/terraform-ibm-s2s-auth

This module is to set up a list of s2s authorization policies, and cbr rules

Primary LanguageHCLApache License 2.0Apache-2.0

Terraform IBM Service-to-service authorization module

Graduated (Supported) latest release pre-commit Renovate enabled semantic-release

This module generates authorization policies and context-based restriction (CBR) rules to enable access and restrictions between a source service and a target service.

Overview

terraform-ibm-s2s-auth

Usage

module "service_auth_cbr_rules" {
  source                = "terraform-ibm-modules/s2s-auth/ibm"
  version               = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  service_map           = [
    {
        "description"= "This is a test auth policy",
        "enforcement_mode"= "report",
        "roles"= [
            "Reader"
        ],
        "source_resource_instance_id"= "<source_resource_instance_guid>",
        "source_service_name"= "cloud-object-storage",
        "target_resource_instance_id"= "<target_resource_instance_guid>",
        "target_service_name"= "kms"
    },
    {
        "description"= "This is a test auth policy",
        "enforcement_mode"= "report",
        "roles"= [
            "Reader"
        ],
        "source_rg"= "<source_rg>",
        "source_service_name"= "containers-kubernetes",
        "target_rg"= "<target_rg>",
        "target_service_name"= "kms"
    }
  ]
}

Required IAM access policies

You need the following permissions to run this module.

  • You must have access to the target service to create an authorization between services. You can grant only the level of access that you have as a user of the target service. For example, if you have viewer access on the target service, you can assign only the viewer role for the authorization.

Requirements

Name Version
terraform >= 1.3.0
ibm >= 1.65.0, <2.0.0

Modules

Name Source Version
cbr_rules terraform-ibm-modules/cbr/ibm//modules/cbr-service-profile 1.23.0

Resources

Name Type
ibm_iam_authorization_policy.auth_policies resource

Inputs

Name Description Type Default Required
cbr_target_service_details Details of the target service for which the rule has to be created. 
list(object({
    target_service_name = string
    target_rg           = optional(string)
    enforcement_mode    = string
    tags                = optional(list(string))
  }))
 [] no
prefix Prefix for new CBR zones and rules. string null no
service_map Map of source service and the corresponding target service details. 
list(object({
    source_service_name         = string
    target_service_name         = string
    roles                       = list(string)
    description                 = optional(string, null)
    source_resource_instance_id = optional(string, null)
    target_resource_instance_id = optional(string, null)
    source_resource_group_id    = optional(string, null)
    target_resource_group_id    = optional(string, null)
  }))
 [] no
zone_service_ref_list Service reference for the zone creation. 
map(object({
    service_ref_location = optional(list(string), [])
  }))
 {} no
zone_vpc_crn_list CRN of the VPC for the zones. list(string) [] no

Outputs

Name Description
auth_policies Authorizations created
cbr_rules CBR Rules created

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.