feat: add support for config aggregator and related trusted profiles (#214)

Author: ocofaigh

README.md

@@ -21,8 +21,8 @@ https://terraform-ibm-modules.github.io/documentation/#/implementation-guideline
 ## Overview
 * [terraform-ibm-app-configuration](#terraform-ibm-app-configuration)
 * [Examples](./examples)
+    * [Advanced example](./examples/advanced)
     * [Basic example](./examples/basic)
-    * [Complete example](./examples/complete)
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->
 
@@ -79,19 +79,24 @@ For more information on access and permissions, see <https://cloud.ibm.com/docs/
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
-| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.65.0, < 2.0.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.76.1, < 2.0.0 |
 
 ### Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_cbr_rule"></a> [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.28.0 |
+| <a name="module_config_aggregator_trusted_profile"></a> [config\_aggregator\_trusted\_profile](#module\_config\_aggregator\_trusted\_profile) | terraform-ibm-modules/trusted-profile/ibm | 2.1.1 |
+| <a name="module_config_aggregator_trusted_profile_enterprise"></a> [config\_aggregator\_trusted\_profile\_enterprise](#module\_config\_aggregator\_trusted\_profile\_enterprise) | terraform-ibm-modules/trusted-profile/ibm | 2.1.1 |
+| <a name="module_config_aggregator_trusted_profile_template"></a> [config\_aggregator\_trusted\_profile\_template](#module\_config\_aggregator\_trusted\_profile\_template) | terraform-ibm-modules/trusted-profile/ibm//modules/trusted-profile-template | 2.2.0 |
 
 ### Resources
 
 | Name | Type |
 |------|------|
 | [ibm_app_config_collection.collections](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/app_config_collection) | resource |
+| [ibm_config_aggregator_settings.config_aggregator_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/config_aggregator_settings) | resource |
+| [ibm_iam_custom_role.template_assignment_reader](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_custom_role) | resource |
 | [ibm_resource_instance.app_config](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
 
 ### Inputs
@@ -104,6 +109,13 @@ For more information on access and permissions, see <https://cloud.ibm.com/docs/
 | <a name="input_app_config_service_endpoints"></a> [app\_config\_service\_endpoints](#input\_app\_config\_service\_endpoints) | Service Endpoints for the App Configuration service instance, valid endpoints are public or public-and-private. | `string` | `"public-and-private"` | no |
 | <a name="input_app_config_tags"></a> [app\_config\_tags](#input\_app\_config\_tags) | Optional list of tags to be added to the App Config instance. | `list(string)` | `[]` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create. | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    tags = optional(list(object({<br/>      name  = string<br/>      value = string<br/>    })), [])<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>  }))</pre> | `[]` | no |
+| <a name="input_config_aggregator_enterprise_account_group_ids_to_assign"></a> [config\_aggregator\_enterprise\_account\_group\_ids\_to\_assign](#input\_config\_aggregator\_enterprise\_account\_group\_ids\_to\_assign) | A list of enterprise account group IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all account groups. Only applies if `enable_config_aggregator` is true and a value is being passed for `config_aggregator_enterprise_id`. | `list(string)` | <pre>[<br/>  "all"<br/>]</pre> | no |
+| <a name="input_config_aggregator_enterprise_id"></a> [config\_aggregator\_enterprise\_id](#input\_config\_aggregator\_enterprise\_id) | If the account is an enterprise account, this value should be set to the enterprise ID (NOTE: This is different to the account ID). | `string` | `null` | no |
+| <a name="input_config_aggregator_enterprise_trusted_profile_name"></a> [config\_aggregator\_enterprise\_trusted\_profile\_name](#input\_config\_aggregator\_enterprise\_trusted\_profile\_name) | The name to give the enterprise viewer trusted profile with that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. | `string` | `"config-aggregator-enterprise-trusted-profile"` | no |
+| <a name="input_config_aggregator_enterprise_trusted_profile_template_name"></a> [config\_aggregator\_enterprise\_trusted\_profile\_template\_name](#input\_config\_aggregator\_enterprise\_trusted\_profile\_template\_name) | The name to give the trusted profile template that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. | `string` | `"config-aggregator-trusted-profile-template"` | no |
+| <a name="input_config_aggregator_resource_collection_regions"></a> [config\_aggregator\_resource\_collection\_regions](#input\_config\_aggregator\_resource\_collection\_regions) | From which region do you want to collect configuration data? Only applies if `enable_config_aggregator` is set to true. | `list(string)` | <pre>[<br/>  "all"<br/>]</pre> | no |
+| <a name="input_config_aggregator_trusted_profile_name"></a> [config\_aggregator\_trusted\_profile\_name](#input\_config\_aggregator\_trusted\_profile\_name) | The name to give the trusted profile that will be created if `enable_config_aggregator` is set to `true`. | `string` | `"config-aggregator-trusted-profile"` | no |
+| <a name="input_enable_config_aggregator"></a> [enable\_config\_aggregator](#input\_enable\_config\_aggregator) | Set to true to enable configuration aggregator. By setting to true a trusted profile will be created with the required access to record configuration data from all resources across regions in your account. [Learn more](https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator). | `bool` | `false` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region to provision the App Configuration service, valid regions are us-south, us-east, eu-gb, and au-syd. | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where resources will be provisioned. | `string` | n/a | yes |
 
@@ -116,6 +128,9 @@ For more information on access and permissions, see <https://cloud.ibm.com/docs/
 | <a name="output_app_config_crn"></a> [app\_config\_crn](#output\_app\_config\_crn) | CRN of the App Configuration instance |
 | <a name="output_app_config_guid"></a> [app\_config\_guid](#output\_app\_config\_guid) | GUID of the App Configuration instance |
 | <a name="output_app_config_id"></a> [app\_config\_id](#output\_app\_config\_id) | ID of the App Configuration instance |
+| <a name="output_config_aggregator_enterprise_trusted_profile_id"></a> [config\_aggregator\_enterprise\_trusted\_profile\_id](#output\_config\_aggregator\_enterprise\_trusted\_profile\_id) | ID of the config aggregator trusted profile for enterprise access |
+| <a name="output_config_aggregator_enterprise_trusted_profile_template_id"></a> [config\_aggregator\_enterprise\_trusted\_profile\_template\_id](#output\_config\_aggregator\_enterprise\_trusted\_profile\_template\_id) | ID of the config aggregator trusted profile enterprise template ID |
+| <a name="output_config_aggregator_trusted_profile_id"></a> [config\_aggregator\_trusted\_profile\_id](#output\_config\_aggregator\_trusted\_profile\_id) | ID of the config aggregator trusted profile |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 <!-- Leave this section as is so that your module has a link to local development environment set up steps for contributors to follow -->

common-dev-assets

@@ -1,6 +1,6 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "examples/complete" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
+  - CRA_TARGET: "examples/advanced" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
     PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3"         # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile).

cra-config.yaml

@@ -0,0 +1,14 @@
+# Advanced example
+
+<!-- There is a pre-commit hook that will take the title of each example add include it in the repos main README.md  -->
+<!-- Add text below should describe exactly what resources are provisioned / configured by the example  -->
+
+An end-to-end example that will provision the following:
+
+- A new resource group if one is not passed in.
+- A new App Configuration instance.
+- A new collection within the App Configuration instance.
+- Configuration aggregator ([learn more](https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator))
+- A simple VPC
+- A CBR zone for the VPC
+- A CBR rule to only allow the App Configuration instance to be accessed from within the VPC zone over private endpoint

examples/advanced/README.md

@@ -1,7 +1,3 @@
-##############################################################################
-# Complete example
-##############################################################################
-
 ########################################################################################################################
 # Resource group
 ########################################################################################################################
@@ -33,6 +29,7 @@ resource "ibm_is_vpc" "example_vpc" {
 ##############################################################################
 # Create CBR Zone
 ##############################################################################
+
 module "cbr_zone" {
   source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
   version          = "1.28.0"
@@ -50,20 +47,19 @@ module "cbr_zone" {
 ########################################################################################################################
 
 module "app_config" {
-  source            = "../.."
-  resource_group_id = module.resource_group.resource_group_id
-  region            = var.region
-  app_config_name   = "${var.prefix}-app-config"
-  app_config_tags   = var.resource_tags
-
+  source                   = "../.."
+  resource_group_id        = module.resource_group.resource_group_id
+  region                   = var.region
+  app_config_name          = "${var.prefix}-app-config"
+  app_config_tags          = var.resource_tags
+  enable_config_aggregator = true # See https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator
   app_config_collections = [
     {
       name          = "${var.prefix}-collection",
       collection_id = "${var.prefix}-collection"
       description   = "Collection for ${var.prefix}"
     }
   ]
-
   cbr_rules = [
     {
       description      = "${var.prefix}-APP-CONF access only from vpc"

examples/complete/main.tf renamed to examples/advanced/main.tf

@@ -13,7 +13,7 @@ variable "region" {
 variable "prefix" {
   type        = string
   description = "Prefix to append to all resources created by this example"
-  default     = "complete"
+  default     = "advanced"
 }
 
 variable "resource_group" {

examples/complete/outputs.tf renamed to examples/advanced/outputs.tf

@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = ">= 1.65.0, < 2.0.0"
+      version = ">= 1.76.1, < 2.0.0"
     }
   }
 }

examples/complete/provider.tf renamed to examples/advanced/provider.tf

@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = "1.65.0"
+      version = "1.76.1"
     }
   }
 }

examples/complete/variables.tf renamed to examples/advanced/variables.tf

@@ -12,6 +12,10 @@ resource "ibm_resource_instance" "app_config" {
   tags              = var.app_config_tags
 }
 
+##############################################################################
+# Collections
+##############################################################################
+
 locals {
   collections_map = {
     for obj in var.app_config_collections :
@@ -28,9 +32,161 @@ resource "ibm_app_config_collection" "collections" {
   tags          = each.value.tags
 }
 
+##############################################################################
+# Configuration aggregator
+##############################################################################
+
+# Create the required Trusted Profile
+module "config_aggregator_trusted_profile" {
+  count                       = var.enable_config_aggregator ? 1 : 0
+  source                      = "terraform-ibm-modules/trusted-profile/ibm"
+  version                     = "2.1.1"
+  trusted_profile_name        = var.config_aggregator_trusted_profile_name
+  trusted_profile_description = "Trusted Profile for App Configuration instance ${ibm_resource_instance.app_config.guid} with required access for configuration aggregator"
+  trusted_profile_identity = {
+    identifier    = ibm_resource_instance.app_config.crn
+    identity_type = "crn"
+  }
+  trusted_profile_policies = [
+    {
+      roles              = ["Viewer", "Service Configuration Reader"]
+      account_management = true
+      description        = "All Account Management Services"
+    },
+    {
+      roles = ["Viewer", "Service Configuration Reader", "Reader"]
+      resource_attributes = [{
+        name     = "serviceType"
+        value    = "service"
+        operator = "stringEquals"
+      }]
+      description = "All Identity and Access enabled services"
+    }
+  ]
+  trusted_profile_links = [{
+    cr_type = "VSI"
+    links = [{
+      crn = ibm_resource_instance.app_config.crn
+    }]
+  }]
+}
+
+# If enterprise account, create custom role "Template Assignment Reader"
+# This role is used in the trusted profile to grant permission to read IAM template assignments.
+# It is required by the App Config enterprise-level trusted profile to manage IAM templates."
+locals {
+  custom_role = "Template Assignment Reader"
+}
+resource "ibm_iam_custom_role" "template_assignment_reader" {
+  count        = var.enable_config_aggregator && var.config_aggregator_enterprise_id != null ? 1 : 0
+  name         = "TemplateAssignmentReader"
+  service      = "iam-identity"
+  display_name = local.custom_role
+  description  = "Custom role to allow reading IAM template assignments"
+  actions      = ["iam-identity.profile-assignment.read"]
+}
+
+# If enterprise account, create trusted profile for App Config enterprise-level permissions
+module "config_aggregator_trusted_profile_enterprise" {
+  count                       = var.enable_config_aggregator && var.config_aggregator_enterprise_id != null ? 1 : 0
+  source                      = "terraform-ibm-modules/trusted-profile/ibm"
+  version                     = "2.1.1"
+  trusted_profile_name        = var.config_aggregator_enterprise_trusted_profile_name
+  trusted_profile_description = "Trusted Profile for App Configuration instance ${ibm_resource_instance.app_config.guid} with required access for configuration aggregator for enterprise accounts"
+
+  trusted_profile_identity = {
+    identifier    = ibm_resource_instance.app_config.crn
+    identity_type = "crn"
+  }
+
+  trusted_profile_policies = [
+    {
+      roles = ["Viewer", local.custom_role]
+      resource_attributes = [{
+        name     = "service_group_id"
+        value    = "IAM"
+        operator = "stringEquals"
+      }]
+      description = "IAM access with custom role"
+    },
+    {
+      roles = ["Viewer"]
+      resources = [{
+        service = "enterprise"
+      }]
+      description = "Enterprise viewer and template reader access"
+    }
+  ]
+
+  trusted_profile_links = [{
+    cr_type = "VSI"
+    links = [{
+      crn = ibm_resource_instance.app_config.crn
+    }]
+  }]
+}
+
+# If enterprise account, create trusted profile template
+module "config_aggregator_trusted_profile_template" {
+  count                       = var.enable_config_aggregator && var.config_aggregator_enterprise_id != null ? 1 : 0
+  source                      = "terraform-ibm-modules/trusted-profile/ibm//modules/trusted-profile-template"
+  version                     = "2.2.0"
+  template_name               = var.config_aggregator_enterprise_trusted_profile_template_name
+  template_description        = "Trusted Profile template for App Configuration instance ${ibm_resource_instance.app_config.guid} with required access for configuration aggregator"
+  profile_name                = var.config_aggregator_trusted_profile_name
+  profile_description         = "Trusted Profile for App Configuration instance ${ibm_resource_instance.app_config.guid} with required access for configuration aggregator"
+  identity_crn                = ibm_resource_instance.app_config.crn
+  account_group_ids_to_assign = var.config_aggregator_enterprise_account_group_ids_to_assign
+  policy_templates = [
+    {
+      name        = "identity-access"
+      description = "Policy template for identity services"
+      roles       = ["Viewer", "Reader"]
+      attributes = [{
+        key      = "serviceType"
+        value    = "service" # assigns access to All Identity and Access enabled services
+        operator = "stringEquals"
+      }]
+    },
+    {
+      name        = "platform-access"
+      description = "Policy template for platform services"
+      roles       = ["Viewer", "Service Configuration Reader"]
+      attributes = [{
+        key      = "serviceType"
+        value    = "platform_service" # assigns access to All Account Management services
+        operator = "stringEquals"
+      }]
+    }
+  ]
+}
+
+# Define an aggregation
+resource "ibm_config_aggregator_settings" "config_aggregator_settings" {
+  count                       = var.enable_config_aggregator ? 1 : 0
+  instance_id                 = ibm_resource_instance.app_config.guid
+  region                      = ibm_resource_instance.app_config.location
+  resource_collection_regions = var.config_aggregator_resource_collection_regions
+  resource_collection_enabled = true
+  trusted_profile_id          = module.config_aggregator_trusted_profile[0].profile_id
+
+  dynamic "additional_scope" {
+    for_each = var.enable_config_aggregator && var.config_aggregator_enterprise_id != null ? [1] : []
+    content {
+      type          = "Enterprise"
+      enterprise_id = var.config_aggregator_enterprise_id
+      profile_template {
+        id                 = module.config_aggregator_trusted_profile_template[0].trusted_profile_template_id
+        trusted_profile_id = module.config_aggregator_trusted_profile_enterprise[0].profile_id
+      }
+    }
+  }
+}
+
 ##############################################################################
 # Context Based Restrictions
 ##############################################################################
+
 module "cbr_rule" {
   count            = length(var.cbr_rules) > 0 ? length(var.cbr_rules) : 0
   source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module"