
Commit

Merge branch 'ks-add-prefix-val' of https://github.com/terraform-ibm-…
…modules/terraform-ibm-cos into ks-add-prefix-val
kierramarie committed Jan 6, 2025
2 parents 3ac25ad + 92c1c37 commit b0e81f6
Showing 28 changed files with 550 additions and 939 deletions.
4 changes: 2 additions & 2 deletions README.md
@@ -137,8 +137,8 @@ You need the following permissions to run this module.

| Name | Source | Version |
|------|--------|---------|
| <a name="module_bucket_cbr_rule"></a> [bucket\_cbr\_rule](#module\_bucket\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.28.1 |
| <a name="module_instance_cbr_rule"></a> [instance\_cbr\_rule](#module\_instance\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.28.1 |
| <a name="module_bucket_cbr_rule"></a> [bucket\_cbr\_rule](#module\_bucket\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.29.0 |
| <a name="module_instance_cbr_rule"></a> [instance\_cbr\_rule](#module\_instance\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.29.0 |

### Resources

9 changes: 6 additions & 3 deletions cra-config.yaml
@@ -3,21 +3,24 @@ version: "v1"
CRA_TARGETS:
- CRA_TARGET: "solutions/instance" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
PROFILE_ID: "bfacb71d-4b84-41ac-9825-e8a3a3eb7405" # SCC profile ID (currently set to IBM Cloud Framework for Financial Services 1.6.0 profile).
PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3" # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile).
CRA_ENVIRONMENT_VARIABLES: # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
TF_VAR_resource_group_name: "terraform-ibm-cos"
TF_VAR_provider_visibility: "public"
- CRA_TARGET: "solutions/secure-cross-regional-bucket" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
PROFILE_ID: "bfacb71d-4b84-41ac-9825-e8a3a3eb7405" # SCC profile ID (currently set to IBM Cloud Framework for Financial Services 1.6.0 profile).
PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3" # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile).
CRA_ENVIRONMENT_VARIABLES: # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
TF_VAR_existing_kms_instance_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9::"
TF_VAR_existing_cos_instance_id: "crn:v1:bluemix:public:cloud-object-storage:global:a/abac0df06b644a9cabc6e44f55b3880e:12345a67-12ab-1a23-abc1-1a2345abcde6::"
TF_VAR_bucket_name: "mock"
TF_VAR_cross_region_location: us
TF_VAR_provider_visibility: "public"
- CRA_TARGET: "solutions/secure-regional-bucket" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
PROFILE_ID: "bfacb71d-4b84-41ac-9825-e8a3a3eb7405" # SCC profile ID (currently set to IBM Cloud Framework for Financial Services 1.6.0 profile).
PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3" # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile).
CRA_ENVIRONMENT_VARIABLES: # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
TF_VAR_existing_kms_instance_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9::"
TF_VAR_existing_cos_instance_id: "crn:v1:bluemix:public:cloud-object-storage:global:a/abac0df06b644a9cabc6e44f55b3880e:12345a67-12ab-1a23-abc1-1a2345abcde6::"
TF_VAR_bucket_name: "mock"
TF_VAR_provider_visibility: "public"
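Review bot: The new `TF_VAR_provider_visibility: "public"` line at the end of each target and the bumped `PROFILE_ID` are copied verbatim into all three CRA targets, so the next profile bump again has to be made in three places and the three targets can silently drift apart. A YAML anchor on the first target (`PROFILE_ID: &scc_profile "fe96bd4d-9b37-40f2-b39f-a62760e326a3"`) with `PROFILE_ID: *scc_profile` in the other two would keep them in sync. It is also worth confirming that `public` is the visibility the CRA runner needs for the two secure-bucket targets; if those flavors default to private endpoints, the scan only reflects the deployed configuration when it plans with the same value.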
4 changes: 2 additions & 2 deletions examples/advanced/main.tf
@@ -50,7 +50,7 @@ locals {

module "key_protect_all_inclusive" {
source = "terraform-ibm-modules/kms-all-inclusive/ibm"
version = "4.16.7"
version = "4.19.1"
key_protect_instance_name = "${var.prefix}-kp"
resource_group_id = module.resource_group.resource_group_id
enable_metrics = false
@@ -81,7 +81,7 @@ data "ibm_iam_account_settings" "iam_account_settings" {

module "cbr_zone" {
source = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
version = "1.28.1"
version = "1.29.0"
name = "${var.prefix}-VPC-network-zone"
zone_description = "CBR Network zone containing VPC"
account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
4 changes: 2 additions & 2 deletions examples/fscloud/main.tf
@@ -41,7 +41,7 @@ data "ibm_iam_account_settings" "iam_account_settings" {

module "cbr_zone" {
source = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
version = "1.28.1"
version = "1.29.0"
name = "${var.prefix}-VPC-fscloud-nz"
zone_description = "CBR Network zone containing VPC"
account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
@@ -54,7 +54,7 @@ module "cbr_zone" {
# Allow schematics, from outside VPC, to manage resources
module "cbr_zone_schematics" {
source = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
version = "1.28.1"
version = "1.29.0"
name = "${var.prefix}-schematics-fscloud-nz"
zone_description = "CBR Network zone containing Schematics"
account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
80 changes: 74 additions & 6 deletions ibm_catalog.json
@@ -205,7 +205,7 @@
"profiles": [
{
"profile_name": "IBM Cloud Framework for Financial Services",
"profile_version": "1.6.0"
"profile_version": "1.7.0"
}
]
},
@@ -230,7 +230,30 @@
"description": "This architecture supports creating and configuring an IBM Cloud Object Storage instance."
}
]
}
},
"configuration":[
{
"key": "provider_visibility",
"options": [
{
"displayname": "private",
"value": "private"
},
{
"displayname": "public",
"value": "public"
},
{
"displayname": "public-and-private",
"value": "public-and-private"
}
]
},
{
"key":"instance_cbr_rules"
}
]

},
{
"label": "Secure cross-region bucket",
@@ -254,7 +277,7 @@
"profiles": [
{
"profile_name": "IBM Cloud Framework for Financial Services",
"profile_version": "1.6.0"
"profile_version": "1.7.0"
}
]
},
@@ -295,7 +318,30 @@
"description": "This architecture supports creating and configuring a secure cross-region bucket."
}
]
}
},
"configuration":[
{
"key": "provider_visibility",
"options": [
{
"displayname": "private",
"value": "private"
},
{
"displayname": "public",
"value": "public"
},
{
"displayname": "public-and-private",
"value": "public-and-private"
}
]
},
{
"key":"instance_cbr_rules"
}
]

},
{
"label": "Secure regional bucket",
@@ -319,7 +365,7 @@
"profiles": [
{
"profile_name": "IBM Cloud Framework for Financial Services",
"profile_version": "1.6.0"
"profile_version": "1.7.0"
}
]
},
@@ -364,7 +410,29 @@
"description": "This architecture supports creating and configuring a regional bucket."
}
]
}
},
"configuration":[
{
"key": "provider_visibility",
"options": [
{
"displayname": "private",
"value": "private"
},
{
"displayname": "public",
"value": "public"
},
{
"displayname": "public-and-private",
"value": "public-and-private"
}
]
},
{
"key":"instance_cbr_rules"
}
]
}
]
}
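Review bot: The `"key":"instance_cbr_rules"` entry added to each new `configuration` array advertises that input for all three flavors, but only `solutions/instance/main.tf` is shown wiring `instance_cbr_rules` through in this commit; if the two bucket solutions do not declare that variable, the catalog offers an input the Terraform has nowhere to put, so that should be checked in their `variables.tf`. The `provider_visibility` option list gives no indication of the default, so it is worth confirming that the secure flavors' variable defaults to `private` rather than relying on the order of the options. Minor: the first two new arrays leave a blank line before the closing `},` and write `"configuration":[` / `"key":"instance_cbr_rules"` without a space after the colon, while the third array and the surrounding file do not, so a formatter pass would make the three blocks identical.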
4 changes: 2 additions & 2 deletions main.tf
@@ -371,7 +371,7 @@ locals {
module "bucket_cbr_rule" {
count = (length(var.bucket_cbr_rules) > 0 && var.create_cos_bucket) ? length(var.bucket_cbr_rules) : 0
source = "terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module"
version = "1.28.1"
version = "1.29.0"
rule_description = var.bucket_cbr_rules[count.index].description
enforcement_mode = var.bucket_cbr_rules[count.index].enforcement_mode
rule_contexts = var.bucket_cbr_rules[count.index].rule_contexts
@@ -406,7 +406,7 @@ module "bucket_cbr_rule" {
module "instance_cbr_rule" {
count = length(var.instance_cbr_rules)
source = "terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module"
version = "1.28.1"
version = "1.29.0"
rule_description = var.instance_cbr_rules[count.index].description
enforcement_mode = var.instance_cbr_rules[count.index].enforcement_mode
rule_contexts = var.instance_cbr_rules[count.index].rule_contexts
2 changes: 1 addition & 1 deletion modules/fscloud/README.md
@@ -94,7 +94,7 @@ module "cos_fscloud" {
|------|--------|---------|
| <a name="module_buckets"></a> [buckets](#module\_buckets) | ../../modules/buckets | n/a |
| <a name="module_cos_instance"></a> [cos\_instance](#module\_cos\_instance) | ../../ | n/a |
| <a name="module_instance_cbr_rules"></a> [instance\_cbr\_rules](#module\_instance\_cbr\_rules) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.28.1 |
| <a name="module_instance_cbr_rules"></a> [instance\_cbr\_rules](#module\_instance\_cbr\_rules) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.29.0 |

### Resources

5 changes: 4 additions & 1 deletion modules/fscloud/main.tf
@@ -60,6 +60,9 @@ locals {
force_delete = config.force_delete
hard_quota = config.hard_quota
add_bucket_name_suffix = config.add_bucket_name_suffix
object_locking_enabled = config.object_locking_enabled
object_lock_duration_days = config.object_lock_duration_days
object_lock_duration_years = config.object_lock_duration_years
}
]
}
@@ -84,7 +87,7 @@ module "instance_cbr_rules" {
depends_on = [module.buckets]
count = length(var.instance_cbr_rules)
source = "terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module"
version = "1.28.1"
version = "1.29.0"
rule_description = var.instance_cbr_rules[count.index].description
enforcement_mode = var.instance_cbr_rules[count.index].enforcement_mode
rule_contexts = var.instance_cbr_rules[count.index].rule_contexts
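Review bot: The three new `object_lock_*` passthroughs in the first hunk forward `config.object_lock_duration_days` and `config.object_lock_duration_years` side by side with no check that at most one of them is set; unless the nested buckets module already rejects the combination, a caller supplying both only finds out at apply time. The `locals` block they sit in starts above the hunk, so the natural place for the rule is a `validation` on the fscloud module's bucket-config variable, or at least a comment on these lines pointing at where it is enforced, e.g. `# days/years retention are mutually exclusive; enforced in modules/buckets`. The fscloud README section for that variable should also document the three new fields, since the hunk adds them to the module's input contract without a description visible here.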
70 changes: 70 additions & 0 deletions solutions/instance/DA-cbr_rules.md
@@ -0,0 +1,70 @@
# Configuring complex inputs for COS in IBM Cloud projects

Several optional input variables in the IBM Cloud [COS deployable architecture](https://cloud.ibm.com/catalog#deployable_architecture) use complex object types. You specify these inputs when you configure deployable architecture.

* Context-Based Restrictions Rules (`instance_cbr_rules`)


## Rules For Context-Based Restrictions <a name="instance_cbr_rules"></a>

The `instance_cbr_rules` input variable allows you to provide a rule for the target service to enforce access restrictions for the service based on the context of access requests. Contexts are criteria that include the network location of access requests, the endpoint type from where the request is sent, etc.

- Variable name: `instance_cbr_rules`.
- Type: A list of objects. Allows only one object representing a rule for the target service
- Default value: An empty list (`[]`).

### Options for instance_cbr_rules

- `description` (required): The description of the rule to create.
- `account_id` (required): The IBM Cloud Account ID
- `rule_contexts` (required): (List) The contexts the rule applies to
- `attributes` (optional): (List) Individual context attributes
- `name` (required): The attribute name.
- `value` (required): The attribute value.

- `enforcement_mode` (required): The rule enforcement mode can have the following values:
- `enabled` - The restrictions are enforced and reported. This is the default.
- `disabled` - The restrictions are disabled. Nothing is enforced or reported.
- `report` - The restrictions are evaluated and reported, but not enforced.
- `tags` (optional): (List) Resource Tags .
- `name` (required): The Tag name.
- `value` (required): The Tag value.
- `operations` (optional): The operations this rule applies to
- `api_types`(required): (List) The API types this rule applies to.
- `api_type_id`(required):The API type ID

### Example Rule For Context-Based Restrictions Configuration

```hcl
instance_cbr_rules = [
{
description = "COS can be accessed from xyz"
account_id = "defc0df06b644a9cabc6e44f55b3880s."
rule_contexts= [{
attributes = [
{
"name" : "endpointType",
"value" : "private"
},
{
name = "networkZoneId"
value = "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret
}
]
}
]
enforcement_mode = "enabled"
resources = [{
tags {
name = "tag_name"
value = "tag_value"
}
}]
operations = [{
api_types = [{
api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
}]
}]
}
]
```
3 changes: 2 additions & 1 deletion solutions/instance/main.tf
@@ -14,6 +14,7 @@ module "cos" {
cos_plan = var.cos_plan
cos_tags = var.cos_tags
access_tags = var.access_tags
instance_cbr_rules = var.instance_cbr_rules
}

resource "ibm_iam_authorization_policy" "secrets_manager_key_manager" {
@@ -68,7 +69,7 @@ module "secrets_manager_service_credentials" {
count = length(local.service_credential_secrets) > 0 ? 1 : 0
depends_on = [time_sleep.wait_for_cos_authorization_policy]
source = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
version = "1.18.12"
version = "1.19.10"
existing_sm_instance_guid = local.existing_secrets_manager_instance_guid
existing_sm_instance_region = local.existing_secrets_manager_instance_region
endpoint_type = var.existing_secrets_manager_endpoint_type
9 changes: 9 additions & 0 deletions solutions/instance/outputs.tf
@@ -6,6 +6,11 @@ output "resource_group_id" {
value = module.resource_group.resource_group_id
}

output "resource_group_name" {
description = "Resource group name"
value = !var.existing_resource_group ? module.resource_group.resource_group_name : var.existing_resource_group
}

output "cos_instance_id" {
description = "COS instance id"
value = module.cos.cos_instance_id
@@ -30,3 +35,7 @@ output "service_credential_secret_groups" {
description = "Service credential secret groups"
value = length(local.service_credential_secrets) > 0 ? module.secrets_manager_service_credentials[0].secret_groups : null
}
output "cos_instance_name" {
description = "The name of the Cloud Object Storage instance"
value = module.cos.cos_instance_name
}
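Review bot: The new `resource_group_name` output uses `var.existing_resource_group` both as a boolean (`!var.existing_resource_group`) and as the returned value, so when an existing group is selected the output is the flag rather than the group's name (and if the variable is a string, the `!` operator fails at plan time). Since the CRA config for this solution passes `TF_VAR_resource_group_name`, the intended expression is probably `value = var.existing_resource_group ? var.resource_group_name : module.resource_group.resource_group_name`; if the resource-group module already resolves the name for existing groups, `value = module.resource_group.resource_group_name` alone is simpler and avoids the conditional. The `cos_instance_name` output in the second hunk is appended directly after the previous block's `}` without the blank line the rest of the file uses between outputs.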
1 change: 1 addition & 0 deletions solutions/instance/provider.tf
@@ -1,4 +1,5 @@
provider "ibm" {
ibmcloud_api_key = var.ibmcloud_api_key
ibmcloud_timeout = 60
visibility = var.provider_visibility
}
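Review bot: `visibility = var.provider_visibility` now decides whether the IBM provider reaches the control plane over public or private endpoints, and nothing in this file constrains the value; if the variable declaration has no `validation` block, a mistyped value only surfaces when the provider initialises. A `condition = contains(["public", "private", "public-and-private"], var.provider_visibility)` on the variable, matching the option list the catalog now advertises, fails fast at plan time with a clear message. A short comment on the argument naming its effect, e.g. `# private keeps provider API traffic on IBM Cloud private endpoints; see var.provider_visibility`, would tell the next reader why the setting matters.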

0 comments on commit b0e81f6
