IAM account settings module

This module configures standard IAM account settings with the recommended values, in which the default values are aligned with FSCloud requirements, and exports the values as outputs.

The module handles the following account settings:

• Multifactor authentication (None - Federated Users - All - Email/TOPT/U2F based)
• User specific Multifactor authentication (None - Federated Users - All - Email/TOPT/U2F based)
• Restrict API key creation (on - off)
• Restrict service ID creation (on - off)
• Session activity timeout (seconds)
• Session inactivity timeout (seconds)
• Access token expiration (seconds)
• Refresh token expiration (seconds)
• Restrict IP address access (off/Any Allowed - on/Allow only specified IP subnets or IP addresses). Two control modes are supported:
  • Monitor: traffic that originates outside the specified allowed IP addresses is allowed but logged by audit events that are sent to SIEM and Activity Tracker
  • Restrict: traffic that originates outside the specified allowed IP addresses is blocked
• Global shell settings (on - off)
• Public access group (on - off)

The module supports creating and updating settings that are applied with the terraform apply command. With objects affected by the destroy command, the module preserves the most recent setting and doesn't change objects that are configured outside of Terraform's scope.

Current limitations:

The module currently does not support setting the following FSCloud requirements using the IBM provider:

• Check whether user list visibility restrictions are configured in IAM settings for the account owner
• Check whether the Financial Services Validated setting is enabled in account settings

Tracking issue with IBM provider -> IBM-Cloud/terraform-provider-ibm#4204

If you need to manage these FSCloud requirements via Terraform, please see the experimental submodule which uses the RestAPI provider to manage these settings.

Overview

• terraform-ibm-iam-account-settings
• Submodules
  • experimental
• Examples
  • Account Custom Settings example
  • Default Example
• Contributing

terraform-ibm-iam-account-settings

Usage

module "iam_account_settings" {
  source               = "terraform-ibm-modules/iam-account-settings/ibm"
  version              = "X.X.X"  # Replace "X.X.X" with a release version to lock into a specific release
  allowed_ip_addresses = ["17.5.7.8.0/16"]

  # example usage of creating CBR zones within the module
  # see https://github.com/terraform-ibm-modules/terraform-ibm-cbr/tree/main/modules/cbr-zone-module for more details
  cbr_zones = [{
    name             = "default-zone-1"
    zone_description = "test zone in iam-account-settings module"
    addresses = [{
      type = "serviceRef"
      ref = {
        account_id   = data.ibm_iam_account_settings.iam_account_settings.account_id
        service_name = "secrets-manager"
      }
    }]
  }]
}

User MFA

When specifying User MFA (user_mfa), use the following format:

variable "user_mfa" {
  type = set(object({
    iam_id = string
    mfa = string
  }))
  default = [{

    iam_id = "IBMid-3x000xx3xH"
    mfa    = "LEVEL3"
  },
  {
    iam_id = "IBMid-50xG4CxSQx"
    mfa = "NONE"
  }]
  }

When/if it is necessary to delete/reset the MFA configuration for all users, use the user_mfa_reset input var.

Required IAM access policies

You need the following permissions to run this module.

• Account Management
  • IAM Access Groups service
    • Administrator platform access
  • IAM Access Management service
    • Editor platform access
  • IAM Identity service
    • Operator platform access
  • IBM Cloud Shell service
    • Administrator platform access

Requirements

Name	Version
terraform	>= 1.3.0
ibm	>= 1.65.0, < 2.0.0

Modules

Name	Source	Version
cbr_zones	terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module	v1.24.1

Resources

Name	Type
ibm_cloud_shell_account_settings.cloud_shell_account_settings	resource
ibm_iam_access_group_account_settings.iam_access_group_account_settings	resource
ibm_iam_account_settings.iam_account_settings	resource
ibm_cloud_shell_account_settings.cloud_shell_account_settings	data source
ibm_iam_account_settings.iam_account_settings	data source

Inputs

Name	Description	Type	Default	Required
access_token_expiration	Defines the access token expiration in seconds	string	"3600"	no
active_session_timeout	Specify how long (seconds) a user is allowed to work continuously in the account	number	"86400"	no
allowed_ip_addresses	List of the IP addresses and subnets from which IAM tokens can be created for the account.	list(any)	[]	no
api_creation	When restriction is enabled, only users, including the account owner, assigned the User API key creator role on the IAM Identity Service can create API keys. Allowed values are 'RESTRICTED', 'NOT_RESTRICTED', or 'NOT_SET' (to 'unset' a previous set value).	string	"RESTRICTED"	no
cbr_zones	A list of CBR zones created by the module	list(object({ account_id = optional(string) addresses = optional(list(object({ type = optional(string) value = optional(string) ref = optional(object({ account_id = string location = optional(string) service_instance = optional(string) service_name = optional(string) service_type = optional(string) })) })), []) excluded_addresses = optional(list(object({ type = optional(string) value = optional(string) })), []) name = string zone_description = optional(string, null) }))	[]	no
enforce_allowed_ip_addresses	If true IP address restriction will be enforced, If false, traffic originated outside specified allowed IP address set is monitored with audit events sent to SIEM and Activity Tracker. After running in monitored mode to test this variable, it should then explicitly be set to true to enforce IP allow listing.	bool	true	no
inactive_session_timeout	Specify how long (seconds) a user is allowed to stay logged in the account while being inactive/idle	string	"7200"	no
max_sessions_per_identity	Defines the maximum allowed sessions per identity required by the account. Supports any whole number greater than '0', or 'NOT_SET' to unset account setting and use service default.	string	"NOT_SET"	no
mfa	Specify Multi-Factor Authentication method in the account. Supported valid values are 'NONE' (No MFA trait set), 'TOTP' (For all non-federated IBMId users), 'TOTP4ALL' (For all users), 'LEVEL1' (Email based MFA for all users), 'LEVEL2' (TOTP based MFA for all users), 'LEVEL3' (U2F MFA for all users).	string	"TOTP4ALL"	no
public_access_enabled	Enable/Disable public access group in which resources are open anyone regardless if they are member of your account or not	bool	false	no
refresh_token_expiration	Defines the refresh token expiration in seconds	string	"259200"	no
serviceid_creation	When restriction is enabled, only users, including the account owner, assigned the Service ID creator role on the IAM Identity Service can create service IDs. Allowed values are 'RESTRICTED', 'NOT_RESTRICTED', or 'NOT_SET' (to 'unset' a previous set value).	string	"RESTRICTED"	no
shell_settings_enabled	Enable global shell settings to all users in the account. If skip_cloud_shell_calls is set to true, then this setting is ignored.	bool	false	no
skip_cloud_shell_calls	Skip Cloud Shell calls in the account.	bool	false	no
user_mfa	Specify Multi-Factor Authentication method for specific users the account. Supported valid values are 'NONE' (No MFA trait set), 'TOTP' (For all non-federated IBMId users), 'TOTP4ALL' (For all users), 'LEVEL1' (Email based MFA for all users), 'LEVEL2' (TOTP based MFA for all users), 'LEVEL3' (U2F MFA for all users). Example of format is available here > https://github.com/terraform-ibm-modules/terraform-ibm-iam-account-settings#usage	set(object({ iam_id = string mfa = string }))	[]	no
user_mfa_reset	Set to true to delete all user MFA settings configured in the targeted account, and ignoring entries declared in var user_mfa	bool	false	no

Outputs

Name	Description
account_allowed_ip_addresses	Current allowed IP addresses
account_allowed_ip_addresses_control_mode	Current allowed IP addresses enforcement control mode, will indicate RESTRICT if account_allowed_ip_addresses_enforced is TRUE
account_allowed_ip_addresses_enforced	Current allowed IP addresses enforcement state
account_iam_access_token_expiration	Current access token expiration
account_iam_active_session_timeout	Current active session timeout
account_iam_apikey_creation	Current state of API key creation restriction
account_iam_inactive_session_timeout	Current inactive session timeout
account_iam_mfa	Current MFA setting
account_iam_refresh_token_expiration	Current refresh token expiration
account_iam_serviceid_creation	Current state of ServiceID creation restriction
account_iam_user_mfa_list	Current list of users with specific MFA settings
account_public_access	Current state of public access group setting
account_shell_settings_status	Current state of global shell setting
account_zones	Current CBR zones managed by the module

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.