# See https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy
# IBM Cloud IAM service to service authorization policy
#
# A Cloud Object Storage instance located in the project account is granted the Reader role on
# a named key ring of the Key Protect instance in the corporate account.
# Note that resource_attributes (account, service, instance and key ring) is used to describe
# every property of the targeted service, so the grant is scoped to that single key ring.
#
# The code is executed on the corporate account where the permission is granted.
resource "ibm_iam_authorization_policy" "cos_to_kms_policy" {
  # The policy is created in the corporate account, i.e. the account that owns the
  # Key Protect (kms) target and grants the permission.
  provider = ibm.corporate_account

  # Source side: a single Cloud Object Storage instance in the project account.
  # Pinning source_resource_instance_id to one GUID keeps the grant from applying
  # to every COS instance in that account.
  source_service_name         = "cloud-object-storage"
  source_service_account      = data.ibm_iam_account_settings.source_iam_account_settings.account_id
  source_resource_instance_id = data.ibm_resource_instance.source_cos_resource_instance.guid

  # Only the Reader role is granted; no writer/manager capability on the key ring.
  roles       = ["Reader"]
  description = "reverse policy in other account"

  # Target side is expressed entirely through resource_attributes: the corporate
  # account, the kms service, one Key Protect instance and one key ring inside it.
  # The block order is preserved from the original definition.
  resource_attributes {
    name     = "accountId"
    operator = "stringEquals"
    value    = data.ibm_iam_account_settings.target_iam_account_settings.account_id
  }

  resource_attributes {
    name     = "serviceName"
    operator = "stringEquals"
    value    = "kms"
  }

  resource_attributes {
    name     = "serviceInstance"
    operator = "stringEquals"
    value    = ibm_resource_instance.target_kms_instance.guid
  }

  # Narrowest scope: the policy applies to a single named key ring, not the whole
  # Key Protect instance.
  resource_attributes {
    name     = "keyRing"
    operator = "stringEquals"
    value    = ibm_kms_key_rings.some_key_ring.key_ring_id
  }
}