feat: created fscloud profile submodule (#53)

Author: shemau

.secrets.baseline

@@ -1,9 +1,9 @@
 {
   "exclude": {
-    "files": "go.sum|^.secrets.baseline$",
+    "files": "go.sum|^.secrets.baseline$|^../.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-03-11T11:41:39Z",
+  "generated_at": "2024-03-25T22:08:26Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -76,18 +76,7 @@
       "name": "TwilioKeyDetector"
     }
   ],
-  "results": {
-    "README.md": [
-      {
-        "hashed_secret": "33da8d0e8af2efc260f01d8e5edfcc5c5aba44ad",
-        "is_secret": true,
-        "is_verified": false,
-        "line_number": 34,
-        "type": "Secret Keyword",
-        "verified_result": null
-      }
-    ]
-  },
+  "results": {},
   "version": "0.13.1+ibm.62.dss",
   "word_list": {
     "file": null,

README.md

@@ -15,10 +15,12 @@ This module is used to provision and configure an IBM Cloud [Secrets Manager](ht
 <!-- BEGIN OVERVIEW HOOK -->
 ## Overview
 * [terraform-ibm-secrets-manager](#terraform-ibm-secrets-manager)
+* [Submodules](./modules)
+    * [fscloud](./modules/fscloud)
 * [Examples](./examples)
     * [Basic example](./examples/basic)
     * [Complete example with BYOK encryption](./examples/complete)
-    * [Complete example with private only instance and KYOK encryption](./examples/complete-private)
+    * [Financial Services Cloud profile example with KYOK encryption](./examples/fscloud)
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->
 
@@ -31,9 +33,10 @@ This module is used to provision and configure an IBM Cloud [Secrets Manager](ht
 
 ```hcl
 provider "ibm" {
-  ibmcloud_api_key     = "XXXXXXXXXXXXXX"
+  ibmcloud_api_key     = "XXXXXXXXXXXXXX"  # pragma: allowlist secret
   region               = "us-south"
 }
+
 module "secrets_manager" {
   source               = "terraform-ibm-modules/secrets-manager/ibm"
   version              = "X.X.X"  # Replace "X.X.X" with a release version to lock into a specific release

cra-config.yaml

@@ -1,11 +1,11 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "examples/complete" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
+  - CRA_TARGET: "examples/fscloud" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
     PROFILE_ID: "0e6e7b5a-817d-4344-ab6f-e5d7a9c49520" # SCC profile ID (currently set to the FSCloud 1.4.0 profile).
     # SCC_INSTANCE_ID: "" # The SCC instance ID to use to download profile for CRA scan. If not provided, a default global value will be used.
     # SCC_REGION: "" # The IBM Cloud region that the SCC instance is in. If not provided, a default global value will be used.
-    # CRA_ENVIRONMENT_VARIABLES:  # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
-    #   TF_VAR_sample: "sample value"
-    #   TF_VAR_other:  "another value"
+    CRA_ENVIRONMENT_VARIABLES:  # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
+      TF_VAR_existing_kms_instance_guid: "e6dce284-e80f-46e1-a3c1-830f7adff7a9" # hpcs_south
+      TF_VAR_kms_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533" # hpcs_south_root_key_crn

examples/complete-private/README.md

@@ -0,0 +1,20 @@
+# Financial Services Cloud profile example with KYOK encryption
+
+An end-to-end example that uses the [Profile for IBM Cloud Framework for Financial Services](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/modules/fscloud) to deploy a private only Secrets-Manager instance with KYOK encryption
+
+This examples handles the provisioning of Secrets-Manager instance, the IAM engine configuration in the recently created instance and a context-based restriction (CBR) rule to only allow Secret Manager to be accessible from within the VPC..
+
+Only private service endpoints are enabled, public are disabled. Secrets Manager instances that are private only do not offer a UI management experience.
+The example uses the IBM Cloud Terraform provider to create the following infrastructure:
+
+- A resource group, if one is not passed in.
+- A sample virtual private cloud (VPC).
+- A sample event notification service.
+- A secrets manager instance.
+- A context-based restriction (CBR) rule to only allow Secrets Manager to be accessible from within the VPC.
+
+:exclamation: **Important:** In this example, only the IBM Secrets Manager instance complies with the IBM Cloud Framework for Financial Services. Other parts of the infrastructure do not necessarily comply.
+
+## Before you begin
+
+- You need a Hyper Protect Crypto Services instance and root key available.

examples/complete-private/version.tf

@@ -1,9 +1,8 @@
 module "resource_group" {
-  source  = "terraform-ibm-modules/resource-group/ibm"
-  version = "1.1.5"
-  # if an existing resource group is not set (null) create a new one using prefix
-  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
-  existing_resource_group_name = var.resource_group
+  source                       = "terraform-ibm-modules/resource-group/ibm"
+  version                      = "1.1.4"
+  resource_group_name          = var.existing_resource_group == false ? var.resource_group : null
+  existing_resource_group_name = var.existing_resource_group == true ? var.resource_group : null
 }
 
 ##############################################################################
@@ -16,7 +15,7 @@ data "ibm_iam_account_settings" "iam_account_settings" {
 ##############################################################################
 # VPC
 ##############################################################################
-resource "ibm_is_vpc" "example_vpc" {
+resource "ibm_is_vpc" "vpc" {
   name           = "${var.prefix}-vpc"
   resource_group = module.resource_group.resource_group_id
   tags           = var.resource_tags
@@ -27,31 +26,39 @@ resource "ibm_is_vpc" "example_vpc" {
 ##############################################################################
 module "cbr_zone" {
   source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
-  version          = "1.19.1"
-  name             = "${var.prefix}-VPC-network-zone"
+  version          = "1.18.0"
+  name             = "${var.prefix}-CBR-zone"
   zone_description = "CBR Network zone representing VPC"
   account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
   addresses = [{
     type  = "vpc", # to bind a specific vpc to the zone
-    value = ibm_is_vpc.example_vpc.crn,
+    value = ibm_is_vpc.vpc.crn,
   }]
 }
 
+module "event_notification" {
+  source            = "terraform-ibm-modules/event-notifications/ibm"
+  version           = "1.0.4"
+  resource_group_id = module.resource_group.resource_group_id
+  name              = "${var.prefix}-en"
+  tags              = var.resource_tags
+  plan              = "lite"
+  service_endpoints = "public"
+  region            = var.region
+}
 
 module "secrets_manager" {
-  source                     = "../.."
+  source                     = "../../modules/fscloud"
   resource_group_id          = module.resource_group.resource_group_id
   region                     = var.region
   secrets_manager_name       = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure
-  sm_service_plan            = var.sm_service_plan
   sm_tags                    = var.resource_tags
-  service_endpoints          = "private"
-  kms_encryption_enabled     = var.kms_encryption_enabled
   existing_kms_instance_guid = var.existing_kms_instance_guid
   kms_key_crn                = var.kms_key_crn
+  existing_en_instance_crn   = module.event_notification.crn
   cbr_rules = [
     {
-      description      = "${var.prefix}-Secrets Manager access only from vpc"
+      description      = "${var.prefix}-secrets-manager access only from vpc"
       enforcement_mode = "enabled"
       account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
       rule_contexts = [{

examples/fscloud/README.md

@@ -9,22 +9,23 @@ variable "prefix" {
   description = "Prefix for sm instance"
   default     = "secrets-manager-test"
 }
-variable "sm_service_plan" {
-  type        = string
-  description = "Secrets-Manager Trial plan"
-  default     = "trial"
-}
 
 variable "region" {
   type        = string
   description = "Region where resources will be created"
-  default     = "us-east"
+  default     = "us-south"
+}
+
+variable "existing_resource_group" {
+  type        = bool
+  description = "Whether to use an existing resource group."
+  default     = false
 }
 
 variable "resource_group" {
   type        = string
-  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
-  default     = null
+  description = "A resource group name to use for this example, if `existing_resource_group` is false a new resource group will be created"
+  default     = "sm-fscloud"
 }
 
 variable "resource_tags" {
@@ -33,20 +34,16 @@ variable "resource_tags" {
   default     = []
 }
 
-variable "kms_encryption_enabled" {
-  type        = bool
-  description = "Optional flag to enable KMS encryption"
-  default     = false
-}
+##############################################################################
+# Key Management Service (KMS)
+##############################################################################
 
 variable "existing_kms_instance_guid" {
   type        = string
-  description = "GUID of the KMS instance containing the key to use for encryption"
-  default     = null
+  description = "The GUID of the Hyper Protect Crypto Services instance in which the key specified in `kms_key_crn` is coming from."
 }
 
 variable "kms_key_crn" {
   type        = string
-  description = "CRN of the KMS key to use for encryption"
-  default     = null
+  description = "The root key CRN of Hyper Protect Crypto Services (HPCS) that you want to use for encryption."
 }