feat: Created DA solution (#418)

.catalog-onboard-pipeline.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+offerings:
+  - name: deploy-arch-ibm-kms
+    kind: solution
+    catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd
+    offering_id: 2cad4789-fa90-4886-9c9e-857081c273ee
+    variations:
+      - name: standard
+        mark_ready: true
+        install_type: fullstack
+        scc:
+          instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
+          region: us-south

.github/settings.yml

@@ -23,4 +23,4 @@ repository:
   # Uncomment this description property
   # and update the description to the current repo description.
   description: "Creates a Key Protect instance, key rings for different services, and a key for each instance of the service."
-  topics: core-team, terraform, ibm-cloud, terraform-module, key-protect, kms, supported, graduated
+  topics: core-team, terraform, ibm-cloud, terraform-module, key-protect, kms, supported, graduated, deployable-architecture

.releaserc

@@ -10,6 +10,10 @@
     }],
     ["@semantic-release/exec", {
       "successCmd": "echo \"SEMVER_VERSION=${nextRelease.version}\" >> $GITHUB_ENV"
+    }],
+    ["@semantic-release/exec", {
+      "successCmd": "echo \"SEMVER_VERSION=${nextRelease.version}\" >> $GITHUB_ENV",
+      "publishCmd": "./ci/trigger-catalog-onboarding-pipeline.sh --version=v${nextRelease.version}"
     }]
   ]
 }

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-01-19T01:54:32Z",
+  "generated_at": "2024-02-28T10:49:36Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -82,7 +82,7 @@
         "hashed_secret": "ff9ee043d85595eb255c05dfe32ece02a53efbb2",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 63,
+        "line_number": 74,
         "type": "Secret Keyword",
         "verified_result": null
       }

README.md

@@ -29,6 +29,17 @@ The following example shows a typical topology for a KMS instance:
 
 In this scenario `cos` and `ocp` represent different IBM Cloud Services that utilize KMS keys to encrypt data at rest, each of the keys represent a different bucket or cluster in your environment.
 
+## Known limitations
+There is currently a known issue with the IBM provider (https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5154) where the provider is always trying to use the public endpoint when communicating with the Key Protect instance, even if the instance has public endpoint disabled. You will see an error like below on apply:
+```
+Error: [ERROR] Get Policies failed with error : kp.Error: correlation_id='1920e5b8-d5af-4b13-8e67-11872f43bc87', msg='Unauthorized: Either the user does not have access to the specified resource, the resource does not exist, or the region is incorrectly set'
+```
+As a workaround, you can set the following environment variable before running apply:
+```
+export IBMCLOUD_KP_API_ENDPOINT=https://private.REGION.kms.cloud.ibm.com
+```
+where `REGION` is the value you have set for the `region` input variable.
+
 ## Using HPCS instead of Key Protect
 
 This module supports creating key rings and keys for Key Protect or Hyper Protect Crypto Services (HPCS). By default the module creates a Key Protect instance and creates the key rings and keys in that service instance, but this can be modified to use an existing HPCS instance by providing the GUID of your HPCS instance in the `var.existing_kms_instance_guid` input variable, and then setting the `var.create_key_protect_instance` input variable to `false`. For more information on provisioning an HPCS instance, please see: <https://github.com/terraform-ibm-modules/terraform-ibm-hpcs>
@@ -159,12 +170,12 @@ No resources.
 | <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | A list of access tags to apply to the Key Protect instance created by the module. | `list(string)` | `[]` | no |
 | <a name="input_create_key_protect_instance"></a> [create\_key\_protect\_instance](#input\_create\_key\_protect\_instance) | A flag to control whether a Key Protect instance is created, defaults to true. | `bool` | `true` | no |
 | <a name="input_dual_auth_delete_enabled"></a> [dual\_auth\_delete\_enabled](#input\_dual\_auth\_delete\_enabled) | If set to true, Key Protect enables a dual authorization policy on the instance. Note: Once the dual authorization policy is set on the instance, it cannot be reverted. An instance with dual authorization policy enabled cannot be destroyed using Terraform. | `bool` | `false` | no |
-| <a name="input_enable_metrics"></a> [enable\_metrics](#input\_enable\_metrics) | Set to true to enable metrics on the Key Protect instance (ignored is value for 'existing\_key\_protect\_instance\_guid' is passed). In order to view metrics, you will need a Monitoring (Sysdig) instance that is located in the same region as the Key Protect instance. Once you provision the Monitoring instance, you will need to enable platform metrics. | `bool` | `true` | no |
+| <a name="input_enable_metrics"></a> [enable\_metrics](#input\_enable\_metrics) | Set to true to enable metrics on the Key Protect instance (ignored is value for 'existing\_kms\_instance\_guid' is passed). In order to view metrics, you will need a Monitoring (Sysdig) instance that is located in the same region as the Key Protect instance. Once you provision the Monitoring instance, you will need to enable platform metrics. | `bool` | `true` | no |
 | <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of an existing Key Protect or Hyper Protect Crypto Services instance, required if 'var.create\_key\_protect\_instance' is false. | `string` | `null` | no |
 | <a name="input_key_create_import_access_enabled"></a> [key\_create\_import\_access\_enabled](#input\_key\_create\_import\_access\_enabled) | If set to true, Key Protect enables a key create import access policy on the instance | `bool` | `true` | no |
 | <a name="input_key_create_import_access_settings"></a> [key\_create\_import\_access\_settings](#input\_key\_create\_import\_access\_settings) | Key create import access policy settings to configure if var.enable\_key\_create\_import\_access\_policy is true. For more info see https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-keyCreateImportAccess | <pre>object({<br>    create_root_key     = optional(bool, true)<br>    create_standard_key = optional(bool, true)<br>    import_root_key     = optional(bool, true)<br>    import_standard_key = optional(bool, true)<br>    enforce_token       = optional(bool, false)<br>  })</pre> | `{}` | no |
 | <a name="input_key_endpoint_type"></a> [key\_endpoint\_type](#input\_key\_endpoint\_type) | The type of endpoint to be used for creating keys. Accepts 'public' or 'private' | `string` | `"public"` | no |
-| <a name="input_key_protect_allowed_network"></a> [key\_protect\_allowed\_network](#input\_key\_protect\_allowed\_network) | The type of the allowed network to be set for the Key Protect instance. Possible values are 'private-only', or 'public-and-private'. Ignored is value for 'existing\_key\_protect\_instance\_guid' is passed. | `string` | `"public-and-private"` | no |
+| <a name="input_key_protect_allowed_network"></a> [key\_protect\_allowed\_network](#input\_key\_protect\_allowed\_network) | The type of the allowed network to be set for the Key Protect instance. Possible values are 'private-only', or 'public-and-private'. Ignored is value for 'existing\_kms\_instance\_guid' is passed. | `string` | `"public-and-private"` | no |
 | <a name="input_key_protect_instance_name"></a> [key\_protect\_instance\_name](#input\_key\_protect\_instance\_name) | The name to give the Key Protect instance that will be provisioned by this module. Only used if 'create\_key\_protect\_instance' is true | `string` | `null` | no |
 | <a name="input_key_protect_plan"></a> [key\_protect\_plan](#input\_key\_protect\_plan) | Plan for the Key Protect instance. Currently only 'tiered-pricing' is supported. Only used if 'create\_key\_protect\_instance' is true | `string` | `"tiered-pricing"` | no |
 | <a name="input_key_ring_endpoint_type"></a> [key\_ring\_endpoint\_type](#input\_key\_ring\_endpoint\_type) | The type of endpoint to be used for creating key rings. Accepts 'public' or 'private' | `string` | `"public"` | no |

cra-config.yaml

@@ -1,11 +1,8 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "examples/default" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
+  - CRA_TARGET: "solutions/standard" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
     PROFILE_ID: "0e6e7b5a-817d-4344-ab6f-e5d7a9c49520" # SCC profile ID (currently set to the FSCloud 1.4.0 profile).
-    # SCC_INSTANCE_ID: "" # The SCC instance ID to use to download profile for CRA scan. If not provided, a default global value will be used.
-    # SCC_REGION: "" # The IBM Cloud region that the SCC instance is in. If not provided, a default global value will be used.
-    # CRA_ENVIRONMENT_VARIABLES:  # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
-    #   TF_VAR_sample: "sample value"
-    #   TF_VAR_other:  "another value"
+    CRA_ENVIRONMENT_VARIABLES:  # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
+      TF_VAR_resource_group_name: "test"

ibm_catalog.json

@@ -0,0 +1,90 @@
+{
+    "products": [
+      {
+        "name": "deploy-arch-ibm-kms",
+        "label": "Key Management Services",
+        "product_kind": "solution",
+        "tags": [
+          "ibm_created",
+          "target_terraform",
+          "terraform",
+          "solution",
+          "security"
+        ],
+        "keywords": [
+          "KMS",
+          "Key",
+          "Key Ring",
+          "Key Protect",
+          "IaC",
+          "infrastructure as code",
+          "terraform",
+          "solution"
+        ],
+        "short_description": "Creates and configures IBM Cloud Key Management resources",
+        "long_description": "This architecture supports creating and configuring an IBM Key Protect instance, Key Rings, and Keys.",
+        "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-kms-all-inclusive/blob/main/solutions/standard/README.md",
+        "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-kms-all-inclusive/main/images/key_protect_icon.svg",
+        "provider_name": "IBM",
+        "features": [
+          {
+            "title": "Creates a Key Protect instance.",
+            "description": "Creates and configures a Key Protect instance."
+          },
+          {
+            "title": "Creates Key Rings and Keys",
+            "description": "Creates Key Rings and Keys in a KMS instance (Key Protect or HPCS)."
+          }
+        ],
+        "flavors": [
+          {
+            "label": "Standard",
+            "name": "standard",
+            "install_type": "fullstack",
+            "working_directory": "solutions/standard",
+            "compliance": {
+              "authority": "scc-v3",
+              "profiles": [
+                {
+                  "profile_name": "IBM Cloud Framework for Financial Services",
+                  "profile_version": "1.5.0"
+                }
+              ]
+            },
+            "iam_permissions": [
+              {
+                "role_crns": [
+                  "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+                  "crn:v1:bluemix:public:iam::::role:Editor"
+                ],
+                "service_name": "kms"
+              }
+            ],
+            "architecture": {
+              "descriptions": "This architecture supports creating and configuring an Key Protect instance.",
+              "features": [
+                {
+                  "title": "Creates a Key Protect instance.",
+                  "description": "Creates and configures a Key Protect instance."
+                },
+                {
+                  "title": "Creates Key Rings and Keys",
+                  "description": "Creates Key Rings and Keys in a KMS instance (Key Protect or HPCS)."
+                }
+              ],
+              "diagrams": [
+                {
+                  "diagram": {
+                    "caption": "IBM Key Management Services",
+                    "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-kms-all-inclusive/main/reference-architecture/key_protect.svg",
+                    "type": "image/svg+xml"
+                  },
+                  "description": "This architecture supports creating and configuring IBM Key Management resources"
+                }
+              ]
+            }
+          }
+        ]
+      }
+    ]
+}

renovate.json

@@ -1,4 +1,18 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["github>terraform-ibm-modules/common-dev-assets:commonRenovateConfig"]
+  "extends": ["github>terraform-ibm-modules/common-dev-assets:commonRenovateConfig"],
+  "packageRules": [
+    {
+      "description": "Allow the locked in provider version to be updated to the latest for deployable architectures",
+      "enabled": true,
+      "matchFileNames": ["solutions/**"],
+      "matchManagers": ["terraform"],
+      "matchDepTypes": ["required_provider"],
+      "rangeStrategy": "bump",
+      "semanticCommitType": "fix",
+      "group": true,
+      "groupName": "required_provider",
+      "commitMessageExtra": "to latest for the deployable architecture solution"
+    }
+  ]
 }

solutions/standard/README.md

@@ -0,0 +1,21 @@
+# KMS standard solution
+
+This solution supports the following:
+- Creating a new resource group, or taking in an existing one.
+- Provisioning of a Key Protect instance (private and public-and-private), or taking in an existing KMS instance (Key Protect or Hyper Protect Crypto Services).
+- Creation of a KMS Key Rings and Keys.
+
+**NB:** This solution is not intended to be called by one or more other modules since it contains a provider configurations, meaning it is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers)
+
+## Known limitations
+There is currently a known issue with the IBM provider (https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5154) where the provider is always trying to use the public endpoint when communicating with the Key Protect instance, even if the instance has public endpoint disabled. You will see an error like below on apply:
+```
+Error: [ERROR] Get Policies failed with error : kp.Error: correlation_id='1920e5b8-d5af-4b13-8e67-11872f43bc87', msg='Unauthorized: Either the user does not have access to the specified resource, the resource does not exist, or the region is incorrectly set'
+```
+As a workaround, you can set the following environment variable before running apply:
+```
+export IBMCLOUD_KP_API_ENDPOINT=https://private.REGION.kms.cloud.ibm.com
+```
+where `REGION` is the value you have set for the `region` input variable.
+
+![key-protect](https://github.com/terraform-ibm-modules/terraform-ibm-kms-all-inclusive/blob/main/reference-architecture/key_protect.svg)

solutions/standard/catalogValidationValues.json.template

@@ -0,0 +1,4 @@
+{
+  "ibmcloud_api_key": $VALIDATION_APIKEY,
+  "resource_group_name": $PREFIX
+}

solutions/standard/main.tf

@@ -0,0 +1,36 @@
+########################################################################################################################
+# Resource Group
+########################################################################################################################
+
+module "resource_group" {
+  source                       = "terraform-ibm-modules/resource-group/ibm"
+  version                      = "1.1.4"
+  resource_group_name          = var.existing_resource_group == false ? var.resource_group_name : null
+  existing_resource_group_name = var.existing_resource_group == true ? var.resource_group_name : null
+}
+
+########################################################################################################################
+# KMS
+########################################################################################################################
+
+module "kms" {
+  source                            = "../.."
+  resource_group_id                 = module.resource_group.resource_group_id
+  region                            = var.region
+  create_key_protect_instance       = var.existing_kms_guid != null ? false : true
+  key_protect_instance_name         = var.key_protect_instance_name
+  key_protect_plan                  = "tiered-pricing"
+  rotation_enabled                  = true
+  rotation_interval_month           = 3
+  dual_auth_delete_enabled          = false
+  enable_metrics                    = true
+  key_create_import_access_enabled  = false
+  key_create_import_access_settings = {} # TBC - should this be exposed to consumer? Or hard coded to best practise?
+  key_protect_allowed_network       = var.service_endpoints == "private" ? "private-only" : var.service_endpoints
+  key_ring_endpoint_type            = var.service_endpoints == "public-and-private" ? "public" : var.service_endpoints
+  key_endpoint_type                 = var.service_endpoints == "public-and-private" ? "public" : var.service_endpoints
+  existing_kms_instance_guid        = var.existing_kms_guid
+  resource_tags                     = var.resource_tags
+  access_tags                       = var.access_tags
+  keys                              = var.keys
+}