23 changes: 23 additions & 0 deletions README.md
Expand Up @@ -80,6 +80,8 @@ For more information on access and permissions, see <https://cloud.ibm.com/docs/
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.79.1, < 2.0.0 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.5.1, < 4.0.0 |
| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9.1, < 1.0.0 |

### Modules

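Review bot: the new `random` (`>= 3.5.1, < 4.0.0`) and `time` (`>= 0.9.1, < 1.0.0`) rows in the Requirements table have to match the `required_providers` block of the root module's version file, which is not among the files changed in this PR; please confirm the two constraints are identical there so the generated table does not drift from the code that actually enforces them.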
Expand All @@ -89,21 +91,32 @@ For more information on access and permissions, see <https://cloud.ibm.com/docs/
| <a name="module_config_aggregator_trusted_profile"></a> [config\_aggregator\_trusted\_profile](#module\_config\_aggregator\_trusted\_profile) | terraform-ibm-modules/trusted-profile/ibm | 3.1.1 |
| <a name="module_config_aggregator_trusted_profile_enterprise"></a> [config\_aggregator\_trusted\_profile\_enterprise](#module\_config\_aggregator\_trusted\_profile\_enterprise) | terraform-ibm-modules/trusted-profile/ibm | 3.1.1 |
| <a name="module_config_aggregator_trusted_profile_template"></a> [config\_aggregator\_trusted\_profile\_template](#module\_config\_aggregator\_trusted\_profile\_template) | terraform-ibm-modules/trusted-profile/ibm//modules/trusted-profile-template | 3.1.1 |
| <a name="module_en_crn_parser"></a> [en\_crn\_parser](#module\_en\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.2.0 |
| <a name="module_kms_crn_parser"></a> [kms\_crn\_parser](#module\_kms\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.2.0 |

### Resources

| Name | Type |
|------|------|
| [ibm_app_config_collection.collections](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/app_config_collection) | resource |
| [ibm_app_config_integration_en.app_config_integration_en](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/app_config_integration_en) | resource |
| [ibm_app_config_integration_kms.app_config_integration_kms](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/app_config_integration_kms) | resource |
| [ibm_config_aggregator_settings.config_aggregator_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/config_aggregator_settings) | resource |
| [ibm_iam_authorization_policy.en_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
| [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
| [ibm_iam_custom_role.template_assignment_reader](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_custom_role) | resource |
| [ibm_resource_instance.app_config](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
| [random_string.en_integration_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [random_string.kms_integration_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [time_sleep.wait_for_en_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [time_sleep.wait_for_kms_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |

### Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_app_config_collections"></a> [app\_config\_collections](#input\_app\_config\_collections) | A list of collections to be added to the App Configuration instance | <pre>list(object({<br/> name = string<br/> collection_id = string<br/> description = optional(string, null)<br/> tags = optional(string, null)<br/> }))</pre> | `[]` | no |
| <a name="input_app_config_event_notifications_source_name"></a> [app\_config\_event\_notifications\_source\_name](#input\_app\_config\_event\_notifications\_source\_name) | The name by which Event Notifications source will be created in the existing Event Notification instance. | `string` | `"app-config-en-source-name"` | no |
| <a name="input_app_config_name"></a> [app\_config\_name](#input\_app\_config\_name) | Name for the App Configuration service instance | `string` | n/a | yes |
| <a name="input_app_config_plan"></a> [app\_config\_plan](#input\_app\_config\_plan) | Plan for the App Configuration service instance, valid plans are lite, basic, standardv2, and enterprise. | `string` | `"lite"` | no |
| <a name="input_app_config_service_endpoints"></a> [app\_config\_service\_endpoints](#input\_app\_config\_service\_endpoints) | Service Endpoints for the App Configuration service instance, valid endpoints are public or public-and-private. | `string` | `"public-and-private"` | no |
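Review bot: the Resources table now lists `time_sleep.wait_for_en_authorization_policy` and `time_sleep.wait_for_kms_authorization_policy` next to `ibm_iam_authorization_policy.en_policy` and `ibm_iam_authorization_policy.kms_policy`, but nothing in the README says why the sleeps exist (waiting for the freshly created IAM authorization policies to take effect before the integration resources reference them) or that they are skipped together with the policies; one sentence near the Resources section would stop users from wondering why an apply pauses at that point.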
Expand All @@ -117,8 +130,18 @@ For more information on access and permissions, see <https://cloud.ibm.com/docs/
| <a name="input_config_aggregator_resource_collection_regions"></a> [config\_aggregator\_resource\_collection\_regions](#input\_config\_aggregator\_resource\_collection\_regions) | From which region do you want to collect configuration data? Only applies if `enable_config_aggregator` is set to true. | `list(string)` | <pre>[<br/> "all"<br/>]</pre> | no |
| <a name="input_config_aggregator_trusted_profile_name"></a> [config\_aggregator\_trusted\_profile\_name](#input\_config\_aggregator\_trusted\_profile\_name) | The name to give the trusted profile that will be created if `enable_config_aggregator` is set to `true`. | `string` | `"config-aggregator-trusted-profile"` | no |
| <a name="input_enable_config_aggregator"></a> [enable\_config\_aggregator](#input\_enable\_config\_aggregator) | Set to true to enable configuration aggregator. By setting to true a trusted profile will be created with the required access to record configuration data from all resources across regions in your account. [Learn more](https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator). | `bool` | `false` | no |
| <a name="input_enable_event_notifications"></a> [enable\_event\_notifications](#input\_enable\_event\_notifications) | Flag to enable the event notification when the configured plan is 'enterprise'. | `bool` | `false` | no |
| <a name="input_event_notifications_endpoint_url"></a> [event\_notifications\_endpoint\_url](#input\_event\_notifications\_endpoint\_url) | The URL of the Event Notifications service endpoint to use for notifying configuration changes. For more information on the endpoint URL for Event Notifications, go to [Service endpoints](https://cloud.ibm.com/docs/event-notifications?topic=event-notifications-en-regions-endpoints#en-service-endpoints). It is required if `enable_event_notifications` is set to true. | `string` | `null` | no |
| <a name="input_event_notifications_integration_description"></a> [event\_notifications\_integration\_description](#input\_event\_notifications\_integration\_description) | The description of integration between Event Notification and App Configuration service. | `string` | `"The App Configuration integration to send notifications of events of users"` | no |
| <a name="input_existing_event_notifications_instance_crn"></a> [existing\_event\_notifications\_instance\_crn](#input\_existing\_event\_notifications\_instance\_crn) | The CRN of the existing Event Notifications instance to enable notifications for your App Configuration instance. It is required if `enable_event_notifications` is set to true | `string` | `null` | no |
| <a name="input_existing_kms_instance_crn"></a> [existing\_kms\_instance\_crn](#input\_existing\_kms\_instance\_crn) | The CRN of the Hyper Protect Crypto Services or Key Protect instance. Required only if `var.kms_encryption_enabled` is set to `true`. | `string` | `null` | no |
| <a name="input_kms_encryption_enabled"></a> [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Flag to enable the KMS encryption when the configured plan is 'enterprise'. | `bool` | `false` | no |
| <a name="input_kms_endpoint_url"></a> [kms\_endpoint\_url](#input\_kms\_endpoint\_url) | The URL of the key management service endpoint to use for key encryption. For more information on the endpoint URL format for Hyper Protect Crypto Services, go to [Instance-based endpoints](https://cloud.ibm.com/docs/hs-crypto?topic=hs-crypto-regions#new-service-endpoints). For more information on the endpoint URL format for Key Protect, go to [Service endpoints](https://cloud.ibm.com/docs/key-protect?topic=key-protect-regions#service-endpoints). It is required if `kms_encryption_enabled` is set to true. | `string` | `null` | no |
| <a name="input_region"></a> [region](#input\_region) | The region to provision the App Configuration service, valid regions are au-syd, jp-osa, jp-tok, eu-de, eu-gb, eu-es, us-east, us-south, ca-tor, br-sao, eu-fr2, ca-mon. | `string` | `"us-south"` | no |
| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where resources will be provisioned. | `string` | n/a | yes |
| <a name="input_root_key_id"></a> [root\_key\_id](#input\_root\_key\_id) | The key ID of a root key, existing in the key management service instance passed in `var.existing_kms_instance_crn`, which is used to encrypt the data encryption keys which are then used to encrypt the data. Required only if `var.kms_encryption_enabled` is set to `true`. | `string` | `null` | no |
| <a name="input_skip_app_config_event_notifications_auth_policy"></a> [skip\_app\_config\_event\_notifications\_auth\_policy](#input\_skip\_app\_config\_event\_notifications\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits App configuration instances to integrate with Event Notification in the same account. | `bool` | `false` | no |
| <a name="input_skip_app_config_kms_auth_policy"></a> [skip\_app\_config\_kms\_auth\_policy](#input\_skip\_app\_config\_kms\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits App configuration instances to read the encryption key from the KMS instance in the same account. | `bool` | `false` | no |

### Outputs

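Review bot: the descriptions of `enable_event_notifications` and `kms_encryption_enabled` say the flags apply "when the configured plan is 'enterprise'", yet the hunk shows no validation tying either flag to `app_config_plan`; either add a `validation` block in variables.tf so an `enterprise`-only flag combined with another plan fails at plan time, or reword both descriptions to state what happens on the other plans. Two smaller points in the same table: `existing_event_notifications_instance_crn` is missing the trailing period and the `` `true` `` backticks its sibling inputs use, and the two `skip_app_config_*_auth_policy` descriptions should say that when set to `true` an equivalent authorization policy must already exist, since the policy is what lets the instance read the root key or reach the Event Notifications instance.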
5 changes: 5 additions & 0 deletions examples/advanced/README.md
Expand Up @@ -6,9 +6,14 @@
An end-to-end example that will provision the following:

- A new resource group if one is not passed in.
- A new Key Management Service instance with Key Protect encryption.
- A root key inside the key ring for the above KMS instance.
- A new Event Notification instance.
- A new App Configuration instance.
- A new collection within the App Configuration instance.
- Configuration aggregator ([learn more](https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator))
- Integration between App Configuration and Key Management Service instance.
- Integration between App Configuration and Event Notification instance.
- A simple VPC
- A CBR zone for the VPC
- A CBR rule to only allow the App Configuration instance to be accessed from within the VPC zone over private endpoint
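Review bot: the two new items say "Event Notification instance" while the root README inputs in this same PR use the product name "Event Notifications"; pick one spelling for the example README, and add the missing terminal periods on the aggregator, VPC and CBR items so the list reads consistently.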
56 changes: 55 additions & 1 deletion examples/advanced/main.tf
Expand Up @@ -42,6 +42,53 @@ module "cbr_zone" {
}]
}

##############################################################################
# Create KMS Instance
##############################################################################

locals {
key_ring_name = "${var.prefix}-ring"
key_name = "${var.prefix}-root-key"
}

module "key_protect_all_inclusive" {
source = "terraform-ibm-modules/kms-all-inclusive/ibm"
version = "5.1.22"
resource_group_id = module.resource_group.resource_group_id
key_protect_instance_name = "${var.prefix}-kms"
region = var.region
resource_tags = var.resource_tags
key_ring_endpoint_type = "public"
key_endpoint_type = "public"
keys = [
{
key_ring_name = local.key_ring_name
keys = [
{
key_name = local.key_name
force_delete = true # Setting it to true for testing purpose
}
]
}
]
}

##############################################################################
# Create EN Instance
##############################################################################

module "event_notification" {
source = "terraform-ibm-modules/event-notifications/ibm"
version = "2.7.0"
resource_group_id = module.resource_group.resource_group_id
name = "${var.prefix}-en"
tags = var.resource_tags
plan = "lite"
service_endpoints = "public-and-private"
region = var.region
}


########################################################################################################################
# App Config
########################################################################################################################
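Review bot: `key_ring_endpoint_type` and `key_endpoint_type` are both `"public"` in the `key_protect_all_inclusive` block, while the rest of this advanced example exists to demonstrate a private-endpoint posture (its CBR rule only allows the App Configuration instance to be reached from the VPC zone over private endpoint); consider the module's private endpoint option here, or add a comment explaining why public key operations are acceptable for the example. Minor: the `force_delete = true # Setting it to true for testing purpose` comment should make the scope explicit (e.g. `# true only so test teardown can remove the key; not for production`), and the double blank line after the `event_notification` module block should be collapsed to one.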
Expand All @@ -53,7 +100,7 @@ module "app_config" {
app_config_name = "${var.prefix}-app-config"
app_config_tags = var.resource_tags
enable_config_aggregator = true # See https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator
app_config_plan = "standardv2"
app_config_plan = "enterprise"
config_aggregator_trusted_profile_name = "${var.prefix}-config-aggregator-trusted-profile"
app_config_collections = [
{
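Review bot: `app_config_plan` changes from `"standardv2"` to `"enterprise"` with no comment, while the root README in this PR states that `kms_encryption_enabled` and `enable_event_notifications` only apply when the plan is 'enterprise'; add a comment on that line (e.g. `# enterprise plan is required for the KMS and Event Notifications integrations below`) so readers understand why the example moved to the more expensive plan.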
Expand Down Expand Up @@ -86,4 +133,11 @@ module "app_config" {
}]
}
]
kms_encryption_enabled = true
existing_kms_instance_crn = module.key_protect_all_inclusive.key_protect_crn
root_key_id = module.key_protect_all_inclusive.keys["${local.key_ring_name}.${local.key_name}"].key_id
kms_endpoint_url = module.key_protect_all_inclusive.kms_public_endpoint
enable_event_notifications = true
existing_event_notifications_instance_crn = module.event_notification.crn
event_notifications_endpoint_url = module.event_notification.event_notifications_public_endpoint
}
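Review bot: `kms_endpoint_url` and `event_notifications_endpoint_url` are wired to the `kms_public_endpoint` and `event_notifications_public_endpoint` outputs, so the key and notification traffic of an example whose CBR rule restricts App Configuration to private-endpoint access still goes over public endpoints; if the two modules expose private endpoint outputs, prefer them here, otherwise a comment should say why public is used. The lookup `module.key_protect_all_inclusive.keys["${local.key_ring_name}.${local.key_name}"].key_id` relies on the `keys` output being a map keyed `<ring>.<key>`; a one-line comment naming that convention would make the example easier to adapt.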
2 changes: 1 addition & 1 deletion examples/basic/version.tf
Expand Up @@ -6,7 +6,7 @@ terraform {
required_providers {
ibm = {
source = "IBM-Cloud/ibm"
version = "1.79.1"
version = "1.82.1"
}
}
}
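Review bot: the basic example now pins `ibm` to `1.82.1`, but the root README changed in this same PR still advertises `>= 1.79.1, < 2.0.0`; if 1.82.1 is the first release that provides the `ibm_app_config_integration_en` and `ibm_app_config_integration_kms` resources the module now uses, raise the root lower bound to match, otherwise state why the example needs the newer pin. The advanced example's version file is not in the diff either, so please check it receives the same bump.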