feat: adding option to specific explicit name for cbr rule and zone (#313)

Co-authored-by: Khuzaima-Shakeel <[email protected]>
Co-authored-by: Akash Kumar <[email protected]>
Co-authored-by: Vincent Burckhardt <[email protected]>
Co-authored-by: [email protected] <[email protected]>

Author: 5 people

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-12-11T10:56:30Z",
+  "generated_at": "2024-01-16T11:01:35Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

common-dev-assets

@@ -2,16 +2,19 @@
 
 This example demonstrates how to use the [fscloud profile](../../profiles/fscloud/) module to lay out a complete "secure by default" coarse-grained CBR topology in a given account.
 
-This examples is designed to show case some of the key customization options for the module. In addition to the pre-wired CBR rules documented at [fscloud profile](../../profiles/fscloud/), this example shows how to customize the module to:
-1. Open up network traffic flow from Schematics to Key Protect and HPCS public endpoints. Note that for illustration purpose, this example configures the use of both Key Protect and HPCS through the `kms_service_targeted_by_prewired_rules` variable. In a real-world scenario, only one Key Management Service would be used
-2. Open up network traffic flow from a block of IPs to the Schematics public endpoint and the private container clusters endpoints.
-3. Open up network traffic flow from the VPC created in this example to ICD postgresql private endpoints.
+This examples is designed to show case some of the key customization options for the module. In addition to the pre-wired CBR rules documented at [fscloud profile](../../profiles/fscloud/), this examples show how to customize the module to:
+1. Open up network traffic flow from ICD mongodb, ICD Postgresql to the Key Protect private endpoints.
+2. Open up network traffic flow from Schematics to Key Protect public endpoints.
+3. Open up network traffic flow from a block of IPs to the Schematics public endpoint.
+4. Open up network traffic flow from the VPC created in this example to ICD postgresql private endpoints.
+5. Customize the rule description for `kms` and the zone name for `codeengine`.
 
 Context: this examples covers a "pseudo" real-world scenario where:
-1. Schematics is used to execute terraform that create Key Protect, and HPCS keys and key ring over its public endpoint.
-2. Operators use machines with a set list of public IPs to interact with Schematics, and through private endpoints to the container clusters.
-3. Applications are running the VPC and need access to PostgreSQL via the private endpoint - eg: a VPE.
-4. Skips creation of zones for these two service references ["user-management", "iam-groups"].
+1. ICD Mongodb and Postgresql instances are encrypted using keys storage in Key Protect.
+2. Schematics is used to execute terraform that create Key Protect keys and key ring over its public endpoint.
+3. Operators use machines with a set list of public IPs to interact with Schematics.
+4. Applications are running the VPC and need access to PostgreSQL via the private endpoint - eg: a VPE.
+5. Skips creation of zones for these two service references ["user-management", "iam-groups"].
 
 ## Note
 - The services 'compliance', 'directlink', 'iam-groups', 'containers-kubernetes', 'user-management' do not support restriction per location for zone creation.

examples/fscloud/README.md

@@ -73,9 +73,20 @@ module "cbr_account_level" {
   target_service_details = {
     # Using 'kms' for Key Protect value as target service name supported by CBR for Key Protect is 'kms'.
     "kms" = {
+      # Demonstrates how a customized CBR description (also seen as being the rule name) can be set
+      "description"      = "kms-rule-example-of-customized-description"
       "enforcement_mode" = "enabled"
       "instance_id"      = module.key_protect_module.key_protect_guid
     }
+    "cloud-object-storage" = {
+      "enforcement_mode" = "enabled"
+      "instance_id"      = module.key_protect_module.key_protect_guid
+    }
+  }
+
+  # Demonstrates how a customized name can be set for the CBR zone
+  zone_service_ref_list = {
+    "codeengine" = "codeengine-zone-example-of-customized-zone-name"
   }
 
   # Demonstrates how additional context to the rules created by this module can be added.

examples/fscloud/main.tf

@@ -105,8 +105,8 @@ module "cbr_fscloud" {
 | <a name="input_location"></a> [location](#input\_location) | The region in which the network zone is scoped | `string` | `null` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | Prefix to append to all vpc\_zone\_list, service\_ref\_zone\_list and cbr\_rule\_description created by this submodule | `string` | n/a | yes |
 | <a name="input_skip_specific_services_for_zone_creation"></a> [skip\_specific\_services\_for\_zone\_creation](#input\_skip\_specific\_services\_for\_zone\_creation) | Provide a list of service references for which zone creation is not required | `list(string)` | `[]` | no |
-| <a name="input_target_service_details"></a> [target\_service\_details](#input\_target\_service\_details) | Details of the target service for which a rule is created. The key is the service name. | <pre>map(object({<br>    target_rg        = optional(string)<br>    instance_id      = optional(string)<br>    enforcement_mode = string<br>    tags             = optional(list(string))<br>  }))</pre> | `{}` | no |
-| <a name="input_zone_service_ref_list"></a> [zone\_service\_ref\_list](#input\_zone\_service\_ref\_list) | (List) Service reference for the zone creation | `list(string)` | <pre>[<br>  "cloud-object-storage",<br>  "codeengine",<br>  "containers-kubernetes",<br>  "databases-for-cassandra",<br>  "databases-for-elasticsearch",<br>  "databases-for-enterprisedb",<br>  "databases-for-etcd",<br>  "databases-for-mongodb",<br>  "databases-for-mysql",<br>  "databases-for-postgresql",<br>  "databases-for-redis",<br>  "directlink",<br>  "iam-groups",<br>  "is",<br>  "messagehub",<br>  "messages-for-rabbitmq",<br>  "schematics",<br>  "secrets-manager",<br>  "server-protect",<br>  "user-management",<br>  "apprapp",<br>  "compliance",<br>  "event-notifications",<br>  "logdna",<br>  "logdnaat"<br>]</pre> | no |
+| <a name="input_target_service_details"></a> [target\_service\_details](#input\_target\_service\_details) | Details of the target service for which a rule is created. The key is the service name. | <pre>map(object({<br>    description      = optional(string)<br>    target_rg        = optional(string)<br>    instance_id      = optional(string)<br>    enforcement_mode = string<br>    tags             = optional(list(string))<br>  }))</pre> | `{}` | no |
+| <a name="input_zone_service_ref_list"></a> [zone\_service\_ref\_list](#input\_zone\_service\_ref\_list) | (Optional) Customized name of the zone for the service reference. If not provided, default zone name with the prefix will be created. | <pre>object({<br>    cloud-object-storage        = optional(string)<br>    codeengine                  = optional(string)<br>    containers-kubernetes       = optional(string)<br>    databases-for-cassandra     = optional(string)<br>    databases-for-elasticsearch = optional(string)<br>    databases-for-enterprisedb  = optional(string)<br>    databases-for-etcd          = optional(string)<br>    databases-for-mongodb       = optional(string)<br>    databases-for-mysql         = optional(string)<br>    databases-for-postgresql    = optional(string)<br>    databases-for-redis         = optional(string)<br>    directlink                  = optional(string)<br>    iam-groups                  = optional(string)<br>    is                          = optional(string)<br>    messagehub                  = optional(string)<br>    messages-for-rabbitmq       = optional(string)<br>    schematics                  = optional(string)<br>    secrets-manager             = optional(string)<br>    server-protect              = optional(string)<br>    user-management             = optional(string)<br>    apprapp                     = optional(string)<br>    compliance                  = optional(string)<br>    event-notifications         = optional(string)<br>    logdna                      = optional(string)<br>    logdnaat                    = optional(string)<br>  })</pre> | <pre>{<br>  "apprapp": null,<br>  "cloud-object-storage": null,<br>  "codeengine": null,<br>  "compliance": null,<br>  "containers-kubernetes": null,<br>  "databases-for-cassandra": null,<br>  "databases-for-elasticsearch": null,<br>  "databases-for-enterprisedb": null,<br>  "databases-for-etcd": null,<br>  "databases-for-mongodb": null,<br>  "databases-for-mysql": null,<br>  "databases-for-postgresql": null,<br>  "databases-for-redis": null,<br>  "directlink": null,<br>  "event-notifications": null,<br>  "iam-groups": null,<br>  "is": null,<br>  "logdna": null,<br>  "logdnaat": null,<br>  "messagehub": null,<br>  "messages-for-rabbitmq": null,<br>  "schematics": null,<br>  "secrets-manager": null,<br>  "server-protect": null,<br>  "user-management": null<br>}</pre> | no |
 | <a name="input_zone_vpc_crn_list"></a> [zone\_vpc\_crn\_list](#input\_zone\_vpc\_crn\_list) | (List) VPC CRN for the zones | `list(string)` | n/a | yes |
 
 ### Outputs

modules/fscloud/README.md

@@ -100,39 +100,37 @@ locals {
 
   target_service_details = merge(local.target_service_details_default, var.target_service_details)
 
-  zone_final_service_ref_list = [
-    for service in var.zone_service_ref_list : service if !contains(var.skip_specific_services_for_zone_creation, service)
-  ]
+  zone_final_service_ref_list = {
+    for service_ref, service_ref_name in var.zone_service_ref_list : service_ref => service_ref_name if !contains(var.skip_specific_services_for_zone_creation, service_ref)
+  }
 }
 
 ###############################################################################
 # Pre-create coarse grained CBR zones for each service
 ###############################################################################
 
 locals {
-  service_ref_zone_list = (length(local.zone_final_service_ref_list) > 0) ? [
-    for serviceref in local.zone_final_service_ref_list : {
-      name             = "${var.prefix}-${serviceref}-service-zone"
+  service_ref_zone_list = (length(local.zone_final_service_ref_list) > 0) ? {
+    for service_ref, service_ref_name in local.zone_final_service_ref_list : service_ref => {
+      name             = service_ref_name == null ? "${var.prefix}-${service_ref}-service-zone" : service_ref_name
       account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
-      zone_description = "Single zone for service ${serviceref}."
+      zone_description = "Single zone for service ${service_ref}."
       # when the target service is containers-kubernetes or any icd services, context cannot have a serviceref
       addresses = [
         {
           type = "serviceRef"
           ref = {
             account_id   = data.ibm_iam_account_settings.iam_account_settings.account_id
-            service_name = serviceref
-            location     = (serviceref == "compliance" || serviceref == "directlink" || serviceref == "iam-groups" || serviceref == "user-management" || serviceref == "containers-kubernetes") ? null : var.location
+            service_name = service_ref
+            location     = (service_ref == "compliance" || service_ref == "directlink" || service_ref == "iam-groups" || service_ref == "user-management" || service_ref == "containers-kubernetes") ? null : var.location
           }
         }
       ]
-  }] : []
-
-  service_ref_zone_map_pre_check = zipmap(local.zone_final_service_ref_list, local.service_ref_zone_list)
+  } } : {}
 
-  service_ref_zone_map_check = merge(local.service_ref_zone_map_pre_check, var.existing_serviceref_zone)
+  service_ref_zone_map_check = merge(local.service_ref_zone_list, var.existing_serviceref_zone)
 
-  service_ref_zone_map = { for k, v in local.service_ref_zone_map_check : k => v if !contains(keys(v), "zone_id") }
+  service_ref_zone_map = { for service_ref, service_ref_name in local.service_ref_zone_map_check : service_ref => service_ref_name if !contains(keys(service_ref_name), "zone_id") }
 
   cbr_zones = merge(module.cbr_zone, var.existing_serviceref_zone)
 
@@ -338,7 +336,7 @@ locals {
 module "cbr_rule" {
   for_each         = local.target_service_details
   source           = "../../modules/cbr-rule-module"
-  rule_description = "${var.prefix}-${each.key}-rule"
+  rule_description = try(each.value.description, null) != null ? each.value.description : "${var.prefix}-${each.key}-rule"
   enforcement_mode = each.value.enforcement_mode
   rule_contexts    = lookup(local.allow_rules_by_service, each.key, [])
   operations = (length(lookup(local.operations_apitype_val, each.key, [])) > 0) ? [{

modules/fscloud/main.tf

@@ -63,11 +63,64 @@ variable "allow_is_to_cos" {
 }
 
 variable "zone_service_ref_list" {
-  type = list(string)
+  type = object({
+    cloud-object-storage        = optional(string)
+    codeengine                  = optional(string)
+    containers-kubernetes       = optional(string)
+    databases-for-cassandra     = optional(string)
+    databases-for-elasticsearch = optional(string)
+    databases-for-enterprisedb  = optional(string)
+    databases-for-etcd          = optional(string)
+    databases-for-mongodb       = optional(string)
+    databases-for-mysql         = optional(string)
+    databases-for-postgresql    = optional(string)
+    databases-for-redis         = optional(string)
+    directlink                  = optional(string)
+    iam-groups                  = optional(string)
+    is                          = optional(string)
+    messagehub                  = optional(string)
+    messages-for-rabbitmq       = optional(string)
+    schematics                  = optional(string)
+    secrets-manager             = optional(string)
+    server-protect              = optional(string)
+    user-management             = optional(string)
+    apprapp                     = optional(string)
+    compliance                  = optional(string)
+    event-notifications         = optional(string)
+    logdna                      = optional(string)
+    logdnaat                    = optional(string)
+  })
+  default = {
+    cloud-object-storage        = null
+    codeengine                  = null
+    containers-kubernetes       = null
+    databases-for-cassandra     = null
+    databases-for-elasticsearch = null
+    databases-for-enterprisedb  = null
+    databases-for-etcd          = null
+    databases-for-mongodb       = null
+    databases-for-mysql         = null
+    databases-for-postgresql    = null
+    databases-for-redis         = null
+    directlink                  = null
+    iam-groups                  = null
+    is                          = null
+    messagehub                  = null
+    messages-for-rabbitmq       = null
+    schematics                  = null
+    secrets-manager             = null
+    server-protect              = null
+    user-management             = null
+    apprapp                     = null
+    compliance                  = null
+    event-notifications         = null
+    logdna                      = null
+    logdnaat                    = null
+  }
   validation {
     condition = alltrue([
-      for service_ref in var.zone_service_ref_list :
-      contains(["cloud-object-storage", "codeengine", "containers-kubernetes",
+      for service_ref, service_ref_name in var.zone_service_ref_list : contains([
+        "cloud-object-storage", "codeengine", "containers-kubernetes",
         "databases-for-cassandra", "databases-for-elasticsearch", "databases-for-enterprisedb",
         "databases-for-etcd", "databases-for-mongodb",
         "databases-for-mysql", "databases-for-postgresql",
@@ -79,15 +132,7 @@ variable "zone_service_ref_list" {
     ])
     error_message = "Provide a valid service reference for zone creation"
   }
-  default = ["cloud-object-storage", "codeengine", "containers-kubernetes",
-    "databases-for-cassandra", "databases-for-elasticsearch", "databases-for-enterprisedb",
-    "databases-for-etcd", "databases-for-mongodb",
-    "databases-for-mysql", "databases-for-postgresql",
-    "databases-for-redis", "directlink",
-    "iam-groups", "is", "messagehub",
-    "messages-for-rabbitmq", "schematics", "secrets-manager", "server-protect", "user-management",
-  "apprapp", "compliance", "event-notifications", "logdna", "logdnaat"]
-  description = "(List) Service reference for the zone creation"
+  description = "(Optional) Customized name of the zone for the service reference. If not provided, default zone name with the prefix will be created."
 }
 
 variable "custom_rule_contexts_by_service" {
@@ -133,6 +178,7 @@ variable "custom_rule_contexts_by_service" {
 }
 variable "target_service_details" {
   type = map(object({
+    description      = optional(string)
     target_rg        = optional(string)
     instance_id      = optional(string)
     enforcement_mode = string