fix: improve DA user experience (#348)

Author: mukulpalit-ibm

README.md

@@ -74,7 +74,9 @@ Manage > Access (IAM) > Access groups > Access policies.
 You need the following permissions to run this module.
 
 - Account Management
-    - **All Account Management** services
+    - **All Account Management** services (For creation of resource group)
+        - `Administrator` platform access
+    - **All Identity and Access enabled** services (For provisioning of CBR rules)
         - `Administrator` platform access
 
 <!-- Below content is automatically populated via pre-commit hook -->

ibm_catalog.json

@@ -21,25 +21,25 @@
         "iam"
       ],
       "short_description": "Creates and configures the base layer components of an IBM Cloud account",
-      "long_description": "This architecture supports creating and configuring the foundational components of an IBM Cloud account. This includes IAM account settings, a trusted profile and associated access groups, and the resource groups in which all resources are provisioned [Learn more...](https://github.com/terraform-ibm-modules/terraform-ibm-account-infrastructure-base/tree/main/docs/about.md)\n\nYou can choose from two variations when deploying:\n  * **Resource groups only**: Creates a structured set of IBM Cloud resource groups to help organize cloud resources by function [Learn more...](https://github.com/terraform-ibm-modules/terraform-ibm-account-infrastructure-base/tree/main/docs/resource-group-configuration.md)\n  * **Resource groups with Account Settings**: In addition to resource groups, configures account-level settings for access control, security, and compliance alignment [Learn more...](https://github.com/terraform-ibm-modules/terraform-ibm-account-infrastructure-base/tree/main/docs/account-settings-configuration.md)",
+      "long_description": "This architecture supports creating and configuring the foundational components of an IBM Cloud account. This includes IAM account settings, a trusted profile and associated access groups, and the resource groups in which all resources are provisioned [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-account-infrastructure-base/tree/main/docs/about.md).\n\nYou can choose from two variations when deploying:\n  **Resource groups only**: Creates a structured set of IBM Cloud resource groups to help organize cloud resources by function [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-account-infrastructure-base/tree/main/docs/resource-group-configuration.md).\n  **Resource groups with Account Settings**: In addition to resource groups, configures account-level settings for access control, security, and compliance alignment [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-account-infrastructure-base/tree/main/docs/account-settings-configuration.md).",
       "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-account-infrastructure-base/tree/main/docs/about.md",
       "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/documentation/main/icons/security_icon.svg",
       "provider_name": "IBM",
       "features": [
         {
-          "title": "Configures IAM account settings",
-          "description": "Configures IAM account settings to meet compliance requirements fof the IBM Cloud Framework for Financial Services."
+          "title": "IAM account settings",
+          "description": "Configures IAM account settings to meet compliance requirements for the IBM Cloud Framework for Financial Services."
         },
         {
-          "title": "Creates access controls",
+          "title": "Access controls",
           "description": "Creates a trusted profile and associated access group to give Projects access to securely deploy solutions in this account."
         },
         {
-          "title": "Creates a resource group",
+          "title": "Resource group",
           "description": "Creates resource group where all resources created by this solution are provisioned."
         },
         {
-          "title": "Creates CBR rules",
+          "title": "CBR rules",
           "description": "Creates pre-wired CBR rules in a given account following a secure by default approach."
         }
       ],
@@ -48,6 +48,7 @@
         {
           "label": "Resource groups with account settings",
           "name": "resource-groups-with-account-settings",
+          "index": 1,
           "install_type": "fullstack",
           "working_directory": "solutions/fully-configurable",
           "compliance": {
@@ -65,18 +66,32 @@
               "role_crns": [
                 "crn:v1:bluemix:public:iam::::role:Administrator"
               ],
-              "service_name": "iam-identity"
+              "service_name": "All Account Management services",
+              "notes": "Administrator access is required for resource group creation and deletion."
+            },
+            {
+              "role_crns": [
+                "crn:v1:bluemix:public:iam::::role:Administrator"
+              ],
+              "service_name": "All Identity and Access enabled services",
+              "notes": "(Optional) Only required if creating context-based restrictions which can be toggled using the `provision_cbr` input."
             }
           ],
           "architecture": {
+             "features": [
+              {
+                "title": " ",
+                "description": "Orchestrates the creation of resource groups, account-level IAM settings, trusted profiles, and context-based restriction (CBR) rules."
+              }
+            ],
             "diagrams": [
               {
                 "diagram": {
                   "caption": "Account Configuration",
                   "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-account-infrastructure-base/main/reference-architectures/base-account-enterprise.svg",
                   "type": "image/svg+xml"
                 },
-                "description": "The Account Configuration architecture provides a standardized approach to setting up cloud account settings as outlined in the IBM Cloud Framework for Financial Services. The architecture includes configurations for IAM settings and access controls that enforce security best practices. You can use this architecture as a base for deploying additional services and resources in multiple types of accounts, such as administrative or workload accounts."
+                "description": "**IBM Account Configuration** <br/> <br/> <b>Description</b> <br/>The Account Configuration architecture provides a standardized approach to setting up cloud account settings as outlined in the IBM Cloud Framework for Financial Services. The architecture includes configurations for IAM settings and access controls that enforce security best practices. You can use this architecture as a base for deploying additional services and resources in multiple types of accounts, such as administrative or workload accounts."
               }
             ]
           },
@@ -90,6 +105,7 @@
             },
             {
               "key": "provider_visibility",
+              "hidden": true,
               "options": [
                 {
                   "displayname": "private",
@@ -317,25 +333,33 @@
         {
           "label": "Resource groups only",
           "name": "resource-group-only",
+          "index": 2,
           "install_type": "fullstack",
           "working_directory": "solutions/fully-configurable",
           "iam_permissions": [
             {
               "role_crns": [
-                "crn:v1:bluemix:public:iam::::role:Editor"
+                "crn:v1:bluemix:public:iam::::role:Administrator"
               ],
-              "service_name": "resource-group"
+              "service_name": "All Account Management services",
+              "notes": "Administrator access is required for resource group creation and deletion."
             }
           ],
           "architecture": {
+             "features": [
+              {
+                "title": " ",
+                "description": "Orchestrates the creation of resource groups as well as referencing existing resource groups across different functional categories."
+              }
+            ],
             "diagrams": [
               {
                 "diagram": {
                   "caption": "Resource Groups",
                   "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-account-infrastructure-base/main/reference-architectures/rg-only.svg",
                   "type": "image/svg+xml"
                 },
-                "description": "The Account Configuration architecture provides a standardized set of resource groups to prepare for different scenarios. You can use this architecture as a base for deploying additional services and resources in multiple types of accounts, such as administrative or workload accounts."
+                "description": "**IBM Account Configuration** <br/> <br/> <b>Description</b> <br/>The Account Configuration architecture provides a standardized set of resource groups to prepare for different scenarios. You can use this architecture as a base for deploying additional services and resources in multiple types of accounts, such as administrative or workload accounts."
               }
             ]
           },
@@ -347,71 +371,6 @@
               "key": "prefix",
               "required": true
             },
-            {
-              "key": "provider_visibility",
-              "options": [
-                {
-                  "displayname": "private",
-                  "value": "private"
-                },
-                {
-                  "displayname": "public",
-                  "value": "public"
-                },
-                {
-                  "displayname": "public-and-private",
-                  "value": "public-and-private"
-                }
-              ]
-            },
-            {
-              "key": "single_resource_group_name"
-            },
-            {
-              "key": "use_existing_single_resource_group"
-            },
-            {
-              "key": "audit_resource_group_name"
-            },
-            {
-              "key": "use_existing_audit_resource_group"
-            },
-            {
-              "key": "devops_resource_group_name"
-            },
-            {
-              "key": "use_existing_devops_resource_group"
-            },
-            {
-              "key": "edge_resource_group_name"
-            },
-            {
-              "key": "use_existing_edge_resource_group"
-            },
-            {
-              "key": "management_resource_group_name"
-            },
-            {
-              "key": "use_existing_management_resource_group"
-            },
-            {
-              "key": "observability_resource_group_name"
-            },
-            {
-              "key": "use_existing_observability_resource_group"
-            },
-            {
-              "key": "security_resource_group_name"
-            },
-            {
-              "key": "use_existing_security_resource_group"
-            },
-            {
-              "key": "workload_resource_group_name"
-            },
-            {
-              "key": "use_existing_workload_resource_group"
-            },
             {
               "key": "skip_iam_account_settings",
               "default_value": true,
@@ -506,6 +465,72 @@
             {
               "key": "cbr_kms_service_targeted_by_prewired_rules",
               "hidden": true
+            },
+            {
+              "key": "single_resource_group_name"
+            },
+            {
+              "key": "use_existing_single_resource_group"
+            },
+            {
+              "key": "audit_resource_group_name"
+            },
+            {
+              "key": "use_existing_audit_resource_group"
+            },
+            {
+              "key": "devops_resource_group_name"
+            },
+            {
+              "key": "use_existing_devops_resource_group"
+            },
+            {
+              "key": "edge_resource_group_name"
+            },
+            {
+              "key": "use_existing_edge_resource_group"
+            },
+            {
+              "key": "management_resource_group_name"
+            },
+            {
+              "key": "use_existing_management_resource_group"
+            },
+            {
+              "key": "observability_resource_group_name"
+            },
+            {
+              "key": "use_existing_observability_resource_group"
+            },
+            {
+              "key": "security_resource_group_name"
+            },
+            {
+              "key": "use_existing_security_resource_group"
+            },
+            {
+              "key": "workload_resource_group_name"
+            },
+            {
+              "key": "use_existing_workload_resource_group"
+            },
+            {
+              "key": "provider_visibility",
+              "hidden": true,
+              "options": [
+                {
+                  "displayname": "private",
+                  "value": "private"
+                },
+                {
+                  "displayname": "public",
+                  "value": "public"
+                },
+                {
+                  "displayname": "public-and-private",
+                  "value": "public-and-private"
+                }
+              ]
             }
           ]
         }

reference-architectures/base-account-enterprise.svg

@@ -1,21 +1,3 @@
-# IBM Cloud Account Infrastructure Base solution
+# Cloud Automation for Account Configuration
 
-An end-to-end deployable architecture solution that provisions the following infrastructure:
-
-- A set of resource groups for separation of resources
-- A default set of account settings that are compliant with the IBM Cloud for Financial Services framework
-- A trusted profile to give access for IBM Cloud Projects to deploy solutions securely in this account
-- A set of context-based restriction rules and zones that are compliant with IBM Cloud Framework for Financial Services.
-
-![account-infrastructure-base](https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-account-infrastructure-base/main/reference-architectures/base-account-enterprise.svg)
-
-## Limitations
-
-The solution does not support configuring the following settings that are required for compliance with IBM Cloud for Financial Services:
-
-- The user list visibility IAM setting. An account owner can enable this restriction in the IBM Cloud console by following these [steps](https://cloud.ibm.com/docs/account?topic=account-iam-user-setting).
-- The Financial Services Validated setting. An account owner can enable the account to be designated as Financial Services Validated. IBM Cloud for Financial Services Validated designates that an IBM Cloud service or ecosystem partner service has evidenced compliance to the controls of the IBM Cloud Framework for Financial Services and can be used to build solutions that might themselves be validated.
-
-    For more information, see [Enabling your account to use Financial Services Validated products](https://cloud.ibm.com/docs/account?topic=account-enabling-fs-validated).
-
-Tracking issue with IBM provider -> https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4204
+:exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers).

reference-architectures/rg-only.svg

@@ -21,20 +21,22 @@ variable "provider_visibility" {
 
 variable "prefix" {
   type        = string
-  description = "The prefix to add to all resources that this solution creates. To not use any prefix value, you can set this value to `null` or an empty string."
   nullable    = true
+  description = "The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: prod-us-south. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md)."
 
-  # prefix restriction due to limitations when using multiple DAs in stacks
-  # this value was determined based on the lowest prefix restriction located here:
-  # https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone/blob/main/patterns/roks/variables.tf#L11
   validation {
-    condition = (var.prefix == null ? true :
+    # - null and empty string is allowed
+    # - Must not contain consecutive hyphens (--): length(regexall("--", var.prefix)) == 0
+    # - Starts with a lowercase letter: [a-z]
+    # - Contains only lowercase letters (a–z), digits (0–9), and hyphens (-) and must not exceed 16 characters in length: [a-z0-9-]{0,14}
+    # - Must not end with a hyphen (-): [a-z0-9]
+    condition = (var.prefix == null || var.prefix == "" ? true :
       alltrue([
-        can(regex("^[a-z]{0,1}[-a-z0-9]{0,11}[a-z0-9]{0,1}$", var.prefix)),
-        length(regexall("^.*--.*", var.prefix)) == 0
+        can(regex("^[a-z][-a-z0-9]{0,14}[a-z0-9]$", var.prefix)),
+        length(regexall("--", var.prefix)) == 0
       ])
     )
-    error_message = "Prefix must begin with a lowercase letter, contain only lowercase letters, numbers, and - characters, and cannot have double hyphens (--). Prefixes must end with a lowercase letter or number and be 13 or fewer characters."
+    error_message = "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--')."
   }
 }