feat: Added feature to add CBR for Kibana app and other security issues (#476)

* feat: added proper user for kibana app

* added cbr for kibana

* updated var des

* fixed cra

* updated kibana setup

* updated kibana setup

* addressed review comments

* addressed review comments

* addressed review comments

* addressed review comments

* cda

* Revert "addressed review comments"

This reverts commit 414f320.

* fixes

* fixes

* updated kibana system pw

* updated catalog

---------

Co-authored-by: shemau <[email protected]>

Author: Ak-sky

README.md

@@ -136,6 +136,7 @@ You need the following permissions to run this module.
 | <a name="output_port"></a> [port](#output\_port) | Database connection port |
 | <a name="output_service_credentials_json"></a> [service\_credentials\_json](#output\_service\_credentials\_json) | Service credentials json map |
 | <a name="output_service_credentials_object"></a> [service\_credentials\_object](#output\_service\_credentials\_object) | Service credentials object |
+| <a name="output_users_credentials"></a> [users\_credentials](#output\_users\_credentials) | Database user credentials |
 | <a name="output_version"></a> [version](#output\_version) | Elasticsearch version |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

ibm_catalog.json

@@ -446,19 +446,22 @@
               "key": "kibana_image_port"
             },
             {
-              "key": "kibana_image_secret"
+              "key": "cbr_code_engine_kibana_project_rules"
             },
             {
-              "key": "kibana_registry_personal_access_token"
+              "key": "use_private_registry"
             },
             {
-              "key": "kibana_registry_server"
+              "key": "kibana_image_secret"
             },
             {
               "key": "kibana_registry_username"
             },
             {
-              "key": "use_private_registry"
+              "key": "kibana_registry_personal_access_token"
+            },
+            {
+              "key": "kibana_registry_server"
             },
             {
               "key": "kibana_visibility",

modules/fscloud/README.md

@@ -74,5 +74,6 @@ No resources.
 | <a name="output_port"></a> [port](#output\_port) | Database connection port |
 | <a name="output_service_credentials_json"></a> [service\_credentials\_json](#output\_service\_credentials\_json) | Service credentials json map |
 | <a name="output_service_credentials_object"></a> [service\_credentials\_object](#output\_service\_credentials\_object) | Service credentials object |
+| <a name="output_users_credentials"></a> [users\_credentials](#output\_users\_credentials) | Database user credentials |
 | <a name="output_version"></a> [version](#output\_version) | Elasticsearch instance version |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/fscloud/outputs.tf

@@ -59,3 +59,9 @@ output "certificate_base64" {
   value       = module.elasticsearch.certificate_base64
   sensitive   = true
 }
+
+output "users_credentials" {
+  description = "Database user credentials"
+  value       = module.elasticsearch.users_credentials
+  sensitive   = true
+}

outputs.tf

@@ -44,6 +44,12 @@ output "adminuser" {
   value       = ibm_database.elasticsearch.adminuser
 }
 
+output "users_credentials" {
+  description = "Database user credentials"
+  value       = ibm_database.elasticsearch.users
+  sensitive   = true
+}
+
 output "hostname" {
   description = "Database connection hostname"
   value       = data.ibm_database_connection.database_connection.https[0].hosts[0].hostname

solutions/fully-configurable/main.tf

@@ -273,6 +273,20 @@ data "ibm_database_connection" "existing_connection" {
   user_type     = "database"
 }
 
+locals {
+  kibana_users = [{
+    name     = "kibana_user"
+    password = local.kibana_app_login_password
+    type     = "database"
+    },
+    {
+      name     = "kibana_system"
+      password = local.kibana_system_password
+  }]
+
+  all_users = local.kibana_app_login_password != null ? concat(var.users, local.kibana_users) : var.users
+}
+
 # Create new instance
 module "elasticsearch" {
   count                             = var.existing_elasticsearch_instance_crn != null ? 0 : 1
@@ -292,7 +306,7 @@ module "elasticsearch" {
   access_tags                       = var.access_tags
   tags                              = var.resource_tags
   admin_pass                        = local.admin_pass
-  users                             = var.users
+  users                             = local.all_users
   members                           = var.members
   member_host_flavor                = var.member_host_flavor
   memory_mb                         = var.member_memory_mb
@@ -412,11 +426,29 @@ module "secrets_manager_service_credentials" {
 # Code Engine Kibana Dashboard instance
 ########################################################################################################################
 
+resource "random_password" "kibana_system_password" {
+  count            = var.enable_kibana_dashboard ? 1 : 0
+  length           = 32
+  special          = true
+  override_special = "-_"
+  min_numeric      = 1
+}
+
+resource "random_password" "kibana_app_login_password" {
+  count            = var.enable_kibana_dashboard ? 1 : 0
+  length           = 32
+  special          = true
+  override_special = "-_"
+  min_numeric      = 1
+}
+
 locals {
-  code_engine_project_id   = var.existing_code_engine_project_id != null ? var.existing_code_engine_project_id : null
-  code_engine_project_name = local.code_engine_project_id != null ? null : "${local.prefix}${var.kibana_code_engine_new_project_name}"
-  code_engine_app_name     = "${local.prefix}${var.kibana_code_engine_new_app_name}"
-  kibana_version           = var.enable_kibana_dashboard ? jsondecode(data.http.es_metadata[0].response_body).version.number : null
+  code_engine_project_id    = var.existing_code_engine_project_id != null ? var.existing_code_engine_project_id : null
+  code_engine_project_name  = local.code_engine_project_id != null ? null : (var.prefix != null && var.prefix != "") ? "${var.prefix}-${var.kibana_code_engine_new_project_name}" : var.kibana_code_engine_new_project_name
+  code_engine_app_name      = (var.prefix != null && var.prefix != "") ? "${var.prefix}-${var.kibana_code_engine_new_app_name}" : var.kibana_code_engine_new_app_name
+  kibana_version            = var.enable_kibana_dashboard ? jsondecode(data.http.es_metadata[0].response_body).version.number : null
+  kibana_system_password    = var.enable_kibana_dashboard ? random_password.kibana_system_password[0].result : null
+  kibana_app_login_password = var.enable_kibana_dashboard ? random_password.kibana_app_login_password[0].result : null
 }
 
 data "http" "es_metadata" {
@@ -432,12 +464,13 @@ module "code_engine_kibana" {
   resource_group_id   = module.resource_group.resource_group_id
   project_name        = local.code_engine_project_name
   existing_project_id = local.code_engine_project_id
+  cbr_rules           = var.cbr_code_engine_kibana_project_rules
   secrets = merge(
     {
       "es-secret" = {
         format = "generic"
         data = {
-          "ELASTICSEARCH_PASSWORD" = local.admin_pass
+          "ELASTICSEARCH_PASSWORD" = local.kibana_system_password
         }
       }
     },
@@ -466,7 +499,7 @@ module "code_engine_kibana" {
         {
           type  = "literal"
           name  = "ELASTICSEARCH_USERNAME"
-          value = local.elasticsearch_username
+          value = "kibana_system"
         },
         {
           type      = "secret_key_reference"

solutions/fully-configurable/outputs.tf

@@ -60,6 +60,14 @@ output "kibana_app_endpoint" {
   value       = var.enable_kibana_dashboard ? module.code_engine_kibana[0].app[local.code_engine_app_name].endpoint : null
 }
 
+output "user_credentials" {
+  description = "Kibana/database user credentials for Elasticsearch"
+  value = var.enable_kibana_dashboard ? {
+    for user in module.elasticsearch[0].users_credentials : user.name => user.password
+    if user.name != "kibana_system"
+  } : null
+  sensitive = true
+}
 output "cbr_rule_ids" {
   description = "CBR rule ids created to restrict Elasticsearch"
   value       = var.existing_elasticsearch_instance_crn != null ? null : module.elasticsearch[0].cbr_rule_ids

solutions/fully-configurable/variables.tf

@@ -583,3 +583,23 @@ variable "cbr_rules" {
   description = "(Optional, list) List of context-based restrictions rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-elasticsearch/tree/main/solutions/fully-configurable/DA-cbr_rules.md)"
   default     = []
 }
+
+variable "cbr_code_engine_kibana_project_rules" {
+  type = list(object({
+    description = string
+    account_id  = string
+    rule_contexts = list(object({
+      attributes = optional(list(object({
+        name  = string
+        value = string
+    }))) }))
+    enforcement_mode = string
+    operations = optional(list(object({
+      api_types = list(object({
+        api_type_id = string
+      }))
+    })))
+  }))
+  description = "(Optional, list) List of context-based restrictions rules to create for the Kibana dashboard and it is only applicable if `enable_kibana_dashboard` is true. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-elasticsearch/tree/main/solutions/standard/DA-cbr_rules.md)"
+  default     = []
+}