feat: providing granuarity on network ACLs

README.md

@@ -95,6 +95,7 @@ You need the following permissions to run this module.
 | [ibm_is_vpc_address_prefix.subnet_prefix](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_address_prefix) | resource |
 | [ibm_is_vpc_routing_table.route_table](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table) | resource |
 | [ibm_is_vpc_routing_table_route.routing_table_routes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table_route) | resource |
+| [ibm_is_vpc_address_prefixes.get_address_prefixes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc_address_prefixes) | data source |
 
 ## Inputs
 

examples/default/main.tf

@@ -52,4 +52,5 @@ module "slz_vpc" {
   create_authorization_policy_vpc_to_cos = var.create_authorization_policy_vpc_to_cos
   existing_cos_instance_guid             = ibm_resource_instance.cos_instance[0].guid
   existing_storage_bucket_name           = ibm_cos_bucket.cos_bucket[0].bucket_name
+  address_prefixes                       = var.address_prefixes
 }

examples/default/variables.tf

@@ -61,3 +61,21 @@ variable "create_authorization_policy_vpc_to_cos" {
   type        = bool
   default     = true
 }
+
+variable "address_prefixes" {
+  description = "OPTIONAL - IP range that will be defined for the VPC for a certain location. Use only with manual address prefixes"
+  type = object({
+    zone-1 = optional(list(string))
+    zone-2 = optional(list(string))
+    zone-3 = optional(list(string))
+  })
+  default = {
+    zone-1 = ["10.10.10.0/24", "10.10.12.0/24"]
+    zone-2 = ["10.20.10.0/24"]
+    zone-3 = ["10.30.10.0/24"]
+  }
+  validation {
+    error_message = "Keys for `use_public_gateways` must be in the order `zone-1`, `zone-2`, `zone-3`."
+    condition     = var.address_prefixes == null ? true : (keys(var.address_prefixes)[0] == "zone-1" && keys(var.address_prefixes)[1] == "zone-2" && keys(var.address_prefixes)[2] == "zone-3")
+  }
+}

module-metadata.json

@@ -526,7 +526,7 @@
       },
       "pos": {
         "filename": "network_acls.tf",
-        "line": 133
+        "line": 141
       }
     },
     "ibm_is_public_gateway.gateway": {
@@ -651,7 +651,20 @@
       }
     }
   },
-  "data_resources": {},
+  "data_resources": {
+    "data.ibm_is_vpc_address_prefixes.get_address_prefixes": {
+      "mode": "data",
+      "type": "ibm_is_vpc_address_prefixes",
+      "name": "get_address_prefixes",
+      "provider": {
+        "name": "ibm"
+      },
+      "pos": {
+        "filename": "network_acls.tf",
+        "line": 5
+      }
+    }
+  },
   "module_calls": {
     "dynamic_values": {
       "name": "dynamic_values",

network_acls.tf

@@ -2,6 +2,10 @@
 # Network ACL
 ##############################################################################
 
+data "ibm_is_vpc_address_prefixes" "get_address_prefixes" {
+  vpc = ibm_is_vpc.vpc.id
+}
+
 locals {
   ibm_cloud_internal_rules = [
     # IaaS and PaaS Rules. Note that this coarse grained list will be narrowed in upcoming releases.
@@ -47,31 +51,35 @@ locals {
     }
   ]
 
-  vpc_connectivity_rules = [
-    # All connectivity across any subnet within VPC
-    # TODO: narrow down to VPC address spaces
+  vpc_inbound_rule = [
+    for address in data.ibm_is_vpc_address_prefixes.get_address_prefixes.address_prefixes :
     {
-      name        = "ibmflow-allow-vpc-connectivity-inbound"
+      name        = "ibmflow-allow-vpc-connectivity-inbound-${substr(address.name, 0, 5)}" # Providing unique rule names
       action      = "allow"
-      source      = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
+      source      = address.cidr
       destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
       direction   = "inbound"
       tcp         = null
       udp         = null
       icmp        = null
-    },
+    }
+  ]
+  vpc_outbound_rule = [
+    for address in data.ibm_is_vpc_address_prefixes.get_address_prefixes.address_prefixes :
     {
-      name        = "ibmflow-allow-vpc-connectivity-outbound"
+      name        = "ibmflow-allow-vpc-connectivity-outbound-${substr(address.name, 0, 5)}"
       action      = "allow"
       source      = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
-      destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
+      destination = address.cidr
       direction   = "outbound"
       tcp         = null
       udp         = null
       icmp        = null
     }
   ]
 
+  vpc_connectivity_rules = distinct(flatten(concat(local.vpc_inbound_rule, local.vpc_outbound_rule)))
+
   deny_all_rules = [
     {
       name        = "ibmflow-deny-all-inbound"