diff --git a/.secrets.baseline b/.secrets.baseline
index 7a65824b..1785bdb0 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
"files": "go.sum|^.secrets.baseline$",
"lines": null
},
- "generated_at": "2023-03-21T00:26:22Z",
+ "generated_at": "2023-03-31T22:07:49Z",
"plugins_used": [
{
"name": "AWSKeyDetector"
diff --git a/README.md b/README.md
index 4ed9fba3..5158b493 100644
--- a/README.md
+++ b/README.md
@@ -95,6 +95,7 @@ You need the following permissions to run this module.
| [ibm_is_vpc_address_prefix.subnet_prefix](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_address_prefix) | resource |
| [ibm_is_vpc_routing_table.route_table](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table) | resource |
| [ibm_is_vpc_routing_table_route.routing_table_routes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table_route) | resource |
+| [ibm_is_vpc_address_prefixes.get_address_prefixes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc_address_prefixes) | data source |
## Inputs
@@ -127,6 +128,7 @@ You need the following permissions to run this module.
| Name | Description |
|------|-------------|
+| [cidr\_blocks](#output\_cidr\_blocks) | List of CIDR blocks present in VPC stack |
| [network\_acls](#output\_network\_acls) | List of shortnames and IDs of network ACLs |
| [public\_gateways](#output\_public\_gateways) | Map of public gateways by zone |
| [subnet\_detail\_list](#output\_subnet\_detail\_list) | A list of subnets containing names, CIDR blocks, and zones. |
diff --git a/examples/default/main.tf b/examples/default/main.tf
index f0942fae..74699444 100644
--- a/examples/default/main.tf
+++ b/examples/default/main.tf
@@ -52,4 +52,5 @@ module "slz_vpc" {
create_authorization_policy_vpc_to_cos = var.create_authorization_policy_vpc_to_cos
existing_cos_instance_guid = ibm_resource_instance.cos_instance[0].guid
existing_storage_bucket_name = ibm_cos_bucket.cos_bucket[0].bucket_name
+ address_prefixes = var.address_prefixes
}
diff --git a/examples/default/outputs.tf b/examples/default/outputs.tf
index 043fd717..fc8a8470 100644
--- a/examples/default/outputs.tf
+++ b/examples/default/outputs.tf
@@ -26,3 +26,8 @@ output "cos_bucket_name" {
value = ibm_cos_bucket.cos_bucket[0].bucket_name
description = "COS bucket name"
}
+
+output "cidr_blocks" {
+ value = module.slz_vpc.cidr_blocks
+ description = "CIDR values"
+}
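Review bot: The example output's description `"CIDR values"` does not match the module output it forwards, which the same commit documents as `"List of CIDR blocks present in VPC stack"` in outputs.tf and module-metadata.json. Keeping the two in step makes the generated README consistent; `description = "List of CIDR blocks present in the VPC"` would do.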
diff --git a/examples/default/variables.tf b/examples/default/variables.tf
index 17f420f7..7ed05151 100644
--- a/examples/default/variables.tf
+++ b/examples/default/variables.tf
@@ -61,3 +61,21 @@ variable "create_authorization_policy_vpc_to_cos" {
type = bool
default = true
}
+
+variable "address_prefixes" {
+ description = "OPTIONAL - IP range that will be defined for the VPC for a certain location. Use only with manual address prefixes"
+ type = object({
+ zone-1 = optional(list(string))
+ zone-2 = optional(list(string))
+ zone-3 = optional(list(string))
+ })
+ default = {
+ zone-1 = ["10.10.10.0/24"]
+ zone-2 = ["10.20.10.0/24"]
+ zone-3 = ["10.30.10.0/24"]
+ }
+ validation {
+ error_message = "Keys for `use_public_gateways` must be in the order `zone-1`, `zone-2`, `zone-3`."
+ condition = var.address_prefixes == null ? true : (keys(var.address_prefixes)[0] == "zone-1" && keys(var.address_prefixes)[1] == "zone-2" && keys(var.address_prefixes)[2] == "zone-3")
+ }
+}
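Review bot: The validation's error message names the wrong input — it says `use_public_gateways` while the block validates `address_prefixes` — so anyone who trips it is pointed at a different variable; replace `use_public_gateways` with `address_prefixes` in the `error_message`. As far as I can tell the condition itself cannot fail: the object type declares all three keys as `optional()`, so they are always present (null when omitted), and `keys()` returns them in lexicographic order, which is already `zone-1, zone-2, zone-3`. What is not checked is that each entry is a CIDR, which is what the downstream `ibm_is_vpc_address_prefix` resources and the new ACL rules actually consume; a condition such as `var.address_prefixes == null ? true : alltrue([for cidrs in values(var.address_prefixes) : alltrue([for c in (cidrs == null ? [] : cidrs) : can(cidrhost(c, 0))])])` would reject malformed values at plan time instead of at apply. The module's own `address_prefixes` variable is not in this diff, so it may already carry such a check; if so, mirroring it here keeps the example honest.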
diff --git a/main.tf b/main.tf
index fbf30fcd..a9d92e87 100644
--- a/main.tf
+++ b/main.tf
@@ -36,6 +36,10 @@ resource "ibm_is_vpc_address_prefix" "address_prefixes" {
cidr = each.value.cidr
}
+data "ibm_is_vpc_address_prefixes" "get_address_prefixes" {
+ depends_on = [ibm_is_vpc_address_prefix.address_prefixes, ibm_is_vpc_address_prefix.subnet_prefix]
+ vpc = ibm_is_vpc.vpc.id
+}
##############################################################################
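Review bot: The `depends_on` on the two `ibm_is_vpc_address_prefix` resources forces Terraform to defer reading this data source to apply time whenever either of them has pending changes, so on the first plan and on any prefix change the ACL rules derived from `address_prefixes` in network_acls.tf and the new `cidr_blocks` output are "known after apply" and cannot be reviewed before apply. That is likely the intended trade-off for reading prefixes the module itself creates, but the reason is not stated; a comment such as `# depends_on: read only after both prefix sets exist; anything derived from this data source is known after apply when prefixes change` would save the next maintainer from "simplifying" it away. It is also worth confirming whether this deferral is what the `IgnoreUpdates` exemption added in tests/pr_test.go is working around, since that exemption hides every future in-place change on the ACL, not just this one.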
diff --git a/module-metadata.json b/module-metadata.json
index 15cfacc6..ed659a5e 100644
--- a/module-metadata.json
+++ b/module-metadata.json
@@ -372,6 +372,14 @@
}
},
"outputs": {
+ "cidr_blocks": {
+ "name": "cidr_blocks",
+ "description": "List of CIDR blocks present in VPC stack",
+ "pos": {
+ "filename": "outputs.tf",
+ "line": 137
+ }
+ },
"network_acls": {
"name": "network_acls",
"description": "List of shortnames and IDs of network ACLs",
@@ -490,7 +498,7 @@
},
"pos": {
"filename": "main.tf",
- "line": 102
+ "line": 106
}
},
"ibm_is_flow_log.flow_logs": {
@@ -510,7 +518,7 @@
},
"pos": {
"filename": "main.tf",
- "line": 113
+ "line": 117
}
},
"ibm_is_network_acl.network_acl": {
@@ -526,7 +534,7 @@
},
"pos": {
"filename": "network_acls.tf",
- "line": 133
+ "line": 137
}
},
"ibm_is_public_gateway.gateway": {
@@ -543,7 +551,7 @@
},
"pos": {
"filename": "main.tf",
- "line": 81
+ "line": 85
}
},
"ibm_is_security_group_rule.default_vpc_rule": {
@@ -632,7 +640,7 @@
},
"pos": {
"filename": "main.tf",
- "line": 46
+ "line": 50
}
},
"ibm_is_vpc_routing_table_route.routing_table_routes": {
@@ -647,11 +655,24 @@
},
"pos": {
"filename": "main.tf",
- "line": 55
+ "line": 59
+ }
+ }
+ },
+ "data_resources": {
+ "data.ibm_is_vpc_address_prefixes.get_address_prefixes": {
+ "mode": "data",
+ "type": "ibm_is_vpc_address_prefixes",
+ "name": "get_address_prefixes",
+ "provider": {
+ "name": "ibm"
+ },
+ "pos": {
+ "filename": "main.tf",
+ "line": 39
}
}
},
- "data_resources": {},
"module_calls": {
"dynamic_values": {
"name": "dynamic_values",
diff --git a/network_acls.tf b/network_acls.tf
index 0e679e2e..bb97dd1a 100644
--- a/network_acls.tf
+++ b/network_acls.tf
@@ -47,24 +47,26 @@ locals {
}
]
- vpc_connectivity_rules = [
- # All connectivity across any subnet within VPC
- # TODO: narrow down to VPC address spaces
+ vpc_inbound_rule = [
+ for address in data.ibm_is_vpc_address_prefixes.get_address_prefixes.address_prefixes :
{
- name = "ibmflow-allow-vpc-connectivity-inbound"
+ name = "ibmflow-allow-vpc-connectivity-inbound-${substr(address.id, -4, -1)}" # Providing unique rule names
action = "allow"
- source = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
+ source = address.cidr
destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
direction = "inbound"
tcp = null
udp = null
icmp = null
- },
+ }
+ ]
+ vpc_outbound_rule = [
+ for address in data.ibm_is_vpc_address_prefixes.get_address_prefixes.address_prefixes :
{
- name = "ibmflow-allow-vpc-connectivity-outbound"
+ name = "ibmflow-allow-vpc-connectivity-outbound-${substr(address.name, -4, -1)}"
action = "allow"
source = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
- destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
+ destination = address.cidr
direction = "outbound"
tcp = null
udp = null
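Review bot: The inbound and outbound rule names are built from different fields — `substr(address.id, -4, -1)` for the inbound rule but `substr(address.name, -4, -1)` for the outbound one — so outbound names collide whenever two prefixes' names share their last four characters, which depends entirely on how callers name prefixes, while the id-based suffix is far less likely to repeat; using `name = "ibmflow-allow-vpc-connectivity-outbound-${substr(address.name, -4, -1)}"` → `substr(address.id, -4, -1)` keeps both rule sets unique for the same reason (the full id is not an option if the 63-character rule-name limit applies, hence the truncation). The removed `# TODO: narrow down to VPC address spaces` is only half resolved: the inbound rule's `destination` and the outbound rule's `source` still fall back to `0.0.0.0/0` when `var.network_cidr` is null, which is a real tightening on the far side (inbound is now restricted to VPC prefixes rather than any source) but leaves the near side wide. For a subnet-attached ACL the near side is presumably bounded by the subnet itself, so this is likely acceptable, but that reasoning should be written down where the `0.0.0.0/0` fallback remains rather than left as an implicit assumption. The `locals` block continues outside this hunk.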
@@ -72,6 +74,8 @@ locals {
}
]
+ vpc_connectivity_rules = distinct(flatten(concat(local.vpc_inbound_rule, local.vpc_outbound_rule)))
+
deny_all_rules = [
{
name = "ibmflow-deny-all-inbound"
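Review bot: `distinct(flatten(concat(local.vpc_inbound_rule, local.vpc_outbound_rule)))` does more than the data needs: both operands are already flat lists of rule objects, so `flatten` is a no-op, and as long as each rule carries its per-prefix name suffix `distinct` removes nothing; `vpc_connectivity_rules = concat(local.vpc_inbound_rule, local.vpc_outbound_rule)` states the intent plainly and does not quietly drop a rule if two entries ever became identical. Separately, the order of rules in this list now follows the order the data source returns prefixes in; if the provider does not return them in a stable order, the ACL will show rule reordering on every plan, which may be the drift the `IgnoreUpdates` exemption in tests/pr_test.go is masking — sorting on `address.cidr` before building the rules would make the order deterministic. The `locals` block continues outside this hunk.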
diff --git a/outputs.tf b/outputs.tf
index a7f7fbf0..15aa2c43 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -134,3 +134,7 @@ output "vpc_flow_logs" {
}
##############################################################################
+output "cidr_blocks" {
+ description = "List of CIDR blocks present in VPC stack"
+ value = [for address in data.ibm_is_vpc_address_prefixes.get_address_prefixes.address_prefixes : address.cidr]
+}
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 6fd03874..3071759d 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -10,12 +10,18 @@ import (
const defaultExampleTerraformDir = "examples/default"
const resourceGroup = "geretain-test-resources"
+// The ACL ignores can be removed once we merge this PR (https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/pull/471)
+var ignoreUpdates = []string{"module.slz_vpc.ibm_is_network_acl.network_acl[\"vpc-acl\"]"}
+
func setupOptions(t *testing.T, prefix string) *testhelper.TestOptions {
options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
Testing: t,
TerraformDir: defaultExampleTerraformDir,
Prefix: prefix,
ResourceGroup: resourceGroup,
+ IgnoreUpdates: testhelper.Exemptions{
+ List: ignoreUpdates,
+ },
})
return options