
Create Virtual Private Endpoint Gateways across VPC subnets.


IBM Virtual Private Endpoint Gateway module


This module creates and configures virtual private endpoint gateways (https://cloud.ibm.com/docs/vpc?topic=vpc-ordering-endpoint-gateway) for an IBM Cloud service.

The module supports the following actions:

  • Create virtual private endpoint gateways
  • Create reserved IP addresses
  • Attach endpoint gateways to reserved IP addresses

Known provider issues

An IBM provider issue has been raised that affects this module. When you change the name of the reserved IP addresses for the VPE gateways, the outputs of this module may not be updated in the Terraform state file. If this happens, run terraform apply -refresh-only to update the Terraform state.

Overview

  • terraform-ibm-vpe-gateway

Usage

provider "ibm" {
  ibmcloud_api_key = "XXXXXXXXXX" # pragma: allowlist secret
  region           = "us-south"
}

# Creates:
# - VPE
module "vpes" {
  source           = "terraform-ibm-modules/vpe-gateway/ibm"
  version          = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  region           = "us-south"
  prefix           = "vpe"
  vpc_name         = "my-vpc-instance"
  vpc_id           = "r022-ae2a6785-gd62-7d4j-af62-b4891e949345"
  subnet_zone_list = [
    {
      id             = "0757-b21b9565-bc4c-4847-bc6f-277ecd0a7cf6"
      name           = "subnet-1"
      cidr           = "10.0.10.0/24"
      public_gateway = true
      acl_name       = "acl"
      zone           = "zone-1"
    },
    {
      id             = "0757-b21b9565-bc4c-4847-bc6f-277ecd0a7cf6"
      name           = "subnet-2"
      cidr           = "10.0.11.0/24"
      acl_name       = "acl"
      public_gateway = null
      zone           = "zone-2"
    }
  ]
  resource_group_id  = "00ae4b38253f43a3acd14619dd385632" # pragma: allowlist secret
  security_group_ids = ["r014-2d4f8cd6-6g3s-4ab5-ac3f-8fc717ce2a1f"]
  cloud_services = [
    {
      service_name = "kms"
    },
    {
      service_name = "cloud-object-storage"
    }
  ]
  cloud_service_by_crn = [
    {
      crn = "crn:v1:bluemix:public:databases-for-postgresql:us-south:a/abac0df06b644a9cabc6e44f55b3880d:93f97b1a-fe35-4f17-a8be-ecf197a36bed::"
    }
  ]
  service_endpoints = "private"
}
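The usage block above attaches the gateways to a pre-existing security group by ID. As an added example that is not part of this README or of the module's own code, the configuration below creates a dedicated security group that only admits HTTPS from the workload subnets, passes it through security_group_ids, and derives the names the module will assign from the documented <prefix>-<vpc_name>-<service_name> format so they can be checked against the plan. The ibm_is_security_group and ibm_is_security_group_rule resources are standard IBM provider resources; every ID, CRN and zone value is a constructed placeholder, and the expected_vpe_names local is this example's own computation, not an output of the module.

```hcl
# Added example, not the module's README code. All IDs below are placeholders.

locals {
  prefix   = "vpe"
  vpc_name = "my-vpc-instance"
  vpc_id   = "r022-00000000-0000-0000-0000-000000000000" # placeholder VPC ID
  rg_id    = "00000000000000000000000000000000"          # placeholder resource group ID

  # Same shape as the module's subnet_zone_list input (name, id, zone, cidr).
  subnets = [
    { id = "0757-00000000-0000-0000-0000-000000000001", name = "subnet-1", zone = "us-south-1", cidr = "10.0.10.0/24" },
    { id = "0757-00000000-0000-0000-0000-000000000002", name = "subnet-2", zone = "us-south-2", cidr = "10.0.11.0/24" },
  ]

  cloud_services = [
    # No vpe_name: the module names this one <prefix>-<vpc_name>-<service_name>.
    { service_name = "kms" },
    # Explicit vpe_name overrides the computed name.
    { service_name = "cloud-object-storage", vpe_name = "cos-private-endpoint", allow_dns_resolution_binding = true },
  ]

  # Expected gateway names, reproduced from the naming rule in this README so a
  # reviewer can compare them with the plan output. This is the example's own
  # logic, not something the module exports.
  expected_vpe_names = {
    for cs in local.cloud_services :
    cs.service_name => coalesce(try(cs.vpe_name, null), "${local.prefix}-${local.vpc_name}-${cs.service_name}")
  }
}

# Dedicated security group for the endpoint gateways. Nothing else is attached
# to it, so its rules describe exactly who may reach the reserved IPs.
resource "ibm_is_security_group" "vpe" {
  name           = "${local.prefix}-${local.vpc_name}-sg"
  vpc            = local.vpc_id
  resource_group = local.rg_id
}

# One inbound rule per workload subnet, limited to TCP 443. Services that
# listen on other ports (for example databases) need their own rule.
resource "ibm_is_security_group_rule" "vpe_https_in" {
  for_each  = { for s in local.subnets : s.name => s.cidr }
  group     = ibm_is_security_group.vpe.id
  direction = "inbound"
  remote    = each.value
  tcp {
    port_min = 443
    port_max = 443
  }
}

module "vpes" {
  source  = "terraform-ibm-modules/vpe-gateway/ibm"
  version = "X.X.X" # pin to a release version

  region             = "us-south"
  prefix             = local.prefix
  vpc_name           = local.vpc_name
  vpc_id             = local.vpc_id
  resource_group_id  = local.rg_id
  subnet_zone_list   = local.subnets
  security_group_ids = [ibm_is_security_group.vpe.id]
  service_endpoints  = "private"
  cloud_services     = local.cloud_services
}

output "expected_vpe_names" {
  description = "Gateway names this configuration expects the module to create"
  value       = local.expected_vpe_names
}
```

security_group_ids is the module input that decides which workloads can talk to the endpoint gateways' reserved IPs, so handing it a purpose-built group with subnet-scoped rules keeps the private endpoints private to the workloads that need them instead of inheriting a broader, shared group. Because IBM security groups are stateful, responses to the permitted inbound connections are allowed without an explicit outbound rule.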

Required IAM access policies

You need the following permissions to run this module.

  • Account Management
    • Resource Group service
      • Viewer platform access
  • IAM services
    • VPE Infrastructure services
      • Editor platform access

Requirements

Name       Version
terraform  >=1.3
ibm        >=1.61.0, <2.0.0

Modules

Name  Source                  Version
ip    ./modules/reserved-ips  n/a

Resources

Name                                                    Type
ibm_is_virtual_endpoint_gateway.vpe                     resource
ibm_is_virtual_endpoint_gateway_ip.endpoint_gateway_ip  resource
ibm_is_virtual_endpoint_gateway.vpe                     data source

Inputs

cloud_service_by_crn
  Description: The list of cloud service CRNs used to create endpoint gateways. Use this list to identify services that are not supported by service name in the cloud_services variable. For a list of supported services, see VPE-enabled services. If service_name is not specified, the CRN is used to find the name. If vpe_name is not specified in the list, VPE names are created in the format <prefix>-<vpc_name>-<service_name>. The value that you specify for vpc_name must be known at Terraform plan time.
  Type:
    set(
      object({
        crn                          = string
        vpe_name                     = optional(string) # Full control on the VPE name. If not specified, the VPE name will be computed based on prefix, vpc name and service name.
        service_name                 = optional(string) # Name of the service used to compute the name of the VPE. If not specified, the service name will be obtained from the crn.
        allow_dns_resolution_binding = optional(bool, true)
      })
    )
  Default: []
  Required: no

cloud_services
  Description: The list of cloud services used to create endpoint gateways. If vpe_name is not specified in the list, VPE names are created in the format <prefix>-<vpc_name>-<service_name>. The value that you specify for vpc_name must be known at Terraform plan time.
  Type:
    set(object({
      service_name                 = string
      vpe_name                     = optional(string) # Full control on the VPE name. If not specified, the VPE name will be computed based on prefix, vpc name and service name.
      allow_dns_resolution_binding = optional(bool, false)
    }))
  Default: []
  Required: no

prefix
  Description: The prefix that you would like to append to your resources. The value is only used if no value is passed for the vpe_name option in the cloud_services input variable.
  Type: string
  Default: "vpe"
  Required: no

region
  Description: The region where the VPC and services are deployed.
  Type: string
  Default: "us-south"
  Required: no

reserved_ips
  Description: Map of existing reserved IP names and values. If you wish to create your reserved IPs independently and not create new ones, you can first run the reserved-ips submodule and then copy its reserved_ip_map output here.
  Type:
    object({
      name = optional(string) # reserved ip name
    })
  Default: {}
  Required: no

resource_group_id
  Description: ID of the resource group where endpoint gateways will be provisioned.
  Type: string
  Default: null
  Required: no

security_group_ids
  Description: List of security group IDs to attach to each endpoint gateway.
  Type: list(string)
  Default: null
  Required: no

service_endpoints
  Description: Service endpoints to use to create endpoint gateways. Can be public or private.
  Type: string
  Default: "private"
  Required: no

subnet_zone_list
  Description: List of subnets in the VPC where gateways and reserved IPs will be provisioned. This value is intended to use the subnet_zone_list output from the Landing Zone VPC Subnet Module (https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc) or from templates using that module for subnet creation.
  Type:
    list(
      object({
        name = string
        id   = string
        zone = string
        cidr = optional(string)
      })
    )
  Default: []
  Required: no

vpc_id
  Description: ID of the VPC where the endpoint gateways will be created.
  Type: string
  Default: null
  Required: no

vpc_name
  Description: A label that can be used as a short name for virtual private endpoints. If vpe_name is not specified in the cloud_services or cloud_service_by_crn input variable lists, VPE names are created in the format <prefix>-<vpc_name>-<service_name>. The value that you specify for vpc_name must be known at Terraform plan time.
  Type: string
  Default: "vpc"
  Required: no

Outputs

Name     Description
crn      The CRN of the endpoint gateway
vpe_ips  The endpoint gateway reserved IPs

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.