terraform-ibm-modules / terraform-ibm-event-notifications Goto Github PK

A module for creating IBM Cloud Event Notifications

License: Apache License 2.0

HCL 88.56% Go 11.44%

event-notifications ibm-cloud terraform terraform-module core-team supported graduated deployable-architecture

terraform-ibm-event-notifications's Introduction

IBM Cloud Event Notifications module

This module is used to create an IBM Cloud Event Notifications instance to filter and route event notifications from IBM Cloud services like monitoring, to communication channels like email, SMS, and webhooks. Event Notifications provides you information about critical events that occur in your IBM Cloud account or triggers automated actions by using webhooks. For more information, see Getting started with Event Notifications.

Overview

terraform-ibm-event-notifications

Usage

module "event_notification" {
  source            = "terraform-ibm-modules/event-notifications/ibm"
  version           = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  resource_group_id = "a8cff104f1764e98aac9ab879198230a" # pragma: allowlist secret
  name              = "event-notification"
  tags              = ["dev", "qa"]
  plan              = "lite"
  service_endpoints = "public"
  service_credential_names = {
                                "en_manager" : "Manager",
                                "en_writer" : "Writer",
                                "en_reader" : "Reader",
                             }
}

Required IAM access policies

You need the following permissions to run this module:

Account Management
- Event Notifications service
  - Platform Management Roles
    - Editor platform role access

To create service credentials, access the Event Notifications service, and access to call the Event Notifications API, you need the following access:

Service access roles
- Reader - View Event Notifications instance data
- Writer - View and edit an Event Notifications instance
- Channel Editor - View, create, and delete Event Notifications subscriptions
- Manager - View, edit, and delete data in an Event Notifications instance
- Service Configuration Reader - Read services configuration for Governance management
- Event Source Manager - Source integration with Event Notifications by using service to service authorization
- Event Notifications Publisher - Create notification and view notifications count
- Device Manager - Custom role to handle push device registration with the Event Notifications service

Requirements

Name	Version
terraform	>= 1.3.0
ibm	>= 1.65.0, < 2.0.0
time	>= 0.9.1

Modules

Name	Source	Version
cbr_rule	terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module	1.23.5

Resources

Name	Type
ibm_en_integration.en_kms_integration	resource
ibm_en_integration_cos.en_cos_integration	resource
ibm_iam_authorization_policy.cos_policy	resource
ibm_iam_authorization_policy.kms_policy	resource
ibm_resource_instance.en_instance	resource
ibm_resource_key.service_credentials	resource
time_sleep.wait_for_cos_authorization_policy	resource
time_sleep.wait_for_kms_authorization_policy	resource
ibm_en_integrations.en_integrations	data source
ibm_iam_account_settings.iam_account_settings	data source

Inputs

Name	Description	Type	Default	Required
cbr_rules	The list of context-based restrictions rules to create.	list(object({ description = string account_id = string rule_contexts = list(object({ attributes = optional(list(object({ name = string value = string }))) })) enforcement_mode = string }))	`[]`	no
cos_bucket_name	The name of an existing IBM Cloud Object Storage bucket which will be used for storage of failed delivery events. Required if `cos_integration_enabled` is set to true.	`string`	`null`	no
cos_endpoint	The endpoint URL for your bucket region. For more information, see https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-endpoints. Required if `cos_integration_enabled` is set to true.	`string`	`null`	no
cos_instance_id	The ID of the IBM Cloud Object Storage instance in which the bucket that is defined in the `cos_bucket_name` variable exists. Required if `cos_integration_enabled` is set to true.	`string`	`null`	no
cos_integration_enabled	Set to `true` to connect a Cloud Object Storage service instance to your Event Notifications instance to collect events that failed delivery. If set to false, no failed events will be captured.	`bool`	`false`	no
existing_kms_instance_crn	The CRN of the Hyper Protect Crypto Services or Key Protect instance. Required only if `var.kms_encryption_enabled` is set to `true`.	`string`	`null`	no
kms_encryption_enabled	Set to `true` to control the encryption keys that are used to encrypt the data that you store in the Event Notifications instance. If set to `false`, the data is encrypted by using randomly generated keys. For more information, see Managing encryption.	`bool`	`false`	no
kms_endpoint_url	The URL of the KMS endpoint to use when configuring KMS encryption. The Hyper Protect Crypto Services endpoint URL format is `https://api.private.<REGION>.hs-crypto.cloud.ibm.com:<port>` and the Key Protect endpoint URL format is `https://<REGION>.kms.cloud.ibm.com`.	`string`	`null`	no
name	The name of the Event Notifications instance that is created by this module.	`string`	n/a	yes
plan	The pricing plan of the Event Notifications instance. Possible values: `Lite`, `Standard`	`string`	`"standard"`	no
region	The IBM Cloud region where the Event Notifications resource is created. Possible values: `us-south` (Dallas), `eu-gb` (London), `eu-de` (Frankfurt), `au-syd` (Sydney), `eu-es` (Madrid)	`string`	`"us-south"`	no
resource_group_id	The ID of the resource group where the Event Notifications instance is created.	`string`	n/a	yes
root_key_id	The key ID of a root key, existing in the KMS instance passed in `var.existing_kms_instance_crn`, which will be used to encrypt the data encryption keys which are then used to encrypt the data. Required only if `var.kms_encryption_enabled` is set to `true`.	`string`	`null`	no
service_credential_names	The mapping of names and roles for service credentials that you want to create for the Event Notifications instance.	`map(string)`	`{}`	no
service_endpoints	Specify whether you want to enable public, or both public and private service endpoints. Possible values: `public`, `public-and-private`	`string`	`"public-and-private"`	no
skip_en_cos_auth_policy	Whether an IAM authorization policy is created for your Event Notifications instance to interact with your Object Storage bucket. Set to `true` to use an existing policy. Ignored if `cos_integration_enabled` is set to `false`.	`bool`	`false`	no
skip_en_kms_auth_policy	Set to `true` to skip the creation of an IAM authorization policy that permits all Event Notifications instances in the resource group to read the encryption key from the KMS instance. If set to `false`, specify a value for the KMS instance in the `existing_kms_instance_guid` variable. In addition, no policy is created if `kms_encryption_enabled` is set to `false`.	`bool`	`false`	no
tags	The list of tags to add to the Event Notifications instance.	`list(string)`	`[]`	no

Outputs

Name	Description
crn	The Event Notifications instance CRN.
event_notification_instance_name	The name of the Event Notifications instance.
guid	The globally unique identifier of the Event Notifications instance.
service_credentials_json	The service credentials JSON map.
service_credentials_object	The service credentials object.

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.

terraform-ibm-event-notifications's People

Contributors

Stargazers

Watchers

Forkers

hooznora

terraform-ibm-event-notifications's Issues

[EN] recent change in CBR enforcement_mode causing test to fail

Failing with error

Error: CreateRuleWithContext failed The rule enforcement mode 'report' is not supported for service 'event-notifications' and API types 'all'. Valid values are: disabled, enabled

Review all EN DA related documentation

The EN DA has 1 flavor currently:

standard

The following items will need to be reviewed and updated where required:

DA variable descriptions (in the DA's variables.tf file)
The information in the ibm_catalog.json (labels, descriptions, features etc). Are we happy with the flavor naming?

[EN] Bug in FScloud example when using private endpoint in CBR rule for schematics.

Review EN DA diagram

Review the diagram(s) in the reference-architectures directory...

Do they contain accurate relevant information
Are they using approved icons / objects?

[terraform-ibm-modules/terraform-ibm-event-notifications] Release Pipeline failed 2024-08-10-13:22

For details see: https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/actions/runs/10331937072

[EN DA] COS module should not be called if using an existing bucket

In the DA, I would expect a count around the cos module block for the use case where a user has passed an existing bucket with the existing_cos_bucket_name variable. If user is using an existing bucket, I see no reason why the COS module would need to be called.

Support passing existing event notification instance

Description

Add support to pass existing event-notification instance.

New or affected modules

By submitting this issue, you agree to follow our Code of Conduct

[terraform-ibm-event-notifications] - Revisit failing CRA check around COS network access restriction

In #157 we are ignoring the rule Check whether Cloud Object Storage network access is restricted to a specific IP range in the CRA ignore rule file. We need to finalise what to do here, since network access restriction should be done by CBRs. However should the DA actually support creating the CBRs, or is the idea that the CBRs would be in place by the time the DA ran?

[terraform-ibm-event-notifications] Add estimated-usage.yml to improve the calculated cost estimation

We need to put in a yaml file like this : https://github.com/terraform-ibm-modules/terraform-ibm-scc-da/blob/main/estimated-usage.yml to help with COS bucket estimations

Update the provider version to use minimum 1.65.0

In the CBR module, the provider constraints are updated to >= 1.65.0, hence the need to update.

COS/KMS resources should not be provisioned when existing EN CRN is supplied

When the module is used with the existing Event Noitications instance CRN, the COS and KMS parameters should be ignored and the module should not try to provision the related resources (COS instances, buckets, S2S authorizations, KMS keys)

Currently it creates all of the above even though it cannot be connected to the existing EN instance.

Affected modules

Terraform CLI and Terraform provider versions

Terraform version:
Provider version:

Terraform output

Debug output

Expected behavior

Actual behavior

Steps to reproduce (including links and screen captures)

Run terraform apply

Anything else

By submitting this issue, you agree to follow our Code of Conduct

Update upgrade test to test the DA instead of example

We need an upgrade test for the DA - just replace the current upgrade (which deploys complete example) to deploy the DA instead

Add support to create EN topics, destinations and subscriptions

IBM provider supports it, so should be exposed in this module. See https://cloud.ibm.com/docs/event-notifications?topic=event-notifications-en-tera-workwith

Needs to be added to root level module, fscloud submodule(modules/fscloud) and the DA (solutions/standard)

[terraform-ibm-event-notifications] Add support to connect to a COS service instance

To collect the events which failed delivery, you need to connect a Cloud Object Storage Services instance. See https://cloud.ibm.com/docs/event-notifications?topic=event-notifications-en-cfe-integrations

The module should support creating the authorization policy to grant access between services before integrating with IBM Cloud Object Storage. For more information, see Using authorizations to grant access between services. - suggest renaming skip_iam_authorization_policy to skip_en_kms_auth_policy, and add new variable skip_en_cos_auth_policy

While adding this support, make sure to update the DA in solutions/standard to The DA optionally take in an existing COS instance, otherwise create one

Event Notifications DA feedback

existing_resource_group -> use_existing_resource_group
existing_kms_root_key_id -> Can we ask for the CRN to be consistent with other DAs and parse the ID from it? Also make this a required variable in ibm_catalog.json to improve user experience (even though its not required if using the DA to create the key)
Parse the KMS region from the key or instance crn and remove the kms_region input variable

[EN DA] Add support to store service credentials in secrets manager

service_credential_names DA variable is a complex object type, and will be hard for consumers in Projects to know what format should be used for the values. I suggest that we add some supporting documentation for it, the same way we did here. Then we can update the variable description to point to the supporting doc
Once terraform-ibm-modules/terraform-ibm-secrets-manager#157 is merged we should be able to call that module in the DA to add service credentials to a secrets manager secret

[terraform-ibm-event-notifications] Add support to create KMS key in external account

Changes should go into solutions/standard only..

Add new optional variable ibmcloud_kms_api_key. This should be used in a new provider block like so:

provider "ibm" {
  alias            = "kms"
  ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key
  region           = local.kms_region # this value should be parsed from the existing KMS CRN 
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = var.region
}

The kms module block should use the kms provider alias.
Support creating cross account s2s auth policy (in KMS account):
- if value for ibmcloud_kms_api_key is passed, and skip_iam_authorization_policy is set to false, then create a cross account s2s auth policy in the KMS account to allow the exact Event Notification instance GUID reader access to the KMS instance GUID in the KMS account.
- Ensure that if doing cross account auth policy, the skip_iam_authorization_policy value thats passed to the EN module itself is set to true since we will create the cross account one in the DA itself.
Review all of the variable descriptions and readme markdowns to ensure its clear that it supports KMS in a different account using the ibmcloud_kms_api_key variable.

Bug during destroy

Recent started seeing the below error during continuous and PR tests

TestRunFSCloudExample 2024-06-18T05:17:56Z command.go:185: module.event_notification.module.event_notification.ibm_en_destination_cos.cos_en_destination[0]: Refreshing state... [id=8396983a-2677-4f1f-90ac-9f0a2a300a0c/28744ecb-d0f1-4af9-a638-b495ddeef0c5]
TestRunCompleteExample 2024-06-18T05:17:57Z command.go:185: ibm_is_vpc.example_vpc: Still destroying... [id=r010-ba2a1a89-8642-454d-88ac-83ba672a04a4, 10s elapsed]
TestRunCompleteExample 2024-06-18T05:18:00Z command.go:185: ibm_is_vpc.example_vpc: Destruction complete after 13s
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: ╷
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │ Error: DeleteDestinationWithContext failed Unauthorized, service to service is not enabled
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │ {
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │     "StatusCode": 401,
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │     "Headers": {
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "Access-Control-Allow-Credentials": [
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             "true"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         ],
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "Access-Control-Allow-Headers": [
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             "*"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         ],
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "Access-Control-Allow-Methods": [
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             "POST, GET, OPTIONS, PUT, DELETE, PATCH"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         ],
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "Access-Control-Allow-Origin": [
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             "*"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         ],
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "Cache-Control": [
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             "No-Store"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         ],
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "Cf-Cache-Status": [
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             "DYNAMIC"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         ],
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "Cf-Ray": [
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             "8958d058aeb4ea42-DFW"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         ],
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "Content-Length": [
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             "236"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         ],
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "Content-Security-Policy": [
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             "script-src * 'unsafe-inline', frame-ancestors 'self'; form-action 'self'"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         ],
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "Content-Type": [
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             "application/json"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         ],
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "Date": [
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             "Tue, 18 Jun 2024 05:17:36 GMT"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         ],
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "Server": [
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             "cloudflare"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         ],
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "Strict-Transport-Security": [
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             "max-age=31536000; includeSubDomains"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         ],
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "X-Envoy-Upstream-Service-Time": [
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             "1009"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         ],
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "X-Request-Id": [
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             "f3ec08b8-2fc2-42eb-b30a-b4e680fbb119"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         ]
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │     },
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │     "Result": {
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "errors": [
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             {
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │                 "code": "unauthorized_due_to_s2s",
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │                 "message": "Unauthorized, service to service is not enabled",
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │                 "more_info": "https://cloud.ibm.com/apidocs/event-notifications"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │             }
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         ],
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "status_code": 401,
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │         "trace": "1ea10146-b675-485f-a93d-69448cf078e0"
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │     },
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │     "RawResult": null
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │ }
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │ 
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │ 
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: │ 
TestRunCompleteExample 2024-06-18T05:18:01Z command.go:185: ╵
TestRunCompleteExample 2024-06-18T05:18:01Z retry.go:99: Returning due to fatal error: FatalError{Underlying: error while running command: exit status 1; ╷
│ Error: DeleteDestinationWithContext failed Unauthorized, service to service is not enabled