Merge branch 'main' into deprecate_refs

imprateeksh · imprateeksh · commit f23ebe93f0e9 · 2025-11-27T17:23:55.000+05:30
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,10 +5,8 @@ on:
   issue_comment:
     types:
       - created
+
 jobs:
   call-terraform-ci-pipeline:
-    uses: terraform-ibm-modules/common-pipeline-assets/.github/workflows/common-terraform-module-ci-v2.yml@v1.22.5
+    uses: terraform-ibm-modules/common-pipeline-assets/.github/workflows/common-terraform-module-ci-v2.yml@v1.24.0
     secrets: inherit
-    with:
-        craSCCv2: true
-        craConfigYamlFile: "cra-config.yaml"
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-08-29T15:52:08Z",
+  "generated_at": "2025-10-28T06:31:36Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -77,7 +77,7 @@
     }
   ],
   "results": {},
-  "version": "0.13.1+ibm.62.dss",
+  "version": "0.13.1+ibm.64.dss",
   "word_list": {
     "file": null,
     "hash": null
diff --git a/README.md b/README.md
@@ -248,10 +248,8 @@ To attach access management tags to resources in this module, you need the follo
 | <a name="input_dns_instance_name"></a> [dns\_instance\_name](#input\_dns\_instance\_name) | The name to give the provisioned DNS instance. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no |
 | <a name="input_dns_location"></a> [dns\_location](#input\_dns\_location) | The target location or environment for the DNS instance created to host the custom resolver in a hub-spoke DNS resolution topology. Only used if enable\_hub is true and skip\_custom\_resolver\_hub\_creation is false (defaults). | `string` | `"global"` | no |
 | <a name="input_dns_plan"></a> [dns\_plan](#input\_dns\_plan) | The plan for the DNS resource instance created to host the custom resolver in a hub-spoke DNS resolution topology. Only used if enable\_hub is true and skip\_custom\_resolver\_hub\_creation is false (defaults). | `string` | `"standard-dns"` | no |
-| <a name="input_dns_records"></a> [dns\_records](#input\_dns\_records) | List of DNS records to be created. | <pre>list(object({<br/>    name       = string<br/>    type       = string<br/>    ttl        = number<br/>    rdata      = string<br/>    preference = optional(number, null)<br/>    service    = optional(string, null)<br/>    protocol   = optional(string, null)<br/>    priority   = optional(number, null)<br/>    weight     = optional(number, null)<br/>    port       = optional(number, null)<br/>  }))</pre> | `[]` | no |
-| <a name="input_dns_zone_description"></a> [dns\_zone\_description](#input\_dns\_zone\_description) | The description of the DNS zone. | `string` | `"Default DNS Zone"` | no |
-| <a name="input_dns_zone_label"></a> [dns\_zone\_label](#input\_dns\_zone\_label) | Label associated with the DNS zone. | `string` | `"dns-zone"` | no |
-| <a name="input_dns_zone_name"></a> [dns\_zone\_name](#input\_dns\_zone\_name) | The name of the DNS zone to be created. | `string` | `null` | no |
+| <a name="input_dns_records"></a> [dns\_records](#input\_dns\_records) | List of DNS records to be created. | <pre>map(list(object({<br/>    name       = string<br/>    type       = string<br/>    ttl        = number<br/>    rdata      = string<br/>    preference = optional(number, null)<br/>    service    = optional(string, null)<br/>    protocol   = optional(string, null)<br/>    priority   = optional(number, null)<br/>    weight     = optional(number, null)<br/>    port       = optional(number, null)<br/>  })))</pre> | `{}` | no |
+| <a name="input_dns_zones"></a> [dns\_zones](#input\_dns\_zones) | List of the DNS zone to be created. | <pre>list(object({<br/>    name        = string<br/>    description = optional(string)<br/>    label       = optional(string, "dns-zone")<br/>  }))</pre> | `[]` | no |
 | <a name="input_enable_hub"></a> [enable\_hub](#input\_enable\_hub) | Indicates whether this VPC is enabled as a DNS name resolution hub. | `bool` | `false` | no |
 | <a name="input_enable_hub_vpc_crn"></a> [enable\_hub\_vpc\_crn](#input\_enable\_hub\_vpc\_crn) | Indicates whether Hub VPC CRN is passed. | `bool` | `false` | no |
 | <a name="input_enable_hub_vpc_id"></a> [enable\_hub\_vpc\_id](#input\_enable\_hub\_vpc\_id) | Indicates whether Hub VPC ID is passed. | `bool` | `false` | no |
diff --git a/common-dev-assets b/common-dev-assets
@@ -1 +1 @@
-Subproject commit 84e744a27f774dac276e9381db01b6fe378c0af3
+Subproject commit c4328778ce1a62bc85f641d9249adaac0493cfc9
diff --git a/cra-config.yaml b/cra-config.yaml
diff --git a/cra-tf-validate-ignore-rules.json b/cra-tf-validate-ignore-rules.json
diff --git a/examples/hub-spoke-delegated-resolver/main.tf b/examples/hub-spoke-delegated-resolver/main.tf
@@ -36,7 +36,11 @@ module "hub_vpc" {
   prefix            = "${var.prefix}-hub"
   tags              = var.resource_tags
   enable_hub        = true
-  dns_zone_name     = "hnsexample.com"
+  dns_zones = [
+    {
+      name = "hnsexample.com"
+    }
+  ]
   subnets = {
     zone-1 = [
       {
diff --git a/examples/vpc-with-dns/main.tf b/examples/vpc-with-dns/main.tf
@@ -46,7 +46,7 @@ module "slz_vpc" {
   prefix            = var.prefix
   tags              = var.resource_tags
   enable_hub        = true
-  dns_zone_name     = var.dns_zone_name
+  dns_zones         = var.dns_zones
   dns_records       = var.dns_records
   subnets           = local.subnets
 }
diff --git a/examples/vpc-with-dns/variables.tf b/examples/vpc-with-dns/variables.tf
@@ -36,7 +36,7 @@ variable "resource_tags" {
 
 variable "dns_records" {
   description = "List of DNS records to create"
-  type = list(object({
+  type = map(list(object({
     name       = string
     type       = string
     rdata      = string
@@ -47,8 +47,8 @@ variable "dns_records" {
     protocol   = optional(string)
     service    = optional(string)
     weight     = optional(number)
-  }))
-  default = [
+  })))
+  default = { "dns-example.com" = [
     {
       name  = "testA"
       type  = "A"
@@ -77,11 +77,21 @@ variable "dns_records" {
       rdata = "textinformation"
       ttl   = 900
     }
-  ]
+    ]
+  }
 }
 
-variable "dns_zone_name" {
-  description = "The name of the DNS zone to be created."
-  type        = string
-  default     = "dns-example.com"
+variable "dns_zones" {
+  description = "The DNS zones to be created."
+  type = list(object({
+    name        = string
+    description = optional(string)
+    label       = optional(string, "dns-zone")
+  }))
+  default = [
+    {
+      name        = "dns-example.com"
+      description = "Example DNS zone"
+    }
+  ]
 }
diff --git a/ibm_catalog.json b/ibm_catalog.json
@@ -68,15 +68,6 @@
           "install_type": "fullstack",
           "working_directory": "solutions/fully-configurable",
           "release_notes_url": "https://cloud.ibm.com/docs/secure-infrastructure-vpc?topic=secure-infrastructure-vpc-secure-infrastructure-vpc-relnotes",
-          "compliance": {
-            "authority": "scc-v3",
-            "profiles": [
-              {
-                "profile_name": "IBM Cloud Framework for Financial Services",
-                "profile_version": "1.7.0"
-              }
-            ]
-          },
           "architecture": {
             "features": [
               {
@@ -395,9 +386,19 @@
                 {
                   "type": "regex",
                   "description": "The value provided for 'existing_cos_instance_crn' is not valid.",
-                  "value": "^crn:(.*:){3}cloud-object-storage:(.*:){2}[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}::$"
+                  "value": "^__NULL__$|^crn:(.*:){3}cloud-object-storage:(.*:){2}[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}::$"
                 }
-              ]
+              ],
+              "custom_config": {
+                "type": "platform_resource",
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "config_constraints": {
+                  "resourceType": "cloud-object-storage",
+                  "selection": "single_select",
+                  "valueType": "crn"
+                }
+              }
             },
             {
               "key": "skip_vpc_cos_iam_auth_policy"
@@ -585,15 +586,11 @@
                 {
                   "version_input": "kms_encryption_enabled_bucket",
                   "value": true
-                },
-                {
-                  "version_input": "enable_vpc_flow_logs",
-                  "value": true
                 }
               ],
               "optional": true,
               "on_by_default": true,
-              "version": "v5.4.0"
+              "version": "v5.4.8"
             },
             {
               "name": "deploy-arch-ibm-cos",
@@ -625,7 +622,7 @@
               ],
               "optional": true,
               "on_by_default": true,
-              "version": "v10.5.0"
+              "version": "v10.5.5"
             },
             {
               "name": "deploy-arch-ibm-cloud-logs",
@@ -635,7 +632,7 @@
                 "fully-configurable"
               ],
               "id": "63d8ae58-fbf3-41ce-b844-0fb5b85882ab-global",
-              "version": "v1.9.0",
+              "version": "v1.9.10",
               "optional": true,
               "on_by_default": true,
               "input_mapping": [
@@ -675,7 +672,7 @@
               "name": "deploy-arch-ibm-cloud-monitoring",
               "description": "Sets up a Cloud Monitoring instance to collect the platform metrics.",
               "id": "73debdbf-894f-4c14-81c7-5ece3a70b67d-global",
-              "version": "v1.9.0",
+              "version": "v1.10.6",
               "flavors": [
                 "fully-configurable"
               ],
@@ -709,7 +706,7 @@
               "name": "deploy-arch-ibm-activity-tracker",
               "description": "Configure Activity Tracker Event Routing to route the auditing events.",
               "id": "918453c3-4f97-4583-8c4a-83ef12fc7916-global",
-              "version": "v1.4.3",
+              "version": "v1.4.11",
               "flavors": [
                 "fully-configurable"
               ],
@@ -748,7 +745,7 @@
               "name": "deploy-arch-ibm-scc-workload-protection",
               "description": "Configure an IBM Cloud Security and Compliance Center Workload Protection instance to help you manage security and compliance for your organization.",
               "id": "4322cf44-2289-49aa-a719-dd79e39b14dc-global",
-              "version": "v1.14.0",
+              "version": "v1.15.3",
               "flavors": [
                 "fully-configurable"
               ],
@@ -775,7 +772,8 @@
             }
           ],
           "dependency_version_2": true,
-          "terraform_version": "1.10.5"
+          "terraform_version": "1.12.2",
+          "ignore_readme": true
         }
       ]
     }
diff --git a/main.tf b/main.tf
@@ -40,6 +40,14 @@ resource "ibm_is_vpc" "vpc" {
   access_tags                 = var.access_tags
   no_sg_acl_rules             = var.clean_default_sg_acl
 
+  # Ensures the VPC CRN region matches var.region; fails early if there is a mismatch.
+  lifecycle {
+    postcondition {
+      condition     = regex("^crn(\\:\\w+\\:\\w+\\:\\w+\\:\\w+)\\:([\\w-\\.]+)\\:\\w\\/([\\w-\\.]*\\:[\\w-\\.]*\\:[\\w-\\.]*\\:)[\\w-\\.]*$", self.crn)[1] == var.region
+      error_message = "The region in the VPC CRN and the region specified in `var.region` must be the same and are not. The mismatch might be caused by different regions in the provider region and in the`var.region` input variable. Check the region values and try again"
+    }
+  }
+
   dns {
     enable_hub = var.enable_hub
 
@@ -361,21 +369,21 @@ resource "ibm_is_flow_log" "flow_logs" {
 ###############################################################################
 
 resource "ibm_dns_zone" "dns_zone" {
-  count       = var.enable_hub && !var.skip_custom_resolver_hub_creation && alltrue([var.dns_zone_name != null, var.dns_zone_name != ""]) ? 1 : 0
-  name        = var.dns_zone_name
+  for_each    = var.enable_hub && !var.skip_custom_resolver_hub_creation ? { for zone in var.dns_zones : zone.name => zone } : {}
+  name        = each.key
   instance_id = var.use_existing_dns_instance ? var.existing_dns_instance_id : ibm_resource_instance.dns_instance_hub[0].guid
-  description = var.dns_zone_description
-  label       = var.dns_zone_label
+  description = each.value.description == null ? "Hosted zone for ${each.key}" : each.value.description
+  label       = each.value.label
 }
 
 ##############################################################################
 # DNS PERMITTED NETWORK
 ##############################################################################
 
 resource "ibm_dns_permitted_network" "dns_permitted_network" {
-  count       = var.enable_hub && !var.skip_custom_resolver_hub_creation ? 1 : 0
+  for_each    = var.enable_hub && !var.skip_custom_resolver_hub_creation ? ibm_dns_zone.dns_zone : {}
   instance_id = var.use_existing_dns_instance ? var.existing_dns_instance_id : ibm_resource_instance.dns_instance_hub[0].guid
-  zone_id     = ibm_dns_zone.dns_zone[0].zone_id
+  zone_id     = each.value.zone_id
   vpc_crn     = local.vpc_crn
   type        = "vpc"
 }
@@ -384,10 +392,19 @@ resource "ibm_dns_permitted_network" "dns_permitted_network" {
 # DNS Records
 ##############################################################################
 
+locals {
+  dns_records = flatten([
+    for key, value in var.dns_records : [
+      for idx, record in value : merge(record, { identifier = "${key}-${idx}", dns_zone = (key) })
+    ]
+  ])
+
+}
+
 resource "ibm_dns_resource_record" "dns_record" {
-  for_each    = length(ibm_dns_zone.dns_zone) > 0 ? { for idx, record in var.dns_records : idx => record } : {}
+  for_each    = length(ibm_dns_zone.dns_zone) > 0 ? { for record in local.dns_records : record.identifier => record } : {}
   instance_id = var.use_existing_dns_instance ? var.existing_dns_instance_id : ibm_resource_instance.dns_instance_hub[0].guid
-  zone_id     = ibm_dns_zone.dns_zone[0].zone_id
+  zone_id     = ibm_dns_zone.dns_zone[each.value.dns_zone].zone_id
   name        = each.value.name
   type        = each.value.type
 
@@ -407,7 +424,10 @@ resource "ibm_dns_resource_record" "dns_record" {
 }
 
 locals {
-  record_ids = [for record in ibm_dns_resource_record.dns_record : element(split("/", record.id), 2)]
+  record_ids = {
+    for k in distinct([for d in local.dns_records : d.dns_zone]) :
+    k => [for d in local.dns_records : element(split("/", ibm_dns_resource_record.dns_record[d.identifier].id), 2) if d.dns_zone == k]
+  }
 }
 
 ##############################################################################
@@ -431,6 +451,7 @@ resource "ibm_is_vpn_gateway" "vpn_gateway" {
   access_tags    = each.value.access_tags
 
   timeouts {
+    create = "1h"
     delete = "1h"
   }
 }
diff --git a/outputs.tf b/outputs.tf
@@ -180,17 +180,17 @@ output "dns_custom_resolver_id" {
 ## DNS Zone and Records
 output "dns_zone_state" {
   description = "The state of the DNS zone."
-  value       = length(ibm_dns_zone.dns_zone) > 0 ? ibm_dns_zone.dns_zone[0].state : null
+  value       = length(ibm_dns_zone.dns_zone) > 0 ? [for zone in var.dns_zones : { (zone.name) = ibm_dns_zone.dns_zone[zone.name].state }] : null
 }
 
 output "dns_zone_id" {
   description = "The ID of the DNS zone."
-  value       = length(ibm_dns_zone.dns_zone) > 0 ? ibm_dns_zone.dns_zone[0].zone_id : null
+  value       = length(ibm_dns_zone.dns_zone) > 0 ? [for zone in var.dns_zones : { (zone.name) = ibm_dns_zone.dns_zone[zone.name].zone_id }] : null
 }
 
 output "dns_zone" {
   description = "A map representing DNS zone information."
-  value       = length(ibm_dns_zone.dns_zone) > 0 ? ibm_dns_zone.dns_zone[0] : null
+  value       = length(ibm_dns_zone.dns_zone) > 0 ? [for zone in ibm_dns_zone.dns_zone : zone] : null
 }
 
 output "dns_record_ids" {
diff --git a/tests/other_test.go b/tests/other_test.go
diff --git a/tests/pr_test.go b/tests/pr_test.go
diff --git a/variables.tf b/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ module "slz_vpc" {`
`46`	`46`	`prefix = var.prefix`
`47`	`47`	`tags = var.resource_tags`
`48`	`48`	`enable_hub = true`
`49`		`- dns_zone_name = var.dns_zone_name`
	`49`	`+ dns_zones = var.dns_zones`
`50`	`50`	`dns_records = var.dns_records`
`51`	`51`	`subnets = local.subnets`
`52`	`52`	`}`