fix: add extra validation around KMS inputs (#188)

Author: ocofaigh

README.md

@@ -29,7 +29,6 @@ module "postgresql_db" {
 ```
 
 ## Required IAM access policies
-
 You need the following permissions to run this module.
 
 - Account Management
@@ -41,7 +40,7 @@ You need the following permissions to run this module.
 
 - [ Restore from backup example](examples/backup)
 - [ Basic with read-only replica example](examples/basic)
-- [ Complete example with BYOK encryption, autoscaling, CBR rules, VPE creation, and read-only replica provisioning](examples/complete)
+- [ Complete example with BYOK encryption, autoscaling, CBR rules and VPE creation](examples/complete)
 - [ Financial Services Cloud profile example](examples/fscloud)
 - [ Point in time recovery example (PITR)](examples/pitr)
 <!-- END EXAMPLES HOOK -->
@@ -73,18 +72,18 @@ You need the following permissions to run this module.
 |------|-------------|------|---------|:--------:|
 | <a name="input_auto_scaling"></a> [auto\_scaling](#input\_auto\_scaling) | Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://ibm.biz/autoscaling-considerations in the IBM Cloud Docs. | <pre>object({<br>    cpu = object({<br>      rate_increase_percent       = optional(number, 10)<br>      rate_limit_count_per_member = optional(number, 20)<br>      rate_period_seconds         = optional(number, 900)<br>      rate_units                  = optional(string, "count")<br>    })<br>    disk = object({<br>      capacity_enabled             = optional(bool, false)<br>      free_space_less_than_percent = optional(number, 10)<br>      io_above_percent             = optional(number, 90)<br>      io_enabled                   = optional(bool, false)<br>      io_over_period               = optional(string, "15m")<br>      rate_increase_percent        = optional(number, 10)<br>      rate_limit_mb_per_member     = optional(number, 3670016)<br>      rate_period_seconds          = optional(number, 900)<br>      rate_units                   = optional(string, "mb")<br>    })<br>    memory = object({<br>      io_above_percent         = optional(number, 90)<br>      io_enabled               = optional(bool, false)<br>      io_over_period           = optional(string, "15m")<br>      rate_increase_percent    = optional(number, 10)<br>      rate_limit_mb_per_member = optional(number, 114688)<br>      rate_period_seconds      = optional(number, 900)<br>      rate_units               = optional(string, "mb")<br>    })<br>  })</pre> | `null` | no |
 | <a name="input_backup_crn"></a> [backup\_crn](#input\_backup\_crn) | The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty. | `string` | `null` | no |
-| <a name="input_backup_encryption_key_crn"></a> [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The CRN of a Key Protect key, that you want to use for encrypting disk that holds deployment backups. Only used if var.kms\_encryption\_enabled is set to true. If no value passed, the value passed for the 'kms\_key\_crn' variable will be used. BYOK for backups is available only in US regions us-south and us-east, and eu-de. Only keys in the us-south and eu-de are durable to region failures. To ensure that your backups are available even if a region failure occurs, you must use a key from us-south or eu-de. Take note that Hyper Protect Crypto Services for IBM Cloud® Databases backups is not currently supported, so if no value is passed here, but a HPCS value is passed for var.kms\_key\_crn, databases backup encryption will use the default encryption keys. | `string` | `null` | no |
+| <a name="input_backup_encryption_key_crn"></a> [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The CRN of a Key Protect key that you want to use for encrypting the disk that holds deployment backups. Only used if var.kms\_encryption\_enabled is set to true. BYOK for backups is available only in US regions us-south and us-east, and in eu-de. Only keys in the us-south and eu-de are durable to region failures. To ensure that your backups are available even if a region failure occurs, use a key from us-south or eu-de. Hyper Protect Crypto Services for IBM Cloud Databases backups is not currently supported. If no value is passed here, the value passed for the 'kms\_key\_crn' variable is used. And if a HPCS value is passed for var.kms\_key\_crn, the database backup encryption uses the default encryption keys. | `string` | `null` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br>    description = string<br>    account_id  = string<br>    rule_contexts = list(object({<br>      attributes = optional(list(object({<br>        name  = string<br>        value = string<br>    }))) }))<br>    enforcement_mode = string<br>  }))</pre> | `[]` | no |
 | <a name="input_configuration"></a> [configuration](#input\_configuration) | Database configuration | <pre>object({<br>    max_connections            = optional(number)<br>    max_prepared_transactions  = optional(number)<br>    deadlock_timeout           = optional(number)<br>    effective_io_concurrency   = optional(number)<br>    max_replication_slots      = optional(number)<br>    max_wal_senders            = optional(number)<br>    shared_buffers             = optional(number)<br>    synchronous_commit         = optional(string)<br>    wal_level                  = optional(string)<br>    archive_timeout            = optional(number)<br>    log_min_duration_statement = optional(number)<br>  })</pre> | `null` | no |
-| <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect or Key Protect instance in which the key specified in var.kms\_key\_crn and var.backup\_encryption\_key\_crn is coming from. Only required if var.kms\_encryption\_enabled is 'true', var.skip\_iam\_authorization\_policy is 'false', and passing a value for var.kms\_key\_crn and/or var.backup\_encryption\_key\_crn. | `string` | `null` | no |
+| <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms\_key\_crn and var.backup\_encryption\_key\_crn is coming from. Required only if var.kms\_encryption\_enabled is set to true, var.skip\_iam\_authorization\_policy is set to false, and you pass a value for var.kms\_key\_crn, var.backup\_encryption\_key\_crn, or both. | `string` | `null` | no |
 | <a name="input_kms_encryption_enabled"></a> [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud® Databases. If set to false, the data is encrypted by using randomly generated keys. For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs | `bool` | `false` | no |
-| <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Services like Key Protect or Hyper Protect Crypto Service (HPCS) that you want to use for disk encryption. Only used if var.kms\_encryption\_enabled is set to true. | `string` | `null` | no |
-| <a name="input_member_cpu_count"></a> [member\_cpu\_count](#input\_member\_cpu\_count) | Allocated dedicated CPU per-member. For shared CPU, set to 0. See the following doc for supported values: https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-resources-scaling | `number` | `0` | no |
-| <a name="input_member_disk_mb"></a> [member\_disk\_mb](#input\_member\_disk\_mb) | Allocated disk per-member. See the following doc for supported values: https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-resources-scaling | `number` | `5120` | no |
+| <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Services like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for disk encryption. Only used if var.kms\_encryption\_enabled is set to true. | `string` | `null` | no |
+| <a name="input_member_cpu_count"></a> [member\_cpu\_count](#input\_member\_cpu\_count) | Allocated dedicated CPU per member. For shared CPU, set to 0. For more information, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-resources-scaling | `number` | `0` | no |
+| <a name="input_member_disk_mb"></a> [member\_disk\_mb](#input\_member\_disk\_mb) | Allocated disk per member. For more information, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-resources-scaling | `number` | `5120` | no |
 | <a name="input_member_memory_mb"></a> [member\_memory\_mb](#input\_member\_memory\_mb) | Allocated memory per-member. See the following doc for supported values: https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-resources-scaling | `number` | `1024` | no |
 | <a name="input_members"></a> [members](#input\_members) | Allocated number of members. Members can be scaled up but not down. | `number` | `2` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name to give the Postgresql instance. | `string` | n/a | yes |
-| <a name="input_pg_version"></a> [pg\_version](#input\_pg\_version) | Version of the PostgreSQL instance to provision. | `string` | `null` | no |
+| <a name="input_pg_version"></a> [pg\_version](#input\_pg\_version) | Version of the PostgreSQL instance to provision. If no value is passed, the current preferred version of IBM Cloud Databases is used. | `string` | `null` | no |
 | <a name="input_pitr_id"></a> [pitr\_id](#input\_pitr\_id) | (Optional) The ID of the source deployment PostgreSQL instance that you want to recover back to. The PostgreSQL instance is expected to be in an up and in running state. | `string` | `null` | no |
 | <a name="input_pitr_time"></a> [pitr\_time](#input\_pitr\_time) | (Optional) The timestamp in UTC format (%Y-%m-%dT%H:%M:%SZ) that you want to restore to. To retrieve the timestamp, run the command (ibmcloud cdb postgresql earliest-pitr-timestamp <deployment name or CRN>). For more info on Point-in-time Recovery, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-pitr | `string` | `null` | no |
 | <a name="input_plan_validation"></a> [plan\_validation](#input\_plan\_validation) | Enable or disable validating the database parameters for PostgreSQL during the plan phase. | `bool` | `true` | no |
@@ -94,7 +93,7 @@ You need the following permissions to run this module.
 | <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | Optional list of tags to be added to the PostgreSQL instance and the associated service credentials (if creating). | `list(string)` | `[]` | no |
 | <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | Map of name, role for service credentials that you want to create for the database | `map(string)` | `{}` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'. | `string` | `"private"` | no |
-| <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all PostgreSQL database instances in the given resource group to read the encryption key from the Hyper Protect or Key Protect instance passed in var.existing\_kms\_instance\_guid. If set to 'false', a value must be passed for var.existing\_kms\_instance\_guid. No policy is created if var.kms\_encryption\_enabled is set to 'false'. | `bool` | `false` | no |
+| <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all PostgreSQL database instances in the resource group to read the encryption key from the Hyper Protect Crypto Services (HPCS) instance. If set to false, pass in a value for the HPCS instance in the  var.existing\_kms\_instance\_guid variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no |
 
 ## Outputs
 

common-dev-assets

@@ -17,7 +17,7 @@ variable "prefix" {
 }
 
 variable "pg_version" {
-  description = "Version of the postgresql instance"
+  description = "Version of the postgresql instance. If no value passed, the current ICD preferred version is used."
   type        = string
   default     = null
 }

examples/backup/variables.tf

@@ -17,7 +17,7 @@ variable "prefix" {
 }
 
 variable "pg_version" {
-  description = "Version of the postgresql instance"
+  description = "Version of the postgresql instance. If no value passed, the current ICD preferred version is used."
   type        = string
   default     = null
 }

examples/basic/variables.tf

@@ -1,10 +1,11 @@
-# Complete example with BYOK encryption, autoscaling, CBR rules, VPE creation, and read-only replica provisioning
+# Complete example with BYOK encryption, autoscaling, CBR rules and VPE creation
 
 An end-to-end example that does the following:
 
 - Create a new resource group if one is not passed in.
 - Create Key Protect instance with root key.
 - Create a new ICD PostgreSQL database instance with auto-scaling and BYOK encryption enabled.
+- Create service credentials for the database instance.
 - Create a Virtual Private Cloud (VPC).
 - Create Context Based Restriction (CBR) to only allow Postgresql to be accessible from the VPC.
 - Create a security group and a VPE for the PostgreSQL instance.

examples/complete/README.md

@@ -71,7 +71,6 @@ module "postgresql_db" {
   resource_group_id          = module.resource_group.resource_group_id
   name                       = "${var.prefix}-postgres"
   region                     = var.region
-  service_endpoints          = "private"
   pg_version                 = var.pg_version
   kms_encryption_enabled     = true
   kms_key_crn                = module.key_protect_all_inclusive.keys["icd-pg.${var.prefix}-pg"].crn
@@ -133,6 +132,7 @@ resource "ibm_is_virtual_endpoint_gateway" "pgvpe" {
   ]
 }
 
+# wait 30 secs after security group is destroyed before destroying VPE to workaround race condition
 resource "time_sleep" "wait_30_seconds" {
   depends_on       = [ibm_is_security_group.sg1]
   destroy_duration = "30s"

examples/complete/main.tf

@@ -29,7 +29,7 @@ variable "resource_tags" {
 }
 
 variable "pg_version" {
-  description = "Version of the postgresql instance"
+  description = "Version of the PostgreSQL instance. If no value is passed, the current preferred version of IBM Cloud Databases is used."
   type        = string
   default     = null
 }
@@ -38,9 +38,10 @@ variable "service_credential_names" {
   description = "Map of name, role for service credentials that you want to create for the database"
   type        = map(string)
   default = {
-    "postgressql_credential_microservices" : "Administrator",
-    "postgressql_credential_dev_1" : "Administrator",
-    "postgressql_credential_dev_2" : "Administrator"
+    "postgressql_admin" : "Administrator",
+    "postgressql_operator" : "Operator",
+    "postgressql_viewer" : "Viewer",
+    "postgressql_editor" : "Editor",
   }
 }
 
@@ -85,42 +86,3 @@ variable "auto_scaling" {
     }
   }
 }
-
-variable "replica_member_memory_mb" {
-  type        = number
-  description = "Memory allocation required for postgresql read-only replica database"
-  default     = "3072"
-  validation {
-    condition = alltrue([
-      var.replica_member_memory_mb >= 3072,
-      var.replica_member_memory_mb <= 114688
-    ])
-    error_message = "member group memory must be >= 3072 and <= 114688 in increments of 384"
-  }
-}
-
-variable "replica_member_disk_mb" {
-  type        = number
-  description = "Disk allocation required for postgresql read-only replica database"
-  default     = "15360"
-  validation {
-    condition = alltrue([
-      var.replica_member_disk_mb >= 15360,
-      var.replica_member_disk_mb <= 4194304
-    ])
-    error_message = "member group disk must be >= 15360 and <= 4194304 in increments of 1536"
-  }
-}
-
-variable "replica_member_cpu_count" {
-  type        = number
-  description = "CPU allocation required for the postgresql read-only replica database"
-  default     = "9"
-  validation {
-    condition = alltrue([
-      var.replica_member_cpu_count >= 9,
-      var.replica_member_cpu_count <= 28
-    ])
-    error_message = "member group cpu must be >= 9 and <= 28 in increments of 1"
-  }
-}

examples/complete/variables.tf

@@ -5,14 +5,14 @@ An end-to-end example that uses the [Profile for IBM Cloud Framework for Financi
 The example uses the IBM Cloud Terraform provider to create the following infrastructure:
 
 - A resource group, if one is not passed in.
-- An IAM authorization between the PostgreSQL database resource group and the Hyper Protect Crypto Services permanent instance.
-- An IBM Cloud Databases PostgreSQL database instance and credentials that are encrypted with the Hyper Protect Crypto Services resources that are passed in.
+- An IAM authorization between all PostgreSQL database instances in the given resource group, and the Hyper Protect Crypto Services instance that is passed in.
+- An IBM Cloud Databases PostgreSQL database instance that is encrypted with the Hyper Protect Crypto Services root key that is passed in.
+- Service Credentials for the PostgreSQL database instance.
 - A sample virtual private cloud (VPC).
-- A context-based restriction (CBR) rule to prevent access from the VPC except to the PostgreSQL database.
+- A context-based restriction (CBR) rule to only allow PostgreSQL to be accessible from within the VPC.
 
 :exclamation: **Important:** In this example, only the IBM Cloud Databases for PostgreSQL instance complies with the IBM Cloud Framework for Financial Services. Other parts of the infrastructure do not necessarily comply.
 
 ## Before you begin
 
-- You need Hyper Protect Crypto Service instances available in the two regions that you want to deploy your PostgreSQL database instance.
-- You must deploy into an account that complies with the framework.
+- You need a Hyper Protect Crypto Services instance and root key available in the region that you want to deploy your PostgreSQL database instance to.

examples/fscloud/README.md

@@ -60,6 +60,7 @@ module "postgresql_db" {
   kms_key_crn                = var.kms_key_crn
   existing_kms_instance_guid = var.existing_kms_instance_guid
   resource_tags              = var.resource_tags
+  service_credential_names   = var.service_credential_names
   cbr_rules = [
     {
       description      = "${var.prefix}-postgres access only from vpc"