From d47d168c8f7473f31245580bd3d701c6df9d593b Mon Sep 17 00:00:00 2001 From: Nupur Goyal Date: Thu, 13 Jun 2024 19:22:48 +0530 Subject: [PATCH] updating catalog json and Custom File Share support for Login node --- .catalog-onboard-pipeline.yaml | 2 +- hpcaas-arch-1.5.0.svg | 4 -- hpcaas-arch-1.6.svg | 4 ++ ibm_catalog.json | 61 +++++++++++++------ .../configure_management_vsi.sh | 16 ++++- .../configuration_steps/management_values.tpl | 1 + modules/landing_zone_vsi/template_files.tf | 3 + .../templates/login_user_data.tpl | 2 + .../landing_zone_vsi/templates/login_vsi.sh | 37 +++++++++-- modules/landing_zone_vsi/variables.tf | 5 ++ samples/configs/hpc_schematics_values.json | 3 +- solutions/hpc/README.md | 51 ++++++++-------- solutions/hpc/main.tf | 1 + solutions/hpc/variables.tf | 16 ++--- tests/common_utils/deploy_utils.go | 3 +- 15 files changed, 143 insertions(+), 66 deletions(-) delete mode 100644 hpcaas-arch-1.5.0.svg create mode 100644 hpcaas-arch-1.6.svg diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml index ebd106ff..d89fea83 100644 --- a/.catalog-onboard-pipeline.yaml +++ b/.catalog-onboard-pipeline.yaml @@ -8,7 +8,7 @@ offerings: offering_id: bf3c07f8-5a62-4289-8ea0-94dbb2b410e6 # list all of the variations (flavors) you have included in the ibm_catalog.json variations: - - name: Cluster-with-LSF-v10.1.0.14 + - name: Cluster-with-LSF mark_ready: false # have pipeline mark as visible if validation passes install_type: fullstack # ensure value matches what is in ibm_catalog.json (fullstack or extension) destroy_resources_on_failure: false # defaults to false if not specified so resources can be inspected to debug failures during validation diff --git a/hpcaas-arch-1.5.0.svg b/hpcaas-arch-1.5.0.svg deleted file mode 100644 index 59fd6930..00000000 --- a/hpcaas-arch-1.5.0.svg +++ /dev/null @@ -1,4 +0,0 @@ - - - -
IBM Cloud
IBM Cloud
Public
Network

Public...
Internet
Int...
User
Use...
Region
Region
VPC
HPC
VPC...
Availability Zone
Availability Zone
Subnet
Login
Subnet...
Floating IP
Flo...
Public Gateway
Pub...
Subnet
HPC
Subnet...
Login SG
Login SG
HPC SG
HPC SG



HPC LSF Management Nodes - v10.1.014 

HPC LSF Management Nodes...
File Storage
Fil...
LDAP Server
LDA...
Bastion Node
Bas...
Login Node
Log...
IBM Storage Scale
(Optional)
IBM...
VPN Gateway (optional)
VPN...
DNS Service
DNS...

IBM Cloud HPC
VPC Endpoint

IBM Cloud HPC...
SSH
SSH
Virtual Server
Dynamic Compute Nodes
Virtual Server...






Text is not SVG - cannot display
\ No newline at end of file diff --git a/hpcaas-arch-1.6.svg b/hpcaas-arch-1.6.svg new file mode 100644 index 00000000..0db6e4f9 --- /dev/null +++ b/hpcaas-arch-1.6.svg @@ -0,0 +1,4 @@ + + + +
IBM Cloud
IBM Cloud
Region
Region
Availability Zone
Availability Zone
Public
Network

Public...
Internet
Int...
User
Use...
Cloud Services
Cloud Services
DNS Service
DNS...
VPC Flow Logs
(Optional)
VPC...
ICD MySQL
(Optional)
ICD...
COS
(Optional)
COS...
Key Protect
(Optional)
Key...
Secrets Manager
(Optional)
Sec...
IBM Cloud Monitoring
(Optional)
IBM...
IBM Cloud® Activity Tracker Event Routing
(Optional)
IBM...
Security and Compliance Center
(Optional)
Sec...
Event Notification Service
(Optional)
Eve...
VPC
HPC
VPC...
SSH
SSH
VPN Gateway (optional)
VPN...
VPC Endpoint
IBM Cloud HPC
VPC...
Subnet
Login
Subnet...
Floating IP
Flo...
Public Gateway
Pub...
Subnet
HPC
Subnet...






Virtual Server
Dynamic Compute Nodes
Virtual Server...
HPC SG
HPC SG



HPC LSF Management Nodes - v10.1.014 

HPC LSF Management Nodes...
LDAP Server
LDA...
Login SG
Login SG
File Storage
Fil...
Bastion Node
Bas...
Login Node
Log...
IBM Storage Scale
(Optional)
IBM...
Text is not SVG - cannot display
\ No newline at end of file diff --git a/ibm_catalog.json b/ibm_catalog.json index ae4d2dd7..3d780261 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -43,8 +43,8 @@ ], "flavors": [ { - "label": "Cluster-with-LSF-v10.1.0.14", - "name": "Cluster-with-LSF-v10.1.0.14", + "label": "Cluster with LSF v10.1.0.14", + "name": "Cluster-with-LSF", "install_type": "fullstack", "working_directory": "solutions/hpc", "compliance": { @@ -72,10 +72,36 @@ "key": "cluster_id" }, { - "key": "bastion_ssh_keys" + "key": "bastion_ssh_keys", + "type": "array", + "default_value": "", + "display_name": "VPC SSH Key", + "required": true, + "custom_config": { + "type": "vpc_ssh_key", + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "selection": "multi_select", + "valueType": "name" + } + } }, { - "key": "compute_ssh_keys" + "key": "compute_ssh_keys", + "type": "array", + "default_value": "", + "display_name": "VPC SSH Key", + "required": true, + "custom_config": { + "type": "vpc_ssh_key", + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "selection": "multi_select", + "valueType": "name" + } + } }, { "key": "remote_allowed_ips" @@ -317,12 +343,6 @@ } ], "iam_permissions": [ - { - "role_crns": [ - "crn:v1:bluemix:public:iam::::serviceRole:Manager" - ], - "service_name": "schematics" - }, { "role_crns": [ "crn:v1:bluemix:public:iam::::serviceRole:writer" 
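Review bot: In the `@@ -72,10 +72,36 @@` hunk of ibm_catalog.json, `bastion_ssh_keys` and `compute_ssh_keys` both get `"display_name": "VPC SSH Key"`, so if the catalog form uses that field as the label the two required inputs cannot be told apart. A key meant only for the bastion could then be selected for the compute nodes, or the reverse, by mistake. Distinct labels such as `"display_name": "Bastion SSH keys"` and `"display_name": "Compute SSH keys"` would keep the two access paths separate. Both entries also declare `"type": "array"` with `"default_value": ""`, which is a string; whether the catalog accepts that for a required array is not visible here, so an empty list or no default looks safer.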
@@ -343,21 +363,28 @@ }, { "role_crns": [ - "crn:v1:bluemix:public:iam::::role:Administrator" + "crn:v1:bluemix:public:iam::::role:Editor" ], - "service_name": "project" + "service_name": "is.vpc" }, { "role_crns": [ "crn:v1:bluemix:public:iam::::role:Editor" ], - "service_name": "is.vpc" + "service_name": "dns-svcs" }, { + "service_name": "is.flow-log-collector", "role_crns": [ "crn:v1:bluemix:public:iam::::role:Editor" - ], - "service_name": "dns-svcs" + ] + }, + { + "service_name": "sysdig-monitor", + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Administrator" + ] } ], "architecture": { @@ -377,7 +404,7 @@ }, { "title": "Reduces failure events by using multizone regions", - "description": "Yes" + "description": "No" }, { "title": "Collects and stores Internet Protocol (IP) traffic information with Activity Tracker and Flow Logs", @@ -393,7 +420,7 @@ }, { "title": "Uses Floating IP address for access through the public internet", - "description": "No" + "description": "Yes" } ], "diagrams": [ diff --git a/modules/landing_zone_vsi/configuration_steps/configure_management_vsi.sh b/modules/landing_zone_vsi/configuration_steps/configure_management_vsi.sh index 4c694d5f..722e196e 100644 --- a/modules/landing_zone_vsi/configuration_steps/configure_management_vsi.sh +++ b/modules/landing_zone_vsi/configuration_steps/configure_management_vsi.sh @@ -162,6 +162,11 @@ LSF_RSH="ssh -o 'PasswordAuthentication no' -o 'StrictHostKeyChecking no'" EOT sed -i "s/LSF_MASTER_LIST=.*/LSF_MASTER_LIST=\"${mgmt_hostnames}\"/g" $LSF_CONF_FILE + # Updating the worker node count to 2000 when no VPC file share is declared. + if [[ $vpc_file_share_count == 0 ]]; then + sed -i 's/THRESHOLD\[250\]/THRESHOLD\[2000\]/' $LSF_CONF_FILE + fi + if [ "$hyperthreading" == true ]; then ego_define_ncpus="threads" else 
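Review bot: The new `sysdig-monitor` entry in the `@@ -343,21 +363,28 @@` hunk asks for platform `role:Administrator` in addition to `serviceRole:Manager`, while the other services listed in this hunk (`is.vpc`, `dns-svcs`, `is.flow-log-collector`) ask for `role:Editor`. Administrator also lets the deploying identity manage access to the service, which provisioning a monitoring instance does not obviously need. If nothing in the Terraform assigns IAM policies on the monitoring instance, `"crn:v1:bluemix:public:iam::::role:Editor"` would keep the documented requirement at least privilege. This list is presumably what users are told to grant before deploying, so an overstated role here tends to be copied into real access policies.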
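Review bot: The `sed` added in the `@@ -162,6 +162,11 @@` hunk of configure_management_vsi.sh changes something only if `$LSF_CONF_FILE` contains the literal `THRESHOLD[250]`, and nothing checks that it matched. If the shipped default differs, the lower limit stays in place with no trace in the log. A follow-up such as `grep -q 'THRESHOLD\[2000\]' "$LSF_CONF_FILE" || echo "THRESHOLD not raised to 2000" >&2` would surface that. The enclosing block starts before and ends after the hunk, so how `vpc_file_share_count` reaches this script is not visible here.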
@@ -572,7 +577,7 @@ dns_domain="${dns_domain}" ManagementHostNames="${mgmt_hostnames}" lsf_public_key="${cluster_public_key_content}" hyperthreading=${hyperthreading} -nfs_server_with_mount_path="${nfs_server_with_mount_path}" +nfs_server_with_mount_path="" custom_file_shares="${custom_file_shares}" custom_mount_paths="${custom_mount_paths}" login_ip_address="${login_ip}" @@ -634,8 +639,6 @@ echo "Setting LSF share" # Setup file share if [ -n "${nfs_server_with_mount_path}" ]; then echo "File share ${nfs_server_with_mount_path} found" - # Create a data directory for sharing HPC workload data ### is this used? - mkdir -p "${LSF_TOP}/data" nfs_client_mount_path="/mnt/lsf" rm -rf "${nfs_client_mount_path}" mkdir -p "${nfs_client_mount_path}" @@ -674,6 +677,13 @@ if [ -n "${nfs_server_with_mount_path}" ]; then ln -fs "${nfs_client_mount_path}/gui-conf" "${LSF_SUITE_GUI_CONF}" chown -R lsfadmin:root "${LSF_SUITE_GUI_CONF}" + # Create a data directory for sharing HPC workload data + if [ "$on_primary" == "true" ]; then + mkdir -p "${nfs_client_mount_path}/data" + ln -s "${nfs_client_mount_path}/data" "$LSF_TOP/work/data" + chown -R lsfadmin:root "$LSF_TOP/work/data" + fi + # VNC Sessions if [ "$on_primary" == "true" ]; then mkdir -p "${nfs_client_mount_path}/repository-path" diff --git a/modules/landing_zone_vsi/configuration_steps/management_values.tpl b/modules/landing_zone_vsi/configuration_steps/management_values.tpl index 564fbaf7..be3e111b 100644 --- a/modules/landing_zone_vsi/configuration_steps/management_values.tpl +++ b/modules/landing_zone_vsi/configuration_steps/management_values.tpl @@ -36,6 +36,7 @@ hyperthreading="${hyperthreading}" network_interface=${network_interface} dns_domain="${dns_domain}" mount_path="${mount_path}" +vpc_file_share_count="${vpc_file_share_count}" custom_file_shares="${custom_file_shares}" custom_mount_paths="${custom_mount_paths}" contract_id="${contract_id}" 
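Review bot: `nfs_server_with_mount_path=""` in the `@@ -572,7 +577,7 @@` hunk replaces the interpolated value with a hard-coded empty string and carries no explanation. Whatever consumes this block will now always see an empty share path, so any `[ -n "${nfs_server_with_mount_path}" ]` branch there is skipped; it looks like generated configuration for another node, but the start of the block is outside the hunk. If that is the intent, a comment above the line such as `# default LSF share is intentionally not mounted here; only custom_file_shares are used` would document it.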
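Review bot: The added `ln -s "${nfs_client_mount_path}/data" "$LSF_TOP/work/data"` in the `@@ -674,6 +677,13 @@` hunk omits `-f`, while the neighbouring gui-conf link uses `ln -fs`. If `$LSF_TOP/work/data` already exists, for example on a re-run or as a directory shipped in the image, `ln` either fails or creates the link inside that directory. The following `chown -R lsfadmin:root "$LSF_TOP/work/data"` then applies to whatever is at that path rather than to the shared directory. `ln -fsn "${nfs_client_mount_path}/data" "$LSF_TOP/work/data"` makes the re-run case idempotent, though a pre-existing real directory would still need explicit handling. The data directory also moves from `${LSF_TOP}/data` (removed in the previous hunk) to `$LSF_TOP/work/data`, so anything still referring to the old path needs checking.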
diff --git a/modules/landing_zone_vsi/template_files.tf b/modules/landing_zone_vsi/template_files.tf index 69ac53d4..7e080bbf 100644 --- a/modules/landing_zone_vsi/template_files.tf +++ b/modules/landing_zone_vsi/template_files.tf @@ -25,6 +25,8 @@ data "template_file" "login_user_data" { cluster_private_key_content = local.enable_management ? module.compute_key[0].private_key_content : "" cluster_public_key_content = local.enable_management ? module.compute_key[0].public_key_content : "" mount_path = var.share_path + custom_mount_paths = join(" ", concat(local.vpc_file_share[*]["mount_path"], local.nfs_file_share[*]["mount_path"])) + custom_file_shares = join(" ", concat([for file_share in var.file_share : file_share], local.nfs_file_share[*]["nfs_share"])) enable_ldap = var.enable_ldap rc_cidr_block = local.bastion_subnets[0].cidr cluster_prefix = var.prefix @@ -78,6 +80,7 @@ data "template_file" "management_values" { network_interface = local.vsi_interfaces[0] dns_domain = var.dns_domain_names["compute"] mount_path = var.share_path + vpc_file_share_count = var.vpc_file_share_count custom_mount_paths = join(" ", concat(local.vpc_file_share[*]["mount_path"], local.nfs_file_share[*]["mount_path"])) custom_file_shares = join(" ", concat([for file_share in var.file_share : file_share], local.nfs_file_share[*]["nfs_share"])) contract_id = var.contract_id diff --git a/modules/landing_zone_vsi/templates/login_user_data.tpl b/modules/landing_zone_vsi/templates/login_user_data.tpl index 30f63d28..b928bb0b 100644 --- a/modules/landing_zone_vsi/templates/login_user_data.tpl +++ b/modules/landing_zone_vsi/templates/login_user_data.tpl 
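Review bot: The `custom_mount_paths` and `custom_file_shares` values added to `login_user_data` in the `@@ -25,6 +25,8 @@` hunk are two space-joined strings that the login node later splits into arrays and pairs by index, and their first halves come from different sources (`local.vpc_file_share[*]["mount_path"]` versus `var.file_share`). Any value containing whitespace splits during word splitting and shifts every later pair, so a share can end up mounted on the wrong path. The same happens if `local.nfs_file_share` can hold an entry with an empty `nfs_share`; its definition is not in this patch. The strings are also placed inside double quotes in login_user_data.tpl and reused in login_vsi.sh (both later in this patch), where a `"`, `$` or backtick in a value would be interpreted by the shell during instance initialisation. A `validation` block on the input variable that restricts `mount_path` to something like `^/[A-Za-z0-9._/-]+$` and rejects empty `nfs_share` entries would close both gaps, and since the same expressions already feed `management_values` it would cover that path too.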
@@ -15,6 +15,8 @@ dns_domain="${dns_domain}" cluster_private_key_content="${cluster_private_key_content}" cluster_public_key_content="${cluster_public_key_content}" mount_path="${mount_path}" +custom_mount_paths="${custom_mount_paths}" +custom_file_shares="${custom_file_shares}" enable_ldap="${enable_ldap}" network_interface=""${network_interface}"" rc_cidr_block="${rc_cidr_block}" diff --git a/modules/landing_zone_vsi/templates/login_vsi.sh b/modules/landing_zone_vsi/templates/login_vsi.sh index c2b82e0a..48bc6d96 100644 --- a/modules/landing_zone_vsi/templates/login_vsi.sh +++ b/modules/landing_zone_vsi/templates/login_vsi.sh @@ -15,7 +15,8 @@ LSF_CONF=$LSF_TOP/conf LSF_HOSTS_FILE="/etc/hosts" nfs_server_with_mount_path=${mount_path} - +custom_mount_paths="${custom_mount_paths}" +custom_file_shares="${custom_file_shares}" # Setup logs for user data echo "START $(date '+%Y-%m-%d %H:%M:%S')" >> $logfile @@ -107,10 +108,9 @@ EOT sh $command && (crontab -l 2>/dev/null; echo "@reboot $command") | crontab - fi -# Setup LSF -echo "Setting LSF share." >> $logfile -# Setup file share +# Setup Default LSF Share if [ -n "${nfs_server_with_mount_path}" ]; then + echo "Setting Default LSF share." >> $logfile echo "File share ${nfs_server_with_mount_path} found" >> $logfile nfs_client_mount_path="/mnt/lsf" rm -rf "${nfs_client_mount_path}" 
@@ -133,11 +133,38 @@ if [ -n "${nfs_server_with_mount_path}" ]; then ln -fs "${nfs_client_mount_path}/$dir" "${LSF_TOP}" chown -R lsfadmin:root "${LSF_TOP}" done + echo "Setting Default LSF share is completed." >> $logfile else echo "No mount point value found, exiting!" >> $logfile exit 1 fi -echo "Setting LSF share is completed." >> $logfile + +# Setup Custom File shares +if [ -n "${custom_file_shares}" ]; then + echo "Setting custom file shares." >> $logfile + echo "Custom file share ${custom_file_shares} found" >> $logfile + file_share_array=(${custom_file_shares}) + mount_path_array=(${custom_mount_paths}) + length=${#file_share_array[@]} + for (( i=0; i> /etc/fstab + echo "Setting custom file shares is completed." >> $logfile + done +fi echo "source ${LSF_CONF}/profile.lsf" >> "${lsfadmin_home_dir}"/.bashrc echo "source ${LSF_CONF}/profile.lsf" >> /root/.bashrc diff --git a/modules/landing_zone_vsi/variables.tf b/modules/landing_zone_vsi/variables.tf index ab3bdaff..e799780f 100644 --- a/modules/landing_zone_vsi/variables.tf +++ b/modules/landing_zone_vsi/variables.tf @@ -236,6 +236,11 @@ variable "file_share" { description = "VPC file share mount points considering the ip address and the file share name" } +variable "vpc_file_share_count" { + type = number + description = "Requested number of VPC file shares." +} + variable "login_private_ips" { description = "Login private IPs" type = string diff --git a/samples/configs/hpc_schematics_values.json b/samples/configs/hpc_schematics_values.json index 9e76e252..a7171cad 100644 --- a/samples/configs/hpc_schematics_values.json +++ b/samples/configs/hpc_schematics_values.json 
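Review bot: `file_share_array=(${custom_file_shares})` and `mount_path_array=(${custom_mount_paths})` in the `@@ -133,11 +133,38 @@` hunk of login_vsi.sh expand unquoted, so the values are glob-expanded as well as split. The loop then indexes both arrays by the length of the first without checking that they are the same size. `read -r -a file_share_array <<< "${custom_file_shares}"` (and the same for the mount paths) avoids the glob expansion, and a guard like `[ "${#file_share_array[@]}" -eq "${#mount_path_array[@]}" ] || { echo "custom file share / mount path count mismatch" >> $logfile; exit 1; }` stops before a share is mounted on the wrong path. The `echo "Setting custom file shares is completed."` line sits before `done`, so it is logged once per share rather than once at the end. Most of the loop body is missing from the page as shown (the text between `for (( i=0;` and `>> /etc/fstab`), so the mount and fstab handling could not be reviewed.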
@@ -59,7 +59,8 @@ "value": "Default", "type": "string", "secure": false, - "description": "Resource group name from your IBM Cloud account where the VPC resources should be deployed. Note. If the resource group value is set as null, automation creates two different RG with the name (workload-rg and service-rg). For additional information on resource groups, see [Managing resource groups](https://cloud.ibm.com/docs/account?topic=account-rgs)." + "description": "Specify the existing resource group name from your IBM Cloud account where the VPC resources should be deployed. By default, the resource group name is set to 'Default.' Note that in some older accounts, the resource group name may be 'default,' so please validate the resource_group name before deployment. If the resource group value is set to null, the automation will create two different resource groups named 'workload-rg' and 'service-rg.' For more information on resource groups, refer to Managing resource groups." + }, { "name": "zones", diff --git a/solutions/hpc/README.md b/solutions/hpc/README.md index 6a99962a..c18c20c4 100644 --- a/solutions/hpc/README.md +++ b/solutions/hpc/README.md @@ -2,17 +2,17 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.3, < 1.7 | -| [http](#requirement\_http) | 3.4.2 | -| [ibm](#requirement\_ibm) | 1.65.1 | +| [terraform](#requirement\_terraform) | >= 1.3 | +| [http](#requirement\_http) | 3.4.3 | +| [ibm](#requirement\_ibm) | 1.66.0 | | [null](#requirement\_null) | 3.2.2 | ## Providers | Name | Version | |------|---------| -| [http](#provider\_http) | 3.4.2 | -| [ibm](#provider\_ibm) | 1.65.1 | +| [http](#provider\_http) | 3.4.3 | +| [ibm](#provider\_ibm) | 1.66.0 | | [null](#provider\_null) | 3.2.2 | ## Modules 
@@ -52,19 +52,19 @@ | Name | Type | |------|------| -| [ibm_dns_resource_record.pac_cname](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.65.1/docs/resources/dns_resource_record) | resource | -| [ibm_is_subnet_public_gateway_attachment.zone_1_attachment](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.65.1/docs/resources/is_subnet_public_gateway_attachment) | resource | +| [ibm_dns_resource_record.pac_cname](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.66.0/docs/resources/dns_resource_record) | resource | +| [ibm_is_subnet_public_gateway_attachment.zone_1_attachment](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.66.0/docs/resources/is_subnet_public_gateway_attachment) | resource | | [null_resource.destroy_compute_resources](https://registry.terraform.io/providers/hashicorp/null/3.2.2/docs/resources/resource) | resource | -| [http_http.reservation_id_validation](https://registry.terraform.io/providers/hashicorp/http/3.4.2/docs/data-sources/http) | data source | -| [ibm_iam_auth_token.auth_token](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.65.1/docs/data-sources/iam_auth_token) | data source | -| [ibm_is_public_gateways.public_gateways](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.65.1/docs/data-sources/is_public_gateways) | data source | -| [ibm_is_region.region](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.65.1/docs/data-sources/is_region) | data source | -| [ibm_is_subnet.existing_login_subnet](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.65.1/docs/data-sources/is_subnet) | data source | -| [ibm_is_subnet.existing_subnet](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.65.1/docs/data-sources/is_subnet) | data source | -| [ibm_is_vpc.existing_vpc](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.65.1/docs/data-sources/is_vpc) | data source | -| [ibm_is_vpc.itself](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.65.1/docs/data-sources/is_vpc) | data source | -| 
[ibm_is_vpc.vpc](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.65.1/docs/data-sources/is_vpc) | data source | -| [ibm_is_vpc_address_prefixes.existing_vpc](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.65.1/docs/data-sources/is_vpc_address_prefixes) | data source | +| [http_http.reservation_id_validation](https://registry.terraform.io/providers/hashicorp/http/3.4.3/docs/data-sources/http) | data source | +| [ibm_iam_auth_token.auth_token](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.66.0/docs/data-sources/iam_auth_token) | data source | +| [ibm_is_public_gateways.public_gateways](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.66.0/docs/data-sources/is_public_gateways) | data source | +| [ibm_is_region.region](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.66.0/docs/data-sources/is_region) | data source | +| [ibm_is_subnet.existing_login_subnet](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.66.0/docs/data-sources/is_subnet) | data source | +| [ibm_is_subnet.existing_subnet](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.66.0/docs/data-sources/is_subnet) | data source | +| [ibm_is_vpc.existing_vpc](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.66.0/docs/data-sources/is_vpc) | data source | +| [ibm_is_vpc.itself](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.66.0/docs/data-sources/is_vpc) | data source | +| [ibm_is_vpc.vpc](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.66.0/docs/data-sources/is_vpc) | data source | +| [ibm_is_vpc_address_prefixes.existing_vpc](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.66.0/docs/data-sources/is_vpc_address_prefixes) | data source | ## Inputs 
@@ -74,7 +74,7 @@ | [TF\_VALIDATION\_SCRIPT\_FILES](#input\_TF\_VALIDATION\_SCRIPT\_FILES) | List of script file names used by validation test suites. If provided, these scripts will be executed as part of validation test suites execution. | `list(string)` | `[]` | no | | [TF\_VERSION](#input\_TF\_VERSION) | The version of the Terraform engine that's used in the Schematics workspace. | `string` | `"1.5"` | no | | [app\_center\_gui\_pwd](#input\_app\_center\_gui\_pwd) | Password for IBM Spectrum LSF Application Center GUI. Note: Password should be at least 8 characters, must have one number, one lowercase letter, one uppercase letter, and at least one special character. | `string` | `""` | no | -| [app\_center\_high\_availability](#input\_app\_center\_high\_availability) | Set to false to disable the IBM Spectrum LSF Application Center GUI High Availability (default: true). | `bool` | `true` | no | +| [app\_center\_high\_availability](#input\_app\_center\_high\_availability) | Set to false to disable the IBM Spectrum LSF Application Center GUI High Availability (default: true). If the value is set as true, provide a certificate instance crn under existing\_certificate\_instance value for the VPC load balancer to enable HTTPS connections.[certificate instance requirements](https://cloud.ibm.com/docs/allowlist/hpc-service?topic=hpc-service-before-deploy-application-center). | `bool` | `true` | no | | [bastion\_instance\_name](#input\_bastion\_instance\_name) | Bastion instance name. If none given then new bastion will be created. | `string` | `null` | no | | [bastion\_instance\_public\_ip](#input\_bastion\_instance\_public\_ip) | Bastion instance public ip address. | `string` | `null` | no | | [bastion\_security\_group\_id](#input\_bastion\_security\_group\_id) | Bastion security group id. | `string` | `null` | no | 
@@ -87,9 +87,9 @@ | [compute\_ssh\_keys](#input\_compute\_ssh\_keys) | Provide the list of SSH key names configured in your IBM Cloud account to establish a connection to the IBM Cloud HPC cluster node. Ensure the SSH key is present in the same resource group and region where the cluster is being provisioned. If you do not have an SSH key in your IBM Cloud account, create one by following the provided instructions.[SSH Keys](https://cloud.ibm.com/docs/vpc?topic=vpc-ssh-keys). | `list(string)` | n/a | yes | | [cos\_instance\_name](#input\_cos\_instance\_name) | Provide the name of the existing cos instance to store vpc flow logs. | `string` | `null` | no | | [custom\_file\_shares](#input\_custom\_file\_shares) | Mount points and sizes in GB and IOPS range of file shares that can be used to customize shared file storage layout. Provide the details for up to 5 shares. Each file share size in GB supports different range of IOPS. For more information, see [file share IOPS value](https://cloud.ibm.com/docs/vpc?topic=vpc-file-storage-profiles&interface=ui). |
list(object({
mount_path = string,
size = optional(number),
iops = optional(number),
nfs_share = optional(string)
}))
|
[
{
"iops": 2000,
"mount_path": "/mnt/vpcstorage/tools",
"size": 100
},
{
"iops": 6000,
"mount_path": "/mnt/vpcstorage/data",
"size": 100
},
{
"mount_path": "/mnt/scale/tools",
"nfs_share": ""
}
]
| no | -| [dns\_custom\_resolver\_id](#input\_dns\_custom\_resolver\_id) | Provide the id of existing IBM Cloud DNS custom resolver to skip creating a new custom resolver. Note: A VPC can be associated only to a single custom resolver, please provide the id of custom resolver if it is already associated to the VPC. | `string` | `null` | no | +| [dns\_custom\_resolver\_id](#input\_dns\_custom\_resolver\_id) | Provide the id of existing IBM Cloud DNS custom resolver to skip creating a new custom resolver. If the value is set to null, a new dns custom resolver shall be created and associated to the vpc. Note: A VPC can be associated only to a single custom resolver, please provide the id of custom resolver if it is already associated to the VPC. | `string` | `null` | no | | [dns\_domain\_name](#input\_dns\_domain\_name) | IBM Cloud DNS Services domain name to be used for the IBM Cloud HPC cluster. |
object({
compute = string
#storage = string
#protocol = string
})
|
{
"compute": "hpcaas.com"
}
| no | -| [dns\_instance\_id](#input\_dns\_instance\_id) | Provide the id of existing IBM Cloud DNS services domain to skip creating a new DNS service instance name. Note: If dns\_instance\_id is not equal to null, a new dns zone will be created under the existing dns service instance. | `string` | `null` | no | +| [dns\_instance\_id](#input\_dns\_instance\_id) | Provide the id of existing IBM Cloud DNS services domain to skip creating a new DNS service instance name.Note: If dns\_instance\_id is not equal to null, a new dns zone will be created under the existing dns service instance. | `string` | `null` | no | | [enable\_app\_center](#input\_enable\_app\_center) | Set to true to enable the IBM Spectrum LSF Application Center GUI (default: false). [System requirements](https://www.ibm.com/docs/en/slac/10.2.0?topic=requirements-system-102-fix-pack-14) for IBM Spectrum LSF Application Center Version 10.2 Fix Pack 14. | `bool` | `false` | no | | [enable\_cos\_integration](#input\_enable\_cos\_integration) | Set to true to create an extra cos bucket to integrate with HPC cluster deployment. | `bool` | `false` | no | | [enable\_fip](#input\_enable\_fip) | The solution supports multiple ways to connect to your IBM Cloud HPC cluster for example, using a login node, or using VPN or direct connection. If connecting to the IBM Cloud HPC cluster using VPN or direct connection, set this value to false. | `bool` | `true` | no | 
@@ -98,9 +98,9 @@ | [existing\_certificate\_instance](#input\_existing\_certificate\_instance) | When app\_center\_high\_availability is enable/set as true, The Application Center will be configured for high availability and requires a Application Load Balancer Front End listener to use a certificate CRN value stored in the Secret Manager. Provide the valid 'existing\_certificate\_instance' to configure the Application load balancer. | `string` | `""` | no | | [hyperthreading\_enabled](#input\_hyperthreading\_enabled) | Setting this to true will enable hyper-threading in the compute nodes of the cluster (default). Otherwise, hyper-threading will be disabled. | `bool` | `true` | no | | [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | IBM Cloud API key for the IBM Cloud account where the IBM Cloud HPC cluster needs to be deployed. For more information on how to create an API key, see [Managing user API keys](https://cloud.ibm.com/docs/account?topic=account-userapikey). | `string` | n/a | yes | -| [key\_management](#input\_key\_management) | Set the value as key\_protect to enable customer managed encryption for boot volume and file share. If the key\_management is set as null, encryption will be always provider managed. | `string` | `"key_protect"` | no | -| [kms\_instance\_name](#input\_kms\_instance\_name) | Provide the name of the existing Key Protect instance associated with the Key Management Service. Note: To use existing kms\_instance\_name shall be considered only if key\_management value is set as key\_protect under key\_management variable. The name can be found under the details of the KMS, see [View key-protect ID](https://cloud.ibm.com/docs/key-protect?topic=key-protect-retrieve-instance-ID&interface=ui). | `string` | `null` | no | -| [kms\_key\_name](#input\_kms\_key\_name) | Provide the existing KMS encryption key name that you want to use for the IBM Cloud HPC cluster. 
Note: kms\_key\_name to be considered only if key\_management value is set as key\_protect under key\_management variable.(for example kms\_key\_name: my-encryption-key). | `string` | `null` | no | +| [key\_management](#input\_key\_management) | Set the value as key\_protect to enable customer managed encryption for boot volume and file share. If the key\_management is set as null, IBM Cloud resources will be always be encrypted through provider managed. | `string` | `"key_protect"` | no | +| [kms\_instance\_name](#input\_kms\_instance\_name) | Provide the name of the existing Key Protect instance associated with the Key Management Service. Note: To use existing kms\_instance\_name set key\_management as key\_protect. The name can be found under the details of the KMS, see [View key-protect ID](https://cloud.ibm.com/docs/key-protect?topic=key-protect-retrieve-instance-ID&interface=ui). | `string` | `null` | no | +| [kms\_key\_name](#input\_kms\_key\_name) | Provide the existing kms key name that you want to use for the IBM Cloud HPC cluster. Note: kms\_key\_name to be considered only if key\_management value is set as key\_protect.(for example kms\_key\_name: my-encryption-key). | `string` | `null` | no | | [ldap\_admin\_password](#input\_ldap\_admin\_password) | The LDAP administrative password should be 8 to 20 characters long, with a mix of at least three alphabetic characters, including one uppercase and one lowercase letter. It must also include two numerical digits and at least one special character from (~@\_+:) are required. It is important to avoid including the username in the password for enhanced security.[This value is ignored for an existing LDAP server]. | `string` | `""` | no | | [ldap\_basedns](#input\_ldap\_basedns) | The dns domain name is used for configuring the LDAP server. If an LDAP server is already in existence, ensure to provide the associated DNS domain name. 
| `string` | `"hpcaas.com"` | no | | [ldap\_server](#input\_ldap\_server) | Provide the IP address for the existing LDAP server. If no address is given, a new LDAP server will be created. | `string` | `"null"` | no | 
@@ -120,13 +120,13 @@ | [observability\_monitoring\_plan](#input\_observability\_monitoring\_plan) | Type of service plan for IBM Cloud Monitoring instance. You can choose one of the following: lite, graduated-tier. For all details visit [IBM Cloud Monitoring Service Plans](https://cloud.ibm.com/docs/monitoring?topic=monitoring-service_plans). | `string` | `"graduated-tier"` | no | | [remote\_allowed\_ips](#input\_remote\_allowed\_ips) | Comma-separated list of IP addresses that can access the IBM Cloud HPC cluster instance through an SSH interface. For security purposes, provide the public IP addresses assigned to the devices that are authorized to establish SSH connections (for example, ["169.45.117.34"]). To fetch the IP address of the device, use [https://ipv4.icanhazip.com/](https://ipv4.icanhazip.com/). | `list(string)` | n/a | yes | | [reservation\_id](#input\_reservation\_id) | Ensure that you have received the reservation ID from IBM technical sales. Reservation ID is a unique identifier to distinguish different IBM Cloud HPC service agreements. It must start with a letter and can only contain letters, numbers, hyphens (-), or underscores (\_). | `string` | n/a | yes | -| [resource\_group](#input\_resource\_group) | Resource group name from your IBM Cloud account where the VPC resources should be deployed. Note. If the resource group value is set as null, automation creates two different RG with the name (workload-rg and service-rg). For additional information on resource groups, see [Managing resource groups](https://cloud.ibm.com/docs/account?topic=account-rgs). | `string` | `"Default"` | no | +| [resource\_group](#input\_resource\_group) | Specify the existing resource group name from your IBM Cloud account where the VPC resources should be deployed. By default, the resource group name is set to 'Default.' Note that in some older accounts, the resource group name may be 'default,' so please validate the resource\_group name before deployment. 
If the resource group value is set to null, the automation will create two different resource groups named 'workload-rg' and 'service-rg.' For more information on resource groups, refer to Managing resource groups. | `string` | `"Default"` | no | | [scc\_enable](#input\_scc\_enable) | Flag to enable SCC instance creation. If true, an instance of SCC (Security and Compliance Center) will be created. | `bool` | `false` | no | | [scc\_event\_notification\_plan](#input\_scc\_event\_notification\_plan) | Event Notifications Instance plan to be used (it's used with S.C.C. instance), possible values 'lite' and 'standard'. | `string` | `"lite"` | no | | [scc\_location](#input\_scc\_location) | Location where the SCC instance is provisioned (possible choices 'us-south', 'eu-de', 'ca-tor', 'eu-es') | `string` | `"us-south"` | no | | [scc\_profile](#input\_scc\_profile) | Profile to be set on the SCC Instance (accepting empty, 'CIS IBM Cloud Foundations Benchmark' and 'IBM Cloud Framework for Financial Services') | `string` | `"CIS IBM Cloud Foundations Benchmark"` | no | | [scc\_profile\_version](#input\_scc\_profile\_version) | Version of the Profile to be set on the SCC Instance (accepting empty, CIS and Financial Services profiles versions) | `string` | `"1.0.0"` | no | -| [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set it to false if authorization policy is required for VPC block storage volumes to access kms. This can be set to true if authorization policy already exists. For more information on how to create authorization policy manually, see [creating authorization policies for block storage volume](https://cloud.ibm.com/docs/vpc?topic=vpc-block-s2s-auth&interface=ui). | `string` | `false` | no | +| [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to false if authorization policy is required for VPC block storage volumes to access kms. This can be set to true if authorization policy already exists. 
For more information on how to create authorization policy manually, see [creating authorization policies for block storage volume](https://cloud.ibm.com/docs/vpc?topic=vpc-block-s2s-auth&interface=ui). | `string` | `false` | no | | [skip\_iam\_share\_authorization\_policy](#input\_skip\_iam\_share\_authorization\_policy) | Set it to false if authorization policy is required for VPC file share to access kms. This can be set to true if authorization policy already exists. For more information on how to create authorization policy manually, see [creating authorization policies for VPC file share](https://cloud.ibm.com/docs/vpc?topic=vpc-file-s2s-auth&interface=ui). | `bool` | `false` | no | | [storage\_security\_group\_id](#input\_storage\_security\_group\_id) | Provide the storage security group ID created from the Spectrum Scale storage cluster if the nfs\_share value is updated to use the scale fileset mountpoints under the cluster\_file\_share variable. | `string` | `null` | no | | [vpc\_cidr](#input\_vpc\_cidr) | Creates the address prefix for the new VPC, when the vpc\_name variable is empty. The VPC requires an address prefix for creation of subnet in a single zone. The subnet are created with the specified CIDR blocks. For more information, see [Setting IP ranges](https://cloud.ibm.com/docs/vpc?topic=vpc-vpc-addressing-plan-design). | `string` | `"10.241.0.0/18"` | no | 
@@ -143,6 +143,7 @@
 | [application\_center\_tunnel](#output\_application\_center\_tunnel) | Available if IBM Spectrum LSF Application Center GUI is installed |
 | [application\_center\_url](#output\_application\_center\_url) | Available if IBM Spectrum LSF Application Center GUI is installed |
 | [application\_center\_url\_note](#output\_application\_center\_url\_note) | Available if IBM Spectrum LSF Application Center GUI is installed in High Availability |
+| [cloud\_monitoring\_url](#output\_cloud\_monitoring\_url) | IBM Cloud Monitoring URL |
 | [image\_entry\_found](#output\_image\_entry\_found) | Available if the image name provided is located within the image map |
 | [ldap\_hostnames](#output\_ldap\_hostnames) | LDAP nodes have these hostnames: |
 | [ldap\_ips](#output\_ldap\_ips) | LDAP nodes have these IPs: |
diff --git a/solutions/hpc/main.tf b/solutions/hpc/main.tf
index ba68c198..a9e006d0 100644
--- a/solutions/hpc/main.tf
+++ b/solutions/hpc/main.tf
@@ -95,6 +95,7 @@ module "landing_zone_vsi" {
 kms_encryption_enabled = local.kms_encryption_enabled
 boot_volume_encryption_key = local.boot_volume_encryption_key
 share_path = local.share_path
+ vpc_file_share_count = length(local.vpc_file_share)
 hyperthreading_enabled = var.hyperthreading_enabled
 app_center_gui_pwd = var.app_center_gui_pwd
 enable_app_center = var.enable_app_center
diff --git a/solutions/hpc/variables.tf b/solutions/hpc/variables.tf
index 05937dec..5d4fb56e 100644
--- a/solutions/hpc/variables.tf
+++ b/solutions/hpc/variables.tf
@@ -17,7 +17,7 @@ variable "ibmcloud_api_key" {
 ##############################################################################
 variable "resource_group" {
- description = "Resource group name from your IBM Cloud account where the VPC resources should be deployed. Note. If the resource group value is set as null, automation creates two different RG with the name (workload-rg and service-rg). For additional information on resource groups, see [Managing resource groups](https://cloud.ibm.com/docs/account?topic=account-rgs)."
+ description = "Specify the existing resource group name from your IBM Cloud account where the VPC resources should be deployed. By default, the resource group name is set to 'Default.' Note that in some older accounts, the resource group name may be 'default,' so please validate the resource_group name before deployment. If the resource group value is set to null, the automation will create two different resource groups named 'workload-rg' and 'service-rg.' For more information on resource groups, refer to Managing resource groups."
 type = string
 default = "Default"
 validation {
@@ -253,7 +253,7 @@ variable "storage_security_group_id" {
 variable "dns_instance_id" {
 type = string
 default = null
- description = "Provide the id of existing IBM Cloud DNS services domain to skip creating a new DNS service instance name. Note: If dns_instance_id is not equal to null, a new dns zone will be created under the existing dns service instance."
+ description = "Provide the id of existing IBM Cloud DNS services domain to skip creating a new DNS service instance name.Note: If dns_instance_id is not equal to null, a new dns zone will be created under the existing dns service instance."
 }
 variable "dns_domain_name" {
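Review bot: The new `resource_group` description ends with `refer to Managing resource groups.` but no longer carries the URL the old text linked, so the reference points nowhere. Keep the markdown link in the new sentence, e.g. `refer to [Managing resource groups](https://cloud.ibm.com/docs/account?topic=account-rgs).` The README row for this input earlier in the patch has the same wording. The `validation` block that follows continues outside the hunk.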
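Review bot: The new `dns_instance_id` description loses the space after its first sentence (`instance name.Note:`), so the rendered help text runs two sentences together; restore it as `... DNS service instance name. Note: If dns_instance_id ...`. The same spacing defect appears in the new `app_center_high_availability` text (`HTTPS connections.[certificate instance requirements]`) and is carried over unchanged in `kms_key_name` (`key_protect.(for example`).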
@@ -278,7 +278,7 @@ variable "dns_domain_name" {
 variable "dns_custom_resolver_id" {
 type = string
 default = null
- description = "Provide the id of existing IBM Cloud DNS custom resolver to skip creating a new custom resolver. Note: A VPC can be associated only to a single custom resolver, please provide the id of custom resolver if it is already associated to the VPC."
+ description = "Provide the id of existing IBM Cloud DNS custom resolver to skip creating a new custom resolver. If the value is set to null, a new dns custom resolver shall be created and associated to the vpc. Note: A VPC can be associated only to a single custom resolver, please provide the id of custom resolver if it is already associated to the VPC."
 }
 ##############################################################################
@@ -344,7 +344,7 @@ variable "observability_monitoring_plan" {
 variable "key_management" {
 type = string
 default = "key_protect"
- description = "Set the value as key_protect to enable customer managed encryption for boot volume and file share. If the key_management is set as null, encryption will be always provider managed."
+ description = "Set the value as key_protect to enable customer managed encryption for boot volume and file share. If the key_management is set as null, IBM Cloud resources will be always be encrypted through provider managed."
 validation {
 condition = var.key_management == "null" || var.key_management == null || var.key_management == "key_protect"
 error_message = "key_management must be either 'null' or 'key_protect'."
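Review bot: The rewritten null case in the `key_management` description is harder to read than the sentence it replaces: `will be always be encrypted through provider managed` has a doubled verb and no noun after `provider managed`. This variable decides whether boot volumes and file shares get customer-managed keys, so the fallback should be stated plainly, e.g. `If key_management is set to null, encryption is always provider managed.` The validation in the context lines accepts both `null` and the string `"null"`, which the description could also mention. The variable block continues past the end of the hunk.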
@@ -354,13 +354,13 @@ variable "key_management" {
 variable "kms_instance_name" {
 type = string
 default = null
- description = "Provide the name of the existing Key Protect instance associated with the Key Management Service. Note: To use existing kms_instance_name shall be considered only if key_management value is set as key_protect under key_management variable. The name can be found under the details of the KMS, see [View key-protect ID](https://cloud.ibm.com/docs/key-protect?topic=key-protect-retrieve-instance-ID&interface=ui)."
+ description = "Provide the name of the existing Key Protect instance associated with the Key Management Service. Note: To use existing kms_instance_name set key_management as key_protect. The name can be found under the details of the KMS, see [View key-protect ID](https://cloud.ibm.com/docs/key-protect?topic=key-protect-retrieve-instance-ID&interface=ui)."
 }
 variable "kms_key_name" {
 type = string
 default = null
- description = "Provide the existing KMS encryption key name that you want to use for the IBM Cloud HPC cluster. Note: kms_key_name to be considered only if key_management value is set as key_protect under key_management variable.(for example kms_key_name: my-encryption-key)."
+ description = "Provide the existing kms key name that you want to use for the IBM Cloud HPC cluster. Note: kms_key_name to be considered only if key_management value is set as key_protect.(for example kms_key_name: my-encryption-key)."
 }
 ##############################################################################
@@ -442,7 +442,7 @@ variable "app_center_gui_pwd" {
 variable "app_center_high_availability" {
 type = bool
 default = true
- description = "Set to false to disable the IBM Spectrum LSF Application Center GUI High Availability (default: true)."
+ description = "Set to false to disable the IBM Spectrum LSF Application Center GUI High Availability (default: true). If the value is set as true, provide a certificate instance crn under existing_certificate_instance value for the VPC load balancer to enable HTTPS connections.[certificate instance requirements](https://cloud.ibm.com/docs/allowlist/hpc-service?topic=hpc-service-before-deploy-application-center)."
 }
 variable "enable_fip" {
@@ -507,7 +507,7 @@ variable "ldap_vsi_osimage_name" {
 variable "skip_iam_authorization_policy" {
 type = string
 default = false
- description = "Set it to false if authorization policy is required for VPC block storage volumes to access kms. This can be set to true if authorization policy already exists. For more information on how to create authorization policy manually, see [creating authorization policies for block storage volume](https://cloud.ibm.com/docs/vpc?topic=vpc-block-s2s-auth&interface=ui)."
+ description = "Set to false if authorization policy is required for VPC block storage volumes to access kms. This can be set to true if authorization policy already exists. For more information on how to create authorization policy manually, see [creating authorization policies for block storage volume](https://cloud.ibm.com/docs/vpc?topic=vpc-block-s2s-auth&interface=ui)."
 }
 variable "skip_iam_share_authorization_policy" {
diff --git a/tests/common_utils/deploy_utils.go b/tests/common_utils/deploy_utils.go
index 3f3c035e..65a3de7e 100644
--- a/tests/common_utils/deploy_utils.go
+++ b/tests/common_utils/deploy_utils.go
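Review bot: `skip_iam_authorization_policy` is still declared `type = string` with `default = false` in the context lines of the `@@ -507,7 +507,7 @@` hunk, while the README table in this patch lists the sibling `skip_iam_share_authorization_policy` as `bool`. The description edit is the natural place to align the two with `type = bool`. With a string type the default is presumably converted to the string `"false"`, so any expression elsewhere that compares this variable to a boolean is worth checking. The flag governs whether the block-storage-to-KMS authorization policy is created, so a surprising value could show up as a skipped or duplicated policy rather than as a type error.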
@@ -77,11 +77,10 @@ func GetConfigFromYAML(filePath string) (*Config, error) {
 }
 // Get the public IP
- ip, err := GetPublicIP()
+ ip, err = GetPublicIP()
 if err != nil {
 return nil, fmt.Errorf("failed to get public IP: %v", err)
 }
- config.RemoteAllowedIPs = ip
 // Load permanent resources from YAML
 permanentResources, err := common.LoadMapFromYaml(yamlLocation)
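Review bot: With `config.RemoteAllowedIPs = ip` removed, nothing in the visible lines reads `ip` any more, so the `GetPublicIP()` call looks like dead work that can still abort config loading with `failed to get public IP`. The switch from `:=` to `=` implies `ip` and `err` are declared earlier in `GetConfigFromYAML`, whose body starts and ends outside this hunk, so the value may be consumed elsewhere; if it is not, drop the call. Either way, state where the allowlist now comes from, for example `// RemoteAllowedIPs is taken from <config source, confirm>, not from the runner's public IP`. Also check that the new source keeps the allowed range as narrow as the single detected address did.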