feat: Ability to add optional location for each serviceRef when creating zone (#457)

Author: Ak-sky

examples/multi-service-profile/main.tf

@@ -65,5 +65,4 @@ module "cbr_rule_multi_service_profile" {
   zone_vpc_crn_list      = local.zone_vpc_crn_list
   target_service_details = local.target_services_details
   endpoints              = var.endpoints
-  location               = var.location
 }

examples/multi-service-profile/variables.tf

@@ -14,12 +14,6 @@ variable "region" {
   type        = string
 }
 
-variable "location" {
-  description = "The region in which the network zone is scoped"
-  type        = string
-  default     = "dal" # dal metro is the equivalent location for the us-south region
-}
-
 variable "resource_group" {
   type        = string
   description = "An existing resource group name to use for this example, if unset a new resource group will be created"
@@ -33,11 +27,23 @@ variable "resource_tags" {
 }
 
 variable "zone_service_ref_list" {
-  type        = list(string)
-  default     = ["cloud-object-storage", "server-protect"]
-  description = "(List) Service reference for the zone creation"
+  type = map(object({
+    serviceRef_location = optional(list(string), [])
+  }))
+  description = "Provide a valid service reference with the location where the context-based restriction zones are created. If no value is specified for `serviceRef_location`, the zones are not scoped to any location."
+  default = {
+    "cloud-object-storage" = {
+      serviceRef_location = ["syd", "au"]
+    },
+    "server-protect" = {
+      serviceRef_location = ["au"]
+    },
+    "directlink"          = {}, # directlink does not support restriction per location, hence no value is specified for serviceRef_location.
+    "event-notifications" = {}
+  }
 }
 
+
 variable "endpoints" {
   type        = list(string)
   description = "List specific endpoint types for target services, valid values for endpoints are 'public', 'private' or 'direct'"

modules/cbr-service-profile/README.md

@@ -6,10 +6,19 @@ Accepts a list of VPC crns / service references to create CBR zones and a list o
 
 ```hcl
 module "cbr_rule_multi_service_profile" {
-  source           = "terraform-ibm-modules/cbr/ibm//modules/multi-service-profile"
+  source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-service-profile"
   version          = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
   prefix                 = "multi-service-profile"
-  zone_service_ref_list  = ["cloud-object-storage", "containers-kubernetes", "server-protect"]
+  zone_service_ref_list  = {
+                              "cloud-object-storage" = {
+                                serviceRef_location = = ["syd", "au"]
+                              },
+                              "server-protect" = {
+                                serviceRef_location = ["au"]
+                              },
+                                "directlink"          = {}, # directlink does not support restriction per location, hence no value is specified for serviceRef_location.
+                                "event-notifications" = {}
+                             }
   zone_vpc_crn_list      = ["crn:v1:bluemix:public:is:us-south:a/abac0df06b644a9cabc6e44f55b3880e::vpc:r006-069c6449-03a9-49f1-9070-4d23fc79285e"]
   target_service_details = [
                             {
@@ -19,7 +28,6 @@ module "cbr_rule_multi_service_profile" {
                             }
                            ]
   endpoints              = "private"
-  location               = "us-south"
 }
 ```
 
@@ -49,10 +57,9 @@ module "cbr_rule_multi_service_profile" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | List specific endpoint types for target services, valid values for endpoints are 'public', 'private' or 'direct' | `list(string)` | <pre>[<br>  "private"<br>]</pre> | no |
-| <a name="input_location"></a> [location](#input\_location) | The region in which the network zone is scoped | `string` | n/a | yes |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | Prefix to append to all vpc\_zone\_list, service\_ref\_zone\_list and cbr\_rule\_description created by this submodule | `string` | `"serviceprofile"` | no |
 | <a name="input_target_service_details"></a> [target\_service\_details](#input\_target\_service\_details) | (String) Details of the target service for which the rule has to be created | <pre>list(object({<br>    target_service_name = string<br>    target_rg           = optional(string)<br>    enforcement_mode    = string<br>    tags                = optional(list(string))<br>  }))</pre> | n/a | yes |
-| <a name="input_zone_service_ref_list"></a> [zone\_service\_ref\_list](#input\_zone\_service\_ref\_list) | (List) Service reference for the zone creation | `list(string)` | `[]` | no |
+| <a name="input_zone_service_ref_list"></a> [zone\_service\_ref\_list](#input\_zone\_service\_ref\_list) | Provide a valid service reference with the location where the context-based restriction zones are created. If no value is specified for `serviceRef_location`, the zones are not scoped to any location. | <pre>map(object({<br>    serviceRef_location = optional(list(string), [])<br>  }))</pre> | n/a | yes |
 | <a name="input_zone_vpc_crn_list"></a> [zone\_vpc\_crn\_list](#input\_zone\_vpc\_crn\_list) | (List) VPC CRN for the zones | `list(string)` | `[]` | no |
 
 ### Outputs

modules/cbr-service-profile/main.tf

@@ -11,10 +11,12 @@ data "ibm_iam_account_settings" "iam_account_settings" {
 locals {
   # tflint-ignore: terraform_unused_declarations
   validate_zone_inputs = ((length(var.zone_vpc_crn_list) == 0) && (length(var.zone_service_ref_list) == 0)) ? tobool("Error: Provide a valid zone vpc and/or service references") : true
-  # tflint-ignore: terraform_unused_declarations
-  validate_location_and_service_name = (length(setintersection(["directlink", "globalcatalog-collection", "iam-groups", "user-management"], var.zone_service_ref_list)) > 0 && var.location != null) ? tobool("Error: The services 'directlink', 'globalcatalog-collection', 'iam-groups' and 'user-management' does not support location") : true
-
 
+  # tflint-ignore: terraform_unused_declarations
+  validate_location_and_service_name = [
+    for item in ["directlink", "globalcatalog-collection", "iam-groups", "user-management"] :
+    contains(keys(var.zone_service_ref_list), item) ? length(var.zone_service_ref_list[item].serviceRef_location) == 0 ? true : tobool("Error: The services 'directlink', 'globalcatalog-collection', 'iam-groups' and 'user-management' do not support location") : true
+  ]
 
   # Restrict and allow the api types as per the target service
   icd_api_types = ["crn:v1:bluemix:public:context-based-restrictions::::api-type:data-plane"]
@@ -33,33 +35,43 @@ locals {
   vpc_zone_list = (length(var.zone_vpc_crn_list) > 0) ? [{
     name             = "${var.prefix}-cbr-vpc-zone"
     account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
-    zone_description = "${var.prefix}-cbr-vpc-zone-terraform"
+    zone_description = "${var.prefix}-cbr-vpc-zone"
     addresses = [
       for zone_vpc_crn in var.zone_vpc_crn_list :
       { "type" = "vpc", value = zone_vpc_crn }
     ]
   }] : []
 
   service_ref_zone_list = (length(var.zone_service_ref_list) > 0) ? [
-    for serviceref in var.zone_service_ref_list : {
+    for serviceref, location in var.zone_service_ref_list : {
       name             = "${var.prefix}-${serviceref}-cbr-serviceref-zone"
       account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
-      zone_description = "${serviceref}-cbr-serviceref-zone-terraform"
+      zone_description = "${serviceref}-cbr-serviceref-zone"
       # when the target service is containers-kubernetes or any icd services, context cannot have a serviceref
-      addresses = [
+      addresses = length(location.serviceRef_location) == 0 ? [
         {
           type = "serviceRef"
           ref = {
             account_id   = data.ibm_iam_account_settings.iam_account_settings.account_id
             service_name = serviceref
-            location     = var.location
+            location     = null
+          }
+        }
+        ] : [for loc in location.serviceRef_location :
+        {
+          type = "serviceRef"
+          ref = {
+            account_id   = data.ibm_iam_account_settings.iam_account_settings.account_id
+            service_name = serviceref
+            location     = loc
           }
         }
       ]
   }] : []
 
   zone_list = concat(tolist(local.vpc_zone_list), tolist(local.service_ref_zone_list))
 }
+
 module "cbr_zone" {
   count            = length(local.zone_list)
   source           = "../cbr-zone-module"

modules/cbr-service-profile/variables.tf

@@ -15,10 +15,14 @@ variable "zone_vpc_crn_list" {
 }
 
 variable "zone_service_ref_list" {
-  type = list(string)
+  type = map(object({
+    serviceRef_location = optional(list(string), [])
+  }))
+  description = "Provide a valid service reference with the location where the context-based restriction zones are created. If no value is specified for `serviceRef_location`, the zones are not scoped to any location."
+  # Validation to restrict the target service name to be the list of supported targets only.
   validation {
     condition = alltrue([
-      for service_ref in var.zone_service_ref_list :
+      for service_ref, service_ref_location in var.zone_service_ref_list :
       contains(["cloud-object-storage", "codeengine", "containers-kubernetes",
         "databases-for-cassandra", "databases-for-elasticsearch", "databases-for-enterprisedb",
         "databases-for-etcd", "databases-for-mongodb",
@@ -29,15 +33,8 @@ variable "zone_service_ref_list" {
         "apprapp", "compliance", "event-notifications", "logdna", "logdnaat",
       "cloudantnosqldb", "globalcatalog-collection", "sysdig-monitor", "sysdig-secure", "toolchain"], service_ref)
     ])
-    error_message = "Provide a valid service reference for zone creation"
+    error_message = "Provide a valid target service name that is supported by context-based restrictions."
   }
-  default     = []
-  description = "(List) Service reference for the zone creation"
-}
-
-variable "location" {
-  type        = string
-  description = "The region in which the network zone is scoped"
 }
 
 variable "target_service_details" {

tests/pr_test.go

@@ -212,20 +212,26 @@ func TestMultiServiceProfileExample(t *testing.T) {
 				t.Run("verify service reference exist", func(t *testing.T) {
 					var serviceRefExists bool
 					var actual_references []string
-					expected_references := []string{"cloud-object-storage", "server-protect"}
+					expected_references := []string{"cloud-object-storage", "server-protect", "directlink", "event-notifications"}
 
 					zoneIds := zones[0].([]interface{})
 					for index := range zoneIds {
 						zone := zoneIds[index].(string)
 						zone_details, err := cloudInfoSvc.GetCBRZoneByID(zone)
 						if assert.Nil(t, err, "Failed to get the zone") &&
 							assert.NotNil(t, zone_details, "No zone found") {
+							uniqueMap := make(map[string]struct{})
 							for addr_index := range zone_details.Addresses {
 								switch zone_details.Addresses[addr_index].(type) {
 								case *contextbasedrestrictionsv1.AddressServiceRef:
 									serviceRefExists = true
 									serviceRef := zone_details.Addresses[addr_index].(*contextbasedrestrictionsv1.AddressServiceRef)
-									actual_references = append(actual_references, *serviceRef.Ref.ServiceName)
+									serviceName := *serviceRef.Ref.ServiceName
+									if _, ok := uniqueMap[serviceName]; !ok {
+										// Adding multilocation support for COS causing same number of COS as items in list as serviceRef, to avoid duplicates, making the list as unique
+										uniqueMap[serviceName] = struct{}{}
+										actual_references = append(actual_references, serviceName)
+									}
 								}
 							}
 						}