feat(hipaa/pci): add hipaa/pci compliance type to the service resource (#341)

Author: gkorolev

.github/scripts/set_api_env.sh

@@ -24,6 +24,7 @@ api_key_id="$(echo "${api_env_production}" | jq -r .api_key_id)"
 api_key_secret="$(echo "${api_env_production}" | jq -r .api_key_secret)"
 if [ "$cloud" != "" ]; then
   region="$(echo "${api_env_production}" | jq -rc --arg cloud $cloud '.regions[$cloud]' | jq -c '.[]' | shuf -n 1 |jq -r .)"
+  compliance_region="$(echo "${api_env_production}" | jq -rc --arg cloud $cloud '.compliance_regions[$cloud]' | jq -c '.[]' | shuf -n 1 |jq -r .)"
 fi
 ;;
 
@@ -34,6 +35,7 @@ api_key_id="$(echo "${api_env_staging}" | jq -r .api_key_id)"
 api_key_secret="$(echo "${api_env_staging}" | jq -r .api_key_secret)"
 if [ "$cloud" != "" ]; then
   region="$(echo "${api_env_staging}" | jq -rc --arg cloud $cloud '.regions[$cloud]' | jq -c '.[]' | shuf -n 1 |jq -r .)"
+  compliance_region="$(echo "${api_env_staging}" | jq -rc --arg cloud $cloud '.compliance_regions[$cloud]' | jq -c '.[]' | shuf -n 1 |jq -r .)"
 fi
 ;;
 
@@ -44,6 +46,7 @@ api_key_id="$(echo "${api_env_development}" | jq -r .api_key_id)"
 api_key_secret="$(echo "${api_env_development}" | jq -r .api_key_secret)"
 if [ "$cloud" != "" ]; then
   region="$(echo "${api_env_development}" | jq -rc --arg cloud $cloud '.regions[$cloud]' | jq -c '.[]' | shuf -n 1 |jq -r .)"
+  compliance_region="$(echo "${api_env_development}" | jq -rc --arg cloud $cloud '.compliance_regions[$cloud]' | jq -c '.[]' | shuf -n 1 |jq -r .)"
 fi
 ;;
 
@@ -85,7 +88,10 @@ if [ "${region}" == "" ]; then
   if [ "${region}" == "" ]; then
       echo "${cloud}_region input must be set when api_env is set to 'Custom'"
       exit 1
-    fi
+  fi
+
+  compliance_region="${region}"
+
 fi
 ;;
 esac
@@ -95,6 +101,8 @@ echo "organization_id=${organization_id}" >> $GITHUB_OUTPUT
 echo "api_key_id=${api_key_id}" >> $GITHUB_OUTPUT
 echo "api_key_secret=${api_key_secret}" >> $GITHUB_OUTPUT
 echo "region='${region}'"
+echo "compliance_region='${compliance_region}'"
 if [ "$region" != "" ]; then
   echo "region=${region}" >> $GITHUB_OUTPUT
+  echo "compliance_region=${compliance_region}" >> $GITHUB_OUTPUT
 fi

.github/workflows/e2e.yaml

@@ -91,6 +91,8 @@ jobs:
         uses: actions/checkout@v4
       - uses: ./.github/actions/list-examples
         id: list
+        with:
+          ignore: 'pci'
 
   # Run e2e tests
   e2e:
@@ -148,7 +150,7 @@ jobs:
           cloud_provider: ${{ matrix.test.cloud }}
           upgrade_test: "false"
           skip_build: "false"
-          region: ${{ steps.credentials.outputs.region }}
+          region: ${{ contains(fromJSON('["hipaa", "pci"]'), matrix.test.name) && steps.credentials.outputs.compliance_region || steps.credentials.outputs.region }}
           aws_role_arn: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
       - name: cleanup
         if: ${{ always() && matrix.test.cloud == 'aws' }}

docs/resources/service.md

@@ -56,6 +56,7 @@ resource "clickhouse_service" "service" {
 - `backup_configuration` (Attributes) Configuration of service backup settings. (see [below for nested schema](#nestedatt--backup_configuration))
 - `backup_id` (String) ID of the backup to restore when creating new service. If specified, the service will be created as a restore operation
 - `byoc_id` (String) BYOC ID related to the cloud provider account you want to create this service into.
+- `compliance_type` (String) Compliance type of the service. Can be 'hipaa', 'pci'. Required for organizations that wish to deploy their services in the hipaa/pci compliant environment. NOTE: hipaa/pci compliance should be enabled for your ClickHouse organization before using this field.
 - `double_sha1_password_hash` (String, Sensitive) Double SHA1 hash of password for connecting with the MySQL protocol. Cannot be specified if `password` is specified.
 - `encryption_assumed_role_identifier` (String) Custom role identifier ARN.
 - `encryption_key` (String) Custom encryption key ARN.

examples/full/hipaa/aws/README.md

@@ -0,0 +1,17 @@
+## AWS HIPAA compliant service example
+
+The Terraform code deploys following resources:
+- 1 ClickHouse HIPAA compliant service on AWS
+
+The ClickHouse HIPAA compliant service is available from anywhere.
+
+## How to run
+
+- Rename `variables.tfvars.sample` to `variables.tfvars` and fill in all needed data.
+- Run `terraform init`
+- Run `terraform <plan|apply> -var-file=variables.tfvars`
+
+
+## Important note
+
+HIPAA compliance should be enabled for your ClickHouse organization.

examples/full/hipaa/aws/main.tf

@@ -0,0 +1,85 @@
+variable "organization_id" {
+  type = string
+}
+
+variable "token_key" {
+  type = string
+}
+
+variable "token_secret" {
+  type = string
+}
+
+variable "service_name" {
+  type = string
+  default = "My Terraform Service"
+}
+
+variable "region" {
+  type = string
+  default = "us-east-2"
+}
+
+variable "release_channel" {
+  type = string
+  default = "default"
+  validation {
+    condition     = contains(["default", "fast", "slow"], var.release_channel)
+    error_message = "Release channel can be 'default', 'fast' or 'slow'."
+  }
+}
+
+data "clickhouse_api_key_id" "self" {
+}
+
+resource "clickhouse_service" "service" {
+  name                      = var.service_name
+  cloud_provider            = "aws"
+  region                    = var.region
+  release_channel           = var.release_channel
+  idle_scaling              = true
+  idle_timeout_minutes      = 5
+  password_hash             = "n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg=" # base64 encoded sha256 hash of "test"
+
+  ip_access = [
+    {
+      source      = "0.0.0.0"
+      description = "Anywhere"
+    }
+  ]
+
+  endpoints = {
+    mysql = {
+      enabled = true
+    }
+  }
+
+  query_api_endpoints = {
+    api_key_ids = [
+      data.clickhouse_api_key_id.self.id,
+    ]
+    roles = [
+      "sql_console_admin"
+    ]
+    allowed_origins = null
+  }
+
+  min_replica_memory_gb = 8
+  max_replica_memory_gb = 120
+
+  backup_configuration = {
+    backup_period_in_hours           = 24
+    backup_retention_period_in_hours = 24
+    backup_start_time                = null
+  }
+
+  compliance_type = "hipaa"
+}
+
+output "service_endpoints" {
+  value = clickhouse_service.service.endpoints
+}
+
+output "service_iam" {
+  value = clickhouse_service.service.iam_role
+}

examples/full/hipaa/aws/provider.tf

@@ -0,0 +1,15 @@
+# This file is generated automatically please do not edit
+terraform {
+  required_providers {
+    clickhouse = {
+      version = "3.5.1"
+      source  = "ClickHouse/clickhouse"
+    }
+  }
+}
+
+provider "clickhouse" {
+  organization_id = var.organization_id
+  token_key       = var.token_key
+  token_secret    = var.token_secret
+}

examples/full/hipaa/aws/provider.tf.template

@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    clickhouse = {
+      version = "${CLICKHOUSE_TERRAFORM_PROVIDER_VERSION}"
+      source  = "ClickHouse/clickhouse"
+    }
+  }
+}
+
+provider "clickhouse" {
+  organization_id = var.organization_id
+  token_key       = var.token_key
+  token_secret    = var.token_secret
+}

examples/full/hipaa/aws/variables.tfvars.sample

@@ -0,0 +1,4 @@
+# these keys are for example only and won't work when pointed to a deployed ClickHouse OpenAPI server
+organization_id = "aee076c1-3f83-4637-95b1-ad5a0a825b71"
+token_key       = "avhj1U5QCdWAE9CA9"
+token_secret    = "4b1dROiHQEuSXJHlV8zHFd0S7WQj7CGxz5kGJeJnca"

examples/full/hipaa/gcp/README.md

@@ -0,0 +1,17 @@
+## GCP HIPAA compliant service example
+
+The Terraform code deploys following resources:
+- 1 ClickHouse HIPAA compliant service on GCP
+
+The ClickHouse HIPAA compliant service is available from anywhere.
+
+## How to run
+
+- Rename `variables.tfvars.sample` to `variables.tfvars` and fill in all needed data.
+- Run `terraform init`
+- Run `terraform <plan|apply> -var-file=variables.tfvars`
+
+
+## Important note
+
+HIPAA compliance should be enabled for your ClickHouse organization.

examples/full/hipaa/gcp/main.tf

@@ -0,0 +1,83 @@
+variable "organization_id" {
+  type = string
+}
+
+variable "token_key" {
+  type = string
+}
+
+variable "token_secret" {
+  type = string
+}
+
+variable "service_name" {
+  type = string
+  default = "My Terraform Service"
+}
+
+variable "region" {
+  type = string
+  default = "us-central1"
+}
+
+variable "release_channel" {
+  type = string
+  default = "default"
+  validation {
+    condition     = contains(["default", "fast", "slow"], var.release_channel)
+    error_message = "Release channel can be 'default', 'fast' or 'slow'."
+  }
+}
+
+data "clickhouse_api_key_id" "self" {
+}
+
+resource "clickhouse_service" "service" {
+  name                      = var.service_name
+  cloud_provider            = "gcp"
+  region                    = var.region
+  release_channel           = var.release_channel
+  idle_scaling              = true
+  idle_timeout_minutes      = 5
+  password_hash             = "n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg=" # base64 encoded sha256 hash of "test"
+
+  ip_access = [
+    {
+      source      = "0.0.0.0"
+      description = "Anywhere"
+    }
+  ]
+
+  endpoints = {
+    mysql = {
+      enabled = true
+    }
+  }
+
+  query_api_endpoints = {
+    api_key_ids = [
+      data.clickhouse_api_key_id.self.id,
+    ]
+    roles = [
+      "sql_console_admin"
+    ]
+    allowed_origins = null
+  }
+
+  min_replica_memory_gb = 8
+  max_replica_memory_gb = 120
+
+  backup_configuration = {
+    backup_retention_period_in_hours = 48
+  }
+
+  compliance_type = "hipaa"
+}
+
+output "service_endpoints" {
+  value = clickhouse_service.service.endpoints
+}
+
+output "service_iam" {
+  value = clickhouse_service.service.iam_role
+}