feat: add fscloud added pre-wired rule for AT -> COS (#296)

Co-authored-by: Vincent Burckhardt <vincent.burckhardt@ie.ibm.com>

Author: Ak-sky

common-dev-assets

@@ -67,6 +67,7 @@ module "cbr_account_level" {
   allow_roks_to_kms                = var.allow_roks_to_kms
   allow_vpcs_to_container_registry = var.allow_vpcs_to_container_registry
   allow_vpcs_to_cos                = var.allow_vpcs_to_cos
+  allow_at_to_cos                  = var.allow_at_to_cos
 
   # Demonstrates how zone creation will be skipped for these two service references ["user-management", "iam-groups"]
   skip_specific_services_for_zone_creation = ["user-management", "iam-groups"]

examples/fscloud/main.tf

@@ -30,30 +30,36 @@ variable "resource_tags" {
 
 variable "allow_cos_to_kms" {
   type        = bool
-  description = "Set rule for COS to KMS, deafult is true"
+  description = "Set rule for COS to KMS, default is true"
   default     = true
 }
 
 variable "allow_block_storage_to_kms" {
   type        = bool
-  description = "Set rule for block storage to KMS, deafult is true"
+  description = "Set rule for block storage to KMS, default is true"
   default     = true
 }
 
 variable "allow_roks_to_kms" {
   type        = bool
-  description = "Set rule for ROKS to KMS, deafult is true"
+  description = "Set rule for ROKS to KMS, default is true"
   default     = true
 }
 
 variable "allow_vpcs_to_container_registry" {
   type        = bool
-  description = "Set rule for VPCs to container registry, deafult is true"
+  description = "Set rule for VPCs to container registry, default is true"
   default     = true
 }
 
 variable "allow_vpcs_to_cos" {
   type        = bool
-  description = "Set rule for VPCs to COS, deafult is true"
+  description = "Set rule for VPCs to COS, default is true"
+  default     = true
+}
+
+variable "allow_at_to_cos" {
+  type        = bool
+  description = "Set rule for Activity Tracker to COS, default is true"
   default     = true
 }

examples/fscloud/variables.tf

@@ -45,11 +45,12 @@ The services 'compliance', 'directlink', 'iam-groups', 'containers-kubernetes',
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_allow_block_storage_to_kms"></a> [allow\_block\_storage\_to\_kms](#input\_allow\_block\_storage\_to\_kms) | Set rule for block storage to KMS, deafult is true | `bool` | `true` | no |
-| <a name="input_allow_cos_to_kms"></a> [allow\_cos\_to\_kms](#input\_allow\_cos\_to\_kms) | Set rule for COS to KMS, deafult is true | `bool` | `true` | no |
-| <a name="input_allow_roks_to_kms"></a> [allow\_roks\_to\_kms](#input\_allow\_roks\_to\_kms) | Set rule for ROKS to KMS, deafult is true | `bool` | `true` | no |
-| <a name="input_allow_vpcs_to_container_registry"></a> [allow\_vpcs\_to\_container\_registry](#input\_allow\_vpcs\_to\_container\_registry) | Set rule for VPCs to container registry, deafult is true | `bool` | `true` | no |
-| <a name="input_allow_vpcs_to_cos"></a> [allow\_vpcs\_to\_cos](#input\_allow\_vpcs\_to\_cos) | Set rule for VPCs to COS, deafult is true | `bool` | `true` | no |
+| <a name="input_allow_at_to_cos"></a> [allow\_at\_to\_cos](#input\_allow\_at\_to\_cos) | Set rule for Activity Tracker to COS, default is true | `bool` | `true` | no |
+| <a name="input_allow_block_storage_to_kms"></a> [allow\_block\_storage\_to\_kms](#input\_allow\_block\_storage\_to\_kms) | Set rule for block storage to KMS, default is true | `bool` | `true` | no |
+| <a name="input_allow_cos_to_kms"></a> [allow\_cos\_to\_kms](#input\_allow\_cos\_to\_kms) | Set rule for COS to KMS, default is true | `bool` | `true` | no |
+| <a name="input_allow_roks_to_kms"></a> [allow\_roks\_to\_kms](#input\_allow\_roks\_to\_kms) | Set rule for ROKS to KMS, default is true | `bool` | `true` | no |
+| <a name="input_allow_vpcs_to_container_registry"></a> [allow\_vpcs\_to\_container\_registry](#input\_allow\_vpcs\_to\_container\_registry) | Set rule for VPCs to container registry, default is true | `bool` | `true` | no |
+| <a name="input_allow_vpcs_to_cos"></a> [allow\_vpcs\_to\_cos](#input\_allow\_vpcs\_to\_cos) | Set rule for VPCs to COS, default is true | `bool` | `true` | no |
 | <a name="input_custom_rule_contexts_by_service"></a> [custom\_rule\_contexts\_by\_service](#input\_custom\_rule\_contexts\_by\_service) | Any additional context to add to the CBR rules created by this module. The context are added to the CBR rule targetting the service passed as a key. The module looks up the zone id when service\_ref\_names or add\_managed\_vpc\_zone are passed in. | <pre>map(list(object(<br>    {<br>      endpointType = string # "private, public or direct"<br><br>      # Service-name (module lookup for existing network zone) and/or CBR zone id<br>      service_ref_names    = optional(list(string), [])<br>      add_managed_vpc_zone = optional(bool, false)<br>      zone_ids             = optional(list(string), [])<br>  })))</pre> | `{}` | no |
 | <a name="input_existing_cbr_zone_vpcs"></a> [existing\_cbr\_zone\_vpcs](#input\_existing\_cbr\_zone\_vpcs) | Provide a existing zone id for VPC | <pre>object(<br>    {<br>      zone_id = string<br>  })</pre> | `null` | no |
 | <a name="input_existing_serviceref_zone"></a> [existing\_serviceref\_zone](#input\_existing\_serviceref\_zone) | Provide a valid service reference and existing zone id | <pre>map(object(<br>    {<br>      zone_id = string<br>  }))</pre> | `{}` | no |

modules/fscloud/README.md

@@ -192,6 +192,8 @@ locals {
   server-protect_cbr_zone_id = local.cbr_zones["server-protect"].zone_id # block storage
   # tflint-ignore: terraform_naming_convention
   containers-kubernetes_cbr_zone_id = local.cbr_zones["containers-kubernetes"].zone_id
+  # tflint-ignore: terraform_naming_convention
+  logdnaat_cbr_zone_id = local.cbr_zones["logdnaat"].zone_id
 
   prewired_rule_contexts_by_service = {
     # COS -> KMS, Block storage -> KMS, ROKS -> KMS
@@ -203,11 +205,12 @@ locals {
         var.allow_roks_to_kms ? [local.containers-kubernetes_cbr_zone_id] : []
       ])
     }],
-    # Fs VPCs -> COS
+    # Fs VPCs -> COS, AT -> COS
     "cloud-object-storage" : [{
       endpointType : "direct",
       networkZoneIds : flatten([
-        var.allow_vpcs_to_cos ? [local.cbr_zone_vpcs.zone_id] : []
+        var.allow_vpcs_to_cos ? [local.cbr_zone_vpcs.zone_id] : [],
+        var.allow_at_to_cos ? [local.logdnaat_cbr_zone_id] : []
       ])
     }],
     # VPCs -> container registry
@@ -217,7 +220,6 @@ locals {
         var.allow_vpcs_to_container_registry ? [local.cbr_zone_vpcs.zone_id] : []
       ])
     }],
-    # TODO: Activity Tracker route -> COS (pending support of AT as CBR zone)
   }
 
   prewired_rule_contexts_by_service_pre_check = { for key, value in local.prewired_rule_contexts_by_service :

modules/fscloud/main.tf

@@ -10,31 +10,37 @@ variable "zone_vpc_crn_list" {
 
 variable "allow_cos_to_kms" {
   type        = bool
-  description = "Set rule for COS to KMS, deafult is true"
+  description = "Set rule for COS to KMS, default is true"
   default     = true
 }
 
 variable "allow_block_storage_to_kms" {
   type        = bool
-  description = "Set rule for block storage to KMS, deafult is true"
+  description = "Set rule for block storage to KMS, default is true"
   default     = true
 }
 
 variable "allow_roks_to_kms" {
   type        = bool
-  description = "Set rule for ROKS to KMS, deafult is true"
+  description = "Set rule for ROKS to KMS, default is true"
   default     = true
 }
 
 variable "allow_vpcs_to_container_registry" {
   type        = bool
-  description = "Set rule for VPCs to container registry, deafult is true"
+  description = "Set rule for VPCs to container registry, default is true"
   default     = true
 }
 
 variable "allow_vpcs_to_cos" {
   type        = bool
-  description = "Set rule for VPCs to COS, deafult is true"
+  description = "Set rule for VPCs to COS, default is true"
+  default     = true
+}
+
+variable "allow_at_to_cos" {
+  type        = bool
+  description = "Set rule for Activity Tracker to COS, default is true"
   default     = true
 }