This example provides a terraform implementation of the secure landing zone architecture - a production-grade Red Hat OpenShift platform on IBM Cloud VPC by providing a fully integrated ecosystem. Rather than just provisioning compute resources, it orchestrates the critical operational glue required for enterprise workloads—automatically wiring together Key Management, Secrets Manager, Cloud Logs, Cloud Monitoring, Cloud Object Storage and Events Notification. This comprehensive approach reduces operational overhead and eliminates manual configuration errors, ensuring your environment is secure, observable, and ready.
Secure, Compliant, and Scalable Designed to support a wide range of business needs, the architecture is secure by design and fully configurable. It incorporates robust compliance features, such as SCC Workload Protection, while allowing you to tailor specific integrations and worker pools to your requirements. This flexibility enables organizations to standardize on a single, reliable architectural pattern that streamlines security approvals and scales effortlessly with business demand.
The primary goal of this example is to provision an OpenShift cluster on VPC and automatically configure the necessary supporting services, including:
VPC Infrastructure: The base VPC, subnets, and network access controls (ACLs) for the OpenShift cluster. Learn more about the service module.Key Management (KMS): Optional provision and configuration of an IBM Key Protect or Hyper Protect Crypto Services (HPCS) instance for encrypting cluster and boot volumes. Learn more about the service module.Secrets Management: Optional provision and configuration of an IBM Secrets Manager instance to securely store service credentials and other secrets. Learn more about the service module.Cloud Object Storage (COS): Optional provision and configuration of COS instances and buckets for flow logs, activity tracker, and other data storage needs. Learn more about the service module.Monitoring & Logging: Optional provision and configuration of IBM Cloud Monitoring and IBM Cloud Logs instances for centralized observability. Learn more about the Cloud Monitoring and Cloud Logs service module.Activity Tracker and Event Routing: Configure event routing for platform audit logs to a COS bucket or IBM Cloud Logs. Learn more about the service module.Security & Compliance: Optional integration with IBM Cloud Security and Compliance Center (SCC) Workload Protection. Learn more about the service module.VPE Gateways: Optional configuration of Virtual Private Endpoint (VPE) gateways for secure private connectivity to cloud services. Learn more about the service module.Event Notifications: Optional provision and configuration of IBM Cloud Event Notifications for centralized event routing and management, with support for KMS encryption and failed event collection in COS. Learn more about the service module.App Configuration: Optional provision and configuration of IBM Cloud App Configuration for centralized feature flag and property management, securely integrated with KMS and Event Notifications. Learn more about the service module.Context-Based Restrictions (CBR): Optional support for defining and attaching network access rules (CBR zones and rules) to all supported services (KMS, COS, Secrets Manager) to enforce zero-trust networking. Learn more about the service module.
| Name | Version |
|---|---|
| terraform | >=1.9.0 |
| helm | 3.1.1 |
| ibm | 1.87.3 |
| kubernetes | 3.0.1 |
| restapi | 2.0.1 |
| time | 0.13.1 |
| Name | Source | Version |
|---|---|---|
| activity_tracker | terraform-ibm-modules/activity-tracker/ibm | 1.6.6 |
| app_config | terraform-ibm-modules/app-configuration/ibm | 1.14.15 |
| at_cos_bucket | terraform-ibm-modules/cos/ibm//modules/buckets | 10.14.3 |
| cloud_logs | terraform-ibm-modules/cloud-logs/ibm | 1.10.31 |
| cloud_logs_buckets | terraform-ibm-modules/cos/ibm//modules/buckets | 10.14.3 |
| cloud_monitoring | terraform-ibm-modules/cloud-monitoring/ibm | 1.12.21 |
| cos | terraform-ibm-modules/cos/ibm//modules/fscloud | 10.14.3 |
| en_cos_buckets | terraform-ibm-modules/cos/ibm//modules/buckets | 10.14.3 |
| event_notifications | terraform-ibm-modules/event-notifications/ibm | 2.11.7 |
| kms | terraform-ibm-modules/kms-all-inclusive/ibm | 5.5.25 |
| logs_agent | terraform-ibm-modules/logs-agent/ibm | 1.18.1 |
| metrics_routing | terraform-ibm-modules/cloud-monitoring/ibm//modules/metrics_routing | 1.12.21 |
| monitoring_agent | terraform-ibm-modules/monitoring-agent/ibm | 1.19.6 |
| ocp_base | terraform-ibm-modules/base-ocp-vpc/ibm | 3.79.0 |
| resource_group | terraform-ibm-modules/resource-group/ibm | 1.4.7 |
| scc_wp | terraform-ibm-modules/scc-workload-protection/ibm | 1.16.23 |
| secret_group | terraform-ibm-modules/secrets-manager-secret-group/ibm | 1.3.39 |
| secrets_manager | terraform-ibm-modules/secrets-manager/ibm | 2.12.25 |
| trusted_profile | terraform-ibm-modules/trusted-profile/ibm | 3.2.17 |
| vpc | terraform-ibm-modules/landing-zone-vpc/ibm | 8.12.5 |
| vpc_cos_buckets | terraform-ibm-modules/cos/ibm//modules/buckets | 10.14.3 |
| vpe_gateway | terraform-ibm-modules/vpe-gateway/ibm | 5.0.2 |
| Name | Type |
|---|---|
| ibm_en_subscription_email.apprapp_email_subscription | resource |
| ibm_en_subscription_email.en_email_subscription | resource |
| ibm_en_topic.en_apprapp_topic | resource |
| ibm_en_topic.en_sm_topic | resource |
| ibm_iam_authorization_policy.cos_secrets_manager_key_manager | resource |
| ibm_iam_authorization_policy.en_secrets_manager_key_manager | resource |
| terraform_data.delete_secrets | resource |
| time_sleep.wait_for_cos_authorization_policy | resource |
| time_sleep.wait_for_en_authorization_policy | resource |
| time_sleep.wait_for_secrets_manager | resource |
| ibm_container_cluster_config.cluster_config | data source |
| ibm_en_destinations.en_apprapp_destinations | data source |
| ibm_en_destinations.en_sm_destinations | data source |
| ibm_iam_auth_token.auth_token | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| event_notifications_email_list | The list of email address to target out when an event is triggered | list(string) |
[] |
no |
| existing_resource_group_name | The name of an existing resource group to provision the resources. | string |
"Default" |
no |
| ibmcloud_api_key | The IBM Cloud api token | string |
n/a | yes |
| prefix | Prefix for name of all resource created by this example | string |
"ocp-lz" |
no |
| provider_visibility | Set the visibility value for the IBM terraform provider. Supported values are public, private, public-and-private. |
string |
"public" |
no |
| region | Region where resources are created | string |
"eu-de" |
no |
| resource_tags | Optional list of tags to be added to created resources | list(string) |
[] |
no |
| secrets_manager_plan | The Secrets Manager plan to provision. Possible values are standard or trial. |
string |
"trial" |
no |
| Name | Description |
|---|---|
| activity_tracker_cos_target_bucket_name | he name of the object storage bucket which is set as activity tracker event routing target to collect audit events. |
| activity_tracker_routes | The map of created Activity Tracker Event Routing routes |
| activity_tracker_targets | The map of created Activity Tracker Event Routing targets |
| cloud_logs_crn | The id of the provisioned IBM Cloud Logs instance. |
| cloud_logs_guid | The guid of the provisioned IBM Cloud Logs instance. |
| cloud_logs_name | The name of the provisioned IBM Cloud Logs instance. |
| cloud_monitoring_access_key | The IBM Cloud Monitoring access key for agents to use |
| cloud_monitoring_access_key_name | The name of the IBM Cloud Monitoring access key for agents to use |
| cloud_monitoring_crn | The id of the provisioned IBM Cloud Monitoring instance. |
| cloud_monitoring_guid | The guid of the provisioned IBM Cloud Monitoring instance. |
| cloud_monitoring_name | The name of the provisioned IBM Cloud Monitoring instance. |
| cluster_crn | The Cloud Resource Name (CRN) of the provisioned OpenShift cluster. |
| cluster_id | The unique identifier assigned to the provisioned OpenShift cluster. |
| cluster_name | The name of the provisioned OpenShift cluster. |
| cos_instance_crn | COS instance crn |
| cos_instance_guid | COS instance guid |
| events_notification_crn | Event Notification crn |
| events_notification_guid | Event Notification guid |
| kms_account_id | The account ID of the KMS instance. |
| kms_guid | KMS instance GUID |
| kms_instance_crn | The CRN of the KMS instance |
| logs_bucket_crn | Logs Cloud Object Storage bucket CRN |
| metrics_bucket_crn | Metrics Cloud Object Storage bucket CRN |
| network_acls | List of shortnames and IDs of network ACLs. |
| ocp_version | The version of OpenShift running on the provisioned cluster. |
| private_path_subnet_id | The IDs of the subnets. |
| public_gateways | Map of the public gateways by zone. |
| scc_workload_protection_crn | SCC Workload Protection instance CRN |
| scc_workload_protection_id | SCC Workload Protection instance ID |
| scc_workload_protection_name | SCC Workload Protection instance name |
| secrets_manager_crn | CRN of the Secrets Manager instance |
| secrets_manager_guid | GUID of Secrets Manager instance |
| secrets_manager_region | Region of the Secrets Manager instance |
| subnet_detail_list | A list of subnets containing names, CIDR blocks, and zones. |
| subnet_detail_map | A map of subnets containing IDs, CIDR blocks, and zones. |
| subnet_ids | The IDs of the subnets. |
| subnet_zone_list | A list of subnet IDs and subnet zones. |
| vpc_crn | CRN of the VPC created. |
| vpc_flow_logs | Details of the VPC flow logs collector. |
| vpc_id | ID of the VPC created. |
| vpc_name | Name of the VPC created. |
| vpe_crn | The CRN of the endpoint gateway. |
| vpe_ips | The reserved IPs for endpoint gateways. |
| vpn_gateways_data | Details of VPN gateways data. |
| vpn_gateways_name | List of names of VPN gateways. |
| workerpools | A list of worker pools associated with the provisioned cluster |
ℹ️ Ctrl/Cmd+Click or right-click on the Schematics deploy button to open in a new tab