From 6718c016d08c915a59987e30673bf507fa17036d Mon Sep 17 00:00:00 2001 From: Aashiq-J <122446118+Aashiq-J@users.noreply.github.com> Date: Wed, 14 Jun 2023 10:31:28 +0530 Subject: [PATCH] feat: Enable creating network acls for disjoint ip address spaces (#542) * feat: Enable creating network acls for disjoint ip address spaces * test: ignore vpc-acl * test: update variable description * test: update test for network_cidr * fix: update the looping logic * fix: update variable description --- README.md | 2 +- dynamic_values.tf | 4 +- dynamic_values.unit_tests.tf | 2 +- dynamic_values/network_acls.tf | 58 ++++++++++---- dynamic_values/outputs.tf | 2 +- dynamic_values/variables.tf | 6 +- examples/default/main.tf | 1 + examples/default/variables.tf | 6 ++ .../management-vpc/README.md | 2 +- landing-zone-submodule/management-vpc/main.tf | 2 +- .../management-vpc/variables.tf | 6 +- landing-zone-submodule/workload-vpc/README.md | 2 +- landing-zone-submodule/workload-vpc/main.tf | 2 +- .../workload-vpc/variables.tf | 6 +- module-metadata.json | 20 ++--- network_acls.tf | 77 +++++++++++-------- tests/pr_test.go | 5 ++ variables.tf | 8 +- 18 files changed, 134 insertions(+), 77 deletions(-) diff --git a/README.md b/README.md index db6c9943..c9c17782 100644 --- a/README.md +++ b/README.md @@ -141,7 +141,7 @@ To attach access management tags to resources in this module, you need the follo | [is\_flow\_log\_collector\_active](#input\_is\_flow\_log\_collector\_active) | Indicates whether the collector is active. If false, this collector is created in inactive mode. | `bool` | `true` | no | | [name](#input\_name) | Name for VPC | `string` | n/a | yes | | [network\_acls](#input\_network\_acls) | The list of ACLs to create. Provide at least one rule for each ACL. |
list(|
object({
name = string
add_ibm_cloud_internal_rules = optional(bool)
add_vpc_connectivity_rules = optional(bool)
prepend_ibm_rules = optional(bool)
rules = list(
object({
name = string
action = string
destination = string
direction = string
source = string
tcp = optional(
object({
port_max = optional(number)
port_min = optional(number)
source_port_max = optional(number)
source_port_min = optional(number)
})
)
udp = optional(
object({
port_max = optional(number)
port_min = optional(number)
source_port_max = optional(number)
source_port_min = optional(number)
})
)
icmp = optional(
object({
type = optional(number)
code = optional(number)
})
)
})
)
})
)
[| no | -| [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no | +| [network\_cidrs](#input\_network\_cidrs) | List of Network CIDRs for the VPC. This is used to manage network ACL rules for cluster provisioning. | `list(string)` |
{
"add_ibm_cloud_internal_rules": true,
"add_vpc_connectivity_rules": true,
"name": "vpc-acl",
"prepend_ibm_rules": true,
"rules": []
}
]
[| no | | [prefix](#input\_prefix) | The prefix that you would like to append to your resources | `string` | n/a | yes | | [region](#input\_region) | The region to which to deploy the VPC | `string` | n/a | yes | | [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the VPC to be created | `string` | n/a | yes | diff --git a/dynamic_values.tf b/dynamic_values.tf index 78017ef4..bd9b4c0b 100644 --- a/dynamic_values.tf +++ b/dynamic_values.tf @@ -10,7 +10,7 @@ module "dynamic_values" { routes = var.routes use_public_gateways = var.use_public_gateways security_group_rules = var.security_group_rules - network_cidr = var.network_cidr + network_cidrs = var.network_cidrs network_acls = var.network_acls subnets = var.subnets public_gateways = ibm_is_public_gateway.gateway @@ -54,7 +54,7 @@ module "unit_tests" { name = "test-rule" } ] - network_cidr = "1.2.3.4/5" + network_cidrs = ["1.2.3.4/5"] network_acls = [ { name = "acl" diff --git a/dynamic_values.unit_tests.tf b/dynamic_values.unit_tests.tf index 7022564a..655876ca 100644 --- a/dynamic_values.unit_tests.tf +++ b/dynamic_values.unit_tests.tf @@ -66,7 +66,7 @@ locals { # tflint-ignore: terraform_unused_declarations assert_cluster_rule_exists_in_position_0 = regex("roks-create-worker-nodes-inbound", module.unit_tests.acl_map["acl"].rules[0].name) # tflint-ignore: terraform_unused_declarations - assert_cluster_rule_uses_network_cidr = regex("1.2.3.4/5", module.unit_tests.acl_map["acl"].rules[0].destination) + assert_cluster_rule_uses_network_cidr = regex("0.0.0.0/0", module.unit_tests.acl_map["acl"].rules[0].destination) # tflint-ignore: terraform_unused_declarations assert_acl_rule_exists_in_last_position = regex("test-rule", module.unit_tests.acl_map["acl"].rules[length(module.unit_tests.acl_map["acl"].rules) - 1].name) # tflint-ignore: terraform_unused_declarations diff --git a/dynamic_values/network_acls.tf b/dynamic_values/network_acls.tf index 1bc3de6c..24b26a79 100644 
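Review bot: The assertion `assert_cluster_rule_uses_network_cidr` now checks `regex("0.0.0.0/0", ...rules[0].destination)` while its name still says the rule uses the network CIDR, so the test codifies that the first prepended inbound rule is no longer scoped to `network_cidrs = ["1.2.3.4/5"]` at all. The expectation that a caller-supplied CIDR bounds the VPC side of the prepended rule is what the test existed to protect; keep `regex("1.2.3.4/5", module.unit_tests.acl_map["acl"].rules[0].destination)` and fix the generator in `dynamic_values/network_acls.tf` so it passes, or rename the assertion to what it actually verifies. As written a future regression in the destination scoping cannot fail this test.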
--- a/dynamic_values/network_acls.tf +++ b/dynamic_values/network_acls.tf @@ -10,7 +10,7 @@ locals { [ # These rules cannot be added in a conditional operator due to inconsistant typing # This will add all cluster_rules if the acl object contains prepend_ibm_rules as true - for rule in local.cluster_rules : + for rule in local.rules : rule if network_acl.prepend_ibm_rules == true ], network_acl.rules @@ -33,7 +33,7 @@ locals { name = "roks-create-worker-nodes-inbound" action = "allow" source = "161.26.0.0/16" - destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" + destination = "0.0.0.0/0" direction = "inbound" tcp = null udp = null @@ -43,7 +43,7 @@ locals { name = "roks-create-worker-nodes-outbound" action = "allow" destination = "161.26.0.0/16" - source = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" + source = "0.0.0.0/0" direction = "outbound" tcp = null udp = null @@ -53,7 +53,7 @@ locals { name = "roks-nodes-to-service-inbound" action = "allow" source = "166.8.0.0/14" - destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" + destination = "0.0.0.0/0" direction = "inbound" tcp = null udp = null 
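Review bot: `for rule in local.rules : rule if network_acl.prepend_ibm_rules == true` reads ambiguously next to `network_acl.rules` in the same expression: one is the generated IBM cluster/app allow list, the other the caller's rules, and `local.rules` does not say which. A name such as `local.prepended_ibm_rules` (and the matching local in the later hunk) would make the precedence obvious. The templates in the `-33`/`-43`/`-53` hunks now hard-code `0.0.0.0/0` for the VPC-side endpoint, which is only a placeholder that a later `merge` is expected to replace; a comment above the list, `# 0.0.0.0/0 below is a placeholder: the VPC-side endpoint is filled per entry of var.network_cidrs in cluster_rules_list`, would stop it being read as the intended rule.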
@@ -63,18 +63,31 @@ locals { name = "roks-nodes-to-service-outbound" action = "allow" destination = "166.8.0.0/14" - source = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" + source = "0.0.0.0/0" direction = "outbound" tcp = null udp = null icmp = null - }, - # App Rules + } + ] + + cluster_rules_list = flatten([ + for rules in local.cluster_rules : [ + for index, cidrs in var.network_cidrs != null ? var.network_cidrs : ["0.0.0.0/0"] : + merge(rules, { + name = "${rules.name}-${index}" + source = cidrs + }) + ] + ]) + + # App Rules + app_rules = [ { name = "allow-app-incoming-traffic-requests" action = "allow" - source = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" - destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" + source = "0.0.0.0/0" + destination = "0.0.0.0/0" direction = "inbound" tcp = { source_port_min = 30000 @@ -86,8 +99,8 @@ locals { { name = "allow-app-outgoing-traffic-requests" action = "allow" - source = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" - destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" + source = "0.0.0.0/0" + destination = "0.0.0.0/0" direction = "outbound" tcp = { port_min = 30000 @@ -99,8 +112,8 @@ locals { { name = "allow-lb-incoming-traffic-requests" action = "allow" - source = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" - destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" + source = "0.0.0.0/0" + destination = "0.0.0.0/0" direction = "inbound" tcp = { port_min = 443 @@ -112,8 +125,8 @@ locals { { name = "allow-lb-outgoing-traffic-requests" action = "allow" - source = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" - destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" + source = "0.0.0.0/0" + destination = "0.0.0.0/0" direction = "outbound" tcp = { source_port_min = 443 
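Review bot: In `cluster_rules_list` the `merge(rules, { ... source = cidrs })` overwrites `source` on every template, including the two inbound rules whose source is the IBM service range (`161.26.0.0/16`, `166.8.0.0/14`), so the generated inbound rules become `source = <network cidr>, destination = 0.0.0.0/0`: they no longer admit the IBM ranges the rule is named for, and instead allow any traffic from the VPC CIDR to any destination, placed ahead of the caller's rules when `prepend_ibm_rules` is set. The removed code varied only the VPC-side endpoint (`destination` for inbound, `source` for outbound), as `vpc_inbound_rule`/`vpc_outbound_rule` in `network_acls.tf` still do. Choose the endpoint by `direction` instead:
```hcl
cluster_rules_list = flatten([
  for rule in local.cluster_rules : [
    for index, cidr in var.network_cidrs != null ? var.network_cidrs : ["0.0.0.0/0"] :
    merge(rule, {
      name = "${rule.name}-${index}"
      # Only the VPC-side endpoint varies per CIDR; the IBM service range on the
      # other side of the rule is kept from the template.
      source      = rule.direction == "inbound" ? rule.source : cidr
      destination = rule.direction == "inbound" ? cidr : rule.destination
    })
  ]
])
# … unchanged: app_rules templates …
```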
@@ -123,6 +136,21 @@ locals { icmp = null } ] + + + app_rules_list = flatten([ + for rules in local.app_rules : [ + for index, cidrs in var.network_cidrs != null ? var.network_cidrs : ["0.0.0.0/0"] : + merge(rules, { + name = "${rules.name}-${index}" + source = cidrs + destination = cidrs + }) + ] + ]) + + rules = concat(local.cluster_rules_list, local.app_rules_list) + } ############################################################################## diff --git a/dynamic_values/outputs.tf b/dynamic_values/outputs.tf index 1c6f9d5f..67cb9eee 100644 --- a/dynamic_values/outputs.tf +++ b/dynamic_values/outputs.tf @@ -48,7 +48,7 @@ output "security_group_rules" { output "cluster_rules" { description = "Cluster creation ACL allow rules" - value = local.cluster_rules + value = local.rules } ############################################################################## diff --git a/dynamic_values/variables.tf b/dynamic_values/variables.tf index 0e6b9543..bfb39b79 100644 --- a/dynamic_values/variables.tf +++ b/dynamic_values/variables.tf @@ -108,9 +108,9 @@ variable "security_group_rules" { # Network CIDR ############################################################################## -variable "network_cidr" { - description = "direct reference to network cidr" - type = string +variable "network_cidrs" { + description = "direct reference to network cidrs" + type = list(string) } ############################################################################## diff --git a/examples/default/main.tf b/examples/default/main.tf index 9e983d60..d6958b11 100644 --- a/examples/default/main.tf +++ b/examples/default/main.tf @@ -54,4 +54,5 @@ module "slz_vpc" { existing_cos_instance_guid = ibm_resource_instance.cos_instance[0].guid existing_storage_bucket_name = ibm_cos_bucket.cos_bucket[0].bucket_name address_prefixes = var.address_prefixes + network_cidrs = var.network_cidrs } diff --git a/examples/default/variables.tf b/examples/default/variables.tf index b347d595..6eef8956 100644 
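Review bot: `app_rules_list` pairs each CIDR only with itself (`source = cidrs` and `destination = cidrs` in the same iteration), so for the two disjoint spaces this change is meant to support, e.g. `["10.0.0.0/8", "164.0.0.0/8"]`, the generated rules are 10/8→10/8 and 164/8→164/8 and a request from a load balancer in one space to a node port in the other matches neither. If cross-space traffic is intended, iterate `for index, pair in setproduct(local.cidrs, local.cidrs)` with `source = pair[0]` and `destination = pair[1]`; if same-space only is intended, a comment above `app_rules_list` stating that would keep the next reader from changing it. Singular loop names (`rule`, `cidr`) would also read better than `rules`/`cidrs` for a single element.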
--- a/examples/default/variables.tf +++ b/examples/default/variables.tf @@ -85,3 +85,9 @@ variable "address_prefixes" { condition = var.address_prefixes == null ? true : (keys(var.address_prefixes)[0] == "zone-1" && keys(var.address_prefixes)[1] == "zone-2" && keys(var.address_prefixes)[2] == "zone-3") } } + +variable "network_cidrs" { + description = "List of Network CIDRs for the VPC. This is used to manage network ACL rules for cluster provisioning." + type = list(string) + default = ["10.0.0.0/8", "164.0.0.0/8"] +} diff --git a/landing-zone-submodule/management-vpc/README.md b/landing-zone-submodule/management-vpc/README.md index dd8fb75f..7b316ecf 100644 --- a/landing-zone-submodule/management-vpc/README.md +++ b/landing-zone-submodule/management-vpc/README.md @@ -43,7 +43,7 @@ No resources. | [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | IBM Cloud API Key that will be used for authentication in scripts run in this module. Only required if certain options are chosen, such as the 'clean\_default\_*' variables being 'true'. | `string` | `null` | no | | [ibmcloud\_api\_visibility](#input\_ibmcloud\_api\_visibility) | IBM Cloud API visibility used by scripts run in this module. Must be 'public', 'private', or 'public-and-private' | `string` | `"public"` | no | | [network\_acls](#input\_network\_acls) | List of network ACLs to create with VPC |
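Review bot: The example default `["10.0.0.0/8", "164.0.0.0/8"]` includes a publicly routed /8, and every entry of this list becomes the `source` of prepended `allow` rules in `network_acls.tf`, so an example copied verbatim admits a large public range into the VPC. If the second entry only stands for "another, non-overlapping address space", say so in the description or use a second RFC 1918 range such as `172.16.0.0/12`. The description is copied unchanged from the root module; a sentence such as `The two entries are deliberately disjoint to exercise per-CIDR ACL rule generation.` would explain why the example differs from the module default.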
"10.0.0.0/8"
]
list(|
object({
name = string
add_ibm_cloud_internal_rules = optional(bool)
add_vpc_connectivity_rules = optional(bool)
prepend_ibm_rules = optional(bool)
rules = list(
object({
name = string
action = string
destination = string
direction = string
source = string
tcp = optional(
object({
port_max = optional(number)
port_min = optional(number)
source_port_max = optional(number)
source_port_min = optional(number)
})
)
udp = optional(
object({
port_max = optional(number)
port_min = optional(number)
source_port_max = optional(number)
source_port_min = optional(number)
})
)
icmp = optional(
object({
type = optional(number)
code = optional(number)
})
)
})
)
})
)
[| no | -| [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no | +| [network\_cidrs](#input\_network\_cidrs) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `list(string)` |
{
"add_ibm_cloud_internal_rules": true,
"add_vpc_connectivity_rules": true,
"name": "management-acl",
"prepend_ibm_rules": true,
"rules": []
}
]
[| no | | [prefix](#input\_prefix) | The prefix that you would like to append to your resources | `string` | `"management"` | no | | [region](#input\_region) | The region to which to deploy the VPC | `string` | `"au-syd"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the VPC to be created | `string` | n/a | yes | diff --git a/landing-zone-submodule/management-vpc/main.tf b/landing-zone-submodule/management-vpc/main.tf index 3af3aadc..19a0d056 100644 --- a/landing-zone-submodule/management-vpc/main.tf +++ b/landing-zone-submodule/management-vpc/main.tf @@ -10,7 +10,7 @@ module "management_vpc" { resource_group_id = var.resource_group_id region = var.region prefix = var.prefix - network_cidr = var.network_cidr + network_cidrs = var.network_cidrs classic_access = var.classic_access default_network_acl_name = var.default_network_acl_name default_security_group_name = var.default_security_group_name diff --git a/landing-zone-submodule/management-vpc/variables.tf b/landing-zone-submodule/management-vpc/variables.tf index 55d39ecb..88e15623 100644 --- a/landing-zone-submodule/management-vpc/variables.tf +++ b/landing-zone-submodule/management-vpc/variables.tf @@ -31,10 +31,10 @@ variable "access_tags" { # VPC variables ############################################################################# -variable "network_cidr" { +variable "network_cidrs" { description = "Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning." - type = string - default = "10.0.0.0/8" + type = list(string) + default = ["10.0.0.0/8"] } variable "classic_access" { diff --git a/landing-zone-submodule/workload-vpc/README.md b/landing-zone-submodule/workload-vpc/README.md index 143ab086..3dadcccf 100644 --- a/landing-zone-submodule/workload-vpc/README.md +++ b/landing-zone-submodule/workload-vpc/README.md 
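Review bot: The description still says `Network CIDR for the VPC` (singular) although the type changed to `list(string)`; the root module and `module-metadata.json` in this same change use `List of Network CIDRs for the VPC. This is used to manage network ACL rules for cluster provisioning.`, so use the same text here. The `workload-vpc/variables.tf` hunk below has the identical mismatch.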
@@ -44,7 +44,7 @@ No resources. | [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | IBM Cloud API Key that will be used for authentication in scripts run in this module. Only required if certain options are chosen, such as the 'clean\_default\_*' variables being 'true'. | `string` | `null` | no | | [ibmcloud\_api\_visibility](#input\_ibmcloud\_api\_visibility) | IBM Cloud API visibility used by scripts run in this module. Must be 'public', 'private', or 'public-and-private' | `string` | `"public"` | no | | [network\_acls](#input\_network\_acls) | List of network ACLs to create with VPC |
"10.0.0.0/8"
]
list(|
object({
name = string
add_ibm_cloud_internal_rules = optional(bool)
add_vpc_connectivity_rules = optional(bool)
prepend_ibm_rules = optional(bool)
rules = list(
object({
name = string
action = string
destination = string
direction = string
source = string
tcp = optional(
object({
port_max = optional(number)
port_min = optional(number)
source_port_max = optional(number)
source_port_min = optional(number)
})
)
udp = optional(
object({
port_max = optional(number)
port_min = optional(number)
source_port_max = optional(number)
source_port_min = optional(number)
})
)
icmp = optional(
object({
type = optional(number)
code = optional(number)
})
)
})
)
})
)
[| no | -| [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no | +| [network\_cidrs](#input\_network\_cidrs) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `list(string)` |
{
"add_ibm_cloud_internal_rules": true,
"add_vpc_connectivity_rules": true,
"name": "workload-acl",
"prepend_ibm_rules": true,
"rules": []
}
]
[| no | | [prefix](#input\_prefix) | The prefix that you would like to append to your resources | `string` | `"workload"` | no | | [region](#input\_region) | The region to which to deploy the VPC | `string` | `"au-syd"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the VPC to be created | `string` | n/a | yes | diff --git a/landing-zone-submodule/workload-vpc/main.tf b/landing-zone-submodule/workload-vpc/main.tf index bcb53c02..913e2419 100644 --- a/landing-zone-submodule/workload-vpc/main.tf +++ b/landing-zone-submodule/workload-vpc/main.tf @@ -10,7 +10,7 @@ module "workload_vpc" { resource_group_id = var.resource_group_id region = var.region prefix = var.prefix - network_cidr = var.network_cidr + network_cidrs = var.network_cidrs classic_access = var.classic_access default_network_acl_name = var.default_network_acl_name default_security_group_name = var.default_security_group_name diff --git a/landing-zone-submodule/workload-vpc/variables.tf b/landing-zone-submodule/workload-vpc/variables.tf index 175c9bde..47d670c3 100644 --- a/landing-zone-submodule/workload-vpc/variables.tf +++ b/landing-zone-submodule/workload-vpc/variables.tf @@ -31,10 +31,10 @@ variable "access_tags" { # VPC variables ############################################################################# -variable "network_cidr" { +variable "network_cidrs" { description = "Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning." - type = string - default = "10.0.0.0/8" + type = list(string) + default = ["10.0.0.0/8"] } variable "classic_access" { diff --git a/module-metadata.json b/module-metadata.json index caa901f6..fe09bea4 100644 --- a/module-metadata.json +++ b/module-metadata.json 
@@ -247,11 +247,13 @@ "line": 105 } }, - "network_cidr": { - "name": "network_cidr", - "type": "string", - "description": "Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning.", - "default": "10.0.0.0/8", + "network_cidrs": { + "name": "network_cidrs", + "type": "list(string)", + "description": "List of Network CIDRs for the VPC. This is used to manage network ACL rules for cluster provisioning.", + "default": [ + "10.0.0.0/8" + ], "source": [ "module.dynamic_values" ], @@ -598,7 +600,7 @@ }, "pos": { "filename": "network_acls.tf", - "line": 137 + "line": 152 } }, "ibm_is_public_gateway.gateway": { @@ -777,7 +779,7 @@ "attributes": { "address_prefixes": "address_prefixes", "network_acls": "network_acls", - "network_cidr": "network_cidr", + "network_cidrs": "network_cidrs", "prefix": "prefix", "region": "region", "routes": "routes", @@ -809,7 +811,7 @@ "cluster_rules": { "name": "cluster_rules", "description": "Cluster creation ACL allow rules", - "value": "local.cluster_rules", + "value": "local.rules", "pos": { "filename": "dynamic_values/outputs.tf", "line": 49 @@ -911,7 +913,7 @@ "cluster_rules": { "name": "cluster_rules", "description": "Cluster creation ACL allow rules", - "value": "local.cluster_rules", + "value": "local.rules", "pos": { "filename": "dynamic_values/outputs.tf", "line": 49 diff --git a/network_acls.tf b/network_acls.tf index c30d0ef3..b13f3bce 100644 --- a/network_acls.tf +++ b/network_acls.tf @@ -3,13 +3,13 @@ ############################################################################## locals { - ibm_cloud_internal_rules = [ + internal_rules = [ # IaaS and PaaS Rules. Note that this coarse grained list will be narrowed in upcoming releases. { name = "ibmflow-iaas-inbound" action = "allow" source = "161.26.0.0/16" - destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" + destination = "0.0.0.0/0" direction = "inbound" tcp = null udp = null 
@@ -19,7 +19,7 @@ locals { name = "ibmflow-iaas-outbound" action = "allow" destination = "161.26.0.0/16" - source = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" + source = "0.0.0.0/0" direction = "outbound" tcp = null udp = null @@ -29,7 +29,7 @@ locals { name = "ibmflow-paas-inbound" action = "allow" source = "166.8.0.0/14" - destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" + destination = "0.0.0.0/0" direction = "inbound" tcp = null udp = null @@ -39,7 +39,7 @@ locals { name = "ibmflow-paas-outbound" action = "allow" destination = "166.8.0.0/14" - source = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" + source = "0.0.0.0/0" direction = "outbound" tcp = null udp = null 
@@ -47,32 +47,47 @@ locals { } ] - vpc_inbound_rule = [ - for address in data.ibm_is_vpc_address_prefixes.get_address_prefixes.address_prefixes : - { - name = "ibmflow-allow-vpc-connectivity-inbound-${substr(address.id, -4, -1)}" # Providing unique rule names - action = "allow" - source = address.cidr - destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" - direction = "inbound" - tcp = null - udp = null - icmp = null - } - ] - vpc_outbound_rule = [ - for address in data.ibm_is_vpc_address_prefixes.get_address_prefixes.address_prefixes : - { - name = "ibmflow-allow-vpc-connectivity-outbound-${substr(address.id, -4, -1)}" - action = "allow" - source = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0" - destination = address.cidr - direction = "outbound" - tcp = null - udp = null - icmp = null - } - ] + ibm_cloud_internal_rules = flatten([ + for rules in local.internal_rules : [ + for index, cidrs in var.network_cidrs != null ? var.network_cidrs : ["0.0.0.0/0"] : + merge(rules, { + name = "${rules.name}-${index}" + source = cidrs + }) + ] + ]) + + vpc_inbound_rule = flatten([ + for address in data.ibm_is_vpc_address_prefixes.get_address_prefixes.address_prefixes : [ + for index, cidrs in var.network_cidrs != null ? var.network_cidrs : ["0.0.0.0/0"] : + { + name = "ibmflow-allow-vpc-connectivity-inbound-${substr(address.id, -4, -1)}-${index}" # Providing unique rule names + action = "allow" + source = address.cidr + destination = cidrs + direction = "inbound" + tcp = null + udp = null + icmp = null + } + ] + ]) + vpc_outbound_rule = flatten([ + for address in data.ibm_is_vpc_address_prefixes.get_address_prefixes.address_prefixes : [ + for index, cidrs in var.network_cidrs != null ? 
var.network_cidrs : ["0.0.0.0/0"] : + + { + name = "ibmflow-allow-vpc-connectivity-outbound-${substr(address.id, -4, -1)}-${index}" + action = "allow" + source = cidrs + destination = address.cidr + direction = "outbound" + tcp = null + udp = null + icmp = null + } + ] + ]) vpc_connectivity_rules = distinct(flatten(concat(local.vpc_inbound_rule, local.vpc_outbound_rule))) diff --git a/tests/pr_test.go b/tests/pr_test.go index 1d7de464..01df4889 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -36,6 +36,11 @@ func setupOptions(t *testing.T, prefix string, terraformDir string) *testhelper. TerraformDir: terraformDir, Prefix: prefix, ResourceGroup: resourceGroup, + IgnoreUpdates: testhelper.Exemptions{ // Ignore for consistency check + List: []string{ + "module.slz_vpc.ibm_is_network_acl.network_acl[\"vpc-acl\"]", + }, + }, TerraformVars: map[string]interface{}{ "access_tags": permanentResources["accessTags"], }, diff --git a/variables.tf b/variables.tf index 4f2065c1..23147e63 100644 --- a/variables.tf +++ b/variables.tf @@ -47,10 +47,10 @@ variable "access_tags" { # Optional VPC Variables ############################################################################## -variable "network_cidr" { - description = "Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning." - type = string - default = "10.0.0.0/8" +variable "network_cidrs" { + description = "List of Network CIDRs for the VPC. This is used to manage network ACL rules for cluster provisioning." + type = list(string) + default = ["10.0.0.0/8"] } variable "classic_access" {
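Review bot: `ibm_cloud_internal_rules` has the same defect as the cluster rules in `dynamic_values/network_acls.tf`: `merge(rules, { source = cidrs })` replaces the IBM service source (`161.26.0.0/16`, `166.8.0.0/14`) on the two inbound templates, leaving `destination = 0.0.0.0/0`, so the generated inbound rules allow any traffic from each network CIDR to anywhere and no longer admit the IBM ranges. The `vpc_inbound_rule`/`vpc_outbound_rule` comprehensions just below do this correctly (VPC CIDR on the destination for inbound, on the source for outbound); apply the same split here:
```hcl
ibm_cloud_internal_rules = flatten([
  for rule in local.internal_rules : [
    for index, cidr in var.network_cidrs != null ? var.network_cidrs : ["0.0.0.0/0"] :
    merge(rule, {
      name        = "${rule.name}-${index}"
      source      = rule.direction == "inbound" ? rule.source : cidr
      destination = rule.direction == "inbound" ? cidr : rule.destination
    })
  ]
])
# … unchanged: vpc_inbound_rule / vpc_outbound_rule …
```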
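Review bot: The new `IgnoreUpdates` exemption silences the plan-after-apply consistency check for `module.slz_vpc.ibm_is_network_acl.network_acl["vpc-acl"]`, which is exactly the resource whose rule set this change rewrites, so a perpetual diff in the generated ACL rules would now go unnoticed in CI. The comment `// Ignore for consistency check` says what is done, not why; record the cause (presumably the provider returning rules in a different order than declared — verify) and a tracking reference, e.g. `// Rule order reported by the API differs from the declared order; tracked in <issue>`, so the exemption can be removed once that is fixed.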
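Review bot: `network_cidrs` accepts any `list(string)`; an empty list makes every `for index, cidrs in var.network_cidrs != null ? var.network_cidrs : ["0.0.0.0/0"]` comprehension in `network_acls.tf` produce zero rules, silently dropping the IBM connectivity rules, and a malformed entry only fails at apply time inside the provider. A `validation` block catches both at plan time:
```hcl
variable "network_cidrs" {
  description = "List of Network CIDRs for the VPC. This is used to manage network ACL rules for cluster provisioning."
  type        = list(string)
  default     = ["10.0.0.0/8"]

  validation {
    condition     = var.network_cidrs == null || (length(var.network_cidrs) > 0 && alltrue([for c in var.network_cidrs : can(cidrhost(c, 0))]))
    error_message = "network_cidrs must be null or a non-empty list of CIDRs in prefix notation, for example 10.0.0.0/8."
  }
}
```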
"10.0.0.0/8"
]