fscloud

Profile for IBM Cloud Framework for Financial Services

This code is a version of the parent root module that includes a default configuration that complies with the relevant controls from the IBM Cloud Framework for Financial Services. See the Example for IBM Cloud Framework for Financial Services for logic that uses this module. The profile assumes you are deploying into an account that is in compliance with the framework.

The default values in this profile were scanned by IBM Code Risk Analyzer (CRA) for compliance with the IBM Cloud Framework for Financial Services profile that is specified by the IBM Security and Compliance Center. The scan passed for all applicable rules with the following exceptions:

rule-8cbd597c-7471-42bd-9c88-36b2696456e9 - Check whether Cloud Object Storage network access is restricted to a specific IP range

The IBM Cloud Framework for Financial Services mandates the application of an inbound network-based allowlist in front of the IBM Cloud Object Storage instance. You can comply with this requirement with the bucket_cbr_rules and instance_cbr_rules variables in the module. Use these variables to create a narrow context-based restriction rule that is scoped to the IBM Cloud Storage instance. CRA does not support checking for context-based restrictions, so you can ignore the failing rule after you set the context-based restrictions.

Usage

provider "ibm" {
  ibmcloud_api_key = "XXXXXXXXXX"
  region           = "us-south"
}

module "cos_fscloud" {
  source                                = "terraform-ibm-modules/cos/ibm//modules/fscloud"
  version                               = "latest" # Replace "latest" with a release version to lock into a specific release
  resource_group_id                     = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
  cos_instance_name                     = "my-cos-instance"
  bucket_configs = [
    {
      bucket_name              = "services-bucket"
      kms_guid                 = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
      kms_key_crn              = "crn:v1:bluemix:public:kms:us-south:a/xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX:xxxxxx-XXXX-XXXX-XXXX-xxxxxx:key:xxxxxx-XXXX-XXXX-XXXX-xxxxxx"
      management_endpoint_type = "private"
      metrics_monitoring = {
        metrics_monitoring_crn = "crn:v1:bluemix:public:sysdig-monitor:us-south:a/xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX:xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX::"
      }
      region_location      = "us-south"
      cbr_rules = [{
        description      = "sample rule for buckets"
        enforcement_mode = "enabled"
        account_id       = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
        rule_contexts = [{
          attributes = [
            {
              "name" : "endpointType",
              "value" : "private"
            },
            {
              name  = "networkZoneId"
              value = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
            }
          ]
        }]
        operations = [{
          api_types = [{
            api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
          }]
        }]
      }]
    }
  ]
  instance_cbr_rules = [{
    description      = "sample rule for the instance"
    enforcement_mode = "enabled"
    account_id       = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
    rule_contexts = [{
      attributes = [
        {
          "name" : "endpointType",
          "value" : "private"
        },
        {
          name  = "networkZoneId"
          value = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
        }
      ]
    }]
    operations = [{
      api_types = [{
        api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
      }]
    }]
  }]
}

Requirements

Name	Version
terraform	>= 1.4.0
ibm	>= 1.70.0, <2.0.0

Modules

Name	Source	Version
buckets	../../modules/buckets	n/a
cos_instance	../../	n/a
instance_cbr_rules	terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module	1.29.0

Resources

No resources.

Inputs

Name	Description	Type	Default	Required
access_tags	A list of access tags to apply to the Object Storage instance created by the module. Learn more.	list(string)	[]	no
bucket_configs	Object Storage bucket configurations	list(object({ access_tags = optional(list(string), []) add_bucket_name_suffix = optional(bool, false) bucket_name = string kms_encryption_enabled = optional(bool, true) kms_guid = optional(string, null) kms_key_crn = string skip_iam_authorization_policy = optional(bool, false) management_endpoint_type = string cross_region_location = optional(string, null) storage_class = optional(string, "smart") region_location = optional(string, null) resource_instance_id = optional(string, null) force_delete = optional(bool, true) single_site_location = optional(string, null) hard_quota = optional(number, null) expire_filter_prefix = optional(string, null) archive_filter_prefix = optional(string, null) object_locking_enabled = optional(bool, false) object_lock_duration_days = optional(number, 0) object_lock_duration_years = optional(number, 0) activity_tracking = optional(object({ read_data_events = optional(bool, true) write_data_events = optional(bool, true) management_events = optional(bool, true) })) archive_rule = optional(object({ enable = optional(bool, false) days = optional(number, 20) type = optional(string, "Glacier") })) expire_rule = optional(object({ enable = optional(bool, false) days = optional(number, 365) })) metrics_monitoring = optional(object({ usage_metrics_enabled = optional(bool, true) request_metrics_enabled = optional(bool, true) metrics_monitoring_crn = optional(string, null) })) object_versioning = optional(object({ enable = optional(bool, false) })) retention_rule = optional(object({ default = optional(number, 90) maximum = optional(number, 350) minimum = optional(number, 90) permanent = optional(bool, false) })) cbr_rules = optional(list(object({ description = string account_id = string rule_contexts = list(object({ attributes = optional(list(object({ name = string value = string }))) })) enforcement_mode = string tags = optional(list(object({ name = string value = string })), []) operations = optional(list(object({ api_types = list(object({ api_type_id = string })) }))) })), []) }))	[]	no
cos_instance_name	The name to give the Object Storage instance provisioned by this module. Applies only if create_cos_instance is true.	string	null	no
cos_plan	The plan to use when Object Storage instances are created. Possible values: standard. Applies only if create_cos_instance is true.	string	"standard"	no
cos_tags	The list of tags to add to the Object Storage instance. Applies only if create_cos_instance is true.	list(string)	[]	no
create_cos_instance	Specify true to create an Object Storage instance.	bool	true	no
existing_cos_instance_id	The ID of an existing Object Storage instance. Required only if var.create_cos_instance is false.	string	null	no
instance_cbr_rules	The list of context-based restriction rules to create for the instance.	list(object({ description = string account_id = string rule_contexts = list(object({ attributes = optional(list(object({ name = string value = string }))) })) enforcement_mode = string tags = optional(list(object({ name = string value = string })), []) operations = optional(list(object({ api_types = list(object({ api_type_id = string })) }))) }))	[]	no
resource_group_id	The resource group ID where resources will be provisioned.	string	n/a	yes
resource_keys	The definition of any resource keys to generate.	list(object({ name = string generate_hmac_credentials = optional(bool, false) role = optional(string, "Reader") service_id_crn = string }))	[]	no

Outputs

Name	Description
bucket_cbr_rules	COS bucket rules
buckets	List of buckets created
cbr_rule_ids	List of all rule ids
cos_account_id	The account ID in which the Cloud Object Storage instance is created.
cos_instance_crn	COS instance crn
cos_instance_guid	COS instance guid
cos_instance_id	COS instance id
cos_instance_name	COS instance name
instance_cbr_rules	COS instance rules
resource_group_id	Resource Group ID
resource_keys	List of resource keys