default filter fixes for each conn
Ak-sky committed Jan 8, 2025
1 parent 08928af commit cf31294
Showing 6 changed files with 40 additions and 25 deletions.
3 changes: 1 addition & 2 deletions README.md
@@ -88,15 +88,14 @@ No modules.
|------|-------------|------|---------|:--------:|
| <a name="input_add_prefix_filters"></a> [add\_prefix\_filters](#input\_add\_prefix\_filters) | Map of VPC CRN to optionally add prefix filter to set an ordered list of filters that determine the routes that transit gateway should accept or deny. Connections are denied or permitted based on the order of the filters passed. See https://cloud.ibm.com/docs/transit-gateway?topic=transit-gateway-adding-prefix-filters&interface=ui | <pre>list(object({<br/> action = string<br/> prefix = string<br/> le = optional(number)<br/> ge = optional(number)<br/> before = optional(string)<br/> connection = string<br/> }))</pre> | `[]` | no |
| <a name="input_classic_connections_count"></a> [classic\_connections\_count](#input\_classic\_connections\_count) | Number of classic connections to add. | `number` | n/a | yes |
| <a name="input_default_prefix_filter"></a> [default\_prefix\_filter](#input\_default\_prefix\_filter) | Customise the default filter setting. `permit` makes it to accept all prefixes after processing all the entries in the prefix filters list. `deny` makes it to deny all prefixes after processing all the entries in the prefix filters list. Default to `permit`. Refer to https://cloud.ibm.com/docs/transit-gateway?topic=transit-gateway-adding-prefix-filters&interface=ui for more details. | `string` | `"permit"` | no |
| <a name="input_delete_timeout"></a> [delete\_timeout](#input\_delete\_timeout) | Deleting timeout value of the ibm\_tg\_gateway | `string` | `"45m"` | no |
| <a name="input_existing_transit_gateway_name"></a> [existing\_transit\_gateway\_name](#input\_existing\_transit\_gateway\_name) | Name of an existing transit gateway to connect VPCs. If null a new Transit Gateway will be created (transit\_gateway\_name and region required) | `string` | `null` | no |
| <a name="input_global_routing"></a> [global\_routing](#input\_global\_routing) | Gateways with global routing (true) to connect to the networks outside their associated region | `bool` | `false` | no |
| <a name="input_region"></a> [region](#input\_region) | The IBM Cloud region where all resources are provisioned. It can be null if existing\_transit\_gateway\_name is not null | `string` | `null` | no |
| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | Resource group ID where the transit gateway to be created. | `string` | `null` | no |
| <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | List of tags | `list(string)` | `null` | no |
| <a name="input_transit_gateway_name"></a> [transit\_gateway\_name](#input\_transit\_gateway\_name) | Name of the transit gateway to create. It can be null if existing\_transit\_gateway\_name is not null | `string` | `null` | no |
| <a name="input_vpc_connections"></a> [vpc\_connections](#input\_vpc\_connections) | The list of vpc instance resource\_crn to add network connections for. | `list(string)` | n/a | yes |
| <a name="input_vpc_connections"></a> [vpc\_connections](#input\_vpc\_connections) | The list of VPC instance connections with their associated default prefix filter. Customise the default filter setting for each VPC connections to `permit` or `deny` specifiv IP ranges. `permit` makes it to accept all prefixes after processing all the entries in the prefix filters list. `deny` makes it to deny all prefixes after processing all the entries in the prefix filters list. By default it is set to `permit`. Refer to https://cloud.ibm.com/docs/transit-gateway?topic=transit-gateway-adding-prefix-filters&interface=ui for more details. | <pre>list(object({<br/> vpc_crn = string<br/> default_prefix_filter = string<br/> }))</pre> | n/a | yes |

### Outputs

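Review bot: the new `vpc_connections` description in the last table row has typos and a claim the type does not back up: `specifiv` should be `specific`, `for each VPC connections` should be `for each VPC connection`, and `By default it is set to permit` is not true for a required `default_prefix_filter = string` field, since every caller must set it on every connection. This table is generated from `variables.tf`, so fix the wording there and regenerate; if a `permit` default is really intended, declare the field as `optional(string, "permit")` so the README matches the behaviour. Dropping the old `default_prefix_filter` row is correct, since the variable itself is removed in `variables.tf` in this commit.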
8 changes: 8 additions & 0 deletions examples/add-prefix-filter/README.md
@@ -3,3 +3,11 @@
This example provisions two VPCs and a transit gateway that configures connectivity between them.

Add prefix filtering that determine the routes that transit gateway should accept or deny.

**Explanation:**
- Prefix filters can be used to permit or deny specific specific IP address ranges (called prefixes) on specific network connections.
- This helps to allow only traffic from trusted networks and block unwanted traffic from certain ranges.
- In this example, once deployed-
- For both VPC connections vpc_conn_inst1 and vpc_conn_inst2, prefix filter will be created.
- For VPC connection vpc_conn_inst1, default_prefix_filter is set to `permit` and prefix filters are `allow` 10.10.10.0/24 but `deny` 10.20.10.0/24. This means after processing the entries in the prefix filter list (allow 10.10.10.0/24 and deny 10.20.10.0/24) it accepts rest of the IP addresses.
- For VPC connection vpc_conn_inst2, default_prefix_filter is set to `deny` and prefix filters is `allow` 10.20.10.0/24. This means after processing the entries in the prefix filter list (allow 10.20.10.0/24) it denies rest of the IP addresses.
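Review bot: the explanation uses `allow` for the filter actions, but the example's `add_prefix_filters` entries use `action = "permit"` and the variable only accepts `permit`/`deny`, so write `permit` throughout to avoid someone copying `allow` into a `.tf` file. Also fix `specific specific`, replace `once deployed-` with `once deployed:`, and `prefix filter will be created` should read `a prefix filter will be created`. It would help to state the security consequence of the two settings explicitly: with `default_prefix_filter = "deny"` on `vpc_conn_inst2` every route that is not matched by an explicit `permit` entry is dropped, which is the safer posture, whereas `vpc_conn_inst1` with `permit` accepts every prefix except the ones explicitly denied.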
13 changes: 11 additions & 2 deletions examples/add-prefix-filter/main.tf
@@ -55,8 +55,17 @@ module "tg_gateway_connection" {
global_routing = false
resource_tags = var.resource_tags
resource_group_id = module.resource_group.resource_group_id
vpc_connections = [module.vpc_1.vpc_crn, module.vpc_2.vpc_crn]
classic_connections_count = 0
vpc_connections = [
{
vpc_crn = module.vpc_1.vpc_crn
default_prefix_filter = "permit"
},
{
vpc_crn = module.vpc_2.vpc_crn
default_prefix_filter = "deny"
}
]
add_prefix_filters = [
{
action = "permit"
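Review bot: no logic problem here, but the two `vpc_connections` entries would benefit from a one-line comment each saying why `module.vpc_2.vpc_crn` gets `default_prefix_filter = "deny"` (only explicitly permitted prefixes cross that connection) while `module.vpc_1.vpc_crn` keeps `permit`; the contrast is the whole point of this example and the code gives no hint of it. Note that because the module declares `default_prefix_filter = string` without `optional(...)`, both keys are mandatory in every entry, so this example cannot omit the `permit` one even though the README calls `permit` the default.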
@@ -73,7 +82,7 @@ module "tg_gateway_connection" {
connection = module.vpc_1.vpc_crn
},
{
action = "deny"
action = "permit"
prefix = "10.20.10.0/24"
le = 24
ge = 24
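Review bot: the action for `10.20.10.0/24` flips from `deny` to `permit` without the commit message saying why, and this entry's `connection` is below the visible context, so confirm it targets `module.vpc_2.vpc_crn`: together with that connection's new `default_prefix_filter = "deny"` it is what makes the example admit 10.20.10.0/24 and nothing else, whereas on `vpc_1` (default `permit`) a `permit` entry would only matter if it were ordered ahead of a broader `deny` entry. Note also that `le = 24` with `ge = 24` matches only an exact /24; a more specific advertisement such as 10.20.10.0/25 falls through to the connection default, so on a `deny` connection it is dropped and on a `permit` connection it is accepted. Say in the example README which of those is intended.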
7 changes: 5 additions & 2 deletions examples/basic/variables.tf
@@ -32,8 +32,11 @@ variable "global_routing" {
}

variable "vpc_connections" {
type = list(string)
description = "The list of vpc instance resource_crn to add network connections for."
type = list(object({
vpc_crn = string
default_prefix_filter = string
}))
description = "The list of VPC instance connections with their associated default prefix filter. Customise the default filter setting for each VPC connections to `permit` or `deny` specifiv IP ranges. `permit` makes it to accept all prefixes after processing all the entries in the prefix filters list. `deny` makes it to deny all prefixes after processing all the entries in the prefix filters list. By default it is set to `permit`. Refer to https://cloud.ibm.com/docs/transit-gateway?topic=transit-gateway-adding-prefix-filters&interface=ui for more details."
}

variable "classic_connections_count" {
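Review bot: the `description` repeats the root module's typos (`specifiv`, `for each VPC connections`) and the `By default it is set to permit` claim although the field is required, so fix it in the same way as `variables.tf`. This example variable has no default and no validation, so whatever supplies it (a tfvars file or the test harness, neither of which is among the six changed files) must be updated to the new object form or `terraform plan` fails on a type mismatch; please confirm that was done, or give the variable a default in the new shape so the basic example still runs with no input.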
13 changes: 6 additions & 7 deletions main.tf
@@ -25,8 +25,8 @@ resource "ibm_tg_connection" "vpc_connections" {
gateway = local.transit_gateway_id
network_type = "vpc"
name = "vpc_conn_inst${count.index + 1}"
network_id = var.vpc_connections[count.index]
default_prefix_filter = var.default_prefix_filter
network_id = var.vpc_connections[count.index].vpc_crn
default_prefix_filter = var.vpc_connections[count.index].default_prefix_filter
}
locals {
filter_list = flatten([
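Review bot: indexing with `var.vpc_connections[count.index]` means that removing or reordering an entry in the middle of the list renames every later `ibm_tg_connection.vpc_connections` instance and re-creates it, taking the connection (and any prefix filters attached to it) down in the process. That was already true with the old `list(string)`, but now that each element carries a CRN, `for_each = { for c in var.vpc_connections : c.vpc_crn => c }` would give stable resource addresses; if that is out of scope for this commit, record it as a follow-up.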
@@ -39,11 +39,10 @@ locals {
])
}
resource "ibm_tg_connection" "classic_connections" {
count = var.classic_connections_count
gateway = local.transit_gateway_id
network_type = "classic"
name = "classic_conn_inst${count.index}"
default_prefix_filter = var.default_prefix_filter
count = var.classic_connections_count
gateway = local.transit_gateway_id
network_type = "classic"
name = "classic_conn_inst${count.index}"
}

resource "ibm_tg_connection_prefix_filter" "add_prefix_filter" {
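Review bot: dropping `default_prefix_filter` from `ibm_tg_connection.classic_connections` silently removes a security control: before this change a caller could set the variable to `deny` and have classic connections reject every prefix not explicitly permitted, and after it no module input reaches classic connections at all, so they always take the service default. Either add a `default_prefix_filter` setting for classic connections (mirroring the new VPC object shape) or state in the README that classic connections cannot be set to default deny through this module. The re-indentation of the four unchanged attributes is cosmetic and would be cleaner as a separate `terraform fmt` commit.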
21 changes: 9 additions & 12 deletions variables.tf
@@ -35,8 +35,15 @@ variable "resource_tags" {
}

variable "vpc_connections" {
type = list(string)
description = "The list of vpc instance resource_crn to add network connections for."
type = list(object({
vpc_crn = string
default_prefix_filter = string
}))
description = "The list of VPC instance connections with their associated default prefix filter. Customise the default filter setting for each VPC connections to `permit` or `deny` specifiv IP ranges. `permit` makes it to accept all prefixes after processing all the entries in the prefix filters list. `deny` makes it to deny all prefixes after processing all the entries in the prefix filters list. By default it is set to `permit`. Refer to https://cloud.ibm.com/docs/transit-gateway?topic=transit-gateway-adding-prefix-filters&interface=ui for more details."
validation {
condition = alltrue([for default_filter in var.vpc_connections : default_filter.default_prefix_filter == "permit" || default_filter.default_prefix_filter == "deny"])
error_message = "Valid values to set default prefix filter is `permit` or `deny`"
}
}

variable "classic_connections_count" {
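Review bot: the description says `By default it is set to permit`, but `default_prefix_filter = string` is a required object attribute, so a caller who omits it gets a type error rather than `permit`; either declare it as `optional(string, "permit")` and keep the sentence, or delete the sentence. Fix `specifiv` to `specific` and `for each VPC connections` to `for each VPC connection` (terraform-docs copies this text into README.md verbatim), and `makes it to accept` reads better as `makes the connection accept`. The validation is correct; `contains(["permit", "deny"], c.default_prefix_filter)` inside the `alltrue` would be shorter and matches the idiom of the variable being removed, and the error message should read `Valid values for default_prefix_filter are permit or deny`.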
@@ -50,16 +57,6 @@ variable "delete_timeout" {
default = "45m"
}

variable "default_prefix_filter" {
type = string
description = "Customise the default filter setting. `permit` makes it to accept all prefixes after processing all the entries in the prefix filters list. `deny` makes it to deny all prefixes after processing all the entries in the prefix filters list. Default to `permit`. Refer to https://cloud.ibm.com/docs/transit-gateway?topic=transit-gateway-adding-prefix-filters&interface=ui for more details."
validation {
condition = contains(["permit", "deny"], var.default_prefix_filter)
error_message = "Valid values to set default prefix filter is `permit` or `deny`"
}
default = "permit"
}

variable "add_prefix_filters" {
description = "Map of VPC CRN to optionally add prefix filter to set an ordered list of filters that determine the routes that transit gateway should accept or deny. Connections are denied or permitted based on the order of the filters passed. See https://cloud.ibm.com/docs/transit-gateway?topic=transit-gateway-adding-prefix-filters&interface=ui"
type = list(object({
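Review bot: removing `default_prefix_filter` together with changing `vpc_connections` from `list(string)` to a list of objects is a breaking change for every existing caller, so this needs a major version bump and a short migration note in README.md showing the old and new forms; nothing in the six changed files records that. Also confirm that `examples/basic/main.tf` and any module callers in tests, none of which are in this commit, now pass the `{ vpc_crn, default_prefix_filter }` shape.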
