update(cloud-databases): Make Service Endpoints Required and send warning when public endpoints are in use #5402

Merged
merged 9 commits into from
Sep 12, 2024

omaraibrahim
Collaborator

@omaraibrahim omaraibrahim commented May 31, 2024

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates OR Closes #0000

Example of Warning in terraform plan When Public Endpoints are in Use:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # ibm_database.elasticsearch will be updated in-place
  ~ resource "ibm_database" "elasticsearch" {
        id                      = "crn:v1:bluemix:public:databases-for-elasticsearch:us-south:a/40ddc34a953a8c02f10987b59085b60e:678da497-8106-46ab-8823-7e60b0398afd::"
        name                    = "omar-test-icd-elasticsearch-05-30"
      ~ service_endpoints       = "public" -> "private"
        tags                    = []
        # (16 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
╷
│ Warning: IBM recommends using private endpoints only to improve security by restricting access to your database to the IBM Cloud private network. For more information, please refer to our security best practices, https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-manage-security-compliance.
│ 
│   with ibm_database.elasticsearch,
│   on main.tf line 44, in resource "ibm_database" "elasticsearch":
│   44: resource "ibm_database" "elasticsearch" {
│ 

Example of Warning in terraform apply after user set service endpoints to public:

 Warning: IBM recommends using private endpoints only to improve security by restricting access to your database to the IBM Cloud private network. For more information, please refer to our security best practices, https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-manage-security-compliance.
│ 
│   with ibm_database.elasticsearch,
│   on main.tf line 44, in resource "ibm_database" "elasticsearch":
│   44: resource "ibm_database" "elasticsearch" {
│ 
╵

Example of Error when user left out service_endpoints:

╷
│ Error: Missing required argument
│ 
│   on main.tf line 44, in resource "ibm_database" "elasticsearch":
│   44: resource "ibm_database" "elasticsearch" {
│ 
│ The argument "service_endpoints" is required, but no definition was found.

Output from acceptance testing:

$ make testacc TEST=./ibm/service/database
--- PASS: TestValidateUserPassword (0.00s)
--- PASS: TestValidateRBACRole (0.00s)
--- PASS: TestAppendSwitchoverWarning (0.00s)
--- PASS: TestPublicServiceEndpointsWarning (0.00s)
--- PASS: TestAccIBMDatabaseConnectionDataSourceBasic (647.50s)
--- PASS: TestAccIBMDatabaseInstanceEtcdImport (475.67s)
--- PASS: TestAccIBMDatabaseInstanceRedisImport (510.50s)
--- PASS: TestAccIBMDatabaseInstancePostgresImport (617.13s)
--- PASS: TestAccIBMDatabaseDataSource_basic (708.68s)
--- PASS: TestAccIBMDatabaseInstance_Redis_Basic (932.09s)
--- PASS: TestAccIBMDatabaseInstanceRabbitmqImport (372.72s)
--- PASS: TestAccIBMDatabaseInstance_Rabbitmq_Basic (1331.18s)
--- PASS: TestAccIBMDatabaseInstance_ElasticsearchPlatinum_Group (1479.86s)
--- PASS: TestAccIBMDatabaseInstanceElasticsearchPlatinumImport (3738.51s)
--- PASS: TestAccIBMDatabaseInstance_ElasticsearchPlatinum_Basic (1005.96s)
--- PASS: TestAccIBMDatabaseInstance_Etcd_Basic (5107.58s)
--- PASS: TestAccIBMMysqlDatabaseInstanceBasic (3526.58s)
--- PASS: TestAccIBMDatabaseInstanceMongodbBasic (3695.07s)
--- PASS: TestAccIBMDatabaseInstancePostgresPITR (1343.35s)
--- PASS: TestAccIBMDatabaseInstance_ElasticsearchPlatinum_Node (1772.69s)
...
make testacc TEST=./ibm/service/database TESTARGS='-run=TestAccIBMDatabaseInstance_Rabbitmq_Basic'
--- PASS: TestAccIBMDatabaseInstance_Rabbitmq_Basic (649.87s)
PASS
ok  	github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/database	651.479s
make testacc TEST=./ibm/service/database TESTARGS='-run=TestAccIBMDatabaseInstance_Elasticsearch_Basic'
--- PASS: TestAccIBMDatabaseInstance_Elasticsearch_Basic (1359.22s)
PASS
ok  	github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/database	1360.896s
make testacc TEST=./ibm/service/database TESTARGS='-run=TestAccIBMDatabaseInstanceMongodbBasic'
--- PASS: TestAccIBMDatabaseInstanceMongodbBasic (782.25s)
PASS
ok  	github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/database	783.853s
make testacc TEST=./ibm/service/database TESTARGS='-run=TestAccIBMDatabaseInstance_Redis_Basic'
--- PASS: TestAccIBMDatabaseInstance_Redis_Basic (686.74s)
PASS
ok  	github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/database	688.063s
make testacc TEST=./ibm/service/database TESTARGS='-run=TestAccIBMMysqlDatabaseInstanceBasic'
--- PASS: TestAccIBMMysqlDatabaseInstanceBasic (841.64s)
PASS
ok  	github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/database	843.264s
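
A plan-time check in the spirit of the warning shown above, as an added example that is not part of the pull request or the provider's code: it reads `terraform show -json` output and reports every `ibm_database` whose planned `service_endpoints` is not `private`. `AuditServiceEndpoints`, `Finding` and the sample plan are constructed for illustration; treating any value other than `private` as a finding is this example's assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// plan is the subset of `terraform show -json <planfile>` output used here.
type plan struct {
	ResourceChanges []struct {
		Address string `json:"address"`
		Type    string `json:"type"`
		Change  struct {
			After map[string]interface{} `json:"after"`
		} `json:"change"`
	} `json:"resource_changes"`
}

// Finding names one ibm_database resource that would not be private-only.
type Finding struct {
	Address string
	Reason  string
}

// AuditServiceEndpoints flags every ibm_database in the plan whose planned
// service_endpoints value is anything other than "private" (assumption of
// this example: only "private" is acceptable to the reviewing team).
func AuditServiceEndpoints(planJSON []byte) ([]Finding, error) {
	var p plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, fmt.Errorf("parse plan JSON: %w", err)
	}
	var findings []Finding
	for _, rc := range p.ResourceChanges {
		if rc.Type != "ibm_database" || rc.Change.After == nil {
			continue // other resource types, or a destroy ("after" is null)
		}
		v, ok := rc.Change.After["service_endpoints"].(string)
		switch {
		case !ok:
			// Values unknown until apply are omitted from "after".
			findings = append(findings, Finding{rc.Address, "service_endpoints unknown at plan time"})
		case v != "private":
			findings = append(findings, Finding{rc.Address, fmt.Sprintf("service_endpoints = %q", v)})
		}
	}
	return findings, nil
}

// samplePlan is constructed for this example; it is not output from the PR.
const samplePlan = `{"resource_changes": [
  {"address": "ibm_database.elasticsearch", "type": "ibm_database",
   "change": {"actions": ["update"], "after": {"service_endpoints": "public"}}},
  {"address": "ibm_database.postgres", "type": "ibm_database",
   "change": {"actions": ["create"], "after": {"service_endpoints": "private"}}},
  {"address": "ibm_database.redis", "type": "ibm_database",
   "change": {"actions": ["create"], "after": {"service_endpoints": "public-and-private"}}},
  {"address": "ibm_database.old", "type": "ibm_database",
   "change": {"actions": ["delete"], "after": null}},
  {"address": "ibm_resource_group.rg", "type": "ibm_resource_group",
   "change": {"actions": ["no-op"], "after": {"name": "default"}}}
]}`

func main() {
	findings, err := AuditServiceEndpoints([]byte(samplePlan))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Address, f.Reason)
	}
}
```

Run in CI against the JSON form of a saved plan, a non-empty result can fail the pipeline, where the provider's own message is only a warning.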

@omaraibrahim omaraibrahim marked this pull request as ready for review June 12, 2024 16:03
Collaborator

@alexhemard alexhemard left a comment

LGTM

@omaraibrahim omaraibrahim merged commit d04d432 into master Sep 12, 2024
1 check passed
srikant-sahu pushed a commit to srikant-sahu/terraform-provider-ibm that referenced this pull request Sep 24, 2024
Ramya-c4 pushed a commit to Ramya-c4/terraform-provider-ibm that referenced this pull request Sep 26, 2024
Ramya-c4 pushed a commit to Ramya-c4/terraform-provider-ibm that referenced this pull request Sep 27, 2024
…s_tag. Fixed 5566 too. (IBM-Cloud#5567)

* Deprecated ibm_resource_access_tag in favor of ibm_iam_access_tag

* changes

* Fix

* Changed resource to speed up tests

* fix

* PR changes

* PR changes

SM New error formatting + crypto_key label name changes (IBM-Cloud#5562)

* SC addition

* SC addition

* SC addition

* update function updated

* SC unit tests added

* SC unit tests added

* d

* tests fixes

* tests fixes

* update sdk

* .secrets.baseline update

* .secrets.baseline update

* .secrets.baseline update

* Update sm_service_credentials_secret_metadata.html.markdown

* bugs fixes

* bugs fixes

* bugs fixes

* docs bugs fixes

* preferred_chain added for public cert lets encrypt configuration

* support for creating secret version for username password & version_custom_metadata for all

* support for creating secret version for username password & version_custom_metadata for all

* support for creating secret version for username password & version_custom_metadata for all

* support for creating secret version for username password & version_custom_metadata for all

* support for creating secret version for username password & version_custom_metadata for all

* support for creating secret version for username password & version_custom_metadata for all

* preferred chain docs update

* support for creating secret version for username password & version_custom_metadata for all

* support for creating secret version for username password & version_custom_metadata for all

* support for creating secret version for username password & version_custom_metadata for all

* fix public cert bug

* update docs

* reordering bug in alt_names

* name regex fix in docs

* imported cert bug fix

* crypto_key addition

* crypto_key addition

* crypto_key addition

* crypto_key addition

* rejections fixes

* rejections fixes

* rejections fixes

* rejections fixes

* rejections fixes

* test label name changed

* test label name changed

* error formating update

* go sdk version update

---------

Co-authored-by: Yonathan-Yellin <yonathan.yellin@ibm.com>
Co-authored-by: Avi Ribchinsky <avir@il.ibm.com>
Co-authored-by: Tatyana <tatyanab@il.ibm.com>
Co-authored-by: Idan Adar <iadar@il.ibm.com>

Deprecating alias and bindings APIs and schema items (IBM-Cloud#5612)

* Deprecating alias and bindings APIs and schema items

Signed-off-by: arshabbir <arshabbir@gmail.com>

* Deprecating alias and bindings APIs and schema items

---------

Signed-off-by: arshabbir <arshabbir@gmail.com>

Add region parameter to logs-routing resources and data sources (IBM-Cloud#5634)

* Added region parameter to logs-routing resources and data sources

Signed-off-by: Ian Reyes <ianre@ibm.com>

* Fixed examples for logs-routing resources

---------

Signed-off-by: Ian Reyes <ianre@ibm.com>
Co-authored-by: Ian Reyes <ianre@ibm.com>

update(cloud-databases): Make Service Endpoints Required and send warning when public endpoints are in use (IBM-Cloud#5402)

Added support for reserved ip patch resource (IBM-Cloud#5603)

* Added support for ibm_is_subnet_reserved_ip_patch resource

* updated the name to optional

* Update is_subnet_reserved_ip_patch.html.markdown

fix(is_share): added empty check and moved source_share_crn outside (IBM-Cloud#5632)

discourage use of ibm_container_bind_service (IBM-Cloud#5588)

* discourage use of ibm_container_bind_service

Signed-off-by: Bence Vidosits <bence.vidosits1@ibm.com>

* fix link

---------

Signed-off-by: Bence Vidosits <bence.vidosits1@ibm.com>
Co-authored-by: Bence Vidosits <bence.vidosits1@ibm.com>

updated resources, data source and documentation for Slack Direct destination support

Add test bucket endpoints (IBM-Cloud#5636)

* add changes for test bucket endpoints

* update code

---------

Co-authored-by: Deeksha Sharma <deekshasharma@Deekshas-MacBook-Pro.local>

Add support for Code Engine functions (IBM-Cloud#5596)

* Add support for Code Engine functions

* update .secrets.baseline

* remove unnecessary check

Fix the 5635 - The ibm_resource_tag now checks the response in the api tags calls (IBM-Cloud#5641)

* Deprecated ibm_resource_access_tag in favor of ibm_iam_access_tag

* changes

* Fix

* Changed resource to speed up tests

* fix

* PR changes

* PR changes

---------

---------
Ramya-c4 added a commit to Ramya-c4/terraform-provider-ibm that referenced this pull request Sep 27, 2024
Deprecated ibm_resource_access_tag and replaced it with ibm_iam_access_tag. Fixed 5566 too. (IBM-Cloud#5567)

Deprecating alias and bindings APIs and schema items (IBM-Cloud#5612)

---------

IAM Policy Assignment: S2S Policy Assignments ET and AG (IBM-Cloud#5624)

* IAM Policy Assignment: S2S Policy Assignments ET and AG

Signed-off-by: Alluri-Varma <alluri.varma@ibm.com>

* resolving CVE's for EPAP

* IAM Policy Assignment: S2S Policy Assignments ET and AG

* IAM Policy Assignment: S2S Policy Assignments ET and AG

* IAM Policy Assignment: S2S Policy Assignments ET and AG

* IAM Policy Assignment: S2S Policy Assignments ET and AG

* IAM Policy Assignment: S2S Policy Assignments ET and AG

* IAM Policy Assignment: S2S Policy Assignments ET and AG

* IAM Policy Assignment: S2S Policy Assignments ET and AG

---------

Signed-off-by: Alluri-Varma <alluri.varma@ibm.com>
Co-authored-by: Alluri-Varma <alluri.varma@ibm.com>

migrattion of vpc-go-sdk to 0.58.0 (IBM-Cloud#5652)

* migration of vpc-go-sdk to 0.58.0

* make fmt changes
Ramya-c4 pushed a commit to Ramya-c4/terraform-provider-ibm that referenced this pull request Sep 27, 2024