feat: add FSCloud profile submodule with example on how to use it (#85)

Author: Aashiq-J

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-12-11T13:50:58Z",
+  "generated_at": "2024-01-19T08:57:22Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -82,7 +82,7 @@
         "hashed_secret": "33da8d0e8af2efc260f01d8e5edfcc5c5aba44ad",
         "is_secret": true,
         "is_verified": false,
-        "line_number": 33,
+        "line_number": 36,
         "type": "Secret Keyword",
         "verified_result": null
       }

README.md

@@ -10,9 +10,12 @@
 <!-- BEGIN OVERVIEW HOOK -->
 ## Overview
 * [terraform-ibm-icd-elasticsearch](#terraform-ibm-icd-elasticsearch)
+* [Submodules](./modules)
+    * [fscloud](./modules/fscloud)
 * [Examples](./examples)
     * [Basic example](./examples/basic)
     * [Complete example with autoscaling, BYOK encryption, service credentials creation, index creation and updates to cluster-wide settings](./examples/complete)
+    * [Financial Services Cloud profile example with autoscaling enabled](./examples/fscloud)
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->
 

cra-config.yaml

@@ -1,11 +1,10 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "examples/complete" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
+  - CRA_TARGET: "examples/fscloud" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
-    # CRA_ENVIRONMENT_VARIABLES:  # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
-    #   TF_VAR_sample: "sample value"
-    #   TF_VAR_other:  "another value"
-    # SCC_INSTANCE_ID: "" # The SCC instance ID to use to download profile for CRA scan. If not provided, a default global value will be used.
-    # SCC_REGION: "" # The IBM Cloud region that the SCC instance is in. If not provided, a default global value will be used.
-    # PROFILE_ID: "" # The Profile ID input for CRA SCC scan. If not provided, a default global value will be used.
+    PROFILE_ID: "0e6e7b5a-817d-4344-ab6f-e5d7a9c49520"
+    CRA_ENVIRONMENT_VARIABLES:
+      TF_VAR_existing_at_instance_crn: "crn:v1:bluemix:public:logdnaat:eu-de:a/abac0df06b644a9cabc6e44f55b3880e:b1ef3365-dfbf-4d8f-8ac8-75f4f84d6f4a::"
+      TF_VAR_existing_kms_instance_guid: "e6dce284-e80f-46e1-a3c1-830f7adff7a9"
+      TF_VAR_kms_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533"

cra-tf-validate-ignore-rules.json

@@ -1,3 +1,10 @@
 {
-    "scc_rules": []
+    "scc_rules": [
+        {
+            "scc_rule_id": "rule-216e2449-27d7-4afc-929a-b66e196a9cf9",
+            "description": "Check whether Flow Logs for VPC are enabled",
+            "ignore_reason": "This rule is not relevant to the module itself, just the VPC resource is used in the example that is scanned",
+            "is_valid": false
+        }
+    ]
 }

examples/fscloud/README.md

@@ -0,0 +1,19 @@
+# Financial Services Cloud profile example with autoscaling enabled
+
+An end-to-end example that uses the [Profile for IBM Cloud Framework for Financial Services](https://github.com/terraform-ibm-modules/terraform-ibm-icd-elasticsearch/tree/main/modules/fscloud) to deploy an instance of IBM Cloud Databases for Elasticsearch.
+
+The example uses the IBM Cloud Terraform provider to create the following infrastructure:
+
+- A resource group, if one is not passed in.
+- An IAM authorization between all Elasticsearch database instances in the given resource group, and the Hyper Protect Crypto Services instance that is passed in.
+- An IBM Cloud Databases Elasticsearch database instance that is encrypted with the Hyper Protect Crypto Services root key that is passed in.
+- Autoscaling rules for the IBM Cloud Databases Elasticsearch database instance.
+- Service Credentials for the Elasticsearch database instance.
+- A sample virtual private cloud (VPC).
+- A context-based restriction (CBR) rule to only allow Elasticsearch to be accessible from within the VPC.
+
+:exclamation: **Important:** In this example, only the IBM Cloud Databases for Elasticsearch instance complies with the IBM Cloud Framework for Financial Services. Other parts of the infrastructure do not necessarily comply.
+
+## Before you begin
+
+- You need a Hyper Protect Crypto Services instance and root key available in the region that you want to deploy your Elasticsearch database instance to.

examples/fscloud/main.tf

@@ -0,0 +1,86 @@
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.4"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##############################################################################
+# Get Cloud Account ID
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+##############################################################################
+# VPC
+##############################################################################
+resource "ibm_is_vpc" "example_vpc" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+resource "ibm_is_subnet" "testacc_subnet" {
+  name                     = "${var.prefix}-subnet"
+  vpc                      = ibm_is_vpc.example_vpc.id
+  zone                     = "${var.region}-1"
+  total_ipv4_address_count = 256
+  resource_group           = module.resource_group.resource_group_id
+}
+
+##############################################################################
+# Create CBR Zone
+##############################################################################
+module "cbr_zone" {
+  source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
+  version          = "1.17.1"
+  name             = "${var.prefix}-VPC-network-zone"
+  zone_description = "CBR Network zone containing VPC"
+  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  addresses = [{
+    type  = "vpc", # to bind a specific vpc to the zone
+    value = ibm_is_vpc.example_vpc.crn,
+  }]
+}
+
+##############################################################################
+# ICD elasticsearch database
+##############################################################################
+
+module "elasticsearch" {
+  source                     = "../../modules/fscloud"
+  resource_group_id          = module.resource_group.resource_group_id
+  name                       = "${var.prefix}-elasticsearch"
+  region                     = var.region
+  tags                       = var.resource_tags
+  access_tags                = var.access_tags
+  kms_key_crn                = var.kms_key_crn
+  existing_kms_instance_guid = var.existing_kms_instance_guid
+  elasticsearch_version      = var.elasticsearch_version
+  service_credential_names   = var.service_credential_names
+  auto_scaling               = var.auto_scaling
+  cbr_rules = [
+    {
+      description      = "${var.prefix}-elasticsearch access only from vpc"
+      enforcement_mode = "enabled"
+      account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+      rule_contexts = [{
+        attributes = [
+          {
+            "name" : "endpointType",
+            "value" : "private"
+          },
+          {
+            name  = "networkZoneId"
+            value = module.cbr_zone.zone_id
+        }]
+      }]
+    }
+  ]
+}

examples/fscloud/outputs.tf

@@ -0,0 +1,27 @@
+##############################################################################
+# Outputs
+##############################################################################
+output "id" {
+  description = "Elasticsearch instance id"
+  value       = module.elasticsearch.id
+}
+
+output "guid" {
+  description = "Elasticsearch instance guid"
+  value       = module.elasticsearch.guid
+}
+
+output "version" {
+  description = "Elasticsearch instance version"
+  value       = module.elasticsearch.version
+}
+
+output "hostname" {
+  description = "Database hostname. Only contains value when var.service_credential_names or var.users are set."
+  value       = module.elasticsearch.hostname
+}
+
+output "port" {
+  description = "Database port. Only contains value when var.service_credential_names or var.users are set."
+  value       = module.elasticsearch.port
+}

examples/fscloud/provider.tf

@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}

examples/fscloud/variables.tf

@@ -0,0 +1,97 @@
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API Key"
+  sensitive   = true
+}
+
+variable "region" {
+  type        = string
+  description = "Region to provision all resources created by this example"
+  default     = "us-south"
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix to append to all resources created by this example"
+  default     = "fs-cloud"
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
+}
+
+variable "access_tags" {
+  type        = list(string)
+  description = "A list of access tags to apply to the Elasticsearch instance created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details"
+  default     = []
+}
+
+variable "existing_kms_instance_guid" {
+  description = "The GUID of the Hyper Protect Crypto service in which the key specified in var.kms_key_crn is coming from"
+  type        = string
+}
+
+variable "kms_key_crn" {
+  type        = string
+  description = "The root key CRN of a Hyper Protect Crypto Service (HPCS) that you want to use for disk encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs&interface=ui for more information on integrating HPCS with Elasticsearch instance."
+}
+
+variable "elasticsearch_version" {
+  type        = string
+  description = "Version of the Elasticsearch instance. If no value is passed, the current preferred version of IBM Cloud Databases is used."
+  default     = null
+}
+
+variable "service_credential_names" {
+  description = "Map of name, role for service credentials that you want to create for the database"
+  type        = map(string)
+  default = {
+    "elasticsearch_admin" : "Administrator",
+    "elasticsearch_operator" : "Operator",
+    "elasticsearch_viewer" : "Viewer",
+    "elasticsearch_editor" : "Editor",
+  }
+}
+
+variable "auto_scaling" {
+  type = object({
+    disk = object({
+      capacity_enabled             = optional(bool)
+      free_space_less_than_percent = optional(number)
+      io_above_percent             = optional(number)
+      io_enabled                   = optional(bool)
+      io_over_period               = optional(string)
+      rate_increase_percent        = optional(number)
+      rate_limit_mb_per_member     = optional(number)
+      rate_period_seconds          = optional(number)
+      rate_units                   = optional(string)
+    })
+    memory = object({
+      io_above_percent         = optional(number)
+      io_enabled               = optional(bool)
+      io_over_period           = optional(string)
+      rate_increase_percent    = optional(number)
+      rate_limit_mb_per_member = optional(number)
+      rate_period_seconds      = optional(number)
+      rate_units               = optional(string)
+    })
+  })
+  description = "Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-autoscaling&interface=cli#autoscaling-considerations in the IBM Cloud Docs."
+  default = {
+    disk = {
+      capacity_enabled : true,
+      io_enabled : true
+    }
+    memory = {
+      io_enabled : true,
+    }
+  }
+}

examples/fscloud/version.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.0, <1.6.0"
+  required_providers {
+    # Use latest version of provider in non-basic examples to verify latest version works with module
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = ">= 1.56.1"
+    }
+  }
+}