我将Terraform与IBM Cloud一起使用,并希望使用IBM_iam_authorization_policy创建一个服务到服务授权。
我知道如何在cloud-object-storage
和kms
之间创建策略。但是,我如何将其范围扩大到特定的钥匙圈?我可以在IBMCloud控制台中完成,但在提供程序中没有看到任何内容。
resource "ibm_iam_authorization_policy" "testpolicy" {
source_resource_instance_id = data.ibm_resource_instance.cos_resource_instance.guid
source_service_name = "cloud-object-storage"
target_resource_instance_id = data.ibm_resource_instance.kms_resource_instance.guid
target_service_name = "kms"
roles = ["Reader"]
description = "TF-based test"
}
使用策略管理API和Terraform进行更多测试,以下似乎有效:
resource "ibm_iam_authorization_policy" "team_testpolicy" {
provider = ibm.team_account
source_service_account = data.ibm_iam_account_settings.dev_iam_account_settings.account_id
source_resource_instance_id = data.ibm_resource_instance.cos_resource_instance.guid
source_service_name = "cloud-object-storage"
resource_attributes {
name = "accountId"
operator = "stringEquals"
value = data.ibm_iam_account_settings.team_iam_account_settings.account_id
}
resource_attributes {
name = "serviceName"
operator = "stringEquals"
value = "kms"
}
resource_attributes {
name = "serviceInstance"
operator = "stringEquals"
value = ibm_resource_instance.kms_instance.guid
}
resource_attributes {
name = "keyRing"
operator = "stringEquals"
value = ibm_kms_key_rings.key_ring.key_ring_id
}
roles = ["Reader"]
description = "reverse policy in other account"
}
使用resource_attributes和name属性keyRing创建正确的授权策略。