feat: added support to create resources in existing VPC and use existing subnets. See [Existing VPC and subnets Example](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/tree/main/examples/existing_vpc) (#638)

Author: Aayush-Abhyarthi

README.md

@@ -83,6 +83,7 @@ To attach access management tags to resources in this module, you need the follo
 
 - [ Basic Example](examples/basic)
 - [ Default Example](examples/default)
+- [ Existing VPC and subnets Example](examples/existing_vpc)
 - [ Hub and Spoke VPC Example](examples/hub-spoke-delegated-resolver)
 - [ Hub and Spoke VPC with manual DNS resolver Example](examples/hub-spoke-manual-resolver)
 - [ Landing Zone example](examples/landing_zone)
@@ -126,6 +127,8 @@ To attach access management tags to resources in this module, you need the follo
 | [ibm_is_vpc_routing_table_route.routing_table_routes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table_route) | resource |
 | [ibm_resource_instance.dns_instance_hub](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
 | [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [ibm_is_subnet.subnet](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_subnet) | data source |
+| [ibm_is_vpc.vpc](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc) | data source |
 | [ibm_is_vpc_address_prefixes.get_address_prefixes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc_address_prefixes) | data source |
 
 ### Inputs
@@ -137,6 +140,8 @@ To attach access management tags to resources in this module, you need the follo
 | <a name="input_classic_access"></a> [classic\_access](#input\_classic\_access) | OPTIONAL - Classic Access to the VPC | `bool` | `false` | no |
 | <a name="input_clean_default_sg_acl"></a> [clean\_default\_sg\_acl](#input\_clean\_default\_sg\_acl) | Remove all rules from the default VPC security group and VPC ACL (less permissive) | `bool` | `false` | no |
 | <a name="input_create_authorization_policy_vpc_to_cos"></a> [create\_authorization\_policy\_vpc\_to\_cos](#input\_create\_authorization\_policy\_vpc\_to\_cos) | Create authorisation policy for VPC to access COS. Set as false if authorization policy exists already | `bool` | `false` | no |
+| <a name="input_create_subnets"></a> [create\_subnets](#input\_create\_subnets) | Indicates whether user wants to use existing subnets or create new. Set it to true to create new subnets. | `bool` | `true` | no |
+| <a name="input_create_vpc"></a> [create\_vpc](#input\_create\_vpc) | Indicates whether user wants to use an existing vpc or create a new one. Set it to true to create a new vpc | `bool` | `true` | no |
 | <a name="input_default_network_acl_name"></a> [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | OPTIONAL - Name of the Default ACL. If null, a name will be automatically generated | `string` | `null` | no |
 | <a name="input_default_routing_table_name"></a> [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | OPTIONAL - Name of the Default Routing Table. If null, a name will be automatically generated | `string` | `null` | no |
 | <a name="input_default_security_group_name"></a> [default\_security\_group\_name](#input\_default\_security\_group\_name) | OPTIONAL - Name of the Default Security Group. If null, a name will be automatically generated | `string` | `null` | no |
@@ -149,15 +154,17 @@ To attach access management tags to resources in this module, you need the follo
 | <a name="input_existing_cos_instance_guid"></a> [existing\_cos\_instance\_guid](#input\_existing\_cos\_instance\_guid) | GUID of the COS instance to create Flow log collector | `string` | `null` | no |
 | <a name="input_existing_dns_instance_id"></a> [existing\_dns\_instance\_id](#input\_existing\_dns\_instance\_id) | Id of an existing dns instance in which the custom resolver is created. Only relevant if enable\_hub is set to true. | `string` | `null` | no |
 | <a name="input_existing_storage_bucket_name"></a> [existing\_storage\_bucket\_name](#input\_existing\_storage\_bucket\_name) | Name of the COS bucket to collect VPC flow logs | `string` | `null` | no |
+| <a name="input_existing_subnet_ids"></a> [existing\_subnet\_ids](#input\_existing\_subnet\_ids) | The IDs of the existing subnets. Required if 'create\_subnets' is false. | `list(string)` | `null` | no |
+| <a name="input_existing_vpc_id"></a> [existing\_vpc\_id](#input\_existing\_vpc\_id) | The ID of the existing vpc. Required if 'create\_vpc' is false. | `string` | `null` | no |
 | <a name="input_hub_vpc_crn"></a> [hub\_vpc\_crn](#input\_hub\_vpc\_crn) | Indicates the crn of the hub VPC for DNS resolution. See https://cloud.ibm.com/docs/vpc?topic=vpc-hub-spoke-model. Mutually exclusive with hub\_vpc\_id. | `string` | `null` | no |
 | <a name="input_hub_vpc_id"></a> [hub\_vpc\_id](#input\_hub\_vpc\_id) | Indicates the id of the hub VPC for DNS resolution. See https://cloud.ibm.com/docs/vpc?topic=vpc-hub-spoke-model. Mutually exclusive with hub\_vpc\_crn. | `string` | `null` | no |
 | <a name="input_ibmcloud_api_visibility"></a> [ibmcloud\_api\_visibility](#input\_ibmcloud\_api\_visibility) | IBM Cloud API visibility used by scripts run in this module. Must be 'public', 'private', or 'public-and-private' | `string` | `"public"` | no |
 | <a name="input_is_flow_log_collector_active"></a> [is\_flow\_log\_collector\_active](#input\_is\_flow\_log\_collector\_active) | Indicates whether the collector is active. If false, this collector is created in inactive mode. | `bool` | `true` | no |
 | <a name="input_manual_servers"></a> [manual\_servers](#input\_manual\_servers) | The DNS server addresses to use for the VPC, replacing any existing servers. All the entries must either have a unique zone\_affinity, or not have a zone\_affinity. | <pre>list(object({<br>    address       = string<br>    zone_affinity = optional(string)<br>  }))</pre> | `[]` | no |
-| <a name="input_name"></a> [name](#input\_name) | Name for VPC | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | The name to give the newly provisioned VPC. Only used if 'create\_vpc' is true. | `string` | `"dev"` | no |
 | <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | The list of ACLs to create. Provide at least one rule for each ACL. | <pre>list(<br>    object({<br>      name                         = string<br>      add_ibm_cloud_internal_rules = optional(bool)<br>      add_vpc_connectivity_rules   = optional(bool)<br>      prepend_ibm_rules            = optional(bool)<br>      rules = list(<br>        object({<br>          name        = string<br>          action      = string<br>          destination = string<br>          direction   = string<br>          source      = string<br>          tcp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          udp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          icmp = optional(<br>            object({<br>              type = optional(number)<br>              code = optional(number)<br>            })<br>          )<br>        })<br>      )<br>    })<br>  )</pre> | <pre>[<br>  {<br>    "add_ibm_cloud_internal_rules": true,<br>    "add_vpc_connectivity_rules": true,<br>    "name": "vpc-acl",<br>    "prepend_ibm_rules": true,<br>    "rules": []<br>  }<br>]</pre> | no |
 | <a name="input_network_cidrs"></a> [network\_cidrs](#input\_network\_cidrs) | List of Network CIDRs for the VPC. This is used to manage network ACL rules for cluster provisioning. | `list(string)` | <pre>[<br>  "10.0.0.0/8"<br>]</pre> | no |
-| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix that you would like to append to your resources. Explicitly set to null if you do not wish to use a prefix. | `string` | n/a | yes |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | The value that you would like to prefix to the name of the resources provisioned by this module. Explicitly set to null if you do not wish to use a prefix. | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region to which to deploy the VPC | `string` | n/a | yes |
 | <a name="input_resolver_type"></a> [resolver\_type](#input\_resolver\_type) | Resolver type. Can be system or manual. For delegated resolver type, see the update\_delegated\_resolver variable instead. | `string` | `null` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the VPC to be created | `string` | n/a | yes |

default_security_group.tf

@@ -12,7 +12,7 @@ locals {
 
 resource "ibm_is_security_group_rule" "default_vpc_rule" {
   for_each  = local.security_group_rule_object
-  group     = ibm_is_vpc.vpc.default_security_group
+  group     = var.create_vpc == true ? ibm_is_vpc.vpc[0].default_security_group : data.ibm_is_vpc.vpc[0].default_security_group
   direction = each.value.direction
   remote    = each.value.remote
 

examples/existing_vpc/README.md

@@ -0,0 +1,3 @@
+# Existing VPC and subnets Example
+
+An example of calling the module with an existing VPC and subnets.

examples/existing_vpc/main.tf

@@ -0,0 +1,20 @@
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.0"
+  # if an existing resource group is not set (null) create a new one using prefix
+  existing_resource_group_name = var.existing_resource_group_name
+}
+
+module "slz_vpc" {
+  source              = "../../"
+  resource_group_id   = module.resource_group.resource_group_id
+  region              = var.region
+  create_vpc          = false
+  existing_vpc_id     = var.vpc_id
+  create_subnets      = false
+  existing_subnet_ids = var.subnet_ids
+}

examples/existing_vpc/outputs.tf

@@ -0,0 +1,8 @@
+##############################################################################
+# Outputs
+##############################################################################
+
+output "vpc_data" {
+  value       = module.slz_vpc
+  description = "Details of the VPC"
+}

examples/existing_vpc/provider.tf

@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}

examples/existing_vpc/variables.tf

@@ -0,0 +1,24 @@
+variable "ibmcloud_api_key" {
+  description = "APIkey that's associated with the account to provision resources to"
+  type        = string
+  sensitive   = true
+}
+
+variable "region" {
+  description = "The region to which to deploy the VPC"
+  type        = string
+  default     = "us-south"
+}
+variable "vpc_id" {
+  description = "The ID of the VPC where the VSI will be created."
+  type        = string
+}
+variable "subnet_ids" {
+  description = "The ID of the VPC where the VSI will be created."
+  type        = list(string)
+}
+
+variable "existing_resource_group_name" {
+  type        = string
+  description = "An existing resource group name to use for this example."
+}

examples/existing_vpc/version.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.0, <1.6.0"
+  required_providers {
+    # Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = "1.59.0"
+    }
+  }
+}

main.tf

@@ -5,6 +5,12 @@ locals {
   # input variable validation
   # tflint-ignore: terraform_unused_declarations
   validate_default_secgroup_rules = var.clean_default_sg_acl && (var.security_group_rules != null && length(var.security_group_rules) > 0) ? tobool("var.clean_default_sg_acl is true and var.security_group_rules are not empty, which are in direct conflict of each other. If you would like the default VPC Security Group to be empty, you must remove default rules from var.security_group_rules.") : true
+  # tflint-ignore: terraform_unused_declarations
+  validate_existing_vpc_id = !var.create_vpc && var.existing_vpc_id == null ? tobool("If var.create_vpc is false, then provide a value for var.existing_vpc_id to create vpc.") : true
+  # tflint-ignore: terraform_unused_declarations
+  validate_existing_subnet_id = !var.create_subnets && var.existing_subnet_ids == null ? tobool("If var.create_subnet is false, then provide a value for var.existing_subnet_ids to create subnets.") : true
+  # tflint-ignore: terraform_unused_declarations
+  validate_existing_vpc_and_subnet = var.create_vpc == true && var.create_subnets == false ? tobool("If user is not providing a vpc then they should also not be providing a subnet") : true
 
   # tflint-ignore: terraform_unused_declarations
   validate_hub_vpc_input = (var.hub_vpc_id != null && var.hub_vpc_crn != null) ? tobool("var.hub_vpc_id and var.hub_vpc_crn are mutually exclusive. Hence cannot have values at the same time.") : true
@@ -33,6 +39,7 @@ locals {
 ##############################################################################
 
 resource "ibm_is_vpc" "vpc" {
+  count                       = var.create_vpc == true ? 1 : 0
   name                        = var.prefix != null ? "${var.prefix}-${var.name}-vpc" : "${var.name}-vpc"
   resource_group              = var.resource_group_id
   classic_access              = var.classic_access
@@ -94,7 +101,7 @@ resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_id" {
   count = (var.enable_hub == false && var.enable_hub_vpc_id) ? 1 : 0
 
   name   = "${var.prefix}-dns-binding"
-  vpc_id = ibm_is_vpc.vpc.id # Source VPC
+  vpc_id = local.vpc_id # Source VPC
   vpc {
     id = var.hub_vpc_id # Target VPC ID
   }
@@ -103,12 +110,21 @@ resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_id" {
 resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_crn" {
   count  = (var.enable_hub == false && var.enable_hub_vpc_crn) ? 1 : 0
   name   = "${var.prefix}-dns-binding"
-  vpc_id = ibm_is_vpc.vpc.id # Source VPC
+  vpc_id = local.vpc_id # Source VPC
   vpc {
     crn = var.hub_vpc_crn # Target VPC CRN
   }
 }
 
+data "ibm_is_vpc" "vpc" {
+  count      = var.create_vpc == false ? 1 : 0
+  identifier = var.existing_vpc_id
+}
+
+locals {
+  vpc_id = var.create_vpc ? ibm_is_vpc.vpc[0].id : var.existing_vpc_id
+}
+
 # Configure custom resolver on the hub vpc
 resource "ibm_resource_instance" "dns_instance_hub" {
   count             = var.enable_hub && !var.skip_custom_resolver_hub_creation && !var.use_existing_dns_instance ? 1 : 0
@@ -127,7 +143,7 @@ resource "ibm_dns_custom_resolver" "custom_resolver_hub" {
   enabled           = true
 
   dynamic "locations" {
-    for_each = ibm_is_subnet.subnet
+    for_each = local.subnets
     content {
       subnet_crn = locations.value.crn
       enabled    = true
@@ -153,21 +169,21 @@ locals {
 resource "ibm_is_vpc_address_prefix" "address_prefixes" {
   for_each = local.address_prefixes
   name     = each.value.name
-  vpc      = ibm_is_vpc.vpc.id
+  vpc      = local.vpc_id
   zone     = each.value.zone
   cidr     = each.value.cidr
 }
 
 data "ibm_is_vpc_address_prefixes" "get_address_prefixes" {
   depends_on = [ibm_is_vpc_address_prefix.address_prefixes, ibm_is_vpc_address_prefix.subnet_prefix]
-  vpc        = ibm_is_vpc.vpc.id
+  vpc        = local.vpc_id
 }
 ##############################################################################
 
 # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
 resource "time_sleep" "wait_for_authorization_policy" {
-  depends_on = [ibm_iam_authorization_policy.policy]
-
+  depends_on      = [ibm_iam_authorization_policy.policy]
+  count           = (var.enable_vpc_flow_logs) ? ((var.create_authorization_policy_vpc_to_cos) ? 1 : 0) : 0
   create_duration = "30s"
 }
 
@@ -178,15 +194,15 @@ resource "time_sleep" "wait_for_authorization_policy" {
 resource "ibm_is_vpc_routing_table" "route_table" {
   for_each                      = module.dynamic_values.routing_table_map
   name                          = var.prefix != null ? "${var.prefix}-${var.name}-route-${each.value.name}" : "${var.name}-route-${each.value.name}"
-  vpc                           = ibm_is_vpc.vpc.id
+  vpc                           = local.vpc_id
   route_direct_link_ingress     = each.value.route_direct_link_ingress
   route_transit_gateway_ingress = each.value.route_transit_gateway_ingress
   route_vpc_zone_ingress        = each.value.route_vpc_zone_ingress
 }
 
 resource "ibm_is_vpc_routing_table_route" "routing_table_routes" {
   for_each      = module.dynamic_values.routing_table_route_map
-  vpc           = ibm_is_vpc.vpc.id
+  vpc           = local.vpc_id
   routing_table = ibm_is_vpc_routing_table.route_table[each.value.route_table].routing_table
   zone          = "${var.region}-${each.value.zone}"
   name          = each.key
@@ -213,7 +229,7 @@ locals {
 resource "ibm_is_public_gateway" "gateway" {
   for_each       = local.gateway_object
   name           = var.prefix != null ? "${var.prefix}-${var.name}-public-gateway-${each.key}" : "${var.name}-public-gateway-${each.key}"
-  vpc            = ibm_is_vpc.vpc.id
+  vpc            = local.vpc_id
   resource_group = var.resource_group_id
   zone           = each.value
   tags           = var.tags
@@ -247,7 +263,7 @@ resource "ibm_is_flow_log" "flow_logs" {
   count = (var.enable_vpc_flow_logs) ? 1 : 0
 
   name           = var.prefix != null ? "${var.prefix}-${var.name}-logs" : "${var.name}-logs"
-  target         = ibm_is_vpc.vpc.id
+  target         = local.vpc_id
   active         = var.is_flow_log_collector_active
   storage_bucket = var.existing_storage_bucket_name
   resource_group = var.resource_group_id