feat: Scope KMS policy to the exact KMS key

[arya-girish-k]

Description

Scope KMS policy to the exact KMS key
Git_issue.

Release required?

• No release
• Patch release (x.x.X)
• Minor release (x.X.x)
• Major release (X.x.x)

Release notes content

As part of addressing this issue,made the following modification:

1. Updated the KMS policy and added an additional policy for the HPCS key in the root module and DA.
2. Introduced a boolean variable is_hpcs_key to create the second policy.
3. Implemented a CRN parser to retrieve the kms_instance_guid from kms_key_crn_parser, removing the existing_kms_instance_guid.
4. Updated the validation

Run the pipeline

If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.

Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:

/run pipeline

Checklist for reviewers

• If relevant, a test for the change is included or updated with this PR.
• If relevant, documentation for the change is included or updated with this PR.

For mergers

• Use a conventional commit message to set the release level. Follow the guidelines.
• Include information that users need to know about the PR in the commit message. The commit message becomes part of the GitHub release notes.
• Use the Squash and merge option.

[ocofaigh]

@arya-girish-k any update on this?

[ocofaigh]

Lets forget about DA updates in this PR - the DA is being refactored in #300 and it will handle the DA updates

[ocofaigh]

see comments

[arya-girish-k]

1.Added two policies in the rootmodule and DA.
2.Added crn parser ,since retriving kms_instance_guid from kms_key_crn_parser,removed existing_kms_instance_guid.
3.Added boolean variable is_hpcs_key to create the second policy
4.Faced the below error while testing:

│   CreateNotificationsRegistrationWithContext failed Invalid authorization with Event Notifications instance 

Since it is Known error, removed this line in complete example.

[arya-girish-k]

/run pipeline

[arya-girish-k]

/run pipeline

[arya-girish-k]

As expected, the upgrade test fails due to the re-creation of the auth policy, however since we are using create_before_destroy = true there will be no disruption to key access so skipping upgrade test.

[arya-girish-k]

/run pipeline

[ocofaigh]

see final comments

[Aayush-Abhyarthi]

/run pipeline

[ocofaigh]

just realised we don't need the new boolean in the DA - we can parse the CRN (see comment)

[Aayush-Abhyarthi]

/run pipeline

[Aayush-Abhyarthi]

/run pipeline

[ocofaigh]

We seem to be missing logic in the module that verifies if is_hpcs_key is set to true, it matches the instance type in the kms_key_crn value. Can you add it please?

[Aayush-Abhyarthi]

/run pipeline

[terraform-ibm-modules-ops]

🎉 This PR is included in version 1.26.0 🎉

The release is available on:

• GitHub release
• v1.26.0

Your semantic-release bot 📦🚀