From 17a2a231ffb71d65ce70b52a95e612dc1c54336d Mon Sep 17 00:00:00 2001
From: Khuzaima-Shakeel <Khuzaima.Shakeel@ibm.com>
Date: Mon, 29 Sep 2025 13:28:30 +0530
Subject: [PATCH] feat: added local and ip_version attributes for the security
 group rule

---
 README.md                                     | 10 ++--
 .../security_groups/security_groups.tf        | 40 ++++++++-----
 patterns/vsi-extension/variables.tf           |  8 ++-
 security_groups.tf                            | 10 ++--
 variables.tf                                  | 56 ++++++++++++-------
 5 files changed, 76 insertions(+), 48 deletions(-)

diff --git a/README.md b/README.md
index 5f0cc90e5..cd2adf404 100644
--- a/README.md
+++ b/README.md
@@ -920,13 +920,13 @@ module "cluster_pattern" {
 | <a name="input_enable_transit_gateway"></a> [enable\_transit\_gateway](#input\_enable\_transit\_gateway) | Create transit gateway | `bool` | `true` | no |
 | <a name="input_existing_vpc_cbr_zone_id"></a> [existing\_vpc\_cbr\_zone\_id](#input\_existing\_vpc\_cbr\_zone\_id) | ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone/blob/main/patterns/DA-cbr-tutorial.md). | `string` | `null` | no |
 | <a name="input_f5_template_data"></a> [f5\_template\_data](#input\_f5\_template\_data) | Data for all f5 templates | <pre>object({<br/>    tmos_admin_password     = optional(string)<br/>    license_type            = optional(string)<br/>    byol_license_basekey    = optional(string)<br/>    license_host            = optional(string)<br/>    license_username        = optional(string)<br/>    license_password        = optional(string)<br/>    license_pool            = optional(string)<br/>    license_sku_keyword_1   = optional(string)<br/>    license_sku_keyword_2   = optional(string)<br/>    license_unit_of_measure = optional(string)<br/>    do_declaration_url      = optional(string)<br/>    as3_declaration_url     = optional(string)<br/>    ts_declaration_url      = optional(string)<br/>    phone_home_url          = optional(string)<br/>    template_source         = optional(string)<br/>    template_version        = optional(string)<br/>    app_id                  = optional(string)<br/>    tgactive_url            = optional(string)<br/>    tgstandby_url           = optional(string)<br/>    tgrefresh_url           = optional(string)<br/>  })</pre> | <pre>{<br/>  "license_type": "none"<br/>}</pre> | no |
-| <a name="input_f5_vsi"></a> [f5\_vsi](#input\_f5\_vsi) | A list describing F5 VSI workloads to create | <pre>list(<br/>    object({<br/>      name                   = string<br/>      vpc_name               = string<br/>      primary_subnet_name    = string<br/>      secondary_subnet_names = list(string)<br/>      secondary_subnet_security_group_names = list(<br/>        object({<br/>          group_name     = string<br/>          interface_name = string<br/>        })<br/>      )<br/>      ssh_keys                        = list(string)<br/>      f5_image_name                   = string<br/>      machine_type                    = string<br/>      resource_group                  = optional(string)<br/>      enable_management_floating_ip   = optional(bool)<br/>      enable_external_floating_ip     = optional(bool)<br/>      security_groups                 = optional(list(string))<br/>      boot_volume_encryption_key_name = optional(string)<br/>      hostname                        = string<br/>      domain                          = string<br/>      access_tags                     = optional(list(string), [])<br/>      security_group = optional(<br/>        object({<br/>          name = string<br/>          rules = list(<br/>            object({<br/>              name      = string<br/>              direction = string<br/>              source    = string<br/>              tcp = optional(<br/>                object({<br/>                  port_max = number<br/>                  port_min = number<br/>                })<br/>              )<br/>              udp = optional(<br/>                object({<br/>                  port_max = number<br/>                  port_min = number<br/>                })<br/>              )<br/>              icmp = optional(<br/>                object({<br/>                  type = number<br/>                  code = number<br/>                })<br/>              )<br/>            })<br/>          )<br/>        })<br/>      )<br/>      block_storage_volumes = optional(list(<br/>        object({<br/>          name           = string<br/>          profile        = string<br/>          capacity       = optional(number)<br/>          iops           = optional(number)<br/>          encryption_key = optional(string)<br/>        })<br/>      ))<br/>      load_balancers = optional(list(<br/>        object({<br/>          name                    = string<br/>          type                    = string<br/>          listener_port           = number<br/>          listener_protocol       = string<br/>          connection_limit        = number<br/>          algorithm               = string<br/>          protocol                = string<br/>          health_delay            = number<br/>          health_retries          = number<br/>          health_timeout          = number<br/>          health_type             = string<br/>          pool_member_port        = string<br/>          idle_connection_timeout = optional(number)<br/>          security_group = optional(<br/>            object({<br/>              name = string<br/>              rules = list(<br/>                object({<br/>                  name      = string<br/>                  direction = string<br/>                  source    = string<br/>                  tcp = optional(<br/>                    object({<br/>                      port_max = number<br/>                      port_min = number<br/>                    })<br/>                  )<br/>                  udp = optional(<br/>                    object({<br/>                      port_max = number<br/>                      port_min = number<br/>                    })<br/>                  )<br/>                  icmp = optional(<br/>                    object({<br/>                      type = number<br/>                      code = number<br/>                    })<br/>                  )<br/>                })<br/>              )<br/>            })<br/>          )<br/>        })<br/>      ))<br/>    })<br/>  )</pre> | `[]` | no |
+| <a name="input_f5_vsi"></a> [f5\_vsi](#input\_f5\_vsi) | A list describing F5 VSI workloads to create | <pre>list(<br/>    object({<br/>      name                   = string<br/>      vpc_name               = string<br/>      primary_subnet_name    = string<br/>      secondary_subnet_names = list(string)<br/>      secondary_subnet_security_group_names = list(<br/>        object({<br/>          group_name     = string<br/>          interface_name = string<br/>        })<br/>      )<br/>      ssh_keys                        = list(string)<br/>      f5_image_name                   = string<br/>      machine_type                    = string<br/>      resource_group                  = optional(string)<br/>      enable_management_floating_ip   = optional(bool)<br/>      enable_external_floating_ip     = optional(bool)<br/>      security_groups                 = optional(list(string))<br/>      boot_volume_encryption_key_name = optional(string)<br/>      hostname                        = string<br/>      domain                          = string<br/>      access_tags                     = optional(list(string), [])<br/>      security_group = optional(<br/>        object({<br/>          name = string<br/>          rules = list(<br/>            object({<br/>              name       = string<br/>              direction  = string<br/>              source     = string<br/>              local      = optional(string)<br/>              ip_version = optional(string)<br/>              tcp = optional(<br/>                object({<br/>                  port_max = number<br/>                  port_min = number<br/>                })<br/>              )<br/>              udp = optional(<br/>                object({<br/>                  port_max = number<br/>                  port_min = number<br/>                })<br/>              )<br/>              icmp = optional(<br/>                object({<br/>                  type = number<br/>                  code = number<br/>                })<br/>              )<br/>            })<br/>          )<br/>        })<br/>      )<br/>      block_storage_volumes = optional(list(<br/>        object({<br/>          name           = string<br/>          profile        = string<br/>          capacity       = optional(number)<br/>          iops           = optional(number)<br/>          encryption_key = optional(string)<br/>        })<br/>      ))<br/>      load_balancers = optional(list(<br/>        object({<br/>          name                    = string<br/>          type                    = string<br/>          listener_port           = number<br/>          listener_protocol       = string<br/>          connection_limit        = number<br/>          algorithm               = string<br/>          protocol                = string<br/>          health_delay            = number<br/>          health_retries          = number<br/>          health_timeout          = number<br/>          health_type             = string<br/>          pool_member_port        = string<br/>          idle_connection_timeout = optional(number)<br/>          security_group = optional(<br/>            object({<br/>              name = string<br/>              rules = list(<br/>                object({<br/>                  name       = string<br/>                  direction  = string<br/>                  source     = string<br/>                  local      = optional(string)<br/>                  ip_version = optional(string)<br/>                  tcp = optional(<br/>                    object({<br/>                      port_max = number<br/>                      port_min = number<br/>                    })<br/>                  )<br/>                  udp = optional(<br/>                    object({<br/>                      port_max = number<br/>                      port_min = number<br/>                    })<br/>                  )<br/>                  icmp = optional(<br/>                    object({<br/>                      type = number<br/>                      code = number<br/>                    })<br/>                  )<br/>                })<br/>              )<br/>            })<br/>          )<br/>        })<br/>      ))<br/>    })<br/>  )</pre> | `[]` | no |
 | <a name="input_key_management"></a> [key\_management](#input\_key\_management) | Key Protect instance variables | <pre>object({<br/>    name              = optional(string)<br/>    resource_group    = optional(string)<br/>    use_data          = optional(bool)<br/>    use_hs_crypto     = optional(bool)<br/>    access_tags       = optional(list(string), [])<br/>    service_endpoints = optional(string, "public-and-private")<br/>    keys = optional(<br/>      list(<br/>        object({<br/>          name             = string<br/>          root_key         = optional(bool)<br/>          payload          = optional(string)<br/>          key_ring         = optional(string) # Any key_ring added will be created<br/>          force_delete     = optional(bool)<br/>          existing_key_crn = optional(string) # CRN of an existing key in the same or different account.<br/>          endpoint         = optional(string) # can be public or private<br/>          iv_value         = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.<br/>          encrypted_nonce  = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.<br/>          policies = optional(<br/>            object({<br/>              rotation = optional(<br/>                object({<br/>                  interval_month = number<br/>                })<br/>              )<br/>              dual_auth_delete = optional(<br/>                object({<br/>                  enabled = bool<br/>                })<br/>              )<br/>            })<br/>          )<br/>        })<br/>      )<br/>    )<br/>  })</pre> | n/a | yes |
 | <a name="input_network_cidr"></a> [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | A unique identifier for resources that is prepended to resources that are provisioned. Must begin with a lowercase letter and end with a lowercase letter or number. Must be 16 or fewer characters. | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | Region where VPC will be created. To find your VPC region, use `ibmcloud is regions` command to find available regions. | `string` | n/a | yes |
 | <a name="input_resource_groups"></a> [resource\_groups](#input\_resource\_groups) | Object describing resource groups to create or reference | <pre>list(<br/>    object({<br/>      name       = string<br/>      create     = optional(bool)<br/>      use_prefix = optional(bool)<br/>    })<br/>  )</pre> | n/a | yes |
-| <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | Security groups for VPC | <pre>list(<br/>    object({<br/>      name           = string<br/>      vpc_name       = string<br/>      resource_group = optional(string)<br/>      access_tags    = optional(list(string), [])<br/>      rules = list(<br/>        object({<br/>          name      = string<br/>          direction = string<br/>          source    = string<br/>          tcp = optional(<br/>            object({<br/>              port_max = number<br/>              port_min = number<br/>            })<br/>          )<br/>          udp = optional(<br/>            object({<br/>              port_max = number<br/>              port_min = number<br/>            })<br/>          )<br/>          icmp = optional(<br/>            object({<br/>              type = number<br/>              code = number<br/>            })<br/>          )<br/>        })<br/>      )<br/>    })<br/>  )</pre> | `[]` | no |
+| <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | Security groups for VPC | <pre>list(<br/>    object({<br/>      name           = string<br/>      vpc_name       = string<br/>      resource_group = optional(string)<br/>      access_tags    = optional(list(string), [])<br/>      rules = list(<br/>        object({<br/>          name       = string<br/>          direction  = string<br/>          source     = string<br/>          local      = optional(string)<br/>          ip_version = optional(string)<br/>          tcp = optional(<br/>            object({<br/>              port_max = number<br/>              port_min = number<br/>            })<br/>          )<br/>          udp = optional(<br/>            object({<br/>              port_max = number<br/>              port_min = number<br/>            })<br/>          )<br/>          icmp = optional(<br/>            object({<br/>              type = number<br/>              code = number<br/>            })<br/>          )<br/>        })<br/>      )<br/>    })<br/>  )</pre> | `[]` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Service endpoints for the App ID resource when created by the module. Can be `public`, `private`, or `public-and-private` | `string` | `"public-and-private"` | no |
 | <a name="input_skip_all_s2s_auth_policies"></a> [skip\_all\_s2s\_auth\_policies](#input\_skip\_all\_s2s\_auth\_policies) | Whether to skip the creation of all of the service-to-service authorization policies. If setting to true, policies must be in place on the account before provisioning. | `bool` | `false` | no |
 | <a name="input_skip_kms_block_storage_s2s_auth_policy"></a> [skip\_kms\_block\_storage\_s2s\_auth\_policy](#input\_skip\_kms\_block\_storage\_s2s\_auth\_policy) | Whether to skip the creation of a service-to-service authorization policy between block storage and the key management service. | `bool` | `false` | no |
@@ -934,15 +934,15 @@ module "cluster_pattern" {
 | <a name="input_ssh_keys"></a> [ssh\_keys](#input\_ssh\_keys) | SSH keys to use to provision a VSI. Must be an RSA key with a key size of either 2048 bits or 4096 bits (recommended). If `public_key` is not provided, the named key will be looked up from data. If a resource group name is added, it must be included in `var.resource_groups`. See https://cloud.ibm.com/docs/vpc?topic=vpc-ssh-keys. | <pre>list(<br/>    object({<br/>      name           = string<br/>      public_key     = optional(string)<br/>      resource_group = optional(string)<br/>    })<br/>  )</pre> | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | List of resource tags to apply to resources created by this module. | `list(string)` | `[]` | no |
 | <a name="input_teleport_config_data"></a> [teleport\_config\_data](#input\_teleport\_config\_data) | Teleport config data. This is used to create a single template for all teleport instances to use. Creating a single template allows for values to remain sensitive | <pre>object({<br/>    teleport_license   = optional(string)<br/>    https_cert         = optional(string)<br/>    https_key          = optional(string)<br/>    domain             = optional(string)<br/>    cos_bucket_name    = optional(string)<br/>    cos_key_name       = optional(string)<br/>    teleport_version   = optional(string)<br/>    message_of_the_day = optional(string)<br/>    hostname           = optional(string)<br/>    app_id_key_name    = optional(string)<br/>    claims_to_roles = optional(<br/>      list(<br/>        object({<br/>          email = string<br/>          roles = list(string)<br/>        })<br/>      )<br/>    )<br/>  })</pre> | `null` | no |
-| <a name="input_teleport_vsi"></a> [teleport\_vsi](#input\_teleport\_vsi) | A list of teleport vsi deployments | <pre>list(<br/>    object(<br/>      {<br/>        name                            = string<br/>        vpc_name                        = string<br/>        resource_group                  = optional(string)<br/>        subnet_name                     = string<br/>        ssh_keys                        = list(string)<br/>        boot_volume_encryption_key_name = string<br/>        image_name                      = string<br/>        machine_type                    = string<br/>        access_tags                     = optional(list(string), [])<br/>        security_groups                 = optional(list(string))<br/>        security_group = optional(<br/>          object({<br/>            name = string<br/>            rules = list(<br/>              object({<br/>                name      = string<br/>                direction = string<br/>                source    = string<br/>                tcp = optional(<br/>                  object({<br/>                    port_max = number<br/>                    port_min = number<br/>                  })<br/>                )<br/>                udp = optional(<br/>                  object({<br/>                    port_max = number<br/>                    port_min = number<br/>                  })<br/>                )<br/>                icmp = optional(<br/>                  object({<br/>                    type = number<br/>                    code = number<br/>                  })<br/>                )<br/>              })<br/>            )<br/>          })<br/>        )<br/><br/><br/>      }<br/>    )<br/>  )</pre> | `[]` | no |
+| <a name="input_teleport_vsi"></a> [teleport\_vsi](#input\_teleport\_vsi) | A list of teleport vsi deployments | <pre>list(<br/>    object(<br/>      {<br/>        name                            = string<br/>        vpc_name                        = string<br/>        resource_group                  = optional(string)<br/>        subnet_name                     = string<br/>        ssh_keys                        = list(string)<br/>        boot_volume_encryption_key_name = string<br/>        image_name                      = string<br/>        machine_type                    = string<br/>        access_tags                     = optional(list(string), [])<br/>        security_groups                 = optional(list(string))<br/>        security_group = optional(<br/>          object({<br/>            name = string<br/>            rules = list(<br/>              object({<br/>                name       = string<br/>                direction  = string<br/>                source     = string<br/>                local      = optional(string)<br/>                ip_version = optional(string)<br/>                tcp = optional(<br/>                  object({<br/>                    port_max = number<br/>                    port_min = number<br/>                  })<br/>                )<br/>                udp = optional(<br/>                  object({<br/>                    port_max = number<br/>                    port_min = number<br/>                  })<br/>                )<br/>                icmp = optional(<br/>                  object({<br/>                    type = number<br/>                    code = number<br/>                  })<br/>                )<br/>              })<br/>            )<br/>          })<br/>        )<br/><br/><br/>      }<br/>    )<br/>  )</pre> | `[]` | no |
 | <a name="input_transit_gateway_connections"></a> [transit\_gateway\_connections](#input\_transit\_gateway\_connections) | Transit gateway vpc connections. Will only be used if transit gateway is enabled. | `list(string)` | n/a | yes |
 | <a name="input_transit_gateway_global"></a> [transit\_gateway\_global](#input\_transit\_gateway\_global) | Connect to the networks outside the associated region. Will only be used if transit gateway is enabled. | `bool` | `false` | no |
 | <a name="input_transit_gateway_resource_group"></a> [transit\_gateway\_resource\_group](#input\_transit\_gateway\_resource\_group) | Name of resource group to use for transit gateway. Must be included in `var.resource_group` | `string` | n/a | yes |
 | <a name="input_virtual_private_endpoints"></a> [virtual\_private\_endpoints](#input\_virtual\_private\_endpoints) | Object describing VPE to be created | <pre>list(<br/>    object({<br/>      service_name   = string<br/>      service_type   = string<br/>      resource_group = optional(string)<br/>      access_tags    = optional(list(string), [])<br/>      vpcs = list(<br/>        object({<br/>          name                = string<br/>          subnets             = list(string)<br/>          security_group_name = optional(string)<br/>        })<br/>      )<br/>    })<br/>  )</pre> | n/a | yes |
 | <a name="input_vpc_placement_groups"></a> [vpc\_placement\_groups](#input\_vpc\_placement\_groups) | List of VPC placement groups to create | <pre>list(<br/>    object({<br/>      access_tags    = optional(list(string), [])<br/>      name           = string<br/>      resource_group = optional(string)<br/>      strategy       = string<br/>    })<br/>  )</pre> | `[]` | no |
-| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map describing VPCs to be created in this repo. | <pre>list(<br/>    object({<br/>      prefix          = string # VPC prefix<br/>      existing_vpc_id = optional(string)<br/>      existing_subnets = optional(<br/>        list(<br/>          object({<br/>            id             = string<br/>            public_gateway = optional(bool, false)<br/>          })<br/>        )<br/>      )<br/>      resource_group              = optional(string) # Name of the group where VPC will be created<br/>      access_tags                 = optional(list(string), [])<br/>      default_network_acl_name    = optional(string)<br/>      default_security_group_name = optional(string)<br/>      clean_default_sg_acl        = optional(bool, false)<br/>      dns_binding_name            = optional(string, null)<br/>      dns_instance_name           = optional(string, null)<br/>      dns_custom_resolver_name    = optional(string, null)<br/>      dns_location                = optional(string, "global")<br/>      dns_plan                    = optional(string, "standard-dns")<br/>      dns_zone_name               = optional(string, null)<br/>      dns_zone_description        = optional(string, null)<br/>      dns_zone_label              = optional(string, null)<br/>      dns_records = optional(list(object({<br/>        name       = string<br/>        type       = string<br/>        ttl        = number<br/>        rdata      = string<br/>        preference = optional(number, null)<br/>        service    = optional(string, null)<br/>        protocol   = optional(string, null)<br/>        priority   = optional(number, null)<br/>        weight     = optional(number, null)<br/>        port       = optional(number, null)<br/>      })), [])<br/>      existing_dns_instance_id          = optional(string, null)<br/>      use_existing_dns_instance         = optional(bool, false)<br/>      enable_hub                        = optional(bool, false)<br/>      skip_spoke_auth_policy            = optional(bool, false)<br/>      hub_account_id                    = optional(string, null)<br/>      enable_hub_vpc_id                 = optional(bool, false)<br/>      hub_vpc_id                        = optional(string, null)<br/>      enable_hub_vpc_crn                = optional(bool, false)<br/>      hub_vpc_crn                       = optional(string, null)<br/>      update_delegated_resolver         = optional(bool, false)<br/>      skip_custom_resolver_hub_creation = optional(bool, false)<br/>      resolver_type                     = optional(string, null)<br/>      manual_servers = optional(list(object({<br/>        address       = string<br/>        zone_affinity = optional(string)<br/>      })), [])<br/>      default_security_group_rules = optional(<br/>        list(<br/>          object({<br/>            name      = string<br/>            direction = string<br/>            remote    = string<br/>            tcp = optional(<br/>              object({<br/>                port_max = optional(number)<br/>                port_min = optional(number)<br/>              })<br/>            )<br/>            udp = optional(<br/>              object({<br/>                port_max = optional(number)<br/>                port_min = optional(number)<br/>              })<br/>            )<br/>            icmp = optional(<br/>              object({<br/>                type = optional(number)<br/>                code = optional(number)<br/>              })<br/>            )<br/>          })<br/>        )<br/>      )<br/>      default_routing_table_name = optional(string)<br/>      flow_logs_bucket_name      = optional(string)<br/>      address_prefixes = optional(<br/>        object({<br/>          zone-1 = optional(list(string))<br/>          zone-2 = optional(list(string))<br/>          zone-3 = optional(list(string))<br/>        })<br/>      )<br/>      network_acls = list(<br/>        object({<br/>          name                         = string<br/>          add_ibm_cloud_internal_rules = optional(bool)<br/>          add_vpc_connectivity_rules   = optional(bool)<br/>          prepend_ibm_rules            = optional(bool)<br/>          rules = list(<br/>            object({<br/>              name        = string<br/>              action      = string<br/>              destination = string<br/>              direction   = string<br/>              source      = string<br/>              tcp = optional(<br/>                object({<br/>                  port_max        = optional(number)<br/>                  port_min        = optional(number)<br/>                  source_port_max = optional(number)<br/>                  source_port_min = optional(number)<br/>                })<br/>              )<br/>              udp = optional(<br/>                object({<br/>                  port_max        = optional(number)<br/>                  port_min        = optional(number)<br/>                  source_port_max = optional(number)<br/>                  source_port_min = optional(number)<br/>                })<br/>              )<br/>              icmp = optional(<br/>                object({<br/>                  type = optional(number)<br/>                  code = optional(number)<br/>                })<br/>              )<br/>            })<br/>          )<br/>        })<br/>      )<br/>      use_public_gateways = object({<br/>        zone-1 = optional(bool)<br/>        zone-2 = optional(bool)<br/>        zone-3 = optional(bool)<br/>      })<br/>      subnets = optional(object({<br/>        zone-1 = list(object({<br/>          name           = string<br/>          cidr           = string<br/>          public_gateway = optional(bool)<br/>          acl_name       = string<br/>          no_addr_prefix = optional(bool, false)<br/>        }))<br/>        zone-2 = list(object({<br/>          name           = string<br/>          cidr           = string<br/>          public_gateway = optional(bool)<br/>          acl_name       = string<br/>          no_addr_prefix = optional(bool, false)<br/>        }))<br/>        zone-3 = list(object({<br/>          name           = string<br/>          cidr           = string<br/>          public_gateway = optional(bool)<br/>          acl_name       = string<br/>          no_addr_prefix = optional(bool, false)<br/>        }))<br/>      }))<br/>    })<br/>  )</pre> | n/a | yes |
+| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map describing VPCs to be created in this repo. | <pre>list(<br/>    object({<br/>      prefix          = string # VPC prefix<br/>      existing_vpc_id = optional(string)<br/>      existing_subnets = optional(<br/>        list(<br/>          object({<br/>            id             = string<br/>            public_gateway = optional(bool, false)<br/>          })<br/>        )<br/>      )<br/>      resource_group              = optional(string) # Name of the group where VPC will be created<br/>      access_tags                 = optional(list(string), [])<br/>      default_network_acl_name    = optional(string)<br/>      default_security_group_name = optional(string)<br/>      clean_default_sg_acl        = optional(bool, false)<br/>      dns_binding_name            = optional(string, null)<br/>      dns_instance_name           = optional(string, null)<br/>      dns_custom_resolver_name    = optional(string, null)<br/>      dns_location                = optional(string, "global")<br/>      dns_plan                    = optional(string, "standard-dns")<br/>      dns_zone_name               = optional(string, null)<br/>      dns_zone_description        = optional(string, null)<br/>      dns_zone_label              = optional(string, null)<br/>      dns_records = optional(list(object({<br/>        name       = string<br/>        type       = string<br/>        ttl        = number<br/>        rdata      = string<br/>        preference = optional(number, null)<br/>        service    = optional(string, null)<br/>        protocol   = optional(string, null)<br/>        priority   = optional(number, null)<br/>        weight     = optional(number, null)<br/>        port       = optional(number, null)<br/>      })), [])<br/>      existing_dns_instance_id          = optional(string, null)<br/>      use_existing_dns_instance         = optional(bool, false)<br/>      enable_hub                        = optional(bool, false)<br/>      skip_spoke_auth_policy            = optional(bool, false)<br/>      hub_account_id                    = optional(string, null)<br/>      enable_hub_vpc_id                 = optional(bool, false)<br/>      hub_vpc_id                        = optional(string, null)<br/>      enable_hub_vpc_crn                = optional(bool, false)<br/>      hub_vpc_crn                       = optional(string, null)<br/>      update_delegated_resolver         = optional(bool, false)<br/>      skip_custom_resolver_hub_creation = optional(bool, false)<br/>      resolver_type                     = optional(string, null)<br/>      manual_servers = optional(list(object({<br/>        address       = string<br/>        zone_affinity = optional(string)<br/>      })), [])<br/>      default_security_group_rules = optional(<br/>        list(<br/>          object({<br/>            name       = string<br/>            direction  = string<br/>            remote     = string<br/>            local      = optional(string)<br/>            ip_version = optional(string)<br/>            tcp = optional(<br/>              object({<br/>                port_max = optional(number)<br/>                port_min = optional(number)<br/>              })<br/>            )<br/>            udp = optional(<br/>              object({<br/>                port_max = optional(number)<br/>                port_min = optional(number)<br/>              })<br/>            )<br/>            icmp = optional(<br/>              object({<br/>                type = optional(number)<br/>                code = optional(number)<br/>              })<br/>            )<br/>          })<br/>        )<br/>      )<br/>      default_routing_table_name = optional(string)<br/>      flow_logs_bucket_name      = optional(string)<br/>      address_prefixes = optional(<br/>        object({<br/>          zone-1 = optional(list(string))<br/>          zone-2 = optional(list(string))<br/>          zone-3 = optional(list(string))<br/>        })<br/>      )<br/>      network_acls = list(<br/>        object({<br/>          name                         = string<br/>          add_ibm_cloud_internal_rules = optional(bool)<br/>          add_vpc_connectivity_rules   = optional(bool)<br/>          prepend_ibm_rules            = optional(bool)<br/>          rules = list(<br/>            object({<br/>              name        = string<br/>              action      = string<br/>              destination = string<br/>              direction   = string<br/>              source      = string<br/>              tcp = optional(<br/>                object({<br/>                  port_max        = optional(number)<br/>                  port_min        = optional(number)<br/>                  source_port_max = optional(number)<br/>                  source_port_min = optional(number)<br/>                })<br/>              )<br/>              udp = optional(<br/>                object({<br/>                  port_max        = optional(number)<br/>                  port_min        = optional(number)<br/>                  source_port_max = optional(number)<br/>                  source_port_min = optional(number)<br/>                })<br/>              )<br/>              icmp = optional(<br/>                object({<br/>                  type = optional(number)<br/>                  code = optional(number)<br/>                })<br/>              )<br/>            })<br/>          )<br/>        })<br/>      )<br/>      use_public_gateways = object({<br/>        zone-1 = optional(bool)<br/>        zone-2 = optional(bool)<br/>        zone-3 = optional(bool)<br/>      })<br/>      subnets = optional(object({<br/>        zone-1 = list(object({<br/>          name           = string<br/>          cidr           = string<br/>          public_gateway = optional(bool)<br/>          acl_name       = string<br/>          no_addr_prefix = optional(bool, false)<br/>        }))<br/>        zone-2 = list(object({<br/>          name           = string<br/>          cidr           = string<br/>          public_gateway = optional(bool)<br/>          acl_name       = string<br/>          no_addr_prefix = optional(bool, false)<br/>        }))<br/>        zone-3 = list(object({<br/>          name           = string<br/>          cidr           = string<br/>          public_gateway = optional(bool)<br/>          acl_name       = string<br/>          no_addr_prefix = optional(bool, false)<br/>        }))<br/>      }))<br/>    })<br/>  )</pre> | n/a | yes |
 | <a name="input_vpn_gateways"></a> [vpn\_gateways](#input\_vpn\_gateways) | List of VPN Gateways to create. | <pre>list(<br/>    object({<br/>      name           = string<br/>      vpc_name       = string<br/>      subnet_name    = string # Do not include prefix, use same name as in `var.subnets`<br/>      mode           = optional(string)<br/>      resource_group = optional(string)<br/>      access_tags    = optional(list(string), [])<br/>    })<br/>  )</pre> | n/a | yes |
-| <a name="input_vsi"></a> [vsi](#input\_vsi) | A list describing VSI workloads to create | <pre>list(<br/>    object({<br/>      name                            = string<br/>      vpc_name                        = string<br/>      subnet_names                    = list(string)<br/>      ssh_keys                        = list(string)<br/>      image_name                      = string<br/>      machine_type                    = string<br/>      vsi_per_subnet                  = number<br/>      user_data                       = optional(string)<br/>      resource_group                  = optional(string)<br/>      enable_floating_ip              = optional(bool)<br/>      allow_ip_spoofing               = optional(bool)<br/>      security_groups                 = optional(list(string))<br/>      boot_volume_encryption_key_name = optional(string)<br/>      primary_vni_additional_ip_count = optional(number)<br/>      use_legacy_network_interface    = optional(bool)<br/>      access_tags                     = optional(list(string), [])<br/>      security_group = optional(<br/>        object({<br/>          name = string<br/>          rules = list(<br/>            object({<br/>              name      = string<br/>              direction = string<br/>              source    = string<br/>              tcp = optional(<br/>                object({<br/>                  port_max = number<br/>                  port_min = number<br/>                })<br/>              )<br/>              udp = optional(<br/>                object({<br/>                  port_max = number<br/>                  port_min = number<br/>                })<br/>              )<br/>              icmp = optional(<br/>                object({<br/>                  type = number<br/>                  code = number<br/>                })<br/>              )<br/>            })<br/>          )<br/>        })<br/>      )<br/>      block_storage_volumes = optional(list(<br/>        object({<br/>          name           = string<br/>          profile        = string<br/>          capacity       = optional(number)<br/>          iops           = optional(number)<br/>          encryption_key = optional(string)<br/>        })<br/>      ))<br/>      load_balancers = optional(list(<br/>        object({<br/>          name                       = string<br/>          type                       = string<br/>          listener_port              = optional(number)<br/>          listener_port_max          = optional(number)<br/>          listener_port_min          = optional(number)<br/>          listener_protocol          = string<br/>          connection_limit           = optional(number)<br/>          idle_connection_timeout    = optional(number)<br/>          algorithm                  = string<br/>          protocol                   = string<br/>          health_delay               = number<br/>          health_retries             = number<br/>          health_timeout             = number<br/>          health_type                = string<br/>          pool_member_port           = string<br/>          profile                    = optional(string)<br/>          accept_proxy_protocol      = optional(bool)<br/>          subnet_id_to_provision_nlb = optional(string) # Required for Network Load Balancer. If no value is provided, the first one from the VPC subnet list will be selected.<br/>          dns = optional(<br/>            object({<br/>              instance_crn = string<br/>              zone_id      = string<br/>            })<br/>          )<br/>          security_group = optional(<br/>            object({<br/>              name = string<br/>              rules = list(<br/>                object({<br/>                  name      = string<br/>                  direction = string<br/>                  source    = string<br/>                  tcp = optional(<br/>                    object({<br/>                      port_max = number<br/>                      port_min = number<br/>                    })<br/>                  )<br/>                  udp = optional(<br/>                    object({<br/>                      port_max = number<br/>                      port_min = number<br/>                    })<br/>                  )<br/>                  icmp = optional(<br/>                    object({<br/>                      type = number<br/>                      code = number<br/>                    })<br/>                  )<br/>                })<br/>              )<br/>            })<br/>          )<br/>        })<br/>      ))<br/>    })<br/>  )</pre> | n/a | yes |
+| <a name="input_vsi"></a> [vsi](#input\_vsi) | A list describing VSI workloads to create | <pre>list(<br/>    object({<br/>      name                            = string<br/>      vpc_name                        = string<br/>      subnet_names                    = list(string)<br/>      ssh_keys                        = list(string)<br/>      image_name                      = string<br/>      machine_type                    = string<br/>      vsi_per_subnet                  = number<br/>      user_data                       = optional(string)<br/>      resource_group                  = optional(string)<br/>      enable_floating_ip              = optional(bool)<br/>      allow_ip_spoofing               = optional(bool)<br/>      security_groups                 = optional(list(string))<br/>      boot_volume_encryption_key_name = optional(string)<br/>      primary_vni_additional_ip_count = optional(number)<br/>      use_legacy_network_interface    = optional(bool)<br/>      access_tags                     = optional(list(string), [])<br/>      security_group = optional(<br/>        object({<br/>          name = string<br/>          rules = list(<br/>            object({<br/>              name       = string<br/>              direction  = string<br/>              source     = string<br/>              local      = optional(string)<br/>              ip_version = optional(string)<br/>              tcp = optional(<br/>                object({<br/>                  port_max = number<br/>                  port_min = number<br/>                })<br/>              )<br/>              udp = optional(<br/>                object({<br/>                  port_max = number<br/>                  port_min = number<br/>                })<br/>              )<br/>              icmp = optional(<br/>                object({<br/>                  type = number<br/>                  code = number<br/>                })<br/>              )<br/>            })<br/>          )<br/>        })<br/>      )<br/>      block_storage_volumes = optional(list(<br/>        object({<br/>          name           = string<br/>          profile        = string<br/>          capacity       = optional(number)<br/>          iops           = optional(number)<br/>          encryption_key = optional(string)<br/>        })<br/>      ))<br/>      load_balancers = optional(list(<br/>        object({<br/>          name                       = string<br/>          type                       = string<br/>          listener_port              = optional(number)<br/>          listener_port_max          = optional(number)<br/>          listener_port_min          = optional(number)<br/>          listener_protocol          = string<br/>          connection_limit           = optional(number)<br/>          idle_connection_timeout    = optional(number)<br/>          algorithm                  = string<br/>          protocol                   = string<br/>          health_delay               = number<br/>          health_retries             = number<br/>          health_timeout             = number<br/>          health_type                = string<br/>          pool_member_port           = string<br/>          profile                    = optional(string)<br/>          accept_proxy_protocol      = optional(bool)<br/>          subnet_id_to_provision_nlb = optional(string) # Required for Network Load Balancer. If no value is provided, the first one from the VPC subnet list will be selected.<br/>          dns = optional(<br/>            object({<br/>              instance_crn = string<br/>              zone_id      = string<br/>            })<br/>          )<br/>          security_group = optional(<br/>            object({<br/>              name = string<br/>              rules = list(<br/>                object({<br/>                  name       = string<br/>                  direction  = string<br/>                  source     = string<br/>                  local      = optional(string)<br/>                  ip_version = optional(string)<br/>                  tcp = optional(<br/>                    object({<br/>                      port_max = number<br/>                      port_min = number<br/>                    })<br/>                  )<br/>                  udp = optional(<br/>                    object({<br/>                      port_max = number<br/>                      port_min = number<br/>                    })<br/>                  )<br/>                  icmp = optional(<br/>                    object({<br/>                      type = number<br/>                      code = number<br/>                    })<br/>                  )<br/>                })<br/>              )<br/>            })<br/>          )<br/>        })<br/>      ))<br/>    })<br/>  )</pre> | n/a | yes |
 | <a name="input_wait_till"></a> [wait\_till](#input\_wait\_till) | To avoid long wait times when you run your Terraform code, you can specify the stage when you want Terraform to mark the cluster resource creation as completed. Depending on what stage you choose, the cluster creation might not be fully completed and continues to run in the background. However, your Terraform code can continue to run without waiting for the cluster to be fully created. Supported args are `MasterNodeReady`, `OneWorkerNodeReady`, and `IngressReady` | `string` | `"IngressReady"` | no |
 
 ### Outputs
diff --git a/patterns/dynamic_values/config_modules/security_groups/security_groups.tf b/patterns/dynamic_values/config_modules/security_groups/security_groups.tf
index 8679ea5b8..a12ad9dca 100644
--- a/patterns/dynamic_values/config_modules/security_groups/security_groups.tf
+++ b/patterns/dynamic_values/config_modules/security_groups/security_groups.tf
@@ -31,9 +31,11 @@ variable "bastion_vsi_rules" {
   description = "List of rules for F5 External security group."
   type = list(
     object({
-      name      = string
-      source    = string
-      direction = string
+      name       = string
+      source     = string
+      direction  = string
+      local      = optional(string)
+      ip_version = optional(string)
       tcp = object({
         port_min = string
         port_max = string
@@ -46,9 +48,11 @@ variable "f5_management_rules" {
   description = "List of rules for F5 Management security group."
   type = list(
     object({
-      name      = string
-      source    = string
-      direction = string
+      name       = string
+      source     = string
+      direction  = string
+      local      = optional(string)
+      ip_version = optional(string)
       tcp = object({
         port_min = string
         port_max = string
@@ -61,9 +65,11 @@ variable "f5_external_rules" {
   description = "List of rules for F5 External security group."
   type = list(
     object({
-      name      = string
-      source    = string
-      direction = string
+      name       = string
+      source     = string
+      direction  = string
+      local      = optional(string)
+      ip_version = optional(string)
       tcp = object({
         port_min = string
         port_max = string
@@ -76,9 +82,11 @@ variable "f5_bastion_rules" {
   description = "List of rules for F5 External security group."
   type = list(
     object({
-      name      = string
-      source    = string
-      direction = string
+      name       = string
+      source     = string
+      direction  = string
+      local      = optional(string)
+      ip_version = optional(string)
       tcp = object({
         port_min = string
         port_max = string
@@ -91,9 +99,11 @@ variable "f5_workload_rules" {
   description = "List of rules for F5 Workload security group."
   type = list(
     object({
-      name      = string
-      source    = string
-      direction = string
+      name       = string
+      source     = string
+      direction  = string
+      local      = optional(string)
+      ip_version = optional(string)
       tcp = object({
         port_min = string
         port_max = string
diff --git a/patterns/vsi-extension/variables.tf b/patterns/vsi-extension/variables.tf
index 460daba60..8b1a8f368 100644
--- a/patterns/vsi-extension/variables.tf
+++ b/patterns/vsi-extension/variables.tf
@@ -167,9 +167,11 @@ variable "load_balancers" {
           name = string
           rules = list(
             object({
-              name      = string
-              direction = string
-              source    = string
+              name       = string
+              direction  = string
+              source     = string
+              local      = optional(string)
+              ip_version = optional(string)
               tcp = optional(
                 object({
                   port_max = number
diff --git a/security_groups.tf b/security_groups.tf
index 19eb0057b..66c976a22 100644
--- a/security_groups.tf
+++ b/security_groups.tf
@@ -31,10 +31,12 @@ resource "ibm_is_security_group" "security_group" {
 ##############################################################################
 
 resource "ibm_is_security_group_rule" "security_group_rules" {
-  for_each  = local.security_group_rules_map
-  group     = ibm_is_security_group.security_group[each.value.sg_name].id
-  direction = each.value.direction
-  remote    = each.value.source
+  for_each   = local.security_group_rules_map
+  group      = ibm_is_security_group.security_group[each.value.sg_name].id
+  direction  = each.value.direction
+  remote     = each.value.source
+  local      = each.value.local
+  ip_version = each.value.ip_version
 
   ##############################################################################
   # Dynamicaly create ICMP Block
diff --git a/variables.tf b/variables.tf
index 3a97208e1..3a6c5c9f7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -117,9 +117,11 @@ variable "vpcs" {
       default_security_group_rules = optional(
         list(
           object({
-            name      = string
-            direction = string
-            remote    = string
+            name       = string
+            direction  = string
+            remote     = string
+            local      = optional(string)
+            ip_version = optional(string)
             tcp = optional(
               object({
                 port_max = optional(number)
@@ -328,9 +330,11 @@ variable "vsi" {
           name = string
           rules = list(
             object({
-              name      = string
-              direction = string
-              source    = string
+              name       = string
+              direction  = string
+              source     = string
+              local      = optional(string)
+              ip_version = optional(string)
               tcp = optional(
                 object({
                   port_max = number
@@ -393,9 +397,11 @@ variable "vsi" {
               name = string
               rules = list(
                 object({
-                  name      = string
-                  direction = string
-                  source    = string
+                  name       = string
+                  direction  = string
+                  source     = string
+                  local      = optional(string)
+                  ip_version = optional(string)
                   tcp = optional(
                     object({
                       port_max = number
@@ -441,9 +447,11 @@ variable "security_groups" {
       access_tags    = optional(list(string), [])
       rules = list(
         object({
-          name      = string
-          direction = string
-          source    = string
+          name       = string
+          direction  = string
+          source     = string
+          local      = optional(string)
+          ip_version = optional(string)
           tcp = optional(
             object({
               port_max = number
@@ -1125,9 +1133,11 @@ variable "teleport_vsi" {
             name = string
             rules = list(
               object({
-                name      = string
-                direction = string
-                source    = string
+                name       = string
+                direction  = string
+                source     = string
+                local      = optional(string)
+                ip_version = optional(string)
                 tcp = optional(
                   object({
                     port_max = number
@@ -1200,9 +1210,11 @@ variable "f5_vsi" {
           name = string
           rules = list(
             object({
-              name      = string
-              direction = string
-              source    = string
+              name       = string
+              direction  = string
+              source     = string
+              local      = optional(string)
+              ip_version = optional(string)
               tcp = optional(
                 object({
                   port_max = number
@@ -1254,9 +1266,11 @@ variable "f5_vsi" {
               name = string
               rules = list(
                 object({
-                  name      = string
-                  direction = string
-                  source    = string
+                  name       = string
+                  direction  = string
+                  source     = string
+                  local      = optional(string)
+                  ip_version = optional(string)
                   tcp = optional(
                     object({
                       port_max = number