feat: added pre-wired rule targetting HPCS in fscloud module (#310)

Co-authored-by: Vincent Burckhardt <[email protected]>

Author: Ak-sky

common-dev-assets

@@ -2,18 +2,16 @@
 
 This example demonstrates how to use the [fscloud profile](../../profiles/fscloud/) module to lay out a complete "secure by default" coarse-grained CBR topology in a given account.
 
-This examples is designed to show case some of the key customization options for the module. In addition to the pre-wired CBR rules documented at [fscloud profile](../../profiles/fscloud/), this examples show how to customize the module to:
-1. Open up network traffic flow from ICD mongodb, ICD Postgresql to the Key Protect private endpoints.
-2. Open up network traffic flow from Schematics to Key Protect public endpoints.
-3. Open up network traffic flow from a block of IPs to the Schematics public endpoint.
-4. Open up network traffic flow from the VPC created in this example to ICD postgresql private endpoints.
+This examples is designed to show case some of the key customization options for the module. In addition to the pre-wired CBR rules documented at [fscloud profile](../../profiles/fscloud/), this example shows how to customize the module to:
+1. Open up network traffic flow from Schematics to Key Protect and HPCS public endpoints. Note that for illustration purpose, this example configures the use of both Key Protect and HPCS through the `kms_service_targeted_by_prewired_rules` variable. In a real-world scenario, only one Key Management Service would be used
+2. Open up network traffic flow from a block of IPs to the Schematics public endpoint.
+3. Open up network traffic flow from the VPC created in this example to ICD postgresql private endpoints.
 
 Context: this examples covers a "pseudo" real-world scenario where:
-1. ICD Mongodb and Postgresql instances are encrypted using keys storage in Key Protect.
-2. Schematics is used to execute terraform that create Key Protect keys and key ring over its public endpoint.
-3. Operators use machines with a set list of public IPs to interact with Schematics.
-4. Applications are running the VPC and need access to PostgreSQL via the private endpoint - eg: a VPE.
-5. Skips creation of zones for these two service references ["user-management", "iam-groups"].
+1. Schematics is used to execute terraform that create Key Protect, and HPCS keys and key ring over its public endpoint.
+2. Operators use machines with a set list of public IPs to interact with Schematics.
+3. Applications are running the VPC and need access to PostgreSQL via the private endpoint - eg: a VPE.
+4. Skips creation of zones for these two service references ["user-management", "iam-groups"].
 
 ## Note
 - The services 'compliance', 'directlink', 'iam-groups', 'containers-kubernetes', 'user-management' do not support restriction per location for zone creation.

examples/fscloud/README.md

@@ -59,25 +59,19 @@ resource "ibm_is_subnet" "testacc_subnet" {
 ##############################################################################
 
 module "cbr_account_level" {
-  source                           = "../../modules/fscloud"
-  prefix                           = var.prefix
-  zone_vpc_crn_list                = [ibm_is_vpc.example_vpc.crn]
-  allow_cos_to_kms                 = var.allow_cos_to_kms
-  allow_block_storage_to_kms       = var.allow_block_storage_to_kms
-  allow_roks_to_kms                = var.allow_roks_to_kms
-  allow_icd_to_kms                 = var.allow_icd_to_kms
-  allow_vpcs_to_container_registry = var.allow_vpcs_to_container_registry
-  allow_vpcs_to_cos                = var.allow_vpcs_to_cos
-  allow_at_to_cos                  = var.allow_at_to_cos
-  allow_iks_to_is                  = var.allow_iks_to_is
-  allow_is_to_cos                  = var.allow_is_to_cos
+  source            = "../../modules/fscloud"
+  prefix            = var.prefix
+  zone_vpc_crn_list = [ibm_is_vpc.example_vpc.crn]
+  # Demonstrates how to target either key-protect, hpcs, or both. Both in this fictional example.
+  kms_service_targeted_by_prewired_rules = ["key-protect", "hs-crypto"]
 
   # Demonstrates how zone creation will be skipped for these two service references ["user-management", "iam-groups"]
   skip_specific_services_for_zone_creation = ["user-management", "iam-groups"]
 
   ## Enable enforcement for key protect as an example
   ## The other services not referenced here, are either report, or disabled (when not support report)
   target_service_details = {
+    # Using 'kms' for Key Protect value as target service name supported by CBR for Key Protect is 'kms'.
     "kms" = {
       "enforcement_mode" = "enabled"
       "instance_id"      = module.key_protect_module.key_protect_guid
@@ -86,23 +80,21 @@ module "cbr_account_level" {
 
   # Demonstrates how additional context to the rules created by this module can be added.
   # This example open up:
-  #   1. Flows from icd mongodb, postgresql to kms on private endpoint
-  #   2. Flow from schematics on public kms endpoint
-  #   3. Add a block of ips to schematics public endpoint
-  #   4. Flow from vpc(s) specified in input zone_vpc_crn_list to postgresql private endpoint
-  custom_rule_contexts_by_service = {
-    "kms" = [{
-      endpointType      = "private"
-      service_ref_names = ["databases-for-mongodb", "databases-for-postgresql"]
-      },
+  #   1. Flow from schematics to KMS on public HPCS endpoint
+  #   2. Add a block of ips to schematics public endpoint
+  #   3. Flow from vpc(s) specified in input zone_vpc_crn_list to PostgreSQL private endpoint
+  #   4. Add a block of ips to Key Protect public endpoint
+
+  custom_rule_contexts_by_service = merge({
+    "kms" = [
       {
         endpointType      = "public"
         service_ref_names = ["schematics"]
       },
       {
         endpointType = "public"
       zone_ids = [module.cbr_zone_operator_ips.zone_id] }
-    ],
+    ] }, {
     "schematics" = [{
       endpointType = "public"
       zone_ids     = [module.cbr_zone_operator_ips.zone_id]
@@ -112,7 +104,13 @@ module "cbr_account_level" {
       ## Give access to the zone containing the VPC passed in zone_vpc_crn_list input
       add_managed_vpc_zone = true
     }]
-  }
+    }, {
+    # Using 'kms' for Key Protect value as target service name supported by CBR for Key Protect is 'kms'.
+    "kms" = [
+      {
+        endpointType = "public"
+      zone_ids = [module.cbr_zone_operator_ips.zone_id] }
+  ] })
 }
 
 ## Example of zone using ip addresses, and reference in one of the zone created by the cbr_account_level above.

examples/fscloud/main.tf

@@ -27,57 +27,3 @@ variable "resource_tags" {
   description = "Optional list of tags to be added to created resources"
   default     = []
 }
-
-variable "allow_cos_to_kms" {
-  type        = bool
-  description = "Set rule for COS to KMS, default is true"
-  default     = true
-}
-
-variable "allow_block_storage_to_kms" {
-  type        = bool
-  description = "Set rule for block storage to KMS, default is true"
-  default     = true
-}
-
-variable "allow_roks_to_kms" {
-  type        = bool
-  description = "Set rule for ROKS to KMS, default is true"
-  default     = true
-}
-
-variable "allow_icd_to_kms" {
-  type        = bool
-  description = "Set rule for ICD to KMS, deafult is true"
-  default     = true
-}
-
-variable "allow_vpcs_to_container_registry" {
-  type        = bool
-  description = "Set rule for VPCs to container registry, default is true"
-  default     = true
-}
-
-variable "allow_vpcs_to_cos" {
-  type        = bool
-  description = "Set rule for VPCs to COS, default is true"
-  default     = true
-}
-
-variable "allow_at_to_cos" {
-  type        = bool
-  description = "Set rule for Activity Tracker to COS, default is true"
-  default     = true
-}
-
-variable "allow_iks_to_is" {
-  type        = bool
-  description = "Set rule for IKS to IS (VPC Infrastructure Services), default is true"
-  default     = true
-}
-
-variable "allow_is_to_cos" {
-  type        = bool
-  description = "Set rule for IS (VPC Infrastructure Services) to COS, default is true"
-  default     = true
-}

examples/fscloud/variables.tf

@@ -4,13 +4,16 @@ This module creates default coarse-grained CBR rules in a given account followin
 - COS -> KMS
 - Block storage -> KMS
 - ROKS -> KMS
+- All ICD services -> KMS
 - Activity Tracker route -> COS
 - VPCs where clusters are deployed -> COS
 - IS (VPC Infrastructure Services) -> COS
 - VPCs -> container registry
-- All ICD -> KMS
+- All ICD -> HPCS
 - IKS -> IS (VPC Infrastructure Services)
 
+**Note on KMS**: the module supports setting up rules for Key Protect, and Hyper Protect Crypto Services. By default the modules set rules for Hyper Protect Crypto Services, but this can be modified to use Key Protect, Hyper Protect, or both Key Protect and Hyper Protect Crypto Services using the input variable `kms_service_targeted_by_prewired_rules`.
+
 This module is designed to allow the consumer to add additional custom rules to open up additional flows necessarity for their usage. See the `custom_rule_contexts_by_service` input variable, and an [usage example](../../examples/fscloud/) demonstrating how to open up more flows.
 
 The module also pre-create CBR zone for each service in the account as a best practice. CBR rules associated with these CBR zone can be set by using the `custom_rule_contexts_by_service` variable.
@@ -95,6 +98,7 @@ module "cbr_fscloud" {
 | <a name="input_custom_rule_contexts_by_service"></a> [custom\_rule\_contexts\_by\_service](#input\_custom\_rule\_contexts\_by\_service) | Any additional context to add to the CBR rules created by this module. The context are added to the CBR rule targetting the service passed as a key. The module looks up the zone id when service\_ref\_names or add\_managed\_vpc\_zone are passed in. | <pre>map(list(object(<br>    {<br>      endpointType = string # "private, public or direct"<br><br>      # Service-name (module lookup for existing network zone) and/or CBR zone id<br>      service_ref_names    = optional(list(string), [])<br>      add_managed_vpc_zone = optional(bool, false)<br>      zone_ids             = optional(list(string), [])<br>  })))</pre> | `{}` | no |
 | <a name="input_existing_cbr_zone_vpcs"></a> [existing\_cbr\_zone\_vpcs](#input\_existing\_cbr\_zone\_vpcs) | Provide a existing zone id for VPC | <pre>object(<br>    {<br>      zone_id = string<br>  })</pre> | `null` | no |
 | <a name="input_existing_serviceref_zone"></a> [existing\_serviceref\_zone](#input\_existing\_serviceref\_zone) | Provide a valid service reference and existing zone id | <pre>map(object(<br>    {<br>      zone_id = string<br>  }))</pre> | `{}` | no |
+| <a name="input_kms_service_targeted_by_prewired_rules"></a> [kms\_service\_targeted\_by\_prewired\_rules](#input\_kms\_service\_targeted\_by\_prewired\_rules) | IBM Cloud offers two distinct Key Management Services (KMS): Key Protect and Hyper Protect Crypto Services (HPCS). This variable determines the specific KMS service to which the pre-configured rules will be applied. Use the value 'key-protect' to specify the Key Protect service, and 'hs-crypto' for the Hyper Protect Crypto Services (HPCS). | `list(string)` | <pre>[<br>  "hs-crypto"<br>]</pre> | no |
 | <a name="input_location"></a> [location](#input\_location) | The region in which the network zone is scoped | `string` | `null` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | Prefix to append to all vpc\_zone\_list, service\_ref\_zone\_list and cbr\_rule\_description created by this submodule | `string` | n/a | yes |
 | <a name="input_skip_specific_services_for_zone_creation"></a> [skip\_specific\_services\_for\_zone\_creation](#input\_skip\_specific\_services\_for\_zone\_creation) | Provide a list of service references for which zone creation is not required | `list(string)` | `[]` | no |

modules/fscloud/README.md

@@ -63,6 +63,9 @@ locals {
     "kms" : {
       "enforcement_mode" : "report"
     },
+    "hs-crypto" : {
+      "enforcement_mode" : "report"
+    },
     "containers-kubernetes" : {
       "enforcement_mode" : "disabled"
     },
@@ -183,6 +186,10 @@ module "cbr_zone_vpcs" {
 ##############################################################################
 
 locals {
+  kms_values = [
+    for kms_val in var.kms_service_targeted_by_prewired_rules :
+    kms_val == "key-protect" ? "kms" : kms_val # It maps 'key-protect' input to 'kms' because target service name supported by CBR for Key Protect is 'kms'.
+  ]
   ## define FsCloud pre-wired CBR rule context - contains the known default flow that must be open for fscloud ref architecture
   cos_cbr_zone_id = local.cbr_zones["cloud-object-storage"].zone_id
   # tflint-ignore: terraform_naming_convention
@@ -210,9 +217,9 @@ locals {
   # tflint-ignore: terraform_naming_convention
   is_cbr_zone_id = local.cbr_zones["is"].zone_id
 
-  prewired_rule_contexts_by_service = {
-    # COS -> KMS, Block storage -> KMS, ROKS -> KMS, ICD -> KMS
-    "kms" : [{
+  prewired_rule_contexts_by_service = merge({
+    # COS -> HPCS, Block storage -> HPCS, ROKS -> HPCS, ICD -> HPCS
+    for key in local.kms_values : key => [{
       endpointType : "private",
       networkZoneIds : flatten([
         var.allow_cos_to_kms ? [local.cos_cbr_zone_id] : [],
@@ -227,7 +234,7 @@ locals {
           local.databases-for-postgresql_cbr_zone_id,
         local.databases-for-redis_cbr_zone_id] : []
       ])
-    }],
+    }] }, {
     # Fs VPCs -> COS, AT -> COS, IS (VPC Infrastructure Services) -> COS
     "cloud-object-storage" : [{
       endpointType : "direct",
@@ -236,22 +243,22 @@ locals {
         var.allow_at_to_cos ? [local.logdnaat_cbr_zone_id] : [],
         var.allow_is_to_cos ? [local.is_cbr_zone_id] : []
       ])
-    }],
+    }] }, {
     # VPCs -> container registry
     "container-registry" : [{
       endpointType : "private",
       networkZoneIds : flatten([
         var.allow_vpcs_to_container_registry ? [local.cbr_zone_vpcs.zone_id] : []
       ])
-    }],
+    }] }, {
     # IKS -> IS (VPC Infrastructure Services)
     "is" : [{
       endpointType : "private",
       networkZoneIds : flatten([
         var.allow_iks_to_is ? [local.containers-kubernetes_cbr_zone_id] : []
       ])
     }],
-  }
+  })
 
   prewired_rule_contexts_by_service_check = { for key, value in local.prewired_rule_contexts_by_service :
     key => [

modules/fscloud/main.tf

@@ -149,7 +149,7 @@ variable "target_service_details" {
         "databases-for-mysql", "databases-for-postgresql", "databases-for-redis",
         "directlink", "dns-svcs", "messagehub", "kms", "containers-kubernetes",
         "messages-for-rabbitmq", "secrets-manager", "transit", "is",
-      "schematics", "apprapp", "event-notifications", "compliance"], target_service_name)
+      "schematics", "apprapp", "event-notifications", "compliance", "hs-crypto"], target_service_name)
     ])
     error_message = "Provide a valid target service name that is supported by context-based restrictions"
   }
@@ -229,3 +229,15 @@ variable "location" {
   description = "The region in which the network zone is scoped"
   default     = null
 }
+
+variable "kms_service_targeted_by_prewired_rules" {
+  type        = list(string)
+  description = "IBM Cloud offers two distinct Key Management Services (KMS): Key Protect and Hyper Protect Crypto Services (HPCS). This variable determines the specific KMS service to which the pre-configured rules will be applied. Use the value 'key-protect' to specify the Key Protect service, and 'hs-crypto' for the Hyper Protect Crypto Services (HPCS)."
+  default     = ["hs-crypto"]
+  validation {
+    condition = alltrue([
+      for key_protect_val in var.kms_service_targeted_by_prewired_rules : can(regex("^(key-protect|hs-crypto)$", key_protect_val))
+    ])
+    error_message = "Valid values for kms are 'key-protect' for Key Protect and 'hs-crypto' for HPCS"
+  }
+}