terraform-ibm-modules/terraform-ibm-vpe-gateway

IBM Virtual Private Endpoint Gateway module

This module creates and configures virtual private endpoint gateways (https://cloud.ibm.com/docs/vpc?topic=vpc-ordering-endpoint-gateway) for an IBM Cloud service.

The module supports the following actions:

  • Create virtual private endpoint gateways
  • Create reserved IP addresses
  • Attach endpoint gateways to reserved IP addresses

Known provider issues

An IBM Provider issue has been raised that impacts this module. When you change the name of reserved IP addresses for the VPE gateways, the outputs of this module may not be updated in the Terraform state file. When this issue occurs, run terraform apply -refresh-only to update the Terraform state.

Usage

provider "ibm" {
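  # Placeholder value. Supply the key through a variable or the IC_API_KEY
  # environment variable instead of committing it to source control.
  ibmcloud_api_key = "XXXXXXXXXX" # pragma: allowlist secret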
  region           = "us-south"
}

# Creates:
# - VPE
module "vpes" {
  source           = "terraform-ibm-modules/vpe-gateway/ibm"
  version          = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  region           = "us-south"
  prefix           = "vpe"
  vpc_name         = "my-vpc-instance"
  vpc_id           = "r022-ae2a6785-gd62-7d4j-af62-b4891e949345"
  subnet_zone_list = [
    {
      name = "subnet-1"
      id   = "<subnet-1-id>" # placeholder: ID of an existing subnet (required by the input type)
      cidr = "10.0.10.0/24"
    },
    {
      name = "subnet-2"
      id   = "<subnet-2-id>" # placeholder: ID of an existing subnet (required by the input type)
      cidr = "10.0.11.0/24"
    }
  ]
  resource_group_id  = "00ae4b38253f43a3acd14619dd385632" # pragma: allowlist secret
  security_group_ids = ["r014-2d4f8cd6-6g3s-4ab5-ac3f-8fc717ce2a1f"]
  cloud_services = [
    {
      service_name = "kms"
    },
    {
      service_name = "cloud-object-storage"
    }
  ]
  cloud_service_by_crn = [
    {
      crn          = "crn:v1:bluemix:public:databases-for-postgresql:us-south:a/abac0df06b644a9cabc6e44f55b3880d:93f97b1a-fe35-4f17-a8be-ecf197a36bed::"
    }
  ]
  service_endpoints = "private"
}

Required IAM access policies

You need the following permissions to run this module.

  • Account Management
    • Resource Group service
      • Viewer platform access
  • IAM services
    • VPE Infrastructure services
      • Editor platform access

Requirements

| Name | Version |
|------|---------|
| terraform | >=1.3, <1.7.0 |
| ibm | >=1.61.0, <2.0.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| ibm_is_subnet_reserved_ip.ip | resource |
| ibm_is_virtual_endpoint_gateway.vpe | resource |
| ibm_is_virtual_endpoint_gateway_ip.endpoint_gateway_ip | resource |
| ibm_is_virtual_endpoint_gateway.vpe | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| cloud_service_by_crn | List of cloud service CRNs. The keys are the CRN. The values (all optional) give some level of control over the created VPEs. A unique endpoint gateway is created for each CRN. vpe_name gives full control over the VPE name; if not specified, the VPE name is computed from the prefix, VPC name and service name. service_name is the name of the service used to compute the name of the VPE; if not specified, the service name is obtained from the CRN. For a list of supported services, see the docs here. | set(object({ crn = string, vpe_name = optional(string), service_name = optional(string), allow_dns_resolution_binding = optional(bool, true) })) | [] | no |
| cloud_services | List of cloud services to create an endpoint gateway for. The keys are the service names; the values (all optional) give some level of control over the created VPEs. vpe_name gives full control over the VPE name; if not specified, the VPE name is computed from the prefix, VPC name and service name. | set(object({ service_name = string, vpe_name = optional(string), allow_dns_resolution_binding = optional(bool, false) })) | [] | no |
| prefix | The prefix that you would like to prepend to your resources | string | "vpe" | no |
| region | The region where the VPC and services are deployed | string | "us-south" | no |
| resource_group_id | ID of the resource group where endpoint gateways will be provisioned | string | null | no |
| security_group_ids | List of security group IDs to attach to each endpoint gateway. | list(string) | null | no |
| service_endpoints | Service endpoints to use to create endpoint gateways. Can be public or private. | string | "private" | no |
| subnet_zone_list | List of subnets in the VPC where gateways and reserved IPs will be provisioned. This value is intended to use the subnet_zone_list output from the Landing Zone VPC Subnet Module (https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc) or from templates using that module for subnet creation. | list(object({ name = string, id = string, zone = optional(string), cidr = optional(string) })) | [] | no |
| vpc_id | ID of the VPC where the Endpoint Gateways will be created | string | null | no |
| vpc_name | Name of the VPC where the Endpoint Gateways will be created. This value is used to dynamically generate VPE names. | string | "vpc" | no |
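
The inputs above default security_group_ids to null and allow service_endpoints to be set to public. One way for a calling root module to pin both and keep the API key out of the configuration, as an added example that is not part of this module's own documentation; the variable names are assumptions, and the version placeholder is the one used in the Usage section:

```hcl
# Added example: a calling root module, not the module's own code.
terraform {
  required_version = ">=1.3, <1.7.0"
  required_providers {
    ibm = { source = "IBM-Cloud/ibm", version = ">=1.61.0, <2.0.0" }
  }
}

variable "ibmcloud_api_key" { # assumed name; set via TF_VAR_ibmcloud_api_key
  type      = string
  sensitive = true
}
variable "vpc_id" { type = string }            # assumed name
variable "resource_group_id" { type = string } # assumed name
variable "subnet_zone_list" {                  # same shape as the module input
  type = list(object({
    name = string
    id   = string
    zone = optional(string)
    cidr = optional(string)
  }))
}
variable "security_group_ids" { # assumed name; no null default here
  type     = list(string)
  nullable = false
  validation {
    condition     = length(var.security_group_ids) > 0
    error_message = "Attach at least one security group to the endpoint gateways."
  }
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = "us-south"
}

module "vpes" {
  source             = "terraform-ibm-modules/vpe-gateway/ibm"
  version            = "X.X.X" # replace with a pinned release version
  region             = "us-south"
  prefix             = "vpe"
  vpc_name           = "my-vpc-instance"
  vpc_id             = var.vpc_id
  resource_group_id  = var.resource_group_id
  subnet_zone_list   = var.subnet_zone_list
  security_group_ids = var.security_group_ids
  service_endpoints  = "private" # pinned in code rather than left as a variable
  cloud_services     = [{ service_name = "kms" }]
}
```

With this wrapper, a plan that supplies an empty or null security group list fails at variable validation before any endpoint gateway is created.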

Outputs

| Name | Description |
|------|-------------|
| crn | The CRN of the endpoint gateway |
| vpe_ips | The endpoint gateway reserved IPs |

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.