feat: added new boolean variable kms_encryption_enabled which is now required to enable KMS encryption (#26)
ocofaigh authored May 22, 2023
1 parent 382b145 commit d4b0679
Showing 13 changed files with 126 additions and 93 deletions.
23 changes: 8 additions & 15 deletions README.md
@@ -1,12 +1,4 @@
<!-- BEGIN MODULE HOOK -->

<!-- Update the title to match the module name and add a description -->
# Event Streams Module
<!-- UPDATE BADGES:
1. Make sure that the badge link for the current status of the module is correct. For the status options, see https://github.com/terraform-ibm-modules/documentation/blob/main/status.md.
2. Update the "Build Status" badge to point to the travis pipeline for the module. Replace "module-template" in two places.
3. Update the "latest release" badge to point to the new module. Replace "module-template" in two places.
-->

[![Stable (With quality checks)](https://img.shields.io/badge/Status-Stable%20(With%20quality%20checks)-green)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
[![Build Status](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/actions/workflows/ci.yml/badge.svg)](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/actions/workflows/ci.yml)
@@ -156,17 +148,18 @@ No modules.
| <a name="input_create_timeout"></a> [create\_timeout](#input\_create\_timeout) | Creation timeout value of the Event Streams module. Use 3h when creating enterprise instance, add more 1h for each level of non-default throughput, add more 30m for each level of non-default storage\_size | `string` | `"3h"` | no |
| <a name="input_delete_timeout"></a> [delete\_timeout](#input\_delete\_timeout) | Deleting timeout value of the Event Streams module | `string` | `"15m"` | no |
| <a name="input_es_name"></a> [es\_name](#input\_es\_name) | The name to give the IBM Event Streams instance created by this module. | `string` | n/a | yes |
| <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | (Optional) The GUID of the Hyper Protect or Key Protect instance in which the key specified in var.kms\_key\_crn is coming from. Only required if skip\_iam\_authorization\_policy is false | `string` | `null` | no |
| <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | (Optional) The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Service (HPCS) that you want to use for disk encryption. If null, database is encrypted by using randomly generated keys. See https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-managing_encryption for more info. | `string` | `null` | no |
| <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms\_key\_crn is coming from. Required only if var.kms\_encryption\_enabled is set to true, var.skip\_iam\_authorization\_policy is set to false, and you pass a value for var.kms\_key\_crn. | `string` | `null` | no |
| <a name="input_kms_encryption_enabled"></a> [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud® Databases. If set to false, the data is encrypted by using randomly generated keys. For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs | `bool` | `false` | no |
| <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Services like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for disk encryption. Only used if var.kms\_encryption\_enabled is set to true. | `string` | `null` | no |
| <a name="input_plan"></a> [plan](#input\_plan) | Plan for the event streams instance : lite, standard or enterprise-3nodes-2tb | `string` | `"standard"` | no |
| <a name="input_region"></a> [region](#input\_region) | IBM Cloud region where event streams will be created | `string` | `"us-south"` | no |
| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | ID of resource group to use when creating the event stream instance | `string` | n/a | yes |
| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance will be created. | `string` | n/a | yes |
| <a name="input_schemas"></a> [schemas](#input\_schemas) | The list of schema object which contains schema id and format of the schema | <pre>list(object(<br> {<br> schema_id = string<br> schema = object({<br> type = string<br> name = string<br> })<br> }<br> ))</pre> | `[]` | no |
| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The type of service endpoint(public,private or public-and-private) to be used for connection. | `string` | `"public"` | no |
| <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Whether or not you want to skip applying an authorization policy to your kms instance. | `bool` | `false` | no |
| <a name="input_storage_size"></a> [storage\_size](#input\_storage\_size) | Storage size of the event streams in GB. For enterprise instance only. Options are: 2048, 4096, 6144, 8192, 10240, 12288, and the default is 2048. Note: When throughput is 300, storage\_size starts from 4096, when throughput is 450, storage\_size starts from 6144. Storage capacity cannot be scaled down once instance is created. | `number` | `"2048"` | no |
| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'. | `string` | `"public"` | no |
| <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Event Streams database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing\_kms\_instance\_guid variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no |
| <a name="input_storage_size"></a> [storage\_size](#input\_storage\_size) | Storage size of the event streams in GB. For enterprise instance only. Options are: 2048, 4096, 6144, 8192, 10240, 12288,. Note: When throughput is 300, storage\_size starts from 4096, when throughput is 450, storage\_size starts from 6144. Storage capacity cannot be scaled down once instance is created. | `number` | `"2048"` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | List of tags associated with the Event Steams instance | `list(string)` | `[]` | no |
| <a name="input_throughput"></a> [throughput](#input\_throughput) | Throughput capacity in MB per second. for enterprise instance only. Options are: 150, 300, 450. Default is 150. | `number` | `"150"` | no |
| <a name="input_throughput"></a> [throughput](#input\_throughput) | Throughput capacity in MB per second. For enterprise instance only. Options are: 150, 300, 450. | `number` | `"150"` | no |
| <a name="input_topics"></a> [topics](#input\_topics) | List of topics. For lite plan only one topic is allowed. | <pre>list(object(<br> {<br> name = string<br> partitions = number<br> config = object({})<br> }<br> ))</pre> | `[]` | no |
| <a name="input_update_timeout"></a> [update\_timeout](#input\_update\_timeout) | Updating timeout value of the Event Streams module. Use 1h when updating enterprise instance, add more 1h for each level of non-default throughput, add more 30m for each level of non-default storage\_size. | `string` | `"1h"` | no |
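Review bot: the new `kms_encryption_enabled` description and the rewritten `skip_iam_authorization_policy` description still talk about "IBM Cloud® Databases" and "Event Streams database instances" and link to the cloud-databases Key Protect and HPCS pages, which reads as text carried over from a databases module; in this Event Streams module they should name Event Streams and point at the Event Streams encryption doc that the removed `kms_key_crn` row linked (https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-managing_encryption). Also, the `storage_size` row now ends its option list with `12288,.` (stray comma before the period) after the "default is 2048" text was dropped.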

1 change: 0 additions & 1 deletion catalogValidationValues.json.template

This file was deleted.

18 changes: 9 additions & 9 deletions cra-tf-validate-ignore-rules.json
@@ -1,10 +1,10 @@
{
"scc_rules": [
{
"scc_rule_id": "rule-3b2768e5-d783-4b0c-a47f-81479af34689",
"description": " Check whether Event Streams is accessible only by using private endpoints Found in: resource_address: module.event_streams.ibm_resource_instance.es_instance",
"ignore_reason": "Private endpoint option is not available in Standard plan which the complete example uses. When we create an FSCloud profile example for this module, the CRA scan will be done against that, and that should use private endpoint only. (Tracked at https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/issues/5)",
"is_valid": true
}
]
}
"scc_rules": [
{
"scc_rule_id": "rule-3b2768e5-d783-4b0c-a47f-81479af34689",
"description": " Check whether Event Streams is accessible only by using private endpoints Found in: resource_address: module.event_streams.ibm_resource_instance.es_instance",
"ignore_reason": "Private endpoint option is not available in Standard plan which the complete example uses. When we create an FSCloud profile example for this module, the CRA scan will be done against that, and that should use private endpoint only. (Tracked at https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/issues/5)",
"is_valid": true
}
]
}
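Review bot: the two versions of this file carry the same rule id, description, ignore reason and `is_valid` value, so the 9 additions and 9 deletions are an indentation-only change; that is fine, but it is worth stating in the commit message so reviewers do not look for a semantic change to the CRA ignore rules.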
2 changes: 1 addition & 1 deletion examples/basic/README.md
@@ -3,4 +3,4 @@
An end-to-end example that creates an event streams instance.
This example uses the IBM Cloud terraform provider to:
- Create a new resource group if one is not passed in.
- Create a new event streams instance with default inputs in the resource group and region provided.
- Create a new lite Event Streams instance in the resource group and region provided.
10 changes: 5 additions & 5 deletions examples/basic/main.tf
@@ -14,9 +14,9 @@ module "resource_group" {
##############################################################################

module "event_streams" {
source = "../../"
resource_group_id = module.resource_group.resource_group_id
es_name = "${var.prefix}-es"
tags = var.resource_tags
skip_iam_authorization_policy = true
source = "../../"
resource_group_id = module.resource_group.resource_group_id
es_name = "${var.prefix}-es"
tags = var.resource_tags
plan = "lite"
}
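Review bot: dropping `skip_iam_authorization_policy = true` here is only correct because of the new `count` gate on `ibm_iam_authorization_policy.kms_policy` in main.tf (no policy when `kms_encryption_enabled` is false, which is the default), so the two changes must land together; if this example is ever pinned to an older module version the removed line would be needed again. With `plan = "lite"` the example relies on the module defaults for throughput, storage_size and service_endpoints, which is what the lite/standard validations in main.tf require.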
2 changes: 1 addition & 1 deletion examples/basic/variables.tf
@@ -13,7 +13,7 @@ variable "region" {
variable "prefix" {
type = string
description = "Prefix to append to all resources created by this example"
default = "event_streams"
default = "event-streams"
}

variable "resource_group" {
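Review bot: changing the default prefix from `event_streams` to `event-streams` is consistent with the hyphenated naming already used in the example (`"${var.prefix}-es"`), but because the prefix feeds the instance name, anyone who applied the example with the old default will see the instance renamed (and therefore replaced) on the next apply; a one-line mention in the commit message would help.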
3 changes: 1 addition & 2 deletions examples/complete/main.tf
@@ -31,11 +31,10 @@ module "event_streams" {
source = "../../"
resource_group_id = module.resource_group.resource_group_id
es_name = "${var.prefix}-es"
plan = var.plan
kms_encryption_enabled = true
kms_key_crn = module.key_protect_all_inclusive.keys["es.${var.prefix}-es"].crn
existing_kms_instance_guid = module.key_protect_all_inclusive.key_protect_guid
schemas = var.schemas
tags = var.resource_tags
topics = var.topics
service_endpoints = var.service_endpoints
}
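Review bot: removing `plan = var.plan` and `service_endpoints = var.service_endpoints` pins the complete example to the module defaults (`standard` plan, `public` endpoints), which matches the ignore reason in cra-tf-validate-ignore-rules.json in this same commit (the complete example uses the Standard plan, where private endpoints are not available). Setting `kms_encryption_enabled = true` alongside `kms_key_crn` and `existing_kms_instance_guid` satisfies all three new validation locals in main.tf, so this example now exercises the customer-managed-key path end to end, including the IAM authorization policy.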
14 changes: 1 addition & 13 deletions examples/complete/variables.tf
@@ -10,16 +10,10 @@ variable "region" {
default = "us-south"
}

variable "plan" {
type = string
description = "Plan for the event stream instance. lite, standard or enterprise-3nodes-2tb"
default = "standard"
}

variable "prefix" {
type = string
description = "Prefix to append to all resources created by this example"
default = "event_streams"
default = "event-streams-com"
}

variable "resource_group" {
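Review bot: removing the `plan` variable is consistent with examples/complete/main.tf no longer passing it, so no dangling reference remains; the `prefix` default `event-streams-com` will appear in the instance name and the Key Protect key name (`es.${var.prefix}-es`), so the same rename-on-apply caveat as in the basic example applies to anyone who used the old default.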
@@ -34,12 +28,6 @@ variable "resource_tags" {
default = []
}

variable "service_endpoints" {
type = string
description = "The type of service endpoint(public,private or public-and-private) to be used for connection. Default is public for Standard and lite plans"
default = "public"
}

variable "schemas" {
type = list(object(
{
20 changes: 13 additions & 7 deletions main.tf
@@ -3,20 +3,26 @@
#######################################################################################

locals {
# Validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
# tflint-ignore: terraform_unused_declarations
kms_service = var.kms_key_crn != null ? (
can(regex(".*kms.*", var.kms_key_crn)) ? "kms" : (
can(regex(".*hs-crypto.*", var.kms_key_crn)) ? "hs-crypto" : null
)
) : null
validate_kms_values = !var.kms_encryption_enabled && var.kms_key_crn != null ? tobool("When passing values for var.kms_key_crn, you must set var.kms_encryption_enabled to true. Otherwise unset them to use default encryption") : true
# tflint-ignore: terraform_unused_declarations
validate_kms_vars = var.kms_encryption_enabled && var.kms_key_crn == null ? tobool("When setting var.kms_encryption_enabled to true, a value must be passed for var.kms_key_crn and/or var.backup_encryption_key_crn") : true
# tflint-ignore: terraform_unused_declarations
validate_skip_iam_authorization_policy = var.skip_iam_authorization_policy == false && (var.kms_key_crn == null || var.existing_kms_instance_guid == null) ? tobool("When var.skip_iam_authorization_policy is set to false, a value must be passed for var.existing_kms_instance_guid and var.kms_key_crn. Alternatively, if opting to use default encryption, set var.skip_iam_authorization_policy to true to skip creating any KMS auth policy creation.") : true
validate_auth_policy = var.kms_encryption_enabled && var.skip_iam_authorization_policy == false && var.existing_kms_instance_guid == null ? tobool("When var.skip_iam_authorization_policy is set to false, and var.kms_encryption_enabled to true, a value must be passed for var.existing_kms_instance_guid in order to create the auth policy.") : true
# tflint-ignore: terraform_unused_declarations
validate_throughput_lite_standard = ((var.plan == "lite" || var.plan == "standard") && var.throughput != 150) ? tobool("Throughput value cannot be changed in lite and standard plan. Default value is 150.") : true
# tflint-ignore: terraform_unused_declarations
validate_storage_size_lite_standard = ((var.plan == "lite" || var.plan == "standard") && var.storage_size != 2048) ? tobool("Storage size value cannot be changed in lite and standard plan. Default value is 2048.") : true
# tflint-ignore: terraform_unused_declarations
validate_service_end_points_lite_standard = ((var.plan == "lite" || var.plan == "standard") && var.service_endpoints != "public") ? tobool("Service endpoint cannot be changed in lite and standard plan. Default is public.") : true

# Determine what KMS service is being used for database encryption
kms_service = var.kms_key_crn != null ? (
can(regex(".*kms.*", var.kms_key_crn)) ? "kms" : (
can(regex(".*hs-crypto.*", var.kms_key_crn)) ? "hs-crypto" : null
)
) : null
}

resource "ibm_resource_instance" "es_instance" {
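Review bot: the `validate_kms_vars` error message tells the user to pass `var.kms_key_crn` and/or `var.backup_encryption_key_crn`, but this module has no `backup_encryption_key_crn` input (it is absent from the README inputs table in this commit); the text looks copied from a databases module and should drop the "and/or var.backup_encryption_key_crn" part. Otherwise the three validations fit together well: `validate_kms_values` rejects a key CRN without the flag, `validate_kms_vars` rejects the flag without a key CRN, and `validate_auth_policy` only demands `existing_kms_instance_guid` when the flag is on and the policy is not skipped, which replaces the old `validate_skip_iam_authorization_policy` that forced users of provider-managed encryption to set `skip_iam_authorization_policy = true`. Moving the `kms_service` local below the validations is a pure reorder.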
@@ -70,7 +76,7 @@ resource "ibm_event_streams_topic" "es_topic" {

# Create IAM Authorization Policies to allow messagehub to access kms for the encryption key
resource "ibm_iam_authorization_policy" "kms_policy" {
count = var.skip_iam_authorization_policy ? 0 : 1
count = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1
depends_on = [ibm_resource_instance.es_instance]
source_service_name = "messagehub"
source_resource_group_id = var.resource_group_id
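Review bot: `count = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1` evaluates as intended (`==` binds tighter than `||`, and the conditional is applied last), but `(!var.kms_encryption_enabled || var.skip_iam_authorization_policy) ? 0 : 1` reads more clearly and matches the `!var.kms_encryption_enabled` style used in `validate_kms_values` above. Behaviourally this is the right gate: an IAM policy granting messagehub access to the KMS instance is now only created when a customer-managed key is actually in use, so instances on provider-managed keys no longer receive a grant they do not need.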