feat: create service credentials, remove the CBR rule and set kms_encryption_enabled to true for fscloud module #312

Merged
merged 15 commits into from
Oct 25, 2024
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -123,6 +123,7 @@ You need the following permissions to run this module.
| [ibm_event_streams_topic.es_topic](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/event_streams_topic) | resource |
| [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
| [ibm_resource_instance.es_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
| [ibm_resource_key.service_credentials](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) | resource |
| [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |

### Inputs
Expand All @@ -140,6 +141,7 @@ You need the following permissions to run this module.
| <a name="input_region"></a> [region](#input\_region) | The region where the Event Streams are created. | `string` | `"us-south"` | no |
| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance is created. | `string` | n/a | yes |
| <a name="input_schemas"></a> [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. | <pre>list(object(<br/> {<br/> schema_id = string<br/> schema = object({<br/> type = string<br/> name = string<br/> fields = optional(list(object({<br/> name = string<br/> type = string<br/> })))<br/> })<br/> }<br/> ))</pre> | `[]` | no |
| <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event streams. | `map(string)` | `{}` | no |
| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The type of service endpoints. Possible values: 'public', 'private', 'public-and-private'. | `string` | `"public"` | no |
| <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Event Streams database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing\_kms\_instance\_guid variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no |
| <a name="input_storage_size"></a> [storage\_size](#input\_storage\_size) | Storage size of the Event Streams in GB. Applies only to Enterprise plan instances. Possible values: `2048`, `4096`, `6144`, `8192`, `10240`, `12288`. Storage capacity cannot be reduced after the instance is created. When the `throughput` input variable is set to `300`, storage size starts at 4096. When `throughput` is `450`, storage size starts starts at `6144`. | `number` | `"2048"` | no |
Expand All @@ -158,6 +160,8 @@ You need the following permissions to run this module.
| <a name="output_kafka_broker_version"></a> [kafka\_broker\_version](#output\_kafka\_broker\_version) | The Kafka version |
| <a name="output_kafka_brokers_sasl"></a> [kafka\_brokers\_sasl](#output\_kafka\_brokers\_sasl) | (Array of Strings) Kafka brokers use for interacting with Kafka native API |
| <a name="output_kafka_http_url"></a> [kafka\_http\_url](#output\_kafka\_http\_url) | The API endpoint to interact with Event Streams REST API |
| <a name="output_service_credentials_json"></a> [service\_credentials\_json](#output\_service\_credentials\_json) | The service credentials JSON map. |
| <a name="output_service_credentials_object"></a> [service\_credentials\_object](#output\_service\_credentials\_object) | The service credentials object. |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
<!-- BEGIN CONTRIBUTING HOOK -->

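Review bot: the two new output rows at the end of the outputs table say nothing about sensitivity, even though outputs.tf marks both `service_credentials_json` and `service_credentials_object` as `sensitive = true`. Since this table is generated from the output descriptions, extend those descriptions (e.g. "The service credentials JSON map. Marked sensitive; the values are still stored in plaintext in Terraform state.") so the README warns readers that the credentials end up in state and the state backend must be protected accordingly.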
1 change: 0 additions & 1 deletion examples/complete/README.md
Expand Up @@ -7,4 +7,3 @@ This example uses the IBM Cloud Terraform provider to create the following infra
- A new resource group, if one is not passed in.
- A sample virtual private cloud (VPC).
- A instance of Event Streams in the provided resource group and region. You can identify topics and schemas to apply to the instance.
- A context-based restriction rule to allow Event Streams to be accessible only from within the VPC.
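Review bot: dropping the CBR bullet is consistent with the examples/complete/main.tf hunk that removes the VPC, subnet and CBR zone, but the remaining bullet "A sample virtual private cloud (VPC)." is now wrong, because this PR also deletes the `ibm_is_vpc` and `ibm_is_subnet` resources from the example; remove that bullet too. While touching this list, "A instance of Event Streams" should read "An instance of Event Streams".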
62 changes: 5 additions & 57 deletions examples/complete/main.tf
Expand Up @@ -10,45 +10,6 @@ module "resource_group" {
existing_resource_group_name = var.resource_group
}

##############################################################################
# Get Cloud Account ID
##############################################################################

data "ibm_iam_account_settings" "iam_account_settings" {
}

##############################################################################
# VPC
##############################################################################
resource "ibm_is_vpc" "example_vpc" {
name = "${var.prefix}-vpc"
resource_group = module.resource_group.resource_group_id
tags = var.resource_tags
}

resource "ibm_is_subnet" "testacc_subnet" {
name = "${var.prefix}-subnet"
vpc = ibm_is_vpc.example_vpc.id
zone = "${var.region}-1"
total_ipv4_address_count = 256
resource_group = module.resource_group.resource_group_id
}

##############################################################################
# Create CBR Zone
##############################################################################
module "cbr_zone" {
source = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
version = "1.27.0"
name = "${var.prefix}-VPC-network-zone"
zone_description = "CBR Network zone representing VPC"
account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
addresses = [{
type = "vpc", # to bind a specific vpc to the zone
value = ibm_is_vpc.example_vpc.crn,
}]
}

##############################################################################
# Events-streams-instance
##############################################################################
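Review bot: removing `data "ibm_iam_account_settings"`, the VPC, the subnet and the `cbr_zone` module means the "complete" example no longer exercises `cbr_rules` at all, so the only remaining coverage of the module's network-restriction path is the fscloud example, which still passes `cbr_rules` (see examples/fscloud/main.tf). That is a reasonable split, but the examples/complete README should say so explicitly, and the PR description should state that the CBR rule is intentionally dropped from this example rather than moved.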
Expand All @@ -60,22 +21,9 @@ module "event_streams" {
schemas = var.schemas
tags = var.resource_tags
topics = var.topics
cbr_rules = [
{
description = "${var.prefix}-event stream access only from vpc"
enforcement_mode = "enabled"
account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
rule_contexts = [{
attributes = [
{
"name" : "endpointType",
"value" : "private"
},
{
name = "networkZoneId"
value = module.cbr_zone.zone_id
}]
}]
}
]
service_credential_names = {
"es_writer" : "Writer",
"es_reader" : "Reader",
"es_manager" : "Manager"
}
}
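Review bot: the new `service_credential_names` block creates a `Manager` credential alongside `Reader` and `Writer`; `Manager` is the most privileged of the three roles that variables.tf accepts, and examples tend to get copied verbatim, so either drop `es_manager` from the example or add a comment saying it is included only to demonstrate all three roles and that consumers should provision the least-privileged role their client needs (Reader for consumers, Writer for producers). Also note in a comment that every credential created here is written to Terraform state, since the example's outputs.tf only hides the values from plan/apply output.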
12 changes: 12 additions & 0 deletions examples/complete/outputs.tf
Expand Up @@ -35,3 +35,15 @@ output "kafka_broker_version" {
description = "The Kafka version"
value = module.event_streams.kafka_broker_version
}

output "service_credentials_json" {
description = "Service credentials json map"
value = module.event_streams.service_credentials_json
sensitive = true
}

output "service_credentials_object" {
description = "Service credentials object"
value = module.event_streams.service_credentials_object
sensitive = true
}
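Review bot: `sensitive = true` on `service_credentials_json` and `service_credentials_object` suppresses the values in plan/apply output but does not encrypt them; they remain in plaintext in the state file, so the descriptions should say so. The descriptions "Service credentials json map" / "Service credentials object" also differ from the root module's "The service credentials JSON map." / "The service credentials object."; align them so the generated docs read consistently.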
5 changes: 5 additions & 0 deletions examples/fscloud/main.tf
Expand Up @@ -62,6 +62,11 @@ module "event_streams" {
tags = var.resource_tags
topics = var.topics
existing_kms_instance_guid = var.existing_kms_instance_guid
service_credential_names = {
"es_writer" : "Writer",
"es_reader" : "Reader",
"es_manager" : "Manager"
}
cbr_rules = [
{
description = "${var.prefix}-event stream access only from vpc"
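Review bot: creating a `Manager` credential in the fscloud example is a stronger signal than in examples/complete, because this example is presented as the financial-services-compliant pattern and the wrapper module now forces `kms_encryption_enabled = true` and `service_endpoints = "private"` precisely to minimise exposure; limit this example to `Reader` and `Writer`, or comment why a `Manager` key is required here. Passing `existing_kms_instance_guid` on the line above is correct now that KMS encryption is mandatory for the wrapper, since the root README states the authorization policy needs it.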
12 changes: 12 additions & 0 deletions examples/fscloud/outputs.tf
Expand Up @@ -31,3 +31,15 @@ output "kafka_http_url" {
description = "The API endpoint to interact with Event Streams REST API"
value = module.event_streams.kafka_http_url
}

output "service_credentials_json" {
description = "Service credentials json map"
value = module.event_streams.service_credentials_json
sensitive = true
}

output "service_credentials_object" {
description = "Service credentials object"
value = module.event_streams.service_credentials_object
sensitive = true
}
21 changes: 21 additions & 0 deletions main.tf
Expand Up @@ -123,3 +123,24 @@ module "cbr_rule" {
]
}]
}

resource "ibm_resource_key" "service_credentials" {
for_each = var.service_credential_names
name = each.key
role = each.value
resource_instance_id = ibm_resource_instance.es_instance.id
}

locals {
service_credentials_json = length(var.service_credential_names) > 0 ? {
for service_credential in ibm_resource_key.service_credentials :
service_credential["name"] => service_credential["credentials_json"]
} : null

service_credentials_object = length(var.service_credential_names) > 0 ? {
credentials = {
for service_credential in ibm_resource_key.service_credentials :
service_credential["name"] => service_credential["credentials"]
}
} : null
}
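Review bot: the `length(var.service_credential_names) > 0 ? { ... } : null` guards in both locals are unnecessary and make the output type vary between a map and `null`; a `for` expression over an empty `ibm_resource_key.service_credentials` already yields `{}`, which is far easier for callers to feed into `for_each` or `lookup` than `null`. Two further points on this hunk: the two outputs have different shapes (`service_credentials_json` is a flat map keyed by name, `service_credentials_object` wraps the same map under a `credentials` key), which should be either documented or made uniform; and because `name = each.key` ties the resource identity to the map key, renaming a key destroys and recreates that credential (new secret). That is a useful rotation handle, but it deserves a comment so nobody renames keys casually.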
3 changes: 3 additions & 0 deletions modules/fscloud/README.md
Expand Up @@ -33,6 +33,7 @@ No resources.
| <a name="input_region"></a> [region](#input\_region) | The region where the Event Streams are created. | `string` | `"us-south"` | no |
| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance is created. | `string` | n/a | yes |
| <a name="input_schemas"></a> [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. | <pre>list(object(<br/> {<br/> schema_id = string<br/> schema = object({<br/> type = string<br/> name = string<br/> fields = optional(list(object({<br/> name = string<br/> type = string<br/> })))<br/> })<br/> }<br/> ))</pre> | `[]` | no |
| <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event streams. | `map(string)` | `{}` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | The list of tags associated with the Event Steams instance. | `list(string)` | `[]` | no |
| <a name="input_topics"></a> [topics](#input\_topics) | The list of topics to apply to resources. Only one topic is allowed for Lite plan instances. | <pre>list(object(<br/> {<br/> name = string<br/> partitions = number<br/> config = object({})<br/> }<br/> ))</pre> | `[]` | no |

Expand All @@ -46,4 +47,6 @@ No resources.
| <a name="output_kafka_broker_version"></a> [kafka\_broker\_version](#output\_kafka\_broker\_version) | The Kafka version |
| <a name="output_kafka_brokers_sasl"></a> [kafka\_brokers\_sasl](#output\_kafka\_brokers\_sasl) | (Array of Strings) Kafka brokers use for interacting with Kafka native API |
| <a name="output_kafka_http_url"></a> [kafka\_http\_url](#output\_kafka\_http\_url) | The API endpoint to interact with Event Streams REST API |
| <a name="output_service_credentials_json"></a> [service\_credentials\_json](#output\_service\_credentials\_json) | Service credentials json map |
| <a name="output_service_credentials_object"></a> [service\_credentials\_object](#output\_service\_credentials\_object) | Service credentials object |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
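Review bot: the output descriptions in this table ("Service credentials json map", "Service credentials object") do not match the root README ("The service credentials JSON map.", "The service credentials object."); since both tables are generated by the pre-commit docs hook, fix the descriptions in modules/fscloud/outputs.tf rather than the table. The table also gives no hint that the outputs are sensitive or that the credentials are persisted in state.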
3 changes: 3 additions & 0 deletions modules/fscloud/main.tf
Expand Up @@ -11,4 +11,7 @@ module "event_streams" {
topics = var.topics
service_endpoints = "private"
cbr_rules = var.cbr_rules
service_credential_names = var.service_credential_names
kms_encryption_enabled = true

}
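Review bot: pinning `kms_encryption_enabled = true` is the right call for the FS Cloud wrapper, but nothing in the modules/fscloud/README.md hunks says the wrapper no longer lets callers disable encryption; add that to the README. Because the root `skip_iam_authorization_policy` description says a KMS instance GUID must be supplied when encryption is on, confirm the wrapper declares `existing_kms_instance_guid` as a required (no-default) variable so a caller cannot get a plan that fails only at apply time. Also remove the stray blank line before the closing brace (`terraform fmt` will not remove it but it is untidy).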
12 changes: 12 additions & 0 deletions modules/fscloud/outputs.tf
Expand Up @@ -31,3 +31,15 @@ output "kafka_broker_version" {
description = "The Kafka version"
value = module.event_streams.kafka_broker_version
}

output "service_credentials_json" {
description = "Service credentials json map"
value = module.event_streams.service_credentials_json
sensitive = true
}

output "service_credentials_object" {
description = "Service credentials object"
value = module.event_streams.service_credentials_object
sensitive = true
}
6 changes: 6 additions & 0 deletions modules/fscloud/variables.tf
Expand Up @@ -81,3 +81,9 @@ variable "cbr_rules" {
default = []
# Validation happens in the rule module
}

variable "service_credential_names" {
description = "The mapping of names and roles for service credentials that you want to create for the Event streams."
type = map(string)
default = {}
}
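Review bot: this copy of `service_credential_names` has no `validation` block, unlike the root variables.tf version that restricts roles to `Writer`, `Reader` and `Manager`; an invalid role still fails, but the error is reported against the nested module's variable rather than the one the fscloud caller set. Duplicate the validation here, and list the accepted roles in the description so the generated README shows them.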
12 changes: 12 additions & 0 deletions outputs.tf
Expand Up @@ -31,3 +31,15 @@ output "kafka_broker_version" {
description = "The Kafka version"
value = ibm_resource_instance.es_instance.extensions.kafka_broker_version
}

output "service_credentials_json" {
description = "The service credentials JSON map."
value = local.service_credentials_json
sensitive = true
}

output "service_credentials_object" {
description = "The service credentials object."
value = local.service_credentials_object
sensitive = true
}
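Review bot: `sensitive = true` is correct for both outputs, but the descriptions should state that the values are still written to Terraform state in plaintext, since readers routinely misread `sensitive` as encryption. Consider also whether exposing both `credentials_json` (a raw JSON string) and `credentials` (the parsed object) is needed; each copy is another place the same API key is surfaced to callers.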
28 changes: 28 additions & 0 deletions solutions/quickstart/DA-types.md
@@ -0,0 +1,28 @@
# Configuring complex inputs in Event Streams

Several optional input variables in the IBM Cloud [Event Streams deployable architecture](https://cloud.ibm.com/catalog/7df1e4ca-d54c-4fd0-82ce-3d13247308cd/architecture/deploy-arch-ibm-event-streams-8272d54f-b54f-46a6-8dd6-772c6db82e87) use complex object types. You specify these inputs when you configure you deployable architecture.

- [Service credentials](#svc-credential-name) (`service_credential_names`)

## Service credentials <a name="svc-credential-name"></a>

You can specify a set of IAM credentials to connect to the instance with the `service_credential_names` input variable. Include a credential name and IAM service role for each key-value pair. Each role provides a specific level of access to the instance. For more information, see [Adding and viewing credentials](https://cloud.ibm.com/docs/account?topic=account-service_credentials&interface=ui).

- Variable name: `service_credential_names`.
- Type: A map. The key is the name of the service credential. The value is the role that is assigned to that credential.
- Default value: An empty map (`{}`).

### Options for service_credential_names

- Key (required): The name of the service credential.
- Value (required): The IAM service role that is assigned to the credential. The following values are valid for service credential roles: 'Manager', 'Writer', 'Reader'. For more information, see [IBM Cloud IAM roles](https://cloud.ibm.com/docs/account?topic=account-userroles).

### Example service credentials

```hcl
{
"es_writer" : "Writer",
"es_reader" : "Reader",
"es_manager" : "Manager"
}
```
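Review bot: typo in the intro paragraph, "when you configure you deployable architecture" should read "your deployable architecture". In the "Options for service_credential_names" section, the three roles are listed but not ranked; add one sentence of guidance (use `Reader` for consumers, `Writer` for producers, and `Manager` only where topic or instance administration is required) so readers of the deployable architecture pick the least-privileged role, and note that the resulting credentials are stored in Terraform state. The example block ends with `"es_manager" : "Manager"`, which is fine for illustrating all three roles, but the text should say that is why it is there.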
15 changes: 8 additions & 7 deletions solutions/quickstart/main.tf
Expand Up @@ -12,11 +12,12 @@ module "resource_group" {
# Event Streams Instance
#######################################################################################################################
module "event_streams" {
source = "../../"
resource_group_id = module.resource_group.resource_group_id
es_name = var.prefix != null ? "${var.prefix}-${var.es_name}" : var.es_name
plan = var.plan
region = var.region
topics = var.topics
tags = var.resource_tags
source = "../../"
resource_group_id = module.resource_group.resource_group_id
es_name = var.prefix != null ? "${var.prefix}-${var.es_name}" : var.es_name
plan = var.plan
region = var.region
topics = var.topics
tags = var.resource_tags
service_credential_names = var.service_credential_names
}
12 changes: 12 additions & 0 deletions solutions/quickstart/outputs.tf
Expand Up @@ -35,3 +35,15 @@ output "kafka_broker_version" {
description = "The Kafka version"
value = module.event_streams.kafka_broker_version
}

output "service_credentials_json" {
description = "Service credentials json map"
value = module.event_streams.service_credentials_json
sensitive = true
}

output "service_credentials_object" {
description = "Service credentials object"
value = module.event_streams.service_credentials_object
sensitive = true
}
6 changes: 6 additions & 0 deletions solutions/quickstart/variables.tf
Expand Up @@ -61,3 +61,9 @@ variable "topics" {
description = "The list of topics to apply to resources. Only one topic is allowed for Lite plan instances. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/tree/main/solutions/quickstart/DA-schemas-topics-cbr.md)."
default = []
}

variable "service_credential_names" {
description = "The mapping of names and roles for service credentials that you want to create for the Event streams.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/tree/main/solutions/quickstart/DA-types.md#svc-credential-name)"
type = map(string)
default = {}
}
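Review bot: the description is missing a space before the link ("Event streams.[Learn more]") and, like the fscloud variable, this copy has no role validation; errors from a bad role will be reported against the root module's variable rather than the quickstart input the user actually set. Add the same `validation` block as in the root variables.tf, or at least list the valid roles in the description.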
11 changes: 11 additions & 0 deletions variables.tf
Expand Up @@ -174,3 +174,14 @@ variable "cbr_rules" {
default = []
# Validation happens in the rule module
}

variable "service_credential_names" {
description = "The mapping of names and roles for service credentials that you want to create for the Event streams."
type = map(string)
default = {}

validation {
condition = alltrue([for name, role in var.service_credential_names : contains(["Writer", "Reader", "Manager"], role)])
error_message = "The specified service credential role is not valid. The following values are valid for service credential roles: 'Writer', 'Reader', 'Manager'"
}
}
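Review bot: the `validation` block is the right safeguard, but the description above it is what the README tables are generated from and it currently does not mention the accepted roles; extend it to "... Valid roles: 'Writer', 'Reader', 'Manager'." and say that `Manager` is the privileged role. Also consider validating that keys are non-empty, since `name = each.key` in main.tf passes the map key straight through as the credential name.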