terraform-ibm-modules / terraform-ibm-secrets-manager

This module creates a Secrets Manager instance
Apache License 2.0

feat: support for cross account auth policy creation #147

Closed Soaib024 closed 3 months ago

Soaib024 commented 3 months ago

Description

https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/issues/138

Release required?

Release notes content

support for cross account s2s policy creation

Run the pipeline

If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.

Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:

/run pipeline

Checklist for reviewers

For mergers

Soaib024 commented 3 months ago

/run pipeline

Soaib024 commented 3 months ago

I have resolved the comments but will wait for this PR to be approved so that these can be made consistent.

Soaib024 commented 3 months ago

/run pipeline

Soaib024 commented 3 months ago

/run pipeline

Soaib024 commented 3 months ago

I do not see any updates in PRs similar to this one, so I am requesting a re-review.

The major difference between this and other PRs is that those PRs do not have the 30-second wait time workaround for the auth policy. I am not sure if this is required when it is a cross-account policy.

@ocofaigh @shemau

Soaib024 commented 3 months ago

/run pipeline

SirSpidey commented 3 months ago

Let's make it clear in the skip_kms_iam_authorization_policy variable description that if a value is passed for ibmcloud_kms_api_key, the auth policy will be created in the KMS account.


This? We have similar in SCC and COS now.

Does this also need a statement about needing that auth policy "before XXX ..."?

"Whether to create an IAM authorization policy that permits the Secrets Manager instance to read the encryption key from the Key Protect or Hyper Protect Crypto Service instance (the KMS). Set to true to avoid creating the policy. An authorization policy must exist before XXX can be created. If set to false, specify a value for the KMS instance in existing_kms_instance_crn. If a value is specified for ibmcloud_kms_api_key, the policy is created in the KMS account."

Will need to be updated in a few files:

"Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing_kms_instance_guid variable. In addition, no policy is created if kms_encryption_enabled is set to false."

"Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key. If set to false, pass in a value for the Key Protect or Hyper Protect Crypto Service instance in the existing_kms_instance_crn variable."
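The behaviour the two comments above are describing (the authorization policy optionally created in a different account via ibmcloud_kms_api_key, and the wait before the Secrets Manager instance so the policy is in place first) can be sketched as the following Terraform fragment. This is an added illustration written for this page, not the module's own main.tf or the code in this PR. It assumes variable names matching the discussion (skip_kms_iam_authorization_policy, ibmcloud_kms_api_key, ibmcloud_api_key, existing_kms_instance_guid, existing_kms_instance_crn, kms_key_crn, resource_group_id, region), assumes the Secrets Manager account GUID is known as var.source_account_id, and assumes the Secrets Manager instance takes its key as a kms_key_crn parameter; the aliased provider, time_sleep resource and ibm_iam_authorization_policy arguments are real provider features, but their use here is hypothetical.

```hcl
# Added example (hypothetical), not the module's code.
# Two providers: the default one for the account that owns the Secrets Manager
# instance, and an alias for the account that owns the KMS instance. When no
# separate KMS key is supplied, the alias falls back to the main API key, so the
# policy lands in the same account and the code path is identical.
provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = var.region
}

provider "ibm" {
  alias            = "kms"
  ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key
  region           = var.region
}

# Authorization policy: Secrets Manager (source, in this account's resource group)
# may read the encryption key from the KMS instance (target). Created via the
# aliased provider, so it is written into whichever account ibmcloud_kms_api_key
# belongs to. For the cross-account case the policy must also name the source
# account, otherwise the target account would bind it to its own Secrets Manager
# instances rather than ours.
resource "ibm_iam_authorization_policy" "kms_policy" {
  count    = var.skip_kms_iam_authorization_policy ? 0 : 1
  provider = ibm.kms

  source_service_name         = "secrets-manager"
  source_resource_group_id    = var.resource_group_id
  source_service_account      = var.source_account_id # assumed input: GUID of the SM account
  target_service_name         = "kms"                 # Key Protect; hs-crypto for HPCS
  target_resource_instance_id = var.existing_kms_instance_guid
  roles                       = ["Reader"]
  description                 = "Allow Secrets Manager instances in RG ${var.resource_group_id} to read the KMS key"
}

# IAM policy propagation is not instantaneous; the PR discussion mentions a
# 30-second wait workaround. The sleep only exists when the policy is created,
# and the instance depends on it so the policy is in place before provisioning.
resource "time_sleep" "wait_for_authorization_policy" {
  count           = var.skip_kms_iam_authorization_policy ? 0 : 1
  depends_on      = [ibm_iam_authorization_policy.kms_policy]
  create_duration = "30s"
}

resource "ibm_resource_instance" "secrets_manager" {
  depends_on        = [time_sleep.wait_for_authorization_policy]
  name              = var.secrets_manager_name
  service           = "secrets-manager"
  plan              = "standard"
  location          = var.region
  resource_group_id = var.resource_group_id
  parameters = {
    "kms_key_crn" = var.kms_key_crn # assumed parameter name for the BYOK key
  }
}
```

Two points worth checking before adopting a pattern like this: the provider meta-argument on a resource cannot itself be conditional, which is why a single alias with an API-key fallback is used rather than two resources; and the KMS-side principal running the plan needs authority to create authorization policies in that account, which is a different permission set from the one that creates the Secrets Manager instance.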

Soaib024 commented 3 months ago

/run pipeline

SirSpidey commented 3 months ago

I'll wait for Conall's review and then review the "final" descriptions.

ocofaigh commented 3 months ago

/run pipeline

terraform-ibm-modules-ops commented 3 months ago

:tada: This PR is included in version 1.15.0 :tada:

The release is available on:

Your semantic-release bot :package::rocket: