Add support to output GUID for instance / firewall for bucket / kms encryption for bucket (#14)

* Add guid output for instance and Firewall for bucket

* update readme files

* Add encrypton key crn to storage bucket

* Change name of variable for encryption

* Update examples with changes

Co-authored-by: Adam Geiger <ageiger@us.ibm.com>

Author: argeiger

examples/bucket/README.md

@@ -97,10 +97,11 @@ module "cos_bucket" {
 | logdna\_crn            | instance crn of logdna that will receive object event data                            | string | n/a     | no       |
 | read\_data\_events     | If set to true, all object write events will be sent to Activity Tracke/logdna        | bool   | `true`  | no       |
 | write\_data\_events    | If set to true, all object write events will be sent to Activity Tracke/logdna        | bool   | `true`  | no       |
-
+| allowed_ip             | A list of IPs you want to allow access to your bucket.                                | list   | n/a     | no       |
+| kms_key_crn            | The CRN of the root key that you want to use to encrypt data                          | string | n/a     | no       |
 
 ## NOTE:
 
 * If we want to make use of a particular version of module, then set the argument "version" to respective module version.
 
-* To attach a key to cos instance, enbale it by setting `bind_resource_key` argument to true (which is by default false). And set the `resource_key_name` and `role` parameters accordingly (which are by deafult empty) in variables.tf file.
+* To attach a key to cos instance, enbale it by setting `bind_resource_key` argument to true (which is by default false). And set the `resource_key_name` and `role` parameters accordingly (which are by deafult empty) in variables.tf file.

examples/bucket/main.tf

@@ -61,6 +61,8 @@ module "cos_bucket" {
   force_delete         = var.force_delete
   endpoint_type        = var.endpoint_type
   activity_tracker_crn = local.crn_list[count.index]
+  allowed_ip           = var.allowed_ip
+  kms_key_crn          = var.kms_key_crn
   archive_rule = {
     rule_id = local.archive_rule_id
     enable  = true

examples/bucket/variables.tf

@@ -50,6 +50,17 @@ variable "role" {
   default     = ""
 }
 
+variable "allowed_ip" {
+  description = "A list of IPv4 or IPv6 addresses in CIDR notation that you want to allow access to your IBM Cloud Object Storage bucket"
+  type        = list(string)
+  default     = null
+}
+
+variable "kms_key_crn" {
+  description = "The CRN of the encryption root key that you want to use to encrypt data"
+  type        = string
+  default     = null
+}
 
 variable "cos_instance_name" {
   description = "Enter Name of the cos instance with bucket to be attached"

examples/configure-bucket/README.md

@@ -91,12 +91,13 @@ module "cos_bucket" {
 | force\_delete          | COS buckets need to be empty before they can be deleted                               | bool   | `true`  | no       |
 | read\_data\_events     | If set to true, all object write events will be sent to Activity Tracke/logdna        | bool   | `true`  | no       |
 | write\_data\_events    | If set to true, all object write events will be sent to Activity Tracke/logdna        | bool   | `true`  | no       |
-
+| allowed_ip             | A list of IPs you want to allow access to your bucket.                                | list   | n/a     | no       |
+| kms_key_crn            | The CRN of the root key that you want to use to encrypt data                          | string | n/a     | no       |
 
 ## NOTE :
 
 * If we want to make use of a particular version of module, then set the argument "version" to respective module version.
 
 * Set the `archive_rule_enabled` argument to true only for regional cos bucket creation. For cross region and singleSite location set to false.
 
-* To attach a key to cos instance, enbale it by setting `bind_resource_key` argument to true (which is by default false). And set the `resource_key_name` and `role` parameters accordingly (which are by deafult empty) in variables.tf file.
+* To attach a key to cos instance, enbale it by setting `bind_resource_key` argument to true (which is by default false). And set the `resource_key_name` and `role` parameters accordingly (which are by deafult empty) in variables.tf file.

examples/configure-bucket/main.tf

@@ -50,6 +50,8 @@ module "cos_bucket" {
   force_delete         = var.force_delete
   endpoint_type        = var.endpoint_type
   activity_tracker_crn = ibm_resource_instance.at_instance.id
+  allowed_ip           = var.allowed_ip
+  kms_key_crn          = var.kms_key_crn
   archive_rule = {
     rule_id = local.archive_rule_id
     enable  = true

examples/configure-bucket/variables.tf

@@ -50,6 +50,18 @@ variable "force_delete" {
   default     = true
 }
 
+variable "allowed_ip" {
+  description = "A list of IPv4 or IPv6 addresses in CIDR notation that you want to allow access to your IBM Cloud Object Storage bucket"
+  type        = list(string)
+  default     = null
+}
+
+variable "kms_key_crn" {
+  description = "The CRN of the encryption root key that you want to use to encrypt data"
+  type        = string
+  default     = null
+}
+
 variable "read_data_events" {
   description = "If set to true, all object read events will be sent to Activity Tracker/logdna"
   type        = bool

examples/instance/output.tf

@@ -8,6 +8,11 @@ output "cos_instance_id" {
   value       = module.cos.cos_instance_id
 }
 
+output "cos_instance_guid" {
+  description = "The GUID of the cos instance"
+  value       = module.cos.cos_instance_guid
+}
+
 output "cos_key_id" {
   description = "The ID of the key"
   value       = concat(module.cos.*.cos_key_id, [""])[0]

modules/bucket/README.md

@@ -45,5 +45,7 @@ module "cos_bucket" {
 | plan            | The name of the plan type supported by service.                  | string | n/a     | yes      |
 | region          | Target location or environment to create the resource instance.  | string | n/a     | yes      |
 | resource\_group | Name of the resource group                                       | string | n/a     | yes      |
+| allowed_ip      | A list of IPs you want to allow access to your bucket.  | string | list   | n/a     | no       |
+| kms_key_crn     | The CRN of the root key that you want to use to encrypt data     | string | n/a     | no       |
 
-## NOTE: If we want to make use of a particular version of module, then set the argument "version" to respective module version.
+## NOTE: If we want to make use of a particular version of module, then set the argument "version" to respective module version.

modules/bucket/main.tf

@@ -21,6 +21,8 @@ resource "ibm_cos_bucket" "bucket" {
   storage_class         = var.storage_class
   force_delete          = (var.force_delete != null ? var.force_delete : true)
   endpoint_type         = (var.endpoint_type != null ? var.endpoint_type : "public")
+  allowed_ip            = (var.allowed_ip != null ? var.allowed_ip : null)
+  key_protect           = (var.kms_key_crn != null ? var.kms_key_crn : null)
 
   dynamic "activity_tracking" {
     for_each = var.activity_tracker_crn == "" ? [] : [1]
@@ -65,4 +67,4 @@ resource "ibm_cos_bucket" "bucket" {
 
     }
   }
-}
+}

modules/bucket/variables.tf

@@ -24,6 +24,12 @@ variable "storage_class" {
   type        = string
 }
 
+variable "kms_key_crn" {
+  description = "The CRN of the encryption root key that you want to use to encrypt data"
+  type        = string
+  default     = null
+}
+
 variable "cos_instance_id" {
   description = "Cos instance id"
   type        = string
@@ -34,6 +40,13 @@ variable "endpoint_type" {
   type        = string
   default     = null
 }
+
+variable "allowed_ip" {
+  description = "A list of IPv4 or IPv6 addresses in CIDR notation that you want to allow access to your IBM Cloud Object Storage bucket"
+  type        = list(string)
+  default     = null
+}
+
 variable "force_delete" {
   description = "COS buckets need to be empty before they can be deleted. force_delete option empty the bucket and delete it"
   type        = bool