feat: add tags to resources, add default key policy rotation & attach…

… VPE to its own security group (#27)
terraform-ibm-modules · Aug 4, 2022 · 4fb36c6 · 4fb36c6
1 parent a5b4cdd
commit 4fb36c6
Show file tree

Hide file tree

Showing 15 changed files with 42 additions and 12 deletions.
diff --git a/appid.tf b/appid.tf
@@ -52,6 +52,7 @@ resource "ibm_resource_instance" "appid" {
   plan              = "graduated-tier"
   location          = var.region
   resource_group_id = local.resource_groups[var.appid.resource_group]
+  tags              = var.tags
 }
 
 ##############################################################################
@@ -82,6 +83,7 @@ resource "ibm_resource_key" "appid_key" {
   name                 = "${var.prefix}-${each.key}-app-id-key"
   resource_instance_id = local.appid_instance_id
   role                 = "Writer"
+  tags                 = var.tags
 }
 
 ##############################################################################

diff --git a/kms/main.tf b/kms/main.tf
@@ -25,6 +25,7 @@ resource "ibm_resource_instance" "kms" {
   plan              = "tiered-pricing"
   location          = var.region
   resource_group_id = var.key_management.resource_group_id
+  tags              = var.key_management.tags
 }
 
 data "ibm_resource_instance" "kms" {

diff --git a/kms/variables.tf b/kms/variables.tf
@@ -21,6 +21,7 @@ variable "key_management" {
     use_hs_crypto     = optional(bool) # can be hpcs or keyprotect
     use_data          = optional(bool)
     resource_group_id = optional(string)
+    tags              = list(string)
   })
 }
 

diff --git a/main.tf b/main.tf
@@ -11,6 +11,7 @@ module "vpc" {
   source                      = "git::https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc.git?ref=v2.0.0"
   for_each                    = local.vpc_map
   name                        = each.value.prefix
+  tags                        = var.tags
   resource_group_id           = each.value.resource_group == null ? null : local.resource_groups[each.value.resource_group]
   region                      = var.region
   prefix                      = var.prefix
@@ -42,6 +43,7 @@ resource "ibm_is_flow_log" "flow_logs" {
   active         = true
   storage_bucket = ibm_cos_bucket.buckets[each.value.bucket].bucket_name
   resource_group = each.value.resource_group == null ? null : local.resource_groups[each.value.resource_group]
+  tags           = var.tags
 
   depends_on = [ibm_cos_bucket.buckets, ibm_iam_authorization_policy.policy]
 }

diff --git a/outputs.tf b/outputs.tf
@@ -43,7 +43,7 @@ output "atracker_target_name" {
 
 output "atracker_route_name" {
   description = "Name of atracker route"
-  value       = local.valid_atracker_region ? ibm_atracker_route.atracker_route.*.name[0] : null
+  value       = local.valid_atracker_region && var.atracker.add_route == true ? ibm_atracker_route.atracker_route.*.name[0] : null
 }
 
 ##############################################################################

diff --git a/patterns/dynamic_values/config_modules/key_management/key_management.tf b/patterns/dynamic_values/config_modules/key_management/key_management.tf
@@ -57,6 +57,12 @@ locals {
       name     = "${var.prefix}-${service}-key"
       root_key = true
       key_ring = "${var.prefix}-slz-ring"
+      policies = (
+        {
+          rotation = {
+            interval_month = 12
+        } }
+      )
     }
   ]
 }

diff --git a/patterns/dynamic_values/outputs.tf b/patterns/dynamic_values/outputs.tf
@@ -82,7 +82,18 @@ output "vpcs" {
 
 output "security_groups" {
   description = "List of additional security groups to be created by landing-zone module"
-  value       = local.security_groups
+  value = flatten([
+    local.security_groups,
+    [
+      for network in local.vpc_list :
+      {
+        name           = "${network}-vpe-sg"
+        resource_group = "${var.prefix}-${network}-rg"
+        rules          = local.default_vsi_sg_rules_force_tcp
+        vpc_name       = network
+      }
+    ]
+  ])
 }
 
 ##############################################################################

diff --git a/patterns/mixed/config.tf b/patterns/mixed/config.tf
@@ -56,7 +56,7 @@ locals {
         vpc_name                        = var.vpcs[0]
         subnet_names                    = ["vsi-zone-1", "vsi-zone-2", "vsi-zone-3"]
         image_name                      = var.vsi_image_name
-        vsi_per_subnet                  = 1
+        vsi_per_subnet                  = var.vsi_per_subnet
         machine_type                    = var.vsi_instance_profile
         resource_group                  = "${var.prefix}-${var.vpcs[0]}-rg"
         boot_volume_encryption_key_name = "${var.prefix}-vsi-volume-key"
@@ -145,8 +145,9 @@ locals {
         # Create VPE for each VPC in VPE tier
         for network in module.dynamic_values.vpc_list :
         {
-          name    = network
-          subnets = ["vpe-zone-1", "vpe-zone-2", "vpe-zone-3"]
+          name                = network
+          subnets             = ["vpe-zone-1", "vpe-zone-2", "vpe-zone-3"]
+          security_group_name = "${network}-vpe-sg"
         }
       ]
     }]

diff --git a/patterns/roks/config.tf b/patterns/roks/config.tf
@@ -129,8 +129,9 @@ locals {
         # Create VPE for each VPC in VPE tier
         for network in module.dynamic_values.vpc_list :
         {
-          name    = network
-          subnets = ["vpe-zone-1", "vpe-zone-2", "vpe-zone-3"]
+          name                = network
+          subnets             = ["vpe-zone-1", "vpe-zone-2", "vpe-zone-3"]
+          security_group_name = "${network}-vpe-sg"
         }
       ]
     }]

diff --git a/patterns/vsi/config.tf b/patterns/vsi/config.tf
@@ -60,7 +60,7 @@ locals {
         resource_group                  = "${var.prefix}-${network}-rg"
         subnet_names                    = ["vsi-zone-1", "vsi-zone-2", "vsi-zone-3"]
         image_name                      = var.vsi_image_name
-        vsi_per_subnet                  = 1
+        vsi_per_subnet                  = var.vsi_per_subnet
         machine_type                    = var.vsi_instance_profile
         boot_volume_encryption_key_name = "${var.prefix}-vsi-volume-key"
         security_group = {
@@ -106,8 +106,9 @@ locals {
         # Create VPE for each VPC in VPE tier
         for network in module.dynamic_values.vpc_list :
         {
-          name    = network
-          subnets = ["vpe-zone-1", "vpe-zone-2", "vpe-zone-3"]
+          name                = network
+          subnets             = ["vpe-zone-1", "vpe-zone-2", "vpe-zone-3"]
+          security_group_name = "${network}-vpe-sg"
         }
       ]
     }]

diff --git a/resource_groups.tf b/resource_groups.tf
@@ -16,6 +16,7 @@ resource "ibm_resource_group" "resource_groups" {
     (group.name) => group if group.create == true
   }
   name = each.value.use_prefix == true ? "${var.prefix}-${each.key}" : each.key
+  tags = var.tags
 }
 
 ##############################################################################

diff --git a/secrets_manager.tf b/secrets_manager.tf
@@ -9,7 +9,7 @@ resource "ibm_resource_instance" "secrets_manager" {
   location          = var.region
   plan              = "standard"
   resource_group_id = var.secrets_manager.resource_group == null ? null : local.resource_groups[var.secrets_manager.resource_group]
-
+  tags              = var.tags
 
   parameters = {
     kms_key = (

diff --git a/services.tf b/services.tf
@@ -10,6 +10,7 @@ module "key_management" {
     resource_group_id = var.key_management.resource_group == null ? null : local.resource_groups[var.key_management.resource_group]
     use_data          = var.key_management.use_data
     use_hs_crypto     = var.key_management.use_hs_crypto
+    tags              = var.tags
   }
   keys = var.key_management.keys == null ? [] : var.key_management.keys
 }

diff --git a/virtual_servers.tf b/virtual_servers.tf
@@ -47,6 +47,7 @@ module "vsi" {
   prefix                = "${var.prefix}-${each.value.name}"
   vpc_id                = module.vpc[each.value.vpc_name].vpc_id
   subnets               = each.value.subnets
+  tags                  = var.tags
   user_data             = lookup(each.value, "user_data", null)
   image_id              = data.ibm_is_image.image["${var.prefix}-${each.value.name}"].id
   boot_volume_encryption_key = each.value.boot_volume_encryption_key_name == null ? "" : [

diff --git a/vpe.tf b/vpe.tf
@@ -24,7 +24,8 @@ resource "ibm_is_virtual_endpoint_gateway" "endpoint_gateway" {
   name            = "${var.prefix}-${each.key}"
   vpc             = each.value.vpc_id
   resource_group  = each.value.resource_group == null ? null : local.resource_groups[each.value.resource_group]
-  security_groups = each.value.security_group_name == null ? null : [each.value.security_group_name]
+  security_groups = each.value.security_group_name == null ? null : [ibm_is_security_group.security_group[each.value.security_group_name].id]
+  tags            = var.tags
 
   target {
     crn           = each.value.crn