
feat: Exposed the service_endpoints input variable to all patterns,…
… with a default value of `public-and-private`. The value will be used for App ID and Key Protect instance provisioning. (#663)
akocbek authored Jan 10, 2024
1 parent 83d4c24 commit 6626133
Showing 20 changed files with 95 additions and 13 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -914,7 +914,7 @@ module "cluster_pattern" {
| <a name="input_region"></a> [region](#input\_region) | Region where VPC will be created. To find your VPC region, use `ibmcloud is regions` command to find available regions. | `string` | n/a | yes |
| <a name="input_resource_groups"></a> [resource\_groups](#input\_resource\_groups) | Object describing resource groups to create or reference | <pre>list(<br> object({<br> name = string<br> create = optional(bool)<br> use_prefix = optional(bool)<br> })<br> )</pre> | n/a | yes |
| <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | Security groups for VPC | <pre>list(<br> object({<br> name = string<br> vpc_name = string<br> resource_group = optional(string)<br> access_tags = optional(list(string), [])<br> rules = list(<br> object({<br> name = string<br> direction = string<br> source = string<br> tcp = optional(<br> object({<br> port_max = number<br> port_min = number<br> })<br> )<br> udp = optional(<br> object({<br> port_max = number<br> port_min = number<br> })<br> )<br> icmp = optional(<br> object({<br> type = number<br> code = number<br> })<br> )<br> })<br> )<br> })<br> )</pre> | `[]` | no |
| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Service endpoints. Can be `public`, `private`, or `public-and-private` | `string` | `"private"` | no |
| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Service endpoints. Can be `public`, `private`, or `public-and-private` | `string` | `"public-and-private"` | no |
| <a name="input_ssh_keys"></a> [ssh\_keys](#input\_ssh\_keys) | SSH keys to use to provision a VSI. Must be an RSA key with a key size of either 2048 bits or 4096 bits (recommended). If `public_key` is not provided, the named key will be looked up from data. If a resource group name is added, it must be included in `var.resource_groups`. See https://cloud.ibm.com/docs/vpc?topic=vpc-ssh-keys. | <pre>list(<br> object({<br> name = string<br> public_key = optional(string)<br> resource_group = optional(string)<br> })<br> )</pre> | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | List of resource tags to apply to resources created by this module. | `list(string)` | `[]` | no |
| <a name="input_teleport_config_data"></a> [teleport\_config\_data](#input\_teleport\_config\_data) | Teleport config data. This is used to create a single template for all teleport instances to use. Creating a single template allows for values to remain sensitive | <pre>object({<br> teleport_license = optional(string)<br> https_cert = optional(string)<br> https_key = optional(string)<br> domain = optional(string)<br> cos_bucket_name = optional(string)<br> cos_key_name = optional(string)<br> teleport_version = optional(string)<br> message_of_the_day = optional(string)<br> hostname = optional(string)<br> app_id_key_name = optional(string)<br> claims_to_roles = optional(<br> list(<br> object({<br> email = string<br> roles = list(string)<br> })<br> )<br> )<br> })</pre> | `null` | no |
1 change: 1 addition & 0 deletions appid.tf
Expand Up @@ -53,6 +53,7 @@ resource "ibm_resource_instance" "appid" {
location = var.region
resource_group_id = local.resource_groups[var.appid.resource_group]
tags = var.tags
service_endpoints = var.service_endpoints
}

##############################################################################
2 changes: 1 addition & 1 deletion examples/one-vpc-one-vsi/override.json
Expand Up @@ -2,7 +2,7 @@
"enable_transit_gateway": false,
"transit_gateway_global": false,
"virtual_private_endpoints": [],
"service_endpoints": "private",
"service_endpoints": "public-and-private",
"security_groups": [],
"vpn_gateways": [],
"atracker": {
2 changes: 1 addition & 1 deletion examples/override-example/override.json
Expand Up @@ -39,7 +39,7 @@
]
}
],
"service_endpoints": "private",
"service_endpoints": "public-and-private",
"security_groups": [],
"vpn_gateways": [
{
1 change: 1 addition & 0 deletions kms/main.tf
Expand Up @@ -25,6 +25,7 @@ resource "ibm_resource_instance" "kms" {
location = var.region
resource_group_id = var.key_management.resource_group_id
tags = var.key_management.tags
service_endpoints = var.service_endpoints
}

resource "ibm_resource_tag" "tag" {
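Review bot: The new `service_endpoints = var.service_endpoints` line in `ibm_resource_instance.kms` only takes effect if the root module's call to the `./kms` module passes the value through, and none of the 20 files in this commit touches that module block. Unless it is updated, the Key Protect instance will always be created with the `kms/variables.tf` default of `public-and-private`, while a root-level `service_endpoints = "private"` (the value the Schematics tests in `tests/pr_test.go` set) would only reach the App ID instance. Adding `service_endpoints = var.service_endpoints` to the root module's `./kms` module block would close the gap; worth confirming against that file, which is outside this diff.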
10 changes: 10 additions & 0 deletions kms/variables.tf
Expand Up @@ -83,4 +83,14 @@ variable "keys" {
}
}

variable "service_endpoints" {
description = "Service endpoints. Can be `public`, `private`, or `public-and-private`"
type = string
default = "public-and-private"

validation {
error_message = "Service endpoints can only be `public`, `private`, or `public-and-private`."
condition = contains(["public", "private", "public-and-private"], var.service_endpoints)
}
}
##############################################################################
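Review bot: The description of the new `service_endpoints` variable lists the accepted values but not what they control, and the default of `public-and-private` is the most exposed option for a key-management instance, so the trade-off should be stated where users read it. Suggest `description = "Service endpoints enabled on the Key Protect instance: private (IBM Cloud private network only), public (public network only) or public-and-private (both, the default)."`, with the same wording (covering App ID as well where the variable feeds both) in `patterns/mixed/variables.tf`, `patterns/roks/module/variables.tf`, `patterns/vpc/module/variables.tf`, `patterns/vsi/module/variables.tf` and the root `variables.tf`. The `validation` block already pins the value set, so only the description text changes.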
2 changes: 1 addition & 1 deletion patterns/mixed/config.tf
Expand Up @@ -254,7 +254,7 @@ locals {
security_groups = lookup(local.override[local.override_type], "security_groups", local.config.security_groups)
virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
cos = lookup(local.override[local.override_type], "cos", local.config.object_storage)
service_endpoints = lookup(local.override[local.override_type], "service_endpoints", "private")
service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
add_kms_block_storage_s2s = lookup(local.override[local.override_type], "add_kms_block_storage_s2s", local.config.add_kms_block_storage_s2s)
key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management)
atracker = lookup(local.override[local.override_type], "atracker", local.config.atracker)
2 changes: 1 addition & 1 deletion patterns/mixed/override.json
Expand Up @@ -133,7 +133,7 @@
}
],
"security_groups": [],
"service_endpoints": "private",
"service_endpoints": "public-and-private",
"ssh_keys": [
{
"name": "slz-ssh-key",
16 changes: 16 additions & 0 deletions patterns/mixed/variables.tf
Expand Up @@ -541,6 +541,22 @@ variable "add_kms_block_storage_s2s" {

##############################################################################

##############################################################################
# KMS and App ID variables
##############################################################################
variable "service_endpoints" {
description = "Service endpoints. Can be `public`, `private`, or `public-and-private`"
type = string
default = "public-and-private"

validation {
error_message = "Service endpoints can only be `public`, `private`, or `public-and-private`."
condition = contains(["public", "private", "public-and-private"], var.service_endpoints)
}
}

##############################################################################

##############################################################################
# Override JSON
##############################################################################
2 changes: 1 addition & 1 deletion patterns/roks/module/config.tf
Expand Up @@ -234,7 +234,7 @@ locals {
security_groups = lookup(local.override[local.override_type], "security_groups", local.config.security_groups)
virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
cos = lookup(local.override[local.override_type], "cos", local.config.object_storage)
service_endpoints = lookup(local.override[local.override_type], "service_endpoints", "private")
service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
add_kms_block_storage_s2s = lookup(local.override[local.override_type], "add_kms_block_storage_s2s", local.config.add_kms_block_storage_s2s)
key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management)
atracker = lookup(local.override[local.override_type], "atracker", local.config.atracker)
16 changes: 16 additions & 0 deletions patterns/roks/module/variables.tf
Expand Up @@ -508,6 +508,22 @@ variable "add_kms_block_storage_s2s" {

##############################################################################

##############################################################################
# KMS and App ID variables
##############################################################################
variable "service_endpoints" {
description = "Service endpoints. Can be `public`, `private`, or `public-and-private`"
type = string
default = "public-and-private"

validation {
error_message = "Service endpoints can only be `public`, `private`, or `public-and-private`."
condition = contains(["public", "private", "public-and-private"], var.service_endpoints)
}
}

##############################################################################

##############################################################################
# Override JSON
##############################################################################
2 changes: 1 addition & 1 deletion patterns/roks/override.json
Expand Up @@ -168,7 +168,7 @@
}
],
"security_groups": [],
"service_endpoints": "private",
"service_endpoints": "public-and-private",
"ssh_keys": [],
"transit_gateway_connections": [
"management",
2 changes: 1 addition & 1 deletion patterns/vpc/module/config.tf
Expand Up @@ -185,7 +185,7 @@ locals {
security_groups = lookup(local.override[local.override_type], "security_groups", local.config.security_groups)
virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
cos = lookup(local.override[local.override_type], "cos", local.config.object_storage)
service_endpoints = lookup(local.override[local.override_type], "service_endpoints", "private")
service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
add_kms_block_storage_s2s = lookup(local.override[local.override_type], "add_kms_block_storage_s2s", local.config.add_kms_block_storage_s2s)
key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management)
atracker = lookup(local.override[local.override_type], "atracker", local.config.atracker)
16 changes: 16 additions & 0 deletions patterns/vpc/module/variables.tf
Expand Up @@ -440,6 +440,22 @@ variable "add_kms_block_storage_s2s" {

##############################################################################

##############################################################################
# KMS and App ID variables
##############################################################################
variable "service_endpoints" {
description = "Service endpoints. Can be `public`, `private`, or `public-and-private`"
type = string
default = "public-and-private"

validation {
error_message = "Service endpoints can only be `public`, `private`, or `public-and-private`."
condition = contains(["public", "private", "public-and-private"], var.service_endpoints)
}
}

##############################################################################

##############################################################################
# Override JSON
##############################################################################
2 changes: 1 addition & 1 deletion patterns/vpc/override.json
Expand Up @@ -92,7 +92,7 @@
}
],
"security_groups": [],
"service_endpoints": "private",
"service_endpoints": "public-and-private",
"ssh_keys": [],
"transit_gateway_connections": [
"management",
2 changes: 1 addition & 1 deletion patterns/vsi/module/config.tf
Expand Up @@ -220,7 +220,7 @@ locals {
security_groups = lookup(local.override[local.override_type], "security_groups", local.config.security_groups)
virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
cos = lookup(local.override[local.override_type], "cos", local.config.object_storage)
service_endpoints = lookup(local.override[local.override_type], "service_endpoints", "private")
service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
add_kms_block_storage_s2s = lookup(local.override[local.override_type], "add_kms_block_storage_s2s", local.config.add_kms_block_storage_s2s)
key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management)
atracker = lookup(local.override[local.override_type], "atracker", local.config.atracker)
16 changes: 16 additions & 0 deletions patterns/vsi/module/variables.tf
Expand Up @@ -472,6 +472,22 @@ variable "add_kms_block_storage_s2s" {

##############################################################################

##############################################################################
# KMS and App ID variables
##############################################################################
variable "service_endpoints" {
description = "Service endpoints. Can be `public`, `private`, or `public-and-private`"
type = string
default = "public-and-private"

validation {
error_message = "Service endpoints can only be `public`, `private`, or `public-and-private`."
condition = contains(["public", "private", "public-and-private"], var.service_endpoints)
}
}

##############################################################################

##############################################################################
# Override JSON
##############################################################################
2 changes: 1 addition & 1 deletion patterns/vsi/override.json
Expand Up @@ -92,7 +92,7 @@
}
],
"security_groups": [],
"service_endpoints": "private",
"service_endpoints": "public-and-private",
"ssh_keys": [
{
"name": "slz-ssh-key",
7 changes: 7 additions & 0 deletions tests/pr_test.go
Expand Up @@ -33,6 +33,9 @@ const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-res
// Setting "add_atracker_route" to false for VPC and VSI tests to avoid hitting AT route quota, right now its 4 routes per account.
const add_atracker_route = false

// Setting "service_endpoints" to `private` to test support for 'private' service_endpoints (schematics have access to private network).
const service_endpoints = "private"

var sharedInfoSvc *cloudinfo.CloudInfoService
var permanentResources map[string]interface{}

Expand Down Expand Up @@ -305,6 +308,7 @@ func TestRunVSIQuickStartPatternSchematics(t *testing.T) {
{Name: "region", Value: options.Region, DataType: "string"},
{Name: "prefix", Value: options.Prefix, DataType: "string"},
{Name: "ssh_key", Value: sshPublicKey(t), DataType: "string"},
{Name: "service_endpoints", Value: "private", DataType: "string"},
}

err := options.RunSchematicTest()
Expand All @@ -322,6 +326,7 @@ func TestRunVSIPatternSchematics(t *testing.T) {
{Name: "prefix", Value: options.Prefix, DataType: "string"},
{Name: "ssh_public_key", Value: sshPublicKey(t), DataType: "string"},
{Name: "add_atracker_route", Value: add_atracker_route, DataType: "bool"},
{Name: "service_endpoints", Value: "private", DataType: "string"},
}

err := options.RunSchematicTest()
Expand All @@ -340,6 +345,7 @@ func TestRunRoksPatternSchematics(t *testing.T) {
{Name: "region", Value: options.Region, DataType: "string"},
{Name: "prefix", Value: options.Prefix, DataType: "string"},
{Name: "tags", Value: options.Tags, DataType: "list(string)"},
{Name: "service_endpoints", Value: "private", DataType: "string"},
}

err := options.RunSchematicTest()
Expand All @@ -357,6 +363,7 @@ func TestRunVPCPatternSchematics(t *testing.T) {
{Name: "prefix", Value: options.Prefix, DataType: "string"},
{Name: "tags", Value: options.Tags, DataType: "list(string)"},
{Name: "add_atracker_route", Value: add_atracker_route, DataType: "bool"},
{Name: "service_endpoints", Value: "private", DataType: "string"},
}

err := options.RunSchematicTest()
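Review bot: The four added `{Name: "service_endpoints", Value: "private", DataType: "string"}` entries each repeat the literal `"private"` although the first hunk of this file introduces `const service_endpoints = "private"` with a comment explaining why that value is chosen; the constant is then never used. Passing `Value: service_endpoints` in `TestRunVSIQuickStartPatternSchematics`, `TestRunVSIPatternSchematics`, `TestRunRoksPatternSchematics` and `TestRunVPCPatternSchematics` keeps the choice in one place and matches how `add_atracker_route` is already passed. Each of these test functions starts and ends outside its hunk.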
3 changes: 1 addition & 2 deletions variables.tf
Expand Up @@ -691,11 +691,10 @@ variable "cos" {
# Service Instance Variables
##############################################################################

# tflint-ignore: terraform_unused_declarations
variable "service_endpoints" {
description = "Service endpoints. Can be `public`, `private`, or `public-and-private`"
type = string
default = "private"
default = "public-and-private"

validation {
error_message = "Service endpoints can only be `public`, `private`, or `public-and-private`."
