diff --git a/.trivyignore b/.trivyignore
deleted file mode 100644
index c81f7732..00000000
--- a/.trivyignore
+++ /dev/null
@@ -1 +0,0 @@
-AVD-AZU-0012
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 36a73883..8c7a9121 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -220,6 +220,14 @@
 "type": "multiline_secure_value"
 }
 },
+ {
+ "key": "vpc_subnet_cidrs",
+ "custom_config": {
+ "grouping": "deployment",
+ "original_grouping": "deployment",
+ "type": "code_editor"
+ }
+ },
 {
 "key": "powervs_management_network"
 },
@@ -472,7 +480,7 @@
 {
 "diagram": {
 "caption": "Power Virtual Server with VPC landing zone 'Standard Landscape' variation",
- "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v10.0.1/reference-architectures/standard/deploy-arch-ibm-pvs-inf-standard.svg",
+ "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v10.1.1/reference-architectures/standard/deploy-arch-ibm-pvs-inf-standard.svg",
 "type": "image/svg+xml"
 },
 "description": "The Power Virtual Server with VPC landing zone as variation 'Create a new architecture' deploys VPC services and a Power Virtual Server workspace and interconnects them.\n \nRequired and optional management components are configured."
@@ -871,6 +879,14 @@
 "type": "code_editor"
 }
 },
+ {
+ "key": "vpc_subnet_cidrs",
+ "custom_config": {
+ "grouping": "deployment",
+ "original_grouping": "deployment",
+ "type": "code_editor"
+ }
+ },
 {
 "key": "powervs_management_network"
 },
@@ -1088,7 +1104,7 @@
 {
 "diagram": {
 "caption": "Power Virtual Server with VPC landing zone 'Quickstart' variation",
- "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v10.0.1/reference-architectures/standard-plus-vsi/deploy-arch-ibm-pvs-inf-standard-plus-vsi.svg",
+ "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v10.1.1/reference-architectures/standard-plus-vsi/deploy-arch-ibm-pvs-inf-standard-plus-vsi.svg",
 "type": "image/svg+xml"
 },
 "description": "The Power Virtual Server with VPC landing zone as 'Quickstart' variation of 'Create a new architecture' option deploys VPC services and a Power Virtual Server workspace and interconnects them. It also creates one Power virtual server instance of chosen t-shirt size or custom configuration.\n \nRequired and optional management components are configured."
@@ -1494,7 +1510,7 @@
 {
 "diagram": {
 "caption": "Power Virtual Server with VPC landing zone 'Quickstart OpenShift' variation",
- "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v10.0.1/reference-architectures/standard-openshift/deploy-arch-ibm-pvs-inf-standard-openshift.svg",
+ "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v10.1.1/reference-architectures/standard-openshift/deploy-arch-ibm-pvs-inf-standard-openshift.svg",
 "type": "image/svg+xml"
 },
 "description": "The Power Virtual Server with VPC landing zone as variation 'Quickstart OpenShift' deploys VPC services and an Openshift Cluster on PowerVS and interconnects them.\n \nRequired and optional management components are configured."
diff --git a/modules/powervs-vpc-landing-zone/README.md b/modules/powervs-vpc-landing-zone/README.md
index 8ac95621..b4a93d4e 100644
--- a/modules/powervs-vpc-landing-zone/README.md
+++ b/modules/powervs-vpc-landing-zone/README.md
@@ -142,7 +142,7 @@ Creates VPC Landing Zone | Performs VPC VSI OS Config | Creates PowerVS Infrastr | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [ansible\_vault\_password](#input\_ansible\_vault\_password) | Vault password to encrypt ansible playbooks that contain sensitive information. Required when SCC workload Protection is enabled. Password requirements: 15-100 characters and at least one uppercase letter, one lowercase letter, one number, and one special character. Allowed characters: A-Z, a-z, 0-9, !#$%&()*+-.:;<=>?@[]\_{\|}~. | `string` | `null` | no | -| [client\_to\_site\_vpn](#input\_client\_to\_site\_vpn) | VPN configuration - the client ip pool and list of users email ids to access the environment. If enabled, then a Secret Manager instance is also provisioned with certificates generated. See optional parameters to reuse an existing Secrets manager instance. PowerVS server routes need to be created for the VPN so the PowerVS instances can be reached. Each route must have a unique name and destination CIDR. |
object({
enable = bool
client_ip_pool = string
vpn_client_access_group_users = list(string)
powervs_server_routes = list(object({
route_name = string
destination = string
action = string
}))
}
)
|
{
"client_ip_pool": "192.168.0.0/16",
"enable": false,
"powervs_server_routes": null,
"vpn_client_access_group_users": []
}
| no | +| [client\_to\_site\_vpn](#input\_client\_to\_site\_vpn) | VPN configuration - the client ip pool and list of users email ids to access the environment. If enabled, then a Secret Manager instance is also provisioned with certificates generated. See optional parameters to reuse an existing Secrets manager instance. PowerVS server routes will create additional entries in the routing table to establish connectivity between the VPN and PowerVS. This is only needed if the PowerVS subnets are in this module are set to null and additional subnets are created outside of this module. Each route must have a unique name and destination CIDR. |
object({
enable = bool
client_ip_pool = string
vpn_client_access_group_users = list(string)
powervs_server_routes = optional(list(object({
route_name = string
destination = string
action = string
})))
}
)
|
{
"client_ip_pool": "192.168.0.0/16",
"enable": false,
"powervs_server_routes": null,
"vpn_client_access_group_users": []
}
| no | | [configure\_dns\_forwarder](#input\_configure\_dns\_forwarder) | Specify if DNS forwarder will be configured. This will allow you to use central DNS servers (e.g. IBM Cloud DNS servers) sitting outside of the created IBM PowerVS infrastructure. If yes, ensure 'dns\_forwarder\_config' optional variable is set properly. DNS forwarder will be installed on the network-services vsi. | `bool` | `false` | no | | [configure\_nfs\_server](#input\_configure\_nfs\_server) | Specify if NFS server will be configured. This will allow you easily to share files between PowerVS instances (e.g., SAP installation files). [File storage share and mount target](https://cloud.ibm.com/docs/vpc?topic=vpc-file-storage-create&interface=ui) in VPC will be created.. If yes, ensure 'nfs\_server\_config' optional variable is set properly below. Default value is '200GB' which will be mounted on specified directory in network-service vsi. | `bool` | `false` | no | | [configure\_ntp\_forwarder](#input\_configure\_ntp\_forwarder) | Specify if NTP forwarder will be configured. This will allow you to synchronize time between IBM PowerVS instances. NTP forwarder will be installed on the network-services vsi. | `bool` | `false` | no | 
@@ -171,6 +171,7 @@ Creates VPC Landing Zone | Performs VPC VSI OS Config | Creates PowerVS Infrastr | [transit\_gateway\_global](#input\_transit\_gateway\_global) | Connect to the networks outside the associated region. | `bool` | `false` | no | | [user\_data](#input\_user\_data) | User data that automatically performs common configuration tasks or runs scripts. For more information, see https://cloud.ibm.com/docs/vpc?topic=vpc-user-data. For information on using the user\_data variable, please refer: https://cloud.ibm.com/docs/secure-infrastructure-vpc?topic=secure-infrastructure-vpc-user-data | `string` | `null` | no | | [vpc\_intel\_images](#input\_vpc\_intel\_images) | Stock OS image names for creating VPC landing zone VSI instances: RHEL (management and network services) and SLES (monitoring). |
object({
rhel_image = string
sles_image = string
})
| n/a | yes | +| [vpc\_subnet\_cidrs](#input\_vpc\_subnet\_cidrs) | CIDR values for the VPC subnets to be created. It's customer responsibility that none of the defined networks collide, including the PowerVS subnets and VPN client pool. |
object({
vpn = string
mgmt = string
vpe = string
edge = string
})
|
{
"edge": "10.30.40.0/24",
"mgmt": "10.30.20.0/24",
"vpe": "10.30.30.0/24",
"vpn": "10.30.10.0/24"
}
| no | ### Outputs diff --git a/modules/powervs-vpc-landing-zone/client2sitevpn.tf b/modules/powervs-vpc-landing-zone/client2sitevpn.tf index 01ccf097..ed648147 100644 --- a/modules/powervs-vpc-landing-zone/client2sitevpn.tf +++ b/modules/powervs-vpc-landing-zone/client2sitevpn.tf 
@@ -20,25 +20,52 @@ locals {
 intermediate_ca_name = "${var.prefix}-intermediate-ca"
 cert_common_name = "example"
- default_server_routes = {
- "vpc-vsis" = {
- destination = "10.0.0.0/8"
+ # powervs routes
+ powervs_mgmt_route = var.powervs_management_network != null ? {
+ (replace(var.powervs_management_network.name, "_", "-")) : {
+ destination = var.powervs_management_network.cidr
+ action = "deliver"
+ }
+ } : {}
+ powervs_bckp_route = var.powervs_backup_network != null ? {
+ (replace(var.powervs_backup_network.name, "_", "-")) : {
+ destination = var.powervs_backup_network.cidr
+ action = "deliver"
+ }
+ } : {}
+
+ # vpc routes
+ vpc_server_routes = {
+ "vpc-vpn" : {
+ destination = var.vpc_subnet_cidrs.vpn
+ action = "deliver"
+ },
+ "vpc-mgmt" : {
+ destination = var.vpc_subnet_cidrs.mgmt
+ action = "deliver"
+ },
+ "vpc-vpe" : {
+ destination = var.vpc_subnet_cidrs.vpe
+ action = "deliver"
+ },
+ "vpc-edge" : {
+ destination = var.vpc_subnet_cidrs.edge
 action = "deliver"
 }
 }
- vpn_server_routes = var.client_to_site_vpn.powervs_server_routes != null ? merge(local.default_server_routes,
- tomap(
- {
- for instance in var.client_to_site_vpn.powervs_server_routes :
- instance.route_name => {
- destination = instance.destination
- action = instance.action
- }
- if !startswith(instance.destination, "10.")
+ # add additional routes (needed for networks created outside of this module)
+ additional_routes = var.client_to_site_vpn.powervs_server_routes != null ? tomap(
+ {
+ for instance in var.client_to_site_vpn.powervs_server_routes :
+ instance.route_name => {
+ destination = instance.destination
+ action = instance.action
 }
- )
- ) : local.default_server_routes
+ }
+ ) : {}
+
+ vpn_server_routes = merge(local.powervs_mgmt_route, local.powervs_bckp_route, local.vpc_server_routes, local.additional_routes)
 }
diff --git a/modules/powervs-vpc-landing-zone/main.tf b/modules/powervs-vpc-landing-zone/main.tf
index 61a49d8d..5faec60a 100644
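Review bot: `vpn_server_routes` merges `local.additional_routes` last, and merge() gives later arguments precedence, so a caller-supplied `route_name` equal to one of the fixed keys (`vpc-vpn`, `vpc-mgmt`, `vpc-vpe`, `vpc-edge`) or to a PowerVS network name after its `_`→`-` rewrite silently replaces the module-managed route instead of failing. Putting the caller's routes first, `vpn_server_routes = merge(local.additional_routes, local.powervs_mgmt_route, local.powervs_bckp_route, local.vpc_server_routes)`, makes the module's routes always win; whichever order is kept should be stated in the `# add additional routes` comment. The former `if !startswith(instance.destination, "10.")` filter is also gone, so an additional route whose destination overlaps a built-in one is now passed through unchanged; if that is intended, a one-line comment saying overlapping destinations are the caller's responsibility would help. The `_`→`-` rewrite also means two PowerVS networks that differ only in `_` vs `-` collapse to the same key. The `locals` block starts before this hunk.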
--- a/modules/powervs-vpc-landing-zone/main.tf
+++ b/modules/powervs-vpc-landing-zone/main.tf
@@ -17,6 +17,10 @@ locals {
 sles_image = var.vpc_intel_images.sles_image,
 second_rg_name = local.second_rg_name,
 tgw_rg_name = local.tgw_rg_name
+ vpc_subnet_cidrs = var.vpc_subnet_cidrs
+ powervs_mgmt_cidr = var.powervs_management_network != null ? var.powervs_management_network.cidr : null
+ powervs_bckp_cidr = var.powervs_backup_network != null ? var.powervs_backup_network.cidr : null
+ vpn_client_cidr = var.client_to_site_vpn.enable ? var.client_to_site_vpn.client_ip_pool : null
 }
 )
 }
diff --git a/modules/powervs-vpc-landing-zone/presets/slz-preset.json.tftpl b/modules/powervs-vpc-landing-zone/presets/slz-preset.json.tftpl
index 3b35533d..a05f03fe 100644
--- a/modules/powervs-vpc-landing-zone/presets/slz-preset.json.tftpl
+++ b/modules/powervs-vpc-landing-zone/presets/slz-preset.json.tftpl
@@ -130,32 +130,74 @@
 "source": "161.26.0.0/16"
 },
 {
- "name": "allow-private1-inbound",
+ "name": "allow-vpn-inbound",
 "direction": "inbound",
- "source": "10.0.0.0/8",
+ "source": "${vpc_subnet_cidrs.vpn}",
 "tcp": {
 "port_max": 22,
 "port_min": 22
 }
 },
 {
- "name": "allow-private2-inbound",
+ "name": "allow-mgmt-inbound",
 "direction": "inbound",
- "source": "172.16.0.0/12",
+ "source": "${vpc_subnet_cidrs.mgmt}",
 "tcp": {
 "port_max": 22,
 "port_min": 22
 }
 },
 {
- "name": "allow-private3-inbound",
+ "name": "allow-vpe-inbound",
 "direction": "inbound",
- "source": "192.168.0.0/16",
+ "source": "${vpc_subnet_cidrs.vpe}",
 "tcp": {
 "port_max": 22,
 "port_min": 22
 }
 },
+ {
+ "name": "allow-edge-inbound",
+ "direction": "inbound",
+ "source": "${vpc_subnet_cidrs.edge}",
+ "tcp": {
+ "port_max": 22,
+ "port_min": 22
+ }
+ },
+ %{ if "${powervs_mgmt_cidr}" != null }
+ {
+ "name": "allow-pvs-mgmt-inbound",
+ "direction": "inbound",
+ "source": "${powervs_mgmt_cidr}",
+ "tcp": {
+ "port_max": 22,
+ "port_min": 22
+ }
+ },
+ %{ endif }
+ %{ if "${powervs_bckp_cidr}" != null }
+ {
+ "name": "allow-pvs-bckp-inbound",
+ "direction": "inbound",
+ "source": "${powervs_bckp_cidr}",
+ "tcp": {
+ "port_max": 22,
+ "port_min": 22
+ }
+ },
+ %{ endif }
+ %{ if "${vpn_client_cidr}" != null }
+ {
+ "name": "allow-vpn-client-inbound",
+ "direction": "inbound",
+ "source": "${vpn_client_cidr}",
+ "tcp": {
+ "port_max": 22,
+ "port_min": 22
+ }
+ },
+ %{ endif }
 {
 "name": "allow-ssh-inbound-schematics1",
 "direction": "inbound",
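Review bot: The new directives test a quoted interpolation, `%{ if "${powervs_mgmt_cidr}" != null }`, but main.tf passes `powervs_mgmt_cidr`, `powervs_bckp_cidr` and `vpn_client_cidr` as null whenever the network or VPN is absent, and a null value inside a string template is normally rejected ("Cannot include a null value in a string template") rather than compared with null; if templatefile behaves the same way, the template fails in exactly the case the guard exists for. Comparing the value directly, `%{ if powervs_mgmt_cidr != null }`, avoids the string conversion; the same pattern appears in all three guards of this hunk and in the security-group rule hunks at 571 and 598 of this file. Narrowing the port-22 sources from `10.0.0.0/8`, `172.16.0.0/12` and `192.168.0.0/16` to the concrete VPC subnets, PowerVS subnets and VPN client pool is a real tightening and worth a sentence in the PR description, since callers who relied on the broad RFC1918 ranges will lose SSH reachability from other private networks.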
@@ -571,20 +613,46 @@
 "source": "161.26.0.0/16"
 },
 {
+ "name": "allow-vpn-inbound",
+ "direction": "inbound",
+ "source": "${vpc_subnet_cidrs.vpn}"
+ },
+ {
+ "name": "allow-mgmt-inbound",
 "direction": "inbound",
- "name": "allow-private1-inbound",
- "source": "10.0.0.0/8"
+ "source": "${vpc_subnet_cidrs.mgmt}"
 },
 {
+ "name": "allow-vpe-inbound",
 "direction": "inbound",
- "name": "allow-private2-inbound",
- "source": "172.16.0.0/12"
+ "source": "${vpc_subnet_cidrs.vpe}"
 },
 {
+ "name": "allow-edge-inbound",
 "direction": "inbound",
- "name": "allow-private3-inbound",
- "source": "192.168.0.0/16"
+ "source": "${vpc_subnet_cidrs.edge}"
 },
+ %{ if "${powervs_mgmt_cidr}" != null }
+ {
+ "name": "allow-pvs-mgmt-inbound",
+ "direction": "inbound",
+ "source": "${powervs_mgmt_cidr}"
+ },
+ %{ endif }
+ %{ if "${powervs_bckp_cidr}" != null }
+ {
+ "name": "allow-pvs-bckp-inbound",
+ "direction": "inbound",
+ "source": "${powervs_bckp_cidr}"
+ },
+ %{ endif }
+ %{ if "${vpn_client_cidr}" != null }
+ {
+ "direction": "inbound",
+ "name": "allow-vpn-client-inbound",
+ "source": "${vpn_client_cidr}"
+ },
+ %{ endif }
 {
 "direction": "outbound",
 "name": "allow-all-outbound",
@@ -598,35 +666,60 @@
 "resource_group": "${second_rg_name}",
 "show": false,
 "rules": [
+ %{ if "${powervs_mgmt_cidr}" != null }
+ {
+ "name": "allow-pvs-mgmt-inbound",
+ "direction": "inbound",
+ "source": "${powervs_mgmt_cidr}"
+ },
+ %{ endif }
+ %{ if "${powervs_bckp_cidr}" != null }
+ {
+ "name": "allow-pvs-bckp-inbound",
+ "direction": "inbound",
+ "source": "${powervs_bckp_cidr}"
+ },
+ %{ endif }
+ %{ if "${vpn_client_cidr}" != null }
+ {
+ "direction": "inbound",
+ "name": "allow-vpn-client-inbound",
+ "source": "${vpn_client_cidr}"
+ },
+ {
+ "direction": "outbound",
+ "name": "allow-all-outbound",
+ "source": "0.0.0.0/0"
+ },
+ %{ endif }
 {
 "direction": "inbound",
 "name": "allow-ibm-inbound",
 "source": "161.26.0.0/16"
 },
 {
+ "name": "allow-vpn-inbound",
 "direction": "inbound",
- "name": "allow-private1-inbound",
- "source": "10.0.0.0/8"
+ "source": "${vpc_subnet_cidrs.vpn}"
 },
 {
+ "name": "allow-mgmt-inbound",
 "direction": "inbound",
- "name": "allow-private2-inbound",
- "source": "172.16.0.0/12"
+ "source": "${vpc_subnet_cidrs.mgmt}"
 },
 {
+ "name": "allow-vpe-inbound",
 "direction": "inbound",
- "name": "allow-private3-inbound",
- "source": "192.168.0.0/16"
+ "source": "${vpc_subnet_cidrs.vpe}"
 },
 {
- "direction": "outbound",
- "name": "allow-all-outbound",
- "source": "0.0.0.0/0"
+ "name": "allow-edge-inbound",
+ "direction": "inbound",
+ "source": "${vpc_subnet_cidrs.edge}"
 }
 ]
 }
 ],
- "network_cidr": "10.0.0.0/8",
 "vpcs": [
 {
 "prefix": "edge",
@@ -642,10 +735,10 @@ ],
 "address_prefixes": {
 "zone-1": [
- "10.30.10.4/24",
- "10.30.20.0/24",
- "10.30.30.0/24",
- "10.30.40.0/24"
+ "${vpc_subnet_cidrs.vpn}",
+ "${vpc_subnet_cidrs.mgmt}",
+ "${vpc_subnet_cidrs.vpe}",
+ "${vpc_subnet_cidrs.edge}"
 ]
 },
 "network_acls": [
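Review bot: The `allow-all-outbound` rule of this security group (the `"show": false` one in `second_rg_name`) is now emitted only inside `%{ if "${vpn_client_cidr}" != null }`; before the change it was an unconditional last rule, and the tail of the list is now `allow-edge-inbound`. With the VPN disabled, `vpn_client_cidr` is null in main.tf and this group ends up with no outbound rule at all, which on a security group that only permits what a rule allows blocks every egress flow of the attached resources; unless that is intended, the three `allow-all-outbound` lines should move back out of the conditional, after the `allow-edge-inbound` rule. Dropping the top-level `"network_cidr": "10.0.0.0/8"` presumably follows from the prefixes now coming from `vpc_subnet_cidrs`, but it deserves a line in the PR description as it is a behaviour change for callers who kept the old default. The fix of the `10.30.10.4/24` address prefix in the second hunk of this section is a welcome side effect.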
@@ -673,25 +766,25 @@
 "zone-1": [
 {
 "name": "vpn-zone-1",
- "cidr": "10.30.10.0/24",
+ "cidr": "${vpc_subnet_cidrs.vpn}",
 "public_gateway": false,
 "acl_name": "acl"
 },
 {
 "name": "vsi-management-zone-1",
- "cidr": "10.30.20.0/24",
+ "cidr": "${vpc_subnet_cidrs.mgmt}",
 "public_gateway": false,
 "acl_name": "acl"
 },
 {
 "name": "vpe-zone-1",
- "cidr": "10.30.30.0/24",
+ "cidr": "${vpc_subnet_cidrs.vpe}",
 "public_gateway": false,
 "acl_name": "acl"
 },
 {
 "name": "vsi-edge-zone-1",
- "cidr": "10.30.40.0/24",
+ "cidr": "${vpc_subnet_cidrs.edge}",
 "public_gateway": true,
 "acl_name": "acl"
 }
diff --git a/modules/powervs-vpc-landing-zone/variables.tf b/modules/powervs-vpc-landing-zone/variables.tf
index 4f7478db..b7d79630 100644
--- a/modules/powervs-vpc-landing-zone/variables.tf
+++ b/modules/powervs-vpc-landing-zone/variables.tf
@@ -45,6 +45,26 @@ variable "ssh_private_key" {
 sensitive = true
 }
+#####################################################
+# Optional Parameters VPC
+#####################################################
+
+variable "vpc_subnet_cidrs" {
+ description = "CIDR values for the VPC subnets to be created. It's customer responsibility that none of the defined networks collide, including the PowerVS subnets and VPN client pool."
+ type = object({
+ vpn = string
+ mgmt = string
+ vpe = string
+ edge = string
+ })
+ default = {
+ "vpn" = "10.30.10.0/24"
+ "mgmt" = "10.30.20.0/24"
+ "vpe" = "10.30.30.0/24"
+ "edge" = "10.30.40.0/24"
+ }
+}
+
 #####################################################
 # Optional Parameters IBM Cloud Services
 #####################################################
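Review bot: The new `vpc_subnet_cidrs` variable in modules/powervs-vpc-landing-zone/variables.tf is fed straight into address prefixes, subnet CIDRs, security-group `source` fields and VPN routes, yet it carries no `validation`, so a malformed value (missing mask, octet above 255) is only caught at apply time and, for the `source` fields, may silently produce a rule scoped differently from what was intended. A check that the four values parse as CIDR blocks is cheap and belongs next to the description; the same block is missing from the two copies of this variable in solutions/standard-plus-vsi/variables.tf and solutions/standard/variables.tf. Since the description makes non-overlap the caller's responsibility, it could also name the PowerVS defaults the VPC ranges must stay clear of (`10.51.0.0/24` and `10.52.0.0/24` in the solutions). `cidrhost` is only evaluated through `can()`, so the condition itself cannot error.

```hcl
variable "vpc_subnet_cidrs" {
  # … unchanged: description, type, default …

  validation {
    condition     = alltrue([for cidr in values(var.vpc_subnet_cidrs) : can(cidrhost(cidr, 0))])
    error_message = "Every value of vpc_subnet_cidrs must be a valid IPv4 CIDR block, e.g. 10.30.10.0/24."
  }
}
```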
@@ -248,16 +268,16 @@ variable "powervs_custom_image_cos_service_credentials" {
 #####################################################
 variable "client_to_site_vpn" {
- description = "VPN configuration - the client ip pool and list of users email ids to access the environment. If enabled, then a Secret Manager instance is also provisioned with certificates generated. See optional parameters to reuse an existing Secrets manager instance. PowerVS server routes need to be created for the VPN so the PowerVS instances can be reached. Each route must have a unique name and destination CIDR."
+ description = "VPN configuration - the client ip pool and list of users email ids to access the environment. If enabled, then a Secret Manager instance is also provisioned with certificates generated. See optional parameters to reuse an existing Secrets manager instance. PowerVS server routes will create additional entries in the routing table to establish connectivity between the VPN and PowerVS. This is only needed if the PowerVS subnets are in this module are set to null and additional subnets are created outside of this module. Each route must have a unique name and destination CIDR."
 type = object({
 enable = bool
 client_ip_pool = string
 vpn_client_access_group_users = list(string)
- powervs_server_routes = list(object({
+ powervs_server_routes = optional(list(object({
 route_name = string
 destination = string
 action = string
- }))
+ })))
 }
 )
diff --git a/reference-architectures/standard-openshift/deploy-arch-ibm-pvs-inf-standard-openshift.md b/reference-architectures/standard-openshift/deploy-arch-ibm-pvs-inf-standard-openshift.md
index 8c11e9fd..bd02d32e 100644
--- a/reference-architectures/standard-openshift/deploy-arch-ibm-pvs-inf-standard-openshift.md
+++ b/reference-architectures/standard-openshift/deploy-arch-ibm-pvs-inf-standard-openshift.md
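Review bot: The new `description` contains a grammatical slip, "if the PowerVS subnets are in this module are set to null", which the module README copies verbatim; suggested wording: `This is only needed if the PowerVS subnets in this module are set to null and additional subnets are created outside of this module.` Wrapping `powervs_server_routes` in `optional()` means an omitted attribute arrives as null, which matches the `!= null` guard in client2sitevpn.tf, so the type change is consistent with its consumer. The description should also say that `route_name` must not reuse the module's own route keys (`vpc-vpn`, `vpc-mgmt`, `vpc-vpe`, `vpc-edge`, and the PowerVS network names with `_` replaced by `-`), because the merge in client2sitevpn.tf lets a caller's route silently override them. The `variable` block continues past the end of the hunk.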
@@ -1,7 +1,7 @@
 ---
 copyright:
 years: 2024, 2025
-lastupdated: "2025-10-08"
+lastupdated: "2025-10-09"
 keywords:
 subcollection: deployable-reference-architectures
 authors:
@@ -15,7 +15,7 @@ image_source: https://github.com/terraform-ibm-modules/terraform-ibm-powervs-inf
 use-case: ITServiceManagement
 industry: Technology
 content-type: reference-architecture
-version: v10.0.1
+version: v10.1.1
 compliance:
 ---
@@ -27,7 +27,7 @@ compliance:
 {: toc-content-type="reference-architecture"}
 {: toc-industry="Technology"}
 {: toc-use-case="ITServiceManagement"}
-{: toc-version="v10.0.1"}
+{: toc-version="v10.1.1"}
 The Quickstart OpenShift deployment on Power Virtual Server with a VPC landing zone uses the Red Hat IPI installer to set up an OpenShift cluster. Before the deployment begins, it provisions VPC services and creates a Power Virtual Server workspace, which together form the landing zone used to access and manage the cluster.
diff --git a/reference-architectures/standard-plus-vsi/deploy-arch-ibm-pvs-inf-standard-plus-vsi.md b/reference-architectures/standard-plus-vsi/deploy-arch-ibm-pvs-inf-standard-plus-vsi.md
index 011c10de..29f360d9 100644
--- a/reference-architectures/standard-plus-vsi/deploy-arch-ibm-pvs-inf-standard-plus-vsi.md
+++ b/reference-architectures/standard-plus-vsi/deploy-arch-ibm-pvs-inf-standard-plus-vsi.md
@@ -1,7 +1,7 @@
 ---
 copyright:
 years: 2024, 2025
-lastupdated: "2025-10-08"
+lastupdated: "2025-10-09"
 keywords:
 subcollection: deployable-reference-architectures
 authors:
@@ -16,7 +16,7 @@ image_source: https://github.com/terraform-ibm-modules/terraform-ibm-powervs-inf
 use-case: ITServiceManagement
 industry: Technology
 content-type: reference-architecture
-version: v10.0.1
+version: v10.1.1
 compliance:
 ---
@@ -28,7 +28,7 @@ compliance:
 {: toc-content-type="reference-architecture"}
 {: toc-industry="Technology"}
 {: toc-use-case="ITServiceManagement"}
-{: toc-version="v10.0.1"}
+{: toc-version="v10.1.1"}
 Quickstart deployment of the Power Virtual Server with VPC landing zone creates VPC services, a Power Virtual Server workspace, and interconnects them. It also deploys a Power Virtual Server of chosen T-shirt size or custom configuration. Supported Os are Aix, IBM i, and Linux images.
diff --git a/reference-architectures/standard/deploy-arch-ibm-pvs-inf-standard.md b/reference-architectures/standard/deploy-arch-ibm-pvs-inf-standard.md
index 6fea1c95..41182c0c 100644
--- a/reference-architectures/standard/deploy-arch-ibm-pvs-inf-standard.md
+++ b/reference-architectures/standard/deploy-arch-ibm-pvs-inf-standard.md
@@ -1,7 +1,7 @@
 ---
 copyright:
 years: 2024, 2025
-lastupdated: "2025-10-08"
+lastupdated: "2025-10-09"
 keywords:
 subcollection: deployable-reference-architectures
 authors:
@@ -15,7 +15,7 @@ image_source: https://github.com/terraform-ibm-modules/terraform-ibm-powervs-inf
 use-case: ITServiceManagement
 industry: Technology
 content-type: reference-architecture
-version: v10.0.1
+version: v10.1.1
 compliance: SAPCertified
 ---
@@ -28,7 +28,7 @@ compliance: SAPCertified
 {: toc-industry="Technology"}
 {: toc-use-case="ITServiceManagement"}
 {: toc-compliance="SAPCertified"}
-{: toc-version="v10.0.1"}
+{: toc-version="v10.1.1"}
 The Standard deployment of the Power Virtual Server with VPC landing zone creates VPC services and a Power Virtual Server workspace and interconnects them.
diff --git a/solutions/standard-plus-vsi/README.md b/solutions/standard-plus-vsi/README.md
index 7294e387..7b901f73 100644
--- a/solutions/standard-plus-vsi/README.md
+++ b/solutions/standard-plus-vsi/README.md
@@ -99,6 +99,7 @@ This example sets up the following infrastructure: | [tags](#input\_tags) | List of tag names for the IBM Cloud PowerVS workspace | `list(string)` | `[]` | no | | [tshirt\_size](#input\_tshirt\_size) | PowerVS instance profiles. These profiles can be overridden by specifying 'custom\_profile\_instance\_boot\_image' and 'custom\_profile' values in optional parameters. |
object({
tshirt_size = string
image = string
})
| n/a | yes | | [vpc\_intel\_images](#input\_vpc\_intel\_images) | Stock OS image names for creating VPC landing zone VSI instances: RHEL (management and network services) and SLES (monitoring). |
object({
rhel_image = string
sles_image = string
})
|
{
"rhel_image": "ibm-redhat-9-6-amd64-sap-applications-1",
"sles_image": "ibm-sles-15-7-amd64-sap-applications-1"
}
| no | +| [vpc\_subnet\_cidrs](#input\_vpc\_subnet\_cidrs) | CIDR values for the VPC subnets to be created. It's customer responsibility that none of the defined networks collide, including the PowerVS subnets and VPN client pool. |
object({
vpn = string
mgmt = string
vpe = string
edge = string
})
|
{
"edge": "10.30.40.0/24",
"mgmt": "10.30.20.0/24",
"vpe": "10.30.30.0/24",
"vpn": "10.30.10.0/24"
}
| no | ### Outputs diff --git a/solutions/standard-plus-vsi/locals.tf b/solutions/standard-plus-vsi/locals.tf index c72bde16..d42e2275 100644 --- a/solutions/standard-plus-vsi/locals.tf +++ b/solutions/standard-plus-vsi/locals.tf @@ -64,7 +64,7 @@ locals { pi_instance_os_type = can(regex("RHEL|SLES", local.qs_tshirt_choice.image)) ? "linux" : can(regex("^7\\d{3}-\\d{2}-\\d{2}$", local.qs_tshirt_choice.image)) ? "aix" : "ibm_i" pi_instance = { pi_image_id = local.qs_tshirt_choice.image - pi_networks = [module.standard.powervs_management_subnet, module.standard.powervs_backup_subnet] + pi_networks = concat([module.standard.powervs_management_subnet], module.standard.powervs_backup_subnet != null ? [module.standard.powervs_backup_subnet] : []) pi_instance_name = "${var.prefix}-pi-qs" pi_sap_profile_id = local.sap_system_creation_enabled ? local.qs_tshirt_choice.sap_profile_id : null pi_server_type = local.sap_system_creation_enabled ? null : local.qs_tshirt_choice.server_type 
@@ -97,7 +97,7 @@ locals {
 }
 network_services_config = {
- squid = { enable = true, squid_server_ip_port = module.standard.proxy_host_or_ip_port, no_proxy_hosts = "161.0.0.0/0,10.0.0.0/8" }
+ squid = { enable = true, squid_server_ip_port = module.standard.proxy_host_or_ip_port, no_proxy_hosts = "161.0.0.0/0,${var.vpc_subnet_cidrs.vpn},${var.vpc_subnet_cidrs.mgmt},${var.vpc_subnet_cidrs.vpe},${var.vpc_subnet_cidrs.edge},${var.powervs_management_network != null ? "${var.powervs_management_network.cidr}," : ""}${var.powervs_backup_network != null ? "${var.powervs_backup_network.cidr}," : ""}${var.client_to_site_vpn.client_ip_pool}" }
 nfs = { enable = var.configure_nfs_server, nfs_server_path = module.standard.nfs_host_or_ip_path, nfs_client_path = lookup(var.nfs_server_config, "mount_path", ""), opts = "sec=sys,nfsvers=4.1,nofail", fstype = "nfs4" }
 dns = { enable = var.configure_dns_forwarder, dns_server_ip = module.standard.dns_host_or_ip }
 ntp = { enable = var.configure_ntp_forwarder, ntp_server_ip = module.standard.ntp_host_or_ip }
diff --git a/solutions/standard-plus-vsi/main.tf b/solutions/standard-plus-vsi/main.tf
index 12c43d9e..8be1e687 100644
--- a/solutions/standard-plus-vsi/main.tf
+++ b/solutions/standard-plus-vsi/main.tf
@@ -2,22 +2,6 @@ # PowerVS with VPC landing zone module
 #####################################################
-locals {
- powervs_server_routes = [
- {
- route_name = var.powervs_management_network.name
- destination = var.powervs_management_network.cidr
- action = "deliver"
- },
- {
- route_name = var.powervs_backup_network.name
- destination = var.powervs_backup_network.cidr
- action = "deliver"
- }
- ]
- client_to_site_vpn = merge(var.client_to_site_vpn, { "powervs_server_routes" : local.powervs_server_routes })
-}
-
 module "standard" {
 source = "../../modules/powervs-vpc-landing-zone"
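Review bot: The new `no_proxy_hosts` value in solutions/standard-plus-vsi/locals.tf is assembled from nested interpolations with hand-placed trailing commas, which hides which networks end up in the list and why `client_ip_pool` is appended even when `client_to_site_vpn.enable` is false, while the module's main.tf only exposes the pool (as `vpn_client_cidr`) when the VPN is enabled. Building the list with `join(",", compact([...]))` makes each entry one line and drops absent networks without the `","`/`""` juggling; whether the client pool should follow `enable` is a behaviour decision to confirm, so the rewrite below keeps it conditional only as a proposal. The pre-existing first entry `161.0.0.0/0` is a /0 prefix and, if the proxy interprets it as a CIDR, matches every address; the IBM service range used elsewhere in this commit is `161.26.0.0/16`, so it is worth checking which was meant. The `locals` block starts before the hunk.

```hcl
squid = {
  enable               = true
  squid_server_ip_port = module.standard.proxy_host_or_ip_port
  # one bypassed network per entry; compact() drops the "" placeholders of absent networks
  no_proxy_hosts = join(",", compact([
    "161.0.0.0/0",
    var.vpc_subnet_cidrs.vpn,
    var.vpc_subnet_cidrs.mgmt,
    var.vpc_subnet_cidrs.vpe,
    var.vpc_subnet_cidrs.edge,
    var.powervs_management_network != null ? var.powervs_management_network.cidr : "",
    var.powervs_backup_network != null ? var.powervs_backup_network.cidr : "",
    var.client_to_site_vpn.enable ? var.client_to_site_vpn.client_ip_pool : "",
  ]))
}
# … unchanged: nfs, dns, ntp entries …
```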
@@ -28,7 +12,8 @@ module "standard" {
 external_access_ip = var.external_access_ip
 ssh_public_key = var.ssh_public_key
 ssh_private_key = var.ssh_private_key
- client_to_site_vpn = local.client_to_site_vpn
+ client_to_site_vpn = var.client_to_site_vpn
+ vpc_subnet_cidrs = var.vpc_subnet_cidrs
 vpc_intel_images = var.vpc_intel_images
 configure_dns_forwarder = var.configure_dns_forwarder
 configure_ntp_forwarder = var.configure_ntp_forwarder
diff --git a/solutions/standard-plus-vsi/variables.tf b/solutions/standard-plus-vsi/variables.tf
index be7222a3..892a93bf 100644
--- a/solutions/standard-plus-vsi/variables.tf
+++ b/solutions/standard-plus-vsi/variables.tf
@@ -44,6 +44,26 @@ variable "ansible_vault_password" {
 sensitive = true
 }
+#####################################################
+# Optional Parameters VPC
+#####################################################
+
+variable "vpc_subnet_cidrs" {
+ description = "CIDR values for the VPC subnets to be created. It's customer responsibility that none of the defined networks collide, including the PowerVS subnets and VPN client pool."
+ type = object({
+ vpn = string
+ mgmt = string
+ vpe = string
+ edge = string
+ })
+ default = {
+ "vpn" = "10.30.10.0/24"
+ "mgmt" = "10.30.20.0/24"
+ "vpe" = "10.30.30.0/24"
+ "edge" = "10.30.40.0/24"
+ }
+}
+
 #####################################################
 # Optional Parameters PowerVS Instance
 #####################################################
@@ -100,6 +120,11 @@ variable "powervs_management_network" {
 "name" : "mgmt_net",
 "cidr" : "10.51.0.0/24"
 }
+
+ validation {
+ condition = can(regex("^([a-z]|[a-z][-_a-z0-9]*[a-z0-9])$", var.powervs_management_network.name))
+ error_message = "powervs_management_network.name can only contain 'a-z', '0-9', '-', '_' and must end on a letter or number."
+ }
 }
 variable "powervs_backup_network" {
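Review bot: The `validation` added to `powervs_management_network` in solutions/standard-plus-vsi/variables.tf reads `var.powervs_management_network.name` unguarded, while the `powervs_backup_network` check in the next hunk and both checks in solutions/standard/variables.tf wrap the regex in `var.X != null ? … : true`; locals.tf in this solution already treats the management subnet as always present (`concat([module.standard.powervs_management_subnet], …)`), so null is presumably unsupported here, but the asymmetry deserves a one-line comment or a `nullable = false` on the variable so the intent is explicit. The `error_message` also under-describes the regex, which additionally requires a leading letter: `error_message = "powervs_management_network.name must start with a letter, may only contain 'a-z', '0-9', '-', '_' and must end on a letter or number."` The same wording applies to the other three validations in this commit. The constraint exists because client2sitevpn.tf turns the name into a VPN route key after replacing `_` with `-`; saying so in a comment above the block would explain the otherwise arbitrary character set.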
@@ -113,6 +138,11 @@ variable "powervs_backup_network" {
 "name" : "bkp_net",
 "cidr" : "10.52.0.0/24"
 }
+
+ validation {
+ condition = var.powervs_backup_network != null ? can(regex("^([a-z]|[a-z][-_a-z0-9]*[a-z0-9])$", var.powervs_backup_network.name)) : true
+ error_message = "powervs_backup_network.name can only contain 'a-z', '0-9', '-', '_' and must end on a letter or number."
+ }
 }
 variable "powervs_resource_group_name" {
diff --git a/solutions/standard/README.md b/solutions/standard/README.md
index 577cd202..e228c3c9 100644
--- a/solutions/standard/README.md
+++ b/solutions/standard/README.md
@@ -96,6 +96,7 @@ This example sets up the following infrastructure: | [tags](#input\_tags) | List of tag names for the IBM Cloud PowerVS workspace. | `list(string)` | `[]` | no | | [transit\_gateway\_global](#input\_transit\_gateway\_global) | Connect to the networks outside the associated region. | `bool` | `false` | no | | [vpc\_intel\_images](#input\_vpc\_intel\_images) | Stock OS image names for creating VPC landing zone VSI instances: RHEL (management and network services) and SLES (monitoring). |
object({
rhel_image = string
sles_image = string
})
|
{
"rhel_image": "ibm-redhat-9-6-amd64-sap-applications-1",
"sles_image": "ibm-sles-15-7-amd64-sap-applications-1"
}
| no | +| [vpc\_subnet\_cidrs](#input\_vpc\_subnet\_cidrs) | CIDR values for the VPC subnets to be created. It's customer responsibility that none of the defined networks collide, including the PowerVS subnets and VPN client pool. |
object({
vpn = string
mgmt = string
vpe = string
edge = string
})
|
{
"edge": "10.30.40.0/24",
"mgmt": "10.30.20.0/24",
"vpe": "10.30.30.0/24",
"vpn": "10.30.10.0/24"
}
| no | ### Outputs diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf index 6564dcd1..9314c5ac 100644 --- a/solutions/standard/main.tf +++ b/solutions/standard/main.tf @@ -2,22 +2,6 @@ # PowerVS with VPC landing zone module #################################################### -locals { - powervs_server_routes = [ - { - route_name = var.powervs_management_network.name - destination = var.powervs_management_network.cidr - action = "deliver" - }, - { - route_name = var.powervs_backup_network.name - destination = var.powervs_backup_network.cidr - action = "deliver" - } - ] - client_to_site_vpn = merge(var.client_to_site_vpn, { "powervs_server_routes" : local.powervs_server_routes }) -} - module "standard" { source = "../../modules/powervs-vpc-landing-zone" @@ -28,7 +12,8 @@ module "standard" { external_access_ip = var.external_access_ip ssh_public_key = var.ssh_public_key ssh_private_key = var.ssh_private_key - client_to_site_vpn = local.client_to_site_vpn + client_to_site_vpn = var.client_to_site_vpn + vpc_subnet_cidrs = var.vpc_subnet_cidrs vpc_intel_images = var.vpc_intel_images transit_gateway_global = var.transit_gateway_global configure_dns_forwarder = var.configure_dns_forwarder diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf index 0941810b..62323cf7 100644 --- a/solutions/standard/variables.tf +++ b/solutions/standard/variables.tf 
@@ -35,6 +35,26 @@ variable "ibmcloud_api_key" {
 sensitive = true
 }
+#####################################################
+# Optional Parameters VPC
+#####################################################
+
+variable "vpc_subnet_cidrs" {
+ description = "CIDR values for the VPC subnets to be created. It's customer responsibility that none of the defined networks collide, including the PowerVS subnets and VPN client pool."
+ type = object({
+ vpn = string
+ mgmt = string
+ vpe = string
+ edge = string
+ })
+ default = {
+ "vpn" = "10.30.10.0/24"
+ "mgmt" = "10.30.20.0/24"
+ "vpe" = "10.30.30.0/24"
+ "edge" = "10.30.40.0/24"
+ }
+}
+
 #####################################################
 # Optional Parameters PowerVS Workspace
 #####################################################
@@ -50,6 +70,11 @@ variable "powervs_management_network" {
 "name" : "mgmt_net",
 "cidr" : "10.51.0.0/24"
 }
+
+ validation {
+ condition = var.powervs_management_network != null ? can(regex("^([a-z]|[a-z][-_a-z0-9]*[a-z0-9])$", var.powervs_management_network.name)) : true
+ error_message = "powervs_management_network.name can only contain 'a-z', '0-9', '-', '_' and must end on a letter or number."
+ }
 }
 variable "powervs_backup_network" {
@@ -63,6 +88,11 @@ variable "powervs_backup_network" {
 "name" : "bkp_net",
 "cidr" : "10.52.0.0/24"
 }
+
+ validation {
+ condition = var.powervs_backup_network != null ? can(regex("^([a-z]|[a-z][-_a-z0-9]*[a-z0-9])$", var.powervs_backup_network.name)) : true
+ error_message = "powervs_backup_network.name can only contain 'a-z', '0-9', '-', '_' and must end on a letter or number."
+ }
 }
 variable "tags" {