feat: The module was incorrectly creating a COS destination instead of creating a COS integration needed for failed events to work. Due to this change, the `cos_destination_name` has been removed. If you are updating from a previous version, you will see the expected destroy of the destination (#242)
Ak-sky authored Jul 23, 2024
1 parent 50d21db commit d03e2a5
Showing 12 changed files with 104 additions and 83 deletions.
3 changes: 1 addition & 2 deletions README.md
Expand Up @@ -82,8 +82,8 @@ To create service credentials, access the Event Notifications service, and acces

| Name | Type |
|------|------|
| [ibm_en_destination_cos.cos_en_destination](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/en_destination_cos) | resource |
| [ibm_en_integration.en_kms_integration](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/en_integration) | resource |
| [ibm_en_integration_cos.en_cos_integration](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/en_integration_cos) | resource |
| [ibm_iam_authorization_policy.cos_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
| [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
| [ibm_resource_instance.en_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
Expand All @@ -99,7 +99,6 @@ To create service credentials, access the Event Notifications service, and acces
|------|-------------|------|---------|:--------:|
| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | The list of context-based restrictions rules to create. | <pre>list(object({<br> description = string<br> account_id = string<br> rule_contexts = list(object({<br> attributes = optional(list(object({<br> name = string<br> value = string<br> }))) }))<br> enforcement_mode = string<br> }))</pre> | `[]` | no |
| <a name="input_cos_bucket_name"></a> [cos\_bucket\_name](#input\_cos\_bucket\_name) | The name of an existing IBM Cloud Object Storage bucket which will be used for storage of failed delivery events. Required if `cos_integration_enabled` is set to true. | `string` | `null` | no |
| <a name="input_cos_destination_name"></a> [cos\_destination\_name](#input\_cos\_destination\_name) | The name of the IBM Cloud Object Storage destination which will be created for the storage of failed delivery events. | `string` | `"COS Destination"` | no |
| <a name="input_cos_endpoint"></a> [cos\_endpoint](#input\_cos\_endpoint) | The endpoint URL for your bucket region. For more information, see https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-endpoints. Required if `cos_integration_enabled` is set to true. | `string` | `null` | no |
| <a name="input_cos_instance_id"></a> [cos\_instance\_id](#input\_cos\_instance\_id) | The ID of the IBM Cloud Object Storage instance in which the bucket that is defined in the `cos_bucket_name` variable exists. Required if `cos_integration_enabled` is set to true. | `string` | `null` | no |
| <a name="input_cos_integration_enabled"></a> [cos\_integration\_enabled](#input\_cos\_integration\_enabled) | Set to `true` to connect a Cloud Object Storage service instance to your Event Notifications instance to collect events that failed delivery. If set to false, no failed events will be captured. | `bool` | `false` | no |
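Review bot: the `cos_instance_id` row still describes the input as "The ID of the IBM Cloud Object Storage instance", but main.tf in this same commit passes the value to the integration's `crn` field and derives the IAM policy GUID by splitting it on `:`, so a bare GUID is no longer accepted. Update the description (and the variable description this table is generated from) to say the instance CRN is expected, e.g. "The CRN of the IBM Cloud Object Storage instance in which the bucket defined in `cos_bucket_name` exists. Required if `cos_integration_enabled` is set to true."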
2 changes: 1 addition & 1 deletion examples/complete/README.md
Expand Up @@ -7,5 +7,5 @@ An end-to-end example that creates the following infrastructure:
- An Event Notifications instance with bring-your-own-key encryption.
- An IBM Cloud Object Storage service instance and bucket to collect events that fail delivery.
- A Virtual Private Cloud (VPC).
- A context-based restriction (CBR) rule to allow Event Notifications to be accessible only from within the VPC.
- A context-based restriction (CBR) rule to allow Event Notifications to be accessible from VPC and Schematics.
- Service credentials for the Event Notifications instance.
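Review bot: the rewritten bullet drops the word "only" that both the previous wording and the matching bullet in examples/fscloud/README.md carry; a CBR rule restricts access rather than granting it, so "accessible only from the VPC and Schematics" describes what the rule does more accurately than "accessible from VPC and Schematics".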
42 changes: 40 additions & 2 deletions examples/complete/main.tf
Expand Up @@ -111,6 +111,10 @@ module "cbr_zone_schematics" {
}]
}

#############################################################################
# Create EN instance, destination, topic and subscription
##############################################################################

module "event_notification" {
source = "../../"
resource_group_id = module.resource_group.resource_group_id
Expand All @@ -125,9 +129,8 @@ module "event_notification" {
region = var.region
# COS Related
cos_integration_enabled = true
cos_destination_name = module.cos.cos_instance_name
cos_bucket_name = module.cos.bucket_name
cos_instance_id = module.cos.cos_instance_guid
cos_instance_id = module.cos.cos_instance_crn
cos_endpoint = "https://${module.cos.s3_endpoint_public}"
cbr_rules = [
{
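Review bot: `cos_instance_id = module.cos.cos_instance_crn` changes the contract of a variable whose name still says ID; a caller who keeps passing `module.cos.cos_instance_guid` (the value this line used before) will now hit the `split(":")` parsing in the root module with an error that does not name the cause. Consider renaming the input to `cos_instance_crn` in the same breaking release that removes `cos_destination_name`, or at least validating the CRN format on the variable so the mismatch is reported at plan time.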
Expand Down Expand Up @@ -158,3 +161,38 @@ module "event_notification" {
}
]
}

resource "ibm_en_destination_webhook" "webhook_destination" {
instance_guid = module.event_notification.guid
name = "${var.prefix}-webhook-destination"
type = "webhook"
collect_failed_events = false
description = "Destination webhook for event notification"
config {
params {
verb = "POST"
url = "https://testwebhook.com"
custom_headers = {
"authorization" = "authorization"
}
sensitive_headers = ["authorization"]
}
}
}

resource "ibm_en_topic" "webhook_topic" {
instance_guid = module.event_notification.guid
name = "${var.prefix}-e2e-topic"
description = "Topic for EN events routing"
}

resource "ibm_en_subscription_webhook" "webhook_subscription" {
instance_guid = module.event_notification.guid
name = "${var.prefix}-webhook-subscription"
description = "The webhook subscription"
destination_id = ibm_en_destination_webhook.webhook_destination.destination_id
topic_id = ibm_en_topic.webhook_topic.topic_id
attributes {
signing_enabled = true
}
}
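Review bot: `collect_failed_events = false` on the only destination in this example means the COS failed-events integration this commit introduces is never exercised end to end; set it to `true` here so the example (and whatever tests run it) actually demonstrates failed-event collection. Two smaller points in the same block: `url = "https://testwebhook.com"` points at a real third-party domain that would receive any notification sent while the example runs, so prefer a reserved name such as `https://webhook.example.com`; and the `"authorization" = "authorization"` placeholder is fine for an example, but a real token should come from a variable marked `sensitive = true` rather than a literal, even with `sensitive_headers` set. `signing_enabled = true` on the subscription is the right default to show.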
2 changes: 1 addition & 1 deletion examples/fscloud/README.md
Expand Up @@ -8,7 +8,7 @@ The example uses the IBM Cloud Terraform provider to create the following infras
- An IAM authorization between all Event Notification instances in the given resource group and the KMS instance that is passed in.
- An Event Notification instance that is encrypted with the KMS root key that is passed in.
- A sample virtual private cloud (VPC).
- A context-based restriction (CBR) rule to only allow Event Notification to be accessible from within the VPC.
- A context-based restriction (CBR) rule to only allow Event Notification to be accessible from VPC and Schematics.

:exclamation: **Important:** In this example, only the Event Notification instance complies with the IBM Cloud Framework for Financial Services. Other parts of the infrastructure do not necessarily comply.
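Review bot: this bullet now promises a CBR rule that allows access from the VPC and Schematics, but in examples/fscloud/main.tf of the same commit the entire `cbr_rules` list is commented out because of provider issue 5525, so the example creates no CBR rule at all. Either keep the README in step with what is deployed (and state that the rule is temporarily omitted and why), or keep at least the VPC-only rule context active in the example so the bullet and the "complies with the IBM Cloud Framework for Financial Services" claim below it remain true.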

63 changes: 33 additions & 30 deletions examples/fscloud/main.tf
Expand Up @@ -90,7 +90,7 @@ module "cos" {
kms_guid = local.kms_instance_guid
kms_key_crn = var.root_key_crn
skip_iam_authorization_policy = false
management_endpoint_type = "public"
management_endpoint_type = "private"
storage_class = "smart"
region_location = var.region
force_delete = true
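Review bot: switching `management_endpoint_type` to `"private"` is the right choice for the FS Cloud example, but it means the Terraform run itself must come from a network that can reach the COS private endpoint (Schematics or a VPC-connected runner); that prerequisite is not stated in examples/fscloud/README.md and will surface as an opaque connection error for anyone applying from outside IBM Cloud.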
Expand Down Expand Up @@ -126,35 +126,38 @@ module "event_notification" {
region = var.region
# COS Related
cos_bucket_name = module.cos.buckets[local.bucket_name].bucket_name
cos_instance_id = module.cos.cos_instance_guid
cos_instance_id = module.cos.cos_instance_crn
skip_en_cos_auth_policy = false
cos_endpoint = "https://${module.cos.buckets[local.bucket_name].s3_endpoint_private}"
cbr_rules = [
{
description = "${var.prefix}-event notification access only from vpc"
enforcement_mode = "enabled"
account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
rule_contexts = [{
attributes = [
{
"name" : "endpointType",
"value" : "private"
},
{
name = "networkZoneId"
value = module.cbr_vpc_zone.zone_id
}]
}, {
attributes = [
{
"name" : "endpointType",
"value" : "private"
},
{
name = "networkZoneId"
value = module.cbr_zone_schematics.zone_id
}]
}]
}
]

# There is a known issue https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5525 when adding schematics network zone with private endpoint type to the EN CBR rule, causing this example to fail.

# cbr_rules = [
# {
# description = "${var.prefix}-event notification access from vpc and schematics"
# enforcement_mode = "enabled"
# account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
# rule_contexts = [{
# attributes = [
# {
# "name" : "endpointType",
# "value" : "private"
# },
# {
# name = "networkZoneId"
# value = module.cbr_vpc_zone.zone_id
# }]
# }, {
# attributes = [
# {
# "name" : "endpointType",
# "value" : "private"
# },
# {
# name = "networkZoneId"
# value = module.cbr_zone_schematics.zone_id
# }]
# }]
# }
# ]
}
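Review bot: commenting out the entire `cbr_rules` list removes the VPC restriction that the previous version enforced, not just the Schematics context that triggers provider issue 5525, so the example described in its README as compliant with the Financial Services framework now deploys an Event Notifications instance with no context-based restriction. Keep the first rule context (`value = module.cbr_vpc_zone.zone_id` with `"value" : "private"` for `endpointType`) active and comment out only the `module.cbr_zone_schematics.zone_id` context, and reference the tracking issue from the README rather than only from a comment. The very long single-line comment should also be wrapped to match the rest of the file.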
43 changes: 23 additions & 20 deletions main.tf
Expand Up @@ -8,6 +8,10 @@ locals {
validate_kms_values = !var.kms_encryption_enabled && (var.existing_kms_instance_crn != null || var.root_key_id != null || var.kms_endpoint_url != null) ? tobool("When passing values for var.existing_kms_instance_crn or/and var.root_key_id or/and var.kms_endpoint_url, you must set var.kms_encryption_enabled to true. Otherwise unset them to use default encryption") : true
# tflint-ignore: terraform_unused_declarations
validate_kms_vars = var.kms_encryption_enabled && (var.existing_kms_instance_crn == null || var.root_key_id == null || var.kms_endpoint_url == null) ? tobool("When setting var.kms_encryption_enabled to true, a value must be passed for var.existing_kms_instance_crn, var.root_key_id and var.kms_endpoint_url") : true
# tflint-ignore: terraform_unused_declarations
validate_cos_values = !var.cos_integration_enabled && (var.cos_instance_id != null || var.cos_bucket_name != null || var.cos_endpoint != null) ? tobool("When passing values for var.cos_instance_id or/and var.cos_bucket_name or/and var.cos_endpoint, you must set var.cos_integration_enabled to true. Otherwise unset them to disable collection of failed delivery events") : true
# tflint-ignore: terraform_unused_declarations
validate_cos_vars = var.cos_integration_enabled && (var.cos_instance_id == null || var.cos_bucket_name == null || var.cos_endpoint == null) ? tobool("When setting var.cos_integration_enabled to true, a value must be passed for var.cos_instance_id, var.cos_bucket_name and var.cos_endpoint") : true

# Determine what KMS service is being used for encryption
kms_service = var.existing_kms_instance_crn != null ? (
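Review bot: `validate_cos_vars` only checks that the three COS inputs are non-null; it does not check that `var.cos_instance_id` is a CRN, which the rest of this file now assumes when it indexes the result of `split(":", var.cos_instance_id)`. Add a format check alongside it, for example `can(regex("^crn:v1:", var.cos_instance_id))`, so a caller who still passes the instance GUID gets a clear message instead of an indexing error.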
Expand All @@ -31,23 +35,17 @@ resource "ibm_resource_instance" "en_instance" {
}

#############################################################################
# Event Notification COS integration
# Event Notification COS integration to Collect Failed Events
#############################################################################

resource "ibm_en_destination_cos" "cos_en_destination" {
depends_on = [time_sleep.wait_for_cos_authorization_policy]
count = var.cos_integration_enabled ? 1 : 0
instance_guid = ibm_resource_instance.en_instance.guid
name = var.cos_destination_name
type = "ibmcos"
collect_failed_events = true
description = "IBM Cloud Object Storage destination for collection of failed events."
config {
params {
bucket_name = var.cos_bucket_name
instance_id = var.cos_instance_id
endpoint = var.cos_endpoint
}
resource "ibm_en_integration_cos" "en_cos_integration" {
depends_on = [time_sleep.wait_for_cos_authorization_policy]
count = var.cos_integration_enabled ? 1 : 0
instance_guid = ibm_resource_instance.en_instance.guid
type = "collect_failed_events"
metadata {
endpoint = var.cos_endpoint
crn = var.cos_instance_id
bucket_name = var.cos_bucket_name
}
}
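Review bot: the swap from `ibm_en_destination_cos` to `ibm_en_integration_cos` cannot be expressed with a `moved` block because the resource types differ, so every existing deployment will destroy its COS destination on the next apply; that behaviour is only mentioned in the commit message and should be documented in the module README or release notes, together with the fact that the old destination never captured failed events. Minor: the new banner reads "integration to Collect Failed Events"; drop the capitals mid-sentence to match the other banners in this file.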

Expand All @@ -56,7 +54,11 @@ resource "ibm_en_destination_cos" "cos_en_destination" {
#############################################################################

locals {
en_integration_id = length(data.ibm_en_integrations.en_integrations) > 0 ? data.ibm_en_integrations.en_integrations[0].integrations[0]["id"] : null

en_integration_id = length(data.ibm_en_integrations.en_integrations) > 0 ? [
for integrations in data.ibm_en_integrations.en_integrations[0].integrations :
integrations.id if(integrations.type == "kms" || integrations.type == "hs-crypto")
] : null
}

data "ibm_en_integrations" "en_integrations" {
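Review bot: `en_integration_id` is now either `null` or a possibly empty list, and its only consumer indexes it with `[0]`; when `kms_encryption_enabled` is true but the instance reports no `kms` or `hs-crypto` integration (or the data source count is 0), the apply fails with an indexing error that says nothing about the cause. Wrap the lookup as `try(local.en_integration_id[0], null)` and fail with an explicit message, or use `one(...)` if exactly one match is expected. The stray blank line at the top of the `locals` block can also go.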
Expand All @@ -68,7 +70,7 @@ resource "ibm_en_integration" "en_kms_integration" {
depends_on = [time_sleep.wait_for_kms_authorization_policy]
count = var.kms_encryption_enabled == false ? 0 : 1
instance_guid = ibm_resource_instance.en_instance.guid
integration_id = local.en_integration_id
integration_id = local.en_integration_id[0]
type = local.kms_service
metadata {
endpoint = var.kms_endpoint_url
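Review bot: `local.en_integration_id[0]` silently takes the first match even though the filter above accepts both `kms` and `hs-crypto` types while this resource sets `type = local.kms_service`; if an instance ever lists both kinds, the ID attached here may not correspond to the type declared. Filter on `integrations.type == local.kms_service` instead of the two-way OR so the ID and the type are guaranteed to match.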
Expand All @@ -90,6 +92,7 @@ data "ibm_iam_account_settings" "iam_account_settings" {

locals {
existing_kms_instance_guid = var.kms_encryption_enabled == true ? element(split(":", var.existing_kms_instance_crn), length(split(":", var.existing_kms_instance_crn)) - 3) : null
existing_cos_instance_guid = var.cos_integration_enabled == true ? element(split(":", var.cos_instance_id), length(split(":", var.cos_instance_id)) - 3) : null
}

# Create IAM Authorization Policies to allow event notification to access cos
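Review bot: `existing_cos_instance_guid` assumes a 10-segment instance CRN (`crn:v1:bluemix:public:cloud-object-storage:global:a/<account>:<guid>::`), where `length - 3` lands on the instance GUID; that holds for a CRN but a bare GUID, which is what this input accepted before the commit, yields a one-element list and the expression fails without naming the cause. Since the same expression is repeated for the KMS CRN on the line above, a short comment stating the expected CRN shape plus a format validation on both variables would make the assumption explicit and the failure mode readable.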
Expand All @@ -98,7 +101,7 @@ resource "ibm_iam_authorization_policy" "cos_policy" {
source_service_name = "event-notifications"
source_resource_instance_id = ibm_resource_instance.en_instance.guid
roles = ["Object Writer", "Reader"]
description = "Allow EN instance with GUID ${ibm_resource_instance.en_instance.guid} `Object Writer` and `Reader` access to the COS instance with ID ${var.cos_instance_id}."
description = "Allow EN instance with GUID ${ibm_resource_instance.en_instance.guid} `Object Writer` and `Reader` access to the COS instance with GUID ${local.existing_cos_instance_guid}."

resource_attributes {
name = "serviceName"
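Review bot: the description now correctly names the COS instance GUID, but while touching this policy it is worth confirming that `Reader` is actually required: collecting failed events is a write-only path into the bucket, and if the Event Notifications documentation needs only `Object Writer` for the integration, dropping `Reader` keeps the service-to-service authorization at least privilege.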
Expand All @@ -114,7 +117,7 @@ resource "ibm_iam_authorization_policy" "cos_policy" {
resource_attributes {
name = "serviceInstance"
operator = "stringEquals"
value = var.cos_instance_id
value = local.existing_cos_instance_guid
}

resource_attributes {
Expand Down
5 changes: 2 additions & 3 deletions modules/fscloud/README.md
Expand Up @@ -82,10 +82,9 @@ No resources.
|------|-------------|------|---------|:--------:|
| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | The list of context-based restrictions rules to create. | <pre>list(object({<br> description = string<br> account_id = string<br> rule_contexts = list(object({<br> attributes = optional(list(object({<br> name = string<br> value = string<br> }))) }))<br> enforcement_mode = string<br> }))</pre> | `[]` | no |
| <a name="input_cos_bucket_name"></a> [cos\_bucket\_name](#input\_cos\_bucket\_name) | The name of an existing Object Storage bucket to use for the storage of failed delivery events. | `string` | `null` | no |
| <a name="input_cos_destination_name"></a> [cos\_destination\_name](#input\_cos\_destination\_name) | The name of the IBM Cloud Object Storage destination which will be created for the storage of failed delivery events. | `string` | `"COS Destination"` | no |
| <a name="input_cos_endpoint"></a> [cos\_endpoint](#input\_cos\_endpoint) | The endpoint URL for your bucket region. Required if `cos_integration_enabled` is set to `true`. [Learn more](https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-endpoints). | `string` | `null` | no |
| <a name="input_cos_instance_id"></a> [cos\_instance\_id](#input\_cos\_instance\_id) | The ID of the Object Storage instance that contains the bucket that is specified in the `cos_bucket_name` variable. Required only if `cos_integration_enabled` is set to `true`. | `string` | `null` | no |
| <a name="input_cos_integration_enabled"></a> [cos\_integration\_enabled](#input\_cos\_integration\_enabled) | Whether to connect an Object Storage service instance to your Event Notifications instance to collect events that fail delivery. If set to `false`, no failed events are captured. | `bool` | `true` | no |
| <a name="input_cos_instance_id"></a> [cos\_instance\_id](#input\_cos\_instance\_id) | The ID of the IBM Cloud Object Storage instance in which the bucket that is defined in the `cos_bucket_name` variable exists. Required if `cos_integration_enabled` is set to true. | `string` | `null` | no |
| <a name="input_cos_integration_enabled"></a> [cos\_integration\_enabled](#input\_cos\_integration\_enabled) | Whether to connect an Object Storage service instance to your Event Notifications instance to collect events that failed delivery. If set to `false`, no failed events are captured. | `bool` | `true` | no |
| <a name="input_existing_kms_instance_crn"></a> [existing\_kms\_instance\_crn](#input\_existing\_kms\_instance\_crn) | The CRN of the Hyper Protect Crypto Services or Key Protect instance. To ensure compliance with IBM Cloud Framework for Financial Services standards, it is required to use Hyper Protect Crypto Services only. | `string` | n/a | yes |
| <a name="input_kms_endpoint_url"></a> [kms\_endpoint\_url](#input\_kms\_endpoint\_url) | The KMS endpoint URL to use when you configure KMS encryption. | `string` | n/a | yes |
| <a name="input_name"></a> [name](#input\_name) | The name of the Event Notifications instance that is created by this module. | `string` | n/a | yes |
1 change: 0 additions & 1 deletion modules/fscloud/main.tf
Expand Up @@ -16,7 +16,6 @@ module "event_notification" {
# COS Related
cos_integration_enabled = var.cos_integration_enabled
cos_endpoint = var.cos_endpoint
cos_destination_name = var.cos_destination_name
cos_bucket_name = var.cos_bucket_name
cos_instance_id = var.cos_instance_id
skip_en_cos_auth_policy = var.skip_en_cos_auth_policy
10 changes: 2 additions & 8 deletions modules/fscloud/variables.tf
Expand Up @@ -70,12 +70,6 @@ variable "cbr_rules" {
# COS
########################################################################################################################

variable "cos_destination_name" {
type = string
description = "The name of the IBM Cloud Object Storage destination which will be created for the storage of failed delivery events."
default = "COS Destination"
}

variable "cos_bucket_name" {
type = string
description = "The name of an existing Object Storage bucket to use for the storage of failed delivery events."
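Review bot: deleting `cos_destination_name` is a breaking change for any caller of `modules/fscloud` that sets it, since Terraform rejects an input the module no longer declares; the commit message only warns about the destination being destroyed. Call out the removed input in the release notes so consumers know to drop it from their configurations before upgrading.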
Expand All @@ -84,7 +78,7 @@ variable "cos_bucket_name" {

variable "cos_instance_id" {
type = string
description = "The ID of the Object Storage instance that contains the bucket that is specified in the `cos_bucket_name` variable. Required only if `cos_integration_enabled` is set to `true`."
description = "The ID of the IBM Cloud Object Storage instance in which the bucket that is defined in the `cos_bucket_name` variable exists. Required if `cos_integration_enabled` is set to true."
default = null
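Review bot: the new description still calls this input "The ID of the IBM Cloud Object Storage instance", but the root module this wrapper calls now requires the instance CRN (it passes the value to the integration's `crn` field and splits it on `:`). Say CRN here and add a `validation` block with `condition = var.cos_instance_id == null || can(regex("^crn:v1:", var.cos_instance_id))` and a matching `error_message`, so a GUID left over from the previous version is rejected at plan time with a readable message.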
}

Expand All @@ -96,7 +90,7 @@ variable "skip_en_cos_auth_policy" {

variable "cos_integration_enabled" {
type = bool
description = "Whether to connect an Object Storage service instance to your Event Notifications instance to collect events that fail delivery. If set to `false`, no failed events are captured."
description = "Whether to connect an Object Storage service instance to your Event Notifications instance to collect events that failed delivery. If set to `false`, no failed events are captured."
default = true
}
