feat: add fscloud profile and example

* feat: add fscloud profile and example

* fix: remove cbr rule tags

---------

Co-authored-by: shikha-mah <shikha.mah@in.ibm.com>

Author: maheshwarishikha

.github/workflows/ci.yml

@@ -16,6 +16,6 @@ jobs:
     uses: terraform-ibm-modules/common-pipeline-assets/.github/workflows/common-terraform-module-ci.yml@v1.7.3
     secrets: inherit
     with:
-      craTarget: "examples/complete"
+      craTarget: "examples/fscloud"
       craGoalIgnoreFile: "cra-tf-validate-ignore-goals.json"
       craEnvironmentVariables: "TF_VAR_existing_at_instance_crn=crn:v1:bluemix:public:logdnaat:eu-de:a/abac0df06b644a9cabc6e44f55b3880e:b1ef3365-dfbf-4d8f-8ac8-75f4f84d6f4a::"

README.md

@@ -39,6 +39,7 @@ You need the following permissions to run this module.
 - [ Autoscale example](examples/autoscale)
 - [ Complete example with byok encryption, CBR rules and storing credentials in secrets manager](examples/complete)
 - [ Default example](examples/default)
+- [ Financial Services Cloud profile example](examples/fscloud)
 <!-- END EXAMPLES HOOK -->
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
@@ -67,7 +68,7 @@ You need the following permissions to run this module.
 | <a name="input_allowlist"></a> [allowlist](#input\_allowlist) | Set of IP address and description to allowlist in database | <pre>list(object({<br>    address     = optional(string)<br>    description = optional(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_auto_scaling"></a> [auto\_scaling](#input\_auto\_scaling) | (Optional) Configure rules to allow your database to automatically increase its resources. Single block of autoscaling is allowed at once. | <pre>object({<br>    cpu = object({<br>      rate_increase_percent       = optional(number)<br>      rate_limit_count_per_member = optional(number)<br>      rate_period_seconds         = optional(number)<br>      rate_units                  = optional(string)<br>    })<br>    disk = object({<br>      capacity_enabled             = optional(bool)<br>      free_space_less_than_percent = optional(number)<br>      io_above_percent             = optional(number)<br>      io_enabled                   = optional(bool)<br>      io_over_period               = optional(string)<br>      rate_increase_percent        = optional(number)<br>      rate_limit_mb_per_member     = optional(number)<br>      rate_period_seconds          = optional(number)<br>      rate_units                   = optional(string)<br>    })<br>    memory = object({<br>      io_above_percent         = optional(number)<br>      io_enabled               = optional(bool)<br>      io_over_period           = optional(string)<br>      rate_increase_percent    = optional(number)<br>      rate_limit_mb_per_member = optional(number)<br>      rate_period_seconds      = optional(number)<br>      rate_units               = optional(string)<br>    })<br>  })</pre> | <pre>{<br>  "cpu": {},<br>  "disk": {},<br>  "memory": {}<br>}</pre> | no |
 | <a name="input_backup_encryption_key_crn"></a> [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | (Optional) The CRN of a key protect key, that you want to use for encrypting disk that holds deployment backups. If null, will use 'key\_protect\_key\_crn' as encryption key. If 'key\_protect\_key\_crn' is also null database is encrypted by using randomly generated keys. | `string` | `null` | no |
-| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create, if operations is not set it will default to api-type:data-plane | <pre>list(object({<br>    description = string<br>    account_id  = string<br>    rule_contexts = list(object({<br>      attributes = optional(list(object({<br>        name  = string<br>        value = string<br>    }))) }))<br>    enforcement_mode = string<br>    tags = optional(list(object({<br>      name  = string<br>      value = string<br>    })))<br>    operations = optional(list(object({<br>      api_types = list(object({<br>        api_type_id = string<br>      }))<br>    })))<br>  }))</pre> | `[]` | no |
+| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br>    description = string<br>    account_id  = string<br>    rule_contexts = list(object({<br>      attributes = optional(list(object({<br>        name  = string<br>        value = string<br>    }))) }))<br>    enforcement_mode = string<br>  }))</pre> | `[]` | no |
 | <a name="input_configuration"></a> [configuration](#input\_configuration) | (Optional, Json String) Database Configuration in JSON format. | <pre>object({<br>    max_connections            = optional(number)<br>    max_prepared_transactions  = optional(number)<br>    deadlock_timeout           = optional(number)<br>    effective_io_concurrency   = optional(number)<br>    max_replication_slots      = optional(number)<br>    max_wal_senders            = optional(number)<br>    shared_buffers             = optional(number)<br>    synchronous_commit         = optional(string)<br>    wal_level                  = optional(string)<br>    archive_timeout            = optional(number)<br>    log_min_duration_statement = optional(number)<br>  })</pre> | `null` | no |
 | <a name="input_key_protect_key_crn"></a> [key\_protect\_key\_crn](#input\_key\_protect\_key\_crn) | (Optional) The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Service (HPCS) that you want to use for disk encryption. If `null`, database is encrypted by using randomly generated keys. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok for current list of supported regions for BYOK | `string` | `null` | no |
 | <a name="input_member_cpu_count"></a> [member\_cpu\_count](#input\_member\_cpu\_count) | CPU allocation required for postgresql database | `string` | `"3"` | no |
@@ -86,7 +87,8 @@ You need the following permissions to run this module.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_id"></a> [id](#output\_id) | Postgresl instance id |
+| <a name="output_guid"></a> [guid](#output\_guid) | Postgresql instance guid |
+| <a name="output_id"></a> [id](#output\_id) | Postgresql instance id |
 | <a name="output_version"></a> [version](#output\_version) | Postgresql instance version |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 <!-- BEGIN CONTRIBUTING HOOK -->

examples/complete/main.tf

@@ -89,20 +89,9 @@ module "postgresql_db" {
   resource_tags       = var.resource_tags
   cbr_rules = [
     {
-      name             = var.pg_version == null ? "${var.prefix}-postgres-zone" : "${var.prefix}-${var.pg_version}-postgres-zone"
-      description      = "sample rule"
+      description      = "${var.prefix}-postgres access only from vpc"
       enforcement_mode = "enabled" #Postgresql does not support report mode
       account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
-      tags = [
-        {
-          name  = "environment"
-          value = "${var.prefix}-test"
-        },
-        {
-          name  = "terraform-rule"
-          value = "allow-${var.prefix}-vpc-to-${var.prefix}-postgresql"
-        }
-      ]
       rule_contexts = [{
         attributes = [
           {

examples/fscloud/README.md

@@ -0,0 +1,12 @@
+# Financial Services Cloud profile example
+
+## *Note:* This example is only deploying Postgresql in a compliant manner the other infrastructure is not necessarily compliant.
+
+An example using the fscloud profile to deploy a compliant Postgresql instance. This example uses the IBM Cloud terraform provider to:
+
+- Create a new resource group if one is not passed in.
+- Create a new ICD Postgresql database instance and credentials.
+- Create Key Protect instance with root key.
+- Backend encryption using generated Key Protect key.
+- Create a Sample VPC.
+- Create Context Based Restriction(CBR) to only allow Postgresql to be accessible from the VPC.

examples/fscloud/main.tf

@@ -0,0 +1,108 @@
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-resource-group.git?ref=v1.0.5"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##############################################################################
+# Key Protect All Inclusive
+##############################################################################
+
+module "key_protect_all_inclusive" {
+  providers = {
+    restapi = restapi.kp
+  }
+  source            = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-all-inclusive.git?ref=v3.1.1"
+  resource_group_id = module.resource_group.resource_group_id
+  # Note: Database instance and Key Protect must be created in the same region when using BYOK
+  # See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok
+  region                    = var.region
+  key_protect_instance_name = "${var.prefix}-kp"
+  resource_tags             = var.resource_tags
+  key_map                   = { "icd-pg" = ["${var.prefix}-pg"] }
+}
+
+# Create IAM Access Policy to allow Key protect to access Postgres instance
+resource "ibm_iam_authorization_policy" "policy" {
+  source_service_name         = "databases-for-postgresql"
+  source_resource_group_id    = module.resource_group.resource_group_id
+  target_service_name         = "kms"
+  target_resource_instance_id = module.key_protect_all_inclusive.key_protect_guid
+  roles                       = ["Reader"]
+}
+
+##############################################################################
+# Get Cloud Account ID
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+##############################################################################
+# VPC
+##############################################################################
+resource "ibm_is_vpc" "example_vpc" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+resource "ibm_is_subnet" "testacc_subnet" {
+  name                     = "${var.prefix}-subnet"
+  vpc                      = ibm_is_vpc.example_vpc.id
+  zone                     = "${var.region}-1"
+  total_ipv4_address_count = 256
+  resource_group           = module.resource_group.resource_group_id
+}
+
+##############################################################################
+# Create CBR Zone
+##############################################################################
+module "cbr_zone" {
+  source           = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-zone-module?ref=v1.1.2"
+  name             = "${var.prefix}-VPC-network-zone"
+  zone_description = "CBR Network zone representing VPC"
+  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  addresses = [{
+    type  = "vpc", # to bind a specific vpc to the zone
+    value = ibm_is_vpc.example_vpc.crn,
+  }]
+}
+
+##############################################################################
+# Postgres Instance
+##############################################################################
+
+module "postgresql_db" {
+  source              = "../../profiles/fscloud"
+  resource_group_id   = module.resource_group.resource_group_id
+  name                = "${var.prefix}-postgres"
+  region              = var.region
+  pg_version          = var.pg_version
+  key_protect_key_crn = module.key_protect_all_inclusive.keys["icd-pg.${var.prefix}-pg"].crn
+  resource_tags       = var.resource_tags
+  allowlist           = var.allowlist
+  cbr_rules = [
+    {
+      description      = "${var.prefix}-postgres access only from vpc"
+      enforcement_mode = "enabled" #Postgresql does not support report mode
+      account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+      rule_contexts = [{
+        attributes = [
+          {
+            "name" : "endpointType",
+            "value" : "private"
+          },
+          {
+            name  = "networkZoneId"
+            value = module.cbr_zone.zone_id
+        }]
+      }]
+    }
+  ]
+}

examples/fscloud/outputs.tf

@@ -0,0 +1,17 @@
+##############################################################################
+# Outputs
+##############################################################################
+output "id" {
+  description = "Postgresql instance id"
+  value       = module.postgresql_db.id
+}
+
+output "guid" {
+  description = "Postgresql instance guid"
+  value       = module.postgresql_db.guid
+}
+
+output "version" {
+  description = "Postgresql instance version"
+  value       = module.postgresql_db.version
+}

examples/fscloud/provider.tf

@@ -0,0 +1,21 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}
+
+# used by the restapi provider to authenticate the API call based on API key
+data "ibm_iam_auth_token" "token_data" {
+}
+
+provider "restapi" {
+  uri                   = "https:"
+  alias                 = "kp"
+  write_returns_object  = false
+  create_returns_object = false
+  debug                 = false # set to true to show detailed logs, but use carefully as it might print sensitive values.
+  headers = {
+    Authorization    = data.ibm_iam_auth_token.token_data.iam_access_token
+    Bluemix-Instance = module.key_protect_all_inclusive.key_protect_guid
+    Content-Type     = "application/vnd.ibm.kms.policy+json"
+  }
+}

examples/fscloud/variables.tf

@@ -0,0 +1,44 @@
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API Key"
+  sensitive   = true
+}
+
+variable "region" {
+  type        = string
+  description = "Region to provision all resources created by this example."
+  default     = "us-south"
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix to append to all resources created by this example"
+  default     = "sm-test"
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
+}
+
+variable "pg_version" {
+  description = "Version of the postgresql instance"
+  type        = string
+  default     = null
+}
+
+variable "allowlist" {
+  type = list(object({
+    address     = optional(string)
+    description = optional(string)
+  }))
+  default     = []
+  description = "Set of IP address and description to allowlist in database"
+}

examples/fscloud/version.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    # Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = "1.49.0"
+    }
+    restapi = {
+      source  = "Mastercard/restapi"
+      version = ">=1.18.0"
+    }
+  }
+}

main.tf

@@ -107,23 +107,17 @@ module "cbr_rule" {
       },
       {
         name     = "serviceInstance"
-        value    = ibm_database.postgresql_db.id
+        value    = ibm_database.postgresql_db.guid
         operator = "stringEquals"
       },
       {
         name     = "serviceName"
         value    = "databases-for-postgresql"
         operator = "stringEquals"
       }
-    ],
-    tags = var.cbr_rules[count.index].tags != null ? var.cbr_rules[count.index].tags : [
-      {
-        name  = "terraform-rule"
-        value = "allow-postgresql"
-      }
     ]
   }]
-  operations = var.cbr_rules[count.index].operations != null ? var.cbr_rules[count.index].operations : [{
+  operations = [{
     api_types = [
       {
         api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:data-plane"