From 5fe5e709e55f0dabd0c2a141699dda785dae4600 Mon Sep 17 00:00:00 2001 From: Manish Kumar <30774250+manish-jangra@users.noreply.github.com> Date: Wed, 25 Feb 2026 13:56:25 +0530 Subject: [PATCH 1/5] feat: add routing table and route IDs to module outputs The module creates routing tables and routes but did not expose their IDs, making it difficult for consumers to reference them. This adds `routing_table_ids` and `routing_table_routes` outputs. Co-authored-by: Cursor --- outputs.tf | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/outputs.tf b/outputs.tf index 043389ea..c1ee8163 100644 --- a/outputs.tf +++ b/outputs.tf @@ -148,6 +148,38 @@ output "vpc_data" { value = data.ibm_is_vpc.vpc } +############################################################################## +# Routing Tables +############################################################################## + +output "routing_table_ids" { + description = "List of routing table IDs created by this module." + value = [ + for table in ibm_is_vpc_routing_table.route_table : + { + name = table.name + routing_table_id = table.routing_table + } + ] +} + +output "routing_table_routes" { + description = "List of routing table routes created by this module." + value = [ + for route in ibm_is_vpc_routing_table_route.routing_table_routes : + { + name = route.name + routing_table_id = route.routing_table + destination = route.destination + action = route.action + next_hop = route.next_hop + zone = route.zone + } + ] +} + +############################################################################## + ############################################################################## # Hub and Spoke specific configuration ############################################################################## From d931375d48a75a3125391b8f5b4cc2c5476d3210 Mon Sep 17 00:00:00 2001 From: Manish Kumar <30774250+manish-jangra@users.noreply.github.com> Date: Thu, 26 Feb 2026 09:53:04 +0530 Subject: [PATCH 2/5] feat: add default routing table to module outputs Expose the VPC's default routing table ID and name via a new `default_routing_table` output, sourced from the `data.ibm_is_vpc` data source so it works for both created and existing VPCs. Made-with: Cursor --- outputs.tf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/outputs.tf b/outputs.tf index c1ee8163..ff82570c 100644 --- a/outputs.tf +++ b/outputs.tf @@ -152,6 +152,14 @@ output "vpc_data" { # Routing Tables ############################################################################## +output "default_routing_table" { + description = "The default routing table ID and name that is created along with the VPC." + value = { + routing_table_id = data.ibm_is_vpc.vpc.default_routing_table + routing_table_name = data.ibm_is_vpc.vpc.default_routing_table_name + } +} + output "routing_table_ids" { description = "List of routing table IDs created by this module." value = [ From 63ff4e0880e5f8572c853bbec44dfb09e0f83446 Mon Sep 17 00:00:00 2001 From: Manish Kumar <30774250+manish-jangra@users.noreply.github.com> Date: Thu, 5 Mar 2026 20:08:10 +0530 Subject: [PATCH 3/5] feat: add routing table outputs to fully-configurable DA solution Propagate the three new routing table outputs (default_routing_table, routing_table_ids, routing_table_routes) to the fully-configurable deployable architecture solution. Made-with: Cursor --- solutions/fully-configurable/outputs.tf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/solutions/fully-configurable/outputs.tf b/solutions/fully-configurable/outputs.tf index 6775160f..22a64436 100644 --- a/solutions/fully-configurable/outputs.tf +++ b/solutions/fully-configurable/outputs.tf @@ -44,6 +44,25 @@ output "network_acls" { value = module.vpc.network_acls } +############################################################################## +# Routing Tables +############################################################################## + +output "default_routing_table" { + description = "The default routing table ID and name that is created along with the VPC." + value = module.vpc.default_routing_table +} + +output "routing_table_ids" { + description = "List of routing table IDs created by this module." + value = module.vpc.routing_table_ids +} + +output "routing_table_routes" { + description = "List of routing table routes created by this module." + value = module.vpc.routing_table_routes +} + ############################################################################## # Subnet Outputs ############################################################################## From 16c373f86d14ea592410962af3cea4efdb1f6472 Mon Sep 17 00:00:00 2001 From: Manish Kumar <30774250+manish-jangra@users.noreply.github.com> Date: Tue, 10 Mar 2026 14:03:58 +0530 Subject: [PATCH 4/5] docs: regenerate README files with new routing table outputs Run terraform-docs to update the Outputs tables in the root module and fully-configurable DA solution README files. Made-with: Cursor --- README.md | 147 +++++++++++++++++++++++++ solutions/fully-configurable/README.md | 118 ++++++++++++++++++++ 2 files changed, 265 insertions(+) diff --git a/README.md b/README.md index 73c65c4e..b4770a26 100644 --- a/README.md +++ b/README.md @@ -301,3 +301,150 @@ For a list of common known issues see: You can report issues and request features for this module in GitHub issues in the module repo. See [Report an issue or request a feature](https://github.com/terraform-ibm-modules/.github/blob/main/.github/SUPPORT.md). To set up your local development environment, see [Local development setup](https://terraform-ibm-modules.github.io/documentation/#/local-dev-setup) in the project documentation. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.9.0 | +| [ibm](#requirement\_ibm) | >= 1.87.3, < 2.0.0 | +| [time](#requirement\_time) | >= 0.9.1, < 1.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [ibm](#provider\_ibm) | >= 1.87.3, < 2.0.0 | +| [terraform](#provider\_terraform) | n/a | +| [time](#provider\_time) | >= 0.9.1, < 1.0.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [dynamic\_values](#module\_dynamic\_values) | ./dynamic_values | n/a | +| [unit\_tests](#module\_unit\_tests) | ./dynamic_values | n/a | + +## Resources + +| Name | Type | +|------|------| +| [ibm_dns_custom_resolver.custom_resolver_hub](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/dns_custom_resolver) | resource | +| [ibm_dns_permitted_network.dns_permitted_network](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/dns_permitted_network) | resource | +| [ibm_dns_resource_record.dns_record](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/dns_resource_record) | resource | +| [ibm_dns_zone.dns_zone](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/dns_zone) | resource | +| [ibm_iam_authorization_policy.policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | +| [ibm_iam_authorization_policy.vpc_dns_resolution_auth_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | +| [ibm_is_flow_log.flow_logs](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_flow_log) | resource | +| [ibm_is_network_acl.network_acl](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_network_acl) | resource | +| [ibm_is_public_gateway.gateway](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_public_gateway) | resource | +| [ibm_is_security_group_rule.default_vpc_rule](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_security_group_rule) | resource | +| [ibm_is_subnet.subnet](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_subnet) | resource | +| [ibm_is_subnet_public_gateway_attachment.exist_subnet_gw](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_subnet_public_gateway_attachment) | resource | +| [ibm_is_vpc.vpc](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc) | resource | +| [ibm_is_vpc_address_prefix.address_prefixes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_address_prefix) | resource | +| [ibm_is_vpc_address_prefix.subnet_prefix](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_address_prefix) | resource | +| [ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_crn](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_dns_resolution_binding) | resource | +| [ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_id](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_dns_resolution_binding) | resource | +| [ibm_is_vpc_routing_table.route_table](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table) | resource | +| [ibm_is_vpc_routing_table_route.routing_table_routes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table_route) | resource | +| [ibm_is_vpn_gateway.vpn_gateway](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpn_gateway) | resource | +| [ibm_resource_instance.dns_instance_hub](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource | +| [terraform_data.deprecation_warning](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | +| [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [time_sleep.wait_for_vpc_creation_data](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source | +| [ibm_is_subnet.subnet](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_subnet) | data source | +| [ibm_is_vpc.vpc](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc) | data source | +| [ibm_is_vpc_address_prefixes.get_address_prefixes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc_address_prefixes) | data source | +| [ibm_is_vpc_dns_resolution_bindings.dns_bindings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc_dns_resolution_bindings) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_tags](#input\_access\_tags) | A list of access tags to apply to the VPC resources created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | `list(string)` | `[]` | no | +| [address\_prefixes](#input\_address\_prefixes) | OPTIONAL - IP range that will be defined for the VPC for a certain location. Use only with manual address prefixes | 
object({
    zone-1 = optional(list(string))
    zone-2 = optional(list(string))
    zone-3 = optional(list(string))
  })
| 
{
  "zone-1": null,
  "zone-2": null,
  "zone-3": null
}
| no | +| [clean\_default\_sg\_acl](#input\_clean\_default\_sg\_acl) | Remove all rules from the default VPC security group and VPC ACL (less permissive) | `bool` | `false` | no | +| [create\_authorization\_policy\_vpc\_to\_cos](#input\_create\_authorization\_policy\_vpc\_to\_cos) | Create authorisation policy for VPC to access COS. Set as false if authorization policy exists already | `bool` | `false` | no | +| [create\_subnets](#input\_create\_subnets) | Indicates whether user wants to use existing subnets or create new. Set it to true to create new subnets. | `bool` | `true` | no | +| [create\_vpc](#input\_create\_vpc) | Indicates whether user wants to use an existing vpc or create a new one. Set it to true to create a new vpc | `bool` | `true` | no | +| [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | OPTIONAL - Name of the Default ACL. If null, a name will be automatically generated | `string` | `null` | no | +| [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | OPTIONAL - Name of the Default Routing Table. If null, a name will be automatically generated | `string` | `null` | no | +| [default\_security\_group\_name](#input\_default\_security\_group\_name) | OPTIONAL - Name of the Default Security Group. If null, a name will be automatically generated | `string` | `null` | no | +| [dns\_binding\_name](#input\_dns\_binding\_name) | The name to give the provisioned VPC DNS resolution binding. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | +| [dns\_custom\_resolver\_name](#input\_dns\_custom\_resolver\_name) | The name to give the provisioned DNS custom resolver instance. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | +| [dns\_custom\_resolver\_profile](#input\_dns\_custom\_resolver\_profile) | The profile name for the provisioned DNS custom resolver instance. | `string` | `"essential"` | no | +| [dns\_instance\_name](#input\_dns\_instance\_name) | The name to give the provisioned DNS instance. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | +| [dns\_location](#input\_dns\_location) | The target location or environment for the DNS instance created to host the custom resolver in a hub-spoke DNS resolution topology. Only used if enable\_hub is true and skip\_custom\_resolver\_hub\_creation is false (defaults). | `string` | `"global"` | no | +| [dns\_plan](#input\_dns\_plan) | The plan for the DNS resource instance created to host the custom resolver in a hub-spoke DNS resolution topology. Only used if enable\_hub is true and skip\_custom\_resolver\_hub\_creation is false (defaults). | `string` | `"standard-dns"` | no | +| [dns\_records](#input\_dns\_records) | List of DNS records to be created. | 
map(list(object({
    name       = string
    type       = string
    ttl        = number
    rdata      = string
    preference = optional(number, null)
    service    = optional(string, null)
    protocol   = optional(string, null)
    priority   = optional(number, null)
    weight     = optional(number, null)
    port       = optional(number, null)
  })))
| `{}` | no | +| [dns\_zones](#input\_dns\_zones) | List of the DNS zone to be created. | 
list(object({
    name        = string
    description = optional(string)
    label       = optional(string, "dns-zone")
  }))
| `[]` | no | +| [enable\_hub](#input\_enable\_hub) | Indicates whether this VPC is enabled as a DNS name resolution hub. | `bool` | `false` | no | +| [enable\_hub\_vpc\_crn](#input\_enable\_hub\_vpc\_crn) | Indicates whether Hub VPC CRN is passed. | `bool` | `false` | no | +| [enable\_hub\_vpc\_id](#input\_enable\_hub\_vpc\_id) | Indicates whether Hub VPC ID is passed. | `bool` | `false` | no | +| [enable\_vpc\_flow\_logs](#input\_enable\_vpc\_flow\_logs) | Flag to enable vpc flow logs. If true, flow log collector will be created | `bool` | `false` | no | +| [existing\_cos\_instance\_guid](#input\_existing\_cos\_instance\_guid) | GUID of the COS instance to create Flow log collector | `string` | `null` | no | +| [existing\_dns\_instance\_id](#input\_existing\_dns\_instance\_id) | Id of an existing dns instance in which the custom resolver is created. Only relevant if enable\_hub is set to true. | `string` | `null` | no | +| [existing\_storage\_bucket\_name](#input\_existing\_storage\_bucket\_name) | Name of the COS bucket to collect VPC flow logs | `string` | `null` | no | +| [existing\_subnets](#input\_existing\_subnets) | The detail of the existing subnets and required mappings to other resources. Required if 'create\_subnets' is false. | 
list(object({
    id             = string
    public_gateway = optional(bool, false)
  }))
| `[]` | no | +| [existing\_vpc\_id](#input\_existing\_vpc\_id) | The ID of the existing vpc. Required if 'create\_vpc' is false. | `string` | `null` | no | +| [hub\_account\_id](#input\_hub\_account\_id) | ID of the hub account for DNS resolution, required if 'skip\_spoke\_auth\_policy' is false. | `string` | `null` | no | +| [hub\_vpc\_crn](#input\_hub\_vpc\_crn) | Indicates the crn of the hub VPC for DNS resolution. See https://cloud.ibm.com/docs/vpc?topic=vpc-hub-spoke-model. Mutually exclusive with hub\_vpc\_id. | `string` | `null` | no | +| [hub\_vpc\_id](#input\_hub\_vpc\_id) | Indicates the id of the hub VPC for DNS resolution. See https://cloud.ibm.com/docs/vpc?topic=vpc-hub-spoke-model. Mutually exclusive with hub\_vpc\_crn. | `string` | `null` | no | +| [is\_flow\_log\_collector\_active](#input\_is\_flow\_log\_collector\_active) | Indicates whether the collector is active. If false, this collector is created in inactive mode. | `bool` | `true` | no | +| [manual\_servers](#input\_manual\_servers) | The DNS server addresses to use for the VPC, replacing any existing servers. All the entries must either have a unique zone\_affinity, or not have a zone\_affinity. | 
list(object({
    address       = string
    zone_affinity = optional(string)
  }))
| `[]` | no | +| [name](#input\_name) | Used for the naming of the VPC (if create\_vpc is set to true), as well as in the naming for any resources created inside the VPC (unless using one of the optional variables for explicit control over naming). | `string` | n/a | yes | +| [network\_acls](#input\_network\_acls) | The list of ACLs to create. Provide at least one rule for each ACL. | 
list(
    object({
      name                         = string
      add_ibm_cloud_internal_rules = optional(bool)
      add_vpc_connectivity_rules   = optional(bool)
      prepend_ibm_rules            = optional(bool)
      rules = list(
        object({
          name        = string
          action      = string
          destination = string
          direction   = string
          source      = string
          tcp = optional(
            object({
              port_max        = optional(number)
              port_min        = optional(number)
              source_port_max = optional(number)
              source_port_min = optional(number)
            })
          )
          udp = optional(
            object({
              port_max        = optional(number)
              port_min        = optional(number)
              source_port_max = optional(number)
              source_port_min = optional(number)
            })
          )
          icmp = optional(
            object({
              type = optional(number)
              code = optional(number)
            })
          )
        })
      )
    })
  )
| 
[
  {
    "add_ibm_cloud_internal_rules": true,
    "add_vpc_connectivity_rules": true,
    "name": "vpc-acl",
    "prepend_ibm_rules": true,
    "rules": []
  }
]
| no | +| [network\_cidrs](#input\_network\_cidrs) | List of Network CIDRs for the VPC. This is used to manage network ACL rules for cluster provisioning. | `list(string)` | 
[
  "10.0.0.0/8"
]
| no | +| [prefix](#input\_prefix) | The value that you would like to prefix to the name of the resources provisioned by this module. Explicitly set to null if you do not wish to use a prefix. This value is ignored if using one of the optional variables for explicit control over naming. **Important:** Changing the prefix after initial deployment will cause Terraform to plan destruction and recreation of resources. Changing the prefix should be treated as provisioning a new environment, not renaming existing resources. | `string` | `null` | no | +| [public\_gateway\_name](#input\_public\_gateway\_name) | The name to give the provisioned VPC public gateways. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | +| [region](#input\_region) | The region to which to deploy the VPC | `string` | n/a | yes | +| [resolver\_type](#input\_resolver\_type) | Resolver type. Can be system or manual or delegated. | `string` | `null` | no | +| [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the VPC to be created | `string` | n/a | yes | +| [routes](#input\_routes) | OPTIONAL - Allows you to specify the next hop for packets based on their destination address | 
list(
    object({
      name                          = string
      route_direct_link_ingress     = optional(bool)
      route_transit_gateway_ingress = optional(bool)
      route_vpc_zone_ingress        = optional(bool)
      routes = optional(
        list(
          object({
            action      = optional(string)
            zone        = number
            destination = string
            next_hop    = string
          })
      ))
    })
  )
| `[]` | no | +| [routing\_table\_name](#input\_routing\_table\_name) | The name to give the provisioned routing tables. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | +| [security\_group\_rules](#input\_security\_group\_rules) | A list of security group rules to be added to the default vpc security group (default empty) | 
list(
    object({
      name       = string
      direction  = string
      remote     = optional(string)
      local      = optional(string)
      ip_version = optional(string)
      tcp = optional(
        object({
          port_max = optional(number)
          port_min = optional(number)
        })
      )
      udp = optional(
        object({
          port_max = optional(number)
          port_min = optional(number)
        })
      )
      icmp = optional(
        object({
          type = optional(number)
          code = optional(number)
        })
      )
    })
  )
| `[]` | no | +| [skip\_custom\_resolver\_hub\_creation](#input\_skip\_custom\_resolver\_hub\_creation) | Indicates whether to skip the configuration of a custom resolver in the hub VPC. Only relevant if enable\_hub is set to true. | `bool` | `false` | no | +| [skip\_spoke\_auth\_policy](#input\_skip\_spoke\_auth\_policy) | Set to true to skip the creation of an authorization policy between the DNS resolution spoke and hub, only enable this if a policy already exists between these two VPCs. See https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-dns-sharing-s2s-auth&interface=ui for more details. | `bool` | `false` | no | +| [subnets](#input\_subnets) | List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addresses. Public gateways will be enabled only in zones where a gateway has been created | 
object({
    zone-1 = list(object({
      name           = string
      cidr           = string
      public_gateway = optional(bool)
      acl_name       = string
      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
      subnet_tags    = optional(list(string), [])
    }))
    zone-2 = optional(list(object({
      name           = string
      cidr           = string
      public_gateway = optional(bool)
      acl_name       = string
      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
      subnet_tags    = optional(list(string), [])
    })))
    zone-3 = optional(list(object({
      name           = string
      cidr           = string
      public_gateway = optional(bool)
      acl_name       = string
      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
      subnet_tags    = optional(list(string), [])
    })))
  })
| 
{
  "zone-1": [
    {
      "acl_name": "vpc-acl",
      "cidr": "10.10.10.0/24",
      "name": "subnet-a",
      "no_addr_prefix": false,
      "public_gateway": true
    }
  ],
  "zone-2": [
    {
      "acl_name": "vpc-acl",
      "cidr": "10.20.10.0/24",
      "name": "subnet-b",
      "no_addr_prefix": false,
      "public_gateway": true
    }
  ],
  "zone-3": [
    {
      "acl_name": "vpc-acl",
      "cidr": "10.30.10.0/24",
      "name": "subnet-c",
      "no_addr_prefix": false,
      "public_gateway": true
    }
  ]
}
| no | +| [tags](#input\_tags) | List of Tags for the resource created | `list(string)` | `null` | no | +| [update\_delegated\_resolver](#input\_update\_delegated\_resolver) | If set to true, and if the vpc is configured to be a spoke for DNS resolution (enable\_hub\_vpc\_crn or enable\_hub\_vpc\_id set), then the spoke VPC resolver will be updated to a delegated resolver. | `bool` | `false` | no | +| [use\_existing\_dns\_instance](#input\_use\_existing\_dns\_instance) | Whether to use an existing dns instance. If true, existing\_dns\_instance\_id must be set. | `bool` | `false` | no | +| [use\_public\_gateways](#input\_use\_public\_gateways) | Create a public gateway in any of the three zones with `true`. | 
object({
    zone-1 = optional(bool)
    zone-2 = optional(bool)
    zone-3 = optional(bool)
  })
| 
{
  "zone-1": true,
  "zone-2": true,
  "zone-3": true
}
| no | +| [vpc\_flow\_logs\_name](#input\_vpc\_flow\_logs\_name) | The name to give the provisioned VPC flow logs. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | +| [vpn\_gateways](#input\_vpn\_gateways) | [DEPRECATED] List of VPN gateways to create. For more information please refer the [migration guide](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/docs/migration_guide.md). | 
list(
    object({
      name           = string
      subnet_name    = string # Do not include prefix, use same name as in `var.subnets`
      mode           = optional(string, "route")
      resource_group = optional(string)
      access_tags    = optional(list(string), [])
    })
  )
| `[]` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [cidr\_blocks](#output\_cidr\_blocks) | List of CIDR blocks present in VPC stack | +| [custom\_resolver\_hub](#output\_custom\_resolver\_hub) | The custom resolver created for the hub vpc. Only set if enable\_hub is set and skip\_custom\_resolver\_hub\_creation is false. | +| [default\_routing\_table](#output\_default\_routing\_table) | The default routing table ID and name that is created along with the VPC. | +| [dns\_custom\_resolver\_id](#output\_dns\_custom\_resolver\_id) | The ID of the DNS Custom Resolver. | +| [dns\_endpoint\_gateways\_by\_crn](#output\_dns\_endpoint\_gateways\_by\_crn) | The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id OR enable\_hub\_vpc\_crn are true. | +| [dns\_endpoint\_gateways\_by\_id](#output\_dns\_endpoint\_gateways\_by\_id) | The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id OR enable\_hub\_vpc\_crn are true. | +| [dns\_instance\_id](#output\_dns\_instance\_id) | The ID of the DNS instance. | +| [dns\_record\_ids](#output\_dns\_record\_ids) | List of all the domain resource records. | +| [dns\_zone](#output\_dns\_zone) | A map representing DNS zone information. | +| [dns\_zone\_id](#output\_dns\_zone\_id) | The ID of the DNS zone. | +| [dns\_zone\_state](#output\_dns\_zone\_state) | The state of the DNS zone. | +| [network\_acls](#output\_network\_acls) | List of shortnames and IDs of network ACLs | +| [public\_gateways](#output\_public\_gateways) | Map of public gateways by zone | +| [routing\_table\_ids](#output\_routing\_table\_ids) | List of routing table IDs created by this module. | +| [routing\_table\_routes](#output\_routing\_table\_routes) | List of routing table routes created by this module. | +| [security\_group\_details](#output\_security\_group\_details) | Details of security group. | +| [subnet\_detail\_list](#output\_subnet\_detail\_list) | A list of subnets containing names, CIDR blocks, and zones. | +| [subnet\_detail\_map](#output\_subnet\_detail\_map) | A map of subnets containing IDs, CIDR blocks, and zones | +| [subnet\_ids](#output\_subnet\_ids) | The IDs of the subnets | +| [subnet\_zone\_list](#output\_subnet\_zone\_list) | A list containing subnet IDs and subnet zones | +| [vpc\_crn](#output\_vpc\_crn) | CRN of VPC created | +| [vpc\_data](#output\_vpc\_data) | Data of the VPC used in this module, created or existing. | +| [vpc\_flow\_logs](#output\_vpc\_flow\_logs) | Details of VPC flow logs collector | +| [vpc\_id](#output\_vpc\_id) | ID of VPC created | +| [vpc\_name](#output\_vpc\_name) | Name of VPC created | +| [vpn\_gateways\_data](#output\_vpn\_gateways\_data) | [DEPRECATED] Details of VPN gateways data. For more information please refer the [migration guide](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/docs/migration_guide.md). | +| [vpn\_gateways\_name](#output\_vpn\_gateways\_name) | [DEPRECATED] List of names of VPN gateways. For more information please refer the [migration guide](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/docs/migration_guide.md). | + \ No newline at end of file diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index 0d9c0bc8..641894b2 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md @@ -1,3 +1,121 @@ # Cloud automation for VPC (Fully configurable) :exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers). + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.9.0 | +| [ibm](#requirement\_ibm) | 1.88.2 | +| [time](#requirement\_time) | 0.13.1 | + +## Providers + +| Name | Version | +|------|---------| +| [ibm.kms](#provider\_ibm.kms) | 1.88.2 | +| [time](#provider\_time) | 0.13.1 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [cos\_buckets](#module\_cos\_buckets) | terraform-ibm-modules/cos/ibm//modules/buckets | 10.14.1 | +| [existing\_cos\_crn\_parser](#module\_existing\_cos\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.4.2 | +| [existing\_kms\_instance\_crn\_parser](#module\_existing\_kms\_instance\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.4.2 | +| [existing\_kms\_key\_crn\_parser](#module\_existing\_kms\_key\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.4.2 | +| [kms](#module\_kms) | terraform-ibm-modules/kms-all-inclusive/ibm | 5.5.31 | +| [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.4.8 | +| [vpc](#module\_vpc) | ../../ | n/a | +| [vpe\_gateway](#module\_vpe\_gateway) | terraform-ibm-modules/vpe-gateway/ibm | 5.0.4 | + +## Resources + +| Name | Type | +|------|------| +| [ibm_iam_authorization_policy.cos_kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.88.2/docs/resources/iam_authorization_policy) | resource | +| [time_sleep.wait_for_cross_account_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/0.13.1/docs/resources/sleep) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_tags](#input\_access\_tags) | The list of access tags to add to the VPC instance. | `list(string)` | `[]` | no | +| [add\_bucket\_name\_suffix](#input\_add\_bucket\_name\_suffix) | Add a randomly generated suffix that is 4 characters in length, to the name of the newly provisioned Cloud Object Storage bucket. Do not use this suffix if you are passing the existing Cloud Object Storage bucket. To manage the name of the Cloud Object Storage bucket manually, use the `flow_logs_cos_bucket_name` variables. | `bool` | `true` | no | +| [address\_prefixes](#input\_address\_prefixes) | The IP range that will be defined for the VPC for a certain location. Use only with manual address prefixes. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#address-prefixes-). | 
object({
    zone-1 = optional(list(string))
    zone-2 = optional(list(string))
    zone-3 = optional(list(string))
  })
| 
{
  "zone-1": null,
  "zone-2": null,
  "zone-3": null
}
| no | +| [clean\_default\_security\_group\_acl](#input\_clean\_default\_security\_group\_acl) | Remove all rules from the default VPC security group and VPC ACL (less permissive). | `bool` | `true` | no | +| [cos\_bucket\_class](#input\_cos\_bucket\_class) | The storage class of the newly provisioned Cloud Object Storage bucket. Specify one of the following values for the storage class: `standard`, `vault`, `cold`, `smart` (default), or `onerate_active`. | `string` | `"standard"` | no | +| [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | Name of the Default ACL. If null, a name will be automatically generated. | `string` | `null` | no | +| [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | Name of the Default Routing Table. If null, a name will be automatically generated. | `string` | `null` | no | +| [default\_security\_group\_name](#input\_default\_security\_group\_name) | Name of the Default Security Group. If null, a name will be automatically generated. | `string` | `null` | no | +| [enable\_vpc\_flow\_logs](#input\_enable\_vpc\_flow\_logs) | To enable VPC Flow logs, set this to true. | `bool` | `false` | no | +| [existing\_cos\_instance\_crn](#input\_existing\_cos\_instance\_crn) | CRN of the existing COS instance. It is only required if `enable_vpc_flow_logs` is set to true and will be used to create the flow logs bucket. | `string` | `null` | no | +| [existing\_flow\_logs\_bucket\_kms\_key\_crn](#input\_existing\_flow\_logs\_bucket\_kms\_key\_crn) | The CRN of the existing root key of key management service (KMS) that is used to encrypt the flow logs Cloud Object Storage bucket. If no value is set for this variable, specify a value for the `existing_kms_instance_crn` variable to create a key ring and key. | `string` | `null` | no | +| [existing\_kms\_instance\_crn](#input\_existing\_kms\_instance\_crn) | The CRN of the existing key management service (KMS) that is used to create keys for encrypting the flow logs Cloud Object Storage bucket. Used to create a new KMS key unless an existing key is passed using the `existing_flow_logs_bucket_kms_key_crn` input. | `string` | `null` | no | +| [existing\_resource\_group\_name](#input\_existing\_resource\_group\_name) | The name of an existing resource group to provision the resources. [Learn more](https://cloud.ibm.com/docs/account?topic=account-rgs&interface=ui#create_rgs) about how to create a resource group. | `string` | `"Default"` | no | +| [flow\_logs\_cos\_bucket\_archive\_days](#input\_flow\_logs\_cos\_bucket\_archive\_days) | The number of days before the `archive_type` rule action takes effect for the flow logs cloud object storage bucket. | `number` | `90` | no | +| [flow\_logs\_cos\_bucket\_archive\_type](#input\_flow\_logs\_cos\_bucket\_archive\_type) | The storage class or archive type you want the object to transition to in the flow logs cloud object storage bucket. | `string` | `"Glacier"` | no | +| [flow\_logs\_cos\_bucket\_default\_retention\_days](#input\_flow\_logs\_cos\_bucket\_default\_retention\_days) | The number of days that an object can remain unmodified in the flow logs cloud object storage bucket. | `number` | `90` | no | +| [flow\_logs\_cos\_bucket\_enable\_object\_versioning](#input\_flow\_logs\_cos\_bucket\_enable\_object\_versioning) | Set it to true if object versioning is enabled so that multiple versions of an object are retained in the flow logs cloud object storage bucket. Cannot be used if `flow_logs_cos_bucket_enable_retention` is true. | `bool` | `false` | no | +| [flow\_logs\_cos\_bucket\_enable\_permanent\_retention](#input\_flow\_logs\_cos\_bucket\_enable\_permanent\_retention) | Whether permanent retention status is enabled for the flow logs cloud object storage bucket. [Learn more](https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-immutable). | `bool` | `false` | no | +| [flow\_logs\_cos\_bucket\_enable\_retention](#input\_flow\_logs\_cos\_bucket\_enable\_retention) | Set to true to enable retention for the flow logs cloud object storage bucket. | `bool` | `false` | no | +| [flow\_logs\_cos\_bucket\_expire\_days](#input\_flow\_logs\_cos\_bucket\_expire\_days) | The number of days before the expire rule action takes effect for the flow logs cloud object storage bucket. | `number` | `366` | no | +| [flow\_logs\_cos\_bucket\_maximum\_retention\_days](#input\_flow\_logs\_cos\_bucket\_maximum\_retention\_days) | The maximum number of days that an object can be kept unmodified in the flow logs cloud object storage. | `number` | `350` | no | +| [flow\_logs\_cos\_bucket\_minimum\_retention\_days](#input\_flow\_logs\_cos\_bucket\_minimum\_retention\_days) | The minimum number of days that an object must be kept unmodified in the flow logs cloud object storage. | `number` | `90` | no | +| [flow\_logs\_cos\_bucket\_name](#input\_flow\_logs\_cos\_bucket\_name) | Name of the Cloud Object Storage bucket to be created to collect VPC flow logs. | `string` | `"flow-logs-bucket"` | no | +| [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes | +| [ibmcloud\_kms\_api\_key](#input\_ibmcloud\_kms\_api\_key) | The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance. If not specified, the 'ibmcloud\_api\_key' variable is used. Specify this key if the instance in `existing_kms_instance_crn` is in an account that's different from the Cloud Object Storage instance. Leave this input empty if the same account owns both instances. | `string` | `null` | no | +| [kms\_encryption\_enabled\_bucket](#input\_kms\_encryption\_enabled\_bucket) | Set to true to encrypt the Cloud Object Storage Flow Logs bucket with a KMS key. If set to true, a value must be passed for existing\_flow\_logs\_bucket\_kms\_key\_crn (to use that key) or existing\_kms\_instance\_crn (to create a new key). Value cannot be set to true if enable\_vpc\_flow\_logs is set to false. | `bool` | `false` | no | +| [kms\_endpoint\_type](#input\_kms\_endpoint\_type) | The type of endpoint to use for communicating with the KMS. Possible values: `public`, `private`. Applies only if `existing_flow_logs_bucket_kms_key_crn` is not specified. | `string` | `"private"` | no | +| [kms\_key\_name](#input\_kms\_key\_name) | The name of the key to encrypt the flow logs Cloud Object Storage bucket. If an existing key is used, this variable is not required. If the prefix input variable is passed, the name of the key is prefixed to the value in the `-value` format. | `string` | `"flow-logs-cos-key"` | no | +| [kms\_key\_ring\_name](#input\_kms\_key\_ring\_name) | The name of the key ring to create for the Cloud Object Storage bucket key. If an existing key is used, this variable is not required. If the prefix input variable is passed, the name of the key ring is prefixed to the value in the `-value` format. | `string` | `"flow-logs-cos-key-ring"` | no | +| [management\_endpoint\_type\_for\_bucket](#input\_management\_endpoint\_type\_for\_bucket) | The type of endpoint for the IBM Terraform provider to use to manage Cloud Object Storage buckets (`public`, `private`, or `direct`). If you are using a private endpoint, make sure that you enable virtual routing and forwarding (VRF) in your account, and that the Terraform runtime can access the IBM Cloud Private network. | `string` | `"direct"` | no | +| [network\_acls](#input\_network\_acls) | The list of ACLs to create. Provide at least one rule for each ACL. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#network-acls-). | 
list(
    object({
      name                         = string
      add_ibm_cloud_internal_rules = optional(bool)
      add_vpc_connectivity_rules   = optional(bool)
      prepend_ibm_rules            = optional(bool)
      rules = list(
        object({
          name        = string
          action      = string
          destination = string
          direction   = string
          source      = string
          tcp = optional(
            object({
              port_max        = optional(number)
              port_min        = optional(number)
              source_port_max = optional(number)
              source_port_min = optional(number)
            })
          )
          udp = optional(
            object({
              port_max        = optional(number)
              port_min        = optional(number)
              source_port_max = optional(number)
              source_port_min = optional(number)
            })
          )
          icmp = optional(
            object({
              type = optional(number)
              code = optional(number)
            })
          )
        })
      )
    })
  )
| 
[
  {
    "add_ibm_cloud_internal_rules": true,
    "add_vpc_connectivity_rules": true,
    "name": "vpc-acl",
    "prepend_ibm_rules": true,
    "rules": [
      {
        "action": "allow",
        "destination": "0.0.0.0/0",
        "direction": "inbound",
        "name": "allow-22-inbound",
        "source": "0.0.0.0/0",
        "tcp": {
          "port_max": 22,
          "port_min": 22
        }
      },
      {
        "action": "allow",
        "destination": "0.0.0.0/0",
        "direction": "outbound",
        "name": "allow-22-inbound-response",
        "source": "0.0.0.0/0",
        "tcp": {
          "source_port_max": 22,
          "source_port_min": 22
        }
      },
      {
        "action": "allow",
        "destination": "0.0.0.0/0",
        "direction": "inbound",
        "name": "allow-80-inbound",
        "source": "0.0.0.0/0",
        "tcp": {
          "port_max": 80,
          "port_min": 80
        }
      },
      {
        "action": "allow",
        "destination": "0.0.0.0/0",
        "direction": "outbound",
        "name": "allow-80-inbound-response",
        "source": "0.0.0.0/0",
        "tcp": {
          "source_port_max": 80,
          "source_port_min": 80
        }
      },
      {
        "action": "allow",
        "destination": "0.0.0.0/0",
        "direction": "inbound",
        "name": "allow-443-inbound",
        "source": "0.0.0.0/0",
        "tcp": {
          "port_max": 443,
          "port_min": 443
        }
      },
      {
        "action": "allow",
        "destination": "0.0.0.0/0",
        "direction": "outbound",
        "name": "allow-443-inbound-response",
        "source": "0.0.0.0/0",
        "tcp": {
          "source_port_max": 443,
          "source_port_min": 443
        }
      }
    ]
  }
]
| no | +| [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To skip using a prefix, set this value to null or an empty string. **Important:** Changing the prefix after initial deployment will cause Terraform to plan destruction and recreation of resources. Changing the prefix should be treated as provisioning a new environment, not renaming existing resources. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md). | `string` | n/a | yes | +| [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no | +| [region](#input\_region) | The region to provision all resources in. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/region) about how to select different regions for different services. | `string` | `"us-south"` | no | +| [resource\_tags](#input\_resource\_tags) | The list of tags to add to the VPC instance. | `list(string)` | `[]` | no | +| [routes](#input\_routes) | Allows you to specify the next hop for packets based on their destination address. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#routes-). | 
list(
    object({
      name                          = string
      route_direct_link_ingress     = optional(bool)
      route_transit_gateway_ingress = optional(bool)
      route_vpc_zone_ingress        = optional(bool)
      routes = optional(
        list(
          object({
            action      = optional(string)
            zone        = number
            destination = string
            next_hop    = string
          })
      ))
    })
  )
| `[]` | no | +| [security\_group\_rules](#input\_security\_group\_rules) | A list of security group rules to be added to the default vpc security group (default empty). [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#security-group-rules-). | 
list(
    object({
      name       = string
      direction  = string
      remote     = optional(string)
      local      = optional(string)
      ip_version = optional(string)
      tcp = optional(
        object({
          port_max = optional(number)
          port_min = optional(number)
        })
      )
      udp = optional(
        object({
          port_max = optional(number)
          port_min = optional(number)
        })
      )
      icmp = optional(
        object({
          type = optional(number)
          code = optional(number)
        })
      )
    })
  )
| `[]` | no | +| [skip\_cos\_kms\_iam\_auth\_policy](#input\_skip\_cos\_kms\_iam\_auth\_policy) | To skip creating an IAM authorization policy that allows Cloud Object Storage(COS) to access KMS key. | `bool` | `false` | no | +| [skip\_vpc\_cos\_iam\_auth\_policy](#input\_skip\_vpc\_cos\_iam\_auth\_policy) | To skip creating an IAM authorization policy that allows the VPC to access the Cloud Object Storage, set this variable to `true`. Required only if `enable_vpc_flow_logs` is set to true. | `bool` | `false` | no | +| [subnets](#input\_subnets) | List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addresses. Public gateways will be enabled only in zones where a gateway has been created. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#subnets-). | 
object({
    zone-1 = list(object({
      name           = string
      cidr           = string
      public_gateway = optional(bool)
      acl_name       = string
      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
      subnet_tags    = optional(list(string), [])
    }))
    zone-2 = optional(list(object({
      name           = string
      cidr           = string
      public_gateway = optional(bool)
      acl_name       = string
      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
      subnet_tags    = optional(list(string), [])
    })))
    zone-3 = optional(list(object({
      name           = string
      cidr           = string
      public_gateway = optional(bool)
      acl_name       = string
      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
      subnet_tags    = optional(list(string), [])
    })))
  })
| 
{
  "zone-1": [
    {
      "acl_name": "vpc-acl",
      "cidr": "10.10.10.0/24",
      "name": "subnet-a",
      "no_addr_prefix": false,
      "public_gateway": true
    }
  ],
  "zone-2": [
    {
      "acl_name": "vpc-acl",
      "cidr": "10.20.10.0/24",
      "name": "subnet-b",
      "no_addr_prefix": false,
      "public_gateway": true
    }
  ],
  "zone-3": [
    {
      "acl_name": "vpc-acl",
      "cidr": "10.30.10.0/24",
      "name": "subnet-c",
      "no_addr_prefix": false,
      "public_gateway": true
    }
  ]
}
| no | +| [vpc\_name](#input\_vpc\_name) | Name of the VPC. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"vpc"` | no | +| [vpe\_gateway\_cloud\_service\_by\_crn](#input\_vpe\_gateway\_cloud\_service\_by\_crn) | The list of cloud service CRNs used to create endpoint gateways. Use this list to identify services that are not supported by service name in the `cloud_services` variable. For a list of supported services, see [VPE-enabled services](https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-supported-services). If `service_name` is not specified, the CRN is used to find the name. If `vpe_name` is not specified in the list, VPE names are created in the format `--`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#vpe-gateway-cloud-service-by-crn-). | 
set(
    object({
      crn                         = string
      vpe_name                    = optional(string) # Full control on the VPE name. If not specified, the VPE name will be computed based on prefix, vpc name and service name.
      service_name                = optional(string) # Name of the service used to compute the name of the VPE. If not specified, the service name will be obtained from the crn.
      dns_resolution_binding_mode = optional(string, "primary")
    })
  )
| `[]` | no | +| [vpe\_gateway\_cloud\_services](#input\_vpe\_gateway\_cloud\_services) | The list of cloud services used to create endpoint gateways. If `vpe_name` is not specified in the list, VPE names are created in the format `--`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#vpe-gateway-cloud-services-). | 
set(object({
    service_name                = string
    vpe_name                    = optional(string), # Full control on the VPE name. If not specified, the VPE name will be computed based on prefix, vpc name and service name.
    dns_resolution_binding_mode = optional(string, "disabled")
  }))
| `[]` | no | +| [vpe\_gateway\_reserved\_ips](#input\_vpe\_gateway\_reserved\_ips) | Map of existing reserved IP names and values. Leave this value as default if you want to create new reserved ips, this value is used when a user passes their existing reserved ips created here and not attempt to recreate those. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#reserved-ips-). | 
object({
    name = optional(string) # reserved ip name
  })
| `{}` | no | +| [vpe\_gateway\_security\_group\_ids](#input\_vpe\_gateway\_security\_group\_ids) | List of security group ids to attach to each endpoint gateway. | `list(string)` | `null` | no | +| [vpe\_gateway\_service\_endpoints](#input\_vpe\_gateway\_service\_endpoints) | Service endpoints to use to create endpoint gateways. Can be `public`, or `private`. | `string` | `"private"` | no | +| [vpn\_gateways](#input\_vpn\_gateways) | List of VPN Gateways to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#vpn-gateways-). | 
list(
    object({
      name           = string
      subnet_name    = string # Do not include prefix, use same name as in `var.subnets`
      mode           = optional(string)
      resource_group = optional(string)
      access_tags    = optional(list(string), [])
    })
  )
| `[]` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [default\_routing\_table](#output\_default\_routing\_table) | The default routing table ID and name that is created along with the VPC. | +| [network\_acls](#output\_network\_acls) | List of shortnames and IDs of network ACLs. | +| [next\_step\_primary\_label](#output\_next\_step\_primary\_label) | Primary label | +| [next\_step\_primary\_url](#output\_next\_step\_primary\_url) | Primary URL | +| [next\_step\_secondary\_label](#output\_next\_step\_secondary\_label) | Secondary label | +| [next\_step\_secondary\_url](#output\_next\_step\_secondary\_url) | Secondary URL | +| [next\_steps\_text](#output\_next\_steps\_text) | Next steps text | +| [private\_path\_subnet\_id](#output\_private\_path\_subnet\_id) | The IDs of the subnets. | +| [public\_gateways](#output\_public\_gateways) | Map of the public gateways by zone. | +| [routing\_table\_ids](#output\_routing\_table\_ids) | List of routing table IDs created by this module. | +| [routing\_table\_routes](#output\_routing\_table\_routes) | List of routing table routes created by this module. | +| [security\_group\_details](#output\_security\_group\_details) | Details of security group. | +| [subnet\_detail\_list](#output\_subnet\_detail\_list) | A list of subnets containing names, CIDR blocks, and zones. | +| [subnet\_detail\_map](#output\_subnet\_detail\_map) | A map of subnets containing IDs, CIDR blocks, and zones. | +| [subnet\_ids](#output\_subnet\_ids) | The IDs of the subnets. | +| [subnet\_zone\_list](#output\_subnet\_zone\_list) | A list of subnet IDs and subnet zones. | +| [vpc\_crn](#output\_vpc\_crn) | CRN of the VPC created. | +| [vpc\_flow\_logs](#output\_vpc\_flow\_logs) | Details of the VPC flow logs collector. | +| [vpc\_id](#output\_vpc\_id) | ID of the VPC created. | +| [vpc\_name](#output\_vpc\_name) | Name of the VPC created. | +| [vpe\_crn](#output\_vpe\_crn) | The CRN of the endpoint gateway. | +| [vpe\_ips](#output\_vpe\_ips) | The reserved IPs for endpoint gateways. | +| [vpn\_gateways\_data](#output\_vpn\_gateways\_data) | Details of VPN gateways data. | +| [vpn\_gateways\_name](#output\_vpn\_gateways\_name) | List of names of VPN gateways. | + \ No newline at end of file From 6c2ba974fcce05c6fee210f4852428fab0acee6e Mon Sep 17 00:00:00 2001 From: Shikha Maheshwari Date: Mon, 23 Mar 2026 10:16:19 +0530 Subject: [PATCH 5/5] fix readme docs --- README.md | 150 +------------------------ solutions/fully-configurable/README.md | 118 ------------------- 2 files changed, 3 insertions(+), 265 deletions(-) diff --git a/README.md b/README.md index b4770a26..dda4d6ea 100644 --- a/README.md +++ b/README.md @@ -267,6 +267,7 @@ To attach access management tags to resources in this module, you need the follo |------|-------------| | [cidr\_blocks](#output\_cidr\_blocks) | List of CIDR blocks present in VPC stack | | [custom\_resolver\_hub](#output\_custom\_resolver\_hub) | The custom resolver created for the hub vpc. Only set if enable\_hub is set and skip\_custom\_resolver\_hub\_creation is false. | +| [default\_routing\_table](#output\_default\_routing\_table) | The default routing table ID and name that is created along with the VPC. | | [dns\_custom\_resolver\_id](#output\_dns\_custom\_resolver\_id) | The ID of the DNS Custom Resolver. | | [dns\_endpoint\_gateways\_by\_crn](#output\_dns\_endpoint\_gateways\_by\_crn) | The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id OR enable\_hub\_vpc\_crn are true. | | [dns\_endpoint\_gateways\_by\_id](#output\_dns\_endpoint\_gateways\_by\_id) | The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id OR enable\_hub\_vpc\_crn are true. | @@ -277,6 +278,8 @@ To attach access management tags to resources in this module, you need the follo | [dns\_zone\_state](#output\_dns\_zone\_state) | The state of the DNS zone. | | [network\_acls](#output\_network\_acls) | List of shortnames and IDs of network ACLs | | [public\_gateways](#output\_public\_gateways) | Map of public gateways by zone | +| [routing\_table\_ids](#output\_routing\_table\_ids) | List of routing table IDs created by this module. | +| [routing\_table\_routes](#output\_routing\_table\_routes) | List of routing table routes created by this module. | | [security\_group\_details](#output\_security\_group\_details) | Details of security group. | | [subnet\_detail\_list](#output\_subnet\_detail\_list) | A list of subnets containing names, CIDR blocks, and zones. | | [subnet\_detail\_map](#output\_subnet\_detail\_map) | A map of subnets containing IDs, CIDR blocks, and zones | @@ -301,150 +304,3 @@ For a list of common known issues see: You can report issues and request features for this module in GitHub issues in the module repo. See [Report an issue or request a feature](https://github.com/terraform-ibm-modules/.github/blob/main/.github/SUPPORT.md). To set up your local development environment, see [Local development setup](https://terraform-ibm-modules.github.io/documentation/#/local-dev-setup) in the project documentation. - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.0 | -| [ibm](#requirement\_ibm) | >= 1.87.3, < 2.0.0 | -| [time](#requirement\_time) | >= 0.9.1, < 1.0.0 | - -## Providers - -| Name | Version | -|------|---------| -| [ibm](#provider\_ibm) | >= 1.87.3, < 2.0.0 | -| [terraform](#provider\_terraform) | n/a | -| [time](#provider\_time) | >= 0.9.1, < 1.0.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [dynamic\_values](#module\_dynamic\_values) | ./dynamic_values | n/a | -| [unit\_tests](#module\_unit\_tests) | ./dynamic_values | n/a | - -## Resources - -| Name | Type | -|------|------| -| [ibm_dns_custom_resolver.custom_resolver_hub](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/dns_custom_resolver) | resource | -| [ibm_dns_permitted_network.dns_permitted_network](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/dns_permitted_network) | resource | -| [ibm_dns_resource_record.dns_record](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/dns_resource_record) | resource | -| [ibm_dns_zone.dns_zone](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/dns_zone) | resource | -| [ibm_iam_authorization_policy.policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | -| [ibm_iam_authorization_policy.vpc_dns_resolution_auth_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | -| [ibm_is_flow_log.flow_logs](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_flow_log) | resource | -| [ibm_is_network_acl.network_acl](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_network_acl) | resource | -| [ibm_is_public_gateway.gateway](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_public_gateway) | resource | -| [ibm_is_security_group_rule.default_vpc_rule](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_security_group_rule) | resource | -| [ibm_is_subnet.subnet](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_subnet) | resource | -| [ibm_is_subnet_public_gateway_attachment.exist_subnet_gw](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_subnet_public_gateway_attachment) | resource | -| [ibm_is_vpc.vpc](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc) | resource | -| [ibm_is_vpc_address_prefix.address_prefixes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_address_prefix) | resource | -| [ibm_is_vpc_address_prefix.subnet_prefix](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_address_prefix) | resource | -| [ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_crn](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_dns_resolution_binding) | resource | -| [ibm_is_vpc_dns_resolution_binding.vpc_dns_resolution_binding_id](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_dns_resolution_binding) | resource | -| [ibm_is_vpc_routing_table.route_table](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table) | resource | -| [ibm_is_vpc_routing_table_route.routing_table_routes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table_route) | resource | -| [ibm_is_vpn_gateway.vpn_gateway](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpn_gateway) | resource | -| [ibm_resource_instance.dns_instance_hub](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource | -| [terraform_data.deprecation_warning](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | -| [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | -| [time_sleep.wait_for_vpc_creation_data](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | -| [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source | -| [ibm_is_subnet.subnet](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_subnet) | data source | -| [ibm_is_vpc.vpc](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc) | data source | -| [ibm_is_vpc_address_prefixes.get_address_prefixes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc_address_prefixes) | data source | -| [ibm_is_vpc_dns_resolution_bindings.dns_bindings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc_dns_resolution_bindings) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [access\_tags](#input\_access\_tags) | A list of access tags to apply to the VPC resources created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | `list(string)` | `[]` | no | -| [address\_prefixes](#input\_address\_prefixes) | OPTIONAL - IP range that will be defined for the VPC for a certain location. Use only with manual address prefixes | 
object({
    zone-1 = optional(list(string))
    zone-2 = optional(list(string))
    zone-3 = optional(list(string))
  })
| 
{
  "zone-1": null,
  "zone-2": null,
  "zone-3": null
}
| no | -| [clean\_default\_sg\_acl](#input\_clean\_default\_sg\_acl) | Remove all rules from the default VPC security group and VPC ACL (less permissive) | `bool` | `false` | no | -| [create\_authorization\_policy\_vpc\_to\_cos](#input\_create\_authorization\_policy\_vpc\_to\_cos) | Create authorisation policy for VPC to access COS. Set as false if authorization policy exists already | `bool` | `false` | no | -| [create\_subnets](#input\_create\_subnets) | Indicates whether user wants to use existing subnets or create new. Set it to true to create new subnets. | `bool` | `true` | no | -| [create\_vpc](#input\_create\_vpc) | Indicates whether user wants to use an existing vpc or create a new one. Set it to true to create a new vpc | `bool` | `true` | no | -| [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | OPTIONAL - Name of the Default ACL. If null, a name will be automatically generated | `string` | `null` | no | -| [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | OPTIONAL - Name of the Default Routing Table. If null, a name will be automatically generated | `string` | `null` | no | -| [default\_security\_group\_name](#input\_default\_security\_group\_name) | OPTIONAL - Name of the Default Security Group. If null, a name will be automatically generated | `string` | `null` | no | -| [dns\_binding\_name](#input\_dns\_binding\_name) | The name to give the provisioned VPC DNS resolution binding. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | -| [dns\_custom\_resolver\_name](#input\_dns\_custom\_resolver\_name) | The name to give the provisioned DNS custom resolver instance. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | -| [dns\_custom\_resolver\_profile](#input\_dns\_custom\_resolver\_profile) | The profile name for the provisioned DNS custom resolver instance. | `string` | `"essential"` | no | -| [dns\_instance\_name](#input\_dns\_instance\_name) | The name to give the provisioned DNS instance. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | -| [dns\_location](#input\_dns\_location) | The target location or environment for the DNS instance created to host the custom resolver in a hub-spoke DNS resolution topology. Only used if enable\_hub is true and skip\_custom\_resolver\_hub\_creation is false (defaults). | `string` | `"global"` | no | -| [dns\_plan](#input\_dns\_plan) | The plan for the DNS resource instance created to host the custom resolver in a hub-spoke DNS resolution topology. Only used if enable\_hub is true and skip\_custom\_resolver\_hub\_creation is false (defaults). | `string` | `"standard-dns"` | no | -| [dns\_records](#input\_dns\_records) | List of DNS records to be created. | 
map(list(object({
    name       = string
    type       = string
    ttl        = number
    rdata      = string
    preference = optional(number, null)
    service    = optional(string, null)
    protocol   = optional(string, null)
    priority   = optional(number, null)
    weight     = optional(number, null)
    port       = optional(number, null)
  })))
| `{}` | no | -| [dns\_zones](#input\_dns\_zones) | List of the DNS zone to be created. | 
list(object({
    name        = string
    description = optional(string)
    label       = optional(string, "dns-zone")
  }))
| `[]` | no | -| [enable\_hub](#input\_enable\_hub) | Indicates whether this VPC is enabled as a DNS name resolution hub. | `bool` | `false` | no | -| [enable\_hub\_vpc\_crn](#input\_enable\_hub\_vpc\_crn) | Indicates whether Hub VPC CRN is passed. | `bool` | `false` | no | -| [enable\_hub\_vpc\_id](#input\_enable\_hub\_vpc\_id) | Indicates whether Hub VPC ID is passed. | `bool` | `false` | no | -| [enable\_vpc\_flow\_logs](#input\_enable\_vpc\_flow\_logs) | Flag to enable vpc flow logs. If true, flow log collector will be created | `bool` | `false` | no | -| [existing\_cos\_instance\_guid](#input\_existing\_cos\_instance\_guid) | GUID of the COS instance to create Flow log collector | `string` | `null` | no | -| [existing\_dns\_instance\_id](#input\_existing\_dns\_instance\_id) | Id of an existing dns instance in which the custom resolver is created. Only relevant if enable\_hub is set to true. | `string` | `null` | no | -| [existing\_storage\_bucket\_name](#input\_existing\_storage\_bucket\_name) | Name of the COS bucket to collect VPC flow logs | `string` | `null` | no | -| [existing\_subnets](#input\_existing\_subnets) | The detail of the existing subnets and required mappings to other resources. Required if 'create\_subnets' is false. | 
list(object({
    id             = string
    public_gateway = optional(bool, false)
  }))
| `[]` | no | -| [existing\_vpc\_id](#input\_existing\_vpc\_id) | The ID of the existing vpc. Required if 'create\_vpc' is false. | `string` | `null` | no | -| [hub\_account\_id](#input\_hub\_account\_id) | ID of the hub account for DNS resolution, required if 'skip\_spoke\_auth\_policy' is false. | `string` | `null` | no | -| [hub\_vpc\_crn](#input\_hub\_vpc\_crn) | Indicates the crn of the hub VPC for DNS resolution. See https://cloud.ibm.com/docs/vpc?topic=vpc-hub-spoke-model. Mutually exclusive with hub\_vpc\_id. | `string` | `null` | no | -| [hub\_vpc\_id](#input\_hub\_vpc\_id) | Indicates the id of the hub VPC for DNS resolution. See https://cloud.ibm.com/docs/vpc?topic=vpc-hub-spoke-model. Mutually exclusive with hub\_vpc\_crn. | `string` | `null` | no | -| [is\_flow\_log\_collector\_active](#input\_is\_flow\_log\_collector\_active) | Indicates whether the collector is active. If false, this collector is created in inactive mode. | `bool` | `true` | no | -| [manual\_servers](#input\_manual\_servers) | The DNS server addresses to use for the VPC, replacing any existing servers. All the entries must either have a unique zone\_affinity, or not have a zone\_affinity. | 
list(object({
    address       = string
    zone_affinity = optional(string)
  }))
| `[]` | no | -| [name](#input\_name) | Used for the naming of the VPC (if create\_vpc is set to true), as well as in the naming for any resources created inside the VPC (unless using one of the optional variables for explicit control over naming). | `string` | n/a | yes | -| [network\_acls](#input\_network\_acls) | The list of ACLs to create. Provide at least one rule for each ACL. | 
list(
    object({
      name                         = string
      add_ibm_cloud_internal_rules = optional(bool)
      add_vpc_connectivity_rules   = optional(bool)
      prepend_ibm_rules            = optional(bool)
      rules = list(
        object({
          name        = string
          action      = string
          destination = string
          direction   = string
          source      = string
          tcp = optional(
            object({
              port_max        = optional(number)
              port_min        = optional(number)
              source_port_max = optional(number)
              source_port_min = optional(number)
            })
          )
          udp = optional(
            object({
              port_max        = optional(number)
              port_min        = optional(number)
              source_port_max = optional(number)
              source_port_min = optional(number)
            })
          )
          icmp = optional(
            object({
              type = optional(number)
              code = optional(number)
            })
          )
        })
      )
    })
  )
| 
[
  {
    "add_ibm_cloud_internal_rules": true,
    "add_vpc_connectivity_rules": true,
    "name": "vpc-acl",
    "prepend_ibm_rules": true,
    "rules": []
  }
]
| no | -| [network\_cidrs](#input\_network\_cidrs) | List of Network CIDRs for the VPC. This is used to manage network ACL rules for cluster provisioning. | `list(string)` | 
[
  "10.0.0.0/8"
]
| no | -| [prefix](#input\_prefix) | The value that you would like to prefix to the name of the resources provisioned by this module. Explicitly set to null if you do not wish to use a prefix. This value is ignored if using one of the optional variables for explicit control over naming. **Important:** Changing the prefix after initial deployment will cause Terraform to plan destruction and recreation of resources. Changing the prefix should be treated as provisioning a new environment, not renaming existing resources. | `string` | `null` | no | -| [public\_gateway\_name](#input\_public\_gateway\_name) | The name to give the provisioned VPC public gateways. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | -| [region](#input\_region) | The region to which to deploy the VPC | `string` | n/a | yes | -| [resolver\_type](#input\_resolver\_type) | Resolver type. Can be system or manual or delegated. | `string` | `null` | no | -| [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the VPC to be created | `string` | n/a | yes | -| [routes](#input\_routes) | OPTIONAL - Allows you to specify the next hop for packets based on their destination address | 
list(
    object({
      name                          = string
      route_direct_link_ingress     = optional(bool)
      route_transit_gateway_ingress = optional(bool)
      route_vpc_zone_ingress        = optional(bool)
      routes = optional(
        list(
          object({
            action      = optional(string)
            zone        = number
            destination = string
            next_hop    = string
          })
      ))
    })
  )
| `[]` | no | -| [routing\_table\_name](#input\_routing\_table\_name) | The name to give the provisioned routing tables. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | -| [security\_group\_rules](#input\_security\_group\_rules) | A list of security group rules to be added to the default vpc security group (default empty) | 
list(
    object({
      name       = string
      direction  = string
      remote     = optional(string)
      local      = optional(string)
      ip_version = optional(string)
      tcp = optional(
        object({
          port_max = optional(number)
          port_min = optional(number)
        })
      )
      udp = optional(
        object({
          port_max = optional(number)
          port_min = optional(number)
        })
      )
      icmp = optional(
        object({
          type = optional(number)
          code = optional(number)
        })
      )
    })
  )
| `[]` | no | -| [skip\_custom\_resolver\_hub\_creation](#input\_skip\_custom\_resolver\_hub\_creation) | Indicates whether to skip the configuration of a custom resolver in the hub VPC. Only relevant if enable\_hub is set to true. | `bool` | `false` | no | -| [skip\_spoke\_auth\_policy](#input\_skip\_spoke\_auth\_policy) | Set to true to skip the creation of an authorization policy between the DNS resolution spoke and hub, only enable this if a policy already exists between these two VPCs. See https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-dns-sharing-s2s-auth&interface=ui for more details. | `bool` | `false` | no | -| [subnets](#input\_subnets) | List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addresses. Public gateways will be enabled only in zones where a gateway has been created | 
object({
    zone-1 = list(object({
      name           = string
      cidr           = string
      public_gateway = optional(bool)
      acl_name       = string
      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
      subnet_tags    = optional(list(string), [])
    }))
    zone-2 = optional(list(object({
      name           = string
      cidr           = string
      public_gateway = optional(bool)
      acl_name       = string
      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
      subnet_tags    = optional(list(string), [])
    })))
    zone-3 = optional(list(object({
      name           = string
      cidr           = string
      public_gateway = optional(bool)
      acl_name       = string
      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
      subnet_tags    = optional(list(string), [])
    })))
  })
| 
{
  "zone-1": [
    {
      "acl_name": "vpc-acl",
      "cidr": "10.10.10.0/24",
      "name": "subnet-a",
      "no_addr_prefix": false,
      "public_gateway": true
    }
  ],
  "zone-2": [
    {
      "acl_name": "vpc-acl",
      "cidr": "10.20.10.0/24",
      "name": "subnet-b",
      "no_addr_prefix": false,
      "public_gateway": true
    }
  ],
  "zone-3": [
    {
      "acl_name": "vpc-acl",
      "cidr": "10.30.10.0/24",
      "name": "subnet-c",
      "no_addr_prefix": false,
      "public_gateway": true
    }
  ]
}
| no | -| [tags](#input\_tags) | List of Tags for the resource created | `list(string)` | `null` | no | -| [update\_delegated\_resolver](#input\_update\_delegated\_resolver) | If set to true, and if the vpc is configured to be a spoke for DNS resolution (enable\_hub\_vpc\_crn or enable\_hub\_vpc\_id set), then the spoke VPC resolver will be updated to a delegated resolver. | `bool` | `false` | no | -| [use\_existing\_dns\_instance](#input\_use\_existing\_dns\_instance) | Whether to use an existing dns instance. If true, existing\_dns\_instance\_id must be set. | `bool` | `false` | no | -| [use\_public\_gateways](#input\_use\_public\_gateways) | Create a public gateway in any of the three zones with `true`. | 
object({
    zone-1 = optional(bool)
    zone-2 = optional(bool)
    zone-3 = optional(bool)
  })
| 
{
  "zone-1": true,
  "zone-2": true,
  "zone-3": true
}
| no | -| [vpc\_flow\_logs\_name](#input\_vpc\_flow\_logs\_name) | The name to give the provisioned VPC flow logs. If not set, the module generates a name based on the `prefix` and `name` variables. | `string` | `null` | no | -| [vpn\_gateways](#input\_vpn\_gateways) | [DEPRECATED] List of VPN gateways to create. For more information please refer the [migration guide](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/docs/migration_guide.md). | 
list(
    object({
      name           = string
      subnet_name    = string # Do not include prefix, use same name as in `var.subnets`
      mode           = optional(string, "route")
      resource_group = optional(string)
      access_tags    = optional(list(string), [])
    })
  )
| `[]` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [cidr\_blocks](#output\_cidr\_blocks) | List of CIDR blocks present in VPC stack | -| [custom\_resolver\_hub](#output\_custom\_resolver\_hub) | The custom resolver created for the hub vpc. Only set if enable\_hub is set and skip\_custom\_resolver\_hub\_creation is false. | -| [default\_routing\_table](#output\_default\_routing\_table) | The default routing table ID and name that is created along with the VPC. | -| [dns\_custom\_resolver\_id](#output\_dns\_custom\_resolver\_id) | The ID of the DNS Custom Resolver. | -| [dns\_endpoint\_gateways\_by\_crn](#output\_dns\_endpoint\_gateways\_by\_crn) | The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id OR enable\_hub\_vpc\_crn are true. | -| [dns\_endpoint\_gateways\_by\_id](#output\_dns\_endpoint\_gateways\_by\_id) | The list of VPEs that are made available for DNS resolution in the created Spoke VPC. Only set if enable\_hub is false and enable\_hub\_vpc\_id OR enable\_hub\_vpc\_crn are true. | -| [dns\_instance\_id](#output\_dns\_instance\_id) | The ID of the DNS instance. | -| [dns\_record\_ids](#output\_dns\_record\_ids) | List of all the domain resource records. | -| [dns\_zone](#output\_dns\_zone) | A map representing DNS zone information. | -| [dns\_zone\_id](#output\_dns\_zone\_id) | The ID of the DNS zone. | -| [dns\_zone\_state](#output\_dns\_zone\_state) | The state of the DNS zone. | -| [network\_acls](#output\_network\_acls) | List of shortnames and IDs of network ACLs | -| [public\_gateways](#output\_public\_gateways) | Map of public gateways by zone | -| [routing\_table\_ids](#output\_routing\_table\_ids) | List of routing table IDs created by this module. | -| [routing\_table\_routes](#output\_routing\_table\_routes) | List of routing table routes created by this module. | -| [security\_group\_details](#output\_security\_group\_details) | Details of security group. | -| [subnet\_detail\_list](#output\_subnet\_detail\_list) | A list of subnets containing names, CIDR blocks, and zones. | -| [subnet\_detail\_map](#output\_subnet\_detail\_map) | A map of subnets containing IDs, CIDR blocks, and zones | -| [subnet\_ids](#output\_subnet\_ids) | The IDs of the subnets | -| [subnet\_zone\_list](#output\_subnet\_zone\_list) | A list containing subnet IDs and subnet zones | -| [vpc\_crn](#output\_vpc\_crn) | CRN of VPC created | -| [vpc\_data](#output\_vpc\_data) | Data of the VPC used in this module, created or existing. | -| [vpc\_flow\_logs](#output\_vpc\_flow\_logs) | Details of VPC flow logs collector | -| [vpc\_id](#output\_vpc\_id) | ID of VPC created | -| [vpc\_name](#output\_vpc\_name) | Name of VPC created | -| [vpn\_gateways\_data](#output\_vpn\_gateways\_data) | [DEPRECATED] Details of VPN gateways data. For more information please refer the [migration guide](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/docs/migration_guide.md). | -| [vpn\_gateways\_name](#output\_vpn\_gateways\_name) | [DEPRECATED] List of names of VPN gateways. For more information please refer the [migration guide](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/docs/migration_guide.md). | - \ No newline at end of file diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index 641894b2..0d9c0bc8 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md @@ -1,121 +1,3 @@ # Cloud automation for VPC (Fully configurable) :exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers). - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.0 | -| [ibm](#requirement\_ibm) | 1.88.2 | -| [time](#requirement\_time) | 0.13.1 | - -## Providers - -| Name | Version | -|------|---------| -| [ibm.kms](#provider\_ibm.kms) | 1.88.2 | -| [time](#provider\_time) | 0.13.1 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [cos\_buckets](#module\_cos\_buckets) | terraform-ibm-modules/cos/ibm//modules/buckets | 10.14.1 | -| [existing\_cos\_crn\_parser](#module\_existing\_cos\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.4.2 | -| [existing\_kms\_instance\_crn\_parser](#module\_existing\_kms\_instance\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.4.2 | -| [existing\_kms\_key\_crn\_parser](#module\_existing\_kms\_key\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.4.2 | -| [kms](#module\_kms) | terraform-ibm-modules/kms-all-inclusive/ibm | 5.5.31 | -| [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.4.8 | -| [vpc](#module\_vpc) | ../../ | n/a | -| [vpe\_gateway](#module\_vpe\_gateway) | terraform-ibm-modules/vpe-gateway/ibm | 5.0.4 | - -## Resources - -| Name | Type | -|------|------| -| [ibm_iam_authorization_policy.cos_kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.88.2/docs/resources/iam_authorization_policy) | resource | -| [time_sleep.wait_for_cross_account_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/0.13.1/docs/resources/sleep) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [access\_tags](#input\_access\_tags) | The list of access tags to add to the VPC instance. | `list(string)` | `[]` | no | -| [add\_bucket\_name\_suffix](#input\_add\_bucket\_name\_suffix) | Add a randomly generated suffix that is 4 characters in length, to the name of the newly provisioned Cloud Object Storage bucket. Do not use this suffix if you are passing the existing Cloud Object Storage bucket. To manage the name of the Cloud Object Storage bucket manually, use the `flow_logs_cos_bucket_name` variables. | `bool` | `true` | no | -| [address\_prefixes](#input\_address\_prefixes) | The IP range that will be defined for the VPC for a certain location. Use only with manual address prefixes. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#address-prefixes-). | 
object({
    zone-1 = optional(list(string))
    zone-2 = optional(list(string))
    zone-3 = optional(list(string))
  })
| 
{
  "zone-1": null,
  "zone-2": null,
  "zone-3": null
}
| no | -| [clean\_default\_security\_group\_acl](#input\_clean\_default\_security\_group\_acl) | Remove all rules from the default VPC security group and VPC ACL (less permissive). | `bool` | `true` | no | -| [cos\_bucket\_class](#input\_cos\_bucket\_class) | The storage class of the newly provisioned Cloud Object Storage bucket. Specify one of the following values for the storage class: `standard`, `vault`, `cold`, `smart` (default), or `onerate_active`. | `string` | `"standard"` | no | -| [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | Name of the Default ACL. If null, a name will be automatically generated. | `string` | `null` | no | -| [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | Name of the Default Routing Table. If null, a name will be automatically generated. | `string` | `null` | no | -| [default\_security\_group\_name](#input\_default\_security\_group\_name) | Name of the Default Security Group. If null, a name will be automatically generated. | `string` | `null` | no | -| [enable\_vpc\_flow\_logs](#input\_enable\_vpc\_flow\_logs) | To enable VPC Flow logs, set this to true. | `bool` | `false` | no | -| [existing\_cos\_instance\_crn](#input\_existing\_cos\_instance\_crn) | CRN of the existing COS instance. It is only required if `enable_vpc_flow_logs` is set to true and will be used to create the flow logs bucket. | `string` | `null` | no | -| [existing\_flow\_logs\_bucket\_kms\_key\_crn](#input\_existing\_flow\_logs\_bucket\_kms\_key\_crn) | The CRN of the existing root key of key management service (KMS) that is used to encrypt the flow logs Cloud Object Storage bucket. If no value is set for this variable, specify a value for the `existing_kms_instance_crn` variable to create a key ring and key. | `string` | `null` | no | -| [existing\_kms\_instance\_crn](#input\_existing\_kms\_instance\_crn) | The CRN of the existing key management service (KMS) that is used to create keys for encrypting the flow logs Cloud Object Storage bucket. Used to create a new KMS key unless an existing key is passed using the `existing_flow_logs_bucket_kms_key_crn` input. | `string` | `null` | no | -| [existing\_resource\_group\_name](#input\_existing\_resource\_group\_name) | The name of an existing resource group to provision the resources. [Learn more](https://cloud.ibm.com/docs/account?topic=account-rgs&interface=ui#create_rgs) about how to create a resource group. | `string` | `"Default"` | no | -| [flow\_logs\_cos\_bucket\_archive\_days](#input\_flow\_logs\_cos\_bucket\_archive\_days) | The number of days before the `archive_type` rule action takes effect for the flow logs cloud object storage bucket. | `number` | `90` | no | -| [flow\_logs\_cos\_bucket\_archive\_type](#input\_flow\_logs\_cos\_bucket\_archive\_type) | The storage class or archive type you want the object to transition to in the flow logs cloud object storage bucket. | `string` | `"Glacier"` | no | -| [flow\_logs\_cos\_bucket\_default\_retention\_days](#input\_flow\_logs\_cos\_bucket\_default\_retention\_days) | The number of days that an object can remain unmodified in the flow logs cloud object storage bucket. | `number` | `90` | no | -| [flow\_logs\_cos\_bucket\_enable\_object\_versioning](#input\_flow\_logs\_cos\_bucket\_enable\_object\_versioning) | Set it to true if object versioning is enabled so that multiple versions of an object are retained in the flow logs cloud object storage bucket. Cannot be used if `flow_logs_cos_bucket_enable_retention` is true. | `bool` | `false` | no | -| [flow\_logs\_cos\_bucket\_enable\_permanent\_retention](#input\_flow\_logs\_cos\_bucket\_enable\_permanent\_retention) | Whether permanent retention status is enabled for the flow logs cloud object storage bucket. [Learn more](https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-immutable). | `bool` | `false` | no | -| [flow\_logs\_cos\_bucket\_enable\_retention](#input\_flow\_logs\_cos\_bucket\_enable\_retention) | Set to true to enable retention for the flow logs cloud object storage bucket. | `bool` | `false` | no | -| [flow\_logs\_cos\_bucket\_expire\_days](#input\_flow\_logs\_cos\_bucket\_expire\_days) | The number of days before the expire rule action takes effect for the flow logs cloud object storage bucket. | `number` | `366` | no | -| [flow\_logs\_cos\_bucket\_maximum\_retention\_days](#input\_flow\_logs\_cos\_bucket\_maximum\_retention\_days) | The maximum number of days that an object can be kept unmodified in the flow logs cloud object storage. | `number` | `350` | no | -| [flow\_logs\_cos\_bucket\_minimum\_retention\_days](#input\_flow\_logs\_cos\_bucket\_minimum\_retention\_days) | The minimum number of days that an object must be kept unmodified in the flow logs cloud object storage. | `number` | `90` | no | -| [flow\_logs\_cos\_bucket\_name](#input\_flow\_logs\_cos\_bucket\_name) | Name of the Cloud Object Storage bucket to be created to collect VPC flow logs. | `string` | `"flow-logs-bucket"` | no | -| [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes | -| [ibmcloud\_kms\_api\_key](#input\_ibmcloud\_kms\_api\_key) | The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance. If not specified, the 'ibmcloud\_api\_key' variable is used. Specify this key if the instance in `existing_kms_instance_crn` is in an account that's different from the Cloud Object Storage instance. Leave this input empty if the same account owns both instances. | `string` | `null` | no | -| [kms\_encryption\_enabled\_bucket](#input\_kms\_encryption\_enabled\_bucket) | Set to true to encrypt the Cloud Object Storage Flow Logs bucket with a KMS key. If set to true, a value must be passed for existing\_flow\_logs\_bucket\_kms\_key\_crn (to use that key) or existing\_kms\_instance\_crn (to create a new key). Value cannot be set to true if enable\_vpc\_flow\_logs is set to false. | `bool` | `false` | no | -| [kms\_endpoint\_type](#input\_kms\_endpoint\_type) | The type of endpoint to use for communicating with the KMS. Possible values: `public`, `private`. Applies only if `existing_flow_logs_bucket_kms_key_crn` is not specified. | `string` | `"private"` | no | -| [kms\_key\_name](#input\_kms\_key\_name) | The name of the key to encrypt the flow logs Cloud Object Storage bucket. If an existing key is used, this variable is not required. If the prefix input variable is passed, the name of the key is prefixed to the value in the `-value` format. | `string` | `"flow-logs-cos-key"` | no | -| [kms\_key\_ring\_name](#input\_kms\_key\_ring\_name) | The name of the key ring to create for the Cloud Object Storage bucket key. If an existing key is used, this variable is not required. If the prefix input variable is passed, the name of the key ring is prefixed to the value in the `-value` format. | `string` | `"flow-logs-cos-key-ring"` | no | -| [management\_endpoint\_type\_for\_bucket](#input\_management\_endpoint\_type\_for\_bucket) | The type of endpoint for the IBM Terraform provider to use to manage Cloud Object Storage buckets (`public`, `private`, or `direct`). If you are using a private endpoint, make sure that you enable virtual routing and forwarding (VRF) in your account, and that the Terraform runtime can access the IBM Cloud Private network. | `string` | `"direct"` | no | -| [network\_acls](#input\_network\_acls) | The list of ACLs to create. Provide at least one rule for each ACL. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#network-acls-). | 
list(
    object({
      name                         = string
      add_ibm_cloud_internal_rules = optional(bool)
      add_vpc_connectivity_rules   = optional(bool)
      prepend_ibm_rules            = optional(bool)
      rules = list(
        object({
          name        = string
          action      = string
          destination = string
          direction   = string
          source      = string
          tcp = optional(
            object({
              port_max        = optional(number)
              port_min        = optional(number)
              source_port_max = optional(number)
              source_port_min = optional(number)
            })
          )
          udp = optional(
            object({
              port_max        = optional(number)
              port_min        = optional(number)
              source_port_max = optional(number)
              source_port_min = optional(number)
            })
          )
          icmp = optional(
            object({
              type = optional(number)
              code = optional(number)
            })
          )
        })
      )
    })
  )
| 
[
  {
    "add_ibm_cloud_internal_rules": true,
    "add_vpc_connectivity_rules": true,
    "name": "vpc-acl",
    "prepend_ibm_rules": true,
    "rules": [
      {
        "action": "allow",
        "destination": "0.0.0.0/0",
        "direction": "inbound",
        "name": "allow-22-inbound",
        "source": "0.0.0.0/0",
        "tcp": {
          "port_max": 22,
          "port_min": 22
        }
      },
      {
        "action": "allow",
        "destination": "0.0.0.0/0",
        "direction": "outbound",
        "name": "allow-22-inbound-response",
        "source": "0.0.0.0/0",
        "tcp": {
          "source_port_max": 22,
          "source_port_min": 22
        }
      },
      {
        "action": "allow",
        "destination": "0.0.0.0/0",
        "direction": "inbound",
        "name": "allow-80-inbound",
        "source": "0.0.0.0/0",
        "tcp": {
          "port_max": 80,
          "port_min": 80
        }
      },
      {
        "action": "allow",
        "destination": "0.0.0.0/0",
        "direction": "outbound",
        "name": "allow-80-inbound-response",
        "source": "0.0.0.0/0",
        "tcp": {
          "source_port_max": 80,
          "source_port_min": 80
        }
      },
      {
        "action": "allow",
        "destination": "0.0.0.0/0",
        "direction": "inbound",
        "name": "allow-443-inbound",
        "source": "0.0.0.0/0",
        "tcp": {
          "port_max": 443,
          "port_min": 443
        }
      },
      {
        "action": "allow",
        "destination": "0.0.0.0/0",
        "direction": "outbound",
        "name": "allow-443-inbound-response",
        "source": "0.0.0.0/0",
        "tcp": {
          "source_port_max": 443,
          "source_port_min": 443
        }
      }
    ]
  }
]
| no | -| [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To skip using a prefix, set this value to null or an empty string. **Important:** Changing the prefix after initial deployment will cause Terraform to plan destruction and recreation of resources. Changing the prefix should be treated as provisioning a new environment, not renaming existing resources. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md). | `string` | n/a | yes | -| [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no | -| [region](#input\_region) | The region to provision all resources in. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/region) about how to select different regions for different services. | `string` | `"us-south"` | no | -| [resource\_tags](#input\_resource\_tags) | The list of tags to add to the VPC instance. | `list(string)` | `[]` | no | -| [routes](#input\_routes) | Allows you to specify the next hop for packets based on their destination address. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#routes-). | 
list(
    object({
      name                          = string
      route_direct_link_ingress     = optional(bool)
      route_transit_gateway_ingress = optional(bool)
      route_vpc_zone_ingress        = optional(bool)
      routes = optional(
        list(
          object({
            action      = optional(string)
            zone        = number
            destination = string
            next_hop    = string
          })
      ))
    })
  )
| `[]` | no | -| [security\_group\_rules](#input\_security\_group\_rules) | A list of security group rules to be added to the default vpc security group (default empty). [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#security-group-rules-). | 
list(
    object({
      name       = string
      direction  = string
      remote     = optional(string)
      local      = optional(string)
      ip_version = optional(string)
      tcp = optional(
        object({
          port_max = optional(number)
          port_min = optional(number)
        })
      )
      udp = optional(
        object({
          port_max = optional(number)
          port_min = optional(number)
        })
      )
      icmp = optional(
        object({
          type = optional(number)
          code = optional(number)
        })
      )
    })
  )
| `[]` | no | -| [skip\_cos\_kms\_iam\_auth\_policy](#input\_skip\_cos\_kms\_iam\_auth\_policy) | To skip creating an IAM authorization policy that allows Cloud Object Storage(COS) to access KMS key. | `bool` | `false` | no | -| [skip\_vpc\_cos\_iam\_auth\_policy](#input\_skip\_vpc\_cos\_iam\_auth\_policy) | To skip creating an IAM authorization policy that allows the VPC to access the Cloud Object Storage, set this variable to `true`. Required only if `enable_vpc_flow_logs` is set to true. | `bool` | `false` | no | -| [subnets](#input\_subnets) | List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addresses. Public gateways will be enabled only in zones where a gateway has been created. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#subnets-). | 
object({
    zone-1 = list(object({
      name           = string
      cidr           = string
      public_gateway = optional(bool)
      acl_name       = string
      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
      subnet_tags    = optional(list(string), [])
    }))
    zone-2 = optional(list(object({
      name           = string
      cidr           = string
      public_gateway = optional(bool)
      acl_name       = string
      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
      subnet_tags    = optional(list(string), [])
    })))
    zone-3 = optional(list(object({
      name           = string
      cidr           = string
      public_gateway = optional(bool)
      acl_name       = string
      no_addr_prefix = optional(bool, false) # do not automatically add address prefix for subnet, overrides other conditions if set to true
      subnet_tags    = optional(list(string), [])
    })))
  })
| 
{
  "zone-1": [
    {
      "acl_name": "vpc-acl",
      "cidr": "10.10.10.0/24",
      "name": "subnet-a",
      "no_addr_prefix": false,
      "public_gateway": true
    }
  ],
  "zone-2": [
    {
      "acl_name": "vpc-acl",
      "cidr": "10.20.10.0/24",
      "name": "subnet-b",
      "no_addr_prefix": false,
      "public_gateway": true
    }
  ],
  "zone-3": [
    {
      "acl_name": "vpc-acl",
      "cidr": "10.30.10.0/24",
      "name": "subnet-c",
      "no_addr_prefix": false,
      "public_gateway": true
    }
  ]
}
| no | -| [vpc\_name](#input\_vpc\_name) | Name of the VPC. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"vpc"` | no | -| [vpe\_gateway\_cloud\_service\_by\_crn](#input\_vpe\_gateway\_cloud\_service\_by\_crn) | The list of cloud service CRNs used to create endpoint gateways. Use this list to identify services that are not supported by service name in the `cloud_services` variable. For a list of supported services, see [VPE-enabled services](https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-supported-services). If `service_name` is not specified, the CRN is used to find the name. If `vpe_name` is not specified in the list, VPE names are created in the format `--`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#vpe-gateway-cloud-service-by-crn-). | 
set(
    object({
      crn                         = string
      vpe_name                    = optional(string) # Full control on the VPE name. If not specified, the VPE name will be computed based on prefix, vpc name and service name.
      service_name                = optional(string) # Name of the service used to compute the name of the VPE. If not specified, the service name will be obtained from the crn.
      dns_resolution_binding_mode = optional(string, "primary")
    })
  )
| `[]` | no | -| [vpe\_gateway\_cloud\_services](#input\_vpe\_gateway\_cloud\_services) | The list of cloud services used to create endpoint gateways. If `vpe_name` is not specified in the list, VPE names are created in the format `--`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#vpe-gateway-cloud-services-). | 
set(object({
    service_name                = string
    vpe_name                    = optional(string), # Full control on the VPE name. If not specified, the VPE name will be computed based on prefix, vpc name and service name.
    dns_resolution_binding_mode = optional(string, "disabled")
  }))
| `[]` | no | -| [vpe\_gateway\_reserved\_ips](#input\_vpe\_gateway\_reserved\_ips) | Map of existing reserved IP names and values. Leave this value as default if you want to create new reserved ips, this value is used when a user passes their existing reserved ips created here and not attempt to recreate those. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#reserved-ips-). | 
object({
    name = optional(string) # reserved ip name
  })
| `{}` | no | -| [vpe\_gateway\_security\_group\_ids](#input\_vpe\_gateway\_security\_group\_ids) | List of security group ids to attach to each endpoint gateway. | `list(string)` | `null` | no | -| [vpe\_gateway\_service\_endpoints](#input\_vpe\_gateway\_service\_endpoints) | Service endpoints to use to create endpoint gateways. Can be `public`, or `private`. | `string` | `"private"` | no | -| [vpn\_gateways](#input\_vpn\_gateways) | List of VPN Gateways to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#vpn-gateways-). | 
list(
    object({
      name           = string
      subnet_name    = string # Do not include prefix, use same name as in `var.subnets`
      mode           = optional(string)
      resource_group = optional(string)
      access_tags    = optional(list(string), [])
    })
  )
| `[]` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [default\_routing\_table](#output\_default\_routing\_table) | The default routing table ID and name that is created along with the VPC. | -| [network\_acls](#output\_network\_acls) | List of shortnames and IDs of network ACLs. | -| [next\_step\_primary\_label](#output\_next\_step\_primary\_label) | Primary label | -| [next\_step\_primary\_url](#output\_next\_step\_primary\_url) | Primary URL | -| [next\_step\_secondary\_label](#output\_next\_step\_secondary\_label) | Secondary label | -| [next\_step\_secondary\_url](#output\_next\_step\_secondary\_url) | Secondary URL | -| [next\_steps\_text](#output\_next\_steps\_text) | Next steps text | -| [private\_path\_subnet\_id](#output\_private\_path\_subnet\_id) | The IDs of the subnets. | -| [public\_gateways](#output\_public\_gateways) | Map of the public gateways by zone. | -| [routing\_table\_ids](#output\_routing\_table\_ids) | List of routing table IDs created by this module. | -| [routing\_table\_routes](#output\_routing\_table\_routes) | List of routing table routes created by this module. | -| [security\_group\_details](#output\_security\_group\_details) | Details of security group. | -| [subnet\_detail\_list](#output\_subnet\_detail\_list) | A list of subnets containing names, CIDR blocks, and zones. | -| [subnet\_detail\_map](#output\_subnet\_detail\_map) | A map of subnets containing IDs, CIDR blocks, and zones. | -| [subnet\_ids](#output\_subnet\_ids) | The IDs of the subnets. | -| [subnet\_zone\_list](#output\_subnet\_zone\_list) | A list of subnet IDs and subnet zones. | -| [vpc\_crn](#output\_vpc\_crn) | CRN of the VPC created. | -| [vpc\_flow\_logs](#output\_vpc\_flow\_logs) | Details of the VPC flow logs collector. | -| [vpc\_id](#output\_vpc\_id) | ID of the VPC created. | -| [vpc\_name](#output\_vpc\_name) | Name of the VPC created. | -| [vpe\_crn](#output\_vpe\_crn) | The CRN of the endpoint gateway. | -| [vpe\_ips](#output\_vpe\_ips) | The reserved IPs for endpoint gateways. | -| [vpn\_gateways\_data](#output\_vpn\_gateways\_data) | Details of VPN gateways data. | -| [vpn\_gateways\_name](#output\_vpn\_gateways\_name) | List of names of VPN gateways. | - \ No newline at end of file