terraform-ibm-modules · ocofaigh · Jun 9, 2023 · May 29, 2023 · May 29, 2023 · May 29, 2023
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,14 +7,17 @@ on:
     branches: [main]
   pull_request:
     branches: [main]
+    types: [opened, synchronize, reopened, ready_for_review]
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
 jobs:
   call-terraform-ci-pipeline:
-    uses: terraform-ibm-modules/common-pipeline-assets/.github/workflows/common-terraform-module-ci.yml@v1.9.1
+    uses: terraform-ibm-modules/common-pipeline-assets/.github/workflows/common-terraform-module-ci.yml@v1.12.2
     secrets: inherit
     with:
-      craTarget: "examples/default"
+      craSCCv2: true
+      craTarget: "examples/fscloud"
       craGoalIgnoreFile: "cra-tf-validate-ignore-goals.json"
+      craEnvironmentVariables: "TF_VAR_existing_at_instance_crn=${{ vars.AT_INSTANCE_CRN }},TF_VAR_existing_kms_instance_guid=${{ vars.HPCS_SOUTH_GUID }},TF_VAR_kms_key_crn=${{ vars.HPCS_SOUTH_KEY_CRN }}"
@@ -106,6 +106,7 @@ You need the following permissions to run this module.
 ## Examples
 
 - [ End to end example with default values](examples/default)
+- [ End to end example with default values](examples/fscloud)
 <!-- END EXAMPLES HOOK -->
 
 ---
@@ -126,6 +127,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [ibm_iam_authorization_policy.block_storage_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_is_floating_ip.secondary_fip](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_floating_ip) | resource |
 | [ibm_is_floating_ip.vsi_fip](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_floating_ip) | resource |
 | [ibm_is_instance.vsi](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_instance) | resource |
@@ -148,6 +150,7 @@ No modules.
 | <a name="input_boot_volume_encryption_key"></a> [boot\_volume\_encryption\_key](#input\_boot\_volume\_encryption\_key) | CRN of boot volume encryption key | `string` | n/a | yes |
 | <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Create security group for VSI. If this is passed as false, the default will be used | `bool` | n/a | yes |
 | <a name="input_enable_floating_ip"></a> [enable\_floating\_ip](#input\_enable\_floating\_ip) | Create a floating IP for each virtual server created | `bool` | `false` | no |
+| <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms\_key\_crn and var.backup\_encryption\_key\_crn is coming from. Required only if var.kms\_encryption\_enabled is set to true, var.skip\_iam\_authorization\_policy is set to false, and you pass a value for var.kms\_key\_crn, var.backup\_encryption\_key\_crn, or both. | `string` | `null` | no |
 | <a name="input_image_id"></a> [image\_id](#input\_image\_id) | Image ID used for VSI. Run 'ibmcloud is images' to find available images in a region | `string` | n/a | yes |
 | <a name="input_load_balancers"></a> [load\_balancers](#input\_load\_balancers) | Load balancers to add to VSI | <pre>list(<br>    object({<br>      name              = string<br>      type              = string<br>      listener_port     = number<br>      listener_protocol = string<br>      connection_limit  = number<br>      algorithm         = string<br>      protocol          = string<br>      health_delay      = number<br>      health_retries    = number<br>      health_timeout    = number<br>      health_type       = string<br>      pool_member_port  = string<br>      security_group = optional(<br>        object({<br>          name = string<br>          rules = list(<br>            object({<br>              name      = string<br>              direction = string<br>              source    = string<br>              tcp = optional(<br>                object({<br>                  port_max = number<br>                  port_min = number<br>                })<br>              )<br>              udp = optional(<br>                object({<br>                  port_max = number<br>                  port_min = number<br>                })<br>              )<br>              icmp = optional(<br>                object({<br>                  type = number<br>                  code = number<br>                })<br>              )<br>            })<br>          )<br>        })<br>      )<br>    })<br>  )</pre> | `[]` | no |
 | <a name="input_machine_type"></a> [machine\_type](#input\_machine\_type) | VSI machine type. Run 'ibmcloud is instance-profiles' to get a list of regional profiles | `string` | n/a | yes |

@@ -19,7 +19,7 @@ variable "region" {
 variable "prefix" {
   description = "The prefix that you would like to append to your resources"
   type        = string
-  default     = "test-landing-zone-vsi"
+  default     = "rajat-vsi"
 }
 
 variable "resource_tags" {

@@ -0,0 +1,3 @@
+# End to end example with default values
+
+An end to end example using the module's default variable values.
@@ -0,0 +1,79 @@
+##############################################################################
+# Locals
+##############################################################################
+
+locals {
+  resource_group_id = var.resource_group != null ? data.ibm_resource_group.existing_resource_group[0].id : ibm_resource_group.resource_group[0].id
+  ssh_key_id        = var.ssh_key != null ? data.ibm_is_ssh_key.existing_ssh_key[0].id : ibm_is_ssh_key.ssh_key[0].id
+}
+
+##############################################################################
+# Resource Group
+# (if var.resource_group is null, create a new RG using var.prefix)
+##############################################################################
+
+resource "ibm_resource_group" "resource_group" {
+  count    = var.resource_group != null ? 0 : 1
+  name     = "${var.prefix}-rg"
+  quota_id = null
+}
+
+data "ibm_resource_group" "existing_resource_group" {
+  count = var.resource_group != null ? 1 : 0
+  name  = var.resource_group
+}
+
+##############################################################################
+# Create new SSH key
+##############################################################################
+resource "tls_private_key" "tls_key" {
+  count     = var.ssh_key != null ? 0 : 1
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "ibm_is_ssh_key" "ssh_key" {
+  count      = var.ssh_key != null ? 0 : 1
+  name       = "${var.prefix}-ssh-key"
+  public_key = tls_private_key.tls_key[0].public_key_openssh
+}
+
+data "ibm_is_ssh_key" "existing_ssh_key" {
+  count = var.ssh_key != null ? 1 : 0
+  name  = var.ssh_key
+}
+
+#############################################################################
+# Provision VPC
+#############################################################################
+
+module "slz_vpc" {
+  source            = "git::https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc.git?ref=v4.2.0"
+  resource_group_id = local.resource_group_id
+  region            = var.region
+  prefix            = var.prefix
+  tags              = var.resource_tags
+  name              = var.vpc_name
+}
+
+#############################################################################
+# Provision VSI
+#############################################################################
+
+module "slz_vsi" {
+  source                     = "../../profiles/fscloud"
+  resource_group_id          = local.resource_group_id
+  image_id                   = var.image_id
+  create_security_group      = var.create_security_group
+  security_group             = var.security_group
+  tags                       = var.resource_tags
+  subnets                    = module.slz_vpc.subnet_zone_list
+  vpc_id                     = module.slz_vpc.vpc_id
+  prefix                     = var.prefix
+  machine_type               = var.machine_type
+  user_data                  = var.user_data
+  boot_volume_encryption_key = var.boot_volume_encryption_key
+  existing_kms_instance_guid = var.existing_kms_instance_guid
+  vsi_per_subnet             = var.vsi_per_subnet
+  ssh_key_ids                = [local.ssh_key_id]
+}
@@ -0,0 +1,9 @@
+output "slz_vpc" {
+  value       = module.slz_vpc
+  description = "VPC module values"
+}
+
+output "slz_vsi" {
+  value       = module.slz_vsi
+  description = "VSI module values"
+}
@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}
@@ -0,0 +1,114 @@
+variable "ibmcloud_api_key" {
+  description = "APIkey that's associated with the account to provision resources to"
+  type        = string
+  sensitive   = true
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}
+
+variable "region" {
+  description = "The region to which to deploy the VPC"
+  type        = string
+  default     = "us-south"
+}
+
+variable "prefix" {
+  description = "The IBM Cloud platform API key needed to deploy IAM enabled resources"
+  type        = string
+  default     = "slz-fs-vsi"
+}
+
+variable "resource_tags" {
+  description = "List of tags to apply to resources created by this module."
+  type        = list(string)
+  default     = []
+}
+
+variable "image_id" {
+  description = "Image ID used for VSI. Run 'ibmcloud is images' to find available images in a region"
+  type        = string
+  default     = "r006-1366d3e6-bf5b-49a0-b69a-8efd93cc225f"
+}
+
+variable "machine_type" {
+  description = "VSI machine type. Run 'ibmcloud is instance-profiles' to get a list of regional profiles"
+  type        = string
+  default     = "cx2-2x4"
+}
+
+variable "create_security_group" {
+  description = "Create security group for VSI"
+  type        = string
+  default     = false
+}
+
+variable "security_group" {
+  description = "Security group created for VSI"
+  type = object({
+    name = string
+    rules = list(
+      object({
+        name      = string
+        direction = string
+        source    = string
+        tcp = optional(
+          object({
+            port_max = number
+            port_min = number
+          })
+        )
+        udp = optional(
+          object({
+            port_max = number
+            port_min = number
+          })
+        )
+        icmp = optional(
+          object({
+            type = number
+            code = number
+          })
+        )
+      })
+    )
+  })
+  default = null
+}
+
+variable "user_data" {
+  description = "User data to initialize VSI deployment"
+  type        = string
+  default     = null
+}
+
+variable "vsi_per_subnet" {
+  description = "Number of VSI instances for each subnet"
+  type        = number
+  default     = 1
+}
+
+variable "ssh_key" {
+  type        = string
+  description = "An existing ssh key name to use for this example, if unset a new ssh key will be created"
+  default     = null
+}
+
+variable "vpc_name" {
+  type        = string
+  description = "Name for VPC"
+  default     = "vpc"
+}
+
+variable "boot_volume_encryption_key" {
+  description = "CRN of boot volume encryption key"
+  type        = string
+}
+
+variable "existing_kms_instance_guid" {
+  description = "The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms_key_crn and var.backup_encryption_key_crn is coming from. Required only if var.kms_encryption_enabled is set to true, var.skip_iam_authorization_policy is set to false, and you pass a value for var.kms_key_crn, var.backup_encryption_key_crn, or both."
+  type        = string
+}
@@ -0,0 +1,15 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    # Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = "1.49.0"
+    }
+    # The tls provider is not actually required by the module itself, just this example, so OK to use ">=" here instead of locking into a version
+    tls = {
+      source  = "hashicorp/tls"
+      version = ">= 4.0.4"
+    }
+  }
+}
@@ -64,6 +64,15 @@ locals {
 # Create Virtual Servers
 ##############################################################################
 
+resource "ibm_iam_authorization_policy" "block_storage_policy" {
+  count                       = var.existing_kms_instance_guid != null ? 1 : 0
+  source_service_name         = "server-protect"
+  target_service_name         = "hs-crypto"
+  target_resource_instance_id = var.existing_kms_instance_guid
+  roles                       = ["Reader"]
+  description                 = "Allow block storage volumes to be encrypted by Key Management instance."
+}
+
 resource "ibm_is_instance" "vsi" {
   for_each       = local.vsi_map
   name           = each.key

@@ -57,6 +57,21 @@
         "line": 87
       }
     },
+    "existing_kms_instance_guid": {
+      "name": "existing_kms_instance_guid",
+      "type": "string",
+      "description": "The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms_key_crn and var.backup_encryption_key_crn is coming from. Required only if var.kms_encryption_enabled is set to true, var.skip_iam_authorization_policy is set to false, and you pass a value for var.kms_key_crn, var.backup_encryption_key_crn, or both.",
+      "source": [
+        "ibm_iam_authorization_policy.block_storage_policy.count",
+        "ibm_iam_authorization_policy.block_storage_policy.target_resource_instance_id"
+      ],
+      "pos": {
+        "filename": "variables.tf",
+        "line": 365
+      },
+      "immutable": true,
+      "computed": true
+    },
     "image_id": {
       "name": "image_id",
       "type": "string",
@@ -362,6 +377,22 @@
     }
   },
   "managed_resources": {
+    "ibm_iam_authorization_policy.block_storage_policy": {
+      "mode": "managed",
+      "type": "ibm_iam_authorization_policy",
+      "name": "block_storage_policy",
+      "attributes": {
+        "count": "existing_kms_instance_guid",
+        "target_resource_instance_id": "existing_kms_instance_guid"
+      },
+      "provider": {
+        "name": "ibm"
+      },
+      "pos": {
+        "filename": "main.tf",
+        "line": 67
+      }
+    },
     "ibm_is_floating_ip.secondary_fip": {
       "mode": "managed",
       "type": "ibm_is_floating_ip",
@@ -375,7 +406,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 132
+        "line": 141
       }
     },
     "ibm_is_floating_ip.vsi_fip": {
@@ -391,7 +422,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 125
+        "line": 134
       }
     },
     "ibm_is_instance.vsi": {
@@ -413,7 +444,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 67
+        "line": 76
       }
     },
     "ibm_is_lb.lb": {

@@ -0,0 +1,22 @@
+module "fscloud_vsi" {
+  source                     = "../../"
+  resource_group_id          = var.resource_group_id
+  prefix                     = var.prefix
+  tags                       = var.tags
+  vpc_id                     = var.vpc_id
+  subnets                    = var.subnets
+  image_id                   = var.image_id
+  ssh_key_ids                = var.ssh_key_ids
+  machine_type               = var.machine_type
+  vsi_per_subnet             = var.vsi_per_subnet
+  user_data                  = var.user_data
+  existing_kms_instance_guid = var.existing_kms_instance_guid
+  boot_volume_encryption_key = var.boot_volume_encryption_key
+  enable_floating_ip         = var.enable_floating_ip
+  allow_ip_spoofing          = var.allow_ip_spoofing
+  create_security_group      = var.create_security_group
+  security_group             = var.security_group
+  security_group_ids         = var.security_group_ids
+  block_storage_volumes      = var.block_storage_volumes
+  load_balancers             = var.load_balancers
+}
@@ -0,0 +1 @@
+// TODO