fully-configurble + security-enforced DAs

Author: whoffler

.catalog-onboard-pipeline.yaml

@@ -6,7 +6,7 @@ offerings:
     catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd
     offering_id: 0298facd-3e69-43fa-87c0-4d3d0b3c887e
     variations:
-      - name: standard
+      - name: fully-configurable
         mark_ready: true
         install_type: fullstack
         scc:

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-07-25T15:38:43Z",
+  "generated_at": "2025-05-12T14:07:27Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -87,7 +87,7 @@
         "verified_result": null
       }
     ],
-    "solutions/standard/DA-types.md": [
+    "solutions/fully-configurable/DA-types.md": [
       {
         "hashed_secret": "44cdfc3615970ada14420caaaa5c5745fca06002",
         "is_secret": false,

cra-config.yaml

@@ -1,11 +1,13 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "solutions/standard"
+  - CRA_TARGET: "solutions/fully-configurable"
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json"
     PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3"  # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile).
     CRA_ENVIRONMENT_VARIABLES:
+      TF_VAR_kms_encryption_enabled: true
+      TF_VAR_use_ibm_owned_encryption_key: false
       TF_VAR_existing_kms_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533"
-      TF_VAR_prefix: "test-postgres-standard"
-      TF_VAR_resource_group_name: "test"
+      TF_VAR_prefix: "test-postgres-fc"
+      TF_VAR_existing_resource_group_name: "geretain-test-postgres"
       TF_VAR_provider_visibility: "public"

ibm_catalog.json

@@ -23,7 +23,7 @@
         "relational"
       ],
       "short_description": "Creates and configures an instance of IBM Cloud Databases for PostgreSQL.",
-      "long_description": "This architecture supports creating and configuring an instance of Databases for PostgreSQL with KMS encryption.",
+      "long_description": "This architecture supports creating and configuring an instance of [Databases for PostgreSQL](https://www.ibm.com/products/databases-for-postgresql), with optional KMS encryption. This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) asset collection, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.",
       "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-icd-postgresql/blob/main/README.md",
       "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-icd-postgresql/main/images/postgresql.svg",
       "provider_name": "IBM",
@@ -47,10 +47,10 @@
       ],
       "flavors": [
         {
-          "label": "Standard",
-          "name": "standard",
+          "label": "Fully configurable",
+          "name": "fully-configurable",
           "install_type": "fullstack",
-          "working_directory": "solutions/standard",
+          "working_directory": "solutions/fully-configurable",
           "compliance": {
             "authority": "scc-v3",
             "profiles": [
@@ -122,18 +122,21 @@
               ]
             },
             {
-              "key": "use_existing_resource_group"
-            },
-            {
-              "key": "resource_group_name"
+              "key": "existing_resource_group_name",
+              "required": true,
+              "custom_config": {
+                "type": "resource_group",
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "config_constraints": {
+                  "identifier": "rg_name"
+                }
+              }
             },
             {
               "key": "prefix",
               "required": true
             },
-            {
-              "key": "name"
-            },
             {
               "key": "region",
               "required": true,
@@ -190,7 +193,10 @@
               ]
             },
             {
-              "key": "pg_version",
+              "key": "postgresql_name"
+            },
+            {
+              "key": "postgresql_version",
               "required": false,
               "default_value": "__NULL__",
               "options": [
@@ -248,10 +254,13 @@
               "key": "users"
             },
             {
-              "key": "resource_tags"
+              "key": "postgresql_resource_tags"
+            },
+            {
+              "key": "postgresql_access_tags"
             },
             {
-              "key": "access_tags"
+              "key": "kms_encryption_enabled"
             },
             {
               "key": "use_ibm_owned_encryption_key"
@@ -260,8 +269,7 @@
               "key": "ibmcloud_kms_api_key"
             },
             {
-              "key": "existing_kms_instance_crn",
-              "required": true
+              "key": "existing_kms_instance_crn"
             },
             {
               "key": "existing_kms_key_crn"
@@ -280,7 +288,7 @@
               ]
             },
             {
-              "key": "skip_pg_kms_auth_policy"
+              "key": "skip_postgresql_kms_auth_policy"
             },
             {
               "key": "key_ring_name"
@@ -305,6 +313,9 @@
             },
             {
               "key": "existing_postgresql_instance_crn"
+            },
+            {
+              "key": "service_endpoints"
             }
           ]
         }

solutions/standard/DA-types.md renamed to solutions/fully-configurable/DA-types.md

@@ -0,0 +1,14 @@
+# IBM Cloud Databases for PostgreSQL (Fully Configurable)
+
+## Prerequisites
+- An existing resource group
+
+This architecture creates an instance of IBM Cloud Databases for PostgreSQL and supports provisioning of the following resources:
+
+- A KMS root key, if one is not passed in.
+- An IBM Cloud Databases for PostgreSQL instance with KMS encryption.
+- Autoscaling rules for the database instance, if provided.
+
+![fscloud-postgresql](../../reference-architecture/deployable-architecture-postgresql.svg)
+
+:exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers).

solutions/fully-configurable/README.md

@@ -0,0 +1,10 @@
+{
+  "ibmcloud_api_key": $VALIDATION_APIKEY,
+  "region": "us-south",
+  "postgresql_resource_tags": $TAGS,
+  "postgresql_name": $PREFIX,
+  "existing_resource_group_name": $PREFIX,
+  "kms_encryption_enabled": true,
+  "use_ibm_owned_encryption_key": false,
+  "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN
+}

solutions/fully-configurable/catalogValidationValues.json.template

@@ -5,22 +5,7 @@
 module "resource_group" {
   source                       = "terraform-ibm-modules/resource-group/ibm"
   version                      = "1.2.0"
-  resource_group_name          = var.use_existing_resource_group == false ? ((var.prefix != null && var.prefix != "") ? "${var.prefix}-${var.resource_group_name}" : var.resource_group_name) : null
-  existing_resource_group_name = var.use_existing_resource_group == true ? var.resource_group_name : null
-}
-
-#######################################################################################################################
-# KMS related variable validation
-# (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
-#
-# TODO: Replace with terraform cross variable validation: https://github.ibm.com/GoldenEye/issues/issues/10836
-#######################################################################################################################
-
-locals {
-  # tflint-ignore: terraform_unused_declarations
-  validate_kms_1 = var.existing_postgresql_instance_crn != null ? true : var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null) ? tobool("When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false.") : true
-  # tflint-ignore: terraform_unused_declarations
-  validate_kms_2 = var.existing_postgresql_instance_crn != null ? true : !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null) ? tobool("When 'use_ibm_owned_encryption_key' is false, a value is required for either 'existing_kms_instance_crn' (to create a new key), or 'existing_kms_key_crn' to use an existing key.") : true
+  existing_resource_group_name = var.existing_resource_group_name
 }
 
 #######################################################################################################################
@@ -99,8 +84,8 @@ data "ibm_iam_account_settings" "iam_account_settings" {
 
 locals {
   account_id                                  = data.ibm_iam_account_settings.iam_account_settings.account_id
-  create_cross_account_kms_auth_policy        = var.existing_postgresql_instance_crn == null && !var.skip_pg_kms_auth_policy && var.ibmcloud_kms_api_key != null && !var.use_ibm_owned_encryption_key
-  create_cross_account_backup_kms_auth_policy = var.existing_postgresql_instance_crn == null && !var.skip_pg_kms_auth_policy && var.ibmcloud_kms_api_key != null && !var.use_ibm_owned_encryption_key && var.existing_backup_kms_key_crn != null
+  create_cross_account_kms_auth_policy        = var.existing_postgresql_instance_crn == null && !var.skip_postgresql_kms_auth_policy && var.ibmcloud_kms_api_key != null && !var.use_ibm_owned_encryption_key
+  create_cross_account_backup_kms_auth_policy = var.existing_postgresql_instance_crn == null && !var.skip_postgresql_kms_auth_policy && var.ibmcloud_kms_api_key != null && !var.use_ibm_owned_encryption_key && var.existing_backup_kms_key_crn != null
 
   # If KMS encryption enabled (and existing ES instance is not being passed), parse details from the existing key if being passed, otherwise get it from the key that the DA creates
   kms_account_id    = var.existing_postgresql_instance_crn != null || var.use_ibm_owned_encryption_key ? null : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].account_id : module.kms_instance_crn_parser[0].account_id
@@ -287,21 +272,21 @@ data "ibm_database_connection" "existing_connection" {
 # Create new instance
 module "postgresql_db" {
   count                             = var.existing_postgresql_instance_crn != null ? 0 : 1
-  source                            = "../../modules/fscloud"
+  source                            = "../../"
   depends_on                        = [time_sleep.wait_for_authorization_policy, time_sleep.wait_for_backup_kms_authorization_policy]
   resource_group_id                 = module.resource_group.resource_group_id
-  name                              = (var.prefix != null && var.prefix != "") ? "${var.prefix}-${var.name}" : var.name
+  name                              = (var.prefix != null && var.prefix != "") ? "${var.prefix}-${var.postgresql_name}" : var.postgresql_name
   region                            = var.region
   remote_leader_crn                 = var.remote_leader_crn
-  skip_iam_authorization_policy     = var.skip_pg_kms_auth_policy
-  pg_version                        = var.pg_version
+  skip_iam_authorization_policy     = var.skip_postgresql_kms_auth_policy
+  pg_version                        = var.postgresql_version
   use_ibm_owned_encryption_key      = var.use_ibm_owned_encryption_key
   kms_key_crn                       = local.kms_key_crn
   backup_encryption_key_crn         = local.backup_kms_key_crn
   use_same_kms_key_for_backups      = local.use_same_kms_key_for_backups
   use_default_backup_encryption_key = var.use_default_backup_encryption_key
-  access_tags                       = var.access_tags
-  tags                              = var.resource_tags
+  access_tags                       = var.postgresql_access_tags
+  tags                              = var.postgresql_resource_tags
   # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6141
   admin_pass               = var.remote_leader_crn == null ? local.admin_pass : null
   users                    = var.users
@@ -314,6 +299,7 @@ module "postgresql_db" {
   configuration            = var.configuration
   service_credential_names = var.service_credential_names
   backup_crn               = var.backup_crn
+  service_endpoints        = var.service_endpoints
 }
 
 locals {

solutions/standard/main.tf renamed to solutions/fully-configurable/main.tf

@@ -30,7 +30,7 @@ output "service_credentials_json" {
 
 output "service_credentials_object" {
   description = "Service credentials object"
-  value       = var.existing_postgresql_instance_crn != null ? null : module.postgresql_db[0].service_credentials_json
+  value       = var.existing_postgresql_instance_crn != null ? null : module.postgresql_db[0].service_credentials_object
   sensitive   = true
 }