From daf3556940b8d22839a7dab1e9feddb2624a1388 Mon Sep 17 00:00:00 2001 From: Vincent Burckhardt Date: Wed, 17 Jan 2024 11:46:54 +0000 Subject: [PATCH 01/14] Edit markdown documents --- README.md | 10 +++++----- examples/fscloud/README.md | 22 +++++++++++----------- examples/multi-resource-rule/README.md | 6 +++--- examples/multi-service-profile/README.md | 20 ++++++++++---------- examples/multizone-rule/README.md | 8 ++++---- examples/zone/README.md | 2 +- modules/fscloud/README.md | 12 ++++++------ tests/README.md | 2 +- 8 files changed, 41 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index fc91850a..3041e349 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Context-based restrictions module +# Context-based Restrictions Module [![Graduated (Supported)](https://img.shields.io/badge/Status-Graduated%20(Supported)-brightgreen)](https://terraform-ibm-modules.github.io/documentation/#/badge-status) [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release) 
@@ -6,9 +6,9 @@ [![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-cbr?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-cbr/releases/latest) [![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/) -This module can be used to provision and configure [Context Based Restrictions](https://cloud.ibm.com/docs/account?topic=account-context-restrictions-create&interface=ui). +This module can be used to provision and configure [Context-Based Restrictions](https://cloud.ibm.com/docs/account?topic=account-context-restrictions-create&interface=ui). -See in particular the [fscloud module](./modules/fscloud/) that enables creating an opiniated account-level coarse-grained set of CBR rules and zones aligned with the "secure by default" principles. +See in particular the [fscloud module](./modules/fscloud/) that enables creating an opinionated account-level coarse-grained set of CBR rules and zones aligned with the "secure by default" principles. ## Overview @@ -23,7 +23,7 @@ See in particular the [fscloud module](./modules/fscloud/) that enables creating * [Multi resource rule example](./examples/multi-resource-rule) * [Multi-zone example](./examples/multizone-rule) * [Pre-wired CBR configuration for FS Cloud example](./examples/fscloud) - * [Zone example](./examples/zone) + * [Zone Example](./examples/zone) * [Contributing](#contributing) 
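Review bot: the two README.md hunks in this patch disagree on the product name: the title hunk writes "Context-based Restrictions Module" while the description hunk writes "Context-Based Restrictions"; pick one capitalization of the hyphenated form and use it in both places. In the table-of-contents hunk only "Zone example" is retitled to "Zone Example", yet the sibling entries still read "CBR multi service profile", "Multi resource rule example" and "Multi-zone example" even though this same patch renames those examples' headings; update the whole list here rather than in a follow-up (patch 02/14 does it) so the README is consistent at every commit.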
@@ -147,4 +147,4 @@ You need the following permissions to run this module. You can report issues and request features for this module in GitHub issues in the module repo. See [Report an issue or request a feature](https://github.com/terraform-ibm-modules/.github/blob/main/.github/SUPPORT.md). -To set up your local development environment, see [Local development setup](https://terraform-ibm-modules.github.io/documentation/#/local-dev-setup) in the project documentation. +To set up your local development environment, see [Local Development Setup](https://terraform-ibm-modules.github.io/documentation/#/local-dev-setup) in the project documentation. diff --git a/examples/fscloud/README.md b/examples/fscloud/README.md index dbc5a2a8..b91a8863 100644 --- a/examples/fscloud/README.md +++ b/examples/fscloud/README.md 
@@ -1,20 +1,20 @@ -# Pre-wired CBR configuration for FS Cloud example +# Pre-wired CBR Configuration for FS Cloud Example This example demonstrates how to use the [fscloud profile](../../profiles/fscloud/) module to lay out a complete "secure by default" coarse-grained CBR topology in a given account. -This examples is designed to show case some of the key customization options for the module. In addition to the pre-wired CBR rules documented at [fscloud profile](../../profiles/fscloud/), this examples show how to customize the module to: -1. Open up network traffic flow from ICD mongodb, ICD Postgresql to the Key Protect private endpoints. -2. Open up network traffic flow from Schematics to Key Protect public endpoints. -3. Open up network traffic flow from a block of IPs to the Schematics public endpoint. -4. Open up network traffic flow from the VPC created in this example to ICD postgresql private endpoints. +This example is designed to showcase some of the key customization options for the module. In addition to the pre-wired CBR rules documented at [fscloud profile](../../profiles/fscloud/), this example shows how to customize the module to: +1. Allow network traffic flow from ICD MongoDB, ICD PostgreSQL to the Key Protect private endpoints. +2. Allow network traffic flow from Schematics to Key Protect public endpoints. +3. Allow network traffic flow from a block of IPs to the Schematics public endpoint. +4. Open up network traffic flow from the VPC created in this example to ICD PostgreSQL private endpoints. 5. Customize the rule description for `kms` and the zone name for `codeengine`. -Context: this examples covers a "pseudo" real-world scenario where: -1. ICD Mongodb and Postgresql instances are encrypted using keys storage in Key Protect. -2. Schematics is used to execute terraform that create Key Protect keys and key ring over its public endpoint. +Context: This example covers a "pseudo" real-world scenario where: +1. 
ICD Mongodb and Postgresql instances are encrypted using keys stored in Key Protect. +2. Schematics is used to execute terraform that creates Key Protect keys and key rings over its public endpoint. 3. Operators use machines with a set list of public IPs to interact with Schematics. -4. Applications are running the VPC and need access to PostgreSQL via the private endpoint - eg: a VPE. +4. Applications are running in the VPC and need access to PostgreSQL via the private endpoint - e.g., a VPE. 5. Skips creation of zones for these two service references ["user-management", "iam-groups"]. ## Note -- The services 'compliance', 'directlink', 'iam-groups', 'containers-kubernetes', 'user-management' do not support restriction per location for zone creation. +- The services 'compliance', 'directlink', 'iam-groups', 'containers-kubernetes', 'user-management' do not support location-based restrictions for zone creation. diff --git a/examples/multi-resource-rule/README.md b/examples/multi-resource-rule/README.md index 91729321..7ba88b84 100644 --- a/examples/multi-resource-rule/README.md +++ b/examples/multi-resource-rule/README.md @@ -1,9 +1,9 @@ -# Multi resource rule example +# Multi-Resource Rule Example -An end-to-end example to show how to apply a rule to multiple resources. This example uses the IBM Cloud Provider to automate the following infrastructure: +An end-to-end example to demonstrate how to apply a rule to multiple resources. This example leverages the IBM Cloud Provider to automate the following infrastructure: - Creates a VPC - Creates a VPC Subnet - Creates a CBR Zone for the VPC - Creates a COS Instance and a COS Bucket -- Applies a single CBR rule to only allow access form the VPC zone to the COS Instance and the same rule for the Bucket +- Applies a single CBR rule to only allow access from the VPC zone to the COS Instance and the same rule for the Bucket 
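Review bot: the customization list in the examples/fscloud/README.md hunk changes items 1 to 3 from "Open up network traffic flow" to "Allow network traffic flow" but leaves item 4 as "Open up network traffic flow from the VPC"; make item 4 match. The "Context" list in the same hunk keeps "ICD Mongodb and Postgresql" and lowercase "terraform" directly after the hunk introduces "ICD MongoDB, ICD PostgreSQL", so use the product capitalization ("MongoDB", "PostgreSQL", "Terraform") in both lists. The reworded "## Note" line says those five services "do not support location-based restrictions for zone creation" but still does not tell the reader what that means for the zones the example creates for them; one clause stating the consequence would make the caveat actionable.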
diff --git a/examples/multi-service-profile/README.md b/examples/multi-service-profile/README.md index b04ea593..210300a5 100644 --- a/examples/multi-service-profile/README.md +++ b/examples/multi-service-profile/README.md @@ -1,12 +1,12 @@ -# CBR multi service profile +# CBR Multi Service Profile -An end-to-end example that uses the submodule cbr-service-profile. This example uses the IBM Cloud Provider to automate the following infrastructure:: +An end-to-end example that uses the submodule cbr-service-profile. This example leverages the IBM Cloud Provider to automate the following infrastructure: - - Create a VPC and create a CBR zone to allowlist the VPC. - - Create a service reference based CBR zone. - - Create a set of CBR rules. - - Based on the list of target service details provided, create rules for each of them. - - Target service instances access is granted based on the following parameters. - - Based on the account. - - Based on the access tags. - - Based on the resource group. +- Create a VPC and create a CBR zone to allowlist the VPC. +- Create a service reference-based CBR zone. +- Create a set of CBR rules. + - Based on the list of target service details provided, create rules for each of them. + - Target service instances access is granted based on the following parameters: + - Based on the account. + - Based on the access tags. + - Based on the resource group. diff --git a/examples/multizone-rule/README.md b/examples/multizone-rule/README.md index 6f738690..2ae9049f 100644 --- a/examples/multizone-rule/README.md +++ b/examples/multizone-rule/README.md 
@@ -1,6 +1,6 @@ -# Multi-zone example +# Multi-zone Example -An end-to-end example that uses the module's default variable values. This example uses the IBM Cloud Provider to automate the following infrastructure:: +An end-to-end example that utilizes the module's default variable values. This example leverages the IBM Cloud Provider to automate the following infrastructure: - - Create two zones for context-based restrictions. - - Create a rule for context-based restrictions that uses the zone and attaches the service to it. +* Create two zones for context-based restrictions. +* Create a rule for context-based restrictions that uses the zone and attaches the service to it. diff --git a/examples/zone/README.md b/examples/zone/README.md index 9011329c..593734b8 100644 --- a/examples/zone/README.md +++ b/examples/zone/README.md @@ -1,3 +1,3 @@ -# Zone example +# Zone Example Example that creates a zone for context-based restrictions. diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md index 3cb1961f..7e5fdb2e 100644 --- a/modules/fscloud/README.md +++ b/modules/fscloud/README.md 
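Review bot: the examples/multizone-rule/README.md hunk switches the list markers from "-" to "*", while the multi-resource-rule and multi-service-profile READMEs edited in this same patch use "-"; keep "-" so the example READMEs share one list style. The same hunk replaces "uses" with "utilizes" and "leverages", and the multi-resource-rule and multi-service-profile hunks above make the same "uses" -> "leverages" substitution; the plain verb "uses" was correct and is the form documentation style guides recommend, so revert it in all three files.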
@@ -1,6 +1,6 @@ # Pre-wired CBR configuration for FS Cloud -This module creates default coarse-grained CBR rules in a given account following a "secure by default" approach - that is: deny all flows by default, except known documented communication in the [Financial Services Cloud Reference Architecture](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-vpc-architecture-about): +This module creates default coarse-grained CBR rules in a given account, following a "secure by default" approach - that is, denying all flows by default, except for known documented communication in the [Financial Services Cloud Reference Architecture](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-vpc-architecture-about): - Cloud Object Storage (COS) -> Key Management Service (KMS) - Block Storage -> Key Management Service (KMS) - IBM Cloud Kubernetes Service (IKS) -> Key Management Service (KMS) 
@@ -8,20 +8,20 @@ This module creates default coarse-grained CBR rules in a given account followin - Activity Tracker route -> Cloud Object Storage (COS) - Virtual Private Clouds (VPCs) where clusters are deployed -> Cloud Object Storage (COS) - IBM Cloud VPC Infrastructure Services (IS) -> Cloud Object Storage (COS) -- Virtual Private Cloud workload (eg: Kubernetes worker nodes) -> IBM Cloud Container Registry +- Virtual Private Cloud workload (e.g., Kubernetes worker nodes) -> IBM Cloud Container Registry - IBM Cloud Databases (ICD) -> Hyper Protect Crypto Services (HPCS) - IBM Cloud Kubernetes Service (IKS) -> IS (VPC Infrastructure Services) -**Note on KMS**: the module supports setting up rules for Key Protect, and Hyper Protect Crypto Services. By default the modules set rules for Hyper Protect Crypto Services, but this can be modified to use Key Protect, Hyper Protect, or both Key Protect and Hyper Protect Crypto Services using the input variable `kms_service_targeted_by_prewired_rules`. +**Note on KMS**: The module supports setting up rules for Key Protect and Hyper Protect Crypto Services. By default, the module sets rules for Hyper Protect Crypto Services, but this can be modified to use Key Protect, Hyper Protect, or both Key Protect and Hyper Protect Crypto Services using the input variable `kms_service_targeted_by_prewired_rules`. -**Note on containers-kubernetes**: the module supports the pseudo-service names `containers-kubernetes-management` and `containers-kubernetes-cluster` to distinguish between the cluster and management APIs (see [details](https://cloud.ibm.com/docs/containers?topic=containers-cbr&interface=ui#protect-api-types-cbr) ). The module creates separates CBR rules for the two types of APIs by default to align with common real-world scenarios. `containers-kubernetes` can be used to create a CBR targetting both the cluster and management APIs. 
+**Note on containers-kubernetes**: The module supports the pseudo-service names `containers-kubernetes-management` and `containers-kubernetes-cluster` to distinguish between the cluster and management APIs (see [details](https://cloud.ibm.com/docs/containers?topic=containers-cbr&interface=ui#protect-api-types-cbr) ). The module creates separate CBR rules for the two types of APIs by default to align with common real-world scenarios. `containers-kubernetes` can be used to create a CBR targeting both the cluster and management APIs. This module is designed to allow the consumer to add additional custom rules to open up additional flows necessarity for their usage. See the `custom_rule_contexts_by_service` input variable, and an [usage example](../../examples/fscloud/) demonstrating how to open up more flows. -The module also pre-create CBR zone for each service in the account as a best practice. CBR rules associated with these CBR zone can be set by using the `custom_rule_contexts_by_service` variable. +The module also pre-creates CBR zones for each service in the account as a best practice. CBR rules associated with these CBR zones can be set by using the `custom_rule_contexts_by_service` variable. -Important: In order to avoid unexpected breakage in the account against which this module is executed, the CBR rule enforcement mode is set to 'report' (or 'disabled' for services not supporting 'report' mode) by default. It is recommended to test out this module first with these default, and then use the `target_service_details` variable to set the enforcement mode to "enabled" gradually by service. The [usage example](../../examples/fscloud/) demonstrates how to set the enforcement mode to 'enabled' for the key protect ("kms") service. +Important: To avoid unexpected breakage in the account against which this module is executed, the CBR rule enforcement mode is set to 'report' (or 'disabled' for services not supporting 'report' mode) by default. 
It is recommended to test this module first with these default settings and then use the `target_service_details` variable to set the enforcement mode to "enabled" gradually by service. The [usage example](../../examples/fscloud/) demonstrates how to set the enforcement mode to 'enabled' for the Key Protect ("kms") service. ## Note The services 'compliance', 'directlink', 'iam-groups', 'containers-kubernetes', 'user-management' does not support restriction per location. diff --git a/tests/README.md b/tests/README.md index 581aa046..352c72bc 100644 --- a/tests/README.md +++ b/tests/README.md @@ -2,7 +2,7 @@ # Tests -For information about how to create and run tests, see [Validation tests](https://terraform-ibm-modules.github.io/documentation/#/tests) in the project documentation. +For information about how to create and run tests, see [Validation Tests](https://terraform-ibm-modules.github.io/documentation/#/tests) in the project documentation. From 9fee943ac3a01e1d9f86aa1e40bac898941f389e Mon Sep 17 00:00:00 2001 From: Vincent Burckhardt Date: Wed, 17 Jan 2024 14:02:33 +0000 Subject: [PATCH 02/14] docs: manual adjustment --- README.md | 8 ++++---- examples/fscloud/README.md | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 3041e349..9a98b831 100644 --- a/README.md +++ b/README.md 
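Review bot: the trailing "## Note" line of the modules/fscloud/README.md hunk still reads "The services ... does not support restriction per location." while the equivalent note in examples/fscloud/README.md is fixed in this same patch to "do not support location-based restrictions for zone creation"; fix the subject-verb agreement and align the wording so the module and the example say the same thing. In the "Important:" paragraph, the reworded sentence explains that 'report' mode avoids "unexpected breakage" but never states that in 'report' mode (and in 'disabled' mode) no request is actually blocked; one explicit clause would stop a reader from assuming the "secure by default" rules are enforced after the first apply, which matters because the next sentence asks them to enable enforcement service by service.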
@@ -19,10 +19,10 @@ See in particular the [fscloud module](./modules/fscloud/) that enables creating * [cbr-zone-module](./modules/cbr-zone-module) * [fscloud](./modules/fscloud) * [Examples](./examples) - * [CBR multi service profile](./examples/multi-service-profile) - * [Multi resource rule example](./examples/multi-resource-rule) - * [Multi-zone example](./examples/multizone-rule) - * [Pre-wired CBR configuration for FS Cloud example](./examples/fscloud) + * [CBR Multi Service Profile](./examples/multi-service-profile) + * [Multi-Resource Rule Example](./examples/multi-resource-rule) + * [Multi-zone Example](./examples/multizone-rule) + * [Pre-wired CBR Configuration for FS Cloud Example](./examples/fscloud) * [Zone Example](./examples/zone) * [Contributing](#contributing) diff --git a/examples/fscloud/README.md b/examples/fscloud/README.md index b91a8863..451002b8 100644 --- a/examples/fscloud/README.md +++ b/examples/fscloud/README.md @@ -6,7 +6,7 @@ This example is designed to showcase some of the key customization options for t 1. Allow network traffic flow from ICD MongoDB, ICD PostgreSQL to the Key Protect private endpoints. 2. Allow network traffic flow from Schematics to Key Protect public endpoints. 3. Allow network traffic flow from a block of IPs to the Schematics public endpoint. -4. Open up network traffic flow from the VPC created in this example to ICD PostgreSQL private endpoints. +4. Allow network traffic flow from the VPC created in this example to ICD PostgreSQL private endpoints. 5. Customize the rule description for `kms` and the zone name for `codeengine`. Context: This example covers a "pseudo" real-world scenario where: From 1bdaf0cf8ba02b2ae3fb76d1dc45aa957e2abaab Mon Sep 17 00:00:00 2001 From: Vincent Burckhardt Date: Mon, 29 Jan 2024 11:25:18 +0000 Subject: [PATCH 03/14] Update examples/fscloud/README.md Co-authored-by: Allen Dean --- examples/fscloud/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/examples/fscloud/README.md b/examples/fscloud/README.md index 451002b8..a0c95e8d 100644 --- a/examples/fscloud/README.md +++ b/examples/fscloud/README.md @@ -2,7 +2,7 @@ This example demonstrates how to use the [fscloud profile](../../profiles/fscloud/) module to lay out a complete "secure by default" coarse-grained CBR topology in a given account. -This example is designed to showcase some of the key customization options for the module. In addition to the pre-wired CBR rules documented at [fscloud profile](../../profiles/fscloud/), this example shows how to customize the module to: +This example showcases some of the key customization options for the module. In addition to the pre-wired CBR rules documented at [fscloud profile](../../profiles/fscloud/), this example includes the following customizations: 1. Allow network traffic flow from ICD MongoDB, ICD PostgreSQL to the Key Protect private endpoints. 2. Allow network traffic flow from Schematics to Key Protect public endpoints. 3. Allow network traffic flow from a block of IPs to the Schematics public endpoint. From 9aa4c4a771542ddb0fff532140893d377814a746 Mon Sep 17 00:00:00 2001 From: Vincent Burckhardt Date: Mon, 29 Jan 2024 11:25:23 +0000 Subject: [PATCH 04/14] Update examples/fscloud/README.md Co-authored-by: Allen Dean --- examples/fscloud/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/fscloud/README.md b/examples/fscloud/README.md index a0c95e8d..02834db0 100644 --- a/examples/fscloud/README.md +++ b/examples/fscloud/README.md 
@@ -12,7 +12,7 @@ This example showcases some of the key customization options for the module. In Context: This example covers a "pseudo" real-world scenario where: 1. ICD Mongodb and Postgresql instances are encrypted using keys stored in Key Protect. 2. Schematics is used to execute terraform that creates Key Protect keys and key rings over its public endpoint. -3. Operators use machines with a set list of public IPs to interact with Schematics. +- Operators use machines with a set list of public IPs to interact with Schematics. 4. Applications are running in the VPC and need access to PostgreSQL via the private endpoint - e.g., a VPE. 5. Skips creation of zones for these two service references ["user-management", "iam-groups"]. From 5814065765689ebb735116219ca7775f6a27deff Mon Sep 17 00:00:00 2001 From: Vincent Burckhardt Date: Mon, 29 Jan 2024 11:25:34 +0000 Subject: [PATCH 05/14] Update examples/fscloud/README.md Co-authored-by: Allen Dean --- examples/fscloud/README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/examples/fscloud/README.md b/examples/fscloud/README.md index 02834db0..9969230f 100644 --- a/examples/fscloud/README.md +++ b/examples/fscloud/README.md 
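Review bot: this hunk changes only item 3 of the "Context" list from "3." to "- ", which leaves "1.", "2.", "-", "4.", "5." in one list; Markdown renders that as three separate lists (ordered, unordered, ordered). Patches 05, 06 and 08 convert the remaining items, so squash those four commits into one so that no intermediate commit leaves the list broken.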
@@ -9,9 +9,11 @@ This example showcases some of the key customization options for the module. In 4. Allow network traffic flow from the VPC created in this example to ICD PostgreSQL private endpoints. 5. Customize the rule description for `kms` and the zone name for `codeengine`. -Context: This example covers a "pseudo" real-world scenario where: -1. ICD Mongodb and Postgresql instances are encrypted using keys stored in Key Protect. -2. Schematics is used to execute terraform that creates Key Protect keys and key rings over its public endpoint. + +The example covers the following example scenario: + +- The instances of Databases for MongoDB and Databases for Postgresql are encrypted with keys that are stored in Key Protect. +- Schematics is used to execute the Terraform logic that creates Key Protect keys and key rings over its public endpoint. - Operators use machines with a set list of public IPs to interact with Schematics. 4. Applications are running in the VPC and need access to PostgreSQL via the private endpoint - e.g., a VPE. 5. Skips creation of zones for these two service references ["user-management", "iam-groups"]. From f30b37d3fe61b3b76a0ff8518fce40aa82d5d2ec Mon Sep 17 00:00:00 2001 From: Vincent Burckhardt Date: Mon, 29 Jan 2024 11:25:53 +0000 Subject: [PATCH 06/14] Update examples/fscloud/README.md Co-authored-by: Allen Dean --- examples/fscloud/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/fscloud/README.md b/examples/fscloud/README.md index 9969230f..75e6f107 100644 --- a/examples/fscloud/README.md +++ b/examples/fscloud/README.md 
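Review bot: the new lead-in "The example covers the following example scenario:" repeats "example"; "The example covers the following scenario:" is enough. The first new bullet writes "Databases for Postgresql" while the customization list above this hunk writes "ICD PostgreSQL"; the product name is "Databases for PostgreSQL", so use that spelling. The hunk also introduces two consecutive blank lines before the lead-in where one is enough.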
@@ -15,7 +15,7 @@ The example covers the following example scenario: - The instances of Databases for MongoDB and Databases for Postgresql are encrypted with keys that are stored in Key Protect. - Schematics is used to execute the Terraform logic that creates Key Protect keys and key rings over its public endpoint. - Operators use machines with a set list of public IPs to interact with Schematics. -4. Applications are running in the VPC and need access to PostgreSQL via the private endpoint - e.g., a VPE. +- Applications are running in the VPC and need access to PostgreSQL via the private endpoint. For example with a VPE. 5. Skips creation of zones for these two service references ["user-management", "iam-groups"]. ## Note From 403b15f2e6e7441cac193c5fafaead5a9a7adc78 Mon Sep 17 00:00:00 2001 From: Vincent Burckhardt Date: Mon, 29 Jan 2024 11:26:00 +0000 Subject: [PATCH 07/14] Update modules/fscloud/README.md Co-authored-by: Allen Dean --- modules/fscloud/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md index 7e5fdb2e..7df4fde4 100644 --- a/modules/fscloud/README.md +++ b/modules/fscloud/README.md 
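Review bot: the rewritten bullet ends in a fragment, "For example with a VPE."; fold it into the sentence and expand the acronym on first use, e.g. "need access to PostgreSQL through the private endpoint, for example by using a virtual private endpoint (VPE)." After this hunk the last item still reads "5. Skips creation of zones...", so the list stays mixed until patch 08/14; see the squash suggestion on patch 04.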
@@ -19,7 +19,7 @@ This module creates default coarse-grained CBR rules in a given account, followi This module is designed to allow the consumer to add additional custom rules to open up additional flows necessarity for their usage. See the `custom_rule_contexts_by_service` input variable, and an [usage example](../../examples/fscloud/) demonstrating how to open up more flows. -The module also pre-creates CBR zones for each service in the account as a best practice. CBR rules associated with these CBR zones can be set by using the `custom_rule_contexts_by_service` variable. +As a best practice, the module also creates CBR zones for each service in the account. You can set CBR rules for these CBR zones by using the `custom_rule_contexts_by_service` variable. Important: To avoid unexpected breakage in the account against which this module is executed, the CBR rule enforcement mode is set to 'report' (or 'disabled' for services not supporting 'report' mode) by default. It is recommended to test this module first with these default settings and then use the `target_service_details` variable to set the enforcement mode to "enabled" gradually by service. The [usage example](../../examples/fscloud/) demonstrates how to set the enforcement mode to 'enabled' for the Key Protect ("kms") service. From bb3765f3e6ceec7eedf86e1fa8534021e99b2bbd Mon Sep 17 00:00:00 2001 From: Vincent Burckhardt Date: Mon, 29 Jan 2024 11:26:20 +0000 Subject: [PATCH 08/14] Update examples/fscloud/README.md Co-authored-by: Allen Dean --- examples/fscloud/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/fscloud/README.md b/examples/fscloud/README.md index 75e6f107..4b08d8ed 100644 --- a/examples/fscloud/README.md +++ b/examples/fscloud/README.md 
@@ -16,7 +16,7 @@ The example covers the following example scenario: - Schematics is used to execute the Terraform logic that creates Key Protect keys and key rings over its public endpoint. - Operators use machines with a set list of public IPs to interact with Schematics. - Applications are running in the VPC and need access to PostgreSQL via the private endpoint. For example with a VPE. -5. Skips creation of zones for these two service references ["user-management", "iam-groups"]. +- Skips creation of zones for these two service references ["user-management", "iam-groups"]. ## Note - The services 'compliance', 'directlink', 'iam-groups', 'containers-kubernetes', 'user-management' do not support location-based restrictions for zone creation. From ac1cdff6dd59f04604a03daeb2eff0bc2cfb7656 Mon Sep 17 00:00:00 2001 From: Vincent Burckhardt Date: Mon, 29 Jan 2024 11:26:33 +0000 Subject: [PATCH 09/14] Update examples/multi-resource-rule/README.md Co-authored-by: Allen Dean --- examples/multi-resource-rule/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/multi-resource-rule/README.md b/examples/multi-resource-rule/README.md index 7ba88b84..33f3f9d0 100644 --- a/examples/multi-resource-rule/README.md +++ b/examples/multi-resource-rule/README.md @@ -6,4 +6,4 @@ An end-to-end example to demonstrate how to apply a rule to multiple resources. - Creates a VPC Subnet - Creates a CBR Zone for the VPC - Creates a COS Instance and a COS Bucket -- Applies a single CBR rule to only allow access from the VPC zone to the COS Instance and the same rule for the Bucket +- Applies a single CBR rule to allow access only from the VPC zone to the COS Instance and to the bucket From fcc912690dfdccd115323633bf5511bb395b0033 Mon Sep 17 00:00:00 2001 
From: Vincent Burckhardt Date: Mon, 29 Jan 2024 11:26:41 +0000 Subject: [PATCH 10/14] Update modules/fscloud/README.md Co-authored-by: Allen Dean --- modules/fscloud/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md index 7df4fde4..4e80011b 100644 --- a/modules/fscloud/README.md +++ b/modules/fscloud/README.md @@ -21,7 +21,7 @@ This module is designed to allow the consumer to add additional custom rules to As a best practice, the module also creates CBR zones for each service in the account. You can set CBR rules for these CBR zones by using the `custom_rule_contexts_by_service` variable. -Important: To avoid unexpected breakage in the account against which this module is executed, the CBR rule enforcement mode is set to 'report' (or 'disabled' for services not supporting 'report' mode) by default. It is recommended to test this module first with these default settings and then use the `target_service_details` variable to set the enforcement mode to "enabled" gradually by service. The [usage example](../../examples/fscloud/) demonstrates how to set the enforcement mode to 'enabled' for the Key Protect ("kms") service. +Important: To avoid failures in the account against which this module is executed, be default, the CBR rule enforcement mode is set to 'report' mode (or to 'disabled' for services that don't support 'report' mode). Test the module with these default settings. Then, service by service, update the enforcement mode in the `target_service_details` variable to "enabled". The [usage example](../../examples/fscloud/) demonstrates how to set the enforcement mode to 'enabled' for the Key Protect ("kms") service. ## Note The services 'compliance', 'directlink', 'iam-groups', 'containers-kubernetes', 'user-management' does not support restriction per location. From ea859b2769194f9542fb98a32f9a2ccd0d8ae68a Mon Sep 17 00:00:00 2001 
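Review bot: "be default" in the rewritten "Important:" sentence should be "by default", and the comma placement "is executed, be default, the CBR rule enforcement mode" reads better as "...is executed, the CBR rule enforcement mode is set to 'report' by default (or to 'disabled' for services that don't support 'report' mode)." The trailing context line "## Note The services ... does not support restriction per location." is still unfixed in this file, ten patches after the examples/fscloud copy was corrected.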
From: Vincent Burckhardt Date: Mon, 29 Jan 2024 11:26:58 +0000 Subject: [PATCH 11/14] Update examples/multi-service-profile/README.md Co-authored-by: Allen Dean --- examples/multi-service-profile/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/multi-service-profile/README.md b/examples/multi-service-profile/README.md index 210300a5..d6bdeb7b 100644 --- a/examples/multi-service-profile/README.md +++ b/examples/multi-service-profile/README.md @@ -2,7 +2,7 @@ An end-to-end example that uses the submodule cbr-service-profile. This example leverages the IBM Cloud Provider to automate the following infrastructure: -- Create a VPC and create a CBR zone to allowlist the VPC. +- Create a VPC and create a CBR zone to allow access to the VPC. - Create a service reference-based CBR zone. - Create a set of CBR rules. - Based on the list of target service details provided, create rules for each of them. From 5ea1c3892f04cdfb6150f60997d05bef0bc0c2ca Mon Sep 17 00:00:00 2001 From: Vincent Burckhardt Date: Mon, 29 Jan 2024 11:27:05 +0000 Subject: [PATCH 12/14] Update README.md Co-authored-by: Allen Dean --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9a98b831..33252d4c 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ This module can be used to provision and configure [Context-Based Restrictions](https://cloud.ibm.com/docs/account?topic=account-context-restrictions-create&interface=ui). -See in particular the [fscloud module](./modules/fscloud/) that enables creating an opinionated account-level coarse-grained set of CBR rules and zones aligned with the "secure by default" principles. +See in particular the [fscloud module](./modules/fscloud/) that creates an opinionated account-level set of CBR rules and zones that are aligned with "secure by default" principles. ## Overview From 49e3da210eafe2c995e6e9f3d13332b89fe18e6a Mon Sep 17 00:00:00 2001 
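Review bot: "Create a VPC and create a CBR zone to allow access to the VPC" inverts the direction of the restriction: a CBR zone built from a VPC describes where requests originate, and the rules created later in the same list use that zone to allow traffic from the VPC to the target service instances, as the multi-resource-rule README in this series puts it ("allow access only from the VPC zone to the COS Instance"); it does not grant access to the VPC. The original "to allowlist the VPC" was closer; suggest "Create a VPC and a CBR zone that contains it, so that rules can allow access from the VPC."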
From: Vincent Burckhardt Date: Mon, 29 Jan 2024 11:27:24 +0000 Subject: [PATCH 13/14] Update modules/fscloud/README.md Co-authored-by: Allen Dean --- modules/fscloud/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md index 4e80011b..79c55d0b 100644 --- a/modules/fscloud/README.md +++ b/modules/fscloud/README.md @@ -1,6 +1,8 @@ # Pre-wired CBR configuration for FS Cloud -This module creates default coarse-grained CBR rules in a given account, following a "secure by default" approach - that is, denying all flows by default, except for known documented communication in the [Financial Services Cloud Reference Architecture](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-vpc-architecture-about): +This module creates default coarse-grained CBR rules in a given account, following a "secure by default" approach. By default, the rules deny all flows except for the documented communication in the [reference architecture for IBM Cloud for Financial Services](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-vpc-architecture-about). + +The module creates the following rules: - Cloud Object Storage (COS) -> Key Management Service (KMS) - Block Storage -> Key Management Service (KMS) - IBM Cloud Kubernetes Service (IKS) -> Key Management Service (KMS) From 1238fa878d28749087a5e71335604f6146cd385d Mon Sep 17 00:00:00 2001 From: Vincent Burckhardt Date: Mon, 29 Jan 2024 11:27:53 +0000 Subject: [PATCH 14/14] Update modules/fscloud/README.md Co-authored-by: Allen Dean --- modules/fscloud/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md index 79c55d0b..4853a010 100644 --- a/modules/fscloud/README.md +++ b/modules/fscloud/README.md 
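Review bot: "By default, the rules deny all flows except for the documented communication" contradicts the "Important:" paragraph later in the same file, which says the enforcement mode is 'report' (or 'disabled') by default, so nothing is denied until the consumer enables enforcement per service through target_service_details. Write "When enforced, the rules deny all flows except..." (or "The rules are written to deny all flows except...") so a reader does not conclude that applying the module alone blocks traffic.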
@@ -17,7 +17,7 @@ The module creates the following rules: **Note on KMS**: The module supports setting up rules for Key Protect and Hyper Protect Crypto Services. By default, the module sets rules for Hyper Protect Crypto Services, but this can be modified to use Key Protect, Hyper Protect, or both Key Protect and Hyper Protect Crypto Services using the input variable `kms_service_targeted_by_prewired_rules`. -**Note on containers-kubernetes**: The module supports the pseudo-service names `containers-kubernetes-management` and `containers-kubernetes-cluster` to distinguish between the cluster and management APIs (see [details](https://cloud.ibm.com/docs/containers?topic=containers-cbr&interface=ui#protect-api-types-cbr) ). The module creates separate CBR rules for the two types of APIs by default to align with common real-world scenarios. `containers-kubernetes` can be used to create a CBR targeting both the cluster and management APIs. +**Note on containers-kubernetes**: The module supports the pseudo-service names `containers-kubernetes-management` and `containers-kubernetes-cluster` to distinguish between the cluster and management APIs. For more information, see the [Protecting specific APIs](https://cloud.ibm.com/docs/containers?topic=containers-cbr&interface=ui#protect-api-types-cbr) section of Protecting cluster resources with context-based restrictions. By default, the module creates separate CBR rules for the two types of APIs to align with common real-world scenarios. `containers-kubernetes` can be used to create a CBR that targets both the cluster and management APIs. This module is designed to allow the consumer to add additional custom rules to open up additional flows necessarity for their usage. See the `custom_rule_contexts_by_service` input variable, and an [usage example](../../examples/fscloud/) demonstrating how to open up more flows.
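Review bot: the hunk's trailing context line still reads "open up additional flows necessarity for their usage" and "an [usage example]" at the end of a 14-patch documentation pass; fix to "necessary for their usage" and "a [usage example]" (the same line appears as unchanged context in patches 01 and 07). In the rewritten containers-kubernetes note, "create a CBR that targets both" uses "CBR" for a rule; "create a CBR rule that targets both the cluster and management APIs" matches the terminology used in the rest of the file. The unchanged "Note on KMS" context line lists "Key Protect, Hyper Protect, or both Key Protect and Hyper Protect Crypto Services"; write "Hyper Protect Crypto Services" for the second option too so the three choices are named consistently.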