https://github.com/terraform-ibm-modules/terraform-ibm-iam-account-settings

Configures standard IAM parameters and account settings
# IAM account settings module

[![Graduated (Supported)](https://img.shields.io/badge/Status-Graduated%20(Supported)-brightgreen)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-iam-account-settings?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-iam-account-settings/releases/latest)
[![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/)

This module configures standard IAM account settings with recommended values, whose defaults are aligned with
FSCloud requirements, and exports the resulting values as outputs.

The module handles the following account settings:

- Multifactor authentication (None - Federated Users - All - Email/TOTP/U2F based)
- User-specific multifactor authentication (None - Federated Users - All - Email/TOTP/U2F based)
- Restrict API key creation (on - off)
- Restrict service ID creation (on - off)
- Session activity timeout (seconds)
- Session inactivity timeout (seconds)
- Access token expiration (seconds)
- Refresh token expiration (seconds)
- Restrict IP address access (off/Any Allowed - on/Allow only specified IP subnets or IP addresses). Two control modes
  are supported:
    - Monitor: traffic that originates outside the specified allowed IP addresses is allowed but logged by audit events
      that are sent to SIEM and Activity Tracker
    - Restrict: traffic that originates outside the specified allowed IP addresses is blocked
- Global shell settings (on - off)
- Public access group (on - off)

The module creates and updates settings when you run `terraform apply`. On `terraform destroy`, the module
preserves the most recent value of each setting rather than resetting it, and it never changes settings that are
configured outside of Terraform's scope.

## Current limitations
The module currently does not support setting the following FSCloud requirements through the IBM provider:

- Check whether user list visibility restrictions are configured in IAM settings for the account owner
- Check whether the Financial Services Validated setting is enabled in account settings

Tracking issue with IBM provider ->

If you need to manage these FSCloud requirements via Terraform, see the [experimental submodule](https://github.com/terraform-ibm-modules/terraform-ibm-iam-account-settings/tree/main/modules/experimental), which uses the RestAPI provider to manage these settings.

## Overview
* [terraform-ibm-iam-account-settings](#terraform-ibm-iam-account-settings)
* [Submodules](./modules)
    * [experimental](./modules/experimental)
* [Examples](./examples)
    * [Account Custom Settings example](./examples/custom)
    * [Default Example](./examples/default)
* [Contributing](#contributing)

## terraform-ibm-iam-account-settings
### Usage

```hcl
module "iam_account_settings" {
  source  = "terraform-ibm-modules/iam-account-settings/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  # example subnet; replace with the ranges your users and automation actually connect from
  allowed_ip_addresses = ["17.5.0.0/16"]

  # example usage of creating CBR zones within the module
  # see https://github.com/terraform-ibm-modules/terraform-ibm-cbr/tree/main/modules/cbr-zone-module for more details
  # the data source referenced below must be declared in the calling configuration:
  #   data "ibm_iam_account_settings" "iam_account_settings" {}
  cbr_zones = [{
    name             = "default-zone-1"
    zone_description = "test zone in iam-account-settings module"
    addresses = [{
      type = "serviceRef"
      ref = {
        account_id   = data.ibm_iam_account_settings.iam_account_settings.account_id
        service_name = "secrets-manager"
      }
    }]
  }]
}
```
### User MFA

When specifying User MFA ([`user_mfa`](#input_user_mfa)), use the following format:

```hcl
variable "user_mfa" {
  type = set(object({
    iam_id = string
    mfa    = string
  }))
  default = [
    {
      iam_id = "IBMid-3x000xx3xH"
      mfa    = "LEVEL3"
    },
    {
      iam_id = "IBMid-50xG4CxSQx"
      mfa    = "NONE"
    }
  ]
}
```

When you need to delete or reset the MFA configuration for all users, use the [`user_mfa_reset`](#input_user_mfa_reset) input variable.
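The following root configuration ties the Usage and User MFA sections together. It is an added example, not code from the module or its `examples` directory. It runs the IP allow list in monitor mode first (`enforce_allowed_ip_addresses = false`) so that Activity Tracker events reveal any automation or operator source you forgot to list, then lets you flip to restrict mode by changing one variable. The `check` block reads the module's `account_allowed_ip_addresses_control_mode` output back and fails `terraform apply`/`terraform plan` if enforcement was requested but the account does not report `RESTRICT`; `check` blocks need Terraform 1.5 or later, which is newer than the module's stated minimum. The IP ranges, the IBMid values, the `ibmcloud_api_key` variable and the `X.X.X` version placeholder are constructed values to replace.

```hcl
terraform {
  required_version = ">= 1.5.0" # 1.5 is needed for the check block below; the module itself needs >= 1.3.0
  required_providers {
    ibm = {
      source  = "IBM-Cloud/ibm"
      version = ">= 1.65.0, < 2.0.0"
    }
  }
}

variable "ibmcloud_api_key" {
  description = "API key of the identity that applies the account settings (constructed input name)"
  type        = string
  sensitive   = true
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
}

# Constructed sample ranges (RFC 5737 documentation addresses): a CI/bastion subnet and one admin host.
variable "allowed_ip_addresses" {
  type    = list(string)
  default = ["203.0.113.0/24", "198.51.100.10"]
}

# Phase 1: monitor only. Set to true once the audit events show no unexpected source addresses.
variable "enforce_allowed_ip_addresses" {
  type    = bool
  default = false
}

# The CBR zone serviceRef needs the account ID, so the calling configuration declares the data source.
data "ibm_iam_account_settings" "iam_account_settings" {}

module "iam_account_settings" {
  source  = "terraform-ibm-modules/iam-account-settings/ibm"
  version = "X.X.X" # pin to a released version

  allowed_ip_addresses         = var.allowed_ip_addresses
  enforce_allowed_ip_addresses = var.enforce_allowed_ip_addresses

  # Account-wide TOTP for everyone, with a per-user step up to U2F for a constructed break-glass IBMid.
  mfa = "TOTP4ALL"
  user_mfa = [
    { iam_id = "IBMid-EXAMPLE0001", mfa = "LEVEL3" }
  ]

  # Only identities holding the creator roles on IAM Identity may mint API keys or service IDs.
  api_creation       = "RESTRICTED"
  serviceid_creation = "RESTRICTED"

  # Session and token lifetimes; types follow the Inputs table (number vs string).
  active_session_timeout   = 86400
  inactive_session_timeout = "7200"
  access_token_expiration  = "3600"
  refresh_token_expiration = "259200"

  cbr_zones = [{
    name             = "secrets-manager-zone"
    zone_description = "Secrets Manager service reference zone for this account"
    addresses = [{
      type = "serviceRef"
      ref = {
        account_id   = data.ibm_iam_account_settings.iam_account_settings.account_id
        service_name = "secrets-manager"
      }
    }]
  }]
}

# Fail the run if enforcement was requested but the account still reports monitor mode.
check "ip_allowlist_enforced" {
  assert {
    condition     = !var.enforce_allowed_ip_addresses || module.iam_account_settings.account_allowed_ip_addresses_control_mode == "RESTRICT"
    error_message = "enforce_allowed_ip_addresses is true but the account control mode is not RESTRICT."
  }
}

output "ip_allowlist_control_mode" {
  value = module.iam_account_settings.account_allowed_ip_addresses_control_mode
}

output "user_mfa_overrides" {
  value = module.iam_account_settings.account_iam_user_mfa_list
}
```

Apply once with the default `enforce_allowed_ip_addresses = false`, review the audit events for a period that covers your scheduled automation, then run `terraform apply -var enforce_allowed_ip_addresses=true`. Keep the identity that runs Terraform inside `allowed_ip_addresses`, because once the account is in restrict mode a token request from an unlisted address is blocked and the next apply cannot correct the list.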

### Required IAM access policies

You need the following permissions to run this module.

- Account Management
    - **IAM Access Groups** service
        - `Administrator` platform access
    - **IAM Access Management** service
        - `Editor` platform access
    - **IAM Identity** service
        - `Operator` platform access
    - **IBM Cloud Shell** service
        - `Administrator` platform access
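One way to grant exactly the permissions listed above and nothing more is to put the identity that runs this module into a dedicated access group with one policy per service. This is an added example, not code from the module. The resource types `ibm_iam_access_group` and `ibm_iam_access_group_policy` are real IBM provider resources; the IAM service names in `required_policies` are assumptions based on IBM Cloud naming and should be checked against your account's service catalog before applying. The group name is constructed.

```hcl
# Dedicated, least-privilege group for the identity that applies terraform-ibm-iam-account-settings.
resource "ibm_iam_access_group" "iam_settings_operators" {
  name        = "iam-account-settings-operators" # constructed name
  description = "Identities allowed to apply IAM account settings via Terraform"
}

locals {
  # Service name -> platform role, mirroring the Required IAM access policies list.
  # Service names are assumptions; verify them before use.
  required_policies = {
    "iam-groups"            = "Administrator" # IAM Access Groups
    "iam-access-management" = "Editor"        # IAM Access Management
    "iam-identity"          = "Operator"      # IAM Identity
    "cloudshell"            = "Administrator" # IBM Cloud Shell
  }

  # If the module is run with skip_cloud_shell_calls = true, the Cloud Shell policy is not needed.
  skip_cloud_shell_calls = false
  effective_policies = {
    for service, role in local.required_policies : service => role
    if !(local.skip_cloud_shell_calls && service == "cloudshell")
  }
}

# One platform policy per service, scoped to that service only, with a single role each.
resource "ibm_iam_access_group_policy" "required" {
  for_each        = local.effective_policies
  access_group_id = ibm_iam_access_group.iam_settings_operators.id
  roles           = [each.value]

  resources {
    service = each.key
  }
}
```

Granting the four service-scoped policies instead of an account-wide `Administrator` role keeps the Terraform identity from being able to modify resources outside IAM, which matters because that identity is the one whose API key sits in a pipeline secret.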

### Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
| [ibm](#requirement\_ibm) | >= 1.65.0, < 2.0.0 |

### Modules

| Name | Source | Version |
|------|--------|---------|
| [cbr\_zones](#module\_cbr\_zones) | terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module | v1.24.1 |

### Resources

| Name | Type |
|------|------|
| [ibm_cloud_shell_account_settings.cloud_shell_account_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cloud_shell_account_settings) | resource |
| [ibm_iam_access_group_account_settings.iam_access_group_account_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_access_group_account_settings) | resource |
| [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_account_settings) | resource |
| [ibm_cloud_shell_account_settings.cloud_shell_account_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/cloud_shell_account_settings) | data source |
| [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source |

### Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [access\_token\_expiration](#input\_access\_token\_expiration) | Defines the access token expiration in seconds | `string` | `"3600"` | no |
| [active\_session\_timeout](#input\_active\_session\_timeout) | Specify how long (seconds) a user is allowed to work continuously in the account | `number` | `"86400"` | no |
| [allowed\_ip\_addresses](#input\_allowed\_ip\_addresses) | List of the IP addresses and subnets from which IAM tokens can be created for the account. | `list(any)` | `[]` | no |
| [api\_creation](#input\_api\_creation) | When restriction is enabled, only users, including the account owner, assigned the User API key creator role on the IAM Identity Service can create API keys. Allowed values are 'RESTRICTED', 'NOT\_RESTRICTED', or 'NOT\_SET' (to 'unset' a previous set value). | `string` | `"RESTRICTED"` | no |
| [cbr\_zones](#input\_cbr\_zones) | A list of CBR zones created by the module | <pre>list(object({<br>  account_id = optional(string)<br>  addresses = optional(list(object({<br>    type  = optional(string)<br>    value = optional(string)<br>    ref = optional(object({<br>      account_id       = string<br>      location         = optional(string)<br>      service_instance = optional(string)<br>      service_name     = optional(string)<br>      service_type     = optional(string)<br>    }))<br>  })), [])<br>  excluded_addresses = optional(list(object({<br>    type  = optional(string)<br>    value = optional(string)<br>  })), [])<br>  name             = string<br>  zone_description = optional(string, null)<br>}))</pre> | `[]` | no |
| [enforce\_allowed\_ip\_addresses](#input\_enforce\_allowed\_ip\_addresses) | If true, IP address restriction is enforced. If false, traffic originating outside the specified allowed IP address set is only monitored, with audit events sent to SIEM and Activity Tracker. After running in monitored mode to test this variable, set it explicitly to true to enforce IP allow listing. | `bool` | `true` | no |
| [inactive\_session\_timeout](#input\_inactive\_session\_timeout) | Specify how long (seconds) a user is allowed to stay logged in the account while being inactive/idle | `string` | `"7200"` | no |
| [max\_sessions\_per\_identity](#input\_max\_sessions\_per\_identity) | Defines the maximum allowed sessions per identity required by the account. Supports any whole number greater than '0', or 'NOT\_SET' to unset account setting and use service default. | `string` | `"NOT_SET"` | no |
| [mfa](#input\_mfa) | Specify Multi-Factor Authentication method in the account. Supported valid values are 'NONE' (No MFA trait set), 'TOTP' (For all non-federated IBMId users), 'TOTP4ALL' (For all users), 'LEVEL1' (Email based MFA for all users), 'LEVEL2' (TOTP based MFA for all users), 'LEVEL3' (U2F MFA for all users). | `string` | `"TOTP4ALL"` | no |
| [public\_access\_enabled](#input\_public\_access\_enabled) | Enable or disable the public access group, in which resources are open to anyone regardless of whether they are a member of your account | `bool` | `false` | no |
| [refresh\_token\_expiration](#input\_refresh\_token\_expiration) | Defines the refresh token expiration in seconds | `string` | `"259200"` | no |
| [serviceid\_creation](#input\_serviceid\_creation) | When restriction is enabled, only users, including the account owner, assigned the Service ID creator role on the IAM Identity Service can create service IDs. Allowed values are 'RESTRICTED', 'NOT\_RESTRICTED', or 'NOT\_SET' (to 'unset' a previous set value). | `string` | `"RESTRICTED"` | no |
| [shell\_settings\_enabled](#input\_shell\_settings\_enabled) | Enable global shell settings to all users in the account. If `skip_cloud_shell_calls` is set to true, then this setting is ignored. | `bool` | `false` | no |
| [skip\_cloud\_shell\_calls](#input\_skip\_cloud\_shell\_calls) | Skip Cloud Shell calls in the account. | `bool` | `false` | no |
| [user\_mfa](#input\_user\_mfa) | Specify the Multi-Factor Authentication method for specific users in the account. Supported valid values are 'NONE' (No MFA trait set), 'TOTP' (For all non-federated IBMId users), 'TOTP4ALL' (For all users), 'LEVEL1' (Email based MFA for all users), 'LEVEL2' (TOTP based MFA for all users), 'LEVEL3' (U2F MFA for all users). An example of the format is available here > https://github.com/terraform-ibm-modules/terraform-ibm-iam-account-settings#usage | <pre>set(object({<br>  iam_id = string<br>  mfa    = string<br>}))</pre> | `[]` | no |
| [user\_mfa\_reset](#input\_user\_mfa\_reset) | Set to true to delete all user MFA settings configured in the targeted account, ignoring any entries declared in var `user_mfa` | `bool` | `false` | no |

### Outputs

| Name | Description |
|------|-------------|
| [account\_allowed\_ip\_addresses](#output\_account\_allowed\_ip\_addresses) | Current allowed IP addresses |
| [account\_allowed\_ip\_addresses\_control\_mode](#output\_account\_allowed\_ip\_addresses\_control\_mode) | Current allowed IP addresses enforcement control mode; indicates RESTRICT if account\_allowed\_ip\_addresses\_enforced is TRUE |
| [account\_allowed\_ip\_addresses\_enforced](#output\_account\_allowed\_ip\_addresses\_enforced) | Current allowed IP addresses enforcement state |
| [account\_iam\_access\_token\_expiration](#output\_account\_iam\_access\_token\_expiration) | Current access token expiration |
| [account\_iam\_active\_session\_timeout](#output\_account\_iam\_active\_session\_timeout) | Current active session timeout |
| [account\_iam\_apikey\_creation](#output\_account\_iam\_apikey\_creation) | Current state of API key creation restriction |
| [account\_iam\_inactive\_session\_timeout](#output\_account\_iam\_inactive\_session\_timeout) | Current inactive session timeout |
| [account\_iam\_mfa](#output\_account\_iam\_mfa) | Current MFA setting |
| [account\_iam\_refresh\_token\_expiration](#output\_account\_iam\_refresh\_token\_expiration) | Current refresh token expiration |
| [account\_iam\_serviceid\_creation](#output\_account\_iam\_serviceid\_creation) | Current state of ServiceID creation restriction |
| [account\_iam\_user\_mfa\_list](#output\_account\_iam\_user\_mfa\_list) | Current list of users with specific MFA settings |
| [account\_public\_access](#output\_account\_public\_access) | Current state of public access group setting |
| [account\_shell\_settings\_status](#output\_account\_shell\_settings\_status) | Current state of global shell setting |
| [account\_zones](#output\_account\_zones) | Current CBR zones managed by the module |

## Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See [Report an issue or request a feature](https://github.com/terraform-ibm-modules/.github/blob/main/.github/SUPPORT.md).

To set up your local development environment, see [Local development setup](https://terraform-ibm-modules.github.io/documentation/#/local-dev-setup) in the project documentation.