feat: added pre-wired rule for Event Notification (Messagehub) to HPCS (#406)

Ak-sky · web-flow · commit acd3d60b02d8 · 2024-02-22T08:45:22.000Z
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
@@ -1,16 +1,17 @@
 # Pre-wired CBR configuration for FS Cloud
 
 This module creates default coarse-grained CBR rules in a given account following a "secure by default" approach - that is: deny all flows by default, except known documented communication in the [Financial Services Cloud Reference Architecture](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-vpc-architecture-about):
-- Cloud Object Storage (COS) -> Key Management Service (KMS)
-- Block Storage -> Key Management Service (KMS)
-- IBM Cloud Kubernetes Service (IKS) -> Key Management Service (KMS)
-- All IBM Cloud Databases (ICD) services -> Key Management Service (KMS)
+- Cloud Object Storage (COS) -> Hyper Protect Crypto Services (HPCS)
+- Block Storage -> Hyper Protect Crypto Services (HPCS)
+- IBM Cloud Kubernetes Service (IKS) -> Hyper Protect Crypto Services (HPCS)
+- All IBM Cloud Databases (ICD) services -> Hyper Protect Crypto Services (HPCS)
 - Activity Tracker route -> Cloud Object Storage (COS)
 - Virtual Private Clouds (VPCs) where clusters are deployed -> Cloud Object Storage (COS)
 - IBM Cloud VPC Infrastructure Services (IS) -> Cloud Object Storage (COS)
 - Virtual Private Cloud workload (eg: Kubernetes worker nodes) -> IBM Cloud Container Registry
 - IBM Cloud Databases (ICD) -> Hyper Protect Crypto Services (HPCS)
-- IBM Cloud Kubernetes Service (IKS) -> IS (VPC Infrastructure Services)
+- IBM Cloud Kubernetes Service (IKS) -> VPC Infrastructure Services (IS)
+- Event Streams (Messagehub) -> Hyper Protect Crypto Services (HPCS)
 
 
 **Note on KMS**: the module supports setting up rules for Key Protect, and Hyper Protect Crypto Services. By default the modules set rules for Hyper Protect Crypto Services, but this can be modified to use Key Protect, Hyper Protect, or both Key Protect and Hyper Protect Crypto Services using the input variable `kms_service_targeted_by_prewired_rules`.
@@ -92,7 +93,8 @@ module "cbr_fscloud" {
 | <a name="input_allow_at_to_cos"></a> [allow\_at\_to\_cos](#input\_allow\_at\_to\_cos) | Set rule for Activity Tracker to COS, default is true | `bool` | `true` | no |
 | <a name="input_allow_block_storage_to_kms"></a> [allow\_block\_storage\_to\_kms](#input\_allow\_block\_storage\_to\_kms) | Set rule for block storage to KMS, default is true | `bool` | `true` | no |
 | <a name="input_allow_cos_to_kms"></a> [allow\_cos\_to\_kms](#input\_allow\_cos\_to\_kms) | Set rule for COS to KMS, default is true | `bool` | `true` | no |
-| <a name="input_allow_icd_to_kms"></a> [allow\_icd\_to\_kms](#input\_allow\_icd\_to\_kms) | Set rule for ICD to KMS, deafult is true | `bool` | `true` | no |
+| <a name="input_allow_event_streams_to_kms"></a> [allow\_event\_streams\_to\_kms](#input\_allow\_event\_streams\_to\_kms) | Set rule for Event Streams (Messagehub) to KMS, default is true | `bool` | `true` | no |
+| <a name="input_allow_icd_to_kms"></a> [allow\_icd\_to\_kms](#input\_allow\_icd\_to\_kms) | Set rule for ICD to KMS, default is true | `bool` | `true` | no |
 | <a name="input_allow_iks_to_is"></a> [allow\_iks\_to\_is](#input\_allow\_iks\_to\_is) | Set rule for IKS to IS (VPC Infrastructure Services), default is true | `bool` | `true` | no |
 | <a name="input_allow_is_to_cos"></a> [allow\_is\_to\_cos](#input\_allow\_is\_to\_cos) | Set rule for IS (VPC Infrastructure Services) to COS, default is true | `bool` | `true` | no |
 | <a name="input_allow_roks_to_kms"></a> [allow\_roks\_to\_kms](#input\_allow\_roks\_to\_kms) | Set rule for ROKS to KMS, default is true | `bool` | `true` | no |
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
@@ -217,9 +217,11 @@ locals {
   logdnaat_cbr_zone_id = local.cbr_zones["logdnaat"].zone_id
   # tflint-ignore: terraform_naming_convention
   is_cbr_zone_id = local.cbr_zones["is"].zone_id
+  # tflint-ignore: terraform_naming_convention
+  event_streams_cbr_zone_id = local.cbr_zones["messagehub"].zone_id
 
   prewired_rule_contexts_by_service = merge({
-    # COS -> HPCS, Block storage -> HPCS, ROKS -> HPCS, ICD -> HPCS
+    # COS -> HPCS, Block storage -> HPCS, ROKS -> HPCS, ICD -> HPCS, Event Streams (Messagehub) -> HPCS
     for key in local.kms_values : key => [{
       endpointType : "private",
       networkZoneIds : flatten([
@@ -233,10 +235,11 @@ locals {
           local.databases-for-mongodb_cbr_zone_id,
           local.databases-for-mysql_cbr_zone_id,
           local.databases-for-postgresql_cbr_zone_id,
-        local.databases-for-redis_cbr_zone_id] : []
+        local.databases-for-redis_cbr_zone_id] : [],
+        var.allow_event_streams_to_kms ? [local.event_streams_cbr_zone_id] : []
       ])
     }] }, {
-    # Fs VPCs -> COS, AT -> COS, IS (VPC Infrastructure Services) -> COS
+    # Fs VPCs -> COS, AT -> COS, VPC Infrastructure Services (IS) -> COS
     "cloud-object-storage" : [{
       endpointType : "direct",
       networkZoneIds : flatten([
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
@@ -28,7 +28,13 @@ variable "allow_roks_to_kms" {
 
 variable "allow_icd_to_kms" {
   type        = bool
-  description = "Set rule for ICD to KMS, deafult is true"
+  description = "Set rule for ICD to KMS, default is true"
+  default     = true
+}
+
+variable "allow_event_streams_to_kms" {
+  type        = bool
+  description = "Set rule for Event Streams (Messagehub) to KMS, default is true"
   default     = true
 }
 
