From 4060786ae16925b6bc088ed00861587a986445f3 Mon Sep 17 00:00:00 2001 From: Rajat Agrawal <108140212+rajatagarwal-ibm@users.noreply.github.com> Date: Tue, 10 Sep 2024 09:49:53 +0100 Subject: [PATCH] feat: updated the `target_service_details` input in the fscloud submodule to support setting the `geography` option.
**NOTE:** Both `region` and `geography` cannot be set simultaneously for the container registry service. (#519)
---
 examples/fscloud/README.md | 7 ++++---
 examples/fscloud/main.tf | 8 ++++++--
 examples/fscloud/variables.tf | 2 +-
 modules/fscloud/README.md | 2 +-
 modules/fscloud/main.tf | 5 +++++
 modules/fscloud/variables.tf | 13 +++++++++++++
 6 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/examples/fscloud/README.md b/examples/fscloud/README.md
index e9f43027..2f44dc2c 100644
--- a/examples/fscloud/README.md
+++ b/examples/fscloud/README.md
@@ -7,9 +7,10 @@ This examples is designed to show case some of the key customization options for
 2. Open up network traffic flow from Schematics to Key Protect private endpoints.
 3. Open up network traffic flow from a block of IPs to the Schematics public endpoint.
 4. Open up network traffic flow from the VPC created in this example to ICD postgresql private endpoints.
-5. Customize the rule description for `kms` and the zone name for `codeengine` and `cloud-object-storage`.
-6. Add optional locations to open traffic only from `au` and `tok` locations for the `codeengine` network zone and leave the flow closed in other locations.
-7. Add optional location to open traffic only from `fr` location for `server-protect` network zone and leave the flow closed in other locations.
+5. Customize the rules for `kms`, `cloud-object-storage`, `databases-for-postgresql`, `messagehub`, `IAM` and `container-registry`.
+6. Customize the zone name for `codeengine` and `cloud-object-storage`.
+7. Add optional locations to open traffic only from `au` and `tok` locations for the `codeengine` network zone and leave the flow closed in other locations.
+8. Add optional location to open traffic only from `eu` location for `server-protect` network zone and leave the flow closed in other locations.
 
 Context: this examples covers a "pseudo" real-world scenario where:
 1. ICD Mongodb and Postgresql instances are encrypted using keys storage in Key Protect.
diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf
index 68bf5270..c8ff1cf4 100644
--- a/examples/fscloud/main.tf
+++ b/examples/fscloud/main.tf
@@ -100,19 +100,23 @@ module "cbr_account_level" {
 "enforcement_mode" = "report"
 "global_deny" = false
 }
+ "container-registry" : {
+ "enforcement_mode" : "enabled"
+ "geography" : "global"
+ }
 }
 
 # Demonstrates how a customized name and an optional location can be set for the CBR serviceRef zones
 zone_service_ref_list = {
 codeengine = {
- zone_name = "codeengine-zone-example-of-customized-zone-name"
+ zone_name = "${var.prefix}-codeengine-zone-example-of-customized-zone-name"
 serviceRef_location = ["au", "tok"]
 },
 server-protect = {
 serviceRef_location = ["eu"]
 },
 cloud-object-storage = {
- zone_name = "COS-zone-example-of-customized-zone-name"
+ zone_name = "${var.prefix}-COS-zone-example-of-customized-zone-name"
 }
 }
 
diff --git a/examples/fscloud/variables.tf b/examples/fscloud/variables.tf
index 4d941399..6998477a 100644
--- a/examples/fscloud/variables.tf
+++ b/examples/fscloud/variables.tf
@@ -6,7 +6,7 @@ variable "ibmcloud_api_key" {
 
 variable "prefix" {
 type = string
- description = "Prefix to append to all vpc_zone_list, service_ref_zone_list and cbr_rule_description created by this submodule"
+ description = "Prefix to append to all vpc_zone_list, zone_service_ref_list and cbr_rule_description created by this submodule"
 }
 
 variable "region" {
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
index d390c81e..156f1c68 100644
--- a/modules/fscloud/README.md
+++ b/modules/fscloud/README.md
@@ -128,7 +128,7 @@ module "cbr_fscloud" {
 | [kms\_service\_targeted\_by\_prewired\_rules](#input\_kms\_service\_targeted\_by\_prewired\_rules) | IBM Cloud offers two distinct Key Management Services (KMS): Key Protect and Hyper Protect Crypto Services (HPCS). This variable determines the specific KMS service to which the pre-configured rules will be applied. Use the value 'key-protect' to specify the Key Protect service, and 'hs-crypto' for the Hyper Protect Crypto Services (HPCS). | `list(string)` |
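Review bot: The new `container-registry` entry separates keys and values with `:` (`"enforcement_mode" : "enabled"`) while every sibling entry in the same map uses `=`; HCL accepts both, but the mixed form reads as a paste from another syntax and is easy to misread in review. Suggest `"container-registry" = {`, `"enforcement_mode" = "enabled"` and `"geography" = "global"`. It is also the only entry in this example that is enforced rather than `"report"`, which deserves a one-line comment such as `# enforced (not report-only) to demonstrate a geography-scoped container-registry rule` so the difference is visibly deliberate. The enclosing `module "cbr_account_level"` block begins and ends outside the hunk.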
[
"hs-crypto"
]
| no |
 | [prefix](#input\_prefix) | Prefix to append to all vpc\_zone\_list, service\_ref\_zone\_list and cbr\_rule\_description created by this submodule | `string` | n/a | yes |
 | [skip\_specific\_services\_for\_zone\_creation](#input\_skip\_specific\_services\_for\_zone\_creation) | Provide a list of service references for which zone creation is not required | `list(string)` | `[]` | no |
-| [target\_service\_details](#input\_target\_service\_details) | Details of the target service for which a rule is created. The key is the service name. |
map(object({
description = optional(string)
target_rg = optional(string)
instance_id = optional(string)
enforcement_mode = string
tags = optional(list(string))
region = optional(string)
global_deny = optional(bool, true)
}))
| `{}` | no |
+| [target\_service\_details](#input\_target\_service\_details) | Details of the target service for which a rule is created. The key is the service name. |
map(object({
description = optional(string)
target_rg = optional(string)
instance_id = optional(string)
enforcement_mode = string
tags = optional(list(string))
region = optional(string)
geography = optional(string)
global_deny = optional(bool, true)
}))
| `{}` | no |
 | [zone\_service\_ref\_list](#input\_zone\_service\_ref\_list) | (Optional) Provide a valid service reference with the customized name of the zone and location where the context-based restriction zones are created. If no value is specified for `serviceRef_location`, the zones are not scoped to any location and if no value is specified for `zone_name` default zone name with the prefix will be created. |
object({
cloud-object-storage = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

codeengine = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

containers-kubernetes = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

databases-for-cassandra = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

databases-for-elasticsearch = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

databases-for-enterprisedb = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

databases-for-etcd = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

databases-for-mongodb = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

databases-for-mysql = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

databases-for-postgresql = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

databases-for-redis = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

directlink = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

iam-groups = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

is = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

messagehub = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

messages-for-rabbitmq = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

schematics = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

secrets-manager = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

server-protect = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

user-management = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

apprapp = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

compliance = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

event-notifications = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

logdna = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

logdnaat = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

cloudantnosqldb = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

globalcatalog-collection = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

sysdig-monitor = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

sysdig-secure = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

toolchain = optional(object({
zone_name = optional(string)
serviceRef_location = optional(list(string))
}))

})
| `{}` | no |
 | [zone\_vpc\_crn\_list](#input\_zone\_vpc\_crn\_list) | (List) VPC CRN for the zones | `list(string)` | `[]` | no |
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
index 235b1e94..46f36ddd 100644
--- a/modules/fscloud/main.tf
+++ b/modules/fscloud/main.tf
@@ -404,6 +404,11 @@ locals {
 name = "region",
 operator = "stringEquals",
 value = value.region
+ } : {},
+ try(value.geography, null) != null ? {
+ name = "geography",
+ operator = "stringEquals",
+ value = value.geography
 } : {}
 ]
 }
 }
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
index 576dbe57..604b6c33 100644
--- a/modules/fscloud/variables.tf
+++ b/modules/fscloud/variables.tf
@@ -285,9 +285,11 @@ variable "target_service_details" {
 enforcement_mode = string
 tags = optional(list(string))
 region = optional(string)
+ geography = optional(string)
 global_deny = optional(bool, true)
 }))
 description = "Details of the target service for which a rule is created. The key is the service name."
+
 validation {
 condition = alltrue([
 for target_service_name, _ in var.target_service_details :
@@ -295,6 +297,17 @@ variable "target_service_details" {
 ])
 error_message = "Provide a valid target service name that is supported by context-based restrictions"
 }
+ validation {
+ condition = alltrue([
+ for target_service_name, attributes in var.target_service_details : (
+ target_service_name != "container-registry" || (
+ contains(["container-registry"], target_service_name) &&
+ !(attributes.region != null && attributes.geography != null)
+ )
+ )
+ ])
+ error_message = "Both `region` and `geography` cannot be set simultaneously for the container registry service."
+ }
 validation {
 condition = alltrue([
 for target_service_name, attributes in var.target_service_details :
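Review bot: The new `geography` branch is gated only on `try(value.geography, null) != null`, so any service whose entry sets `geography` gets a `geography` rule attribute, not just `container-registry`; the commit's validation only constrains container-registry, and nothing in this hunk establishes whether a `geography` attribute is accepted for other services, so that is worth confirming. A short comment on the new branch would make the intent explicit, e.g. `# optional "geography" rule attribute; region/geography exclusivity is validated on var.target_service_details`. The `locals` block that owns this attribute list starts and ends outside the hunk.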
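Review bot: The object type gains `geography` but the variable's `description` is left as is, so the generated README (this commit's `modules/fscloud/README.md` hunk) tells users nothing about what the field does or that it conflicts with `region`. Suggest extending it, e.g. `description = "Details of the target service for which a rule is created. The key is the service name. region and geography are optional rule attributes and cannot both be set for container-registry."`, and regenerating the README. The `variable "target_service_details"` block begins before this hunk.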
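Review bot: In the added validation, `contains(["container-registry"], target_service_name)` is always true where it is evaluated, because the right-hand side of `||` is only reached when `target_service_name != "container-registry"` is false; the term adds nothing and hides the actual check. The condition reduces to `target_service_name != "container-registry" || attributes.region == null || attributes.geography == null`, which reads directly as the rule the error message states. Since the check is keyed on the exact service name, a different service that sets both `region` and `geography` passes validation and both attributes reach the rule; if that is intended, a comment on the validation block saying the exclusivity is container-registry specific would save the next reader the question.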