diff --git a/README.md b/README.md
index 3ff753c47..467d544a0 100644
--- a/README.md
+++ b/README.md
@@ -900,7 +900,6 @@ module "cluster_pattern" {
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [add\_kms\_block\_storage\_s2s](#input\_add\_kms\_block\_storage\_s2s) | Whether to create a service-to-service authorization between block storage and the key management service. | `bool` | `true` | no |
| [appid](#input\_appid) | The App ID instance to be used for the teleport vsi deployments | object({
name = optional(string)
resource_group = optional(string)
use_data = optional(bool)
keys = optional(list(string))
use_appid = bool
}) | {
"use_appid": false
} | no |
| [atracker](#input\_atracker) | atracker variables | object({
resource_group = string
receive_global_events = bool
collector_bucket_name = string
add_route = bool
}) | n/a | yes |
| [clusters](#input\_clusters) | A list describing clusters workloads to create | list(
object({
name = string # Name of Cluster
vpc_name = string # Name of VPC
subnet_names = list(string) # List of vpc subnets for cluster
workers_per_subnet = number # Worker nodes per subnet.
machine_type = string # Worker node flavor
kube_type = string # iks or openshift
kube_version = optional(string) # Can be a version from `ibmcloud ks versions`, `latest` or `default`
entitlement = optional(string) # entitlement option for openshift
pod_subnet = optional(string) # Portable subnet for pods
service_subnet = optional(string) # Portable subnet for services
resource_group = string # Resource Group used for cluster
cos_name = optional(string) # Name of COS instance Required only for OpenShift clusters
update_all_workers = optional(bool) # If true force workers to update
access_tags = optional(list(string), [])
boot_volume_crk_name = optional(string) # Boot volume encryption key name
kms_config = optional(
object({
crk_name = string # Name of key
private_endpoint = optional(bool) # Private endpoint
})
)
worker_pools = optional(
list(
object({
name = string # Worker pool name
vpc_name = string # VPC name
workers_per_subnet = number # Worker nodes per subnet
flavor = string # Worker node flavor
subnet_names = list(string) # List of vpc subnets for worker pool
entitlement = optional(string) # entitlement option for openshift
boot_volume_crk_name = optional(string) # Boot volume encryption key name
})
)
)
})
)
| n/a | yes |
@@ -915,6 +914,8 @@ module "cluster_pattern" {
| [resource\_groups](#input\_resource\_groups) | Object describing resource groups to create or reference | list(
object({
name = string
create = optional(bool)
use_prefix = optional(bool)
})
)
| n/a | yes |
| [security\_groups](#input\_security\_groups) | Security groups for VPC | list(
object({
name = string
vpc_name = string
resource_group = optional(string)
access_tags = optional(list(string), [])
rules = list(
object({
name = string
direction = string
source = string
tcp = optional(
object({
port_max = number
port_min = number
})
)
udp = optional(
object({
port_max = number
port_min = number
})
)
icmp = optional(
object({
type = number
code = number
})
)
})
)
})
)
| `[]` | no |
| [service\_endpoints](#input\_service\_endpoints) | Service endpoints. Can be `public`, `private`, or `public-and-private` | `string` | `"public-and-private"` | no |
+| [skip\_all\_s2s\_auth\_policies](#input\_skip\_all\_s2s\_auth\_policies) | Whether to skip the creation of all of the service-to-service authorization policies. If setting to true, policies must be in place on the account before provisioning. | `bool` | `false` | no |
+| [skip\_kms\_block\_storage\_s2s\_auth\_policy](#input\_skip\_kms\_block\_storage\_s2s\_auth\_policy) | Whether to skip the creation of a service-to-service authorization policy between block storage and the key management service. | `bool` | `false` | no |
| [ssh\_keys](#input\_ssh\_keys) | SSH keys to use to provision a VSI. Must be an RSA key with a key size of either 2048 bits or 4096 bits (recommended). If `public_key` is not provided, the named key will be looked up from data. If a resource group name is added, it must be included in `var.resource_groups`. See https://cloud.ibm.com/docs/vpc?topic=vpc-ssh-keys. | list(
object({
name = string
public_key = optional(string)
resource_group = optional(string)
})
)
| n/a | yes |
| [tags](#input\_tags) | List of resource tags to apply to resources created by this module. | `list(string)` | `[]` | no |
| [teleport\_config\_data](#input\_teleport\_config\_data) | Teleport config data. This is used to create a single template for all teleport instances to use. Creating a single template allows for values to remain sensitive | object({
teleport_license = optional(string)
https_cert = optional(string)
https_key = optional(string)
domain = optional(string)
cos_bucket_name = optional(string)
cos_key_name = optional(string)
teleport_version = optional(string)
message_of_the_day = optional(string)
hostname = optional(string)
app_id_key_name = optional(string)
claims_to_roles = optional(
list(
object({
email = string
roles = list(string)
})
)
)
}) | `null` | no |
diff --git a/common-dev-assets b/common-dev-assets
index 482110405..30f54d8d9 160000
--- a/common-dev-assets
+++ b/common-dev-assets
@@ -1 +1 @@
-Subproject commit 48211040563a866ee52215c2a54fb494b8340e5c
+Subproject commit 30f54d8d96323f6f10f34474ca61b8a923c0eda0
diff --git a/dynamic_values.tf b/dynamic_values.tf
index 0e604cde5..77603c7df 100644
--- a/dynamic_values.tf
+++ b/dynamic_values.tf
@@ -3,34 +3,35 @@
##############################################################################
module "dynamic_values" {
- source = "./dynamic_values"
- region = var.region
- prefix = var.prefix
- key_management = var.key_management
- key_management_guid = module.key_management.key_management_guid
- clusters = var.clusters
- vpcs = var.vpcs
- resource_groups = local.resource_groups
- vpc_modules = module.vpc
- cos = var.cos
- cos_data_source = data.ibm_resource_instance.cos
- cos_resource = ibm_resource_instance.cos
- cos_resource_keys = ibm_resource_key.key
- suffix = random_string.random_cos_suffix.result
- ssh_keys = var.ssh_keys
- vsi = var.vsi
- virtual_private_endpoints = var.virtual_private_endpoints
- vpn_gateways = var.vpn_gateways
- security_groups = var.security_groups
- bastion_vsi = var.teleport_vsi
- appid = var.appid
- appid_resource = ibm_resource_instance.appid
- appid_data = data.ibm_resource_instance.appid
- teleport_domain = tostring(try(var.teleport_config_data.domain, null))
- f5_vsi = var.f5_vsi
- f5_template_data = var.f5_template_data
- add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
- atracker_cos_bucket = var.atracker.add_route == true ? var.atracker.collector_bucket_name : null
+ source = "./dynamic_values"
+ region = var.region
+ prefix = var.prefix
+ key_management = var.key_management
+ key_management_guid = module.key_management.key_management_guid
+ clusters = var.clusters
+ vpcs = var.vpcs
+ resource_groups = local.resource_groups
+ vpc_modules = module.vpc
+ cos = var.cos
+ cos_data_source = data.ibm_resource_instance.cos
+ cos_resource = ibm_resource_instance.cos
+ cos_resource_keys = ibm_resource_key.key
+ suffix = random_string.random_cos_suffix.result
+ ssh_keys = var.ssh_keys
+ vsi = var.vsi
+ virtual_private_endpoints = var.virtual_private_endpoints
+ vpn_gateways = var.vpn_gateways
+ security_groups = var.security_groups
+ bastion_vsi = var.teleport_vsi
+ appid = var.appid
+ appid_resource = ibm_resource_instance.appid
+ appid_data = data.ibm_resource_instance.appid
+ teleport_domain = tostring(try(var.teleport_config_data.domain, null))
+ f5_vsi = var.f5_vsi
+ f5_template_data = var.f5_template_data
+ skip_kms_block_storage_s2s_auth_policy = var.skip_kms_block_storage_s2s_auth_policy
+ skip_all_s2s_auth_policies = var.skip_all_s2s_auth_policies
+ atracker_cos_bucket = var.atracker.add_route == true ? var.atracker.collector_bucket_name : null
}
##############################################################################
diff --git a/dynamic_values/config_modules/service_authorizations/service_authorizations.tf b/dynamic_values/config_modules/service_authorizations/service_authorizations.tf
index 44df24429..efb0325bf 100644
--- a/dynamic_values/config_modules/service_authorizations/service_authorizations.tf
+++ b/dynamic_values/config_modules/service_authorizations/service_authorizations.tf
@@ -18,10 +18,14 @@ variable "cos" {
description = "COS variable"
}
-variable "add_kms_block_storage_s2s" {
+variable "skip_kms_block_storage_s2s_auth_policy" {
description = "Add kms to block storage s2s"
}
+variable "skip_all_s2s_auth_policies" {
+ description = "Add s2s authorization policies"
+}
+
variable "atracker_cos_bucket" {
description = "Add atracker to cos s2s"
}
@@ -39,7 +43,7 @@ locals {
module "kms_to_block_storage" {
source = "../list_to_map"
list = [
- for instance in(var.add_kms_block_storage_s2s ? ["block-storage"] : []) :
+ for instance in(var.skip_kms_block_storage_s2s_auth_policy ? [] : ["block-storage"]) :
{
name = instance
source_service_name = "server-protect"
diff --git a/dynamic_values/service_authorizations.tf b/dynamic_values/service_authorizations.tf
index 5760c106c..d94545534 100644
--- a/dynamic_values/service_authorizations.tf
+++ b/dynamic_values/service_authorizations.tf
@@ -3,13 +3,14 @@
##############################################################################
module "service_authorizations" {
- source = "./config_modules/service_authorizations"
- key_management = var.key_management
- key_management_guid = var.key_management_guid
- cos = var.cos
- cos_instance_ids = local.cos_instance_ids
- add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
- atracker_cos_bucket = var.atracker_cos_bucket
+ source = "./config_modules/service_authorizations"
+ key_management = var.key_management
+ key_management_guid = var.key_management_guid
+ cos = var.cos
+ cos_instance_ids = local.cos_instance_ids
+ skip_kms_block_storage_s2s_auth_policy = var.skip_kms_block_storage_s2s_auth_policy
+ skip_all_s2s_auth_policies = var.skip_all_s2s_auth_policies
+ atracker_cos_bucket = var.atracker_cos_bucket
}
##############################################################################
diff --git a/dynamic_values/variables.tf b/dynamic_values/variables.tf
index 5567f1499..177a1e462 100644
--- a/dynamic_values/variables.tf
+++ b/dynamic_values/variables.tf
@@ -180,10 +180,14 @@ variable "f5_template_data" {
# Service Authorization Variables
##############################################################################
-variable "add_kms_block_storage_s2s" {
+variable "skip_kms_block_storage_s2s_auth_policy" {
description = "Direct reference to kms block storage variable"
}
+variable "skip_all_s2s_auth_policies" {
+ description = "Direct reference to s2s authorization variable"
+}
+
variable "atracker_cos_bucket" {
description = "Direct reference to atracker to cos variable"
}
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 5ea2f0f9e..08cc6eb8f 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -548,7 +548,7 @@
}
],
"architecture": {
- "descriptions": "This architecture creates virtual server instances (VSI) in some or all of the subnets of one VPC of an existing landing zone deployable architecture. To create VSIs in multiple VPCs, deploy the extension once for each VPC.\r\n\r\n## Before you begin\r\n\r\n- You must have either the [VPC landing zone](https:\/\/cloud.ibm.com\/catalog\/architecture\/deploy-arch-ibm-slz-vpc-9fc0fa64-27af-4fed-9dce-47b3640ba739-global) or [Red Hat OpenShift Container Platform on VPC landing zone](https:\/\/cloud.ibm.com\/catalog\/architecture\/deploy-arch-ibm-slz-ocp-95fccffc-ae3b-42df-b6d9-80be5914d852-global) deployable architecture deployed.\r\n- You need an authorization policy that grants access between block storage and the KMS. The policy exists if you set the `add_kms_block_storage_s2s` input variable to `true` (the default value) in your existing landing zone deployable architecture.\r\n- You need the VPC ID, subnet names, and boot volume encryption key from your existing landing zone deployable architecture. For information about finding these values, see [Adding a VSI to your VPC landing zone deployable architecture](https:\/\/cloud.ibm.com\/docs\/secure-infrastructure-vpc?topic=secure-infrastructure-vpc-ext-with-vsi).",
+ "descriptions": "This architecture creates virtual server instances (VSI) in some or all of the subnets of one VPC of an existing landing zone deployable architecture. To create VSIs in multiple VPCs, deploy the extension once for each VPC.\r\n\r\n## Before you begin\r\n\r\n- You must have either the [VPC landing zone](https:\/\/cloud.ibm.com\/catalog\/architecture\/deploy-arch-ibm-slz-vpc-9fc0fa64-27af-4fed-9dce-47b3640ba739-global) or [Red Hat OpenShift Container Platform on VPC landing zone](https:\/\/cloud.ibm.com\/catalog\/architecture\/deploy-arch-ibm-slz-ocp-95fccffc-ae3b-42df-b6d9-80be5914d852-global) deployable architecture deployed.\r\n- You need an authorization policy that grants access between block storage and the KMS. The policy exists if you set the `skip_kms_block_storage_s2s_auth_policy` input variable to `false` (the default value) in your existing landing zone deployable architecture.\r\n- You need the VPC ID, subnet names, and boot volume encryption key from your existing landing zone deployable architecture. For information about finding these values, see [Adding a VSI to your VPC landing zone deployable architecture](https:\/\/cloud.ibm.com\/docs\/secure-infrastructure-vpc?topic=secure-infrastructure-vpc-ext-with-vsi).",
"features": [
{
"title": "Adds a virtual server instance in every VPC subnet",
diff --git a/patterns/mixed/config.tf b/patterns/mixed/config.tf
index 0f4f6a2cc..afabf2790 100644
--- a/patterns/mixed/config.tf
+++ b/patterns/mixed/config.tf
@@ -191,7 +191,8 @@ locals {
##############################################################################
# S2S Authorization
##############################################################################
- add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
+ skip_kms_block_storage_s2s_auth_policy = var.skip_kms_block_storage_s2s_auth_policy
+ skip_all_s2s_auth_policies = var.skip_all_s2s_auth_policies
##############################################################################
@@ -241,27 +242,28 @@ locals {
# Compile Environment for Config output
##############################################################################
env = {
- resource_groups = lookup(local.override[local.override_type], "resource_groups", local.config.resource_groups)
- vpcs = lookup(local.override[local.override_type], "vpcs", local.config.vpcs)
- vpn_gateways = lookup(local.override[local.override_type], "vpn_gateways", local.config.vpn_gateways)
- enable_transit_gateway = lookup(local.override[local.override_type], "enable_transit_gateway", local.config.enable_transit_gateway)
- transit_gateway_global = lookup(local.override[local.override_type], "transit_gateway_global", local.config.transit_gateway_global)
- transit_gateway_resource_group = lookup(local.override[local.override_type], "transit_gateway_resource_group", local.config.transit_gateway_resource_group)
- transit_gateway_connections = lookup(local.override[local.override_type], "transit_gateway_connections", local.config.transit_gateway_connections)
- ssh_keys = lookup(local.override[local.override_type], "ssh_keys", local.ssh_keys)
- network_cidr = lookup(local.override[local.override_type], "network_cidr", var.network_cidr)
- vsi = lookup(local.override[local.override_type], "vsi", local.config.vsi)
- security_groups = lookup(local.override[local.override_type], "security_groups", local.config.security_groups)
- virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
- cos = lookup(local.override[local.override_type], "cos", local.config.object_storage)
- service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
- add_kms_block_storage_s2s = lookup(local.override[local.override_type], "add_kms_block_storage_s2s", local.config.add_kms_block_storage_s2s)
- key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management)
- atracker = lookup(local.override[local.override_type], "atracker", local.config.atracker)
- clusters = lookup(local.override[local.override_type], "clusters", local.config.clusters)
- wait_till = lookup(local.override[local.override_type], "wait_till", var.wait_till)
- appid = lookup(local.override[local.override_type], "appid", local.config.appid)
- f5_vsi = lookup(local.override[local.override_type], "f5_vsi", local.config.f5_deployments)
+ resource_groups = lookup(local.override[local.override_type], "resource_groups", local.config.resource_groups)
+ vpcs = lookup(local.override[local.override_type], "vpcs", local.config.vpcs)
+ vpn_gateways = lookup(local.override[local.override_type], "vpn_gateways", local.config.vpn_gateways)
+ enable_transit_gateway = lookup(local.override[local.override_type], "enable_transit_gateway", local.config.enable_transit_gateway)
+ transit_gateway_global = lookup(local.override[local.override_type], "transit_gateway_global", local.config.transit_gateway_global)
+ transit_gateway_resource_group = lookup(local.override[local.override_type], "transit_gateway_resource_group", local.config.transit_gateway_resource_group)
+ transit_gateway_connections = lookup(local.override[local.override_type], "transit_gateway_connections", local.config.transit_gateway_connections)
+ ssh_keys = lookup(local.override[local.override_type], "ssh_keys", local.ssh_keys)
+ network_cidr = lookup(local.override[local.override_type], "network_cidr", var.network_cidr)
+ vsi = lookup(local.override[local.override_type], "vsi", local.config.vsi)
+ security_groups = lookup(local.override[local.override_type], "security_groups", local.config.security_groups)
+ virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
+ cos = lookup(local.override[local.override_type], "cos", local.config.object_storage)
+ service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
+ skip_kms_block_storage_s2s_auth_policy = lookup(local.override[local.override_type], "skip_kms_block_storage_s2s_auth_policy", local.config.skip_kms_block_storage_s2s_auth_policy)
+ skip_all_s2s_auth_policies = lookup(local.override[local.override_type], "skip_all_s2s_auth_policies", local.config.skip_all_s2s_auth_policies)
+ key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management)
+ atracker = lookup(local.override[local.override_type], "atracker", local.config.atracker)
+ clusters = lookup(local.override[local.override_type], "clusters", local.config.clusters)
+ wait_till = lookup(local.override[local.override_type], "wait_till", var.wait_till)
+ appid = lookup(local.override[local.override_type], "appid", local.config.appid)
+ f5_vsi = lookup(local.override[local.override_type], "f5_vsi", local.config.f5_deployments)
f5_template_data = {
tmos_admin_password = lookup(local.override[local.override_type], "f5_template_data", null) == null ? var.tmos_admin_password : lookup(local.override[local.override_type].f5_template_data, "tmos_admin_password", var.tmos_admin_password)
license_type = lookup(local.override[local.override_type], "f5_template_data", null) == null ? var.license_type : lookup(local.override[local.override_type].f5_template_data, "license_type", var.license_type)
diff --git a/patterns/mixed/main.tf b/patterns/mixed/main.tf
index 2067ca813..e2fba9099 100644
--- a/patterns/mixed/main.tf
+++ b/patterns/mixed/main.tf
@@ -16,35 +16,36 @@ provider "ibm" {
##############################################################################
module "landing_zone" {
- source = "../../"
- prefix = var.prefix
- region = var.region
- tags = var.tags
- resource_groups = local.env.resource_groups
- network_cidr = local.env.network_cidr
- vpcs = local.env.vpcs
- vpn_gateways = local.env.vpn_gateways
- enable_transit_gateway = local.env.enable_transit_gateway
- transit_gateway_global = local.env.transit_gateway_global
- transit_gateway_resource_group = local.env.transit_gateway_resource_group
- transit_gateway_connections = local.env.transit_gateway_connections
- ssh_keys = local.env.ssh_keys
- vsi = local.env.vsi
- security_groups = local.env.security_groups
- virtual_private_endpoints = local.env.virtual_private_endpoints
- cos = local.env.cos
- service_endpoints = local.env.service_endpoints
- key_management = local.env.key_management
- add_kms_block_storage_s2s = local.env.add_kms_block_storage_s2s
- atracker = local.env.atracker
- clusters = local.env.clusters
- wait_till = local.env.wait_till
- f5_vsi = local.env.f5_vsi
- f5_template_data = local.env.f5_template_data
- appid = local.env.appid
- teleport_config_data = local.env.teleport_config
- teleport_vsi = local.env.teleport_vsi
- vpc_placement_groups = local.env.vpc_placement_groups
+ source = "../../"
+ prefix = var.prefix
+ region = var.region
+ tags = var.tags
+ resource_groups = local.env.resource_groups
+ network_cidr = local.env.network_cidr
+ vpcs = local.env.vpcs
+ vpn_gateways = local.env.vpn_gateways
+ enable_transit_gateway = local.env.enable_transit_gateway
+ transit_gateway_global = local.env.transit_gateway_global
+ transit_gateway_resource_group = local.env.transit_gateway_resource_group
+ transit_gateway_connections = local.env.transit_gateway_connections
+ ssh_keys = local.env.ssh_keys
+ vsi = local.env.vsi
+ security_groups = local.env.security_groups
+ virtual_private_endpoints = local.env.virtual_private_endpoints
+ cos = local.env.cos
+ service_endpoints = local.env.service_endpoints
+ key_management = local.env.key_management
+ skip_kms_block_storage_s2s_auth_policy = local.env.skip_kms_block_storage_s2s_auth_policy
+ skip_all_s2s_auth_policies = local.env.skip_all_s2s_auth_policies
+ atracker = local.env.atracker
+ clusters = local.env.clusters
+ wait_till = local.env.wait_till
+ f5_vsi = local.env.f5_vsi
+ f5_template_data = local.env.f5_template_data
+ appid = local.env.appid
+ teleport_config_data = local.env.teleport_config
+ teleport_vsi = local.env.teleport_vsi
+ vpc_placement_groups = local.env.vpc_placement_groups
}
##############################################################################
diff --git a/patterns/mixed/variables.tf b/patterns/mixed/variables.tf
index 03aa4bd49..d0aa88c0a 100644
--- a/patterns/mixed/variables.tf
+++ b/patterns/mixed/variables.tf
@@ -533,10 +533,16 @@ variable "teleport_admin_email" {
# s2s variables
##############################################################################
-variable "add_kms_block_storage_s2s" {
- description = "Whether to create a service-to-service authorization between block storage and the key management service."
+variable "skip_kms_block_storage_s2s_auth_policy" {
+ description = "Whether to skip the creation of a service-to-service authorization policy between block storage and the key management service."
type = bool
- default = true
+ default = false
+}
+
+variable "skip_all_s2s_auth_policies" {
+ description = "Whether to skip the creation of all of the service-to-service authorization policies. If setting to true, policies must be in place on the account before provisioning."
+ type = bool
+ default = false
}
##############################################################################
diff --git a/patterns/roks/main.tf b/patterns/roks/main.tf
index 87067a7ad..ca10fcca2 100644
--- a/patterns/roks/main.tf
+++ b/patterns/roks/main.tf
@@ -20,76 +20,77 @@ locals {
}
module "roks_landing_zone" {
- source = "./module"
- prefix = var.prefix
- region = var.region
- tags = var.tags
- wait_till = var.wait_till
- network_cidr = var.network_cidr
- vpcs = var.vpcs
- enable_transit_gateway = var.enable_transit_gateway
- transit_gateway_global = var.transit_gateway_global
- ssh_public_key = var.ssh_public_key
- update_all_workers = var.update_all_workers
- existing_ssh_key_name = var.existing_ssh_key_name
- entitlement = var.entitlement
- workers_per_zone = var.workers_per_zone
- flavor = var.flavor
- kube_version = var.kube_version
- add_atracker_route = var.add_atracker_route
- hs_crypto_instance_name = var.hs_crypto_instance_name
- hs_crypto_resource_group = var.hs_crypto_resource_group
- use_random_cos_suffix = var.use_random_cos_suffix
- add_edge_vpc = var.add_edge_vpc
- create_f5_network_on_management_vpc = var.create_f5_network_on_management_vpc
- provision_teleport_in_f5 = var.provision_teleport_in_f5
- f5_instance_profile = var.f5_instance_profile
- hostname = var.hostname
- domain = var.domain
- byol_license_basekey = var.byol_license_basekey
- license_host = var.license_host
- license_username = var.license_username
- license_password = var.license_password
- license_pool = var.license_pool
- license_sku_keyword_1 = var.license_sku_keyword_1
- license_sku_keyword_2 = var.license_sku_keyword_2
- license_unit_of_measure = var.license_unit_of_measure
- do_declaration_url = var.do_declaration_url
- as3_declaration_url = var.as3_declaration_url
- ts_declaration_url = var.ts_declaration_url
- phone_home_url = var.phone_home_url
- template_source = var.template_source
- template_version = var.template_version
- app_id = var.app_id
- tgactive_url = var.tgactive_url
- tgstandby_url = var.tgstandby_url
- tgrefresh_url = var.tgrefresh_url
- enable_f5_management_fip = var.enable_f5_management_fip
- enable_f5_external_fip = var.enable_f5_external_fip
- use_existing_appid = var.use_existing_appid
- appid_name = var.appid_name
- appid_resource_group = var.appid_resource_group
- teleport_instance_profile = var.teleport_instance_profile
- teleport_vsi_image_name = var.teleport_vsi_image_name
- teleport_license = var.teleport_license
- https_cert = var.https_cert
- https_key = var.https_key
- teleport_hostname = var.teleport_hostname
- teleport_domain = var.teleport_domain
- teleport_version = var.teleport_version
- message_of_the_day = var.message_of_the_day
- teleport_admin_email = var.teleport_admin_email
- override = var.override
- override_json_string = var.override_json_string
- override_json_path = local.override_json_path
- add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
- cluster_zones = var.cluster_zones
- vpn_firewall_type = var.vpn_firewall_type
- f5_image_name = var.f5_image_name
- tmos_admin_password = var.tmos_admin_password
- license_type = var.license_type
- teleport_management_zones = var.teleport_management_zones
- IC_SCHEMATICS_WORKSPACE_ID = var.IC_SCHEMATICS_WORKSPACE_ID
+ source = "./module"
+ prefix = var.prefix
+ region = var.region
+ tags = var.tags
+ wait_till = var.wait_till
+ network_cidr = var.network_cidr
+ vpcs = var.vpcs
+ enable_transit_gateway = var.enable_transit_gateway
+ transit_gateway_global = var.transit_gateway_global
+ ssh_public_key = var.ssh_public_key
+ update_all_workers = var.update_all_workers
+ existing_ssh_key_name = var.existing_ssh_key_name
+ entitlement = var.entitlement
+ workers_per_zone = var.workers_per_zone
+ flavor = var.flavor
+ kube_version = var.kube_version
+ add_atracker_route = var.add_atracker_route
+ hs_crypto_instance_name = var.hs_crypto_instance_name
+ hs_crypto_resource_group = var.hs_crypto_resource_group
+ use_random_cos_suffix = var.use_random_cos_suffix
+ add_edge_vpc = var.add_edge_vpc
+ create_f5_network_on_management_vpc = var.create_f5_network_on_management_vpc
+ provision_teleport_in_f5 = var.provision_teleport_in_f5
+ f5_instance_profile = var.f5_instance_profile
+ hostname = var.hostname
+ domain = var.domain
+ byol_license_basekey = var.byol_license_basekey
+ license_host = var.license_host
+ license_username = var.license_username
+ license_password = var.license_password
+ license_pool = var.license_pool
+ license_sku_keyword_1 = var.license_sku_keyword_1
+ license_sku_keyword_2 = var.license_sku_keyword_2
+ license_unit_of_measure = var.license_unit_of_measure
+ do_declaration_url = var.do_declaration_url
+ as3_declaration_url = var.as3_declaration_url
+ ts_declaration_url = var.ts_declaration_url
+ phone_home_url = var.phone_home_url
+ template_source = var.template_source
+ template_version = var.template_version
+ app_id = var.app_id
+ tgactive_url = var.tgactive_url
+ tgstandby_url = var.tgstandby_url
+ tgrefresh_url = var.tgrefresh_url
+ enable_f5_management_fip = var.enable_f5_management_fip
+ enable_f5_external_fip = var.enable_f5_external_fip
+ use_existing_appid = var.use_existing_appid
+ appid_name = var.appid_name
+ appid_resource_group = var.appid_resource_group
+ teleport_instance_profile = var.teleport_instance_profile
+ teleport_vsi_image_name = var.teleport_vsi_image_name
+ teleport_license = var.teleport_license
+ https_cert = var.https_cert
+ https_key = var.https_key
+ teleport_hostname = var.teleport_hostname
+ teleport_domain = var.teleport_domain
+ teleport_version = var.teleport_version
+ message_of_the_day = var.message_of_the_day
+ teleport_admin_email = var.teleport_admin_email
+ override = var.override
+ override_json_string = var.override_json_string
+ override_json_path = local.override_json_path
+ skip_kms_block_storage_s2s_auth_policy = var.skip_kms_block_storage_s2s_auth_policy
+ skip_all_s2s_auth_policies = var.skip_all_s2s_auth_policies
+ cluster_zones = var.cluster_zones
+ vpn_firewall_type = var.vpn_firewall_type
+ f5_image_name = var.f5_image_name
+ tmos_admin_password = var.tmos_admin_password
+ license_type = var.license_type
+ teleport_management_zones = var.teleport_management_zones
+ IC_SCHEMATICS_WORKSPACE_ID = var.IC_SCHEMATICS_WORKSPACE_ID
}
moved {
diff --git a/patterns/roks/module/config.tf b/patterns/roks/module/config.tf
index 9cc6ef2e8..3f5d022c5 100644
--- a/patterns/roks/module/config.tf
+++ b/patterns/roks/module/config.tf
@@ -171,7 +171,8 @@ locals {
##############################################################################
# S2S Authorization
##############################################################################
- add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
+ skip_kms_block_storage_s2s_auth_policy = var.skip_kms_block_storage_s2s_auth_policy
+ skip_all_s2s_auth_policies = var.skip_all_s2s_auth_policies
##############################################################################
@@ -221,27 +222,28 @@ locals {
# Compile Environment for Config output
##############################################################################
env = {
- resource_groups = lookup(local.override[local.override_type], "resource_groups", local.config.resource_groups)
- vpcs = lookup(local.override[local.override_type], "vpcs", local.config.vpcs)
- vpn_gateways = lookup(local.override[local.override_type], "vpn_gateways", local.config.vpn_gateways)
- enable_transit_gateway = lookup(local.override[local.override_type], "enable_transit_gateway", local.config.enable_transit_gateway)
- transit_gateway_global = lookup(local.override[local.override_type], "transit_gateway_global", local.config.transit_gateway_global)
- transit_gateway_resource_group = lookup(local.override[local.override_type], "transit_gateway_resource_group", local.config.transit_gateway_resource_group)
- transit_gateway_connections = lookup(local.override[local.override_type], "transit_gateway_connections", local.config.transit_gateway_connections)
- ssh_keys = lookup(local.override[local.override_type], "ssh_keys", local.config.ssh_keys)
- network_cidr = lookup(local.override[local.override_type], "network_cidr", var.network_cidr)
- vsi = lookup(local.override[local.override_type], "vsi", local.config.vsi)
- security_groups = lookup(local.override[local.override_type], "security_groups", local.config.security_groups)
- virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
- cos = lookup(local.override[local.override_type], "cos", local.config.object_storage)
- service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
- add_kms_block_storage_s2s = lookup(local.override[local.override_type], "add_kms_block_storage_s2s", local.config.add_kms_block_storage_s2s)
- key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management)
- atracker = lookup(local.override[local.override_type], "atracker", local.config.atracker)
- clusters = lookup(local.override[local.override_type], "clusters", local.config.clusters)
- wait_till = lookup(local.override[local.override_type], "wait_till", var.wait_till)
- appid = lookup(local.override[local.override_type], "appid", local.config.appid)
- f5_vsi = lookup(local.override[local.override_type], "f5_vsi", local.config.f5_deployments)
+ resource_groups = lookup(local.override[local.override_type], "resource_groups", local.config.resource_groups)
+ vpcs = lookup(local.override[local.override_type], "vpcs", local.config.vpcs)
+ vpn_gateways = lookup(local.override[local.override_type], "vpn_gateways", local.config.vpn_gateways)
+ enable_transit_gateway = lookup(local.override[local.override_type], "enable_transit_gateway", local.config.enable_transit_gateway)
+ transit_gateway_global = lookup(local.override[local.override_type], "transit_gateway_global", local.config.transit_gateway_global)
+ transit_gateway_resource_group = lookup(local.override[local.override_type], "transit_gateway_resource_group", local.config.transit_gateway_resource_group)
+ transit_gateway_connections = lookup(local.override[local.override_type], "transit_gateway_connections", local.config.transit_gateway_connections)
+ ssh_keys = lookup(local.override[local.override_type], "ssh_keys", local.config.ssh_keys)
+ network_cidr = lookup(local.override[local.override_type], "network_cidr", var.network_cidr)
+ vsi = lookup(local.override[local.override_type], "vsi", local.config.vsi)
+ security_groups = lookup(local.override[local.override_type], "security_groups", local.config.security_groups)
+ virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
+ cos = lookup(local.override[local.override_type], "cos", local.config.object_storage)
+ service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
+ skip_kms_block_storage_s2s_auth_policy = lookup(local.override[local.override_type], "skip_kms_block_storage_s2s_auth_policy", local.config.skip_kms_block_storage_s2s_auth_policy)
+ skip_all_s2s_auth_policies = lookup(local.override[local.override_type], "skip_all_s2s_auth_policies", local.config.skip_all_s2s_auth_policies)
+ key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management)
+ atracker = lookup(local.override[local.override_type], "atracker", local.config.atracker)
+ clusters = lookup(local.override[local.override_type], "clusters", local.config.clusters)
+ wait_till = lookup(local.override[local.override_type], "wait_till", var.wait_till)
+ appid = lookup(local.override[local.override_type], "appid", local.config.appid)
+ f5_vsi = lookup(local.override[local.override_type], "f5_vsi", local.config.f5_deployments)
f5_template_data = {
tmos_admin_password = lookup(local.override[local.override_type], "f5_template_data", null) == null ? var.tmos_admin_password : lookup(local.override[local.override_type].f5_template_data, "tmos_admin_password", var.tmos_admin_password)
license_type = lookup(local.override[local.override_type], "f5_template_data", null) == null ? var.license_type : lookup(local.override[local.override_type].f5_template_data, "license_type", var.license_type)
diff --git a/patterns/roks/module/main.tf b/patterns/roks/module/main.tf
index e94aa6e82..0c0a2dc07 100644
--- a/patterns/roks/module/main.tf
+++ b/patterns/roks/module/main.tf
@@ -3,35 +3,36 @@
##############################################################################
module "landing_zone" {
- source = "../../../"
- prefix = var.prefix
- region = var.region
- tags = var.tags
- resource_groups = local.env.resource_groups
- network_cidr = local.env.network_cidr
- vpcs = local.env.vpcs
- vpn_gateways = local.env.vpn_gateways
- enable_transit_gateway = local.env.enable_transit_gateway
- transit_gateway_global = local.env.transit_gateway_global
- transit_gateway_resource_group = local.env.transit_gateway_resource_group
- transit_gateway_connections = local.env.transit_gateway_connections
- ssh_keys = local.env.ssh_keys
- vsi = local.env.vsi
- security_groups = local.env.security_groups
- virtual_private_endpoints = local.env.virtual_private_endpoints
- cos = local.env.cos
- service_endpoints = local.env.service_endpoints
- key_management = local.env.key_management
- add_kms_block_storage_s2s = local.env.add_kms_block_storage_s2s
- atracker = local.env.atracker
- clusters = local.env.clusters
- wait_till = local.env.wait_till
- f5_vsi = local.env.f5_vsi
- f5_template_data = local.env.f5_template_data
- appid = local.env.appid
- teleport_config_data = local.env.teleport_config
- teleport_vsi = local.env.teleport_vsi
- vpc_placement_groups = local.env.vpc_placement_groups
+ source = "../../../"
+ prefix = var.prefix
+ region = var.region
+ tags = var.tags
+ resource_groups = local.env.resource_groups
+ network_cidr = local.env.network_cidr
+ vpcs = local.env.vpcs
+ vpn_gateways = local.env.vpn_gateways
+ enable_transit_gateway = local.env.enable_transit_gateway
+ transit_gateway_global = local.env.transit_gateway_global
+ transit_gateway_resource_group = local.env.transit_gateway_resource_group
+ transit_gateway_connections = local.env.transit_gateway_connections
+ ssh_keys = local.env.ssh_keys
+ vsi = local.env.vsi
+ security_groups = local.env.security_groups
+ virtual_private_endpoints = local.env.virtual_private_endpoints
+ cos = local.env.cos
+ service_endpoints = local.env.service_endpoints
+ key_management = local.env.key_management
+ skip_kms_block_storage_s2s_auth_policy = local.env.skip_kms_block_storage_s2s_auth_policy
+ skip_all_s2s_auth_policies = local.env.skip_all_s2s_auth_policies
+ atracker = local.env.atracker
+ clusters = local.env.clusters
+ wait_till = local.env.wait_till
+ f5_vsi = local.env.f5_vsi
+ f5_template_data = local.env.f5_template_data
+ appid = local.env.appid
+ teleport_config_data = local.env.teleport_config
+ teleport_vsi = local.env.teleport_vsi
+ vpc_placement_groups = local.env.vpc_placement_groups
}
##############################################################################
diff --git a/patterns/roks/module/variables.tf b/patterns/roks/module/variables.tf
index ad07c661c..62385b91b 100644
--- a/patterns/roks/module/variables.tf
+++ b/patterns/roks/module/variables.tf
@@ -500,10 +500,16 @@ variable "teleport_admin_email" {
# s2s variables
##############################################################################
-variable "add_kms_block_storage_s2s" {
- description = "Whether to create a service-to-service authorization between block storage and the key management service."
+variable "skip_kms_block_storage_s2s_auth_policy" {
+ description = "Whether to skip the creation of a service-to-service authorization policy between block storage and the key management service."
type = bool
- default = true
+ default = false
+}
+
+variable "skip_all_s2s_auth_policies" {
+ description = "Whether to skip the creation of all of the service-to-service authorization policies. If setting to true, policies must be in place on the account before provisioning."
+ type = bool
+ default = false
}
##############################################################################
diff --git a/patterns/roks/variables.tf b/patterns/roks/variables.tf
index 0059eac7d..99cf314b8 100644
--- a/patterns/roks/variables.tf
+++ b/patterns/roks/variables.tf
@@ -514,10 +514,16 @@ variable "teleport_admin_email" {
# s2s variables
##############################################################################
-variable "add_kms_block_storage_s2s" {
- description = "Whether to create a service-to-service authorization between block storage and the key management service."
+variable "skip_kms_block_storage_s2s_auth_policy" {
+ description = "Whether to skip the creation of a service-to-service authorization policy between block storage and the key management service."
type = bool
- default = true
+ default = false
+}
+
+variable "skip_all_s2s_auth_policies" {
+ description = "Whether to skip the creation of all of the service-to-service authorization policies. If setting to true, policies must be in place on the account before provisioning."
+ type = bool
+ default = false
}
##############################################################################
diff --git a/patterns/vpc/main.tf b/patterns/vpc/main.tf
index 8005ede18..379e7eec7 100644
--- a/patterns/vpc/main.tf
+++ b/patterns/vpc/main.tf
@@ -19,67 +19,68 @@ locals {
}
module "vpc_landing_zone" {
- source = "./module"
- prefix = var.prefix
- region = var.region
- tags = var.tags
- network_cidr = var.network_cidr
- vpcs = var.vpcs
- enable_transit_gateway = var.enable_transit_gateway
- transit_gateway_global = var.transit_gateway_global
- add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
- add_atracker_route = var.add_atracker_route
- hs_crypto_instance_name = var.hs_crypto_instance_name
- hs_crypto_resource_group = var.hs_crypto_resource_group
- use_random_cos_suffix = var.use_random_cos_suffix
- add_edge_vpc = var.add_edge_vpc
- create_f5_network_on_management_vpc = var.create_f5_network_on_management_vpc
- provision_teleport_in_f5 = var.provision_teleport_in_f5
- f5_instance_profile = var.f5_instance_profile
- hostname = var.hostname
- domain = var.domain
- byol_license_basekey = var.byol_license_basekey
- license_host = var.license_host
- license_username = var.license_username
- license_password = var.license_password
- license_pool = var.license_pool
- license_sku_keyword_1 = var.license_sku_keyword_1
- license_sku_keyword_2 = var.license_sku_keyword_2
- license_unit_of_measure = var.license_unit_of_measure
- do_declaration_url = var.do_declaration_url
- as3_declaration_url = var.as3_declaration_url
- ts_declaration_url = var.ts_declaration_url
- phone_home_url = var.phone_home_url
- template_source = var.template_source
- template_version = var.template_version
- app_id = var.app_id
- tgactive_url = var.tgactive_url
- tgstandby_url = var.tgstandby_url
- tgrefresh_url = var.tgrefresh_url
- enable_f5_management_fip = var.enable_f5_management_fip
- enable_f5_external_fip = var.enable_f5_external_fip
- use_existing_appid = var.use_existing_appid
- appid_name = var.appid_name
- appid_resource_group = var.appid_resource_group
- teleport_instance_profile = var.teleport_instance_profile
- teleport_vsi_image_name = var.teleport_vsi_image_name
- teleport_license = var.teleport_license
- https_cert = var.https_cert
- https_key = var.https_key
- teleport_hostname = var.teleport_hostname
- teleport_domain = var.teleport_domain
- teleport_version = var.teleport_version
- message_of_the_day = var.message_of_the_day
- teleport_admin_email = var.teleport_admin_email
- override = var.override
- override_json_string = var.override_json_string
- override_json_path = local.override_json_path
- vpn_firewall_type = var.vpn_firewall_type
- ssh_public_key = var.ssh_public_key
- f5_image_name = var.f5_image_name
- tmos_admin_password = var.tmos_admin_password
- license_type = var.license_type
- teleport_management_zones = var.teleport_management_zones
+ source = "./module"
+ prefix = var.prefix
+ region = var.region
+ tags = var.tags
+ network_cidr = var.network_cidr
+ vpcs = var.vpcs
+ enable_transit_gateway = var.enable_transit_gateway
+ transit_gateway_global = var.transit_gateway_global
+ skip_kms_block_storage_s2s_auth_policy = var.skip_kms_block_storage_s2s_auth_policy
+ skip_all_s2s_auth_policies = var.skip_all_s2s_auth_policies
+ add_atracker_route = var.add_atracker_route
+ hs_crypto_instance_name = var.hs_crypto_instance_name
+ hs_crypto_resource_group = var.hs_crypto_resource_group
+ use_random_cos_suffix = var.use_random_cos_suffix
+ add_edge_vpc = var.add_edge_vpc
+ create_f5_network_on_management_vpc = var.create_f5_network_on_management_vpc
+ provision_teleport_in_f5 = var.provision_teleport_in_f5
+ f5_instance_profile = var.f5_instance_profile
+ hostname = var.hostname
+ domain = var.domain
+ byol_license_basekey = var.byol_license_basekey
+ license_host = var.license_host
+ license_username = var.license_username
+ license_password = var.license_password
+ license_pool = var.license_pool
+ license_sku_keyword_1 = var.license_sku_keyword_1
+ license_sku_keyword_2 = var.license_sku_keyword_2
+ license_unit_of_measure = var.license_unit_of_measure
+ do_declaration_url = var.do_declaration_url
+ as3_declaration_url = var.as3_declaration_url
+ ts_declaration_url = var.ts_declaration_url
+ phone_home_url = var.phone_home_url
+ template_source = var.template_source
+ template_version = var.template_version
+ app_id = var.app_id
+ tgactive_url = var.tgactive_url
+ tgstandby_url = var.tgstandby_url
+ tgrefresh_url = var.tgrefresh_url
+ enable_f5_management_fip = var.enable_f5_management_fip
+ enable_f5_external_fip = var.enable_f5_external_fip
+ use_existing_appid = var.use_existing_appid
+ appid_name = var.appid_name
+ appid_resource_group = var.appid_resource_group
+ teleport_instance_profile = var.teleport_instance_profile
+ teleport_vsi_image_name = var.teleport_vsi_image_name
+ teleport_license = var.teleport_license
+ https_cert = var.https_cert
+ https_key = var.https_key
+ teleport_hostname = var.teleport_hostname
+ teleport_domain = var.teleport_domain
+ teleport_version = var.teleport_version
+ message_of_the_day = var.message_of_the_day
+ teleport_admin_email = var.teleport_admin_email
+ override = var.override
+ override_json_string = var.override_json_string
+ override_json_path = local.override_json_path
+ vpn_firewall_type = var.vpn_firewall_type
+ ssh_public_key = var.ssh_public_key
+ f5_image_name = var.f5_image_name
+ tmos_admin_password = var.tmos_admin_password
+ license_type = var.license_type
+ teleport_management_zones = var.teleport_management_zones
}
moved {
diff --git a/patterns/vpc/module/config.tf b/patterns/vpc/module/config.tf
index b8d599ebf..c60f52396 100644
--- a/patterns/vpc/module/config.tf
+++ b/patterns/vpc/module/config.tf
@@ -121,7 +121,8 @@ locals {
##############################################################################
# S2S Authorization
##############################################################################
- add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
+ skip_kms_block_storage_s2s_auth_policy = var.skip_kms_block_storage_s2s_auth_policy
+ skip_all_s2s_auth_policies = var.skip_all_s2s_auth_policies
##############################################################################
@@ -172,27 +173,28 @@ locals {
# Compile Environment for Config output
##############################################################################
env = {
- resource_groups = lookup(local.override[local.override_type], "resource_groups", local.config.resource_groups)
- vpcs = lookup(local.override[local.override_type], "vpcs", local.config.vpcs)
- vpn_gateways = lookup(local.override[local.override_type], "vpn_gateways", local.config.vpn_gateways)
- enable_transit_gateway = lookup(local.override[local.override_type], "enable_transit_gateway", local.config.enable_transit_gateway)
- transit_gateway_global = lookup(local.override[local.override_type], "transit_gateway_global", local.config.transit_gateway_global)
- transit_gateway_resource_group = lookup(local.override[local.override_type], "transit_gateway_resource_group", local.config.transit_gateway_resource_group)
- transit_gateway_connections = lookup(local.override[local.override_type], "transit_gateway_connections", local.config.transit_gateway_connections)
- ssh_keys = lookup(local.override[local.override_type], "ssh_keys", local.config.ssh_keys)
- network_cidr = lookup(local.override[local.override_type], "network_cidr", var.network_cidr)
- vsi = lookup(local.override[local.override_type], "vsi", local.config.vsi)
- security_groups = lookup(local.override[local.override_type], "security_groups", local.config.security_groups)
- virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
- cos = lookup(local.override[local.override_type], "cos", local.config.object_storage)
- service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
- add_kms_block_storage_s2s = lookup(local.override[local.override_type], "add_kms_block_storage_s2s", local.config.add_kms_block_storage_s2s)
- key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management)
- atracker = lookup(local.override[local.override_type], "atracker", local.config.atracker)
- clusters = lookup(local.override[local.override_type], "clusters", local.config.clusters)
- wait_till = lookup(local.override[local.override_type], "wait_till", "IngressReady")
- appid = lookup(local.override[local.override_type], "appid", local.config.appid)
- f5_vsi = lookup(local.override[local.override_type], "f5_vsi", local.config.f5_deployments)
+ resource_groups = lookup(local.override[local.override_type], "resource_groups", local.config.resource_groups)
+ vpcs = lookup(local.override[local.override_type], "vpcs", local.config.vpcs)
+ vpn_gateways = lookup(local.override[local.override_type], "vpn_gateways", local.config.vpn_gateways)
+ enable_transit_gateway = lookup(local.override[local.override_type], "enable_transit_gateway", local.config.enable_transit_gateway)
+ transit_gateway_global = lookup(local.override[local.override_type], "transit_gateway_global", local.config.transit_gateway_global)
+ transit_gateway_resource_group = lookup(local.override[local.override_type], "transit_gateway_resource_group", local.config.transit_gateway_resource_group)
+ transit_gateway_connections = lookup(local.override[local.override_type], "transit_gateway_connections", local.config.transit_gateway_connections)
+ ssh_keys = lookup(local.override[local.override_type], "ssh_keys", local.config.ssh_keys)
+ network_cidr = lookup(local.override[local.override_type], "network_cidr", var.network_cidr)
+ vsi = lookup(local.override[local.override_type], "vsi", local.config.vsi)
+ security_groups = lookup(local.override[local.override_type], "security_groups", local.config.security_groups)
+ virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
+ cos = lookup(local.override[local.override_type], "cos", local.config.object_storage)
+ service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
+ skip_kms_block_storage_s2s_auth_policy = lookup(local.override[local.override_type], "skip_kms_block_storage_s2s_auth_policy", local.config.skip_kms_block_storage_s2s_auth_policy)
+ skip_all_s2s_auth_policies = lookup(local.override[local.override_type], "skip_all_s2s_auth_policies", local.config.skip_all_s2s_auth_policies)
+ key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management)
+ atracker = lookup(local.override[local.override_type], "atracker", local.config.atracker)
+ clusters = lookup(local.override[local.override_type], "clusters", local.config.clusters)
+ wait_till = lookup(local.override[local.override_type], "wait_till", "IngressReady")
+ appid = lookup(local.override[local.override_type], "appid", local.config.appid)
+ f5_vsi = lookup(local.override[local.override_type], "f5_vsi", local.config.f5_deployments)
f5_template_data = {
tmos_admin_password = lookup(local.override[local.override_type], "f5_template_data", null) == null ? var.tmos_admin_password : lookup(local.override[local.override_type].f5_template_data, "tmos_admin_password", var.tmos_admin_password)
license_type = lookup(local.override[local.override_type], "f5_template_data", null) == null ? var.license_type : lookup(local.override[local.override_type].f5_template_data, "license_type", var.license_type)
diff --git a/patterns/vpc/module/main.tf b/patterns/vpc/module/main.tf
index e94aa6e82..0c0a2dc07 100644
--- a/patterns/vpc/module/main.tf
+++ b/patterns/vpc/module/main.tf
@@ -3,35 +3,36 @@
##############################################################################
module "landing_zone" {
- source = "../../../"
- prefix = var.prefix
- region = var.region
- tags = var.tags
- resource_groups = local.env.resource_groups
- network_cidr = local.env.network_cidr
- vpcs = local.env.vpcs
- vpn_gateways = local.env.vpn_gateways
- enable_transit_gateway = local.env.enable_transit_gateway
- transit_gateway_global = local.env.transit_gateway_global
- transit_gateway_resource_group = local.env.transit_gateway_resource_group
- transit_gateway_connections = local.env.transit_gateway_connections
- ssh_keys = local.env.ssh_keys
- vsi = local.env.vsi
- security_groups = local.env.security_groups
- virtual_private_endpoints = local.env.virtual_private_endpoints
- cos = local.env.cos
- service_endpoints = local.env.service_endpoints
- key_management = local.env.key_management
- add_kms_block_storage_s2s = local.env.add_kms_block_storage_s2s
- atracker = local.env.atracker
- clusters = local.env.clusters
- wait_till = local.env.wait_till
- f5_vsi = local.env.f5_vsi
- f5_template_data = local.env.f5_template_data
- appid = local.env.appid
- teleport_config_data = local.env.teleport_config
- teleport_vsi = local.env.teleport_vsi
- vpc_placement_groups = local.env.vpc_placement_groups
+ source = "../../../"
+ prefix = var.prefix
+ region = var.region
+ tags = var.tags
+ resource_groups = local.env.resource_groups
+ network_cidr = local.env.network_cidr
+ vpcs = local.env.vpcs
+ vpn_gateways = local.env.vpn_gateways
+ enable_transit_gateway = local.env.enable_transit_gateway
+ transit_gateway_global = local.env.transit_gateway_global
+ transit_gateway_resource_group = local.env.transit_gateway_resource_group
+ transit_gateway_connections = local.env.transit_gateway_connections
+ ssh_keys = local.env.ssh_keys
+ vsi = local.env.vsi
+ security_groups = local.env.security_groups
+ virtual_private_endpoints = local.env.virtual_private_endpoints
+ cos = local.env.cos
+ service_endpoints = local.env.service_endpoints
+ key_management = local.env.key_management
+ skip_kms_block_storage_s2s_auth_policy = local.env.skip_kms_block_storage_s2s_auth_policy
+ skip_all_s2s_auth_policies = local.env.skip_all_s2s_auth_policies
+ atracker = local.env.atracker
+ clusters = local.env.clusters
+ wait_till = local.env.wait_till
+ f5_vsi = local.env.f5_vsi
+ f5_template_data = local.env.f5_template_data
+ appid = local.env.appid
+ teleport_config_data = local.env.teleport_config
+ teleport_vsi = local.env.teleport_vsi
+ vpc_placement_groups = local.env.vpc_placement_groups
}
##############################################################################
diff --git a/patterns/vpc/module/variables.tf b/patterns/vpc/module/variables.tf
index e81f79f9b..e3375e6d2 100644
--- a/patterns/vpc/module/variables.tf
+++ b/patterns/vpc/module/variables.tf
@@ -432,10 +432,16 @@ variable "teleport_admin_email" {
# s2s variables
##############################################################################
-variable "add_kms_block_storage_s2s" {
- description = "Whether to create a service-to-service authorization between block storage and the key management service."
+variable "skip_kms_block_storage_s2s_auth_policy" {
+ description = "Whether to skip the creation of a service-to-service authorization policy between block storage and the key management service."
type = bool
- default = true
+ default = false
+}
+
+variable "skip_all_s2s_auth_policies" {
+ description = "Whether to skip the creation of all of the service-to-service authorization policies. If setting to true, policies must be in place on the account before provisioning."
+ type = bool
+ default = false
}
##############################################################################
diff --git a/patterns/vpc/variables.tf b/patterns/vpc/variables.tf
index f9738929a..82456a7cf 100644
--- a/patterns/vpc/variables.tf
+++ b/patterns/vpc/variables.tf
@@ -437,10 +437,16 @@ variable "teleport_admin_email" {
# s2s variables
##############################################################################
-variable "add_kms_block_storage_s2s" {
- description = "Whether to create a service-to-service authorization between block storage and the key management service."
+variable "skip_kms_block_storage_s2s_auth_policy" {
+ description = "Whether to skip the creation of a service-to-service authorization policy between block storage and the key management service."
type = bool
- default = true
+ default = false
+}
+
+variable "skip_all_s2s_auth_policies" {
+ description = "Whether to skip the creation of all of the service-to-service authorization policies. If setting to true, policies must be in place on the account before provisioning."
+ type = bool
+ default = false
}
##############################################################################
diff --git a/patterns/vsi-extension/README.md b/patterns/vsi-extension/README.md
index 127ab26a7..71072428a 100644
--- a/patterns/vsi-extension/README.md
+++ b/patterns/vsi-extension/README.md
@@ -5,7 +5,7 @@ This architecture creates virtual server instances (VSI) in some or all of the s
## Before you begin
- You must have either the [VPC landing zone](https://cloud.ibm.com/catalog/architecture/deploy-arch-ibm-slz-vpc-9fc0fa64-27af-4fed-9dce-47b3640ba739-global) or [Red Hat OpenShift Container Platform on VPC landing zone](https://cloud.ibm.com/catalog/architecture/deploy-arch-ibm-slz-ocp-95fccffc-ae3b-42df-b6d9-80be5914d852-global) deployable architecture deployed.
-- You need an authorization policy that grants access between block storage and the KMS. The policy exists if you set the `add_kms_block_storage_s2s` input variable to `true` (the default value) in your existing landing zone deployable architecture.
-- You need the VPC ID, subnet names, and boot volume encryption key from your existing landing zone deployable architecture. For information about finding these values, see [Adding a VSI to your VPC landing zone deployable architecture](https://cloud.ibm.com/docs/secure-infrastructure-vpc?topic=secure-infrastructure-vpc-ext-with-vsi).
+- The block storage to KMS auth policy must exist. This policy would have been created by one of the above deployable architectures if the `skip_kms_block_storage_s2s_auth_policy` variable was set to `false`, which is default value.
+- You need the VPC ID, subnet names, and boot volume encryption key from your existing landing zone VPC deployable architecture. For information about finding these values, see [Adding a VSI to your VPC landing zone deployable architecture](https://cloud.ibm.com/docs/secure-infrastructure-vpc?topic=secure-infrastructure-vpc-ext-with-vsi).
diff --git a/patterns/vsi/main.tf b/patterns/vsi/main.tf
index f068017cb..17cc0a373 100644
--- a/patterns/vsi/main.tf
+++ b/patterns/vsi/main.tf
@@ -20,71 +20,72 @@ locals {
}
module "vsi_landing_zone" {
- source = "./module"
- prefix = var.prefix
- region = var.region
- tags = var.tags
- network_cidr = var.network_cidr
- vpcs = var.vpcs
- enable_transit_gateway = var.enable_transit_gateway
- transit_gateway_global = var.transit_gateway_global
- ssh_public_key = var.ssh_public_key
- existing_ssh_key_name = var.existing_ssh_key_name
- add_atracker_route = var.add_atracker_route
- hs_crypto_instance_name = var.hs_crypto_instance_name
- hs_crypto_resource_group = var.hs_crypto_resource_group
- use_random_cos_suffix = var.use_random_cos_suffix
- vsi_image_name = var.vsi_image_name
- vsi_instance_profile = var.vsi_instance_profile
- vsi_per_subnet = var.vsi_per_subnet
- add_edge_vpc = var.add_edge_vpc
- create_f5_network_on_management_vpc = var.create_f5_network_on_management_vpc
- provision_teleport_in_f5 = var.provision_teleport_in_f5
- vpn_firewall_type = var.vpn_firewall_type
- f5_image_name = var.f5_image_name
- f5_instance_profile = var.f5_instance_profile
- hostname = var.hostname
- domain = var.domain
- tmos_admin_password = var.tmos_admin_password
- license_type = var.license_type
- byol_license_basekey = var.byol_license_basekey
- license_host = var.license_host
- license_username = var.license_username
- license_password = var.license_password
- license_pool = var.license_pool
- license_sku_keyword_1 = var.license_sku_keyword_1
- license_sku_keyword_2 = var.license_sku_keyword_2
- license_unit_of_measure = var.license_unit_of_measure
- do_declaration_url = var.do_declaration_url
- as3_declaration_url = var.as3_declaration_url
- ts_declaration_url = var.ts_declaration_url
- phone_home_url = var.phone_home_url
- template_source = var.template_source
- template_version = var.template_version
- app_id = var.app_id
- tgactive_url = var.tgactive_url
- tgstandby_url = var.tgstandby_url
- tgrefresh_url = var.tgrefresh_url
- enable_f5_management_fip = var.enable_f5_management_fip
- enable_f5_external_fip = var.enable_f5_external_fip
- teleport_management_zones = var.teleport_management_zones
- use_existing_appid = var.use_existing_appid
- appid_name = var.appid_name
- appid_resource_group = var.appid_resource_group
- teleport_instance_profile = var.teleport_instance_profile
- teleport_vsi_image_name = var.teleport_vsi_image_name
- teleport_license = var.teleport_license
- https_cert = var.https_cert
- https_key = var.https_key
- teleport_hostname = var.teleport_hostname
- teleport_domain = var.teleport_domain
- teleport_version = var.teleport_version
- message_of_the_day = var.message_of_the_day
- teleport_admin_email = var.teleport_admin_email
- add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
- override = var.override
- override_json_string = var.override_json_string
- override_json_path = local.override_json_path
+ source = "./module"
+ prefix = var.prefix
+ region = var.region
+ tags = var.tags
+ network_cidr = var.network_cidr
+ vpcs = var.vpcs
+ enable_transit_gateway = var.enable_transit_gateway
+ transit_gateway_global = var.transit_gateway_global
+ ssh_public_key = var.ssh_public_key
+ existing_ssh_key_name = var.existing_ssh_key_name
+ add_atracker_route = var.add_atracker_route
+ hs_crypto_instance_name = var.hs_crypto_instance_name
+ hs_crypto_resource_group = var.hs_crypto_resource_group
+ use_random_cos_suffix = var.use_random_cos_suffix
+ vsi_image_name = var.vsi_image_name
+ vsi_instance_profile = var.vsi_instance_profile
+ vsi_per_subnet = var.vsi_per_subnet
+ add_edge_vpc = var.add_edge_vpc
+ create_f5_network_on_management_vpc = var.create_f5_network_on_management_vpc
+ provision_teleport_in_f5 = var.provision_teleport_in_f5
+ vpn_firewall_type = var.vpn_firewall_type
+ f5_image_name = var.f5_image_name
+ f5_instance_profile = var.f5_instance_profile
+ hostname = var.hostname
+ domain = var.domain
+ tmos_admin_password = var.tmos_admin_password
+ license_type = var.license_type
+ byol_license_basekey = var.byol_license_basekey
+ license_host = var.license_host
+ license_username = var.license_username
+ license_password = var.license_password
+ license_pool = var.license_pool
+ license_sku_keyword_1 = var.license_sku_keyword_1
+ license_sku_keyword_2 = var.license_sku_keyword_2
+ license_unit_of_measure = var.license_unit_of_measure
+ do_declaration_url = var.do_declaration_url
+ as3_declaration_url = var.as3_declaration_url
+ ts_declaration_url = var.ts_declaration_url
+ phone_home_url = var.phone_home_url
+ template_source = var.template_source
+ template_version = var.template_version
+ app_id = var.app_id
+ tgactive_url = var.tgactive_url
+ tgstandby_url = var.tgstandby_url
+ tgrefresh_url = var.tgrefresh_url
+ enable_f5_management_fip = var.enable_f5_management_fip
+ enable_f5_external_fip = var.enable_f5_external_fip
+ teleport_management_zones = var.teleport_management_zones
+ use_existing_appid = var.use_existing_appid
+ appid_name = var.appid_name
+ appid_resource_group = var.appid_resource_group
+ teleport_instance_profile = var.teleport_instance_profile
+ teleport_vsi_image_name = var.teleport_vsi_image_name
+ teleport_license = var.teleport_license
+ https_cert = var.https_cert
+ https_key = var.https_key
+ teleport_hostname = var.teleport_hostname
+ teleport_domain = var.teleport_domain
+ teleport_version = var.teleport_version
+ message_of_the_day = var.message_of_the_day
+ teleport_admin_email = var.teleport_admin_email
+ skip_kms_block_storage_s2s_auth_policy = var.skip_kms_block_storage_s2s_auth_policy
+ skip_all_s2s_auth_policies = var.skip_all_s2s_auth_policies
+ override = var.override
+ override_json_string = var.override_json_string
+ override_json_path = local.override_json_path
}
moved {
diff --git a/patterns/vsi/module/config.tf b/patterns/vsi/module/config.tf
index 7dbc1ffb5..25515c3d4 100644
--- a/patterns/vsi/module/config.tf
+++ b/patterns/vsi/module/config.tf
@@ -156,7 +156,8 @@ locals {
##############################################################################
# S2S Authorization
##############################################################################
- add_kms_block_storage_s2s = var.add_kms_block_storage_s2s
+ skip_kms_block_storage_s2s_auth_policy = var.skip_kms_block_storage_s2s_auth_policy
+ skip_all_s2s_auth_policies = var.skip_all_s2s_auth_policies
##############################################################################
@@ -214,20 +215,21 @@ locals {
transit_gateway_resource_group = lookup(local.override[local.override_type], "transit_gateway_resource_group", local.config.transit_gateway_resource_group)
transit_gateway_connections = lookup(local.override[local.override_type], "transit_gateway_connections", local.config.transit_gateway_connections)
- ssh_keys = lookup(local.override[local.override_type], "ssh_keys", local.ssh_keys)
- network_cidr = lookup(local.override[local.override_type], "network_cidr", var.network_cidr)
- vsi = lookup(local.override[local.override_type], "vsi", local.config.vsi)
- security_groups = lookup(local.override[local.override_type], "security_groups", local.config.security_groups)
- virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
- cos = lookup(local.override[local.override_type], "cos", local.config.object_storage)
- service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
- add_kms_block_storage_s2s = lookup(local.override[local.override_type], "add_kms_block_storage_s2s", local.config.add_kms_block_storage_s2s)
- key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management)
- atracker = lookup(local.override[local.override_type], "atracker", local.config.atracker)
- clusters = lookup(local.override[local.override_type], "clusters", local.config.clusters)
- wait_till = lookup(local.override[local.override_type], "wait_till", "IngressReady")
- appid = lookup(local.override[local.override_type], "appid", local.config.appid)
- f5_vsi = lookup(local.override[local.override_type], "f5_vsi", local.config.f5_deployments)
+ ssh_keys = lookup(local.override[local.override_type], "ssh_keys", local.ssh_keys)
+ network_cidr = lookup(local.override[local.override_type], "network_cidr", var.network_cidr)
+ vsi = lookup(local.override[local.override_type], "vsi", local.config.vsi)
+ security_groups = lookup(local.override[local.override_type], "security_groups", local.config.security_groups)
+ virtual_private_endpoints = lookup(local.override[local.override_type], "virtual_private_endpoints", local.config.virtual_private_endpoints)
+ cos = lookup(local.override[local.override_type], "cos", local.config.object_storage)
+ service_endpoints = lookup(local.override[local.override_type], "service_endpoints", var.service_endpoints)
+ skip_kms_block_storage_s2s_auth_policy = lookup(local.override[local.override_type], "skip_kms_block_storage_s2s_auth_policy", local.config.skip_kms_block_storage_s2s_auth_policy)
+ skip_all_s2s_auth_policies = lookup(local.override[local.override_type], "skip_all_s2s_auth_policies", local.config.skip_all_s2s_auth_policies)
+ key_management = lookup(local.override[local.override_type], "key_management", local.config.key_management)
+ atracker = lookup(local.override[local.override_type], "atracker", local.config.atracker)
+ clusters = lookup(local.override[local.override_type], "clusters", local.config.clusters)
+ wait_till = lookup(local.override[local.override_type], "wait_till", "IngressReady")
+ appid = lookup(local.override[local.override_type], "appid", local.config.appid)
+ f5_vsi = lookup(local.override[local.override_type], "f5_vsi", local.config.f5_deployments)
f5_template_data = {
tmos_admin_password = lookup(local.override[local.override_type], "f5_template_data", null) == null ? var.tmos_admin_password : lookup(local.override[local.override_type].f5_template_data, "tmos_admin_password", var.tmos_admin_password)
license_type = lookup(local.override[local.override_type], "f5_template_data", null) == null ? var.license_type : lookup(local.override[local.override_type].f5_template_data, "license_type", var.license_type)
diff --git a/patterns/vsi/module/main.tf b/patterns/vsi/module/main.tf
index cd5986baa..ebaf97008 100644
--- a/patterns/vsi/module/main.tf
+++ b/patterns/vsi/module/main.tf
@@ -3,35 +3,36 @@
##############################################################################
module "landing_zone" {
- source = "../../../"
- prefix = var.prefix
- region = var.region
- tags = var.tags
- resource_groups = local.env.resource_groups
- network_cidr = local.env.network_cidr
- vpcs = local.env.vpcs
- enable_transit_gateway = local.env.enable_transit_gateway
- transit_gateway_global = local.env.transit_gateway_global
- vpn_gateways = local.env.vpn_gateways
- transit_gateway_resource_group = local.env.transit_gateway_resource_group
- transit_gateway_connections = local.env.transit_gateway_connections
- ssh_keys = local.env.ssh_keys
- vsi = local.env.vsi
- security_groups = local.env.security_groups
- virtual_private_endpoints = local.env.virtual_private_endpoints
- cos = local.env.cos
- service_endpoints = local.env.service_endpoints
- key_management = local.env.key_management
- add_kms_block_storage_s2s = local.env.add_kms_block_storage_s2s
- atracker = local.env.atracker
- clusters = local.env.clusters
- wait_till = local.env.wait_till
- f5_vsi = local.env.f5_vsi
- f5_template_data = local.env.f5_template_data
- appid = local.env.appid
- teleport_config_data = local.env.teleport_config
- teleport_vsi = local.env.teleport_vsi
- vpc_placement_groups = local.env.vpc_placement_groups
+ source = "../../../"
+ prefix = var.prefix
+ region = var.region
+ tags = var.tags
+ resource_groups = local.env.resource_groups
+ network_cidr = local.env.network_cidr
+ vpcs = local.env.vpcs
+ enable_transit_gateway = local.env.enable_transit_gateway
+ transit_gateway_global = local.env.transit_gateway_global
+ vpn_gateways = local.env.vpn_gateways
+ transit_gateway_resource_group = local.env.transit_gateway_resource_group
+ transit_gateway_connections = local.env.transit_gateway_connections
+ ssh_keys = local.env.ssh_keys
+ vsi = local.env.vsi
+ security_groups = local.env.security_groups
+ virtual_private_endpoints = local.env.virtual_private_endpoints
+ cos = local.env.cos
+ service_endpoints = local.env.service_endpoints
+ key_management = local.env.key_management
+ skip_kms_block_storage_s2s_auth_policy = local.env.skip_kms_block_storage_s2s_auth_policy
+ skip_all_s2s_auth_policies = local.env.skip_all_s2s_auth_policies
+ atracker = local.env.atracker
+ clusters = local.env.clusters
+ wait_till = local.env.wait_till
+ f5_vsi = local.env.f5_vsi
+ f5_template_data = local.env.f5_template_data
+ appid = local.env.appid
+ teleport_config_data = local.env.teleport_config
+ teleport_vsi = local.env.teleport_vsi
+ vpc_placement_groups = local.env.vpc_placement_groups
}
##############################################################################
diff --git a/patterns/vsi/module/variables.tf b/patterns/vsi/module/variables.tf
index 16fcbe31d..287ffdada 100644
--- a/patterns/vsi/module/variables.tf
+++ b/patterns/vsi/module/variables.tf
@@ -464,10 +464,16 @@ variable "teleport_admin_email" {
# s2s variables
##############################################################################
-variable "add_kms_block_storage_s2s" {
- description = "Whether to create a service-to-service authorization between block storage and the key management service."
+variable "skip_kms_block_storage_s2s_auth_policy" {
+ description = "Whether to skip the creation of a service-to-service authorization policy between block storage and the key management service."
type = bool
- default = true
+ default = false
+}
+
+variable "skip_all_s2s_auth_policies" {
+ description = "Whether to skip the creation of all of the service-to-service authorization policies. If setting to true, policies must be in place on the account before provisioning."
+ type = bool
+ default = false
}
##############################################################################
diff --git a/patterns/vsi/variables.tf b/patterns/vsi/variables.tf
index 8e5bcbf6a..77fee9975 100644
--- a/patterns/vsi/variables.tf
+++ b/patterns/vsi/variables.tf
@@ -470,10 +470,16 @@ variable "teleport_admin_email" {
# s2s variables
##############################################################################
-variable "add_kms_block_storage_s2s" {
- description = "Whether to create a service-to-service authorization between block storage and the key management service."
+variable "skip_kms_block_storage_s2s_auth_policy" {
+ description = "Whether to skip the creation of a service-to-service authorization policy between block storage and the key management service."
type = bool
- default = true
+ default = false
+}
+
+variable "skip_all_s2s_auth_policies" {
+ description = "Whether to skip the creation of all of the service-to-service authorization policies. If setting to true, policies must be in place on the account before provisioning."
+ type = bool
+ default = false
}
##############################################################################
diff --git a/service_authorizations.tf b/service_authorizations.tf
index 2b2187396..8f2307853 100644
--- a/service_authorizations.tf
+++ b/service_authorizations.tf
@@ -16,7 +16,7 @@ locals {
##############################################################################
resource "ibm_iam_authorization_policy" "policy" {
- for_each = local.authorization_policies
+ for_each = var.skip_all_s2s_auth_policies == true ? null : local.authorization_policies
source_service_name = each.value.source_service_name
source_resource_type = lookup(each.value, "source_resource_type", null)
source_resource_instance_id = lookup(each.value, "source_resource_instance_id", null)
diff --git a/tests/other_test.go b/tests/other_test.go
index 475e3dba2..21a9078a6 100644
--- a/tests/other_test.go
+++ b/tests/other_test.go
@@ -15,7 +15,7 @@ func TestRunRoksPatternWithHPCS(t *testing.T) {
options.TerraformVars["hs_crypto_instance_name"] = permanentResources["hpcs_name_south"]
options.TerraformVars["hs_crypto_resource_group"] = permanentResources["hpcs_rg_south"]
- options.TerraformVars["add_kms_block_storage_s2s"] = false
+ options.TerraformVars["skip_kms_block_storage_s2s_auth_policy"] = true
// If "jp-osa" was the best region selected, default to us-south instead.
// "jp-osa" is currently not allowing hs-crypto be used for encrypting buckets in that region.
currentRegion, ok := options.TerraformVars["region"]
@@ -36,7 +36,7 @@ func TestRunVSIPatternWithHPCS(t *testing.T) {
options.TerraformVars["hs_crypto_instance_name"] = permanentResources["hpcs_name_south"]
options.TerraformVars["hs_crypto_resource_group"] = permanentResources["hpcs_rg_south"]
- options.TerraformVars["add_kms_block_storage_s2s"] = false
+ options.TerraformVars["skip_kms_block_storage_s2s_auth_policy"] = true
// If "jp-osa" was the best region selected, default to us-south instead.
// "jp-osa" is currently not allowing hs-crypto be used for encrypting buckets in that region.
currentRegion, ok := options.TerraformVars["region"]
diff --git a/variables.tf b/variables.tf
index ee12fc311..cd34b6cd7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1247,10 +1247,16 @@ variable "vpc_placement_groups" {
# s2s variables
##############################################################################
-variable "add_kms_block_storage_s2s" {
- description = "Whether to create a service-to-service authorization between block storage and the key management service."
+variable "skip_kms_block_storage_s2s_auth_policy" {
+ description = "Whether to skip the creation of a service-to-service authorization policy between block storage and the key management service."
type = bool
- default = true
+ default = false
+}
+
+variable "skip_all_s2s_auth_policies" {
+ description = "Whether to skip the creation of all of the service-to-service authorization policies. If setting to true, policies must be in place on the account before provisioning."
+ type = bool
+ default = false
}
##############################################################################