diff --git a/README.md b/README.md index 14197c4..59bc324 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,9 @@ [![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/) [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release) +> [!IMPORTANT] +> Databases for EnterpriseDB is deprecated. As of 16 June 2025 you can't deploy new instances. Existing instances are supported until 15 October 2025. Any instances that still exist on that date will be deleted. For more information, see [Deprecation of Databases for EnterpriseDB](https://cloud.ibm.com/docs/databases-for-enterprisedb?topic=databases-for-enterprisedb-deprecation). + This module implements an instance of the IBM Cloud Databases for EnterpriseDB service. :exclamation: The module does not support major version upgrades or updates to encryption and backup encryption keys. To upgrade the version, create another instance of Databases for EnterpriseDBs with the updated version. 
@@ -77,17 +80,21 @@ To attach access management tags to resources in this module, you need the follo | Name | Source | Version | |------|--------|---------| +| [backup\_key\_crn\_parser](#module\_backup\_key\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 | | [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.29.0 | +| [kms\_key\_crn\_parser](#module\_kms\_key\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 | ### Resources | Name | Type | |------|------| | [ibm_database.enterprise_db](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database) | resource | +| [ibm_iam_authorization_policy.backup_kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_resource_key.service_credentials](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) | resource | | [ibm_resource_tag.enterprisedb_tag](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_tag) | resource | | [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [time_sleep.wait_for_backup_kms_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [ibm_database_connection.database_connection](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/database_connection) | data source | ### Inputs 
@@ -98,13 +105,11 @@ To attach access management tags to resources in this module, you need the follo | [admin\_pass](#input\_admin\_pass) | The password for the database administrator. If the admin password is null then the admin user ID cannot be accessed. More users can be specified in a user block. | `string` | `null` | no | | [auto\_scaling](#input\_auto\_scaling) | Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://ibm.biz/autoscaling-considerations in the IBM Cloud Docs. |
object({| `null` | no | | [backup\_crn](#input\_backup\_crn) | The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty. | `string` | `null` | no | -| [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The CRN of a KMS (Key Protect or Hyper Protect Crypto Services) key to use for encrypting the disk that holds deployment backups. Only used if var.kms\_encryption\_enabled is set to true. There are limitation per region on the type of KMS service (Key Protect or Hyper Protect Crypto Services) and region for those services. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok and https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups | `string` | `null` | no | +| [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false and `use_same_kms_key_for_backups` is false. If no value is passed, and `use_same_kms_key_for_backups` is true, the value of `kms_key_crn` is used. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). 
| `string` | `null` | no | | [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create |
disk = object({
capacity_enabled = optional(bool, false)
free_space_less_than_percent = optional(number, 10)
io_above_percent = optional(number, 90)
io_enabled = optional(bool, false)
io_over_period = optional(string, "15m")
rate_increase_percent = optional(number, 10)
rate_limit_mb_per_member = optional(number, 3670016)
rate_period_seconds = optional(number, 900)
rate_units = optional(string, "mb")
})
memory = object({
io_above_percent = optional(number, 90)
io_enabled = optional(bool, false)
io_over_period = optional(string, "15m")
rate_increase_percent = optional(number, 10)
rate_limit_mb_per_member = optional(number, 114688)
rate_period_seconds = optional(number, 900)
rate_units = optional(string, "mb")
})
})
list(object({| `[]` | no | | [configuration](#input\_configuration) | Database configuration. [Learn more](https://cloud.ibm.com/apidocs/cloud-databases-api/cloud-databases-api-v4#setdatabaseconfiguration-request) |
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
}))
object({| `null` | no | | [edb\_version](#input\_edb\_version) | Version of the Enterprise DB instance to provision. If no value is passed, the current preferred version of IBM Cloud Databases is used. For our version policy, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-versioning-policy for more details | `string` | `null` | no | -| [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms\_key\_crn and var.backup\_encryption\_key\_crn is coming from. Only required if var.kms\_encryption\_enabled is true, var.skip\_iam\_authorization\_policy is false, and passing a value for var.kms\_key\_crn, var.backup\_encryption\_key\_crn, or both. | `string` | `null` | no | -| [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud® Databases. If set to false, the data is encrypted by using randomly generated keys. For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs | `bool` | `false` | no | -| [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Services like Key Protect or Hyper Protect Crypto Services (HPCS) to use for disk encryption. Only used if var.kms\_encryption\_enabled is set to true. | `string` | `null` | no | +| [kms\_key\_crn](#input\_kms\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `use_ibm_owned_encryption_key` is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the `use_same_kms_key_for_backups` and `backup_encryption_key_crn` inputs. 
Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `string` | `null` | no | | [member\_cpu\_count](#input\_member\_cpu\_count) | Allocated dedicated CPU per member. Minimum number of CPU allowed is 3. [Learn more](https://cloud.ibm.com/docs/databases-for-enterprisedb?topic=databases-for-enterprisedb-resources-scaling) | `number` | `3` | no | | [member\_disk\_mb](#input\_member\_disk\_mb) | Allocated disk per member. [Learn more](https://cloud.ibm.com/docs/databases-for-enterprisedb?topic=databases-for-enterprisedb-resources-scaling) | `number` | `20480` | no | | [member\_host\_flavor](#input\_member\_host\_flavor) | Allocated host flavor per member. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database#host_flavor). | `string` | `null` | no | 
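Review bot: typo in the updated backup_encryption_key_crn and kms_key_crn rows of this hunk: "Bare in mind that backups encryption is only available in certain regions" should read "Bear in mind" in both places. If this Inputs table is generated from the variable descriptions in variables.tf (not part of this diff), correct the descriptions there so the regenerated README keeps the fix; otherwise edit the rows directly.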
@@ -119,8 +124,10 @@ To attach access management tags to resources in this module, you need the follo | [resource\_tags](#input\_resource\_tags) | Optional list of tags to be added to the Enterprise DB instance. | `list(string)` | `[]` | no | | [service\_credential\_names](#input\_service\_credential\_names) | Map of name, role for service credentials that you want to create for the database | `map(string)` | `{}` | no | | [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'. | `string` | `"private"` | no | -| [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Enterprise database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing\_kms\_instance\_guid variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no | -| [use\_default\_backup\_encryption\_key](#input\_use\_default\_backup\_encryption\_key) | Set to true to use default ICD randomly generated keys. | `bool` | `false` | no | +| [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of IAM authorization policies that permits all Databases for EnterpriseDB instances in the given resource group 'Reader' access to the Key Protect or Hyper Protect Crypto Services key that was provided in the `kms_key_crn` and `backup_encryption_key_crn` inputs. This policy is required in order to enable KMS encryption, so only skip creation if there is one already present in your account. No policy is created if `use_ibm_owned_encryption_key` is true. 
| `bool` | `false` | no | +| [use\_default\_backup\_encryption\_key](#input\_use\_default\_backup\_encryption\_key) | When `use_ibm_owned_encryption_key` is set to false, backups will be encrypted with either the key specified in `kms_key_crn`, or in `backup_encryption_key_crn` if a value is passed. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. Alternatively set `use_ibm_owned_encryption_key` to true to use the default encryption for both backups and deployment data. | `bool` | `false` | no | +| [use\_ibm\_owned\_encryption\_key](#input\_use\_ibm\_owned\_encryption\_key) | IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for the `kms_key_crn` input. | `bool` | `true` | no | +| [use\_same\_kms\_key\_for\_backups](#input\_use\_same\_kms\_key\_for\_backups) | Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the `backup_encryption_key_crn` input. Alternatiely set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Applies only if `use_ibm_owned_encryption_key` is false. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `bool` | `true` | no | | [users](#input\_users) | A list of users that you want to create on the database. Multiple blocks are allowed. 
The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service\_credential\_names) is sufficient to control access to the Enterprise Db instance. This blocks creates native enterprise database users, more info on that can be found here https://cloud.ibm.com/docs/databases-for-enterprisedb?topic=databases-for-enterprisedb-user-management&interface=api |
max_connections = optional(number)
max_prepared_transactions = optional(number)
deadlock_timeout = optional(number)
effective_io_concurrency = optional(number)
max_replication_slots = optional(number)
max_wal_senders = optional(number)
shared_buffers = optional(number)
synchronous_commit = optional(string)
wal_level = optional(string)
archive_timeout = optional(number)
log_min_duration_statement = optional(number)
})
list(object({| `[]` | no | ### Outputs diff --git a/cra-config.yaml b/cra-config.yaml index 652d3e8..2fe1230 100644 --- a/cra-config.yaml +++ b/cra-config.yaml @@ -5,7 +5,6 @@ CRA_TARGETS: CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json` PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3" # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile). CRA_ENVIRONMENT_VARIABLES: - TF_VAR_existing_kms_instance_guid: "e6dce284-e80f-46e1-a3c1-830f7adff7a9" TF_VAR_kms_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533" # SCC_INSTANCE_ID: "" # The SCC instance ID to use to download profile for CRA scan. If not provided, a default global value will be used. # SCC_REGION: "" # The IBM Cloud region that the SCC instance is in. If not provided, a default global value will be used. diff --git a/examples/complete/main.tf b/examples/complete/main.tf index d2749c9..1d86e89 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -14,6 +14,11 @@ module "resource_group" { # Key Protect All Inclusive ############################################################################## +locals { + data_key_name = "${var.prefix}-enterprisedb" + backups_key_name = "${var.prefix}-enterprisedb-backups" +} + module "key_protect_all_inclusive" { source = "terraform-ibm-modules/kms-all-inclusive/ibm" version = "4.19.2" @@ -28,7 +33,11 @@ module "key_protect_all_inclusive" { key_ring_name = "icd-edb" keys = [ { - key_name = "${var.prefix}-edb" + key_name = local.data_key_name + force_delete = true + }, + { + key_name = local.backups_key_name force_delete = true } ] 
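Review bot: several typos in the new and updated rows of this hunk: the use_same_kms_key_for_backups row has "if you wan't to use" (should be "want"), "Alternatiely" ("Alternatively") and "Bare in mind" ("Bear in mind"); the use_ibm_owned_encryption_key row has "an encryption key that IBM hold" ("holds"); the skip_iam_authorization_policy row has "authorization policies that permits" ("permit"). If the table is generated from the variable descriptions, fix them at the source so the next regeneration does not reintroduce the errors.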
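Review bot: in the cra-config.yaml hunk, dropping TF_VAR_existing_kms_instance_guid is consistent with the removed input, but the remaining TF_VAR_kms_key_crn on its own may now fail validation: the root module's new validate_kms_values rejects a non-null kms_key_crn unless use_ibm_owned_encryption_key is false, and that input defaults to true. Confirm that the CRA target sets use_ibm_owned_encryption_key = false itself (for example inside the fscloud module), or add `TF_VAR_use_ibm_owned_encryption_key: "false"` next to TF_VAR_kms_key_crn so the scan's plan passes.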
@@ -80,20 +89,27 @@ module "cbr_zone" { ############################################################################## module "enterprise_db" { - source = "../../" - resource_group_id = module.resource_group.resource_group_id - name = "${var.prefix}-edb" - region = var.region - edb_version = var.edb_version - admin_pass = var.admin_pass - users = var.users - kms_encryption_enabled = true - kms_key_crn = module.key_protect_all_inclusive.keys["icd-edb.${var.prefix}-edb"].crn - existing_kms_instance_guid = module.key_protect_all_inclusive.kms_guid - resource_tags = var.resource_tags - service_credential_names = var.service_credential_names - access_tags = var.access_tags - member_host_flavor = "b3c.4x16.encrypted" + source = "../../" + resource_group_id = module.resource_group.resource_group_id + name = "${var.prefix}-edb" + region = var.region + edb_version = var.edb_version + admin_pass = var.admin_pass + users = var.users + resource_tags = var.resource_tags + # Example of how to use different KMS keys for data and backups + use_ibm_owned_encryption_key = false + use_same_kms_key_for_backups = false + kms_key_crn = module.key_protect_all_inclusive.keys["icd-edb.${var.prefix}-edb"].crn + backup_encryption_key_crn = module.key_protect_all_inclusive.keys["icd.${local.data_key_name}"].crn + service_credential_names = { + "enterprisedb_admin" : "Administrator", + "enterprisedb_operator" : "Operator", + "enterprisedb_viewer" : "Viewer", + "enterprisedb_editor" : "Editor", + } + access_tags = var.access_tags + member_host_flavor = "b3c.4x16.encrypted" configuration = { max_connections = 250 } diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index d253fc1..d42cc6f 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf 
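Review bot: the key lookups in the enterprise_db module block do not match the keys this example now creates. The earlier hunk renames the data key to local.data_key_name ("${var.prefix}-enterprisedb") and adds local.backups_key_name, both in key ring "icd-edb", yet kms_key_crn still reads keys["icd-edb.${var.prefix}-edb"], a key that no longer exists, and backup_encryption_key_crn reads keys["icd.${local.data_key_name}"], which uses the wrong key ring prefix and points at the data key rather than the backups key, contradicting the "different KMS keys for data and backups" comment and use_same_kms_key_for_backups = false. Suggested replacement for the two lines:
kms_key_crn = module.key_protect_all_inclusive.keys["icd-edb.${local.data_key_name}"].crn
backup_encryption_key_crn = module.key_protect_all_inclusive.keys["icd-edb.${local.backups_key_name}"].crn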
@@ -58,14 +58,3 @@ variable "users" { sensitive = true description = "A list of users that you want to create on the database. Multiple blocks are allowed. The user password must be in the range of 10-32 characters." } - -variable "service_credential_names" { - description = "Map of name, role for service credentials that you want to create for the database" - type = map(string) - default = { - "enterprise_db_admin" : "Administrator", - "enterprise_db_operator" : "Operator", - "enterprise_db_viewer" : "Viewer", - "enterprise_db_editor" : "Editor", - } -} diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf index 0be3cdd..6bd04fb 100644 --- a/examples/fscloud/main.tf +++ b/examples/fscloud/main.tf 
@@ -54,20 +54,32 @@ module "cbr_zone" { ############################################################################## module "enterprise_db" { - source = "../../modules/fscloud" - resource_group_id = module.resource_group.resource_group_id - name = "${var.prefix}-edb" - region = var.region - edb_version = var.edb_version - kms_key_crn = var.kms_key_crn - existing_kms_instance_guid = var.existing_kms_instance_guid - resource_tags = var.resource_tags - service_credential_names = var.service_credential_names - access_tags = var.access_tags - auto_scaling = var.auto_scaling - member_host_flavor = "b3c.4x16.encrypted" - backup_encryption_key_crn = var.backup_encryption_key_crn - backup_crn = var.backup_crn + source = "../../modules/fscloud" + resource_group_id = module.resource_group.resource_group_id + name = "${var.prefix}-edb" + region = var.region + edb_version = var.edb_version + resource_tags = var.resource_tags + kms_key_crn = var.kms_key_crn + backup_encryption_key_crn = var.backup_encryption_key_crn + backup_crn = var.backup_crn + service_credential_names = { + "enterprisedb_admin" : "Administrator", + "enterprisedb_operator" : "Operator", + "enterprisedb_viewer" : "Viewer", + "enterprisedb_editor" : "Editor", + } + auto_scaling = { + disk = { + capacity_enabled : true, + io_enabled : true + } + memory = { + io_enabled : true, + } + } + member_host_flavor = "b3c.4x16.encrypted" + access_tags = var.access_tags cbr_rules = [ { description = "${var.prefix}-edb access only from vpc" diff --git a/examples/fscloud/variables.tf b/examples/fscloud/variables.tf index 28be909..0e5573e 100644 --- a/examples/fscloud/variables.tf +++ b/examples/fscloud/variables.tf 
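Review bot: this module block passes var.backup_encryption_key_crn but never sets use_same_kms_key_for_backups = false, while the root module's new validate_backup_key rejects a non-null backup_encryption_key_crn whenever use_same_kms_key_for_backups keeps its default of true. Unless modules/fscloud (not in this diff) derives that flag from whether a backup key CRN was supplied, either add `use_same_kms_key_for_backups = false` here, as the complete example does, or document that var.backup_encryption_key_crn must be left null in this example.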
@@ -40,62 +40,11 @@ variable "edb_version" { default = null } -variable "existing_kms_instance_guid" { - description = "The GUID of the Hyper Protect Crypto services in which the key specified in var.kms_key_crn is coming from" - type = string -} - variable "kms_key_crn" { type = string description = "The root key CRN of a Hyper Protect Crypto Services (HPCS) that you want to use for disk encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs&interface=ui for more information on integrating HPCS with Enterprise database." } -variable "service_credential_names" { - description = "Map of name, role for service credentials that you want to create for the database" - type = map(string) - default = { - "enterprise_db_admin" : "Administrator", - "enterprise_db_operator" : "Operator", - "enterprise_db_viewer" : "Viewer", - "enterprise_db_editor" : "Editor", - } -} - -variable "auto_scaling" { - type = object({ - disk = object({ - capacity_enabled = optional(bool) - free_space_less_than_percent = optional(number) - io_above_percent = optional(number) - io_enabled = optional(bool) - io_over_period = optional(string) - rate_increase_percent = optional(number) - rate_limit_mb_per_member = optional(number) - rate_period_seconds = optional(number) - rate_units = optional(string) - }) - memory = object({ - io_above_percent = optional(number) - io_enabled = optional(bool) - io_over_period = optional(string) - rate_increase_percent = optional(number) - rate_limit_mb_per_member = optional(number) - rate_period_seconds = optional(number) - rate_units = optional(string) - }) - }) - description = "Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://ibm.biz/autoscaling-considerations in the IBM Cloud Docs." 
- default = { - disk = { - capacity_enabled : true, - io_enabled : true - } - memory = { - io_enabled : true, - } - } -} - variable "backup_crn" { type = string description = "The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty." diff --git a/main.tf b/main.tf index b9adb42..1159790 100644 --- a/main.tf +++ b/main.tf 
@@ -5,72 +5,184 @@ locals { # Validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400) # tflint-ignore: terraform_unused_declarations - validate_kms_values = !var.kms_encryption_enabled && (var.kms_key_crn != null || var.backup_encryption_key_crn != null) ? tobool("When passing values for var.backup_encryption_key_crn or var.kms_key_crn, you must set var.kms_encryption_enabled to true. Otherwise unset them to use default encryption") : true + validate_kms_values = var.use_ibm_owned_encryption_key && (var.kms_key_crn != null || var.backup_encryption_key_crn != null) ? tobool("When passing values for 'kms_key_crn' or 'backup_encryption_key_crn', you must set 'use_ibm_owned_encryption_key' to false. Otherwise unset them to use default encryption.") : true # tflint-ignore: terraform_unused_declarations - validate_pitr_vars = (var.pitr_id != null && var.pitr_time == null) || (var.pitr_time != null && var.pitr_id == null) ? tobool("To use Point-In-Time Recovery (PITR), values for both var.pitr_id and var.pitr_time need to be set. Otherwise, unset both of these.") : true - # tflint-ignore: terraform_unused_declarations - validate_kms_vars = var.kms_encryption_enabled && var.kms_key_crn == null && var.backup_encryption_key_crn == null ? tobool("When setting var.kms_encryption_enabled to true, a value must be passed for var.kms_key_crn and/or var.backup_encryption_key_crn") : true + validate_kms_vars = !var.use_ibm_owned_encryption_key && var.kms_key_crn == null ? tobool("When setting 'use_ibm_owned_encryption_key' to false, a value must be passed for 'kms_key_crn'.") : true # tflint-ignore: terraform_unused_declarations - validate_auth_policy = var.kms_encryption_enabled && var.skip_iam_authorization_policy == false && var.existing_kms_instance_guid == null ? 
tobool("When var.skip_iam_authorization_policy is set to false, and var.kms_encryption_enabled to true, a value must be passed for var.existing_kms_instance_guid in order to create the auth policy.") : true + validate_backup_key = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn != null && (var.use_default_backup_encryption_key || var.use_same_kms_key_for_backups) ? tobool("When passing a value for 'backup_encryption_key_crn' you cannot set 'use_default_backup_encryption_key' to true or 'use_ibm_owned_encryption_key' to false.") : true # tflint-ignore: terraform_unused_declarations - validate_backup_key = var.backup_encryption_key_crn != null && var.use_default_backup_encryption_key == true ? tobool("When passing a value for 'backup_encryption_key_crn' you cannot set 'use_default_backup_encryption_key' to 'true'") : true + validate_backup_key_2 = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn == null && !var.use_same_kms_key_for_backups ? tobool("When 'use_same_kms_key_for_backups' is set to false, a value needs to be passed for 'backup_encryption_key_crn'.") : true # If no value passed for 'backup_encryption_key_crn' use the value of 'kms_key_crn' and perform validation of 'kms_key_crn' to check if region is supported by backup encryption key. - # For more info, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok and https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups" + # If 'use_ibm_owned_encryption_key' is true or 'use_default_backup_encryption_key' is true, default to null. + # If no value is passed for 'backup_encryption_key_crn', then default to use 'kms_key_crn'. + backup_encryption_key_crn = var.use_ibm_owned_encryption_key || var.use_default_backup_encryption_key ? null : (var.backup_encryption_key_crn != null ? 
var.backup_encryption_key_crn : var.kms_key_crn) + + # tflint-ignore: terraform_unused_declarations + validate_pitr_vars = (var.pitr_id != null && var.pitr_time == null) || (var.pitr_time != null && var.pitr_id == null) ? tobool("To use Point-In-Time Recovery (PITR), values for both var.pitr_id and var.pitr_time need to be set. Otherwise, unset both of these.") : true - backup_encryption_key_crn = var.use_default_backup_encryption_key == true ? null : (var.backup_encryption_key_crn != null ? var.backup_encryption_key_crn : var.kms_key_crn) + # Determine if restore, from backup or point in time recovery + recovery_mode = var.backup_crn != null || var.pitr_id != null # Determine if auto scaling is enabled auto_scaling_enabled = var.auto_scaling == null ? [] : [1] # Determine if host_flavor is used host_flavor_set = var.member_host_flavor != null ? true : false +} - # Determine if restore, from backup or point in time recovery - recovery_mode = var.backup_crn != null || var.pitr_id != null +######################################################################################################################## +# Parse info from KMS key CRNs +######################################################################################################################## - # Determine what KMS service is being used for database encryption - kms_service = var.kms_key_crn != null ? ( - can(regex(".*kms.*", var.kms_key_crn)) ? "kms" : ( - can(regex(".*hs-crypto.*", var.kms_key_crn)) ? "hs-crypto" : null - ) - ) : null +module "kms_key_crn_parser" { + count = var.use_ibm_owned_encryption_key ? 0 : 1 + source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser" + version = "1.1.0" + crn = var.kms_key_crn +} + +module "backup_key_crn_parser" { + count = var.use_ibm_owned_encryption_key ? 
0 : 1 + source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser" + version = "1.1.0" + crn = local.backup_encryption_key_crn +} + +# Put parsed values into locals +locals { + kms_service = !var.use_ibm_owned_encryption_key ? module.kms_key_crn_parser[0].service_name : null + kms_account_id = !var.use_ibm_owned_encryption_key ? module.kms_key_crn_parser[0].account_id : null + kms_key_id = !var.use_ibm_owned_encryption_key ? module.kms_key_crn_parser[0].resource : null + kms_key_instance_guid = !var.use_ibm_owned_encryption_key ? module.kms_key_crn_parser[0].service_instance : null + backup_kms_service = !var.use_ibm_owned_encryption_key ? module.backup_key_crn_parser[0].service_name : null + backup_kms_account_id = !var.use_ibm_owned_encryption_key ? module.backup_key_crn_parser[0].account_id : null + backup_kms_key_id = !var.use_ibm_owned_encryption_key ? module.backup_key_crn_parser[0].resource : null + backup_kms_key_instance_guid = !var.use_ibm_owned_encryption_key ? module.backup_key_crn_parser[0].service_instance : null +} + +######################################################################################################################## +# KMS IAM Authorization Policies +######################################################################################################################## + +locals { + # only create auth policy if 'use_ibm_owned_encryption_key' is false, and 'skip_iam_authorization_policy' is false + create_kms_auth_policy = !var.use_ibm_owned_encryption_key && !var.skip_iam_authorization_policy ? 1 : 0 + # only create backup auth policy if 'use_ibm_owned_encryption_key' is false, 'skip_iam_authorization_policy' is false and 'use_same_kms_key_for_backups' is false + create_backup_kms_auth_policy = !var.use_ibm_owned_encryption_key && !var.skip_iam_authorization_policy && !var.use_same_kms_key_for_backups ? 
1 : 0 } # Create IAM Authorization Policies to allow EDB to access KMS for the encryption key resource "ibm_iam_authorization_policy" "kms_policy" { - count = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1 - source_service_name = "databases-for-enterprisedb" - source_resource_group_id = var.resource_group_id - target_service_name = local.kms_service - target_resource_instance_id = var.existing_kms_instance_guid - roles = ["Reader"] - description = "Allow all Enterprise db instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service} instance GUID ${var.existing_kms_instance_guid}" + count = local.create_kms_auth_policy + source_service_name = "databases-for-enterprisedb" + source_resource_group_id = var.resource_group_id + roles = ["Reader"] + description = "Allow all EnterpriseDB instances in the resource group ${var.resource_group_id} to read the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_key_instance_guid}" + resource_attributes { + name = "serviceName" + operator = "stringEquals" + value = local.kms_service + } + resource_attributes { + name = "accountId" + operator = "stringEquals" + value = local.kms_account_id + } + resource_attributes { + name = "serviceInstance" + operator = "stringEquals" + value = local.kms_key_instance_guid + } + resource_attributes { + name = "resourceType" + operator = "stringEquals" + value = "key" + } + resource_attributes { + name = "resource" + operator = "stringEquals" + value = local.kms_key_id + } + # Scope of policy now includes the key, so ensure to create new policy before + # destroying old one to prevent any disruption to every day services. 
+ lifecycle { + create_before_destroy = true + } } # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478 resource "time_sleep" "wait_for_authorization_policy" { + count = local.create_kms_auth_policy depends_on = [ibm_iam_authorization_policy.kms_policy] create_duration = "30s" } +resource "ibm_iam_authorization_policy" "backup_kms_policy" { + count = local.create_backup_kms_auth_policy + source_service_name = "databases-for-enterprisedb" + source_resource_group_id = var.resource_group_id + roles = ["Reader"] + description = "Allow all EnterpriseDB instances in the Resource Group ${var.resource_group_id} to read the ${local.backup_kms_service} key ${local.backup_kms_key_id} from the instance GUID ${local.backup_kms_key_instance_guid}" + resource_attributes { + name = "serviceName" + operator = "stringEquals" + value = local.backup_kms_service + } + resource_attributes { + name = "accountId" + operator = "stringEquals" + value = local.backup_kms_account_id + } + resource_attributes { + name = "serviceInstance" + operator = "stringEquals" + value = local.backup_kms_key_instance_guid + } + resource_attributes { + name = "resourceType" + operator = "stringEquals" + value = "key" + } + resource_attributes { + name = "resource" + operator = "stringEquals" + value = local.backup_kms_key_id + } + # Scope of policy now includes the key, so ensure to create new policy before + # destroying old one to prevent any disruption to every day services. 
+ lifecycle { + create_before_destroy = true + } +} + +# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478 +resource "time_sleep" "wait_for_backup_kms_authorization_policy" { + count = local.create_backup_kms_auth_policy + depends_on = [ibm_iam_authorization_policy.backup_kms_policy] + create_duration = "30s" +} + +######################################################################################################################## +# EDB instance +######################################################################################################################## + # Create edb database resource "ibm_database" "enterprise_db" { - depends_on = [time_sleep.wait_for_authorization_policy] - resource_group_id = var.resource_group_id - name = var.name - service = "databases-for-enterprisedb" - location = var.region - plan = "standard" # Only standard plan is available for edb - backup_id = var.backup_crn - remote_leader_id = var.remote_leader_crn - version = var.edb_version - tags = var.resource_tags - adminpassword = var.admin_pass - service_endpoints = var.service_endpoints - # remove elements with null values: see https://github.com/terraform-ibm-modules/terraform-ibm-icd-postgresql/issues/273 + depends_on = [time_sleep.wait_for_authorization_policy] + resource_group_id = var.resource_group_id + name = var.name + service = "databases-for-enterprisedb" + location = var.region + plan = "standard" # Only standard plan is available for edb + backup_id = var.backup_crn + remote_leader_id = var.remote_leader_crn + version = var.edb_version + tags = var.resource_tags + adminpassword = var.admin_pass + service_endpoints = var.service_endpoints configuration = var.configuration != null ? jsonencode({ for k, v in var.configuration : k => v if v != null }) : null key_protect_key = var.kms_key_crn backup_encryption_key_crn = local.backup_encryption_key_crn 
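Review bot: `ibm_database.enterprise_db` still lists only `time_sleep.wait_for_authorization_policy` in `depends_on`, so when a separate backup key is in use the instance can be created before `ibm_iam_authorization_policy.backup_kms_policy` (and the `time_sleep.wait_for_backup_kms_authorization_policy` that waits on it) has propagated; add `time_sleep.wait_for_backup_kms_authorization_policy` to that `depends_on` list. Two related gaps in the same region: `local.create_backup_kms_auth_policy` and the `backup_kms_*` locals are gated only on `use_ibm_owned_encryption_key`, `skip_iam_authorization_policy` and `use_same_kms_key_for_backups`, so a caller who sets `use_same_kms_key_for_backups = false` together with `use_default_backup_encryption_key = true` (a combination the variable descriptions present as valid) still gets a backup policy built from `module.backup_key_crn_parser[0]`, whose `count` is not shown in the hunk; make sure the parser's count and the policy gate both exclude that case, otherwise the `[0]` index or the CRN parse will fail. And `key_protect_key = var.kms_key_crn` is passed unconditionally, so a `kms_key_crn` supplied while `use_ibm_owned_encryption_key = true` is silently applied; gate it (`var.use_ibm_owned_encryption_key ? null : var.kms_key_crn`) or reject the combination with a validation. Typo in both policy comments: 'every day services' should be 'everyday services'.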
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md index 36c1c5c..778d58a 100644 --- a/modules/fscloud/README.md +++ b/modules/fscloud/README.md @@ -20,7 +20,7 @@ The IBM Cloud Framework for Financial Services mandates the application of an in | Name | Source | Version | |------|--------|---------| -| [enterprise\_db](#module\_enterprise\_db) | ../../ | n/a | +| [enterprise\_db](#module\_enterprise\_db) | ../.. | n/a | ### Resources @@ -34,12 +34,11 @@ No resources. | [admin\_pass](#input\_admin\_pass) | The password for the database administrator. If the admin password is null then the admin user ID cannot be accessed. More users can be specified in a user block. | `string` | `null` | no | | [auto\_scaling](#input\_auto\_scaling) | Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://ibm.biz/autoscaling-considerations in the IBM Cloud Docs. |
name = string
password = string # pragma: allowlist secret
type = optional(string)
role = optional(string)
}))
object({| `null` | no | | [backup\_crn](#input\_backup\_crn) | The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty. | `string` | `null` | no | -| [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The CRN of a Hyper Protect Crypto Services use for encrypting the disk that holds deployment backups. Only used if var.kms\_encryption\_enabled is set to true. There are limitation per region on the Hyper Protect Crypto Services and region for those services. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups | `string` | `null` | no | +| [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false and `use_same_kms_key_for_backups` is false. If no value is passed, and `use_same_kms_key_for_backups` is true, the value of `kms_key_crn` is used. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `string` | `null` | no | | [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create |
disk = object({
capacity_enabled = optional(bool, false)
free_space_less_than_percent = optional(number, 10)
io_above_percent = optional(number, 90)
io_enabled = optional(bool, false)
io_over_period = optional(string, "15m")
rate_increase_percent = optional(number, 10)
rate_limit_mb_per_member = optional(number, 3670016)
rate_period_seconds = optional(number, 900)
rate_units = optional(string, "mb")
})
memory = object({
io_above_percent = optional(number, 90)
io_enabled = optional(bool, false)
io_over_period = optional(string, "15m")
rate_increase_percent = optional(number, 10)
rate_limit_mb_per_member = optional(number, 114688)
rate_period_seconds = optional(number, 900)
rate_units = optional(string, "mb")
})
})
list(object({| `[]` | no | | [configuration](#input\_configuration) | Database configuration. [Learn more](https://cloud.ibm.com/apidocs/cloud-databases-api/cloud-databases-api-v4#setdatabaseconfiguration-request) |
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
}))
object({| `null` | no | | [edb\_version](#input\_edb\_version) | Version of the Enterprise DB instance. If no value is passed, the current preferred version of IBM Cloud Databases is used. | `string` | `null` | no | -| [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services instance. | `string` | n/a | yes | -| [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of the Hyper Protect Crypto Services (HPCS) to use for disk encryption. | `string` | n/a | yes | +| [kms\_key\_crn](#input\_kms\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `use_ibm_owned_encryption_key` is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the `use_same_kms_key_for_backups` and `backup_encryption_key_crn` inputs. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `string` | `null` | no | | [member\_cpu\_count](#input\_member\_cpu\_count) | Allocated dedicated CPU per member. Minimum number of CPU allowed is 3. [Learn more](https://cloud.ibm.com/docs/databases-for-enterprisedb?topic=databases-for-enterprisedb-resources-scaling) | `number` | `3` | no | | [member\_disk\_mb](#input\_member\_disk\_mb) | Allocated disk per member. [Learn more](https://cloud.ibm.com/docs/databases-for-enterprisedb?topic=databases-for-enterprisedb-resources-scaling) | `number` | `20480` | no | | [member\_host\_flavor](#input\_member\_host\_flavor) | Allocated host flavor per member. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database#host_flavor). 
| `string` | `null` | no | 
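Review bot: in this hunk the `kms_key_crn` row changes from required (`n/a | yes`) to optional (`null | no`) and the FS Cloud profile module gains a `use_ibm_owned_encryption_key` toggle; the README's own context line says this profile exists because the IBM Cloud Framework for Financial Services mandates the controls it applies, so if customer-managed keys are one of those controls the wrapper should keep `kms_key_crn` required and not expose the IBM-owned-key option at all. The description text in this table is generated from the variable declarations, so the spelling fix belongs in modules/fscloud/variables.tf: 'Bare in mind' should be 'Bear in mind' in both the `kms_key_crn` and `backup_encryption_key_crn` rows.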
@@ -50,7 +49,10 @@ No resources. | [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Enterprise DB instance will be created. | `string` | n/a | yes | | [resource\_tags](#input\_resource\_tags) | Optional list of tags to be added to the Enterprise DB instance. | `list(string)` | `[]` | no | | [service\_credential\_names](#input\_service\_credential\_names) | Map of name, role for service credentials that you want to create for the database | `map(string)` | `{}` | no | -| [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Enterprise database instances in the resource group to read the encryption key from the Hyper Protect Crypto Services instance. The HPCS instance is passed in through the var.existing\_kms\_instance\_guid variable. | `bool` | `false` | no | +| [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of IAM authorization policies that permits all Databases for EnterpriseDB instances in the given resource group 'Reader' access to the Key Protect or Hyper Protect Crypto Services key that was provided in the `kms_key_crn` and `backup_encryption_key_crn` inputs. This policy is required in order to enable KMS encryption, so only skip creation if there is one already present in your account. No policy is created if `use_ibm_owned_encryption_key` is true. | `bool` | `false` | no | +| [use\_default\_backup\_encryption\_key](#input\_use\_default\_backup\_encryption\_key) | When `use_ibm_owned_encryption_key` is set to false, backups will be encrypted with either the key specified in `kms_key_crn`, or in `backup_encryption_key_crn` if a value is passed. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. 
Alternatively set `use_ibm_owned_encryption_key` to true to use the default encryption for both backups and deployment data. | `bool` | `false` | no | +| [use\_ibm\_owned\_encryption\_key](#input\_use\_ibm\_owned\_encryption\_key) | Set to true to use the default IBM Cloud® Databases randomly generated keys for disk and backups encryption. To control the encryption keys, use the `kms_key_crn` and `backup_encryption_key_crn` inputs. | `string` | `false` | no | +| [use\_same\_kms\_key\_for\_backups](#input\_use\_same\_kms\_key\_for\_backups) | Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the `backup_encryption_key_crn` input. Alternatiely set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Applies only if `use_ibm_owned_encryption_key` is false. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `bool` | `true` | no | | [users](#input\_users) | A list of users that you want to create on the database. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service\_credential\_names) is sufficient to control access to the Enterprise Db instance. This blocks creates native enterprise database users, more info on that can be found here https://cloud.ibm.com/docs/databases-for-enterprisedb?topic=databases-for-enterprisedb-user-management&interface=api |
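Review bot: the `use_ibm_owned_encryption_key` row declares the type as `string` while its default is `false` and the root module declares the same input as `bool`; fix the type to `bool` in modules/fscloud/variables.tf (this table is generated from it). Spelling in the same hunk: in `use_same_kms_key_for_backups`, 'wan't' should be 'want' and 'Alternatiely' should be 'Alternatively'; in `skip_iam_authorization_policy`, 'policies that permits' should be 'policies that permit'.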
max_connections = optional(number)
max_prepared_transactions = optional(number)
deadlock_timeout = optional(number)
effective_io_concurrency = optional(number)
max_replication_slots = optional(number)
max_wal_senders = optional(number)
shared_buffers = optional(number)
synchronous_commit = optional(string)
wal_level = optional(string)
archive_timeout = optional(number)
log_min_duration_statement = optional(number)
})
list(object({| `[]` | no | ### Outputs @@ -58,11 +60,14 @@ No resources. | Name | Description | |------|-------------| | [adminuser](#output\_adminuser) | Database admin user name | +| [cbr\_rule\_ids](#output\_cbr\_rule\_ids) | CBR rule ids created to restrict EnterpriseDB | | [certificate\_base64](#output\_certificate\_base64) | Database connection certificate | | [crn](#output\_crn) | Enterprise DB instance crn | | [guid](#output\_guid) | Enterprise DB instance guid | | [hostname](#output\_hostname) | Database connection hostname | | [id](#output\_id) | Enterprise DB instance id | | [port](#output\_port) | Database connection port | +| [service\_credentials\_json](#output\_service\_credentials\_json) | Service credentials json map | +| [service\_credentials\_object](#output\_service\_credentials\_object) | Service credentials object | | [version](#output\_version) | Enterprise DB instance version | diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf index 872f471..66eae25 100644 --- a/modules/fscloud/main.tf +++ b/modules/fscloud/main.tf 
@@ -1,27 +1,28 @@ module "enterprise_db" { - source = "../../" - resource_group_id = var.resource_group_id - name = var.name - region = var.region - skip_iam_authorization_policy = var.skip_iam_authorization_policy - service_endpoints = "private" - edb_version = var.edb_version - kms_encryption_enabled = true - existing_kms_instance_guid = var.existing_kms_instance_guid - kms_key_crn = var.kms_key_crn - backup_crn = var.backup_crn - backup_encryption_key_crn = var.backup_encryption_key_crn - resource_tags = var.resource_tags - access_tags = var.access_tags - cbr_rules = var.cbr_rules - configuration = var.configuration - member_memory_mb = var.member_memory_mb - member_disk_mb = var.member_disk_mb - member_cpu_count = var.member_cpu_count - member_host_flavor = var.member_host_flavor - members = var.members - service_credential_names = var.service_credential_names - auto_scaling = var.auto_scaling - admin_pass = var.admin_pass - users = var.users + source = "../.." + resource_group_id = var.resource_group_id + edb_version = var.edb_version + region = var.region + skip_iam_authorization_policy = var.skip_iam_authorization_policy + name = var.name + service_endpoints = "private" + cbr_rules = var.cbr_rules + configuration = var.configuration + member_cpu_count = var.member_cpu_count + member_memory_mb = var.member_memory_mb + member_disk_mb = var.member_disk_mb + member_host_flavor = var.member_host_flavor + members = var.members + admin_pass = var.admin_pass + users = var.users + use_ibm_owned_encryption_key = var.use_ibm_owned_encryption_key + use_same_kms_key_for_backups = var.use_same_kms_key_for_backups + use_default_backup_encryption_key = var.use_default_backup_encryption_key + kms_key_crn = var.kms_key_crn + backup_crn = var.backup_crn + backup_encryption_key_crn = var.backup_encryption_key_crn + auto_scaling = var.auto_scaling + access_tags = var.access_tags + resource_tags = var.resource_tags + service_credential_names = var.service_credential_names } 
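Review bot: passing `use_ibm_owned_encryption_key = var.use_ibm_owned_encryption_key` lets a caller of the Financial Services profile switch the deployment back to IBM-held encryption keys, which undercuts the point of this wrapper (note that `service_endpoints = "private"` is pinned here rather than exposed, for the same reason); consider hard-coding `use_ibm_owned_encryption_key = false` and keeping `kms_key_crn` as a required input, as it was before this change. Style: the whole argument list is reordered at the same time as the new inputs are added, which hides the three real additions (`use_ibm_owned_encryption_key`, `use_same_kms_key_for_backups`, `use_default_backup_encryption_key`) in a full-block rewrite; keeping the original order would make the diff reviewable.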
diff --git a/modules/fscloud/outputs.tf b/modules/fscloud/outputs.tf index 86b55d9..85bb0b3 100644 --- a/modules/fscloud/outputs.tf +++ b/modules/fscloud/outputs.tf @@ -42,3 +42,20 @@ output "certificate_base64" { value = module.enterprise_db.certificate_base64 sensitive = true } + +output "cbr_rule_ids" { + description = "CBR rule ids created to restrict EnterpriseDB" + value = module.enterprise_db.cbr_rule_ids +} + +output "service_credentials_json" { + description = "Service credentials json map" + value = module.enterprise_db.service_credentials_json + sensitive = true +} + +output "service_credentials_object" { + description = "Service credentials object" + value = module.enterprise_db.service_credentials_object + sensitive = true +} diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf index e1b7bac..21f707f 100644 --- a/modules/fscloud/variables.tf +++ b/modules/fscloud/variables.tf 
@@ -149,26 +149,56 @@ variable "auto_scaling" { # Encryption ############################################################## +variable "use_ibm_owned_encryption_key" { + type = string + description = "Set to true to use the default IBM Cloud® Databases randomly generated keys for disk and backups encryption. To control the encryption keys, use the `kms_key_crn` and `backup_encryption_key_crn` inputs." + default = false +} + variable "kms_key_crn" { type = string - description = "The root key CRN of the Hyper Protect Crypto Services (HPCS) to use for disk encryption." + description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `use_ibm_owned_encryption_key` is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the `use_same_kms_key_for_backups` and `backup_encryption_key_crn` inputs. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." + default = null + validation { + condition = anytrue([ + var.kms_key_crn == null, + can(regex(".*kms.*", var.kms_key_crn)), + can(regex(".*hs-crypto.*", var.kms_key_crn)), + ]) + error_message = "Value must be the KMS key CRN from a Key Protect or Hyper Protect Crypto Services instance." + } +} + +variable "use_same_kms_key_for_backups" { + type = bool + description = "Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the `backup_encryption_key_crn` input. Alternatiely set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Applies only if `use_ibm_owned_encryption_key` is false. 
Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." + default = true } variable "backup_encryption_key_crn" { type = string - description = "The CRN of a Hyper Protect Crypto Services use for encrypting the disk that holds deployment backups. Only used if var.kms_encryption_enabled is set to true. There are limitation per region on the Hyper Protect Crypto Services and region for those services. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups" + description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false and `use_same_kms_key_for_backups` is false. If no value is passed, and `use_same_kms_key_for_backups` is true, the value of `kms_key_crn` is used. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." default = null + validation { + condition = anytrue([ + var.backup_encryption_key_crn == null, + can(regex(".*kms.*", var.backup_encryption_key_crn)), + can(regex(".*hs-crypto.*", var.backup_encryption_key_crn)), + ]) + error_message = "Value must be the KMS key CRN from a Key Protect or Hyper Protect Crypto Services instance in one of the supported backup regions." 
+ } } -variable "skip_iam_authorization_policy" { +variable "use_default_backup_encryption_key" { type = bool - description = "Set to true to skip the creation of an IAM authorization policy that permits all Enterprise database instances in the resource group to read the encryption key from the Hyper Protect Crypto Services instance. The HPCS instance is passed in through the var.existing_kms_instance_guid variable." + description = "When `use_ibm_owned_encryption_key` is set to false, backups will be encrypted with either the key specified in `kms_key_crn`, or in `backup_encryption_key_crn` if a value is passed. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. Alternatively set `use_ibm_owned_encryption_key` to true to use the default encryption for both backups and deployment data." default = false } -variable "existing_kms_instance_guid" { - type = string - description = "The GUID of the Hyper Protect Crypto Services instance." +variable "skip_iam_authorization_policy" { + type = bool + description = "Set to true to skip the creation of IAM authorization policies that permits all Databases for EnterpriseDB instances in the given resource group 'Reader' access to the Key Protect or Hyper Protect Crypto Services key that was provided in the `kms_key_crn` and `backup_encryption_key_crn` inputs. This policy is required in order to enable KMS encryption, so only skip creation if there is one already present in your account. No policy is created if `use_ibm_owned_encryption_key` is true." + default = false } ############################################################## diff --git a/reference-architecture/deployable-architecture-enterprisedb.svg b/reference-architecture/deployable-architecture-enterprisedb.svg new file mode 100644 index 0000000..7f30d5b --- /dev/null +++ b/reference-architecture/deployable-architecture-enterprisedb.svg 
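Review bot: in modules/fscloud/variables.tf, `variable "use_ibm_owned_encryption_key"` is declared `type = string` with `default = false`, while the root module declares the same input as `bool`; make it `type = bool` (Terraform coerces `"false"`, but a string-typed flag is misleading in the generated README and easy to misuse in conditionals). The two new `validation` blocks accept any value that merely contains the substring `kms` or `hs-crypto` (`can(regex(".*kms.*", ...))`), which is far looser than the anchored CRN pattern the root variables.tf hunk removes in this same PR, and the `backup_encryption_key_crn` error message still promises a check for 'one of the supported backup regions' that the condition no longer performs; either anchor the pattern (for example `^crn:v1:bluemix:public:(kms|hs-crypto):`) or drop the region wording from the message. Spelling in the descriptions: 'Bare in mind' should be 'Bear in mind', 'wan't' should be 'want', 'Alternatiely' should be 'Alternatively', and 'policies that permits' should be 'policies that permit'.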
@@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/tests/pr_test.go b/tests/pr_test.go index b6558a3..df7eeda 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -57,10 +57,9 @@ func TestRunFSCloudExample(t *testing.T) { */ //ResourceGroup: resourceGroup, TerraformVars: map[string]interface{}{ - "access_tags": permanentResources["accessTags"], - "existing_kms_instance_guid": permanentResources["hpcs_south"], - "kms_key_crn": permanentResources["hpcs_south_root_key_crn"], - "edb_version": "12", // Always lock this test into the latest supported Enterprise DB version + "access_tags": permanentResources["accessTags"], + "kms_key_crn": permanentResources["hpcs_south_root_key_crn"], + "edb_version": "12", // Always lock this test into the latest supported Enterprise DB version }, CloudInfoService: sharedInfoSvc, }) @@ -87,6 +86,7 @@ func TestRunUpgradeCompleteExample(t *testing.T) { if err != nil { log.Fatal(err) } + randomPass := "A1" + base64.URLEncoding.EncodeToString(randomBytes)[:13] options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{ diff --git a/variables.tf b/variables.tf index 147ca87..3e29f8f 100644 --- a/variables.tf +++ b/variables.tf 
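Review bot: in tests/pr_test.go, the second hunk introduces `randomPass := "A1" + base64.URLEncoding.EncodeToString(randomBytes)[:13]` in `TestRunUpgradeCompleteExample`, but nothing in the visible lines consumes it; Go rejects unused local variables, so confirm it is passed on (for example as the `admin_pass` Terraform var) in context not shown here, or drop it. The first hunk correctly removes `existing_kms_instance_guid` from the FS Cloud test vars now that the instance GUID is parsed from `kms_key_crn`.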
@@ -191,21 +191,21 @@ variable "auto_scaling" { # Encryption ############################################################## -variable "kms_encryption_enabled" { +variable "use_ibm_owned_encryption_key" { type = bool - description = "Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud® Databases. If set to false, the data is encrypted by using randomly generated keys. For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs" - default = false + description = "IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for the `kms_key_crn` input." + default = true } variable "use_default_backup_encryption_key" { type = bool - description = "Set to true to use default ICD randomly generated keys." + description = "When `use_ibm_owned_encryption_key` is set to false, backups will be encrypted with either the key specified in `kms_key_crn`, or in `backup_encryption_key_crn` if a value is passed. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. Alternatively set `use_ibm_owned_encryption_key` to true to use the default encryption for both backups and deployment data." default = false } variable "kms_key_crn" { type = string - description = "The root key CRN of a Key Management Services like Key Protect or Hyper Protect Crypto Services (HPCS) to use for disk encryption. Only used if var.kms_encryption_enabled is set to true." 
+ description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `use_ibm_owned_encryption_key` is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the `use_same_kms_key_for_backups` and `backup_encryption_key_crn` inputs. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." default = null validation { 
@@ -214,33 +214,37 @@ variable "kms_key_crn" { can(regex(".*kms.*", var.kms_key_crn)), can(regex(".*hs-crypto.*", var.kms_key_crn)), ]) - error_message = "Value must be the root key CRN from either the Key Protect or Hyper Protect Crypto Services (HPCS)" + error_message = "Value must be the KMS key CRN from a Key Protect or Hyper Protect Crypto Services instance." } } +variable "use_same_kms_key_for_backups" { + type = bool + description = "Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the `backup_encryption_key_crn` input. Alternatiely set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Applies only if `use_ibm_owned_encryption_key` is false. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." + default = true +} + variable "backup_encryption_key_crn" { type = string - description = "The CRN of a KMS (Key Protect or Hyper Protect Crypto Services) key to use for encrypting the disk that holds deployment backups. Only used if var.kms_encryption_enabled is set to true. There are limitation per region on the type of KMS service (Key Protect or Hyper Protect Crypto Services) and region for those services. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok and https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups" + description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. 
Applies only if `use_ibm_owned_encryption_key` is false and `use_same_kms_key_for_backups` is false. If no value is passed, and `use_same_kms_key_for_backups` is true, the value of `kms_key_crn` is used. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." default = null validation { - condition = var.backup_encryption_key_crn == null ? true : length(regexall("^crn:v1:bluemix:public:kms:(us-south|us-east|eu-de):a/[[:xdigit:]]{32}:[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}:key:[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$|^crn:v1:bluemix:public:hs-crypto:[a-z-]+:a/[[:xdigit:]]{32}:[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}:key:[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$", var.backup_encryption_key_crn)) > 0 - error_message = "Valid values for backup_encryption_key_crn is null, a Hyper Protect Crypto Services key CRN or a Key Protect key CRN from us-south, us-east or eu-de" + condition = anytrue([ + var.backup_encryption_key_crn == null, + can(regex(".*kms.*", var.backup_encryption_key_crn)), + can(regex(".*hs-crypto.*", var.backup_encryption_key_crn)), + ]) + error_message = "Value must be the KMS key CRN from a Key Protect or Hyper Protect Crypto Services instance in one of the supported backup regions." 
} } variable "skip_iam_authorization_policy" { type = bool - description = "Set to true to skip the creation of an IAM authorization policy that permits all Enterprise database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing_kms_instance_guid variable. In addition, no policy is created if var.kms_encryption_enabled is set to false." + description = "Set to true to skip the creation of IAM authorization policies that permits all Databases for EnterpriseDB instances in the given resource group 'Reader' access to the Key Protect or Hyper Protect Crypto Services key that was provided in the `kms_key_crn` and `backup_encryption_key_crn` inputs. This policy is required in order to enable KMS encryption, so only skip creation if there is one already present in your account. No policy is created if `use_ibm_owned_encryption_key` is true." default = false } -variable "existing_kms_instance_guid" { - type = string - description = "The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms_key_crn and var.backup_encryption_key_crn is coming from. Only required if var.kms_encryption_enabled is true, var.skip_iam_authorization_policy is false, and passing a value for var.kms_key_crn, var.backup_encryption_key_crn, or both." - default = null -} - ############################################################## # Context-based restriction (CBR) ##############################################################
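Review bot: the replacement `backup_encryption_key_crn` validation (`anytrue([ ... can(regex(".*kms.*", ...)), can(regex(".*hs-crypto.*", ...)) ])`) drops both the anchored CRN grammar and the `us-south|us-east|eu-de` Key Protect region list that the removed condition enforced, yet the new `error_message` still tells the user the key must be 'in one of the supported backup regions'; either keep an anchored pattern such as `^crn:v1:bluemix:public:(kms|hs-crypto):` with the region alternation for the `kms` branch, or reword the message so it describes what is actually checked (a bare substring match also accepts any string that happens to contain `kms`). Renaming `kms_encryption_enabled` to `use_ibm_owned_encryption_key` with the opposite polarity and `default = true` is a breaking change: callers who previously set `kms_encryption_enabled = true` plus `kms_key_crn` must now also set `use_ibm_owned_encryption_key = false`, and `existing_kms_instance_guid` is removed outright; the upgrade guidance belongs in the PR description and the module README. Spelling: 'an encryption key that IBM hold' should be 'that IBM holds'; 'Bare in mind' should be 'Bear in mind'; 'wan't' should be 'want'; 'Alternatiely' should be 'Alternatively'; 'policies that permits' should be 'policies that permit'.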