feat: multiple refactoring (#158)

BREAKING CHANGE: If you were using the legacy input variable `allowlist` to restrict network to a specific IP range, you will need to migrate to using Context Based Restrictions (CBRs) for this. For more info see [Protecting Cloud Databases resources with context-based restrictions](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-cbr&interface=ui)

Author: ocofaigh

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-05-05T07:45:21Z",
+  "generated_at": "2023-05-16T09:19:59Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -76,7 +76,18 @@
       "name": "TwilioKeyDetector"
     }
   ],
-  "results": {},
+  "results": {
+    "README.md": [
+      {
+        "hashed_secret": "ff9ee043d85595eb255c05dfe32ece02a53efbb2",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 17,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ]
+  },
   "version": "0.13.1+ibm.60.dss",
   "word_list": {
     "file": null,

README.md

@@ -1,8 +1,6 @@
 # Basic example
 
-An end-to-end example that uses the module's default variable values.
-
-This example uses the IBM Cloud Terraform provider to create the following infrastructure:
+An end-to-end example that creates the following infrastructure:
 
 - A resource group, if one is not passed in.
 - An ICD MongoDB database instance.

catalogValidationValues.json.template

@@ -1,10 +1,10 @@
 # Complete example with encryption, autoscaling, and CBR rules
 
-This end-to-end example uses the IBM Cloud terraform provider to:
+An end-to-end example that uses the IBM Cloud Terraform provider to create the following infrastructure:
 
-- Create a new resource group if one is not passed in.
-- An ICD MongoDB database instance with autoscaling enabled (automatically increase resources).
-- Create Key Protect instance with root key.
-- Backend encryption using generated Key Protect key.
-- Create a Sample VPC.
-- Create Context Based Restriction(CBR) to only allow MongoDB to be accessible from the VPC.
+- A resource group, if one is not passed in.
+- A Key Protect instance with a root key.
+- An instance of Databases for MongoDB with BYOK encryption and autoscaling enabled (automatically increases resources).
+- Service credentials for the database instance.
+- A sample virtual private cloud (VPC).
+- A context-based restriction (CBR) rule to only allow MongoDB to be accessible from within the VPC.

common-dev-assets

@@ -31,7 +31,7 @@ resource "ibm_is_subnet" "testacc_subnet" {
 ##############################################################################
 
 module "key_protect_all_inclusive" {
-  source            = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-all-inclusive.git?ref=v4.0.0"
+  source            = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-all-inclusive.git?ref=v4.1.0"
   resource_group_id = module.resource_group.resource_group_id
   # Note: Database instance and Key Protect must be created in the same region when using BYOK
   # See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok
@@ -41,26 +41,6 @@ module "key_protect_all_inclusive" {
   key_map                   = { "icd" = ["${var.prefix}-mongodb"] }
 }
 
-# Create IAM Access Policy to allow Key protect to access Postgres instance
-resource "ibm_iam_authorization_policy" "policy" {
-  source_service_name         = "databases-for-mongodb"
-  source_resource_group_id    = module.resource_group.resource_group_id
-  target_service_name         = "kms"
-  target_resource_instance_id = module.key_protect_all_inclusive.key_protect_guid
-  roles                       = ["Reader"]
-}
-
-##############################################################################
-# Service Credentials
-##############################################################################
-
-resource "ibm_resource_key" "service_credentials" {
-  count                = length(var.service_credentials)
-  name                 = var.service_credentials[count.index]
-  resource_instance_id = module.mongodb.id
-  tags                 = var.resource_tags
-}
-
 ##############################################################################
 # Get Cloud Account ID
 ##############################################################################
@@ -83,23 +63,25 @@ module "cbr_zone" {
 }
 
 ##############################################################################
-# ICD mongodb database
+# ICD MongoDB instance
 ##############################################################################
 
 module "mongodb" {
-  source            = "../.."
-  resource_group_id = module.resource_group.resource_group_id
-  mongodb_version   = var.mongodb_version
-  instance_name     = "${var.prefix}-mongodb"
-  endpoints         = "private"
-  region            = var.region
-  kms_key_crn       = module.key_protect_all_inclusive.keys["icd.${var.prefix}-mongodb"].crn
-  tags              = var.resource_tags
-  auto_scaling      = var.auto_scaling
+  source                     = "../.."
+  resource_group_id          = module.resource_group.resource_group_id
+  mongodb_version            = var.mongodb_version
+  instance_name              = "${var.prefix}-mongodb"
+  kms_encryption_enabled     = true
+  existing_kms_instance_guid = module.key_protect_all_inclusive.key_protect_guid
+  region                     = var.region
+  kms_key_crn                = module.key_protect_all_inclusive.keys["icd.${var.prefix}-mongodb"].crn
+  tags                       = var.resource_tags
+  auto_scaling               = var.auto_scaling
+  service_credential_names   = var.service_credential_names
   cbr_rules = [
     {
       description      = "${var.prefix}-mongodb access only from vpc"
-      enforcement_mode = var.enforcement_mode
+      enforcement_mode = "enabled"
       account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
       rule_contexts = [{
         attributes = [

examples/basic/README.md

@@ -16,3 +16,15 @@ output "guid" {
   description = "mongodb instance guid"
   value       = module.mongodb.guid
 }
+
+output "service_credentials_json" {
+  description = "Service credentials json map"
+  value       = module.mongodb.service_credentials_json
+  sensitive   = true
+}
+
+output "service_credentials_object" {
+  description = "Service credentials object"
+  value       = module.mongodb.service_credentials_object
+  sensitive   = true
+}

examples/complete/README.md

@@ -30,20 +30,19 @@ variable "resource_tags" {
 
 variable "mongodb_version" {
   type        = string
-  description = "Version of the mongodb instance. If left at null, the latest version is provisioned."
+  description = "Version of the MongoDB instance. If no value is passed, the current preferred version of IBM Cloud Databases is used."
   default     = null
 }
 
-variable "service_credentials" {
-  description = "A list of service credentials that you want to create for the database"
-  type        = list(string)
-  default     = ["mongodb_credential_microservices", "mongodb_credential_dev_1", "mongodb_credential_dev_2"]
-}
-
-variable "enforcement_mode" {
-  description = "whether or not enforce a rule upon creation and update the rule enforcement."
-  type        = string
-  default     = "enabled"
+variable "service_credential_names" {
+  description = "Map of name, role for service credentials that you want to create for the database"
+  type        = map(string)
+  default = {
+    "mongodb_admin" : "Administrator",
+    "mongodb_operator" : "Operator",
+    "mongodb_viewer" : "Viewer",
+    "mongodb_viewer" : "Editor",
+  }
 }
 
 variable "auto_scaling" {
@@ -75,7 +74,7 @@ variable "auto_scaling" {
       rate_units               = optional(string)
     })
   })
-  description = "Configure rules to allow your database to automatically increase its resources. Single block of autoscaling is allowed at once."
+  description = "Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-autoscaling&interface=cli#autoscaling-considerations in the IBM Cloud Docs."
   default = {
     cpu = {}
     disk = {

examples/complete/main.tf

@@ -1,17 +1,18 @@
 # Financial Services Cloud profile example
 
-## *Note:* This example is only deploying MongoDB in a compliant manner the other infrastructure is not necessarily compliant.
+An end-to-end example that uses the [Profile for IBM Cloud Framework for Financial Services](../../profiles/fscloud/) to deploy an instance of IBM Cloud Databases for MongoDB.
 
-### Requirements
-This example expects you have Hyper Protect Crypto Service instances in the region you wish to deploy your MongoDB instance.
+The example uses the IBM Cloud Terraform provider to create the following infrastructure:
 
-### Deploys
-An example using the fscloud profile to deploy a compliant MongoDB instance. This example uses the IBM Cloud terraform provider to:
+- A resource group, if one is not passed in.
+- An IAM authorization between all MongoDB database instances in the given resource group, and the Hyper Protect Crypto Services instance that is passed in.
+- An IBM Cloud Databases MongoDB database instance that is encrypted with the Hyper Protect Crypto Services root key that is passed in.
+- Service Credentials for the MongoDB database instance.
+- A sample virtual private cloud (VPC).
+- A context-based restriction (CBR) rule to only allow MongoDB to be accessible from within the VPC.
 
-- Create a new resource group if one is not passed in.
-- Create a Key protect instance and generate backup encryption key.
-- Create an IAM Authorization between MongoDB instance resource group and Key Protect Instance for backup_encryption_key_crn as backup encryption key is not supported by Hyper Protect instances yet.
-- Create an IAM Authorization between MongoDB instance Resource group and HPSC permanent Instance.
-- Create a new ICD MongoDB instance and credentials that is encrypted using the Hyper Protect Crypto Service resources that are passed in.
-- Create a Sample VPC.
-- Create Context Based Restriction(CBR) to only allow MongoDB to be accessible from the VPC.
+:exclamation: **Important:** In this example, only the IBM Cloud Databases for MongoDB instance complies with the IBM Cloud Framework for Financial Services. Other parts of the infrastructure do not necessarily comply.
+
+## Before you begin
+
+- You need a Hyper Protect Crypto Services instance and root key available in the region that you want to deploy your MongoDB database instance to.