terraform-ibm-modules / terraform-ibm-cos


Configures an IBM Cloud Object Storage instance and bucket

License: Apache License 2.0

HCL 83.87% Go 11.76% Shell 4.37%
terraform-module ibm-cloud cloud-object-storage cos-bucket terraform core-team graduated supported bucket cos

terraform-ibm-cos's Issues

Add support for One-rate plan

Description

The variable cos_plan only allows the standard and lite plans; however, it seems there is a third plan - "One Rate":

The One-rate plan offers large enterprises and ISVs (with multiple divisions or end-users) a predictable TCO based on one flat rate. The flat rate has built-in allowances for outbound bandwidth and operational requests. These allowances depend on the amount of storage capacity aggregated across multiple instances within a One Rate pricing region. There is no data retrieval charge.

New or affected modules

https://github.com/terraform-ibm-modules/terraform-ibm-cos



Timing issue with auth policy when creating multiple buckets with buckets submodule

When you are using the buckets or fscloud submodule, and you are creating more than 1 bucket with KMS encryption enabled, and have skip_iam_authorization_policy set to false for 1 bucket and set to true for the other, there is a timing issue: 1 bucket config will start to create the KMS auth policy first, while the other will start to create the bucket first, but bucket creation will fail because the auth policy may not yet be created.

We found this issue in terraform-ibm-modules/terraform-ibm-observability-da#8

Ideally we need to find a way where, if any bucket config is set to create an auth policy, NO buckets should get created until it's created. This logic would have to live in the buckets submodule I guess.

We probably should also fast fail if we detect that multiple buckets have skip_iam_authorization_policy set to false, since it's going to try and create duplicate policies and fail anyway.

CBR rules are not applied to bucket and instance (incorrect ids passed in the rules)

Scenario to reproduce the issue:

  1. Execute the complete examples at https://github.com/terraform-ibm-modules/terraform-ibm-cos/tree/main/examples/complete - this example creates 3 CBR rules (one for instance, and one per bucket) that are scoped to allow access only from a VPC (created in the example as well)
  2. Change the CBR enforcement mode to 'enabled' (the example sets it to reporting by default)
  3. Navigate to the COS instance from your local browser (so that you're not in the VPC) - from the IBM Cloud console for instance.

Result: Notice you can see the instance and buckets
Expected: Access denied message when accessing the instance as requests are not coming from within VPC (but the internet in this case). As below (displayed when fixing the CBR rule manually)


The issue is that the module passes the instance id as input, instead of the guid. https://github.com/terraform-ibm-modules/terraform-ibm-cos/blob/main/main.tf#L236

Affected modules

  • terraform-ibm-cos
  • Seeing the same problem across all modules using the same CBR code - so it would be good to do a sweep around

See whether we could extend the automated test suite as well to catch this type of issue - e.g. trying to list the COS buckets in the instance as part of the test executing the complete example would catch this type of problem.

Variable descriptions in COS fscloud submodule need to be updated

The descriptions of the variables below in the FSCloud submodule seem to indicate they are required if 'create_cos_bucket' is true; however, there is no create_cos_bucket variable in the FSCloud submodule. They are also not required variables at all (which I think is correct - the user can optionally opt in).

variable "activity_tracker_crn" {
  type        = string
  description = "Activity tracker crn for COS bucket. Only required if 'create_cos_bucket' is true."
  default     = null
}

variable "sysdig_crn" {
  type        = string
  description = "Sysdig Monitoring crn for COS bucket. Only required if 'create_cos_bucket' is true."
  default     = null
}

Expose COS resource key details as outputs

The COS module supports creating a resource key, however it does not output it in its outputs.
We should add 3 new outputs to output the name, ID and value of the key.

The problem we will face is when we output the key value as a sensitive value, the buckets module complains because it has the following output:

output "buckets" {
  description = "Map of buckets created in the Cloud Object Storage Instance"
  value       = module.buckets
}

The output will now contain a sensitive value, and hence Terraform says it should be marked as sensitive, which is not what we want. We should update the logic here so it only outputs bucket info. There is no need to include the resource key output in this output.

Ensure we also add the outputs to the fscloud submodule.

Retention and cross-region error message

Description

module "cos" {
  source                 = "terraform-ibm-modules/cos/ibm" # module source; omitted in the original snippet
  resource_group_id      = module.resource_group.resource_group_id
  region                 = var.region
  cos_instance_name      = "${var.prefix}-cos"
  cos_tags               = var.resource_tags
  bucket_name            = "${var.prefix}-bucket"
  retention_enabled      = true
}

This errors out with the following message:

validate_cross_region_retention = var.cross_region_location != "us" && var.retention_enabled ? tobool("Retention is currently only supported in the US location for cross region buckets.") : true

The issue is that at no point is the call trying to create a cross-region bucket.

Update COS bucket DAs to support to creating KMS key in external account

Changes should go into solutions/secure-cross-regional-bucket and solutions/secure-regional-bucket only.

  • Add new optional variable ibmcloud_kms_api_key. This should be used in a new provider block like so:

    provider "ibm" {
      alias            = "kms"
      ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key
      region           = local.kms_region # this value should be parsed from the existing KMS CRN
    }
    
  • The kms module block should use the kms provider alias (it's already set up like this in the code actually).

  • Support creating cross account s2s auth policy (in KMS account):

    • if value for ibmcloud_kms_api_key is passed, and skip_iam_authorization_policy is set to false, then create a cross account s2s auth policy in the KMS account to allow the COS bucket reader access to the KMS instance GUID in the KMS account.
    • Ensure that if doing a cross account auth policy, the skip_iam_authorization_policy value that's passed to the COS module itself is set to true, since we will create the cross account one in the DA itself.
  • Review all of the variable descriptions and readme markdowns to ensure it's clear that it supports KMS in a different account using the ibmcloud_kms_api_key variable.

buckets submodule is missing the ability to set the endpoint type to use

The root level module has a variable called management_endpoint_type_for_bucket which can be set to "public", "private", or "direct"; however, there doesn't seem to be any way to set this when creating a bucket using the buckets submodule. That means all buckets get created with "public", since this is the default value in the root level module.

'encryption_enabled' field name is misleading

Minor issue but could lead to confusion.

encryption_enabled controls whether KMS encryption is enabled (Key Protect / HPCS). If set to false, the COS bucket is still encrypted, but with IBM managed keys.

COS module needs updates around monitoring and activity tracking for buckets

Some changes are coming in IBM-Cloud/terraform-provider-ibm#5277 which will require some refactoring of the module...

Current code works like this:

  • When values are passed for activity_tracker_crn and sysdig_crn, this is what determines if activity tracking or monitoring should be enabled for buckets.

Refactoring considerations:

  • activity_tracker_crn and metrics_monitoring_crn are now becoming optional by the provider. If they are not specified, it will default to the default AT or Sysdig instances in the account. So with this in mind, we should probably create new variables enable_metrics_monitoring and enable_activity_tracking which default to true (see how upgrade test handles this).
  • management_events is also coming in new provider drop for AT, so that should be set to true as well.
  • take this opportunity to rename sysdig_crn to monitoring_crn

NB: modules/fscloud, modules/buckets, solutions/secure-cross-regional-bucket, solutions/secure-regional-bucket will all need updates based on the refactor.

Add output var for COS instance CRN

Description

Some downstream service DAs (e.g. Observability) require the CRN of the COS service instance. Only guid and id are output from the current DA. This feature request is to add the CRN to the output values of the COS DA to make it easier to wire up downstream DAs.

New or affected modules

terraform-ibm-cos


Allow naming of cos instance created by terraform-ibm-cos

Description

Most of the time we want to create a Cloud Object Storage instance with a predetermined name that adheres to a project's naming conventions.

The current behaviour when creating a COS instance is to use the name environment-name-cos.

New or affected modules

https://github.com/terraform-ibm-modules/terraform-ibm-cos

Other considerations

Existing consumers of this module that specify both create-cos-instance=true and cos-instance-name may see a change in behaviour. The current behaviour is to silently ignore the cos-instance-name provided. The new behaviour will be to change the name of the COS instance, which may result in an attempt to delete and re-create the instance.

Programmatically determine the `kms_region` from the CRN in COS DA

To be consistent with other DAs, both the COS buckets DAs should ask for:

  • existing_kms_instance_crn (instead of existing_kms_instance_guid)
  • Parse the KMS GUID from existing_kms_instance_crn
  • Parse the KMS region from existing_kms_instance_crn and remove the kms_region variable
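One way to carry this item and the cross-account KMS DA item above into working Terraform: derive the KMS GUID, region and account from existing_kms_instance_crn, point the kms provider alias at that account, create the service-to-service authorization there with GUIDs rather than full CRNs, and make the bucket wait for it. This is an added example, not the module's or the DA's own code; var.existing_kms_instance_crn, var.cos_instance_crn, var.ibmcloud_api_key, var.ibmcloud_kms_api_key, var.skip_iam_authorization_policy, var.bucket_name, var.region and var.kms_key_crn are assumed inputs, and the CRN field positions follow the CRNs quoted in the apply logs on this page.

```hcl
# Added example (not the module's own code). Assumed inputs: var.existing_kms_instance_crn,
# var.cos_instance_crn, var.ibmcloud_api_key, var.ibmcloud_kms_api_key,
# var.skip_iam_authorization_policy, var.bucket_name, var.region, var.kms_key_crn.

variable "existing_kms_instance_crn" {
  type        = string
  description = "CRN of the existing Key Protect or HPCS instance (GUID and region are derived from it)."

  validation {
    # A CRN has ten colon-separated fields; field 4 names the service.
    condition = (
      length(split(":", var.existing_kms_instance_crn)) == 10 &&
      contains(["kms", "hs-crypto"], split(":", var.existing_kms_instance_crn)[4])
    )
    error_message = "existing_kms_instance_crn must be a Key Protect (kms) or HPCS (hs-crypto) instance CRN."
  }
}

locals {
  # Field layout: crn:v1:bluemix:public:<service>:<region>:a/<account>:<guid>:<type>:<resource>
  kms_crn_parts  = split(":", var.existing_kms_instance_crn)
  kms_service    = local.kms_crn_parts[4]
  kms_region     = local.kms_crn_parts[5]
  kms_account_id = trimprefix(local.kms_crn_parts[6], "a/")
  kms_guid       = local.kms_crn_parts[7]

  cos_crn_parts  = split(":", var.cos_instance_crn)
  cos_account_id = trimprefix(local.cos_crn_parts[6], "a/")
  cos_guid       = local.cos_crn_parts[7] # the GUID, not the full CRN, is what IAM and CBR expect
}

# Second provider configuration for the account that owns the KMS instance.
# Falls back to the main API key when no separate KMS key is given (same account).
provider "ibm" {
  alias            = "kms"
  ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key
  region           = local.kms_region
}

# Service-to-service authorization created in the KMS account. Naming the COS
# account explicitly is what makes the policy valid across accounts.
resource "ibm_iam_authorization_policy" "cos_to_kms" {
  count                       = var.skip_iam_authorization_policy ? 0 : 1
  provider                    = ibm.kms
  source_service_name         = "cloud-object-storage"
  source_service_account      = local.cos_account_id
  source_resource_instance_id = local.cos_guid
  target_service_name         = local.kms_service
  target_resource_instance_id = local.kms_guid
  roles                       = ["Reader"]
}

# The bucket waits for the policy so it cannot race it (the ServiceNotAuthorized
# and timing failures reported on this page). resource_instance_id takes the instance CRN.
resource "ibm_cos_bucket" "bucket" {
  bucket_name          = var.bucket_name
  resource_instance_id = var.cos_instance_crn
  region_location      = var.region
  storage_class        = "standard"
  kms_key_crn          = var.kms_key_crn

  depends_on = [ibm_iam_authorization_policy.cos_to_kms]
}
```

When var.ibmcloud_kms_api_key is null the kms alias resolves to the same account, and the policy still works because source_service_account then equals the current account.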

Create a simple basic example for the module

Description

All examples and the usage section go into a lot of complexity in terms of replication, encryption, etc.

It would be desirable to have a simple, basic example that creates an instance with a bucket with the minimum amount of inputs to set.

Review COS DA diagrams

Review the diagram(s) in the reference-architectures directory...

  • Do they contain accurate, relevant information?
  • Are they using approved icons / objects?

Add support to COS module to create IAM based resource key

The COS module should support creating IAM as well as HMAC resource keys. Currently it only supports HMAC keys; however, IAM API keys are the preferred method of authentication for COS as per the docs.

Proposal:

Rename these variables (both root level module and fscloud submodule)

  • create_hmac_key -> create_resource_key
  • hmac_key_name -> resource_key_name
  • hmac_key_role -> resource_key_role

Create a new boolean variable called generate-hmac-credentials which should be used like this:

parameters = {
  "serviceid_crn" = var.resource_key_existing_serviceid_crn
  "HMAC"          = var.generate-hmac-credentials
}

Since IAM is the recommended key type, I think we should set generate-hmac-credentials to false by default (make sure we mention this in the release notes, as it will attempt to destroy any existing hmac credentials and replace it with an IAM credential)

Double check that access tags are indeed evaluated in the CBR rules

Description

There is a need to have an actual check that the tags passed in the CBR rule are indeed used. So far, I think the assumption is that they are, but I don't think this has been actually verified. Perhaps, as part of this add a tag example here: https://github.com/terraform-ibm-modules/terraform-ibm-cos/tree/main/examples


Cannot create COS instance only with skip_iam_authorization_policy=false in v6.0.0

Affected modules

  • COS

Terraform CLI and Terraform provider versions

  • Terraform version: v1.4.5
  • Provider version: v1.51.0

Expected behavior

As a user I should be able to create a COS instance only without buckets and associate it to a KMS instance.

The ibm_iam_authorization_policy to authorize COS instance to read KMS keys should not be skipped.

I need something similar to this:
module "cos_instance" {
  source                              = "../../"
  cos_instance_name                   = "${var.prefix}-cos"
  create_cos_bucket                   = false
  resource_group_id                   = module.resource_group.resource_group_id
  existing_kms_instance_guid          = module.key_protect_all_inclusive.key_protect_guid
  region                              = var.region
  cross_region_location               = null
  activity_tracker_crn                = null
  resource_key_existing_serviceid_crn = ibm_iam_service_id.resource_key_existing_serviceid.crn
  skip_iam_authorization_policy       = false
}

Actual behavior

I get the following error:
Error: Invalid combination of arguments

with module.cos_module["vpc-cos"].ibm_iam_authorization_policy.policy[0],
on .terraform/modules/cos_module/main.tf line 73, in resource "ibm_iam_authorization_policy" "policy":
73: target_service_name = local.kms_service

"target_service_name": one of resource_attributes,target_service_name must be specified


Complete example does not execute when region is set to eu-gb


│ Error: InvalidRequest: The region provided in the KMS key CRN does not provide cross region support.
│ status code: 400, request id: a6d17a58-f715-479e-bb0c-1fe53a149f00, host id:

│ with module.cos_bucket2.ibm_cos_bucket.cos_bucket[0],
│ on ../../main.tf line 77, in resource "ibm_cos_bucket" "cos_bucket":
│ 77: resource "ibm_cos_bucket" "cos_bucket" {

Automated test suites for CBR rules

Description

Extracted out from the original issue at #201.

See whether we could extend the automated test suite as well to catch this type of issue - e.g. trying to list the COS buckets in the instance as part of the test executing the complete example would catch this type of problem.

Support creation of resource key with "NONE" role

This request is from BNPP.

We want to create a resource_key with role "None" with Terraform.
This is impossible, as the role seems not to exist:

[17:01] ABDELKRIM Habib
id: terraform-25711290
2024/05/16 14:50:54 Terraform apply | summary: '[ERROR] Error creating resource key when get role:
2024/05/16 14:50:54 Terraform apply | RoleDoesnotExist: None
2024/05/16 14:50:54 Terraform apply | was not found. Valid roles are Writer, Reader, Manager,
2024/05/16 14:50:54 Terraform apply | Content Reader, Object Reader, Object Writer, Service Configuration Reader, Viewer,
2024/05/16 14:50:54 Terraform apply | Administrator, Operator, Editor, Key Manager'

For more details, refer to IBM-Cloud/terraform-provider-ibm#5391.

They want this support extended to this module also.

Don't output the bucket name until bucket is created

Can we have the module only output the bucket name once the bucket is actually created and ready for use? That way consuming modules won't have to add an explicit depends_on in their code, since they always take the bucket name as input as opposed to the bucket ID.

To do this, we can add a depends_on in the output:

output "bucket_name" {
  description = "Bucket name"
  value       = local.bucket_name
  # depends_on accepts resource references only, not locals; the bucket resource
  # name matches the one shown in the apply logs on this page
  depends_on  = [ibm_cos_bucket.cos_bucket]
}

Authorization COS - KMS malformed

Hello there,

We are facing an issue with your module, especially regarding authorization as shown below:

 ibm_resource_instance.kms_instance: Creating...
 2023/01/27 22:03:52 Terraform apply | module.cos.ibm_resource_instance.cos_instance[0]: Creating...
 2023/01/27 22:04:02 Terraform apply | ibm_resource_instance.kms_instance: Still creating... [10s elapsed]
 2023/01/27 22:04:02 Terraform apply | module.cos.ibm_resource_instance.cos_instance[0]: Still creating... [10s elapsed]
 2023/01/27 22:04:06 Terraform apply | ibm_resource_instance.kms_instance: Creation complete after 14s [id=crn:v1:bluemix:public:kms:eu-fr2:a/3f2cae45b0644f6d87aefcf404f5987f:ba24f111-f80e-4298-a301-ca20371a0d8d::]
 2023/01/27 22:04:06 Terraform apply | data.ibm_kms_keys.encryption_data: Reading...
 2023/01/27 22:04:06 Terraform apply | ibm_kms_key.encryption_key: Creating...
 2023/01/27 22:04:07 Terraform apply | data.ibm_kms_keys.encryption_data: Read complete after 0s [id=ba24f111-f80e-4298-a301-ca20371a0d8d]
 2023/01/27 22:04:07 Terraform apply | ibm_kms_key.encryption_key: Creation complete after 1s [id=crn:v1:bluemix:public:kms:eu-fr2:a/3f2cae45b0644f6d87aefcf404f5987f:ba24f111-f80e-4298-a301-ca20371a0d8d:key:8c87060a-6993-47b5-9ca6-1e2738973927]
 2023/01/27 22:04:08 Terraform apply | module.cos.ibm_resource_instance.cos_instance[0]: Creation complete after 16s [id=crn:v1:bluemix:public:cloud-object-storage:global:a/3f2cae45b0644f6d87aefcf404f5987f:d20bf547-6b85-4f4b-877c-1475c4bde1ee::]
 2023/01/27 22:04:08 Terraform apply | module.cos.ibm_resource_key.resource_key[0]: Creating...
 2023/01/27 22:04:08 Terraform apply | module.cos.ibm_iam_authorization_policy.policy[0]: Creating...
 2023/01/27 22:04:09 Terraform apply | module.cos.ibm_iam_authorization_policy.policy[0]: Creation complete after 1s [id=a77acd3f-d3c4-4c63-b1b5-0951bfee108d]
 2023/01/27 22:04:09 Terraform apply | module.cos.ibm_cos_bucket.cos_bucket[0]: Creating...
 2023/01/27 22:04:12 Terraform apply | module.cos.ibm_resource_key.resource_key[0]: Creation complete after 4s [id=crn:v1:bluemix:public:cloud-object-storage:global:a/3f2cae45b0644f6d87aefcf404f5987f:d20bf547-6b85-4f4b-877c-1475c4bde1ee:resource-key:3c34a882-8178-4ab8-b136-c010847e62b5]
 2023/01/27 22:04:12 Terraform apply | 
 2023/01/27 22:04:12 Terraform apply | Error: ServiceNotAuthorized: The specified COS Service Instance does not have sufficient permissions to access the resource associated with the KMS key CRN.
 2023/01/27 22:04:12 Terraform apply | 	status code: 401, request id: d32b07a0-e350-4e6a-aa86-787e467c0b4f, host id: 
 2023/01/27 22:04:12 Terraform apply | 
 2023/01/27 22:04:12 Terraform apply |   with module.cos.ibm_cos_bucket.cos_bucket[0],
 2023/01/27 22:04:12 Terraform apply |   on .terraform/modules/cos/main.tf line 76, in resource "ibm_cos_bucket" "cos_bucket":
 2023/01/27 22:04:12 Terraform apply |   76: resource "ibm_cos_bucket" "cos_bucket" {
 2023/01/27 22:04:12 Terraform apply | 
 2023/01/27 22:04:12 Terraform APPLY error: Terraform APPLY errorexit status 1

We found out that your authorization resource input for the source_service_id is not correct: it should be the GUID of the COS instance instead of the ID.

It results in this authorization in your IAM:


Proposal

locals {
  cos_instance_id   = var.create_cos_instance == true ? tolist(ibm_resource_instance.cos_instance[*].id)[0] : var.existing_cos_instance_id
  # For an existing instance the GUID is the third field from the end of the CRN
  # (crn:v1:bluemix:public:cloud-object-storage:global:a/<account>:<guid>::)
  cos_instance_guid = var.create_cos_instance == true ? tolist(ibm_resource_instance.cos_instance[*].guid)[0] : element(split(":", var.existing_cos_instance_id), length(split(":", var.existing_cos_instance_id)) - 3)
  create_access_policy = var.encryption_enabled && var.create_cos_instance
}

# Create IAM authorization policy to allow the COS instance to read keys from Key Protect
resource "ibm_iam_authorization_policy" "policy" {
  count                       = local.create_access_policy ? 1 : 0
  source_service_name         = "cloud-object-storage"
  source_resource_instance_id = local.cos_instance_guid
  target_service_name         = "kms"
  target_resource_instance_id = var.existing_key_protect_instance_guid
  roles                       = ["Reader"]
}

Resulting in a correct authorization.

Let me know if you want me to do a PR.

Regards
