diff --git a/.secrets.baseline b/.secrets.baseline
index 1028e0c5..8ff176e5 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "go.sum|^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2025-10-04T03:51:30Z",
+ "generated_at": "2025-10-20T10:40:25Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 84da07e5..4e62c2d4 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -59,41 +59,130 @@
 "dependency_version_2": true,
 "dependencies": [
 {
- "flavors": [
- "standard"
- ],
- "id": "95fccffc-ae3b-42df-b6d9-80be5914d852-global",
- "name": "deploy-arch-ibm-slz-ocp",
- "version": ">=1.0.0",
- "optional": true
- },
- {
- "flavors": [
- "standard"
- ],
- "id": "9fc0fa64-27af-4fed-9dce-47b3640ba739-global",
 "name": "deploy-arch-ibm-slz-vpc",
- "version": ">=1.0.0",
- "optional": true
- },
- {
+ "description": "Configure the VPC and subnets required to deploy VPN Server.",
+ "id": "9fc0fa64-27af-4fed-9dce-47b3640ba739-global",
+ "version": "v8.7.0",
 "flavors": [
- "standard"
+ "fully-configurable"
 ],
- "id": "ef663980-4c71-4fac-af4f-4a510a9bcf68-global",
- "name": "deploy-arch-ibm-slz-vsi",
- "version": ">=1.0.0",
- "optional": true
+ "catalog_id": "1082e7d2-5e2f-0a11-a3bc-f88a8e1931fc",
+ "optional": true,
+ "on_by_default": true,
+ "input_mapping": [
+ {
+ "dependency_input": "prefix",
+ "version_input": "prefix",
+ "reference_version": true
+ },
+ {
+ "dependency_input": "existing_resource_group_name",
+ "version_input": "existing_resource_group_name",
+ "reference_version": true
+ },
+ {
+ "dependency_input": "region",
+ "version_input": "region",
+ "reference_version": true
+ },
+ {
+ "dependency_output": "subnet_ids",
+ "version_input": "existing_subnet_ids"
+ },
+ {
+ "dependency_output": "vpc_crn",
+ "version_input": "existing_vpc_crn"
+ },
+ {
+ "dependency_input": "subnets",
+ "version_input": "subnets",
+ "reference_version": true
+ },
+ {
+ "dependency_input": "network_acls",
+ "version_input": "network_acls",
+ "reference_version": true
+ }
+ ]
 },
 {
+ "name": "deploy-arch-secrets-manager-private-cert",
+ "description": "Configures secrets manager instance, private certificate engine and VPN server certificate. 
Client certificate will not get created and will have to be created manually.",
+ "id": "422283a7-9cb2-4149-8093-a36a799e1d27-global",
+ "version": "v1.7.0",
 "flavors": [
 "fully-configurable"
 ],
 "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3",
- "id": "6d6ebc76-7bbd-42f5-8bc7-78f4fabd5944-global",
- "name": "deploy-arch-ibm-secrets-manager",
- "version": ">=1.0.0",
- "optional": true
+ "optional": true,
+ "on_by_default": true,
+ "ignore_auto_referencing": [
+ "*"
+ ],
+ "input_mapping": [
+ {
+ "dependency_input": "prefix",
+ "version_input": "prefix",
+ "reference_version": true
+ },
+ {
+ "dependency_output": "secrets_manager_crn",
+ "version_input": "existing_secrets_manager_instance_crn"
+ },
+ {
+ "dependency_input": "prefix",
+ "version_input": "prefix",
+ "reference_version": true
+ },
+ {
+ "dependency_input": "secrets_manager_region",
+ "version_input": "region",
+ "reference_version": true
+ },
+ {
+ "dependency_input": "secrets_manager_service_plan",
+ "version_input": "secrets_manager_service_plan",
+ "reference_version": true
+ },
+ {
+ "dependency_input": "root_ca_name",
+ "version_input": "root_ca_name",
+ "reference_version": true
+ },
+ {
+ "dependency_input": "root_ca_common_name",
+ "version_input": "root_ca_common_name",
+ "reference_version": true
+ },
+ {
+ "dependency_input": "intermediate_ca_name",
+ "version_input": "intermediate_ca_name",
+ "reference_version": true
+ },
+ {
+ "dependency_input": "intermediate_ca_common_name",
+ "version_input": "intermediate_ca_common_name",
+ "reference_version": true
+ },
+ {
+ "dependency_input": "certificate_template_name",
+ "version_input": "certificate_template_name",
+ "reference_version": true
+ },
+ {
+ "dependency_input": "template_max_ttl",
+ "version_input": "template_max_ttl",
+ "reference_version": true
+ },
+ {
+ "version_input": "enable_certificate_auth",
+ "value": false
+ },
+ {
+ "dependency_output": "secret_crn",
+ "version_input": "existing_secrets_manager_cert_crn"
+ }
+ ]
 }
],
 "configuration": [
@@ -102,10 +191,15 @@
 },
 {
 "key": "prefix",
+ "required": true,
+ "default_value": "dev",
+ "random_string": {
+ "length": 4
+ },
 "value_constraints": [
 {
 "type": "regex",
- "description": "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It must not end with a hyphen ('-'), and cannot contain consecutive hyphens ('--'). It should not exceed 16 characters.",
+ "description": "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--'). It should not exceed 16 characters.",
 "value": "^$|^__NULL__$|^[a-z](?!.*--)(?:[a-z0-9-]{0,14}[a-z0-9])?$"
 }
 ]
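Review bot: The `input_mapping` of the new `deploy-arch-secrets-manager-private-cert` dependency maps `prefix` → `prefix` twice (once before and once after the `secrets_manager_crn` output mapping); drop the duplicate so the list stays unambiguous. The `{ "version_input": "enable_certificate_auth", "value": false }` entry pins an auth-related setting to `false` with no `dependency_input` and, JSON carrying no comments, no rationale; the dependency `description` is the only place to explain it, e.g. append `Certificate-based client authentication is not enabled by this mapping.` — assuming that is what the entry does, which this file alone does not confirm. The VPC dependency is also pinned to `v8.7.0` where it used to accept `>=1.0.0`, so future VPC DA releases will need a manual bump here; worth a line in the commit message.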
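Review bot: The only change to the `prefix` regex description is the dropped space in `hyphen ('-')`, which becomes `hyphen('-')` and reads as a typo rather than an intended edit; restore `It must not end with a hyphen ('-'), and cannot contain consecutive hyphens ('--').`. The new `"default_value": "dev"` with `"random_string": { "length": 4 }` presumably appends a 4-character suffix, which fits the 16-character limit enforced by the regex, but whether the suffix is lowercase alphanumeric (as the regex requires) is not visible in this file and should be confirmed.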
@@ -124,9 +218,66 @@
 "config_constraints": {
 "identifier": "rg_name"
 }
+ }
+ },
+ {
+ "key": "region",
+ "required": true,
+ "type": "string",
+ "custom_config": {
+ "config_constraints": {
+ "generationType": "2"
+ },
+ "grouping": "deployment",
+ "original_grouping": "deployment",
+ "type": "vpc_region"
 },
- "default_value": "Default",
- "description": "The name of an existing resource group to provision the resources."
+ "description": "Region in which all resources will be deployed. [Learn More](https://terraform-ibm-modules.github.io/documentation/#/region).",
+ "virtual": true,
+ "default_value": "us-south"
+ },
+ {
+ "key": "subnets",
+ "default_value": "{\n zone-1 = [\n {\n name = \"subnet-a\"\n cidr = \"10.10.10.0/24\"\n public_gateway = true\n acl_name = \"vpc-acl\"\n no_addr_prefix = false\n }\n ],\n zone-2 = [\n {\n name = \"subnet-b\"\n cidr = \"10.20.10.0/24\"\n public_gateway = true\n acl_name = \"vpc-acl\"\n no_addr_prefix = false\n }\n ],\n zone-3 = []\n }",
+ "description": "List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addresses. Public gateways will be enabled only in zones where a gateway has been created. 
[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#subnets-).",
+ "required": false,
+ "virtual": true,
+ "custom_config": {
+ "grouping": "deployment",
+ "original_grouping": "deployment",
+ "type": "code_editor"
+ }
+ },
+ {
+ "key": "network_acls",
+ "type": "list(object)",
+ "default_value": "[\n {\n name = \"vpc-acl\"\n add_ibm_cloud_internal_rules = true\n add_vpc_connectivity_rules = true\n prepend_ibm_rules = true\n rules = [\n {\n name = \"allow-all-443-inbound\"\n action = \"allow\"\n direction = \"inbound\"\n tcp = {\n port_min = 443\n port_max = 443\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n },\n {\n name = \"allow-all-80-inbound\"\n action = \"allow\"\n direction = \"inbound\"\n tcp = {\n port_min = 80\n port_max = 80\n source_port_min = 80\n source_port_max = 80\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n },\n {\n name = \"allow-all-ingress-inbound\"\n action = \"allow\"\n direction = \"inbound\"\n tcp = {\n source_port_min = 30000\n source_port_max = 32767\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n },\n {\n name = \"allow-all-443-outbound\"\n action = \"allow\"\n direction = \"outbound\"\n tcp = {\n source_port_min = 443\n source_port_max = 443\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n },\n {\n name = \"allow-all-80-outbound\"\n action = \"allow\"\n direction = \"outbound\"\n tcp = {\n source_port_min = 80\n source_port_max = 80\n port_min = 80\n port_max = 80\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n },\n {\n name = \"allow-all-ingress-outbound\"\n action = \"allow\"\n direction = \"outbound\"\n tcp = {\n port_min = 30000\n port_max = 32767\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n },\n {\n name = \"allow-udp-80-443-inbound\"\n action = \"allow\"\n direction = \"inbound\"\n udp = {\n port_min = 80\n port_max = 443\n }\n destination = \"0.0.0.0/0\"\n source = 
\"0.0.0.0/0\"\n },\n {\n name = \"allow-udp-all-outbound\"\n action = \"allow\"\n direction = \"outbound\"\n udp = {\n port_min = 1\n port_max = 65535\n source_port_min = 1\n source_port_max = 65535\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n }\n ]\n }\n]",
+ "description": "The list of ACLs to create. Provide at least one rule for each ACL. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#network-acls-).",
+ "required": false,
+ "virtual": true,
+ "custom_config": {
+ "type": "code_editor",
+ "grouping": "deployment",
+ "original_grouping": "deployment"
+ }
+ },
+ {
+ "key": "secrets_manager_service_plan",
+ "required": true,
+ "virtual": true,
+ "type": "string",
+ "options": [
+ {
+ "displayname": "Standard",
+ "value": "standard"
+ },
+ {
+ "displayname": "Trial",
+ "value": "trial"
+ }
+ ],
+ "default_value": "standard",
+ "description": "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)."
 },
 {
 "key": "existing_secrets_manager_instance_crn"
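Review bot: The `network_acls` default admits traffic from `0.0.0.0/0` on TCP 443 and 80, on any TCP port when the source port is 30000–32767 (`allow-all-ingress-inbound`), and on UDP 80–443, plus all UDP outbound; the rule names read as inherited from the landing-zone VPC defaults rather than chosen for a VPN server, and every consumer inherits this ACL unless they rewrite the code_editor field. Each default rule should be justified in the `description` (e.g. `Default rules admit the VPN listener ports only; edit to match your client-to-site configuration.`) and any rule this offering does not need removed — which ports the VPN server actually uses is not visible in this file and needs confirming. The `subnets` default also sets `public_gateway = true` in both zones, which the description does not mention. Separately, the new `region` entry reuses the `},` context line of the `existing_resource_group_name` entry, so that entry loses its catalog `default_value` and `description`; this is consistent with the variables.tf change in this commit, but deserves a sentence in the commit message.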
@@ -134,6 +285,54 @@
 {
 "key": "existing_secrets_manager_cert_crn"
 },
+ {
+ "key": "root_ca_name",
+ "type": "string",
+ "required": false,
+ "virtual": true,
+ "default_value": "root-ca",
+ "description": "The name of the Root Certificate Authority you want to create."
+ },
+ {
+ "key": "root_ca_common_name",
+ "type": "string",
+ "required": false,
+ "virtual": true,
+ "default_value": "example-root.com",
+ "description": "The common name of the Root Certificate Authority you want to create."
+ },
+ {
+ "key": "intermediate_ca_name",
+ "type": "string",
+ "required": false,
+ "virtual": true,
+ "default_value": "intermediate-ca",
+ "description": "The name of the Intermediate Certificate Authority you want to create."
+ },
+ {
+ "key": "intermediate_ca_common_name",
+ "type": "string",
+ "required": false,
+ "virtual": true,
+ "default_value": "example-int.com",
+ "description": "The common name of the Intermediate Certificate Authority you want to create."
+ },
+ {
+ "key": "certificate_template_name",
+ "type": "string",
+ "required": false,
+ "virtual": true,
+ "default_value": "template",
+ "description": "The name of the Certificate Template you want to create."
+ },
+ {
+ "key": "template_max_ttl",
+ "type": "string",
+ "required": false,
+ "virtual": true,
+ "default_value": "8760h",
+ "description": "Max TTL for the certificate template you want to create."
+ },
 {
 "key": "private_cert_engine_config_root_ca_common_name"
 },
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 9117223c..11bf1797 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
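Review bot: The new virtual inputs `root_ca_common_name` and friends sit directly above the existing `private_cert_engine_config_root_ca_common_name` key, and their descriptions do not say which offering consumes them, so a user sees two "root CA common name" fields with no way to tell them apart. Each description should name the consumer, e.g. `The common name of the Root Certificate Authority created by the Secrets Manager private certificate dependency.`, matching the `input_mapping` added earlier in this commit. The default common names `example-root.com` and `example-int.com` are placeholder domains and the descriptions should say they are meant to be replaced, and `template_max_ttl` should state the format (`a duration string such as the default 8760h`).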
@@ -33,8 +33,8 @@ variable "prefix" {
 variable "existing_resource_group_name" {
 type = string
- description = "The name of an existing resource group to provision the resources. If not provided the default resource group will be used."
- default = null
+ description = "The name of an existing resource group to provision the resources. [Learn more](https://cloud.ibm.com/docs/account?topic=account-rgs&interface=ui#create_rgs) about how to create a resource group."
+ default = "Default"
 }
 ##############################################################################
@@ -211,10 +211,6 @@ variable "existing_subnet_ids" {
 error_message = "Set 'vpn_subnet_cidr_zone_1' and 'remote_cidr input variables' if 'existing_subnet_ids' input variable is not set."
 }
- validation {
- condition = length(var.existing_subnet_ids) > 0 ? (var.vpn_subnet_cidr_zone_1 == null && var.remote_cidr == null) : true
- error_message = "'vpn_subnet_cidr_zone_1' and 'remote_cidr' input variables can not be set if a 'existing_subnet_ids' input variable is already set"
- }
 }
 variable "client_ip_pool" {
diff --git a/tests/go.mod b/tests/go.mod
index d4f00d42..9a367bec 100644
--- a/tests/go.mod
+++ b/tests/go.mod
@@ -7,7 +7,7 @@ toolchain go1.25.3
 require (
 github.com/gruntwork-io/terratest v0.51.0
 github.com/stretchr/testify v1.11.1
- github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.60.15
+ github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.60.17
 )
 require (
diff --git a/tests/go.sum b/tests/go.sum
index 9d276d30..40652bf9 100644
--- a/tests/go.sum
+++ b/tests/go.sum
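Review bot: Changing the default of `existing_resource_group_name` from `null` to `"Default"` is a behaviour change for callers who relied on the removed sentence "If not provided the default resource group will be used": an account whose default group has been renamed will now look for a group literally called `Default`. The new description should say so, e.g. append `Defaults to the resource group named "Default"; set this if your account's default group has been renamed.` — how the module treats `null` is outside this hunk and should be confirmed before wording it.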
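Review bot: Removing the second `validation` block on `existing_subnet_ids` lets a caller set `existing_subnet_ids` together with `vpn_subnet_cidr_zone_1` and `remote_cidr` with no error, and nothing in the hunk says which input wins. If the removal is needed because the catalog now feeds `existing_subnet_ids` from the VPC dependency while the CIDR inputs keep non-null defaults, record the precedence in the variable's `description`, e.g. `When existing_subnet_ids is set, vpn_subnet_cidr_zone_1 and remote_cidr are ignored.` — after confirming that is what the consuming locals do, as they are not in this diff. The `variable "existing_subnet_ids"` block starts before this hunk.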
@@ -296,8 +296,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.60.15 h1:vTLAB97MQ45Hfla67pIWYnb/Z5YuEzRLjQ6WN4GHWgI=
-github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.60.15/go.mod h1:g0kmBhFk6pVoTmse42tMNCSNktiOYJHAda/pAzOIxco=
+github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.60.17 h1:unGRxvM9OJBTsfDQg/AZCYOeJZ5TqrCsPphjWJ2wI94=
+github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.60.17/go.mod h1:g0kmBhFk6pVoTmse42tMNCSNktiOYJHAda/pAzOIxco=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tmccombs/hcl2json v0.6.4 h1:/FWnzS9JCuyZ4MNwrG4vMrFrzRgsWEOVi+1AyYUVLGw=
 github.com/tmccombs/hcl2json v0.6.4/go.mod h1:+ppKlIW3H5nsAsZddXPy2iMyvld3SHxyjswOZhavRDk=
diff --git a/tests/pr_test.go b/tests/pr_test.go
index b61760ea..c099e66c 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -15,6 +15,7 @@ import (
 "github.com/stretchr/testify/require"
 "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/cloudinfo"
 "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/common"
+ "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testaddons"
 "github.com/stretchr/testify/assert"
 "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
@@ -251,3 +252,56 @@ func TestFullyConfigurableSolutionExistingResources(t *testing.T) {
 logger.Log(t, "END: Destroy (existing resources)")
 }
 }
+
+func TestAddonsDefaultConfiguration(t *testing.T) {
+
+ t.Parallel()
+
+ options := testaddons.TestAddonsOptionsDefault(&testaddons.TestAddonOptions{
+ Testing: t,
+ Prefix: "cts-vpn",
+ QuietMode: false, // Suppress logs except on failure
+ })
+
+ options.AddonConfig = cloudinfo.NewAddonConfigTerraform(
+ options.Prefix,
+ "deploy-arch-ibm-client-to-site-vpn",
+ "fully-configurable",
+ map[string]interface{}{
+ "region": "eu-de",
+ "secrets_manager_service_plan": "trial",
+ },
+ )
+
+ // use existing secrets manager instance to prevent hitting 20 trial instance limit in account
+ options.AddonConfig.Dependencies = []cloudinfo.AddonConfig{
+ {
+ OfferingName: "deploy-arch-ibm-secrets-manager",
+ OfferingFlavor: "fully-configurable",
+ Inputs: map[string]interface{}{
+ "existing_secrets_manager_crn": permanentResources["privateOnlySecMgrCRN"],
+ "service_plan": "__NULL__", // no plan value needed when using existing SM
+ "skip_secrets_manager_iam_auth_policy": true, // since using an existing Secrets Manager instance, attempting to re-create auth policy can cause conflicts if the policy already exists
+ "secret_groups": []string{}, // passing empty array for secret groups as default value is creating general group and it will cause conflicts as we are using an existing SM
+ },
+ },
+ // // Disable target / route creation to prevent hitting quota in account
+ {
+ OfferingName: "deploy-arch-ibm-cloud-monitoring",
+ OfferingFlavor: "fully-configurable",
+ Inputs: map[string]interface{}{
+ "enable_metrics_routing_to_cloud_monitoring": false,
+ },
+ },
+ {
+ OfferingName: "deploy-arch-ibm-activity-tracker",
+ OfferingFlavor: "fully-configurable",
+ Inputs: map[string]interface{}{
+ "enable_activity_tracker_event_routing_to_cloud_logs": false,
+ },
+ },
+ }
+
+ err := options.RunAddonTest()
+ require.NoError(t, err)
+}
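Review bot: The comment on `QuietMode: false, // Suppress logs except on failure` describes the opposite of the value set; write `QuietMode: false, // set true to suppress logs except on failure` or flip the value, whichever is intended. `permanentResources["privateOnlySecMgrCRN"]` is passed straight into `Inputs`; if `permanentResources` is a map, a missing key yields a zero value and the dependency would be configured with an empty CRN alongside `"service_plan": "__NULL__"`, so a `require.NotEmpty(t, permanentResources["privateOnlySecMgrCRN"])` before building the config fails fast with a clear message instead. The dependency is named `deploy-arch-ibm-secrets-manager`, which this same commit removes from `ibm_catalog.json` in favour of `deploy-arch-secrets-manager-private-cert`; if it is reached transitively through that offering, a one-line comment saying so would save the next reader the search. The doubled marker in `// // Disable target / route creation` should be a single `//`.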