Adds logic to create address prefixes for the VPC if provided (#27)

- Adds address_prefix_count and address_prefixes variables
- Generates address prefixes and sets the first three to default values if prefix_count and prefixes have values
- Handles null values in template and updates test
- Adds auth_id variable to coordinate creation of authorization and flow log
- Consolodates tests and enhances for address_prefixes and auth_id
- Removes source resource group from flow-log auth in test to get it to pass (evidently the auth for flow-log cannot be resource group to resource group)

Signed-off-by: Sean Sundberg <[email protected]>

Author: Sean Sundberg

.github/workflows/verify.yaml

@@ -19,6 +19,8 @@ jobs:
       matrix:
         platform:
           - vpc_count
+          - vpc_count_cidr
+      max-parallel: 1
       fail-fast: false
 
     env:

main.tf

@@ -1,52 +1,75 @@
 
 locals {
+  tmp_dir           = "${path.cwd}/.tmp"
+  zone_count        = 3
+  vpc_zone_names    = [ for index in range(local.zone_count): "${var.region}-${(index % local.zone_count) + 1}" ]
   prefix_name       = var.name_prefix != "" ? var.name_prefix : var.resource_group_name
   vpc_name          = lower(replace(var.name != "" ? var.name : "${local.prefix_name}-vpc", "_", "-"))
   vpc_id            = data.ibm_is_vpc.vpc.id
   security_group_id = data.ibm_is_vpc.vpc.default_security_group
   acl_id            = data.ibm_is_vpc.vpc.default_network_acl
   crn               = data.ibm_is_vpc.vpc.resource_crn
+  ipv4_cidr_provided = length(var.address_prefixes) >= var.address_prefix_count
+  ipv4_cidr_block    = local.ipv4_cidr_provided ? var.address_prefixes : [ for val in range(var.address_prefix_count): "" ]
+  address_prefix_management = local.ipv4_cidr_provided ? "manual" : "auto"
+  provision_cidr     = var.provision && local.ipv4_cidr_provided
+}
+
+resource null_resource print_values {
+  provisioner "local-exec" {
+    command = "echo 'Bucket name: ${var.flow_log_cos_bucket_name != null ? var.flow_log_cos_bucket_name : ""}'"
+  }
+  provisioner "local-exec" {
+    command = "echo 'Auth policy id: ${var.auth_id}'"
+  }
+}
+
+resource ibm_is_vpc_address_prefix cidr_prefix {
+  count = local.provision_cidr ? var.address_prefix_count : 0
+
+  name  = "${local.vpc_name}-cidr-${format("%02s", count.index)}"
+  zone  = local.vpc_zone_names[count.index]
+  vpc   = data.ibm_is_vpc.vpc.id
+  cidr  = local.ipv4_cidr_block[count.index]
 }
 
 resource ibm_is_vpc vpc {
   count = var.provision ? 1 : 0
 
   name                        = local.vpc_name
   resource_group              = var.resource_group_id
+  address_prefix_management   = local.address_prefix_management
   default_security_group_name = "${local.vpc_name}-security-group"
   default_network_acl_name    = "${local.vpc_name}-acl"
   default_routing_table_name  = "${local.vpc_name}-routing"
 }
 
+# Set the address prefixes as the default.  This will allow us to specify the number of ips required
+# in each subnet, instead of figuring out specific cidrs.
+# Note the "split" function call - this is because the id returned from creating the address
+# comes back as <vpc_id>/<address_range_id> and the update call wants these passed as separate
+# arguments.  I suspect this is actually a defect in what is returned from ibm_is_vpc_address_prefix
+# and it may one day be fixed and trip up this code.
+resource null_resource post_vpc_address_pfx_default {
+  count = local.provision_cidr ? var.address_prefix_count : 0
+  depends_on = [ibm_is_vpc_address_prefix.cidr_prefix]
+
+  provisioner "local-exec" {
+    command = <<COMMAND
+      ibmcloud login --apikey ${var.ibmcloud_api_key} -r ${var.region} -g ${var.resource_group_name} --quiet ; \
+      ibmcloud is vpc-address-prefix-update '${local.provision_cidr ? ibm_is_vpc.vpc[0].id : ""}' '${split("/", local.provision_cidr ? ibm_is_vpc_address_prefix.cidr_prefix[0].id : "/")[1]}' --default true ; \
+      ibmcloud is vpc-address-prefix-update '${local.provision_cidr ? ibm_is_vpc.vpc[0].id : ""}' '${split("/", local.provision_cidr ? ibm_is_vpc_address_prefix.cidr_prefix[1].id : "/")[1]}' --default true ; \
+      ibmcloud is vpc-address-prefix-update '${local.provision_cidr ? ibm_is_vpc.vpc[0].id : ""}' '${split("/", local.provision_cidr ? ibm_is_vpc_address_prefix.cidr_prefix[2].id : "/")[1]}' --default true ; \
+     COMMAND
+  }
+}
+
 data ibm_is_vpc vpc {
   depends_on = [ibm_is_vpc.vpc]
 
   name = local.vpc_name
 }
 
-resource ibm_is_network_acl network_acl {
-  count      = var.provision ? 1 : 0
-
-  name           = "${local.vpc_name}-acl2"
-  resource_group = var.resource_group_id
-  vpc            = data.ibm_is_vpc.vpc.id
-
-  rules {
-    name        = "egress"
-    action      = "allow"
-    source      = "0.0.0.0/0"
-    destination = "0.0.0.0/0"
-    direction   = "outbound"
-  }
-  rules {
-    name        = "ingress"
-    action      = "allow"
-    source      = "0.0.0.0/0"
-    destination = "0.0.0.0/0"
-    direction   = "inbound"
-  }
-}
-
 resource ibm_is_security_group_rule rule_icmp_ping {
   count = var.provision ? 1 : 0
 
@@ -109,7 +132,8 @@ resource ibm_is_security_group_rule private_dns_2 {
 
 resource ibm_is_flow_log flowlog_instance {
   count = length(var.flow_log_cos_bucket_name) > 0 ? 1 : 0
-  depends_on = [ibm_is_vpc.vpc]
+  depends_on = [ibm_is_vpc.vpc, null_resource.print_values]
+
   name = "${local.vpc_name}-flowlog"
   active = true
   //target can be VPC or Virtual Server Instance or Subnet or Primary Network Interface or Secondary Network Interface 

module.yaml

@@ -16,6 +16,9 @@ versions:
         - source: github.com/cloud-native-toolkit/terraform-ibm-object-storage-bucket
           version: ">= 0.0.1"
       optional: true
+    - id: auth
+      refs: []
+      optional: true
   variables:
     - name: resource_group_id
       moduleRef:
@@ -38,3 +41,8 @@ versions:
         id: cos_bucket
         output: bucket_name
       optional: true
+    - name: auth_id
+      moduleRef:
+        id: auth
+        output: id
+      optional: true

test/stages/stage3-vpc-flow-log.tf renamed to test/stages/stage1-cos.tf

@@ -1,15 +1,20 @@
 module "cos" {
   source = "github.com/ibm-garage-cloud/terraform-ibm-object-storage.git"
 
-  resource_group_name = var.resource_group_name
+  resource_group_name = module.resource_group.name
   name_prefix         = var.name_prefix
-  name                = "flow-log-cos-instance"
 }
 
 resource null_resource print_cos_id {
   depends_on = [module.cos.id]
   provisioner "local-exec" {
-    command = "echo 'Provisioning bucket into COS instance: ${module.cos.id}'"
+    command = "echo 'Provisioning bucket into COS instance: ${module.cos.id != null ? module.cos.id : ""}'"
+  }
+}
+
+resource null_resource pre_print_bucket {
+  provisioner "local-exec" {
+    command = "echo 'Name prefix: ${var.name_prefix}'"
   }
 }
 
@@ -20,26 +25,12 @@ module "dev_cos_bucket" {
   cos_instance_id     = module.cos.id
   name_prefix         = var.name_prefix
   ibmcloud_api_key    = var.ibmcloud_api_key
-  name                = "fl-testing-gsi2"
   region              = var.region
+  label               = "flow-log"
 }
 
 resource null_resource print_bucket {
   provisioner "local-exec" {
-    command = "echo 'Bucket created: ${module.dev_cos_bucket.bucket_name}'"
+    command = "echo 'Bucket created: ${module.dev_cos_bucket.bucket_name != null ? module.dev_cos_bucket.bucket_name : ""}'"
   }
 }
-
-
-module "dev_vpc_with_flowlog" {
-  source = "./module"
-
-
-  resource_group_id   = module.resource_group.id
-  resource_group_name = module.resource_group.name
-  region              = var.region
-  name_prefix         = var.name_prefix
-  name                = "vpc-with-fl-${module.cos.name}-${length(null_resource.print_bucket)}"
-  ibmcloud_api_key    = var.ibmcloud_api_key
-  flow_log_cos_bucket_name = module.dev_cos_bucket.bucket_name
-}

test/stages/stage1-flow-log-auth.tf

@@ -0,0 +1,10 @@
+module "flow-log-auth" {
+  source = "github.com/cloud-native-toolkit/terraform-ibm-iam-service-authorization"
+
+  source_service_name = "is"
+  source_resource_type = "flow-log-collector"
+  provision = true
+  target_service_name = "cloud-object-storage"
+  target_resource_group_id = module.resource_group.id
+  roles = ["Writer"]
+}

test/stages/stage2-vpc.tf

@@ -6,4 +6,8 @@ module "dev_vpc" {
   region              = var.region
   name_prefix         = var.name_prefix
   ibmcloud_api_key    = var.ibmcloud_api_key
+  address_prefix_count = var.address_prefix_count
+  address_prefixes = tolist(setsubtract(split(",", var.address_prefixes), [""]))
+  auth_id             = module.flow-log-auth.id
+  flow_log_cos_bucket_name = module.dev_cos_bucket.bucket_name
 }

test/stages/variables.tf

@@ -49,3 +49,11 @@ variable "vpc_subnets" {
   description = "JSON representation of list of object, e.g. [{\"label\"=\"default\"}]"
   default     = "[]"
 }
+
+variable "address_prefixes" {
+  default = ""
+}
+
+variable "address_prefix_count" {
+  default = 0
+}

variables.tf

@@ -41,3 +41,21 @@ variable "flow_log_cos_bucket_name" {
   description = "Cloud Object Storage bucket id for flow logs (optional)"
   default     = ""
 }
+
+variable "address_prefix_count" {
+  type        = number
+  description = "The number of ipv4_cidr_blocks"
+  default     = 0
+}
+
+variable "address_prefixes" {
+  type        = list(string)
+  description = "List of ipv4 cidr blocks for the address prefixes (e.g. ['10.10.10.0/24']). If you are providing cidr blocks then a value must be provided for each of the subnets. If you don't provide cidr blocks for each of the subnets then values will be generated using the {ipv4_address_count} value."
+  default     = []
+}
+
+variable "auth_id" {
+  type        = string
+  description = "The id of the authorization policy that allows the Flow Log to access the Object Storage bucket. This is optional and provided to sequence the authorization before the flow log creation."
+  default     = ""
+}