feat: Added FScloud submodule (#126)

terraform-ibm-modules · Feb 29, 2024 · b83056d · b83056d
1 parent 8ea4165
commit b83056d
Show file tree

Hide file tree

Showing 20 changed files with 528 additions and 30 deletions.
diff --git a/README.md b/README.md
@@ -10,7 +10,10 @@ A module to create IBM Cloud Event Notifications.
 <!-- BEGIN OVERVIEW HOOK -->
 ## Overview
 * [terraform-ibm-event-notifications](#terraform-ibm-event-notifications)
+* [Submodules](./modules)
+    * [fscloud](./modules/fscloud)
 * [Examples](./examples)
+    * [ Financial Services Cloud profile example](./examples/fscloud)
     * [Basic example](./examples/basic)
     * [Complete example with BYOK encryption and CBR rules](./examples/complete)
 * [Contributing](#contributing)
@@ -91,8 +94,7 @@ To create service credentials, access to Event Notifications and access to call
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br>    description = string<br>    account_id  = string<br>    rule_contexts = list(object({<br>      attributes = optional(list(object({<br>        name  = string<br>        value = string<br>    }))) }))<br>    enforcement_mode = string<br>  }))</pre> | `[]` | no |
 | <a name="input_existing_kms_instance_crn"></a> [existing\_kms\_instance\_crn](#input\_existing\_kms\_instance\_crn) | The CRN of the Hyper Protect Crypto Services or Key Protect instance. Required only if var.kms\_encryption\_enabled is set to true | `string` | `null` | no |
 | <a name="input_kms_encryption_enabled"></a> [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in Event Notification. If set to false, the data is encrypted by using randomly generated keys. For more info on Managing Encryption, see https://cloud.ibm.com/docs/event-notifications?topic=event-notifications-en-managing-encryption | `bool` | `false` | no |
-| <a name="input_kms_endpoint"></a> [kms\_endpoint](#input\_kms\_endpoint) | The KMS endpoint to use when configuring KMS encryption. Must be private or public. | `string` | `"public"` | no |
-| <a name="input_kms_region"></a> [kms\_region](#input\_kms\_region) | The region where KMS instance exists if using KMS encryption. | `string` | `"us-south"` | no |
+| <a name="input_kms_endpoint_url"></a> [kms\_endpoint\_url](#input\_kms\_endpoint\_url) | The KMS endpoint URL to use when configuring KMS encryption. HPCS endpoint URL format- https://api.private.<REGION>.hs-crypto.cloud.ibm.com:<port> and KP endpoint URL format- https://<REGION>.kms.cloud.ibm.com | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name to give the IBM Event Notification instance created by this module. | `string` | n/a | yes |
 | <a name="input_plan"></a> [plan](#input\_plan) | Plan for the event notification instance : lite or standard | `string` | `"standard"` | no |
 | <a name="input_region"></a> [region](#input\_region) | IBM Cloud region where event notification will be created, supported regions are: us-south (Dallas), eu-gb (London), eu-de (Frankfurt), au-syd (Sydney), eu-es (Madrid) | `string` | `"us-south"` | no |
@@ -108,6 +110,7 @@ To create service credentials, access to Event Notifications and access to call
 | Name | Description |
 |------|-------------|
 | <a name="output_crn"></a> [crn](#output\_crn) | Event Notification crn |
+| <a name="output_event_notification_instance_name"></a> [event\_notification\_instance\_name](#output\_event\_notification\_instance\_name) | Event Notification name |
 | <a name="output_guid"></a> [guid](#output\_guid) | Event Notification guid |
 | <a name="output_service_credentials_json"></a> [service\_credentials\_json](#output\_service\_credentials\_json) | Service credentials json map |
 | <a name="output_service_credentials_object"></a> [service\_credentials\_object](#output\_service\_credentials\_object) | Service credentials object |

diff --git a/cra-config.yaml b/cra-config.yaml
@@ -1,8 +1,15 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "examples/basic" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
+  - CRA_TARGET: "examples/fscloud" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
+    CRA_ENVIRONMENT_VARIABLES:
+      TF_VAR_prefix: "cra-sap"
+      TF_VAR_existing_kms_instance_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9::"
+      TF_VAR_root_key_id: "76170fae-4e0c-48c3-8ebe-326059ebb533"
+      TF_VAR_kms_endpoint_url: "https://api.private.us-south.hs-crypto.cloud.ibm.com:8992"
+
+
     # CRA_ENVIRONMENT_VARIABLES:  # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
     #   TF_VAR_sample: "sample value"
     #   TF_VAR_other:  "another value"

diff --git a/examples/basic/outputs.tf b/examples/basic/outputs.tf
@@ -2,6 +2,10 @@
 # Outputs
 ##############################################################################
 
+output "event_notification_instance_name" {
+  description = "Event Notification name"
+  value       = module.event_notification.event_notification_instance_name
+}
 output "resource_group_name" {
   description = "Resource group name"
   value       = module.resource_group.resource_group_name

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -20,14 +20,17 @@ locals {
 }
 module "key_protect_all_inclusive" {
   source                    = "terraform-ibm-modules/key-protect-all-inclusive/ibm"
-  version                   = "4.4.2"
+  version                   = "4.6.0"
   resource_group_id         = module.resource_group.resource_group_id
   region                    = var.region
   key_protect_instance_name = "${var.prefix}-kp"
   resource_tags             = var.resource_tags
-  key_map = {
-    (local.key_ring_name) = [local.key_name]
-  }
+  keys = [{
+    key_ring_name = "en-key-ring"
+    keys = [{
+      key_name = "${var.prefix}-en"
+    }]
+  }]
 }
 
 ##############################################################################
@@ -77,11 +80,11 @@ module "event_notification" {
   kms_encryption_enabled    = true
   existing_kms_instance_crn = module.key_protect_all_inclusive.key_protect_id
   root_key_id               = module.key_protect_all_inclusive.keys["${local.key_ring_name}.${local.key_name}"].key_id
+  kms_endpoint_url          = module.key_protect_all_inclusive.kp_public_endpoint
   tags                      = var.resource_tags
   service_endpoints         = "public"
   service_credential_names  = var.service_credential_names
   region                    = var.region
-  kms_region                = var.region
   cbr_rules = [
     {
       description      = "${var.prefix}-event notification access only from vpc"

diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
@@ -12,6 +12,11 @@ output "resource_group_id" {
   value       = module.resource_group.resource_group_id
 }
 
+output "event_notification_instance_name" {
+  description = "Event Notification name"
+  value       = module.event_notification.event_notification_instance_name
+}
+
 output "crn" {
   description = "Event notification instance crn"
   value       = module.event_notification.crn

diff --git a/examples/fscloud/README.md b/examples/fscloud/README.md
@@ -0,0 +1,18 @@
+ # Financial Services Cloud profile example
+
+An end-to-end example that uses the [Profile for IBM Cloud Framework for Financial Services](https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/tree/main/modules/fscloud) to deploy an instance of Event Notification.
+
+The example uses the IBM Cloud Terraform provider to create the following infrastructure:
+
+- A resource group, if one is not passed in.
+- An IAM authorization between all Event Notification instances in the given resource group and the KMS instance that is passed in.
+- An Event Notification instance that is encrypted with the KMS root key that is passed in.
+- A sample virtual private cloud (VPC).
+- A context-based restriction (CBR) rule to only allow Event Notification to be accessible from within the VPC.
+
+:exclamation: **Important:** In this example, only the Event Notification instance complies with the IBM Cloud Framework for Financial Services. Other parts of the infrastructure do not necessarily comply.
+
+## Before you begin
+
+- You need a KMS instance and root key available in the region that you want to deploy your Event Notification instance to.
+- To ensure compliance with FSCloud standards, it is required to use HPCS only.
diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf
@@ -0,0 +1,94 @@
+##############################################################################
+# Resource group
+##############################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.4"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##############################################################################
+# Get Cloud Account ID
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+##############################################################################
+# VPC
+##############################################################################
+resource "ibm_is_vpc" "example_vpc" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+resource "ibm_is_subnet" "testacc_subnet" {
+  name                     = "${var.prefix}-subnet"
+  vpc                      = ibm_is_vpc.example_vpc.id
+  zone                     = "${var.region}-1"
+  total_ipv4_address_count = 256
+  resource_group           = module.resource_group.resource_group_id
+}
+
+##############################################################################
+# Create CBR Zone
+##############################################################################
+
+module "cbr_zone" {
+  source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
+  version          = "1.17.1"
+  name             = "${var.prefix}-VPC-network-zone"
+  zone_description = "CBR Network zone representing VPC"
+  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  addresses = [{
+    type  = "vpc",
+    value = ibm_is_vpc.example_vpc.crn
+  }]
+}
+
+module "event_notification" {
+  source                    = "../../modules/fscloud"
+  resource_group_id         = module.resource_group.resource_group_id
+  name                      = "${var.prefix}-en-fs"
+  existing_kms_instance_crn = var.existing_kms_instance_crn
+  root_key_id               = var.root_key_id
+  kms_endpoint_url          = var.kms_endpoint_url
+  tags                      = var.resource_tags
+
+  # Map of name, role for service credentials that you want to create for the event notification
+  service_credential_names = {
+    "en_manager" : "Manager",
+    "en_writer" : "Writer",
+    "en_reader" : "Reader",
+    "en_channel_editor" : "Channel Editor",
+    "en_device_manager" : "Device Manager",
+    "en_event_source_manager" : "Event Source Manager",
+    "en_event_notifications_publisher" : "Event Notification Publisher",
+    "en_status_reporter" : "Status Reporter",
+    "en_email_sender" : "Email Sender",
+    "en_custom_email_status_reporter" : "Custom Email Status Reporter",
+  }
+  region = var.region
+  cbr_rules = [
+    {
+      description      = "${var.prefix}-event notification access only from vpc"
+      enforcement_mode = "report"
+      account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+      rule_contexts = [{
+        attributes = [
+          {
+            "name" : "endpointType",
+            "value" : "private"
+          },
+          {
+            name  = "networkZoneId"
+            value = module.cbr_zone.zone_id
+        }]
+      }]
+    }
+  ]
+}
diff --git a/examples/fscloud/outputs.tf b/examples/fscloud/outputs.tf
@@ -0,0 +1,40 @@
+##############################################################################
+# Outputs
+##############################################################################
+
+output "resource_group_name" {
+  description = "Resource group name"
+  value       = module.resource_group.resource_group_name
+}
+
+output "resource_group_id" {
+  description = "Resource group ID"
+  value       = module.resource_group.resource_group_id
+}
+
+output "event_notification_instance_name" {
+  description = "Event Notification name"
+  value       = module.event_notification.event_notification_instance_name
+}
+
+output "crn" {
+  description = "Event notification instance crn"
+  value       = module.event_notification.crn
+}
+
+output "guid" {
+  description = "Event Notification guid"
+  value       = module.event_notification.guid
+}
+
+output "service_credentials_json" {
+  description = "Service credentials json map"
+  value       = module.event_notification.service_credentials_json
+  sensitive   = true
+}
+
+output "service_credentials_object" {
+  description = "Service credentials json object"
+  value       = module.event_notification.service_credentials_object
+  sensitive   = true
+}
diff --git a/examples/fscloud/provider.tf b/examples/fscloud/provider.tf
@@ -0,0 +1,8 @@
+##############################################################################
+# Provider config
+##############################################################################
+
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}
diff --git a/examples/fscloud/variables.tf b/examples/fscloud/variables.tf
@@ -0,0 +1,47 @@
+##############################################################################
+# Input Variables
+##############################################################################
+
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API Key"
+  sensitive   = true
+}
+
+variable "resource_group" {
+  type        = string
+  description = "The name of an existing resource group to provision resources in to. If not set a new resource group will be created using the prefix variable"
+  default     = null
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix to append to all resources created by this example"
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
+}
+
+variable "region" {
+  type        = string
+  description = "Region to provision all resources created by this example, Event Notifications supported regions are: us-south (Dallas), eu-gb (London), eu-de (Frankfurt), au-syd (Sydney), eu-es (Madrid)"
+  default     = "us-south"
+}
+
+variable "existing_kms_instance_crn" {
+  description = "The CRN of the Hyper Protect Crypto Services. To ensure compliance with FSCloud standards, it is required to use HPCS only"
+  type        = string
+}
+
+variable "root_key_id" {
+  type        = string
+  description = "The Key ID of a root key, existing in the KMS instance passed in var.existing_kms_instance_crn, which will be used to encrypt the data encryption keys (DEKs) which are then used to encrypt the data."
+}
+
+variable "kms_endpoint_url" {
+  description = "The KMS endpoint URL to use when configuring KMS encryption."
+  type        = string
+}
diff --git a/examples/fscloud/version.tf b/examples/fscloud/version.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_version = ">= 1.3.0, <1.6.0"
+
+  # Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
+  # module's version.tf (usually a basic example), and 1 example that will always use the latest provider version.
+  required_providers {
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = ">= 1.56.1, < 2.0.0"
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -5,9 +5,9 @@ locals {
   # tflint-ignore: terraform_unused_declarations
   validate_kms_plan = var.kms_encryption_enabled && var.plan != "standard" ? tobool("kms encryption is only supported for standard plan") : true
   # tflint-ignore: terraform_unused_declarations
-  validate_kms_values = !var.kms_encryption_enabled && (var.existing_kms_instance_crn != null || var.root_key_id != null) ? tobool("When passing values for var.existing_kms_instance_crn or/and var.root_key_id, you must set var.kms_encryption_enabled to true. Otherwise unset them to use default encryption") : true
+  validate_kms_values = !var.kms_encryption_enabled && (var.existing_kms_instance_crn != null || var.root_key_id != null || var.kms_endpoint_url != null) ? tobool("When passing values for var.existing_kms_instance_crn or/and var.root_key_id or/and var.kms_endpoint_url, you must set var.kms_encryption_enabled to true. Otherwise unset them to use default encryption") : true
   # tflint-ignore: terraform_unused_declarations
-  validate_kms_vars = var.kms_encryption_enabled && (var.existing_kms_instance_crn == null || var.root_key_id == null) ? tobool("When setting var.kms_encryption_enabled to true, a value must be passed for var.existing_kms_instance_crn and var.root_key_id") : true
+  validate_kms_vars = var.kms_encryption_enabled && (var.existing_kms_instance_crn == null || var.root_key_id == null || var.kms_endpoint_url == null) ? tobool("When setting var.kms_encryption_enabled to true, a value must be passed for var.existing_kms_instance_crn, var.root_key_id and var.kms_endpoint_url") : true
 
   # Determine what KMS service is being used for encryption
   kms_service = var.existing_kms_instance_crn != null ? (
@@ -35,11 +35,9 @@ resource "ibm_resource_instance" "en_instance" {
 #############################################################################
 
 locals {
-  en_integration_id = length(data.ibm_en_integrations.en_integrations) > 0 ? [
-    for integrations in data.ibm_en_integrations.en_integrations[0].integrations :
-    integrations.id if integrations.type == local.kms_service
-  ] : null
+  en_integration_id = length(data.ibm_en_integrations.en_integrations) > 0 ? data.ibm_en_integrations.en_integrations[0].integrations[0]["id"] : null
 }
+
 data "ibm_en_integrations" "en_integrations" {
   count         = var.kms_encryption_enabled == false ? 0 : 1
   instance_guid = ibm_resource_instance.en_instance.guid
@@ -48,10 +46,10 @@ data "ibm_en_integrations" "en_integrations" {
 resource "ibm_en_integration" "en_kms_integration" {
   count          = var.kms_encryption_enabled == false ? 0 : 1
   instance_guid  = ibm_resource_instance.en_instance.guid
-  integration_id = local.en_integration_id[0]
+  integration_id = local.en_integration_id
   type           = local.kms_service
   metadata {
-    endpoint    = var.kms_endpoint == "public" ? "https://${var.kms_region}.kms.cloud.ibm.com" : "https://private.${var.kms_region}.kms.cloud.ibm.com"
+    endpoint    = var.kms_endpoint_url
     crn         = var.existing_kms_instance_crn
     root_key_id = var.root_key_id
   }