diff --git a/README.md b/README.md index c01146e..e0a6cef 100644 --- a/README.md +++ b/README.md @@ -88,7 +88,7 @@ For more information on access and permissions, see [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.31.0 | | [config\_aggregator\_trusted\_profile](#module\_config\_aggregator\_trusted\_profile) | terraform-ibm-modules/trusted-profile/ibm | 3.0.0 | | [config\_aggregator\_trusted\_profile\_enterprise](#module\_config\_aggregator\_trusted\_profile\_enterprise) | terraform-ibm-modules/trusted-profile/ibm | 3.0.0 | -| [config\_aggregator\_trusted\_profile\_template](#module\_config\_aggregator\_trusted\_profile\_template) | terraform-ibm-modules/trusted-profile/ibm//modules/trusted-profile-template | 3.0.0 | +| [config\_aggregator\_trusted\_profile\_template](#module\_config\_aggregator\_trusted\_profile\_template) | terraform-ibm-modules/trusted-profile/ibm//modules/trusted-profile-template | 3.1.0 | ### Resources @@ -110,6 +110,7 @@ For more information on access and permissions, see [app\_config\_tags](#input\_app\_config\_tags) | Optional list of tags to be added to the App Config instance. | `list(string)` | `[]` | no | | [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create. |
list(object({
description = string
account_id = string
tags = optional(list(object({
name = string
value = string
})), [])
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
}))
| `[]` | no | | [config\_aggregator\_enterprise\_account\_group\_ids\_to\_assign](#input\_config\_aggregator\_enterprise\_account\_group\_ids\_to\_assign) | A list of enterprise account group IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all account groups. Only applies if `enable_config_aggregator` is true and a value is being passed for `config_aggregator_enterprise_id`. | `list(string)` |
[
"all"
]
| no | +| [config\_aggregator\_enterprise\_account\_ids\_to\_assign](#input\_config\_aggregator\_enterprise\_account\_ids\_to\_assign) | A list of enterprise account IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all accounts. Only applies if `enable_config_aggregator` is true and a value is being passed for `config_aggregator_enterprise_id`. | `list(string)` | `[]` | no | | [config\_aggregator\_enterprise\_id](#input\_config\_aggregator\_enterprise\_id) | If the account is an enterprise account, this value should be set to the enterprise ID (NOTE: This is different to the account ID). | `string` | `null` | no | | [config\_aggregator\_enterprise\_trusted\_profile\_name](#input\_config\_aggregator\_enterprise\_trusted\_profile\_name) | The name to give the enterprise viewer trusted profile with that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. | `string` | `"config-aggregator-enterprise-trusted-profile"` | no | | [config\_aggregator\_enterprise\_trusted\_profile\_template\_name](#input\_config\_aggregator\_enterprise\_trusted\_profile\_template\_name) | The name to give the trusted profile template that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. | `string` | `"config-aggregator-trusted-profile-template"` | no | diff --git a/ibm_catalog.json b/ibm_catalog.json index 53148f4..b9edaa3 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -192,6 +192,9 @@ { "key": "config_aggregator_enterprise_account_group_ids_to_assign" }, + { + "key": "config_aggregator_enterprise_account_ids_to_assign" + }, { "key": "app_config_cbr_rules" }, diff --git a/main.tf b/main.tf index 4b4d371..0cf47b8 100644 --- a/main.tf +++ b/main.tf 
@@ -135,15 +135,22 @@ module "config_aggregator_trusted_profile_enterprise" {
 
 # If enterprise account, create trusted profile template
 module "config_aggregator_trusted_profile_template" {
- count = var.enable_config_aggregator && var.config_aggregator_enterprise_id != null ? 1 : 0
- source = "terraform-ibm-modules/trusted-profile/ibm//modules/trusted-profile-template"
- version = "3.0.0"
- template_name = var.config_aggregator_enterprise_trusted_profile_template_name
- template_description = "Trusted Profile template for App Configuration instance ${ibm_resource_instance.app_config.guid} with required access for configuration aggregator"
- profile_name = var.config_aggregator_trusted_profile_name
- profile_description = "Trusted Profile for App Configuration instance ${ibm_resource_instance.app_config.guid} with required access for configuration aggregator"
- identity_crn = ibm_resource_instance.app_config.crn
+ count = var.enable_config_aggregator && var.config_aggregator_enterprise_id != null ? 1 : 0
+ source = "terraform-ibm-modules/trusted-profile/ibm//modules/trusted-profile-template"
+ version = "3.1.0"
+ template_name = var.config_aggregator_enterprise_trusted_profile_template_name
+ template_description = "Trusted Profile template for App Configuration instance ${ibm_resource_instance.app_config.guid} with required access for configuration aggregator"
+ profile_name = var.config_aggregator_trusted_profile_name
+ profile_description = "Trusted Profile for App Configuration instance ${ibm_resource_instance.app_config.guid} with required access for configuration aggregator"
+ identities = [
+ {
+ type = "crn"
+ iam_id = "crn-${ibm_resource_instance.app_config.crn}"
+ identifier = ibm_resource_instance.app_config.crn
+ }
+ ]
 account_group_ids_to_assign = var.config_aggregator_enterprise_account_group_ids_to_assign
+ account_ids_to_assign = var.config_aggregator_enterprise_account_ids_to_assign
 policy_templates = [
 {
 name = "identity-access"
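Review bot: Nothing in the new `account_ids_to_assign` line or the existing `account_group_ids_to_assign` line prevents both lists from being empty, in which case the trusted profile template and its `identity-access` policy are still created under the enterprise but presumably assigned to no account, so no member account is scanned and the apply reports success. The removed solution README lists `terraform >= 1.9.0`, which permits cross-variable references in `validation`, so a guard such as `condition = var.config_aggregator_enterprise_id == null || length(var.config_aggregator_enterprise_account_group_ids_to_assign) > 0 || length(var.config_aggregator_enterprise_account_ids_to_assign) > 0` on one of the two variables would surface this at plan time instead. The `iam_id = "crn-${ibm_resource_instance.app_config.crn}"` line also deserves a comment such as `# IAM identity ID of a CRN-type identity is the CRN prefixed with "crn-"`, since the prefix reads like a typo; I am assuming this is the form trusted-profile-template 3.1.0 expects, so please confirm against its docs. The `config_aggregator_trusted_profile_template` module block continues past the end of the hunk (`policy_templates` is cut off).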
diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index d6e8f90..b4c8f7b 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md @@ -1,6 +1,6 @@ # Cloud automation for App Configuration -### Configuration +[![Catalog release](https://img.shields.io/badge/release-IBM%20Cloud%20Catalog-3662FF?logo=ibm)](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-apprapp-045c1169-d15a-4046-ae81-aa3d3348421f-global) This solution supports provisioning and configuring the following infrastructure: @@ -8,58 +8,4 @@ This solution supports provisioning and configuring the following infrastructure - Optional context-based restrictions (CBR) - Configuration aggregator -![app-configuration-deployable-architecture](../../reference-architecture/app_configuration.svg) - - - -### Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.0 | -| [ibm](#requirement\_ibm) | 1.78.3 | - -### Modules - -| Name | Source | Version | -|------|--------|---------| -| [app\_config](#module\_app\_config) | ../.. | n/a | -| [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.2.0 | - -### Resources - -No resources. - -### Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [app\_config\_cbr\_rules](#input\_app\_config\_cbr\_rules) | (Optional, list) A list of context-based restrictions rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-app-configuration/tree/main/solutions/fully-configurable/DA-cbr_rules.md). |
list(object({
description = string
account_id = string
tags = optional(list(object({
name = string
value = string
})), [])
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
}))
| `[]` | no | -| [app\_config\_collections](#input\_app\_config\_collections) | (Optional, list) A list of collections to be added to the App Configuration instance. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-app-configuration/tree/main/solutions/fully-configurable/DA-collections.md). |
list(object({
name = string
collection_id = string
description = optional(string, null)
tags = optional(string, null)
}))
| `[]` | no | -| [app\_config\_name](#input\_app\_config\_name) | Name for the App Configuration service instance | `string` | `"app-config"` | no | -| [app\_config\_plan](#input\_app\_config\_plan) | Plan for the App Configuration service instance | `string` | `"standardv2"` | no | -| [app\_config\_service\_endpoints](#input\_app\_config\_service\_endpoints) | Service Endpoints for the App Configuration service instance, valid endpoints are public or public-and-private. | `string` | `"public-and-private"` | no | -| [app\_config\_tags](#input\_app\_config\_tags) | Optional list of tags to be added to the App Config instance. | `list(string)` | `[]` | no | -| [config\_aggregator\_enterprise\_account\_group\_ids\_to\_assign](#input\_config\_aggregator\_enterprise\_account\_group\_ids\_to\_assign) | A list of enterprise account group IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all account groups. Only applies if `enable_config_aggregator` is true and a value is being passed for `config_aggregator_enterprise_id`. | `list(string)` |
[
"all"
]
| no | -| [config\_aggregator\_enterprise\_id](#input\_config\_aggregator\_enterprise\_id) | If the account is an enterprise account, this value should be set to the enterprise ID (NOTE: This is different to the account ID). | `string` | `null` | no | -| [config\_aggregator\_enterprise\_trusted\_profile\_name](#input\_config\_aggregator\_enterprise\_trusted\_profile\_name) | The name to give the enterprise viewer trusted profile with that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"config-aggregator-enterprise-trusted-profile"` | no | -| [config\_aggregator\_enterprise\_trusted\_profile\_template\_name](#input\_config\_aggregator\_enterprise\_trusted\_profile\_template\_name) | The name to give the trusted profile template that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"config-aggregator-trusted-profile-template"` | no | -| [config\_aggregator\_resource\_collection\_regions](#input\_config\_aggregator\_resource\_collection\_regions) | From which region do you want to collect configuration data? Only applies if `enable_config_aggregator` is set to true. | `list(string)` |
[
"all"
]
| no | -| [config\_aggregator\_trusted\_profile\_name](#input\_config\_aggregator\_trusted\_profile\_name) | The name to give the trusted profile that will be created if `enable_config_aggregator` is set to `true`. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"config-aggregator-trusted-profile"` | no | -| [enable\_config\_aggregator](#input\_enable\_config\_aggregator) | Set to true to enable configuration aggregator. By setting to true a trusted profile will be created with the required access to record configuration data from all resources across regions in your account. [Learn more](https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator). | `bool` | `false` | no | -| [existing\_resource\_group\_name](#input\_existing\_resource\_group\_name) | The name of an existing resource group to provision resource in. | `string` | `"Default"` | no | -| [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key used to provision resources. | `string` | n/a | yes | -| [prefix](#input\_prefix) | The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: prod-us-south. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-app-configuration/tree/main/solutions/fully-configurable/DA-prefix.md). | `string` | n/a | yes | -| [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). 
| `string` | `"private"` | no | -| [region](#input\_region) | The region to provision resources to. | `string` | `"us-south"` | no | - -### Outputs - -| Name | Description | -|------|-------------| -| [app\_config\_account\_id](#output\_app\_config\_account\_id) | Account ID of the App Configuration instance | -| [app\_config\_collection\_ids](#output\_app\_config\_collection\_ids) | List of IDs for the collections in the App Configuration instance | -| [app\_config\_crn](#output\_app\_config\_crn) | CRN of the App Configuration instance | -| [app\_config\_guid](#output\_app\_config\_guid) | GUID of the App Configuration instance | -| [app\_config\_id](#output\_app\_config\_id) | ID of the App Configuration instance | - +:exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers). diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 170bae7..ce19a04 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -30,5 +30,6 @@ module "app_config" { config_aggregator_enterprise_trusted_profile_name = "${local.prefix}${var.config_aggregator_enterprise_trusted_profile_name}" config_aggregator_enterprise_trusted_profile_template_name = "${local.prefix}${var.config_aggregator_enterprise_trusted_profile_template_name}" config_aggregator_enterprise_account_group_ids_to_assign = var.config_aggregator_enterprise_account_group_ids_to_assign + config_aggregator_enterprise_account_ids_to_assign = var.config_aggregator_enterprise_account_ids_to_assign cbr_rules = var.app_config_cbr_rules } diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 6767f37..51f35b6 100644 
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -181,6 +181,18 @@ variable "config_aggregator_enterprise_account_group_ids_to_assign" {
 }
 }
 
+variable "config_aggregator_enterprise_account_ids_to_assign" {
+ type = list(string)
+ default = []
+ description = "A list of enterprise account IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all accounts. Only applies if `enable_config_aggregator` is true and a value is being passed for `config_aggregator_enterprise_id`."
+ nullable = false
+
+ validation {
+ condition = contains(var.config_aggregator_enterprise_account_ids_to_assign, "all") ? length(var.config_aggregator_enterprise_account_ids_to_assign) == 1 : true
+ error_message = "When specifying 'all' in the list, you cannot add any other values to the list"
+ }
+}
+
 ##############################################################
 # Context-based restriction (CBR)
 ##############################################################
diff --git a/variables.tf b/variables.tf
index 6644554..a964c3d 100644
--- a/variables.tf
+++ b/variables.tf
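Review bot: The new `validation` block only enforces that `'all'` appears alone; an empty string, a whitespace-only entry, or a duplicated account ID passes validation and is forwarded unchanged through `solutions/fully-configurable/main.tf` into the template assignment, where it presumably fails at apply time (or assigns the same account twice) instead of at plan. A second `validation` block would catch this early: `condition = alltrue([for id in var.config_aggregator_enterprise_account_ids_to_assign : trimspace(id) != ""]) && length(distinct(var.config_aggregator_enterprise_account_ids_to_assign)) == length(var.config_aggregator_enterprise_account_ids_to_assign)` with `error_message = "Account IDs must be non-empty and unique"`. The existing condition also reads more directly without the ternary, as `condition = !contains(var.config_aggregator_enterprise_account_ids_to_assign, "all") || length(var.config_aggregator_enterprise_account_ids_to_assign) == 1`.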
@@ -153,6 +153,18 @@ variable "config_aggregator_enterprise_account_group_ids_to_assign" {
 }
 }
 
+variable "config_aggregator_enterprise_account_ids_to_assign" {
+ type = list(string)
+ default = []
+ description = "A list of enterprise account IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all accounts. Only applies if `enable_config_aggregator` is true and a value is being passed for `config_aggregator_enterprise_id`."
+ nullable = false
+
+ validation {
+ condition = contains(var.config_aggregator_enterprise_account_ids_to_assign, "all") ? length(var.config_aggregator_enterprise_account_ids_to_assign) == 1 : true
+ error_message = "When specifying 'all' in the list, you cannot add any other values to the list"
+ }
+}
+
 ##############################################################
 # Context-based restriction (CBR)
 ##############################################################
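Review bot: This root-module variable is the one that actually gates what `module.config_aggregator_trusted_profile_template` receives (the solution only forwards its own copy), yet its `validation` accepts empty strings, whitespace-only entries and duplicate account IDs, which would reach the IAM template assignment unchecked. Add a second `validation` block here at minimum: `condition = alltrue([for id in var.config_aggregator_enterprise_account_ids_to_assign : trimspace(id) != ""]) && length(distinct(var.config_aggregator_enterprise_account_ids_to_assign)) == length(var.config_aggregator_enterprise_account_ids_to_assign)` with `error_message = "Account IDs must be non-empty and unique"`. The block is a byte-for-byte copy of the one added in `solutions/fully-configurable/variables.tf`, so whichever rule set is chosen should be applied to both so the solution fails at plan rather than inside the nested module.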