
cloud-design-dev/ibmcloud-vpc-with-bastion-vpn


ibmcloud-mzr-lab

Terraform code to deploy an IBM Cloud multi-zone region (MZR) VPC with a VPN or bastion host. This is a work in progress and currently creates:

  • ✅ MZR VPC
  • ✅ Public Gateway per zone for Frontend subnets
  • ✅ Frontend subnet per zone
  • ✅ Frontend Security Group for SSH, Web, and VPN
    • Inbound: 80/tcp, 443/tcp, 22/tcp, 51280/udp
    • Outbound: all
  • ✅ Cloud Object Storage instance for flow logs (target an existing instance or create a new one)
  • ✅ IAM authorization policy so that flow logs can write to the COS instance
  • ✅ COS bucket for each Frontend subnet
  • ✅ Flow logs collector for each Frontend subnet
  • ✅ Logging instance, with the ability to use an existing instance or deploy a new one
  • ❌ VPN server with WireGuard
  • ✅ Bastion server
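The flow-log pieces above (authorization policy, one collector per Frontend subnet) fit together as in the following added example. This is illustrative HCL written for this page, not the repository's own code: the `locals` block holds constructed placeholder values for the COS instance GUID, subnet IDs and bucket names that the repository would normally derive from its modules, and the `for_each` layout is an assumption about how the per-subnet collectors are shaped. The point it demonstrates is the scope of the authorization: the policy grants only the `Writer` role, only to the flow-log collector service, and only on the one COS instance, which is the least privilege the collectors need.

```hcl
# Added example; not from the cloud-design-dev repository.
# Placeholder values are constructed and must be replaced in real use.

variable "project_prefix" {
  type    = string
  default = "lab"
}

locals {
  # Constructed placeholders standing in for module outputs.
  cos_instance_guid = "00000000-0000-0000-0000-000000000000"

  # One entry per Frontend subnet (zone => subnet and its flow-log bucket).
  frontend_subnets = {
    "zone-1" = { subnet_id = "0717-subnet-placeholder-1", bucket_name = "lab-zone-1-flowlogs" }
    "zone-2" = { subnet_id = "0717-subnet-placeholder-2", bucket_name = "lab-zone-2-flowlogs" }
  }
}

# Service-to-service authorization: the VPC flow-log collector service
# ("is" / "flow-log-collector") may write into this specific COS instance.
# Writer is the minimum role the collector needs; nothing broader is granted.
resource "ibm_iam_authorization_policy" "cos_flowlogs" {
  source_service_name         = "is"
  source_resource_type        = "flow-log-collector"
  target_service_name         = "cloud-object-storage"
  target_resource_instance_id = local.cos_instance_guid
  roles                       = ["Writer"]
}

# One collector per Frontend subnet. depends_on ensures the authorization
# exists before the collector is created; otherwise the create fails with
# an access error against the bucket.
resource "ibm_is_flow_log" "frontend" {
  for_each   = local.frontend_subnets
  depends_on = [ibm_iam_authorization_policy.cos_flowlogs]

  name           = "${var.project_prefix}-${each.key}-flowlog"
  target         = each.value.subnet_id
  active         = true
  storage_bucket = each.value.bucket_name
}
```

After `terraform apply`, `terraform state show 'ibm_is_flow_log.frontend["zone-1"]'` should report `active = true` and the expected bucket; the authorization policy should list exactly one role.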

Modules

| Name | Source | Version |
|------|--------|---------|
| cos | git::https://github.com/terraform-ibm-modules/terraform-ibm-cos | v5.3.1 |
| fowlogs_cos_bucket | git::https://github.com/terraform-ibm-modules/terraform-ibm-cos | v5.3.1 |
| logging | git::https://github.com/terraform-ibm-modules/terraform-ibm-observability-instances | main |
| resource_group | git::https://github.com/terraform-ibm-modules/terraform-ibm-resource-group.git | v1.0.5 |
| security_group | terraform-ibm-modules/vpc/ibm//modules/security-group | 1.1.1 |
| vpc | terraform-ibm-modules/vpc/ibm//modules/vpc | 1.1.1 |

Resources

| Name | Type |
|------|------|
| ibm_iam_authorization_policy.cos_flowlogs | resource |
| ibm_is_floating_ip.bastion | resource |
| ibm_is_flow_log.frontend | resource |
| ibm_is_instance.bastion | resource |
| ibm_is_ssh_key.generated_key | resource |
| null_resource.create_private_key | resource |
| random_shuffle.region | resource |
| random_string.prefix | resource |
| tls_private_key.ssh | resource |
| ibm_is_image.base | data source |
| ibm_is_ssh_key.sshkey | data source |
| ibm_is_zones.regional | data source |
| ibm_resource_instance.cos | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| allow_ip_spoofing | Allow IP spoofing on the bastion instance primary interface. | `bool` | `false` | no |
| classic_access | Allow classic access to the VPC. | `bool` | `false` | no |
| default_address_prefix | The address prefix to use for the VPC. Default is set to auto. | `string` | `"auto"` | no |
| existing_cos_instance | The name of an existing COS instance to use. If not specified, a new instance will be created. | `string` | `""` | no |
| existing_resource_group | Resource group to use for all deployed resources. If not specified, a new one will be created. | `string` | n/a | yes |
| existing_ssh_key | The name of an existing SSH key to use. If not specified, a new key will be created. | `string` | `""` | no |
| frontend_rules | A list of security group rules to be added to the Frontend security group. | `list(object({...}))` (full type below) | see default below | no |
| image_name | The name of an existing OS image to use. You can list available images with the command `ibmcloud is images`. | `string` | `"ibm-ubuntu-22-04-1-minimal-amd64-3"` | no |
| instance_profile | The name of an existing instance profile to use. You can list available instance profiles with the command `ibmcloud is instance-profiles`. | `string` | `"cx2-2x4"` | no |
| metadata_service_enabled | Enable the metadata service on the bastion instance. | `bool` | `true` | no |
| owner | Project owner or identifier. This is used as a tag on all supported resources. | `string` | n/a | yes |
| project_prefix | Prefix to be added to all deployed resources. If none provided, one will be automatically generated. | `string` | n/a | yes |
| region | IBM Cloud Region where resources will be deployed. If not specified, one will be randomly selected. To see available regions, run `ibmcloud is regions`. | `string` | n/a | yes |

Type of `frontend_rules`:

```hcl
list(object({
  name      = string
  direction = string
  remote    = string
  tcp = optional(object({
    port_max = optional(number)
    port_min = optional(number)
  }))
  udp = optional(object({
    port_max = optional(number)
    port_min = optional(number)
  }))
  icmp = optional(object({
    type = optional(number)
    code = optional(number)
  }))
}))
```

Default value of `frontend_rules`:

```json
[
  {
    "direction": "inbound",
    "ip_version": "ipv4",
    "name": "inbound-vpn-udp",
    "remote": "0.0.0.0/0",
    "udp": { "port_max": 51280, "port_min": 51280 }
  },
  {
    "direction": "inbound",
    "ip_version": "ipv4",
    "name": "inbound-http",
    "remote": "0.0.0.0/0",
    "tcp": { "port_max": 80, "port_min": 80 }
  },
  {
    "direction": "inbound",
    "ip_version": "ipv4",
    "name": "inbound-https",
    "remote": "0.0.0.0/0",
    "tcp": { "port_max": 443, "port_min": 443 }
  },
  {
    "direction": "inbound",
    "ip_version": "ipv4",
    "name": "inbound-ssh",
    "remote": "0.0.0.0/0",
    "tcp": { "port_max": 22, "port_min": 22 }
  },
  {
    "direction": "inbound",
    "icmp": { "code": 0, "type": 8 },
    "ip_version": "ipv4",
    "name": "inbound-icmp",
    "remote": "0.0.0.0/0"
  },
  {
    "direction": "outbound",
    "ip_version": "ipv4",
    "name": "all-outbound",
    "remote": "0.0.0.0/0"
  }
]
```
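The default `frontend_rules` admit SSH (22/tcp) and ICMP echo from `0.0.0.0/0`, which is the widest exposure a bastion can have. Because the whole rule list is an input, the exposure can be narrowed without touching the module. The following `terraform.tfvars` is an added example written for this page, not a file shipped with the repository; it keeps the web and WireGuard listeners world-reachable (VPN peers roam, and the tunnel is key-authenticated) but scopes SSH and ICMP to an administrative CIDR. The range `203.0.113.0/24` is a constructed documentation value; substitute your own. Only attributes declared in the input's type are used, so `ip_version` from the shipped default is omitted.

```hcl
# terraform.tfvars -- added example, not part of the repository.
# Replaces the default frontend_rules with a set that confines SSH and ICMP
# to an admin CIDR. 203.0.113.0/24 is a constructed placeholder.

frontend_rules = [
  # Weak default for contrast (SSH from anywhere); do not include it
  # together with the narrowed rule that follows:
  #
  # { name = "inbound-ssh", direction = "inbound", remote = "0.0.0.0/0",
  #   tcp = { port_min = 22, port_max = 22 } },

  # SSH only from the administrative network.
  {
    name      = "inbound-ssh-admin"
    direction = "inbound"
    remote    = "203.0.113.0/24"
    tcp       = { port_min = 22, port_max = 22 }
  },

  # ICMP echo request (type 8, code 0) only from the administrative network.
  {
    name      = "inbound-icmp-admin"
    direction = "inbound"
    remote    = "203.0.113.0/24"
    icmp      = { type = 8, code = 0 }
  },

  # WireGuard listener on the port the README uses; peers connect from
  # arbitrary addresses, so this stays open and relies on key authentication.
  {
    name      = "inbound-vpn-udp"
    direction = "inbound"
    remote    = "0.0.0.0/0"
    udp       = { port_min = 51280, port_max = 51280 }
  },

  # Public web listeners, unchanged from the default.
  {
    name      = "inbound-http"
    direction = "inbound"
    remote    = "0.0.0.0/0"
    tcp       = { port_min = 80, port_max = 80 }
  },
  {
    name      = "inbound-https"
    direction = "inbound"
    remote    = "0.0.0.0/0"
    tcp       = { port_min = 443, port_max = 443 }
  },

  # Unrestricted egress, unchanged from the default.
  {
    name      = "all-outbound"
    direction = "outbound"
    remote    = "0.0.0.0/0"
  }
]
```

Run `terraform plan` and check that the security-group rule for port 22 shows `remote = "203.0.113.0/24"` and that no rule for port 22 remains with `0.0.0.0/0`. After apply, `ibmcloud is security-group-rules <security-group-id>` lists the live rules for the same check.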

Outputs

| Name | Description |
|------|-------------|
| bastion_public_ip | Public IP of the bastion instance. |
| cos_bucket_names | n/a |
| cos_instance_guid | The details of the COS instance. |
| frontend_subnet_ids | The IDs of the frontend subnets. |
| public_gateway_ids | The IDs of the public gateways. |
| region | IBM Cloud Region where resources are deployed. |
| vpc_id | The ID of the VPC. |

About

☁️ Base template for an IBM Cloud VPC with VPN or Bastion host
