Several optional input variables in the IBM Cloud Activity Tracker deployable architecture use complex object types. You specify these inputs when you configure deployable architecture.
- Context-Based Restrictions Rules (
cbr_rules)
The cbr_rules input variable allows you to provide a rule for the target service to enforce access restrictions for the service based on the context of access requests. Contexts are criteria that include the network location of access requests, the endpoint type from where the request is sent, etc.
- Variable name:
cbr_rules. - Type: A list of objects. Allows only one object representing a rule for the target service
- Default value: An empty list (
[]).
-
description(required): The description of the rule to create.Learn more -
account_id(required): The IBM Cloud Account ID -
region(optional): The region where the CBR rule applies to the Activity Tracker Event Routing service. If not specified, the rule applies to all regions. -
rule_contexts(required): (List) The contexts the rule applies toattributes(optional): (List) Individual context attributesname(required): The attribute name.value(required): The attribute value.
-
enforcement_mode(required): The rule enforcement mode can have the following values:enabled- The restrictions are enforced and reported. This is the default.disabled- The restrictions are disabled. Nothing is enforced or reported.report- The restrictions are evaluated and reported, but not enforced.
The following example defines a Context-Based Restrictions (CBR) rule that restricts access to a Activity Tracker instance in a specific IBM Cloud account, based on contextual attributes like network zone and endpoint type.
[
{
description = "Activity Tracker can be accessed from xyz"
account_id = "<REPLACE ME>"
rule_contexts= [{
attributes = [{
name : "endpointType",
value : "private"
},{
name = "networkZoneId"
value = "<REPLACE ME>"
}]
}]
enforcement_mode = "enabled"
}
]