Security enforced variation + variable validation

Author: whoffler

cra-config.yaml

@@ -1,12 +1,11 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "solutions/standard" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
+  - CRA_TARGET: "solutions/fully-configurable" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
     PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3"  # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile).
     CRA_ENVIRONMENT_VARIABLES:
       TF_VAR_existing_kms_instance_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9::"
       TF_VAR_existing_kms_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533"
       TF_VAR_provider_visibility: "public"
-      TF_VAR_resource_group_name: "test-es-cra"
-      TF_VAR_use_existing_resource_group: false
+      TF_VAR_existing_resource_group_name: "geretain-test-elasticsearch"

ibm_catalog.json

@@ -22,7 +22,7 @@
         "nosql"
       ],
       "short_description": "Creates and configures an instance of IBM Cloud Databases for Elasticsearch.",
-      "long_description": "This architecture supports creating and configuring an instance of Databases for Elasticsearch with KMS encryption.",
+      "long_description": "This architecture supports creating and configuring an instance of [Databases for Elasticsearch](https://www.ibm.com/products/databases-for-elasticsearch), with optional KMS encryption. This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) asset collection, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.",
       "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-icd-elasticsearch/blob/main/README.md",
       "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-icd-elasticsearch/main/images/elasticsearch_icon.svg",
       "provider_name": "IBM",
@@ -183,7 +183,7 @@
               ]
             },
             {
-              "key": "name"
+              "key": "elasticsearch_name"
             },
             {
               "key": "existing_elasticsearch_instance_crn"
@@ -202,7 +202,17 @@
               ]
             },
             {
-              "key": "service_endpoints"
+              "key": "service_endpoints",
+              "options": [
+                {
+                  "displayname": "private",
+                  "value": "private"
+                },
+                {
+                  "displayname": "public",
+                  "value": "public"
+                }
+              ]
             },
             {
               "key": "elasticsearch_version",
@@ -228,7 +238,7 @@
               ]
             },
             {
-              "key": "tags"
+              "key": "elasticsearch_tags"
             },
             {
               "key": "elasticsearch_access_tags"
@@ -333,7 +343,7 @@
               "key": "skip_es_kms_auth_policy"
             },
             {
-              "key": "backup_crn"
+              "key": "elasticsearch_backup_crn"
             },
             {
               "key": "enable_elser_model"
@@ -399,10 +409,10 @@
           ]
         },
         {
-          "label": "Fully configurable",
-          "name": "fully-configurable",
+          "label": "Security Enforced",
+          "name": "security-enforced",
           "install_type": "fullstack",
-          "working_directory": "solutions/fully-configurable",
+          "working_directory": "solutions/security-enforced",
           "compliance": {
             "authority": "scc-v3",
             "profiles": [
@@ -443,23 +453,6 @@
             {
               "key": "ibmcloud_api_key"
             },
-            {
-              "key": "provider_visibility",
-              "options": [
-                {
-                  "displayname": "private",
-                  "value": "private"
-                },
-                {
-                  "displayname": "public",
-                  "value": "public"
-                },
-                {
-                  "displayname": "public-and-private",
-                  "value": "public-and-private"
-                }
-              ]
-            },
             {
               "key": "existing_resource_group_name",
               "required": true,
@@ -532,7 +525,7 @@
               ]
             },
             {
-              "key": "name"
+              "key": "elasticsearch_name"
             },
             {
               "key": "existing_elasticsearch_instance_crn"
@@ -550,9 +543,6 @@
                 }
               ]
             },
-            {
-              "key": "service_endpoints"
-            },
             {
               "key": "elasticsearch_version",
               "required": false,
@@ -577,7 +567,7 @@
               ]
             },
             {
-              "key": "tags"
+              "key": "elasticsearch_tags"
             },
             {
               "key": "elasticsearch_access_tags"
@@ -612,19 +602,6 @@
             {
               "key": "existing_secrets_manager_instance_crn"
             },
-            {
-              "key": "existing_secrets_manager_endpoint_type",
-              "options": [
-                {
-                  "displayname": "public",
-                  "value": "public"
-                },
-                {
-                  "displayname": "private",
-                  "value": "private"
-                }
-              ]
-            },
             {
               "key": "service_credential_secrets"
             },
@@ -643,19 +620,6 @@
             {
               "key": "ibmcloud_kms_api_key"
             },
-            {
-              "key": "kms_endpoint_type",
-              "options": [
-                {
-                  "displayname": "public",
-                  "value": "public"
-                },
-                {
-                  "displayname": "private",
-                  "value": "private"
-                }
-              ]
-            },
             {
               "key": "use_ibm_owned_encryption_key"
             },
@@ -682,7 +646,7 @@
               "key": "skip_es_kms_auth_policy"
             },
             {
-              "key": "backup_crn"
+              "key": "elasticsearch_backup_crn"
             },
             {
               "key": "enable_elser_model"
@@ -725,23 +689,6 @@
             {
               "key": "kibana_image_port"
             },
-            {
-              "key": "kibana_visibility",
-              "options": [
-                {
-                  "displayname": "local_public",
-                  "value": "local_public"
-                },
-                {
-                  "displayname": "local_private",
-                  "value": "local_private"
-                },
-                {
-                  "displayname": "local",
-                  "value": "local"
-                }
-              ]
-            },
             {
               "key": "cbr_rules"
             }

solutions/fully-configurable/README.md

@@ -1,4 +1,7 @@
-# IBM Cloud Databases for Elasticsearch
+# IBM Cloud Databases for Elasticsearch (Fully Configurable)
+
+## Prerequisites
+- An existing resource group
 
 This architecture creates an instance of IBM Cloud Databases for Elasticsearch and supports provisioning of the following resources:
 

solutions/fully-configurable/catalogValidationValues.json.template

@@ -1,8 +1,8 @@
 {
   "ibmcloud_api_key": $VALIDATION_APIKEY,
   "region": "us-south",
-  "tags": $TAGS,
-  "name": $PREFIX,
+  "elasticsearch_tags": $TAGS,
+  "elasticsearch_name": $PREFIX,
   "existing_resource_group_name": "geretain-test-permanent",
   "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN
 }

solutions/fully-configurable/main.tf

@@ -278,7 +278,7 @@ module "elasticsearch" {
   source                            = "../.."
   depends_on                        = [time_sleep.wait_for_authorization_policy, time_sleep.wait_for_backup_kms_authorization_policy]
   resource_group_id                 = module.resource_group.resource_group_id
-  name                              = (var.prefix != null && var.prefix != "") ? "${var.prefix}-${var.name}" : var.name
+  name                              = (var.prefix != null && var.prefix != "") ? "${var.prefix}-${var.elasticsearch_name}" : var.elasticsearch_name
   region                            = var.region
   plan                              = var.plan
   skip_iam_authorization_policy     = var.skip_es_kms_auth_policy
@@ -289,9 +289,9 @@ module "elasticsearch" {
   backup_encryption_key_crn         = local.backup_kms_key_crn
   use_same_kms_key_for_backups      = local.use_same_kms_key_for_backups
   use_default_backup_encryption_key = var.use_default_backup_encryption_key
-  backup_crn                        = var.backup_crn
+  backup_crn                        = var.elasticsearch_backup_crn
   access_tags                       = var.elasticsearch_access_tags
-  tags                              = var.tags
+  tags                              = var.elasticsearch_tags
   admin_pass                        = local.admin_pass
   users                             = var.users
   members                           = var.members
@@ -322,14 +322,6 @@ locals {
 #######################################################################################################################
 
 locals {
-  ## Variable validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
-  # tflint-ignore: terraform_unused_declarations
-  validate_sm_crn = length(local.service_credential_secrets) > 0 && var.existing_secrets_manager_instance_crn == null ? tobool("`existing_secrets_manager_instance_crn` is required when adding service credentials to a secrets manager secret.") : false
-  # tflint-ignore: terraform_unused_declarations
-  validate_sm_sg = var.existing_secrets_manager_instance_crn != null && var.admin_pass_secrets_manager_secret_group == null ? tobool("`admin_pass_secrets_manager_secret_group` is required when `existing_secrets_manager_instance_crn` is set.") : false
-  # tflint-ignore: terraform_unused_declarations
-  validate_sm_sn = var.existing_secrets_manager_instance_crn != null && var.admin_pass_secrets_manager_secret_name == null ? tobool("`admin_pass_secrets_manager_secret_name` is required when `existing_secrets_manager_instance_crn` is set.") : false
-
   create_sm_auth_policy = var.skip_elasticsearch_to_secrets_manager_auth_policy || var.existing_secrets_manager_instance_crn == null ? 0 : 1
 }
 

solutions/fully-configurable/outputs.tf

@@ -59,3 +59,19 @@ output "kibana_app_endpoint" {
   description = "Code Engine Kibana endpoint URL"
   value       = var.enable_kibana_dashboard ? module.code_engine_kibana[0].app[local.code_engine_app_name].endpoint : null
 }
+
+output "cbr_rule_ids" {
+  description = "CBR rule ids created to restrict Elasticsearch"
+  value       = module.elasticsearch[0].cbr_rule_ids != null ? module.elasticsearch[0].cbr_rule_ids : null
+}
+
+output "adminuser" {
+  description = "Database admin user name"
+  value       = module.elasticsearch[0].adminuser != null ? module.elasticsearch[0].adminuser : null
+}
+
+output "certificate_base64" {
+  description = "Database connection certificate"
+  value       = module.elasticsearch[0].certificate_base64 != null ? module.elasticsearch[0].certificate_base64 : null
+  sensitive   = true
+}