TechQA.

IBM Cloud and Terraform: How to identify keyring in ibm_iam_authorization_policy?

72 views Asked by At

I am using Terraform with IBM Cloud and wanted to create a service to service authorization with ibm_iam_authorization_policy.

I know how to create the policy between cloud-object-storage and kms in general. But how do I scope it to a specific key ring? I can do it in the IBM Cloud console, but haven't seen anything in the provider.

resource "ibm_iam_authorization_policy" "testpolicy" {
  source_resource_instance_id = data.ibm_resource_instance.cos_resource_instance.guid
  source_service_name = "cloud-object-storage"
  
  target_resource_instance_id = data.ibm_resource_instance.kms_resource_instance.guid
  target_service_name = "kms"

  roles               = ["Reader"]
  description         = "TF-based test"
}
ibm-cloud terraform-provider-ibm key-protect
Original Q&A
1

There are 1 answers

0
data_henrik On BEST ANSWER

Performing some more tests with the Policy Management API and then Terraform, the following seems to work:

resource "ibm_iam_authorization_policy" "team_testpolicy" {
  provider = ibm.team_account

  
  source_service_account = data.ibm_iam_account_settings.dev_iam_account_settings.account_id
  source_resource_instance_id = data.ibm_resource_instance.cos_resource_instance.guid
  source_service_name = "cloud-object-storage"

  resource_attributes {
        name     = "accountId"
        operator = "stringEquals"
        value    = data.ibm_iam_account_settings.team_iam_account_settings.account_id
  }

  resource_attributes {
        name     = "serviceName"
        operator = "stringEquals"
        value    = "kms"
  }
  resource_attributes {
              name = "serviceInstance"
              operator = "stringEquals"
              value = ibm_resource_instance.kms_instance.guid
  }
  resource_attributes {
              name = "keyRing"
              operator = "stringEquals"
              value = ibm_kms_key_rings.key_ring.key_ring_id
  }


  roles               = ["Reader"]
  description         = "reverse policy in other account"
}

Using resource_attributes with the name attribute keyRing creates the right authorization policy.

Related Questions in IBM-CLOUD

Related Questions in TERRAFORM-PROVIDER-IBM

Related Questions in KEY-PROTECT

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions