A Terraform module for provisioning the infrastructure required by the DevSecOps CI, CD and CC toolchains. Both free and standard resources can be deployed.
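module "terraform_devsecops_infra" {
  # Pinned to a release tag. A tag is a mutable git ref, so re-review the
  # module contents whenever this version is bumped.
  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-infrastructure?ref=v1.2.0-beta.5"

  # ibmcloud_api_key is the module's only required input (see the Inputs
  # table). Declare a matching root-level variable and feed it from the
  # TF_VAR_ibmcloud_api_key environment variable or a tfvars file kept out of
  # source control rather than writing the key into this file.
  ibmcloud_api_key = var.ibmcloud_api_key

  region = "us-south"

  # Either create a new resource group ...
  resource_group = "my-resource-group"
  # ... or reuse an existing one:
  # existing_resource_group = "Default"

  # Names for the registry namespace, VPC cluster and object storage.
  registry_namespace = "my-registry-namespace-xyz1"
  vpc_name           = "my-vpc-cluster-name"
  cluster_name       = "my-cluster"
  cos_instance_name  = "my-cos-instance"
  cos_bucket_name    = "my-cos-bucket-xyz1"
}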
| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| ibm | >= 1.60.0 |
| time | >= 0.9.1 |
| Name | Source | Version |
|---|---|---|
| cd | ./continuous_delivery | n/a |
| cos | ./cos/cos_instance | n/a |
| cos_bucket | ./cos/cos_bucket | n/a |
| icr | ./icr | n/a |
| kp | ./keyprotect/keyprotect_instance | n/a |
| kp_secret_cos_api_key | ./keyprotect/keyprotect_key | n/a |
| kp_secret_iamcloud_api_key | ./keyprotect/keyprotect_key | n/a |
| kp_secret_signing_certifcate | ./keyprotect/keyprotect_key | n/a |
| kp_secret_signing_key | ./keyprotect/keyprotect_key | n/a |
| resource_group | ./resource_group | n/a |
| signing_keys | ./gpg-key | n/a |
| sm | ./secrets_manager/secrets_manager_instance | n/a |
| sm_arbitrary_secret_cos_api_key | ./secrets_manager/arbitrary_secret | n/a |
| sm_arbitrary_secret_ibmcloud_api_key | ./secrets_manager/arbitrary_secret | n/a |
| sm_arbitrary_secret_signing_certifcate | ./secrets_manager/arbitrary_secret | n/a |
| sm_arbitrary_secret_signing_key | ./secrets_manager/arbitrary_secret | n/a |
| sm_secret_group | ./secrets_manager/secret_group | n/a |
| vpc_cluster | ./cluster/vpc | n/a |
| Name | Type |
|---|---|
| ibm_iam_api_key.cos_iam_api_key | resource |
| ibm_iam_api_key.iam_api_key | resource |
| time_static.timestamp | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cd_instance_name | The CD instance name. | string | "my-cd-instance" | no |
| cd_instance_region | The CD instance region. | string | "us-south" | no |
| cd_resource_group_id | The resource group ID containing the CD instance. | string | "" | no |
| cd_service_plan | The type of plan: lite or professional. | string | "" | no |
| cluster_name | Name of the Kubernetes cluster where the application is deployed. This sets the same cluster for both CI and CD toolchains. See ci_cluster_name and cd_cluster_name to set different clusters. By default, the cluster namespace for CI is set to dev and for CD to prod. These can be changed using ci_cluster_namespace and cd_cluster_namespace. | string | "iks-cluster-name" | no |
| cluster_resource_group_id | The ID of the cluster resource group. | string | "" | no |
| cos_add_random_cos_bucket_suffix | Set to true to append a 4 character random string to the specified COS bucket name. | bool | true | no |
| cos_api_key_secret | The COS API key value. | string | "Place Holder" | no |
| cos_api_key_secret_name | The name of the secret as it appears in Secrets Manager. | string | "cos-api-key" | no |
| cos_bucket_name | Set the name of your COS bucket. | string | "" | no |
| cos_bucket_region | The COS region. | string | "" | no |
| cos_default_retention | The default retention period defined by this policy; it applies to all objects in the bucket. | string | "365" | no |
| cos_instance_id | The ID of the COS instance that contains the COS buckets. | string | "" | no |
| cos_instance_name | The name of the COS instance that contains the COS buckets. | string | "my-cos-instance" | no |
| cos_instance_region | The location of the COS instance. | string | "global" | no |
| cos_maximum_retention | Specifies the maximum duration an object can be kept unmodified in the bucket. | string | "730" | no |
| cos_minimum_retention | Specifies the minimum duration an object must be kept unmodified in the bucket. | string | "365" | no |
| cos_resource_group_id | The resource group ID containing the COS instance. | string | "" | no |
| cos_service_plan | The plan type of the Cloud Object Storage instance. Can be lite, standard or graduated-tier. | string | "" | no |
| cos_storage_class | The COS storage class. | string | "smart" | no |
| create_cd_instance | Set to true to create the CD instance. | bool | true | no |
| create_cluster | Set to true to create the cluster. | bool | true | no |
| create_cos | Set to true to create COS. | bool | true | no |
| create_cos_bucket | Set to true to create a COS bucket. | bool | true | no |
| create_icr | Set to true to create the ICR namespace. | bool | true | no |
| create_key_protect | Set to true to create a Key Protect instance. | bool | false | no |
| create_or_link_to_secrets_manager | Set to true to set up Secrets Manager. If sm_instance_id is set, that Secrets Manager instance is used. Otherwise a new Secrets Manager instance is provisioned. | bool | true | no |
| create_secrets | Set to true to create the ibmcloud-api-key, cos-api-key and signing_key secrets. | bool | true | no |
| existing_resource_group | The name of an existing resource group to use. This supersedes the creation of a named resource group. See the resource_group input. | string | "" | no |
| expiration_duration | The validity period of secrets in Secrets Manager, expressed in hours. The default is 90 days. | string | "2160h" | no |
| flavor | The cluster specs. | string | "bx2.2x8" | no |
| gpg_email | The email address associated with the GPG key. | string | "ibmer@ibm.com" | no |
| gpg_name | The name to be associated with the GPG key. | string | "IBMer" | no |
| iam_api_key_secret | The IAM API key value. | string | "Place Holder" | no |
| iam_api_key_secret_name | The name of the secret as it appears in Secrets Manager. | string | "ibmcloud-api-key" | no |
| ibmcloud_api_key | API key belonging to the account in which all the resources are created. | string | n/a | yes |
| icr_resource_group_id | The resource group ID containing the registry region namespace. | string | "" | no |
| is_permanant | Enables or disables permanent retention status for the bucket. | bool | false | no |
| kp_location | The region location of the Key Protect instance. | string | "" | no |
| kp_name | The name of the Key Protect instance. | string | "" | no |
| kp_resource_group_id | The ID of the resource group. | string | "" | no |
| kube_version | The version of Kubernetes to use. Uses the latest version if not set. | string | "" | no |
| region | The region used for all resource creation unless a resource-specific region is set. | string | "us-south" | no |
| registry_namespace | A unique namespace within the IBM Cloud Container Registry region where the application image is stored. | string | "my-registry-namespace" | no |
| resource_group | The resource group that is created and used, by default, for all resource creation and service instance lookups. | string | "" | no |
| signing_certifcate_secret_name | The name of the secret as it appears in Secrets Manager. | string | "signing-certificate" | no |
| signing_certificate_secret | The signing certificate secret value. | string | "" | no |
| signing_key_secret | The signing key secret value. | string | "" | no |
| signing_key_secret_name | The name of the secret as it appears in Secrets Manager. | string | "signing_key" | no |
| sm_existing_secret_group_id | The secret group ID of an existing secret group in a Secrets Manager instance. This takes precedence over sm_secret_group_name. | string | "" | no |
| sm_instance_id | The instance ID of the Secrets Manager. | string | "" | no |
| sm_location | The region location of the Secrets Manager instance. | string | "" | no |
| sm_name | The name of the Secrets Manager instance. | string | "Secrets Manager" | no |
| sm_resource_group_id | The ID of the resource group. | string | "" | no |
| sm_resource_group_name | The name of the resource group. | string | "" | no |
| sm_secret_group_name | The name of the secret group that is created. | string | "devsecops" | no |
| sm_service_endpoints | The types of service endpoints supported by Secrets Manager. Can be public, private or public-and-private. | string | "public-and-private" | no |
| sm_service_plan | The Secrets Manager service plan: standard or trial. | string | "" | no |
| use_free_tier | Set to true to use the free tier. VPC clusters are not supported in the free tier. | bool | false | no |
| vpc_name | Name of the VPC. | string | "vpc-name" | no |
| vpc_region | The VPC region. | string | "us-south" | no |
| wait_till | The status to wait for during VPC cluster creation; Terraform reports a successful run once the cluster reaches the wait_till status. To wait for full creation including workers and ingress, set the value to IngressReady. Other values include Normal and MasterNodeReady. | string | "OneWorkerNodeReady" | no |
| worker_count | The number of worker nodes per zone in the default worker pool. | number | 1 | no |
| Name | Description |
|---|---|
| cluster_name | The name of the VPC cluster. |
| cos_bucket_name | The name of COS bucket. |
| cos_instance_id | The instance Id of the COS instance. |
| cos_s3_endpoint_direct | The COS bucket direct endpoint. |
| cos_s3_endpoint_private | The COS bucket private endpoint. |
| cos_s3_endpoint_public | The COS bucket public endpoint. |
| icr_namespace | The ICR namespace. |
| keyprotect_instance_id | The instance Id of the Key Protect instance. |
| resource_group_id | The Id of the resource group. |
| resource_group_name | The name of the resource group. |
| secrets_manager_instance_id | The instance Id of the Secrets Manager instance. |
| secrets_manager_location | The region containing the Secrets Manager instance. |
| secrets_manager_name | The Secrets Manager name. |
| secrets_manager_resource_group_name | The name of the resource group containing the Secrets Manager instance. |
| secrets_manager_secrets_group | The secret group containing the ibmcloud-api-key for running the pipelines. |
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.