Skip to content

feat: fully configurable app config da #212

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 20 commits into from
May 8, 2025
Merged

feat: fully configurable app config da #212

Show file tree
Hide file tree
Changes from 18 commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
9e50017
feat: #13296 Fully Configurable DA
mukulpalit-ibm Apr 21, 2025
0ffb7b1
SKIP UPGRADE TEST
mukulpalit-ibm Apr 22, 2025
9eca92f
Update catalog.json and SKIP UPGRADE TEST
mukulpalit-ibm Apr 22, 2025
a85734e
Update variables.tf and SKIP UPGRADE TEST
mukulpalit-ibm Apr 22, 2025
0d1cf8e
Update readme
mukulpalit-ibm Apr 22, 2025
037ac17
PR changes
mukulpalit-ibm Apr 28, 2025
c96421d
Update App config Icon
mukulpalit-ibm Apr 28, 2025
03f1198
update offering name
mukulpalit-ibm Apr 28, 2025
41996c4
testing tile
mukulpalit-ibm Apr 28, 2025
e2bfaee
Restore Image URL
mukulpalit-ibm Apr 28, 2025
b953419
PR changes
mukulpalit-ibm May 2, 2025
4b971d6
update architecture features
mukulpalit-ibm May 2, 2025
6d6d0db
Merge main
mukulpalit-ibm May 6, 2025
2cd92b5
Added Configuration Aggregator feature to DA
mukulpalit-ibm May 7, 2025
1b3595f
generate test tile
mukulpalit-ibm May 7, 2025
ead5b8a
restore URL
mukulpalit-ibm May 7, 2025
c6bdcde
update prefix validation
mukulpalit-ibm May 7, 2025
b26fcb7
update README
mukulpalit-ibm May 7, 2025
a9bab71
PR changes
mukulpalit-ibm May 8, 2025
9dc4576
making advanced examples to standard plan
mukulpalit-ibm May 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions .catalog-onboard-pipeline.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
---
apiVersion: v1
offerings:
- name: deploy-arch-ibm-apprapp
kind: solution
catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd
offering_id: 045c1169-d15a-4046-ae81-aa3d3348421f
variations:
- name: fully-configurable
mark_ready: true
install_type: fullstack
scc:
instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
region: us-south
scope_resource_group_var_name: existing_resource_group_name
3 changes: 3 additions & 0 deletions .releaserc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@
}],
["@semantic-release/exec", {
"successCmd": "echo \"SEMVER_VERSION=${nextRelease.version}\" >> $GITHUB_ENV"
}],
["@semantic-release/exec",{
"publishCmd": "./ci/trigger-catalog-onboarding-pipeline.sh --version=v${nextRelease.version}"
}]
]
}
4 changes: 2 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ For more information on access and permissions, see <https://cloud.ibm.com/docs/
|------|-------------|------|---------|:--------:|
| <a name="input_app_config_collections"></a> [app\_config\_collections](#input\_app\_config\_collections) | A list of collections to be added to the App Configuration instance | <pre>list(object({<br/> name = string<br/> collection_id = string<br/> description = optional(string, null)<br/> tags = optional(string, null)<br/> }))</pre> | `[]` | no |
| <a name="input_app_config_name"></a> [app\_config\_name](#input\_app\_config\_name) | Name for the App Configuration service instance | `string` | n/a | yes |
| <a name="input_app_config_plan"></a> [app\_config\_plan](#input\_app\_config\_plan) | Plan for the App Configuration service instance, valid plans are lite, standardv2, and enterprise. | `string` | `"lite"` | no |
| <a name="input_app_config_plan"></a> [app\_config\_plan](#input\_app\_config\_plan) | Plan for the App Configuration service instance, valid plans are lite, basic, standardv2, and enterprise. | `string` | `"lite"` | no |
| <a name="input_app_config_service_endpoints"></a> [app\_config\_service\_endpoints](#input\_app\_config\_service\_endpoints) | Service Endpoints for the App Configuration service instance, valid endpoints are public or public-and-private. | `string` | `"public-and-private"` | no |
| <a name="input_app_config_tags"></a> [app\_config\_tags](#input\_app\_config\_tags) | Optional list of tags to be added to the App Config instance. | `list(string)` | `[]` | no |
| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create. | <pre>list(object({<br/> description = string<br/> account_id = string<br/> tags = optional(list(object({<br/> name = string<br/> value = string<br/> })), [])<br/> rule_contexts = list(object({<br/> attributes = optional(list(object({<br/> name = string<br/> value = string<br/> }))) }))<br/> enforcement_mode = string<br/> }))</pre> | `[]` | no |
Expand All @@ -116,7 +116,7 @@ For more information on access and permissions, see <https://cloud.ibm.com/docs/
| <a name="input_config_aggregator_resource_collection_regions"></a> [config\_aggregator\_resource\_collection\_regions](#input\_config\_aggregator\_resource\_collection\_regions) | From which region do you want to collect configuration data? Only applies if `enable_config_aggregator` is set to true. | `list(string)` | <pre>[<br/> "all"<br/>]</pre> | no |
| <a name="input_config_aggregator_trusted_profile_name"></a> [config\_aggregator\_trusted\_profile\_name](#input\_config\_aggregator\_trusted\_profile\_name) | The name to give the trusted profile that will be created if `enable_config_aggregator` is set to `true`. | `string` | `"config-aggregator-trusted-profile"` | no |
| <a name="input_enable_config_aggregator"></a> [enable\_config\_aggregator](#input\_enable\_config\_aggregator) | Set to true to enable configuration aggregator. By setting to true a trusted profile will be created with the required access to record configuration data from all resources across regions in your account. [Learn more](https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator). | `bool` | `false` | no |
| <a name="input_region"></a> [region](#input\_region) | The region to provision the App Configuration service, valid regions are us-south, us-east, eu-gb, and au-syd. | `string` | `"us-south"` | no |
| <a name="input_region"></a> [region](#input\_region) | The region to provision the App Configuration service, valid regions are au-syd, jp-osa, jp-tok, eu-de, eu-gb, eu-es, us-east, us-south, ca-tor, br-sao. | `string` | `"us-south"` | no |
| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where resources will be provisioned. | `string` | n/a | yes |

### Outputs
Expand Down
1 change: 1 addition & 0 deletions examples/advanced/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@ module "app_config" {
app_config_name = "${var.prefix}-app-config"
app_config_tags = var.resource_tags
enable_config_aggregator = true # See https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator
app_config_plan = var.app_config_plan
app_config_collections = [
{
name = "${var.prefix}-collection",
Expand Down
6 changes: 6 additions & 0 deletions examples/advanced/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,3 +27,9 @@ variable "resource_tags" {
description = "Optional list of tags to be added to created resources"
default = []
}

variable "app_config_plan" {
type = string
description = "Plan for the App Configuration service instance, valid plans are lite, basic, standardv2, and enterprise."
default = "basic"
}
1 change: 1 addition & 0 deletions examples/basic/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,4 +20,5 @@ module "app_config" {
region = var.region
app_config_name = "${var.prefix}-app-config"
app_config_tags = var.resource_tags
app_config_plan = var.app_config_plan
}
6 changes: 6 additions & 0 deletions examples/basic/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,3 +31,9 @@ variable "resource_tags" {
description = "Optional list of tags to be added to created resources"
default = []
}

variable "app_config_plan" {
type = string
description = "Plan for the App Configuration service instance, valid plans are lite, basic, standardv2, and enterprise."
default = "basic"
}
248 changes: 248 additions & 0 deletions ibm_catalog.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,248 @@
{
"products": [
{
"name": "deploy-arch-ibm-apprapp",
"label": "Cloud automation for App Configuration",
"product_kind": "solution",
"tags": [
"devops",
"integration",
"ibm_created",
"terraform",
"solution",
"support_ibm"
],
"keywords": [
"terraform",
"appconfig",
"app configuration",
"solution",
"IaC",
"infrastructure as code"
],
"short_description": "Creates and configures an App Configuration service on IBM Cloud",
"long_description": "This deployable architecture automates the provisioning of IBM Cloud App Configuration along with initial collection to help you manage feature flags and dynamic properties at scale. It also includes support for configuration aggregators, enabling centralized monitoring and management of configurations across multiple App Configuration instances. It simplifies onboarding by preconfiguring key resources and provides support for defining context-based restrictions (CBR) to enhance security and control access based on network policies. Ideal for teams adopting feature flagging, experimentation, or remote configuration strategies in cloud-native applications, this solution accelerates setup while following IBM Cloud best practices. Refer [this](https://cloud.ibm.com/docs/app-configuration) for more information.",
"offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-app-configuration/blob/main/README.md",
"offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-app-configuration/main/images/app_config-icon.png",
"provider_name": "IBM",
"features": [
{
"title": "Provision Collection",
"description": "Supports creation of collection to help manage feature flags and dynamic properties at scale."
},
{
"title": "CBR Enhanced Security",
"description": "Provides support for defining context-based restrictions (CBR) to enhance security and control access based on network policies."
},
{
"title": "Configuration Aggregator",
"description": "Supports creation and management of configuration aggregator to manage configurations across multiple App Configuration instances."
}
],
"support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [https://github.com/terraform-ibm-modules/terraform-ibm-app-configuration/issues](https://github.com/terraform-ibm-modules/terraform-ibm-app-configuration/issues). Please note this product is not supported via the IBM Cloud Support Center.",
"flavors": [
{
"label": "Fully configurable",
"name": "fully-configurable",
"install_type": "fullstack",
"working_directory": "solutions/fully-configurable",
"compliance": {
"authority": "scc-v3",
"profiles": [
{
"profile_name": "IBM Cloud Framework for Financial Services",
"profile_version": "1.7.0"
}
]
},
"configuration": [
{
"key": "ibmcloud_api_key"
},
{
"key": "prefix",
"required": true
},
{
"key": "existing_resource_group_name",
"required": true,
"custom_config": {
"type": "resource_group",
"grouping": "deployment",
"original_grouping": "deployment",
"config_constraints": {
"identifier": "rg_name"
}
}
},
{
"key": "region",
"required": true,
"options": [
{
"displayname": "Osaka (jp-osa)",
"value": "jp-osa"
},
{
"displayname": "Sydney (au-syd)",
"value": "au-syd"
},
{
"displayname": "Tokyo (jp-tok)",
"value": "jp-tok"
},
{
"displayname": "Frankfurt (eu-de)",
"value": "eu-de"
},
{
"displayname": "London (eu-gb)",
"value": "eu-gb"
},
{
"displayname": "Madrid (eu-es)",
"value": "eu-es"
},
{
"displayname": "Dallas (us-south)",
"value": "us-south"
},
{
"displayname": "Toronto (ca-tor)",
"value": "ca-tor"
},
{
"displayname": "Washington DC (us-east)",
"value": "us-east"
},
{
"displayname": "Sao Paulo (br-sao)",
"value": "br-sao"
}
]
},
{
"key": "app_config_name",
"required": true
},
{
"key": "app_config_plan",
"required": true,
"options": [
{
"displayname": "lite",
"value": "lite"
},
{
"displayname": "basic",
"value": "basic"
},
{
"displayname": "standard",
"value": "standardv2"
},
{
"displayname": "enterprise",
"value": "enterprise"
}
]
},
{
"key": "app_config_service_endpoints",
"required": true,
"options": [
{
"displayname": "public",
"value": "public"
},
{
"displayname": "public-and-private",
"value": "public-and-private"
}
]
},
{
"key": "app_config_collections"
},
{
"key": "app_config_tags"
},
{
"key": "enable_config_aggregator"
},
{
"key": "config_aggregator_trusted_profile_name"
},
{
"key": "config_aggregator_resource_collection_regions"
},
{
"key": "config_aggregator_enterprise_id"
},
{
"key": "config_aggregator_enterprise_trusted_profile_name"
},
{
"key": "config_aggregator_enterprise_trusted_profile_template_name"
},
{
"key": "config_aggregator_enterprise_account_group_ids_to_assign"
},
{
"key": "app_config_cbr_rules"
},
{
"key": "provider_visibility",
"hidden": true,
"options": [
{
"displayname": "private",
"value": "private"
},
{
"displayname": "public",
"value": "public"
},
{
"displayname": "public-and-private",
"value": "public-and-private"
}
]
}
],
"architecture": {
"descriptions": "This architecture supports creating and configuring an IBM Cloud App Configuration",
"features": [
{
"title": "App Configuration instance with Collections",
"description": "Creates App Configuration instance. Collections can be created and configured for the instance"
},
{
"title": "Use existing resource group",
"description": "Supports deployment into an existing IBM Cloud resource group."
},
{
"title": "CBR Enhanced Security",
"description": "Enforces network-based access control through context-based restrictions (CBR) rules."
},
{
"title": "Configuration Aggregator",
"description": "Enables the creation and management of configuration aggregator to consolidate and monitor configurations across multiple App Configuration instances."
}
],
"diagrams": [
{
"diagram": {
"caption": "App Configuration",
"url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-app-configuration/main/reference-architecture/app_configuration.svg",
"type": "image/svg+xml"
},
"description": "**App Configuration on IBM Cloud** <br/> <br/> <b>Description</b> <br/> This architecture automates the setup of IBM Cloud App Configuration. The modular design includes the creation of a collection to streamline the management of feature flags and properties, consolidation of multiple App Cpnfiguration instances via configuration aggregator and optionally integrates context-based restrictions (CBR) to improve access control and align with your network security policies."
}
]
}
}
]
}
]
}
Binary file added images/app_config-icon.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
4 changes: 4 additions & 0 deletions reference-architecture/app_configuration.svg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
55 changes: 55 additions & 0 deletions solutions/fully-configurable/DA-cbr_rules.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
# Configuring context-based restrictions (CBRs)

The `app_config_cbr_rules` input variable allows you to provide a rule for the target service to enforce access restrictions for the service based on the context of access requests. Contexts are criteria that include the network location of access requests, the endpoint type from where the request is sent, etc.

- Variable name: `app_config_cbr_rules`.
- Type: A list of objects. Allows only one object representing a rule for the target service
- Default value: An empty list (`[]`).

### Options for app_config_cbr_rules

- `description` (required): The description of the rule to create.
- `account_id` (required): The IBM Cloud Account ID
- `tag` (optional): (List) The tags related to CBR rules
- `rule_contexts` (required): (List) The contexts the rule applies to
- `attributes` (optional): (List) Individual context attributes
- `name` (required): The attribute name.
- `value`(required): The attribute value.

- `enforcement_mode` (required): The rule enforcement mode can have the following values:
- `enabled` - The restrictions are enforced and reported. This is the default.
- `disabled` - The restrictions are disabled. Nothing is enforced or reported.
- `report` - The restrictions are evaluated and reported, but not enforced.


### Example Rule For context-based restrictions configuration

```hcl
[
{
description = "Restrict access to App Config from trusted network"
account_id = "<AccountID>"
enforcement_mode = "enabled"
tags = [
{
name = "env"
value = "dev"
}
]
rule_contexts = [
{
attributes = [
{
name = "networkZoneId"
value = "<NetworkZoneID>"
},
{
"name" : "endpointType",
"value" : "private"
}
]
}
]
}
]
```
Loading