feat: added support to optionally pass an existing CBR zone ID in which all VPCs created will be added to (#745)

Ak-sky · web-flow · commit b576712110df · 2024-09-19T09:27:14.000+01:00
diff --git a/README.md b/README.md
diff --git a/cbr.tf b/cbr.tf
@@ -0,0 +1,15 @@
+##############################################################################
+# Update existing CBR VPC network zone
+##############################################################################
+module "update_cbr_vpc_zone" {
+  source                = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
+  version               = "1.26.0"
+  count                 = var.existing_vpc_cbr_zone_id != null ? 1 : 0
+  use_existing_cbr_zone = true
+  existing_zone_id      = var.existing_vpc_cbr_zone_id
+  addresses = [
+    for network in module.vpc :
+    { "type" = "vpc",
+    value = network.vpc_crn }
+  ]
+}
diff --git a/examples/one-vpc-one-vsi/override.json b/examples/one-vpc-one-vsi/override.json
@@ -3,6 +3,7 @@
   "transit_gateway_global": false,
   "virtual_private_endpoints": [],
   "service_endpoints": "public-and-private",
+  "existing_vpc_cbr_zone_id" : null,
   "security_groups": [],
   "vpn_gateways": [],
   "atracker": {
diff --git a/examples/override-example/override.json b/examples/override-example/override.json
@@ -77,6 +77,7 @@
     }
   ],
   "service_endpoints": "public-and-private",
+  "existing_vpc_cbr_zone_id" : null,
   "security_groups": [],
   "vpn_gateways": [
     {
diff --git a/ibm_catalog.json b/ibm_catalog.json
@@ -43,6 +43,10 @@
         {
           "description": "Provisions and manages SSH keys for the VSIs so that you can securely administer the instances.\n",
           "title": "Provisions SSH keys"
+        },
+        {
+          "description": "Configures existing CBR (Context-based restrictions) rules to allow traffic to flow only from the landing zone VPCs to specific cloud services.\n",
+          "title": "Configures CBR"
         }
       ],
       "flavors": [
@@ -475,6 +479,10 @@
               {
                 "title": "Uses floating IP addresses for access through the public internet",
                 "description": "No"
+              },
+              {
+                "description": "Configures existing CBR (Context-based restrictions) rules to allow traffic to flow only from the landing zone VPCs to specific cloud services.\n",
+                "title": "Configures CBR"
               }
             ],
             "diagrams": [
@@ -927,6 +935,10 @@
               {
                 "title": "Uses Floating IP address for access through the public internet",
                 "description": "No"
+              },
+              {
+                "description": "Configures existing CBR (Context-based restrictions) rules to allow traffic to flow only from the landing zone VPCs to specific cloud services.\n",
+                "title": "Configures CBR"
               }
             ],
             "diagrams": [
@@ -1435,6 +1447,10 @@
               {
                 "title": "Uses Floating IP address for access through the public internet",
                 "description": "No"
+              },
+              {
+                "description": "Configures existing CBR (Context-based restrictions) rules to allow traffic to flow only from the landing zone VPCs to specific cloud services.\n",
+                "title": "Configures CBR"
               }
             ],
             "diagrams": [
diff --git a/patterns/mixed/config.tf b/patterns/mixed/config.tf
@@ -257,6 +257,7 @@ locals {
     virtual_private_endpoints              = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
     cos                                    = lookup(local.override[local.override_type], "cos", local.config.object_storage)
     service_endpoints                      = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
+    existing_vpc_cbr_zone_id               = lookup(local.override[local.override_type], "existing_vpc_cbr_zone_id", var.existing_vpc_cbr_zone_id)
     skip_kms_block_storage_s2s_auth_policy = lookup(local.override[local.override_type], "skip_kms_block_storage_s2s_auth_policy", local.config.skip_kms_block_storage_s2s_auth_policy)
     skip_all_s2s_auth_policies             = lookup(local.override[local.override_type], "skip_all_s2s_auth_policies", local.config.skip_all_s2s_auth_policies)
     key_management                         = lookup(local.override[local.override_type], "key_management", local.config.key_management)
diff --git a/patterns/mixed/main.tf b/patterns/mixed/main.tf
@@ -34,6 +34,7 @@ module "landing_zone" {
   virtual_private_endpoints              = local.env.virtual_private_endpoints
   cos                                    = local.env.cos
   service_endpoints                      = local.env.service_endpoints
+  existing_vpc_cbr_zone_id               = local.env.existing_vpc_cbr_zone_id
   key_management                         = local.env.key_management
   skip_kms_block_storage_s2s_auth_policy = local.env.skip_kms_block_storage_s2s_auth_policy
   skip_all_s2s_auth_policies             = local.env.skip_all_s2s_auth_policies
diff --git a/patterns/mixed/override.json b/patterns/mixed/override.json
@@ -162,6 +162,7 @@
         "resource_group": "slz-service-rg",
         "use_hs_crypto": false,
         "service_endpoints": "public-and-private"
+
     },
     "resource_groups": [
         {
@@ -179,6 +180,7 @@
     ],
     "security_groups": [],
     "service_endpoints": "public-and-private",
+    "existing_vpc_cbr_zone_id" : null,
     "ssh_keys": [
         {
             "name": "slz-ssh-key",
diff --git a/patterns/mixed/variables.tf b/patterns/mixed/variables.tf
@@ -592,3 +592,15 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" {
 }
 
 ##############################################################################
+
+
+##############################################################################
+# CBR variables
+##############################################################################
+variable "existing_vpc_cbr_zone_id" {
+  type        = string
+  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
+  default     = null
+}
+
+##############################################################################
diff --git a/patterns/roks/main.tf b/patterns/roks/main.tf
@@ -105,6 +105,7 @@ module "roks_landing_zone" {
   teleport_management_zones              = var.teleport_management_zones
   IC_SCHEMATICS_WORKSPACE_ID             = var.IC_SCHEMATICS_WORKSPACE_ID
   kms_wait_for_apply                     = var.kms_wait_for_apply
+  existing_vpc_cbr_zone_id               = var.existing_vpc_cbr_zone_id
 }
 
 moved {
diff --git a/patterns/roks/module/config.tf b/patterns/roks/module/config.tf
@@ -244,6 +244,7 @@ locals {
     virtual_private_endpoints              = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
     cos                                    = lookup(local.override[local.override_type], "cos", local.config.object_storage)
     service_endpoints                      = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
+    existing_vpc_cbr_zone_id               = lookup(local.override[local.override_type], "existing_vpc_cbr_zone_id", var.existing_vpc_cbr_zone_id)
     skip_kms_block_storage_s2s_auth_policy = lookup(local.override[local.override_type], "skip_kms_block_storage_s2s_auth_policy", local.config.skip_kms_block_storage_s2s_auth_policy)
     skip_all_s2s_auth_policies             = lookup(local.override[local.override_type], "skip_all_s2s_auth_policies", local.config.skip_all_s2s_auth_policies)
     key_management                         = lookup(local.override[local.override_type], "key_management", local.config.key_management)
diff --git a/patterns/roks/module/main.tf b/patterns/roks/module/main.tf
@@ -21,6 +21,7 @@ module "landing_zone" {
   virtual_private_endpoints              = local.env.virtual_private_endpoints
   cos                                    = local.env.cos
   service_endpoints                      = local.env.service_endpoints
+  existing_vpc_cbr_zone_id               = local.env.existing_vpc_cbr_zone_id
   key_management                         = local.env.key_management
   skip_kms_block_storage_s2s_auth_policy = local.env.skip_kms_block_storage_s2s_auth_policy
   skip_all_s2s_auth_policies             = local.env.skip_all_s2s_auth_policies
diff --git a/patterns/roks/module/variables.tf b/patterns/roks/module/variables.tf
@@ -682,3 +682,14 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" {
 }
 
 ##############################################################################
+
+##############################################################################
+# CBR variables
+##############################################################################
+variable "existing_vpc_cbr_zone_id" {
+  type        = string
+  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
+  default     = null
+}
+
+##############################################################################
diff --git a/patterns/roks/outputs.tf b/patterns/roks/outputs.tf
@@ -193,4 +193,4 @@ output "schematics_workspace_id" {
   description = "ID of the IBM Cloud Schematics workspace. Returns null if not ran in Schematics"
   value       = var.IC_SCHEMATICS_WORKSPACE_ID
 }
-##############################################################################
+#############################################################################
diff --git a/patterns/roks/override.json b/patterns/roks/override.json
@@ -220,6 +220,7 @@
     ],
     "security_groups": [],
     "service_endpoints": "public-and-private",
+    "existing_vpc_cbr_zone_id" : null,
     "ssh_keys": [],
     "transit_gateway_connections": [
         "management",
diff --git a/patterns/roks/variables.tf b/patterns/roks/variables.tf
@@ -669,3 +669,14 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" {
 }
 
 ##############################################################################
+
+##############################################################################
+# CBR variables
+##############################################################################
+variable "existing_vpc_cbr_zone_id" {
+  type        = string
+  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
+  default     = null
+}
+
+##############################################################################
diff --git a/patterns/vpc/main.tf b/patterns/vpc/main.tf
@@ -81,6 +81,7 @@ module "vpc_landing_zone" {
   tmos_admin_password                    = var.tmos_admin_password
   license_type                           = var.license_type
   teleport_management_zones              = var.teleport_management_zones
+  existing_vpc_cbr_zone_id               = var.existing_vpc_cbr_zone_id
 }
 
 moved {
diff --git a/patterns/vpc/module/config.tf b/patterns/vpc/module/config.tf
@@ -187,6 +187,7 @@ locals {
     virtual_private_endpoints              = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
     cos                                    = lookup(local.override[local.override_type], "cos", local.config.object_storage)
     service_endpoints                      = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
+    existing_vpc_cbr_zone_id               = lookup(local.override[local.override_type], "existing_vpc_cbr_zone_id", var.existing_vpc_cbr_zone_id)
     skip_kms_block_storage_s2s_auth_policy = lookup(local.override[local.override_type], "skip_kms_block_storage_s2s_auth_policy", local.config.skip_kms_block_storage_s2s_auth_policy)
     skip_all_s2s_auth_policies             = lookup(local.override[local.override_type], "skip_all_s2s_auth_policies", local.config.skip_all_s2s_auth_policies)
     key_management                         = lookup(local.override[local.override_type], "key_management", local.config.key_management)
diff --git a/patterns/vpc/module/main.tf b/patterns/vpc/module/main.tf
@@ -21,6 +21,7 @@ module "landing_zone" {
   virtual_private_endpoints              = local.env.virtual_private_endpoints
   cos                                    = local.env.cos
   service_endpoints                      = local.env.service_endpoints
+  existing_vpc_cbr_zone_id               = local.env.existing_vpc_cbr_zone_id
   key_management                         = local.env.key_management
   skip_kms_block_storage_s2s_auth_policy = local.env.skip_kms_block_storage_s2s_auth_policy
   skip_all_s2s_auth_policies             = local.env.skip_all_s2s_auth_policies
diff --git a/patterns/vpc/module/variables.tf b/patterns/vpc/module/variables.tf
@@ -498,3 +498,14 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" {
 }
 
 ##############################################################################
+
+##############################################################################
+# CBR variables
+##############################################################################
+variable "existing_vpc_cbr_zone_id" {
+  type        = string
+  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
+  default     = null
+}
+
+##############################################################################
diff --git a/patterns/vpc/override.json b/patterns/vpc/override.json
@@ -139,6 +139,7 @@
     ],
     "security_groups": [],
     "service_endpoints": "public-and-private",
+    "existing_vpc_cbr_zone_id" : null,
     "ssh_keys": [],
     "transit_gateway_connections": [
         "management",
diff --git a/patterns/vpc/variables.tf b/patterns/vpc/variables.tf
@@ -481,3 +481,14 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" {
 }
 
 ##############################################################################
+
+##############################################################################
+# CBR variables
+##############################################################################
+variable "existing_vpc_cbr_zone_id" {
+  type        = string
+  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
+  default     = null
+}
+
+##############################################################################
diff --git a/patterns/vsi/main.tf b/patterns/vsi/main.tf
@@ -86,6 +86,7 @@ module "vsi_landing_zone" {
   override                               = var.override
   override_json_string                   = var.override_json_string
   override_json_path                     = local.override_json_path
+  existing_vpc_cbr_zone_id               = var.existing_vpc_cbr_zone_id
 }
 
 moved {
diff --git a/patterns/vsi/module/config.tf b/patterns/vsi/module/config.tf
@@ -222,6 +222,7 @@ locals {
     virtual_private_endpoints              = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
     cos                                    = lookup(local.override[local.override_type], "cos", local.config.object_storage)
     service_endpoints                      = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
+    existing_vpc_cbr_zone_id               = lookup(local.override[local.override_type], "existing_vpc_cbr_zone_id", var.existing_vpc_cbr_zone_id)
     skip_kms_block_storage_s2s_auth_policy = lookup(local.override[local.override_type], "skip_kms_block_storage_s2s_auth_policy", local.config.skip_kms_block_storage_s2s_auth_policy)
     skip_all_s2s_auth_policies             = lookup(local.override[local.override_type], "skip_all_s2s_auth_policies", local.config.skip_all_s2s_auth_policies)
     key_management                         = lookup(local.override[local.override_type], "key_management", local.config.key_management)
diff --git a/patterns/vsi/module/main.tf b/patterns/vsi/module/main.tf
@@ -21,6 +21,7 @@ module "landing_zone" {
   virtual_private_endpoints              = local.env.virtual_private_endpoints
   cos                                    = local.env.cos
   service_endpoints                      = local.env.service_endpoints
+  existing_vpc_cbr_zone_id               = local.env.existing_vpc_cbr_zone_id
   key_management                         = local.env.key_management
   skip_kms_block_storage_s2s_auth_policy = local.env.skip_kms_block_storage_s2s_auth_policy
   skip_all_s2s_auth_policies             = local.env.skip_all_s2s_auth_policies
diff --git a/patterns/vsi/module/variables.tf b/patterns/vsi/module/variables.tf
@@ -530,3 +530,15 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" {
 }
 
 ##############################################################################
+
+##############################################################################
+# CBR variables
+##############################################################################
+
+variable "existing_vpc_cbr_zone_id" {
+  type        = string
+  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
+  default     = null
+}
+
+##############################################################################
diff --git a/patterns/vsi/outputs.tf b/patterns/vsi/outputs.tf
@@ -138,5 +138,3 @@ output "config" {
   description = "Output configuration as encoded JSON"
   value       = module.vsi_landing_zone.config
 }
-
-##############################################################################
diff --git a/patterns/vsi/override.json b/patterns/vsi/override.json
@@ -139,6 +139,7 @@
     ],
     "security_groups": [],
     "service_endpoints": "public-and-private",
+    "existing_vpc_cbr_zone_id" : null,
     "ssh_keys": [
         {
             "name": "slz-ssh-key",
diff --git a/patterns/vsi/variables.tf b/patterns/vsi/variables.tf
@@ -514,3 +514,15 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" {
 }
 
 ##############################################################################
+
+##############################################################################
+# CBR variables
+##############################################################################
+
+variable "existing_vpc_cbr_zone_id" {
+  type        = string
+  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
+  default     = null
+}
+
+##############################################################################
diff --git a/variables.tf b/variables.tf
@@ -1334,3 +1334,14 @@ variable "skip_all_s2s_auth_policies" {
 }
 
 ##############################################################################
+
+##############################################################################
+# CBR variables
+##############################################################################
+variable "existing_vpc_cbr_zone_id" {
+  type        = string
+  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
+  default     = null
+}
+
+##############################################################################
diff --git a/version.tf b/version.tf
@@ -8,7 +8,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = ">= 1.67.0, < 2.0.0"
+      version = ">= 1.68.1, < 2.0.0"
     }
     random = {
       source  = "hashicorp/random"

Original file line number	Diff line number	Diff line change
`@@ -77,6 +77,7 @@`
`77`	`77`	`}`
`78`	`78`	`],`
`79`	`79`	`"service_endpoints": "public-and-private",`
	`80`	`+ "existing_vpc_cbr_zone_id" : null,`
`80`	`81`	`"security_groups": [],`
`81`	`82`	`"vpn_gateways": [`
`82`	`83`	`{`
Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,10 @@`
`43`	`43`	`{`
`44`	`44`	`"description": "Provisions and manages SSH keys for the VSIs so that you can securely administer the instances.\n",`
`45`	`45`	`"title": "Provisions SSH keys"`
	`46`	`+ },`
	`47`	`+ {`
	`48`	`+ "description": "Configures existing CBR (Context-based restrictions) rules to allow traffic to flow only from the landing zone VPCs to specific cloud services.\n",`
	`49`	`+ "title": "Configures CBR"`
`46`	`50`	`}`
`47`	`51`	`],`
`48`	`52`	`"flavors": [`
`@@ -475,6 +479,10 @@`
`475`	`479`	`{`
`476`	`480`	`"title": "Uses floating IP addresses for access through the public internet",`
`477`	`481`	`"description": "No"`
	`482`	`+ },`
	`483`	`+ {`
	`484`	`+ "description": "Configures existing CBR (Context-based restrictions) rules to allow traffic to flow only from the landing zone VPCs to specific cloud services.\n",`
	`485`	`+ "title": "Configures CBR"`
`478`	`486`	`}`
`479`	`487`	`],`
`480`	`488`	`"diagrams": [`
`@@ -927,6 +935,10 @@`
`927`	`935`	`{`
`928`	`936`	`"title": "Uses Floating IP address for access through the public internet",`
`929`	`937`	`"description": "No"`
	`938`	`+ },`
	`939`	`+ {`
	`940`	`+ "description": "Configures existing CBR (Context-based restrictions) rules to allow traffic to flow only from the landing zone VPCs to specific cloud services.\n",`
	`941`	`+ "title": "Configures CBR"`
`930`	`942`	`}`
`931`	`943`	`],`
`932`	`944`	`"diagrams": [`
`@@ -1435,6 +1447,10 @@`
`1435`	`1447`	`{`
`1436`	`1448`	`"title": "Uses Floating IP address for access through the public internet",`
`1437`	`1449`	`"description": "No"`
	`1450`	`+ },`
	`1451`	`+ {`
	`1452`	`+ "description": "Configures existing CBR (Context-based restrictions) rules to allow traffic to flow only from the landing zone VPCs to specific cloud services.\n",`
	`1453`	`+ "title": "Configures CBR"`
`1438`	`1454`	`}`
`1439`	`1455`	`],`
`1440`	`1456`	`"diagrams": [`
Original file line number	Diff line number	Diff line change
`@@ -105,6 +105,7 @@ module "roks_landing_zone" {`
`105`	`105`	`teleport_management_zones = var.teleport_management_zones`
`106`	`106`	`IC_SCHEMATICS_WORKSPACE_ID = var.IC_SCHEMATICS_WORKSPACE_ID`
`107`	`107`	`kms_wait_for_apply = var.kms_wait_for_apply`
	`108`	`+ existing_vpc_cbr_zone_id = var.existing_vpc_cbr_zone_id`
`108`	`109`	`}`
`109`	`110`
`110`	`111`	`moved {`