feat: added pre-wired rule for IKS -> IS (VPC infrastructure) in fscloud submodule (#306)

Co-authored-by: Vincent Burckhardt <vincent.burckhardt@ie.ibm.com>

Author: Ak-sky

examples/fscloud/main.tf

@@ -69,6 +69,7 @@ module "cbr_account_level" {
   allow_vpcs_to_container_registry = var.allow_vpcs_to_container_registry
   allow_vpcs_to_cos                = var.allow_vpcs_to_cos
   allow_at_to_cos                  = var.allow_at_to_cos
+  allow_iks_to_is                  = var.allow_iks_to_is
 
   # Demonstrates how zone creation will be skipped for these two service references ["user-management", "iam-groups"]
   skip_specific_services_for_zone_creation = ["user-management", "iam-groups"]

examples/fscloud/variables.tf

@@ -69,3 +69,9 @@ variable "allow_at_to_cos" {
   description = "Set rule for Activity Tracker to COS, default is true"
   default     = true
 }
+
+variable "allow_iks_to_is" {
+  type        = bool
+  description = "Set rule for IKS to IS (VPC Infrastructure Services), default is true"
+  default     = true
+}

modules/fscloud/README.md

@@ -8,6 +8,7 @@ This module creates default coarse-grained CBR rules in a given account followin
 - VPCs where clusters are deployed -> COS
 - VPCs -> container registry
 - All ICD -> KMS
+- IKS -> IS (VPC Infrastructure Services)
 
 This module is designed to allow the consumer to add additional custom rules to open up additional flows necessarity for their usage. See the `custom_rule_contexts_by_service` input variable, and an [usage example](../../examples/fscloud/) demonstrating how to open up more flows.
 
@@ -50,6 +51,7 @@ The services 'compliance', 'directlink', 'iam-groups', 'containers-kubernetes',
 | <a name="input_allow_block_storage_to_kms"></a> [allow\_block\_storage\_to\_kms](#input\_allow\_block\_storage\_to\_kms) | Set rule for block storage to KMS, default is true | `bool` | `true` | no |
 | <a name="input_allow_cos_to_kms"></a> [allow\_cos\_to\_kms](#input\_allow\_cos\_to\_kms) | Set rule for COS to KMS, default is true | `bool` | `true` | no |
 | <a name="input_allow_icd_to_kms"></a> [allow\_icd\_to\_kms](#input\_allow\_icd\_to\_kms) | Set rule for ICD to KMS, deafult is true | `bool` | `true` | no |
+| <a name="input_allow_iks_to_is"></a> [allow\_iks\_to\_is](#input\_allow\_iks\_to\_is) | Set rule for IKS to IS (VPC Infrastructure Services), default is true | `bool` | `true` | no |
 | <a name="input_allow_roks_to_kms"></a> [allow\_roks\_to\_kms](#input\_allow\_roks\_to\_kms) | Set rule for ROKS to KMS, default is true | `bool` | `true` | no |
 | <a name="input_allow_vpcs_to_container_registry"></a> [allow\_vpcs\_to\_container\_registry](#input\_allow\_vpcs\_to\_container\_registry) | Set rule for VPCs to container registry, default is true | `bool` | `true` | no |
 | <a name="input_allow_vpcs_to_cos"></a> [allow\_vpcs\_to\_cos](#input\_allow\_vpcs\_to\_cos) | Set rule for VPCs to COS, default is true | `bool` | `true` | no |

modules/fscloud/main.tf

@@ -236,6 +236,13 @@ locals {
         var.allow_vpcs_to_container_registry ? [local.cbr_zone_vpcs.zone_id] : []
       ])
     }],
+    # IKS -> IS
+    "is" : [{
+      endpointType : "private",
+      networkZoneIds : flatten([
+        var.allow_iks_to_is ? [local.containers-kubernetes_cbr_zone_id] : []
+      ])
+    }],
   }
 
   prewired_rule_contexts_by_service_check = { for key, value in local.prewired_rule_contexts_by_service :

modules/fscloud/variables.tf

@@ -50,6 +50,12 @@ variable "allow_at_to_cos" {
   default     = true
 }
 
+variable "allow_iks_to_is" {
+  type        = bool
+  description = "Set rule for IKS to IS (VPC Infrastructure Services), default is true"
+  default     = true
+}
+
 variable "zone_service_ref_list" {
   type = list(string)
   validation {