test: replace landing zone vpc in examples and fix ingress (#206)

Author: toddgiguere

cra-tf-validate-ignore-rules.json

@@ -1,11 +1,22 @@
 {
     "scc_rules": [
-
         {
             "scc_rule_id": "rule-ded212fe-7def-44ce-9480-0487067b64c4",
-            "description:": "Check whether Kubernetes Service is accessible only by using private endpoints",
+            "description": "Check whether Kubernetes Service is accessible only by using private endpoints",
             "ignore_reason": "This is a valid issue - tracking in https://github.ibm.com/GoldenEye/issues/issues/174",
             "is_valid": true
+        },
+        {
+            "scc_rule_id": "rule-216e2449-27d7-4afc-929a-b66e196a9cf9",
+            "description": "Check whether Flow Logs for VPC are enabled",
+            "ignore_reason": "Rule is related to VPC, not OCP Clusters",
+            "is_valid": true
+        },
+        {
+            "scc_rule_id": "rule-64c0bea0-8760-4a6b-a56c-ee375a48961e",
+            "description": "Check whether Virtual Private Cloud (VPC) has no public gateways attached",
+            "ignore_reason": "Rule is related to VPC, not OCP Clusters",
+            "is_valid": true
         }
     ]
 }

examples/add_rules_to_sg/main.tf

@@ -10,36 +10,57 @@ module "resource_group" {
   existing_resource_group_name = var.resource_group
 }
 
-###############################################################################
-# VPC
-###############################################################################
-
-module "vpc" {
-  source              = "terraform-ibm-modules/landing-zone-vpc/ibm"
-  version             = "7.4.0"
-  resource_group_id   = module.resource_group.resource_group_id
-  region              = var.region
-  prefix              = var.prefix
-  tags                = var.resource_tags
-  name                = var.vpc_name
-  address_prefixes    = var.addresses
-  subnets             = var.subnets
-  use_public_gateways = var.public_gateway
+##############################################################################
+# Create a VPC with single subnet and zone, and public gateway
+# NOTE: this is a very simple VPC/Subnet configuration for example purposes only,
+# that will allow all traffic ingress/egress by default.
+# For production use cases this would need to be enhanced by adding more subnets
+# and zones for resiliency, and ACLs/Security Groups for network security.
+##############################################################################
+
+resource "ibm_is_vpc" "vpc" {
+  name                      = "${var.prefix}-vpc"
+  resource_group            = module.resource_group.resource_group_id
+  address_prefix_management = "auto"
+  tags                      = var.resource_tags
 }
 
+resource "ibm_is_public_gateway" "gateway" {
+  name           = "${var.prefix}-gateway-1"
+  vpc            = ibm_is_vpc.vpc.id
+  resource_group = module.resource_group.resource_group_id
+  zone           = "${var.region}-1"
+}
+
+resource "ibm_is_subnet" "subnet_zone_1" {
+  name                     = "${var.prefix}-subnet-1"
+  vpc                      = ibm_is_vpc.vpc.id
+  resource_group           = module.resource_group.resource_group_id
+  zone                     = "${var.region}-1"
+  total_ipv4_address_count = 256
+  public_gateway           = ibm_is_public_gateway.gateway.id
+}
 
 ##############################################################################
 # Security Group Rules addition.
 ##############################################################################
 
+locals {
+  standard_cluster_allow_rules = [
+    { name = "allow-port-8080", direction = "inbound", tcp = { port_max = 8080, port_min = 8080 }, udp = null, icmp = null, remote = ibm_is_subnet.subnet_zone_1.ipv4_cidr_block },
+    { name = "allow-port-443", direction = "inbound", tcp = { port_max = 443, port_min = 443 }, udp = null, icmp = null, remote = ibm_is_subnet.subnet_zone_1.ipv4_cidr_block },
+    { name = "udp-range", direction = "inbound", udp = { port_max = 30103, port_min = 30103 }, tcp = null, icmp = null, remote = ibm_is_subnet.subnet_zone_1.ipv4_cidr_block },
+  ]
+}
+
 # Kube-<vpc id> Security Group
 data "ibm_is_security_group" "kube_vpc_sg" {
   name = "kube-${module.ocp_base.vpc_id}"
 }
 
 resource "ibm_is_security_group_rule" "kube_vpc_rules" {
 
-  for_each  = { for rule in var.sg_rules_vpc : rule.name => rule }
+  for_each  = { for rule in local.standard_cluster_allow_rules : rule.name => rule }
   group     = data.ibm_is_security_group.kube_vpc_sg.id
   direction = each.value.direction
   remote    = each.value.remote
@@ -76,7 +97,7 @@ data "ibm_is_security_group" "kube_cluster_sg" {
 
 resource "ibm_is_security_group_rule" "kube_cluster_rules" {
 
-  for_each  = { for rule in var.sg_rules_cluster : rule.name => rule }
+  for_each  = { for rule in local.standard_cluster_allow_rules : rule.name => rule }
   group     = data.ibm_is_security_group.kube_cluster_sg.id
   direction = each.value.direction
   remote    = each.value.remote
@@ -124,16 +145,39 @@ module "kp_all_inclusive" {
 # Base OCP Cluster
 ##############################################################################
 
+locals {
+  cluster_vpc_subnets = {
+    default = [
+      {
+        id         = ibm_is_subnet.subnet_zone_1.id
+        cidr_block = ibm_is_subnet.subnet_zone_1.ipv4_cidr_block
+        zone       = ibm_is_subnet.subnet_zone_1.zone
+      }
+    ]
+  }
+
+  worker_pools = [
+    {
+      subnet_prefix     = "default"
+      pool_name         = "default" # ibm_container_vpc_cluster automatically names standard pool "standard" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
+      machine_type      = "bx2.4x16"
+      workers_per_zone  = 2
+      labels            = {}
+      resource_group_id = module.resource_group.resource_group_id
+    }
+  ]
+}
+
 module "ocp_base" {
   source               = "../.."
   cluster_name         = var.prefix
   ibmcloud_api_key     = var.ibmcloud_api_key
   resource_group_id    = module.resource_group.resource_group_id
   region               = var.region
   force_delete_storage = true
-  vpc_id               = module.vpc.vpc_id
-  vpc_subnets          = module.vpc.subnet_detail_map
-  worker_pools         = var.worker_pools
+  vpc_id               = ibm_is_vpc.vpc.id
+  vpc_subnets          = local.cluster_vpc_subnets
+  worker_pools         = local.worker_pools
   ocp_version          = var.ocp_version
   tags                 = var.resource_tags
   kms_config = {

examples/add_rules_to_sg/variables.tf

@@ -41,224 +41,3 @@ variable "ocp_version" {
   description = "Version of the OCP cluster to provision"
   default     = null
 }
-
-variable "worker_pools" {
-  type = list(object({
-    subnet_prefix     = string
-    pool_name         = string
-    machine_type      = string
-    workers_per_zone  = number
-    resource_group_id = optional(string)
-    labels            = optional(map(string))
-  }))
-  description = "List of worker pools."
-  default = [
-    {
-      subnet_prefix    = "zone-1"
-      pool_name        = "default" # ibm_container_vpc_cluster automatically names standard pool "standard" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
-      machine_type     = "bx2.4x16"
-      workers_per_zone = 2
-    },
-    {
-      subnet_prefix    = "zone-2"
-      pool_name        = "zone-2"
-      machine_type     = "bx2.4x16"
-      workers_per_zone = 2
-    }
-  ]
-}
-
-##############################################################################
-# VPC variables
-##############################################################################
-
-variable "vpc_name" {
-  type        = string
-  description = "Name of the VPC"
-  default     = "management"
-}
-
-variable "public_gateway" {
-  description = "Create a public gateway in any of the three zones with `true`."
-  type = object({
-    zone-1 = optional(bool)
-    zone-2 = optional(bool)
-    zone-3 = optional(bool)
-  })
-  default = {
-    zone-1 = true
-    zone-2 = false
-    zone-3 = false
-  }
-}
-
-variable "addresses" {
-  description = "OPTIONAL - IP range that will be defined for the VPC for a certain location. Use only with manual address prefixes"
-  type = object({
-    zone-1 = optional(list(string))
-    zone-2 = optional(list(string))
-    zone-3 = optional(list(string))
-  })
-  default = {
-    zone-1 = ["10.10.10.0/24"]
-    zone-2 = ["10.20.10.0/24"]
-    zone-3 = ["10.30.10.0/24"]
-  }
-}
-
-variable "subnets" {
-  description = "List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addressess. Public gateways will be enabled only in zones where a gateway has been created"
-  type = object({
-    zone-1 = list(object({
-      acl_name       = string
-      name           = string
-      cidr           = string
-      public_gateway = optional(bool)
-    }))
-    zone-2 = list(object({
-      acl_name       = string
-      name           = string
-      cidr           = string
-      public_gateway = optional(bool)
-    }))
-    zone-3 = list(object({
-      acl_name       = string
-      name           = string
-      cidr           = string
-      public_gateway = optional(bool)
-    }))
-  })
-
-  default = {
-    zone-1 = [
-      {
-        acl_name = "vpc-acl"
-        name     = "zone-1"
-        cidr     = "10.10.10.0/24"
-      }
-    ],
-    zone-2 = [
-      {
-        acl_name = "vpc-acl"
-        name     = "zone-2"
-        cidr     = "10.20.10.0/24"
-      }
-    ],
-    zone-3 = [
-      {
-        acl_name = "vpc-acl"
-        name     = "zone-3"
-        cidr     = "10.30.10.0/24"
-      }
-    ]
-  }
-}
-
-##############################################################################
-# Security Groups
-##############################################################################
-
-variable "sg_rules_vpc" {
-  description = "List of security group rules to be added to the kube-<vpcid> security group"
-
-  default = [
-    { name = "allow-port-8080", direction = "inbound", tcp = { port_max = 8080, port_min = 8080 }, remote = "10.10.10.0/24" },
-    { name = "allow-port-443", direction = "inbound", tcp = { port_max = 443, port_min = 443 }, remote = "10.10.10.0/24" },
-    { name = "udp-range", direction = "inbound", udp = { port_max = 30103, port_min = 30103 }, remote = "10.10.10.0/24" },
-  ]
-
-  type = list(
-    object({
-      name      = string
-      direction = string
-      remote    = string
-      tcp = optional(
-        object({
-          port_max = optional(number)
-          port_min = optional(number)
-        })
-      )
-      udp = optional(
-        object({
-          port_max = optional(number)
-          port_min = optional(number)
-        })
-      )
-      icmp = optional(
-        object({
-          type = optional(number)
-          code = optional(number)
-        })
-      )
-    })
-  )
-
-  validation {
-    error_message = "Security group rule direction can only be `inbound` or `outbound`."
-    condition = (var.sg_rules_vpc == null || length(var.sg_rules_vpc) == 0) ? true : length(distinct(
-      # Return false if direction is not valid
-      flatten([for rule in var.sg_rules_vpc : false if !contains(["inbound", "outbound"], rule.direction)])
-    )) == 0
-  }
-
-  validation {
-    error_message = "Security group rule names must match the regex pattern ^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$."
-    condition = (var.sg_rules_vpc == null || length(var.sg_rules_vpc) == 0) ? true : length(distinct(
-      # Return false if rule name is not valid
-      flatten([for rule in var.sg_rules_vpc : false if !can(regex("^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$", rule.name))])
-    )) == 0
-  }
-}
-
-variable "sg_rules_cluster" {
-  description = "List of security group rules to be added to the kube-<clusterid> security group"
-
-  default = [
-    { name = "allow-port-8080", direction = "inbound", tcp = { port_max = 8080, port_min = 8080 }, remote = "10.10.10.0/24" },
-    { name = "allow-port-443", direction = "inbound", tcp = { port_max = 443, port_min = 443 }, remote = "10.10.10.0/24" },
-    { name = "udp-range", direction = "inbound", udp = { port_max = 30103, port_min = 30103 }, remote = "10.10.10.0/24" },
-  ]
-
-  type = list(
-    object({
-      name      = string
-      direction = string
-      remote    = string
-      tcp = optional(
-        object({
-          port_max = optional(number)
-          port_min = optional(number)
-        })
-      )
-      udp = optional(
-        object({
-          port_max = optional(number)
-          port_min = optional(number)
-        })
-      )
-      icmp = optional(
-        object({
-          type = optional(number)
-          code = optional(number)
-        })
-      )
-    })
-  )
-
-  validation {
-    error_message = "Security group rule direction can only be `inbound` or `outbound`."
-    condition = (var.sg_rules_cluster == null || length(var.sg_rules_cluster) == 0) ? true : length(distinct(
-      # Return false if direction is not valid
-      flatten([for rule in var.sg_rules_cluster : false if !contains(["inbound", "outbound"], rule.direction)])
-    )) == 0
-  }
-
-  validation {
-    error_message = "Security group rule names must match the regex pattern ^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$."
-    condition = (var.sg_rules_cluster == null || length(var.sg_rules_cluster) == 0) ? true : length(distinct(
-      # Return false if rule name is not valid
-      flatten([for rule in var.sg_rules_cluster : false if !can(regex("^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$", rule.name))])
-    )) == 0
-  }
-}
-##############################################################################