fscloud module: create global 'deny' rule when more narrow scoped rules are created by the module

[vburckhardt]

Description

2 related aspects in this ticket:

1. Add the ability to scope a rule per region (in addition to the existing instance_id, resourcegroup, tags)
2. When a scope is specified in a rule, get the fscloud module to also create a global 'deny' all rule for the service (using the 1.1.1.1 context). In other words, create 2 rules, a global one and a scoped one. There should be a flag to opt out of this behavior by service (or more exactly by pseudo service to take account of the 2 pseudo services management and cluster for kube)

Context:

• In the current approach, when a rule with a scope is created, the restriction only apply to the instances targeted by this rule. In the absence of a global rule, access is unrestricted for all other instances. This behavior can be see in the fscloud example for kms (scoped to an instance https://github.com/terraform-ibm-modules/terraform-ibm-cbr/blob/main/examples/fscloud/main.tf#L75 )

---

By submitting this issue, you agree to follow our Code of Conduct

[Aashiq-J]

@vburckhardt ,
For the 1st aspect, all the services doesn't support region attribute. For example, kms doesn't have an option of region as an attribute.

In that case, should we have a validation to check for which services support regions?
even if we dont have a validation and user provides region for a service which doesn't support region, the terraform apply doesn't fail. It creates without the region attribute.