terraform-ibm-modules · surajsbharadwaj · Oct 14, 2025 · Oct 9, 2025 · Oct 9, 2025 · Oct 10, 2025
@@ -220,6 +220,14 @@
                 "type": "multiline_secure_value"
               }
             },
+            {
+              "key": "vpc_subnet_cidrs",
+              "custom_config": {
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "type": "code_editor"
+              }
+            },
             {
               "key": "powervs_management_network"
             },
@@ -472,7 +480,7 @@
               {
                 "diagram": {
                   "caption": "Power Virtual Server with VPC landing zone 'Standard Landscape' variation",
-                  "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v10.0.1/reference-architectures/standard/deploy-arch-ibm-pvs-inf-standard.svg",
+                  "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v10.1.1/reference-architectures/standard/deploy-arch-ibm-pvs-inf-standard.svg",
                   "type": "image/svg+xml"
                 },
                 "description": "The Power Virtual Server with VPC landing zone as variation 'Create a new architecture' deploys VPC services and a Power Virtual Server workspace and interconnects them.\n \nRequired and optional management components are configured."
@@ -871,6 +879,14 @@
                 "type": "code_editor"
               }
             },
+            {
+              "key": "vpc_subnet_cidrs",
+              "custom_config": {
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "type": "code_editor"
+              }
+            },
             {
               "key": "powervs_management_network"
             },
@@ -1088,7 +1104,7 @@
               {
                 "diagram": {
                   "caption": "Power Virtual Server with VPC landing zone 'Quickstart' variation",
-                  "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v10.0.1/reference-architectures/standard-plus-vsi/deploy-arch-ibm-pvs-inf-standard-plus-vsi.svg",
+                  "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v10.1.1/reference-architectures/standard-plus-vsi/deploy-arch-ibm-pvs-inf-standard-plus-vsi.svg",
                   "type": "image/svg+xml"
                 },
                 "description": "The Power Virtual Server with VPC landing zone as 'Quickstart' variation of 'Create a new architecture' option deploys VPC services and a Power Virtual Server workspace and interconnects them. It also creates one Power virtual server instance of chosen t-shirt size or custom configuration.\n \nRequired and optional management components are configured."
@@ -1494,7 +1510,7 @@
               {
                 "diagram": {
                   "caption": "Power Virtual Server with VPC landing zone 'Quickstart OpenShift' variation",
-                  "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v10.0.1/reference-architectures/standard-openshift/deploy-arch-ibm-pvs-inf-standard-openshift.svg",
+                  "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v10.1.1/reference-architectures/standard-openshift/deploy-arch-ibm-pvs-inf-standard-openshift.svg",
                   "type": "image/svg+xml"
                 },
                 "description": "The Power Virtual Server with VPC landing zone as variation 'Quickstart OpenShift' deploys VPC services and an Openshift Cluster on PowerVS and interconnects them.\n \nRequired and optional management components are configured."

@@ -142,7 +142,7 @@ Creates VPC Landing Zone | Performs VPC VSI OS Config | Creates PowerVS Infrastr
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_ansible_vault_password"></a> [ansible\_vault\_password](#input\_ansible\_vault\_password) | Vault password to encrypt ansible playbooks that contain sensitive information. Required when SCC workload Protection is enabled. Password requirements: 15-100 characters and at least one uppercase letter, one lowercase letter, one number, and one special character. Allowed characters: A-Z, a-z, 0-9, !#$%&()*+-.:;<=>?@[]\_{\|}~. | `string` | `null` | no |
-| <a name="input_client_to_site_vpn"></a> [client\_to\_site\_vpn](#input\_client\_to\_site\_vpn) | VPN configuration - the client ip pool and list of users email ids to access the environment. If enabled, then a Secret Manager instance is also provisioned with certificates generated. See optional parameters to reuse an existing Secrets manager instance. PowerVS server routes need to be created for the VPN so the PowerVS instances can be reached. Each route must have a unique name and destination CIDR. | <pre>object({<br/>    enable                        = bool<br/>    client_ip_pool                = string<br/>    vpn_client_access_group_users = list(string)<br/>    powervs_server_routes = list(object({<br/>      route_name  = string<br/>      destination = string<br/>      action      = string<br/>    }))<br/>    }<br/>  )</pre> | <pre>{<br/>  "client_ip_pool": "192.168.0.0/16",<br/>  "enable": false,<br/>  "powervs_server_routes": null,<br/>  "vpn_client_access_group_users": []<br/>}</pre> | no |
+| <a name="input_client_to_site_vpn"></a> [client\_to\_site\_vpn](#input\_client\_to\_site\_vpn) | VPN configuration - the client ip pool and list of users email ids to access the environment. If enabled, then a Secret Manager instance is also provisioned with certificates generated. See optional parameters to reuse an existing Secrets manager instance. PowerVS server routes will create additional entries in the routing table to establish connectivity between the VPN and PowerVS. This is only needed if the PowerVS subnets are in this module are set to null and additional subnets are created outside of this module. Each route must have a unique name and destination CIDR. | <pre>object({<br/>    enable                        = bool<br/>    client_ip_pool                = string<br/>    vpn_client_access_group_users = list(string)<br/>    powervs_server_routes = optional(list(object({<br/>      route_name  = string<br/>      destination = string<br/>      action      = string<br/>    })))<br/>    }<br/>  )</pre> | <pre>{<br/>  "client_ip_pool": "192.168.0.0/16",<br/>  "enable": false,<br/>  "powervs_server_routes": null,<br/>  "vpn_client_access_group_users": []<br/>}</pre> | no |
 | <a name="input_configure_dns_forwarder"></a> [configure\_dns\_forwarder](#input\_configure\_dns\_forwarder) | Specify if DNS forwarder will be configured. This will allow you to use central DNS servers (e.g. IBM Cloud DNS servers) sitting outside of the created IBM PowerVS infrastructure. If yes, ensure 'dns\_forwarder\_config' optional variable is set properly. DNS forwarder will be installed on the network-services vsi. | `bool` | `false` | no |
 | <a name="input_configure_nfs_server"></a> [configure\_nfs\_server](#input\_configure\_nfs\_server) | Specify if NFS server will be configured. This will allow you easily to share files between PowerVS instances (e.g., SAP installation files). [File storage share and mount target](https://cloud.ibm.com/docs/vpc?topic=vpc-file-storage-create&interface=ui) in VPC will be created.. If yes, ensure 'nfs\_server\_config' optional variable is set properly below. Default value is '200GB' which will be mounted on specified directory in network-service vsi. | `bool` | `false` | no |
 | <a name="input_configure_ntp_forwarder"></a> [configure\_ntp\_forwarder](#input\_configure\_ntp\_forwarder) | Specify if NTP forwarder will be configured. This will allow you to synchronize time between IBM PowerVS instances. NTP forwarder will be installed on the network-services vsi. | `bool` | `false` | no |
@@ -171,6 +171,7 @@ Creates VPC Landing Zone | Performs VPC VSI OS Config | Creates PowerVS Infrastr
 | <a name="input_transit_gateway_global"></a> [transit\_gateway\_global](#input\_transit\_gateway\_global) | Connect to the networks outside the associated region. | `bool` | `false` | no |
 | <a name="input_user_data"></a> [user\_data](#input\_user\_data) | User data that automatically performs common configuration tasks or runs scripts. For more information, see https://cloud.ibm.com/docs/vpc?topic=vpc-user-data. For information on using the user\_data variable, please refer: https://cloud.ibm.com/docs/secure-infrastructure-vpc?topic=secure-infrastructure-vpc-user-data | `string` | `null` | no |
 | <a name="input_vpc_intel_images"></a> [vpc\_intel\_images](#input\_vpc\_intel\_images) | Stock OS image names for creating VPC landing zone VSI instances: RHEL (management and network services) and SLES (monitoring). | <pre>object({<br/>    rhel_image = string<br/>    sles_image = string<br/>  })</pre> | n/a | yes |
+| <a name="input_vpc_subnet_cidrs"></a> [vpc\_subnet\_cidrs](#input\_vpc\_subnet\_cidrs) | CIDR values for the VPC subnets to be created. It's customer responsibility that none of the defined networks collide, including the PowerVS subnets and VPN client pool. | <pre>object({<br/>    vpn  = string<br/>    mgmt = string<br/>    vpe  = string<br/>    edge = string<br/>  })</pre> | <pre>{<br/>  "edge": "10.30.40.0/24",<br/>  "mgmt": "10.30.20.0/24",<br/>  "vpe": "10.30.30.0/24",<br/>  "vpn": "10.30.10.0/24"<br/>}</pre> | no |
 
 ### Outputs
 

@@ -20,25 +20,52 @@ locals {
   intermediate_ca_name = "${var.prefix}-intermediate-ca"
   cert_common_name     = "example"
 
-  default_server_routes = {
-    "vpc-vsis" = {
-      destination = "10.0.0.0/8"
+  # powervs routes
+  powervs_mgmt_route = var.powervs_management_network != null ? {
+    (replace(var.powervs_management_network.name, "_", "-")) : {
+      destination = var.powervs_management_network.cidr
+      action      = "deliver"
+    }
+  } : {}
+  powervs_bckp_route = var.powervs_backup_network != null ? {
+    (replace(var.powervs_backup_network.name, "_", "-")) : {
+      destination = var.powervs_backup_network.cidr
+      action      = "deliver"
+    }
+  } : {}
+
+  # vpc routes
+  vpc_server_routes = {
+    "vpc-vpn" : {
+      destination = var.vpc_subnet_cidrs.vpn
+      action      = "deliver"
+    },
+    "vpc-mgmt" : {
+      destination = var.vpc_subnet_cidrs.mgmt
+      action      = "deliver"
+    },
+    "vpc-vpe" : {
+      destination = var.vpc_subnet_cidrs.vpe
+      action      = "deliver"
+    },
+    "vpc-edge" : {
+      destination = var.vpc_subnet_cidrs.edge
       action      = "deliver"
     }
   }
 
-  vpn_server_routes = var.client_to_site_vpn.powervs_server_routes != null ? merge(local.default_server_routes,
-    tomap(
-      {
-        for instance in var.client_to_site_vpn.powervs_server_routes :
-        instance.route_name => {
-          destination = instance.destination
-          action      = instance.action
-        }
-        if !startswith(instance.destination, "10.")
+  # add additional routes (needed for networks created outside of this module)
+  additional_routes = var.client_to_site_vpn.powervs_server_routes != null ? tomap(
+    {
+      for instance in var.client_to_site_vpn.powervs_server_routes :
+      instance.route_name => {
+        destination = instance.destination
+        action      = instance.action
       }
-    )
-  ) : local.default_server_routes
+    }
+  ) : {}
+
+  vpn_server_routes = merge(local.powervs_mgmt_route, local.powervs_bckp_route, local.vpc_server_routes, local.additional_routes)
 }
 
 

@@ -17,6 +17,10 @@ locals {
       sles_image                   = var.vpc_intel_images.sles_image,
       second_rg_name               = local.second_rg_name,
       tgw_rg_name                  = local.tgw_rg_name
+      vpc_subnet_cidrs             = var.vpc_subnet_cidrs
+      powervs_mgmt_cidr            = var.powervs_management_network != null ? var.powervs_management_network.cidr : null
+      powervs_bckp_cidr            = var.powervs_backup_network != null ? var.powervs_backup_network.cidr : null
+      vpn_client_cidr              = var.client_to_site_vpn.enable ? var.client_to_site_vpn.client_ip_pool : null
     }
   )
 }