doc: Gobal deny doc update (#490)

Ak-sky · web-flow · commit d97ec1456aaf · 2024-07-31T17:07:16.000+01:00
diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf
@@ -70,24 +70,31 @@ module "cbr_account_level" {
 
   ## Enable enforcement for key protect as an example
   ## The other services not referenced here, are either report, or disabled (when not support report)
+  ## When a scope is specified in a rule for the target service, a new separate global rule will be created for the respective target service to scope all the resources of that service. This can be opted out by setting the variable 'global_deny = false'
+  ## It is mandatory to set 'global_deny = false' when no scope is specified for the target service
+
   target_service_details = {
     # Using 'kms' for Key Protect value as target service name supported by CBR for Key Protect is 'kms'.
     "kms" = {
       # Demonstrates how a customized CBR description (also seen as being the rule name) can be set
       "description"      = "kms-rule-example-of-customized-description"
       "enforcement_mode" = "enabled"
       "instance_id"      = module.key_protect_module.key_protect_guid
-      "global_deny"      = false
       "target_rg"        = module.resource_group.resource_group_id
+      "global_deny"      = false # opting out from creating a new global rule
     }
     "cloud-object-storage" = {
+      "enforcement_mode" = "enabled"
+      "global_deny"      = false # mandatory to set 'global_deny = false' when no scope is defined
+    }
+    "messagehub" = {
+      # As the service is scoped, a new global rule will also get created
       "enforcement_mode" = "enabled"
       "target_rg"        = module.resource_group.resource_group_id
-      "global_deny"      = false
     }
     "mqcloud" : {
-      "enforcement_mode" = "disabled"
-      "region"           = "eu-fr2" # BNPP region (region or serviceInstance is/are required for service 'mqcloud`)
+      "enforcement_mode" = "enabled"
+      "region"           = "eu-fr2" # region and/or instance_id is/are required for service 'mqcloud'
       "global_deny"      = false
     }
     "IAM" : {
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
@@ -26,6 +26,10 @@ Important: In order to avoid unexpected breakage in the account against which th
 
 **Note on Event Notifications**: Event Notifications introduced SMTP API that does not support `report` enforcement mode. By default `report` mode is set which excludes SMTP API. If enforcement mode is set to `enabled`, CBR will be applied to the SMTP API as well.
 
+**Note on global_deny variable**: When a `scope` is specified in a rule for the target service, a new separate `global rule` will be created for the respective target service to scope `all the resources` of that service. This can be opted out by setting the variable `global_deny = false`. It is also mandatory to set `global_deny = false` when no scope is specified for the target service.
+
+**Note on `mqcloud`**: Region and/or instance_id is/are required for service `mqcloud` to create the CBR rule.
+
 ## Note
 The services 'directlink', 'globalcatalog-collection', 'iam-groups' and 'user-management' do not support restriction per location.
 
@@ -51,10 +55,31 @@ module "cbr_fscloud" {
   # Will skip the zone creation for service ref. present in the list
   skip_specific_services_for_zone_creation = ["user-management", "iam-groups"]
 
-  target_service_details = {
-                            "kms" = {
-                              "enforcement_mode" = "enabled"
-                           }}
+ target_service_details = {
+    "kms" = {
+      "enforcement_mode" = "enabled"
+      "instance_id"      = "dhd2-2bdjd-2bdjd-asgd3" # pragma: allowlist secret
+      "target_rg"        = "a8cff104f1764e98aac9ab879198230a" # pragma: allowlist secret
+    }
+    "cloud-object-storage" = {
+      "enforcement_mode" = "enabled"
+      "target_rg"        = "a8cff104f1764e98aac9ab879198230a" # pragma: allowlist secret
+      "global_deny"      = false # opting out from creating a new global rule
+    }
+    "messagehub" = {
+      "enforcement_mode" = "enabled"
+      "global_deny"      = false # mandatory to set 'global_deny = false' when no scope is defined
+    }
+    "mqcloud" : {
+      "enforcement_mode" = "enabled"
+      "region"           = "eu-fr2" # region and/or instance_id is/are required for service 'mqcloud'
+      "global_deny"      = false
+    }
+    "IAM" : {
+      "enforcement_mode" = "report"
+      "global_deny"      = false
+    }
+  }
 
   custom_rule_contexts_by_service = {
                                     "schematics" = [{
