
Commit 4060786

feat: updated the target_service_details input in the fscloud submodule to support setting the geography option.
**NOTE:** `region` and `geography` cannot both be set for the container registry service. (#519)
1 parent d244b0a commit 4060786


6 files changed

+30
-7
lines changed


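--- a/examples/fscloud/README.md
+++ b/examples/fscloud/README.md
@@ -7,9 +7,10 @@ This examples is designed to show case some of the key customization options for
 2. Open up network traffic flow from Schematics to Key Protect private endpoints.
 3. Open up network traffic flow from a block of IPs to the Schematics public endpoint.
 4. Open up network traffic flow from the VPC created in this example to ICD postgresql private endpoints.
-5. Customize the rule description for `kms` and the zone name for `codeengine` and `cloud-object-storage`.
-6. Add optional locations to open traffic only from `au` and `tok` locations for the `codeengine` network zone and leave the flow closed in other locations.
-7. Add optional location to open traffic only from `fr` location for `server-protect` network zone and leave the flow closed in other locations.
+5. Customize the rules for `kms`, `cloud-object-storage`, `databases-for-postgresql`, `messagehub`, `IAM` and `container-registry`.
+6. Customize the zone name for `codeengine` and `cloud-object-storage`.
+7. Add optional locations to open traffic only from `au` and `tok` locations for the `codeengine` network zone and leave the flow closed in other locations.
+8. Add optional location to open traffic only from `eu` location for `server-protect` network zone and leave the flow closed in other locations.
 
 Context: this examples covers a "pseudo" real-world scenario where:
 1. ICD Mongodb and Postgresql instances are encrypted using keys storage in Key Protect.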

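--- a/examples/fscloud/main.tf
+++ b/examples/fscloud/main.tf
@@ -100,19 +100,23 @@ module "cbr_account_level" {
 "enforcement_mode" = "report"
 "global_deny" = false
 }
+"container-registry" : {
+"enforcement_mode" : "enabled"
+"geography" : "global"
+}
 }
 
 # Demonstrates how a customized name and an optional location can be set for the CBR serviceRef zones
 zone_service_ref_list = {
 codeengine = {
-zone_name = "codeengine-zone-example-of-customized-zone-name"
+zone_name = "${var.prefix}-codeengine-zone-example-of-customized-zone-name"
 serviceRef_location = ["au", "tok"]
 },
 server-protect = {
 serviceRef_location = ["eu"]
 },
 cloud-object-storage = {
-zone_name = "COS-zone-example-of-customized-zone-name"
+zone_name = "${var.prefix}-COS-zone-example-of-customized-zone-name"
 }
 }
 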
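Review bot: The new `container-registry` entry is written with the JSON-style `"key" : value` attribute syntax, while the sibling entries in the same map (the `"enforcement_mode" = "report"` and `"global_deny" = false` context lines) use `=`; this is a style inconsistency that `terraform fmt` will not normalize for you. Write it as `"container-registry" = {`, `"enforcement_mode" = "enabled"`, `"geography" = "global"` so the map reads uniformly. Note that the example also leaves `global_deny` unset for this entry, so it takes the module default of `true` (per the `global_deny = optional(bool, true)` type shown in the module README), which is stricter than the `"global_deny" = false` entry just above it and worth a one-line comment if intentional. The enclosing `module "cbr_account_level"` block starts before the hunk.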

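--- a/examples/fscloud/variables.tf
+++ b/examples/fscloud/variables.tf
@@ -6,7 +6,7 @@ variable "ibmcloud_api_key" {
 
 variable "prefix" {
 type = string
-description = "Prefix to append to all vpc_zone_list, service_ref_zone_list and cbr_rule_description created by this submodule"
+description = "Prefix to append to all vpc_zone_list, zone_service_ref_list and cbr_rule_description created by this submodule"
 }
 
 variable "region" {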
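Review bot: The description is corrected to `zone_service_ref_list` here, but the identical description for the `prefix` input of modules/fscloud is not touched by this commit and still reads `service_ref_zone_list` (it is visible as a context row in the regenerated modules/fscloud/README.md table), so the example and the submodule now disagree. Apply the same one-word fix to `variable "prefix"` in modules/fscloud/variables.tf and regenerate the README so the two stay in sync. `variable "prefix"` is complete within the hunk.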

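--- a/modules/fscloud/README.md
+++ b/modules/fscloud/README.md
@@ -128,7 +128,7 @@ module "cbr_fscloud" {
 | <a name="input_kms_service_targeted_by_prewired_rules"></a> [kms\_service\_targeted\_by\_prewired\_rules](#input\_kms\_service\_targeted\_by\_prewired\_rules) | IBM Cloud offers two distinct Key Management Services (KMS): Key Protect and Hyper Protect Crypto Services (HPCS). This variable determines the specific KMS service to which the pre-configured rules will be applied. Use the value 'key-protect' to specify the Key Protect service, and 'hs-crypto' for the Hyper Protect Crypto Services (HPCS). | `list(string)` | <pre>[<br> "hs-crypto"<br>]</pre> | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | Prefix to append to all vpc\_zone\_list, service\_ref\_zone\_list and cbr\_rule\_description created by this submodule | `string` | n/a | yes |
 | <a name="input_skip_specific_services_for_zone_creation"></a> [skip\_specific\_services\_for\_zone\_creation](#input\_skip\_specific\_services\_for\_zone\_creation) | Provide a list of service references for which zone creation is not required | `list(string)` | `[]` | no |
-| <a name="input_target_service_details"></a> [target\_service\_details](#input\_target\_service\_details) | Details of the target service for which a rule is created. The key is the service name. | <pre>map(object({<br> description = optional(string)<br> target_rg = optional(string)<br> instance_id = optional(string)<br> enforcement_mode = string<br> tags = optional(list(string))<br> region = optional(string)<br> global_deny = optional(bool, true)<br> }))</pre> | `{}` | no |
+| <a name="input_target_service_details"></a> [target\_service\_details](#input\_target\_service\_details) | Details of the target service for which a rule is created. The key is the service name. | <pre>map(object({<br> description = optional(string)<br> target_rg = optional(string)<br> instance_id = optional(string)<br> enforcement_mode = string<br> tags = optional(list(string))<br> region = optional(string)<br> geography = optional(string)<br> global_deny = optional(bool, true)<br> }))</pre> | `{}` | no |
 | <a name="input_zone_service_ref_list"></a> [zone\_service\_ref\_list](#input\_zone\_service\_ref\_list) | (Optional) Provide a valid service reference with the customized name of the zone and location where the context-based restriction zones are created. If no value is specified for `serviceRef_location`, the zones are not scoped to any location and if no value is specified for `zone_name` default zone name with the prefix will be created. | <pre>object({<br> cloud-object-storage = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> codeengine = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> containers-kubernetes = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> databases-for-cassandra = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> databases-for-elasticsearch = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> databases-for-enterprisedb = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> databases-for-etcd = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> databases-for-mongodb = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> databases-for-mysql = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> databases-for-postgresql = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> databases-for-redis = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> directlink = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> iam-groups = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> is = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> messagehub = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> messages-for-rabbitmq = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> schematics = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> secrets-manager = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> server-protect = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> user-management = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> apprapp = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> compliance = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> event-notifications = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> logdna = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> logdnaat = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> cloudantnosqldb = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> globalcatalog-collection = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> sysdig-monitor = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> sysdig-secure = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> toolchain = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> })</pre> | `{}` | no |
 | <a name="input_zone_vpc_crn_list"></a> [zone\_vpc\_crn\_list](#input\_zone\_vpc\_crn\_list) | (List) VPC CRN for the zones | `list(string)` | `[]` | no |
 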

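--- a/modules/fscloud/main.tf
+++ b/modules/fscloud/main.tf
@@ -404,6 +404,11 @@ locals {
 name = "region",
 operator = "stringEquals",
 value = value.region
+} : {},
+try(value.geography, null) != null ? {
+name = "geography",
+operator = "stringEquals",
+value = value.geography
 } : {}
 ] }
 }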

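--- a/modules/fscloud/variables.tf
+++ b/modules/fscloud/variables.tf
@@ -285,16 +285,29 @@ variable "target_service_details" {
 enforcement_mode = string
 tags = optional(list(string))
 region = optional(string)
+geography = optional(string)
 global_deny = optional(bool, true)
 }))
 description = "Details of the target service for which a rule is created. The key is the service name."
+
 validation {
 condition = alltrue([
 for target_service_name, _ in var.target_service_details :
 contains(["IAM", "apprapp", "cloud-object-storage", "codeengine", "compliance", "container-registry", "containers-kubernetes", "containers-kubernetes-cluster", "containers-kubernetes-management", "context-based-restrictions", "databases-for-cassandra", "databases-for-elasticsearch", "databases-for-enterprisedb", "databases-for-etcd", "databases-for-mongodb", "databases-for-mysql", "databases-for-postgresql", "databases-for-redis", "directlink", "dns-svcs", "event-notifications", "globalcatalog-collection", "hs-crypto", "iam-access-management", "iam-groups", "iam-identity", "is", "kms", "logdna", "logdnaat", "messagehub", "messages-for-rabbitmq", "mqcloud", "schematics", "secrets-manager", "sysdig-monitor", "sysdig-secure", "transit", "user-management"], target_service_name)
 ])
 error_message = "Provide a valid target service name that is supported by context-based restrictions"
 }
+validation {
+condition = alltrue([
+for target_service_name, attributes in var.target_service_details : (
+target_service_name != "container-registry" || (
+contains(["container-registry"], target_service_name) &&
+!(attributes.region != null && attributes.geography != null)
+)
+)
+])
+error_message = "Both `region` and `geography` cannot be set simultaneously for the container registry service."
+}
 validation {
 condition = alltrue([
 for target_service_name, attributes in var.target_service_details :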
