terraform-ibm-modules
diff --git a/‎README.md
-4 b/‎README.md
-4
diff --git a/‎cra-config.yaml
+1-1 b/‎cra-config.yaml
+1-1
diff --git a/‎examples/complete/README.md
+2 b/‎examples/complete/README.md
+2
diff --git a/‎examples/complete/main.tf
+57 b/‎examples/complete/main.tf
+57
diff --git a/‎examples/fscloud/README.md
-17 b/‎examples/fscloud/README.md
-17
diff --git a/‎examples/fscloud/main.tf
-82 b/‎examples/fscloud/main.tf
-82
diff --git a/‎examples/fscloud/variables.tf
-60 b/‎examples/fscloud/variables.tf
-60
diff --git a/‎modules/fscloud/README.md
+1-1 b/‎modules/fscloud/README.md
+1-1
diff --git a/‎reference-architecture/da-fscloud.svg
+4 b/‎reference-architecture/da-fscloud.svg
+4
diff --git a/‎renovate.json
+15-1 b/‎renovate.json
+15-1
diff --git a/‎solutions/fscloud/README.md
+18 b/‎solutions/fscloud/README.md
+18
diff --git a/‎solutions/fscloud/main.tf
+17 b/‎solutions/fscloud/main.tf
+17
diff --git a/‎examples/fscloud/outputs.tf ‎solutions/fscloud/outputs.tf b/‎examples/fscloud/outputs.tf ‎solutions/fscloud/outputs.tf
diff --git a/‎examples/fscloud/provider.tf ‎solutions/fscloud/provider.tf b/‎examples/fscloud/provider.tf ‎solutions/fscloud/provider.tf
@@ -23,7 +23,6 @@ You can't manage the policy in the same Terraform state file as the Event Stream
 * [Submodules](./modules)
     * [fscloud](./modules/fscloud)
 * [Examples](./examples)
-    * [ Financial Services Cloud profile example](./examples/fscloud)
     * [Basic example](./examples/basic)
     * [Complete example with topics and schema creation.](./examples/complete)
 * [Contributing](#contributing)
@@ -100,9 +99,6 @@ You need the following permissions to run this module.
     - **Resource Group** service
         - `Viewer` platform access
 - IAM Services
-    - **IBM Authorization Policy**
-        - `Editor` platform access
-        - `Manager` service access
     - **Event Streams** service
         - `Editor` platform access
         - `Manager` service access
 
@@ -1,7 +1,7 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "examples/fscloud" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
+  - CRA_TARGET: "examples/complete" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
     PROFILE_ID: "0e6e7b5a-817d-4344-ab6f-e5d7a9c49520" # SCC profile ID (currently set to the FSCloud 1.4.0 profile).
     CRA_ENVIRONMENT_VARIABLES:
 
@@ -3,4 +3,6 @@
 An end-to-end example that creates an event streams instance.
 This example uses the IBM Cloud terraform provider to:
  - Create a new resource group if one is not passed in.
+ - A sample virtual private cloud (VPC).
+ - A context-based restriction (CBR) rule to only allow Event Streams to be accessible from within the VPC.
  - Create a new event streams instance in the resource group and region provided along with configured topics and schemas.
@@ -10,6 +10,45 @@ module "resource_group" {
   existing_resource_group_name = var.resource_group
 }
 
+##############################################################################
+# Get Cloud Account ID
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+##############################################################################
+# VPC
+##############################################################################
+resource "ibm_is_vpc" "example_vpc" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+resource "ibm_is_subnet" "testacc_subnet" {
+  name                     = "${var.prefix}-subnet"
+  vpc                      = ibm_is_vpc.example_vpc.id
+  zone                     = "${var.region}-1"
+  total_ipv4_address_count = 256
+  resource_group           = module.resource_group.resource_group_id
+}
+
+##############################################################################
+# Create CBR Zone
+##############################################################################
+module "cbr_zone" {
+  source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
+  version          = "1.18.0"
+  name             = "${var.prefix}-VPC-network-zone"
+  zone_description = "CBR Network zone representing VPC"
+  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  addresses = [{
+    type  = "vpc", # to bind a specific vpc to the zone
+    value = ibm_is_vpc.example_vpc.crn,
+  }]
+}
+
 ##############################################################################
 # Events-streams-instance
 ##############################################################################
@@ -21,4 +60,22 @@ module "event_streams" {
   schemas           = var.schemas
   tags              = var.resource_tags
   topics            = var.topics
+  cbr_rules = [
+    {
+      description      = "${var.prefix}-event stream access only from vpc"
+      enforcement_mode = "enabled"
+      account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+      rule_contexts = [{
+        attributes = [
+          {
+            "name" : "endpointType",
+            "value" : "private"
+          },
+          {
+            name  = "networkZoneId"
+            value = module.cbr_zone.zone_id
+        }]
+      }]
+    }
+  ]
 }
@@ -1,6 +1,6 @@
 # Profile for IBM Cloud Framework for Financial Services
 
-This code is a version of the [parent root module](../../) that includes a default configuration that complies with the relevant controls from the [IBM Cloud Framework for Financial Services](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-about). See the [Example for IBM Cloud Framework for Financial Services](/examples/fscloud/) for logic that uses this module. The profile assumes you are deploying into an account that complies with the framework.
+This code is a version of the [parent root module](../../) that includes a default configuration that complies with the relevant controls from the [IBM Cloud Framework for Financial Services](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-about). See the [Solution for IBM Cloud Framework for Financial Services](/solutions/fscloud/) for logic that uses this module. The profile assumes you are deploying into an account that complies with the framework.
 
 The default values in this profile were scanned by [IBM Code Risk Analyzer (CRA)](https://cloud.ibm.com/docs/code-risk-analyzer-cli-plugin?topic=code-risk-analyzer-cli-plugin-cra-cli-plugin#terraform-command) for compliance with the IBM Cloud Framework for Financial Services profile that is specified by the IBM Security and Compliance Center. The scan passed for all applicable rules.
 
 
@@ -1,4 +1,18 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["local>terraform-ibm-modules/common-dev-assets:commonRenovateConfig"]
+  "extends": ["local>terraform-ibm-modules/common-dev-assets:commonRenovateConfig"],
+  "packageRules": [
+    {
+      "description": "Allow the locked in provider version to be updated to the latest for DAs",
+      "enabled": true,
+      "matchFileNames": ["solutions/fscloud/**"],
+      "matchManagers": ["terraform"],
+      "matchDepTypes": ["required_provider"],
+      "rangeStrategy": "bump",
+      "semanticCommitType": "fix",
+      "group": true,
+      "groupName": "required_provider",
+      "commitMessageExtra": "to latest for the DA solution"
+    }
+  ]
 }
@@ -0,0 +1,18 @@
+# Event Streams for IBM Cloud - Financial Services Cloud solution
+
+This architecture creates an Event Streams for IBM Cloud Enterprise plan instance which is IBM Cloud® Financial Services certified. The solution supports provisioning the following resources:
+
+- (Optional) A resource group
+- An Event Streams for IBM Cloud Enterprise plan instance, set up with KMS encryption to encrypt data.
+- (Optional) Topics
+- (Optional) Schemas
+- Context Based Restriction rules for the instance
+
+![da-fscloud](../../reference-architecture/da-fscloud.svg)
+
+## Before you begin
+
+To deploy your Event Streams instance you need:
+- Hyper Protect Crypto Services instance,
+- root key CRN of a Hyper Protect Crypto Services instance and
+- configure an authorization policy to allow the Event Streams service to access the Hyper Protect Crypto Services instance.
@@ -0,0 +1,17 @@
+module "resource_group" {
+  source                       = "terraform-ibm-modules/resource-group/ibm"
+  version                      = "1.1.4"
+  resource_group_name          = var.existing_resource_group == false ? var.resource_group_name : null
+  existing_resource_group_name = var.existing_resource_group == true ? var.resource_group_name : null
+}
+
+module "event_streams" {
+  source            = "../../modules/fscloud"
+  resource_group_id = module.resource_group.resource_group_id
+  es_name           = var.es_name
+  kms_key_crn       = var.kms_key_crn
+  schemas           = var.schemas
+  topics            = var.topics
+  tags              = var.resource_tags
+  cbr_rules         = var.cbr_rules
+}