feat: added new FSCloud terraform submodule (profiles/fscloud) with example on how to consume + added support for Hyper Protect + added support for creating the KMS auth policy. key_protect_key_crn has been renamed kms_key_crn (#139)

Author: rajatagarwal-ibm

.github/workflows/ci.yml

@@ -7,6 +7,7 @@ on:
     branches: [main]
   pull_request:
     branches: [main]
+    types: [opened, synchronize, reopened, ready_for_review]
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
@@ -15,3 +16,8 @@ jobs:
   call-terraform-ci-pipeline:
     uses: terraform-ibm-modules/common-pipeline-assets/.github/workflows/[email protected]
     secrets: inherit
+    with:
+      craSCCv2: true
+      craTarget: "examples/fscloud"
+      craRuleIgnoreFile: "cra-tf-validate-ignore-rules.json"
+      craEnvironmentVariables: "TF_VAR_existing_at_instance_crn=crn:v1:bluemix:public:logdnaat:eu-de:a/abac0df06b644a9cabc6e44f55b3880e:b1ef3365-dfbf-4d8f-8ac8-75f4f84d6f4a::,TF_VAR_existing_kms_instance_guid=${{ vars.HPCS_SOUTH_GUID }},TF_VAR_kms_key_crn=${{ vars.HPCS_SOUTH_KEY_CRN }} "

README.md

@@ -42,6 +42,7 @@ You need the following permissions to run this module.
 - [ Autoscale example](examples/autoscale)
 - [ Complete example with Encryption and CBR rules](examples/complete)
 - [ Default example](examples/default)
+- [ Financial Services Cloud profile example](examples/fscloud)
 <!-- END EXAMPLES HOOK -->
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
@@ -62,27 +63,30 @@ You need the following permissions to run this module.
 | Name | Type |
 |------|------|
 | [ibm_database.mongodb](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database) | resource |
+| [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_allowlist"></a> [allowlist](#input\_allowlist) | (Optional, List of Objects) A list of allowed IP addresses for the database. | <pre>list(object({<br>    address     = string<br>    description = string<br>  }))</pre> | `[]` | no |
 | <a name="input_auto_scaling"></a> [auto\_scaling](#input\_auto\_scaling) | Configure rules to allow your database to automatically increase its resources. Single block of autoscaling is allowed at once. | <pre>object({<br>    cpu = object({<br>      rate_increase_percent       = optional(number, 10)<br>      rate_limit_count_per_member = optional(number, 20)<br>      rate_period_seconds         = optional(number, 900)<br>      rate_units                  = optional(string, "count")<br>    })<br>    disk = object({<br>      capacity_enabled             = optional(bool, false)<br>      free_space_less_than_percent = optional(number, 10)<br>      io_above_percent             = optional(number, 90)<br>      io_enabled                   = optional(bool, false)<br>      io_over_period               = optional(string, "15m")<br>      rate_increase_percent        = optional(number, 10)<br>      rate_limit_mb_per_member     = optional(number, 3670016)<br>      rate_period_seconds          = optional(number, 900)<br>      rate_units                   = optional(string, "mb")<br>    })<br>    memory = object({<br>      io_above_percent         = optional(number, 90)<br>      io_enabled               = optional(bool, false)<br>      io_over_period           = optional(string, "15m")<br>      rate_increase_percent    = optional(number, 10)<br>      rate_limit_mb_per_member = optional(number, 114688)<br>      rate_period_seconds      = optional(number, 900)<br>      rate_units               = optional(string, "mb")<br>    })<br>  })</pre> | `null` | no |
-| <a name="input_backup_encryption_key_crn"></a> [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | (Optional) The CRN of a key protect key, that you want to use for encrypting disk that holds deployment backups. If null, will use 'key\_protect\_key\_crn' as encryption key. If 'key\_protect\_key\_crn' is also null database is encrypted by using randomly generated keys. | `string` | `null` | no |
+| <a name="input_backup_encryption_key_crn"></a> [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | (Optional) The CRN of a Key Protect Key to use for encrypting backups. If left null, the value passed for the 'kms\_key\_crn' variable will be used. Take note that Hyper Protect Crypto Services for IBM Cloud® Databases backups is not currently supported. | `string` | `null` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br>    description = string<br>    account_id  = string<br>    rule_contexts = list(object({<br>      attributes = optional(list(object({<br>        name  = string<br>        value = string<br>    }))) }))<br>    enforcement_mode = string<br>  }))</pre> | `[]` | no |
 | <a name="input_configuration"></a> [configuration](#input\_configuration) | Database Configuration in JSON format. | <pre>object({<br>    maxmemory                   = optional(number)<br>    maxmemory-policy            = optional(string)<br>    appendonly                  = optional(string)<br>    maxmemory-samples           = optional(number)<br>    stop-writes-on-bgsave-error = optional(string)<br>  })</pre> | `null` | no |
 | <a name="input_cpu_count"></a> [cpu\_count](#input\_cpu\_count) | Number of CPU cores available to the mongodb instance | `number` | `7` | no |
 | <a name="input_disk_mb"></a> [disk\_mb](#input\_disk\_mb) | Disk available to the mongodb instance | `number` | `20480` | no |
 | <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | Endpoints available to the mongodb instance (public, private, public-and-private) | `string` | `"private"` | no |
+| <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect or Key Protect instance in which the key specified in var.kms\_key\_crn is coming from. Only required if skip\_iam\_authorization\_policy is false | `string` | `null` | no |
 | <a name="input_instance_name"></a> [instance\_name](#input\_instance\_name) | Name of the MongoDB instance | `string` | n/a | yes |
-| <a name="input_key_protect_key_crn"></a> [key\_protect\_key\_crn](#input\_key\_protect\_key\_crn) | (Optional) The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Service (HPCS) that you want to use for disk encryption. If `null`, database is encrypted by using randomly generated keys. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok for current list of supported regions for BYOK | `string` | `null` | no |
+| <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | (Optional) The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Service (HPCS) that you want to use for disk encryption. If `null`, database is encrypted by using randomly generated keys. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok for current list of supported regions for BYOK | `string` | `null` | no |
 | <a name="input_members"></a> [members](#input\_members) | Allocated number of members | `number` | `3` | no |
 | <a name="input_memory_mb"></a> [memory\_mb](#input\_memory\_mb) | Memory available to the mongodb instance | `number` | `1024` | no |
 | <a name="input_mongodb_version"></a> [mongodb\_version](#input\_mongodb\_version) | The version of the mongodb to be provisioned | `string` | `null` | no |
 | <a name="input_plan"></a> [plan](#input\_plan) | The name of the service plan that you choose for your mongodb instance | `string` | `"standard"` | no |
-| <a name="input_region"></a> [region](#input\_region) | The IBM Cloud region where instance will be created | `string` | `"us-south"` | no |
+| <a name="input_region"></a> [region](#input\_region) | The region MongoDB is to be created on. The region must support BYOK region if Key Protect Key is used or KYOK region if Hyper Protect Crypto Service (HPCS) is used. | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The ID of the IMB Cloud resource group where you want to create the instance | `string` | n/a | yes |
+| <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all MongoDB instances in the given Resource group to read the encryption key from the Hyper Protect or Key Protect instance in `existing_kms_instance_guid`. | `bool` | `true` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A list of tags that you want to add to your instance | `list(any)` | `[]` | no |
 
 ## Outputs

cra-tf-validate-ignore-rules.json

@@ -0,0 +1,16 @@
+{
+  "scc_rules": [
+    {
+      "scc_rule_id": "rule-beb7b289-706b-4dc0-b01d-b1d15d4331e3",
+      "description": "Check whether Databases for MongoDB network access is restricted to a specific IP range",
+      "ignore_reason": "This module supports restricting network access using Context Based Restrictions (CBRs), however SCC does not yet support scanning for CBR rules, hence the rule currently fails. SCC CBR support is being tracked in AHA SCC-961",
+      "is_valid": true
+    },
+    {
+      "scc_rule_id": "rule-216e2449-27d7-4afc-929a-b66e196a9cf9",
+      "description": "Check whether Flow Logs for VPC are enabled",
+      "ignore_reason": "This rule is not relevant to the module itself, just the VPC resource is used in the example that is scanned",
+      "is_valid": false
+    }
+  ]
+}

examples/complete/main.tf

@@ -87,14 +87,14 @@ module "cbr_zone" {
 ##############################################################################
 
 module "mongodb" {
-  source              = "../.."
-  resource_group_id   = module.resource_group.resource_group_id
-  mongodb_version     = var.mongodb_version
-  instance_name       = "${var.prefix}-mongodb"
-  endpoints           = "private"
-  region              = var.region
-  key_protect_key_crn = module.key_protect_all_inclusive.keys["icd.${var.prefix}-mongodb"].crn
-  tags                = var.resource_tags
+  source            = "../.."
+  resource_group_id = module.resource_group.resource_group_id
+  mongodb_version   = var.mongodb_version
+  instance_name     = "${var.prefix}-mongodb"
+  endpoints         = "private"
+  region            = var.region
+  kms_key_crn       = module.key_protect_all_inclusive.keys["icd.${var.prefix}-mongodb"].crn
+  tags              = var.resource_tags
   cbr_rules = [
     {
       description      = "${var.prefix}-mongodb access only from vpc"

examples/fscloud/README.md

@@ -0,0 +1,16 @@
+# Financial Services Cloud profile example
+
+## *Note:* This example is only deploying MongoDB in a compliant manner the other infrastructure is not necessarily compliant.
+
+### Requirements
+This example expects you have Hyper Protect Crypto Service instances in the region you wish to deploy your MongoDB instance.
+
+### Deploys
+An example using the fscloud profile to deploy a compliant MongoDB instance. This example uses the IBM Cloud terraform provider to:
+
+- Create a new resource group if one is not passed in.
+- Create a Key protect instance and IAM Authorization between MongoDB instance resource group and Key Protect Instance.
+- Create an IAM Authorization between MongoDB instance Resource group and HPSC permanent Instance.
+- Create a new ICD MongoDB instance and credentials that is encrypted using the Hyper Protect Crypto Service resources that are passed in.
+- Create a Sample VPC.
+- Create Context Based Restriction(CBR) to only allow Postgresql to be accessible from the VPC.

examples/fscloud/main.tf

@@ -0,0 +1,106 @@
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-resource-group.git?ref=v1.0.5"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##############################################################################
+# Key Protect All Inclusive
+##############################################################################
+
+# Need Key Protect instance for backup_encryption_key_crn as backup encryption key is not supported by Hyper Protect instaces yet.
+module "key_protect_all_inclusive" {
+  source            = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-all-inclusive.git?ref=v4.0.0"
+  resource_group_id = module.resource_group.resource_group_id
+  # Note: Database instance and Key Protect must be created in the same region when using BYOK
+  # See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok
+  region                    = var.region
+  key_protect_instance_name = "${var.prefix}-kp"
+  resource_tags             = var.resource_tags
+  key_map                   = { "icd-mongodb" = ["${var.prefix}-mongodb"] }
+}
+
+# Create IAM Access Policy to allow Key protect to access MongoDB instance
+resource "ibm_iam_authorization_policy" "policy" {
+  source_service_name         = "databases-for-mongodb"
+  source_resource_group_id    = module.resource_group.resource_group_id
+  target_service_name         = "kms"
+  target_resource_instance_id = module.key_protect_all_inclusive.key_protect_guid
+  roles                       = ["Reader"]
+}
+
+##############################################################################
+# Get Cloud Account ID
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+##############################################################################
+# VPC
+##############################################################################
+resource "ibm_is_vpc" "example_vpc" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+resource "ibm_is_subnet" "testacc_subnet" {
+  name                     = "${var.prefix}-subnet"
+  vpc                      = ibm_is_vpc.example_vpc.id
+  zone                     = "${var.region}-1"
+  total_ipv4_address_count = 256
+  resource_group           = module.resource_group.resource_group_id
+}
+
+##############################################################################
+# Create CBR Zone
+##############################################################################
+module "cbr_zone" {
+  source           = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-zone-module?ref=v1.1.2"
+  name             = "${var.prefix}-VPC-network-zone"
+  zone_description = "CBR Network zone containing VPC"
+  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  addresses = [{
+    type  = "vpc", # to bind a specific vpc to the zone
+    value = ibm_is_vpc.example_vpc.crn,
+  }]
+}
+
+##############################################################################
+# ICD mongodb database
+##############################################################################
+
+module "mongodb" {
+  source                     = "../../profiles/fscloud"
+  resource_group_id          = module.resource_group.resource_group_id
+  instance_name              = "${var.prefix}-mongodb"
+  region                     = var.region
+  tags                       = var.resource_tags
+  kms_key_crn                = var.kms_key_crn
+  existing_kms_instance_guid = var.existing_kms_instance_guid
+  backup_encryption_key_crn  = module.key_protect_all_inclusive.keys["icd-mongodb.${var.prefix}-mongodb"].crn
+  cbr_rules = [
+    {
+      description      = "${var.prefix}-mongodb access only from vpc"
+      enforcement_mode = "enabled"
+      account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+      rule_contexts = [{
+        attributes = [
+          {
+            "name" : "endpointType",
+            "value" : "private"
+          },
+          {
+            name  = "networkZoneId"
+            value = module.cbr_zone.zone_id
+        }]
+      }]
+    }
+  ]
+}

examples/fscloud/outputs.tf

@@ -0,0 +1,17 @@
+##############################################################################
+# Outputs
+##############################################################################
+output "id" {
+  description = "MongoDB instance id"
+  value       = module.mongodb.id
+}
+
+output "guid" {
+  description = "MongoDB instance guid"
+  value       = module.mongodb.guid
+}
+
+output "version" {
+  description = "MongoDB instance version"
+  value       = module.mongodb.version
+}

examples/fscloud/provider.tf

@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}

examples/fscloud/variables.tf

@@ -0,0 +1,39 @@
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API Key"
+  sensitive   = true
+}
+
+variable "region" {
+  type        = string
+  description = "Region to provision all resources created by this example"
+  default     = "us-south"
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix to append to all resources created by this example"
+  default     = "fs-cloud"
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
+}
+
+variable "existing_kms_instance_guid" {
+  description = "The GUID of the Hyper Protect Crypto service in which the key specified in var.kms_key_crn is coming from"
+  type        = string
+}
+
+variable "kms_key_crn" {
+  type        = string
+  description = "The root key CRN of a Hyper Protect Crypto Service (HPCS) that you want to use for disk encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs&interface=ui for more information on integrating HPCS with MongoDB instance."
+}

examples/fscloud/version.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    # Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = "1.49.0"
+    }
+  }
+}