fix: Event Notifications introduced SMTP API that does not support report enforcement mode. By default report mode is set which excludes SMTP API. If enforcement mode is set to enabled, CBR will be applied to the SMTP API as well.<br>- Added MQ segmentation to add data plane API type id (#485)

Author: Ak-sky

examples/fscloud/main.tf

@@ -85,6 +85,11 @@ module "cbr_account_level" {
       "target_rg"        = module.resource_group.resource_group_id
       "global_deny"      = false
     }
+    "mqcloud" : {
+      "enforcement_mode" = "disabled"
+      "region"           = "eu-fr2" # BNPP region
+      "global_deny"      = false
+    }
   }
 
   # Demonstrates how a customized name can be set for the CBR zone

modules/cbr-service-profile/main.tf

@@ -29,7 +29,8 @@ locals {
     databases-for-mongodb       = local.icd_api_types,
     databases-for-postgresql    = local.icd_api_types,
     databases-for-redis         = local.icd_api_types,
-    messages-for-rabbitmq       = local.icd_api_types
+    messages-for-rabbitmq       = local.icd_api_types,
+    mqcloud                     = local.icd_api_types
   }
 
   vpc_zone_list = (length(var.zone_vpc_crn_list) > 0) ? [{

modules/fscloud/README.md

@@ -24,6 +24,8 @@ The module also pre-create CBR zone for each service in the account as a best pr
 
 Important: In order to avoid unexpected breakage in the account against which this module is executed, the CBR rule enforcement mode is set to 'report' (or 'disabled' for services not supporting 'report' mode) by default. It is recommended to test out this module first with these default, and then use the `target_service_details` variable to set the enforcement mode to "enabled" gradually by service. The [usage example](../../examples/fscloud/) demonstrates how to set the enforcement mode to 'enabled' for the key protect ("kms") service.
 
+**Note on Event Notifications**: Event Notifications introduced SMTP API that does not support `report` enforcement mode. By default `report` mode is set which excludes SMTP API. If enforcement mode is set to `enabled`, CBR will be applied to the SMTP API as well.
+
 ## Note
 The services 'directlink', 'globalcatalog-collection', 'iam-groups' and 'user-management' does not support restriction per location.
 

modules/fscloud/main.tf

@@ -345,6 +345,7 @@ locals {
     databases-for-redis              = local.icd_api_types,
     messages-for-rabbitmq            = local.icd_api_types,
     databases-for-mysql              = local.icd_api_types
+    mqcloud                          = local.icd_api_types
   }
 
   fake_service_names = {
@@ -401,6 +402,10 @@ module "cbr_rule" {
       # lookup the map for the target service name, if empty then pass default value
       for apitype in lookup(local.operations_apitype_val, each.key, []) : {
         api_type_id = apitype
+    }] # Addding condition below for Event Notifications to enable CBR for control plane API explicitly for report mode as SMTP API does not support report mode
+    }] : each.key == "event-notifications" && each.value.enforcement_mode == "report" ? [{
+    api_types = [{
+      api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:control-plane"
     }]
     }] : [{
     api_types = [{