Encrypted Object Storage bucket module

All-in-one module that creates a Key Protect instance, a Cloud Object Storage (COS) instance, and an Object Storage bucket encrypted with a root key from Key Protect. Either instance can instead be an existing one: set `create_key_protect_instance` to false and pass `existing_kms_instance_crn` (Key Protect or Hyper Protect Crypto Services), or set `create_cos_instance` to false and pass `existing_cos_instance_id`. Unless `skip_iam_authorization_policy` is true, the module also creates the IAM authorization policy that lets the COS instance read the key; that policy must exist before an encrypted bucket can be created.

Usage

```hcl
# Creates:
# - a COS instance
# - a Key Protect instance
# - a COS bucket encrypted with a key from that Key Protect instance
#   (retention, versioning and logging use the module defaults listed under Inputs)
module "cos_bucket" {
  source                    = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cloudability-onboarding//modules/encrypted_cos_bucket"
  resource_group_id         = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
  region                    = "us-south"
  cos_instance_name         = "my-cos-instance"
  bucket_name               = "my-cos-bucket"
  key_protect_instance_name = "my-key-protect-instance"
}
```

Required IAM access policies

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.9.0 |
| ibm | >= 1.59.0, < 2.0.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| cos_bucket | terraform-ibm-modules/cos/ibm | 8.16.5 |
| key_protect_all_inclusive | terraform-ibm-modules/kms-all-inclusive/ibm | 4.19.2 |

Resources

No resources.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| access_tags | A list of access tags to apply to the COS instance created by the module; see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for details. | `list(string)` | `[]` | no |
| activity_tracker_management_events | If set to true, all Object Storage management events are sent to Activity Tracker. | `bool` | `true` | no |
| activity_tracker_read_data_events | If set to true, all Object Storage bucket read events (downloads) are sent to Activity Tracker. | `bool` | `true` | no |
| activity_tracker_write_data_events | If set to true, all Object Storage bucket write events (uploads) are sent to Activity Tracker. | `bool` | `true` | no |
| add_bucket_name_suffix | Add a randomly generated 4-character suffix to the newly provisioned Object Storage bucket name (optional). | `bool` | `false` | no |
| archive_days | Number of days after which the archive rule action takes effect. Must be null when `var.cross_region_location` is used, because archiving is not supported for cross-region buckets. | `number` | `null` | no |
| archive_type | The storage class or archive type to which objects transition. | `string` | `"Glacier"` | no |
| bucket_name | The name to give the newly provisioned Object Storage bucket. | `string` | `"snapshots"` | no |
| bucket_storage_class | The storage class of the newly provisioned Object Storage bucket. Supported values are `standard`, `vault`, `cold`, `smart` and `onerate_active`. | `string` | `"standard"` | no |
| cos_bucket_cbr_rules | (Optional) List of context-based restriction (CBR) rules to create for the bucket. | `list(object({ description = string, account_id = string, rule_contexts = list(object({ attributes = optional(list(object({ name = string, value = string }))) })), enforcement_mode = string, tags = optional(list(object({ name = string, value = string })), []), operations = optional(list(object({ api_types = list(object({ api_type_id = string })) }))) }))` | `[]` | no |
| cos_instance_cbr_rules | (Optional) List of CBR rules to create for the COS instance. | `list(object({ description = string, account_id = string, rule_contexts = list(object({ attributes = optional(list(object({ name = string, value = string }))) })), enforcement_mode = string, tags = optional(list(object({ name = string, value = string })), []), operations = optional(list(object({ api_types = list(object({ api_type_id = string })) }))) }))` | `[]` | no |
| cos_instance_name | The name to give the Cloud Object Storage instance provisioned by this module. Only used if `create_cos_instance` is true. | `string` | `"billing_snapshots"` | no |
| cos_plan | Plan used when creating the Cloud Object Storage instance. Only used if `create_cos_instance` is true. | `string` | `"standard"` | no |
| create_cos_instance | Set to true to create a new Cloud Object Storage instance. If false, `existing_cos_instance_id` must be provided. | `bool` | `true` | no |
| create_key_protect_instance | Set to true to create a new Key Protect instance. If false, `existing_kms_instance_crn` must be provided. | `bool` | `true` | no |
| cross_region_location | The cross-regional bucket location. Supported values are `us`, `eu` and `ap`. If you pass a value here, set `var.region` to null. | `string` | `null` | no |
| existing_cos_instance_id | The ID of an existing Cloud Object Storage instance. Required if `var.create_cos_instance` is false. | `string` | `null` | no |
| existing_kms_instance_crn | The CRN of an existing Key Protect or Hyper Protect Crypto Services instance. Required if `create_key_protect_instance` is false. | `string` | `null` | no |
| expire_days | Number of days after which the expire rule action takes effect. | `number` | `null` | no |
| key_endpoint_type | The endpoint type used when creating keys. Accepts `public` or `private`. | `string` | `"public"` | no |
| key_name | Name of the Object Storage bucket encryption key. | `string` | `null` | no |
| key_protect_allowed_network | The allowed network for the Key Protect instance. Possible values are `private-only` or `public-and-private`. Only used if `create_key_protect_instance` is true. | `string` | `"public-and-private"` | no |
| key_protect_instance_name | Name of the Key Protect instance. | `string` | `null` | no |
| key_ring_endpoint_type | The endpoint type used when creating key rings. Accepts `public` or `private`. | `string` | `"public"` | no |
| key_ring_name | Name of the key ring used to group keys. | `string` | `"bucket-encryption"` | no |
| management_endpoint_type_for_bucket | The endpoint type the IBM Terraform provider uses to manage the bucket (`public`, `private` or `direct`). | `string` | `"public"` | no |
| monitoring_crn | The CRN of an IBM Cloud Monitoring instance to send Object Storage bucket metrics to. If no value is passed, metrics are sent to the instance associated with the container's location unless otherwise specified in the Metrics Router service configuration. | `string` | `null` | no |
| object_versioning_enabled | Enable object versioning to keep multiple versions of an object in the bucket. | `bool` | `false` | no |
| region | Region where resources are created. | `string` | `"us-south"` | no |
| request_metrics_enabled | If set to true, all Object Storage bucket request metrics are sent to the monitoring service. | `bool` | `true` | no |
| resource_group_id | The resource group ID where resources are provisioned. | `string` | n/a | yes |
| resource_tags | Optional list of tags to add to created resources. | `list(string)` | `[]` | no |
| retention_default | Default retention period, in days, for which an object in the bucket is kept unmodified. | `number` | `90` | no |
| retention_enabled | Enable retention (immutable object storage) for the bucket. | `bool` | `false` | no |
| retention_maximum | Maximum retention period, in days, for which an object in the bucket can be kept unmodified. | `number` | `350` | no |
| retention_minimum | Minimum retention period, in days, for which an object in the bucket must be kept unmodified. | `number` | `90` | no |
| retention_permanent | Enable or disable permanent retention for the bucket. | `bool` | `false` | no |
| rotation_enabled | If set to true, a key rotation policy is enabled on the Key Protect instance. Only used if `create_key_protect_instance` is true. | `bool` | `true` | no |
| rotation_interval_month | Number of months between rotations of the encryption key. Must be between 1 and 12 inclusive. Only used if `create_key_protect_instance` is true. | `number` | `1` | no |
| skip_iam_authorization_policy | Set to true to skip creating the IAM authorization policy that permits the created COS instance to read the encryption key from the KMS instance in `existing_kms_instance_crn`. WARNING: an authorization policy must exist before an encrypted bucket can be created, so leave this false unless such a policy already exists. | `bool` | `false` | no |
| usage_metrics_enabled | If set to true, all Object Storage bucket usage metrics are sent to the monitoring service. | `bool` | `true` | no |
| use_existing_key_ring | Whether `key_ring_name` refers to an existing key ring (true) or to a new key ring the module creates for the encryption key (false). | `string` | `false` | no |
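A second, hardened call, added here as an example and not taken from the module's README or the cloudability-onboarding project: it reuses a KMS instance you already operate via `existing_kms_instance_crn`, keeps key, key-ring and bucket management traffic on private endpoints, enables retention, and attaches one CBR rule to the bucket, then uses a Terraform `check` block to fail the run if the bucket did not end up bound to a KMS key. The four `variable` declarations, the network zone, and the `networkZoneId` attribute name are placeholders and assumptions of this example; the `check` block is core Terraform (1.5+, within this module's `>= 1.9.0` requirement), not a module feature.

```hcl
# Added example, not part of the module's own README. All variable values are
# placeholders you must supply; the trusted network zone is assumed to exist.
variable "resource_group_id" { type = string }
variable "account_id" { type = string }
variable "existing_kms_instance_crn" { type = string } # e.g. crn:v1:bluemix:public:kms:us-south:a/<account>:<guid>::
variable "trusted_network_zone_id" { type = string }   # ID of an existing CBR network zone (assumption)

module "cos_bucket_hardened" {
  source            = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cloudability-onboarding//modules/encrypted_cos_bucket"
  resource_group_id = var.resource_group_id
  region            = "us-south"

  # Reuse an existing Key Protect / HPCS instance: the module then creates only
  # the key ring and key inside it, plus the COS -> KMS reader authorization policy.
  create_key_protect_instance = false
  existing_kms_instance_crn   = var.existing_kms_instance_crn
  key_ring_name               = "billing-snapshots"
  key_name                    = "billing-snapshots-bucket-key"

  # Private endpoints: key and key-ring creation and bucket management never
  # traverse the public network. Terraform must then run from a host that can
  # reach IBM Cloud private endpoints.
  key_endpoint_type                   = "private"
  key_ring_endpoint_type              = "private"
  management_endpoint_type_for_bucket = "private"

  # Keep the default: the authorization policy must exist before an encrypted
  # bucket can be created. Set to true only if the policy already exists.
  skip_iam_authorization_policy = false

  cos_instance_name      = "billing-snapshots-cos"
  bucket_name            = "billing-snapshots"
  add_bucket_name_suffix = true # bucket names are globally unique; avoid collisions

  # Immutable retention, in days. object_versioning_enabled stays at its
  # default (false): COS does not allow versioning on a retention-enabled bucket.
  retention_enabled = true
  retention_minimum = 90
  retention_default = 90
  retention_maximum = 350

  # Context-based restriction: only the trusted network zone may reach the
  # bucket. Start in "report" mode to audit what would be denied, then switch
  # enforcement_mode to "enabled".
  cos_bucket_cbr_rules = [{
    description      = "Billing snapshot bucket reachable only from the trusted zone"
    account_id       = var.account_id
    enforcement_mode = "report"
    rule_contexts = [{
      attributes = [{
        name  = "networkZoneId"
        value = var.trusted_network_zone_id
      }]
    }]
  }]
}

# Post-apply guard: fail the run if the bucket is not bound to a KMS key CRN
# (for example because the authorization policy was skipped or missing).
# can(regex(...)) is false for null, empty, or non-CRN values.
check "bucket_is_kms_encrypted" {
  assert {
    condition     = can(regex("^crn:", module.cos_bucket_hardened.kms_key_crn))
    error_message = "Bucket has no KMS key CRN; Key Protect/HPCS encryption is not in effect."
  }
}

output "hardened_bucket_private_endpoint" {
  description = "Use this endpoint, not the public one, from workloads inside IBM Cloud."
  value       = module.cos_bucket_hardened.s3_endpoint_private
}
```

Two points of this design are worth keeping in mind: `key_protect_allowed_network` is not set because it only applies when the module creates the Key Protect instance, so network restriction of an existing instance is that instance's own configuration; and the CBR rule is created in `report` mode on purpose, since an `enabled` rule with a wrong zone locks out the Terraform runner itself on the next apply.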

Outputs

| Name | Description |
|------|-------------|
| bucket_cbr_rules | CBR rules created for the Object Storage bucket |
| bucket_crn | Bucket CRN |
| bucket_id | Bucket ID |
| bucket_name | Bucket name |
| bucket_region | Bucket region, if a regional bucket was created |
| bucket_storage_class | Bucket storage class |
| cbr_rule_ids | List of all CBR rule IDs |
| cos_instance_guid | The GUID of the Cloud Object Storage instance in which the bucket is created |
| cos_instance_id | The ID of the Cloud Object Storage instance in which the bucket is created |
| instance_cbr_rules | CBR rules created for the COS instance |
| key_protect_guid | GUID of the Key Protect instance that contains the encryption key for the Object Storage bucket |
| key_protect_instance_policies | Instance policies of the Key Protect instance |
| key_protect_name | Key Protect instance name |
| key_rings | IDs of new key rings created by the module |
| keys | IDs of new keys created by the module |
| kms_crn | CRN of the KMS instance |
| kms_key_crn | The CRN of the KMS key used to encrypt the Object Storage bucket |
| resource_group_id | Resource group ID |
| s3_endpoint_direct | S3 direct endpoint |
| s3_endpoint_private | S3 private endpoint |
| s3_endpoint_public | S3 public endpoint |