feat: added fully-configurable & security-enforced DA variations (#641)

BREAKING CHANGE: No upgrade path from `standard` to the new `Fully configurable` and `Security-enforced` variations

Author: whoffler

.catalog-onboard-pipeline.yaml

@@ -6,9 +6,17 @@ offerings:
     catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd
     offering_id: 0298facd-3e69-43fa-87c0-4d3d0b3c887e
     variations:
-      - name: standard
+      - name: fully-configurable
         mark_ready: true
         install_type: fullstack
         scc:
           instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
           region: us-south
+          scope_resource_group_var_name: existing_resource_group_name
+      - name: security-enforced
+        mark_ready: true
+        install_type: fullstack
+        scc:
+          instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
+          region: us-south
+          scope_resource_group_var_name: existing_resource_group_name

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-07-25T15:38:43Z",
+  "generated_at": "2025-05-12T14:07:27Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -87,7 +87,7 @@
         "verified_result": null
       }
     ],
-    "solutions/standard/DA-types.md": [
+    "solutions/fully-configurable/DA-types.md": [
       {
         "hashed_secret": "44cdfc3615970ada14420caaaa5c5745fca06002",
         "is_secret": false,

README.md

@@ -65,7 +65,7 @@ To attach access management tags to resources in this module, you need the follo
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.79.2, <2.0.0 |
-| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9.1 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9.1, < 1.0.0 |
 
 ### Modules
 
@@ -83,7 +83,7 @@ To attach access management tags to resources in this module, you need the follo
 | [ibm_iam_authorization_policy.backup_kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_resource_key.service_credentials](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) | resource |
-| [ibm_resource_tag.postgresql_tag](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_tag) | resource |
+| [ibm_resource_tag.access_tag](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_tag) | resource |
 | [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [time_sleep.wait_for_backup_kms_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [ibm_database_connection.database_connection](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/database_connection) | data source |
@@ -100,16 +100,16 @@ To attach access management tags to resources in this module, you need the follo
 | <a name="input_backup_encryption_key_crn"></a> [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false and `use_same_kms_key_for_backups` is false. If no value is passed, and `use_same_kms_key_for_backups` is true, the value of `kms_key_crn` is used. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `string` | `null` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    tags = optional(list(object({<br/>      name  = string<br/>      value = string<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_configuration"></a> [configuration](#input\_configuration) | Database configuration parameters, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-changing-configuration&interface=api for more details. | <pre>object({<br/>    shared_buffers  = optional(number)<br/>    max_connections = optional(number)<br/>    # below field gives error when sent to provider<br/>    # tracking issue: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5403<br/>    # max_locks_per_transaction  = optional(number)<br/>    max_prepared_transactions  = optional(number)<br/>    synchronous_commit         = optional(string)<br/>    effective_io_concurrency   = optional(number)<br/>    deadlock_timeout           = optional(number)<br/>    log_connections            = optional(string)<br/>    log_disconnections         = optional(string)<br/>    log_min_duration_statement = optional(number)<br/>    tcp_keepalives_idle        = optional(number)<br/>    tcp_keepalives_interval    = optional(number)<br/>    tcp_keepalives_count       = optional(number)<br/>    archive_timeout            = optional(number)<br/>    wal_level                  = optional(string)<br/>    max_replication_slots      = optional(number)<br/>    max_wal_senders            = optional(number)<br/>  })</pre> | `null` | no |
+| <a name="input_cpu_count"></a> [cpu\_count](#input\_cpu\_count) | Allocated dedicated CPU per member. For shared CPU, set to 0. [Learn more](https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-resources-scaling) | `number` | `0` | no |
+| <a name="input_disk_mb"></a> [disk\_mb](#input\_disk\_mb) | Allocated disk per member. [Learn more](https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-resources-scaling) | `number` | `5120` | no |
 | <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `use_ibm_owned_encryption_key` is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the `use_same_kms_key_for_backups` and `backup_encryption_key_crn` inputs. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `string` | `null` | no |
-| <a name="input_member_cpu_count"></a> [member\_cpu\_count](#input\_member\_cpu\_count) | Allocated dedicated CPU per member. For shared CPU, set to 0. [Learn more](https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-resources-scaling). Ignored during restore and point in time recovery operations | `number` | `0` | no |
-| <a name="input_member_disk_mb"></a> [member\_disk\_mb](#input\_member\_disk\_mb) | Allocated disk per member. [Learn more](https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-resources-scaling). Ignored during restore and point in time recovery operations | `number` | `5120` | no |
-| <a name="input_member_host_flavor"></a> [member\_host\_flavor](#input\_member\_host\_flavor) | Allocated host flavor per member. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database#host_flavor). Ignored during restore and point in time recovery operations | `string` | `null` | no |
-| <a name="input_member_memory_mb"></a> [member\_memory\_mb](#input\_member\_memory\_mb) | Allocated memory per member. [Learn more](https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-resources-scaling). Ignored during restore and point in time recovery operations | `number` | `4096` | no |
+| <a name="input_member_host_flavor"></a> [member\_host\_flavor](#input\_member\_host\_flavor) | Allocated host flavor per member. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database#host_flavor). | `string` | `null` | no |
 | <a name="input_members"></a> [members](#input\_members) | Allocated number of members. Members can be scaled up but not down. | `number` | `2` | no |
+| <a name="input_memory_mb"></a> [memory\_mb](#input\_memory\_mb) | Allocated memory per member. [Learn more](https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-resources-scaling) | `number` | `4096` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name to give the Postgresql instance. | `string` | n/a | yes |
-| <a name="input_pg_version"></a> [pg\_version](#input\_pg\_version) | Version of the PostgreSQL instance. If no value is passed, the current preferred version of IBM Cloud Databases is used. | `string` | `null` | no |
 | <a name="input_pitr_id"></a> [pitr\_id](#input\_pitr\_id) | (Optional) The ID of the source deployment PostgreSQL instance that you want to recover back to. The PostgreSQL instance is expected to be in an up and in running state. | `string` | `null` | no |
 | <a name="input_pitr_time"></a> [pitr\_time](#input\_pitr\_time) | (Optional) The timestamp in UTC format (%Y-%m-%dT%H:%M:%SZ) for any time in the last 7 days that you want to restore to. If empty string ("") is passed, earliest\_point\_in\_time\_recovery\_time will be used as pitr\_time. To retrieve the timestamp, run the command (ibmcloud cdb postgresql earliest-pitr-timestamp <deployment name or CRN>). For more info on Point-in-time Recovery, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-pitr | `string` | `null` | no |
+| <a name="input_postgresql_version"></a> [postgresql\_version](#input\_postgresql\_version) | Version of the PostgreSQL instance. If no value is passed, the current preferred version of IBM Cloud Databases is used. | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region where you want to deploy your instance. | `string` | `"us-south"` | no |
 | <a name="input_remote_leader_crn"></a> [remote\_leader\_crn](#input\_remote\_leader\_crn) | A CRN of the leader database to make the replica(read-only) deployment. The leader database is created by a database deployment with the same service ID. A read-only replica is set up to replicate all of your data from the leader deployment to the replica deployment by using asynchronous replication. For more information, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-read-only-replicas | `string` | `null` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the PostgreSQL instance will be created. | `string` | n/a | yes |

cra-config.yaml

@@ -1,11 +1,12 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "solutions/standard"
-    CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json"
-    PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3"  # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile).
-    CRA_ENVIRONMENT_VARIABLES:
+  - CRA_TARGET: "solutions/fully-configurable" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
+    CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
+    PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3"         # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile).
+    CRA_ENVIRONMENT_VARIABLES:  # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
       TF_VAR_existing_kms_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533"
-      TF_VAR_prefix: "test-postgres-standard"
-      TF_VAR_resource_group_name: "test"
+      TF_VAR_existing_resource_group_name: "geretain-test-postgres"
+      TF_VAR_kms_encryption_enabled: true
       TF_VAR_provider_visibility: "public"
+      TF_VAR_prefix: "test"

examples/backup/main.tf

@@ -15,7 +15,7 @@ module "postgresql_db" {
   source             = "../.."
   resource_group_id  = module.resource_group.resource_group_id
   name               = "${var.prefix}-postgres"
-  pg_version         = var.pg_version
+  postgresql_version = var.pg_version
   region             = var.region
   tags               = var.resource_tags
   access_tags        = var.access_tags
@@ -35,7 +35,7 @@ module "restored_icd_postgresql" {
   # version           = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
   resource_group_id  = module.resource_group.resource_group_id
   name               = "${var.prefix}-postgres-restored"
-  pg_version         = var.pg_version
+  postgresql_version = var.pg_version
   region             = var.region
   tags               = var.resource_tags
   access_tags        = var.access_tags

examples/basic/main.tf

@@ -21,7 +21,7 @@ module "database" {
   # version           = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
   resource_group_id  = module.resource_group.resource_group_id
   name               = "${var.prefix}-data-store"
-  pg_version         = var.pg_version
+  postgresql_version = var.postgresql_version
   region             = var.region
   tags               = var.resource_tags
   access_tags        = var.access_tags
@@ -61,10 +61,10 @@ module "read_only_replica_postgresql_db" {
   region             = var.region
   tags               = var.resource_tags
   access_tags        = var.access_tags
-  pg_version         = var.pg_version
+  postgresql_version = var.postgresql_version
   remote_leader_crn  = module.database.crn
   member_host_flavor = "multitenant"
-  member_memory_mb   = 4096 # Must be an increment of 384 megabytes. The minimum size of a read-only replica is 2 GB RAM, new hosting model minimum is 4 GB RAM.
-  member_disk_mb     = 5120 # Must be an increment of 512 megabytes. The minimum size of a read-only replica is 5 GB of disk
+  memory_mb          = 4096 # Must be an increment of 384 megabytes. The minimum size of a read-only replica is 2 GB RAM, new hosting model minimum is 4 GB RAM.
+  disk_mb            = 5120 # Must be an increment of 512 megabytes. The minimum size of a read-only replica is 5 GB of disk
   depends_on         = [time_sleep.wait_time]
 }

examples/basic/variables.tf

@@ -14,7 +14,7 @@ variable "prefix" {
   description = "Prefix to append to all resources created by this example"
 }
 
-variable "pg_version" {
+variable "postgresql_version" {
   description = "Version of the postgresql instance. If no value passed, the current ICD preferred version is used."
   type        = string
   default     = null

examples/complete/main.tf

@@ -106,12 +106,12 @@ module "icd_postgresql" {
   # remove the above line and uncomment the below 2 lines to consume the module from the registry
   # source            = "terraform-ibm-modules/icd-postgresql/ibm"
   # version           = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
-  resource_group_id = module.resource_group.resource_group_id
-  name              = "${var.prefix}-postgres"
-  region            = var.region
-  pg_version        = var.pg_version
-  admin_pass        = var.admin_pass
-  users             = var.users
+  resource_group_id  = module.resource_group.resource_group_id
+  name               = "${var.prefix}-postgres"
+  region             = var.region
+  postgresql_version = var.pg_version
+  admin_pass         = var.admin_pass
+  users              = var.users
   # Example of how to use different KMS keys for data and backups
   use_ibm_owned_encryption_key = false
   use_same_kms_key_for_backups = false

examples/pitr/main.tf

@@ -21,12 +21,12 @@ module "postgresql_db_pitr" {
   region             = var.region
   tags               = var.resource_tags
   access_tags        = var.access_tags
-  member_memory_mb   = 4096
-  member_disk_mb     = 5120
-  member_cpu_count   = 0
+  memory_mb          = 4096
+  disk_mb            = 5120
+  cpu_count          = 0
   member_host_flavor = "multitenant"
   members            = var.members
-  pg_version         = var.pg_version
+  postgresql_version = var.pg_version
   pitr_id            = var.pitr_id
   pitr_time          = var.pitr_time
 }