Tags: ibm-cloud, terraform-provider-ibm, key-protect

IBM Cloud and Terraform: How to identify keyring in ibm_iam_authorization_policy?


I am using Terraform with IBM Cloud and wanted to create a service-to-service authorization with ibm_iam_authorization_policy.

I know how to create the policy between cloud-object-storage and kms in general. But how do I scope it to a specific key ring? I can do it in the IBM Cloud console, but haven't seen anything in the provider.

resource "ibm_iam_authorization_policy" "testpolicy" {
  # source: the COS instance that needs to read keys
  source_resource_instance_id = data.ibm_resource_instance.cos_resource_instance.guid
  source_service_name         = "cloud-object-storage"

  # target: the whole Key Protect (kms) instance, not a specific key ring
  target_resource_instance_id = data.ibm_resource_instance.kms_resource_instance.guid
  target_service_name         = "kms"

  roles       = ["Reader"]
  description = "TF-based test"
}

Solution

  • Performing some more tests with the Policy Management API and then Terraform, the following seems to work:

    resource "ibm_iam_authorization_policy" "team_testpolicy" {
      # the policy is created in the account that owns the Key Protect instance
      provider = ibm.team_account

      # source: the COS instance living in the other (dev) account
      source_service_account      = data.ibm_iam_account_settings.dev_iam_account_settings.account_id
      source_resource_instance_id = data.ibm_resource_instance.cos_resource_instance.guid
      source_service_name         = "cloud-object-storage"

      # target is described with resource_attributes instead of target_*,
      # which allows narrowing it down to a single key ring
      resource_attributes {
        name     = "accountId"
        operator = "stringEquals"
        value    = data.ibm_iam_account_settings.team_iam_account_settings.account_id
      }

      resource_attributes {
        name     = "serviceName"
        operator = "stringEquals"
        value    = "kms"
      }

      resource_attributes {
        name     = "serviceInstance"
        operator = "stringEquals"
        value    = ibm_resource_instance.kms_instance.guid
      }

      resource_attributes {
        name     = "keyRing"
        operator = "stringEquals"
        value    = ibm_kms_key_rings.key_ring.key_ring_id
      }

      roles       = ["Reader"]
      description = "reverse policy in other account"
    }
    

    Using resource_attributes with the name attribute keyRing creates the right authorization policy.
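The answer above shows the cross-account variant. The following is an added, complete example for the single-account case the question originally asked about (COS and Key Protect in the same account); it is not code from the original post. It assumes the same four resource_attributes names the answer uses (accountId, serviceName, serviceInstance, keyRing), an existing COS instance named "my-cos-instance" and a Key Protect instance named "my-key-protect-instance" in region us-south, and a globally unique bucket name; all of those names are placeholders. It also creates the key ring and a root key inside it, and a bucket that uses that key, so that you can confirm end to end that COS can reach a key in the ring and nothing else in the instance.

```hcl
terraform {
  required_providers {
    ibm = {
      source = "IBM-Cloud/ibm"
    }
  }
}

provider "ibm" {
  region = "us-south" # assumed region
}

# Assumed: both instances already exist in the same account
data "ibm_resource_instance" "cos_resource_instance" {
  name    = "my-cos-instance" # placeholder instance name
  service = "cloud-object-storage"
}

data "ibm_resource_instance" "kms_resource_instance" {
  name    = "my-key-protect-instance" # placeholder instance name
  service = "kms"
}

data "ibm_iam_account_settings" "iam_account_settings" {}

# A dedicated key ring; the policy below only reaches keys in this ring
resource "ibm_kms_key_rings" "cos_ring" {
  instance_id = data.ibm_resource_instance.kms_resource_instance.guid
  key_ring_id = "cos-bucket-keys" # placeholder ring id
}

# A root key created inside that ring (standard_key = false means root key)
resource "ibm_kms_key" "cos_root_key" {
  instance_id  = data.ibm_resource_instance.kms_resource_instance.guid
  key_name     = "cos-root-key" # placeholder key name
  key_ring_id  = ibm_kms_key_rings.cos_ring.key_ring_id
  standard_key = false
}

# Authorization: COS (source) gets Reader on Key Protect (target), but only
# for the key ring above rather than for every key in the instance.
# Note that target_* arguments are not used together with resource_attributes.
resource "ibm_iam_authorization_policy" "cos_to_kms_ring" {
  source_service_name         = "cloud-object-storage"
  source_resource_instance_id = data.ibm_resource_instance.cos_resource_instance.guid

  resource_attributes {
    name     = "accountId"
    operator = "stringEquals"
    value    = data.ibm_iam_account_settings.iam_account_settings.account_id
  }
  resource_attributes {
    name     = "serviceName"
    operator = "stringEquals"
    value    = "kms"
  }
  resource_attributes {
    name     = "serviceInstance"
    operator = "stringEquals"
    value    = data.ibm_resource_instance.kms_resource_instance.guid
  }
  resource_attributes {
    name     = "keyRing"
    operator = "stringEquals"
    value    = ibm_kms_key_rings.cos_ring.key_ring_id
  }

  roles       = ["Reader"]
  description = "COS may use only keys in key ring cos-bucket-keys"
}

# A bucket encrypted with the root key. depends_on makes sure the policy
# exists before COS tries to reach Key Protect during bucket creation.
resource "ibm_cos_bucket" "encrypted" {
  bucket_name          = "my-encrypted-bucket-example" # placeholder, must be globally unique
  resource_instance_id = data.ibm_resource_instance.cos_resource_instance.id
  region_location      = "us-south"
  storage_class        = "standard"
  key_protect          = ibm_kms_key.cos_root_key.crn

  depends_on = [ibm_iam_authorization_policy.cos_to_kms_ring]
}
```

After `terraform apply`, `ibmcloud iam authorization-policies` lists the policy; the target shows the serviceInstance and keyRing attributes rather than a bare instance, which is the quick way to check that the scope really was narrowed. The practical value of the keyRing attribute is least privilege: a root key created in any other ring of the same instance (including the default ring) stays unreachable to COS, so putting a key there, or moving the bucket to it, fails until the policy is extended. If you drop the keyRing block the policy silently falls back to instance-wide Reader, so keep it in code review as the line that matters.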