IBM Cloud Account infrastructure base module


This module is a general base layer module for setting up a newly provisioned account with a default provision of:

  • Base Resource Group
  • IAM Account Settings
  • Trusted Profile + Access Group for Projects
  • CBR Rules + Zones

[Image: account-infrastructure-base]

Overview

  • terraform-ibm-account-infrastructure-base

Current limitations:

The module currently does not support setting the following FSCloud requirements:

  • Check whether user list visibility restrictions are configured in IAM settings for the account owner
    • Follow these steps as a workaround to set this manually in the UI
  • Check whether the Financial Services Validated setting is enabled in account settings
    • Follow these steps as a workaround to set this manually in the UI

Tracking issue with IBM provider -> IBM-Cloud/terraform-provider-ibm#4204

Pre-wired CBR configuration for FS Cloud

This module creates pre-wired CBR rules using our FS Cloud submodule for CBR. See that submodule's README for more details on this configuration.

Usage

module "account_configuration" {
  source  = "terraform-ibm-modules/account-infrastructure-base/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  # Creates one resource group; the other *_resource_group_name inputs are then ignored
  single_resource_group_name = "account-base-resource-group"
  # Required because provision_trusted_profile_projects defaults to true
  trusted_profile_name       = "account-base-trusted-profile"
}
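A fuller configuration, added here as an example and not part of the module's own documentation, that turns on the IAM account hardening and pre-wired CBR inputs documented under Inputs. The resource group and profile names, the CIDR block, and the `kms` service key are assumed values.

```hcl
module "account_configuration" {
  source  = "terraform-ibm-modules/account-infrastructure-base/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  # Separate resource groups per concern (assumed names); single_resource_group_name
  # is left unset so the module creates the full set instead of one group.
  audit_resource_group_name    = "fs-audit-rg"
  security_resource_group_name = "fs-security-rg"
  workload_resource_group_name = "fs-workload-rg"

  # IAM account settings: MFA for every user, API key and service ID creation
  # limited to holders of the creator roles, no public access group.
  mfa                       = "TOTP4ALL"
  api_creation              = "RESTRICTED"
  serviceid_creation        = "RESTRICTED"
  public_access_enabled     = false
  shell_settings_enabled    = false
  active_session_timeout    = 43200  # number: 12 hours
  inactive_session_timeout  = "1800" # string: 30 minutes
  max_sessions_per_identity = "5"
  refresh_token_expiration  = "86400"

  # IP allow-list (constructed CIDR from the RFC 5737 documentation range).
  # enforce = false first so the restriction is only reported; switch to true
  # once the impact on operators and automation has been reviewed.
  allowed_ip_addresses         = ["203.0.113.0/24"]
  enforce_allowed_ip_addresses = false

  # Trusted profile used by IBM Cloud Projects to deploy into this account.
  trusted_profile_name = "fs-projects-deployer"

  # Pre-wired FS Cloud CBR rules with Key Protect as the KMS target, plus one
  # extra rule for the Key Protect service itself ("kms" is the assumed service
  # name; "report" mode logs would-be denials without blocking requests).
  provision_cbr                              = true
  cbr_prefix                                 = "fs-cbr"
  cbr_kms_service_targeted_by_prewired_rules = ["key-protect"]
  cbr_target_service_details = {
    kms = {
      description      = "Key Protect reachable only from approved zones"
      enforcement_mode = "report"
      global_deny      = true
    }
  }
}
```

After reviewing the reported denials, set enforce_allowed_ip_addresses to true and the rule's enforcement_mode to "enabled" to start blocking.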

Required IAM access policies

You need the following permissions to run this module.

  • Account Management
    • All Account Management services (For creation of resource group)
      • Administrator platform access
    • All Identity and Access enabled services (For provisioning of CBR rules)
      • Administrator platform access

Requirements

Name Version
terraform >= 1.9.0
ibm >= 1.79.0, < 2.0.0

Modules

Name Source Version
account_settings terraform-ibm-modules/iam-account-settings/ibm 2.12.0
cbr_fscloud terraform-ibm-modules/cbr/ibm//modules/fscloud 1.32.6
existing_resource_group terraform-ibm-modules/resource-group/ibm 1.3.0
resource_group terraform-ibm-modules/resource-group/ibm 1.3.0
trusted_profile_projects terraform-ibm-modules/trusted-profile/ibm 2.3.1

Resources

No resources.

Inputs

Name Description Type Default Required
access_token_expiration Defines the access token expiration in seconds. This variable is ignored when skip_iam_account_settings is set to true. string "3600" no
active_session_timeout Specify how long, in seconds, a user is allowed to work continuously in the account. This variable is ignored when skip_iam_account_settings is set to true. number 86400 no
allowed_ip_addresses List of the IP addresses and subnets that can create IAM tokens for the account. This variable is ignored when skip_iam_account_settings is set to true. list(any) [] no
api_creation When this variable is set to RESTRICTED, only users who are assigned the User API key creator role on the IAM Identity Service can create API keys, including the account owner. When set to NOT_SET, the previous value for this variable is cleared. Allowed values are RESTRICTED, NOT_RESTRICTED, or NOT_SET. This variable is ignored when skip_iam_account_settings is set to true. string "RESTRICTED" no
audit_resource_group_name The name of the audit resource group to create. string "audit-rg" no
cbr_allow_at_to_cos Set to true to allow Activity Tracker Event Routing access to Object Storage. Default is true if provision_cbr is set to true. bool true no
cbr_allow_block_storage_to_kms Set to true to allow Block Storage for VPC access to the key management service. Default is true if provision_cbr is set to true. bool true no
cbr_allow_cos_to_kms Set to true to allow Object Storage access to the key management service. Default is true if provision_cbr is set to true. bool true no
cbr_allow_event_streams_to_kms Set to true to allow Event Streams access to the key management service. Default is true if provision_cbr is set to true. bool true no
cbr_allow_icd_to_kms Set to true to allow IBM Cloud databases access to the key management service. Default is true if provision_cbr is set to true. bool true no
cbr_allow_iks_to_is Set to true to allow the Kubernetes service access to Virtual Private Cloud Infrastructure Services. Default is true if provision_cbr is set to true. bool true no
cbr_allow_is_to_cos Set to true to allow Virtual Private Cloud Infrastructure Services access to Object Storage. Default is true if provision_cbr is set to true. bool true no
cbr_allow_roks_to_kms Set to true to allow Red Hat OpenShift access to the key management service. Default is true if provision_cbr is set to true. bool true no
cbr_allow_scc_to_cos Set to true to allow Security and Compliance Center access to Object Storage. Default is true if provision_cbr is true. bool true no
cbr_allow_vpcs_to_container_registry Set to true to allow Virtual Private Clouds access to the Container Registry. Default is true if provision_cbr is set to true. bool true no
cbr_allow_vpcs_to_cos Set to true to allow Virtual Private Clouds access to Object Storage. Default is true if provision_cbr is set to true. bool true no
cbr_allow_vpcs_to_iam_access_management Set to true to allow Virtual Private Clouds access to IAM access management. Default is true if provision_cbr is set to true. bool true no
cbr_allow_vpcs_to_iam_groups Set to true to allow Virtual Private Clouds access to IAM groups. Default is true if provision_cbr is set to true. bool true no
cbr_kms_service_targeted_by_prewired_rules IBM Cloud offers two distinct key management services: Key Protect and Hyper Protect Crypto Services. This variable determines the specific key management service to which the pre-configured rules are applied. Use the value 'key-protect' to specify the Key Protect service, and 'hs-crypto' for Hyper Protect Crypto Services. Default is ["hs-crypto"] if provision_cbr is set to true. list(string) ["hs-crypto"] no
cbr_prefix String to use as the prefix for all context-based restriction resources, default is account-infra-base if provision_cbr is set to true. string "acct-infra-base" no
cbr_target_service_details Details of the target service for which a rule is created. The key is the service name. map(object({ description = optional(string), target_rg = optional(string), instance_id = optional(string), enforcement_mode = string, tags = optional(list(string)), region = optional(string), geography = optional(string), global_deny = optional(bool, true) })) {} no
devops_resource_group_name The name of the devops resource group to create. string "devops-tools-rg" no
edge_resource_group_name The name of the edge resource group to create. string "edge-rg" no
enforce_allowed_ip_addresses Whether the IP address restriction is enforced. Set the value to false to test the impact of the restriction on your account. After the impact of the restriction is determined, set the value to true. bool true no
inactive_session_timeout Specify how long, in seconds, a user is allowed to stay logged in to the account while being inactive or idle. This variable is ignored when skip_iam_account_settings is set to true. string "7200" no
management_resource_group_name The name of the management resource group to create. string "management-plane-rg" no
max_sessions_per_identity Defines the maximum allowed sessions per identity required by the account. Supports any whole number greater than 0, or NOT_SET to clear account settings and use the service default. This variable is ignored when skip_iam_account_settings is set to true. string "NOT_SET" no
mfa Specify a multifactor authentication (MFA) method in the account. Supported valid values are NONE (no MFA method set), TOTP (for all non-federated IBMid users), TOTP4ALL (for all users), LEVEL1 (email-based MFA for all users), LEVEL2 (TOTP-based MFA for all users), LEVEL3 (U2F MFA for all users). If skip_iam_account_settings is set to true, this variable is ignored. string "TOTP4ALL" no
observability_resource_group_name The name of the observability resource group to create. string "observability-rg" no
provision_cbr Set to true to create context-based restriction rules and zones in the module. The default is 'false'. bool false no
provision_trusted_profile_projects Whether the trusted profile that authorizes an IBM Cloud project to deploy to your target account is created. bool true no
public_access_enabled Specifies whether the public access group is available to anyone, regardless of whether they have access to your account or not. When enabled, assigned access policies can make resources accessible without authentication. If skip_iam_account_settings is set to true, this variable is ignored. bool false no
refresh_token_expiration Defines the refresh token expiration in seconds. If skip_iam_account_settings is set to true, this variable is ignored. string "259200" no
security_resource_group_name The name of the security resource group to create. string "security-rg" no
serviceid_creation When this variable is set to RESTRICTED, only users who are assigned the Service ID creator role on the IAM Identity Service can create service IDs, including the account owner. When set to NOT_SET, the previous value for this variable is cleared. Allowed values are RESTRICTED, NOT_RESTRICTED, or NOT_SET. This variable is ignored when skip_iam_account_settings is set to true. string "RESTRICTED" no
shell_settings_enabled Whether global shell settings for all users in the account are enabled or disabled. This variable is ignored when skip_iam_account_settings is set to true. bool false no
single_resource_group_name The name of the resource group to create. When this variable is provided, only one resource group is created and all other resource group name variables are ignored. string null no
skip_cloud_shell_calls Skip Cloud Shell calls in the account. This variable is ignored when skip_iam_account_settings is set to true. bool false no
skip_iam_account_settings When set to true, only resource groups are created and IAM settings are not applied to the account. bool false no
trusted_profile_description Description of the trusted profile. string "Trusted profile that authorizes the project to deploy to your target account." no
trusted_profile_name Name of the trusted profile, required if provision_trusted_profile_projects is set to true. string null no
trusted_profile_roles List of roles given to the trusted profile. list(string) ["Administrator"] no
use_existing_audit_resource_group Set to true to use an existing resource group that has the name provided in audit_resource_group_name. bool false no
use_existing_devops_resource_group Set to true to use an existing resource group that has the name provided in devops_resource_group_name. bool false no
use_existing_edge_resource_group Set to true to use an existing resource group that has the name provided in edge_resource_group_name. bool false no
use_existing_management_resource_group Set to true to use an existing resource group that has the name provided in management_resource_group_name. bool false no
use_existing_observability_resource_group Set to true to use an existing resource group that has the name provided in observability_resource_group_name. bool false no
use_existing_security_resource_group Set to true to use an existing resource group that has the name provided in security_resource_group_name. bool false no
use_existing_single_resource_group Set to true to use an existing resource group that has the name provided in single_resource_group_name. bool false no
use_existing_workload_resource_group Set to true to use an existing resource group that has the name provided in workload_resource_group_name. bool false no
user_mfa Specify a multifactor authentication (MFA) method for specific users in the account. Supported valid values are NONE (no MFA method set), TOTP (for all non-federated IBMid users), TOTP4ALL (for all users), LEVEL1 (email-based MFA for all users), LEVEL2 (TOTP-based MFA for all users), LEVEL3 (U2F MFA for all users). Example format is available here > https://github.com/terraform-ibm-modules/terraform-ibm-iam-account-settings#usage. If skip_iam_account_settings is set to true, this variable is ignored. set(object({ iam_id = string, mfa = string })) [] no
user_mfa_reset Set to true to delete all user multifactor authentication (MFA) settings in the target account, and ignore entries declared in var user_mfa. If skip_iam_account_settings is set to true, this variable is ignored. bool false no
workload_resource_group_name The name of the workload resource group to create. string "workload-rg" no

Outputs

Name Description
account_allowed_ip_addresses Account settings allowed IP addresses
account_allowed_ip_addresses_control_mode Account settings allowed IP addresses control mode
account_allowed_ip_addresses_enforced Account settings allowed IP addresses enforced
account_iam_access_token_expiration Account settings IAM access token expiration
account_iam_active_session_timeout Account settings IAM active session timeout
account_iam_apikey_creation Account settings IAM API key creation
account_iam_inactive_session_timeout Account settings IAM inactive session timeout
account_iam_mfa Account settings IAM MFA
account_iam_refresh_token_expiration Account settings IAM refresh token expiration
account_iam_serviceid_creation Account settings IAM service ID creation
account_iam_user_mfa_list Account settings IAM user MFA list
account_public_access Account settings public access
account_shell_settings_status Account settings shell settings status
audit_resource_group_id ID of the resource group created for audit-related resources.
audit_resource_group_name Name of the resource group created for audit-related resources.
cbr_map_service_ref_name_zoneid Map of service references and zone IDs
cbr_map_target_service_rule_ids Map of target services and rule IDs
cbr_map_vpc_zoneid Map of VPC and zone ID
devops_resource_group_id ID of the resource group created for devops-related resources.
devops_resource_group_name Name of the resource group created for devops-related resources.
edge_resource_group_id ID of the resource group created for edge network-related resources.
edge_resource_group_name Name of the resource group created for edge network-related resources.
management_resource_group_id ID of the resource group created for management-related resources.
management_resource_group_name Name of the resource group created for management-related resources.
observability_resource_group_id ID of the resource group created for observability-related resources.
observability_resource_group_name Name of the resource group created for observability-related resources.
security_resource_group_id ID of the resource group created for security-related resources.
security_resource_group_name Name of the resource group created for security-related resources.
single_resource_group_id ID of the resource group created by the module.
single_resource_group_name Name of the resource group created by the module.
trusted_profile_projects Trusted profile for IBM Cloud projects
trusted_profile_projects_claim_rules Trusted profile IBM Cloud projects profile claim rules
trusted_profile_projects_links Trusted profile IBM Cloud projects profile links
trusted_profile_projects_policies Policies for the trusted profile for IBM Cloud projects
workload_resource_group_id ID of the resource group created for workload-related resources.
workload_resource_group_name Name of the resource group created for workload-related resources.

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.