Skip to content

terraform-ibm-modules/terraform-ibm-iam-account-settings

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

IAM account settings module

Graduated (Supported) semantic-release pre-commit latest release Renovate enabled

This module configures standard IAM account settings with the recommended values, in which the default values are aligned with FSCloud requirements, and exports the values as outputs.

The module handles the following account settings:

  • Multifactor authentication (None - Federated Users - All - Email/TOPT/U2F based)
  • User specific Multifactor authentication (None - Federated Users - All - Email/TOPT/U2F based)
  • Restrict API key creation (on - off)
  • Restrict service ID creation (on - off)
  • Session activity timeout (seconds)
  • Session inactivity timeout (seconds)
  • Access token expiration (seconds)
  • Refresh token expiration (seconds)
  • Restrict IP address access (off/Any Allowed - on/Allow only specified IP subnets or IP addresses). Two control modes are supported:
    • Monitor: traffic that originates outside the specified allowed IP addresses is allowed but logged by audit events that are sent to SIEM and Activity Tracker
    • Restrict: traffic that originates outside the specified allowed IP addresses is blocked
  • Global shell settings (on - off)
  • Public access group (on - off)

The module supports creating and updating settings that are applied with the terraform apply command. With objects affected by the destroy command, the module preserves the most recent setting and doesn't change objects that are configured outside of Terraform's scope.

Current limitations:

The module currently does not support setting the following FSCloud requirements using the IBM provider:

  • Check whether user list visibility restrictions are configured in IAM settings for the account owner
  • Check whether the Financial Services Validated setting is enabled in account settings

Tracking issue with IBM provider -> IBM-Cloud/terraform-provider-ibm#4204

If you need to manage these FSCloud requirements via Terraform, please see the experimental submodule which uses the RestAPI provider to manage these settings.

Overview

terraform-ibm-iam-account-settings

Usage

module "iam_account_settings" {
  source               = "terraform-ibm-modules/iam-account-settings/ibm"
  version              = "X.X.X"  # Replace "X.X.X" with a release version to lock into a specific release
  allowed_ip_addresses = ["17.5.7.8.0/16"]

  # example usage of creating CBR zones within the module
  # see https://github.com/terraform-ibm-modules/terraform-ibm-cbr/tree/main/modules/cbr-zone-module for more details
  cbr_zones = [{
    name             = "default-zone-1"
    zone_description = "test zone in iam-account-settings module"
    addresses = [{
      type = "serviceRef"
      ref = {
        account_id   = data.ibm_iam_account_settings.iam_account_settings.account_id
        service_name = "secrets-manager"
      }
    }]
  }]
}

User MFA

When specifying User MFA (user_mfa), use the following format:

variable "user_mfa" {
  type = set(object({
    iam_id = string
    mfa = string
  }))
  default = [{

    iam_id = "IBMid-3x000xx3xH"
    mfa    = "LEVEL3"
  },
  {
    iam_id = "IBMid-50xG4CxSQx"
    mfa = "NONE"
  }]
  }

When/if it is necessary to delete/reset the MFA configuration for all users, use the user_mfa_reset input var.

Required IAM access policies

You need the following permissions to run this module.

  • Account Management
    • IAM Access Groups service
      • Administrator platform access
    • IAM Access Management service
      • Editor platform access
    • IAM Identity service
      • Operator platform access
    • IBM Cloud Shell service
      • Administrator platform access

Requirements

Name Version
terraform >= 1.3.0
ibm >= 1.65.0, < 2.0.0

Modules

Name Source Version
cbr_zones terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module v1.24.1

Resources

Name Type
ibm_cloud_shell_account_settings.cloud_shell_account_settings resource
ibm_iam_access_group_account_settings.iam_access_group_account_settings resource
ibm_iam_account_settings.iam_account_settings resource
ibm_cloud_shell_account_settings.cloud_shell_account_settings data source
ibm_iam_account_settings.iam_account_settings data source

Inputs

Name Description Type Default Required
access_token_expiration Defines the access token expiration in seconds string "3600" no
active_session_timeout Specify how long (seconds) a user is allowed to work continuously in the account number "86400" no
allowed_ip_addresses List of the IP addresses and subnets from which IAM tokens can be created for the account. list(any) [] no
api_creation When restriction is enabled, only users, including the account owner, assigned the User API key creator role on the IAM Identity Service can create API keys. Allowed values are 'RESTRICTED', 'NOT_RESTRICTED', or 'NOT_SET' (to 'unset' a previous set value). string "RESTRICTED" no
cbr_zones A list of CBR zones created by the module
list(object({
account_id = optional(string)
addresses = optional(list(object({
type = optional(string)
value = optional(string)
ref = optional(object({
account_id = string
location = optional(string)
service_instance = optional(string)
service_name = optional(string)
service_type = optional(string)
}))
})), [])
excluded_addresses = optional(list(object({
type = optional(string)
value = optional(string)
})), [])
name = string
zone_description = optional(string, null)
}))
[] no
enforce_allowed_ip_addresses If true IP address restriction will be enforced, If false, traffic originated outside specified allowed IP address set is monitored with audit events sent to SIEM and Activity Tracker. After running in monitored mode to test this variable, it should then explicitly be set to true to enforce IP allow listing. bool true no
inactive_session_timeout Specify how long (seconds) a user is allowed to stay logged in the account while being inactive/idle string "7200" no
max_sessions_per_identity Defines the maximum allowed sessions per identity required by the account. Supports any whole number greater than '0', or 'NOT_SET' to unset account setting and use service default. string "NOT_SET" no
mfa Specify Multi-Factor Authentication method in the account. Supported valid values are 'NONE' (No MFA trait set), 'TOTP' (For all non-federated IBMId users), 'TOTP4ALL' (For all users), 'LEVEL1' (Email based MFA for all users), 'LEVEL2' (TOTP based MFA for all users), 'LEVEL3' (U2F MFA for all users). string "TOTP4ALL" no
public_access_enabled Enable/Disable public access group in which resources are open anyone regardless if they are member of your account or not bool false no
refresh_token_expiration Defines the refresh token expiration in seconds string "259200" no
serviceid_creation When restriction is enabled, only users, including the account owner, assigned the Service ID creator role on the IAM Identity Service can create service IDs. Allowed values are 'RESTRICTED', 'NOT_RESTRICTED', or 'NOT_SET' (to 'unset' a previous set value). string "RESTRICTED" no
shell_settings_enabled Enable global shell settings to all users in the account. If skip_cloud_shell_calls is set to true, then this setting is ignored. bool false no
skip_cloud_shell_calls Skip Cloud Shell calls in the account. bool false no
user_mfa Specify Multi-Factor Authentication method for specific users the account. Supported valid values are 'NONE' (No MFA trait set), 'TOTP' (For all non-federated IBMId users), 'TOTP4ALL' (For all users), 'LEVEL1' (Email based MFA for all users), 'LEVEL2' (TOTP based MFA for all users), 'LEVEL3' (U2F MFA for all users). Example of format is available here > https://github.com/terraform-ibm-modules/terraform-ibm-iam-account-settings#usage
set(object({
iam_id = string
mfa = string
}))
[] no
user_mfa_reset Set to true to delete all user MFA settings configured in the targeted account, and ignoring entries declared in var user_mfa bool false no

Outputs

Name Description
account_allowed_ip_addresses Current allowed IP addresses
account_allowed_ip_addresses_control_mode Current allowed IP addresses enforcement control mode, will indicate RESTRICT if account_allowed_ip_addresses_enforced is TRUE
account_allowed_ip_addresses_enforced Current allowed IP addresses enforcement state
account_iam_access_token_expiration Current access token expiration
account_iam_active_session_timeout Current active session timeout
account_iam_apikey_creation Current state of API key creation restriction
account_iam_inactive_session_timeout Current inactive session timeout
account_iam_mfa Current MFA setting
account_iam_refresh_token_expiration Current refresh token expiration
account_iam_serviceid_creation Current state of ServiceID creation restriction
account_iam_user_mfa_list Current list of users with specific MFA settings
account_public_access Current state of public access group setting
account_shell_settings_status Current state of global shell setting
account_zones Current CBR zones managed by the module

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.