best practices

Author: Vipin Kumar

ibm_catalog.json

@@ -25,15 +25,28 @@
       "provider_name": "IBM",
       "features": [
         {
-          "title": "Configures IBM Cloud Activity Tracker Event Routing",
-          "description": "Configures an IBM Cloud Activity Tracker route with a Cloud Object Storage and Cloud Logs target."
+          "title": "Event Routing",
+          "description": "Configures an IBM Cloud Activity Tracker route with Cloud Object Storage and Cloud Logs target."
+        },
+        {
+          "title": "Object Storage buckets",
+          "description": "Creates buckets required for storing events."
+        },
+        {
+          "title": "Cloud Logs",
+          "description": "Supports creating a new cloud logs instance as well as using an existing one."
+        },
+        {
+          "title": "Enable KMS encryption",
+          "description": "Supports creating a new key, or using an existing one to encrypt the Object Storage bucket. For more details on KMS encryption, refer [this](https://cloud.ibm.com/docs/key-protect?topic=key-protect-about)."
         }
       ],
       "support_details": "This product is in the community registry and support is handled in the source repo. You can open an issue at [https://github.com/terraform-ibm-modules/terraform-ibm-activity-tracker/issues](https://github.com/terraform-ibm-modules/terraform-ibm-activity-tracker/issues). Support is not offered through IBM Cloud Support.",
       "flavors": [
         {
           "label": "Fully configurable",
           "name": "fully-configurable",
+          "index": 1,
           "install_type": "fullstack",
           "working_directory": "solutions/fully-configurable",
           "iam_permissions": [
@@ -45,25 +58,25 @@
               ]
             },
             {
+              "service_name": "hs-crypto",
               "role_crns": [
                 "crn:v1:bluemix:public:iam::::serviceRole:Manager",
                 "crn:v1:bluemix:public:iam::::role:Editor"
-              ],
-              "service_name": "hs-crypto"
+              ]
             },
             {
+              "service_name": "kms",
               "role_crns": [
                 "crn:v1:bluemix:public:iam::::serviceRole:Manager",
                 "crn:v1:bluemix:public:iam::::role:Editor"
-              ],
-              "service_name": "kms"
+              ]
             },
             {
+              "service_name": "cloud-object-storage",
               "role_crns": [
                 "crn:v1:bluemix:public:iam::::serviceRole:Manager",
                 "crn:v1:bluemix:public:iam::::role:Editor"
-              ],
-              "service_name": "cloud-object-storage"
+              ]
             }
           ],
           "compliance": {
@@ -81,6 +94,7 @@
             },
             {
               "key": "provider_visibility",
+              "hidden": true,
               "options": [
                 {
                   "displayname": "private",
@@ -104,6 +118,8 @@
               "key": "existing_resource_group_name"
             },
             {
+              "key": "region",
+              "required": true,
               "custom_config": {
                 "type": "region",
                 "grouping": "deployment",
@@ -113,18 +129,34 @@
                     "region"
                   ]
                 }
-              },
-              "key": "region",
-              "required": true
+              }
             },
             {
-              "key": "enable_at_event_routing_to_cos_bucket"
+              "key": "existing_cloud_logs_instance_crn"
             },
             {
               "key": "enable_at_event_routing_to_cloud_logs"
             },
             {
-                "key": "existing_cloud_logs_crn"
+              "key": "cloud_logs_target_name"
+            },
+            {
+              "key": "at_cloud_logs_route_name"
+            },
+            {
+              "key": "existing_cos_instance_crn"
+            },
+            {
+              "key": "ibmcloud_cos_api_key"
+            },
+            {
+              "key": "enable_at_event_routing_to_cos_bucket"
+            },
+            {
+              "key": "cos_target_name"
+            },
+            {
+              "key": "at_cos_route_name"
             },
             {
               "key": "cos_region"
@@ -168,6 +200,7 @@
             },
             {
               "key": "management_endpoint_type_for_bucket",
+              "hidden": true,
               "options": [
                 {
                   "displayname": "public",
@@ -183,9 +216,6 @@
                 }
               ]
             },
-            {
-              "key": "existing_cos_instance_crn"
-            },
             {
               "key": "existing_at_cos_target_bucket_name"
             },
@@ -205,23 +235,20 @@
               "key": "existing_cos_kms_key_crn"
             },
             {
-              "key": "existing_kms_instance_crn",
-              "required": true
+              "key": "existing_kms_instance_crn"
             },
             {
               "key": "cos_key_name"
             },
             {
               "key": "cos_key_ring_name"
             },
-            {
-              "key": "ibmcloud_cos_api_key"
-            },
             {
               "key": "ibmcloud_kms_api_key"
             },
             {
               "key": "kms_endpoint_type",
+              "hidden": true,
               "options": [
                 {
                   "displayname": "public",
@@ -232,23 +259,97 @@
                   "value": "private"
                 }
               ]
-            },
+            }
+          ],
+          "dependencies": [
             {
-              "key": "at_cloud_logs_route_name"
+              "name": "deploy-arch-ibm-cos",
+              "description": "Enable this to create an IBM Cloud Object Storage(COS) instance. The buckets to store events will be created by the Cloud Logs deployable architecture.",
+              "id": "68921490-2778-4930-ac6d-bae7be6cd958-global",
+              "version": "v9.0.2",
+              "flavors": [
+                "instance"
+              ],
+              "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3",
+              "optional": true,
+              "on_by_default": true,
+              "input_mapping": [
+                {
+                  "dependency_input": "existing_resource_group_name",
+                  "version_input": "existing_resource_group_name",
+                  "reference_version": true
+                },
+                {
+                  "dependency_output": "cos_instance_crn",
+                  "version_input": "existing_cos_instance_crn"
+                },
+                {
+                  "dependency_input": "prefix",
+                  "version_input": "prefix",
+                  "reference_version": true
+                }
+              ]
             },
             {
-              "key": "at_cos_route_name"
+              "name": "deploy-arch-ibm-kms",
+              "description": "Enable when you want to create your own root keys to encrypt the buckets.",
+              "id": "2cad4789-fa90-4886-9c9e-857081c273ee-global",
+              "version": "v5.1.4",
+              "flavors": [
+                "fully-configurable"
+              ],
+              "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3",
+              "optional": true,
+              "on_by_default": true,
+              "input_mapping": [
+                {
+                  "dependency_output": "kms_instance_crn",
+                  "version_input": "existing_kms_instance_crn"
+                },
+                {
+                  "version_input": "kms_encryption_enabled_buckets",
+                  "value": true
+                },
+                {
+                  "dependency_input": "prefix",
+                  "version_input": "prefix",
+                  "reference_version": true
+                },
+                {
+                  "dependency_input": "region",
+                  "version_input": "region",
+                  "reference_version": true
+                }
+              ]
             },
             {
-              "key": "cloud_logs_target_name"
+              "name": "deploy-arch-ibm-account-infra-base",
+              "description": "Enable to create a resource groups by default where all the resources will be provisioned and, when you enable the “with Account Settings” option, it also applies baseline security and governance settings. When disabled, provide your own resource group via the `existing_resource_group_name` input.",
+              "id": "63641cec-6093-4b4f-b7b0-98d2f4185cd6-global",
+              "version": "v3.0.7",
+              "flavors": [
+                "resource-group-only",
+                "resource-groups-with-account-settings"
+              ],
+              "default_flavor": "resource-group-only",
+              "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3",
+              "optional": true,
+              "on_by_default": false,
+              "input_mapping": [
+                {
+                  "dependency_input": "prefix",
+                  "version_input": "prefix",
+                  "reference_version": true
+                },
+                {
+                  "dependency_output": "observability_resource_group_name",
+                  "version_input": "existing_resource_group_name"
+                }
+              ]
             },
-            {
-              "key": "cos_target_name"
-            }
-          ],
-          "dependencies": [
             {
               "name": "deploy-arch-ibm-cloud-logs",
+              "description": "Enable this to create an IBM Cloud Logs (ICL) Instance which can be used for storage and analysis of events ingested by activity tracker.",
               "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3",
               "flavors": [
                 "fully-configurable"
@@ -303,16 +404,12 @@
             }
           ],
           "dependency_version_2": true,
+          "terraform_version": "1.10.5",
           "architecture": {
-            "descriptions": "This architecture supports the deployment of IBM Cloud Activity Tracker Event Routing to an Object Storage bucket and Cloud Logs target.",
             "features": [
               {
-                "title": "Creates KMS-encrypted Object Storage buckets for log files and Activity Tracker events",
-                "description": "Creates and configures the IBM Cloud Object Storage buckets with archiving and expiration enabled."
-              },
-              {
-                "title": "Creates an IBM Cloud Activity Tracker event route to an Object Storage bucket and Cloud Logs target",
-                "description": "Creates and configures the IBM Cloud Activity Tracker Event Routing to an IBM Cloud Object Storage bucket and IBM Cloud Logs target."
+                "title": " ",
+                "description": "Configured to use IBM secure by default standards, but can be edited to fit your use case."
               }
             ],
             "diagrams": [

reference-architecture/deployable-architecture-activity-tracker.svg

@@ -0,0 +1,3 @@
+# Cloud automation for <service name> (Fully configurable)
+
+:exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers).

solutions/fully-configurable/README.md

@@ -14,7 +14,6 @@ locals {
   cos_key_name              = try("${local.prefix}-${var.cos_key_name}", var.cos_key_name)
   at_cos_target_bucket_name = try("${local.prefix}-${var.at_cos_target_bucket_name}", var.at_cos_target_bucket_name)
 
-  cos_instance_crn  = var.existing_cos_instance_crn
   cos_instance_guid = element(split(":", var.existing_cos_instance_crn), length(split(":", var.existing_cos_instance_crn)) - 3)
 
   use_kms_module    = var.kms_encryption_enabled_buckets && var.existing_cos_kms_key_crn == null
@@ -66,7 +65,7 @@ locals {
     target_ids = [module.activity_tracker.activity_tracker_targets[local.cos_target_name].id]
   }] : []
 
-  at_cloud_logs_route = var.enable_at_event_routing_to_cloud_logs && var.existing_cloud_logs_crn != null ? [{
+  at_cloud_logs_route = var.enable_at_event_routing_to_cloud_logs && var.existing_cloud_logs_instance_crn != null ? [{
     route_name = local.at_cloud_logs_route_name
     locations  = ["*", "global"]
     target_ids = [module.activity_tracker.activity_tracker_targets[local.cloud_logs_target_name].id]
@@ -105,17 +104,17 @@ module "activity_tracker" {
     {
       bucket_name                       = local.cos_target_bucket_name
       endpoint                          = local.cos_target_bucket_endpoint
-      instance_id                       = local.cos_instance_crn
+      instance_id                       = var.existing_cos_instance_crn
       target_region                     = local.default_cos_region
       target_name                       = local.cos_target_name
       skip_atracker_cos_iam_auth_policy = var.ibmcloud_cos_api_key != null ? true : var.skip_at_cos_auth_policy
       service_to_service_enabled        = true
     }
   ] : []
 
-  cloud_logs_targets = var.enable_at_event_routing_to_cloud_logs && var.existing_cloud_logs_crn != null ? [
+  cloud_logs_targets = var.enable_at_event_routing_to_cloud_logs && var.existing_cloud_logs_instance_crn != null ? [
     {
-      instance_id   = var.existing_cloud_logs_crn
+      instance_id   = var.existing_cloud_logs_instance_crn
       target_region = var.region
       target_name   = local.cloud_logs_target_name
     }
@@ -137,9 +136,9 @@ resource "ibm_iam_authorization_policy" "atracker_cos" {
   source_service_account      = data.ibm_iam_account_settings.iam_account_settings.account_id
   source_service_name         = "atracker"
   target_service_name         = "cloud-object-storage"
-  target_resource_instance_id = regex(".*:(.*)::", local.cos_instance_crn)[0]
+  target_resource_instance_id = regex(".*:(.*)::", var.existing_cos_instance_crn)[0]
   roles                       = ["Object Writer"]
-  description                 = "Permit AT service Object Writer access to COS instance ${local.cos_instance_crn}"
+  description                 = "Permit AT service Object Writer access to COS instance ${var.existing_cos_instance_crn}"
 }
 
 #######################################################################################################################
@@ -271,7 +270,7 @@ module "cos_bucket" {
       skip_iam_authorization_policy = false
       management_endpoint_type      = var.management_endpoint_type_for_bucket
       storage_class                 = value.class
-      resource_instance_id          = local.cos_instance_crn
+      resource_instance_id          = var.existing_cos_instance_crn
       region_location               = local.default_cos_region
       force_delete                  = true
       archive_rule                  = local.archive_rule

solutions/fully-configurable/main.tf

@@ -3,22 +3,25 @@
 ########################################################################################################################
 
 provider "ibm" {
-  ibmcloud_api_key = var.ibmcloud_api_key
-  region           = var.region
-  visibility       = var.provider_visibility
+  ibmcloud_api_key      = var.ibmcloud_api_key
+  region                = var.region
+  visibility            = var.provider_visibility
+  private_endpoint_type = (var.provider_visibility == "private" && var.region == "ca-mon") ? "vpe" : null
 }
 
 provider "ibm" {
-  alias            = "cos"
-  ibmcloud_api_key = var.ibmcloud_cos_api_key != null ? var.ibmcloud_cos_api_key : var.ibmcloud_api_key
-  region           = local.default_cos_region
-  visibility       = var.provider_visibility
+  alias                 = "cos"
+  ibmcloud_api_key      = var.ibmcloud_cos_api_key != null ? var.ibmcloud_cos_api_key : var.ibmcloud_api_key
+  region                = local.default_cos_region
+  visibility            = var.provider_visibility
+  private_endpoint_type = (var.provider_visibility == "private" && local.default_cos_region == "ca-mon") ? "vpe" : null
 }
 
 
 provider "ibm" {
-  alias            = "kms"
-  ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key
-  region           = local.kms_region
-  visibility       = var.provider_visibility
+  alias                 = "kms"
+  ibmcloud_api_key      = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key
+  region                = local.kms_region
+  visibility            = var.provider_visibility
+  private_endpoint_type = (var.provider_visibility == "private" && local.kms_region == "ca-mon") ? "vpe" : null
 }