-value` format. | `string` | `"cloud-monitoring-target"` | no |
+| [network\_acls](#input\_network\_acls) | The list of ACLs to create. Provide at least one rule for each ACL. | list(
object({
name = string
add_ibm_cloud_internal_rules = optional(bool)
add_vpc_connectivity_rules = optional(bool)
prepend_ibm_rules = optional(bool)
rules = list(
object({
name = string
action = string
destination = string
direction = string
source = string
tcp = optional(
object({
port_max = optional(number)
port_min = optional(number)
source_port_max = optional(number)
source_port_min = optional(number)
})
)
udp = optional(
object({
port_max = optional(number)
port_min = optional(number)
source_port_max = optional(number)
source_port_min = optional(number)
})
)
icmp = optional(
object({
type = optional(number)
code = optional(number)
})
)
})
)
})
)
| [
{
"add_ibm_cloud_internal_rules": true,
"add_vpc_connectivity_rules": true,
"name": "vpc-acl",
"prepend_ibm_rules": true,
"rules": [
{
"action": "allow",
"destination": "0.0.0.0/0",
"direction": "inbound",
"name": "allow-443-inbound-source",
"source": "0.0.0.0/0",
"tcp": {
"source_port_max": 443,
"source_port_min": 443
}
},
{
"action": "allow",
"destination": "0.0.0.0/0",
"direction": "inbound",
"name": "allow-443-inbound-dest",
"source": "0.0.0.0/0",
"tcp": {
"port_max": 443,
"port_min": 443
}
},
{
"action": "allow",
"destination": "0.0.0.0/0",
"direction": "inbound",
"name": "allow-all-80-inbound",
"source": "0.0.0.0/0",
"tcp": {
"source_port_max": 80,
"source_port_min": 80
}
},
{
"action": "allow",
"destination": "0.0.0.0/0",
"direction": "inbound",
"name": "allow-all-ingress-inbound",
"source": "0.0.0.0/0",
"tcp": {
"source_port_max": 32767,
"source_port_min": 30000
}
},
{
"action": "allow",
"destination": "0.0.0.0/0",
"direction": "outbound",
"name": "allow-443-outbound-source",
"source": "0.0.0.0/0",
"tcp": {
"source_port_max": 443,
"source_port_min": 443
}
},
{
"action": "allow",
"destination": "0.0.0.0/0",
"direction": "outbound",
"name": "allow-443-outbound-dest",
"source": "0.0.0.0/0",
"tcp": {
"port_max": 443,
"port_min": 443
}
},
{
"action": "allow",
"destination": "0.0.0.0/0",
"direction": "outbound",
"name": "allow-all-80-outbound",
"source": "0.0.0.0/0",
"tcp": {
"port_max": 80,
"port_min": 80
}
},
{
"action": "allow",
"destination": "0.0.0.0/0",
"direction": "outbound",
"name": "allow-all-ingress-outbound",
"source": "0.0.0.0/0",
"tcp": {
"port_max": 32767,
"port_min": 30000
}
}
]
}
]
| no |
+| [number\_of\_lbs](#input\_number\_of\_lbs) | The total number of Load Balancers in the cluster that should be associated with the security groups defined in `additional_lb_security_group_ids` variable. | `number` | `1` | no |
+| [ocp\_cbr\_rules](#input\_ocp\_cbr\_rules) | The list of context-based restriction rules to create. | list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
tags = optional(list(object({
name = string
value = string
})), [])
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
})) | `[]` | no |
+| [ocp\_entitlement](#input\_ocp\_entitlement) | Value that is applied to the entitlements for OCP cluster provisioning. | `string` | `null` | no |
+| [openshift\_version](#input\_openshift\_version) | Version of the OpenShift cluster to provision. | `string` | `"4.19"` | no |
+| [pod\_subnet\_cidr](#input\_pod\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for pods. The subnet must have a CIDR of at least `/23` or larger. Default value is `172.30.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
+| [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To skip using a prefix, set this value to null or an empty string. | `string` | n/a | yes |
+| [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. | `string` | `"private"` | no |
+| [region](#input\_region) | The region to provision all resources in. | `string` | `"us-south"` | no |
+| [resource\_group\_id](#input\_resource\_group\_id) | The ID of an existing IBM Cloud resource group where the cluster is grouped. | `string` | n/a | yes |
+| [rotation\_enabled](#input\_rotation\_enabled) | If set to `true`, a rotation policy is enabled on the Key Protect instance. Only used if 'create\_key\_protect\_instance' is set to `true`. | `bool` | `true` | no |
+| [rotation\_interval\_month](#input\_rotation\_interval\_month) | Specifies how often keys are rotated in months. Value must be between `1` and `12` inclusive. Only used if 'create\_key\_protect\_instance' is set to `true`. | `number` | `1` | no |
+| [routes](#input\_routes) | Allows you to specify the next hop for packets based on their destination address. | list(
object({
name = string
route_direct_link_ingress = optional(bool)
route_transit_gateway_ingress = optional(bool)
route_vpc_zone_ingress = optional(bool)
routes = optional(
list(
object({
action = optional(string)
zone = number
destination = string
next_hop = string
})
))
})
)
| `[]` | no |
+| [scc\_workload\_protection\_access\_tags](#input\_scc\_workload\_protection\_access\_tags) | A list of access tags to apply to the Workload Protection instance. Maximum length: 128 characters. Possible characters are A-Z, 0-9, spaces, underscores, hyphens, periods, and colons. | `list(string)` | `[]` | no |
+| [scc\_workload\_protection\_instance\_name](#input\_scc\_workload\_protection\_instance\_name) | The name for the Workload Protection instance that is created by this solution. Must begin with a letter. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"scc-workload-protection"` | no |
+| [scc\_workload\_protection\_instance\_tags](#input\_scc\_workload\_protection\_instance\_tags) | The list of tags to add to the Workload Protection instance. | `list(string)` | `[]` | no |
+| [scc\_workload\_protection\_resource\_key\_tags](#input\_scc\_workload\_protection\_resource\_key\_tags) | The tags associated with the Workload Protection resource key. | `list(string)` | `[]` | no |
+| [scc\_workload\_protection\_service\_plan](#input\_scc\_workload\_protection\_service\_plan) | The pricing plan for the Workload Protection instance service. Possible values: `free-trial`, `graduated-tier`. | `string` | `"graduated-tier"` | no |
+| [scc\_workload\_protection\_trusted\_profile\_name](#input\_scc\_workload\_protection\_trusted\_profile\_name) | The name to give the trusted profile that is created by this module if `cspm_enabled` is `true. Must begin with a letter. If a prefix input variable is specified, the prefix is added to the name in the `-` format.` | `string` | `"workload-protection-trusted-profile"` | no |
+| [scc\_wp\_cbr\_rules](#input\_scc\_wp\_cbr\_rules) | The list of context-based restriction rules to create for the instance. | list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
tags = optional(list(object({
name = string
value = string
})), [])
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
})) | `[]` | no |
+| [secret\_groups](#input\_secret\_groups) | Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. If you do not wish to create any groups, set the value to `[]`. | list(object({
secret_group_name = string
secret_group_description = optional(string)
create_access_group = optional(bool, true)
access_group_name = optional(string)
access_group_roles = optional(list(string), ["SecretsReader"])
access_group_tags = optional(list(string))
})) | [
{
"access_group_name": "general-secrets-group-access-group",
"access_group_roles": [
"SecretsReader"
],
"create_access_group": true,
"secret_group_description": "A general purpose secrets group with an associated access group which has a secrets reader role",
"secret_group_name": "General"
}
]
| no |
+| [secrets\_manager\_allowed\_network](#input\_secrets\_manager\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. | `string` | `"private-only"` | no |
+| [secrets\_manager\_cbr\_rules](#input\_secrets\_manager\_cbr\_rules) | (Optional, list) List of CBR rules to create. | list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
})) | `[]` | no |
+| [secrets\_manager\_endpoint\_type](#input\_secrets\_manager\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"private"` | no |
+| [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no |
+| [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(string)` | `[]` | no |
+| [secrets\_manager\_secret\_group\_id](#input\_secrets\_manager\_secret\_group\_id) | Secret group ID where Ingress secrets are stored in the Secrets Manager instance. If 'enable\_secrets\_manager\_integration' is set to true and 'secrets\_manager\_secret\_group\_id' is not provided, a new group will be created with the same name as cluster\_id. | `string` | `null` | no |
+| [secrets\_manager\_service\_plan](#input\_secrets\_manager\_service\_plan) | The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. | `string` | `"standard"` | no |
+| [security\_group\_rules](#input\_security\_group\_rules) | A list of security group rules to be added to the default vpc security group (default empty). | list(
object({
name = string
direction = string
remote = optional(string)
local = optional(string)
ip_version = optional(string)
tcp = optional(
object({
port_max = optional(number)
port_min = optional(number)
})
)
udp = optional(
object({
port_max = optional(number)
port_min = optional(number)
})
)
icmp = optional(
object({
type = optional(number)
code = optional(number)
})
)
})
)
| `[]` | no |
+| [service\_cred](#input\_service\_cred) | Service configuration for COS. | list(object({
secret_group_name = string # pragma: allowlist secret
secret_group_description = optional(string) # pragma: allowlist secret
existing_secret_group = optional(bool) # pragma: allowlist secret
service_credentials = list(object({ # pragma: allowlist secret
secret_name = string # pragma: allowlist secret
service_credentials_source_service_role_crn = string # pragma: allowlist secret
secret_labels = optional(list(string)) # pragma: allowlist secret
secret_auto_rotation = optional(bool) # pragma: allowlist secret
secret_auto_rotation_unit = optional(string) # pragma: allowlist secret
secret_auto_rotation_interval = optional(number) # pragma: allowlist secret
service_credentials_ttl = optional(string) # pragma: allowlist secret
service_credential_secret_description = optional(string) # pragma: allowlist secret
}))
})) | `[]` | no |
+| [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
+| [skip\_activity\_tracker\_cos\_auth\_policy](#input\_skip\_activity\_tracker\_cos\_auth\_policy) | To skip creating an IAM authorization policy that allows the Activity Tracker to write to the Cloud Object Storage instance, set this variable to `true`. | `bool` | `false` | no |
+| [skip\_app\_config\_event\_notifications\_auth\_policy](#input\_skip\_app\_config\_event\_notifications\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits App configuration instances to integrate with Event Notification in the same account. | `bool` | `false` | no |
+| [skip\_app\_config\_kms\_auth\_policy](#input\_skip\_app\_config\_kms\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits App configuration instances in the resource group to read the encryption key from the KMS instance in the same account. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the other account. | `bool` | `false` | no |
+| [skip\_cloud\_logs\_cos\_auth\_policy](#input\_skip\_cloud\_logs\_cos\_auth\_policy) | To skip creating an IAM authorization policy that allows the IBM Cloud logs to write to the Cloud Object Storage bucket, set this variable to `true`. | `bool` | `false` | no |
+| [skip\_event\_notifications\_cos\_auth\_policy](#input\_skip\_event\_notifications\_cos\_auth\_policy) | Set to `true` to skip the creation of an IAM authorization policy that permits the Event Notifications instance `Object Writer` and `Reader` access to the given Object Storage bucket. Set to `true` to use an existing policy. | `bool` | `false` | no |
+| [skip\_event\_notifications\_kms\_auth\_policy](#input\_skip\_event\_notifications\_kms\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits the Event Notifications instance to read the encryption key from the KMS instance. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no |
+| [skip\_event\_notifications\_secrets\_manager\_auth\_policy](#input\_skip\_event\_notifications\_secrets\_manager\_auth\_policy) | Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Event Notification.If set to false, the Secrets Manager instance passed by the user is granted the Key Manager access to the Event Notifications instance created by the Deployable Architecture. Set to `true` to use an existing policy. The value of this is ignored if any value for 'existing\_secrets\_manager\_crn' is not passed. | `bool` | `false` | no |
+| [skip\_logs\_routing\_auth\_policy](#input\_skip\_logs\_routing\_auth\_policy) | Whether to create an IAM authorization policy that permits the Logs Routing server 'Sender' access to the IBM Cloud Logs instance created by this Deployable Architecture. | `bool` | `false` | no |
+| [skip\_ocp\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_ocp\_secrets\_manager\_iam\_auth\_policy) | To skip creating auth policy that allows OCP cluster 'Manager' role access in the existing Secrets Manager instance for managing ingress certificates. | `bool` | `false` | no |
+| [skip\_secrets\_manager\_cos\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_cos\_iam\_auth\_policy) | Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Cloud Object Storage. Set to `true` to use an existing policy. | `bool` | `false` | no |
+| [skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no |
+| [skip\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_iam\_auth\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager instance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
+| [skip\_secrets\_manager\_kms\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_kms\_iam\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. | `bool` | `false` | no |
+| [skip\_vpc\_cos\_iam\_auth\_policy](#input\_skip\_vpc\_cos\_iam\_auth\_policy) | To skip creating an IAM authorization policy that allows the VPC to access the Cloud Object Storage, set this variable to `true`. Required only if `enable_vpc_flow_logs` is set to true. | `bool` | `false` | no |
+| [subnets](#input\_subnets) | List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addresses. Public gateways will be enabled only in zones where a gateway has been createds. | object({
zone-1 = list(object({
name = string
cidr = string
public_gateway = optional(bool)
acl_name = string
no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
subnet_tags = optional(list(string), [])
}))
zone-2 = optional(list(object({
name = string
cidr = string
public_gateway = optional(bool)
acl_name = string
no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
subnet_tags = optional(list(string), [])
})))
zone-3 = optional(list(object({
name = string
cidr = string
public_gateway = optional(bool)
acl_name = string
no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
subnet_tags = optional(list(string), [])
})))
}) | {
"zone-1": [
{
"acl_name": "vpc-acl",
"cidr": "10.10.10.0/24",
"name": "subnet-a",
"no_addr_prefix": false,
"public_gateway": true
}
],
"zone-2": [
{
"acl_name": "vpc-acl",
"cidr": "10.20.10.0/24",
"name": "subnet-b",
"no_addr_prefix": false,
"public_gateway": true
}
],
"zone-3": [
{
"acl_name": "vpc-acl",
"cidr": "10.30.10.0/24",
"name": "subnet-c",
"no_addr_prefix": false,
"public_gateway": true
}
]
} | no |
+| [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script runs kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, set this value to false. | `bool` | `true` | no |
+| [vpc\_access\_tags](#input\_vpc\_access\_tags) | The list of access tags to add to the VPC instance. | `list(string)` | `[]` | no |
+| [vpc\_flow\_logs\_access\_tags](#input\_vpc\_flow\_logs\_access\_tags) | The list of access tags to add to the VPC instance. | `list(string)` | `[]` | no |
+| [vpc\_name](#input\_vpc\_name) | Name of the VPC. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"vpc"` | no |
+| [vpc\_resource\_tags](#input\_vpc\_resource\_tags) | The list of tags to add to the VPC instance. | `list(string)` | `[]` | no |
+| [vpe\_gateway\_cloud\_service\_by\_crn](#input\_vpe\_gateway\_cloud\_service\_by\_crn) | The list of cloud service CRNs used to create endpoint gateways. Use this list to identify services that are not supported by service name in the `cloud_services` variable. For a list of supported services, see [VPE-enabled services](https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-supported-services). If `service_name` is not specified, the CRN is used to find the name. If `vpe_name` is not specified in the list, VPE names are created in the format `--`. | set(
object({
crn = string
vpe_name = optional(string) # Full control on the VPE name. If not specified, the VPE name will be computed based on prefix, vpc name and service name.
service_name = optional(string) # Name of the service used to compute the name of the VPE. If not specified, the service name will be obtained from the crn.
allow_dns_resolution_binding = optional(bool, true)
})
)
| `[]` | no |
+| [vpe\_gateway\_cloud\_services](#input\_vpe\_gateway\_cloud\_services) | The list of cloud services used to create endpoint gateways. If `vpe_name` is not specified in the list, VPE names are created in the format `--`. | set(object({
service_name = string
vpe_name = optional(string), # Full control on the VPE name. If not specified, the VPE name will be computed based on prefix, vpc name and service name.
allow_dns_resolution_binding = optional(bool, false)
})) | `[]` | no |
+| [vpe\_gateway\_reserved\_ips](#input\_vpe\_gateway\_reserved\_ips) | Map of existing reserved IP names and values. Leave this value as default if you want to create new reserved ips, this value is used when a user passes their existing reserved ips created here and not attempt to recreate those. | object({
name = optional(string) # reserved ip name
}) | `{}` | no |
+| [vpe\_gateway\_security\_group\_ids](#input\_vpe\_gateway\_security\_group\_ids) | List of security group ids to attach to each endpoint gateway. | `list(string)` | `null` | no |
+| [vpe\_gateway\_service\_endpoints](#input\_vpe\_gateway\_service\_endpoints) | Service endpoints to use to create endpoint gateways. Can be `public`, or `private`. | `string` | `"private"` | no |
+| [vpn\_gateways](#input\_vpn\_gateways) | List of VPN Gateways to create. | list(
object({
name = string
subnet_name = string # Do not include prefix, use same name as in `var.subnets`
mode = optional(string)
resource_group = optional(string)
access_tags = optional(list(string), [])
})
)
| `[]` | no |
+| [worker\_pools\_taints](#input\_worker\_pools\_taints) | Optional, Map of lists containing node taints by node-pool name. | `map(list(object({ key = string, value = string, effect = string })))` | `null` | no |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| [activity\_tracker\_cos\_target\_bucket\_name](#output\_activity\_tracker\_cos\_target\_bucket\_name) | he name of the object storage bucket which is set as activity tracker event routing target to collect audit events. |
+| [activity\_tracker\_routes](#output\_activity\_tracker\_routes) | The map of created Activity Tracker Event Routing routes |
+| [activity\_tracker\_targets](#output\_activity\_tracker\_targets) | The map of created Activity Tracker Event Routing targets |
+| [cloud\_logs\_crn](#output\_cloud\_logs\_crn) | The id of the provisioned IBM Cloud Logs instance. |
+| [cloud\_logs\_guid](#output\_cloud\_logs\_guid) | The guid of the provisioned IBM Cloud Logs instance. |
+| [cloud\_logs\_ingress\_endpoint](#output\_cloud\_logs\_ingress\_endpoint) | The public ingress endpoint of the provisioned IBM Cloud Logs instance. |
+| [cloud\_logs\_ingress\_private\_endpoint](#output\_cloud\_logs\_ingress\_private\_endpoint) | The private ingress endpoint of the provisioned IBM Cloud Logs instance. |
+| [cloud\_logs\_logs\_policies\_details](#output\_cloud\_logs\_logs\_policies\_details) | The details of the IBM Cloud logs policies created. |
+| [cloud\_logs\_name](#output\_cloud\_logs\_name) | The name of the provisioned IBM Cloud Logs instance. |
+| [cloud\_monitoring\_access\_key](#output\_cloud\_monitoring\_access\_key) | The IBM Cloud Monitoring access key for agents to use |
+| [cloud\_monitoring\_access\_key\_name](#output\_cloud\_monitoring\_access\_key\_name) | The name of the IBM Cloud Monitoring access key for agents to use |
+| [cloud\_monitoring\_crn](#output\_cloud\_monitoring\_crn) | The id of the provisioned IBM Cloud Monitoring instance. |
+| [cloud\_monitoring\_guid](#output\_cloud\_monitoring\_guid) | The guid of the provisioned IBM Cloud Monitoring instance. |
+| [cloud\_monitoring\_name](#output\_cloud\_monitoring\_name) | The name of the provisioned IBM Cloud Monitoring instance. |
+| [cluster\_crn](#output\_cluster\_crn) | The Cloud Resource Name (CRN) of the provisioned OpenShift cluster. |
+| [cluster\_id](#output\_cluster\_id) | The unique identifier assigned to the provisioned OpenShift cluster. |
+| [cluster\_name](#output\_cluster\_name) | The name of the provisioned OpenShift cluster. |
+| [cos\_instance\_crn](#output\_cos\_instance\_crn) | COS instance crn |
+| [cos\_instance\_guid](#output\_cos\_instance\_guid) | COS instance guid |
+| [cos\_instance\_id](#output\_cos\_instance\_id) | COS instance ID |
+| [events\_notification\_crn](#output\_events\_notification\_crn) | Event Notification crn |
+| [events\_notification\_guid](#output\_events\_notification\_guid) | Event Notification guid |
+| [kms\_account\_id](#output\_kms\_account\_id) | The account ID of the KMS instance. |
+| [kms\_guid](#output\_kms\_guid) | KMS instance GUID |
+| [kms\_instance\_crn](#output\_kms\_instance\_crn) | The CRN of the KMS instance |
+| [logs\_bucket\_crn](#output\_logs\_bucket\_crn) | Logs Cloud Object Storage bucket CRN |
+| [metrics\_bucket\_crn](#output\_metrics\_bucket\_crn) | Metrics Cloud Object Storage bucket CRN |
+| [network\_acls](#output\_network\_acls) | List of shortnames and IDs of network ACLs. |
+| [ocp\_version](#output\_ocp\_version) | The version of OpenShift running on the provisioned cluster. |
+| [private\_path\_subnet\_id](#output\_private\_path\_subnet\_id) | The IDs of the subnets. |
+| [public\_gateways](#output\_public\_gateways) | Map of the public gateways by zone. |
+| [scc\_workload\_protection\_api\_endpoint](#output\_scc\_workload\_protection\_api\_endpoint) | SCC Workload Protection API endpoint |
+| [scc\_workload\_protection\_crn](#output\_scc\_workload\_protection\_crn) | SCC Workload Protection instance CRN |
+| [scc\_workload\_protection\_id](#output\_scc\_workload\_protection\_id) | SCC Workload Protection instance ID |
+| [scc\_workload\_protection\_ingestion\_endpoint](#output\_scc\_workload\_protection\_ingestion\_endpoint) | SCC Workload Protection instance ingestion endpoint |
+| [scc\_workload\_protection\_name](#output\_scc\_workload\_protection\_name) | SCC Workload Protection instance name |
+| [secrets\_manager\_crn](#output\_secrets\_manager\_crn) | CRN of the Secrets Manager instance |
+| [secrets\_manager\_guid](#output\_secrets\_manager\_guid) | GUID of Secrets Manager instance |
+| [secrets\_manager\_region](#output\_secrets\_manager\_region) | Region of the Secrets Manager instance |
+| [subnet\_detail\_list](#output\_subnet\_detail\_list) | A list of subnets containing names, CIDR blocks, and zones. |
+| [subnet\_detail\_map](#output\_subnet\_detail\_map) | A map of subnets containing IDs, CIDR blocks, and zones. |
+| [subnet\_ids](#output\_subnet\_ids) | The IDs of the subnets. |
+| [subnet\_zone\_list](#output\_subnet\_zone\_list) | A list of subnet IDs and subnet zones. |
+| [vpc\_crn](#output\_vpc\_crn) | CRN of the VPC created. |
+| [vpc\_flow\_logs](#output\_vpc\_flow\_logs) | Details of the VPC flow logs collector. |
+| [vpc\_id](#output\_vpc\_id) | ID of the VPC created. |
+| [vpc\_name](#output\_vpc\_name) | Name of the VPC created. |
+| [vpe\_crn](#output\_vpe\_crn) | The CRN of the endpoint gateway. |
+| [vpe\_ips](#output\_vpe\_ips) | The reserved IPs for endpoint gateways. |
+| [vpn\_gateways\_data](#output\_vpn\_gateways\_data) | Details of VPN gateways data. |
+| [vpn\_gateways\_name](#output\_vpn\_gateways\_name) | List of names of VPN gateways. |
+| [workerpools](#output\_workerpools) | A list of worker pools associated with the provisioned cluster |
+
diff --git a/modules/containerized_app_landing_zone/main.tf b/modules/containerized_app_landing_zone/main.tf
new file mode 100644
index 00000000..fc2dc5c0
--- /dev/null
+++ b/modules/containerized_app_landing_zone/main.tf
@@ -0,0 +1,1072 @@
+#################################################################################
+# KMS
+#################################################################################
+
+module "existing_kms_crn_parser" {
+ count = var.existing_kms_instance_crn != null ? 1 : 0
+ source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+ version = "1.3.0"
+ crn = var.existing_kms_instance_crn
+}
+
+module "existing_cluster_kms_key_crn_parser" {
+ count = var.existing_cluster_kms_key_crn != null ? 1 : 0
+ source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+ version = "1.3.0"
+ crn = var.existing_cluster_kms_key_crn
+}
+
+module "existing_boot_volume_kms_key_crn_parser" {
+ count = var.existing_boot_volume_kms_key_crn != null ? 1 : 0
+ source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+ version = "1.3.0"
+ crn = var.existing_boot_volume_kms_key_crn
+}
+
+locals {
+ prefix = var.prefix != null ? trimspace(var.prefix) != "" ? "${var.prefix}-" : "" : ""
+ cluster_existing_kms_guid = var.existing_kms_instance_crn != null && var.kms_encryption_enabled_cluster ? module.existing_kms_crn_parser[0].service_instance : var.existing_cluster_kms_key_crn != null ? module.existing_cluster_kms_key_crn_parser[0].service_instance : var.kms_encryption_enabled_cluster ? module.kms[0].kms_guid : null
+ cluster_kms_account_id = var.existing_kms_instance_crn != null && var.kms_encryption_enabled_cluster ? module.existing_kms_crn_parser[0].account_id : var.existing_cluster_kms_key_crn != null ? module.existing_cluster_kms_key_crn_parser[0].account_id : var.kms_encryption_enabled_cluster ? module.kms[0].kms_account_id : null
+ cluster_kms_key_id = var.existing_kms_instance_crn != null && var.kms_encryption_enabled_cluster ? module.kms[0].keys[format("%s.%s", local.cluster_key_ring_name, local.cluster_key_name)].key_id : var.existing_cluster_kms_key_crn != null ? module.existing_cluster_kms_key_crn_parser[0].resource : var.kms_encryption_enabled_cluster ? module.kms[0].keys[format("%s.%s", local.cluster_key_ring_name, local.cluster_key_name)].key_id : null
+ cluster_kms_key_crn = var.kms_encryption_enabled_cluster ? module.kms[0].keys[format("%s.%s", local.cluster_key_ring_name, local.cluster_key_name)].crn : var.existing_cluster_kms_key_crn != null ? var.existing_boot_volume_kms_key_crn : var.kms_encryption_enabled_cluster ? module.kms[0].key_protect_crn : null
+ cluster_key_ring_name = "${local.prefix}${var.cluster_kms_key_ring_name}"
+ cluster_key_name = "${local.prefix}${var.cluster_kms_key_name}"
+ cluster_name = "${local.prefix}${var.cluster_name}"
+
+ boot_volume_key_ring_name = "${local.prefix}${var.boot_volume_kms_key_ring_name}"
+ boot_volume_key_name = "${local.prefix}${var.boot_volume_kms_key_name}"
+ boot_volume_existing_kms_guid = var.existing_kms_instance_crn != null && var.kms_encryption_enabled_boot_volume ? module.existing_kms_crn_parser[0].service_instance : var.existing_boot_volume_kms_key_crn != null ? module.existing_boot_volume_kms_key_crn_parser[0].service_instance : var.kms_encryption_enabled_cluster ? module.kms[0].kms_guid : null
+ boot_volume_kms_account_id = var.existing_kms_instance_crn != null && var.kms_encryption_enabled_boot_volume ? module.existing_kms_crn_parser[0].account_id : var.existing_boot_volume_kms_key_crn != null ? module.existing_boot_volume_kms_key_crn_parser[0].account_id : var.kms_encryption_enabled_cluster ? module.kms[0].kms_account_id : null
+ boot_volume_kms_key_id = var.existing_kms_instance_crn != null && var.kms_encryption_enabled_boot_volume ? module.kms[0].keys[format("%s.%s", local.boot_volume_key_ring_name, local.boot_volume_key_name)].key_id : var.existing_boot_volume_kms_key_crn != null ? module.existing_boot_volume_kms_key_crn_parser[0].resource : var.kms_encryption_enabled_boot_volume ? module.kms[0].keys[format("%s.%s", local.boot_volume_key_ring_name, local.boot_volume_key_name)].key_id : null
+ parsed_service_name = var.existing_kms_instance_crn != null ? module.existing_kms_crn_parser[0].service_name : (var.existing_cluster_kms_key_crn != null ? module.existing_cluster_kms_key_crn_parser[0].service_name : null)
+ is_hpcs_key = local.parsed_service_name == "hs-crypto" ? true : false
+
+ kms_config = var.kms_encryption_enabled_cluster ? {
+ crk_id = local.cluster_kms_key_id
+ instance_id = local.cluster_existing_kms_guid
+ private_endpoint = var.kms_endpoint_type == "private" ? true : false
+ account_id = local.cluster_kms_account_id
+ } : null
+
+ keys = [
+ var.kms_encryption_enabled_cluster ? {
+ key_ring_name = local.cluster_key_ring_name
+ existing_key_ring = false
+ keys = [
+ {
+ key_name = local.cluster_key_name
+ standard_key = false
+ rotation_interval_month = 3
+ dual_auth_delete_enabled = false
+ force_delete = true
+ }
+ ]
+ } : null,
+ var.kms_encryption_enabled_boot_volume ? {
+ key_ring_name = local.boot_volume_key_ring_name
+ existing_key_ring = false
+ keys = [
+ {
+ key_name = local.boot_volume_key_name
+ standard_key = false
+ rotation_interval_month = 3
+ dual_auth_delete_enabled = false
+ force_delete = true
+ }
+ ]
+ } : null
+ ]
+}
+
+module "kms" {
+ count = (var.kms_encryption_enabled_boot_volume && var.existing_boot_volume_kms_key_crn == null) || (var.kms_encryption_enabled_cluster && var.existing_cluster_kms_key_crn == null) ? 1 : 0
+ source = "terraform-ibm-modules/kms-all-inclusive/ibm"
+ version = "5.4.5"
+ resource_group_id = var.resource_group_id
+ region = var.region
+ create_key_protect_instance = var.existing_kms_instance_crn != null || var.existing_cluster_kms_key_crn != null || var.existing_boot_volume_kms_key_crn != null ? false : true
+ existing_kms_instance_crn = var.existing_kms_instance_crn
+ key_protect_instance_name = "${local.prefix}${var.kms_instance_name}"
+ key_protect_plan = var.kms_plan
+ rotation_enabled = var.rotation_enabled
+ rotation_interval_month = var.rotation_interval_month
+ dual_auth_delete_enabled = var.dual_auth_delete_enabled
+ enable_metrics = var.enable_metrics
+ key_create_import_access_enabled = var.key_create_import_access_enabled
+ key_protect_allowed_network = var.key_protect_allowed_network
+ key_ring_endpoint_type = var.kms_endpoint_type
+ key_endpoint_type = var.kms_endpoint_type
+ resource_tags = var.kms_resource_tags
+ access_tags = var.kms_access_tags
+ keys = [for key in local.keys : key if key != null]
+ cbr_rules = var.kms_cbr_rules
+}
+
+#################################################################################
+# Cloud Monitoring
+#################################################################################
+
+module "existing_cloud_monitoring_crn_parser" {
+ count = var.existing_cloud_monitoring_crn != null ? 1 : 0
+ source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+ version = "1.3.0"
+ crn = var.existing_cloud_monitoring_crn
+}
+
+locals {
+ create_cloud_monitoring = var.existing_cloud_monitoring_crn == null
+ cloud_monitoring_crn = local.create_cloud_monitoring ? module.cloud_monitoring[0].crn : var.existing_cloud_monitoring_crn
+ cloud_monitoring_instance_name = "${local.prefix}${var.cloud_monitoring_instance_name}"
+ metrics_router_target_name = "${local.prefix}${var.metrics_routing_target_name}"
+ metrics_router_route_name = "${local.prefix}${var.metrics_routing_route_name}"
+
+ default_metrics_router_route = var.enable_metrics_routing_to_cloud_monitoring ? [{
+ name = local.metrics_router_route_name
+ rules = [{
+ action = "send"
+ targets = [{
+ id = module.metrics_routing[0].metrics_router_targets[local.metrics_router_target_name].id
+ }]
+ inclusion_filters = []
+ }]
+ }] : []
+}
+
+module "cloud_monitoring" {
+ count = local.create_cloud_monitoring ? 1 : 0
+ source = "terraform-ibm-modules/cloud-monitoring/ibm"
+ version = "1.11.0"
+ resource_group_id = var.resource_group_id
+ region = var.region
+ instance_name = local.cloud_monitoring_instance_name
+ plan = var.cloud_monitoring_plan
+ resource_tags = var.cloud_monitoring_resource_tags
+ access_tags = var.cloud_monitoring_access_tags
+ resource_keys = var.cloud_monitoring_resource_keys
+ disable_access_key_creation = var.disable_access_key_creation
+ service_endpoints = "public-and-private"
+ enable_platform_metrics = var.enable_platform_metrics
+ cbr_rules = var.cloud_monitoring_cbr_rules
+}
+
+module "metrics_routing" {
+ count = var.enable_metrics_routing_to_cloud_monitoring ? 1 : 0
+ source = "terraform-ibm-modules/cloud-monitoring/ibm//modules/metrics_routing"
+ version = "1.11.0"
+ metrics_router_targets = [
+ {
+ destination_crn = local.cloud_monitoring_crn
+ target_name = local.metrics_router_target_name
+ target_region = var.region
+ skip_metrics_router_auth_policy = false
+ }
+ ]
+
+ metrics_router_routes = length(var.metrics_router_routes) != 0 ? var.metrics_router_routes : local.default_metrics_router_route
+ metrics_router_settings = var.enable_primary_metadata_region ? { primary_metadata_region = var.region } : null
+}
+
+
+
+########################################################################################################################
+# Event Notifications
+########################################################################################################################
+
+# If existing EN instance CRN passed, parse details from it
+module "existing_en_crn_parser" {
+ count = var.existing_event_notifications_instance_crn != null ? 1 : 0
+ source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+ version = "1.3.0"
+ crn = var.existing_event_notifications_instance_crn
+}
+
+locals {
+ use_existing_en_instance = var.existing_event_notifications_instance_crn != null
+ existing_en_instance_guid = local.use_existing_en_instance ? module.existing_en_crn_parser[0].service_instance : null
+ eventnotification_guid = local.use_existing_en_instance ? local.existing_en_instance_guid : module.event_notifications[0].guid
+ eventnotification_crn = local.use_existing_en_instance ? var.existing_event_notifications_instance_crn : module.event_notifications[0].crn
+ en_cos_bucket_name = "${local.prefix}${var.en_cos_bucket_name}"
+}
+
+module "event_notifications" {
+ count = local.use_existing_en_instance ? 0 : 1
+ source = "terraform-ibm-modules/event-notifications/ibm"
+ version = "2.7.0"
+ resource_group_id = var.resource_group_id
+ region = var.region
+ name = "${local.prefix}${var.event_notifications_instance_name}"
+ plan = var.en_service_plan
+ tags = var.en_resource_tags
+ access_tags = var.en_access_tags
+ service_endpoints = var.en_service_endpoints
+ service_credential_names = var.en_service_credential_names
+ # KMS Related
+ kms_encryption_enabled = var.kms_encryption_enabled_cluster
+ kms_endpoint_url = (var.kms_encryption_enabled_boot_volume && var.existing_boot_volume_kms_key_crn == null) || (var.kms_encryption_enabled_cluster && var.existing_cluster_kms_key_crn == null) ? var.kms_endpoint_type == "private" ? module.kms[0].kms_private_endpoint : module.kms[0].kms_public_endpoint : var.kms_endpoint_url
+ existing_kms_instance_crn = var.existing_kms_instance_crn != null ? var.existing_kms_instance_crn : module.kms[0].key_protect_crn
+ root_key_id = local.cluster_kms_key_id
+ skip_en_kms_auth_policy = var.skip_event_notifications_kms_auth_policy
+ # COS Related
+ cos_integration_enabled = var.enable_collecting_failed_events
+ cos_bucket_name = var.existing_event_notifications_instance_crn == null && var.enable_collecting_failed_events ? module.en_cos_buckets[0].buckets[local.en_cos_bucket_name].bucket_name : null
+ cos_instance_id = var.existing_cos_instance_crn != null ? module.existing_cos_instance_crn_parser[0].resource : module.cos[0].cos_instance_id
+ skip_en_cos_auth_policy = var.skip_event_notifications_cos_auth_policy
+ cos_endpoint = var.existing_event_notifications_instance_crn == null && var.enable_collecting_failed_events ? "https://${module.en_cos_buckets[0].buckets[local.en_cos_bucket_name].s3_endpoint_direct}" : null
+ cbr_rules = var.en_cbr_rules
+}
+
+locals {
+ bucket_config = [{
+ access_tags = var.en_cos_bucket_access_tags
+ bucket_name = local.en_cos_bucket_name
+ add_bucket_name_suffix = var.append_random_bucket_name_suffix
+ kms_encryption_enabled = var.kms_encryption_enabled_buckets
+ kms_guid = local.cluster_existing_kms_guid
+ kms_key_crn = local.cluster_kms_key_crn
+ skip_iam_authorization_policy = false
+ management_endpoint_type = var.management_endpoint_type_for_buckets
+ storage_class = var.cos_buckets_class
+ resource_instance_id = var.existing_cos_instance_crn != null ? module.existing_cos_instance_crn_parser[0].resource : module.cos[0].cos_instance_id
+ region_location = var.region
+ activity_tracking = {
+ read_data_events = true
+ write_data_events = true
+ management_events = true
+ }
+ metrics_monitoring = {
+ usage_metrics_enabled = true
+ request_metrics_enabled = true
+ metrics_monitoring_crn = var.existing_cloud_monitoring_crn != null ? var.existing_cloud_monitoring_crn : module.cloud_monitoring[0].crn
+ }
+ force_delete = true
+ }]
+}
+
+module "en_cos_buckets" {
+ count = var.enable_collecting_failed_events && var.existing_event_notifications_instance_crn == null ? 1 : 0
+ source = "terraform-ibm-modules/cos/ibm//modules/buckets"
+ version = "10.5.8"
+ bucket_configs = local.bucket_config
+}
+
+########################################################################################################################
+# Service Credentials
+########################################################################################################################
+
+# If existing EN instance CRN passed, parse details from it
+module "existing_sm_crn_parser" {
+ count = var.existing_secrets_manager_crn != null ? 1 : 0
+ source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+ version = "1.3.0"
+ crn = var.existing_secrets_manager_crn
+}
+
+locals {
+ en_service_credential_secrets = [
+ for service_credentials in var.en_service_credential_secrets : {
+ secret_group_name = service_credentials.secret_group_name
+ secret_group_description = service_credentials.secret_group_description
+ existing_secret_group = service_credentials.existing_secret_group
+ secrets = [
+ for secret in service_credentials.service_credentials : {
+ secret_name = secret.secret_name
+ secret_labels = secret.secret_labels
+ secret_auto_rotation = secret.secret_auto_rotation
+ secret_auto_rotation_unit = secret.secret_auto_rotation_unit
+ secret_auto_rotation_interval = secret.secret_auto_rotation_interval
+ service_credentials_ttl = secret.service_credentials_ttl
+ service_credential_secret_description = secret.service_credential_secret_description
+ service_credentials_source_service_role_crn = secret.service_credentials_source_service_role_crn
+ service_credentials_source_service_crn = local.eventnotification_crn
+ secret_type = "service_credentials" #checkov:skip=CKV_SECRET_6
+ }
+ ]
+ }
+ ]
+}
+
+# create a service authorization between Secrets Manager and the target service (Event Notification)
+resource "ibm_iam_authorization_policy" "en_secrets_manager_key_manager" {
+ count = var.skip_event_notifications_secrets_manager_auth_policy || var.existing_secrets_manager_crn == null ? 0 : 1
+ source_service_name = "secrets-manager"
+ source_resource_instance_id = local.existing_secrets_manager_instance_guid
+ target_service_name = "event-notifications"
+ target_resource_instance_id = local.eventnotification_guid
+ roles = ["Key Manager"]
+ description = "Allow Secrets Manager instance to manage key for the event-notification instance"
+}
+
+# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
+resource "time_sleep" "wait_for_en_authorization_policy" {
+ depends_on = [ibm_iam_authorization_policy.en_secrets_manager_key_manager]
+ create_duration = "30s"
+}
+
+module "en_secrets_manager_service_credentials" {
+ count = length(local.en_service_credential_secrets) > 0 ? 1 : 0
+ depends_on = [time_sleep.wait_for_en_authorization_policy]
+ source = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
+ version = "2.11.9"
+ existing_sm_instance_guid = local.existing_secrets_manager_instance_guid
+ existing_sm_instance_region = local.existing_secrets_manager_instance_region
+ endpoint_type = var.secrets_manager_endpoint_type
+ secrets = local.en_service_credential_secrets
+}
+
+#################################################################################
+# Secrets Manager
+#################################################################################
+
+locals {
+ enable_secrets_manager_cluster = var.existing_secrets_manager_crn == null ? true : false
+ parsed_existing_secrets_manager_crn = var.existing_secrets_manager_crn != null ? split(":", var.existing_secrets_manager_crn) : []
+ secrets_manager_guid = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[7] : null) : module.secrets_manager[0].secrets_manager_guid
+ secrets_manager_crn = var.existing_secrets_manager_crn != null ? var.existing_secrets_manager_crn : module.secrets_manager[0].secrets_manager_crn
+ secrets_manager_region = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[5] : null) : module.secrets_manager[0].secrets_manager_region
+ secret_groups_with_prefix = [
+ for group in var.secret_groups : merge(group, {
+ access_group_name = group.access_group_name != null ? "${local.prefix}${group.access_group_name}" : null
+ })
+ ]
+}
+
+module "secrets_manager_crn_parser" {
+ count = var.existing_secrets_manager_crn != null ? 1 : 0
+ source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+ version = "1.3.0"
+ crn = var.existing_secrets_manager_crn
+}
+
+module "secrets_manager" {
+ count = local.enable_secrets_manager_cluster ? 1 : 0
+ source = "terraform-ibm-modules/secrets-manager/ibm"
+ version = "2.11.9"
+ existing_sm_instance_crn = var.existing_secrets_manager_crn
+ resource_group_id = var.resource_group_id
+ region = var.region
+ secrets_manager_name = "${local.prefix}${var.secrets_manager_instance_name}"
+ sm_service_plan = var.secrets_manager_service_plan
+ sm_tags = var.secrets_manager_resource_tags
+ skip_iam_authorization_policy = var.skip_secrets_manager_iam_auth_policy
+ # kms dependency
+ is_hpcs_key = local.is_hpcs_key
+ kms_encryption_enabled = var.kms_encryption_enabled_cluster
+ kms_key_crn = local.cluster_kms_key_crn
+ skip_kms_iam_authorization_policy = var.skip_secrets_manager_kms_iam_auth_policy #|| local.create_cross_account_auth_policy
+ # event notifications dependency
+ enable_event_notification = true
+ existing_en_instance_crn = local.eventnotification_crn
+ skip_en_iam_authorization_policy = var.skip_secrets_manager_event_notifications_iam_auth_policy
+ cbr_rules = var.secrets_manager_cbr_rules
+ endpoint_type = var.secrets_manager_endpoint_type
+ allowed_network = var.secrets_manager_allowed_network
+ secrets = local.secret_groups_with_prefix
+}
+
+#################################################################################
+# Secrets Manager Event Notifications Configuration
+#################################################################################
+
+locals {
+ parsed_existing_en_instance_crn = split(":", local.eventnotification_crn)
+ existing_en_guid = length(local.parsed_existing_en_instance_crn) > 0 ? local.parsed_existing_en_instance_crn[7] : null
+}
+
+data "ibm_en_destinations" "en_sm_destinations" {
+ # if existing SM instance CRN is passed (!= null), then never do data lookup for EN destinations
+ count = var.existing_secrets_manager_crn == null && local.enable_secrets_manager_cluster ? 1 : 0
+ instance_guid = local.existing_en_guid
+}
+
+# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5533
+resource "time_sleep" "wait_for_secrets_manager" {
+ # if existing SM instance CRN is passed (!= null), then never work with EN
+ count = var.existing_secrets_manager_crn == null && local.enable_secrets_manager_cluster ? 1 : 0
+ depends_on = [module.secrets_manager]
+
+ create_duration = "30s"
+}
+
+resource "ibm_en_topic" "en_sm_topic" {
+ # if existing SM instance CRN is passed (!= null), then never create EN topic
+ count = var.existing_secrets_manager_crn == null && local.enable_secrets_manager_cluster ? 1 : 0
+ depends_on = [time_sleep.wait_for_secrets_manager]
+ instance_guid = local.existing_en_guid
+ name = "Topic for Secrets Manager instance ${module.secrets_manager[0].secrets_manager_guid}"
+ description = "Topic for Secrets Manager events routing"
+ sources {
+ id = local.secrets_manager_crn
+ rules {
+ enabled = true
+ event_type_filter = "$.*"
+ }
+ }
+}
+
+resource "ibm_en_subscription_email" "en_email_subscription" {
+ # if existing SM instance CRN is passed (!= null), then never create EN email subscription
+ count = var.existing_secrets_manager_crn == null && length(var.event_notifications_email_list) > 0 && local.enable_secrets_manager_cluster ? 1 : 0
+ instance_guid = local.existing_en_guid
+ name = "Email for Secrets Manager Subscription"
+ description = "Subscription for Secret Manager Events"
+ destination_id = [for s in toset(data.ibm_en_destinations.en_sm_destinations[count.index].destinations) : s.id if s.type == "smtp_ibm"][0]
+ topic_id = ibm_en_topic.en_sm_topic[count.index].topic_id
+ attributes {
+ add_notification_payload = true
+ reply_to_mail = var.event_notifications_reply_to_email
+ reply_to_name = "Secret Manager Event Notifications Bot"
+ from_name = var.event_notifications_from_email
+ invited = var.event_notifications_email_list
+ }
+}
+
+#################################################################################
+# COS
+#################################################################################
+
+locals {
+ create_cos_instance = var.existing_cos_instance_crn == null ? true : false
+ existing_secrets_manager_instance_guid = var.existing_secrets_manager_crn != null ? module.secrets_manager_crn_parser[0].service_instance : local.enable_secrets_manager_cluster ? module.secrets_manager[0].secrets_manager_guid : ""
+ existing_secrets_manager_instance_region = var.existing_secrets_manager_crn != null ? module.secrets_manager_crn_parser[0].region : local.enable_secrets_manager_cluster ? module.secrets_manager[0].secrets_manager_region : ""
+
+ cos_service_credential_secrets = [
+ for service_credentials in var.service_cred : {
+ secret_group_name = service_credentials.secret_group_name
+ secret_group_description = service_credentials.secret_group_description
+ existing_secret_group = service_credentials.existing_secret_group
+ secrets = [
+ for secret in service_credentials.service_credentials : {
+ secret_name = secret.secret_name
+ secret_labels = secret.secret_labels
+ secret_auto_rotation = secret.secret_auto_rotation
+ secret_auto_rotation_unit = secret.secret_auto_rotation_unit
+ secret_auto_rotation_interval = secret.secret_auto_rotation_interval
+ service_credentials_ttl = secret.service_credentials_ttl
+ service_credential_secret_description = secret.service_credential_secret_description
+ service_credentials_source_service_role_crn = secret.service_credentials_source_service_role_crn
+ service_credentials_source_service_crn = var.existing_cos_instance_crn != null ? module.existing_cos_instance_crn_parser[0].service_instance : module.cos[0].cos_instance_id
+ secret_type = "service_credentials" #checkov:skip=CKV_SECRET_6
+ }
+ ]
+ }
+ ]
+}
+
+module "existing_cos_instance_crn_parser" {
+ count = var.existing_cos_instance_crn != null ? 1 : 0
+ source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+ version = "1.3.0"
+ crn = var.existing_cos_instance_crn
+}
+
+module "cos" {
+ count = local.create_cos_instance != false ? 1 : 0
+ source = "terraform-ibm-modules/cos/ibm//modules/fscloud"
+ version = "10.5.9"
+ resource_group_id = var.resource_group_id
+ create_cos_instance = local.create_cos_instance
+ cos_instance_name = "${local.prefix}${var.cos_instance_name}"
+ resource_keys = []
+ cos_plan = var.cos_instance_plan
+ cos_tags = var.cos_instance_resource_tags
+ access_tags = var.cos_instance_access_tags
+ instance_cbr_rules = var.cos_instance_cbr_rules
+}
+
+#################################################################################
+# Secrets Manager service credentials for COS
+#################################################################################
+
+# create s2s auth policy with Secrets Manager
+resource "ibm_iam_authorization_policy" "cos_secrets_manager_key_manager" {
+ count = !var.skip_secrets_manager_cos_iam_auth_policy && (var.existing_secrets_manager_crn != null || local.enable_secrets_manager_cluster) ? 1 : 0
+ source_service_name = "secrets-manager"
+ source_resource_instance_id = local.existing_secrets_manager_instance_guid
+ target_service_name = "cloud-object-storage"
+ target_resource_instance_id = var.existing_cos_instance_crn != null ? module.existing_cos_instance_crn_parser[0].service_instance : module.cos[0].cos_instance_guid
+ roles = ["Key Manager"]
+ description = "Allow Secrets Manager with instance id ${local.existing_secrets_manager_instance_guid} to manage key for the COS instance"
+}
+
+# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
+resource "time_sleep" "wait_for_cos_authorization_policy" {
+ count = length(local.cos_service_credential_secrets) > 0 ? 1 : 0
+ depends_on = [ibm_iam_authorization_policy.cos_secrets_manager_key_manager]
+ create_duration = "30s"
+}
+
+module "cos_secrets_manager_service_credentials" {
+ count = length(local.cos_service_credential_secrets) > 0 ? 1 : 0
+ depends_on = [time_sleep.wait_for_cos_authorization_policy]
+ source = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
+ version = "2.11.9"
+ existing_sm_instance_guid = local.existing_secrets_manager_instance_guid
+ existing_sm_instance_region = local.existing_secrets_manager_instance_region
+ endpoint_type = var.secrets_manager_endpoint_type
+ secrets = local.cos_service_credential_secrets
+}
+
+#################################################################################
+# Cloud Logs
+#################################################################################
+
+locals {
+ cloud_logs_instance_name = "${local.prefix}${var.cloud_logs_instance_name}"
+ create_cloud_logs = var.existing_cloud_logs_crn == null
+ cloud_logs_crn = local.create_cloud_logs ? module.cloud_logs[0].crn : var.existing_cloud_logs_crn
+
+ data_bucket_name = "${local.prefix}${var.cloud_logs_data_cos_bucket_name}"
+ metrics_bucket_name = "${local.prefix}${var.cloud_logs_metrics_cos_bucket_name}"
+ cos_instance_guid = var.existing_cos_instance_crn != null ? module.existing_cos_instance_crn_parser[0].service_instance : module.cos[0].cos_instance_guid
+}
+
+module "cloud_logs" {
+ depends_on = [time_sleep.wait_for_cos_authorization_policy[0]]
+ count = local.create_cloud_logs ? 1 : 0
+ source = "terraform-ibm-modules/cloud-logs/ibm"
+ version = "1.10.0"
+ resource_group_id = var.resource_group_id
+ region = var.region
+ instance_name = local.cloud_logs_instance_name
+ plan = "standard" # not a variable because there is only one option
+ resource_tags = var.cloud_logs_resource_tags
+ access_tags = var.cloud_logs_access_tags
+ retention_period = var.cloud_logs_retention_period
+ service_endpoints = "public-and-private" # not a variable because there is only one option
+ existing_event_notifications_instances = var.existing_event_notifications_instances
+ cbr_rules = var.cloud_logs_cbr_rules
+ data_storage = {
+ logs_data = {
+ enabled = true
+ bucket_crn = module.cloud_logs_buckets.buckets[local.data_bucket_name].bucket_crn
+ bucket_endpoint = module.cloud_logs_buckets.buckets[local.data_bucket_name].s3_endpoint_direct
+ skip_cos_auth_policy = var.skip_cloud_logs_cos_auth_policy
+ },
+ metrics_data = {
+ enabled = true
+ bucket_crn = module.cloud_logs_buckets.buckets[local.metrics_bucket_name].bucket_crn
+ bucket_endpoint = module.cloud_logs_buckets.buckets[local.metrics_bucket_name].s3_endpoint_direct
+ skip_cos_auth_policy = var.skip_cloud_logs_cos_auth_policy
+ }
+ }
+ logs_routing_tenant_regions = var.logs_routing_tenant_regions
+ skip_logs_routing_auth_policy = var.skip_logs_routing_auth_policy
+ policies = var.logs_policies
+}
+
+module "cloud_logs_buckets" {
+ source = "terraform-ibm-modules/cos/ibm//modules/buckets"
+ version = "10.5.8"
+ bucket_configs = [
+ {
+ bucket_name = local.data_bucket_name
+ kms_key_crn = var.kms_encryption_enabled_buckets ? local.cluster_kms_key_crn : null
+ kms_guid = var.kms_encryption_enabled_buckets ? local.cluster_existing_kms_guid : null
+ kms_encryption_enabled = var.kms_encryption_enabled_buckets
+ region_location = var.region
+ resource_instance_id = var.existing_cos_instance_crn != null ? module.existing_cos_instance_crn_parser[0].resource : module.cos[0].cos_instance_id
+ add_bucket_name_suffix = var.append_random_bucket_name_suffix
+ management_endpoint_type = var.management_endpoint_type_for_buckets
+ storage_class = var.cos_buckets_class
+ force_delete = true # If this is set to false, and the bucket contains data, the destroy will fail. Setting it to false on destroy has no impact, it has to be set on apply, so hence hard coding to true."
+ activity_tracking = {
+ read_data_events = true
+ write_data_events = true
+ management_events = true
+ }
+ metrics_monitoring = {
+ usage_metrics_enabled = true
+ request_metrics_enabled = true
+ metrics_monitoring_crn = var.existing_cloud_monitoring_crn != null ? var.existing_cloud_monitoring_crn : module.cloud_monitoring[0].crn
+ }
+ },
+ {
+ bucket_name = local.metrics_bucket_name
+ kms_key_crn = var.kms_encryption_enabled_buckets ? local.cluster_kms_key_crn : null
+ kms_guid = var.kms_encryption_enabled_buckets ? local.cluster_existing_kms_guid : null
+ kms_encryption_enabled = var.kms_encryption_enabled_buckets
+ region_location = var.region
+ resource_instance_id = var.existing_cos_instance_crn != null ? module.existing_cos_instance_crn_parser[0].resource : module.cos[0].cos_instance_id
+ add_bucket_name_suffix = var.append_random_bucket_name_suffix
+ management_endpoint_type = var.management_endpoint_type_for_buckets
+ storage_class = var.cos_buckets_class
+ skip_iam_authorization_policy = true
+ force_delete = true # If this is set to false, and the bucket contains data, the destroy will fail. Setting it to false on destroy has no impact, it has to be set on apply, so hence hard coding to true."
+ activity_tracking = {
+ read_data_events = true
+ write_data_events = true
+ management_events = true
+ }
+ metrics_monitoring = {
+ usage_metrics_enabled = true
+ request_metrics_enabled = true
+ metrics_monitoring_crn = var.existing_cloud_monitoring_crn != null ? var.existing_cloud_monitoring_crn : module.cloud_monitoring[0].crn
+ }
+ }
+ ]
+}
+
+#################################################################################
+# Activity Tracker
+#################################################################################
+locals {
+ activity_tracker_cos_target_bucket_name = try("${local.prefix}${var.activity_tracker_cos_target_bucket_name}", var.activity_tracker_cos_target_bucket_name)
+ cos_target_bucket_name = var.existing_activity_tracker_cos_target_bucket_name != null ? var.existing_activity_tracker_cos_target_bucket_name : var.enable_activity_tracker_event_routing_to_cos_bucket ? module.at_cos_bucket[0].buckets[local.activity_tracker_cos_target_bucket_name].bucket_name : null
+ cos_target_bucket_endpoint = var.existing_activity_tracker_cos_target_bucket_endpoint != null ? var.existing_activity_tracker_cos_target_bucket_endpoint : var.enable_activity_tracker_event_routing_to_cos_bucket ? module.at_cos_bucket[0].buckets[local.activity_tracker_cos_target_bucket_name].s3_endpoint_private : null
+ cos_target_name = var.cos_target_name != null ? var.cos_target_name : local.create_cos_instance ? module.cos[0].cos_instance_name : try("${local.prefix}-cos-target", "cos-target")
+ cloud_logs_target_name = var.cloud_logs_target_name != null ? var.cloud_logs_target_name : local.create_cos_instance ? module.cos[0].cos_instance_name : try("${local.prefix}-cloud-logs-target", "cloud-logs-target")
+ activity_tracker_cos_route_name = var.activity_tracker_cos_route_name != null ? var.activity_tracker_cos_route_name : try("${local.prefix}at-cos-route", "at-cos-route")
+ activity_tracker_cloud_logs_route_name = var.activity_tracker_cloud_logs_route_name != null ? var.activity_tracker_cloud_logs_route_name : try("${local.prefix}at-cloud-logs-route", "at-cloud-logs-route")
+ activity_tracker_bucket_config = var.existing_activity_tracker_cos_target_bucket_name == null && var.enable_activity_tracker_event_routing_to_cos_bucket ? {
+ class = var.activity_tracker_cos_target_bucket_class
+ name = local.activity_tracker_cos_target_bucket_name
+ tag = var.activity_tracker_cos_bucket_access_tags
+ } : null
+
+
+ bucket_retention_configs = local.activity_tracker_bucket_config != null ? { (local.activity_tracker_cos_target_bucket_name) = var.activity_tracker_cos_bucket_retention_policy } : null
+
+ at_buckets_config = local.activity_tracker_bucket_config != null ? [local.activity_tracker_bucket_config] : []
+
+ archive_rule = length(local.at_buckets_config) != 0 ? {
+ enable = true
+ days = 90
+ type = "Glacier"
+ } : null
+
+ expire_rule = length(local.at_buckets_config) != 0 ? {
+ enable = true
+ days = 366
+ } : null
+
+ activity_tracker_cos_route = var.enable_activity_tracker_event_routing_to_cos_bucket ? [{
+ route_name = local.activity_tracker_cos_route_name
+ locations = ["*"]
+ target_ids = [module.activity_tracker.activity_tracker_targets[local.cos_target_name].id]
+ }] : []
+
+ activity_tracker_cloud_logs_route = var.enable_activity_tracker_event_routing_to_cloud_logs ? [{
+ route_name = local.activity_tracker_cloud_logs_route_name
+ locations = ["*"]
+ target_ids = [module.activity_tracker.activity_tracker_targets[local.cloud_logs_target_name].id]
+ }] : []
+ activity_tracker_routes = concat(local.activity_tracker_cos_route, local.activity_tracker_cloud_logs_route)
+
+}
+
+module "activity_tracker" {
+ source = "terraform-ibm-modules/activity-tracker/ibm"
+ version = "1.5.0"
+ cos_targets = var.enable_activity_tracker_event_routing_to_cos_bucket ? [
+ {
+ bucket_name = local.cos_target_bucket_name
+ endpoint = local.cos_target_bucket_endpoint
+ instance_id = var.existing_cos_instance_crn != null ? var.existing_cos_instance_crn : module.cos[0].cos_instance_crn
+ target_region = var.region
+ target_name = local.cos_target_name
+ skip_atracker_cos_iam_auth_policy = var.skip_activity_tracker_cos_auth_policy
+ service_to_service_enabled = true
+ }
+ ] : []
+
+ cloud_logs_targets = var.enable_activity_tracker_event_routing_to_cloud_logs ? [
+ {
+ instance_id = var.existing_cloud_logs_crn != null ? var.existing_cloud_logs_crn : module.cloud_logs[0].crn
+ target_region = var.region
+ target_name = local.cloud_logs_target_name
+ }
+ ] : []
+
+ # Routes
+ activity_tracker_routes = local.activity_tracker_routes
+}
+
+module "at_cos_bucket" {
+ count = length(coalesce(local.at_buckets_config, [])) != 0 ? 1 : 0 # no need to call COS module if consumer is using existing COS bucket
+ source = "terraform-ibm-modules/cos/ibm//modules/buckets"
+ version = "10.5.8"
+ bucket_configs = [
+ for value in local.at_buckets_config :
+ {
+ access_tags = value.tag
+ bucket_name = value.name
+ add_bucket_name_suffix = var.append_random_bucket_name_suffix
+ kms_guid = local.cluster_existing_kms_guid
+ kms_encryption_enabled = var.kms_encryption_enabled_buckets
+ kms_key_crn = local.cluster_kms_key_crn
+ skip_iam_authorization_policy = false
+ management_endpoint_type = var.management_endpoint_type_for_buckets
+ storage_class = value.class
+ resource_instance_id = var.existing_cos_instance_crn != null ? module.existing_cos_instance_crn_parser[0].resource : module.cos[0].cos_instance_id
+ region_location = var.region
+ force_delete = true
+ archive_rule = local.archive_rule
+ expire_rule = local.expire_rule
+ retention_rule = lookup(local.bucket_retention_configs, value.name, null)
+ metrics_monitoring = {
+ usage_metrics_enabled = true
+ request_metrics_enabled = true
+ # If `existing_monitoring_crn` is not passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration.
+ metrics_monitoring_crn = var.existing_cloud_monitoring_crn != null ? var.existing_cloud_monitoring_crn : module.cloud_monitoring[0].crn
+ }
+ activity_tracking = {
+ read_data_events = true
+ write_data_events = true
+ management_events = true
+ }
+ }
+ ]
+}
+
+########################################################################################################################
+# App Config
+########################################################################################################################
+module "app_config" {
+ source = "terraform-ibm-modules/app-configuration/ibm"
+ version = "1.14.2"
+ resource_group_id = var.resource_group_id
+ region = var.region
+ app_config_name = "${local.prefix}${var.app_config_name}"
+ app_config_plan = var.app_config_plan
+ app_config_service_endpoints = var.app_config_service_endpoints
+ app_config_tags = var.app_config_tags
+ app_config_collections = var.app_config_collections
+ enable_config_aggregator = var.enable_config_aggregator
+ config_aggregator_trusted_profile_name = "${local.prefix}${var.config_aggregator_trusted_profile_name}"
+ config_aggregator_resource_collection_regions = var.config_aggregator_resource_collection_regions
+ config_aggregator_enterprise_id = var.config_aggregator_enterprise_id
+ config_aggregator_enterprise_trusted_profile_name = "${local.prefix}${var.config_aggregator_enterprise_trusted_profile_name}"
+ config_aggregator_enterprise_trusted_profile_template_name = "${local.prefix}${var.config_aggregator_enterprise_trusted_profile_template_name}"
+ config_aggregator_enterprise_account_group_ids_to_assign = var.config_aggregator_enterprise_account_group_ids_to_assign
+ config_aggregator_enterprise_account_ids_to_assign = var.config_aggregator_enterprise_account_ids_to_assign
+ cbr_rules = var.apprapp_cbr_rules
+ kms_encryption_enabled = var.kms_encryption_enabled_cluster
+ skip_app_config_kms_auth_policy = var.skip_app_config_kms_auth_policy
+ existing_kms_instance_crn = var.existing_kms_instance_crn != null ? var.existing_kms_instance_crn : module.kms[0].key_protect_crn
+ kms_endpoint_url = (var.kms_encryption_enabled_boot_volume && var.existing_boot_volume_kms_key_crn == null) || (var.kms_encryption_enabled_cluster && var.existing_cluster_kms_key_crn == null) ? var.kms_endpoint_type == "private" ? module.kms[0].kms_private_endpoint : module.kms[0].kms_public_endpoint : var.kms_endpoint_url
+ root_key_id = local.cluster_kms_key_id
+ enable_event_notifications = true
+ skip_app_config_event_notifications_auth_policy = var.skip_app_config_event_notifications_auth_policy
+ existing_event_notifications_instance_crn = local.eventnotification_crn
+ event_notifications_endpoint_url = var.existing_event_notifications_instance_crn != null ? var.event_notifications_endpoint_url : var.en_service_endpoints == "private" ? module.event_notifications[0].event_notifications_private_endpoint : module.event_notifications[0].event_notifications_public_endpoint
+ app_config_event_notifications_source_name = "${local.prefix}${var.app_config_event_notifications_source_name}"
+ event_notifications_integration_description = "The App Configuration integration to send notifications of events to users from the Event Notifications instance GUID ${local.existing_en_guid}"
+}
+
+#######################################################################################################################
+# App Configuration Event Notifications Configuration
+#######################################################################################################################
+
+data "ibm_en_destinations" "en_apprapp_destinations" {
+ instance_guid = local.existing_en_guid
+}
+
+resource "ibm_en_topic" "en_apprapp_topic" {
+ depends_on = [module.app_config]
+ instance_guid = local.existing_en_guid
+ name = "Topic for App Configuration instance ${module.app_config.app_config_guid}"
+ description = "Topic for App Configuration events routing"
+ sources {
+ id = module.app_config.app_config_crn
+ rules {
+ enabled = true
+ event_type_filter = "$.*"
+ }
+ }
+}
+
+resource "ibm_en_subscription_email" "apprapp_email_subscription" {
+ count = length(var.event_notifications_email_list) > 0 ? 1 : 0
+ instance_guid = local.existing_en_guid
+ name = "Email for App Configuration Subscription"
+ description = "Subscription for App Configuration Events"
+ destination_id = [for s in toset(data.ibm_en_destinations.en_apprapp_destinations[count.index].destinations) : s.id if s.type == "smtp_ibm"][0]
+ topic_id = ibm_en_topic.en_apprapp_topic[count.index].topic_id
+ attributes {
+ add_notification_payload = true
+ reply_to_mail = var.event_notifications_reply_to_email
+ reply_to_name = "App Configuration Event Notifications Bot"
+ from_name = var.event_notifications_from_email
+ invited = var.event_notifications_email_list
+ }
+}
+
+#################################################################################
+# SCC Workload Protection
+#################################################################################
+
+locals {
+ scc_workload_protection_instance_name = "${local.prefix}${var.scc_workload_protection_instance_name}"
+ scc_workload_protection_resource_key_name = "${local.prefix}${var.scc_workload_protection_instance_name}-key"
+}
+
+module "scc_wp" {
+ source = "terraform-ibm-modules/scc-workload-protection/ibm"
+ version = "1.16.4"
+ name = local.scc_workload_protection_instance_name
+ region = var.region
+ resource_group_id = var.resource_group_id
+ resource_tags = var.scc_workload_protection_instance_tags
+ resource_key_name = local.scc_workload_protection_resource_key_name
+ resource_key_tags = var.scc_workload_protection_resource_key_tags
+ cloud_monitoring_instance_crn = var.existing_cloud_monitoring_crn != null ? var.existing_cloud_monitoring_crn : module.cloud_monitoring[0].crn
+ access_tags = var.scc_workload_protection_access_tags
+ scc_wp_service_plan = var.scc_workload_protection_service_plan
+ app_config_crn = module.app_config.app_config_crn
+ scc_workload_protection_trusted_profile_name = "${local.prefix}${var.scc_workload_protection_trusted_profile_name}"
+ cbr_rules = var.scc_wp_cbr_rules
+ cspm_enabled = var.cspm_enabled
+}
+
+#############################################################################
+# COS Bucket for VPC flow logs
+#############################################################################
+
+
+locals {
+ vpc_flow_logs_bucket_name = "${local.prefix}${var.flow_logs_cos_bucket_name}"
+ # configuration for the flow logs bucket
+ flow_logs_bucket_config = [{
+ access_tags = var.vpc_flow_logs_access_tags
+ bucket_name = local.vpc_flow_logs_bucket_name
+ add_bucket_name_suffix = var.append_random_bucket_name_suffix
+ kms_encryption_enabled = var.kms_encryption_enabled_buckets
+ kms_guid = local.cluster_existing_kms_guid
+ kms_key_crn = local.cluster_kms_key_crn
+ skip_iam_authorization_policy = true
+ management_endpoint_type = var.management_endpoint_type_for_buckets
+ storage_class = var.cos_buckets_class
+ resource_instance_id = var.existing_cos_instance_crn != null ? module.existing_cos_instance_crn_parser[0].resource : module.cos[0].cos_instance_id
+ region_location = var.region
+ force_delete = true
+ archive_rule = var.flow_logs_cos_bucket_archive_days != null ? {
+ enable = true
+ days = var.flow_logs_cos_bucket_archive_days
+ type = var.flow_logs_cos_bucket_archive_type
+ } : null
+ expire_rule = var.flow_logs_cos_bucket_expire_days != null ? {
+ enable = true
+ days = var.flow_logs_cos_bucket_expire_days
+ } : null
+ retention_rule = var.flow_logs_cos_bucket_enable_retention ? {
+ default = var.flow_logs_cos_bucket_default_retention_days
+ maximum = var.flow_logs_cos_bucket_maximum_retention_days
+ minimum = var.flow_logs_cos_bucket_minimum_retention_days
+ permanent = var.flow_logs_cos_bucket_enable_permanent_retention
+ } : null
+ object_versioning_enabled = var.flow_logs_cos_bucket_enable_object_versioning
+ }]
+}
+
+# Create COS bucket using the defined bucket configuration
+module "vpc_cos_buckets" {
+ count = var.enable_vpc_flow_logs ? 1 : 0
+ source = "terraform-ibm-modules/cos/ibm//modules/buckets"
+ version = "10.5.8"
+ bucket_configs = local.flow_logs_bucket_config
+}
+
+#############################################################################
+# VPC
+#############################################################################
+
+locals {
+ # create 'use_public_gateways' object
+ public_gateway_object = {
+ for key, value in var.subnets : key => value != null ? length([for sub in value : sub.public_gateway if sub.public_gateway]) > 0 ? [for sub in value : sub.public_gateway if sub.public_gateway][0] : false : false
+ }
+}
+
+# Create VPC
+module "vpc" {
+ source = "terraform-ibm-modules/landing-zone-vpc/ibm"
+ version = "8.9.1"
+ resource_group_id = var.resource_group_id
+ region = var.region
+ create_vpc = true
+ name = var.vpc_name
+ prefix = local.prefix != "" ? trimspace(var.prefix) : null
+ tags = var.vpc_resource_tags
+ access_tags = var.vpc_access_tags
+ subnets = var.subnets
+ default_network_acl_name = var.default_network_acl_name
+ default_security_group_name = var.default_security_group_name
+ default_routing_table_name = var.default_routing_table_name
+ network_acls = var.network_acls
+ security_group_rules = var.security_group_rules
+ clean_default_sg_acl = var.clean_default_security_group_acl
+ use_public_gateways = local.public_gateway_object
+ address_prefixes = var.address_prefixes
+ routes = var.routes
+ enable_vpc_flow_logs = var.enable_vpc_flow_logs
+ create_authorization_policy_vpc_to_cos = !var.skip_vpc_cos_iam_auth_policy
+ existing_cos_instance_guid = var.enable_vpc_flow_logs ? local.cos_instance_guid : null
+ existing_storage_bucket_name = var.enable_vpc_flow_logs ? module.vpc_cos_buckets[0].buckets[local.vpc_flow_logs_bucket_name].bucket_name : null
+ vpn_gateways = var.vpn_gateways
+}
+
+#############################################################################
+# VPE Gateway
+#############################################################################
+
+module "vpe_gateway" {
+ source = "terraform-ibm-modules/vpe-gateway/ibm"
+ version = "4.6.6"
+ resource_group_id = var.resource_group_id
+ region = var.region
+ prefix = local.prefix
+ security_group_ids = var.vpe_gateway_security_group_ids
+ vpc_name = module.vpc.vpc_name
+ vpc_id = module.vpc.vpc_id
+ subnet_zone_list = module.vpc.subnet_zone_list
+ cloud_services = var.vpe_gateway_cloud_services
+ cloud_service_by_crn = var.vpe_gateway_cloud_service_by_crn
+ service_endpoints = var.vpe_gateway_service_endpoints
+ reserved_ips = var.vpe_gateway_reserved_ips
+}
+
+########################################################################################################################
+# OCP VPC cluster
+########################################################################################################################
+
+locals {
+ vpc_subnets = {
+ # The default behavior is to deploy the worker pool across all subnets within the VPC.
+ "default" = [
+ for subnet in module.vpc.subnet_zone_list :
+ {
+ id = subnet.id
+ zone = subnet.zone
+ cidr_block = subnet.cidr
+ }
+ ]
+ }
+
+ worker_pools = concat([
+ {
+ subnet_prefix = "default"
+ pool_name = "default"
+ machine_type = var.default_worker_pool_machine_type
+ workers_per_zone = var.default_worker_pool_workers_per_zone
+ resource_group_id = var.resource_group_id
+ operating_system = var.default_worker_pool_operating_system
+ labels = var.default_worker_pool_labels
+ minSize = var.default_pool_minimum_number_of_nodes
+ maxSize = var.default_pool_maximum_number_of_nodes
+ enableAutoscaling = var.enable_autoscaling_for_default_pool
+ boot_volume_encryption_kms_config = {
+ crk = local.boot_volume_kms_key_id
+ kms_instance_id = local.boot_volume_existing_kms_guid
+ kms_account_id = local.boot_volume_kms_account_id
+ }
+ additional_security_group_ids = var.additional_security_group_ids
+ }
+ ], [for pool in var.additional_worker_pools : merge(pool, { resource_group_id = var.resource_group_id
+ boot_volume_encryption_kms_config = {
+ crk = local.boot_volume_kms_key_id
+ kms_instance_id = local.boot_volume_existing_kms_guid
+ kms_account_id = local.boot_volume_kms_account_id
+ } }) if length(pool.vpc_subnets) > 0],
+ [for pool in var.additional_worker_pools : {
+ pool_name = pool.pool_name
+ machine_type = pool.machine_type
+ workers_per_zone = pool.workers_per_zone
+ resource_group_id = var.resource_group_id
+ operating_system = pool.operating_system
+ labels = pool.labels
+ minSize = pool.minSize
+ secondary_storage = pool.secondary_storage
+ maxSize = pool.maxSize
+ enableAutoscaling = pool.enableAutoscaling
+ boot_volume_encryption_kms_config = {
+ crk = local.boot_volume_kms_key_id
+ kms_instance_id = local.boot_volume_existing_kms_guid
+ kms_account_id = local.boot_volume_kms_account_id
+ }
+ additional_security_group_ids = pool.additional_security_group_ids
+ subnet_prefix = "default"
+ } if length(pool.vpc_subnets) == 0])
+
+ # Managing the ODF version accordingly, as it changes with each OCP version.
+ addons = lookup(var.addons, "openshift-data-foundation", null) != null ? lookup(var.addons["openshift-data-foundation"], "version", null) == null ? { for key, value in var.addons :
+ key => value != null ? {
+ version = lookup(value, "version", null) == null && key == "openshift-data-foundation" ? "${var.openshift_version}.0" : lookup(value, "version", null)
+ parameters_json = lookup(value, "parameters_json", null)
+ } : null } : var.addons : var.addons
+}
+
+module "ocp_base" {
+ source = "../.."
+ resource_group_id = var.resource_group_id
+ region = var.region
+ tags = var.cluster_resource_tags
+ cluster_name = local.cluster_name
+ force_delete_storage = true
+ use_existing_cos = true
+ existing_cos_id = var.existing_cos_instance_crn != null ? module.existing_cos_instance_crn_parser[0].resource : module.cos[0].cos_instance_crn
+ vpc_id = module.vpc.vpc_id
+ vpc_subnets = local.vpc_subnets
+ ocp_version = var.openshift_version
+ worker_pools = local.worker_pools
+ access_tags = var.access_tags
+ ocp_entitlement = var.ocp_entitlement
+ additional_lb_security_group_ids = var.additional_lb_security_group_ids
+ additional_vpe_security_group_ids = var.additional_vpe_security_group_ids
+ addons = local.addons
+ allow_default_worker_pool_replacement = var.allow_default_worker_pool_replacement
+ attach_ibm_managed_security_group = var.attach_ibm_managed_security_group
+ cluster_config_endpoint_type = var.cluster_config_endpoint_type
+ cbr_rules = var.ocp_cbr_rules
+ cluster_ready_when = var.cluster_ready_when
+ custom_security_group_ids = var.custom_security_group_ids
+ disable_outbound_traffic_protection = var.allow_outbound_traffic
+ disable_public_endpoint = !var.allow_public_access_to_cluster_management
+ enable_ocp_console = var.enable_ocp_console
+ ignore_worker_pool_size_changes = var.ignore_worker_pool_size_changes
+ kms_config = local.kms_config
+ manage_all_addons = var.manage_all_addons
+ number_of_lbs = var.number_of_lbs
+ pod_subnet_cidr = var.pod_subnet_cidr
+ service_subnet_cidr = var.service_subnet_cidr
+ verify_worker_network_readiness = var.verify_worker_network_readiness
+ worker_pools_taints = var.worker_pools_taints
+ enable_secrets_manager_integration = var.enable_secrets_manager_integration
+ existing_secrets_manager_instance_crn = local.secrets_manager_crn
+ secrets_manager_secret_group_id = var.secrets_manager_secret_group_id != null ? var.secrets_manager_secret_group_id : (var.enable_secrets_manager_integration ? module.secret_group[0].secret_group_id : null)
+ skip_ocp_secrets_manager_iam_auth_policy = var.skip_ocp_secrets_manager_iam_auth_policy
+}
+
+resource "terraform_data" "delete_secrets" {
+ count = var.enable_secrets_manager_integration && var.secrets_manager_secret_group_id == null ? 1 : 0
+ input = {
+ secret_id = module.secret_group[0].secret_group_id
+ provider_visibility = var.provider_visibility
+ secrets_manager_instance_id = local.secrets_manager_guid
+ secrets_manager_region = local.secrets_manager_region
+ secrets_manager_endpoint = var.secrets_manager_endpoint_type
+ }
+ # api key in triggers_replace to avoid it to be printed out in clear text in terraform_data output
+ triggers_replace = {
+ api_key = var.ibmcloud_api_key
+ }
+ provisioner "local-exec" {
+ when = destroy
+ command = "${path.module}/../../solutions/fully-configurable/scripts/delete_secrets.sh ${self.input.secret_id} ${self.input.provider_visibility} ${self.input.secrets_manager_instance_id} ${self.input.secrets_manager_region} ${self.input.secrets_manager_endpoint}"
+ interpreter = ["/bin/bash", "-c"]
+
+ environment = {
+ API_KEY = self.triggers_replace.api_key
+ }
+ }
+}
+
+module "secret_group" {
+ count = var.enable_secrets_manager_integration && var.secrets_manager_secret_group_id == null ? 1 : 0
+ source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
+ version = "1.3.15"
+ region = local.secrets_manager_region
+ secrets_manager_guid = local.secrets_manager_guid
+ secret_group_name = module.ocp_base.cluster_id
+ secret_group_description = "Secret group for storing ingress certificates for cluster ${local.cluster_name} with id: ${module.ocp_base.cluster_id}"
+ endpoint_type = var.secrets_manager_endpoint_type
+}
diff --git a/modules/containerized_app_landing_zone/outputs.tf b/modules/containerized_app_landing_zone/outputs.tf
new file mode 100644
index 00000000..a2009339
--- /dev/null
+++ b/modules/containerized_app_landing_zone/outputs.tf
@@ -0,0 +1,326 @@
+##############################################################################
+# Cluster Outputs
+##############################################################################
+
+output "cluster_name" {
+ value = module.ocp_base.cluster_name
+ description = "The name of the provisioned OpenShift cluster."
+}
+
+output "cluster_id" {
+ value = module.ocp_base.cluster_id
+ description = "The unique identifier assigned to the provisioned OpenShift cluster."
+}
+
+output "cluster_crn" {
+ description = "The Cloud Resource Name (CRN) of the provisioned OpenShift cluster."
+ value = module.ocp_base.cluster_crn
+}
+
+output "workerpools" {
+ description = "A list of worker pools associated with the provisioned cluster"
+ value = module.ocp_base.workerpools
+}
+
+output "ocp_version" {
+ description = "The version of OpenShift running on the provisioned cluster."
+ value = module.ocp_base.ocp_version
+}
+
+##############################################################################
+# VPC
+##############################################################################
+
+output "vpc_name" {
+ description = "Name of the VPC created."
+ value = module.vpc.vpc_name
+}
+
+output "vpc_id" {
+ description = "ID of the VPC created."
+ value = module.vpc.vpc_id
+}
+
+output "vpc_crn" {
+ description = "CRN of the VPC created."
+ value = module.vpc.vpc_crn
+}
+
+##############################################################################
+# Public Gateways
+##############################################################################
+
+output "public_gateways" {
+ description = "Map of the public gateways by zone."
+ value = module.vpc.public_gateways
+}
+
+##############################################################################
+# VPC flow logs
+##############################################################################
+
+output "vpc_flow_logs" {
+ description = "Details of the VPC flow logs collector."
+ value = module.vpc.vpc_flow_logs
+}
+
+##############################################################################
+# Network ACLs
+##############################################################################
+
+output "network_acls" {
+ description = "List of shortnames and IDs of network ACLs."
+ value = module.vpc.network_acls
+}
+
+##############################################################################
+# Subnet Outputs
+##############################################################################
+
+output "subnet_ids" {
+ description = "The IDs of the subnets."
+ value = module.vpc.subnet_ids
+}
+
+output "private_path_subnet_id" {
+ description = "The IDs of the subnets."
+ value = length(module.vpc.subnet_ids) > 0 ? module.vpc.subnet_ids[0] : null
+}
+
+output "subnet_detail_list" {
+ description = "A list of subnets containing names, CIDR blocks, and zones."
+ value = module.vpc.subnet_detail_list
+}
+
+output "subnet_zone_list" {
+ description = "A list of subnet IDs and subnet zones."
+ value = module.vpc.subnet_zone_list
+}
+
+output "subnet_detail_map" {
+ description = "A map of subnets containing IDs, CIDR blocks, and zones."
+ value = module.vpc.subnet_detail_map
+}
+
+##############################################################################
+# VPN Gateways Outputs
+##############################################################################
+
+output "vpn_gateways_name" {
+ description = "List of names of VPN gateways."
+ value = module.vpc.vpn_gateways_name
+}
+
+output "vpn_gateways_data" {
+ description = "Details of VPN gateways data."
+ value = module.vpc.vpn_gateways_data
+}
+
+##############################################################################
+# VPE Outputs
+##############################################################################
+
+output "vpe_ips" {
+ description = "The reserved IPs for endpoint gateways."
+ value = module.vpe_gateway.vpe_ips
+}
+
+output "vpe_crn" {
+ description = "The CRN of the endpoint gateway."
+ value = module.vpe_gateway.crn
+}
+
+##############################################################################
+# KMS Outputs
+##############################################################################
+
+output "kms_guid" {
+ description = "KMS instance GUID"
+ value = local.cluster_existing_kms_guid
+}
+
+output "kms_account_id" {
+ description = "The account ID of the KMS instance."
+ value = local.cluster_kms_account_id
+}
+
+output "kms_instance_crn" {
+ value = var.existing_kms_instance_crn == null ? var.kms_encryption_enabled_cluster ? module.kms[0].key_protect_crn : null : var.existing_kms_instance_crn
+ description = "The CRN of the KMS instance"
+}
+
+##############################################################################
+# Events Notification Outputs
+##############################################################################
+
+output "events_notification_crn" {
+ description = "Event Notification crn"
+ value = local.eventnotification_crn
+}
+
+output "events_notification_guid" {
+ description = "Event Notification guid"
+ value = local.eventnotification_guid
+}
+
+
+##############################################################################
+# Secrets Manager Outputs
+##############################################################################
+
+output "secrets_manager_guid" {
+ description = "GUID of Secrets Manager instance"
+ value = local.secrets_manager_guid
+}
+
+output "secrets_manager_crn" {
+ value = local.secrets_manager_crn
+ description = "CRN of the Secrets Manager instance"
+}
+
+output "secrets_manager_region" {
+ value = local.secrets_manager_region
+ description = "Region of the Secrets Manager instance"
+}
+
+##############################################################################
+# COS Outputs
+##############################################################################
+
+output "cos_instance_crn" {
+ description = "COS instance crn"
+ value = var.existing_cos_instance_crn != null ? var.existing_cos_instance_crn : module.cos[0].cos_instance_crn
+}
+
+output "cos_instance_guid" {
+ description = "COS instance guid"
+ value = var.existing_cos_instance_crn != null ? module.existing_cos_instance_crn_parser[0].service_instance : module.cos[0].cos_instance_guid
+}
+
+output "cos_instance_id" {
+ description = "COS instance ID"
+ value = var.existing_cos_instance_crn != null ? module.existing_cos_instance_crn_parser[0].resource : module.cos[0].cos_instance_crn
+}
+
+
+##############################################################################
+# Cloud Monitoring Outputs
+##############################################################################
+
+output "cloud_monitoring_crn" {
+ value = local.cloud_monitoring_crn
+ description = "The id of the provisioned IBM Cloud Monitoring instance."
+}
+output "cloud_monitoring_name" {
+ value = local.create_cloud_monitoring ? module.cloud_monitoring[0].name : null
+ description = "The name of the provisioned IBM Cloud Monitoring instance."
+}
+
+output "cloud_monitoring_guid" {
+ value = local.create_cloud_monitoring ? module.cloud_monitoring[0].guid : module.existing_cloud_monitoring_crn_parser[0].service_instance
+ description = "The guid of the provisioned IBM Cloud Monitoring instance."
+}
+
+output "cloud_monitoring_access_key_name" {
+ value = local.create_cloud_monitoring ? module.cloud_monitoring[0].access_key_name : null
+ description = "The name of the IBM Cloud Monitoring access key for agents to use"
+}
+
+output "cloud_monitoring_access_key" {
+ value = local.create_cloud_monitoring ? module.cloud_monitoring[0].access_key : null
+ description = "The IBM Cloud Monitoring access key for agents to use"
+ sensitive = true
+}
+
+##############################################################################
+# Cloud Logs Outputs
+##############################################################################
+
+output "cloud_logs_crn" {
+ value = local.cloud_logs_crn
+ description = "The id of the provisioned IBM Cloud Logs instance."
+}
+
+output "cloud_logs_guid" {
+ value = local.create_cloud_logs ? module.cloud_logs[0].guid : null
+ description = "The guid of the provisioned IBM Cloud Logs instance."
+}
+
+output "cloud_logs_name" {
+ value = local.create_cloud_logs ? module.cloud_logs[0].name : null
+ description = "The name of the provisioned IBM Cloud Logs instance."
+}
+
+output "cloud_logs_ingress_endpoint" {
+ value = local.create_cloud_logs ? module.cloud_logs[0].ingress_endpoint : null
+ description = "The public ingress endpoint of the provisioned IBM Cloud Logs instance."
+}
+
+output "cloud_logs_ingress_private_endpoint" {
+ value = local.create_cloud_logs ? module.cloud_logs[0].ingress_private_endpoint : null
+ description = "The private ingress endpoint of the provisioned IBM Cloud Logs instance."
+}
+
+output "cloud_logs_logs_policies_details" {
+ value = local.create_cloud_logs ? module.cloud_logs[0].logs_policies_details : null
+ description = "The details of the IBM Cloud logs policies created."
+}
+
+output "logs_bucket_crn" {
+ description = "Logs Cloud Object Storage bucket CRN"
+ value = module.cloud_logs_buckets.buckets[local.data_bucket_name].bucket_crn
+}
+
+output "metrics_bucket_crn" {
+ description = "Metrics Cloud Object Storage bucket CRN"
+ value = module.cloud_logs_buckets.buckets[local.metrics_bucket_name].bucket_crn
+}
+
+##############################################################################
+# Activity Tracker Event Routing Outputs
+##############################################################################
+
+output "activity_tracker_cos_target_bucket_name" {
+ value = var.existing_activity_tracker_cos_target_bucket_name == null ? var.enable_activity_tracker_event_routing_to_cos_bucket ? module.at_cos_bucket[0].buckets[local.activity_tracker_cos_target_bucket_name].bucket_name : null : var.existing_activity_tracker_cos_target_bucket_name
+ description = "he name of the object storage bucket which is set as activity tracker event routing target to collect audit events."
+}
+
+output "activity_tracker_targets" {
+ value = module.activity_tracker.activity_tracker_targets
+ description = "The map of created Activity Tracker Event Routing targets"
+}
+
+output "activity_tracker_routes" {
+ value = module.activity_tracker.activity_tracker_routes
+ description = "The map of created Activity Tracker Event Routing routes"
+}
+
+##############################################################################
+# SCC-WP Outputs
+##############################################################################
+
+output "scc_workload_protection_id" {
+ description = "SCC Workload Protection instance ID"
+ value = module.scc_wp.id
+}
+
+output "scc_workload_protection_crn" {
+ description = "SCC Workload Protection instance CRN"
+ value = module.scc_wp.crn
+}
+
+output "scc_workload_protection_name" {
+ description = "SCC Workload Protection instance name"
+ value = module.scc_wp.name
+}
+
+output "scc_workload_protection_ingestion_endpoint" {
+ description = "SCC Workload Protection instance ingestion endpoint"
+ value = module.scc_wp.name
+}
+
+output "scc_workload_protection_api_endpoint" {
+ description = "SCC Workload Protection API endpoint"
+ value = module.scc_wp.api_endpoint
+ sensitive = true
+}
diff --git a/modules/containerized_app_landing_zone/variables.tf b/modules/containerized_app_landing_zone/variables.tf
new file mode 100644
index 00000000..3d3008d7
--- /dev/null
+++ b/modules/containerized_app_landing_zone/variables.tf
@@ -0,0 +1,2352 @@
+variable "ibmcloud_api_key" {
+ type = string
+ description = "The IBM Cloud api token"
+ sensitive = true
+}
+
+variable "provider_visibility" {
+ description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`."
+ type = string
+ default = "private"
+ validation {
+ condition = contains(["public", "private", "public-and-private"], var.provider_visibility)
+ error_message = "Invalid visibility option. Allowed values are `public`, `private`, or `public-and-private`."
+ }
+}
+
+variable "prefix" {
+ type = string
+ nullable = true
+ description = "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To skip using a prefix, set this value to null or an empty string."
+
+ validation {
+ # - null and empty string is allowed
+ # - Must not contain consecutive hyphens (--): length(regexall("--", var.prefix)) == 0
+ # - Starts with a lowercase letter: [a-z]
+ # - Contains only lowercase letters (a–z), digits (0–9), and hyphens (-)
+ # - Must not end with a hyphen (-): [a-z0-9]
+ condition = (var.prefix == null || var.prefix == "" ? true :
+ alltrue([
+ can(regex("^[a-z][-a-z0-9]*[a-z0-9]$", var.prefix)),
+ length(regexall("--", var.prefix)) == 0
+ ])
+ )
+ error_message = "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--')."
+ }
+
+ validation {
+ # must not exceed 16 characters in length
+ condition = var.prefix == null || var.prefix == "" ? true : length(var.prefix) <= 16
+ error_message = "Prefix must not exceed 16 characters."
+ }
+}
+
+variable "region" {
+ type = string
+ description = "The region to provision all resources in."
+ default = "us-south"
+ nullable = false
+}
+
+variable "resource_group_id" {
+ type = string
+ description = "The ID of an existing IBM Cloud resource group where the cluster is grouped."
+}
+
+##############################################################
+# KMS Related
+##############################################################
+variable "kms_encryption_enabled_cluster" {
+ description = "Set to true to enable KMS encryption for the cluster's Object Storage bucket. When set to true, a value must be passed for either `existing_cluster_kms_key_crn` or `existing_kms_instance_crn`."
+ type = bool
+ default = false
+ nullable = false
+
+ validation {
+ condition = var.existing_kms_instance_crn != null ? var.kms_encryption_enabled_cluster : true
+ error_message = "If passing a value for 'existing_kms_instance_crn', you should set 'kms_encryption_enabled_cluster' to true."
+ }
+
+ validation {
+ condition = var.existing_cluster_kms_key_crn != null ? var.kms_encryption_enabled_cluster : true
+ error_message = "If passing a value for 'existing_cluster_kms_key_crn', you should set 'kms_encryption_enabled_cluster' to true."
+ }
+}
+
+variable "existing_kms_instance_crn" {
+ type = string
+ default = null
+ description = "The CRN of an existing KMS instance."
+
+ validation {
+ condition = anytrue([
+ can(regex("^crn:(.*:){3}(kms|hs-crypto):(.*:){2}[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}::$", var.existing_kms_instance_crn)),
+ var.existing_kms_instance_crn == null,
+ ])
+ error_message = "The provided KMS instance CRN in the input 'existing_kms_instance_crn' in not valid."
+ }
+}
+
+variable "existing_cluster_kms_key_crn" {
+ type = string
+ default = null
+ description = "The CRN of an existing KMS key to use for encrypting the Object Storage of the Cluster. If no value is set for this variable, specify a value for `existing_kms_instance_crn` variable to create a key ring and key."
+
+ validation {
+ condition = anytrue([
+ can(regex("^crn:(.*:){3}(kms|hs-crypto):(.*:){2}[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}:key:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", var.existing_cluster_kms_key_crn)),
+ var.existing_cluster_kms_key_crn == null,
+ ])
+ error_message = "The provided KMS key CRN in the input 'existing_cluster_kms_key_crn' in not valid."
+ }
+
+ validation {
+ condition = var.existing_cluster_kms_key_crn != null ? var.existing_kms_instance_crn == null : true
+ error_message = "A value should not be passed for 'existing_kms_instance_crn' when passing an existing key value using the 'existing_cluster_kms_key_crn' input."
+ }
+
+}
+
+variable "kms_endpoint_type" {
+ type = string
+ description = "The endpoint for communicating with the KMS instance. Possible values: `public`, `private`. Applies only if `kms_encryption_enabled_cluster` is true"
+ default = "private"
+ nullable = false
+ validation {
+ condition = can(regex("^(public|private)$", var.kms_endpoint_type))
+ error_message = "The kms_endpoint_type value must be 'public' or 'private'."
+ }
+}
+
+variable "cluster_kms_key_ring_name" {
+ type = string
+ default = "cluster-key-ring"
+ description = "The name of the key ring to be created for the cluster's Object Storage bucket encryption key. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+}
+
+variable "cluster_kms_key_name" {
+ type = string
+ default = "cluster-key"
+ description = "The name of the key to be created for the cluster's Object Storage bucket encryption. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+}
+
+variable "kms_encryption_enabled_boot_volume" {
+ type = bool
+ description = "Set this to true to control the encryption keys used to encrypt the data that for the block storage volumes for VPC. If set to false, the data is encrypted by using randomly generated keys. For more info on encrypting block storage volumes, see https://cloud.ibm.com/docs/vpc?topic=vpc-creating-instances-byok"
+ default = false
+ nullable = false
+
+ validation {
+ condition = var.existing_kms_instance_crn != null ? var.kms_encryption_enabled_boot_volume || var.kms_encryption_enabled_cluster : true
+ error_message = "If passing a value for 'existing_kms_instance_crn', you should set 'kms_encryption_enabled_boot_volume' to true."
+ }
+
+ validation {
+ condition = var.existing_boot_volume_kms_key_crn != null ? var.kms_encryption_enabled_boot_volume : true
+ error_message = "If passing a value for 'existing_boot_volume_kms_key_crn', you should set 'kms_encryption_enabled_boot_volume' to true."
+ }
+}
+
+variable "existing_boot_volume_kms_key_crn" {
+ type = string
+ default = null
+ description = "The CRN of an existing KMS key to use to encrypt the the block storage volumes for VPC. If no value is set for this variable, specify a value for either the `existing_kms_instance_crn` variable to create a key ring and key."
+
+ validation {
+ condition = anytrue([
+ can(regex("^crn:(.*:){3}(kms|hs-crypto):(.*:){2}[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}:key:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", var.existing_boot_volume_kms_key_crn)),
+ var.existing_boot_volume_kms_key_crn == null,
+ ])
+ error_message = "The provided KMS key CRN in the input 'existing_boot_volume_kms_key_crn' in not valid."
+ }
+}
+
+variable "boot_volume_kms_key_ring_name" {
+ type = string
+ default = "boot-volume-key-ring"
+ description = "The name for the key ring created for the block storage volumes key. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+}
+
+variable "boot_volume_kms_key_name" {
+ type = string
+ default = "boot-volume-key"
+ description = "The name for the key created for the block storage volumes. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+}
+
+variable "kms_instance_name" {
+ type = string
+ description = "The name to give the Key Protect instance that that is created by this module. Only used if 'create_key_protect_instance' is set to `true`."
+ default = "key-protect"
+}
+
+variable "kms_plan" {
+ type = string
+ description = "Plan for the Key Protect instance. Supported values are 'tiered-pricing' and 'cross-region-resiliency'. Only used if 'create_key_protect_instance' is set to `true`."
+ default = "tiered-pricing"
+ # validation performed in terraform-ibm-key-protect module
+}
+
+variable "rotation_enabled" {
+ type = bool
+ description = "If set to `true`, a rotation policy is enabled on the Key Protect instance. Only used if 'create_key_protect_instance' is set to `true`."
+ default = true
+}
+
+variable "rotation_interval_month" {
+ type = number
+ description = "Specifies how often keys are rotated in months. Value must be between `1` and `12` inclusive. Only used if 'create_key_protect_instance' is set to `true`."
+ default = 1
+}
+
+variable "dual_auth_delete_enabled" {
+ type = bool
+ description = "If set to `true`, a dual authorization policy is enabled on the Key Protect instance. After the dual authorization policy is set on the instance, it cannot be reverted. An instance with dual authorization policy enabled cannot be destroyed by using Terraform. Only used if 'create_key_protect_instance' is set to `true`."
+ default = false
+}
+
+variable "enable_metrics" {
+ type = bool
+ description = "Set to `true` to enable metrics on the Key Protect instance. Only used if 'create_key_protect_instance' is set to `true`. In order to view metrics, you need an IBM Cloud Monitoring (Sysdig) instance that is located in the same region as the Key Protect instance. After you provision a Monitoring instance, enable platform metrics to monitor your Key Protect instance."
+ default = true
+}
+
+variable "key_create_import_access_enabled" {
+ type = bool
+ description = "If set to `true`, a key create and import access policy is enabled on the instance of Key Protect. Only used if 'create_key_protect_instance' is set to `true`."
+ default = true
+}
+
+variable "key_protect_allowed_network" {
+ type = string
+ description = "Allowed network types for the Key Protect instance. Possible values are 'private-only', or 'public-and-private'. Only used if 'create_key_protect_instance' is set to `true`."
+ default = "private-only"
+ validation {
+ condition = can(regex("private-only|public-and-private", var.key_protect_allowed_network))
+ error_message = "The `key_protect_allowed_network` value must be 'private-only' or 'public-and-private'."
+ }
+}
+
+variable "kms_resource_tags" {
+ type = list(string)
+ description = "Optional list of tags to add to the Key Protect instance. Only used if 'create_key_protect_instance' is set to `true`."
+ default = []
+}
+
+variable "kms_access_tags" {
+ type = list(string)
+ description = "A list of access tags to apply to the Key Protect instance. Only used if 'create_key_protect_instance' is set to `true`."
+ default = []
+}
+
+variable "kms_cbr_rules" {
+ type = list(object({
+ description = string
+ account_id = string
+ rule_contexts = list(object({
+ attributes = optional(list(object({
+ name = string
+ value = string
+ }))) }))
+ enforcement_mode = string
+ operations = optional(list(object({
+ api_types = list(object({
+ api_type_id = string
+ }))
+ })))
+ }))
+ description = "The context-based restrictions rule to create. Only one rule is allowed."
+ default = []
+ # Validation happens in the rule module
+ # NOTE: Context-based restriction rules applies to Key Protect instances only and is not supported by Hyper Protect Crypto Services (HPCS) instances
+
+ validation {
+ condition = var.existing_kms_instance_crn == null ? true : length(regexall(".*hscrypto.*", var.existing_kms_instance_crn)) > 0 ? length(var.kms_cbr_rules) == 0 : true
+ error_message = "When passing a Hyper Protect Crypto Services (HPCS) instance as a value for `existing_kms_instance_crn` you cannot provide `kms_cbr_rules`. Context-based restrictions are not supported by HPCS instances. For more information, go to [services that integrate with context-based restrictions](https://cloud.ibm.com/docs/account?topic=account-context-restrictions-whatis#cbr-adopters)."
+ }
+ validation {
+ condition = length(var.kms_cbr_rules) <= 1
+ error_message = "Only one CBR rule is allowed."
+ }
+}
+
+########################################################################################################################
+# Event Notifications
+########################################################################################################################
+
+variable "event_notifications_instance_name" {
+ type = string
+ description = "The name of the Event Notifications instance that is created by this solution. If a `prefix` input variable is specified, it is added to this name in the `-value` format."
+ default = "event-notifications"
+}
+
+variable "en_service_plan" {
+ type = string
+ description = "The pricing plan of the Event Notifications instance. Possible values: `Lite`, `Standard`."
+ default = "standard"
+ validation {
+ condition = contains(["lite", "standard"], var.en_service_plan)
+ error_message = "The specified pricing plan is not available. The following plans are supported: `Lite`, `Standard`"
+ }
+}
+
+variable "en_service_endpoints" {
+ type = string
+ description = "Specify whether you want to enable public, private, or both public and private service endpoints. Possible values: `public`, `private`, `public-and-private`."
+ default = "private"
+ validation {
+ condition = contains(["public", "private", "public-and-private"], var.en_service_endpoints)
+ error_message = "The specified service endpoint is not supported. The following endpoint options are supported: `public`, `private`, `public-and-private`"
+ }
+}
+
+variable "en_resource_tags" {
+ type = list(string)
+ description = "The list of tags to add to the Event Notifications instance."
+ default = []
+}
+
+variable "en_access_tags" {
+ type = list(string)
+ description = "A list of access tags to apply to the Event Notifications instance created by the solution. For more information, [see here](https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial)."
+ default = []
+
+ validation {
+ condition = alltrue([
+ for tag in var.en_access_tags : can(regex("[\\w\\-_\\.]+:[\\w\\-_\\.]+", tag)) && length(tag) <= 128
+ ])
+ error_message = "Tags must match the regular expression \"[\\w\\-_\\.]+:[\\w\\-_\\.]+\". For more information, [see here](https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limit)."
+ }
+}
+
+variable "en_service_credential_names" {
+ type = map(string)
+ description = "A mapping of names and associated roles for service credentials that you want to create for the Event Notifications instance. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/blob/main/solutions/fully-configurable/DA-types.md#service-credentials-)."
+ default = {}
+
+ validation {
+ condition = alltrue([for name, role in var.en_service_credential_names : contains(["Manager", "Writer", "Reader", "Event Source Manager", "Channel Editor", "Event Notification Publisher", "Status Reporter", "Device Manager", "Email Sender", "Custom Email Status Reporter"], role)])
+ error_message = "The specified service credential role is not valid. The following values are valid for service credential roles: 'Manager', 'Writer', 'Reader', 'Event Source Manager', 'Channel Editor', 'Event Notification Publisher', 'Status Reporter', 'Device Manager', 'Email Sender', 'Custom Email Status Reporter'"
+ }
+}
+
+variable "kms_endpoint_url" {
+ type = string
+ description = "The KMS endpoint URL to use when you configure KMS encryption. When set to true, a value must be passed for either `existing_kms_root_key_crn` or `existing_kms_instance_crn` (to create a new key). The Hyper Protect Crypto Services endpoint URL format is `https://api.private..hs-crypto.cloud.ibm.com:` and the Key Protect endpoint URL format is `https://.kms.cloud.ibm.com`. Not required if passing an existing instance using the `existing_event_notifications_instance_crn` input."
+ default = null
+}
+
+variable "skip_event_notifications_kms_auth_policy" {
+ type = bool
+ description = "Set to true to skip the creation of an IAM authorization policy that permits the Event Notifications instance to read the encryption key from the KMS instance. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account."
+ default = false
+}
+
+variable "enable_collecting_failed_events" {
+ type = bool
+ description = "Set to true to enable Cloud Object Storage integration. If enabled, you must also provide a Cloud Object Storage instance (for storing failed events) using the `existing_cos_instance_crn` variable. For more information, [see here](https://cloud.ibm.com/docs/event-notifications?topic=event-notifications-en-cfe-integrations)."
+ default = true
+}
+
+variable "en_cos_bucket_name" {
+ type = string
+ description = "The name to use when creating the Object Storage bucket for the storage of failed delivery events. Bucket names are globally unique. If `add_bucket_name_suffix` is set to `true`, a random 4 character string is added to this name to help ensure that the bucket name is unique. If a `prefix` input variable is specified, it is added to this name in the `-value` format."
+ default = "base-event-notifications-bucket"
+}
+
+variable "en_cos_bucket_access_tags" {
+ type = list(string)
+ description = "A list of access tags to apply to the Cloud Object Storage bucket created by the solution. For more information, [see here](https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial)."
+ default = []
+
+ validation {
+ condition = alltrue([
+ for tag in var.en_cos_bucket_access_tags : can(regex("[\\w\\-_\\.]+:[\\w\\-_\\.]+", tag)) && length(tag) <= 128
+ ])
+ error_message = "Tags must match the regular expression \"[\\w\\-_\\.]+:[\\w\\-_\\.]+\". For more information, [see here](https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits)."
+ }
+}
+
+variable "skip_event_notifications_secrets_manager_auth_policy" {
+ type = bool
+ default = false
+ description = "Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Event Notification.If set to false, the Secrets Manager instance passed by the user is granted the Key Manager access to the Event Notifications instance created by the Deployable Architecture. Set to `true` to use an existing policy. The value of this is ignored if any value for 'existing_secrets_manager_crn' is not passed."
+}
+
+variable "en_cbr_rules" {
+ type = list(object({
+ description = string
+ account_id = string
+ rule_contexts = list(object({
+ attributes = optional(list(object({
+ name = string
+ value = string
+ }))) }))
+ enforcement_mode = string
+ operations = optional(list(object({
+ api_types = list(object({
+ api_type_id = string
+ }))
+ })))
+ }))
+ description = "The list of context-based restrictions rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/tree/main/solutions/fully-configurable/DA-cbr_rules.md)."
+ default = []
+}
+
+variable "en_service_credential_secrets" { # pragma: allowlist secret
+ type = list(object({
+ secret_group_name = string # pragma: allowlist secret
+ secret_group_description = optional(string) # pragma: allowlist secret
+ existing_secret_group = optional(bool) # pragma: allowlist secret
+ service_credentials = list(object({ # pragma: allowlist secret
+ secret_name = string # pragma: allowlist secret
+ service_credentials_source_service_role_crn = string # pragma: allowlist secret
+ secret_labels = optional(list(string)) # pragma: allowlist secret
+ secret_auto_rotation = optional(bool) # pragma: allowlist secret
+ secret_auto_rotation_unit = optional(string) # pragma: allowlist secret
+ secret_auto_rotation_interval = optional(number) # pragma: allowlist secret
+ service_credentials_ttl = optional(string) # pragma: allowlist secret
+ service_credential_secret_description = optional(string) # pragma: allowlist secret
+
+ }))
+ }))
+ default = []
+ description = "Service credential secrets configuration for Event Notification. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/tree/main/solutions/fully-configurable/DA-types.md#service-credential-secrets)."
+
+ validation {
+ # Service roles CRNs can be found at https://cloud.ibm.com/iam/roles, select Event Notifications and select the role
+ condition = alltrue([
+ for group in var.en_service_credential_secrets : alltrue([
+ # crn:v?:bluemix; two non-empty segments; three possibly empty segments; :serviceRole or role: non-empty segment
+ for credential in group.service_credentials : can(regex("^crn:v[0-9]:bluemix(:..*){2}(:.*){3}:(serviceRole|role):..*$", credential.service_credentials_source_service_role_crn))
+ ])
+ ])
+ error_message = "Provided value of `service_credentials_source_service_role_crn` is not valid. Refer [this](https://cloud.ibm.com/iam/roles) for allowed role/values."
+ }
+ validation {
+ condition = length(var.en_service_credential_secrets) > 0 ? var.existing_secrets_manager_crn != null : true
+ error_message = "'existing_secrets_manager_crn' is required when adding service credentials with the 'service_credential_secrets' input."
+ }
+
+}
+
+variable "skip_event_notifications_cos_auth_policy" {
+ type = bool
+ description = "Set to `true` to skip the creation of an IAM authorization policy that permits the Event Notifications instance `Object Writer` and `Reader` access to the given Object Storage bucket. Set to `true` to use an existing policy."
+ default = false
+}
+
+variable "event_notifications_endpoint_url" {
+ type = string
+ description = "The URL of the Event Notifications service endpoint to use for notifying configuration changes. For more information on the endpoint URL for Event Notifications, go to [Service endpoints](https://cloud.ibm.com/docs/event-notifications?topic=event-notifications-en-regions-endpoints#en-service-endpoints). It is required if `enable_event_notifications` is set to true."
+ default = null
+}
+
+##############################################################
+# Secrets Manager
+##############################################################
+
+variable "secrets_manager_instance_name" {
+ type = string
+ description = "The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `-value` format. Applies only if `existing_secrets_manager_crn` is not provided."
+ default = "secrets-manager"
+}
+
+variable "existing_secrets_manager_crn" {
+ type = string
+ description = "The CRN of an existing Secrets Manager instance. If not supplied, a new instance is created."
+ default = null
+}
+
+variable "secrets_manager_service_plan" {
+ type = string
+ description = "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation."
+ default = "standard"
+ validation {
+ condition = var.existing_secrets_manager_crn == null ? contains(["standard", "trial"], var.secrets_manager_service_plan) : true
+ error_message = "Only 'standard' and 'trial' are allowed values for 'secrets_manager_service_plan'. Applies only if not providing a value for the 'existing_secrets_manager_crn' input."
+ }
+}
+
+variable "skip_secrets_manager_iam_auth_policy" {
+ type = bool
+ description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager instance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service."
+ default = false
+}
+
+variable "secrets_manager_resource_tags" {
+ type = list(string)
+ description = "The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided."
+ default = []
+}
+
+variable "secrets_manager_endpoint_type" {
+ type = string
+ description = "The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications."
+ default = "private"
+ validation {
+ condition = contains(["public", "private"], var.secrets_manager_endpoint_type)
+ error_message = "The specified service endpoint is not a valid selection!"
+ }
+}
+
+variable "secrets_manager_allowed_network" {
+ type = string
+ description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`."
+ default = "private-only"
+ validation {
+ condition = contains(["private-only", "public-and-private"], var.secrets_manager_allowed_network)
+ error_message = "The specified allowed_network is not a valid selection!"
+ }
+}
+
+variable "skip_secrets_manager_kms_iam_auth_policy" {
+ type = bool
+ description = "Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable."
+ default = false
+}
+
+variable "secret_groups" {
+ type = list(object({
+ secret_group_name = string
+ secret_group_description = optional(string)
+ create_access_group = optional(bool, true)
+ access_group_name = optional(string)
+ access_group_roles = optional(list(string), ["SecretsReader"])
+ access_group_tags = optional(list(string))
+ }))
+ description = "Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. If you do not wish to create any groups, set the value to `[]`."
+ nullable = false
+ default = [
+ {
+ secret_group_name = "General"
+ secret_group_description = "A general purpose secrets group with an associated access group which has a secrets reader role"
+ create_access_group = true
+ access_group_name = "general-secrets-group-access-group"
+ access_group_roles = ["SecretsReader"]
+ }
+ ]
+ validation {
+ error_message = "The name of the secret group cannot be null or empty string."
+ condition = length([
+ for group in var.secret_groups :
+ true if(group.secret_group_name == "" || group.secret_group_name == null)
+ ]) == 0
+ }
+ validation {
+ error_message = "When creating an access group, a list of roles must be specified."
+ condition = length([
+ for group in var.secret_groups :
+ true if(group.create_access_group && group.access_group_roles == null)
+ ]) == 0
+ }
+}
+
+variable "secrets_manager_cbr_rules" {
+ type = list(object({
+ description = string
+ account_id = string
+ rule_contexts = list(object({
+ attributes = optional(list(object({
+ name = string
+ value = string
+ }))) }))
+ enforcement_mode = string
+ operations = optional(list(object({
+ api_types = list(object({
+ api_type_id = string
+ }))
+ })))
+ }))
+ description = "(Optional, list) List of CBR rules to create."
+ default = []
+ # Validation happens in the rule module
+}
+
+########################################################################################################################
+# Event Notifications
+########################################################################################################################
+
+variable "existing_event_notifications_instance_crn" {
+ type = string
+ description = "The CRN of the Event Notifications service used to enable lifecycle notifications for your Secrets Manager instance."
+ default = null
+}
+
+variable "skip_secrets_manager_event_notifications_iam_auth_policy" {
+ type = bool
+ description = "If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created."
+ default = false
+}
+
+variable "event_notifications_email_list" {
+ type = list(string)
+ description = "The list of email address to target out when Secrets Manager triggers an event"
+ default = []
+}
+
+variable "event_notifications_from_email" {
+ type = string
+ description = "The email address used to send any Secrets Manager event coming via Event Notifications"
+ default = "compliancealert@ibm.com"
+}
+
+variable "event_notifications_reply_to_email" {
+ type = string
+ description = "The email address specified in the 'reply_to' section for any Secret Manager event coming via Event Notifications"
+ default = "no-reply@ibm.com"
+}
+
+##############################################################
+# COS
+##############################################################
+
+variable "existing_cos_instance_crn" {
+ type = string
+ description = "The CRN of an existing Object Storage instance."
+ default = null
+}
+
+variable "cos_instance_name" {
+ description = "The name for the IBM Cloud Object Storage instance provisioned by this solution. If a value is passed for `prefix`, the instance will be named with the prefix value in the format of `-value`."
+ type = string
+ default = "cos-instance"
+}
+
+variable "cos_instance_plan" {
+ description = "The plan to use when Object Storage instances are created."
+ type = string
+ default = "standard"
+ validation {
+ condition = contains(["standard", "cos-one-rate-plan"], var.cos_instance_plan)
+ error_message = "The specified plan is not a valid selection!"
+ }
+}
+
+variable "cos_instance_resource_tags" {
+ description = "A list of resource tags to apply to the Object Storage instance."
+ type = list(string)
+ default = []
+}
+
+variable "cos_instance_access_tags" {
+ type = list(string)
+ description = "A list of access tags to apply to the Object Storage instance created by the module."
+ default = []
+}
+
+variable "skip_secrets_manager_cos_iam_auth_policy" {
+ type = bool
+ default = false
+ description = "Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Cloud Object Storage. Set to `true` to use an existing policy."
+}
+
+variable "service_cred" { # pragma: allowlist secret
+ type = list(object({
+ secret_group_name = string # pragma: allowlist secret
+ secret_group_description = optional(string) # pragma: allowlist secret
+ existing_secret_group = optional(bool) # pragma: allowlist secret
+ service_credentials = list(object({ # pragma: allowlist secret
+ secret_name = string # pragma: allowlist secret
+ service_credentials_source_service_role_crn = string # pragma: allowlist secret
+ secret_labels = optional(list(string)) # pragma: allowlist secret
+ secret_auto_rotation = optional(bool) # pragma: allowlist secret
+ secret_auto_rotation_unit = optional(string) # pragma: allowlist secret
+ secret_auto_rotation_interval = optional(number) # pragma: allowlist secret
+ service_credentials_ttl = optional(string) # pragma: allowlist secret
+ service_credential_secret_description = optional(string) # pragma: allowlist secret
+
+ }))
+ }))
+ default = []
+ description = "Service configuration for COS."
+
+ validation {
+ # Service roles CRNs can be found at https://cloud.ibm.com/iam/roles, select Cloud Object Storage and select the role
+ condition = alltrue([
+ for group in var.service_cred : alltrue([
+ # crn:v?:bluemix; two non-empty segments; three possibly empty segments; :serviceRole or role: non-empty segment
+ for credential in group.service_credentials : can(regex("^crn:v[0-9]:bluemix(:..*){2}(:.*){3}:(serviceRole|role):..*$", credential.service_credentials_source_service_role_crn))
+ ])
+ ])
+ error_message = "service_credentials_source_service_role_crn must be a serviceRole CRN. See https://cloud.ibm.com/iam/roles"
+ }
+
+ validation {
+ condition = length(var.service_cred) > 0 ? var.existing_secrets_manager_crn != null : true
+ error_message = "When passing a value for 'service_credential', a value must be passed for 'existing_secrets_manager_crn'."
+ }
+}
+
+variable "cos_instance_cbr_rules" {
+ type = list(object({
+ description = string
+ account_id = string
+ rule_contexts = list(object({
+ attributes = optional(list(object({
+ name = string
+ value = string
+ }))) }))
+ enforcement_mode = string
+ tags = optional(list(object({
+ name = string
+ value = string
+ })), [])
+ operations = optional(list(object({
+ api_types = list(object({
+ api_type_id = string
+ }))
+ })))
+ }))
+ description = "The list of context-based restriction rules to create for the instance."
+ default = []
+ # Validation happens in the rule module
+}
+
+########################################################################################################################
+# Cloud Monitoring
+########################################################################################################################
+
+variable "existing_cloud_monitoring_crn" {
+ type = string
+ default = null
+ description = "The CRN of an existing Cloud Monitoring instance. If not supplied, a new instance will be created."
+}
+
+variable "cloud_monitoring_instance_name" {
+ type = string
+ description = "The name of the IBM Cloud Monitoring instance to create. If the prefix variable is passed, the name of the instance is prefixed to the value in the `-value` format."
+ default = "cloud-monitoring"
+}
+
+variable "cloud_monitoring_resource_tags" {
+ type = list(string)
+ description = "Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings)."
+ default = []
+}
+
+variable "cloud_monitoring_access_tags" {
+ type = list(string)
+ description = "A list of access tags to apply to the IBM Cloud Monitoring instance created by the DA. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial."
+ default = []
+}
+
+variable "disable_access_key_creation" {
+ type = bool
+ description = "When set to true, disables the creation of a default manager access key which is required by agents to ingest metrics."
+ default = false
+}
+
+variable "cloud_monitoring_resource_keys" {
+ description = "A list of maps representing resource keys to create for the IBM Cloud Monitoring instance. Each entry defines a single resource key. Use this list to manage custom keys and handle key rotation."
+ type = list(object({
+ name = string
+ generate_hmac_credentials = optional(bool, false) # pragma: allowlist secret
+ role = optional(string, "Manager")
+ service_id_crn = optional(string, null)
+ }))
+ default = []
+}
+
+variable "cloud_monitoring_plan" {
+ type = string
+ description = "The IBM Cloud Monitoring plan to provision. Available values are `lite` and `graduated-tier` and graduated-tier-sysdig-secure-plus-monitor (available in region eu-fr2 only)."
+ default = "graduated-tier"
+
+ validation {
+ condition = can(regex("^lite$|^graduated-tier$|^graduated-tier-sysdig-secure-plus-monitor$", var.cloud_monitoring_plan))
+ error_message = "The plan value must be one of the following: lite, graduated-tier and graduated-tier-sysdig-secure-plus-monitor (available in region eu-fr2 only)."
+ }
+
+ validation {
+ condition = (var.cloud_monitoring_plan != "graduated-tier-sysdig-secure-plus-monitor") || var.region == "eu-fr2"
+ error_message = "When cloud_monitoring_plan is graduated-tier-sysdig-secure-plus-monitor region should be set to eu-fr2."
+ }
+}
+
+variable "enable_platform_metrics" {
+ type = bool
+ description = "When set to `true`, the IBM Cloud Monitoring instance collects the platform metrics."
+ default = false
+}
+
+########################################################################################################################
+# Metrics Routing
+########################################################################################################################
+
+variable "metrics_routing_target_name" {
+ type = string
+ description = "The name of the IBM Cloud Metrics Routing target where metrics are collected. If the prefix variable is passed, the name of the target is prefixed to the value in the `-value` format."
+ default = "cloud-monitoring-target"
+}
+
+variable "metrics_routing_route_name" {
+ type = string
+ description = "The name of the IBM Cloud Metrics Routing route for the default route that indicate what metrics are routed in a region and where to store them. If the prefix variable is passed, the name of the target is prefixed to the value in the `-value` format."
+ default = "metrics-routing-route"
+}
+
+variable "enable_metrics_routing_to_cloud_monitoring" {
+ type = bool
+ description = "Whether to enable metrics routing from IBM Cloud Metric Routing to Cloud Monitoring."
+ default = true
+}
+
+variable "enable_primary_metadata_region" {
+ type = bool
+ description = "When set to `true`, sets `primary_metadata_region` to `region`, storing Metrics Router metadata in that region. When `false`, no region is set and the default global region is used. For new accounts, creating targets and routes will fail until primary_metadata_region is set, so it is recommended to default enable_primary_metadata_region to true."
+ default = true
+}
+
+variable "metrics_router_routes" {
+ type = list(object({
+ name = string
+ rules = list(object({
+ action = string
+ targets = list(object({
+ id = string
+ }))
+ inclusion_filters = list(object({
+ operand = string
+ operator = string
+ values = list(string)
+ }))
+ }))
+ }))
+ default = []
+ description = "Routes for IBM Cloud Metrics Routing."
+}
+
+variable "cloud_monitoring_cbr_rules" {
+ type = list(object({
+ description = string
+ account_id = string
+ rule_contexts = list(object({
+ attributes = optional(list(object({
+ name = string
+ value = string
+ }))) }))
+ enforcement_mode = string
+ operations = optional(list(object({
+ api_types = list(object({
+ api_type_id = string
+ }))
+ })))
+ }))
+ description = "The list of context-based restriction rules to create for the instance."
+ default = []
+ # Validation happens in the rule module
+}
+
+########################################################################################################################
+# Cloud Logs
+########################################################################################################################
+
+variable "existing_cloud_logs_crn" {
+ type = string
+ default = null
+ description = "The CRN of an existing Cloud Logs instance. If not supplied, a new instance will be created."
+}
+
+variable "cloud_logs_instance_name" {
+ type = string
+ description = "The name of the IBM Cloud Logs instance to create. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+ default = "cloud-logs"
+}
+
+variable "cloud_logs_resource_tags" {
+ type = list(string)
+ description = "Tags associated with the IBM Cloud Logs instance (Optional, array of strings)."
+ default = []
+}
+
+variable "cloud_logs_access_tags" {
+ type = list(string)
+ description = "A list of access tags to apply to the IBM Cloud Logs instance created by the DA. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial."
+ default = []
+}
+
+variable "cloud_logs_retention_period" {
+ type = number
+ description = "The number of days IBM Cloud Logs will retain the logs data in Priority insights. Allowed values: 7, 14, 30, 60, 90."
+ default = 7
+
+ validation {
+ condition = contains([7, 14, 30, 60, 90], var.cloud_logs_retention_period)
+ error_message = "Valid values 'cloud_logs_retention_period' are: 7, 14, 30, 60, 90"
+ }
+}
+
+variable "existing_event_notifications_instances" {
+ type = list(object({
+ crn = string
+ integration_name = optional(string)
+ skip_iam_auth_policy = optional(bool, false)
+ }))
+ default = []
+ description = "List of Event Notifications instance details for routing critical events that occur in your IBM Cloud Logs."
+}
+
+variable "cloud_logs_cbr_rules" {
+ type = list(object({
+ description = string
+ account_id = string
+ rule_contexts = list(object({
+ attributes = optional(list(object({
+ name = string
+ value = string
+ }))) }))
+ enforcement_mode = string
+ operations = optional(list(object({
+ api_types = list(object({
+ api_type_id = string
+ }))
+ })))
+ }))
+ description = "(Optional, list) List of context-based restrictions rules to create."
+ default = []
+}
+
+variable "cloud_logs_data_cos_bucket_name" {
+ type = string
+ nullable = true
+ default = "cloud-logs-logs-bucket"
+ description = "The name of an to be given to a new bucket inside the existing Object Storage instance to use for IBM Cloud Logs. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+}
+
+variable "cloud_logs_metrics_cos_bucket_name" {
+ type = string
+ nullable = true
+ default = "cloud-logs-metrics-bucket"
+ description = "The name of an to be given to a new bucket inside the existing Object Storage instance to use for IBM Cloud Logs. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+}
+
+variable "skip_cloud_logs_cos_auth_policy" {
+ type = bool
+ description = "To skip creating an IAM authorization policy that allows the IBM Cloud logs to write to the Cloud Object Storage bucket, set this variable to `true`."
+ default = false
+}
+
+
+
+variable "kms_encryption_enabled_buckets" {
+ description = "Set to true to enable KMS encryption on the Object Storage buckets created for the IBM Cloud Logs instance. When set to true, a value must be passed for either `existing_cluster_kms_key_crn` or `existing_kms_instance_crn` (to create a new key). Can not be set to true if passing a value for `existing_cloud_logs_crn`."
+ type = bool
+ default = false
+ nullable = false
+
+ validation {
+ condition = var.kms_encryption_enabled_buckets ? var.existing_cloud_logs_crn == null : true
+ error_message = "'kms_encryption_enabled_buckets' should be false if passing a value for 'existing_cloud_logs_crn' as existing Cloud Logs instance will already have a bucket attached."
+ }
+
+ validation {
+ condition = var.existing_kms_instance_crn != null ? var.kms_encryption_enabled_buckets : true
+ error_message = "If passing a value for 'existing_kms_instance_crn', you should set 'kms_encryption_enabled_buckets' to true."
+ }
+
+ validation {
+ condition = var.existing_cluster_kms_key_crn != null ? var.kms_encryption_enabled_buckets : true
+ error_message = "If passing a value for 'existing_cluster_kms_key_crn', you should set 'kms_encryption_enabled_buckets' to true."
+ }
+
+ validation {
+ condition = var.kms_encryption_enabled_buckets ? ((var.existing_cluster_kms_key_crn != null || var.existing_kms_instance_crn != null) ? true : false) : true
+ error_message = "Either 'existing_cluster_kms_key_crn' or 'existing_kms_instance_crn' is required if 'kms_encryption_enabled_buckets' is set to true."
+ }
+}
+
+variable "append_random_bucket_name_suffix" {
+ type = bool
+ description = "Append random generated suffix (4 characters long) to the newly provisioned IBM Cloud Logs Object Storage bucket names."
+ default = true
+}
+
+variable "management_endpoint_type_for_buckets" {
+ description = "The type of endpoint for the IBM Terraform provider to use to manage Object Storage buckets. Possible values: `public`, `private`, `direct`. If you specify `private`, enable virtual routing and forwarding in your account, and the Terraform runtime must have access to the the IBM Cloud private network."
+ type = string
+ default = "direct"
+ validation {
+ condition = contains(["public", "private", "direct"], var.management_endpoint_type_for_buckets)
+ error_message = "The specified management_endpoint_type_for_buckets is not a valid selection!"
+ }
+}
+
+variable "cos_buckets_class" {
+ type = string
+ default = "smart"
+ description = "The storage class of the newly provisioned IBM Cloud Logs Object Storage buckets. Possible values: `standard` or `smart`. Applies only if `existing_cloud_logs_crn` is not provided."
+ validation {
+ condition = contains(["standard", "smart"], var.cos_buckets_class)
+ error_message = "Allowed values for cos_bucket_class are \"standard\" or \"smart\"."
+ }
+}
+
+##############################################################################
+# Logs Routing
+##############################################################################
+
+variable "logs_routing_tenant_regions" {
+ type = list(any)
+ default = []
+ description = "Pass a list of regions to create a tenant for that is targeted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. NOTE: You can only have 1 tenant per region in an account."
+ nullable = false
+}
+
+variable "skip_logs_routing_auth_policy" {
+ description = "Whether to create an IAM authorization policy that permits the Logs Routing server 'Sender' access to the IBM Cloud Logs instance created by this Deployable Architecture."
+ type = bool
+ default = false
+}
+
+variable "logs_policies" {
+ type = list(object({
+ logs_policy_name = string
+ logs_policy_description = optional(string, null)
+ logs_policy_priority = string
+ application_rule = optional(list(object({
+ name = string
+ rule_type_id = string
+ })))
+ subsystem_rule = optional(list(object({
+ name = string
+ rule_type_id = string
+ })))
+ log_rules = optional(list(object({
+ severities = list(string)
+ })))
+ archive_retention = optional(list(object({
+ id = string
+ })))
+ }))
+ description = "Configuration of Cloud Logs policies."
+ default = []
+
+ validation {
+ condition = alltrue([for config in var.logs_policies : (length(config.logs_policy_name) <= 4096 ? true : false)])
+ error_message = "Maximum length of logs_policy_name allowed is 4096 chars."
+ }
+
+ validation {
+ condition = alltrue([for config in var.logs_policies : contains(["type_unspecified", "type_block", "type_low", "type_medium", "type_high"], config.logs_policy_priority)])
+ error_message = "The specified priority for logs policy is not a valid selection. Allowed values are: type_unspecified, type_block, type_low, type_medium, type_high."
+ }
+
+ validation {
+ condition = alltrue(
+ [for config in var.logs_policies :
+ (config.application_rule != null ?
+ (alltrue([for rule in config.application_rule :
+ contains(["unspecified", "is", "is_not", "start_with", "includes"], rule.rule_type_id)]))
+ : true)
+ ])
+ error_message = "Identifier of application_rule 'rule_type_id' is not a valid selection. Allowed values are: unspecified, is, is_not, start_with, includes."
+ }
+
+ validation {
+ condition = alltrue(
+ [for config in var.logs_policies :
+ (config.application_rule != null ?
+ (alltrue([for rule in config.application_rule :
+ can(regex("^[\\p{L}\\p{N}\\p{P}\\p{Z}\\p{S}\\p{M}]+$", rule.name)) && length(rule.name) <= 4096 && length(rule.name) > 1]))
+ : true)
+ ])
+ error_message = "The name of the application_rule does not meet the required criteria."
+ }
+
+ validation {
+ condition = alltrue(
+ [for config in var.logs_policies :
+ (config.log_rules != null && length(config.log_rules) > 0 ? true : false)
+ ])
+ error_message = "The log_rules can not be empty and must contain at least 1 item."
+ }
+
+ validation {
+ condition = alltrue(
+ [for config in var.logs_policies :
+ (config.log_rules != null ?
+ (alltrue([for rule in config.log_rules :
+ alltrue([for severity in rule["severities"] :
+ contains(["unspecified", "debug", "verbose", "info", "warning", "error", "critical"], severity)])]))
+ : true
+ )])
+ error_message = "The 'severities' of log_rules is not a valid selection. Allowed values are: unspecified, debug, verbose, info, warning, error, critical."
+ }
+
+ validation {
+ condition = alltrue(
+ [for config in var.logs_policies :
+ (config.subsystem_rule != null ?
+ (alltrue([for rule in config.subsystem_rule :
+ contains(["unspecified", "is", "is_not", "start_with", "includes"], rule.rule_type_id)]))
+ : true
+ )])
+ error_message = "Identifier of subsystem_rule 'rule_type_id' is not a valid selection. Allowed values are: unspecified, is, is_not, start_with, includes."
+ }
+
+ validation {
+ condition = alltrue(
+ [for config in var.logs_policies :
+ (config.subsystem_rule != null ?
+ (alltrue([for rule in config.subsystem_rule :
+ can(regex("^[\\p{L}\\p{N}\\p{P}\\p{Z}\\p{S}\\p{M}]+$", rule.name)) && length(rule.name) <= 4096 && length(rule.name) > 1]))
+ : true)
+ ])
+ error_message = "The name of the subsystem_rule does not meet the required criteria."
+ }
+
+ validation {
+ condition = alltrue(
+ [for config in var.logs_policies :
+ (config.archive_retention != null ?
+ (alltrue(
+ [for rule in config.archive_retention : can(regex("^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", rule.id))]
+ )) : true
+ )])
+ error_message = "The id of the archive_retention does not meet the required criteria."
+ }
+}
+
+##############################################################################
+# Activity Tracker Event Routing
+##############################################################################
+
+variable "enable_activity_tracker_event_routing_to_cos_bucket" {
+ type = bool
+ description = "When set to `true`, you must provide a value for `existing_cos_instance_crn` to enable event routing from Activity Tracker to a Object Storage bucket."
+ default = true
+
+ validation {
+ condition = var.enable_activity_tracker_event_routing_to_cos_bucket || var.enable_activity_tracker_event_routing_to_cloud_logs
+ error_message = "At least one of 'enable_activity_tracker_event_routing_to_cos_bucket' or 'enable_activity_tracker_event_routing_to_cloud_logs' must be true to route audit events to COS bucket or Cloud Logs instance."
+ }
+
+}
+
+variable "activity_tracker_cos_target_bucket_name" {
+ type = string
+ default = "at-events-cos-bucket"
+ description = "The name of the Cloud Object Storage bucket to create for the Cloud Object Storage target to store AT events. Cloud Object Storage bucket names are globally unique. If the `add_bucket_name_suffix` variable is set to `true`, 4 random characters are added to this name to ensure that the name of the bucket is globally unique. If the prefix input variable is passed, the name of the instance is prefixed to the value in the `-value` format."
+}
+
+variable "existing_activity_tracker_cos_target_bucket_name" {
+ type = string
+ nullable = true
+ default = null
+ description = "The name of an existing bucket within the Cloud Object Storage instance in which to store IBM Cloud Activity Tracker Event Routing. If an existing Cloud Object Storage bucket is not specified, a bucket is created."
+}
+
+variable "existing_activity_tracker_cos_target_bucket_endpoint" {
+ type = string
+ nullable = true
+ default = null
+ description = "The name of an existing Cloud Object Storage bucket endpoint to use for setting up IBM Cloud Activity Tracker Event Routing. If an existing endpoint is not specified, the endpoint of the new Cloud Object Storage bucket is used."
+}
+
+variable "cos_target_name" {
+ type = string
+ description = "Name of the cos target for activity tracker event routing."
+ default = null
+}
+
+variable "cloud_logs_target_name" {
+ type = string
+ description = "Name of the cloud logs target for activity tracker event routing."
+ default = null
+}
+
+variable "activity_tracker_cos_route_name" {
+ type = string
+ description = "Name of the cos route for activity tracker event routing."
+ default = null
+}
+
+variable "activity_tracker_cloud_logs_route_name" {
+ type = string
+ description = "Name of the cloud logs route for activity tracker event routing."
+ default = null
+}
+
+variable "activity_tracker_cos_target_bucket_class" {
+ type = string
+ default = "smart"
+ description = "The storage class of the newly provisioned Cloud Object Storage bucket. Specify one of the following values for the storage class: `standard`, `vault`, `cold`, `smart` (default), or `onerate_active`."
+ validation {
+ condition = contains(["standard", "vault", "cold", "smart", "onerate_active"], var.activity_tracker_cos_target_bucket_class)
+ error_message = "Specify one of the following values for the `cos_bucket_class`: `standard`, `vault`, `cold`, `smart`, or `onerate_active`."
+ }
+}
+
+variable "activity_tracker_cos_bucket_access_tags" {
+ type = list(string)
+ default = []
+ description = "A list of optional access tags to add to the IBM Cloud Activity Tracker Event Routing Cloud Object Storage bucket."
+}
+
+variable "activity_tracker_cos_bucket_retention_policy" {
+ type = object({
+ default = optional(number, 90)
+ maximum = optional(number, 350)
+ minimum = optional(number, 90)
+ permanent = optional(bool, false)
+ })
+ description = "The retention policy of the IBM Cloud Activity Tracker Event Routing COS target bucket."
+ default = null
+}
+
+variable "enable_activity_tracker_event_routing_to_cloud_logs" {
+ type = bool
+ description = "When set to `true`, you must provide a value for `existing_cloud_logs_crn` to enable event routing from Activity Tracker to a Cloud Logs instance."
+ default = true
+}
+
+variable "skip_activity_tracker_cos_auth_policy" {
+ type = bool
+ description = "To skip creating an IAM authorization policy that allows the Activity Tracker to write to the Cloud Object Storage instance, set this variable to `true`."
+ default = false
+}
+
+########################################################################################################################
+# App Config variables
+########################################################################################################################
+
+variable "app_config_name" {
+ type = string
+ description = "Name for the App Configuration service instance."
+ default = "app-config"
+ nullable = false
+}
+
+variable "app_config_plan" {
+ type = string
+ description = "Plan for the App Configuration service instance."
+ default = "enterprise"
+ nullable = false
+}
+
+variable "app_config_service_endpoints" {
+ type = string
+ description = "Service Endpoints for the App Configuration service instance, valid endpoints are public or public-and-private."
+ default = "public-and-private"
+ nullable = false
+
+ validation {
+ condition = contains(["public", "public-and-private"], var.app_config_service_endpoints)
+ error_message = "Value for service endpoints must be one of the following: \"public\" or \"public-and-private\"."
+ }
+}
+
+variable "app_config_collections" {
+ description = "(Optional, list) A list of collections to be added to the App Configuration instance. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-app-configuration/tree/main/solutions/fully-configurable/DA-collections.md)."
+ type = list(object({
+ name = string
+ collection_id = string
+ description = optional(string, null)
+ tags = optional(string, null)
+ }))
+ default = []
+
+ validation {
+ condition = (
+ var.app_config_plan != "lite" ||
+ length(var.app_config_collections) <= 1
+ )
+ error_message = "When using the 'lite' plan, you can define at most 1 App Configuration collection."
+ }
+}
+
+variable "app_config_tags" {
+ type = list(string)
+ description = "Optional list of tags to be added to the App Config instance."
+ default = []
+}
+
+variable "enable_config_aggregator" {
+ description = "Set to true to enable configuration aggregator. By setting to true a trusted profile will be created with the required access to record configuration data from all resources across regions in your account. [Learn more](https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator)."
+ type = bool
+ default = true
+ nullable = false
+
+ # Lite plan does not support enabling Config Aggregator as mention in doc : https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator
+ validation {
+ condition = !(var.enable_config_aggregator && var.app_config_plan == "lite")
+ error_message = "The configuration aggregator cannot be enabled when the app_config_plan is set to 'lite'. Please use a different plan (e.g., 'basic', 'standardv2', or 'enterprise')."
+ }
+}
+
+variable "config_aggregator_trusted_profile_name" {
+ description = "The name to give the trusted profile that will be created if `enable_config_aggregator` is set to `true`. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+ type = string
+ default = "config-aggregator-trusted-profile"
+
+ validation {
+ condition = var.enable_config_aggregator ? var.config_aggregator_trusted_profile_name != null : true
+ error_message = "'config_aggregator_trusted_profile_name' cannot be null if 'enable_config_aggregator' is true."
+ }
+}
+
+variable "config_aggregator_resource_collection_regions" {
+ type = list(string)
+ description = "From which region do you want to collect configuration data? Only applies if `enable_config_aggregator` is set to true."
+ default = ["all"]
+}
+
+variable "config_aggregator_enterprise_id" {
+ type = string
+ description = "If the account is an enterprise account, this value should be set to the enterprise ID (NOTE: This is different to the account ID). "
+ default = null
+
+ validation {
+ condition = !var.enable_config_aggregator ? var.config_aggregator_enterprise_id == null : true
+ error_message = "A value can only be passed for 'config_aggregator_enterprise_id' if 'enable_config_aggregator' is true."
+ }
+}
+
+variable "config_aggregator_enterprise_trusted_profile_name" {
+ description = "The name to give the enterprise viewer trusted profile with that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+ type = string
+ default = "config-aggregator-enterprise-trusted-profile"
+
+ validation {
+ condition = var.enable_config_aggregator && var.config_aggregator_enterprise_id != null ? var.config_aggregator_enterprise_trusted_profile_name != null : true
+ error_message = "'config_aggregator_enterprise_trusted_profile_name' cannot be null if 'enable_config_aggregator' is true and a value is being passed for 'config_aggregator_enterprise_id'."
+ }
+}
+
+variable "config_aggregator_enterprise_trusted_profile_template_name" {
+ description = "The name to give the trusted profile template that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+ type = string
+ default = "config-aggregator-trusted-profile-template"
+
+ validation {
+ condition = var.enable_config_aggregator && var.config_aggregator_enterprise_id != null ? var.config_aggregator_enterprise_trusted_profile_template_name != null : true
+ error_message = "'config_aggregator_enterprise_trusted_profile_template_name' cannot be null if 'enable_config_aggregator' is true and a value is being passed for 'config_aggregator_enterprise_id'."
+ }
+}
+
+variable "config_aggregator_enterprise_account_group_ids_to_assign" {
+ type = list(string)
+ default = ["all"]
+ description = "A list of enterprise account group IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all account groups. Only applies if `enable_config_aggregator` is true and a value is being passed for `config_aggregator_enterprise_id`."
+ nullable = false
+
+ validation {
+ condition = contains(var.config_aggregator_enterprise_account_group_ids_to_assign, "all") ? length(var.config_aggregator_enterprise_account_group_ids_to_assign) == 1 : true
+ error_message = "When specifying 'all' in the list, you cannot add any other values to the list"
+ }
+}
+
+variable "config_aggregator_enterprise_account_ids_to_assign" {
+ type = list(string)
+ default = []
+ description = "A list of enterprise account IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all accounts. Only applies if `enable_config_aggregator` is true and a value is being passed for `config_aggregator_enterprise_id`."
+ nullable = false
+
+ validation {
+ condition = contains(var.config_aggregator_enterprise_account_ids_to_assign, "all") ? length(var.config_aggregator_enterprise_account_ids_to_assign) == 1 : true
+ error_message = "When specifying 'all' in the list, you cannot add any other values to the list"
+ }
+}
+
+variable "skip_app_config_kms_auth_policy" {
+ type = bool
+ description = "Set to true to skip the creation of an IAM authorization policy that permits App configuration instances in the resource group to read the encryption key from the KMS instance in the same account. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the other account."
+ default = false
+}
+
+variable "skip_app_config_event_notifications_auth_policy" {
+ type = bool
+ description = "Set to true to skip the creation of an IAM authorization policy that permits App configuration instances to integrate with Event Notification in the same account."
+ default = false
+}
+
+variable "app_config_event_notifications_source_name" {
+ type = string
+ description = "The name by which Event Notifications source will be created in the existing Event Notification instance."
+ default = "app-config-en"
+}
+
+variable "apprapp_cbr_rules" {
+ type = list(object({
+ description = string
+ account_id = string
+ rule_contexts = list(object({
+ attributes = optional(list(object({
+ name = string
+ value = string
+ }))) }))
+ enforcement_mode = string
+ operations = optional(list(object({
+ api_types = list(object({
+ api_type_id = string
+ }))
+ })))
+ }))
+ description = "The list of context-based restrictions rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/tree/main/solutions/fully-configurable/DA-cbr_rules.md)."
+ default = []
+}
+
+#######################################################################################################################
+# SCC Workload Protection
+#######################################################################################################################
+
+variable "scc_workload_protection_instance_name" {
+ description = "The name for the Workload Protection instance that is created by this solution. Must begin with a letter. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+ type = string
+ default = "scc-workload-protection"
+}
+
+variable "scc_workload_protection_trusted_profile_name" {
+ description = "The name to give the trusted profile that is created by this module if `cspm_enabled` is `true. Must begin with a letter. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+ type = string
+ default = "workload-protection-trusted-profile"
+ validation {
+ condition = can(regex("^[a-zA-Z][a-zA-Z0-9\\-_\\.]+$", var.scc_workload_protection_trusted_profile_name))
+ error_message = "The trusted profile name must begin with a letter and can only contain letters, numbers, hyphens, underscores, and periods."
+ }
+ validation {
+ condition = !(var.cspm_enabled && var.scc_workload_protection_trusted_profile_name == null)
+ error_message = "Cannot be `null` if `cspm_enabled` is `true`."
+ }
+}
+
+variable "scc_workload_protection_instance_tags" {
+ type = list(string)
+ description = "The list of tags to add to the Workload Protection instance."
+ default = []
+}
+
+variable "scc_workload_protection_resource_key_tags" {
+ type = list(string)
+ description = "The tags associated with the Workload Protection resource key."
+ default = []
+}
+
+variable "scc_workload_protection_access_tags" {
+ type = list(string)
+ description = "A list of access tags to apply to the Workload Protection instance. Maximum length: 128 characters. Possible characters are A-Z, 0-9, spaces, underscores, hyphens, periods, and colons."
+ default = []
+
+ validation {
+ condition = alltrue([
+ for tag in var.scc_workload_protection_access_tags : can(regex("[\\w\\-_\\.]+:[\\w\\-_\\.]+", tag)) && length(tag) <= 128
+ ])
+ error_message = "Tags must match the regular expression \"[\\w\\-_\\.]+:[\\w\\-_\\.]+\", see https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits for more details"
+ }
+}
+
+variable "scc_workload_protection_service_plan" {
+ description = "The pricing plan for the Workload Protection instance service. Possible values: `free-trial`, `graduated-tier`."
+ type = string
+ default = "graduated-tier"
+ validation {
+ error_message = "Plan for Workload Protection instances can only be `free-trial` or `graduated-tier`."
+ condition = contains(
+ ["free-trial", "graduated-tier"],
+ var.scc_workload_protection_service_plan
+ )
+ }
+}
+
+variable "cspm_enabled" {
+ description = "Enable Cloud Security Posture Management (CSPM) for the Workload Protection instance. This will create a trusted profile associated with the SCC Workload Protection instance that has viewer / reader access to the App Config service and viewer access to the Enterprise service."
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "scc_wp_cbr_rules" {
+ type = list(object({
+ description = string
+ account_id = string
+ rule_contexts = list(object({
+ attributes = optional(list(object({
+ name = string
+ value = string
+ }))) }))
+ enforcement_mode = string
+ tags = optional(list(object({
+ name = string
+ value = string
+ })), [])
+ operations = optional(list(object({
+ api_types = list(object({
+ api_type_id = string
+ }))
+ })))
+ }))
+ description = "The list of context-based restriction rules to create for the instance."
+ default = []
+ # Validation happens in the rule module
+}
+
+#######################################################################################################################
+# VPC and VPE
+#######################################################################################################################
+
+variable "enable_vpc_flow_logs" {
+ description = "To enable VPC Flow logs, set this to true."
+ type = bool
+ nullable = false
+ default = false
+}
+
+variable "vpc_name" {
+ default = "vpc"
+ description = "Name of the VPC. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+ type = string
+}
+
+variable "flow_logs_cos_bucket_name" {
+ description = "Name of the Cloud Object Storage bucket to be created to collect VPC flow logs."
+ type = string
+ default = "flow-logs-bucket"
+}
+
+variable "vpc_resource_tags" {
+ type = list(string)
+ description = "The list of tags to add to the VPC instance."
+ default = []
+}
+
+variable "vpc_access_tags" {
+ type = list(string)
+ description = "The list of access tags to add to the VPC instance."
+ default = []
+}
+
+variable "vpc_flow_logs_access_tags" {
+ type = list(string)
+ description = "The list of access tags to add to the VPC instance."
+ default = []
+}
+
+variable "flow_logs_cos_bucket_archive_days" {
+ description = "The number of days before the `archive_type` rule action takes effect for the flow logs cloud object storage bucket."
+ type = number
+ default = 90
+}
+
+variable "flow_logs_cos_bucket_archive_type" {
+ description = "The storage class or archive type you want the object to transition to in the flow logs cloud object storage bucket."
+ type = string
+ default = "Glacier"
+ validation {
+ condition = contains(["Glacier", "Accelerated"], var.flow_logs_cos_bucket_archive_type)
+ error_message = "The specified flow_logs_cos_bucket_archive_type is not a valid selection!"
+ }
+}
+
+variable "flow_logs_cos_bucket_expire_days" {
+ description = "The number of days before the expire rule action takes effect for the flow logs cloud object storage bucket."
+ type = number
+ default = 366
+}
+
+variable "flow_logs_cos_bucket_enable_object_versioning" {
+ description = "Set it to true if object versioning is enabled so that multiple versions of an object are retained in the flow logs cloud object storage bucket. Cannot be used if `flow_logs_cos_bucket_enable_retention` is true."
+ type = bool
+ nullable = false
+ default = false
+
+ validation {
+ condition = var.flow_logs_cos_bucket_enable_object_versioning ? (var.flow_logs_cos_bucket_enable_retention ? false : true) : true
+ error_message = "`flow_logs_cos_bucket_enable_object_versioning` cannot set true if `flow_logs_cos_bucket_enable_retention` is true."
+ }
+}
+
+variable "flow_logs_cos_bucket_enable_retention" {
+ description = "Set to true to enable retention for the flow logs cloud object storage bucket."
+ type = bool
+ nullable = false
+ default = false
+}
+
+variable "flow_logs_cos_bucket_default_retention_days" {
+ description = "The number of days that an object can remain unmodified in the flow logs cloud object storage bucket."
+ type = number
+ default = 90
+}
+
+variable "flow_logs_cos_bucket_maximum_retention_days" {
+ description = "The maximum number of days that an object can be kept unmodified in the flow logs cloud object storage."
+ type = number
+ default = 350
+}
+
+variable "flow_logs_cos_bucket_minimum_retention_days" {
+ description = "The minimum number of days that an object must be kept unmodified in the flow logs cloud object storage."
+ type = number
+ default = 90
+}
+
+variable "flow_logs_cos_bucket_enable_permanent_retention" {
+ description = "Whether permanent retention status is enabled for the flow logs cloud object storage bucket."
+ type = bool
+ nullable = false
+ default = false
+}
+
+variable "subnets" {
+ description = "List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addresses. Public gateways will be enabled only in zones where a gateway has been createds."
+ type = object({
+ zone-1 = list(object({
+ name = string
+ cidr = string
+ public_gateway = optional(bool)
+ acl_name = string
+ no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
+ subnet_tags = optional(list(string), [])
+ }))
+ zone-2 = optional(list(object({
+ name = string
+ cidr = string
+ public_gateway = optional(bool)
+ acl_name = string
+ no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
+ subnet_tags = optional(list(string), [])
+ })))
+ zone-3 = optional(list(object({
+ name = string
+ cidr = string
+ public_gateway = optional(bool)
+ acl_name = string
+ no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
+ subnet_tags = optional(list(string), [])
+ })))
+ })
+
+ default = {
+ zone-1 = [
+ {
+ name = "subnet-a"
+ cidr = "10.10.10.0/24"
+ public_gateway = true
+ acl_name = "vpc-acl"
+ no_addr_prefix = false
+ }
+ ],
+ zone-2 = [
+ {
+ name = "subnet-b"
+ cidr = "10.20.10.0/24"
+ public_gateway = true
+ acl_name = "vpc-acl"
+ no_addr_prefix = false
+ }
+ ],
+ zone-3 = [
+ {
+ name = "subnet-c"
+ cidr = "10.30.10.0/24"
+ public_gateway = true
+ acl_name = "vpc-acl"
+ no_addr_prefix = false
+ }
+ ]
+ }
+
+ validation {
+ condition = alltrue([for key, value in var.subnets : value != null ? length([for subnet in value : subnet.public_gateway if subnet.public_gateway]) > 1 ? false : true : true])
+ error_message = "var.subnets has more than one public gateway in a zone. Only one public gateway can be attached to a zone for the virtual private cloud."
+ }
+}
+
+variable "default_network_acl_name" {
+ description = "Name of the Default ACL. If null, a name will be automatically generated."
+ type = string
+ default = null
+}
+
+variable "default_security_group_name" {
+ description = "Name of the Default Security Group. If null, a name will be automatically generated."
+ type = string
+ default = null
+}
+
+variable "default_routing_table_name" {
+ description = "Name of the Default Routing Table. If null, a name will be automatically generated."
+ type = string
+ default = null
+}
+
+variable "network_acls" {
+ description = "The list of ACLs to create. Provide at least one rule for each ACL."
+ type = list(
+ object({
+ name = string
+ add_ibm_cloud_internal_rules = optional(bool)
+ add_vpc_connectivity_rules = optional(bool)
+ prepend_ibm_rules = optional(bool)
+ rules = list(
+ object({
+ name = string
+ action = string
+ destination = string
+ direction = string
+ source = string
+ tcp = optional(
+ object({
+ port_max = optional(number)
+ port_min = optional(number)
+ source_port_max = optional(number)
+ source_port_min = optional(number)
+ })
+ )
+ udp = optional(
+ object({
+ port_max = optional(number)
+ port_min = optional(number)
+ source_port_max = optional(number)
+ source_port_min = optional(number)
+ })
+ )
+ icmp = optional(
+ object({
+ type = optional(number)
+ code = optional(number)
+ })
+ )
+ })
+ )
+ })
+ )
+
+ default = [
+ {
+ name = "vpc-acl"
+ add_ibm_cloud_internal_rules = true
+ add_vpc_connectivity_rules = true
+ prepend_ibm_rules = true
+ rules = [
+ {
+ name = "allow-443-inbound-source"
+ action = "allow"
+ direction = "inbound"
+ tcp = {
+ source_port_min = 443
+ source_port_max = 443
+ }
+ destination = "0.0.0.0/0"
+ source = "0.0.0.0/0"
+ },
+ {
+ name = "allow-443-inbound-dest"
+ action = "allow"
+ direction = "inbound"
+ tcp = {
+ port_max = 443
+ port_min = 443
+ }
+ destination = "0.0.0.0/0"
+ source = "0.0.0.0/0"
+ },
+ {
+ name = "allow-all-80-inbound"
+ action = "allow"
+ direction = "inbound"
+ tcp = {
+ source_port_min = 80
+ source_port_max = 80
+ }
+ destination = "0.0.0.0/0"
+ source = "0.0.0.0/0"
+ },
+ {
+ name = "allow-all-ingress-inbound"
+ action = "allow"
+ direction = "inbound"
+ tcp = {
+ source_port_min = 30000
+ source_port_max = 32767
+ }
+ destination = "0.0.0.0/0"
+ source = "0.0.0.0/0"
+ },
+ {
+ name = "allow-443-outbound-source"
+ action = "allow"
+ direction = "outbound"
+ tcp = {
+ source_port_min = 443
+ source_port_max = 443
+ }
+ destination = "0.0.0.0/0"
+ source = "0.0.0.0/0"
+ },
+ {
+ name = "allow-443-outbound-dest"
+ action = "allow"
+ direction = "outbound"
+ tcp = {
+ port_min = 443
+ port_max = 443
+ }
+ destination = "0.0.0.0/0"
+ source = "0.0.0.0/0"
+ },
+ {
+ name = "allow-all-80-outbound"
+ action = "allow"
+ direction = "outbound"
+ tcp = {
+ port_min = 80
+ port_max = 80
+ }
+ destination = "0.0.0.0/0"
+ source = "0.0.0.0/0"
+ },
+ {
+ name = "allow-all-ingress-outbound"
+ action = "allow"
+ direction = "outbound"
+ tcp = {
+ port_min = 30000
+ port_max = 32767
+ }
+ destination = "0.0.0.0/0"
+ source = "0.0.0.0/0"
+ }
+ ]
+ }
+ ]
+
+ validation {
+ error_message = "ACL rule actions can only be `allow` or `deny`."
+ condition = length(distinct(
+ flatten([
+ # Check through rules
+ for rule in flatten([var.network_acls[*].rules]) :
+ # Return false action is not valid
+ false if !contains(["allow", "deny"], rule.action)
+ ])
+ )) == 0
+ }
+
+ validation {
+ error_message = "ACL rule direction can only be `inbound` or `outbound`."
+ condition = length(distinct(
+ flatten([
+ # Check through rules
+ for rule in flatten([var.network_acls[*].rules]) :
+ # Return false if direction is not valid
+ false if !contains(["inbound", "outbound"], rule.direction)
+ ])
+ )) == 0
+ }
+
+ validation {
+ error_message = "ACL rule names must match the regex pattern ^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$."
+ condition = length(distinct(
+ flatten([
+ # Check through rules
+ for rule in flatten([var.network_acls[*].rules]) :
+ # Return false if direction is not valid
+ false if !can(regex("^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$", rule.name))
+ ])
+ )) == 0
+ }
+
+}
+
+##############################################################################
+# Default Security Group Rules
+##############################################################################
+
+variable "security_group_rules" {
+ description = "A list of security group rules to be added to the default vpc security group (default empty)."
+ default = []
+ type = list(
+ object({
+ name = string
+ direction = string
+ remote = optional(string)
+ local = optional(string)
+ ip_version = optional(string)
+ tcp = optional(
+ object({
+ port_max = optional(number)
+ port_min = optional(number)
+ })
+ )
+ udp = optional(
+ object({
+ port_max = optional(number)
+ port_min = optional(number)
+ })
+ )
+ icmp = optional(
+ object({
+ type = optional(number)
+ code = optional(number)
+ })
+ )
+ })
+ )
+
+ validation {
+ error_message = "Security group rule direction can only be `inbound` or `outbound`."
+ condition = (var.security_group_rules == null || length(var.security_group_rules) == 0) ? true : length(distinct(
+ flatten([
+ # Check through rules
+ for rule in var.security_group_rules :
+ # Return false if direction is not valid
+ false if !contains(["inbound", "outbound"], rule.direction)
+ ])
+ )) == 0
+ }
+
+ validation {
+ error_message = "Security group rule names must match the regex pattern ^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$."
+ condition = (var.security_group_rules == null || length(var.security_group_rules) == 0) ? true : length(distinct(
+ flatten([
+ # Check through rules
+ for rule in var.security_group_rules :
+ # Return false if direction is not valid
+ false if !can(regex("^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$", rule.name))
+ ])
+ )) == 0
+ }
+}
+
+variable "clean_default_security_group_acl" {
+ description = "Remove all rules from the default VPC security group and VPC ACL (less permissive)."
+ type = bool
+ nullable = false
+ default = true
+}
+
+##############################################################################
+# Address Prefixes
+##############################################################################
+
+variable "address_prefixes" {
+ description = "The IP range that will be defined for the VPC for a certain location. Use only with manual address prefixes."
+ type = object({
+ zone-1 = optional(list(string))
+ zone-2 = optional(list(string))
+ zone-3 = optional(list(string))
+ })
+ default = {
+ zone-1 = null
+ zone-2 = null
+ zone-3 = null
+ }
+ validation {
+ error_message = "Keys for `use_public_gateways` must be in the order `zone-1`, `zone-2`, `zone-3`."
+ condition = var.address_prefixes == null ? true : (
+ (length(var.address_prefixes) == 1 && keys(var.address_prefixes)[0] == "zone-1") ||
+ (length(var.address_prefixes) == 2 && keys(var.address_prefixes)[0] == "zone-1" && keys(var.address_prefixes)[1] == "zone-2") ||
+ (length(var.address_prefixes) == 3 && keys(var.address_prefixes)[0] == "zone-1" && keys(var.address_prefixes)[1] == "zone-2") && keys(var.address_prefixes)[2] == "zone-3"
+ )
+ }
+}
+
+##############################################################################
+# Add routes to VPC
+##############################################################################
+
+variable "routes" {
+ description = "Allows you to specify the next hop for packets based on their destination address."
+ type = list(
+ object({
+ name = string
+ route_direct_link_ingress = optional(bool)
+ route_transit_gateway_ingress = optional(bool)
+ route_vpc_zone_ingress = optional(bool)
+ routes = optional(
+ list(
+ object({
+ action = optional(string)
+ zone = number
+ destination = string
+ next_hop = string
+ })
+ ))
+ })
+ )
+ default = []
+}
+
+variable "skip_vpc_cos_iam_auth_policy" {
+ description = "To skip creating an IAM authorization policy that allows the VPC to access the Cloud Object Storage, set this variable to `true`. Required only if `enable_vpc_flow_logs` is set to true."
+ type = bool
+ nullable = false
+ default = false
+}
+
+variable "vpn_gateways" {
+ description = "List of VPN Gateways to create."
+ nullable = false
+ type = list(
+ object({
+ name = string
+ subnet_name = string # Do not include prefix, use same name as in `var.subnets`
+ mode = optional(string)
+ resource_group = optional(string)
+ access_tags = optional(list(string), [])
+ })
+ )
+
+ default = []
+}
+
+variable "vpe_gateway_cloud_services" {
+ description = "The list of cloud services used to create endpoint gateways. If `vpe_name` is not specified in the list, VPE names are created in the format `--`."
+ type = set(object({
+ service_name = string
+ vpe_name = optional(string), # Full control on the VPE name. If not specified, the VPE name will be computed based on prefix, vpc name and service name.
+ allow_dns_resolution_binding = optional(bool, false)
+ }))
+ default = []
+}
+
+variable "vpe_gateway_cloud_service_by_crn" {
+ description = "The list of cloud service CRNs used to create endpoint gateways. Use this list to identify services that are not supported by service name in the `cloud_services` variable. For a list of supported services, see [VPE-enabled services](https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-supported-services). If `service_name` is not specified, the CRN is used to find the name. If `vpe_name` is not specified in the list, VPE names are created in the format `--`."
+ type = set(
+ object({
+ crn = string
+ vpe_name = optional(string) # Full control on the VPE name. If not specified, the VPE name will be computed based on prefix, vpc name and service name.
+ service_name = optional(string) # Name of the service used to compute the name of the VPE. If not specified, the service name will be obtained from the crn.
+ allow_dns_resolution_binding = optional(bool, true)
+ })
+ )
+ default = []
+}
+
+variable "vpe_gateway_service_endpoints" {
+ description = "Service endpoints to use to create endpoint gateways. Can be `public`, or `private`."
+ type = string
+ default = "private"
+
+ validation {
+ error_message = "Service endpoints can only be `public` or `private`."
+ condition = contains(["public", "private"], var.vpe_gateway_service_endpoints)
+ }
+}
+
+variable "vpe_gateway_security_group_ids" {
+
+ # Currently unused — the DA doesn't create any custom security groups.
+ # The default security group (automatically created with the VPC) is attached to the VPE gateway since no other security groups are present.
+ # May be useful in the future when DA supports using an existing VPC with custom security groups or if DA supports creating additional security groups we can take `vpe_gateway_security_group_names` as input.
+
+ description = "List of security group ids to attach to each endpoint gateway."
+ type = list(string)
+ default = null # Let this default value be null instead of []. Provider issue - https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4546
+}
+
+variable "vpe_gateway_reserved_ips" {
+ description = "Map of existing reserved IP names and values. Leave this value as default if you want to create new reserved ips, this value is used when a user passes their existing reserved ips created here and not attempt to recreate those."
+ type = object({
+ name = optional(string) # reserved ip name
+ })
+ default = {}
+}
+
+########################################################################################################################
+# OCP VPC cluster
+########################################################################################################################
+
+variable "cluster_name" {
+ type = string
+ description = "The name of the new IBM Cloud OpenShift Cluster. If a `prefix` input variable is specified, it is added to this name in the `-value` format."
+ default = "openshift"
+}
+
+variable "default_worker_pool_machine_type" {
+ type = string
+ description = "The machine type for worker nodes."
+ default = "bx2.4x16"
+ validation {
+ condition = length(regexall("^[a-z0-9]+(?:\\.[a-z0-9]+)*\\.\\d+x\\d+(?:\\.[a-z0-9]+)?$", var.default_worker_pool_machine_type)) > 0
+ error_message = "Invalid value provided for the machine type."
+ }
+}
+
+variable "default_worker_pool_workers_per_zone" {
+ type = number
+ description = "Number of worker nodes in each zone of the cluster."
+ default = 1
+}
+
+variable "default_worker_pool_operating_system" {
+ type = string
+ description = "The operating system installed on the worker nodes."
+ default = "RHCOS"
+}
+
+variable "default_worker_pool_labels" {
+ type = map(string)
+ description = "A set of key-value labels assigned to the worker pool for identification."
+ default = {}
+}
+
+variable "default_pool_minimum_number_of_nodes" {
+ type = number
+ description = "The minimum number of worker nodes allowed in the pool, ensuring at least one worker is always running."
+ default = 1
+}
+
+variable "default_pool_maximum_number_of_nodes" {
+ type = number
+ description = "The maximum number of worker nodes allowed in the pool, preventing the pool from exceeding three workers."
+ default = 3
+}
+
+variable "additional_security_group_ids" {
+ type = list(string)
+ description = "A list of security group IDs that are attached to the worker nodes for additional network security controls."
+ default = []
+}
+
+variable "additional_worker_pools" {
+ type = list(object({
+ vpc_subnets = optional(list(object({
+ id = string
+ zone = string
+ cidr_block = string
+ })), [])
+ pool_name = string
+ machine_type = string
+ workers_per_zone = number
+ operating_system = string
+ labels = optional(map(string))
+ minSize = optional(number)
+ secondary_storage = optional(string)
+ maxSize = optional(number)
+ enableAutoscaling = optional(bool)
+ additional_security_group_ids = optional(list(string))
+ }))
+ description = "List of additional worker pools."
+ default = []
+}
+
+variable "enable_autoscaling_for_default_pool" {
+ type = bool
+ description = "Set `true` to enable automatic scaling of worker based on workload demand."
+ default = false
+}
+
+variable "addons" {
+ type = object({
+ debug-tool = optional(object({
+ version = optional(string)
+ parameters_json = optional(string)
+ }))
+ image-key-synchronizer = optional(object({
+ version = optional(string)
+ parameters_json = optional(string)
+ }))
+ openshift-data-foundation = optional(object({
+ version = optional(string)
+ parameters_json = optional(string)
+ }))
+ vpc-file-csi-driver = optional(object({
+ version = optional(string)
+ parameters_json = optional(string)
+ }))
+ static-route = optional(object({
+ version = optional(string)
+ parameters_json = optional(string)
+ }))
+ cluster-autoscaler = optional(object({
+ version = optional(string)
+ parameters_json = optional(string)
+ }))
+ vpc-block-csi-driver = optional(object({
+ version = optional(string)
+ parameters_json = optional(string)
+ }))
+ ibm-storage-operator = optional(object({
+ version = optional(string)
+ parameters_json = optional(string)
+ }))
+ openshift-ai = optional(object({
+ version = optional(string)
+ parameters_json = optional(string)
+ }))
+ })
+ description = "Map of OCP cluster add-on versions to install (NOTE: The 'vpc-block-csi-driver' add-on is installed by default for VPC clusters and 'ibm-storage-operator' is installed by default in OCP 4.15 and later, however you can explicitly specify it here if you wish to choose a later version than the default one). [Check supported addons and versions here](https://cloud.ibm.com/docs/containers?topic=containers-supported-cluster-addon-versions)."
+ nullable = false
+ default = {}
+}
+
+variable "openshift_version" {
+ type = string
+ description = "Version of the OpenShift cluster to provision."
+ default = "4.19"
+}
+
+variable "cluster_resource_tags" {
+ type = list(string)
+ description = "Metadata labels describing this cluster deployment, i.e. test."
+ default = []
+}
+
+variable "access_tags" {
+ type = list(string)
+ description = "A list of access tags to apply to the resources created by the module."
+ default = []
+}
+
+variable "ocp_entitlement" {
+ type = string
+ description = "Value that is applied to the entitlements for OCP cluster provisioning."
+ default = null
+}
+
+variable "additional_lb_security_group_ids" {
+ description = "List of additional security group IDs to add to the load balancers associated with the cluster. Ensure that the `number_of_lbs` variable is set to the number of Load Balancers associated with the cluster. This comes in addition to the IBM maintained security group."
+ type = list(string)
+ default = []
+ nullable = false
+}
+
+variable "number_of_lbs" {
+ description = "The total number of Load Balancers in the cluster that should be associated with the security groups defined in `additional_lb_security_group_ids` variable."
+ type = number
+ default = 1
+ nullable = false
+}
+
+variable "additional_vpe_security_group_ids" {
+ description = "Additional security groups to add to all existing load balancers. This comes in addition to the IBM maintained security group."
+ type = object({
+ master = optional(list(string), [])
+ registry = optional(list(string), [])
+ api = optional(list(string), [])
+ })
+ default = {}
+}
+
+variable "allow_default_worker_pool_replacement" {
+ type = bool
+ description = "Set to true to allow the module to recreate a default worker pool. Only use in the case where you are getting an error indicating that the default worker pool cannot be replaced on apply. Once the default worker pool is handled separately, if you wish to make any change to the default worker pool which requires the re-creation of the default pool set this variable to true."
+ default = false
+ nullable = false
+}
+
+variable "attach_ibm_managed_security_group" {
+ description = "Specify whether to attach the IBM-defined default security group (whose name is kube-) to all worker nodes. Only applicable if `custom_security_group_ids` is set."
+ type = bool
+ default = true
+}
+
+variable "cluster_config_endpoint_type" {
+ description = "Specify which type of endpoint to use for cluster config access: 'default', 'private', 'vpe', 'link'. A 'default' value uses the default endpoint of the cluster."
+ type = string
+ default = "default"
+ nullable = false
+}
+
+variable "verify_worker_network_readiness" {
+ type = bool
+ description = "By setting this to true, a script runs kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, set this value to false."
+ default = true
+}
+
+variable "cluster_ready_when" {
+ type = string
+ description = "The cluster is ready based on one of the following:: MasterNodeReady (not recommended), OneWorkerNodeReady, Normal, IngressReady."
+ default = "IngressReady"
+}
+
+variable "custom_security_group_ids" {
+ description = "Security groups to add to all worker nodes. This comes in addition to the IBM maintained security group if `attach_ibm_managed_security_group` is set to true. If this variable is set, the default VPC security group is NOT assigned to the worker nodes."
+ type = list(string)
+ default = null
+}
+
+variable "allow_outbound_traffic" {
+ type = bool
+ description = "Set to true to allow public outbound access from the cluster workers."
+ default = true
+}
+
+variable "allow_public_access_to_cluster_management" {
+ type = bool
+ description = "Set to true to access the cluster through a public cloud service endpoint."
+ default = true
+}
+
+variable "enable_ocp_console" {
+ description = "Flag to specify whether to enable or disable the OpenShift console. If set to `null` the module does not modify the current setting on the cluster. Keep in mind that when this input is set to `true` or `false` on a cluster with private only endpoint enabled, the runtime must be able to access the private endpoint."
+ type = bool
+ default = null
+ nullable = true
+}
+
+variable "ignore_worker_pool_size_changes" {
+ type = bool
+ description = "Enable if using worker autoscaling. Stops Terraform managing worker count."
+ default = false
+}
+
+variable "manage_all_addons" {
+ type = bool
+ default = false
+ nullable = false
+ description = "Instructs deployable architecture to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this deployable architecture destroys any addons that were installed by other sources."
+}
+
+variable "pod_subnet_cidr" {
+ type = string
+ description = "Specify a custom subnet CIDR to provide private IP addresses for pods. The subnet must have a CIDR of at least `/23` or larger. Default value is `172.30.0.0/16` when the variable is set to `null`."
+ default = null
+}
+
+variable "service_subnet_cidr" {
+ type = string
+ description = "Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`."
+ default = null
+}
+
+variable "worker_pools_taints" {
+ type = map(list(object({ key = string, value = string, effect = string })))
+ description = "Optional, Map of lists containing node taints by node-pool name."
+ default = null
+}
+
+variable "enable_secrets_manager_integration" {
+ type = bool
+ description = "Integrate with IBM Cloud Secrets Manager so you can centrally manage Ingress subdomain certificates and other secrets."
+ default = true
+ nullable = false
+}
+
+variable "secrets_manager_secret_group_id" {
+ type = string
+ description = "Secret group ID where Ingress secrets are stored in the Secrets Manager instance. If 'enable_secrets_manager_integration' is set to true and 'secrets_manager_secret_group_id' is not provided, a new group will be created with the same name as cluster_id."
+ default = null
+}
+
+variable "skip_ocp_secrets_manager_iam_auth_policy" {
+ type = bool
+ description = "To skip creating auth policy that allows OCP cluster 'Manager' role access in the existing Secrets Manager instance for managing ingress certificates."
+ default = false
+}
+
+variable "ocp_cbr_rules" {
+ type = list(object({
+ description = string
+ account_id = string
+ rule_contexts = list(object({
+ attributes = optional(list(object({
+ name = string
+ value = string
+ }))) }))
+ enforcement_mode = string
+ tags = optional(list(object({
+ name = string
+ value = string
+ })), [])
+ operations = optional(list(object({
+ api_types = list(object({
+ api_type_id = string
+ }))
+ })))
+ }))
+ description = "The list of context-based restriction rules to create."
+ default = []
+}
diff --git a/modules/containerized_app_landing_zone/version.tf b/modules/containerized_app_landing_zone/version.tf
new file mode 100644
index 00000000..6d52d17c
--- /dev/null
+++ b/modules/containerized_app_landing_zone/version.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_version = ">=1.9.0"
+ required_providers {
+ ibm = {
+ source = "IBM-Cloud/ibm"
+ version = ">= 1.78.2, < 2.0.0"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = ">= 0.9.1, < 1.0.0"
+ }
+ }
+}
diff --git a/tests/other_test.go b/tests/other_test.go
index e25d9e8b..1fa0b7dc 100644
--- a/tests/other_test.go
+++ b/tests/other_test.go
@@ -17,6 +17,7 @@ const advancedExampleDir = "examples/advanced"
const basicExampleDir = "examples/basic"
const fscloudExampleDir = "examples/fscloud"
const crossKmsSupportExampleDir = "examples/cross_kms_support"
+const openshiftLandingZoneExampleDir = "examples/containerized_app_landing_zone"
func setupOptions(t *testing.T, prefix string, terraformDir string, ocpVersion string) *testhelper.TestOptions {
options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
@@ -193,6 +194,55 @@ func TestFSCloudInSchematic(t *testing.T) {
assert.Nil(t, err, "This should not have errored")
}
+func TestOpenshiftLandingZoneExample(t *testing.T) {
+ t.Parallel()
+
+ options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
+ Testing: t,
+ Prefix: "ocp-lz",
+ TarIncludePatterns: []string{
+ "*.tf",
+ openshiftLandingZoneExampleDir + "/*.tf",
+ fullyConfigurableTerraformDir + "/scripts/*.*",
+ "/scripts/*.*",
+ "kubeconfig/*.*",
+ "modules/kube-audit/*.*",
+ "modules/worker-pool/*.*",
+ "modules/kube-audit/kubeconfig/*.*",
+ "modules/kube-audit/scripts/*.*",
+ "modules/kube-audit/helm-charts/kube-audit/*.*",
+ "modules/kube-audit/helm-charts/kube-audit/templates/*.*",
+ "modules/containerized_app_landing_zone/*.tf",
+ },
+ TemplateFolder: openshiftLandingZoneExampleDir,
+ Tags: []string{"openshift-landing-zone-test"},
+ DeleteWorkspaceOnFail: false,
+ WaitJobCompleteMinutes: 240,
+ IgnoreAdds: testhelper.Exemptions{
+ List: []string{
+ "module.openshift_landing_zone.module.scc_wp.restapi_object.cspm",
+ },
+ },
+ IgnoreUpdates: testhelper.Exemptions{
+ List: []string{
+ "module.ocp_base.ibm_container_addons.addons",
+ "module.logs_agent.helm_release.logs_agent",
+ "module.monitoring_agent.helm_release.cloud_monitoring_agent",
+ // Have to ignore account settings as other tests may be updating them concurrently
+ // which can cause consistency test to fail if not ignored.
+ "module.openshift_landing_zone.module.metrics_routing[0].ibm_metrics_router_settings.metrics_router_settings[0]",
+ },
+ },
+ })
+ options.TerraformVars = []testschematic.TestSchematicTerraformVar{
+ {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
+ {Name: "prefix", Value: options.Prefix, DataType: "string"},
+ }
+
+ err := options.RunSchematicTest()
+ assert.Nil(t, err, "This should not have errored")
+}
+
func TestAddonPermutations(t *testing.T) {
testCases := []testaddons.AddonTestCase{
{
