feat: add support to create CBR rules using new input cbr_rules (#10)

Author: iamar7

.github/CODEOWNERS

@@ -1,2 +1,3 @@
 # Primary owner should be listed first in list of global owners, followed by any secondary owners
-*       @kierramarie @ocofaigh
+
+*       @kierramarie @iamar7

README.md

@@ -16,6 +16,13 @@ To provision Cloud Logs instance
 # Locals
 locals {
   region      = "us-south"
+  default_operations = [{
+    api_types = [
+      {
+        "api_type_id" : "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+      }
+    ]
+  }]
 }
 
 # Required providers
@@ -35,7 +42,7 @@ provider "ibm" {
 
 # IBM Cloud Logs
 module "cloud_logs" {
-  source            = "terraform-ibm-modules/cloud_logs/ibm"
+  source            = "terraform-ibm-modules/cloud-logs/ibm"
   version           = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
   resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
   region            = local.region
@@ -52,6 +59,7 @@ module "cloud_logs" {
       bucket_endpoint = "s3.direct.us-south.cloud-object-storage.appdomain.cloud"
     }
   }
+
   # Create policies
   policies = [{
     logs_policy_name        = "logs_policy_name"
@@ -68,6 +76,26 @@ module "cloud_logs" {
       severities = ["info", "debug"]
     }]
   }]
+
+  # CBR
+  cbr_rules = [{
+    description      = "Rules for cloud logs access"
+    account_id       = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
+    enforcement_mode = "report"
+    rule_contexts = [{
+      attributes = [
+        {
+          "name" : "endpointType",
+          "value" : "private"
+        },
+        {
+          name  = "networkZoneId"
+          value = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
+        }
+      ]
+      }]
+      operations = local.default_operations
+  }]
 }
 ```
 
@@ -76,16 +104,16 @@ module "cloud_logs" {
 You need the following permissions to run this module.
 
 - Service
-    - **Resource group only**
-        - `Viewer` access on the specific resource group
-    - **Cloud Logs**
-        - `Editor` platform access
-        - `Manager` service access
-    - **IBM Cloud Logs Routing** (Required if creating tenants, which are required to enable platform logs)
-        - `Editor` platform access
-        - `Manager` service access
-    - **Tagging service** (Required if attaching access tags to the ICL instance)
-        - `Editor` platform access
+  - **Resource group only**
+    - `Viewer` access on the specific resource group
+  - **Cloud Logs**
+    - `Editor` platform access
+    - `Manager` service access
+  - **IBM Cloud Logs Routing** (Required if creating tenants, which are required to enable platform logs)
+    - `Editor` platform access
+    - `Manager` service access
+  - **Tagging service** (Required if attaching access tags to the ICL instance)
+    - `Editor` platform access
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ### Requirements
@@ -101,6 +129,7 @@ You need the following permissions to run this module.
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_cbr_rule"></a> [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.29.0 |
 | <a name="module_cos_bucket_crn_parser"></a> [cos\_bucket\_crn\_parser](#module\_cos\_bucket\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 |
 
 ### Resources
@@ -124,6 +153,7 @@ You need the following permissions to run this module.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | A list of access tags to apply to the IBM Cloud Logs instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | `list(string)` | `[]` | no |
+| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of context-based restrictions rules to create | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_data_storage"></a> [data\_storage](#input\_data\_storage) | A logs data bucket and a metrics bucket in IBM Cloud Object Storage to store your IBM Cloud Logs data for long term storage, search, analysis and alerting. | <pre>object({<br/>    logs_data = optional(object({<br/>      enabled              = optional(bool, false)<br/>      bucket_crn           = optional(string)<br/>      bucket_endpoint      = optional(string)<br/>      skip_cos_auth_policy = optional(bool, false)<br/>    }), {})<br/>    metrics_data = optional(object({<br/>      enabled              = optional(bool, false)<br/>      bucket_crn           = optional(string)<br/>      bucket_endpoint      = optional(string)<br/>      skip_cos_auth_policy = optional(bool, false)<br/>    }), {})<br/>    }<br/>  )</pre> | <pre>{<br/>  "logs_data": null,<br/>  "metrics_data": null<br/>}</pre> | no |
 | <a name="input_existing_event_notifications_instances"></a> [existing\_event\_notifications\_instances](#input\_existing\_event\_notifications\_instances) | List of Event Notifications instance details for routing critical events that occur in your IBM Cloud Logs. | <pre>list(object({<br/>    en_instance_id      = string<br/>    en_region           = string<br/>    en_integration_name = optional(string)<br/>    skip_en_auth_policy = optional(bool, false)<br/>  }))</pre> | `[]` | no |
 | <a name="input_instance_name"></a> [instance\_name](#input\_instance\_name) | The name of the IBM Cloud Logs instance to create. Defaults to 'cloud-logs-<region>' | `string` | `null` | no |
@@ -141,6 +171,7 @@ You need the following permissions to run this module.
 
 | Name | Description |
 |------|-------------|
+| <a name="output_account_id"></a> [account\_id](#output\_account\_id) | The account id where cloud logs instance is provisioned. |
 | <a name="output_crn"></a> [crn](#output\_crn) | The CRN of the provisioned Cloud Logs instance. |
 | <a name="output_guid"></a> [guid](#output\_guid) | The guid of the provisioned Cloud Logs instance. |
 | <a name="output_ingress_endpoint"></a> [ingress\_endpoint](#output\_ingress\_endpoint) | The public ingress endpoint of the provisioned Cloud Logs instance. |

examples/advanced/README.md

@@ -9,3 +9,4 @@ Example that configures:
 - Cloud Logs with Event Notifications integration
 - Cloud Logs policies
 - Key Protect instance and root key
+- A context-based restriction (CBR) rule to only allow cloud logs to be accessible from schematics

examples/advanced/main.tf

@@ -20,11 +20,14 @@ locals {
 }
 
 module "key_protect" {
-  source            = "terraform-ibm-modules/kms-all-inclusive/ibm"
-  version           = "4.21.8"
-  resource_group_id = module.resource_group.resource_group_id
-  region            = var.region
-  resource_tags     = var.resource_tags
+  source                      = "terraform-ibm-modules/kms-all-inclusive/ibm"
+  version                     = "4.21.8"
+  resource_group_id           = module.resource_group.resource_group_id
+  region                      = var.region
+  resource_tags               = var.resource_tags
+  key_protect_allowed_network = "private-only"
+  key_endpoint_type           = "private"
+  key_ring_endpoint_type      = "private"
   keys = [
     {
       key_ring_name = local.key_ring_name
@@ -107,16 +110,30 @@ module "buckets" {
   ]
 }
 
+##############################################################################
+# Create CBR Zone
+##############################################################################
+
+# A network zone with service reference to schematics
+module "cbr_schematics_zone" {
+  source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
+  version          = "1.29.0"
+  name             = "${var.prefix}-schematics-network-zone"
+  zone_description = "CBR Network zone for schematics"
+  account_id       = module.cloud_logs.account_id
+  addresses = [{
+    type = "serviceRef"
+    ref = {
+      account_id   = module.cloud_logs.account_id
+      service_name = "schematics"
+    }
+  }]
+}
+
 ########################################################################################################################
 # Cloud Logs
 ########################################################################################################################
 
-#
-# Developer tips:
-#   - Call the local module / modules in the example to show how they can be consumed
-#   - include the actual module source as a code comment like below so consumers know how to consume from correct location
-#
-
 locals {
   cloud_logs_instance_name = "${var.prefix}-cloud-logs"
 }
@@ -169,4 +186,22 @@ module "cloud_logs" {
       en_region           = var.region
       en_integration_name = "${var.prefix}-en-2"
   }]
+
+  cbr_rules = [{
+    description      = "${var.prefix}-icl access only from schematics"
+    account_id       = module.cloud_logs.account_id
+    enforcement_mode = "report"
+    rule_contexts = [{
+      attributes = [
+        {
+          "name" : "endpointType",
+          "value" : "private"
+        },
+        {
+          name  = "networkZoneId"
+          value = module.cbr_schematics_zone.zone_id
+        }
+      ]
+    }]
+  }]
 }

examples/advanced/provider.tf

@@ -5,4 +5,5 @@
 provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.region
+  visibility       = "private"
 }

examples/advanced/variables.tf

@@ -2,14 +2,6 @@
 # Input variables
 ########################################################################################################################
 
-#
-# Module developer tips:
-#   - Examples are references that consumers can use to see how the module can be consumed. They are not designed to be
-#     flexible re-usable solutions for general consumption, so do not expose any more variables here and instead hard
-#     code things in the example main.tf with code comments explaining the different configurations.
-#   - For the same reason as above, do not add default values to the example inputs.
-#
-
 variable "ibmcloud_api_key" {
   type        = string
   description = "The IBM Cloud API Key."

main.tf

@@ -222,3 +222,45 @@ resource "ibm_logs_policy" "logs_policies" {
     }
   }
 }
+
+
+##############################################################################
+# CBR
+##############################################################################
+
+locals {
+  default_operations = [{
+    api_types = [
+      {
+        "api_type_id" : "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+      }
+    ]
+  }]
+}
+
+module "cbr_rule" {
+  count            = length(var.cbr_rules)
+  source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module"
+  version          = "1.29.0"
+  rule_description = var.cbr_rules[count.index].description
+  enforcement_mode = var.cbr_rules[count.index].enforcement_mode
+  rule_contexts    = var.cbr_rules[count.index].rule_contexts
+  resources = [{
+    attributes = [
+      {
+        name  = "accountId"
+        value = var.cbr_rules[count.index].account_id
+      },
+      {
+        name  = "serviceName"
+        value = "logs"
+      },
+      {
+        name     = "serviceInstance"
+        value    = ibm_resource_instance.cloud_logs.guid
+        operator = "stringEquals"
+      }
+    ]
+  }]
+  operations = var.cbr_rules[count.index].operations == null ? local.default_operations : var.cbr_rules[count.index].operations
+}

outputs.tf

@@ -8,6 +8,11 @@ output "guid" {
   description = "The guid of the provisioned Cloud Logs instance."
 }
 
+output "account_id" {
+  value       = ibm_resource_instance.cloud_logs.account_id
+  description = "The account id where cloud logs instance is provisioned."
+}
+
 output "name" {
   value       = ibm_resource_instance.cloud_logs.name
   description = "The name of the provisioned Cloud Logs instance."

tests/pr_test.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
+	"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testschematic"
 )
 
 // Use existing resource group
@@ -47,25 +48,63 @@ func TestRunBasicExample(t *testing.T) {
 	assert.NotNil(t, output, "Expected some output")
 }
 
-func TestRunAdvancedExample(t *testing.T) {
+func TestRunAdvancedExampleInSchematics(t *testing.T) {
 	t.Parallel()
 
-	options := setupOptions(t, "icl-adv", advancedExampleDir)
+	var region = validRegions[rand.Intn(len(validRegions))]
 
-	output, err := options.RunTestConsistency()
+	options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
+		Testing: t,
+		Prefix:  "icl-adv",
+		TarIncludePatterns: []string{
+			"*.tf",
+			advancedExampleDir + "/*.tf",
+		},
+		ResourceGroup:          resourceGroup,
+		TemplateFolder:         advancedExampleDir,
+		Tags:                   []string{"test-schematic"},
+		DeleteWorkspaceOnFail:  false,
+		WaitJobCompleteMinutes: 60,
+	})
+
+	options.TerraformVars = []testschematic.TestSchematicTerraformVar{
+		{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
+		{Name: "prefix", Value: options.Prefix, DataType: "string"},
+		{Name: "region", Value: region, DataType: "string"},
+	}
+
+	err := options.RunSchematicTest()
 	assert.Nil(t, err, "This should not have errored")
-	assert.NotNil(t, output, "Expected some output")
 }
 
-// Upgrade test (using advanced example)
-func TestRunUpgradeExample(t *testing.T) {
+// Upgrade test in schematics (using advanced example)
+func TestRunUpgradeExampleInSchematics(t *testing.T) {
 	t.Parallel()
 
-	options := setupOptions(t, "icl-adv-upg", advancedExampleDir)
+	var region = validRegions[rand.Intn(len(validRegions))]
+
+	options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
+		Testing: t,
+		Prefix:  "icl-adv-upg",
+		TarIncludePatterns: []string{
+			"*.tf",
+			advancedExampleDir + "/*.tf",
+		},
+		ResourceGroup:          resourceGroup,
+		TemplateFolder:         advancedExampleDir,
+		Tags:                   []string{"test-schematic"},
+		DeleteWorkspaceOnFail:  false,
+		WaitJobCompleteMinutes: 60,
+	})
+
+	options.TerraformVars = []testschematic.TestSchematicTerraformVar{
+		{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
+		{Name: "prefix", Value: options.Prefix, DataType: "string"},
+		{Name: "region", Value: region, DataType: "string"},
+	}
 
-	output, err := options.RunTestUpgrade()
+	err := options.RunSchematicUpgradeTest()
 	if !options.UpgradeTestSkipped {
 		assert.Nil(t, err, "This should not have errored")
-		assert.NotNil(t, output, "Expected some output")
 	}
 }

variables.tf

@@ -265,3 +265,28 @@ variable "policies" {
     error_message = "The id of the archive_retention does not meet the required criteria."
   }
 }
+
+##############################################################
+# Context-based restriction (CBR)
+##############################################################
+
+variable "cbr_rules" {
+  type = list(object({
+    description = string
+    account_id  = string
+    rule_contexts = list(object({
+      attributes = optional(list(object({
+        name  = string
+        value = string
+    }))) }))
+    enforcement_mode = string
+    operations = optional(list(object({
+      api_types = list(object({
+        api_type_id = string
+      }))
+    })))
+  }))
+  description = "(Optional, list) List of context-based restrictions rules to create"
+  default     = []
+  # Validation happens in the rule module
+}