feat: enable usage of existing VPC/Subnets feature (#666)

toddgiguere · web-flow · commit 60b38f0e38d6 · 2023-12-24T14:01:12.000-05:00
Added the following optional properties to the configuration map for `vpcs` in order to support deployment of landing-zone into existing VPCs and Subnets.

* `existing_vpc_id` (string)
* `existing_subnet_ids` (list(string))
diff --git a/README.md b/README.md
@@ -855,7 +855,7 @@ module "cluster_pattern" {
 | <a name="module_placement_group_map"></a> [placement\_group\_map](#module\_placement\_group\_map) | ./dynamic_values/config_modules/list_to_map | n/a |
 | <a name="module_ssh_keys"></a> [ssh\_keys](#module\_ssh\_keys) | ./ssh_key | n/a |
 | <a name="module_teleport_config"></a> [teleport\_config](#module\_teleport\_config) | ./teleport_config | n/a |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-ibm-modules/landing-zone-vpc/ibm | 7.13.2 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-ibm-modules/landing-zone-vpc/ibm | 7.13.3 |
 | <a name="module_vsi"></a> [vsi](#module\_vsi) | terraform-ibm-modules/landing-zone-vsi/ibm | 3.0.0 |
 
 ### Resources
@@ -931,7 +931,7 @@ module "cluster_pattern" {
 | <a name="input_transit_gateway_resource_group"></a> [transit\_gateway\_resource\_group](#input\_transit\_gateway\_resource\_group) | Name of resource group to use for transit gateway. Must be included in `var.resource_group` | `string` | n/a | yes |
 | <a name="input_virtual_private_endpoints"></a> [virtual\_private\_endpoints](#input\_virtual\_private\_endpoints) | Object describing VPE to be created | <pre>list(<br>    object({<br>      service_name   = string<br>      service_type   = string<br>      resource_group = optional(string)<br>      access_tags    = optional(list(string), [])<br>      vpcs = list(<br>        object({<br>          name                = string<br>          subnets             = list(string)<br>          security_group_name = optional(string)<br>        })<br>      )<br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_vpc_placement_groups"></a> [vpc\_placement\_groups](#input\_vpc\_placement\_groups) | List of VPC placement groups to create | <pre>list(<br>    object({<br>      access_tags    = optional(list(string), [])<br>      name           = string<br>      resource_group = optional(string)<br>      strategy       = string<br>    })<br>  )</pre> | `[]` | no |
-| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map describing VPCs to be created in this repo. | <pre>list(<br>    object({<br>      prefix                      = string           # VPC prefix<br>      resource_group              = optional(string) # Name of the group where VPC will be created<br>      access_tags                 = optional(list(string), [])<br>      classic_access              = optional(bool)<br>      default_network_acl_name    = optional(string)<br>      default_security_group_name = optional(string)<br>      clean_default_sg_acl        = optional(bool, false)<br>      default_security_group_rules = optional(<br>        list(<br>          object({<br>            name      = string<br>            direction = string<br>            remote    = string<br>            tcp = optional(<br>              object({<br>                port_max = optional(number)<br>                port_min = optional(number)<br>              })<br>            )<br>            udp = optional(<br>              object({<br>                port_max = optional(number)<br>                port_min = optional(number)<br>              })<br>            )<br>            icmp = optional(<br>              object({<br>                type = optional(number)<br>                code = optional(number)<br>              })<br>            )<br>          })<br>        )<br>      )<br>      default_routing_table_name = optional(string)<br>      flow_logs_bucket_name      = optional(string)<br>      address_prefixes = optional(<br>        object({<br>          zone-1 = optional(list(string))<br>          zone-2 = optional(list(string))<br>          zone-3 = optional(list(string))<br>        })<br>      )<br>      network_acls = list(<br>        object({<br>          name                         = string<br>          add_ibm_cloud_internal_rules = optional(bool)<br>          add_vpc_connectivity_rules   = optional(bool)<br>          prepend_ibm_rules            = optional(bool)<br>          rules = list(<br>            object({<br>              name        = string<br>              action      = string<br>              destination = string<br>              direction   = string<br>              source      = string<br>              tcp = optional(<br>                object({<br>                  port_max        = optional(number)<br>                  port_min        = optional(number)<br>                  source_port_max = optional(number)<br>                  source_port_min = optional(number)<br>                })<br>              )<br>              udp = optional(<br>                object({<br>                  port_max        = optional(number)<br>                  port_min        = optional(number)<br>                  source_port_max = optional(number)<br>                  source_port_min = optional(number)<br>                })<br>              )<br>              icmp = optional(<br>                object({<br>                  type = optional(number)<br>                  code = optional(number)<br>                })<br>              )<br>            })<br>          )<br>        })<br>      )<br>      use_public_gateways = object({<br>        zone-1 = optional(bool)<br>        zone-2 = optional(bool)<br>        zone-3 = optional(bool)<br>      })<br>      subnets = object({<br>        zone-1 = list(object({<br>          name           = string<br>          cidr           = string<br>          public_gateway = optional(bool)<br>          acl_name       = string<br>        }))<br>        zone-2 = list(object({<br>          name           = string<br>          cidr           = string<br>          public_gateway = optional(bool)<br>          acl_name       = string<br>        }))<br>        zone-3 = list(object({<br>          name           = string<br>          cidr           = string<br>          public_gateway = optional(bool)<br>          acl_name       = string<br>        }))<br>      })<br>    })<br>  )</pre> | n/a | yes |
+| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map describing VPCs to be created in this repo. | <pre>list(<br>    object({<br>      prefix                      = string # VPC prefix<br>      existing_vpc_id             = optional(string)<br>      existing_subnet_ids         = optional(list(string))<br>      resource_group              = optional(string) # Name of the group where VPC will be created<br>      access_tags                 = optional(list(string), [])<br>      classic_access              = optional(bool)<br>      default_network_acl_name    = optional(string)<br>      default_security_group_name = optional(string)<br>      clean_default_sg_acl        = optional(bool, false)<br>      default_security_group_rules = optional(<br>        list(<br>          object({<br>            name      = string<br>            direction = string<br>            remote    = string<br>            tcp = optional(<br>              object({<br>                port_max = optional(number)<br>                port_min = optional(number)<br>              })<br>            )<br>            udp = optional(<br>              object({<br>                port_max = optional(number)<br>                port_min = optional(number)<br>              })<br>            )<br>            icmp = optional(<br>              object({<br>                type = optional(number)<br>                code = optional(number)<br>              })<br>            )<br>          })<br>        )<br>      )<br>      default_routing_table_name = optional(string)<br>      flow_logs_bucket_name      = optional(string)<br>      address_prefixes = optional(<br>        object({<br>          zone-1 = optional(list(string))<br>          zone-2 = optional(list(string))<br>          zone-3 = optional(list(string))<br>        })<br>      )<br>      network_acls = list(<br>        object({<br>          name                         = string<br>          add_ibm_cloud_internal_rules = optional(bool)<br>          add_vpc_connectivity_rules   = optional(bool)<br>          prepend_ibm_rules            = optional(bool)<br>          rules = list(<br>            object({<br>              name        = string<br>              action      = string<br>              destination = string<br>              direction   = string<br>              source      = string<br>              tcp = optional(<br>                object({<br>                  port_max        = optional(number)<br>                  port_min        = optional(number)<br>                  source_port_max = optional(number)<br>                  source_port_min = optional(number)<br>                })<br>              )<br>              udp = optional(<br>                object({<br>                  port_max        = optional(number)<br>                  port_min        = optional(number)<br>                  source_port_max = optional(number)<br>                  source_port_min = optional(number)<br>                })<br>              )<br>              icmp = optional(<br>                object({<br>                  type = optional(number)<br>                  code = optional(number)<br>                })<br>              )<br>            })<br>          )<br>        })<br>      )<br>      use_public_gateways = object({<br>        zone-1 = optional(bool)<br>        zone-2 = optional(bool)<br>        zone-3 = optional(bool)<br>      })<br>      subnets = optional(object({<br>        zone-1 = list(object({<br>          name           = string<br>          cidr           = string<br>          public_gateway = optional(bool)<br>          acl_name       = string<br>        }))<br>        zone-2 = list(object({<br>          name           = string<br>          cidr           = string<br>          public_gateway = optional(bool)<br>          acl_name       = string<br>        }))<br>        zone-3 = list(object({<br>          name           = string<br>          cidr           = string<br>          public_gateway = optional(bool)<br>          acl_name       = string<br>        }))<br>      }))<br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_vpn_gateways"></a> [vpn\_gateways](#input\_vpn\_gateways) | List of VPN Gateways to create. | <pre>list(<br>    object({<br>      name           = string<br>      vpc_name       = string<br>      subnet_name    = string # Do not include prefix, use same name as in `var.subnets`<br>      mode           = optional(string)<br>      resource_group = optional(string)<br>      access_tags    = optional(list(string), [])<br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_vsi"></a> [vsi](#input\_vsi) | A list describing VSI workloads to create | <pre>list(<br>    object({<br>      name                            = string<br>      vpc_name                        = string<br>      subnet_names                    = list(string)<br>      ssh_keys                        = list(string)<br>      image_name                      = string<br>      machine_type                    = string<br>      vsi_per_subnet                  = number<br>      user_data                       = optional(string)<br>      resource_group                  = optional(string)<br>      enable_floating_ip              = optional(bool)<br>      security_groups                 = optional(list(string))<br>      boot_volume_encryption_key_name = optional(string)<br>      access_tags                     = optional(list(string), [])<br>      security_group = optional(<br>        object({<br>          name = string<br>          rules = list(<br>            object({<br>              name      = string<br>              direction = string<br>              source    = string<br>              tcp = optional(<br>                object({<br>                  port_max = number<br>                  port_min = number<br>                })<br>              )<br>              udp = optional(<br>                object({<br>                  port_max = number<br>                  port_min = number<br>                })<br>              )<br>              icmp = optional(<br>                object({<br>                  type = number<br>                  code = number<br>                })<br>              )<br>            })<br>          )<br>        })<br>      )<br>      block_storage_volumes = optional(list(<br>        object({<br>          name           = string<br>          profile        = string<br>          capacity       = optional(number)<br>          iops           = optional(number)<br>          encryption_key = optional(string)<br>        })<br>      ))<br>      load_balancers = optional(list(<br>        object({<br>          name                    = string<br>          type                    = string<br>          listener_port           = number<br>          listener_protocol       = string<br>          connection_limit        = number<br>          algorithm               = string<br>          protocol                = string<br>          health_delay            = number<br>          health_retries          = number<br>          health_timeout          = number<br>          health_type             = string<br>          pool_member_port        = string<br>          idle_connection_timeout = optional(number)<br>          security_group = optional(<br>            object({<br>              name = string<br>              rules = list(<br>                object({<br>                  name      = string<br>                  direction = string<br>                  source    = string<br>                  tcp = optional(<br>                    object({<br>                      port_max = number<br>                      port_min = number<br>                    })<br>                  )<br>                  udp = optional(<br>                    object({<br>                      port_max = number<br>                      port_min = number<br>                    })<br>                  )<br>                  icmp = optional(<br>                    object({<br>                      type = number<br>                      code = number<br>                    })<br>                  )<br>                })<br>              )<br>            })<br>          )<br>        })<br>      ))<br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_wait_till"></a> [wait\_till](#input\_wait\_till) | To avoid long wait times when you run your Terraform code, you can specify the stage when you want Terraform to mark the cluster resource creation as completed. Depending on what stage you choose, the cluster creation might not be fully completed and continues to run in the background. However, your Terraform code can continue to run without waiting for the cluster to be fully created. Supported args are `MasterNodeReady`, `OneWorkerNodeReady`, and `IngressReady` | `string` | `"IngressReady"` | no |
diff --git a/dynamic_values/config_modules/bastion_vsi_list_to_map/bastion_vsi_list_to_map.tf b/dynamic_values/config_modules/bastion_vsi_list_to_map/bastion_vsi_list_to_map.tf
@@ -36,7 +36,7 @@ module "vsi_subnets" {
   source           = "../get_subnets"
   for_each         = module.vsi_list_to_map.value
   subnet_zone_list = var.vpc_modules[each.value.vpc_name].subnet_zone_list
-  regex            = "${var.prefix}-${each.value.vpc_name}-${each.value.subnet_name}"
+  regex            = each.value.subnet_name
 }
 
 ##############################################################################
diff --git a/dynamic_values/config_modules/f5/f5.tf b/dynamic_values/config_modules/f5/f5.tf
@@ -17,7 +17,7 @@ module "f5_primary_subnets" {
   source           = "../get_subnets"
   for_each         = module.f5_vsi_map.value
   subnet_zone_list = var.vpc_modules[each.value.vpc_name].subnet_zone_list
-  regex            = "${var.prefix}-${each.value.vpc_name}-${each.value.primary_subnet_name}"
+  regex            = each.value.primary_subnet_name
 }
 
 ##############################################################################
diff --git a/dynamic_values/config_modules/vpe/vpe.tf b/dynamic_values/config_modules/vpe/vpe.tf
@@ -63,7 +63,7 @@ module "vpe_ip_map" {
           vpc_name     = vpcs.name
           ip_name      = "${vpcs.name}-${service.service_name}-gateway-${subnet}-ip"
           gateway_name = "${vpcs.name}-${service.service_name}"
-          subnet_name  = "${var.prefix}-${vpcs.name}-${subnet}"
+          subnet_name  = subnet
         }
       ]
     ]
diff --git a/dynamic_values/config_modules/vpn/vpn.tf b/dynamic_values/config_modules/vpn/vpn.tf
@@ -9,7 +9,7 @@ module "vpn_subnet_map" {
     {
       name            = gateway.name
       vpc_name        = gateway.vpc_name
-      vpc_subnet_name = "${var.prefix}-${gateway.vpc_name}-${gateway.subnet_name}"
+      vpc_subnet_name = gateway.subnet_name
     }
   ]
 }
diff --git a/main.tf b/main.tf
@@ -6,27 +6,35 @@ locals {
   vpc_map = module.dynamic_values.vpc_map
 }
 
+# VPC module explicit dependencies (using 'depends_on') have been removed.
+# The 'depends_on' option was causing VPC module data blocks to not gather data for existing VPC or subnets during plan time,
+# which was causing issues with other modules in LZ.
+# Due to existing implicit dependencies we do not think this will be an issue, including auth policies for activity tracker.
 module "vpc" {
-  source                                 = "terraform-ibm-modules/landing-zone-vpc/ibm"
-  version                                = "7.13.2"
-  for_each                               = local.vpc_map
-  depends_on                             = [ibm_iam_authorization_policy.policy]
-  name                                   = each.value.prefix
-  tags                                   = var.tags
-  access_tags                            = each.value.access_tags
-  resource_group_id                      = each.value.resource_group == null ? null : local.resource_groups[each.value.resource_group]
-  region                                 = var.region
-  prefix                                 = var.prefix
-  network_cidrs                          = [var.network_cidr]
-  classic_access                         = each.value.classic_access
-  default_network_acl_name               = each.value.default_network_acl_name
-  default_security_group_name            = each.value.default_security_group_name
-  security_group_rules                   = each.value.default_security_group_rules == null ? [] : each.value.default_security_group_rules
-  default_routing_table_name             = each.value.default_routing_table_name
-  address_prefixes                       = each.value.address_prefixes
-  network_acls                           = each.value.network_acls
-  use_public_gateways                    = each.value.use_public_gateways
-  subnets                                = each.value.subnets
+  source                      = "terraform-ibm-modules/landing-zone-vpc/ibm"
+  version                     = "7.13.3"
+  for_each                    = local.vpc_map
+  name                        = each.value.prefix
+  existing_vpc_id             = each.value.existing_vpc_id
+  create_vpc                  = each.value.existing_vpc_id == null ? true : false
+  tags                        = var.tags
+  access_tags                 = each.value.access_tags
+  resource_group_id           = each.value.resource_group == null ? null : local.resource_groups[each.value.resource_group]
+  region                      = var.region
+  prefix                      = var.prefix
+  network_cidrs               = [var.network_cidr]
+  classic_access              = each.value.classic_access
+  default_network_acl_name    = each.value.default_network_acl_name
+  default_security_group_name = each.value.default_security_group_name
+  security_group_rules        = each.value.default_security_group_rules == null ? [] : each.value.default_security_group_rules
+  default_routing_table_name  = each.value.default_routing_table_name
+  address_prefixes            = each.value.address_prefixes
+  network_acls                = each.value.network_acls
+  use_public_gateways         = each.value.use_public_gateways
+  create_subnets              = length(coalesce(each.value.existing_subnet_ids, [])) == 0 ? true : false
+  # NOTE: for existing subnets scenario, current VPC module does not accept null for subnets map, so sending in a map with empty arrays instead
+  subnets                                = length(coalesce(each.value.existing_subnet_ids, [])) == 0 ? each.value.subnets : { "zone-1" : [], "zone-2" : [], "zone-3" : [] }
+  existing_subnet_ids                    = each.value.existing_subnet_ids
   enable_vpc_flow_logs                   = (each.value.flow_logs_bucket_name != null) ? true : false
   create_authorization_policy_vpc_to_cos = false
   existing_storage_bucket_name           = (each.value.flow_logs_bucket_name != null) ? ibm_cos_bucket.buckets[each.value.flow_logs_bucket_name].bucket_name : null
diff --git a/variables.tf b/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ module "vsi_subnets" {`
`36`	`36`	`source = "../get_subnets"`
`37`	`37`	`for_each = module.vsi_list_to_map.value`
`38`	`38`	`subnet_zone_list = var.vpc_modules[each.value.vpc_name].subnet_zone_list`
`39`		`- regex = "${var.prefix}-${each.value.vpc_name}-${each.value.subnet_name}"`
	`39`	`+ regex = each.value.subnet_name`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`##############################################################################`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ module "f5_primary_subnets" {`
`17`	`17`	`source = "../get_subnets"`
`18`	`18`	`for_each = module.f5_vsi_map.value`
`19`	`19`	`subnet_zone_list = var.vpc_modules[each.value.vpc_name].subnet_zone_list`
`20`		`- regex = "${var.prefix}-${each.value.vpc_name}-${each.value.primary_subnet_name}"`
	`20`	`+ regex = each.value.primary_subnet_name`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`##############################################################################`
Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ module "vpe_ip_map" {`
`63`	`63`	`vpc_name = vpcs.name`
`64`	`64`	`ip_name = "${vpcs.name}-${service.service_name}-gateway-${subnet}-ip"`
`65`	`65`	`gateway_name = "${vpcs.name}-${service.service_name}"`
`66`		`- subnet_name = "${var.prefix}-${vpcs.name}-${subnet}"`
	`66`	`+ subnet_name = subnet`
`67`	`67`	`}`
`68`	`68`	`]`
`69`	`69`	`]`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ module "vpn_subnet_map" {`
`9`	`9`	`{`
`10`	`10`	`name = gateway.name`
`11`	`11`	`vpc_name = gateway.vpc_name`
`12`		`- vpc_subnet_name = "${var.prefix}-${gateway.vpc_name}-${gateway.subnet_name}"`
	`12`	`+ vpc_subnet_name = gateway.subnet_name`
`13`	`13`	`}`
`14`	`14`	`]`
`15`	`15`	`}`