feat: added support to optionally pass an existing CBR zone ID in whi…

…ch all VPCs created will be added to (#745)

cbr.tf

@@ -0,0 +1,15 @@
+##############################################################################
+# Update existing CBR VPC network zone
+##############################################################################
+module "update_cbr_vpc_zone" {
+  source                = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
+  version               = "1.26.0"
+  count                 = var.existing_vpc_cbr_zone_id != null ? 1 : 0
+  use_existing_cbr_zone = true
+  existing_zone_id      = var.existing_vpc_cbr_zone_id
+  addresses = [
+    for network in module.vpc :
+    { "type" = "vpc",
+    value = network.vpc_crn }
+  ]
+}

examples/one-vpc-one-vsi/override.json

@@ -3,6 +3,7 @@
   "transit_gateway_global": false,
   "virtual_private_endpoints": [],
   "service_endpoints": "public-and-private",
+  "existing_vpc_cbr_zone_id" : null,
   "security_groups": [],
   "vpn_gateways": [],
   "atracker": {

examples/override-example/override.json

@@ -77,6 +77,7 @@
     }
   ],
   "service_endpoints": "public-and-private",
+  "existing_vpc_cbr_zone_id" : null,
   "security_groups": [],
   "vpn_gateways": [
     {

ibm_catalog.json

@@ -43,6 +43,10 @@
         {
           "description": "Provisions and manages SSH keys for the VSIs so that you can securely administer the instances.\n",
           "title": "Provisions SSH keys"
+        },
+        {
+          "description": "Configures existing CBR (Context-based restrictions) rules to allow traffic to flow only from the landing zone VPCs to specific cloud services.\n",
+          "title": "Configures CBR"
         }
       ],
       "flavors": [
@@ -475,6 +479,10 @@
               {
                 "title": "Uses floating IP addresses for access through the public internet",
                 "description": "No"
+              },
+              {
+                "description": "Configures existing CBR (Context-based restrictions) rules to allow traffic to flow only from the landing zone VPCs to specific cloud services.\n",
+                "title": "Configures CBR"
               }
             ],
             "diagrams": [
@@ -927,6 +935,10 @@
               {
                 "title": "Uses Floating IP address for access through the public internet",
                 "description": "No"
+              },
+              {
+                "description": "Configures existing CBR (Context-based restrictions) rules to allow traffic to flow only from the landing zone VPCs to specific cloud services.\n",
+                "title": "Configures CBR"
               }
             ],
             "diagrams": [
@@ -1435,6 +1447,10 @@
               {
                 "title": "Uses Floating IP address for access through the public internet",
                 "description": "No"
+              },
+              {
+                "description": "Configures existing CBR (Context-based restrictions) rules to allow traffic to flow only from the landing zone VPCs to specific cloud services.\n",
+                "title": "Configures CBR"
               }
             ],
             "diagrams": [

patterns/mixed/config.tf

@@ -257,6 +257,7 @@ locals {
     virtual_private_endpoints              = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
     cos                                    = lookup(local.override[local.override_type], "cos", local.config.object_storage)
     service_endpoints                      = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
+    existing_vpc_cbr_zone_id               = lookup(local.override[local.override_type], "existing_vpc_cbr_zone_id", var.existing_vpc_cbr_zone_id)
     skip_kms_block_storage_s2s_auth_policy = lookup(local.override[local.override_type], "skip_kms_block_storage_s2s_auth_policy", local.config.skip_kms_block_storage_s2s_auth_policy)
     skip_all_s2s_auth_policies             = lookup(local.override[local.override_type], "skip_all_s2s_auth_policies", local.config.skip_all_s2s_auth_policies)
     key_management                         = lookup(local.override[local.override_type], "key_management", local.config.key_management)

patterns/mixed/main.tf

@@ -34,6 +34,7 @@ module "landing_zone" {
   virtual_private_endpoints              = local.env.virtual_private_endpoints
   cos                                    = local.env.cos
   service_endpoints                      = local.env.service_endpoints
+  existing_vpc_cbr_zone_id               = local.env.existing_vpc_cbr_zone_id
   key_management                         = local.env.key_management
   skip_kms_block_storage_s2s_auth_policy = local.env.skip_kms_block_storage_s2s_auth_policy
   skip_all_s2s_auth_policies             = local.env.skip_all_s2s_auth_policies

patterns/mixed/override.json

@@ -162,6 +162,7 @@
         "resource_group": "slz-service-rg",
         "use_hs_crypto": false,
         "service_endpoints": "public-and-private"
+
     },
     "resource_groups": [
         {
@@ -179,6 +180,7 @@
     ],
     "security_groups": [],
     "service_endpoints": "public-and-private",
+    "existing_vpc_cbr_zone_id" : null,
     "ssh_keys": [
         {
             "name": "slz-ssh-key",

patterns/mixed/variables.tf

@@ -592,3 +592,15 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" {
 }
 
 ##############################################################################
+
+
+##############################################################################
+# CBR variables
+##############################################################################
+variable "existing_vpc_cbr_zone_id" {
+  type        = string
+  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
+  default     = null
+}
+
+##############################################################################

patterns/roks/main.tf

@@ -105,6 +105,7 @@ module "roks_landing_zone" {
   teleport_management_zones              = var.teleport_management_zones
   IC_SCHEMATICS_WORKSPACE_ID             = var.IC_SCHEMATICS_WORKSPACE_ID
   kms_wait_for_apply                     = var.kms_wait_for_apply
+  existing_vpc_cbr_zone_id               = var.existing_vpc_cbr_zone_id
 }
 
 moved {

patterns/roks/module/config.tf

@@ -244,6 +244,7 @@ locals {
     virtual_private_endpoints              = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
     cos                                    = lookup(local.override[local.override_type], "cos", local.config.object_storage)
     service_endpoints                      = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
+    existing_vpc_cbr_zone_id               = lookup(local.override[local.override_type], "existing_vpc_cbr_zone_id", var.existing_vpc_cbr_zone_id)
     skip_kms_block_storage_s2s_auth_policy = lookup(local.override[local.override_type], "skip_kms_block_storage_s2s_auth_policy", local.config.skip_kms_block_storage_s2s_auth_policy)
     skip_all_s2s_auth_policies             = lookup(local.override[local.override_type], "skip_all_s2s_auth_policies", local.config.skip_all_s2s_auth_policies)
     key_management                         = lookup(local.override[local.override_type], "key_management", local.config.key_management)

patterns/roks/module/main.tf

@@ -21,6 +21,7 @@ module "landing_zone" {
   virtual_private_endpoints              = local.env.virtual_private_endpoints
   cos                                    = local.env.cos
   service_endpoints                      = local.env.service_endpoints
+  existing_vpc_cbr_zone_id               = local.env.existing_vpc_cbr_zone_id
   key_management                         = local.env.key_management
   skip_kms_block_storage_s2s_auth_policy = local.env.skip_kms_block_storage_s2s_auth_policy
   skip_all_s2s_auth_policies             = local.env.skip_all_s2s_auth_policies

patterns/roks/module/variables.tf

@@ -682,3 +682,14 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" {
 }
 
 ##############################################################################
+
+##############################################################################
+# CBR variables
+##############################################################################
+variable "existing_vpc_cbr_zone_id" {
+  type        = string
+  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
+  default     = null
+}
+
+##############################################################################

patterns/roks/outputs.tf

@@ -193,4 +193,4 @@ output "schematics_workspace_id" {
   description = "ID of the IBM Cloud Schematics workspace. Returns null if not ran in Schematics"
   value       = var.IC_SCHEMATICS_WORKSPACE_ID
 }
-##############################################################################
+#############################################################################

patterns/roks/override.json

@@ -220,6 +220,7 @@
     ],
     "security_groups": [],
     "service_endpoints": "public-and-private",
+    "existing_vpc_cbr_zone_id" : null,
     "ssh_keys": [],
     "transit_gateway_connections": [
         "management",

patterns/roks/variables.tf

@@ -669,3 +669,14 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" {
 }
 
 ##############################################################################
+
+##############################################################################
+# CBR variables
+##############################################################################
+variable "existing_vpc_cbr_zone_id" {
+  type        = string
+  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
+  default     = null
+}
+
+##############################################################################

patterns/vpc/main.tf

@@ -81,6 +81,7 @@ module "vpc_landing_zone" {
   tmos_admin_password                    = var.tmos_admin_password
   license_type                           = var.license_type
   teleport_management_zones              = var.teleport_management_zones
+  existing_vpc_cbr_zone_id               = var.existing_vpc_cbr_zone_id
 }
 
 moved {

patterns/vpc/module/config.tf

@@ -187,6 +187,7 @@ locals {
     virtual_private_endpoints              = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
     cos                                    = lookup(local.override[local.override_type], "cos", local.config.object_storage)
     service_endpoints                      = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
+    existing_vpc_cbr_zone_id               = lookup(local.override[local.override_type], "existing_vpc_cbr_zone_id", var.existing_vpc_cbr_zone_id)
     skip_kms_block_storage_s2s_auth_policy = lookup(local.override[local.override_type], "skip_kms_block_storage_s2s_auth_policy", local.config.skip_kms_block_storage_s2s_auth_policy)
     skip_all_s2s_auth_policies             = lookup(local.override[local.override_type], "skip_all_s2s_auth_policies", local.config.skip_all_s2s_auth_policies)
     key_management                         = lookup(local.override[local.override_type], "key_management", local.config.key_management)

patterns/vpc/module/main.tf

@@ -21,6 +21,7 @@ module "landing_zone" {
   virtual_private_endpoints              = local.env.virtual_private_endpoints
   cos                                    = local.env.cos
   service_endpoints                      = local.env.service_endpoints
+  existing_vpc_cbr_zone_id               = local.env.existing_vpc_cbr_zone_id
   key_management                         = local.env.key_management
   skip_kms_block_storage_s2s_auth_policy = local.env.skip_kms_block_storage_s2s_auth_policy
   skip_all_s2s_auth_policies             = local.env.skip_all_s2s_auth_policies

patterns/vpc/module/variables.tf

@@ -498,3 +498,14 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" {
 }
 
 ##############################################################################
+
+##############################################################################
+# CBR variables
+##############################################################################
+variable "existing_vpc_cbr_zone_id" {
+  type        = string
+  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
+  default     = null
+}
+
+##############################################################################

patterns/vpc/override.json

@@ -139,6 +139,7 @@
     ],
     "security_groups": [],
     "service_endpoints": "public-and-private",
+    "existing_vpc_cbr_zone_id" : null,
     "ssh_keys": [],
     "transit_gateway_connections": [
         "management",

patterns/vpc/variables.tf

@@ -481,3 +481,14 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" {
 }
 
 ##############################################################################
+
+##############################################################################
+# CBR variables
+##############################################################################
+variable "existing_vpc_cbr_zone_id" {
+  type        = string
+  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
+  default     = null
+}
+
+##############################################################################

patterns/vsi/main.tf

@@ -86,6 +86,7 @@ module "vsi_landing_zone" {
   override                               = var.override
   override_json_string                   = var.override_json_string
   override_json_path                     = local.override_json_path
+  existing_vpc_cbr_zone_id               = var.existing_vpc_cbr_zone_id
 }
 
 moved {

patterns/vsi/module/config.tf

@@ -222,6 +222,7 @@ locals {
     virtual_private_endpoints              = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
     cos                                    = lookup(local.override[local.override_type], "cos", local.config.object_storage)
     service_endpoints                      = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
+    existing_vpc_cbr_zone_id               = lookup(local.override[local.override_type], "existing_vpc_cbr_zone_id", var.existing_vpc_cbr_zone_id)
     skip_kms_block_storage_s2s_auth_policy = lookup(local.override[local.override_type], "skip_kms_block_storage_s2s_auth_policy", local.config.skip_kms_block_storage_s2s_auth_policy)
     skip_all_s2s_auth_policies             = lookup(local.override[local.override_type], "skip_all_s2s_auth_policies", local.config.skip_all_s2s_auth_policies)
     key_management                         = lookup(local.override[local.override_type], "key_management", local.config.key_management)

patterns/vsi/module/main.tf

@@ -21,6 +21,7 @@ module "landing_zone" {
   virtual_private_endpoints              = local.env.virtual_private_endpoints
   cos                                    = local.env.cos
   service_endpoints                      = local.env.service_endpoints
+  existing_vpc_cbr_zone_id               = local.env.existing_vpc_cbr_zone_id
   key_management                         = local.env.key_management
   skip_kms_block_storage_s2s_auth_policy = local.env.skip_kms_block_storage_s2s_auth_policy
   skip_all_s2s_auth_policies             = local.env.skip_all_s2s_auth_policies

patterns/vsi/module/variables.tf

@@ -530,3 +530,15 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" {
 }
 
 ##############################################################################
+
+##############################################################################
+# CBR variables
+##############################################################################
+
+variable "existing_vpc_cbr_zone_id" {
+  type        = string
+  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
+  default     = null
+}
+
+##############################################################################

patterns/vsi/outputs.tf

@@ -138,5 +138,3 @@ output "config" {
   description = "Output configuration as encoded JSON"
   value       = module.vsi_landing_zone.config
 }
-
-##############################################################################

patterns/vsi/override.json

@@ -139,6 +139,7 @@
     ],
     "security_groups": [],
     "service_endpoints": "public-and-private",
+    "existing_vpc_cbr_zone_id" : null,
     "ssh_keys": [
         {
             "name": "slz-ssh-key",

patterns/vsi/variables.tf

@@ -514,3 +514,15 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" {
 }
 
 ##############################################################################
+
+##############################################################################
+# CBR variables
+##############################################################################
+
+variable "existing_vpc_cbr_zone_id" {
+  type        = string
+  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
+  default     = null
+}
+
+##############################################################################

variables.tf

@@ -1334,3 +1334,14 @@ variable "skip_all_s2s_auth_policies" {
 }
 
 ##############################################################################
+
+##############################################################################
+# CBR variables
+##############################################################################
+variable "existing_vpc_cbr_zone_id" {
+  type        = string
+  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
+  default     = null
+}
+
+##############################################################################

version.tf

@@ -8,7 +8,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = ">= 1.67.0, < 2.0.0"
+      version = ">= 1.68.1, < 2.0.0"
     }
     random = {
       source  = "hashicorp/random"