feat: cbr support added

* feat: cbr support added

Author: rajatagarwal-ibm

README.md

@@ -40,7 +40,7 @@ You need the following permissions to run this module.
 ## Examples
 
 - [ Autoscale example](examples/autoscale)
-- [ Encryption example](examples/complete)
+- [ Complete example with Encryption and CBR rules](examples/complete)
 - [ Default example](examples/default)
 <!-- END EXAMPLES HOOK -->
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -53,7 +53,9 @@ You need the following permissions to run this module.
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_cbr_rule"></a> [cbr\_rule](#module\_cbr\_rule) | git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-rule-module | v1.1.2 |
 
 ## Resources
 
@@ -68,6 +70,7 @@ No modules.
 | <a name="input_allowlist"></a> [allowlist](#input\_allowlist) | (Optional, List of Objects) A list of allowed IP addresses for the database. | <pre>list(object({<br>    address     = string<br>    description = string<br>  }))</pre> | `[]` | no |
 | <a name="input_auto_scaling"></a> [auto\_scaling](#input\_auto\_scaling) | Configure rules to allow your database to automatically increase its resources. Single block of autoscaling is allowed at once. | <pre>object({<br>    cpu = object({<br>      rate_increase_percent       = optional(number)<br>      rate_limit_count_per_member = optional(number)<br>      rate_period_seconds         = optional(number)<br>      rate_units                  = optional(string)<br>    })<br>    disk = object({<br>      capacity_enabled             = optional(bool)<br>      free_space_less_than_percent = optional(number)<br>      io_above_percent             = optional(number)<br>      io_over_period               = optional(string)<br>      io_enabled                   = optional(bool)<br>      rate_increase_percent        = optional(number)<br>      rate_limit_mb_per_member     = optional(number)<br>      rate_period_seconds          = optional(number)<br>      rate_units                   = optional(string)<br>    })<br>    memory = object({<br>      io_above_percent         = optional(number)<br>      io_enabled               = optional(bool)<br>      io_over_period           = optional(string)<br>      rate_increase_percent    = optional(number)<br>      rate_limit_mb_per_member = optional(number)<br>      rate_period_seconds      = optional(number)<br>      rate_units               = optional(string)<br>    })<br>  })</pre> | <pre>{<br>  "cpu": {},<br>  "disk": {},<br>  "memory": {}<br>}</pre> | no |
 | <a name="input_backup_encryption_key_crn"></a> [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | (Optional) The CRN of a key protect key, that you want to use for encrypting disk that holds deployment backups. If null, will use 'key\_protect\_key\_crn' as encryption key. If 'key\_protect\_key\_crn' is also null database is encrypted by using randomly generated keys. | `string` | `null` | no |
+| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br>    description = string<br>    account_id  = string<br>    rule_contexts = list(object({<br>      attributes = optional(list(object({<br>        name  = string<br>        value = string<br>    }))) }))<br>    enforcement_mode = string<br>  }))</pre> | `[]` | no |
 | <a name="input_configuration"></a> [configuration](#input\_configuration) | Database Configuration in JSON format. | <pre>object({<br>    maxmemory                   = optional(number)<br>    maxmemory-policy            = optional(string)<br>    appendonly                  = optional(string)<br>    maxmemory-samples           = optional(number)<br>    stop-writes-on-bgsave-error = optional(string)<br>  })</pre> | `null` | no |
 | <a name="input_cpu_count"></a> [cpu\_count](#input\_cpu\_count) | Number of CPU cores available to the mongodb instance | `number` | `7` | no |
 | <a name="input_disk_mb"></a> [disk\_mb](#input\_disk\_mb) | Disk available to the mongodb instance | `number` | `20480` | no |
@@ -86,7 +89,8 @@ No modules.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_id"></a> [id](#output\_id) | mongodb instance id |
+| <a name="output_guid"></a> [guid](#output\_guid) | mongodb instance guid |
+| <a name="output_id"></a> [id](#output\_id) | mongodb instance id (CRN) |
 | <a name="output_version"></a> [version](#output\_version) | mongodb instance version |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 <!-- BEGIN CONTRIBUTING HOOK -->

examples/complete/README.md

@@ -1,8 +1,10 @@
-# Encryption example
+# Complete example with Encryption and CBR rules
 
-An example that adds encryption to the [default example](../default/README.md).
+An end-to-end example that adds encryption to the [default example](../default/README.md). This example uses the IBM Cloud terraform provider to:
 
-This example uses the IBM Cloud Terraform provider to create the following infrastructure:
-
-- A resource group, if one is not passed in.
-- An encrypted ICD MongoDB instance with credentials stored in IBM Cloud Secrets Manager.
+- Create a new resource group if one is not passed in.
+- Create a new mongoDB database instance.
+- Create Key Protect instance with root key.
+- Backend encryption using generated Key Protect key.
+- Create a Sample VPC.
+- Create Context Based Restriction(CBR) to only allow MongoDB to be accessible from the VPC.

examples/complete/main.tf

@@ -9,6 +9,23 @@ module "resource_group" {
   existing_resource_group_name = var.resource_group
 }
 
+##############################################################################
+# VPC
+##############################################################################
+resource "ibm_is_vpc" "example_vpc" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+resource "ibm_is_subnet" "testacc_subnet" {
+  name                     = "${var.prefix}-subnet"
+  vpc                      = ibm_is_vpc.example_vpc.id
+  zone                     = "${var.region}-1"
+  total_ipv4_address_count = 256
+  resource_group           = module.resource_group.resource_group_id
+}
+
 ##############################################################################
 # Key Protect All Inclusive
 ##############################################################################
@@ -47,6 +64,27 @@ resource "ibm_resource_key" "service_credentials" {
   tags                 = var.resource_tags
 }
 
+##############################################################################
+# Get Cloud Account ID
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+##############################################################################
+# Create CBR Zone
+##############################################################################
+module "cbr_zone" {
+  source           = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-zone-module?ref=v1.1.2"
+  name             = "${var.prefix}-VPC-network-zone"
+  zone_description = "CBR Network zone containing VPC"
+  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  addresses = [{
+    type  = "vpc", # to bind a specific vpc to the zone
+    value = ibm_is_vpc.example_vpc.crn,
+  }]
+}
+
 ##############################################################################
 # ICD mongodb database
 ##############################################################################
@@ -56,7 +94,26 @@ module "mongodb" {
   resource_group_id   = module.resource_group.resource_group_id
   mongodb_version     = var.mongodb_version
   instance_name       = "${var.prefix}-mongodb"
+  endpoints           = "private"
   region              = var.region
   key_protect_key_crn = module.key_protect_all_inclusive.keys["icd.${var.prefix}-mongodb"].crn
   tags                = var.resource_tags
+  cbr_rules = [
+    {
+      description      = "${var.prefix}-mongodb access only from vpc"
+      enforcement_mode = var.enforcement_mode
+      account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+      rule_contexts = [{
+        attributes = [
+          {
+            "name" : "endpointType",
+            "value" : "private"
+          },
+          {
+            name  = "networkZoneId"
+            value = module.cbr_zone.zone_id
+        }]
+      }]
+    }
+  ]
 }

examples/complete/outputs.tf

@@ -11,3 +11,8 @@ output "version" {
   description = "MongoDB instance version"
   value       = module.mongodb.version
 }
+
+output "guid" {
+  description = "mongodb instance guid"
+  value       = module.mongodb.guid
+}

examples/complete/variables.tf

@@ -39,3 +39,9 @@ variable "service_credentials" {
   type        = list(string)
   default     = ["mongodb_credential_microservices", "mongodb_credential_dev_1", "mongodb_credential_dev_2"]
 }
+
+variable "enforcement_mode" {
+  description = "whether or not enforce a rule upon creation and update the rule enforcement."
+  type        = string
+  default     = "enabled"
+}

main.tf

@@ -85,3 +85,42 @@ resource "ibm_database" "mongodb" {
     ]
   }
 }
+
+##############################################################################
+# Context Based Restrictions
+##############################################################################
+
+module "cbr_rule" {
+  count            = length(var.cbr_rules) > 0 ? length(var.cbr_rules) : 0
+  source           = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-rule-module?ref=v1.1.2"
+  rule_description = var.cbr_rules[count.index].description
+  enforcement_mode = var.cbr_rules[count.index].enforcement_mode
+  rule_contexts    = var.cbr_rules[count.index].rule_contexts
+  resources = [{
+    attributes = [
+      {
+        name     = "accountId"
+        value    = var.cbr_rules[count.index].account_id
+        operator = "stringEquals"
+      },
+      {
+        name     = "serviceInstance"
+        value    = ibm_database.mongodb.guid
+        operator = "stringEquals"
+      },
+      {
+        name     = "serviceName"
+        value    = "databases-for-mongodb"
+        operator = "stringEquals"
+      }
+    ]
+  }]
+  #  There is only 1 operation type for Redis so it is not exposed as a configuration
+  operations = [{
+    api_types = [
+      {
+        api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:data-plane"
+      }
+    ]
+  }]
+}

module-metadata.json

@@ -34,6 +34,23 @@
         "line": 85
       }
     },
+    "cbr_rules": {
+      "name": "cbr_rules",
+      "type": "list(object({\n    description = string\n    account_id  = string\n    rule_contexts = list(object({\n      attributes = optional(list(object({\n        name  = string\n        value = string\n    }))) }))\n    enforcement_mode = string\n  }))",
+      "description": "(Optional, list) List of CBR rules to create",
+      "default": [],
+      "source": [
+        "module.cbr_rule",
+        "module.cbr_rule",
+        "module.cbr_rule",
+        "module.cbr_rule",
+        "module.cbr_rule"
+      ],
+      "pos": {
+        "filename": "variables.tf",
+        "line": 186
+      }
+    },
     "configuration": {
       "name": "configuration",
       "type": "object({\n    maxmemory                   = optional(number)\n    maxmemory-policy            = optional(string)\n    appendonly                  = optional(string)\n    maxmemory-samples           = optional(number)\n    stop-writes-on-bgsave-error = optional(string)\n  })",
@@ -205,9 +222,19 @@
     }
   },
   "outputs": {
+    "guid": {
+      "name": "guid",
+      "description": "mongodb instance guid",
+      "value": "ibm_database.mongodb.guid",
+      "pos": {
+        "filename": "outputs.tf",
+        "line": 10
+      },
+      "type": "TypeString"
+    },
     "id": {
       "name": "id",
-      "description": "mongodb instance id",
+      "description": "mongodb instance id (CRN)",
       "value": "ibm_database.mongodb.id",
       "pos": {
         "filename": "outputs.tf",
@@ -220,7 +247,7 @@
       "value": "ibm_database.mongodb.version",
       "pos": {
         "filename": "outputs.tf",
-        "line": 10
+        "line": 15
       },
       "type": "TypeString"
     }
@@ -262,5 +289,66 @@
     }
   },
   "data_resources": {},
-  "module_calls": {}
+  "module_calls": {
+    "cbr_rule": {
+      "name": "cbr_rule",
+      "source": "git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-rule-module?ref=v1.1.2",
+      "attributes": {
+        "count": "cbr_rules",
+        "enforcement_mode": "cbr_rules",
+        "resources": "cbr_rules",
+        "rule_contexts": "cbr_rules",
+        "rule_description": "cbr_rules"
+      },
+      "managed_resources": {
+        "ibm_cbr_rule.cbr_rule": {
+          "mode": "managed",
+          "type": "ibm_cbr_rule",
+          "name": "cbr_rule",
+          "attributes": {
+            "description": "rule_description",
+            "enforcement_mode": "enforcement_mode"
+          },
+          "provider": {
+            "name": "ibm"
+          },
+          "pos": {
+            "filename": ".terraform/modules/cbr_rule/cbr-rule-module/main.tf",
+            "line": 7
+          }
+        }
+      },
+      "data_resources": {},
+      "outputs": {
+        "rule_crn": {
+          "name": "rule_crn",
+          "description": "CBR rule resource instance crn",
+          "pos": {
+            "filename": ".terraform/modules/cbr_rule/cbr-rule-module/outputs.tf",
+            "line": 10
+          }
+        },
+        "rule_href": {
+          "name": "rule_href",
+          "description": "CBR rule resource href",
+          "pos": {
+            "filename": ".terraform/modules/cbr_rule/cbr-rule-module/outputs.tf",
+            "line": 15
+          }
+        },
+        "rule_id": {
+          "name": "rule_id",
+          "description": "CBR rule resource instance id",
+          "pos": {
+            "filename": ".terraform/modules/cbr_rule/cbr-rule-module/outputs.tf",
+            "line": 5
+          }
+        }
+      },
+      "pos": {
+        "filename": "main.tf",
+        "line": 93
+      }
+    }
+  }
 }

outputs.tf

@@ -3,10 +3,15 @@
 ##############################################################################
 
 output "id" {
-  description = "mongodb instance id"
+  description = "mongodb instance id (CRN)"
   value       = ibm_database.mongodb.id
 }
 
+output "guid" {
+  description = "mongodb instance guid"
+  value       = ibm_database.mongodb.guid
+}
+
 output "version" {
   description = "mongodb instance version"
   value       = ibm_database.mongodb.version

tests/pr_test.go

@@ -79,12 +79,9 @@ func TestRunCompleteExample(t *testing.T) {
 func TestRunUpgradeExample(t *testing.T) {
 	t.Parallel()
 
-	// TODO: Remove this line after the first merge to primary branch is complete to enable upgrade test
-	t.Skip("Skipping upgrade test until initial code is in primary branch")
-
 	options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
 		Testing:            t,
-		TerraformDir:       defaultExampleTerraformDir,
+		TerraformDir:       completeExampleTerraformDir,
 		Prefix:             "mongodb-upg",
 		ResourceGroup:      resourceGroup,
 		BestRegionYAMLPath: regionSelectionPath,

variables.tf

@@ -180,3 +180,21 @@ variable "auto_scaling" {
     memory = {}
   }
 }
+##############################################################
+# Context-based restriction (CBR)
+##############################################################
+variable "cbr_rules" {
+  type = list(object({
+    description = string
+    account_id  = string
+    rule_contexts = list(object({
+      attributes = optional(list(object({
+        name  = string
+        value = string
+    }))) }))
+    enforcement_mode = string
+  }))
+  description = "(Optional, list) List of CBR rules to create"
+  default     = []
+  # Validation happens in the rule module
+}