fix: added a default value for the operations variable to make it backward compatible with recent CBR service updates around api types (#305)

Author: Ak-sky

README.md

@@ -110,7 +110,7 @@ You need the following permissions to run this module.
 | <a name="input_enforcement_mode"></a> [enforcement\_mode](#input\_enforcement\_mode) | (String) The rule enforcement mode | `string` | `"report"` | no |
 | <a name="input_excluded_addresses"></a> [excluded\_addresses](#input\_excluded\_addresses) | (Optional, List) The list of excluded addresses in the zone | <pre>list(object({<br>    type  = optional(string)<br>    value = optional(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | (Optional, String) The name of the zone | `string` | `null` | no |
-| <a name="input_operations"></a> [operations](#input\_operations) | (Optional, List) The operations this rule applies to | <pre>list(object({<br>    api_types = list(object({<br>      api_type_id = string<br>    }))<br>  }))</pre> | `[]` | no |
+| <a name="input_operations"></a> [operations](#input\_operations) | (Optional, List) The operations this rule applies to | <pre>list(object({<br>    api_types = list(object({<br>      api_type_id = string<br>    }))<br>  }))</pre> | <pre>[<br>  {<br>    "api_types": [<br>      {<br>        "api_type_id": "crn:v1:bluemix:public:context-based-restrictions::::api-type:"<br>      }<br>    ]<br>  }<br>]</pre> | no |
 | <a name="input_resources"></a> [resources](#input\_resources) | (Optional, List) The resources this rule apply to | <pre>list(object({<br>    attributes = list(object({<br>      name     = string<br>      value    = string<br>      operator = optional(string)<br>    }))<br>    tags = optional(list(object({ #These access tags should match to the target service access tags for the CBR rules to work<br>      name     = string<br>      value    = string<br>      operator = optional(string)<br>    })))<br>  }))</pre> | `[]` | no |
 | <a name="input_rule_contexts"></a> [rule\_contexts](#input\_rule\_contexts) | (List) The contexts the rule applies to | <pre>list(object({<br>    attributes = list(object({<br>      name  = string<br>      value = string<br>    }))<br>  }))</pre> | <pre>[<br>  {<br>    "attributes": [<br>      {<br>        "name": "va",<br>        "value": "va"<br>      }<br>    ]<br>  }<br>]</pre> | no |
 | <a name="input_rule_description"></a> [rule\_description](#input\_rule\_description) | (Optional, String) The description of the rule | `string` | `null` | no |

examples/multizone-rule/main.tf

@@ -144,5 +144,4 @@ module "cbr_rule" {
   enforcement_mode = var.enforcement_mode
   rule_contexts    = local.rule_contexts
   resources        = local.rule_resources
-  operations       = []
 }

module-metadata.json

@@ -61,7 +61,15 @@
       "name": "operations",
       "type": "list(object({\n    api_types = list(object({\n      api_type_id = string\n    }))\n  }))",
       "description": "(Optional, List) The operations this rule applies to",
-      "default": [],
+      "default": [
+        {
+          "api_types": [
+            {
+              "api_type_id": "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+            }
+          ]
+        }
+      ],
       "source": [
         "module.cbr_rule"
       ],

modules/cbr-rule-module/README.md

@@ -25,7 +25,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_enforcement_mode"></a> [enforcement\_mode](#input\_enforcement\_mode) | (String) The rule enforcement mode | `string` | `"report"` | no |
-| <a name="input_operations"></a> [operations](#input\_operations) | (Optional, List) The operations this rule applies to | <pre>list(object({<br>    api_types = list(object({<br>      api_type_id = string<br>    }))<br>  }))</pre> | `[]` | no |
+| <a name="input_operations"></a> [operations](#input\_operations) | (Optional, List) The operations this rule applies to, by default it will protect all of the service and platform APIs the target service supports. | <pre>list(object({<br>    api_types = list(object({<br>      api_type_id = string<br>    }))<br>  }))</pre> | <pre>[<br>  {<br>    "api_types": [<br>      {<br>        "api_type_id": "crn:v1:bluemix:public:context-based-restrictions::::api-type:"<br>      }<br>    ]<br>  }<br>]</pre> | no |
 | <a name="input_resources"></a> [resources](#input\_resources) | (List) The resources this rule apply to | <pre>list(object({<br>    attributes = optional(list(object({<br>      name     = string<br>      value    = string<br>      operator = optional(string)<br>    })))<br>    tags = optional(list(object({<br>      name     = string<br>      value    = string<br>      operator = optional(string)<br>    })))<br>  }))</pre> | n/a | yes |
 | <a name="input_rule_contexts"></a> [rule\_contexts](#input\_rule\_contexts) | (List) The contexts the rule applies to | <pre>list(object({<br>    attributes = optional(list(object({<br>      name  = string<br>      value = string<br>    })))<br>  }))</pre> | n/a | yes |
 | <a name="input_rule_description"></a> [rule\_description](#input\_rule\_description) | (Optional, String) The description of the rule | `string` | `null` | no |

modules/cbr-rule-module/variables.tf

@@ -81,10 +81,14 @@ variable "operations" {
       api_type_id = string
     }))
   }))
-  description = "(Optional, List) The operations this rule applies to"
-  default     = []
+  description = "(Optional, List) The operations this rule applies to, by default it will protect all of the service and platform APIs the target service supports."
+  default = [{
+    api_types = [{
+      api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+    }]
+  }]
   validation {
-    condition     = var.operations != null
-    error_message = "operations cannot be null, an empty list is valid"
+    condition     = length(var.operations) > 0
+    error_message = "Operations cannot be null or an empty list"
   }
 }

modules/cbr-service-profile/main.tf

@@ -90,11 +90,15 @@ module "cbr_rule" {
   rule_contexts    = local.rule_contexts
   operations = (length(lookup(local.operations_apitype_val, var.target_service_details[count.index].target_service_name, [])) > 0) ? [{
     api_types = [
-      # lookup the map for the target service name, if not present make api_type_id as empty
+      # lookup the map for the target service name, if empty then pass default value
       for apitype in lookup(local.operations_apitype_val, var.target_service_details[count.index].target_service_name, []) : {
         api_type_id = apitype
     }]
-  }] : []
+    }] : [{
+    api_types = [{
+      api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+    }]
+  }]
 
   resources = [{
     tags = var.target_service_details[count.index].tags != null ? [for tag in var.target_service_details[count.index].tags : {

modules/fscloud/main.tf

@@ -311,11 +311,15 @@ module "cbr_rule" {
   rule_contexts    = lookup(local.allow_rules_by_service, each.key, [])
   operations = (length(lookup(local.operations_apitype_val, each.key, [])) > 0) ? [{
     api_types = [
-      # lookup the map for the target service name, if not present make api_type_id as empty
+      # lookup the map for the target service name, if empty then pass default value
       for apitype in lookup(local.operations_apitype_val, each.key, []) : {
         api_type_id = apitype
     }]
-  }] : []
+    }] : [{
+    api_types = [{
+      api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+    }]
+  }]
 
   resources = [{
     tags = try(each.value.tags, null) != null ? [for tag in each.value.tags : {

tests/pr_test.go

@@ -167,26 +167,15 @@ func TestRunCompleteExample(t *testing.T) {
 
 						assert.ElementsMatch(t, expectedTags, rules.Resources[0].Tags, "expected resource tags not found")
 					})
-					t.Run("verify no operation set", func(t *testing.T) {
-						// Note: COS has no operations that can be set
-						//       Leaving this code here as a reference for others
-						//expectedOperations := []contextbasedrestrictionsv1.OperationsList{
-						//	{APITypes: []contextbasedrestrictionsv1.APIType{{
-						//		APITypeID:   core.StringPtr(""),
-						//		DisplayName: core.StringPtr(""),
-						//		Description: core.StringPtr(""),
-						//		Actions: []contextbasedrestrictionsv1.Action{{
-						//			ActionID:    core.StringPtr(""),
-						//			Description: core.StringPtr(""),
-						//		}},
-						//	},
-						//	}},
-						//}
-						//
-						//assert.ElementsMatch(t, expectedOperations, rules.Operations)
-
-						// Assert COS has no operations set as expected
-						assert.Nil(t, rules.Operations)
+					t.Run("verify rule operation set", func(t *testing.T) {
+						expectedOperations := &contextbasedrestrictionsv1.NewRuleOperations{
+							APITypes: []contextbasedrestrictionsv1.NewRuleOperationsAPITypesItem{
+								{
+									APITypeID: core.StringPtr("crn:v1:bluemix:public:context-based-restrictions::::api-type:"),
+								},
+							},
+						}
+						assert.Equal(t, expectedOperations, rules.Operations, "expected operations not found")
 					})
 
 				}

variables.tf

@@ -96,5 +96,9 @@ variable "operations" {
     }))
   }))
   description = "(Optional, List) The operations this rule applies to"
-  default     = []
+  default = [{
+    api_types = [{
+      api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+    }]
+  }]
 }