terraform-ibm-modules/terraform-ibm-s2s-auth

Terraform IBM Service-to-service authorization module

Status: Graduated (Supported)

This module generates authorization policies and context-based restriction (CBR) rules to enable access and restrictions between a source service and a target service.

Overview

[Diagram: terraform-ibm-s2s-auth overview; image not included in this extract]

Usage

```hcl
module "service_auth_cbr_rules" {
  source  = "terraform-ibm-modules/s2s-auth/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  # Each key of service_map is a unique name for one source/target pair. The
  # attribute names must match the var.service_map object type listed under
  # Inputs (resource groups are source_resource_group_id/target_resource_group_id).
  # enforcement_mode is a CBR setting and belongs to var.cbr_target_service_details,
  # not to service_map.
  service_map = {
    "test-policy-1" = {
      description                 = "This is a test auth policy"
      roles                       = ["Reader"]
      source_service_name         = "cloud-object-storage"
      source_resource_instance_id = "<source_resource_instance_guid>"
      target_service_name         = "kms"
      target_resource_instance_id = "<target_resource_instance_guid>"
    }
    "test-policy-2" = {
      description              = "This is a test auth policy"
      roles                    = ["Reader"]
      source_service_name      = "containers-kubernetes"
      source_resource_group_id = "<source_rg>"
      target_service_name      = "kms"
      target_resource_group_id = "<target_rg>"
    }
  }
}
```

Required IAM access policies

You need the following permissions to run this module.

  • You must have access to the target service to create an authorization between services. You can grant only the level of access that you have as a user of the target service. For example, if you have viewer access on the target service, you can assign only the viewer role for the authorization.

Requirements

Name        Version
terraform   >= 1.9.0
ibm         >= 1.79.0, < 2.0.0

Modules

Name        Source                                                        Version
cbr_rules   terraform-ibm-modules/cbr/ibm//modules/cbr-service-profile   1.33.2

Resources

Name                                          Type
ibm_iam_authorization_policy.auth_policies    resource

Inputs

cbr_target_service_details
  Description: Details of the target service for which the rule has to be created.
  Type:
    list(object({
      target_service_name = string
      target_rg           = optional(string)
      enforcement_mode    = string
      tags                = optional(list(string))
    }))
  Default: []
  Required: no

enable_cbr
  Description: Set to true to enable creation of Context Based Restrictions (CBR) for services defined in var.cbr_target_service_details. When true, var.zone_vpc_crn_list and var.zone_service_ref_list must be provided to create and attach the required CBR zones. When false, no CBR zones or rules are created.
  Type: bool
  Default: true
  Required: no

prefix
  Description: Prefix for new CBR zones and rules.
  Type: string
  Default: null
  Required: no

service_map
  Description: Map of unique service pairs and their authorization config.
  Type:
    map(object({
      source_service_name         = string
      target_service_name         = string
      roles                       = list(string)
      description                 = optional(string, null)
      source_service_account_id   = optional(string, null)
      source_resource_instance_id = optional(string, null)
      target_resource_instance_id = optional(string, null)
      source_resource_group_id    = optional(string, null)
      target_resource_group_id    = optional(string, null)
    }))
  Default: {}
  Required: no

zone_service_ref_list
  Description: Service reference for the zone creation.
  Type:
    map(object({
      service_ref_location = optional(list(string), [])
    }))
  Default: {}
  Required: no

zone_vpc_crn_list
  Description: CRN of the VPC for the zones.
  Type: list(string)
  Default: []
  Required: no
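The two inputs that carry security decisions are service_map (who may call whom, with which roles, scoped to which instances) and cbr_target_service_details (whether the network rule actually blocks). Two things are easy to get wrong in the Usage block above: a key that is not in the documented object type (for example source_rg or enforcement_mode inside service_map) is not applied, and a policy that names neither a resource instance nor a resource group applies to every instance of that service in the account. The following pre-apply audit is an added example, not code from the module; it reads a .tfvars.json document (the JSON form Terraform accepts for variable values), checks the attribute names against the Inputs table, flags unscoped policies, write-capable roles and CBR rules left in "report" mode, and runs on a constructed sample. The role set in WRITE_ROLES and the sample values are assumptions.

```python
"""Pre-apply audit of a terraform-ibm-s2s-auth .tfvars.json file (added example,
not part of the module). Findings cover: keys outside the documented variable
types, unscoped source/target, write-capable roles, and non-blocking CBR rules."""
import json

# Attribute names copied from the module's Inputs table.
SERVICE_MAP_KEYS = {
    "source_service_name", "target_service_name", "roles", "description",
    "source_service_account_id", "source_resource_instance_id",
    "target_resource_instance_id", "source_resource_group_id",
    "target_resource_group_id",
}
CBR_TARGET_KEYS = {"target_service_name", "target_rg", "enforcement_mode", "tags"}
SCOPE_KEYS = {
    "source": ("source_resource_instance_id", "source_resource_group_id"),
    "target": ("target_resource_instance_id", "target_resource_group_id"),
}
# Assumption: roles that grant more than read access on a typical target service.
WRITE_ROLES = {"Writer", "Manager", "Administrator", "Editor"}


def audit_service_map(service_map):
    """Return one finding dict per problem found in var.service_map."""
    findings = []
    for name, policy in service_map.items():
        unknown = sorted(set(policy) - SERVICE_MAP_KEYS)
        if unknown:
            findings.append({"item": name, "severity": "high",
                             "issue": f"keys outside the service_map type are not applied: {unknown}"})
        for side, keys in SCOPE_KEYS.items():
            # Neither an instance id nor a resource group id: the policy covers
            # every instance of that service in the account.
            if not any(policy.get(k) for k in keys):
                service = policy.get(f"{side}_service_name", "?")
                findings.append({"item": name, "severity": "medium",
                                 "issue": f"{side} unscoped: applies to every {service} instance in the account"})
        broad = sorted(set(policy.get("roles", [])) & WRITE_ROLES)
        if broad:
            findings.append({"item": name, "severity": "medium",
                             "issue": f"grants write-capable roles {broad}; confirm the source needs more than Reader"})
    return findings


def audit_cbr_targets(cbr_targets):
    """Return findings for var.cbr_target_service_details."""
    findings = []
    for target in cbr_targets:
        name = f"cbr:{target.get('target_service_name', '?')}"
        unknown = sorted(set(target) - CBR_TARGET_KEYS)
        if unknown:
            findings.append({"item": name, "severity": "high",
                             "issue": f"keys outside the cbr_target_service_details type are not applied: {unknown}"})
        # CBR enforcement modes are enabled, disabled and report; only "enabled" blocks.
        if target.get("enforcement_mode") != "enabled":
            findings.append({"item": name, "severity": "medium",
                             "issue": f"enforcement_mode={target.get('enforcement_mode')!r}: rule does not block requests"})
    return findings


def audit_tfvars(text):
    """Audit a .tfvars.json document and return all findings."""
    data = json.loads(text)
    findings = audit_service_map(data.get("service_map", {}))
    if data.get("enable_cbr", True):  # module default is true
        findings += audit_cbr_targets(data.get("cbr_target_service_details", []))
    else:
        findings.append({"item": "enable_cbr", "severity": "medium",
                         "issue": "CBR disabled: no network restriction on the target services"})
    return findings


# Constructed sample mirroring the README usage. The second policy carries the
# stray keys source_rg and enforcement_mode, no scoping, and a write-capable role.
SAMPLE_TFVARS = json.dumps({
    "service_map": {
        "cos-to-kms": {
            "description": "COS reads root keys from KMS",
            "roles": ["Reader"],
            "source_service_name": "cloud-object-storage",
            "source_resource_instance_id": "<source_resource_instance_guid>",
            "target_service_name": "kms",
            "target_resource_instance_id": "<target_resource_instance_guid>",
        },
        "iks-to-kms": {
            "roles": ["Reader", "Manager"],
            "source_service_name": "containers-kubernetes",
            "source_rg": "<source_rg>",
            "target_service_name": "kms",
            "enforcement_mode": "report",
        },
    },
    "cbr_target_service_details": [
        {"target_service_name": "kms", "enforcement_mode": "report"},
    ],
})

if __name__ == "__main__":
    for f in audit_tfvars(SAMPLE_TFVARS):
        print(f"[{f['severity']}] {f['item']}: {f['issue']}")
```

Run it against a real file with `audit_tfvars(open("terraform.tfvars.json").read())` before `terraform apply`; the first policy in the sample produces no findings, the second produces four, and the CBR rule in report mode produces one. Treat the "keys not applied" finding as a blocker: the policy that results is broader than the one the author wrote down.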

Outputs

Name            Description
auth_policies   Authorizations created
cbr_rules       CBR rules created

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.

About

This module sets up a list of service-to-service (s2s) authorization policies and CBR rules.
