chore: add pattern for vsi creation on existing vpc (#595)

Author: Aashiq-J

patterns/vsi-extension/README.md

@@ -0,0 +1,7 @@
+# Add a VSI to a landing zone VPC
+
+This logic creates a VSI to an existing landing zone VPC.
+
+This code creates and configures the following infrastructure:
+- Adds an SSH key to IBM Cloud or uses an existing one.
+- Adds a VSI in each subnet of the landing zone VPC.

patterns/vsi-extension/config.tf

@@ -0,0 +1,70 @@
+##############################################################################
+# Create Pattern Dynamic Variables
+# > Values are created inside the `dynamic_modules/` module to allow them to
+#   be tested
+##############################################################################
+
+module "default_vsi_sg_rules" {
+  source = "../dynamic_values/config_modules/default_security_group_rules"
+}
+##############################################################################
+
+
+##############################################################################
+# Dynamically Create Default Configuration
+##############################################################################
+
+locals {
+  ##############################################################################
+  # VALIDATION FOR SSH_KEY
+  ##############################################################################
+
+  sshkey_var_validation = (var.ssh_public_key == null && var.existing_ssh_key_name == null) ? true : false
+
+  # tflint-ignore: terraform_unused_declarations
+  validate_ssh = local.sshkey_var_validation ? tobool("Invalid input: both ssh_public_key and existing_ssh_key_name variables cannot be null together. Please provide a value for at least one of them.") : true
+
+  ##############################################################################
+  # Default SSH key
+  ##############################################################################
+
+  ssh_keys = {
+    name       = var.ssh_public_key != null ? "${var.prefix}-ssh-key" : var.existing_ssh_key_name
+    public_key = var.existing_ssh_key_name == null ? var.ssh_public_key : null
+  }
+
+  ##############################################################################
+
+  ##############################################################################
+  # Dynamic configuration for landing zone environment
+  ##############################################################################
+
+  config = {
+    ##############################################################################
+    # Deployment Configuration From Dynamic Values
+    ##############################################################################
+
+    security_groups = flatten(
+      [
+        {
+          name           = "${data.ibm_is_vpc.vpc_by_id.name}-vpe-sg"
+          resource_group = data.ibm_is_vpc.vpc_by_id.resource_group_name
+          rules          = module.default_vsi_sg_rules.all_tcp_rules
+          vpc_name       = data.ibm_is_vpc.vpc_by_id.name
+        }
+      ]
+    )
+
+    ##############################################################################
+  }
+
+  ##############################################################################
+  # Compile Environment for Config output
+  ##############################################################################
+  env = {
+    security_groups = local.config.security_groups
+  }
+  ##############################################################################
+}
+
+##############################################################################

patterns/vsi-extension/main.tf

@@ -0,0 +1,74 @@
+##############################################################################
+# Locals
+##############################################################################
+
+locals {
+  ssh_key_id = var.ssh_public_key != null ? ibm_is_ssh_key.ssh_key[0].id : data.ibm_is_ssh_key.ssh_key[0].id
+}
+
+##############################################################################
+# Resource Group
+##############################################################################
+
+data "ibm_resource_group" "existing_resource_group" {
+  name = var.resource_group
+}
+
+##############################################################################
+# SSH key
+##############################################################################
+resource "ibm_is_ssh_key" "ssh_key" {
+  count          = local.ssh_keys != null ? 1 : 0
+  name           = local.ssh_keys.name
+  public_key     = replace(local.ssh_keys.public_key, "/==.*$/", "==")
+  resource_group = data.ibm_resource_group.existing_resource_group.id
+  tags           = var.resource_tags
+}
+
+data "ibm_is_ssh_key" "ssh_key" {
+  count = var.existing_ssh_key_name == null ? 0 : 1
+  name  = var.existing_ssh_key_name
+}
+
+data "ibm_is_vpc" "vpc_by_id" {
+  identifier = var.vpc_id
+}
+
+
+data "ibm_is_image" "image" {
+  name = var.image_name
+}
+
+locals {
+  subnets = [
+    for subnet in data.ibm_is_vpc.vpc_by_id.subnets :
+    subnet if can(regex(join("|", var.subnet_names), subnet.name))
+  ]
+}
+
+module "vsi" {
+  source                        = "terraform-ibm-modules/landing-zone-vsi/ibm"
+  version                       = "2.8.2"
+  resource_group_id             = data.ibm_resource_group.existing_resource_group.id
+  create_security_group         = true
+  prefix                        = "${var.prefix}-vsi"
+  vpc_id                        = var.vpc_id
+  subnets                       = var.subnet_names != null ? local.subnets : data.ibm_is_vpc.vpc_by_id.subnets
+  tags                          = var.resource_tags
+  access_tags                   = var.access_tags
+  kms_encryption_enabled        = true
+  skip_iam_authorization_policy = var.skip_iam_authorization_policy
+  user_data                     = var.user_data
+  image_id                      = data.ibm_is_image.image.id
+  boot_volume_encryption_key    = var.boot_volume_encryption_key
+  existing_kms_instance_guid    = var.existing_kms_instance_guid
+  security_group_ids            = var.security_group_ids
+  ssh_key_ids                   = [local.ssh_key_id]
+  machine_type                  = var.machine_type
+  vsi_per_subnet                = var.vsi_per_subnet
+  security_group                = local.env.security_groups[0]
+  load_balancers                = var.load_balancers
+  block_storage_volumes         = var.block_storage_volumes
+  enable_floating_ip            = var.enable_floating_ip
+  placement_group_id            = var.placement_group_id
+}

patterns/vsi-extension/outputs.tf

@@ -0,0 +1,4 @@
+output "vsi_data" {
+  description = "Details of the VSI including name, id, zone, and primary ipv4 address, VPC Name, and floating IP."
+  value       = module.vsi
+}

patterns/vsi-extension/provider.tf

@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}

patterns/vsi-extension/variables.tf

@@ -0,0 +1,188 @@
+variable "ibmcloud_api_key" {
+  description = "The API key that's associated with the account to provision resources to"
+  type        = string
+  sensitive   = true
+}
+
+variable "resource_group" {
+  type        = string
+  description = "The resource group name of the landing zone VPC."
+}
+
+variable "region" {
+  description = "The region of the landing zone VPC."
+  type        = string
+}
+
+variable "prefix" {
+  description = "The prefix to add to the VSI, block storage, security group, floating IP, and load balancer resources."
+  type        = string
+  default     = "slz-vsi"
+}
+
+variable "vpc_id" {
+  description = "The ID of the VPC where the VSI will be created."
+  type        = string
+}
+
+variable "existing_ssh_key_name" {
+  description = "The ID of the VPC where the VSI will be created."
+  type        = string
+  default     = null
+}
+
+
+variable "ssh_public_key" {
+  description = "SSH keys to use to provision a VSI. Must be an RSA key with a key size of either 2048 bits or 4096 bits (recommended). If `public_key` is not provided, the named key will be looked up from data. See https://cloud.ibm.com/docs/vpc?topic=vpc-ssh-keys."
+  type        = string
+
+  validation {
+    error_message = "The public SSH key must be a valid SSH RSA public key."
+    condition     = var.ssh_public_key == null || can(regex("ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3} ?([^@]+@[^@]+)?", var.ssh_public_key))
+  }
+}
+
+variable "resource_tags" {
+  description = "A list of tags to add to the VSI, block storage, security group, floating IP, and load balancer created by the module."
+  type        = list(string)
+  default     = []
+}
+
+variable "access_tags" {
+  type        = list(string)
+  description = "A list of access tags to apply to the VSI resources created by the module."
+  default     = []
+}
+
+variable "image_name" {
+  description = "Image ID used for the VSI. Run the 'ibmcloud is images' CLI command to find available images. The IDs are different in each region."
+  type        = string
+  default     = "ibm-ubuntu-22-04-2-minimal-amd64-1"
+}
+
+variable "machine_type" {
+  description = "VSI machine type"
+  type        = string
+  default     = "cx2-2x4"
+}
+
+variable "user_data" {
+  description = "User data to initialize VSI deployment."
+  type        = string
+  default     = null
+}
+
+variable "boot_volume_encryption_key" {
+  description = "The CRN of the boot volume encryption key."
+  type        = string
+}
+
+variable "existing_kms_instance_guid" {
+  description = "The GUID of the KMS instance that holds the key specified in `var.boot_volume_encryption_key`."
+  type        = string
+}
+
+variable "skip_iam_authorization_policy" {
+  type        = bool
+  description = "Set to `true` to skip the creation of an IAM authorization policy that permits all storage blocks to read the encryption key from the KMS instance. If set to `false` (and creating a policy), specify the GUID of the KMS instance in the `existing_kms_instance_guid` variable."
+  default     = false
+}
+
+variable "vsi_per_subnet" {
+  description = "The number of VSI instances for each subnet."
+  type        = number
+  default     = 1
+}
+
+variable "subnet_names" {
+  description = "The subnets to deploy the VSI instances to."
+  type        = list(string)
+  default = [
+    "vpe-zone-1",
+    "vpe-zone-2",
+    "vpe-zone-3"
+  ]
+}
+
+variable "security_group_ids" {
+  description = "IDs of additional security groups to add to the VSI deployment primary interface. A VSI interface can have a maximum of 5 security groups."
+  type        = list(string)
+  default     = []
+}
+
+variable "block_storage_volumes" {
+  description = "The list of block storage volumes to attach to each VSI."
+  type = list(
+    object({
+      name           = string
+      profile        = string
+      capacity       = optional(number)
+      iops           = optional(number)
+      encryption_key = optional(string)
+    })
+  )
+  default = []
+}
+
+variable "enable_floating_ip" {
+  description = "Set to `true` to create a floating IP for each virtual server."
+  type        = bool
+  default     = false
+}
+
+variable "placement_group_id" {
+  description = "Unique Identifier of the Placement Group for restricting the placement of the instance, default behaviour is placement on any host"
+  type        = string
+  default     = null
+}
+
+variable "load_balancers" {
+  description = "The load balancers to add to the VSI."
+  type = list(
+    object({
+      name              = string
+      type              = string
+      listener_port     = number
+      listener_protocol = string
+      connection_limit  = number
+      algorithm         = string
+      protocol          = string
+      health_delay      = number
+      health_retries    = number
+      health_timeout    = number
+      health_type       = string
+      pool_member_port  = string
+      security_group = optional(
+        object({
+          name = string
+          rules = list(
+            object({
+              name      = string
+              direction = string
+              source    = string
+              tcp = optional(
+                object({
+                  port_max = number
+                  port_min = number
+                })
+              )
+              udp = optional(
+                object({
+                  port_max = number
+                  port_min = number
+                })
+              )
+              icmp = optional(
+                object({
+                  type = number
+                  code = number
+                })
+              )
+            })
+          )
+        })
+      )
+    })
+  )
+  default = []
+}

patterns/vsi-extension/version.tf

@@ -0,0 +1,21 @@
+##############################################################################
+# Terraform Providers
+##############################################################################
+
+terraform {
+  required_version = ">= 1.3, < 1.6"
+  # Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
+  required_providers {
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = "1.56.1"
+    }
+    # tflint-ignore: terraform_unused_required_providers
+    external = {
+      source  = "hashicorp/external"
+      version = "2.2.3"
+    }
+  }
+}
+
+##############################################################################