feat: initial release (#52)

Author: Ak-sky

README.md

@@ -1,5 +1,5 @@
 # Event Notification module
-[![Incubating (Not yet consumable)](https://img.shields.io/badge/status-Incubating%20(Not%20yet%20consumable)-red)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
+[![Stable (With quality checks)](https://img.shields.io/badge/Status-Stable%20(With%20quality%20checks)-green)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
 [![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-event-notifications?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/releases/latest)
 [![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/)
@@ -12,76 +12,105 @@ A module to create IBM Cloud Event Notifications.
 * [terraform-ibm-event-notifications](#terraform-ibm-event-notifications)
 * [Examples](./examples)
     * [Basic example](./examples/basic)
-    * [Complete example](./examples/complete)
+    * [Complete example with BYOK encryption and CBR rules](./examples/complete)
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->
 
 ## terraform-ibm-event-notifications
 
 ### Usage
 
-<!--
-Add an example of the use of the module in the following code block.
-
-Use real values instead of "var.<var_name>" or other placeholder values
-unless real values don't help users know what to change.
--->
-
 ```hcl
-
+module "event_notification" {
+  source            = "terraform-ibm-modules/event-notifications/ibm"
+  version           = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
+  resource_group_id = "a8cff104f1764e98aac9ab879198230a" # pragma: allowlist secret
+  name              = "event-notification"
+  tags              = ["dev", "qa"]
+  plan              = "lite"
+  service_endpoints = "public"
+  service_credential_names = {
+                                "en_manager" : "Manager",
+                                "en_writer" : "Writer",
+                                "en_reader" : "Reader",
+                             }
+}
 ```
 
 ### Required IAM access policies
 
-<!-- PERMISSIONS REQUIRED TO RUN MODULE
-If this module requires permissions, uncomment the following block and update
-the sample permissions, following the format.
-Replace the sample Account and IBM Cloud service names and roles with the
-information in the console at
-Manage > Access (IAM) > Access groups > Access policies.
--->
-
-<!--
 You need the following permissions to run this module.
 
 - Account Management
-    - **Sample Account Service** service
-        - `Editor` platform access
-        - `Manager` service access
-    - IAM Services
-        - **Sample Cloud Service** service
-            - `Administrator` platform access
--->
-
-<!-- NO PERMISSIONS FOR MODULE
-If no permissions are required for the module, uncomment the following
-statement instead the previous block.
--->
-
-<!-- No permissions are needed to run this module.-->
-<!-- END MODULE HOOK -->
+    - **Event Notification** service
+        - Platform Management Roles
+            - `Editor` platform role access
+
+To create service credentials, access to Event Notifications and access to call the Event Notifications API, you need the following access.
+
+- Service Access Roles
+    - `Reader` - View Event Notifications instance data
+    - `Writer` - View and edit an Event Notifications instance
+    - `Channel Editor` - View, create, and delete Event Notifications subscriptions
+    - `Manager`	- View, edit, and delete data in an Event Notifications instance
+    - `Service Configuration Reader` - Read services configuration for Governance management
+    - `Event Source Manager` - Source integration with Event Notifications by using service to service authorization
+    - `Event Notifications Publisher` - Create notification and view notifications count
+    - `Device Manager` - Custom role to handle push device registration with the Event Notifications service
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ### Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0, <1.6.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.56.1, < 2.0.0 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9.1 |
 
 ### Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_cbr_rule"></a> [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.15.1 |
 
 ### Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [ibm_en_integration.en_kms_integration](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/en_integration) | resource |
+| [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
+| [ibm_resource_instance.en_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
+| [ibm_resource_key.service_credentials](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) | resource |
+| [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [ibm_en_integrations.en_integrations](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/en_integrations) | data source |
 
 ### Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br>    description = string<br>    account_id  = string<br>    rule_contexts = list(object({<br>      attributes = optional(list(object({<br>        name  = string<br>        value = string<br>    }))) }))<br>    enforcement_mode = string<br>  }))</pre> | `[]` | no |
+| <a name="input_existing_kms_instance_crn"></a> [existing\_kms\_instance\_crn](#input\_existing\_kms\_instance\_crn) | The CRN of the Hyper Protect Crypto Services or Key Protect instance. Required only if var.kms\_encryption\_enabled is set to true | `string` | `null` | no |
+| <a name="input_kms_encryption_enabled"></a> [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in Event Notification. If set to false, the data is encrypted by using randomly generated keys. For more info on Managing Encryption, see https://cloud.ibm.com/docs/event-notifications?topic=event-notifications-en-managing-encryption | `bool` | `false` | no |
+| <a name="input_kms_endpoint"></a> [kms\_endpoint](#input\_kms\_endpoint) | The KMS endpoint to use when configuring KMS encryption. Must be private or public. | `string` | `"public"` | no |
+| <a name="input_kms_region"></a> [kms\_region](#input\_kms\_region) | The region where KMS instance exists if using KMS encryption. | `string` | `"us-south"` | no |
+| <a name="input_name"></a> [name](#input\_name) | The name to give the IBM Event Notification instance created by this module. | `string` | n/a | yes |
+| <a name="input_plan"></a> [plan](#input\_plan) | Plan for the event notification instance : lite or standard | `string` | `"standard"` | no |
+| <a name="input_region"></a> [region](#input\_region) | IBM Cloud region where event notification will be created, supported regions are: us-south (Dallas), eu-gb (London), eu-de (Frankfurt), au-syd (Sydney), eu-es (Madrid) | `string` | `"us-south"` | no |
+| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Notification instance will be created. | `string` | n/a | yes |
+| <a name="input_root_key_id"></a> [root\_key\_id](#input\_root\_key\_id) | The Key ID of a root key, existing in the KMS instance passed in var.existing\_kms\_instance\_crn, which will be used to encrypt the data encryption keys (DEKs) which are then used to encrypt the data. Required if var.kms\_encryption\_enabled is set to true. | `string` | `null` | no |
+| <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | Map of name, role for service credentials that you want to create for the event notification | `map(string)` | `{}` | no |
+| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable the public or both public and private service endpoints. Supported values are 'public' or 'public-and-private'. | `string` | `"public-and-private"` | no |
+| <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Event Notification instances in the resource group to read the encryption key from the KMS instance. No policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Optional list of tags to be added to the Event Notification instance | `list(string)` | `[]` | no |
 
 ### Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_crn"></a> [crn](#output\_crn) | Event Notification crn |
+| <a name="output_guid"></a> [guid](#output\_guid) | Event Notification guid |
+| <a name="output_service_credentials_json"></a> [service\_credentials\_json](#output\_service\_credentials\_json) | Service credentials json map |
+| <a name="output_service_credentials_object"></a> [service\_credentials\_object](#output\_service\_credentials\_object) | Service credentials object |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 <!-- BEGIN CONTRIBUTING HOOK -->

examples/basic/README.md

@@ -1,8 +1,5 @@
 # Basic example
 
-<!-- There is a pre-commit hook that will take the title of each example add include it in the repos main README.md  -->
-<!-- The text below should describe exactly what resources are provisioned / configured by the example  -->
-
 An end-to-end basic example that will provision the following:
 - A new resource group if one is not passed in.
-- A new Cloud Object Storage instance.
+- A new Event Notification lite instance.

examples/basic/main.tf

@@ -11,14 +11,15 @@ module "resource_group" {
 }
 
 ##############################################################################
-# COS instance
+# Events-notification-instance
 ##############################################################################
 
-resource "ibm_resource_instance" "cos_instance" {
-  name              = "${var.prefix}-cos"
+module "event_notification" {
+  source            = "../../"
   resource_group_id = module.resource_group.resource_group_id
-  service           = "cloud-object-storage"
-  plan              = "standard"
-  location          = "global"
+  name              = "${var.prefix}-en"
   tags              = var.resource_tags
+  plan              = "lite"
+  service_endpoints = "public"
+  region            = var.region
 }

examples/basic/outputs.tf

@@ -2,11 +2,6 @@
 # Outputs
 ##############################################################################
 
-output "cos_instance_id" {
-  description = "COS instance id"
-  value       = ibm_resource_instance.cos_instance.id
-}
-
 output "resource_group_name" {
   description = "Resource group name"
   value       = module.resource_group.resource_group_name
@@ -16,3 +11,13 @@ output "resource_group_id" {
   description = "Resource group ID"
   value       = module.resource_group.resource_group_id
 }
+
+output "crn" {
+  description = "Event notification instance crn"
+  value       = module.event_notification.crn
+}
+
+output "guid" {
+  description = "Event Notification guid"
+  value       = module.event_notification.guid
+}

examples/basic/variables.tf

@@ -10,7 +10,7 @@ variable "ibmcloud_api_key" {
 
 variable "region" {
   type        = string
-  description = "Region to provision all resources created by this example"
+  description = "IBM Cloud region where event notification will be created, supported regions are: us-south (Dallas), eu-gb (London), eu-de (Frankfurt), au-syd (Sydney), eu-es (Madrid)"
   default     = "us-south"
 }
 

examples/basic/version.tf

@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = "1.49.0"
+      version = "1.56.1"
     }
   }
 }

examples/complete/README.md

@@ -1,4 +1,10 @@
-# Complete example
+# Complete example with BYOK encryption and CBR rules
 
-<!-- There is a pre-commit hook that will take the title of each example add include it in the repos main README.md  -->
-<!-- Add text below should describe exactly what resources are provisioned / configured by the example  -->
+An end-to-end example that does the following:
+
+- Create a new resource group if one is not passed in.
+- Create Key Protect instance with root key.
+- Create a new Event Notification instance with BYOK encryption.
+- Create a Virtual Private Cloud (VPC).
+- Create a context-based restriction (CBR) rule to only allow Event Notification to be accessible from within the VPC.
+- Create a service credentials for the Event Notification instance.

examples/complete/main.tf

@@ -1,3 +1,103 @@
 ##############################################################################
-# Complete example
+# Resource group
 ##############################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.0"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##############################################################################
+# Key Protect All Inclusive
+##############################################################################
+
+locals {
+  key_ring_name = "en-key-ring"
+  key_name      = "${var.prefix}-en"
+}
+module "key_protect_all_inclusive" {
+  source                    = "terraform-ibm-modules/key-protect-all-inclusive/ibm"
+  version                   = "4.2.0"
+  resource_group_id         = module.resource_group.resource_group_id
+  region                    = var.region
+  key_protect_instance_name = "${var.prefix}-kp"
+  resource_tags             = var.resource_tags
+  key_map = {
+    (local.key_ring_name) = [local.key_name]
+  }
+}
+
+##############################################################################
+# Get Cloud Account ID
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+##############################################################################
+# VPC
+##############################################################################
+resource "ibm_is_vpc" "example_vpc" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+resource "ibm_is_subnet" "testacc_subnet" {
+  name                     = "${var.prefix}-subnet"
+  vpc                      = ibm_is_vpc.example_vpc.id
+  zone                     = "${var.region}-1"
+  total_ipv4_address_count = 256
+  resource_group           = module.resource_group.resource_group_id
+}
+
+##############################################################################
+# Create CBR Zone
+##############################################################################
+
+module "cbr_zone" {
+  source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
+  version          = "1.15.1"
+  name             = "${var.prefix}-VPC-network-zone"
+  zone_description = "CBR Network zone representing VPC"
+  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  addresses = [{
+    type  = "vpc",
+    value = ibm_is_vpc.example_vpc.crn
+  }]
+}
+
+module "event_notification" {
+  source                    = "../../"
+  resource_group_id         = module.resource_group.resource_group_id
+  name                      = "${var.prefix}-en"
+  kms_encryption_enabled    = true
+  existing_kms_instance_crn = module.key_protect_all_inclusive.key_protect_id
+  root_key_id               = module.key_protect_all_inclusive.keys["${local.key_ring_name}.${local.key_name}"].key_id
+  tags                      = var.resource_tags
+  service_endpoints         = "public"
+  service_credential_names  = var.service_credential_names
+  region                    = var.region
+  kms_region                = var.region
+  cbr_rules = [
+    {
+      description      = "${var.prefix}-event notification access only from vpc"
+      enforcement_mode = "report"
+      account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+      rule_contexts = [{
+        attributes = [
+          {
+            "name" : "endpointType",
+            "value" : "public"
+          },
+          {
+            name  = "networkZoneId"
+            value = module.cbr_zone.zone_id
+        }]
+      }]
+    }
+  ]
+}

examples/complete/outputs.tf

@@ -2,22 +2,34 @@
 # Outputs
 ##############################################################################
 
-output "region" {
-  description = "The region all resources were provisioned in"
-  value       = var.region
+output "resource_group_name" {
+  description = "Resource group name"
+  value       = module.resource_group.resource_group_name
 }
 
-output "prefix" {
-  description = "The prefix used to name all provisioned resources"
-  value       = var.prefix
+output "resource_group_id" {
+  description = "Resource group ID"
+  value       = module.resource_group.resource_group_id
 }
 
-output "resource_group_name" {
-  description = "The name of the resource group used"
-  value       = var.resource_group
+output "crn" {
+  description = "Event notification instance crn"
+  value       = module.event_notification.crn
+}
+
+output "guid" {
+  description = "Event Notification guid"
+  value       = module.event_notification.guid
+}
+
+output "service_credentials_json" {
+  description = "Service credentials json map"
+  value       = module.event_notification.service_credentials_json
+  sensitive   = true
 }
 
-output "resource_tags" {
-  description = "List of resource tags"
-  value       = var.resource_tags
+output "service_credentials_object" {
+  description = "Service credentials json object"
+  value       = module.event_notification.service_credentials_object
+  sensitive   = true
 }