terraform-ibm-modules
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 1 addition & 2 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎README.md‎
Lines changed: 3 additions & 0 deletions b/‎README.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎cra-config.yaml‎
Lines changed: 4 additions & 0 deletions b/‎cra-config.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎examples/fscloud/README.md‎
Lines changed: 22 additions & 0 deletions b/‎examples/fscloud/README.md‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎examples/fscloud/main.tf‎
Lines changed: 249 additions & 0 deletions b/‎examples/fscloud/main.tf‎
Lines changed: 249 additions & 0 deletions
diff --git a/‎examples/fscloud/outputs.tf‎
Lines changed: 10 additions & 0 deletions b/‎examples/fscloud/outputs.tf‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎examples/fscloud/provider.tf‎
Lines changed: 25 additions & 0 deletions b/‎examples/fscloud/provider.tf‎
Lines changed: 25 additions & 0 deletions
@@ -11,5 +11,4 @@ jobs:
     secrets: inherit
     with:
       craSCCv2: true
-      craTarget: "examples/standard"
-      craRuleIgnoreFile: "cra-tf-validate-ignore-rules.json"
+      craConfigYamlFile: "cra-config.yaml"
@@ -19,6 +19,8 @@ A module for provisioning an IBM Cloud Red Hat OpenShift cluster on VPC Gen2. Th
 - Make sure that you have a recent version of the [IBM Cloud CLI](https://cloud.ibm.com/docs/cli?topic=cli-getting-started)
 - Make sure that you have a recent version of the [IBM Cloud Kubernetes service CLI](https://cloud.ibm.com/docs/containers?topic=containers-kubernetes-service-cli)
 
+
+
 ## Usage
 ```hcl
 # Replace "master" with a GIT release version to lock into a specific release
@@ -126,6 +128,7 @@ Optionally, you need the following permissions to attach Access Management tags
 - [ Add Rules to Security Groups Example](examples/add_rules_to_sg)
 - [ Apply Taints Example](examples/apply_taints)
 - [ Existing COS](examples/existing_cos)
+- [ Financial Services Cloud profile example](examples/fscloud)
 - [ 2 MZR clusters in same VPC](examples/multiple_mzr_clusters)
 - [ Single zone autoscaling cluster example](examples/single_zone_autoscale_cluster)
 - [ Standard Example With User Managed Boot Volume Encryption](examples/standard)
 
@@ -0,0 +1,4 @@
+version: "v1"
+CRA_TARGETS:
+  - CRA_TARGET: "examples/fscloud"
+    CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json"
@@ -0,0 +1,22 @@
+# Financial Services Cloud profile example
+
+An end-to-end example that uses the [Profile for IBM Cloud Framework for Financial Services](../../modules/fscloud) to deploy an instance of the base OCP VPC module.
+
+The example uses the IBM Cloud Terraform provider to create the following infrastructure:
+
+- A resource group, if one is not passed in
+- A sample virtual private cloud (VPC)
+- A COS instance for use by the OCP cluster
+- A context-based restriction (CBR) rule to only allow COS Instance to be accessible from within the VPC
+- OCP cluster in a VPC with the default worker pool deployed across 3 availability zones
+- Also uses Hyper Protect Crypto Service for the cluster and boot volume encryption
+
+
+:exclamation: **Important:** OCP provisions a COS bucket, but you cannot use your own encryption keys. This will fail the requirement for Cloud Object Storage to be enabled with customer-managed encryption and Keep Your Own Key (KYOK).
+Once the service supports this the profile will be updated. Until that time it is for educational purposes only.
+
+Outside the OCP Cluster, other parts of the infrastructure do not necessarily comply.
+
+## Before you begin
+
+- You need a Hyper Protect Crypto Services instance and keys for the worker and master encryption available in the region that you want to deploy your OCP Cluster instance to.
@@ -0,0 +1,249 @@
+
+##############################################################################
+# Provision an OCP cluster with one extra worker pool inside a VPC
+##############################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.0.6"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+module "cos_fscloud" {
+  source                        = "terraform-ibm-modules/cos/ibm"
+  version                       = "6.10.0"
+  resource_group_id             = module.resource_group.resource_group_id
+  create_cos_bucket             = false
+  cos_instance_name             = "${var.prefix}-cos"
+  skip_iam_authorization_policy = true
+
+  sysdig_crn           = module.observability_instances.sysdig_crn
+  activity_tracker_crn = local.at_crn
+  # Don't set CBR rules here as we don't want to create a circular dependency with the VPC module
+}
+
+module "flowlogs_bucket" {
+  source  = "terraform-ibm-modules/cos/ibm//modules/buckets"
+  version = "6.10.0"
+
+  bucket_configs = [
+    {
+      bucket_name            = "${var.prefix}-vpc-flowlogs"
+      kms_encryption_enabled = true
+      kms_guid               = var.hpcs_instance_guid
+      kms_key_crn            = var.hpcs_key_crn_cluster
+      region_location        = var.region
+      resource_instance_id   = module.cos_fscloud.cos_instance_id
+      resource_group_id      = module.resource_group.resource_group_id
+    }
+  ]
+}
+
+##############################################################################
+# VPC
+##############################################################################
+module "vpc" {
+  depends_on        = [module.flowlogs_bucket]
+  source            = "terraform-ibm-modules/landing-zone-vpc/ibm"
+  version           = "7.3.2"
+  resource_group_id = module.resource_group.resource_group_id
+  region            = var.region
+  prefix            = var.prefix
+  tags              = []
+  name              = var.vpc_name
+  address_prefixes = {
+    zone-1 = ["10.10.10.0/24"]
+    zone-2 = ["10.20.10.0/24"]
+    zone-3 = ["10.30.10.0/24"]
+  }
+  clean_default_acl                      = true
+  clean_default_security_group           = true
+  enable_vpc_flow_logs                   = true
+  create_authorization_policy_vpc_to_cos = true
+  existing_storage_bucket_name           = module.flowlogs_bucket.bucket_configs[0].bucket_name
+  security_group_rules                   = []
+  existing_cos_instance_guid             = module.cos_fscloud.cos_instance_guid
+  subnets = {
+    zone-1 = [
+      {
+        acl_name = "vpc-acl"
+        name     = "zone-1"
+        cidr     = "10.10.10.0/24"
+      }
+    ],
+    zone-2 = [
+      {
+        acl_name = "vpc-acl"
+        name     = "zone-2"
+        cidr     = "10.20.10.0/24"
+      }
+    ],
+    zone-3 = [
+      {
+        acl_name = "vpc-acl"
+        name     = "zone-3"
+        cidr     = "10.30.10.0/24"
+      }
+  ] }
+  use_public_gateways = {
+    zone-1 = false
+    zone-2 = false
+    zone-3 = false
+  }
+  ibmcloud_api_key = var.ibmcloud_api_key
+}
+
+##############################################################################
+# Observability Instances (Sysdig + AT)
+##############################################################################
+
+locals {
+  existing_at = var.existing_at_instance_crn != null ? true : false
+  at_crn      = var.existing_at_instance_crn == null ? module.observability_instances.activity_tracker_crn : var.existing_at_instance_crn
+}
+
+
+# Create Sysdig and Activity Tracker instance
+module "observability_instances" {
+  source  = "terraform-ibm-modules/observability-instances/ibm"
+  version = "2.7.0"
+  providers = {
+    logdna.at = logdna.at
+    logdna.ld = logdna.ld
+  }
+  region                         = var.region
+  resource_group_id              = module.resource_group.resource_group_id
+  sysdig_instance_name           = "${var.prefix}-sysdig"
+  sysdig_plan                    = "graduated-tier"
+  enable_platform_logs           = false
+  enable_platform_metrics        = false
+  logdna_provision               = false
+  activity_tracker_instance_name = "${var.prefix}-at"
+  activity_tracker_plan          = "7-day"
+  activity_tracker_provision     = !local.existing_at
+}
+
+##############################################################################
+# Get Cloud Account ID
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+
+##############################################################################
+# Create CBR Zone and Rules
+##############################################################################
+module "cbr_zone" {
+  source           = "terraform-ibm-modules/cbr/ibm//cbr-zone-module"
+  version          = "1.2.0"
+  name             = "${var.prefix}-VPC-network-zone"
+  zone_description = "CBR Network zone containing VPC"
+  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  addresses = [{
+    type  = "vpc", # to bind a specific vpc to the zone
+    value = module.vpc.vpc_crn,
+  }]
+}
+
+module "cbr_rules" {
+  source           = "terraform-ibm-modules/cbr/ibm//cbr-rule-module"
+  version          = "1.2.0"
+  rule_description = "${var.prefix} rule for vpc flow log access to cos"
+  enforcement_mode = "enabled"
+  resources = [{
+    attributes = [
+      {
+        name     = "accountId"
+        value    = data.ibm_iam_account_settings.iam_account_settings.account_id
+        operator = "stringEquals"
+      },
+      {
+        name     = "resourceGroupId",
+        value    = module.resource_group.resource_group_id
+        operator = "stringEquals"
+      },
+      {
+        name     = "serviceInstance"
+        value    = module.cos_fscloud.cos_instance_id
+        operator = "stringEquals"
+      },
+      {
+        name     = "serviceName"
+        value    = "cloud-object-storage"
+        operator = "stringEquals"
+      }
+    ],
+  }]
+  rule_contexts = [{
+    attributes = [
+      {
+        "name" : "endpointType",
+        "value" : "private"
+      },
+      {
+        name  = "networkZoneId"
+        value = module.cbr_zone.zone_id
+    }]
+  }]
+}
+
+
+
+##############################################################################
+# Base OCP Cluster
+##############################################################################
+locals {
+  cluster_hpcs_worker_pool_key_id = regex("key:(.*)", var.hpcs_key_crn_worker_pool)[0]
+  cluster_hpcs_cluster_key_id     = regex("key:(.*)", var.hpcs_key_crn_cluster)[0]
+  cluster_vpc_subnets = {
+    default = [
+      for subnet in module.vpc.subnet_zone_list :
+      {
+        id         = subnet.id
+        zone       = subnet.zone
+        cidr_block = subnet.cidr
+      }
+    ]
+  }
+
+  worker_pools = [
+    {
+      subnet_prefix     = "default"
+      pool_name         = "default" # ibm_container_vpc_cluster automatically names default pool "default" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
+      machine_type      = "bx2.4x16"
+      workers_per_zone  = 2
+      labels            = {}
+      resource_group_id = module.resource_group.resource_group_id
+      boot_volume_encryption_kms_config = {
+        crk              = local.cluster_hpcs_worker_pool_key_id
+        kms_instance_id  = var.hpcs_instance_guid
+        private_endpoint = true
+      }
+    }
+  ]
+}
+
+module "ocp_fscloud" {
+  source                          = "../../modules/fscloud"
+  cluster_name                    = var.prefix
+  ibmcloud_api_key                = var.ibmcloud_api_key
+  resource_group_id               = module.resource_group.resource_group_id
+  region                          = "us-south"
+  force_delete_storage            = true
+  vpc_id                          = module.vpc.vpc_id
+  vpc_subnets                     = local.cluster_vpc_subnets
+  existing_cos_id                 = module.cos_fscloud.cos_instance_id
+  worker_pools                    = local.worker_pools
+  tags                            = var.resource_tags
+  verify_worker_network_readiness = false # No access from public internet to check worker network readiness
+  kms_config = {
+    instance_id      = var.hpcs_instance_guid
+    crk_id           = local.cluster_hpcs_cluster_key_id
+    private_endpoint = true
+  }
+}
+
+##############################################################################
@@ -0,0 +1,10 @@
+##############################################################################
+# Outputs
+##############################################################################
+
+output "cluster_name" {
+  value       = module.ocp_fscloud.cluster_name
+  description = "The name of the provisioned cluster."
+}
+
+##############################################################################
@@ -0,0 +1,25 @@
+##############################################################################
+# Terraform providers
+##############################################################################
+
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}
+
+locals {
+  at_endpoint = "https://api.${var.region}.logging.cloud.ibm.com"
+}
+
+provider "logdna" {
+  alias      = "at"
+  servicekey = module.observability_instances.activity_tracker_resource_key != null ? module.observability_instances.activity_tracker_resource_key : ""
+  url        = local.at_endpoint
+}
+
+provider "logdna" {
+  alias      = "ld"
+  servicekey = module.observability_instances.logdna_resource_key != null ? module.observability_instances.logdna_resource_key : ""
+  url        = local.at_endpoint
+}
+##############################################################################