From 7121c838ecdcab4566dec97f605353f34f950b51 Mon Sep 17 00:00:00 2001
From: whoffler
Date: Tue, 13 May 2025 11:22:25 +0100
Subject: [PATCH 1/4] support private endpoints
---
 README.md | 2 +-
 ibm_catalog.json | 4 ++++
 modules/fscloud/main.tf | 2 +-
 solutions/fully-configurable/README.md | 2 +-
 solutions/fully-configurable/variables.tf | 6 +++---
 solutions/security-enforced/main.tf | 2 +-
 variables.tf | 8 ++++----
 7 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index 402c54e8..6b51d316 100644
--- a/README.md
+++ b/README.md
@@ -112,7 +112,7 @@ To create service credentials, access the Event Notifications service, and acces | [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group where the Event Notifications instance is created. | `string` | n/a | yes | | [root\_key\_id](#input\_root\_key\_id) | The key ID of a root key, existing in the KMS instance passed in `var.existing_kms_instance_crn`, which will be used to encrypt the data encryption keys which are then used to encrypt the data. Required only if `var.kms_encryption_enabled` is set to `true`. | `string` | `null` | no | | [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event Notifications instance. | `map(string)` | `{}` | no | -| [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable public, or both public and private service endpoints. Possible values: `public`, `public-and-private` | `string` | `"public-and-private"` | no | +| [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable public, private, or both public and private service endpoints. Possible values: `public`, `private`, `public-and-private`. | `string` | `"private"` | no | | [skip\_en\_cos\_auth\_policy](#input\_skip\_en\_cos\_auth\_policy) | Set to `true` to skip the creation of an IAM authorization policy that permits the Event Notifications instance `Object Writer` and `Reader` access to the given Object Storage bucket. Ignored if `cos_integration_enabled` is set to `false`. | `bool` | `false` | no | | [skip\_en\_kms\_auth\_policy](#input\_skip\_en\_kms\_auth\_policy) | Set to `true` to skip the creation of an IAM authorization policy that permits the Event Notifications instance to read the encryption key from the KMS instance. If set to `false`, a value must be passed for the KMS instance and key using inputs `existing_kms_instance_crn` and `root_key_id`. 
In addition, no policy is created if `kms_encryption_enabled` is set to `false`. | `bool` | `false` | no |
 | [tags](#input\_tags) | The list of tags to add to the Event Notifications instance. | `list(string)` | `[]` | no |
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 4211a043..e034b129 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -332,6 +332,10 @@
 "displayname": "public",
 "value": "public"
 },
+ {
+ "displayname": "private",
+ "value": "private"
+ },
 {
 "displayname": "public-and-private",
 "value": "public-and-private"
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
index ac5c1f8d..3d27f4f4 100644
--- a/modules/fscloud/main.tf
+++ b/modules/fscloud/main.tf
@@ -9,7 +9,7 @@ module "event_notification" {
 root_key_id = var.root_key_id
 kms_endpoint_url = var.kms_endpoint_url
 tags = var.tags
- service_endpoints = "public-and-private"
+ service_endpoints = "private"
 cbr_rules = var.cbr_rules
 region = var.region
 service_credential_names = var.service_credential_names
diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md
index a43d3afc..deebedc0 100644
--- a/solutions/fully-configurable/README.md
+++ b/solutions/fully-configurable/README.md
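Review bot: Pinning `service_endpoints = "private"` in modules/fscloud/main.tf is a behaviour change for every existing consumer of the module, and nothing in the series marks it as such; the same flip appears in solutions/security-enforced/main.tf, in the root variables.tf (`default = "private"`), and in solutions/fully-configurable/variables.tf in patch 2. On upgrade, an instance that was created with `public-and-private` gets a plan diff on this parameter, and any client that reaches Event Notifications over the public endpoint will presumably lose access once it applies; whether the provider treats the change as an in-place update or a replacement is not visible here and is worth confirming before release. A breaking-change marker in the commit message or release notes, plus a README line such as `Changing service_endpoints from public-and-private to private removes public reachability of an existing instance; confirm consumers use the private endpoint before upgrading.`, would make the hardening intent explicit. The `SKIP UPGRADE TEST` subjects on patches 3 and 4 suggest the authors already expect the upgrade test to surface this, which is one more reason to document it.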
@@ -90,7 +90,7 @@ When `existing_en_instance_crn` is passed, this solution ignores ALL other input | [region](#input\_region) | The region in which the Event Notifications resources are provisioned. | `string` | `"us-south"` | no | | [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event Notifications instance. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/tree/main/solutions/fully-configurable/DA-types.md#service-credential-secrets | `map(string)` | `{}` | no | | [service\_credential\_secrets](#input\_service\_credential\_secrets) | Service credential secrets configuration for Event Notification. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/tree/main/solutions/fully-configurable/DA-types.md#service-credential-secrets). |
list(object({
secret_group_name = string
secret_group_description = optional(string)
existing_secret_group = optional(bool)
service_credentials = list(object({
secret_name = string
service_credentials_source_service_role_crn = string
secret_labels = optional(list(string))
secret_auto_rotation = optional(bool)
secret_auto_rotation_unit = optional(string)
secret_auto_rotation_interval = optional(number)
service_credentials_ttl = optional(string)
service_credential_secret_description = optional(string)

}))
}))
| `[]` | no | -| [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable public, or both public and private service endpoints. Possible values: `public`, `public-and-private` | `string` | `"public-and-private"` | no | +| [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable public, private, or both public and private service endpoints. Possible values: `public`, `private`, `public-and-private` | `string` | `"public-and-private"` | no | | [service\_plan](#input\_service\_plan) | The pricing plan of the Event Notifications instance. Possible values: `Lite`, `Standard` | `string` | `"standard"` | no | | [skip\_cos\_kms\_auth\_policy](#input\_skip\_cos\_kms\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits the COS instance to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_key_management_service_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no | | [skip\_event\_notifications\_cos\_auth\_policy](#input\_skip\_event\_notifications\_cos\_auth\_policy) | Set to `true` to skip the creation of an IAM authorization policy that permits the Event Notifications instance `Object Writer` and `Reader` access to the given Object Storage bucket. Set to `true` to use an existing policy. | `bool` | `false` | no | diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 5da2e87b..aa2a557f 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf 
@@ -97,11 +97,11 @@ variable "service_plan" {
 variable "service_endpoints" {
 type = string
- description = "Specify whether you want to enable public, or both public and private service endpoints. Possible values: `public`, `public-and-private`"
+ description = "Specify whether you want to enable public, private, or both public and private service endpoints. Possible values: `public`, `private`, `public-and-private`"
 default = "public-and-private"
 validation {
- condition = contains(["public", "public-and-private"], var.service_endpoints)
- error_message = "The specified service endpoint is not supported. The following endpoint options are supported: `public`, `public-and-private`"
+ condition = contains(["public", "private", "public-and-private"], var.service_endpoints)
+ error_message = "The specified service endpoint is not supported. The following endpoint options are supported: `public`, `private`, `public-and-private`"
 }
 }
diff --git a/solutions/security-enforced/main.tf b/solutions/security-enforced/main.tf
index 38e33770..c304d871 100644
--- a/solutions/security-enforced/main.tf
+++ b/solutions/security-enforced/main.tf
@@ -10,7 +10,7 @@ module "event_notifications" {
 service_credential_names = var.service_credential_names
 event_notifications_instance_name = var.event_notifications_instance_name
 service_plan = "standard"
- service_endpoints = "public-and-private"
+ service_endpoints = "private"
 event_notifications_resource_tags = var.event_notifications_resource_tags
 existing_event_notifications_instance_crn = var.existing_event_notifications_instance_crn
 # KMS Related
diff --git a/variables.tf b/variables.tf
index 8b65f0c0..35d9a41b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -77,11 +77,11 @@ variable "kms_endpoint_url" {
 variable "service_endpoints" {
 type = string
- description = "Specify whether you want to enable public, or both public and private service endpoints. Possible values: `public`, `public-and-private`"
- default = "public-and-private"
+ description = "Specify whether you want to enable public, private, or both public and private service endpoints. Possible values: `public`, `private`, `public-and-private`."
+ default = "private"
 validation {
- condition = contains(["public", "public-and-private"], var.service_endpoints)
- error_message = "The specified service endpoint is not supported. The following endpoint options are supported: `public`, `public-and-private`"
+ condition = contains(["public", "private", "public-and-private"], var.service_endpoints)
+ error_message = "The specified service endpoint is not supported. The following endpoint options are supported: `public`, `private`, `public-and-private`."
 }
 }
From 2bb443086bec90a4b278cf570f3e213f2881c7ff Mon Sep 17 00:00:00 2001
From: whoffler
Date: Tue, 13 May 2025 11:59:13 +0100
Subject: [PATCH 2/4] private by default for fully configurable
---
 solutions/fully-configurable/README.md | 2 +-
 solutions/fully-configurable/variables.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md
index deebedc0..7c5b0eb5 100644
--- a/solutions/fully-configurable/README.md
+++ b/solutions/fully-configurable/README.md
@@ -90,7 +90,7 @@ When `existing_en_instance_crn` is passed, this solution ignores ALL other input | [region](#input\_region) | The region in which the Event Notifications resources are provisioned. | `string` | `"us-south"` | no | | [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event Notifications instance. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/tree/main/solutions/fully-configurable/DA-types.md#service-credential-secrets | `map(string)` | `{}` | no | | [service\_credential\_secrets](#input\_service\_credential\_secrets) | Service credential secrets configuration for Event Notification. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/tree/main/solutions/fully-configurable/DA-types.md#service-credential-secrets). |
list(object({
secret_group_name = string
secret_group_description = optional(string)
existing_secret_group = optional(bool)
service_credentials = list(object({
secret_name = string
service_credentials_source_service_role_crn = string
secret_labels = optional(list(string))
secret_auto_rotation = optional(bool)
secret_auto_rotation_unit = optional(string)
secret_auto_rotation_interval = optional(number)
service_credentials_ttl = optional(string)
service_credential_secret_description = optional(string)

}))
}))
| `[]` | no | -| [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable public, private, or both public and private service endpoints. Possible values: `public`, `private`, `public-and-private` | `string` | `"public-and-private"` | no | +| [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable public, private, or both public and private service endpoints. Possible values: `public`, `private`, `public-and-private` | `string` | `"private"` | no | | [service\_plan](#input\_service\_plan) | The pricing plan of the Event Notifications instance. Possible values: `Lite`, `Standard` | `string` | `"standard"` | no | | [skip\_cos\_kms\_auth\_policy](#input\_skip\_cos\_kms\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits the COS instance to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_key_management_service_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no | | [skip\_event\_notifications\_cos\_auth\_policy](#input\_skip\_event\_notifications\_cos\_auth\_policy) | Set to `true` to skip the creation of an IAM authorization policy that permits the Event Notifications instance `Object Writer` and `Reader` access to the given Object Storage bucket. Set to `true` to use an existing policy. | `bool` | `false` | no | diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index aa2a557f..600c47b9 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf 
@@ -98,7 +98,7 @@ variable "service_plan" {
 variable "service_endpoints" {
 type = string
 description = "Specify whether you want to enable public, private, or both public and private service endpoints. Possible values: `public`, `private`, `public-and-private`"
- default = "public-and-private"
+ default = "private"
 validation {
 condition = contains(["public", "private", "public-and-private"], var.service_endpoints)
 error_message = "The specified service endpoint is not supported. The following endpoint options are supported: `public`, `private`, `public-and-private`"
From 422a65b39d8cf7d92828850f4b851a8569ea4ead Mon Sep 17 00:00:00 2001
From: whoffler
Date: Tue, 13 May 2025 14:15:36 +0100
Subject: [PATCH 3/4] SKIP UPGRADE TEST update upgrade test
---
 tests/pr_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 53ebf5c9..e2032906 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -313,7 +313,7 @@ func TestRunSecurityEnforcedUpgradeDASolution(t *testing.T) {
 {Name: "kms_endpoint_url", Value: permanentResources["hpcs_south_public_endpoint"], DataType: "string"},
 {Name: "existing_cos_instance_crn", Value: permanentResources["general_test_storage_cos_instance_crn"], DataType: "string"},
 }
- err := options.RunSchematicTest()
+ err := options.RunSchematicUpgradeTest()
 assert.NoError(t, err, "TestRunSecurityEnforcedUpgradeDASolution using existing RG, KMS and COS Failed")
 }
From 5df337c15ea24b2bb33f7c30b971722ca7702b40 Mon Sep 17 00:00:00 2001
From: whoffler
Date: Tue, 13 May 2025 14:31:20 +0100
Subject: [PATCH 4/4] SKIP UPGRADE TEST update upgrade test
---
 tests/pr_test.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/pr_test.go b/tests/pr_test.go
index e2032906..d260fd3c 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -314,7 +314,9 @@ func TestRunSecurityEnforcedUpgradeDASolution(t *testing.T) {
 {Name: "existing_cos_instance_crn", Value: permanentResources["general_test_storage_cos_instance_crn"], DataType: "string"},
 }
 err := options.RunSchematicUpgradeTest()
- assert.NoError(t, err, "TestRunSecurityEnforcedUpgradeDASolution using existing RG, KMS and COS Failed")
+ if !options.UpgradeTestSkipped {
+ assert.Nil(t, err, "This should not have errored")
+ }
 }
 func TestRunExistingResourcesInstances(t *testing.T) {
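Review bot: The guarded assertion in patch 4 swaps `assert.NoError` for `assert.Nil` and replaces the message that named the test and its resource combination with the generic `"This should not have errored"`, so a CI failure no longer says which solution broke. `assert.NoError` is the idiomatic testify call for an error value and is what the surrounding file already uses, so keeping the original line inside the new guard, `assert.NoError(t, err, "TestRunSecurityEnforcedUpgradeDASolution using existing RG, KMS and COS Failed")`, preserves both the idiom and the diagnostic. When `UpgradeTestSkipped` is true the returned `err` is now ignored entirely; if the helper can set that flag and still return an error, a one-line comment on the guard saying the skip is intentional would save the next reader a trip into the helper. The enclosing function `TestRunSecurityEnforcedUpgradeDASolution` starts outside the hunk.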