feat: Add CBR's to COS bucket and KMS key (#57)

* feat: Add CBR's to COS bucket

* change to using a serviceRef instead of ipRange

* fix: cbr var and output fixes (#124)

* fix: cbr var and output fixes

* fix: change existing_allowed_cbr_bucket_zone_id default_value to null

* Add display names and array validation

* add different cbr zone names to avoid conflicts between tests

* disable zone_name overrides on upgrade, since it doesn't exist yet

* set the endpoint type of the cbr rule to the management_endpoint_type_for_bucket,

* try public configuration endpoints

* change the names to fix build issue for avoiding conflict with existing zone names

* Change cbr_enforcement_mode: to report for tests

* change the names to fix build issue for avoiding conflict with existing zone names

---------

Co-authored-by: Balázs Marján <balazs.marjan@ibm.com>
Co-authored-by: Balázs Marján <108288807+balazs-marjan@users.noreply.github.com>

Author: chrisw-ibm

README.md

@@ -105,6 +105,11 @@ statement instead the previous block.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_billing_exports"></a> [billing\_exports](#module\_billing\_exports) | ./modules/billing-exports | n/a |
+| <a name="module_cbr_zone_additional"></a> [cbr\_zone\_additional](#module\_cbr\_zone\_additional) | terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module | 1.29.0 |
+| <a name="module_cbr_zone_cloudability"></a> [cbr\_zone\_cloudability](#module\_cbr\_zone\_cloudability) | terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module | 1.29.0 |
+| <a name="module_cbr_zone_cos"></a> [cbr\_zone\_cos](#module\_cbr\_zone\_cos) | terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module | 1.29.0 |
+| <a name="module_cbr_zone_ibmcloud_billing"></a> [cbr\_zone\_ibmcloud\_billing](#module\_cbr\_zone\_ibmcloud\_billing) | terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module | 1.29.0 |
+| <a name="module_cbr_zone_schematics"></a> [cbr\_zone\_schematics](#module\_cbr\_zone\_schematics) | terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module | 1.29.0 |
 | <a name="module_cloudability_bucket_access"></a> [cloudability\_bucket\_access](#module\_cloudability\_bucket\_access) | ./modules/cloudability-bucket-access | n/a |
 | <a name="module_cloudability_enterprise_access"></a> [cloudability\_enterprise\_access](#module\_cloudability\_enterprise\_access) | ./modules/cloudability-enterprise-access | n/a |
 | <a name="module_cloudability_onboarding"></a> [cloudability\_onboarding](#module\_cloudability\_onboarding) | ./modules/cloudability-onboarding | n/a |
@@ -130,11 +135,17 @@ statement instead the previous block.
 | <a name="input_activity_tracker_read_data_events"></a> [activity\_tracker\_read\_data\_events](#input\_activity\_tracker\_read\_data\_events) | If set to true, all Object Storage bucket read events (downloads) will be sent to Activity Tracker. | `bool` | `true` | no |
 | <a name="input_activity_tracker_write_data_events"></a> [activity\_tracker\_write\_data\_events](#input\_activity\_tracker\_write\_data\_events) | If set to true, all Object Storage bucket read events (downloads) will be sent to Activity Tracker. | `bool` | `true` | no |
 | <a name="input_add_bucket_name_suffix"></a> [add\_bucket\_name\_suffix](#input\_add\_bucket\_name\_suffix) | Add random generated suffix (4 characters long) to the newly provisioned Object Storage bucket name (Optional). | `bool` | `true` | no |
+| <a name="input_additional_allowed_cbr_bucket_ip_addresses"></a> [additional\_allowed\_cbr\_bucket\_ip\_addresses](#input\_additional\_allowed\_cbr\_bucket\_ip\_addresses) | A list of CBR zone IP addresses, which are permitted to access the bucket.  This zone typically represents the IP addresses for your company or workstation to allow access to view the contents of the bucket. | `list(string)` | `[]` | no |
 | <a name="input_archive_days"></a> [archive\_days](#input\_archive\_days) | Specifies the number of days when the archive rule action takes effect. A value of `null` disables archiving. A value of `0` immediately archives uploaded objects to the bucket. | `number` | `null` | no |
 | <a name="input_archive_type"></a> [archive\_type](#input\_archive\_type) | Specifies the storage class or archive type to which you want the object to transition. | `string` | `"Glacier"` | no |
-| <a name="input_bucket_cbr_rules"></a> [bucket\_cbr\_rules](#input\_bucket\_cbr\_rules) | (Optional, list) List of CBR rules to create for the bucket | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    tags = optional(list(object({<br/>      name  = string<br/>      value = string<br/>    })), [])<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | The name to give the newly provisioned Object Storage bucket. | `string` | `"billing-reports"` | no |
 | <a name="input_bucket_storage_class"></a> [bucket\_storage\_class](#input\_bucket\_storage\_class) | The storage class of the newly provisioned Object Storage bucket. Supported values are 'standard', 'vault', 'cold', 'smart' and `onerate_active`. | `string` | `"standard"` | no |
+| <a name="input_cbr_additional_zone_name"></a> [cbr\_additional\_zone\_name](#input\_cbr\_additional\_zone\_name) | Name of the CBR zone that corresponds to the ip address range set in `additional_allowed_cbr_bucket_ip_addresses`. | `string` | `"additional-billing-reports-bucket-access"` | no |
+| <a name="input_cbr_billing_zone_name"></a> [cbr\_billing\_zone\_name](#input\_cbr\_billing\_zone\_name) | Name of the CBR zone which represents IBM Cloud billing. See [What are CBRs?](https://cloud.ibm.com/docs/account?topic=account-context-restrictions-whatis) | `string` | `"billing-reports-bucket-writer"` | no |
+| <a name="input_cbr_cloudability_zone_name"></a> [cbr\_cloudability\_zone\_name](#input\_cbr\_cloudability\_zone\_name) | Name of the CBR zone which represents IBM Cloudability. See [What are CBRs?](https://cloud.ibm.com/docs/account?topic=account-context-restrictions-whatis) | `string` | `"cldy-reports-bucket-reader"` | no |
+| <a name="input_cbr_cos_zone_name"></a> [cbr\_cos\_zone\_name](#input\_cbr\_cos\_zone\_name) | Name of the CBR zone which represents Cloud Object Storage service. See [What are CBRs?](https://cloud.ibm.com/docs/account?topic=account-context-restrictions-whatis) | `string` | `"cldy-reports-object-storage"` | no |
+| <a name="input_cbr_enforcement_mode"></a> [cbr\_enforcement\_mode](#input\_cbr\_enforcement\_mode) | The rule enforcement mode: * enabled - The restrictions are enforced and reported. This is the default. * disabled - The restrictions are disabled. Nothing is enforced or reported. * report - The restrictions are evaluated and reported, but not enforced. | `string` | `"enabled"` | no |
+| <a name="input_cbr_schematics_zone_name"></a> [cbr\_schematics\_zone\_name](#input\_cbr\_schematics\_zone\_name) | Name of the CBR zone which represents Schematics. The schematics zone allows Projects to access and manage the Object Storage bucket. | `string` | `"schematics-reports-bucket-management"` | no |
 | <a name="input_cloudability_api_key"></a> [cloudability\_api\_key](#input\_cloudability\_api\_key) | Cloudability API Key. Retrieve your Api Key from https://app.apptio.com/cloudability#/settings/preferences under the section **Cloudability API** select **Enable API** which will generate an api key. Setting this value to __NULL__ will skip adding the IBM Cloud account to Cloudability and only configure IBM Cloud so that the IBM Cloud Account can be added to Cloudability manually | `string` | `null` | no |
 | <a name="input_cloudability_auth_type"></a> [cloudability\_auth\_type](#input\_cloudability\_auth\_type) | Select Cloudability authentication mode. Options are:<br/><br/>* `none`: no connection to Cloudability<br/>* `manual`: manually enter in the credentials in the Cloudability UI<br/>* `api_key`: use Cloudability API Keys<br/>* `frontdoor`: Frontdoor Access Administration | `string` | `"api_key"` | no |
 | <a name="input_cloudability_environment_id"></a> [cloudability\_environment\_id](#input\_cloudability\_environment\_id) | An ID corresponding to your FrontDoor environment. Required if `cloudability_auth_type` = `frontdoor` | `string` | `null` | no |
@@ -148,13 +159,13 @@ statement instead the previous block.
 | <a name="input_enable_billing_exports"></a> [enable\_billing\_exports](#input\_enable\_billing\_exports) | Whether billing exports should be enabled | `bool` | `true` | no |
 | <a name="input_enable_cloudability_access"></a> [enable\_cloudability\_access](#input\_enable\_cloudability\_access) | Whether to grant cloudability access to read the billing reports | `bool` | `true` | no |
 | <a name="input_enterprise_id"></a> [enterprise\_id](#input\_enterprise\_id) | The ID of the enterprise. If `__NULL__` then it is automatically retrieved if `is_enterprise_account` is `true`. Providing this value reduces the access policies that are required to run the DA. | `string` | `null` | no |
+| <a name="input_existing_allowed_cbr_bucket_zone_id"></a> [existing\_allowed\_cbr\_bucket\_zone\_id](#input\_existing\_allowed\_cbr\_bucket\_zone\_id) | An extra CBR zone ID which is permitted to access the bucket.  This zone typically represents the ip addresses for your company or workstation to allow access to view the contents of the bucket. It can be used as an alternative to `additional_allowed_cbr_bucket_ip_addresses` in the case that a zone exists. | `string` | `null` | no |
 | <a name="input_existing_cos_instance_id"></a> [existing\_cos\_instance\_id](#input\_existing\_cos\_instance\_id) | The ID of an existing Cloud Object Storage instance. Required if 'var.create\_cos\_instance' is false. | `string` | `null` | no |
 | <a name="input_existing_kms_instance_crn"></a> [existing\_kms\_instance\_crn](#input\_existing\_kms\_instance\_crn) | The CRN of an existing Key Protect or Hyper Protect Crypto Services instance. Required if 'create\_key\_protect\_instance' is false. | `string` | `null` | no |
 | <a name="input_expire_days"></a> [expire\_days](#input\_expire\_days) | Specifies the number of days when the expire rule action takes effect. | `number` | `3` | no |
 | <a name="input_frontdoor_public_key"></a> [frontdoor\_public\_key](#input\_frontdoor\_public\_key) | The public key that is used along with the `frontdoor_secret_key` to authenticate requests to Cloudability. Only required if `cloudability_auth_type` is `frontdoor`. See [acquiring an Access Administration API key](/docs/track-spend-with-cloudability?topic=track-spend-with-cloudability-planning#frontdoor-api-key) for steps to create your credentials. | `string` | `null` | no |
 | <a name="input_frontdoor_secret_key"></a> [frontdoor\_secret\_key](#input\_frontdoor\_secret\_key) | The secret key that is used along with the `frontdoor_public_key` to authenticate requests to Cloudability. Only required if `cloudability_auth_type` is `frontdoor`.  See [acquiring an Access Administration API key](/docs/track-spend-with-cloudability?topic=track-spend-with-cloudability-planning#frontdoor-api-key) for steps to create your credentials. | `string` | `null` | no |
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key corresponding to the cloud account that will be added to Cloudability. For enterprise accounts this should be the primary enterprise account | `string` | n/a | yes |
-| <a name="input_instance_cbr_rules"></a> [instance\_cbr\_rules](#input\_instance\_cbr\_rules) | (Optional, list) List of CBR rules to create for the instance | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    tags = optional(list(object({<br/>      name  = string<br/>      value = string<br/>    })), [])<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_is_enterprise_account"></a> [is\_enterprise\_account](#input\_is\_enterprise\_account) | Whether the account corresponding to the `ibmcloud_api_key` is an enterprise account and, if so, is the primary account within the enterprise | `bool` | `false` | no |
 | <a name="input_key_name"></a> [key\_name](#input\_key\_name) | Name of the Object Storage bucket encryption key | `string` | `null` | no |
 | <a name="input_key_protect_allowed_network"></a> [key\_protect\_allowed\_network](#input\_key\_protect\_allowed\_network) | The type of the allowed network to be set for the Key Protect instance. Possible values are 'private-only', or 'public-and-private'. Only used if 'create\_key\_protect\_instance' is true. | `string` | `"public-and-private"` | no |