This example demonstrates how to use the fscloud profile module to lay out a complete "secure by default" coarse-grained CBR topology in a given account.
This example is designed to showcase some of the key customization options of the module. In addition to the pre-wired CBR rules documented in the fscloud profile module, this example shows how to customize the module to:
- Open up network traffic flow from ICD MongoDB and ICD PostgreSQL to the Key Protect private endpoints.
- Open up network traffic flow from Schematics to the Key Protect private endpoints.
- Open up network traffic flow from a block of IPs to the Schematics public endpoint.
- Open up network traffic flow from the VPC created in this example to the ICD PostgreSQL private endpoints.
- Customize the rules for `kms`, `cloud-object-storage`, `databases-for-postgresql`, `messagehub`, `IAM` and `container-registry`.
- Customize the zone name for `codeengine` and `cloud-object-storage`.
- Add optional locations to open traffic only from the `au` and `tok` locations for the `codeengine` network zone, leaving the flow closed in all other locations.
- Add an optional location to open traffic only from the `eu` location for the `server-protect` network zone, leaving the flow closed in all other locations.
Context: this example covers a "pseudo" real-world scenario where:
- ICD MongoDB and PostgreSQL instances are encrypted using keys stored in Key Protect.
- Schematics is used to execute Terraform that creates Key Protect keys and a key ring over the Key Protect public endpoint.
- Operators use machines with a fixed list of public IPs to interact with Schematics.
- Applications running in the VPC need access to PostgreSQL via the private endpoint, e.g. through a VPE.
- Zone creation is skipped for the two service references `user-management` and `iam-groups`.
- The services `compliance`, `directlink`, `iam-groups` and `user-management` do not support per-location restriction when their zones are created.
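To make the shape of what the module wires up concrete, the following is an added illustration (not code from the fscloud profile module or this example's own Terraform) that expresses two of the flows above, ICD to the Key Protect private endpoint and a block of operator IPs to the Schematics public endpoint, directly with the IBM Cloud provider's `ibm_cbr_zone` and `ibm_cbr_rule` resources. The account ID and the operator IP range are placeholder inputs.

```hcl
# Added illustration, not the fscloud profile module's own code.
# Assumptions: var.account_id and var.operator_ip_range are placeholders
# supplied by the reader; the IP range default is a documentation range.

terraform {
  required_providers {
    ibm = { source = "IBM-Cloud/ibm" }
  }
}

variable "account_id" {
  description = "Placeholder: account that owns the zones and the target services"
  type        = string
}

variable "operator_ip_range" {
  description = "Placeholder: public IPs operators use to reach Schematics"
  type        = string
  default     = "203.0.113.0-203.0.113.255"
}

# Zone: service references for the ICD MongoDB and PostgreSQL services in this account.
resource "ibm_cbr_zone" "icd_services" {
  name        = "icd-to-kms-zone"
  account_id  = var.account_id
  description = "ICD MongoDB and PostgreSQL instances that fetch keys from Key Protect"

  addresses {
    type = "serviceRef"
    ref {
      account_id   = var.account_id
      service_name = "databases-for-mongodb"
    }
  }
  addresses {
    type = "serviceRef"
    ref {
      account_id   = var.account_id
      service_name = "databases-for-postgresql"
    }
  }
}

# Rule: Key Protect (service name "kms") accepts traffic only from that zone and
# only over the private endpoint. Other sources, and the public endpoint, are denied.
resource "ibm_cbr_rule" "kms_private_from_icd" {
  description      = "Allow ICD to Key Protect over private endpoints only"
  enforcement_mode = "enabled" # start with "report" to observe denials before enforcing

  contexts {
    attributes {
      name  = "endpointType"
      value = "private"
    }
    attributes {
      name  = "networkZoneId"
      value = ibm_cbr_zone.icd_services.id
    }
  }
  resources {
    attributes {
      name  = "accountId"
      value = var.account_id
    }
    attributes {
      name  = "serviceName"
      value = "kms"
    }
  }
}

# Zone: the fixed block of operator IPs.
resource "ibm_cbr_zone" "operator_ips" {
  name        = "operator-ips-zone"
  account_id  = var.account_id
  description = "Public IPs of operator workstations"

  addresses {
    type  = "ipRange"
    value = var.operator_ip_range
  }
}

# Rule: the Schematics public endpoint is reachable only from the operator IP block.
resource "ibm_cbr_rule" "schematics_public_from_operators" {
  description      = "Allow operators to reach Schematics over the public endpoint"
  enforcement_mode = "enabled"

  contexts {
    attributes {
      name  = "endpointType"
      value = "public"
    }
    attributes {
      name  = "networkZoneId"
      value = ibm_cbr_zone.operator_ips.id
    }
  }
  resources {
    attributes {
      name  = "accountId"
      value = var.account_id
    }
    attributes {
      name  = "serviceName"
      value = "schematics"
    }
  }
}
```

Two practitioner checks apply to any rule of this shape: a CBR rule with no matching context denies every other source once `enforcement_mode` is `enabled`, so deploy with `report` first and read the Activity Tracker denials before switching; and the zone must belong to the same account as the target service, which is why `account_id` is repeated on the service references.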