Merge branch 'main' into ks-add-prefix-val

examples/advanced/main.tf

@@ -50,7 +50,7 @@ locals {
 
 module "key_protect_all_inclusive" {
   source                    = "terraform-ibm-modules/kms-all-inclusive/ibm"
-  version                   = "4.17.1"
+  version                   = "4.19.1"
   key_protect_instance_name = "${var.prefix}-kp"
   resource_group_id         = module.resource_group.resource_group_id
   enable_metrics            = false

ibm_catalog.json

@@ -248,6 +248,9 @@
                             "value": "public-and-private"
                           }
                         ]
+                      },
+                      {
+                        "key":"instance_cbr_rules"
                       }
                     ]
 
@@ -333,6 +336,9 @@
                             "value": "public-and-private"
                           }
                         ]
+                      },
+                      {
+                        "key":"instance_cbr_rules"
                       }
                     ]
 
@@ -422,6 +428,9 @@
                             "value": "public-and-private"
                           }
                         ]
+                      },
+                      {
+                        "key":"instance_cbr_rules"
                       }
                     ]
                 }

modules/fscloud/main.tf

@@ -60,6 +60,9 @@ locals {
       force_delete                  = config.force_delete
       hard_quota                    = config.hard_quota
       add_bucket_name_suffix        = config.add_bucket_name_suffix
+      object_locking_enabled        = config.object_locking_enabled
+      object_lock_duration_days     = config.object_lock_duration_days
+      object_lock_duration_years    = config.object_lock_duration_years
     }
   ]
 }

solutions/instance/DA-cbr_rules.md

@@ -0,0 +1,70 @@
+# Configuring complex inputs for COS in IBM Cloud projects
+
+Several optional input variables in the IBM Cloud [COS deployable architecture](https://cloud.ibm.com/catalog#deployable_architecture) use complex object types. You specify these inputs when you configure deployable architecture.
+
+* Context-Based Restrictions Rules (`instance_cbr_rules`)
+
+
+## Rules For Context-Based Restrictions <a name="instance_cbr_rules"></a>
+
+The `instance_cbr_rules` input variable allows you to provide a rule for the target service to enforce access restrictions for the service based on the context of access requests. Contexts are criteria that include the network location of access requests, the endpoint type from where the request is sent, etc.
+
+- Variable name: `instance_cbr_rules`.
+- Type: A list of objects. Allows only one object representing a rule for the target service
+- Default value: An empty list (`[]`).
+
+### Options for instance_cbr_rules
+
+  - `description` (required): The description of the rule to create.
+  - `account_id` (required): The IBM Cloud Account ID
+  - `rule_contexts` (required): (List) The contexts the rule applies to
+      - `attributes` (optional): (List) Individual context attributes
+        - `name` (required): The attribute name.
+        - `value` (required): The attribute value.
+
+  - `enforcement_mode` (required): The rule enforcement mode can have the following values:
+      - `enabled` - The restrictions are enforced and reported. This is the default.
+      - `disabled` - The restrictions are disabled. Nothing is enforced or reported.
+      - `report` - The restrictions are evaluated and reported, but not enforced.
+  - `tags` (optional): (List) Resource Tags .
+       - `name` (required): The Tag name.
+       - `value` (required): The Tag value.
+  - `operations` (optional): The operations this rule applies to
+    - `api_types`(required): (List) The API types this rule applies to.
+        - `api_type_id`(required):The API type ID
+
+### Example Rule For Context-Based Restrictions Configuration
+
+```hcl
+instance_cbr_rules = [
+  {
+  description = "COS can be accessed from xyz"
+  account_id = "defc0df06b644a9cabc6e44f55b3880s."
+  rule_contexts= [{
+      attributes = [
+                {
+                              "name" : "endpointType",
+                              "value" : "private"
+                },
+                {
+                  name  = "networkZoneId"
+                  value = "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret
+                }
+        ]
+     }
+   ]
+  enforcement_mode = "enabled"
+  resources = [{
+    tags {
+              name     = "tag_name"
+              value    = "tag_value"
+        }
+  }]
+  operations = [{
+    api_types = [{
+     api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+      }]
+    }]
+  }
+]
+```

solutions/instance/main.tf

@@ -14,6 +14,7 @@ module "cos" {
   cos_plan            = var.cos_plan
   cos_tags            = var.cos_tags
   access_tags         = var.access_tags
+  instance_cbr_rules  = var.instance_cbr_rules
 }
 
 resource "ibm_iam_authorization_policy" "secrets_manager_key_manager" {
@@ -68,7 +69,7 @@ module "secrets_manager_service_credentials" {
   count                       = length(local.service_credential_secrets) > 0 ? 1 : 0
   depends_on                  = [time_sleep.wait_for_cos_authorization_policy]
   source                      = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
-  version                     = "1.19.3"
+  version                     = "1.19.10"
   existing_sm_instance_guid   = local.existing_secrets_manager_instance_guid
   existing_sm_instance_region = local.existing_secrets_manager_instance_region
   endpoint_type               = var.existing_secrets_manager_endpoint_type

solutions/instance/variables.tf

@@ -127,3 +127,31 @@ variable "provider_visibility" {
     error_message = "Invalid visibility option. Allowed values are 'public', 'private', or 'public-and-private'."
   }
 }
+
+##############################################################
+# Context-based restriction (CBR)
+##############################################################
+variable "instance_cbr_rules" {
+  type = list(object({
+    description = string
+    account_id  = string
+    rule_contexts = list(object({
+      attributes = optional(list(object({
+        name  = string
+        value = string
+    }))) }))
+    enforcement_mode = string
+    tags = optional(list(object({
+      name  = string
+      value = string
+    })), [])
+    operations = optional(list(object({
+      api_types = list(object({
+        api_type_id = string
+      }))
+    })))
+  }))
+  description = "The list of context-based restriction rules to create for the instance.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-cos/blob/main/solutions/instance/DA-cbr_rules.md)"
+  default     = []
+  # Validation happens in the rule module
+}

solutions/instance/version.tf

@@ -5,7 +5,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = "1.71.3"
+      version = "1.73.0"
     }
     time = {
       source  = "hashicorp/time"

solutions/secure-cross-regional-bucket/DA-cbr_rules.md

@@ -0,0 +1,70 @@
+# Configuring complex inputs for COS - Secure Cross Regional bucket in IBM Cloud projects
+
+Several optional input variables in the IBM Cloud [COS - Secure Cross Regional bucket deployable architecture](https://cloud.ibm.com/catalog#deployable_architecture) use complex object types. You specify these inputs when you configure deployable architecture.
+
+* Context-Based Restrictions Rules (`instance_cbr_rules`)
+
+
+## Rules For Context-Based Restrictions <a name="instance_cbr_rules"></a>
+
+The `instance_cbr_rules` input variable allows you to provide a rule for the target service to enforce access restrictions for the service based on the context of access requests. Contexts are criteria that include the network location of access requests, the endpoint type from where the request is sent, etc.
+
+- Variable name: `instance_cbr_rules`.
+- Type: A list of objects. Allows only one object representing a rule for the target service
+- Default value: An empty list (`[]`).
+
+### Options for instance_cbr_rules
+
+  - `description` (required): The description of the rule to create.
+  - `account_id` (required): The IBM Cloud Account ID
+  - `rule_contexts` (required): (List) The contexts the rule applies to
+      - `attributes` (optional): (List) Individual context attributes
+        - `name` (required): The attribute name.
+        - `value` (required): The attribute value.
+
+  - `enforcement_mode` (required): The rule enforcement mode can have the following values:
+      - `enabled` - The restrictions are enforced and reported. This is the default.
+      - `disabled` - The restrictions are disabled. Nothing is enforced or reported.
+      - `report` - The restrictions are evaluated and reported, but not enforced.
+  - `tags` (optional): (List) Resource Tags .
+       - `name` (required): The Tag name.
+       - `value` (required): The Tag value.
+  - `operations` (optional): The operations this rule applies to
+    - `api_types`(required): (List) The API types this rule applies to.
+        - `api_type_id`(required):The API type ID
+
+### Example Rule For Context-Based Restrictions Configuration
+
+```hcl
+instance_cbr_rules = [
+  {
+  description = "COS can be accessed from xyz"
+  account_id = "defc0df06b644a9cabc6e44f55b3880s."
+  rule_contexts= [{
+      attributes = [
+                {
+                              "name" : "endpointType",
+                              "value" : "private"
+                },
+                {
+                  name  = "networkZoneId"
+                  value = "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret
+                }
+        ]
+     }
+   ]
+  enforcement_mode = "enabled"
+  resources = [{
+    tags {
+              name     = "tag_name"
+              value    = "tag_value"
+        }
+  }]
+  operations = [{
+    api_types = [{
+     api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+      }]
+    }]
+  }
+]
+```

solutions/secure-cross-regional-bucket/main.tf

@@ -127,7 +127,7 @@ module "kms" {
   }
   count                       = var.existing_kms_key_crn != null ? 0 : 1 # no need to create any KMS resources if passing an existing key.
   source                      = "terraform-ibm-modules/kms-all-inclusive/ibm"
-  version                     = "4.17.1"
+  version                     = "4.19.1"
   create_key_protect_instance = false
   region                      = local.existing_kms_instance_region
   existing_kms_instance_crn   = var.existing_kms_instance_crn
@@ -164,4 +164,5 @@ module "cos" {
   create_cos_instance      = false
   existing_cos_instance_id = var.existing_cos_instance_id
   bucket_configs           = local.bucket_config
+  instance_cbr_rules       = var.instance_cbr_rules
 }

solutions/secure-cross-regional-bucket/variables.tf

@@ -185,3 +185,30 @@ variable "provider_visibility" {
     error_message = "Invalid visibility option. Allowed values are 'public', 'private', or 'public-and-private'."
   }
 }
+##############################################################
+# Context-based restriction (CBR)
+##############################################################
+variable "instance_cbr_rules" {
+  type = list(object({
+    description = string
+    account_id  = string
+    rule_contexts = list(object({
+      attributes = optional(list(object({
+        name  = string
+        value = string
+    }))) }))
+    enforcement_mode = string
+    tags = optional(list(object({
+      name  = string
+      value = string
+    })), [])
+    operations = optional(list(object({
+      api_types = list(object({
+        api_type_id = string
+      }))
+    })))
+  }))
+  description = "The list of context-based restriction rules to create for the instance.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-cos/blob/main/solutions/secure-cross-regional-bucket/DA-cbr_rules.md)"
+  default     = []
+  # Validation happens in the rule module
+}

solutions/secure-cross-regional-bucket/version.tf

@@ -5,7 +5,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = "1.71.3"
+      version = "1.73.0"
     }
     time = {
       source  = "hashicorp/time"

solutions/secure-regional-bucket/DA-cbr_rules.md

@@ -0,0 +1,70 @@
+# Configuring complex inputs for COS - Secure Regional bucket in IBM Cloud projects
+
+Several optional input variables in the IBM Cloud [COS - Secure Regional bucket deployable architecture](https://cloud.ibm.com/catalog#deployable_architecture) use complex object types. You specify these inputs when you configure deployable architecture.
+
+* Context-Based Restrictions Rules (`instance_cbr_rules`)
+
+
+## Rules For Context-Based Restrictions <a name="instance_cbr_rules"></a>
+
+The `instance_cbr_rules` input variable allows you to provide a rule for the target service to enforce access restrictions for the service based on the context of access requests. Contexts are criteria that include the network location of access requests, the endpoint type from where the request is sent, etc.
+
+- Variable name: `instance_cbr_rules`.
+- Type: A list of objects. Allows only one object representing a rule for the target service
+- Default value: An empty list (`[]`).
+
+### Options for instance_cbr_rules
+
+  - `description` (required): The description of the rule to create.
+  - `account_id` (required): The IBM Cloud Account ID
+  - `rule_contexts` (required): (List) The contexts the rule applies to
+      - `attributes` (optional): (List) Individual context attributes
+        - `name` (required): The attribute name.
+        - `value` (required): The attribute value.
+
+  - `enforcement_mode` (required): The rule enforcement mode can have the following values:
+      - `enabled` - The restrictions are enforced and reported. This is the default.
+      - `disabled` - The restrictions are disabled. Nothing is enforced or reported.
+      - `report` - The restrictions are evaluated and reported, but not enforced.
+  - `tags` (optional): (List) Resource Tags .
+       - `name` (required): The Tag name.
+       - `value` (required): The Tag value.
+  - `operations` (optional): The operations this rule applies to
+    - `api_types`(required): (List) The API types this rule applies to.
+        - `api_type_id`(required):The API type ID
+
+### Example Rule For Context-Based Restrictions Configuration
+
+```hcl
+instance_cbr_rules = [
+  {
+  description = "COS can be accessed from xyz"
+  account_id = "defc0df06b644a9cabc6e44f55b3880s."
+  rule_contexts= [{
+      attributes = [
+                {
+                              "name" : "endpointType",
+                              "value" : "private"
+                },
+                {
+                  name  = "networkZoneId"
+                  value = "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret
+                }
+        ]
+     }
+   ]
+  enforcement_mode = "enabled"
+  resources = [{
+    tags {
+              name     = "tag_name"
+              value    = "tag_value"
+        }
+  }]
+  operations = [{
+    api_types = [{
+     api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+      }]
+    }]
+  }
+]
+```

solutions/secure-regional-bucket/main.tf

@@ -130,7 +130,7 @@ module "kms" {
   }
   count                       = var.existing_kms_key_crn != null ? 0 : 1 # no need to create any KMS resources if passing an existing key
   source                      = "terraform-ibm-modules/kms-all-inclusive/ibm"
-  version                     = "4.17.1"
+  version                     = "4.19.1"
   create_key_protect_instance = false
   region                      = local.existing_kms_instance_region
   existing_kms_instance_crn   = var.existing_kms_instance_crn
@@ -167,4 +167,5 @@ module "cos" {
   create_cos_instance      = false
   existing_cos_instance_id = var.existing_cos_instance_id
   bucket_configs           = local.bucket_config
+  instance_cbr_rules       = var.instance_cbr_rules
 }