[Feature Request]: Terraform Module β "mcp-gateway-ibm-cloud" supporting IKS, ROKS, Code Engine targetsΒ #276
Description
π§ Epic
Title: Terraform Module β "mcp-gateway-ibm-cloud"
(Supports IKS β’ ROKS β’ Code Engine)
Goal
Deliver an official Terraform module (terraform-ibm-mcpgateway) that lets operators deploy MCP Gateway on IBM Cloud in one command.
The module must provision the gateway on any of three managed runtimes:
- IKS β IBM Cloud Kubernetes Service (VPC Gen 2).
- ROKS β Red Hat OpenShift on IBM Cloud (managed OCP 4).
- Code Engine β Fully-managed serverless containers.
It must expose opinionated defaults, integrate with IBM Cloud managed data stores, and remain entirely optional for users who prefer Helm or other IaC.
Registry target: registry.terraform.io/ibm-mcp-gateways/mcpgateway/ibm
π§ Type of Feature
- Infrastructure-as-Code
- Operator tooling
π Module Inputs & Features
| Variable | Type / Default | Description |
|---|---|---|
platform |
"iks" | "roks" | "codeengine" | "none" |
Target runtime. |
gateway_version |
string ="latest" |
Docker tag / Helm chart version. |
replicas |
number =2 |
Deployment replica count (K8s Deploy/STS, CE min-instances). |
db_engine |
"databases-for-postgresql" | "databases-for-mongodb" | "sqlite" |
Managed DB or in-pod SQLite. |
enable_redis |
bool =true |
Provision Databases-for-Redis for rate-limiting & sessions. |
custom_domain |
string |
Fully-qualified domain name; provisions Certificate Manager cert + ALB/Ingress or Code Engine domain mapping. |
policy_bundle_cos_url |
string |
Optional COS (S3) URL to a Rego bundle for Policy-as-Code engine. |
observability |
object |
Toggle LogDNA, Sysdig, Monitoring dashboards (JSON) and alerts. |
resource_group |
string ="default" |
Resource Group for all resources. |
tags |
list(string) |
Resource tags (propagated via IBMC Tags API). |
Outputs
- Public HTTPS endpoint (ALB host or CE domain)
- Database hostname / URI
- Redis hostname (if enabled)
- IAM Service IDs & API keys
- Cluster resource IDs (IKS/ROKS) or Code Engine App name
πββοΈ User Stories & Acceptance Criteria
Story 1 β Minimal IKS Deployment
Scenario: Deploy MCP Gateway on IKS with defaults
Given ibmcloud CLI is logged in and target resource group "demo-rg"
When I declare:
module "gateway" {
source = "ibm-mcp-gateways/mcpgateway/ibm"
platform = "iks"
custom_domain = "api.demo.example.com"
tags = ["env:demo","team:platform"]
}
And I run "terraform apply"
Then HTTPS https://api.demo.example.com/health returns 200
And GET /version equals var.gateway_versionStory 2 β Minimal ROKS Deployment
Scenario: Deploy to ROKS cluster
When platform="roks" and custom_domain="api.roks.demo.example.com"
Then Ingress hostname responds 200 to /health
And oc get route mcp-gateway returns status = "Available"Story 3 β Code Engine with Databases-for-PostgreSQL & Redis
Scenario: Code Engine serverless deployment
Given platform="codeengine" db_engine="databases-for-postgresql" enable_redis=true
When apply completes
Then Cloud Databases for PostgreSQL instance state is "active"
And Code Engine application logs contain "Connected to DB β" and "Connected to Redis β"Story 4 β Policy Bundle from Cloud Object Storage
Scenario: Load Rego bundle at start-up
Given object "cos://mcp-bucket/bundles/policy.tar.gz" exists
And variable policy_bundle_cos_url points to that URL
When the gateway container starts
Then logs contain "Loaded policy bundle (v1)" within 60 secondsStory 5 β Destroy Preserves Existing VPC When Flagged
Scenario: Keep shared VPC resources
Given create_vpc = false
When terraform destroy runs
Then VPC "prod-shared" and subnet "prod-subnet" are NOT destroyedπ Architecture Diagram
flowchart TD
%% IBM Cloud runtime options
subgraph "IBM Cloud"
ALB["Public ALB / Ingress"]
IKS["IKS Deployment"]
ROKS["ROKS Deployment"]
CE["Code Engine App"]
PG["Databases-for-PostgreSQL"]
REDIS["Databases-for-Redis"]
ALB --> IKS
ALB --> ROKS
ALB --> CE
IKS --> PG
ROKS --> PG
CE --> PG
IKS --> REDIS
ROKS --> REDIS
CE --> REDIS
end
%% Optional edge-WAF in front of the ALB/Ingress
WAF["IBM Cloud WAF (optional)"] -.-> ALB
π Repository Layout
terraform-ibm-mcpgateway/
βββ main.tf
βββ variables.tf
βββ outputs.tf
βββ versions.tf
βββ modules/
β βββ iks/ # IKS cluster creation + Helm release
β βββ roks/ # ROKS (openshift_cluster) + Helm release
β βββ codeengine/ # Code Engine app + domain mapping
β βββ postgres/ # Databases-for-PostgreSQL
β βββ redis/ # Databases-for-Redis
βββ examples/
β βββ iks_minimal/
β βββ roks_minimal/
β βββ codeengine_full/
βββ docs/
βββ README.md
βββ advanced.md
βββ architecture.puml
π Global Acceptance Checklist
-
terraform validate, tflint, and checkov show no high/critical findings. - Running each example (
iks_minimal,roks_minimal,codeengine_full) results in an endpoint where/healthreturns 200. - Module published to Terraform Registry with autogenerated docs, inputs, outputs, and example usage.
- GitHub Actions CI runs
terraform init -backend=false && terraform validate && terraform fmt -checkfor all three platforms. - README includes quick-start, cost table (IKS worker-hour, ROKS worker-hour, Code Engine vCPU-seconds, DB/Redis plans) and troubleshooting FAQ.
- Compatible with Terraform β₯ 1.6 and IBM Cloud provider β₯ 2.0.
- Rego bundle downloaded from COS when
policy_bundle_cos_urlis set. - Enabling
observabilityprovisions LogDNA log sources and Sysdig dashboards; outputs include dashboard URLs.
π Roll-Out Plan
- Scaffold repository
terraform-ibm-mcpgateway. - Implement Code Engine sub-module (App, project, ingress).
- Build Databases-for-PostgreSQL and Databases-for-Redis sub-modules.
- Implement IKS sub-module: create VPC, subnet, worker pool, ALB Ingress, Helm release.
- Implement ROKS sub-module: create OpenShift cluster, set up OpenShift Ingress, Helm release via
oc. - Add examples for each platform and CI validation matrix.
- Add observability option: LogDNA log source and pre-built Sysdig dashboards (JSON).
- Publish on Terraform Registry; tag release in GitHub.
- Record GIF demo, update main project docs with link.