Updating context-based restrictions
You can update context rules at any time by providing a new description, which helps identifying the purpose of the rule, or selecting a new list of resources and network environments.
To update a context-based restrictions rule, you must be assigned the administrator role on the account management service.
Updating rules
To edit the context-based restrictions on your cloud resources, complete the following steps.
- In the IBM Cloud console, click Manage > Context-based restrictions, and select Rules.
- Select the Actions icon
on the rule you want to update, and select Edit. - To update the scope of APIs whose operations are restricted by your rule, select All APIs or Specific APIs. Then, click Apply or Continue.
- To update the scope of resources for the restriction, you can select All resources or Specific resources based on the available attributes, such as resource group or location. Then, click Apply or Continue.
- Click the Edit icon
in the summary panel to update an existing context.
- Update the allowed endpoint types.
- Set the toggle to No to allow all service supported endpoint types.
- Set the toggle to Yes to allow only specific endpoint types.
- Update the nework zones. You can select new network zones or deselect network zones to remove them.
- Update the allowed endpoint types.
- Then, click Apply.
- Click the Remove icon
in the summary panel to remove a context. - Configure a new context by selecting all endpoints or a specific endpoint, and by selecting your network zones. Then, click Add.
- Click Apply or Continue.
- Provide a new description for your rule. Click Apply to update the description, or click Continue.
- To update the enforcement of a rule, click the Edit icon . You can Enable, Disable, or set the rule to Report-only.
- Click Apply to finish.
Updating rules by using the CLI
To update the context-based restrictions on your cloud resources, use the ibmcloud cbr rule-update command. The following example updates description,
allowed endpoint type, and network zone for a rule with the ID 30fd58c9b75f40e854b89c432318b4a2.
ibmcloud cbr rule-update 30fd58c9b75f40e854b89c432318b4a2 --description 'Example rule description' --service-name kms --context-attributes endpointType=private --zone-id 93de8d3f588ab2c457ff576c364d1145
Updating rules by using the API
To update restrictions to your cloud resources by creating rules, call the Context-based restrictions API.
-
Get the rule that you want to replace. In in response body, copy the rule ID and in the response headers copy the ETag header.
curl -X GET --location --header "Authorization: Bearer {iam_token}" --header "Accept: application/json" "https://cbr.cloud.ibm.com/v1/rules/{rule_id}"GetRuleOptions getRuleOptions = new GetRuleOptions.Builder() .ruleId(ruleID) .build(); Response<Rule> response = contextBasedRestrictionsService.getRule(getRuleOptions).execute(); Rule rule = response.getResult(); System.out.println(rule);const params = { ruleId, }; try { const res = await contextBasedRestrictionsService.getRule(params); console.log(JSON.stringify(res.result, null, 2)); } catch (err) { console.warn(err); }rule = context_based_restrictions_service.get_rule( rule_id=rule_id ) rule = rule.get_result() print(json.dumps(rule, indent=2))getRuleOptions := contextBasedRestrictionsService.NewGetRuleOptions( ruleID, ) rule, response, err := contextBasedRestrictionsService.GetRule(getRuleOptions) if err != nil { panic(err) } b, _ := json.MarshalIndent(rule, "", " ") fmt.Println(string(b)) -
The following example replaces a rule with an updated version.
The ETag value is required in the replace request’s
If-Matchheader.curl -X PUT --location --header "Authorization: Bearer {iam_token}" --header "Accept: application/json" --header "If-Match: {if_match}" --header "Content-Type: application/json" --data '{ "description": "this is an example of rule", "resources": [ { "attributes": [ { "name": "accountId", "value": "12ab34cd56ef78ab90cd12ef34ab56cd" }, { "name": "serviceName", "value": "kms" } ] } ], "contexts": [ { "attributes": [ { "name": "networkZoneId", "value": "76921bd873115033bd2a0909fe081b45" } ] } ], "enforcement_mode": "disabled" }' "{base_url}/v1/rules/{rule_id}"RuleContextAttribute ruleContextAttributeModel = new RuleContextAttribute.Builder() .name("networkZoneId") .value("76921bd873115033bd2a0909fe081b45") .build(); RuleContext ruleContextModel = new RuleContext.Builder() .attributes(new java.util.ArrayList<RuleContextAttribute>(java.util.Arrays.asList(ruleContextAttributeModel))) .build(); ResourceAttribute resourceAttributeModel = new ResourceAttribute.Builder() .name("accountId") .value("12ab34cd56ef78ab90cd12ef34ab56cd") .build(); Resource resourceModel = new Resource.Builder() .attributes(new java.util.ArrayList<ResourceAttribute>(java.util.Arrays.asList(resourceAttributeModel))) .build(); ReplaceRuleOptions replaceRuleOptions = new ReplaceRuleOptions.Builder() .ruleId("testString") .ifMatch("testString") .description("this is an example of rule") .enforcementMode("disabled") .contexts(new java.util.ArrayList<RuleContext>(java.util.Arrays.asList(ruleContextModel))) .resources(new java.util.ArrayList<Resource>(java.util.Arrays.asList(resourceModel))) .build(); Response<OutRule> response = contextBasedRestrictionsService.replaceRule(replaceRuleOptions).execute(); OutRule outRule = response.getResult(); System.out.println(outRule);// Request models needed by this operation. // RuleContextAttribute const ruleContextAttributeModel = { name: 'networkZoneId', value: '76921bd873115033bd2a0909fe081b45', }; // RuleContext const ruleContextModel = { attributes: [ruleContextAttributeModel], }; // ResourceAttribute const resourceAttributeModel = { name: 'accountId', value: '12ab34cd56ef78ab90cd12ef34ab56cd', }; // Resource const resourceModel = { attributes: [resourceAttributeModel], }; const params = { ruleId: 'testString', ifMatch: 'testString', contexts: [ruleContextModel], resources: [resourceModel], description: 'this is an example of rule', enforcementMode: 'disabled', }; contextBasedRestrictionsService.replaceRule(params) .then(res => { console.log(JSON.stringify(res.result, null, 2)); }) .catch(err => { console.warn(err) });rule_context_attribute_model = { 'name': 'networkZoneId', 'value': '76921bd873115033bd2a0909fe081b45', } rule_context_model = { 'attributes': [rule_context_attribute_model], } resource_attribute_model = { 'name': 'accountId', 'value': '12ab34cd56ef78ab90cd12ef34ab56cd', } resource_model = { 'attributes': [resource_attribute_model], } out_rule = context_based_restrictions_service.replace_rule( rule_id='testString', if_match='testString', contexts=[rule_context_model], resources=[resource_model], description='this is an example of rule', enforcement_mode='disabled' ).get_result() print(json.dumps(out_rule, indent=2))ruleContextAttributeModel := &contextbasedrestrictionsv1.RuleContextAttribute{ Name: core.StringPtr("networkZoneId"), Value: core.StringPtr("76921bd873115033bd2a0909fe081b45"), } ruleContextModel := &contextbasedrestrictionsv1.RuleContext{ Attributes: []contextbasedrestrictionsv1.RuleContextAttribute{*ruleContextAttributeModel}, } resourceAttributeModel := &contextbasedrestrictionsv1.ResourceAttribute{ Name: core.StringPtr("accountId"), Value: core.StringPtr("12ab34cd56ef78ab90cd12ef34ab56cd"), } resourceModel := &contextbasedrestrictionsv1.Resource{ Attributes: []contextbasedrestrictionsv1.ResourceAttribute{*resourceAttributeModel}, } replaceRuleOptions := contextBasedRestrictionsService.NewReplaceRuleOptions( "testString", "testString", ) replaceRuleOptions.SetDescription("this is an example of rule") replaceRuleOptions.SetContexts([]contextbasedrestrictionsv1.RuleContext{*ruleContextModel}) replaceRuleOptions.SetResources([]contextbasedrestrictionsv1.Resource{*resourceModel}) replaceRuleOptions.SetEnforcementMode(contextbasedrestrictionsv1.ReplaceRuleOptionsEnforcementModeDisabledConst) outRule, response, err := contextBasedRestrictionsService.ReplaceRule(replaceRuleOptions) if err != nil { panic(err) } b, _ := json.MarshalIndent(outRule, "", " ") fmt.Println(string(b))
Updating network zones
You can modify the list of allowed locations where an access request can originate. A set of one or more network locations can be specified by IP addresses (individual addresses, ranges, or subnets), VPCs, or service references. You can update a network zone that is used in a rule, or integrate the new updated network zones into your rules later.
- In the IBM Cloud console, click Manage > Context-based restrictions, and select Network zones.
- Select the Actions icon on the network zone that you want to update, and select Edit.
- You can update your zone name and description.
- You can edit the list of allowed IP addresses where an access request can originate. Include exceptions in the deny list, if necessary.
- You can add or remove allowed VPCs.
- You can add or remove service references. Select a service to associate its IP addresses with your network zone.
- Click Next to review your new configuration.
- To apply changes, click Update.
Updating network zones by using the CLI
To update a network zone, complete the following steps.
-
Retrieve the zone ID for the network zone that you want to update by using the ibmcloud cbr zones command to list all zones in the account.
ibmcloud cbr zones -
Update the network zone by using the ibmcloud cbr zone-update command. The following example updates the zone name, allowed addresses, and excluded addresses for a network zone with the ID
65810ac762004f22ac19f8f8edf70a34.ibmcloud cbr zone-update 65810ac762004f22ac19f8f8edf70a34 --name 'Example Zone Name' --addresses 166.22.23.0-166.22.23.108 --excluded 166.22.23.100
Updating network zones by using the API
To update a network zone, complete the following steps.
-
Get the zone that you want to replace. In the response body, copy the zone ID and in the response headers copy the ETag header.
curl -X GET --location --header "Authorization: Bearer {iam_token}" --header "Accept: application/json" "https://cbr.cloud.ibm.com/v1/zones/{zone_id}"GetZoneOptions getZoneOptions = new GetZoneOptions.Builder() .zoneId(zoneID) .build(); Response<Zone> response = contextBasedRestrictionsService.getZone(getZoneOptions).execute(); Zone zone = response.getResult(); System.out.println(zone);const params = { zoneId, }; try { const res = await contextBasedRestrictionsService.getZone(params); console.log(JSON.stringify(res.result, null, 2)); } catch (err) { console.warn(err); }get_zone_response = context_based_restrictions_service.get_zone( zone_id=zone_id ) zone = get_zone_response.get_result() print(json.dumps(zone, indent=2))getZoneOptions := contextBasedRestrictionsService.NewGetZoneOptions( zoneID, ) zone, response, err := contextBasedRestrictionsService.GetZone(getZoneOptions) if err != nil { panic(err) } b, _ := json.MarshalIndent(zone, "", " ") fmt.Println(string(b)) -
Update the network zone by using the Replace zone method.
The ETag value is required in the replace request’s
If-Matchheader.curl -X PUT --location --header "Authorization: Bearer {iam_token}" --header "Accept: application/json" --header "If-Match: {if_match}" --header "Content-Type: application/json" --data '{ "name": "new zone name", "description": "new zone description", "account_id": "12ab34cd56ef78ab90cd12ef34ab56cd", "addresses": [ { "type": "ipAddress", "value": "169.23.56.234" }, { "type": "ipRange", "value": "169.23.22.0-169.23.22.255" }, { "type": "vpc", "value": "crn:v1:cloud:public:is:us-south:a/12ab34cd56ef78ab90cd12ef34ab56cd::vpc:r134-d98a1702-b39a-449a-86d4-ef8dbacf281e" } ] }' "{base_url}/v1/zones/{zone_id}"AddressIPAddress addressModel = new AddressIPAddress.Builder() .type("ipAddress") .value("169.23.56.234") .build(); ReplaceZoneOptions replaceZoneOptions = new ReplaceZoneOptions.Builder() .zoneId("testString") .ifMatch("testString") .name("an example of zone") .accountId("12ab34cd56ef78ab90cd12ef34ab56cd") .description("this is an example of zone") .addresses(new java.util.ArrayList<Address>(java.util.Arrays.asList(addressModel))) .build(); Response<OutZone> response = contextBasedRestrictionsService.replaceZone(replaceZoneOptions).execute(); OutZone outZone = response.getResult(); System.out.println(outZone);// Request models needed by this operation. // AddressIPAddress const addressModel = { type: 'ipAddress', value: '169.23.56.234', }; const params = { zoneId: 'testString', ifMatch: 'testString', name: 'an example of zone', accountId: '12ab34cd56ef78ab90cd12ef34ab56cd', addresses: [addressModel], description: 'this is an example of zone', }; contextBasedRestrictionsService.replaceZone(params) .then(res => { console.log(JSON.stringify(res.result, null, 2)); }) .catch(err => { console.warn(err) });address_model = { 'type': 'ipAddress', 'value': '169.23.56.234', } out_zone = context_based_restrictions_service.replace_zone( zone_id='testString', if_match='testString', name='an example of zone', account_id='12ab34cd56ef78ab90cd12ef34ab56cd', addresses=[address_model], description='this is an example of zone' ).get_result() print(json.dumps(out_zone, indent=2))addressModel := &contextbasedrestrictionsv1.AddressIPAddress{ Type: core.StringPtr("ipAddress"), Value: core.StringPtr("169.23.56.234"), } replaceZoneOptions := contextBasedRestrictionsService.NewReplaceZoneOptions( "testString", "testString", ) replaceZoneOptions.SetName("an example of zone") replaceZoneOptions.SetAccountID("12ab34cd56ef78ab90cd12ef34ab56cd") replaceZoneOptions.SetDescription("this is an example of updated zone") replaceZoneOptions.SetAddresses([]contextbasedrestrictionsv1.AddressIntf{addressModel}) outZone, response, err := contextBasedRestrictionsService.ReplaceZone(replaceZoneOptions) if err != nil { panic(err) } b, _ := json.MarshalIndent(outZone, "", " ") fmt.Println(string(b))