fix: add missing Authorization Delegator role to s2s auth policy (#746)

Author: shemau

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-10-04T04:36:16Z",
+  "generated_at": "2025-10-05T04:36:16Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

main.tf

@@ -70,7 +70,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
   count                    = local.create_kms_auth_policy
   source_service_name      = "databases-for-postgresql"
   source_resource_group_id = var.resource_group_id
-  roles                    = ["Reader"]
+  roles                    = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
   description              = "Allow all PostgreSQL instances in the resource group ${var.resource_group_id} to read the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_key_instance_guid}"
   resource_attributes {
     name     = "serviceName"
@@ -116,7 +116,7 @@ resource "ibm_iam_authorization_policy" "backup_kms_policy" {
   count                    = local.create_backup_kms_auth_policy
   source_service_name      = "databases-for-postgresql"
   source_resource_group_id = var.resource_group_id
-  roles                    = ["Reader"]
+  roles                    = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
   description              = "Allow all PostgreSQL instances in the Resource Group ${var.resource_group_id} to read the ${local.backup_kms_service} key ${local.backup_kms_key_id} from the instance GUID ${local.backup_kms_key_instance_guid}"
   resource_attributes {
     name     = "serviceName"

solutions/fully-configurable/main.tf

@@ -120,7 +120,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
   source_service_account   = local.account_id
   source_service_name      = "databases-for-postgresql"
   source_resource_group_id = module.resource_group.resource_group_id
-  roles                    = ["Reader"]
+  roles                    = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
   description              = "Allow all PostgreSQL instances in the resource group ${module.resource_group.resource_group_id} in the account ${local.account_id} to read the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_instance_guid}"
   resource_attributes {
     name     = "serviceName"
@@ -168,7 +168,7 @@ resource "ibm_iam_authorization_policy" "backup_kms_policy" {
   source_service_account   = local.account_id
   source_service_name      = "databases-for-postgresql"
   source_resource_group_id = module.resource_group.resource_group_id
-  roles                    = ["Reader"]
+  roles                    = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
   description              = "Allow all PostgreSQL instances in the resource group ${module.resource_group.resource_group_id} in the account ${local.account_id} to read the ${local.backup_kms_service} key ${local.backup_kms_key_id} from the instance GUID ${local.backup_kms_instance_guid}"
   resource_attributes {
     name     = "serviceName"