From f9a4e350009d2371d589e193cdd8722dbb957cf8 Mon Sep 17 00:00:00 2001 From: whoffler Date: Thu, 8 May 2025 14:41:30 +0100 Subject: [PATCH 01/15] fully configurable solution --- ibm_catalog.json | 23 ++-- .../DA-types.md | 0 .../README.md | 6 +- .../catalogValidationValues.json.template | 10 ++ .../{standard => fully-configurable}/main.tf | 22 ++-- .../{standard => fully-configurable}/moved.tf | 0 .../outputs.tf | 0 .../provider.tf | 0 .../variables.tf | 107 ++++++++++++------ .../version.tf | 0 .../catalogValidationValues.json.template | 8 -- tests/pr_test.go | 44 +++---- 12 files changed, 137 insertions(+), 83 deletions(-) rename solutions/{standard => fully-configurable}/DA-types.md (100%) rename solutions/{standard => fully-configurable}/README.md (90%) create mode 100644 solutions/fully-configurable/catalogValidationValues.json.template rename solutions/{standard => fully-configurable}/main.tf (94%) rename solutions/{standard => fully-configurable}/moved.tf (100%) rename solutions/{standard => fully-configurable}/outputs.tf (100%) rename solutions/{standard => fully-configurable}/provider.tf (100%) rename solutions/{standard => fully-configurable}/variables.tf (84%) rename solutions/{standard => fully-configurable}/version.tf (100%) delete mode 100644 solutions/standard/catalogValidationValues.json.template diff --git a/ibm_catalog.json b/ibm_catalog.json index e18769d0..a77adcb9 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -47,10 +47,10 @@ ], "flavors": [ { - "label": "Standard", - "name": "standard", + "label": "Fully configurable", + "name": "fully-configurable", "install_type": "fullstack", - "working_directory": "solutions/standard", + "working_directory": "solutions/fully-configurable", "compliance": { "authority": "scc-v3", "profiles": [ 
@@ -115,16 +115,13 @@ ] }, { - "key": "use_existing_resource_group" - }, - { - "key": "resource_group_name" + "key": "existing_resource_group_name" }, { "key": "prefix" }, { - "key": "name" + "key": "mongodb_name" }, { "key": "region", @@ -203,6 +200,9 @@ { "key": "plan" }, + { + "key": "service_endpoints" + }, { "key": "members" }, @@ -240,10 +240,13 @@ "key": "users" }, { - "key": "tags" + "key": "mongodb_tags" + }, + { + "key": "mongodb_access_tags" }, { - "key": "access_tags" + "key": "kms_encryption_enabled" }, { "key": "use_ibm_owned_encryption_key" diff --git a/solutions/standard/DA-types.md b/solutions/fully-configurable/DA-types.md similarity index 100% rename from solutions/standard/DA-types.md rename to solutions/fully-configurable/DA-types.md diff --git a/solutions/standard/README.md b/solutions/fully-configurable/README.md similarity index 90% rename from solutions/standard/README.md rename to solutions/fully-configurable/README.md index 8a4c8a55..9be2994f 100644 --- a/solutions/standard/README.md +++ b/solutions/fully-configurable/README.md @@ -1,8 +1,10 @@ - # IBM Cloud Databases for MongoDB +# IBM Cloud Databases for MongoDB + +## Prerequisites +- An existing resource group This architecture creates an instance of IBM Cloud Databases for MongoDB and supports provisioning of the following resources: -- A resource group, if one is not passed in. - A KMS root key, if one is not passed in. - An IBM Cloud Databases for MongoDB instance with KMS encryption. - Autoscaling rules for the database instance, if provided. diff --git a/solutions/fully-configurable/catalogValidationValues.json.template b/solutions/fully-configurable/catalogValidationValues.json.template new file mode 100644 index 00000000..a9a30170 --- /dev/null +++ b/solutions/fully-configurable/catalogValidationValues.json.template 
@@ -0,0 +1,10 @@ +{ + "ibmcloud_api_key": $VALIDATION_APIKEY, + "region": "us-south", + "mongodb_tags": $TAGS, + "mongodb_name": $PREFIX, + "existing_resource_group_name": $PREFIX, + "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN, + "kms_encryption_enabled": true, + "use_ibm_owned_encryption_key": false +} diff --git a/solutions/standard/main.tf b/solutions/fully-configurable/main.tf similarity index 94% rename from solutions/standard/main.tf rename to solutions/fully-configurable/main.tf index da027a1a..e218f7cc 100644 --- a/solutions/standard/main.tf +++ b/solutions/fully-configurable/main.tf @@ -2,11 +2,11 @@ # Resource Group ####################################################################################################################### + module "resource_group" { source = "terraform-ibm-modules/resource-group/ibm" version = "1.2.0" - resource_group_name = var.use_existing_resource_group == false ? ((var.prefix != null && var.prefix != "") ? "${var.prefix}-${var.resource_group_name}" : var.resource_group_name) : null - existing_resource_group_name = var.use_existing_resource_group == true ? var.resource_group_name : null + existing_resource_group_name = var.existing_resource_group_name } ####################################################################################################################### 
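Review bot: The new validation template sets `existing_resource_group_name` to `$PREFIX`, so catalog validation now depends on a resource group with that generated name already existing in the validation account, where the deleted `solutions/standard` template created the group from the same value. If the validation pipeline does not pre-create that group, the run fails at the `resource_group` module in main.tf rather than anywhere obvious. Either point the template at a known pre-existing group, the way the Go tests pass `resourceGroup`, or add a comment line next to the template (the format here is a template, so a README sentence such as `Validation expects a resource group named after $PREFIX to exist` is the practical place).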
@@ -14,9 +14,10 @@ module "resource_group" { ####################################################################################################################### locals { + prefix = (var.prefix != null && trimspace(var.prefix) != "" ? "${var.prefix}-" : "") create_new_kms_key = var.existing_mongodb_instance_crn == null && !var.use_ibm_owned_encryption_key && var.existing_kms_key_crn == null ? true : false # no need to create any KMS resources if passing an existing key, or using IBM owned keys - mongodb_key_name = var.prefix != null ? "${var.prefix}-${var.key_name}" : var.key_name - mongodb_key_ring_name = var.prefix != null ? "${var.prefix}-${var.key_ring_name}" : var.key_ring_name + mongodb_key_name = "${local.prefix}${var.key_name}" + mongodb_key_ring_name = "${local.prefix}${var.key_ring_name}" } module "kms" { @@ -269,10 +270,10 @@ data "ibm_database_connection" "existing_connection" { # Create new instance module "mongodb" { count = var.existing_mongodb_instance_crn != null ? 0 : 1 - source = "../../modules/fscloud" + source = "../.." depends_on = [time_sleep.wait_for_authorization_policy, time_sleep.wait_for_backup_kms_authorization_policy] resource_group_id = module.resource_group.resource_group_id - name = (var.prefix != null && var.prefix != "") ? "${var.prefix}-${var.name}" : var.name + name = "${local.prefix}${var.mongodb_name}" plan = var.plan region = var.region mongodb_version = var.mongodb_version @@ -282,8 +283,8 @@ module "mongodb" { backup_encryption_key_crn = local.backup_kms_key_crn use_same_kms_key_for_backups = local.use_same_kms_key_for_backups use_default_backup_encryption_key = var.use_default_backup_encryption_key - access_tags = var.access_tags - tags = var.tags + access_tags = var.mongodb_access_tags + tags = var.mongodb_tags admin_pass = local.admin_pass users = var.users members = var.members 
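Review bot: In the `@@ -269` hunk `module "mongodb"` now sources the root module (`../..`) instead of `../../modules/fscloud`, so whatever hardening the fscloud wrapper applied is no longer implied by this flavor and rests entirely on variable defaults, and the defaults visible in this patch are `service_endpoints = "public"`, `kms_encryption_enabled = false` and `use_ibm_owned_encryption_key = true`. That is presumably the point of a "fully configurable" flavor, but it is a posture change for anyone moving from `solutions/standard` and deserves a sentence in the README, e.g. `This flavor defaults to public endpoints and IBM-owned keys; use the security-enforced flavor or set the KMS and endpoint inputs for a hardened deployment.` Separately, `create_new_kms_key` in the `@@ -14` hunk still keys off `use_ibm_owned_encryption_key` and `existing_kms_key_crn` only; `kms_encryption_enabled` is not referenced in any visible main.tf hunk, so unless it is wired in elsewhere the new flag is validation-only and does not change what gets provisioned.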
@@ -294,6 +295,7 @@ module "mongodb" { auto_scaling = var.auto_scaling service_credential_names = var.service_credential_names backup_crn = var.backup_crn + service_endpoints = var.service_endpoints } locals { @@ -365,10 +367,10 @@ locals { # Build the structure of the arbitrary credential type secret for admin password admin_pass_secret = [{ - secret_group_name = (var.prefix != null && var.prefix != "") && var.admin_pass_secrets_manager_secret_group != null ? "${var.prefix}-${var.admin_pass_secrets_manager_secret_group}" : var.admin_pass_secrets_manager_secret_group + secret_group_name = "${local.prefix}${var.admin_pass_secrets_manager_secret_group}" existing_secret_group = var.use_existing_admin_pass_secrets_manager_secret_group secrets = [{ - secret_name = (var.prefix != null && var.prefix != "") && var.admin_pass_secrets_manager_secret_name != null ? "${var.prefix}-${var.admin_pass_secrets_manager_secret_name}" : var.admin_pass_secrets_manager_secret_name + secret_name = "${local.prefix}${var.admin_pass_secrets_manager_secret_name}" secret_type = "arbitrary" secret_payload_password = local.admin_pass } diff --git a/solutions/standard/moved.tf b/solutions/fully-configurable/moved.tf similarity index 100% rename from solutions/standard/moved.tf rename to solutions/fully-configurable/moved.tf diff --git a/solutions/standard/outputs.tf b/solutions/fully-configurable/outputs.tf similarity index 100% rename from solutions/standard/outputs.tf rename to solutions/fully-configurable/outputs.tf diff --git a/solutions/standard/provider.tf b/solutions/fully-configurable/provider.tf similarity index 100% rename from solutions/standard/provider.tf rename to solutions/fully-configurable/provider.tf diff --git a/solutions/standard/variables.tf b/solutions/fully-configurable/variables.tf similarity index 84% rename from solutions/standard/variables.tf rename to solutions/fully-configurable/variables.tf index 585da345..c405460a 100644 --- a/solutions/standard/variables.tf 
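Review bot: In the `@@ -365` hunk `secret_group_name` and `secret_name` now interpolate `var.admin_pass_secrets_manager_secret_group` and `var.admin_pass_secrets_manager_secret_name` unconditionally, whereas the removed lines explicitly guarded against those variables being `null`. Terraform rejects a `null` inside a string template ("Invalid template interpolation value"), so if either variable is still nullable and left unset — the usual case when Secrets Manager is not in use — the `admin_pass_secret` local fails to evaluate. Keep the guard: `secret_group_name = var.admin_pass_secrets_manager_secret_group != null ? "${local.prefix}${var.admin_pass_secrets_manager_secret_group}" : null` and the same shape for `secret_name`, or make both variables `nullable = false` with a default. Their declarations are outside this patch, so whether they can be null is inferred from the removed guard; the enclosing `locals` block also starts outside the hunk.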
+++ b/solutions/fully-configurable/variables.tf @@ -7,24 +7,30 @@ variable "ibmcloud_api_key" { description = "The IBM Cloud API key to deploy resources." sensitive = true } -variable "use_existing_resource_group" { - type = bool - description = "Whether to use an existing resource group." - default = false -} -variable "resource_group_name" { +variable "existing_resource_group_name" { type = string - description = "The name of a new or an existing resource group to provision the Databases for MongoDB in. If a prefix input variable is specified, the prefix is added to the name in the `-` format." + description = "The name of an existing resource group to provision the Databases for MongoDB in." + default = "Default" + nullable = false } variable "prefix" { type = string - description = "Prefix to add to all resources created by this solution." - default = null + description = "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string." + nullable = true + validation { + condition = (var.prefix == null ? true : + alltrue([ + can(regex("^[a-z]{0,1}[-a-z0-9]{0,14}[a-z0-9]{0,1}$", var.prefix)), + length(regexall("^.*--.*", var.prefix)) == 0 + ]) + ) + error_message = "Prefix must begin with a lowercase letter, contain only lowercase letters, numbers, and - characters. Prefixes must end with a lowercase letter or number and be 16 or fewer characters." + } } -variable "name" { +variable "mongodb_name" { type = string description = "The name of the Databases for MongoDB instance. If a prefix input variable is specified, the prefix is added to the name in the `-` format." default = "mongodb" 
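Review bot: The `prefix` validation regex `^[a-z]{0,1}[-a-z0-9]{0,14}[a-z0-9]{0,1}$` does not enforce what its error message promises: every group is optional, so `-abc`, `1abc` and a value ending in `-` all pass while the message says the prefix must begin with a lowercase letter and end with a letter or digit. A pattern that matches the message and still allows the documented empty string is `^$|^[a-z]([-a-z0-9]{0,14}[a-z0-9])?$` (length 1–16), keeping the separate `--` check. Independently, removing `default = null` while keeping `nullable = true` turns `prefix` into a required input; if that is intended, the description's "you can set this value to `null`" should say the value must be passed explicitly, and the Go tests in this commit are inconsistent about supplying it.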
@@ -61,6 +67,17 @@ variable "plan" { } } +variable "service_endpoints" { + type = string + description = "The type of endpoint of the database instance. Possible values: `public`, `private`, `public-and-private`." + default = "public" + + validation { + condition = can(regex("public|public-and-private|private", var.service_endpoints)) + error_message = "Valid values for service_endpoints are 'public', 'public-and-private', and 'private'" + } +} + variable "existing_mongodb_instance_crn" { type = string default = null @@ -107,7 +124,7 @@ variable "member_host_flavor" { } variable "service_credential_names" { - description = "Map of name, role for service credentials that you want to create for the database. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/standard/DA-types.md#svc-credential-name)" + description = "Map of name, role for service credentials that you want to create for the database. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/fully-configurable/DA-types.md#svc-credential-name)" type = map(string) default = {} } 
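Review bot: The `service_endpoints` validation uses an unanchored `can(regex("public|public-and-private|private", ...))`, which accepts any string containing one of those words (`publicly`, `private-only`), so a typo reaches the provider instead of failing at plan time; `condition = contains(["public", "private", "public-and-private"], var.service_endpoints)` is the exact check. The `"public"` default also means a database deployed with this flavor's defaults is reachable over public endpoints; if that is the intended contrast with a security-enforced flavor, saying so in the description (`Defaults to public; set to private to restrict access to the IBM Cloud private network`) makes the choice visible in the catalog UI. The `service_endpoints` entry added to ibm_catalog.json in this commit carries no `options` list, so the UI will present a free-text field for exactly the input whose validation is loose.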
@@ -128,16 +145,16 @@ variable "users" { })) default = [] sensitive = true - description = "A list of users that you want to create on the database. Users block is supported by MongoDB version >= 6.0. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service_credential_names) is sufficient to control access to the MongoDB instance. This blocks creates native MongoDB database users. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/standard/DA-types.md#users)" + description = "A list of users that you want to create on the database. Users block is supported by MongoDB version >= 6.0. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service_credential_names) is sufficient to control access to the MongoDB instance. This blocks creates native MongoDB database users. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/fully-configurable/DA-types.md#users)" } -variable "tags" { +variable "mongodb_tags" { type = list(any) description = "The list of tags to be added to the Databases for MongoDB instance." default = [] } -variable "access_tags" { +variable "mongodb_access_tags" { type = list(string) description = "A list of access tags to apply to the Databases for MongoDB instance created by the solution. [Learn more](https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial)." default = [] 
@@ -147,32 +164,40 @@ variable "access_tags" { # Encryption ############################################################## -variable "use_ibm_owned_encryption_key" { +variable "kms_encryption_enabled" { type = bool - description = "IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for `existing_kms_instance_crn` to create a new key, or `existing_kms_key_crn` and/or `existing_backup_kms_key_crn` to use an existing key." + description = "Set to true to enable KMS Encryption using customer managed keys. When set to true, a value must be passed for either 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn'." default = false + # this validation ensures key info is provided when Kms encryption is enabled and no MongoDB instance is given validation { condition = ( var.existing_mongodb_instance_crn != null || - !(var.use_ibm_owned_encryption_key && ( + (var.kms_encryption_enabled && ( var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null )) ) - error_message = "When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false." + error_message = "When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'kms_encryption_enabled' input must be set to true." + } +} + +variable "use_ibm_owned_encryption_key" { + type = bool + description = "IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. 
Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for `existing_kms_instance_crn` to create a new key, or `existing_kms_key_crn` and/or `existing_backup_kms_key_crn` to use an existing key." + default = true + + validation { + condition = var.use_ibm_owned_encryption_key ? !var.kms_encryption_enabled : true + error_message = "When setting input 'use_ibm_owned_encryption_key' true, 'kms_encryption_enabled' input must be set to false." } - # this validation ensures key info is provided when IBM-owned key is disabled and no MongoDB instance is given validation { - condition = !( - var.existing_mongodb_instance_crn == null && - var.use_ibm_owned_encryption_key == false && - var.existing_kms_instance_crn == null && - var.existing_kms_key_crn == null + condition = ( + var.use_ibm_owned_encryption_key ? length(compact([var.existing_kms_instance_crn, var.existing_kms_key_crn, var.existing_backup_kms_key_crn])) == 0 : true ) - error_message = "When 'use_ibm_owned_encryption_key' is false, you must provide either 'existing_kms_instance_crn' (to create a new key) or 'existing_kms_key_crn' (to use an existing key)." + error_message = "When using ibm owned encryption keys by setting input 'use_ibm_owned_encryption_key' to true, 'existing_kms_instance_crn', 'existing_kms_key_crn' and 'existing_backup_kms_key_crn' should not be set." } } 
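Review bot: The new condition on `kms_encryption_enabled` rejects the variable's own defaults: with no existing instance, `kms_encryption_enabled = false` and no CRNs, it reduces to `false || (false && ...)`, so `terraform plan` fails with the message telling the user to set the input to true. The removed condition was a negation (`!(use_ibm_owned && any_crn)`); the form that matches both the comment ("key info is provided when KMS encryption is enabled") and the message is `var.existing_mongodb_instance_crn != null || !var.kms_encryption_enabled || length(compact([var.existing_kms_instance_crn, var.existing_kms_key_crn, var.existing_backup_kms_key_crn])) > 0`, with the error message reworded to `When 'kms_encryption_enabled' is true, a value must be passed for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn'.` As written, `TestRunfullyConfigurableSolutionIBMKeys` in tests/pr_test.go, which leaves `kms_encryption_enabled` at its default, would trip this unless a later commit in the series changes it. The `use_ibm_owned_encryption_key` validations in the same hunk are consistent (IBM-owned implies KMS disabled and no CRNs), but `kms_encryption_enabled = false` together with `use_ibm_owned_encryption_key = false` passes every check while `create_new_kms_key` in main.tf still creates a key, so the new flag needs either a reference in main.tf or a validation tying it to `use_ibm_owned_encryption_key`.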
@@ -180,12 +205,33 @@ variable "existing_kms_instance_crn" { type = string description = "The CRN of a Key Protect or Hyper Protect Crypto Services instance. Required to create a new encryption key and key ring which will be used to encrypt both deployment data and backups. Applies only if `use_ibm_owned_encryption_key` is false. To use an existing key, pass values for `existing_kms_key_crn` and/or `existing_backup_kms_key_crn`. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." default = null + + validation { + condition = var.existing_mongodb_instance_crn != null ? var.existing_kms_instance_crn == null : true + error_message = "When using an existing mongodb instance 'existing_kms_instance_crn' should not be set" + } } variable "existing_kms_key_crn" { type = string description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `use_ibm_owned_encryption_key` is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the optional `existing_backup_kms_key_crn` input. If no value is passed a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." default = null + + validation { + condition = var.existing_mongodb_instance_crn != null ? 
var.existing_kms_key_crn == null : true + error_message = "When using an existing mongodb instance 'existing_kms_key_crn' should not be set" + } +} + +variable "existing_backup_kms_key_crn" { + type = string + description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false. If no value is passed, the value of `existing_kms_key_crn` is used. If no value is passed for `existing_kms_key_crn`, a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." + default = null + + validation { + condition = var.existing_mongodb_instance_crn != null ? var.existing_backup_kms_key_crn == null : true + error_message = "When using an existing mongodb instance 'existing_backup_kms_key_crn' should not be set" + } } variable "kms_endpoint_type" { 
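Review bot: The descriptions of `existing_kms_instance_crn`, `existing_kms_key_crn` and the relocated `existing_backup_kms_key_crn` still say "Applies only if `use_ibm_owned_encryption_key` is false", but this commit makes `kms_encryption_enabled` the flag that gates these inputs in validation, so the catalog text now points users at the wrong switch. Each description should name both, e.g. `Applies only if kms_encryption_enabled is true and use_ibm_owned_encryption_key is false.` While these strings are being touched, `Bare in mind` should read `Bear in mind` in all three. The three new validations rejecting KMS inputs alongside `existing_mongodb_instance_crn` are correct; the `existing_kms_key_crn` block they belong to starts on the previous hunk line.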
@@ -224,12 +270,6 @@ variable "key_name" { description = "The name for the key created for the Databases for MongoDB key. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `-` format." } -variable "existing_backup_kms_key_crn" { - type = string - description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false. If no value is passed, the value of `existing_kms_key_crn` is used. If no value is passed for `existing_kms_key_crn`, a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." - default = null -} - variable "use_default_backup_encryption_key" { type = bool description = "When `use_ibm_owned_encryption_key` is set to false, backups will be encrypted with either the key specified in `existing_kms_key_crn`, in `existing_backup_kms_key_crn`, or with a new key that will be created in the instance specified in the `existing_kms_instance_crn` input. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. Alternatively set `use_ibm_owned_encryption_key` to true to use the default encryption for both backups and deployment data." 
@@ -249,6 +289,7 @@ variable "backup_crn" { error_message = "backup_crn must be null OR starts with 'crn:' and contains ':backup:'" } } + variable "provider_visibility" { description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)." type = string @@ -287,7 +328,7 @@ variable "auto_scaling" { rate_units = optional(string, "mb") }) }) - description = "Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/standard/DA-types.md#autoscaling)" + description = "Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/fully-configurable/DA-types.md#autoscaling)" default = null } @@ -330,7 +371,7 @@ variable "service_credential_secrets" { })) })) default = [] - description = "Service credential secrets configuration for Databases for MongoDB. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/tree/main/solutions/standard/DA-types.md#service-credential-secrets)." + description = "Service credential secrets configuration for Databases for MongoDB. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/tree/main/solutions/fully-configurable/DA-types.md#service-credential-secrets)." validation { # Service roles CRNs can be found at https://cloud.ibm.com/iam/roles, select the IBM Cloud Database and select the role 
diff --git a/solutions/standard/version.tf b/solutions/fully-configurable/version.tf similarity index 100% rename from solutions/standard/version.tf rename to solutions/fully-configurable/version.tf diff --git a/solutions/standard/catalogValidationValues.json.template b/solutions/standard/catalogValidationValues.json.template deleted file mode 100644 index e69e502f..00000000 --- a/solutions/standard/catalogValidationValues.json.template +++ /dev/null @@ -1,8 +0,0 @@ -{ - "ibmcloud_api_key": $VALIDATION_APIKEY, - "region": "us-south", - "tags": $TAGS, - "name": $PREFIX, - "resource_group_name": $PREFIX, - "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN -} diff --git a/tests/pr_test.go b/tests/pr_test.go index 8c3c5cb2..a31ff47f 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -22,7 +22,7 @@ import ( ) const fscloudExampleTerraformDir = "examples/fscloud" -const standardSolutionTerraformDir = "solutions/standard" +const fullyConfigurableSolutionTerraformDir = "solutions/fully-configurable" const latestVersion = "7.0" // Use existing resource group @@ -55,19 +55,19 @@ func TestMain(m *testing.M) { os.Exit(m.Run()) } -func TestRunStandardSolutionSchematics(t *testing.T) { +func TestRunFullyConfigurableSolutionSchematics(t *testing.T) { t.Parallel() options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{ Testing: t, TarIncludePatterns: []string{ "*.tf", - fmt.Sprintf("%s/*.tf", standardSolutionTerraformDir), + fmt.Sprintf("%s/*.tf", fullyConfigurableSolutionTerraformDir), fmt.Sprintf("%s/*.tf", fscloudExampleTerraformDir), fmt.Sprintf("%s/*.tf", "modules/fscloud"), fmt.Sprintf("%s/*.sh", "scripts"), }, - TemplateFolder: standardSolutionTerraformDir, + TemplateFolder: fullyConfigurableSolutionTerraformDir, BestRegionYAMLPath: regionSelectionPath, Prefix: "mdb-st-da", ResourceGroup: resourceGroup, 
@@ -93,12 +93,14 @@ func TestRunStandardSolutionSchematics(t *testing.T) { options.TerraformVars = []testschematic.TestSchematicTerraformVar{ {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, - {Name: "access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"}, + {Name: "mongodb_access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"}, + {Name: "kms_encryption_enabled", Value: true, DataType: "bool"}, + {Name: "use_ibm_owned_encryption_key", Value: false, DataType: "bool"}, {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"}, {Name: "existing_backup_kms_key_crn", Value: permanentResources["hpcs_south_root_key_crn"], DataType: "string"}, {Name: "kms_endpoint_type", Value: "private", DataType: "string"}, {Name: "mongodb_version", Value: "7.0", DataType: "string"}, // Always lock this test into the latest supported MongoDB version - {Name: "resource_group_name", Value: options.Prefix, DataType: "string"}, + {Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"}, {Name: "plan", Value: "standard", DataType: "string"}, {Name: "service_credential_names", Value: "{\"admin_test\": \"Administrator\", \"editor_test\": \"Editor\"}", DataType: "map(string)"}, {Name: "existing_secrets_manager_instance_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"}, 
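Review bot: Neither schematics test sets `service_endpoints`, so the new input and its pass-through into `module "mongodb"` are only exercised at the `public` default and the security-relevant `private` path is untested. Adding `{Name: "service_endpoints", Value: "private", DataType: "string"}` to this var list would cover it — the test already runs with `kms_endpoint_type` set to `private`, so it is the natural hardened combination — provided nothing in the schematics run needs a public connection string, which cannot be confirmed from this hunk. The `TestRunStandardSolutionSchematics` name in the hunk header is old context; the function is renamed in the previous hunk.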
@@ -111,12 +113,12 @@ func TestRunStandardSolutionSchematics(t *testing.T) { err := options.RunSchematicTest() assert.Nil(t, err, "This should not have errored") } -func TestRunStandardUpgradeSolution(t *testing.T) { +func TestRunFullyConfigurableUpgradeSolution(t *testing.T) { t.Parallel() options := testhelper.TestOptionsDefault(&testhelper.TestOptions{ Testing: t, - TerraformDir: standardSolutionTerraformDir, + TerraformDir: fullyConfigurableSolutionTerraformDir, BestRegionYAMLPath: regionSelectionPath, Prefix: "mongodb-st-da-upg", ResourceGroup: resourceGroup, @@ -124,11 +126,13 @@ func TestRunStandardUpgradeSolution(t *testing.T) { }) options.TerraformVars = map[string]interface{}{ - "access_tags": permanentResources["accessTags"], - "existing_kms_instance_crn": permanentResources["hpcs_south_crn"], - "kms_endpoint_type": "public", - "provider_visibility": "public", - "resource_group_name": options.Prefix, + "mongodb_access_tags": permanentResources["accessTags"], + "kms_encryption_enabled": true, + "use_ibm_owned_encryption_key": false, + "existing_kms_instance_crn": permanentResources["hpcs_south_crn"], + "kms_endpoint_type": "public", + "provider_visibility": "public", + "existing_resource_group_name": resourceGroup, } output, err := options.RunTestUpgrade() @@ -175,12 +179,12 @@ func TestRunExistingInstance(t *testing.T) { Testing: t, TarIncludePatterns: []string{ "*.tf", - fmt.Sprintf("%s/*.tf", standardSolutionTerraformDir), + fmt.Sprintf("%s/*.tf", fullyConfigurableSolutionTerraformDir), fmt.Sprintf("%s/*.tf", fscloudExampleTerraformDir), fmt.Sprintf("%s/*.tf", "modules/fscloud"), fmt.Sprintf("%s/*.sh", "scripts"), }, - TemplateFolder: standardSolutionTerraformDir, + TemplateFolder: fullyConfigurableSolutionTerraformDir, BestRegionYAMLPath: regionSelectionPath, Prefix: "mongodb-sr-da", ResourceGroup: resourceGroup, 
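Review bot: `TestRunFullyConfigurableUpgradeSolution`'s `TerraformVars` in the `@@ -124` hunk does not pass `prefix`, and variables.tf in this commit removes `prefix`'s `default = null`, which makes it a required input; unless `testhelper.TestOptionsDefault` injects `prefix` from `options.Prefix` automatically, the upgrade test fails at plan with a missing-variable error. The IBM-keys test in the next hunk adds `"prefix": options.Prefix,` explicitly, so the two should agree either way — add the same line here, or drop it there if the helper supplies it.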
@@ -191,9 +195,8 @@ func TestRunExistingInstance(t *testing.T) { options.TerraformVars = []testschematic.TestSchematicTerraformVar{ {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, {Name: "existing_mongodb_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "mongodb_crn"), DataType: "string"}, - {Name: "resource_group_name", Value: fmt.Sprintf("%s-resource-group", prefix), DataType: "string"}, + {Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"}, {Name: "region", Value: region, DataType: "string"}, - {Name: "use_existing_resource_group", Value: true, DataType: "bool"}, {Name: "provider_visibility", Value: "public", DataType: "string"}, } err := options.RunSchematicTest() @@ -214,12 +217,12 @@ func TestRunExistingInstance(t *testing.T) { } // Test the DA when using IBM owned encryption keys -func TestRunStandardSolutionIBMKeys(t *testing.T) { +func TestRunfullyConfigurableSolutionIBMKeys(t *testing.T) { t.Parallel() options := testhelper.TestOptionsDefault(&testhelper.TestOptions{ Testing: t, - TerraformDir: standardSolutionTerraformDir, + TerraformDir: fullyConfigurableSolutionTerraformDir, Region: "us-south", Prefix: "mongodb-icd-key", ResourceGroup: resourceGroup, @@ -228,8 +231,9 @@ func TestRunStandardSolutionIBMKeys(t *testing.T) { options.TerraformVars = map[string]interface{}{ "mongodb_version": "7.0", "provider_visibility": "public", - "resource_group_name": options.Prefix, + "existing_resource_group_name": resourceGroup, "use_ibm_owned_encryption_key": true, + "prefix": options.Prefix, } output, err := options.RunTestConsistency() From 0033558a4a75f1a156737908265773a076a3b163 Mon Sep 17 00:00:00 2001 
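Review bot: `TestRunfullyConfigurableSolutionIBMKeys` breaks the CamelCase used by the other renamed tests (`TestRunFullyConfigurableSolutionSchematics`, `TestRunFullyConfigurableUpgradeSolution`); rename it to `TestRunFullyConfigurableSolutionIBMKeys`. Go accepts both, so the only effects are on `go test -run` patterns and readability, but it is the kind of inconsistency that tends to stay. Dropping `use_existing_resource_group` from the existing-instance test in the first hunk is right, since the variable no longer exists.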
From: whoffler Date: Fri, 9 May 2025 10:56:04 +0100 Subject: [PATCH 02/15] security enforced variation --- ibm_catalog.json | 255 ++++++++++++- solutions/fully-configurable/README.md | 2 +- solutions/fully-configurable/variables.tf | 2 +- solutions/security-enforced/README.md | 15 + .../catalogValidationValues.json.template | 8 + solutions/security-enforced/main.tf | 47 +++ solutions/security-enforced/outputs.tf | 50 +++ solutions/security-enforced/provider.tf | 1 + solutions/security-enforced/variables.tf | 349 ++++++++++++++++++ solutions/security-enforced/version.tf | 5 + tests/pr_test.go | 59 +++ 11 files changed, 787 insertions(+), 6 deletions(-) create mode 100644 solutions/security-enforced/README.md create mode 100644 solutions/security-enforced/catalogValidationValues.json.template create mode 100644 solutions/security-enforced/main.tf create mode 100644 solutions/security-enforced/outputs.tf create mode 100644 solutions/security-enforced/provider.tf create mode 100644 solutions/security-enforced/variables.tf create mode 100644 solutions/security-enforced/version.tf diff --git a/ibm_catalog.json b/ibm_catalog.json index a77adcb9..58432650 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -97,6 +97,18 @@ { "key": "ibmcloud_api_key" }, + { + "key": "existing_resource_group_name", + "required": true, + "custom_config": { + "type": "resource_group", + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "identifier": "rg_name" + } + } + }, { "key": "provider_visibility", "options": [ @@ -114,9 +126,6 @@ } ] }, - { - "key": "existing_resource_group_name" - }, { "key": "prefix" }, @@ -258,7 +267,17 @@ "key": "existing_kms_key_crn" }, { - "key": "kms_endpoint_type" + "key": "kms_endpoint_type", + "options": [ + { + "displayname": "public", + "value": "public" + }, + { + "displayname": "private", + "value": "private" + } + ] }, { "key": "skip_mongodb_kms_auth_policy" 
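Review bot: `kms_endpoint_type` now gets an explicit public/private `options` list, but `service_endpoints` in the same flavor's configuration (added in the previous commit) still has none, so one endpoint-type input is a dropdown and the other a free-text field; giving `service_endpoints` the same `options` shape with `public`, `private` and `public-and-private` keeps the UI consistent and prevents values the variable validation is meant to reject. The `existing_resource_group_name` entry is moved above `provider_visibility` and marked `"required": true`, while the variable it maps to carries `default = "Default"`, so the catalog and the variable disagree on whether a value is needed; pick one, and if the catalog is right the variable default should go.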
@@ -297,6 +316,234 @@ "key": "skip_mongodb_secrets_manager_auth_policy" } ] + }, + { + "label": "Security Enforced", + "name": "security-enforced", + "install_type": "fullstack", + "working_directory": "solutions/security-enforced", + "compliance": { + "authority": "scc-v3", + "profiles": [ + { + "profile_name": "IBM Cloud Framework for Financial Services", + "profile_version": "1.7.0" + } + ] + }, + "iam_permissions": [ + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "databases-for-mongodb" + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "kms" + } + ], + "architecture": { + "descriptions": "This architecture creates an instance of IBM Cloud Databases for MongoDB instance with KMS encryption. Supports autoscaling.", + "features": [ + { + "title": " Creates an instance of Databases for MongoDB", + "description": "This architecture creates an instance of IBM Cloud Databases for MongoDB with KMS encryption. It accepts or creates a resource group, and provides autoscaling rules." + } + ], + "diagrams": [ + { + "diagram": { + "caption": "Databases for MongoDB instance on IBM Cloud", + "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/main/reference-architecture/deployable-architecture-mongodb.svg", + "type": "image/svg+xml" + }, + "description": "This architecture supports creating and configuring an instance of Databases for MongoDB instance with KMS encryption." 
+ } + ] + }, + "configuration": [ + { + "key": "ibmcloud_api_key" + }, + { + "key": "existing_resource_group_name", + "required": true, + "custom_config": { + "type": "resource_group", + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "identifier": "rg_name" + } + } + }, + { + "key": "region", + "required": true, + "default_value": "us-south", + "options": [ + { + "displayname": "Chennai (che01)", + "value": "che01" + }, + { + "displayname": "Dallas (us-south)", + "value": "us-south" + }, + { + "displayname": "Frankfurt (eu-de)", + "value": "eu-de" + }, + { + "displayname": "London (eu-gb)", + "value": "eu-gb" + }, + { + "displayname": "Madrid (eu-es)", + "value": "eu-es" + }, + { + "displayname": "Osaka (jp-osa)", + "value": "jp-osa" + }, + { + "displayname": "Paris (par01)", + "value": "par01" + }, + { + "displayname": "Sao Paulo (br-sao)", + "value": "br-sao" + }, + { + "displayname": "Sydney (au-syd)", + "value": "au-syd" + }, + { + "displayname": "Toronto (ca-tor)", + "value": "ca-tor" + }, + { + "displayname": "Tokyo (jp-tok)", + "value": "jp-tok" + }, + { + "displayname": "Washington (us-east)", + "value": "us-east" + } + ] + }, + { + "key": "prefix" + }, + { + "key": "mongodb_name" + }, + + { + "key": "mongodb_version", + "required": false, + "default_value": "__NULL__", + "options": [ + { + "displayname": "preferred", + "value": "__NULL__" + }, + { + "displayname": "6.0", + "value": "6.0" + }, + { + "displayname": "7.0", + "value": "7.0" + } + ] + }, + { + "key": "plan" + }, + { + "key": "members" + }, + { + "key": "memory_mb" + }, + { + "key": "cpu_count" + }, + { + "key": "disk_mb" + }, + { + "key": "member_host_flavor" + }, + { + "key": "service_credential_names" + }, + { + "key": "admin_pass" + }, + { + "key": "admin_pass_secrets_manager_secret_group" + }, + { + "key": "admin_pass_secrets_manager_secret_name" + }, + { + "key": "existing_mongodb_instance_crn" + }, + { + "key": 
"use_existing_admin_pass_secrets_manager_secret_group" + }, + { + "key": "users" + }, + { + "key": "mongodb_tags" + }, + { + "key": "mongodb_access_tags" + }, + { + "key": "existing_kms_instance_crn" + }, + { + "key": "existing_kms_key_crn" + }, + { + "key": "skip_mongodb_kms_auth_policy" + }, + { + "key": "ibmcloud_kms_api_key" + }, + { + "key": "key_ring_name" + }, + { + "key": "key_name" + }, + { + "key": "existing_backup_kms_key_crn" + }, + { + "key": "auto_scaling" + }, + { + "key": "backup_crn" + }, + { + "key": "existing_secrets_manager_instance_crn" + }, + { + "key": "service_credential_secrets" + }, + { + "key": "skip_mongodb_secrets_manager_auth_policy" + } + ] } ] } diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index 9be2994f..d12694b0 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md @@ -1,4 +1,4 @@ -# IBM Cloud Databases for MongoDB +# IBM Cloud Databases for MongoDB (Fully Configurable) ## Prerequisites - An existing resource group diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index c405460a..e407a084 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -70,7 +70,7 @@ variable "plan" { variable "service_endpoints" { type = string description = "The type of endpoint of the database instance. Possible values: `public`, `private`, `public-and-private`." - default = "public" + default = "private" validation { condition = can(regex("public|public-and-private|private", var.service_endpoints)) diff --git a/solutions/security-enforced/README.md b/solutions/security-enforced/README.md new file mode 100644 index 00000000..ac9afbfe --- /dev/null +++ b/solutions/security-enforced/README.md 
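Review bot: The `features[0].description` of the new `security-enforced` flavor says the architecture "accepts or creates a resource group", but the flavor's `existing_resource_group_name` entry is `"required": true` and the solution README added in this series lists an existing resource group as a prerequisite; suggest `"description": "This architecture creates an instance of IBM Cloud Databases for MongoDB with KMS encryption in an existing resource group, and provides autoscaling rules."`. The key `"descriptions"` (plural) on the `architecture` object and the leading space in `" Creates an instance of Databases for MongoDB"` look like typos; if the fully-configurable flavor spells them the same way they are pre-existing, but worth checking against what the catalog validator expects. The flavor omits `service_endpoints`, `kms_endpoint_type`, `provider_visibility`, `kms_encryption_enabled` and `use_ibm_owned_encryption_key`, which matches the values hard-coded in `solutions/security-enforced/main.tf`; a sentence in that flavor's README stating that endpoints are fixed to private and KMS encryption is always on would save readers diffing the two flavors.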
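Review bot: Changing the `service_endpoints` default to `"private"` is the right direction, but the validation on the context line below it, `can(regex("public|public-and-private|private", var.service_endpoints))`, is unanchored and accepts any string that merely contains one of those words (for example `"privately"`), which is then only rejected by the provider at apply time. An exact membership check is both stricter and easier to read: `condition = contains(["public", "private", "public-and-private"], var.service_endpoints)`. The `variable "service_endpoints"` block continues outside the hunk.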
@@ -0,0 +1,15 @@ +# IBM Cloud Databases for MongoDB (Security Enforced) + +## Prerequisites +- An existing resource group + +This architecture creates an instance of IBM Cloud Databases for MongoDB and supports provisioning of the following resources: + +- A KMS root key, if one is not passed in. +- An IBM Cloud Databases for MongoDB instance with KMS encryption. +- Autoscaling rules for the database instance, if provided. +- Service credential secrets and store them in secret manager. + +![fscloud-mongodb](../../reference-architecture/deployable-architecture-mongodb.svg) + +:exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers). diff --git a/solutions/security-enforced/catalogValidationValues.json.template b/solutions/security-enforced/catalogValidationValues.json.template new file mode 100644 index 00000000..7cc65c1e --- /dev/null +++ b/solutions/security-enforced/catalogValidationValues.json.template @@ -0,0 +1,8 @@ +{ + "ibmcloud_api_key": $VALIDATION_APIKEY, + "region": "us-south", + "mongodb_tags": $TAGS, + "mongodb_name": $PREFIX, + "existing_resource_group_name": $PREFIX, + "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN +} diff --git a/solutions/security-enforced/main.tf b/solutions/security-enforced/main.tf new file mode 100644 index 00000000..e3ef016d --- /dev/null +++ b/solutions/security-enforced/main.tf 
@@ -0,0 +1,47 @@ +module "mongodb" { + source = "../fully-configurable" + ibmcloud_api_key = var.ibmcloud_api_key + existing_resource_group_name = var.existing_resource_group_name + prefix = var.prefix + mongodb_name = var.mongodb_name + region = var.region + mongodb_version = var.mongodb_version + plan = var.plan + service_endpoints = "private" + existing_mongodb_instance_crn = var.existing_mongodb_instance_crn + # ICD hosting model properties + members = var.members + memory_mb = var.memory_mb + cpu_count = var.cpu_count + disk_mb = var.disk_mb + member_host_flavor = var.member_host_flavor + service_credential_names = var.service_credential_names + admin_pass = var.admin_pass + users = var.users + mongodb_tags = var.mongodb_tags + mongodb_access_tags = var.mongodb_access_tags + # Encryption + kms_encryption_enabled = true + use_ibm_owned_encryption_key = false + existing_kms_instance_crn = var.existing_kms_instance_crn + existing_kms_key_crn = var.existing_kms_key_crn + existing_backup_kms_key_crn = var.existing_backup_kms_key_crn + kms_endpoint_type = "private" + skip_mongodb_kms_auth_policy = var.skip_mongodb_kms_auth_policy + ibmcloud_kms_api_key = var.ibmcloud_kms_api_key + key_ring_name = var.key_ring_name + key_name = var.key_name + use_default_backup_encryption_key = false + backup_crn = var.backup_crn + provider_visibility = "private" + # Auto Scaling + auto_scaling = var.auto_scaling + # Secrets Manager Service Credentials + existing_secrets_manager_instance_crn = var.existing_secrets_manager_instance_crn + existing_secrets_manager_endpoint_type = "private" + service_credential_secrets = var.service_credential_secrets + skip_mongodb_secrets_manager_auth_policy = var.skip_mongodb_secrets_manager_auth_policy + admin_pass_secrets_manager_secret_group = var.admin_pass_secrets_manager_secret_group + use_existing_admin_pass_secrets_manager_secret_group = var.use_existing_admin_pass_secrets_manager_secret_group + admin_pass_secrets_manager_secret_name = 
var.admin_pass_secrets_manager_secret_name +} diff --git a/solutions/security-enforced/outputs.tf b/solutions/security-enforced/outputs.tf new file mode 100644 index 00000000..bd403dff --- /dev/null +++ b/solutions/security-enforced/outputs.tf @@ -0,0 +1,50 @@ +############################################################################## +# Outputs +############################################################################## + +output "id" { + description = "MongoDB instance id" + value = module.mongodb.id +} + +output "version" { + description = "MongoDB instance version" + value = module.mongodb.version +} + +output "guid" { + description = "MongoDB instance guid" + value = module.mongodb.guid +} + +output "crn" { + description = "MongoDB instance crn" + value = module.mongodb.crn +} + +output "service_credentials_json" { + description = "Service credentials json map" + value = module.mongodb.service_credentials_json + sensitive = true +} + +output "service_credentials_object" { + description = "Service credentials object" + value = module.mongodb.service_credentials_object + sensitive = true +} + +output "hostname" { + description = "Database connection hostname" + value = module.mongodb.hostname +} + +output "port" { + description = "Database connection port" + value = module.mongodb.port +} + +output "secrets_manager_secrets" { + description = "Service credential secrets" + value = module.mongodb.secrets_manager_secrets +} diff --git a/solutions/security-enforced/provider.tf b/solutions/security-enforced/provider.tf new file mode 100644 index 00000000..4c6add22 --- /dev/null +++ b/solutions/security-enforced/provider.tf @@ -0,0 +1 @@ +# Explicit provider config not required here as provider config in fully-configurable is used diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf new file mode 100644 index 00000000..86731329 --- /dev/null +++ b/solutions/security-enforced/variables.tf 
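Review bot: The wrapper pins `service_endpoints`, `kms_endpoint_type`, `provider_visibility` and `existing_secrets_manager_endpoint_type` to `"private"`, but `solutions/security-enforced/README.md` in this series does not say that the deployment therefore needs a runner with access to IBM Cloud private endpoints (for example Schematics or a VPC-resident executor); a prerequisite line such as `- Network access to IBM Cloud private endpoints; this solution forces private endpoints for the provider, the database, KMS and Secrets Manager` would prevent confusing plan-time connection failures. It would also help to state in the README that `kms_encryption_enabled = true` and `use_ibm_owned_encryption_key = false` are fixed here, since the module call is the only place those choices are visible.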
@@ -0,0 +1,349 @@ +############################################################################## +# Input Variables +############################################################################## + +variable "ibmcloud_api_key" { + type = string + description = "The IBM Cloud API key to deploy resources." + sensitive = true +} + +variable "existing_resource_group_name" { + type = string + description = "The name of an existing resource group to provision the Databases for MongoDB in." + default = "Default" + nullable = false +} + +variable "prefix" { + type = string + description = "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string." + nullable = true + validation { + condition = (var.prefix == null ? true : + alltrue([ + can(regex("^[a-z]{0,1}[-a-z0-9]{0,14}[a-z0-9]{0,1}$", var.prefix)), + length(regexall("^.*--.*", var.prefix)) == 0 + ]) + ) + error_message = "Prefix must begin with a lowercase letter, contain only lowercase letters, numbers, and - characters. Prefixes must end with a lowercase letter or number and be 16 or fewer characters." + } +} + +variable "mongodb_name" { + type = string + description = "The name of the Databases for MongoDB instance. If a prefix input variable is specified, the prefix is added to the name in the `-` format." + default = "mongodb" +} + +variable "region" { + description = "The region where you want to deploy your instance." + type = string + default = "us-south" +} + +variable "mongodb_version" { + description = "The version of the Databases for MongoDB instance. If no value is specified, the current preferred version of Databases for MongoDB is used." 
+ type = string + default = null +} + +variable "plan" { + type = string + description = "The name of the service plan that you choose for your MongoDB instance" + default = "standard" + + validation { + condition = anytrue([ + var.plan == "standard", + var.plan == "enterprise", + ]) + error_message = "Only supported plans are standard or enterprise" + } +} + +variable "existing_mongodb_instance_crn" { + type = string + default = null + description = "The CRN of an existing Databases for MongoDB instance. If no value is specified, a new instance is created." +} + +############################################################################## +# ICD hosting model properties +############################################################################## + +variable "members" { + type = number + description = "The number of members that are allocated. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-resources-scaling)." + default = 3 +} + +variable "memory_mb" { + type = number + description = "The memory per member that is allocated. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-resources-scaling)" + default = 4096 +} + +variable "cpu_count" { + type = number + description = "The dedicated CPU per member that is allocated. For shared CPU, set to 0. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-resources-scaling)." + default = 0 +} + +variable "disk_mb" { + type = number + description = "The disk that is allocated per member. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-resources-scaling)." + default = 10240 +} + +variable "member_host_flavor" { + type = string + description = "The host flavor per member. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database#host_flavor)." 
+ default = "multitenant" + # Prevent null or "", require multitenant or a machine type + validation { + condition = (length(var.member_host_flavor) > 0) + error_message = "Member host flavor must be specified. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database#host_flavor)." + } +} + +variable "service_credential_names" { + description = "Map of name, role for service credentials that you want to create for the database. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/fully-configurable/DA-types.md#svc-credential-name)" + type = map(string) + default = {} +} + +variable "admin_pass" { + type = string + description = "The password for the database administrator. If the admin password is null then the admin user ID cannot be accessed. More users can be specified in a user block." + default = null + sensitive = true +} + +variable "users" { + type = list(object({ + name = string + password = string # pragma: allowlist secret + type = string # "type" is required to generate the connection string for the outputs. + role = optional(string) + })) + default = [] + sensitive = true + description = "A list of users that you want to create on the database. Users block is supported by MongoDB version >= 6.0. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service_credential_names) is sufficient to control access to the MongoDB instance. This blocks creates native MongoDB database users. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/fully-configurable/DA-types.md#users)" +} + +variable "mongodb_tags" { + type = list(any) + description = "The list of tags to be added to the Databases for MongoDB instance." 
+ default = [] +} + +variable "mongodb_access_tags" { + type = list(string) + description = "A list of access tags to apply to the Databases for MongoDB instance created by the solution. [Learn more](https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial)." + default = [] +} + +############################################################## +# Encryption +############################################################## + +variable "existing_kms_instance_crn" { + type = string + description = "The CRN of a Key Protect or Hyper Protect Crypto Services instance. Required to create a new encryption key and key ring which will be used to encrypt both deployment data and backups. Applies only if `use_ibm_owned_encryption_key` is false. To use an existing key, pass values for `existing_kms_key_crn` and/or `existing_backup_kms_key_crn`. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." + default = null + + validation { + condition = var.existing_mongodb_instance_crn != null ? var.existing_kms_instance_crn == null : true + error_message = "When using an existing mongodb instance 'existing_kms_instance_crn' should not be set" + } + + validation { + condition = ( + length(compact([var.existing_kms_instance_crn, var.existing_kms_key_crn, var.existing_backup_kms_key_crn])) == 1 ? true : false + ) + error_message = "To enable KMS encryption one of 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn' must be set." + } +} + +variable "existing_kms_key_crn" { + type = string + description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `use_ibm_owned_encryption_key` is false. 
By default this key is used for both deployment data and backups, but this behaviour can be altered using the optional `existing_backup_kms_key_crn` input. If no value is passed a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." + default = null + + validation { + condition = var.existing_mongodb_instance_crn != null ? var.existing_kms_key_crn == null : true + error_message = "When using an existing mongodb instance 'existing_kms_key_crn' should not be set" + } +} + +variable "existing_backup_kms_key_crn" { + type = string + description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false. If no value is passed, the value of `existing_kms_key_crn` is used. If no value is passed for `existing_kms_key_crn`, a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." + default = null + + validation { + condition = var.existing_mongodb_instance_crn != null ? 
var.existing_backup_kms_key_crn == null : true + error_message = "When using an existing mongodb instance 'existing_backup_kms_key_crn' should not be set" + } +} + +variable "skip_mongodb_kms_auth_policy" { + type = bool + description = "Whether to create an IAM authorization policy that permits all Databases for MongoDB instances in the resource group to read the encryption key from the Hyper Protect Crypto Services instance specified in the `existing_kms_instance_crn` variable." + default = false +} + +variable "ibmcloud_kms_api_key" { + type = string + description = "The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance. If not specified, the 'ibmcloud_api_key' variable is used. Specify this key if the instance in `existing_kms_instance_crn` is in an account that's different from the MongoDB instance. Leave this input empty if the same account owns both instances." + sensitive = true + default = null +} + +variable "key_ring_name" { + type = string + default = "mongodb-key-ring" + description = "The name for the key ring created for the Databases for MongoDB key. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `-` format." +} + +variable "key_name" { + type = string + default = "mongodb-key" + description = "The name for the key created for the Databases for MongoDB key. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `-` format." +} + +variable "backup_crn" { + type = string + description = "The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty." 
+ default = null + + validation { + condition = anytrue([ + var.backup_crn == null, + can(regex("^crn:.*:backup:", var.backup_crn)) + ]) + error_message = "backup_crn must be null OR starts with 'crn:' and contains ':backup:'" + } +} + +############################################################## +# Auto Scaling +############################################################## + +variable "auto_scaling" { + type = object({ + disk = object({ + capacity_enabled = optional(bool, false) + free_space_less_than_percent = optional(number, 10) + io_above_percent = optional(number, 90) + io_enabled = optional(bool, false) + io_over_period = optional(string, "15m") + rate_increase_percent = optional(number, 10) + rate_limit_mb_per_member = optional(number, 3670016) + rate_period_seconds = optional(number, 900) + rate_units = optional(string, "mb") + }) + memory = object({ + io_above_percent = optional(number, 90) + io_enabled = optional(bool, false) + io_over_period = optional(string, "15m") + rate_increase_percent = optional(number, 10) + rate_limit_mb_per_member = optional(number, 114688) + rate_period_seconds = optional(number, 900) + rate_units = optional(string, "mb") + }) + }) + description = "Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. 
[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/fully-configurable/DA-types.md#autoscaling)" + default = null +} + +############################################################################## +## Secrets Manager Service Credentials +############################################################################## + +variable "existing_secrets_manager_instance_crn" { + type = string + default = null + description = "The CRN of existing secrets manager to use to create service credential secrets for Databases for MongoDB instance." +} + +variable "service_credential_secrets" { + type = list(object({ + secret_group_name = string + secret_group_description = optional(string) + existing_secret_group = optional(bool) + service_credentials = list(object({ + secret_name = string + service_credentials_source_service_role_crn = string + secret_labels = optional(list(string)) + secret_auto_rotation = optional(bool) + secret_auto_rotation_unit = optional(string) + secret_auto_rotation_interval = optional(number) + service_credentials_ttl = optional(string) + service_credential_secret_description = optional(string) + + })) + })) + default = [] + description = "Service credential secrets configuration for Databases for MongoDB. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/tree/main/solutions/fully-configurable/DA-types.md#service-credential-secrets)." 
+ + validation { + # Service roles CRNs can be found at https://cloud.ibm.com/iam/roles, select the IBM Cloud Database and select the role + condition = alltrue([ + for group in var.service_credential_secrets : alltrue([ + # crn:v?:bluemix; two non-empty segments; three possibly empty segments; :serviceRole or role: non-empty segment + for credential in group.service_credentials : can(regex("^crn:v[0-9]:bluemix(:..*){2}(:.*){3}:(serviceRole|role):..*$", credential.service_credentials_source_service_role_crn)) + ]) + ]) + error_message = "service_credentials_source_service_role_crn must be a serviceRole CRN. See https://cloud.ibm.com/iam/roles" + } + + validation { + condition = ( + length(var.service_credential_secrets) == 0 || + var.existing_secrets_manager_instance_crn != null + ) + error_message = "`existing_secrets_manager_instance_crn` is required when adding service credentials to a secrets manager secret." + } +} + +variable "skip_mongodb_secrets_manager_auth_policy" { + type = bool + description = "Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Databases for MongoDB. If set to false, the Secrets Manager instance passed by the user is granted the Key Manager access to the MongoDB instance created by the Deployable Architecture. Set to `true` to use an existing policy. The value of this is ignored if any value for 'existing_secrets_manager_instance_crn' is not passed." + default = false +} + +variable "admin_pass_secrets_manager_secret_group" { + type = string + description = "The name of a new or existing secrets manager secret group for admin password. To use existing secret group, `use_existing_admin_pass_secrets_manager_secret_group` must be set to `true`. If a prefix input variable is specified, the prefix is added to the name in the `-` format." 
+ default = "mongodb-secrets" + + validation { + condition = ( + var.existing_secrets_manager_instance_crn == null || + var.admin_pass_secrets_manager_secret_group != null + ) + error_message = "`admin_pass_secrets_manager_secret_group` is required when `existing_secrets_manager_instance_crn` is set." + } +} + +variable "use_existing_admin_pass_secrets_manager_secret_group" { + type = bool + description = "Whether to use an existing secrets manager secret group for admin password." + default = false +} + +variable "admin_pass_secrets_manager_secret_name" { + type = string + description = "The name of a new mongodb administrator secret. If a prefix input variable is specified, the prefix is added to the name in the `-` format." + default = "mongodb-admin-password" + + validation { + condition = ( + var.existing_secrets_manager_instance_crn == null || + var.admin_pass_secrets_manager_secret_name != null + ) + error_message = "`admin_pass_secrets_manager_secret_name` is required when `existing_secrets_manager_instance_crn` is set." + } +} diff --git a/solutions/security-enforced/version.tf b/solutions/security-enforced/version.tf new file mode 100644 index 00000000..2d5c091d --- /dev/null +++ b/solutions/security-enforced/version.tf @@ -0,0 +1,5 @@ +terraform { + required_version = ">= 1.9.0" + # Lock DA into an exact provider version - renovate automation will keep it updated + required_providers {} +} diff --git a/tests/pr_test.go b/tests/pr_test.go index a31ff47f..cbf54a5d 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -23,6 +23,7 @@ import ( const fscloudExampleTerraformDir = "examples/fscloud" const fullyConfigurableSolutionTerraformDir = "solutions/fully-configurable" +const securityEnforcedSolutionTerraformDir = "solutions/security-enforced" const latestVersion = "7.0" // Use existing resource group 
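Review bot: The second validation on `existing_kms_instance_crn`, `length(compact([var.existing_kms_instance_crn, var.existing_kms_key_crn, var.existing_backup_kms_key_crn])) == 1`, rejects two configurations the file itself documents as valid: the descriptions say to pass `existing_kms_key_crn` "and/or" `existing_backup_kms_key_crn`, and `TestRunSecurityEnforcedSolutionSchematics` in this series passes both `existing_kms_instance_crn` and `existing_backup_kms_key_crn`, which yields a count of 2 and fails the check. Combined with the three `var.existing_mongodb_instance_crn != null ? ... == null : true` validations, it also makes `existing_mongodb_instance_crn` unusable in this flavor, because any value forces all three CRNs to null and the count to 0. Suggest `condition = var.existing_mongodb_instance_crn != null || length(compact([var.existing_kms_instance_crn, var.existing_kms_key_crn, var.existing_backup_kms_key_crn])) > 0`, which matches the "at least one" rule the fully-configurable flavor applies. Separately, the `service_credential_secrets` error message says the value "must be a serviceRole CRN" while the regex (and the test data, `role:Viewer`) also accepts `role:`, and the descriptions repeat "Bare in mind" for "Bear in mind".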
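Review bot: In `version.tf` the comment `# Lock DA into an exact provider version - renovate automation will keep it updated` sits above an empty `required_providers {}`, so it describes nothing in this file; the sibling `provider.tf` says provider configuration comes from `fully-configurable`. Suggest `# No providers declared here: this wrapper sources ../fully-configurable, whose version.tf pins the provider versions` (presumably that file carries the pin; I cannot see it from here).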
@@ -113,6 +114,7 @@ func TestRunFullyConfigurableSolutionSchematics(t *testing.T) { err := options.RunSchematicTest() assert.Nil(t, err, "This should not have errored") } + func TestRunFullyConfigurableUpgradeSolution(t *testing.T) { t.Parallel() 
@@ -142,6 +144,63 @@ func TestRunFullyConfigurableUpgradeSolution(t *testing.T) { } } +func TestRunSecurityEnforcedSolutionSchematics(t *testing.T) { + t.Parallel() + + options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{ + Testing: t, + TarIncludePatterns: []string{ + "*.tf", + fmt.Sprintf("%s/*.tf", fullyConfigurableSolutionTerraformDir), + fmt.Sprintf("%s/*.tf", securityEnforcedSolutionTerraformDir), + fmt.Sprintf("%s/*.tf", fscloudExampleTerraformDir), + fmt.Sprintf("%s/*.tf", "modules/fscloud"), + fmt.Sprintf("%s/*.sh", "scripts"), + }, + TemplateFolder: securityEnforcedSolutionTerraformDir, + BestRegionYAMLPath: regionSelectionPath, + Prefix: "mdb-st-da", + ResourceGroup: resourceGroup, + DeleteWorkspaceOnFail: false, + WaitJobCompleteMinutes: 60, + }) + + serviceCredentialSecrets := []map[string]interface{}{ + { + "secret_group_name": fmt.Sprintf("%s-secret-group", options.Prefix), + "service_credentials": []map[string]string{ + { + "secret_name": fmt.Sprintf("%s-cred-reader", options.Prefix), + "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer", + }, + { + "secret_name": fmt.Sprintf("%s-cred-writer", options.Prefix), + "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor", + }, + }, + }, + } + + options.TerraformVars = []testschematic.TestSchematicTerraformVar{ + {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, + {Name: "mongodb_access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"}, + {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"}, + {Name: "existing_backup_kms_key_crn", Value: permanentResources["hpcs_south_root_key_crn"], DataType: "string"}, + {Name: "kms_endpoint_type", Value: "private", DataType: "string"}, + {Name: "mongodb_version", Value: "7.0", DataType: "string"}, // Always lock 
this test into the latest supported MongoDB version + {Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"}, + {Name: "plan", Value: "standard", DataType: "string"}, + {Name: "service_credential_names", Value: "{\"admin_test\": \"Administrator\", \"editor_test\": \"Editor\"}", DataType: "map(string)"}, + {Name: "existing_secrets_manager_instance_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"}, + {Name: "service_credential_secrets", Value: serviceCredentialSecrets, DataType: "list(object)"}, + {Name: "admin_pass_secrets_manager_secret_group", Value: options.Prefix, DataType: "string"}, + {Name: "admin_pass_secrets_manager_secret_name", Value: options.Prefix, DataType: "string"}, + {Name: "prefix", Value: options.Prefix, DataType: "string"}, + } + err := options.RunSchematicTest() + assert.Nil(t, err, "This should not have errored") +} + func TestRunExistingInstance(t *testing.T) { t.Parallel() prefix := fmt.Sprintf("mongodb-t-%s", strings.ToLower(random.UniqueId())) From df453940e5f1435f9a8d94c1a5459c43c721e47d Mon Sep 17 00:00:00 2001 From: whoffler Date: Mon, 12 May 2025 09:12:52 +0100 Subject: [PATCH 03/15] SKIP UPGRADE TEST update cra-config.yaml --- cra-config.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/cra-config.yaml b/cra-config.yaml index fbae9039..17ed72c8 100644 --- a/cra-config.yaml +++ b/cra-config.yaml 
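Review bot: `TestRunSecurityEnforcedSolutionSchematics` passes `{Name: "kms_endpoint_type", Value: "private", DataType: "string"}`, but `solutions/security-enforced/variables.tf` in this series declares no `kms_endpoint_type` variable (the wrapper hard-codes `kms_endpoint_type = "private"` in its main.tf), so Terraform will at least warn about a value for an undeclared variable and, depending on how Schematics supplies it, may fail the plan; drop that line. The same test sets both `existing_kms_instance_crn` and `existing_backup_kms_key_crn`, which the `length(compact([...])) == 1` validation on `existing_kms_instance_crn` in that variables.tf rejects, so the test cannot pass until that validation is relaxed. `TarIncludePatterns` also ships `fscloudExampleTerraformDir` and `modules/fscloud`, which the wrapper (sourcing `../fully-configurable`) does not appear to need; if that was copied from the fscloud test it can likely be trimmed, though I cannot confirm what fully-configurable's main.tf pulls in.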
@@ -1,12 +1,13 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
- - CRA_TARGET: "solutions/standard"
+ - CRA_TARGET: "solutions/fully-configurable"
 CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json"
 PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3" # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile).
 CRA_ENVIRONMENT_VARIABLES:
+ TF_VAR_prefix: "test"
+ TF_VAR_existing_resource_group_name: "geretain-test-redis"
+ TF_VAR_kms_encryption_enabled: true
+ TF_VAR_use_ibm_owned_encryption_key: false
 TF_VAR_existing_kms_instance_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9::"
- TF_VAR_existing_kms_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:1368d2eb-3ed0-4a8b-b09c-2155895f01ea"
- TF_VAR_use_existing_resource_group: true
- TF_VAR_resource_group_name: "geretain-test-redis"
 TF_VAR_provider_visibility: "public"
From 7d84e1daeb7bece1808343817092643fbef9a866 Mon Sep 17 00:00:00 2001
From: whoffler
Date: Mon, 12 May 2025 10:55:13 +0100
Subject: [PATCH 04/15] SKIP UPGRADE TEST fix unit test and variable validation
---
 solutions/fully-configurable/variables.tf | 22 ++++++++++++----------
 tests/pr_test.go | 4 +++-
 2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index e407a084..4ed2a56b 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
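Review bot: The CRA scan now turns on customer-managed encryption (`TF_VAR_kms_encryption_enabled: true`, `TF_VAR_use_ibm_owned_encryption_key: false`) but leaves `kms_endpoint_type` and `service_endpoints` at whatever the solution defaults to; if either defaults to public, the Financial Services profile is being evaluated against a weaker posture than the flavor is meant to ship with. Pinning them here makes the scanned configuration explicit: `TF_VAR_kms_endpoint_type: "private"` and `TF_VAR_service_endpoints: "private"`. `TF_VAR_provider_visibility: "public"` is presumably required for the pipeline runner to reach the API and is unchanged, and the resource group name `geretain-test-redis` is carried over from the Redis repository, which is harmless but worth a comment so nobody "fixes" it to a group that does not exist.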
@@ -169,17 +169,19 @@ variable "kms_encryption_enabled" {
 description = "Set to true to enable KMS Encryption using customer managed keys. When set to true, a value must be passed for either 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn'."
 default = false
- # this validation ensures key info is provided when Kms encryption is enabled and no MongoDB instance is given
 validation {
- condition = (
- var.existing_mongodb_instance_crn != null ||
- (var.kms_encryption_enabled && (
- var.existing_kms_instance_crn != null ||
- var.existing_kms_key_crn != null ||
- var.existing_backup_kms_key_crn != null
- ))
- )
- error_message = "When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'kms_encryption_enabled' input must be set to true."
+ condition = var.existing_mongodb_instance_crn != null ? var.kms_encryption_enabled == false : true
+ error_message = "When using an existing mongodb instance 'kms_encryption_enabled' should not be enabled"
+ }
+
+ validation {
+ condition = var.kms_encryption_enabled == true ? (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null) : true
+ error_message = "You must provide at least one of 'existing_kms_instance_crn', 'existing_kms_root_key_crn' or 'existing_backup_kms_key_crn' inputs if 'kms_encryption_enabled' is set to true."
+ }
+
+ validation {
+ condition = var.kms_encryption_enabled == false ? (var.existing_kms_key_crn == null && var.existing_kms_instance_crn == null && var.existing_backup_kms_key_crn == null) : true
+ error_message = "If 'kms_encryption_enabled' is set to false, you should not pass values for 'existing_kms_instance_crn', 'existing_kms_root_key_crn' or 'existing_backup_kms_key_crn'. inputs"
 }
 }
diff --git a/tests/pr_test.go b/tests/pr_test.go
index cbf54a5d..0643a096 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
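Review bot: Both new error messages name an input `existing_kms_root_key_crn` that does not exist; the conditions test `var.existing_kms_key_crn`, so a user who hits the check is pointed at the wrong variable, and the third message ends in a stray `. inputs`. Suggested text for the second: `error_message = "You must provide at least one of 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn' when 'kms_encryption_enabled' is true."` and for the third `error_message = "If 'kms_encryption_enabled' is false, do not pass 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn'."`. The second validation is also satisfied by `existing_backup_kms_key_crn` alone, yet nothing in this hunk turns a backup key into a key for the primary data, so either that combination is valid (then the description should say how the primary key is chosen) or the check should require the instance CRN or the key CRN and treat the backup key as an addition. The variable block starts outside the hunk.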
@@ -128,6 +128,7 @@ func TestRunFullyConfigurableUpgradeSolution(t *testing.T) {
 })
 options.TerraformVars = map[string]interface{}{
+ "prefix": options.Prefix,
 "mongodb_access_tags": permanentResources["accessTags"],
 "kms_encryption_enabled": true,
 "use_ibm_owned_encryption_key": false,
@@ -252,6 +253,7 @@ func TestRunExistingInstance(t *testing.T) {
 })
 options.TerraformVars = []testschematic.TestSchematicTerraformVar{
+ {Name: "prefix", Value: options.Prefix, DataType: "string"},
 {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
 {Name: "existing_mongodb_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "mongodb_crn"), DataType: "string"},
 {Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"},
@@ -283,7 +285,7 @@ func TestRunfullyConfigurableSolutionIBMKeys(t *testing.T) {
 Testing: t,
 TerraformDir: fullyConfigurableSolutionTerraformDir,
 Region: "us-south",
- Prefix: "mongodb-icd-key",
+ Prefix: "mongo-key",
 ResourceGroup: resourceGroup,
 })
From 22ad7f63d54ab2e7b903ebd754e6e8bd5b2d6174 Mon Sep 17 00:00:00 2001
From: whoffler
Date: Mon, 12 May 2025 13:49:21 +0100
Subject: [PATCH 05/15] SKIP UPGRADE TEST fix unit test and variable validation
---
 solutions/security-enforced/variables.tf | 7 -------
 tests/pr_test.go | 10 ++++------
 2 files changed, 4 insertions(+), 13 deletions(-)
diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf
index 86731329..307d3f0b 100644
--- a/solutions/security-enforced/variables.tf
+++ b/solutions/security-enforced/variables.tf
@@ -157,13 +157,6 @@ variable "existing_kms_instance_crn" {
 condition = var.existing_mongodb_instance_crn != null ? var.existing_kms_instance_crn == null : true
 error_message = "When using an existing mongodb instance 'existing_kms_instance_crn' should not be set"
 }
-
- validation {
- condition = (
- length(compact([var.existing_kms_instance_crn, var.existing_kms_key_crn, var.existing_backup_kms_key_crn])) == 1 ? true : false
- )
- error_message = "To enable KMS encryption one of 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn' must be set."
- }
 }
 variable "existing_kms_key_crn" {
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 0643a096..d457aca4 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -70,7 +70,7 @@ func TestRunFullyConfigurableSolutionSchematics(t *testing.T) {
 },
 TemplateFolder: fullyConfigurableSolutionTerraformDir,
 BestRegionYAMLPath: regionSelectionPath,
- Prefix: "mdb-st-da",
+ Prefix: "mdb-fc-da",
 ResourceGroup: resourceGroup,
 DeleteWorkspaceOnFail: false,
 WaitJobCompleteMinutes: 60,
@@ -98,7 +98,6 @@ func TestRunFullyConfigurableSolutionSchematics(t *testing.T) {
 {Name: "kms_encryption_enabled", Value: true, DataType: "bool"},
 {Name: "use_ibm_owned_encryption_key", Value: false, DataType: "bool"},
 {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
- {Name: "existing_backup_kms_key_crn", Value: permanentResources["hpcs_south_root_key_crn"], DataType: "string"},
 {Name: "kms_endpoint_type", Value: "private", DataType: "string"},
 {Name: "mongodb_version", Value: "7.0", DataType: "string"}, // Always lock this test into the latest supported MongoDB version
 {Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"},
@@ -160,7 +159,7 @@ func TestRunSecurityEnforcedSolutionSchematics(t *testing.T) {
 },
 TemplateFolder: securityEnforcedSolutionTerraformDir,
 BestRegionYAMLPath: regionSelectionPath,
- Prefix: "mdb-st-da",
+ Prefix: "mdb-se-da",
 ResourceGroup: resourceGroup,
 DeleteWorkspaceOnFail: false,
 WaitJobCompleteMinutes: 60,
@@ -186,7 +185,6 @@ func TestRunSecurityEnforcedSolutionSchematics(t *testing.T) {
 {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
 {Name: "mongodb_access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"},
 {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
- {Name: "existing_backup_kms_key_crn", Value: permanentResources["hpcs_south_root_key_crn"], DataType: "string"},
 {Name: "kms_endpoint_type", Value: "private", DataType: "string"},
 {Name: "mongodb_version", Value: "7.0", DataType: "string"}, // Always lock this test into the latest supported MongoDB version
 {Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"},
@@ -204,7 +202,7 @@ func TestRunExistingInstance(t *testing.T) {
 t.Parallel()
- prefix := fmt.Sprintf("mongodb-t-%s", strings.ToLower(random.UniqueId()))
+ prefix := fmt.Sprintf("mdb-t-%s", strings.ToLower(random.UniqueId()))
 realTerraformDir := ".."
 tempTerraformDir, _ := files.CopyTerraformFolderToTemp(realTerraformDir, fmt.Sprintf(prefix+"-%s", strings.ToLower(random.UniqueId())))
 region := validICDRegions[rand.Intn(len(validICDRegions))]
@@ -246,7 +244,7 @@ func TestRunExistingInstance(t *testing.T) {
 },
 TemplateFolder: fullyConfigurableSolutionTerraformDir,
 BestRegionYAMLPath: regionSelectionPath,
- Prefix: "mongodb-sr-da",
+ Prefix: "mdb-sr-da",
 ResourceGroup: resourceGroup,
 DeleteWorkspaceOnFail: false,
 WaitJobCompleteMinutes: 60,
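Review bot: With `existing_backup_kms_key_crn` removed from this test and from the fully-configurable one above it, no test in the visible part of pr_test.go passes a separate backup encryption key any more, so the backup-key path in the solution (the cross-account backup auth policy, `use_same_kms_key_for_backups = false`, the backup policy wait) is no longer exercised and a regression there would ship silently. The only reason the variable had to go appears to be the security-enforced validation that demanded exactly one of the three KMS CRNs, and that validation is deleted in this same commit, so the original pairing of `existing_kms_instance_crn` plus `existing_backup_kms_key_crn` could be restored in at least one of the two tests, e.g. keep `{Name: "existing_backup_kms_key_crn", Value: permanentResources["hpcs_south_root_key_crn"], DataType: "string"},` here. The `options.TerraformVars` literal starts outside the hunk.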
From 683efb58f0b2a9ede6c65c3f6bec3845b661038a Mon Sep 17 00:00:00 2001
From: whoffler
Date: Sun, 22 Jun 2025 09:02:02 +0100
Subject: [PATCH 06/15] SKIP UPGRADE TEST align with redis
---
 common-dev-assets | 2 +-
 ibm_catalog.json | 249 ++++++++++++------
 main.tf | 5 +-
 solutions/fully-configurable/README.md | 14 +-
 .../catalogValidationValues.json.template | 4 +-
 solutions/fully-configurable/main.tf | 27 +-
 solutions/fully-configurable/provider.tf | 17 +-
 solutions/fully-configurable/variables.tf | 99 +++---
 solutions/security-enforced/README.md | 14 +-
 .../catalogValidationValues.json.template | 4 +-
 solutions/security-enforced/main.tf | 18 +-
 solutions/security-enforced/variables.tf | 62 ++---
 tests/pr_test.go | 10 +-
 13 files changed, 302 insertions(+), 223 deletions(-)
diff --git a/common-dev-assets b/common-dev-assets
index 1cf0dafd..403ef31b 160000
--- a/common-dev-assets
+++ b/common-dev-assets
@@ -1 +1 @@
-Subproject commit 1cf0dafd08adb8c4450f6110fbb6163efb02f43b
+Subproject commit 403ef31b0757e3b5819313709a12e72c48f4384b
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 58432650..a849860e 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -9,6 +9,7 @@
 "target_terraform",
 "terraform",
 "data_management",
+ "database",
 "solution"
 ],
 "keywords": [
@@ -22,33 +23,34 @@ "relational" ], "short_description": "Creates and configures an instance of IBM Cloud Databases for MongoDB.", - "long_description": "This architecture supports creating and configuring an instance of Databases for MongoDB with KMS encryption.", + "long_description": "This architecture supports creating and configuring an instance of [Databases for MongoDB](https://www.ibm.com/products/databases-for-mongodb), with optional KMS encryption. This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) asset collection, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/README.md", "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/main/images/mongodb.svg", "provider_name": "IBM", "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in the repository [https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/issues](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/issues). Please note this product is not supported via the IBM Cloud Support Center.", "features": [ { - "title": "Creates an instance of Databases for MongoDB", - "description": "Creates and configures an IBM Cloud Databases for MongoDB instance." 
+ "title": "KMS encryption", + "description": "Provides [KMS encryption](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-key-protect&interface=ui) for the data that you store in the database, enhancing data security." }, { - "title": "Supports KMS encryption", - "description": "Provides KMS encryption for the data that you store in the database." + "title": "Autoscaling", + "description": "Provides the [autoscaling](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-autoscaling&interface=ui) to allow the database to increase resources in response to usage." }, { - "title": "Supports autoscaling", - "description": "Provides the autoscaling to allow the database to increase resources in response to usage." + "title": "Access tags", + "description": "Attaches access tags to the MongoDB instance." }, { - "title": "Supports backup restoration", - "description": "Provides database restoration using a backup created by a deployment with the same service ID." + "title": "Backup restoration", + "description": "Provides [database restoration](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-dashboard-backups&interface=ui) using a backup created by a deployment with the same service ID." } ], "flavors": [ { "label": "Fully configurable", "name": "fully-configurable", + "index": 1, "install_type": "fullstack", "working_directory": "solutions/fully-configurable", "compliance": { @@ -79,7 +81,7 @@ "features": [ { "title": " Creates an instance of Databases for MongoDB", - "description": "This architecture creates an instance of IBM Cloud Databases for MongoDB with KMS encryption. It accepts or creates a resource group, and provides autoscaling rules." + "description": "Configured to use IBM secure by default standards, but can be edited to fit your use case." } ], "diagrams": [ @@ -111,6 +113,7 @@ }, { "key": "provider_visibility", + "hidden": true, "options": [ { "displayname": "private", 
@@ -126,16 +129,9 @@ } ] }, - { - "key": "prefix" - }, - { - "key": "mongodb_name" - }, { "key": "region", "required": true, - "default_value": "us-south", "options": [ { "displayname": "Chennai (che01)", 
@@ -206,60 +202,134 @@ } ] }, + { + "key": "prefix" + }, { "key": "plan" }, { - "key": "service_endpoints" + "key": "name" + }, + { + "key": "mongodb_resource_tags", + "type": "array", + "custom_config": { + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "type": "string" + } + } + }, + { + "key": "mongodb_access_tags", + "type": "array", + "custom_config": { + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "type": "string" + } + } }, { "key": "members" }, { - "key": "memory_mb" + "key": "member_memory_mb" }, { - "key": "cpu_count" + "key": "member_cpu_count" }, { - "key": "disk_mb" + "key": "member_disk_mb" }, { "key": "member_host_flavor" }, + { + "key": "auto_scaling" + }, + { + "key": "service_endpoints", + "options": [ + { + "displayname": "private", + "value": "private" + }, + { + "displayname": "public", + "value": "public" + }, + { + "displayname": "public-and-private", + "value": "public-and-private" + } + ] + }, { "key": "service_credential_names" }, { - "key": "admin_pass" + "key": "service_credential_secrets", + "type": "array", + "custom_config": { + "type": "textarea", + "grouping": "deployment", + "original_grouping": "deployment" + } }, { - "key": "admin_pass_secrets_manager_secret_group" + "key": "admin_pass" }, { - "key": "admin_pass_secrets_manager_secret_name" + "key": "existing_secrets_manager_instance_crn" }, { - "key": "existing_mongodb_instance_crn" + "key": "existing_secrets_manager_endpoint_type", + "hidden": true, + "options": [ + { + "displayname": "public", + "value": "public" + }, + { + "displayname": "private", + "value": "private" + } + ] }, { - "key": "use_existing_admin_pass_secrets_manager_secret_group" + "key": "skip_mongodb_secrets_manager_auth_policy" }, { - "key": "users" + "key": "admin_pass_secrets_manager_secret_group" }, { - "key": "mongodb_tags" + "key": "admin_pass_secrets_manager_secret_name" }, { - "key": "mongodb_access_tags" + 
"key": "use_existing_admin_pass_secrets_manager_secret_group" }, { - "key": "kms_encryption_enabled" + "key": "users", + "type": "array", + "custom_config": { + "type": "textarea", + "grouping": "deployment", + "original_grouping": "deployment" + } }, { "key": "use_ibm_owned_encryption_key" }, + { + "key": "ibmcloud_kms_api_key" + }, + { + "key": "kms_encryption_enabled" + }, { "key": "existing_kms_instance_crn" }, @@ -268,6 +338,7 @@ }, { "key": "kms_endpoint_type", + "hidden": true, "options": [ { "displayname": "public", @@ -279,47 +350,33 @@ } ] }, - { - "key": "skip_mongodb_kms_auth_policy" - }, - { - "key": "ibmcloud_kms_api_key" - }, { "key": "key_ring_name" }, { "key": "key_name" }, - { - "key": "existing_backup_kms_key_crn" - }, - { - "key": "use_default_backup_encryption_key" - }, - { - "key": "auto_scaling" - }, { "key": "backup_crn" }, { - "key": "existing_secrets_manager_instance_crn" + "key": "existing_backup_kms_key_crn" }, { - "key": "existing_secrets_manager_endpoint_type" + "key": "use_default_backup_encryption_key" }, { - "key": "service_credential_secrets" + "key": "skip_mongodb_kms_auth_policy" }, { - "key": "skip_mongodb_secrets_manager_auth_policy" + "key": "existing_mongodb_instance_crn" } ] }, { "label": "Security Enforced", "name": "security-enforced", + "index": 2, "install_type": "fullstack", "working_directory": "solutions/security-enforced", "compliance": { 
@@ -343,15 +400,22 @@ "crn:v1:bluemix:public:iam::::serviceRole:Manager", "crn:v1:bluemix:public:iam::::role:Editor" ], - "service_name": "kms" + "service_name": "kms", + "notes": "[Optional] Editor access is required to create keys. It is required only if KMS encryption is enabled." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "hs-crypto", + "notes": "[Optional] Editor access is required to create keys in HPCS. It is required only if KMS encryption is enabled." } ], "architecture": { - "descriptions": "This architecture creates an instance of IBM Cloud Databases for MongoDB instance with KMS encryption. Supports autoscaling.", "features": [ { "title": " Creates an instance of Databases for MongoDB", - "description": "This architecture creates an instance of IBM Cloud Databases for MongoDB with KMS encryption. It accepts or creates a resource group, and provides autoscaling rules." + "description": "Configured to use IBM secure by default standards that can't be changed." } ], "diagrams": [ @@ -440,9 +504,8 @@ "key": "prefix" }, { - "key": "mongodb_name" + "key": "plan" }, - { "key": "mongodb_version", "required": false, 
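Review bot: The kms entry requests both `serviceRole:Manager` and `role:Editor` while the new hs-crypto entry requests `role:Editor` only, and both notes say Editor is what key creation needs, so one of the two lists is wrong. If Manager is genuinely required to create key rings or keys on Key Protect, HPCS presumably needs the same service role; if it is not, drop it from the kms entry so the catalog does not steer users toward an over-privileged API key. Both notes could also say that the permission is only exercised when `kms_encryption_enabled` is true and no `existing_kms_key_crn` is supplied, since reusing an existing key should not need Editor rights, e.g. `"notes": "[Optional] Editor access is required only when KMS encryption is enabled and the solution creates the key (no existing_kms_key_crn)."`.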
@@ -463,85 +526,113 @@ ] }, { - "key": "plan" + "key": "name" }, { - "key": "members" + "key": "mongodb_resource_tags", + "type": "array", + "custom_config": { + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "type": "string" + } + } }, { - "key": "memory_mb" + "key": "mongodb_access_tags", + "type": "array", + "custom_config": { + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "type": "string" + } + } }, { - "key": "cpu_count" + "key": "members" }, { - "key": "disk_mb" + "key": "member_memory_mb" }, { - "key": "member_host_flavor" + "key": "member_cpu_count" }, { - "key": "service_credential_names" + "key": "member_disk_mb" }, { - "key": "admin_pass" + "key": "member_host_flavor" }, { - "key": "admin_pass_secrets_manager_secret_group" + "key": "auto_scaling" }, { - "key": "admin_pass_secrets_manager_secret_name" + "key": "service_credential_names" }, { - "key": "existing_mongodb_instance_crn" + "key": "service_credential_secrets", + "type": "array", + "custom_config": { + "type": "textarea", + "grouping": "deployment", + "original_grouping": "deployment" + } }, { - "key": "use_existing_admin_pass_secrets_manager_secret_group" + "key": "admin_pass" }, { - "key": "users" + "key": "existing_secrets_manager_instance_crn" }, { - "key": "mongodb_tags" + "key": "skip_mongodb_secrets_manager_auth_policy" }, { - "key": "mongodb_access_tags" + "key": "admin_pass_secrets_manager_secret_group" }, { - "key": "existing_kms_instance_crn" + "key": "admin_pass_secrets_manager_secret_name" }, { - "key": "existing_kms_key_crn" + "key": "use_existing_admin_pass_secrets_manager_secret_group" }, { - "key": "skip_mongodb_kms_auth_policy" + "key": "users", + "type": "array", + "custom_config": { + "type": "textarea", + "grouping": "deployment", + "original_grouping": "deployment" + } }, { "key": "ibmcloud_kms_api_key" }, { - "key": "key_ring_name" + "key": "existing_kms_instance_crn" }, { - "key": 
"key_name" + "key": "existing_kms_key_crn" }, { - "key": "existing_backup_kms_key_crn" + "key": "key_ring_name" }, { - "key": "auto_scaling" + "key": "key_name" }, { "key": "backup_crn" }, { - "key": "existing_secrets_manager_instance_crn" + "key": "existing_backup_kms_key_crn" }, { - "key": "service_credential_secrets" + "key": "skip_mongodb_kms_auth_policy" }, { - "key": "skip_mongodb_secrets_manager_auth_policy" + "key": "existing_mongodb_instance_crn" } ] } diff --git a/main.tf b/main.tf index 3b370ee9..854052cb 100644 --- a/main.tf +++ b/main.tf @@ -168,9 +168,9 @@ resource "ibm_database" "mongodb" { service = "databases-for-mongodb" version = var.mongodb_version resource_group_id = var.resource_group_id - adminpassword = var.admin_pass - tags = var.tags service_endpoints = var.service_endpoints + tags = var.tags + adminpassword = var.admin_pass key_protect_key = var.kms_key_crn backup_encryption_key_crn = local.backup_encryption_key_crn backup_id = var.backup_crn @@ -247,7 +247,6 @@ resource "ibm_database" "mongodb" { } } - ## This for_each block is NOT a loop to attach to multiple auto_scaling blocks. ## This block is only used to conditionally add auto_scaling block depending on var.auto_scaling dynamic "auto_scaling" { diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index d12694b0..81d156c0 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md 
@@ -1,15 +1,3 @@ -# IBM Cloud Databases for MongoDB (Fully Configurable) - -## Prerequisites -- An existing resource group - -This architecture creates an instance of IBM Cloud Databases for MongoDB and supports provisioning of the following resources: - -- A KMS root key, if one is not passed in. -- An IBM Cloud Databases for MongoDB instance with KMS encryption. -- Autoscaling rules for the database instance, if provided. -- Service credential secrets and store them in secret manager. - -![fscloud-mongodb](../../reference-architecture/deployable-architecture-mongodb.svg) +# Cloud automation for MongoDB (Fully configurable) :exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers). diff --git a/solutions/fully-configurable/catalogValidationValues.json.template b/solutions/fully-configurable/catalogValidationValues.json.template index a9a30170..1400be94 100644 --- a/solutions/fully-configurable/catalogValidationValues.json.template +++ b/solutions/fully-configurable/catalogValidationValues.json.template @@ -1,8 +1,8 @@ { "ibmcloud_api_key": $VALIDATION_APIKEY, "region": "us-south", - "mongodb_tags": $TAGS, - "mongodb_name": $PREFIX, + "mongodb_resource_tags": $TAGS, + "name": $PREFIX, "existing_resource_group_name": $PREFIX, "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN, "kms_encryption_enabled": true, diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index e218f7cc..1663fbdd 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf 
@@ -14,8 +14,13 @@ module "resource_group" {
 #######################################################################################################################
 locals {
- prefix = (var.prefix != null && trimspace(var.prefix) != "" ? "${var.prefix}-" : "")
- create_new_kms_key = var.existing_mongodb_instance_crn == null && !var.use_ibm_owned_encryption_key && var.existing_kms_key_crn == null ? true : false # no need to create any KMS resources if passing an existing key, or using IBM owned keys
+ prefix = (var.prefix != null && trimspace(var.prefix) != "" ? "${var.prefix}-" : "")
+ create_new_kms_key = (
+ var.kms_encryption_enabled &&
+ var.existing_mongodb_instance_crn == null &&
+ !var.use_ibm_owned_encryption_key &&
+ var.existing_kms_key_crn == null
+ )
 mongodb_key_name = "${local.prefix}${var.key_name}"
 mongodb_key_ring_name = "${local.prefix}${var.key_ring_name}"
 }
@@ -42,7 +47,7 @@ module "kms" {
 standard_key = false
 rotation_interval_month = 3
 dual_auth_delete_enabled = false
- force_delete = true
+ force_delete = true # Force delete must be set to true, or the terraform destroy will fail since the service does not de-register itself from the key until the reclamation period has expired.
 }
 ]
 }
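Review bot: The new comment justifies `force_delete = true` as a destroy-time convenience, but together with the hard-coded `dual_auth_delete_enabled = false` and `rotation_interval_month = 3` just above it also means a single operator can delete the root key in a day-2 change while the database still references it, after which data encrypted under that key is presumably unrecoverable. For a flavor named "fully configurable" these three settings are worth exposing as inputs with the current values as defaults, or at least documenting in DA-types.md; at minimum extend the comment: `# NOTE: force_delete also allows the key to be deleted while the database still uses it; enable dual_auth_delete_enabled for production keys.` The `module "kms"` block starts outside the hunk.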
@@ -89,7 +94,7 @@ locals {
 create_cross_account_kms_auth_policy = var.existing_mongodb_instance_crn == null && var.ibmcloud_kms_api_key != null && !var.use_ibm_owned_encryption_key
 create_cross_account_backup_kms_auth_policy = var.existing_mongodb_instance_crn == null && var.ibmcloud_kms_api_key != null && !var.use_ibm_owned_encryption_key && var.existing_backup_kms_key_crn != null
- # If KMS encryption enabled (and existing ES instance is not being passed), parse details from the existing key if being passed, otherwise get it from the key that the DA creates
+ # If KMS encryption enabled (and existing MongoDB instance is not being passed), parse details from the existing key if being passed, otherwise get it from the key that the DA creates
 kms_account_id = var.existing_mongodb_instance_crn != null || var.use_ibm_owned_encryption_key ? null : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].account_id : module.kms_instance_crn_parser[0].account_id
 kms_service = var.existing_mongodb_instance_crn != null || var.use_ibm_owned_encryption_key ? null : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : module.kms_instance_crn_parser[0].service_name
 kms_instance_guid = var.existing_mongodb_instance_crn != null || var.use_ibm_owned_encryption_key ? null : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].service_instance : module.kms_instance_crn_parser[0].service_instance
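Review bot: The guards on `kms_account_id`, `kms_service` and `kms_instance_guid`, and on `create_cross_account_kms_auth_policy` two lines above, test only `existing_mongodb_instance_crn` and `use_ibm_owned_encryption_key`, not `var.kms_encryption_enabled`, even though `create_new_kms_key` in this same commit was changed to require it. With `kms_encryption_enabled = false`, `use_ibm_owned_encryption_key = false` and no CRNs, a combination the variable validations accept, these expressions still index `module.kms_instance_crn_parser[0]` (which will fail at plan time if that module's count is gated on the flag, its definition is not in this hunk), and if `ibmcloud_kms_api_key` is set a cross-account KMS authorization policy is created for a key the instance will never use. Adding `|| !var.kms_encryption_enabled` to each of the three null-guards and `&& var.kms_encryption_enabled` to the two policy flags keeps these locals consistent with `create_new_kms_key`. The `locals` block starts outside the hunk.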
@@ -220,7 +225,7 @@ locals {
 # if - replace first char with J
 # elseif _ replace first char with K
 # else use asis
- generated_admin_password = startswith(random_password.admin_password[0].result, "-") ? "J${substr(random_password.admin_password[0].result, 1, -1)}" : startswith(random_password.admin_password[0].result, "_") ? "K${substr(random_password.admin_password[0].result, 1, -1)}" : random_password.admin_password[0].result
+ generated_admin_password = (length(random_password.admin_password) > 0 ? (startswith(random_password.admin_password[0].result, "-") ? "J${substr(random_password.admin_password[0].result, 1, -1)}" : startswith(random_password.admin_password[0].result, "_") ? "K${substr(random_password.admin_password[0].result, 1, -1)}" : random_password.admin_password[0].result) : null)
 # admin password to use
 admin_pass = var.admin_pass == null ? local.generated_admin_password : var.admin_pass
 }
@@ -273,25 +278,25 @@ module "mongodb" {
 source = "../.."
 depends_on = [time_sleep.wait_for_authorization_policy, time_sleep.wait_for_backup_kms_authorization_policy]
 resource_group_id = module.resource_group.resource_group_id
- name = "${local.prefix}${var.mongodb_name}"
+ name = "${local.prefix}${var.name}"
 plan = var.plan
 region = var.region
 mongodb_version = var.mongodb_version
- skip_iam_authorization_policy = var.skip_mongodb_kms_auth_policy
+ skip_iam_authorization_policy = var.kms_encryption_enabled ? var.skip_mongodb_kms_auth_policy : true
 use_ibm_owned_encryption_key = var.use_ibm_owned_encryption_key
 kms_key_crn = local.kms_key_crn
 backup_encryption_key_crn = local.backup_kms_key_crn
 use_same_kms_key_for_backups = local.use_same_kms_key_for_backups
 use_default_backup_encryption_key = var.use_default_backup_encryption_key
 access_tags = var.mongodb_access_tags
- tags = var.mongodb_tags
+ tags = var.mongodb_resource_tags
 admin_pass = local.admin_pass
 users = var.users
 members = var.members
 member_host_flavor = var.member_host_flavor
- memory_mb = var.memory_mb
- disk_mb = var.disk_mb
- cpu_count = var.cpu_count
+ memory_mb = var.member_memory_mb
+ disk_mb = var.member_disk_mb
+ cpu_count = var.member_cpu_count
 auto_scaling = var.auto_scaling
 service_credential_names = var.service_credential_names
 backup_crn = var.backup_crn
diff --git a/solutions/fully-configurable/provider.tf b/solutions/fully-configurable/provider.tf
index 65c38f7d..e66dac2c 100644
--- a/solutions/fully-configurable/provider.tf
+++ b/solutions/fully-configurable/provider.tf
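Review bot: `use_ibm_owned_encryption_key = var.use_ibm_owned_encryption_key` and `kms_key_crn = local.kms_key_crn` are passed through unconditionally, while the line above now forces the KMS authorization policy to be skipped whenever `kms_encryption_enabled` is false. A deployment with `kms_encryption_enabled = false` and `use_ibm_owned_encryption_key = false` (accepted by the variable validations) therefore tells the root module that a customer key is expected but guarantees the service-to-KMS policy is never created; unless `local.kms_key_crn` already collapses to null in that case (its definition is outside this hunk) the create will fail or, worse, silently fall back to whatever the root module does for a null key. Making the intent explicit removes the dependency on that local: `use_ibm_owned_encryption_key = var.kms_encryption_enabled ? var.use_ibm_owned_encryption_key : true`. The `module "mongodb"` block continues outside the hunk.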
@@ -1,11 +1,14 @@
 provider "ibm" {
- ibmcloud_api_key = var.ibmcloud_api_key
- region = var.region
- visibility = var.provider_visibility
+ ibmcloud_api_key = var.ibmcloud_api_key
+ region = var.region
+ visibility = var.provider_visibility
+ private_endpoint_type = (var.provider_visibility == "private" && var.region == "ca-mon") ? "vpe" : null
 }
+
 provider "ibm" {
- alias = "kms"
- ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key
- region = local.kms_region
- visibility = var.provider_visibility
+ alias = "kms"
+ ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key
+ region = local.kms_region
+ visibility = var.provider_visibility
+ private_endpoint_type = (var.provider_visibility == "private" && var.region == "ca-mon") ? "vpe" : null
 }
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 4ed2a56b..43d982fa 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
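Review bot: The `kms` provider alias is configured with `region = local.kms_region` but its new `private_endpoint_type` line keys the VPE decision off `var.region`, the database region, so a KMS instance in `ca-mon` paired with a database elsewhere (or the reverse) gets the wrong endpoint type for private KMS calls. The check should use the same region the provider actually talks to: `private_endpoint_type = (var.provider_visibility == "private" && local.kms_region == "ca-mon") ? "vpe" : null`. A one-line comment on why `ca-mon` is special (presumably the only region where private access to these services goes through a VPE rather than a CSE endpoint) would also save the next reader a trip to the docs.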
@@ -10,15 +10,16 @@ variable "ibmcloud_api_key" {
 variable "existing_resource_group_name" {
 type = string
- description = "The name of an existing resource group to provision the Databases for MongoDB in."
+ description = "The name of an existing resource group to provision resources in."
 default = "Default"
 nullable = false
 }
 variable "prefix" {
 type = string
- description = "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string."
 nullable = true
+ description = "The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: prod-0205-cos. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md)."
+
 validation {
 condition = (var.prefix == null ? true : alltrue([
@@ -30,7 +31,7 @@ variable "prefix" {
 }
 }
-variable "mongodb_name" {
+variable "name" {
 type = string
 description = "The name of the Databases for MongoDB instance. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
 default = "mongodb"
@@ -47,6 +48,12 @@ variable "region" {
 }
 }
+variable "existing_mongodb_instance_crn" {
+ type = string
+ default = null
+ description = "The CRN of an existing Databases for MongoDB instance. If no value is specified, a new instance is created."
+}
+
 variable "mongodb_version" {
 description = "The version of the Databases for MongoDB instance. If no value is specified, the current preferred version of Databases for MongoDB is used."
 type = string
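Review bot: The new `prefix` description ends with `Example: prod-0205-cos`, which is lifted from the COS module; it should read `Example: prod-0205-mongodb` so users are not told to name a database after object storage. `existing_resource_group_name` keeps `default = "Default"` with `nullable = false`, so a user who never touches the field deploys the instance, its KMS key and its Secrets Manager secrets into the account's Default resource group; since the README now lists an existing resource group as a prerequisite, dropping the default makes that choice deliberate and avoids accidentally mixing workloads in the shared group. The validation that enforces the 16-character and hyphen rules quoted in the description starts at the end of this hunk and continues outside it, so I could not confirm the two agree.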
@@ -78,11 +85,6 @@ variable "service_endpoints" { } } -variable "existing_mongodb_instance_crn" { - type = string - default = null - description = "The CRN of an existing Databases for MongoDB instance. If no value is specified, a new instance is created." -} ############################################################################## # ICD hosting model properties @@ -94,19 +96,19 @@ variable "members" { default = 3 } -variable "memory_mb" { +variable "member_memory_mb" { type = number description = "The memory per member that is allocated. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-resources-scaling)" default = 4096 } -variable "cpu_count" { +variable "member_cpu_count" { type = number description = "The dedicated CPU per member that is allocated. For shared CPU, set to 0. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-resources-scaling)." default = 0 } -variable "disk_mb" { +variable "member_disk_mb" { type = number description = "The disk that is allocated per member. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-resources-scaling)." default = 10240 
@@ -148,9 +150,9 @@ variable "users" {
 description = "A list of users that you want to create on the database. Users block is supported by MongoDB version >= 6.0. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service_credential_names) is sufficient to control access to the MongoDB instance. This blocks creates native MongoDB database users. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/fully-configurable/DA-types.md#users)"
 }
-variable "mongodb_tags" {
- type = list(any)
- description = "The list of tags to be added to the Databases for MongoDB instance."
+variable "mongodb_resource_tags" {
+ type = list(string)
+ description = "The list of resource tags to be added to the Databases for MongoDB instance."
 default = []
 }
@@ -168,21 +170,6 @@ variable "kms_encryption_enabled" {
 type = bool
 description = "Set to true to enable KMS Encryption using customer managed keys. When set to true, a value must be passed for either 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn'."
 default = false
-
- validation {
- condition = var.existing_mongodb_instance_crn != null ? var.kms_encryption_enabled == false : true
- error_message = "When using an existing mongodb instance 'kms_encryption_enabled' should not be enabled"
- }
-
- validation {
- condition = var.kms_encryption_enabled == true ? (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null) : true
- error_message = "You must provide at least one of 'existing_kms_instance_crn', 'existing_kms_root_key_crn' or 'existing_backup_kms_key_crn' inputs if 'kms_encryption_enabled' is set to true."
- }
-
- validation {
- condition = var.kms_encryption_enabled == false ? (var.existing_kms_key_crn == null && var.existing_kms_instance_crn == null && var.existing_backup_kms_key_crn == null) : true
- error_message = "If 'kms_encryption_enabled' is set to false, you should not pass values for 'existing_kms_instance_crn', 'existing_kms_root_key_crn' or 'existing_backup_kms_key_crn'. inputs"
- }
 }
 variable "use_ibm_owned_encryption_key" {
@@ -191,8 +178,27 @@ variable "use_ibm_owned_encryption_key" {
 default = true
 validation {
- condition = var.use_ibm_owned_encryption_key ? !var.kms_encryption_enabled : true
- error_message = "When setting input 'use_ibm_owned_encryption_key' true, 'kms_encryption_enabled' input must be set to false."
+ condition = (
+ !var.kms_encryption_enabled ||
+ var.existing_mongodb_instance_crn != null ||
+ !(var.use_ibm_owned_encryption_key && (
+ var.existing_kms_instance_crn != null ||
+ var.existing_kms_key_crn != null ||
+ var.existing_backup_kms_key_crn != null
+ ))
+ )
+ error_message = "When 'kms_encryption_enabled' is true and setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false."
+ }
+
+ # this validation ensures key info is provided when IBM-owned key is disabled and no MongoDB instance is given
+ validation {
+ condition = (!var.kms_encryption_enabled ||
+ var.existing_mongodb_instance_crn != null ||
+ var.use_ibm_owned_encryption_key ||
+ var.existing_kms_instance_crn != null ||
+ var.existing_kms_key_crn != null
+ )
+ error_message = "When 'kms_encryption_enabled' is true and 'use_ibm_owned_encryption_key' is false, you must provide either 'existing_kms_instance_crn' (to create a new key) or 'existing_kms_key_crn' (to use an existing key)."
 }
 validation {
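Review bot: The two new validations here no longer reject KMS inputs when `kms_encryption_enabled` is false — the check removed in the `kms_encryption_enabled` hunk at `@@ -168,21 +170,6 @@` did that and nothing in this hunk replaces it — so a deployment that passes `existing_kms_key_crn` but leaves `kms_encryption_enabled` at its default of `false` would silently provision with the IBM-owned key instead of the customer-managed key the caller clearly intended, unless a later commit in this series restores the rule. Both new conditions also short-circuit on `var.existing_mongodb_instance_crn != null`, which drops the former rule that the flag must be false for an existing instance; if that is deliberate, the `kms_encryption_enabled` description should state that the flag is ignored when an existing instance CRN is given. Suggest a fail-closed validation on `kms_encryption_enabled`, e.g. `condition = var.kms_encryption_enabled || (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null && var.existing_backup_kms_key_crn == null)`, with an error message telling the user to set the flag. The enclosing `variable "use_ibm_owned_encryption_key"` block starts outside this hunk.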
@@ -225,17 +231,6 @@ variable "existing_kms_key_crn" {
 }
 }
-variable "existing_backup_kms_key_crn" {
- type = string
- description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false. If no value is passed, the value of `existing_kms_key_crn` is used. If no value is passed for `existing_kms_key_crn`, a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
- default = null
-
- validation {
- condition = var.existing_mongodb_instance_crn != null ? var.existing_backup_kms_key_crn == null : true
- error_message = "When using an existing mongodb instance 'existing_backup_kms_key_crn' should not be set"
- }
-}
-
 variable "kms_endpoint_type" {
 type = string
 description = "The type of endpoint to use for communicating with the Key Protect or Hyper Protect Crypto Services instance. Possible values: `public`, `private`. Applies only if `existing_kms_key_crn` is not specified."
@@ -272,6 +267,17 @@ variable "key_name" {
 description = "The name for the key created for the Databases for MongoDB key. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
 }
+variable "existing_backup_kms_key_crn" {
+ type = string
+ description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false. If no value is passed, the value of `existing_kms_key_crn` is used. If no value is passed for `existing_kms_key_crn`, a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
+ default = null
+
+ validation {
+ condition = var.existing_mongodb_instance_crn != null ? var.existing_backup_kms_key_crn == null : true
+ error_message = "When using an existing mongodb instance 'existing_backup_kms_key_crn' should not be set"
+ }
+}
+
 variable "use_default_backup_encryption_key" {
 type = bool
 description = "When `use_ibm_owned_encryption_key` is set to false, backups will be encrypted with either the key specified in `existing_kms_key_crn`, in `existing_backup_kms_key_crn`, or with a new key that will be created in the instance specified in the `existing_kms_instance_crn` input. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. 
Alternatively set `use_ibm_owned_encryption_key` to true to use the default encryption for both backups and deployment data." @@ -334,9 +340,9 @@ variable "auto_scaling" { default = null } -############################################################################## -## Secrets Manager Service Credentials -############################################################################## +############################################################################# +# Secrets Manager Service Credentials +############################################################################# variable "existing_secrets_manager_instance_crn" { type = string @@ -397,8 +403,9 @@ variable "service_credential_secrets" { variable "skip_mongodb_secrets_manager_auth_policy" { type = bool - description = "Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Databases for MongoDB. If set to false, the Secrets Manager instance passed by the user is granted the Key Manager access to the MongoDB instance created by the Deployable Architecture. Set to `true` to use an existing policy. The value of this is ignored if any value for 'existing_secrets_manager_instance_crn' is not passed." default = false + description = "Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Databases for MongoDB. If set to false, the Secrets Manager instance passed by the user is granted the Key Manager access to the MongoDB instance created by the Deployable Architecture. Set to `true` to use an existing policy. The value of this is ignored if any value for 'existing_secrets_manager_instance_crn' is not passed." + } variable "admin_pass_secrets_manager_secret_group" { diff --git a/solutions/security-enforced/README.md b/solutions/security-enforced/README.md index ac9afbfe..7fd75368 100644 --- a/solutions/security-enforced/README.md +++ b/solutions/security-enforced/README.md 
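Review bot: The reorder of `skip_mongodb_secrets_manager_auth_policy` in the hunk at `@@ -397,8 +403,9 @@` leaves a stray blank line between the new `description` line and the closing `}`; no other variable block in this file ends that way, so drop it. The equivalent hunk in `solutions/security-enforced/variables.tf` (`@@ -303,8 +303,8 @@`) does the same reorder without the blank line, which is the form to keep.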
@@ -1,15 +1,3 @@ -# IBM Cloud Databases for MongoDB (Security Enforced) - -## Prerequisites -- An existing resource group - -This architecture creates an instance of IBM Cloud Databases for MongoDB and supports provisioning of the following resources: - -- A KMS root key, if one is not passed in. -- An IBM Cloud Databases for MongoDB instance with KMS encryption. -- Autoscaling rules for the database instance, if provided. -- Service credential secrets and store them in secret manager. - -![fscloud-mongodb](../../reference-architecture/deployable-architecture-mongodb.svg) +# Cloud automation for MongoDB (Security-enforced) :exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers). diff --git a/solutions/security-enforced/catalogValidationValues.json.template b/solutions/security-enforced/catalogValidationValues.json.template index 7cc65c1e..345e9554 100644 --- a/solutions/security-enforced/catalogValidationValues.json.template +++ b/solutions/security-enforced/catalogValidationValues.json.template @@ -1,8 +1,8 @@ { "ibmcloud_api_key": $VALIDATION_APIKEY, "region": "us-south", - "mongodb_tags": $TAGS, - "mongodb_name": $PREFIX, + "mongodb_resource_tags": $TAGS, + "name": $PREFIX, "existing_resource_group_name": $PREFIX, "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN } diff --git a/solutions/security-enforced/main.tf b/solutions/security-enforced/main.tf index e3ef016d..69e82804 100644 --- a/solutions/security-enforced/main.tf +++ b/solutions/security-enforced/main.tf 
@@ -3,37 +3,39 @@ module "mongodb" { ibmcloud_api_key = var.ibmcloud_api_key existing_resource_group_name = var.existing_resource_group_name prefix = var.prefix - mongodb_name = var.mongodb_name + name = var.name + provider_visibility = "private" region = var.region + existing_mongodb_instance_crn = var.existing_mongodb_instance_crn mongodb_version = var.mongodb_version plan = var.plan service_endpoints = "private" - existing_mongodb_instance_crn = var.existing_mongodb_instance_crn + # ICD hosting model properties members = var.members - memory_mb = var.memory_mb - cpu_count = var.cpu_count - disk_mb = var.disk_mb + member_memory_mb = var.member_memory_mb + member_cpu_count = var.member_cpu_count + member_disk_mb = var.member_disk_mb member_host_flavor = var.member_host_flavor service_credential_names = var.service_credential_names admin_pass = var.admin_pass users = var.users - mongodb_tags = var.mongodb_tags + mongodb_resource_tags = var.mongodb_resource_tags mongodb_access_tags = var.mongodb_access_tags # Encryption kms_encryption_enabled = true use_ibm_owned_encryption_key = false existing_kms_instance_crn = var.existing_kms_instance_crn existing_kms_key_crn = var.existing_kms_key_crn - existing_backup_kms_key_crn = var.existing_backup_kms_key_crn kms_endpoint_type = "private" skip_mongodb_kms_auth_policy = var.skip_mongodb_kms_auth_policy ibmcloud_kms_api_key = var.ibmcloud_kms_api_key key_ring_name = var.key_ring_name key_name = var.key_name + existing_backup_kms_key_crn = var.existing_backup_kms_key_crn use_default_backup_encryption_key = false backup_crn = var.backup_crn - provider_visibility = "private" + # Auto Scaling auto_scaling = var.auto_scaling # Secrets Manager Service Credentials diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf index 307d3f0b..2dbb8251 100644 --- a/solutions/security-enforced/variables.tf +++ b/solutions/security-enforced/variables.tf 
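Review bot: `existing_mongodb_instance_crn` is now forwarded to the module next to the hard-coded `kms_encryption_enabled = true` and `use_ibm_owned_encryption_key = false`, but the validations in the fully-configurable variables on this page (hunk `@@ -191,8 +178,27 @@` of `solutions/fully-configurable/variables.tf`) are skipped whenever an existing instance CRN is set, so nothing in this variant verifies that a reused instance actually has customer-managed encryption or private endpoints. If `module "mongodb"` wraps the fully-configurable solution, as the matching input names suggest, and the wrapped code does not check this elsewhere, either reject `existing_mongodb_instance_crn` in the security-enforced flavor or document in its variable description that the caller is responsible for the existing instance meeting those controls, e.g. `# NOTE: an existing instance is accepted as-is; its encryption and endpoint settings are not enforced here`. The `module "mongodb"` block starts and ends outside this hunk.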
@@ -10,15 +10,15 @@ variable "ibmcloud_api_key" { variable "existing_resource_group_name" { type = string - description = "The name of an existing resource group to provision the Databases for MongoDB in." + description = "The name of an existing resource group to provision resources in." default = "Default" nullable = false } variable "prefix" { type = string - description = "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string." nullable = true + description = "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string." validation { condition = (var.prefix == null ? true : alltrue([ @@ -30,7 +30,7 @@ variable "prefix" { } } -variable "mongodb_name" { +variable "name" { type = string description = "The name of the Databases for MongoDB instance. If a prefix input variable is specified, the prefix is added to the name in the `-` format." default = "mongodb" @@ -42,6 +42,12 @@ variable "region" { default = "us-south" } +variable "existing_mongodb_instance_crn" { + type = string + default = null + description = "The CRN of an existing Databases for MongoDB instance. If no value is specified, a new instance is created." +} + variable "mongodb_version" { description = "The version of the Databases for MongoDB instance. If no value is specified, the current preferred version of Databases for MongoDB is used." type = string 
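Review bot: The `prefix` description in this hunk keeps the old wording, while the fully-configurable copy in the same patch (hunk `@@ -10,15 +10,16 @@` of `solutions/fully-configurable/variables.tf`) now documents the constraints the `validation` block enforces (lowercase start, allowed characters, length limit, no trailing or consecutive hyphens) and links to the prefix documentation; both files appear to carry the same `validation`, so the security-enforced text should be updated to match, so users of either flavor see the rule before they hit the error. The `mongodb_resource_tags` description in the hunk at `@@ -132,8 +132,8 @@` likewise still says "tags" where the fully-configurable file now says "resource tags". The `prefix` validation body continues outside this hunk.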
@@ -62,12 +68,6 @@ variable "plan" { } } -variable "existing_mongodb_instance_crn" { - type = string - default = null - description = "The CRN of an existing Databases for MongoDB instance. If no value is specified, a new instance is created." -} - ############################################################################## # ICD hosting model properties ############################################################################## @@ -78,19 +78,19 @@ variable "members" { default = 3 } -variable "memory_mb" { +variable "member_memory_mb" { type = number description = "The memory per member that is allocated. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-resources-scaling)" default = 4096 } -variable "cpu_count" { +variable "member_cpu_count" { type = number description = "The dedicated CPU per member that is allocated. For shared CPU, set to 0. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-resources-scaling)." default = 0 } -variable "disk_mb" { +variable "member_disk_mb" { type = number description = "The disk that is allocated per member. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-resources-scaling)." default = 10240 
@@ -132,8 +132,8 @@ variable "users" {
 description = "A list of users that you want to create on the database. Users block is supported by MongoDB version >= 6.0. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service_credential_names) is sufficient to control access to the MongoDB instance. This blocks creates native MongoDB database users. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/fully-configurable/DA-types.md#users)"
 }
-variable "mongodb_tags" {
- type = list(any)
+variable "mongodb_resource_tags" {
+ type = list(string)
 description = "The list of tags to be added to the Databases for MongoDB instance."
 default = []
 }
@@ -150,7 +150,7 @@ variable "mongodb_access_tags" {
 variable "existing_kms_instance_crn" {
 type = string
- description = "The CRN of a Key Protect or Hyper Protect Crypto Services instance. Required to create a new encryption key and key ring which will be used to encrypt both deployment data and backups. Applies only if `use_ibm_owned_encryption_key` is false. To use an existing key, pass values for `existing_kms_key_crn` and/or `existing_backup_kms_key_crn`. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
+ description = "The CRN of a Key Protect or Hyper Protect Crypto Services instance. Required to create a new encryption key and key ring which will be used to encrypt both deployment data and backups. To use an existing key, pass values for `existing_kms_key_crn` and/or `existing_backup_kms_key_crn`. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
 default = null
 validation {
@@ -161,7 +161,7 @@ variable "existing_kms_instance_crn" {
 variable "existing_kms_key_crn" {
 type = string
- description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `use_ibm_owned_encryption_key` is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the optional `existing_backup_kms_key_crn` input. If no value is passed a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
+ description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. By default this key is used for both deployment data and backups, but this behaviour can be altered using the optional `existing_backup_kms_key_crn` input. If no value is passed a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
 default = null
 validation {
@@ -170,17 +170,6 @@ variable "existing_kms_key_crn" {
 }
 }
-variable "existing_backup_kms_key_crn" {
- type = string
- description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false. If no value is passed, the value of `existing_kms_key_crn` is used. If no value is passed for `existing_kms_key_crn`, a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
- default = null
-
- validation {
- condition = var.existing_mongodb_instance_crn != null ? var.existing_backup_kms_key_crn == null : true
- error_message = "When using an existing mongodb instance 'existing_backup_kms_key_crn' should not be set"
- }
-}
-
 variable "skip_mongodb_kms_auth_policy" {
 type = bool
 description = "Whether to create an IAM authorization policy that permits all Databases for MongoDB instances in the resource group to read the encryption key from the Hyper Protect Crypto Services instance specified in the `existing_kms_instance_crn` variable."
@@ -206,6 +195,17 @@ variable "key_name" {
 description = "The name for the key created for the Databases for MongoDB key. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
 }
+variable "existing_backup_kms_key_crn" {
+ type = string
+ description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false. If no value is passed, the value of `existing_kms_key_crn` is used. If no value is passed for `existing_kms_key_crn`, a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
+ default = null
+
+ validation {
+ condition = var.existing_mongodb_instance_crn != null ? var.existing_backup_kms_key_crn == null : true
+ error_message = "When using an existing mongodb instance 'existing_backup_kms_key_crn' should not be set"
+ }
+}
+
 variable "backup_crn" {
 type = string
 description = "The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty."
@@ -251,9 +251,9 @@ variable "auto_scaling" { default = null } -############################################################################## -## Secrets Manager Service Credentials -############################################################################## +############################################################################# +# Secrets Manager Service Credentials +############################################################################# variable "existing_secrets_manager_instance_crn" { type = string @@ -303,8 +303,8 @@ variable "service_credential_secrets" { variable "skip_mongodb_secrets_manager_auth_policy" { type = bool - description = "Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Databases for MongoDB. If set to false, the Secrets Manager instance passed by the user is granted the Key Manager access to the MongoDB instance created by the Deployable Architecture. Set to `true` to use an existing policy. The value of this is ignored if any value for 'existing_secrets_manager_instance_crn' is not passed." default = false + description = "Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Databases for MongoDB. If set to false, the Secrets Manager instance passed by the user is granted the Key Manager access to the MongoDB instance created by the Deployable Architecture. Set to `true` to use an existing policy. The value of this is ignored if any value for 'existing_secrets_manager_instance_crn' is not passed." } variable "admin_pass_secrets_manager_secret_group" { diff --git a/tests/pr_test.go b/tests/pr_test.go index d457aca4..27170d93 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go 
@@ -114,14 +114,14 @@ func TestRunFullyConfigurableSolutionSchematics(t *testing.T) { assert.Nil(t, err, "This should not have errored") } -func TestRunFullyConfigurableUpgradeSolution(t *testing.T) { +func TestRunSecurityEnforcedUpgradeSolution(t *testing.T) { t.Parallel() options := testhelper.TestOptionsDefault(&testhelper.TestOptions{ Testing: t, - TerraformDir: fullyConfigurableSolutionTerraformDir, + TerraformDir: securityEnforcedSolutionTerraformDir, BestRegionYAMLPath: regionSelectionPath, - Prefix: "mongodb-st-da-upg", + Prefix: "mdb-se-da-upg", ResourceGroup: resourceGroup, CheckApplyResultForUpgrade: true, }) @@ -129,11 +129,7 @@ func TestRunFullyConfigurableUpgradeSolution(t *testing.T) { options.TerraformVars = map[string]interface{}{ "prefix": options.Prefix, "mongodb_access_tags": permanentResources["accessTags"], - "kms_encryption_enabled": true, - "use_ibm_owned_encryption_key": false, "existing_kms_instance_crn": permanentResources["hpcs_south_crn"], - "kms_endpoint_type": "public", - "provider_visibility": "public", "existing_resource_group_name": resourceGroup, } From defcd425cf287935bb31e0670efb442472c5a4ce Mon Sep 17 00:00:00 2001 From: whoffler Date: Mon, 23 Jun 2025 10:00:22 +0100 Subject: [PATCH 07/15] SKIP UPGRADE TEST small updates --- ibm_catalog.json | 55 ++++++++++++------- .../deployable-architecture-mongodb.svg | 4 +- solutions/fully-configurable/variables.tf | 2 +- solutions/security-enforced/variables.tf | 2 +- 4 files changed, 38 insertions(+), 25 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index a849860e..25cf05dd 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json 
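Review bot: Renaming `TestRunFullyConfigurableUpgradeSolution` to `TestRunSecurityEnforcedUpgradeSolution` and pointing it at `securityEnforcedSolutionTerraformDir` leaves the fully-configurable flavor with no upgrade test, even though its variables change in this same patch; unless another test covers it, keep the original function and add the security-enforced one as a second test. Dropping `kms_encryption_enabled`, `use_ibm_owned_encryption_key`, `kms_endpoint_type` and `provider_visibility` from `TerraformVars` matches those values being hard-coded in the security-enforced `main.tf` on this page, but `securityEnforcedSolutionTerraformDir` must be declared elsewhere in the test package for this to compile, which is not visible here. The function body continues past the second hunk.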
@@ -63,18 +63,31 @@ ] }, "iam_permissions": [ + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator" + ], + "service_name": "all-account-management-services" + }, { "role_crns": [ "crn:v1:bluemix:public:iam::::role:Editor" ], - "service_name": "databases-for-mongodb" + "service_name": "databases-for-elasticsearch" + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "kms", + "notes": "[Optional] Editor access is required to create keys. It is required only if KMS encryption is enabled." }, { "role_crns": [ - "crn:v1:bluemix:public:iam::::serviceRole:Manager", "crn:v1:bluemix:public:iam::::role:Editor" ], - "service_name": "kms" + "service_name": "hs-crypto", + "notes": "[Optional] Editor access is required to create keys in HPCS. It is required only if KMS encryption is enabled." } ], "architecture": { @@ -111,24 +124,6 @@ } } }, - { - "key": "provider_visibility", - "hidden": true, - "options": [ - { - "displayname": "private", - "value": "private" - }, - { - "displayname": "public", - "value": "public" - }, - { - "displayname": "public-and-private", - "value": "public-and-private" - } - ] - }, { "key": "region", "required": true, @@ -183,6 +178,24 @@ } ] }, + { + "key": "provider_visibility", + "hidden": true, + "options": [ + { + "displayname": "private", + "value": "private" + }, + { + "displayname": "public", + "value": "public" + }, + { + "displayname": "public-and-private", + "value": "public-and-private" + } + ] + }, { "key": "mongodb_version", "required": false, diff --git a/reference-architecture/deployable-architecture-mongodb.svg b/reference-architecture/deployable-architecture-mongodb.svg index 9e1a3b0d..332dd6b8 100644 --- a/reference-architecture/deployable-architecture-mongodb.svg +++ b/reference-architecture/deployable-architecture-mongodb.svg @@ -1,4 +1,4 @@ - + -
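Review bot: The Editor permission entry that previously named `databases-for-mongodb` now reads `"service_name": "databases-for-elasticsearch"`, which looks like a copy-paste from a sibling catalog entry; this architecture deploys MongoDB, so it should remain `"service_name": "databases-for-mongodb"`, otherwise operators are told to grant a role on a service the solution never uses and may lack the one it needs. The new `all-account-management-services` entry with `role:Administrator` is a very broad requirement for a database deployment; if it exists only to create the IAM authorization policies behind the `skip_mongodb_kms_auth_policy` and `skip_mongodb_secrets_manager_auth_policy` inputs, add a `notes` field saying so, as was done for `kms` and `hs-crypto`, so accounts can grant the narrowest role that works. Dropping `serviceRole:Manager` on `kms` narrows what is requested, which is welcome if key creation really needs only Editor — worth confirming against the KMS module before release.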
IBM Cloud
IBM Cloud
KMS Encryption
KMS Encryption
Region
Region
Resource Group
Resource Group
IBM Cloud MongoDB Instance
IBM Cloud MongoDB Instance
MDB
MDB
Text is not SVG - cannot display
\ No newline at end of file +
IBM Cloud
IBM Cloud
KMS Encryption
KMS Encryption
Region
Region
Resource Group
Resource Group
IBM Cloud MongoDB Instance
IBM Cloud MongoDB Instance
MDB
MDB
Text is not SVG - cannot display
\ No newline at end of file diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 43d982fa..5766ee85 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -38,7 +38,7 @@ variable "name" { } variable "region" { - description = "The region where you want to deploy your instance." + description = "The region to provision all resources in. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/region) about how to select different regions for different services." type = string default = "us-south" diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf index 2dbb8251..d65d827a 100644 --- a/solutions/security-enforced/variables.tf +++ b/solutions/security-enforced/variables.tf @@ -37,7 +37,7 @@ variable "name" { } variable "region" { - description = "The region where you want to deploy your instance." + description = "The region to provision all resources in. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/region) about how to select different regions for different services." type = string default = "us-south" } From 8037a1fec18e5b1be29908a02425687d8b1fd527 Mon Sep 17 00:00:00 2001 From: whoffler Date: Tue, 24 Jun 2025 06:09:15 +0100 Subject: [PATCH 08/15] remove use_ibm_owned_encryption_key --- .catalog-onboard-pipeline.yaml | 2 +- ibm_catalog.json | 3 --- .../catalogValidationValues.json.template | 3 +-- solutions/fully-configurable/main.tf | 22 +++++++-------- solutions/fully-configurable/variables.tf | 27 ++++--------------- solutions/security-enforced/main.tf | 1 - tests/pr_test.go | 2 -- 7 files changed, 18 insertions(+), 42 deletions(-) diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml index f78ac6e1..80919308 100644 --- a/.catalog-onboard-pipeline.yaml +++ b/.catalog-onboard-pipeline.yaml 
@@ -6,7 +6,7 @@ offerings: catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd offering_id: 39b67380-7bc8-407f-832c-d610afa17d53 variations: - - name: standard + - name: fully-configurable mark_ready: true install_type: fullstack scc: diff --git a/ibm_catalog.json b/ibm_catalog.json index 25cf05dd..e7417ca2 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -334,9 +334,6 @@ "original_grouping": "deployment" } }, - { - "key": "use_ibm_owned_encryption_key" - }, { "key": "ibmcloud_kms_api_key" }, diff --git a/solutions/fully-configurable/catalogValidationValues.json.template b/solutions/fully-configurable/catalogValidationValues.json.template index 1400be94..6c1a0e7d 100644 --- a/solutions/fully-configurable/catalogValidationValues.json.template +++ b/solutions/fully-configurable/catalogValidationValues.json.template @@ -5,6 +5,5 @@ "name": $PREFIX, "existing_resource_group_name": $PREFIX, "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN, - "kms_encryption_enabled": true, - "use_ibm_owned_encryption_key": false + "kms_encryption_enabled": true } diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 1663fbdd..ddd32580 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -18,7 +18,7 @@ locals { create_new_kms_key = ( var.kms_encryption_enabled && var.existing_mongodb_instance_crn == null && - !var.use_ibm_owned_encryption_key && + var.kms_encryption_enabled && var.existing_kms_key_crn == null ) mongodb_key_name = "${local.prefix}${var.key_name}" 
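Review bot: In `create_new_kms_key` (hunk `@@ -18,7 +18,7 @@` of `solutions/fully-configurable/main.tf`) the removed `!var.use_ibm_owned_encryption_key` term was replaced by a second `var.kms_encryption_enabled &&`, so the same flag is now tested twice in one expression; delete the duplicated line `var.kms_encryption_enabled &&` so the local reads as the three-term conjunction it is meant to be. The `locals` block starts outside this hunk.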
@@ -91,23 +91,23 @@ data "ibm_iam_account_settings" "iam_account_settings" { locals { account_id = data.ibm_iam_account_settings.iam_account_settings.account_id - create_cross_account_kms_auth_policy = var.existing_mongodb_instance_crn == null && var.ibmcloud_kms_api_key != null && !var.use_ibm_owned_encryption_key - create_cross_account_backup_kms_auth_policy = var.existing_mongodb_instance_crn == null && var.ibmcloud_kms_api_key != null && !var.use_ibm_owned_encryption_key && var.existing_backup_kms_key_crn != null + create_cross_account_kms_auth_policy = var.existing_mongodb_instance_crn == null && var.ibmcloud_kms_api_key != null && var.kms_encryption_enabled + create_cross_account_backup_kms_auth_policy = var.existing_mongodb_instance_crn == null && var.ibmcloud_kms_api_key != null && var.kms_encryption_enabled && var.existing_backup_kms_key_crn != null # If KMS encryption enabled (and existing MongoDB instance is not being passed), parse details from the existing key if being passed, otherwise get it from the key that the DA creates - kms_account_id = var.existing_mongodb_instance_crn != null || var.use_ibm_owned_encryption_key ? null : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].account_id : module.kms_instance_crn_parser[0].account_id - kms_service = var.existing_mongodb_instance_crn != null || var.use_ibm_owned_encryption_key ? null : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : module.kms_instance_crn_parser[0].service_name - kms_instance_guid = var.existing_mongodb_instance_crn != null || var.use_ibm_owned_encryption_key ? null : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].service_instance : module.kms_instance_crn_parser[0].service_instance - kms_key_crn = var.existing_mongodb_instance_crn != null || var.use_ibm_owned_encryption_key ? null : var.existing_kms_key_crn != null ? 
var.existing_kms_key_crn : module.kms[0].keys[format("%s.%s", local.mongodb_key_ring_name, local.mongodb_key_name)].crn - kms_key_id = var.existing_mongodb_instance_crn != null || var.use_ibm_owned_encryption_key ? null : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].resource : module.kms[0].keys[format("%s.%s", local.mongodb_key_ring_name, local.mongodb_key_name)].key_id - kms_region = var.existing_mongodb_instance_crn != null || var.use_ibm_owned_encryption_key ? null : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].region : module.kms_instance_crn_parser[0].region + kms_account_id = !var.kms_encryption_enabled || var.existing_mongodb_instance_crn != null ? null : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].account_id : module.kms_instance_crn_parser[0].account_id + kms_service = !var.kms_encryption_enabled || var.existing_mongodb_instance_crn != null ? null : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : module.kms_instance_crn_parser[0].service_name + kms_instance_guid = !var.kms_encryption_enabled || var.existing_mongodb_instance_crn != null ? null : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].service_instance : module.kms_instance_crn_parser[0].service_instance + kms_key_crn = !var.kms_encryption_enabled || var.existing_mongodb_instance_crn != null ? null : var.existing_kms_key_crn != null ? var.existing_kms_key_crn : module.kms[0].keys[format("%s.%s", local.mongodb_key_ring_name, local.mongodb_key_name)].crn + kms_key_id = !var.kms_encryption_enabled || var.existing_mongodb_instance_crn != null ? null : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].resource : module.kms[0].keys[format("%s.%s", local.mongodb_key_ring_name, local.mongodb_key_name)].key_id + kms_region = !var.kms_encryption_enabled || var.existing_mongodb_instance_crn != null ? null : var.existing_kms_key_crn != null ? 
module.kms_key_crn_parser[0].region : module.kms_instance_crn_parser[0].region # If creating KMS cross account policy for backups, parse backup key details from passed in key CRN backup_kms_account_id = local.create_cross_account_backup_kms_auth_policy ? module.kms_backup_key_crn_parser[0].account_id : local.kms_account_id backup_kms_service = local.create_cross_account_backup_kms_auth_policy ? module.kms_backup_key_crn_parser[0].service_name : local.kms_service backup_kms_instance_guid = local.create_cross_account_backup_kms_auth_policy ? module.kms_backup_key_crn_parser[0].service_instance : local.kms_instance_guid backup_kms_key_id = local.create_cross_account_backup_kms_auth_policy ? module.kms_backup_key_crn_parser[0].resource : local.kms_key_id - backup_kms_key_crn = var.existing_mongodb_instance_crn != null || var.use_ibm_owned_encryption_key ? null : var.existing_backup_kms_key_crn + backup_kms_key_crn = !var.kms_encryption_enabled || var.existing_mongodb_instance_crn != null ? null : var.existing_backup_kms_key_crn # Always use same key for backups unless user explicially passed a value for 'existing_backup_kms_key_crn' use_same_kms_key_for_backups = var.existing_backup_kms_key_crn == null ? true : false } @@ -283,7 +283,7 @@ module "mongodb" { region = var.region mongodb_version = var.mongodb_version skip_iam_authorization_policy = var.kms_encryption_enabled ? var.skip_mongodb_kms_auth_policy : true - use_ibm_owned_encryption_key = var.use_ibm_owned_encryption_key + use_ibm_owned_encryption_key = !var.kms_encryption_enabled kms_key_crn = local.kms_key_crn backup_encryption_key_crn = local.backup_kms_key_crn use_same_kms_key_for_backups = local.use_same_kms_key_for_backups diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 5766ee85..7da67c6b 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf 
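Review bot: The guard `!var.kms_encryption_enabled || var.existing_mongodb_instance_crn != null ? null :` is repeated verbatim across seven locals (`kms_account_id` through `kms_region`, plus `backup_kms_key_crn`), and each line chains a second unparenthesised `? :` after it, so every reader has to re-derive the `||` versus ternary precedence per line. A single named local, `use_kms = var.kms_encryption_enabled && var.existing_mongodb_instance_crn == null`, with each assignment written as `local.use_kms ? (...) : null`, would state the intent once, and `create_cross_account_kms_auth_policy` could become `local.use_kms && var.ibmcloud_kms_api_key != null`. Behaviour is identical either way; this is purely about how the new code is written.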
@@ -170,42 +170,25 @@ variable "kms_encryption_enabled" {
 type = bool
 description = "Set to true to enable KMS Encryption using customer managed keys. When set to true, a value must be passed for either 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn'."
 default = false
-}
-
-variable "use_ibm_owned_encryption_key" {
- type = bool
- description = "IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for `existing_kms_instance_crn` to create a new key, or `existing_kms_key_crn` and/or `existing_backup_kms_key_crn` to use an existing key."
- default = true
 validation {
 condition = (
 !var.kms_encryption_enabled ||
 var.existing_mongodb_instance_crn != null ||
- !(var.use_ibm_owned_encryption_key && (
+ (
 var.existing_kms_instance_crn != null ||
 var.existing_kms_key_crn != null ||
 var.existing_backup_kms_key_crn != null
- ))
- )
- error_message = "When 'kms_encryption_enabled' is true and setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false."
- }
-
- # this validation ensures key info is provided when IBM-owned key is disabled and no MongoDB instance is given
- validation {
- condition = (!var.kms_encryption_enabled ||
- var.existing_mongodb_instance_crn != null ||
- var.use_ibm_owned_encryption_key ||
- var.existing_kms_instance_crn != null ||
- var.existing_kms_key_crn != null
+ )
 )
- error_message = "When 'kms_encryption_enabled' is true and 'use_ibm_owned_encryption_key' is false, you must provide either 'existing_kms_instance_crn' (to create a new key) or 'existing_kms_key_crn' (to use an existing key)."
+ error_message = "When 'kms_encryption_enabled' is true and setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn'."
 }
 validation {
 condition = (
- var.use_ibm_owned_encryption_key ? length(compact([var.existing_kms_instance_crn, var.existing_kms_key_crn, var.existing_backup_kms_key_crn])) == 0 : true
+ !var.kms_encryption_enabled ? length(compact([var.existing_kms_instance_crn, var.existing_kms_key_crn, var.existing_backup_kms_key_crn])) == 0 : true
 )
- error_message = "When using ibm owned encryption keys by setting input 'use_ibm_owned_encryption_key' to true, 'existing_kms_instance_crn', 'existing_kms_key_crn' and 'existing_backup_kms_key_crn' should not be set."
+ error_message = "When using ibm owned encryption keys by setting input 'kms_encryption_enabled' to false, 'existing_kms_instance_crn', 'existing_kms_key_crn' and 'existing_backup_kms_key_crn' should not be set."
 }
 }
diff --git a/solutions/security-enforced/main.tf b/solutions/security-enforced/main.tf
index 69e82804..4a3f86c1 100644
--- a/solutions/security-enforced/main.tf
+++ b/solutions/security-enforced/main.tf
@@ -24,7 +24,6 @@ module "mongodb" {
 mongodb_access_tags = var.mongodb_access_tags
 # Encryption
 kms_encryption_enabled = true
- use_ibm_owned_encryption_key = false
 existing_kms_instance_crn = var.existing_kms_instance_crn
 existing_kms_key_crn = var.existing_kms_key_crn
 kms_endpoint_type = "private"
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 27170d93..86b0b56e 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -96,7 +96,6 @@ func TestRunFullyConfigurableSolutionSchematics(t *testing.T) { {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, {Name: "mongodb_access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"}, {Name: "kms_encryption_enabled", Value: true, DataType: "bool"}, - {Name: "use_ibm_owned_encryption_key", Value: false, DataType: "bool"}, {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"}, {Name: "kms_endpoint_type", Value: "private", DataType: "string"}, {Name: "mongodb_version", Value: "7.0", DataType: "string"}, // Always lock this test into the latest supported MongoDB version @@ -287,7 +286,6 @@ func TestRunfullyConfigurableSolutionIBMKeys(t *testing.T) { "mongodb_version": "7.0", "provider_visibility": "public", "existing_resource_group_name": resourceGroup, - "use_ibm_owned_encryption_key": true, "prefix": options.Prefix, } From daf3778b5c2e031f72801defc04fc7043aebbeb3 Mon Sep 17 00:00:00 2001 From: whoffler Date: Wed, 25 Jun 2025 14:57:18 +0100 Subject: [PATCH 09/15] rebase with redis --- ibm_catalog.json | 26 ++++++++++++------- solutions/fully-configurable/variables.tf | 31 ++++++++++------------- solutions/security-enforced/variables.tf | 7 +++-- 3 files changed, 35 insertions(+), 29 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index e7417ca2..869d1f10 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -65,9 +65,10 @@ "iam_permissions": [ { "role_crns": [ - "crn:v1:bluemix:public:iam::::role:Administrator" + "crn:v1:bluemix:public:iam::::role:Viewer" ], - "service_name": "all-account-management-services" + "service_name": "Resource group only", + "notes": "Viewer access is required in the resource group you want to provision in." }, { "role_crns": [ 
@@ -93,7 +94,7 @@ "architecture": { "features": [ { - "title": " Creates an instance of Databases for MongoDB", + "title": " ", "description": "Configured to use IBM secure by default standards, but can be edited to fit your use case." } ], @@ -399,15 +400,21 @@ ] }, "iam_permissions": [ + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Viewer" + ], + "service_name": "Resource group only", + "notes": "Viewer access is required in the resource group you want to provision in." + }, { "role_crns": [ "crn:v1:bluemix:public:iam::::role:Editor" ], "service_name": "databases-for-mongodb" }, - { + { "role_crns": [ - "crn:v1:bluemix:public:iam::::serviceRole:Manager", "crn:v1:bluemix:public:iam::::role:Editor" ], "service_name": "kms", @@ -418,13 +425,13 @@ "crn:v1:bluemix:public:iam::::role:Editor" ], "service_name": "hs-crypto", - "notes": "[Optional] Editor access is required to create keys in HPCS. It is required only if KMS encryption is enabled." + "notes": "[Optional] Editor access is required to create keys in HPCS. It is only required when using HPCS for encryption." } ], "architecture": { "features": [ { - "title": " Creates an instance of Databases for MongoDB", + "title": " ", "description": "Configured to use IBM secure by default standards that can't be changed." } ], @@ -445,7 +452,7 @@ }, { "key": "existing_resource_group_name", - "required": true, + "display_name": "resource_group", "custom_config": { "type": "resource_group", "grouping": "deployment", @@ -621,7 +628,8 @@ "key": "ibmcloud_kms_api_key" }, { - "key": "existing_kms_instance_crn" + "key": "existing_kms_instance_crn", + "required": true }, { "key": "existing_kms_key_crn" diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 7da67c6b..2423c5c7 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf 
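Review bot: `"title"` in the architecture `features` entry is reduced to a single space `" "` in the @@ -93 hunk and again in the @@ -418 hunk, leaving both flavours' feature lists with a blank heading above their description text. If the catalog renders the title this reads as an accidental edit rather than an intended one; restoring `"title": "Creates an instance of Databases for MongoDB"` (or dropping the feature entry altogether) would be clearer. Only the description differs between the two flavours, so the same title fits both.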
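Review bot: `existing_kms_instance_crn` gains `"required": true` in the @@ -621 hunk, in what appears to be the security-enforced flavour, which seems to conflict with the validation this series adds to `solutions/security-enforced/variables.tf` (the @@ -165 hunk of the next patch) requiring exactly one of `existing_kms_key_crn` or `existing_kms_instance_crn`: if the catalog form enforces the flag, a user who wants to bring an existing key cannot leave the instance CRN empty, and the deployment then fails validation with "must be set, but not both". Either drop `"required": true` and let the Terraform validation carry the rule, or present the two inputs as alternatives in the catalog text. Worth confirming which flavour the hunk belongs to, since only the label at line 385 is visible here.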
@@ -74,6 +74,11 @@ variable "plan" { } } + +############################################################################## +# ICD hosting model properties +############################################################################## + variable "service_endpoints" { type = string description = "The type of endpoint of the database instance. Possible values: `public`, `private`, `public-and-private`." @@ -85,11 +90,6 @@ variable "service_endpoints" { } } - -############################################################################## -# ICD hosting model properties -############################################################################## - variable "members" { type = number description = "The number of members that are allocated. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-resources-scaling)." 
@@ -172,23 +172,18 @@ variable "kms_encryption_enabled" {
 default = false
 validation {
- condition = (
- !var.kms_encryption_enabled ||
+ condition = (!var.kms_encryption_enabled ||
 var.existing_mongodb_instance_crn != null ||
- (
- var.existing_kms_instance_crn != null ||
- var.existing_kms_key_crn != null ||
- var.existing_backup_kms_key_crn != null
- )
+ var.existing_kms_instance_crn != null ||
+ var.existing_kms_key_crn != null ||
+ var.existing_backup_kms_key_crn != null
 )
- error_message = "When 'kms_encryption_enabled' is true and setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn'."
+ error_message = "When 'kms_encryption_enabled' is true, you must provide either 'existing_backup_kms_key_crn', 'existing_kms_instance_crn' (to create a new key) or 'existing_kms_key_crn' (to use an existing key)."
 }
 validation {
- condition = (
- !var.kms_encryption_enabled ? length(compact([var.existing_kms_instance_crn, var.existing_kms_key_crn, var.existing_backup_kms_key_crn])) == 0 : true
- )
- error_message = "When using ibm owned encryption keys by setting input 'kms_encryption_enabled' to false, 'existing_kms_instance_crn', 'existing_kms_key_crn' and 'existing_backup_kms_key_crn' should not be set."
+ condition = (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null && var.existing_backup_kms_key_crn == null) || var.kms_encryption_enabled
+ error_message = "When either 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn' is set then 'kms_encryption_enabled' must be set to true."
 }
 }
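Review bot: The first validation accepts `kms_encryption_enabled = true` with only `existing_backup_kms_key_crn` set, and the new error message advertises that as a valid choice, yet nothing in this block supplies a key or instance for the deployment data in that case; `create_new_kms_key` in `solutions/fully-configurable/main.tf` (patch 08 above) is true whenever KMS is enabled and `existing_kms_key_crn` is null, so the plan would presumably try to create a key with no `existing_kms_instance_crn` to create it in — worth confirming against the `module.kms` call, which is not visible here. If that combination is not meant to be supported, drop `var.existing_backup_kms_key_crn != null ||` from the condition and list only the instance and key CRNs in the message; if it is supported, a comment on the condition saying how the deployment key is chosen in that case would save the next reader the same question. The security-enforced flavour additionally rejects setting both `existing_kms_instance_crn` and `existing_kms_key_crn`; this flavour has no such rule, which may be deliberate given `main.tf` prefers the key CRN, but is undocumented.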
@@ -263,7 +258,7 @@ variable "existing_backup_kms_key_crn" { variable "use_default_backup_encryption_key" { type = bool - description = "When `use_ibm_owned_encryption_key` is set to false, backups will be encrypted with either the key specified in `existing_kms_key_crn`, in `existing_backup_kms_key_crn`, or with a new key that will be created in the instance specified in the `existing_kms_instance_crn` input. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. Alternatively set `use_ibm_owned_encryption_key` to true to use the default encryption for both backups and deployment data." + description = "When `kms_encryption_enabled` is set to true, backups will be encrypted with either the key specified in `existing_kms_key_crn`, in `existing_backup_kms_key_crn`, or with a new key that will be created in the instance specified in the `existing_kms_instance_crn` input. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. Alternatively set `kms_encryption_enabled` to false to use the default encryption for both backups and deployment data." default = false } diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf index d65d827a..553acfda 100644 --- a/solutions/security-enforced/variables.tf +++ b/solutions/security-enforced/variables.tf 
@@ -165,8 +165,11 @@ variable "existing_kms_key_crn" {
 default = null
 validation {
- condition = var.existing_mongodb_instance_crn != null ? var.existing_kms_key_crn == null : true
- error_message = "When using an existing mongodb instance 'existing_kms_key_crn' should not be set"
+ condition = (
+ (var.existing_kms_key_crn != null && var.existing_kms_instance_crn == null) ||
+ (var.existing_kms_key_crn == null && var.existing_kms_instance_crn != null)
+ )
+ error_message = "Either existing_kms_key_crn or existing_kms_instance_crn must be set, but not both."
 }
 }
From 2392f0dea390fe5f63eeface0a9953a85b4e2f97 Mon Sep 17 00:00:00 2001
From: whoffler
Date: Thu, 26 Jun 2025 16:06:46 +0100
Subject: [PATCH 10/15] update
---
 README.md | 10 +--
 cra-config.yaml | 5 +-
 ibm_catalog.json | 67 +++++++++--------
 main.tf | 11 ++-
 outputs.tf | 20 +++---
 .../deployable-architecture-mongodb.svg | 2 +-
 .../catalogValidationValues.json.template | 2 +-
 solutions/fully-configurable/main.tf | 20 +++---
 solutions/fully-configurable/moved.tf | 4 --
 solutions/fully-configurable/variables.tf | 53 +++++++-------
 .../catalogValidationValues.json.template | 2 +-
 solutions/security-enforced/main.tf | 72 +++++++++----------
 solutions/security-enforced/variables.tf | 42 +++++------
 tests/pr_test.go | 6 +-
 variables.tf | 10 +--
 version.tf | 6 +-
 16 files changed, 157 insertions(+), 175 deletions(-)
 delete mode 100644 solutions/fully-configurable/moved.tf
diff --git a/README.md b/README.md
index 8065aca5..a46c5753 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ You need the following permissions to run this module.
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.9.0 |
-| [ibm](#requirement\_ibm) | >= 1.79.2, < 2.0.0 |
+| [ibm](#requirement\_ibm) | >= 1.79.2, <2.0.0 |
 | [time](#requirement\_time) | >= 0.9.1, < 1.0.0 |
 ### Modules
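Review bot: The replacement validation drops the check that `existing_kms_key_crn` is not set alongside `existing_mongodb_instance_crn`, and the new exactly-one rule now fails whenever an existing MongoDB instance is supplied without any KMS input, because neither CRN is set in that case; the removed line shows `var.existing_mongodb_instance_crn` is still a variable of this flavour, so that path is presumably reachable. If requiring a KMS input even for an existing instance is the intended contract, the flavour's documentation should say so; otherwise keeping the old guard as the first branch, `condition = var.existing_mongodb_instance_crn != null ? var.existing_kms_key_crn == null : ((var.existing_kms_key_crn != null) != (var.existing_kms_instance_crn != null))`, preserves both rules with the same error message. The enclosing `variable "existing_kms_key_crn"` block starts before this hunk.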
@@ -75,7 +75,7 @@ You need the following permissions to run this module. | [ibm_iam_authorization_policy.backup_kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_resource_key.service_credentials](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) | resource | -| [ibm_resource_tag.mongodb_tag](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_tag) | resource | +| [ibm_resource_tag.access_tag](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_tag) | resource | | [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [time_sleep.wait_for_backup_kms_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [ibm_database_connection.database_connection](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/database_connection) | data source | @@ -89,7 +89,7 @@ You need the following permissions to run this module. | [auto\_scaling](#input\_auto\_scaling) | Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-autoscaling&interface=cli#autoscaling-considerations in the IBM Cloud Docs. |
object({
disk = object({
capacity_enabled = optional(bool, false)
free_space_less_than_percent = optional(number, 10)
io_above_percent = optional(number, 90)
io_enabled = optional(bool, false)
io_over_period = optional(string, "15m")
rate_increase_percent = optional(number, 10)
rate_limit_mb_per_member = optional(number, 3670016)
rate_period_seconds = optional(number, 900)
rate_units = optional(string, "mb")
})
memory = object({
io_above_percent = optional(number, 90)
io_enabled = optional(bool, false)
io_over_period = optional(string, "15m")
rate_increase_percent = optional(number, 10)
rate_limit_mb_per_member = optional(number, 114688)
rate_period_seconds = optional(number, 900)
rate_units = optional(string, "mb")
})
})
| `null` | no | | [backup\_crn](#input\_backup\_crn) | The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty. | `string` | `null` | no | | [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false and `use_same_kms_key_for_backups` is false. If no value is passed, and `use_same_kms_key_for_backups` is true, the value of `kms_key_crn` is used. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `string` | `null` | no | -| [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of context-based restrictions rules to create. |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
tags = optional(list(object({
name = string
value = string
})))
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no | +| [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
tags = optional(list(object({
name = string
value = string
})))
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no | | [cpu\_count](#input\_cpu\_count) | Allocated dedicated CPU per member. For shared CPU, set to 0. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-pricing#mongodb-scale-member) | `number` | `0` | no | | [disk\_mb](#input\_disk\_mb) | The disk that is allocated per member. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-pricing#mongodb-scale-member) | `number` | `10240` | no | | [kms\_key\_crn](#input\_kms\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `use_ibm_owned_encryption_key` is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the `use_same_kms_key_for_backups` and `backup_encryption_key_crn` inputs. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `string` | `null` | no | 
@@ -102,9 +102,9 @@ You need the following permissions to run this module. | [region](#input\_region) | The region where you want to deploy your instance. | `string` | `"us-south"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the MongoDB instance will be created. | `string` | n/a | yes | | [service\_credential\_names](#input\_service\_credential\_names) | Map of name, role for service credentials that you want to create for the database | `map(string)` | `{}` | no | -| [service\_endpoints](#input\_service\_endpoints) | The type of endpoint of the database instance. Possible values: `public`, `private`, `public-and-private`. | `string` | `"public"` | no | +| [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'. | `string` | `"private"` | no | | [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of IAM authorization policies that permits all Databases for MongoDB instances in the given resource group 'Reader' access to the Key Protect or Hyper Protect Crypto Services key that was provided in the `kms_key_crn` and `backup_encryption_key_crn` inputs. This policy is required in order to enable KMS encryption, so only skip creation if there is one already present in your account. No policy is created if `use_ibm_owned_encryption_key` is true. | `bool` | `false` | no | -| [tags](#input\_tags) | Optional list of tags to be added to the MongoDB instance. | `list(any)` | `[]` | no | +| [tags](#input\_tags) | Optional list of tags to be added to the MongoDB instance. 
| `list(string)` | `[]` | no | | [use\_default\_backup\_encryption\_key](#input\_use\_default\_backup\_encryption\_key) | When `use_ibm_owned_encryption_key` is set to false, backups will be encrypted with either the key specified in `kms_key_crn`, or in `backup_encryption_key_crn` if a value is passed. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. Alternatively set `use_ibm_owned_encryption_key` to true to use the default encryption for both backups and deployment data. | `bool` | `false` | no | | [use\_ibm\_owned\_encryption\_key](#input\_use\_ibm\_owned\_encryption\_key) | IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for the `kms_key_crn` input. | `bool` | `true` | no | | [use\_same\_kms\_key\_for\_backups](#input\_use\_same\_kms\_key\_for\_backups) | Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the `backup_encryption_key_crn` input. Alternatiely set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Applies only if `use_ibm_owned_encryption_key` is false. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `bool` | `true` | no | diff --git a/cra-config.yaml b/cra-config.yaml index 17ed72c8..3b509987 100644 --- a/cra-config.yaml +++ b/cra-config.yaml 
@@ -5,9 +5,8 @@ CRA_TARGETS: CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3" # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile). CRA_ENVIRONMENT_VARIABLES: - TF_VAR_prefix: "test" + TF_VAR_existing_kms_instance_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9::" TF_VAR_existing_resource_group_name: "geretain-test-redis" TF_VAR_kms_encryption_enabled: true - TF_VAR_use_ibm_owned_encryption_key: false - TF_VAR_existing_kms_instance_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9::" TF_VAR_provider_visibility: "public" + TF_VAR_prefix: "test" diff --git a/ibm_catalog.json b/ibm_catalog.json index 869d1f10..32b19993 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -74,21 +74,21 @@ "role_crns": [ "crn:v1:bluemix:public:iam::::role:Editor" ], - "service_name": "databases-for-elasticsearch" + "service_name": "databases-for-mongodb" }, { "role_crns": [ "crn:v1:bluemix:public:iam::::role:Editor" ], "service_name": "kms", - "notes": "[Optional] Editor access is required to create keys. It is required only if KMS encryption is enabled." + "notes": "[Optional] Editor access is required to create keys. It is only required when using Key Protect for encryption." }, { "role_crns": [ "crn:v1:bluemix:public:iam::::role:Editor" ], "service_name": "hs-crypto", - "notes": "[Optional] Editor access is required to create keys in HPCS. It is required only if KMS encryption is enabled." + "notes": "[Optional] Editor access is required to create keys in HPCS. It is only required when using HPCS for encryption." } ], "architecture": { 
@@ -113,9 +113,27 @@ { "key": "ibmcloud_api_key" }, + { + "key": "provider_visibility", + "hidden": true, + "options": [ + { + "displayname": "private", + "value": "private" + }, + { + "displayname": "public", + "value": "public" + }, + { + "displayname": "public-and-private", + "value": "public-and-private" + } + ] + }, { "key": "existing_resource_group_name", - "required": true, + "display_name": "resource_group", "custom_config": { "type": "resource_group", "grouping": "deployment", @@ -125,6 +143,9 @@ } } }, + { + "key": "prefix" + }, { "key": "region", "required": true, @@ -179,24 +200,6 @@ } ] }, - { - "key": "provider_visibility", - "hidden": true, - "options": [ - { - "displayname": "private", - "value": "private" - }, - { - "displayname": "public", - "value": "public" - }, - { - "displayname": "public-and-private", - "value": "public-and-private" - } - ] - }, { "key": "mongodb_version", "required": false, @@ -216,9 +219,6 @@ } ] }, - { - "key": "prefix" - }, { "key": "plan" }, @@ -226,7 +226,7 @@ "key": "name" }, { - "key": "mongodb_resource_tags", + "key": "resource_tags", "type": "array", "custom_config": { "grouping": "deployment", @@ -237,7 +237,7 @@ } }, { - "key": "mongodb_access_tags", + "key": "access_tags", "type": "array", "custom_config": { "grouping": "deployment", @@ -385,7 +385,7 @@ ] }, { - "label": "Security Enforced", + "label": "Security-enforced", "name": "security-enforced", "index": 2, "install_type": "fullstack", @@ -462,10 +462,12 @@ } } }, + { + "key": "prefix" + }, { "key": "region", "required": true, - "default_value": "us-south", "options": [ { "displayname": "Chennai (che01)", @@ -517,9 +519,6 @@ } ] }, - { - "key": "prefix" - }, { "key": "plan" }, @@ -546,7 +545,7 @@ "key": "name" }, { - "key": "mongodb_resource_tags", + "key": "resource_tags", "type": "array", "custom_config": { "grouping": "deployment", 
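Review bot: The catalog keys `mongodb_resource_tags` and `mongodb_access_tags` are renamed to `resource_tags` and `access_tags` in the @@ -226, @@ -237 and @@ -546 hunks (and @@ -557 on the next line), and a configuration key presumably only takes effect when it matches a variable name in the flavour's `variables.tf`; both flavours' `variables.tf` and `catalogValidationValues.json.template` files are in this patch's diffstat but their hunks are not visible here, so the rename is worth confirming on every side, including the `tests/pr_test.go` option names. In the same line, `existing_resource_group_name` loses `"required": true` in the @@ -113 hunk while `region` keeps it but loses its `"default_value"` in @@ -462; if the resource-group variable has no default in `variables.tf`, the catalog form will no longer flag the omission before Terraform does.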
@@ -557,7 +556,7 @@ } }, { - "key": "mongodb_access_tags", + "key": "access_tags", "type": "array", "custom_config": { "grouping": "deployment", diff --git a/main.tf b/main.tf index 854052cb..1e3b6251 100644 --- a/main.tf +++ b/main.tf @@ -1,13 +1,10 @@ -############################################################################## -# ICD MongoDB module -############################################################################## - - ######################################################################################################################## # Locals ######################################################################################################################## locals { + # If no value passed for 'backup_encryption_key_crn' use the value of 'kms_key_crn' and perform validation of 'kms_key_crn' to check if region is supported by backup encryption key. + # If 'use_ibm_owned_encryption_key' is true or 'use_default_backup_encryption_key' is true, default to null. # If no value is passed for 'backup_encryption_key_crn', then default to use 'kms_key_crn'. backup_encryption_key_crn = var.use_ibm_owned_encryption_key || var.use_default_backup_encryption_key ? null : (var.backup_encryption_key_crn != null ? var.backup_encryption_key_crn : var.kms_key_crn) @@ -163,8 +160,8 @@ resource "time_sleep" "wait_for_backup_kms_authorization_policy" { resource "ibm_database" "mongodb" { depends_on = [time_sleep.wait_for_authorization_policy, time_sleep.wait_for_backup_kms_authorization_policy] name = var.name - location = var.region plan = var.plan + location = var.region service = "databases-for-mongodb" version = var.mongodb_version resource_group_id = var.resource_group_id @@ -291,7 +288,7 @@ resource "ibm_database" "mongodb" { } } -resource "ibm_resource_tag" "mongodb_tag" { +resource "ibm_resource_tag" "access_tag" { count = length(var.access_tags) == 0 ? 0 : 1 resource_id = ibm_database.mongodb.resource_crn tags = var.access_tags 
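Review bot: The two comment lines added above `backup_encryption_key_crn` overlap with the pre-existing line `# If no value is passed for 'backup_encryption_key_crn', then default to use 'kms_key_crn'.`, so the local is now explained three times in slightly different words, and the new text claims the expression performs a region validation of `kms_key_crn` that the conditional on the next line does not do (it only selects a value; any such check presumably lives elsewhere). One comment covering both branches would be clearer, e.g. `# Backup key: null when IBM-owned keys or the default backup key are used; otherwise 'backup_encryption_key_crn' if set, else fall back to 'kms_key_crn'.` The enclosing locals block continues outside the hunk.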
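Review bot: Renaming `ibm_resource_tag.mongodb_tag` to `ibm_resource_tag.access_tag` changes the resource address, so unless a `moved` block exists elsewhere in the root module, existing state will plan a destroy of `ibm_resource_tag.mongodb_tag[0]` and a create of `ibm_resource_tag.access_tag[0]`. Since these are access tags, which IAM policies can be scoped on, a detach/re-attach on upgrade is worth avoiding; the upgrade test in tests/pr_test.go does set `access_tags`, so it may surface this if it checks for destroyed resources. A `moved` block keeps the rename state-neutral; the resource body continues outside the hunk.
```hcl
moved {
  from = ibm_resource_tag.mongodb_tag
  to   = ibm_resource_tag.access_tag
}
```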
diff --git a/outputs.tf b/outputs.tf index 96371861..12eee8f3 100644 --- a/outputs.tf +++ b/outputs.tf @@ -7,26 +7,21 @@ output "id" { value = ibm_database.mongodb.id } -output "guid" { - description = "MongoDB instance guid" - value = ibm_database.mongodb.guid -} - output "version" { description = "MongoDB instance version" value = ibm_database.mongodb.version } +output "guid" { + description = "MongoDB instance guid" + value = ibm_database.mongodb.guid +} + output "crn" { description = "MongoDB instance crn" value = ibm_database.mongodb.resource_crn } -output "cbr_rule_ids" { - description = "CBR rule ids created to restrict MongoDB" - value = module.cbr_rule[*].rule_id -} - output "service_credentials_json" { description = "Service credentials json map" value = local.service_credentials_json @@ -39,6 +34,11 @@ output "service_credentials_object" { sensitive = true } +output "cbr_rule_ids" { + description = "CBR rule ids created to restrict MongoDB" + value = module.cbr_rule[*].rule_id +} + output "adminuser" { description = "Database admin user name" value = ibm_database.mongodb.adminuser diff --git a/reference-architecture/deployable-architecture-mongodb.svg b/reference-architecture/deployable-architecture-mongodb.svg index 332dd6b8..811a2eed 100644 --- a/reference-architecture/deployable-architecture-mongodb.svg +++ b/reference-architecture/deployable-architecture-mongodb.svg @@ -1,4 +1,4 @@ -
IBM Cloud
IBM Cloud
KMS Encryption
KMS Encryption
Region
Region
Resource Group
Resource Group
IBM Cloud MongoDB Instance
IBM Cloud MongoDB Instance
MDB
MDB
Text is not SVG - cannot display
\ No newline at end of file +IBM CloudRegionResource GroupDatabase for MongoDB
MDB
MDB
[Optional] KMS
[Optional] KMS
Key Ring
Key Ring
redis-key
Text is not SVG - cannot display
\ No newline at end of file diff --git a/solutions/fully-configurable/catalogValidationValues.json.template b/solutions/fully-configurable/catalogValidationValues.json.template index 6c1a0e7d..85531edd 100644 --- a/solutions/fully-configurable/catalogValidationValues.json.template +++ b/solutions/fully-configurable/catalogValidationValues.json.template @@ -1,7 +1,7 @@ { "ibmcloud_api_key": $VALIDATION_APIKEY, "region": "us-south", - "mongodb_resource_tags": $TAGS, + "resource_tags": $TAGS, "name": $PREFIX, "existing_resource_group_name": $PREFIX, "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN, diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index ddd32580..a663553a 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -1,7 +1,9 @@ ####################################################################################################################### # Resource Group ####################################################################################################################### - +locals { + prefix = var.prefix != null ? trimspace(var.prefix) != "" ? "${var.prefix}-" : "" : "" +} module "resource_group" { source = "terraform-ibm-modules/resource-group/ibm" @@ -14,11 +16,10 @@ module "resource_group" { ####################################################################################################################### locals { - prefix = (var.prefix != null && trimspace(var.prefix) != "" ? "${var.prefix}-" : "") + use_ibm_owned_encryption_key = !var.kms_encryption_enabled create_new_kms_key = ( var.kms_encryption_enabled && var.existing_mongodb_instance_crn == null && - var.kms_encryption_enabled && var.existing_kms_key_crn == null ) mongodb_key_name = "${local.prefix}${var.key_name}" 
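Review bot: The new `prefix` local uses a nested conditional where the line it replaces used `&&`; presumably this is because Terraform evaluates both operands of `&&`, so `trimspace(var.prefix)` would fail on a null prefix, but nothing in the file says so and the next reader will be tempted to fold it back into the shorter form. A one-line comment above it would preserve the reasoning: `# Nested conditional on purpose: '&&' does not short-circuit in Terraform, so trimspace(null) would error.` The local now also sits under the Resource Group heading although it is used at least for `mongodb_key_name` in the KMS locals block of the next hunk, which it was moved out of; that block may be the better home.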
@@ -91,8 +92,8 @@ data "ibm_iam_account_settings" "iam_account_settings" { locals { account_id = data.ibm_iam_account_settings.iam_account_settings.account_id - create_cross_account_kms_auth_policy = var.existing_mongodb_instance_crn == null && var.ibmcloud_kms_api_key != null && var.kms_encryption_enabled - create_cross_account_backup_kms_auth_policy = var.existing_mongodb_instance_crn == null && var.ibmcloud_kms_api_key != null && var.kms_encryption_enabled && var.existing_backup_kms_key_crn != null + create_cross_account_kms_auth_policy = var.kms_encryption_enabled && var.existing_mongodb_instance_crn == null && var.ibmcloud_kms_api_key != null + create_cross_account_backup_kms_auth_policy = var.kms_encryption_enabled && var.existing_mongodb_instance_crn == null && var.ibmcloud_kms_api_key != null && var.existing_backup_kms_key_crn != null # If KMS encryption enabled (and existing MongoDB instance is not being passed), parse details from the existing key if being passed, otherwise get it from the key that the DA creates kms_account_id = !var.kms_encryption_enabled || var.existing_mongodb_instance_crn != null ? null : var.existing_kms_key_crn != null ? module.kms_key_crn_parser[0].account_id : module.kms_instance_crn_parser[0].account_id 
@@ -107,7 +108,7 @@ locals { backup_kms_service = local.create_cross_account_backup_kms_auth_policy ? module.kms_backup_key_crn_parser[0].service_name : local.kms_service backup_kms_instance_guid = local.create_cross_account_backup_kms_auth_policy ? module.kms_backup_key_crn_parser[0].service_instance : local.kms_instance_guid backup_kms_key_id = local.create_cross_account_backup_kms_auth_policy ? module.kms_backup_key_crn_parser[0].resource : local.kms_key_id - backup_kms_key_crn = !var.kms_encryption_enabled || var.existing_mongodb_instance_crn != null ? null : var.existing_backup_kms_key_crn + backup_kms_key_crn = var.existing_mongodb_instance_crn != null || local.use_ibm_owned_encryption_key ? null : var.existing_backup_kms_key_crn # Always use same key for backups unless user explicially passed a value for 'existing_backup_kms_key_crn' use_same_kms_key_for_backups = var.existing_backup_kms_key_crn == null ? true : false } @@ -283,13 +284,13 @@ module "mongodb" { region = var.region mongodb_version = var.mongodb_version skip_iam_authorization_policy = var.kms_encryption_enabled ? var.skip_mongodb_kms_auth_policy : true - use_ibm_owned_encryption_key = !var.kms_encryption_enabled + use_ibm_owned_encryption_key = local.use_ibm_owned_encryption_key kms_key_crn = local.kms_key_crn backup_encryption_key_crn = local.backup_kms_key_crn use_same_kms_key_for_backups = local.use_same_kms_key_for_backups use_default_backup_encryption_key = var.use_default_backup_encryption_key - access_tags = var.mongodb_access_tags - tags = var.mongodb_resource_tags + access_tags = var.access_tags + tags = var.resource_tags admin_pass = local.admin_pass users = var.users members = var.members 
@@ -331,7 +332,6 @@ module "secrets_manager_instance_crn_parser" { # create a service authorization between Secrets Manager and the target service (Databases for MongoDB) resource "ibm_iam_authorization_policy" "secrets_manager_key_manager" { count = local.create_secrets_manager_auth_policy - depends_on = [module.mongodb] source_service_name = "secrets-manager" source_resource_instance_id = local.existing_secrets_manager_instance_guid target_service_name = "databases-for-mongodb" diff --git a/solutions/fully-configurable/moved.tf b/solutions/fully-configurable/moved.tf deleted file mode 100644 index 248dfb7d..00000000 --- a/solutions/fully-configurable/moved.tf +++ /dev/null @@ -1,4 +0,0 @@ -moved { - from = module.mongodb - to = module.mongodb[0] -} diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 2423c5c7..de75e41b 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -10,7 +10,7 @@ variable "ibmcloud_api_key" { variable "existing_resource_group_name" { type = string - description = "The name of an existing resource group to provision resources in." + description = "The name of an existing resource group to provision resource in." default = "Default" nullable = false } 
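Review bot: Dropping `depends_on = [module.mongodb]` from `ibm_iam_authorization_policy.secrets_manager_key_manager` is only safe if the policy's target still references a `module.mongodb` output (for example an instance GUID in `target_resource_instance_id`), which is outside this hunk; if the target is the whole `databases-for-mongodb` service there is no ordering to preserve, but if it is the instance, the policy could be attempted before the instance exists. A short comment on the resource stating which case applies would make the removal reviewable, e.g. `# Ordering is implied by the module.mongodb reference in the target below; no explicit depends_on needed.` The resource block continues outside the hunk.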
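Review bot: The description edit on `existing_resource_group_name` changes `provision resources in` to `provision resource in`, which reads as a typo rather than an improvement; the same edit appears in solutions/security-enforced/variables.tf (hunk `@@ -10,7 +10,7 @@`). Suggest `description = "The name of an existing resource group to provision resources in."` in both files.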
@@ -21,13 +21,24 @@ variable "prefix" { description = "The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: prod-0205-cos. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md)." validation { - condition = (var.prefix == null ? true : + # - null and empty string is allowed + # - Must not contain consecutive hyphens (--): length(regexall("--", var.prefix)) == 0 + # - Starts with a lowercase letter: [a-z] + # - Contains only lowercase letters (a–z), digits (0–9), and hyphens (-) + # - Must not end with a hyphen (-): [a-z0-9] + condition = (var.prefix == null || var.prefix == "" ? true : alltrue([ - can(regex("^[a-z]{0,1}[-a-z0-9]{0,14}[a-z0-9]{0,1}$", var.prefix)), - length(regexall("^.*--.*", var.prefix)) == 0 + can(regex("^[a-z][-a-z0-9]*[a-z0-9]$", var.prefix)), + length(regexall("--", var.prefix)) == 0 ]) ) - error_message = "Prefix must begin with a lowercase letter, contain only lowercase letters, numbers, and - characters. Prefixes must end with a lowercase letter or number and be 16 or fewer characters." + error_message = "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--')." + } + + validation { + # must not exceed 16 characters in length + condition = length(var.prefix) <= 16 + error_message = "Prefix must not exceed 16 characters." } } 
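Review bot: The second validation block, `condition = length(var.prefix) <= 16`, is evaluated even when `var.prefix` is null, and Terraform's `length()` does not accept a null argument, so a null prefix — which the first validation explicitly allows — would fail with an error instead of passing (worth confirming against the Terraform version in use). Match the first block's pattern: `condition = var.prefix == null ? true : length(var.prefix) <= 16`; writing `var.prefix == null || length(var.prefix) <= 16` would not help because `||` does not short-circuit in Terraform. The same block is added in solutions/security-enforced/variables.tf (hunk `@@ -18,15 +18,27 @@`). Separately, the new regex `^[a-z][-a-z0-9]*[a-z0-9]$` requires at least two characters, so a single-letter prefix that the old regex accepted is now rejected; if that is intended, the description and error message should say so.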
@@ -38,7 +49,7 @@ variable "name" { } variable "region" { - description = "The region to provision all resources in. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/region) about how to select different regions for different services." + description = "The region where you want to deploy your instance." type = string default = "us-south" @@ -133,7 +144,7 @@ variable "service_credential_names" { variable "admin_pass" { type = string - description = "The password for the database administrator. If the admin password is null then the admin user ID cannot be accessed. More users can be specified in a user block." + description = "The password for the database administrator. If no admin password is provided (i.e., it is null), one will be generated automatically. Additional users can be added using a user block." default = null sensitive = true } @@ -150,13 +161,13 @@ variable "users" { description = "A list of users that you want to create on the database. Users block is supported by MongoDB version >= 6.0. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service_credential_names) is sufficient to control access to the MongoDB instance. This blocks creates native MongoDB database users. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/fully-configurable/DA-types.md#users)" } -variable "mongodb_resource_tags" { +variable "resource_tags" { type = list(string) description = "The list of resource tags to be added to the Databases for MongoDB instance." default = [] } -variable "mongodb_access_tags" { +variable "access_tags" { type = list(string) description = "A list of access tags to apply to the Databases for MongoDB instance created by the solution. [Learn more](https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial)." default = [] 
@@ -168,7 +179,7 @@ variable "mongodb_access_tags" { variable "kms_encryption_enabled" { type = bool - description = "Set to true to enable KMS Encryption using customer managed keys. When set to true, a value must be passed for either 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn'." + description = "Set to true to enable KMS encryption using customer-managed keys. When enabled, you must provide a value for at least one of the following: existing_kms_instance_crn, existing_kms_key_crn, or existing_backup_kms_key_crn. If set to false, IBM-owned encryption is used (i.e., encryption keys managed and held by IBM)." default = false validation { 
@@ -189,24 +200,14 @@ variable "kms_encryption_enabled" { variable "existing_kms_instance_crn" { type = string - description = "The CRN of a Key Protect or Hyper Protect Crypto Services instance. Required to create a new encryption key and key ring which will be used to encrypt both deployment data and backups. Applies only if `use_ibm_owned_encryption_key` is false. To use an existing key, pass values for `existing_kms_key_crn` and/or `existing_backup_kms_key_crn`. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." + description = "The CRN of a Key Protect or Hyper Protect Crypto Services instance. Required to create a new encryption key and key ring which will be used to encrypt both deployment data and backups. To use an existing key, pass values for `existing_kms_key_crn` and/or `existing_backup_kms_key_crn`. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." default = null - - validation { - condition = var.existing_mongodb_instance_crn != null ? var.existing_kms_instance_crn == null : true - error_message = "When using an existing mongodb instance 'existing_kms_instance_crn' should not be set" - } } variable "existing_kms_key_crn" { type = string - description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `use_ibm_owned_encryption_key` is false. 
By default this key is used for both deployment data and backups, but this behaviour can be altered using the optional `existing_backup_kms_key_crn` input. If no value is passed a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." + description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. By default this key is used for both deployment data and backups, but this behaviour can be altered using the optional `existing_backup_kms_key_crn` input. If no value is passed a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." default = null - - validation { - condition = var.existing_mongodb_instance_crn != null ? var.existing_kms_key_crn == null : true - error_message = "When using an existing mongodb instance 'existing_kms_key_crn' should not be set" - } } variable "kms_endpoint_type" { 
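Review bot: Removing the validations that rejected `existing_kms_instance_crn`, `existing_kms_key_crn` and `existing_backup_kms_key_crn` alongside `existing_mongodb_instance_crn` (this hunk, the `existing_backup_kms_key_crn` hunk at `@@ -247,13 +248,8 @@`, and the security-enforced hunks `@@ -152,11 +164,6 @@` and `@@ -200,13 +207,8 @@`) means a KMS key passed together with an existing instance is now silently ignored — solutions/fully-configurable/main.tf sets `kms_account_id` and `backup_kms_key_crn` to null whenever `existing_mongodb_instance_crn != null` — so a user could believe customer-managed encryption is applied when it is not. Unless an equivalent check moved elsewhere (the `validation` block under `kms_encryption_enabled` is outside this chunk), a single consolidated check on `existing_mongodb_instance_crn` keeps the guard, e.g. `condition = var.existing_mongodb_instance_crn == null ? true : (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null && var.existing_backup_kms_key_crn == null)` with an error message saying the KMS inputs do not apply to an existing instance. The descriptions also drop "Applies only if `use_ibm_owned_encryption_key` is false" without a replacement; since that input no longer exists in this solution, `Applies only if `kms_encryption_enabled` is true.` would restore the information.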
@@ -247,13 +248,8 @@ variable "key_name" { variable "existing_backup_kms_key_crn" { type = string - description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false. If no value is passed, the value of `existing_kms_key_crn` is used. If no value is passed for `existing_kms_key_crn`, a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." + description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. If no value is passed, the value of `existing_kms_key_crn` is used. If no value is passed for `existing_kms_key_crn`, a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." default = null - - validation { - condition = var.existing_mongodb_instance_crn != null ? 
var.existing_backup_kms_key_crn == null : true - error_message = "When using an existing mongodb instance 'existing_backup_kms_key_crn' should not be set" - } } variable "use_default_backup_encryption_key" { @@ -383,7 +379,6 @@ variable "skip_mongodb_secrets_manager_auth_policy" { type = bool default = false description = "Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Databases for MongoDB. If set to false, the Secrets Manager instance passed by the user is granted the Key Manager access to the MongoDB instance created by the Deployable Architecture. Set to `true` to use an existing policy. The value of this is ignored if any value for 'existing_secrets_manager_instance_crn' is not passed." - } variable "admin_pass_secrets_manager_secret_group" { diff --git a/solutions/security-enforced/catalogValidationValues.json.template b/solutions/security-enforced/catalogValidationValues.json.template index 345e9554..5d462e78 100644 --- a/solutions/security-enforced/catalogValidationValues.json.template +++ b/solutions/security-enforced/catalogValidationValues.json.template @@ -1,7 +1,7 @@ { "ibmcloud_api_key": $VALIDATION_APIKEY, "region": "us-south", - "mongodb_resource_tags": $TAGS, + "resource_tags": $TAGS, "name": $PREFIX, "existing_resource_group_name": $PREFIX, "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN diff --git a/solutions/security-enforced/main.tf b/solutions/security-enforced/main.tf index 4a3f86c1..f65dc4f9 100644 --- a/solutions/security-enforced/main.tf +++ b/solutions/security-enforced/main.tf 
@@ -1,43 +1,36 @@ module "mongodb" { - source = "../fully-configurable" - ibmcloud_api_key = var.ibmcloud_api_key - existing_resource_group_name = var.existing_resource_group_name - prefix = var.prefix - name = var.name - provider_visibility = "private" - region = var.region - existing_mongodb_instance_crn = var.existing_mongodb_instance_crn - mongodb_version = var.mongodb_version - plan = var.plan - service_endpoints = "private" - - # ICD hosting model properties - members = var.members - member_memory_mb = var.member_memory_mb - member_cpu_count = var.member_cpu_count - member_disk_mb = var.member_disk_mb - member_host_flavor = var.member_host_flavor - service_credential_names = var.service_credential_names - admin_pass = var.admin_pass - users = var.users - mongodb_resource_tags = var.mongodb_resource_tags - mongodb_access_tags = var.mongodb_access_tags - # Encryption - kms_encryption_enabled = true - existing_kms_instance_crn = var.existing_kms_instance_crn - existing_kms_key_crn = var.existing_kms_key_crn - kms_endpoint_type = "private" - skip_mongodb_kms_auth_policy = var.skip_mongodb_kms_auth_policy - ibmcloud_kms_api_key = var.ibmcloud_kms_api_key - key_ring_name = var.key_ring_name - key_name = var.key_name - existing_backup_kms_key_crn = var.existing_backup_kms_key_crn - use_default_backup_encryption_key = false - backup_crn = var.backup_crn - - # Auto Scaling - auto_scaling = var.auto_scaling - # Secrets Manager Service Credentials + source = "../fully-configurable" + ibmcloud_api_key = var.ibmcloud_api_key + existing_resource_group_name = var.existing_resource_group_name + prefix = var.prefix + name = var.name + provider_visibility = "private" + region = var.region + existing_mongodb_instance_crn = var.existing_mongodb_instance_crn + mongodb_version = var.mongodb_version + plan = var.plan + members = var.members + member_memory_mb = var.member_memory_mb + member_cpu_count = var.member_cpu_count + member_disk_mb = var.member_disk_mb + member_host_flavor 
= var.member_host_flavor + service_credential_names = var.service_credential_names + admin_pass = var.admin_pass + users = var.users + resource_tags = var.resource_tags + access_tags = var.access_tags + kms_encryption_enabled = true + existing_kms_instance_crn = var.existing_kms_instance_crn + existing_kms_key_crn = var.existing_kms_key_crn + kms_endpoint_type = "private" + skip_mongodb_kms_auth_policy = var.skip_mongodb_kms_auth_policy + ibmcloud_kms_api_key = var.ibmcloud_kms_api_key + key_ring_name = var.key_ring_name + key_name = var.key_name + existing_backup_kms_key_crn = var.existing_backup_kms_key_crn + use_default_backup_encryption_key = false + backup_crn = var.backup_crn + auto_scaling = var.auto_scaling existing_secrets_manager_instance_crn = var.existing_secrets_manager_instance_crn existing_secrets_manager_endpoint_type = "private" service_credential_secrets = var.service_credential_secrets @@ -45,4 +38,5 @@ module "mongodb" { admin_pass_secrets_manager_secret_group = var.admin_pass_secrets_manager_secret_group use_existing_admin_pass_secrets_manager_secret_group = var.use_existing_admin_pass_secrets_manager_secret_group admin_pass_secrets_manager_secret_name = var.admin_pass_secrets_manager_secret_name + service_endpoints = "private" } diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf index 553acfda..ec8010a8 100644 --- a/solutions/security-enforced/variables.tf +++ b/solutions/security-enforced/variables.tf @@ -10,7 +10,7 @@ variable "ibmcloud_api_key" { variable "existing_resource_group_name" { type = string - description = "The name of an existing resource group to provision resources in." + description = "The name of an existing resource group to provision resource in." default = "Default" nullable = false } 
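Review bot: The rewrite of the `module "mongodb"` call drops the `# ICD hosting model properties`, `# Encryption`, `# Auto Scaling` and `# Secrets Manager Service Credentials` section comments and moves `service_endpoints = "private"` from next to `provider_visibility = "private"` to the end of the block (hunk `@@ -45,4 +38,5 @@`), which scatters the hard-coded private-only settings that define this flavor. Keeping the section comments and grouping `provider_visibility`, `service_endpoints`, `kms_endpoint_type` and `existing_secrets_manager_endpoint_type` under one `# Security-enforced: private endpoints only` comment would make those invariants auditable in one place.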
@@ -18,15 +18,27 @@ variable "existing_resource_group_name" { variable "prefix" { type = string nullable = true - description = "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string." + description = "The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: prod-0205-cos. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md)." + validation { - condition = (var.prefix == null ? true : + # - null and empty string is allowed + # - Must not contain consecutive hyphens (--): length(regexall("--", var.prefix)) == 0 + # - Starts with a lowercase letter: [a-z] + # - Contains only lowercase letters (a–z), digits (0–9), and hyphens (-) + # - Must not end with a hyphen (-): [a-z0-9] + condition = (var.prefix == null || var.prefix == "" ? true : alltrue([ - can(regex("^[a-z]{0,1}[-a-z0-9]{0,14}[a-z0-9]{0,1}$", var.prefix)), - length(regexall("^.*--.*", var.prefix)) == 0 + can(regex("^[a-z][-a-z0-9]*[a-z0-9]$", var.prefix)), + length(regexall("--", var.prefix)) == 0 ]) ) - error_message = "Prefix must begin with a lowercase letter, contain only lowercase letters, numbers, and - characters. Prefixes must end with a lowercase letter or number and be 16 or fewer characters." + error_message = "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--')." 
+ } + + validation { + # must not exceed 16 characters in length + condition = length(var.prefix) <= 16 + error_message = "Prefix must not exceed 16 characters." } } @@ -115,7 +127,7 @@ variable "service_credential_names" { variable "admin_pass" { type = string - description = "The password for the database administrator. If the admin password is null then the admin user ID cannot be accessed. More users can be specified in a user block." + description = "The password for the database administrator. If no admin password is provided (i.e., it is null), one will be generated automatically. Additional users can be added using a user block." default = null sensitive = true } @@ -132,13 +144,13 @@ variable "users" { description = "A list of users that you want to create on the database. Users block is supported by MongoDB version >= 6.0. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service_credential_names) is sufficient to control access to the MongoDB instance. This blocks creates native MongoDB database users. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/fully-configurable/DA-types.md#users)" } -variable "mongodb_resource_tags" { +variable "resource_tags" { type = list(string) description = "The list of tags to be added to the Databases for MongoDB instance." default = [] } -variable "mongodb_access_tags" { +variable "access_tags" { type = list(string) description = "A list of access tags to apply to the Databases for MongoDB instance created by the solution. [Learn more](https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial)." default = [] 
@@ -152,11 +164,6 @@ variable "existing_kms_instance_crn" { type = string description = "The CRN of a Key Protect or Hyper Protect Crypto Services instance. Required to create a new encryption key and key ring which will be used to encrypt both deployment data and backups. To use an existing key, pass values for `existing_kms_key_crn` and/or `existing_backup_kms_key_crn`. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." default = null - - validation { - condition = var.existing_mongodb_instance_crn != null ? var.existing_kms_instance_crn == null : true - error_message = "When using an existing mongodb instance 'existing_kms_instance_crn' should not be set" - } } variable "existing_kms_key_crn" { 
@@ -200,13 +207,8 @@ variable "key_name" { variable "existing_backup_kms_key_crn" { type = string - description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if `use_ibm_owned_encryption_key` is false. If no value is passed, the value of `existing_kms_key_crn` is used. If no value is passed for `existing_kms_key_crn`, a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." + description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. If no value is passed, the value of `existing_kms_key_crn` is used. If no value is passed for `existing_kms_key_crn`, a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." default = null - - validation { - condition = var.existing_mongodb_instance_crn != null ? 
var.existing_backup_kms_key_crn == null : true - error_message = "When using an existing mongodb instance 'existing_backup_kms_key_crn' should not be set" - } } variable "backup_crn" { diff --git a/tests/pr_test.go b/tests/pr_test.go index 86b0b56e..243feb10 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -94,7 +94,7 @@ func TestRunFullyConfigurableSolutionSchematics(t *testing.T) { options.TerraformVars = []testschematic.TestSchematicTerraformVar{ {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, - {Name: "mongodb_access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"}, + {Name: "access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"}, {Name: "kms_encryption_enabled", Value: true, DataType: "bool"}, {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"}, {Name: "kms_endpoint_type", Value: "private", DataType: "string"}, @@ -127,7 +127,7 @@ func TestRunSecurityEnforcedUpgradeSolution(t *testing.T) { options.TerraformVars = map[string]interface{}{ "prefix": options.Prefix, - "mongodb_access_tags": permanentResources["accessTags"], + "access_tags": permanentResources["accessTags"], "existing_kms_instance_crn": permanentResources["hpcs_south_crn"], "existing_resource_group_name": resourceGroup, } 
@@ -178,7 +178,7 @@ func TestRunSecurityEnforcedSolutionSchematics(t *testing.T) { options.TerraformVars = []testschematic.TestSchematicTerraformVar{ {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, - {Name: "mongodb_access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"}, + {Name: "access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"}, {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"}, {Name: "kms_endpoint_type", Value: "private", DataType: "string"}, {Name: "mongodb_version", Value: "7.0", DataType: "string"}, // Always lock this test into the latest supported MongoDB version diff --git a/variables.tf b/variables.tf index 63cd446e..cef419dd 100644 --- a/variables.tf +++ b/variables.tf @@ -55,7 +55,7 @@ variable "members" { type = number description = "The number of members that are allocated. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-resources-scaling)" default = 3 - # Validation is done in the Terraform plan phase by the IBM provider, so no need to add extra validation here. + # Validation is done in terraform plan phase by IBM provider, so no need to add any extra validation here } variable "cpu_count" { @@ -118,8 +118,8 @@ variable "service_credential_names" { variable "service_endpoints" { type = string - description = "The type of endpoint of the database instance. Possible values: `public`, `private`, `public-and-private`." - default = "public" + description = "Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'." + default = "private" validation { condition = can(regex("public|public-and-private|private", var.service_endpoints)) 
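Review bot: The `service_endpoints` validation in the `@@ -118,8 +118,8 @@` hunk is an unanchored regex, `can(regex("public|public-and-private|private", var.service_endpoints))`, so any string containing one of those words passes while the new description promises only three supported values. Replace it with `condition = contains(["public", "private", "public-and-private"], var.service_endpoints)` so a misspelling such as `privat3` or `not-private` fails at plan time rather than reaching the provider. The `error_message` of that validation block is outside the hunk. As a point of style, the new description quotes values with single quotes while the other descriptions on this page use backticks.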
@@ -128,7 +128,7 @@ variable "service_endpoints" { } variable "tags" { - type = list(any) + type = list(string) description = "Optional list of tags to be added to the MongoDB instance." default = [] } @@ -291,7 +291,7 @@ variable "cbr_rules" { })) }))) })) - description = "(Optional, list) List of context-based restrictions rules to create." + description = "(Optional, list) List of CBR rules to create" default = [] # Validation happens in the rule module } diff --git a/version.tf b/version.tf index 1769e9b3..857e2b1c 100644 --- a/version.tf +++ b/version.tf @@ -1,10 +1,10 @@ terraform { required_version = ">= 1.9.0" required_providers { - # Use "greater than or equal to" range in modules ibm = { - source = "IBM-Cloud/ibm" - version = ">= 1.79.2, < 2.0.0" + source = "IBM-Cloud/ibm" + # Use "greater than or equal to" range in modules + version = ">= 1.79.2, <2.0.0" } time = { source = "hashicorp/time" From f77847bc4a3bf7ce6a8ff21637a7f2ceb34f7788 Mon Sep 17 00:00:00 2001 From: whoffler Date: Fri, 27 Jun 2025 09:06:44 +0100 Subject: [PATCH 11/15] update diagram --- reference-architecture/deployable-architecture-mongodb.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference-architecture/deployable-architecture-mongodb.svg b/reference-architecture/deployable-architecture-mongodb.svg index 811a2eed..399acad1 100644 --- a/reference-architecture/deployable-architecture-mongodb.svg +++ b/reference-architecture/deployable-architecture-mongodb.svg @@ -1,4 +1,4 @@ -IBM CloudRegionResource GroupDatabase for MongoDB
MDB
MDB
[Optional] KMS
[Optional] KMS
Key Ring
Key Ring
redis-key
Text is not SVG - cannot display
\ No newline at end of file
+IBM CloudRegionResource GroupDatabase for MongoDB
MDB
MDB
[Optional] KMS
[Optional] KMS
Key Ring
Key Ring
mongodb-key
Text is not SVG - cannot display
\ No newline at end of file From db0267331a10c5023f8e7d290217cd1a216430ea Mon Sep 17 00:00:00 2001 From: whoffler Date: Fri, 27 Jun 2025 10:35:23 +0100 Subject: [PATCH 12/15] remove default version from ibmcatalog --- ibm_catalog.json | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index 32b19993..a3fff8ba 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -202,13 +202,8 @@ }, { "key": "mongodb_version", - "required": false, - "default_value": "__NULL__", + "required": true, "options": [ - { - "displayname": "preferred", - "value": "__NULL__" - }, { "displayname": "6.0", "value": "6.0" @@ -524,13 +519,8 @@ }, { "key": "mongodb_version", - "required": false, - "default_value": "__NULL__", + "required": true, "options": [ - { - "displayname": "preferred", - "value": "__NULL__" - }, { "displayname": "6.0", "value": "6.0" From 62fac0556980342eef374c9c05fbb0387dc88c3a Mon Sep 17 00:00:00 2001 From: whoffler Date: Fri, 27 Jun 2025 12:40:48 +0100 Subject: [PATCH 13/15] sync variable descriptions --- solutions/fully-configurable/variables.tf | 2 +- solutions/security-enforced/variables.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index de75e41b..71b59ba8 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -66,7 +66,7 @@ variable "existing_mongodb_instance_crn" { } variable "mongodb_version" { - description = "The version of the Databases for MongoDB instance. If no value is specified, the current preferred version of Databases for MongoDB is used." + description = "The version of the Databases for MongoDB instance." type = string default = null } diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf index ec8010a8..22f0e26f 100644 --- a/solutions/security-enforced/variables.tf 
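Review bot: Marking `mongodb_version` as `"required": true` in both flavor sections of ibm_catalog.json while the Terraform variable keeps `default = null` leaves the two contracts out of step: catalog users must choose 6.0 or 7.0, but anyone applying the solution directly can still pass nothing, and the PATCH 13 hunks for both solutions' variables.tf (this line and the next) remove the sentence that said null selects the preferred version. Either keep that sentence in the description, or add to the variable `validation { condition = var.mongodb_version == null || contains(["6.0", "7.0"], var.mongodb_version) }` with an error message naming the supported versions, so the documented behaviour matches the catalog.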
+++ b/solutions/security-enforced/variables.tf @@ -49,7 +49,7 @@ variable "name" { } variable "region" { - description = "The region to provision all resources in. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/region) about how to select different regions for different services." + description = "The region where you want to deploy your instance." type = string default = "us-south" } @@ -61,7 +61,7 @@ variable "existing_mongodb_instance_crn" { } variable "mongodb_version" { - description = "The version of the Databases for MongoDB instance. If no value is specified, the current preferred version of Databases for MongoDB is used." + description = "The version of the Databases for MongoDB instance." type = string default = null } From 785b430c2259697a9a29afc2c6e8f701b995b482 Mon Sep 17 00:00:00 2001 From: whoffler Date: Fri, 27 Jun 2025 15:01:04 +0100 Subject: [PATCH 14/15] address feedback --- .catalog-onboard-pipeline.yaml | 8 ++++++++ cra-config.yaml | 8 ++++---- ibm_catalog.json | 6 +++--- .../catalogValidationValues.json.template | 2 +- solutions/fully-configurable/variables.tf | 4 ++-- .../catalogValidationValues.json.template | 2 +- solutions/security-enforced/variables.tf | 6 +++--- 7 files changed, 22 insertions(+), 14 deletions(-) diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml index 80919308..6429c8bd 100644 --- a/.catalog-onboard-pipeline.yaml +++ b/.catalog-onboard-pipeline.yaml @@ -12,3 +12,11 @@ offerings: scc: instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37 region: us-south + scope_resource_group_var_name: existing_resource_group_name + - name: security-enforced + mark_ready: true + install_type: fullstack + scc: + instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37 + region: us-south + scope_resource_group_var_name: existing_resource_group_name diff --git a/cra-config.yaml b/cra-config.yaml index 3b509987..94512617 100644 --- a/cra-config.yaml +++ b/cra-config.yaml 
@@ -1,10 +1,10 @@ # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml version: "v1" CRA_TARGETS: - - CRA_TARGET: "solutions/fully-configurable" - CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" - PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3" # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile). - CRA_ENVIRONMENT_VARIABLES: + - CRA_TARGET: "solutions/fully-configurable" # Target directory for CRA scan. If not provided, the CRA Scan will not be run. + CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json` + PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3" # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile). + CRA_ENVIRONMENT_VARIABLES: # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs. TF_VAR_existing_kms_instance_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9::" TF_VAR_existing_resource_group_name: "geretain-test-redis" TF_VAR_kms_encryption_enabled: true diff --git a/ibm_catalog.json b/ibm_catalog.json index a3fff8ba..76cfa559 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -514,9 +514,6 @@ } ] }, - { - "key": "plan" - }, { "key": "mongodb_version", "required": true, @@ -531,6 +528,9 @@ } ] }, + { + "key": "plan" + }, { "key": "name" }, diff --git a/solutions/fully-configurable/catalogValidationValues.json.template b/solutions/fully-configurable/catalogValidationValues.json.template index 85531edd..36858b29 100644 --- a/solutions/fully-configurable/catalogValidationValues.json.template +++ b/solutions/fully-configurable/catalogValidationValues.json.template 
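Review bot: The context line `TF_VAR_existing_resource_group_name: "geretain-test-redis"` still points the CRA scan at a Redis-named resource group, while both `catalogValidationValues.json.template` files in this same commit switch to `"geretain-test-mongo"`; if the scan is meant to use the same group, change it to `TF_VAR_existing_resource_group_name: "geretain-test-mongo"`. The added trailing comments are accurate but push every line well past reading width; placing each comment on the line above its key would keep the file readable.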
@@ -3,7 +3,7 @@ "region": "us-south", "resource_tags": $TAGS, "name": $PREFIX, - "existing_resource_group_name": $PREFIX, + "existing_resource_group_name": "geretain-test-mongo", "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN, "kms_encryption_enabled": true } diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 71b59ba8..3f2c46e9 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -122,7 +122,7 @@ variable "member_cpu_count" { variable "member_disk_mb" { type = number description = "The disk that is allocated per member. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-resources-scaling)." - default = 10240 + default = 5120 } variable "member_host_flavor" { @@ -158,7 +158,7 @@ variable "users" { })) default = [] sensitive = true - description = "A list of users that you want to create on the database. Users block is supported by MongoDB version >= 6.0. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service_credential_names) is sufficient to control access to the MongoDB instance. This blocks creates native MongoDB database users. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/fully-configurable/DA-types.md#users)" + description = "A list of users that you want to create on the database. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service_credential_names) is sufficient to control access to the MongoDB instance. This blocks creates native MongoDB database users. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/fully-configurable/DA-types.md#users)" } variable "resource_tags" { 
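Review bot: The rewritten `users` description in the `@@ -158,7 +158,7 @@` hunk keeps two grammar slips from the old text, `in most case` and `This blocks creates`; suggest `Be warned that in most cases using IAM service credentials (via var.service_credential_names) is sufficient to control access to the MongoDB instance. This block creates native MongoDB database users.` The same wording appears in the security-enforced `@@ -141,7 +141,7 @@` hunk two lines below and should be fixed there too. Since the catalog now only offers 6.0 and 7.0, dropping the "supported by MongoDB version >= 6.0" sentence is consistent.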
diff --git a/solutions/security-enforced/catalogValidationValues.json.template b/solutions/security-enforced/catalogValidationValues.json.template index 5d462e78..a343dbee 100644 --- a/solutions/security-enforced/catalogValidationValues.json.template +++ b/solutions/security-enforced/catalogValidationValues.json.template @@ -3,6 +3,6 @@ "region": "us-south", "resource_tags": $TAGS, "name": $PREFIX, - "existing_resource_group_name": $PREFIX, + "existing_resource_group_name": "geretain-test-mongo", "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN } diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf index 22f0e26f..43d2a0b3 100644 --- a/solutions/security-enforced/variables.tf +++ b/solutions/security-enforced/variables.tf @@ -105,7 +105,7 @@ variable "member_cpu_count" { variable "member_disk_mb" { type = number description = "The disk that is allocated per member. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-resources-scaling)." - default = 10240 + default = 5120 } variable "member_host_flavor" { 
@@ -141,7 +141,7 @@ variable "users" { })) default = [] sensitive = true - description = "A list of users that you want to create on the database. Users block is supported by MongoDB version >= 6.0. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service_credential_names) is sufficient to control access to the MongoDB instance. This blocks creates native MongoDB database users. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/fully-configurable/DA-types.md#users)" + description = "A list of users that you want to create on the database. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service_credential_names) is sufficient to control access to the MongoDB instance. This blocks creates native MongoDB database users. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mongodb/blob/main/solutions/fully-configurable/DA-types.md#users)" } variable "resource_tags" { 
@@ -207,7 +207,7 @@ variable "key_name" { variable "existing_backup_kms_key_crn" { type = string - description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. If no value is passed, the value of `existing_kms_key_crn` is used. If no value is passed for `existing_kms_key_crn`, a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Alternatively set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)." + description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. If no value is passed, the value of `existing_kms_key_crn` is used. If no value is passed for `existing_kms_key_crn`, a new key will be created in the instance specified in the `existing_kms_instance_crn` input." default = null } From 450aeacb21770ec9077122406e483e94d52bd830 Mon Sep 17 00:00:00 2001 From: whoffler Date: Fri, 27 Jun 2025 15:05:35 +0100 Subject: [PATCH 15/15] update default member_disk_mb --- solutions/fully-configurable/variables.tf | 2 +- solutions/security-enforced/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 3f2c46e9..cc668cb0 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf 
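Review bot: The shortened `existing_backup_kms_key_crn` description drops the caveat that backup encryption with your own key is only available in certain regions, along with the two documentation links; for a flavor named security-enforced that is precisely the caveat a user supplying a backup key needs. Suggest keeping one sentence, `Bear in mind that backup encryption is only available in certain regions.`, with the two links retained, so the region limitation stays visible. Dropping the mention of `use_default_backup_encryption_key` is fine only if that variable no longer exists in this flavor; if it does, the alternative should still be named here.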
@@ -122,7 +122,7 @@ variable "member_cpu_count" { variable "member_disk_mb" { type = number description = "The disk that is allocated per member. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-resources-scaling)." - default = 5120 + default = 10240 } variable "member_host_flavor" { diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf index 43d2a0b3..c800af37 100644 --- a/solutions/security-enforced/variables.tf +++ b/solutions/security-enforced/variables.tf @@ -105,7 +105,7 @@ variable "member_cpu_count" { variable "member_disk_mb" { type = number description = "The disk that is allocated per member. [Learn more](https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-resources-scaling)." - default = 5120 + default = 10240 } variable "member_host_flavor" {