feat: refactor connectivity modules and add DNS zone support

CODEOWNERS

@@ -1,3 +1,3 @@
-*         david.wenzel@stackit.cloud @mahauber
+*         @dweezl @mahauber @simpe00
 docs/*    @lweberru
 scripts/* @lweberru

examples/01-standalone/README.md

@@ -36,7 +36,6 @@ No resources.
 | <a name="input_organization_id"></a> [organization\_id](#input\_organization\_id) | Container ID of the root organization. | `string` | n/a | yes |
 | <a name="input_organization_owners"></a> [organization\_owners](#input\_organization\_owners) | List of organization owners. | `list(string)` | `[]` | no |
 | <a name="input_owner_email"></a> [owner\_email](#input\_owner\_email) | Email address of the owner. Required for STACKIT resource manager. | `string` | n/a | yes |
-| <a name="input_platform_admins"></a> [platform\_admins](#input\_platform\_admins) | List of platform administrators. | `list(string)` | `[]` | no |
 | <a name="input_region"></a> [region](#input\_region) | STACKIT region for regional resources. | `string` | `"eu01"` | no |
 | <a name="input_sandboxes"></a> [sandboxes](#input\_sandboxes) | List of sandboxes to create. | <pre>list(object({<br/>    project_name        = string<br/>    owner_emails        = optional(list(string))<br/>    project_owner_email = string<br/>  }))</pre> | `[]` | no |
 

examples/01-standalone/backend.tf

@@ -0,0 +1,14 @@
+# terraform {
+#   backend "s3" {
+#     bucket = "<BUCKET_NAME>"
+#     endpoints = {
+#       s3 = "https://object.storage.eu01.onstackit.cloud"
+#     }
+#     key                         = "terraform.tfstate"
+#     region                      = "eu01"
+#     skip_credentials_validation = true
+#     skip_region_validation      = true
+#     skip_requesting_account_id  = true
+#     skip_s3_checksum            = true
+#   }
+# }

examples/01-standalone/main.tf

@@ -50,6 +50,7 @@ module "management" {
 
 module "devops" {
   source = "../../modules/devops"
+  count  = var.devops_enabled ? 1 : 0
 
   owner_email         = var.owner_email
   naming_pattern      = "${var.company_code}-pltfm-devops-prod"
@@ -64,8 +65,9 @@ module "devops" {
 
 module "sandboxes" {
   source = "../../modules/sandboxes"
+  count  = length(var.sandboxes) > 0 ? 1 : 0
 
-  naming_prefix      = "${var.company_code}-sbx"
+  naming_prefix       = "${var.company_code}-sbx"
   parent_container_id = module.governance.folder_container_ids["sandboxes"]
   sandboxes           = var.sandboxes
 }

examples/01-standalone/outputs.tf

@@ -9,7 +9,7 @@ output "governance_folder_ids" {
 
 output "devops_project_id" {
   description = "The project ID of the DevOps project."
-  value       = module.devops.project_id
+  value       = length(module.devops) > 0 ? module.devops[0].project_id : null
 }
 
 output "management_project_id" {
@@ -19,7 +19,7 @@ output "management_project_id" {
 
 output "sandbox_projects" {
   description = "The created sandbox projects."
-  value       = module.sandboxes.projects
+  value       = length(module.sandboxes) > 0 ? module.sandboxes[0].projects : {}
 }
 
 output "landing_zone_projects" {

examples/01-standalone/terraform.tfvars

@@ -27,11 +27,6 @@ organization_auditors = [
   "auditor@example.com"
 ]
 
-# Users with admin access to the Platform folder (DevOps, Management)
-platform_admins = [
-  "platform-admin@example.com"
-]
-
 # Sandbox projects for experimentation / PoCs
 sandboxes = [
   {

examples/01-standalone/variables.tf

@@ -46,10 +46,10 @@ variable "organization_auditors" {
   default     = []
 }
 
-variable "platform_admins" {
-  type        = list(string)
-  description = "List of platform administrators."
-  default     = []
+variable "devops_enabled" {
+  type        = bool
+  description = "Whether to deploy the DevOps module (Git repository project)."
+  default     = true
 }
 
 variable "sandboxes" {

examples/02-hub-spoke/README.md

@@ -45,7 +45,6 @@ No resources.
 | <a name="input_organization_id"></a> [organization\_id](#input\_organization\_id) | Container ID of the root organization. | `string` | n/a | yes |
 | <a name="input_organization_owners"></a> [organization\_owners](#input\_organization\_owners) | List of organization owners. | `list(string)` | `[]` | no |
 | <a name="input_owner_email"></a> [owner\_email](#input\_owner\_email) | Email address of the owner. Required for STACKIT resource manager. | `string` | n/a | yes |
-| <a name="input_platform_admins"></a> [platform\_admins](#input\_platform\_admins) | List of platform administrators. | `list(string)` | `[]` | no |
 | <a name="input_region"></a> [region](#input\_region) | STACKIT region for regional resources. | `string` | `"eu01"` | no |
 | <a name="input_sandboxes"></a> [sandboxes](#input\_sandboxes) | List of sandboxes to create. | <pre>list(object({<br/>    project_name        = string<br/>    owner_emails        = optional(list(string))<br/>    project_owner_email = string<br/>  }))</pre> | `[]` | no |
 

examples/02-hub-spoke/backend.tf

@@ -0,0 +1,14 @@
+# terraform {
+#   backend "s3" {
+#     bucket = "<BUCKET_NAME>"
+#     endpoints = {
+#       s3 = "https://object.storage.eu01.onstackit.cloud"
+#     }
+#     key                         = "terraform.tfstate"
+#     region                      = "eu01"
+#     skip_credentials_validation = true
+#     skip_region_validation      = true
+#     skip_requesting_account_id  = true
+#     skip_s3_checksum            = true
+#   }
+# }

examples/02-hub-spoke/main.tf

@@ -49,37 +49,21 @@ module "management" {
   labels              = var.labels
 }
 
-###########################
-## CONNECTIVITY - GLOBAL ##
-###########################
+##################
+## CONNECTIVITY ##
+##################
 
-module "connectivity_global" {
-  source = "../../modules/connectivity-global"
-
-  organization_id = var.organization_id
-  labels          = var.labels
-  network_areas   = var.network_areas
-}
-
-#############################
-## CONNECTIVITY - REGIONAL ##
-#############################
-
-module "connectivity_regional" {
-  source = "../../modules/connectivity-regional"
+module "connectivity" {
+  source = "../../modules/connectivity"
 
   owner_email         = var.owner_email
   naming_pattern      = "${var.company_code}-pltfm-hub-prod"
   parent_container_id = module.governance.folder_container_ids["platform"]
   organization_id     = var.organization_id
-  network_area_id     = module.connectivity_global.network_area_ids[var.connectivity_regional_network_area]
   labels              = var.labels
-  firewall_zone       = var.firewall_zone
-  firewall_flavor     = var.firewall_flavor
-  vnet_range          = var.connectivity_vnet_range
-  firewall_ip         = var.firewall_ip
-
-  # for multiple regions define alias
+  dns_zones           = var.dns_zones
+  network_area        = var.network_area
+  firewall            = var.firewall
 }
 
 ############
@@ -88,6 +72,7 @@ module "connectivity_regional" {
 
 module "devops" {
   source = "../../modules/devops"
+  count  = var.devops_enabled ? 1 : 0
 
   owner_email         = var.owner_email
   naming_pattern      = "${var.company_code}-pltfm-devops-prod"
@@ -102,6 +87,7 @@ module "devops" {
 
 module "sandboxes" {
   source = "../../modules/sandboxes"
+  count  = length(var.sandboxes) > 0 ? 1 : 0
 
   naming_prefix       = "${var.company_code}-sbx"
   parent_container_id = module.governance.folder_container_ids["sandboxes"]
@@ -116,14 +102,16 @@ module "landing_zone" {
   source   = "../../modules/landing-zone"
   for_each = var.landing_zones
 
-  organization_id       = var.organization_id 
+  organization_id       = var.organization_id
   parent_container_id   = each.value.corporate ? module.governance.folder_container_ids["landing_zones_corporate"] : module.governance.folder_container_ids["landing_zones_public"]
   naming_pattern        = "${var.company_code}-lz-${each.value.project_code}-${each.value.env}"
-  network_area_id       = each.value.corporate ? module.connectivity_global.network_area_ids[var.connectivity_regional_network_area] : null
+  dns_zone_name         = "${each.value.project_code}-${each.value.env}-${var.region}-${split(".", values(module.connectivity.dns_zone_dns_names)[0])[0]}.stackit.run"
+  network_area_id       = each.value.corporate ? module.connectivity.network_area_id : null
+  corporate             = each.value.corporate
   owner_email           = each.value.owner_email
   labels                = var.labels
   role_assignments      = each.value.role_assignments
   network_prefix_length = each.value.network_prefix_length
   custom_roles          = each.value.custom_roles
-  firewall_next_hop_ip  = module.connectivity_regional.firewall_next_hop_ip
+  firewall_next_hop_ip  = var.firewall != null ? module.connectivity.firewall_next_hop_ip : null # if firewall is enabled, pass the next hop IP to the landing zones for route configuration
 }

examples/02-hub-spoke/outputs.tf

@@ -9,40 +9,43 @@ output "governance_folder_ids" {
 
 output "devops_project_id" {
   description = "The project ID of the DevOps project."
-  value       = module.devops.project_id
+  value       = length(module.devops) > 0 ? module.devops[0].project_id : null
 }
 
 output "management_project_id" {
   description = "The project ID of the Management project."
   value       = module.management.project_id
 }
 
-output "connectivity_global_network_area_ids" {
-  description = "Map of network area names to their IDs."
-  value       = module.connectivity_global.network_area_ids
+output "connectivity_network_area_id" {
+  description = "The network area ID created by the regional module."
+  value       = module.connectivity.network_area_id
 }
 
-output "connectivity_regional_project_id" {
-  description = "The project ID of the regional connectivity project."
-  value       = module.connectivity_regional.project_id
+output "connectivity_project_id" {
+  description = "The project ID of the connectivity project."
+  value       = module.connectivity.project_id
 }
 
-output "connectivity_regional_firewall_public_ip" {
+output "connectivity_firewall_public_ip" {
   description = "The public IP of the firewall."
-  value       = module.connectivity_regional.firewall_public_ip
+  value       = module.connectivity.firewall_public_ip
 }
 
 output "sandbox_projects" {
   description = "The created sandbox projects."
-  value       = module.sandboxes.projects
+  value       = length(module.sandboxes) > 0 ? module.sandboxes[0].projects : {}
 }
 
 output "landing_zone_projects" {
   description = "Map of landing zone project IDs."
   value = {
     for k, v in module.landing_zone : k => {
-      project_id   = v.project_id
-      project_name = v.project_name
+      project_id    = v.project_id
+      project_name  = v.project_name
+      dns_zone_name = v.dns_zone_dns_name
+      landing_zone_type = v.landing_zone_type
+      connected_network_area_id = v.connected_network_area_id == null ? "" : v.connected_network_area_id
     }
   }
 }