feat: Scope auth policy for flow logs to exact cos bucket<br><br>NOTE: When upgrading from a previous version, you will see a recreate of this auth policy, however new auth policy will be created before destroyed so there will be no disruption to everyday services (#941)

Author: vkuma17

main.tf

@@ -326,15 +326,47 @@ resource "ibm_is_public_gateway" "gateway" {
 # Add VPC to Flow Logs
 ##############################################################################
 
-# Create authorization policy to allow VPC to access COS instance
+# Create authorization policy to allow VPC to access COS Bucket
 resource "ibm_iam_authorization_policy" "policy" {
   count = (var.enable_vpc_flow_logs) ? ((var.create_authorization_policy_vpc_to_cos) ? 1 : 0) : 0
 
-  source_service_name         = "is"
-  source_resource_type        = "flow-log-collector"
-  target_service_name         = "cloud-object-storage"
-  target_resource_instance_id = var.existing_cos_instance_guid
-  roles                       = ["Writer"]
+  source_service_name  = "is"
+  source_resource_type = "flow-log-collector"
+  roles                = ["Writer"]
+
+  resource_attributes {
+    name     = "accountId"
+    operator = "stringEquals"
+    value    = data.ibm_iam_account_settings.iam_account_settings.account_id
+  }
+
+  resource_attributes {
+    name     = "serviceName"
+    operator = "stringEquals"
+    value    = "cloud-object-storage"
+  }
+
+  resource_attributes {
+    name     = "serviceInstance"
+    operator = "stringEquals"
+    value    = var.existing_cos_instance_guid
+  }
+
+  resource_attributes {
+    name     = "resourceType"
+    operator = "stringEquals"
+    value    = "bucket"
+  }
+
+  resource_attributes {
+    name     = "resource"
+    operator = "stringEquals"
+    value    = var.existing_storage_bucket_name
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 # Create VPC flow logs collector

solutions/fully-configurable/main.tf

@@ -33,7 +33,7 @@ locals {
   kms_service_name                         = var.kms_encryption_enabled_bucket ? (length(module.existing_kms_key_crn_parser) > 0 ? module.existing_kms_key_crn_parser[0].service_name : module.existing_kms_instance_crn_parser[0].service_name) : null
   cos_kms_key_crn                          = var.kms_encryption_enabled_bucket ? (length(module.existing_kms_key_crn_parser) > 0 ? var.existing_flow_logs_bucket_kms_key_crn : module.kms[0].keys[format("%s.%s", local.kms_key_ring_name, local.kms_key_name)].crn) : null
   create_cos_kms_iam_auth_policy           = var.enable_vpc_flow_logs && var.kms_encryption_enabled_bucket && !var.skip_cos_kms_iam_auth_policy
-  create_cross_account_cos_kms_auth_policy = (local.create_cos_kms_iam_auth_policy && var.ibmcloud_kms_api_key == null) ? false : (local.cos_account_id != local.kms_account_id)
+  create_cross_account_cos_kms_auth_policy = (local.create_cos_kms_iam_auth_policy && var.ibmcloud_kms_api_key == null) ? false : (local.kms_account_id != null ? (local.cos_account_id != local.kms_account_id) : false)
 
   # configuration for the flow logs bucket
   bucket_config = [{
@@ -43,7 +43,7 @@ locals {
     kms_encryption_enabled        = var.kms_encryption_enabled_bucket
     kms_guid                      = local.kms_guid
     kms_key_crn                   = local.cos_kms_key_crn
-    skip_iam_authorization_policy = local.create_cross_account_cos_kms_auth_policy || var.skip_cos_kms_iam_auth_policy
+    skip_iam_authorization_policy = local.create_cross_account_cos_kms_auth_policy || !local.create_cos_kms_iam_auth_policy
     management_endpoint_type      = var.management_endpoint_type_for_bucket
     storage_class                 = var.cos_bucket_class
     resource_instance_id          = var.existing_cos_instance_crn