https://github.com/terraform-ibm-modules/terraform-ibm-cbr
This module can be used to provision and configure Context Based Restrictions.
- Host: GitHub
- URL: https://github.com/terraform-ibm-modules/terraform-ibm-cbr
- Owner: terraform-ibm-modules
- License: apache-2.0
- Created: 2023-01-19T13:01:32.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2025-04-06T20:12:36.000Z (about 1 month ago)
- Last Synced: 2025-04-08T20:02:23.621Z (about 1 month ago)
- Topics: cbr, context-based-restrictions, core-team, graduated, ibm-cloud, supported, terraform, terraform-module
- Language: HCL
- Size: 1010 KB
- Stars: 0
- Watchers: 16
- Forks: 2
- Open Issues: 4
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
README
# Context-based restrictions module
This module can be used to provision and configure [Context Based Restrictions](https://cloud.ibm.com/docs/account?topic=account-context-restrictions-create&interface=ui).
See in particular the [fscloud module](./modules/fscloud/), which creates an opinionated, account-level, coarse-grained set of CBR rules and zones aligned with the "secure by default" principles.
:information_source: **Tip:** Changes to context-based restriction rules are propagated worldwide and have a TTL value of 10 minutes. Rule changes might not take effect until the propagation process is complete and the TTL cache is updated.
## Overview
* [terraform-ibm-cbr](#terraform-ibm-cbr)
* [Submodules](./modules)
    * [cbr-rule-module](./modules/cbr-rule-module)
    * [cbr-service-profile](./modules/cbr-service-profile)
    * [cbr-zone-module](./modules/cbr-zone-module)
    * [fscloud](./modules/fscloud)
* [Examples](./examples)
    * [CBR multi service profile](./examples/multi-service-profile)
    * [Multi resource rule example](./examples/multi-resource-rule)
    * [Multi-zone example](./examples/multizone-rule)
    * [Pre-wired CBR configuration for FS Cloud example](./examples/fscloud)
    * [Zone example](./examples/update-existing-zone-addresses)
    * [Zone example](./examples/zone)
* [Contributing](#contributing)

## terraform-ibm-cbr
### Usage
```hcl
# A module block takes a single label, so the zone and the rule are declared
# as two separately named modules.
module "ibm_cbr_zone" {
  source  = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  name             = "zone_for_pg_access"
  account_id       = "defc0df06b644a9cabc6e44f55b3880s" # pragma: allowlist secret
  zone_description = "Zone created from terraform"
  # Each address is an object with a type and a value (here the CRN of a VPC)
  addresses = [{ type = "vpc", value = "vpc_crn" }]
}

module "ibm_cbr_rule" {
  source  = "terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  name             = "rule_for_pg_access"
  rule_description = "rule from terraform"
  enforcement_mode = "enabled"
  # The contexts from which access is allowed: here a single network zone,
  # identified by its zone ID
  rule_contexts = [{
    attributes = [{
      name  = "networkZoneId"
      value = "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret
    }]
  }]
  # The target resources the rule protects, narrowed by account, resource
  # group, service instance and service name
  resources = [{
    attributes = [
      {
        name     = "accountId"
        value    = "defc0df06b644a9cabc6e44f55b3880s" # pragma: allowlist secret
        operator = "stringEquals"
      },
      {
        name     = "resourceGroupId"
        value    = "8ce996b5e6ed4592ac0e39f4105351d6" # pragma: allowlist secret
        operator = "stringEquals"
      },
      {
        name     = "serviceInstance"
        value    = "10732830-c128-48f0-aec6-c9eaa8d10c68" # pragma: allowlist secret
        operator = "stringEquals"
      },
      {
        name     = "serviceName"
        value    = "cloud-object-storage"
        operator = "stringEquals"
      }
    ]
  }]
  # The API types the rule applies to
  operations = [{
    api_types = [{
      api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
    }]
  }]
}
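
# Added example (not from the module's own README): a zone and a rule declared
# together, with the rule context taking the zone module's zone_id output
# (assumed to be the output listed under "Outputs" below) instead of a
# hard-coded zone ID, and enforcement starting in "report" mode so that
# non-matching requests are only logged until the rule is confirmed safe.
# The VPC CRN and account ID below are constructed placeholders.
module "cbr_zone_vpc_only" {
  source  = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  name             = "zone_vpc_only"
  account_id       = "ACCOUNT_ID_PLACEHOLDER" # placeholder, not a real account ID
  zone_description = "Only requests originating from the workload VPC"
  addresses = [{
    type  = "vpc"
    value = "crn:v1:bluemix:public:is:us-south:a/ACCOUNT_ID_PLACEHOLDER::vpc:VPC_ID_PLACEHOLDER" # placeholder VPC CRN
  }]
}

module "cbr_rule_cos_report_only" {
  source  = "terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  name             = "rule_cos_vpc_only"
  rule_description = "Report-only: Cloud Object Storage reachable only from the VPC zone"
  # "report" records requests that would be denied without blocking them;
  # change to "enabled" only after reviewing the report and allowing for the
  # 10 minute propagation TTL mentioned in the tip above.
  enforcement_mode = "report"
  rule_contexts = [{
    attributes = [{
      name  = "networkZoneId"
      value = module.cbr_zone_vpc_only.zone_id # reference, not a copied ID
    }]
  }]
  resources = [{
    attributes = [
      {
        name     = "accountId"
        value    = "ACCOUNT_ID_PLACEHOLDER" # placeholder, not a real account ID
        operator = "stringEquals"
      },
      {
        name     = "serviceName"
        value    = "cloud-object-storage"
        operator = "stringEquals"
      }
    ]
  }]
}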
```

### Required IAM access policies
You need the following permissions to run this module.
- Account Management
    - `Editor` role access
- VPC Infrastructure Services
    - `Editor` role access

### Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
| [ibm](#requirement\_ibm) | >= 1.70.0, < 2.0.0 |

### Modules
| Name | Source | Version |
|------|--------|---------|
| [cbr\_rule](#module\_cbr\_rule) | ./modules/cbr-rule-module | n/a |
| [cbr\_zone](#module\_cbr\_zone) | ./modules/cbr-zone-module | n/a |

### Resources
| Name | Type |
|------|------|
| [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source |

### Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [addresses](#input\_addresses) | (List) The list of addresses in the zone | <pre>list(object({<br/>  type  = optional(string)<br/>  value = optional(string)<br/>  ref = optional(object({<br/>    account_id       = string<br/>    location         = optional(string)<br/>    service_instance = optional(string)<br/>    service_name     = optional(string)<br/>    service_type     = optional(string)<br/>  }))<br/>}))</pre> | `[]` | no |
| [enforcement\_mode](#input\_enforcement\_mode) | (String) The rule enforcement mode | `string` | `"report"` | no |
| [excluded\_addresses](#input\_excluded\_addresses) | (Optional, List) The list of excluded addresses in the zone | <pre>list(object({<br/>  type  = optional(string)<br/>  value = optional(string)<br/>}))</pre> | `[]` | no |
| [name](#input\_name) | (Optional, String) The name of the zone | `string` | `null` | no |
| [operations](#input\_operations) | (Optional, List) The operations this rule applies to | <pre>list(object({<br/>  api_types = list(object({<br/>    api_type_id = string<br/>  }))<br/>}))</pre> | <pre>[<br/>  {<br/>    "api_types": [<br/>      {<br/>        "api_type_id": "crn:v1:bluemix:public:context-based-restrictions::::api-type:"<br/>      }<br/>    ]<br/>  }<br/>]</pre> | no |
| [resources](#input\_resources) | (Optional, List) The resources this rule applies to | <pre>list(object({<br/>  attributes = list(object({<br/>    name     = string<br/>    value    = string<br/>    operator = optional(string)<br/>  }))<br/>  tags = optional(list(object({ # These access tags should match the target service access tags for the CBR rules to work<br/>    name     = string<br/>    value    = string<br/>    operator = optional(string)<br/>  })))<br/>}))</pre> | `[]` | no |
| [rule\_contexts](#input\_rule\_contexts) | (List) The contexts the rule applies to | <pre>list(object({<br/>  attributes = list(object({<br/>    name  = string<br/>    value = string<br/>  }))<br/>}))</pre> | <pre>[<br/>  {<br/>    "attributes": [<br/>      {<br/>        "name": "va",<br/>        "value": "va"<br/>      }<br/>    ]<br/>  }<br/>]</pre> | no |
| [rule\_description](#input\_rule\_description) | (Optional, String) The description of the rule | `string` | `null` | no |
| [zone\_description](#input\_zone\_description) | (Optional, String) The description of the zone | `string` | `null` | no |

### Outputs
| Name | Description |
|------|-------------|
| [rule\_crn](#output\_rule\_crn) | CBR rule CRN |
| [rule\_href](#output\_rule\_href) | CBR rule href |
| [rule\_id](#output\_rule\_id) | CBR rule ID |
| [zone\_crn](#output\_zone\_crn) | cbr\_zone CRN |
| [zone\_href](#output\_zone\_href) | cbr\_zone link |
| [zone\_id](#output\_zone\_id) | cbr\_zone ID |

## Contributing
You can report issues and request features for this module in GitHub issues in the module repo. See [Report an issue or request a feature](https://github.com/terraform-ibm-modules/.github/blob/main/.github/SUPPORT.md).
To set up your local development environment, see [Local development setup](https://terraform-ibm-modules.github.io/documentation/#/local-dev-setup) in the project documentation.