Conditional dns resolution binding

README.md

@@ -18,6 +18,15 @@ This module creates the following IBM Cloud® Virtual Private Cloud (VPC) net
 
 ![vpc-module](https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/main/.docs/vpc-module.png)
 
+:exclamation: **[Major Version Upgrade to v8.0.0]**:
+
+This major version upgrade affects the Hub and Spoke VPC topology. The `ibm_is_vpc_dns_resolution_binding` resources are no longer created explicitly. Instead, DNS resolution bindings for Spoke VPCs are now handled within the `ibm_is_vpc` resource when the DNS resolver type is set to `delegated`.
+
+To upgrade your resources, follow this two-step process:
+1. Run `terraform apply`: This will remove the existing `ibm_is_vpc_dns_resolution_binding` resources.
+2. Run `terraform apply -var=update_delegated_resolver=true`: This will create the DNS resolution bindings and set the DNS resolver type to `delegated` for the Spoke VPCs.
+
+
 <!-- Below content is automatically populated via pre-commit hook -->
 <!-- BEGIN OVERVIEW HOOK -->
 ## Overview
@@ -165,8 +174,6 @@ To attach access management tags to resources in this module, you need the follo
 | [ibm_is_vpc.vpc](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc) | resource |
 | [ibm_is_vpc_address_prefix.address_prefixes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_address_prefix) | resource |
 | [ibm_is_vpc_address_prefix.subnet_prefix](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_address_prefix) | resource |
-| [ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_crn](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_dns_resolution_binding) | resource |
-| [ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_id](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_dns_resolution_binding) | resource |
 | [ibm_is_vpc_routing_table.route_table](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table) | resource |
 | [ibm_is_vpc_routing_table_route.routing_table_routes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table_route) | resource |
 | [ibm_is_vpn_gateway.vpn_gateway](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpn_gateway) | resource |
@@ -177,6 +184,7 @@ To attach access management tags to resources in this module, you need the follo
 | [ibm_is_subnet.subnet](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_subnet) | data source |
 | [ibm_is_vpc.vpc](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc) | data source |
 | [ibm_is_vpc_address_prefixes.get_address_prefixes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc_address_prefixes) | data source |
+| [ibm_is_vpc_dns_resolution_bindings.dns_bindings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc_dns_resolution_bindings) | data source |
 
 ### Inputs
 
@@ -242,8 +250,8 @@ To attach access management tags to resources in this module, you need the follo
 | <a name="output_cidr_blocks"></a> [cidr\_blocks](#output\_cidr\_blocks) | List of CIDR blocks present in VPC stack |
 | <a name="output_custom_resolver_hub"></a> [custom\_resolver\_hub](#output\_custom\_resolver\_hub) | The custom resolver created for the hub vpc. Only set if enable\_hub is set and skip\_custom\_resolver\_hub\_creation is false. |
 | <a name="output_dns_custom_resolver_id"></a> [dns\_custom\_resolver\_id](#output\_dns\_custom\_resolver\_id) | The ID of the DNS Custom Resolver. |
-| <a name="output_dns_endpoint_gateways_by_crn"></a> [dns\_endpoint\_gateways\_by\_crn](#output\_dns\_endpoint\_gateways\_by\_crn) | The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id are true. |
-| <a name="output_dns_endpoint_gateways_by_id"></a> [dns\_endpoint\_gateways\_by\_id](#output\_dns\_endpoint\_gateways\_by\_id) | The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id are true. |
+| <a name="output_dns_endpoint_gateways_by_crn"></a> [dns\_endpoint\_gateways\_by\_crn](#output\_dns\_endpoint\_gateways\_by\_crn) | The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id OR enable\_hub\_vpc\_crn are true. |
+| <a name="output_dns_endpoint_gateways_by_id"></a> [dns\_endpoint\_gateways\_by\_id](#output\_dns\_endpoint\_gateways\_by\_id) | The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id OR enable\_hub\_vpc\_crn are true. |
 | <a name="output_dns_instance_id"></a> [dns\_instance\_id](#output\_dns\_instance\_id) | The ID of the DNS instance. |
 | <a name="output_dns_record_ids"></a> [dns\_record\_ids](#output\_dns\_record\_ids) | List of all the domain resource records. |
 | <a name="output_dns_zone"></a> [dns\_zone](#output\_dns\_zone) | A map representing DNS zone information. |

examples/hub-spoke-delegated-resolver/README.md

@@ -12,6 +12,4 @@ This example demonstrates how to deploy hub and spoke VPCs, inclusive of enablin
 1. The first terraform apply lay down all of the topology, but does not configure the DNS resolver to delegated in the spoke
 2. The second terraform apply should have the update_delegated_resolver variable to true to configure the DNS resolver to be delegated ```terraform apply -var=update_delegated_resolver=true```
 
-In order to perform a successful destroy, please set to the resolver to "system" in the spoke VPC through the UI before issuing the terraform destroy - see https://cloud.ibm.com/docs/solution-tutorials?topic=solution-tutorials-vpc-transit2
-
 You may also be interested in the [Hub and Spoke VPC with manual DNS resolver Example](../hub-spoke-manual-resolver/) which does not exhibit those issues.

main.tf

@@ -50,6 +50,10 @@ resource "ibm_is_vpc" "vpc" {
         type    = "delegated"
         vpc_id  = var.hub_vpc_id != null ? var.hub_vpc_id : null
         vpc_crn = var.hub_vpc_crn != null ? var.hub_vpc_crn : null
+        dns_binding_name = coalesce(
+          var.dns_binding_name,
+          "${var.prefix != null ? "${var.prefix}-${var.name}" : var.name}-dns-binding"
+        )
       }
     }
 
@@ -78,6 +82,11 @@ resource "ibm_is_vpc" "vpc" {
   }
 }
 
+data "ibm_is_vpc_dns_resolution_bindings" "dns_bindings" {
+  count  = (!var.enable_hub && (var.enable_hub_vpc_id || var.enable_hub_vpc_crn)) ? 1 : 0
+  vpc_id = local.vpc_id
+}
+
 ###############################################################################
 
 ##############################################################################
@@ -124,39 +133,6 @@ resource "ibm_iam_authorization_policy" "vpc_dns_resolution_auth_policy" {
   }
 }
 
-# Enable Hub to dns resolve in spoke VPC
-resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_id" {
-  count = (var.enable_hub == false && var.enable_hub_vpc_id) ? 1 : 0
-  # Depends on required as the authorization policy cannot be directly referenced
-  depends_on = [ibm_iam_authorization_policy.vpc_dns_resolution_auth_policy]
-
-  # Use var.dns_binding_name if not null, otherwise, use var.prefix and var.name combination.
-  name = coalesce(
-    var.dns_binding_name,
-    "${var.prefix != null ? "${var.prefix}-${var.name}" : var.name}-dns-binding"
-  )
-  vpc_id = local.vpc_id # Source VPC
-  vpc {
-    id = var.hub_vpc_id # Target VPC ID
-  }
-}
-
-resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_crn" {
-  count = (var.enable_hub == false && var.enable_hub_vpc_crn) ? 1 : 0
-  # Depends on required as the authorization policy cannot be directly referenced
-  depends_on = [ibm_iam_authorization_policy.vpc_dns_resolution_auth_policy]
-
-  # Use var.dns_binding_name if not null, otherwise, use var.prefix and var.name combination.
-  name = coalesce(
-    var.dns_binding_name,
-    "${var.prefix != null ? "${var.prefix}-${var.name}" : var.name}-dns-binding"
-  )
-  vpc_id = local.vpc_id # Source VPC
-  vpc {
-    crn = var.hub_vpc_crn # Target VPC CRN
-  }
-}
-
 # Configure custom resolver on the hub vpc
 resource "ibm_resource_instance" "dns_instance_hub" {
   count = var.enable_hub && !var.skip_custom_resolver_hub_creation && !var.use_existing_dns_instance ? 1 : 0

outputs.tf

@@ -158,13 +158,13 @@ output "custom_resolver_hub" {
 }
 
 output "dns_endpoint_gateways_by_id" {
-  description = "The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable_hub is false and enable_hub_vpc_id are true."
-  value       = length(ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_id) == 1 ? ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_id[0] : null
+  description = "The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable_hub is false and enable_hub_vpc_id OR enable_hub_vpc_crn are true."
+  value       = try(length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings[0].vpc[0].id : null, null)
 }
 
 output "dns_endpoint_gateways_by_crn" {
-  description = "The list of VPEs that are made available for DNS resolution in the created VPC. Only set if enable_hub is false and enable_hub_vpc_id are true."
-  value       = length(ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_crn) == 1 ? ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_crn[0] : null
+  description = "The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable_hub is false and enable_hub_vpc_id OR enable_hub_vpc_crn are true."
+  value       = try(length(data.ibm_is_vpc_dns_resolution_bindings.dns_bindings) == 1 ? data.ibm_is_vpc_dns_resolution_bindings.dns_bindings[0].dns_resolution_bindings[0].vpc[0].crn : null, null)
 }
 
 output "dns_instance_id" {

tests/other_test.go

@@ -2,6 +2,7 @@
 package test
 
 import (
+	"github.com/gruntwork-io/terratest/modules/terraform"
 	"testing"
 
 	"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
@@ -33,8 +34,13 @@ func TestRunHubAndSpokeDelegatedExample(t *testing.T) {
 		Prefix:        "has-slz",
 		ResourceGroup: resourceGroup,
 		Region:        "us-south",
+		PostApplyHook: func(options *testhelper.TestOptions) error {
+			terraformOptions := options.TerraformOptions
+			terraformOptions.Vars["update_delegated_resolver"] = true
+			_, err := terraform.ApplyE(options.Testing, terraformOptions)
+			return err
+		},
 	})
-
 	output, err := options.RunTestConsistency()
 	assert.Nil(t, err, "This should not have errored")
 	assert.NotNil(t, output, "Expected some output")