feat:exposing CBRs in DA

README.md

@@ -94,7 +94,7 @@ You need the following permissions to run this module.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_allowed_network"></a> [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. | `string` | `"public-and-private"` | no |
-| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>  }))</pre> | `[]` | no |
+| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_enable_event_notification"></a> [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null. | `bool` | `false` | no |
 | <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"public"` | no |
 | <a name="input_existing_en_instance_crn"></a> [existing\_en\_instance\_crn](#input\_existing\_en\_instance\_crn) | The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance. | `string` | `null` | no |

ibm_catalog.json

@@ -246,6 +246,9 @@
             },
             {
               "key": "skip_event_notification_iam_authorization_policy"
+            },
+            {
+              "key":"cbr_rules"
             }
           ],
           "architecture": {

modules/fscloud/README.md

@@ -47,7 +47,7 @@ No resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (list) List of CBR rules to create | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>  }))</pre> | `[]` | no |
+| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (list) List of CBR rules to create | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_enable_event_notification"></a> [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` variable. | `bool` | `false` | no |
 | <a name="input_existing_en_instance_crn"></a> [existing\_en\_instance\_crn](#input\_existing\_en\_instance\_crn) | The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance. | `string` | `null` | no |
 | <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services instance in which the key specified in `kms_key_crn` is coming from. | `string` | n/a | yes |

modules/fscloud/variables.tf

@@ -84,6 +84,11 @@ variable "cbr_rules" {
         value = string
     }))) }))
     enforcement_mode = string
+    operations = optional(list(object({
+      api_types = list(object({
+        api_type_id = string
+      }))
+    })))
   }))
   description = "(list) List of CBR rules to create"
   default     = []

solutions/standard/DA-cbr_rules.md

@@ -0,0 +1,62 @@
+# Configuring complex inputs for Secrets Manager in IBM Cloud projects
+
+Several optional input variables in the IBM Cloud [Secrets Manager deployable architecture](https://cloud.ibm.com/catalog#deployable_architecture) use complex object types. You specify these inputs when you configure deployable architecture.
+
+* Context-Based Restrictions Rules (`cbr_rules`)
+
+
+## Rules For Context-Based Restrictions <a name="cbr_rules"></a>
+
+The `cbr_rules` input variable allows you to provide a rule for the target service to enforce access restrictions for the service based on the context of access requests. Contexts are criteria that include the network location of access requests, the endpoint type from where the request is sent, etc.
+
+- Variable name: `cbr_rules`.
+- Type: A list of objects. Allows only one object representing a rule for the target service
+- Default value: An empty list (`[]`).
+
+### Options for cbr_rules
+
+  - `description` (required): The description of the rule to create.
+  - `account_id` (required): The IBM Cloud Account ID
+  - `rule_contexts` (required): (List) The contexts the rule applies to
+      - `attributes` (optional): (List) Individual context attributes
+        - `name` (required): The attribute name.
+        - `value`(required): The attribute value.
+
+  - `enforcement_mode` (required): The rule enforcement mode can have the following values:
+      - `enabled` - The restrictions are enforced and reported. This is the default.
+      - `disabled` - The restrictions are disabled. Nothing is enforced or reported.
+      - `report` - The restrictions are evaluated and reported, but not enforced.
+  - `operations` (optional): The operations this rule applies to
+    - `api_types`(required): (List) The API types this rule applies to.
+        - `api_type_id`(required):The API type ID
+
+
+### Example Rule For Context-Based Restrictions Configuration
+
+```hcl
+cbr_rules = [
+  {
+  description = "Secrets Manager can be accessed from xyz"
+  account_id = "defc0df06b644a9cabc6e44f55b3880s."
+  rule_contexts= [{
+      attributes = [
+                {
+                              "name" : "endpointType",
+                              "value" : "private"
+                },
+                {
+                  name  = "networkZoneId"
+                  value = "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret
+                }
+        ]
+     }
+   ]
+  enforcement_mode = "enabled"
+  operations = [{
+    api_types = [{
+     api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+      }]
+    }]
+  }
+]
+```

solutions/standard/main.tf

@@ -119,6 +119,7 @@ module "secrets_manager" {
   existing_en_instance_crn         = var.existing_event_notification_instance_crn
   skip_en_iam_authorization_policy = var.skip_event_notification_iam_authorization_policy
   endpoint_type                    = local.sm_endpoint_type
+  cbr_rules                        = var.cbr_rules
 }
 
 # Configure an IBM Secrets Manager IAM credentials engine for an existing IBM Secrets Manager instance.

solutions/standard/variables.tf

@@ -291,3 +291,27 @@ variable "sm_en_reply_to_email" {
   description = "The email address used in the 'reply_to' of any Secret Manager event coming from Event Notifications"
   default     = "[email protected]"
 }
+##############################################################
+# Context-based restriction (CBR)
+##############################################################
+
+variable "cbr_rules" {
+  type = list(object({
+    description = string
+    account_id  = string
+    rule_contexts = list(object({
+      attributes = optional(list(object({
+        name  = string
+        value = string
+    }))) }))
+    enforcement_mode = string
+    operations = optional(list(object({
+      api_types = list(object({
+        api_type_id = string
+      }))
+    })))
+  }))
+  description = "(Optional, list) List of CBR rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/solutions/standard/DA-cbr_rules.md)"
+  default     = []
+  # Validation happens in the rule module
+}

variables.tf

@@ -87,6 +87,11 @@ variable "cbr_rules" {
         value = string
     }))) }))
     enforcement_mode = string
+    operations = optional(list(object({
+      api_types = list(object({
+        api_type_id = string
+      }))
+    })))
   }))
   description = "(Optional, list) List of CBR rules to create"
   default     = []