This Deployable Architecture provisions a hardened IBM Cloud Object Storage Cyber Vault for IBM Storage Defender, automating setup of COS buckets with Key Protect, IAM credentials, monitoring, logging, and optional network restrictions to simplify secure deployment.

terraform-ibm-modules/terraform-ibm-cos-storage-defender

Terraform modules template project

Status: Incubating (Not yet consumable)

This Terraform configuration provisions a secure IBM Cloud Object Storage environment with integrated Key Protect encryption, Cloud Logs, and Context-Based Restrictions. It automates creation of COS buckets (CyberVault, Logs, Metrics) and manages encryption keys and IAM policies. Designed to ensure data protection, compliance, and controlled network access within IBM Cloud.

Overview

terraform-ibm-cos-storage-defender

Usage

terraform {
  required_version = ">= 1.9.0"
  required_providers {
    ibm = {
      source  = "IBM-Cloud/ibm"
      version = "X.Y.Z"  # Lock into a provider version that satisfies the module constraint (>= 1.71.2, < 2.0.0)
    }
  }
}

# Pass the API key in as a sensitive variable (for example via TF_VAR_ibmcloud_api_key)
# instead of writing it into the configuration.
variable "ibmcloud_api_key" {
  type      = string
  sensitive = true
}

locals {
    region = "us-south"
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = local.region
}

module "cos_storage_defender" {
  source                       = "terraform-ibm-modules/<replace>/ibm"
  version                      = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
  ibmcloud_api_key             = var.ibmcloud_api_key   # required input of this module
  prefix                       = "prod"                 # required; prepended to every resource name
  region                       = local.region
  existing_resource_group_name = "my-resource-group"    # Replace with the name of an existing resource group, or omit to use the default
}

Required access policies

The following IBM Cloud IAM permissions are required for the user or service ID running this Terraform configuration:

  • Resource Group
    • Viewer or Editor on the target Resource Group
  • Cloud Object Storage (COS)
    • Manager on the COS service instance
    • Manager on COS buckets
  • Key Protect (KMS)
    • Manager on the Key Protect instance
    • Writer to create and manage encryption keys
  • IAM Authorization Policies
    • Editor or higher on IAM Access Management to create COS → KMS and Cloud Logs → COS authorization policies
  • Cloud Logs
    • Manager on the Cloud Logs service instance
  • Context-Based Restrictions (CBR)
    • Administrator on Context-Based Restrictions to create zones and rules
  • VPC / Networking (optional, if using network restrictions)
    • Viewer on VPC resources to read VPC details

Ensure that the API key or IAM identity used has sufficient access to all these services within the same IBM Cloud account and region.
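The list above can be turned into access policies for a dedicated deployer service ID, so the identity that runs this configuration holds exactly these roles and nothing more. The following is an added example and not part of this module or the terraform-ibm-modules project; it assumes the ibm provider is already configured and that the two input variables (deployer_service_id, target_resource_group_id) are supplied by the caller. The IAM service names used (cloud-object-storage, kms, logs, is, context-based-restrictions, iam-access-management) are the editor's understanding of the canonical names and should be checked against the IAM console before use.

```hcl
# Added example (not project code): least-privilege policies for the service ID
# that runs this Deployable Architecture. Assumes the ibm provider is configured.

variable "deployer_service_id" {
  type        = string
  description = "ID (ServiceId-...) of the service ID that runs terraform; assumed input"
}

variable "target_resource_group_id" {
  type        = string
  description = "ID of the resource group the vault is provisioned into; assumed input"
}

locals {
  # Services that accept resource-group scoping, with the roles from the list above.
  # Manager already includes Writer, so one role covers both Key Protect entries.
  # IAM service names are assumed; verify them before applying.
  scoped_services = {
    "cloud-object-storage" = ["Manager"] # COS instance and buckets
    "kms"                  = ["Manager"] # Key Protect instance and keys
    "logs"                 = ["Manager"] # Cloud Logs instance
    "is"                   = ["Viewer"]  # VPC details, only needed with allowed_vpc / allowed_vpc_crns
  }
}

resource "ibm_iam_service_policy" "scoped" {
  for_each       = local.scoped_services
  iam_service_id = var.deployer_service_id
  roles          = each.value

  resources {
    service           = each.key
    resource_group_id = var.target_resource_group_id # never account-wide
  }
}

# Viewer on the resource group itself (Editor if the run must also create it)
resource "ibm_iam_service_policy" "resource_group" {
  iam_service_id = var.deployer_service_id
  roles          = ["Viewer"]

  resources {
    resource_type = "resource-group"
    resource      = var.target_resource_group_id
  }
}

# Account-management services cannot be scoped to a resource group.
resource "ibm_iam_service_policy" "cbr" {
  iam_service_id = var.deployer_service_id
  roles          = ["Administrator"] # zones and rules

  resources {
    service = "context-based-restrictions"
  }
}

resource "ibm_iam_service_policy" "iam_access_management" {
  iam_service_id = var.deployer_service_id
  roles          = ["Editor"] # COS -> KMS and Cloud Logs -> COS authorization policies

  resources {
    service = "iam-access-management"
  }
}
```

Apply this from an administrator identity once, then run the vault configuration under the service ID. Because the two account-management policies are the only account-wide grants, a leaked deployer API key cannot touch COS, Key Protect or Cloud Logs outside the vault's resource group.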

Requirements

Name Version
terraform >= 1.9.0
ibm >= 1.71.2, < 2.0.0

Modules

Name Source Version
cbr_rule terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module 1.33.7
cbr_zone terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module 1.33.7
cloud_logs terraform-ibm-modules/cloud-logs/ibm 1.9.3
cos terraform-ibm-modules/cos/ibm 10.5.1
cos_buckets terraform-ibm-modules/cos/ibm//modules/buckets 10.5.1
key terraform-ibm-modules/kms-key/ibm 1.4.2
kms terraform-ibm-modules/key-protect/ibm 2.10.16
resource_group terraform-ibm-modules/resource-group/ibm 1.4.0

Resources

Name Type
ibm_iam_authorization_policy.cos_policy resource
ibm_iam_authorization_policy.cos_to_kms resource
ibm_iam_account_settings.iam_account_settings data source

Inputs

Name Description Type Default Required
allowed_ip_addresses List of allowed IPv4 addresses. Restricts access to the bucket to these addresses only. Entering values in this field results in the creation of a new network zone. list(string) null no
allowed_network Allowed networks for the Key Protect instance. Possible values: 'private-only', 'public-and-private'. string "private-only" no
allowed_network_zone_name Name of the network zone created when values are entered in allowed_ip_addresses, allowed_vpc, or allowed_vpc_crns. string "cyber-zone" no
allowed_vpc Allowed VPC (a single value; use allowed_vpc_crns for several). Restricts access to the bucket to traffic from this VPC only. Entering a value in this field results in the creation of a new network zone. string null no
allowed_vpc_crns List of allowed VPC CRNs. Restricts access to the bucket to traffic from these VPCs only. Entering values in this field results in the creation of a new network zone. list(string) null no
bucket_name The name of the CyberVault Object Storage bucket provisioned by this solution. If a prefix is provided via the 'prefix' variable, the bucket is named in the format <prefix>-<value>. A randomly generated string of unique characters is also appended to the bucket name. string "cybervault-bucket" no
bucket_storage_class The storage class of the CyberVault bucket. Possible values: standard, vault, cold, smart, onerate_active. string "smart" no
cloud_log_instance_name The name of the Cloud Logs instance provisioned by this solution. If a prefix is provided via the 'prefix' variable, it is prepended in the format <prefix>-<value>. string "Cloud-Logs" no
cloud_logs_bucket_class The storage class of the Cloud Logs bucket. Possible values: standard, vault, cold, smart, onerate_active. string "standard" no
cloud_logs_plan The IBM Cloud Logs plan to provision. Available: standard. string "standard" no
cos_allowed_endpoint_types Restricts access to the COS bucket to a specific endpoint type. Public endpoints serve traffic originating outside IBM Cloud; private endpoints serve traffic from other parts of IBM Cloud, excluding VPCs; direct endpoints serve traffic from customer VPCs. The default "all" applies no endpoint restriction. string "all" no
cos_instance_name The name of the Object Storage instance provisioned by this module. If a prefix is provided via the 'prefix' variable, it is prepended in the format <prefix>-<value>. string "cos-cybervault" no
cos_location The location of the Object Storage instance. string "global" no
enforcement_mode The enforcement mode of the CBR rule. Possible values: enabled, disabled, report. In report mode the rule is evaluated and logged but not enforced, which lets you confirm that Defender's traffic matches the zone before switching to enabled. string "enabled" no
existing_resource_group_name The name of an existing resource group to provision the resources in. If not provided, the default resource group is used. string null no
force_delete Whether to force delete the key when deleting the resource. Key Protect refuses to delete a key that is still registered with a cloud resource (such as the vault bucket) unless force delete is used; set this to false if the vault's root key must survive an accidental terraform destroy. bool true no
hard_quota The hard quota (in GB) for the bucket. Set to 0 for unlimited. number 1024 no
ibmcloud_api_key The IBM Cloud platform API key used to deploy resources. Supply it through a variable or TF_VAR_ibmcloud_api_key rather than in source. string n/a yes
key_protect_name The name of the Key Protect instance provisioned by this solution. If a prefix is provided via the 'prefix' variable, it is prepended in the format <prefix>-<value>. string "key-protect" no
key_protect_plan Plan for the Key Protect instance. Valid plans are 'tiered-pricing' and 'cross-region-resiliency'; for more information on these plans see the Key Protect pricing plan documentation. string "tiered-pricing" no
kms_endpoint_type Endpoint type (public or private) used when creating the key. string "private" no
logs_bucket_name The name of the new Object Storage logs bucket. If a prefix is provided via the 'prefix' variable, it is prepended in the format <prefix>-<value>. A unique suffix may also be appended. string "logs-bucket" no
metrics_bucket_name The name of the new Object Storage metrics bucket. If a prefix is provided via the 'prefix' variable, it is prepended in the format <prefix>-<value>. A unique suffix may also be appended. string "metrics-bucket" no
object_lock_duration_years The number of years of the Object Lock retention period. If you specify a number of years, do not specify a value for object_lock_duration_days. Applies only if object_locking_enabled is true. number 1 no
object_locking_enabled Whether to create an Object Lock (WORM) configuration on the CyberVault bucket. Object Lock requires versioning to be enabled on the bucket. bool false no
prefix The prefix to add to all resources that this solution creates (e.g. prod, test, dev). To skip using a prefix, set this value to null or an empty string. string n/a yes
region The IBM Cloud region where all resources (COS instance and buckets, Key Protect, Cloud Logs, etc.) are provisioned. string "us-east" no
retention_period Retention period (in days) for logs and metrics stored in Cloud Logs. number 7 no
role The role granted to the service credential that Defender uses when making requests to COS. Writer is the default because it is the minimum set of permissions Defender needs. string "Writer" no
service_endpoints The type of service endpoint set on the IBM Cloud Logs instance. Allowed values: public-and-private. string "public-and-private" no
standard_key Set to true to create a standard key instead of a root key. Leave it false for this solution: encrypting COS buckets with Key Protect requires a root key, which the default creates. bool false no
zone_description Description of the CBR zone. string "CBR zone created by Terraform" no
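Taken together, the inputs above let the vault be locked to a private-only KMS, a single VPC over direct endpoints, and an immutable bucket. The following invocation is an added example written for this README and is not the project's own code: the registry source path is a placeholder exactly as in the Usage section, the VPC CRN and resource group name are illustrative values, the literal "direct" for cos_allowed_endpoint_types is taken from the endpoint description above, and the output names are those listed in the Outputs section.

```hcl
# Added example (not project code): a hardened invocation of this module.
# Assumes the same placeholder source/version as the Usage section and a VPC
# CRN you own; replace the ACCOUNT_ID / VPC_ID placeholders.

variable "ibmcloud_api_key" {
  type      = string
  sensitive = true # supply via TF_VAR_ibmcloud_api_key
}

module "cyber_vault" {
  source  = "terraform-ibm-modules/<replace>/ibm"
  version = "X.Y.Z"

  ibmcloud_api_key             = var.ibmcloud_api_key
  prefix                       = "prod"
  region                       = "us-east"
  existing_resource_group_name = "storage-defender-rg" # illustrative name

  # Encryption: root key on a private-only Key Protect instance, created over
  # the private endpoint. force_delete = false keeps the root key if someone
  # runs destroy while the bucket is still registered with it.
  allowed_network   = "private-only"
  kms_endpoint_type = "private"
  standard_key      = false
  force_delete      = false

  # Network: bucket reachable only over direct endpoints, and only from the
  # VPC named in the CBR zone. Start in report mode so misconfigured zones
  # surface in Cloud Logs instead of silently cutting off Defender.
  cos_allowed_endpoint_types = "direct"
  allowed_vpc_crns           = ["crn:v1:bluemix:public:is:us-east:a/ACCOUNT_ID::vpc:VPC_ID"]
  allowed_network_zone_name  = "defender-vault-zone"
  zone_description           = "Storage Defender VPC only"
  enforcement_mode           = "report" # switch to "enabled" once traffic is confirmed

  # Immutability: WORM lock matching the backup retention Defender expects.
  object_locking_enabled     = true
  object_lock_duration_years = 1
  bucket_storage_class       = "smart"
  hard_quota                 = 4096 # GB; 0 would be unlimited

  # Credential minted for Defender: Writer is the minimum it needs.
  role = "Writer"

  # Keep access and CBR report-mode logs long enough to review.
  retention_period = 30
}

output "defender_endpoint" {
  description = "Direct S3 endpoint to configure in Storage Defender"
  value       = module.cyber_vault.cybervault_bucket_endpoint
}

output "defender_bucket" {
  value = module.cyber_vault.cybervault_bucket_name
}

output "defender_credentials" {
  description = "HMAC credential JSON for Defender; still plaintext in state"
  value       = module.cyber_vault.credentials_json
  sensitive   = true
}
```

Two points on the choices made here. Marking the credentials output sensitive only hides it from plan and apply output; Terraform state still holds the HMAC keys in plaintext, so the state backend needs the same protection as the vault itself. And because Object Lock retention cannot be shortened once set, run with enforcement_mode = "report" and a small hard_quota first, confirm Defender can write through the direct endpoint, then raise the quota and switch the rule to enabled.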

Outputs

Name Description
cos_instance_id The ID of the COS instance.
credentials_json The HMAC credentials JSON for the COS instance (the access_key_id and secret_access_key pair handed to Storage Defender). This value is written to Terraform state in plaintext, so protect the state backend and avoid printing the output in CI logs.
cybervault_bucket_endpoint The direct S3 endpoint of the Cybervault COS bucket.
cybervault_bucket_name The name of the Cybervault COS bucket.

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.
