This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: added new variable `kms_encryption_enabled` which now needs to be set to `true` to enable KMS encryption
- added support to create KMS auth policy along with variable `skip_iam_authorization_policy` to toggle policy creation on or off
- added extra validation around the use of KMS variables
- added a new FSCloud profile terraform submodule (see `profiles/fscloud`) and an example on how to use it (see `examples/profiles`) (#467)
1 parent ff5dc23 · commit 8f10810 · 19 changed files with 792 additions and 33 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
# Financial Services Cloud profile example | ||
|
||
An end-to-end example that uses the [Profile for IBM Cloud Framework for Financial Services](../../profiles/fscloud/) to deploy a VSI. | ||
|
||
The example uses the IBM Cloud Terraform provider to create the following infrastructure: | ||
* A resource group, if one is not passed in. | ||
* An SSH Key, if one is not passed in. | ||
* A Secure Landing Zone virtual private cloud (VPC). | ||
* An IBM Cloud VSI instance with Hyper Protect Crypto Services root key that is passed in for encrypting block storage. | ||
|
||
:exclamation: **Important:** In this example, only the VSI instance complies with the IBM Cloud Framework for Financial Services. Other parts of the infrastructure do not necessarily comply. | ||
|
||
## Before you begin | ||
|
||
- You need a Hyper Protect Crypto Services instance and root key available in the region that you want to deploy your VSI instance to. |
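Review bot: the "Before you begin" list stops at the HPCS instance and root key, but the example also requires `existing_kms_instance_guid`, and the commit message says the profile now creates a KMS IAM authorization policy (toggled by `skip_iam_authorization_policy`). Add a bullet saying that the GUID of the HPCS instance holding the root key is needed so the profile can create the authorization policy that lets VPC block storage read the key, and that the identity behind `ibmcloud_api_key` must be allowed to create IAM authorization policies in the account (or the policy must already exist and `skip_iam_authorization_policy` be set). The "Important" note should also state that the SSH key, resource group and VPC created here are conveniences for the example and are not part of the compliant profile.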
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
############################################################################## | ||
# Locals | ||
############################################################################## | ||
|
||
locals { | ||
resource_group_id = var.resource_group != null ? data.ibm_resource_group.existing_resource_group[0].id : ibm_resource_group.resource_group[0].id | ||
ssh_key_id = var.ssh_key != null ? data.ibm_is_ssh_key.existing_ssh_key[0].id : ibm_is_ssh_key.ssh_key[0].id | ||
} | ||
|
||
############################################################################## | ||
# Resource Group | ||
# (if var.resource_group is null, create a new RG using var.prefix) | ||
############################################################################## | ||
|
||
resource "ibm_resource_group" "resource_group" { | ||
count = var.resource_group != null ? 0 : 1 | ||
name = "${var.prefix}-rg" | ||
quota_id = null | ||
} | ||
|
||
data "ibm_resource_group" "existing_resource_group" { | ||
count = var.resource_group != null ? 1 : 0 | ||
name = var.resource_group | ||
} | ||
|
||
############################################################################## | ||
# SSH key | ||
############################################################################## | ||
resource "tls_private_key" "tls_key" { | ||
count = var.ssh_key != null ? 0 : 1 | ||
algorithm = "RSA" | ||
rsa_bits = 4096 | ||
} | ||
|
||
resource "ibm_is_ssh_key" "ssh_key" { | ||
count = var.ssh_key != null ? 0 : 1 | ||
name = "${var.prefix}-ssh-key" | ||
public_key = tls_private_key.tls_key[0].public_key_openssh | ||
} | ||
|
||
data "ibm_is_ssh_key" "existing_ssh_key" { | ||
count = var.ssh_key != null ? 1 : 0 | ||
name = var.ssh_key | ||
} | ||
|
||
############################################################################# | ||
# Provision VPC | ||
############################################################################# | ||
|
||
module "slz_vpc" { | ||
source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc.git?ref=v7.2.0" | ||
resource_group_id = local.resource_group_id | ||
region = var.region | ||
prefix = var.prefix | ||
tags = var.resource_tags | ||
name = var.vpc_name | ||
} | ||
|
||
############################################################################# | ||
# Provision VSI | ||
############################################################################# | ||
|
||
module "slz_vsi" { | ||
source = "../../profiles/fscloud" | ||
resource_group_id = local.resource_group_id | ||
image_id = var.image_id | ||
create_security_group = var.create_security_group | ||
security_group = var.security_group | ||
tags = var.resource_tags | ||
subnets = module.slz_vpc.subnet_zone_list | ||
vpc_id = module.slz_vpc.vpc_id | ||
prefix = var.prefix | ||
machine_type = var.machine_type | ||
user_data = var.user_data | ||
boot_volume_encryption_key = var.boot_volume_encryption_key | ||
existing_kms_instance_guid = var.existing_kms_instance_guid | ||
vsi_per_subnet = var.vsi_per_subnet | ||
ssh_key_ids = [local.ssh_key_id] | ||
} |
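Review bot: `tls_private_key.tls_key` writes a generated 4096-bit RSA private key into Terraform state in plaintext, and neither this file nor the README says so; for a Financial Services example either require `var.ssh_key` and drop the generated-key path, or add a comment here (and a README note) that the private key lives only in state and that the state backend must therefore be encrypted and access-controlled. Two smaller points in the same hunk: `quota_id = null` on `ibm_resource_group.resource_group` is a no-op and can be removed, and `module "slz_vpc"` is pinned to a git tag (`ref=v7.2.0`) rather than a commit SHA; tags are mutable, so pin the SHA if the example is meant to be reproducible.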
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
output "slz_vpc" { | ||
value = module.slz_vpc | ||
description = "VPC module values" | ||
} | ||
|
||
output "slz_vsi" { | ||
value = module.slz_vsi | ||
description = "VSI module values" | ||
} |
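Review bot: both outputs export the whole module object (`value = module.slz_vpc`, `value = module.slz_vsi`), so every upstream output becomes part of this example's output contract, and if either module ever marks an output sensitive these outputs will fail to apply unless they are also marked `sensitive = true`. Prefer exporting the specific attributes a user of the example needs (for instance the VPC ID and the list of VSIs) instead of the entire module.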
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
provider "ibm" { | ||
ibmcloud_api_key = var.ibmcloud_api_key | ||
region = var.region | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,114 @@ | ||
variable "ibmcloud_api_key" { | ||
description = "APIkey that's associated with the account to provision resources to" | ||
type = string | ||
sensitive = true | ||
} | ||
|
||
variable "resource_group" { | ||
type = string | ||
description = "An existing resource group name to use for this example, if unset a new resource group will be created" | ||
default = null | ||
} | ||
|
||
variable "region" { | ||
description = "The region to which to deploy the VPC" | ||
type = string | ||
default = "us-south" | ||
} | ||
|
||
variable "prefix" { | ||
description = "The prefix that you would like to append to your resources" | ||
type = string | ||
default = "rajat-fs-vsi" | ||
} | ||
|
||
variable "resource_tags" { | ||
description = "List of tags to apply to resources created by this module." | ||
type = list(string) | ||
default = [] | ||
} | ||
|
||
variable "image_id" { | ||
description = "Image ID used for VSI. Run 'ibmcloud is images' to find available images in a region" | ||
type = string | ||
default = "r006-7ca7884c-c797-468e-a565-5789102aedc6" | ||
} | ||
|
||
variable "machine_type" { | ||
description = "VSI machine type. Run 'ibmcloud is instance-profiles' to get a list of regional profiles" | ||
type = string | ||
default = "cx2-2x4" | ||
} | ||
|
||
variable "create_security_group" { | ||
description = "Create security group for VSI" | ||
type = string | ||
default = false | ||
} | ||
|
||
variable "security_group" { | ||
description = "Security group created for VSI" | ||
type = object({ | ||
name = string | ||
rules = list( | ||
object({ | ||
name = string | ||
direction = string | ||
source = string | ||
tcp = optional( | ||
object({ | ||
port_max = number | ||
port_min = number | ||
}) | ||
) | ||
udp = optional( | ||
object({ | ||
port_max = number | ||
port_min = number | ||
}) | ||
) | ||
icmp = optional( | ||
object({ | ||
type = number | ||
code = number | ||
}) | ||
) | ||
}) | ||
) | ||
}) | ||
default = null | ||
} | ||
|
||
variable "user_data" { | ||
description = "User data to initialize VSI deployment" | ||
type = string | ||
default = null | ||
} | ||
|
||
variable "vsi_per_subnet" { | ||
description = "Number of VSI instances for each subnet" | ||
type = number | ||
default = 1 | ||
} | ||
|
||
variable "ssh_key" { | ||
type = string | ||
description = "An existing ssh key name to use for this example, if unset a new ssh key will be created" | ||
default = null | ||
} | ||
|
||
variable "vpc_name" { | ||
type = string | ||
description = "Name for VPC" | ||
default = "vpc" | ||
} | ||
|
||
variable "boot_volume_encryption_key" { | ||
description = "CRN of boot volume encryption key" | ||
type = string | ||
} | ||
|
||
variable "existing_kms_instance_guid" { | ||
description = "The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms_key_crn and var.backup_encryption_key_crn is coming from. Required only if var.kms_encryption_enabled is set to true, var.skip_iam_authorization_policy is set to false, and you pass a value for var.kms_key_crn, var.backup_encryption_key_crn, or both." | ||
type = string | ||
} |
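Review bot: the description of `existing_kms_instance_guid` refers to `var.kms_key_crn`, `var.backup_encryption_key_crn`, `var.kms_encryption_enabled` and `var.skip_iam_authorization_policy`, none of which exist in this example (it looks copied from another module); this example passes `var.boot_volume_encryption_key`, so the description should say the GUID is that of the HPCS or Key Protect instance the key in `boot_volume_encryption_key` belongs to, used to create the IAM authorization policy. Three further points in this hunk: `create_security_group` is declared `type = string` with `default = false`, so declare it `type = bool`; `prefix` defaults to a personal name (`rajat-fs-vsi`), so use a neutral default such as `fs-vsi`; and `image_id` defaults to a fixed `r006-…` image ID while `region` is a free variable, and VPC image IDs are region-specific, so either state that the default is only valid in the default region or resolve the image by name with the `ibm_is_image` data source.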
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
terraform { | ||
required_version = ">= 1.3.0" | ||
required_providers { | ||
# Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works | ||
ibm = { | ||
source = "IBM-Cloud/ibm" | ||
version = "1.52.0" | ||
} | ||
# The tls provider is not actually required by the module itself, just this example, so OK to use ">=" here instead of locking into a version | ||
tls = { | ||
source = "hashicorp/tls" | ||
version = ">= 4.0.4" | ||
} | ||
} | ||
} |