https://github.com/terraform-ibm-modules/terraform-ibm-s2s-auth

This module is to set up a list of s2s authorization policies, and cbr rules

# Terraform IBM Service-to-service authorization module

[![Graduated (Supported)](https://img.shields.io/badge/Status-Graduated%20(Supported)-brightgreen)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-s2s-auth?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-s2s-auth/releases/latest)
[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
[![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/)
[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)

This module generates authorization policies and context-based restriction (CBR) rules to enable access and restrictions between a source service and a target service.

## Overview
* [terraform-ibm-s2s-auth](#terraform-ibm-s2s-auth)
* [Examples](./examples)
    * [Basic example](./examples/basic)
    * [Complete example](./examples/complete)
* [Contributing](#contributing)

## terraform-ibm-s2s-auth

### Usage

```hcl
module "service_auth_cbr_rules" {
  source  = "terraform-ibm-modules/s2s-auth/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  # Each entry creates one IAM authorization policy from the source service to the
  # target service. Attribute names follow the service_map input schema (see Inputs).
  service_map = [
    {
      description                 = "This is a test auth policy"
      source_service_name         = "cloud-object-storage"
      source_resource_instance_id = "<source-instance-id>" # placeholder: scope the policy to one source instance
      target_service_name         = "kms"
      target_resource_instance_id = "<target-instance-id>" # placeholder: scope the policy to one target instance
      roles                       = ["Reader"]
    },
    {
      description              = "This is a test auth policy"
      source_service_name      = "containers-kubernetes"
      source_resource_group_id = "<source-resource-group-id>" # placeholder: scope by resource group instead
      target_service_name      = "kms"
      target_resource_group_id = "<target-resource-group-id>" # placeholder
      roles                    = ["Reader"]
    }
  ]

  # enforcement_mode belongs to the CBR rule on the target service, not to the
  # authorization policy (see the cbr_target_service_details input).
  cbr_target_service_details = [
    {
      target_service_name = "kms"
      enforcement_mode    = "report"
    }
  ]
}
```

### Required IAM access policies

You need the following permissions to run this module.

* You must have access to the target service to create an authorization between services. You can grant only the level of access that you have as a user of the target service. For example, if you have viewer access on the target service, you can assign only the viewer role for the authorization.

### Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
| [ibm](#requirement\_ibm) | >= 1.70.0, <2.0.0 |

### Modules

| Name | Source | Version |
|------|--------|---------|
| [cbr\_rules](#module\_cbr\_rules) | terraform-ibm-modules/cbr/ibm//modules/cbr-service-profile | 1.29.0 |

### Resources

| Name | Type |
|------|------|
| [ibm_iam_authorization_policy.auth_policies](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |

### Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [cbr\_target\_service\_details](#input\_cbr\_target\_service\_details) | Details of the target service for which the rule has to be created. | `list(object({ target_service_name = string, target_rg = optional(string), enforcement_mode = string, tags = optional(list(string)) }))` | `[]` | no |
| [prefix](#input\_prefix) | Prefix for new CBR zones and rules. | `string` | `null` | no |
| [service\_map](#input\_service\_map) | Map of source service and the corresponding target service details. | `list(object({ source_service_name = string, target_service_name = string, roles = list(string), description = optional(string, null), source_resource_instance_id = optional(string, null), target_resource_instance_id = optional(string, null), source_resource_group_id = optional(string, null), target_resource_group_id = optional(string, null) }))` | `[]` | no |
| [zone\_service\_ref\_list](#input\_zone\_service\_ref\_list) | Service reference for the zone creation. | `map(object({ service_ref_location = optional(list(string), []) }))` | `{}` | no |
| [zone\_vpc\_crn\_list](#input\_zone\_vpc\_crn\_list) | CRN of the VPC for the zones. | `list(string)` | `[]` | no |
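As an added illustration (not taken from the module's README or repository), the configuration below wires all five inputs from the table together: the authorization policy is scoped to one source instance, a VPC zone and a service-reference zone feed the CBR rule on the target, and the rule starts in report mode. The CRN, instance id and account id are placeholders, and the assumption that `zone_service_ref_list` is keyed by source service name is mine, not stated on this page.

```hcl
module "cos_to_kms" {
  source  = "terraform-ibm-modules/s2s-auth/ibm"
  version = "X.X.X" # pin to a released version

  prefix = "prod-s2s" # prefix for the generated CBR zones and rules

  # One authorization policy: a single COS instance may reach KMS.
  # "Reader", as in the usage example above, is the smallest role; grant nothing wider.
  service_map = [
    {
      description                 = "COS instance -> KMS"
      source_service_name         = "cloud-object-storage"
      source_resource_instance_id = "<cos-instance-id>" # placeholder
      target_service_name         = "kms"
      roles                       = ["Reader"]
    }
  ]

  # CBR zones: the rule will only admit traffic to KMS that originates from this
  # VPC or from the COS service itself (service reference).
  zone_vpc_crn_list = ["crn:v1:bluemix:public:is:us-south:a/<account-id>::vpc:<vpc-id>"] # placeholder CRN
  zone_service_ref_list = {
    # Assumed: map keys are service names; locations restrict the service reference.
    "cloud-object-storage" = {
      service_ref_location = ["us-south"]
    }
  }

  # CBR rule on the target. "report" logs requests that fall outside the zones
  # without blocking them; switch to "enabled" once the logs show only expected
  # sources, so a mistaken zone cannot lock legitimate callers out of KMS.
  cbr_target_service_details = [
    {
      target_service_name = "kms"
      enforcement_mode    = "report"
      tags                = ["env:prod", "owner:security"]
    }
  ]
}

# Surface the created rules so their ids can be reviewed or referenced elsewhere.
output "kms_cbr_rules" {
  value = module.cos_to_kms.cbr_rules
}
```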

### Outputs

| Name | Description |
|------|-------------|
| [auth\_policies](#output\_auth\_policies) | Authorizations created |
| [cbr\_rules](#output\_cbr\_rules) | CBR Rules created |

## Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See [Report an issue or request a feature](https://github.com/terraform-ibm-modules/.github/blob/main/.github/SUPPORT.md).

To set up your local development environment, see [Local development setup](https://terraform-ibm-modules.github.io/documentation/#/local-dev-setup) in the project documentation.