fix: fix issue preventing destroy of vpn routes (#46)
Showing
38 changed files
with
655 additions
and
250 deletions.
@@ -0,0 +1,5 @@ | ||
# More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml | ||
version: "v1" | ||
CRA_TARGETS: | ||
- CRA_TARGET: "examples/ha-complete" # Target directory for CRA scan. If not provided, the CRA Scan will not be run. | ||
CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json` |
@@ -0,0 +1,3 @@ | ||
{ | ||
"scc_rules": [] | ||
} |
@@ -0,0 +1,12 @@ | ||
# Basic example creating a standalone VPN server | ||
|
||
Requirements: | ||
- An existing Secrets Manager instance configured with the private cert engine | ||
- A Certificate Template in the Secrets Manager instance to use for private cert creation. | ||
|
||
This example will: | ||
- Create a new resource group if one is not passed in. | ||
- Create a new secret group in the Secrets Manager instance provided. | ||
- Create a new private cert and place it in a secret in the newly created secret group. | ||
- Create a new VPC in the resource group and region provided. | ||
- Create a standalone VPN server |
@@ -0,0 +1,99 @@ | ||
######################################################################################################################## | ||
# Resource Group | ||
######################################################################################################################## | ||
|
||
module "resource_group" { | ||
source = "terraform-ibm-modules/resource-group/ibm" | ||
version = "1.0.6" | ||
# if an existing resource group is not set (null) create a new one using prefix | ||
resource_group_name = var.resource_group == null ? "${var.prefix}-resource-group" : null | ||
existing_resource_group_name = var.resource_group | ||
} | ||
|
||
######################################################################################################################## | ||
## Generate Private Cert using Secrets Manager | ||
######################################################################################################################## | ||
|
||
# Create a secret group to place the certificate in | ||
module "secrets_manager_group" { | ||
source = "terraform-ibm-modules/secrets-manager-secret-group/ibm" | ||
version = "1.0.0" | ||
region = var.secrets_manager_region | ||
secrets_manager_guid = var.secrets_manager_guid | ||
secret_group_name = "${var.prefix}-certs" | ||
secret_group_description = "A secret group to store private certs" | ||
providers = { | ||
ibm = ibm.ibm-sm | ||
} | ||
} | ||
|
||
# Create the private cert | ||
module "secrets_manager_private_certificate" { | ||
source = "terraform-ibm-modules/secrets-manager-private-cert/ibm" | ||
version = "1.0.1" | ||
cert_name = "${var.prefix}-cts-vpn-private-cert" | ||
cert_description = "an example private cert" | ||
cert_template = var.certificate_template_name | ||
cert_secrets_group_id = module.secrets_manager_group.secret_group_id | ||
cert_common_name = "example.com" | ||
secrets_manager_guid = var.secrets_manager_guid | ||
secrets_manager_region = var.secrets_manager_region | ||
providers = { | ||
ibm = ibm.ibm-sm | ||
} | ||
} | ||
|
||
######################################################################################################################## | ||
## VPC | ||
######################################################################################################################## | ||
|
||
# Minimal VPC for illustration purpose: 1 subnet across 1 availability zone | ||
module "basic_vpc" { | ||
source = "terraform-ibm-modules/landing-zone-vpc/ibm" | ||
version = "7.3.1" | ||
resource_group_id = module.resource_group.resource_group_id | ||
region = var.region | ||
name = "vpc" | ||
prefix = var.prefix | ||
tags = var.resource_tags | ||
enable_vpc_flow_logs = false | ||
use_public_gateways = { | ||
zone-1 = false | ||
zone-2 = false | ||
zone-3 = false | ||
} | ||
subnets = { | ||
zone-1 = [ | ||
{ | ||
name = "subnet-a" | ||
cidr = "10.10.10.0/24" | ||
public_gateway = false | ||
acl_name = "vpc-acl" | ||
} | ||
], | ||
zone-2 = [] | ||
zone-3 = [] | ||
} | ||
} | ||
|
||
data "ibm_is_vpc" "basic_vpc" { | ||
depends_on = [module.basic_vpc] # Explicit "depends_on" here to wait for the full subnet creations | ||
identifier = module.basic_vpc.vpc_id | ||
} | ||
|
||
######################################################################################################################## | ||
## VPN | ||
######################################################################################################################## | ||
|
||
module "vpn" { | ||
source = "../.." | ||
server_cert_crn = module.secrets_manager_private_certificate.secret_crn | ||
vpn_gateway_name = "${var.prefix}-c2s-vpn" | ||
resource_group_id = module.resource_group.resource_group_id | ||
subnet_ids = slice([for subnet in data.ibm_is_vpc.basic_vpc.subnets : subnet["id"]], 0, 1) | ||
create_policy = var.create_policy | ||
vpn_client_access_group_users = var.vpn_client_access_group_users | ||
access_group_name = "${var.prefix}-access-group" | ||
secrets_manager_id = var.secrets_manager_guid | ||
vpn_server_routes = var.vpn_server_routes | ||
} |
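Review bot: `enable_vpc_flow_logs = false` in the `basic_vpc` module call is set without any explanation, and since this example is also the CRA scan target named in the new cra-config.yaml, a reader cannot tell whether flow logs were disabled deliberately to keep the example minimal or were simply overlooked. I would add `# Flow logs disabled only to keep the example minimal; enable them (and a COS target) for any non-demo deployment` above that line. The same applies to `cert_common_name = "example.com"` in `secrets_manager_private_certificate`, which is a hard-coded placeholder that could be surfaced as an example variable or at least commented as demo-only. Both the VPC and the VPN sections are otherwise pinned to explicit module versions, which is good.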
@@ -0,0 +1,10 @@ | ||
provider "ibm" { | ||
ibmcloud_api_key = var.ibmcloud_api_key | ||
region = var.secrets_manager_region | ||
alias = "ibm-sm" | ||
} | ||
|
||
provider "ibm" { | ||
ibmcloud_api_key = var.ibmcloud_api_key | ||
region = var.region | ||
} |
@@ -0,0 +1,70 @@ | ||
variable "ibmcloud_api_key" { | ||
type = string | ||
description = "API key that is associated with the account to use." | ||
sensitive = true | ||
} | ||
|
||
variable "region" { | ||
type = string | ||
description = "Region to provision all resources created by this example." | ||
default = "us-south" | ||
} | ||
|
||
variable "prefix" { | ||
type = string | ||
description = "Prefix to append to all resources created by this example" | ||
default = "tf-ibm" | ||
} | ||
|
||
variable "resource_group" { | ||
type = string | ||
description = "Name of the resource group to use for this example. If not set, a resource group is created." | ||
default = null | ||
} | ||
|
||
variable "resource_tags" { | ||
type = list(string) | ||
description = "Optional list of tags to add to the created resources." | ||
default = [] | ||
} | ||
|
||
variable "secrets_manager_guid" { | ||
type = string | ||
description = "Existing Secrets Manager GUID. The existing Secret Manager instance must have private certificate engine configured." | ||
} | ||
|
||
variable "secrets_manager_region" { | ||
type = string | ||
description = "The region in which the Secrets Manager instance exists." | ||
} | ||
|
||
variable "certificate_template_name" { | ||
type = string | ||
description = "Name of an existing Certificate Template in the Secrets Manager instance to use for private cert creation." | ||
} | ||
|
||
variable "create_policy" { | ||
description = "Set to true to create a new access group (using the value of var.access_group_name) with a VPN Client role" | ||
type = bool | ||
default = true | ||
} | ||
|
||
variable "vpn_client_access_group_users" { | ||
description = "List of users in the Client to Site VPN Access Group" | ||
type = list(string) | ||
default = [] | ||
} | ||
|
||
variable "vpn_server_routes" { | ||
type = map(object({ | ||
destination = string | ||
action = string | ||
})) | ||
description = "Map of server routes to be added to created VPN server." | ||
default = { | ||
"vpc-10" = { | ||
destination = "10.0.0.0/8" | ||
action = "deliver" | ||
} | ||
} | ||
} |
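Review bot: `vpn_server_routes` accepts any string for `action` and `destination`, so a typo such as `"delivr"` or a malformed CIDR is only caught at apply time, after the VPN server has already been created, which is the kind of partially-applied state the commit title suggests was hard to destroy. Adding `validation` blocks to the variable lets `terraform plan` reject bad input up front; the accepted action values are, as far as I recall from the IBM VPN server route API, `translate`, `deliver` and `drop` — confirm against the provider docs before pinning the list. The default route of `10.0.0.0/8` with `deliver` is very broad for an example; a one-line comment saying it is illustrative would help.
```hcl
variable "vpn_server_routes" {
  # … unchanged: type, description, default …
  validation {
    condition     = alltrue([for r in var.vpn_server_routes : contains(["translate", "deliver", "drop"], r.action)])
    error_message = "Each route action must be one of: translate, deliver, drop."
  }
  validation {
    condition     = alltrue([for r in var.vpn_server_routes : can(cidrhost(r.destination, 0))])
    error_message = "Each route destination must be a valid CIDR block."
  }
}
```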