188 changes: 188 additions & 0 deletions ibm_catalog.json
Expand Up @@ -774,6 +774,194 @@
"dependency_version_2": true,
"terraform_version": "1.12.2",
"ignore_readme": true
},
{
"label": "QuickStart - Basic and Simple",
"name": "quickstart",
"index": 2,
"install_type": "fullstack",
"working_directory": "solutions/quickstart",
"release_notes_url": "https://cloud.ibm.com/docs/secure-infrastructure-vpc?topic=secure-infrastructure-vpc-secure-infrastructure-vpc-relnotes",
"architecture": {
"features": [
{
"title": " ",
"description": "Ideal for users new to IBM Cloud or Virtual Private Cloud (VPC) who want to get started without configuring underlying infrastructure."
},
{
"title": " ",
"description": "A lightweight, experimental configuration for quickly provisioning Virtual Private Cloud (VPC) instances on IBM Cloud."
}
],
"diagrams": [
{
"diagram": {
"caption": "Virtual Private Cloud topology - Quickstart (Basic and simple)",
"url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/main/reference-architectures/deployable-architecture-quickstart-vpc.svg",
"type": "image/svg+xml"
},
"description": "This architecture provisions and configures a <b>Virtual Private Cloud (VPC)</b> environment. This basic configuration creates a VPC with one subnet in each zone (three subnets total) and applies a predefined network ACL."
}
]
},
"iam_permissions": [
{
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Viewer"
],
"service_name": "Resource group only",
"notes": "Viewer access is required in the resource group you want to provision in."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator"
],
"service_name": "All Account Management services",
"notes": "[Optional] Required to create new resource groups when enabling the Account Configuration integration."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator"
],
"service_name": "All Identity and Access enabled services",
"notes": "[Optional] Required to to create trusted profile for App Configuration aggregator which is used for compliance scanning."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator"
],
"service_name": "is.vpc",
"notes": "Required to create Virtual Private Cloud(VPC)"
},
{
"service_name": "cloud-object-storage",
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
],
"notes": "[Optional] Required if VPC Flow Logs are enabled."
}
],
"configuration": [
{
"key": "ibmcloud_api_key"
},
{
"key": "prefix",
"required": true,
"default_value": "dev",
"random_string": {
"length": 4
},
"value_constraints": [
{
"type": "regex",
"description": "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--'). It should not exceed 16 characters.",
"value": "^$|^__NULL__$|^[a-z](?!.*--)(?:[a-z0-9-]{0,14}[a-z0-9])?$"
}
]
},
{
"key": "region",
"required": true,
"custom_config": {
"config_constraints": {
"generationType": "2"
},
"grouping": "deployment",
"original_grouping": "deployment",
"type": "vpc_region"
}
},
{
"key": "vpc_name",
"required": true
},
{
"key": "existing_resource_group_name",
"display_name": "resource_group",
"custom_config": {
"type": "resource_group",
"grouping": "deployment",
"original_grouping": "deployment",
"config_constraints": {
"identifier": "rg_name"
}
},
"default_value": "Default",
"description": "The name of an existing resource group to provision the resources."
},
{
"key": "skip_vpc_cos_iam_auth_policy"
},
{
"key": "network_acls",
"description": "Select a predefined ACL profile for the VPC. Options: open (allow all inbound/outbound), common (allow SSH/HTTP/HTTPS with IBM internal + VPC connectivity), ibm-internal (only IBM internal + VPC connectivity), closed (fully restricted).",
"options": [
{
"displayname": "open",
"value": "open"
},
{
"displayname": "common",
"value": "common"
},
{
"displayname": "ibm-internal",
"value": "ibm-internal"
},
{
"displayname": "closed",
"value": "closed"
}
]
},
{
"key": "resource_tags",
"custom_config": {
"type": "array",
"grouping": "deployment",
"original_grouping": "deployment",
"config_constraints": {
"type": "string"
}
}
},
{
"key": "access_tags",
"custom_config": {
"type": "array",
"grouping": "deployment",
"original_grouping": "deployment",
"config_constraints": {
"type": "string"
}
}
},
{
"key": "enable_vpc_flow_logs"
},
{
"key": "provider_visibility",
"hidden": true,
"options": [
{
"displayname": "private",
"value": "private"
},
{
"displayname": "public",
"value": "public"
},
{
"displayname": "public-and-private",
"value": "public-and-private"
}
]
}
],
"terraform_version": "1.12.2",
"ignore_readme": true
}
]
}
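Review bot: The IAM notes string on the "All Identity and Access enabled services" entry reads `Required to to create trusted profile`, a duplicated "to" that will be shown verbatim in the catalog UI. The `network_acls` description presents `open` as "allow all inbound/outbound" without indicating it is a testing-only profile; since the quickstart attaches the selected ACL to every subnet it creates, a phrase such as `open (allow all inbound/outbound; not for production use)` would set expectations for whoever picks it. The two feature entries also carry `"title": " "`, a single space, which reads as a placeholder rather than an intentional blank title and is worth either filling in or dropping.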
3 changes: 3 additions & 0 deletions solutions/quickstart/README.md
@@ -0,0 +1,3 @@
# Cloud automation for VPC (Quickstart)

:exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers).
7 changes: 7 additions & 0 deletions solutions/quickstart/catalogValidationValues.json.template
@@ -0,0 +1,7 @@
{
"ibmcloud_api_key": $VALIDATION_APIKEY,
"region": "us-south",
"resource_tags": $TAGS,
"existing_resource_group_name": "geretain-test-resources",
"prefix": $PREFIX
}
165 changes: 165 additions & 0 deletions solutions/quickstart/main.tf
@@ -0,0 +1,165 @@
locals {
prefix = var.prefix != null ? (trimspace(var.prefix) != "" ? "${var.prefix}-" : "") : ""
}

##############################################################################
# Resource Group
##############################################################################

module "resource_group" {
source = "terraform-ibm-modules/resource-group/ibm"
version = "1.4.0"
existing_resource_group_name = var.existing_resource_group_name
}


#############################################################################
# Provision cloud object storage and bucket
#############################################################################

module "cos" {
count = var.enable_vpc_flow_logs ? 1 : 0
source = "terraform-ibm-modules/cos/ibm"
version = "10.5.8"
resource_group_id = module.resource_group.resource_group_id
region = var.region
cos_instance_name = "${var.prefix}-cos"
cos_tags = var.resource_tags
bucket_name = "${var.prefix}-bucket"
kms_encryption_enabled = false
}

###########################################################################
# NETWORK ACL PROFILES
###########################################################################

locals {
acl_profiles = {
open = [
{
name = "${local.prefix}acl"
add_ibm_cloud_internal_rules = false
add_vpc_connectivity_rules = false
prepend_ibm_rules = false
rules = [
{
name = "allow-all-inbound"
action = "allow"
direction = "inbound"
source = "0.0.0.0/0"
destination = "0.0.0.0/0"
},
{
name = "allow-all-outbound"
action = "allow"
direction = "outbound"
source = "0.0.0.0/0"
destination = "0.0.0.0/0"
}
]
}
]
common = [
{
name = "${local.prefix}acl"
add_ibm_cloud_internal_rules = true
add_vpc_connectivity_rules = true
prepend_ibm_rules = true
rules = [
{
name = "allow-ssh"
action = "allow"
direction = "inbound"
source = "0.0.0.0/0"
destination = "0.0.0.0/0"
tcp = { port_min = 22, port_max = 22 }
},
{
name = "allow-https"
action = "allow"
direction = "inbound"
source = "0.0.0.0/0"
destination = "0.0.0.0/0"
tcp = { port_min = 443, port_max = 443 }
},
{
name = "allow-http"
action = "allow"
direction = "inbound"
source = "0.0.0.0/0"
destination = "0.0.0.0/0"
tcp = { port_min = 80, port_max = 80 }
}
]
}
]
ibm-internal = [
{
name = "${local.prefix}acl"
add_ibm_cloud_internal_rules = true
add_vpc_connectivity_rules = true
prepend_ibm_rules = true
rules = []
}
]
closed = [
{
name = "${local.prefix}acl"
add_ibm_cloud_internal_rules = false
add_vpc_connectivity_rules = false
prepend_ibm_rules = false
rules = []
}
]
}
network_acls = lookup(local.acl_profiles, var.network_acls, local.acl_profiles["common"])
}

#############################################################################
# VPC
#############################################################################

module "vpc" {
source = "../../"
resource_group_id = module.resource_group.resource_group_id
region = var.region
create_vpc = true
name = var.vpc_name
prefix = local.prefix != "" ? trimspace(var.prefix) : null
tags = var.resource_tags
access_tags = var.access_tags
subnets = {
zone-1 = [
{
name = "${local.prefix}subnet-a"
cidr = "10.10.10.0/24"
public_gateway = true
acl_name = "${local.prefix}acl"
no_addr_prefix = false
}
]
zone-2 = [
{
name = "${local.prefix}subnet-b"
cidr = "10.20.10.0/24"
public_gateway = true
acl_name = "${local.prefix}acl"
no_addr_prefix = false
}
]
zone-3 = [
{
name = "${local.prefix}subnet-c"
cidr = "10.30.10.0/24"
public_gateway = true
acl_name = "${local.prefix}acl"
no_addr_prefix = false
}
]
}
network_acls = local.network_acls
enable_vpc_flow_logs = var.enable_vpc_flow_logs
create_authorization_policy_vpc_to_cos = !var.skip_vpc_cos_iam_auth_policy
existing_cos_instance_guid = var.enable_vpc_flow_logs ? module.cos[0].cos_instance_guid : null
existing_storage_bucket_name = var.enable_vpc_flow_logs ? module.cos[0].bucket_name : null
}
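Review bot: `network_acls = lookup(local.acl_profiles, var.network_acls, local.acl_profiles["common"])` silently maps any unrecognised profile name to `common`, which admits SSH, HTTP and HTTPS inbound from `0.0.0.0/0`; a typo in a security-relevant selector should fail at plan time rather than fall back to a more permissive profile, so prefer `network_acls = local.acl_profiles[var.network_acls]` (or a `validation` block on the variable, which lives outside this hunk). Separately, the `cos` module builds names with `"${var.prefix}-cos"` and `"${var.prefix}-bucket"` while every other name in the file uses `local.prefix`, which already normalises a null or blank prefix; a null prefix is an error inside a template interpolation and a blank one yields `-cos`/`-bucket`, so `cos_instance_name = "${local.prefix}cos"` and `bucket_name = "${local.prefix}bucket"` keep the naming consistent. The `open` profile's allow-all inbound rule deserves an explicit comment, e.g. `# Testing only: permits all inbound traffic from any source`, so the intent is visible to the next reader. Likewise `kms_encryption_enabled = false` on the flow-log bucket looks like a deliberate quickstart simplification and should say so in a one-line comment rather than be left to guess.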