diff --git a/README.md b/README.md
index 39fd0eab9..3ff753c47 100644
--- a/README.md
+++ b/README.md
@@ -914,7 +914,7 @@ module "cluster_pattern" {
 | [region](#input\_region) | Region where VPC will be created. To find your VPC region, use `ibmcloud is regions` command to find available regions. | `string` | n/a | yes |
 | [resource\_groups](#input\_resource\_groups) | Object describing resource groups to create or reference |
list(
object({
name = string
create = optional(bool)
use_prefix = optional(bool)
})
)
| n/a | yes | | [security\_groups](#input\_security\_groups) | Security groups for VPC |
list(
object({
name = string
vpc_name = string
resource_group = optional(string)
access_tags = optional(list(string), [])
rules = list(
object({
name = string
direction = string
source = string
tcp = optional(
object({
port_max = number
port_min = number
})
)
udp = optional(
object({
port_max = number
port_min = number
})
)
icmp = optional(
object({
type = number
code = number
})
)
})
)
})
)
| `[]` | no | -| [service\_endpoints](#input\_service\_endpoints) | Service endpoints. Can be `public`, `private`, or `public-and-private` | `string` | `"private"` | no | +| [service\_endpoints](#input\_service\_endpoints) | Service endpoints. Can be `public`, `private`, or `public-and-private` | `string` | `"public-and-private"` | no | | [ssh\_keys](#input\_ssh\_keys) | SSH keys to use to provision a VSI. Must be an RSA key with a key size of either 2048 bits or 4096 bits (recommended). If `public_key` is not provided, the named key will be looked up from data. If a resource group name is added, it must be included in `var.resource_groups`. See https://cloud.ibm.com/docs/vpc?topic=vpc-ssh-keys. |
list(
object({
name = string
public_key = optional(string)
resource_group = optional(string)
})
)
| n/a | yes | | [tags](#input\_tags) | List of resource tags to apply to resources created by this module. | `list(string)` | `[]` | no | | [teleport\_config\_data](#input\_teleport\_config\_data) | Teleport config data. This is used to create a single template for all teleport instances to use. Creating a single template allows for values to remain sensitive |
object({
teleport_license = optional(string)
https_cert = optional(string)
https_key = optional(string)
domain = optional(string)
cos_bucket_name = optional(string)
cos_key_name = optional(string)
teleport_version = optional(string)
message_of_the_day = optional(string)
hostname = optional(string)
app_id_key_name = optional(string)
claims_to_roles = optional(
list(
object({
email = string
roles = list(string)
})
)
)
})
| `null` | no |
diff --git a/appid.tf b/appid.tf
index ad5e4ddf9..548844770 100644
--- a/appid.tf
+++ b/appid.tf
@@ -53,6 +53,7 @@ resource "ibm_resource_instance" "appid" {
 location = var.region
 resource_group_id = local.resource_groups[var.appid.resource_group]
 tags = var.tags
+ service_endpoints = var.service_endpoints
 }
 ##############################################################################
diff --git a/examples/one-vpc-one-vsi/override.json b/examples/one-vpc-one-vsi/override.json
index 6299ed988..14e5117f8 100644
--- a/examples/one-vpc-one-vsi/override.json
+++ b/examples/one-vpc-one-vsi/override.json
@@ -2,7 +2,7 @@
 "enable_transit_gateway": false,
 "transit_gateway_global": false,
 "virtual_private_endpoints": [],
- "service_endpoints": "private",
+ "service_endpoints": "public-and-private",
 "security_groups": [],
 "vpn_gateways": [],
 "atracker": {
diff --git a/examples/override-example/override.json b/examples/override-example/override.json
index 60af582c3..ae596efbd 100644
--- a/examples/override-example/override.json
+++ b/examples/override-example/override.json
@@ -39,7 +39,7 @@
 ]
 }
 ],
- "service_endpoints": "private",
+ "service_endpoints": "public-and-private",
 "security_groups": [],
 "vpn_gateways": [
 {
diff --git a/kms/main.tf b/kms/main.tf
index af6ef7bb2..ad312850a 100644
--- a/kms/main.tf
+++ b/kms/main.tf
@@ -25,6 +25,7 @@ resource "ibm_resource_instance" "kms" {
 location = var.region
 resource_group_id = var.key_management.resource_group_id
 tags = var.key_management.tags
+ service_endpoints = var.service_endpoints
 }
 resource "ibm_resource_tag" "tag" {
diff --git a/kms/variables.tf b/kms/variables.tf
index 7abf713ec..e7ac00f40 100644
--- a/kms/variables.tf
+++ b/kms/variables.tf
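Review bot: The new `service_endpoints = var.service_endpoints` on `ibm_resource_instance.appid`, combined with the root default moving from `private` to `public-and-private` (variables.tf hunk at the end of the diff), means a stack that never set this variable will, on its next apply, reconfigure its App ID instance to also serve public endpoints; the kms/main.tf hunk does the same for the key-management instance. That is a widening of network exposure for the key store and the identity service that happens with no caller change, and since the commit text is not visible here I cannot tell whether that is intended. Before merging it is also worth checking a plan against an existing instance to confirm the provider treats this argument as an in-place update rather than a replacement, since replacing the KMS instance would not be recoverable. If the new default is kept, the line should carry a note such as `# Endpoint exposure follows var.service_endpoints; the default enables the public endpoint, set "private" to restrict the instance to the private network.` and the change should be flagged as behaviour-changing for existing deployments; otherwise keep `default = "private"` in the root module and let examples and tests opt into public endpoints explicitly.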
@@ -83,4 +83,14 @@ variable "keys" {
 }
 }
+variable "service_endpoints" {
+ description = "Service endpoints. Can be `public`, `private`, or `public-and-private`"
+ type = string
+ default = "public-and-private"
+
+ validation {
+ error_message = "Service endpoints can only be `public`, `private`, or `public-and-private`."
+ condition = contains(["public", "private", "public-and-private"], var.service_endpoints)
+ }
+}
 ##############################################################################
diff --git a/patterns/mixed/config.tf b/patterns/mixed/config.tf
index 0f08f55f6..0f4f6a2cc 100644
--- a/patterns/mixed/config.tf
+++ b/patterns/mixed/config.tf
@@ -254,7 +254,7 @@ locals {
 security_groups = lookup(local.override[local.override_type], "security_groups", local.config.security_groups)
 virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
 cos = lookup(local.override[local.override_type], "cos", local.config.object_storage)
- service_endpoints = lookup(local.override[local.override_type], "service_endpoints", "private")
+ service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
 add_kms_block_storage_s2s = lookup(local.override[local.override_type], "add_kms_block_storage_s2s", local.config.add_kms_block_storage_s2s)
 key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management)
 atracker = lookup(local.override[local.override_type], "atracker", local.config.atracker)
diff --git a/patterns/mixed/override.json b/patterns/mixed/override.json
index b093d987d..cecd62ba5 100644
--- a/patterns/mixed/override.json
+++ b/patterns/mixed/override.json
@@ -133,7 +133,7 @@
 }
 ],
 "security_groups": [],
- "service_endpoints": "private",
+ "service_endpoints": "public-and-private",
 "ssh_keys": [
 {
 "name": "slz-ssh-key",
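Review bot: `kms/variables.tf` now declares `service_endpoints` and kms/main.tf reads it, but no hunk in this diff touches the root module's call into `kms/` to pass `service_endpoints = var.service_endpoints`; unless that module block is updated in a file outside this diff, the root variable (and the `private` value the Go tests set) never reaches the key-management instance, which silently stays at the module-local default of `public-and-private`. The root variables.tf hunk only drops the `tflint-ignore: terraform_unused_declarations` marker, which is consistent with the variable being consumed by appid.tf alone. This is easy to confirm by planning one of the patterns with `service_endpoints = "private"` and checking what the kms instance receives. The description could also say what the value governs, e.g. `description = "Endpoints exposed by the key-management instance created by this module. Can be \`public\`, \`private\`, or \`public-and-private\`"`.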
diff --git a/patterns/mixed/variables.tf b/patterns/mixed/variables.tf
index 67ef7702c..03aa4bd49 100644
--- a/patterns/mixed/variables.tf
+++ b/patterns/mixed/variables.tf
@@ -541,6 +541,22 @@ variable "add_kms_block_storage_s2s" {
 ##############################################################################
+##############################################################################
+# KMS and App ID variables
+##############################################################################
+variable "service_endpoints" {
+ description = "Service endpoints. Can be `public`, `private`, or `public-and-private`"
+ type = string
+ default = "public-and-private"
+
+ validation {
+ error_message = "Service endpoints can only be `public`, `private`, or `public-and-private`."
+ condition = contains(["public", "private", "public-and-private"], var.service_endpoints)
+ }
+}
+
+##############################################################################
+
 ##############################################################################
 # Override JSON
 ##############################################################################
diff --git a/patterns/roks/module/config.tf b/patterns/roks/module/config.tf
index 78c2e9661..9cc6ef2e8 100644
--- a/patterns/roks/module/config.tf
+++ b/patterns/roks/module/config.tf
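Review bot: The pattern-level `service_endpoints` variable added here is only a fallback: the config.tf hunks use it as the third argument of `lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)`, and the override.json files changed in this same commit now pin `"service_endpoints": "public-and-private"`, so a user who has the override active and sets the variable to `private` still gets public endpoints. That precedence is presumably by design for the override mechanism (how the override is enabled is outside this diff), but nothing in the description tells the user, and the same applies to the identical variable blocks in the patterns/roks, patterns/vpc and patterns/vsi variables.tf hunks. Suggest stating both the scope and the precedence: `description = "Service endpoints for the KMS and App ID instances. Can be \`public\`, \`private\`, or \`public-and-private\`. A service_endpoints value in the override JSON takes precedence over this variable."`.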
@@ -234,7 +234,7 @@ locals {
 security_groups = lookup(local.override[local.override_type], "security_groups", local.config.security_groups)
 virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
 cos = lookup(local.override[local.override_type], "cos", local.config.object_storage)
- service_endpoints = lookup(local.override[local.override_type], "service_endpoints", "private")
+ service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
 add_kms_block_storage_s2s = lookup(local.override[local.override_type], "add_kms_block_storage_s2s", local.config.add_kms_block_storage_s2s)
 key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management)
 atracker = lookup(local.override[local.override_type], "atracker", local.config.atracker)
diff --git a/patterns/roks/module/variables.tf b/patterns/roks/module/variables.tf
index 543779e45..ad07c661c 100644
--- a/patterns/roks/module/variables.tf
+++ b/patterns/roks/module/variables.tf
@@ -508,6 +508,22 @@ variable "add_kms_block_storage_s2s" {
 ##############################################################################
+##############################################################################
+# KMS and App ID variables
+##############################################################################
+variable "service_endpoints" {
+ description = "Service endpoints. Can be `public`, `private`, or `public-and-private`"
+ type = string
+ default = "public-and-private"
+
+ validation {
+ error_message = "Service endpoints can only be `public`, `private`, or `public-and-private`."
+ condition = contains(["public", "private", "public-and-private"], var.service_endpoints)
+ }
+}
+
+##############################################################################
+
 ##############################################################################
 # Override JSON
 ##############################################################################
diff --git a/patterns/roks/override.json b/patterns/roks/override.json
index 6baa2f701..546996435 100644
--- a/patterns/roks/override.json
+++ b/patterns/roks/override.json
@@ -168,7 +168,7 @@
 }
 ],
 "security_groups": [],
- "service_endpoints": "private",
+ "service_endpoints": "public-and-private",
 "ssh_keys": [],
 "transit_gateway_connections": [
 "management",
diff --git a/patterns/vpc/module/config.tf b/patterns/vpc/module/config.tf
index 31c841499..b8d599ebf 100644
--- a/patterns/vpc/module/config.tf
+++ b/patterns/vpc/module/config.tf
@@ -185,7 +185,7 @@ locals {
 security_groups = lookup(local.override[local.override_type], "security_groups", local.config.security_groups)
 virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
 cos = lookup(local.override[local.override_type], "cos", local.config.object_storage)
- service_endpoints = lookup(local.override[local.override_type], "service_endpoints", "private")
+ service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
 add_kms_block_storage_s2s = lookup(local.override[local.override_type], "add_kms_block_storage_s2s", local.config.add_kms_block_storage_s2s)
 key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management)
 atracker = lookup(local.override[local.override_type], "atracker", local.config.atracker)
diff --git a/patterns/vpc/module/variables.tf b/patterns/vpc/module/variables.tf
index c027996d8..e81f79f9b 100644
--- a/patterns/vpc/module/variables.tf
+++ b/patterns/vpc/module/variables.tf
@@ -440,6 +440,22 @@ variable "add_kms_block_storage_s2s" {
 ##############################################################################
+##############################################################################
+# KMS and App ID variables
+##############################################################################
+variable "service_endpoints" {
+ description = "Service endpoints. Can be `public`, `private`, or `public-and-private`"
+ type = string
+ default = "public-and-private"
+
+ validation {
+ error_message = "Service endpoints can only be `public`, `private`, or `public-and-private`."
+ condition = contains(["public", "private", "public-and-private"], var.service_endpoints)
+ }
+}
+
+##############################################################################
+
 ##############################################################################
 # Override JSON
 ##############################################################################
diff --git a/patterns/vpc/override.json b/patterns/vpc/override.json
index 44707243e..39e39c56e 100644
--- a/patterns/vpc/override.json
+++ b/patterns/vpc/override.json
@@ -92,7 +92,7 @@
 }
 ],
 "security_groups": [],
- "service_endpoints": "private",
+ "service_endpoints": "public-and-private",
 "ssh_keys": [],
 "transit_gateway_connections": [
 "management",
diff --git a/patterns/vsi/module/config.tf b/patterns/vsi/module/config.tf
index 4a732f89c..7dbc1ffb5 100644
--- a/patterns/vsi/module/config.tf
+++ b/patterns/vsi/module/config.tf
@@ -220,7 +220,7 @@ locals {
 security_groups = lookup(local.override[local.override_type], "security_groups", local.config.security_groups)
 virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
 cos = lookup(local.override[local.override_type], "cos", local.config.object_storage)
- service_endpoints = lookup(local.override[local.override_type], "service_endpoints", "private")
+ service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
 add_kms_block_storage_s2s = lookup(local.override[local.override_type], "add_kms_block_storage_s2s", local.config.add_kms_block_storage_s2s)
 key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management)
 atracker = lookup(local.override[local.override_type], "atracker", local.config.atracker)
diff --git a/patterns/vsi/module/variables.tf b/patterns/vsi/module/variables.tf
index 3ddfe8bab..16fcbe31d 100644
--- a/patterns/vsi/module/variables.tf
+++ b/patterns/vsi/module/variables.tf
@@ -472,6 +472,22 @@ variable "add_kms_block_storage_s2s" {
 ##############################################################################
+##############################################################################
+# KMS and App ID variables
+##############################################################################
+variable "service_endpoints" {
+ description = "Service endpoints. Can be `public`, `private`, or `public-and-private`"
+ type = string
+ default = "public-and-private"
+
+ validation {
+ error_message = "Service endpoints can only be `public`, `private`, or `public-and-private`."
+ condition = contains(["public", "private", "public-and-private"], var.service_endpoints)
+ }
+}
+
+##############################################################################
+
 ##############################################################################
 # Override JSON
 ##############################################################################
diff --git a/patterns/vsi/override.json b/patterns/vsi/override.json
index e6d1ceba1..a3c76b056 100644
--- a/patterns/vsi/override.json
+++ b/patterns/vsi/override.json
@@ -92,7 +92,7 @@
 }
 ],
 "security_groups": [],
- "service_endpoints": "private",
+ "service_endpoints": "public-and-private",
 "ssh_keys": [
 {
 "name": "slz-ssh-key",
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 48afd77b1..f39a8a3c9 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -33,6 +33,9 @@ const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-resources.yaml"
 // Setting "add_atracker_route" to false for VPC and VSI tests to avoid hitting AT route quota, right now its 4 routes per account.
 const add_atracker_route = false
+// Setting "service_endpoints" to `private` to test support for 'private' service_endpoints (schematics have access to private network).
+const service_endpoints = "private"
+
 var sharedInfoSvc *cloudinfo.CloudInfoService
 var permanentResources map[string]interface{}
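Review bot: The `const service_endpoints = "private"` declared in the tests/pr_test.go hunk here is never referenced: each of the four hunks that follow (TestRunVSIQuickStartPatternSchematics, TestRunVSIPatternSchematics, TestRunRoksPatternSchematics, TestRunVPCPatternSchematics) passes the string literal instead, so the constant and its explanatory comment are dead and the value can drift from the comment without anyone noticing. Go does not reject an unused package-level constant, so this will compile silently. The sibling `add_atracker_route` entries in the same literals already use the constant, so the fix is to match that style: `{Name: "service_endpoints", Value: service_endpoints, DataType: "string"},` in all four places.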
@@ -305,6 +308,7 @@ func TestRunVSIQuickStartPatternSchematics(t *testing.T) {
 {Name: "region", Value: options.Region, DataType: "string"},
 {Name: "prefix", Value: options.Prefix, DataType: "string"},
 {Name: "ssh_key", Value: sshPublicKey(t), DataType: "string"},
+ {Name: "service_endpoints", Value: "private", DataType: "string"},
 }
 err := options.RunSchematicTest()
@@ -322,6 +326,7 @@ func TestRunVSIPatternSchematics(t *testing.T) {
 {Name: "prefix", Value: options.Prefix, DataType: "string"},
 {Name: "ssh_public_key", Value: sshPublicKey(t), DataType: "string"},
 {Name: "add_atracker_route", Value: add_atracker_route, DataType: "bool"},
+ {Name: "service_endpoints", Value: "private", DataType: "string"},
 }
 err := options.RunSchematicTest()
@@ -340,6 +345,7 @@ func TestRunRoksPatternSchematics(t *testing.T) {
 {Name: "region", Value: options.Region, DataType: "string"},
 {Name: "prefix", Value: options.Prefix, DataType: "string"},
 {Name: "tags", Value: options.Tags, DataType: "list(string)"},
+ {Name: "service_endpoints", Value: "private", DataType: "string"},
 }
 err := options.RunSchematicTest()
@@ -357,6 +363,7 @@ func TestRunVPCPatternSchematics(t *testing.T) {
 {Name: "prefix", Value: options.Prefix, DataType: "string"},
 {Name: "tags", Value: options.Tags, DataType: "list(string)"},
 {Name: "add_atracker_route", Value: add_atracker_route, DataType: "bool"},
+ {Name: "service_endpoints", Value: "private", DataType: "string"},
 }
 err := options.RunSchematicTest()
diff --git a/variables.tf b/variables.tf
index 941036c4c..ee12fc311 100644
--- a/variables.tf
+++ b/variables.tf
@@ -691,11 +691,10 @@ variable "cos" {
 # Service Instance Variables
 ##############################################################################
-# tflint-ignore: terraform_unused_declarations
 variable "service_endpoints" {
 description = "Service endpoints. Can be `public`, `private`, or `public-and-private`"
 type = string
- default = "private"
+ default = "public-and-private"
 validation {
 error_message = "Service endpoints can only be `public`, `private`, or `public-and-private`."