feat: added new FSCloud submodule (#18)

Author: Aayush-Abhyarthi

.github/settings.yml

@@ -15,15 +15,15 @@ repository:
   # By changing this field, you rename the repository.
 
   # Uncomment this name property and set the name to the current repo name.
-  # name: ""
+  name: "terraform-ibm-icd-rabbitmq"
 
   # The description is displayed under the repository name on the
   # organization page and in the 'About' section of the repository.
 
   # Uncomment this description property
   # and update the description to the current repo description.
-  # description: ""
+  description: "Implements an instance of the IBM Cloud Databases for RabbitMQ."
 
   # Uncomment this topics property
   # and add a comma-separated list of topics to set on the repo.
-  # topics: terraform, ibm-cloud, terraform-module
+  topics: core-team, terraform, ibm-cloud, terraform-module, ibm-database, icd, icd-rabbitmq, supported, graduated

README.md

@@ -39,6 +39,7 @@ You need the following permissions to run this module.
 
 - [ Basic example](examples/basic)
 - [ Complete example with BYOK encryption, CBR rules, autoscaling, and service credentials creation](examples/complete)
+- [ Financial Services Cloud profile example with autoscaling enabled](examples/fscloud)
 <!-- END EXAMPLES HOOK -->
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ### Requirements

cra-config.yaml

@@ -1,11 +1,9 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "examples/complete" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
-    CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
-    # CRA_ENVIRONMENT_VARIABLES:  # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
-    #   TF_VAR_sample: "sample value"
-    #   TF_VAR_other:  "another value"
-    # SCC_INSTANCE_ID: "" # The SCC instance ID to use to download profile for CRA scan. If not provided, a default global value will be used.
-    # SCC_REGION: "" # The IBM Cloud region that the SCC instance is in. If not provided, a default global value will be used.
-    # PROFILE_ID: "" # The Profile ID input for CRA SCC scan. If not provided, a default global value will be used.
+  - CRA_TARGET: "examples/fscloud"
+    CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json"
+    PROFILE_ID: "0e6e7b5a-817d-4344-ab6f-e5d7a9c49520" # SCC profile ID (currently set to the FSCloud 1.4.0 profile).
+    CRA_ENVIRONMENT_VARIABLES:
+      TF_VAR_existing_kms_instance_guid: "e6dce284-e80f-46e1-a3c1-830f7adff7a9"
+      TF_VAR_kms_key_crn:  "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533"

examples/fscloud/README.md

@@ -0,0 +1,19 @@
+# Financial Services Cloud profile example with autoscaling enabled
+
+An end-to-end example that uses the [Profile for IBM Cloud Framework for Financial Services](../../modules/fscloud/) to deploy an instance of IBM Cloud Databases for RabbitMQ.
+
+The example uses the IBM Cloud Terraform provider to create the following infrastructure:
+
+- A resource group, if one is not passed in.
+- An IAM authorization between all RabbitMQ database instances in the given resource group, and the Hyper Protect Crypto Services instance that is passed in.
+- An IBM Cloud Databases RabbitMQ database instance that is encrypted with the Hyper Protect Crypto Services root key that is passed in.
+- Autoscaling rules for the IBM Cloud Databases RabbitMQ database instance.
+- Service Credentials for the RabbitMQ database instance.
+- A sample virtual private cloud (VPC).
+- A context-based restriction (CBR) rule to only allow RabbitMQ to be accessible from within the VPC.
+
+:exclamation: **Important:** In this example, only the IBM Cloud Databases for RabbitMQ instance complies with the IBM Cloud Framework for Financial Services. Other parts of the infrastructure do not necessarily comply.
+
+## Before you begin
+
+- You need a Hyper Protect Crypto Services instance and root key available in the region that you want to deploy your RabbitMQ database instance to.

examples/fscloud/main.tf

@@ -0,0 +1,87 @@
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.0"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##############################################################################
+# Get Cloud Account ID
+##############################################################################
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
+##############################################################################
+# VPC
+##############################################################################
+resource "ibm_is_vpc" "example_vpc" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+resource "ibm_is_subnet" "testacc_subnet" {
+  name                     = "${var.prefix}-subnet"
+  vpc                      = ibm_is_vpc.example_vpc.id
+  zone                     = "${var.region}-1"
+  total_ipv4_address_count = 256
+  resource_group           = module.resource_group.resource_group_id
+}
+
+##############################################################################
+# Create CBR Zone
+##############################################################################
+module "cbr_zone" {
+  source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
+  version          = "1.15.1"
+  name             = "${var.prefix}-VPC-network-zone"
+  zone_description = "CBR Network zone representing VPC"
+  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+  addresses = [{
+    type  = "vpc", # to bind a specific vpc to the zone
+    value = ibm_is_vpc.example_vpc.crn,
+  }]
+}
+
+##############################################################################
+# Postgres Instance
+##############################################################################
+
+module "rabbitmq_database" {
+  source                     = "../../modules/fscloud"
+  resource_group_id          = module.resource_group.resource_group_id
+  instance_name              = "${var.prefix}-rabbitmq"
+  region                     = var.region
+  rabbitmq_version           = var.rabbitmq_version
+  kms_key_crn                = var.kms_key_crn
+  existing_kms_instance_guid = var.existing_kms_instance_guid
+  service_credential_names   = var.service_credential_names
+  endpoints                  = var.endpoints
+  tags                       = var.tags
+  access_tags                = var.access_tags
+  auto_scaling               = var.auto_scaling
+  cbr_rules = [
+    {
+      description      = "${var.prefix}-rabbitmq access only from vpc"
+      enforcement_mode = "enabled"
+      account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
+      rule_contexts = [{
+        attributes = [
+          {
+            "name" : "endpointType",
+            "value" : "private"
+          },
+          {
+            name  = "networkZoneId"
+            value = module.cbr_zone.zone_id
+        }]
+      }]
+    }
+  ]
+}

examples/fscloud/outputs.tf

@@ -0,0 +1,17 @@
+##############################################################################
+# Outputs
+##############################################################################
+output "id" {
+  description = "RabbitMQ instance id"
+  value       = module.rabbitmq_database.id
+}
+
+output "guid" {
+  description = "RabbitMQ instance guid"
+  value       = module.rabbitmq_database.guid
+}
+
+output "version" {
+  description = "RabbitMQ instance version"
+  value       = module.rabbitmq_database.version
+}

examples/fscloud/provider.tf

@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}

examples/fscloud/variables.tf

@@ -0,0 +1,96 @@
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API Key"
+  sensitive   = true
+}
+
+variable "region" {
+  type        = string
+  description = "Region to provision all resources created by this example"
+  default     = "us-south"
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix to append to all resources created by this example"
+  default     = "fs-cloud"
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}
+
+variable "existing_kms_instance_guid" {
+  description = "The GUID of the Hyper Protect Crypto service in which the key specified in var.kms_key_crn is coming from"
+  type        = string
+}
+
+variable "kms_key_crn" {
+  type        = string
+  description = "The root key CRN of a Hyper Protect Crypto Service (HPCS) that you want to use for disk encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs&interface=ui for more information on integrating HPCS with RabbitMQ instance."
+}
+
+variable "rabbitmq_version" {
+  type        = string
+  description = "The version of RabbitMQ to deploy. If no value passed, the current ICD preferred version is used."
+  default     = null
+}
+
+variable "auto_scaling" {
+  type = object({
+    disk = object({
+      capacity_enabled             = optional(bool, false)
+      free_space_less_than_percent = optional(number, 10)
+      io_above_percent             = optional(number, 90)
+      io_enabled                   = optional(bool, false)
+      io_over_period               = optional(string, "15m")
+      rate_increase_percent        = optional(number, 10)
+      rate_limit_mb_per_member     = optional(number, 3670016)
+      rate_period_seconds          = optional(number, 900)
+      rate_units                   = optional(string, "mb")
+    })
+    memory = object({
+      io_above_percent         = optional(number, 90)
+      io_enabled               = optional(bool, false)
+      io_over_period           = optional(string, "15m")
+      rate_increase_percent    = optional(number, 10)
+      rate_limit_mb_per_member = optional(number, 114688)
+      rate_period_seconds      = optional(number, 900)
+      rate_units               = optional(string, "mb")
+    })
+  })
+  description = "Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://cloud.ibm.com/docs/messages-for-rabbitmq?topic=messages-for-rabbitmq-autoscaling in the IBM Cloud Docs."
+  default     = null
+}
+
+variable "service_credential_names" {
+  description = "Map of name, role for service credentials that you want to create for the database"
+  type        = map(string)
+  default     = {}
+}
+
+variable "endpoints" {
+  description = "Endpoints available to the database instance (public, private, public-and-private)"
+  type        = string
+  default     = "private"
+}
+
+variable "tags" {
+  type        = list(any)
+  description = "Optional list of tags to be added to the RabbitMQ instance."
+  default     = []
+}
+
+variable "access_tags" {
+  type        = list(string)
+  description = "A list of access tags to apply to the rabbitmq instance created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details"
+  default     = []
+}

examples/fscloud/version.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.0, <1.6.0"
+  required_providers {
+    # Use latest version of provider in non-basic examples to verify latest version works with module
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = ">= 1.56.1, <2.0.0"
+    }
+  }
+}

main.tf

@@ -42,7 +42,6 @@ resource "time_sleep" "wait_for_authorization_policy" {
   create_duration = "30s"
 }
 
-
 resource "ibm_database" "rabbitmq_database" {
   depends_on                = [ibm_iam_authorization_policy.kms_policy]
   name                      = var.instance_name
@@ -88,7 +87,7 @@ resource "ibm_database" "rabbitmq_database" {
   }
 
   ## This for_each block is NOT a loop to attach to multiple auto_scaling blocks.
-  ## This block is only used to conditionally add auto_scaling block depending on var.auto_scaling
+  ## This block is only used to conditionally add auto_scaling block depending on var.auto_scaling.
   dynamic "auto_scaling" {
     for_each = local.auto_scaling_enabled
     content {