From b576712110dfcb9be5cd07b38210bc673246b679 Mon Sep 17 00:00:00 2001 From: Akash Kumar Date: Thu, 19 Sep 2024 13:57:14 +0530 Subject: [PATCH] feat: added support to optionally pass an existing CBR zone ID in which all VPCs created will be added to (#745) --- README.md | 5 ++++- cbr.tf | 15 +++++++++++++++ examples/one-vpc-one-vsi/override.json | 1 + examples/override-example/override.json | 1 + ibm_catalog.json | 16 ++++++++++++++++ patterns/mixed/config.tf | 1 + patterns/mixed/main.tf | 1 + patterns/mixed/override.json | 2 ++ patterns/mixed/variables.tf | 12 ++++++++++++ patterns/roks/main.tf | 1 + patterns/roks/module/config.tf | 1 + patterns/roks/module/main.tf | 1 + patterns/roks/module/variables.tf | 11 +++++++++++ patterns/roks/outputs.tf | 2 +- patterns/roks/override.json | 1 + patterns/roks/variables.tf | 11 +++++++++++ patterns/vpc/main.tf | 1 + patterns/vpc/module/config.tf | 1 + patterns/vpc/module/main.tf | 1 + patterns/vpc/module/variables.tf | 11 +++++++++++ patterns/vpc/override.json | 1 + patterns/vpc/variables.tf | 11 +++++++++++ patterns/vsi/main.tf | 1 + patterns/vsi/module/config.tf | 1 + patterns/vsi/module/main.tf | 1 + patterns/vsi/module/variables.tf | 12 ++++++++++++ patterns/vsi/outputs.tf | 2 -- patterns/vsi/override.json | 1 + patterns/vsi/variables.tf | 12 ++++++++++++ variables.tf | 11 +++++++++++ version.tf | 2 +- 31 files changed, 146 insertions(+), 5 deletions(-) create mode 100644 cbr.tf diff --git a/README.md b/README.md index 5ed8aebe1..bf6b055cc 100644 --- a/README.md +++ b/README.md 
@@ -26,6 +26,7 @@ Each pattern creates the following infrastructure on the VPC: - The virtual server (VSI) pattern deploys identical virtual servers across the VSI subnet tier in each VPC - The Red Hat OpenShift Kubernetes (ROKS) pattern deploys identical clusters across the VSI subnet tier in each VPC - The mixed pattern provisions both of these elements +- Landing zone VPC CRNs can be added to an existing CBR (Context-based restrictions) network zone if the existing CBR zone ID is specified. For more information about the default configuration, see [Default Secure Landing Zone configuration](.docs/pattern-defaults.md). @@ -842,7 +843,7 @@ module "cluster_pattern" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.3 | -| [ibm](#requirement\_ibm) | >= 1.67.0, < 2.0.0 | +| [ibm](#requirement\_ibm) | >= 1.68.1, < 2.0.0 | | [random](#requirement\_random) | >= 3.4.3, < 4.0.0 | | [time](#requirement\_time) | >= 0.9.1, < 1.0.0 | @@ -857,6 +858,7 @@ module "cluster_pattern" { | [placement\_group\_map](#module\_placement\_group\_map) | ./dynamic_values/config_modules/list_to_map | n/a | | [ssh\_keys](#module\_ssh\_keys) | ./ssh_key | n/a | | [teleport\_config](#module\_teleport\_config) | ./teleport_config | n/a | +| [update\_cbr\_vpc\_zone](#module\_update\_cbr\_vpc\_zone) | terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module | 1.26.0 | | [vpc](#module\_vpc) | terraform-ibm-modules/landing-zone-vpc/ibm | 7.19.0 | | [vsi](#module\_vsi) | terraform-ibm-modules/landing-zone-vsi/ibm | 3.3.0 | @@ -911,6 +913,7 @@ module "cluster_pattern" { | [clusters](#input\_clusters) | A list describing clusters workloads to create |
list(
object({
name = string # Name of Cluster
vpc_name = string # Name of VPC
subnet_names = list(string) # List of vpc subnets for cluster
workers_per_subnet = number # Worker nodes per subnet.
machine_type = string # Worker node flavor
kube_type = string # iks or openshift
kube_version = optional(string) # Can be a version from `ibmcloud ks versions` or `default`
entitlement = optional(string) # entitlement option for openshift
secondary_storage = optional(string) # Secondary storage type
pod_subnet = optional(string) # Portable subnet for pods
service_subnet = optional(string) # Portable subnet for services
resource_group = string # Resource Group used for cluster
cos_name = optional(string) # Name of COS instance Required only for OpenShift clusters
access_tags = optional(list(string), [])
boot_volume_crk_name = optional(string) # Boot volume encryption key name
disable_public_endpoint = optional(bool, true) # disable cluster public, leaving only private endpoint
disable_outbound_traffic_protection = optional(bool, false) # public outbound access from the cluster workers
cluster_force_delete_storage = optional(bool, false) # force the removal of persistent storage associated with the cluster during cluster deletion
operating_system = optional(string, null) #The operating system of the workers in the default worker pool. If no value is specified, the current default version OS will be used. See https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_versions#openshift_versions_available .
kms_wait_for_apply = optional(bool, true) # make terraform wait until KMS is applied to master and it is ready and deployed
addons = optional(object({ # Map of OCP cluster add-on versions to install
debug-tool = optional(string)
image-key-synchronizer = optional(string)
openshift-data-foundation = optional(string)
vpc-file-csi-driver = optional(string)
static-route = optional(string)
cluster-autoscaler = optional(string)
vpc-block-csi-driver = optional(string)
ibm-storage-operator = optional(string)
}), {})
manage_all_addons = optional(bool, false) # Instructs Terraform to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this module will destroy any addons that were installed by other sources.
kms_config = optional(
object({
crk_name = string # Name of key
private_endpoint = optional(bool) # Private endpoint
})
)

worker_pools = optional(
list(
object({
name = string # Worker pool name
vpc_name = string # VPC name
workers_per_subnet = number # Worker nodes per subnet
flavor = string # Worker node flavor
subnet_names = list(string) # List of vpc subnets for worker pool
entitlement = optional(string) # entitlement option for openshift
secondary_storage = optional(string) # Secondary storage type
boot_volume_crk_name = optional(string) # Boot volume encryption key name
operating_system = optional(string) # The operating system of the workers in the default worker pool. If no value is specified, the current default version OS will be used. See https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_versions#openshift_versions_available .
})
)
)
})
)
| n/a | yes | | [cos](#input\_cos) | Object describing the cloud object storage instance, buckets, and keys. Set `use_data` to false to create instance |
list(
object({
name = string
use_data = optional(bool)
resource_group = string
plan = optional(string)
random_suffix = optional(bool) # Use a random suffix for COS instance
access_tags = optional(list(string), [])
skip_kms_s2s_auth_policy = optional(bool, false) # skip auth policy between this instance and kms instance, useful if existing resources are used
skip_flowlogs_s2s_auth_policy = optional(bool, false) # skip auth policy between flow logs service and this instance, set to true if this policy is already in place on account
skip_atracker_s2s_auth_policy = optional(bool, false) # skip auth policyt between atracker service and this instance, set to true if this is existing recipient of atracker already
buckets = list(object({
name = string
storage_class = string
endpoint_type = string
force_delete = bool
single_site_location = optional(string)
region_location = optional(string)
cross_region_location = optional(string)
kms_key = optional(string)
access_tags = optional(list(string), [])
allowed_ip = optional(list(string), [])
hard_quota = optional(number)
archive_rule = optional(object({
days = number
enable = bool
rule_id = optional(string)
type = string
}))
expire_rule = optional(object({
days = optional(number)
date = optional(string)
enable = bool
expired_object_delete_marker = optional(string)
prefix = optional(string)
rule_id = optional(string)
}))
activity_tracking = optional(object({
activity_tracker_crn = string
read_data_events = bool
write_data_events = bool
management_events = bool
}))
metrics_monitoring = optional(object({
metrics_monitoring_crn = string
request_metrics_enabled = optional(bool)
usage_metrics_enabled = optional(bool)
}))
}))
keys = optional(
list(object({
name = string
role = string
enable_HMAC = bool
}))
)

})
)
| n/a | yes | | [enable\_transit\_gateway](#input\_enable\_transit\_gateway) | Create transit gateway | `bool` | `true` | no | +| [existing\_vpc\_cbr\_zone\_id](#input\_existing\_vpc\_cbr\_zone\_id) | ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services. | `string` | `null` | no | | [f5\_template\_data](#input\_f5\_template\_data) | Data for all f5 templates |
object({
tmos_admin_password = optional(string)
license_type = optional(string)
byol_license_basekey = optional(string)
license_host = optional(string)
license_username = optional(string)
license_password = optional(string)
license_pool = optional(string)
license_sku_keyword_1 = optional(string)
license_sku_keyword_2 = optional(string)
license_unit_of_measure = optional(string)
do_declaration_url = optional(string)
as3_declaration_url = optional(string)
ts_declaration_url = optional(string)
phone_home_url = optional(string)
template_source = optional(string)
template_version = optional(string)
app_id = optional(string)
tgactive_url = optional(string)
tgstandby_url = optional(string)
tgrefresh_url = optional(string)
})
|
{
"license_type": "none"
}
| no | | [f5\_vsi](#input\_f5\_vsi) | A list describing F5 VSI workloads to create |
list(
object({
name = string
vpc_name = string
primary_subnet_name = string
secondary_subnet_names = list(string)
secondary_subnet_security_group_names = list(
object({
group_name = string
interface_name = string
})
)
ssh_keys = list(string)
f5_image_name = string
machine_type = string
resource_group = optional(string)
enable_management_floating_ip = optional(bool)
enable_external_floating_ip = optional(bool)
security_groups = optional(list(string))
boot_volume_encryption_key_name = optional(string)
hostname = string
domain = string
access_tags = optional(list(string), [])
security_group = optional(
object({
name = string
rules = list(
object({
name = string
direction = string
source = string
tcp = optional(
object({
port_max = number
port_min = number
})
)
udp = optional(
object({
port_max = number
port_min = number
})
)
icmp = optional(
object({
type = number
code = number
})
)
})
)
})
)
block_storage_volumes = optional(list(
object({
name = string
profile = string
capacity = optional(number)
iops = optional(number)
encryption_key = optional(string)
})
))
load_balancers = optional(list(
object({
name = string
type = string
listener_port = number
listener_protocol = string
connection_limit = number
algorithm = string
protocol = string
health_delay = number
health_retries = number
health_timeout = number
health_type = string
pool_member_port = string
idle_connection_timeout = optional(number)
security_group = optional(
object({
name = string
rules = list(
object({
name = string
direction = string
source = string
tcp = optional(
object({
port_max = number
port_min = number
})
)
udp = optional(
object({
port_max = number
port_min = number
})
)
icmp = optional(
object({
type = number
code = number
})
)
})
)
})
)
})
))
})
)
| `[]` | no | | [key\_management](#input\_key\_management) | Key Protect instance variables |
object({
name = optional(string)
resource_group = optional(string)
use_data = optional(bool)
use_hs_crypto = optional(bool)
access_tags = optional(list(string), [])
service_endpoints = optional(string, "public-and-private")
keys = optional(
list(
object({
name = string
root_key = optional(bool)
payload = optional(string)
key_ring = optional(string) # Any key_ring added will be created
force_delete = optional(bool)
existing_key_crn = optional(string) # CRN of an existing key in the same or different account.
endpoint = optional(string) # can be public or private
iv_value = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
encrypted_nonce = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
policies = optional(
object({
rotation = optional(
object({
interval_month = number
})
)
dual_auth_delete = optional(
object({
enabled = bool
})
)
})
)
})
)
)
})
| n/a | yes | diff --git a/cbr.tf b/cbr.tf new file mode 100644 index 000000000..aa8404309 --- /dev/null +++ b/cbr.tf @@ -0,0 +1,15 @@ +############################################################################## +# Update existing CBR VPC network zone +############################################################################## +module "update_cbr_vpc_zone" { + source = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module" + version = "1.26.0" + count = var.existing_vpc_cbr_zone_id != null ? 1 : 0 + use_existing_cbr_zone = true + existing_zone_id = var.existing_vpc_cbr_zone_id + addresses = [ + for network in module.vpc : + { "type" = "vpc", + value = network.vpc_crn } + ] +} diff --git a/examples/one-vpc-one-vsi/override.json b/examples/one-vpc-one-vsi/override.json index 5a28a82df..a1c1e736c 100644 --- a/examples/one-vpc-one-vsi/override.json +++ b/examples/one-vpc-one-vsi/override.json @@ -3,6 +3,7 @@ "transit_gateway_global": false, "virtual_private_endpoints": [], "service_endpoints": "public-and-private", + "existing_vpc_cbr_zone_id" : null, "security_groups": [], "vpn_gateways": [], "atracker": { diff --git a/examples/override-example/override.json b/examples/override-example/override.json index 56871316a..ef49db38e 100644 --- a/examples/override-example/override.json +++ b/examples/override-example/override.json @@ -77,6 +77,7 @@ } ], "service_endpoints": "public-and-private", + "existing_vpc_cbr_zone_id" : null, "security_groups": [], "vpn_gateways": [ { diff --git a/ibm_catalog.json b/ibm_catalog.json index b9072e970..93116d241 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json 
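Review bot: The `count` guard in the new `update_cbr_vpc_zone` module, `var.existing_vpc_cbr_zone_id != null ? 1 : 0`, still instantiates the module when the variable is an empty string, so `existing_zone_id = ""` reaches the cbr-zone-module and fails at plan or apply instead of being skipped. Tightening the guard to `count = var.existing_vpc_cbr_zone_id != null && var.existing_vpc_cbr_zone_id != "" ? 1 : 0` (or validating the variable at its declaration) would make an empty-string override a no-op or an early, clear error. The header comment only says the zone is updated; whether the module appends the VPC CRNs to the zone's existing address list or replaces it is not visible here, and since the zone is an access-control boundary consumed by an existing rule, a comment stating the confirmed behaviour would help, e.g. `# NOTE: confirm whether this replaces or extends the zone's existing address list`. Relatedly, the ibm_catalog.json entries added in this commit say the pattern "configures existing CBR rules", while the only CBR change visible is this zone address update; the rule referencing the zone is presumably pre-existing, so the catalog and variable wording should describe the zone update rather than rule configuration.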
@@ -43,6 +43,10 @@ { "description": "Provisions and manages SSH keys for the VSIs so that you can securely administer the instances.\n", "title": "Provisions SSH keys" + }, + { + "description": "Configures existing CBR (Context-based restrictions) rules to allow traffic to flow only from the landing zone VPCs to specific cloud services.\n", + "title": "Configures CBR" } ], "flavors": [ @@ -475,6 +479,10 @@ { "title": "Uses floating IP addresses for access through the public internet", "description": "No" + }, + { + "description": "Configures existing CBR (Context-based restrictions) rules to allow traffic to flow only from the landing zone VPCs to specific cloud services.\n", + "title": "Configures CBR" } ], "diagrams": [ @@ -927,6 +935,10 @@ { "title": "Uses Floating IP address for access through the public internet", "description": "No" + }, + { + "description": "Configures existing CBR (Context-based restrictions) rules to allow traffic to flow only from the landing zone VPCs to specific cloud services.\n", + "title": "Configures CBR" } ], "diagrams": [ @@ -1435,6 +1447,10 @@ { "title": "Uses Floating IP address for access through the public internet", "description": "No" + }, + { + "description": "Configures existing CBR (Context-based restrictions) rules to allow traffic to flow only from the landing zone VPCs to specific cloud services.\n", + "title": "Configures CBR" } ], "diagrams": [ diff --git a/patterns/mixed/config.tf b/patterns/mixed/config.tf index 9601b39a1..8b65a95e8 100644 --- a/patterns/mixed/config.tf +++ b/patterns/mixed/config.tf 
@@ -257,6 +257,7 @@ locals { virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints) cos = lookup(local.override[local.override_type], "cos", local.config.object_storage) service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints) + existing_vpc_cbr_zone_id = lookup(local.override[local.override_type], "existing_vpc_cbr_zone_id", var.existing_vpc_cbr_zone_id) skip_kms_block_storage_s2s_auth_policy = lookup(local.override[local.override_type], "skip_kms_block_storage_s2s_auth_policy", local.config.skip_kms_block_storage_s2s_auth_policy) skip_all_s2s_auth_policies = lookup(local.override[local.override_type], "skip_all_s2s_auth_policies", local.config.skip_all_s2s_auth_policies) key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management) diff --git a/patterns/mixed/main.tf b/patterns/mixed/main.tf index e2fba9099..19db25af0 100644 --- a/patterns/mixed/main.tf +++ b/patterns/mixed/main.tf @@ -34,6 +34,7 @@ module "landing_zone" { virtual_private_endpoints = local.env.virtual_private_endpoints cos = local.env.cos service_endpoints = local.env.service_endpoints + existing_vpc_cbr_zone_id = local.env.existing_vpc_cbr_zone_id key_management = local.env.key_management skip_kms_block_storage_s2s_auth_policy = local.env.skip_kms_block_storage_s2s_auth_policy skip_all_s2s_auth_policies = local.env.skip_all_s2s_auth_policies diff --git a/patterns/mixed/override.json b/patterns/mixed/override.json index 7139628ce..0cfe810a4 100644 --- a/patterns/mixed/override.json +++ b/patterns/mixed/override.json @@ -162,6 +162,7 @@ "resource_group": "slz-service-rg", "use_hs_crypto": false, "service_endpoints": "public-and-private" + }, "resource_groups": [ { 
@@ -179,6 +180,7 @@ ], "security_groups": [], "service_endpoints": "public-and-private", + "existing_vpc_cbr_zone_id" : null, "ssh_keys": [ { "name": "slz-ssh-key", diff --git a/patterns/mixed/variables.tf b/patterns/mixed/variables.tf index 619536e72..5cf7d62c9 100644 --- a/patterns/mixed/variables.tf +++ b/patterns/mixed/variables.tf @@ -592,3 +592,15 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" { } ############################################################################## + + +############################################################################## +# CBR variables +############################################################################## +variable "existing_vpc_cbr_zone_id" { + type = string + description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services." + default = null +} + +############################################################################## diff --git a/patterns/roks/main.tf b/patterns/roks/main.tf index eba03ac37..45c9c344b 100644 --- a/patterns/roks/main.tf +++ b/patterns/roks/main.tf @@ -105,6 +105,7 @@ module "roks_landing_zone" { teleport_management_zones = var.teleport_management_zones IC_SCHEMATICS_WORKSPACE_ID = var.IC_SCHEMATICS_WORKSPACE_ID kms_wait_for_apply = var.kms_wait_for_apply + existing_vpc_cbr_zone_id = var.existing_vpc_cbr_zone_id } moved { diff --git a/patterns/roks/module/config.tf b/patterns/roks/module/config.tf index 6f436d5ae..8e0ee5cff 100644 --- a/patterns/roks/module/config.tf +++ b/patterns/roks/module/config.tf 
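Review bot: `variable "existing_vpc_cbr_zone_id"` in patterns/mixed/variables.tf is declared with `type = string`, `default = null` and no `validation` block, so an empty string is accepted and passed down unchanged to the root module, where it is non-null and therefore enables the CBR zone update. A validation block that rejects empty or whitespace-only values fails at plan time with a clear message instead of a provider error later. The same declaration is repeated without validation in patterns/roks/variables.tf, patterns/roks/module/variables.tf, patterns/vpc/variables.tf, patterns/vpc/module/variables.tf, patterns/vsi/variables.tf, patterns/vsi/module/variables.tf and the root variables.tf; the block below applies to each.
```hcl
variable "existing_vpc_cbr_zone_id" {
  # … unchanged: type, description, default …
  validation {
    condition     = var.existing_vpc_cbr_zone_id == null ? true : trimspace(var.existing_vpc_cbr_zone_id) != ""
    error_message = "existing_vpc_cbr_zone_id must be null or a non-empty CBR network zone ID."
  }
}
```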
@@ -244,6 +244,7 @@ locals { virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints) cos = lookup(local.override[local.override_type], "cos", local.config.object_storage) service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints) + existing_vpc_cbr_zone_id = lookup(local.override[local.override_type], "existing_vpc_cbr_zone_id", var.existing_vpc_cbr_zone_id) skip_kms_block_storage_s2s_auth_policy = lookup(local.override[local.override_type], "skip_kms_block_storage_s2s_auth_policy", local.config.skip_kms_block_storage_s2s_auth_policy) skip_all_s2s_auth_policies = lookup(local.override[local.override_type], "skip_all_s2s_auth_policies", local.config.skip_all_s2s_auth_policies) key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management) diff --git a/patterns/roks/module/main.tf b/patterns/roks/module/main.tf index 0c0a2dc07..1d6030a7e 100644 --- a/patterns/roks/module/main.tf +++ b/patterns/roks/module/main.tf @@ -21,6 +21,7 @@ module "landing_zone" { virtual_private_endpoints = local.env.virtual_private_endpoints cos = local.env.cos service_endpoints = local.env.service_endpoints + existing_vpc_cbr_zone_id = local.env.existing_vpc_cbr_zone_id key_management = local.env.key_management skip_kms_block_storage_s2s_auth_policy = local.env.skip_kms_block_storage_s2s_auth_policy skip_all_s2s_auth_policies = local.env.skip_all_s2s_auth_policies diff --git a/patterns/roks/module/variables.tf b/patterns/roks/module/variables.tf index f7da01a4e..7935dea80 100644 --- a/patterns/roks/module/variables.tf +++ b/patterns/roks/module/variables.tf 
@@ -682,3 +682,14 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" { } ############################################################################## + +############################################################################## +# CBR variables +############################################################################## +variable "existing_vpc_cbr_zone_id" { + type = string + description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services." + default = null +} + +############################################################################## diff --git a/patterns/roks/outputs.tf b/patterns/roks/outputs.tf index fa514ec08..a7a077e02 100644 --- a/patterns/roks/outputs.tf +++ b/patterns/roks/outputs.tf @@ -193,4 +193,4 @@ output "schematics_workspace_id" { description = "ID of the IBM Cloud Schematics workspace. Returns null if not ran in Schematics" value = var.IC_SCHEMATICS_WORKSPACE_ID } -############################################################################## +############################################################################# diff --git a/patterns/roks/override.json b/patterns/roks/override.json index 52eedfb53..52cd9e562 100644 --- a/patterns/roks/override.json +++ b/patterns/roks/override.json @@ -220,6 +220,7 @@ ], "security_groups": [], "service_endpoints": "public-and-private", + "existing_vpc_cbr_zone_id" : null, "ssh_keys": [], "transit_gateway_connections": [ "management", diff --git a/patterns/roks/variables.tf b/patterns/roks/variables.tf index 1a4a4f77c..6ca56793f 100644 --- a/patterns/roks/variables.tf +++ b/patterns/roks/variables.tf 
@@ -669,3 +669,14 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" { } ############################################################################## + +############################################################################## +# CBR variables +############################################################################## +variable "existing_vpc_cbr_zone_id" { + type = string + description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services." + default = null +} + +############################################################################## diff --git a/patterns/vpc/main.tf b/patterns/vpc/main.tf index 379e7eec7..fc0426da1 100644 --- a/patterns/vpc/main.tf +++ b/patterns/vpc/main.tf @@ -81,6 +81,7 @@ module "vpc_landing_zone" { tmos_admin_password = var.tmos_admin_password license_type = var.license_type teleport_management_zones = var.teleport_management_zones + existing_vpc_cbr_zone_id = var.existing_vpc_cbr_zone_id } moved { diff --git a/patterns/vpc/module/config.tf b/patterns/vpc/module/config.tf index c60f52396..c68b16253 100644 --- a/patterns/vpc/module/config.tf +++ b/patterns/vpc/module/config.tf 
@@ -187,6 +187,7 @@ locals { virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints) cos = lookup(local.override[local.override_type], "cos", local.config.object_storage) service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints) + existing_vpc_cbr_zone_id = lookup(local.override[local.override_type], "existing_vpc_cbr_zone_id", var.existing_vpc_cbr_zone_id) skip_kms_block_storage_s2s_auth_policy = lookup(local.override[local.override_type], "skip_kms_block_storage_s2s_auth_policy", local.config.skip_kms_block_storage_s2s_auth_policy) skip_all_s2s_auth_policies = lookup(local.override[local.override_type], "skip_all_s2s_auth_policies", local.config.skip_all_s2s_auth_policies) key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management) diff --git a/patterns/vpc/module/main.tf b/patterns/vpc/module/main.tf index 0c0a2dc07..1d6030a7e 100644 --- a/patterns/vpc/module/main.tf +++ b/patterns/vpc/module/main.tf @@ -21,6 +21,7 @@ module "landing_zone" { virtual_private_endpoints = local.env.virtual_private_endpoints cos = local.env.cos service_endpoints = local.env.service_endpoints + existing_vpc_cbr_zone_id = local.env.existing_vpc_cbr_zone_id key_management = local.env.key_management skip_kms_block_storage_s2s_auth_policy = local.env.skip_kms_block_storage_s2s_auth_policy skip_all_s2s_auth_policies = local.env.skip_all_s2s_auth_policies diff --git a/patterns/vpc/module/variables.tf b/patterns/vpc/module/variables.tf index 0daa4abfb..ad440af92 100644 --- a/patterns/vpc/module/variables.tf +++ b/patterns/vpc/module/variables.tf 
@@ -498,3 +498,14 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" { } ############################################################################## + +############################################################################## +# CBR variables +############################################################################## +variable "existing_vpc_cbr_zone_id" { + type = string + description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services." + default = null +} + +############################################################################## diff --git a/patterns/vpc/override.json b/patterns/vpc/override.json index 8edee9637..978ee7a48 100644 --- a/patterns/vpc/override.json +++ b/patterns/vpc/override.json @@ -139,6 +139,7 @@ ], "security_groups": [], "service_endpoints": "public-and-private", + "existing_vpc_cbr_zone_id" : null, "ssh_keys": [], "transit_gateway_connections": [ "management", diff --git a/patterns/vpc/variables.tf b/patterns/vpc/variables.tf index 3a25590bb..b8ab41711 100644 --- a/patterns/vpc/variables.tf +++ b/patterns/vpc/variables.tf @@ -481,3 +481,14 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" { } ############################################################################## + +############################################################################## +# CBR variables +############################################################################## +variable "existing_vpc_cbr_zone_id" { + type = string + description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services." + default = null +} + +############################################################################## 
diff --git a/patterns/vsi/main.tf b/patterns/vsi/main.tf index 17cc0a373..255313cb1 100644 --- a/patterns/vsi/main.tf +++ b/patterns/vsi/main.tf @@ -86,6 +86,7 @@ module "vsi_landing_zone" { override = var.override override_json_string = var.override_json_string override_json_path = local.override_json_path + existing_vpc_cbr_zone_id = var.existing_vpc_cbr_zone_id } moved { diff --git a/patterns/vsi/module/config.tf b/patterns/vsi/module/config.tf index 25515c3d4..7e97dbf36 100644 --- a/patterns/vsi/module/config.tf +++ b/patterns/vsi/module/config.tf @@ -222,6 +222,7 @@ locals { virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints) cos = lookup(local.override[local.override_type], "cos", local.config.object_storage) service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints) + existing_vpc_cbr_zone_id = lookup(local.override[local.override_type], "existing_vpc_cbr_zone_id", var.existing_vpc_cbr_zone_id) skip_kms_block_storage_s2s_auth_policy = lookup(local.override[local.override_type], "skip_kms_block_storage_s2s_auth_policy", local.config.skip_kms_block_storage_s2s_auth_policy) skip_all_s2s_auth_policies = lookup(local.override[local.override_type], "skip_all_s2s_auth_policies", local.config.skip_all_s2s_auth_policies) key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management) diff --git a/patterns/vsi/module/main.tf b/patterns/vsi/module/main.tf index ebaf97008..c18068ca9 100644 --- a/patterns/vsi/module/main.tf +++ b/patterns/vsi/module/main.tf 
@@ -21,6 +21,7 @@ module "landing_zone" { virtual_private_endpoints = local.env.virtual_private_endpoints cos = local.env.cos service_endpoints = local.env.service_endpoints + existing_vpc_cbr_zone_id = local.env.existing_vpc_cbr_zone_id key_management = local.env.key_management skip_kms_block_storage_s2s_auth_policy = local.env.skip_kms_block_storage_s2s_auth_policy skip_all_s2s_auth_policies = local.env.skip_all_s2s_auth_policies diff --git a/patterns/vsi/module/variables.tf b/patterns/vsi/module/variables.tf index 18976c2d4..0ea8df517 100644 --- a/patterns/vsi/module/variables.tf +++ b/patterns/vsi/module/variables.tf @@ -530,3 +530,15 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" { } ############################################################################## + +############################################################################## +# CBR variables +############################################################################## + +variable "existing_vpc_cbr_zone_id" { + type = string + description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services." + default = null +} + +############################################################################## diff --git a/patterns/vsi/outputs.tf b/patterns/vsi/outputs.tf index 9ca2db3c2..d5797005c 100644 --- a/patterns/vsi/outputs.tf +++ b/patterns/vsi/outputs.tf @@ -138,5 +138,3 @@ output "config" { description = "Output configuration as encoded JSON" value = module.vsi_landing_zone.config } - -############################################################################## diff --git a/patterns/vsi/override.json b/patterns/vsi/override.json index bcd2165a8..c83c7c505 100644 --- a/patterns/vsi/override.json +++ b/patterns/vsi/override.json 
@@ -139,6 +139,7 @@ ], "security_groups": [], "service_endpoints": "public-and-private", + "existing_vpc_cbr_zone_id" : null, "ssh_keys": [ { "name": "slz-ssh-key", diff --git a/patterns/vsi/variables.tf b/patterns/vsi/variables.tf index f0775ffbd..93924ad5c 100644 --- a/patterns/vsi/variables.tf +++ b/patterns/vsi/variables.tf @@ -514,3 +514,15 @@ variable "IC_SCHEMATICS_WORKSPACE_ID" { } ############################################################################## + +############################################################################## +# CBR variables +############################################################################## + +variable "existing_vpc_cbr_zone_id" { + type = string + description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services." + default = null +} + +############################################################################## diff --git a/variables.tf b/variables.tf index 0924c065a..6a023b233 100644 --- a/variables.tf +++ b/variables.tf @@ -1334,3 +1334,14 @@ variable "skip_all_s2s_auth_policies" { } ############################################################################## + +############################################################################## +# CBR variables +############################################################################## +variable "existing_vpc_cbr_zone_id" { + type = string + description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services." + default = null +} + +############################################################################## diff --git a/version.tf b/version.tf index 99de062a8..60f83f598 100644 --- a/version.tf +++ b/version.tf 
@@ -8,7 +8,7 @@ terraform { required_providers { ibm = { source = "IBM-Cloud/ibm" - version = ">= 1.67.0, < 2.0.0" + version = ">= 1.68.1, < 2.0.0" } random = { source = "hashicorp/random"