terraform-ibm-modules · ocofaigh · May 5, 2023 · Apr 18, 2023 · Apr 19, 2023 · Apr 19, 2023
@@ -78,6 +78,7 @@ You need the following permissions to run this module.
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.52.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1 |
 
 ## Modules
 
@@ -101,6 +102,9 @@ You need the following permissions to run this module.
 | [ibm_is_vpc_address_prefix.subnet_prefix](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_address_prefix) | resource |
 | [ibm_is_vpc_routing_table.route_table](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table) | resource |
 | [ibm_is_vpc_routing_table_route.routing_table_routes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table_route) | resource |
+| [null_resource.clean_default_acl](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.clean_default_security_group](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [ibm_iam_auth_token.tokendata](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/iam_auth_token) | data source |
 | [ibm_is_vpc_address_prefixes.get_address_prefixes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc_address_prefixes) | data source |
 
 ## Inputs
@@ -109,6 +113,8 @@ You need the following permissions to run this module.
 |------|-------------|------|---------|:--------:|
 | <a name="input_address_prefixes"></a> [address\_prefixes](#input\_address\_prefixes) | OPTIONAL - IP range that will be defined for the VPC for a certain location. Use only with manual address prefixes | <pre>object({<br>    zone-1 = optional(list(string))<br>    zone-2 = optional(list(string))<br>    zone-3 = optional(list(string))<br>  })</pre> | <pre>{<br>  "zone-1": null,<br>  "zone-2": null,<br>  "zone-3": null<br>}</pre> | no |
 | <a name="input_classic_access"></a> [classic\_access](#input\_classic\_access) | OPTIONAL - Classic Access to the VPC | `bool` | `false` | no |
+| <a name="input_clean_default_acl"></a> [clean\_default\_acl](#input\_clean\_default\_acl) | Remove all rules from the default VPC ACL (less permissive) | `bool` | `false` | no |
+| <a name="input_clean_default_security_group"></a> [clean\_default\_security\_group](#input\_clean\_default\_security\_group) | Remove all rules from the default VPC security group (less permissive) | `bool` | `false` | no |
 | <a name="input_create_authorization_policy_vpc_to_cos"></a> [create\_authorization\_policy\_vpc\_to\_cos](#input\_create\_authorization\_policy\_vpc\_to\_cos) | Create authorisation policy for VPC to access COS. Set as false if authorization policy exists already | `bool` | `false` | no |
 | <a name="input_default_network_acl_name"></a> [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | OPTIONAL - Name of the Default ACL. If null, a name will be automatically generated | `string` | `null` | no |
 | <a name="input_default_routing_table_name"></a> [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | OPTIONAL - Name of the Default Routing Table. If null, a name will be automatically generated | `string` | `null` | no |

@@ -40,15 +40,19 @@ module "workload_vpc" {
   create_authorization_policy_vpc_to_cos = var.create_authorization_policy_vpc_to_cos
   existing_cos_instance_guid             = module.cos_bucket[0].cos_instance_guid
   existing_cos_bucket_name               = module.cos_bucket[0].bucket_name[0]
+  clean_default_security_group           = true
+  clean_default_acl                      = true
 }
 
 
 module "management_vpc" {
-  source            = "../../landing-zone-submodule/management-vpc/"
-  resource_group_id = module.resource_group.resource_group_id
-  region            = var.region
-  prefix            = var.prefix
-  tags              = var.resource_tags
+  source                       = "../../landing-zone-submodule/management-vpc/"
+  resource_group_id            = module.resource_group.resource_group_id
+  region                       = var.region
+  prefix                       = var.prefix
+  tags                         = var.resource_tags
+  clean_default_security_group = true
+  clean_default_acl            = true
 }
 
 

@@ -29,6 +29,8 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_address_prefixes"></a> [address\_prefixes](#input\_address\_prefixes) | Use `address_prefixes` only if `use_manual_address_prefixes` is true otherwise prefixes will not be created. Use only if you need to manage prefixes manually. | <pre>object({<br>    zone-1 = optional(list(string))<br>    zone-2 = optional(list(string))<br>    zone-3 = optional(list(string))<br>  })</pre> | `null` | no |
 | <a name="input_classic_access"></a> [classic\_access](#input\_classic\_access) | Optionally allow VPC to access classic infrastructure network | `bool` | `null` | no |
+| <a name="input_clean_default_acl"></a> [clean\_default\_acl](#input\_clean\_default\_acl) | Remove all rules from the default VPC ACL (less permissive) | `bool` | `false` | no |
+| <a name="input_clean_default_security_group"></a> [clean\_default\_security\_group](#input\_clean\_default\_security\_group) | Remove all rules from the default VPC security group (less permissive) | `bool` | `false` | no |
 | <a name="input_create_authorization_policy_vpc_to_cos"></a> [create\_authorization\_policy\_vpc\_to\_cos](#input\_create\_authorization\_policy\_vpc\_to\_cos) | Set it to true if authorization policy is required for VPC to access COS | `bool` | `false` | no |
 | <a name="input_default_network_acl_name"></a> [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | Override default ACL name | `string` | `null` | no |
 | <a name="input_default_routing_table_name"></a> [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | Override default VPC routing table name | `string` | `null` | no |

@@ -23,4 +23,6 @@ module "management_vpc" {
   create_authorization_policy_vpc_to_cos = var.create_authorization_policy_vpc_to_cos
   existing_cos_instance_guid             = var.existing_cos_instance_guid
   existing_storage_bucket_name           = var.existing_cos_bucket_name
+  clean_default_security_group           = var.clean_default_security_group
+  clean_default_acl                      = var.clean_default_acl
 }
@@ -87,6 +87,18 @@ variable "default_security_group_rules" {
   default = []
 }
 
+variable "clean_default_security_group" {
+  description = "Remove all rules from the default VPC security group (less permissive)"
+  type        = bool
+  default     = false
+}
+
+variable "clean_default_acl" {
+  description = "Remove all rules from the default VPC ACL (less permissive)"
+  type        = bool
+  default     = false
+}
+
 variable "address_prefixes" {
   description = "Use `address_prefixes` only if `use_manual_address_prefixes` is true otherwise prefixes will not be created. Use only if you need to manage prefixes manually."
   type = object({

@@ -30,6 +30,8 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_address_prefixes"></a> [address\_prefixes](#input\_address\_prefixes) | Use `address_prefixes` only if `use_manual_address_prefixes` is true otherwise prefixes will not be created. Use only if you need to manage prefixes manually. | <pre>object({<br>    zone-1 = optional(list(string))<br>    zone-2 = optional(list(string))<br>    zone-3 = optional(list(string))<br>  })</pre> | `null` | no |
 | <a name="input_classic_access"></a> [classic\_access](#input\_classic\_access) | Optionally allow VPC to access classic infrastructure network | `bool` | `null` | no |
+| <a name="input_clean_default_acl"></a> [clean\_default\_acl](#input\_clean\_default\_acl) | Remove all rules from the default VPC ACL (less permissive) | `bool` | `false` | no |
+| <a name="input_clean_default_security_group"></a> [clean\_default\_security\_group](#input\_clean\_default\_security\_group) | Remove all rules from the default VPC security group (less permissive) | `bool` | `false` | no |
 | <a name="input_create_authorization_policy_vpc_to_cos"></a> [create\_authorization\_policy\_vpc\_to\_cos](#input\_create\_authorization\_policy\_vpc\_to\_cos) | Set it to true if authorization policy is required for VPC to access COS | `bool` | `false` | no |
 | <a name="input_default_network_acl_name"></a> [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | Override default ACL name | `string` | `null` | no |
 | <a name="input_default_routing_table_name"></a> [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | Override default VPC routing table name | `string` | `null` | no |

@@ -23,4 +23,6 @@ module "workload_vpc" {
   create_authorization_policy_vpc_to_cos = var.create_authorization_policy_vpc_to_cos
   existing_cos_instance_guid             = var.existing_cos_instance_guid
   existing_storage_bucket_name           = var.existing_cos_bucket_name
+  clean_default_security_group           = var.clean_default_security_group
+  clean_default_acl                      = var.clean_default_acl
 }
@@ -87,6 +87,18 @@ variable "default_security_group_rules" {
   default = []
 }
 
+variable "clean_default_security_group" {
+  description = "Remove all rules from the default VPC security group (less permissive)"
+  type        = bool
+  default     = false
+}
+
+variable "clean_default_acl" {
+  description = "Remove all rules from the default VPC ACL (less permissive)"
+  type        = bool
+  default     = false
+}
+
 variable "address_prefixes" {
   description = "Use `address_prefixes` only if `use_manual_address_prefixes` is true otherwise prefixes will not be created. Use only if you need to manage prefixes manually."
   type = object({

@@ -126,3 +126,49 @@ resource "ibm_is_flow_log" "flow_logs" {
 }
 
 ##############################################################################
+
+##############################################################################
+# Clean default network objects if required
+##############################################################################
+
+locals {
+  # only get auth tokens if needed
+  auth_token_required = (var.clean_default_security_group || var.clean_default_acl) ? true : false
+}
+
+# valid refresh token from provider is needed for scripts
+data "ibm_iam_auth_token" "tokendata" {
+  count = local.auth_token_required ? 1 : 0
+}
+
+resource "null_resource" "clean_default_security_group" {
+  count = (var.clean_default_security_group) ? 1 : 0
+  # only clean if default security group changes
+  triggers = {
+    security_group_id = ibm_is_vpc.vpc.default_security_group
+  }
+
+  provisioner "local-exec" {
+    command     = "/usr/bin/env python3 ${path.module}/scripts/fix_security_group.py --ibmApiRefreshTokenEnvName \"IBMCLOUD_REFRESH_TOKEN\" --security_group_id \"${ibm_is_vpc.vpc.default_security_group}\" --region \"${var.region}\""
+    interpreter = ["/bin/bash", "-c"]
+    environment = {
+      IBMCLOUD_REFRESH_TOKEN = data.ibm_iam_auth_token.tokendata[0].iam_refresh_token
+    }
+  }
+}
+
+resource "null_resource" "clean_default_acl" {
+  count = (var.clean_default_acl) ? 1 : 0
+  # only clean if default acl changes
+  triggers = {
+    acl_id = ibm_is_vpc.vpc.default_network_acl
+  }
+
+  provisioner "local-exec" {
+    command     = "/usr/bin/env python3 ${path.module}/scripts/fix_access_control_list.py --ibmApiRefreshTokenEnvName \"IBMCLOUD_REFRESH_TOKEN\" --acl_id \"${ibm_is_vpc.vpc.default_network_acl}\" --region \"${var.region}\""
+    interpreter = ["/bin/bash", "-c"]
+    environment = {
+      IBMCLOUD_REFRESH_TOKEN = data.ibm_iam_auth_token.tokendata[0].iam_refresh_token
+    }
+  }
+}
@@ -33,14 +33,40 @@
       },
       "immutable": true
     },
+    "clean_default_acl": {
+      "name": "clean_default_acl",
+      "type": "bool",
+      "description": "Remove all rules from the default VPC ACL (less permissive)",
+      "default": false,
+      "source": [
+        "null_resource.clean_default_acl.count"
+      ],
+      "pos": {
+        "filename": "variables.tf",
+        "line": 372
+      }
+    },
+    "clean_default_security_group": {
+      "name": "clean_default_security_group",
+      "type": "bool",
+      "description": "Remove all rules from the default VPC security group (less permissive)",
+      "default": false,
+      "source": [
+        "null_resource.clean_default_security_group.count"
+      ],
+      "pos": {
+        "filename": "variables.tf",
+        "line": 366
+      }
+    },
     "create_authorization_policy_vpc_to_cos": {
       "name": "create_authorization_policy_vpc_to_cos",
       "type": "bool",
       "description": "Create authorisation policy for VPC to access COS. Set as false if authorization policy exists already",
       "default": false,
       "pos": {
         "filename": "variables.tf",
-        "line": 408
+        "line": 419
       }
     },
     "default_network_acl_name": {
@@ -102,7 +128,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 402
+        "line": 413
       }
     },
     "existing_cos_instance_guid": {
@@ -114,7 +140,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 414
+        "line": 425
       },
       "immutable": true,
       "computed": true
@@ -129,7 +155,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 420
+        "line": 431
       },
       "immutable": true
     },
@@ -143,7 +169,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 426
+        "line": 437
       }
     },
     "name": {
@@ -257,7 +283,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 374
+        "line": 385
       }
     },
     "security_group_rules": {
@@ -468,6 +494,12 @@
       "version_constraints": [
         "\u003e= 1.52.0"
       ]
+    },
+    "null": {
+      "source": "hashicorp/null",
+      "version_constraints": [
+        "\u003e= 3.2.1"
+      ]
     }
   },
   "managed_resources": {
@@ -643,9 +675,51 @@
         "filename": "main.tf",
         "line": 59
       }
+    },
+    "null_resource.clean_default_acl": {
+      "mode": "managed",
+      "type": "null_resource",
+      "name": "clean_default_acl",
+      "attributes": {
+        "count": "clean_default_acl"
+      },
+      "provider": {
+        "name": "null"
+      },
+      "pos": {
+        "filename": "main.tf",
+        "line": 160
+      }
+    },
+    "null_resource.clean_default_security_group": {
+      "mode": "managed",
+      "type": "null_resource",
+      "name": "clean_default_security_group",
+      "attributes": {
+        "count": "clean_default_security_group"
+      },
+      "provider": {
+        "name": "null"
+      },
+      "pos": {
+        "filename": "main.tf",
+        "line": 144
+      }
     }
   },
   "data_resources": {
+    "data.ibm_iam_auth_token.tokendata": {
+      "mode": "data",
+      "type": "ibm_iam_auth_token",
+      "name": "tokendata",
+      "provider": {
+        "name": "ibm"
+      },
+      "pos": {
+        "filename": "main.tf",
+        "line": 140
+      }
+    },
     "data.ibm_is_vpc_address_prefixes.get_address_prefixes": {
       "mode": "data",
       "type": "ibm_is_vpc_address_prefixes",