feat: Updated the naming of VSIs provisioned by this module. If upgra…

…ding from a previous version be aware that your VSI will be renamed non-disruptively. For example a VSI named `my-vsi-1` will now be renamed to `my-vsi-001` (#536)

README.md

@@ -105,6 +105,7 @@ You need the following permissions to run this module.
 ## Examples
 
 - [ End to end basic example](examples/basic)
+- [ Complete Example using a placement group, attaching a load balancer, and adding additional data volumes](examples/complete)
 - [ Financial Services Cloud profile example](examples/fscloud)
 <!-- END EXAMPLES HOOK -->
 
@@ -155,7 +156,7 @@ No modules.
 | <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services instance in which the key specified in var.boot\_volume\_encryption\_key is coming from. | `string` | `null` | no |
 | <a name="input_image_id"></a> [image\_id](#input\_image\_id) | Image ID used for VSI. Run 'ibmcloud is images' to find available images in a region | `string` | n/a | yes |
 | <a name="input_kms_encryption_enabled"></a> [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that for the block storage volumes for VPC. If set to false, the data is encrypted by using randomly generated keys. For more info on encrypting block storage volumes, see https://cloud.ibm.com/docs/vpc?topic=vpc-creating-instances-byok | `bool` | `false` | no |
-| <a name="input_load_balancers"></a> [load\_balancers](#input\_load\_balancers) | Load balancers to add to VSI | <pre>list(<br>    object({<br>      name              = string<br>      type              = string<br>      listener_port     = number<br>      listener_protocol = string<br>      connection_limit  = number<br>      algorithm         = string<br>      protocol          = string<br>      health_delay      = number<br>      health_retries    = number<br>      health_timeout    = number<br>      health_type       = string<br>      pool_member_port  = string<br>      security_group = optional(<br>        object({<br>          name = string<br>          rules = list(<br>            object({<br>              name      = string<br>              direction = string<br>              source    = string<br>              tcp = optional(<br>                object({<br>                  port_max = number<br>                  port_min = number<br>                })<br>              )<br>              udp = optional(<br>                object({<br>                  port_max = number<br>                  port_min = number<br>                })<br>              )<br>              icmp = optional(<br>                object({<br>                  type = number<br>                  code = number<br>                })<br>              )<br>            })<br>          )<br>        })<br>      )<br>    })<br>  )</pre> | `[]` | no |
+| <a name="input_load_balancers"></a> [load\_balancers](#input\_load\_balancers) | Load balancers to add to VSI | <pre>list(<br>    object({<br>      name              = string<br>      type              = string<br>      listener_port     = number<br>      listener_protocol = string<br>      connection_limit  = number<br>      algorithm         = string<br>      protocol          = string<br>      health_delay      = number<br>      health_retries    = number<br>      health_timeout    = number<br>      health_type       = string<br>      pool_member_port  = string<br>      profile           = optional(string)<br>      dns = optional(<br>        object({<br>          instance_crn = string<br>          zone_id      = string<br>        })<br>      )<br>      security_group = optional(<br>        object({<br>          name = string<br>          rules = list(<br>            object({<br>              name      = string<br>              direction = string<br>              source    = string<br>              tcp = optional(<br>                object({<br>                  port_max = number<br>                  port_min = number<br>                })<br>              )<br>              udp = optional(<br>                object({<br>                  port_max = number<br>                  port_min = number<br>                })<br>              )<br>              icmp = optional(<br>                object({<br>                  type = number<br>                  code = number<br>                })<br>              )<br>            })<br>          )<br>        })<br>      )<br>    })<br>  )</pre> | `[]` | no |
 | <a name="input_machine_type"></a> [machine\_type](#input\_machine\_type) | VSI machine type. Run 'ibmcloud is instance-profiles' to get a list of regional profiles | `string` | n/a | yes |
 | <a name="input_placement_group_id"></a> [placement\_group\_id](#input\_placement\_group\_id) | Unique Identifier of the Placement Group for restricting the placement of the instance, default behaviour is placement on any host | `string` | `null` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The IBM Cloud platform API key needed to deploy IAM enabled resources | `string` | n/a | yes |

examples/basic/main.tf

@@ -3,24 +3,19 @@
 ##############################################################################
 
 locals {
-  resource_group_id = var.resource_group != null ? data.ibm_resource_group.existing_resource_group[0].id : ibm_resource_group.resource_group[0].id
-  ssh_key_id        = var.ssh_key != null ? data.ibm_is_ssh_key.existing_ssh_key[0].id : resource.ibm_is_ssh_key.ssh_key[0].id
+  ssh_key_id = var.ssh_key != null ? data.ibm_is_ssh_key.existing_ssh_key[0].id : resource.ibm_is_ssh_key.ssh_key[0].id
 }
 
 ##############################################################################
 # Resource Group
-# (if var.resource_group is null, create a new RG using var.prefix)
 ##############################################################################
 
-resource "ibm_resource_group" "resource_group" {
-  count    = var.resource_group != null ? 0 : 1
-  name     = "${var.prefix}-rg"
-  quota_id = null
-}
-
-data "ibm_resource_group" "existing_resource_group" {
-  count = var.resource_group != null ? 1 : 0
-  name  = var.resource_group
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.0.6"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
 }
 
 ##############################################################################
@@ -51,7 +46,7 @@ data "ibm_is_ssh_key" "existing_ssh_key" {
 module "slz_vpc" {
   source            = "terraform-ibm-modules/landing-zone-vpc/ibm"
   version           = "7.5.0"
-  resource_group_id = local.resource_group_id
+  resource_group_id = module.resource_group.resource_group_id
   region            = var.region
   prefix            = var.prefix
   tags              = var.resource_tags
@@ -64,7 +59,7 @@ module "slz_vpc" {
 
 resource "ibm_is_placement_group" "placement_group" {
   name           = "${var.prefix}-host-spread"
-  resource_group = local.resource_group_id
+  resource_group = module.resource_group.resource_group_id
   strategy       = "host_spread"
   tags           = var.resource_tags
 }
@@ -75,7 +70,7 @@ resource "ibm_is_placement_group" "placement_group" {
 
 module "slz_vsi" {
   source                     = "../../"
-  resource_group_id          = local.resource_group_id
+  resource_group_id          = module.resource_group.resource_group_id
   image_id                   = var.image_id
   create_security_group      = var.create_security_group
   security_group             = var.security_group

examples/complete/README.md

@@ -0,0 +1,10 @@
+# Complete Example using a placement group, attaching a load balancer, and adding additional data volumes
+
+It will provision the following:
+
+- A new resource group if one is not passed in.
+- A new public SSH key if one is not passed in.
+- A new VPC with 3 subnets.
+- A new placement group.
+- A VSI in each subnet placed in the placement group.
+- A new Application Load Balancer to balance traffic between all virtual servers that are created by this example.

examples/complete/main.tf

@@ -0,0 +1,125 @@
+##############################################################################
+# Locals
+##############################################################################
+
+locals {
+  ssh_key_id = var.ssh_key != null ? data.ibm_is_ssh_key.existing_ssh_key[0].id : resource.ibm_is_ssh_key.ssh_key[0].id
+}
+
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.0.6"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##############################################################################
+# Key Protect All Inclusive
+##############################################################################
+
+module "key_protect_all_inclusive" {
+  source                    = "terraform-ibm-modules/key-protect-all-inclusive/ibm"
+  version                   = "4.2.0"
+  resource_group_id         = module.resource_group.resource_group_id
+  region                    = var.region
+  key_protect_instance_name = "${var.prefix}-kp"
+  resource_tags             = var.resource_tags
+  key_map                   = { "slz-vsi" = ["${var.prefix}-vsi"] }
+}
+
+##############################################################################
+# Create new SSH key
+##############################################################################
+
+resource "tls_private_key" "tls_key" {
+  count     = var.ssh_key != null ? 0 : 1
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "ibm_is_ssh_key" "ssh_key" {
+  count      = var.ssh_key != null ? 0 : 1
+  name       = "${var.prefix}-ssh-key"
+  public_key = resource.tls_private_key.tls_key[0].public_key_openssh
+}
+
+data "ibm_is_ssh_key" "existing_ssh_key" {
+  count = var.ssh_key != null ? 1 : 0
+  name  = var.ssh_key
+}
+
+#############################################################################
+# Provision VPC
+#############################################################################
+
+module "slz_vpc" {
+  source            = "terraform-ibm-modules/landing-zone-vpc/ibm"
+  version           = "7.5.0"
+  resource_group_id = module.resource_group.resource_group_id
+  region            = var.region
+  prefix            = var.prefix
+  tags              = var.resource_tags
+  name              = "${var.prefix}-vpc"
+}
+
+#############################################################################
+# Placement group
+#############################################################################
+
+resource "ibm_is_placement_group" "placement_group" {
+  name           = "${var.prefix}-host-spread"
+  resource_group = module.resource_group.resource_group_id
+  strategy       = "host_spread"
+  tags           = var.resource_tags
+}
+
+#############################################################################
+# Provision VSI
+#############################################################################
+
+module "slz_vsi" {
+  source                     = "../../"
+  resource_group_id          = module.resource_group.resource_group_id
+  image_id                   = var.image_id
+  create_security_group      = false
+  tags                       = var.resource_tags
+  access_tags                = var.access_tags
+  subnets                    = module.slz_vpc.subnet_zone_list
+  vpc_id                     = module.slz_vpc.vpc_id
+  prefix                     = var.prefix
+  placement_group_id         = ibm_is_placement_group.placement_group.id
+  machine_type               = "cx2-2x4"
+  user_data                  = null
+  boot_volume_encryption_key = module.key_protect_all_inclusive.keys["slz-vsi.${var.prefix}-vsi"].crn
+  kms_encryption_enabled     = true
+  existing_kms_instance_guid = module.key_protect_all_inclusive.key_protect_guid
+  vsi_per_subnet             = 1
+  ssh_key_ids                = [local.ssh_key_id]
+  # Add 1 additional data volume to each VSI
+  block_storage_volumes = [
+    {
+      name    = var.prefix
+      profile = "10iops-tier"
+  }]
+  load_balancers = [
+    {
+      name              = "${var.prefix}-lb"
+      type              = "public"
+      listener_port     = 9080
+      listener_protocol = "http"
+      connection_limit  = 100
+      algorithm         = "round_robin"
+      protocol          = "http"
+      health_delay      = 60
+      health_retries    = 5
+      health_timeout    = 30
+      health_type       = "http"
+      pool_member_port  = 8080
+    }
+  ]
+}

examples/complete/outputs.tf

@@ -0,0 +1,9 @@
+output "slz_vpc" {
+  value       = module.slz_vpc
+  description = "VPC module values"
+}
+
+output "slz_vsi" {
+  value       = module.slz_vsi
+  description = "VSI module values"
+}

examples/complete/provider.tf

@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}

examples/complete/variables.tf

@@ -0,0 +1,47 @@
+variable "ibmcloud_api_key" {
+  description = "APIkey that's associated with the account to provision resources to"
+  type        = string
+  sensitive   = true
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}
+
+variable "region" {
+  description = "The region to which to deploy all resources in this example"
+  type        = string
+  default     = "us-south"
+}
+
+variable "prefix" {
+  description = "The prefix that you would like to append to your resources"
+  type        = string
+  default     = "slz-vsi-com"
+}
+
+variable "resource_tags" {
+  description = "List of Tags for the resource created"
+  type        = list(string)
+  default     = null
+}
+
+variable "access_tags" {
+  type        = list(string)
+  description = "A list of access tags to apply to the VSI resources created by the module."
+  default     = []
+}
+
+variable "image_id" {
+  description = "Image ID used for VSI. Run 'ibmcloud is images' to find available images. Be aware that region is important for the image since the id's are different in each region."
+  type        = string
+  default     = "r006-1366d3e6-bf5b-49a0-b69a-8efd93cc225f"
+}
+
+variable "ssh_key" {
+  type        = string
+  description = "An existing ssh key name to use for this example, if unset a new ssh key will be created"
+  default     = null
+}

examples/complete/version.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = ">= 1.54.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = ">= 4.0.4"
+    }
+  }
+}

examples/fscloud/main.tf

@@ -3,24 +3,19 @@
 ##############################################################################
 
 locals {
-  resource_group_id = var.resource_group != null ? data.ibm_resource_group.existing_resource_group[0].id : ibm_resource_group.resource_group[0].id
-  ssh_key_id        = var.ssh_key != null ? data.ibm_is_ssh_key.existing_ssh_key[0].id : ibm_is_ssh_key.ssh_key[0].id
+  ssh_key_id = var.ssh_key != null ? data.ibm_is_ssh_key.existing_ssh_key[0].id : ibm_is_ssh_key.ssh_key[0].id
 }
 
 ##############################################################################
 # Resource Group
-# (if var.resource_group is null, create a new RG using var.prefix)
 ##############################################################################
 
-resource "ibm_resource_group" "resource_group" {
-  count    = var.resource_group != null ? 0 : 1
-  name     = "${var.prefix}-rg"
-  quota_id = null
-}
-
-data "ibm_resource_group" "existing_resource_group" {
-  count = var.resource_group != null ? 1 : 0
-  name  = var.resource_group
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.0.6"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
 }
 
 ##############################################################################
@@ -50,7 +45,7 @@ data "ibm_is_ssh_key" "existing_ssh_key" {
 module "slz_vpc" {
   source            = "terraform-ibm-modules/landing-zone-vpc/ibm"
   version           = "7.5.0"
-  resource_group_id = local.resource_group_id
+  resource_group_id = module.resource_group.resource_group_id
   region            = var.region
   prefix            = var.prefix
   tags              = var.resource_tags
@@ -63,7 +58,7 @@ module "slz_vpc" {
 
 module "slz_vsi" {
   source                     = "../../profiles/fscloud"
-  resource_group_id          = local.resource_group_id
+  resource_group_id          = module.resource_group.resource_group_id
   image_id                   = var.image_id
   create_security_group      = var.create_security_group
   security_group             = var.security_group

examples/fscloud/variables.tf

@@ -19,7 +19,7 @@ variable "region" {
 variable "prefix" {
   description = "The prefix that you would like to append to your resources"
   type        = string
-  default     = "rajat-fs-vsi"
+  default     = "slz-fs-vsi"
 }
 
 variable "resource_tags" {

load_balancer.tf

@@ -14,6 +14,7 @@ resource "ibm_is_lb" "lb" {
   name            = "${var.prefix}-${each.value.name}-lb"
   subnets         = var.subnets[*].id
   type            = each.value.type
+  profile         = each.value.profile
   security_groups = each.value.security_group == null ? null : [ibm_is_security_group.security_group[each.value.security_group.name].id]
   resource_group  = var.resource_group_id
   tags            = var.tags

main.tf

@@ -6,6 +6,13 @@ locals {
   validate_kms_vars = var.kms_encryption_enabled && var.boot_volume_encryption_key == null ? tobool("When setting var.kms_encryption_enabled to true, a value must be passed for var.boot_volume_encryption_key") : true
   # tflint-ignore: terraform_unused_declarations
   validate_auth_policy = var.kms_encryption_enabled && var.skip_iam_authorization_policy == false && var.existing_kms_instance_guid == null ? tobool("When var.skip_iam_authorization_policy is set to false, and var.kms_encryption_enabled to true, a value must be passed for var.existing_kms_instance_guid in order to create the auth policy.") : true
+
+  # Determine what KMS service is being used for database encryption
+  kms_service = var.boot_volume_encryption_key != null ? (
+    can(regex(".*kms.*", var.boot_volume_encryption_key)) ? "kms" : (
+      can(regex(".*hs-crypto.*", var.boot_volume_encryption_key)) ? "hs-crypto" : null
+    )
+  ) : null
 }
 
 ##############################################################################
@@ -87,7 +94,7 @@ locals {
 resource "ibm_iam_authorization_policy" "block_storage_policy" {
   count                       = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1
   source_service_name         = "server-protect"
-  target_service_name         = "hs-crypto"
+  target_service_name         = local.kms_service
   target_resource_instance_id = var.existing_kms_instance_guid
   roles                       = ["Reader"]
   description                 = "Allow block storage volumes to be encrypted by Key Management instance."