feat: cleanup, updated variables and basic example (#670)

Author: rajatagarwal-ibm

README.md

@@ -158,7 +158,6 @@ To attach access management tags to resources in this module, you need the follo
 | <a name="input_existing_vpc_id"></a> [existing\_vpc\_id](#input\_existing\_vpc\_id) | The ID of the existing vpc. Required if 'create\_vpc' is false. | `string` | `null` | no |
 | <a name="input_hub_vpc_crn"></a> [hub\_vpc\_crn](#input\_hub\_vpc\_crn) | Indicates the crn of the hub VPC for DNS resolution. See https://cloud.ibm.com/docs/vpc?topic=vpc-hub-spoke-model. Mutually exclusive with hub\_vpc\_id. | `string` | `null` | no |
 | <a name="input_hub_vpc_id"></a> [hub\_vpc\_id](#input\_hub\_vpc\_id) | Indicates the id of the hub VPC for DNS resolution. See https://cloud.ibm.com/docs/vpc?topic=vpc-hub-spoke-model. Mutually exclusive with hub\_vpc\_crn. | `string` | `null` | no |
-| <a name="input_ibmcloud_api_visibility"></a> [ibmcloud\_api\_visibility](#input\_ibmcloud\_api\_visibility) | IBM Cloud API visibility used by scripts run in this module. Must be 'public', 'private', or 'public-and-private' | `string` | `"public"` | no |
 | <a name="input_is_flow_log_collector_active"></a> [is\_flow\_log\_collector\_active](#input\_is\_flow\_log\_collector\_active) | Indicates whether the collector is active. If false, this collector is created in inactive mode. | `bool` | `true` | no |
 | <a name="input_manual_servers"></a> [manual\_servers](#input\_manual\_servers) | The DNS server addresses to use for the VPC, replacing any existing servers. All the entries must either have a unique zone\_affinity, or not have a zone\_affinity. | <pre>list(object({<br>    address       = string<br>    zone_affinity = optional(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name to give the newly provisioned VPC. Only used if 'create\_vpc' is true. | `string` | `"dev"` | no |
@@ -171,7 +170,7 @@ To attach access management tags to resources in this module, you need the follo
 | <a name="input_routes"></a> [routes](#input\_routes) | OPTIONAL - Allows you to specify the next hop for packets based on their destination address | <pre>list(<br>    object({<br>      name                          = string<br>      route_direct_link_ingress     = optional(bool)<br>      route_transit_gateway_ingress = optional(bool)<br>      route_vpc_zone_ingress        = optional(bool)<br>      routes = optional(<br>        list(<br>          object({<br>            action      = optional(string)<br>            zone        = number<br>            destination = string<br>            next_hop    = string<br>          })<br>      ))<br>    })<br>  )</pre> | `[]` | no |
 | <a name="input_security_group_rules"></a> [security\_group\_rules](#input\_security\_group\_rules) | A list of security group rules to be added to the default vpc security group (default empty) | <pre>list(<br>    object({<br>      name      = string<br>      direction = string<br>      remote    = string<br>      tcp = optional(<br>        object({<br>          port_max = optional(number)<br>          port_min = optional(number)<br>        })<br>      )<br>      udp = optional(<br>        object({<br>          port_max = optional(number)<br>          port_min = optional(number)<br>        })<br>      )<br>      icmp = optional(<br>        object({<br>          type = optional(number)<br>          code = optional(number)<br>        })<br>      )<br>    })<br>  )</pre> | `[]` | no |
 | <a name="input_skip_custom_resolver_hub_creation"></a> [skip\_custom\_resolver\_hub\_creation](#input\_skip\_custom\_resolver\_hub\_creation) | Indicates whether to skip the configuration of a custom resolver in the hub VPC. Only relevant if enable\_hub is set to true. | `bool` | `false` | no |
-| <a name="input_subnets"></a> [subnets](#input\_subnets) | List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addressess. Public gateways will be enabled only in zones where a gateway has been created | <pre>object({<br>    zone-1 = list(object({<br>      name           = string<br>      cidr           = string<br>      public_gateway = optional(bool)<br>      acl_name       = string<br>    }))<br>    zone-2 = list(object({<br>      name           = string<br>      cidr           = string<br>      public_gateway = optional(bool)<br>      acl_name       = string<br>    }))<br>    zone-3 = list(object({<br>      name           = string<br>      cidr           = string<br>      public_gateway = optional(bool)<br>      acl_name       = string<br>    }))<br>  })</pre> | <pre>{<br>  "zone-1": [<br>    {<br>      "acl_name": "vpc-acl",<br>      "cidr": "10.10.10.0/24",<br>      "name": "subnet-a",<br>      "public_gateway": true<br>    }<br>  ],<br>  "zone-2": [<br>    {<br>      "acl_name": "vpc-acl",<br>      "cidr": "10.20.10.0/24",<br>      "name": "subnet-b",<br>      "public_gateway": true<br>    }<br>  ],<br>  "zone-3": [<br>    {<br>      "acl_name": "vpc-acl",<br>      "cidr": "10.30.10.0/24",<br>      "name": "subnet-c",<br>      "public_gateway": false<br>    }<br>  ]<br>}</pre> | no |
+| <a name="input_subnets"></a> [subnets](#input\_subnets) | List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addressess. Public gateways will be enabled only in zones where a gateway has been created | <pre>object({<br>    zone-1 = list(object({<br>      name           = string<br>      cidr           = string<br>      public_gateway = optional(bool)<br>      acl_name       = string<br>    }))<br>    zone-2 = optional(list(object({<br>      name           = string<br>      cidr           = string<br>      public_gateway = optional(bool)<br>      acl_name       = string<br>    })))<br>    zone-3 = optional(list(object({<br>      name           = string<br>      cidr           = string<br>      public_gateway = optional(bool)<br>      acl_name       = string<br>    })))<br>  })</pre> | <pre>{<br>  "zone-1": [<br>    {<br>      "acl_name": "vpc-acl",<br>      "cidr": "10.10.10.0/24",<br>      "name": "subnet-a",<br>      "public_gateway": true<br>    }<br>  ],<br>  "zone-2": [<br>    {<br>      "acl_name": "vpc-acl",<br>      "cidr": "10.20.10.0/24",<br>      "name": "subnet-b",<br>      "public_gateway": true<br>    }<br>  ],<br>  "zone-3": [<br>    {<br>      "acl_name": "vpc-acl",<br>      "cidr": "10.30.10.0/24",<br>      "name": "subnet-c",<br>      "public_gateway": false<br>    }<br>  ]<br>}</pre> | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | List of Tags for the resource created | `list(string)` | `null` | no |
 | <a name="input_update_delegated_resolver"></a> [update\_delegated\_resolver](#input\_update\_delegated\_resolver) | If set to true, and if the vpc is configured to be a spoke for DNS resolution (enable\_hub\_vpc\_crn or enable\_hub\_vpc\_id set), then the spoke VPC resolver will be updated to a delegated resolver. | `bool` | `false` | no |
 | <a name="input_use_existing_dns_instance"></a> [use\_existing\_dns\_instance](#input\_use\_existing\_dns\_instance) | Whether to use an existing dns instance. If true, existing\_dns\_instance\_id must be set. | `bool` | `false` | no |

dynamic_values.unit_tests.tf

@@ -21,9 +21,9 @@ locals {
 
 locals {
   # tflint-ignore: terraform_unused_declarations
-  assert_route_key_exists = lookup(module.unit_tests.routes, "test-route")
+  assert_route_key_exists = lookup(module.unit_tests.routes, "test-route", [])
   # tflint-ignore: terraform_unused_declarations
-  assert_route_has_route_table = lookup(module.unit_tests.routing_table_route_map, "ut-test-route-route-1")
+  assert_route_has_route_table = lookup(module.unit_tests.routing_table_route_map, "ut-test-route-route-1", [])
 }
 
 ##############################################################################
@@ -36,7 +36,7 @@ locals {
   # tflint-ignore: terraform_unused_declarations
   assert_null_gateways_not_returned = regex("2", tostring(length(keys(module.unit_tests.use_public_gateways))))
   # tflint-ignore: terraform_unused_declarations
-  assert_zone_found_in_map = lookup(module.unit_tests.use_public_gateways, "zone-1")
+  assert_zone_found_in_map = lookup(module.unit_tests.use_public_gateways, "zone-1", [])
   # tflint-ignore: terraform_unused_declarations
   assert_zone_correct_name = regex("us-south-1", module.unit_tests.use_public_gateways["zone-1"])
 }
@@ -49,7 +49,7 @@ locals {
 
 locals {
   # tflint-ignore: terraform_unused_declarations
-  assert_rule_exists_in_map = lookup(module.unit_tests.security_group_rules, "test-rule")
+  assert_rule_exists_in_map = lookup(module.unit_tests.security_group_rules, "test-rule", [])
   # tflint-ignore: terraform_unused_declarations
   assert_rule_has_correct_field = regex("test-rule", module.unit_tests.security_group_rules["test-rule"].name)
 }
@@ -62,7 +62,7 @@ locals {
 
 locals {
   # tflint-ignore: terraform_unused_declarations
-  assert_acl_exists_in_map = lookup(module.unit_tests.acl_map, "acl")
+  assert_acl_exists_in_map = lookup(module.unit_tests.acl_map, "acl", [])
   # tflint-ignore: terraform_unused_declarations
   assert_cluster_rule_exists_in_position_0 = regex("roks-create-worker-nodes-inbound", module.unit_tests.acl_map["acl"].rules[0].name)
   # tflint-ignore: terraform_unused_declarations
@@ -97,7 +97,7 @@ locals {
   # tflint-ignore: terraform_unused_declarations
   assert_even_if_gateway_true_no_pgw_provision_zone_return_null = regex("null", lookup(module.unit_tests.subnet_list[2], "public_gateway", null) == null ? "null" : "error")
   # tflint-ignore: terraform_unused_declarations
-  assert_subnet_exists_in_map = lookup(module.unit_tests.subnet_map, "ut-subnet-1")
+  assert_subnet_exists_in_map = lookup(module.unit_tests.subnet_map, "ut-subnet-1", [])
 }
 
 ##############################################################################

examples/basic/README.md

@@ -1,3 +1,8 @@
 # Basic Example
 
-A very basic example to provision SLZ VPC. It creates VPC with 3 subnets with 1 subnet is publically exposed.
+A simple example to provision a Secure Landing Zone (SLZ) Virtual Private Cloud (VPC).
+
+The following resources are provisioned by this example:
+
+* A new resource group, if an existing one is not passed in.
+* An IBM Virtual Private Cloud (VPC) with a publicly exposed subnet.

examples/basic/main.tf

@@ -29,22 +29,6 @@ module "slz_vpc" {
         public_gateway = true
         acl_name       = "vpc-acl"
       }
-    ],
-    zone-2 = [
-      {
-        name           = "subnet-b"
-        cidr           = "10.20.10.0/24"
-        public_gateway = false
-        acl_name       = "vpc-acl"
-      }
-    ],
-    zone-3 = [
-      {
-        name           = "subnet-c"
-        cidr           = "10.30.10.0/24"
-        public_gateway = false
-        acl_name       = "vpc-acl"
-      }
     ]
   }
 }

examples/hub-spoke-delegated-resolver/README.md

@@ -1,6 +1,6 @@
 # Hub and Spoke VPC Example
 
-This example demostrates how to deploy hub and spoke VPCs, inclusive of enabling DNS-sharing. See https://cloud.ibm.com/docs/vpc?topic=vpc-hub-spoke-model for details.
+This example demonstrates how to deploy hub and spoke VPCs, inclusive of enabling DNS-sharing. See https://cloud.ibm.com/docs/vpc?topic=vpc-hub-spoke-model for details.
 - The 2 VPCs are connected through a transit gateway.
 - The hub VPC is configured with a custom resolver.
 - The spoke VPC is configured with a delegated DNS resolver. DNS requests are resolved by the hub VPC.

landing-zone-submodule/management-vpc/README.md

@@ -30,8 +30,6 @@ No resources.
 | <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | Optional list of access tags to add to the VPC resources that are created | `list(string)` | `[]` | no |
 | <a name="input_address_prefixes"></a> [address\_prefixes](#input\_address\_prefixes) | Use `address_prefixes` only if `use_manual_address_prefixes` is true otherwise prefixes will not be created. Use only if you need to manage prefixes manually. | <pre>object({<br>    zone-1 = optional(list(string))<br>    zone-2 = optional(list(string))<br>    zone-3 = optional(list(string))<br>  })</pre> | `null` | no |
 | <a name="input_classic_access"></a> [classic\_access](#input\_classic\_access) | Optionally allow VPC to access classic infrastructure network | `bool` | `null` | no |
-| <a name="input_clean_default_acl"></a> [clean\_default\_acl](#input\_clean\_default\_acl) | DEPRECATED: if you wish to remove all rules from default VPC ACL and VPC Security Group, you can use the `clean_default_sg_acl` setting. | `bool` | `false` | no |
-| <a name="input_clean_default_security_group"></a> [clean\_default\_security\_group](#input\_clean\_default\_security\_group) | DEPRECATED: if you wish to remove all rules from default VPC Security Groups and VPC ACL, you can use the `clean_default_sg_acl` setting. | `bool` | `false` | no |
 | <a name="input_clean_default_sg_acl"></a> [clean\_default\_sg\_acl](#input\_clean\_default\_sg\_acl) | Remove all rules from the default VPC security group and VPC ACL (less permissive) | `bool` | `false` | no |
 | <a name="input_create_authorization_policy_vpc_to_cos"></a> [create\_authorization\_policy\_vpc\_to\_cos](#input\_create\_authorization\_policy\_vpc\_to\_cos) | Set it to true if authorization policy is required for VPC to access COS | `bool` | `false` | no |
 | <a name="input_default_network_acl_name"></a> [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | Override default ACL name | `string` | `null` | no |
@@ -41,7 +39,6 @@ No resources.
 | <a name="input_enable_vpc_flow_logs"></a> [enable\_vpc\_flow\_logs](#input\_enable\_vpc\_flow\_logs) | Enable VPC Flow Logs, it will create Flow logs collector if set to true | `bool` | `false` | no |
 | <a name="input_existing_cos_bucket_name"></a> [existing\_cos\_bucket\_name](#input\_existing\_cos\_bucket\_name) | Name of the COS bucket to collect VPC flow logs | `string` | `null` | no |
 | <a name="input_existing_cos_instance_guid"></a> [existing\_cos\_instance\_guid](#input\_existing\_cos\_instance\_guid) | GUID of the COS instance to create Flow log collector | `string` | `null` | no |
-| <a name="input_ibmcloud_api_visibility"></a> [ibmcloud\_api\_visibility](#input\_ibmcloud\_api\_visibility) | IBM Cloud API visibility used by scripts run in this module. Must be 'public', 'private', or 'public-and-private' | `string` | `"public"` | no |
 | <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | List of network ACLs to create with VPC | <pre>list(<br>    object({<br>      name                         = string<br>      add_ibm_cloud_internal_rules = optional(bool)<br>      add_vpc_connectivity_rules   = optional(bool)<br>      prepend_ibm_rules            = optional(bool)<br>      rules = list(<br>        object({<br>          name        = string<br>          action      = string<br>          destination = string<br>          direction   = string<br>          source      = string<br>          tcp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          udp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          icmp = optional(<br>            object({<br>              type = optional(number)<br>              code = optional(number)<br>            })<br>          )<br>        })<br>      )<br>    })<br>  )</pre> | <pre>[<br>  {<br>    "add_ibm_cloud_internal_rules": true,<br>    "add_vpc_connectivity_rules": true,<br>    "name": "management-acl",<br>    "prepend_ibm_rules": true,<br>    "rules": []<br>  }<br>]</pre> | no |
 | <a name="input_network_cidrs"></a> [network\_cidrs](#input\_network\_cidrs) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `list(string)` | <pre>[<br>  "10.0.0.0/8"<br>]</pre> | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix that you would like to append to your resources | `string` | `"management"` | no |

landing-zone-submodule/management-vpc/main.tf

@@ -25,5 +25,4 @@ module "management_vpc" {
   existing_cos_instance_guid             = var.existing_cos_instance_guid
   existing_storage_bucket_name           = var.existing_cos_bucket_name
   clean_default_sg_acl                   = var.clean_default_sg_acl
-  ibmcloud_api_visibility                = var.ibmcloud_api_visibility
 }

landing-zone-submodule/management-vpc/variables.tf

@@ -98,37 +98,6 @@ variable "clean_default_sg_acl" {
   default     = false
 }
 
-variable "clean_default_security_group" {
-  description = "DEPRECATED: if you wish to remove all rules from default VPC Security Groups and VPC ACL, you can use the `clean_default_sg_acl` setting."
-  type        = bool
-  default     = false
-  validation {
-    error_message = "DEPRECATED: if you wish to remove all rules from default VPC Security Groups and VPC ACL, you can use the `clean_default_sg_acl` setting."
-    condition     = var.clean_default_security_group == false
-  }
-}
-
-variable "clean_default_acl" {
-  description = "DEPRECATED: if you wish to remove all rules from default VPC ACL and VPC Security Group, you can use the `clean_default_sg_acl` setting."
-  type        = bool
-  default     = false
-  validation {
-    error_message = "DEPRECATED: if you wish to remove all rules from default VPC ACL and VPC Security Group, you can use the `clean_default_sg_acl` setting."
-    condition     = var.clean_default_acl == false
-  }
-}
-
-variable "ibmcloud_api_visibility" {
-  description = "IBM Cloud API visibility used by scripts run in this module. Must be 'public', 'private', or 'public-and-private'"
-  type        = string
-  default     = "public"
-
-  validation {
-    error_message = "IBM Cloud API visibility must be either 'public', 'private', or 'public-and-private'"
-    condition     = (var.ibmcloud_api_visibility == "public") || (var.ibmcloud_api_visibility == "private") || (var.ibmcloud_api_visibility == "public-and-private")
-  }
-}
-
 variable "address_prefixes" {
   description = "Use `address_prefixes` only if `use_manual_address_prefixes` is true otherwise prefixes will not be created. Use only if you need to manage prefixes manually."
   type = object({