diff --git a/cra-tf-validate-ignore-rules.json b/cra-tf-validate-ignore-rules.json
index a9ad3b2..8196ecf 100644
--- a/cra-tf-validate-ignore-rules.json
+++ b/cra-tf-validate-ignore-rules.json
@@ -9,7 +9,7 @@
{
"scc_rule_id": "rule-d544f217-3723-4376-b3aa-037c5f201e8d",
"description": "Check whether Application Load Balancer for VPC uses HTTPS (SSL & TLS) instead of HTTP",
- "ignore_reason": "This rule is not relevant since ALB will be a member of the Private path NLB.",
+ "ignore_reason": "This rule is not relevant since ALB will be a member of the Private Path NLB.",
"is_valid": false
}
]
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 695f1d1..aeb1410 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -23,29 +23,43 @@
"terraform",
"solution"
],
- "short_description": "Automates the deployment of a VPC Private path service on IBM Cloud with integration of Application loadbalancer for external connectivity.",
- "long_description": "Private network connectivity is essential for IBM Cloud customers who prioritize privacy, security, and compliance.\n\nThrough Private path services for VPC, providers can deliver their cloud and on-premises services over the IBM Cloud private network backbone, ensuring secure and private interactions for consumers.\n\nYou can use this solution to provision and configure a VPC Private path service to securely connect services hosted in IBM Cloud VPC, on-premise or other reachable external locations.\n\nℹ️ This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.",
+ "short_description": "Automates the deployment of a VPC Private Path service on IBM Cloud with integration of Application load balancer for external connectivity.",
+ "long_description": "Private network connectivity is essential for IBM Cloud customers who prioritize privacy, security, and compliance.\n\nThrough Private Path services for VPC, providers can deliver their cloud and on-premises services over the IBM Cloud private network backbone, ensuring secure and private interactions for consumers.\n\n\nYou can use this solution to provision and configure a VPC Private Path service to securely connect services hosted in IBM Cloud VPC, on-premise or other reachable external locations.\n\nℹ️ This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.",
"offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-vpc-private-path-external-connectivity/blob/main/solutions/fully-configurable/README.md",
"offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-vpc-private-path-external-connectivity/main/images/private_path.svg",
"provider_name": "IBM",
"features": [
{
"title": "Application load balancer",
- "description": "Sets up an IBM Cloud Application load balancer (ALB) within a Virtual Private Cloud (VPC) environment to manage and distribute incoming network traffic across multiple backend targets. [Learn more](https://cloud.ibm.com/docs/vpc?topic=vpc-load-balancers)."
+ "description": "Sets up an IBM Cloud Application load balancer (ALB) within a Virtual Private Cloud (VPC) environment to manage and distribute incoming network traffic across multiple backend targets. [Learn more](https://cloud.ibm.com/docs/vpc?topic=vpc-load-balancers)"
},
{
"title": "Private Path Network load balancer.",
- "description": "Sets up an IBM Private Path Network load balancer with a backend pool to connect to the VPE Gateway. [Learn more](https://cloud.ibm.com/docs/vpc?topic=vpc-ppnlb-ui-creating-private-path-network-load-balancer&interface=ui)."
+ "description": "Sets up an IBM Private Path Network load balancer with a backend pool to connect to the VPE Gateway. [Learn more](https://cloud.ibm.com/docs/vpc?topic=vpc-ppnlb-ui-creating-private-path-network-load-balancer&interface=ui)"
},
{
"title": "Private Path service",
- "description": "Creates an IBM VPC Private Path services provide private connectivity for IBM Cloud and third-party services. [Learn more](https://cloud.ibm.com/docs/vpc?topic=vpc-private-path-service-intro)."
+ "description": "Creates an IBM VPC Private Path services provide private connectivity for IBM Cloud and third-party services. [Learn more](https://cloud.ibm.com/docs/vpc?topic=vpc-private-path-service-intro)"
+ },
+ {
+ "title": "Observability",
+ "description": "This solution can leverage [Cloud automation for Observability](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-observability-a3137d28-79e0-479d-8a24-758ebd5a0eab-global) that supports configuring resources for logging, monitoring and activity tracker event routing (optional)."
+ },
+ {
+ "title": "Object Storage",
+ "description": "Creates and configures an [Object Storage bucket](https://cloud.ibm.com/docs/openshift?topic=openshift-storage-cos-understand) to store VPC flow logs as part of the deployment. You can provide an existing COS Instance or use the [Cloud automation for Object Storage](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-cos-68921490-2778-4930-ac6d-bae7be6cd958-global) for creating a new instance."
+ },
+ {
+ "title": "KMS Encryption",
+ "description": "Optionally you can enable key management services(KMS) [encryption](https://cloud.ibm.com/docs/openshift?topic=openshift-encryption-secrets) of the Object Storage bucket using either a newly created key or an existing one."
}
],
+ "support_details": "This product is in the community registry, as such support is handled through the [original repo](https://github.com/terraform-ibm-modules/terraform-ibm-vpc-private-path-external-connectivity). If you experience issues please open an issue [here](https://github.com/terraform-ibm-modules/terraform-ibm-vpc-private-path-external-connectivity/issues). Please note this product is not supported via the IBM Cloud Support Center.",
"flavors": [
{
"label": "Fully configurable",
"name": "fully-configurable",
+ "index": 1,
"install_type": "fullstack",
"working_directory": "solutions/fully-configurable",
"compliance": {
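Review bot: The Private Path feature description still reads as a broken sentence after this edit — `Creates an IBM VPC Private Path services provide private connectivity ...` only lost its trailing period; suggest `"description": "Creates an IBM VPC Private Path service, which provides private connectivity for IBM Cloud and third-party services. [Learn more](https://cloud.ibm.com/docs/vpc?topic=vpc-private-path-service-intro)"`. Two smaller things in the same hunk: `services(KMS)` on the KMS Encryption line is missing a space before the parenthesis, and the new `long_description` carries a `\n\n\n` where every other paragraph break uses `\n\n`. The Object Storage and KMS feature links point at `openshift`-topic doc pages rather than Object Storage or Key Protect pages; presumably copied from another catalog entry, so confirm they are the intended targets.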
@@ -58,12 +72,26 @@
]
},
"iam_permissions": [
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::role:Viewer"
+ ],
+ "service_name": "Resource group only",
+ "notes": "Viewer access is required in the resource group you want to provision in."
+ },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::role:Administrator"
+ ],
+ "service_name": "All Account Management services",
+ "notes": "[Optional] Required for consuming Account Configuration deployable architecture which creates resource group."
+ },
{
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator"
],
- "service_name": "iam-identity",
- "notes": "[Optional] Required if Cloud automation for account configuration is enabled."
+ "service_name": "All Identity and Access enabled services",
+ "notes": "[Optional] Required for consuming Account Configuration deployable architecture which creates resource group with account settings."
},
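Review bot: The two new entries granting Administrator on `All Account Management services` and `All Identity and Access enabled services` are account-wide roles that go well beyond what this deployable architecture creates itself, and the notes only say they serve the Account Configuration dependency. Since an existing resource group can be supplied instead (`existing_resource_group_name` in the configuration section of this file), the notes should say the grants can be omitted in that case, e.g. `"notes": "[Optional] Only required when the Account Configuration deployable architecture is enabled to create the resource group; not needed when an existing resource group is supplied."` on both entries. Replacing the narrower `iam-identity` entry with the `All Identity and Access enabled services` scope also deserves a sentence in the commit description explaining why the narrower service name was insufficient.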
{
"role_crns": [
@@ -74,17 +102,51 @@
},
{
"role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
],
- "service_name": "is.vpc",
- "notes": "Required for creating Private-path service and Application Load balancer."
+ "service_name": "cloud-object-storage",
+ "notes": "[Optional] Required if Cloud automation for Virtual Private Cloud(VPC) is enabled which sets up a bucket to store VPC flow logs as part of the deployment."
},
{
"role_crns": [
- "crn:v1:bluemix:public:iam::::role:Viewer"
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
],
- "service_name": "Resource group only",
- "notes": "Viewer access is required in the resource group you want to provision in."
+ "service_name": "kms",
+ "notes": "[Optional] Required if Key protect is used for encryption of Object Storage bucket which stores VPC flow logs."
+ },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "service_name": "hs-crypto",
+ "notes": "[Optional] Required if you are creating/configuring keys in an existing Hyper Protect Crypto Services (HPCS) instance for encryption."
+ },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "service_name": "sysdig-monitor",
+ "notes": "[Optional] Required if you are consuming Observability deployable architecture which sets up Cloud monitoring."
+ },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "service_name": "logs",
+ "notes": "[Optional] Required if you are consuming Observability deployable architecture which sets up Cloud logs."
+ },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Writer",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "service_name": "atracker",
+ "notes": "[Optional] Required if you are consuming Observability deployable architecture which sets up Activity Tracker Event Routing."
}
],
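Review bot: The `is.vpc` / Editor entry with the note `Required for creating Private-path service and Application Load balancer.` is rewritten into the `cloud-object-storage` entry rather than kept, so the one non-optional permission for the resources this architecture provisions itself disappears from `iam_permissions`. The entry immediately above this hunk (old lines 70-73) is not visible here; if it already lists `is.vpc` this is fine, otherwise the removed block should be restored as its own entry alongside the new optional ones. The `Resource group only` / Viewer entry removed here reappears at the top of the list in the previous hunk, so that part is a pure move.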
"configuration": [
@@ -107,10 +169,33 @@
"key": "prefix",
"required": true
},
+ {
+ "key": "enable_platform_metrics",
+ "type": "string",
+ "default_value": true,
+ "description": "When set to `true`, the IBM Cloud Monitoring instance will be configured to collect platform metrics from the provided region. You can configure 1 instance only of the IBM Cloud Monitoring service per region to collect platform metrics in that location. Check with the account or service administrator if another monitoring instance has already been configured. You may not have permissions to see all monitoring instances in the region. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-platform_metrics_enabling).",
+ "required": true,
+ "virtual": true
+ },
+ {
+ "key": "logs_routing_tenant_regions",
+ "type": "list(string)",
+ "default_value": "[]",
+ "description": "To manage platform logs that are generated by IBM Cloud services in a region of IBM Cloud, you must create a tenant in each region that you operate. Pass a list of regions to create a tenant in. [Learn more](https://cloud.ibm.com/docs/logs-router?topic=logs-router-about-platform-logs).",
+ "required": true,
+ "virtual": true,
+ "custom_config": {
+ "grouping": "deployment",
+ "original_grouping": "deployment",
+ "config_constraints": {
+ "type": "string"
+ }
+ }
+ },
{
"key": "existing_resource_group_name",
"display_name": "resource_group",
- "required": true,
+ "type": "string",
"custom_config": {
"type": "resource_group",
"grouping": "deployment",
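Review bot: `enable_platform_metrics` is declared `"type": "string"` but its `default_value` is the JSON boolean `true`, and its description talks about setting it to `true`; the type should match, `"type": "boolean"`, unless the catalog schema for this key deliberately takes a string. In the same hunk `existing_resource_group_name` loses `"required": true`, which makes the null path reachable from the catalog UI, while the `variables.tf` hunk later in this diff keeps `default = null` and removes the only sentence that said what happens in that case — either the variable description or a `validation` block should now cover it. The `"[]"` string default with `config_constraints.type: string` for `logs_routing_tenant_regions` matches how list inputs are already declared in this file, so that part reads fine.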
@@ -240,11 +325,11 @@
"key": "application_loadbalancer_type",
"options": [
{
- "displayname": "public",
+ "displayname": "Public",
"value": "public"
},
{
- "displayname": "private",
+ "displayname": "Private",
"value": "private"
}
]
@@ -284,15 +369,15 @@
"hidden": true,
"options": [
{
- "displayname": "private",
+ "displayname": "Private",
"value": "private"
},
{
- "displayname": "public",
+ "displayname": "Public",
"value": "public"
},
{
- "displayname": "public-and-private",
+ "displayname": "Public-and-Private",
"value": "public-and-private"
}
]
@@ -309,10 +394,10 @@
{
"diagram": {
"caption": "VPC Private Path topology",
- "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-vpc-private-path-external-connectivity/main/reference-architectures/private-path-external-connectivity.svg",
+ "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-vpc-private-path-external-connectivity/main/reference-architectures/deployable-architecture-private-path-external-connectivity.svg",
"type": "image/svg+xml"
},
- "description": "You can deploy a Private Path service on IBM Cloud to facilitate secure, private connectivity between IBM Cloud Virtual Private Cloud (VPC) environments and on-premises networks or external services using this solution. This solution automates the deployment of IBM Cloud's Private Path and Application Load Balancer (ALB) services to enable enterprises to establish robust, private, and scalable network connections.
The Private Path service establishes private Layer 3 network connectivity between IBM Cloud VPC resources and external destinations such as on-premises data centers or other cloud environments. It leverages secure IPsec tunnels and Direct Link connections to maintain encrypted, low-latency communication, ensuring sensitive workloads can operate within a highly secure, isolated network path that bypasses the public internet.
By automating the provisioning and configuration of these components, the solution delivers a seamless, production-ready framework for establishing hybrid connectivity, optimizing both performance and security. This approach enhances operational agility while maintaining enterprise-grade standards for secure data exchange across cloud and on-premises boundaries.
You can create a fully-configured VPC by selecting the [Cloud automation for VPC](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-vpc-2af61763-f8ef-4527-a815-b92166f29bc8-global) dependency or you can use an existing VPC if any. The VPC can be provisioned either in a single-zone or multi-zone configuration, depending on your availability requirements. By default, the VPC addon provisions a three-zone VPC."
+ "description": "This architecture provisions a Private Path service on IBM Cloud to facilitate secure, private connectivity between IBM Cloud Virtual Private Cloud (VPC) environments and on-premises networks or external services using this solution. This solution automates the deployment of IBM Cloud's Private Path and Application Load Balancer (ALB) services to enable enterprises to establish robust, private, and scalable network connections.
The Private Path service establishes private Layer 3 network connectivity between IBM Cloud VPC resources and external destinations such as on-premises data centers or other cloud environments. It leverages secure IPsec tunnels and Direct Link connections to maintain encrypted, low-latency communication, ensuring sensitive workloads can operate within a highly secure, isolated network path that bypasses the public internet.
By automating the provisioning and configuration of these components, the solution delivers a seamless, production-ready framework for establishing hybrid connectivity, optimizing both performance and security. This approach enhances operational agility while maintaining enterprise-grade standards for secure data exchange across cloud and on-premises boundaries.
You can create a fully-configured VPC by selecting the [Cloud automation for VPC](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-vpc-2af61763-f8ef-4527-a815-b92166f29bc8-global) dependency or you can use an existing VPC if any. The VPC can be provisioned either in a single-zone or multi-zone configuration, depending on your availability requirements. By default, the VPC addon provisions a three-zone VPC."
}
]
},
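Review bot: The retained sentence `It leverages secure IPsec tunnels and Direct Link connections to maintain encrypted, low-latency communication` conflicts with the `long_description` earlier in this file, which describes Private Path as delivering services over the IBM Cloud private network backbone, and none of the inputs visible in this diff reference IPsec or Direct Link; an architecture description should only promise encryption in transit that the deployed components actually provide, so that sentence should be verified against the module or dropped. The new first sentence also ends with `using this solution` and is immediately followed by `This solution automates ...`, which reads doubled. If the line breaks inside this `description` value are literal newlines rather than the `\n` escapes used in `long_description`, the file is not valid strict JSON; presumably the diff rendering flattened them, but worth a check.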
@@ -344,7 +429,7 @@
},
{
"name": "deploy-arch-ibm-vpc",
- "description": "Provisions and configure the VPC instance and subnets where the Private path resources will be deployed.",
+ "description": "Provisions and configures the VPC instance and subnets where the Private Path resources will be deployed.",
"catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3",
"flavors": [
"fully-configurable"
@@ -369,6 +454,16 @@
{
"dependency_output": "vpc_id",
"version_input": "existing_vpc_id"
+ },
+ {
+ "dependency_input": "enable_platform_metrics",
+ "version_input": "enable_platform_metrics",
+ "reference_version": true
+ },
+ {
+ "dependency_input": "logs_routing_tenant_regions",
+ "version_input": "logs_routing_tenant_regions",
+ "reference_version": true
}
],
"optional": true,
diff --git a/reference-architectures/private-path-external-connectivity.svg b/reference-architectures/deployable-architecture-private-path-external-connectivity.svg
similarity index 100%
rename from reference-architectures/private-path-external-connectivity.svg
rename to reference-architectures/deployable-architecture-private-path-external-connectivity.svg
diff --git a/solutions/fully-configurable/outputs.tf b/solutions/fully-configurable/outputs.tf
index 0f0ffac..d4550c7 100644
--- a/solutions/fully-configurable/outputs.tf
+++ b/solutions/fully-configurable/outputs.tf
@@ -65,7 +65,7 @@ output "nlb_listener_id" {
}
output "private_path_crn" {
- description = "The CRN for this private path service gateway."
+ description = "The CRN for this Private Path service gateway."
value = module.private_path.private_path_crn
}
@@ -75,7 +75,7 @@ output "private_path_id" {
}
output "private_path_vpc" {
- description = "The VPC this private path service gateway resides in."
+ description = "The VPC this Private Path service gateway resides in."
value = module.private_path.private_path_vpc
}
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index ba3b157..c2244b9 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -10,13 +10,14 @@ variable "ibmcloud_api_key" {
variable "existing_resource_group_name" {
type = string
- description = "The name of an existing resource group to provision the resources. If not provided the default resource group will be used."
+ description = "The name of an existing resource group to provision the resources."
default = null
}
variable "region" {
type = string
- description = "The region in which the VPC resources are provisioned."
+ description = "The region to provision all the resources in. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/region) about how to select different regions for different services."
+ default = "us-south"
}
variable "provider_visibility" {
@@ -59,13 +60,13 @@ variable "prefix" {
variable "private_path_tags" {
type = list(string)
- description = "Optional list of tags to be added to the private path service."
+ description = "Optional list of tags to be added to the Private Path service."
default = []
}
variable "private_path_access_tags" {
type = list(string)
- description = "A list of access tags to apply to the private path service created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details."
+ description = "A list of access tags to apply to the Private Path service created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details."
default = []
}
@@ -74,7 +75,7 @@ variable "private_path_access_tags" {
##############################################################################
variable "existing_vpc_id" {
- description = "The ID of an existing VPC. If the user provides only the `existing_vpc_id` the private path service will be provisioned in the first subnet."
+ description = "The ID of an existing VPC. If the user provides only the `existing_vpc_id`, the Private Path service will be provisioned in the first subnet."
type = string
default = null
validation {
@@ -107,7 +108,7 @@ variable "application_loadbalancer_type" {
variable "application_loadbalancer_pool_algorithm" {
type = string
- description = "The load-balancing algorithm for private path netwrok load balancer pool members. Supported values are `round_robin` or `weighted_round_robin`."
+ description = "The load-balancing algorithm for Private Path network load balancer pool members. Supported values are `round_robin` or `weighted_round_robin`."
default = "round_robin"
}
@@ -149,7 +150,7 @@ variable "application_loadbalancer_pool_protocol" {
variable "application_loadbalancer_listener_port" {
type = number
- description = "The listener port for the private path netwrok load balancer."
+ description = "The listener port for the Private Path network load balancer."
default = 80
}
@@ -183,13 +184,13 @@ variable "application_loadbalancer_listener_certificate_instance" {
variable "network_loadbalancer_name" {
type = string
- description = "The name of the private path netwrok load balancer."
+ description = "The name of the Private Path network load balancer."
default = "pp-nlb"
}
variable "network_loadbalancer_listener_port" {
type = number
- description = "The listener port for the private path netwrok load balancer."
+ description = "The listener port for the Private Path network load balancer."
default = 80
}
@@ -201,7 +202,7 @@ variable "network_loadbalancer_listener_accept_proxy_protocol" {
variable "network_loadbalancer_pool_algorithm" {
type = string
- description = "The load-balancing algorithm for private path netwrok load balancer pool members. Supported values are `round_robin` or `weighted_round_robin`."
+ description = "The load-balancing algorithm for Private Path network load balancer pool members. Supported values are `round_robin` or `weighted_round_robin`."
default = "round_robin"
}
@@ -276,7 +277,7 @@ variable "private_path_name" {
variable "private_path_publish" {
type = bool
- description = "Set this variable to `true` to allows any account to request access to to the Private Path service. If need be, you can also unpublish where access is restricted to the account that created the Private Path service by setting this variable to `false`."
+ description = "Set this variable to `true` to allow any account to request access to the Private Path service. If need be, you can also unpublish where access is restricted to the account that created the Private Path service by setting this variable to `false`."
default = false
}