From 10ed599b8d51b880e34adf755e5589c95043acc1 Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Thu, 26 Jun 2025 14:05:54 +0100 Subject: [PATCH 01/21] conditional dns resolution binding --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index d908f2a0..ffe419dd 100644 --- a/main.tf +++ b/main.tf @@ -126,7 +126,7 @@ resource "ibm_iam_authorization_policy" "vpc_dns_resolution_auth_policy" { # Enable Hub to dns resolve in spoke VPC resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_id" { - count = (var.enable_hub == false && var.enable_hub_vpc_id) ? 1 : 0 + count = (var.enable_hub == false && var.enable_hub_vpc_id && var.update_delegated_resolver) ? 1 : 0 # Depends on required as the authorization policy cannot be directly referenced depends_on = [ibm_iam_authorization_policy.vpc_dns_resolution_auth_policy] @@ -142,7 +142,7 @@ resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_id" { } resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_crn" { - count = (var.enable_hub == false && var.enable_hub_vpc_crn) ? 1 : 0 + count = (var.enable_hub == false && var.enable_hub_vpc_crn && var.update_delegated_resolver) ? 1 : 0 # Depends on required as the authorization policy cannot be directly referenced depends_on = [ibm_iam_authorization_policy.vpc_dns_resolution_auth_policy] From d54cc06bd3007b3983207f901a3fc8a51aa458cd Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Thu, 26 Jun 2025 14:26:53 +0100 Subject: [PATCH 02/21] conditional dns resolution binding --- README.md | 3 --- main.tf | 62 ++++++++++++++++++++++++++-------------------------- variables.tf | 10 ++++----- 3 files changed, 36 insertions(+), 39 deletions(-) diff --git a/README.md b/README.md index cbef2a5d..a176ffbc 100644 --- a/README.md +++ b/README.md 
@@ -165,8 +165,6 @@ To attach access management tags to resources in this module, you need the follo | [ibm_is_vpc.vpc](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc) | resource | | [ibm_is_vpc_address_prefix.address_prefixes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_address_prefix) | resource | | [ibm_is_vpc_address_prefix.subnet_prefix](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_address_prefix) | resource | -| [ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_crn](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_dns_resolution_binding) | resource | -| [ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_id](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_dns_resolution_binding) | resource | | [ibm_is_vpc_routing_table.route_table](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table) | resource | | [ibm_is_vpc_routing_table_route.routing_table_routes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table_route) | resource | | [ibm_is_vpn_gateway.vpn_gateway](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpn_gateway) | resource | 
@@ -191,7 +189,6 @@ To attach access management tags to resources in this module, you need the follo | [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | OPTIONAL - Name of the Default ACL. If null, a name will be automatically generated | `string` | `null` | no | | [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | OPTIONAL - Name of the Default Routing Table. If null, a name will be automatically generated | `string` | `null` | no | | [default\_security\_group\_name](#input\_default\_security\_group\_name) | OPTIONAL - Name of the Default Security Group. If null, a name will be automatically generated | `string` | `null` | no | -| [dns\_binding\_name](#input\_dns\_binding\_name) | The name to give the provisioned VPC DNS resolution binding. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | | [dns\_custom\_resolver\_name](#input\_dns\_custom\_resolver\_name) | The name to give the provisioned DNS custom resolver instance. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | | [dns\_instance\_name](#input\_dns\_instance\_name) | The name to give the provisioned DNS instance. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | | [dns\_location](#input\_dns\_location) | The target location or environment for the DNS instance created to host the custom resolver in a hub-spoke DNS resolution topology. Only used if enable\_hub is true and skip\_custom\_resolver\_hub\_creation is false (defaults). | `string` | `"global"` | no | diff --git a/main.tf b/main.tf index ffe419dd..1836db73 100644 --- a/main.tf +++ b/main.tf 
@@ -125,37 +125,37 @@ resource "ibm_iam_authorization_policy" "vpc_dns_resolution_auth_policy" { } # Enable Hub to dns resolve in spoke VPC -resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_id" { - count = (var.enable_hub == false && var.enable_hub_vpc_id && var.update_delegated_resolver) ? 1 : 0 - # Depends on required as the authorization policy cannot be directly referenced - depends_on = [ibm_iam_authorization_policy.vpc_dns_resolution_auth_policy] - - # Use var.dns_binding_name if not null, otherwise, use var.prefix and var.name combination. - name = coalesce( - var.dns_binding_name, - "${var.prefix != null ? "${var.prefix}-${var.name}" : var.name}-dns-binding" - ) - vpc_id = local.vpc_id # Source VPC - vpc { - id = var.hub_vpc_id # Target VPC ID - } -} - -resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_crn" { - count = (var.enable_hub == false && var.enable_hub_vpc_crn && var.update_delegated_resolver) ? 1 : 0 - # Depends on required as the authorization policy cannot be directly referenced - depends_on = [ibm_iam_authorization_policy.vpc_dns_resolution_auth_policy] - - # Use var.dns_binding_name if not null, otherwise, use var.prefix and var.name combination. - name = coalesce( - var.dns_binding_name, - "${var.prefix != null ? "${var.prefix}-${var.name}" : var.name}-dns-binding" - ) - vpc_id = local.vpc_id # Source VPC - vpc { - crn = var.hub_vpc_crn # Target VPC CRN - } -} +#resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_id" { +# count = (var.enable_hub == false && var.enable_hub_vpc_id && var.update_delegated_resolver) ? 1 : 0 +# # Depends on required as the authorization policy cannot be directly referenced +# depends_on = [ibm_iam_authorization_policy.vpc_dns_resolution_auth_policy] +# +# # Use var.dns_binding_name if not null, otherwise, use var.prefix and var.name combination. +# name = coalesce( +# var.dns_binding_name, +# "${var.prefix != null ? 
"${var.prefix}-${var.name}" : var.name}-dns-binding" +# ) +# vpc_id = local.vpc_id # Source VPC +# vpc { +# id = var.hub_vpc_id # Target VPC ID +# } +#} + +#resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_crn" { +# count = (var.enable_hub == false && var.enable_hub_vpc_crn && var.update_delegated_resolver) ? 1 : 0 +# # Depends on required as the authorization policy cannot be directly referenced +# depends_on = [ibm_iam_authorization_policy.vpc_dns_resolution_auth_policy] +# +# # Use var.dns_binding_name if not null, otherwise, use var.prefix and var.name combination. +# name = coalesce( +# var.dns_binding_name, +# "${var.prefix != null ? "${var.prefix}-${var.name}" : var.name}-dns-binding" +# ) +# vpc_id = local.vpc_id # Source VPC +# vpc { +# crn = var.hub_vpc_crn # Target VPC CRN +# } +#} # Configure custom resolver on the hub vpc resource "ibm_resource_instance" "dns_instance_hub" { diff --git a/variables.tf b/variables.tf index ce79b4a4..a0a844f4 100644 --- a/variables.tf +++ b/variables.tf @@ -68,11 +68,11 @@ variable "name" { type = string } -variable "dns_binding_name" { - description = "The name to give the provisioned VPC DNS resolution binding. If not set, the module generates a name based on the `prefix` and `name` variables." - type = string - default = null -} +#variable "dns_binding_name" { +# description = "The name to give the provisioned VPC DNS resolution binding. If not set, the module generates a name based on the `prefix` and `name` variables." +# type = string +# default = null +#} variable "dns_instance_name" { description = "The name to give the provisioned DNS instance. If not set, the module generates a name based on the `prefix` and `name` variables." From f466278b477e1258beec5266842fd178daca18b4 Mon Sep 17 00:00:00 2001 
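Review bot: The two `ibm_is_vpc_dns_resolution_binding` resources are commented out line by line instead of being deleted, which leaves about thirty lines of dead HCL in main.tf that `terraform fmt` and the linters skip and that nobody maintains; git history already preserves the blocks, so remove them outright. The same applies to the `dns_binding_name` variable in this patch's variables.tf hunk, to the two outputs in patch 03's outputs.tf hunk, and to the example outputs in patch 04. If the intent is to keep a pointer to what replaces them, a single comment at the site, e.g. `# Spoke-side DNS resolution binding is now driven by the dns.resolver block on ibm_is_vpc`, says more than the commented-out bodies.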
From: Rajat Agrawal Date: Thu, 26 Jun 2025 14:29:58 +0100 Subject: [PATCH 03/21] conditional dns resolution binding --- README.md | 2 -- outputs.tf | 18 +++++++++--------- 2 files changed, 9 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index a176ffbc..66991f47 100644 --- a/README.md +++ b/README.md @@ -239,8 +239,6 @@ To attach access management tags to resources in this module, you need the follo | [cidr\_blocks](#output\_cidr\_blocks) | List of CIDR blocks present in VPC stack | | [custom\_resolver\_hub](#output\_custom\_resolver\_hub) | The custom resolver created for the hub vpc. Only set if enable\_hub is set and skip\_custom\_resolver\_hub\_creation is false. | | [dns\_custom\_resolver\_id](#output\_dns\_custom\_resolver\_id) | The ID of the DNS Custom Resolver. | -| [dns\_endpoint\_gateways\_by\_crn](#output\_dns\_endpoint\_gateways\_by\_crn) | The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id are true. | -| [dns\_endpoint\_gateways\_by\_id](#output\_dns\_endpoint\_gateways\_by\_id) | The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id are true. | | [dns\_instance\_id](#output\_dns\_instance\_id) | The ID of the DNS instance. | | [dns\_record\_ids](#output\_dns\_record\_ids) | List of all the domain resource records. | | [dns\_zone](#output\_dns\_zone) | A map representing DNS zone information. | diff --git a/outputs.tf b/outputs.tf index e679654b..3c21766d 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -157,15 +157,15 @@ output "custom_resolver_hub" { value = length(ibm_dns_custom_resolver.custom_resolver_hub) == 1 ? ibm_dns_custom_resolver.custom_resolver_hub[0] : null } -output "dns_endpoint_gateways_by_id" { - description = "The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable_hub is false and enable_hub_vpc_id are true." - value = length(ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_id) == 1 ? ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_id[0] : null -} - -output "dns_endpoint_gateways_by_crn" { - description = "The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable_hub is false and enable_hub_vpc_id are true." - value = length(ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_crn) == 1 ? ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_crn[0] : null -} +#output "dns_endpoint_gateways_by_id" { +# description = "The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable_hub is false and enable_hub_vpc_id are true." +# value = length(ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_id) == 1 ? ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_id[0] : null +#} +# +#output "dns_endpoint_gateways_by_crn" { +# description = "The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable_hub is false and enable_hub_vpc_id are true." +# value = length(ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_crn) == 1 ? ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_crn[0] : null +#} output "dns_instance_id" { description = "The ID of the DNS instance." From 55dd67106eceaa8e0785d0cc19753584ebe20b35 Mon Sep 17 00:00:00 2001 
From: Rajat Agrawal Date: Thu, 26 Jun 2025 21:33:38 +0100 Subject: [PATCH 04/21] conditional dns resolution binding --- .../hub-spoke-delegated-resolver/outputs.tf | 18 +++++++++--------- tests/other_test.go | 8 +++++++- 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/examples/hub-spoke-delegated-resolver/outputs.tf b/examples/hub-spoke-delegated-resolver/outputs.tf index f28a0abd..96fafa44 100644 --- a/examples/hub-spoke-delegated-resolver/outputs.tf +++ b/examples/hub-spoke-delegated-resolver/outputs.tf @@ -42,15 +42,15 @@ output "custom_resolver_hub_vpc" { description = "The custom resolver created for the hub vpc." } -output "dns_endpoint_gateways_by_spoke_vpc_crn" { - value = module.spoke_vpc.dns_endpoint_gateways_by_crn - description = "The list of VPEs that are made available for DNS resolution in the created VPC." -} - -output "dns_endpoint_gateways_by_spoke_vpc_id" { - value = module.spoke_vpc.dns_endpoint_gateways_by_id - description = "The list of VPEs that are made available for DNS resolution in the created VPC." -} +#output "dns_endpoint_gateways_by_spoke_vpc_crn" { +# value = module.spoke_vpc.dns_endpoint_gateways_by_crn +# description = "The list of VPEs that are made available for DNS resolution in the created VPC." +#} +# +#output "dns_endpoint_gateways_by_spoke_vpc_id" { +# value = module.spoke_vpc.dns_endpoint_gateways_by_id +# description = "The list of VPEs that are made available for DNS resolution in the created VPC." +#} output "dns_instance_id" { description = "The ID of the DNS instance." diff --git a/tests/other_test.go b/tests/other_test.go index 8027efdb..23953e0b 100644 --- a/tests/other_test.go +++ b/tests/other_test.go @@ -2,6 +2,7 @@ package test import ( + "github.com/gruntwork-io/terratest/modules/terraform" "testing" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper" 
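Review bot: The new `"github.com/gruntwork-io/terratest/modules/terraform"` import is inserted into the standard-library group ahead of `"testing"`; gofmt leaves that order alone, but goimports convention and the file's existing layout keep third-party modules in the second group next to the testhelper import, so move the line down there.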
@@ -33,8 +34,13 @@ func TestRunHubAndSpokeDelegatedExample(t *testing.T) { Prefix: "has-slz", ResourceGroup: resourceGroup, Region: "us-south", + PostApplyHook: func(options *testhelper.TestOptions) error { + terraformOptions := options.TerraformOptions + terraformOptions.Vars["update_delegated_resolver"] = true + _, err := terraform.ApplyE(options.Testing, terraformOptions) + return err + }, }) - output, err := options.RunTestConsistency() assert.Nil(t, err, "This should not have errored") assert.NotNil(t, output, "Expected some output") From 4d08eb826fe495e7d44a70e07cc1832b96437183 Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Fri, 27 Jun 2025 10:55:41 +0100 Subject: [PATCH 05/21] conditional dns resolution binding --- .../hub-spoke-delegated-resolver/outputs.tf | 10 ------ main.tf | 33 ------------------- outputs.tf | 10 ------ variables.tf | 6 ---- 4 files changed, 59 deletions(-) diff --git a/examples/hub-spoke-delegated-resolver/outputs.tf b/examples/hub-spoke-delegated-resolver/outputs.tf index 96fafa44..ee2ca802 100644 --- a/examples/hub-spoke-delegated-resolver/outputs.tf +++ b/examples/hub-spoke-delegated-resolver/outputs.tf @@ -42,16 +42,6 @@ output "custom_resolver_hub_vpc" { description = "The custom resolver created for the hub vpc." } -#output "dns_endpoint_gateways_by_spoke_vpc_crn" { -# value = module.spoke_vpc.dns_endpoint_gateways_by_crn -# description = "The list of VPEs that are made available for DNS resolution in the created VPC." -#} -# -#output "dns_endpoint_gateways_by_spoke_vpc_id" { -# value = module.spoke_vpc.dns_endpoint_gateways_by_id -# description = "The list of VPEs that are made available for DNS resolution in the created VPC." -#} - output "dns_instance_id" { description = "The ID of the DNS instance." value = module.hub_vpc.dns_instance_id diff --git a/main.tf b/main.tf index 1836db73..8e8a7947 100644 --- a/main.tf +++ b/main.tf 
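Review bot: The PostApplyHook sets `terraformOptions.Vars["update_delegated_resolver"] = true` on the shared options map in place, so the value stays set for whatever RunTestConsistency does after the hook, presumably its consistency plan and the destroy; that looks intended for this two-step example, but it is not obvious from the code, so add a one-line comment in the hook such as `// Second apply enables delegation; the var stays set for the consistency plan and destroy that follow.` The hook also discards ApplyE's output and returns only err, which is fine for a pass/fail gate. The removed blank line before `output, err := options.RunTestConsistency()` is cosmetic; TestRunHubAndSpokeDelegatedExample continues outside the hunk.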
@@ -124,39 +124,6 @@ resource "ibm_iam_authorization_policy" "vpc_dns_resolution_auth_policy" { } } -# Enable Hub to dns resolve in spoke VPC -#resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_id" { -# count = (var.enable_hub == false && var.enable_hub_vpc_id && var.update_delegated_resolver) ? 1 : 0 -# # Depends on required as the authorization policy cannot be directly referenced -# depends_on = [ibm_iam_authorization_policy.vpc_dns_resolution_auth_policy] -# -# # Use var.dns_binding_name if not null, otherwise, use var.prefix and var.name combination. -# name = coalesce( -# var.dns_binding_name, -# "${var.prefix != null ? "${var.prefix}-${var.name}" : var.name}-dns-binding" -# ) -# vpc_id = local.vpc_id # Source VPC -# vpc { -# id = var.hub_vpc_id # Target VPC ID -# } -#} - -#resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_crn" { -# count = (var.enable_hub == false && var.enable_hub_vpc_crn && var.update_delegated_resolver) ? 1 : 0 -# # Depends on required as the authorization policy cannot be directly referenced -# depends_on = [ibm_iam_authorization_policy.vpc_dns_resolution_auth_policy] -# -# # Use var.dns_binding_name if not null, otherwise, use var.prefix and var.name combination. -# name = coalesce( -# var.dns_binding_name, -# "${var.prefix != null ? "${var.prefix}-${var.name}" : var.name}-dns-binding" -# ) -# vpc_id = local.vpc_id # Source VPC -# vpc { -# crn = var.hub_vpc_crn # Target VPC CRN -# } -#} - # Configure custom resolver on the hub vpc resource "ibm_resource_instance" "dns_instance_hub" { count = var.enable_hub && !var.skip_custom_resolver_hub_creation && !var.use_existing_dns_instance ? 1 : 0 diff --git a/outputs.tf b/outputs.tf index 3c21766d..a7335dca 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -157,16 +157,6 @@ output "custom_resolver_hub" { value = length(ibm_dns_custom_resolver.custom_resolver_hub) == 1 ? ibm_dns_custom_resolver.custom_resolver_hub[0] : null } -#output "dns_endpoint_gateways_by_id" { -# description = "The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable_hub is false and enable_hub_vpc_id are true." -# value = length(ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_id) == 1 ? ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_id[0] : null -#} -# -#output "dns_endpoint_gateways_by_crn" { -# description = "The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable_hub is false and enable_hub_vpc_id are true." -# value = length(ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_crn) == 1 ? ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_crn[0] : null -#} - output "dns_instance_id" { description = "The ID of the DNS instance." value = (var.enable_hub && !var.skip_custom_resolver_hub_creation) ? (var.use_existing_dns_instance ? var.existing_dns_instance_id : ibm_resource_instance.dns_instance_hub[0].guid) : null diff --git a/variables.tf b/variables.tf index a0a844f4..3342a3c2 100644 --- a/variables.tf +++ b/variables.tf @@ -68,12 +68,6 @@ variable "name" { type = string } -#variable "dns_binding_name" { -# description = "The name to give the provisioned VPC DNS resolution binding. If not set, the module generates a name based on the `prefix` and `name` variables." -# type = string -# default = null -#} - variable "dns_instance_name" { description = "The name to give the provisioned DNS instance. If not set, the module generates a name based on the `prefix` and `name` variables." type = string From e3c05ed4e21ca4bffd683eccbd3ee919d05b6ecc Mon Sep 17 00:00:00 2001 
From: Rajat Agrawal Date: Fri, 27 Jun 2025 11:04:36 +0100 Subject: [PATCH 06/21] conditional dns resolution binding --- examples/hub-spoke-manual-resolver/outputs.tf | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/examples/hub-spoke-manual-resolver/outputs.tf b/examples/hub-spoke-manual-resolver/outputs.tf index f28a0abd..ee2ca802 100644 --- a/examples/hub-spoke-manual-resolver/outputs.tf +++ b/examples/hub-spoke-manual-resolver/outputs.tf @@ -42,16 +42,6 @@ output "custom_resolver_hub_vpc" { description = "The custom resolver created for the hub vpc." } -output "dns_endpoint_gateways_by_spoke_vpc_crn" { - value = module.spoke_vpc.dns_endpoint_gateways_by_crn - description = "The list of VPEs that are made available for DNS resolution in the created VPC." -} - -output "dns_endpoint_gateways_by_spoke_vpc_id" { - value = module.spoke_vpc.dns_endpoint_gateways_by_id - description = "The list of VPEs that are made available for DNS resolution in the created VPC." -} - output "dns_instance_id" { description = "The ID of the DNS instance." value = module.hub_vpc.dns_instance_id From ace186bb77b273a04867686a50c70af7fa73aaeb Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Mon, 14 Jul 2025 13:58:24 +0100 Subject: [PATCH 07/21] conditional dns resolution binding --- README.md | 1 + common-dev-assets | 2 +- main.tf | 4 ++++ variables.tf | 6 ++++++ 4 files changed, 12 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 66991f47..a9cd0fb7 100644 --- a/README.md +++ b/README.md 
@@ -189,6 +189,7 @@ To attach access management tags to resources in this module, you need the follo | [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | OPTIONAL - Name of the Default ACL. If null, a name will be automatically generated | `string` | `null` | no | | [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | OPTIONAL - Name of the Default Routing Table. If null, a name will be automatically generated | `string` | `null` | no | | [default\_security\_group\_name](#input\_default\_security\_group\_name) | OPTIONAL - Name of the Default Security Group. If null, a name will be automatically generated | `string` | `null` | no | +| [dns\_binding\_name](#input\_dns\_binding\_name) | The name to give the provisioned VPC DNS resolution binding. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | | [dns\_custom\_resolver\_name](#input\_dns\_custom\_resolver\_name) | The name to give the provisioned DNS custom resolver instance. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | | [dns\_instance\_name](#input\_dns\_instance\_name) | The name to give the provisioned DNS instance. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | | [dns\_location](#input\_dns\_location) | The target location or environment for the DNS instance created to host the custom resolver in a hub-spoke DNS resolution topology. Only used if enable\_hub is true and skip\_custom\_resolver\_hub\_creation is false (defaults). | `string` | `"global"` | no | diff --git a/common-dev-assets b/common-dev-assets index 0016b862..6739b3a0 160000 --- a/common-dev-assets +++ b/common-dev-assets @@ -1 +1 @@ -Subproject commit 0016b862c0020937bfa5233435594d8b106a3b72 +Subproject commit 6739b3a089aa08a072dd83c8b594311e42fc96d4 diff --git a/main.tf b/main.tf index 8e8a7947..66047663 100644 
--- a/main.tf +++ b/main.tf @@ -50,6 +50,10 @@ resource "ibm_is_vpc" "vpc" { type = "delegated" vpc_id = var.hub_vpc_id != null ? var.hub_vpc_id : null vpc_crn = var.hub_vpc_crn != null ? var.hub_vpc_crn : null + dns_binding_name = coalesce( + var.dns_binding_name, + "${var.prefix != null ? "${var.prefix}-${var.name}" : var.name}-dns-binding" + ) } } diff --git a/variables.tf b/variables.tf index 3342a3c2..ce79b4a4 100644 --- a/variables.tf +++ b/variables.tf @@ -68,6 +68,12 @@ variable "name" { type = string } +variable "dns_binding_name" { + description = "The name to give the provisioned VPC DNS resolution binding. If not set, the module generates a name based on the `prefix` and `name` variables." + type = string + default = null +} + variable "dns_instance_name" { description = "The name to give the provisioned DNS instance. If not set, the module generates a name based on the `prefix` and `name` variables." type = string From f9ade8a79b55c72ca56e91cca22fef961011721e Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Mon, 14 Jul 2025 14:50:58 +0100 Subject: [PATCH 08/21] conditional dns resolution binding --- examples/hub-spoke-delegated-resolver/README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/examples/hub-spoke-delegated-resolver/README.md b/examples/hub-spoke-delegated-resolver/README.md index c364b9bd..056435b8 100644 --- a/examples/hub-spoke-delegated-resolver/README.md +++ b/examples/hub-spoke-delegated-resolver/README.md 
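Review bot: The added `dns_binding_name` attribute rebuilds the `<prefix>-<name>-dns-binding` string inline inside the resolver block; the identical `coalesce(var.dns_binding_name, ...)` expression existed on the standalone binding resources this series removed, so computing it once as a `local.dns_binding_name` and referencing it here keeps the naming rule in one place should an output or a second resource need it. The `ibm_is_vpc` resource and its `dns`/`resolver` block start outside the hunk, so I cannot see what condition the block is under; if it is also rendered when neither `hub_vpc_id` nor `hub_vpc_crn` is given, a short comment above the attribute, e.g. `# Name for the spoke-to-hub binding; presumably only used when a hub VPC id/crn is set — confirm`, would save the next reader the question.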
@@ -12,6 +12,4 @@ This example demonstrates how to deploy hub and spoke VPCs, inclusive of enablin 1. The first terraform apply lay down all of the topology, but does not configure the DNS resolver to delegated in the spoke 2. The second terraform apply should have the update_delegated_resolver variable to true to configure the DNS resolver to be delegated ```terraform apply -var=update_delegated_resolver=true``` -In order to perform a successful destroy, please set to the resolver to "system" in the spoke VPC through the UI before issuing the terraform destroy - see https://cloud.ibm.com/docs/solution-tutorials?topic=solution-tutorials-vpc-transit2 - You may also be interested in the [Hub and Spoke VPC with manual DNS resolver Example](../hub-spoke-manual-resolver/) which does not exhibit those issues. From e8a8c1f9fd2f1819571b3a3635863af2b7472eeb Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Tue, 22 Jul 2025 11:18:37 +0100 Subject: [PATCH 09/21] conditional dns resolution binding --- README.md | 3 +++ examples/hub-spoke-delegated-resolver/outputs.tf | 10 ++++++++++ examples/hub-spoke-manual-resolver/outputs.tf | 10 ++++++++++ main.tf | 6 ++++++ outputs.tf | 10 ++++++++++ 5 files changed, 39 insertions(+) diff --git a/README.md b/README.md index a9cd0fb7..2a7e429e 100644 --- a/README.md +++ b/README.md 
@@ -175,6 +175,7 @@ To attach access management tags to resources in this module, you need the follo | [ibm_is_subnet.subnet](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_subnet) | data source | | [ibm_is_vpc.vpc](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc) | data source | | [ibm_is_vpc_address_prefixes.get_address_prefixes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc_address_prefixes) | data source | +| [ibm_is_vpc_dns_resolution_bindings.dns_bindings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc_dns_resolution_bindings) | data source | ### Inputs @@ -240,6 +241,8 @@ To attach access management tags to resources in this module, you need the follo | [cidr\_blocks](#output\_cidr\_blocks) | List of CIDR blocks present in VPC stack | | [custom\_resolver\_hub](#output\_custom\_resolver\_hub) | The custom resolver created for the hub vpc. Only set if enable\_hub is set and skip\_custom\_resolver\_hub\_creation is false. | | [dns\_custom\_resolver\_id](#output\_dns\_custom\_resolver\_id) | The ID of the DNS Custom Resolver. | +| [dns\_endpoint\_gateways\_by\_crn](#output\_dns\_endpoint\_gateways\_by\_crn) | The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id are true. | +| [dns\_endpoint\_gateways\_by\_id](#output\_dns\_endpoint\_gateways\_by\_id) | The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id are true. | | [dns\_instance\_id](#output\_dns\_instance\_id) | The ID of the DNS instance. | | [dns\_record\_ids](#output\_dns\_record\_ids) | List of all the domain resource records. | | [dns\_zone](#output\_dns\_zone) | A map representing DNS zone information. | 
diff --git a/examples/hub-spoke-delegated-resolver/outputs.tf b/examples/hub-spoke-delegated-resolver/outputs.tf index ee2ca802..f28a0abd 100644 --- a/examples/hub-spoke-delegated-resolver/outputs.tf +++ b/examples/hub-spoke-delegated-resolver/outputs.tf @@ -42,6 +42,16 @@ output "custom_resolver_hub_vpc" { description = "The custom resolver created for the hub vpc." } +output "dns_endpoint_gateways_by_spoke_vpc_crn" { + value = module.spoke_vpc.dns_endpoint_gateways_by_crn + description = "The list of VPEs that are made available for DNS resolution in the created VPC." +} + +output "dns_endpoint_gateways_by_spoke_vpc_id" { + value = module.spoke_vpc.dns_endpoint_gateways_by_id + description = "The list of VPEs that are made available for DNS resolution in the created VPC." +} + output "dns_instance_id" { description = "The ID of the DNS instance." value = module.hub_vpc.dns_instance_id diff --git a/examples/hub-spoke-manual-resolver/outputs.tf b/examples/hub-spoke-manual-resolver/outputs.tf index ee2ca802..f28a0abd 100644 --- a/examples/hub-spoke-manual-resolver/outputs.tf +++ b/examples/hub-spoke-manual-resolver/outputs.tf @@ -42,6 +42,16 @@ output "custom_resolver_hub_vpc" { description = "The custom resolver created for the hub vpc." } +output "dns_endpoint_gateways_by_spoke_vpc_crn" { + value = module.spoke_vpc.dns_endpoint_gateways_by_crn + description = "The list of VPEs that are made available for DNS resolution in the created VPC." +} + +output "dns_endpoint_gateways_by_spoke_vpc_id" { + value = module.spoke_vpc.dns_endpoint_gateways_by_id + description = "The list of VPEs that are made available for DNS resolution in the created VPC." +} + output "dns_instance_id" { description = "The ID of the DNS instance." value = module.hub_vpc.dns_instance_id diff --git a/main.tf b/main.tf index 66047663..9faa71da 100644 --- a/main.tf +++ b/main.tf 
@@ -82,6 +82,12 @@ resource "ibm_is_vpc" "vpc" { } } + +data "ibm_is_vpc_dns_resolution_bindings" "dns_bindings" { + count = (var.create_vpc == true && var.enable_hub == false && var.enable_hub_vpc_id) ? 1 : 0 + vpc_id = local.vpc_id +} + ############################################################################### ############################################################################## diff --git a/outputs.tf b/outputs.tf index b3b73783..0cb561f8 100644 --- a/outputs.tf +++ b/outputs.tf @@ -157,6 +157,16 @@ output "custom_resolver_hub" { value = length(ibm_dns_custom_resolver.custom_resolver_hub) == 1 ? ibm_dns_custom_resolver.custom_resolver_hub[0] : null } +output "dns_endpoint_gateways_by_id" { + description = "The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable_hub is false and enable_hub_vpc_id are true." + value = length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings : null +} + +output "dns_endpoint_gateways_by_crn" { + description = "The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable_hub is false and enable_hub_vpc_id are true." + value = length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings : null +} + output "dns_instance_id" { description = "The ID of the DNS instance." value = (var.enable_hub && !var.skip_custom_resolver_hub_creation) ? (var.use_existing_dns_instance ? var.existing_dns_instance_id : ibm_resource_instance.dns_instance_hub[0].guid) : null From 11e385c69b82370807b0ddddf5500f4a9e886f2d Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Tue, 22 Jul 2025 14:16:23 +0100 Subject: [PATCH 10/21] conditional dns resolution binding --- README.md | 4 ++-- main.tf | 2 +- outputs.tf | 8 ++++---- 3 files changed, 7 insertions(+), 7 deletions(-) 
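Review bot: `dns_endpoint_gateways_by_id` and `dns_endpoint_gateways_by_crn` evaluate the identical expression (`...dns_bindings[0].dns_resolution_bindings`), so both outputs return the same list and the by_id/by_crn distinction in their names is not honoured; select the target VPC's id and crn fields respectively, or collapse them into one output. In the main.tf hunk just above, the data source's `count` requires `enable_hub_vpc_id`, so a spoke configured through `enable_hub_vpc_crn` gets no bindings output even though the module supports that path. Both descriptions likewise still say `Only set if enable_hub is false and enable_hub_vpc_id are true` and should follow whatever condition is finally chosen.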
diff --git a/README.md b/README.md index 2a7e429e..ea30ff9a 100644 --- a/README.md +++ b/README.md @@ -241,8 +241,8 @@ To attach access management tags to resources in this module, you need the follo | [cidr\_blocks](#output\_cidr\_blocks) | List of CIDR blocks present in VPC stack | | [custom\_resolver\_hub](#output\_custom\_resolver\_hub) | The custom resolver created for the hub vpc. Only set if enable\_hub is set and skip\_custom\_resolver\_hub\_creation is false. | | [dns\_custom\_resolver\_id](#output\_dns\_custom\_resolver\_id) | The ID of the DNS Custom Resolver. | -| [dns\_endpoint\_gateways\_by\_crn](#output\_dns\_endpoint\_gateways\_by\_crn) | The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id are true. | -| [dns\_endpoint\_gateways\_by\_id](#output\_dns\_endpoint\_gateways\_by\_id) | The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id are true. | +| [dns\_endpoint\_gateways\_by\_crn](#output\_dns\_endpoint\_gateways\_by\_crn) | The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id OR enable\_hub\_vpc\_crn are true. | +| [dns\_endpoint\_gateways\_by\_id](#output\_dns\_endpoint\_gateways\_by\_id) | The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id OR enable\_hub\_vpc\_crn are true. | | [dns\_instance\_id](#output\_dns\_instance\_id) | The ID of the DNS instance. | | [dns\_record\_ids](#output\_dns\_record\_ids) | List of all the domain resource records. | | [dns\_zone](#output\_dns\_zone) | A map representing DNS zone information. | diff --git a/main.tf b/main.tf index 9faa71da..2b0aaba4 100644 --- a/main.tf +++ b/main.tf 
@@ -84,7 +84,7 @@ resource "ibm_is_vpc" "vpc" { data "ibm_is_vpc_dns_resolution_bindings" "dns_bindings" { - count = (var.create_vpc == true && var.enable_hub == false && var.enable_hub_vpc_id) ? 1 : 0 + count = (!var.enable_hub && (var.enable_hub_vpc_id || var.enable_hub_vpc_crn)) ? 1 : 0 vpc_id = local.vpc_id } diff --git a/outputs.tf b/outputs.tf index 0cb561f8..863618af 100644 --- a/outputs.tf +++ b/outputs.tf @@ -158,13 +158,13 @@ output "custom_resolver_hub" { } output "dns_endpoint_gateways_by_id" { - description = "The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable_hub is false and enable_hub_vpc_id are true." - value = length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings : null + description = "The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable_hub is false and enable_hub_vpc_id OR enable_hub_vpc_crn are true." + value = length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings[0].vpc[0].id : null } output "dns_endpoint_gateways_by_crn" { - description = "The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable_hub is false and enable_hub_vpc_id are true." - value = length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings : null + description = "The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable_hub is false and enable_hub_vpc_id OR enable_hub_vpc_crn are true." + value = length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings[0].vpc[0].crn : null } output "dns_instance_id" { 
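Review bot: Both outputs now return `dns_resolution_bindings[0].vpc[0].id` (or `.crn`), a single VPC identifier taken from the first binding, while the description still says "The list of VPEs that are made available for DNS resolution" and the output names say `endpoint_gateways`; the documentation and the value disagree, and the description should say what is actually returned, e.g. `The ID of the hub VPC that the spoke's DNS resolution binding points to.` The `length(...) == 1` guard only covers the data source's `count`; `dns_resolution_bindings[0]` is still an invalid index when the data source returns no bindings, and the data source is created whenever `enable_hub_vpc_id` or `enable_hub_vpc_crn` is set while a binding presumably only exists once `update_delegated_resolver` has been applied (the `resolver` block's `for_each` in main.tf suggests this), so the empty case is reachable on the first apply. Dropping `var.create_vpc` from the data source's `count` is only safe if `local.vpc_id` resolves for an existing VPC as well, which is not visible here.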
From 63bc7a8c618d714426301950bc36a8082eed37bd Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Thu, 31 Jul 2025 11:59:50 +0100 Subject: [PATCH 11/21] conditional dns resolution binding --- common-dev-assets | 2 +- main.tf | 1 - outputs.tf | 6 ++++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/common-dev-assets b/common-dev-assets index fb0c336b..875f11b6 160000 --- a/common-dev-assets +++ b/common-dev-assets @@ -1 +1 @@ -Subproject commit fb0c336ba3864be28a8367e78074d79cd70d406d +Subproject commit 875f11b64778671daff496f5986d19c28553fff2 diff --git a/main.tf b/main.tf index 2b0aaba4..0f580e95 100644 --- a/main.tf +++ b/main.tf @@ -82,7 +82,6 @@ resource "ibm_is_vpc" "vpc" { } } - data "ibm_is_vpc_dns_resolution_bindings" "dns_bindings" { count = (!var.enable_hub && (var.enable_hub_vpc_id || var.enable_hub_vpc_crn)) ? 1 : 0 vpc_id = local.vpc_id diff --git a/outputs.tf b/outputs.tf index 863618af..00c820ab 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -159,12 +159,14 @@ output "custom_resolver_hub" { output "dns_endpoint_gateways_by_id" { description = "The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable_hub is false and enable_hub_vpc_id OR enable_hub_vpc_crn are true." - value = length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings[0].vpc[0].id : null + # value = length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings[0].vpc[0].id : null + value = data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0] != null ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings[0].vpc[0].id : null } output "dns_endpoint_gateways_by_crn" { description = "The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable_hub is false and enable_hub_vpc_id OR enable_hub_vpc_crn are true." - value = length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings[0].vpc[0].crn : null + # value = length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings[0].vpc[0].crn : null + value = data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0] != null ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings[0].vpc[0].crn : null } output "dns_instance_id" { From ea603d3cc5ff6c48d1ad67736f6d38d9fa5daaaa Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Thu, 31 Jul 2025 12:31:43 +0100 Subject: [PATCH 12/21] conditional dns resolution binding --- outputs.tf | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/outputs.tf b/outputs.tf index 00c820ab..815e8af7 100644 --- a/outputs.tf +++ b/outputs.tf 
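Review bot: The new guard `data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0] != null` cannot protect the case it targets: with `count = 0` the index `[0]` is itself an invalid-index error at plan time, so evaluation never reaches the null comparison, and with `count = 1` the element is never null, so the condition is always true. The error being worked around is presumably an empty `dns_resolution_bindings` list one level deeper, which this expression still indexes unconditionally. The previous `value` lines are kept as `# value = ...` comments on both outputs; committed commented-out code should be removed, the history is in git.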
@@ -159,14 +159,12 @@ output "custom_resolver_hub" { output "dns_endpoint_gateways_by_id" { description = "The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable_hub is false and enable_hub_vpc_id OR enable_hub_vpc_crn are true." - # value = length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings[0].vpc[0].id : null - value = data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0] != null ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings[0].vpc[0].id : null + value = try(length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings[0].vpc[0].id : null, null) } output "dns_endpoint_gateways_by_crn" { description = "The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable_hub is false and enable_hub_vpc_id OR enable_hub_vpc_crn are true." - # value = length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings[0].vpc[0].crn : null - value = data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0] != null ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings[0].vpc[0].crn : null + value = try(length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings[0].vpc[0].crn : null, null) } output "dns_instance_id" { From 8f980a6a1209ed946e7abcf10347262b8f07a7fc Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Fri, 1 Aug 2025 11:00:52 +0100 Subject: [PATCH 13/21] conditional dns resolution binding --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index ea30ff9a..81e1bf3f 100644 --- a/README.md +++ b/README.md 
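Review bot: Wrapping the whole expression in `try(..., null)` hides every failure, including a typo in the attribute path or a provider read error, not only the empty-bindings case, so a caller cannot tell "no binding yet" from "module misconfigured" and a broken output looks like a legitimately absent binding. An explicit check keeps real errors visible: define `spoke_dns_bindings = length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings : []` in `locals` and use `value = length(local.spoke_dns_bindings) > 0 ? local.spoke_dns_bindings[0].vpc[0].id : null` (and `.crn` for the second output). This also removes the duplicated data-source path from both outputs. Note that a nested conditional rather than `&&` is deliberate here, since HCL has historically evaluated both operands of `&&`.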
@@ -18,6 +18,15 @@ This module creates the following IBM Cloud® Virtual Private Cloud (VPC) net ![vpc-module](https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/main/.docs/vpc-module.png) +:exclamation: [Major Version Upgrade to v8.0.0]: + +This major version upgrade affects the Hub-and-Spoke VPC topology. The `ibm_is_vpc_dns_resolution_binding` resources are no longer created explicitly. Instead, DNS resolution bindings for Spoke VPCs are now handled within the `ibm_is_vpc` resource when the DNS resolver type is set to `delegated`. + +To upgrade your resources, follow this two-step process: +1. Run `terraform apply`: This will remove the existing `ibm_is_vpc_dns_resolution_binding` resources. +2. Run `terraform apply -var=update_delegated_resolver=true`: This will create the DNS resolution bindings and set the DNS resolver type to `delegated` for the Spoke VPCs. + + ## Overview From e1592db57ea7b5a578bfb72e92976cf0f2de8452 Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Fri, 1 Aug 2025 11:01:18 +0100 Subject: [PATCH 14/21] conditional dns resolution binding --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 81e1bf3f..71560f39 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ This module creates the following IBM Cloud® Virtual Private Cloud (VPC) net ![vpc-module](https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/main/.docs/vpc-module.png) -:exclamation: [Major Version Upgrade to v8.0.0]: +:exclamation: **[Major Version Upgrade to v8.0.0]**: This major version upgrade affects the Hub-and-Spoke VPC topology. The `ibm_is_vpc_dns_resolution_binding` resources are no longer created explicitly. Instead, DNS resolution bindings for Spoke VPCs are now handled within the `ibm_is_vpc` resource when the DNS resolver type is set to `delegated`. From 7c359d13774f132bde2f38f5bca6536383954b9b Mon Sep 17 00:00:00 2001 
From: Rajat Agrawal Date: Fri, 1 Aug 2025 11:04:21 +0100 Subject: [PATCH 15/21] conditional dns resolution binding --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 71560f39..43c441d0 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ This module creates the following IBM Cloud® Virtual Private Cloud (VPC) net :exclamation: **[Major Version Upgrade to v8.0.0]**: -This major version upgrade affects the Hub-and-Spoke VPC topology. The `ibm_is_vpc_dns_resolution_binding` resources are no longer created explicitly. Instead, DNS resolution bindings for Spoke VPCs are now handled within the `ibm_is_vpc` resource when the DNS resolver type is set to `delegated`. +This major version upgrade affects the Hub and Spoke VPC topology. The `ibm_is_vpc_dns_resolution_binding` resources are no longer created explicitly. Instead, DNS resolution bindings for Spoke VPCs are now handled within the `ibm_is_vpc` resource when the DNS resolver type is set to `delegated`. To upgrade your resources, follow this two-step process: 1. Run `terraform apply`: This will remove the existing `ibm_is_vpc_dns_resolution_binding` resources. From 85d0c6692593da059ab1b0463a9f6f7e052de613 Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Wed, 6 Aug 2025 16:31:49 +0100 Subject: [PATCH 16/21] conditional dns resolution binding --- README.md | 4 ++- common-dev-assets | 2 +- examples/hub-spoke-delegated-resolver/main.tf | 1 + main.tf | 36 ++++++++++++++++++- tests/other_test.go | 22 ------------ tests/pr_test.go | 22 ++++++++++++ variables.tf | 9 ++--- 7 files changed, 67 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index 43c441d0..4c3edf90 100644 --- a/README.md +++ b/README.md 
@@ -174,6 +174,8 @@ To attach access management tags to resources in this module, you need the follo | [ibm_is_vpc.vpc](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc) | resource | | [ibm_is_vpc_address_prefix.address_prefixes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_address_prefix) | resource | | [ibm_is_vpc_address_prefix.subnet_prefix](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_address_prefix) | resource | +| [ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_crn](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_dns_resolution_binding) | resource | +| [ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_id](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_dns_resolution_binding) | resource | | [ibm_is_vpc_routing_table.route_table](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table) | resource | | [ibm_is_vpc_routing_table_route.routing_table_routes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table_route) | resource | | [ibm_is_vpn_gateway.vpn_gateway](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpn_gateway) | resource | 
@@ -228,7 +230,7 @@ To attach access management tags to resources in this module, you need the follo | [prefix](#input\_prefix) | The value that you would like to prefix to the name of the resources provisioned by this module. Explicitly set to null if you do not wish to use a prefix. This value is ignored if using one of the optional variables for explicit control over naming. | `string` | `null` | no | | [public\_gateway\_name](#input\_public\_gateway\_name) | The name to give the provisioned VPC public gateways. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | | [region](#input\_region) | The region to which to deploy the VPC | `string` | n/a | yes | -| [resolver\_type](#input\_resolver\_type) | Resolver type. Can be system or manual. For delegated resolver type, see the update\_delegated\_resolver variable instead. | `string` | `null` | no | +| [resolver\_type](#input\_resolver\_type) | Resolver type. Can be system or manual or delegated. | `string` | `null` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the VPC to be created | `string` | n/a | yes | | [routes](#input\_routes) | OPTIONAL - Allows you to specify the next hop for packets based on their destination address |
list(
object({
name = string
route_direct_link_ingress = optional(bool)
route_transit_gateway_ingress = optional(bool)
route_vpc_zone_ingress = optional(bool)
routes = optional(
list(
object({
action = optional(string)
zone = number
destination = string
next_hop = string
})
))
})
)
| `[]` | no | | [routing\_table\_name](#input\_routing\_table\_name) | The name to give the provisioned routing tables. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | diff --git a/common-dev-assets b/common-dev-assets index 875f11b6..2ba5cc2c 160000 --- a/common-dev-assets +++ b/common-dev-assets @@ -1 +1 @@ -Subproject commit 875f11b64778671daff496f5986d19c28553fff2 +Subproject commit 2ba5cc2c867361e8bcf34bd95f7359cc03d82b25 diff --git a/examples/hub-spoke-delegated-resolver/main.tf b/examples/hub-spoke-delegated-resolver/main.tf index 9c65f95b..7005039a 100644 --- a/examples/hub-spoke-delegated-resolver/main.tf +++ b/examples/hub-spoke-delegated-resolver/main.tf @@ -79,6 +79,7 @@ module "spoke_vpc" { hub_account_id = data.ibm_iam_account_settings.iam_account_settings.account_id hub_vpc_crn = module.hub_vpc.vpc_crn enable_hub_vpc_crn = true + resolver_type = "delegated" update_delegated_resolver = var.update_delegated_resolver subnets = { zone-1 = [ diff --git a/main.tf b/main.tf index 0f580e95..b48a4911 100644 --- a/main.tf +++ b/main.tf @@ -45,7 +45,7 @@ resource "ibm_is_vpc" "vpc" { # Delegated resolver dynamic "resolver" { - for_each = (var.enable_hub_vpc_id || var.enable_hub_vpc_crn) && var.update_delegated_resolver ? [1] : [] + for_each = (var.enable_hub_vpc_id || var.enable_hub_vpc_crn) && var.update_delegated_resolver && var.resolver_type == "delegated" ? [1] : [] content { type = "delegated" vpc_id = var.hub_vpc_id != null ? var.hub_vpc_id : null 
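Review bot: The added `&& var.resolver_type == "delegated"` in the `for_each` is already implied by the validation on `update_delegated_resolver` in variables.tf in this same commit, so it changes no behaviour; it does make the intent readable at the use site, and a comment would save the next reader a trip to variables.tf, e.g. `# update_delegated_resolver = true is validated to require resolver_type = "delegated"`. The context line `vpc_id = var.hub_vpc_id != null ? var.hub_vpc_id : null` is a no-op conditional and reduces to `vpc_id = var.hub_vpc_id`, though it is not touched by this commit. The `dynamic "resolver"` block and the enclosing `ibm_is_vpc` resource continue past the end of the hunk.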
@@ -133,6 +133,40 @@ resource "ibm_iam_authorization_policy" "vpc_dns_resolution_auth_policy" { } } +# Set up separate DNS resolution binding in case the resolver type is NOT delegated. +resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_id" { + count = (var.enable_hub == false && var.enable_hub_vpc_id) && var.resolver_type != "delegated" ? 1 : 0 + # Depends on required as the authorization policy cannot be directly referenced + depends_on = [ibm_iam_authorization_policy.vpc_dns_resolution_auth_policy] + + # Use var.dns_binding_name if not null, otherwise, use var.prefix and var.name combination. + name = coalesce( + var.dns_binding_name, + "${var.prefix != null ? "${var.prefix}-${var.name}" : var.name}-dns-binding" + ) + vpc_id = local.vpc_id # Source VPC + vpc { + id = var.hub_vpc_id # Target VPC ID + } +} + +# Set up separate DNS resolution binding in case the resolver type is NOT delegated. +resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_crn" { + count = (var.enable_hub == false && var.enable_hub_vpc_crn) && var.resolver_type != "delegated" ? 1 : 0 + # Depends on required as the authorization policy cannot be directly referenced + depends_on = [ibm_iam_authorization_policy.vpc_dns_resolution_auth_policy] + + # Use var.dns_binding_name if not null, otherwise, use var.prefix and var.name combination. + name = coalesce( + var.dns_binding_name, + "${var.prefix != null ? "${var.prefix}-${var.name}" : var.name}-dns-binding" + ) + vpc_id = local.vpc_id # Source VPC + vpc { + crn = var.hub_vpc_crn # Target VPC CRN + } +} + # Configure custom resolver on the hub vpc resource "ibm_resource_instance" "dns_instance_hub" { count = var.enable_hub && !var.skip_custom_resolver_hub_creation && !var.use_existing_dns_instance ? 1 : 0 diff --git a/tests/other_test.go b/tests/other_test.go index 23953e0b..058aae85 100644 --- a/tests/other_test.go +++ b/tests/other_test.go 
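Review bot: Setting `resolver_type = "delegated"` while `update_delegated_resolver` is still `false` leaves the spoke with no DNS resolution binding at all: the `count` on both new resources is 0 because `var.resolver_type != "delegated"` is false, and the `resolver` block in `ibm_is_vpc` is also skipped because its `for_each` requires `update_delegated_resolver`. That appears to be the intended intermediate state of the two-step upgrade, but nothing in the code says so, and a spoke silently losing hub DNS resolution is hard to diagnose; a comment on each `count` line such as `# Intentionally 0 when resolver_type is "delegated": the binding is then owned by the resolver block of ibm_is_vpc (needs update_delegated_resolver = true)` would make it visible. Both resources also derive the same `name` from `coalesce(var.dns_binding_name, ...)`, so if `enable_hub_vpc_id` and `enable_hub_vpc_crn` can both be true, two bindings with one name are attempted — worth confirming variables.tf forbids that combination, which is not visible here. The `count` shape and the `name` expression are duplicated verbatim between the two resources; a single local for the binding name would keep them in step.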
@@ -2,7 +2,6 @@ package test import ( - "github.com/gruntwork-io/terratest/modules/terraform" "testing" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper" @@ -25,27 +24,6 @@ func TestRunBasicExample(t *testing.T) { assert.NotNil(t, output, "Expected some output") } -func TestRunHubAndSpokeDelegatedExample(t *testing.T) { - t.Parallel() - - options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{ - Testing: t, - TerraformDir: hubAndSpokeDelegatedExampleTerraformDir, - Prefix: "has-slz", - ResourceGroup: resourceGroup, - Region: "us-south", - PostApplyHook: func(options *testhelper.TestOptions) error { - terraformOptions := options.TerraformOptions - terraformOptions.Vars["update_delegated_resolver"] = true - _, err := terraform.ApplyE(options.Testing, terraformOptions) - return err - }, - }) - output, err := options.RunTestConsistency() - assert.Nil(t, err, "This should not have errored") - assert.NotNil(t, output, "Expected some output") -} - func TestRunSpecificZoneExample(t *testing.T) { t.Parallel() diff --git a/tests/pr_test.go b/tests/pr_test.go index 260fb03d..d4036251 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go 
@@ -322,3 +322,25 @@ func TestRunUpgradeFullyConfigurable(t *testing.T) { assert.Nil(t, err, "This should not have errored") } } + +func TestRunHubAndSpokeDelegatedExample(t *testing.T) { + t.Parallel() + + options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{ + Testing: t, + TerraformDir: hubAndSpokeDelegatedExampleTerraformDir, + Prefix: "has-slz", + ResourceGroup: resourceGroup, + Region: "us-south", + PostApplyHook: func(options *testhelper.TestOptions) error { + terraformOptions := options.TerraformOptions + terraformOptions.Vars["update_delegated_resolver"] = true + _, err := terraform.ApplyE(options.Testing, terraformOptions) + return err + }, + }) + + output, err := options.RunTestConsistency() + assert.Nil(t, err, "This should not have errored") + assert.NotNil(t, output, "Expected some output") +} diff --git a/variables.tf b/variables.tf index ce79b4a4..40b9bafb 100644 --- a/variables.tf +++ b/variables.tf @@ -641,8 +641,8 @@ variable "update_delegated_resolver" { default = false validation { - condition = !(var.update_delegated_resolver == true && var.resolver_type != null) - error_message = "var.resolver_type cannot be set if var.update_delegated_resolver is true. Only one type of resolver can be created by VPC." + condition = !(var.update_delegated_resolver == true && var.resolver_type != "delegated") + error_message = "If var.update_delegated_resolver is true then var.resolver_type must be set to 'delegated'." } } @@ -665,7 +665,7 @@ variable "use_existing_dns_instance" { } variable "resolver_type" { - description = "Resolver type. Can be system or manual. For delegated resolver type, see the update_delegated_resolver variable instead. " + description = "Resolver type. Can be system or manual or delegated." type = string default = null validation { 
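Review bot: `TestRunHubAndSpokeDelegatedExample` only asserts that the second `terraform.ApplyE` with `update_delegated_resolver = true` returns no error; it does not check that the spoke VPC actually ended up with a delegated resolver binding, which is the behaviour the v8 upgrade path depends on. Reading the module's `dns_endpoint_gateways_by_id` output after the hook and asserting it is non-nil would cover that, and the `RunTestConsistency` call would then also catch a binding that flaps between applies. The hook calls `terraform.ApplyE`, and this commit removes the `github.com/gruntwork-io/terratest/modules/terraform` import from other_test.go; whether pr_test.go already imports it is outside the hunk and should be confirmed.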
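Review bot: The reworded validation rejects `update_delegated_resolver = true` without `resolver_type = "delegated"`, but the inverse combination, `resolver_type = "delegated"` with `update_delegated_resolver = false`, passes validation and produces no DNS resolution binding by either path (see the `count` conditions on the new `ibm_is_vpc_dns_resolution_binding` resources in main.tf in this commit). If that is only meant as the transient first step of the upgrade, the `update_delegated_resolver` description should say so, e.g. `Set to true together with resolver_type = "delegated". While resolver_type is "delegated" and this variable is false, no DNS resolution binding is created for the spoke.` Referencing `var.resolver_type` from inside another variable's `validation` block needs a Terraform version that allows cross-variable references; the removed line already did this, so it is not new, but the module's `required_version` should reflect it.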
@@ -673,8 +673,9 @@ variable "resolver_type" { var.resolver_type == null, var.resolver_type == "system", var.resolver_type == "manual", + var.resolver_type == "delegated" ]) - error_message = "`resolver_type` can either be null, or set to the string 'system' or 'manual'." + error_message = "`resolver_type` can either be null, or set to the string 'system', 'delegated' or 'manual'." } } From a526830c8019bd2d65667ce786596be24204da1a Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Wed, 6 Aug 2025 16:36:19 +0100 Subject: [PATCH 17/21] conditional dns resolution binding --- README.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/README.md b/README.md index 4c3edf90..a3f77b14 100644 --- a/README.md +++ b/README.md @@ -18,15 +18,6 @@ This module creates the following IBM Cloud® Virtual Private Cloud (VPC) net ![vpc-module](https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/main/.docs/vpc-module.png) -:exclamation: **[Major Version Upgrade to v8.0.0]**: - -This major version upgrade affects the Hub and Spoke VPC topology. The `ibm_is_vpc_dns_resolution_binding` resources are no longer created explicitly. Instead, DNS resolution bindings for Spoke VPCs are now handled within the `ibm_is_vpc` resource when the DNS resolver type is set to `delegated`. - -To upgrade your resources, follow this two-step process: -1. Run `terraform apply`: This will remove the existing `ibm_is_vpc_dns_resolution_binding` resources. -2. Run `terraform apply -var=update_delegated_resolver=true`: This will create the DNS resolution bindings and set the DNS resolver type to `delegated` for the Spoke VPCs. - - ## Overview From 3e662e1a1ffb3a1284e570f9b1e5de3c42b6d644 Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Tue, 12 Aug 2025 10:26:19 +0100 Subject: [PATCH 18/21] conditional dns resolution binding --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index a3f77b14..7f631d69 100644 --- a/README.md 
+++ b/README.md @@ -18,6 +18,13 @@ This module creates the following IBM Cloud® Virtual Private Cloud (VPC) net ![vpc-module](https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/main/.docs/vpc-module.png) +:exclamation: **[Major Version Upgrade to v8.0.0]**: + +This major version upgrade affects the Hub and Spoke VPC topology. The `ibm_is_vpc_dns_resolution_binding` resources are no longer used for creating DNS resolution binding for `Delegated` resolver type. + +- Upgrade to the latest module (>= `v8.0.0`). +- Run `terraform apply -var=update_delegated_resolver=true` to re-create the DNS resolution binding. The downtime is typically 20 seconds. + ## Overview From 2efc7082d6fb318187f43283d7673686bbb3324e Mon Sep 17 00:00:00 2001 From: Vincent Burckhardt Date: Tue, 12 Aug 2025 13:24:09 +0200 Subject: [PATCH 19/21] docs: improve message --- README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7f631d69..fab2baed 100644 --- a/README.md +++ b/README.md 
@@ -18,12 +18,16 @@ This module creates the following IBM Cloud® Virtual Private Cloud (VPC) net ![vpc-module](https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/main/.docs/vpc-module.png) -:exclamation: **[Major Version Upgrade to v8.0.0]**: -This major version upgrade affects the Hub and Spoke VPC topology. The `ibm_is_vpc_dns_resolution_binding` resources are no longer used for creating DNS resolution binding for `Delegated` resolver type. + +### Upgrade notice for Hub-and-Spoke topology users (version 8.0.0 and above) + +> **Note:** This upgrade notice applies **only** to users of the advanced Hub-and-Spoke VPC topology who are upgrading from a previous version of this module to v8.0.0 or later. If you are using to standard topology, or a new user starting with v8.0.0 or above, you can safely ignore this section. + +If you are upgrading, note that the `ibm_is_vpc_dns_resolution_binding` resources are no longer used for DNS resolution binding with the `Delegated` resolver type. - Upgrade to the latest module (>= `v8.0.0`). -- Run `terraform apply -var=update_delegated_resolver=true` to re-create the DNS resolution binding. The downtime is typically 20 seconds. +- Run `terraform apply -var=update_delegated_resolver=true` to re-create the DNS resolution binding. Expected downtime is typically around 20 seconds. From 73f12373d7f005c29de911e97aa7dc341e9126a4 Mon Sep 17 00:00:00 2001 From: Vincent Burckhardt Date: Tue, 12 Aug 2025 13:32:16 +0200 Subject: [PATCH 20/21] docs: improve message --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index fab2baed..8978a072 100644 --- a/README.md +++ b/README.md 
@@ -27,7 +27,13 @@ This module creates the following IBM Cloud® Virtual Private Cloud (VPC) net If you are upgrading, note that the `ibm_is_vpc_dns_resolution_binding` resources are no longer used for DNS resolution binding with the `Delegated` resolver type. - Upgrade to the latest module (>= `v8.0.0`). -- Run `terraform apply -var=update_delegated_resolver=true` to re-create the DNS resolution binding. Expected downtime is typically around 20 seconds. +- Set `update_delegated_resolver = true` in your Terraform configuration (along with any other input parameters you previously used) and run `terraform apply` to re-create the DNS resolution binding with the `Delegated` resolver type. For example: + +```bash +terraform apply -var="update_delegated_resolver=true" +``` + +Expected network connectivity downtime of typically around 20 seconds. From 3870b2daf8ac7f1d6ed1893bcb9c3b772c8478ba Mon Sep 17 00:00:00 2001 From: Vincent Burckhardt Date: Tue, 12 Aug 2025 13:32:47 +0200 Subject: [PATCH 21/21] docs: improve message --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8978a072..69463978 100644 --- a/README.md +++ b/README.md 
@@ -22,7 +22,7 @@ This module creates the following IBM Cloud® Virtual Private Cloud (VPC) net ### Upgrade notice for Hub-and-Spoke topology users (version 8.0.0 and above) -> **Note:** This upgrade notice applies **only** to users of the advanced Hub-and-Spoke VPC topology who are upgrading from a previous version of this module to v8.0.0 or later. If you are using to standard topology, or a new user starting with v8.0.0 or above, you can safely ignore this section. +> **Note:** This upgrade notice applies **only** to users of the advanced Hub-and-Spoke VPC topology who are upgrading from a previous version of this module to v8.0.0 or later. If you are using the standard topology, or a new user starting with v8.0.0 or above, you can safely ignore this section. If you are upgrading, note that the `ibm_is_vpc_dns_resolution_binding` resources are no longer used for DNS resolution binding with the `Delegated` resolver type.