security enforced variation

Author: whoffler

ibm_catalog.json

@@ -97,6 +97,18 @@
             {
               "key": "ibmcloud_api_key"
             },
+            {
+              "key": "existing_resource_group_name",
+              "required": true,
+              "custom_config": {
+                "type": "resource_group",
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "config_constraints": {
+                  "identifier": "rg_name"
+                }
+              }
+            },
             {
               "key": "provider_visibility",
               "options": [
@@ -114,9 +126,6 @@
                 }
               ]
             },
-            {
-              "key": "existing_resource_group_name"
-            },
             {
               "key": "prefix"
             },
@@ -258,7 +267,17 @@
               "key": "existing_kms_key_crn"
             },
             {
-              "key": "kms_endpoint_type"
+              "key": "kms_endpoint_type",
+              "options": [
+                {
+                  "displayname": "public",
+                  "value": "public"
+                },
+                {
+                  "displayname": "private",
+                  "value": "private"
+                }
+              ]
             },
             {
               "key": "skip_mongodb_kms_auth_policy"
@@ -297,6 +316,234 @@
               "key": "skip_mongodb_secrets_manager_auth_policy"
             }
           ]
+        },
+        {
+          "label": "Security Enforced",
+          "name": "security-enforced",
+          "install_type": "fullstack",
+          "working_directory": "solutions/security-enforced",
+          "compliance": {
+            "authority": "scc-v3",
+            "profiles": [
+              {
+                "profile_name": "IBM Cloud Framework for Financial Services",
+                "profile_version": "1.7.0"
+              }
+            ]
+          },
+          "iam_permissions": [
+            {
+              "role_crns": [
+                "crn:v1:bluemix:public:iam::::role:Editor"
+              ],
+              "service_name": "databases-for-mongodb"
+            },
+            {
+              "role_crns": [
+                "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+                "crn:v1:bluemix:public:iam::::role:Editor"
+              ],
+              "service_name": "kms"
+            }
+          ],
+          "architecture": {
+            "descriptions": "This architecture creates an instance of IBM Cloud Databases for MongoDB instance with KMS encryption. Supports autoscaling.",
+            "features": [
+              {
+                "title": " Creates an instance of Databases for MongoDB",
+                "description": "This architecture creates an instance of IBM Cloud Databases for MongoDB with KMS encryption. It accepts or creates a resource group, and provides autoscaling rules."
+              }
+            ],
+            "diagrams": [
+              {
+                "diagram": {
+                  "caption": "Databases for MongoDB instance on IBM Cloud",
+                  "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/main/reference-architecture/deployable-architecture-mongodb.svg",
+                  "type": "image/svg+xml"
+                },
+                "description": "This architecture supports creating and configuring an instance of Databases for MongoDB instance with KMS encryption."
+              }
+            ]
+          },
+          "configuration": [
+            {
+              "key": "ibmcloud_api_key"
+            },
+            {
+              "key": "existing_resource_group_name",
+              "required": true,
+              "custom_config": {
+                "type": "resource_group",
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "config_constraints": {
+                  "identifier": "rg_name"
+                }
+              }
+            },
+            {
+              "key": "region",
+              "required": true,
+              "default_value": "us-south",
+              "options": [
+                {
+                  "displayname": "Chennai (che01)",
+                  "value": "che01"
+                },
+                {
+                  "displayname": "Dallas (us-south)",
+                  "value": "us-south"
+                },
+                {
+                  "displayname": "Frankfurt (eu-de)",
+                  "value": "eu-de"
+                },
+                {
+                  "displayname": "London (eu-gb)",
+                  "value": "eu-gb"
+                },
+                {
+                  "displayname": "Madrid (eu-es)",
+                  "value": "eu-es"
+                },
+                {
+                  "displayname": "Osaka (jp-osa)",
+                  "value": "jp-osa"
+                },
+                {
+                  "displayname": "Paris (par01)",
+                  "value": "par01"
+                },
+                {
+                  "displayname": "Sao Paulo (br-sao)",
+                  "value": "br-sao"
+                },
+                {
+                  "displayname": "Sydney (au-syd)",
+                  "value": "au-syd"
+                },
+                {
+                  "displayname": "Toronto (ca-tor)",
+                  "value": "ca-tor"
+                },
+                {
+                  "displayname": "Tokyo (jp-tok)",
+                  "value": "jp-tok"
+                },
+                {
+                  "displayname": "Washington (us-east)",
+                  "value": "us-east"
+                }
+              ]
+            },
+            {
+              "key": "prefix"
+            },
+            {
+              "key": "mongodb_name"
+            },
+
+            {
+              "key": "mongodb_version",
+              "required": false,
+              "default_value": "__NULL__",
+              "options": [
+                {
+                  "displayname": "preferred",
+                  "value": "__NULL__"
+                },
+                {
+                  "displayname": "6.0",
+                  "value": "6.0"
+                },
+                {
+                  "displayname": "7.0",
+                  "value": "7.0"
+                }
+              ]
+            },
+            {
+              "key": "plan"
+            },
+            {
+              "key": "members"
+            },
+            {
+              "key": "memory_mb"
+            },
+            {
+              "key": "cpu_count"
+            },
+            {
+              "key": "disk_mb"
+            },
+            {
+              "key": "member_host_flavor"
+            },
+            {
+              "key": "service_credential_names"
+            },
+            {
+              "key": "admin_pass"
+            },
+            {
+              "key": "admin_pass_secrets_manager_secret_group"
+            },
+            {
+              "key": "admin_pass_secrets_manager_secret_name"
+            },
+            {
+              "key": "existing_mongodb_instance_crn"
+            },
+            {
+              "key": "use_existing_admin_pass_secrets_manager_secret_group"
+            },
+            {
+              "key": "users"
+            },
+            {
+              "key": "mongodb_tags"
+            },
+            {
+              "key": "mongodb_access_tags"
+            },
+            {
+              "key": "existing_kms_instance_crn"
+            },
+            {
+              "key": "existing_kms_key_crn"
+            },
+            {
+              "key": "skip_mongodb_kms_auth_policy"
+            },
+            {
+              "key": "ibmcloud_kms_api_key"
+            },
+            {
+              "key": "key_ring_name"
+            },
+            {
+              "key": "key_name"
+            },
+            {
+              "key": "existing_backup_kms_key_crn"
+            },
+            {
+              "key": "auto_scaling"
+            },
+            {
+              "key": "backup_crn"
+            },
+            {
+              "key": "existing_secrets_manager_instance_crn"
+            },
+            {
+              "key": "service_credential_secrets"
+            },
+            {
+              "key": "skip_mongodb_secrets_manager_auth_policy"
+            }
+          ]
         }
       ]
     }

solutions/fully-configurable/README.md

@@ -1,4 +1,4 @@
-# IBM Cloud Databases for MongoDB
+# IBM Cloud Databases for MongoDB (Fully Configurable)
 
 ## Prerequisites
 - An existing resource group

solutions/fully-configurable/variables.tf

@@ -70,7 +70,7 @@ variable "plan" {
 variable "service_endpoints" {
   type        = string
   description = "The type of endpoint of the database instance. Possible values: `public`, `private`, `public-and-private`."
-  default     = "public"
+  default     = "private"
 
   validation {
     condition     = can(regex("public|public-and-private|private", var.service_endpoints))

solutions/security-enforced/README.md

@@ -0,0 +1,15 @@
+# IBM Cloud Databases for MongoDB (Security Enforced)
+
+## Prerequisites
+- An existing resource group
+
+This architecture creates an instance of IBM Cloud Databases for MongoDB and supports provisioning of the following resources:
+
+- A KMS root key, if one is not passed in.
+- An IBM Cloud Databases for MongoDB instance with KMS encryption.
+- Autoscaling rules for the database instance, if provided.
+- Service credential secrets and store them in secret manager.
+
+![fscloud-mongodb](../../reference-architecture/deployable-architecture-mongodb.svg)
+
+:exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers).

solutions/security-enforced/catalogValidationValues.json.template

@@ -0,0 +1,8 @@
+{
+  "ibmcloud_api_key": $VALIDATION_APIKEY,
+  "region": "us-south",
+  "mongodb_tags": $TAGS,
+  "mongodb_name": $PREFIX,
+  "existing_resource_group_name": $PREFIX,
+  "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN
+}

solutions/security-enforced/main.tf

@@ -0,0 +1,47 @@
+module "mongodb" {
+  source                        = "../fully-configurable"
+  ibmcloud_api_key              = var.ibmcloud_api_key
+  existing_resource_group_name  = var.existing_resource_group_name
+  prefix                        = var.prefix
+  mongodb_name                  = var.mongodb_name
+  region                        = var.region
+  mongodb_version               = var.mongodb_version
+  plan                          = var.plan
+  service_endpoints             = "private"
+  existing_mongodb_instance_crn = var.existing_mongodb_instance_crn
+  # ICD hosting model properties
+  members                  = var.members
+  memory_mb                = var.memory_mb
+  cpu_count                = var.cpu_count
+  disk_mb                  = var.disk_mb
+  member_host_flavor       = var.member_host_flavor
+  service_credential_names = var.service_credential_names
+  admin_pass               = var.admin_pass
+  users                    = var.users
+  mongodb_tags             = var.mongodb_tags
+  mongodb_access_tags      = var.mongodb_access_tags
+  # Encryption
+  kms_encryption_enabled            = true
+  use_ibm_owned_encryption_key      = false
+  existing_kms_instance_crn         = var.existing_kms_instance_crn
+  existing_kms_key_crn              = var.existing_kms_key_crn
+  existing_backup_kms_key_crn       = var.existing_backup_kms_key_crn
+  kms_endpoint_type                 = "private"
+  skip_mongodb_kms_auth_policy      = var.skip_mongodb_kms_auth_policy
+  ibmcloud_kms_api_key              = var.ibmcloud_kms_api_key
+  key_ring_name                     = var.key_ring_name
+  key_name                          = var.key_name
+  use_default_backup_encryption_key = false
+  backup_crn                        = var.backup_crn
+  provider_visibility               = "private"
+  # Auto Scaling
+  auto_scaling = var.auto_scaling
+  # Secrets Manager Service Credentials
+  existing_secrets_manager_instance_crn                = var.existing_secrets_manager_instance_crn
+  existing_secrets_manager_endpoint_type               = "private"
+  service_credential_secrets                           = var.service_credential_secrets
+  skip_mongodb_secrets_manager_auth_policy             = var.skip_mongodb_secrets_manager_auth_policy
+  admin_pass_secrets_manager_secret_group              = var.admin_pass_secrets_manager_secret_group
+  use_existing_admin_pass_secrets_manager_secret_group = var.use_existing_admin_pass_secrets_manager_secret_group
+  admin_pass_secrets_manager_secret_name               = var.admin_pass_secrets_manager_secret_name
+}