feat: CBR service profile submodule to support multiple target services (#59)

Author: jojustin

README.md

@@ -54,6 +54,7 @@ You need the following permissions to run this module.
 <!-- BEGIN EXAMPLES HOOK -->
 ## Examples
 
+- [ CBR Multi Service Profile](examples/multi-service-profile)
 - [ Multi-zone example](examples/multizone-rule)
 - [ Zone example](examples/zone)
 <!-- END EXAMPLES HOOK -->
@@ -87,7 +88,7 @@ You need the following permissions to run this module.
 | <a name="input_excluded_addresses"></a> [excluded\_addresses](#input\_excluded\_addresses) | (Optional, List) The list of excluded addresses in the zone | <pre>list(object({<br>    type  = optional(string)<br>    value = optional(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | (Optional, String) The name of the zone | `string` | `null` | no |
 | <a name="input_operations"></a> [operations](#input\_operations) | (Optional, List) The operations this rule applies to | <pre>list(object({<br>    api_types = list(object({<br>      api_type_id = string<br>    }))<br>  }))</pre> | `[]` | no |
-| <a name="input_resources"></a> [resources](#input\_resources) | (Optional, List) The resources this rule apply to | <pre>list(object({<br>    attributes = list(object({<br>      name     = string<br>      value    = string<br>      operator = optional(string)<br>    }))<br>    tags = optional(list(object({<br>      name     = string<br>      value    = string<br>      operator = optional(string)<br>    })))<br>  }))</pre> | `[]` | no |
+| <a name="input_resources"></a> [resources](#input\_resources) | (Optional, List) The resources this rule apply to | <pre>list(object({<br>    attributes = list(object({<br>      name     = string<br>      value    = string<br>      operator = optional(string)<br>    }))<br>    tags = optional(list(object({ #These access tags should match to the target service access tags for the CBR rules to work<br>      name     = string<br>      value    = string<br>      operator = optional(string)<br>    })))<br>  }))</pre> | `[]` | no |
 | <a name="input_rule_contexts"></a> [rule\_contexts](#input\_rule\_contexts) | (List) The contexts the rule applies to | <pre>list(object({<br>    attributes = list(object({<br>      name  = string<br>      value = string<br>    }))<br>  }))</pre> | <pre>[<br>  {<br>    "attributes": [<br>      {<br>        "name": "va",<br>        "value": "va"<br>      }<br>    ]<br>  }<br>]</pre> | no |
 | <a name="input_rule_description"></a> [rule\_description](#input\_rule\_description) | (Optional, String) The description of the rule | `string` | `null` | no |
 | <a name="input_zone_description"></a> [zone\_description](#input\_zone\_description) | (Optional, String) The description of the zone | `string` | `null` | no |

cbr-rule-module/main.tf

@@ -36,6 +36,8 @@ resource "ibm_cbr_rule" "cbr_rule" {
           operator = attribute.value["operator"]
         }
       }
+      # Access tags for the target resources.  These tags specified in the rule should match to the tags attached to the target service access tags.
+      # These tags should be valid in the account.  Refer https://cloud.ibm.com/docs/account?topic=account-access&interface=ui for more details
       dynamic "tags" {
         for_each = resource.value["tags"] == null ? [] : resource.value["tags"]
         iterator = tag

cbr-service-profile/README.md

@@ -0,0 +1,3 @@
+# CBR Rule Profile
+
+Accepts a list of VPC crns / service references to create CBR zones and a list of target services, to create the rule matching these profiles.  It supports to target the service using name, account id, tags, resource group.

cbr-service-profile/main.tf

@@ -0,0 +1,126 @@
+# ##############################################################################
+# # Get Cloud Account ID
+# ##############################################################################
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+##############################################################################
+#
+# CBR Rule for a list of target services
+##############################################################################
+locals {
+  # tflint-ignore: terraform_unused_declarations
+  validate_zone_inputs = ((length(var.zone_vpc_crn_list) == 0) && (length(var.zone_service_ref_list) == 0)) ? tobool("Error: Provide a valid zone vpc and/or service references") : true
+
+  # Restrict and allow the api types as per the target service
+  icd_api_types = ["crn:v1:bluemix:public:context-based-restrictions::::api-type:data-plane"]
+  operations_apitype_val = {
+    databases-for-enterprisedb  = local.icd_api_types,
+    containers-kubernetes       = ["crn:v1:bluemix:public:containers-kubernetes::::api-type:cluster", "crn:v1:bluemix:public:containers-kubernetes::::api-type:management"],
+    databases-for-cassandra     = local.icd_api_types,
+    databases-for-elasticsearch = local.icd_api_types,
+    databases-for-etcd          = local.icd_api_types,
+    databases-for-mongodb       = local.icd_api_types,
+    databases-for-postgresql    = local.icd_api_types,
+    databases-for-redis         = local.icd_api_types,
+    messages-for-rabbitmq       = local.icd_api_types
+  }
+
+  vpc_zone_list = (length(var.zone_vpc_crn_list) > 0) ? [{
+    name             = "${var.prefix}-cbr-vpc-zone"
+    account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+    zone_description = "cbr-vpc-zone-terraform"
+    addresses = [
+      for zone_vpc_crn in var.zone_vpc_crn_list :
+      { "type" = "vpc", value = zone_vpc_crn }
+    ]
+  }] : []
+
+  service_ref_zone_list = (length(var.zone_service_ref_list) > 0) ? [{
+    name             = "${var.prefix}-cbr-serviceref-zone"
+    account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+    zone_description = "cbr-serviceref-zone-terraform"
+    # when the target service is containers-kubernetes or any icd services, context cannot have a serviceref
+    addresses = [
+      for serviceref in var.zone_service_ref_list : {
+        type = "serviceRef"
+        ref = {
+          account_id   = data.ibm_iam_account_settings.iam_account_settings.account_id
+          service_name = serviceref
+        }
+      }
+    ]
+  }] : []
+  zone_list = concat(tolist(local.vpc_zone_list), tolist(local.service_ref_zone_list))
+}
+
+module "cbr_zone" {
+  count            = length(local.zone_list)
+  source           = "../cbr-zone-module"
+  name             = local.zone_list[count.index].name
+  zone_description = local.zone_list[count.index].zone_description
+  account_id       = local.zone_list[count.index].account_id
+  addresses        = local.zone_list[count.index].addresses
+}
+
+locals {
+  rule_contexts = [{
+    attributes = [
+      {
+        "name" : "endpointType",
+        "value" : "private"
+      },
+      {
+        name  = "networkZoneId"
+        value = join(",", ([for zone in module.cbr_zone : zone.zone_id]))
+    }]
+  }]
+}
+
+module "cbr_rule" {
+  count            = length(var.target_service_details)
+  source           = "../cbr-rule-module"
+  rule_description = "${var.prefix}-${var.target_service_details[count.index].target_service_name}-serviceprofile-rule"
+  enforcement_mode = var.target_service_details[count.index].enforcement_mode
+  rule_contexts    = local.rule_contexts
+  operations = (length(lookup(local.operations_apitype_val, var.target_service_details[count.index].target_service_name, [])) > 0) ? [{
+    api_types = [
+      # lookup the map for the target service name, if not present make api_type_id as empty
+      for apitype in lookup(local.operations_apitype_val, var.target_service_details[count.index].target_service_name, []) : {
+        api_type_id = apitype
+    }]
+  }] : []
+
+  resources = [{
+    tags = var.target_service_details[count.index].tags != null ? [for tag in var.target_service_details[count.index].tags : {
+      name  = split(":", tag)[0]
+      value = split(":", tag)[1]
+    }] : []
+    attributes = var.target_service_details[count.index].target_rg != null ? [
+      {
+        name     = "accountId",
+        operator = "stringEquals",
+        value    = data.ibm_iam_account_settings.iam_account_settings.account_id
+      },
+      {
+        name     = "resourceGroupId",
+        operator = "stringEquals",
+        value    = var.target_service_details[count.index].target_rg
+      },
+      {
+        name     = "serviceName",
+        operator = "stringEquals",
+        value    = var.target_service_details[count.index].target_service_name
+      }] : [
+      {
+        name     = "accountId",
+        operator = "stringEquals",
+        value    = data.ibm_iam_account_settings.iam_account_settings.account_id
+      },
+      {
+        name     = "serviceName",
+        operator = "stringEquals",
+        value    = var.target_service_details[count.index].target_service_name
+    }]
+  }]
+}

cbr-service-profile/outputs.tf

@@ -0,0 +1,33 @@
+##############################################################################
+# Outputs
+##############################################################################
+
+output "zone_ids" {
+  value       = module.cbr_zone[*].zone_id
+  description = "CBR zone resource instance id(s)"
+}
+
+output "zone_crns" {
+  value       = module.cbr_zone[*].zone_crn
+  description = "CBR zone crn(s)"
+}
+
+output "zone_hrefs" {
+  value       = module.cbr_zone[*].zone_href
+  description = "CBR zone href(s)"
+}
+
+output "rule_ids" {
+  value       = join(",", module.cbr_rule[*].rule_id)
+  description = "CBR rule id(s)"
+}
+
+output "rule_crns" {
+  value       = join(",", module.cbr_rule[*].rule_crn)
+  description = "CBR rule crn(s)"
+}
+
+output "rule_hrefs" {
+  value       = join(",", module.cbr_rule[*].rule_href)
+  description = "CBR rule href(s)"
+}

cbr-service-profile/variables.tf

@@ -0,0 +1,61 @@
+##############################################################################
+# Rule Related Input Variables
+##############################################################################
+
+variable "prefix" {
+  type        = string
+  description = "Prefix to append to all resources created by this example"
+  default     = "serviceprofile"
+}
+
+variable "zone_vpc_crn_list" {
+  type        = list(string)
+  default     = []
+  description = "(List) VPC CRN for the zones"
+}
+
+variable "zone_service_ref_list" {
+  type = list(string)
+  validation {
+    condition = alltrue([
+      for service_ref in var.zone_service_ref_list :
+      contains(["cloud-object-storage", "codeengine", "containers-kubernetes",
+        "databases-for-cassandra", "databases-for-elasticsearch", "databases-for-enterprisedb",
+        "databases-for-etcd", "databases-for-mongodb",
+        "databases-for-mysql", "databases-for-postgresql",
+        "databases-for-redis", "directlink",
+        "iam-groups", "is", "messagehub",
+        "messages-for-rabbitmq", "schematics", "secrets-manager", "server-protect", "user-management"],
+      service_ref)
+    ])
+    error_message = "Provide a valid service reference for zone creation"
+  }
+  default     = []
+  description = "(List) Service reference for the zone creation"
+}
+
+variable "target_service_details" {
+  type = list(object({
+    target_service_name = string
+    target_rg           = optional(string)
+    enforcement_mode    = string
+    tags                = optional(list(string))
+  }))
+  description = "(String) Details of the target service for which the rule has to be created"
+  #Validation to restrict the target service name to be the list of supported targets only.
+  validation {
+    condition = alltrue([
+      for service_detail in var.target_service_details :
+      contains(["iam-groups", "iam-access-management", "iam-identity",
+        "user-management", "cloud-object-storage", "codeengine",
+        "container-registry", "databases-for-cassandra",
+        "databases-for-enterprisedb", "databases-for-elasticsearch",
+        "databases-for-etcd", "databases-for-mongodb",
+        "databases-for-mysql", "databases-for-postgresql", "databases-for-redis",
+        "directlink", "dns-svcs", "messagehub", "kms", "containers-kubernetes",
+        "messages-for-rabbitmq", "secrets-manager", "transit", "is",
+      "schematics"], service_detail.target_service_name)
+    ])
+    error_message = "Provide a valid target service name that is supported by context-based restrictions"
+  }
+}

cbr-service-profile/version.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    # Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = ">= 1.49.0"
+    }
+  }
+}

examples/multi-service-profile/README.md

@@ -0,0 +1,12 @@
+# CBR Multi Service Profile
+
+An end-to-end example that uses the module's default variable values. This example uses the IBM Cloud Provider to automate the following infrastructure::
+
+ - Create a VPC and create a CBR zone to allowlist the VPC.
+ - Create a service reference based CBR zone.
+ - Create a set of CBR rules.
+   - Based on the list of target service details provided, create rules for each of them.
+   - Target service instances access is granted based on the following parameters.
+     - Based on the account.
+     - Based on the access tags.
+     - Based on the resource group.

examples/multi-service-profile/main.tf

@@ -0,0 +1,77 @@
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-resource-group.git?ref=v1.0.5"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+# ##############################################################################
+# # Get Cloud Account ID
+# ##############################################################################
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+##############################################################################
+# VPC
+##############################################################################
+resource "ibm_is_vpc" "example_vpc" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+resource "ibm_is_public_gateway" "testacc_gateway" {
+  name           = "${var.prefix}-pgateway"
+  vpc            = ibm_is_vpc.example_vpc.id
+  zone           = "${var.region}-1"
+  resource_group = module.resource_group.resource_group_id
+}
+
+resource "ibm_is_subnet" "testacc_subnet" {
+  name                     = "${var.prefix}-subnet"
+  vpc                      = ibm_is_vpc.example_vpc.id
+  zone                     = "${var.region}-1"
+  public_gateway           = ibm_is_public_gateway.testacc_gateway.id
+  total_ipv4_address_count = 256
+  resource_group           = module.resource_group.resource_group_id
+}
+
+##############################################################################
+# CBR zone & rule creation
+##############################################################################
+
+locals {
+  zone_vpc_crn_list = [ibm_is_vpc.example_vpc.crn]
+  enforcement_mode  = "report"
+  # Merge zone ids to pass as contexts to the rule
+  target_services_details = [
+    {
+      target_service_name = "cloud-object-storage",
+      # Note these are access tags and all iam access tags must be present on the COS instance for the rule to match
+      tags             = var.existing_access_tags,
+      enforcement_mode = local.enforcement_mode,
+    },
+    {
+      target_service_name = "kms",
+      target_rg           = module.resource_group.resource_group_id
+      enforcement_mode    = local.enforcement_mode,
+
+    },
+    {
+      target_service_name = "messagehub",
+      target_rg           = module.resource_group.resource_group_id
+      enforcement_mode    = local.enforcement_mode
+    }
+  ]
+}
+
+module "cbr_rule_multi_service_profile" {
+  source                 = "../../cbr-service-profile"
+  zone_service_ref_list  = var.zone_service_ref_list
+  zone_vpc_crn_list      = local.zone_vpc_crn_list
+  target_service_details = local.target_services_details
+}

examples/multi-service-profile/outputs.tf

@@ -0,0 +1,43 @@
+##############################################################################
+# Outputs
+##############################################################################
+
+output "zone_ids" {
+  value       = module.cbr_rule_multi_service_profile[*].zone_ids
+  description = "CBR zone resource instance id(s)"
+}
+
+output "zone_crns" {
+  value       = module.cbr_rule_multi_service_profile[*].zone_crns
+  description = "CBR zones crn(s)"
+}
+
+output "zone_hrefs" {
+  value       = module.cbr_rule_multi_service_profile[*].zone_hrefs
+  description = "CBR zones href(s)"
+}
+
+output "rule_ids" {
+  value       = module.cbr_rule_multi_service_profile[*].rule_ids
+  description = "CBR rule id(s)"
+}
+
+output "rule_crns" {
+  value       = module.cbr_rule_multi_service_profile[*].rule_crns
+  description = "CBR rule resource instance crn(s)"
+}
+
+output "rule_hrefs" {
+  value       = module.cbr_rule_multi_service_profile[*].rule_hrefs
+  description = "CBR rule resource instance href(s)"
+}
+
+output "vpc_crn" {
+  value       = ibm_is_vpc.example_vpc.crn
+  description = "VPC CRN"
+}
+
+output "account_id" {
+  value       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  description = "Account ID (used in tests)"
+}