From ae7fc5e1ac66a4b94ac08003368388d6fe4de2fb Mon Sep 17 00:00:00 2001
From: shemau
Date: Wed, 10 Sep 2025 10:32:09 +0100
Subject: [PATCH 1/4] fix: use code editor in IBM catalog for maps/objects
---
README.md | 2 +-
ibm_catalog.json | 14 ++++++++++++--
modules/fscloud/README.md | 2 +-
modules/fscloud/variables.tf | 2 +-
scripts/put_vectordb_model.sh | 6 +++---
scripts/start_vectordb_model.sh | 2 +-
solutions/fully-configurable/main.tf | 2 +-
variables.tf | 2 +-
8 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index df0fff9d..31fccbcd 100644
--- a/README.md
+++ b/README.md 
@@ -118,7 +118,7 @@ You need the following permissions to run this module. | [timeouts\_update](#input\_timeouts\_update) | A database update may require a longer timeout for the update to complete. The default is 120 minutes. Set this variable to change the `update` value in the `timeouts` block. [Learn more](https://developer.hashicorp.com/terraform/language/resources/syntax#operation-timeouts). | `string` | `"120m"` | no | | [use\_default\_backup\_encryption\_key](#input\_use\_default\_backup\_encryption\_key) | When `use_ibm_owned_encryption_key` is set to false, backups will be encrypted with either the key specified in `kms_key_crn`, or in `backup_encryption_key_crn` if a value is passed. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. Alternatively set `use_ibm_owned_encryption_key` to true to use the default encryption for both backups and deployment data. | `bool` | `false` | no | | [use\_ibm\_owned\_encryption\_key](#input\_use\_ibm\_owned\_encryption\_key) | IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for the `kms_key_crn` input. | `bool` | `true` | no | -| [use\_same\_kms\_key\_for\_backups](#input\_use\_same\_kms\_key\_for\_backups) | Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the `backup_encryption_key_crn` input. Alternatiely set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Applies only if `use_ibm_owned_encryption_key` is false. Bare in mind that backups encryption is only available in certain regions. 
See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `bool` | `true` | no | +| [use\_same\_kms\_key\_for\_backups](#input\_use\_same\_kms\_key\_for\_backups) | Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the `backup_encryption_key_crn` input. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Applies only if `use_ibm_owned_encryption_key` is false. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `bool` | `true` | no | | [users](#input\_users) | A list of users that you want to create on the database. Multiple blocks are allowed. The user password must be 10-32 characters. In most cases, you can use IAM service credentials (by specifying `service_credential_names`) to control access to the database instance. This block creates native database users. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-user-management&interface=ui). |
list(object({
name = string
password = string # pragma: allowlist secret
type = optional(string)
role = optional(string)
}))
| `[]` | no | | [version\_upgrade\_skip\_backup](#input\_version\_upgrade\_skip\_backup) | Whether to skip taking a backup before upgrading the database version. Attention: Skipping a backup is not recommended. Skipping a backup before a version upgrade is dangerous and may result in data loss if the upgrade fails at any stage — there will be no immediate backup to restore from. | `bool` | `false` | no | diff --git a/ibm_catalog.json b/ibm_catalog.json index 91548463..a639bc6b 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -302,7 +302,12 @@ "key": "version_upgrade_skip_backup" }, { - "key": "service_credential_names" + "key": "service_credential_names", + "custom_config": { + "type": "code_editor", + "grouping": "deployment", + "original_grouping": "deployment" + } }, { "key": "service_credential_secrets", @@ -702,7 +707,12 @@ "key": "timeouts_update" }, { - "key": "service_credential_names" + "key": "service_credential_names", + "custom_config": { + "type": "code_editor", + "grouping": "deployment", + "original_grouping": "deployment" + } }, { "key": "service_credential_secrets", diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md index b224d684..50bd4cd3 100644 --- a/modules/fscloud/README.md +++ b/modules/fscloud/README.md 
@@ -56,7 +56,7 @@ No resources. | [timeouts\_update](#input\_timeouts\_update) | A database update may require a longer timeout for the update to complete. The default is 120 minutes. Set this variable to change the `update` value in the `timeouts` block. [Learn more](https://developer.hashicorp.com/terraform/language/resources/syntax#operation-timeouts). | `string` | `"120m"` | no | | [use\_default\_backup\_encryption\_key](#input\_use\_default\_backup\_encryption\_key) | When `use_ibm_owned_encryption_key` is set to false, backups will be encrypted with either the key specified in `kms_key_crn`, or in `backup_encryption_key_crn` if a value is passed. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. Alternatively set `use_ibm_owned_encryption_key` to true to use the default encryption for both backups and deployment data. | `bool` | `false` | no | | [use\_ibm\_owned\_encryption\_key](#input\_use\_ibm\_owned\_encryption\_key) | Set to true to use the default IBM Cloud® Databases randomly generated keys for disk and backups encryption. To control the encryption keys, use the `kms_key_crn` and `backup_encryption_key_crn` inputs. | `bool` | `false` | no | -| [use\_same\_kms\_key\_for\_backups](#input\_use\_same\_kms\_key\_for\_backups) | Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the `backup_encryption_key_crn` input. Alternatiely set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Applies only if `use_ibm_owned_encryption_key` is false. Bare in mind that backups encryption is only available in certain regions. 
See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `bool` | `true` | no | +| [use\_same\_kms\_key\_for\_backups](#input\_use\_same\_kms\_key\_for\_backups) | Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the `backup_encryption_key_crn` input. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Applies only if `use_ibm_owned_encryption_key` is false. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `bool` | `true` | no | | [users](#input\_users) | A list of users that you want to create on the database. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service\_credential\_names) is sufficient to control access to the Elasticsearch instance. This blocks creates native Elasticsearch database users, more info on that can be found here https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-user-management&interface=ui |
list(object({
name = string
password = string # pragma: allowlist secret
type = optional(string)
role = optional(string)
}))
| `[]` | no | | [version\_upgrade\_skip\_backup](#input\_version\_upgrade\_skip\_backup) | Whether to skip taking a backup before upgrading the database version. Attention: Skipping a backup is not recommended. Skipping a backup before a version upgrade is dangerous and may result in data loss if the upgrade fails at any stage — there will be no immediate backup to restore from. | `bool` | `false` | no | diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf index 74471f6f..f335ca5a 100644 --- a/modules/fscloud/variables.tf +++ b/modules/fscloud/variables.tf 
@@ -177,7 +177,7 @@ variable "kms_key_crn" { variable "use_same_kms_key_for_backups" { type = bool - description = "Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the `backup_encryption_key_crn` input. Alternatiely set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Applies only if `use_ibm_owned_encryption_key` is false. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." + description = "Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the `backup_encryption_key_crn` input. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Applies only if `use_ibm_owned_encryption_key` is false. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." default = true } diff --git a/scripts/put_vectordb_model.sh b/scripts/put_vectordb_model.sh index d919d038..b3dcd455 100755 --- a/scripts/put_vectordb_model.sh +++ b/scripts/put_vectordb_model.sh @@ -21,7 +21,7 @@ for i in $(seq 1 4); do break else echo "Failed to get the trained models from elasticsearch. HTTP status code: $http_code" - echo "Reponse: $content" + echo "Response: $content" if [ "$i" -eq 4 ]; then exit 1 fi 
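Review bot: The rewritten `description` for `use_same_kms_key_for_backups` in modules/fscloud/variables.tf still contains `wan't` and `Bare in mind`, so the spelling pass that fixed `Alternatiely` is incomplete. I would change them to `want` and `Bear in mind` in the same string. The same text appears in the root variables.tf hunk and in both README tables, which look generated from these descriptions and would need regenerating.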
@@ -60,7 +60,7 @@ do break else echo "Failed to delete the trained model '$model' from elasticsearch. HTTP status code: $http_code" - echo "Reponse: $content" + echo "Response: $content" if [ "$i" -eq 4 ]; then exit 1 fi @@ -98,7 +98,7 @@ if [ "$INSTALL_NEW_MODEL" = true ] ; then break else echo "Failed to install the model '$ELSER_MODEL_TYPE'. HTTP status code: $http_code" - echo "Reponse: $content" + echo "Response: $content" if [ "$i" -eq 4 ]; then exit 1 fi diff --git a/scripts/start_vectordb_model.sh b/scripts/start_vectordb_model.sh index 22e3b72b..8f28379c 100755 --- a/scripts/start_vectordb_model.sh +++ b/scripts/start_vectordb_model.sh @@ -17,7 +17,7 @@ if [ "$http_code" -eq 200 ] || [ "$http_code" -eq 201 ]; then echo "Request sent successfully." else echo "Failed to start the vectorDB model. HTTP status code: $http_code" - echo "Reponse: $content" + echo "Response: $content" exit 1 fi diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 00ae502c..e902ed30 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -404,7 +404,7 @@ locals { ] }] - # Concatinate into 1 secrets object + # Concatenate into 1 secrets object secrets = concat(local.service_credential_secrets, local.admin_pass_secret) # Parse Secrets Manager details from the CRN existing_secrets_manager_instance_guid = var.existing_secrets_manager_instance_crn != null ? module.sm_instance_crn_parser[0].service_instance : null diff --git a/variables.tf b/variables.tf index efcfb956..163aba57 100644 --- a/variables.tf +++ b/variables.tf 
@@ -258,7 +258,7 @@ variable "kms_key_crn" { variable "use_same_kms_key_for_backups" { type = bool - description = "Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the `backup_encryption_key_crn` input. Alternatiely set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Applies only if `use_ibm_owned_encryption_key` is false. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." + description = "Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the `backup_encryption_key_crn` input. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Applies only if `use_ibm_owned_encryption_key` is false. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." default = true } From 7bcc6fb71ab3c98a494ced8f28d43c410e92976f Mon Sep 17 00:00:00 2001 From: shemau Date: Wed, 10 Sep 2025 11:50:14 +0100 Subject: [PATCH 2/4] fix: include cbr_rules with code editor --- ibm_catalog.json | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index a639bc6b..9201f470 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json 
@@ -486,7 +486,13 @@ ] }, { - "key": "cbr_rules" + "key": "cbr_rules", + "type": "array", + "custom_config": { + "type": "code_editor", + "grouping": "deployment", + "original_grouping": "deployment" + } } ], "terraform_version": "1.10.5" @@ -820,7 +826,13 @@ "key": "kibana_image_port" }, { - "key": "cbr_rules" + "key": "cbr_rules", + "type": "array", + "custom_config": { + "type": "code_editor", + "grouping": "deployment", + "original_grouping": "deployment" + } } ], "terraform_version": "1.10.5" From f207e1178fcb89d2b3fbb1d6cde741992cc6316e Mon Sep 17 00:00:00 2001 From: shemau Date: Wed, 10 Sep 2025 16:57:40 +0100 Subject: [PATCH 3/4] feat: use code editor for auto scale configuration --- ibm_catalog.json | 14 ++++++++++++-- solutions/fully-configurable/variables.tf | 23 ++++++++++++++++++++++- solutions/security-enforced/variables.tf | 23 ++++++++++++++++++++++- 3 files changed, 56 insertions(+), 4 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index 9201f470..79bcb1d2 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -273,7 +273,12 @@ "key": "member_host_flavor" }, { - "key": "auto_scaling" + "key": "auto_scaling", + "custom_config": { + "type": "code_editor", + "grouping": "deployment", + "original_grouping": "deployment" + } }, { "key": "service_endpoints", @@ -704,7 +709,12 @@ "key": "member_host_flavor" }, { - "key": "auto_scaling" + "key": "auto_scaling", + "custom_config": { + "type": "code_editor", + "grouping": "deployment", + "original_grouping": "deployment" + } }, { "key": "deletion_protection" diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index f11959de..87e40fa7 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf 
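Review bot: The two `cbr_rules` entries are the only ones in this series that set `"type": "array"` next to `custom_config`; the `service_credential_names` and `auto_scaling` entries get the same `code_editor` block without a `type`. If the explicit type is needed for the editor to round-trip a list, the commit message should say so; otherwise dropping it keeps the entries uniform. Because these rules restrict network access to the instance, it is worth confirming that the variable's validation (not visible in this patch) rejects malformed editor input rather than applying an empty rule set.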
@@ -338,7 +338,28 @@ variable "auto_scaling" { }) }) description = "Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-elasticsearch/blob/main/solutions/fully-configurable/DA-types.md#autoscaling)" - default = null + default = { + disk = { + capacity_enabled = false + free_space_less_than_percent = 10 + io_above_percent = 90 + io_enabled = false + io_over_period = "15m" + rate_increase_percent = 10 + rate_limit_mb_per_member = 3670016 + rate_period_seconds = 900 + rate_units = "mb" + } + memory = { + io_above_percent = 90 + io_enabled = false + io_over_period = "15m" + rate_increase_percent = 10 + rate_limit_mb_per_member = 114688 + rate_period_seconds = 900 + rate_units = "mb" + } + } } ############################################################################# diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf index 8cf136bf..f1dd1658 100644 --- a/solutions/security-enforced/variables.tf +++ b/solutions/security-enforced/variables.tf 
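Review bot: Replacing `default = null` with a populated object means `var.auto_scaling` is no longer null unless a caller passes `null` explicitly. Any `!= null` guard or conditional block that consumes it (outside this hunk) would then always send an autoscaling configuration, which may show up as a plan change on existing deployments. The description still reads "Optional rules" and does not mention that the shipped default has `capacity_enabled` and `io_enabled` set to `false`; I would add a sentence such as `The default populates the editor with autoscaling disabled; set capacity_enabled or io_enabled to true to turn it on.` The identical 21-line default is repeated in the solutions/security-enforced/variables.tf hunk, whose description link uses `tree/main` where this one uses `blob/main`. The `variable "auto_scaling"` block starts above the hunk.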
@@ -275,7 +275,28 @@ variable "auto_scaling" { }) }) description = "Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-elasticsearch/tree/main/solutions/fully-configurable/DA-types.md#autoscaling)" - default = null + default = { + disk = { + capacity_enabled = false + free_space_less_than_percent = 10 + io_above_percent = 90 + io_enabled = false + io_over_period = "15m" + rate_increase_percent = 10 + rate_limit_mb_per_member = 3670016 + rate_period_seconds = 900 + rate_units = "mb" + } + memory = { + io_above_percent = 90 + io_enabled = false + io_over_period = "15m" + rate_increase_percent = 10 + rate_limit_mb_per_member = 114688 + rate_period_seconds = 900 + rate_units = "mb" + } + } } ############################################################################# From 2aecaa2a50832ef37aa92dedadbac2611b43cb5a Mon Sep 17 00:00:00 2001 From: shemau Date: Thu, 2 Oct 2025 17:28:34 +0100 Subject: [PATCH 4/4] fix: tidy system/app login password --- solutions/fully-configurable/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index e902ed30..478b56c8 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf 
@@ -447,8 +447,8 @@ locals { code_engine_project_name = local.code_engine_project_id != null ? null : (var.prefix != null && var.prefix != "") ? "${var.prefix}-${var.kibana_code_engine_new_project_name}" : var.kibana_code_engine_new_project_name code_engine_app_name = (var.prefix != null && var.prefix != "") ? "${var.prefix}-${var.kibana_code_engine_new_app_name}" : var.kibana_code_engine_new_app_name kibana_version = var.enable_kibana_dashboard ? jsondecode(data.http.es_metadata[0].response_body).version.number : null - kibana_system_password = var.enable_kibana_dashboard ? random_password.kibana_system_password[0].result : null - kibana_app_login_password = var.enable_kibana_dashboard ? random_password.kibana_app_login_password[0].result : null + kibana_system_password = var.enable_kibana_dashboard ? startswith(random_password.kibana_system_password[0].result, "-") ? "J${substr(random_password.kibana_system_password[0].result, 1, -1)}" : startswith(random_password.kibana_system_password[0].result, "_") ? "K${substr(random_password.kibana_system_password[0].result, 1, -1)}" : random_password.kibana_system_password[0].result : null + kibana_app_login_password = var.enable_kibana_dashboard ? startswith(random_password.kibana_app_login_password[0].result, "-") ? "J${substr(random_password.kibana_app_login_password[0].result, 1, -1)}" : startswith(random_password.kibana_app_login_password[0].result, "_") ? "K${substr(random_password.kibana_app_login_password[0].result, 1, -1)}" : random_password.kibana_app_login_password[0].result : null } data "http" "es_metadata" {
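Review bot: The new `kibana_system_password` and `kibana_app_login_password` locals replace a leading `-` or `_` with a fixed letter, but nothing says why that first character is a problem, and the value used now differs from the one recorded in `random_password.*.result`. Anything that reads the resource attribute directly instead of the local (not visible in this hunk) would store or compare a different password. I would add a comment such as `# A leading "-" or "_" is rejected by <consumer>; rewrite the first character so the generated password is accepted.` The nested ternary could also collapse to `replace(random_password.kibana_system_password[0].result, "/^[-_]/", "J")` if mapping both characters to one letter is acceptable. Alternatively, if the `random_password` resources allow it, excluding those characters via `override_special` keeps state and the used value identical.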