fix: only allow private COS endpoint access for all services except VPC which will use direct endpoint (#453)

Ak-sky · web-flow · commit 264dc9262b82 · 2024-05-28T08:59:01.000+01:00
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
@@ -109,7 +109,7 @@ module "cbr_fscloud" {
 | <a name="input_skip_specific_services_for_zone_creation"></a> [skip\_specific\_services\_for\_zone\_creation](#input\_skip\_specific\_services\_for\_zone\_creation) | Provide a list of service references for which zone creation is not required | `list(string)` | `[]` | no |
 | <a name="input_target_service_details"></a> [target\_service\_details](#input\_target\_service\_details) | Details of the target service for which a rule is created. The key is the service name. | <pre>map(object({<br>    description      = optional(string)<br>    target_rg        = optional(string)<br>    instance_id      = optional(string)<br>    enforcement_mode = string<br>    tags             = optional(list(string))<br>    region           = optional(string)<br>    global_deny      = optional(bool, true)<br>  }))</pre> | `{}` | no |
 | <a name="input_zone_service_ref_list"></a> [zone\_service\_ref\_list](#input\_zone\_service\_ref\_list) | (Optional) Customized name of the zone for the service reference. If not provided, default zone name with the prefix will be created. | <pre>object({<br>    cloud-object-storage        = optional(string)<br>    codeengine                  = optional(string)<br>    containers-kubernetes       = optional(string)<br>    databases-for-cassandra     = optional(string)<br>    databases-for-elasticsearch = optional(string)<br>    databases-for-enterprisedb  = optional(string)<br>    databases-for-etcd          = optional(string)<br>    databases-for-mongodb       = optional(string)<br>    databases-for-mysql         = optional(string)<br>    databases-for-postgresql    = optional(string)<br>    databases-for-redis         = optional(string)<br>    directlink                  = optional(string)<br>    iam-groups                  = optional(string)<br>    is                          = optional(string)<br>    messagehub                  = optional(string)<br>    messages-for-rabbitmq       = optional(string)<br>    schematics                  = optional(string)<br>    secrets-manager             = optional(string)<br>    server-protect              = optional(string)<br>    user-management             = optional(string)<br>    apprapp                     = optional(string)<br>    compliance                  = optional(string)<br>    event-notifications         = optional(string)<br>    logdna                      = optional(string)<br>    logdnaat                    = optional(string)<br>    cloudantnosqldb             = optional(string)<br>    globalcatalog-collection    = optional(string)<br>    sysdig-monitor              = optional(string)<br>    sysdig-secure               = optional(string)<br>    toolchain                   = optional(string)<br>  })</pre> | <pre>{<br>  "apprapp": null,<br>  "cloud-object-storage": null,<br>  "cloudantnosqldb": null,<br>  "codeengine": null,<br>  "compliance": null,<br>  "containers-kubernetes": null,<br>  "databases-for-cassandra": null,<br>  "databases-for-elasticsearch": null,<br>  "databases-for-enterprisedb": null,<br>  "databases-for-etcd": null,<br>  "databases-for-mongodb": null,<br>  "databases-for-mysql": null,<br>  "databases-for-postgresql": null,<br>  "databases-for-redis": null,<br>  "directlink": null,<br>  "event-notifications": null,<br>  "globalcatalog-collection": null,<br>  "iam-groups": null,<br>  "is": null,<br>  "logdna": null,<br>  "logdnaat": null,<br>  "messagehub": null,<br>  "messages-for-rabbitmq": null,<br>  "schematics": null,<br>  "secrets-manager": null,<br>  "server-protect": null,<br>  "sysdig-monitor": null,<br>  "sysdig-secure": null,<br>  "toolchain": null,<br>  "user-management": null<br>}</pre> | no |
-| <a name="input_zone_vpc_crn_list"></a> [zone\_vpc\_crn\_list](#input\_zone\_vpc\_crn\_list) | (List) VPC CRN for the zones | `list(string)` | n/a | yes |
+| <a name="input_zone_vpc_crn_list"></a> [zone\_vpc\_crn\_list](#input\_zone\_vpc\_crn\_list) | (List) VPC CRN for the zones | `list(string)` | `[]` | no |
 
 ### Outputs
 
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
@@ -249,6 +249,10 @@ locals {
       endpointType : "direct",
       networkZoneIds : flatten([
         var.allow_vpcs_to_cos ? [local.cbr_zone_vpcs.zone_id] : [],
+      ])
+      }, {
+      endpointType : "private",
+      networkZoneIds : flatten([
         var.allow_at_to_cos ? [local.logdnaat_cbr_zone_id] : [],
         var.allow_is_to_cos ? [local.is_cbr_zone_id] : []
       ])
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
@@ -6,6 +6,7 @@ variable "prefix" {
 variable "zone_vpc_crn_list" {
   type        = list(string)
   description = "(List) VPC CRN for the zones"
+  default     = []
 }
 
 variable "allow_cos_to_kms" {

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ variable "prefix" {`
`6`	`6`	`variable "zone_vpc_crn_list" {`
`7`	`7`	`type = list(string)`
`8`	`8`	`description = "(List) VPC CRN for the zones"`
	`9`	`+ default = []`
`9`	`10`	`}`
`10`	`11`
`11`	`12`	`variable "allow_cos_to_kms" {`