feat: Create submodules with defaults aligned with landing-zone workload and management VPCs (#442)

* feat: add landing zone submodule

* fix: plain submodules

* fix: pre-commit fixes

* fix: enable flowlogs and add docs

* fix: pre-commit fixes

* fix: update the acl and use existing cos

* test: add example and update test

* fix: precommit fixes

* fix: update the resource group name

* fix: update docs and add tg

* fix: bug in pr_test

* fix: remove the extra resource groups

* docs: make content more accurate

* docs: make content more accurate

* docs: make content more accurate

* build: ignore false positive cra

* Update examples/landing_zone/README.md

Co-authored-by: Allen Dean <[email protected]>

* Update examples/landing_zone/README.md

Co-authored-by: Allen Dean <[email protected]>

* Update landing-zone-submodule/workload-vpc/README.md

Co-authored-by: Allen Dean <[email protected]>

* Update landing-zone-submodule/management-vpc/README.md

Co-authored-by: Allen Dean <[email protected]>

* Update README.md

Co-authored-by: Allen Dean <[email protected]>

* Update examples/landing_zone/README.md

Co-authored-by: Allen Dean <[email protected]>

* build: fix pre-commit + add cra ignore

---------

Co-authored-by: Vincent Burckhardt <[email protected]>
Co-authored-by: Allen Dean <[email protected]>

Author: 3 people

README.md

@@ -17,6 +17,11 @@ This module creates the following IBM Cloud® Virtual Private Cloud (VPC) net
 
 ![vpc-module](./.docs/vpc-module.png)
 
+## Presets
+
+In addition to this root module, this repository provides two submodules that call the root module with presets and defaults that are aligned with the general [Framework for Financial Services](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-vpc-architecture-about) management and workload VPC topologies. See the [landing-zone-submodules](/landing-zone-submodule/) for details.
+
+
 ## Usage
 ```terraform
 module vpc {
@@ -62,6 +67,7 @@ You need the following permissions to run this module.
 ## Examples
 
 - [ Default Example](examples/default)
+- [ Landing Zone example](examples/landing_zone)
 <!-- END EXAMPLES HOOK -->
 ---
 

common-dev-assets

@@ -35,6 +35,18 @@
             "description:": "Check whether Cloud Object Storage bucket resiliency is set to cross region",
             "ignore_reason": "This module does not create any Cloud object storage bucket and it is used in an example for testing purpose.",
             "is_valid": false
+        },
+        {
+            "scc_goal_id": "3000451",
+            "description:": "Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to any port",
+            "ignore_reason": "False positive introduced in CRA 1.2.1. There is no such allow ingress ACL created by the module. There is a deny rule on 0.0.0.0/0 to any port.",
+            "is_valid": false
+        },
+        {
+            "scc_goal_id": "3000452",
+            "description:": "Check whether Virtual Private Cloud (VPC) network access control lists don't allow egress from 0.0.0.0/0 to any port",
+            "ignore_reason": "False positive introduced in CRA 1.2.1. There is no such allow egress ACL created by the module. There is a deny rule on 0.0.0.0/0 to any port.",
+            "is_valid": false
         }
     ]
 }

cra-tf-validate-ignore-goals.json

@@ -0,0 +1,10 @@
+# Landing Zone example
+
+This example demonstrates how to use the management and workload VPC [modules](../../landing-zone-submodule/) to create a network VPC topology that is aligned with the network segregation key principles of the IBM Cloud [Framework for Financial Services](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-vpc-architecture-connectivity-overview).
+
+The example shows how to use the base modules to create the following topology:
+- A management VPC
+- A workload VPC
+- A transit gateway that connects the two VPCs
+
+:exclamation: **Important:** The topology created in this example does not meet all compliance controls for the IBM Cloud Framework for Financial Services. Use the [terraform-ibm-landing-zone](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone) module to create a fully compliant stack.

examples/landing_zone/README.md

@@ -0,0 +1,68 @@
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-resource-group.git?ref=v1.0.5"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+#############################################################################
+# Provision cloud object storage and bucket
+#############################################################################
+
+module "cos_bucket" {
+  count                 = var.enable_vpc_flow_logs ? 1 : 0
+  source                = "git::https://github.com/terraform-ibm-modules/terraform-ibm-cos.git?ref=v6.0.0"
+  resource_group_id     = module.resource_group.resource_group_id
+  region                = var.region
+  cross_region_location = null
+  cos_instance_name     = "${var.prefix}-vpc-logs-cos"
+  cos_tags              = var.resource_tags
+  bucket_name           = "${var.prefix}-vpc-logs-cos-bucket"
+  encryption_enabled    = false
+  retention_enabled     = false
+}
+
+#############################################################################
+# Provision VPC
+#############################################################################
+
+module "workload_vpc" {
+  source                                 = "../../landing-zone-submodule/workload-vpc/"
+  resource_group_id                      = module.resource_group.resource_group_id
+  region                                 = var.region
+  prefix                                 = var.prefix
+  tags                                   = var.resource_tags
+  enable_vpc_flow_logs                   = var.enable_vpc_flow_logs
+  create_authorization_policy_vpc_to_cos = var.create_authorization_policy_vpc_to_cos
+  existing_cos_instance_guid             = module.cos_bucket[0].cos_instance_guid
+  existing_cos_bucket_name               = module.cos_bucket[0].bucket_name[0]
+}
+
+
+module "management_vpc" {
+  source            = "../../landing-zone-submodule/management-vpc/"
+  resource_group_id = module.resource_group.resource_group_id
+  region            = var.region
+  prefix            = var.prefix
+  tags              = var.resource_tags
+}
+
+
+##############################################################################
+# Transit Gateway connects the 2 VPCs
+##############################################################################
+
+module "tg_gateway_connection" {
+  source                    = "git::https://github.com/terraform-ibm-modules/terraform-ibm-transit-gateway.git?ref=v2.0.2"
+  transit_gateway_name      = "${var.prefix}-tg"
+  region                    = var.region
+  global_routing            = false
+  resource_tags             = var.resource_tags
+  resource_group_id         = module.resource_group.resource_group_id
+  vpc_connections           = [module.workload_vpc.vpc_crn, module.management_vpc.vpc_crn]
+  classic_connections_count = 0
+}

examples/landing_zone/main.tf

@@ -0,0 +1,33 @@
+##############################################################################
+# Outputs
+##############################################################################
+
+output "workload_vpc_name" {
+  description = "VPC name"
+  value       = module.workload_vpc.vpc_name
+}
+
+output "workload_vpc_id" {
+  description = "ID of VPC created"
+  value       = module.workload_vpc.vpc_id
+}
+
+output "workload_vpc_crn" {
+  description = "CRN of VPC created"
+  value       = module.workload_vpc.vpc_crn
+}
+
+output "management_vpc_name" {
+  description = "VPC name"
+  value       = module.management_vpc.vpc_name
+}
+
+output "management_vpc_id" {
+  description = "ID of VPC created"
+  value       = module.management_vpc.vpc_id
+}
+
+output "management_vpc_crn" {
+  description = "CRN of VPC created"
+  value       = module.management_vpc.vpc_crn
+}

examples/landing_zone/outputs.tf

@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}

examples/landing_zone/provider.tf

@@ -0,0 +1,46 @@
+variable "ibmcloud_api_key" {
+  description = "APIkey that's associated with the account to provision resources to"
+  type        = string
+  sensitive   = true
+}
+
+variable "region" {
+  description = "The region to which to deploy the VPC"
+  type        = string
+  default     = "us-south"
+}
+
+variable "prefix" {
+  description = "The prefix that you would like to append to your resources"
+  type        = string
+  default     = "test-landing-zone"
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}
+
+variable "resource_tags" {
+  description = "List of Tags for the resource created"
+  type        = list(string)
+  default     = null
+}
+
+
+##############################################################################
+# VPC flow logs variables
+##############################################################################
+
+variable "enable_vpc_flow_logs" {
+  type        = bool
+  description = "Enable VPC Flow Logs, it will create Flow logs collector if set to true"
+  default     = true
+}
+
+variable "create_authorization_policy_vpc_to_cos" {
+  description = "Set it to true if authorization policy is required for VPC to access COS"
+  type        = bool
+  default     = true
+}

examples/landing_zone/variables.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    # Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = "1.51.0"
+    }
+  }
+}

examples/landing_zone/version.tf

@@ -0,0 +1,57 @@
+# Landing Zone management VPC (standalone)
+
+This specialized submodule calls the root [landing-zone-vpc module](../..) with a preset configuration that results in a management VPC with a topology that is identical to the management VPC that is created by the [terraform-ibm-landing-zone module](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone/tree/main).
+
+You can use this submodule when you need more modularity to create your topology than the terraform-ibm-landing-zone module provides. This submodule provides one of the building blocks for this topology.
+
+See the [Landing Zone example](../../examples/landing_zone/) for runnable code.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_management_vpc"></a> [management\_vpc](#module\_management\_vpc) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_address_prefixes"></a> [address\_prefixes](#input\_address\_prefixes) | Use `address_prefixes` only if `use_manual_address_prefixes` is true otherwise prefixes will not be created. Use only if you need to manage prefixes manually. | <pre>object({<br>    zone-1 = optional(list(string))<br>    zone-2 = optional(list(string))<br>    zone-3 = optional(list(string))<br>  })</pre> | `null` | no |
+| <a name="input_classic_access"></a> [classic\_access](#input\_classic\_access) | Optionally allow VPC to access classic infrastructure network | `bool` | `null` | no |
+| <a name="input_create_authorization_policy_vpc_to_cos"></a> [create\_authorization\_policy\_vpc\_to\_cos](#input\_create\_authorization\_policy\_vpc\_to\_cos) | Set it to true if authorization policy is required for VPC to access COS | `bool` | `false` | no |
+| <a name="input_default_network_acl_name"></a> [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | Override default ACL name | `string` | `null` | no |
+| <a name="input_default_routing_table_name"></a> [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | Override default VPC routing table name | `string` | `null` | no |
+| <a name="input_default_security_group_name"></a> [default\_security\_group\_name](#input\_default\_security\_group\_name) | Override default VPC security group name | `string` | `null` | no |
+| <a name="input_default_security_group_rules"></a> [default\_security\_group\_rules](#input\_default\_security\_group\_rules) | Override default security group rules | <pre>list(<br>    object({<br>      name      = string<br>      direction = string<br>      remote    = string<br>      tcp = optional(<br>        object({<br>          port_max = optional(number)<br>          port_min = optional(number)<br>        })<br>      )<br>      udp = optional(<br>        object({<br>          port_max = optional(number)<br>          port_min = optional(number)<br>        })<br>      )<br>      icmp = optional(<br>        object({<br>          type = optional(number)<br>          code = optional(number)<br>        })<br>      )<br>    })<br>  )</pre> | `[]` | no |
+| <a name="input_enable_vpc_flow_logs"></a> [enable\_vpc\_flow\_logs](#input\_enable\_vpc\_flow\_logs) | Enable VPC Flow Logs, it will create Flow logs collector if set to true | `bool` | `false` | no |
+| <a name="input_existing_cos_bucket_name"></a> [existing\_cos\_bucket\_name](#input\_existing\_cos\_bucket\_name) | Name of the COS bucket to collect VPC flow logs | `string` | `null` | no |
+| <a name="input_existing_cos_instance_guid"></a> [existing\_cos\_instance\_guid](#input\_existing\_cos\_instance\_guid) | GUID of the COS instance to create Flow log collector | `string` | `null` | no |
+| <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | List of network ACLs to create with VPC | <pre>list(<br>    object({<br>      name              = string<br>      add_cluster_rules = optional(bool)<br>      rules = list(<br>        object({<br>          name        = string<br>          action      = string<br>          destination = string<br>          direction   = string<br>          source      = string<br>          tcp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          udp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          icmp = optional(<br>            object({<br>              type = optional(number)<br>              code = optional(number)<br>            })<br>          )<br>        })<br>      )<br>    })<br>  )</pre> | <pre>[<br>  {<br>    "add_ibm_cloud_internal_rules": true,<br>    "add_vpc_connectivity_rules": true,<br>    "name": "management-acl",<br>    "prepend_ibm_rules": true,<br>    "rules": []<br>  }<br>]</pre> | no |
+| <a name="input_network_cidr"></a> [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix that you would like to append to your resources | `string` | `"management"` | no |
+| <a name="input_region"></a> [region](#input\_region) | The region to which to deploy the VPC | `string` | `"au-syd"` | no |
+| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the VPC to be created | `string` | n/a | yes |
+| <a name="input_subnets"></a> [subnets](#input\_subnets) | Object for subnets to be created in each zone, each zone can have any number of subnets | <pre>object({<br>    zone-1 = list(object({<br>      name           = string<br>      cidr           = string<br>      public_gateway = optional(bool)<br>      acl_name       = string<br>    }))<br>    zone-2 = list(object({<br>      name           = string<br>      cidr           = string<br>      public_gateway = optional(bool)<br>      acl_name       = string<br>    }))<br>    zone-3 = list(object({<br>      name           = string<br>      cidr           = string<br>      public_gateway = optional(bool)<br>      acl_name       = string<br>    }))<br>  })</pre> | <pre>{<br>  "zone-1": [<br>    {<br>      "acl_name": "management-acl",<br>      "cidr": "10.10.10.0/24",<br>      "name": "vsi-zone-1",<br>      "public_gateway": false<br>    },<br>    {<br>      "acl_name": "management-acl",<br>      "cidr": "10.10.20.0/24",<br>      "name": "vpe-zone-1",<br>      "public_gateway": false<br>    },<br>    {<br>      "acl_name": "management-acl",<br>      "cidr": "10.10.30.0/24",<br>      "name": "vpn-zone-1",<br>      "public_gateway": false<br>    }<br>  ],<br>  "zone-2": [<br>    {<br>      "acl_name": "management-acl",<br>      "cidr": "10.20.10.0/24",<br>      "name": "vsi-zone-2",<br>      "public_gateway": false<br>    },<br>    {<br>      "acl_name": "management-acl",<br>      "cidr": "10.20.20.0/24",<br>      "name": "vpe-zone-2",<br>      "public_gateway": false<br>    }<br>  ],<br>  "zone-3": [<br>    {<br>      "acl_name": "management-acl",<br>      "cidr": "10.30.10.0/24",<br>      "name": "vsi-zone-3",<br>      "public_gateway": false<br>    },<br>    {<br>      "acl_name": "management-acl",<br>      "cidr": "10.30.20.0/24",<br>      "name": "vpe-zone-3",<br>      "public_gateway": false<br>    }<br>  ]<br>}</pre> | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | List of tags to apply to resources created by this module. | `list(string)` | `[]` | no |
+| <a name="input_use_manual_address_prefixes"></a> [use\_manual\_address\_prefixes](#input\_use\_manual\_address\_prefixes) | Optionally assign prefixes to VPC manually. By default this is false, and prefixes will be created along with subnets | `bool` | `true` | no |
+| <a name="input_use_public_gateways"></a> [use\_public\_gateways](#input\_use\_public\_gateways) | For each `zone` that is set to `true`, a public gateway will be created in that zone | <pre>object({<br>    zone-1 = optional(bool)<br>    zone-2 = optional(bool)<br>    zone-3 = optional(bool)<br>  })</pre> | <pre>{<br>  "zone-1": false,<br>  "zone-2": false,<br>  "zone-3": false<br>}</pre> | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_vpc_crn"></a> [vpc\_crn](#output\_vpc\_crn) | CRN of VPC created |
+| <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | ID of VPC created |
+| <a name="output_vpc_name"></a> [vpc\_name](#output\_vpc\_name) | VPC name |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->