feat: Add CBR support to module using new input cbr_rules (#18)

Author: iamar7

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-04-09T08:26:47Z",
+  "generated_at": "2025-04-17T09:27:20Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -82,7 +82,7 @@
         "hashed_secret": "ff9ee043d85595eb255c05dfe32ece02a53efbb2",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 41,
+        "line_number": 48,
         "type": "Secret Keyword",
         "verified_result": null
       }

README.md

@@ -35,6 +35,13 @@ terraform {
 
 locals {
     region = "us-south"
+    default_operations = [{
+      api_types = [
+        {
+          "api_type_id" : "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+        }
+      ]
+    }]
 }
 
 provider "ibm" {
@@ -45,10 +52,30 @@ provider "ibm" {
 # IBM Cloud Monitoring
 
 module "cloud_monitoring" {
-  source            = "terraform-ibm-modules/cloud_monitoring/ibm"
+  source            = "terraform-ibm-modules/cloud-monitoring/ibm"
   version           = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
   region            = local.region
   resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
+
+  # CBR
+  cbr_rules = [{
+    description      = "Rules for cloud monitoring access"
+    account_id       = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
+    enforcement_mode = "report"
+    rule_contexts = [{
+      attributes = [
+        {
+          "name" : "endpointType",
+          "value" : "private"
+        },
+        {
+          name  = "networkZoneId"
+          value = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
+        }
+      ]
+      }]
+      operations = local.default_operations
+  }]
 }
 
 # IBM Cloud Metrics Routing
@@ -62,7 +89,7 @@ module "metric_router" {
       # ID of the Cloud Monitoring instance
       destination_crn   = "crn:v1:bluemix:public:sysdig-monitor:eu-de:a/xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX:xxxxxx-XXXX-XXXX-XXXX-xxxxxx::"
       target_region = "us-south"
-      target_name   = "my-mr-target"
+      target_name   = "cloud-monitoring-target"
     }
   ]
 
@@ -73,7 +100,7 @@ module "metric_router" {
             {
                 action = "send"
                 targets = [{
-                    id = module.metric_router.metric_router_targets["my-mr-target"].id
+                    id = module.metric_router.metric_router_targets["cloud-monitoring-target"].id
                 }]
                 inclusion_filters = [{
                     operand = "location"
@@ -84,6 +111,16 @@ module "metric_router" {
         ]
     }
   ]
+
+  metrics_router_settings = {
+    default_targets = [{
+      id = module.metrics_routing.metrics_router_targets["cloud-monitoring-target"].id
+    }]
+    permitted_target_regions  = ["us-south", "eu-de", "us-east", "eu-es", "eu-gb"]
+    primary_metadata_region   = "us-south" # To configure metrics routing, the account must have a `primary_metadata_region` set.
+    private_api_endpoint_only = false  # You will be unable to view the metrics routing account settings in the UI if `private_api_endpoint_only` is set to true.
+                                       # For more information, see https://cloud.ibm.com/docs/metrics-router?topic=metrics-router-settings-about&interface=ui.
+  }
 }
 
 ```
@@ -113,7 +150,9 @@ You need the following permissions to run this module.
 
 ### Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_cbr_rule"></a> [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.29.0 |
 
 ### Resources
 
@@ -128,6 +167,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | Access Management Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings). | `list(string)` | `[]` | no |
+| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of context-based restrictions rules to create | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_enable_platform_metrics"></a> [enable\_platform\_metrics](#input\_enable\_platform\_metrics) | Receive platform metrics in the provisioned IBM Cloud Monitoring instance. Only 1 instance in a given region can be enabled for platform metrics. | `bool` | `false` | no |
 | <a name="input_instance_name"></a> [instance\_name](#input\_instance\_name) | The name of the IBM Cloud Monitoring instance to create. Defaults to 'cloud-monitoring-<region>' | `string` | `null` | no |
 | <a name="input_manager_key_name"></a> [manager\_key\_name](#input\_manager\_key\_name) | The name to give the IBM Cloud Monitoring manager key. | `string` | `"SysdigManagerKey"` | no |

examples/advanced/README.md

@@ -4,3 +4,4 @@ Example that configures:
 
 - IBM Cloud Monitoring instance
 - IBM Cloud Metrics Routing
+- A context-based restriction (CBR) rule to only allow cloud monitoring to be accessible from schematics

examples/advanced/main.tf

@@ -27,6 +27,42 @@ module "cloud_monitoring" {
   access_tags       = var.access_tags
   plan              = "graduated-tier"
   instance_name     = local.cloud_monitoring_instance_name
+  cbr_rules = [{
+    description      = "${var.prefix}-cloud-monitoring access from vpc and schematics"
+    account_id       = module.cloud_monitoring.account_id
+    enforcement_mode = "report"
+    rule_contexts = [{
+      attributes = [
+        {
+          "name" : "endpointType",
+          "value" : "private"
+        },
+        {
+          name  = "networkZoneId"
+          value = module.cbr_schematics_zone.zone_id
+        }
+      ]
+    }]
+  }]
+}
+
+##############################################################################
+# CBR
+##############################################################################
+
+module "cbr_schematics_zone" {
+  source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
+  version          = "1.29.0"
+  name             = "${var.prefix}-schematics-network-zone"
+  zone_description = "CBR Network zone containing Schematics"
+  account_id       = module.cloud_monitoring.account_id
+  addresses = [{
+    type = "serviceRef"
+    ref = {
+      account_id   = module.cloud_monitoring.account_id
+      service_name = "schematics"
+    }
+  }]
 }
 
 ##############################################################################

examples/advanced/provider.tf

@@ -5,4 +5,5 @@
 provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.region
+  visibility       = "private"
 }

examples/advanced/variables.tf

@@ -2,19 +2,12 @@
 # Variables
 ##############################################################################
 
-#
-# Module developer tips:
-#   - Examples are references that consumers can use to see how the module can be consumed. They are not designed to be
-#     flexible re-usable solutions for general consumption, so do not expose any more variables here and instead hard
-#     code things in the example main.tf with code comments explaining the different configurations.
-#   - For the same reason as above, do not add default values to the example inputs.
-#
-
 variable "ibmcloud_api_key" {
   type        = string
   description = "The IBM Cloud API Key."
   sensitive   = true
 }
+
 variable "prefix" {
   type        = string
   description = "A string value to prefix to all resources created by this example."

examples/advanced/version.tf

@@ -4,7 +4,7 @@ terraform {
     # Use "greater than or equal to" range in modules
     ibm = {
       source  = "ibm-cloud/ibm"
-      version = ">= 1.70.0, < 2.0.0"
+      version = ">= 1.76.1, < 2.0.0"
     }
   }
 }

main.tf

@@ -37,3 +37,44 @@ resource "ibm_resource_key" "resource_key" {
   role                 = "Manager"
   tags                 = var.manager_key_tags
 }
+
+########################################################################
+# Context Based Restrictions
+#########################################################################
+
+locals {
+  default_operations = [{
+    api_types = [
+      {
+        "api_type_id" : "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+      }
+    ]
+  }]
+}
+
+module "cbr_rule" {
+  count            = length(var.cbr_rules)
+  source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module"
+  version          = "1.29.0"
+  rule_description = var.cbr_rules[count.index].description
+  enforcement_mode = var.cbr_rules[count.index].enforcement_mode
+  rule_contexts    = var.cbr_rules[count.index].rule_contexts
+  resources = [{
+    attributes = [
+      {
+        name  = "accountId"
+        value = var.cbr_rules[count.index].account_id
+      },
+      {
+        name  = "serviceName"
+        value = "sysdig-monitor"
+      },
+      {
+        name     = "serviceInstance"
+        value    = ibm_resource_instance.cloud_monitoring.guid
+        operator = "stringEquals"
+      }
+    ]
+  }]
+  operations = var.cbr_rules[count.index].operations == null ? local.default_operations : var.cbr_rules[count.index].operations
+}

tests/pr_test.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
+	"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testschematic"
 )
 
 // Use existing resource group
@@ -51,27 +52,67 @@ func TestRunBasicExample(t *testing.T) {
 	assert.NotNil(t, output, "Expected some output")
 }
 
-func TestRunAdvancedExample(t *testing.T) {
+func TestRunAdvancedExampleInSchematics(t *testing.T) {
 	// https://github.ibm.com/GoldenEye/issues/issues/12223
 	// Avoid t.Parallel() to avoid test clashes
 
-	options := setupOptions(t, "icm-adv", advancedExampleDir)
+	var region = validRegions[rand.Intn(len(validRegions))]
 
-	output, err := options.RunTestConsistency()
+	options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
+		Testing: t,
+		Prefix:  "icm-adv",
+		TarIncludePatterns: []string{
+			"*.tf",
+			"modules/metrics_routing" + "/*.tf",
+			advancedExampleDir + "/*.tf",
+		},
+		ResourceGroup:          resourceGroup,
+		TemplateFolder:         advancedExampleDir,
+		Tags:                   []string{"test-schematic"},
+		DeleteWorkspaceOnFail:  false,
+		WaitJobCompleteMinutes: 60,
+	})
+
+	options.TerraformVars = []testschematic.TestSchematicTerraformVar{
+		{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
+		{Name: "prefix", Value: options.Prefix, DataType: "string"},
+		{Name: "region", Value: region, DataType: "string"},
+	}
+
+	err := options.RunSchematicTest()
 	assert.Nil(t, err, "This should not have errored")
-	assert.NotNil(t, output, "Expected some output")
 }
 
-// Upgrade test (using advanced example)
-func TestRunUpgradeExample(t *testing.T) {
+// Upgrade test in schematics (using advanced example)
+func TestRunUpgradeExampleInSchematics(t *testing.T) {
 	// https://github.ibm.com/GoldenEye/issues/issues/12223
 	// Avoid t.Parallel() to avoid test clashes
 
-	options := setupOptions(t, "icm-adv-upg", advancedExampleDir)
+	var region = validRegions[rand.Intn(len(validRegions))]
+
+	options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
+		Testing: t,
+		Prefix:  "icm-adv-upg",
+		TarIncludePatterns: []string{
+			"*.tf",
+			"modules/metrics_routing" + "/*.tf",
+			advancedExampleDir + "/*.tf",
+		},
+		ResourceGroup:          resourceGroup,
+		TemplateFolder:         advancedExampleDir,
+		Tags:                   []string{"test-schematic"},
+		DeleteWorkspaceOnFail:  false,
+		WaitJobCompleteMinutes: 60,
+	})
+
+	options.TerraformVars = []testschematic.TestSchematicTerraformVar{
+		{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
+		{Name: "prefix", Value: options.Prefix, DataType: "string"},
+		{Name: "region", Value: region, DataType: "string"},
+	}
 
-	output, err := options.RunTestUpgrade()
+	err := options.RunSchematicUpgradeTest()
 	if !options.UpgradeTestSkipped {
 		assert.Nil(t, err, "This should not have errored")
-		assert.NotNil(t, output, "Expected some output")
 	}
 }

variables.tf

@@ -65,3 +65,28 @@ variable "service_endpoints" {
     error_message = "The specified service_endpoints is not a valid selection"
   }
 }
+
+##############################################################
+# Context-based restriction (CBR)
+##############################################################
+
+variable "cbr_rules" {
+  type = list(object({
+    description = string
+    account_id  = string
+    rule_contexts = list(object({
+      attributes = optional(list(object({
+        name  = string
+        value = string
+    }))) }))
+    enforcement_mode = string
+    operations = optional(list(object({
+      api_types = list(object({
+        api_type_id = string
+      }))
+    })))
+  }))
+  description = "(Optional, list) List of context-based restrictions rules to create"
+  default     = []
+  # Validation happens in the rule module
+}