feat: added CBR (Context Based Restriction) support (#28)

terraform-ibm-modules · May 26, 2023 · 69a468f · 69a468f
1 parent d4b0679
commit 69a468f
Show file tree

Hide file tree

Showing 8 changed files with 209 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -118,7 +118,7 @@ You need the following permissions to run this module.
 ## Examples
 
 - [ Basic example](examples/basic)
-- [ Complete example with BYOK encryption](examples/complete)
+- [ Complete example with BYOK encryption and CBR rules](examples/complete)
 <!-- END EXAMPLES HOOK -->
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
@@ -130,7 +130,9 @@ You need the following permissions to run this module.
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_cbr_rule"></a> [cbr\_rule](#module\_cbr\_rule) | git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-rule-module | v1.2.0 |
 
 ## Resources
 
@@ -145,6 +147,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br>    description = string<br>    account_id  = string<br>    rule_contexts = list(object({<br>      attributes = optional(list(object({<br>        name  = string<br>        value = string<br>    }))) }))<br>    enforcement_mode = string<br>  }))</pre> | `[]` | no |
 | <a name="input_create_timeout"></a> [create\_timeout](#input\_create\_timeout) | Creation timeout value of the Event Streams module. Use 3h when creating enterprise instance, add more 1h for each level of non-default throughput, add more 30m for each level of non-default storage\_size | `string` | `"3h"` | no |
 | <a name="input_delete_timeout"></a> [delete\_timeout](#input\_delete\_timeout) | Deleting timeout value of the Event Streams module | `string` | `"15m"` | no |
 | <a name="input_es_name"></a> [es\_name](#input\_es\_name) | The name to give the IBM Event Streams instance created by this module. | `string` | n/a | yes |

diff --git a/common-dev-assets b/common-dev-assets
diff --git a/cra-tf-validate-ignore-rules.json b/cra-tf-validate-ignore-rules.json
@@ -5,6 +5,12 @@
       "description": " Check whether Event Streams is accessible only by using private endpoints Found in: resource_address: module.event_streams.ibm_resource_instance.es_instance",
       "ignore_reason": "Private endpoint option is not available in Standard plan which the complete example uses. When we create an FSCloud profile example for this module, the CRA scan will be done against that, and that should use private endpoint only. (Tracked at https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/issues/5)",
       "is_valid": true
+    },
+    {
+      "scc_rule_id": "rule-216e2449-27d7-4afc-929a-b66e196a9cf9",
+      "description": "Check whether Flow Logs for VPC are enabled Found in: resource_address: module.event_streams.ibm_resource_instance.es_instance",
+      "ignore_reason": "This rule is not relevant to the module itself, just the VPC resource is used in the example that is scanned",
+      "is_valid": false
     }
   ]
 }
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -1,7 +1,8 @@
-# Complete example with BYOK encryption
+# Complete example with BYOK encryption and CBR rules
 
 An end-to-end example that creates an event streams instance with key protect.
 This example uses the IBM Cloud terraform provider to:
  - Create a new resource group if one is not passed in.
  - Create a Key Protect instance and root key in the provided region.
  - Create a new event streams instance in the resource group and region provided, encrypted with the root key created above, and configured with topics and schemas.
+ - A context-based restriction (CBR) rule to only allow Event Streams to be accessible from within the VPC.
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -23,6 +23,37 @@ module "key_protect_all_inclusive" {
   enable_metrics            = false
 }
 
+##############################################################################
+# Get Cloud Account ID
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+##############################################################################
+# VPC
+##############################################################################
+resource "ibm_is_vpc" "example_vpc" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+##############################################################################
+# Create CBR Zone
+##############################################################################
+module "cbr_zone" {
+  source           = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-zone-module?ref=v1.2.0"
+  name             = "${var.prefix}-VPC-network-zone"
+  zone_description = "CBR Network zone representing VPC"
+  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  addresses = [{
+    type  = "vpc", # to bind a specific vpc to the zone
+    value = ibm_is_vpc.example_vpc.crn,
+  }]
+}
+
+
 ##############################################################################
 # Events-streams-instance
 ##############################################################################
@@ -37,4 +68,22 @@ module "event_streams" {
   schemas                    = var.schemas
   tags                       = var.resource_tags
   topics                     = var.topics
+  cbr_rules = [
+    {
+      description      = "${var.prefix}-event stream access only from vpc"
+      enforcement_mode = "enabled"
+      account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+      rule_contexts = [{
+        attributes = [
+          {
+            "name" : "endpointType",
+            "value" : "private"
+          },
+          {
+            name  = "networkZoneId"
+            value = module.cbr_zone.zone_id
+        }]
+      }]
+    }
+  ]
 }
diff --git a/main.tf b/main.tf
@@ -84,3 +84,34 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
   target_resource_instance_id = var.existing_kms_instance_guid
   roles                       = ["Reader"]
 }
+
+##############################################################################
+# Context Based Restrictions
+##############################################################################
+module "cbr_rule" {
+  count            = length(var.cbr_rules) > 0 ? length(var.cbr_rules) : 0
+  source           = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-rule-module?ref=v1.2.0"
+  rule_description = var.cbr_rules[count.index].description
+  enforcement_mode = var.cbr_rules[count.index].enforcement_mode
+  rule_contexts    = var.cbr_rules[count.index].rule_contexts
+  resources = [{
+    attributes = [
+      {
+        name     = "accountId"
+        value    = var.cbr_rules[count.index].account_id
+        operator = "stringEquals"
+      },
+      {
+        name     = "serviceInstance"
+        value    = ibm_resource_instance.es_instance.guid
+        operator = "stringEquals"
+      },
+      {
+        name     = "serviceName"
+        value    = "messagehub"
+        operator = "stringEquals"
+      }
+    ]
+  }]
+  operations = []
+}
diff --git a/module-metadata.json b/module-metadata.json
@@ -1,6 +1,23 @@
 {
   "path": ".",
   "variables": {
+    "cbr_rules": {
+      "name": "cbr_rules",
+      "type": "list(object({\n    description = string\n    account_id  = string\n    rule_contexts = list(object({\n      attributes = optional(list(object({\n        name  = string\n        value = string\n    }))) }))\n    enforcement_mode = string\n  }))",
+      "description": "(Optional, list) List of CBR rules to create",
+      "default": [],
+      "source": [
+        "module.cbr_rule",
+        "module.cbr_rule",
+        "module.cbr_rule",
+        "module.cbr_rule",
+        "module.cbr_rule"
+      ],
+      "pos": {
+        "filename": "variables.tf",
+        "line": 158
+      }
+    },
     "create_timeout": {
       "name": "create_timeout",
       "type": "string",
@@ -360,5 +377,82 @@
     }
   },
   "data_resources": {},
-  "module_calls": {}
+  "module_calls": {
+    "cbr_rule": {
+      "name": "cbr_rule",
+      "source": "git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-rule-module?ref=v1.2.0",
+      "attributes": {
+        "count": "cbr_rules",
+        "enforcement_mode": "cbr_rules",
+        "resources": "cbr_rules",
+        "rule_contexts": "cbr_rules",
+        "rule_description": "cbr_rules"
+      },
+      "managed_resources": {
+        "ibm_cbr_rule.cbr_rule": {
+          "mode": "managed",
+          "type": "ibm_cbr_rule",
+          "name": "cbr_rule",
+          "attributes": {
+            "description": "rule_description",
+            "enforcement_mode": "enforcement_mode"
+          },
+          "provider": {
+            "name": "ibm"
+          },
+          "pos": {
+            "filename": ".terraform/modules/cbr_rule/cbr-rule-module/main.tf",
+            "line": 7
+          }
+        }
+      },
+      "data_resources": {},
+      "outputs": {
+        "rule_crn": {
+          "name": "rule_crn",
+          "description": "CBR rule resource instance crn",
+          "value": "ibm_cbr_rule.cbr_rule.crn",
+          "pos": {
+            "filename": ".terraform/modules/cbr_rule/cbr-rule-module/outputs.tf",
+            "line": 15
+          },
+          "type": "TypeString",
+          "cloud_data_type": "crn"
+        },
+        "rule_description": {
+          "name": "rule_description",
+          "description": "CBR rule resource instance description",
+          "value": "ibm_cbr_rule.cbr_rule.description",
+          "pos": {
+            "filename": ".terraform/modules/cbr_rule/cbr-rule-module/outputs.tf",
+            "line": 5
+          },
+          "type": "TypeString"
+        },
+        "rule_href": {
+          "name": "rule_href",
+          "description": "CBR rule resource href",
+          "value": "ibm_cbr_rule.cbr_rule.href",
+          "pos": {
+            "filename": ".terraform/modules/cbr_rule/cbr-rule-module/outputs.tf",
+            "line": 20
+          },
+          "type": "TypeString"
+        },
+        "rule_id": {
+          "name": "rule_id",
+          "description": "CBR rule resource instance id",
+          "value": "ibm_cbr_rule.cbr_rule.id",
+          "pos": {
+            "filename": ".terraform/modules/cbr_rule/cbr-rule-module/outputs.tf",
+            "line": 10
+          }
+        }
+      },
+      "pos": {
+        "filename": "main.tf",
+        "line": 91
+      }
+    }
+  }
 }
diff --git a/variables.tf b/variables.tf
@@ -150,3 +150,23 @@ variable "delete_timeout" {
   description = "Deleting timeout value of the Event Streams module"
   default     = "15m"
 }
+
+##############################################################
+# Context-based restriction (CBR)
+##############################################################
+
+variable "cbr_rules" {
+  type = list(object({
+    description = string
+    account_id  = string
+    rule_contexts = list(object({
+      attributes = optional(list(object({
+        name  = string
+        value = string
+    }))) }))
+    enforcement_mode = string
+  }))
+  description = "(Optional, list) List of CBR rules to create"
+  default     = []
+  # Validation happens in the rule module
+}
+2 −2		common-go-assets/cloudinfo-region-power-prefs.yaml
+2 −2		commonRenovateConfig.json
+1 −1		module-assets/.pre-commit-config.yaml
+1 −1		module-assets/ci/install-deps.sh
+20 −3		module-assets/ci/module-template-automation/.terraform-docs-config-template-module.yaml
+3 −1		module-assets/ci/run-tests.sh
+1 −1		scripts/update-source/requirements.txt