terraform-ibm-modules · maheshwarishikha · Jan 10, 2025 · Oct 7, 2024 · Oct 7, 2024 · Oct 16, 2024
@@ -20,6 +20,7 @@ This module includes the `terraform-ibm-transit-gateway-action` [approval action
     * [terraform-ibm-transit-gateway-action](./modules/terraform-ibm-transit-gateway-action)
 * [Examples](./examples)
     * [ Example transit gateway that connects two VPCs in two accounts](./examples/crossaccounts)
+    * [ Example transit gateway that connects two VPCs](./examples/add-prefix-filter)
     * [ Example transit gateway that connects two VPCs](./examples/two-vpcs)
     * [Example basic transit gateway](./examples/basic)
 * [Contributing](#contributing)
@@ -65,7 +66,7 @@ You need the following permissions to run this module.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
-| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.52.0, < 2.0.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.69.0, < 2.0.0 |
 
 ### Modules
 
@@ -77,14 +78,17 @@ No modules.
 |------|------|
 | [ibm_tg_connection.classic_connections](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/tg_connection) | resource |
 | [ibm_tg_connection.vpc_connections](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/tg_connection) | resource |
+| [ibm_tg_connection_prefix_filter.test_tg_prefix_filter](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/tg_connection_prefix_filter) | resource |
 | [ibm_tg_gateway.tg_gw_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/tg_gateway) | resource |
 | [ibm_tg_gateway.existing_tg_gw_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/tg_gateway) | data source |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_add_prefix_filters"></a> [add\_prefix\_filters](#input\_add\_prefix\_filters) | Add prefix filter to set an ordered list of filters that determine the routes that transit gateway should accept or deny. Connections are denied or permitted based on the order of the filters passed. | <pre>list(object({<br>    action = string<br>    prefix = string<br>    le     = number<br>    ge     = number<br>  }))</pre> | `[]` | no |
 | <a name="input_classic_connections_count"></a> [classic\_connections\_count](#input\_classic\_connections\_count) | Number of classic connections to add. | `number` | n/a | yes |
+| <a name="input_default_prefix_filter"></a> [default\_prefix\_filter](#input\_default\_prefix\_filter) | Create prefix filters to permit or deny specific routes on specific connections. By default accepts all prefixes after entries in the prefix filter list are processed. Deny prefixes denies all prefixes after entries in the prefix filter list are processed. | `string` | `"permit"` | no |
 | <a name="input_delete_timeout"></a> [delete\_timeout](#input\_delete\_timeout) | Deleting timeout value of the ibm\_tg\_gateway | `string` | `"45m"` | no |
 | <a name="input_existing_transit_gateway_name"></a> [existing\_transit\_gateway\_name](#input\_existing\_transit\_gateway\_name) | Name of an existing transit gateway to connect VPCs. If null a new Transit Gateway will be created (transit\_gateway\_name and region required) | `string` | `null` | no |
 | <a name="input_global_routing"></a> [global\_routing](#input\_global\_routing) | Gateways with global routing (true) to connect to the networks outside their associated region | `bool` | `false` | no |

@@ -0,0 +1,5 @@
+#  Example transit gateway that connects two VPCs
+
+This example provisions two VPCs and a transit gateway that configures connectivity between them.
+
+Add prefix filtering that determine the routes that transit gateway should accept or deny.
@@ -0,0 +1,74 @@
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.6"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##############################################################################
+# 2 VPCs
+##############################################################################
+
+module "vpc_1" {
+  source            = "terraform-ibm-modules/landing-zone-vpc/ibm"
+  version           = "7.19.0"
+  resource_group_id = module.resource_group.resource_group_id
+  region            = var.region
+  prefix            = var.prefix
+  tags              = var.resource_tags
+  name              = var.vpc1_name
+  use_public_gateways = {
+    zone-1 = false
+    zone-2 = false
+    zone-3 = false
+  }
+}
+
+module "vpc_2" {
+  source            = "terraform-ibm-modules/landing-zone-vpc/ibm"
+  version           = "7.19.0"
+  resource_group_id = module.resource_group.resource_group_id
+  region            = var.region
+  prefix            = var.prefix
+  tags              = var.resource_tags
+  name              = var.vpc2_name
+  use_public_gateways = {
+    zone-1 = false
+    zone-2 = false
+    zone-3 = false
+  }
+}
+
+##############################################################################
+# Transit Gateway connects the 2 VPCs
+##############################################################################
+
+module "tg_gateway_connection" {
+  source                    = "../.."
+  transit_gateway_name      = var.transit_gateway_name
+  region                    = var.region
+  global_routing            = false
+  resource_tags             = var.resource_tags
+  resource_group_id         = module.resource_group.resource_group_id
+  vpc_connections           = [module.vpc_1.vpc_crn, module.vpc_2.vpc_crn]
+  classic_connections_count = 0
+  add_prefix_filters = [
+    {
+      action        = "permit"
+      prefix        = "10.10.10.0/24"
+      le            = 24
+      ge            = 24
+    },
+    {
+      action        = "deny"
+      prefix        = "10.20.10.0/24"
+      le            = 24
+      ge            = 24
+    }
+  ]
+}
@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}
@@ -0,0 +1,44 @@
+variable "ibmcloud_api_key" {
+  description = "API key that is associated with the account to provision resources to"
+  type        = string
+  sensitive   = true
+}
+
+variable "prefix" {
+  description = "The prefix to append to your resources"
+  type        = string
+}
+
+variable "transit_gateway_name" {
+  description = "Name of the transit gateway"
+  type        = string
+}
+
+variable "region" {
+  description = "Location of the transit gateway."
+  type        = string
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example. If not set, a new resource group is created."
+  default     = null
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "List of tags"
+  default     = null
+}
+
+variable "vpc1_name" {
+  type        = string
+  description = "Name of the first VPC"
+  default     = "vpc1"
+}
+
+variable "vpc2_name" {
+  type        = string
+  description = "Name of the second VPC"
+  default     = "vpc2"
+}
@@ -0,0 +1,11 @@
+terraform {
+  required_version = ">= 1.0.0"
+  # Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
+  # module's version.tf (basic), and 1 example that will always use the latest provider version.
+  required_providers {
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = ">= 1.69.0"
+    }
+  }
+}
@@ -5,7 +5,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = "1.52.0"
+      version = "1.69.0"
     }
   }
 }
@@ -5,7 +5,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = ">= 1.52.0"
+      version = ">= 1.69.0"
     }
   }
 }
@@ -5,7 +5,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = ">= 1.52.0"
+      version = ">= 1.69.0"
     }
   }
 }
@@ -23,16 +23,30 @@ resource "ibm_tg_gateway" "tg_gw_instance" {
 resource "ibm_tg_connection" "vpc_connections" {
   count = length(var.vpc_connections)
 
-  gateway      = local.transit_gateway_id
-  network_type = "vpc"
-  name         = "vpc_conn_inst${count.index}"
-  network_id   = var.vpc_connections[count.index]
+  gateway               = local.transit_gateway_id
+  network_type          = "vpc"
+  name                  = "vpc_conn_inst${count.index}"
+  network_id            = var.vpc_connections[count.index]
+  default_prefix_filter = var.default_prefix_filter
 }
 
 resource "ibm_tg_connection" "classic_connections" {
   count = var.classic_connections_count
 
-  gateway      = local.transit_gateway_id
-  network_type = "classic"
-  name         = "classic_conn_inst${count.index}"
+  gateway               = local.transit_gateway_id
+  network_type          = "classic"
+  name                  = "classic_conn_inst${count.index}"
+  default_prefix_filter = var.default_prefix_filter
+}
+
+
+resource "ibm_tg_connection_prefix_filter" "test_tg_prefix_filter" {
+  count = length(var.add_prefix_filters) > 0 ? length(var.add_prefix_filters) : 0
+
+  gateway       = ibm_tg_gateway.tg_gw_instance[0].id
+  connection_id = ibm_tg_connection.vpc_connections[count.index].connection_id
+  action        = var.add_prefix_filters[count.index].action
+  prefix        = var.add_prefix_filters[count.index].prefix
+  le            = var.add_prefix_filters[count.index].le
+  ge            = var.add_prefix_filters[count.index].ge
 }
@@ -40,7 +40,7 @@ module "tg_gateway_connection_crossaccounts_approve" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
-| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.52.0, < 2.0.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.69.0, < 2.0.0 |
 
 ### Modules
 

@@ -4,7 +4,7 @@ terraform {
     # Use "greater than or equal to" range in modules
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = ">= 1.52.0, < 2.0.0"
+      version = ">= 1.69.0, < 2.0.0"
     }
   }
 }
@@ -81,6 +81,27 @@ func setupOptions2VpcsExample(t *testing.T, prefix string) *testhelper.TestOptio
 	return options
 }
 
+func setupOptions2VpcsPrefixFilterExample(t *testing.T, prefix string) *testhelper.TestOptions {
+	const TwoVpcsExampleTerraformDir = "examples/add-prefix-filter"
+
+	options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
+		Testing:          t,
+		Prefix:           prefix,
+		ResourceGroup:    resourceGroup,
+		CloudInfoService: sharedInfoSvc, // use pointer to shared info svc to keep track of region selections
+		DefaultRegion:    "us-south",
+		TerraformDir:     TwoVpcsExampleTerraformDir,
+	})
+
+	terraformVars := map[string]interface{}{
+		"transit_gateway_name": fmt.Sprintf("%s-%s", options.Prefix, "tg"),
+	}
+
+	maps.Copy(options.TerraformVars, terraformVars)
+
+	return options
+}
+
 // func setupOptionsCrossaccountsExample(t *testing.T, prefix string) *testhelper.TestOptions {
 // 	const TwoVpcsExampleTerraformDir = "examples/crossaccounts"
 
@@ -143,6 +164,16 @@ func TestRun2VpcsExample(t *testing.T) {
 	assert.NotNil(t, output, "Expected some output")
 }
 
+func TestRun2VpcsPrefixFilterExample(t *testing.T) {
+	t.Parallel()
+
+	options := setupOptions2VpcsPrefixFilterExample(t, "prefix-tg")
+
+	output, err := options.RunTestConsistency()
+	assert.Nil(t, err, "This should not have errored")
+	assert.NotNil(t, output, "Expected some output")
+}
+
 // The account that this test was using has been removed so disabling the test until we decide what account can be used
 
 // func TestRunCrossaccountsExample(t *testing.T) {

@@ -49,3 +49,35 @@ variable "delete_timeout" {
   description = "Deleting timeout value of the ibm_tg_gateway"
   default     = "45m"
 }
+
+variable "default_prefix_filter" {
+  type        = string
+  description = "Create prefix filters to permit or deny specific routes on specific connections. By default accepts all prefixes after entries in the prefix filter list are processed. Deny prefixes denies all prefixes after entries in the prefix filter list are processed."
+  validation {
+    condition     = contains(["permit", "deny"], var.default_prefix_filter)
+    error_message = "Valid values to set default prefix filter is `permit` or `deny`"
+  }
+  default = "permit"
+}
+
+
+variable "add_prefix_filters" {
+  type = list(object({
+    action = string
+    prefix = string
+    le     = number
+    ge     = number
+  }))
+
+  validation {
+    condition = alltrue([
+      for filter in var.add_prefix_filters :
+      filter.le >= 0 && filter.le <= 32 && filter.ge >= 0 && filter.ge <= 32
+    ])
+    error_message = "Both 'le' and 'ge' must be between 0 and 32."
+  }
+
+  description = "Add prefix filter to set an ordered list of filters that determine the routes that transit gateway should accept or deny. Connections are denied or permitted based on the order of the filters passed."
+
+  default = []
+}
@@ -4,7 +4,7 @@ terraform {
     # Use "greater than or equal to" range in modules
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = ">= 1.52.0, < 2.0.0"
+      version = ">= 1.69.0, < 2.0.0"
     }
   }
 }