Event Notification DA Fully configurable

[whoffler]

Description

for issue - https://github.ibm.com/GoldenEye/issues/issues/12573

Event Notification DA Fully configurable flavor

Release required?

• No release
• Patch release (x.x.X)
• Minor release (x.X.x)
• Major release (X.x.x)

Release notes content

Run the pipeline

If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.

Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:

/run pipeline

Checklist for reviewers

• If relevant, a test for the change is included or updated with this PR.
• If relevant, documentation for the change is included or updated with this PR.

For mergers

• Use a conventional commit message to set the release level. Follow the guidelines.
• Include information that users need to know about the PR in the commit message. The commit message becomes part of the GitHub release notes.
• Use the Squash and merge option.

[ocofaigh]

@whoffler Vipin has a PR open to update the current standard variation with some best practises. Since that variation is going away, can I suggest we just make the changes directly in this PR in the new variation you are adding?

[ocofaigh]

Left an initial first round of comments to address - there will be more. Also we need to claify if we really should be using cloud_object_storage and key_management_service in our input names, as opposed to just cos and kms. Discussion started on slack

[ocofaigh]

I suggest you update to >= 1.9.0 so we can use the terraform 1.9 cross variable validation feature.
We will need to use it in many input variables in variables.tf. For an idea of how to use it, see my branch (WIP): https://github.com/terraform-ibm-modules/terraform-ibm-scc/blob/DA/solutions/fully-configurable/variables.tf

[ocofaigh]

@whoffler still a lot of things to address here. Its not consistent at all with the SCC DA. Please review your variable descriptions, variable validation and other logic to ensure consistency. Some other things that stand out:

• security-enforced variation needs to be a striaght wrapper around fully-configurable. See https://github.com/terraform-ibm-modules/terraform-ibm-scc/tree/main/solutions/security-enforced as a reference
• It seems we are supporting creation of cross regional buckets. We are not doing that anywhere else right now, so I think remove it so its less confusing for consumers

[ocofaigh]

We will never need a existing KMS key name?? The user will either pass the key using existing_kms_root_key_crn, or we will create the key using existing_kms_instance_crn so I'm confused as to what this is for?

[ocofaigh]

We might need 2 existing KMS key inputs - one for the COS bucket, and one for the Event Notifications instance

[whoffler]

Yeah if a KMS key is provided to the fscloud version it uses it for everything. Adding another KMS key input makes sense.. more configurable

[ocofaigh]

@whoffler Also take a look at terraform-ibm-modules/terraform-ibm-secrets-manager#309 - we will need something similar in this PR

[whoffler]

@ocofaigh

• security-enforced variation needs to be a striaght wrapper around fully-configurable. See https://github.com/terraform-ibm-modules/terraform-ibm-scc/tree/main/solutions/security-enforced as a reference

was going to do that in a separate PR but will add here instead

[ocofaigh]

@whoffler A separate Pr is fine if you want - but just remove the security-enforced code from this PR then

[rajatagarwal-ibm]

/run pipeline

[rajatagarwal-ibm]

/run pipeline

[rajatagarwal-ibm]

/run pipeline

[rajatagarwal-ibm]

/run pipeline

[rajatagarwal-ibm]

/run pipeline

[rajatagarwal-ibm]

@ocofaigh working with @whoffler on this, and will try to get that done as soo as we can. Thanks!

[whoffler]

@rajatagarwal-ibm @ocofaigh think I've figured out why that unit test is failing.

For COS bucket when we set kms_encryption_enabled to true then the cos bucket module creates a policy:

# Create IAM Authorization Policy to allow COS to access KMS for the encryption key
resource "ibm_iam_authorization_policy" "policy" {

The existing standard solution does not pass kms_encryption_enabled variable to cos module

In Event Notifications we create policy:

# Create cross account IAM Authorization Policy to allow COS to read the KMS encryption key
resource "ibm_iam_authorization_policy" "cos_kms_policy" {

Which creates the access policy conflict we are seeing.

Removing kms_encryption_enabled and the test passes for me. Maybe we remove the access policy altogether from Event Notifications and let COS module do its thing?

[whoffler]

/run pipeline

[whoffler]

/run pipeline

[whoffler]

/run pipeline

[whoffler]

/run pipeline

[whoffler]

/run pipeline

[whoffler]

/run pipeline

[rajatagarwal-ibm]

/run pipeline

[akocbek]

should TF_VAR_kms_encryption_enabled: true be added as well?

[rajatagarwal-ibm]

No, it is not required as the fully-configurable does not enforce KMS encryption.

[akocbek]

picker should be used

{
              "key": "existing_resource_group_name",
              "required": true,
              "custom_config": {
                  "type": "resource_group",
                  "grouping": "deployment",
                  "original_grouping": "deployment",
                  "config_constraints": {
                      "identifier": "rg_name"
                  }
              }
            },

[akocbek]

should be hidden.

"hidden": true

[ocofaigh]

Not sure yet if we are going to hide this - it will be discussed in todays deep dive

[ocofaigh]

Please do a full re-review of the code for consistency between the 2 variations, and between other DAs (for example SCC DA)

[ocofaigh]

This should not default to true in fully configurable because the user is then required to pass either a KMS instance CRN, or a KMS key. We want fully configurable to be like a one click deploy. This is consistent with all our other fully configurable DAs

[ocofaigh]

Same as above, I don't think this should be true by default in fully configurable, since it will have a dependency on COS

[ocofaigh]

same as above, this should not default to true for fully configurable

[ocofaigh]

Can we take same approach as SCC DA where default value will be null (meaning it will be provisioned in same region as the EN instance). See https://github.com/terraform-ibm-modules/terraform-ibm-scc/blob/6fbd4973c72855920c157848ab9eee0b7cce5439/solutions/fully-configurable/variables.tf#L301-L305

[ocofaigh]

KMS is mandated in security enforced. So I would not use the word "optionally" here. The options are the DA either creates the key and key ring, or the DA takes in existing key

[ocofaigh]

Description should say what its used for

[ocofaigh]

existing_en_instance_crn is not a valid input. Do we have variable validation checking the condition mentioned?

[ocofaigh]

You seem to be missing variable validation for the KMS inputs. For example: https://github.com/terraform-ibm-modules/terraform-ibm-scc/blob/6fbd4973c72855920c157848ab9eee0b7cce5439/solutions/security-enforced/variables.tf#L159-L181

[ocofaigh]

This does not match the value in fully configurable. Can you please do a full review to ensure consistency

[ocofaigh]

why is this description different to the fully configurable one? Please ensure consistency

[akocbek]

security-enforced should be added to the title

[akocbek]

to be in consistent with other DAs, let's follow the structure by defining Prerequisites as well . Same for security-enforced DA

https://github.com/terraform-ibm-modules/terraform-ibm-scc/blob/main/solutions/fully-configurable/README.md#prerequisites