diff --git a/README.md b/README.md index 9ef5b941b..71e4aeaf4 100644 --- a/README.md +++ b/README.md @@ -942,7 +942,7 @@ module "cluster_pattern" { | [vpc\_placement\_groups](#input\_vpc\_placement\_groups) | List of VPC placement groups to create |
list(
object({
access_tags = optional(list(string), [])
name = string
resource_group = optional(string)
strategy = string
})
)
| `[]` | no | | [vpcs](#input\_vpcs) | A map describing VPCs to be created in this repo. |
list(
object({
prefix = string # VPC prefix
existing_vpc_id = optional(string)
existing_subnets = optional(
list(
object({
id = string
public_gateway = optional(bool, false)
})
)
)
resource_group = optional(string) # Name of the group where VPC will be created
access_tags = optional(list(string), [])
default_network_acl_name = optional(string)
default_security_group_name = optional(string)
clean_default_sg_acl = optional(bool, false)
dns_binding_name = optional(string, null)
dns_instance_name = optional(string, null)
dns_custom_resolver_name = optional(string, null)
dns_location = optional(string, "global")
dns_plan = optional(string, "standard-dns")
dns_zone_name = optional(string, null)
dns_zone_description = optional(string, null)
dns_zone_label = optional(string, null)
dns_records = optional(list(object({
name = string
type = string
ttl = number
rdata = string
preference = optional(number, null)
service = optional(string, null)
protocol = optional(string, null)
priority = optional(number, null)
weight = optional(number, null)
port = optional(number, null)
})), [])
existing_dns_instance_id = optional(string, null)
use_existing_dns_instance = optional(bool, false)
enable_hub = optional(bool, false)
skip_spoke_auth_policy = optional(bool, false)
hub_account_id = optional(string, null)
enable_hub_vpc_id = optional(bool, false)
hub_vpc_id = optional(string, null)
enable_hub_vpc_crn = optional(bool, false)
hub_vpc_crn = optional(string, null)
update_delegated_resolver = optional(bool, false)
skip_custom_resolver_hub_creation = optional(bool, false)
resolver_type = optional(string, null)
manual_servers = optional(list(object({
address = string
zone_affinity = optional(string)
})), [])
default_security_group_rules = optional(
list(
object({
name = string
direction = string
remote = string
tcp = optional(
object({
port_max = optional(number)
port_min = optional(number)
})
)
udp = optional(
object({
port_max = optional(number)
port_min = optional(number)
})
)
icmp = optional(
object({
type = optional(number)
code = optional(number)
})
)
})
)
)
default_routing_table_name = optional(string)
flow_logs_bucket_name = optional(string)
address_prefixes = optional(
object({
zone-1 = optional(list(string))
zone-2 = optional(list(string))
zone-3 = optional(list(string))
})
)
network_acls = list(
object({
name = string
add_ibm_cloud_internal_rules = optional(bool)
add_vpc_connectivity_rules = optional(bool)
prepend_ibm_rules = optional(bool)
rules = list(
object({
name = string
action = string
destination = string
direction = string
source = string
tcp = optional(
object({
port_max = optional(number)
port_min = optional(number)
source_port_max = optional(number)
source_port_min = optional(number)
})
)
udp = optional(
object({
port_max = optional(number)
port_min = optional(number)
source_port_max = optional(number)
source_port_min = optional(number)
})
)
icmp = optional(
object({
type = optional(number)
code = optional(number)
})
)
})
)
})
)
use_public_gateways = object({
zone-1 = optional(bool)
zone-2 = optional(bool)
zone-3 = optional(bool)
})
subnets = optional(object({
zone-1 = list(object({
name = string
cidr = string
public_gateway = optional(bool)
acl_name = string
no_addr_prefix = optional(bool, false)
}))
zone-2 = list(object({
name = string
cidr = string
public_gateway = optional(bool)
acl_name = string
no_addr_prefix = optional(bool, false)
}))
zone-3 = list(object({
name = string
cidr = string
public_gateway = optional(bool)
acl_name = string
no_addr_prefix = optional(bool, false)
}))
}))
})
)
| n/a | yes | | [vpn\_gateways](#input\_vpn\_gateways) | List of VPN Gateways to create. |
list(
object({
name = string
vpc_name = string
subnet_name = string # Do not include prefix, use same name as in `var.subnets`
mode = optional(string)
resource_group = optional(string)
access_tags = optional(list(string), [])
})
)
| n/a | yes | -| [vsi](#input\_vsi) | A list describing VSI workloads to create |
list(
object({
name = string
vpc_name = string
subnet_names = list(string)
ssh_keys = list(string)
image_name = string
machine_type = string
vsi_per_subnet = number
user_data = optional(string)
resource_group = optional(string)
enable_floating_ip = optional(bool)
security_groups = optional(list(string))
boot_volume_encryption_key_name = optional(string)
primary_vni_additional_ip_count = optional(number)
use_legacy_network_interface = optional(bool)
access_tags = optional(list(string), [])
security_group = optional(
object({
name = string
rules = list(
object({
name = string
direction = string
source = string
tcp = optional(
object({
port_max = number
port_min = number
})
)
udp = optional(
object({
port_max = number
port_min = number
})
)
icmp = optional(
object({
type = number
code = number
})
)
})
)
})
)
block_storage_volumes = optional(list(
object({
name = string
profile = string
capacity = optional(number)
iops = optional(number)
encryption_key = optional(string)
})
))
load_balancers = optional(list(
object({
name = string
type = string
listener_port = optional(number)
listener_port_max = optional(number)
listener_port_min = optional(number)
listener_protocol = string
connection_limit = optional(number)
idle_connection_timeout = optional(number)
algorithm = string
protocol = string
health_delay = number
health_retries = number
health_timeout = number
health_type = string
pool_member_port = string
profile = optional(string)
accept_proxy_protocol = optional(bool)
subnet_id_to_provision_nlb = optional(string) # Required for Network Load Balancer. If no value is provided, the first one from the VPC subnet list will be selected.
dns = optional(
object({
instance_crn = string
zone_id = string
})
)
security_group = optional(
object({
name = string
rules = list(
object({
name = string
direction = string
source = string
tcp = optional(
object({
port_max = number
port_min = number
})
)
udp = optional(
object({
port_max = number
port_min = number
})
)
icmp = optional(
object({
type = number
code = number
})
)
})
)
})
)
})
))
})
)
| n/a | yes | +| [vsi](#input\_vsi) | A list describing VSI workloads to create |
list(
object({
name = string
vpc_name = string
subnet_names = list(string)
ssh_keys = list(string)
image_name = string
machine_type = string
vsi_per_subnet = number
user_data = optional(string)
resource_group = optional(string)
enable_floating_ip = optional(bool)
allow_ip_spoofing = optional(bool)
security_groups = optional(list(string))
boot_volume_encryption_key_name = optional(string)
primary_vni_additional_ip_count = optional(number)
use_legacy_network_interface = optional(bool)
access_tags = optional(list(string), [])
security_group = optional(
object({
name = string
rules = list(
object({
name = string
direction = string
source = string
tcp = optional(
object({
port_max = number
port_min = number
})
)
udp = optional(
object({
port_max = number
port_min = number
})
)
icmp = optional(
object({
type = number
code = number
})
)
})
)
})
)
block_storage_volumes = optional(list(
object({
name = string
profile = string
capacity = optional(number)
iops = optional(number)
encryption_key = optional(string)
})
))
load_balancers = optional(list(
object({
name = string
type = string
listener_port = optional(number)
listener_port_max = optional(number)
listener_port_min = optional(number)
listener_protocol = string
connection_limit = optional(number)
idle_connection_timeout = optional(number)
algorithm = string
protocol = string
health_delay = number
health_retries = number
health_timeout = number
health_type = string
pool_member_port = string
profile = optional(string)
accept_proxy_protocol = optional(bool)
subnet_id_to_provision_nlb = optional(string) # Required for Network Load Balancer. If no value is provided, the first one from the VPC subnet list will be selected.
dns = optional(
object({
instance_crn = string
zone_id = string
})
)
security_group = optional(
object({
name = string
rules = list(
object({
name = string
direction = string
source = string
tcp = optional(
object({
port_max = number
port_min = number
})
)
udp = optional(
object({
port_max = number
port_min = number
})
)
icmp = optional(
object({
type = number
code = number
})
)
})
)
})
)
})
))
})
)
| n/a | yes |
 | [wait\_till](#input\_wait\_till) | To avoid long wait times when you run your Terraform code, you can specify the stage when you want Terraform to mark the cluster resource creation as completed. Depending on what stage you choose, the cluster creation might not be fully completed and continues to run in the background. However, your Terraform code can continue to run without waiting for the cluster to be fully created. Supported args are `MasterNodeReady`, `OneWorkerNodeReady`, and `IngressReady` | `string` | `"IngressReady"` | no |
 ### Outputs
diff --git a/ibm_catalog.json b/ibm_catalog.json
index a00436b80..14e29a72c 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -295,6 +295,9 @@
 {
 "key": "use_legacy_network_interface"
 },
+ {
+ "key": "allow_ip_spoofing"
+ },
 {
 "key": "add_edge_vpc",
 "hidden": true
@@ -717,6 +720,9 @@
 },
 {
 "key": "use_legacy_network_interface"
+ },
+ {
+ "key": "allow_ip_spoofing"
 }
 ],
 "iam_permissions": [
diff --git a/patterns/vsi-extension/main.tf b/patterns/vsi-extension/main.tf
index cb15c6a98..b27fbf124 100644
--- a/patterns/vsi-extension/main.tf
+++ b/patterns/vsi-extension/main.tf
@@ -68,4 +68,5 @@ module "vsi" {
 placement_group_id = var.placement_group_id
 primary_vni_additional_ip_count = var.primary_vni_additional_ip_count
 use_legacy_network_interface = var.use_legacy_network_interface
+ allow_ip_spoofing = var.allow_ip_spoofing
 }
diff --git a/patterns/vsi-extension/variables.tf b/patterns/vsi-extension/variables.tf
index 5e5cb486b..0e16c0717 100644
--- a/patterns/vsi-extension/variables.tf
+++ b/patterns/vsi-extension/variables.tf
@@ -209,3 +209,9 @@ variable "use_legacy_network_interface" {
 type = bool
 default = false
 }
+
+variable "allow_ip_spoofing" {
+ description = "Allow IP spoofing on the primary network interface"
+ type = bool
+ default = false
+}
diff --git a/patterns/vsi/main.tf b/patterns/vsi/main.tf
index 07b8eef34..5d4c0ad03 100644
--- a/patterns/vsi/main.tf
+++ b/patterns/vsi/main.tf
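Review bot: The `description` on the new `allow_ip_spoofing` variable in patterns/vsi-extension/variables.tf restates the name without saying what the flag changes or why it should normally stay false; the same one-line description is repeated in patterns/vsi/module/variables.tf and patterns/vsi/variables.tf. On an IBM VPC network interface this setting lets the interface send and receive traffic whose source or destination address is not its own, which is needed only for instances that route or NAT traffic and otherwise widens what a compromised workload can do on its subnet. Something like `description = "Set to true to let the primary network interface send and receive traffic with IP addresses other than its own, which a VSI needs only when it forwards traffic (for example as a NAT gateway, router or firewall appliance). Leave false for ordinary workloads."` would let an operator judge the trade-off where the flag is set.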
@@ -89,6 +89,7 @@ module "vsi_landing_zone" {
 existing_vpc_cbr_zone_id = var.existing_vpc_cbr_zone_id
 user_data = var.user_data
 use_legacy_network_interface = var.use_legacy_network_interface
+ allow_ip_spoofing = var.allow_ip_spoofing
 }
 moved {
diff --git a/patterns/vsi/module/config.tf b/patterns/vsi/module/config.tf
index 92222580f..7d5bfc3d0 100644
--- a/patterns/vsi/module/config.tf
+++ b/patterns/vsi/module/config.tf
@@ -86,6 +86,7 @@ locals {
 boot_volume_encryption_key_name = "${var.prefix}-vsi-volume-key"
 user_data = lookup(var.user_data, network, null) != null ? var.user_data[network].user_data : null
 use_legacy_network_interface = var.use_legacy_network_interface
+ allow_ip_spoofing = var.allow_ip_spoofing
 security_group = {
 name = "${var.prefix}-${network}"
 vpc_name = var.vpcs[0]
diff --git a/patterns/vsi/module/variables.tf b/patterns/vsi/module/variables.tf
index 4e360bedd..26e98009c 100644
--- a/patterns/vsi/module/variables.tf
+++ b/patterns/vsi/module/variables.tf
@@ -160,6 +160,12 @@ variable "use_legacy_network_interface" {
 default = false
 }
+variable "allow_ip_spoofing" {
+ description = "Allow IP spoofing on the primary network interface"
+ type = bool
+ default = false
+}
+
 ##############################################################################
diff --git a/patterns/vsi/override.json b/patterns/vsi/override.json
index 546c9c097..bc73a6f88 100644
--- a/patterns/vsi/override.json
+++ b/patterns/vsi/override.json
@@ -423,7 +423,8 @@
 "vsi-zone-3"
 ],
 "vpc_name": "management",
- "vsi_per_subnet": 1
+ "vsi_per_subnet": 1,
+ "allow_ip_spoofing": false
 },
 {
 "boot_volume_encryption_key_name": "slz-vsi-volume-key",
diff --git a/patterns/vsi/variables.tf b/patterns/vsi/variables.tf
index c9d18a408..f7e8509ec 100644
--- a/patterns/vsi/variables.tf
+++ b/patterns/vsi/variables.tf
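Review bot: In patterns/vsi/module/config.tf the new `allow_ip_spoofing = var.allow_ip_spoofing` line sits inside the per-network locals (the neighbouring `security_group` name is built from `network`), so a single pattern-level boolean appears to switch spoofing on for every VSI in every network the pattern creates; the enclosing `locals` block starts before and ends after the hunk. That is coarser than the top-level `vsi` schema, where the flag is set per VSI entry, and it means an operator who needs it for one forwarding appliance must also grant it to workload servers that should never emit foreign source addresses. If a single input is intended, a comment stating the scope next to the assignment, `# one flag for every VSI in every network of this pattern`, would make that visible; otherwise consider keying it per network the way `user_data` is looked up two lines above.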
@@ -160,6 +160,12 @@ variable "use_legacy_network_interface" {
 default = false
 }
+variable "allow_ip_spoofing" {
+ description = "Allow IP spoofing on the primary network interface"
+ type = bool
+ default = false
+}
+
 ##############################################################################
diff --git a/variables.tf b/variables.tf
index 3199a94a1..61f6692b9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -317,6 +317,7 @@ variable "vsi" {
 user_data = optional(string)
 resource_group = optional(string)
 enable_floating_ip = optional(bool)
+ allow_ip_spoofing = optional(bool)
 security_groups = optional(list(string))
 boot_volume_encryption_key_name = optional(string)
 primary_vni_additional_ip_count = optional(number)
diff --git a/virtual_servers.tf b/virtual_servers.tf
index c38b427e0..0a726e8ec 100644
--- a/virtual_servers.tf
+++ b/virtual_servers.tf
@@ -88,6 +88,7 @@ module "vsi" {
 }
 ]
 enable_floating_ip = each.value.enable_floating_ip == true ? true : false
+ allow_ip_spoofing = each.value.allow_ip_spoofing
 depends_on = [module.ssh_keys]
 }
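Review bot: In variables.tf the new `allow_ip_spoofing = optional(bool)` has no default, so a `vsi` entry that omits it yields null, and virtual_servers.tf then passes `each.value.allow_ip_spoofing` through unchanged, whereas the `enable_floating_ip` line just above it normalises with `== true ? true : false`. What the downstream module does with a null depends on its own variable declaration, which is outside this diff, so the effective value of a security-relevant flag is currently implicit for every caller that leaves it out. Either `allow_ip_spoofing = optional(bool, false)` in the schema or `allow_ip_spoofing = each.value.allow_ip_spoofing == true ? true : false` in virtual_servers.tf would pin the omitted case to false and match the `default = false` the pattern-level variables declare. If the schema changes, the `vsi` type block in README.md needs the same default.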