feat: adds prefix filters functionality to the transit gateway connec…

…tions that is used to permit or deny specific IP address ranges (called prefixes) on specific network connections(#544)

README.md

@@ -20,6 +20,7 @@ This module includes the `terraform-ibm-transit-gateway-action` [approval action
     * [terraform-ibm-transit-gateway-action](./modules/terraform-ibm-transit-gateway-action)
 * [Examples](./examples)
     * [ Example transit gateway that connects two VPCs in two accounts](./examples/crossaccounts)
+    * [ Example transit gateway that connects two VPCs with prefix filtering](./examples/add-prefix-filter)
     * [ Example transit gateway that connects two VPCs](./examples/two-vpcs)
     * [Example basic transit gateway](./examples/basic)
 * [Contributing](#contributing)
@@ -65,7 +66,7 @@ You need the following permissions to run this module.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
-| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.52.0, < 2.0.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.69.0, < 2.0.0 |
 
 ### Modules
 
@@ -77,13 +78,15 @@ No modules.
 |------|------|
 | [ibm_tg_connection.classic_connections](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/tg_connection) | resource |
 | [ibm_tg_connection.vpc_connections](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/tg_connection) | resource |
+| [ibm_tg_connection_prefix_filter.add_prefix_filter](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/tg_connection_prefix_filter) | resource |
 | [ibm_tg_gateway.tg_gw_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/tg_gateway) | resource |
 | [ibm_tg_gateway.existing_tg_gw_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/tg_gateway) | data source |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_add_prefix_filters"></a> [add\_prefix\_filters](#input\_add\_prefix\_filters) | Map of VPC CRN to optionally add prefix filter to set an ordered list of filters that determine the routes that transit gateway should accept or deny. Connections are denied or permitted based on the order of the filters passed. See https://cloud.ibm.com/docs/transit-gateway?topic=transit-gateway-adding-prefix-filters&interface=ui | <pre>list(object({<br/>    action     = string<br/>    prefix     = string<br/>    le         = optional(number)<br/>    ge         = optional(number)<br/>    before     = optional(string)<br/>    connection = string<br/>  }))</pre> | `[]` | no |
 | <a name="input_classic_connections_count"></a> [classic\_connections\_count](#input\_classic\_connections\_count) | Number of classic connections to add. | `number` | n/a | yes |
 | <a name="input_delete_timeout"></a> [delete\_timeout](#input\_delete\_timeout) | Deleting timeout value of the ibm\_tg\_gateway | `string` | `"45m"` | no |
 | <a name="input_existing_transit_gateway_name"></a> [existing\_transit\_gateway\_name](#input\_existing\_transit\_gateway\_name) | Name of an existing transit gateway to connect VPCs. If null a new Transit Gateway will be created (transit\_gateway\_name and region required) | `string` | `null` | no |
@@ -92,13 +95,14 @@ No modules.
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | Resource group ID where the transit gateway to be created. | `string` | `null` | no |
 | <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | List of tags | `list(string)` | `null` | no |
 | <a name="input_transit_gateway_name"></a> [transit\_gateway\_name](#input\_transit\_gateway\_name) | Name of the transit gateway to create. It can be null if existing\_transit\_gateway\_name is not null | `string` | `null` | no |
-| <a name="input_vpc_connections"></a> [vpc\_connections](#input\_vpc\_connections) | The list of vpc instance resource\_crn to add network connections for. | `list(string)` | n/a | yes |
+| <a name="input_vpc_connections"></a> [vpc\_connections](#input\_vpc\_connections) | The list of VPC instance connections with their associated default prefix filter. Customise the default filter setting for each VPC connections to `permit` or `deny` specifiv IP ranges. `permit` makes it to accept all prefixes after processing all the entries in the prefix filters list. `deny` makes it to deny all prefixes after processing all the entries in the prefix filters list. By default it is set to `permit`. Refer to https://cloud.ibm.com/docs/transit-gateway?topic=transit-gateway-adding-prefix-filters&interface=ui for more details. | <pre>list(object({<br/>    vpc_crn               = string<br/>    default_prefix_filter = optional(string)<br/>  }))</pre> | n/a | yes |
 
 ### Outputs
 
 | Name | Description |
 |------|-------------|
 | <a name="output_classic_conn_ids"></a> [classic\_conn\_ids](#output\_classic\_conn\_ids) | List of classic connection IDs |
+| <a name="output_filter_ids"></a> [filter\_ids](#output\_filter\_ids) | Prefix filter IDs |
 | <a name="output_tg_crn"></a> [tg\_crn](#output\_tg\_crn) | CRN of the gateway |
 | <a name="output_tg_id"></a> [tg\_id](#output\_tg\_id) | The ID of the transit gateway |
 | <a name="output_vpc_conn_ids"></a> [vpc\_conn\_ids](#output\_vpc\_conn\_ids) | List of VPC connection IDs |

examples/add-prefix-filter/README.md

@@ -0,0 +1,13 @@
+#  Example transit gateway that connects two VPCs with prefix filtering
+
+This example provisions two VPCs and a transit gateway that configures connectivity between them.
+
+Add prefix filtering that determine the routes that transit gateway should accept or deny.
+
+**Explanation:**
+- Prefix filters can be used to permit or deny specific specific IP address ranges (called prefixes) on specific network connections.
+- This helps to allow only traffic from trusted networks and block unwanted traffic from certain ranges.
+- In this example, once deployed-
+  - For both VPC connections vpc_conn_inst1 and vpc_conn_inst2, prefix filter will be created.
+  - For VPC connection vpc_conn_inst1, default_prefix_filter is set to `permit` and prefix filters are `allow` 10.10.10.0/24 but `deny` 10.20.10.0/24. This means after processing the entries in the prefix filter list (allow 10.10.10.0/24 and deny 10.20.10.0/24) it accepts rest of the IP addresses.
+  - For VPC connection vpc_conn_inst2, default_prefix_filter is set to `deny` and prefix filters is `allow` 10.20.10.0/24. This means after processing the entries in the prefix filter list (allow 10.20.10.0/24) it denies rest of the IP addresses.

examples/add-prefix-filter/main.tf

@@ -0,0 +1,92 @@
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.6"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##############################################################################
+# 2 VPCs
+##############################################################################
+
+module "vpc_1" {
+  source            = "terraform-ibm-modules/landing-zone-vpc/ibm"
+  version           = "7.19.0"
+  resource_group_id = module.resource_group.resource_group_id
+  region            = var.region
+  prefix            = var.prefix
+  tags              = var.resource_tags
+  name              = "${var.prefix}-vpc1"
+  use_public_gateways = {
+    zone-1 = false
+    zone-2 = false
+    zone-3 = false
+  }
+}
+
+module "vpc_2" {
+  source            = "terraform-ibm-modules/landing-zone-vpc/ibm"
+  version           = "7.19.0"
+  resource_group_id = module.resource_group.resource_group_id
+  region            = var.region
+  prefix            = var.prefix
+  tags              = var.resource_tags
+  name              = "${var.prefix}-vpc2"
+  use_public_gateways = {
+    zone-1 = false
+    zone-2 = false
+    zone-3 = false
+  }
+}
+
+##############################################################################
+# Transit Gateway connects the 2 VPCs with prefix filters
+##############################################################################
+
+module "tg_gateway_connection" {
+  source                    = "../.."
+  transit_gateway_name      = var.transit_gateway_name
+  region                    = var.region
+  global_routing            = false
+  resource_tags             = var.resource_tags
+  resource_group_id         = module.resource_group.resource_group_id
+  classic_connections_count = 0
+  vpc_connections = [
+    {
+      vpc_crn               = module.vpc_1.vpc_crn
+      default_prefix_filter = "permit"
+    },
+    {
+      vpc_crn               = module.vpc_2.vpc_crn
+      default_prefix_filter = "deny"
+    }
+  ]
+  add_prefix_filters = [
+    {
+      action     = "permit"
+      prefix     = "10.10.10.0/24"
+      le         = 24
+      ge         = 24
+      connection = module.vpc_1.vpc_crn
+    },
+    {
+      action     = "deny"
+      prefix     = "10.20.10.0/24"
+      le         = 24
+      ge         = 24
+      connection = module.vpc_1.vpc_crn
+    },
+    {
+      action     = "permit"
+      prefix     = "10.20.10.0/24"
+      le         = 24
+      ge         = 24
+      connection = module.vpc_2.vpc_crn
+    }
+  ]
+}

examples/add-prefix-filter/outputs.tf

@@ -0,0 +1,13 @@
+##############################################################################
+# Outputs
+##############################################################################
+
+output "tg_id" {
+  description = "The ID of the transit gateway"
+  value       = module.tg_gateway_connection.tg_id
+}
+
+output "filter_ids" {
+  description = "Prefix filter IDs"
+  value       = module.tg_gateway_connection.filter_ids
+}

examples/add-prefix-filter/provider.tf

@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}

examples/add-prefix-filter/variables.tf

@@ -0,0 +1,32 @@
+variable "ibmcloud_api_key" {
+  description = "API key that is associated with the account to provision resources to"
+  type        = string
+  sensitive   = true
+}
+
+variable "prefix" {
+  description = "The prefix to append to your resources"
+  type        = string
+}
+
+variable "transit_gateway_name" {
+  description = "Name of the transit gateway"
+  type        = string
+}
+
+variable "region" {
+  description = "Location of the transit gateway."
+  type        = string
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example. If not set, a new resource group is created."
+  default     = null
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "List of tags"
+  default     = null
+}

examples/add-prefix-filter/versions.tf

@@ -0,0 +1,11 @@
+terraform {
+  required_version = ">= 1.0.0"
+  # Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
+  # module's version.tf (basic), and 1 example that will always use the latest provider version.
+  required_providers {
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = ">= 1.69.0"
+    }
+  }
+}

examples/basic/variables.tf

@@ -32,8 +32,11 @@ variable "global_routing" {
 }
 
 variable "vpc_connections" {
-  type        = list(string)
-  description = "The list of vpc instance resource_crn to add network connections for."
+  type = list(object({
+    vpc_crn               = string
+    default_prefix_filter = string
+  }))
+  description = "The list of VPC instance connections with their associated default prefix filter. Customise the default filter setting for each VPC connections to `permit` or `deny` specifiv IP ranges. `permit` makes it to accept all prefixes after processing all the entries in the prefix filters list. `deny` makes it to deny all prefixes after processing all the entries in the prefix filters list. By default it is set to `permit`. Refer to https://cloud.ibm.com/docs/transit-gateway?topic=transit-gateway-adding-prefix-filters&interface=ui for more details."
 }
 
 variable "classic_connections_count" {

examples/basic/versions.tf

@@ -5,7 +5,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = "1.52.0"
+      version = "1.69.0"
     }
   }
 }

examples/crossaccounts/versions.tf

@@ -5,7 +5,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = ">= 1.52.0"
+      version = ">= 1.69.0"
     }
   }
 }

examples/two-vpcs/main.tf

@@ -55,6 +55,13 @@ module "tg_gateway_connection" {
   global_routing            = false
   resource_tags             = var.resource_tags
   resource_group_id         = module.resource_group.resource_group_id
-  vpc_connections           = [module.vpc_1.vpc_crn, module.vpc_2.vpc_crn]
   classic_connections_count = 0
+  vpc_connections = [
+    {
+      vpc_crn = module.vpc_1.vpc_crn
+    },
+    {
+      vpc_crn = module.vpc_2.vpc_crn
+    }
+  ]
 }

examples/two-vpcs/versions.tf

@@ -5,7 +5,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = ">= 1.52.0"
+      version = ">= 1.69.0"
     }
   }
 }

main.tf

@@ -21,18 +21,36 @@ resource "ibm_tg_gateway" "tg_gw_instance" {
 }
 
 resource "ibm_tg_connection" "vpc_connections" {
-  count = length(var.vpc_connections)
-
-  gateway      = local.transit_gateway_id
-  network_type = "vpc"
-  name         = "vpc_conn_inst${count.index}"
-  network_id   = var.vpc_connections[count.index]
+  count                 = length(var.vpc_connections)
+  gateway               = local.transit_gateway_id
+  network_type          = "vpc"
+  name                  = "vpc_conn_inst${count.index + 1}"
+  network_id            = var.vpc_connections[count.index].vpc_crn
+  default_prefix_filter = var.vpc_connections[count.index].default_prefix_filter
+}
+locals {
+  filter_list = flatten([
+    for conn in ibm_tg_connection.vpc_connections :
+    [
+      for filter in var.add_prefix_filters :
+      merge(filter, { connection_id = conn.connection_id
+      gateway = conn.gateway }) if filter.connection == conn.network_id
+    ]
+  ])
 }
-
 resource "ibm_tg_connection" "classic_connections" {
-  count = var.classic_connections_count
-
+  count        = var.classic_connections_count
   gateway      = local.transit_gateway_id
   network_type = "classic"
   name         = "classic_conn_inst${count.index}"
 }
+
+resource "ibm_tg_connection_prefix_filter" "add_prefix_filter" {
+  count         = length(var.add_prefix_filters) > 0 ? length(var.add_prefix_filters) : 0
+  gateway       = local.filter_list[count.index].gateway
+  connection_id = local.filter_list[count.index].connection_id
+  action        = local.filter_list[count.index].action
+  prefix        = local.filter_list[count.index].prefix
+  le            = local.filter_list[count.index].le
+  ge            = local.filter_list[count.index].ge
+}

modules/terraform-ibm-transit-gateway-action/README.md

@@ -40,7 +40,7 @@ module "tg_gateway_connection_crossaccounts_approve" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
-| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.52.0, < 2.0.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.69.0, < 2.0.0 |
 
 ### Modules
 

modules/terraform-ibm-transit-gateway-action/versions.tf

@@ -4,7 +4,7 @@ terraform {
     # Use "greater than or equal to" range in modules
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = ">= 1.52.0, < 2.0.0"
+      version = ">= 1.69.0, < 2.0.0"
     }
   }
 }

outputs.tf

@@ -17,3 +17,8 @@ output "classic_conn_ids" {
   description = "List of classic connection IDs"
   value       = { for k, v in ibm_tg_connection.classic_connections : v.network_id => v.connection_id }
 }
+
+output "filter_ids" {
+  description = "Prefix filter IDs"
+  value       = ibm_tg_connection_prefix_filter.add_prefix_filter[*].filter_id
+}