Description

resolves #50

Adds context-based restrictions as an additional security measure to help ensure the Cloudability and IBM Cloud Billing are the primary consumers of the bucket. Schematics is added as a zone to allow provisioning/de-provisioning from projects. Support adding an additional user provided zone or list of ip addresses so they can acces the COS bucket.

Release required?

• No release
• Patch release (x.x.X)
• Minor release (x.X.x)
• Major release (X.x.x)

Release notes content

• Adds context-based restrictions to the cos bucket to ensure that only Cloudability, IBM Cloud Billing, Schematics, and a user provided zone can access the bucket from the expected IP Addresses. This provides additional security beyond IAM access control.

New access permissions are required:

• Viewer role on the CBR service to view the CBR zones
• Administrator role on Schematics to be able to create a CBR on schematics

New inputs:

• cbr_enforcement_mode
• additional_allowed_cbr_bucket_ip_addresses
• existing_allowed_cbr_bucket_zone_id
• cbr_additional_zone_name
• cbr_billing_zone_name
• cbr_cloudability_zone_name
• cbr_cos_zone_name
• cbr_schematics_zone_name

New outputs:

• bucket_cbr_rule_ids
• bucket_cbr_rules

Run the pipeline

If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.

Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:

/run pipeline

Checklist for reviewers

• If relevant, a test for the change is included or updated with this PR.
• If relevant, documentation for the change is included or updated with this PR.

For mergers

• Use a conventional commit message to set the release level. Follow the guidelines.
• Include information that users need to know about the PR in the commit message. The commit message becomes part of the GitHub release notes.
• Use the Squash and merge option.