Skip to content

Latest commit

 

History

History

fscloud

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
variables.tf
variables.tf
 
 
version.tf
version.tf
 
 

README.md

Profile for IBM Cloud Framework for Financial Services

This code is a version of the parent root module that includes a default configuration that complies with the relevant controls from the IBM Cloud Framework for Financial Services. See the Example for IBM Cloud Framework for Financial Services for logic that uses this module.

Exception: The Databases for Elasticsearch service is not yet Financial services validated. Therefore, the infrastructure that is deployed by this module is also not validated with the Framework for Financial Services. For more information, see the list of Financial Services Validated services.

The default values in this profile were scanned by IBM Code Risk Analyzer (CRA) for compliance with the IBM Cloud Framework for Financial Services profile that is specified by the IBM Security and Compliance Center.

The IBM Cloud Framework for Financial Services mandates the application of an inbound network-based allowlist in front of the IBM Cloud Databases for (ICD) Elasticsearch instance. You can comply with this requirement by using the cbr_rules variable in the module, which can be used to create a narrow context-based restriction rule that is scoped to the Elasticsearch instance.

Requirements

Name Version
terraform >= 1.3.0
ibm >= 1.70.0, <2.0.0

Modules

Name Source Version
elasticsearch ../../ n/a

Resources

No resources.

Inputs

Name Description Type Default Required
access_tags A list of access tags to apply to the Elasticsearch instance created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details list(string) [] no
admin_pass The password for the database administrator. If the admin password is null then the admin user ID cannot be accessed. More users can be specified in a user block. string null no
auto_scaling Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-autoscaling&interface=cli#autoscaling-considerations in the IBM Cloud Docs. 
object({
    disk = object({
      capacity_enabled             = optional(bool, false)
      free_space_less_than_percent = optional(number, 10)
      io_above_percent             = optional(number, 90)
      io_enabled                   = optional(bool, false)
      io_over_period               = optional(string, "15m")
      rate_increase_percent        = optional(number, 10)
      rate_limit_mb_per_member     = optional(number, 3670016)
      rate_period_seconds          = optional(number, 900)
      rate_units                   = optional(string, "mb")
    })
    memory = object({
      io_above_percent         = optional(number, 90)
      io_enabled               = optional(bool, false)
      io_over_period           = optional(string, "15m")
      rate_increase_percent    = optional(number, 10)
      rate_limit_mb_per_member = optional(number, 114688)
      rate_period_seconds      = optional(number, 900)
      rate_units               = optional(string, "mb")
    })
  })
 null no
backup_crn The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty. string null no
backup_encryption_key_crn The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if use_ibm_owned_encryption_key is false and use_same_kms_key_for_backups is false. If no value is passed, and use_same_kms_key_for_backups is true, the value of kms_key_crn is used. Alternatively set use_default_backup_encryption_key to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See Bring your own key for backups and Using the HPCS Key for Backup encryption. string null no
cbr_rules (Optional, list) List of CBR rules to create 
list(object({
    description = string
    account_id  = string
    rule_contexts = list(object({
      attributes = optional(list(object({
        name  = string
        value = string
    }))) }))
    enforcement_mode = string
  }))
 [] no
elasticsearch_version Version of the Elasticsearch instance. If no value is passed, the current preferred version of IBM Cloud Databases is used. string null no
elser_model_type Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: .elser_model_1, .elser_model_2 and .elser_model_2_linux-x86_64. Learn more string ".elser_model_2_linux-x86_64" no
enable_elser_model Set it to true to install and start the Elastic's Natural Language Processing model. Learn more bool false no
kms_key_crn The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if use_ibm_owned_encryption_key is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the use_same_kms_key_for_backups and backup_encryption_key_crn inputs. Bare in mind that backups encryption is only available in certain regions. See Bring your own key for backups and Using the HPCS Key for Backup encryption. string null no
member_cpu_count Allocated dedicated CPU per member. For shared CPU, set to 0. Learn more number 0 no
member_disk_mb Allocated disk per-member. [Learn more}(https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-resources-scaling) number 5120 no
member_host_flavor Allocated host flavor per member. Learn more. string null no
member_memory_mb Allocated memory per member. Learn more. number 4096 no
members Allocated number of members. Learn more number 3 no
name Name given to the Elasticsearch instance string n/a yes
plan The name of the service plan that you choose for your Elasticsearch instance string "enterprise" no
region The region where you want to deploy your instance. Must be the same region as the Hyper Protect Crypto Services instance. string "us-south" no
resource_group_id The resource group ID where the Elasticsearch instance will be created. string n/a yes
service_credential_names Map of name, role for service credentials that you want to create for the database map(string) {} no
skip_iam_authorization_policy Set to true to skip the creation of IAM authorization policies that permits all Databases for Elasticsearch instances in the given resource group 'Reader' access to the Key Protect or Hyper Protect Crypto Services key that was provided in the kms_key_crn and backup_encryption_key_crn inputs. This policy is required in order to enable KMS encryption, so only skip creation if there is one already present in your account. No policy is created if use_ibm_owned_encryption_key is true. bool false no
tags Optional list of tags to be added to the Elasticsearch instance. list(any) [] no
use_default_backup_encryption_key When use_ibm_owned_encryption_key is set to false, backups will be encrypted with either the key specified in kms_key_crn, or in backup_encryption_key_crn if a value is passed. If you do not want to use your own key for backups encryption, you can set this to true to use the IBM Cloud Databases default encryption for backups. Alternatively set use_ibm_owned_encryption_key to true to use the default encryption for both backups and deployment data. bool false no
use_ibm_owned_encryption_key Set to true to use the default IBM Cloud® Databases randomly generated keys for disk and backups encryption. To control the encryption keys, use the kms_key_crn and backup_encryption_key_crn inputs. bool false no
use_same_kms_key_for_backups Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the backup_encryption_key_crn input. Alternatiely set use_default_backup_encryption_key to true to use the IBM Cloud Databases default encryption. Applies only if use_ibm_owned_encryption_key is false. Bare in mind that backups encryption is only available in certain regions. See Bring your own key for backups and Using the HPCS Key for Backup encryption. bool true no
users A list of users that you want to create on the database. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service_credential_names) is sufficient to control access to the Elasticsearch instance. This blocks creates native Elasticsearch database users, more info on that can be found here https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-user-management&interface=ui 
list(object({
    name     = string
    password = string # pragma: allowlist secret
    type     = optional(string)
    role     = optional(string)
  }))
 [] no

Outputs

Name Description
adminuser Database admin user name
cbr_rule_ids CBR rule ids created to restrict Elasticsearch
certificate_base64 Database connection certificate
crn Elasticsearch instance crn
guid Elasticsearch instance guid
hostname Database connection hostname
id Elasticsearch instance id
port Database connection port
service_credentials_json Service credentials json map
service_credentials_object Service credentials object
version Elasticsearch instance version