feat: Root module updates:<br> * existing_kms_instance_guid is no longer a supported input. The code will now parse the GUID from the KMS key CRN<br> * added new input use_same_kms_key_for_backups to give more control over KMS key usage<br> * kms_encryption_enabled has been renamed to use_ibm_owned_encryption_key<br>* fscloud submodule updates:<br> * added new inputs use_default_backup_encryption_key and use_same_kms_key_for_backups (#320)

Author: jor2

README.md

@@ -5,7 +5,6 @@ CRA_TARGETS:
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
     PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3"         # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile).
     CRA_ENVIRONMENT_VARIABLES:
-      TF_VAR_existing_kms_instance_guid: "e6dce284-e80f-46e1-a3c1-830f7adff7a9"
       TF_VAR_kms_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533"
     # SCC_INSTANCE_ID: "" # The SCC instance ID to use to download profile for CRA scan. If not provided, a default global value will be used.
     # SCC_REGION: "" # The IBM Cloud region that the SCC instance is in. If not provided, a default global value will be used.

cra-config.yaml

@@ -14,6 +14,11 @@ module "resource_group" {
 # Key Protect All Inclusive
 ##############################################################################
 
+locals {
+  data_key_name    = "${var.prefix}-enterprisedb"
+  backups_key_name = "${var.prefix}-enterprisedb-backups"
+}
+
 module "key_protect_all_inclusive" {
   source            = "terraform-ibm-modules/kms-all-inclusive/ibm"
   version           = "4.19.2"
@@ -28,7 +33,11 @@ module "key_protect_all_inclusive" {
       key_ring_name = "icd-edb"
       keys = [
         {
-          key_name     = "${var.prefix}-edb"
+          key_name     = local.data_key_name
+          force_delete = true
+        },
+        {
+          key_name     = local.backups_key_name
           force_delete = true
         }
       ]
@@ -80,20 +89,27 @@ module "cbr_zone" {
 ##############################################################################
 
 module "enterprise_db" {
-  source                     = "../../"
-  resource_group_id          = module.resource_group.resource_group_id
-  name                       = "${var.prefix}-edb"
-  region                     = var.region
-  edb_version                = var.edb_version
-  admin_pass                 = var.admin_pass
-  users                      = var.users
-  kms_encryption_enabled     = true
-  kms_key_crn                = module.key_protect_all_inclusive.keys["icd-edb.${var.prefix}-edb"].crn
-  existing_kms_instance_guid = module.key_protect_all_inclusive.kms_guid
-  resource_tags              = var.resource_tags
-  service_credential_names   = var.service_credential_names
-  access_tags                = var.access_tags
-  member_host_flavor         = "b3c.4x16.encrypted"
+  source            = "../../"
+  resource_group_id = module.resource_group.resource_group_id
+  name              = "${var.prefix}-edb"
+  region            = var.region
+  edb_version       = var.edb_version
+  admin_pass        = var.admin_pass
+  users             = var.users
+  resource_tags     = var.resource_tags
+  # Example of how to use different KMS keys for data and backups
+  use_ibm_owned_encryption_key = false
+  use_same_kms_key_for_backups = false
+  kms_key_crn                  = module.key_protect_all_inclusive.keys["icd-edb.${var.prefix}-edb"].crn
+  backup_encryption_key_crn    = module.key_protect_all_inclusive.keys["icd.${local.data_key_name}"].crn
+  service_credential_names = {
+    "enterprisedb_admin" : "Administrator",
+    "enterprisedb_operator" : "Operator",
+    "enterprisedb_viewer" : "Viewer",
+    "enterprisedb_editor" : "Editor",
+  }
+  access_tags        = var.access_tags
+  member_host_flavor = "b3c.4x16.encrypted"
   configuration = {
     max_connections = 250
   }

examples/complete/main.tf

@@ -58,14 +58,3 @@ variable "users" {
   sensitive   = true
   description = "A list of users that you want to create on the database. Multiple blocks are allowed. The user password must be in the range of 10-32 characters."
 }
-
-variable "service_credential_names" {
-  description = "Map of name, role for service credentials that you want to create for the database"
-  type        = map(string)
-  default = {
-    "enterprise_db_admin" : "Administrator",
-    "enterprise_db_operator" : "Operator",
-    "enterprise_db_viewer" : "Viewer",
-    "enterprise_db_editor" : "Editor",
-  }
-}

examples/complete/variables.tf

@@ -54,20 +54,32 @@ module "cbr_zone" {
 ##############################################################################
 
 module "enterprise_db" {
-  source                     = "../../modules/fscloud"
-  resource_group_id          = module.resource_group.resource_group_id
-  name                       = "${var.prefix}-edb"
-  region                     = var.region
-  edb_version                = var.edb_version
-  kms_key_crn                = var.kms_key_crn
-  existing_kms_instance_guid = var.existing_kms_instance_guid
-  resource_tags              = var.resource_tags
-  service_credential_names   = var.service_credential_names
-  access_tags                = var.access_tags
-  auto_scaling               = var.auto_scaling
-  member_host_flavor         = "b3c.4x16.encrypted"
-  backup_encryption_key_crn  = var.backup_encryption_key_crn
-  backup_crn                 = var.backup_crn
+  source                    = "../../modules/fscloud"
+  resource_group_id         = module.resource_group.resource_group_id
+  name                      = "${var.prefix}-edb"
+  region                    = var.region
+  edb_version               = var.edb_version
+  resource_tags             = var.resource_tags
+  kms_key_crn               = var.kms_key_crn
+  backup_encryption_key_crn = var.backup_encryption_key_crn
+  backup_crn                = var.backup_crn
+  service_credential_names = {
+    "enterprisedb_admin" : "Administrator",
+    "enterprisedb_operator" : "Operator",
+    "enterprisedb_viewer" : "Viewer",
+    "enterprisedb_editor" : "Editor",
+  }
+  auto_scaling = {
+    disk = {
+      capacity_enabled : true,
+      io_enabled : true
+    }
+    memory = {
+      io_enabled : true,
+    }
+  }
+  member_host_flavor = "b3c.4x16.encrypted"
+  access_tags        = var.access_tags
   cbr_rules = [
     {
       description      = "${var.prefix}-edb access only from vpc"

examples/fscloud/main.tf

@@ -40,62 +40,11 @@ variable "edb_version" {
   default     = null
 }
 
-variable "existing_kms_instance_guid" {
-  description = "The GUID of the Hyper Protect Crypto services in which the key specified in var.kms_key_crn is coming from"
-  type        = string
-}
-
 variable "kms_key_crn" {
   type        = string
   description = "The root key CRN of a Hyper Protect Crypto Services (HPCS) that you want to use for disk encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs&interface=ui for more information on integrating HPCS with Enterprise database."
 }
 
-variable "service_credential_names" {
-  description = "Map of name, role for service credentials that you want to create for the database"
-  type        = map(string)
-  default = {
-    "enterprise_db_admin" : "Administrator",
-    "enterprise_db_operator" : "Operator",
-    "enterprise_db_viewer" : "Viewer",
-    "enterprise_db_editor" : "Editor",
-  }
-}
-
-variable "auto_scaling" {
-  type = object({
-    disk = object({
-      capacity_enabled             = optional(bool)
-      free_space_less_than_percent = optional(number)
-      io_above_percent             = optional(number)
-      io_enabled                   = optional(bool)
-      io_over_period               = optional(string)
-      rate_increase_percent        = optional(number)
-      rate_limit_mb_per_member     = optional(number)
-      rate_period_seconds          = optional(number)
-      rate_units                   = optional(string)
-    })
-    memory = object({
-      io_above_percent         = optional(number)
-      io_enabled               = optional(bool)
-      io_over_period           = optional(string)
-      rate_increase_percent    = optional(number)
-      rate_limit_mb_per_member = optional(number)
-      rate_period_seconds      = optional(number)
-      rate_units               = optional(string)
-    })
-  })
-  description = "Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://ibm.biz/autoscaling-considerations in the IBM Cloud Docs."
-  default = {
-    disk = {
-      capacity_enabled : true,
-      io_enabled : true
-    }
-    memory = {
-      io_enabled : true,
-    }
-  }
-}
-
 variable "backup_crn" {
   type        = string
   description = "The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty."