feat: added pre-wired rule for IS (VPC infra) -> COS in fscloud submodule (#302)

Ak-sky · web-flow · commit 2e8521d37e0d · 2023-10-12T10:49:25.000+01:00
diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf
@@ -70,6 +70,7 @@ module "cbr_account_level" {
   allow_vpcs_to_cos                = var.allow_vpcs_to_cos
   allow_at_to_cos                  = var.allow_at_to_cos
   allow_iks_to_is                  = var.allow_iks_to_is
+  allow_is_to_cos                  = var.allow_is_to_cos
 
   # Demonstrates how zone creation will be skipped for these two service references ["user-management", "iam-groups"]
   skip_specific_services_for_zone_creation = ["user-management", "iam-groups"]
diff --git a/examples/fscloud/variables.tf b/examples/fscloud/variables.tf
@@ -75,3 +75,9 @@ variable "allow_iks_to_is" {
   description = "Set rule for IKS to IS (VPC Infrastructure Services), default is true"
   default     = true
 }
+
+variable "allow_is_to_cos" {
+  type        = bool
+  description = "Set rule for IS (VPC Infrastructure Services) to COS, default is true"
+  default     = true
+}
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
@@ -6,6 +6,7 @@ This module creates default coarse-grained CBR rules in a given account followin
 - ROKS -> KMS
 - Activity Tracker route -> COS
 - VPCs where clusters are deployed -> COS
+- IS (VPC Infrastructure Services) -> COS
 - VPCs -> container registry
 - All ICD -> KMS
 - IKS -> IS (VPC Infrastructure Services)
@@ -52,6 +53,7 @@ The services 'compliance', 'directlink', 'iam-groups', 'containers-kubernetes',
 | <a name="input_allow_cos_to_kms"></a> [allow\_cos\_to\_kms](#input\_allow\_cos\_to\_kms) | Set rule for COS to KMS, default is true | `bool` | `true` | no |
 | <a name="input_allow_icd_to_kms"></a> [allow\_icd\_to\_kms](#input\_allow\_icd\_to\_kms) | Set rule for ICD to KMS, deafult is true | `bool` | `true` | no |
 | <a name="input_allow_iks_to_is"></a> [allow\_iks\_to\_is](#input\_allow\_iks\_to\_is) | Set rule for IKS to IS (VPC Infrastructure Services), default is true | `bool` | `true` | no |
+| <a name="input_allow_is_to_cos"></a> [allow\_is\_to\_cos](#input\_allow\_is\_to\_cos) | Set rule for IS (VPC Infrastructure Services) to COS, default is true | `bool` | `true` | no |
 | <a name="input_allow_roks_to_kms"></a> [allow\_roks\_to\_kms](#input\_allow\_roks\_to\_kms) | Set rule for ROKS to KMS, default is true | `bool` | `true` | no |
 | <a name="input_allow_vpcs_to_container_registry"></a> [allow\_vpcs\_to\_container\_registry](#input\_allow\_vpcs\_to\_container\_registry) | Set rule for VPCs to container registry, default is true | `bool` | `true` | no |
 | <a name="input_allow_vpcs_to_cos"></a> [allow\_vpcs\_to\_cos](#input\_allow\_vpcs\_to\_cos) | Set rule for VPCs to COS, default is true | `bool` | `true` | no |
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
@@ -207,6 +207,8 @@ locals {
   databases-for-redis_cbr_zone_id = local.cbr_zones["databases-for-redis"].zone_id
   # tflint-ignore: terraform_naming_convention
   logdnaat_cbr_zone_id = local.cbr_zones["logdnaat"].zone_id
+  # tflint-ignore: terraform_naming_convention
+  is_cbr_zone_id = local.cbr_zones["is"].zone_id
 
   prewired_rule_contexts_by_service = {
     # COS -> KMS, Block storage -> KMS, ROKS -> KMS, ICD -> KMS
@@ -216,17 +218,23 @@ locals {
         var.allow_cos_to_kms ? [local.cos_cbr_zone_id] : [],
         var.allow_block_storage_to_kms ? [local.server-protect_cbr_zone_id] : [],
         var.allow_roks_to_kms ? [local.containers-kubernetes_cbr_zone_id] : [],
-        var.allow_icd_to_kms ? [local.databases-for-cassandra_cbr_zone_id, local.databases-for-elasticsearch_cbr_zone_id, local.databases-for-enterprisedb_cbr_zone_id,
-          local.databases-for-etcd_cbr_zone_id, local.databases-for-mongodb_cbr_zone_id, local.databases-for-mysql_cbr_zone_id, local.databases-for-postgresql_cbr_zone_id,
+        var.allow_icd_to_kms ? [local.databases-for-cassandra_cbr_zone_id,
+          local.databases-for-elasticsearch_cbr_zone_id,
+          local.databases-for-enterprisedb_cbr_zone_id,
+          local.databases-for-etcd_cbr_zone_id,
+          local.databases-for-mongodb_cbr_zone_id,
+          local.databases-for-mysql_cbr_zone_id,
+          local.databases-for-postgresql_cbr_zone_id,
         local.databases-for-redis_cbr_zone_id] : []
       ])
     }],
-    # Fs VPCs -> COS, AT -> COS
+    # Fs VPCs -> COS, AT -> COS, IS (VPC Infrastructure Services) -> COS
     "cloud-object-storage" : [{
       endpointType : "direct",
       networkZoneIds : flatten([
         var.allow_vpcs_to_cos ? [local.cbr_zone_vpcs.zone_id] : [],
-        var.allow_at_to_cos ? [local.logdnaat_cbr_zone_id] : []
+        var.allow_at_to_cos ? [local.logdnaat_cbr_zone_id] : [],
+        var.allow_is_to_cos ? [local.is_cbr_zone_id] : []
       ])
     }],
     # VPCs -> container registry
@@ -236,7 +244,7 @@ locals {
         var.allow_vpcs_to_container_registry ? [local.cbr_zone_vpcs.zone_id] : []
       ])
     }],
-    # IKS -> IS
+    # IKS -> IS (VPC Infrastructure Services)
     "is" : [{
       endpointType : "private",
       networkZoneIds : flatten([
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
@@ -56,6 +56,12 @@ variable "allow_iks_to_is" {
   default     = true
 }
 
+variable "allow_is_to_cos" {
+  type        = bool
+  description = "Set rule for IS (VPC Infrastructure Services) to COS, default is true"
+  default     = true
+}
+
 variable "zone_service_ref_list" {
   type = list(string)
   validation {
