84271dec96cf119338b62f37c","target_resource_group_id":"","target_resource_instance_id":"8794dc95-6977-43c7-a027-3586a9cfebfd","target_resource_type":"","target_service_name":"kms","transaction_id":"4bb61b63d0e948db8e09ef4708b6cc39"}
After:
{"description":"Allow the COS instance 590d4995-34cc-4381-ae42-2b1c147dc3d8 to read the kms key 5d9458e6-8b2b-4fb6-b128-c8fac76e3be3 from the instance 8794dc95-6977-43c7-a027-3586a9cfebfd","resource_attributes":"SECURE_VALUE_HIDDEN_HASH:-7c74d87519f13fe49bd29004eb04bdc1ff8b402a498c89ca91f971c5"}
Change Detail:
{
"actions": [
"create",
"delete"
],
"after": {
"description": "Allow the COS instance 590d4995-34cc-4381-ae42-2b1c147dc3d8 to read the kms key 5d9458e6-8b2b-4fb6-b128-c8fac76e3be3 from the instance 8794dc95-6977-43c7-a027-3586a9cfebfd",
"resource_attributes": "SECURE_VALUE_HIDDEN_HASH:-c90dcf9626e20ba028e624e205ef433f46c3ed0df6c790eceb1e8329",
"roles": "SECURE_VALUE_HIDDEN_HASH:-93c7463038accfb0bd4348150239e058934ceedbf54dc749e45ee499",
"source_resource_instance_id": "590d4995-34cc-4381-ae42-2b1c147dc3d8",
"source_service_name": "cloud-object-storage"
},
"after_sensitive": {
"resource_attributes": "SECURE_VALUE_HIDDEN_HASH:-ea363a1baecc424b453c4929799ff7239548596d7af4de80ec11f5c0",
"roles": "SECURE_VALUE_HIDDEN_HASH:-db30a8deb6403e4b80e54a61af5be23d0526702837d0fb71dd9334b0",
"subject_attributes": "SECURE_VALUE_HIDDEN_HASH:-06ed15af1f2d0d472fcf2945660aa76d693717ab675f8fe0340a44e5"
},
"after_unknown": {
"id": true,
"resource_attributes": "SECURE_VALUE_HIDDEN_HASH:-dee2a7af8167f4d7d587e677745a54d41af3f4c62de4fcc8661760ad",
"roles": "SECURE_VALUE_HIDDEN_HASH:-6bb8e2ac1fcf24a9689e464eafbbd5913f9289579e1b7c25f180db40",
"source_resource_group_id": true,
"source_resource_type": true,
"source_service_account": true,
"subject_attributes": "SECURE_VALUE_HIDDEN_HASH:-9a96d45624c97887f3546333ba726f0211ca9fb1310223da742ca30d",
"target_resource_group_id": true,
"target_resource_instance_id": true,
"target_resource_type": true,
"target_service_name": true,
"transaction_id": true,
"version": true
},
"before": {
"description": "Allow the COS instance with GUID 590d4995-34cc-4381-ae42-2b1c147dc3d8 reader access to the kms instance GUID 8794dc95-6977-43c7-a027-3586a9cfebfd",
"id": "8988a78f-0c24-4d63-b424-69ebfbe01a8d",
"resource_attributes": "SECURE_VALUE_HIDDEN_HASH:-f1eeb70700a3543fefbd63a26fa58db91d9dfc982409b6fd7d5901e9",
"roles": "SECURE_VALUE_HIDDEN_HASH:-d37d85cc9c709b57789403b6b398341d0a84635d978e6dc414cb1c05",
"source_resource_group_id": "",
"source_resource_instance_id": "590d4995-34cc-4381-ae42-2b1c147dc3d8",
"source_resource_type": "",
"source_service_account": "abac0df06b644a9cabc6e44f55b3880e",
"source_service_name": "cloud-object-storage",
"subject_attributes": "SECURE_VALUE_HIDDEN_HASH:-6d93f91b613b3f98f15aae627afe7b6c556d06805a605117238fa0e8",
"target_resource_group_id": "",
"target_resource_instance_id": "8794dc95-6977-43c7-a027-3586a9cfebfd",
"target_resource_type": "",
"target_service_name": "kms",
"transaction_id": "4bb61b63d0e948db8e09ef4708b6cc39",
"version": null
},
"before_sensitive": {
"resource_attributes": "SECURE_VALUE_HIDDEN_HASH:-7b5beaf30ca52539617191eabcaef9afd273b70fc106033d8664f780",
"roles": "SECURE_VALUE_HIDDEN_HASH:-6e49f1c7c392a9ec504b5b86e837fe98fd7eab96e0c553f3b0270660",
"subject_attributes": "SECURE_VALUE_HIDDEN_HASH:-dc24c48faff9152ac1c60010b98f398c7cc065f03e4e3d3c03ba65a6"
},
"replace_paths": [
[
"resource_attributes"
]
]
}
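A CI check in the spirit of the comment above, added here as an example and not part of the PR or the module's test suite: it reads Terraform plan JSON and separates create-before-destroy replacements of authorization policies (actions `["create", "delete"]`, as in this output) from delete-first ones. The sample plan is constructed, and the function names are hypothetical.

```python
import json

POLICY_TYPE = "ibm_iam_authorization_policy"

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Entry 1 mirrors the change reported above; entries 2 and 3 use
# hypothetical addresses.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.cos_bucket1.ibm_iam_authorization_policy.policy[0]",
   "type": "ibm_iam_authorization_policy",
   "change": {"actions": ["create", "delete"],
              "replace_paths": [["resource_attributes"]]}},
  {"address": "ibm_iam_authorization_policy.example",
   "type": "ibm_iam_authorization_policy",
   "change": {"actions": ["delete", "create"],
              "replace_paths": [["roles"]]}},
  {"address": "ibm_cos_bucket.example",
   "type": "ibm_cos_bucket",
   "change": {"actions": ["update"]}}
]}
""")

def verdict(actions):
    """Map a plan's ordered action list to its effect on the grant."""
    if actions == ["create", "delete"]:
        return "replace-create-first"   # new policy is created before the old one is deleted
    if actions == ["delete", "create"]:
        return "replace-delete-first"   # window with no policy in place
    if actions == ["delete"]:
        return "delete"                 # grant removed outright
    return "no-removal"

def review_plan(plan, resource_type=POLICY_TYPE):
    """List every change that removes an existing policy of the given type."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        v = verdict(change.get("actions", []))
        if rc.get("type") != resource_type or v == "no-removal":
            continue
        paths = [".".join(map(str, p)) for p in change.get("replace_paths") or []]
        findings.append({"address": rc["address"], "verdict": v, "replace_paths": paths})
    return findings

def has_access_gap(plan):
    """True if any policy is removed without its replacement created first."""
    return any(f["verdict"] != "replace-create-first" for f in review_plan(plan))

if __name__ == "__main__":
    for f in review_plan(SAMPLE_PLAN):
        print(f)
```

Failing the pipeline only when `has_access_gap` returns true lets a replacement like the one in this PR pass while still stopping a policy that would be deleted before its successor exists.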
/run pipeline
:tada: This PR is included in version 8.14.0 :tada:
The release is available on:
v8.14.0
Your semantic-release bot :package::rocket:
Description
Updated the KMS auth policy so it's scoped to the exact KMS key (https://github.com/terraform-ibm-modules/terraform-ibm-cos/issues/758). This will recreate the auth policy, but it won't be disruptive, as I have used create_before_destroy = true.
Release required?
x.x.X
x.X.x
X.x.x
Release notes content
Run the pipeline
If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.
Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text: