b6a7564
feat: added fscloud profile
Ak-sky May 11, 2023
8b29f34
feat: fixed pr_test
Ak-sky May 11, 2023
3c642cd
feat: fixed pr_test
Ak-sky May 12, 2023
bf390d5
feat: fixed ci env vars
Ak-sky May 12, 2023
90bc1a4
feat: added kms_encryption_enabled variable and cra ignore
Ak-sky May 15, 2023
9c4484f
feat: fscloud profile fixes
Ak-sky May 15, 2023
03eabd4
Merge branch 'main' into es-fscloud
Ak-sky May 22, 2023
ab1cf2e
feat: fscloud profile fixes
Ak-sky May 22, 2023
9014cf7
Merge branch 'main' into es-fscloud
Ak-sky May 29, 2023
decb6dd
feat: fscloud profile fixes
Ak-sky May 29, 2023
d54c1a3
feat: fscloud profile fixes
Ak-sky May 29, 2023
e07df40
feat: fscloud profile fixes
Ak-sky May 31, 2023
7ef88a3
Merge branch 'es-fscloud' of github.com:terraform-ibm-modules/terrafo…
Ak-sky May 31, 2023
1e9433e
refactor: added standard plan for basic ex.
Ak-sky Jun 1, 2023
465a5a1
refactor: removed rule form ignore file (CRA v1.36)
Ak-sky Jun 1, 2023
a277093
Revert "refactor: removed rule form ignore file (CRA v1.36)"
Ak-sky Jun 1, 2023
c742a09
refactor: addressed the review comments
Ak-sky Jun 2, 2023
b70d544
Merge branch 'main' into es-fscloud
Ak-sky Jun 2, 2023
bf87ba2
Merge branch 'es-fscloud' of github.com:terraform-ibm-modules/terrafo…
Ak-sky Jun 2, 2023
200ec56
refactor: addressed the review comments
Ak-sky Jun 2, 2023
1bda608
refactor: addressed the review comments
Ak-sky Jun 3, 2023
069d940
refactor: addressed the review comments
Ak-sky Jun 3, 2023
1e91667
doc: addressed review comments
Ak-sky Jun 7, 2023
091dfec
doc: addressed review comments
Ak-sky Jun 7, 2023
1acf14d
refactor: removed cbr from complete ex and skipping upgrade test
Ak-sky Jun 9, 2023
a7509ef
refactor: added the complete ex back in pr test
Ak-sky Jun 9, 2023
4b09014
refactor: modified readme
Ak-sky Jun 9, 2023
8cad5fa
refactor: modified complete ex and SKIP UPGRADE TEST due to CBR in ma…
Ak-sky Jun 9, 2023
feat: fscloud profile fixes
Ak-sky committed May 31, 2023
commit e07df40cc27d555fa8c5e045ef22594aaa3386a0
14 changes: 13 additions & 1 deletion .secrets.baseline
Expand Up @@ -3,14 +3,17 @@
"files": "go.sum|^.secrets.baseline$",
"lines": null
},
"generated_at": "2023-05-05T09:58:47Z",
"generated_at": "2023-05-31T21:39:59Z",
"plugins_used": [
{
"name": "AWSKeyDetector"
},
{
"name": "ArtifactoryDetector"
},
{
"name": "AzureStorageKeyDetector"
},
{
"base64_limit": 4.5,
"name": "Base64HighEntropyString"
Expand All @@ -28,6 +31,9 @@
"ghe_instance": "github.ibm.com",
"name": "GheDetector"
},
{
"name": "GitHubTokenDetector"
},
{
"hex_limit": 3,
"name": "HexHighEntropyString"
Expand All @@ -48,6 +54,9 @@
{
"name": "MailchimpDetector"
},
{
"name": "NpmDetector"
},
{
"name": "PrivateKeyDetector"
},
Expand All @@ -57,6 +66,9 @@
{
"name": "SoftlayerDetector"
},
{
"name": "SquareOAuthDetector"
},
{
"name": "StripeDetector"
},
2 changes: 1 addition & 1 deletion cra-tf-validate-ignore-rules.json
Expand Up @@ -8,7 +8,7 @@
},
{
"scc_rule_id": "rule-216e2449-27d7-4afc-929a-b66e196a9cf9",
"description": "Check whether Flow Logs for VPC are enabled Found in: resource_address: module.event_streams.ibm_resource_instance.es_instance",
"description": "Check whether Flow Logs for VPC are enabled Found in: resource_address:ibm_is_vpc.example_vpc",
"ignore_reason": "This rule is not relevant to the module itself, just the VPC resource is used in the example that is scanned",
"is_valid": false
}
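--- a/examples/fscloud/main.tf
+++ b/examples/fscloud/main.tf
@@ -9,6 +9,37 @@ module "resource_group" {
 existing_resource_group_name = var.resource_group
 }
 
+##############################################################################
+# Get Cloud Account ID
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+##############################################################################
+# VPC
+##############################################################################
+resource "ibm_is_vpc" "example_vpc" {
+name = "${var.prefix}-vpc"
+resource_group = module.resource_group.resource_group_id
+tags = var.resource_tags
+}
+
+##############################################################################
+# Create CBR Zone
+##############################################################################
+module "cbr_zone" {
+source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-zone-module?ref=v1.2.0"
+name = "${var.prefix}-VPC-network-zone"
+zone_description = "CBR Network zone representing VPC"
+account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
+addresses = [{
+type = "vpc", # to bind a specific vpc to the zone
+value = ibm_is_vpc.example_vpc.crn,
+}]
+}
+
+
 # #############################################################################
 # Events-streams-instance
 # #############################################################################
@@ -23,4 +54,22 @@ module "event_streams" {
 schemas = var.schemas
 tags = var.resource_tags
 topics = var.topics
+cbr_rules = [
+{
+description = "${var.prefix}-event stream access only from vpc"
+enforcement_mode = "enabled"
+account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
+rule_contexts = [{
+attributes = [
+{
+"name" : "endpointType",
+"value" : "private"
+},
+{
+name = "networkZoneId"
+value = module.cbr_zone.zone_id
+}]
+}]
+}
+]
 }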
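Review bot: The two entries in `attributes` are written in different syntaxes — the first uses JSON-style `"name" : "endpointType"` / `"value" : "private"`, the second HCL-style `name = "networkZoneId"`; both parse, but the mixed form reads like a mistake, so write the first entry as `name = "endpointType"` and `value = "private"` to match. As I read the rule, `enforcement_mode = "enabled"` combined with the private-endpoint and network-zone attributes means the instance is reachable only over private endpoints from inside `example_vpc` once the rule applies, so anyone running this example from outside that VPC loses data-plane access; a short comment on the `enforcement_mode` line stating that intent would save the next reader a surprise. The two consecutive blank lines after the `cbr_zone` module block should be collapsed to one.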
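--- a/profiles/fscloud/main.tf
+++ b/profiles/fscloud/main.tf
@@ -11,4 +11,5 @@ module "event_streams" {
 tags = var.tags
 topics = var.topics
 service_endpoints = "private"
+cbr_rules = var.cbr_rules
 }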
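--- a/profiles/fscloud/variables.tf
+++ b/profiles/fscloud/variables.tf
@@ -103,3 +103,23 @@ variable "skip_iam_authorization_policy" {
 description = "Set to true to skip the creation of an IAM authorization policy that permits all mongodb instances in the provided resource group reader access to the instance specified in the existing_kms_instance_guid variable."
 default = false
 }
+
+##############################################################
+# Context-based restriction (CBR)
+##############################################################
+
+variable "cbr_rules" {
+type = list(object({
+description = string
+account_id = string
+rule_contexts = list(object({
+attributes = optional(list(object({
+name = string
+value = string
+}))) }))
+enforcement_mode = string
+}))
+description = "(Optional, list) List of CBR rules to create"
+default = []
+# Validation happens in the rule module
+}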
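Review bot: `cbr_rules` defaults to `[]` and is described only as "(Optional, list)", so a consumer of this fscloud profile who omits the variable gets an instance with no context-based restriction at all, and nothing in the description says so; I would make that explicit, e.g. `description = "(Optional, list) List of CBR rules to create. With the default [] no network restriction is applied to the instance."`. `enforcement_mode` is typed as a bare `string` and the trailing comment defers validation to the rule module, which is fine, but naming the accepted values in the description (the example in this commit passes `"enabled"`) would help callers get it right the first time. Outside this hunk's added lines but visible in its context, the `skip_iam_authorization_policy` description talks about "mongodb instances", which looks like a copy-paste from another module and is worth fixing in a follow-up.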