fix: cleanup the KMS validation logic + other cleanup

.secrets.baseline

@@ -3,7 +3,7 @@
  "files": "go.sum|^.secrets.baseline$",
  "lines": null
  },
- "generated_at": "2023-05-05T07:46:50Z",
+ "generated_at": "2023-05-11T10:56:04Z",
  "plugins_used": [
  {
  "name": "AWSKeyDetector"
@@ -76,18 +76,7 @@
  "name": "TwilioKeyDetector"
  }
  ],
- "results": {
- "README.md": [
- {
- "hashed_secret": "8acbd0ff478f744859b92e1251622e4124bceef0",
- "is_secret": false,
- "is_verified": false,
- "line_number": 24,
- "type": "Secret Keyword",
- "verified_result": null
- }
- ]
- },
+ "results": {},
  "version": "0.13.1+ibm.60.dss",
  "word_list": {
  "file": null,

README.md

@@ -1,8 +1,5 @@
-<!-- BEGIN MODULE HOOK -->
-
-<!-- Update the title to match the module name and add a description -->
 # IBM Cloud Databases for ICD Postgresql module
-<!-- UPDATE BADGE: Update the link for the following badge-->
+
 [![Stable (With quality checks)](https://img.shields.io/badge/Status-Stable%20(With%20quality%20checks)-green?style=plastic)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
 [![Build status](https://github.com/terraform-ibm-modules/terraform-ibm-module-template/actions/workflows/ci.yml/badge.svg)](https://github.com/terraform-ibm-modules/terraform-ibm-module-template/actions/workflows/ci.yml)
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
@@ -19,11 +16,10 @@
 
 ```hcl
 module "postgresql_db" {
- # replace main with version
- source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-icd-postgresql?ref=main"
- admin_password = var.admin_password
- resource_group_id = module.resource_group.resource_group_id
- name = var.name
+ # Replace "main" with a GIT release version to lock into a specific release
+ source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-icd-postgresql?ref=main"
+ resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
+ name = "my-instance"
 }
 ```
 
@@ -34,7 +30,6 @@ You need the following permissions to run this module.
 - Account Management
  - **Databases for PostgreSQL** service
  - `Editor` role access
-<!-- END MODULE HOOK -->
 
 ## Read-only Replica considerations
 
@@ -85,30 +80,30 @@ You need the following permissions to run this module.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_allowlist"></a> [allowlist](#input\_allowlist) | Set of IP address and description to allowlist in database | <pre>list(object({<br> address = optional(string)<br> description = optional(string)<br> }))</pre> | `[]` | no |
-| <a name="input_auto_scaling"></a> [auto\_scaling](#input\_auto\_scaling) | (Optional) Configure rules to allow your database to automatically increase its resources. Single block of autoscaling is allowed at once. | <pre>object({<br> cpu = object({<br> rate_increase_percent = optional(number, 10)<br> rate_limit_count_per_member = optional(number, 20)<br> rate_period_seconds = optional(number, 900)<br> rate_units = optional(string, "count")<br> })<br> disk = object({<br> capacity_enabled = optional(bool, false)<br> free_space_less_than_percent = optional(number, 10)<br> io_above_percent = optional(number, 90)<br> io_enabled = optional(bool, false)<br> io_over_period = optional(string, "15m")<br> rate_increase_percent = optional(number, 10)<br> rate_limit_mb_per_member = optional(number, 3670016)<br> rate_period_seconds = optional(number, 900)<br> rate_units = optional(string, "mb")<br> })<br> memory = object({<br> io_above_percent = optional(number, 90)<br> io_enabled = optional(bool, false)<br> io_over_period = optional(string, "15m")<br> rate_increase_percent = optional(number, 10)<br> rate_limit_mb_per_member = optional(number, 114688)<br> rate_period_seconds = optional(number, 900)<br> rate_units = optional(string, "mb")<br> })<br> })</pre> | `null` | no |
+| <a name="input_auto_scaling"></a> [auto\_scaling](#input\_auto\_scaling) | Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://ibm.biz/autoscaling-considerations in the IBM Cloud Docs. | <pre>object({<br> cpu = object({<br> rate_increase_percent = optional(number, 10)<br> rate_limit_count_per_member = optional(number, 20)<br> rate_period_seconds = optional(number, 900)<br> rate_units = optional(string, "count")<br> })<br> disk = object({<br> capacity_enabled = optional(bool, false)<br> free_space_less_than_percent = optional(number, 10)<br> io_above_percent = optional(number, 90)<br> io_enabled = optional(bool, false)<br> io_over_period = optional(string, "15m")<br> rate_increase_percent = optional(number, 10)<br> rate_limit_mb_per_member = optional(number, 3670016)<br> rate_period_seconds = optional(number, 900)<br> rate_units = optional(string, "mb")<br> })<br> memory = object({<br> io_above_percent = optional(number, 90)<br> io_enabled = optional(bool, false)<br> io_over_period = optional(string, "15m")<br> rate_increase_percent = optional(number, 10)<br> rate_limit_mb_per_member = optional(number, 114688)<br> rate_period_seconds = optional(number, 900)<br> rate_units = optional(string, "mb")<br> })<br> })</pre> | `null` | no |
 | <a name="input_backup_crn"></a> [backup\_crn](#input\_backup\_crn) | The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty. | `string` | `null` | no |
-| <a name="input_backup_encryption_key_crn"></a> [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | (Optional) The CRN of a Key Protect Key to use for encrypting backups. If left null, the value passed for the 'kms\_key\_crn' variable will be used. Take note that Hyper Protect Crypto Services for IBM Cloud® Databases backups is not currently supported. | `string` | `null` | no |
+| <a name="input_backup_encryption_key_crn"></a> [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The CRN of a Key Protect key, that you want to use for encrypting disk that holds deployment backups. Only used if var.kms\_encryption\_enabled is set to true. If no value passed, the value passed for the 'kms\_key\_crn' variable will be used. BYOK for backups is available only in US regions us-south and us-east, and eu-de. Only keys in the us-south and eu-de are durable to region failures. To ensure that your backups are available even if a region failure occurs, you must use a key from us-south or eu-de. Take note that Hyper Protect Crypto Services for IBM Cloud® Databases backups is not currently supported. | `string` | `null` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br> description = string<br> account_id = string<br> rule_contexts = list(object({<br> attributes = optional(list(object({<br> name = string<br> value = string<br> }))) }))<br> enforcement_mode = string<br> }))</pre> | `[]` | no |
 | <a name="input_configuration"></a> [configuration](#input\_configuration) | (Optional, Json String) Database Configuration in JSON format. | <pre>object({<br> max_connections = optional(number)<br> max_prepared_transactions = optional(number)<br> deadlock_timeout = optional(number)<br> effective_io_concurrency = optional(number)<br> max_replication_slots = optional(number)<br> max_wal_senders = optional(number)<br> shared_buffers = optional(number)<br> synchronous_commit = optional(string)<br> wal_level = optional(string)<br> archive_timeout = optional(number)<br> log_min_duration_statement = optional(number)<br> })</pre> | `null` | no |
-| <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect or Key Protect instance in which the key specified in var.kms\_key\_crn is coming from. Only required if skip\_iam\_authorization\_policy is false | `string` | `null` | no |
-| <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | (Optional) The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Service (HPCS) that you want to use for disk encryption. If `null`, database is encrypted by using randomly generated keys. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok for current list of supported regions for BYOK | `string` | `null` | no |
+| <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect or Key Protect instance in which the key specified in var.kms\_key\_crn and var.backup\_encryption\_key\_crn is coming from. Only required if var.kms\_encryption\_enabled is 'true', var.skip\_iam\_authorization\_policy is 'false', and passing a value for var.kms\_key\_crn and/or var.backup\_encryption\_key\_crn. | `string` | `null` | no |
+| <a name="input_kms_encryption_enabled"></a> [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud® Databases. If set to false, the data is encrypted by using randomly generated keys. For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs | `bool` | `false` | no |
+| <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Services like Key Protect or Hyper Protect Crypto Service (HPCS) that you want to use for disk encryption. Only used if var.kms\_encryption\_enabled is set to true. | `string` | `null` | no |
 | <a name="input_member_cpu_count"></a> [member\_cpu\_count](#input\_member\_cpu\_count) | CPU allocation required for postgresql database | `string` | `"3"` | no |
 | <a name="input_member_disk_mb"></a> [member\_disk\_mb](#input\_member\_disk\_mb) | Disk allocation required for postgresql database | `string` | `"5120"` | no |
 | <a name="input_member_memory_mb"></a> [member\_memory\_mb](#input\_member\_memory\_mb) | Memory allocation required for postgresql database | `string` | `"1024"` | no |
 | <a name="input_members"></a> [members](#input\_members) | Number of members | `number` | `3` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of the Postgresql instance | `string` | n/a | yes |
 | <a name="input_pg_version"></a> [pg\_version](#input\_pg\_version) | Version of the postgresql instance | `string` | `null` | no |
-| <a name="input_pitr_id"></a> [pitr\_id](#input\_pitr\_id) | (Optional) The ID of the postgresql instance that you want to recover back to. Here ID of the postgresql instance is expected to be up and in running state. | `string` | `null` | no |
-| <a name="input_pitr_time"></a> [pitr\_time](#input\_pitr\_time) | (Optional) The timestamp in UTC format (%Y-%m-%dT%H:%M:%SZ) that you want to restore to. To retrieve the timestamp, run the command (ibmcloud cdb postgresql earliest-pitr-timestamp <deployment name or CRN>) | `string` | `null` | no |
+| <a name="input_pitr_id"></a> [pitr\_id](#input\_pitr\_id) | (Optional) The ID of the source deployment PostgreSQL instance that you want to recover back to. The PostgreSQL instance is expected to be in an up and in running state. | `string` | `null` | no |
+| <a name="input_pitr_time"></a> [pitr\_time](#input\_pitr\_time) | (Optional) The timestamp in UTC format (%Y-%m-%dT%H:%M:%SZ) that you want to restore to. To retrieve the timestamp, run the command (ibmcloud cdb postgresql earliest-pitr-timestamp <deployment name or CRN>). For more info on Point-in-time Recovery, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-pitr | `string` | `null` | no |
 | <a name="input_plan_validation"></a> [plan\_validation](#input\_plan\_validation) | Enable or disable validating the database parameters for postgres during the plan phase | `bool` | `true` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region postgresql is to be created on. The region must support BYOK region if Key Protect Key is used or KYOK region if Hyper Protect Crypto Service (HPCS) is used. | `string` | `"us-south"` | no |
 | <a name="input_remote_leader_crn"></a> [remote\_leader\_crn](#input\_remote\_leader\_crn) | The CRN of the leader database to make the replica(read-only) deployment. | `string` | `null` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the postgresql will be created | `string` | n/a | yes |
-| <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | Optional list of tags to be added to created resources | `list(string)` | `[]` | no |
+| <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | Optional list of tags to be added to the newly provisioned PostgreSQL instance and the associated service credentials. | `list(string)` | `[]` | no |
 | <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | Map of name, role for service credentials that you want to create for the database | `map(string)` | `{}` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Sets the endpoint of the Postgresql instance, valid values are 'public', 'private', or 'public-and-private' | `string` | `"private"` | no |
-| <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all PostgreSQL database instances in the given Resource group to read the encryption key from the Hyper Protect or Key Protect instance in `existing_kms_instance_guid`. | `bool` | `true` | no |
+| <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all PostgreSQL database instances in the given resource group to read the encryption key from the Hyper Protect or Key Protect instance passed in var.existing\_kms\_instance\_guid. If set to 'false', a value must be passed for var.existing\_kms\_instance\_guid. No policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no |
 
 ## Outputs
 

examples/complete/main.tf

@@ -73,6 +73,7 @@ module "postgresql_db" {
  region = var.region
  service_endpoints = "private"
  pg_version = var.pg_version
+ kms_encryption_enabled = true
  kms_key_crn = module.key_protect_all_inclusive.keys["icd-pg.${var.prefix}-pg"].crn
  resource_tags = var.resource_tags
  service_credential_names = var.service_credential_names

examples/fscloud/README.md

@@ -1,17 +1,21 @@
 # Financial Services Cloud profile example
 
-## *Note:* This example is only deploying Postgresql in a compliant manner the other infrastructure is not necessarily compliant.
+An end-to-end example that uses the [Profile for IBM Cloud Framework for Financial Services](../../profiles/fscloud/) to deploy an instance of IBM Cloud Databases for PostgreSQL.
 
-### Requirements
-This example expects you have Hyper Protect Crypto Service instances in the region you wish to deploy your Postgresql database instance.
+The example uses the IBM Cloud Terraform provider to create the following infrastructure:
 
-### Deploys
-An example using the fscloud profile to deploy a compliant Postgresql instance. This example uses the IBM Cloud terraform provider to:
+- A resource group, if one is not passed in.
+- A Key Protect instance with a root key.
+- Backend encryption that uses the generated Key Protect key.
+- An IAM authorization between the PostgreSQL database resource group and the Key Protect instance for the `backup_encryption_key_crn`. This is because backup encryption keys are not yet supported by Hyper Protect Crypto Services.
+- An IAM authorization between the PostgreSQL database resource group and the Hyper Protect Crypto Services permanent instance.
+- An IBM Cloud Databases PostgreSQL database instance and credentials that are encrypted with the Hyper Protect Crypto Services resources that are passed in.
+- A sample virtual private cloud (VPC).
+- A context-based restriction (CBR) rule to prevent access from the VPC except to the PostgreSQL database.
 
-- Create a new resource group if one is not passed in.
-- Create a Key protect instance and generate backup encryption key.
-- Create an IAM Authorization between PostgreSQL Database Resource group and Key Protect Instance for backup_encryption_key_crn as backup encryption key is not supported by Hyper Protect instances yet.
-- Create an IAM Authorization between PostgreSQL Database Resource group and HPSC permanent Instance.
-- Create a new ICD Postgresql database instance and credentials that is encrypted using the Hyper Protect Crypto Service resources that are passed in.
-- Create a Sample VPC.
-- Create Context Based Restriction(CBR) to only allow Postgresql to be accessible from the VPC.
+:exclamation: **Important:** In this example, only the IBM Cloud Databases for PostgreSQL instance complies with the IBM Cloud Framework for Financial Services. Other parts of the infrastructure do not necessarily comply.
+
+## Before you begin
+
+- You need Hyper Protect Crypto Service instances available in the two regions that you want to deploy your PostgreSQL database instance.
+- You must deploy into an account that complies with the framework.

examples/fscloud/main.tf

@@ -15,7 +15,7 @@ module "resource_group" {
 
 # Need Key Protect instance for backup_encryption_key_crn as backup encryption key is not supported by Hyper Protect instaces yet.
 module "key_protect_all_inclusive" {
- source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-all-inclusive.git?ref=v4.0.0"
+ source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-all-inclusive.git?ref=v4.1.0"
  resource_group_id = module.resource_group.resource_group_id
  # Note: Database instance and Key Protect must be created in the same region when using BYOK
  # See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok
@@ -77,11 +77,13 @@ module "cbr_zone" {
 ##############################################################################
 
 module "postgresql_db" {
+ depends_on = [ibm_iam_authorization_policy.policy]
  source = "../../profiles/fscloud"
  resource_group_id = module.resource_group.resource_group_id
  name = "${var.prefix}-postgres"
  region = var.region
  pg_version = var.pg_version
+ kms_encryption_enabled = true
  kms_key_crn = var.kms_key_crn
  existing_kms_instance_guid = var.existing_kms_instance_guid
  resource_tags = var.resource_tags