feat: added fscloud profile (#19)

* feat: added fscloud profile

* feat: fixed pr_test

* feat: fixed pr_test

* feat: fixed ci env vars

* feat: added kms_encryption_enabled variable and cra ignore

* feat: fscloud profile fixes

* feat: fscloud profile fixes

* feat: fscloud profile fixes

* feat: fscloud profile fixes

* feat: fscloud profile fixes

* refactor: added standard plan for basic ex.

* refactor: removed rule form ignore file (CRA v1.36)

* Revert "refactor: removed rule form ignore file (CRA v1.36)"

This reverts commit 465a5a1.

* refactor: addressed the review comments

* refactor: addressed the review comments

* refactor: addressed the review comments

* refactor: addressed the review comments

* doc: addressed review comments

* doc: addressed review comments

* refactor: removed cbr from complete ex and skipping upgrade test

* refactor: added the complete ex back in pr test

* refactor: modified readme

* refactor: modified complete ex and SKIP UPGRADE TEST due to CBR in main complete ex

.github/settings.yml

@@ -23,5 +23,5 @@ repository:
   # Uncomment this description property
   # and update the description to the current repo description.
   description: "Module that supports provisioning and configuring IBM Cloud Event Streams"
-  
+
   topics: core-team, terraform, ibm-cloud, terraform-module, event-streams, kafka

.github/workflows/ci.yml

@@ -11,6 +11,6 @@ jobs:
     secrets: inherit
     with:
       craSCCv2: true
-      craTarget: "examples/complete"
+      craTarget: "examples/fscloud"
       craRuleIgnoreFile: "cra-tf-validate-ignore-rules.json"
-      craEnvironmentVariables: "TF_VAR_existing_at_instance_crn=${{ vars.AT_INSTANCE_CRN }}"
+      craEnvironmentVariables: "TF_VAR_existing_kms_instance_guid=${{ vars.HPCS_SOUTH_GUID }},TF_VAR_kms_key_crn=${{ vars.HPCS_SOUTH_KEY_CRN }}"

.secrets.baseline

@@ -3,14 +3,17 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-05-05T09:58:47Z",
+  "generated_at": "2023-05-31T21:39:59Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
     },
     {
       "name": "ArtifactoryDetector"
     },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
     {
       "base64_limit": 4.5,
       "name": "Base64HighEntropyString"
@@ -28,6 +31,9 @@
       "ghe_instance": "github.ibm.com",
       "name": "GheDetector"
     },
+    {
+      "name": "GitHubTokenDetector"
+    },
     {
       "hex_limit": 3,
       "name": "HexHighEntropyString"
@@ -48,6 +54,9 @@
     {
       "name": "MailchimpDetector"
     },
+    {
+      "name": "NpmDetector"
+    },
     {
       "name": "PrivateKeyDetector"
     },
@@ -57,6 +66,9 @@
     {
       "name": "SoftlayerDetector"
     },
+    {
+      "name": "SquareOAuthDetector"
+    },
     {
       "name": "StripeDetector"
     },

README.md

@@ -117,7 +117,8 @@ You need the following permissions to run this module.
 ## Examples
 
 - [ Basic example](examples/basic)
-- [ Complete example with BYOK encryption and CBR rules](examples/complete)
+- [ Complete example with topics and schema creation and BYOK encryption](examples/complete)
+- [ Financial Services Cloud profile example](examples/fscloud)
 <!-- END EXAMPLES HOOK -->
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements

cra-tf-validate-ignore-rules.json

@@ -2,13 +2,13 @@
   "scc_rules": [
     {
       "scc_rule_id": "rule-3b2768e5-d783-4b0c-a47f-81479af34689",
-      "description": " Check whether Event Streams is accessible only by using private endpoints Found in: resource_address: module.event_streams.ibm_resource_instance.es_instance",
-      "ignore_reason": "Private endpoint option is not available in Standard plan which the complete example uses. When we create an FSCloud profile example for this module, the CRA scan will be done against that, and that should use private endpoint only. (Tracked at https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/issues/5)",
-      "is_valid": true
+      "description": " Check whether Event Streams is accessible only by using private endpoints.",
+      "ignore_reason": "Failing due to known CRA bug (https://github.ibm.com/oneibmcloud/CD-CRA/issues/1820)",
+      "is_valid": false
     },
     {
       "scc_rule_id": "rule-216e2449-27d7-4afc-929a-b66e196a9cf9",
-      "description": "Check whether Flow Logs for VPC are enabled Found in: resource_address: module.event_streams.ibm_resource_instance.es_instance",
+      "description": "Check whether Flow Logs for VPC are enabled.",
       "ignore_reason": "This rule is not relevant to the module itself, just the VPC resource is used in the example that is scanned",
       "is_valid": false
     }

examples/basic/main.tf

@@ -18,5 +18,5 @@ module "event_streams" {
   resource_group_id = module.resource_group.resource_group_id
   es_name           = "${var.prefix}-es"
   tags              = var.resource_tags
-  plan              = "lite"
+  plan              = "standard"
 }

examples/complete/README.md

@@ -1,8 +1,7 @@
-# Complete example with BYOK encryption and CBR rules
+# Complete example with topics and schema creation and BYOK encryption
 
 An end-to-end example that creates an event streams instance with key protect.
 This example uses the IBM Cloud terraform provider to:
  - Create a new resource group if one is not passed in.
  - Create a Key Protect instance and root key in the provided region.
  - Create a new event streams instance in the resource group and region provided, encrypted with the root key created above, and configured with topics and schemas.
- - A context-based restriction (CBR) rule to only allow Event Streams to be accessible from within the VPC.

examples/complete/main.tf

@@ -23,37 +23,6 @@ module "key_protect_all_inclusive" {
   enable_metrics            = false
 }
 
-##############################################################################
-# Get Cloud Account ID
-##############################################################################
-
-data "ibm_iam_account_settings" "iam_account_settings" {
-}
-
-##############################################################################
-# VPC
-##############################################################################
-resource "ibm_is_vpc" "example_vpc" {
-  name           = "${var.prefix}-vpc"
-  resource_group = module.resource_group.resource_group_id
-  tags           = var.resource_tags
-}
-
-##############################################################################
-# Create CBR Zone
-##############################################################################
-module "cbr_zone" {
-  source           = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-zone-module?ref=v1.2.0"
-  name             = "${var.prefix}-VPC-network-zone"
-  zone_description = "CBR Network zone representing VPC"
-  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
-  addresses = [{
-    type  = "vpc", # to bind a specific vpc to the zone
-    value = ibm_is_vpc.example_vpc.crn,
-  }]
-}
-
-
 ##############################################################################
 # Events-streams-instance
 ##############################################################################
@@ -68,22 +37,4 @@ module "event_streams" {
   schemas                    = var.schemas
   tags                       = var.resource_tags
   topics                     = var.topics
-  cbr_rules = [
-    {
-      description      = "${var.prefix}-event stream access only from vpc"
-      enforcement_mode = "enabled"
-      account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
-      rule_contexts = [{
-        attributes = [
-          {
-            "name" : "endpointType",
-            "value" : "private"
-          },
-          {
-            name  = "networkZoneId"
-            value = module.cbr_zone.zone_id
-        }]
-      }]
-    }
-  ]
 }

examples/fscloud/README.md

@@ -0,0 +1,17 @@
+ # Financial Services Cloud profile example
+
+An end-to-end example that uses the [Profile for IBM Cloud Framework for Financial Services](../../profiles/fscloud/) to deploy an instance of Event Streams.
+
+The example uses the IBM Cloud Terraform provider to create the following infrastructure:
+
+- A resource group, if one is not passed in.
+- An IAM authorization between all Event Stream instances in the given resource group and the Hyper Protect Crypto Services instance that is passed in.
+- An Event Streams instance that is encrypted with the Hyper Protect Crypto Services root key that is passed in.
+- A sample virtual private cloud (VPC).
+- A context-based restriction (CBR) rule to only allow Event Streams to be accessible from within the VPC.
+
+:exclamation: **Important:** In this example, only the Event Streams instance complies with the IBM Cloud Framework for Financial Services. Other parts of the infrastructure do not necessarily comply.
+
+## Before you begin
+
+- You need a Hyper Protect Crypto Services instance and root key available in the region that you want to deploy your Event Streams instance to.

examples/fscloud/main.tf

@@ -0,0 +1,82 @@
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-resource-group.git?ref=v1.0.5"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##############################################################################
+# Get Cloud Account ID
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+##############################################################################
+# VPC
+##############################################################################
+resource "ibm_is_vpc" "example_vpc" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+resource "ibm_is_subnet" "testacc_subnet" {
+  name                     = "${var.prefix}-subnet"
+  vpc                      = ibm_is_vpc.example_vpc.id
+  zone                     = "${var.region}-1"
+  total_ipv4_address_count = 256
+  resource_group           = module.resource_group.resource_group_id
+}
+
+##############################################################################
+# Create CBR Zone
+##############################################################################
+module "cbr_zone" {
+  source           = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-zone-module?ref=v1.2.0"
+  name             = "${var.prefix}-VPC-network-zone"
+  zone_description = "CBR Network zone representing VPC"
+  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  addresses = [{
+    type  = "vpc", # to bind a specific vpc to the zone
+    value = ibm_is_vpc.example_vpc.crn,
+  }]
+}
+
+
+# #############################################################################
+# Events-streams-instance
+# #############################################################################
+
+module "event_streams" {
+  source                     = "../../profiles/fscloud"
+  resource_group_id          = module.resource_group.resource_group_id
+  es_name                    = "${var.prefix}-es-fs"
+  kms_key_crn                = var.kms_key_crn
+  existing_kms_instance_guid = var.existing_kms_instance_guid
+  schemas                    = var.schemas
+  tags                       = var.resource_tags
+  topics                     = var.topics
+  cbr_rules = [
+    {
+      description      = "${var.prefix}-event stream access only from vpc"
+      enforcement_mode = "enabled"
+      account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+      rule_contexts = [{
+        attributes = [
+          {
+            "name" : "endpointType",
+            "value" : "private"
+          },
+          {
+            name  = "networkZoneId"
+            value = module.cbr_zone.zone_id
+        }]
+      }]
+    }
+  ]
+}

examples/fscloud/outputs.tf

@@ -0,0 +1,33 @@
+##############################################################################
+# Outputs
+##############################################################################
+
+output "resource_group_name" {
+  description = "Resource group name"
+  value       = module.resource_group.resource_group_name
+}
+
+output "resource_group_id" {
+  description = "Resource group ID"
+  value       = module.resource_group.resource_group_id
+}
+
+output "crn" {
+  description = "Event Streams instance crn"
+  value       = module.event_streams.crn
+}
+
+output "guid" {
+  description = "Event Streams instance guid"
+  value       = module.event_streams.guid
+}
+
+output "kafka_brokers_sasl" {
+  description = "(Array of Strings) Kafka brokers use for interacting with Kafka native API"
+  value       = module.event_streams.kafka_brokers_sasl
+}
+
+output "kafka_http_url" {
+  description = "The API endpoint to interact with Event Streams REST API"
+  value       = module.event_streams.kafka_http_url
+}

examples/fscloud/provider.tf

@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}

examples/fscloud/variables.tf

@@ -0,0 +1,65 @@
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API Key"
+  sensitive   = true
+}
+
+variable "region" {
+  type        = string
+  description = "Region to provision all resources created by this example"
+  default     = "us-south"
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix to append to all resources created by this example"
+  default     = "fs-cloud"
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "List of tags associated with the Event Steams instance"
+  default     = []
+}
+
+variable "schemas" {
+  type = list(object(
+    {
+      schema_id = string
+      schema = object({
+        type = string
+        name = string
+      })
+    }
+  ))
+  description = "The list of schema object which contains schema id and format of the schema"
+  default     = []
+}
+
+variable "topics" {
+  type = list(object(
+    {
+      name       = string
+      partitions = number
+      config     = object({})
+    }
+  ))
+  description = "List of topics. For lite plan only one topic is allowed."
+  default     = []
+}
+
+variable "existing_kms_instance_guid" {
+  description = "The GUID of the Hyper Protect Crypto service in which the key specified in var.kms_key_crn is coming from"
+  type        = string
+}
+
+variable "kms_key_crn" {
+  type        = string
+  description = "The root key CRN of a Hyper Protect Crypto Service (HPCS) that you want to use for disk encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs&interface=ui for more information on integrating HPCS with Event Streams instance."
+}

examples/fscloud/version.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = "1.49.0"
+    }
+  }
+}