https://github.com/terraform-ibm-modules/terraform-ibm-account-infrastructure-base
A general base layer module for setting up a newly provisioned account.
- Host: GitHub
- URL: https://github.com/terraform-ibm-modules/terraform-ibm-account-infrastructure-base
- Owner: terraform-ibm-modules
- License: apache-2.0
- Created: 2023-11-20T18:35:16.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-04-08T13:36:20.000Z (about 1 month ago)
- Last Synced: 2025-04-08T20:02:23.506Z (about 1 month ago)
- Topics: account, account-infrastructure-base, core-team, deployable-architecture, ibm-cloud, stable, supported, terraform, terraform-module
- Language: HCL
- Size: 677 KB
- Stars: 0
- Watchers: 14
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
README
# IBM Cloud Account infrastructure base module
This module is a general base-layer module for setting up a newly provisioned account with a default provision of:
- Base Resource Group
- IAM Account Settings
- Trusted Profile + Access Group for Projects
- CBR Rules + Zones
## Overview
* [terraform-ibm-account-infrastructure-base](#terraform-ibm-account-infrastructure-base)
* [Contributing](#contributing)

## Reference architectures

- [IBM Cloud Account Infrastructure Base solution](./solutions/account-infrastructure-base/)

## terraform-ibm-account-infrastructure-base
### Current limitations

The module currently does not support setting the following FS Cloud requirements:

- Check whether user list visibility restrictions are configured in IAM settings for the account owner
  - Follow these [steps](https://cloud.ibm.com/docs/account?topic=account-iam-user-setting) as a workaround to set this manually in the UI
- Check whether the Financial Services Validated setting is enabled in account settings
  - Follow these [steps](https://cloud.ibm.com/docs/account?topic=account-enabling-fs-validated) as a workaround to set this manually in the UI

Tracking issue with the IBM provider: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4204
### Pre-wired CBR configuration for FS Cloud
This module creates pre-wired CBR rules from our [FS Cloud submodule for CBR](https://github.com/terraform-ibm-modules/terraform-ibm-cbr). See [this README](https://github.com/terraform-ibm-modules/terraform-ibm-cbr/tree/main/modules/fscloud#pre-wired-cbr-configuration-for-fs-cloud) for more details on this configuration. Note that the rules are only created when `provision_cbr` is set to `true`; the `cbr_*` inputs have no effect otherwise.
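An added example, not from the module's README, of a fuller call of this module that turns on the pre-wired CBR rules described above alongside the hardened IAM account settings and an IP allow-list applied in observe-first mode. The service key `cloud-object-storage`, the CIDRs and the `iam_id` value are constructed assumptions; every input name comes from the Inputs table.

```hcl
# Added example (not from the module's README). All input names are the
# module's documented inputs; the service key, CIDRs and iam_id are
# constructed placeholders.
module "account_configuration" {
  source  = "terraform-ibm-modules/account-infrastructure-base/ibm"
  version = "X.X.X" # pin to a released version

  # Resource groups: one per plane (defaults repeated here for clarity)
  audit_resource_group_name    = "audit-rg"
  security_resource_group_name = "security-rg"
  workload_resource_group_name = "workload-rg"

  # IAM account settings (all ignored when skip_iam_account_settings = true)
  mfa                       = "TOTP4ALL"   # TOTP for all users, federated included
  api_creation              = "RESTRICTED" # only the API key creator role can mint keys
  serviceid_creation        = "RESTRICTED" # same for service IDs
  public_access_enabled     = false        # keep the public access group disabled
  access_token_expiration   = "3600"
  refresh_token_expiration  = "259200"
  max_sessions_per_identity = "NOT_SET"

  # Networks from which IAM tokens may be created. Start with
  # enforce_allowed_ip_addresses = false to observe the impact, as the
  # input description recommends, then flip it to true once validated.
  allowed_ip_addresses         = ["203.0.113.0/24", "198.51.100.10"] # constructed RFC 5737 values
  enforce_allowed_ip_addresses = false

  # Per-user MFA override for a break-glass identity (iam_id is a placeholder)
  user_mfa = [
    { iam_id = "IBMid-EXAMPLE000", mfa = "LEVEL3" }, # LEVEL3 = U2F for that user
  ]

  # Trusted profile for IBM Cloud Projects; Administrator is the default role
  provision_trusted_profile_projects = true
  trusted_profile_name               = "account-base-trusted-profile"
  trusted_profile_roles              = ["Administrator"]

  # Context-based restrictions: provision_cbr defaults to false, so none of
  # the cbr_* inputs below take effect unless it is enabled here.
  provision_cbr                              = true
  cbr_prefix                                 = "acct-infra-base"
  cbr_kms_service_targeted_by_prewired_rules = ["key-protect"] # Key Protect rather than HPCS
  cbr_allow_at_to_cos                        = true
  cbr_allow_vpcs_to_cos                      = true

  # Additional target service. The map key is the service name; report mode
  # logs would-be denials without blocking traffic while zones are validated.
  cbr_target_service_details = {
    "cloud-object-storage" = {
      description      = "Report-only rule for COS while zones are validated"
      enforcement_mode = "report"
      tags             = ["account-infra-base"]
      global_deny      = true
    }
  }
}
```

After `terraform apply`, the `account_iam_*` and `cbr_map_target_service_rule_ids` outputs listed below expose the settings and rule IDs that were actually applied, which is the place to confirm the result before switching the IP restriction to enforced.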
### Usage
```hcl
module "account_configuration" {
  source  = "terraform-ibm-modules/account-infrastructure-base/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  # Creates a single resource group; see the resource group inputs below for
  # the per-plane alternative.
  global_resource_group_name = "account-base-resource-group"
  trusted_profile_name       = "account-base-trusted-profile"
}
```

### Required IAM access policies
You need the following permissions to run this module.

- Account Management
  - **All Account Management** services
    - `Administrator` platform access

### Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.9.0 |
| [ibm](#requirement\_ibm) | >= 1.70.0, < 2.0.0 |

### Modules
| Name | Source | Version |
|------|--------|---------|
| [account\_settings](#module\_account\_settings) | terraform-ibm-modules/iam-account-settings/ibm | 2.11.0 |
| [cbr\_fscloud](#module\_cbr\_fscloud) | terraform-ibm-modules/cbr/ibm//modules/fscloud | 1.29.0 |
| [existing\_resource\_group](#module\_existing\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.2.0 |
| [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.2.0 |
| [trusted\_profile\_projects](#module\_trusted\_profile\_projects) | terraform-ibm-modules/trusted-profile/ibm | 2.0.1 |

### Resources
No resources.
### Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [access\_token\_expiration](#input\_access\_token\_expiration) | Defines the access token expiration in seconds. Has no effect when `skip_iam_account_settings` is true. | `string` | `"3600"` | no |
| [active\_session\_timeout](#input\_active\_session\_timeout) | Specify how long (in seconds) a user is allowed to work continuously in the account. Has no effect when `skip_iam_account_settings` is true. | `number` | `86400` | no |
| [allowed\_ip\_addresses](#input\_allowed\_ip\_addresses) | List of the IP addresses and subnets from which IAM tokens can be created for the account. Has no effect when `skip_iam_account_settings` is true. | `list(any)` | `[]` | no |
| [api\_creation](#input\_api\_creation) | When restriction is enabled, only users, including the account owner, assigned the User API key creator role on the IAM Identity Service can create API keys. Allowed values are 'RESTRICTED', 'NOT\_RESTRICTED', or 'NOT\_SET' (to unset a previously set value). Has no effect when `skip_iam_account_settings` is true. | `string` | `"RESTRICTED"` | no |
| [audit\_resource\_group\_name](#input\_audit\_resource\_group\_name) | The name of the audit resource group to create. | `string` | `"audit-rg"` | no |
| [cbr\_allow\_at\_to\_cos](#input\_cbr\_allow\_at\_to\_cos) | Whether to enable the rule that allows Activity Tracker to access Object Storage. Default is true if `provision_cbr` is set to true. | `bool` | `true` | no |
| [cbr\_allow\_block\_storage\_to\_kms](#input\_cbr\_allow\_block\_storage\_to\_kms) | Whether to enable the rule that allows Block Storage for VPC to access the key management service. Default is true if `provision_cbr` is set to true. | `bool` | `true` | no |
| [cbr\_allow\_cos\_to\_kms](#input\_cbr\_allow\_cos\_to\_kms) | Whether to enable the rule that allows Object Storage to access the key management service. Default is true if `provision_cbr` is set to true. | `bool` | `true` | no |
| [cbr\_allow\_event\_streams\_to\_kms](#input\_cbr\_allow\_event\_streams\_to\_kms) | Whether to enable the rule that allows Event Streams to access the key management service. Default is true if `provision_cbr` is set to true. | `bool` | `true` | no |
| [cbr\_allow\_icd\_to\_kms](#input\_cbr\_allow\_icd\_to\_kms) | Whether to enable the rule that allows IBM cloud databases to access the key management service. Default is true if `provision_cbr` is set to true. | `bool` | `true` | no |
| [cbr\_allow\_iks\_to\_is](#input\_cbr\_allow\_iks\_to\_is) | Whether to enable the rule that allows the Kubernetes Service to access VPC Infrastructure Services. Default is true if `provision_cbr` is set to true. | `bool` | `true` | no |
| [cbr\_allow\_is\_to\_cos](#input\_cbr\_allow\_is\_to\_cos) | Whether to enable the rule that allows VPC Infrastructure Services to access Object Storage. Default is true if `provision_cbr` is set to true. | `bool` | `true` | no |
| [cbr\_allow\_roks\_to\_kms](#input\_cbr\_allow\_roks\_to\_kms) | Whether to enable the rule that allows Red Hat OpenShift to access the key management service. Default is true if `provision_cbr` is set to true. | `bool` | `true` | no |
| [cbr\_allow\_scc\_to\_cos](#input\_cbr\_allow\_scc\_to\_cos) | Whether to enable the rule that allows Security and Compliance Center (SCC) to access Object Storage. Default is true if `provision_cbr` is set to true. | `bool` | `true` | no |
| [cbr\_allow\_vpcs\_to\_container\_registry](#input\_cbr\_allow\_vpcs\_to\_container\_registry) | Whether to enable the rule that allows Virtual Private Clouds to access Container Registry. Default is true if `provision_cbr` is set to true. | `bool` | `true` | no |
| [cbr\_allow\_vpcs\_to\_cos](#input\_cbr\_allow\_vpcs\_to\_cos) | Whether to enable the rule that allows Virtual Private Clouds to access Object Storage. Default is true if `provision_cbr` is set to true. | `bool` | `true` | no |
| [cbr\_allow\_vpcs\_to\_iam\_access\_management](#input\_cbr\_allow\_vpcs\_to\_iam\_access\_management) | Whether to enable the rule that allows Virtual Private Clouds to access IAM access management. Default is true if `provision_cbr` is set to true. | `bool` | `true` | no |
| [cbr\_allow\_vpcs\_to\_iam\_groups](#input\_cbr\_allow\_vpcs\_to\_iam\_groups) | Whether to enable the rule that allows Virtual Private Clouds to access IAM groups. Default is true if `provision_cbr` is set to true. | `bool` | `true` | no |
| [cbr\_kms\_service\_targeted\_by\_prewired\_rules](#input\_cbr\_kms\_service\_targeted\_by\_prewired\_rules) | IBM Cloud offers two distinct Key Management Services (KMS): Key Protect and Hyper Protect Crypto Services (HPCS). This variable determines the specific KMS service to which the pre-configured rules are applied. Use the value 'key-protect' to specify the Key Protect service, and 'hs-crypto' for the Hyper Protect Crypto Services (HPCS). Default is `["hs-crypto"]` if `provision_cbr` is set to true. | `list(string)` | `["hs-crypto"]` | no |
| [cbr\_prefix](#input\_cbr\_prefix) | String to use as the prefix for all context-based restriction resources, default is `account-infra-base` if `provision_cbr` is set to true. | `string` | `"acct-infra-base"` | no |
| [cbr\_target\_service\_details](#input\_cbr\_target\_service\_details) | Details of the target service for which a rule is created. The key is the service name. | <pre>map(object({<br>  description      = optional(string)<br>  target_rg        = optional(string)<br>  instance_id      = optional(string)<br>  enforcement_mode = string<br>  tags             = optional(list(string))<br>  region           = optional(string)<br>  geography        = optional(string)<br>  global_deny      = optional(bool, true)<br>}))</pre> | `{}` | no |
| [devops\_resource\_group\_name](#input\_devops\_resource\_group\_name) | The name of the devops resource group to create. | `string` | `"devops-tools-rg"` | no |
| [edge\_resource\_group\_name](#input\_edge\_resource\_group\_name) | The name of the edge resource group to create. | `string` | `"edge-rg"` | no |
| [enforce\_allowed\_ip\_addresses](#input\_enforce\_allowed\_ip\_addresses) | Whether the IP address restriction is enforced. Set the value to `false` to test the impact of the restriction on your account; once the impact has been observed, set the value to `true`. | `bool` | `true` | no |
| [global\_resource\_group\_name](#input\_global\_resource\_group\_name) | The name of the global resource group to create. When this variable is provided only one resource group will be created and all other resource group name variables will be ignored. | `string` | `null` | no |
| [inactive\_session\_timeout](#input\_inactive\_session\_timeout) | Specify how long (in seconds) a user is allowed to stay logged in to the account while inactive/idle. Has no effect when `skip_iam_account_settings` is true. | `string` | `"7200"` | no |
| [management\_resource\_group\_name](#input\_management\_resource\_group\_name) | The name of the management resource group to create. | `string` | `"management-plane-rg"` | no |
| [max\_sessions\_per\_identity](#input\_max\_sessions\_per\_identity) | Defines the maximum allowed sessions per identity required by the account. Supports any whole number greater than '0', or 'NOT\_SET' to unset the account setting and use the service default. Has no effect when `skip_iam_account_settings` is true. | `string` | `"NOT_SET"` | no |
| [mfa](#input\_mfa) | Specify the Multi-Factor Authentication method for the account. Supported values are 'NONE' (no MFA trait set), 'TOTP' (for all non-federated IBMid users), 'TOTP4ALL' (for all users), 'LEVEL1' (email-based MFA for all users), 'LEVEL2' (TOTP-based MFA for all users), 'LEVEL3' (U2F MFA for all users). Has no effect when `skip_iam_account_settings` is true. | `string` | `"TOTP4ALL"` | no |
| [observability\_resource\_group\_name](#input\_observability\_resource\_group\_name) | The name of the observability resource group to create. | `string` | `"observability-rg"` | no |
| [provision\_cbr](#input\_provision\_cbr) | Whether to enable the creation of context-based restriction rules and zones in the module. Default is false. | `bool` | `false` | no |
| [provision\_trusted\_profile\_projects](#input\_provision\_trusted\_profile\_projects) | Controls whether the Trusted Profile for Projects is provisioned. | `bool` | `true` | no |
| [public\_access\_enabled](#input\_public\_access\_enabled) | Enable or disable the public access group, in which resources are open to anyone regardless of whether they are a member of your account. Has no effect when `skip_iam_account_settings` is true. | `bool` | `false` | no |
| [refresh\_token\_expiration](#input\_refresh\_token\_expiration) | Defines the refresh token expiration in seconds. Has no effect when `skip_iam_account_settings` is true. | `string` | `"259200"` | no |
| [security\_resource\_group\_name](#input\_security\_resource\_group\_name) | The name of the security resource group to create. | `string` | `"security-rg"` | no |
| [serviceid\_creation](#input\_serviceid\_creation) | When restriction is enabled, only users, including the account owner, assigned the Service ID creator role on the IAM Identity Service can create service IDs. Allowed values are 'RESTRICTED', 'NOT\_RESTRICTED', or 'NOT\_SET' (to unset a previously set value). Has no effect when `skip_iam_account_settings` is true. | `string` | `"RESTRICTED"` | no |
| [shell\_settings\_enabled](#input\_shell\_settings\_enabled) | Enable global shell settings for all users in the account. Has no effect when `skip_iam_account_settings` is true. | `bool` | `false` | no |
| [skip\_cloud\_shell\_calls](#input\_skip\_cloud\_shell\_calls) | Skip Cloud Shell calls in the account. Has no effect when `skip_iam_account_settings` is true. | `bool` | `false` | no |
| [skip\_iam\_account\_settings](#input\_skip\_iam\_account\_settings) | Set to true to skip applying the IAM account settings to the account. | `bool` | `false` | no |
| [trusted\_profile\_description](#input\_trusted\_profile\_description) | Description of the trusted profile. | `string` | `"Trusted Profile for Projects access"` | no |
| [trusted\_profile\_name](#input\_trusted\_profile\_name) | Name of the trusted profile, required if `provision_trusted_profile_projects` is true. | `string` | `null` | no |
| [trusted\_profile\_roles](#input\_trusted\_profile\_roles) | List of roles given to the trusted profile. | `list(string)` | `["Administrator"]` | no |
| [use\_existing\_audit\_resource\_group](#input\_use\_existing\_audit\_resource\_group) | Set to `true` to use an existing resource group that has the name provided in `audit_resource_group_name`. | `bool` | `false` | no |
| [use\_existing\_devops\_resource\_group](#input\_use\_existing\_devops\_resource\_group) | Set to `true` to use an existing resource group that has the name provided in `devops_resource_group_name`. | `bool` | `false` | no |
| [use\_existing\_edge\_resource\_group](#input\_use\_existing\_edge\_resource\_group) | Set to `true` to use an existing resource group that has the name provided in `edge_resource_group_name`. | `bool` | `false` | no |
| [use\_existing\_global\_resource\_group](#input\_use\_existing\_global\_resource\_group) | Set to `true` to use an existing resource group that has the name provided in `global_resource_group_name`. | `bool` | `false` | no |
| [use\_existing\_management\_resource\_group](#input\_use\_existing\_management\_resource\_group) | Set to `true` to use an existing resource group that has the name provided in `management_resource_group_name`. | `bool` | `false` | no |
| [use\_existing\_observability\_resource\_group](#input\_use\_existing\_observability\_resource\_group) | Set to `true` to use an existing resource group that has the name provided in `observability_resource_group_name`. | `bool` | `false` | no |
| [use\_existing\_security\_resource\_group](#input\_use\_existing\_security\_resource\_group) | Set to `true` to use an existing resource group that has the name provided in `security_resource_group_name`. | `bool` | `false` | no |
| [use\_existing\_workload\_resource\_group](#input\_use\_existing\_workload\_resource\_group) | Set to `true` to use an existing resource group that has the name provided in `workload_resource_group_name`. | `bool` | `false` | no |
| [user\_mfa](#input\_user\_mfa) | Specify the Multi-Factor Authentication method for specific users in the account. Supported values are 'NONE' (no MFA trait set), 'TOTP' (for all non-federated IBMid users), 'TOTP4ALL' (for all users), 'LEVEL1' (email-based MFA for all users), 'LEVEL2' (TOTP-based MFA for all users), 'LEVEL3' (U2F MFA for all users). An example of the format is available at https://github.com/terraform-ibm-modules/terraform-ibm-iam-account-settings#usage. Has no effect when `skip_iam_account_settings` is true. | <pre>set(object({<br>  iam_id = string<br>  mfa    = string<br>}))</pre> | `[]` | no |
| [user\_mfa\_reset](#input\_user\_mfa\_reset) | Set to true to delete all user MFA settings configured in the targeted account, ignoring entries declared in `user_mfa`. Has no effect when `skip_iam_account_settings` is true. | `bool` | `false` | no |
| [workload\_resource\_group\_name](#input\_workload\_resource\_group\_name) | The name of the workload resource group to create. | `string` | `"workload-rg"` | no |

### Outputs
| Name | Description |
|------|-------------|
| [account\_allowed\_ip\_addresses](#output\_account\_allowed\_ip\_addresses) | Account Settings Allowed IP Addresses |
| [account\_allowed\_ip\_addresses\_control\_mode](#output\_account\_allowed\_ip\_addresses\_control\_mode) | Account Settings Allowed IP Addresses Control Mode |
| [account\_allowed\_ip\_addresses\_enforced](#output\_account\_allowed\_ip\_addresses\_enforced) | Account Settings Allowed IP Addresses Enforced |
| [account\_iam\_access\_token\_expiration](#output\_account\_iam\_access\_token\_expiration) | Account Settings IAM Access Token Expiration |
| [account\_iam\_active\_session\_timeout](#output\_account\_iam\_active\_session\_timeout) | Account Settings IAM Active Session Timeout |
| [account\_iam\_apikey\_creation](#output\_account\_iam\_apikey\_creation) | Account Settings IAM API Key Creation |
| [account\_iam\_inactive\_session\_timeout](#output\_account\_iam\_inactive\_session\_timeout) | Account Settings IAM Inactive Session Timeout |
| [account\_iam\_mfa](#output\_account\_iam\_mfa) | Account Settings IAM MFA |
| [account\_iam\_refresh\_token\_expiration](#output\_account\_iam\_refresh\_token\_expiration) | Account Settings IAM Refresh Token Expiration |
| [account\_iam\_serviceid\_creation](#output\_account\_iam\_serviceid\_creation) | Account Settings IAM Service ID Creation |
| [account\_iam\_user\_mfa\_list](#output\_account\_iam\_user\_mfa\_list) | Account Settings IAM User MFA List |
| [account\_public\_access](#output\_account\_public\_access) | Account Settings Public Access |
| [account\_shell\_settings\_status](#output\_account\_shell\_settings\_status) | Account Settings Shell Settings Status |
| [audit\_resource\_group\_id](#output\_audit\_resource\_group\_id) | ID of the Resource Group created by the module. |
| [audit\_resource\_group\_name](#output\_audit\_resource\_group\_name) | Name of the Resource Group created by the module. |
| [cbr\_map\_service\_ref\_name\_zoneid](#output\_cbr\_map\_service\_ref\_name\_zoneid) | Map of service reference and zone ids |
| [cbr\_map\_target\_service\_rule\_ids](#output\_cbr\_map\_target\_service\_rule\_ids) | Map of target service and rule ids |
| [devops\_resource\_group\_id](#output\_devops\_resource\_group\_id) | ID of the Resource Group created by the module. |
| [devops\_resource\_group\_name](#output\_devops\_resource\_group\_name) | Name of the Resource Group created by the module. |
| [edge\_resource\_group\_id](#output\_edge\_resource\_group\_id) | ID of the Resource Group created by the module. |
| [edge\_resource\_group\_name](#output\_edge\_resource\_group\_name) | Name of the Resource Group created by the module. |
| [global\_resource\_group\_id](#output\_global\_resource\_group\_id) | ID of the Resource Group created by the module. |
| [global\_resource\_group\_name](#output\_global\_resource\_group\_name) | Name of the Resource Group created by the module. |
| [management\_resource\_group\_id](#output\_management\_resource\_group\_id) | ID of the Resource Group created by the module. |
| [management\_resource\_group\_name](#output\_management\_resource\_group\_name) | Name of the Resource Group created by the module. |
| [observability\_resource\_group\_id](#output\_observability\_resource\_group\_id) | ID of the Resource Group created by the module. |
| [observability\_resource\_group\_name](#output\_observability\_resource\_group\_name) | Name of the Resource Group created by the module. |
| [security\_resource\_group\_id](#output\_security\_resource\_group\_id) | ID of the Resource Group created by the module. |
| [security\_resource\_group\_name](#output\_security\_resource\_group\_name) | Name of the Resource Group created by the module. |
| [trusted\_profile\_projects](#output\_trusted\_profile\_projects) | Trusted Profile Projects Profile |
| [trusted\_profile\_projects\_claim\_rules](#output\_trusted\_profile\_projects\_claim\_rules) | Trusted Profile Projects Profile Claim Rules |
| [trusted\_profile\_projects\_links](#output\_trusted\_profile\_projects\_links) | Trusted Profile Projects Profile Links |
| [trusted\_profile\_projects\_policies](#output\_trusted\_profile\_projects\_policies) | Trusted Profile Projects Profile Policies |
| [workload\_resource\_group\_id](#output\_workload\_resource\_group\_id) | ID of the Resource Group created by the module. |
| [workload\_resource\_group\_name](#output\_workload\_resource\_group\_name) | Name of the Resource Group created by the module. |

## Contributing
You can report issues and request features for this module in GitHub issues in the module repo. See [Report an issue or request a feature](https://github.com/terraform-ibm-modules/.github/blob/main/.github/SUPPORT.md).
To set up your local development environment, see [Local development setup](https://terraform-ibm-modules.github.io/documentation/#/local-dev-setup) in the project documentation.