terraform-ibm-modules · jor2 · Dec 6, 2024 · Dec 6, 2024 · Dec 6, 2024 · Dec 6, 2024
@@ -114,6 +114,7 @@ You need the following permissions to run this module.
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The type of endpoint of the database instance. Possible values: `public`, `private`, `public-and-private`. | `string` | `"public"` | no |
 | <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Whether to create an IAM authorization policy that permits all Databases for Elasticsearch instances in the resource group to read the encryption key from the Hyper Protect Crypto Services instance specified in the `existing_kms_instance_guid` variable. If set to `false`, specify a value for the KMS instance in the `existing_kms_instance_guid` variable. No policy is created if `kms_encryption_enabled` is false. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | The list of tags to be added to the Databases for Elasticsearch instance. | `list(string)` | `[]` | no |
+| <a name="input_use_custom_backup_encryption_key"></a> [use\_custom\_backup\_encryption\_key](#input\_use\_custom\_backup\_encryption\_key) | Whether to use a custom IBM Cloud Databases generated key for backup encryption. | `bool` | `false` | no |
 | <a name="input_use_default_backup_encryption_key"></a> [use\_default\_backup\_encryption\_key](#input\_use\_default\_backup\_encryption\_key) | Whether to use the IBM Cloud Databases generated keys for backup encryption. | `bool` | `false` | no |
 | <a name="input_users"></a> [users](#input\_users) | The list of users that have access to the database. Multiple blocks are allowed. The user password must be 10-32 characters. In most cases, you can use IAM service credentials (by specifying `service_credential_names`) to control access to the database instance. This block creates native database users. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-user-management&interface=ui). | <pre>list(object({<br/>    name     = string<br/>    password = string # pragma: allowlist secret<br/>    type     = optional(string)<br/>    role     = optional(string)<br/>  }))</pre> | `[]` | no |
 

@@ -34,6 +34,10 @@ module "key_protect_all_inclusive" {
         {
           key_name     = "${var.prefix}-elasticsearch"
           force_delete = true
+        },
+        {
+          key_name     = "backup-${var.prefix}-elasticsearch"
+          force_delete = true
         }
       ]
     }
@@ -45,23 +49,25 @@ module "key_protect_all_inclusive" {
 ##############################################################################
 
 module "icd_elasticsearch" {
-  source                     = "../../"
-  resource_group_id          = module.resource_group.resource_group_id
-  name                       = "${var.prefix}-elasticsearch"
-  region                     = var.region
-  plan                       = var.plan
-  kms_encryption_enabled     = true
-  access_tags                = var.access_tags
-  admin_pass                 = var.admin_pass
-  users                      = var.users
-  existing_kms_instance_guid = module.key_protect_all_inclusive.kms_guid
-  service_credential_names   = var.service_credential_names
-  elasticsearch_version      = var.elasticsearch_version
-  kms_key_crn                = module.key_protect_all_inclusive.keys["icd.${var.prefix}-elasticsearch"].crn
-  tags                       = var.resource_tags
-  auto_scaling               = var.auto_scaling
-  member_host_flavor         = "multitenant"
-  member_memory_mb           = 4096
+  source                           = "../../"
+  resource_group_id                = module.resource_group.resource_group_id
+  name                             = "${var.prefix}-elasticsearch"
+  region                           = var.region
+  plan                             = var.plan
+  kms_encryption_enabled           = true
+  access_tags                      = var.access_tags
+  admin_pass                       = var.admin_pass
+  users                            = var.users
+  existing_kms_instance_guid       = module.key_protect_all_inclusive.kms_guid
+  service_credential_names         = var.service_credential_names
+  elasticsearch_version            = var.elasticsearch_version
+  kms_key_crn                      = module.key_protect_all_inclusive.keys["icd.${var.prefix}-elasticsearch"].crn
+  backup_encryption_key_crn        = module.key_protect_all_inclusive.keys["icd.backup-${var.prefix}-elasticsearch"].crn
+  use_custom_backup_encryption_key = true
+  tags                             = var.resource_tags
+  auto_scaling                     = var.auto_scaling
+  member_host_flavor               = "multitenant"
+  member_memory_mb                 = 4096
 }
 
 

@@ -49,26 +49,57 @@ module "cbr_zone" {
   }]
 }
 
+##############################################################################
+# Key Protect All Inclusive
+##############################################################################
+
+module "key_protect_all_inclusive" {
+  source            = "terraform-ibm-modules/kms-all-inclusive/ibm"
+  version           = "4.17.1"
+  resource_group_id = module.resource_group.resource_group_id
+  # Only us-south, eu-de backup encryption keys are supported. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok for details.
+  # Note: Database instance and Key Protect must be created on the same region.
+  region                    = var.region
+  key_protect_instance_name = "${var.prefix}-kp"
+  resource_tags             = var.resource_tags
+  keys = [
+    {
+      key_ring_name = "icd"
+      keys = [
+        {
+          key_name     = "${var.prefix}-elasticsearch"
+          force_delete = true
+        },
+        {
+          key_name     = "backup-${var.prefix}-elasticsearch"
+          force_delete = true
+        }
+      ]
+    }
+  ]
+}
+
 ##############################################################################
 # ICD elasticsearch database
 ##############################################################################
 
 module "elasticsearch" {
-  source                     = "../../modules/fscloud"
-  resource_group_id          = module.resource_group.resource_group_id
-  name                       = "${var.prefix}-elasticsearch"
-  region                     = var.region
-  tags                       = var.resource_tags
-  access_tags                = var.access_tags
-  kms_key_crn                = var.kms_key_crn
-  existing_kms_instance_guid = var.existing_kms_instance_guid
-  elasticsearch_version      = var.elasticsearch_version
-  service_credential_names   = var.service_credential_names
-  auto_scaling               = var.auto_scaling
-  member_host_flavor         = "b3c.4x16.encrypted"
-  backup_encryption_key_crn  = var.backup_encryption_key_crn
-  backup_crn                 = var.backup_crn
-  enable_elser_model         = var.enable_elser_model
+  source                           = "../../modules/fscloud"
+  resource_group_id                = module.resource_group.resource_group_id
+  name                             = "${var.prefix}-elasticsearch"
+  region                           = var.region
+  tags                             = var.resource_tags
+  access_tags                      = var.access_tags
+  existing_kms_instance_guid       = module.key_protect_all_inclusive.kms_guid
+  kms_key_crn                      = module.key_protect_all_inclusive.keys["icd.${var.prefix}-elasticsearch"].crn
+  backup_encryption_key_crn        = module.key_protect_all_inclusive.keys["icd.backup-${var.prefix}-elasticsearch"].crn
+  use_custom_backup_encryption_key = true
+  elasticsearch_version            = var.elasticsearch_version
+  service_credential_names         = var.service_credential_names
+  auto_scaling                     = var.auto_scaling
+  member_host_flavor               = "b3c.4x16.encrypted"
+  backup_crn                       = var.backup_crn
+  enable_elser_model               = var.enable_elser_model
   cbr_rules = [
     {
       description      = "${var.prefix}-elasticsearch access only from vpc"

@@ -34,20 +34,9 @@ variable "access_tags" {
   default     = []
 }
 
-variable "existing_kms_instance_guid" {
-  description = "The GUID of the Hyper Protect Crypto services in which the key specified in var.kms_key_crn is coming from"
-  type        = string
-}
-
-variable "kms_key_crn" {
-  type        = string
-  description = "The root key CRN of a Hyper Protect Crypto Services (HPCS) that you want to use for disk encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs&interface=ui for more information on integrating HPCS with Elasticsearch instance."
-}
-
 variable "elasticsearch_version" {
   type        = string
   description = "Version of the Elasticsearch instance. If no value is passed, the current preferred version of IBM Cloud Databases is used."
-  default     = null
 }
 
 variable "service_credential_names" {
@@ -102,13 +91,6 @@ variable "backup_crn" {
   default     = null
 }
 
-variable "backup_encryption_key_crn" {
-  type        = string
-  description = "The CRN of a Hyper Protect Crypto Services use for encrypting the disk that holds deployment backups. There are limitation per region on the Hyper Protect Crypto Services and region for those services. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups"
-  default     = null
-  # Validation happens in the root module
-}
-
 variable "enable_elser_model" {
   type        = bool
   description = "Set it to true to install and start the Elastic's Natural Language Processing model. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch)"

@@ -291,6 +291,9 @@
                 {
                   "key": "existing_backup_kms_instance_crn"
                 },
+                {
+                  "key": "use_custom_backup_encryption_key"
+                },
                 {
                   "key": "enable_elser_model"
                 },

@@ -7,7 +7,13 @@ locals {
   # tflint-ignore: terraform_unused_declarations
   validate_auth_policy = var.kms_encryption_enabled && var.skip_iam_authorization_policy == false && var.existing_kms_instance_guid == null ? tobool("When var.skip_iam_authorization_policy is set to false, and var.kms_encryption_enabled to true, a value must be passed for var.existing_kms_instance_guid in order to create the auth policy.") : true
   # tflint-ignore: terraform_unused_declarations
-  validate_backup_key = var.backup_encryption_key_crn != null && var.use_default_backup_encryption_key == true ? tobool("When passing a value for 'backup_encryption_key_crn' you cannot set 'use_default_backup_encryption_key' to 'true'") : true
+  validate_backup_key_default = var.backup_encryption_key_crn != null && var.use_default_backup_encryption_key == true ? tobool("When passing a value for 'backup_encryption_key_crn' you cannot set 'use_default_backup_encryption_key' to 'true'") : true
+  # tflint-ignore: terraform_unused_declarations
+  validate_backup_key_custom = var.backup_encryption_key_crn == null && var.use_custom_backup_encryption_key == true ? tobool("When setting 'use_custom_backup_encryption_key' to 'true' you must also pass a value for 'backup_encryption_key_crn'") : true
+  # tflint-ignore: terraform_unused_declarations
+  validate_backup_key_custom_flag = var.backup_encryption_key_crn != null && var.use_custom_backup_encryption_key == false ? tobool("When passing a value for 'backup_encryption_key_crn', 'use_custom_backup_encryption_key' must also be set to 'true'") : true
+  # tflint-ignore: terraform_unused_declarations
+  validate_backup_key_custom_or_default = var.use_default_backup_encryption_key == true && var.use_custom_backup_encryption_key == true ? tobool("You cannot set 'use_default_backup_encryption_key' and 'use_custom_backup_encryption_key' simultaneously. You must choose one or the other.") : true
   # tflint-ignore: terraform_unused_declarations
   validate_plan = var.enable_elser_model && var.plan != "platinum" ? tobool("When var.enable_elser_model is set to true, a value for var.plan must be 'platinum' in order to enable ELSER model.") : true
   # tflint-ignore: terraform_unused_declarations
@@ -21,7 +27,7 @@ locals {
   parsed_backup_encryption_key_crn = local.backup_encryption_key_crn != null ? split(":", local.backup_encryption_key_crn) : []
   backup_kms_key_id                = length(local.parsed_backup_encryption_key_crn) > 0 ? local.parsed_backup_encryption_key_crn[9] : null
 
-  create_backup_kms_policy = local.create_kp_auth_policy == 1 && local.backup_encryption_key_crn != null && var.backup_encryption_key_crn != null
+  create_backup_kms_policy = local.create_kp_auth_policy == 1 && var.use_custom_backup_encryption_key
 
   # Determine if auto scaling is enabled
   auto_scaling_enabled = var.auto_scaling == null ? [] : [1]
@@ -125,6 +131,7 @@ resource "ibm_iam_authorization_policy" "backup_kms_policy" {
 
 # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
 resource "time_sleep" "wait_for_backup_kms_authorization_policy" {
+  count           = local.create_backup_kms_policy ? 1 : 0
   depends_on      = [ibm_iam_authorization_policy.backup_kms_policy]
   create_duration = "30s"
 }

@@ -53,6 +53,7 @@ No resources.
 | <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | Map of name, role for service credentials that you want to create for the database | `map(string)` | `{}` | no |
 | <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all ElasticSearch database instances in the resource group to read the encryption key from the Hyper Protect Crypto Services or Key Protect instance. The instance is passed in through the var.existing\_kms\_instance\_guid variable. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Optional list of tags to be added to the Elasticsearch instance. | `list(any)` | `[]` | no |
+| <a name="input_use_custom_backup_encryption_key"></a> [use\_custom\_backup\_encryption\_key](#input\_use\_custom\_backup\_encryption\_key) | Whether to use a custom IBM Cloud Databases generated key for backup encryption. | `bool` | `false` | no |
 | <a name="input_use_ibm_owned_encryption_key"></a> [use\_ibm\_owned\_encryption\_key](#input\_use\_ibm\_owned\_encryption\_key) | Set to true to use the default IBM Cloud® Databases randomly generated keys for disk and backups encryption. To control the encryption keys, use the `kms_key_crn` and `backup_encryption_key_crn` inputs. | `bool` | `false` | no |
 | <a name="input_users"></a> [users](#input\_users) | A list of users that you want to create on the database. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service\_credential\_names) is sufficient to control access to the Elasticsearch instance. This blocks creates native Elasticsearch database users, more info on that can be found here https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-user-management&interface=ui | <pre>list(object({<br/>    name     = string<br/>    password = string # pragma: allowlist secret<br/>    type     = optional(string)<br/>    role     = optional(string)<br/>  }))</pre> | `[]` | no |
 

@@ -6,31 +6,32 @@ locals {
 }
 
 module "elasticsearch" {
-  source                        = "../../"
-  resource_group_id             = var.resource_group_id
-  name                          = var.name
-  region                        = var.region
-  skip_iam_authorization_policy = var.skip_iam_authorization_policy
-  service_endpoints             = "private"
-  elasticsearch_version         = var.elasticsearch_version
-  kms_encryption_enabled        = !var.use_ibm_owned_encryption_key
-  existing_kms_instance_guid    = var.existing_kms_instance_guid
-  kms_key_crn                   = var.kms_key_crn
-  backup_crn                    = var.backup_crn
-  backup_encryption_key_crn     = var.backup_encryption_key_crn
-  cbr_rules                     = var.cbr_rules
-  access_tags                   = var.access_tags
-  tags                          = var.tags
-  plan                          = var.plan
-  members                       = var.members
-  member_memory_mb              = var.member_memory_mb
-  admin_pass                    = var.admin_pass
-  users                         = var.users
-  member_disk_mb                = var.member_disk_mb
-  member_cpu_count              = var.member_cpu_count
-  member_host_flavor            = var.member_host_flavor
-  auto_scaling                  = var.auto_scaling
-  service_credential_names      = var.service_credential_names
-  enable_elser_model            = var.enable_elser_model
-  elser_model_type              = var.elser_model_type
+  source                           = "../../"
+  resource_group_id                = var.resource_group_id
+  name                             = var.name
+  region                           = var.region
+  skip_iam_authorization_policy    = var.skip_iam_authorization_policy
+  service_endpoints                = "private"
+  elasticsearch_version            = var.elasticsearch_version
+  kms_encryption_enabled           = !var.use_ibm_owned_encryption_key
+  existing_kms_instance_guid       = var.existing_kms_instance_guid
+  kms_key_crn                      = var.kms_key_crn
+  backup_crn                       = var.backup_crn
+  backup_encryption_key_crn        = var.backup_encryption_key_crn
+  use_custom_backup_encryption_key = var.use_custom_backup_encryption_key
+  cbr_rules                        = var.cbr_rules
+  access_tags                      = var.access_tags
+  tags                             = var.tags
+  plan                             = var.plan
+  members                          = var.members
+  member_memory_mb                 = var.member_memory_mb
+  admin_pass                       = var.admin_pass
+  users                            = var.users
+  member_disk_mb                   = var.member_disk_mb
+  member_cpu_count                 = var.member_cpu_count
+  member_host_flavor               = var.member_host_flavor
+  auto_scaling                     = var.auto_scaling
+  service_credential_names         = var.service_credential_names
+  enable_elser_model               = var.enable_elser_model
+  elser_model_type                 = var.elser_model_type
 }
@@ -148,6 +148,12 @@ variable "kms_key_crn" {
   default     = null
 }
 
+variable "use_custom_backup_encryption_key" {
+  type        = bool
+  description = "Whether to use a custom IBM Cloud Databases generated key for backup encryption."
+  default     = false
+}
+
 variable "backup_encryption_key_crn" {
   type        = string
   description = "The Hyper Protect Crypto Services (HPCS) or Key Protect root key CRN to use for encrypting the disk that holds deployment backups. There are region limitations for backup encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups (HPCS) and https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok (Key Protect)."
-Original file line number
+Diff line change
@@ Expand Up / @@ -291,6 +291,9 @@ @@
                     {
                       "key": "existing_backup_kms_instance_crn"
                     },
+                    {
+                      "key": "use_custom_backup_encryption_key"
+                    },
                     {
                       "key": "enable_elser_model"
                     },
@@ Expand Down @@