feat: introduce allow dns resolution binding (#429)

BREAKING CHANGE: Significant review of the interface of this module as part of the introduction of DNS resolution binding. Note that you can upgrade to this version without impacting existing resources.

Author: vburckhardt

README.md

@@ -58,12 +58,18 @@ module "vpes" {
   ]
   resource_group_id    = "00ae4b38253f43a3acd14619dd385632" # pragma: allowlist secret
   security_group_ids   = ["r014-2d4f8cd6-6g3s-4ab5-ac3f-8fc717ce2a1f"]
-  cloud_services       = ["kms", "cloud-object-storage"]
-  cloud_service_by_crn = [
+  cloud_services = [
     {
-      name = "subnet-1"
-      crn  = "crn:v1:bluemix:public:kms:au-syd:a/abac0df06b644a9cabc6e44f55b3880e:12d2244b-g3d3-4978-7s3f-81b60a1fb7a4::"
+      service_name = "kms"
     },
+    {
+      service_name = "cloud-object-storage"
+    }
+  ]
+  cloud_service_by_crn = [
+    {
+      crn          = "crn:v1:bluemix:public:databases-for-postgresql:us-south:a/abac0df06b644a9cabc6e44f55b3880d:93f97b1a-fe35-4f17-a8be-ecf197a36bed::"
+    }
   ]
   service_endpoints = "private"
 }
@@ -85,7 +91,7 @@ You need the following permissions to run this module.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.3, <1.6.0 |
-| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.52.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.58.0 |
 
 ### Modules
 
@@ -104,8 +110,8 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_cloud_service_by_crn"></a> [cloud\_service\_by\_crn](#input\_cloud\_service\_by\_crn) | List of cloud service CRNs. Each CRN will have a unique endpoint gateways created. For a list of supported services, see the docs [here](https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-supported-services). | <pre>list(<br>    object({<br>      name = string # service name<br>      crn  = string # service crn<br>    })<br>  )</pre> | `[]` | no |
-| <a name="input_cloud_services"></a> [cloud\_services](#input\_cloud\_services) | List of cloud services to create an endpoint gateway. | `list(string)` | <pre>[<br>  "kms",<br>  "cloud-object-storage"<br>]</pre> | no |
+| <a name="input_cloud_service_by_crn"></a> [cloud\_service\_by\_crn](#input\_cloud\_service\_by\_crn) | List of cloud service CRNs. The keys are the CRN. The values (all optional) give some level of control on the created VPEs. Each CRN will have a unique endpoint gateways created. For a list of supported services, see the docs [here](https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-supported-services). | <pre>set(<br>    object({<br>      crn                          = string<br>      vpe_name                     = optional(string) # Full control on the VPE name. If not specified, the VPE name will be computed based on prefix, vpc name and service name.<br>      service_name                 = optional(string) # Name of the service used to compute the name of the VPE. If not specified, the service name will be obtained from the crn.<br>      allow_dns_resolution_binding = optional(bool, true)<br>    })<br>  )</pre> | `[]` | no |
+| <a name="input_cloud_services"></a> [cloud\_services](#input\_cloud\_services) | List of cloud services to create an endpoint gateway. The keys are the service names, the values (all optional) give some level of control on the created VPEs. | <pre>set(object({<br>    service_name                 = string<br>    vpe_name                     = optional(string), # Full control on the VPE name. If not specified, the VPE name will be computed based on prefix, vpc name and service name.<br>    allow_dns_resolution_binding = optional(bool, false)<br>  }))</pre> | n/a | yes |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix that you would like to append to your resources | `string` | `"vpe"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region where VPC and services are deployed | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | ID of the resource group where endpoint gateways will be provisioned | `string` | `null` | no |
@@ -114,7 +120,6 @@ No modules.
 | <a name="input_subnet_zone_list"></a> [subnet\_zone\_list](#input\_subnet\_zone\_list) | List of subnets in the VPC where gateways and reserved IPs will be provisioned. This value is intended to use the `subnet_zone_list` output from the Landing Zone VPC Subnet Module (https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc) or from templates using that module for subnet creation. | <pre>list(<br>    object({<br>      name = string<br>      id   = string<br>      zone = optional(string)<br>      cidr = optional(string)<br>    })<br>  )</pre> | `[]` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC where the Endpoint Gateways will be created | `string` | `null` | no |
 | <a name="input_vpc_name"></a> [vpc\_name](#input\_vpc\_name) | Name of the VPC where the Endpoint Gateways will be created. This value is used to dynamically generate VPE names. | `string` | `"vpc"` | no |
-| <a name="input_vpe_names"></a> [vpe\_names](#input\_vpe\_names) | A map whose keys are the service(s) you are overriding the name of and the values are the names you want the gateways for those services to have. | `map(string)` | `{}` | no |
 
 ### Outputs
 

common-dev-assets

@@ -1,11 +1,3 @@
-### randomising the custom vpe names
-locals {
-  vpe_names = {
-    for k, v in var.vpe_names :
-    k => "${var.prefix}-${v}"
-  }
-}
-
 ##############################################################################
 # Resource Group
 ##############################################################################
@@ -79,29 +71,36 @@ module "postgresql_db" {
   region            = var.region
 }
 
-locals {
-  cloud_service_by_crn = concat([{
-    name = "postgresql" # name of the vpe
-    crn = module.postgresql_db.crn }
-  ], var.cloud_service_by_crn)
-}
 
 ##############################################################################
 # Create VPEs in the VPC
 ##############################################################################
 module "vpes" {
-  source               = "../../"
-  region               = var.region
-  prefix               = var.prefix
-  vpc_name             = var.vpc_name
-  vpc_id               = var.vpc_id != null ? var.vpc_id : module.vpc[0].vpc_id
-  subnet_zone_list     = var.vpc_id != null ? var.subnet_zone_list : module.vpc[0].subnet_zone_list
-  resource_group_id    = module.resource_group.resource_group_id
-  security_group_ids   = var.security_group_ids != null ? var.security_group_ids : [module.vpe_security_group.security_group_id]
-  cloud_services       = var.cloud_services
-  cloud_service_by_crn = local.cloud_service_by_crn
-  service_endpoints    = var.service_endpoints
-  vpe_names            = local.vpe_names
+  source             = "../../"
+  region             = var.region
+  prefix             = var.prefix
+  vpc_name           = var.vpc_name
+  vpc_id             = var.vpc_id != null ? var.vpc_id : module.vpc[0].vpc_id
+  subnet_zone_list   = var.vpc_id != null ? var.subnet_zone_list : module.vpc[0].subnet_zone_list
+  resource_group_id  = module.resource_group.resource_group_id
+  security_group_ids = var.security_group_ids != null ? var.security_group_ids : [module.vpe_security_group.security_group_id]
+  cloud_services = [
+    {
+      service_name = "kms"
+    },
+    {
+      service_name = "cloud-object-storage"
+    }
+
+  ]
+  cloud_service_by_crn = [
+    {
+      crn          = (module.postgresql_db.crn)
+      service_name = "postgresql" # Optional - with this set, the service name would be derived from the crn which would be database-for-postgresql. service_name is used in this example to maintain backward compatibility with version <= 3.1.0 of the module
+    }
+  ]
+  service_endpoints = var.service_endpoints
+  #vpe_names            = local.vpe_names
   #  See comments below (resource "time_sleep" "sleep_time") for explaination on why this is needed.
   depends_on = [time_sleep.sleep_time]
 }

examples/default/main.tf

@@ -63,23 +63,6 @@ variable "security_group_ids" {
   default     = null
 }
 
-variable "cloud_services" {
-  description = "List of cloud services to create an endpoint gateway."
-  type        = list(string)
-  default     = ["kms", "cloud-object-storage"]
-}
-
-variable "cloud_service_by_crn" {
-  description = "List of cloud service CRNs. Each CRN will have a unique endpoint gateways created. For a list of supported services, see the docs [here](https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-supported-services)."
-  type = list(
-    object({
-      name = string # service name
-      crn  = string # service crn
-    })
-  )
-  default = []
-}
-
 variable "service_endpoints" {
   description = "Service endpoints to use to create endpoint gateways. Can be `public`, or `private`."
   type        = string
@@ -91,12 +74,6 @@ variable "service_endpoints" {
   }
 }
 
-variable "vpe_names" {
-  description = "A Map to specify custom names for endpoint gateways whose keys are services and values are names to use for that service's endpoint gateway. Each name will be prefixed with prefix value for isolated testing purposes."
-  type        = map(string)
-  default     = {}
-}
-
 variable "resource_tags" {
   type        = list(string)
   description = "Optional list of tags to be added to created resources"

examples/default/variables.tf

@@ -27,47 +27,113 @@ module "vpc" {
 # Create every multi-tenant VPEs in the VPC
 ##############################################################################
 module "vpes" {
-  source   = "../../"
-  region   = var.region
-  prefix   = var.prefix
-  vpc_name = module.vpc.vpc_name
-  vpc_id   = module.vpc.vpc_id
-  #subnet_zone_list  = module.vpc.subnet_zone_list
+  source            = "../../"
+  region            = var.region
+  prefix            = var.prefix
+  vpc_name          = module.vpc.vpc_name
+  vpc_id            = module.vpc.vpc_id
+  subnet_zone_list  = module.vpc.subnet_zone_list
   resource_group_id = module.resource_group.resource_group_id
   cloud_services = [
-    "account-management",
-    "billing",
-    "cloud-object-storage",
-    "cloud-object-storage-config",
-    "codeengine",
-    "container-registry",
-    "containers-kubernetes",
-    "context-based-restrictions",
-    "directlink",
-    "dns-svcs",
-    "enterprise",
-    "global-search-tagging",
-    "globalcatalog",
-    "hs-crypto",
-    "hs-crypto-cert-mgr",
-    "hs-crypto-ep11",
-    "hs-crypto-ep11-az1",
-    "hs-crypto-ep11-az2",
-    "hs-crypto-ep11-az3",
-    "hs-crypto-kmip",
-    "hs-crypto-tke",
-    "hyperp-dbaas-mongodb",
-    "hyperp-dbaas-postgresql",
-    "iam-svcs",
-    "is",
-    "kms",
-    "messaging",
-    "resource-controller",
-    "support-center",
-    "transit",
-    "user-management",
-    "vmware",
-    "ntp",
+    {
+      service_name = "account-management"
+    },
+    {
+      service_name = "billing"
+    },
+    {
+      service_name = "cloud-object-storage"
+    },
+    {
+      service_name = "cloud-object-storage-config"
+    },
+    {
+      service_name = "codeengine"
+    },
+    {
+      service_name = "container-registry"
+    },
+    {
+      service_name = "containers-kubernetes"
+    },
+    {
+      service_name = "context-based-restrictions"
+    },
+    {
+      service_name = "directlink"
+    },
+    {
+      service_name = "dns-svcs"
+    },
+    {
+      service_name = "enterprise"
+    },
+    {
+      service_name = "global-search-tagging"
+    },
+    {
+      service_name = "globalcatalog"
+    },
+    {
+      service_name = "hs-crypto"
+    },
+    {
+      service_name = "hs-crypto-cert-mgr"
+    },
+    {
+      service_name = "hs-crypto-ep11"
+    },
+    {
+      service_name = "hs-crypto-ep11-az1"
+    },
+    {
+      service_name = "hs-crypto-ep11-az2"
+    },
+    {
+      service_name = "hs-crypto-ep11-az3"
+    },
+    {
+      service_name = "hs-crypto-kmip"
+    },
+    {
+      service_name = "hs-crypto-tke"
+    },
+    {
+      service_name = "hyperp-dbaas-mongodb"
+    },
+    {
+      service_name = "hyperp-dbaas-postgresql"
+    },
+    {
+      service_name = "iam-svcs"
+    },
+    {
+      service_name = "is"
+    },
+    {
+      service_name = "kms"
+    },
+    {
+      service_name = "messaging"
+    },
+    {
+      service_name = "resource-controller"
+    },
+    {
+      service_name = "support-center"
+    },
+    {
+      service_name = "transit"
+    },
+    {
+      service_name = "user-management"
+    },
+    {
+      service_name = "vmware"
+    },
+    {
+      service_name = "ntp"
+    }
   ]
 }
 

examples/every-mt-vpe/main.tf

@@ -10,17 +10,19 @@ locals {
     # Create object for each service
     for service in var.cloud_services :
     {
-      name    = lookup(var.vpe_names, service, "${var.prefix}-${var.vpc_name}-${service}")
-      service = service
-      crn     = local.service_to_endpoint_map[service]
+      name                         = service.vpe_name != null ? service.vpe_name : "${var.prefix}-${var.vpc_name}-${service.service_name}"
+      service                      = service.service_name
+      crn                          = local.service_to_endpoint_map[service.service_name]
+      allow_dns_resolution_binding = service.allow_dns_resolution_binding
     }
     ],
     [
       for service in var.cloud_service_by_crn :
       {
-        name    = lookup(var.vpe_names, service.name, "${var.prefix}-${var.vpc_name}-${service.name}")
-        service = null
-        crn     = service.crn
+        name                         = service.vpe_name != null ? service.vpe_name : "${var.prefix}-${var.vpc_name}-${service.service_name != null ? service.service_name : element(split(":", service.crn), 4)}" # service-name part of crn - see https://cloud.ibm.com/docs/account?topic=account-crn
+        service                      = null
+        crn                          = service.crn
+        allow_dns_resolution_binding = service.allow_dns_resolution_binding
       }
     ]
   )
@@ -32,17 +34,17 @@ locals {
     concat([
       for service in var.cloud_services :
       {
-        ip_name      = "${subnet.name}-${service}-gateway-${replace(subnet.zone, "/${var.region}-/", "")}-ip"
+        ip_name      = "${subnet.name}-${service.service_name}-gateway-${replace(subnet.zone, "/${var.region}-/", "")}-ip"
         subnet_id    = subnet.id
-        gateway_name = lookup(var.vpe_names, service, "${var.prefix}-${var.vpc_name}-${service}")
+        gateway_name = service.vpe_name != null ? service.vpe_name : "${var.prefix}-${var.vpc_name}-${service.service_name}"
       }
       ],
       [
         for service in var.cloud_service_by_crn :
         {
-          ip_name      = "${subnet.name}-${service.name}-gateway-${replace(subnet.zone, "/${var.region}-/", "")}-ip"
+          ip_name      = service.vpe_name != null ? "${subnet.name}-${service.vpe_name}-gateway-${replace(subnet.zone, "/${var.region}-/", "")}-ip" : "${subnet.name}-${service.service_name != null ? service.service_name : element(split(":", service.crn), 4)}-gateway-${replace(subnet.zone, "/${var.region}-/", "")}-ip"
           subnet_id    = subnet.id
-          gateway_name = lookup(var.vpe_names, service.name, "${var.prefix}-${var.vpc_name}-${service.name}")
+          gateway_name = service.vpe_name != null ? service.vpe_name : "${var.prefix}-${var.vpc_name}-${service.service_name != null ? service.service_name : element(split(":", service.crn), 4)}"
         }
     ])
   ])
@@ -67,6 +69,7 @@ resource "ibm_is_subnet_reserved_ip" "ip" {
     for gateway_ip in local.endpoint_ip_list :
     (gateway_ip.ip_name) => gateway_ip
   }
+  # name  # Tracked at https://github.com/terraform-ibm-modules/terraform-ibm-vpe-gateway/issues/435
   subnet = each.value.subnet_id
 }
 
@@ -92,6 +95,7 @@ resource "ibm_is_virtual_endpoint_gateway" "vpe" {
     crn           = length(regexall("crn:v1:([^:]*:){6}", each.value.crn)) > 0 ? each.value.crn : null
     resource_type = length(regexall("crn:v1:([^:]*:){6}", each.value.crn)) > 0 ? "provider_cloud_service" : "provider_infrastructure_service"
   }
+  allow_dns_resolution_binding = each.value.allow_dns_resolution_binding
 }
 
 ##############################################################################