feat: replace ALB with NLB

cra-tf-validate-ignore-rules.json

@@ -11,18 +11,6 @@
             "description": "Check whether Flow Logs for VPC are enabled",
             "ignore_reason": "In order for this rule to pass, Context Based Restrictions (CBRs) support needs to be added to the module (tracking in https://github.ibm.com/GoldenEye/issues/issues/5626). Even after that is added, there is still a dependency on SCC to support scanning for CBR rules. SCC CBR support is being tracked in https://github.ibm.com/project-fortress/pm/issues/11800.",
             "is_valid": true
-        },
-        {
-            "scc_rule_id": "rule-8c923215-afdc-41b1-886c-64ce78741f8c",
-            "description": "Check whether Application Load Balancer for VPC has health check configured when created",
-            "ignore_reason": "In order for this rule to pass, Context Based Restrictions (CBRs) support needs to be added to the module (tracking in https://github.ibm.com/GoldenEye/issues/issues/5626). Even after that is added, there is still a dependency on SCC to support scanning for CBR rules. SCC CBR support is being tracked in https://github.ibm.com/project-fortress/pm/issues/11800.",
-            "is_valid": true
-        },
-        {
-            "scc_rule_id": "rule-65b61a0f-ffdb-41ba-873d-ad329e7fc0ee",
-            "description": "Check whether Application Load Balancer for VPC is configured to convert HTTP client requests to HTTPS",
-            "ignore_reason": "In order for this rule to pass, Context Based Restrictions (CBRs) support needs to be added to the module (tracking in https://github.ibm.com/GoldenEye/issues/issues/5626). Even after that is added, there is still a dependency on SCC to support scanning for CBR rules. SCC CBR support is being tracked in https://github.ibm.com/project-fortress/pm/issues/11800.",
-            "is_valid": true
         }
     ]
 }

ibm_catalog.json

@@ -378,7 +378,7 @@
               "key": "vsi_ssh_key_data"
             },
             {
-              "key": "application_load_balancer"
+              "key": "network_load_balancer"
             },
             {
               "key": "ssh_public_key"
@@ -1025,7 +1025,7 @@
               "key": "vsi_names"
             },
             {
-              "key": "application_load_balancer"
+              "key": "network_load_balancer"
             },
             {
               "key": "ssh_public_key"
@@ -1444,7 +1444,7 @@
               "key": "vsi_ssh_key_data"
             },
             {
-              "key": "application_load_balancer"
+              "key": "network_load_balancer"
             },
             {
               "key": "ssh_public_key"

modules/powervs-vpc-landing-zone/README.md

@@ -9,7 +9,7 @@ This module provisions the following resources in IBM Cloud:
     - Optional VSI for Monitoring host
     - Optional [Client to site VPN server](https://cloud.ibm.com/docs/vpc?topic=vpc-vpn-client-to-site-overview)
     - Optional [File storage share](https://cloud.ibm.com/docs/vpc?topic=vpc-file-storage-create&interface=ui)
-    - Optional [Application load balancer](https://cloud.ibm.com/docs/vpc?topic=vpc-load-balancers&interface=ui)
+    - Optional [Network load balancer](https://cloud.ibm.com/docs/vpc?group=network-load-balancer)
     - IBM Cloud Object storage(COS) Virtual Private endpoint gateway(VPE)
     - IBM Cloud Object storage(COS) Instance and buckets
     - VPC flow logs
@@ -118,14 +118,19 @@ Creates VPC Landing Zone | Performs VPC VSI OS Config | Creates PowerVS Infrastr
 | <a name="module_scc_wp_instance"></a> [scc\_wp\_instance](#module\_scc\_wp\_instance) | terraform-ibm-modules/scc-workload-protection/ibm | 1.10.13 |
 | <a name="module_secrets_manager_group"></a> [secrets\_manager\_group](#module\_secrets\_manager\_group) | terraform-ibm-modules/secrets-manager-secret-group/ibm | 1.3.12 |
 | <a name="module_secrets_manager_private_certificate"></a> [secrets\_manager\_private\_certificate](#module\_secrets\_manager\_private\_certificate) | terraform-ibm-modules/secrets-manager-private-cert/ibm | 1.4.3 |
-| <a name="module_vpc_file_share_alb"></a> [vpc\_file\_share\_alb](#module\_vpc\_file\_share\_alb) | ./submodules/fileshare-alb | n/a |
 
 ### Resources
 
 | Name | Type |
 |------|------|
+| [ibm_is_lb.file_share_nlb](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_lb) | resource |
+| [ibm_is_lb_listener.nfs_front_end_listener](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_lb_listener) | resource |
+| [ibm_is_lb_pool.nfs_backend_pool](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_lb_pool) | resource |
+| [ibm_is_share.file_share_nfs](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_share) | resource |
+| [ibm_is_share_mount_target.mount_target_nfs](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_share_mount_target) | resource |
 | [ibm_is_vpc_address_prefix.vpn_address_prefix](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_address_prefix) | resource |
-| [ibm_is_vpc_routing_table.transit](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table) | resource |
+| [ibm_is_vpc_routing_table.routing_table](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table) | resource |
+| [ibm_is_vpc_routing_table_route.nfs_route](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table_route) | resource |
 | [ibm_resource_instance.monitoring_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
 | [ibm_resource_instance.secrets_manager](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
 
@@ -168,12 +173,13 @@ Creates VPC Landing Zone | Performs VPC VSI OS Config | Creates PowerVS Infrastr
 |------|-------------|
 | <a name="output_access_host_or_ip"></a> [access\_host\_or\_ip](#output\_access\_host\_or\_ip) | Access host(jump/bastion) for created PowerVS infrastructure. |
 | <a name="output_ansible_host_or_ip"></a> [ansible\_host\_or\_ip](#output\_ansible\_host\_or\_ip) | Central Ansible node private IP address. |
-| <a name="output_application_load_balancer"></a> [application\_load\_balancer](#output\_application\_load\_balancer) | Details of application load balancer. |
 | <a name="output_dns_host_or_ip"></a> [dns\_host\_or\_ip](#output\_dns\_host\_or\_ip) | DNS forwarder host for created PowerVS infrastructure. |
 | <a name="output_kms_key_map"></a> [kms\_key\_map](#output\_kms\_key\_map) | Map of ids and keys for KMS keys created |
 | <a name="output_monitoring_instance"></a> [monitoring\_instance](#output\_monitoring\_instance) | Details of the IBM Cloud Monitoring Instance: CRN, location, guid, monitoring\_host\_ip. |
+| <a name="output_network_load_balancer"></a> [network\_load\_balancer](#output\_network\_load\_balancer) | Details of network load balancer. |
 | <a name="output_network_services_config"></a> [network\_services\_config](#output\_network\_services\_config) | Complete configuration of network management services. |
 | <a name="output_nfs_host_or_ip_path"></a> [nfs\_host\_or\_ip\_path](#output\_nfs\_host\_or\_ip\_path) | NFS host for created PowerVS infrastructure. |
+| <a name="output_nlb_nfs_network_services_ready"></a> [nlb\_nfs\_network\_services\_ready](#output\_nlb\_nfs\_network\_services\_ready) | Output value that always returns true but depends on nfs, nlb, and network services playbook. Used to create implicit dependency for PowerVS initialization so PowerVS instance creation can start in parallel with nfs, nlb, and network services. |
 | <a name="output_ntp_host_or_ip"></a> [ntp\_host\_or\_ip](#output\_ntp\_host\_or\_ip) | NTP host for created PowerVS infrastructure. |
 | <a name="output_powervs_backup_subnet"></a> [powervs\_backup\_subnet](#output\_powervs\_backup\_subnet) | Name, ID and CIDR of backup private network in created PowerVS infrastructure. |
 | <a name="output_powervs_images"></a> [powervs\_images](#output\_powervs\_images) | Object containing imported PowerVS image names and image ids. |

modules/powervs-vpc-landing-zone/client2sitevpn.tf

@@ -142,15 +142,15 @@ module "client_to_site_vpn" {
 }
 
 # Allows VPN Server <=> Transit Gateway traffic
-resource "ibm_is_vpc_routing_table" "transit" {
-  provider = ibm.ibm-is
-  count    = var.client_to_site_vpn.enable ? 1 : 0
-
-  vpc                              = [for vpc in module.landing_zone.vpc_data : vpc.vpc_id if vpc.vpc_name == "${var.prefix}-edge"][0]
-  name                             = "${var.prefix}-route-table-vpn-server-transit"
-  route_transit_gateway_ingress    = true
-  accept_routes_from_resource_type = ["vpn_server"]
-}
+# resource "ibm_is_vpc_routing_table" "transit" {
+#   provider = ibm.ibm-is
+#   count    = var.client_to_site_vpn.enable ? 1 : 0
+
+#   vpc                              = [for vpc in module.landing_zone.vpc_data : vpc.vpc_id if vpc.vpc_name == "${var.prefix}-edge"][0]
+#   name                             = "${var.prefix}-route-table-vpn-server-transit"
+#   route_transit_gateway_ingress    = true
+#   accept_routes_from_resource_type = ["vpn_server"]
+# }
 
 # Allows VPN Clients <=> Transit Gateway traffic
 resource "ibm_is_vpc_address_prefix" "vpn_address_prefix" {

modules/powervs-vpc-landing-zone/fileshare-nlb.tf

@@ -0,0 +1,112 @@
+#####################################################
+# File share for NFS and Network Load Balancer
+#####################################################
+
+locals {
+  vpc_zone                      = "${lookup(local.ibm_powervs_zone_cloud_region_map, var.powervs_zone, null)}-1"
+  resource_group_id             = module.landing_zone.resource_group_data["${var.prefix}-${local.second_rg_name}"]
+  file_share_name               = "${var.prefix}-file-share-nfs"
+  file_share_size               = var.nfs_server_config.size
+  file_share_iops               = var.nfs_server_config.iops
+  file_share_mount_target_name  = "${var.prefix}-nfs"
+  file_share_subnet_id          = [for subnet in module.landing_zone.subnet_data : subnet.id if subnet.name == "${var.prefix}-edge-vsi-edge-zone-1"][0]
+  file_share_security_group_ids = [for security_group in module.landing_zone.vpc_data[0].vpc_data.security_group : security_group.group_id if security_group.group_name == "network-services-sg"]
+  nlb_name                      = "${var.prefix}-file-share-nlb"
+  nlb_subnet_ids                = [for subnet in module.landing_zone.subnet_data : subnet.id if subnet.name == "${var.prefix}-edge-vsi-edge-zone-1"]
+  nlb_security_group_ids        = [for security_group in module.landing_zone.vpc_data[0].vpc_data.security_group : security_group.group_id if security_group.group_name == "network-services-sg"]
+  routing_table_name            = "${var.prefix}-routing"
+}
+
+resource "ibm_is_share" "file_share_nfs" {
+  provider = ibm.ibm-is
+  count    = var.configure_nfs_server ? 1 : 0
+
+  name                = local.file_share_name
+  size                = local.file_share_size
+  profile             = "dp2"
+  access_control_mode = "security_group"
+  iops                = local.file_share_iops
+  zone                = local.vpc_zone
+  resource_group      = local.resource_group_id
+}
+
+resource "ibm_is_share_mount_target" "mount_target_nfs" {
+  provider = ibm.ibm-is
+  count    = var.configure_nfs_server ? 1 : 0
+
+  name  = local.file_share_mount_target_name
+  share = ibm_is_share.file_share_nfs[0].id
+  virtual_network_interface {
+    name            = local.file_share_mount_target_name
+    resource_group  = local.resource_group_id
+    subnet          = local.file_share_subnet_id
+    security_groups = local.file_share_security_group_ids
+  }
+}
+
+resource "ibm_is_lb" "file_share_nlb" {
+  provider = ibm.ibm-is
+  count    = var.configure_nfs_server ? 1 : 0
+
+  name            = local.nlb_name
+  resource_group  = local.resource_group_id
+  type            = "private"
+  subnets         = local.nlb_subnet_ids
+  profile         = "network-fixed"
+  security_groups = local.nlb_security_group_ids
+  route_mode      = true
+}
+
+resource "ibm_is_lb_pool" "nfs_backend_pool" {
+  provider = ibm.ibm-is
+  count    = var.configure_nfs_server ? 1 : 0
+
+  name                = "nfs-backend-pool"
+  lb                  = ibm_is_lb.file_share_nlb[0].id
+  algorithm           = "round_robin"
+  protocol            = "tcp"
+  health_type         = "tcp"
+  health_delay        = 5
+  health_retries      = 2
+  health_timeout      = 2
+  health_monitor_port = 2049
+  failsafe_policy {
+    action = "bypass"
+  }
+}
+
+resource "ibm_is_lb_listener" "nfs_front_end_listener" {
+  provider = ibm.ibm-is
+  count    = var.configure_nfs_server ? 1 : 0
+
+  lb           = ibm_is_lb.file_share_nlb[0].id
+  default_pool = ibm_is_lb_pool.nfs_backend_pool[0].id
+  protocol     = "tcp"
+}
+
+resource "ibm_is_vpc_routing_table_route" "nfs_route" {
+  provider = ibm.ibm-is
+  count    = var.configure_nfs_server ? 1 : 0
+
+  name          = "nfs-route"
+  vpc           = ibm_is_share_mount_target.mount_target_nfs[0].vpc
+  routing_table = ibm_is_vpc_routing_table.routing_table[0].routing_table
+  zone          = local.vpc_zone
+  destination   = "${split(":", ibm_is_share_mount_target.mount_target_nfs[0].mount_path)[0]}/32"
+  action        = "deliver"
+  advertise     = false
+  next_hop      = ibm_is_lb.file_share_nlb[0].private_ips[0]
+}
+
+locals {
+  nfs_host_or_ip_path = var.configure_nfs_server ? ibm_is_share_mount_target.mount_target_nfs[0].mount_path : ""
+  file_share_nlb = var.configure_nfs_server ? {
+    name        = ibm_is_lb.file_share_nlb[0].name
+    id          = ibm_is_lb.file_share_nlb[0].id
+    private_ips = [for private_ip in ibm_is_lb.file_share_nlb[0].private_ip : private_ip.address]
+    } : {
+    name        = ""
+    id          = ""
+    private_ips = []
+  }
+}

modules/powervs-vpc-landing-zone/main.tf

@@ -105,27 +105,18 @@ locals {
   }
 }
 
-###########################################################
-# File share for NFS and Application Load Balancer module
-###########################################################
-
-module "vpc_file_share_alb" {
-  source    = "./submodules/fileshare-alb"
-  providers = { ibm = ibm.ibm-is }
-  count     = var.configure_nfs_server ? 1 : 0
-
-  vpc_zone                      = "${lookup(local.ibm_powervs_zone_cloud_region_map, var.powervs_zone, null)}-1"
-  resource_group_id             = module.landing_zone.resource_group_data["${var.prefix}-${local.second_rg_name}"]
-  file_share_name               = "${var.prefix}-file-share-nfs"
-  file_share_size               = var.nfs_server_config.size
-  file_share_iops               = var.nfs_server_config.iops
-  file_share_mount_target_name  = "${var.prefix}-nfs"
-  file_share_subnet_id          = [for subnet in module.landing_zone.subnet_data : subnet.id if subnet.name == "${var.prefix}-edge-vsi-edge-zone-1"][0]
-  file_share_security_group_ids = [for security_group in module.landing_zone.vpc_data[0].vpc_data.security_group : security_group.group_id if security_group.group_name == "network-services-sg"]
-  alb_name                      = "${var.prefix}-file-share-alb"
-  alb_subnet_ids                = [for subnet in module.landing_zone.subnet_data : subnet.id if subnet.name == "${var.prefix}-edge-vsi-edge-zone-1"]
-  alb_security_group_ids        = [for security_group in module.landing_zone.vpc_data[0].vpc_data.security_group : security_group.group_id if security_group.group_name == "network-services-sg"]
-
+# ###########################################################
+# # Routing table used by NLB for NFS and VPN
+# ###########################################################
+
+resource "ibm_is_vpc_routing_table" "routing_table" {
+  provider = ibm.ibm-is
+  count    = var.configure_nfs_server || var.client_to_site_vpn.enable ? 1 : 0
+
+  name                             = local.routing_table_name
+  vpc                              = [for vpc in module.landing_zone.vpc_data : vpc.vpc_id if vpc.vpc_name == "${var.prefix}-edge"][0]
+  route_transit_gateway_ingress    = true
+  accept_routes_from_resource_type = var.client_to_site_vpn.enable ? ["vpn_server"] : []
 }
 
 ###########################################################
@@ -195,7 +186,7 @@ locals {
     }
     nfs = {
       "enable"          = var.configure_nfs_server
-      "nfs_server_path" = var.configure_nfs_server ? module.vpc_file_share_alb[0].nfs_host_or_ip_path : ""
+      "nfs_server_path" = var.configure_nfs_server ? ibm_is_share_mount_target.mount_target_nfs[0].mount_path : ""
       "nfs_client_path" = var.configure_nfs_server ? var.nfs_server_config.mount_path : ""
       "opts"            = "sec=sys,nfsvers=4.1,nofail"
       "fstype"          = "nfs4"
@@ -207,7 +198,7 @@ locals {
 module "configure_network_services" {
 
   source     = "./submodules/ansible"
-  depends_on = [module.vpc_file_share_alb]
+  depends_on = [ibm_is_share_mount_target.mount_target_nfs]
 
   bastion_host_ip        = local.access_host_or_ip
   ansible_host_or_ip     = local.network_services_vsi_ip

modules/powervs-vpc-landing-zone/outputs.tf

@@ -62,9 +62,9 @@ output "resource_group_data" {
   value       = module.landing_zone.resource_group_data
 }
 
-output "application_load_balancer" {
-  description = "Details of application load balancer."
-  value       = var.configure_nfs_server ? module.vpc_file_share_alb[0].file_share_alb : { name = "", id = "", private_ips = [] }
+output "network_load_balancer" {
+  description = "Details of network load balancer."
+  value       = var.configure_nfs_server ? local.file_share_nlb : { name = "", id = "", private_ips = [] }
 }
 
 output "access_host_or_ip" {
@@ -89,7 +89,7 @@ output "ntp_host_or_ip" {
 
 output "nfs_host_or_ip_path" {
   description = "NFS host for created PowerVS infrastructure."
-  value       = var.configure_nfs_server ? module.vpc_file_share_alb[0].nfs_host_or_ip_path : ""
+  value       = var.configure_nfs_server ? local.nfs_host_or_ip_path : ""
 }
 
 output "ansible_host_or_ip" {
@@ -168,3 +168,8 @@ output "scc_wp_instance" {
   description = "Details of the Security and Compliance Center Workload Protection Instance: guid, access key, api_endpoint, ingestion_endpoint."
   value       = local.scc_wp_instance
 }
+
+output "nlb_nfs_network_services_ready" {
+  description = "Output value that always returns true but depends on nfs, nlb, and network services playbook. Used to create implicit dependency for PowerVS initialization so PowerVS instance creation can start in parallel with nfs, nlb, and network services."
+  value       = length([module.configure_network_services.playbook_output, ibm_is_vpc_routing_table_route.nfs_route, ibm_is_lb_listener.nfs_front_end_listener]) >= 0
+}

modules/powervs-vpc-landing-zone/submodules/ansible/README.md

@@ -42,5 +42,7 @@ No modules.
 
 ### Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_playbook_output"></a> [playbook\_output](#output\_playbook\_output) | Output from execute\_playbooks. Only available after apply. Can be used to create an implicit dependency on the playbook execution. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/powervs-vpc-landing-zone/submodules/ansible/outputs.tf

@@ -0,0 +1,4 @@
+output "playbook_output" {
+  description = "Output from execute_playbooks. Only available after apply. Can be used to create an implicit dependency on the playbook execution."
+  value       = var.ansible_vault_password == null ? terraform_data.execute_playbooks[0].output : terraform_data.execute_playbooks_with_vault[0].output
+}