feat: Added FScloud submodule (#126)

Author: Ak-sky

README.md

@@ -10,7 +10,10 @@ A module to create IBM Cloud Event Notifications.
 <!-- BEGIN OVERVIEW HOOK -->
 ## Overview
 * [terraform-ibm-event-notifications](#terraform-ibm-event-notifications)
+* [Submodules](./modules)
+    * [fscloud](./modules/fscloud)
 * [Examples](./examples)
+    * [ Financial Services Cloud profile example](./examples/fscloud)
     * [Basic example](./examples/basic)
     * [Complete example with BYOK encryption and CBR rules](./examples/complete)
 * [Contributing](#contributing)
@@ -91,8 +94,7 @@ To create service credentials, access to Event Notifications and access to call
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br>    description = string<br>    account_id  = string<br>    rule_contexts = list(object({<br>      attributes = optional(list(object({<br>        name  = string<br>        value = string<br>    }))) }))<br>    enforcement_mode = string<br>  }))</pre> | `[]` | no |
 | <a name="input_existing_kms_instance_crn"></a> [existing\_kms\_instance\_crn](#input\_existing\_kms\_instance\_crn) | The CRN of the Hyper Protect Crypto Services or Key Protect instance. Required only if var.kms\_encryption\_enabled is set to true | `string` | `null` | no |
 | <a name="input_kms_encryption_enabled"></a> [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in Event Notification. If set to false, the data is encrypted by using randomly generated keys. For more info on Managing Encryption, see https://cloud.ibm.com/docs/event-notifications?topic=event-notifications-en-managing-encryption | `bool` | `false` | no |
-| <a name="input_kms_endpoint"></a> [kms\_endpoint](#input\_kms\_endpoint) | The KMS endpoint to use when configuring KMS encryption. Must be private or public. | `string` | `"public"` | no |
-| <a name="input_kms_region"></a> [kms\_region](#input\_kms\_region) | The region where KMS instance exists if using KMS encryption. | `string` | `"us-south"` | no |
+| <a name="input_kms_endpoint_url"></a> [kms\_endpoint\_url](#input\_kms\_endpoint\_url) | The KMS endpoint URL to use when configuring KMS encryption. HPCS endpoint URL format- https://api.private.<REGION>.hs-crypto.cloud.ibm.com:<port> and KP endpoint URL format- https://<REGION>.kms.cloud.ibm.com | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name to give the IBM Event Notification instance created by this module. | `string` | n/a | yes |
 | <a name="input_plan"></a> [plan](#input\_plan) | Plan for the event notification instance : lite or standard | `string` | `"standard"` | no |
 | <a name="input_region"></a> [region](#input\_region) | IBM Cloud region where event notification will be created, supported regions are: us-south (Dallas), eu-gb (London), eu-de (Frankfurt), au-syd (Sydney), eu-es (Madrid) | `string` | `"us-south"` | no |
@@ -108,6 +110,7 @@ To create service credentials, access to Event Notifications and access to call
 | Name | Description |
 |------|-------------|
 | <a name="output_crn"></a> [crn](#output\_crn) | Event Notification crn |
+| <a name="output_event_notification_instance_name"></a> [event\_notification\_instance\_name](#output\_event\_notification\_instance\_name) | Event Notification name |
 | <a name="output_guid"></a> [guid](#output\_guid) | Event Notification guid |
 | <a name="output_service_credentials_json"></a> [service\_credentials\_json](#output\_service\_credentials\_json) | Service credentials json map |
 | <a name="output_service_credentials_object"></a> [service\_credentials\_object](#output\_service\_credentials\_object) | Service credentials object |

cra-config.yaml

@@ -1,8 +1,15 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "examples/basic" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
+  - CRA_TARGET: "examples/fscloud" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
+    CRA_ENVIRONMENT_VARIABLES:
+      TF_VAR_prefix: "cra-sap"
+      TF_VAR_existing_kms_instance_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9::"
+      TF_VAR_root_key_id: "76170fae-4e0c-48c3-8ebe-326059ebb533"
+      TF_VAR_kms_endpoint_url: "https://api.private.us-south.hs-crypto.cloud.ibm.com:8992"
+
+
     # CRA_ENVIRONMENT_VARIABLES:  # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
     #   TF_VAR_sample: "sample value"
     #   TF_VAR_other:  "another value"

examples/basic/outputs.tf

@@ -2,6 +2,10 @@
 # Outputs
 ##############################################################################
 
+output "event_notification_instance_name" {
+  description = "Event Notification name"
+  value       = module.event_notification.event_notification_instance_name
+}
 output "resource_group_name" {
   description = "Resource group name"
   value       = module.resource_group.resource_group_name

examples/complete/main.tf

@@ -20,14 +20,17 @@ locals {
 }
 module "key_protect_all_inclusive" {
   source                    = "terraform-ibm-modules/key-protect-all-inclusive/ibm"
-  version                   = "4.4.2"
+  version                   = "4.6.0"
   resource_group_id         = module.resource_group.resource_group_id
   region                    = var.region
   key_protect_instance_name = "${var.prefix}-kp"
   resource_tags             = var.resource_tags
-  key_map = {
-    (local.key_ring_name) = [local.key_name]
-  }
+  keys = [{
+    key_ring_name = "en-key-ring"
+    keys = [{
+      key_name = "${var.prefix}-en"
+    }]
+  }]
 }
 
 ##############################################################################
@@ -77,11 +80,11 @@ module "event_notification" {
   kms_encryption_enabled    = true
   existing_kms_instance_crn = module.key_protect_all_inclusive.key_protect_id
   root_key_id               = module.key_protect_all_inclusive.keys["${local.key_ring_name}.${local.key_name}"].key_id
+  kms_endpoint_url          = module.key_protect_all_inclusive.kp_public_endpoint
   tags                      = var.resource_tags
   service_endpoints         = "public"
   service_credential_names  = var.service_credential_names
   region                    = var.region
-  kms_region                = var.region
   cbr_rules = [
     {
       description      = "${var.prefix}-event notification access only from vpc"

examples/complete/outputs.tf

@@ -12,6 +12,11 @@ output "resource_group_id" {
   value       = module.resource_group.resource_group_id
 }
 
+output "event_notification_instance_name" {
+  description = "Event Notification name"
+  value       = module.event_notification.event_notification_instance_name
+}
+
 output "crn" {
   description = "Event notification instance crn"
   value       = module.event_notification.crn

examples/fscloud/README.md

@@ -0,0 +1,18 @@
+ # Financial Services Cloud profile example
+
+An end-to-end example that uses the [Profile for IBM Cloud Framework for Financial Services](https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/tree/main/modules/fscloud) to deploy an instance of Event Notification.
+
+The example uses the IBM Cloud Terraform provider to create the following infrastructure:
+
+- A resource group, if one is not passed in.
+- An IAM authorization between all Event Notification instances in the given resource group and the KMS instance that is passed in.
+- An Event Notification instance that is encrypted with the KMS root key that is passed in.
+- A sample virtual private cloud (VPC).
+- A context-based restriction (CBR) rule to only allow Event Notification to be accessible from within the VPC.
+
+:exclamation: **Important:** In this example, only the Event Notification instance complies with the IBM Cloud Framework for Financial Services. Other parts of the infrastructure do not necessarily comply.
+
+## Before you begin
+
+- You need a KMS instance and root key available in the region that you want to deploy your Event Notification instance to.
+- To ensure compliance with FSCloud standards, it is required to use HPCS only.

examples/fscloud/main.tf

@@ -0,0 +1,94 @@
+##############################################################################
+# Resource group
+##############################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.4"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##############################################################################
+# Get Cloud Account ID
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+##############################################################################
+# VPC
+##############################################################################
+resource "ibm_is_vpc" "example_vpc" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+resource "ibm_is_subnet" "testacc_subnet" {
+  name                     = "${var.prefix}-subnet"
+  vpc                      = ibm_is_vpc.example_vpc.id
+  zone                     = "${var.region}-1"
+  total_ipv4_address_count = 256
+  resource_group           = module.resource_group.resource_group_id
+}
+
+##############################################################################
+# Create CBR Zone
+##############################################################################
+
+module "cbr_zone" {
+  source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
+  version          = "1.17.1"
+  name             = "${var.prefix}-VPC-network-zone"
+  zone_description = "CBR Network zone representing VPC"
+  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  addresses = [{
+    type  = "vpc",
+    value = ibm_is_vpc.example_vpc.crn
+  }]
+}
+
+module "event_notification" {
+  source                    = "../../modules/fscloud"
+  resource_group_id         = module.resource_group.resource_group_id
+  name                      = "${var.prefix}-en-fs"
+  existing_kms_instance_crn = var.existing_kms_instance_crn
+  root_key_id               = var.root_key_id
+  kms_endpoint_url          = var.kms_endpoint_url
+  tags                      = var.resource_tags
+
+  # Map of name, role for service credentials that you want to create for the event notification
+  service_credential_names = {
+    "en_manager" : "Manager",
+    "en_writer" : "Writer",
+    "en_reader" : "Reader",
+    "en_channel_editor" : "Channel Editor",
+    "en_device_manager" : "Device Manager",
+    "en_event_source_manager" : "Event Source Manager",
+    "en_event_notifications_publisher" : "Event Notification Publisher",
+    "en_status_reporter" : "Status Reporter",
+    "en_email_sender" : "Email Sender",
+    "en_custom_email_status_reporter" : "Custom Email Status Reporter",
+  }
+  region = var.region
+  cbr_rules = [
+    {
+      description      = "${var.prefix}-event notification access only from vpc"
+      enforcement_mode = "report"
+      account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+      rule_contexts = [{
+        attributes = [
+          {
+            "name" : "endpointType",
+            "value" : "private"
+          },
+          {
+            name  = "networkZoneId"
+            value = module.cbr_zone.zone_id
+        }]
+      }]
+    }
+  ]
+}

examples/fscloud/outputs.tf

@@ -0,0 +1,40 @@
+##############################################################################
+# Outputs
+##############################################################################
+
+output "resource_group_name" {
+  description = "Resource group name"
+  value       = module.resource_group.resource_group_name
+}
+
+output "resource_group_id" {
+  description = "Resource group ID"
+  value       = module.resource_group.resource_group_id
+}
+
+output "event_notification_instance_name" {
+  description = "Event Notification name"
+  value       = module.event_notification.event_notification_instance_name
+}
+
+output "crn" {
+  description = "Event notification instance crn"
+  value       = module.event_notification.crn
+}
+
+output "guid" {
+  description = "Event Notification guid"
+  value       = module.event_notification.guid
+}
+
+output "service_credentials_json" {
+  description = "Service credentials json map"
+  value       = module.event_notification.service_credentials_json
+  sensitive   = true
+}
+
+output "service_credentials_object" {
+  description = "Service credentials json object"
+  value       = module.event_notification.service_credentials_object
+  sensitive   = true
+}

examples/fscloud/provider.tf

@@ -0,0 +1,8 @@
+##############################################################################
+# Provider config
+##############################################################################
+
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}

examples/fscloud/variables.tf

@@ -0,0 +1,47 @@
+##############################################################################
+# Input Variables
+##############################################################################
+
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API Key"
+  sensitive   = true
+}
+
+variable "resource_group" {
+  type        = string
+  description = "The name of an existing resource group to provision resources in to. If not set a new resource group will be created using the prefix variable"
+  default     = null
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix to append to all resources created by this example"
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
+}
+
+variable "region" {
+  type        = string
+  description = "Region to provision all resources created by this example, Event Notifications supported regions are: us-south (Dallas), eu-gb (London), eu-de (Frankfurt), au-syd (Sydney), eu-es (Madrid)"
+  default     = "us-south"
+}
+
+variable "existing_kms_instance_crn" {
+  description = "The CRN of the Hyper Protect Crypto Services. To ensure compliance with FSCloud standards, it is required to use HPCS only"
+  type        = string
+}
+
+variable "root_key_id" {
+  type        = string
+  description = "The Key ID of a root key, existing in the KMS instance passed in var.existing_kms_instance_crn, which will be used to encrypt the data encryption keys (DEKs) which are then used to encrypt the data."
+}
+
+variable "kms_endpoint_url" {
+  description = "The KMS endpoint URL to use when configuring KMS encryption."
+  type        = string
+}