fix: added fix to ensure only service-group-id should be specified when the pseudo service IAM is used (#487)

Author: Ak-sky

examples/fscloud/README.md

@@ -8,6 +8,7 @@ This examples is designed to show case some of the key customization options for
 3. Open up network traffic flow from a block of IPs to the Schematics public endpoint.
 4. Open up network traffic flow from the VPC created in this example to ICD postgresql private endpoints.
 5. Customize the rule description for `kms` and the zone name for `codeengine`.
+6. Restrict network traffic flow for pseudo `IAM` service.
 
 Context: this examples covers a "pseudo" real-world scenario where:
 1. ICD Mongodb and Postgresql instances are encrypted using keys storage in Key Protect.
@@ -17,4 +18,4 @@ Context: this examples covers a "pseudo" real-world scenario where:
 5. Skips creation of zones for these two service references ["user-management", "iam-groups"].
 
 ## Note
-- The services 'compliance', 'directlink', 'iam-groups', 'containers-kubernetes', 'user-management' do not support restriction per location for zone creation.
+The services 'directlink', 'globalcatalog-collection', 'iam-groups' and 'user-management' do not support restrictions per location.

examples/fscloud/main.tf

@@ -87,7 +87,11 @@ module "cbr_account_level" {
     }
     "mqcloud" : {
       "enforcement_mode" = "disabled"
-      "region"           = "eu-fr2" # BNPP region
+      "region"           = "eu-fr2" # BNPP region (region or serviceInstance is/are required for service 'mqcloud`)
+      "global_deny"      = false
+    }
+    "IAM" : {
+      "enforcement_mode" = "report"
       "global_deny"      = false
     }
   }

modules/fscloud/README.md

@@ -27,7 +27,7 @@ Important: In order to avoid unexpected breakage in the account against which th
 **Note on Event Notifications**: Event Notifications introduced SMTP API that does not support `report` enforcement mode. By default `report` mode is set which excludes SMTP API. If enforcement mode is set to `enabled`, CBR will be applied to the SMTP API as well.
 
 ## Note
-The services 'directlink', 'globalcatalog-collection', 'iam-groups' and 'user-management' does not support restriction per location.
+The services 'directlink', 'globalcatalog-collection', 'iam-groups' and 'user-management' do not support restriction per location.
 
 ### Usage
 

modules/fscloud/main.tf

@@ -5,6 +5,9 @@ data "ibm_iam_account_settings" "iam_account_settings" {
 }
 
 locals {
+
+  service_group_ids = ["IAM"] # List of pseudo services for which service_group_id is required
+
   target_service_details_default = {
     "iam-groups" : {
       "enforcement_mode" : "report"
@@ -98,7 +101,6 @@ locals {
     },
     "IAM" : {
       "enforcement_mode" : "report"
-      "service_group_id" : "IAM"
     },
     "context-based-restrictions" : {
       "enforcement_mode" : "report"
@@ -325,10 +327,6 @@ locals {
     ] }]
   }
 
-  deny_rules_by_service = { for target_service_name in keys(local.global_deny_target_service_details) :
-    target_service_name => []
-  }
-
   # Some services have restrictions on the api types that can apply CBR - we codify this below
   # Restrict and allow the api types as per the target service
   icd_api_types = ["crn:v1:bluemix:public:context-based-restrictions::::api-type:data-plane"]
@@ -355,18 +353,23 @@ locals {
 }
 
 locals {
+
   target_service_details_attributes = { for key, value in local.target_service_details :
     key => [
       {
         name     = "accountId",
         operator = "stringEquals",
         value    = data.ibm_iam_account_settings.iam_account_settings.account_id
       },
-      try(value.service_group_id, null) != null ? {
+      contains(local.service_group_ids, key) ? {
         name     = "service_group_id",
         operator = "stringEquals",
-        value    = value.service_group_id
-      } : {},
+        value    = key
+        } : {
+        name     = "serviceName",
+        operator = "stringEquals",
+        value    = lookup(local.fake_service_names, key, key)
+      },
       try(value.target_rg, null) != null ? {
         name     = "resourceGroupId",
         operator = "stringEquals",
@@ -381,11 +384,6 @@ locals {
         name     = "region",
         operator = "stringEquals",
         value    = value.region
-      } : {},
-      try(value.service_group_id, null) == null ? {
-        name     = "serviceName",
-        operator = "stringEquals",
-        value    = lookup(local.fake_service_names, key, key)
       } : {}
   ] }
 }
@@ -433,8 +431,7 @@ module "global_deny_cbr_rule" {
   source           = "../../modules/cbr-rule-module"
   rule_description = try(each.value.description, null) != null ? each.value.description : "${var.prefix}-${each.key}-global-deny-rule"
   enforcement_mode = each.value.enforcement_mode
-  rule_contexts    = lookup(local.deny_rules_by_service, each.key, [])
-
+  rule_contexts    = []
 
   resources = [{
     tags = try(each.value.tags, null) != null ? [for tag in each.value.tags : {
@@ -447,10 +444,15 @@ module "global_deny_cbr_rule" {
         operator = "stringEquals",
         value    = data.ibm_iam_account_settings.iam_account_settings.account_id
       },
-      {
+      contains(local.service_group_ids, each.key) ? {
+        name     = "service_group_id",
+        operator = "stringEquals",
+        value    = each.key
+        } : {
         name     = "serviceName",
         operator = "stringEquals",
         value    = lookup(local.fake_service_names, each.key, each.key)
-    }]
+      }
+    ]
   }]
 }