Merge remote-tracking branch 'internal/main'
jvallexm committed Apr 5, 2024
2 parents 3e235b2 + b762ab4 commit b35d322
Showing 144 changed files with 4,897 additions and 2,506 deletions.
164 changes: 144 additions & 20 deletions .docs/access-policies.md
Expand Up @@ -9,30 +9,154 @@ The following account settings should be enabled:
- Activate Virtual routing and forwarding
- Service endpoints

## Access policies
The API key used for the `ibmcloud_api_key` variable during Terraform or Schematics `apply` must have the necessary access to create and manage the resources in the project. The following steps list how to create and access group with the required access.
## Automation of Access Policy Creation

The `access.sh` script automates the creation of 3 access groups which assign all required access policies needed for CRAIG deployment, application runtime, and provisioning of all resources depending on the use case.

### Prerequisites

- _To use this script, users must have the following type of access in your Cloud Account:_
- **_Account owner_**
- **_Administrator or editor on the IAM Access Groups account management service in the account_**
- **_Administrator or editor for the All Account Management services_**

- _Requires that the ibmcloud CLI be installed and a ibmcloud login has been performed prior to running the script (or run using the IBM Cloud Shell)._

### Access Groups that are created

- _1st Access Group: craig-deployer:_

Assigns all access policies required for the service ID or user account that is logged into the ibmcloud CLI when running the deploy.sh script in order to create a Code Engine project, Container Registry namespace, application, image build, and secrets. This access is also needed by the service ID or user account owning the API key specified to the deploy.sh script to successfully create a schematics workspace, and PowerVS workspaces in every PowerVS zone when running deploy.sh with the `-z` parameter.


- _2nd Access Group: craig-application:_

Assigns all access required for CRAIG to dynamically fetch account information such as VSI & Power VS images, storage tiers, and storage pools from IBM Cloud, as well as the ability to create and upload data to schematics workspaces.

Note: If you deploy CRAIG with the deploy.sh script then this access group must be assigend to the service ID or user account that owns the API key you give deploy.sh. It is good practice to make sure that a service ID or user account is assigned to both the craig-deployer and craig-application access groups before deploying and using CRAIG.



- _3rd Access Group: craig-terraform-applier:_

Assigns high level access required to create resources through Terraform or Schematics "Apply" on the service ID or user account owning the API key set on the API key variable of the CRAIG generated Terraform.



### Configuring the access script
If you're running the script within IBM Cloud Shell then you must run the following two commands to download the `access.sh` script and make it executable:
```bash
wget https://raw.githubusercontent.com/IBM/CRAIG/main/access.sh
chmod 755 access.sh
```
If you are running the access script locally, first make sure you are logged into IBM Cloud, then simply make sure your in the root CRAIG directory and make the script executable:
```bash
chmod 755 access.sh
```

### Running the access script


The script can be run without any parameters to automatically create your access groups:

```bash
./access.sh
```

This script can also delete the access groups created when the delete flag `-d` is passed:

```bash
./access.sh -d
```
For the more information about the script, specify the `-h` parameter:

```
./access.sh -h
```

**_After running the script, users should navigate to the IBM Cloud UI to assign users/service IDs to the respective access groups before deploying and using CRAIG._**

## Creating Access Groups Manually

Users can also create and define access groups and policies for CRAIG use manually. Below are detailed instructions on how to create the access groups and policies needed for CRAIG deployment, application runtime, and provisioning of all resources depending on the use case.

### CRAIG Deployment Access Group

The service ID or user account that is logged into the ibmcloud CLI when running the `deploy.sh` script must have the following necessary access policies in order to create a Code Engine project, Container Registry namespace, application, image build, and secrets.

_This access is also needed by the service ID or user account owning the API key specified to the `deploy.sh` script to successfully create a schematics workspace, and PowerVS workspaces in every PowerVS zone when running `deploy.sh` with the `-z` parameter._

The following steps list how to create an access group with these required access policies:

- Create Access Group
- Manage -> Access (IAM) -> Access Groups -> Create +
- Name the access group _(i.e. CRAIG Deployment)_
- Add users and/or service IDs as needed
- Navigate to Access tab -> Assign access +
- Create an access policy for each of the following:

| Service | Resources | Access |
|- |- |- |
| Code Engine | All | Writer, Editor |
| Container Registry | All | Manager |
| Resource Group Only | All resource groups in the account | Viewer, Editor |
| Schematics | All | Manager, Editor |
| Workspace for Power Virtual Server | All | Manager, Editor |

### CRAIG Application Access Group

The service ID or user account owning the API key given to the `deploy.sh` script must have the following necessary access policies in order for CRAIG to dynamically fetch account information such as VSI & Power VS images, storage tiers, and storage pools from IBM Cloud, as well as the ability to create and upload data to schematics workspaces.

_It is good practice to make sure that a service ID or user account is assigned to both the CRAIG Deployment and Application Access Groups._

The following steps list how to create an access group with these required access policies:

- Create Access Group
- Manage -> Access (IAM) -> Access Groups -> Create +
- Name the access group "base-infrastructure"
- Add users +
- Name the access group _(i.e. CRAIG Application)_
- Add users and/or service IDs as needed
- Navigate to Access tab -> Assign access +
- Create access for each of the following:
- Create an access policy for each of the following:

| Service | Resources | Access |
|- |- |- |
| Container Registry | All | Reader, Viewer |
| Kubernetes Service | All | Reader, Viewer |
| Resource Group Only | All resource groups in the account | Viewer, Editor |
| Schematics | All | Manager, Editor |
| VPC Infrastructure Services | All | Reader, Viewer |
| Workspace for Power Virtual Server | All | Reader, Editor |


### CRAIG Terraform Applier Access Group

The service ID or user account owning the API key specified for the `ibmcloud_api_key` variable during Terraform or Schematics `apply` must have the following necessary access policies to create and manage the resources in the project.

The following steps list how to create an access group with these required access policies:

- Create Access Group
- Manage -> Access (IAM) -> Access Groups -> Create +
- Name the access group _(i.e. CRAIG Terraform Applier)_
- Add users and/or service IDs as needed
- Navigate to Access tab -> Assign access +
- Create an access policy for each of the following:

| Service | Resources | Access |
|- |- |- |
| All Account Management services | All | Administrator |
| All IAM Account Management services | All | UserApiKeyCreator |
| All Identity and Access enabled services | All | Writer, Editor, Operator, Administrator |
| Cloud Object Storage | All | Administrator |
| Direct Link | All | Editor |
| Hyper Protect Crypto Services | All | Manager, Vault Administrator, Key Custodian - Deployer, KMS Key Purge Role, Certificate Manager, Administrator |
| IBM Cloud Monitoring | All | Editor |
| Internet Services | All | Manager |
| Key Protect | All | Manager, Administrator |
| Secrets Manager | All | Manager, Administrator |
| Transit Gateway | All | Editor |
| VPC Infrastructure Services | All | Administrator, Manager, IP Spoofing Operator |
| Workspace for Power Systems Virtual Server | All | Manager, Editor |
| Service | Resources | Access |
|- |- |- |
| All Account Management services | All | Administrator |
| All Identity and Access enabled services | All | Writer, Editor, Operator, Administrator |
| Cloud Object Storage | All | Manager, Administrator |
| Direct Link | All | Editor |
| Hyper Protect Crypto Services | All | Manager, Vault Administrator, Key Custodian - Deployer, KMS Key Purge Role, Certificate Manager, Administrator |
| IBM Cloud Monitoring | All | Editor |
| Internet Services | All | Manager |
| Key Protect | All | Manager, Administrator |
| Secrets Manager | All | Manager, Administrator |
| Transit Gateway | All | Editor |
| VPC Infrastructure Services | All | Manager, IP Spoofing Operator, Administrator |
| Workspace for Power Systems Virtual Server | All | Manager, Editor |

**_After creating access groups manually, users should navigate to the IBM Cloud UI to assign users/service IDs to the respective access groups before deploying and using CRAIG._**

## Authorization Policies
The following authorization policies should be created.
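Review bot: the new craig-terraform-applier table adds `All IAM Account Management services | All | UserApiKeyCreator` on top of `All Account Management services | All | Administrator`, but the prose only says the group "assigns high level access"; the doc should state which part of the generated Terraform needs the applier identity to create user API keys, and should say plainly that this group is account-wide Administrator and therefore belongs on a dedicated service ID rather than a personal user account. In the same table the old row `Cloud Object Storage | All | Manager, Administrator` becomes `Cloud Object Storage | All | Administrator`; confirm dropping the Manager service role is intentional, since Administrator is a platform role and does not by itself grant bucket-level service actions. Smaller points in this hunk: the `./access.sh -h` fence lacks the `bash` tag the other fences use; "assigend" should be "assigned" and "make sure your in the root CRAIG directory" should be "make sure you are in the root CRAIG directory"; and the Cloud Shell step fetches `access.sh` from the `main` branch via `wget`, so consider pointing the URL at a tagged release and publishing a checksum so users execute a reviewed copy rather than whatever is on the branch at that moment.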
2 changes: 1 addition & 1 deletion .docs/schematics-how-to.md
Expand Up @@ -8,7 +8,7 @@ The `API_KEY` variable must be set in the `.env`. If CRAIG is deployed in IBM Co

### Access Policy
In order to allow Schematics integration, users should make sure they have the following access policy roles for the Schematics service:
>* `Writer` or greater Service access
>* `Manager` Service access
>* `Editor` or greater Platform access
These roles allow the integration with Schematics including the Schematics workspace creation and the upload of the project. However, to create and manage the IBM Cloud resources in the template, you must be assigned the IAM platform or service access role for the individual IBM Cloud resources that are in the template. See the IBM Cloud documentation for the various services for specific roles required.
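Review bot: the blockquoted role list has no blank line before "These roles allow the integration with Schematics...", so in rendered Markdown that paragraph is absorbed into the quote as a continuation of the last bullet; add a blank line after `>* \`Editor\` or greater Platform access`. The change from `Writer` or greater to `Manager` Service access tightens the requirement; a short reason (which Schematics operation needs Manager) would stop readers from falling back to Writer, and the wording should stay in sync with the README, which makes the same change and with the `Schematics | All | Manager, Editor` rows in the access-policies tables.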
5 changes: 4 additions & 1 deletion .gitignore
Expand Up @@ -11,6 +11,7 @@ config_test/
config_test.tf
dev.*
.env
workspaceids.env
node_modules/
frog.*
terraform.tfvars
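Review bot: ignoring `workspaceids.env` next to `.env` is the right call for a per-deployment file of workspace identifiers; if the repository carries a `.dockerignore`, mirror the entry there so a stray local copy is not baked into the container image during `docker build`.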
Expand All @@ -32,4 +33,6 @@ tfxjs.tfvars
/build
.icse/
tf-test/
dev/
dev/

vars.yml
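Review bot: `vars.yml` is appended after a blank line following `dev/`, which is harmless but inconsistent with the rest of the file; drop the blank line and, as for the other generated files in this block, a one-word comment on what writes `vars.yml` would tell future maintainers it is generated output rather than a checked-in default.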
35 changes: 25 additions & 10 deletions CHANGELOG.md
Expand Up @@ -2,10 +2,34 @@

All notable changes to this project will be documented in this file.

## 1.14.0
## 1.14.1

### Upgrade Notes

- Removed unused artifacts from JSON-to-IaC code
- Images are now saved as `craig.png` regardless of project name

### Features

- VPN Gateway Connections are now enabled automatically by default. To revert to manual connection, set the `Connection Enabled` toggle on the connection form to `false`
- Cloud Internet Services Domains now support multiple subdomains and the `-` character
- Additional prefixes being created for VPN Servers now depend on the VPN Server for creation to prevent overlap
- The `advanced` toggle for Subnet Tiers is now hidden in the modal as intended. To create subnets with custom CIDR blocks, first create a subnet tier, then toggle the `Advanced Configuration` toggle and then click the `Save` icon. We are currently looking for a solution to make this feature easier to use
- Users can now validate images for VPC and Power VS VSI at any time by clicking the new `Validate Images` button in the top navigation bar
- In the `/v2/vpcDeployments` page, an additional `+` button has been added to each VPC to make the creation of additional resources faster and more seamless

### Fixes

- Fixed an issue with Power VS SSH Key outputs not having the correct field for `name`
- Fixed an issue causing Classic SSH Key Modal Forms to crash the page when adding a public key
- Fixed a bug causing Subnet Tier form to crash when changing to advanced
- Fixed a bug causing the optional Key Management Encryption Keys `key_ring` to show as invalid when it is not required
- Fixed a bug causing VPN Servers to have additional prefix zone number to unintentionally reset
- Fixed an issue causing VPC Virtual Server user data to be templated incorrectly in Terraform output
- Fixed an issue causing JSON-to-IaC for Network ACLs with no rules to fail at time of apply
- Fixed an issue causing ACL Rule names in modals to not show as invalid when the rule name is a duplicate of an existing rule name

## 1.14.0

### Features

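Review bot: the new `## 1.14.1` entry inserted above 1.14.0 carries a six-item `### Features` list (automatic VPN Gateway Connections, the `Validate Images` button, the extra `+` button on `/v2/vpcDeployments`), which under semantic versioning would be a minor release rather than a patch; either make it 1.15.0 or note why these ship as a patch. The first upgrade note, "Removed unused artifacts from JSON-to-IaC code", describes no action an upgrading user must take and reads better under Fixes. The fix line "Fixed a bug causing VPN Servers to have additional prefix zone number to unintentionally reset" needs rewording, e.g. "Fixed a bug causing the additional prefix zone number on VPN Servers to reset unintentionally". Since VPN Gateway Connections are now enabled automatically by default, the upgrade notes should also say whether connections in previously saved projects are switched to enabled when the project is loaded.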
Expand Down Expand Up @@ -103,9 +127,6 @@ All notable changes to this project will be documented in this file.

## 1.12.1

### Upgrade Notes


### Features

- Users can now use the `Trial` plan for secrets manager
Expand Down Expand Up @@ -302,9 +323,6 @@ All notable changes to this project will be documented in this file.
- Power VS Instance health status has been removed as it is not used for infrastructure provisioning
- When changing a Power VS Workspace name, instances and volumes in that workspace will also be updated with the new name

### Features


### Fixes

- Fixed an issue causing Power VS Instance page to crash when loading map of storage pools
Expand Down Expand Up @@ -408,9 +426,6 @@ All notable changes to this project will be documented in this file.

## 1.4.0

### Upgrade Notes


### Features

- Users are now shown a loading modal after a creating a schematics workspace or uploading to an existing workspace.
15 changes: 9 additions & 6 deletions README.md
Expand Up @@ -29,11 +29,12 @@ CRAIG configures infrastructure using JSON to create full VPC networks, manage s

## Installation

1. [Running CRAIG Application Locally](#running-craig-application-locally)
2. [Deploying To IBM Code Engine](#deploying-to-ibm-code-engine)
3. [Building Local CRAIG Container Image](#building-local-container-image)
4. [Setting Up CRAIG Development Environment](.docs/dev-env-setup.md)
5. [Power VS Workspace Deployment](.docs/power-vs-workspace-deployment.md)
1. [Permission Requirements for CRAIG](.docs/access-policies.md)
2. [Running CRAIG Application Locally](#running-craig-application-locally)
3. [Deploying To IBM Code Engine](#deploying-to-ibm-code-engine)
4. [Building Local CRAIG Container Image](#building-local-container-image)
5. [Setting Up CRAIG Development Environment](.docs/dev-env-setup.md)
6. [Power VS Workspace Deployment](.docs/power-vs-workspace-deployment.md)

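Review bot: putting "Permission Requirements for CRAIG" first in the Installation list is correct, because the access groups have to exist before `deploy.sh` can run; the item text could mention that `access.sh` automates the setup so readers do not assume the manual procedure is the only option.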
---

Expand Down Expand Up @@ -74,6 +75,8 @@ IBM Code Engine is a fully managed serverless platform. CRAIG "scales to zero" i

Within the root directory is a script `deploy.sh` which deploys CRAIG to IBM Cloud Code Engine.

_Note: CRAIG has the ability to automate the creation of all the access policies listed below using the `access.sh` script. For more information, refer to our [Access Policy documentation](.docs/access-policies.md)._

Users should make sure they have the following access policy roles for the IBM Code Engine service set within their IBM Cloud Account:

>* `Writer` or greater Service access
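Review bot: the added note says `access.sh` creates "all the access policies listed below", but what follows is the list of Code Engine roles a single identity needs, while `access.sh` (per the access-policies.md hunk) creates three access groups that users still have to be assigned to afterwards; phrase it as "creates access groups carrying the policies listed below" and repeat that users must assign themselves or a service ID to the groups, so the note does not read as if the script grants the roles directly.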
Expand Down Expand Up @@ -114,7 +117,7 @@ By default the script will securely prompt you for your API key. It may also be

The deploy script uses a Schematics workspace and Terraform to drive the creation and deletion of the Power Virtual Server workspaces. In order to allow Schematics integration, users should make sure they have the following access policy roles for the Schematics service set within their IBM Cloud Account:

>* `Writer` or greater Service access
>* `Manager` Service access
>* `Editor` or greater Platform access
Once access policy roles for the Schematics service are properly configured, users can specify the `-z` parameter to automatically create the Power Virtual Server workspaces alongside your CRAIG deployment:
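Review bot: there is no blank line between `>* \`Editor\` or greater Platform access` and "Once access policy roles for the Schematics service are properly configured...", so the sentence renders inside the blockquote as part of the last bullet; insert one. Changing `Writer` or greater to `Manager` Service access here keeps the README consistent with `.docs/schematics-how-to.md` and with the `Schematics | All | Manager, Editor` row in the access-policies tables.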