
Commit 478f5fb

feat: updated fscloud module to optionally take list of locations for zones (#472)
1 parent 1d3975b commit 478f5fb

5 files changed

+209
-99
lines changed

examples/fscloud/README.md

Lines changed: 5 additions & 4 deletions
@@ -4,11 +4,12 @@ This example demonstrates how to use the [fscloud profile](../../profiles/fsclou
44

55
This examples is designed to show case some of the key customization options for the module. In addition to the pre-wired CBR rules documented at [fscloud profile](../../profiles/fscloud/), this examples show how to customize the module to:
66
1. Open up network traffic flow from ICD mongodb, ICD Postgresql to the Key Protect private endpoints.
7-
2. Open up network traffic flow from Schematics to Key Protect public endpoints.
7+
2. Open up network traffic flow from Schematics to Key Protect private endpoints.
88
3. Open up network traffic flow from a block of IPs to the Schematics public endpoint.
99
4. Open up network traffic flow from the VPC created in this example to ICD postgresql private endpoints.
10-
5. Customize the rule description for `kms` and the zone name for `codeengine`.
11-
6. Restrict network traffic flow for pseudo `IAM` service.
10+
5. Customize the rule description for `kms` and the zone name for `codeengine` and `cloud-object-storage`.
11+
6. Added optional location to open traffic only from `au` and `syd` locations for `codeengine` network zone and leave the flow closed in other locations.
12+
7. Added optional location to open traffic only from `au` location for `server-protect` network zone and leave the flow closed in other locations.
1213

1314
Context: this examples covers a "pseudo" real-world scenario where:
1415
1. ICD Mongodb and Postgresql instances are encrypted using keys storage in Key Protect.
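Review bot: items 6 and 7 are written as changelog entries ("Added optional location to open traffic only from ...") while items 1 to 5 describe what the example does in the imperative; rewrite them in the same form, e.g. "6. Restrict the `codeengine` network zone to the `au` and `syd` locations and leave the flow closed from other locations." The previous item 6 ("Restrict network traffic flow for pseudo `IAM` service") was dropped without a replacement; if the example still restricts the pseudo IAM service, keep it in the list. While this file is being touched, the unchanged context line still reads "This examples is designed to show case" and "this examples show", which should be "This example is designed to showcase" and "this example shows".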
@@ -18,4 +19,4 @@ Context: this examples covers a "pseudo" real-world scenario where:
1819
5. Skips creation of zones for these two service references ["user-management", "iam-groups"].
1920

2021
## Note
21-
The services 'directlink', 'globalcatalog-collection', 'iam-groups' and 'user-management' do not support restrictions per location.
22+
- The services 'compliance', 'directlink', 'iam-groups', 'user-management' do not support restriction per location for zone creation.
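Review bot: the list of services that do not support location-scoped zones disagrees with the validation added in modules/fscloud/main.tf, which checks 'directlink', 'globalcatalog-collection', 'iam-groups' and 'user-management'. This note adds 'compliance', which the module does not validate, and drops 'globalcatalog-collection', which it still validates, so a user following the README would get an unexpected plan error for 'globalcatalog-collection' and none for 'compliance'. Align the two lists. Minor: "restriction per location" reads better as "restrictions per location", and a single-item bullet list under "## Note" does not need the leading "- ".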

examples/fscloud/main.tf

Lines changed: 11 additions & 2 deletions
@@ -98,9 +98,18 @@ module "cbr_account_level" {
9898
}
9999
}
100100

101-
# Demonstrates how a customized name can be set for the CBR zone
101+
# Demonstrates how a customized name and an optional location can be set for the CBR serviceRef zones
102102
zone_service_ref_list = {
103-
"codeengine" = "codeengine-zone-example-of-customized-zone-name"
103+
codeengine = {
104+
zone_name = "codeengine-zone-example-of-customized-zone-name"
105+
serviceRef_location = ["au", "tok"]
106+
},
107+
server-protect = {
108+
serviceRef_location = ["fr"]
109+
},
110+
cloud-object-storage = {
111+
zone_name = "COS-zone-example-of-customized-zone-name"
112+
}
104113
}
105114

106115
# Demonstrates how additional context to the rules created by this module can be added.
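Review bot: the locations set here do not match what examples/fscloud/README.md says this example does: README item 6 names `au` and `syd` for `codeengine` but this block sets `serviceRef_location = ["au", "tok"]`, and item 7 names `au` for `server-protect` but this block sets `["fr"]`. Pick one set of values and use it in both files. A comment on the `cloud-object-storage` entry would also help: it sets only `zone_name`, so it takes the empty `serviceRef_location` path in the module and gets a zone that is not scoped to any location, which readers should see is the wider option, not the narrower one.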

modules/fscloud/README.md

Lines changed: 2 additions & 3 deletions
@@ -8,7 +8,7 @@ This module creates default coarse-grained CBR rules in a given account followin
88
- Activity Tracker route -> Cloud Object Storage (COS)
99
- Virtual Private Clouds (VPCs) where clusters are deployed -> Cloud Object Storage (COS)
1010
- IBM Cloud VPC Infrastructure Services (IS) -> Cloud Object Storage (COS)
11-
- Virtual Private Cloud workload (eg: Kubernetes worker nodes) -> IBM Cloud Container Registry
11+
- Virtual Private Clouds (VPCs) workload (eg: Kubernetes worker nodes) -> IBM Cloud Container Registry
1212
- IBM Cloud Databases (ICD) -> Hyper Protect Crypto Services (HPCS)
1313
- IBM Cloud Kubernetes Service (IKS) -> VPC Infrastructure Services (IS)
1414
- Event Streams (Messagehub) -> Hyper Protect Crypto Services (HPCS)
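Review bot: "Virtual Private Clouds (VPCs) workload" mixes a plural noun with a singular compound; the replaced wording "Virtual Private Cloud workload" was already grammatical. If the goal is to match the "(VPCs)" abbreviation used two lines above, "Workload in Virtual Private Clouds (VPCs) (eg: Kubernetes worker nodes) -> IBM Cloud Container Registry" keeps both.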
@@ -126,11 +126,10 @@ module "cbr_fscloud" {
126126
| <a name="input_existing_cbr_zone_vpcs"></a> [existing\_cbr\_zone\_vpcs](#input\_existing\_cbr\_zone\_vpcs) | Provide a existing zone id for VPC | <pre>object(<br> {<br> zone_id = string<br> })</pre> | `null` | no |
127127
| <a name="input_existing_serviceref_zone"></a> [existing\_serviceref\_zone](#input\_existing\_serviceref\_zone) | Provide a valid service reference and existing zone id | <pre>map(object(<br> {<br> zone_id = string<br> }))</pre> | `{}` | no |
128128
| <a name="input_kms_service_targeted_by_prewired_rules"></a> [kms\_service\_targeted\_by\_prewired\_rules](#input\_kms\_service\_targeted\_by\_prewired\_rules) | IBM Cloud offers two distinct Key Management Services (KMS): Key Protect and Hyper Protect Crypto Services (HPCS). This variable determines the specific KMS service to which the pre-configured rules will be applied. Use the value 'key-protect' to specify the Key Protect service, and 'hs-crypto' for the Hyper Protect Crypto Services (HPCS). | `list(string)` | <pre>[<br> "hs-crypto"<br>]</pre> | no |
129-
| <a name="input_location"></a> [location](#input\_location) | The region in which the network zone is scoped | `string` | `null` | no |
130129
| <a name="input_prefix"></a> [prefix](#input\_prefix) | Prefix to append to all vpc\_zone\_list, service\_ref\_zone\_list and cbr\_rule\_description created by this submodule | `string` | n/a | yes |
131130
| <a name="input_skip_specific_services_for_zone_creation"></a> [skip\_specific\_services\_for\_zone\_creation](#input\_skip\_specific\_services\_for\_zone\_creation) | Provide a list of service references for which zone creation is not required | `list(string)` | `[]` | no |
132131
| <a name="input_target_service_details"></a> [target\_service\_details](#input\_target\_service\_details) | Details of the target service for which a rule is created. The key is the service name. | <pre>map(object({<br> description = optional(string)<br> target_rg = optional(string)<br> instance_id = optional(string)<br> enforcement_mode = string<br> tags = optional(list(string))<br> region = optional(string)<br> global_deny = optional(bool, true)<br> }))</pre> | `{}` | no |
133-
| <a name="input_zone_service_ref_list"></a> [zone\_service\_ref\_list](#input\_zone\_service\_ref\_list) | (Optional) Customized name of the zone for the service reference. If not provided, default zone name with the prefix will be created. | <pre>object({<br> cloud-object-storage = optional(string)<br> codeengine = optional(string)<br> containers-kubernetes = optional(string)<br> databases-for-cassandra = optional(string)<br> databases-for-elasticsearch = optional(string)<br> databases-for-enterprisedb = optional(string)<br> databases-for-etcd = optional(string)<br> databases-for-mongodb = optional(string)<br> databases-for-mysql = optional(string)<br> databases-for-postgresql = optional(string)<br> databases-for-redis = optional(string)<br> directlink = optional(string)<br> iam-groups = optional(string)<br> is = optional(string)<br> messagehub = optional(string)<br> messages-for-rabbitmq = optional(string)<br> schematics = optional(string)<br> secrets-manager = optional(string)<br> server-protect = optional(string)<br> user-management = optional(string)<br> apprapp = optional(string)<br> compliance = optional(string)<br> event-notifications = optional(string)<br> logdna = optional(string)<br> logdnaat = optional(string)<br> cloudantnosqldb = optional(string)<br> globalcatalog-collection = optional(string)<br> sysdig-monitor = optional(string)<br> sysdig-secure = optional(string)<br> toolchain = optional(string)<br> })</pre> | <pre>{<br> "apprapp": null,<br> "cloud-object-storage": null,<br> "cloudantnosqldb": null,<br> "codeengine": null,<br> "compliance": null,<br> "containers-kubernetes": null,<br> "databases-for-cassandra": null,<br> "databases-for-elasticsearch": null,<br> "databases-for-enterprisedb": null,<br> "databases-for-etcd": null,<br> "databases-for-mongodb": null,<br> "databases-for-mysql": null,<br> "databases-for-postgresql": null,<br> "databases-for-redis": null,<br> "directlink": null,<br> "event-notifications": null,<br> 
"globalcatalog-collection": null,<br> "iam-groups": null,<br> "is": null,<br> "logdna": null,<br> "logdnaat": null,<br> "messagehub": null,<br> "messages-for-rabbitmq": null,<br> "schematics": null,<br> "secrets-manager": null,<br> "server-protect": null,<br> "sysdig-monitor": null,<br> "sysdig-secure": null,<br> "toolchain": null,<br> "user-management": null<br>}</pre> | no |
132+
| <a name="input_zone_service_ref_list"></a> [zone\_service\_ref\_list](#input\_zone\_service\_ref\_list) | (Optional) Provide a valid service reference with the customized name of the zone and location where the context-based restriction zones are created. If no value is specified for `serviceRef_location`, the zones are not scoped to any location and if no value is specified for `zone_name` default zone name with the prefix will be created. | <pre>object({<br> cloud-object-storage = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> codeengine = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> containers-kubernetes = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> databases-for-cassandra = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> databases-for-elasticsearch = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> databases-for-enterprisedb = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> databases-for-etcd = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> databases-for-mongodb = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> databases-for-mysql = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> databases-for-postgresql = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> databases-for-redis = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> 
}))<br><br> directlink = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> iam-groups = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> is = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> messagehub = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> messages-for-rabbitmq = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> schematics = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> secrets-manager = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> server-protect = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> user-management = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> apprapp = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> compliance = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> event-notifications = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> logdna = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> logdnaat = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> cloudantnosqldb = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> globalcatalog-collection = 
optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> sysdig-monitor = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> sysdig-secure = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> toolchain = optional(object({<br> zone_name = optional(string)<br> serviceRef_location = optional(list(string))<br> }))<br><br> })</pre> | `{}` | no |
134133
| <a name="input_zone_vpc_crn_list"></a> [zone\_vpc\_crn\_list](#input\_zone\_vpc\_crn\_list) | (List) VPC CRN for the zones | `list(string)` | `[]` | no |
135134

136135
### Outputs
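Review bot: two breaking interface changes are only visible in this generated table and should be called out in the commit message, a CHANGELOG entry or a migration note in the README: the `location` input is removed, and `zone_service_ref_list` changes from a map of `optional(string)` zone names to a map of objects with `zone_name` and `serviceRef_location`, so any caller passing `codeengine = "my-zone"` now fails type checking and must switch to `codeengine = { zone_name = "my-zone" }`, and any caller passing `location` must move that value into per-service `serviceRef_location` lists. The default also moves from an object with every key set to `null` to `{}`; with all attributes declared `optional(...)` Terraform fills the missing keys with `null`, so a zone should still be created for every service, but a line in the description saying so would save callers a read of main.tf.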

modules/fscloud/main.tf

Lines changed: 29 additions & 6 deletions
@@ -125,28 +125,51 @@ locals {
125125
target_service_details = merge(local.target_service_details_default, var.target_service_details)
126126

127127
zone_final_service_ref_list = {
128-
for service_ref, service_ref_name in var.zone_service_ref_list : service_ref => service_ref_name if !contains(var.skip_specific_services_for_zone_creation, service_ref)
128+
for service_ref, service_ref_details in var.zone_service_ref_list : service_ref => (
129+
service_ref_details != null ? {
130+
zone_name = service_ref_details.zone_name != null ? service_ref_details.zone_name : null,
131+
serviceRef_location = service_ref_details.serviceRef_location != null ? service_ref_details.serviceRef_location : []
132+
} : {
133+
zone_name = null,
134+
serviceRef_location = []
135+
}
136+
) if !contains(var.skip_specific_services_for_zone_creation, service_ref)
129137
}
138+
130139
}
131140

132141
###############################################################################
133142
# Pre-create coarse grained CBR zones for each service
134143
###############################################################################
135144

136145
locals {
146+
147+
# tflint-ignore: terraform_unused_declarations
148+
validate_location_and_service_name = [
149+
for item in ["directlink", "globalcatalog-collection", "iam-groups", "user-management"] :
150+
contains(keys(local.zone_final_service_ref_list), item) ? length(local.zone_final_service_ref_list[item].serviceRef_location) == 0 ? true : tobool("Error: The services 'directlink', 'globalcatalog-collection', 'iam-groups' and 'user-management' do not support location") : true
151+
]
137152
service_ref_zone_list = (length(local.zone_final_service_ref_list) > 0) ? {
138-
for service_ref, service_ref_name in local.zone_final_service_ref_list : service_ref => {
139-
name = service_ref_name == null ? "${var.prefix}-${service_ref}-service-zone" : service_ref_name
153+
for service_ref, service_ref_details in local.zone_final_service_ref_list : service_ref => {
154+
name = service_ref_details.zone_name == null ? "${var.prefix}-${service_ref}-service-zone" : service_ref_details.zone_name
140155
account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
141156
zone_description = "Single zone for service ${service_ref}."
142-
# when the target service is containers-kubernetes or any icd services, context cannot have a serviceref
143-
addresses = [
157+
addresses = length(service_ref_details.serviceRef_location) == 0 ? [
158+
{
159+
type = "serviceRef"
160+
ref = {
161+
account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
162+
service_name = service_ref
163+
location = null
164+
}
165+
}
166+
] : [for loc in service_ref_details.serviceRef_location :
144167
{
145168
type = "serviceRef"
146169
ref = {
147170
account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
148171
service_name = service_ref
149-
location = (service_ref == "directlink" || service_ref == "globalcatalog-collection" || service_ref == "user-management" || service_ref == "iam-groups") ? null : var.location
172+
location = loc
150173
}
151174
}
152175
]
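Review bot: the migration from one account-wide `var.location` to per-service `serviceRef_location` changes how a forgotten service fails. Before, a single `location` value scoped every zone except the four exempt services; now any service whose `serviceRef_location` is unset is normalised to `[]` (lines 131+ and 134+) and takes the `location = null` branch (163+), so a caller who migrates some services but not others gets unscoped zones for the rest without any warning, and the plan diff for that is a `location` attribute quietly changing from a region to `null`. That deserves a breaking-change note next to the removal of `var.location`. Smaller points: `zone_name = service_ref_details.zone_name != null ? service_ref_details.zone_name : null` is equivalent to `zone_name = service_ref_details.zone_name`; the nested ternary in `validate_location_and_service_name` that ends in `tobool("Error: ...")` would be clearer as a `validation` block on `var.zone_service_ref_list` or a `precondition` on the resource that consumes `service_ref_zone_list`, and the two extra blank lines at 146+/147+ inside `locals` can go; the services it checks ('directlink', 'globalcatalog-collection', 'iam-groups', 'user-management') disagree with the README note in this commit, which lists 'compliance' instead of 'globalcatalog-collection'; and the removed comment "when the target service is containers-kubernetes or any icd services, context cannot have a serviceref" was dropped without replacement, so if the constraint still holds it should stay near the `addresses` expression.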
