feat: add ability to create kms to block storage s2s (#145)

terraform-ibm-modules · Oct 25, 2022 · 06b640f · 06b640f
1 parent 18684c7
commit 06b640f
Show file tree

Hide file tree

Showing 16 changed files with 119 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -911,6 +911,7 @@ statement instead the previous block.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_groups"></a> [access\_groups](#input\_access\_groups) | A list of access groups to create | <pre>list(<br>    object({<br>      name        = string # Name of the group<br>      description = string # Description of group<br>      policies = list(<br>        object({<br>          name  = string       # Name of the policy<br>          roles = list(string) # list of roles for the policy<br>          resources = object({<br>            resource_group       = optional(string) # Name of the resource group the policy will apply to<br>            resource_type        = optional(string) # Name of the resource type for the policy ex. "resource-group"<br>            resource             = optional(string) # The resource of the policy definition<br>            service              = optional(string) # Name of the service type for the policy ex. "cloud-object-storage"<br>            resource_instance_id = optional(string) # ID of a service instance to give permissions<br>          })<br>        })<br>      )<br>      dynamic_policies = optional(<br>        list(<br>          object({<br>            name              = string # Dynamic group name<br>            identity_provider = string # URI for identity provider<br>            expiration        = number # How many hours authenticated users can work before refresh<br>            conditions = object({<br>              claim    = string # key value to evaluate the condition against.<br>              operator = string # The operation to perform on the claim. Supported values are EQUALS, EQUALS_IGNORE_CASE, IN, NOT_EQUALS_IGNORE_CASE, NOT_EQUALS, and CONTAINS.<br>              value    = string # Value to be compared agains<br>            })<br>          })<br>        )<br>      )<br>      account_management_policies = optional(list(string))<br>      invite_users                = optional(list(string)) # Users to invite to the access group<br>    })<br>  )</pre> | `[]` | no |
+| <a name="input_add_kms_block_storage_s2s"></a> [add\_kms\_block\_storage\_s2s](#input\_add\_kms\_block\_storage\_s2s) | add kms to block storage s2s authorization | `bool` | `true` | no |
 | <a name="input_appid"></a> [appid](#input\_appid) | The App ID instance to be used for the teleport vsi deployments | <pre>object({<br>    name           = optional(string)<br>    resource_group = optional(string)<br>    use_data       = optional(bool)<br>    keys           = optional(list(string))<br>    use_appid      = bool<br>  })</pre> | <pre>{<br>  "use_appid": false<br>}</pre> | no |
 | <a name="input_atracker"></a> [atracker](#input\_atracker) | atracker variables | <pre>object({<br>    resource_group        = string<br>    receive_global_events = bool<br>    collector_bucket_name = string<br>    add_route             = bool<br>  })</pre> | n/a | yes |
 | <a name="input_clusters"></a> [clusters](#input\_clusters) | A list describing clusters workloads to create | <pre>list(<br>    object({<br>      name               = string           # Name of Cluster<br>      vpc_name           = string           # Name of VPC<br>      subnet_names       = list(string)     # List of vpc subnets for cluster<br>      workers_per_subnet = number           # Worker nodes per subnet.<br>      machine_type       = string           # Worker node flavor<br>      kube_type          = string           # iks or openshift<br>      kube_version       = optional(string) # Can be a version from `ibmcloud ks versions` or `default`<br>      entitlement        = optional(string) # entitlement option for openshift<br>      pod_subnet         = optional(string) # Portable subnet for pods<br>      service_subnet     = optional(string) # Portable subnet for services<br>      resource_group     = string           # Resource Group used for cluster<br>      cos_name           = optional(string) # Name of COS instance Required only for OpenShift clusters<br>      update_all_workers = optional(bool)   # If true force workers to update<br>      kms_config = optional(<br>        object({<br>          crk_name         = string         # Name of key<br>          private_endpoint = optional(bool) # Private endpoint<br>        })<br>      )<br>      worker_pools = optional(<br>        list(<br>          object({<br>            name               = string           # Worker pool name<br>            vpc_name           = string           # VPC name<br>            workers_per_subnet = number           # Worker nodes per subnet<br>            flavor             = string           # Worker node flavor<br>            subnet_names       = list(string)     # List of vpc subnets for worker pool<br>            entitlement        = optional(string) # entitlement option for openshift<br>          })<br>        )<br>      )<br>    })<br>  )</pre> | n/a | yes |

diff --git a/dynamic_values.tf b/dynamic_values.tf
@@ -31,6 +31,7 @@ module "dynamic_values" {
   f5_vsi                    = var.f5_vsi
   f5_template_data          = var.f5_template_data
   secrets_manager           = var.secrets_manager
+  add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
 }
 
 ##############################################################################
diff --git a/dynamic_values/config_modules/service_authorizations/service_authorizations.tf b/dynamic_values/config_modules/service_authorizations/service_authorizations.tf
@@ -22,6 +22,10 @@ variable "use_secrets_manager" {
   description = "Use secrets manager"
 }
 
+variable "add_kms_block_storage_s2s" {
+  description = "Add kms to block storage s2s"
+}
+
 ##############################################################################
 
 ##############################################################################
@@ -30,16 +34,21 @@ variable "use_secrets_manager" {
 
 locals {
   target_key_management_service = lookup(var.key_management, "use_hs_crypto", false) == true ? "hs-crypto" : "kms"
-  service_authorization_vpc_to_key_management = {
-    # Create authorization to allow key management to access VPC block storage
-    "block-storage" = {
+}
+
+module "kms_to_block_storage" {
+  source = "../list_to_map"
+  list = [
+    for instance in(var.add_kms_block_storage_s2s ? ["block-storage"] : []) :
+    {
+      name                        = instance
       source_service_name         = "server-protect"
       description                 = "Allow block storage volumes to be encrypted by KMS instance"
       roles                       = ["Reader"]
       target_service_name         = local.target_key_management_service
       target_resource_instance_id = var.key_management_guid
     }
-  }
+  ]
 }
 
 ##############################################################################
@@ -104,7 +113,7 @@ module "secrets_manager_to_cos" {
 output "authorizations" {
   description = "Map of service authorizations"
   value = merge(
-    local.service_authorization_vpc_to_key_management,
+    module.kms_to_block_storage.value,
     module.cos_to_key_management.value,
     module.flow_logs_to_cos.value,
     module.secrets_manager_to_cos.value

diff --git a/dynamic_values/service_authorizations.tf b/dynamic_values/service_authorizations.tf
@@ -3,12 +3,13 @@
 ##############################################################################
 
 module "service_authorizations" {
-  source              = "./config_modules/service_authorizations"
-  key_management      = var.key_management
-  key_management_guid = var.key_management_guid
-  cos                 = var.cos
-  cos_instance_ids    = local.cos_instance_ids
-  use_secrets_manager = var.secrets_manager.use_secrets_manager
+  source                    = "./config_modules/service_authorizations"
+  key_management            = var.key_management
+  key_management_guid       = var.key_management_guid
+  cos                       = var.cos
+  cos_instance_ids          = local.cos_instance_ids
+  use_secrets_manager       = var.secrets_manager.use_secrets_manager
+  add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
 }
 
 ##############################################################################
diff --git a/dynamic_values/variables.tf b/dynamic_values/variables.tf
@@ -195,3 +195,13 @@ variable "secrets_manager" {
 }
 
 ##############################################################################
+
+##############################################################################
+# Service Authorization Variables
+##############################################################################
+
+variable "add_kms_block_storage_s2s" {
+  description = "Direct reference to kms block storage variable"
+}
+
+##############################################################################
diff --git a/module-metadata.json b/module-metadata.json
@@ -11,6 +11,16 @@
         "line": 1116
       }
     },
+    "add_kms_block_storage_s2s": {
+      "name": "add_kms_block_storage_s2s",
+      "type": "bool",
+      "description": "add kms to block storage s2s authorization",
+      "default": true,
+      "pos": {
+        "filename": "variables.tf",
+        "line": 1534
+      }
+    },
     "appid": {
       "name": "appid",
       "type": "object({\n    name           = optional(string)\n    resource_group = optional(string)\n    use_data       = optional(bool)\n    keys           = optional(list(string))\n    use_appid      = bool\n  })",
@@ -1126,6 +1136,7 @@
       "source": "./dynamic_values",
       "attributes": {
         "access_groups": "access_groups",
+        "add_kms_block_storage_s2s": "add_kms_block_storage_s2s",
         "appid": "appid",
         "bastion_vsi": "teleport_vsi",
         "clusters": "clusters",

diff --git a/patterns/mixed/config.tf b/patterns/mixed/config.tf
@@ -174,6 +174,13 @@ locals {
 
     ##############################################################################
 
+    ##############################################################################
+    # S2S Authorization
+    ##############################################################################
+    add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
+
+    ##############################################################################
+
     ##############################################################################
     # IAM Account Settings
     ##############################################################################
@@ -314,6 +321,7 @@ locals {
     virtual_private_endpoints      = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
     cos                            = lookup(local.override[local.override_type], "cos", local.config.object_storage)
     service_endpoints              = lookup(local.override[local.override_type], "service_endpoints", "private")
+    add_kms_block_storage_s2s      = lookup(local.override[local.override_type], "add_kms_block_storage_s2s", local.config.add_kms_block_storage_s2s)
     key_management                 = lookup(local.override[local.override_type], "key_management", local.config.key_management)
     atracker                       = lookup(local.override[local.override_type], "atracker", local.config.atracker)
     clusters                       = lookup(local.override[local.override_type], "clusters", local.config.clusters)

diff --git a/patterns/mixed/main.tf b/patterns/mixed/main.tf
@@ -34,6 +34,7 @@ module "landing_zone" {
   cos                            = local.env.cos
   service_endpoints              = local.env.service_endpoints
   key_management                 = local.env.key_management
+  add_kms_block_storage_s2s      = local.env.add_kms_block_storage_s2s
   atracker                       = local.env.atracker
   clusters                       = local.env.clusters
   wait_till                      = local.env.wait_till

diff --git a/patterns/mixed/variables.tf b/patterns/mixed/variables.tf
@@ -617,6 +617,18 @@ variable "scc_scope_name" {
 
 ##############################################################################
 
+##############################################################################
+# s2s variables
+##############################################################################
+
+variable "add_kms_block_storage_s2s" {
+  description = "add kms to block storage s2s authorization"
+  type        = bool
+  default     = true
+}
+
+##############################################################################
+
 ##############################################################################
 # Override JSON
 ##############################################################################

diff --git a/patterns/roks/config.tf b/patterns/roks/config.tf
@@ -160,6 +160,13 @@ locals {
 
     ##############################################################################
 
+    ##############################################################################
+    # S2S Authorization
+    ##############################################################################
+    add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
+
+    ##############################################################################
+
     ##############################################################################
     # IAM Account Settings
     ##############################################################################
@@ -300,6 +307,7 @@ locals {
     virtual_private_endpoints      = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
     cos                            = lookup(local.override[local.override_type], "cos", local.config.object_storage)
     service_endpoints              = lookup(local.override[local.override_type], "service_endpoints", "private")
+    add_kms_block_storage_s2s      = lookup(local.override[local.override_type], "add_kms_block_storage_s2s", local.config.add_kms_block_storage_s2s)
     key_management                 = lookup(local.override[local.override_type], "key_management", local.config.key_management)
     atracker                       = lookup(local.override[local.override_type], "atracker", local.config.atracker)
     clusters                       = lookup(local.override[local.override_type], "clusters", local.config.clusters)

diff --git a/patterns/roks/main.tf b/patterns/roks/main.tf
@@ -34,6 +34,7 @@ module "landing_zone" {
   cos                            = local.env.cos
   service_endpoints              = local.env.service_endpoints
   key_management                 = local.env.key_management
+  add_kms_block_storage_s2s      = local.env.add_kms_block_storage_s2s
   atracker                       = local.env.atracker
   clusters                       = local.env.clusters
   wait_till                      = local.env.wait_till

diff --git a/patterns/roks/variables.tf b/patterns/roks/variables.tf
@@ -593,6 +593,18 @@ variable "scc_scope_name" {
 
 ##############################################################################
 
+##############################################################################
+# s2s variables
+##############################################################################
+
+variable "add_kms_block_storage_s2s" {
+  description = "add kms to block storage s2s authorization"
+  type        = bool
+  default     = true
+}
+
+##############################################################################
+
 ##############################################################################
 # Override JSON
 ##############################################################################

diff --git a/patterns/vsi/config.tf b/patterns/vsi/config.tf
@@ -136,6 +136,13 @@ locals {
 
     ##############################################################################
 
+    ##############################################################################
+    # S2S Authorization
+    ##############################################################################
+    add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
+
+    ##############################################################################
+
     ##############################################################################
     # IAM Account Settings
     ##############################################################################
@@ -276,6 +283,7 @@ locals {
     virtual_private_endpoints      = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
     cos                            = lookup(local.override[local.override_type], "cos", local.config.object_storage)
     service_endpoints              = lookup(local.override[local.override_type], "service_endpoints", "private")
+    add_kms_block_storage_s2s      = lookup(local.override[local.override_type], "add_kms_block_storage_s2s", local.config.add_kms_block_storage_s2s)
     key_management                 = lookup(local.override[local.override_type], "key_management", local.config.key_management)
     atracker                       = lookup(local.override[local.override_type], "atracker", local.config.atracker)
     clusters                       = lookup(local.override[local.override_type], "clusters", local.config.clusters)

diff --git a/patterns/vsi/main.tf b/patterns/vsi/main.tf
@@ -34,6 +34,7 @@ module "landing_zone" {
   cos                            = local.env.cos
   service_endpoints              = local.env.service_endpoints
   key_management                 = local.env.key_management
+  add_kms_block_storage_s2s      = local.env.add_kms_block_storage_s2s
   atracker                       = local.env.atracker
   clusters                       = local.env.clusters
   wait_till                      = local.env.wait_till

diff --git a/patterns/vsi/variables.tf b/patterns/vsi/variables.tf
@@ -554,6 +554,18 @@ variable "scc_scope_name" {
 
 ##############################################################################
 
+##############################################################################
+# s2s variables
+##############################################################################
+
+variable "add_kms_block_storage_s2s" {
+  description = "add kms to block storage s2s authorization"
+  type        = bool
+  default     = true
+}
+
+##############################################################################
+
 ##############################################################################
 # Override JSON
 ##############################################################################

diff --git a/variables.tf b/variables.tf
@@ -1526,3 +1526,15 @@ variable "vpc_placement_groups" {
 }
 
 ##############################################################################
+
+##############################################################################
+# s2s variables
+##############################################################################
+
+variable "add_kms_block_storage_s2s" {
+  description = "add kms to block storage s2s authorization"
+  type        = bool
+  default     = true
+}
+
+##############################################################################