Fixes issue using an existing VPC

- Adds count to acl_rule resources using provision flag - count #63
- Updates workflows to use action-workflows - count #61

Signed-off-by: Sean Sundberg <[email protected]>

Author: Sean Sundberg

.github/workflows/notify.yaml

@@ -1,22 +1,11 @@
+name: Notify
+
 on:
   release:
     types: [published]
 
 jobs:
   notify:
-    runs-on: ubuntu-latest
-
-    strategy:
-      matrix:
-        repo:
-          - cloud-native-toolkit/ibm-garage-iteration-zero
-          - cloud-native-toolkit/garage-terraform-modules
-
-    steps:
-      - name: Repository dispatch ${{ matrix.repo }}
-        uses: cloud-native-toolkit/action-repository-dispatch@main
-        with:
-          notifyRepo: ${{ matrix.repo }}
-          eventType: released
-        env:
-          GITHUB_TOKEN: ${{ secrets.TOKEN }}
+    uses: cloud-native-toolkit/action-workflows/.github/workflows/notify.yaml@v1
+    secrets:
+      TOKEN: ${{ secrets.TOKEN }}

.github/workflows/publish-assets.yaml

@@ -0,0 +1,12 @@
+name: Publish metadata
+
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  publish-assets:
+    uses: cloud-native-toolkit/action-workflows/.github/workflows/publish-metadata.yaml@v1
+    secrets:
+      TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/publish-metadata.yaml

@@ -0,0 +1,23 @@
+name: Verify PR
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the main branch
+on:
+  pull_request:
+    branches: [ main ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  verify:
+    if: ${{ !contains( github.event.pull_request.labels.*.name, 'skip ci' ) }}
+    uses: ./.github/workflows/verify-workflow.yaml
+    secrets:
+      IBMCLOUD_API_KEY: ${{ secrets.IBMCLOUD_API_KEY }}
+
+  verifyMetadata:
+    uses: cloud-native-toolkit/action-workflows/.github/workflows/verify-module-metadata.yaml@v1
+
+  securityScan:
+    uses: cloud-native-toolkit/action-workflows/.github/workflows/gitguardian-scan.yaml@v1
+    secrets:
+      GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}

.github/workflows/verify-pr.yaml

@@ -0,0 +1,48 @@
+name: Verify
+
+# Controls when the action will run.
+on:
+  workflow_call:
+    secrets:
+      IBMCLOUD_API_KEY:
+        required: true
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    container: quay.io/cloudnativetoolkit/terraform:v1.1
+
+    strategy:
+      matrix:
+        testcase:
+          - vpc_count
+          - vpc_count_cidr
+      fail-fast: true
+      max-parallel: 1
+
+    env:
+      HOME: /home/devops
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v1
+
+      - name: Verify deploy on ${{ matrix.testcase }}
+        uses: cloud-native-toolkit/action-module-verify-deploy@main
+        with:
+          clusterId: ${{ matrix.testcase }}
+          validateDeployScript: .github/scripts/validate-deploy.sh
+        env:
+          TF_VAR_ibmcloud_api_key: ${{ secrets.IBMCLOUD_API_KEY }}
+          IBMCLOUD_API_KEY: ${{ secrets.IBMCLOUD_API_KEY }}
+
+      - name: Verify destroy on ${{ matrix.testcase }}
+        uses: cloud-native-toolkit/action-module-verify-destroy@main
+        if: ${{ always() }}
+        with:
+          clusterId: ${{ matrix.testcase }}
+        env:
+          TF_VAR_ibmcloud_api_key: ${{ secrets.IBMCLOUD_API_KEY }}
+          IBMCLOUD_API_KEY: ${{ secrets.IBMCLOUD_API_KEY }}

.github/workflows/verify-workflow.yaml

@@ -1,82 +1,29 @@
-name: Verify and release module
+name: Verify
 
 # Controls when the action will run. Triggers the workflow on push or pull request
 # events but only for the main branch
 on:
   push:
     branches: [ main ]
-  pull_request:
-    branches: [ main ]
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   verify:
     if: ${{ !contains( github.event.pull_request.labels.*.name, 'skip ci' ) }}
-    runs-on: ubuntu-latest
-    container: quay.io/cloudnativetoolkit/terraform:v1.1
-
-    strategy:
-      matrix:
-        platform:
-          - vpc_count
-          - vpc_count_cidr
-      max-parallel: 1
-      fail-fast: true
-
-    env:
-      HOME: /home/devops
-
-    # Steps represent a sequence of tasks that will be executed as part of the job
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v1
-
-      - name: Verify deploy on ${{ matrix.platform }}
-        uses: ibm-garage-cloud/action-module-verify-deploy@main
-        with:
-          clusterId: ${{ matrix.platform }}
-          validateDeployScript: .github/scripts/validate-deploy.sh
-        env:
-          TF_VAR_ibmcloud_api_key: ${{ secrets.IBMCLOUD_API_KEY }}
-          IBMCLOUD_API_KEY: ${{ secrets.IBMCLOUD_API_KEY }}
-
-      - name: Verify destroy on ${{ matrix.platform }}
-        uses: ibm-garage-cloud/action-module-verify-destroy@main
-        if: ${{ always() }}
-        with:
-          clusterId: ${{ matrix.platform }}
-        env:
-          TF_VAR_ibmcloud_api_key: ${{ secrets.IBMCLOUD_API_KEY }}
-          IBMCLOUD_API_KEY: ${{ secrets.IBMCLOUD_API_KEY }}
+    uses: ./.github/workflows/verify-workflow.yaml
+    secrets:
+      IBMCLOUD_API_KEY: ${{ secrets.IBMCLOUD_API_KEY }}
 
   verifyMetadata:
-    runs-on: ubuntu-latest
-
-    env:
-      DIST_DIR: ./dist
-      PUBLISH_BRANCH: gh-pages
+    uses: cloud-native-toolkit/action-workflows/.github/workflows/verify-module-metadata.yaml@v1
 
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - uses: cloud-native-toolkit/action-module-metadata-create@v1
-        with:
-          strict: true
-          validate: true
+  securityScan:
+    uses: cloud-native-toolkit/action-workflows/.github/workflows/gitguardian-scan.yaml@v1
+    secrets:
+      GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
 
   release:
-    needs: [verify, verifyMetadata]
-    runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'push' }}
-
-    # Steps represent a sequence of tasks that will be executed as part of the job
-    steps:
-      # Drafts your next Release notes as Pull Requests are merged into "main"
-      - uses: release-drafter/release-drafter@v5
-        with:
-          # (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
-          config-name: release-drafter.yaml
-          publish: true
-        env:
-          GITHUB_TOKEN: ${{ secrets.TOKEN }}
+    needs: [verify, verifyMetadata, securityScan]
+    uses: cloud-native-toolkit/action-workflows/.github/workflows/release-module.yaml@v1
+    secrets:
+      TOKEN: ${{ secrets.TOKEN }}

.github/workflows/verify.yaml

@@ -48,7 +48,7 @@ data ibm_is_vpc vpc {
 }
 
 resource ibm_is_vpc_address_prefix cidr_prefix {
-  count = local.provision_cidr ? var.address_prefix_count : 0
+  count = var.provision && local.provision_cidr ? var.address_prefix_count : 0
 
   name  = "${local.vpc_name}-cidr-${format("%02s", count.index)}"
   zone  = local.vpc_zone_names[count.index]
@@ -58,6 +58,7 @@ resource ibm_is_vpc_address_prefix cidr_prefix {
 }
 
 resource ibm_is_network_acl_rule allow_internal_egress {
+  count = var.provision ? 1 : 0
 
   network_acl = lookup(local.vpc, "default_network_acl", "")
   name        = "allow-internal-egress"
@@ -68,17 +69,19 @@ resource ibm_is_network_acl_rule allow_internal_egress {
 }
 
 resource ibm_is_network_acl_rule allow_internal_ingress {
+  count = var.provision ? 1 : 0
 
   network_acl = lookup(local.vpc, "default_network_acl", "")
   name        = "allow-internal-ingress"
   action      = "allow"
   source      = var.internal_cidr
   destination = var.internal_cidr
   direction   = "inbound"
-  before      = lookup(ibm_is_network_acl_rule.deny_external_ssh, "rule_id", "")
+  before      = lookup(ibm_is_network_acl_rule.deny_external_ssh[0], "rule_id", "")
 }
 
 resource ibm_is_network_acl_rule deny_external_ssh {
+  count = var.provision ? 1 : 0
 
   network_acl = lookup(local.vpc, "default_network_acl", "")
   name        = "deny-external-ssh"
@@ -92,10 +95,11 @@ resource ibm_is_network_acl_rule deny_external_ssh {
     source_port_max = 22
     source_port_min = 22
   }
-  before      = lookup(ibm_is_network_acl_rule.deny_external_rdp, "rule_id", "")
+  before      = lookup(ibm_is_network_acl_rule.deny_external_rdp[0], "rule_id", "")
 }
 
 resource ibm_is_network_acl_rule deny_external_rdp {
+  count = var.provision ? 1 : 0
 
   network_acl = lookup(local.vpc, "default_network_acl", "")
   name        = "deny-external-rdp"
@@ -109,10 +113,11 @@ resource ibm_is_network_acl_rule deny_external_rdp {
     source_port_max = 3389
     source_port_min = 3389
   }
-  before      = lookup(ibm_is_network_acl_rule.deny_external_ingress, "rule_id", "")
+  before      = lookup(ibm_is_network_acl_rule.deny_external_ingress[0], "rule_id", "")
 }
 
 resource ibm_is_network_acl_rule deny_external_ingress {
+  count = var.provision ? 1 : 0
 
   network_acl    = lookup(local.vpc, "default_network_acl", "")
   name           = "deny-external-ingress"
@@ -138,6 +143,7 @@ data ibm_is_security_group base {
 
 # from https://cloud.ibm.com/docs/vpc?topic=vpc-service-endpoints-for-vpc
 resource ibm_is_security_group_rule default_inbound_ping {
+  count = var.provision ? 1 : 0
 
   group     = lookup(local.vpc, "default_security_group", "")
   direction = "inbound"
@@ -149,6 +155,7 @@ resource ibm_is_security_group_rule default_inbound_ping {
 }
 
 resource ibm_is_security_group_rule default_inbound_http {
+  count = var.provision ? 1 : 0
 
   group     = lookup(local.vpc, "default_security_group", "")
   direction = "inbound"
@@ -161,7 +168,7 @@ resource ibm_is_security_group_rule default_inbound_http {
 }
 
 resource ibm_is_security_group_rule cse_dns_1 {
-  count = local.security_group_count
+  count = var.provision ? local.security_group_count : 0
 
   group     = local.security_group_ids[count.index]
   direction = "outbound"
@@ -173,7 +180,7 @@ resource ibm_is_security_group_rule cse_dns_1 {
 }
 
 resource ibm_is_security_group_rule cse_dns_2 {
-  count = local.security_group_count
+  count = var.provision ? local.security_group_count : 0
 
   group     = local.security_group_ids[count.index]
   direction = "outbound"
@@ -185,7 +192,7 @@ resource ibm_is_security_group_rule cse_dns_2 {
 }
 
 resource ibm_is_security_group_rule private_dns_1 {
-  count = local.security_group_count
+  count = var.provision ? local.security_group_count : 0
 
   group     = local.security_group_ids[count.index]
   direction = "outbound"
@@ -197,7 +204,7 @@ resource ibm_is_security_group_rule private_dns_1 {
 }
 
 resource ibm_is_security_group_rule private_dns_2 {
-  count = local.security_group_count
+  count = var.provision ? local.security_group_count : 0
 
   group     = local.security_group_ids[count.index]
   direction = "outbound"

main.tf

@@ -2,5 +2,5 @@ module "resource_group" {
   source = "github.com/cloud-native-toolkit/terraform-ibm-resource-group.git"
 
   resource_group_name = var.resource_group_name
-  provision           = false
+  ibmcloud_api_key    = var.ibmcloud_api_key
 }