Context-based restrictions module

This module can be used to provision and configure Context Based Restrictions.

See in particular the fscloud module that enables creating an opiniated account-level coarse-grained set of CBR rules and zones aligned with the "secure by default" principles.

ℹ️ Tip: Changes to context-based restriction rules are propagated worldwide and have a TTL value of 10 minutes. Rule changes might not take effect until the propagation process is complete and the TTL cache is updated.

Overview

• terraform-ibm-cbr
• Submodules
  • cbr-rule-module
  • cbr-service-profile
  • cbr-zone-module
  • fscloud
• Examples
  • CBR multi service profile
  • Multi resource rule example
  • Multi-zone example
  • Pre-wired CBR configuration for FS Cloud example
  • Zone example
  • Zone example
• Contributing

terraform-ibm-cbr

Usage

module "ibm_cbr" "zone" {
  source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
  version          = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  name             = "zone_for_pg_access"
  account_id       = "defc0df06b644a9cabc6e44f55b3880s" # pragma: allowlist secret
  zone_description = "Zone created from terraform"
  addresses        = [{type  = "vpc",value = "vpc_crn"}]
}

module "ibm_cbr" "rule" {
  # replace main with version
  source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module"
  version          = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  name             = "rule_for_pg_access"
  rule_description = "rule from terraform"
  enforcement_mode = "enabled"
  rule_contexts    = [{
                      attributes = [{
                        name  = "networkZoneId"
                        value = "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret
                      }]
                     }]
  resources        = [{
                      attributes = [
                        {
                          name     = "accountId"
                          value    = "defc0df06b644a9cabc6e44f55b3880s" # pragma: allowlist secret
                          operator = "stringEquals"
                        },
                        {
                          name     = "resourceGroupId",
                          value    = "8ce996b5e6ed4592ac0e39f4105351d6" # pragma: allowlist secret
                          operator = "stringEquals"
                        },
                        {
                          name     = "serviceInstance"
                          value    = "10732830-c128-48f0-aec6-c9eaa8d10c68" # pragma: allowlist secret
                          operator = "stringEquals"
                        },
                        {
                          name     = "serviceName"
                          value    = "cloud-object-storage"
                          operator = "stringEquals"
                        }
                       ]
                     }]
  operations       = [{ api_types = [{
                        api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
                      }]
                     }]
}

Required IAM access policies

You need the following permissions to run this module.

• Account Management
  • Editor role access
• VPC Infrastructure Services
  • Editor role access

Requirements

Name	Version
terraform	>= 1.3.0
ibm	>= 1.70.0, < 2.0.0

Modules

Name	Source	Version
cbr_rule	./modules/cbr-rule-module	n/a
cbr_zone	./modules/cbr-zone-module	n/a

Resources

Name	Type
ibm_iam_account_settings.iam_account_settings	data source

Inputs

Name	Description	Type	Default	Required
addresses	(List) The list of addresses in the zone	list(object({ type = optional(string) value = optional(string) ref = optional(object({ account_id = string location = optional(string) service_instance = optional(string) service_name = optional(string) service_type = optional(string) })) }))	[]	no
enforcement_mode	(String) The rule enforcement mode	string	"report"	no
excluded_addresses	(Optional, List) The list of excluded addresses in the zone	list(object({ type = optional(string) value = optional(string) }))	[]	no
name	(Optional, String) The name of the zone	string	null	no
operations	(Optional, List) The operations this rule applies to	list(object({ api_types = list(object({ api_type_id = string })) }))	[ { "api_types": [ { "api_type_id": "crn:v1:bluemix:public:context-based-restrictions::::api-type:" } ] } ]	no
resources	(Optional, List) The resources this rule apply to	list(object({ attributes = list(object({ name = string value = string operator = optional(string) })) tags = optional(list(object({ #These access tags should match to the target service access tags for the CBR rules to work name = string value = string operator = optional(string) }))) }))	[]	no
rule_contexts	(List) The contexts the rule applies to	list(object({ attributes = list(object({ name = string value = string })) }))	[ { "attributes": [ { "name": "va", "value": "va" } ] } ]	no
rule_description	(Optional, String) The description of the rule	string	null	no
zone_description	(Optional, String) The description of the zone	string	null	no

Outputs

Name	Description
rule_crn	CBR rule crn
rule_href	CBR rule href
rule_id	CBR rule id
zone_crn	cbr_zone crn
zone_href	cbr_zone link
zone_id	cbr_zone id

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.