This module configures standard IAM account settings with the recommended values, in which the default values are aligned with FSCloud requirements, and exports the values as outputs.
The module handles the following account settings:
- Multifactor authentication (None - Federated Users - All - Email/TOPT/U2F based)
- User specific Multifactor authentication (None - Federated Users - All - Email/TOPT/U2F based)
- Restrict API key creation (on - off)
- Restrict service ID creation (on - off)
- Session activity timeout (seconds)
- Session inactivity timeout (seconds)
- Access token expiration (seconds)
- Refresh token expiration (seconds)
- Restrict IP address access (off/Any Allowed - on/Allow only specified IP subnets or IP addresses). Two control modes
are supported:
- Monitor: traffic that originates outside the specified allowed IP addresses is allowed but logged by audit events that are sent to SIEM and Activity Tracker
- Restrict: traffic that originates outside the specified allowed IP addresses is blocked
- Global shell settings (on - off)
- Public access group (on - off)
The module supports creating and updating settings that are applied with the terraform apply
command. With objects
affected by the destroy
command, the module preserves the most recent setting and doesn't change objects that are
configured outside of Terraform's scope.
The module currently does not support setting the following FSCloud requirements using the IBM provider:
- Check whether user list visibility restrictions are configured in IAM settings for the account owner
- Check whether the Financial Services Validated setting is enabled in account settings
Tracking issue with IBM provider -> IBM-Cloud/terraform-provider-ibm#4204
If you need to manage these FSCloud requirements via Terraform, please see the experimental submodule which uses the RestAPI provider to manage these settings.
module "iam_account_settings" {
source = "terraform-ibm-modules/iam-account-settings/ibm"
version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
allowed_ip_addresses = ["17.5.7.8.0/16"]
# example usage of creating CBR zones within the module
# see https://github.com/terraform-ibm-modules/terraform-ibm-cbr/tree/main/modules/cbr-zone-module for more details
cbr_zones = [{
name = "default-zone-1"
zone_description = "test zone in iam-account-settings module"
addresses = [{
type = "serviceRef"
ref = {
account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
service_name = "secrets-manager"
}
}]
}]
}
When specifying User MFA (user_mfa
), use the following format:
variable "user_mfa" {
type = set(object({
iam_id = string
mfa = string
}))
default = [{
iam_id = "IBMid-3x000xx3xH"
mfa = "LEVEL3"
},
{
iam_id = "IBMid-50xG4CxSQx"
mfa = "NONE"
}]
}
When/if it is necessary to delete/reset the MFA configuration for all users, use the user_mfa_reset
input var.
You need the following permissions to run this module.
- Account Management
- IAM Access Groups service
Administrator
platform access
- IAM Access Management service
Editor
platform access
- IAM Identity service
Operator
platform access
- IBM Cloud Shell service
Administrator
platform access
- IAM Access Groups service
Name | Version |
---|---|
terraform | >= 1.3.0 |
ibm | >= 1.65.0, < 2.0.0 |
Name | Source | Version |
---|---|---|
cbr_zones | terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module | v1.24.1 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
access_token_expiration | Defines the access token expiration in seconds | string |
"3600" |
no |
active_session_timeout | Specify how long (seconds) a user is allowed to work continuously in the account | number |
"86400" |
no |
allowed_ip_addresses | List of the IP addresses and subnets from which IAM tokens can be created for the account. | list(any) |
[] |
no |
api_creation | When restriction is enabled, only users, including the account owner, assigned the User API key creator role on the IAM Identity Service can create API keys. Allowed values are 'RESTRICTED', 'NOT_RESTRICTED', or 'NOT_SET' (to 'unset' a previous set value). | string |
"RESTRICTED" |
no |
cbr_zones | A list of CBR zones created by the module | list(object({ |
[] |
no |
enforce_allowed_ip_addresses | If true IP address restriction will be enforced, If false, traffic originated outside specified allowed IP address set is monitored with audit events sent to SIEM and Activity Tracker. After running in monitored mode to test this variable, it should then explicitly be set to true to enforce IP allow listing. | bool |
true |
no |
inactive_session_timeout | Specify how long (seconds) a user is allowed to stay logged in the account while being inactive/idle | string |
"7200" |
no |
max_sessions_per_identity | Defines the maximum allowed sessions per identity required by the account. Supports any whole number greater than '0', or 'NOT_SET' to unset account setting and use service default. | string |
"NOT_SET" |
no |
mfa | Specify Multi-Factor Authentication method in the account. Supported valid values are 'NONE' (No MFA trait set), 'TOTP' (For all non-federated IBMId users), 'TOTP4ALL' (For all users), 'LEVEL1' (Email based MFA for all users), 'LEVEL2' (TOTP based MFA for all users), 'LEVEL3' (U2F MFA for all users). | string |
"TOTP4ALL" |
no |
public_access_enabled | Enable/Disable public access group in which resources are open anyone regardless if they are member of your account or not | bool |
false |
no |
refresh_token_expiration | Defines the refresh token expiration in seconds | string |
"259200" |
no |
serviceid_creation | When restriction is enabled, only users, including the account owner, assigned the Service ID creator role on the IAM Identity Service can create service IDs. Allowed values are 'RESTRICTED', 'NOT_RESTRICTED', or 'NOT_SET' (to 'unset' a previous set value). | string |
"RESTRICTED" |
no |
shell_settings_enabled | Enable global shell settings to all users in the account. If skip_cloud_shell_calls is set to true, then this setting is ignored. |
bool |
false |
no |
skip_cloud_shell_calls | Skip Cloud Shell calls in the account. | bool |
false |
no |
user_mfa | Specify Multi-Factor Authentication method for specific users the account. Supported valid values are 'NONE' (No MFA trait set), 'TOTP' (For all non-federated IBMId users), 'TOTP4ALL' (For all users), 'LEVEL1' (Email based MFA for all users), 'LEVEL2' (TOTP based MFA for all users), 'LEVEL3' (U2F MFA for all users). Example of format is available here > https://github.com/terraform-ibm-modules/terraform-ibm-iam-account-settings#usage | set(object({ |
[] |
no |
user_mfa_reset | Set to true to delete all user MFA settings configured in the targeted account, and ignoring entries declared in var user_mfa |
bool |
false |
no |
Name | Description |
---|---|
account_allowed_ip_addresses | Current allowed IP addresses |
account_allowed_ip_addresses_control_mode | Current allowed IP addresses enforcement control mode, will indicate RESTRICT if account_allowed_ip_addresses_enforced is TRUE |
account_allowed_ip_addresses_enforced | Current allowed IP addresses enforcement state |
account_iam_access_token_expiration | Current access token expiration |
account_iam_active_session_timeout | Current active session timeout |
account_iam_apikey_creation | Current state of API key creation restriction |
account_iam_inactive_session_timeout | Current inactive session timeout |
account_iam_mfa | Current MFA setting |
account_iam_refresh_token_expiration | Current refresh token expiration |
account_iam_serviceid_creation | Current state of ServiceID creation restriction |
account_iam_user_mfa_list | Current list of users with specific MFA settings |
account_public_access | Current state of public access group setting |
account_shell_settings_status | Current state of global shell setting |
account_zones | Current CBR zones managed by the module |
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.