feat: Added new Quickstart DA variation (#1082)

Author: Khuzaima05

.catalog-onboard-pipeline.yaml

@@ -13,3 +13,6 @@ offerings:
           instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
           region: us-south
           scope_resource_group_var_name: existing_resource_group_name
+      - name: quickstart
+        mark_ready: false
+        install_type: fullstack

common-dev-assets

@@ -69,7 +69,7 @@
           "label": "Standard - Integrated setup with configurable services",
           "name": "fully-configurable",
           "short_description": "Ideal for users who want flexibility with a reliable starting point.",
-          "index": 1,
+          "index": 2,
           "install_type": "fullstack",
           "working_directory": "solutions/fully-configurable",
           "release_notes_url": "https://cloud.ibm.com/docs/secure-infrastructure-vpc?topic=secure-infrastructure-vpc-secure-infrastructure-vpc-relnotes",
@@ -224,7 +224,6 @@
               "key": "enable_platform_metrics",
               "type": "boolean",
               "default_value": false,
-              "description": "When set to `true`, the IBM Cloud Monitoring instance will be configured to collect platform metrics from the provided region. You can configure 1 instance only of the IBM Cloud Monitoring service per region to collect platform metrics in that location. Check with the account or service administrator if another monitoring instance has already been configured. You may not have permissions to see all monitoring instances in the region. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-platform_metrics_enabling).",
               "required": true,
               "virtual": true,
               "options": [
@@ -242,7 +241,6 @@
               "key": "logs_routing_tenant_regions",
               "type": "array",
               "default_value": [],
-              "description": "To manage platform logs that are generated by IBM Cloud services in a region of IBM Cloud, you must create a tenant in each region that you operate. Pass a list of regions to create a tenant in. [Learn more](https://cloud.ibm.com/docs/logs-router?topic=logs-router-about-platform-logs).",
               "required": true,
               "virtual": true,
               "custom_config": {
@@ -263,9 +261,7 @@
                 "config_constraints": {
                   "identifier": "rg_name"
                 }
-              },
-              "default_value": "Default",
-              "description": "The name of an existing resource group to provision the resources."
+              }
             },
             {
               "key": "subnets"
@@ -826,6 +822,197 @@
           "dependency_version_2": true,
           "terraform_version": "1.12.2",
           "ignore_readme": true
+        },
+        {
+          "label": "QuickStart - Basic and simple",
+          "short_description": "Ideal for users new to IBM Cloud or Virtual Private Cloud (VPC) who want to get started without configuring underlying infrastructure.",
+          "name": "quickstart",
+          "index": 1,
+          "install_type": "fullstack",
+          "working_directory": "solutions/quickstart",
+          "release_notes_url": "https://cloud.ibm.com/docs/secure-infrastructure-vpc?topic=secure-infrastructure-vpc-secure-infrastructure-vpc-relnotes",
+          "architecture": {
+            "features": [
+              {
+                "title": " ",
+                "description": "A lightweight, experimental configuration for quickly provisioning Virtual Private Cloud (VPC) instances on IBM Cloud."
+              }
+            ],
+            "diagrams": [
+              {
+                "diagram": {
+                  "caption": "Virtual Private Cloud topology - Quickstart (Basic and simple)",
+                  "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/main/reference-architectures/deployable-architecture-quickstart-vpc.svg",
+                  "type": "image/svg+xml"
+                },
+                "description": "This architecture provisions and configures a Virtual Private Cloud (VPC) environment with one subnet per zone, resulting in three subnets. The network behavior is controlled by a user-selected Network Profile - Unrestricted, Public Web Services, Private Only, or Isolated - each enforcing a predefined ACL configuration that defines permitted traffic patterns. The chosen profile also determines whether a public gateway is created and whether default security groups are cleaned up. Refer the [Network Profile](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/quickstart/DA-types.md) documentation for more details. The solution optionally enables VPC Flow Logs, creating a Cloud Object Storage instance and bucket for storing VPC Flow Logs."
+              }
+            ]
+          },
+          "iam_permissions": [
+            {
+              "role_crns": [
+                "crn:v1:bluemix:public:iam::::role:Viewer"
+              ],
+              "service_name": "Resource group only",
+              "notes": "Viewer access is required in the resource group you want to provision in."
+            },
+            {
+              "role_crns": [
+                "crn:v1:bluemix:public:iam::::role:Administrator"
+              ],
+              "service_name": "is.vpc",
+              "notes": "Required to create Virtual Private Cloud(VPC)."
+            },
+            {
+              "service_name": "cloud-object-storage",
+              "role_crns": [
+                "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+                "crn:v1:bluemix:public:iam::::role:Editor"
+              ],
+              "notes": "[Optional] Required if VPC Flow Logs are enabled."
+            }
+          ],
+          "configuration": [
+            {
+              "key": "ibmcloud_api_key"
+            },
+            {
+              "key": "existing_resource_group_name",
+              "display_name": "resource_group",
+              "custom_config": {
+                "type": "resource_group",
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "config_constraints": {
+                  "identifier": "rg_name"
+                }
+              }
+            },
+            {
+              "key": "prefix",
+              "required": true,
+              "default_value": "dev",
+              "random_string": {
+                "length": 4
+              },
+              "value_constraints": [
+                {
+                  "type": "regex",
+                  "description": "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--'). It should not exceed 16 characters.",
+                  "value": "^$|^__NULL__$|^[a-z](?!.*--)(?:[a-z0-9-]{0,14}[a-z0-9])?$"
+                }
+              ]
+            },
+            {
+              "key": "region",
+              "required": true,
+              "custom_config": {
+                "config_constraints": {
+                  "generationType": "2"
+                },
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "type": "vpc_region"
+              }
+            },
+            {
+              "key": "vpc_name",
+              "required": true
+            },
+            {
+              "key": "network_profile",
+              "type": "string",
+              "displayname": "Network Profile",
+              "required": true,
+              "default_value": "public_web_services",
+              "options": [
+                {
+                  "displayname": "Unrestricted (All Traffic Allowed)",
+                  "value": "unrestricted",
+                  "description": "Allows all inbound and outbound traffic from any source (0.0.0.0/0). No network filtering applied. Use only for development or testing environments."
+                },
+                {
+                  "displayname": "Public Web Services (SSH, HTTP, HTTPS + IBM Cloud Internal)",
+                  "value": "public_web_services",
+                  "description": "Allows inbound traffic on SSH (port 22), HTTP (port 80), and HTTPS (port 443). Includes IBM Cloud internal service connectivity and VPC-to-VPC communication. Suitable for web-facing applications."
+                },
+                {
+                  "displayname": "Private Only (IBM Cloud Internal + VPC)",
+                  "value": "private_only",
+                  "description": "No public internet connectivity. Only allows IBM Cloud internal service communication and VPC-to-VPC traffic. Ideal for backend services and databases."
+                },
+                {
+                  "displayname": "Isolated (No Network Access)",
+                  "value": "isolated",
+                  "description": "Completely isolated with no inbound or outbound network traffic allowed. Maximum security for highly sensitive workloads requiring manual network configuration."
+                }
+              ]
+            },
+            {
+              "key": "resource_tags",
+              "custom_config": {
+                "type": "array",
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "config_constraints": {
+                  "type": "string"
+                }
+              }
+            },
+            {
+              "key": "access_tags",
+              "custom_config": {
+                "type": "array",
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "config_constraints": {
+                  "type": "string"
+                }
+              }
+            },
+            {
+              "key": "enable_vpc_flow_logs",
+              "type": "boolean",
+              "type_metadata": "boolean",
+              "options": [
+                {
+                  "description": "Do not collect VPC network traffic metadata.",
+                  "displayname": "False",
+                  "value": false
+                },
+                {
+                  "description": "Collect and store VPC network traffic metadata to Object Storage for monitoring, analysis, and troubleshooting.",
+                  "displayname": "True",
+                  "value": true
+                }
+              ]
+            },
+            {
+              "key": "skip_vpc_cos_iam_auth_policy",
+              "hidden": true
+            },
+            {
+              "key": "provider_visibility",
+              "hidden": true,
+              "options": [
+                {
+                  "displayname": "private",
+                  "value": "private"
+                },
+                {
+                  "displayname": "public",
+                  "value": "public"
+                },
+                {
+                  "displayname": "public-and-private",
+                  "value": "public-and-private"
+                }
+              ]
+            }
+          ],
+          "terraform_version": "1.12.2",
+          "ignore_readme": true
         }
       ]
     }

ibm_catalog.json

@@ -0,0 +1,116 @@
+---
+
+copyright:
+  years: 2025
+lastupdated: "2025-12-02"
+
+keywords:
+
+subcollection: deployable-reference-architectures
+
+authors:
+  - name: "Khuzaima Shakeel"
+
+# The release that the reference architecture describes
+version: 8.11.0
+
+# Whether the reference architecture is published to Cloud Docs production.
+# When set to false, the file is available only in staging. Default is false.
+production: true
+
+# Use if the reference architecture has deployable code.
+# Value is the URL to land the user in the IBM Cloud catalog details page
+# for the deployable architecture.
+# See https://test.cloud.ibm.com/docs/get-coding?topic=get-coding-deploy-button
+deployment-url: https://cloud.ibm.com/catalog/architecture/deploy-arch-ibm-slz-vpc-9fc0fa64-27af-4fed-9dce-47b3640ba739-global
+
+docs: https://cloud.ibm.com/docs/secure-infrastructure-vpc
+
+image_source: https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/reference-architectures/deployable-architecture-quickstart-vpc.svg
+
+related_links:
+  - title: "Cloud foundation for VPC (Standard - Integrated setup with configurable services)"
+    url: "https://cloud.ibm.com/docs/deployable-reference-architectures?topic=deployable-reference-architectures-vpc-fully-configurable"
+    description: "A deployable architecture that provides full control over VPC networking, security, and connectivity components."
+  - title: "Cloud foundation for VPC (Standard - Financial Services edition)"
+    url: "https://cloud.ibm.com/docs/deployable-reference-architectures?topic=deployable-reference-architectures-vpc-ra"
+    description: "A VPC architecture based on IBM Cloud for Financial Services controls."
+
+use-case: Foundational Infrastructure
+compliance: None
+
+content-type: reference-architecture
+
+---
+
+{{site.data.keyword.attribute-definition-list}}
+
+# Cloud foundation for VPC – QuickStart (Basic and simple)
+{: #vpc-quickstart-ra}
+{: toc-content-type="reference-architecture"}
+{: toc-industry="CrossIndustry"}
+{: toc-use-case="Foundational Infrastructure"}
+{: toc-version="1.0.0"}
+
+The QuickStart variation of the Cloud foundation for VPC provides a **basic and simple** Virtual Private Cloud (VPC) deployment that requires minimal configuration. It enables users to quickly create a functional network environment on IBM Cloud. This variation is best suited for users who need a **basic VPC configuration** with lightweight networking defaults and support for VPC Flow Logs.
+
+
+---
+
+## Architecture diagram
+{: #ra-vpc-quickstart-architecture}
+
+![Architecture diagram for the QuickStart variation of Cloud foundation for VPC](deployable-architecture-quickstart-vpc.svg "QuickStart VPC architecture"){: caption="Quickstart variation of Cloud foundation for VPC" caption-side="bottom"}{: external download="deployable-architecture-quickstart-vpc.svg"}
+
+## Design requirements
+{: #ra-vpc-qs-design-requirements}
+
+![Design requirements for Cloud foundation for VPC](heat-map-deploy-arch-slz-vpc-quickstart.svg "Design requirements"){: caption="Scope of the design requirements" caption-side="bottom"}
+
+
+## Requirements
+{: #ra-vpc-quickstart-components}
+
+The following table outlines the requirements that are addressed in this architecture.
+
+| Requirement | Component | Reasons for choice | Alternative choice |
+|------------|-----------|--------------------|--------------------|
+| Provide a basic, ready-to-use VPC with minimal inputs | Predefined VPC | Deploys a VPC quickly without requiring users to design networking components | Use the fully configurable variation for granular control |
+| Create availability-zone redundancy | Fixed three-zone subnets | Ensures high availability by provisioning one subnet per zone automatically | Use the fully configurable variation for flexibility |
+| Basic traffic governance | Network profile selector (unrestricted, public_web_services, private_only, isolated) | Provides simple, predefined ACL behavior without requiring custom rules | Define custom ACL rules and SG rules manually in the fully configurable variation |
+
+{: caption="QuickStart variation of Cloud foundation for VPC" caption-side="bottom"}
+
+
+# Key features
+{: #ra-vpc-quickstart-features}
+
+## VPC Setup
+- Automatically creates a new VPC with IBM-recommended defaults
+- Sets up one subnet per zone, resulting in three subnets.
+
+## Built-in Network Profiles
+
+The following network profiles provide predefined security postures by configuring **Network ACLs**, **public gateway access**, and **default security group behavior**. These profiles align exactly with the options exposed in the IBM Cloud catalog UI.
+
+- **Unrestricted (All Traffic Allowed)**
+  Allows all inbound and outbound traffic. Suitable for testing or unrestricted workloads.
+
+- **Public Web Services (SSH, HTTP, HTTPS + IBM Cloud Internal)** *(Default)*
+  Allows traffic on common service ports (SSH 22, HTTP 80, HTTPS 443), enables IBM Cloud internal connectivity.
+
+- **Private Only (IBM Cloud Internal + VPC)**
+  No external/public connectivity. Only IBM internal and VPC connectivity allowed. Intended for internal-only workloads that must not be exposed publicly.
+  Learn more: https://cloud.ibm.com/docs/vpc?topic=vpc-about-networking#private-network
+
+- **Isolated (No Network Access)**
+  Fully locked-down environment with no inbound or outbound connectivity. Suitable for highly sensitive or isolated security scenarios.
+
+
+## Security & Network Defaults
+- ACLs applied according to the selected network profile
+- Security group automatically cleaned for restrictive profiles
+- Public gateways created only when allowed by the profile
+
+## Flow Logs
+- When enabled, VPC Flow Logs capture network traffic metadata and automatically create an IBM Cloud Object Storage (COS) instance and bucket to store the logs.

reference-architectures/deploy-arch-ibm-vpc-quickstart-vpc.md

@@ -0,0 +1,29 @@
+## Configuring network profile input for VPC <a name="network-profile"></a>
+
+This variable lets you choose from predefined network security profiles that control the default **Network ACL behavior**, **public gateway availability**, and whether **default Security Group (SG) rules are cleaned**. It simplifies deployment by offering four security levels ranging from fully open to fully restricted.
+
+- **Variable name:** `network_profile`
+- **Type:** `string`
+- **Default value:** `"public_web_services"`
+- **Allowed values:** `unrestricted`, `public_web_services`, `private_only`, `isolated`
+
+The selected network profile automatically defines the following behavior:
+
+| Profile                                   | Default Behavior                                                                 | Public Gateway | Default Security Group Rules |
+|-------------------------------------------------------------|----------------------------------------------------------------------------------|----------------|------------------------------|
+| **Unrestricted (All Traffic Allowed)**                              | Allows all inbound and outbound traffic                                          | **Enabled**    | Explicit SG rules added: allow all inbound and outbound traffic.               |
+| **Public Web Services (SSH, HTTP, HTTPS + IBM Cloud Internal)** *(Default)* | Allows traffic on common service ports (SSH 22, HTTP 80, HTTPS 443), enables IBM Cloud internal connectivity.     | **Enabled**    | Explicit SG rules added: inbound SSH (22), HTTP (80), HTTPS (443). Default SG outbound behavior (allow all outbound) is preserved.               |
+| **Private Only (IBM Cloud Internal + VPC)**       | No external/public connectivity. Only IBM internal and VPC connectivity allowed. | **Disabled**   | **Cleaned**                  |
+| **Isolated (No Network Access)**                                  | Fully locked-down environment with no inbound or outbound traffic                | **Disabled**   | **Cleaned**                  |
+
+
+### When to use which profile?
+
+| Scenario / Intent                                                  | Recommended Profile |
+|-------------------------------------------------------------------|---------------------|
+| Experimenting or testing without restrictions                     | `Unrestricted`              |
+| Standard workloads that require access on common ports such as SSH, HTTP, and HTTPS. | `Public Web Services`            |
+| Internal-only workloads that must communicate only within IBM Cloud using the private backbone network (no public internet exposure). [Learn more](https://cloud.ibm.com/docs/vpc?topic=vpc-private-network-connectivity#:~:text=A%20private%20backbone%20for%20all%20connectivity) | `Private Only` |
+| High-security isolated setups without external communication      | `Isolated`            |
+
+---