feat: add access tags and utilize in examples/tests #537

Merged
merged 4 commits into from
May 18, 2023
feat: add access tags and utilize in examples/tests
MatthewLemmond committed May 2, 2023

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
commit 36e15d03b42342098eb9e523fc28785fd9f73ae6
7 changes: 7 additions & 0 deletions README.md
@@ -63,6 +63,12 @@ You need the following permissions to run this module.
- **Resource Group** \<your resource group>
- `Viewer` resource group access

Optionally, you need the following permissions to attach Access Management tags to resources in this module.

- IAM Services
- **Tagging** service
- `Administrator` platform access

<!-- BEGIN EXAMPLES HOOK -->
## Examples

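Review bot: The new permissions paragraph lists the `Administrator` platform role on the Tagging service, but it does not say that the access tags themselves must already exist in the account; the module only attaches tags passed in through `access_tags` (the test pulls pre-created ones from `permanentResources["accessTags"]`). Suggest adding one sentence such as "Access tags must be created in the account before they can be attached by this module", so readers do not expect the module to create them.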
@@ -107,6 +113,7 @@ You need the following permissions to run this module.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | A list of access tags to apply to the resources created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details | `list(string)` | `[]` | no |
| <a name="input_address_prefixes"></a> [address\_prefixes](#input\_address\_prefixes) | OPTIONAL - IP range that will be defined for the VPC for a certain location. Use only with manual address prefixes | <pre>object({<br> zone-1 = optional(list(string))<br> zone-2 = optional(list(string))<br> zone-3 = optional(list(string))<br> })</pre> | <pre>{<br> "zone-1": null,<br> "zone-2": null,<br> "zone-3": null<br>}</pre> | no |
| <a name="input_classic_access"></a> [classic\_access](#input\_classic\_access) | OPTIONAL - Classic Access to the VPC | `bool` | `false` | no |
| <a name="input_create_authorization_policy_vpc_to_cos"></a> [create\_authorization\_policy\_vpc\_to\_cos](#input\_create\_authorization\_policy\_vpc\_to\_cos) | Create authorisation policy for VPC to access COS. Set as false if authorization policy exists already | `bool` | `false` | no |
1 change: 1 addition & 0 deletions examples/default/main.tf
@@ -48,6 +48,7 @@ module "slz_vpc" {
name = var.name
prefix = var.prefix
tags = var.resource_tags
access_tags = var.access_tags
enable_vpc_flow_logs = var.enable_vpc_flow_logs
create_authorization_policy_vpc_to_cos = var.create_authorization_policy_vpc_to_cos
existing_cos_instance_guid = ibm_resource_instance.cos_instance[0].guid
6 changes: 6 additions & 0 deletions examples/default/variables.tf
@@ -34,6 +34,12 @@ variable "resource_tags" {
default = null
}

variable "access_tags" {
type = list(string)
description = "Optional list of access tags to be added to the created Key Protect instance"
default = []
}

variable "enable_vpc_flow_logs" {
type = bool
description = "Enable VPC Flow Logs, it will create Flow logs collector if set to true"
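Review bot: The `description` on `access_tags` says the tags are "added to the created Key Protect instance", which looks copied from another module; this example creates a VPC through `module "slz_vpc"`, so the text should describe the VPC resources, e.g. reuse the root module wording "A list of access tags to apply to the resources created by the module". The example variable also has no `validation` block; that is acceptable because the root module's validation still rejects malformed tags at plan time, but the description should be corrected before any README is regenerated from it.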
2 changes: 2 additions & 0 deletions examples/landing_zone/main.tf
@@ -36,6 +36,7 @@ module "workload_vpc" {
region = var.region
prefix = var.prefix
tags = var.resource_tags
access_tags = var.access_tags
enable_vpc_flow_logs = var.enable_vpc_flow_logs
create_authorization_policy_vpc_to_cos = var.create_authorization_policy_vpc_to_cos
existing_cos_instance_guid = module.cos_bucket[0].cos_instance_guid
@@ -49,6 +50,7 @@ module "management_vpc" {
region = var.region
prefix = var.prefix
tags = var.resource_tags
access_tags = var.access_tags
}


5 changes: 5 additions & 0 deletions examples/landing_zone/variables.tf
@@ -28,6 +28,11 @@ variable "resource_tags" {
default = null
}

variable "access_tags" {
type = list(string)
description = "Optional list of access tags to be added to the created Key Protect instance"
default = []
}

##############################################################################
# VPC flow logs variables
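Review bot: Same copy-paste issue as in the default example: the `description` refers to "the created Key Protect instance", but this variable feeds `module "workload_vpc"` and `module "management_vpc"`, which create VPCs. Suggest the root module wording ("A list of access tags to apply to the resources created by the module") so the two examples and the root variable stay consistent.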
1 change: 1 addition & 0 deletions landing-zone-submodule/management-vpc/README.md
@@ -27,6 +27,7 @@ No resources.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | Optional list of access tags to be added to the created Key Protect instance | `list(string)` | `[]` | no |
| <a name="input_address_prefixes"></a> [address\_prefixes](#input\_address\_prefixes) | Use `address_prefixes` only if `use_manual_address_prefixes` is true otherwise prefixes will not be created. Use only if you need to manage prefixes manually. | <pre>object({<br> zone-1 = optional(list(string))<br> zone-2 = optional(list(string))<br> zone-3 = optional(list(string))<br> })</pre> | `null` | no |
| <a name="input_classic_access"></a> [classic\_access](#input\_classic\_access) | Optionally allow VPC to access classic infrastructure network | `bool` | `null` | no |
| <a name="input_create_authorization_policy_vpc_to_cos"></a> [create\_authorization\_policy\_vpc\_to\_cos](#input\_create\_authorization\_policy\_vpc\_to\_cos) | Set it to true if authorization policy is required for VPC to access COS | `bool` | `false` | no |
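Review bot: The generated table row for `access_tags` describes "the created Key Protect instance", which is wrong for the management VPC submodule. The `<a name="input_...">` anchors show this README is terraform-docs output from the submodule's `variables.tf`, so fix the description there and regenerate the table rather than editing this row by hand, otherwise the next docs run will reintroduce the wrong text.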
1 change: 1 addition & 0 deletions landing-zone-submodule/management-vpc/main.tf
@@ -6,6 +6,7 @@ module "management_vpc" {
source = "../../"
name = "management"
tags = var.tags
access_tags = var.access_tags
resource_group_id = var.resource_group_id
region = var.region
prefix = var.prefix
5 changes: 5 additions & 0 deletions landing-zone-submodule/management-vpc/variables.tf
@@ -21,6 +21,11 @@ variable "tags" {
default = []
}

variable "access_tags" {
type = list(string)
description = "Optional list of access tags to be added to the created Key Protect instance"
default = []
}

#############################################################################
# VPC variables
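Review bot: The `description` for `access_tags` in the management VPC submodule still says "Key Protect instance"; this variable is passed to `module "management_vpc"` in the submodule's `main.tf`, so it should describe the VPC resources. This is the source the submodule README table is generated from, so correcting it here fixes the README as well.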
1 change: 1 addition & 0 deletions landing-zone-submodule/workload-vpc/README.md
@@ -28,6 +28,7 @@ No resources.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | Optional list of access tags to be added to the created Key Protect instance | `list(string)` | `[]` | no |
| <a name="input_address_prefixes"></a> [address\_prefixes](#input\_address\_prefixes) | Use `address_prefixes` only if `use_manual_address_prefixes` is true otherwise prefixes will not be created. Use only if you need to manage prefixes manually. | <pre>object({<br> zone-1 = optional(list(string))<br> zone-2 = optional(list(string))<br> zone-3 = optional(list(string))<br> })</pre> | `null` | no |
| <a name="input_classic_access"></a> [classic\_access](#input\_classic\_access) | Optionally allow VPC to access classic infrastructure network | `bool` | `null` | no |
| <a name="input_create_authorization_policy_vpc_to_cos"></a> [create\_authorization\_policy\_vpc\_to\_cos](#input\_create\_authorization\_policy\_vpc\_to\_cos) | Set it to true if authorization policy is required for VPC to access COS | `bool` | `false` | no |
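Review bot: As with the management VPC README, the `access_tags` row inherits the "Key Protect instance" description from the workload submodule's `variables.tf`; fix the source description and regenerate instead of patching the generated table.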
1 change: 1 addition & 0 deletions landing-zone-submodule/workload-vpc/main.tf
@@ -6,6 +6,7 @@ module "workload_vpc" {
source = "../../"
name = "workload"
tags = var.tags
access_tags = var.access_tags
resource_group_id = var.resource_group_id
region = var.region
prefix = var.prefix
6 changes: 6 additions & 0 deletions landing-zone-submodule/workload-vpc/variables.tf
@@ -21,6 +21,12 @@ variable "tags" {
default = []
}

variable "access_tags" {
type = list(string)
description = "Optional list of access tags to be added to the created Key Protect instance"
default = []
}

#############################################################################
# VPC variables
#############################################################################
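Review bot: The `description` for `access_tags` in the workload VPC submodule repeats the "Key Protect instance" wording; the variable is passed to `module "workload_vpc"` in this submodule's `main.tf`, so it should describe VPC resources. Suggest the same sentence used by the root module so all five declarations of this variable read the same.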
3 changes: 3 additions & 0 deletions main.tf
@@ -11,6 +11,7 @@ resource "ibm_is_vpc" "vpc" {
default_security_group_name = var.default_security_group_name
default_routing_table_name = var.default_routing_table_name
tags = var.tags
access_tags = var.access_tags
}

##############################################################################
@@ -89,6 +90,7 @@ resource "ibm_is_public_gateway" "gateway" {
resource_group = var.resource_group_id
zone = each.value
tags = var.tags
access_tags = var.access_tags
}

##############################################################################
@@ -123,6 +125,7 @@ resource "ibm_is_flow_log" "flow_logs" {
storage_bucket = var.existing_storage_bucket_name
resource_group = var.resource_group_id
tags = var.tags
access_tags = var.access_tags
}

##############################################################################
75 changes: 52 additions & 23 deletions module-metadata.json
@@ -1,6 +1,30 @@
{
"path": ".",
"variables": {
"access_tags": {
"name": "access_tags",
"type": "list(string)",
"description": "A list of access tags to apply to the resources created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details",
"default": [],
"source": [
"ibm_is_flow_log.flow_logs.access_tags",
"ibm_is_network_acl.network_acl.access_tags",
"ibm_is_public_gateway.gateway.access_tags",
"ibm_is_subnet.subnet.access_tags",
"ibm_is_vpc.vpc.access_tags"
],
"pos": {
"filename": "variables.tf",
"line": 31
},
"min_length": 1,
"max_length": 128,
"matches": "^([A-Za-z0-9_.-]|[A-Za-z0-9_.-][A-Za-z0-9_ .-]*[A-Za-z0-9_.-]):([A-Za-z0-9_.-]|[A-Za-z0-9_.-][A-Za-z0-9_ .-]*[A-Za-z0-9_.-])$",
"computed": true,
"elem": {
"type": "TypeString"
}
},
"address_prefixes": {
"name": "address_prefixes",
"type": "object({\n zone-1 = optional(list(string))\n zone-2 = optional(list(string))\n zone-3 = optional(list(string))\n })",
@@ -16,7 +40,7 @@
],
"pos": {
"filename": "variables.tf",
"line": 67
"line": 80
}
},
"classic_access": {
@@ -29,7 +53,7 @@
],
"pos": {
"filename": "variables.tf",
"line": 43
"line": 56
},
"immutable": true
},
@@ -40,7 +64,7 @@
"default": false,
"pos": {
"filename": "variables.tf",
"line": 408
"line": 421
}
},
"default_network_acl_name": {
@@ -52,7 +76,7 @@
],
"pos": {
"filename": "variables.tf",
"line": 49
"line": 62
},
"min_length": 1,
"max_length": 63,
@@ -68,7 +92,7 @@
],
"pos": {
"filename": "variables.tf",
"line": 61
"line": 74
},
"min_length": 1,
"max_length": 63,
@@ -84,7 +108,7 @@
],
"pos": {
"filename": "variables.tf",
"line": 55
"line": 68
},
"min_length": 1,
"max_length": 63,
@@ -102,7 +126,7 @@
],
"pos": {
"filename": "variables.tf",
"line": 402
"line": 415
}
},
"existing_cos_instance_guid": {
@@ -114,7 +138,7 @@
],
"pos": {
"filename": "variables.tf",
"line": 414
"line": 427
},
"immutable": true,
"computed": true
@@ -129,7 +153,7 @@
],
"pos": {
"filename": "variables.tf",
"line": 420
"line": 433
},
"immutable": true
},
@@ -143,7 +167,7 @@
],
"pos": {
"filename": "variables.tf",
"line": 426
"line": 439
}
},
"name": {
@@ -174,7 +198,7 @@
],
"pos": {
"filename": "variables.tf",
"line": 92
"line": 105
}
},
"network_cidr": {
@@ -187,7 +211,7 @@
],
"pos": {
"filename": "variables.tf",
"line": 37
"line": 50
}
},
"prefix": {
@@ -257,7 +281,7 @@
],
"pos": {
"filename": "variables.tf",
"line": 374
"line": 387
}
},
"security_group_rules": {
@@ -276,7 +300,7 @@
],
"pos": {
"filename": "variables.tf",
"line": 308
"line": 321
}
},
"subnets": {
@@ -314,7 +338,7 @@
],
"pos": {
"filename": "variables.tf",
"line": 245
"line": 258
}
},
"tags": {
@@ -353,7 +377,7 @@
],
"pos": {
"filename": "variables.tf",
"line": 219
"line": 232
}
}
},
@@ -484,14 +508,15 @@
},
"pos": {
"filename": "main.tf",
"line": 106
"line": 108
}
},
"ibm_is_flow_log.flow_logs": {
"mode": "managed",
"type": "ibm_is_flow_log",
"name": "flow_logs",
"attributes": {
"access_tags": "access_tags",
"active": "is_flow_log_collector_active",
"count": "enable_vpc_flow_logs",
"name": "prefix",
@@ -504,14 +529,15 @@
},
"pos": {
"filename": "main.tf",
"line": 117
"line": 119
}
},
"ibm_is_network_acl.network_acl": {
"mode": "managed",
"type": "ibm_is_network_acl",
"name": "network_acl",
"attributes": {
"access_tags": "access_tags",
"name": "prefix",
"resource_group": "resource_group_id"
},
@@ -528,6 +554,7 @@
"type": "ibm_is_public_gateway",
"name": "gateway",
"attributes": {
"access_tags": "access_tags",
"name": "prefix",
"resource_group": "resource_group_id",
"tags": "tags"
@@ -537,7 +564,7 @@
},
"pos": {
"filename": "main.tf",
"line": 85
"line": 86
}
},
"ibm_is_security_group_rule.default_vpc_rule": {
@@ -557,6 +584,7 @@
"type": "ibm_is_subnet",
"name": "subnet",
"attributes": {
"access_tags": "access_tags",
"resource_group": "resource_group_id",
"tags": "tags"
},
@@ -573,6 +601,7 @@
"type": "ibm_is_vpc",
"name": "vpc",
"attributes": {
"access_tags": "access_tags",
"address_prefix_management": "address_prefixes",
"classic_access": "classic_access",
"default_network_acl_name": "default_network_acl_name",
@@ -599,7 +628,7 @@
},
"pos": {
"filename": "main.tf",
"line": 31
"line": 32
}
},
"ibm_is_vpc_address_prefix.subnet_prefix": {
@@ -626,7 +655,7 @@
},
"pos": {
"filename": "main.tf",
"line": 50
"line": 51
}
},
"ibm_is_vpc_routing_table_route.routing_table_routes": {
@@ -641,7 +670,7 @@
},
"pos": {
"filename": "main.tf",
"line": 59
"line": 60
}
}
},
@@ -655,7 +684,7 @@
},
"pos": {
"filename": "main.tf",
"line": 39
"line": 40
}
}
},
1 change: 1 addition & 0 deletions network_acls.tf
@@ -139,6 +139,7 @@ resource "ibm_is_network_acl" "network_acl" {
name = "${var.prefix}-${each.key}" #already has name of vpc in each.key
vpc = ibm_is_vpc.vpc.id
resource_group = var.resource_group_id
access_tags = var.access_tags

# Create ACL rules
dynamic "rules" {
1 change: 1 addition & 0 deletions subnet.tf
@@ -39,6 +39,7 @@ resource "ibm_is_subnet" "subnet" {
network_acl = ibm_is_network_acl.network_acl[each.value.acl].id
public_gateway = each.value.public_gateway
tags = var.tags
access_tags = var.access_tags
depends_on = [ibm_is_vpc_address_prefix.address_prefixes]
}

22 changes: 22 additions & 0 deletions tests/pr_test.go
@@ -1,22 +1,44 @@
package test

import (
"log"
"os"
"testing"

"github.com/stretchr/testify/assert"
"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/common"
"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
)

const defaultExampleTerraformDir = "examples/default"
const landingZoneExampleTerraformDir = "examples/landing_zone"
const resourceGroup = "geretain-test-resources"

// Define a struct with fields that match the structure of the YAML data
const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-resources.yaml"

var permanentResources map[string]interface{}

func TestMain(m *testing.M) {
// Read the YAML file contents
var err error
permanentResources, err = common.LoadMapFromYaml(yamlLocation)
if err != nil {
log.Fatal(err)
}

os.Exit(m.Run())
}

func setupOptions(t *testing.T, prefix string, terraformDir string) *testhelper.TestOptions {
options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
Testing: t,
TerraformDir: terraformDir,
Prefix: prefix,
ResourceGroup: resourceGroup,
TerraformVars: map[string]interface{}{
"access_tags": permanentResources["accessTags"],
},
})

return options
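Review bot: `setupOptions` passes `permanentResources["accessTags"]` straight into `TerraformVars` with no check that the key exists, so if the YAML lacks it the lookup yields `nil`, the run proceeds without access tags, and the code this PR adds is never exercised. Suggest failing fast before building the options, e.g. `tags, ok := permanentResources["accessTags"]` followed by `if !ok { t.Fatal("accessTags missing from permanent resources") }`. Separately, the comment `// Define a struct with fields that match the structure of the YAML data` sits above a `const` and describes no struct; drop it or reword it to describe `yamlLocation`.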
13 changes: 13 additions & 0 deletions variables.tf
@@ -28,6 +28,19 @@ variable "tags" {
default = null
}

variable "access_tags" {
type = list(string)
description = "A list of access tags to apply to the resources created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details"
default = []

validation {
condition = alltrue([
for tag in var.access_tags : can(regex("[\\w\\-_\\.]+:[\\w\\-_\\.]+", tag)) && length(tag) <= 128
])
error_message = "Tags must match the regular expression \"[\\w\\-_\\.]+:[\\w\\-_\\.]+\", see https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits for more details"
}
}

##############################################################################

##############################################################################
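Review bot: The pattern in the `validation` block, `[\\w\\-_\\.]+:[\\w\\-_\\.]+`, is unanchored, so `can(regex(...))` succeeds whenever any substring matches: a value such as `"bad!tag:x"` or `"a:b:c"` passes plan-time validation even though the provider pattern recorded in module-metadata.json (`^(...):(...)$`) rejects it, and the error then surfaces from the API at apply time instead of at plan time. Anchor the expression with `^` and `$` (`\\w` already covers `_`, so `^[\\w.-]+:[\\w.-]+$` is enough), note that the provider pattern also permits interior spaces that this character class does not, and mention the 128-character limit in `error_message`, since the condition enforces `length(tag) <= 128` but the message only cites the regex.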