terraform-ibm-modules · maheshwarishikha · Jun 19, 2025 · Apr 24, 2025 · Apr 27, 2025 · Apr 28, 2025
diff --git a/examples/custom_sg/variables.tf b/examples/custom_sg/variables.tf
@@ -37,7 +37,7 @@ variable "resource_tags" {
 variable "ocp_version" {
   type        = string
   description = "Version of the OCP cluster to provision"
-  default     = "4.14"
+  default     = "4.18"
 }
 
 variable "access_tags" {

@@ -127,12 +127,12 @@ This variable defines the worker node pools for your OCP cluster, with each pool
   {
     vpc_subnets                       = [
       {
-        id = "0717-a4b3c2d1-e5f6-g7h8-i9j0-k1l2m3n4o5p6" # pragma: allowlist secret
+        id = "<REPLACE ME>"
         zone = "us-south-1"
         cidr_block = " "10.10.10.0/24"
       },
       {
-        id = "0717-b4c3d2e1-f5g6-h7i8-j9k0-l1m2n3o4p5q6" # pragma: allowlist secret
+        id = "<REPLACE ME>"
         zone = "us-south-2"
         cidr_block = "10.20.10.0/24"
       }
@@ -230,10 +230,10 @@ This variable allows you to provide a rule for the target service to enforce acc
 ### Example for cbr_rules
 
 ```hcl
-cbr_rules = [
+[
   {
   description = "Event Notifications can be accessed from xyz"
-  account_id = "defc0df06b644a9cabc6e44f55b3880s."
+  account_id = "<REPLACE ME>"
   rule_contexts= [{
       attributes = [
                 {
@@ -242,11 +242,11 @@ cbr_rules = [
                 },
                 {
                   name  = "networkZoneId"
-                  value = "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret
+                  value = "<REPLACE ME>"
                 }
         ]
      }
-   ]
+  ]
   enforcement_mode = "enabled"
   operations = [{
     api_types = [{

@@ -39,11 +39,11 @@ locals {
   cluster_existing_kms_guid = var.existing_kms_instance_crn != null && var.kms_encryption_enabled_cluster ? module.existing_kms_crn_parser[0].service_instance : var.existing_cluster_kms_key_crn != null ? module.existing_cluster_kms_key_crn_parser[0].service_instance : null
   cluster_kms_account_id    = var.existing_kms_instance_crn != null && var.kms_encryption_enabled_cluster ? module.existing_kms_crn_parser[0].account_id : var.existing_cluster_kms_key_crn != null ? module.existing_cluster_kms_key_crn_parser[0].account_id : null
   cluster_kms_key_id        = var.existing_kms_instance_crn != null && var.kms_encryption_enabled_cluster ? module.kms[0].keys[format("%s.%s", local.cluster_key_ring_name, local.cluster_key_name)].key_id : var.existing_cluster_kms_key_crn != null ? module.existing_cluster_kms_key_crn_parser[0].resource : null
-  cluster_key_ring_name     = "${local.prefix}${var.cluster_key_ring_name}"
-  cluster_key_name          = "${local.prefix}${var.cluster_key_name}"
+  cluster_key_ring_name     = "${local.prefix}${var.cluster_kms_key_ring_name}"
+  cluster_key_name          = "${local.prefix}${var.cluster_kms_key_name}"
 
-  boot_volume_key_ring_name     = "${local.prefix}${var.boot_volume_key_ring_name}"
-  boot_volume_key_name          = "${local.prefix}${var.boot_volume_key_name}"
+  boot_volume_key_ring_name     = "${local.prefix}${var.boot_volume_kms_key_ring_name}"
+  boot_volume_key_name          = "${local.prefix}${var.boot_volume_kms_key_name}"
   boot_volume_existing_kms_guid = var.existing_kms_instance_crn != null && var.kms_encryption_enabled_boot_volume ? module.existing_kms_crn_parser[0].service_instance : var.existing_boot_volume_kms_key_crn != null ? module.existing_boot_volume_kms_key_crn_parser[0].service_instance : null
   boot_volume_kms_account_id    = var.existing_kms_instance_crn != null && var.kms_encryption_enabled_boot_volume ? module.existing_kms_crn_parser[0].account_id : var.existing_boot_volume_kms_key_crn != null ? module.existing_boot_volume_kms_key_crn_parser[0].account_id : null
   boot_volume_kms_key_id        = var.existing_kms_instance_crn != null && var.kms_encryption_enabled_boot_volume ? module.kms[0].keys[format("%s.%s", local.boot_volume_key_ring_name, local.boot_volume_key_name)].key_id : var.existing_boot_volume_kms_key_crn != null ? module.existing_boot_volume_kms_key_crn_parser[0].resource : null

@@ -3,21 +3,24 @@
 ########################################################################################################################
 
 provider "ibm" {
-  ibmcloud_api_key = var.ibmcloud_api_key
-  region           = local.vpc_region
-  visibility       = var.provider_visibility
+  ibmcloud_api_key      = var.ibmcloud_api_key
+  region                = local.vpc_region
+  visibility            = var.provider_visibility
+  private_endpoint_type = (var.provider_visibility == "private" && local.vpc_region == "ca-mon") ? "vpe" : null
 }
 
 provider "ibm" {
-  alias            = "kms"
-  ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key
-  region           = local.cluster_kms_region
-  visibility       = var.provider_visibility
+  alias                 = "kms"
+  ibmcloud_api_key      = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key
+  region                = local.cluster_kms_region
+  visibility            = var.provider_visibility
+  private_endpoint_type = (var.provider_visibility == "private" && local.vpc_region == "ca-mon") ? "vpe" : null
 }
 
 provider "ibm" {
-  alias            = "secrets_manager"
-  ibmcloud_api_key = var.ibmcloud_api_key
-  region           = var.enable_secrets_manager_integration ? module.existing_secrets_manager_instance_parser[0].region : local.vpc_region
-  visibility       = var.provider_visibility
+  alias                 = "secrets_manager"
+  ibmcloud_api_key      = var.ibmcloud_api_key
+  region                = var.enable_secrets_manager_integration ? module.existing_secrets_manager_instance_parser[0].region : local.vpc_region
+  visibility            = var.provider_visibility
+  private_endpoint_type = (var.provider_visibility == "private" && local.vpc_region == "ca-mon") ? "vpe" : null
 }
@@ -13,19 +13,32 @@ variable "ibmcloud_api_key" {
 
 variable "prefix" {
   type        = string
-  description = "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string."
   nullable    = true
+  description = "The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: prod-0405-ocp. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md)."
+
   validation {
-    condition = (var.prefix == null ? true :
+    # - null and empty string is allowed
+    # - Must not contain consecutive hyphens (--): length(regexall("--", var.prefix)) == 0
+    # - Starts with a lowercase letter: [a-z]
+    # - Contains only lowercase letters (a–z), digits (0–9), and hyphens (-)
+    # - Must not end with a hyphen (-): [a-z0-9]
+    condition = (var.prefix == null || var.prefix == "" ? true :
       alltrue([
-        can(regex("^[a-z]{0,1}[-a-z0-9]{0,14}[a-z0-9]{0,1}$", var.prefix)),
-        length(regexall("^.*--.*", var.prefix)) == 0
+        can(regex("^[a-z][-a-z0-9]*[a-z0-9]$", var.prefix)),
+        length(regexall("--", var.prefix)) == 0
       ])
     )
-    error_message = "Prefix must begin with a lowercase letter, contain only lowercase letters, numbers, and - characters. Prefixes must end with a lowercase letter or number and be 16 or fewer characters."
+    error_message = "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--')."
+  }
+
+  validation {
+    # must not exceed 16 characters in length
+    condition     = length(var.prefix) <= 16
+    error_message = "Prefix must not exceed 16 characters."
   }
 }
 
+
 variable "existing_resource_group_name" {
   type        = string
   description = "The name of an existing resource group to provision the cluster."
@@ -57,7 +70,7 @@ variable "cluster_name" {
 variable "ocp_version" {
   type        = string
   description = "Version of the OCP cluster to provision."
-  default     = "4.17"
+  default     = "4.18"
 }
 
 variable "ocp_entitlement" {
@@ -118,7 +131,7 @@ variable "addons" {
       parameters_json = optional(string)
     }))
   })
-  description = "Map of OCP cluster add-on versions to install (NOTE: The 'vpc-block-csi-driver' add-on is installed by default for VPC clusters and 'ibm-storage-operator' is installed by default in OCP 4.15 and later, however you can explicitly specify it here if you wish to choose a later version than the default one). For full list of all supported add-ons and versions, see https://cloud.ibm.com/docs/containers?topic=containers-supported-cluster-addon-versions. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/blob/main/solutions/fully-configurable/DA_docs.md#options-with-addons)"
+  description = "Map of OCP cluster add-on versions to install (NOTE: The 'vpc-block-csi-driver' add-on is installed by default for VPC clusters and 'ibm-storage-operator' is installed by default in OCP 4.15 and later, however you can explicitly specify it here if you wish to choose a later version than the default one). [Check supported addons and versions here](https://cloud.ibm.com/docs/containers?topic=containers-supported-cluster-addon-versions). [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/blob/main/solutions/fully-configurable/DA_docs.md#options-with-addons)"
   nullable    = false
   default     = {}
 }
@@ -168,7 +181,7 @@ variable "default_worker_pool_workers_per_zone" {
 variable "default_worker_pool_operating_system" {
   type        = string
   description = "The operating system installed on the worker nodes. [Learn more](https://cloud.ibm.com/docs/openshift?topic=openshift-vpc-flavors)"
-  default     = "RHEL_9_64"
+  default     = "RHCOS"
 }
 
 variable "default_worker_pool_labels" {
@@ -406,13 +419,13 @@ variable "kms_endpoint_type" {
   }
 }
 
-variable "cluster_key_ring_name" {
+variable "cluster_kms_key_ring_name" {
   type        = string
   default     = "cluster-key-ring"
   description = "The name of the key ring to be created for the cluster's Object Storage bucket encryption key. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
 }
 
-variable "cluster_key_name" {
+variable "cluster_kms_key_name" {
   type        = string
   default     = "cluster-key"
   description = "The name of the key to be created for the cluster's Object Storage bucket encryption. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
@@ -461,13 +474,13 @@ variable "existing_boot_volume_kms_key_crn" {
   }
 }
 
-variable "boot_volume_key_ring_name" {
+variable "boot_volume_kms_key_ring_name" {
   type        = string
   default     = "boot-volume-key-ring"
   description = "The name for the key ring created for the block storage volumes key. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
 }
 
-variable "boot_volume_key_name" {
+variable "boot_volume_kms_key_name" {
   type        = string
   default     = "boot-volume-key"
   description = "The name for the key created for the block storage volumes. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
@@ -538,6 +551,21 @@ variable "secrets_manager_endpoint_type" {
   }
 }
 
+# tflint-ignore: all
+variable "secrets_manager_service_plan" {
+  type        = string
+  description = "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)."
+  default     = "standard"
+  validation {
+    condition     = contains(["standard", "trial"], var.secrets_manager_service_plan)
+    error_message = "Only 'standard' and 'trial' are allowed values for 'service_plan'. Applies only if not providing a value for the 'existing_secrets_manager_instance_crn' input."
+  }
+  validation {
+    condition     = var.existing_secrets_manager_instance_crn == null && var.enable_secrets_manager_integration ? var.secrets_manager_service_plan != null : true
+    error_message = "A value for 'service_plan' is required if not providing a value for 'existing_secrets_manager_instance_crn'"
+  }
+}
+
 variable "skip_ocp_secrets_manager_iam_auth_policy" {
   type        = bool
   description = "To skip creating auth policy that allows OCP cluster 'Manager' role access in the existing Secrets Manager instance for managing ingress certificates."

diff --git a/variables.tf b/variables.tf
@@ -112,7 +112,7 @@ variable "worker_pools" {
       for wp in var.worker_pools :
       (local.ocp_version_num == "4.14" && wp.operating_system == local.os_rhel) ||
       (local.ocp_version_num == "4.15" && contains([local.os_rhel, local.os_rhcos], wp.operating_system)) ||
-      (contains(["4.16", "4.17"], local.ocp_version_num) && contains([local.os_rhel9, local.os_rhel, local.os_rhcos], wp.operating_system))
+      (contains(["4.16", "4.17", "4.18"], local.ocp_version_num) && contains([local.os_rhel9, local.os_rhel, local.os_rhcos], wp.operating_system))
     ])
     error_message = "Invalid operating system for the given OCP version. Ensure the OS is compatible with the OCP version. Supported compatible OCP version and OS are v4.14: (REDHAT_8_64); v4.15: (REDHAT_8_64, RHCOS) ; v4.16 and v4.17: (REDHAT_8_64, RHCOS, RHEL_9_64)"
   }
@@ -200,6 +200,7 @@ variable "ocp_version" {
       var.ocp_version == "4.15",
       var.ocp_version == "4.16",
       var.ocp_version == "4.17",
+      var.ocp_version == "4.18",
     ])
     error_message = "The specified ocp_version is not of the valid versions."
   }