feat: added pre-wired rule for icd-databases in fscloud submodule (#294)

Ak-sky · web-flow · commit 2d8d25be74d8 · 2023-09-20T10:17:57.000+01:00
diff --git a/examples/fscloud/README.md b/examples/fscloud/README.md
@@ -3,13 +3,13 @@
 This example demonstrates how to use the [fscloud profile](../../profiles/fscloud/) module to lay out a complete "secure by default" coarse-grained CBR topology in a given account.
 
 This examples is designed to show case some of the key customization options for the module. In addition to the pre-wired CBR rules documented at [fscloud profile](../../profiles/fscloud/), this examples show how to customize the module to:
-1. Open up network traffic flow from ICD mongodb, ICD Postgresql to the Key Protect private endpoints
-2. Open up network traffic flow from Schematics to Key Protect public endpoints
-3. Open up network traffic flow from a block of IPs to the Schematics public endpoint
-4. Open up network traffic flow from the VPC created in this example to ICD postgresql private endpoints
+1. Open up network traffic flow from ICD mongodb, ICD Postgresql to the Key Protect private endpoints.
+2. Open up network traffic flow from Schematics to Key Protect public endpoints.
+3. Open up network traffic flow from a block of IPs to the Schematics public endpoint.
+4. Open up network traffic flow from the VPC created in this example to ICD postgresql private endpoints.
 
 Context: this examples covers a "pseudo" real-world scenario where:
-1. ICD Mongodb, and Postgresql instances are encrypted using keys storage in Key Protect.
+1. ICD Mongodb and Postgresql instances are encrypted using keys storage in Key Protect.
 2. Schematics is used to execute terraform that create Key Protect keys and key ring over its public endpoint.
 3. Operators use machines with a set list of public IPs to interact with Schematics.
 4. Applications are running the VPC and need access to PostgreSQL via the private endpoint - eg: a VPE.
diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf
@@ -65,6 +65,7 @@ module "cbr_account_level" {
   allow_cos_to_kms                 = var.allow_cos_to_kms
   allow_block_storage_to_kms       = var.allow_block_storage_to_kms
   allow_roks_to_kms                = var.allow_roks_to_kms
+  allow_icd_to_kms                 = var.allow_icd_to_kms
   allow_vpcs_to_container_registry = var.allow_vpcs_to_container_registry
   allow_vpcs_to_cos                = var.allow_vpcs_to_cos
   allow_at_to_cos                  = var.allow_at_to_cos
diff --git a/examples/fscloud/variables.tf b/examples/fscloud/variables.tf
@@ -46,6 +46,12 @@ variable "allow_roks_to_kms" {
   default     = true
 }
 
+variable "allow_icd_to_kms" {
+  type        = bool
+  description = "Set rule for ICD to KMS, deafult is true"
+  default     = true
+}
+
 variable "allow_vpcs_to_container_registry" {
   type        = bool
   description = "Set rule for VPCs to container registry, default is true"
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
@@ -4,9 +4,10 @@ This module creates default coarse-grained CBR rules in a given account followin
 - COS -> KMS
 - Block storage -> KMS
 - ROKS -> KMS
-- Activity Tracker route -> COS (pending addition of AT as zone)
-- VPCs -> container registry
+- Activity Tracker route -> COS
 - VPCs where clusters are deployed -> COS
+- VPCs -> container registry
+- All ICD -> KMS
 
 This module is designed to allow the consumer to add additional custom rules to open up additional flows necessarity for their usage. See the `custom_rule_contexts_by_service` input variable, and an [usage example](../../examples/fscloud/) demonstrating how to open up more flows.
 
@@ -48,6 +49,7 @@ The services 'compliance', 'directlink', 'iam-groups', 'containers-kubernetes',
 | <a name="input_allow_at_to_cos"></a> [allow\_at\_to\_cos](#input\_allow\_at\_to\_cos) | Set rule for Activity Tracker to COS, default is true | `bool` | `true` | no |
 | <a name="input_allow_block_storage_to_kms"></a> [allow\_block\_storage\_to\_kms](#input\_allow\_block\_storage\_to\_kms) | Set rule for block storage to KMS, default is true | `bool` | `true` | no |
 | <a name="input_allow_cos_to_kms"></a> [allow\_cos\_to\_kms](#input\_allow\_cos\_to\_kms) | Set rule for COS to KMS, default is true | `bool` | `true` | no |
+| <a name="input_allow_icd_to_kms"></a> [allow\_icd\_to\_kms](#input\_allow\_icd\_to\_kms) | Set rule for ICD to KMS, deafult is true | `bool` | `true` | no |
 | <a name="input_allow_roks_to_kms"></a> [allow\_roks\_to\_kms](#input\_allow\_roks\_to\_kms) | Set rule for ROKS to KMS, default is true | `bool` | `true` | no |
 | <a name="input_allow_vpcs_to_container_registry"></a> [allow\_vpcs\_to\_container\_registry](#input\_allow\_vpcs\_to\_container\_registry) | Set rule for VPCs to container registry, default is true | `bool` | `true` | no |
 | <a name="input_allow_vpcs_to_cos"></a> [allow\_vpcs\_to\_cos](#input\_allow\_vpcs\_to\_cos) | Set rule for VPCs to COS, default is true | `bool` | `true` | no |
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
@@ -178,31 +178,47 @@ module "cbr_zone_vpcs" {
   ]
 }
 
-
 ##############################################################################
 # Create CBR rules for each service
 ##############################################################################
 
 locals {
-  # tflint-ignore: terraform_unused_declarations
-  validate_allow_rules = var.allow_cos_to_kms || var.allow_block_storage_to_kms || var.allow_roks_to_kms || var.allow_vpcs_to_container_registry || var.allow_vpcs_to_cos ? true : tobool("Minimum of one rule has to be set to True")
   ## define FsCloud pre-wired CBR rule context - contains the known default flow that must be open for fscloud ref architecture
   cos_cbr_zone_id = local.cbr_zones["cloud-object-storage"].zone_id
   # tflint-ignore: terraform_naming_convention
   server-protect_cbr_zone_id = local.cbr_zones["server-protect"].zone_id # block storage
   # tflint-ignore: terraform_naming_convention
   containers-kubernetes_cbr_zone_id = local.cbr_zones["containers-kubernetes"].zone_id
   # tflint-ignore: terraform_naming_convention
+  databases-for-cassandra_cbr_zone_id = local.cbr_zones["databases-for-cassandra"].zone_id
+  # tflint-ignore: terraform_naming_convention
+  databases-for-elasticsearch_cbr_zone_id = local.cbr_zones["databases-for-elasticsearch"].zone_id
+  # tflint-ignore: terraform_naming_convention
+  databases-for-enterprisedb_cbr_zone_id = local.cbr_zones["databases-for-enterprisedb"].zone_id
+  # tflint-ignore: terraform_naming_convention
+  databases-for-etcd_cbr_zone_id = local.cbr_zones["databases-for-etcd"].zone_id
+  # tflint-ignore: terraform_naming_convention
+  databases-for-mongodb_cbr_zone_id = local.cbr_zones["databases-for-mongodb"].zone_id
+  # tflint-ignore: terraform_naming_convention
+  databases-for-mysql_cbr_zone_id = local.cbr_zones["databases-for-mysql"].zone_id
+  # tflint-ignore: terraform_naming_convention
+  databases-for-postgresql_cbr_zone_id = local.cbr_zones["databases-for-postgresql"].zone_id
+  # tflint-ignore: terraform_naming_convention
+  databases-for-redis_cbr_zone_id = local.cbr_zones["databases-for-redis"].zone_id
+  # tflint-ignore: terraform_naming_convention
   logdnaat_cbr_zone_id = local.cbr_zones["logdnaat"].zone_id
 
   prewired_rule_contexts_by_service = {
-    # COS -> KMS, Block storage -> KMS, ROKS -> KMS
+    # COS -> KMS, Block storage -> KMS, ROKS -> KMS, ICD -> KMS
     "kms" : [{
       endpointType : "private",
       networkZoneIds : flatten([
         var.allow_cos_to_kms ? [local.cos_cbr_zone_id] : [],
         var.allow_block_storage_to_kms ? [local.server-protect_cbr_zone_id] : [],
-        var.allow_roks_to_kms ? [local.containers-kubernetes_cbr_zone_id] : []
+        var.allow_roks_to_kms ? [local.containers-kubernetes_cbr_zone_id] : [],
+        var.allow_icd_to_kms ? [local.databases-for-cassandra_cbr_zone_id, local.databases-for-elasticsearch_cbr_zone_id, local.databases-for-enterprisedb_cbr_zone_id,
+          local.databases-for-etcd_cbr_zone_id, local.databases-for-mongodb_cbr_zone_id, local.databases-for-mysql_cbr_zone_id, local.databases-for-postgresql_cbr_zone_id,
+        local.databases-for-redis_cbr_zone_id] : []
       ])
     }],
     # Fs VPCs -> COS, AT -> COS
@@ -222,18 +238,13 @@ locals {
     }],
   }
 
-  prewired_rule_contexts_by_service_pre_check = { for key, value in local.prewired_rule_contexts_by_service :
+  prewired_rule_contexts_by_service_check = { for key, value in local.prewired_rule_contexts_by_service :
     key => [
       for rule in value :
       rule if length(rule.networkZoneIds) > 0
     ]
   }
 
-  prewired_rule_contexts_by_service_check = { for key, value in local.prewired_rule_contexts_by_service_pre_check :
-    key => value if length(value) > 0
-  }
-
-
   ## define default 'deny' rule context
   deny_rule_context_by_service = { for target_service_name in keys(local.target_service_details) :
     target_service_name => [{ endpointType : "public", networkZoneIds : [module.cbr_zone_deny.zone_id] }]
@@ -255,7 +266,6 @@ locals {
     ]
   }
 
-
   # Merge map values (array of context) under the same service-name key
   all_services = keys(merge(local.deny_rule_context_by_service, local.prewired_rule_contexts_by_service_check, local.custom_rule_contexts_by_service))
   allow_rules_by_service_intermediary = { for service_name in local.all_services :
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
@@ -26,6 +26,12 @@ variable "allow_roks_to_kms" {
   default     = true
 }
 
+variable "allow_icd_to_kms" {
+  type        = bool
+  description = "Set rule for ICD to KMS, deafult is true"
+  default     = true
+}
+
 variable "allow_vpcs_to_container_registry" {
   type        = bool
   description = "Set rule for VPCs to container registry, default is true"
