feat: Split containers-kubernetes rules in the secure-by-default submodule (#336)

Co-authored-by: Vincent Burckhardt <vincent.burckhardt@ie.ibm.com>

Author: rajatagarwal-ibm

examples/fscloud/README.md

@@ -4,12 +4,12 @@ This example demonstrates how to use the [fscloud profile](../../profiles/fsclou
 
 This examples is designed to show case some of the key customization options for the module. In addition to the pre-wired CBR rules documented at [fscloud profile](../../profiles/fscloud/), this example shows how to customize the module to:
 1. Open up network traffic flow from Schematics to Key Protect and HPCS public endpoints. Note that for illustration purpose, this example configures the use of both Key Protect and HPCS through the `kms_service_targeted_by_prewired_rules` variable. In a real-world scenario, only one Key Management Service would be used
-2. Open up network traffic flow from a block of IPs to the Schematics public endpoint.
+2. Open up network traffic flow from a block of IPs to the Schematics public endpoint and the private container clusters endpoints.
 3. Open up network traffic flow from the VPC created in this example to ICD postgresql private endpoints.
 
 Context: this examples covers a "pseudo" real-world scenario where:
 1. Schematics is used to execute terraform that create Key Protect, and HPCS keys and key ring over its public endpoint.
-2. Operators use machines with a set list of public IPs to interact with Schematics.
+2. Operators use machines with a set list of public IPs to interact with Schematics, and through private endpoints to the container clusters.
 3. Applications are running the VPC and need access to PostgreSQL via the private endpoint - eg: a VPE.
 4. Skips creation of zones for these two service references ["user-management", "iam-groups"].
 

examples/fscloud/main.tf

@@ -103,14 +103,13 @@ module "cbr_account_level" {
       endpointType = "private"
       ## Give access to the zone containing the VPC passed in zone_vpc_crn_list input
       add_managed_vpc_zone = true
+    }],
+    "containers-kubernetes-cluster" = [{
+      endpointType = "private"
+      ## Give operator access to run kubectl against private endpoints on any cluster in account
+      zone_ids = [module.cbr_zone_operator_ips.zone_id]
     }]
-    }, {
-    # Using 'kms' for Key Protect value as target service name supported by CBR for Key Protect is 'kms'.
-    "kms" = [
-      {
-        endpointType = "public"
-      zone_ids = [module.cbr_zone_operator_ips.zone_id] }
-  ] })
+  })
 }
 
 ## Example of zone using ip addresses, and reference in one of the zone created by the cbr_account_level above.

modules/fscloud/README.md

@@ -1,19 +1,22 @@
 # Pre-wired CBR configuration for FS Cloud
 
 This module creates default coarse-grained CBR rules in a given account following a "secure by default" approach - that is: deny all flows by default, except known documented communication in the [Financial Services Cloud Reference Architecture](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-vpc-architecture-about):
-- COS -> KMS
-- Block storage -> KMS
-- ROKS -> KMS
-- All ICD services -> KMS
-- Activity Tracker route -> COS
-- VPCs where clusters are deployed -> COS
-- IS (VPC Infrastructure Services) -> COS
-- VPCs -> container registry
-- All ICD -> HPCS
-- IKS -> IS (VPC Infrastructure Services)
+- Cloud Object Storage (COS) -> Key Management Service (KMS)
+- Block Storage -> Key Management Service (KMS)
+- IBM Cloud Kubernetes Service (IKS) -> Key Management Service (KMS)
+- All IBM Cloud Databases (ICD) services -> Key Management Service (KMS)
+- Activity Tracker route -> Cloud Object Storage (COS)
+- Virtual Private Clouds (VPCs) where clusters are deployed -> Cloud Object Storage (COS)
+- IBM Cloud VPC Infrastructure Services (IS) -> Cloud Object Storage (COS)
+- Virtual Private Cloud workload (eg: Kubernetes worker nodes) -> IBM Cloud Container Registry
+- IBM Cloud Databases (ICD) -> Hyper Protect Crypto Services (HPCS)
+- IBM Cloud Kubernetes Service (IKS) -> IS (VPC Infrastructure Services)
+
 
 **Note on KMS**: the module supports setting up rules for Key Protect, and Hyper Protect Crypto Services. By default the modules set rules for Hyper Protect Crypto Services, but this can be modified to use Key Protect, Hyper Protect, or both Key Protect and Hyper Protect Crypto Services using the input variable `kms_service_targeted_by_prewired_rules`.
 
+**Note on containers-kubernetes**: the module supports the pseudo-service names `containers-kubernetes-management` and `containers-kubernetes-cluster` to distinguish between the cluster and management APIs (see [details](https://cloud.ibm.com/docs/containers?topic=containers-cbr&interface=ui#protect-api-types-cbr) ). The module creates separates CBR rules for the two types of APIs by default to align with common real-world scenarios. `containers-kubernetes` can be used to create a CBR targetting both the cluster and management APIs.
+
 This module is designed to allow the consumer to add additional custom rules to open up additional flows necessarity for their usage. See the `custom_rule_contexts_by_service` input variable, and an [usage example](../../examples/fscloud/) demonstrating how to open up more flows.
 
 The module also pre-create CBR zone for each service in the account as a best practice. CBR rules associated with these CBR zone can be set by using the `custom_rule_contexts_by_service` variable.

modules/fscloud/main.tf

@@ -66,7 +66,10 @@ locals {
     "hs-crypto" : {
       "enforcement_mode" : "report"
     },
-    "containers-kubernetes" : {
+    "containers-kubernetes-management" : {
+      "enforcement_mode" : "disabled"
+    },
+    "containers-kubernetes-cluster" : {
       "enforcement_mode" : "disabled"
     },
     "messages-for-rabbitmq" : {
@@ -257,7 +260,7 @@ locals {
       networkZoneIds : flatten([
         var.allow_iks_to_is ? [local.containers-kubernetes_cbr_zone_id] : []
       ])
-    }],
+    }]
   })
 
   prewired_rule_contexts_by_service_check = { for key, value in local.prewired_rule_contexts_by_service :
@@ -311,16 +314,23 @@ locals {
   # Restrict and allow the api types as per the target service
   icd_api_types = ["crn:v1:bluemix:public:context-based-restrictions::::api-type:data-plane"]
   operations_apitype_val = {
-    databases-for-enterprisedb  = local.icd_api_types,
-    containers-kubernetes       = ["crn:v1:bluemix:public:containers-kubernetes::::api-type:cluster", "crn:v1:bluemix:public:containers-kubernetes::::api-type:management"],
-    databases-for-cassandra     = local.icd_api_types,
-    databases-for-elasticsearch = local.icd_api_types,
-    databases-for-etcd          = local.icd_api_types,
-    databases-for-mongodb       = local.icd_api_types,
-    databases-for-postgresql    = local.icd_api_types,
-    databases-for-redis         = local.icd_api_types,
-    messages-for-rabbitmq       = local.icd_api_types,
-    databases-for-mysql         = local.icd_api_types
+    databases-for-enterprisedb       = local.icd_api_types,
+    containers-kubernetes            = ["crn:v1:bluemix:public:containers-kubernetes::::api-type:cluster", "crn:v1:bluemix:public:containers-kubernetes::::api-type:management"],
+    containers-kubernetes-cluster    = ["crn:v1:bluemix:public:containers-kubernetes::::api-type:cluster"],
+    containers-kubernetes-management = ["crn:v1:bluemix:public:containers-kubernetes::::api-type:management"]
+    databases-for-cassandra          = local.icd_api_types,
+    databases-for-elasticsearch      = local.icd_api_types,
+    databases-for-etcd               = local.icd_api_types,
+    databases-for-mongodb            = local.icd_api_types,
+    databases-for-postgresql         = local.icd_api_types,
+    databases-for-redis              = local.icd_api_types,
+    messages-for-rabbitmq            = local.icd_api_types,
+    databases-for-mysql              = local.icd_api_types
+  }
+
+  fake_service_names = {
+    "containers-kubernetes-cluster"    = "containers-kubernetes",
+    "containers-kubernetes-management" = "containers-kubernetes"
   }
 }
 
@@ -362,7 +372,7 @@ module "cbr_rule" {
       {
         name     = "serviceName",
         operator = "stringEquals",
-        value    = each.key
+        value    = lookup(local.fake_service_names, each.key, each.key)
       }] : try(each.value.instance_id, null) != null ? [
       {
         name     = "accountId",
@@ -377,7 +387,7 @@ module "cbr_rule" {
       {
         name     = "serviceName",
         operator = "stringEquals",
-        value    = each.key
+        value    = lookup(local.fake_service_names, each.key, each.key)
       }] : [
       {
         name     = "accountId",
@@ -387,7 +397,7 @@ module "cbr_rule" {
       {
         name     = "serviceName",
         operator = "stringEquals",
-        value    = each.key
+        value    = lookup(local.fake_service_names, each.key, each.key)
     }]
   }]
 }

modules/fscloud/variables.tf

@@ -107,6 +107,7 @@ variable "custom_rule_contexts_by_service" {
       for key, val in var.custom_rule_contexts_by_service :
       [for rule in val : [
         for ref in rule.service_ref_names : contains(["cloud-object-storage", "codeengine", "containers-kubernetes",
+          "containers-kubernetes-cluster", "containers-kubernetes-management",
           "databases-for-cassandra", "databases-for-elasticsearch", "databases-for-enterprisedb",
           "databases-for-etcd", "databases-for-mongodb",
           "databases-for-mysql", "databases-for-postgresql",
@@ -147,7 +148,7 @@ variable "target_service_details" {
         "databases-for-enterprisedb", "databases-for-elasticsearch",
         "databases-for-etcd", "databases-for-mongodb",
         "databases-for-mysql", "databases-for-postgresql", "databases-for-redis",
-        "directlink", "dns-svcs", "messagehub", "kms", "containers-kubernetes",
+        "directlink", "dns-svcs", "messagehub", "kms", "containers-kubernetes", "containers-kubernetes-cluster", "containers-kubernetes-management",
         "messages-for-rabbitmq", "secrets-manager", "transit", "is",
       "schematics", "apprapp", "event-notifications", "compliance", "hs-crypto"], target_service_name)
     ])