terraform-ibm-modules
diff --git a/‎README.md‎
Lines changed: 63 additions & 109 deletions b/‎README.md‎
Lines changed: 63 additions & 109 deletions
diff --git a/‎cbr-rule-module/README.md‎
Lines changed: 3 additions & 0 deletions b/‎cbr-rule-module/README.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎cbr-rule-module/main.tf‎
Lines changed: 66 additions & 0 deletions b/‎cbr-rule-module/main.tf‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎cbr-rule-module/outputs.tf‎
Lines changed: 18 additions & 0 deletions b/‎cbr-rule-module/outputs.tf‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎cbr-rule-module/variables.tf‎
Lines changed: 87 additions & 0 deletions b/‎cbr-rule-module/variables.tf‎
Lines changed: 87 additions & 0 deletions
@@ -1,88 +1,16 @@
 <!-- BEGIN MODULE HOOK -->
 
 <!-- Update the title to match the module name and add a description -->
-# Terraform Modules Template Project
-<!-- UPDATE BADGE: Update the link for the following badge-->
-[![Incubating (Not yet consumable)](https://img.shields.io/badge/status-Incubating%20(Not%20yet%20consumable)-red)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
-[![Build status](https://github.com/terraform-ibm-modules/terraform-ibm-module-template/actions/workflows/ci.yml/badge.svg)](https://github.com/terraform-ibm-modules/terraform-ibm-module-template/actions/workflows/ci.yml)
+# Context Based Restrications Module
+
+[![Stable (With quality checks)](https://img.shields.io/badge/Status-Stable%20(With%20quality%20checks)-green?style=plastic)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
+[![Build Status](https://github.com/terraform-ibm-modules/terraform-ibm-cos/actions/workflows/ci.yml/badge.svg)](https://github.com/terraform-ibm-modules/terraform-ibm-cbr/actions/workflows/ci.yml)
+[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
-[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-module-template?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-module-template/releases/latest)
+[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-cbr?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-cbr/releases/latest)
 [![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/)
-[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
-
-<!-- Remove the content in this H2 heading after completing the steps -->
-
-## Submit a new module
-
-:+1::tada: Thank you for taking the time to contribute! :tada::+1:
-
-This template repository exists to help you create Terraform modules for IBM Cloud.
-
-The default structure includes the following files:
-
-- `README.md`: A description of the module
-- `main.tf`: The logic for the module
-- `version.tf`: The required terraform and provider versions
-- `variables.tf`: The input variables for the module
-- `outputs.tf`: The values that are output from the module
-For more information, see [Module structure](https://terraform-ibm-modules.github.io/documentation/#/module-structure) in the project documentation.
-
-You can add other content to support what your module does and how it works. For example, you might add a `scripts/` directory that contains shell scripts that are run by a `local-exec` `null_resource` in the Terraform module.
-
-Follow this process to create and submit a Terraform module.
-
-### Create a repo from this repo template
-
-1.  Create a repository from this repository template by clicking `Use this template` in the upper right of the GitHub UI.
-&emsp;&emsp;&emsp;&emsp;<br>For more information about creating a repository from a template, see the [GitHub docs](https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-repository-from-a-template).
-1.  Select `terraform-ibm-modules` as the owner.
-1.  Enter a name for the module in format `terraform-ibm-<NAME>`, where `<NAME>` reflects the type of infrastructure that the module manages.
-&emsp;&emsp;&emsp;&emsp;<br>Use hyphens as delimiters for names with multiple words (for example, terraform-ibm-`activity-tracker`).
-1.  Provide a short description of the module.
-&emsp;&emsp;&emsp;&emsp;<br>The description is displayed under the repository name on the [organization page](https://github.com/terraform-ibm-modules) and in the **About** section of the repository. Use the description to help users understand the purpose of your module. For more information, see [module names and descriptions](https://terraform-ibm-modules.github.io/documentation/#/implementation-guidelines?id=module-names-and-descriptions) in the docs.
-
-### Clone the repo and set up your development environment
-
-Locally clone the new repository and set up your development environment by completing the tasks in [Local development setup](https://terraform-ibm-modules.github.io/documentation/#/local-dev-setup) in the project documentation.
-
-### Update the repo name and description in source control
-
-To help make sure that the repo name and description are not changed except through pull requests, they are defined in the `settings.yml` file.
-
-Check to make sure that values are uncommented and correct:
-
-1.  Open the [settings.yml](.github/settings.yml) file.
-1.  If not already updated, uncomment the `name` and `description` properties and set the values to what you specified when you requested the repo.
-
-### Update the Terraform files
-
-Implement the logic for your module by updating the `main.tf`, `version.tf`, `variables.tf`, and `outputs.tf` Terraform files. For more information, see [Creating Terraform on IBM Cloud templates](https://cloud.ibm.com/docs/ibm-cloud-provider-for-terraform?topic=ibm-cloud-provider-for-terraform-create-tf-config).
 
-### Create examples and tests
-
-Add one or more examples in the `examples` directory that consume your new module, and configure tests for them in the `tests` directory. For more information about tests, see [Tests](https://terraform-ibm-modules.github.io/documentation/#/tests).
-
-### Update the content in the readme file
-
-After you implement the logic for your module and create examples and tests, update this readme file in your repository by following these steps:
-
-1.  Update the title heading and add a description about your module.
-1.  Update the badge links.
-1.  Remove all the content in this H2 heading section.
-1.  Complete the [Usage](#usage) and [Required IAM access policies](#required-iam-access-policies) sections. The [Examples](#examples) and [Requirements](#requirements) section are populated by a pre-commit hook.
-
-### Commit your code and submit your module for review
-
-1.  Before you commit any code, review [Contributing to the IBM Cloud Terraform modules project](https://terraform-ibm-modules.github.io/documentation/#/contribute-module) in the project documentation.
-1.  Create a pull request for review.
-
-### Post-merge steps
-
-After the first PR for your module is merged, follow these post-merge steps:
-
-1.  Create a PR to enable the upgrade test by removing the `t.Skip` line in `tests/pr_test.go`.
-
-<!-- Remove the content in this previous H2 heading -->
+This module can be used to provision and configure [Context Based Restrictions](https://cloud.ibm.com/docs/account?topic=account-context-restrictions-create&interface=ui).
 
 ## Usage
 
@@ -94,67 +22,93 @@ unless real values don't help users know what to change.
 -->
 
 ```hcl
-
+module "ibm_cbr" "zone" {
+  # replace main with version
+  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-zone-module?ref=main"
+  name             = "zone_for_pg_access"
+  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  zone_description = "Zone created from terraform"
+  addresses        = [{type  = "vpc",value = "vpc_crn"}]
+}
+
+module "ibm_cbr" "rule" {
+  # replace main with version
+  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-rule-module?ref=main"
+  name             = "rule_for_pg_access"
+  rule_description = "rule from terraform"
+  enforcement_mode = "enabled"
+  rule_contexts    = var.rule_contexts
+  resources        = var.pg_resource
+  operations       = []
+}
 ```
+<!--
+Include the following 'Controls' section if the module implements NIST controls
+Remove the 'section if the module does not implement controls
+-->
 
-## Required IAM access policies
 
-<!-- PERMISSIONS REQUIRED TO RUN MODULE
-If this module requires permissions, uncomment the following block and update
-the sample permissions, following the format.
-Replace the sample Account and IBM Cloud service names and roles with the
-information in the console at
-Manage > Access (IAM) > Access groups > Access policies.
--->
+## Required IAM access policies
 
-<!--
 You need the following permissions to run this module.
 
 - Account Management
-    - **Sample Account Service** service
-        - `Editor` platform access
-        - `Manager` service access
-    - IAM Services
-        - **Sample Cloud Service** service
-            - `Administrator` platform access
--->
-
-<!-- NO PERMISSIONS FOR MODULE
-If no permissions are required for the module, uncomment the following
-statement instead the previous block.
--->
+    - `Editor` role access
+- VPC Infrastructure Services
+    - `Editor` role access
 
-<!-- No permissions are needed to run this module.-->
 <!-- END MODULE HOOK -->
 <!-- BEGIN EXAMPLES HOOK -->
 ## Examples
 
-- [ Default example](examples/default)
-- [ Example that uses existing resources](examples/existing-resources)
-- [ Non default example](examples/non-default)
+- [ Multi zone example](examples/multizone-rule)
+- [ Zone example](examples/zone)
 <!-- END EXAMPLES HOOK -->
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.49.0 |
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_cbr_rule"></a> [cbr\_rule](#module\_cbr\_rule) | ./cbr-rule-module | n/a |
+| <a name="module_cbr_zone"></a> [cbr\_zone](#module\_cbr\_zone) | ./cbr-zone-module | n/a |
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source |
 
 ## Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_addresses"></a> [addresses](#input\_addresses) | (List) The list of addresses in the zone | <pre>list(object({<br>    type  = optional(string)<br>    value = optional(string)<br>    ref = optional(object({<br>      account_id       = string<br>      location         = optional(string)<br>      service_instance = optional(string)<br>      service_name     = optional(string)<br>      service_type     = optional(string)<br>    }))<br>  }))</pre> | `[]` | no |
+| <a name="input_enforcement_mode"></a> [enforcement\_mode](#input\_enforcement\_mode) | (String) The rule enforcement mode | `string` | `"report"` | no |
+| <a name="input_excluded_addresses"></a> [excluded\_addresses](#input\_excluded\_addresses) | (Optional, List) The list of excluded addresses in the zone | <pre>list(object({<br>    type  = optional(string)<br>    value = optional(string)<br>  }))</pre> | `[]` | no |
+| <a name="input_name"></a> [name](#input\_name) | (Optional, String) The name of the zone | `string` | `null` | no |
+| <a name="input_operations"></a> [operations](#input\_operations) | (Optional, List) The operations this rule applies to | <pre>list(object({<br>    api_types = list(object({<br>      api_type_id = string<br>    }))<br>  }))</pre> | `[]` | no |
+| <a name="input_resources"></a> [resources](#input\_resources) | (Optional, List) The resources this rule apply to | <pre>list(object({<br>    attributes = list(object({<br>      name     = string<br>      value    = string<br>      operator = optional(string)<br>    }))<br>    tags = optional(list(object({<br>      name     = string<br>      value    = string<br>      operator = optional(string)<br>    })))<br>  }))</pre> | `[]` | no |
+| <a name="input_rule_contexts"></a> [rule\_contexts](#input\_rule\_contexts) | (List) The contexts the rule applies to | <pre>list(object({<br>    attributes = list(object({<br>      name  = string<br>      value = string<br>    }))<br>  }))</pre> | <pre>[<br>  {<br>    "attributes": [<br>      {<br>        "name": "va",<br>        "value": "va"<br>      }<br>    ]<br>  }<br>]</pre> | no |
+| <a name="input_rule_description"></a> [rule\_description](#input\_rule\_description) | (Optional, String) The description of the rule | `string` | `null` | no |
+| <a name="input_zone_description"></a> [zone\_description](#input\_zone\_description) | (Optional, String) The description of the zone | `string` | `null` | no |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_rule_crn"></a> [rule\_crn](#output\_rule\_crn) | CBR rule resource instance crn |
+| <a name="output_rule_href"></a> [rule\_href](#output\_rule\_href) | CBR rule resource href |
+| <a name="output_rule_id"></a> [rule\_id](#output\_rule\_id) | CBR rule resource instance id |
+| <a name="output_zone_crn"></a> [zone\_crn](#output\_zone\_crn) | cbr\_zone resource instance crn |
+| <a name="output_zone_href"></a> [zone\_href](#output\_zone\_href) | cbr\_zone resource instance link |
+| <a name="output_zone_id"></a> [zone\_id](#output\_zone\_id) | cbr\_zone resource instance id |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 <!-- BEGIN CONTRIBUTING HOOK -->
 
 
@@ -0,0 +1,3 @@
+# CBR Rule Module
+
+Creates a rule for Context Based Restrictions
@@ -0,0 +1,66 @@
+##############################################################################
+# Context Based Restrictions module
+#
+# Creates CBR Rule
+##############################################################################
+
+locals {
+  operations = var.operations == null && length(var.operations) == 0 ? null : var.operations
+  resources  = var.resources == null && length(var.resources) == 0 ? null : var.resources
+  contexts   = var.rule_contexts == null && length(var.rule_contexts) == 0 ? null : var.rule_contexts
+}
+
+resource "ibm_cbr_rule" "cbr_rule" {
+  description      = var.rule_description
+  enforcement_mode = var.enforcement_mode
+
+  dynamic "contexts" {
+    for_each = local.contexts
+    content {
+      dynamic "attributes" {
+        for_each = local.contexts[0].attributes == null ? [] : local.contexts[0].attributes
+        iterator = attribute
+        content {
+          name  = attribute.value.name
+          value = attribute.value.value
+        }
+      }
+    }
+  }
+
+  dynamic "resources" {
+    for_each = local.resources
+    content {
+      dynamic "attributes" {
+        for_each = local.resources[0].attributes == null ? [] : local.resources[0].attributes
+        iterator = attribute
+        content {
+          name     = attribute.value.name
+          value    = attribute.value.value
+          operator = attribute.value.operator
+        }
+      }
+      dynamic "tags" {
+        for_each = local.resources[0].tags == null ? [] : local.resources[0].tags
+        iterator = tag
+        content {
+          name  = tag.value.name
+          value = tag.value.value
+        }
+      }
+    }
+  }
+
+  dynamic "operations" {
+    for_each = local.operations
+    content {
+      dynamic "api_types" {
+        for_each = var.operations[0].api_types == null ? null : var.operations[0].api_types
+        iterator = apitype
+        content {
+          api_type_id = apitype.value["api_type_id"]
+        }
+      }
+    }
+  }
+}
@@ -0,0 +1,18 @@
+##############################################################################
+# Outputs
+##############################################################################
+
+output "rule_id" {
+  value       = join("", ibm_cbr_rule.cbr_rule[*].id)
+  description = "CBR rule resource instance id"
+}
+
+output "rule_crn" {
+  value       = join("", ibm_cbr_rule.cbr_rule[*].crn)
+  description = "CBR rule resource instance crn"
+}
+
+output "rule_href" {
+  value       = join("", ibm_cbr_rule.cbr_rule[*].href)
+  description = "CBR rule resource href"
+}
@@ -0,0 +1,87 @@
+##############################################################################
+# Rule Related Input Variables
+##############################################################################
+
+variable "rule_description" {
+  type        = string
+  description = "(Optional, String) The description of the rule"
+  default     = null
+  validation {
+    condition = anytrue([
+      var.rule_description == null,
+      alltrue([
+        can(length(var.rule_description) >= 0),
+        can(length(var.rule_description) <= 300),
+        can(regex("^[\\x20-\\xFE]+$", var.rule_description))
+      ])
+    ])
+    error_message = "Value should be a valid rule description with 1-300 characters"
+  }
+
+}
+
+variable "rule_contexts" {
+  type = list(object({
+    attributes = optional(list(object({
+      name  = string
+      value = string
+    })))
+  }))
+  description = "(List) The contexts the rule applies to"
+  default     = []
+  validation {
+    condition = anytrue(
+      flatten(
+        [for rule_context in var.rule_contexts :
+          [for attribute in rule_context.attributes : alltrue([
+            length(attribute.name) >= 2,
+            length(attribute.name) <= 128,
+            can(regex("^[a-zA-Z0-9]+$", attribute.name))
+          ])]
+        ]
+      )
+    )
+    error_message = "Value should be a valid rule context name"
+  }
+}
+
+variable "enforcement_mode" {
+  type        = string
+  description = "(String) The rule enforcement mode"
+  default     = "report" # As part of the best practices, mode should be in report only mode for 30 days before the rules is enabled.
+  validation {
+    condition = anytrue([
+      var.enforcement_mode == "enabled",
+      var.enforcement_mode == "disabled",
+      var.enforcement_mode == "report"
+    ])
+    error_message = "Valid values for enforcement mode can be 'enabled', 'disabled' and 'report'"
+  }
+}
+
+variable "resources" {
+  type = list(object({
+    attributes = optional(list(object({
+      name     = string
+      value    = string
+      operator = optional(string)
+    })))
+    tags = optional(list(object({
+      name     = string
+      value    = string
+      operator = optional(string)
+    })))
+  }))
+  description = "(Optional, List) The resources this rule apply to"
+  default     = []
+
+}
+
+variable "operations" {
+  type = list(object({
+    api_types = list(object({
+      api_type_id = string
+    }))
+  }))
+  description = "(Optional, List) The operations this rule applies to"
+}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# CBR Rule Module`
	`2`	`+`
	`3`	`+Creates a rule for Context Based Restrictions`