feat: Updates: <br>- Add binaries installation support in scripts for HashiCorp Waypoint runtime compatibility <br>- use terraform_data resource in-place of null_resource for improved Terraform resource handling (#609)

Author: arya-girish-k

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-02-25T20:47:40Z",
+  "generated_at": "2026-03-10T09:52:57Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -110,7 +110,7 @@
         "hashed_secret": "0b4fa8c4bcd22d61d35ced7462e18292e87ff633",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 427,
+        "line_number": 428,
         "type": "Base64 High Entropy String",
         "verified_result": null
       }

README.md

@@ -66,7 +66,6 @@ You need the following permissions to run this module.
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.79.2, <2.0.0 |
-| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1, < 4.0.0 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9.1, < 1.0.0 |
 
 ### Modules
@@ -87,8 +86,9 @@ You need the following permissions to run this module.
 | [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_resource_key.service_credentials](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) | resource |
 | [ibm_resource_tag.elasticsearch_tag](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_tag) | resource |
-| [null_resource.put_vectordb_model](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [null_resource.start_vectordb_model](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [terraform_data.install_required_binaries](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
+| [terraform_data.put_vectordb_model](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
+| [terraform_data.start_vectordb_model](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [time_sleep.wait_for_backup_kms_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [ibm_database_connection.database_connection](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/database_connection) | data source |
@@ -111,6 +111,7 @@ You need the following permissions to run this module.
 | <a name="input_elasticsearch_version"></a> [elasticsearch\_version](#input\_elasticsearch\_version) | The version of Databases for Elasticsearch to deploy. Possible values: `8.7`, `8.10`, `8.12`, `8.15`, `8.19`, `9.1` which requires an Enterprise Platinum pricing plan. If no value is specified, the current preferred version for IBM Cloud Databases is used. | `string` | `null` | no |
 | <a name="input_elser_model_type"></a> [elser\_model\_type](#input\_elser\_model\_type) | Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if also 'plan' is set to 'platinum'. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html) | `string` | `".elser_model_2_linux-x86_64"` | no |
 | <a name="input_enable_elser_model"></a> [enable\_elser\_model](#input\_enable\_elser\_model) | Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if also 'plan' is set to 'platinum'. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch) | `bool` | `false` | no |
+| <a name="input_install_required_binaries"></a> [install\_required\_binaries](#input\_install\_required\_binaries) | When set to true, a script will run to check if `jq` exist on the runtime and if not attempt to download it from the public internet and install it to /tmp. Set to false to skip running this script. | `bool` | `true` | no |
 | <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `use_ibm_owned_encryption_key` is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the `use_same_kms_key_for_backups` and `backup_encryption_key_crn` inputs. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `string` | `null` | no |
 | <a name="input_member_host_flavor"></a> [member\_host\_flavor](#input\_member\_host\_flavor) | Allocated host flavor per member. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database#host_flavor). | `string` | `null` | no |
 | <a name="input_members"></a> [members](#input\_members) | The number of members that are allocated. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-resources-scaling). | `number` | `3` | no |

ibm_catalog.json

@@ -603,6 +603,10 @@
                   ]
                 }
               }
+            },
+            {
+              "key": "install_required_binaries",
+              "hidden": true
             }
           ],
           "terraform_version": "1.12.2",

main.tf

@@ -406,15 +406,29 @@ locals {
   es_username    = local.es_admin_user != null ? local.service_credentials_object["credentials"][local.es_admin_user]["username"] : var.admin_pass != null ? "admin" : null
   es_password    = local.es_admin_user != null ? local.service_credentials_object["credentials"][local.es_admin_user]["password"] : var.admin_pass != null ? ibm_database.elasticsearch.adminpassword : null
   es_url         = local.es_username != null && local.es_password != null ? "https://${local.es_username}:${local.es_password}@${data.ibm_database_connection.database_connection.https[0].hosts[0].hostname}:${data.ibm_database_connection.database_connection.https[0].hosts[0].port}" : null
+  binaries_path  = "/tmp"
 }
 
-resource "null_resource" "put_vectordb_model" {
-  count = var.enable_elser_model ? 1 : 0
-  triggers = {
+resource "terraform_data" "install_required_binaries" {
+  count = var.install_required_binaries && var.enable_elser_model ? 1 : 0
+  triggers_replace = {
+    file_changed = md5(var.elser_model_type)
+  }
+
+  provisioner "local-exec" {
+    command     = "${path.module}/solutions/fully-configurable/scripts/install-binaries.sh ${local.binaries_path}"
+    interpreter = ["/bin/bash", "-c"]
+  }
+}
+
+resource "terraform_data" "put_vectordb_model" {
+  depends_on = [terraform_data.install_required_binaries]
+  count      = var.enable_elser_model ? 1 : 0
+  triggers_replace = {
     file_changed = md5(var.elser_model_type)
   }
   provisioner "local-exec" {
-    command     = "${path.module}/scripts/put_vectordb_model.sh"
+    command     = "${path.module}/scripts/put_vectordb_model.sh ${local.binaries_path}"
     interpreter = ["/bin/bash", "-c"]
     environment = {
       ES               = local.es_url
@@ -423,10 +437,10 @@ resource "null_resource" "put_vectordb_model" {
   }
 }
 
-resource "null_resource" "start_vectordb_model" {
-  depends_on = [null_resource.put_vectordb_model]
+resource "terraform_data" "start_vectordb_model" {
+  depends_on = [terraform_data.put_vectordb_model]
   count      = var.enable_elser_model ? 1 : 0
-  triggers = {
+  triggers_replace = {
     file_changed = md5(var.elser_model_type)
   }
   provisioner "local-exec" {

scripts/put_vectordb_model.sh

@@ -1,6 +1,9 @@
 #!/bin/bash
 set -e
 
+# The binaries downloaded by the install-binaries script are located in the /tmp directory.
+export PATH=$PATH:${1:-"/tmp"}
+
 INSTALL_NEW_MODEL=true
 
 # get trained models from elasticsearch

solutions/fully-configurable/main.tf

@@ -469,11 +469,18 @@ locals {
   kibana_version            = var.enable_kibana_dashboard ? try(data.external.es_metadata[0].result.version_number, null) : null
   kibana_system_password    = var.enable_kibana_dashboard ? startswith(random_password.kibana_system_password[0].result, "-") ? "J${substr(random_password.kibana_system_password[0].result, 1, -1)}" : startswith(random_password.kibana_system_password[0].result, "_") ? "K${substr(random_password.kibana_system_password[0].result, 1, -1)}" : random_password.kibana_system_password[0].result : null
   kibana_app_login_password = var.enable_kibana_dashboard ? startswith(random_password.kibana_app_login_password[0].result, "-") ? "J${substr(random_password.kibana_app_login_password[0].result, 1, -1)}" : startswith(random_password.kibana_app_login_password[0].result, "_") ? "K${substr(random_password.kibana_app_login_password[0].result, 1, -1)}" : random_password.kibana_app_login_password[0].result : null
+  binaries_path             = "/tmp"
+}
+
+data "external" "install_required_binaries" {
+  count   = var.install_required_binaries && var.enable_kibana_dashboard ? 1 : 0
+  program = ["/bin/bash", "${path.module}/scripts/install-binaries.sh", local.binaries_path]
 }
 
 data "external" "es_metadata" {
-  count   = var.enable_kibana_dashboard ? 1 : 0
-  program = ["bash", "${path.module}/scripts/es_metadata.sh"]
+  depends_on = [data.external.install_required_binaries]
+  count      = var.enable_kibana_dashboard ? 1 : 0
+  program    = ["bash", "${path.module}/scripts/es_metadata.sh", local.binaries_path]
   query = {
     url         = "https://${local.elasticsearch_hostname}:${local.elasticsearch_port}"
     username    = local.elasticsearch_username

solutions/fully-configurable/scripts/es_metadata.sh

@@ -2,6 +2,9 @@
 
 set -euo pipefail
 
+# The binaries downloaded by the install-binaries script are located in the /tmp directory.
+export PATH=$PATH:${1:-"/tmp"}
+
 # Read JSON from stdin
 INPUT_JSON="$(cat)"
 

solutions/fully-configurable/scripts/install-binaries.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# scripts placed in the root module when they are invoked individually.
+# Placing it here also avoids duplicating the install-binaries script across modules.
+
+set -o errexit
+set -o pipefail
+
+DIRECTORY=${1:-"/tmp"}
+export PATH=$PATH:$DIRECTORY
+# renovate: datasource=github-tags depName=terraform-ibm-modules/common-bash-library
+TAG=v0.4.0
+# Running multiple Terraform executions on the same environment that share a /tmp directory can lead to conflicts during script execution.
+TMP_DIR=$(mktemp -d "${DIRECTORY}/common-bash-XXXXX")
+
+echo "Downloading common-bash-library version ${TAG}." >&2
+
+# download common-bash-library
+curl --silent \
+    --connect-timeout 5 \
+    --max-time 10 \
+    --retry 3 \
+    --retry-delay 2 \
+    --retry-connrefused \
+    --fail \
+    --show-error \
+    --location \
+    --output "${TMP_DIR}/common-bash.tar.gz" \
+    "https://github.com/terraform-ibm-modules/common-bash-library/archive/refs/tags/$TAG.tar.gz"
+
+mkdir -p "${TMP_DIR}/common-bash-library"
+tar -xzf "${TMP_DIR}/common-bash.tar.gz" -C "${TMP_DIR}"
+rm -f "${TMP_DIR}/common-bash.tar.gz"
+
+# The file doesn’t exist at the time shellcheck runs, so this check is skipped.
+# shellcheck disable=SC1091,SC1090
+source "${TMP_DIR}/common-bash-library-${TAG#v}/common/common.sh"
+
+echo "Installing jq." >&2
+install_jq "latest" "${DIRECTORY}" "true"
+
+rm -rf "$TMP_DIR"
+
+echo "Installation complete successfully" >&2
+
+# Output JSON for Terraform external data source
+echo '{"status":"success"}'

solutions/fully-configurable/variables.tf

@@ -705,3 +705,10 @@ variable "cbr_code_engine_kibana_project_rules" {
   description = "(Optional, list) List of context-based restrictions rules to create for the Kibana dashboard and it is only applicable if `enable_kibana_dashboard` is true. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-elasticsearch/tree/main/solutions/standard/DA-cbr_rules.md)"
   default     = []
 }
+
+variable "install_required_binaries" {
+  type        = bool
+  default     = true
+  description = "When set to true, a script will run to check if `jq` exist on the runtime and if not attempt to download it from the public internet and install it to /tmp. Set to false to skip running this script."
+  nullable    = false
+}

tests/pr_test.go

@@ -298,6 +298,7 @@ func TestRunSecurityEnforcedUpgradeSolution(t *testing.T) {
 		TarIncludePatterns: []string{
 			"*.tf",
 			fullyConfigurableSolutionTerraformDir + "/*.tf",
+			fullyConfigurableSolutionTerraformDir + "/scripts/*.sh",
 			securityEnforcedSolutionTerraformDir + "/*.tf",
 		},
 		TemplateFolder:             securityEnforcedSolutionTerraformDir,