This module creates default coarse-grained CBR rules in a given account following a "secure by default" approach - that is: deny all flows by default, except known documented communication in the Financial Services Cloud Reference Architecture:
- Cloud Object Storage (COS) -> Hyper Protect Crypto Services (HPCS)
- Block Storage -> Hyper Protect Crypto Services (HPCS)
- IBM Cloud Kubernetes Service (IKS) -> Hyper Protect Crypto Services (HPCS)
- All IBM Cloud Databases (ICD) services -> Hyper Protect Crypto Services (HPCS)
- Event Streams (Messagehub) -> Hyper Protect Crypto Services (HPCS)
- Virtual Private Clouds (VPCs) where clusters are deployed -> Cloud Object Storage (COS)
- Virtual Private Clouds (VPCs) where clusters are deployed -> IAM groups
- Virtual Private Clouds (VPCs) where clusters are deployed -> IAM access management
- Activity Tracker route -> Cloud Object Storage (COS)
- IBM Cloud VPC Infrastructure Services (IS) -> Cloud Object Storage (COS)
- Security and Compliance Center (SCC) -> Cloud Object Storage (COS)
- Virtual Private Clouds (VPCs) workload (e.g. Kubernetes worker nodes) -> IBM Cloud Container Registry
- IBM Cloud Kubernetes Service (IKS) -> VPC Infrastructure Services (IS)
Note on KMS: the module supports setting up rules for Key Protect and Hyper Protect Crypto Services. By default the module sets rules for Hyper Protect Crypto Services, but this can be changed to Key Protect, Hyper Protect Crypto Services, or both by using the input variable `kms_service_targeted_by_prewired_rules`.
Note on containers-kubernetes: the module supports the pseudo-service names `containers-kubernetes-management` and `containers-kubernetes-cluster` to distinguish between the cluster and management APIs. By default the module creates separate CBR rules for the two types of APIs, to align with common real-world scenarios. `containers-kubernetes` can be used instead to create a single CBR rule targeting both the cluster and management APIs.
This module is designed to allow the consumer to add custom rules that open up additional flows necessary for their usage. See the `custom_rule_contexts_by_service` input variable and the usage example, which demonstrates how to open up more flows.
The module also pre-creates a CBR zone for each service in the account as a best practice. CBR rules associated with these CBR zones can be set by using the `custom_rule_contexts_by_service` variable.
Important: to avoid unexpected breakage in the account against which this module is executed, the CBR rule enforcement mode is set to `report` (or `disabled` for services that do not support `report` mode) by default. It is recommended to test this module first with these defaults, and then use the `target_service_details` variable to set the enforcement mode to `enabled` gradually, service by service. The usage example demonstrates how to set the enforcement mode to `enabled` for the Key Protect (`kms`) service.
Note on Event Notifications: by default, the `disabled` enforcement mode is set for Event Notifications because its SMTP API does not support the `report` enforcement mode.
Note on the `global_deny` variable: when a scope is specified in a rule for the target service, a separate global rule is created for that target service to scope all the resources of that service. You can opt out of this by setting `global_deny = false`. Setting `global_deny = false` is also mandatory when no scope is specified for the target service.
Note on mqcloud: a region and/or instance_id is required for the `mqcloud` service to create the CBR rule. This service is only available in the `eu-fr2` region.
Note on Security and Compliance Center (SCC) scan: compliance can only be claimed after all the enforcement modes have been set to `enabled`.
The services `directlink`, `globalcatalog-collection`, `iam-groups` and `user-management` do not support restriction per location.
Usage example:

```hcl
module "cbr_fscloud" {
  source            = "terraform-ibm-modules/cbr/ibm//modules/fscloud"
  version           = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  prefix            = "fs-cbr"
  zone_vpc_crn_list = ["crn:v1:bluemix:public:is:us-south:a/abac0df06b644a9cabc6e44f55b3880e::vpc:r006-069c6449-03a9-49f1-9070-4d23fc79285e"]
  # true or false to enable each prewired rule
  allow_cos_to_kms                 = true
  allow_block_storage_to_kms       = true
  allow_roks_to_kms                = true
  allow_icd_to_kms                 = true
  allow_vpcs_to_container_registry = true
  allow_vpcs_to_cos                = true
  allow_at_to_cos                  = true
  allow_iks_to_is                  = true
  # Skip zone creation for the service references in this list
  skip_specific_services_for_zone_creation = ["user-management", "iam-groups"]
  target_service_details = {
    "kms" = {
      "enforcement_mode" = "enabled"
      "instance_id"      = "dhd2-2bdjd-2bdjd-asgd3" # pragma: allowlist secret
      "target_rg"        = "a8cff104f1764e98aac9ab879198230a" # pragma: allowlist secret
    }
    "cloud-object-storage" = {
      "enforcement_mode" = "enabled"
      "target_rg"        = "a8cff104f1764e98aac9ab879198230a" # pragma: allowlist secret
      "global_deny"      = false # opting out from creating a new global rule
    }
    "messagehub" = {
      "enforcement_mode" = "enabled"
      "global_deny"      = false # mandatory to set 'global_deny = false' when no scope is defined
    }
    "IAM" = {
      "enforcement_mode" = "report"
      "global_deny"      = false
    }
  }
  custom_rule_contexts_by_service = {
    "schematics" = [{
      endpointType = "public"
      zone_ids     = ["93a51a1debe2674193217209601dde6f"] # pragma: allowlist secret (zone_ids takes a list of zone ids)
    }]
  }
}
```
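Staged enforcement by service together with one extra custom flow, as an added example that is not part of the module's README; the `local.*` names, `module.cbr_fscloud_staged` and `var.vpc_crn` are assumptions, while the module inputs are the ones documented on this page:

```hcl
# Added example, not the module's own code: roll enforcement out service by service
# and open one extra flow on top of the prewired rules. The local names and
# var.vpc_crn are assumptions; the module inputs are the ones documented above.
locals {
  # Rules already observed in 'report' mode and ready to enforce.
  enforced_services = ["kms", "cloud-object-storage"]
  # Rules still under observation; keep them in 'report' mode for now.
  report_only_services = ["messagehub", "containers-kubernetes-cluster"]

  # No scope (instance_id / target_rg) is given below, so global_deny must be false.
  staged_target_service_details = merge(
    { for s in local.enforced_services : s => {
      enforcement_mode = "enabled"
      global_deny      = false
    } },
    { for s in local.report_only_services : s => {
      enforcement_mode = "report"
      global_deny      = false
    } },
  )
}

module "cbr_fscloud_staged" {
  source            = "terraform-ibm-modules/cbr/ibm//modules/fscloud"
  version           = "X.X.X" # pin to a release version
  prefix            = "fs-cbr"
  zone_vpc_crn_list = [var.vpc_crn] # assumed variable holding the VPC CRN

  target_service_details = local.staged_target_service_details

  # Extra flow: let the Schematics service and workloads in the managed VPC zone
  # reach Key Protect / HPCS over the private endpoint. The module looks up the
  # zone ids for service_ref_names and for the managed VPC zone itself.
  custom_rule_contexts_by_service = {
    "kms" = [{
      endpointType         = "private"
      service_ref_names    = ["schematics"]
      add_managed_vpc_zone = true
    }]
  }
}
```

Moving a service from `report_only_services` to `enforced_services` after reviewing its report-mode findings is the gradual rollout the Important note above describes; the SCC compliance claim is only valid once both lists are enforced.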
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.3.0 |
| ibm | >= 1.70.0, < 2.0.0 |
Modules:

| Name | Source | Version |
|---|---|---|
| cbr_rule | ../../modules/cbr-rule-module | n/a |
| cbr_zone | ../../modules/cbr-zone-module | n/a |
| cbr_zone_vpcs | ../../modules/cbr-zone-module | n/a |
| global_deny_cbr_rule | ../../modules/cbr-rule-module | n/a |
Resources:

| Name | Type |
|---|---|
| ibm_iam_account_settings.iam_account_settings | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allow_at_to_cos | Set rule for Activity Tracker to COS, default is true | bool | true | no |
| allow_block_storage_to_kms | Set rule for block storage to KMS, default is true | bool | true | no |
| allow_cos_to_kms | Set rule for COS to KMS, default is true | bool | true | no |
| allow_event_streams_to_kms | Set rule for Event Streams (Messagehub) to KMS, default is true | bool | true | no |
| allow_icd_to_kms | Set rule for ICD to KMS, default is true | bool | true | no |
| allow_iks_to_is | Set rule for IKS to IS (VPC Infrastructure Services), default is true | bool | true | no |
| allow_is_to_cos | Set rule for IS (VPC Infrastructure Services) to COS, default is true | bool | true | no |
| allow_roks_to_kms | Set rule for ROKS to KMS, default is true | bool | true | no |
| allow_scc_to_cos | Set rule for SCC (Security and Compliance Center) to COS, default is true | bool | true | no |
| allow_vpcs_to_container_registry | Set rule for VPCs to container registry, default is true | bool | true | no |
| allow_vpcs_to_cos | Set rule for VPCs to COS, default is true | bool | true | no |
| allow_vpcs_to_iam_access_management | Set rule for VPCs to IAM access management, default is true | bool | true | no |
| allow_vpcs_to_iam_groups | Set rule for VPCs to IAM groups, default is true | bool | true | no |
| custom_rule_contexts_by_service | Any additional contexts to add to the CBR rules created by this module. The contexts are added to the CBR rule targeting the service passed as the key. The module looks up the zone id when service_ref_names or add_managed_vpc_zone are passed in. | map(list(object( | {} | no |
| existing_cbr_zone_vpcs | Provide an existing zone id for the VPC | object( | null | no |
| existing_serviceref_zone | Provide a valid service reference and existing zone id | map(object( | {} | no |
| kms_service_targeted_by_prewired_rules | IBM Cloud offers two distinct Key Management Services (KMS): Key Protect and Hyper Protect Crypto Services (HPCS). This variable determines the KMS service to which the pre-configured rules are applied. Use the value 'key-protect' for the Key Protect service and 'hs-crypto' for Hyper Protect Crypto Services (HPCS). | list(string) | [ | no |
| prefix | Prefix to prepend to all vpc_zone_list, service_ref_zone_list and cbr_rule_description values created by this submodule | string | n/a | yes |
| skip_specific_services_for_zone_creation | Provide a list of service references for which zone creation is not required | list(string) | [] | no |
| target_service_details | Details of the target service for which a rule is created. The key is the service name. | map(object({ | {} | no |
| zone_service_ref_list | (Optional) Provide a valid service reference with the customized name of the zone and the location where the context-based restriction zones are created. If no value is specified for serviceRef_location, the zones are not scoped to any location, and if no value is specified for zone_name, a default zone name with the prefix is created. | object({ | {} | no |
| zone_vpc_crn_list | (List) VPC CRNs for the zones | list(string) | [] | no |
Outputs:

| Name | Description |
|---|---|
| account_id | Account ID |
| map_service_ref_name_zoneid | Map of service reference and zone ids |
| map_target_service_rule_ids | Map of target service and rule ids |
| map_vpc_zoneid | Map of VPC and zone ids |