feat: COS apikey has been replaced by s2s auth policy between atracker and cos. NOTE: If upgrading to this version, this will destroy the COS apikey which is expected. (#346)

Author: argeiger

atracker.tf

@@ -21,10 +21,10 @@ resource "ibm_atracker_target" "atracker_target" {
   count = local.valid_atracker_region && var.atracker.add_route == true ? 1 : 0
 
   cos_endpoint {
-    endpoint   = "s3.private.${var.region}.cloud-object-storage.appdomain.cloud"
-    target_crn = local.bucket_to_instance_map[var.atracker.collector_bucket_name].id
-    bucket     = ibm_cos_bucket.buckets[replace(var.atracker.collector_bucket_name, var.prefix, "")].bucket_name
-    api_key    = local.bucket_to_instance_map[var.atracker.collector_bucket_name].bind_key
+    endpoint                   = "s3.private.${var.region}.cloud-object-storage.appdomain.cloud"
+    target_crn                 = local.bucket_to_instance_map[var.atracker.collector_bucket_name].id
+    bucket                     = ibm_cos_bucket.buckets[replace(var.atracker.collector_bucket_name, var.prefix, "")].bucket_name
+    service_to_service_enabled = true
   }
   name        = "${var.prefix}-atracker"
   target_type = "cloud_object_storage"

dynamic_values.tf

@@ -32,6 +32,7 @@ module "dynamic_values" {
   f5_template_data          = var.f5_template_data
   secrets_manager           = var.secrets_manager
   add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
+  atracker_cos_bucket       = var.atracker.add_route == true ? var.atracker.collector_bucket_name : null
 }
 
 ##############################################################################

dynamic_values/config_modules/service_authorizations/service_authorizations.tf

@@ -26,6 +26,10 @@ variable "add_kms_block_storage_s2s" {
   description = "Add kms to block storage s2s"
 }
 
+variable "atracker_cos_bucket" {
+  description = "Add atracker to cos s2s"
+}
+
 ##############################################################################
 
 ##############################################################################
@@ -106,6 +110,35 @@ module "secrets_manager_to_cos" {
 
 ##############################################################################
 
+##############################################################################
+# Atracker to COS
+##############################################################################
+
+locals {
+  atracker_cos_instance = var.atracker_cos_bucket == null ? null : flatten([
+    for instance in var.cos :
+    [
+      for bucket in instance.buckets :
+      [instance.name] if bucket.name == var.atracker_cos_bucket
+    ]
+  ])[0]
+}
+
+module "atracker_to_cos" {
+  source = "../list_to_map"
+  list = [
+    for instance in(var.atracker_cos_bucket != null ? ["atracker-to-cos"] : []) :
+    {
+      name                        = instance
+      source_service_name         = "atracker"
+      description                 = "Allow atracker to write to COS"
+      roles                       = ["Object Writer"]
+      target_service_name         = "cloud-object-storage"
+      target_resource_instance_id = split(":", var.cos_instance_ids[local.atracker_cos_instance])[7]
+    }
+  ]
+}
+
 ##############################################################################
 # Outputs
 ##############################################################################
@@ -116,7 +149,8 @@ output "authorizations" {
     module.kms_to_block_storage.value,
     module.cos_to_key_management.value,
     module.flow_logs_to_cos.value,
-    module.secrets_manager_to_cos.value
+    module.secrets_manager_to_cos.value,
+    module.atracker_to_cos.value
   )
 }
 

dynamic_values/service_authorizations.tf

@@ -10,6 +10,7 @@ module "service_authorizations" {
   cos_instance_ids          = local.cos_instance_ids
   use_secrets_manager       = var.secrets_manager.use_secrets_manager
   add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
+  atracker_cos_bucket       = var.atracker_cos_bucket
 }
 
 ##############################################################################

dynamic_values/variables.tf

@@ -204,4 +204,7 @@ variable "add_kms_block_storage_s2s" {
   description = "Direct reference to kms block storage variable"
 }
 
+variable "atracker_cos_bucket" {
+  description = "Direct reference to atracker to cos variable"
+}
 ##############################################################################

module-metadata.json

@@ -51,7 +51,8 @@
       "description": "atracker variables",
       "required": true,
       "source": [
-        "ibm_atracker_route.atracker_route.count"
+        "ibm_atracker_route.atracker_route.count",
+        "module.dynamic_values"
       ],
       "pos": {
         "filename": "variables.tf",
@@ -1701,6 +1702,7 @@
         "access_groups": "access_groups",
         "add_kms_block_storage_s2s": "add_kms_block_storage_s2s",
         "appid": "appid",
+        "atracker_cos_bucket": "atracker",
         "bastion_vsi": "teleport_vsi",
         "clusters": "clusters",
         "cos": "cos",

patterns/dynamic_values/config_modules/cloud_object_storage/cos.tf

@@ -63,12 +63,7 @@ output "value" {
           force_delete  = true
         }
       ]
-      # Key is needed to initialize actibity tracker
-      keys = [{
-        name        = "cos-bind-key"
-        role        = "Writer"
-        enable_HMAC = false
-      }]
+      keys          = []
       random_suffix = var.use_random_cos_suffix
     },
     # COS instance for everything else

tests/pr_test.go

@@ -23,16 +23,16 @@ const vsiPatternTerraformDir = "patterns/vsi"
 const resourceGroup = "geretain-test-resources"
 
 // Temp: the atracker_target ignore is being tracked in https://github.ibm.com/GoldenEye/issues/issues/4302
-// The ACL ignores can be removed once we merge this PR (https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone/pull/315)
 var ignoreUpdates = []string{
-	"module.landing_zone.module.landing_zone.module.vpc[\"management\"].ibm_is_network_acl.network_acl[\"management-acl\"]",
-	"module.landing_zone.module.vpc[\"management\"].ibm_is_network_acl.network_acl[\"management-acl\"]",
-	"module.landing_zone.module.landing_zone.module.vpc[\"workload\"].ibm_is_network_acl.network_acl[\"workload-acl\"]",
-	"module.landing_zone.module.vpc[\"workload\"].ibm_is_network_acl.network_acl[\"workload-acl\"]",
 	"module.landing_zone.module.landing_zone.ibm_atracker_target.atracker_target[0]",
 	"module.landing_zone.ibm_atracker_target.atracker_target[0]",
 }
 
+// TODO: Remove after https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone/pull/346 is merged
+var ignoreDestroys = []string{
+	"module.landing_zone.ibm_resource_key.key[\"cos-bind-key\"]",
+}
+
 var sharedInfoSvc *cloudinfo.CloudInfoService
 
 // TestMain will be run before any parallel tests, used to set up a shared InfoService object to track region usage
@@ -74,6 +74,9 @@ func setupOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptio
 			IgnoreUpdates: testhelper.Exemptions{
 				List: ignoreUpdates,
 			},
+			IgnoreDestroys: testhelper.Exemptions{
+				List: ignoreDestroys,
+			},
 			CloudInfoService: sharedInfoSvc,
 		})
 
@@ -92,6 +95,9 @@ func setupOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptio
 		IgnoreUpdates: testhelper.Exemptions{
 			List: ignoreUpdates,
 		},
+		IgnoreDestroys: testhelper.Exemptions{
+			List: ignoreDestroys,
+		},
 		CloudInfoService: sharedInfoSvc,
 	})
 
@@ -157,6 +163,9 @@ func setupOptionsRoksPattern(t *testing.T, prefix string) *testhelper.TestOption
 		IgnoreUpdates: testhelper.Exemptions{
 			List: ignoreUpdates,
 		},
+		IgnoreDestroys: testhelper.Exemptions{
+			List: ignoreDestroys,
+		},
 		CloudInfoService: sharedInfoSvc,
 	})
 
@@ -209,6 +218,9 @@ func setupOptionsVsiPattern(t *testing.T, prefix string) *testhelper.TestOptions
 		IgnoreUpdates: testhelper.Exemptions{
 			List: ignoreUpdates,
 		},
+		IgnoreDestroys: testhelper.Exemptions{
+			List: ignoreDestroys,
+		},
 		CloudInfoService: sharedInfoSvc,
 	})