doc: expand documentation around the cbr-service-profile (#268)

Author: Ak-sky

README.md

@@ -13,6 +13,24 @@ This module can be used to provision and configure [Context Based Restrictions](
 
 See in particular the [fscloud profile](./profiles/fscloud/) module that enables creating an opiniated account-level coarse-grained set of CBR rules and zones aligned with the "secure by default" principles.
 
+<!-- BEGIN OVERVIEW HOOK -->
+## Overview
+* [terraform-ibm-cbr](#terraform-ibm-cbr)
+* [Submodules](./modules)
+    * [cbr-rule-module](./modules/cbr-rule-module)
+    * [cbr-service-profile](./modules/cbr-service-profile)
+    * [cbr-zone-module](./modules/cbr-zone-module)
+    * [fscloud](./modules/fscloud)
+* [Examples](./examples)
+    * [CBR multi service profile](./examples/multi-service-profile)
+    * [Multi-zone example](./examples/multizone-rule)
+    * [Pre-wired CBR configuration for FS Cloud example](./examples/fscloud)
+    * [Zone example](./examples/zone)
+* [Contributing](#contributing)
+
+## terraform-ibm-cbr
+<!-- END OVERVIEW HOOK -->
+
 ## Usage
 
 ```hcl
@@ -58,10 +76,11 @@ You need the following permissions to run this module.
 ## Examples
 
 - [ Pre-wired CBR configuration for FS Cloud example](examples/fscloud)
-- [ CBR Multi Service Profile](examples/multi-service-profile)
+- [ CBR multi service profile](examples/multi-service-profile)
 - [ Multi-zone example](examples/multizone-rule)
 - [ Zone example](examples/zone)
 <!-- END EXAMPLES HOOK -->
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ### Requirements
 
@@ -74,8 +93,8 @@ You need the following permissions to run this module.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_cbr_rule"></a> [cbr\_rule](#module\_cbr\_rule) | ./cbr-rule-module | n/a |
-| <a name="module_cbr_zone"></a> [cbr\_zone](#module\_cbr\_zone) | ./cbr-zone-module | n/a |
+| <a name="module_cbr_rule"></a> [cbr\_rule](#module\_cbr\_rule) | ./modules/cbr-rule-module | n/a |
+| <a name="module_cbr_zone"></a> [cbr\_zone](#module\_cbr\_zone) | ./modules/cbr-zone-module | n/a |
 
 ### Resources
 

cbr-service-profile/README.md

@@ -1,47 +1,47 @@
-# CBR Rule Profile
-
-Accepts a list of VPC crns / service references to create CBR zones and a list of target services, to create the rule matching these profiles.  It supports to target the service using name, account id, tags, resource group.
+# CBR service module
+
+This module creates a list of CBR zones and rules. Accepts a list of VPC CRNs / service references to create CBR zones and a list of target services to create the rule matching these profiles. It supports to target the service using name, account id, tags, resource group.
+## Usage
+
+```hcl
+locals {
+  zone_vpc_crn_list = [ibm_is_vpc.example_vpc.crn]
+  enforcement_mode  = "report"
+  # Merge zone ids to pass as contexts to the rule
+  target_services_details = [
+    {
+      target_service_name = "kms",
+      target_rg           = module.resource_group.resource_group_id
+      enforcement_mode    = local.enforcement_mode
+    }
+  ]
+}
+module "cbr_rule_multi_service_profile" {
+  source                 = "../../cbr-service-profile"
+  zone_service_ref_list  = ["cloud-object-storage", "containers-kubernetes", "server-protect"]
+  zone_vpc_crn_list      = local.zone_vpc_crn_list
+  target_service_details = local.target_services_details
+}
+```
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ### Requirements
 
-| Name | Version |
-|------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
-| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.49.0 |
+No requirements.
 
 ### Modules
 
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_cbr_rule"></a> [cbr\_rule](#module\_cbr\_rule) | ../cbr-rule-module | n/a |
-| <a name="module_cbr_zone"></a> [cbr\_zone](#module\_cbr\_zone) | ../cbr-zone-module | n/a |
+No modules.
 
 ### Resources
 
-| Name | Type |
-|------|------|
-| [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source |
+No resources.
 
 ### Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | List specific endpoint types for target services, valid values for endpoints are 'public', 'private' or 'direct' | `list(string)` | <pre>[<br>  "private"<br>]</pre> | no |
-| <a name="input_location"></a> [location](#input\_location) | The region in which the network zone is scoped | `string` | `"us-south"` | no |
-| <a name="input_prefix"></a> [prefix](#input\_prefix) | Prefix to append to all vpc\_zone\_list, service\_ref\_zone\_list and cbr\_rule\_description created by this submodule | `string` | `"serviceprofile"` | no |
-| <a name="input_target_service_details"></a> [target\_service\_details](#input\_target\_service\_details) | (String) Details of the target service for which the rule has to be created | <pre>list(object({<br>    target_service_name = string<br>    target_rg           = optional(string)<br>    enforcement_mode    = string<br>    tags                = optional(list(string))<br>  }))</pre> | n/a | yes |
-| <a name="input_zone_service_ref_list"></a> [zone\_service\_ref\_list](#input\_zone\_service\_ref\_list) | (List) Service reference for the zone creation | `list(string)` | `[]` | no |
-| <a name="input_zone_vpc_crn_list"></a> [zone\_vpc\_crn\_list](#input\_zone\_vpc\_crn\_list) | (List) VPC CRN for the zones | `list(string)` | `[]` | no |
+No inputs.
 
 ### Outputs
 
-| Name | Description |
-|------|-------------|
-| <a name="output_rule_crns"></a> [rule\_crns](#output\_rule\_crns) | CBR rule crn(s) |
-| <a name="output_rule_hrefs"></a> [rule\_hrefs](#output\_rule\_hrefs) | CBR rule href(s) |
-| <a name="output_rule_ids"></a> [rule\_ids](#output\_rule\_ids) | CBR rule id(s) |
-| <a name="output_zone_crns"></a> [zone\_crns](#output\_zone\_crns) | CBR zone crn(s) |
-| <a name="output_zone_hrefs"></a> [zone\_hrefs](#output\_zone\_hrefs) | CBR zone href(s) |
-| <a name="output_zone_ids"></a> [zone\_ids](#output\_zone\_ids) | CBR zone resource instance id(s) |
+No outputs.
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/fscloud/main.tf

@@ -46,7 +46,7 @@ resource "ibm_is_subnet" "testacc_subnet" {
 ##############################################################################
 
 module "cbr_account_level" {
-  source                           = "../../profiles/fscloud"
+  source                           = "../../modules/fscloud"
   prefix                           = var.prefix
   zone_vpc_crn_list                = [ibm_is_vpc.example_vpc.crn]
   allow_cos_to_kms                 = var.allow_cos_to_kms
@@ -94,7 +94,7 @@ module "cbr_account_level" {
 ## Example of zone using ip addresses, and reference in one of the zone created by the cbr_account_level above.
 ## A zone used to group operator machine ips.
 module "cbr_zone_operator_ips" {
-  source           = "../../cbr-zone-module"
+  source           = "../../modules/cbr-zone-module"
   name             = "List of operator environment public IPs"
   account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
   zone_description = "Zone grouping list of known public ips for operator machines"

examples/multi-service-profile/README.md

@@ -1,4 +1,4 @@
-# CBR Multi Service Profile
+# CBR multi service profile
 
 An end-to-end example that uses the submodule cbr-service-profile. This example uses the IBM Cloud Provider to automate the following infrastructure::
 

examples/multi-service-profile/main.tf

@@ -60,7 +60,7 @@ locals {
 
 module "cbr_rule_multi_service_profile" {
   prefix                 = var.prefix
-  source                 = "../../cbr-service-profile"
+  source                 = "../../modules/cbr-service-profile"
   zone_service_ref_list  = var.zone_service_ref_list
   zone_vpc_crn_list      = local.zone_vpc_crn_list
   target_service_details = local.target_services_details

examples/multizone-rule/main.tf

@@ -65,7 +65,7 @@ locals {
 
 module "cbr_zone" {
   count            = length(local.zone_list)
-  source           = "../../cbr-zone-module"
+  source           = "../../modules/cbr-zone-module"
   name             = local.zone_list[count.index].name
   zone_description = local.zone_list[count.index].zone_description
   account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
@@ -139,7 +139,7 @@ resource "ibm_resource_tag" "attach_tags" {
 }
 
 module "cbr_rule" {
-  source           = "../../cbr-rule-module"
+  source           = "../../modules/cbr-rule-module"
   rule_description = "${var.prefix} ${var.rule_description}"
   enforcement_mode = var.enforcement_mode
   rule_contexts    = local.rule_contexts

examples/zone/main.tf

@@ -60,7 +60,7 @@ locals {
 }
 
 module "ibm_cbr_zone" {
-  source           = "../../cbr-zone-module"
+  source           = "../../modules/cbr-zone-module"
   name             = "${var.prefix}-cbr-zone"
   account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
   zone_description = var.zone_description

main.tf

@@ -11,7 +11,7 @@ data "ibm_iam_account_settings" "iam_account_settings" {
 ##############################################################################
 
 module "cbr_zone" {
-  source             = "./cbr-zone-module"
+  source             = "./modules/cbr-zone-module"
   name               = var.name
   account_id         = data.ibm_iam_account_settings.iam_account_settings.account_id
   zone_description   = var.zone_description
@@ -20,7 +20,7 @@ module "cbr_zone" {
 }
 
 module "cbr_rule" {
-  source           = "./cbr-rule-module"
+  source           = "./modules/cbr-rule-module"
   rule_description = var.rule_description
   enforcement_mode = var.enforcement_mode
   rule_contexts    = var.rule_contexts

module-metadata.json

@@ -213,7 +213,7 @@
   "module_calls": {
     "cbr_rule": {
       "name": "cbr_rule",
-      "source": "./cbr-rule-module",
+      "source": "./modules/cbr-rule-module",
       "attributes": {
         "enforcement_mode": "enforcement_mode",
         "operations": "operations",
@@ -234,7 +234,7 @@
             "name": "ibm"
           },
           "pos": {
-            "filename": "cbr-rule-module/main.tf",
+            "filename": "modules/cbr-rule-module/main.tf",
             "line": 7
           }
         }
@@ -246,7 +246,7 @@
           "description": "CBR rule resource instance crn",
           "value": "ibm_cbr_rule.cbr_rule.crn",
           "pos": {
-            "filename": "cbr-rule-module/outputs.tf",
+            "filename": "modules/cbr-rule-module/outputs.tf",
             "line": 15
           },
           "type": "TypeString",
@@ -257,7 +257,7 @@
           "description": "CBR rule resource instance description",
           "value": "ibm_cbr_rule.cbr_rule.description",
           "pos": {
-            "filename": "cbr-rule-module/outputs.tf",
+            "filename": "modules/cbr-rule-module/outputs.tf",
             "line": 5
           },
           "type": "TypeString"
@@ -267,7 +267,7 @@
           "description": "CBR rule resource href",
           "value": "ibm_cbr_rule.cbr_rule.href",
           "pos": {
-            "filename": "cbr-rule-module/outputs.tf",
+            "filename": "modules/cbr-rule-module/outputs.tf",
             "line": 20
           },
           "type": "TypeString"
@@ -277,7 +277,7 @@
           "description": "CBR rule resource instance id",
           "value": "ibm_cbr_rule.cbr_rule.id",
           "pos": {
-            "filename": "cbr-rule-module/outputs.tf",
+            "filename": "modules/cbr-rule-module/outputs.tf",
             "line": 10
           }
         }
@@ -289,7 +289,7 @@
     },
     "cbr_zone": {
       "name": "cbr_zone",
-      "source": "./cbr-zone-module",
+      "source": "./modules/cbr-zone-module",
       "attributes": {
         "addresses": "addresses",
         "excluded_addresses": "excluded_addresses",
@@ -310,7 +310,7 @@
             "name": "ibm"
           },
           "pos": {
-            "filename": "cbr-zone-module/main.tf",
+            "filename": "modules/cbr-zone-module/main.tf",
             "line": 7
           }
         }
@@ -322,7 +322,7 @@
           "description": "CBR zone resource instance crn",
           "value": "ibm_cbr_zone.cbr_zone.crn",
           "pos": {
-            "filename": "cbr-zone-module/outputs.tf",
+            "filename": "modules/cbr-zone-module/outputs.tf",
             "line": 20
           },
           "type": "TypeString",
@@ -333,7 +333,7 @@
           "description": "(Optional, String) The description of the zone",
           "value": "var.zone_description",
           "pos": {
-            "filename": "cbr-zone-module/outputs.tf",
+            "filename": "modules/cbr-zone-module/outputs.tf",
             "line": 10
           },
           "type": "string"
@@ -343,7 +343,7 @@
           "description": "CBR zone resource instance link",
           "value": "ibm_cbr_zone.cbr_zone.href",
           "pos": {
-            "filename": "cbr-zone-module/outputs.tf",
+            "filename": "modules/cbr-zone-module/outputs.tf",
             "line": 25
           },
           "type": "TypeString"
@@ -353,7 +353,7 @@
           "description": "CBR zone resource instance id",
           "value": "ibm_cbr_zone.cbr_zone.id",
           "pos": {
-            "filename": "cbr-zone-module/outputs.tf",
+            "filename": "modules/cbr-zone-module/outputs.tf",
             "line": 15
           }
         },
@@ -362,7 +362,7 @@
           "description": "CBR zone resource instance name",
           "value": "ibm_cbr_zone.cbr_zone.name",
           "pos": {
-            "filename": "cbr-zone-module/outputs.tf",
+            "filename": "modules/cbr-zone-module/outputs.tf",
             "line": 5
           },
           "type": "TypeString"