feat: create global 'deny' rule when more narrow scoped rules are created by the module

[Aashiq-J]

Description

Issue : #388

Release required?

• No release
• Patch release (x.x.X)
• Minor release (x.X.x)
• Major release (X.x.x)

Release notes content

• minimum required provider version is 1.62.0.
• Ability to scope a rule per region.
• Support for multiple attributes per rule for a service.
• Remove public default context set to 1.1.1.1
• 0 context rule for services by default, which will deny all requests made to a service. (Note: By default enforcement mode is set to report-only).
• option create a global 'deny' rule for all the scoped rule for a service. By default it is set to true.

Run the pipeline

If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.

Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:

/run pipeline

Checklist for reviewers

• If relevant, a test for the change is included or updated with this PR.
• If relevant, documentation for the change is included or updated with this PR.

For mergers

• Use a conventional commit message to set the release level. Follow the guidelines.
• Include information that users need to know about the PR in the commit message. The commit message becomes part of the GitHub release notes.
• Use the Squash and merge option.

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[Aashiq-J]

Adding ignoreUpdates because its just a update-in-place.

[Aashiq-J]

Added the feature to pass multiple attribute in this PR.

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[shemau]

I am not sure, but maybe those upgrade issues can be overcome.

[Aashiq-J]

/run pipeline

[shemau]

/run pipeline

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[vburckhardt]

for this one "Default 1.1.1.1 context is not needed now as all Cloud services now have this implicit deny." -> have we actually checked it. I've been getting inconsistent answers from services, so I would suggest to actually test this out.

[Aashiq-J]

Tested IKS rule with 0 context scoping to instance id, region and all the resources. Unable to access the cluster when the rule was in-place.

Also tested the same for VPC, created rule with 0 context scoping to a region.

[Aashiq-J]

The implicit deny feature is only available in the new provider version which is in beta stage.

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[Ak-sky]

/run pipeline

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[shemau]

This is a very new version of the provider. So new in fact that many consumers will have to upgrade. IMHO it would be good to put a note and reason (what was fixed) in the release notes section of the PR. These seems particularly important because so many modules support CBR and thus implicitly require 1.62.0.

It may be this feature to allow global deny? terraform-provider-ibm pull 5058.

Any example in our modules that is pinned to a lower level will immediately fail and require updating.

[Aashiq-J]

/run pipeline

[Aashiq-J]

updated the release notes.

Requested changes in review have been resolved.

[terraform-ibm-modules-ops]

🎉 This PR is included in version 1.20.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀