chore: add multi resource rule example (#307)

daniel-butler-irl · web-flow · commit c3abb65f6fbc · 2023-10-10T16:42:14.000+01:00
diff --git a/README.md b/README.md
@@ -20,6 +20,7 @@ See in particular the [fscloud module](./modules/fscloud/) that enables creating
     * [fscloud](./modules/fscloud)
 * [Examples](./examples)
     * [CBR multi service profile](./examples/multi-service-profile)
+    * [Multi resource rule example](./examples/multi-resource-rule)
     * [Multi-zone example](./examples/multizone-rule)
     * [Pre-wired CBR configuration for FS Cloud example](./examples/fscloud)
     * [Zone example](./examples/zone)
diff --git a/examples/multi-resource-rule/README.md b/examples/multi-resource-rule/README.md
@@ -0,0 +1,9 @@
+# Multi resource rule example
+
+An end-to-end example to show how to apply a rule to multiple resources. This example uses the IBM Cloud Provider to automate the following infrastructure:
+
+- Creates a VPC
+- Creates a VPC Subnet
+- Creates a CBR Zone for the VPC
+- Creates a COS Instance and a COS Bucket
+- Applies a single CBR rule to only allow access form the VPC zone to the COS Instance and the same rule for the Bucket
diff --git a/examples/multi-resource-rule/main.tf b/examples/multi-resource-rule/main.tf
@@ -0,0 +1,155 @@
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.0.6"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##############################################################################
+# VPC
+##############################################################################
+
+resource "ibm_is_vpc" "example_vpc" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+resource "ibm_is_subnet" "testacc_subnet" {
+  name                     = "${var.prefix}-subnet"
+  vpc                      = ibm_is_vpc.example_vpc.id
+  zone                     = "${var.region}-1"
+  total_ipv4_address_count = 256
+  resource_group           = module.resource_group.resource_group_id
+}
+
+
+##############################################################################
+# Get Cloud Account ID
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+##############################################################################
+# Create CBR Zone
+##############################################################################
+
+module "cbr_zone_vpc" {
+  source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
+  version          = "1.9.0"
+  name             = "${var.prefix}-VPC-network-zone"
+  zone_description = "CBR Network zone containing VPC"
+  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  addresses = [{
+    type  = "vpc", # to bind a specific vpc to the zone
+    value = ibm_is_vpc.example_vpc.crn,
+  }]
+}
+
+module "cos_instance_and_bucket" {
+  source                        = "terraform-ibm-modules/cos/ibm"
+  version                       = "6.12.2"
+  resource_group_id             = module.resource_group.resource_group_id
+  region                        = var.region
+  create_cos_instance           = true
+  create_cos_bucket             = true
+  bucket_name                   = "${var.prefix}-cos-bucket"
+  kms_encryption_enabled        = false
+  skip_iam_authorization_policy = true
+  cos_instance_name             = "${var.prefix}-cos-instance"
+}
+
+locals {
+  #   List of resources to apply rules to
+  resource_list = [
+    [{
+      attributes = [
+        {
+          name     = "accountId"
+          value    = data.ibm_iam_account_settings.iam_account_settings.account_id
+          operator = "stringEquals"
+        },
+        {
+          name     = "serviceInstance"
+          value    = module.cos_instance_and_bucket.cos_instance_guid
+          operator = "stringEquals"
+        },
+        {
+          name     = "serviceName"
+          value    = "cloud-object-storage"
+          operator = "stringEquals"
+        }
+    ] }],
+    [{
+      attributes = [
+        {
+          name     = "accountId"
+          value    = data.ibm_iam_account_settings.iam_account_settings.account_id
+          operator = "stringEquals"
+        },
+        {
+          name     = "serviceInstance"
+          value    = module.cos_instance_and_bucket.bucket_crn
+          operator = "stringEquals"
+        },
+        {
+          name     = "serviceName"
+          value    = "cloud-object-storage"
+          operator = "stringEquals"
+        }
+    ] }]
+  ]
+
+  # rule to be applied for each resource
+  rule = {
+    enforcement_mode = "report"
+    rule_contexts = [
+      {
+        attributes = [
+          {
+            "name" : "endpointType",
+            "value" : "private"
+          },
+          {
+            name  = "networkZoneId"
+            value = module.cbr_zone_vpc.zone_id
+          }
+        ]
+      }
+    ]
+    operations = [
+      {
+        api_types = [
+          {
+            api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+          }
+        ]
+      }
+    ]
+  }
+
+  #  List of rule descriptions
+  rule_descriptions = [
+    "sample rule for the instance ${module.cos_instance_and_bucket.cos_instance_guid} access from vpc zone",
+    "sample rule for the bucket ${module.cos_instance_and_bucket.bucket_name} access from vpc zone",
+  ]
+}
+
+# Create CBR Rules Last
+#
+module "cbr_rules" {
+  count            = length(local.resource_list)
+  source           = "../../modules/cbr-rule-module"
+  rule_description = local.rule_descriptions[count.index] != null ? local.rule_descriptions[count.index] : "sample rule"
+  enforcement_mode = local.rule.enforcement_mode
+  rule_contexts    = local.rule.rule_contexts
+  resources        = local.resource_list[count.index]
+  operations       = local.rule.operations
+
+}
diff --git a/examples/multi-resource-rule/outputs.tf b/examples/multi-resource-rule/outputs.tf
@@ -0,0 +1,18 @@
+##############################################################################
+# Outputs
+##############################################################################
+
+output "cos_guid" {
+  value       = module.cos_instance_and_bucket.cos_instance_guid
+  description = "COS guid"
+}
+
+output "bucket_guid" {
+  value       = module.cos_instance_and_bucket.bucket_id
+  description = "COS bucket guid"
+}
+
+output "resource_group_id" {
+  value       = module.resource_group.resource_group_id
+  description = "Resource group ID"
+}
diff --git a/examples/multi-resource-rule/provider.tf b/examples/multi-resource-rule/provider.tf
@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}
diff --git a/examples/multi-resource-rule/variables.tf b/examples/multi-resource-rule/variables.tf
@@ -0,0 +1,29 @@
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API Key"
+  sensitive   = true
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix to append to all resources created by this example"
+  default     = "test-terraform-multirule"
+}
+
+variable "region" {
+  description = "Name of the Region to deploy into"
+  type        = string
+  default     = "us-south"
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
+}
diff --git a/examples/multi-resource-rule/version.tf b/examples/multi-resource-rule/version.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    # Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = "1.56.1"
+    }
+  }
+}
diff --git a/tests/go.mod b/tests/go.mod
@@ -4,10 +4,10 @@ go 1.20
 
 require (
 	github.com/IBM/go-sdk-core/v5 v5.14.1
-	github.com/IBM/platform-services-go-sdk v0.49.0
+	github.com/IBM/platform-services-go-sdk v0.50.1
 	github.com/gruntwork-io/terratest v0.43.13
 	github.com/stretchr/testify v1.8.4
-	github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.21.7
+	github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.21.10
 )
 
 require (
@@ -17,7 +17,7 @@ require (
 	cloud.google.com/go/iam v1.1.0 // indirect
 	cloud.google.com/go/storage v1.30.1 // indirect
 	dario.cat/mergo v1.0.0 // indirect
-	github.com/IBM-Cloud/bluemix-go v0.0.0-20230616121711-b838ccdcd2fb // indirect
+	github.com/IBM-Cloud/bluemix-go v0.0.0-20230914140903-40534e34a2a5 // indirect
 	github.com/IBM-Cloud/power-go-client v1.3.1 // indirect
 	github.com/IBM/vpc-go-sdk v1.0.2 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
diff --git a/tests/go.sum b/tests/go.sum
@@ -189,15 +189,15 @@ dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/IBM-Cloud/bluemix-go v0.0.0-20230616121711-b838ccdcd2fb h1:INoGxS/wEA+Vl4R1mMHVW3HoFTvxpYABf/10XEe5GP0=
-github.com/IBM-Cloud/bluemix-go v0.0.0-20230616121711-b838ccdcd2fb/go.mod h1:cO5KCpiop9eP/pM/5W07TprYUkv/kHtajW1FiZgE59k=
+github.com/IBM-Cloud/bluemix-go v0.0.0-20230914140903-40534e34a2a5 h1:1hjspcKEce53NnIT+byrqy6Bre1ZNmsbl+IZw8AqKsQ=
+github.com/IBM-Cloud/bluemix-go v0.0.0-20230914140903-40534e34a2a5/go.mod h1:cO5KCpiop9eP/pM/5W07TprYUkv/kHtajW1FiZgE59k=
 github.com/IBM-Cloud/power-go-client v1.3.1 h1:LIxP6XJtP6MpDOB3foAZzX36FYvfgsyfa6q+Xg+foys=
 github.com/IBM-Cloud/power-go-client v1.3.1/go.mod h1:UBFlT5XKspkD1K0Wqd9evScL7dnu6hZOnGikTID8lHQ=
 github.com/IBM/go-sdk-core/v5 v5.9.2/go.mod h1:YlOwV9LeuclmT/qi/LAK2AsobbAP42veV0j68/rlZsE=
 github.com/IBM/go-sdk-core/v5 v5.14.1 h1:WR1r0zz+gDW++xzZjF41r9ueY4JyjS2vgZjiYs8lO3c=
 github.com/IBM/go-sdk-core/v5 v5.14.1/go.mod h1:MUvIr/1mgGh198ZXL+ByKz9Qs1JoEh80v/96x8jPXNY=
-github.com/IBM/platform-services-go-sdk v0.49.0 h1:Xd2pCCyjgrgTv8n+9oGoaYXBRCiKDcR4aT3J1bW1Ftw=
-github.com/IBM/platform-services-go-sdk v0.49.0/go.mod h1:6LxcUhIaSLP4SuQJXF9oLXBamSQogs5D9BcVwr4hmfU=
+github.com/IBM/platform-services-go-sdk v0.50.1 h1:mLT6SB2L/4uatI0tflj/IA2966UeGBNF4Pj8FnbtrJk=
+github.com/IBM/platform-services-go-sdk v0.50.1/go.mod h1:6LxcUhIaSLP4SuQJXF9oLXBamSQogs5D9BcVwr4hmfU=
 github.com/IBM/vpc-go-sdk v1.0.2 h1:WhI1Cb8atA8glUdFg0SEUh9u8afjnKHxZAj9onQBi04=
 github.com/IBM/vpc-go-sdk v1.0.2/go.mod h1:42NO/XCXsyrYqpvtxoX5xwSEv/jBU1MKEoyaYkIUico=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
@@ -622,8 +622,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.21.7 h1:U7a7qJW5wpEEk3DdBiF7xsuvtn0zWWWT65cbv3vZ/KQ=
-github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.21.7/go.mod h1:BiJPtkHaZOuS3xgI98WhK2uLjUjTMphE06+w/11+I30=
+github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.21.10 h1:jL0o2ccRHCEvrhrJKDluRc2+q7Pi1olihkSjnL64Ny8=
+github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.21.10/go.mod h1:6Mjzd2WPoXXn+cjEU16NkYKlnYSNFpWP8bTDOW6XsAw=
 github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tmccombs/hcl2json v0.5.0 h1:cT2sXStOzKL06c8ZTf9vh+0N8GKGzV7+9RUaY5/iUP8=
diff --git a/tests/other_test.go b/tests/other_test.go
@@ -0,0 +1,26 @@
+package test
+
+import (
+	"github.com/stretchr/testify/assert"
+	"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
+)
+
+import (
+	"testing"
+)
+
+const multiResourceTerraformDir = "examples/multi-resource-rule"
+
+func TestRunMultiResourceExample(t *testing.T) {
+	t.Parallel()
+
+	options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
+		Testing:      t,
+		TerraformDir: multiResourceTerraformDir,
+		Prefix:       "mrr-rule",
+	})
+
+	output, err := options.RunTestConsistency()
+	assert.Nil(t, err, "This should not have errored")
+	assert.NotNil(t, output, "Expected some output")
+}
