
feat: expose hub vpc inputs #662

Merged: 11 commits merged into main from configure-hub-vpc-id, Nov 8, 2023

Conversation

rajatagarwal-ibm (Member)

Description

hub_vpc_id input (used in spoke vpc)

  • configures delegated resolver pointing to hub vpc
  • configures DNS resolution binding
  • creates ibm_is_vpc_dns_resolution_binding resource under the hood - with source being the VPC

Release required?

  • No release
  • Patch release (x.x.X)
  • Minor release (x.X.x)
  • Major release (X.x.x)
Release notes content

Run the pipeline

If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.

Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:

/run pipeline

Checklist for reviewers

  • If relevant, a test for the change is included or updated with this PR.
  • If relevant, documentation for the change is included or updated with this PR.

For mergers

  • Use a conventional commit message to set the release level. Follow the guidelines.
  • Include information that users need to know about the PR in the commit message. The commit message becomes part of the GitHub release notes.
  • Use the Squash and merge option.

@rajatagarwal-ibm (Member, Author)

Can add validation to check that both "enable_hub" and "enable_hub_vpc" are not true at the same time once @vburckhardt's PR is in.

@vburckhardt (Member)

Hi @rajatagarwal-ibm - the goal here is not to create a second VPC, but to expose the variable in the interface of the module allowing a consumer to use this module to create a spoke VPC.

Review thread on variables.tf (outdated, resolved)
```hcl
resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding" {
  count  = var.hub_vpc_id != null ? 1 : 0
  name   = "${var.prefix}-dns-binding"
  vpc_id = ibm_is_vpc.vpc.id # Source VPC
```
vburckhardt (Member):

Could you just double check that the source should be the vpc id as opposed to the hub vpc. Doc is not very clear on this.

rajatagarwal-ibm (Member, Author):

Yes, the docs are not very clear. However, looking at the curl command below gives a better picture. In the highlighted part "hub_vpc_id" is passed in the vpc block, which is similar to the terraform block.

```shell
curl -sX POST "$vpc_api_endpoint/v1/vpcs/$spoke_vpc_id/dns_resolution_bindings?version=$version&generation=2" \
  -H "Authorization: Bearer ${iam_token}" \
  -d '{"vpc": {"id": "'$hub_vpc_id'"}}'
```

That's from the documentation https://cloud.ibm.com/docs/vpc?topic=vpc-hub-spoke-resolution-bindings&interface=api

(Review thread on main.tf, outdated, resolved)
@rajatagarwal-ibm (Member, Author)

/run pipeline

@vburckhardt (Member) left a comment:

Just one small comment.

main.tf Outdated
@@ -25,6 +28,30 @@ resource "ibm_is_vpc" "vpc" {

dns {
enable_hub = var.enable_hub
# Creates a delegated resolver. Requires dns.enable_hub to be false.
resolver {
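Review bot: the comment on the resolver block says it "Requires dns.enable_hub to be false", but two lines above `enable_hub = var.enable_hub` is taken unconditionally from an independent input, so nothing in this hunk stops a consumer from passing enable_hub = true together with a hub VPC reference; the conflict would only surface as an API error at apply time. Add a plan-time guard (for example a `lifecycle { precondition { ... } }` on the resource, or the validation mentioned earlier in the thread) that rejects enable_hub = true combined with hub_vpc_id/hub_vpc_crn, and consider emitting the `resolver` block through a `dynamic "resolver"` so it is only rendered when a hub reference is actually given rather than repeating the block per case.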
vburckhardt (Member):

I think using a dynamic block would make the code more readable here and avoid the repeats.

Also perhaps double check that having a resolver of type null is not going to throw an error.

rajatagarwal-ibm (Member, Author):

No, it won't throw an error; have a look at the findings below.

@rajatagarwal-ibm (Member, Author)

I have also added a check so that ibm_is_vpc_dns_resolution_binding is created from hub_vpc_id / hub_vpc_crn only when enable_hub is false, as you would not create a DNS resolution binding unless you already have the hub info.

Here is the terraform plan for the basic example in all the scenarios:

1. When both hub_vpc_id and hub_vpc_crn are not passed:

```text
 # module.slz_vpc.ibm_is_vpc.vpc will be created
  + resource "ibm_is_vpc" "vpc" {
      + access_tags                 = (known after apply)
      + address_prefix_management   = "auto"
      + classic_access              = false
      + crn                         = (known after apply)
      + cse_source_addresses        = (known after apply)
      + default_network_acl         = (known after apply)
      + default_network_acl_crn     = (known after apply)
      + default_network_acl_name    = (known after apply)
      + default_routing_table       = (known after apply)
      + default_routing_table_name  = (known after apply)
      + default_security_group      = (known after apply)
      + default_security_group_crn  = (known after apply)
      + default_security_group_name = (known after apply)
      + health_reasons              = (known after apply)
      + health_state                = (known after apply)
      + id                          = (known after apply)
      + name                        = "basic-slz-vpc-vpc-vpc"
      + no_sg_acl_rules             = false
      + resource_controller_url     = (known after apply)
      + resource_crn                = (known after apply)
      + resource_group              = (known after apply)
      + resource_group_name         = (known after apply)
      + resource_name               = (known after apply)
      + resource_status             = (known after apply)
      + security_group              = (known after apply)
      + status                      = (known after apply)
      + subnets                     = (known after apply)
      + tags                        = (known after apply)

      + dns {
          + enable_hub               = false
          + resolution_binding_count = (known after apply)
        }
    }
```

2. When hub_vpc_id is passed:

```text
 # module.slz_vpc.ibm_is_vpc.vpc will be created
  + resource "ibm_is_vpc" "vpc" {
      + access_tags                 = (known after apply)
      + address_prefix_management   = "auto"
      + classic_access              = false
      + crn                         = (known after apply)
      + cse_source_addresses        = (known after apply)
      + default_network_acl         = (known after apply)
      + default_network_acl_crn     = (known after apply)
      + default_network_acl_name    = (known after apply)
      + default_routing_table       = (known after apply)
      + default_routing_table_name  = (known after apply)
      + default_security_group      = (known after apply)
      + default_security_group_crn  = (known after apply)
      + default_security_group_name = (known after apply)
      + health_reasons              = (known after apply)
      + health_state                = (known after apply)
      + id                          = (known after apply)
      + name                        = "basic-slz-vpc-vpc-vpc"
      + no_sg_acl_rules             = false
      + resource_controller_url     = (known after apply)
      + resource_crn                = (known after apply)
      + resource_group              = (known after apply)
      + resource_group_name         = (known after apply)
      + resource_name               = (known after apply)
      + resource_status             = (known after apply)
      + security_group              = (known after apply)
      + status                      = (known after apply)
      + subnets                     = (known after apply)
      + tags                        = (known after apply)

      + dns {
          + enable_hub               = false
          + resolution_binding_count = (known after apply)

          + resolver {
              + configuration         = (known after apply)
              + servers               = (known after apply)
              + type                  = "delegated"
              + vpc_id                = "abc"
              + vpc_name              = (known after apply)
              + vpc_remote_account_id = (known after apply)
              + vpc_remote_region     = (known after apply)
            }
        }
    }


 # module.slz_vpc.ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_id[0] will be created
  + resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_id" {
      + created_at        = (known after apply)
      + endpoint_gateways = (known after apply)
      + href              = (known after apply)
      + id                = (known after apply)
      + lifecycle_state   = (known after apply)
      + name              = "basic-slz-vpc-dns-binding"
      + resource_type     = (known after apply)
      + vpc_id            = (known after apply)

      + vpc {
          + crn           = (known after apply)
          + href          = (known after apply)
          + id            = "abc"
          + name          = (known after apply)
          + remote        = (known after apply)
          + resource_type = (known after apply)
        }
    }
```

3. When hub_vpc_crn is passed:

```text
 # module.slz_vpc.ibm_is_vpc.vpc will be created
  + resource "ibm_is_vpc" "vpc" {
      + access_tags                 = (known after apply)
      + address_prefix_management   = "auto"
      + classic_access              = false
      + crn                         = (known after apply)
      + cse_source_addresses        = (known after apply)
      + default_network_acl         = (known after apply)
      + default_network_acl_crn     = (known after apply)
      + default_network_acl_name    = (known after apply)
      + default_routing_table       = (known after apply)
      + default_routing_table_name  = (known after apply)
      + default_security_group      = (known after apply)
      + default_security_group_crn  = (known after apply)
      + default_security_group_name = (known after apply)
      + health_reasons              = (known after apply)
      + health_state                = (known after apply)
      + id                          = (known after apply)
      + name                        = "basic-slz-vpc-vpc-vpc"
      + no_sg_acl_rules             = false
      + resource_controller_url     = (known after apply)
      + resource_crn                = (known after apply)
      + resource_group              = (known after apply)
      + resource_group_name         = (known after apply)
      + resource_name               = (known after apply)
      + resource_status             = (known after apply)
      + security_group              = (known after apply)
      + status                      = (known after apply)
      + subnets                     = (known after apply)
      + tags                        = (known after apply)

      + dns {
          + enable_hub               = false
          + resolution_binding_count = (known after apply)

          + resolver {
              + configuration         = (known after apply)
              + servers               = (known after apply)
              + type                  = "delegated"
              + vpc_crn               = "abc"
              + vpc_name              = (known after apply)
              + vpc_remote_account_id = (known after apply)
              + vpc_remote_region     = (known after apply)
            }
        }
    }


 # module.slz_vpc.ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_crn[0] will be created
  + resource "ibm_is_vpc_dns_resolution_binding" "vpc_dns_resolution_binding_crn" {
      + created_at        = (known after apply)
      + endpoint_gateways = (known after apply)
      + href              = (known after apply)
      + id                = (known after apply)
      + lifecycle_state   = (known after apply)
      + name              = "basic-slz-vpc-dns-binding"
      + resource_type     = (known after apply)
      + vpc_id            = (known after apply)

      + vpc {
          + crn           = "abc"
          + href          = (known after apply)
          + id            = (known after apply)
          + name          = (known after apply)
          + remote        = (known after apply)
          + resource_type = (known after apply)
        }
    }
```
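Pulling together the pieces discussed in this thread (the delegated resolver on the spoke, the binding whose source is the spoke and whose target is the hub, the dynamic block suggested in review, and the enable_hub / hub VPC exclusivity check mentioned earlier), here is an added example of a spoke VPC configuration. It is not the module's own code: the resource types and attribute names follow the plan output above and the API call quoted earlier, while the `locals`, the precondition-based validation, the `is_spoke` gating and the resource name `spoke_to_hub` are illustrative assumptions.

```hcl
# Added example (not the terraform-ibm-landing-zone-vpc module's code).
# Assumes the ibm_is_vpc dns/resolver schema and the
# ibm_is_vpc_dns_resolution_binding schema as they appear in the plan output
# of this PR. Variable names mirror the PR; locals and preconditions are
# illustrative.

variable "prefix" {
  type    = string
  default = "spoke"
}

variable "enable_hub" {
  description = "Make this VPC a DNS hub. Mutually exclusive with hub_vpc_id / hub_vpc_crn."
  type        = bool
  default     = false
}

variable "hub_vpc_id" {
  description = "ID of an existing hub VPC this spoke delegates DNS resolution to."
  type        = string
  default     = null
}

variable "hub_vpc_crn" {
  description = "CRN of an existing hub VPC (alternative to hub_vpc_id, e.g. for a remote-account hub)."
  type        = string
  default     = null
}

locals {
  # A spoke needs exactly one hub reference and must not itself be a hub.
  hub_ref_count = (var.hub_vpc_id != null ? 1 : 0) + (var.hub_vpc_crn != null ? 1 : 0)
  is_spoke      = !var.enable_hub && local.hub_ref_count == 1
}

resource "ibm_is_vpc" "vpc" {
  name = "${var.prefix}-vpc"

  dns {
    enable_hub = var.enable_hub

    # Emit the delegated resolver only when this VPC is a spoke. With an
    # empty for_each no resolver block is rendered at all, which matches
    # plan scenario 1 above (no resolver, no error).
    dynamic "resolver" {
      for_each = local.is_spoke ? [1] : []
      content {
        type    = "delegated"
        vpc_id  = var.hub_vpc_id  # a null value is simply omitted
        vpc_crn = var.hub_vpc_crn
      }
    }
  }

  lifecycle {
    # Fail at plan time instead of letting the VPC API reject the combination.
    precondition {
      condition     = !(var.enable_hub && local.hub_ref_count > 0)
      error_message = "enable_hub cannot be true when hub_vpc_id or hub_vpc_crn is set."
    }
    precondition {
      condition     = local.hub_ref_count <= 1
      error_message = "Set only one of hub_vpc_id or hub_vpc_crn."
    }
  }
}

# The binding is created on the spoke (vpc_id) and points at the hub (vpc block),
# i.e. POST /v1/vpcs/{spoke_vpc_id}/dns_resolution_bindings with {"vpc": {"id": hub}}
# as in the API call quoted in this thread. Gated on is_spoke so it is never
# created for a hub or when no hub reference was supplied.
resource "ibm_is_vpc_dns_resolution_binding" "spoke_to_hub" {
  count  = local.is_spoke ? 1 : 0
  name   = "${var.prefix}-dns-binding"
  vpc_id = ibm_is_vpc.vpc.id # source: this (spoke) VPC

  vpc {
    id  = var.hub_vpc_id
    crn = var.hub_vpc_crn
  }
}
```

The `lifecycle { precondition }` form needs Terraform 1.2 or later; it is used here because a `validation` block inside a `variable` cannot reference other variables in older Terraform releases, so the cross-variable check has to live on the resource. Running `terraform plan` with `enable_hub = true` together with `hub_vpc_id` now stops at the precondition rather than producing a plan that fails on apply.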

@rajatagarwal-ibm (Member, Author)

Ran both pr_test and others_test locally, and both passed

```text
PASS
ok      github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc 333.621s
```

@vburckhardt vburckhardt changed the title feat: enable hub vpc feat: expose hub vpc inputs Nov 8, 2023
@vburckhardt vburckhardt merged commit 1c15668 into main Nov 8, 2023
@vburckhardt vburckhardt deleted the configure-hub-vpc-id branch November 8, 2023 18:01
@terraform-ibm-modules-ops (Contributor)

🎉 This PR is included in version 7.9.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
