fix: auth policy logic update

README.md

@@ -124,6 +124,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Key Protect instance in which the key specified in var.kms\_key\_crn is coming from. | `string` | `null` | no |
 | <a name="input_instance_name"></a> [instance\_name](#input\_instance\_name) | Name to of the new data engine instance | `string` | n/a | yes |
+| <a name="input_kms_encryption_enabled"></a> [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud® Databases. If set to false, the data is encrypted by using randomly generated keys. For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs | `bool` | `false` | no |
 | <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Service like Key Protect that you want to use for disk encryption. If null, database is encrypted by using randomly generated keys. See https://cloud.ibm.com/docs/sql-query?topic=sql-query-keyprotect | `string` | `null` | no |
 | <a name="input_kms_region"></a> [kms\_region](#input\_kms\_region) | (Optional) The region where key protect is deployed | `string` | `"us-south"` | no |
 | <a name="input_plan"></a> [plan](#input\_plan) | The plan for the Data engine instance. Standard or lite. | `string` | `"lite"` | no |

main.tf

@@ -6,12 +6,12 @@ locals {
  enable_user_managed_encryption = var.plan == "standard" && var.existing_kms_instance_guid != null && var.kms_key_crn != null && var.kms_region != null
 
  # tflint-ignore: terraform_unused_declarations
- validate_skip_iam_authorization_policy = var.skip_iam_authorization_policy == false && (var.kms_key_crn == null || var.existing_kms_instance_guid == null) ? tobool("When var.skip_iam_authorization_policy is set to false, a value must be passed for var.existing_kms_instance_guid and var.kms_key_crn. Alternatively, if opting to use default encryption, set var.skip_iam_authorization_policy to true to skip creating any KMS auth policy creation.") : true
+ validate_auth_policy = var.kms_encryption_enabled && var.skip_iam_authorization_policy == false && var.existing_kms_instance_guid == null ? tobool("When var.skip_iam_authorization_policy is set to false, and var.kms_encryption_enabled to true, a value must be passed for var.existing_kms_instance_guid in order to create the auth policy.") : true
 
 }
 
 resource "ibm_iam_authorization_policy" "kms_policy" {
- count = var.skip_iam_authorization_policy ? 0 : 1
+ count = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1
  source_service_name = "sql-query"
  source_resource_group_id = var.resource_group_id
  target_service_name = "kms"

module-metadata.json

@@ -10,7 +10,7 @@
  ],
  "pos": {
  "filename": "variables.tf",
- "line": 63
+ "line": 69
  },
  "immutable": true,
  "computed": true
@@ -28,13 +28,26 @@
  "line": 12
  }
  },
+ "kms_encryption_enabled": {
+ "name": "kms_encryption_enabled",
+ "type": "bool",
+ "description": "Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud® Databases. If set to false, the data is encrypted by using randomly generated keys. For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs",
+ "default": false,
+ "source": [
+ "ibm_iam_authorization_policy.kms_policy.count"
+ ],
+ "pos": {
+ "filename": "variables.tf",
+ "line": 51
+ }
+ },
  "kms_key_crn": {
  "name": "kms_key_crn",
  "type": "string",
  "description": "The root key CRN of a Key Management Service like Key Protect that you want to use for disk encryption. If null, database is encrypted by using randomly generated keys. See https://cloud.ibm.com/docs/sql-query?topic=sql-query-keyprotect",
  "pos": {
  "filename": "variables.tf",
- "line": 69
+ "line": 75
  }
  },
  "kms_region": {
@@ -44,7 +57,7 @@
  "default": "us-south",
  "pos": {
  "filename": "variables.tf",
- "line": 57
+ "line": 63
  }
  },
  "plan": {
@@ -112,12 +125,9 @@
  "type": "bool",
  "description": "Set to true to skip the creation of an IAM authorization policy that permits all Data Engine instances in the given resource group to read the encryption key from the KMS instance provided in 'existing_kms_instance_guid'",
  "default": true,
- "source": [
- "ibm_iam_authorization_policy.kms_policy.count"
- ],
  "pos": {
  "filename": "variables.tf",
- "line": 51
+ "line": 57
  }
  },
  "tags": {
@@ -183,7 +193,7 @@
  "type": "ibm_iam_authorization_policy",
  "name": "kms_policy",
  "attributes": {
- "count": "skip_iam_authorization_policy",
+ "count": "kms_encryption_enabled",
  "source_resource_group_id": "resource_group_id",
  "target_resource_instance_id": "existing_kms_instance_guid"
  },

variables.tf

@@ -48,6 +48,12 @@ variable "service_endpoints" {
  }
 }
 
+variable "kms_encryption_enabled" {
+ type = bool
+ description = "Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud® Databases. If set to false, the data is encrypted by using randomly generated keys. For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs"
+ default = false
+}
+
 variable "skip_iam_authorization_policy" {
  type = bool
  description = "Set to true to skip the creation of an IAM authorization policy that permits all Data Engine instances in the given resource group to read the encryption key from the KMS instance provided in 'existing_kms_instance_guid'"