Merge branch 'main' of https://github.com/terraform-ibm-modules/stack-retrieval-augmented-generation

Author: daniel-butler-irl

README.md

@@ -16,7 +16,8 @@ Click the "Add to project" button, and select create in new project.
 ## 3. Set the input configuration for the stack
 
 - Clone this repository locally - and checkout the dev branch.
-- Create a file with name ".def.json" with the following content. 
+- Create a file with name ".def.json" with the following content.
+- The signing key is the base64 key obtained from the `gpg --export-secret-key <Email Address> | base64` command. See https://cloud.ibm.com/docs/devsecops?topic=devsecops-devsecops-image-signing#cd-devsecops-gpg-export for details.
 
 **Important**: 
 - Ensure region is either us-south or eu-de as watsonx can only be deployed in those 2 locations for now.
@@ -30,7 +31,8 @@ Click the "Add to project" button, and select create in new project.
         "resource_group_name": "<target resource group - name of a new resource group that the stack will creates>",
         "region": "<region where resources are deployed>",
         "sample_app_git_url": "https://github.com/IBM/gen-ai-rag-watsonx-sample-application",
-        "watsonx_admin_api_key": "<optional - admin key to use for watson if different from ibmcloud_api_key>"
+        "watsonx_admin_api_key": "<optional - admin key to use for watson if different from ibmcloud_api_key>",
+        "signing_key": "signing key used to sign build artifacts"
     }
 }
 ```
@@ -44,7 +46,8 @@ Example:
         "resource_group_name": "stack-service-rg",
         "region": "eu-de",
         "sample_app_git_url": "https://github.com/IBM/gen-ai-rag-watsonx-sample-application",
-        "watsonx_admin_api_key": "<optional - admin key to use for watson if different from ibmcloud_api_key>"
+        "watsonx_admin_api_key": "<optional - admin key to use for watson if different from ibmcloud_api_key>",
+        "signing_key": "signing key used to sign build artifacts"
     }
 }
 ```

ibm_catalog.json

@@ -31,16 +31,74 @@
 					},
 					"iam_permissions": [
 						{
-							"service_name": "iam-identity",
-							"resources": [
-								{
-									"name": "Placeholder - will be refined",
-									"description": "Placeholder - will be refined",
-									"role_crns": [
-										"crn:v1:bluemix:public:iam::::role:Administrator"
-									]
-								}
+							"service_name": "iam-groups",
+							"role_crns": [
+								"crn:v1:bluemix:public:iam::::role:Administrator"
 							]
+						},
+						{
+							"role_crns": [
+								"crn:v1:bluemix:public:iam::::serviceRole:Manager",
+								"crn:v1:bluemix:public:iam::::role:Editor"
+							],
+							"service_name": "cloud-object-storage"
+						},
+						{
+							"role_crns": [
+								"crn:v1:bluemix:public:iam::::role:Administrator"
+							],
+							"service_name": "iam-identity"
+						},
+						{
+							"role_crns": [
+								"crn:v1:bluemix:public:iam::::serviceRole:Writer",
+								"crn:v1:bluemix:public:iam::::role:Administrator"
+							],
+							"service_name": "atracker"
+						},
+						{
+							"role_crns": [
+								"crn:v1:bluemix:public:iam::::serviceRole:Manager",
+								"crn:v1:bluemix:public:iam::::role:Editor"
+							],
+							"service_name": "kms"
+						},
+						{
+							"service_name": "compliance",
+							"role_crns": [
+								"crn:v1:bluemix:public:iam::::serviceRole:Manager",
+								"crn:v1:bluemix:public:iam::::role:Editor"
+							]
+						},
+						{
+							"role_crns": [
+								"crn:v1:bluemix:public:iam::::role:Editor"
+							],
+							"service_name": "pm-20"
+						},
+						{
+							"role_crns": [
+								"crn:v1:bluemix:public:iam::::role:Editor"
+							],
+							"service_name": "data-science-experience"
+						},
+						{
+							"role_crns": [
+								"crn:v1:bluemix:public:iam::::role:Editor"
+							],
+							"service_name": "aiopenscale"
+						},
+						{
+							"role_crns": [
+								"crn:v1:bluemix:public:iam::::role:Editor"
+							],
+							"service_name": "conversation"
+						},
+						{
+							"role_crns": [
+								"crn:v1:bluemix:public:iam::::role:Editor"
+							],
+							"service_name": "discovery"
 						}
 					],
 					"architecture": {
@@ -109,6 +167,13 @@
 							"type": "string",
 							"hidden": false,
 							"default_value": "https://github.com/IBM/gen-ai-rag-watsonx-sample-application"
+						},
+						{
+							"name": "signing_key",
+							"required": false,
+							"type": "password",
+							"hidden": false,
+							"default_value": "replace"
 						}
 					],
 					"install_type": "fullstack"

stack_definition.json

@@ -38,7 +38,14 @@
 			"type": "string",
 			"hidden": false,
 			"default": "https://github.com/IBM/gen-ai-rag-watsonx-sample-application"
-		}
+		},
+		{
+			"name": "signing_key",
+			"required": false,
+			"type": "password",
+			"hidden": false,
+			"default": "replace"
+		}		
 	],
 	"members": [
 		{
@@ -336,12 +343,20 @@
 				{
 					"name": "cd_code_engine_app_min_scale",
 					"value": "1"
+				},
+				{
+					"name": "ci_signing_key_secret_name",
+					"value": "signing-key"
+				},
+				{
+					"name": "pipeline_ibmcloud_api_key_secret_name",
+					"value": "ibmcloud-api-key"
 				}
 			]
 		},
 		{			
 			"name": "6 - Sample RAG app configuration",
-			"version_locator": "7df1e4ca-d54c-4fd0-82ce-3d13247308cd.20c3a1a0-12bc-411a-b590-0c604546c965",
+			"version_locator": "7df1e4ca-d54c-4fd0-82ce-3d13247308cd.f375f9df-af21-4299-b11d-e5813f918efa",
 			"inputs": [
 				{
 					"name": "toolchain_region",
@@ -406,6 +421,18 @@
 				{
 					"name": "toolchain_region",
 					"value": "ref:../../inputs/region"
+				},
+				{
+					"name": "signing_key",
+					"value": "ref:../../inputs/signing_key"
+				},
+				{
+					"name": "secrets_manager_guid",
+					"value": "ref:../2b - Security Service - Secret Manager/outputs/secrets_manager_guid"
+				},
+				{
+					"name": "secrets_manager_crn",
+					"value": "notneeded"
 				}
 			]
 		}