feat: The module was incorrectly creating a COS destination instead of creating a COS integration needed for failed events to work. Due to this change, the cos_destination_name has been removed. If you are updating from a previous version, you will see the expected destroy of the destination (#242)

Author: Ak-sky

README.md

@@ -82,8 +82,8 @@ To create service credentials, access the Event Notifications service, and acces
 
 | Name | Type |
 |------|------|
-| [ibm_en_destination_cos.cos_en_destination](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/en_destination_cos) | resource |
 | [ibm_en_integration.en_kms_integration](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/en_integration) | resource |
+| [ibm_en_integration_cos.en_cos_integration](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/en_integration_cos) | resource |
 | [ibm_iam_authorization_policy.cos_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_resource_instance.en_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
@@ -99,7 +99,6 @@ To create service credentials, access the Event Notifications service, and acces
 |------|-------------|------|---------|:--------:|
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | The list of context-based restrictions rules to create. | <pre>list(object({<br>    description = string<br>    account_id  = string<br>    rule_contexts = list(object({<br>      attributes = optional(list(object({<br>        name  = string<br>        value = string<br>    }))) }))<br>    enforcement_mode = string<br>  }))</pre> | `[]` | no |
 | <a name="input_cos_bucket_name"></a> [cos\_bucket\_name](#input\_cos\_bucket\_name) | The name of an existing IBM Cloud Object Storage bucket which will be used for storage of failed delivery events. Required if `cos_integration_enabled` is set to true. | `string` | `null` | no |
-| <a name="input_cos_destination_name"></a> [cos\_destination\_name](#input\_cos\_destination\_name) | The name of the IBM Cloud Object Storage destination which will be created for the storage of failed delivery events. | `string` | `"COS Destination"` | no |
 | <a name="input_cos_endpoint"></a> [cos\_endpoint](#input\_cos\_endpoint) | The endpoint URL for your bucket region. For more information, see https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-endpoints. Required if `cos_integration_enabled` is set to true. | `string` | `null` | no |
 | <a name="input_cos_instance_id"></a> [cos\_instance\_id](#input\_cos\_instance\_id) | The ID of the IBM Cloud Object Storage instance in which the bucket that is defined in the `cos_bucket_name` variable exists. Required if `cos_integration_enabled` is set to true. | `string` | `null` | no |
 | <a name="input_cos_integration_enabled"></a> [cos\_integration\_enabled](#input\_cos\_integration\_enabled) | Set to `true` to connect a Cloud Object Storage service instance to your Event Notifications instance to collect events that failed delivery. If set to false, no failed events will be captured. | `bool` | `false` | no |

examples/complete/README.md

@@ -7,5 +7,5 @@ An end-to-end example that creates the following infrastructure:
 - An Event Notifications instance with bring-your-own-key encryption.
 - An IBM Cloud Object Storage service instance and bucket to collect events that fail delivery.
 - A Virtual Private Cloud (VPC).
-- A context-based restriction (CBR) rule to allow Event Notifications to be accessible only from within the VPC.
+- A context-based restriction (CBR) rule to allow Event Notifications to be accessible from VPC and Schematics.
 - Service credentials for the Event Notifications instance.

examples/complete/main.tf

@@ -111,6 +111,10 @@ module "cbr_zone_schematics" {
   }]
 }
 
+#############################################################################
+# Create EN instance, destination, topic and subscription
+##############################################################################
+
 module "event_notification" {
   source                    = "../../"
   resource_group_id         = module.resource_group.resource_group_id
@@ -125,9 +129,8 @@ module "event_notification" {
   region                    = var.region
   # COS Related
   cos_integration_enabled = true
-  cos_destination_name    = module.cos.cos_instance_name
   cos_bucket_name         = module.cos.bucket_name
-  cos_instance_id         = module.cos.cos_instance_guid
+  cos_instance_id         = module.cos.cos_instance_crn
   cos_endpoint            = "https://${module.cos.s3_endpoint_public}"
   cbr_rules = [
     {
@@ -158,3 +161,38 @@ module "event_notification" {
     }
   ]
 }
+
+resource "ibm_en_destination_webhook" "webhook_destination" {
+  instance_guid         = module.event_notification.guid
+  name                  = "${var.prefix}-webhook-destination"
+  type                  = "webhook"
+  collect_failed_events = false
+  description           = "Destination webhook for event notification"
+  config {
+    params {
+      verb = "POST"
+      url  = "https://testwebhook.com"
+      custom_headers = {
+        "authorization" = "authorization"
+      }
+      sensitive_headers = ["authorization"]
+    }
+  }
+}
+
+resource "ibm_en_topic" "webhook_topic" {
+  instance_guid = module.event_notification.guid
+  name          = "${var.prefix}-e2e-topic"
+  description   = "Topic for EN events routing"
+}
+
+resource "ibm_en_subscription_webhook" "webhook_subscription" {
+  instance_guid  = module.event_notification.guid
+  name           = "${var.prefix}-webhook-subscription"
+  description    = "The webhook subscription"
+  destination_id = ibm_en_destination_webhook.webhook_destination.destination_id
+  topic_id       = ibm_en_topic.webhook_topic.topic_id
+  attributes {
+    signing_enabled = true
+  }
+}

examples/fscloud/README.md

@@ -8,7 +8,7 @@ The example uses the IBM Cloud Terraform provider to create the following infras
 - An IAM authorization between all Event Notification instances in the given resource group and the KMS instance that is passed in.
 - An Event Notification instance that is encrypted with the KMS root key that is passed in.
 - A sample virtual private cloud (VPC).
-- A context-based restriction (CBR) rule to only allow Event Notification to be accessible from within the VPC.
+- A context-based restriction (CBR) rule to only allow Event Notification to be accessible from VPC and Schematics.
 
 :exclamation: **Important:** In this example, only the Event Notification instance complies with the IBM Cloud Framework for Financial Services. Other parts of the infrastructure do not necessarily comply.
 

examples/fscloud/main.tf

@@ -90,7 +90,7 @@ module "cos" {
     kms_guid                      = local.kms_instance_guid
     kms_key_crn                   = var.root_key_crn
     skip_iam_authorization_policy = false
-    management_endpoint_type      = "public"
+    management_endpoint_type      = "private"
     storage_class                 = "smart"
     region_location               = var.region
     force_delete                  = true
@@ -126,35 +126,38 @@ module "event_notification" {
   region = var.region
   # COS Related
   cos_bucket_name         = module.cos.buckets[local.bucket_name].bucket_name
-  cos_instance_id         = module.cos.cos_instance_guid
+  cos_instance_id         = module.cos.cos_instance_crn
   skip_en_cos_auth_policy = false
   cos_endpoint            = "https://${module.cos.buckets[local.bucket_name].s3_endpoint_private}"
-  cbr_rules = [
-    {
-      description      = "${var.prefix}-event notification access only from vpc"
-      enforcement_mode = "enabled"
-      account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
-      rule_contexts = [{
-        attributes = [
-          {
-            "name" : "endpointType",
-            "value" : "private"
-          },
-          {
-            name  = "networkZoneId"
-            value = module.cbr_vpc_zone.zone_id
-        }]
-        }, {
-        attributes = [
-          {
-            "name" : "endpointType",
-            "value" : "private"
-          },
-          {
-            name  = "networkZoneId"
-            value = module.cbr_zone_schematics.zone_id
-        }]
-      }]
-    }
-  ]
+
+  # There is a known issue https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5525 when adding schematics network zone with private endpoint type to the EN CBR rule, causing this example to fail.
+
+  # cbr_rules = [
+  #   {
+  #     description      = "${var.prefix}-event notification access from vpc and schematics"
+  #     enforcement_mode = "enabled"
+  #     account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  #     rule_contexts = [{
+  #       attributes = [
+  #         {
+  #           "name" : "endpointType",
+  #           "value" : "private"
+  #         },
+  #         {
+  #           name  = "networkZoneId"
+  #           value = module.cbr_vpc_zone.zone_id
+  #       }]
+  #       }, {
+  #       attributes = [
+  #         {
+  #           "name" : "endpointType",
+  #           "value" : "private"
+  #         },
+  #         {
+  #           name  = "networkZoneId"
+  #           value = module.cbr_zone_schematics.zone_id
+  #       }]
+  #     }]
+  #   }
+  # ]
 }

main.tf

@@ -8,6 +8,10 @@ locals {
   validate_kms_values = !var.kms_encryption_enabled && (var.existing_kms_instance_crn != null || var.root_key_id != null || var.kms_endpoint_url != null) ? tobool("When passing values for var.existing_kms_instance_crn or/and var.root_key_id or/and var.kms_endpoint_url, you must set var.kms_encryption_enabled to true. Otherwise unset them to use default encryption") : true
   # tflint-ignore: terraform_unused_declarations
   validate_kms_vars = var.kms_encryption_enabled && (var.existing_kms_instance_crn == null || var.root_key_id == null || var.kms_endpoint_url == null) ? tobool("When setting var.kms_encryption_enabled to true, a value must be passed for var.existing_kms_instance_crn, var.root_key_id and var.kms_endpoint_url") : true
+  # tflint-ignore: terraform_unused_declarations
+  validate_cos_values = !var.cos_integration_enabled && (var.cos_instance_id != null || var.cos_bucket_name != null || var.cos_endpoint != null) ? tobool("When passing values for var.cos_instance_id or/and var.cos_bucket_name or/and var.cos_endpoint, you must set var.cos_integration_enabled to true. Otherwise unset them to disable collection of failed delivery events") : true
+  # tflint-ignore: terraform_unused_declarations
+  validate_cos_vars = var.cos_integration_enabled && (var.cos_instance_id == null || var.cos_bucket_name == null || var.cos_endpoint == null) ? tobool("When setting var.cos_integration_enabled to true, a value must be passed for var.cos_instance_id, var.cos_bucket_name and var.cos_endpoint") : true
 
   # Determine what KMS service is being used for encryption
   kms_service = var.existing_kms_instance_crn != null ? (
@@ -31,23 +35,17 @@ resource "ibm_resource_instance" "en_instance" {
 }
 
 #############################################################################
-# Event Notification COS integration
+# Event Notification COS integration to Collect Failed Events
 #############################################################################
-
-resource "ibm_en_destination_cos" "cos_en_destination" {
-  depends_on            = [time_sleep.wait_for_cos_authorization_policy]
-  count                 = var.cos_integration_enabled ? 1 : 0
-  instance_guid         = ibm_resource_instance.en_instance.guid
-  name                  = var.cos_destination_name
-  type                  = "ibmcos"
-  collect_failed_events = true
-  description           = "IBM Cloud Object Storage destination for collection of failed events."
-  config {
-    params {
-      bucket_name = var.cos_bucket_name
-      instance_id = var.cos_instance_id
-      endpoint    = var.cos_endpoint
-    }
+resource "ibm_en_integration_cos" "en_cos_integration" {
+  depends_on    = [time_sleep.wait_for_cos_authorization_policy]
+  count         = var.cos_integration_enabled ? 1 : 0
+  instance_guid = ibm_resource_instance.en_instance.guid
+  type          = "collect_failed_events"
+  metadata {
+    endpoint    = var.cos_endpoint
+    crn         = var.cos_instance_id
+    bucket_name = var.cos_bucket_name
   }
 }
 
@@ -56,7 +54,11 @@ resource "ibm_en_destination_cos" "cos_en_destination" {
 #############################################################################
 
 locals {
-  en_integration_id = length(data.ibm_en_integrations.en_integrations) > 0 ? data.ibm_en_integrations.en_integrations[0].integrations[0]["id"] : null
+
+  en_integration_id = length(data.ibm_en_integrations.en_integrations) > 0 ? [
+    for integrations in data.ibm_en_integrations.en_integrations[0].integrations :
+    integrations.id if(integrations.type == "kms" || integrations.type == "hs-crypto")
+  ] : null
 }
 
 data "ibm_en_integrations" "en_integrations" {
@@ -68,7 +70,7 @@ resource "ibm_en_integration" "en_kms_integration" {
   depends_on     = [time_sleep.wait_for_kms_authorization_policy]
   count          = var.kms_encryption_enabled == false ? 0 : 1
   instance_guid  = ibm_resource_instance.en_instance.guid
-  integration_id = local.en_integration_id
+  integration_id = local.en_integration_id[0]
   type           = local.kms_service
   metadata {
     endpoint    = var.kms_endpoint_url
@@ -90,6 +92,7 @@ data "ibm_iam_account_settings" "iam_account_settings" {
 
 locals {
   existing_kms_instance_guid = var.kms_encryption_enabled == true ? element(split(":", var.existing_kms_instance_crn), length(split(":", var.existing_kms_instance_crn)) - 3) : null
+  existing_cos_instance_guid = var.cos_integration_enabled == true ? element(split(":", var.cos_instance_id), length(split(":", var.cos_instance_id)) - 3) : null
 }
 
 # Create IAM Authorization Policies to allow event notification to access cos
@@ -98,7 +101,7 @@ resource "ibm_iam_authorization_policy" "cos_policy" {
   source_service_name         = "event-notifications"
   source_resource_instance_id = ibm_resource_instance.en_instance.guid
   roles                       = ["Object Writer", "Reader"]
-  description                 = "Allow EN instance with GUID ${ibm_resource_instance.en_instance.guid} `Object Writer` and `Reader` access to the COS instance with ID ${var.cos_instance_id}."
+  description                 = "Allow EN instance with GUID ${ibm_resource_instance.en_instance.guid} `Object Writer` and `Reader` access to the COS instance with GUID ${local.existing_cos_instance_guid}."
 
   resource_attributes {
     name     = "serviceName"
@@ -114,7 +117,7 @@ resource "ibm_iam_authorization_policy" "cos_policy" {
   resource_attributes {
     name     = "serviceInstance"
     operator = "stringEquals"
-    value    = var.cos_instance_id
+    value    = local.existing_cos_instance_guid
   }
 
   resource_attributes {

modules/fscloud/README.md

@@ -82,10 +82,9 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | The list of context-based restrictions rules to create. | <pre>list(object({<br>    description = string<br>    account_id  = string<br>    rule_contexts = list(object({<br>      attributes = optional(list(object({<br>        name  = string<br>        value = string<br>    }))) }))<br>    enforcement_mode = string<br>  }))</pre> | `[]` | no |
 | <a name="input_cos_bucket_name"></a> [cos\_bucket\_name](#input\_cos\_bucket\_name) | The name of an existing Object Storage bucket to use for the storage of failed delivery events. | `string` | `null` | no |
-| <a name="input_cos_destination_name"></a> [cos\_destination\_name](#input\_cos\_destination\_name) | The name of the IBM Cloud Object Storage destination which will be created for the storage of failed delivery events. | `string` | `"COS Destination"` | no |
 | <a name="input_cos_endpoint"></a> [cos\_endpoint](#input\_cos\_endpoint) | The endpoint URL for your bucket region. Required if `cos_integration_enabled` is set to `true`. [Learn more](https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-endpoints). | `string` | `null` | no |
-| <a name="input_cos_instance_id"></a> [cos\_instance\_id](#input\_cos\_instance\_id) | The ID of the Object Storage instance that contains the bucket that is specified in the `cos_bucket_name` variable. Required only if `cos_integration_enabled` is set to `true`. | `string` | `null` | no |
-| <a name="input_cos_integration_enabled"></a> [cos\_integration\_enabled](#input\_cos\_integration\_enabled) | Whether to connect an Object Storage service instance to your Event Notifications instance to collect events that fail delivery. If set to `false`, no failed events are captured. | `bool` | `true` | no |
+| <a name="input_cos_instance_id"></a> [cos\_instance\_id](#input\_cos\_instance\_id) | The ID of the IBM Cloud Object Storage instance in which the bucket that is defined in the `cos_bucket_name` variable exists. Required if `cos_integration_enabled` is set to true. | `string` | `null` | no |
+| <a name="input_cos_integration_enabled"></a> [cos\_integration\_enabled](#input\_cos\_integration\_enabled) | Whether to connect an Object Storage service instance to your Event Notifications instance to collect events that failed delivery. If set to `false`, no failed events are captured. | `bool` | `true` | no |
 | <a name="input_existing_kms_instance_crn"></a> [existing\_kms\_instance\_crn](#input\_existing\_kms\_instance\_crn) | The CRN of the Hyper Protect Crypto Services or Key Protect instance. To ensure compliance with IBM Cloud Framework for Financial Services standards, it is required to use Hyper Protect Crypto Services only. | `string` | n/a | yes |
 | <a name="input_kms_endpoint_url"></a> [kms\_endpoint\_url](#input\_kms\_endpoint\_url) | The KMS endpoint URL to use when you configure KMS encryption. | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | The name of the Event Notifications instance that is created by this module. | `string` | n/a | yes |

modules/fscloud/main.tf

@@ -16,7 +16,6 @@ module "event_notification" {
   # COS Related
   cos_integration_enabled = var.cos_integration_enabled
   cos_endpoint            = var.cos_endpoint
-  cos_destination_name    = var.cos_destination_name
   cos_bucket_name         = var.cos_bucket_name
   cos_instance_id         = var.cos_instance_id
   skip_en_cos_auth_policy = var.skip_en_cos_auth_policy

modules/fscloud/variables.tf

@@ -70,12 +70,6 @@ variable "cbr_rules" {
 # COS
 ########################################################################################################################
 
-variable "cos_destination_name" {
-  type        = string
-  description = "The name of the IBM Cloud Object Storage destination which will be created for the storage of failed delivery events."
-  default     = "COS Destination"
-}
-
 variable "cos_bucket_name" {
   type        = string
   description = "The name of an existing Object Storage bucket to use for the storage of failed delivery events."
@@ -84,7 +78,7 @@ variable "cos_bucket_name" {
 
 variable "cos_instance_id" {
   type        = string
-  description = "The ID of the Object Storage instance that contains the bucket that is specified in the `cos_bucket_name` variable. Required only if `cos_integration_enabled` is set to `true`."
+  description = "The ID of the IBM Cloud Object Storage instance in which the bucket that is defined in the `cos_bucket_name` variable exists. Required if `cos_integration_enabled` is set to true."
   default     = null
 }
 
@@ -96,7 +90,7 @@ variable "skip_en_cos_auth_policy" {
 
 variable "cos_integration_enabled" {
   type        = bool
-  description = "Whether to connect an Object Storage service instance to your Event Notifications instance to collect events that fail delivery. If set to `false`, no failed events are captured."
+  description = "Whether to connect an Object Storage service instance to your Event Notifications instance to collect events that failed delivery. If set to `false`, no failed events are captured."
   default     = true
 }