Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add option to clear rules from default VPC security group and ACL #516

Merged
merged 25 commits into from
May 5, 2023
Merged
Show file tree
Hide file tree
Changes from 20 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
bd9d99b
feat: add clean default sec group option
toddgiguere Apr 18, 2023
d59a84a
fix: use refresh token for sg cleanup script
toddgiguere Apr 19, 2023
cca7177
feat: add option and resource to remove all default VPC ACL rules
toddgiguere Apr 19, 2023
eff5b11
fix: add sg and acl clean booleans to submodule and example
toddgiguere Apr 19, 2023
8e971ae
Merge branch 'main' into fix-default-acl-sg
toddgiguere Apr 20, 2023
b2a76c8
fix: pre-commit issues
toddgiguere Apr 20, 2023
67834f0
Merge branch 'main' into fix-default-acl-sg
ocofaigh Apr 21, 2023
e3edfc1
fix: python scripts now use all native imports
toddgiguere Apr 21, 2023
a4c8ab7
refactor: pre-commit changes and formatting
toddgiguere Apr 21, 2023
ecaafb3
Merge branch 'main' into fix-default-acl-sg
ocofaigh Apr 24, 2023
d99eb3d
fix: private endpoint support and python common module
toddgiguere Apr 24, 2023
043322f
refactor: removed unintended python files
toddgiguere Apr 24, 2023
3576457
refactor: fixed pre-commit python issues
toddgiguere Apr 24, 2023
0eca7cb
feat: added bash/cli versions of rule removal
toddgiguere Apr 24, 2023
1db71d3
refactor: pre-commit fixes
toddgiguere Apr 24, 2023
96dafea
feat: convert clean rule scripts to bash and cli
toddgiguere Apr 26, 2023
118d156
fix: shellcheck fixes and other pre-commit issues
toddgiguere Apr 26, 2023
315ac89
fix: add resource group to CLI login
toddgiguere Apr 26, 2023
68314d3
fix: null_resource CLI scripts now use unique config dir
toddgiguere Apr 27, 2023
0deadb8
refactor: pre-commit fixes
toddgiguere Apr 27, 2023
ada4fbc
docs: added more verbose variable descriptions
toddgiguere Apr 28, 2023
a76c688
fix: cli remove temp config on exit/error
toddgiguere Apr 28, 2023
5cb28b1
refactor: pre-commit fixes
toddgiguere Apr 28, 2023
9470747
Merge branch 'main' into fix-default-acl-sg
vburckhardt Apr 29, 2023
664753c
Merge branch 'main' into fix-default-acl-sg
toddgiguere May 1, 2023
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -54,3 +54,8 @@ Brewfile.lock.json

# Ignore vscode
.vscode

# Python
venv/
.coverage
__pycache__/
11 changes: 11 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,10 @@ This module creates the following IBM Cloud® Virtual Private Cloud (VPC) net

In addition to this root module, this repository provides two submodules that call the root module with presets and defaults that are aligned with the general [Framework for Financial Services](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-vpc-architecture-about) management and workload VPC topologies. See the [landing-zone-submodules](/landing-zone-submodule/) for details.

## Before you begin

Some features of this module require additional software beyond the [Terraform CLI](https://www.terraform.io/).
- Make sure that you have a recent version of the [IBM Cloud CLI](https://cloud.ibm.com/docs/cli?topic=cli-getting-started)

## Usage
```terraform
Expand Down Expand Up @@ -78,6 +82,7 @@ You need the following permissions to run this module.
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.52.0 |
| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1 |

## Modules

Expand All @@ -101,6 +106,8 @@ You need the following permissions to run this module.
| [ibm_is_vpc_address_prefix.subnet_prefix](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_address_prefix) | resource |
| [ibm_is_vpc_routing_table.route_table](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table) | resource |
| [ibm_is_vpc_routing_table_route.routing_table_routes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table_route) | resource |
| [null_resource.clean_default_acl](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [null_resource.clean_default_security_group](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [ibm_is_vpc_address_prefixes.get_address_prefixes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc_address_prefixes) | data source |

## Inputs
Expand All @@ -109,13 +116,17 @@ You need the following permissions to run this module.
|------|-------------|------|---------|:--------:|
| <a name="input_address_prefixes"></a> [address\_prefixes](#input\_address\_prefixes) | OPTIONAL - IP range that will be defined for the VPC for a certain location. Use only with manual address prefixes | <pre>object({<br> zone-1 = optional(list(string))<br> zone-2 = optional(list(string))<br> zone-3 = optional(list(string))<br> })</pre> | <pre>{<br> "zone-1": null,<br> "zone-2": null,<br> "zone-3": null<br>}</pre> | no |
| <a name="input_classic_access"></a> [classic\_access](#input\_classic\_access) | OPTIONAL - Classic Access to the VPC | `bool` | `false` | no |
| <a name="input_clean_default_acl"></a> [clean\_default\_acl](#input\_clean\_default\_acl) | Remove all rules from the default VPC ACL (less permissive) | `bool` | `false` | no |
| <a name="input_clean_default_security_group"></a> [clean\_default\_security\_group](#input\_clean\_default\_security\_group) | Remove all rules from the default VPC security group (less permissive) | `bool` | `false` | no |
| <a name="input_create_authorization_policy_vpc_to_cos"></a> [create\_authorization\_policy\_vpc\_to\_cos](#input\_create\_authorization\_policy\_vpc\_to\_cos) | Create authorisation policy for VPC to access COS. Set as false if authorization policy exists already | `bool` | `false` | no |
| <a name="input_default_network_acl_name"></a> [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | OPTIONAL - Name of the Default ACL. If null, a name will be automatically generated | `string` | `null` | no |
| <a name="input_default_routing_table_name"></a> [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | OPTIONAL - Name of the Default Routing Table. If null, a name will be automatically generated | `string` | `null` | no |
| <a name="input_default_security_group_name"></a> [default\_security\_group\_name](#input\_default\_security\_group\_name) | OPTIONAL - Name of the Default Security Group. If null, a name will be automatically generated | `string` | `null` | no |
| <a name="input_enable_vpc_flow_logs"></a> [enable\_vpc\_flow\_logs](#input\_enable\_vpc\_flow\_logs) | Flag to enable vpc flow logs. If true, flow log collector will be created | `bool` | `false` | no |
| <a name="input_existing_cos_instance_guid"></a> [existing\_cos\_instance\_guid](#input\_existing\_cos\_instance\_guid) | GUID of the COS instance to create Flow log collector | `string` | `null` | no |
| <a name="input_existing_storage_bucket_name"></a> [existing\_storage\_bucket\_name](#input\_existing\_storage\_bucket\_name) | Name of the COS bucket to collect VPC flow logs | `string` | `null` | no |
| <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | IBM Cloud API Key that will be used for authentication in scripts run in this module. | `string` | `null` | no |
| <a name="input_ibmcloud_api_visibility"></a> [ibmcloud\_api\_visibility](#input\_ibmcloud\_api\_visibility) | IBM Cloud API visibility used by scripts run in this module. Must be 'public', 'private', or 'public-and-private' | `string` | `"public"` | no |
| <a name="input_is_flow_log_collector_active"></a> [is\_flow\_log\_collector\_active](#input\_is\_flow\_log\_collector\_active) | Indicates whether the collector is active. If false, this collector is created in inactive mode. | `bool` | `true` | no |
| <a name="input_name"></a> [name](#input\_name) | Name for VPC | `string` | n/a | yes |
| <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | The list of ACLs to create. Provide at least one rule for each ACL. | <pre>list(<br> object({<br> name = string<br> add_ibm_cloud_internal_rules = optional(bool)<br> add_vpc_connectivity_rules = optional(bool)<br> prepend_ibm_rules = optional(bool)<br> rules = list(<br> object({<br> name = string<br> action = string<br> destination = string<br> direction = string<br> source = string<br> tcp = optional(<br> object({<br> port_max = optional(number)<br> port_min = optional(number)<br> source_port_max = optional(number)<br> source_port_min = optional(number)<br> })<br> )<br> udp = optional(<br> object({<br> port_max = optional(number)<br> port_min = optional(number)<br> source_port_max = optional(number)<br> source_port_min = optional(number)<br> })<br> )<br> icmp = optional(<br> object({<br> type = optional(number)<br> code = optional(number)<br> })<br> )<br> })<br> )<br> })<br> )</pre> | <pre>[<br> {<br> "add_ibm_cloud_internal_rules": true,<br> "add_vpc_connectivity_rules": true,<br> "name": "vpc-acl",<br> "prepend_ibm_rules": true,<br> "rules": []<br> }<br>]</pre> | no |
Expand Down
16 changes: 11 additions & 5 deletions examples/landing_zone/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -40,15 +40,21 @@ module "workload_vpc" {
create_authorization_policy_vpc_to_cos = var.create_authorization_policy_vpc_to_cos
existing_cos_instance_guid = module.cos_bucket[0].cos_instance_guid
existing_cos_bucket_name = module.cos_bucket[0].bucket_name[0]
clean_default_security_group = true
clean_default_acl = true
ibmcloud_api_key = var.ibmcloud_api_key
}


module "management_vpc" {
source = "../../landing-zone-submodule/management-vpc/"
resource_group_id = module.resource_group.resource_group_id
region = var.region
prefix = var.prefix
tags = var.resource_tags
source = "../../landing-zone-submodule/management-vpc/"
resource_group_id = module.resource_group.resource_group_id
region = var.region
prefix = var.prefix
tags = var.resource_tags
clean_default_security_group = true
clean_default_acl = true
ibmcloud_api_key = var.ibmcloud_api_key
}


Expand Down
4 changes: 4 additions & 0 deletions landing-zone-submodule/management-vpc/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,8 @@ No resources.
|------|-------------|------|---------|:--------:|
| <a name="input_address_prefixes"></a> [address\_prefixes](#input\_address\_prefixes) | Use `address_prefixes` only if `use_manual_address_prefixes` is true otherwise prefixes will not be created. Use only if you need to manage prefixes manually. | <pre>object({<br> zone-1 = optional(list(string))<br> zone-2 = optional(list(string))<br> zone-3 = optional(list(string))<br> })</pre> | `null` | no |
| <a name="input_classic_access"></a> [classic\_access](#input\_classic\_access) | Optionally allow VPC to access classic infrastructure network | `bool` | `null` | no |
| <a name="input_clean_default_acl"></a> [clean\_default\_acl](#input\_clean\_default\_acl) | Remove all rules from the default VPC ACL (less permissive) | `bool` | `false` | no |
| <a name="input_clean_default_security_group"></a> [clean\_default\_security\_group](#input\_clean\_default\_security\_group) | Remove all rules from the default VPC security group (less permissive) | `bool` | `false` | no |
| <a name="input_create_authorization_policy_vpc_to_cos"></a> [create\_authorization\_policy\_vpc\_to\_cos](#input\_create\_authorization\_policy\_vpc\_to\_cos) | Set it to true if authorization policy is required for VPC to access COS | `bool` | `false` | no |
| <a name="input_default_network_acl_name"></a> [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | Override default ACL name | `string` | `null` | no |
| <a name="input_default_routing_table_name"></a> [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | Override default VPC routing table name | `string` | `null` | no |
Expand All @@ -37,6 +39,8 @@ No resources.
| <a name="input_enable_vpc_flow_logs"></a> [enable\_vpc\_flow\_logs](#input\_enable\_vpc\_flow\_logs) | Enable VPC Flow Logs, it will create Flow logs collector if set to true | `bool` | `false` | no |
| <a name="input_existing_cos_bucket_name"></a> [existing\_cos\_bucket\_name](#input\_existing\_cos\_bucket\_name) | Name of the COS bucket to collect VPC flow logs | `string` | `null` | no |
| <a name="input_existing_cos_instance_guid"></a> [existing\_cos\_instance\_guid](#input\_existing\_cos\_instance\_guid) | GUID of the COS instance to create Flow log collector | `string` | `null` | no |
| <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | IBM Cloud API Key that will be used for authentication in scripts run in this module. | `string` | `null` | no |
| <a name="input_ibmcloud_api_visibility"></a> [ibmcloud\_api\_visibility](#input\_ibmcloud\_api\_visibility) | IBM Cloud API visibility used by scripts run in this module. Must be 'public', 'private', or 'public-and-private' | `string` | `"public"` | no |
| <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | List of network ACLs to create with VPC | <pre>list(<br> object({<br> name = string<br> add_ibm_cloud_internal_rules = optional(bool)<br> add_vpc_connectivity_rules = optional(bool)<br> prepend_ibm_rules = optional(bool)<br> rules = list(<br> object({<br> name = string<br> action = string<br> destination = string<br> direction = string<br> source = string<br> tcp = optional(<br> object({<br> port_max = optional(number)<br> port_min = optional(number)<br> source_port_max = optional(number)<br> source_port_min = optional(number)<br> })<br> )<br> udp = optional(<br> object({<br> port_max = optional(number)<br> port_min = optional(number)<br> source_port_max = optional(number)<br> source_port_min = optional(number)<br> })<br> )<br> icmp = optional(<br> object({<br> type = optional(number)<br> code = optional(number)<br> })<br> )<br> })<br> )<br> })<br> )</pre> | <pre>[<br> {<br> "add_ibm_cloud_internal_rules": true,<br> "add_vpc_connectivity_rules": true,<br> "name": "management-acl",<br> "prepend_ibm_rules": true,<br> "rules": []<br> }<br>]</pre> | no |
| <a name="input_network_cidr"></a> [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no |
| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix that you would like to append to your resources | `string` | `"management"` | no |
Expand Down
4 changes: 4 additions & 0 deletions landing-zone-submodule/management-vpc/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -23,4 +23,8 @@ module "management_vpc" {
create_authorization_policy_vpc_to_cos = var.create_authorization_policy_vpc_to_cos
existing_cos_instance_guid = var.existing_cos_instance_guid
existing_storage_bucket_name = var.existing_cos_bucket_name
clean_default_security_group = var.clean_default_security_group
clean_default_acl = var.clean_default_acl
ibmcloud_api_visibility = var.ibmcloud_api_visibility
ibmcloud_api_key = var.ibmcloud_api_key
}
30 changes: 30 additions & 0 deletions landing-zone-submodule/management-vpc/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,36 @@ variable "default_security_group_rules" {
default = []
}

variable "clean_default_security_group" {
description = "Remove all rules from the default VPC security group (less permissive)"
type = bool
default = false
}

variable "clean_default_acl" {
description = "Remove all rules from the default VPC ACL (less permissive)"
type = bool
default = false
}

variable "ibmcloud_api_visibility" {
description = "IBM Cloud API visibility used by scripts run in this module. Must be 'public', 'private', or 'public-and-private'"
type = string
default = "public"

validation {
error_message = "IBM Cloud API visibility must be either 'public', 'private', or 'public-and-private'"
condition = (var.ibmcloud_api_visibility == "public") || (var.ibmcloud_api_visibility == "private") || (var.ibmcloud_api_visibility == "public-and-private")
}
}

variable "ibmcloud_api_key" {
description = "IBM Cloud API Key that will be used for authentication in scripts run in this module."
type = string
sensitive = true
default = null
}

variable "address_prefixes" {
description = "Use `address_prefixes` only if `use_manual_address_prefixes` is true otherwise prefixes will not be created. Use only if you need to manage prefixes manually."
type = object({
Expand Down
4 changes: 4 additions & 0 deletions landing-zone-submodule/workload-vpc/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@ No resources.
|------|-------------|------|---------|:--------:|
| <a name="input_address_prefixes"></a> [address\_prefixes](#input\_address\_prefixes) | Use `address_prefixes` only if `use_manual_address_prefixes` is true otherwise prefixes will not be created. Use only if you need to manage prefixes manually. | <pre>object({<br> zone-1 = optional(list(string))<br> zone-2 = optional(list(string))<br> zone-3 = optional(list(string))<br> })</pre> | `null` | no |
| <a name="input_classic_access"></a> [classic\_access](#input\_classic\_access) | Optionally allow VPC to access classic infrastructure network | `bool` | `null` | no |
| <a name="input_clean_default_acl"></a> [clean\_default\_acl](#input\_clean\_default\_acl) | Remove all rules from the default VPC ACL (less permissive) | `bool` | `false` | no |
| <a name="input_clean_default_security_group"></a> [clean\_default\_security\_group](#input\_clean\_default\_security\_group) | Remove all rules from the default VPC security group (less permissive) | `bool` | `false` | no |
| <a name="input_create_authorization_policy_vpc_to_cos"></a> [create\_authorization\_policy\_vpc\_to\_cos](#input\_create\_authorization\_policy\_vpc\_to\_cos) | Set it to true if authorization policy is required for VPC to access COS | `bool` | `false` | no |
| <a name="input_default_network_acl_name"></a> [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | Override default ACL name | `string` | `null` | no |
| <a name="input_default_routing_table_name"></a> [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | Override default VPC routing table name | `string` | `null` | no |
Expand All @@ -38,6 +40,8 @@ No resources.
| <a name="input_enable_vpc_flow_logs"></a> [enable\_vpc\_flow\_logs](#input\_enable\_vpc\_flow\_logs) | Enable VPC Flow Logs, it will create Flow logs collector if set to true | `bool` | `false` | no |
| <a name="input_existing_cos_bucket_name"></a> [existing\_cos\_bucket\_name](#input\_existing\_cos\_bucket\_name) | Name of the COS bucket to collect VPC flow logs | `string` | `null` | no |
| <a name="input_existing_cos_instance_guid"></a> [existing\_cos\_instance\_guid](#input\_existing\_cos\_instance\_guid) | GUID of the COS instance to create Flow log collector | `string` | `null` | no |
| <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | IBM Cloud API Key that will be used for authentication in scripts run in this module. | `string` | `null` | no |
| <a name="input_ibmcloud_api_visibility"></a> [ibmcloud\_api\_visibility](#input\_ibmcloud\_api\_visibility) | IBM Cloud API visibility used by scripts run in this module. Must be 'public', 'private', or 'public-and-private' | `string` | `"public"` | no |
| <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | List of network ACLs to create with VPC | <pre>list(<br> object({<br> name = string<br> add_ibm_cloud_internal_rules = optional(bool)<br> add_vpc_connectivity_rules = optional(bool)<br> prepend_ibm_rules = optional(bool)<br> rules = list(<br> object({<br> name = string<br> action = string<br> destination = string<br> direction = string<br> source = string<br> tcp = optional(<br> object({<br> port_max = optional(number)<br> port_min = optional(number)<br> source_port_max = optional(number)<br> source_port_min = optional(number)<br> })<br> )<br> udp = optional(<br> object({<br> port_max = optional(number)<br> port_min = optional(number)<br> source_port_max = optional(number)<br> source_port_min = optional(number)<br> })<br> )<br> icmp = optional(<br> object({<br> type = optional(number)<br> code = optional(number)<br> })<br> )<br> })<br> )<br> })<br> )</pre> | <pre>[<br> {<br> "add_ibm_cloud_internal_rules": true,<br> "add_vpc_connectivity_rules": true,<br> "name": "workload-acl",<br> "prepend_ibm_rules": true,<br> "rules": []<br> }<br>]</pre> | no |
| <a name="input_network_cidr"></a> [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no |
| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix that you would like to append to your resources | `string` | `"workload"` | no |
Expand Down
Loading