feat: major in-place upgrade, deletion protection (#583)

Author: shemau

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-06-27T12:07:30Z",
+  "generated_at": "2025-07-17T12:16:53Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -87,12 +87,20 @@
         "verified_result": null
       }
     ],
-    "module-metadata.json": [
+    "solutions/fully-configurable/DA-types.md": [
       {
-        "hashed_secret": "99075eb0baa8cfda1cae029da06b57b93cc13a31",
+        "hashed_secret": "44cdfc3615970ada14420caaaa5c5745fca06002",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 407,
+        "line_number": 124,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "bd0d0d73a240c29656fb8ae0dfa5f863077788dc",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 129,
         "type": "Secret Keyword",
         "verified_result": null
       }

README.md

@@ -91,6 +91,7 @@ You need the following permissions to run this module.
 | <a name="input_backup_encryption_key_crn"></a> [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false and `use_same_kms_key_for_backups` is false. If no value is passed, and `use_same_kms_key_for_backups` is true, the value of `kms_key_crn` is used. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `string` | `null` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    tags = optional(list(object({<br/>      name  = string<br/>      value = string<br/>    })))<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_cpu_count"></a> [cpu\_count](#input\_cpu\_count) | Allocated dedicated CPU per member. For shared CPU, set to 0. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-pricing#mongodb-scale-member) | `number` | `0` | no |
+| <a name="input_deletion_protection"></a> [deletion\_protection](#input\_deletion\_protection) | Enable deletion protection within terraform. This is not a property of the resource and does not prevent deletion outside of terraform. The database can not be deleted by terraform when this value is set to 'true'. In order to delete with terraform the value must be set to 'false' and a terraform apply performed before the destroy is performed. The default is 'true'. | `bool` | `true` | no |
 | <a name="input_disk_mb"></a> [disk\_mb](#input\_disk\_mb) | The disk that is allocated per member. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-pricing#mongodb-scale-member) | `number` | `10240` | no |
 | <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `use_ibm_owned_encryption_key` is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the `use_same_kms_key_for_backups` and `backup_encryption_key_crn` inputs. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `string` | `null` | no |
 | <a name="input_member_host_flavor"></a> [member\_host\_flavor](#input\_member\_host\_flavor) | Allocated host flavor per member. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database#host_flavor). | `string` | `null` | no |
@@ -105,10 +106,12 @@ You need the following permissions to run this module.
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable the public or private endpoints on the instance. Supported values are 'public' or 'private'. | `string` | `"private"` | no |
 | <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of IAM authorization policies that permits all Databases for MongoDB instances in the given resource group 'Reader' access to the Key Protect or Hyper Protect Crypto Services key that was provided in the `kms_key_crn` and `backup_encryption_key_crn` inputs. This policy is required in order to enable KMS encryption, so only skip creation if there is one already present in your account. No policy is created if `use_ibm_owned_encryption_key` is true. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Optional list of tags to be added to the MongoDB instance. | `list(string)` | `[]` | no |
+| <a name="input_timeouts_update"></a> [timeouts\_update](#input\_timeouts\_update) | A database update may require a longer timeout for the update to complete. The default is 120 minutes. Set this variable to change the `update` value in the `timeouts` block. [Learn more](https://developer.hashicorp.com/terraform/language/resources/syntax#operation-timeouts). | `string` | `"120m"` | no |
 | <a name="input_use_default_backup_encryption_key"></a> [use\_default\_backup\_encryption\_key](#input\_use\_default\_backup\_encryption\_key) | When `use_ibm_owned_encryption_key` is set to false, backups will be encrypted with either the key specified in `kms_key_crn`, or in `backup_encryption_key_crn` if a value is passed. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. Alternatively set `use_ibm_owned_encryption_key` to true to use the default encryption for both backups and deployment data. | `bool` | `false` | no |
 | <a name="input_use_ibm_owned_encryption_key"></a> [use\_ibm\_owned\_encryption\_key](#input\_use\_ibm\_owned\_encryption\_key) | IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for the `kms_key_crn` input. | `bool` | `true` | no |
 | <a name="input_use_same_kms_key_for_backups"></a> [use\_same\_kms\_key\_for\_backups](#input\_use\_same\_kms\_key\_for\_backups) | Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the `backup_encryption_key_crn` input. Alternatiely set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Applies only if `use_ibm_owned_encryption_key` is false. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `bool` | `true` | no |
 | <a name="input_users"></a> [users](#input\_users) | A list of users that you want to create on the database. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service\_credential\_names) is sufficient to control access to the MongoDB instance. This blocks creates native MongoDB database users, more info on that can be found here https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-user-management&interface=ui | <pre>list(object({<br/>    name     = string<br/>    password = string # pragma: allowlist secret<br/>    type     = optional(string)<br/>    role     = optional(string)<br/>  }))</pre> | `[]` | no |
+| <a name="input_version_upgrade_skip_backup"></a> [version\_upgrade\_skip\_backup](#input\_version\_upgrade\_skip\_backup) | Whether to skip taking a backup before upgrading the database version. Attention: Skipping a backup is not recommended. Skipping a backup before a version upgrade is dangerous and may result in data loss if the upgrade fails at any stage — there will be no immediate backup to restore from. | `bool` | `false` | no |
 
 ### Outputs
 

examples/backup-restore/catalogValidationValues.json.template

@@ -20,12 +20,13 @@ module "restored_icd_mongodb" {
   # remove the above line and uncomment the below 2 lines to consume the module from the registry
   # source            = "terraform-ibm-modules/icd-mongodb/ibm/"
   # version           = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
-  resource_group_id  = module.resource_group.resource_group_id
-  name               = "${var.prefix}-mongodb-restored"
-  region             = var.region
-  mongodb_version    = var.mongodb_version
-  access_tags        = var.access_tags
-  tags               = var.resource_tags
-  member_host_flavor = "multitenant"
-  backup_crn         = data.ibm_database_backups.backup_database.backups[0].backup_id
+  resource_group_id   = module.resource_group.resource_group_id
+  name                = "${var.prefix}-mongodb-restored"
+  region              = var.region
+  mongodb_version     = var.mongodb_version
+  access_tags         = var.access_tags
+  tags                = var.resource_tags
+  member_host_flavor  = "multitenant"
+  deletion_protection = false
+  backup_crn          = data.ibm_database_backups.backup_database.backups[0].backup_id
 }

examples/backup-restore/main.tf

@@ -19,14 +19,15 @@ module "database" {
   # remove the above line and uncomment the below 2 lines to consume the module from the registry
   # source            = "terraform-ibm-modules/icd-mongodb/ibm"
   # version           = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
-  resource_group_id  = module.resource_group.resource_group_id
-  name               = "${var.prefix}-data-store"
-  region             = var.region
-  mongodb_version    = var.mongodb_version
-  access_tags        = var.access_tags
-  tags               = var.resource_tags
-  service_endpoints  = var.service_endpoints
-  member_host_flavor = var.member_host_flavor
+  resource_group_id   = module.resource_group.resource_group_id
+  name                = "${var.prefix}-data-store"
+  region              = var.region
+  mongodb_version     = var.mongodb_version
+  access_tags         = var.access_tags
+  tags                = var.resource_tags
+  service_endpoints   = var.service_endpoints
+  member_host_flavor  = var.member_host_flavor
+  deletion_protection = false
   service_credential_names = {
     "mongodb_admin" : "Administrator",
     "mongodb_operator" : "Operator",

examples/basic/main.tf

@@ -108,16 +108,17 @@ module "icd_mongodb" {
   # remove the above line and uncomment the below 2 lines to consume the module from the registry
   # source            = "terraform-ibm-modules/icd-mongodb/ibm"
   # version           = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
-  resource_group_id = module.resource_group.resource_group_id
-  name              = "${var.prefix}-mongodb"
-  mongodb_version   = var.mongodb_version
-  admin_pass        = var.admin_pass
-  users             = var.users
-  region            = var.region
-  plan              = var.plan
-  access_tags       = var.access_tags
-  tags              = var.resource_tags
-  auto_scaling      = var.auto_scaling
+  resource_group_id   = module.resource_group.resource_group_id
+  name                = "${var.prefix}-mongodb"
+  mongodb_version     = var.mongodb_version
+  admin_pass          = var.admin_pass
+  users               = var.users
+  region              = var.region
+  plan                = var.plan
+  access_tags         = var.access_tags
+  tags                = var.resource_tags
+  deletion_protection = false
+  auto_scaling        = var.auto_scaling
   # Example of how to use different KMS keys for data and backups
   use_ibm_owned_encryption_key = false
   use_same_kms_key_for_backups = false

examples/complete/main.tf

@@ -63,6 +63,7 @@ module "mongodb" {
   region                    = var.region
   tags                      = var.resource_tags
   access_tags               = var.access_tags
+  deletion_protection       = false
   kms_key_crn               = var.kms_key_crn
   backup_encryption_key_crn = var.backup_encryption_key_crn
   backup_crn                = var.backup_crn

examples/fscloud/main.tf

@@ -274,6 +274,15 @@
                 }
               ]
             },
+            {
+              "key": "deletion_protection"
+            },
+            {
+              "key": "timeouts_update"
+            },
+            {
+              "key": "version_upgrade_skip_backup"
+            },
             {
               "key": "service_credential_names"
             },
@@ -571,6 +580,12 @@
             {
               "key": "auto_scaling"
             },
+            {
+              "key": "deletion_protection"
+            },
+            {
+              "key": "timeouts_update"
+            },
             {
               "key": "service_credential_names"
             },

ibm_catalog.json

@@ -158,19 +158,21 @@ resource "time_sleep" "wait_for_backup_kms_authorization_policy" {
 ########################################################################################################################
 
 resource "ibm_database" "mongodb" {
-  depends_on                = [time_sleep.wait_for_authorization_policy, time_sleep.wait_for_backup_kms_authorization_policy]
-  name                      = var.name
-  plan                      = var.plan
-  location                  = var.region
-  service                   = "databases-for-mongodb"
-  version                   = var.mongodb_version
-  resource_group_id         = var.resource_group_id
-  service_endpoints         = var.service_endpoints
-  tags                      = var.tags
-  adminpassword             = var.admin_pass
-  key_protect_key           = var.kms_key_crn
-  backup_encryption_key_crn = local.backup_encryption_key_crn
-  backup_id                 = var.backup_crn
+  depends_on                  = [time_sleep.wait_for_authorization_policy, time_sleep.wait_for_backup_kms_authorization_policy]
+  name                        = var.name
+  plan                        = var.plan
+  location                    = var.region
+  service                     = "databases-for-mongodb"
+  version                     = var.mongodb_version
+  resource_group_id           = var.resource_group_id
+  service_endpoints           = var.service_endpoints
+  deletion_protection         = var.deletion_protection
+  version_upgrade_skip_backup = var.version_upgrade_skip_backup
+  tags                        = var.tags
+  adminpassword               = var.admin_pass
+  key_protect_key             = var.kms_key_crn
+  backup_encryption_key_crn   = local.backup_encryption_key_crn
+  backup_id                   = var.backup_crn
 
   dynamic "users" {
     for_each = nonsensitive(var.users != null ? var.users : [])
@@ -275,15 +277,14 @@ resource "ibm_database" "mongodb" {
   lifecycle {
     ignore_changes = [
       # Ignore changes to these because a change will destroy and recreate the instance
-      version,
       key_protect_key,
       backup_encryption_key_crn,
     ]
   }
 
   timeouts {
     create = "120m" # Extending provisioning time to 120 minutes
-    update = "120m"
+    update = var.timeouts_update
     delete = "15m"
   }
 }