feat: The value of service_endpoints now defaults to "private" (was previously "public-and-private"). This means when updating to this version from a previous version, the instance will be updated in place and public endpoint access will be removed. If public access is still required, ensure to explicitly set thre service_endpoints to either "public" or "public-and-private" (#449)

whoffler · web-flow · commit fdb5b5f59ec5 · 2025-05-13T15:30:04.000+01:00
diff --git a/README.md b/README.md
@@ -112,7 +112,7 @@ To create service credentials, access the Event Notifications service, and acces
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group where the Event Notifications instance is created. | `string` | n/a | yes |
 | <a name="input_root_key_id"></a> [root\_key\_id](#input\_root\_key\_id) | The key ID of a root key, existing in the KMS instance passed in `var.existing_kms_instance_crn`, which will be used to encrypt the data encryption keys which are then used to encrypt the data. Required only if `var.kms_encryption_enabled` is set to `true`. | `string` | `null` | no |
 | <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event Notifications instance. | `map(string)` | `{}` | no |
-| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable public, or both public and private service endpoints. Possible values: `public`, `public-and-private` | `string` | `"public-and-private"` | no |
+| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable public, private, or both public and private service endpoints. Possible values: `public`, `private`, `public-and-private`. | `string` | `"private"` | no |
 | <a name="input_skip_en_cos_auth_policy"></a> [skip\_en\_cos\_auth\_policy](#input\_skip\_en\_cos\_auth\_policy) | Set to `true` to skip the creation of an IAM authorization policy that permits the Event Notifications instance `Object Writer` and `Reader` access to the given Object Storage bucket. Ignored if `cos_integration_enabled` is set to `false`. | `bool` | `false` | no |
 | <a name="input_skip_en_kms_auth_policy"></a> [skip\_en\_kms\_auth\_policy](#input\_skip\_en\_kms\_auth\_policy) | Set to `true` to skip the creation of an IAM authorization policy that permits the Event Notifications instance to read the encryption key from the KMS instance. If set to `false`, a value must be passed for the KMS instance and key using inputs `existing_kms_instance_crn` and `root_key_id`. In addition, no policy is created if `kms_encryption_enabled` is set to `false`. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | The list of tags to add to the Event Notifications instance. | `list(string)` | `[]` | no |
diff --git a/ibm_catalog.json b/ibm_catalog.json
@@ -332,6 +332,10 @@
                   "displayname": "public",
                   "value": "public"
                 },
+                {
+                  "displayname": "private",
+                  "value": "private"
+                },
                 {
                   "displayname": "public-and-private",
                   "value": "public-and-private"
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
@@ -9,7 +9,7 @@ module "event_notification" {
   root_key_id               = var.root_key_id
   kms_endpoint_url          = var.kms_endpoint_url
   tags                      = var.tags
-  service_endpoints         = "public-and-private"
+  service_endpoints         = "private"
   cbr_rules                 = var.cbr_rules
   region                    = var.region
   service_credential_names  = var.service_credential_names
diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md
@@ -90,7 +90,7 @@ When `existing_en_instance_crn` is passed, this solution ignores ALL other input
 | <a name="input_region"></a> [region](#input\_region) | The region in which the Event Notifications resources are provisioned. | `string` | `"us-south"` | no |
 | <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event Notifications instance. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/tree/main/solutions/fully-configurable/DA-types.md#service-credential-secrets | `map(string)` | `{}` | no |
 | <a name="input_service_credential_secrets"></a> [service\_credential\_secrets](#input\_service\_credential\_secrets) | Service credential secrets configuration for Event Notification. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/tree/main/solutions/fully-configurable/DA-types.md#service-credential-secrets). | <pre>list(object({<br/>    secret_group_name        = string<br/>    secret_group_description = optional(string)<br/>    existing_secret_group    = optional(bool)<br/>    service_credentials = list(object({<br/>      secret_name                                 = string<br/>      service_credentials_source_service_role_crn = string<br/>      secret_labels                               = optional(list(string))<br/>      secret_auto_rotation                        = optional(bool)<br/>      secret_auto_rotation_unit                   = optional(string)<br/>      secret_auto_rotation_interval               = optional(number)<br/>      service_credentials_ttl                     = optional(string)<br/>      service_credential_secret_description       = optional(string)<br/><br/>    }))<br/>  }))</pre> | `[]` | no |
-| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable public, or both public and private service endpoints. Possible values: `public`, `public-and-private` | `string` | `"public-and-private"` | no |
+| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable public, private, or both public and private service endpoints. Possible values: `public`, `private`, `public-and-private` | `string` | `"private"` | no |
 | <a name="input_service_plan"></a> [service\_plan](#input\_service\_plan) | The pricing plan of the Event Notifications instance. Possible values: `Lite`, `Standard` | `string` | `"standard"` | no |
 | <a name="input_skip_cos_kms_auth_policy"></a> [skip\_cos\_kms\_auth\_policy](#input\_skip\_cos\_kms\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits the COS instance to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_key_management_service_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no |
 | <a name="input_skip_event_notifications_cos_auth_policy"></a> [skip\_event\_notifications\_cos\_auth\_policy](#input\_skip\_event\_notifications\_cos\_auth\_policy) | Set to `true` to skip the creation of an IAM authorization policy that permits the Event Notifications instance `Object Writer` and `Reader` access to the given Object Storage bucket. Set to `true` to use an existing policy. | `bool` | `false` | no |
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
@@ -97,11 +97,11 @@ variable "service_plan" {
 
 variable "service_endpoints" {
   type        = string
-  description = "Specify whether you want to enable public, or both public and private service endpoints. Possible values: `public`, `public-and-private`"
-  default     = "public-and-private"
+  description = "Specify whether you want to enable public, private, or both public and private service endpoints. Possible values: `public`, `private`, `public-and-private`"
+  default     = "private"
   validation {
-    condition     = contains(["public", "public-and-private"], var.service_endpoints)
-    error_message = "The specified service endpoint is not supported. The following endpoint options are supported: `public`, `public-and-private`"
+    condition     = contains(["public", "private", "public-and-private"], var.service_endpoints)
+    error_message = "The specified service endpoint is not supported. The following endpoint options are supported: `public`, `private`, `public-and-private`"
   }
 }
 
diff --git a/solutions/security-enforced/main.tf b/solutions/security-enforced/main.tf
@@ -10,7 +10,7 @@ module "event_notifications" {
   service_credential_names                  = var.service_credential_names
   event_notifications_instance_name         = var.event_notifications_instance_name
   service_plan                              = "standard"
-  service_endpoints                         = "public-and-private"
+  service_endpoints                         = "private"
   event_notifications_resource_tags         = var.event_notifications_resource_tags
   existing_event_notifications_instance_crn = var.existing_event_notifications_instance_crn
   # KMS Related
diff --git a/tests/pr_test.go b/tests/pr_test.go
@@ -313,8 +313,10 @@ func TestRunSecurityEnforcedUpgradeDASolution(t *testing.T) {
 		{Name: "kms_endpoint_url", Value: permanentResources["hpcs_south_public_endpoint"], DataType: "string"},
 		{Name: "existing_cos_instance_crn", Value: permanentResources["general_test_storage_cos_instance_crn"], DataType: "string"},
 	}
-	err := options.RunSchematicTest()
-	assert.NoError(t, err, "TestRunSecurityEnforcedUpgradeDASolution using existing RG, KMS and COS Failed")
+	err := options.RunSchematicUpgradeTest()
+	if !options.UpgradeTestSkipped {
+		assert.Nil(t, err, "This should not have errored")
+	}
 }
 
 func TestRunExistingResourcesInstances(t *testing.T) {
diff --git a/variables.tf b/variables.tf
@@ -77,11 +77,11 @@ variable "kms_endpoint_url" {
 
 variable "service_endpoints" {
   type        = string
-  description = "Specify whether you want to enable public, or both public and private service endpoints. Possible values: `public`, `public-and-private`"
-  default     = "public-and-private"
+  description = "Specify whether you want to enable public, private, or both public and private service endpoints. Possible values: `public`, `private`, `public-and-private`."
+  default     = "private"
   validation {
-    condition     = contains(["public", "public-and-private"], var.service_endpoints)
-    error_message = "The specified service endpoint is not supported. The following endpoint options are supported: `public`, `public-and-private`"
+    condition     = contains(["public", "private", "public-and-private"], var.service_endpoints)
+    error_message = "The specified service endpoint is not supported. The following endpoint options are supported: `public`, `private`, `public-and-private`."
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -97,11 +97,11 @@ variable "service_plan" {`
`97`	`97`
`98`	`98`	`variable "service_endpoints" {`
`99`	`99`	`type = string`
`100`		- description = "Specify whether you want to enable public, or both public and private service endpoints. Possible values: `public`, `public-and-private`"
`101`		`- default = "public-and-private"`
	`100`	+ description = "Specify whether you want to enable public, private, or both public and private service endpoints. Possible values: `public`, `private`, `public-and-private`"
	`101`	`+ default = "private"`
`102`	`102`	`validation {`
`103`		`- condition = contains(["public", "public-and-private"], var.service_endpoints)`
`104`		- error_message = "The specified service endpoint is not supported. The following endpoint options are supported: `public`, `public-and-private`"
	`103`	`+ condition = contains(["public", "private", "public-and-private"], var.service_endpoints)`
	`104`	+ error_message = "The specified service endpoint is not supported. The following endpoint options are supported: `public`, `private`, `public-and-private`"
`105`	`105`	`}`
`106`	`106`	`}`
`107`	`107`
Original file line number	Diff line number	Diff line change
`@@ -313,8 +313,10 @@ func TestRunSecurityEnforcedUpgradeDASolution(t *testing.T) {`
`313`	`313`	`{Name: "kms_endpoint_url", Value: permanentResources["hpcs_south_public_endpoint"], DataType: "string"},`
`314`	`314`	`{Name: "existing_cos_instance_crn", Value: permanentResources["general_test_storage_cos_instance_crn"], DataType: "string"},`
`315`	`315`	`}`
`316`		`- err := options.RunSchematicTest()`
`317`		`- assert.NoError(t, err, "TestRunSecurityEnforcedUpgradeDASolution using existing RG, KMS and COS Failed")`
	`316`	`+ err := options.RunSchematicUpgradeTest()`
	`317`	`+ if !options.UpgradeTestSkipped {`
	`318`	`+ assert.Nil(t, err, "This should not have errored")`
	`319`	`+ }`
`318`	`320`	`}`
`319`	`321`
`320`	`322`	`func TestRunExistingResourcesInstances(t *testing.T) {`
Original file line number	Diff line number	Diff line change
`@@ -77,11 +77,11 @@ variable "kms_endpoint_url" {`
`77`	`77`
`78`	`78`	`variable "service_endpoints" {`
`79`	`79`	`type = string`
`80`		- description = "Specify whether you want to enable public, or both public and private service endpoints. Possible values: `public`, `public-and-private`"
`81`		`- default = "public-and-private"`
	`80`	+ description = "Specify whether you want to enable public, private, or both public and private service endpoints. Possible values: `public`, `private`, `public-and-private`."
	`81`	`+ default = "private"`
`82`	`82`	`validation {`
`83`		`- condition = contains(["public", "public-and-private"], var.service_endpoints)`
`84`		- error_message = "The specified service endpoint is not supported. The following endpoint options are supported: `public`, `public-and-private`"
	`83`	`+ condition = contains(["public", "private", "public-and-private"], var.service_endpoints)`
	`84`	+ error_message = "The specified service endpoint is not supported. The following endpoint options are supported: `public`, `private`, `public-and-private`."
`85`	`85`	`}`
`86`	`86`	`}`
`87`	`87`