feat: DA updates:<br>- The "Fully configurable" variation now deploys a cluster with a public endpoint enabled by default. This can be toggled using the disable_public_service_endpoint input.<br>- If VPC DA is selected (it is by default), there is now an option to configure the network ACLs. By default, it will create ACLs to allow public (port 80 and 443) so the Openshift console can be reached.(#740)

Aashiq-J · web-flow · commit d60279fe8f83 · 2025-07-23T17:27:03.000+01:00
diff --git a/ibm_catalog.json b/ibm_catalog.json
@@ -739,6 +739,14 @@
               "required": false,
               "virtual": true
             },
+            {
+              "key": "network_acls",
+              "type": "array",
+              "default_value": "[\n  {\n    name                         = \"vpc-acl\"\n    add_ibm_cloud_internal_rules = true\n    add_vpc_connectivity_rules   = true\n    prepend_ibm_rules            = true\n    rules = [\n      {\n        name      = \"allow-all-443-inbound\"\n        action    = \"allow\"\n        direction = \"inbound\"\n        tcp = {\n          port_min = 443\n          port_max = 443\n        }\n        destination = \"0.0.0.0/0\"\n        source      = \"0.0.0.0/0\"\n      },\n      {\n        name      = \"allow-all-80-inbound\"\n        action    = \"allow\"\n        direction = \"inbound\"\n        tcp = {\n          port_min        = 80\n          port_max        = 80\n          source_port_min = 80\n          source_port_max = 80\n        }\n        destination = \"0.0.0.0/0\"\n        source      = \"0.0.0.0/0\"\n      },\n      {\n        name      = \"allow-all-ingress-inbound\"\n        action    = \"allow\"\n        direction = \"inbound\"\n        tcp = {\n          source_port_min = 30000\n          source_port_max = 32767\n        }\n        destination = \"0.0.0.0/0\"\n        source      = \"0.0.0.0/0\"\n      },\n      {\n        name      = \"allow-all-443-outbound\"\n        action    = \"allow\"\n        direction = \"outbound\"\n        tcp = {\n          source_port_min = 443\n          source_port_max = 443\n        }\n        destination = \"0.0.0.0/0\"\n        source      = \"0.0.0.0/0\"\n      },\n      {\n        name      = \"allow-all-80-outbound\"\n        action    = \"allow\"\n        direction = \"outbound\"\n        tcp = {\n          source_port_min = 80\n          source_port_max = 80\n          port_min        = 80\n          port_max        = 80\n        }\n        destination = \"0.0.0.0/0\"\n        source      = \"0.0.0.0/0\"\n      },\n      {\n        name      = \"allow-all-ingress-outbound\"\n        action    = \"allow\"\n        direction = \"outbound\"\n        tcp = {\n          port_min = 30000\n          port_max = 32767\n        }\n        destination = \"0.0.0.0/0\"\n        source      = \"0.0.0.0/0\"\n      }\n    ]\n  }\n]",
+              "description": "The list of ACLs to create. Provide at least one rule for each ACL. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#network-acls-).",
+              "required": false,
+              "virtual": true
+            },
             {
               "key": "provider_visibility",
               "options": [
@@ -794,6 +802,11 @@
                   "dependency_input": "subnets",
                   "version_input": "subnets",
                   "reference_version": true
+                },
+                {
+                  "dependency_input": "network_acls",
+                  "version_input": "network_acls",
+                  "reference_version": true
                 }
               ]
             },
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
@@ -269,7 +269,7 @@ variable "use_private_endpoint" {
 variable "disable_public_endpoint" {
   type        = bool
   description = "Whether access to the public service endpoint is disabled when the cluster is created. Does not affect existing clusters. You can't disable a public endpoint on an existing cluster, so you can't convert a public cluster to a private cluster. To change a public endpoint to private, create another cluster with this input set to `true`."
-  default     = true
+  default     = false
 }
 
 variable "cluster_config_endpoint_type" {

Original file line number	Diff line number	Diff line change
`@@ -269,7 +269,7 @@ variable "use_private_endpoint" {`
`269`	`269`	`variable "disable_public_endpoint" {`
`270`	`270`	`type = bool`
`271`	`271`	description = "Whether access to the public service endpoint is disabled when the cluster is created. Does not affect existing clusters. You can't disable a public endpoint on an existing cluster, so you can't convert a public cluster to a private cluster. To change a public endpoint to private, create another cluster with this input set to `true`."
`272`		`- default = true`
	`272`	`+ default = false`
`273`	`273`	`}`
`274`	`274`
`275`	`275`	`variable "cluster_config_endpoint_type" {`