feat: initial commit (#126)

* feat: initial commit

* fix: tests

* fix: testOptions

* chore(deps): update module github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper to v1.3.2 (#101)

Co-authored-by: Renovate Bot <[email protected]>

* chore(deps): update module github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper to v1.3.4 (#102)

Co-authored-by: Renovate Bot <[email protected]>

* chore(deps): update module github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper to v1.3.5 (#104)

Co-authored-by: Renovate Bot <[email protected]>

* chore(deps): update module github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper to v1.3.7 (#107)

Co-authored-by: Renovate Bot <[email protected]>

* chore(deps): update module github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper to v1.3.8 (#108)

Co-authored-by: Renovate Bot <[email protected]>

* chore(deps): update module github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper to v1.4.0 (#115)

Co-authored-by: Renovate Bot <[email protected]>

* chore(deps): update module github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper to v1.4.1 (#116)

Co-authored-by: Renovate Bot <[email protected]>

* chore(deps): update module github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper to v1.4.2 (#124)

Co-authored-by: Renovate Bot <[email protected]>

* feat: initial commit

Co-authored-by: Terraform IBM Modules Operations <[email protected]>
Co-authored-by: Renovate Bot <[email protected]>

README.md

@@ -128,28 +128,42 @@ statement instead the previous block.
 <!-- BEGIN EXAMPLES HOOK -->
 ## Examples
 
-- [ Default example](examples/default)
-- [ Example that uses existing resources](examples/existing-resources)
-- [ Non default example](examples/non-default)
+- [Examples](examples)
 <!-- END EXAMPLES HOOK -->
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.2 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | ~>1.43.0 |
 
 ## Modules
 
 No modules.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [ibm_is_subnet_reserved_ip.ip](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_subnet_reserved_ip) | resource |
+| [ibm_is_virtual_endpoint_gateway.vpe](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_virtual_endpoint_gateway) | resource |
+| [ibm_is_virtual_endpoint_gateway_ip.endpoint_gateway_ip](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_virtual_endpoint_gateway_ip) | resource |
 
 ## Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cloud_service_by_crn"></a> [cloud\_service\_by\_crn](#input\_cloud\_service\_by\_crn) | List of cloud service CRNs. Each CRN will have a unique endpoint gateways created. For a list of supported services, see the docs [here](https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-supported-services). | <pre>list(<br>    object({<br>      name = string # service name<br>      crn  = string # service crn<br>    })<br>  )</pre> | `[]` | no |
+| <a name="input_cloud_services"></a> [cloud\_services](#input\_cloud\_services) | List of cloud services to create an endpoint gateway. | `list(string)` | <pre>[<br>  "kms",<br>  "cloud-object-storage"<br>]</pre> | no |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix that you would like to append to your resources | `string` | `"vpe"` | no |
+| <a name="input_region"></a> [region](#input\_region) | The region where VPC and services are deployed | `string` | `"us-south"` | no |
+| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | ID of the resource group where endpoint gateways will be provisioned | `string` | `null` | no |
+| <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | List of security group ids to attach to each endpoint gateway. | `list(string)` | `null` | no |
+| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Service endpoints to use to create endpoint gateways. Can be `public`, or `private`. | `string` | `"private"` | no |
+| <a name="input_subnet_zone_list"></a> [subnet\_zone\_list](#input\_subnet\_zone\_list) | List of subnets in the VPC where gateways and reserved IPs will be provisioned. This value is intended to use the `subnet_zone_list` output from the ICSE VPC Subnet Module (https://github.com/Cloud-Schematics/vpc-subnet-module) or from templates using that module for subnet creation. | <pre>list(<br>    object({<br>      name = string<br>      id   = string<br>      zone = optional(string)<br>      cidr = optional(string)<br>    })<br>  )</pre> | `[]` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC where the Endpoint Gateways will be created | `string` | `null` | no |
+| <a name="input_vpc_name"></a> [vpc\_name](#input\_vpc\_name) | Name of the VPC where the Endpoint Gateways will be created. This value is used to dynamically generate VPE names. | `string` | `"vpc"` | no |
 
 ## Outputs
 

examples/default/main.tf

@@ -1,20 +1,103 @@
 ##############################################################################
-# Resource Group
+# VPE Locals
 ##############################################################################
 
-module "resource_group" {
-  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-resource-group.git?ref=v1.0.5"
-  # if an existing resource group is not set (null) create a new one using prefix
-  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
-  existing_resource_group_name = var.resource_group
+locals {
+  # List of Gateways to create
+  gateway_list = var.vpc_id == null ? [] : concat([
+    # Create object for each service
+    for service in var.cloud_services :
+    {
+      name    = "${var.vpc_name}-${service}"
+      service = service
+      crn     = null
+    }
+    ],
+    [
+      for service in var.cloud_service_by_crn :
+      {
+        name    = "${var.vpc_name}-${service.name}"
+        service = null
+        crn     = service.crn
+      }
+    ]
+  )
+
+  # List of IPs to create
+  endpoint_ip_list = var.vpc_id == null ? [] : flatten([
+    # Create object for each subnet
+    for subnet in var.subnet_zone_list :
+    [
+      for service in var.cloud_services :
+      {
+        ip_name      = "${subnet.name}-${service}-gateway-${replace(subnet.zone, "/${var.region}-/", "")}-ip"
+        subnet_id    = subnet.id
+        gateway_name = "${var.vpc_name}-${service}"
+      }
+    ]
+  ])
+
+  # Map of Services to endpoints
+  service_to_endpoint_map = {
+    kms                  = "crn:v1:bluemix:public:kms:${var.region}:::endpoint:${var.service_endpoints}.${var.region}.kms.cloud.ibm.com"
+    hs-crypt             = "crn:v1:bluemix:public:hs-crypto:${var.region}:::endpoint:api.${var.service_endpoints}.${var.region}.hs-crypto.cloud.ibm.com"
+    cloud-object-storage = "crn:v1:bluemix:public:cloud-object-storage:global:::endpoint:s3.direct.${var.region}.cloud-object-storage.appdomain.cloud"
+    container-registry   = "crn:v1:bluemix:public:container-registry:${var.region}:::endpoint:vpe.${var.region}.container-registry.cloud.ibm.com"
+  }
 }
 
 ##############################################################################
-# VPC
+
+##############################################################################
+# Create Reserved IPs
 ##############################################################################
 
-resource "ibm_is_vpc" "vpc" {
-  name           = "${var.prefix}-vpc"
-  resource_group = module.resource_group.resource_group_id
-  tags           = var.resource_tags
+resource "ibm_is_subnet_reserved_ip" "ip" {
+  for_each = {
+    # Create a map based on endpoint IP name
+    for gateway_ip in local.endpoint_ip_list :
+    (gateway_ip.ip_name) => gateway_ip
+  }
+  subnet = each.value.subnet_id
 }
+
+##############################################################################
+
+##############################################################################
+# Create Endpoint Gateways
+##############################################################################
+
+resource "ibm_is_virtual_endpoint_gateway" "vpe" {
+  for_each = {
+    # Create map based on gateway name if enabled
+    for gateway in local.gateway_list :
+    (gateway.name) => gateway
+  }
+
+  name            = "${var.prefix}-${each.key}-endpoint-gateway"
+  vpc             = var.vpc_id
+  resource_group  = var.resource_group_id
+  security_groups = var.security_group_ids
+  target {
+    crn           = each.value.service == null ? each.value.crn : local.service_to_endpoint_map[each.value.service]
+    resource_type = "provider_cloud_service"
+  }
+}
+
+##############################################################################
+
+##############################################################################
+# Attach Endpoint Gateways to Reserved IPs
+##############################################################################
+
+resource "ibm_is_virtual_endpoint_gateway_ip" "endpoint_gateway_ip" {
+  for_each = {
+    # Create a map based on endpoint IP
+    for gateway_ip in local.endpoint_ip_list :
+    (gateway_ip.ip_name) => gateway_ip
+  }
+  gateway     = ibm_is_virtual_endpoint_gateway.vpe[each.value.gateway_name].id
+  reserved_ip = ibm_is_subnet_reserved_ip.ip[each.key].reserved_ip
+}
+
+##############################################################################

examples/default/outputs.tf

@@ -1,18 +1,3 @@
 ##############################################################################
-# Outputs
+# Please open an issue to suggest outputs for this module
 ##############################################################################
-
-output "vpc_id" {
-  description = "ID of VPC created"
-  value       = ibm_is_vpc.vpc.id
-}
-
-output "resource_group_name" {
-  description = "Resource group name"
-  value       = module.resource_group.resource_group_name
-}
-
-output "resource_group_id" {
-  description = "Resource group ID"
-  value       = module.resource_group.resource_group_id
-}

examples/default/variables.tf

@@ -1,29 +1,102 @@
-variable "ibmcloud_api_key" {
-  type        = string
-  description = "The IBM Cloud API Key"
-  sensitive   = true
-}
+##############################################################################
+# VPC Variables
+##############################################################################
 
 variable "region" {
+  description = "The region where VPC and services are deployed"
   type        = string
-  description = "Region to provision all resources created by this example"
   default     = "us-south"
 }
 
 variable "prefix" {
+  description = "The prefix that you would like to append to your resources"
   type        = string
-  description = "Prefix to append to all resources created by this example"
-  default     = "terraform"
+  default     = "vpe"
 }
 
-variable "resource_group" {
+variable "vpc_name" {
+  description = "Name of the VPC where the Endpoint Gateways will be created. This value is used to dynamically generate VPE names."
+  type        = string
+  default     = "vpc"
+}
+
+variable "vpc_id" {
+  description = "ID of the VPC where the Endpoint Gateways will be created"
+  type        = string
+  default     = null
+}
+
+variable "subnet_zone_list" {
+  description = "List of subnets in the VPC where gateways and reserved IPs will be provisioned. This value is intended to use the `subnet_zone_list` output from the ICSE VPC Subnet Module (https://github.com/Cloud-Schematics/vpc-subnet-module) or from templates using that module for subnet creation."
+  type = list(
+    object({
+      name = string
+      id   = string
+      zone = optional(string)
+      cidr = optional(string)
+    })
+  )
+  default = []
+}
+
+##############################################################################
+
+##############################################################################
+# VPE Variables
+##############################################################################
+
+variable "resource_group_id" {
+  description = "ID of the resource group where endpoint gateways will be provisioned"
   type        = string
-  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
   default     = null
 }
 
-variable "resource_tags" {
+variable "security_group_ids" {
+  description = "List of security group ids to attach to each endpoint gateway."
   type        = list(string)
-  description = "Optional list of tags to be added to created resources"
-  default     = []
+  default     = null
 }
+
+
+variable "cloud_services" {
+  description = "List of cloud services to create an endpoint gateway."
+  type        = list(string)
+  default     = ["kms", "cloud-object-storage"]
+
+  validation {
+    error_message = "Currently the only supported services are Key Protect (`kms`), Cloud Object Storage (`cloud-object-storage`), Container Registry (`container-registry`), and Hyper Protect Crypto Services (`hs-crypto`). Any other VPE services must be added using `cloud_service_by_crn`."
+    condition = length(var.cloud_services) == 0 ? true : length([
+      for service in var.cloud_services :
+      service if !contains([
+        "kms",
+        "hs-crypto",
+        "cloud-object-storage",
+        "container-registry"
+      ], service)
+    ]) == 0
+  }
+}
+
+variable "cloud_service_by_crn" {
+  description = "List of cloud service CRNs. Each CRN will have a unique endpoint gateways created. For a list of supported services, see the docs [here](https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-supported-services)."
+  type = list(
+    object({
+      name = string # service name
+      crn  = string # service crn
+    })
+  )
+  default = []
+}
+
+variable "service_endpoints" {
+  description = "Service endpoints to use to create endpoint gateways. Can be `public`, or `private`."
+  type        = string
+  default     = "private"
+
+  validation {
+    error_message = "Service endpoints can only be `public` or `private`."
+    condition     = contains(["public", "private"], var.service_endpoints)
+  }
+}
+
+##############################################################################

examples/default/versions.tf

@@ -0,0 +1,16 @@
+##############################################################################
+# Terraform Providers
+##############################################################################
+
+terraform {
+  required_providers {
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = "~>1.43.0"
+    }
+  }
+  required_version = ">=1.2"
+  experiments      = [module_variable_optional_attrs]
+}
+
+##############################################################################