From d13a7c9b6eaf603fc7ecee38ddaaefc14ea61e73 Mon Sep 17 00:00:00 2001 From: Shikha Maheshwari Date: Sat, 15 Feb 2025 00:21:53 +0530 Subject: [PATCH 1/8] feat: initial commit --- solutions/simple/README.md | 11 + .../catalogValidationValues.json.template | 6 + solutions/simple/main.tf | 128 ++++++ solutions/simple/outputs.tf | 36 ++ solutions/simple/provider.tf | 9 + solutions/simple/variables.tf | 400 ++++++++++++++++++ solutions/simple/version.tf | 10 + 7 files changed, 600 insertions(+) create mode 100644 solutions/simple/README.md create mode 100644 solutions/simple/catalogValidationValues.json.template create mode 100644 solutions/simple/main.tf create mode 100644 solutions/simple/outputs.tf create mode 100644 solutions/simple/provider.tf create mode 100644 solutions/simple/variables.tf create mode 100644 solutions/simple/version.tf diff --git a/solutions/simple/README.md b/solutions/simple/README.md new file mode 100644 index 00000000..2e70f5f9 --- /dev/null +++ b/solutions/simple/README.md @@ -0,0 +1,11 @@ +# IBM VPC deployable architecture + +This deployable architecture supports provisioning the following resources: + +- A new resource group if one is not passed in. +- A VPC. + + +![vpc-deployable-architecture](../../reference-architecture/vpc-quickstart-da.svg) + +:exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers). diff --git a/solutions/simple/catalogValidationValues.json.template b/solutions/simple/catalogValidationValues.json.template new file mode 100644 index 00000000..2815de1b --- /dev/null +++ b/solutions/simple/catalogValidationValues.json.template 
@@ -0,0 +1,6 @@
+{
+ "ibmcloud_api_key": $VALIDATION_APIKEY,
+ "region": "us-south",
+ "resource_tags": $TAGS,
+ "resource_group_name": $PREFIX
+}
diff --git a/solutions/simple/main.tf b/solutions/simple/main.tf
new file mode 100644
index 00000000..2f93dd55
--- /dev/null
+++ b/solutions/simple/main.tf
@@ -0,0 +1,128 @@ +locals { + prefix = var.prefix != null ? (var.prefix != "" ? var.prefix : null) : null +} + +############################################################################## +# Resource Group +############################################################################## + +module "resource_group" { + source = "terraform-ibm-modules/resource-group/ibm" + version = "1.1.6" + resource_group_name = var.use_existing_resource_group == false ? try("${local.prefix}-${var.resource_group_name}", var.resource_group_name) : null + existing_resource_group_name = var.use_existing_resource_group == true ? var.resource_group_name : null +} + +############################################################################# +# COS Bucket for VPC flow logs +############################################################################# + +# parse COS details from the existing COS instance CRN +module "existing_cos_crn_parser" { + count = var.existing_cos_instance_crn != null ? 1 : 0 + source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser" + version = "1.1.0" + crn = var.existing_cos_instance_crn +} + +locals { + bucket_name = try("${local.prefix}-${var.cos_bucket_name}", var.cos_bucket_name) + + bucket_config = [{ + access_tags = var.access_tags + bucket_name = local.bucket_name + kms_encryption_enabled = var.kms_encryption_enabled_bucket + kms_guid = var.kms_encryption_enabled_bucket ? module.existing_kms_crn_parser[0].service_instance : null + kms_key_crn = var.kms_encryption_enabled_bucket ? var.existing_kms_instance_crn : null + skip_iam_authorization_policy = var.skip_cos_kms_auth_policy + management_endpoint_type = var.management_endpoint_type_for_bucket + storage_class = var.cos_bucket_class + resource_instance_id = var.existing_cos_instance_crn + region_location = var.region + force_delete = true + }] +} + +module "cos_buckets" { + count = var.enable_vpc_flow_logs ? 
1 : 0 + source = "terraform-ibm-modules/cos/ibm//modules/buckets" + version = "8.19.2" + bucket_configs = local.bucket_config +} + +####################################################################################################################### +# KMS Key +####################################################################################################################### + +# parse KMS details from the existing KMS instance CRN +module "existing_kms_crn_parser" { + count = var.kms_encryption_enabled_bucket && var.existing_kms_instance_crn != null ? 1 : 0 + source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser" + version = "1.1.0" + crn = var.existing_kms_instance_crn +} + +locals { + # fetch KMS region from existing_kms_instance_crn if KMS resources are required + kms_region = var.kms_encryption_enabled_bucket && var.existing_kms_instance_crn != null ? module.existing_kms_crn_parser[0].region : null + + kms_key_ring_name = try("${var.prefix}-${var.kms_key_ring_name}", var.kms_key_ring_name) + kms_key_name = try("${var.prefix}-${var.kms_key_name}", var.kms_key_name) +} + +module "kms" { + count = (var.enable_vpc_flow_logs && var.kms_encryption_enabled_bucket && var.existing_kms_instance_crn != null) ? 
1 : 0 # no need to create any KMS resources if not passing an existing KMS CRN + source = "terraform-ibm-modules/kms-all-inclusive/ibm" + version = "4.19.5" + create_key_protect_instance = false + region = local.kms_region + existing_kms_instance_crn = var.existing_kms_instance_crn + key_ring_endpoint_type = var.kms_endpoint_type + key_endpoint_type = var.kms_endpoint_type + keys = [ + { + key_ring_name = local.kms_key_ring_name + existing_key_ring = false + force_delete_key_ring = true + keys = [ + { + key_name = local.kms_key_name + standard_key = false + rotation_interval_month = 3 + dual_auth_delete_enabled = false + force_delete = true + } + ] + } + ] +} + +############################################################################# +# VPC +############################################################################# + +locals { + # //TO DO + # to create use_public_gateways object +} + +module "vpc" { + source = "../../" + resource_group_id = module.resource_group.resource_group_id + region = var.region + create_vpc = true + name = var.vpc_name + prefix = local.prefix + tags = var.resource_tags + access_tags = var.access_tags + subnets = var.subnets + default_network_acl_name = var.default_network_acl_name + default_security_group_name = var.default_security_group_name + default_routing_table_name = var.default_routing_table_name + network_acls = var.network_acls + # use_public_gateways = local.public_gateway_object + enable_vpc_flow_logs = var.enable_vpc_flow_logs + create_authorization_policy_vpc_to_cos = var.create_authorization_policy_vpc_to_cos + existing_cos_instance_guid = var.enable_vpc_flow_logs ? module.existing_cos_crn_parser[0].service_instance : null + existing_storage_bucket_name = var.enable_vpc_flow_logs ? module.cos_buckets[0].buckets[0].bucket_name : null +} diff --git a/solutions/simple/outputs.tf b/solutions/simple/outputs.tf new file mode 100644 index 00000000..e6b2071e --- /dev/null +++ b/solutions/simple/outputs.tf 
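Review bot: In `local.bucket_config`, `kms_key_crn` is set to `var.existing_kms_instance_crn`, so a KMS instance CRN is passed where the buckets module expects the CRN of a root key, and the key that `module.kms` creates is never referenced by the bucket at all; `kms_key_crn` should carry the CRN of the key created by `module.kms[0]` whenever `kms_encryption_enabled_bucket` is true. The `[0]` indexes on `module.existing_kms_crn_parser` and `module.existing_cos_crn_parser` assume the matching CRN variable is non-null whenever its feature flag is set, so `enable_vpc_flow_logs = true` with a null `existing_cos_instance_crn` fails with an index error instead of a readable message — a `precondition` (or a cross-variable `validation` once the series requires Terraform 1.9) would make that explicit. `kms_key_ring_name` and `kms_key_name` interpolate `var.prefix` while every other name uses `local.prefix`, so a prefix of `""` produces names such as `-cos-key-ring`; use `local.prefix` there as well. `force_delete = true` on the flow-log bucket means `terraform destroy` removes the collected flow logs together with the bucket, which is worth stating in the variable or README documentation so operators know to retain or export them first.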
@@ -0,0 +1,36 @@
+##############################################################################
+# VPC
+##############################################################################
+
+output "vpc_name" {
+ description = "Name of VPC created"
+ value = module.vpc.vpc_name
+}
+
+output "vpc_id" {
+ description = "ID of VPC created"
+ value = module.vpc.vpc_id
+}
+
+output "vpc_crn" {
+ description = "CRN of VPC created"
+ value = module.vpc.vpc_crn
+}
+
+##############################################################################
+# Public Gateways
+##############################################################################
+
+output "public_gateways" {
+ description = "Map of public gateways by zone"
+ value = module.vpc.public_gateways
+}
+
+##############################################################################
+# VPC flow logs
+##############################################################################
+
+output "vpc_flow_logs" {
+ description = "Details of VPC flow logs collector"
+ value = module.vpc.vpc_flow_logs
+}
diff --git a/solutions/simple/provider.tf b/solutions/simple/provider.tf
new file mode 100644
index 00000000..e669b7ba
--- /dev/null
+++ b/solutions/simple/provider.tf
@@ -0,0 +1,9 @@
+########################################################################################################################
+# Provider config
+########################################################################################################################
+
+provider "ibm" {
+ ibmcloud_api_key = var.ibmcloud_api_key
+ region = var.region
+ visibility = var.provider_visibility
+}
diff --git a/solutions/simple/variables.tf b/solutions/simple/variables.tf
new file mode 100644
index 00000000..da6e2037
--- /dev/null
+++ b/solutions/simple/variables.tf
@@ -0,0 +1,400 @@ +############################################################################## +# Input Variables +############################################################################## + +variable "ibmcloud_api_key" { + type = string + description = "The IBM Cloud API key to deploy resources." + sensitive = true +} + +variable "provider_visibility" { + description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)." + type = string + default = "public" + + validation { + condition = contains(["public", "private", "public-and-private"], var.provider_visibility) + error_message = "Invalid visibility option. Allowed values are 'public', 'private', or 'public-and-private'." + } +} + +variable "use_existing_resource_group" { + type = bool + description = "Whether to use an existing resource group." + default = true +} + +variable "resource_group_name" { + type = string + description = "The name of a new or an existing resource group to provision the watsonx.ai resources. If a prefix input variable is specified, the prefix is added to the name in the `-` format." + default = "Default" +} + +variable "prefix" { + type = string + description = "Prefix to add to all the resources created by this solution. To not use any prefix value, you can set this value to `null` or an empty string." + default = "dev" +} + +variable "vpc_name" { + default = "simple" + description = "Name of the VPC." + type = string +} + +variable "region" { + default = "us-south" + description = "Region to deploy the VPC." + type = string +} + +variable "resource_tags" { + description = "Optional list of tags for the resources created by this solution." 
+ type = list(string) + default = [] +} + +variable "access_tags" { + type = list(string) + description = "A list of access tags to apply to the VPC resources created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial." + default = [] + + validation { + condition = alltrue([ + for tag in var.access_tags : can(regex("[\\w\\-_\\.]+:[\\w\\-_\\.]+", tag)) && length(tag) <= 128 + ]) + error_message = "Tags must match the regular expression \"[\\w\\-_\\.]+:[\\w\\-_\\.]+\". For more information, see https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits." + } +} + +############################################################################## +# Subnets +############################################################################## + +variable "subnets" { + description = "List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addressess. Public gateways will be enabled only in zones where a gateway has been created" + type = object({ + zone-1 = list(object({ + name = string + cidr = string + public_gateway = optional(bool) + acl_name = string + no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true + })) + zone-2 = optional(list(object({ + name = string + cidr = string + public_gateway = optional(bool) + acl_name = string + no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true + }))) + zone-3 = optional(list(object({ + name = string + cidr = string + public_gateway = optional(bool) + acl_name = string + no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true + }))) + }) + + default = { + zone-1 = [ + { + name = "subnet-a" + cidr = "10.10.10.0/24" + public_gateway = true + acl_name = 
"vpc-acl" + no_addr_prefix = false + } + ] + } +} + +############################################################################## +# Network ACLs +############################################################################## + +variable "network_acls" { + description = "The list of ACLs to create. Provide at least one rule for each ACL." + type = list( + object({ + name = string + add_ibm_cloud_internal_rules = optional(bool) + add_vpc_connectivity_rules = optional(bool) + prepend_ibm_rules = optional(bool) + rules = list( + object({ + name = string + action = string + destination = string + direction = string + source = string + tcp = optional( + object({ + port_max = optional(number) + port_min = optional(number) + source_port_max = optional(number) + source_port_min = optional(number) + }) + ) + udp = optional( + object({ + port_max = optional(number) + port_min = optional(number) + source_port_max = optional(number) + source_port_min = optional(number) + }) + ) + icmp = optional( + object({ + type = optional(number) + code = optional(number) + }) + ) + }) + ) + }) + ) + + default = [ + { + name = "vpc-acl" + add_ibm_cloud_internal_rules = true + add_vpc_connectivity_rules = true + prepend_ibm_rules = true + rules = [ + { + name = "allow-all-443-inbound" + action = "allow" + direction = "inbound" + tcp = { + port_min = 443 + port_max = 443 + source_port_min = 1024 + source_port_max = 65535 + } + destination = "0.0.0.0/0" + source = "0.0.0.0/0" + }, + { + name = "allow-all-80-inbound" + action = "allow" + direction = "inbound" + tcp = { + port_min = 80 + port_max = 80 + source_port_min = 1024 + source_port_max = 65535 + } + destination = "0.0.0.0/0" + source = "0.0.0.0/0" + }, + { + name = "allow-all-22-inbound" + action = "allow" + direction = "inbound" + tcp = { + port_min = 22 + port_max = 22 + source_port_min = 1024 + source_port_max = 65535 + } + destination = "0.0.0.0/0" + source = "0.0.0.0/0" + }, + { + name = "allow-all-443-outbound" + action = "allow" 
+ direction = "outbound" + tcp = { + source_port_min = 443 + source_port_max = 443 + port_min = 1024 + port_max = 65535 + } + destination = "0.0.0.0/0" + source = "0.0.0.0/0" + }, + { + name = "allow-all-80-outbound" + action = "allow" + direction = "outbound" + tcp = { + source_port_min = 80 + source_port_max = 80 + port_min = 1024 + port_max = 65535 + } + destination = "0.0.0.0/0" + source = "0.0.0.0/0" + }, + { + name = "allow-all-22-outbound" + action = "allow" + direction = "outbound" + tcp = { + source_port_min = 22 + source_port_max = 22 + port_min = 1024 + port_max = 65535 + } + destination = "0.0.0.0/0" + source = "0.0.0.0/0" + } + ] + } + ] + + validation { + error_message = "ACL rule actions can only be `allow` or `deny`." + condition = length(distinct( + flatten([ + # Check through rules + for rule in flatten([var.network_acls[*].rules]) : + # Return false action is not valid + false if !contains(["allow", "deny"], rule.action) + ]) + )) == 0 + } + + validation { + error_message = "ACL rule direction can only be `inbound` or `outbound`." + condition = length(distinct( + flatten([ + # Check through rules + for rule in flatten([var.network_acls[*].rules]) : + # Return false if direction is not valid + false if !contains(["inbound", "outbound"], rule.direction) + ]) + )) == 0 + } + + validation { + error_message = "ACL rule names must match the regex pattern ^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$." + condition = length(distinct( + flatten([ + # Check through rules + for rule in flatten([var.network_acls[*].rules]) : + # Return false if direction is not valid + false if !can(regex("^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$", rule.name)) + ]) + )) == 0 + } + +} + + +############################################################################## +# VPC Flow Logs Variables +############################################################################## + +variable "enable_vpc_flow_logs" { + description = "Flag to enable vpc flow logs. 
If true, flow log collector will be created" + type = bool + default = false +} + +variable "create_authorization_policy_vpc_to_cos" { + description = "Create authorisation policy for VPC to access COS. Set as false if authorization policy exists already" + type = bool + default = true +} + +variable "existing_cos_instance_crn" { + description = "GUID of the COS instance to create Flow log collector" + type = string + default = null +} + +variable "cos_bucket_name" { + description = "Name of the COS bucket to collect VPC flow logs" + type = string + default = "cos-bucket" +} + +variable "kms_encryption_enabled_bucket" { + description = "Set to true if bucket needs to be KMS encryption enabled" + type = bool + default = false +} + +variable "skip_cos_kms_auth_policy" { + type = bool + description = "To skip creating auth policy that allows COS to access KMS key." + default = false +} + +variable "management_endpoint_type_for_bucket" { + description = "The type of endpoint for the IBM Terraform provider to use to manage Cloud Object Storage buckets (`public`, `private`, or `direct`). If you are using a private endpoint, make sure that you enable virtual routing and forwarding (VRF) in your account, and that the Terraform runtime can access the IBM Cloud Private network." + type = string + default = "public" + validation { + condition = contains(["public", "private", "direct"], var.management_endpoint_type_for_bucket) + error_message = "The specified `management_endpoint_type_for_bucket` is not valid. Specify a valid type of endpoint for the IBM Terraform provider to use to manage Cloud Object Storage buckets." + } +} + +variable "cos_bucket_class" { + type = string + default = "standard" + description = "The storage class of the newly provisioned Cloud Object Storage bucket. Specify one of the following values for the storage class: `standard`, `vault`, `cold`, `smart` (default), or `onerate_active`." 
+ validation { + condition = contains(["standard", "vault", "cold", "smart", "onerate_active"], var.cos_bucket_class) + error_message = "Specify one of the following values for the `cos_bucket_class`: `standard`, `vault`, `cold`, `smart`, or `onerate_active`." + } +} + +############################################################################################################### +# KMS +############################################################################################################### + +variable "existing_kms_instance_crn" { + type = string + default = null + description = "The CRN of the existing key management service (KMS) that is used to create keys for encrypting the Cloud Object Storage bucket." +} + +variable "kms_endpoint_type" { + type = string + description = "The type of endpoint to use for communicating with the Key Protect instance. Possible values: `public`, `private`. Applies only if `existing_cos_kms_key_crn` is not specified." + default = "public" + validation { + condition = can(regex("public|private", var.kms_endpoint_type)) + error_message = "Valid values for the `kms_endpoint_type_value` are `public` or `private`." + } +} + +variable "kms_key_ring_name" { + type = string + default = "cos-key-ring" + description = "The name of the key ring to create for the Cloud Object Storage bucket key. If an existing key is used, this variable is not required. If the prefix input variable is passed, the name of the key ring is prefixed to the value in the `-value` format." +} + +variable "kms_key_name" { + type = string + default = "cos-key" + description = "The name of the key to create for the Cloud Object Storage bucket. If an existing key is used, this variable is not required. If the prefix input variable is passed, the name of the key is prefixed to the value in the `-value` format." 
+} + +############################################################################## +# Optional VPC Variables +############################################################################## + +variable "default_network_acl_name" { + description = "OPTIONAL - Name of the Default ACL. If null, a name will be automatically generated" + type = string + default = null +} + +variable "default_security_group_name" { + description = "OPTIONAL - Name of the Default Security Group. If null, a name will be automatically generated" + type = string + default = null +} + +variable "default_routing_table_name" { + description = "OPTIONAL - Name of the Default Routing Table. If null, a name will be automatically generated" + type = string + default = null +} diff --git a/solutions/simple/version.tf b/solutions/simple/version.tf new file mode 100644 index 00000000..c27e769e --- /dev/null +++ b/solutions/simple/version.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.3.0" + required_providers { + # Use "greater than or equal to" range in modules + ibm = { + source = "IBM-Cloud/ibm" + version = ">= 1.59.0, < 2.0.0" + } + } +} From 0635ef84b45a7fcbf80b5847c0dd0b61dfac3028 Mon Sep 17 00:00:00 2001 From: Shikha Maheshwari Date: Mon, 17 Feb 2025 08:49:44 +0530 Subject: [PATCH 2/8] update defalt value of resource group --- solutions/simple/variables.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/solutions/simple/variables.tf b/solutions/simple/variables.tf index da6e2037..a762c75c 100644 --- a/solutions/simple/variables.tf +++ b/solutions/simple/variables.tf @@ -28,7 +28,6 @@ variable "use_existing_resource_group" { variable "resource_group_name" { type = string description = "The name of a new or an existing resource group to provision the watsonx.ai resources. If a prefix input variable is specified, the prefix is added to the name in the `-` format." - default = "Default" } variable "prefix" { From af8271a121e90b63086aadf65a1eeb4094795a14 Mon Sep 17 00:00:00 2001 
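Review bot: The `kms_endpoint_type` validation uses an unanchored `regex("public|private", …)`, which accepts any string that merely contains one of those words (for example `publicly` or `not-private`); the other validations in this file use `contains(…)`, and this one should too: `condition = contains(["public", "private"], var.kms_endpoint_type)`. Its error message refers to `kms_endpoint_type_value` and its description to `existing_cos_kms_key_crn`, neither of which is a variable in this file. The `cos_bucket_class` description marks `smart` as the default while the declaration has `default = "standard"`. The default `network_acls` admit inbound TCP 22, 80 and 443 from `0.0.0.0/0`; that may be acceptable for a quickstart, but the variable description should state it plainly so that anyone deploying beyond a sandbox knows to restrict the SSH source before use.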
From: Shikha Maheshwari Date: Mon, 17 Feb 2025 09:37:14 +0530 Subject: [PATCH 3/8] update code --- solutions/simple/main.tf | 2 +- solutions/simple/variables.tf | 24 ++++++++++++------------ solutions/simple/version.tf | 2 +- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/solutions/simple/main.tf b/solutions/simple/main.tf index 2f93dd55..a6873cd9 100644 --- a/solutions/simple/main.tf +++ b/solutions/simple/main.tf @@ -122,7 +122,7 @@ module "vpc" { network_acls = var.network_acls # use_public_gateways = local.public_gateway_object enable_vpc_flow_logs = var.enable_vpc_flow_logs - create_authorization_policy_vpc_to_cos = var.create_authorization_policy_vpc_to_cos + create_authorization_policy_vpc_to_cos = !var.skip_vpc_cos_authorization_policy existing_cos_instance_guid = var.enable_vpc_flow_logs ? module.existing_cos_crn_parser[0].service_instance : null existing_storage_bucket_name = var.enable_vpc_flow_logs ? module.cos_buckets[0].buckets[0].bucket_name : null } diff --git a/solutions/simple/variables.tf b/solutions/simple/variables.tf index a762c75c..c2d44cb2 100644 --- a/solutions/simple/variables.tf +++ b/solutions/simple/variables.tf @@ -22,12 +22,12 @@ variable "provider_visibility" { variable "use_existing_resource_group" { type = bool description = "Whether to use an existing resource group." - default = true + default = false } variable "resource_group_name" { type = string - description = "The name of a new or an existing resource group to provision the watsonx.ai resources. If a prefix input variable is specified, the prefix is added to the name in the `-` format." + description = "The name of a new or an existing resource group to provision the resources. If a prefix input variable is specified, the prefix is added to the name in the `-` format." } variable "prefix" { 
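Review bot: `create_authorization_policy_vpc_to_cos = !var.skip_vpc_cos_authorization_policy` inverts the meaning of the input, but the variables.tf hunk later in this patch that renames `create_authorization_policy_vpc_to_cos` to `skip_vpc_cos_authorization_policy` keeps `default = true`, so with default inputs the VPC-to-COS authorization policy is no longer created. With `enable_vpc_flow_logs = true` the flow log collector would then be unable to write to the bucket unless such a policy already exists in the account. Flip the default in that hunk to `default = false`, matching `skip_cos_kms_auth_policy`. The enclosing `module "vpc"` block starts outside this hunk.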
@@ -38,7 +38,7 @@ variable "prefix" { variable "vpc_name" { default = "simple" - description = "Name of the VPC." + description = "Name of the VPC. If a prefix input variable is specified, the prefix is added to the name in the `-` format." type = string } @@ -56,7 +56,7 @@ variable "resource_tags" { variable "access_tags" { type = list(string) - description = "A list of access tags to apply to the VPC resources created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial." + description = "A list of access tags to apply to the VPC resources created by this solution. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial." default = [] validation { 
@@ -285,42 +285,42 @@ variable "network_acls" { ############################################################################## -# VPC Flow Logs Variables +# VPC Flow Logs ############################################################################## variable "enable_vpc_flow_logs" { - description = "Flag to enable vpc flow logs. If true, flow log collector will be created" + description = "To enable vpc flow logs, set this to true." type = bool default = false } -variable "create_authorization_policy_vpc_to_cos" { - description = "Create authorisation policy for VPC to access COS. Set as false if authorization policy exists already" +variable "skip_vpc_cos_authorization_policy" { + description = "To skip creating an IAM authorization policy that allows the VPC to access the Cloud Object Storage, set this variable to `true`." type = bool default = true } variable "existing_cos_instance_crn" { - description = "GUID of the COS instance to create Flow log collector" + description = "CRN of the existing COS instance. It is required to create the bucket used for flow logs." type = string default = null } variable "cos_bucket_name" { - description = "Name of the COS bucket to collect VPC flow logs" + description = "Name of the Cloud Object Storage bucket to be created collect VPC flow logs." type = string default = "cos-bucket" } variable "kms_encryption_enabled_bucket" { - description = "Set to true if bucket needs to be KMS encryption enabled" + description = "Set to true if Cloud Object Storage bucket needs to be KMS encryption enabled." type = bool default = false } variable "skip_cos_kms_auth_policy" { type = bool - description = "To skip creating auth policy that allows COS to access KMS key." + description = "To skip creating auth policy that allows Cloud Object Storage(COS) to access KMS key." default = false } diff --git a/solutions/simple/version.tf b/solutions/simple/version.tf index c27e769e..8146ac7d 100644 --- a/solutions/simple/version.tf 
+++ b/solutions/simple/version.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.3.0" + required_version = ">= 1.9.0" required_providers { # Use "greater than or equal to" range in modules ibm = { From 41eaba05023cf48809b3ee068c312a598a5962e6 Mon Sep 17 00:00:00 2001 From: Shikha Maheshwari Date: Thu, 27 Feb 2025 23:47:47 +0530 Subject: [PATCH 4/8] update code --- .../{simple => fully-configurable}/README.md | 0 .../catalogValidationValues.json.template | 0 .../{simple => fully-configurable}/main.tf | 7 +- .../{simple => fully-configurable}/outputs.tf | 0 .../provider.tf | 0 .../variables.tf | 67 +++++++++++++++++-- .../{simple => fully-configurable}/version.tf | 4 +- 7 files changed, 71 insertions(+), 7 deletions(-) rename solutions/{simple => fully-configurable}/README.md (100%) rename solutions/{simple => fully-configurable}/catalogValidationValues.json.template (100%) rename solutions/{simple => fully-configurable}/main.tf (91%) rename solutions/{simple => fully-configurable}/outputs.tf (100%) rename solutions/{simple => fully-configurable}/provider.tf (100%) rename solutions/{simple => fully-configurable}/variables.tf (84%) rename solutions/{simple => fully-configurable}/version.tf (52%) diff --git a/solutions/simple/README.md b/solutions/fully-configurable/README.md similarity index 100% rename from solutions/simple/README.md rename to solutions/fully-configurable/README.md diff --git a/solutions/simple/catalogValidationValues.json.template b/solutions/fully-configurable/catalogValidationValues.json.template similarity index 100% rename from solutions/simple/catalogValidationValues.json.template rename to solutions/fully-configurable/catalogValidationValues.json.template diff --git a/solutions/simple/main.tf b/solutions/fully-configurable/main.tf similarity index 91% rename from solutions/simple/main.tf rename to solutions/fully-configurable/main.tf index a6873cd9..35e413b2 100644 --- a/solutions/simple/main.tf 
+++ b/solutions/fully-configurable/main.tf @@ -68,10 +68,12 @@ locals { kms_key_ring_name = try("${var.prefix}-${var.kms_key_ring_name}", var.kms_key_ring_name) kms_key_name = try("${var.prefix}-${var.kms_key_name}", var.kms_key_name) + + create_kms_key = var.existing_kms_key_crn == null ? ((var.enable_vpc_flow_logs && var.kms_encryption_enabled_bucket && var.existing_kms_instance_crn != null) ? true : false) : false } module "kms" { - count = (var.enable_vpc_flow_logs && var.kms_encryption_enabled_bucket && var.existing_kms_instance_crn != null) ? 1 : 0 # no need to create any KMS resources if not passing an existing KMS CRN + count = local.create_kms_key ? 1 : 0 # no need to create any KMS resources if not passing an existing KMS CRN or existing KMS key CRN is provided source = "terraform-ibm-modules/kms-all-inclusive/ibm" version = "4.19.5" create_key_protect_instance = false @@ -120,7 +122,10 @@ module "vpc" { default_security_group_name = var.default_security_group_name default_routing_table_name = var.default_routing_table_name network_acls = var.network_acls + clean_default_sg_acl = var.clean_default_sg_acl # use_public_gateways = local.public_gateway_object + address_prefixes = var.address_prefixes + routes = var.routes enable_vpc_flow_logs = var.enable_vpc_flow_logs create_authorization_policy_vpc_to_cos = !var.skip_vpc_cos_authorization_policy existing_cos_instance_guid = var.enable_vpc_flow_logs ? module.existing_cos_crn_parser[0].service_instance : null diff --git a/solutions/simple/outputs.tf b/solutions/fully-configurable/outputs.tf similarity index 100% rename from solutions/simple/outputs.tf rename to solutions/fully-configurable/outputs.tf diff --git a/solutions/simple/provider.tf b/solutions/fully-configurable/provider.tf similarity index 100% rename from solutions/simple/provider.tf rename to solutions/fully-configurable/provider.tf 
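Review bot: The new `existing_kms_key_crn` input only gates `local.create_kms_key`; nothing passes it, or the key that `module.kms` creates, to the bucket, and `local.bucket_config` still sets `kms_key_crn` from `var.existing_kms_instance_crn` (visible as a context line in the patch-5 main.tf hunk), so the bucket is never pointed at an actual key CRN. `kms_key_crn` should resolve to `var.existing_kms_key_crn` when it is set and otherwise to the CRN of the key created by `module.kms[0]`. The nested conditional can also be flattened: `create_kms_key = var.existing_kms_key_crn == null && var.enable_vpc_flow_logs && var.kms_encryption_enabled_bucket && var.existing_kms_instance_crn != null`. The `existing_kms_key_crn` variable added in this patch's variables.tf hunk has the same gap, since its description promises bucket encryption that is not wired up. Both enclosing blocks (`locals` and `module "vpc"`) start outside these hunks.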
diff --git a/solutions/simple/variables.tf b/solutions/fully-configurable/variables.tf similarity index 84% rename from solutions/simple/variables.tf rename to solutions/fully-configurable/variables.tf index c2d44cb2..b73dcd8e 100644 --- a/solutions/simple/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -49,7 +49,7 @@ variable "region" { } variable "resource_tags" { - description = "Optional list of tags for the resources created by this solution." + description = "List of tags for the resources created by this solution." type = list(string) default = [] } 
@@ -283,6 +283,59 @@ variable "network_acls" { } +variable "clean_default_sg_acl" { + description = "Remove all rules from the default VPC security group and VPC ACL (less permissive)" + type = bool + default = false +} + +variable "address_prefixes" { + description = "The IP range that will be defined for the VPC for a certain location. Use only with manual address prefixes" + type = object({ + zone-1 = optional(list(string)) + zone-2 = optional(list(string)) + zone-3 = optional(list(string)) + }) + default = { + zone-1 = null + zone-2 = null + zone-3 = null + } + validation { + error_message = "Keys for `use_public_gateways` must be in the order `zone-1`, `zone-2`, `zone-3`." + condition = var.address_prefixes == null ? true : ( + (length(var.address_prefixes) == 1 && keys(var.address_prefixes)[0] == "zone-1") || + (length(var.address_prefixes) == 2 && keys(var.address_prefixes)[0] == "zone-1" && keys(var.address_prefixes)[1] == "zone-2") || + (length(var.address_prefixes) == 3 && keys(var.address_prefixes)[0] == "zone-1" && keys(var.address_prefixes)[1] == "zone-2") && keys(var.address_prefixes)[2] == "zone-3" + ) + } +} + +############################################################################## +# Add routes to VPC +############################################################################## + +variable "routes" { + description = "Allows you to specify the next hop for packets based on their destination address" + type = list( + object({ + name = string + route_direct_link_ingress = optional(bool) + route_transit_gateway_ingress = optional(bool) + route_vpc_zone_ingress = optional(bool) + routes = optional( + list( + object({ + action = optional(string) + zone = number + destination = string + next_hop = string + }) + )) + }) + ) + default = [] +} ############################################################################## # VPC Flow Logs 
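Review bot: The `address_prefixes` validation's `error_message` names `use_public_gateways` instead of `address_prefixes`, which will confuse anyone who trips it; reword it to refer to `address_prefixes`. Because the variable is typed as an object with three optional attributes, `keys(var.address_prefixes)` should always return all three names (unset ones hold null), so the `length == 1` and `length == 2` branches never match and the ordering check is effectively a no-op — verify, and if the intent is contiguous zones, test for null values instead (e.g. `zone-3` must be null whenever `zone-2` is). `clean_default_sg_acl` defaults to `false`, the more permissive setting; the description should state that the default security group and ACL rules are left in place unless it is set to `true`, and point to the root module's documentation for what those rules are.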
@@ -348,6 +401,12 @@ variable "cos_bucket_class" { # KMS ############################################################################################################### +variable "existing_kms_key_crn" { + type = string + default = null + description = "The CRN of the existing root key of key management service (KMS) that is used to encrypt the Cloud Object Storage bucket." +} + variable "existing_kms_instance_crn" { type = string default = null @@ -381,19 +440,19 @@ variable "kms_key_name" { ############################################################################## variable "default_network_acl_name" { - description = "OPTIONAL - Name of the Default ACL. If null, a name will be automatically generated" + description = "Name of the Default ACL. If null, a name will be automatically generated" type = string default = null } variable "default_security_group_name" { - description = "OPTIONAL - Name of the Default Security Group. If null, a name will be automatically generated" + description = "Name of the Default Security Group. If null, a name will be automatically generated" type = string default = null } variable "default_routing_table_name" { - description = "OPTIONAL - Name of the Default Routing Table. If null, a name will be automatically generated" + description = "Name of the Default Routing Table. If null, a name will be automatically generated" type = string default = null } diff --git a/solutions/simple/version.tf b/solutions/fully-configurable/version.tf similarity index 52% rename from solutions/simple/version.tf rename to solutions/fully-configurable/version.tf index 8146ac7d..a6c8e06e 100644 --- a/solutions/simple/version.tf +++ b/solutions/fully-configurable/version.tf 
@@ -1,10 +1,10 @@ terraform { required_version = ">= 1.9.0" required_providers { - # Use "greater than or equal to" range in modules + # Lock DA into an exact provider version - renovate automation will keep it updated ibm = { source = "IBM-Cloud/ibm" - version = ">= 1.59.0, < 2.0.0" + version = "1.75.2" } } } From faf01ac37f4c5a8c19a312a94180efbc0609de31 Mon Sep 17 00:00:00 2001 From: Shikha Maheshwari Date: Fri, 28 Feb 2025 00:38:16 +0530 Subject: [PATCH 5/8] add validations --- solutions/fully-configurable/main.tf | 6 +++--- solutions/fully-configurable/variables.tf | 19 +++++++++++++++++-- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 35e413b2..619fe5c9 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -32,7 +32,7 @@ locals { access_tags = var.access_tags bucket_name = local.bucket_name kms_encryption_enabled = var.kms_encryption_enabled_bucket - kms_guid = var.kms_encryption_enabled_bucket ? module.existing_kms_crn_parser[0].service_instance : null + kms_guid = var.kms_encryption_enabled_bucket ? module.existing_kms_instance_crn_parser[0].service_instance : null kms_key_crn = var.kms_encryption_enabled_bucket ? var.existing_kms_instance_crn : null skip_iam_authorization_policy = var.skip_cos_kms_auth_policy management_endpoint_type = var.management_endpoint_type_for_bucket @@ -55,7 +55,7 @@ module "cos_buckets" { ####################################################################################################################### # parse KMS details from the existing KMS instance CRN -module "existing_kms_crn_parser" { +module "existing_kms_instance_crn_parser" { count = var.kms_encryption_enabled_bucket && var.existing_kms_instance_crn != null ? 1 : 0 source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser" version = "1.1.0" 
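Review bot: The rename in the `locals` hunk leaves `kms_key_crn` on the very next context line still set to `var.existing_kms_instance_crn`, so an instance CRN is passed where the argument name asks for a key CRN, and the `existing_kms_key_crn` input declared in the earlier variables.tf hunk is not referenced anywhere in the visible wiring. If the bucket module really expects a key CRN, this line should prefer `var.existing_kms_key_crn` when set and otherwise use the key created by `module "kms"` (whose outputs are outside this diff), e.g. `kms_key_crn = var.kms_encryption_enabled_bucket ? (var.existing_kms_key_crn != null ? var.existing_kms_key_crn : <key CRN output of module.kms>) : null` with the placeholder filled from that module. The `locals` block starts outside the hunk.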
@@ -64,7 +64,7 @@ module "existing_kms_crn_parser" { locals { # fetch KMS region from existing_kms_instance_crn if KMS resources are required - kms_region = var.kms_encryption_enabled_bucket && var.existing_kms_instance_crn != null ? module.existing_kms_crn_parser[0].region : null + kms_region = var.kms_encryption_enabled_bucket && var.existing_kms_instance_crn != null ? module.existing_kms_instance_crn_parser[0].region : null kms_key_ring_name = try("${var.prefix}-${var.kms_key_ring_name}", var.kms_key_ring_name) kms_key_name = try("${var.prefix}-${var.kms_key_name}", var.kms_key_name) diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index b73dcd8e..e03a9c25 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -357,6 +357,11 @@ variable "existing_cos_instance_crn" { description = "CRN of the existing COS instance. It is required to create the bucket used for flow logs." type = string default = null + + validation { + condition = var.enable_vpc_flow_logs ? (var.existing_cos_instance_crn != null ? true : false) : true + error_message = "'existing_cos_instance_crn' is required if 'enable_vpc_flow_logs' is set to true." + } } variable "cos_bucket_name" { 
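Review bot: The new validation on `existing_cos_instance_crn` spells a boolean as a nested ternary, `var.enable_vpc_flow_logs ? (var.existing_cos_instance_crn != null ? true : false) : true`; the same rule reads directly as `condition = !var.enable_vpc_flow_logs || var.existing_cos_instance_crn != null`. The same `x != null ? true : false` shape recurs in the two validations added to `kms_encryption_enabled_bucket` in the next hunk. Referencing other variables inside a `validation` block needs Terraform 1.9, which matches the `required_version = ">= 1.9.0"` shown in version.tf above.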
@@ -368,12 +373,22 @@ variable "cos_bucket_name" { variable "kms_encryption_enabled_bucket" { description = "Set to true if Cloud Object Storage bucket needs to be KMS encryption enabled." type = bool - default = false + default = true + + validation { + condition = !var.enable_vpc_flow_logs ? (var.kms_encryption_enabled_bucket ? false : true) : true + error_message = "'kms_encryption_enabled_bucket' should be false if 'enable_vpc_flow_logs' is set to false." + } + + validation { + condition = var.kms_encryption_enabled_bucket ? ((var.existing_kms_key_crn != null || var.existing_kms_instance_crn != null) ? true : false) : true + error_message = "Either 'existing_kms_key_crn' or 'existing_kms_instance_crn' is required if 'kms_encryption_enabled_bucket' is set to true." + } } variable "skip_cos_kms_auth_policy" { type = bool - description = "To skip creating auth policy that allows Cloud Object Storage(COS) to access KMS key." + description = "To skip creating an IAM authorization policy that allows Cloud Object Storage(COS) to access KMS key." default = false } From cc592f73a404070aed240496bf75a1d4b030c2af Mon Sep 17 00:00:00 2001 From: Shikha Maheshwari Date: Tue, 4 Mar 2025 11:33:18 +0530 Subject: [PATCH 6/8] create public_gateway object and added validation --- .../catalogValidationValues.json.template | 2 +- solutions/fully-configurable/main.tf | 39 ++++++++++--------- solutions/fully-configurable/variables.tf | 19 +++++---- 3 files changed, 30 insertions(+), 30 deletions(-) diff --git a/solutions/fully-configurable/catalogValidationValues.json.template b/solutions/fully-configurable/catalogValidationValues.json.template index 2815de1b..47adc9b3 100644 --- a/solutions/fully-configurable/catalogValidationValues.json.template +++ b/solutions/fully-configurable/catalogValidationValues.json.template 
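Review bot: The second validation added to `kms_encryption_enabled_bucket` accepts a configuration that sets only `existing_kms_key_crn`, but the locals in main.tf (the `@@ -32` and `@@ -64` hunks of this patch) derive `kms_guid` and `kms_region` solely from `existing_kms_instance_crn` and guard the CRN parser with `var.existing_kms_instance_crn != null`, so a key-CRN-only deployment passes validation and then feeds null into those values. Either this validation should require `existing_kms_instance_crn` whenever encryption is on, or the locals should also parse `existing_kms_key_crn`; which is intended is not visible here. The default also flips to true in this patch and back to false in patch 6, which suggests the first validation (encryption rejected whenever `enable_vpc_flow_logs` is false) was not usable with the true default.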
@@ -2,5 +2,5 @@
 "ibmcloud_api_key": $VALIDATION_APIKEY,
 "region": "us-south",
 "resource_tags": $TAGS,
- "resource_group_name": $PREFIX
+ "existing_resource_group_name": $PREFIX
 }
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 619fe5c9..3d4164f8 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -9,8 +9,7 @@ locals {
 module "resource_group" {
 source = "terraform-ibm-modules/resource-group/ibm"
 version = "1.1.6"
- resource_group_name = var.use_existing_resource_group == false ? try("${local.prefix}-${var.resource_group_name}", var.resource_group_name) : null
- existing_resource_group_name = var.use_existing_resource_group == true ? var.resource_group_name : null
+ existing_resource_group_name = var.existing_resource_group_name
 }
 
 #############################################################################
@@ -104,26 +103,28 @@ module "kms" { ############################################################################# locals { - # //TO DO - # to create use_public_gateways object + # create 'use_public_gateways' object + public_gateway_object = { + for key, value in var.subnets : key => value != null ? length([for sub in value : sub.public_gateway if sub.public_gateway]) > 0 ? [for sub in value : sub.public_gateway if sub.public_gateway][0] : false : false + } } module "vpc" { - source = "../../" - resource_group_id = module.resource_group.resource_group_id - region = var.region - create_vpc = true - name = var.vpc_name - prefix = local.prefix - tags = var.resource_tags - access_tags = var.access_tags - subnets = var.subnets - default_network_acl_name = var.default_network_acl_name - default_security_group_name = var.default_security_group_name - default_routing_table_name = var.default_routing_table_name - network_acls = var.network_acls - clean_default_sg_acl = var.clean_default_sg_acl - # use_public_gateways = local.public_gateway_object + source = "../../" + resource_group_id = module.resource_group.resource_group_id + region = var.region + create_vpc = true + name = var.vpc_name + prefix = local.prefix + tags = var.resource_tags + access_tags = var.access_tags + subnets = var.subnets + default_network_acl_name = var.default_network_acl_name + default_security_group_name = var.default_security_group_name + default_routing_table_name = var.default_routing_table_name + network_acls = var.network_acls + clean_default_sg_acl = var.clean_default_sg_acl + use_public_gateways = local.public_gateway_object address_prefixes = var.address_prefixes routes = var.routes enable_vpc_flow_logs = var.enable_vpc_flow_logs diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index e03a9c25..48fda473 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf 
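Review bot: `public_gateway_object` evaluates the same filtered comprehension twice and then indexes it only to recover a value that is necessarily `true`; the per-zone flag collapses to `key => value == null ? false : anytrue([for sub in value : sub.public_gateway])`, which is equivalent because the original `if sub.public_gateway` filter already requires a non-null bool there. The `module "vpc"` argument block below it is otherwise only re-aligned. If several subnets in one zone set `public_gateway`, this local silently reports one gateway; it is the validation added to `subnets` in variables.tf in the same patch that rejects that case, so the two should be read together.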
@@ -19,15 +19,9 @@ variable "provider_visibility" { } } -variable "use_existing_resource_group" { - type = bool - description = "Whether to use an existing resource group." - default = false -} - -variable "resource_group_name" { +variable "existing_resource_group_name" { type = string - description = "The name of a new or an existing resource group to provision the resources. If a prefix input variable is specified, the prefix is added to the name in the `-` format." + description = "The name of an existing resource group to provision the resources." } variable "prefix" { @@ -37,7 +31,7 @@ variable "prefix" { } variable "vpc_name" { - default = "simple" + default = "vpc" description = "Name of the VPC. If a prefix input variable is specified, the prefix is added to the name in the `-` format." type = string } @@ -108,6 +102,11 @@ variable "subnets" { } ] } + + validation { + condition = alltrue([for key, value in var.subnets : value != null ? length([for subnet in value : subnet.public_gateway if subnet.public_gateway]) > 1 ? false : true : true]) + error_message = "var.subnets has more than one public gateway in a zone. Only one public gateway can be attached to a zone for the virtual private cloud." + } } ############################################################################## @@ -373,7 +372,7 @@ variable "cos_bucket_name" { variable "kms_encryption_enabled_bucket" { description = "Set to true if Cloud Object Storage bucket needs to be KMS encryption enabled." type = bool - default = true + default = false validation { condition = !var.enable_vpc_flow_logs ? (var.kms_encryption_enabled_bucket ? false : true) : true From c083207eda7ca2376631d1868febfcc991cf18c1 Mon Sep 17 00:00:00 2001 
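Review bot: The new `subnets` validation writes its boolean as `length([...]) > 1 ? false : true`; the same condition reads as `alltrue([for key, value in var.subnets : value == null ? true : length([for subnet in value : subnet.public_gateway if subnet.public_gateway]) <= 1])`. The same per-zone count is computed again by `public_gateway_object` in main.tf in this patch, so keeping the two expressions in the same shape makes it easier to see that they agree.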
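Review bot: `kms_encryption_enabled_bucket` returns to a false default, so the flow-log bucket created when `enable_vpc_flow_logs` is on is not encrypted with a customer-managed KMS key unless the deployer opts in, and the description should state that, e.g. `description = "Set to true to encrypt the Cloud Object Storage flow-log bucket with a customer-managed KMS key (only valid when enable_vpc_flow_logs is true). Defaults to false, i.e. no customer-managed key."`. The revert appears to be forced by the first validation, which rejects true whenever flow logs are off, rather than by a deliberate security choice; deriving the effective value in main.tf from `enable_vpc_flow_logs` would allow a secure-by-default setting without tripping that check. The variable block continues outside the hunk.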
From: Shikha Maheshwari Date: Thu, 6 Mar 2025 13:59:45 +0530 Subject: [PATCH 7/8] added vpn gateway feature --- README.md | 3 +++ main.tf | 24 +++++++++++++++++++++- solutions/fully-configurable/main.tf | 2 ++ solutions/fully-configurable/variables.tf | 22 +++++++++++++++++++- variables.tf | 25 +++++++++++++++++++++++ 5 files changed, 74 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c78ad649..fef27e42 100644 --- a/README.md +++ b/README.md @@ -169,6 +169,7 @@ To attach access management tags to resources in this module, you need the follo | [ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_id](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_dns_resolution_binding) | resource | | [ibm_is_vpc_routing_table.route_table](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table) | resource | | [ibm_is_vpc_routing_table_route.routing_table_routes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table_route) | resource | +| [ibm_is_vpn_gateway.gateway](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpn_gateway) | resource | | [ibm_resource_instance.dns_instance_hub](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource | | [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [time_sleep.wait_for_vpc_creation_data](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | 
@@ -203,6 +204,7 @@ To attach access management tags to resources in this module, you need the follo | [enable\_hub\_vpc\_crn](#input\_enable\_hub\_vpc\_crn) | Indicates whether Hub VPC CRN is passed. | `bool` | `false` | no | | [enable\_hub\_vpc\_id](#input\_enable\_hub\_vpc\_id) | Indicates whether Hub VPC ID is passed. | `bool` | `false` | no | | [enable\_vpc\_flow\_logs](#input\_enable\_vpc\_flow\_logs) | Flag to enable vpc flow logs. If true, flow log collector will be created | `bool` | `false` | no | +| [enable\_vpn\_gateways](#input\_enable\_vpn\_gateways) | Set to true to add VPN gateways. If true, VPN gateways will be created using the variable 'vpn\_gateways'. | `bool` | `false` | no | | [existing\_cos\_instance\_guid](#input\_existing\_cos\_instance\_guid) | GUID of the COS instance to create Flow log collector | `string` | `null` | no | | [existing\_dns\_instance\_id](#input\_existing\_dns\_instance\_id) | Id of an existing dns instance in which the custom resolver is created. Only relevant if enable\_hub is set to true. | `string` | `null` | no | | [existing\_storage\_bucket\_name](#input\_existing\_storage\_bucket\_name) | Name of the COS bucket to collect VPC flow logs | `string` | `null` | no | @@ -232,6 +234,7 @@ To attach access management tags to resources in this module, you need the follo | [use\_existing\_dns\_instance](#input\_use\_existing\_dns\_instance) | Whether to use an existing dns instance. If true, existing\_dns\_instance\_id must be set. | `bool` | `false` | no | | [use\_public\_gateways](#input\_use\_public\_gateways) | Create a public gateway in any of the three zones with `true`. |
object({
zone-1 = optional(bool)
zone-2 = optional(bool)
zone-3 = optional(bool)
})
|
{
"zone-1": true,
"zone-2": false,
"zone-3": false
}
| no | | [vpc\_flow\_logs\_name](#input\_vpc\_flow\_logs\_name) | The name to give the provisioned VPC flow logs. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | +| [vpn\_gateways](#input\_vpn\_gateways) | List of VPN gateways to create. |
list(
object({
name = string
vpc_name = string
subnet_name = string # Do not include prefix, use same name as in `var.subnets`
mode = optional(string)
resource_group = optional(string)
access_tags = optional(list(string), [])
})
)
| `[]` | no | ### Outputs diff --git a/main.tf b/main.tf index 6b7fab72..68789284 100644 --- a/main.tf +++ b/main.tf @@ -356,7 +356,7 @@ resource "ibm_is_flow_log" "flow_logs" { ############################################################################## # DNS ZONE -# ############################################################################## +############################################################################### resource "ibm_dns_zone" "dns_zone" { count = var.enable_hub && !var.skip_custom_resolver_hub_creation && alltrue([var.dns_zone_name != null, var.dns_zone_name != ""]) ? 1 : 0 @@ -406,6 +406,28 @@ resource "ibm_dns_resource_record" "dns_record" { locals { record_ids = [for record in ibm_dns_resource_record.dns_record : element(split("/", record.id), 2)] + + # Convert the vpn_gateway input from list to a map + vpn_gateway_map = !var.enable_vpn_gateways ? {} : { for gateway in var.vpn_gateways : gateway.name => gateway } + +} + +############################################################################## +# Create VPN Gateways +############################################################################## + +resource "ibm_is_vpn_gateway" "gateway" { + for_each = local.vpn_gateway_map + name = "${var.prefix}-${each.key}" + subnet = each.value.subnet_name + mode = each.value.mode + resource_group = each.value.resource_group == null ? var.resource_group_id : each.value.resource_group + tags = var.tags + access_tags = each.value.access_tags + + timeouts { + delete = "1h" + } } ############################################################################## diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 3d4164f8..1a4231fb 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf 
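Review bot: `ibm_is_vpn_gateway.gateway` sets `subnet = each.value.subnet_name`, but the provider's `subnet` argument takes a subnet ID, while the variable comment says the value is the bare name "as in `var.subnets`"; unless a lookup happens elsewhere (none is visible in this hunk), the apply will fail or bind the gateway to the wrong network. Resolve the name against the subnets this module creates, e.g. `subnet = <subnet name-to-id map local>[each.value.subnet_name]` built from the existing subnet resources, and reject unknown names before apply. The object type also carries a required `vpc_name` attribute that nothing in the resource reads. Since a VPN gateway is an internet-reachable endpoint, a `mode` left unset silently takes the provider default (presumably `route`); naming that default in the variable description would help reviewers.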
@@ -131,4 +131,6 @@ module "vpc" { create_authorization_policy_vpc_to_cos = !var.skip_vpc_cos_authorization_policy existing_cos_instance_guid = var.enable_vpc_flow_logs ? module.existing_cos_crn_parser[0].service_instance : null existing_storage_bucket_name = var.enable_vpc_flow_logs ? module.cos_buckets[0].buckets[0].bucket_name : null + enable_vpn_gateways = true + vpn_gateways = var.vpn_gateways } diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 48fda473..ac4c804e 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -26,8 +26,8 @@ variable "existing_resource_group_name" { variable "prefix" { type = string + nullable = true description = "Prefix to add to all the resources created by this solution. To not use any prefix value, you can set this value to `null` or an empty string." - default = "dev" } variable "vpc_name" { @@ -470,3 +470,23 @@ variable "default_routing_table_name" { type = string default = null } + +############################################################################## +# VPN Gateways +############################################################################## + +variable "vpn_gateways" { + description = "List of VPN Gateways to create." + type = list( + object({ + name = string + vpc_name = string + subnet_name = string # Do not include prefix, use same name as in `var.subnets` + mode = optional(string) + resource_group = optional(string) + access_tags = optional(list(string), []) + }) + ) + + default = [] +} diff --git a/variables.tf b/variables.tf index 6428db7f..c68b4a3d 100644 --- a/variables.tf +++ b/variables.tf 
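Review bot: `enable_vpn_gateways = true` is hard-wired in the deployable architecture while `vpn_gateways` defaults to `[]`, so the flag never carries information; `enable_vpn_gateways = length(var.vpn_gateways) > 0` keeps the root module's switch meaningful and makes it obvious in a plan that no gateway was requested. Behaviour is the same today because the root module's `vpn_gateway_map` is empty either way.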
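Review bot: The new `vpn_gateways` input has no validation, although its `mode` and `subnet_name` fields are passed straight into `ibm_is_vpn_gateway` in the root main.tf hunk of this patch. A condition such as `alltrue([for g in var.vpn_gateways : g.mode == null ? true : contains(["route", "policy"], g.mode)])` rejects typos before apply (those are the provider's documented modes; confirm against the pinned 1.75.2 provider), and a second one can check each `subnet_name` against the subnet names declared in `var.subnets`. The identical object type is duplicated in the root `variables.tf` in the next hunk, where the same validation belongs as well.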
@@ -718,3 +718,28 @@ variable "dns_records" {
 error_message = "Invalid MX record configuration. For 'MX' records, value for 'preference' must be provided."
 }
 }
+
+##############################################################################
+# VPN Gateways
+##############################################################################
+
+variable "enable_vpn_gateways" {
+ type = bool
+ description = "Set to true to add VPN gateways. If true, VPN gateways will be created using the variable 'vpn_gateways'."
+ default = false
+}
+
+variable "vpn_gateways" {
+ description = "List of VPN gateways to create."
+ type = list(
+ object({
+ name = string
+ vpc_name = string
+ subnet_name = string # Do not include prefix, use same name as in `var.subnets`
+ mode = optional(string)
+ resource_group = optional(string)
+ access_tags = optional(list(string), [])
+ })
+ )
+ default = []
+}
From e5cc87a6407a1039eb2816cb56b598512b339f83 Mon Sep 17 00:00:00 2001
From: Shikha Maheshwari
Date: Mon, 10 Mar 2025 17:38:00 +0530
Subject: [PATCH 8/8] update outputs

---
 solutions/fully-configurable/outputs.tf | 33 +++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/solutions/fully-configurable/outputs.tf b/solutions/fully-configurable/outputs.tf
index e6b2071e..cfca496d 100644
--- a/solutions/fully-configurable/outputs.tf
+++ b/solutions/fully-configurable/outputs.tf
@@ -34,3 +34,36 @@ output "vpc_flow_logs" {
 description = "Details of VPC flow logs collector"
 value = module.vpc.vpc_flow_logs
 }
+
+##############################################################################
+# Network ACLs
+##############################################################################
+
+output "network_acls" {
+ description = "List of shortnames and IDs of network ACLs"
+ value = module.vpc.network_acls
+}
+
+##############################################################################
+# Subnet Outputs
+##############################################################################
+
+output "subnet_ids" {
+ description = "The IDs of the subnets"
+ value = module.vpc.subnet_ids
+}
+
+output "subnet_detail_list" {
+ description = "A list of subnets containing names, CIDR blocks, and zones."
+ value = module.vpc.subnet_detail_list
+}
+
+output "subnet_zone_list" {
+ description = "A list containing subnet IDs and subnet zones"
+ value = module.vpc.subnet_zone_list
+}
+
+output "subnet_detail_map" {
+ description = "A map of subnets containing IDs, CIDR blocks, and zones"
+ value = module.vpc.subnet_detail_map
+}