feat: added support to create CBR rules using new input cbr_rules (#142)

Aayush-Abhyarthi · web-flow · commit 2bc63c8bd9bb · 2024-09-17T10:47:04.000+01:00
diff --git a/README.md b/README.md
@@ -91,7 +91,9 @@ statement instead the previous block.
 
 ### Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_cbr_rule"></a> [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.24.0 |
 
 ### Resources
 
@@ -106,6 +108,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | A list of access tags to apply to the SCC WP instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | `list(string)` | `[]` | no |
+| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create. | <pre>list(object({<br>    description = string<br>    account_id  = string<br>    tags = optional(list(object({<br>      name  = string<br>      value = string<br>    })), [])<br>    rule_contexts = list(object({<br>      attributes = optional(list(object({<br>        name  = string<br>        value = string<br>    }))) }))<br>    enforcement_mode = string<br>  }))</pre> | `[]` | no |
 | <a name="input_cloud_monitoring_instance_crn"></a> [cloud\_monitoring\_instance\_crn](#input\_cloud\_monitoring\_instance\_crn) | The CRN of an IBM Cloud Monitoring instance to connect to the SCC Workload Protection instance. | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name to give the SCC Workload Protection instance that will be provisioned by this module. | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | IBM Cloud region where all resources will be deployed | `string` | `"us-south"` | no |
diff --git a/examples/advanced/main.tf b/examples/advanced/main.tf
@@ -22,6 +22,36 @@ module "cloud_monitoring" {
   instance_name     = "${var.prefix}-cm"
 }
 
+##############################################################################
+# Get Cloud Account ID
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+##############################################################################
+# VPC
+##############################################################################
+resource "ibm_is_vpc" "example_vpc" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+##############################################################################
+# Create CBR Zone
+##############################################################################
+module "cbr_zone" {
+  source           = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-zone-module?ref=v1.2.0"
+  name             = "${var.prefix}-VPC-network-zone"
+  zone_description = "CBR Network zone representing VPC"
+  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  addresses = [{
+    type  = "vpc", # to bind a specific vpc to the zone
+    value = ibm_is_vpc.example_vpc.crn,
+  }]
+}
+
 ########################################################################################################################
 # SCC WP instance
 ########################################################################################################################
@@ -34,4 +64,29 @@ module "scc_wp" {
   resource_tags                 = var.resource_tags
   access_tags                   = var.access_tags
   cloud_monitoring_instance_crn = module.cloud_monitoring.crn
+
+  cbr_rules = [
+    {
+      description      = "${var.prefix}-SCC-WP access only from vpc"
+      enforcement_mode = "enabled"
+      account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+      tags = [
+        {
+          name  = "test-name"
+          value = "test-value"
+        }
+      ]
+      rule_contexts = [{
+        attributes = [
+          {
+            "name" : "endpointType",
+            "value" : "private"
+          },
+          {
+            name  = "networkZoneId"
+            value = module.cbr_zone.zone_id
+        }]
+      }]
+    }
+  ]
 }
diff --git a/examples/basic/version.tf b/examples/basic/version.tf
@@ -4,7 +4,7 @@ terraform {
     # Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
     ibm = {
       source  = "ibm-cloud/ibm"
-      version = "1.58.1"
+      version = "1.65.0"
     }
   }
 }
diff --git a/main.tf b/main.tf
@@ -41,3 +41,35 @@ resource "ibm_resource_tag" "scc_wp_access_tag" {
   tags        = var.access_tags
   tag_type    = "access"
 }
+
+##############################################################################
+# Context Based Restrictions
+##############################################################################
+module "cbr_rule" {
+  count            = length(var.cbr_rules) > 0 ? length(var.cbr_rules) : 0
+  source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module"
+  version          = "1.24.0"
+  rule_description = var.cbr_rules[count.index].description
+  enforcement_mode = var.cbr_rules[count.index].enforcement_mode
+  rule_contexts    = var.cbr_rules[count.index].rule_contexts
+  resources = [{
+    attributes = [
+      {
+        name     = "accountId"
+        value    = var.cbr_rules[count.index].account_id
+        operator = "stringEquals"
+      },
+      {
+        name     = "serviceInstance"
+        value    = ibm_resource_instance.scc_wp.guid
+        operator = "stringEquals"
+      },
+      {
+        name     = "serviceName"
+        value    = "Security and Compliance Center Workload Protection"
+        operator = "stringEquals"
+      }
+    ],
+    tags = var.cbr_rules[count.index].tags
+  }]
+}
diff --git a/variables.tf b/variables.tf
@@ -72,3 +72,27 @@ variable "cloud_monitoring_instance_crn" {
   description = "The CRN of an IBM Cloud Monitoring instance to connect to the SCC Workload Protection instance."
   default     = null
 }
+
+##############################################################
+# Context-based restriction (CBR)
+##############################################################
+
+variable "cbr_rules" {
+  type = list(object({
+    description = string
+    account_id  = string
+    tags = optional(list(object({
+      name  = string
+      value = string
+    })), [])
+    rule_contexts = list(object({
+      attributes = optional(list(object({
+        name  = string
+        value = string
+    }))) }))
+    enforcement_mode = string
+  }))
+  description = "The list of context-based restriction rules to create."
+  default     = []
+  # Validation happens in the rule module
+}

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ terraform {`
`4`	`4`	`# Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works`
`5`	`5`	`ibm = {`
`6`	`6`	`source = "ibm-cloud/ibm"`
`7`		`- version = "1.58.1"`
	`7`	`+ version = "1.65.0"`
`8`	`8`	`}`
`9`	`9`	`}`
`10`	`10`	`}`