Context-based restrictions to enhance security (#35)

* first CBR drop

* restructure

* restructure

* restructure

* move to module

* move to module

* smoothing

* smoothing

* smoothing

* rule syntax

* updated README

* rename variable and add description

Author: data-henrik

.gitignore

@@ -17,6 +17,7 @@ local_yaml
 *.tfvars
 .terraform
 *.tfstate*
+.terraform.lock.hcl
 
 #vim swap files
 [._]*.sw[a-p]

Architecture.png

@@ -6,7 +6,7 @@ The repository features a sample application that enables groups of users to upl
 
 Refer to [this tutorial](https://cloud.ibm.com/docs/solution-tutorials?topic=solution-tutorials-cloud-e2e-security) for instructions.
 
-![Architecture](Architecture.png)
+![Architecture](Architecture.svg)
 
 1. The user connects to the application.
 2. [App ID](https://cloud.ibm.com/catalog/services/AppID) secures the application and redirects the user to the authentication page. Users can sign up from there too.
@@ -36,12 +36,15 @@ Either create the Schematics workspace automatically by clicking this ["deploy l
 Configure all required variables:
 - **basename**: project basename which is used as prefix for names, e.g., secure-file-storage
 - **region** is where the resources will be deployed and the location of the existing Kubernetes cluster: us-south, eu-de, ...
-- **iks_cluster_name**: name of your existing (VPC-based) Kubernetes cluster
+- **iks_cluster_name**: name of your existing VPC-based Kubernetes cluster
 - **iks_namespace**: Kubernetes namespace into which to deploy the app. It will be created if it does not exist.
 - **resource_group** is the name of the IBM Cloud resource group where to deploy the services into.
 - **toolchain_registry_namespace**: The existing namespace in the Container Registry to use.
 - **toolchain_registry_region**: The Container Registry region
 - **toolchain_apikey**: An IBM Cloud API key to use for building the container image with the app, pushing it to the Container Registry, and deploying it to the Kubernetes cluster.
+- **deploy_cbr**: Indicates whether the CBR zones and rules should be deployed. `false` by default and can be set to `true`.
+- **cbr_enforcement_mode**: By default, the CBR rules are in `report` mode only. Change and set to `enforced` or `disabled`.
+- **cbr_homezone_iprange**: Can be set to the IP range of your home or bastion network. 
 
 Be sure to click "**Save**".
 
@@ -57,7 +60,7 @@ Next, optionally click "**Generate plan**" to verify everything would be working
 Go to the [toolchains](https://cloud.ibm.com/devops/toolchains) page. Make sure to be in the correct region. Click on the toolchain **secure-file-storage-toolchain**, then on the delivery pipeline **secure-file-storage-pipeline**. Finally, **Run Pipeline** and choose the manual trigger **manual-trigger-builddeploy** to build and deploy the app. You can click on the details of the pipeline run to see and examine the diagnostic logs.
 
 ### Uninstall
-The toolchain includes a trigger to uninstall the app. Click **Run Pipeline**, select the trigger **manual-trigger-uninstall** and run the pipeline. When it has finished, switch to the [Schematics workspace](https://cloud.ibm.com/schematics/workspaces) and select the action to **Destroy resources**. As an alternative, you could also select **Delete workspace** which removes the resources and the workspace.
+The toolchain includes a trigger to uninstall the app. Click **Run Pipeline**, select the trigger **manual-trigger-uninstall** and run the pipeline. When it has finished, switch to the [Schematics workspace](https://cloud.ibm.com/schematics/workspaces) and select the action to **Destroy resources**. Thereafter, select **Delete workspace** which removes the workspace itself. Only deleting the workspace keeps the resources.
 
 ## Code Structure
 The file for the Infrastructure as Code, the Continuous Delivery pipeline, and the app itself are organized in several directories.

Architecture.svg

@@ -0,0 +1,10 @@
+# CBR objects are integrated as optional module
+module "cbr_objects" {
+  count                = var.deploy_cbr ? 1 : 0
+  source               = "./cbr"
+  iks_cluster_name     = var.iks_cluster_name
+  cbr_enforcement_mode = var.cbr_enforcement_mode
+  cos                  = ibm_resource_instance.cos
+  keyprotect           = ibm_resource_instance.keyprotect
+  cbr_homezone_iprange = var.cbr_homezone_iprange
+}

Architecture_cbr.png

@@ -0,0 +1,155 @@
+# CBR rules
+# See https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cbr_rule
+# for the syntax and the following link for supported services:
+# https://cloud.ibm.com/docs/account?topic=account-context-restrictions-whatis#cbr-adopters
+# The rules cover resources from the mentioned tutorial.
+
+# COS access
+resource "ibm_cbr_rule" "cbr_rule_cos_k8s" {
+  contexts {
+    attributes {
+      name  = "networkZoneId"
+      value = ibm_cbr_zone.cbr_zone_k8s.id
+    }
+  }
+  contexts {
+    attributes {
+      name  = "networkZoneId"
+      value = ibm_cbr_zone.cbr_zone_homezone.id
+    }
+  }
+
+  description      = "restrict COS access, limit to cluster"
+  enforcement_mode = var.cbr_enforcement_mode
+  resources {
+    attributes {
+      name  = "accountId"
+      value = data.ibm_iam_account_settings.team_iam_account_settings.account_id
+    }
+    attributes {
+      name     = "serviceInstance"
+      operator = "stringEquals"
+      value    = var.cos.guid
+    }
+    attributes {
+      name     = "serviceName"
+      operator = "stringEquals"
+      value    = "cloud-object-storage"
+    }
+
+  }
+}
+
+# Access to the Container Registry and a specific namespace
+resource "ibm_cbr_rule" "cbr_rule_registry" {
+  contexts {
+    attributes {
+      name  = "networkZoneId"
+      value = ibm_cbr_zone.cbr_zone_k8s.id
+    }
+  }
+
+  description      = "restrict access to registry, limit to cluster"
+  enforcement_mode = var.cbr_enforcement_mode
+  resources {
+    attributes {
+      name  = "accountId"
+      value = data.ibm_iam_account_settings.team_iam_account_settings.account_id
+    }
+    attributes {
+      name     = "resourceType"
+      operator = "stringEquals"
+      value    = "namespace"
+    }
+    attributes {
+      name     = "resource"
+      operator = "stringEquals"
+      value    = "e2esec"
+    }
+    attributes {
+      name     = "serviceName"
+      operator = "stringEquals"
+      value    = "container-registry"
+    }
+
+  }
+}
+
+# access to Key Protect from
+# - IAM
+# - Kubernetes
+# - COS
+# - (App ID, not yet supported)
+resource "ibm_cbr_rule" "cbr_rule_kms" {
+  contexts {
+    attributes {
+      name  = "networkZoneId"
+      value = ibm_cbr_zone.cbr_zone_k8s.id
+    }
+  }
+  contexts {
+    attributes {
+      name  = "networkZoneId"
+      value = ibm_cbr_zone.cbr_zone_cos.id
+    }
+  }
+
+  description      = "restrict access to Key Protect"
+  enforcement_mode = var.cbr_enforcement_mode
+  resources {
+    attributes {
+      name  = "accountId"
+      value = data.ibm_iam_account_settings.team_iam_account_settings.account_id
+    }
+    attributes {
+      name     = "serviceInstance"
+      operator = "stringEquals"
+      value    = var.keyprotect.guid
+    }
+    attributes {
+      name     = "serviceName"
+      operator = "stringEquals"
+      value    = "kms"
+    }
+  }
+}
+
+
+
+# access to Kubernetes Cluster management API from
+# - IAM
+# - home / bastion zone
+resource "ibm_cbr_rule" "cbr_rule_k8s_mgmt" {
+  contexts {
+    attributes {
+      name  = "networkZoneId"
+      value = ibm_cbr_zone.cbr_zone_homezone.id
+    }
+  }
+
+  description      = "restrict access to Kubernetes management API"
+  enforcement_mode = var.cbr_enforcement_mode
+  operations {
+        api_types {
+            api_type_id = "crn:v1:bluemix:public:containers-kubernetes::::api-type:management"
+        }
+  }
+  resources {
+    attributes {
+      name  = "accountId"
+      value = data.ibm_iam_account_settings.team_iam_account_settings.account_id
+    }
+    attributes {
+      name     = "serviceInstance"
+      operator = "stringEquals"
+      value    = data.ibm_container_vpc_cluster.cluster.id
+    }
+    attributes {
+      name     = "serviceName"
+      operator = "stringEquals"
+      value    = "containers-kubernetes"
+    }
+
+
+  }
+}

README.md

@@ -0,0 +1,105 @@
+# CBR zones
+#
+# See https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cbr_zone
+# The zones relate to general areas and services defined as part of the 
+# IBM Cloud solution tutorial "Apply end to end security to a cloud application". 
+# https://cloud.ibm.com/docs/solution-tutorials?topic=solution-tutorials-cloud-e2e-security
+
+
+# Zone with the home network or for a bastion host
+resource "ibm_cbr_zone" "cbr_zone_homezone" {
+  account_id = data.ibm_iam_account_settings.team_iam_account_settings.account_id
+  addresses {
+    type  = "ipRange"
+    value = var.cbr_homezone_iprange
+  }
+  description = "Zone for typical home network"
+  name        = "cbr_zone_homenetwork"
+}
+
+# NOT NEEDED
+# Zone for the VPC that hosts the Kubernetes cluster
+#resource "ibm_cbr_zone" "cbr_zone_vpc" {
+#  account_id = data.ibm_iam_account_settings.team_iam_account_settings.account_id
+#  addresses {
+#    type  = "vpc"
+#    value = data.ibm_is_vpc.vpc.crn
+#  }
+#  description = "Zone with VPC of Kubernetes cluster"
+#  name        = "cbr_zone_vpc"
+#}
+
+# Zone with the Kubernetes cluster
+resource "ibm_cbr_zone" "cbr_zone_k8s" {
+  account_id = data.ibm_iam_account_settings.team_iam_account_settings.account_id
+  addresses {
+    type = "serviceRef"
+    ref {
+      account_id       = data.ibm_iam_account_settings.team_iam_account_settings.account_id
+      service_instance = data.ibm_container_vpc_cluster.cluster.id
+      service_name     = "containers-kubernetes"
+    }
+  }
+  description = "Zone with the Kubernetes cluster"
+  name        = "cbr_zone_k8s"
+}
+
+# Zone with the COS service
+resource "ibm_cbr_zone" "cbr_zone_cos" {
+  account_id = data.ibm_iam_account_settings.team_iam_account_settings.account_id
+  addresses {
+    type = "serviceRef"
+    ref {
+      account_id       = data.ibm_iam_account_settings.team_iam_account_settings.account_id
+      service_instance = var.cos.guid
+      service_name     = "cloud-object-storage"
+    }
+  }
+  description = "Zone with COS"
+  name        = "cbr_zone_cos"
+}
+
+# Key Protect service zone
+# not yet supported as zone
+/* resource "ibm_cbr_zone" "cbr_zone_kms" {
+  account_id = data.ibm_iam_account_settings.team_iam_account_settings.account_id
+  addresses {
+    type = "serviceRef"
+    ref {
+      account_id       = data.ibm_iam_account_settings.team_iam_account_settings.account_id
+      service_instance = data.terraform_remote_state.e2e-resources.outputs.keyprotect.guid
+      service_name     = "kms"
+      location = data.terraform_remote_state.e2e-resources.outputs.keyprotect.location
+    }
+  }
+  description = "Zone with Key Protect"
+  name        = "cbr_zone_kms"
+} */
+
+# Service zone for IAM group management
+resource "ibm_cbr_zone" "cbr_zone_iam_groups" {
+  account_id = data.ibm_iam_account_settings.team_iam_account_settings.account_id
+  addresses {
+    type = "serviceRef"
+    ref {
+      account_id = data.ibm_iam_account_settings.team_iam_account_settings.account_id
+      service_name = "iam-groups"
+    }
+  }
+  description = "Zone for IAM groups"
+  name        = "cbr_zone_iam_groups"
+}
+
+# Service zone for IAM user management
+resource "ibm_cbr_zone" "cbr_zone_iam_users" {
+  account_id = data.ibm_iam_account_settings.team_iam_account_settings.account_id
+  addresses {
+    type = "serviceRef"
+    ref {
+      account_id = data.ibm_iam_account_settings.team_iam_account_settings.account_id
+      service_name = "user-management"
+    }
+  }
+  description = "Zone for IAM user management"
+  name        = "cbr_zone_users"
+}

terraform/cbr.tf

@@ -0,0 +1,8 @@
+# Retrieve the account ID to be used in the CBR objects
+data "ibm_iam_account_settings" "team_iam_account_settings" {
+}
+
+# Locate Kubernetes cluster in VPC
+data "ibm_container_vpc_cluster" "cluster" {
+  name = var.iks_cluster_name
+}

terraform/cbr/cbr-rules.tf

@@ -0,0 +1,22 @@
+# configure the enforcement mode for CBR
+variable "cbr_enforcement_mode" {
+  default = "report"
+}
+
+# define a homezone or bastion zone
+# change the setting in tfvars
+variable "cbr_homezone_iprange" {
+  default = "0.0.0.0-255.255.255.255"
+}
+
+variable "iks_cluster_name" {
+  description = "Name of the existing Kubernetes cluster to deploy into"
+  default     = "secure-file-storage-cluster"
+}
+
+# Variables to hold information about resource instances
+variable "cos" {
+}
+
+variable "keyprotect" {
+}