terraform-ibm-modules/terraform-ibm-account-infrastructure-base

IBM Cloud Account infrastructure base module


This module is a general base layer for setting up a newly provisioned account. By default it provisions:

  • Base Resource Group
  • IAM Account Settings
  • Trusted Profile + Access Group for Projects

This module also optionally supports provisioning the following resources:

  • Activity Tracker routing + COS instance and bucket

[Architecture diagram: account-infrastructure-base]

Overview

Reference architectures

  • terraform-ibm-account-infrastructure-base

Current limitations

The module does not yet set the following FSCloud requirements:

  • Check whether user list visibility restrictions are configured in IAM settings for the account owner
    • Workaround: follow these steps to set this manually in the UI
  • Check whether the Financial Services Validated setting is enabled in account settings
    • Workaround: follow these steps to set this manually in the UI

Tracking issue in the IBM provider: IBM-Cloud/terraform-provider-ibm#4204

Usage

Before You Begin

If you use this module to create an Activity Tracker (ATracker) route and an IBM Cloud Object Storage instance and bucket, and the bucket is encrypted with a key from a key management service (Key Protect or Hyper Protect Crypto Services) in a different account, you must first create an IAM authorization policy in the account that owns the key management service instance. That policy must grant the IBM Cloud Object Storage service in this account the Reader role on the key management service instance. The module does not create this cross-account policy for you; the policy it can create (when skip_cos_kms_auth_policy is false) is created in the account you are applying it to.
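As an added example (not part of the module or its documentation), the cross-account policy described above written in Terraform. It is applied with a provider configured for the account that owns the key management service instance. The variable names, the provider alias and the account and instance IDs are placeholders for this example, not module inputs. The policy is scoped to the whole Cloud Object Storage service in the source account because the COS instance this module creates does not exist yet at the point where the policy must already be in place.

```hcl
# Added example: cross-account authorization policy, created in the account that
# owns the Key Protect / Hyper Protect Crypto Services instance. The variables and
# the provider alias below are assumptions for this example, not module inputs.

variable "kms_account_api_key" {
  description = "API key with rights to manage IAM authorizations in the account that owns the KMS instance"
  type        = string
  sensitive   = true
}

variable "cos_account_id" {
  description = "Account ID of the account where the module (and its COS instance) is deployed"
  type        = string
}

variable "kms_instance_guid" {
  description = "GUID of the Key Protect or HPCS instance that owns the key in kms_key_crn"
  type        = string
}

provider "ibm" {
  alias            = "kms_account"
  ibmcloud_api_key = var.kms_account_api_key
  region           = "us-south"
}

resource "ibm_iam_authorization_policy" "cos_to_kms_cross_account" {
  provider = ibm.kms_account

  # Source: the Cloud Object Storage service in the other (module) account.
  # source_resource_instance_id is deliberately omitted: the COS instance is
  # created by the module only after this policy exists. Tighten the policy to
  # that instance GUID afterwards if your policy requires it.
  source_service_name    = "cloud-object-storage"
  source_service_account = var.cos_account_id

  # Target: the KMS instance in this account. Use "hs-crypto" for HPCS.
  target_service_name         = "kms"
  target_resource_instance_id = var.kms_instance_guid

  # Reader is all COS needs to wrap and unwrap with the root key; grant no more.
  roles = ["Reader"]
}
```

Apply this in the key-owning account before running the module, because the bucket cannot be created with that key until the policy exists. Note that this policy and the in-account one the module creates when skip_cos_kms_auth_policy is false are separate objects; when the key lives in another account you may need to set skip_cos_kms_auth_policy = true so the module does not try to create an in-account policy against an instance it does not own.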

```hcl
locals {
  at_endpoint = "https://api.us-south.logging.cloud.ibm.com"
}

# Both logdna provider aliases must be declared: the observability submodule that
# configures Activity Tracker routing requires them. servicekey is left empty here.
provider "logdna" {
  alias      = "at"
  servicekey = ""
  url        = local.at_endpoint
}

provider "logdna" {
  alias      = "ld"
  servicekey = ""
  url        = local.at_endpoint
}

module "enterprise_account" {
  source  = "terraform-ibm-modules/account-infrastructure-base/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  providers = { # providers block necessary for the logdna provider aliases
    logdna.at = logdna.at
    logdna.ld = logdna.ld
  }
  region                            = "us-south"
  provision_atracker_cos            = true  # enables provisioning of the Activity Tracker route + COS resources
  observability_resource_group_name = "account-base-observability-rg" # required when provision_atracker_cos is true, unless existing_cos_resource_group_name is set
  skip_cos_kms_auth_policy          = false # false: the module creates the authorization policy between the COS instance and the KMS instance in kms_key_crn
  kms_key_crn                       = "crn:v1:bluemix:public:(kms|hs-crypto):(region):a/(Account ID):(KMS instance GUID):key:(Key ID)"
  cos_instance_name                 = "account-base-cos-instance"
  cos_bucket_name                   = "atracker-cos-bucket"
  cos_target_name                   = "atracker-cos-target"
  trusted_profile_name              = "account-base-trusted-profile"
  activity_tracker_route_name       = "atracker-cos-route"
}
```

Required IAM access policies

You need the following permissions to run this module.

  • Account Management
    • All Account Management services
      • Administrator platform access
    • IAM Services
      • Cloud Object Storage service
        • Editor platform access
        • Manager service access
      • Activity Tracker service
        • Administrator platform access
        • Writer service access

Requirements

| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| ibm | >= 1.62.0, < 2.0.0 |
| logdna | >= 1.14.2, < 2.0.0 |

Modules

| Name | Source | Version |
|---|---|---|
| account_settings | terraform-ibm-modules/iam-account-settings/ibm | 2.10.1 |
| activity_tracker | terraform-ibm-modules/observability-instances/ibm//modules/activity_tracker | 2.13.1 |
| cos | terraform-ibm-modules/cos/ibm//modules/fscloud | 8.4.1 |
| existing_resource_group | terraform-ibm-modules/resource-group/ibm | 1.1.6 |
| resource_group | terraform-ibm-modules/resource-group/ibm | 1.1.6 |
| trusted_profile_projects | terraform-ibm-modules/trusted-profile/ibm | 1.0.4 |

Resources

No resources.

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_token_expiration | Access token expiration in seconds. | string | "3600" | no |
| active_session_timeout | How long (seconds) a user is allowed to work continuously in the account. | number | 86400 | no |
| activity_tracker_locations | Locations covered by the Activity Tracker route; logs from these locations are sent to the specified target. Accepts individual regions as well as global and *. | list(string) | ["*", "global"] | no |
| activity_tracker_route_name | Name of the Activity Tracker route; required if provision_atracker_cos is true. | string | null | no |
| allowed_ip_addresses | IP addresses and subnets from which IAM tokens can be created for the account. | list(any) | [] | no |
| api_creation | When restricted, only users (including the account owner) assigned the User API key creator role on the IAM Identity Service can create API keys. Allowed values: RESTRICTED, NOT_RESTRICTED, or NOT_SET (to unset a previously set value). | string | "RESTRICTED" | no |
| audit_resource_group_name | Name of the audit resource group to create. | string | null | no |
| cos_bucket_access_tags | Access tags applied to the created bucket. | list(string) | [] | no |
| cos_bucket_archive_days | Number of days after which objects in the bucket are archived. | number | 20 | no |
| cos_bucket_archive_enabled | Set to true to enable archiving on the COS bucket. | bool | false | no |
| cos_bucket_archive_type | Archive tier to use on the bucket. | string | "Glacier" | no |
| cos_bucket_cbr_rules | CBR rules for the COS bucket. | list(object({ description = string, account_id = string, rule_contexts = list(object({ attributes = optional(list(object({ name = string, value = string }))) })), enforcement_mode = string, tags = optional(list(object({ name = string, value = string })), []), operations = optional(list(object({ api_types = list(object({ api_type_id = string })) }))) })) | [] | no |
| cos_bucket_expire_days | Number of days before objects expire. | number | 365 | no |
| cos_bucket_expire_enabled | Controls the expiry rule on the bucket. | bool | false | no |
| cos_bucket_management_endpoint_type | Endpoint type the IBM Terraform provider uses to manage the bucket (public, private or direct). | string | "public" | no |
| cos_bucket_name | Name of the COS bucket to create for Activity Tracker logs; required if provision_atracker_cos is true. | string | null | no |
| cos_bucket_object_versioning_enabled | Controls object versioning on the bucket. | bool | false | no |
| cos_bucket_retention_default | Default duration (days) an object is kept unmodified in the COS bucket. | number | 90 | no |
| cos_bucket_retention_enabled | Enables a retention policy on the COS bucket. | bool | false | no |
| cos_bucket_retention_maximum | Maximum duration (days) an object can be kept unmodified in the COS bucket. | number | 350 | no |
| cos_bucket_retention_minimum | Minimum duration (days) an object must be kept unmodified in the COS bucket. | number | 90 | no |
| cos_bucket_retention_permanent | Enables or disables permanent retention for the COS bucket. | bool | false | no |
| cos_bucket_storage_class | COS bucket storage class. | string | null | no |
| cos_instance_access_tags | Access tags applied to the created COS instance. | list(string) | [] | no |
| cos_instance_cbr_rules | CBR rules for the COS instance. | list(object({ description = string, account_id = string, rule_contexts = list(object({ attributes = optional(list(object({ name = string, value = string }))) })), enforcement_mode = string, tags = optional(list(object({ name = string, value = string })), []), operations = optional(list(object({ api_types = list(object({ api_type_id = string })) }))) })) | [] | no |
| cos_instance_name | Name of the Cloud Object Storage instance the module provisions; required if provision_atracker_cos is true. | string | null | no |
| cos_plan | Plan of the COS instance created by the module. | string | "standard" | no |
| cos_target_name | Name of the COS target for Activity Tracker; required if provision_atracker_cos is true. | string | null | no |
| devops_resource_group_name | Name of the devops resource group to create. | string | null | no |
| edge_resource_group_name | Name of the edge resource group to create. | string | null | no |
| enforce_allowed_ip_addresses | If true, the IP address restriction is enforced. If false, traffic originating outside the allowed IP address set is only monitored, with audit events sent to SIEM and Activity Tracker. After testing in monitored mode, set this explicitly to true to enforce IP allow listing. | bool | true | no |
| existing_cos_resource_group_name | Name of an existing resource group to use for the COS instance and bucket; required if provision_atracker_cos is true and observability_resource_group_name is not provided. | string | null | no |
| inactive_session_timeout | How long (seconds) a user may stay logged in to the account while inactive or idle. | string | "7200" | no |
| kms_key_crn | CRN of the KMS key used to encrypt the data in the COS bucket; required if provision_atracker_cos is true. | string | null | no |
| management_resource_group_name | Name of the management resource group to create. | string | null | no |
| max_sessions_per_identity | Maximum number of sessions allowed per identity in the account. Accepts any whole number greater than 0, or NOT_SET to unset the account setting and use the service default. | string | "NOT_SET" | no |
| mfa | Multi-Factor Authentication method for the account. Valid values: NONE (no MFA trait set), TOTP (all non-federated IBMid users), TOTP4ALL (all users), LEVEL1 (email-based MFA for all users), LEVEL2 (TOTP-based MFA for all users), LEVEL3 (U2F MFA for all users). | string | "TOTP4ALL" | no |
| observability_resource_group_name | Name of the observability resource group to create; required if provision_atracker_cos is true and existing_cos_resource_group_name is not provided. | string | null | no |
| provision_atracker_cos | Enable to create an Activity Tracker route and a COS instance + bucket. | bool | false | no |
| provision_trusted_profile_projects | Controls whether the Trusted Profile for Projects is provisioned. | bool | true | no |
| public_access_enabled | Enables or disables the Public Access group, whose resources are open to anyone regardless of whether they are a member of your account. | bool | false | no |
| refresh_token_expiration | Refresh token expiration in seconds. | string | "259200" | no |
| region | Region in which to provision the COS resources created by this solution. | string | "us-south" | no |
| resource_tags | Tags applied to the COS resources created by the module. | list(string) | [] | no |
| security_resource_group_name | Name of the security resource group to create. | string | null | no |
| serviceid_creation | When restricted, only users (including the account owner) assigned the Service ID creator role on the IAM Identity Service can create service IDs. Allowed values: RESTRICTED, NOT_RESTRICTED, or NOT_SET (to unset a previously set value). | string | "RESTRICTED" | no |
| shell_settings_enabled | Enable global shell settings for all users in the account. | bool | false | no |
| skip_atracker_cos_iam_auth_policy | Set to true to skip creating the IAM authorization policy that grants the Activity Tracker service Object Writer access to the Cloud Object Storage instance provisioned by this module. If skipping, you must ensure the policy exists in the account before running the module. | bool | false | no |
| skip_cloud_shell_calls | Skip Cloud Shell calls in the account. | bool | false | no |
| skip_cos_kms_auth_policy | Set to true to skip creating the IAM authorization policy between the IBM Cloud Object Storage instance and the key management service instance identified by kms_key_crn. Has no effect if provision_atracker_cos is false. | bool | false | no |
| trusted_profile_description | Description of the trusted profile. | string | "Trusted Profile for Projects access" | no |
| trusted_profile_name | Name of the trusted profile; required if provision_trusted_profile_projects is true. | string | null | no |
| trusted_profile_roles | Roles given to the trusted profile. | list(string) | ["Administrator"] | no |
| user_mfa | Multi-Factor Authentication method for specific users in the account. Valid values as for mfa: NONE, TOTP, TOTP4ALL, LEVEL1, LEVEL2, LEVEL3. Example of the format: https://github.com/terraform-ibm-modules/terraform-ibm-iam-account-settings#usage | set(object({ iam_id = string, mfa = string })) | [] | no |
| user_mfa_reset | Set to true to delete all user MFA settings configured in the targeted account, ignoring entries declared in user_mfa. | bool | false | no |
| workload_resource_group_name | Name of the workload resource group to create. | string | null | no |
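An added example (not from the module's own documentation) of a hardened invocation that pulls several of the inputs above together: the two-phase rollout of the IP allow list described under enforce_allowed_ip_addresses, a per-user MFA override in the user_mfa format, retention on the audit bucket, and a context-based restriction (CBR) rule on that bucket. It assumes the logdna.at and logdna.ld provider aliases from the Usage section exist; the var.* inputs, the IBMid, the subnet and the resource names are placeholders for this example.

```hcl
# Added example of a hardened invocation; names, IDs and addresses are placeholders.
# Assumes the logdna.at / logdna.ld provider aliases from the Usage section exist.

variable "account_id" {
  description = "ID of the account being configured (assumed input for this example)"
  type        = string
}

variable "kms_key_crn" {
  description = "CRN of the root key used for the Activity Tracker bucket"
  type        = string
}

# Network zone of the hosts allowed to administer the audit bucket.
# 203.0.113.0/24 is a constructed documentation range; use your admin egress addresses.
resource "ibm_cbr_zone" "audit_admins" {
  name       = "audit-bucket-admin-zone"
  account_id = var.account_id
  addresses {
    type  = "subnet"
    value = "203.0.113.0/24"
  }
}

module "enterprise_account" {
  source  = "terraform-ibm-modules/account-infrastructure-base/ibm"
  version = "X.X.X" # pin to a release
  providers = {
    logdna.at = logdna.at
    logdna.ld = logdna.ld
  }

  region = "us-south"

  # ---- IAM account settings ----
  mfa = "TOTP4ALL"
  user_mfa = [
    # Per-user override in the user_mfa format (IBMid is a placeholder):
    # require U2F for the account's primary administrator.
    { iam_id = "IBMid-EXAMPLEADMIN", mfa = "LEVEL3" },
  ]
  api_creation              = "RESTRICTED"
  serviceid_creation        = "RESTRICTED"
  public_access_enabled     = false
  max_sessions_per_identity = "5"

  # Phase 1 of the IP allow list: monitor only. Traffic from outside the list is
  # audited rather than blocked. Confirm the address your Terraform runner uses is
  # in the list, then set enforce_allowed_ip_addresses = true in a second apply.
  allowed_ip_addresses         = ["203.0.113.0/24", "198.51.100.7"]
  enforce_allowed_ip_addresses = false

  # ---- Activity Tracker destination ----
  provision_atracker_cos            = true
  observability_resource_group_name = "account-base-observability-rg"
  kms_key_crn                       = var.kms_key_crn
  cos_instance_name                 = "account-base-cos-instance"
  cos_bucket_name                   = "atracker-cos-bucket"
  cos_target_name                   = "atracker-cos-target"
  activity_tracker_route_name       = "atracker-cos-route"
  trusted_profile_name              = "account-base-trusted-profile"

  # Tamper-resistant audit trail: objects cannot be modified for at least 90 days.
  cos_bucket_retention_enabled = true
  cos_bucket_retention_default = 90
  cos_bucket_retention_minimum = 90
  cos_bucket_retention_maximum = 350

  # Only the admin zone may reach the audit bucket. Start in "report" mode and
  # switch to "enabled" once the reported denials look right.
  cos_bucket_cbr_rules = [{
    description      = "Audit bucket reachable only from the admin zone"
    account_id       = var.account_id
    enforcement_mode = "report"
    rule_contexts = [{
      attributes = [{ name = "networkZoneId", value = ibm_cbr_zone.audit_admins.id }]
    }]
  }]
}
```

Two cautions before switching either control from monitoring to enforcement. For the IP allow list, an enforced list that omits the address your CI runner or workstation uses locks every identity, including the one running Terraform, out of token creation. For the CBR rule, a zone containing only your admin subnet will also deny the writes the Activity Tracker service itself makes to the bucket; review the report-mode events and add a service reference (address type serviceRef) for the Activity Tracker service to the zone before setting enforcement_mode to "enabled".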

Outputs

| Name | Description |
|---|---|
| account_allowed_ip_addresses | Account settings: allowed IP addresses |
| account_allowed_ip_addresses_control_mode | Account settings: allowed IP addresses control mode |
| account_allowed_ip_addresses_enforced | Account settings: whether the allowed IP address list is enforced |
| account_iam_access_token_expiration | Account settings: IAM access token expiration |
| account_iam_active_session_timeout | Account settings: IAM active session timeout |
| account_iam_apikey_creation | Account settings: IAM API key creation restriction |
| account_iam_inactive_session_timeout | Account settings: IAM inactive session timeout |
| account_iam_mfa | Account settings: IAM MFA |
| account_iam_refresh_token_expiration | Account settings: IAM refresh token expiration |
| account_iam_serviceid_creation | Account settings: IAM service ID creation restriction |
| account_iam_user_mfa_list | Account settings: IAM user MFA list |
| account_public_access | Account settings: public access |
| account_shell_settings_status | Account settings: shell settings status |
| activity_tracker_routes | Activity Tracker routes |
| activity_tracker_targets | Activity Tracker targets |
| audit_resource_group_id | ID of the audit resource group created by the module. |
| audit_resource_group_name | Name of the audit resource group created by the module. |
| cos_bucket | COS bucket |
| cos_instance_guid | COS instance GUID |
| cos_instance_id | COS instance ID |
| devops_resource_group_id | ID of the devops resource group created by the module. |
| devops_resource_group_name | Name of the devops resource group created by the module. |
| edge_resource_group_id | ID of the edge resource group created by the module. |
| edge_resource_group_name | Name of the edge resource group created by the module. |
| management_resource_group_id | ID of the management resource group created by the module. |
| management_resource_group_name | Name of the management resource group created by the module. |
| observability_resource_group_id | ID of the observability resource group created by the module. |
| observability_resource_group_name | Name of the observability resource group created by the module. |
| security_resource_group_id | ID of the security resource group created by the module. |
| security_resource_group_name | Name of the security resource group created by the module. |
| trusted_profile_projects | Trusted Profile for Projects: profile |
| trusted_profile_projects_claim_rules | Trusted Profile for Projects: claim rules |
| trusted_profile_projects_links | Trusted Profile for Projects: links |
| trusted_profile_projects_policies | Trusted Profile for Projects: policies |
| workload_resource_group_id | ID of the workload resource group created by the module. |
| workload_resource_group_name | Name of the workload resource group created by the module. |

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.