Add support for lockdowns in CIS resource

[pauljegouic]

Hi there,

We would like to be able to manage CIS lockdowns rules through Terraform instead of using null_resource and bash scripts.

Thanks in advance

[hkantare]

Can you provide me some links to understand this feature and can you also provider us the null resource/bash script

[pauljegouic]

Yep for sure.

Here is the IBM documentation: https://cloud.ibm.com/docs/cis?topic=cis-how-cis-keeps-your-work-secure

Here is a snippet we have made:

resource "local_file" "lockdown" {
  content  = jsonencode(local.lockdown_payload)
  filename = "${path.module}/lockdown.json"
}
resource "null_resource" "ip_filtering_lockdown" {
  depends_on = [local_file.lockdown]
  triggers = {
    build_number = "${timestamp()}"
  }
  provisioner "local-exec" {
    command = <<EOT
         ibmcloud login -r ${var.region} -g ${var.resource_group_id}
         existing_rules=$(ibmcloud cis firewalls -t lockdowns -i ${var.cis_id}  -d ${element(split(":", var.domain_id), 0)} --output json)
         for row in $(echo "$existing_rules" | jq -r '.[] | @base64'); do
                   _jq() {
                            echo $row | base64 -d | jq -r $1
                     }
                   if [ $(_jq '.urls[0]') == ${local.full_domain} ];then
                            ibmcloud cis firewall-delete $(_jq '.id') -t lockdowns -d ${element(split(":", var.domain_id), 0)} -i ${var.cis_id}
                   fi
          done
         ibmcloud cis firewall-create -t lockdowns -d ${element(split(":", var.domain_id), 0)} -i ${var.cis_id} -j "${path.module}/lockdown.json"
 EOT
  }
}

[pauljegouic]

We would like to achieve the CRUD actions on cis_lockdown !

[pauljegouic]

@hkantare seeing a lot of commit :) :)

When can we expect this feature to be released ?

[pauljegouic]

[pauljegouic]

@hkantare we definetly need the documentation !

[hkantare]

Docs will be update in couple of days....I'm rasining request against doc team

[ifs-saraqasmi]

@hkantare while waiting for the doc, can you give an example of using ibm_cis_firewall with lockdown param please

[hkantare]

doc file: https://github.com/IBM-Cloud/terraform-provider-ibm/blob/master/website/docs/r/cis_firewall.html.markdown

[kavya498]

Available in
https://github.com/IBM-Cloud/terraform-provider-ibm/releases/tag/v1.4.0
https://github.com/IBM-Cloud/terraform-provider-ibm/releases/tag/v0.26.0

[pauljegouic]

@hkantare & @kavya498 thanks for the update.

There is something that lead us to some 404 errors which is the inconsistency of usage of the IDs syntax, in all your documentation that refers to id.

In that case:

• for ibm_cis_dns_record: The ID of the domain for which you want to add a DNS record.
• for ibm_cis_firewall: The ID of the domain where you want to apply the firewall rules.

But in fact, the syntax of the expected ID is not the same.

• ibm_cis_dns_record.domain_id expect this form of ID: 19364270fc6XXXXXX7f940fd292e:crn:v1:bluemix:public:internet-svcs:global:a/9e87f2cde0feXXXXXX056bdad79d285d:ad5b006d-0c7a-40ff-94e6-0f6a9a77ef7c:: (barely the domain_id:cis_id)
• ibm_cis_firewall.domain_id: expect this for of ID of this type : 19364270fc6XXXXXX7f940fd292e

I would suggest, since IBM Cloud has multiple IDs syntax for resource, to provide a more accurated information/examples to the end-user.

I will close this issue after you see my message and suggest an enhancement.

[hkantare]

We will make changes to be inline with other CIS resources..as enhancement

[pauljegouic]

Is it possible to have non-regression that you both support those two types of syntax ? @hkantare

[pauljegouic]

I will create another case for this domain_id inconsistency between TF resources/datasources and the CLI.

[hkantare]

We will have inconsistency issues if we support both types...because we need to set back all the schema attributes to store in a statefile...If we support both types we will not be aware if user has passed which type ...