WIP

Author: whoffler

ibm_catalog.json

@@ -42,7 +42,7 @@
       "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/issues](https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/issues). Please note this product is not supported via the IBM Cloud Support Center.",
       "flavors": [
         {
-          "label": "Standard",
+          "label": "Security-enforced",
           "name": "standard",
           "install_type": "fullstack",
           "working_directory": "solutions/standard",

main.tf

@@ -1,5 +1,5 @@
 ###########################################################
-# This file creates an event notificaiton resource instance
+# This file creates an event notification resource instance
 ###########################################################
 locals {
   # tflint-ignore: terraform_unused_declarations

solutions/standard/DA-cbr_rules.md renamed to solutions/Security-enforced/DA-cbr_rules.md

@@ -0,0 +1,62 @@
+# Configuring complex inputs for Event Notifications in IBM Cloud projects
+
+Several optional input variables in the IBM Cloud [Event Notifications deployable architecture](https://cloud.ibm.com/catalog#deployable_architecture) use complex object types. You specify these inputs when you configure deployable architecture.
+
+* Context-Based Restrictions Rules (`cbr_rules`)
+
+
+## Rules For Context-Based Restrictions <a name="cbr_rules"></a>
+
+The `cbr_rules` input variable allows you to provide a rule for the target service to enforce access restrictions for the service based on the context of access requests. Contexts are criteria that include the network location of access requests, the endpoint type from where the request is sent, etc.
+
+- Variable name: `cbr_rules`.
+- Type: A list of objects. Allows only one object representing a rule for the target service
+- Default value: An empty list (`[]`).
+
+### Options for cbr_rules
+
+  - `description` (required): The description of the rule to create.
+  - `account_id` (required): The IBM Cloud Account ID
+  - `rule_contexts` (required): (List) The contexts the rule applies to
+      - `attributes` (optional): (List) Individual context attributes
+        - `name` (required): The attribute name.
+        - `value`(required): The attribute value.
+
+  - `enforcement_mode` (required): The rule enforcement mode can have the following values:
+      - `enabled` - The restrictions are enforced and reported. This is the default.
+      - `disabled` - The restrictions are disabled. Nothing is enforced or reported.
+      - `report` - The restrictions are evaluated and reported, but not enforced.
+  - `operations` (optional): The operations this rule applies to
+    - `api_types`(required): (List) The API types this rule applies to.
+        - `api_type_id`(required):The API type ID
+
+
+### Example Rule For Context-Based Restrictions Configuration
+
+```hcl
+cbr_rules = [
+  {
+  description = "Event Notifications can be accessed from xyz"
+  account_id = "defc0df06b644a9cabc6e44f55b3880s."
+  rule_contexts= [{
+      attributes = [
+                {
+                              "name" : "endpointType",
+                              "value" : "private"
+                },
+                {
+                  name  = "networkZoneId"
+                  value = "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret
+                }
+        ]
+     }
+   ]
+  enforcement_mode = "enabled"
+  operations = [{
+    api_types = [{
+     api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
+      }]
+    }]
+  }
+]
+```

solutions/standard/DA-types.md renamed to solutions/Security-enforced/DA-types.md

@@ -0,0 +1,97 @@
+# Configuring complex inputs in Event Notifications
+
+Several optional input variables in the IBM Cloud [Event Notifications deployable architecture](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-event-notifications-c7ac3ee6-4f48-4236-b974-b0cd8c624a46-global) use complex object types. You specify these inputs when you configure you deployable architecture.
+
+- [Service credentials](#svc-credential-name) (`service_credential_names`)
+- [Service credential secrets](#service-credential-secrets) (`service_credential_secrets`)
+
+## Service credentials <a name="svc-credential-name"></a>
+
+You can specify a set of IAM credentials to connect to the instance with the `service_credential_names` input variable. Include a credential name and IAM service role for each key-value pair. Each role provides a specific level of access to the instance. For more information, see [Adding and viewing credentials](https://cloud.ibm.com/docs/account?topic=account-service_credentials&interface=ui). If you want to add service credentials to secret manager and to allow secret manager to manage it, you should use `service_credential_secrets` , see [Service credential secrets](#service-credential-secrets)
+
+- Variable name: `service_credential_names`.
+- Type: A map. The key is the name of the service credential. The value is the role that is assigned to that credential.
+- Default value: An empty map (`{}`).
+
+### Options for service_credential_names
+
+- Key (required): The name of the service credential.
+- Value (required): The IAM service role that is assigned to the credential. The following values are valid for service credential roles: 'Manager', 'Writer', 'Reader', 'Event Source Manager', 'Channel Editor', 'Event Notification Publisher', 'Status Reporter', 'Device Manager', 'Email Sender', 'Custom Email Status Reporter'. For more information, see [IBM Cloud IAM roles](https://cloud.ibm.com/docs/account?topic=account-userroles).
+
+### Example service credentials
+
+```hcl
+  {
+      "en_manager"      : "Manager",
+      "en_reader"       : "Reader",
+      "en_writer"       : "Writer",
+      "en_email_sender" : "Email Sender"
+  }
+```
+
+## Service credential secrets <a name="service-credential-secrets"></a>
+
+When you add an IBM Event Notification deployable architecture from the IBM Cloud catalog to IBM Cloud Project, you can configure service credentials. In edit mode for the projects configuration, from the configure panel click the optional tab.
+
+To enter a custom value, use the edit action to open the "Edit Array" panel. Add the service credential secrets configurations to the array here.
+
+In the configuration, specify the secret group name, whether it already exists or will be created and include all the necessary service credential secrets that need to be created within that secret group.
+
+ [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-getting-started#getting-started) about service credential secrets.
+
+- Variable name: `service_credential_secrets`.
+- Type: A list of objects that represent service credential secret groups and secrets
+- Default value: An empty list (`[]`)
+
+### Options for service_credential_secrets
+
+- `secret_group_name` (required): A unique human-readable name that identifies this service credential secret group.
+- `secret_group_description` (optional, default = `null`): A human-readable description for this secret group.
+- `existing_secret_group`: (optional, default = `false`): Set to true, if secret group name provided in the variable `secret_group_name` already exists.
+- `service_credentials`: (required): A list of object that represents a service credential secret.
+
+    #### Options for service_credentials
+
+  - `secret_name`: (required): A unique human-readable name of the secret to create.
+  - `service_credentials_source_service_role_crn`: (required): The CRN of the role to give the service credential in the Event Nofication service. Service credentials role CRNs can be found at https://cloud.ibm.com/iam/roles, select Event Notifications and select the role. Role CRNs can be for the roles `Writer`, `Reader`, `Manager`, `Event Source Manager`, `Channel Editor`, `Event Notification Publisher`, `Status Reporter`, `Device Manager`, `Email Sender`, `Custom Email Status Reporter` , or `Pool ID Manager`
+  - `secret_labels`: (optional, default = `[]`): Labels of the secret to create. Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (|).
+  - `secret_auto_rotation`: (optional, default = `true`): Whether to configure automatic rotation of service credential.
+  - `secret_auto_rotation_unit`: (optional, default = `day`): Specifies the unit of time for rotation of a secret. Acceptable values are `day` or `month`.
+  - `secret_auto_rotation_interval`: (optional, default = `89`): Specifies the rotation interval for the rotation unit.
+  - `service_credentials_ttl`: (optional, default = `7776000`): The time-to-live (TTL) to assign to generated service credentials (in seconds).
+  - `service_credential_secret_description`: (optional, default = `null`): Description of the secret to create.
+
+  The following example includes all the configuration options for four service credentials and two secret groups.
+  ```hcl
+  [
+    {
+      "secret_group_name": "sg-1"
+      "existing_secret_group": true
+      "service_credentials": [
+        {
+          "secret_name": "cred-1"
+          "service_credentials_source_service_role_crn":  "crn:v1:bluemix:public:iam::::serviceRole:Writer"
+          "secret_labels": ["test-writer-1", "test-writer-2"]
+          "secret_auto_rotation": true
+          "secret_auto_rotation_unit": "day"
+          "secret_auto_rotation_interval": 89
+          "service_credentials_ttl": 7776000
+          "service_credential_secret_description": "sample description"
+        },
+        {
+          "secret_name": "cred-2"
+          "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Reader"
+        }
+      ]
+    },
+    {
+      "secret_group_name": "sg-2"
+      "service_credentials": [
+        {
+          "secret_name": "cred-3"
+          "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor"
+        }
+      ]
+    }
+  ]
+  ```

solutions/standard/README.md renamed to solutions/Security-enforced/README.md

@@ -0,0 +1,14 @@
+# Event Notifications solution
+
+When `existing_en_instance_crn` is not passed, this solution configures the following infrastructure:
+
+- optionally a KMS key ring and key for IBM Event Notifications encryption
+- optionally a KMS key ring and key for IBM Cloud Object Storage encryption
+- optionally an IBM Cloud Object Storage bucket to collect events that fail delivery
+- an IBM Event Notifications instance
+
+When `existing_en_instance_crn` is passed, this solution ignores ALL other inputs and sets the outputs based on the CRN.
+
+- required inputs MUST still be set, but will be ignored.
+
+:exclamation: **Important:** This solution is not intended to be called by one or more other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers).

solutions/standard/catalogValidationValues.json.template renamed to solutions/Security-enforced/catalogValidationValues.json.template

@@ -0,0 +1,7 @@
+{
+  "ibmcloud_api_key": $VALIDATION_APIKEY,
+  "resource_group_name": $PREFIX,
+  "tags": $TAGS,
+  "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN,
+  "kms_endpoint_url": "https://api.private.us-south.hs-crypto.cloud.ibm.com:8992"
+}