locals {
  # Optional naming prefix. An unset or whitespace-only var.prefix collapses to "" so
  # the "${local.prefix}<name>" concatenations in this file add nothing; note that no
  # separator is inserted here, a caller wanting one must include it in var.prefix.
  prefix = var.prefix != null && trimspace(var.prefix) != "" ? var.prefix : ""
}
##############################################################################
# Resource Group
##############################################################################
module "resource_group" {
  # Resolves the resource group that the VPC and its supporting resources are placed in.
  # Only an existing group name is passed, so this call is expected to look a group up
  # rather than create one (confirm against the module's inputs if that changes).
  source  = "terraform-ibm-modules/resource-group/ibm"
  version = "1.1.6"

  existing_resource_group_name = var.existing_resource_group_name
}
#############################################################################
# COS Bucket for VPC flow logs
#############################################################################
# parse COS details from the existing COS instance CRN
module "existing_cos_crn_parser" {
  # Splits the caller-supplied COS instance CRN into its components; only the
  # service_instance (GUID) part is consumed in this file. Absent when no CRN is given.
  count = var.existing_cos_instance_crn != null ? 1 : 0

  source  = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
  version = "1.1.0"

  crn = var.existing_cos_instance_crn
}
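locals {
  # GUID of the existing COS instance that will own the flow-logs bucket
  # (null when no COS CRN was supplied; the parser module then has count 0).
  cos_instance_guid = var.existing_cos_instance_crn != null ? module.existing_cos_crn_parser[0].service_instance : null
  bucket_name       = "${local.prefix}${var.flow_logs_cos_bucket_name}"

  # True when the caller supplied an existing KMS key CRN (the key-CRN parser then has count 1).
  use_existing_kms_key = length(module.existing_kms_key_crn_parser) > 0

  # KMS details used for bucket encryption. Each CRN parser only exists when its own CRN was
  # supplied, so every value below must be read from the SAME parser: the key-CRN parser when a
  # key CRN was given, otherwise the instance-CRN parser. Previously kms_service read the
  # opposite parser from kms_guid/kms_account_id, which fails with an out-of-range index on
  # an empty module list whenever only one of the two CRNs is provided.
  kms_guid       = var.kms_encryption_enabled_bucket ? (local.use_existing_kms_key ? module.existing_kms_key_crn_parser[0].service_instance : module.existing_kms_instance_crn_parser[0].service_instance) : null
  kms_account_id = var.kms_encryption_enabled_bucket ? (local.use_existing_kms_key ? module.existing_kms_key_crn_parser[0].account_id : module.existing_kms_instance_crn_parser[0].account_id) : null
  kms_service    = var.kms_encryption_enabled_bucket ? (local.use_existing_kms_key ? module.existing_kms_key_crn_parser[0].service_name : module.existing_kms_instance_crn_parser[0].service_name) : null

  # Key CRN handed to the bucket: the caller's existing key, or the one created by module.kms.
  cos_kms_key_crn = var.kms_encryption_enabled_bucket ? (local.use_existing_kms_key ? var.existing_flow_logs_bucket_kms_key_crn : module.kms[0].keys[format("%s.%s", local.kms_key_ring_name, local.kms_key_name)].crn) : null

  # The COS -> KMS Reader policy is only needed when flow logs and bucket encryption are both
  # enabled and the caller has not opted to manage that policy themselves.
  create_cos_kms_iam_auth_policy = var.enable_vpc_flow_logs && var.kms_encryption_enabled_bucket && !var.skip_cos_kms_iam_auth_policy

  # Single bucket definition consumed by module.cos_buckets.
  bucket_config = [{
    access_tags                   = var.access_tags
    bucket_name                   = local.bucket_name
    add_bucket_name_suffix        = var.add_bucket_name_suffix
    kms_encryption_enabled        = var.kms_encryption_enabled_bucket
    kms_guid                      = local.kms_guid
    kms_key_crn                   = local.cos_kms_key_crn
    skip_iam_authorization_policy = var.skip_cos_kms_iam_auth_policy
    management_endpoint_type      = var.management_endpoint_type_for_bucket
    storage_class                 = var.cos_bucket_class
    resource_instance_id          = var.existing_cos_instance_crn
    region_location               = var.region
    force_delete                  = var.force_delete
    # Lifecycle: no archiving or expiry and no retention policy; object versioning is on.
    archive_days              = null
    expire_days               = null
    retention_enabled         = false
    object_versioning_enabled = true
  }]
}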
module "cos_buckets" {
  # The flow-logs bucket is only created when flow logs are enabled; its definition
  # (encryption, storage class, lifecycle) lives in local.bucket_config.
  count = var.enable_vpc_flow_logs ? 1 : 0

  source  = "terraform-ibm-modules/cos/ibm//modules/buckets"
  version = "8.19.2"

  bucket_configs = local.bucket_config
}
# Create IAM Authorization Policy to allow COS to access KMS for the encryption key
resource "ibm_iam_authorization_policy" "cos_kms_iam_auth_policy" {
  count = local.create_cos_kms_iam_auth_policy ? 1 : 0

  # Source side: the COS instance that owns the flow-logs bucket. Only the Reader role is
  # granted, and the target is narrowed below to one key in one KMS instance and account.
  source_service_name         = "cloud-object-storage"
  source_resource_instance_id = local.cos_instance_guid
  roles                       = ["Reader"]
  description                 = "Allow the COS instance ${local.cos_instance_guid} to read the ${local.kms_service} key ${local.cos_kms_key_crn} from the instance ${local.kms_guid}"

  # Target attributes, from broadest (service) to narrowest (the key CRN). A list is used
  # rather than a map so the emitted block order matches the original declaration order.
  dynamic "resource_attributes" {
    for_each = [
      { name = "serviceName", value = local.kms_service },
      { name = "accountId", value = local.kms_account_id },
      { name = "serviceInstance", value = local.kms_guid },
      { name = "resourceType", value = "key" },
      { name = "resource", value = local.cos_kms_key_crn },
    ]
    content {
      name     = resource_attributes.value.name
      operator = "stringEquals"
      value    = resource_attributes.value.value
    }
  }

  # Because the policy is pinned to a specific key, a key change replaces the policy.
  # Creating the replacement before destroying the old one avoids a window in which COS
  # has no read access to the key and day-to-day services would be disrupted.
  lifecycle {
    create_before_destroy = true
  }
}
#######################################################################################################################
# KMS Key
#######################################################################################################################
# parse KMS details from the existing KMS instance CRN
module "existing_kms_instance_crn_parser" {
  # Breaks the existing KMS instance CRN into its parts (region, account, service instance,
  # service name). Only instantiated when bucket encryption is on and an instance CRN is given.
  count = var.kms_encryption_enabled_bucket && var.existing_kms_instance_crn != null ? 1 : 0

  source  = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
  version = "1.1.0"

  crn = var.existing_kms_instance_crn
}
# parse KMS details from the existing KMS key CRN
module "existing_kms_key_crn_parser" {
  # Breaks the caller-supplied KMS key CRN into its parts. Only instantiated when bucket
  # encryption is on and a key CRN is given; its presence is what selects the
  # "use an existing key" path in the COS locals above.
  count = var.kms_encryption_enabled_bucket && var.existing_flow_logs_bucket_kms_key_crn != null ? 1 : 0

  source  = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
  version = "1.1.0"

  crn = var.existing_flow_logs_bucket_kms_key_crn
}
locals {
  # Region of the existing KMS instance, taken from its parsed CRN; null unless bucket
  # encryption is on and an instance CRN was supplied (the parser then has count 1).
  kms_region = var.kms_encryption_enabled_bucket && var.existing_kms_instance_crn != null ? module.existing_kms_instance_crn_parser[0].region : null

  # Names of the key ring / key created by module.kms when no existing key CRN is given.
  kms_key_ring_name = "${local.prefix}${var.flow_logs_cos_key_ring_name}"
  kms_key_name      = "${local.prefix}${var.flow_logs_cos_key_name}"

  # A new key is created only when all four hold: flow logs enabled, bucket encryption
  # enabled, no existing key CRN supplied, and an existing KMS instance CRN supplied.
  # (Same truth table as the original nested conditionals, written as one conjunction.)
  create_kms_key = (
    var.enable_vpc_flow_logs
    && var.kms_encryption_enabled_bucket
    && var.existing_flow_logs_bucket_kms_key_crn == null
    && var.existing_kms_instance_crn != null
  )
}
module "kms" {
  # Creates the key ring and key that encrypt the flow-logs bucket. Skipped entirely when
  # an existing key CRN is supplied or no existing KMS instance CRN is available
  # (see local.create_kms_key).
  count = local.create_kms_key ? 1 : 0

  source  = "terraform-ibm-modules/kms-all-inclusive/ibm"
  version = "4.19.5"

  # Reuse the caller's KMS instance; never provision a new Key Protect instance here.
  create_key_protect_instance = false
  existing_kms_instance_crn   = var.existing_kms_instance_crn
  region                      = local.kms_region

  # Both the key-ring and key endpoints follow the same endpoint-type variable.
  key_ring_endpoint_type = var.kms_endpoint_type
  key_endpoint_type      = var.kms_endpoint_type

  # One ring holding one non-standard (root) key, rotated every 3 months. Dual-auth delete
  # is off and force_delete is on for both ring and key, so a single destroy can remove
  # them; revisit these if the encrypted flow-log data must outlive the key.
  keys = [
    {
      key_ring_name         = local.kms_key_ring_name
      existing_key_ring     = false
      force_delete_key_ring = true
      keys = [
        {
          key_name                 = local.kms_key_name
          standard_key             = false
          rotation_interval_month  = 3
          dual_auth_delete_enabled = false
          force_delete             = true
        }
      ]
    }
  ]
}
#############################################################################
# VPC
#############################################################################
locals {
  # Per-key 'use_public_gateways' map handed to the VPC module, keyed exactly as
  # var.subnets. An entry is true when at least one subnet under that key has
  # public_gateway set, and false otherwise (including keys whose subnet list is null).
  public_gateway_object = {
    for zone, zone_subnets in var.subnets :
    zone => (
      zone_subnets == null
      ? false
      : (
        length([for s in zone_subnets : s.public_gateway if s.public_gateway]) > 0
        ? [for s in zone_subnets : s.public_gateway if s.public_gateway][0]
        : false
      )
    )
  }
}
module "vpc" {
  # The VPC itself, built from the root module of this repository.
  source = "../../"

  # Placement and naming.
  resource_group_id = module.resource_group.resource_group_id
  region            = var.region
  create_vpc        = true
  name              = var.vpc_name
  prefix            = local.prefix
  tags              = var.resource_tags
  access_tags       = var.access_tags

  # Network layout: subnets, ACLs, default resource names, routing and address prefixes.
  subnets                     = var.subnets
  address_prefixes            = var.address_prefixes
  routes                      = var.routes
  network_acls                = var.network_acls
  default_network_acl_name    = var.default_network_acl_name
  default_security_group_name = var.default_security_group_name
  default_routing_table_name  = var.default_routing_table_name
  clean_default_sg_acl        = var.clean_default_sg_acl
  use_public_gateways         = local.public_gateway_object

  # Flow logs: the COS instance GUID and bucket name are only passed when flow logs are
  # enabled (module.cos_buckets has count 0 otherwise, so its output must not be read).
  # The VPC -> COS authorization policy is created unless the caller skips it.
  enable_vpc_flow_logs                   = var.enable_vpc_flow_logs
  create_authorization_policy_vpc_to_cos = !var.skip_vpc_cos_iam_auth_policy
  existing_cos_instance_guid             = var.enable_vpc_flow_logs ? local.cos_instance_guid : null
  existing_storage_bucket_name           = var.enable_vpc_flow_logs ? module.cos_buckets[0].buckets[0].bucket_name : null

  # VPN gateways are always enabled here; their definitions come from var.vpn_gateways.
  enable_vpn_gateways = true
  vpn_gateways        = var.vpn_gateways
}
#############################################################################
# VPE Gateway
#############################################################################
# module "vpe_gateway" {
# source = "terraform-ibm-modules/vpe-gateway/ibm"
# version = "4.5.0"
# }