fix: remove invalid multi-tenant VPE references (#393)

fix: remove invalid multi-tenant VPE references
fix: ensure idempotent of existing VPEs

BREAKING CHANGE: Upon apply all existing VPE created in previous version of this module will be deleted and immediately re-created, which may result in a network termination. The IP of the VPE may change as part of this process.

Author: vburckhardt

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-06-27T03:41:24Z",
+  "generated_at": "2023-09-21T11:21:48Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

README.md

@@ -19,6 +19,7 @@ The module supports the following actions:
 * [terraform-ibm-vpe-gateway](#terraform-ibm-vpe-gateway)
 * [Examples](./examples)
     * [End-to-end example](./examples/default)
+    * [Every multi-tenant VPE](./examples/every-mt-vpe)
 * [Contributing](#contributing)
 
 ## terraform-ibm-vpe-gateway

common-dev-assets

@@ -0,0 +1,3 @@
+# Every multi-tenant VPE
+
+This example creates every multi-tenant VPE supported by this module. This example does not follow a real-world scenario, but rather, can be used to quickly experiment with this module. It is also used in regression testing for the module.

examples/every-mt-vpe/README.md

@@ -0,0 +1,59 @@
+##############################################################################
+# Resource Group
+##############################################################################
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.0.6"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##############################################################################
+# Create a VPC for this example using defaults from terraform-ibm-landing-zone-vpc
+# ( 3 subnets across the 3 AZs in the region )
+##############################################################################
+
+module "vpc" {
+  source            = "terraform-ibm-modules/landing-zone-vpc/ibm"
+  version           = "7.5.0"
+  resource_group_id = module.resource_group.resource_group_id
+  region            = var.region
+  prefix            = var.prefix
+  name              = "vpc"
+}
+
+##############################################################################
+# Create every multi-tenant VPEs in the VPC
+##############################################################################
+module "vpes" {
+  source   = "../../"
+  region   = var.region
+  prefix   = var.prefix
+  vpc_name = module.vpc.vpc_name
+  vpc_id   = module.vpc.vpc_id
+  #subnet_zone_list  = module.vpc.subnet_zone_list
+  resource_group_id = module.resource_group.resource_group_id
+  cloud_services = ["account-management",
+    "billing",
+    "cloud-object-storage",
+    "codeengine",
+    #"container-registry", # to fix in https://github.com/terraform-ibm-modules/terraform-ibm-vpe-gateway/issues/390
+    "directlink",
+    "dns-svcs",
+    "enterprise",
+    "global-search-tagging",
+    "globalcatalog",
+    "hs-crypto",
+    "hyperp-dbaas-mongodb",
+    "hyperp-dbaas-postgresql",
+    "iam-svcs",
+    "is",
+    "kms",
+    "resource-controller",
+    "transit",
+  "user-management"]
+}
+
+
+##############################################################################

examples/every-mt-vpe/main.tf

@@ -0,0 +1,9 @@
+output "vpe_ips" {
+  description = "The endpoint gateway reserved ips"
+  value       = module.vpes.vpe_ips
+}
+
+output "crn" {
+  description = "The CRN of the endpoint gateway"
+  value       = module.vpes.crn
+}

examples/every-mt-vpe/outputs.tf

@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}

examples/every-mt-vpe/provider.tf

@@ -0,0 +1,23 @@
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API Key"
+  sensitive   = true
+}
+
+variable "region" {
+  description = "The region where VPC and services are deployed"
+  type        = string
+  default     = "us-south"
+}
+
+variable "prefix" {
+  description = "The prefix that you would like to append to your resources"
+  type        = string
+  default     = "vpe"
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}

examples/every-mt-vpe/variables.tf

@@ -0,0 +1,16 @@
+##############################################################################
+# Terraform Providers
+##############################################################################
+
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    ibm = {
+      source = "IBM-Cloud/ibm"
+      # pin above lowest vesion, required for postgresql and IAM auth policy
+      version = ">= 1.54.0"
+    }
+  }
+}
+
+##############################################################################

examples/every-mt-vpe/versions.tf

@@ -53,33 +53,25 @@ locals {
 
   # Map of Services to endpoints
   service_to_endpoint_map = {
-    account-management          = "crn:v1:bluemix:public:account-management:global:::endpoint:${var.service_endpoints}.accounts.cloud.ibm.com"
-    billing                     = "crn:v1:bluemix:public:billing:global:::endpoint:${var.service_endpoints}.billing.cloud.ibm.com"
-    cloud-object-storage        = "crn:v1:bluemix:public:cloud-object-storage:global:::endpoint:s3.direct.${var.region}.cloud-object-storage.appdomain.cloud"
-    codeengine                  = "crn:v1:bluemix:public:codeengine:${var.region}:::endpoint:${var.service_endpoints}.${var.region}.codeengine.cloud.ibm.com"
-    container-registry          = "crn:v1:bluemix:public:container-registry:${var.region}:::endpoint:vpe.${var.region}.container-registry.cloud.ibm.com"
-    databases-for-cassandra     = "crn:v1:bluemix:public:databases-for-cassandra:${var.region}:::endpoint:${var.service_endpoints}.databases-for-cassandra.cloud.ibm.com"
-    databases-for-elasticsearch = "crn:v1:bluemix:public:databases-for-elasticsearch:${var.region}:::endpoint:${var.service_endpoints}.databases-for-elasticsearch.cloud.ibm.com"
-    databases-for-enterprisedb  = "crn:v1:bluemix:public:databases-for-enterprisedb:${var.region}:::${var.service_endpoints}.databases-for-enterprisedb.cloud.ibm.com"
-    databases-for-mongodb       = "crn:v1:bluemix:public:databases-for-mongodb:${var.region}:::endpoint:${var.service_endpoints}.databases-for-mongodb.cloud.ibm.com"
-    databases-for-postgresql    = "crn:v1:bluemix:public:databases-for-postgresql:${var.region}:::endpoint:${var.service_endpoints}.databases-for-postgresql.cloud.ibm.com"
-    databases-for-redis         = "crn:v1:bluemix:public:databases-for-redis:${var.region}:::endpoint:${var.service_endpoints}.databases-for-redis.cloud.ibm.com"
-    directlink                  = "crn:v1:bluemix:public:directlink:global:::endpoint:${var.service_endpoints}.directlink.cloud.ibm.com"
-    dns-svcs                    = "crn:v1:bluemix:public:dns-svcs:global::::"
-    enterprise                  = "crn:v1:bluemix:public:enterprise:global:::endpoint:${var.service_endpoints}.enterprise.cloud.ibm.com"
-    global-search-tagging       = "crn:v1:bluemix:public:global-search-tagging:global:::endpoint:api.${var.service_endpoints}.global-search-tagging.cloud.ibm.com"
-    globalcatalog               = "crn:v1:bluemix:public:globalcatalog:global:::endpoint:${var.service_endpoints}.globalcatalog.cloud.ibm.com"
-    hs-crypto                   = "crn:v1:bluemix:public:hs-crypto:${var.region}:::endpoint:api.${var.service_endpoints}.${var.region}.hs-crypto.cloud.ibm.com"
-    hyperp-dbaas-mongodb        = "crn:v1:bluemix:public:hyperp-dbaas-mongodb:${var.region}:::endpoint:dbaas900-mongodb.${var.service_endpoints}.hyperp-dbaas.cloud.ibm.com"
-    hyperp-dbaas-postgresql     = "crn:v1:bluemix:public:hyperp-dbaas-postgresql:${var.region}:::endpoint:dbaas900-postgresql.${var.service_endpoints}.hyperp-dbaas.cloud.ibm.com"
-    iam-identity                = "crn:v1:bluemix:public:iam-identity:global:::endpoint:${var.service_endpoints}.iam.cloud.ibm.com"
-    iam-svcs                    = "crn:v1:bluemix:public:iam-svcs:global:::endpoint:${var.service_endpoints}.iam.cloud.ibm.com"
-    is                          = "crn:v1:bluemix:public:is:${var.region}:::endpoint:${var.region}.${var.service_endpoints}.iaas.cloud.ibm.com"
-    kms                         = "crn:v1:bluemix:public:kms:${var.region}:::endpoint:${var.service_endpoints}.${var.region}.kms.cloud.ibm.com"
-    resource-controller         = "crn:v1:bluemix:public:resource-controller:global:::endpoint:${var.service_endpoints}.resource-controller.cloud.ibm.com"
-    secrets-manager             = "crn:v1:bluemix:public:secrets-manager:${var.region}:::endpoint:${var.service_endpoints}.secrets-manager.cloud.ibm.com"
-    transit                     = "crn:v1:bluemix:public:transit:global:::endpoint:${var.service_endpoints}.transit.cloud.ibm.com"
-    user-management             = "crn:v1:bluemix:public:user-management:global:::endpoint:${var.service_endpoints}.user-management.cloud.ibm.com"
+    account-management      = "crn:v1:bluemix:public:account-management:global:::endpoint:${var.service_endpoints}.accounts.cloud.ibm.com"
+    billing                 = "crn:v1:bluemix:public:billing:global:::endpoint:${var.service_endpoints}.billing.cloud.ibm.com"
+    cloud-object-storage    = "crn:v1:bluemix:public:cloud-object-storage:global:::endpoint:s3.direct.${var.region}.cloud-object-storage.appdomain.cloud"
+    codeengine              = "crn:v1:bluemix:public:codeengine:${var.region}:::endpoint:${var.service_endpoints}.${var.region}.codeengine.cloud.ibm.com"
+    container-registry      = "crn:v1:bluemix:public:container-registry:${var.region}:::endpoint:${var.region}.icr.io"
+    directlink              = "crn:v1:bluemix:public:directlink:global:::endpoint:${var.service_endpoints}.directlink.cloud.ibm.com"
+    dns-svcs                = "crn:v1:bluemix:public:dns-svcs:global::::"
+    enterprise              = "crn:v1:bluemix:public:enterprise:global:::endpoint:${var.service_endpoints}.enterprise.cloud.ibm.com"
+    global-search-tagging   = "crn:v1:bluemix:public:global-search-tagging:global:::endpoint:api.${var.service_endpoints}.global-search-tagging.cloud.ibm.com"
+    globalcatalog           = "crn:v1:bluemix:public:globalcatalog:global:::endpoint:${var.service_endpoints}.globalcatalog.cloud.ibm.com"
+    hs-crypto               = "crn:v1:bluemix:public:hs-crypto:${var.region}:::endpoint:api.${var.service_endpoints}.${var.region}.hs-crypto.cloud.ibm.com"
+    hyperp-dbaas-mongodb    = "crn:v1:bluemix:public:hyperp-dbaas-mongodb:${var.region}:::endpoint:dbaas900-mongodb.${var.service_endpoints}.hyperp-dbaas.cloud.ibm.com"
+    hyperp-dbaas-postgresql = "crn:v1:bluemix:public:hyperp-dbaas-postgresql:${var.region}:::endpoint:dbaas900-postgresql.${var.service_endpoints}.hyperp-dbaas.cloud.ibm.com"
+    iam-svcs                = "crn:v1:bluemix:public:iam-svcs:global:::endpoint:${var.service_endpoints}.iam.cloud.ibm.com"
+    is                      = "crn:v1:bluemix:public:is:${var.region}:::endpoint:${var.region}.${var.service_endpoints}.iaas.cloud.ibm.com"
+    kms                     = "crn:v1:bluemix:public:kms:${var.region}:::endpoint:${var.service_endpoints}.${var.region}.kms.cloud.ibm.com"
+    resource-controller     = "crn:v1:bluemix:public:resource-controller:global:::endpoint:${var.service_endpoints}.resource-controller.cloud.ibm.com"
+    transit                 = "crn:v1:bluemix:public:transit:global:::endpoint:${var.service_endpoints}.transit.cloud.ibm.com"
+    user-management         = "crn:v1:bluemix:public:user-management:global:::endpoint:${var.service_endpoints}.user-management.cloud.ibm.com"
   }
 }
 
@@ -105,13 +97,16 @@ resource "ibm_is_subnet_reserved_ip" "ip" {
 ##############################################################################
 
 resource "ibm_is_virtual_endpoint_gateway" "vpe" {
-  count           = length(local.gateway_list)
-  name            = local.gateway_list[count.index].name
+  for_each = { # Create a map based on gateway name
+    for gateway in local.gateway_list :
+    (gateway.name) => gateway
+  }
+  name            = each.key
   vpc             = var.vpc_id
   resource_group  = var.resource_group_id
   security_groups = var.security_group_ids
   target {
-    crn           = local.gateway_list[count.index].service == null ? local.gateway_list[count.index].crn : local.service_to_endpoint_map[local.gateway_list[count.index].service]
+    crn           = each.value.service == null ? each.value.crn : local.service_to_endpoint_map[each.value.service]
     resource_type = "provider_cloud_service"
   }
 }
@@ -140,6 +135,6 @@ resource "ibm_is_virtual_endpoint_gateway_ip" "endpoint_gateway_ip" {
 
 data "ibm_is_virtual_endpoint_gateway" "vpe" {
   depends_on = [ibm_is_virtual_endpoint_gateway_ip.endpoint_gateway_ip]
-  count      = length(ibm_is_virtual_endpoint_gateway.vpe)
-  name       = ibm_is_virtual_endpoint_gateway.vpe[count.index].name
+  for_each   = ibm_is_virtual_endpoint_gateway.vpe
+  name       = each.key
 }