feat: Add CBR's to COS bucket and KMS key #57

Draft: wants to merge 2 commits into base: main
15 changes: 13 additions & 2 deletions README.md
@@ -105,6 +105,11 @@ statement instead the previous block.
| Name | Source | Version |
|------|--------|---------|
| <a name="module_billing_exports"></a> [billing\_exports](#module\_billing\_exports) | ./modules/billing-exports | n/a |
| <a name="module_cbr_zone_additional"></a> [cbr\_zone\_additional](#module\_cbr\_zone\_additional) | terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module | 1.29.0 |
| <a name="module_cbr_zone_cloudability"></a> [cbr\_zone\_cloudability](#module\_cbr\_zone\_cloudability) | terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module | 1.29.0 |
| <a name="module_cbr_zone_cos"></a> [cbr\_zone\_cos](#module\_cbr\_zone\_cos) | terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module | 1.29.0 |
| <a name="module_cbr_zone_ibmcloud_billing"></a> [cbr\_zone\_ibmcloud\_billing](#module\_cbr\_zone\_ibmcloud\_billing) | terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module | 1.29.0 |
| <a name="module_cbr_zone_schematics"></a> [cbr\_zone\_schematics](#module\_cbr\_zone\_schematics) | terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module | 1.29.0 |
| <a name="module_cloudability_bucket_access"></a> [cloudability\_bucket\_access](#module\_cloudability\_bucket\_access) | ./modules/cloudability-bucket-access | n/a |
| <a name="module_cloudability_enterprise_access"></a> [cloudability\_enterprise\_access](#module\_cloudability\_enterprise\_access) | ./modules/cloudability-enterprise-access | n/a |
| <a name="module_cloudability_onboarding"></a> [cloudability\_onboarding](#module\_cloudability\_onboarding) | ./modules/cloudability-onboarding | n/a |
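Review bot: the PR title says CBRs are added for the KMS key as well, but nothing in this module table names a Key Protect zone or rule; the five new rows are all bucket-facing zones (billing, Cloudability, COS, Schematics, additional). Either the title is wider than the change or a row is missing, so either clarify that `instance_cbr_rules` targets the KMS instance or drop "and KMS key" from the title. Pinning all five `cbr-zone-module` rows to 1.29.0 is consistent and fine.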
@@ -130,11 +135,17 @@ statement instead the previous block.
| <a name="input_activity_tracker_read_data_events"></a> [activity\_tracker\_read\_data\_events](#input\_activity\_tracker\_read\_data\_events) | If set to true, all Object Storage bucket read events (downloads) will be sent to Activity Tracker. | `bool` | `true` | no |
| <a name="input_activity_tracker_write_data_events"></a> [activity\_tracker\_write\_data\_events](#input\_activity\_tracker\_write\_data\_events) | If set to true, all Object Storage bucket read events (downloads) will be sent to Activity Tracker. | `bool` | `true` | no |
| <a name="input_add_bucket_name_suffix"></a> [add\_bucket\_name\_suffix](#input\_add\_bucket\_name\_suffix) | Add random generated suffix (4 characters long) to the newly provisioned Object Storage bucket name (Optional). | `bool` | `true` | no |
| <a name="input_additional_allowed_cbr_bucket_ip_addresses"></a> [additional\_allowed\_cbr\_bucket\_ip\_addresses](#input\_additional\_allowed\_cbr\_bucket\_ip\_addresses) | A list of CBR zone IP addresses, which are permitted to access the bucket. This zone typically represents the IP addresses for your company or workstation to allow access to view the contents of the bucket. | `list(string)` | `[]` | no |
| <a name="input_archive_days"></a> [archive\_days](#input\_archive\_days) | Specifies the number of days when the archive rule action takes effect. A value of `null` disables archiving. A value of `0` immediately archives uploaded objects to the bucket. | `number` | `null` | no |
| <a name="input_archive_type"></a> [archive\_type](#input\_archive\_type) | Specifies the storage class or archive type to which you want the object to transition. | `string` | `"Glacier"` | no |
| <a name="input_bucket_cbr_rules"></a> [bucket\_cbr\_rules](#input\_bucket\_cbr\_rules) | (Optional, list) List of CBR rules to create for the bucket | <pre>list(object({<br/> description = string<br/> account_id = string<br/> rule_contexts = list(object({<br/> attributes = optional(list(object({<br/> name = string<br/> value = string<br/> }))) }))<br/> enforcement_mode = string<br/> tags = optional(list(object({<br/> name = string<br/> value = string<br/> })), [])<br/> operations = optional(list(object({<br/> api_types = list(object({<br/> api_type_id = string<br/> }))<br/> })))<br/> }))</pre> | `[]` | no |
| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | The name to give the newly provisioned Object Storage bucket. | `string` | `"billing-reports"` | no |
| <a name="input_bucket_storage_class"></a> [bucket\_storage\_class](#input\_bucket\_storage\_class) | The storage class of the newly provisioned Object Storage bucket. Supported values are 'standard', 'vault', 'cold', 'smart' and `onerate_active`. | `string` | `"standard"` | no |
| <a name="input_cbr_additional_zone_name"></a> [cbr\_additional\_zone\_name](#input\_cbr\_additional\_zone\_name) | Name of the CBR zone that corresponds to the ip address range set in `additional_allowed_cbr_bucket_ip_addresses`. | `string` | `"company-billing-reports-bucket-access"` | no |
| <a name="input_cbr_billing_zone_name"></a> [cbr\_billing\_zone\_name](#input\_cbr\_billing\_zone\_name) | Name of the CBR zone which represents IBM Cloud billing. See [What are CBRs?](https://cloud.ibm.com/docs/account?topic=account-context-restrictions-whatis) | `string` | `"ibmcloud-billing-reports-bucket-writer"` | no |
| <a name="input_cbr_cloudability_zone_name"></a> [cbr\_cloudability\_zone\_name](#input\_cbr\_cloudability\_zone\_name) | Name of the CBR zone which represents IBM Cloudability. See [What are CBRs?](https://cloud.ibm.com/docs/account?topic=account-context-restrictions-whatis) | `string` | `"cldy-billing-reports-bucket-reader"` | no |
| <a name="input_cbr_cos_zone_name"></a> [cbr\_cos\_zone\_name](#input\_cbr\_cos\_zone\_name) | Name of the CBR zone which represents Cloud Object Storage service. See [What are CBRs?](https://cloud.ibm.com/docs/account?topic=account-context-restrictions-whatis) | `string` | `"cldy-billing-reports-object-storage"` | no |
| <a name="input_cbr_enforcement_mode"></a> [cbr\_enforcement\_mode](#input\_cbr\_enforcement\_mode) | The rule enforcement mode: * enabled - The restrictions are enforced and reported. This is the default. * disabled - The restrictions are disabled. Nothing is enforced or reported. * report - The restrictions are evaluated and reported, but not enforced. | `string` | `"enabled"` | no |
| <a name="input_cbr_schematics_zone_name"></a> [cbr\_schematics\_zone\_name](#input\_cbr\_schematics\_zone\_name) | Name of the CBR zone which represents Schematics. The schematics zone allows Projects to access and manage the Object Storage bucket. | `string` | `"schematics-billing-reports-bucket-management"` | no |
| <a name="input_cloudability_api_key"></a> [cloudability\_api\_key](#input\_cloudability\_api\_key) | Cloudability API Key. Retrieve your Api Key from https://app.apptio.com/cloudability#/settings/preferences under the section **Cloudability API** select **Enable API** which will generate an api key. Setting this value to __NULL__ will skip adding the IBM Cloud account to Cloudability and only configure IBM Cloud so that the IBM Cloud Account can be added to Cloudability manually | `string` | `null` | no |
| <a name="input_cloudability_auth_type"></a> [cloudability\_auth\_type](#input\_cloudability\_auth\_type) | Select Cloudability authentication mode. Options are:<br/><br/>* `none`: no connection to Cloudability<br/>* `manual`: manually enter in the credentials in the Cloudability UI<br/>* `api_key`: use Cloudability API Keys<br/>* `frontdoor`: Frontdoor Access Administration | `string` | `"api_key"` | no |
| <a name="input_cloudability_environment_id"></a> [cloudability\_environment\_id](#input\_cloudability\_environment\_id) | An ID corresponding to your FrontDoor environment. Required if `cloudability_auth_type` = `frontdoor` | `string` | `null` | no |
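Review bot: the defaults in this block disagree with the `ibm_catalog.json` entries for the same keys further down in this PR: here `cbr_additional_zone_name` defaults to `"company-billing-reports-bucket-access"`, while the catalog entry defaults it to `__NULL__` and describes it as a zone ID. Since this README is generated from the variable definitions, fix the catalog side to match. Two smaller points: `cbr_cos_zone_name` defaults to `cldy-billing-reports-object-storage`, reusing the Cloudability `cldy` prefix for a zone that represents the COS service (something like `cos-billing-reports-...` reads less misleading); and `cbr_enforcement_mode` documents exactly three accepted values (`enabled`, `disabled`, `report`), so a `validation` block on that variable would stop a typo from reaching the rule module.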
@@ -148,13 +159,13 @@ statement instead the previous block.
| <a name="input_enable_billing_exports"></a> [enable\_billing\_exports](#input\_enable\_billing\_exports) | Whether billing exports should be enabled | `bool` | `true` | no |
| <a name="input_enable_cloudability_access"></a> [enable\_cloudability\_access](#input\_enable\_cloudability\_access) | Whether to grant cloudability access to read the billing reports | `bool` | `true` | no |
| <a name="input_enterprise_id"></a> [enterprise\_id](#input\_enterprise\_id) | The ID of the enterprise. If `__NULL__` then it is automatically retrieved if `is_enterprise_account` is `true`. Providing this value reduces the access policies that are required to run the DA. | `string` | `null` | no |
| <a name="input_existing_allowed_cbr_bucket_zone_id"></a> [existing\_allowed\_cbr\_bucket\_zone\_id](#input\_existing\_allowed\_cbr\_bucket\_zone\_id) | An extra CBR zone ID which is permitted to access the bucket. This zone typically represents the ip addresses for your company or workstation to allow access to view the contents of the bucket. It can be used as an alternative to `additional_allowed_cbr_bucket_ip_addresses` in the case that a zone exists. | `string` | `null` | no |
| <a name="input_existing_cos_instance_id"></a> [existing\_cos\_instance\_id](#input\_existing\_cos\_instance\_id) | The ID of an existing Cloud Object Storage instance. Required if 'var.create\_cos\_instance' is false. | `string` | `null` | no |
| <a name="input_existing_kms_instance_crn"></a> [existing\_kms\_instance\_crn](#input\_existing\_kms\_instance\_crn) | The CRN of an existing Key Protect or Hyper Protect Crypto Services instance. Required if 'create\_key\_protect\_instance' is false. | `string` | `null` | no |
| <a name="input_expire_days"></a> [expire\_days](#input\_expire\_days) | Specifies the number of days when the expire rule action takes effect. | `number` | `3` | no |
| <a name="input_frontdoor_public_key"></a> [frontdoor\_public\_key](#input\_frontdoor\_public\_key) | The public key that is used along with the `frontdoor_secret_key` to authenticate requests to Cloudability. Only required if `cloudability_auth_type` is `frontdoor`. See [acquiring an Access Administration API key](/docs/track-spend-with-cloudability?topic=track-spend-with-cloudability-planning#frontdoor-api-key) for steps to create your credentials. | `string` | `null` | no |
| <a name="input_frontdoor_secret_key"></a> [frontdoor\_secret\_key](#input\_frontdoor\_secret\_key) | The secret key that is used along with the `frontdoor_public_key` to authenticate requests to Cloudability. Only required if `cloudability_auth_type` is `frontdoor`. See [acquiring an Access Administration API key](/docs/track-spend-with-cloudability?topic=track-spend-with-cloudability-planning#frontdoor-api-key) for steps to create your credentials. | `string` | `null` | no |
| <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key corresponding to the cloud account that will be added to Cloudability. For enterprise accounts this should be the primary enterprise account | `string` | n/a | yes |
| <a name="input_instance_cbr_rules"></a> [instance\_cbr\_rules](#input\_instance\_cbr\_rules) | (Optional, list) List of CBR rules to create for the instance | <pre>list(object({<br/> description = string<br/> account_id = string<br/> rule_contexts = list(object({<br/> attributes = optional(list(object({<br/> name = string<br/> value = string<br/> }))) }))<br/> enforcement_mode = string<br/> tags = optional(list(object({<br/> name = string<br/> value = string<br/> })), [])<br/> operations = optional(list(object({<br/> api_types = list(object({<br/> api_type_id = string<br/> }))<br/> })))<br/> }))</pre> | `[]` | no |
| <a name="input_is_enterprise_account"></a> [is\_enterprise\_account](#input\_is\_enterprise\_account) | Whether the account corresponding to the `ibmcloud_api_key` is an enterprise account and, if so, is the primary account within the enterprise | `bool` | `false` | no |
| <a name="input_key_name"></a> [key\_name](#input\_key\_name) | Name of the Object Storage bucket encryption key | `string` | `null` | no |
| <a name="input_key_protect_allowed_network"></a> [key\_protect\_allowed\_network](#input\_key\_protect\_allowed\_network) | The type of the allowed network to be set for the Key Protect instance. Possible values are 'private-only', or 'public-and-private'. Only used if 'create\_key\_protect\_instance' is true. | `string` | `"public-and-private"` | no |
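Review bot: `instance_cbr_rules` says "List of CBR rules to create for the instance" without saying which instance; this PR touches both the Object Storage instance and the Key Protect/HPCS instance, so name the target explicitly in the description. Also, `existing_allowed_cbr_bucket_zone_id` is offered "as an alternative to `additional_allowed_cbr_bucket_ip_addresses`", but the text does not say what happens when both are set (both zones attached, or one wins); state the precedence, and capitalise "ip addresses" as "IP addresses" to match the sibling input.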
96 changes: 95 additions & 1 deletion ibm_catalog.json
@@ -31,6 +31,10 @@
"title": "Secured with Key Protect",
"description": "Your Object Storage bucket containing billing reports is encrypted with a Key Protect encryption key with automated rotation. See [encrypting a bucket with Key Protect](https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-tutorial-kp-encrypt-bucket) for more details."
},
{
"title": "Context-Based Restrictions",
"description": "Access to your Object Storage bucket is restricted to IBM Cloud Billing, IBM Cloudability, and Schematics (for provisioning) by using [context-based restrictions](/docs/account?topic=account-context-restrictions-whatis)."
},
{
"title": "Least Privileged Operations to Cloudability",
"description": "Custom IAM access roles are used so that Cloudability is granted the minimal required access to integrate with your IBM Cloud Account."
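Review bot: the feature card states access "is restricted to IBM Cloud Billing, IBM Cloudability, and Schematics" unconditionally, but the new `cbr_enforcement_mode` input can be set to `report` or `disabled`, and `additional_allowed_cbr_bucket_ip_addresses` / `existing_allowed_cbr_bucket_zone_id` widen the allowed list beyond those three. Suggest "Access ... can be restricted to ... and, optionally, to IP zones you specify" so the card does not overstate the posture a user actually gets. The PR title also covers the KMS key, but this description only mentions the bucket.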
@@ -83,6 +87,18 @@
"crn:v1:bluemix:public:iam::::role:Administrator"
]
},
{
"service_name": "cbr",
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Viewer"
]
},
{
"service_name": "schematics",
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator"
]
},
{
"service_name": "cloud-object-storage",
"role_crns": [
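Review bot: `Viewer` on `cbr` looks too low for a deployment that creates five CBR zones and the bucket rules; Viewer only reads existing zones and rules, so confirm the role the `cbr-zone-module` and the rule creation actually need (every other service in this list is granted Administrator). Conversely, `Administrator` on `schematics` is broad when the only stated Schematics use here is a network zone so Projects can reach the bucket; check whether a lower role is enough, given the "Least Privileged Operations" feature advertised a few lines above.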
@@ -478,10 +494,80 @@
}
]
},
{
"key": "cbr_enforcement_mode",
"type": "string",
"default_value": "enabled",
"description": "The rule enforcement mode: \n* enabled - The restrictions are enforced and reported.\n* disabled - The restrictions are disabled. Nothing is enforced or reported.\n* report - The restrictions are evaluated and reported, but not enforced.",
"required": false,
"options": [
{
"displayname": "Enabled (Restrict access to bucket)",
"value": "enabled"
},
{
"displayname": "Disabled (No access restrictions or audit logging)",
"value": "disabled"
},
{
"displayname": "Report-Only (No access restrictions, but audit logs are still enabled)",
"value": "report"
}
]
},
{
"key": "additional_allowed_cbr_bucket_ip_addresses",
"type": "array",
"default_value": "[]",
"description": "A list of CBR zone address which are permitted to access the bucket. This zone typically represents the IP addresses for your company or workstation to allow access to view the contents of the bucket.",
"required": false
},
{
"key": "existing_allowed_cbr_bucket_zone_id",
"type": "string",
"default_value": "[]",
"description": "A list of CBR zone address which are permitted to access the bucket. This zone typically represents the IP addresses for your company or workstation to allow access to view the contents of the bucket.",
"required": false
},
{
"key": "cbr_additional_zone_name",
"type": "string",
"default_value": "__NULL__",
"description": "An extra CBR zone ID which is permitted to access the bucket. This zone typically represents the IP addresses for your company or workstation to allow access to view the contents of the bucket. It can be used as an alternative to `additional_allowed_cbr_bucket_ip_addresses` in the case that a zone exists.",
"required": false
},
{
"key": "cbr_billing_zone_name",
"type": "string",
"default_value": "ibmcloud-billing-reports-bucket-writer",
"description": "Name of the cbr zone which represents IBM Cloud billing",
"required": false
},
{
"key": "cbr_cloudability_zone_name",
"type": "string",
"default_value": "cldy-billing-reports-bucket-reader",
"description": "Name of the CBR zone which represents IBM Cloudability. See [What are CBRs?](https://cloud.ibm.com/docs/account?topic=account-context-restrictions-whatis)",
"required": false
},
{
"key": "cbr_cos_zone_name",
"type": "string",
"default_value": "cldy-billing-reports-object-storage",
"description": "Name of the CBR zone which represents Cloud Object Storage service. See [What are CBRs?](https://cloud.ibm.com/docs/account?topic=account-context-restrictions-whatis)",
"required": false
},
{
"key": "cbr_schematics_zone_name",
"type": "string",
"default_value": "schematics-billing-reports-bucket-management",
"description": "Name of the CBR zone which represents Schematics. The schematics zone allows Projects to access and manage the Object Storage bucket.",
"required": false
},
{
"key": "existing_kms_instance_crn",
"type": "string",
"description": "The CRN of an existing Key Protect or Hyper Protect Crypto Services instance to be used to create the Object Storage encryption key.",
"description": "The ID of an existing Key Protect or Hyper Protect Crypto Services instance to be used to create the object storage encryption key.",
"default_value": "__NULL__",
"required": false
},
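Review bot: the descriptions for the three new zone inputs are shifted by one entry. `existing_allowed_cbr_bucket_zone_id` is typed `string` yet defaults to `"[]"` and reuses the IP-list description (the README gives it default `null`); `cbr_additional_zone_name` defaults to `__NULL__` and carries the zone-ID description, while the README default is `company-billing-reports-bucket-access`. Realign the three so each key has its own description and the README default. The `existing_kms_instance_crn` object now contains two `"description"` keys; the replacement text reads "The ID of an existing ..." although the key name and the README both say CRN, so keep the CRN wording and drop the duplicate. Minor: "A list of CBR zone address which are" should be "A list of IP addresses that are", and `cbr_billing_zone_name` lacks the "See [What are CBRs?]" link its siblings carry.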
@@ -733,6 +819,14 @@
"key": "cos_instance_name",
"description": "Name of the Object Storage Instance"
},
{
"key": "bucket_cbr_rule_ids",
"description": "Object Storage bucket rule ids"
},
{
"key": "bucket_cbr_rules",
"description": "Object Storage bucket rules"
},
{
"key": "key_protect_guid",
"description": "ID of the Key Protect instance which contains the encryption key for the object storage bucket"
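Review bot: the two new output descriptions are too terse to tell a consumer what they receive. "Object Storage bucket rule ids" should say "IDs of the CBR rules created for the Object Storage bucket", and "Object Storage bucket rules" should state the shape returned (the full rule objects, or just names). If `instance_cbr_rules` creates rules as well, their IDs should be exported alongside these for the same reason.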