fix: restrict codeengine control plane api (#639)

Ak-sky · web-flow · commit bce717a7e42d · 2025-04-14T09:30:29.000+01:00
* fix: restrict codeengine control plane api

* update CE APIs

* update CE APIs
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
@@ -27,6 +27,12 @@ locals {
     "codeengine" : {
       "enforcement_mode" : "report"
     },
+    "codeengine-service-control-plane" : {
+      "enforcement_mode" : "report"
+    },
+    "codeengine-platform" : {
+      "enforcement_mode" : "report"
+    },
     "container-registry" : {
       "enforcement_mode" : "report"
     },
@@ -69,6 +75,9 @@ locals {
     "hs-crypto" : {
       "enforcement_mode" : "report"
     },
+    "containers-kubernetes" : {
+      "enforcement_mode" : "disabled"
+    },
     "containers-kubernetes-management" : {
       "enforcement_mode" : "disabled"
     },
@@ -386,11 +395,16 @@ locals {
     messages-for-rabbitmq            = local.icd_api_types,
     databases-for-mysql              = local.icd_api_types
     mqcloud                          = local.icd_api_types
+    codeengine                       = ["crn:v1:bluemix:public:context-based-restrictions::::api-type:control-plane", "crn:v1:bluemix:public:context-based-restrictions::::platform-api-type:"]
+    codeengine-service-control-plane = ["crn:v1:bluemix:public:context-based-restrictions::::api-type:control-plane"]
+    codeengine-platform              = ["crn:v1:bluemix:public:context-based-restrictions::::platform-api-type:"]
   }
 
   fake_service_names = {
     "containers-kubernetes-cluster"    = "containers-kubernetes",
     "containers-kubernetes-management" = "containers-kubernetes"
+    "codeengine-service-control-plane" = "codeengine"
+    "codeengine-platform"              = "codeengine"
   }
 }
 
