terraform-ibm-modules / terraform-ibm-cos
Configures an IBM Cloud Object Storage instance and bucket
License: Apache License 2.0
It would be good to have such an option to avoid common scenarios where we end up with a clash in bucket name (with an existing bucket name).
Looks like it's only possible to set add_bucket_name_suffix in the root level module. Can we expose this in the buckets and fscloud submodules as an optional attribute of the buckets config variable (default to false)?
terraform-ibm-cos/variables.tf
Line 135 in 753a10a
Suggest setting this to false, as it is going to prevent deleting objects from the COS bucket. Leave retention enabled only in the fscloud profile version at https://github.com/terraform-ibm-modules/terraform-ibm-cos/tree/main/profiles/fscloud
Expose cos instance guid as an output
https://github.com/terraform-ibm-modules/terraform-ibm-cos
By submitting this issue, you agree to follow our Code of Conduct
The variable cos_plan only allows standard and lite plans; however, it seems there is a third plan - "One Rate":
The One-rate plan offers large enterprises and ISVs (with multiple divisions or end-users) a predictable TCO based on one flat rate. The flat rate has built-in allowances for outbound bandwidth and operational requests. These allowances depend on the amount of storage capacity aggregated across multiple instances within a One Rate pricing region. There is no data retrieval charge.
If the resource key name that is passed as an input to the module is dynamically generated, for instance to use a constructed name, apply results in the following:
Line 77 in f45883e
The module at https://github.com/terraform-ibm-modules/terraform-ibm-cos/tree/main/profiles/fscloud only has support for regional buckets. Cross-regional buckets are also FSCloud compliant (and actually preferred when possible).
The COS DA has 3 flavors:
The following items for all of these DA flavors will need to be reviewed and updated where required:
When you are using the buckets or fscloud submodule, and you are creating more than 1 bucket with KMS encryption enabled, and have skip_iam_authorization_policy set to false for 1 bucket and set to true for the other, there is a timing issue where 1 bucket config will start to create the KMS auth policy first, while the other will start to create the bucket first, but bucket creation will fail because the auth policy may not yet be created.
We found this issue in terraform-ibm-modules/terraform-ibm-observability-da#8
Ideally we need to find a way where, if any bucket config is set to create an auth policy, NO buckets should get created until it's created. This logic would have to live in the buckets submodule I guess.
We probably should also fast fail if we detect that multiple buckets have skip_iam_authorization_policy set to false, since it's going to try and create duplicate policies and fail anyway.
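One way the buckets submodule could enforce both points, as an added example that is not the module's own code: a variable validation fails the plan when more than one bucket config wants to create the policy, and a depends_on keeps every bucket behind the policy resource. The bucket_configs shape and the other variable names are assumptions; the ibm_cos_bucket and ibm_iam_authorization_policy attributes are the provider's.

```hcl
# Added example, not code from terraform-ibm-cos. Assumes a bucket_configs list
# shaped like the buckets submodule's input; other variable names are hypothetical.
variable "bucket_configs" {
  type = list(object({
    bucket_name                   = string
    kms_encryption_enabled        = optional(bool, true)
    skip_iam_authorization_policy = optional(bool, true)
  }))

  # Fast fail at plan time: the COS -> KMS policy is one per instance pair, so a
  # second bucket config asking to create it would only produce a duplicate.
  validation {
    condition = length([
      for b in var.bucket_configs : b.bucket_name
      if b.kms_encryption_enabled && !b.skip_iam_authorization_policy
    ]) <= 1
    error_message = "At most one bucket config may set skip_iam_authorization_policy = false."
  }
}

variable "cos_instance_id" { type = string }            # CRN of the COS instance
variable "cos_instance_guid" { type = string }          # GUID of the COS instance, not the CRN
variable "existing_kms_instance_guid" { type = string }
variable "kms_key_crn" { type = string }
variable "region" { type = string }

locals {
  # true when some bucket config asked this submodule to create the policy
  policy_requested = anytrue([
    for b in var.bucket_configs : b.kms_encryption_enabled && !b.skip_iam_authorization_policy
  ])
  bucket_map = { for b in var.bucket_configs : b.bucket_name => b }
}

# Single policy for the whole submodule, created only if some bucket config asked for it.
resource "ibm_iam_authorization_policy" "cos_to_kms" {
  count                       = local.policy_requested ? 1 : 0
  source_service_name         = "cloud-object-storage"
  source_resource_instance_id = var.cos_instance_guid
  target_service_name         = "kms"
  target_resource_instance_id = var.existing_kms_instance_guid
  roles                       = ["Reader"]
}

# Every bucket waits on the policy resource. Referencing the resource as a whole is
# valid even when count is 0, so buckets that rely on a pre-existing policy still plan,
# and no encrypted bucket is created before the policy exists.
resource "ibm_cos_bucket" "bucket" {
  for_each             = local.bucket_map
  bucket_name          = each.value.bucket_name
  resource_instance_id = var.cos_instance_id
  region_location      = var.region
  storage_class        = "standard"
  key_protect          = each.value.kms_encryption_enabled ? var.kms_key_crn : null
  depends_on           = [ibm_iam_authorization_policy.cos_to_kms]
}
```

The optional() attribute defaults require Terraform 1.3 or later.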
bucket_endpoint was removed in version 6.0.0. However, this value is used by the provider to construct the URL used to access COS management APIs.
Allow the capability to configure allowed_ip for the COS bucket in main.tf (argument here: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cos_bucket#allowed_ip).
COS module: https://github.com/terraform-ibm-modules/terraform-ibm-cos/blob/main/main.tf#L127
Scenario to reproduce the issue:
Result: Notice you can see the instance and buckets
Expected: Access denied message when accessing the instance as requests are not coming from within VPC (but the internet in this case). As below (displayed when fixing the CBR rule manually)
Issue is that the module passes the instance id as input, instead of the guid. https://github.com/terraform-ibm-modules/terraform-ibm-cos/blob/main/main.tf#L236
See whether we could extend the automated test suite as well to catch this type of issue, e.g. trying to list the COS buckets in the instance as part of the test executing the complete example would catch this type of problem.
Allow to pass a list of buckets as input - loop within the module on creating that list.
Should work with creating a COS instance, or pointing to an existing COS instance.
The descriptions of the below variables in the FSCloud submodule seem to indicate they are required if 'create_cos_bucket' is true, however there is no create_cos_bucket variable in the FSCloud submodule. They are also not required variables at all (which I think should be correct - the user can optionally opt in).
variable "activity_tracker_crn" {
  type        = string
  description = "Activity tracker crn for COS bucket. Only required if 'create_cos_bucket' is true."
  default     = null
}
variable "sysdig_crn" {
  type        = string
  description = "Sysdig Monitoring crn for COS bucket. Only required if 'create_cos_bucket' is true."
  default     = null
}
Extract out the replication logic at https://github.com/terraform-ibm-modules/terraform-ibm-cos/tree/main/examples/replication into its own terraform submodule that consumers can consume
The COS module supports creating a resource key, however it does not output it in its outputs.
We should add 3 new outputs to output the name, ID and value of the key.
The problem we will face is when we output the key value as a sensitive value, the buckets module complains because it has the following output:
output "buckets" {
  description = "Map of buckets created in the Cloud Object Storage Instance"
  value       = module.buckets
}
The output will now contain a sensitive value and hence terraform says it should be marked as sensitive, which is not what we want. We should update the logic here so it only outputs bucket info. There is no need to include the resource key output in this output.
Ensure we also add the outputs to the fscloud submodule.
module "cos" {
  source            = "../../" # path to the module root, as used by the examples
  resource_group_id = module.resource_group.resource_group_id
  region            = var.region
  cos_instance_name = "${var.prefix}-cos"
  cos_tags          = var.resource_tags
  bucket_name       = "${var.prefix}-bucket"
  retention_enabled = true
}
This errors out with the following message.
validate_cross_region_retention = var.cross_region_location != "us" && var.retention_enabled ? tobool("Retention is currently only supported in the US location for cross region buckets.") : true
The issue is that at no point is the call trying to create a cross-region bucket.
Changes should go into solutions/secure-cross-regional-bucket and solutions/secure-regional-bucket only.
Add new optional variable ibmcloud_kms_api_key. This should be used in a new provider block like so:
provider "ibm" {
  alias            = "kms"
  ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key
  region           = local.kms_region # this value should be parsed from the existing KMS CRN
}
The kms module block should use the kms provider alias (it's already set up like this in the code actually).
Support creating cross account s2s auth policy (in KMS account):
If ibmcloud_kms_api_key is passed, and skip_iam_authorization_policy is set to false, then create a cross account s2s auth policy in the KMS account to allow the COS bucket reader access to the KMS instance GUID in the KMS account.
The skip_iam_authorization_policy value that's passed to the COS module itself is set to true, since we will create the cross account one in the DA itself.
Review all of the variable descriptions and readme markdowns to ensure it's clear that it supports KMS in a different account using the ibmcloud_kms_api_key variable.
This module currently exposes the public and private endpoint in the output. But there are also the direct endpoints that are available from COS. Could this be added to the output as well, please?
The root level module has a variable called management_endpoint_type_for_bucket which can be set to "public", "private", or "direct", however there doesn't seem to be any way to set this when creating a bucket using the buckets submodule. That means all buckets get created with "public", since this is the default value in the root level module.
FSCloud mandates KMS encryption, so we should expose the option kms_encryption_enabled in the bucket_configs in the FSCloud submodule. Instead default it to true in here.
NOTE: Some of the bucket_validations will need to be updated as part of this change.
Minor issue but could lead to confusion.
encryption_enabled controls whether KMS encryption is enabled (Key Protect / HPCS). If set to false, the COS bucket is still encrypted, but with IBM managed keys.
Currently "standard" is hardcoded in the code.
Some changes are coming in IBM-Cloud/terraform-provider-ibm#5277 which will require some refactoring of the module...
Current code works like this:
activity_tracker_crn and sysdig_crn: this is what determines if activity tracking or monitoring should be enabled for buckets.
Refactoring considerations:
activity_tracker_crn and metrics_monitoring_crn are now becoming optional by the provider. If they are not specified, it will default to the default AT or Sysdig instances in the account. So with this in mind, we should probably create new variables enable_metrics_monitoring and enable_activity_tracking which default to true (see how the upgrade test handles this).
management_events is also coming in the new provider drop for AT, so that should be set to true as well.
Rename sysdig_crn to monitoring_crn.
NB: modules/fscloud, modules/buckets, solutions/secure-cross-regional-bucket, solutions/secure-regional-bucket will all need updates based on the refactor.
The CBR UI does not currently display tags properly. The question came from one of the module consumers, and is likely to repeat, so it would be good to document it directly in the module README.md.
What:
Some downstream service DAs (e.g. Observability) require the CRN of the COS service instance. Only guid and id are output from the current DA. This feature request is to add CRN to the output values of the COS DA to make it easier to wire up downstream DAs.
Most of the time we want to create a Cloud Object Storage instance with a predetermined name that adheres to a project's naming conventions.
The current behaviour when creating a COS instance is to use the name environment-name-cos.
Existing consumers of this module that specify both create-cos-instance=true and cos-instance-name may see a change in behaviour. The current behaviour is to silently ignore the cos-instance-name provided. The new behaviour will be to change the name of the COS instance, which may result in an attempt to delete and re-create the instance.
Issue reference to the CBR rule in the 'complete' example at https://github.com/terraform-ibm-modules/terraform-ibm-cos/tree/main/examples/complete
I executed the example multiple times. When looking at the rule in the UI, I see many more VPCs than the one VPC created in the example.
To be consistent with other DAs, both the COS buckets DAs should ask for:
existing_kms_instance_crn (instead of existing_kms_instance_guid)
Derive the KMS region from existing_kms_instance_crn and remove the kms_region variable
All examples and the usage section go into a lot of complexity in terms of replication, encryption, etc.
It would be desirable to have a simple, basic example that creates an instance with a bucket with the minimum amount of inputs to set.
Review the diagram(s) in the reference-architectures
directory...
Support for attaching access tag
bucket_crn and bucket_id are impacted (at first glance, maybe more).
Line 19 in 753a10a
Suggest making them strings - otherwise callers need to specify the first index (module.cos_instance_bucket.bucket_crn[0]) in their code, which is untidy.
The COS module should support creating IAM as well as HMAC resource keys. Currently it only supports HMAC keys however IAM API Keys are the preferred method of authentication for COS as per docs.
Rename these variables (both root level module and fscloud submodule):
create_hmac_key -> create_resource_key
hmac_key_name -> resource_key_name
hmac_key_role -> resource_key_role
Create a new boolean variable called generate-hmac-credentials which should be used like this:
parameters = {
  "serviceid_crn" = var.resource_key_existing_serviceid_crn
  "HMAC"          = var.generate-hmac-credentials
}
Since IAM is the recommended key type, I think we should set generate-hmac-credentials to false by default (make sure we mention this in the release notes, as it will attempt to destroy any existing HMAC credentials and replace them with an IAM credential).
There is a need to have an actual check that the tags passed in the CBR rule are indeed used. So far, I think the assumption is that they are, but I don't think this has been actually verified. Perhaps, as part of this add a tag example here: https://github.com/terraform-ibm-modules/terraform-ibm-cos/tree/main/examples
As a user I should be able to create a COS instance only, without buckets, and associate it to a KMS instance.
The ibm_iam_authorization_policy to authorize the COS instance to read KMS keys should not be skipped.
I need something similar to this:
module "cos_instance" {
  source                              = "../../"
  cos_instance_name                   = "${var.prefix}-cos"
  create_cos_bucket                   = false
  resource_group_id                   = module.resource_group.resource_group_id
  existing_kms_instance_guid          = module.key_protect_all_inclusive.key_protect_guid
  region                              = var.region
  cross_region_location               = null
  activity_tracker_crn                = null
  resource_key_existing_serviceid_crn = ibm_iam_service_id.resource_key_existing_serviceid.crn
  skip_iam_authorization_policy       = false
}
I get the following error:
Error: Invalid combination of arguments
with module.cos_module["vpc-cos"].ibm_iam_authorization_policy.policy[0],
on .terraform/modules/cos_module/main.tf line 73, in resource "ibm_iam_authorization_policy" "policy":
73: target_service_name = local.kms_service
"target_service_name": one of resource_attributes,target_service_name must be specified
╷
│ Error: InvalidRequest: The region provided in the KMS key CRN does not provide cross region support.
│ status code: 400, request id: a6d17a58-f715-479e-bb0c-1fe53a149f00, host id:
│
│ with module.cos_bucket2.ibm_cos_bucket.cos_bucket[0],
│ on ../../main.tf line 77, in resource "ibm_cos_bucket" "cos_bucket":
│ 77: resource "ibm_cos_bucket" "cos_bucket" {
│
Extracted out from original issue at #201.
See whether we could extend the automated test suite as well to catch this type of issue, e.g. trying to list the COS buckets in the instance as part of the test executing the complete example would catch this type of problem.
This request is from BNPP
We want to create a resource_key with role "None" with Terraform.
This is impossible as role seems to not exist:
id: terraform-25711290
2024/05/16 14:50:54 Terraform apply | summary: '[ERROR] Error creating resource key when get role:
2024/05/16 14:50:54 Terraform apply | RoleDoesnotExist: None
2024/05/16 14:50:54 Terraform apply | was not found. Valid roles are Writer, Reader, Manager,
2024/05/16 14:50:54 Terraform apply | Content Reader, Object Reader, Object Writer, Service Configuration Reader, Viewer,
2024/05/16 14:50:54 Terraform apply | Administrator, Operator, Editor, Key Manager'
For more details refer to IBM-Cloud/terraform-provider-ibm#5391
They want to extend this support to this module as well.
Can we have the module only output the bucket name once the bucket is actually created and ready for use? That way consuming modules won't have to add an explicit depends_on in their code, since they always take the bucket name as input as opposed to the bucket ID.
To do this, we can add a depends_on in the output:
output "bucket_name" {
  description = "Bucket name"
  value       = local.bucket_name
  # depends_on in an output must reference a resource, not a local
  depends_on  = [ibm_cos_bucket.cos_bucket]
}
Tracking ongoing work at https://github.com/terraform-ibm-modules/terraform-ibm-cos/tree/fscloud
Most of the time we want to create a bucket when creating a COS instance. But this is not always the case. Make bucket creation optional
Hello there,
We are facing an issue with your module, especially regarding authorization as shown below:
ibm_resource_instance.kms_instance: Creating...
2023/01/27 22:03:52 Terraform apply | module.cos.ibm_resource_instance.cos_instance[0]: Creating...
2023/01/27 22:04:02 Terraform apply | ibm_resource_instance.kms_instance: Still creating... [10s elapsed]
2023/01/27 22:04:02 Terraform apply | module.cos.ibm_resource_instance.cos_instance[0]: Still creating... [10s elapsed]
2023/01/27 22:04:06 Terraform apply | ibm_resource_instance.kms_instance: Creation complete after 14s [id=crn:v1:bluemix:public:kms:eu-fr2:a/3f2cae45b0644f6d87aefcf404f5987f:ba24f111-f80e-4298-a301-ca20371a0d8d::]
2023/01/27 22:04:06 Terraform apply | data.ibm_kms_keys.encryption_data: Reading...
2023/01/27 22:04:06 Terraform apply | ibm_kms_key.encryption_key: Creating...
2023/01/27 22:04:07 Terraform apply | data.ibm_kms_keys.encryption_data: Read complete after 0s [id=ba24f111-f80e-4298-a301-ca20371a0d8d]
2023/01/27 22:04:07 Terraform apply | ibm_kms_key.encryption_key: Creation complete after 1s [id=crn:v1:bluemix:public:kms:eu-fr2:a/3f2cae45b0644f6d87aefcf404f5987f:ba24f111-f80e-4298-a301-ca20371a0d8d:key:8c87060a-6993-47b5-9ca6-1e2738973927]
2023/01/27 22:04:08 Terraform apply | module.cos.ibm_resource_instance.cos_instance[0]: Creation complete after 16s [id=crn:v1:bluemix:public:cloud-object-storage:global:a/3f2cae45b0644f6d87aefcf404f5987f:d20bf547-6b85-4f4b-877c-1475c4bde1ee::]
2023/01/27 22:04:08 Terraform apply | module.cos.ibm_resource_key.resource_key[0]: Creating...
2023/01/27 22:04:08 Terraform apply | module.cos.ibm_iam_authorization_policy.policy[0]: Creating...
2023/01/27 22:04:09 Terraform apply | module.cos.ibm_iam_authorization_policy.policy[0]: Creation complete after 1s [id=a77acd3f-d3c4-4c63-b1b5-0951bfee108d]
2023/01/27 22:04:09 Terraform apply | module.cos.ibm_cos_bucket.cos_bucket[0]: Creating...
2023/01/27 22:04:12 Terraform apply | module.cos.ibm_resource_key.resource_key[0]: Creation complete after 4s [id=crn:v1:bluemix:public:cloud-object-storage:global:a/3f2cae45b0644f6d87aefcf404f5987f:d20bf547-6b85-4f4b-877c-1475c4bde1ee:resource-key:3c34a882-8178-4ab8-b136-c010847e62b5]
2023/01/27 22:04:12 Terraform apply |
2023/01/27 22:04:12 Terraform apply | Error: ServiceNotAuthorized: The specified COS Service Instance does not have sufficient permissions to access the resource associated with the KMS key CRN.
2023/01/27 22:04:12 Terraform apply | status code: 401, request id: d32b07a0-e350-4e6a-aa86-787e467c0b4f, host id:
2023/01/27 22:04:12 Terraform apply |
2023/01/27 22:04:12 Terraform apply | with module.cos.ibm_cos_bucket.cos_bucket[0],
2023/01/27 22:04:12 Terraform apply | on .terraform/modules/cos/main.tf line 76, in resource "ibm_cos_bucket" "cos_bucket":
2023/01/27 22:04:12 Terraform apply | 76: resource "ibm_cos_bucket" "cos_bucket" {
2023/01/27 22:04:12 Terraform apply |
2023/01/27 22:04:12 Terraform APPLY error: Terraform APPLY error exit status 1
We found out that your authorization resource input for source_service_id is not correct: it should be the GUID of the COS instance instead of the ID.
It results in this authorization in your IAM:
Proposal:
locals {
  cos_instance_id = var.create_cos_instance == true ? tolist(ibm_resource_instance.cos_instance[*].id)[0] : var.existing_cos_instance_id
  # For an existing instance the GUID is the third ':'-separated field from the end of the CRN
  # (crn:v1:bluemix:public:cloud-object-storage:global:a/<account>:<guid>::)
  cos_instance_guid = var.create_cos_instance == true ? tolist(ibm_resource_instance.cos_instance[*].guid)[0] : element(split(":", var.existing_cos_instance_id), length(split(":", var.existing_cos_instance_id)) - 3)
  create_access_policy = var.encryption_enabled && var.create_cos_instance
}
# Create IAM authorization policy to allow the COS instance (identified by GUID) to read keys from Key Protect
resource "ibm_iam_authorization_policy" "policy" {
  count                       = local.create_access_policy ? 1 : 0
  source_service_name         = "cloud-object-storage"
  source_resource_instance_id = local.cos_instance_guid
  target_service_name         = "kms"
  target_resource_instance_id = var.existing_key_protect_instance_guid
  roles                       = ["Reader"]
}
Resulting in a correct authorization:
Let me know if you want me to do a PR.
Regards
endpoint_type should be defined in cos_bucket as it is defined in cos_bucket1. When the user specifies an endpoint_type along with enabling encryption on their cos_bucket, the endpoint_type will not take effect.