auth policy fixes

terraform-ibm-modules · ocofaigh · Nov 29, 2024 · Oct 29, 2024 · Oct 29, 2024 · Oct 29, 2024
commit 4639bc8f21168e9faa9afba67d0cc5356e1ef7c1
@@ -127,14 +127,12 @@ You need the following permissions to run this module.
 | [ibm_event_streams_topic.es_topic](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/event_streams_topic) | resource |
 | [ibm_iam_authorization_policy.es_s2s_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
-| [ibm_iam_authorization_policy.mirroring_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_resource_instance.es_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
 | [ibm_resource_key.service_credentials](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) | resource |
 | [ibm_resource_tag.es_access_tag](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_tag) | resource |
 | [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [time_sleep.wait_for_es_s2s_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [time_sleep.wait_for_kms_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
-| [time_sleep.wait_for_mirroring_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 
 ### Inputs
 

@@ -153,22 +153,6 @@ resource "time_sleep" "wait_for_kms_authorization_policy" {
   create_duration = "30s"
 }
 
-# Create s2s at service level for provisioning mirroring instance
-resource "ibm_iam_authorization_policy" "es_s2s_policy" {
-  count               = var.mirroring_enabled == false || var.skip_es_s2s_iam_authorization_policy ? 0 : 1
-  source_service_name = "messagehub"
-  target_service_name = "messagehub"
-  roles               = ["Reader"]
-  description         = "Required for provisioning mirroring instance."
-}
-
-# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
-resource "time_sleep" "wait_for_es_s2s_policy" {
-  depends_on = [ibm_iam_authorization_policy.es_s2s_policy]
-
-  create_duration = "30s"
-}
-
 # Parse GUID from source ES instance
 module "es_guid_crn_parser" {
   count   = var.mirroring_enabled ? 1 : 0
@@ -177,22 +161,20 @@ module "es_guid_crn_parser" {
   crn     = var.mirroring.source_crn
 }
 
-# Create IAM Authorization Policies to allow mirroring EN instance to access source EN instance
-resource "ibm_iam_authorization_policy" "mirroring_policy" {
-  depends_on                  = [ibm_resource_instance.es_instance]
-  count                       = var.mirroring_enabled ? 1 : 0
+# Create s2s at service level for provisioning mirroring instance
+resource "ibm_iam_authorization_policy" "es_s2s_policy" {
+  count                       = var.mirroring_enabled == false || var.skip_es_s2s_iam_authorization_policy ? 0 : 1
   source_service_name         = "messagehub"
-  source_resource_instance_id = ibm_resource_instance.es_instance.guid
+  source_resource_group_id    = var.resource_group_id
   target_service_name         = "messagehub"
   target_resource_instance_id = module.es_guid_crn_parser[0].service_instance
   roles                       = ["Reader"]
-  description                 = "Allow an Event Streams mirroring instance ${ibm_resource_instance.es_instance.guid} to read from the source Event Streams instance ${module.es_guid_crn_parser[0].service_instance}."
+  description                 = "Allow all Event Streams instances in the resource group ${var.resource_group_id} to read from the source Event Streams instance ${module.es_guid_crn_parser[0].service_instance}."
 }
 
 # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
-resource "time_sleep" "wait_for_mirroring_authorization_policy" {
-  count      = var.mirroring_enabled ? 1 : 0
-  depends_on = [ibm_iam_authorization_policy.mirroring_policy]
+resource "time_sleep" "wait_for_es_s2s_policy" {
+  depends_on = [ibm_iam_authorization_policy.es_s2s_policy]
 
   create_duration = "30s"
 }
@@ -250,7 +232,7 @@ locals {
 }
 
 resource "ibm_event_streams_mirroring_config" "es_mirroring_config" {
-  depends_on               = [ibm_resource_instance.es_instance, time_sleep.wait_for_mirroring_authorization_policy]
+  depends_on               = [ibm_resource_instance.es_instance]
   count                    = var.mirroring_enabled ? 1 : 0
   resource_instance_id     = ibm_resource_instance.es_instance.id
   mirroring_topic_patterns = var.mirroring_topic_patterns

@@ -91,7 +91,7 @@ func TestRunFSCloudExample(t *testing.T) {
 		/*
 		 Comment out the 'ResourceGroup' input to force this tests to create a unique resource group to ensure tests do
 		 not clash. This is due to the fact that an auth policy may already exist in this resource group since we are
-		 re-using a permanent HPCS instance. By using a new resource group, the auth policy will not already exist
+		 re-using a permanent HPCS instance and permanent Event Streams instance. By using a new resource group, the auth policy will not already exist
 		 since this module scopes auth policies by resource group.
 		*/
 		//ResourceGroup:      resourceGroup,