terraform-ibm-modules / terraform-ibm-cbr
This module can be used to provision and configure Context Based Restrictions.
License: Apache License 2.0
CBR has recently started supporting the existing serviceRef with regions, which is currently being omitted here:
terraform-ibm-cbr/modules/fscloud/main.tf
Line 125 in c6032c9
As per this API (List available service reference targets) response, compliance and containers-kubernetes now also support regionality.
Need to update these serviceRef entries in the location condition. Total CBR serviceRef values NOT supporting locations: 4, namely ["directlink","globalcatalog-collection","iam-groups","user-management"].
It would be desirable to create 2 different rules for containers-kubernetes, as typically different sources will be calling them: one for api-type:cluster, and another one for api-type:management.
A couple of issues with this example:
By submitting this issue, you agree to follow our Code of Conduct
Need to add rules for the newly added services, that is, logdna and logdnaat.
Context: CBR APIs / provider (not visible in UI) support creating network zone scoped to a given region.
What: This ticket covers support to add the region as input to the root and cbr-service-profile submodule.
Add some logic to allow the consumer to indicate how to skip creation of some rules. Currently the module creates rules for all services in #267.
Example: https://github.com/terraform-ibm-modules/terraform-ibm-cbr/tree/main/profiles/fscloud - the terraform-docs output in this markdown file is no longer generated.
Note:
is used in this version in order to force generation using the terraform-docs command line. This is a workaround for the issue, rather than the cause.
A location variable is to be set for each service, and there now might be the case where this location value is not supported for every service. Total locations supported for each ServiceRef: {
"apprapp": 12,
"cloud-object-storage": 32,
"cloudantnosqldb": 33,
"codeengine": 25,
"compliance": 17,
"containers-kubernetes": 25,
"databases-for-cassandra": 27,
"databases-for-elasticsearch": 27,
"databases-for-enterprisedb": 27,
"databases-for-etcd": 27,
"databases-for-mongodb": 27,
"databases-for-mysql": 27,
"databases-for-postgresql": 27,
"databases-for-redis": 27,
"event-notifications": 16,
"is": 24,
"logdna": 27,
"logdnaat": 27,
"messagehub": 25,
"messages-for-rabbitmq": 27,
"schematics": 12,
"secrets-manager": 25,
"server-protect": 24,
"sysdig-monitor": 25,
"sysdig-secure": 25,
"toolchain": 25
}
If multiple contexts, resources or operations are provided they should all be added to the rule
If multiple contexts, resources or operations are provided only the first value is added to the rule
terraform apply
More services now support CBR, so the lists here no longer contain the full list of services supporting CBRs as a rule or as a zone.
Add rule for Activity Tracker route -> COS, as the logdnaat service now supports CBR.
Feedback from one consumer. Currently flexibility is on the prefix only.
This should be an optional name in the inputs of the module per zone and rule; the current support with a prefix should remain as well.
By default, this should apply to all endpoints, not only the private one.
The current configuration would result in public access not being subject to the CBR rule. (Update: there is an implicit deny all by default on the endpoints that do not have any zone assigned when another endpoint is assigned a zone. The exception today is with the ICD service, but this was confirmed as a bug.)
Add this statement in the documentation.
This should no longer be needed to force the implicit deny all on an interface. All Cloud services now have this implicit deny.
This context is also being flagged up by SCC in recent release, creating some noise in audit reports.
2 related aspects in this ticket:
Context:
HPCS now supports CBRs, so support should be added.
In the fscloud module, there should be an extra variable kms allowing the consumer to specify whether to add pre-wired rules for hpcs, key protect or both. This approach reduces the number of extra boolean variables.
Currently:
"cloud-object-storage" : [{
  endpointType : "direct",
  networkZoneIds : flatten([
    var.allow_vpcs_to_cos ? [local.cbr_zone_vpcs.zone_id] : [],
    var.allow_at_to_cos ? [local.logdnaat_cbr_zone_id] : [],
    var.allow_is_to_cos ? [local.is_cbr_zone_id] : []
  ])
}]
However, AT and IS would access COS through the private endpoint, so there should be an update to use the private endpoint for AT and IS; direct should only be for VPC.
Needed to enable the IKS stack to create things like VPC load balancers.
Add pre-wired rules to enable ICD databases to talk to KMS. Put it under one single variable allow_icd_to_kms
Based on early consumer inputs on the cbr-service-profile, it would be desirable to create one zone per service, as opposed to grouping multiple services in one zone.
Concretely, taking the existing example at
- this results in creating one service zone with "directlink" and "is" as service sources. Instead, the desire is to create 2 CBR zones: one zone with is, and one zone with directlink.
Update the list of services supporting CBRs as a rule or as a zone.
Newly added services supporting CBR- logdna and logdnaat.
Error in logs:
Failed to write Flow Log file for the past 24 hours. Dropping flow log for Virtual Server ...
Flow logs write to COS. Suggest trying to add the is -> cos flow in the rule and see if it is reproducible.
Need to add zone id validation for both existing_serviceref_zone and existing_cbr_zone_vpcs.
Add a submodule (under the fscloud directory, to follow the conventions created in other modules) that utilizes the submodule https://github.com/terraform-ibm-modules/terraform-ibm-cbr/tree/main/cbr-service-profile to create pre-defined CBR rules needed by the services specified in the FsCloud architecture patterns:
COS -> KMS
Block storage -> KMS
ROKS -> KMS
Activity Tracker route -> COS
VPCs -> container registry
VPCs -> where clusters are deployed -> COS
COS leverages the "direct" endpoint for requests coming from VPC, as opposed to the private one.
https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-endpoints