diff --git a/.secrets.baseline b/.secrets.baseline
index ac2646a39..3cbe448bd 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2025-11-03T14:00:38Z", + "generated_at": "2025-11-03T14:01:38Z", "plugins_used": [ { "name": "AWSKeyDetector"
diff --git a/README.md b/README.md
index e940c13fa..045213862 100644
--- a/README.md
+++ b/README.md
@@ -845,17 +845,17 @@ module "cluster_pattern" {
 | Name | Source | Version |
 |------|--------|---------|
-| [bastion\_host](#module\_bastion\_host) | terraform-ibm-modules/landing-zone-vsi/ibm | 5.14.0 |
-| [cluster](#module\_cluster) | terraform-ibm-modules/base-ocp-vpc/ibm | 3.69.0 |
+| [bastion\_host](#module\_bastion\_host) | terraform-ibm-modules/landing-zone-vsi/ibm | 5.15.3 |
+| [cluster](#module\_cluster) | terraform-ibm-modules/base-ocp-vpc/ibm | 3.70.0 |
 | [dynamic\_values](#module\_dynamic\_values) | ./dynamic_values | n/a |
-| [f5\_vsi](#module\_f5\_vsi) | terraform-ibm-modules/landing-zone-vsi/ibm | 5.14.0 |
+| [f5\_vsi](#module\_f5\_vsi) | terraform-ibm-modules/landing-zone-vsi/ibm | 5.15.3 |
 | [key\_management](#module\_key\_management) | ./kms | n/a |
 | [placement\_group\_map](#module\_placement\_group\_map) | ./dynamic_values/config_modules/list_to_map | n/a |
 | [ssh\_keys](#module\_ssh\_keys) | ./ssh_key | n/a |
 | [teleport\_config](#module\_teleport\_config) | ./teleport_config | n/a |
-| [update\_cbr\_vpc\_zone](#module\_update\_cbr\_vpc\_zone) | terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module | 1.33.7 |
-| [vpc](#module\_vpc) | terraform-ibm-modules/landing-zone-vpc/ibm | 8.7.0 |
-| [vsi](#module\_vsi) | terraform-ibm-modules/landing-zone-vsi/ibm | 5.14.0 |
+| [update\_cbr\_vpc\_zone](#module\_update\_cbr\_vpc\_zone) | terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module | 1.33.8 |
+| [vpc](#module\_vpc) | terraform-ibm-modules/landing-zone-vpc/ibm | 8.8.2 |
+| [vsi](#module\_vsi) | terraform-ibm-modules/landing-zone-vsi/ibm | 5.15.3 |
 ### Resources
@@ -934,7 +934,7 @@ module "cluster_pattern" {
 | [transit\_gateway\_resource\_group](#input\_transit\_gateway\_resource\_group) | Name of resource group to use for transit gateway. Must be included in `var.resource_group` | `string` | n/a | yes |
 | [virtual\_private\_endpoints](#input\_virtual\_private\_endpoints) | Object describing VPE to be created |
list(
object({
service_name = string
service_type = string
resource_group = optional(string)
access_tags = optional(list(string), [])
vpcs = list(
object({
name = string
subnets = list(string)
security_group_name = optional(string)
})
)
})
)
| n/a | yes | | [vpc\_placement\_groups](#input\_vpc\_placement\_groups) | List of VPC placement groups to create |
list(
object({
access_tags = optional(list(string), [])
name = string
resource_group = optional(string)
strategy = string
})
)
| `[]` | no | -| [vpcs](#input\_vpcs) | A map describing VPCs to be created in this repo. |
list(
object({
prefix = string # VPC prefix
existing_vpc_id = optional(string)
existing_subnets = optional(
list(
object({
id = string
public_gateway = optional(bool, false)
})
)
)
resource_group = optional(string) # Name of the group where VPC will be created
access_tags = optional(list(string), [])
default_network_acl_name = optional(string)
default_security_group_name = optional(string)
clean_default_sg_acl = optional(bool, false)
dns_binding_name = optional(string, null)
dns_instance_name = optional(string, null)
dns_custom_resolver_name = optional(string, null)
dns_location = optional(string, "global")
dns_plan = optional(string, "standard-dns")
dns_zone_name = optional(string, null)
dns_zone_description = optional(string, null)
dns_zone_label = optional(string, null)
dns_records = optional(list(object({
name = string
type = string
ttl = number
rdata = string
preference = optional(number, null)
service = optional(string, null)
protocol = optional(string, null)
priority = optional(number, null)
weight = optional(number, null)
port = optional(number, null)
})), [])
existing_dns_instance_id = optional(string, null)
use_existing_dns_instance = optional(bool, false)
enable_hub = optional(bool, false)
skip_spoke_auth_policy = optional(bool, false)
hub_account_id = optional(string, null)
enable_hub_vpc_id = optional(bool, false)
hub_vpc_id = optional(string, null)
enable_hub_vpc_crn = optional(bool, false)
hub_vpc_crn = optional(string, null)
update_delegated_resolver = optional(bool, false)
skip_custom_resolver_hub_creation = optional(bool, false)
resolver_type = optional(string, null)
manual_servers = optional(list(object({
address = string
zone_affinity = optional(string)
})), [])
default_security_group_rules = optional(
list(
object({
name = string
direction = string
remote = string
local = optional(string)
ip_version = optional(string)
tcp = optional(
object({
port_max = optional(number)
port_min = optional(number)
})
)
udp = optional(
object({
port_max = optional(number)
port_min = optional(number)
})
)
icmp = optional(
object({
type = optional(number)
code = optional(number)
})
)
})
)
)
default_routing_table_name = optional(string)
flow_logs_bucket_name = optional(string)
address_prefixes = optional(
object({
zone-1 = optional(list(string))
zone-2 = optional(list(string))
zone-3 = optional(list(string))
})
)
network_acls = list(
object({
name = string
add_ibm_cloud_internal_rules = optional(bool)
add_vpc_connectivity_rules = optional(bool)
prepend_ibm_rules = optional(bool)
rules = list(
object({
name = string
action = string
destination = string
direction = string
source = string
tcp = optional(
object({
port_max = optional(number)
port_min = optional(number)
source_port_max = optional(number)
source_port_min = optional(number)
})
)
udp = optional(
object({
port_max = optional(number)
port_min = optional(number)
source_port_max = optional(number)
source_port_min = optional(number)
})
)
icmp = optional(
object({
type = optional(number)
code = optional(number)
})
)
})
)
})
)
use_public_gateways = object({
zone-1 = optional(bool)
zone-2 = optional(bool)
zone-3 = optional(bool)
})
subnets = optional(object({
zone-1 = list(object({
name = string
cidr = string
public_gateway = optional(bool)
acl_name = string
no_addr_prefix = optional(bool, false)
}))
zone-2 = list(object({
name = string
cidr = string
public_gateway = optional(bool)
acl_name = string
no_addr_prefix = optional(bool, false)
}))
zone-3 = list(object({
name = string
cidr = string
public_gateway = optional(bool)
acl_name = string
no_addr_prefix = optional(bool, false)
}))
}))
})
)
| n/a | yes | +| [vpcs](#input\_vpcs) | A map describing VPCs to be created in this repo. |
list(
object({
prefix = string # VPC prefix
existing_vpc_id = optional(string)
existing_subnets = optional(
list(
object({
id = string
public_gateway = optional(bool, false)
})
)
)
resource_group = optional(string) # Name of the group where VPC will be created
access_tags = optional(list(string), [])
default_network_acl_name = optional(string)
default_security_group_name = optional(string)
clean_default_sg_acl = optional(bool, false)
dns_binding_name = optional(string, null)
dns_instance_name = optional(string, null)
dns_custom_resolver_name = optional(string, null)
dns_location = optional(string, "global")
dns_plan = optional(string, "standard-dns")
dns_zones = optional(list(object({
name = string
description = optional(string)
label = optional(string, "dns-zone")
})), [])
dns_records = optional(map(list(object({
name = string
type = string
ttl = number
rdata = string
preference = optional(number, null)
service = optional(string, null)
protocol = optional(string, null)
priority = optional(number, null)
weight = optional(number, null)
port = optional(number, null)
}))), {})
existing_dns_instance_id = optional(string, null)
use_existing_dns_instance = optional(bool, false)
enable_hub = optional(bool, false)
skip_spoke_auth_policy = optional(bool, false)
hub_account_id = optional(string, null)
enable_hub_vpc_id = optional(bool, false)
hub_vpc_id = optional(string, null)
enable_hub_vpc_crn = optional(bool, false)
hub_vpc_crn = optional(string, null)
update_delegated_resolver = optional(bool, false)
skip_custom_resolver_hub_creation = optional(bool, false)
resolver_type = optional(string, null)
manual_servers = optional(list(object({
address = string
zone_affinity = optional(string)
})), [])
default_security_group_rules = optional(
list(
object({
name = string
direction = string
remote = string
local = optional(string)
ip_version = optional(string)
tcp = optional(
object({
port_max = optional(number)
port_min = optional(number)
})
)
udp = optional(
object({
port_max = optional(number)
port_min = optional(number)
})
)
icmp = optional(
object({
type = optional(number)
code = optional(number)
})
)
})
)
)
default_routing_table_name = optional(string)
flow_logs_bucket_name = optional(string)
address_prefixes = optional(
object({
zone-1 = optional(list(string))
zone-2 = optional(list(string))
zone-3 = optional(list(string))
})
)
network_acls = list(
object({
name = string
add_ibm_cloud_internal_rules = optional(bool)
add_vpc_connectivity_rules = optional(bool)
prepend_ibm_rules = optional(bool)
rules = list(
object({
name = string
action = string
destination = string
direction = string
source = string
tcp = optional(
object({
port_max = optional(number)
port_min = optional(number)
source_port_max = optional(number)
source_port_min = optional(number)
})
)
udp = optional(
object({
port_max = optional(number)
port_min = optional(number)
source_port_max = optional(number)
source_port_min = optional(number)
})
)
icmp = optional(
object({
type = optional(number)
code = optional(number)
})
)
})
)
})
)
use_public_gateways = object({
zone-1 = optional(bool)
zone-2 = optional(bool)
zone-3 = optional(bool)
})
subnets = optional(object({
zone-1 = list(object({
name = string
cidr = string
public_gateway = optional(bool)
acl_name = string
no_addr_prefix = optional(bool, false)
}))
zone-2 = list(object({
name = string
cidr = string
public_gateway = optional(bool)
acl_name = string
no_addr_prefix = optional(bool, false)
}))
zone-3 = list(object({
name = string
cidr = string
public_gateway = optional(bool)
acl_name = string
no_addr_prefix = optional(bool, false)
}))
}))
})
)
| n/a | yes | | [vpn\_gateways](#input\_vpn\_gateways) | List of VPN Gateways to create. |
list(
object({
name = string
vpc_name = string
subnet_name = string # Do not include prefix, use same name as in `var.subnets`
mode = optional(string)
resource_group = optional(string)
access_tags = optional(list(string), [])
})
)
| n/a | yes | | [vsi](#input\_vsi) | A list describing VSI workloads to create |
list(
object({
name = string
vpc_name = string
subnet_names = list(string)
ssh_keys = list(string)
image_name = string
machine_type = string
vsi_per_subnet = number
user_data = optional(string)
resource_group = optional(string)
enable_floating_ip = optional(bool)
allow_ip_spoofing = optional(bool)
security_groups = optional(list(string))
boot_volume_encryption_key_name = optional(string)
primary_vni_additional_ip_count = optional(number)
use_legacy_network_interface = optional(bool)
access_tags = optional(list(string), [])
security_group = optional(
object({
name = string
rules = list(
object({
name = string
direction = string
source = string
local = optional(string)
ip_version = optional(string)
tcp = optional(
object({
port_max = number
port_min = number
})
)
udp = optional(
object({
port_max = number
port_min = number
})
)
icmp = optional(
object({
type = number
code = number
})
)
})
)
})
)
block_storage_volumes = optional(list(
object({
name = string
profile = string
capacity = optional(number)
iops = optional(number)
encryption_key = optional(string)
})
))
load_balancers = optional(list(
object({
name = string
type = string
listener_port = optional(number)
listener_port_max = optional(number)
listener_port_min = optional(number)
listener_protocol = string
connection_limit = optional(number)
idle_connection_timeout = optional(number)
algorithm = string
protocol = string
health_delay = number
health_retries = number
health_timeout = number
health_type = string
pool_member_port = string
profile = optional(string)
accept_proxy_protocol = optional(bool)
subnet_id_to_provision_nlb = optional(string) # Required for Network Load Balancer. If no value is provided, the first one from the VPC subnet list will be selected.
dns = optional(
object({
instance_crn = string
zone_id = string
})
)
security_group = optional(
object({
name = string
rules = list(
object({
name = string
direction = string
source = string
local = optional(string)
ip_version = optional(string)
tcp = optional(
object({
port_max = number
port_min = number
})
)
udp = optional(
object({
port_max = number
port_min = number
})
)
icmp = optional(
object({
type = number
code = number
})
)
})
)
})
)
})
))
})
)
| n/a | yes |
 | [wait\_till](#input\_wait\_till) | To avoid long wait times when you run your Terraform code, you can specify the stage when you want Terraform to mark the cluster resource creation as completed. Depending on what stage you choose, the cluster creation might not be fully completed and continues to run in the background. However, your Terraform code can continue to run without waiting for the cluster to be fully created. Supported args are `MasterNodeReady`, `OneWorkerNodeReady`, and `IngressReady` | `string` | `"IngressReady"` | no |
diff --git a/bastion_host.tf b/bastion_host.tf
index a0607d91f..11272e281 100644
--- a/bastion_host.tf
+++ b/bastion_host.tf
@@ -42,7 +42,7 @@ module "teleport_config" {
 module "bastion_host" {
 source = "terraform-ibm-modules/landing-zone-vsi/ibm"
- version = "5.14.0"
+ version = "5.15.3"
 for_each = local.bastion_vsi_map
 resource_group_id = each.value.resource_group == null ? null : local.resource_groups[each.value.resource_group]
 create_security_group = each.value.security_group == null ? false : true
diff --git a/cbr.tf b/cbr.tf
index 350f37ec0..0d3c6bb8f 100644
--- a/cbr.tf
+++ b/cbr.tf
@@ -3,7 +3,7 @@
 ##############################################################################
 module "update_cbr_vpc_zone" {
 source = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
- version = "1.33.7"
+ version = "1.33.8"
 count = var.existing_vpc_cbr_zone_id != null ? 1 : 0
 use_existing_cbr_zone = true
 existing_zone_id = var.existing_vpc_cbr_zone_id
diff --git a/cluster.tf b/cluster.tf
index 9b2877b93..2ff0cbbfa 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -244,7 +244,7 @@ module "cluster" {
 if cluster.kube_type == "openshift"
 }
 source = "terraform-ibm-modules/base-ocp-vpc/ibm"
- version = "3.69.0"
+ version = "3.70.0"
 resource_group_id = local.resource_groups[each.value.resource_group]
 region = var.region
 cluster_name = each.value.cluster_name
diff --git a/common-dev-assets b/common-dev-assets
index c4328778c..633c66c4d 160000
--- a/common-dev-assets
+++ b/common-dev-assets
@@ -1 +1 @@
-Subproject commit c4328778ce1a62bc85f641d9249adaac0493cfc9
+Subproject commit 633c66c4db0583f9d2172b84b218469df60cd199
diff --git a/f5_vsi.tf b/f5_vsi.tf
index c6739d703..fbee4608f 100644
--- a/f5_vsi.tf
+++ b/f5_vsi.tf
@@ -117,7 +117,7 @@ locals {
 module "f5_vsi" {
 source = "terraform-ibm-modules/landing-zone-vsi/ibm"
- version = "5.14.0"
+ version = "5.15.3"
 for_each = local.f5_vsi_map
 resource_group_id = each.value.resource_group == null ? null : local.resource_groups[each.value.resource_group]
 create_security_group = each.value.security_group == null ? false : true
diff --git a/main.tf b/main.tf
index c4bd15f9d..cb3974a73 100644
--- a/main.tf
+++ b/main.tf
@@ -33,7 +33,7 @@ locals {
 # Due to existing implicit dependencies we do not think this will be an issue, including auth policies for activity tracker.
 module "vpc" {
 source = "terraform-ibm-modules/landing-zone-vpc/ibm"
- version = "8.7.0"
+ version = "8.8.2"
 for_each = local.vpc_map
 name = each.value.prefix
 existing_vpc_id = each.value.existing_vpc_id
@@ -64,9 +64,7 @@ module "vpc" {
 dns_custom_resolver_name = each.value.dns_custom_resolver_name
 dns_location = each.value.dns_location
 dns_plan = each.value.dns_plan
- dns_zone_name = each.value.dns_zone_name
- dns_zone_description = each.value.dns_zone_description
- dns_zone_label = each.value.dns_zone_label
+ dns_zones = each.value.dns_zones
 dns_records = each.value.dns_records
 existing_dns_instance_id = each.value.existing_dns_instance_id
 use_existing_dns_instance = each.value.use_existing_dns_instance
diff --git a/patterns/vsi-extension/main.tf b/patterns/vsi-extension/main.tf
index b07185415..40c5cd420 100644
--- a/patterns/vsi-extension/main.tf
+++ b/patterns/vsi-extension/main.tf
@@ -44,7 +44,7 @@ locals {
 module "vsi" {
 source = "terraform-ibm-modules/landing-zone-vsi/ibm"
- version = "5.14.0"
+ version = "5.15.3"
 resource_group_id = data.ibm_is_vpc.vpc_by_id.resource_group
 create_security_group = true
 prefix = "${var.prefix}-vsi"
diff --git a/tests/go.mod b/tests/go.mod
index 132ada313..da653f27f 100644
--- a/tests/go.mod
+++ b/tests/go.mod
@@ -5,9 +5,9 @@ go 1.24.0
 toolchain go1.25.3
 require (
- github.com/gruntwork-io/terratest v0.51.0
+ github.com/gruntwork-io/terratest v0.52.0
 github.com/stretchr/testify v1.11.1
- github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.60.17
+ github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.60.18
 )
 require (
diff --git a/tests/go.sum b/tests/go.sum
index 40652bf9b..73ff268fb 100644
--- a/tests/go.sum
+++ b/tests/go.sum
@@ -149,8 +149,8 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+ github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/gruntwork-io/terratest v0.51.0 h1:RCXlCwWlHqhUoxgF6n3hvywvbvrsTXqoqt34BrnLekw= -github.com/gruntwork-io/terratest v0.51.0/go.mod h1:evZHXb8VWDgv5O5zEEwfkwMhkx9I53QR/RB11cISrpg= +github.com/gruntwork-io/terratest v0.52.0 h1:7+I3FqEImowIajZ9Qyo5ngr7n2AUINJko6x+KzlWNjU= +github.com/gruntwork-io/terratest v0.52.0/go.mod h1:y2Evi+Ac04QpzF3mbRPqrBjipDN7gjqlw6+OZoy2vX4= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -296,8 +296,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= -github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.60.17 h1:unGRxvM9OJBTsfDQg/AZCYOeJZ5TqrCsPphjWJ2wI94= -github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.60.17/go.mod h1:g0kmBhFk6pVoTmse42tMNCSNktiOYJHAda/pAzOIxco= +github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.60.18 h1:iu4RNBcDYQ1JLx+b9CqlU6kvUo/Vgv8N+VLJreqgFqU= +github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.60.18/go.mod h1:g0kmBhFk6pVoTmse42tMNCSNktiOYJHAda/pAzOIxco= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= github.com/tmccombs/hcl2json v0.6.4 h1:/FWnzS9JCuyZ4MNwrG4vMrFrzRgsWEOVi+1AyYUVLGw= github.com/tmccombs/hcl2json v0.6.4/go.mod h1:+ppKlIW3H5nsAsZddXPy2iMyvld3SHxyjswOZhavRDk=
diff --git a/variables.tf b/variables.tf
index 9f0ba1cef..db6ef637f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -83,10 +83,12 @@ variable "vpcs" {
 dns_custom_resolver_name = optional(string, null)
 dns_location = optional(string, "global")
 dns_plan = optional(string, "standard-dns")
- dns_zone_name = optional(string, null)
- dns_zone_description = optional(string, null)
- dns_zone_label = optional(string, null)
- dns_records = optional(list(object({
+ dns_zones = optional(list(object({
+ name = string
+ description = optional(string)
+ label = optional(string, "dns-zone")
+ })), [])
+ dns_records = optional(map(list(object({
 name = string
 type = string
 ttl = number
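Review bot: Replacing `dns_zone_name`, `dns_zone_description` and `dns_zone_label` with `dns_zones` inside the `vpcs` object type is a breaking input change that can fail silently, and nothing in this hunk tells callers about it. Terraform discards attributes that an object type constraint does not declare, so a caller that still sets `dns_zone_name` gets no error while `dns_zones` falls back to `[]`; the reshaped `dns_records` (now `map(list(object))`, closed by the `@@ -97,7 +99,7 @@` hunk) would at least fail type conversion for an old list value. I would spell out the migration in the variable's description and add a validation that ties the two attributes together, for example `condition = alltrue([for v in var.vpcs : alltrue([for k in keys(v.dns_records) : contains(v.dns_zones[*].name, k)])])`, assuming the map keys are zone names, which the hunk does not show. The `variable "vpcs"` block starts and ends outside the hunk, so an existing description or validation may already cover part of this.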
@@ -97,7 +99,7 @@ variable "vpcs" {
 priority = optional(number, null)
 weight = optional(number, null)
 port = optional(number, null)
- })), [])
+ }))), {})
 existing_dns_instance_id = optional(string, null)
 use_existing_dns_instance = optional(bool, false)
 enable_hub = optional(bool, false)
diff --git a/virtual_servers.tf b/virtual_servers.tf
index 5afe7a3aa..67fc63a02 100644
--- a/virtual_servers.tf
+++ b/virtual_servers.tf
@@ -41,7 +41,7 @@ data "ibm_is_image" "image" {
 module "vsi" {
 source = "terraform-ibm-modules/landing-zone-vsi/ibm"
- version = "5.14.0"
+ version = "5.15.3"
 for_each = local.vsi_map
 resource_group_id = each.value.resource_group == null ? null : local.resource_groups[each.value.resource_group]
 create_security_group = each.value.security_group == null ? false : true