Merge branch 'main' into deprecate_refs

Author: imprateeksh

.catalog-onboard-pipeline.yaml

@@ -1,13 +1,13 @@
 ---
 apiVersion: v1
 offerings:
-  - name: deploy-arch-ibm-vpc
+  - name: deploy-arch-ibm-slz-vpc
     kind: solution
-    catalog_id: f64499c8-eb50-4985-bf91-29f9e605a433
-    offering_id: 2af61763-f8ef-4527-a815-b92166f29bc8
+    catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd
+    offering_id: 9fc0fa64-27af-4fed-9dce-47b3640ba739
     variations:
       - name: fully-configurable
-        mark_ready: true
+        mark_ready: false
         install_type: fullstack
         scc:
           instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-08-29T15:52:09Z",
+  "generated_at": "2024-08-29T15:52:08Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

README.md

@@ -8,7 +8,7 @@
 
 This module creates the following IBM Cloud® Virtual Private Cloud (VPC) network components:
 
-- VPC: Creates a VPC in a resource group and supports classic access. The VPC and components are specified in the [main.tf](main.tf) file.
+- VPC: Creates a VPC in a resource group. The VPC and components are specified in the [main.tf](main.tf) file.
 - Public gateways: Optionally create public gateways in the VPC in each of the three zones of the VPC's region.
 - Subnets: Create one to three zones in the [subnet.tf](subnet.tf) file.
 - Network ACLs: Create network ACLs with multiple rules. By default, VPC network ACLs can have no more than 25 rules.
@@ -44,6 +44,7 @@ Expected network connectivity downtime of typically around 20 seconds.
     * [workload-vpc](./modules/workload-vpc)
 * [Examples](./examples)
     * [Basic Example](./examples/basic)
+    * [Custom Security Group Example](./examples/custom_security_group)
     * [Default Example](./examples/default)
     * [Existing VPC and subnets Example](./examples/existing_vpc)
     * [Hub and Spoke VPC Example](./examples/hub-spoke-delegated-resolver)
@@ -72,7 +73,6 @@ module vpc {
   prefix              = "my-test"
   tags                = ["tag1", "tag2"]
   vpc_name            = "my-vpc"
-  classic_access      = true
   network_acls = [
     {
       name                         = "acl1"
@@ -276,14 +276,14 @@ To attach access management tags to resources in this module, you need the follo
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the VPC to be created | `string` | n/a | yes |
 | <a name="input_routes"></a> [routes](#input\_routes) | OPTIONAL - Allows you to specify the next hop for packets based on their destination address | <pre>list(<br/>    object({<br/>      name                          = string<br/>      route_direct_link_ingress     = optional(bool)<br/>      route_transit_gateway_ingress = optional(bool)<br/>      route_vpc_zone_ingress        = optional(bool)<br/>      routes = optional(<br/>        list(<br/>          object({<br/>            action      = optional(string)<br/>            zone        = number<br/>            destination = string<br/>            next_hop    = string<br/>          })<br/>      ))<br/>    })<br/>  )</pre> | `[]` | no |
 | <a name="input_routing_table_name"></a> [routing\_table\_name](#input\_routing\_table\_name) | The name to give the provisioned routing tables. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no |
-| <a name="input_security_group_rules"></a> [security\_group\_rules](#input\_security\_group\_rules) | A list of security group rules to be added to the default vpc security group (default empty) | <pre>list(<br/>    object({<br/>      name      = string<br/>      direction = string<br/>      remote    = optional(string)<br/>      tcp = optional(<br/>        object({<br/>          port_max = optional(number)<br/>          port_min = optional(number)<br/>        })<br/>      )<br/>      udp = optional(<br/>        object({<br/>          port_max = optional(number)<br/>          port_min = optional(number)<br/>        })<br/>      )<br/>      icmp = optional(<br/>        object({<br/>          type = optional(number)<br/>          code = optional(number)<br/>        })<br/>      )<br/>    })<br/>  )</pre> | `[]` | no |
+| <a name="input_security_group_rules"></a> [security\_group\_rules](#input\_security\_group\_rules) | A list of security group rules to be added to the default vpc security group (default empty) | <pre>list(<br/>    object({<br/>      name       = string<br/>      direction  = string<br/>      remote     = optional(string)<br/>      local      = optional(string)<br/>      ip_version = optional(string)<br/>      tcp = optional(<br/>        object({<br/>          port_max = optional(number)<br/>          port_min = optional(number)<br/>        })<br/>      )<br/>      udp = optional(<br/>        object({<br/>          port_max = optional(number)<br/>          port_min = optional(number)<br/>        })<br/>      )<br/>      icmp = optional(<br/>        object({<br/>          type = optional(number)<br/>          code = optional(number)<br/>        })<br/>      )<br/>    })<br/>  )</pre> | `[]` | no |
 | <a name="input_skip_custom_resolver_hub_creation"></a> [skip\_custom\_resolver\_hub\_creation](#input\_skip\_custom\_resolver\_hub\_creation) | Indicates whether to skip the configuration of a custom resolver in the hub VPC. Only relevant if enable\_hub is set to true. | `bool` | `false` | no |
 | <a name="input_skip_spoke_auth_policy"></a> [skip\_spoke\_auth\_policy](#input\_skip\_spoke\_auth\_policy) | Set to true to skip the creation of an authorization policy between the DNS resolution spoke and hub, only enable this if a policy already exists between these two VPCs. See https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-dns-sharing-s2s-auth&interface=ui for more details. | `bool` | `false` | no |
-| <a name="input_subnets"></a> [subnets](#input\_subnets) | List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addresses. Public gateways will be enabled only in zones where a gateway has been created | <pre>object({<br/>    zone-1 = list(object({<br/>      name           = string<br/>      cidr           = string<br/>      public_gateway = optional(bool)<br/>      acl_name       = string<br/>      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true<br/>      subnet_tags    = optional(list(string), [])<br/>    }))<br/>    zone-2 = optional(list(object({<br/>      name           = string<br/>      cidr           = string<br/>      public_gateway = optional(bool)<br/>      acl_name       = string<br/>      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true<br/>      subnet_tags    = optional(list(string), [])<br/>    })))<br/>    zone-3 = optional(list(object({<br/>      name           = string<br/>      cidr           = string<br/>      public_gateway = optional(bool)<br/>      acl_name       = string<br/>      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true<br/>      subnet_tags    = optional(list(string), [])<br/>    })))<br/>  })</pre> | <pre>{<br/>  "zone-1": [<br/>    {<br/>      "acl_name": "vpc-acl",<br/>      "cidr": "10.10.10.0/24",<br/>      "name": "subnet-a",<br/>      "no_addr_prefix": false,<br/>      "public_gateway": true<br/>    }<br/>  ],<br/>  "zone-2": [<br/>    {<br/>      "acl_name": "vpc-acl",<br/>      "cidr": "10.20.10.0/24",<br/>      "name": "subnet-b",<br/>      "no_addr_prefix": false,<br/>      "public_gateway": true<br/>    }<br/>  ],<br/>  "zone-3": [<br/>    {<br/>      "acl_name": "vpc-acl",<br/>      "cidr": "10.30.10.0/24",<br/>      "name": "subnet-c",<br/>      "no_addr_prefix": false,<br/>      "public_gateway": false<br/>    }<br/>  ]<br/>}</pre> | no |
+| <a name="input_subnets"></a> [subnets](#input\_subnets) | List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addresses. Public gateways will be enabled only in zones where a gateway has been created | <pre>object({<br/>    zone-1 = list(object({<br/>      name           = string<br/>      cidr           = string<br/>      public_gateway = optional(bool)<br/>      acl_name       = string<br/>      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true<br/>      subnet_tags    = optional(list(string), [])<br/>    }))<br/>    zone-2 = optional(list(object({<br/>      name           = string<br/>      cidr           = string<br/>      public_gateway = optional(bool)<br/>      acl_name       = string<br/>      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true<br/>      subnet_tags    = optional(list(string), [])<br/>    })))<br/>    zone-3 = optional(list(object({<br/>      name           = string<br/>      cidr           = string<br/>      public_gateway = optional(bool)<br/>      acl_name       = string<br/>      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true<br/>      subnet_tags    = optional(list(string), [])<br/>    })))<br/>  })</pre> | <pre>{<br/>  "zone-1": [<br/>    {<br/>      "acl_name": "vpc-acl",<br/>      "cidr": "10.10.10.0/24",<br/>      "name": "subnet-a",<br/>      "no_addr_prefix": false,<br/>      "public_gateway": true<br/>    }<br/>  ],<br/>  "zone-2": [<br/>    {<br/>      "acl_name": "vpc-acl",<br/>      "cidr": "10.20.10.0/24",<br/>      "name": "subnet-b",<br/>      "no_addr_prefix": false,<br/>      "public_gateway": true<br/>    }<br/>  ],<br/>  "zone-3": [<br/>    {<br/>      "acl_name": "vpc-acl",<br/>      "cidr": "10.30.10.0/24",<br/>      "name": "subnet-c",<br/>      "no_addr_prefix": false,<br/>      "public_gateway": true<br/>    }<br/>  ]<br/>}</pre> | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | List of Tags for the resource created | `list(string)` | `null` | no |
 | <a name="input_update_delegated_resolver"></a> [update\_delegated\_resolver](#input\_update\_delegated\_resolver) | If set to true, and if the vpc is configured to be a spoke for DNS resolution (enable\_hub\_vpc\_crn or enable\_hub\_vpc\_id set), then the spoke VPC resolver will be updated to a delegated resolver. | `bool` | `false` | no |
 | <a name="input_use_existing_dns_instance"></a> [use\_existing\_dns\_instance](#input\_use\_existing\_dns\_instance) | Whether to use an existing dns instance. If true, existing\_dns\_instance\_id must be set. | `bool` | `false` | no |
-| <a name="input_use_public_gateways"></a> [use\_public\_gateways](#input\_use\_public\_gateways) | Create a public gateway in any of the three zones with `true`. | <pre>object({<br/>    zone-1 = optional(bool)<br/>    zone-2 = optional(bool)<br/>    zone-3 = optional(bool)<br/>  })</pre> | <pre>{<br/>  "zone-1": true,<br/>  "zone-2": false,<br/>  "zone-3": false<br/>}</pre> | no |
+| <a name="input_use_public_gateways"></a> [use\_public\_gateways](#input\_use\_public\_gateways) | Create a public gateway in any of the three zones with `true`. | <pre>object({<br/>    zone-1 = optional(bool)<br/>    zone-2 = optional(bool)<br/>    zone-3 = optional(bool)<br/>  })</pre> | <pre>{<br/>  "zone-1": true,<br/>  "zone-2": true,<br/>  "zone-3": true<br/>}</pre> | no |
 | <a name="input_vpc_flow_logs_name"></a> [vpc\_flow\_logs\_name](#input\_vpc\_flow\_logs\_name) | The name to give the provisioned VPC flow logs. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no |
 | <a name="input_vpn_gateways"></a> [vpn\_gateways](#input\_vpn\_gateways) | List of VPN gateways to create. | <pre>list(<br/>    object({<br/>      name           = string<br/>      subnet_name    = string # Do not include prefix, use same name as in `var.subnets`<br/>      mode           = optional(string)<br/>      resource_group = optional(string)<br/>      access_tags    = optional(list(string), [])<br/>    })<br/>  )</pre> | `[]` | no |
 

common-dev-assets

@@ -11,10 +11,12 @@ locals {
 }
 
 resource "ibm_is_security_group_rule" "default_vpc_rule" {
-  for_each  = local.security_group_rule_object
-  group     = var.create_vpc == true ? ibm_is_vpc.vpc[0].default_security_group : data.ibm_is_vpc.vpc.default_security_group
-  direction = each.value.direction
-  remote    = each.value.remote
+  for_each   = local.security_group_rule_object
+  group      = var.create_vpc == true ? ibm_is_vpc.vpc[0].default_security_group : data.ibm_is_vpc.vpc.default_security_group
+  direction  = each.value.direction
+  remote     = each.value.remote
+  local      = each.value.local
+  ip_version = each.value.ip_version
 
   dynamic "tcp" {
     for_each = each.value.tcp == null ? [] : [each.value]

default_security_group.tf

@@ -0,0 +1,8 @@
+# Custom Security Group Example
+
+A simple example to provision a Secure Landing Zone (SLZ) Virtual Private Cloud (VPC) with Security Group Rules set.
+
+The following resources are provisioned by this example:
+
+* A new resource group, if an existing one is not passed in.
+* An IBM Virtual Private Cloud (VPC) with custom security group rules.

examples/custom_security_group/README.md

@@ -0,0 +1,33 @@
+
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.3.0"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##############################################################################
+# Create new VPC
+# (if var.vpc_id is null, create a new VPC)
+##############################################################################
+
+module "vpc" {
+  source            = "../.."
+  resource_group_id = module.resource_group.resource_group_id
+  region            = var.region
+  prefix            = var.prefix
+  name              = "sg-vpc"
+  tags              = var.resource_tags
+  security_group_rules = [{
+    name       = "allow-all-inbound-sg"
+    direction  = "inbound"
+    remote     = "0.0.0.0/0" # source of the traffic. 0.0.0.0/0 traffic from all across the internet.
+    local      = "0.0.0.0/0" # A CIDR block of 0.0.0.0/0 allows traffic to all local IP addresses (or from all local IP addresses, for outbound rules).
+    ip_version = "ipv4"
+  }]
+}

examples/custom_security_group/main.tf

@@ -0,0 +1,13 @@
+##############################################################################
+# Outputs
+##############################################################################
+
+output "vpc_id" {
+  value       = module.vpc.vpc_id
+  description = "VPC id"
+}
+
+output "vpc_crn" {
+  value       = module.vpc.vpc_crn
+  description = "VPC crn"
+}

examples/custom_security_group/outputs.tf

@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}

examples/custom_security_group/provider.tf

@@ -0,0 +1,27 @@
+variable "ibmcloud_api_key" {
+  description = "APIkey that's associated with the account to provision resources to"
+  type        = string
+  sensitive   = true
+}
+
+variable "region" {
+  description = "The region to which to deploy the VPC"
+  type        = string
+}
+
+variable "prefix" {
+  description = "The prefix that you would like to append to your resources"
+  type        = string
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}
+
+variable "resource_tags" {
+  description = "List of Tags for the resource created"
+  type        = list(string)
+  default     = null
+}