fix: fixed icd-apitypes for global deny rule (#522)

Ak-sky · web-flow · commit f6c29345c1fd · 2024-09-05T14:38:43.000+01:00
diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf
@@ -87,6 +87,10 @@ module "cbr_account_level" {
       "enforcement_mode" = "enabled"
       "global_deny"      = false # mandatory to set 'global_deny = false' when no scope is defined
     }
+    "databases-for-postgresql" = {
+      "enforcement_mode" = "enabled"
+      "target_rg"        = module.resource_group.resource_group_id
+    }
     "messagehub" = {
       # As the service is scoped, a new global rule will also get created
       "enforcement_mode" = "enabled"
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
@@ -448,7 +448,17 @@ module "global_deny_cbr_rule" {
   rule_description = try(each.value.description, null) != null ? each.value.description : "${var.prefix}-${each.key}-global-deny-rule"
   enforcement_mode = each.value.enforcement_mode
   rule_contexts    = []
-
+  operations = (length(lookup(local.operations_apitype_val, each.key, [])) > 0) ? [{
+    api_types = [
+      # lookup the map for the target service name, if empty then pass default value
+      for apitype in lookup(local.operations_apitype_val, each.key, []) : {
+        api_type_id = apitype
+    }]
+    }] : [{
+    api_types = [{
+      api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+    }]
+  }]
   resources = [{
     tags = try(each.value.tags, null) != null ? [for tag in each.value.tags : {
       name  = split(":", tag)[0]
