feat: added way to skip zone creation (#273)

Ak-sky · web-flow · commit 89ea8244114e · 2023-08-16T18:42:38.000+01:00
diff --git a/examples/fscloud/README.md b/examples/fscloud/README.md
@@ -10,6 +10,7 @@ This examples is designed to show case some of the key customization options for
 
 Context: this examples covers a "pseudo" real-world scenario where:
 1. ICD Mongodb, and Postgresql instances are encrypted using keys storage in Key Protect.
-2. Schematics is used to execute terraform that create Key Protect keys and key ring over its public endpoint
-3. Operators used machines with a set list of public IPs to interact with Schematics
+2. Schematics is used to execute terraform that create Key Protect keys and key ring over its public endpoint.
+3. Operators use machines with a set list of public IPs to interact with Schematics.
 4. Applications are running the VPC and need access to PostgreSQL via the private endpoint - eg: a VPE.
+5. Skips creation of zones for these two service references ["user-management", "iam-groups"].
diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf
@@ -55,6 +55,9 @@ module "cbr_account_level" {
   allow_vpcs_to_container_registry = var.allow_vpcs_to_container_registry
   allow_vpcs_to_cos                = var.allow_vpcs_to_cos
 
+  # Demonstrates how zone creation will be skipped for these two service references ["user-management", "iam-groups"]
+  skip_specific_services_for_zone_creation = ["user-management", "iam-groups"]
+
   ## Enable enforcement for key protect as an example
   ## The other services not referenced here, are either report, or disabled (when not support report)
   target_service_details = {
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
@@ -51,6 +51,7 @@ Important: In order to avoid unexpected breakage in the account against which th
 | <a name="input_existing_cbr_zone_vpcs"></a> [existing\_cbr\_zone\_vpcs](#input\_existing\_cbr\_zone\_vpcs) | Provide a existing zone id for VPC | <pre>object(<br>    {<br>      zone_id = string<br>  })</pre> | `null` | no |
 | <a name="input_existing_serviceref_zone"></a> [existing\_serviceref\_zone](#input\_existing\_serviceref\_zone) | Provide a valid service reference and existing zone id | <pre>map(object(<br>    {<br>      zone_id = string<br>  }))</pre> | `{}` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | Prefix to append to all vpc\_zone\_list, service\_ref\_zone\_list and cbr\_rule\_description created by this submodule | `string` | n/a | yes |
+| <a name="input_skip_specific_services_for_zone_creation"></a> [skip\_specific\_services\_for\_zone\_creation](#input\_skip\_specific\_services\_for\_zone\_creation) | Provide a list of service references for which zone creation is not required | `list(string)` | `[]` | no |
 | <a name="input_target_service_details"></a> [target\_service\_details](#input\_target\_service\_details) | Details of the target service for which a rule is created. The key is the service name. | <pre>map(object({<br>    target_rg        = optional(string)<br>    enforcement_mode = string<br>    tags             = optional(list(string))<br>  }))</pre> | `{}` | no |
 | <a name="input_zone_service_ref_list"></a> [zone\_service\_ref\_list](#input\_zone\_service\_ref\_list) | (List) Service reference for the zone creation | `list(string)` | <pre>[<br>  "cloud-object-storage",<br>  "codeengine",<br>  "containers-kubernetes",<br>  "databases-for-cassandra",<br>  "databases-for-elasticsearch",<br>  "databases-for-enterprisedb",<br>  "databases-for-etcd",<br>  "databases-for-mongodb",<br>  "databases-for-mysql",<br>  "databases-for-postgresql",<br>  "databases-for-redis",<br>  "directlink",<br>  "iam-groups",<br>  "is",<br>  "messagehub",<br>  "messages-for-rabbitmq",<br>  "schematics",<br>  "secrets-manager",<br>  "server-protect",<br>  "user-management",<br>  "apprapp",<br>  "compliance",<br>  "event-notifications"<br>]</pre> | no |
 | <a name="input_zone_vpc_crn_list"></a> [zone\_vpc\_crn\_list](#input\_zone\_vpc\_crn\_list) | (List) VPC CRN for the zones | `list(string)` | n/a | yes |
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
@@ -94,15 +94,19 @@ locals {
   }
 
   target_service_details = merge(local.target_service_details_default, var.target_service_details)
+
+  zone_final_service_ref_list = [
+    for service in var.zone_service_ref_list : service if !contains(var.skip_specific_services_for_zone_creation, service)
+  ]
 }
 
 ###############################################################################
 # Pre-create coarse grained CBR zones for each service
 ###############################################################################
 
 locals {
-  service_ref_zone_list = (length(var.zone_service_ref_list) > 0) ? [
-    for serviceref in var.zone_service_ref_list : {
+  service_ref_zone_list = (length(local.zone_final_service_ref_list) > 0) ? [
+    for serviceref in local.zone_final_service_ref_list : {
       name             = "${var.prefix}-${serviceref}-service-zone"
       account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
       zone_description = "Single zone for service ${serviceref}."
@@ -118,7 +122,7 @@ locals {
       ]
   }] : []
 
-  service_ref_zone_map_pre_check = zipmap(var.zone_service_ref_list, local.service_ref_zone_list)
+  service_ref_zone_map_pre_check = zipmap(local.zone_final_service_ref_list, local.service_ref_zone_list)
 
   service_ref_zone_map_check = merge(local.service_ref_zone_map_pre_check, var.existing_serviceref_zone)
 
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
@@ -155,3 +155,24 @@ variable "existing_cbr_zone_vpcs" {
   description = "Provide a existing zone id for VPC"
   default     = null
 }
+
+variable "skip_specific_services_for_zone_creation" {
+  type = list(string)
+  validation {
+    condition = alltrue([
+      for service_ref in var.skip_specific_services_for_zone_creation :
+      contains(["cloud-object-storage", "codeengine", "containers-kubernetes",
+        "databases-for-cassandra", "databases-for-elasticsearch", "databases-for-enterprisedb",
+        "databases-for-etcd", "databases-for-mongodb",
+        "databases-for-mysql", "databases-for-postgresql",
+        "databases-for-redis", "directlink",
+        "iam-groups", "is", "messagehub",
+        "messages-for-rabbitmq", "schematics", "secrets-manager", "server-protect", "user-management",
+        "apprapp", "compliance", "event-notifications"],
+      service_ref)
+    ])
+    error_message = "Provide a valid service reference for zone creation"
+  }
+  description = "Provide a list of service references for which zone creation is not required"
+  default     = []
+}
