From 29a907da5c15835344621b0e610d4e17390df7d4 Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Thu, 26 Jun 2025 11:25:02 +0530 Subject: [PATCH 1/4] feat: improve DA user experience --- ibm_catalog.json | 75 ++++++++++--- solutions/fully-configurable/README.md | 131 ---------------------- solutions/fully-configurable/provider.tf | 7 +- solutions/fully-configurable/variables.tf | 14 ++- 4 files changed, 73 insertions(+), 154 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index 8ef6f9e9..c6533b90 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -20,7 +20,7 @@ "solution" ], "short_description": "Automates VPC deployment on IBM Cloud, offering full configurability and flexibility for diverse workloads.", - "long_description": "The Cloud automation for VPC sets up a foundational IBM Cloud [Virtual Private Cloud (VPC)](https://www.ibm.com/cloud/vpc) environment. It lays the groundwork for adding Virtual Servers Instances (VSI) or Red Hat OpenShift clusters and other advanced resources. This can be used as a base deployable architecture for many others deployable architectures like [Cloud automation for Red Hat OpenShift Container Platform on VPC](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-ocp-vpc-1728a4fd-f561-4cf9-82ef-2b1eeb5da1a8-global), [Cloud automation for Red Hat OpenShift AI](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-ocp-ai-ba708aed-bb8a-4ac0-83a7-53a066701db5-global), [Cloud automation for Virtual Servers for Virtual Private Cloud](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-vsi-vpc-28e2b12c-858f-4ae8-8717-60db8cec2e6e-global).
", + "long_description": "The Cloud automation for VPC sets up a foundational IBM Cloud [Virtual Private Cloud (VPC)](https://www.ibm.com/cloud/vpc) environment. It lays the groundwork for adding Virtual Servers Instances (VSI) or Red Hat OpenShift clusters and other advanced resources. This can be used as a base deployable architecture for many others deployable architectures like [Cloud automation for Red Hat OpenShift Container Platform on VPC](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-ocp-vpc-1728a4fd-f561-4cf9-82ef-2b1eeb5da1a8-global), [Cloud automation for Red Hat OpenShift AI](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-ocp-ai-ba708aed-bb8a-4ac0-83a7-53a066701db5-global), [Cloud automation for Virtual Servers for Virtual Private Cloud](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-vsi-vpc-28e2b12c-858f-4ae8-8717-60db8cec2e6e-global).\n\nℹ️ This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/README.md", "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/main/images/vpc_icon.svg", "provider_name": "IBM", 
@@ -93,12 +93,8 @@
 "architecture": {
 "features": [
 {
- "title": "VPC instance",
- "description": "Sets up nd configures a VPC with subnets across three zones and implements ACLs. The predefined ACLs allows traffic on ports 443, 80 and 22."
- },
- {
- "title": "Public Gateway",
- "description": "Configures a public gateway with one of the subnets."
+ "title": " ",
+ "description": "Configured to use IBM secure by default standards, but can be edited to fit your use case."
 }
 ],
 "diagrams": [
@@ -113,6 +109,16 @@
 ]
 },
 "iam_permissions": [
+ {
+ "role_crns": ["crn:v1:bluemix:public:iam::::role:Administrator"],
+ "service_name": "iam-identity",
+ "notes": "[Optional] Required if Cloud automation for account configuration is enabled."
+ },
+ {
+ "role_crns": ["crn:v1:bluemix:public:iam::::role:Viewer"],
+ "service_name": "Resource group only",
+ "notes": "Viewer access is required in the resource group you want to provision in."
+ },
 {
 "role_crns": ["crn:v1:bluemix:public:iam::::role:Administrator"],
 "service_name": "iam-identity",
@@ -121,7 +127,7 @@
 {
 "role_crns": ["crn:v1:bluemix:public:iam::::role:Administrator"],
 "service_name": "is.vpc",
- "notes": "Required for creating Virtual Private Cloud(VPC)."
+ "notes": "Required for creating Virtual Private Cloud(VPC)."
 },
 {
 "service_name": "cloud-object-storage",
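Review bot: The replacement feature text claims "secure by default" while the removed line was the only catalog statement that the predefined ACL admits TCP 443, 80 and 22, and the README rows deleted later in this patch show those default rules with `source` and `destination` of `0.0.0.0/0` in both directions; nothing visible in this patch changes that default, so the deployer loses the one hint that SSH is reachable from the internet unless they edit `network_acls`. The new `"title": " "` is also a whitespace-only heading, presumably a placeholder that was never filled in. I would keep a real title and state the exposure plainly, e.g. `"title": "VPC instance",` and `"description": "Configured to IBM secure-by-default standards where possible. The default network ACL allows inbound and outbound TCP on ports 443, 80 and 22 from 0.0.0.0/0; review and tighten these rules in network_acls for your workload."`.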
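Review bot: The inserted `iam-identity` / Administrator entry duplicates the existing `iam-identity` / Administrator entry that immediately follows it in the context lines, so the catalog now lists account-wide IAM Administrator twice with different notes. Deployers tend to grant everything in this list, and the duplicate blurs whether that role is optional (as the new note says) or unconditionally required (the existing entry's note is outside the hunk, so I cannot tell which reading is intended). I would merge them into one entry whose note states exactly when IAM Administrator is needed, keeping the `[Optional]` qualifier so least privilege holds when account configuration is not enabled. `"service_name": "Resource group only"` is also not a service identifier like the surrounding `is.vpc` and `cloud-object-storage` entries; confirm the catalog renders it as intended rather than treating it as an unknown service.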
@@ -226,25 +232,55 @@ } }, { - "key": "subnets" + "key": "subnets", + "type": "array", + "custom_config": { + "type": "textarea", + "grouping": "deployment", + "original_grouping": "deployment" + } }, { - "key": "network_acls" + "key": "network_acls", + "type": "array", + "custom_config": { + "type": "textarea", + "grouping": "deployment", + "original_grouping": "deployment" + } }, { "key": "address_prefixes" }, { - "key": "security_group_rules" + "key": "security_group_rules", + "type": "array", + "custom_config": { + "type": "textarea", + "grouping": "deployment", + "original_grouping": "deployment" + } }, { "key": "clean_default_security_group_acl" }, { - "key": "vpn_gateways" + "key": "vpn_gateways", + "type": "array", + "custom_config": { + "type": "textarea", + "grouping": "deployment", + "original_grouping": "deployment" + } }, { - "key": "routes" + "key": "routes", + "type": "array", + "custom_config": { + "type": "textarea", + "grouping": "deployment", + "original_grouping": "deployment" + } }, { "key": "vpe_gateway_cloud_services" @@ -253,7 +289,14 @@ "key": "vpe_gateway_cloud_service_by_crn" }, { - "key": "vpe_gateway_security_group_ids" + "key": "vpe_gateway_security_group_ids", + "custom_config": { + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "type": "string" + } + } }, { "key": "vpe_gateway_service_endpoints", @@ -548,9 +591,7 @@ "description": "Configure IBM Cloud Logs, Cloud Monitoring and Activity Tracker event routing for analysing logs and metrics generated by the VPC instance.", "id": "a3137d28-79e0-479d-8a24-758ebd5a0eab-global", "version": "v3.0.3", - "flavors": [ - "instances" - ], + "flavors": ["instances"], "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", "optional": true, "on_by_default": true, diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index da166969..0d9c0bc8 100644 --- a/solutions/fully-configurable/README.md 
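Review bot: `vpe_gateway_security_group_ids` gets `"config_constraints": {"type": "string"}` although the README rows removed later in this patch document the variable as `list(string)` with default `null`, and the other list inputs in the same file (`subnets`, `network_acls`, `security_group_rules`, `vpn_gateways`, `routes`) are declared `"type": "array"` with a textarea. If the variable is still `list(string)`, a string constraint risks the UI submitting a plain string that the Terraform type check rejects, leaving the endpoint gateways without the intended security groups unless the value is fixed by hand. Unless the variable type was changed elsewhere, I would give it the same shape as its siblings, `"type": "array"` plus the textarea `custom_config`, instead of a string constraint.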
+++ b/solutions/fully-configurable/README.md 
@@ -1,134 +1,3 @@ # Cloud automation for VPC (Fully configurable) -### Prerequisites - -- An existing resource group. -- An existing COS istance if VPC flow logs is enabled. -- An existing KMS instance (or key) if encryption of the flow logs COS bucket is required. - -### Configuration - -This solution supports provisioning and configuring the following infrastructure: - -- A VPC -- A Cloud Object Storage bucket which is required to store flow logs -- KMS key-ring and key if existing key is not passed in -- Configures the following for the created VPC: - - subnets - - network ACLs - - security group rules - - address prefixes - - customized routing table and routes - - public gateway - - VPN gateway - - VPE gateway - - flow logs - - -![vpc-deployable-architecture](../../reference-architecture/deployable-architecture-vpc.svg) - :exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers). 
- - - -### Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.0 | -| [ibm](#requirement\_ibm) | 1.79.2 | -| [time](#requirement\_time) | 0.13.1 | - -### Modules - -| Name | Source | Version | -|------|--------|---------| -| [cos\_buckets](#module\_cos\_buckets) | terraform-ibm-modules/cos/ibm//modules/buckets | 9.0.6 | -| [existing\_cos\_crn\_parser](#module\_existing\_cos\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.2.0 | -| [existing\_kms\_instance\_crn\_parser](#module\_existing\_kms\_instance\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.2.0 | -| [existing\_kms\_key\_crn\_parser](#module\_existing\_kms\_key\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.2.0 | -| [kms](#module\_kms) | terraform-ibm-modules/kms-all-inclusive/ibm | 5.1.8 | -| [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.2.1 | -| [vpc](#module\_vpc) | ../../ | n/a | -| [vpe\_gateway](#module\_vpe\_gateway) | terraform-ibm-modules/vpe-gateway/ibm | 4.6.6 | - -### Resources - -| Name | Type | -|------|------| -| [ibm_iam_authorization_policy.cos_kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.79.2/docs/resources/iam_authorization_policy) | resource | -| [time_sleep.wait_for_cross_account_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/0.13.1/docs/resources/sleep) | resource | - -### Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [access\_tags](#input\_access\_tags) | The list of access tags to add to the VPC instance. | `list(string)` | `[]` | no | -| [add\_bucket\_name\_suffix](#input\_add\_bucket\_name\_suffix) | Add a randomly generated suffix that is 4 characters in length, to the name of the newly provisioned Cloud Object Storage bucket. 
Do not use this suffix if you are passing the existing Cloud Object Storage bucket. To manage the name of the Cloud Object Storage bucket manually, use the `flow_logs_cos_bucket_name` variables. | `bool` | `true` | no | -| [address\_prefixes](#input\_address\_prefixes) | The IP range that will be defined for the VPC for a certain location. Use only with manual address prefixes. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#address-prefixes-). |
object({
zone-1 = optional(list(string))
zone-2 = optional(list(string))
zone-3 = optional(list(string))
})
|
{
"zone-1": null,
"zone-2": null,
"zone-3": null
}
| no | -| [clean\_default\_security\_group\_acl](#input\_clean\_default\_security\_group\_acl) | Remove all rules from the default VPC security group and VPC ACL (less permissive) | `bool` | `true` | no | -| [cos\_bucket\_class](#input\_cos\_bucket\_class) | The storage class of the newly provisioned Cloud Object Storage bucket. Specify one of the following values for the storage class: `standard`, `vault`, `cold`, `smart` (default), or `onerate_active`. | `string` | `"standard"` | no | -| [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | Name of the Default ACL. If null, a name will be automatically generated. | `string` | `null` | no | -| [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | Name of the Default Routing Table. If null, a name will be automatically generated. | `string` | `null` | no | -| [default\_security\_group\_name](#input\_default\_security\_group\_name) | Name of the Default Security Group. If null, a name will be automatically generated. | `string` | `null` | no | -| [enable\_vpc\_flow\_logs](#input\_enable\_vpc\_flow\_logs) | To enable VPC Flow logs, set this to true. | `bool` | `false` | no | -| [existing\_cos\_instance\_crn](#input\_existing\_cos\_instance\_crn) | CRN of the existing COS instance. It is only required if `enable_vpc_flow_logs` is set to true and will be used to create the flow logs bucket. | `string` | `null` | no | -| [existing\_flow\_logs\_bucket\_kms\_key\_crn](#input\_existing\_flow\_logs\_bucket\_kms\_key\_crn) | The CRN of the existing root key of key management service (KMS) that is used to encrypt the flow logs Cloud Object Storage bucket. If no value is set for this variable, specify a value for the `existing_kms_instance_crn` variable to create a key ring and key. 
| `string` | `null` | no | -| [existing\_kms\_instance\_crn](#input\_existing\_kms\_instance\_crn) | The CRN of the existing key management service (KMS) that is used to create keys for encrypting the flow logs Cloud Object Storage bucket. Used to create a new KMS key unless an existing key is passed using the `existing_flow_logs_bucket_kms_key_crn` input. | `string` | `null` | no | -| [existing\_resource\_group\_name](#input\_existing\_resource\_group\_name) | The name of an existing resource group to provision the resources. | `string` | `"Default"` | no | -| [flow\_logs\_cos\_bucket\_archive\_days](#input\_flow\_logs\_cos\_bucket\_archive\_days) | The number of days before the `archive_type` rule action takes effect for the flow logs cloud object storage bucket. | `number` | `90` | no | -| [flow\_logs\_cos\_bucket\_archive\_type](#input\_flow\_logs\_cos\_bucket\_archive\_type) | The storage class or archive type you want the object to transition to in the flow logs cloud object storage bucket. | `string` | `"Glacier"` | no | -| [flow\_logs\_cos\_bucket\_default\_retention\_days](#input\_flow\_logs\_cos\_bucket\_default\_retention\_days) | The number of days that an object can remain unmodified in the flow logs cloud object storage bucket. | `number` | `90` | no | -| [flow\_logs\_cos\_bucket\_enable\_object\_versioning](#input\_flow\_logs\_cos\_bucket\_enable\_object\_versioning) | Set it to true if object versioning is enabled so that multiple versions of an object are retained in the flow logs cloud object storage bucket. Cannot be used if `flow_logs_cos_bucket_enable_retention` is true. | `bool` | `false` | no | -| [flow\_logs\_cos\_bucket\_enable\_permanent\_retention](#input\_flow\_logs\_cos\_bucket\_enable\_permanent\_retention) | Whether permanent retention status is enabled for the flow logs cloud object storage bucket. [Learn more](https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-immutable). 
| `bool` | `false` | no | -| [flow\_logs\_cos\_bucket\_enable\_retention](#input\_flow\_logs\_cos\_bucket\_enable\_retention) | Set to true to enable retention for the flow logs cloud object storage bucket. | `bool` | `false` | no | -| [flow\_logs\_cos\_bucket\_expire\_days](#input\_flow\_logs\_cos\_bucket\_expire\_days) | The number of days before the expire rule action takes effect for the flow logs cloud object storage bucket. | `number` | `366` | no | -| [flow\_logs\_cos\_bucket\_maximum\_retention\_days](#input\_flow\_logs\_cos\_bucket\_maximum\_retention\_days) | The maximum number of days that an object can be kept unmodified in the flow logs cloud object storage. | `number` | `350` | no | -| [flow\_logs\_cos\_bucket\_minimum\_retention\_days](#input\_flow\_logs\_cos\_bucket\_minimum\_retention\_days) | The minimum number of days that an object must be kept unmodified in the flow logs cloud object storage. | `number` | `90` | no | -| [flow\_logs\_cos\_bucket\_name](#input\_flow\_logs\_cos\_bucket\_name) | Name of the Cloud Object Storage bucket to be created to collect VPC flow logs. | `string` | `"flow-logs-bucket"` | no | -| [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes | -| [ibmcloud\_kms\_api\_key](#input\_ibmcloud\_kms\_api\_key) | The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance. If not specified, the 'ibmcloud\_api\_key' variable is used. Specify this key if the instance in `existing_kms_instance_crn` is in an account that's different from the Cloud Object Storage instance. Leave this input empty if the same account owns both instances. | `string` | `null` | no | -| [kms\_encryption\_enabled\_bucket](#input\_kms\_encryption\_enabled\_bucket) | Set to true to encrypt the Cloud Object Storage Flow Logs bucket with a KMS key. 
If set to true, a value must be passed for existing\_flow\_logs\_bucket\_kms\_key\_crn (to use that key) or existing\_kms\_instance\_crn (to create a new key). Value cannot be set to true if enable\_vpc\_flow\_logs is set to false. | `bool` | `false` | no | -| [kms\_endpoint\_type](#input\_kms\_endpoint\_type) | The type of endpoint to use for communicating with the KMS. Possible values: `public`, `private`. Applies only if `existing_flow_logs_bucket_kms_key_crn` is not specified. | `string` | `"private"` | no | -| [kms\_key\_name](#input\_kms\_key\_name) | The name of the key to encrypt the flow logs Cloud Object Storage bucket. If an existing key is used, this variable is not required. If the prefix input variable is passed, the name of the key is prefixed to the value in the `-value` format. | `string` | `"flow-logs-cos-key"` | no | -| [kms\_key\_ring\_name](#input\_kms\_key\_ring\_name) | The name of the key ring to create for the Cloud Object Storage bucket key. If an existing key is used, this variable is not required. If the prefix input variable is passed, the name of the key ring is prefixed to the value in the `-value` format. | `string` | `"flow-logs-cos-key-ring"` | no | -| [management\_endpoint\_type\_for\_bucket](#input\_management\_endpoint\_type\_for\_bucket) | The type of endpoint for the IBM Terraform provider to use to manage Cloud Object Storage buckets (`public`, `private`, or `direct`). If you are using a private endpoint, make sure that you enable virtual routing and forwarding (VRF) in your account, and that the Terraform runtime can access the IBM Cloud Private network. | `string` | `"direct"` | no | -| [network\_acls](#input\_network\_acls) | The list of ACLs to create. Provide at least one rule for each ACL. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#network-acls-). |
list(
object({
name = string
add_ibm_cloud_internal_rules = optional(bool)
add_vpc_connectivity_rules = optional(bool)
prepend_ibm_rules = optional(bool)
rules = list(
object({
name = string
action = string
destination = string
direction = string
source = string
tcp = optional(
object({
port_max = optional(number)
port_min = optional(number)
source_port_max = optional(number)
source_port_min = optional(number)
})
)
udp = optional(
object({
port_max = optional(number)
port_min = optional(number)
source_port_max = optional(number)
source_port_min = optional(number)
})
)
icmp = optional(
object({
type = optional(number)
code = optional(number)
})
)
})
)
})
)
|
[
{
"add_ibm_cloud_internal_rules": true,
"add_vpc_connectivity_rules": true,
"name": "vpc-acl",
"prepend_ibm_rules": true,
"rules": [
{
"action": "allow",
"destination": "0.0.0.0/0",
"direction": "inbound",
"name": "allow-all-443-inbound",
"source": "0.0.0.0/0",
"tcp": {
"port_max": 443,
"port_min": 443,
"source_port_max": 443,
"source_port_min": 443
}
},
{
"action": "allow",
"destination": "0.0.0.0/0",
"direction": "inbound",
"name": "allow-all-80-inbound",
"source": "0.0.0.0/0",
"tcp": {
"port_max": 80,
"port_min": 80,
"source_port_max": 80,
"source_port_min": 80
}
},
{
"action": "allow",
"destination": "0.0.0.0/0",
"direction": "inbound",
"name": "allow-all-22-inbound",
"source": "0.0.0.0/0",
"tcp": {
"port_max": 22,
"port_min": 22,
"source_port_max": 22,
"source_port_min": 22
}
},
{
"action": "allow",
"destination": "0.0.0.0/0",
"direction": "outbound",
"name": "allow-all-443-outbound",
"source": "0.0.0.0/0",
"tcp": {
"port_max": 443,
"port_min": 443,
"source_port_max": 443,
"source_port_min": 443
}
},
{
"action": "allow",
"destination": "0.0.0.0/0",
"direction": "outbound",
"name": "allow-all-80-outbound",
"source": "0.0.0.0/0",
"tcp": {
"port_max": 80,
"port_min": 80,
"source_port_max": 80,
"source_port_min": 80
}
},
{
"action": "allow",
"destination": "0.0.0.0/0",
"direction": "outbound",
"name": "allow-all-22-outbound",
"source": "0.0.0.0/0",
"tcp": {
"port_max": 22,
"port_min": 22,
"source_port_max": 22,
"source_port_min": 22
}
}
]
}
]
| no | -| [prefix](#input\_prefix) | The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: prod-0205-vpc. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix). | `string` | n/a | yes | -| [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no | -| [region](#input\_region) | Region to deploy the VPC. | `string` | `"us-south"` | no | -| [resource\_tags](#input\_resource\_tags) | The list of tags to add to the VPC instance. | `list(string)` | `[]` | no | -| [routes](#input\_routes) | Allows you to specify the next hop for packets based on their destination address. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#routes-). |
list(
object({
name = string
route_direct_link_ingress = optional(bool)
route_transit_gateway_ingress = optional(bool)
route_vpc_zone_ingress = optional(bool)
routes = optional(
list(
object({
action = optional(string)
zone = number
destination = string
next_hop = string
})
))
})
)
| `[]` | no | -| [security\_group\_rules](#input\_security\_group\_rules) | A list of security group rules to be added to the default vpc security group (default empty). [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#security-group-rules-). |
list(
object({
name = string
direction = string
remote = optional(string)
tcp = optional(
object({
port_max = optional(number)
port_min = optional(number)
})
)
udp = optional(
object({
port_max = optional(number)
port_min = optional(number)
})
)
icmp = optional(
object({
type = optional(number)
code = optional(number)
})
)
})
)
| `[]` | no | -| [skip\_cos\_kms\_iam\_auth\_policy](#input\_skip\_cos\_kms\_iam\_auth\_policy) | To skip creating an IAM authorization policy that allows Cloud Object Storage(COS) to access KMS key. | `bool` | `false` | no | -| [skip\_vpc\_cos\_iam\_auth\_policy](#input\_skip\_vpc\_cos\_iam\_auth\_policy) | To skip creating an IAM authorization policy that allows the VPC to access the Cloud Object Storage, set this variable to `true`. Required only if `enable_vpc_flow_logs` is set to true. | `bool` | `false` | no | -| [subnets](#input\_subnets) | List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addressess. Public gateways will be enabled only in zones where a gateway has been created. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#subnets-). |
object({
zone-1 = list(object({
name = string
cidr = string
public_gateway = optional(bool)
acl_name = string
no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
subnet_tags = optional(list(string), [])
}))
zone-2 = optional(list(object({
name = string
cidr = string
public_gateway = optional(bool)
acl_name = string
no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
subnet_tags = optional(list(string), [])
})))
zone-3 = optional(list(object({
name = string
cidr = string
public_gateway = optional(bool)
acl_name = string
no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
subnet_tags = optional(list(string), [])
})))
})
|
{
"zone-1": [
{
"acl_name": "vpc-acl",
"cidr": "10.10.10.0/24",
"name": "subnet-a",
"no_addr_prefix": false,
"public_gateway": true
}
],
"zone-2": [
{
"acl_name": "vpc-acl",
"cidr": "10.20.10.0/24",
"name": "subnet-b",
"no_addr_prefix": false,
"public_gateway": false
}
],
"zone-3": [
{
"acl_name": "vpc-acl",
"cidr": "10.30.10.0/24",
"name": "subnet-c",
"no_addr_prefix": false,
"public_gateway": false
}
]
}
| no | -| [vpc\_name](#input\_vpc\_name) | Name of the VPC. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"vpc"` | no | -| [vpe\_gateway\_cloud\_service\_by\_crn](#input\_vpe\_gateway\_cloud\_service\_by\_crn) | The list of cloud service CRNs used to create endpoint gateways. Use this list to identify services that are not supported by service name in the `cloud_services` variable. For a list of supported services, see [VPE-enabled services](https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-supported-services). If `service_name` is not specified, the CRN is used to find the name. If `vpe_name` is not specified in the list, VPE names are created in the format `--`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#vpe-gateway-cloud-service-by-crn-). |
set(
object({
crn = string
vpe_name = optional(string) # Full control on the VPE name. If not specified, the VPE name will be computed based on prefix, vpc name and service name.
service_name = optional(string) # Name of the service used to compute the name of the VPE. If not specified, the service name will be obtained from the crn.
allow_dns_resolution_binding = optional(bool, true)
})
)
| `[]` | no | -| [vpe\_gateway\_cloud\_services](#input\_vpe\_gateway\_cloud\_services) | The list of cloud services used to create endpoint gateways. If `vpe_name` is not specified in the list, VPE names are created in the format `--`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#vpe-gateway-cloud-services-). |
set(object({
service_name = string
vpe_name = optional(string), # Full control on the VPE name. If not specified, the VPE name will be computed based on prefix, vpc name and service name.
allow_dns_resolution_binding = optional(bool, false)
}))
| `[]` | no | -| [vpe\_gateway\_reserved\_ips](#input\_vpe\_gateway\_reserved\_ips) | Map of existing reserved IP names and values. Leave this value as default if you want to create new reserved ips, this value is used when a user passes their existing reserved ips created here and not attempt to recreate those. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#reserved-ips-). |
object({
name = optional(string) # reserved ip name
})
| `{}` | no | -| [vpe\_gateway\_security\_group\_ids](#input\_vpe\_gateway\_security\_group\_ids) | List of security group ids to attach to each endpoint gateway. | `list(string)` | `null` | no | -| [vpe\_gateway\_service\_endpoints](#input\_vpe\_gateway\_service\_endpoints) | Service endpoints to use to create endpoint gateways. Can be `public`, or `private`. | `string` | `"private"` | no | -| [vpn\_gateways](#input\_vpn\_gateways) | List of VPN Gateways to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#vpn-gateways-). |
list(
object({
name = string
subnet_name = string # Do not include prefix, use same name as in `var.subnets`
mode = optional(string)
resource_group = optional(string)
access_tags = optional(list(string), [])
})
)
| `[]` | no | - -### Outputs - -| Name | Description | -|------|-------------| -| [network\_acls](#output\_network\_acls) | List of shortnames and IDs of network ACLs | -| [private\_path\_subnet\_id](#output\_private\_path\_subnet\_id) | The IDs of the subnets | -| [public\_gateways](#output\_public\_gateways) | Map of public gateways by zone | -| [security\_group\_details](#output\_security\_group\_details) | Details of security group. | -| [subnet\_detail\_list](#output\_subnet\_detail\_list) | A list of subnets containing names, CIDR blocks, and zones. | -| [subnet\_detail\_map](#output\_subnet\_detail\_map) | A map of subnets containing IDs, CIDR blocks, and zones | -| [subnet\_ids](#output\_subnet\_ids) | The IDs of the subnets | -| [subnet\_zone\_list](#output\_subnet\_zone\_list) | A list containing subnet IDs and subnet zones | -| [vpc\_crn](#output\_vpc\_crn) | CRN of VPC created | -| [vpc\_flow\_logs](#output\_vpc\_flow\_logs) | Details of VPC flow logs collector | -| [vpc\_id](#output\_vpc\_id) | ID of VPC created | -| [vpc\_name](#output\_vpc\_name) | Name of VPC created | -| [vpe\_crn](#output\_vpe\_crn) | The CRN of the endpoint gateway | -| [vpe\_ips](#output\_vpe\_ips) | The reserved IPs for endpoint gateways. | -| [vpn\_gateways\_data](#output\_vpn\_gateways\_data) | Details of VPN gateways data | -| [vpn\_gateways\_name](#output\_vpn\_gateways\_name) | List of names of VPN gateways. | - diff --git a/solutions/fully-configurable/provider.tf b/solutions/fully-configurable/provider.tf index b97eb3ca..2486a9b1 100644 --- a/solutions/fully-configurable/provider.tf +++ b/solutions/fully-configurable/provider.tf 
@@ -3,9 +3,10 @@
 ########################################################################################################################
 
 provider "ibm" {
- ibmcloud_api_key = var.ibmcloud_api_key
- region = var.region
- visibility = var.provider_visibility
+ ibmcloud_api_key = var.ibmcloud_api_key
+ region = var.region
+ visibility = var.provider_visibility
+ private_endpoint_type = (var.provider_visibility == "private" && var.region == "ca-mon") ? "vpe" : null
 }
 
 provider "ibm" {
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 4e110a6c..00b43f47 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
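Review bot: The new `private_endpoint_type` line hard-codes a single-region special case (`ca-mon` → `"vpe"`) with no comment saying why that region differs or when the override can be dropped, and it falls back to `null` for `public-and-private` visibility in the same region without explanation. The second `provider "ibm"` block visible as context does not receive the same setting; if that is the aliased provider used for the KMS account (its body is outside the hunk), private traffic to ca-mon through it would still use the default endpoint type. I would add a comment above the line, e.g. `# ca-mon: private endpoints are reached through VPE — TODO confirm and remove once the region supports the default private endpoint`, and mirror the expression in the aliased provider if it is also expected to use private endpoints.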
@@ -27,9 +27,15 @@ variable "existing_resource_group_name" { variable "prefix" { type = string - description = "The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: prod-0205-vpc. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix)." + nullable = true + description = "The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: prod-0205-vpc. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md)." validation { + # - null and empty string is allowed + # - Must not contain consecutive hyphens (--): length(regexall("--", var.prefix)) == 0 + # - Starts with a lowercase letter: [a-z] + # - Contains only lowercase letters (a–z), digits (0–9), and hyphens (-) + # - Must not end with a hyphen (-): [a-z0-9] condition = (var.prefix == null || var.prefix == "" ? true : alltrue([ can(regex("^[a-z][-a-z0-9]*[a-z0-9]$", var.prefix)), @@ -38,7 +44,9 @@ variable "prefix" { ) error_message = "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--')." } + validation { + # must not exceed 16 characters in length condition = length(var.prefix) <= 16 error_message = "Prefix must not exceed 16 characters." } 
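Review bot: The new standalone validation `condition = length(var.prefix) <= 16` is not null-safe, while the first validation in the same variable explicitly short-circuits with `var.prefix == null || var.prefix == "" ? true : …` and both the description and the new `nullable = true` promise that null skips the prefix; Terraform's `length()` does not accept a null argument, so `prefix = null` would now fail validation instead of being allowed. Guard it the same way as the first block: `condition = var.prefix == null ? true : length(var.prefix) <= 16`. The `alltrue([...])` body of the first validation continues outside the hunk, so I cannot see whether a length check is also still present there.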
@@ -51,9 +59,9 @@ variable "vpc_name" { } variable "region" { - default = "us-south" - description = "Region to deploy the VPC." type = string + description = "The region to provision all resources in. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/region) about how to select different regions for different services." + default = "us-south" } variable "resource_tags" { From 03d10d312bf12c211a7a745e317ba3419aeb6a60 Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Thu, 26 Jun 2025 11:36:10 +0530 Subject: [PATCH 2/4] updated support_details --- ibm_catalog.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index c6533b90..ec0a3d65 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -74,7 +74,7 @@ "description": "This solution can be integrated with [Cloud automation for Observability](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-observability-a3137d28-79e0-479d-8a24-758ebd5a0eab-global) that supports configuring resources for logging, monitoring and activity tracker event routing." } ], - "support_details": "This product is in the community registry, as such support is handled through the originated repository. If you experience issues, kindly open an issue [here](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/issues). Please note that this product is not currently supported through the IBM Cloud Support Center.", + "support_details": "This product is in the community registry. As such support is handled through the originated repo. If you experience issues, please open an issue in the repository [here](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/issues). Please note this product is not supported via the IBM Cloud Support Center.", "flavors": [ { "label": "Fully configurable", From 7264a6996167c5838ada3e9c07c55d8d6b9c2f3a Mon Sep 17 00:00:00 2001 
From: Khuzaima-Shakeel Date: Thu, 26 Jun 2025 15:18:27 +0530 Subject: [PATCH 3/4] minor fix --- solutions/fully-configurable/outputs.tf | 24 +++++++++++------------ solutions/fully-configurable/variables.tf | 2 +- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/solutions/fully-configurable/outputs.tf b/solutions/fully-configurable/outputs.tf index 0a8cfef0..733e4113 100644 --- a/solutions/fully-configurable/outputs.tf +++ b/solutions/fully-configurable/outputs.tf @@ -3,17 +3,17 @@ ############################################################################## output "vpc_name" { - description = "Name of VPC created" + description = "Name of VPC created." value = module.vpc.vpc_name } output "vpc_id" { - description = "ID of VPC created" + description = "ID of VPC created." value = module.vpc.vpc_id } output "vpc_crn" { - description = "CRN of VPC created" + description = "CRN of VPC created." value = module.vpc.vpc_crn } @@ -22,7 +22,7 @@ output "vpc_crn" { ############################################################################## output "public_gateways" { - description = "Map of public gateways by zone" + description = "Map of public gateways by zone." value = module.vpc.public_gateways } @@ -31,7 +31,7 @@ output "public_gateways" { ############################################################################## output "vpc_flow_logs" { - description = "Details of VPC flow logs collector" + description = "Details of VPC flow logs collector." value = module.vpc.vpc_flow_logs } @@ -40,7 +40,7 @@ output "vpc_flow_logs" { ############################################################################## output "network_acls" { - description = "List of shortnames and IDs of network ACLs" + description = "List of shortnames and IDs of network ACLs." value = module.vpc.network_acls } 
@@ -49,12 +49,12 @@ output "network_acls" { ############################################################################## output "subnet_ids" { - description = "The IDs of the subnets" + description = "The IDs of the subnets." value = module.vpc.subnet_ids } output "private_path_subnet_id" { - description = "The IDs of the subnets" + description = "The IDs of the subnets." value = length(module.vpc.subnet_ids) > 0 ? module.vpc.subnet_ids[0] : null } @@ -64,12 +64,12 @@ output "subnet_detail_list" { } output "subnet_zone_list" { - description = "A list containing subnet IDs and subnet zones" + description = "A list containing subnet IDs and subnet zones." value = module.vpc.subnet_zone_list } output "subnet_detail_map" { - description = "A map of subnets containing IDs, CIDR blocks, and zones" + description = "A map of subnets containing IDs, CIDR blocks, and zones." value = module.vpc.subnet_detail_map } @@ -83,7 +83,7 @@ output "vpn_gateways_name" { } output "vpn_gateways_data" { - description = "Details of VPN gateways data" + description = "Details of VPN gateways data." value = module.vpc.vpn_gateways_data } @@ -97,7 +97,7 @@ output "vpe_ips" { } output "vpe_crn" { - description = "The CRN of the endpoint gateway" + description = "The CRN of the endpoint gateway." value = module.vpe_gateway.crn } diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 00b43f47..672a4f95 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -377,7 +377,7 @@ variable "security_group_rules" { } variable "clean_default_security_group_acl" { - description = "Remove all rules from the default VPC security group and VPC ACL (less permissive)" + description = "Remove all rules from the default VPC security group and VPC ACL (less permissive)." type = bool nullable = false default = true From ef350c5bd820160b32b395b0c786e4966a8196f1 Mon Sep 17 00:00:00 2001 
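Review bot: The `private_path_subnet_id` output keeps a description copied from `subnet_ids` ("The IDs of the subnets.") even though its value is `module.vpc.subnet_ids[0]` or `null`; the commit only appends a full stop to the wrong text. Since this series is about the catalog user experience, the description should say what the output actually is: `description = "ID of the first subnet created (subnet_ids[0]), or null when no subnets exist."`. The output name suggests it is intended for Private Path use; if that is the case, stating it in the description would save readers guessing from the name.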
From: Khuzaima-Shakeel Date: Fri, 27 Jun 2025 11:18:39 +0530 Subject: [PATCH 4/4] resolve review comments --- ibm_catalog.json | 24 +++++++++++------------ solutions/fully-configurable/outputs.tf | 12 ++++++------ solutions/fully-configurable/variables.tf | 2 +- 3 files changed, 19 insertions(+), 19 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index ec0a3d65..d2ec6072 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json 
@@ -19,7 +19,7 @@ "infrastructure as code", "solution" ], - "short_description": "Automates VPC deployment on IBM Cloud, offering full configurability and flexibility for diverse workloads.", + "short_description": "Deploy a Virtual Private Cloud (VPC) on IBM Cloud, offering full configurability and flexibility for diverse workloads.", "long_description": "The Cloud automation for VPC sets up a foundational IBM Cloud [Virtual Private Cloud (VPC)](https://www.ibm.com/cloud/vpc) environment. It lays the groundwork for adding Virtual Servers Instances (VSI) or Red Hat OpenShift clusters and other advanced resources. This can be used as a base deployable architecture for many others deployable architectures like [Cloud automation for Red Hat OpenShift Container Platform on VPC](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-ocp-vpc-1728a4fd-f561-4cf9-82ef-2b1eeb5da1a8-global), [Cloud automation for Red Hat OpenShift AI](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-ocp-ai-ba708aed-bb8a-4ac0-83a7-53a066701db5-global), [Cloud automation for Virtual Servers for Virtual Private Cloud](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-vsi-vpc-28e2b12c-858f-4ae8-8717-60db8cec2e6e-global).\n\nℹ️ This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. 
These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/README.md", "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/main/images/vpc_icon.svg", 
@@ -74,11 +74,12 @@ "description": "This solution can be integrated with [Cloud automation for Observability](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-observability-a3137d28-79e0-479d-8a24-758ebd5a0eab-global) that supports configuring resources for logging, monitoring and activity tracker event routing." } ], - "support_details": "This product is in the community registry. As such support is handled through the originated repo. If you experience issues, please open an issue in the repository [here](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/issues). Please note this product is not supported via the IBM Cloud Support Center.", + "support_details": "This product is in the community registry, support is handled through the [original repo](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc). If you experience issues, please open an issue in the repository [here](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/issues). Please note this product is not supported via the IBM Cloud Support Center.", "flavors": [ { "label": "Fully configurable", "name": "fully-configurable", + "index": 1, "install_type": "fullstack", "working_directory": "solutions/fully-configurable", "compliance": { @@ -109,11 +110,6 @@ ] }, "iam_permissions": [ - { - "role_crns": ["crn:v1:bluemix:public:iam::::role:Administrator"], - "service_name": "iam-identity", - "notes": "[Optional] Required if Cloud automation for account configuration is enabled." - }, { "role_crns": ["crn:v1:bluemix:public:iam::::role:Viewer"], "service_name": "Resource group only", 
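Review bot: Dropping the `iam-identity` Administrator entry from `iam_permissions` narrows the declared permission set, which is the right direction for least privilege, but the removed note tied that permission to the optional "Cloud automation for account configuration" dependency, and nothing in this diff shows that dependency being removed from the `dependencies` list (the visible context only shows the Observability dependency). If the account-configuration dependency is still offered, a user who enables it will now hit IAM failures at deploy time that the catalog page no longer warns about. Please confirm the dependency was removed (or never existed in this flavor), and mention that in the commit message so the permission change is traceable.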
@@ -151,7 +147,7 @@ "crn:v1:bluemix:public:iam::::role:Editor" ], "service_name": "sysdig-monitor", - "notes": "[Optional] Required if you are consuming Observability deployable architecture which sets up Cloud monitoring." + "notes": "[Optional] Required for consuming Observability deployable architecture which sets up Cloud monitoring." }, { "role_crns": [ @@ -159,7 +155,7 @@ "crn:v1:bluemix:public:iam::::role:Editor" ], "service_name": "logs", - "notes": "[Optional] Required if you are consuming Observability deployable architecture which sets up Cloud logs." + "notes": "[Optional] Required for consuming Observability deployable architecture which sets up Cloud logs." } ], "configuration": [ @@ -283,10 +279,12 @@ } }, { - "key": "vpe_gateway_cloud_services" + "key": "vpe_gateway_cloud_services", + "type": "array" }, { - "key": "vpe_gateway_cloud_service_by_crn" + "key": "vpe_gateway_cloud_service_by_crn", + "type": "array" }, { "key": "vpe_gateway_security_group_ids", @@ -326,6 +324,7 @@ { "key": "resource_tags", "custom_config": { + "type": "array", "grouping": "deployment", "original_grouping": "deployment", "config_constraints": { @@ -335,7 +334,8 @@ }, { "key": "access_tags", - "custom_config": { + "custom_config": { + "type": "array", "grouping": "deployment", "original_grouping": "deployment", "config_constraints": { diff --git a/solutions/fully-configurable/outputs.tf b/solutions/fully-configurable/outputs.tf index 733e4113..c0b1f6ac 100644 --- a/solutions/fully-configurable/outputs.tf +++ b/solutions/fully-configurable/outputs.tf 
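Review bot: `"type": "array"` is added inside `custom_config` for `resource_tags`, and likewise for `access_tags` in the hunk below, whereas the `vpe_gateway_cloud_services` and `vpe_gateway_cloud_service_by_crn` entries in the `-283` hunk of the same file place `"type": "array"` at the entry level beside `"key"`. Unless `custom_config.type` is deliberately a different (widget) type in the catalog manifest schema, the two tag variables will not get the same array handling as the VPE entries, and the same key now means two different things in one document. I would move it up to match the VPE entries: `"key": "resource_tags",` / `"type": "array",` / `"custom_config": {`, and do the same for `access_tags`; please confirm against the manifest schema which level is intended.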
@@ -3,17 +3,17 @@ ############################################################################## output "vpc_name" { - description = "Name of VPC created." + description = "Name of the VPC created." value = module.vpc.vpc_name } output "vpc_id" { - description = "ID of VPC created." + description = "ID of the VPC created." value = module.vpc.vpc_id } output "vpc_crn" { - description = "CRN of VPC created." + description = "CRN of the VPC created." value = module.vpc.vpc_crn } @@ -22,7 +22,7 @@ output "vpc_crn" { ############################################################################## output "public_gateways" { - description = "Map of public gateways by zone." + description = "Map of the public gateways by zone." value = module.vpc.public_gateways } @@ -31,7 +31,7 @@ output "public_gateways" { ############################################################################## output "vpc_flow_logs" { - description = "Details of VPC flow logs collector." + description = "Details of the VPC flow logs collector." value = module.vpc.vpc_flow_logs } @@ -64,7 +64,7 @@ output "subnet_detail_list" { } output "subnet_zone_list" { - description = "A list containing subnet IDs and subnet zones." + description = "A list of subnet IDs and subnet zones." value = module.vpc.subnet_zone_list } diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 672a4f95..b2bc9ce9 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf 
@@ -28,7 +28,7 @@ variable "existing_resource_group_name" { variable "prefix" { type = string nullable = true - description = "The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: prod-0205-vpc. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md)." + description = "The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--'). Example: prod-0205-vpc. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md)." validation { # - null and empty string is allowed