From 363b3edf9325b032c309dd9657f679a8e8748cac Mon Sep 17 00:00:00 2001
From: "akocbek@ie.ibm.com"
Date: Mon, 30 Sep 2024 15:01:54 +0100
Subject: [PATCH 1/4] fix: small fixes around input DA variables
---
README.md | 6 +-
examples/fscloud/variables.tf | 2 +-
ibm_catalog.json | 106 ++++++++++++++++----------------
modules/fscloud/README.md | 8 +-
modules/fscloud/variables.tf | 4 +-
solutions/standard/main.tf | 28 ++++-----
solutions/standard/outputs.tf | 2 +-
solutions/standard/variables.tf | 12 ++--
variables.tf | 4 +-
9 files changed, 86 insertions(+), 86 deletions(-)
diff --git a/README.md b/README.md
index 721dddca..26d6a5ac 100644
--- a/README.md
+++ b/README.md
@@ -95,9 +95,9 @@ You need the following permissions to run this module.
| [backup\_crn](#input\_backup\_crn) | The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after both provisioning is complete and the new deployment that uses that data starts. Specify a backup CRN is in the format `crn:v1:<...>:backup:`. If not specified, the database is provisioned empty. | `string` | `null` | no |
| [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The CRN of a Hyper Protect Crypto Services use for encrypting the disk that holds deployment backups. There are limitation per region on the Hyper Protect Crypto Services and region for those services. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups | `string` | `null` | no |
| [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create. |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
}))
| `[]` | no |
-| [elasticsearch\_version](#input\_elasticsearch\_version) | The version of Databases for Elasticsearch to deploy. Possible values: `8.7`, `8.10`, `8.12`, `8.15` which requires an Enterprise Platinum pricing plan. If no value is specified, the current preferred version for IBM Cloud Databases is used. | `string` | `null` | no |
-| [elser\_model\_type](#input\_elser\_model\_type) | Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html) | `string` | `".elser_model_2_linux-x86_64"` | no |
-| [enable\_elser\_model](#input\_enable\_elser\_model) | Set it to true to install and start the Elastic's Natural Language Processing model. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch) | `bool` | `false` | no |
+| [elasticsearch\_version](#input\_elasticsearch\_version) | The version of Databases for Elasticsearch to deploy. Possible values: `8.7`, `8.10`, `8.12`, which requires an Enterprise Platinum pricing plan. If no value is specified, the current preferred version for IBM Cloud Databases is used. | `string` | `null` | no |
+| [elser\_model\_type](#input\_elser\_model\_type) | Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if 'plan' is set to 'platinum' and 'enable\_elser\_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html) | `string` | `".elser_model_2_linux-x86_64"` | no |
+| [enable\_elser\_model](#input\_enable\_elser\_model) | Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if 'plan' is set to 'platinum'.
[Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch) | `bool` | `false` | no |
| [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of a Hyper Protect Crypto Services or Key Protect instance for the CRN specified in `kms_key_crn` and `backup_encryption_key_crn`. Applies only if `kms_encryption_enabled` is true, `skip_iam_authorization_policy` is false, and you specify values for `kms_key_crn` or `backup_encryption_key_crn`. | `string` | `null` | no |
| [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Whether to specify the keys used to encrypt data in the database. Specify `true` to identify the encryption keys. If set to `false`, the data is encrypted with randomly generated keys. [Learn more about Key Protect integration](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect). [Learn more about HPCS integration](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs). | `bool` | `false` | no |
| [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of the Key Protect or Hyper Protect Crypto Services instance to use for disk encryption. Applies only if `kms_encryption_enabled` is true. | `string` | `null` | no |
diff --git a/examples/fscloud/variables.tf b/examples/fscloud/variables.tf
index 664994c7..adeace6b 100644
--- a/examples/fscloud/variables.tf
+++ b/examples/fscloud/variables.tf
@@ -111,6 +111,6 @@ variable "backup_encryption_key_crn" {
variable "enable_elser_model" {
type = bool
- description = "Set it to true to install and start the Elastic's Natural Language Processing model. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch)"
+ description = "Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if 'plan' is set to 'platinum'. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch)"
default = false
}
diff --git a/ibm_catalog.json b/ibm_catalog.json
index bfc04fd4..f07f1f82 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -177,6 +177,9 @@
{
"key": "name"
},
+ {
+ "key": "existing_elastic_search_instance_crn"
+ },
{
"key": "plan",
"options": [
@@ -209,10 +212,27 @@
]
},
{
- "key": "access_tags"
+ "key": "enable_elser_model"
+ },
+ {
+ "key": "elser_model_type",
+ "options": [
+ {
+ "displayname": ".elser_model_1",
+ "value": ".elser_model_1"
+ },
+ {
+ "displayname": ".elser_model_2",
+ "value": ".elser_model_2"
+ },
+ {
+ "displayname": ".elser_model_2_linux-x86_64",
+ "value": ".elser_model_2_linux-x86_64"
+ }
+ ]
},
{
- "key": "use_ibm_owned_encryption_key"
+ "key": "access_tags"
},
{
"key": "tags"
@@ -220,6 +240,12 @@
{
"key": "users"
},
+ {
+ "key": "service_credential_names"
+ },
+ {
+ "key": "admin_pass"
+ },
{
"key": "members"
},
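Review bot: The added sentence `Applies only if 'plan' is set to 'platinum'.` quotes identifiers with single quotes, while the rest of the same description strings and the validation messages in this series use backticks (`.elser_model_1`, `existing_secrets_manager_instance_crn`); writing plan and platinum in backticks would match. That sentence is also the only place the plan dependency is expressed: nothing in the hunk ties `enable_elser_model` to the plan input, so a non-platinum plan combined with `true` presumably fails on the provider side rather than at validation, unless a `validation` block elsewhere already covers it. The same wording lands in the modules/fscloud/variables.tf, solutions/standard/variables.tf and root variables.tf hunks of this patch.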
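Review bot: The `admin_pass` entry added in the `@@ -220` hunk exposes the administrator password as a visible catalog input with no indication in this file that the value is secret; the catalog manifest cannot express that on its own, so please confirm the corresponding variable in solutions/standard/variables.tf (not shown in this patch) is declared `sensitive = true` so Terraform output masks it. Since `local.admin_pass` in the main.tf hunk falls back to a generated password when the input is null, it is worth stating in that variable's description that leaving it empty is the expected default, so consumers are not nudged into typing one into the form.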
@@ -236,80 +262,56 @@
"key": "member_host_flavor"
},
{
- "key": "service_credential_names"
- },
- {
- "key": "admin_pass"
- },
- {
- "key": "admin_pass_sm_secret_group"
- },
- {
- "key": "use_existing_admin_pass_sm_secret_group"
- },
- {
- "key": "admin_pass_sm_secret_name"
+ "key": "auto_scaling"
},
{
- "key": "skip_iam_authorization_policy"
+ "key": "admin_pass_secrets_manager_secret_group"
},
{
- "key": "kms_endpoint_type",
- "options": [
- {
- "displayname": "public",
- "value": "public"
- },
- {
- "displayname": "private",
- "value": "private"
- }
- ]
+ "key": "use_existing_admin_pass_secrets_manager_secret_group"
},
{
- "key": "existing_kms_key_crn"
+ "key": "admin_pass_secrets_manager_secret_name"
},
{
- "key": "existing_kms_instance_crn",
- "required": true
+ "key": "existing_secrets_manager_instance_crn"
},
{
- "key": "elasticsearch_key_ring_name"
+ "key": "existing_secrets_manager_endpoint_type"
},
{
- "key": "elasticsearch_key_name"
+ "key": "skip_elastic_search_to_secret_manager_auth_policy"
},
{
- "key": "auto_scaling"
+ "key": "service_credential_secrets"
},
{
- "key": "backup_crn"
+ "key": "skip_iam_authorization_policy"
},
+ {
+ "key": "kms_endpoint_type",
+ "options": [
+ {
+ "displayname": "public",
+ "value": "public"
+ },
+ {
+ "displayname": "private",
+ "value": "private"
+ }
+ ]
+ },
{
- "key": "existing_backup_kms_key_crn"
+ "key": "existing_kms_key_crn"
},
{
- "key": "existing_backup_kms_instance_crn"
+ "key": "existing_kms_instance_crn"
},
{
- "key": "enable_elser_model"
+ "key": "elasticsearch_key_ring_name"
},
{
- "key": "elser_model_type",
- "options": [
- {
- "displayname": ".elser_model_1",
- "value": ".elser_model_1"
- },
- {
- "displayname": ".elser_model_2",
- "value": ".elser_model_2"
- },
- {
- "displayname": ".elser_model_2_linux-x86_64",
- "value": ".elser_model_2_linux-x86_64"
- }
- ]
+ "key": "elasticsearch_key_name"
}
]
}
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
index d89eaa74..1ad71b5d 100644
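Review bot: `"required": true` is dropped from `existing_kms_instance_crn` in this hunk, yet `local.kms_key_crn` in the main.tf hunk of this patch still reads a key from `module.kms[0]` whenever `existing_kms_key_crn` is null, and the `use_ibm_owned_encryption_key` toggle is removed from the catalog in the earlier hunk; as far as the patch shows, nothing now tells the catalog form that a KMS instance must be supplied, so an empty value surfaces only at plan or apply time. If making it optional is intended, a `validation` block on the variable that rejects the case where both KMS inputs are null would at least fail fast with a clear message. The `backup_crn`, `existing_backup_kms_key_crn` and `existing_backup_kms_instance_crn` entries also disappear from the catalog here; if those variables still exist in the solution they become settable only through their defaults, which reads like an unintended side effect of the reordering rather than a deliberate removal.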
--- a/modules/fscloud/README.md
+++ b/modules/fscloud/README.md
@@ -37,10 +37,10 @@ No resources.
| [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The Hyper Protect Crypto Services (HPCS) or Key Protect root key CRN to use for encrypting the disk that holds deployment backups. There are region limitations for backup encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups (HPCS) and https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok (Key Protect). | `string` | `null` | no |
| [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
}))
| `[]` | no |
| [elasticsearch\_version](#input\_elasticsearch\_version) | Version of the Elasticsearch instance. If no value is passed, the current preferred version of IBM Cloud Databases is used. | `string` | `null` | no |
-| [elser\_model\_type](#input\_elser\_model\_type) | Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html) | `string` | `".elser_model_2_linux-x86_64"` | no |
-| [enable\_elser\_model](#input\_enable\_elser\_model) | Set it to true to install and start the Elastic's Natural Language Processing model. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch) | `bool` | `false` | no |
-| [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services (HPCS) or Key Protect instance. | `string` | `null` | no |
-| [kms\_key\_crn](#input\_kms\_key\_crn) | The Hyper Protect Crypto Services (HPCS) or Key Protect root key CRN to use for disk encryption. | `string` | `null` | no |
+| [elser\_model\_type](#input\_elser\_model\_type) | Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if 'plan' is set to 'platinum' and 'enable\_elser\_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html) | `string` | `".elser_model_2_linux-x86_64"` | no |
+| [enable\_elser\_model](#input\_enable\_elser\_model) | Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if 'plan' is set to 'platinum'.
[Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch) | `bool` | `false` | no |
+| [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services instance. It is only required while creating authorization policy. | `string` | `null` | no |
+| [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of the Hyper Protect Crypto Services (HPCS) to use for disk encryption. | `string` | n/a | yes |
| [member\_cpu\_count](#input\_member\_cpu\_count) | Allocated dedicated CPU per member. For shared CPU, set to 0. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-resources-scaling) | `number` | `0` | no |
| [member\_disk\_mb](#input\_member\_disk\_mb) | Allocated disk per-member. [Learn more}(https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-resources-scaling) | `number` | `5120` | no |
| [member\_host\_flavor](#input\_member\_host\_flavor) | Allocated host flavor per member. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database#host_flavor). | `string` | `null` | no |
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
index d6d0bc3c..ba1d1594 100644
--- a/modules/fscloud/variables.tf
+++ b/modules/fscloud/variables.tf
@@ -198,13 +198,13 @@ variable "backup_crn" {
variable "enable_elser_model" {
type = bool
- description = "Set it to true to install and start the Elastic's Natural Language Processing model. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch)"
+ description = "Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if 'plan' is set to 'platinum'. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch)"
default = false
}
variable "elser_model_type" {
type = string
- description = "Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html)"
+ description = "Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if 'plan' is set to 'platinum' and 'enable_elser_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html)"
default = ".elser_model_2_linux-x86_64"
validation {
condition = contains([".elser_model_1", ".elser_model_2", ".elser_model_2_linux-x86_64"], var.elser_model_type)
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index 5af0ec1f..bd7f8042 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
@@ -11,18 +11,16 @@ locals {
elasticsearch_key_ring_name = var.prefix != null ? "${var.prefix}-${var.elasticsearch_key_ring_name}" : var.elasticsearch_key_ring_name
- existing_db_instance_guid = var.existing_db_instance_crn != null ? element(split(":", var.existing_db_instance_crn), length(split(":", var.existing_db_instance_crn)) - 3) : null
- use_existing_db_instance = var.existing_db_instance_crn != null
+ kms_key_crn = var.existing_elastic_search_instance_crn != null ? null : (var.existing_kms_key_crn != null ? var.existing_kms_key_crn : module.kms[0].keys[format("%s.%s", local.elasticsearch_key_ring_name, local.elasticsearch_key_name)].crn)
- create_cross_account_auth_policy = !var.skip_iam_authorization_policy && var.ibmcloud_kms_api_key != null && !var.use_ibm_owned_encryption_key
- create_sm_auth_policy = var.skip_es_sm_auth_policy || var.existing_secrets_manager_instance_crn == null ? 0 : 1
+ existing_db_instance_guid = var.existing_elastic_search_instance_crn != null ? element(split(":", var.existing_elastic_search_instance_crn), length(split(":", var.existing_elastic_search_instance_crn)) - 3) : null
+ use_existing_db_instance = var.existing_elastic_search_instance_crn != null
- kms_key_crn = var.existing_db_instance_crn != null ? null : !var.use_ibm_owned_encryption_key ? var.existing_kms_key_crn != null ? var.existing_kms_key_crn : module.kms[0].keys[format("%s.%s", local.elasticsearch_key_ring_name, local.elasticsearch_key_name)].crn : null
- parsed_kms_key_crn = local.kms_key_crn != null ? split(":", local.kms_key_crn) : []
- kms_service = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null
- kms_scope = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null
- kms_account_id = length(local.parsed_kms_key_crn) > 0 ? split("/", local.kms_scope)[1] : null
- kms_key_id = length(local.parsed_kms_key_crn) > 0 ?
local.parsed_kms_key_crn[9] : null
+ create_cross_account_auth_policy = !var.skip_iam_authorization_policy && var.ibmcloud_kms_api_key != null
+ create_sm_auth_policy = var.skip_elastic_search_to_secret_manager_auth_policy || var.existing_secrets_manager_instance_crn == null ? 0 : 1
+ kms_service_name = local.kms_key_crn != null ? (
+ can(regex(".*kms.*", local.kms_key_crn)) ? "kms" : can(regex(".*hs-crypto.*", local.kms_key_crn)) ? "hs-crypto" : null
+ ) : null
elasticsearch_guid = local.use_existing_db_instance ? data.ibm_database.existing_db_instance[0].guid : module.elasticsearch[0].guid
}
@@ -287,10 +285,10 @@ locals {
admin_pass = var.admin_pass == null ? local.admin_password : var.admin_pass
admin_pass_secret = [{
- secret_group_name = var.prefix != null && var.admin_pass_sm_secret_group != null ? "${var.prefix}-${var.admin_pass_sm_secret_group}" : var.admin_pass_sm_secret_group
- existing_secret_group = var.use_existing_admin_pass_sm_secret_group
+ secret_group_name = var.prefix != null && var.admin_pass_secrets_manager_secret_group != null ? "${var.prefix}-${var.admin_pass_secrets_manager_secret_group}" : var.admin_pass_secrets_manager_secret_group
+ existing_secret_group = var.use_existing_admin_pass_secrets_manager_secret_group
secrets = [{
- secret_name = var.prefix != null && var.admin_pass_sm_secret_name != null ? "${var.prefix}-${var.admin_pass_sm_secret_name}" : var.admin_pass_sm_secret_name
+ secret_name = var.prefix != null && var.admin_pass_secrets_manager_secret_name != null ? "${var.prefix}-${var.admin_pass_secrets_manager_secret_name}" : var.admin_pass_secrets_manager_secret_name
secret_type = "arbitrary"
secret_payload_password = local.admin_pass
}
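Review bot: `kms_service_name` in the first hunk classifies the key CRN with an unanchored substring test, `can(regex(".*kms.*", local.kms_key_crn))`, so any CRN containing `kms` in some other segment is treated as Key Protect and the `hs-crypto` branch is only reached when no such substring exists, whereas the removed `parsed_kms_key_crn[4]` read the CRN's service-name field positionally. `kms_service_name = local.kms_key_crn != null ? split(":", local.kms_key_crn)[4] : null` keeps the new local's shape, drops the regex, and yields the same `"kms"`/`"hs-crypto"` values for well-formed CRNs (an unexpected service becomes its own name rather than null, which is easier to diagnose downstream). Separately, `var.use_ibm_owned_encryption_key` is gone from both `kms_key_crn` and `create_cross_account_auth_policy`, but the diffstat for solutions/standard/variables.tf accounts only for the renames shown, so if that variable is still declared it is now silently ignored and a consumer setting it to true still gets a key from `module.kms[0]` — unless a later patch in this series removes it. The `locals` block starts before this hunk, and `module.kms` and `local.elasticsearch_key_name` are defined outside it.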
@@ -305,9 +303,9 @@ locals {
# tflint-ignore: terraform_unused_declarations
validate_sm_crn = length(local.service_credential_secrets) > 0 && var.existing_secrets_manager_instance_crn == null ? tobool("`existing_secrets_manager_instance_crn` is required when adding service credentials to a secrets manager secret.") : false
# tflint-ignore: terraform_unused_declarations
- validate_sm_sg = var.existing_secrets_manager_instance_crn != null && var.admin_pass_sm_secret_group == null ? tobool("`admin_pass_sm_secret_group` is required when `existing_secrets_manager_instance_crn` is set.") : false
+ validate_sm_sg = var.existing_secrets_manager_instance_crn != null && var.admin_pass_secrets_manager_secret_group == null ? tobool("`admin_pass_secrets_manager_secret_group` is required when `existing_secrets_manager_instance_crn` is set.") : false
# tflint-ignore: terraform_unused_declarations
- validate_sm_sn = var.existing_secrets_manager_instance_crn != null && var.admin_pass_sm_secret_name == null ? tobool("`admin_pass_sm_secret_name` is required when `existing_secrets_manager_instance_crn` is set.") : false
+ validate_sm_sn = var.existing_secrets_manager_instance_crn != null && var.admin_pass_secrets_manager_secret_name == null ? tobool("`admin_pass_secrets_manager_secret_name` is required when `existing_secrets_manager_instance_crn` is set.") : false
}
module "secrets_manager_service_credentials" {
diff --git a/solutions/standard/outputs.tf b/solutions/standard/outputs.tf
index 62f1d12a..ccff0142 100644
--- a/solutions/standard/outputs.tf
+++ b/solutions/standard/outputs.tf
@@ -19,7 +19,7 @@ output "version" {
output "crn" {
description = "Elasticsearch instance crn"
- value = local.use_existing_db_instance ? var.existing_db_instance_crn : module.elasticsearch[0].crn
+ value = local.use_existing_db_instance ? var.existing_elastic_search_instance_crn : module.elasticsearch[0].crn
}
output "cbr_rule_ids" {
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index b169b2f0..81a61488 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -77,7 +77,7 @@ variable "plan" {
default = "platinum"
}
-variable "existing_db_instance_crn" {
+variable "existing_elastic_search_instance_crn" {
type = string
default = null
description = "The CRN of an existing Databases for Elasticsearch instance. If no value is specified, a new instance is created."
@@ -91,7 +91,7 @@ variable "enable_elser_model" {
variable "elser_model_type" {
type = string
- description = "Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html)"
+ description = "Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if 'plan' is set to 'platinum' and 'enable_elser_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html)"
default = ".elser_model_2_linux-x86_64"
validation {
condition = contains([".elser_model_1", ".elser_model_2", ".elser_model_2_linux-x86_64"], var.elser_model_type)
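Review bot: The new name `existing_elastic_search_instance_crn` in the first hunk, and `skip_elastic_search_to_secret_manager_auth_policy` in the next one, spell the product as two words, while every sibling identifier in this patch uses one (`elasticsearch_version`, `elasticsearch_key_ring_name`, `module.elasticsearch`, the `elasticsearch-secrets` default in the next hunk). The rename already changes this DA's input interface, so settling on `existing_elasticsearch_instance_crn` and `skip_elasticsearch_to_secrets_manager_auth_policy` in the same change avoids a second interface break later; the matching keys in ibm_catalog.json and the references in main.tf and outputs.tf would follow. The `validation` block of `elser_model_type` in the second hunk continues past the hunk end.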
@@ -315,25 +315,25 @@ variable "service_credential_secrets" {
}
}
-variable "skip_es_sm_auth_policy" {
+variable "skip_elastic_search_to_secret_manager_auth_policy" {
type = bool
default = false
description = "Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Databases for Elasticsearch. Set to `true` to use an existing policy."
}
-variable "admin_pass_sm_secret_group" {
+variable "admin_pass_secrets_manager_secret_group" {
type = string
description = "The name of a new or existing secrets manager secret group for admin password. To use existing secret group, `use_existing_admin_pass_sm_secret_group` must be set to `true`. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
default = "elasticsearch-secrets"
}
-variable "use_existing_admin_pass_sm_secret_group" {
+variable "use_existing_admin_pass_secrets_manager_secret_group" {
type = bool
description = "Whether to use an existing secrets manager secret group for admin password."
default = false
}
-variable "admin_pass_sm_secret_name" {
+variable "admin_pass_secrets_manager_secret_name" {
type = string
description = "The name of a new elasticsearch administrator secret. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
default = "elasticsearch-admin-password"
diff --git a/variables.tf b/variables.tf
index 7a6e3184..d1f2eb12 100644
--- a/variables.tf
+++ b/variables.tf
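Review bot: The description of `admin_pass_secrets_manager_secret_group` still tells consumers that `use_existing_admin_pass_sm_secret_group` must be set to `true`, which is the old name of the flag renamed two blocks further down to `use_existing_admin_pass_secrets_manager_secret_group`; the catalog form will therefore name an input that no longer exists. Replace the backticked name in that sentence with `use_existing_admin_pass_secrets_manager_secret_group` as part of the same rename. The last block, `admin_pass_secrets_manager_secret_name`, is not closed within the hunk.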
@@ -266,13 +266,13 @@ variable "backup_crn" {
variable "enable_elser_model" {
type = bool
- description = "Set it to true to install and start the Elastic's Natural Language Processing model. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch)"
+ description = "Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if 'plan' is set to 'platinum'. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch)"
default = false
}
variable "elser_model_type" {
type = string
- description = "Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html)"
+ description = "Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if 'plan' is set to 'platinum' and 'enable_elser_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html)"
default = ".elser_model_2_linux-x86_64"
validation {
condition = contains([".elser_model_1", ".elser_model_2", ".elser_model_2_linux-x86_64"], var.elser_model_type)
From 1339024c58b8ad0eded1502071df5b28365befeb Mon Sep 17 00:00:00 2001
From: "akocbek@ie.ibm.com"
Date: Mon, 30 Sep 2024 15:08:24 +0100
Subject: [PATCH 2/4] fix: small fixes around input DA variables
---
README.md | 4 ++--
examples/fscloud/variables.tf | 2 +-
modules/fscloud/README.md | 4 ++--
modules/fscloud/variables.tf | 4 ++--
solutions/standard/variables.tf | 2 +-
variables.tf | 4 ++--
6 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 26d6a5ac..43d40051 100644
--- a/README.md
+++ b/README.md
@@ -96,8 +96,8 @@ You need the following permissions to run this module.
| [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The CRN of a Hyper Protect Crypto Services use for encrypting the disk that holds deployment backups. There are limitation per region on the Hyper Protect Crypto Services and region for those services. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups | `string` | `null` | no |
| [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create. |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
}))
| `[]` | no |
| [elasticsearch\_version](#input\_elasticsearch\_version) | The version of Databases for Elasticsearch to deploy. Possible values: `8.7`, `8.10`, `8.12`, which requires an Enterprise Platinum pricing plan. If no value is specified, the current preferred version for IBM Cloud Databases is used. | `string` | `null` | no |
-| [elser\_model\_type](#input\_elser\_model\_type) | Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if 'plan' is set to 'platinum' and 'enable\_elser\_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html) | `string` | `".elser_model_2_linux-x86_64"` | no |
-| [enable\_elser\_model](#input\_enable\_elser\_model) | Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if 'plan' is set to 'platinum'. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch) | `bool` | `false` | no |
+| [elser\_model\_type](#input\_elser\_model\_type) | Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if also 'plan' is set to 'platinum' and 'enable\_elser\_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html) | `string` | `".elser_model_2_linux-x86_64"` | no |
+| [enable\_elser\_model](#input\_enable\_elser\_model) | Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if also 'plan' is set to 'platinum'.
[Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch) | `bool` | `false` | no |
| [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of a Hyper Protect Crypto Services or Key Protect instance for the CRN specified in `kms_key_crn` and `backup_encryption_key_crn`. Applies only if `kms_encryption_enabled` is true, `skip_iam_authorization_policy` is false, and you specify values for `kms_key_crn` or `backup_encryption_key_crn`. | `string` | `null` | no |
| [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Whether to specify the keys used to encrypt data in the database. Specify `true` to identify the encryption keys. If set to `false`, the data is encrypted with randomly generated keys. [Learn more about Key Protect integration](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect). [Learn more about HPCS integration](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs). | `bool` | `false` | no |
| [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of the Key Protect or Hyper Protect Crypto Services instance to use for disk encryption. Applies only if `kms_encryption_enabled` is true. | `string` | `null` | no |
diff --git a/examples/fscloud/variables.tf b/examples/fscloud/variables.tf
index adeace6b..0f212ecb 100644
--- a/examples/fscloud/variables.tf
+++ b/examples/fscloud/variables.tf
@@ -111,6 +111,6 @@ variable "backup_encryption_key_crn" {
variable "enable_elser_model" {
type = bool
- description = "Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if 'plan' is set to 'platinum'. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch)"
+ description = "Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if also 'plan' is set to 'platinum'. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch)"
default = false
}
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
index 1ad71b5d..6b93e703 100644
--- a/modules/fscloud/README.md
+++ b/modules/fscloud/README.md
@@ -37,8 +37,8 @@ No resources.
| [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The Hyper Protect Crypto Services (HPCS) or Key Protect root key CRN to use for encrypting the disk that holds deployment backups. There are region limitations for backup encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups (HPCS) and https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok (Key Protect). | `string` | `null` | no |
| [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create |
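Review bot: The reworded description `Applies only if also 'plan' is set to 'platinum'.` does not read as English — "if also" has nothing to attach to — and because the string is what the catalog form displays, the awkwardness is user-visible. `Applies only if 'plan' is also set to 'platinum'.` says what was presumably meant, and for `elser_model_type` the equivalent is `Applies only if 'plan' is also set to 'platinum' and 'enable_elser_model' is enabled.`. The same wording is written into the modules/fscloud/variables.tf and solutions/standard/variables.tf hunks of this patch and into the regenerated README tables, so all of them should change together.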
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
}))
| `[]` | no |
| [elasticsearch\_version](#input\_elasticsearch\_version) | Version of the Elasticsearch instance. If no value is passed, the current preferred version of IBM Cloud Databases is used. | `string` | `null` | no |
-| [elser\_model\_type](#input\_elser\_model\_type) | Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if 'plan' is set to 'platinum' and 'enable\_elser\_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html) | `string` | `".elser_model_2_linux-x86_64"` | no |
-| [enable\_elser\_model](#input\_enable\_elser\_model) | Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if 'plan' is set to 'platinum'. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch) | `bool` | `false` | no |
+| [elser\_model\_type](#input\_elser\_model\_type) | Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if also 'plan' is set to 'platinum' and 'enable\_elser\_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html) | `string` | `".elser_model_2_linux-x86_64"` | no |
+| [enable\_elser\_model](#input\_enable\_elser\_model) | Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if also 'plan' is set to 'platinum'. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch) | `bool` | `false` | no |
| [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services instance. It is only required while creating authorization policy.
| `string` | `null` | no |
| [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of the Hyper Protect Crypto Services (HPCS) to use for disk encryption. | `string` | n/a | yes |
| [member\_cpu\_count](#input\_member\_cpu\_count) | Allocated dedicated CPU per member. For shared CPU, set to 0. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-resources-scaling) | `number` | `0` | no |
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
index ba1d1594..a22244be 100644
--- a/modules/fscloud/variables.tf
+++ b/modules/fscloud/variables.tf
@@ -198,13 +198,13 @@ variable "backup_crn" {
 
 variable "enable_elser_model" {
 type = bool
- description = "Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if 'plan' is set to 'platinum'. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch)"
+ description = "Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if also 'plan' is set to 'platinum'. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch)"
 default = false
 }
 
 variable "elser_model_type" {
 type = string
- description = "Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if 'plan' is set to 'platinum' and 'enable_elser_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html)"
+ description = "Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if also 'plan' is set to 'platinum' and 'enable_elser_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html)"
 default = ".elser_model_2_linux-x86_64"
 validation {
 condition = contains([".elser_model_1", ".elser_model_2", ".elser_model_2_linux-x86_64"], var.elser_model_type)
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index 81a61488..58f143e7 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -91,7 +91,7 @@ variable "enable_elser_model" {
 
 variable "elser_model_type" {
 type = string
- description = "Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if 'plan' is set to 'platinum' and 'enable_elser_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html)"
+ description = "Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if also 'plan' is set to 'platinum' and 'enable_elser_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html)"
 default = ".elser_model_2_linux-x86_64"
 validation {
 condition = contains([".elser_model_1", ".elser_model_2", ".elser_model_2_linux-x86_64"], var.elser_model_type)
diff --git a/variables.tf b/variables.tf
index d1f2eb12..d32f0883 100644
--- a/variables.tf
+++ b/variables.tf
@@ -266,13 +266,13 @@ variable "backup_crn" {
 
 variable "enable_elser_model" {
 type = bool
- description = "Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if 'plan' is set to 'platinum'. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch)"
+ description = "Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if also 'plan' is set to 'platinum'. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch)"
 default = false
 }
 
 variable "elser_model_type" {
 type = string
- description = "Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if 'plan' is set to 'platinum' and 'enable_elser_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html)"
+ description = "Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if also 'plan' is set to 'platinum' and 'enable_elser_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html)"
 default = ".elser_model_2_linux-x86_64"
 validation {
 condition = contains([".elser_model_1", ".elser_model_2", ".elser_model_2_linux-x86_64"], var.elser_model_type)
From b644ffa161eec74e22913eb003cf73236e286d7b Mon Sep 17 00:00:00 2001
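Review bot: The updated descriptions say `enable_elser_model` and `elser_model_type` apply only when `plan` is `platinum`, but nothing in the hunk enforces that: `enable_elser_model = true` with any other plan is silently accepted, and the `validation` block for `elser_model_type` (which continues past the end of the hunk) only checks the model name. Assuming a `plan` variable exists in this file as the text implies, and if the module's required Terraform version permits cross-variable references in `validation` (1.9+), a block on `enable_elser_model` with `condition = !var.enable_elser_model || var.plan == "platinum"` and a matching `error_message` would turn the documented constraint into a plan-time error; otherwise a `precondition` on the resource that consumes these values does the same. On wording, "Applies only if also 'plan' is set to 'platinum'" reads awkwardly; `Applies only if 'plan' is also set to 'platinum'.` keeps the meaning. The same description text is repeated in `modules/fscloud/variables.tf` and `solutions/standard/variables.tf` in this patch, so whatever is chosen should be applied to all three.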
From: "akocbek@ie.ibm.com" Date: Thu, 3 Oct 2024 11:25:37 +0100 Subject: [PATCH 3/4] fix: small fixes around input DA variables --- ibm_catalog.json | 4 ++-- solutions/standard/main.tf | 22 +++++++++++----------- solutions/standard/outputs.tf | 16 ++++++++-------- solutions/standard/variables.tf | 4 ++-- 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index f07f1f82..b65bda39 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -178,7 +178,7 @@ "key": "name" }, { - "key": "existing_elastic_search_instance_crn" + "key": "existing_elasticsearch_instance_crn" }, { "key": "plan", @@ -280,7 +280,7 @@ "key": "existing_secrets_manager_endpoint_type" }, { - "key": "skip_elastic_search_to_secret_manager_auth_policy" + "key": "skip_elasticsearch_to_secret_manager_auth_policy" }, { "key": "service_credential_secrets" diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf index bd7f8042..eb0a49f1 100644 --- a/solutions/standard/main.tf +++ b/solutions/standard/main.tf 
@@ -11,18 +11,18 @@ locals {
 elasticsearch_key_ring_name = var.prefix != null ? "${var.prefix}-${var.elasticsearch_key_ring_name}" : var.elasticsearch_key_ring_name
- kms_key_crn = var.existing_elastic_search_instance_crn != null ? null : (var.existing_kms_key_crn != null ? var.existing_kms_key_crn : module.kms[0].keys[format("%s.%s", local.elasticsearch_key_ring_name, local.elasticsearch_key_name)].crn)
+ kms_key_crn = var.existing_elasticsearch_instance_crn != null ? null : (var.existing_kms_key_crn != null ? var.existing_kms_key_crn : module.kms[0].keys[format("%s.%s", local.elasticsearch_key_ring_name, local.elasticsearch_key_name)].crn)
- existing_db_instance_guid = var.existing_elastic_search_instance_crn != null ? element(split(":", var.existing_elastic_search_instance_crn), length(split(":", var.existing_elastic_search_instance_crn)) - 3) : null
- use_existing_db_instance = var.existing_elastic_search_instance_crn != null
+ existing_db_instance_guid = var.existing_elasticsearch_instance_crn != null ? element(split(":", var.existing_elasticsearch_instance_crn), length(split(":", var.existing_elasticsearch_instance_crn)) - 3) : null
+ use_existing_elasticsearch_instance = var.existing_elasticsearch_instance_crn != null
 create_cross_account_auth_policy = !var.skip_iam_authorization_policy && var.ibmcloud_kms_api_key != null
- create_sm_auth_policy = var.skip_elastic_search_to_secret_manager_auth_policy || var.existing_secrets_manager_instance_crn == null ? 0 : 1
+ create_sm_auth_policy = var.skip_elasticsearch_to_secret_manager_auth_policy || var.existing_secrets_manager_instance_crn == null ? 0 : 1
 kms_service_name = local.kms_key_crn != null ? (
 can(regex(".*kms.*", local.kms_key_crn)) ? "kms" : can(regex(".*hs-crypto.*", local.kms_key_crn)) ? "hs-crypto" : null
 ) : null
- elasticsearch_guid = local.use_existing_db_instance ? data.ibm_database.existing_db_instance[0].guid : module.elasticsearch[0].guid
+ elasticsearch_guid = local.use_existing_elasticsearch_instance ? data.ibm_database.existing_db_instance[0].guid : module.elasticsearch[0].guid
 }
 #######################################################################################################################
@@ -95,7 +95,7 @@ module "kms" {
 providers = {
 ibm = ibm.kms
 }
- count = var.existing_kms_key_crn != null || local.use_existing_db_instance || var.use_ibm_owned_encryption_key ? 0 : 1 # no need to create any KMS resources if passing an existing key or using IBM owned keys
+ count = var.existing_kms_key_crn != null || local.use_existing_elasticsearch_instance ? 0 : 1 # no need to create any KMS resources if passing an existing key
 source = "terraform-ibm-modules/kms-all-inclusive/ibm"
 version = "4.17.1"
 create_key_protect_instance = false
@@ -196,7 +196,7 @@ module "backup_kms" {
 #######################################################################################################################
 
 module "elasticsearch" {
- count = local.use_existing_db_instance ? 0 : 1
+ count = local.use_existing_elasticsearch_instance ? 0 : 1
 source = "../../modules/fscloud"
 depends_on = [time_sleep.wait_for_authorization_policy, time_sleep.wait_for_backup_kms_authorization_policy]
 resource_group_id = module.resource_group.resource_group_id
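Review bot: The new `count` for `module "kms"` (hunk `@@ -95,7 +95,7 @@`) drops `var.use_ibm_owned_encryption_key` from the guard, so a deployment that opts into IBM-owned encryption would still provision a customer key ring and root key it never uses; the trailing comment was trimmed to match, but nothing else in the hunk prevents KMS creation in that mode, and the rewritten `kms_key_crn` above likewise still dereferences `module.kms[0]` without checking that flag. PATCH 4/4 in this series appears to restore the term, so if this commit is meant to stand on its own (bisect, cherry-pick) keep it here too: `count = var.existing_kms_key_crn != null || local.use_existing_elasticsearch_instance || var.use_ibm_owned_encryption_key ? 0 : 1`. The `module "kms"` block continues past the end of the hunk.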
@@ -276,7 +276,7 @@ locals { service_credentials_ttl = secret.service_credentials_ttl service_credential_secret_description = secret.service_credential_secret_description service_credentials_source_service_role = secret.service_credentials_source_service_role - service_credentials_source_service_crn = local.use_existing_db_instance ? data.ibm_database.existing_db_instance[0].id : module.elasticsearch[0].crn + service_credentials_source_service_crn = local.use_existing_elasticsearch_instance ? data.ibm_database.existing_db_instance[0].id : module.elasticsearch[0].crn secret_type = "service_credentials" #checkov:skip=CKV_SECRET_6 } ] @@ -322,12 +322,12 @@ module "secrets_manager_service_credentials" { # this extra block is needed when passing in an existing ES instance - the database data block # requires a name and resource_id to retrieve the data data "ibm_resource_instance" "existing_instance_resource" { - count = local.use_existing_db_instance ? 1 : 0 + count = local.use_existing_elasticsearch_instance ? 1 : 0 identifier = local.existing_db_instance_guid } data "ibm_database" "existing_db_instance" { - count = local.use_existing_db_instance ? 1 : 0 + count = local.use_existing_elasticsearch_instance ? 1 : 0 name = data.ibm_resource_instance.existing_instance_resource[0].name resource_group_id = data.ibm_resource_instance.existing_instance_resource[0].resource_group_id location = var.region @@ -335,7 +335,7 @@ data "ibm_database" "existing_db_instance" { } data "ibm_database_connection" "existing_connection" { - count = local.use_existing_db_instance ? 1 : 0 + count = local.use_existing_elasticsearch_instance ? 1 : 0 endpoint_type = "private" deployment_id = data.ibm_database.existing_db_instance[0].id user_id = data.ibm_database.existing_db_instance[0].adminuser diff --git a/solutions/standard/outputs.tf b/solutions/standard/outputs.tf index ccff0142..570c58bc 100644 --- a/solutions/standard/outputs.tf +++ b/solutions/standard/outputs.tf 
@@ -4,7 +4,7 @@ output "id" { description = "Elasticsearch instance id" - value = local.use_existing_db_instance ? data.ibm_database.existing_db_instance[0].id : module.elasticsearch[0].id + value = local.use_existing_elasticsearch_instance ? data.ibm_database.existing_db_instance[0].id : module.elasticsearch[0].id } output "guid" { 
@@ -14,39 +14,39 @@ output "guid" { output "version" { description = "Elasticsearch instance version" - value = local.use_existing_db_instance ? data.ibm_database.existing_db_instance[0].version : module.elasticsearch[0].version + value = local.use_existing_elasticsearch_instance ? data.ibm_database.existing_db_instance[0].version : module.elasticsearch[0].version } output "crn" { description = "Elasticsearch instance crn" - value = local.use_existing_db_instance ? var.existing_elastic_search_instance_crn : module.elasticsearch[0].crn + value = local.use_existing_elasticsearch_instance ? var.existing_elasticsearch_instance_crn : module.elasticsearch[0].crn } output "cbr_rule_ids" { description = "CBR rule ids created to restrict Elasticsearch" - value = local.use_existing_db_instance ? null : module.elasticsearch[0].cbr_rule_ids + value = local.use_existing_elasticsearch_instance ? null : module.elasticsearch[0].cbr_rule_ids } output "service_credentials_json" { description = "Service credentials json map" - value = local.use_existing_db_instance ? null : module.elasticsearch[0].service_credentials_json + value = local.use_existing_elasticsearch_instance ? null : module.elasticsearch[0].service_credentials_json sensitive = true } output "service_credentials_object" { description = "Service credentials object" - value = local.use_existing_db_instance ? null : module.elasticsearch[0].service_credentials_object + value = local.use_existing_elasticsearch_instance ? null : module.elasticsearch[0].service_credentials_object sensitive = true } output "hostname" { description = "Elasticsearch instance hostname" - value = local.use_existing_db_instance ? data.ibm_database_connection.existing_connection[0].https[0].hosts[0].hostname : module.elasticsearch[0].hostname + value = local.use_existing_elasticsearch_instance ? 
data.ibm_database_connection.existing_connection[0].https[0].hosts[0].hostname : module.elasticsearch[0].hostname } output "port" { description = "Elasticsearch instance port" - value = local.use_existing_db_instance ? data.ibm_database_connection.existing_connection[0].https[0].hosts[0].port : module.elasticsearch[0].port + value = local.use_existing_elasticsearch_instance ? data.ibm_database_connection.existing_connection[0].https[0].hosts[0].port : module.elasticsearch[0].port } output "secrets_manager_secrets" { diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf index 58f143e7..89443ff5 100644 --- a/solutions/standard/variables.tf +++ b/solutions/standard/variables.tf @@ -77,7 +77,7 @@ variable "plan" { default = "platinum" } -variable "existing_elastic_search_instance_crn" { +variable "existing_elasticsearch_instance_crn" { type = string default = null description = "The CRN of an existing Databases for Elasticsearch instance. If no value is specified, a new instance is created." @@ -315,7 +315,7 @@ variable "service_credential_secrets" { } } -variable "skip_elastic_search_to_secret_manager_auth_policy" { +variable "skip_elasticsearch_to_secret_manager_auth_policy" { type = bool default = false description = "Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Databases for Elasticsearch. Set to `true` to use an existing policy." From 07dba5bf940ad32ed732dd129c81c9066be6f4f9 Mon Sep 17 00:00:00 2001 From: "akocbek@ie.ibm.com" Date: Mon, 9 Dec 2024 17:32:08 +0000 Subject: [PATCH 4/4] fix small issues --- README.md | 2 +- ibm_catalog.json | 8 +++++--- modules/fscloud/README.md | 4 ++-- solutions/standard/main.tf | 30 ++++++++++++++++-------------- solutions/standard/variables.tf | 2 +- 5 files changed, 25 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 43d40051..62943d93 100644 --- a/README.md +++ b/README.md 
@@ -95,7 +95,7 @@ You need the following permissions to run this module. | [backup\_crn](#input\_backup\_crn) | The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after both provisioning is complete and the new deployment that uses that data starts. Specify a backup CRN is in the format `crn:v1:<...>:backup:`. If not specified, the database is provisioned empty. | `string` | `null` | no | | [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The CRN of a Hyper Protect Crypto Services use for encrypting the disk that holds deployment backups. There are limitation per region on the Hyper Protect Crypto Services and region for those services. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups | `string` | `null` | no | | [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create. |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
}))
| `[]` | no | -| [elasticsearch\_version](#input\_elasticsearch\_version) | The version of Databases for Elasticsearch to deploy. Possible values: `8.7`, `8.10`, `8.12`, which requires an Enterprise Platinum pricing plan. If no value is specified, the current preferred version for IBM Cloud Databases is used. | `string` | `null` | no | +| [elasticsearch\_version](#input\_elasticsearch\_version) | The version of Databases for Elasticsearch to deploy. Possible values: `8.7`, `8.10`, `8.12`, `8.15` which requires an Enterprise Platinum pricing plan. If no value is specified, the current preferred version for IBM Cloud Databases is used. | `string` | `null` | no | | [elser\_model\_type](#input\_elser\_model\_type) | Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if also 'plan' is set to 'platinum' and 'enable\_elser\_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html) | `string` | `".elser_model_2_linux-x86_64"` | no | | [enable\_elser\_model](#input\_enable\_elser\_model) | Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if also 'plan' is set to 'platinum'. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch) | `bool` | `false` | no | | [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of a Hyper Protect Crypto Services or Key Protect instance for the CRN specified in `kms_key_crn` and `backup_encryption_key_crn`. Applies only if `kms_encryption_enabled` is true, `skip_iam_authorization_policy` is false, and you specify values for `kms_key_crn` or `backup_encryption_key_crn`. | `string` | `null` | no | diff --git a/ibm_catalog.json b/ibm_catalog.json index b65bda39..7061f67e 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json 
@@ -111,10 +111,12 @@
 ]
 },
 {
- "key": "use_existing_resource_group"
+ "key": "use_existing_resource_group",
+ "required": true
 },
 {
- "key": "resource_group_name"
+ "key": "resource_group_name",
+ "required": true
 },
 {
 "key": "prefix"
@@ -280,7 +282,7 @@
 "key": "existing_secrets_manager_endpoint_type"
 },
 {
- "key": "skip_elasticsearch_to_secret_manager_auth_policy"
+ "key": "skip_elasticsearch_to_secrets_manager_auth_policy"
 },
 {
 "key": "service_credential_secrets"
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
index 6b93e703..19010c92 100644
--- a/modules/fscloud/README.md
+++ b/modules/fscloud/README.md
@@ -39,8 +39,8 @@ No resources. | [elasticsearch\_version](#input\_elasticsearch\_version) | Version of the Elasticsearch instance. If no value is passed, the current preferred version of IBM Cloud Databases is used. | `string` | `null` | no | | [elser\_model\_type](#input\_elser\_model\_type) | Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. Applies only if also 'plan' is set to 'platinum' and 'enable\_elser\_model' is enabled. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html) | `string` | `".elser_model_2_linux-x86_64"` | no | | [enable\_elser\_model](#input\_enable\_elser\_model) | Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if also 'plan' is set to 'platinum'. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch) | `bool` | `false` | no | -| [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services instance. It is only required while creating authorization policy. | `string` | `null` | no | -| [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of the Hyper Protect Crypto Services (HPCS) to use for disk encryption. | `string` | n/a | yes | +| [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services (HPCS) or Key Protect instance. | `string` | `null` | no | +| [kms\_key\_crn](#input\_kms\_key\_crn) | The Hyper Protect Crypto Services (HPCS) or Key Protect root key CRN to use for disk encryption. | `string` | `null` | no | | [member\_cpu\_count](#input\_member\_cpu\_count) | Allocated dedicated CPU per member. For shared CPU, set to 0. 
[Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-resources-scaling) | `number` | `0` | no | | [member\_disk\_mb](#input\_member\_disk\_mb) | Allocated disk per-member. [Learn more}(https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-resources-scaling) | `number` | `5120` | no | | [member\_host\_flavor](#input\_member\_host\_flavor) | Allocated host flavor per member. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database#host_flavor). | `string` | `null` | no | diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf index eb0a49f1..e59400a5 100644 --- a/solutions/standard/main.tf +++ b/solutions/standard/main.tf 
@@ -11,16 +11,18 @@ locals {
 elasticsearch_key_ring_name = var.prefix != null ? "${var.prefix}-${var.elasticsearch_key_ring_name}" : var.elasticsearch_key_ring_name
- kms_key_crn = var.existing_elasticsearch_instance_crn != null ? null : (var.existing_kms_key_crn != null ? var.existing_kms_key_crn : module.kms[0].keys[format("%s.%s", local.elasticsearch_key_ring_name, local.elasticsearch_key_name)].crn)
+ existing_elasticsearch_instance_guid = var.existing_elasticsearch_instance_crn != null ? element(split(":", var.existing_elasticsearch_instance_crn), length(split(":", var.existing_elasticsearch_instance_crn)) - 3) : null
+ use_existing_elasticsearch_instance = var.existing_elasticsearch_instance_crn != null
- existing_db_instance_guid = var.existing_elasticsearch_instance_crn != null ? element(split(":", var.existing_elasticsearch_instance_crn), length(split(":", var.existing_elasticsearch_instance_crn)) - 3) : null
- use_existing_elasticsearch_instance = var.existing_elasticsearch_instance_crn != null
+ create_cross_account_auth_policy = !var.skip_iam_authorization_policy && var.ibmcloud_kms_api_key != null && !var.use_ibm_owned_encryption_key
+ create_sm_auth_policy = var.skip_elasticsearch_to_secrets_manager_auth_policy || var.existing_secrets_manager_instance_crn == null ? 0 : 1
- create_cross_account_auth_policy = !var.skip_iam_authorization_policy && var.ibmcloud_kms_api_key != null
- create_sm_auth_policy = var.skip_elasticsearch_to_secret_manager_auth_policy || var.existing_secrets_manager_instance_crn == null ? 0 : 1
- kms_service_name = local.kms_key_crn != null ? (
- can(regex(".*kms.*", local.kms_key_crn)) ? "kms" : can(regex(".*hs-crypto.*", local.kms_key_crn)) ? "hs-crypto" : null
- ) : null
+ kms_key_crn = var.existing_elasticsearch_instance_crn != null ? null : !var.use_ibm_owned_encryption_key ? var.existing_kms_key_crn != null ? var.existing_kms_key_crn : module.kms[0].keys[format("%s.%s", local.elasticsearch_key_ring_name, local.elasticsearch_key_name)].crn : null
+ parsed_kms_key_crn = local.kms_key_crn != null ? split(":", local.kms_key_crn) : []
+ kms_service = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null
+ kms_scope = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null
+ kms_account_id = length(local.parsed_kms_key_crn) > 0 ? split("/", local.kms_scope)[1] : null
+ kms_key_id = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[9] : null
 elasticsearch_guid = local.use_existing_elasticsearch_instance ? data.ibm_database.existing_db_instance[0].guid : module.elasticsearch[0].guid
 }
@@ -95,7 +97,7 @@ module "kms" {
 providers = {
 ibm = ibm.kms
 }
- count = var.existing_kms_key_crn != null || local.use_existing_elasticsearch_instance ? 0 : 1 # no need to create any KMS resources if passing an existing key
+ count = var.existing_kms_key_crn != null || local.use_existing_elasticsearch_instance || var.use_ibm_owned_encryption_key ? 0 : 1 # no need to create any KMS resources if passing an existing key or using IBM owned keys
 source = "terraform-ibm-modules/kms-all-inclusive/ibm"
 version = "4.17.1"
 create_key_protect_instance = false
@@ -323,7 +325,7 @@ module "secrets_manager_service_credentials" {
 # requires a name and resource_id to retrieve the data
 data "ibm_resource_instance" "existing_instance_resource" {
 count = local.use_existing_elasticsearch_instance ? 1 : 0
- identifier = local.existing_db_instance_guid
+ identifier = local.existing_elasticsearch_instance_guid
 }
 
 data "ibm_database" "existing_db_instance" {
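Review bot: The new CRN parsing in `locals` (hunk `@@ -11,16 +11,18 @@`) reads fixed segments `[4]`, `[6]`, `[9]` and then `split("/", local.kms_scope)[1]` guarded only by `length(...) > 0`, so a user-supplied `existing_kms_key_crn` with fewer segments or a scope that is not `a/<account>` fails with an index error inside `main.tf` instead of a message naming the input; since `kms_account_id` is presumably what the cross-account authorization policy is scoped to (outside this hunk), the scope segment in particular deserves an explicit check. A `validation` block on `existing_kms_key_crn` (in variables.tf, not in this hunk) such as `condition = var.existing_kms_key_crn == null || (length(split(":", var.existing_kms_key_crn)) == 10 && can(regex("^a/", split(":", var.existing_kms_key_crn)[6])))` with an `error_message` describing the expected `crn:v1:...:key:<id>` shape would fail fast at plan time. Separately, the rewritten `kms_key_crn` nests two conditionals without parentheses; HCL appears to resolve it as intended, but `... : (!var.use_ibm_owned_encryption_key ? (var.existing_kms_key_crn != null ? var.existing_kms_key_crn : module.kms[0].keys[...].crn) : null)` removes the need to reason about associativity. The enclosing `locals` block starts before this hunk.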
@@ -352,10 +354,10 @@ locals {
 code_engine_project_name = local.code_engine_project_id != null ? null : var.prefix != null ? "${var.prefix}-code-engine-kibana-project" : "ce-kibana-project"
 code_engine_app_name = var.prefix != null ? "${var.prefix}-kibana-app" : "ce-kibana-app"
 
- es_host = local.use_existing_db_instance ? data.ibm_database_connection.existing_connection[0].https[0].hosts[0].hostname : module.elasticsearch[0].hostname
- es_port = local.use_existing_db_instance ? data.ibm_database_connection.existing_connection[0].https[0].hosts[0].port : module.elasticsearch[0].port
- es_cert = local.use_existing_db_instance ? data.ibm_database_connection.existing_connection[0].https[0].certificate[0].certificate_base64 : module.elasticsearch[0].certificate_base64
- es_username = local.use_existing_db_instance ? data.ibm_database.existing_db_instance[0].adminuser : "admin"
+ es_host = local.use_existing_elasticsearch_instance ? data.ibm_database_connection.existing_connection[0].https[0].hosts[0].hostname : module.elasticsearch[0].hostname
+ es_port = local.use_existing_elasticsearch_instance ? data.ibm_database_connection.existing_connection[0].https[0].hosts[0].port : module.elasticsearch[0].port
+ es_cert = local.use_existing_elasticsearch_instance ? data.ibm_database_connection.existing_connection[0].https[0].certificate[0].certificate_base64 : module.elasticsearch[0].certificate_base64
+ es_username = local.use_existing_elasticsearch_instance ? data.ibm_database.existing_db_instance[0].adminuser : "admin"
 es_password = local.admin_pass
 es_data = var.enable_kibana_dashboard ? jsondecode(data.http.es_metadata[0].response_body) : null
 es_full_version = var.enable_kibana_dashboard ? (var.elasticsearch_full_version != null ? var.elasticsearch_full_version : local.es_data.version.number) : null
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index 89443ff5..8c454f66 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -315,7 +315,7 @@ variable "service_credential_secrets" {
 }
 }
 
-variable "skip_elasticsearch_to_secret_manager_auth_policy" {
+variable "skip_elasticsearch_to_secrets_manager_auth_policy" {
 type = bool
 default = false
 description = "Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Databases for Elasticsearch. Set to `true` to use an existing policy."