Terraform IBM Service-to-service authorization module

This module generates authorization policies and context-based restriction (CBR) rules to enable access and restrictions between a source service and a target service.

Overview

• terraform-ibm-s2s-auth
• Examples
  • Basic example
  • Complete example
• Contributing

terraform-ibm-s2s-auth

Usage

module "service_auth_cbr_rules" {
  source                = "terraform-ibm-modules/s2s-auth/ibm"
  version               = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  service_map           = [
    {
        "description"= "This is a test auth policy",
        "enforcement_mode"= "report",
        "roles"= [
            "Reader"
        ],
        "source_resource_instance_id"= "<source_resource_instance_guid>",
        "source_service_name"= "cloud-object-storage",
        "target_resource_instance_id"= "<target_resource_instance_guid>",
        "target_service_name"= "kms"
    },
    {
        "description"= "This is a test auth policy",
        "enforcement_mode"= "report",
        "roles"= [
            "Reader"
        ],
        "source_rg"= "<source_rg>",
        "source_service_name"= "containers-kubernetes",
        "target_rg"= "<target_rg>",
        "target_service_name"= "kms"
    }
  ]
}

Required IAM access policies

You need the following permissions to run this module.

• You must have access to the target service to create an authorization between services. You can grant only the level of access that you have as a user of the target service. For example, if you have viewer access on the target service, you can assign only the viewer role for the authorization.

Requirements

Name	Version
terraform	>= 1.3.0
ibm	>= 1.70.0, <2.0.0

Modules

Name	Source	Version
cbr_rules	terraform-ibm-modules/cbr/ibm//modules/cbr-service-profile	1.29.0

Resources

Name	Type
ibm_iam_authorization_policy.auth_policies	resource

Inputs

Name	Description	Type	Default	Required
cbr_target_service_details	Details of the target service for which the rule has to be created.	list(object({ target_service_name = string target_rg = optional(string) enforcement_mode = string tags = optional(list(string)) }))	[]	no
prefix	Prefix for new CBR zones and rules.	string	null	no
service_map	Map of source service and the corresponding target service details.	list(object({ source_service_name = string target_service_name = string roles = list(string) description = optional(string, null) source_resource_instance_id = optional(string, null) target_resource_instance_id = optional(string, null) source_resource_group_id = optional(string, null) target_resource_group_id = optional(string, null) }))	[]	no
zone_service_ref_list	Service reference for the zone creation.	map(object({ service_ref_location = optional(list(string), []) }))	{}	no
zone_vpc_crn_list	CRN of the VPC for the zones.	list(string)	[]	no

Outputs

Name	Description
auth_policies	Authorizations created
cbr_rules	CBR Rules created

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.