diff --git a/.secrets.baseline b/.secrets.baseline
index 35efb212..fc3f2ffb 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "go.sum|^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2025-02-05T07:22:24Z",
+ "generated_at": "2025-02-13T14:40:55Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
diff --git a/README.md b/README.md
index b396e37d..39a39bf8 100644
--- a/README.md
+++ b/README.md
@@ -95,7 +95,7 @@ You need the following permissions to run this module.
 | [auto\_scaling](#input\_auto\_scaling) | The rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-autoscaling&interface=cli#autoscaling-considerations). |
object({
disk = object({
capacity_enabled = optional(bool, false)
free_space_less_than_percent = optional(number, 10)
io_above_percent = optional(number, 90)
io_enabled = optional(bool, false)
io_over_period = optional(string, "15m")
rate_increase_percent = optional(number, 10)
rate_limit_mb_per_member = optional(number, 3670016)
rate_period_seconds = optional(number, 900)
rate_units = optional(string, "mb")
})
memory = object({
io_above_percent = optional(number, 90)
io_enabled = optional(bool, false)
io_over_period = optional(string, "15m")
rate_increase_percent = optional(number, 10)
rate_limit_mb_per_member = optional(number, 114688)
rate_period_seconds = optional(number, 900)
rate_units = optional(string, "mb")
})
})
| `null` | no |
 | [backup\_crn](#input\_backup\_crn) | The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after both provisioning is complete and the new deployment that uses that data starts. Specify a backup CRN is in the format `crn:v1:<...>:backup:`. If not specified, the database is provisioned empty. | `string` | `null` | no |
 | [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false and `use_same_kms_key_for_backups` is false. If no value is passed, and `use_same_kms_key_for_backups` is true, the value of `kms_key_crn` is used. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `string` | `null` | no |
-| [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create. |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
}))
| `[]` | no |
+| [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of context-based restrictions rules to create. |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no |
 | [elasticsearch\_version](#input\_elasticsearch\_version) | The version of Databases for Elasticsearch to deploy. Possible values: `8.7`, `8.10`, `8.12`, `8.15` which requires an Enterprise Platinum pricing plan. If no value is specified, the current preferred version for IBM Cloud Databases is used. | `string` | `null` | no |
 | [elser\_model\_type](#input\_elser\_model\_type) | Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html) | `string` | `".elser_model_2_linux-x86_64"` | no |
 | [enable\_elser\_model](#input\_enable\_elser\_model) | Set it to true to install and start the Elastic's Natural Language Processing model. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch) | `bool` | `false` | no |
diff --git a/ibm_catalog.json b/ibm_catalog.json
index e731a84c..6090b19b 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -376,6 +376,9 @@
 "value": "local"
 }
 ]
+ },
+ {
+ "key": "cbr_rules"
 }
 ]
 }
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
index d3128ce7..e5afb351 100644
--- a/modules/fscloud/README.md
+++ b/modules/fscloud/README.md
@@ -35,7 +35,7 @@ No resources.
 | [auto\_scaling](#input\_auto\_scaling) | Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-autoscaling&interface=cli#autoscaling-considerations in the IBM Cloud Docs. |
object({
disk = object({
capacity_enabled = optional(bool, false)
free_space_less_than_percent = optional(number, 10)
io_above_percent = optional(number, 90)
io_enabled = optional(bool, false)
io_over_period = optional(string, "15m")
rate_increase_percent = optional(number, 10)
rate_limit_mb_per_member = optional(number, 3670016)
rate_period_seconds = optional(number, 900)
rate_units = optional(string, "mb")
})
memory = object({
io_above_percent = optional(number, 90)
io_enabled = optional(bool, false)
io_over_period = optional(string, "15m")
rate_increase_percent = optional(number, 10)
rate_limit_mb_per_member = optional(number, 114688)
rate_period_seconds = optional(number, 900)
rate_units = optional(string, "mb")
})
})
| `null` | no |
 | [backup\_crn](#input\_backup\_crn) | The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty. | `string` | `null` | no |
 | [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false and `use_same_kms_key_for_backups` is false. If no value is passed, and `use_same_kms_key_for_backups` is true, the value of `kms_key_crn` is used. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `string` | `null` | no |
-| [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
}))
| `[]` | no |
+| [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of context-based restrictions rules to create. |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no |
 | [elasticsearch\_version](#input\_elasticsearch\_version) | Version of the Elasticsearch instance. If no value is passed, the current preferred version of IBM Cloud Databases is used. | `string` | `null` | no |
 | [elser\_model\_type](#input\_elser\_model\_type) | Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html) | `string` | `".elser_model_2_linux-x86_64"` | no |
 | [enable\_elser\_model](#input\_enable\_elser\_model) | Set it to true to install and start the Elastic's Natural Language Processing model. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch) | `bool` | `false` | no |
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
index 09b9b69b..2c092047 100644
--- a/modules/fscloud/variables.tf
+++ b/modules/fscloud/variables.tf
@@ -195,10 +195,14 @@ variable "cbr_rules" {
 value = string
 }))) }))
 enforcement_mode = string
+ operations = optional(list(object({
+ api_types = list(object({
+ api_type_id = string
+ }))
+ })))
 }))
- description = "(Optional, list) List of CBR rules to create"
+ description = "(Optional, list) List of context-based restrictions rules to create."
 default = []
- # Validation happens in the rule module
 }
 ##############################################################
diff --git a/solutions/standard/DA-cbr_rules.md b/solutions/standard/DA-cbr_rules.md
new file mode 100644
index 00000000..d38dcda3
--- /dev/null
+++ b/solutions/standard/DA-cbr_rules.md
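Review bot: The hunk deletes the `# Validation happens in the rule module` comment under `default = []`, while the matching hunk in the root `variables.tf` at the end of this diff keeps it, so the two copies of `cbr_rules` now disagree about where `enforcement_mode` and the newly added `operations` values are checked. Keep the line, `# Validation happens in the rule module`, so a maintainer of the fscloud profile still sees that this module accepts any string for `enforcement_mode` and relies on the downstream rule module to reject bad values. The `variable "cbr_rules"` block opens before the hunk.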
@@ -0,0 +1,61 @@
+# Configuring complex inputs for ICD Elastic Search in IBM Cloud projects
+
+Several optional input variables in the IBM Cloud [ICD Elastic search Deployable Architecture](https://cloud.ibm.com/catalog#deployable_architecture) use complex object types. You specify these inputs when you configure deployable architecture.
+
+* Context-Based Restrictions Rules (`cbr_rules`)
+
+
+## Rules For Context-Based Restrictions
+
+The `cbr_rules` input variable allows you to provide a rule for the target service to enforce access restrictions for the service based on the context of access requests. Contexts are criteria that include the network location of access requests, the endpoint type from where the request is sent, etc.
+
+- Variable name: `cbr_rules`.
+- Type: A list of objects. Allows only one object representing a rule for the target service
+- Default value: An empty list (`[]`).
+
+### Options for cbr_rules
+
+ - `description` (required): The description of the rule to create.
+ - `account_id` (required): The IBM Cloud Account ID
+ - `rule_contexts` (required): (List) The contexts the rule applies to
+ - `attributes` (optional): (List) Individual context attributes
+ - `name` (required): The attribute name.
+ - `value`(required): The attribute value.
+
+ - `enforcement_mode` (required): The rule enforcement mode can have the following values:
+ - `enabled` - The restrictions are enforced and reported. This is the default.
+ - `disabled` - The restrictions are disabled. Nothing is enforced or reported.
+ - `report` - The restrictions are evaluated and reported, but not enforced.
+ - `operations` (optional): The operations this rule applies to
+ - `api_types`(required): (List) The API types this rule applies to.
+ - `api_type_id`(required):The API type ID
+
+
+### Example Rule For Context-Based Restrictions Configuration
+
+```hcl
+cbr_rules = [
+ {
+ "description" : "SCC Instance can be accessed from xyz"
+ "account_id" : "defc0df06b644a9cabc6e44f55b3880s."
+ "rule_contexts" : [{
+ "attributes" : [
+ {
+ "name" : "endpointType",
+ "value" : "private"
+ },
+ {
+ "name" : "networkZoneId"
+ "value" : "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret
+ }
+ ]
+ }]
+ "enforcement_mode" : "enabled"
+ "operations" : [{
+ "api_types" : [{
+ "api_type_id" : "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+ }]
+ }]
+ }
+]
+```
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index a14a3030..b81a5cd2 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
@@ -316,6 +316,7 @@ module "elasticsearch" {
 service_credential_names = var.service_credential_names
 enable_elser_model = var.enable_elser_model
 elser_model_type = var.elser_model_type
+ cbr_rules = var.cbr_rules
 }
 locals {
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index 9c375023..0a9a2e6e 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -394,3 +394,27 @@ variable "kibana_visibility" {
 error_message = "Valid values are 'local_public', 'local_private', or 'local'."
 }
 }
+
+##############################################################
+# Context-based restriction (CBR)
+##############################################################
+
+variable "cbr_rules" {
+ type = list(object({
+ description = string
+ account_id = string
+ rule_contexts = list(object({
+ attributes = optional(list(object({
+ name = string
+ value = string
+ }))) }))
+ enforcement_mode = string
+ operations = optional(list(object({
+ api_types = list(object({
+ api_type_id = string
+ }))
+ })))
+ }))
+ description = "(Optional, list) List of context-based restrictions rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-elasticsearch/tree/main/solutions/standard/DA-cbr_rules.md)"
+ default = []
+}
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 7e201953..dc6996e8 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -3,6 +3,12 @@ package test
 import (
 "fmt"
+ "log"
+ "math/rand"
+ "os"
+ "strings"
+ "testing"
+
 "github.com/gruntwork-io/terratest/modules/files"
 "github.com/gruntwork-io/terratest/modules/logger"
 "github.com/gruntwork-io/terratest/modules/random"
@@ -13,11 +19,6 @@ import (
 "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/common"
 "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
 "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testschematic"
- "log"
- "math/rand"
- "os"
- "strings"
- "testing"
 )
 const completeExampleTerraformDir = "examples/complete"
diff --git a/variables.tf b/variables.tf
index 871468aa..cf93a452 100644
--- a/variables.tf
+++ b/variables.tf
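Review bot: The new `cbr_rules` variable accepts any string for `enforcement_mode`, although the DA-cbr_rules.md added in this same commit documents only `enabled`, `disabled` and `report`, and the `kibana_visibility` variable whose closing braces open this hunk already validates its values with a `validation` block and a clear `error_message`; a typo in the mode would otherwise surface only when the downstream rule module runs, and a value such as `report` leaves the deployment unprotected without any plan-time signal. The same document says the list "Allows only one object representing a rule", which nothing in the type or the variable enforces, so either that sentence should be dropped or a `length(var.cbr_rules) <= 1` condition belongs here alongside the mode check. A validation block in the style this file already uses would look like the fence below.

```hcl
variable "cbr_rules" {
  # … unchanged: type, description, default …

  validation {
    condition     = alltrue([for rule in var.cbr_rules : contains(["enabled", "disabled", "report"], rule.enforcement_mode)])
    error_message = "Valid values for enforcement_mode are 'enabled', 'disabled', or 'report'."
  }
}
```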
@@ -244,8 +244,13 @@ variable "cbr_rules" {
 value = string
 }))) }))
 enforcement_mode = string
+ operations = optional(list(object({
+ api_types = list(object({
+ api_type_id = string
+ }))
+ })))
 }))
- description = "The list of context-based restriction rules to create."
+ description = "(Optional, list) List of context-based restrictions rules to create."
 default = []
 # Validation happens in the rule module
 }
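Review bot: The new description `(Optional, list) List of context-based restrictions rules to create.` departs from the wording the other root inputs use in the README.md hunk of this diff (`The CRN of …`, `The version of …`), reads awkwardly as "restrictions rules", and its `(Optional, list)` prefix repeats what `default = []` and the type already express. Something like `description = "The list of context-based restriction rules to create. Each rule can optionally be limited to specific API types through its operations block."` keeps the house style and documents the field this hunk adds. Note also that `operations` is declared `optional(...)` without a default, so a rule that omits it reaches the rule module as `null` rather than an empty list; whether that module tolerates `null` cannot be seen from here, and giving the attribute a default of `[]` would remove the question. The `variable "cbr_rules"` block opens before the hunk.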