From d4b06790b244fcb49aacac800455a4992c1459a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Conall=20=C3=93=20Cofaigh?= Date: Mon, 22 May 2023 16:11:08 +0100 Subject: [PATCH] feat: added new boolean variable `kms_encryption_enabled` which is now required to enable KMS encryption (#26) --- README.md | 23 +++------ catalogValidationValues.json.template | 1 - cra-tf-validate-ignore-rules.json | 18 +++---- examples/basic/README.md | 2 +- examples/basic/main.tf | 10 ++-- examples/basic/variables.tf | 2 +- examples/complete/main.tf | 3 +- examples/complete/variables.tf | 14 +----- main.tf | 20 +++++--- module-metadata.json | 72 +++++++++++++++------------ tests/other_test.go | 2 +- variables.tf | 51 ++++++++++++++++--- version.tf | 1 + 13 files changed, 126 insertions(+), 93 deletions(-) delete mode 100644 catalogValidationValues.json.template diff --git a/README.md b/README.md index aa35d09e..65584c3d 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,4 @@ - - - # Event Streams Module - [![Stable (With quality checks)](https://img.shields.io/badge/Status-Stable%20(With%20quality%20checks)-green)](https://terraform-ibm-modules.github.io/documentation/#/badge-status) [![Build Status](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/actions/workflows/ci.yml/badge.svg)](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/actions/workflows/ci.yml) 
@@ -156,17 +148,18 @@ No modules. | [create\_timeout](#input\_create\_timeout) | Creation timeout value of the Event Streams module. Use 3h when creating enterprise instance, add more 1h for each level of non-default throughput, add more 30m for each level of non-default storage\_size | `string` | `"3h"` | no | | [delete\_timeout](#input\_delete\_timeout) | Deleting timeout value of the Event Streams module | `string` | `"15m"` | no | | [es\_name](#input\_es\_name) | The name to give the IBM Event Streams instance created by this module. | `string` | n/a | yes | -| [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | (Optional) The GUID of the Hyper Protect or Key Protect instance in which the key specified in var.kms\_key\_crn is coming from. Only required if skip\_iam\_authorization\_policy is false | `string` | `null` | no | -| [kms\_key\_crn](#input\_kms\_key\_crn) | (Optional) The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Service (HPCS) that you want to use for disk encryption. If null, database is encrypted by using randomly generated keys. See https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-managing_encryption for more info. | `string` | `null` | no | +| [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms\_key\_crn is coming from. Required only if var.kms\_encryption\_enabled is set to true, var.skip\_iam\_authorization\_policy is set to false, and you pass a value for var.kms\_key\_crn. | `string` | `null` | no | +| [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud® Databases. If set to false, the data is encrypted by using randomly generated keys. 
For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs | `bool` | `false` | no | +| [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Services like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for disk encryption. Only used if var.kms\_encryption\_enabled is set to true. | `string` | `null` | no | | [plan](#input\_plan) | Plan for the event streams instance : lite, standard or enterprise-3nodes-2tb | `string` | `"standard"` | no | | [region](#input\_region) | IBM Cloud region where event streams will be created | `string` | `"us-south"` | no | -| [resource\_group\_id](#input\_resource\_group\_id) | ID of resource group to use when creating the event stream instance | `string` | n/a | yes | +| [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance will be created. | `string` | n/a | yes | | [schemas](#input\_schemas) | The list of schema object which contains schema id and format of the schema |
list(object(
{
schema_id = string
schema = object({
type = string
name = string
})
}
))
| `[]` | no | -| [service\_endpoints](#input\_service\_endpoints) | The type of service endpoint(public,private or public-and-private) to be used for connection. | `string` | `"public"` | no | -| [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Whether or not you want to skip applying an authorization policy to your kms instance. | `bool` | `false` | no | -| [storage\_size](#input\_storage\_size) | Storage size of the event streams in GB. For enterprise instance only. Options are: 2048, 4096, 6144, 8192, 10240, 12288, and the default is 2048. Note: When throughput is 300, storage\_size starts from 4096, when throughput is 450, storage\_size starts from 6144. Storage capacity cannot be scaled down once instance is created. | `number` | `"2048"` | no | +| [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'. | `string` | `"public"` | no | +| [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Event Streams database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing\_kms\_instance\_guid variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no | +| [storage\_size](#input\_storage\_size) | Storage size of the event streams in GB. For enterprise instance only. Options are: 2048, 4096, 6144, 8192, 10240, 12288,. Note: When throughput is 300, storage\_size starts from 4096, when throughput is 450, storage\_size starts from 6144. Storage capacity cannot be scaled down once instance is created. 
| `number` | `"2048"` | no | | [tags](#input\_tags) | List of tags associated with the Event Steams instance | `list(string)` | `[]` | no | -| [throughput](#input\_throughput) | Throughput capacity in MB per second. for enterprise instance only. Options are: 150, 300, 450. Default is 150. | `number` | `"150"` | no | +| [throughput](#input\_throughput) | Throughput capacity in MB per second. For enterprise instance only. Options are: 150, 300, 450. | `number` | `"150"` | no | | [topics](#input\_topics) | List of topics. For lite plan only one topic is allowed. |
list(object(
{
name = string
partitions = number
config = object({})
}
))
| `[]` | no | | [update\_timeout](#input\_update\_timeout) | Updating timeout value of the Event Streams module. Use 1h when updating enterprise instance, add more 1h for each level of non-default throughput, add more 30m for each level of non-default storage\_size. | `string` | `"1h"` | no | diff --git a/catalogValidationValues.json.template b/catalogValidationValues.json.template deleted file mode 100644 index 0967ef42..00000000 --- a/catalogValidationValues.json.template +++ /dev/null @@ -1 +0,0 @@ -{} diff --git a/cra-tf-validate-ignore-rules.json b/cra-tf-validate-ignore-rules.json index db569798..e702ba1c 100644 --- a/cra-tf-validate-ignore-rules.json +++ b/cra-tf-validate-ignore-rules.json 
@@ -1,10 +1,10 @@
 {
- "scc_rules": [
- {
- "scc_rule_id": "rule-3b2768e5-d783-4b0c-a47f-81479af34689",
- "description": " Check whether Event Streams is accessible only by using private endpoints Found in: resource_address: module.event_streams.ibm_resource_instance.es_instance",
- "ignore_reason": "Private endpoint option is not available in Standard plan which the complete example uses. When we create an FSCloud profile example for this module, the CRA scan will be done against that, and that should use private endpoint only. (Tracked at https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/issues/5)",
- "is_valid": true
- }
- ]
- }
+ "scc_rules": [
+ {
+ "scc_rule_id": "rule-3b2768e5-d783-4b0c-a47f-81479af34689",
+ "description": " Check whether Event Streams is accessible only by using private endpoints Found in: resource_address: module.event_streams.ibm_resource_instance.es_instance",
+ "ignore_reason": "Private endpoint option is not available in Standard plan which the complete example uses. When we create an FSCloud profile example for this module, the CRA scan will be done against that, and that should use private endpoint only. (Tracked at https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/issues/5)",
+ "is_valid": true
+ }
+ ]
+}
diff --git a/examples/basic/README.md b/examples/basic/README.md
index db0bb1b8..ac79e7bb 100644
--- a/examples/basic/README.md
+++ b/examples/basic/README.md
@@ -3,4 +3,4 @@ An end-to-end example that creates an event streams instance. This example uses the IBM Cloud terraform provider to: - Create a new resource group if one is not passed in. - - Create a new event streams instance with default inputs in the resource group and region provided. + - Create a new lite Event Streams instance in the resource group and region provided.
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index 8bfff13c..51a3b16f 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
@@ -14,9 +14,9 @@ module "resource_group" {
 ##############################################################################
 module "event_streams" {
- source = "../../"
- resource_group_id = module.resource_group.resource_group_id
- es_name = "${var.prefix}-es"
- tags = var.resource_tags
- skip_iam_authorization_policy = true
+ source = "../../"
+ resource_group_id = module.resource_group.resource_group_id
+ es_name = "${var.prefix}-es"
+ tags = var.resource_tags
+ plan = "lite"
 }
diff --git a/examples/basic/variables.tf b/examples/basic/variables.tf
index ba60020b..5b560f0c 100644
--- a/examples/basic/variables.tf
+++ b/examples/basic/variables.tf
@@ -13,7 +13,7 @@ variable "region" {
 variable "prefix" {
 type = string
 description = "Prefix to append to all resources created by this example"
- default = "event_streams"
+ default = "event-streams"
 }
 variable "resource_group" {
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 7145c03e..8ceddb5f 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -31,11 +31,10 @@ module "event_streams" {
 source = "../../"
 resource_group_id = module.resource_group.resource_group_id
 es_name = "${var.prefix}-es"
- plan = var.plan
+ kms_encryption_enabled = true
 kms_key_crn = module.key_protect_all_inclusive.keys["es.${var.prefix}-es"].crn
 existing_kms_instance_guid = module.key_protect_all_inclusive.key_protect_guid
 schemas = var.schemas
 tags = var.resource_tags
 topics = var.topics
- service_endpoints = var.service_endpoints
 }
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
index fecbeeea..b69ae17b 100644
--- a/examples/complete/variables.tf
+++ b/examples/complete/variables.tf
@@ -10,16 +10,10 @@ variable "region" {
 default = "us-south"
 }
-variable "plan" {
- type = string
- description = "Plan for the event stream instance. lite, standard or enterprise-3nodes-2tb"
- default = "standard"
-}
-
 variable "prefix" {
 type = string
 description = "Prefix to append to all resources created by this example"
- default = "event_streams"
+ default = "event-streams-com"
 }
 variable "resource_group" {
@@ -34,12 +28,6 @@ variable "resource_tags" {
 default = []
 }
-variable "service_endpoints" {
- type = string
- description = "The type of service endpoint(public,private or public-and-private) to be used for connection. Default is public for Standard and lite plans"
- default = "public"
-}
-
 variable "schemas" {
 type = list(object(
 {
diff --git a/main.tf b/main.tf
index f1e8cd49..55a9a3ed 100644
--- a/main.tf
+++ b/main.tf
@@ -3,20 +3,26 @@
 #######################################################################################
 locals {
+ # Validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
 # tflint-ignore: terraform_unused_declarations
- kms_service = var.kms_key_crn != null ? (
- can(regex(".*kms.*", var.kms_key_crn)) ? "kms" : (
- can(regex(".*hs-crypto.*", var.kms_key_crn)) ? "hs-crypto" : null
- )
- ) : null
+ validate_kms_values = !var.kms_encryption_enabled && var.kms_key_crn != null ? tobool("When passing values for var.kms_key_crn, you must set var.kms_encryption_enabled to true. Otherwise unset them to use default encryption") : true
+ # tflint-ignore: terraform_unused_declarations
+ validate_kms_vars = var.kms_encryption_enabled && var.kms_key_crn == null ? tobool("When setting var.kms_encryption_enabled to true, a value must be passed for var.kms_key_crn and/or var.backup_encryption_key_crn") : true
 # tflint-ignore: terraform_unused_declarations
- validate_skip_iam_authorization_policy = var.skip_iam_authorization_policy == false && (var.kms_key_crn == null || var.existing_kms_instance_guid == null) ? tobool("When var.skip_iam_authorization_policy is set to false, a value must be passed for var.existing_kms_instance_guid and var.kms_key_crn. Alternatively, if opting to use default encryption, set var.skip_iam_authorization_policy to true to skip creating any KMS auth policy creation.") : true
+ validate_auth_policy = var.kms_encryption_enabled && var.skip_iam_authorization_policy == false && var.existing_kms_instance_guid == null ? tobool("When var.skip_iam_authorization_policy is set to false, and var.kms_encryption_enabled to true, a value must be passed for var.existing_kms_instance_guid in order to create the auth policy.") : true
 # tflint-ignore: terraform_unused_declarations
 validate_throughput_lite_standard = ((var.plan == "lite" || var.plan == "standard") && var.throughput != 150) ? tobool("Throughput value cannot be changed in lite and standard plan. Default value is 150.") : true
 # tflint-ignore: terraform_unused_declarations
 validate_storage_size_lite_standard = ((var.plan == "lite" || var.plan == "standard") && var.storage_size != 2048) ? tobool("Storage size value cannot be changed in lite and standard plan. Default value is 2048.") : true
 # tflint-ignore: terraform_unused_declarations
 validate_service_end_points_lite_standard = ((var.plan == "lite" || var.plan == "standard") && var.service_endpoints != "public") ? tobool("Service endpoint cannot be changed in lite and standard plan. Default is public.") : true
+
+ # Determine what KMS service is being used for database encryption
+ kms_service = var.kms_key_crn != null ? (
+ can(regex(".*kms.*", var.kms_key_crn)) ? "kms" : (
+ can(regex(".*hs-crypto.*", var.kms_key_crn)) ? "hs-crypto" : null
+ )
+ ) : null
 }
 resource "ibm_resource_instance" "es_instance" {
@@ -70,7 +76,7 @@ resource "ibm_event_streams_topic" "es_topic" {
 # Create IAM Authorization Policies to allow messagehub to access kms for the encryption key
 resource "ibm_iam_authorization_policy" "kms_policy" {
- count = var.skip_iam_authorization_policy ? 0 : 1
+ count = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1
 depends_on = [ibm_resource_instance.es_instance]
 source_service_name = "messagehub"
 source_resource_group_id = var.resource_group_id
diff --git a/module-metadata.json b/module-metadata.json
index e9fbfdda..5d50be71 100644
--- a/module-metadata.json
+++ b/module-metadata.json
@@ -8,7 +8,7 @@ "default": "3h", "pos": { "filename": "variables.tf", - "line": 99 + "line": 136 } }, "delete_timeout": {
@@ -18,7 +18,7 @@ "default": "15m", "pos": { "filename": "variables.tf", - "line": 111 + "line": 148 } }, "es_name": {
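Review bot: The error text of the new `validate_kms_vars` local points users at `var.backup_encryption_key_crn`, which is not an input of this module (the only KMS inputs in this patch are `kms_key_crn`, `kms_encryption_enabled` and `existing_kms_instance_guid`), so the one case it guards — encryption enabled but no key given — produces a message naming a variable that does not exist; it reads as carried over from a sibling module. Change it to `tobool("When setting var.kms_encryption_enabled to true, a value must be passed for var.kms_key_crn")`. As a point of style, `validate_kms_values` tests the flag with `!var.kms_encryption_enabled` while `validate_auth_policy` uses `var.skip_iam_authorization_policy == false`; one form for both would keep the three guards readable side by side. The `kms_service` local is moved but not changed, and where it is consumed is outside this hunk.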
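Review bot: The rewritten `count` on `ibm_iam_authorization_policy.kms_policy` depends on `||` binding tighter than `?:` (so it is `(a || b) ? 0 : 1`), which HCL does guarantee, but combined with the `== false` comparison it takes a moment to confirm that a policy is created only when encryption is on and not skipped. Stating the positive condition avoids that: `count = var.kms_encryption_enabled && !var.skip_iam_authorization_policy ? 1 : 0`. The policy's other attributes (resource-group-wide source scope via `source_resource_group_id`) are untouched by this commit and the resource body continues past the hunk, so nothing further is asked here.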
@@ -31,30 +31,43 @@ ], "pos": { "filename": "variables.tf", - "line": 6 + "line": 10 } }, "existing_kms_instance_guid": { "name": "existing_kms_instance_guid", "type": "string", - "description": "(Optional) The GUID of the Hyper Protect or Key Protect instance in which the key specified in var.kms_key_crn is coming from. Only required if skip_iam_authorization_policy is false", + "description": "The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms_key_crn is coming from. Required only if var.kms_encryption_enabled is set to true, var.skip_iam_authorization_policy is set to false, and you pass a value for var.kms_key_crn.", "source": [ "ibm_iam_authorization_policy.kms_policy.target_resource_instance_id" ], "pos": { "filename": "variables.tf", - "line": 93 + "line": 130 }, "immutable": true, "computed": true }, + "kms_encryption_enabled": { + "name": "kms_encryption_enabled", + "type": "bool", + "description": "Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud® Databases. If set to false, the data is encrypted by using randomly generated keys. For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs", + "default": false, + "source": [ + "ibm_iam_authorization_policy.kms_policy.count" + ], + "pos": { + "filename": "variables.tf", + "line": 110 + } + }, "kms_key_crn": { "name": "kms_key_crn", "type": "string", - "description": "(Optional) The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Service (HPCS) that you want to use for disk encryption. If null, database is encrypted by using randomly generated keys. 
See https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-managing_encryption for more info.", + "description": "The root key CRN of a Key Management Services like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for disk encryption. Only used if var.kms_encryption_enabled is set to true.", "pos": { "filename": "variables.tf", - "line": 87 + "line": 116 } }, "plan": { @@ -68,7 +81,7 @@ ], "pos": { "filename": "variables.tf", - "line": 11 + "line": 15 } }, "region": { @@ -82,7 +95,7 @@ ], "pos": { "filename": "variables.tf", - "line": 27 + "line": 31 }, "cloud_data_type": "region", "immutable": true @@ -90,7 +103,7 @@ "resource_group_id": { "name": "resource_group_id", "type": "string", - "description": "ID of resource group to use when creating the event stream instance", + "description": "The resource group ID where the Event Streams instance will be created.", "required": true, "source": [ "ibm_iam_authorization_policy.kms_policy.source_resource_group_id", @@ -98,7 +111,7 @@ ], "pos": { "filename": "variables.tf", - "line": 1 + "line": 5 }, "cloud_data_type": "resource_group", "immutable": true, 
@@ -119,43 +132,40 @@ ], "pos": { "filename": "variables.tf", - "line": 61 + "line": 84 } }, "service_endpoints": { "name": "service_endpoints", "type": "string", - "description": "The type of service endpoint(public,private or public-and-private) to be used for connection.", + "description": "Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'.", "default": "public", "source": [ "ibm_resource_instance.es_instance.parameters" ], "pos": { "filename": "variables.tf", - "line": 45 + "line": 68 } }, "skip_iam_authorization_policy": { "name": "skip_iam_authorization_policy", "type": "bool", - "description": "Whether or not you want to skip applying an authorization policy to your kms instance.", + "description": "Set to true to skip the creation of an IAM authorization policy that permits all Event Streams database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing_kms_instance_guid variable. In addition, no policy is created if var.kms_encryption_enabled is set to false.", "default": false, - "source": [ - "ibm_iam_authorization_policy.kms_policy.count" - ], "pos": { "filename": "variables.tf", - "line": 55 + "line": 78 } }, "storage_size": { "name": "storage_size", "type": "number", - "description": "Storage size of the event streams in GB. For enterprise instance only. Options are: 2048, 4096, 6144, 8192, 10240, 12288, and the default is 2048. Note: When throughput is 300, storage_size starts from 4096, when throughput is 450, storage_size starts from 6144. Storage capacity cannot be scaled down once instance is created.", + "description": "Storage size of the event streams in GB. For enterprise instance only. Options are: 2048, 4096, 6144, 8192, 10240, 12288,. 
Note: When throughput is 300, storage_size starts from 4096, when throughput is 450, storage_size starts from 6144. Storage capacity cannot be scaled down once instance is created.", "default": "2048", "pos": { "filename": "variables.tf", - "line": 39 + "line": 51 } }, "tags": { @@ -168,7 +178,7 @@ ], "pos": { "filename": "variables.tf", - "line": 21 + "line": 25 }, "min_length": 1, "max_length": 128, @@ -181,11 +191,11 @@ "throughput": { "name": "throughput", "type": "number", - "description": "Throughput capacity in MB per second. for enterprise instance only. Options are: 150, 300, 450. Default is 150.", + "description": "Throughput capacity in MB per second. For enterprise instance only. Options are: 150, 300, 450.", "default": "150", "pos": { "filename": "variables.tf", - "line": 33 + "line": 37 } }, "topics": { @@ -201,7 +211,7 @@ ], "pos": { "filename": "variables.tf", - "line": 75 + "line": 98 } }, "update_timeout": { @@ -211,7 +221,7 @@ "default": "1h", "pos": { "filename": "variables.tf", - "line": 105 + "line": 142 } } }, @@ -290,7 +300,7 @@ }, "pos": { "filename": "main.tf", - "line": 47 + "line": 53 } }, "ibm_event_streams_topic.es_topic": { @@ -308,7 +318,7 @@ }, "pos": { "filename": "main.tf", - "line": 58 + "line": 64 } }, "ibm_iam_authorization_policy.kms_policy": { @@ -316,7 +326,7 @@ "type": "ibm_iam_authorization_policy", "name": "kms_policy", "attributes": { - "count": "skip_iam_authorization_policy", + "count": "kms_encryption_enabled", "source_resource_group_id": "resource_group_id", "target_resource_instance_id": "existing_kms_instance_guid" }, @@ -325,7 +335,7 @@ }, "pos": { "filename": "main.tf", - "line": 72 + "line": 78 } }, "ibm_resource_instance.es_instance": { @@ -345,7 +355,7 @@ }, "pos": { "filename": "main.tf", - "line": 22 + "line": 28 } } }, diff --git a/tests/other_test.go b/tests/other_test.go index fead558a..658380dc 100644 --- a/tests/other_test.go +++ b/tests/other_test.go 
@@ -1,5 +1,5 @@
 // Tests in this file are NOT run in the PR pipeline. They are run in the continuous testing pipeline along with the ones in pr_test.go
-// Tests in this file are run in the PR pipeline
+
 package test
 import (
diff --git a/variables.tf b/variables.tf
index 09c1a578..86050eb9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,5 +1,9 @@
+##############################################################################
+# Input Variables
+##############################################################################
+
 variable "resource_group_id" {
- description = "ID of resource group to use when creating the event stream instance"
+ description = "The resource group ID where the Event Streams instance will be created."
 type = string
 }
@@ -32,19 +36,38 @@ variable "region" {
 variable "throughput" {
 type = number
- description = "Throughput capacity in MB per second. for enterprise instance only. Options are: 150, 300, 450. Default is 150."
+ description = "Throughput capacity in MB per second. For enterprise instance only. Options are: 150, 300, 450."
 default = "150"
+ validation {
+ condition = anytrue([
+ var.throughput == 150,
+ var.throughput == 300,
+ var.throughput == 450,
+ ])
+ error_message = "Supported throughput values are: 150, 300, 450."
+ }
 }
 variable "storage_size" {
 type = number
- description = "Storage size of the event streams in GB. For enterprise instance only. Options are: 2048, 4096, 6144, 8192, 10240, 12288, and the default is 2048. Note: When throughput is 300, storage_size starts from 4096, when throughput is 450, storage_size starts from 6144. Storage capacity cannot be scaled down once instance is created."
+ description = "Storage size of the event streams in GB. For enterprise instance only. Options are: 2048, 4096, 6144, 8192, 10240, 12288,. Note: When throughput is 300, storage_size starts from 4096, when throughput is 450, storage_size starts from 6144. Storage capacity cannot be scaled down once instance is created."
 default = "2048"
+ validation {
+ condition = anytrue([
+ var.storage_size == 2048,
+ var.storage_size == 4096,
+ var.storage_size == 6144,
+ var.storage_size == 8192,
+ var.storage_size == 10240,
+ var.storage_size == 12288,
+ ])
+ error_message = "Supported throughput values are: 2048, 4096, 6144, 8192, 10240, 12288."
+ }
 }
 variable "service_endpoints" {
 type = string
- description = "The type of service endpoint(public,private or public-and-private) to be used for connection."
+ description = "Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'."
 default = "public"
 validation {
 condition = contains(["public", "public-and-private", "private"], var.service_endpoints)
@@ -54,7 +77,7 @@ variable "service_endpoints" {
 variable "skip_iam_authorization_policy" {
 type = bool
- description = "Whether or not you want to skip applying an authorization policy to your kms instance."
+ description = "Set to true to skip the creation of an IAM authorization policy that permits all Event Streams database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing_kms_instance_guid variable. In addition, no policy is created if var.kms_encryption_enabled is set to false."
 default = false
 }
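Review bot: The new `storage_size` validation block reuses the throughput wording in its `error_message` ("Supported throughput values are: 2048, …"), so a rejected storage size reports the wrong variable; change it to `error_message = "Supported storage_size values are: 2048, 4096, 6144, 8192, 10240, 12288."`. The updated `storage_size` description also leaves a stray ",." after 12288 (the README and module-metadata.json hunks carry the same text). Both `default = "150"` and `default = "2048"` stay quoted strings on `number` variables; Terraform converts them, but unquoted numbers would make it obvious they satisfy the new equality checks — that is pre-existing, not introduced here.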
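Review bot: The new `skip_iam_authorization_policy` description says the policy "permits all Event Streams database instances in the resource group"; Event Streams is a messaging service and the policy source in main.tf is `messagehub`, so "database" appears carried over from another module's text. Suggest `permits all Event Streams instances in the resource group to read the encryption key from the KMS instance`. The part that spells out the resource-group-wide scope is worth keeping exactly as written, since it is what tells a reader that the policy is not limited to the instance this module creates.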
@@ -84,14 +107,28 @@ variable "topics" {
 default = []
 }
+variable "kms_encryption_enabled" {
+ type = bool
+ description = "Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud® Databases. If set to false, the data is encrypted by using randomly generated keys. For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs"
+ default = false
+}
+
 variable "kms_key_crn" {
 type = string
- description = "(Optional) The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Service (HPCS) that you want to use for disk encryption. If null, database is encrypted by using randomly generated keys. See https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-managing_encryption for more info."
+ description = "The root key CRN of a Key Management Services like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for disk encryption. Only used if var.kms_encryption_enabled is set to true."
 default = null
+ validation {
+ condition = anytrue([
+ var.kms_key_crn == null,
+ can(regex(".*kms.*", var.kms_key_crn)),
+ can(regex(".*hs-crypto.*", var.kms_key_crn)),
+ ])
+ error_message = "Value must be the root key CRN from either the Key Protect or Hyper Protect Crypto Service (HPCS)"
+ }
 }
 variable "existing_kms_instance_guid" {
- description = "(Optional) The GUID of the Hyper Protect or Key Protect instance in which the key specified in var.kms_key_crn is coming from. Only required if skip_iam_authorization_policy is false"
+ description = "The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms_key_crn is coming from. Required only if var.kms_encryption_enabled is set to true, var.skip_iam_authorization_policy is set to false, and you pass a value for var.kms_key_crn."
 type = string
 default = null
 }
diff --git a/version.tf b/version.tf
index f4091081..de8ad0f1 100644
--- a/version.tf
+++ b/version.tf
@@ -1,6 +1,7 @@
 terraform {
 required_version = ">= 1.3.0"
 required_providers {
+ # Use "greater than or equal to" range in modules
 ibm = {
 source = "IBM-Cloud/ibm"
 version = ">= 1.49.0"
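Review bot: The new `kms_key_crn` validation accepts any string containing `kms` or `hs-crypto` anywhere (`.*kms.*`), so a value with that substring in an account id, instance name or key id passes even when it is not a CRN of either service, and the `error_message` promises more ("must be the root key CRN") than the check enforces. Anchoring the match to the CRN service-name field would reject malformed input at plan time instead of at the provider call, e.g. `can(regex("^crn:v1:[^:]*:[^:]*:(kms|hs-crypto):", var.kms_key_crn))` (constructed; assumes the standard IBM Cloud CRN layout with the service name as the fifth colon-separated field — confirm before adopting). Separately, the `kms_encryption_enabled` description speaks of "the data that you store in IBM Cloud® Databases" and links to cloud-databases topics, while the `EventStreams-managing_encryption` link this hunk removes from `kms_key_crn` was the Event Streams-specific one; suggest `the data that you store in the Event Streams instance` and restoring that link (the README and module-metadata.json hunks repeat the same description).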