feat: initial module implementation (#4)

Author: MatthewLemmond

README.md

@@ -1,20 +1,18 @@
 <!-- Update the title -->
-# Terraform Modules Template Project
+# Terraform IBM S2S Auth
 
 <!--
 Update status and "latest release" badges:
   1. For the status options, see https://github.ibm.com/GoldenEye/documentation/blob/master/status.md
   2. Update the "latest release" badge to point to the correct module's repo. Replace "module-template" in two places.
 -->
-[![Incubating (Not yet consumable)](https://img.shields.io/badge/status-Incubating%20(Not%20yet%20consumable)-red)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
+[![Stable (Adopted)](https://img.shields.io/badge/Status-Stable%20(Adopted)-yellowgreen?style=plastic)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
 [![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-s2s-auth?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-s2s-auth/releases/latest)
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
 [![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/)
 [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
 
-<!-- Add a description of module(s) in this repo -->
-TODO: Replace me with description of the module(s) in this repo
-
+This module is responsible for generating authorization policies and CBR rules that enable access permissions and restrictions between a source service and a target service
 
 <!-- Below content is automatically populated via pre-commit hook -->
 <!-- BEGIN OVERVIEW HOOK -->
@@ -49,38 +47,42 @@ unless real values don't help users know what to change.
 -->
 
 ```hcl
-
+module "service_auth_cbr_rules" {
+  # Replace "main" with a GIT release version to lock into a specific release
+  source                = "terraform-ibm-modules/s2s-auth/ibm"
+  version               = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
+  service_map           = [
+    {
+        "description"= "This is a test auth policy",
+        "enforcement_mode"= "report",
+        "roles"= [
+            "Reader"
+        ],
+        "source_resource_instance_id"= "<source_resource_instance_id>",
+        "source_service_name"= "cloud-object-storage",
+        "target_resource_instance_id"= "<target_resource_instance_id>",
+        "target_service_name"= "kms"
+    },
+    {
+        "description"= "This is a test auth policy",
+        "enforcement_mode"= "report",
+        "roles"= [
+            "Reader"
+        ],
+        "source_rg"= "<source_rg>",
+        "source_service_name"= "containers-kubernetes",
+        "target_rg"= "<target_rg>",
+        "target_service_name"= "kms"
+    }
+  ]
+}
 ```
 
 ### Required IAM access policies
 
-<!-- PERMISSIONS REQUIRED TO RUN MODULE
-If this module requires permissions, uncomment the following block and update
-the sample permissions, following the format.
-Replace the sample Account and IBM Cloud service names and roles with the
-information in the console at
-Manage > Access (IAM) > Access groups > Access policies.
--->
-
-<!--
 You need the following permissions to run this module.
 
-- Account Management
-    - **Sample Account Service** service
-        - `Editor` platform access
-        - `Manager` service access
-    - IAM Services
-        - **Sample Cloud Service** service
-            - `Administrator` platform access
--->
-
-<!-- NO PERMISSIONS FOR MODULE
-If no permissions are required for the module, uncomment the following
-statement instead the previous block.
--->
-
-<!-- No permissions are needed to run this module.-->
-
+* You must have access to the target service to create an authorization between services. You can grant only the level of access that you have as a user of the target service. For example, if you have viewer access on the target service, you can assign only the viewer role for the authorization.
 
 <!-- Below content is automatically populated via pre-commit hook -->
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -89,22 +91,36 @@ statement instead the previous block.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0, <1.6.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.56.1 |
 
 ### Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_cbr_rules"></a> [cbr\_rules](#module\_cbr\_rules) | terraform-ibm-modules/cbr/ibm//modules/cbr-service-profile | 1.12.1 |
 
 ### Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [ibm_iam_authorization_policy.auth_policies](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 
 ### Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cbr_target_service_details"></a> [cbr\_target\_service\_details](#input\_cbr\_target\_service\_details) | Details of the target service for which the rule has to be created | <pre>list(object({<br>    target_service_name = string<br>    target_rg           = optional(string)<br>    enforcement_mode    = string<br>    tags                = optional(list(string))<br>  }))</pre> | `[]` | no |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | Prefix to append when creating CBR zones and CBR rules | `string` | `null` | no |
+| <a name="input_service_map"></a> [service\_map](#input\_service\_map) | Map of source service and the corresponding target service details | <pre>list(object({<br>    source_service_name         = string<br>    target_service_name         = string<br>    roles                       = list(string)<br>    description                 = optional(string, null)<br>    source_resource_instance_id = optional(string, null)<br>    target_resource_instance_id = optional(string, null)<br>    source_resource_group_id    = optional(string, null)<br>    target_resource_group_id    = optional(string, null)<br>  }))</pre> | `[]` | no |
+| <a name="input_zone_service_ref_list"></a> [zone\_service\_ref\_list](#input\_zone\_service\_ref\_list) | Service reference for the zone creation | `list(string)` | `[]` | no |
+| <a name="input_zone_vpc_crn_list"></a> [zone\_vpc\_crn\_list](#input\_zone\_vpc\_crn\_list) | VPC CRN for the zones | `list(string)` | `[]` | no |
 
 ### Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_auth_policies"></a> [auth\_policies](#output\_auth\_policies) | Authorizations created |
+| <a name="output_cbr_rules"></a> [cbr\_rules](#output\_cbr\_rules) | CBR Rules created |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 <!-- Leave this section as is so that your module has a link to local development environment set up steps for contributors to follow -->

cra-tf-validate-ignore-rules.json

@@ -1,3 +1,16 @@
 {
-    "scc_rules": []
+  "scc_rules": [
+    {
+        "scc_rule_id": "rule-8cbd597c-7471-42bd-9c88-36b2696456e9",
+        "description": "Check whether Cloud Object Storage network access is restricted to a specific IP range",
+        "ignore_reason": "This rule is not relevant to the module itself, just the COS resource that is used in the example that is scanned",
+        "is_valid": false
+    },
+    {
+        "scc_rule_id": "rule-c97259ee-336d-4c5f-b436-1868107a9558",
+        "description": "Check whether Cloud Object Storage is enabled with customer-managed encryption and Keep Your Own Key (KYOK)",
+        "ignore_reason": "This rule is not relevant to the module itself, just the COS resource that is used in the example that is scanned",
+        "is_valid": false
+    }
+  ]
 }

examples/basic/README.md

@@ -7,5 +7,7 @@ The text below should describe exactly what resources are provisioned / configur
 -->
 
 An end-to-end basic example that will provision the following:
+
 - A new resource group if one is not passed in.
-- A new Cloud Object Storage instance.
+- An authorization policy for databases-for-postgresql -> kms.
+- A cbr rule for kms in the resource group.

examples/basic/main.tf

@@ -11,14 +11,33 @@ module "resource_group" {
 }
 
 ########################################################################################################################
-# COS instance
+# S2S Auth Module
 ########################################################################################################################
 
-resource "ibm_resource_instance" "cos_instance" {
-  name              = "${var.prefix}-cos"
-  resource_group_id = module.resource_group.resource_group_id
-  service           = "cloud-object-storage"
-  plan              = "standard"
-  location          = "global"
-  tags              = var.resource_tags
+locals {
+  # generate a service_map
+  service_map = [{
+    source_service_name         = "databases-for-postgresql"
+    target_service_name         = "kms"
+    roles                       = ["Reader"]
+    description                 = "This is a test policy"
+    source_resource_instance_id = null
+    target_resource_instance_id = null
+    source_resource_group_id    = module.resource_group.resource_group_id
+    target_resource_group_id    = module.resource_group.resource_group_id
+    }
+  ]
+  cbr_target_service_details = [{
+    target_service_name = "kms"
+    target_rg           = module.resource_group.resource_group_id
+    enforcement_mode    = "report"
+  }]
+}
+
+module "service_auth_cbr_rules" {
+  source                     = "../.."
+  service_map                = local.service_map
+  cbr_target_service_details = local.cbr_target_service_details
+  prefix                     = var.prefix
+  zone_service_ref_list      = ["databases-for-postgresql"]
 }

examples/basic/outputs.tf

@@ -2,17 +2,7 @@
 # Outputs
 ########################################################################################################################
 
-output "cos_instance_id" {
-  description = "COS instance id"
-  value       = ibm_resource_instance.cos_instance.id
-}
-
-output "resource_group_name" {
-  description = "Resource group name"
-  value       = module.resource_group.resource_group_name
-}
-
-output "resource_group_id" {
-  description = "Resource group ID"
-  value       = module.resource_group.resource_group_id
+output "service_auth_cbr_rules" {
+  description = "Details of rules created"
+  value       = module.service_auth_cbr_rules
 }

examples/basic/variables.tf

@@ -17,17 +17,11 @@ variable "region" {
 variable "prefix" {
   type        = string
   description = "Prefix to append to all resources created by this example"
-  default     = "basic"
+  default     = "basic-s2s"
 }
 
 variable "resource_group" {
   type        = string
   description = "The name of an existing resource group to provision resources in to. If not set a new resource group will be created using the prefix variable"
   default     = null
 }
-
-variable "resource_tags" {
-  type        = list(string)
-  description = "Optional list of tags to be added to created resources"
-  default     = []
-}

examples/basic/version.tf

@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = "1.49.0"
+      version = "1.56.1"
     }
   }
 }

examples/complete/README.md

@@ -2,3 +2,11 @@
 
 <!-- There is a pre-commit hook that will take the title of each example add include it in the repos main README.md  -->
 <!-- Add text below should describe exactly what resources are provisioned / configured by the example  -->
+
+An example that creates authentication policies and context based restrictions
+
+This example uses the IBM Cloud terraform provider to:
+
+- Create resource groups if not provided
+- Create a Cloud Object Storage and Key protect instance instance
+- Create auth policies and CBR rules for the newly created services

examples/complete/main.tf

@@ -1,3 +1,95 @@
 ##############################################################################
 # Complete example
 ##############################################################################
+
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.0"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+# Create COS instance
+module "cos_instance" {
+  source                 = "terraform-ibm-modules/cos/ibm"
+  version                = "6.12.2"
+  cos_instance_name      = "${var.prefix}-cos"
+  kms_encryption_enabled = false
+  retention_enabled      = false
+  resource_group_id      = module.resource_group.resource_group_id
+  bucket_name            = "${var.prefix}-cos-bucket"
+}
+
+# Create Key Protect instance
+module "key_protect_instance" {
+  source            = "terraform-ibm-modules/key-protect/ibm"
+  version           = "2.3.1"
+  key_protect_name  = "${var.prefix}-key-protect"
+  resource_group_id = module.resource_group.resource_group_id
+  plan              = "tiered-pricing"
+  region            = var.region
+  tags              = var.resource_tags
+}
+
+resource "ibm_is_vpc" "vpc_instance" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+# generate a service_map
+locals {
+  service_map = [
+    {
+      source_service_name         = "cloud-object-storage"
+      target_service_name         = "kms"
+      roles                       = ["Reader"]
+      description                 = "This is a test policy"
+      source_resource_instance_id = module.cos_instance.cos_instance_id
+      target_resource_instance_id = module.key_protect_instance.key_protect_guid
+      source_resource_group_id    = null
+      target_resource_group_id    = null
+    },
+    {
+      source_service_name         = "cloud-object-storage"
+      target_service_name         = "kms"
+      roles                       = ["Reader"]
+      description                 = "This is a test policy"
+      source_resource_instance_id = null
+      target_resource_instance_id = module.key_protect_instance.key_protect_guid
+      source_resource_group_id    = module.resource_group.resource_group_id
+      target_resource_group_id    = null
+    },
+    {
+      source_service_name         = "cloud-object-storage"
+      target_service_name         = "kms"
+      roles                       = ["Reader"]
+      description                 = "This is a test policy"
+      source_resource_instance_id = module.cos_instance.cos_instance_id
+      target_resource_instance_id = null
+      source_resource_group_id    = null
+      target_resource_group_id    = module.resource_group.resource_group_id
+    }
+  ]
+  cbr_target_service_details = [
+    {
+      target_service_name = "kms"
+      target_rg           = module.resource_group.resource_group_id
+      enforcement_mode    = var.enforcement_mode
+    }
+  ]
+}
+
+module "service_auth_cbr_rules" {
+  source                     = "../.."
+  service_map                = local.service_map
+  cbr_target_service_details = local.cbr_target_service_details
+  prefix                     = var.prefix
+  zone_vpc_crn_list          = [ibm_is_vpc.vpc_instance.crn]
+  zone_service_ref_list      = ["cloud-object-storage"]
+}

examples/complete/outputs.tf

@@ -2,22 +2,17 @@
 # Outputs
 ##############################################################################
 
-output "region" {
-  description = "The region all resources were provisioned in"
-  value       = var.region
+output "cos_instance" {
+  description = "COS instance"
+  value       = module.resource_group.resource_group_id
 }
 
-output "prefix" {
-  description = "The prefix used to name all provisioned resources"
-  value       = var.prefix
+output "key_protect_instance_guid" {
+  description = "Key protect instance"
+  value       = module.key_protect_instance.key_protect_guid
 }
 
-output "resource_group_name" {
-  description = "The name of the resource group used"
-  value       = var.resource_group
-}
-
-output "resource_tags" {
-  description = "List of resource tags"
-  value       = var.resource_tags
+output "service_auth_cbr_rules" {
+  description = "Details of rules created"
+  value       = module.service_auth_cbr_rules
 }