diff --git a/ibm_catalog.json b/ibm_catalog.json index 3206402..c8678de 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -30,6 +30,10 @@ { "title": "Logs Agent", "description": "Deploys the IBM Logs Agent on a [Red Hat OpenShift Cluster](https://cloud.ibm.com/docs/openshift) or [Kubernetes Service](https://cloud.ibm.com/docs/containers?topic=containers-getting-started)." + }, + { + "title": "Trusted Profile", + "description": "Creates a trusted profile with Sender Role access to Cloud Logs for the provided cluster if existing trusted profile ID is not provided and IAM mode is TrustedProfile." } ], "flavors": [ @@ -53,9 +57,9 @@ "service_name": "containers-kubernetes", "role_crns": [ "crn:v1:bluemix:public:iam::::serviceRole:Manager", - "crn:v1:bluemix:public:iam::::role:Viewer" + "crn:v1:bluemix:public:iam::::role:Editor" ], - "notes": "Required to create and edit Logs Agent related resources." + "notes": "Required to create and edit Logs Agent related resources. Editor access is required only if you are provisioning cluster." }, { "role_crns": [ 
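Review bot: The `containers-kubernetes` entry now lists `role:Editor` unconditionally while its own note says Editor is needed only when provisioning the cluster, so users of the agent-only path are asked for more than the `Viewer` access that was sufficient before. Every other conditional permission in this file is a separate entry prefixed `[Optional]`, and the same convention fits here: keep `"crn:v1:bluemix:public:iam::::role:Viewer"` in this entry and add a second `containers-kubernetes` entry carrying `role:Editor` with a note like `[Optional] Required only when the cluster is provisioned through the OpenShift dependency.`.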
@@ -63,6 +67,122 @@ ], "service_name": "Resource group only", "notes": "Viewer access is required in the resource group you want to provision in." + }, + { + "service_name": "logs", + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "notes": "[Optional] Required to create an instance of Cloud Logs." + }, + { + "service_name": "logs-router", + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager" + ], + "notes": "[Optional] Required for configuring Cloud Logs routing." + }, + { + "service_name": "sysdig-monitor", + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "notes": "[Optional] Required to create an instance of Cloud Monitoring." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "sysdig-secure", + "notes": "[Optional] Required for creating and managing SCC Workload Protection instance." + }, + { + "service_name": "iam-identity", + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator", + "crn:v1:bluemix:public:iam-identity::::serviceRole:UserApiKeyCreator" + ], + "notes": "[Optional] Required to create the containers-kubernetes-key needed by the OpenShift cluster on IBM Cloud." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator" + ], + "service_name": "All Account Management services", + "notes": "[Optional] Required to create new resource groups when enabling the Account Configuration integration." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator" + ], + "service_name": "All Identity and Access enabled services", + "notes": "[Optional] Required to create new resource groups with account settings when enabling the Account Configuration integration." 
+ }, + { + "service_name": "is.vpc", + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator" + ], + "notes": "[Optional] Required for creating Virtual Private Cloud(VPC)." + }, + { + "service_name": "cloud-object-storage", + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "notes": "[Optional] Required to create Cloud Object Storage (COS) Instance." + }, + { + "service_name": "hs-crypto", + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "notes": "[Optional] Required if KMS encryption is enabled and IBM Hyper Protect Crypto Services is used to encrypt the Kubernetes Secrets and Object Storage bucket." + }, + { + "service_name": "kms", + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "notes": "[Optional] Required if Key Protect is used for encryption for Kubernetes Secrets and Object Storage bucket." + }, + { + "service_name": "atracker", + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Writer", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "notes": "[Optional] Required to set up Activity Tracker event routing of auditing events." + }, + { + "service_name": "secrets-manager", + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator", + "crn:v1:bluemix:public:iam::::serviceRole:Manager" + ], + "notes": "[Optional] Required when enabling the Secrets Manager integration for the cluster." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator", + "crn:v1:bluemix:public:iam::::serviceRole:Manager" + ], + "service_name": "apprapp", + "notes": "[Optional] Required for provisioning the App Configuration instance." 
+ }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "event-notifications", + "notes": "[Optional] Required when enabling the Event Notifications integration for secrets manager." } ], "architecture": { @@ -88,6 +208,17 @@ "key": "ibmcloud_api_key", "required": true }, + { + "key": "prefix", + "required": true, + "value_constraints": [ + { + "type": "regex", + "description": "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--'). It should not exceed 16 characters", + "value": "^$|^__NULL__$|^[a-z](?!.*--)(?:[a-z0-9-]{0,14}[a-z0-9])?$" + } + ] + }, { "key": "cluster_id", "custom_config": { @@ -117,6 +248,22 @@ "key": "is_ocp_cluster", "required": true }, + { + "key": "region", + "type": "string", + "custom_config": { + "config_constraints": { + "generationType": "2" + }, + "grouping": "deployment", + "original_grouping": "deployment", + "type": "vpc_region" + }, + "description": "Region in which Cloud Logs instance or OpenShift Cluster will be deployed. [Learn More](https://terraform-ibm-modules.github.io/documentation/#/region).", + "virtual": true, + "required": true, + "default_value": "us-south" + }, { "key": "cloud_logs_ingress_endpoint", "required": true 
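Review bot: The `iam-identity` entry is marked `[Optional]` and explains only the `containers-kubernetes-key`, but this same change makes `solutions/fully-configurable/main.tf` create a trusted profile, its compute-resource links and a Cloud Logs `Sender` policy whenever `logs_agent_iam_mode` is `TrustedProfile` and no profile ID is supplied, which needs identity permissions even with the OpenShift dependency disabled. Suggest a separate, non-optional `iam-identity` entry listing the roles the trusted-profile module actually requires (verify against that module) with a note such as `Required to create the trusted profile used by the Logs Agent when logs_agent_trusted_profile_id is not provided.`. The `All Identity and Access enabled services` / `role:Administrator` entry is account-wide, yet its note repeats the resource-group reason already given for `All Account Management services`; it should state what additionally needs that scope or be dropped so the permission list stays least-privilege.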
@@ -301,6 +448,367 @@ { "key": "enable_multiline" }, + { + "key": "cluster_name", + "type": "string", + "required": true, + "virtual": true, + "default_value": "openshift", + "description": "The name of the OpenShift Cluster." + }, + { + "key": "openshift_version", + "type": "string", + "required": true, + "virtual": true, + "default_value": "4.18", + "options": [ + { + "displayname": "4.18", + "value": "4.18" + }, + { + "displayname": "4.17", + "value": "4.17" + }, + { + "displayname": "4.16", + "value": "4.16" + } + ], + "description": "The version of the OpenShift Cluster." + }, + { + "key": "default_worker_pool_machine_type", + "required": true, + "virtual": true, + "default_value": "bx2.8x32", + "options": [ + { + "displayname": "bx2.16x64", + "value": "bx2.16x64" + }, + { + "displayname": "bx2.32x128", + "value": "bx2.32x128" + }, + { + "displayname": "bx2.48x192", + "value": "bx2.48x192" + }, + { + "displayname": "bx2.8x32", + "value": "bx2.8x32" + }, + { + "displayname": "bx3d.128x640", + "value": "bx3d.128x640" + }, + { + "displayname": "bx3d.16x80", + "value": "bx3d.16x80" + }, + { + "displayname": "bx3d.24x120", + "value": "bx3d.24x120" + }, + { + "displayname": "bx3d.32x160", + "value": "bx3d.32x160" + }, + { + "displayname": "bx3d.48x240", + "value": "bx3d.48x240" + }, + { + "displayname": "bx3d.64x320", + "value": "bx3d.64x320" + }, + { + "displayname": "bx3d.8x40", + "value": "bx3d.8x40" + }, + { + "displayname": "bx3d.96x480", + "value": "bx3d.96x480" + }, + { + "displayname": "cx2.16x32", + "value": "cx2.16x32" + }, + { + "displayname": "cx2.32x64", + "value": "cx2.32x64" + }, + { + "displayname": "cx2.48x96", + "value": "cx2.48x96" + }, + { + "displayname": "cx3d.128x320", + "value": "cx3d.128x320" + }, + { + "displayname": "cx3d.16x40", + "value": "cx3d.16x40" + }, + { + "displayname": "cx3d.24x60", + "value": "cx3d.24x60" + }, + { + "displayname": "cx3d.32x80", + "value": "cx3d.32x80" + }, + { + "displayname": "cx3d.48x120", + "value": 
"cx3d.48x120" + }, + { + "displayname": "cx3d.64x160", + "value": "cx3d.64x160" + }, + { + "displayname": "cx3d.96x240", + "value": "cx3d.96x240" + }, + { + "displayname": "mx2.128x1024", + "value": "mx2.128x1024" + }, + { + "displayname": "mx2.16x128", + "value": "mx2.16x128" + }, + { + "displayname": "mx2.32x256", + "value": "mx2.32x256" + }, + { + "displayname": "mx2.48x384", + "value": "mx2.48x384" + }, + { + "displayname": "mx2.64x512", + "value": "mx2.64x512" + }, + { + "displayname": "mx2.8x64", + "value": "mx2.8x64" + }, + { + "displayname": "mx3d.128x1280", + "value": "mx3d.128x1280" + }, + { + "displayname": "mx3d.24x240", + "value": "mx3d.24x240" + }, + { + "displayname": "mx3d.32x320", + "value": "mx3d.32x320" + }, + { + "displayname": "mx3d.48x480", + "value": "mx3d.48x480" + }, + { + "displayname": "mx3d.64x640", + "value": "mx3d.64x640" + }, + { + "displayname": "mx3d.96x960", + "value": "mx3d.96x960" + }, + { + "displayname": "bx2d.metal.96x384 (Only available in Toronto (ca-tor))", + "value": "bx2d.metal.96x384" + }, + { + "displayname": "cx2d.metal.96x192 (Only available in Toronto (ca-tor)) ", + "value": "cx2d.metal.96x192" + }, + { + "displayname": "mx2d.metal.96x768 (Only available in Toronto (ca-tor))) ", + "value": "mx2d.metal.96x768" + }, + { + "displayname": "mx2.16x128.2000gb (Not available in Sao Paulo (br-sao), Montreal (ca-mon), Madrid (eu-es), Osaka (jp-osa))", + "value": "mx2.16x128.2000gb" + }, + { + "displayname": "ox2.128x1024 (Not available in Sao Paulo (br-sao), Montreal (ca-mon))", + "value": "ox2.128x1024" + }, + { + "displayname": "ox2.16x128 (Not available in Sao Paulo (br-sao), Montreal (ca-mon))", + "value": "ox2.16x128" + }, + { + "displayname": "ox2.32x256 (Not available in Sao Paulo (br-sao), Montreal (ca-mon))", + "value": "ox2.32x256" + }, + { + "displayname": "ox2.64x512 (Not available in Sao Paulo (br-sao), Montreal (ca-mon))", + "value": "ox2.64x512" + }, + { + "displayname": "ox2.8x64 (Not available in Sao Paulo 
(br-sao), Montreal (ca-mon))", + "value": "ox2.8x64" + }, + { + "displayname": "ox2.96x768 (Not available in Sao Paulo (br-sao), Montreal (ca-mon))", + "value": "ox2.96x768" + } + ], + "description": "The machine type for worker nodes.[Learn more](https://cloud.ibm.com/docs/openshift?topic=openshift-vpc-flavors)." + }, + { + "key": "default_worker_pool_workers_per_zone", + "required": true, + "virtual": true, + "type": "number", + "default_value": 2, + "description": "Number of worker nodes in each zone of the cluster." + }, + { + "key": "default_worker_pool_operating_system", + "required": true, + "virtual": true, + "type": "string", + "default_value": "RHCOS", + "options": [ + { + "displayname": "RHEL 9", + "value": "RHEL_9_64" + }, + { + "displayname": "Red Hat CoreOS", + "value": "RHCOS" + }, + { + "displayname": "RHEL 8", + "value": "REDHAT_8_64" + } + ], + "description": "The operating system installed on the worker nodes. [Learn more](https://cloud.ibm.com/docs/openshift?topic=openshift-vpc-flavors)." + }, + { + "key": "allow_public_access_to_cluster", + "type": "boolean", + "required": true, + "virtual": true, + "default_value": false, + "options": [ + { + "displayname": "true", + "value": "true" + }, + { + "displayname": "false", + "value": "false" + } + ], + "description": "When set to `true`, public endpoint will be enabled for the cluster which will allow access to master node of the cluster from outside the VPC network." + }, + { + "key": "allow_outbound_traffic", + "type": "boolean", + "required": true, + "virtual": true, + "default_value": false, + "options": [ + { + "displayname": "true", + "value": "true" + }, + { + "displayname": "false", + "value": "false" + } + ], + "description": "Set to true to allow public outbound access from the cluster workers." 
+ }, + { + "key": "subnets", + "type": "object", + "default_value": "{\n zone-1 = [\n {\n name = \"subnet-a\"\n cidr = \"10.10.10.0/24\"\n public_gateway = true\n acl_name = \"vpc-acl\"\n no_addr_prefix = false\n }\n ],\n zone-2 = [\n {\n name = \"subnet-b\"\n cidr = \"10.20.10.0/24\"\n public_gateway = true\n acl_name = \"vpc-acl\"\n no_addr_prefix = false\n }\n ],\n zone-3 = [\n {\n name = \"subnet-c\"\n cidr = \"10.30.10.0/24\"\n public_gateway = true\n acl_name = \"vpc-acl\"\n no_addr_prefix = false\n }\n ]\n }", + "description": "List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addresses. Public gateways will be enabled only in zones where a gateway has been created. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#subnets-).", + "required": false, + "virtual": true + }, + { + "key": "network_acls", + "type": "list(object)", + "default_value": "[\n {\n name = \"vpc-acl\"\n add_ibm_cloud_internal_rules = true\n add_vpc_connectivity_rules = true\n prepend_ibm_rules = true\n rules = [\n {\n name = \"allow-all-443-inbound\"\n action = \"allow\"\n direction = \"inbound\"\n tcp = {\n port_min = 443\n port_max = 443\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n },\n {\n name = \"allow-all-80-inbound\"\n action = \"allow\"\n direction = \"inbound\"\n tcp = {\n port_min = 80\n port_max = 80\n source_port_min = 80\n source_port_max = 80\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n },\n {\n name = \"allow-all-ingress-inbound\"\n action = \"allow\"\n direction = \"inbound\"\n tcp = {\n source_port_min = 30000\n source_port_max = 32767\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n },\n {\n name = \"allow-all-443-outbound\"\n action = \"allow\"\n direction = \"outbound\"\n tcp = {\n source_port_min = 443\n source_port_max = 443\n }\n destination = \"0.0.0.0/0\"\n 
source = \"0.0.0.0/0\"\n },\n {\n name = \"allow-all-80-outbound\"\n action = \"allow\"\n direction = \"outbound\"\n tcp = {\n source_port_min = 80\n source_port_max = 80\n port_min = 80\n port_max = 80\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n },\n {\n name = \"allow-all-ingress-outbound\"\n action = \"allow\"\n direction = \"outbound\"\n tcp = {\n port_min = 30000\n port_max = 32767\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n }\n ]\n }\n]", + "description": "The list of ACLs to create. Provide at least one rule for each ACL. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#network-acls-).", + "required": false, + "virtual": true, + "custom_config": { + "type": "code_editor", + "grouping": "deployment", + "original_grouping": "deployment" + } + }, + { + "key": "cloud_logs_instance_name", + "type": "string", + "required": true, + "virtual": true, + "default_value": "cloud-logs", + "description": "The name of the Cloud Logs Instance." + }, + { + "key": "secrets_manager_service_plan", + "type": "string", + "required": true, + "virtual": true, + "default_value": "standard", + "options": [ + { + "displayname": "Standard", + "value": "standard" + }, + { + "displayname": "Trial", + "value": "trial" + } + ], + "description": "The pricing plan to use when provisioning a Secrets Manager instance for centrally managing ingress certificates for OpenShift cluster. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)." 
+ }, + { + "key": "enable_platform_metrics", + "type": "boolean", + "default_value": false, + "description": "When set to `true`, the IBM Cloud Monitoring instance will be configured to collect platform metrics from the provided region. ⚠️ You can configure 1 instance only of the IBM Cloud Monitoring service per region to collect platform metrics in that location. Check with the account or service administrator if another monitoring instance has already been configured. You may not have permissions to see all monitoring instances in the region. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-platform_metrics_enabling).", + "required": true, + "virtual": true, + "options": [ + { + "displayname": "true", + "value": "true" + }, + { + "displayname": "false", + "value": "false" + } + ] + }, + { + "key": "logs_routing_tenant_regions", + "type": "array", + "default_value": [], + "description": "To manage platform logs that are generated by IBM Cloud services in a region of IBM Cloud, you must create a tenant in each region that you operate. Pass a list of regions to create a tenant in. For example: [\"us-south\", \"us-east\"]. [Learn more](https://cloud.ibm.com/docs/logs-router?topic=logs-router-about-platform-logs).", + "required": true, + "virtual": true, + "custom_config": { + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "type": "string" + } + } + }, { "key": "provider_visibility", "options": [ 
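Review bot: The `network_acls` default admits inbound `0.0.0.0/0` on TCP 80, 443 and the 30000-32767 range on every subnet, and the `subnets` default sets `public_gateway = true` in all three zones, yet neither description mentions this; the `network_acls` description should state the exposure, e.g. `The default ACL permits inbound 0.0.0.0/0 on ports 80, 443 and 30000-32767; narrow the source CIDRs for production.`. The port pinning in those rules also looks inconsistent: `allow-all-443-inbound` matches the destination port only, `allow-all-80-inbound` additionally requires source port 80, and `allow-all-ingress-inbound` matches only the source port range, so ordinary client traffic on 80 and NodePort traffic on 30000-32767 may not be what these rules admit — worth confirming against the VPC module these defaults were copied from before shipping them as a default. Separately, the `default_worker_pool_machine_type` option `"mx2d.metal.96x768 (Only available in Toronto (ca-tor))) "` has an extra `)` and a trailing space, and `"cx2d.metal.96x192 (Only available in Toronto (ca-tor)) "` also ends in a space, in their `displayname` values.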
@@ -320,6 +828,153 @@ "hidden": true } ], + "dependencies": [ + { + "name": "deploy-arch-ibm-cloud-logs", + "description": "Create IBM Cloud Logs Instance for storing and analysing platform and application logs .", + "id": "63d8ae58-fbf3-41ce-b844-0fb5b85882ab-global", + "version": "v1.6.11", + "flavors": [ + "fully-configurable" + ], + "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", + "optional": true, + "on_by_default": true, + "input_mapping": [ + { + "dependency_input": "region", + "version_input": "region", + "reference_version": true + }, + { + "dependency_input": "prefix", + "version_input": "prefix", + "reference_version": true + }, + { + "dependency_input": "cloud_logs_instance_name", + "version_input": "cloud_logs_instance_name", + "reference_version": true + }, + { + "dependency_output": "cloud_logs_ingress_private_endpoint", + "version_input": "cloud_logs_ingress_endpoint" + }, + { + "dependency_input": "enable_platform_metrics", + "version_input": "enable_platform_metrics", + "reference_version": true + }, + { + "dependency_input": "logs_routing_tenant_regions", + "version_input": "logs_routing_tenant_regions", + "reference_version": true + } + ] + }, + { + "name": "deploy-arch-ibm-slz-ocp", + "description": "Configure the Red Hat OpenShift cluster on which logs agent will be installed.", + "catalog_id": "1082e7d2-5e2f-0a11-a3bc-f88a8e1931fc", + "flavors": [ + "fully-configurable" + ], + "id": "95fccffc-ae3b-42df-b6d9-80be5914d852-global", + "optional": true, + "on_by_default": true, + "input_mapping": [ + { + "dependency_output": "cluster_id", + "version_input": "cluster_id" + }, + { + "dependency_output": "resource_group_id", + "version_input": "cluster_resource_group_id" + }, + { + "version_input": "is_vpc_cluster", + "value": true + }, + { + "dependency_input": "region", + "version_input": "region", + "reference_version": true + }, + { + "dependency_input": "prefix", + "version_input": "prefix", + "reference_version": true + }, + { + 
"dependency_input": "default_worker_pool_machine_type", + "version_input": "default_worker_pool_machine_type", + "reference_version": true + }, + { + "dependency_input": "default_worker_pool_workers_per_zone", + "version_input": "default_worker_pool_workers_per_zone", + "reference_version": true + }, + { + "dependency_input": "default_worker_pool_operating_system", + "version_input": "default_worker_pool_operating_system", + "reference_version": true + }, + { + "dependency_input": "allow_public_access_to_cluster", + "version_input": "allow_public_access_to_cluster", + "reference_version": true + }, + { + "dependency_input": "allow_outbound_traffic", + "version_input": "allow_outbound_traffic", + "reference_version": true + }, + { + "dependency_input": "cluster_config_endpoint_type", + "version_input": "cluster_config_endpoint_type", + "reference_version": true + }, + { + "dependency_input": "enable_platform_metrics", + "version_input": "enable_platform_metrics", + "reference_version": true + }, + { + "dependency_input": "logs_routing_tenant_regions", + "version_input": "logs_routing_tenant_regions", + "reference_version": true + }, + { + "dependency_input": "secrets_manager_service_plan", + "version_input": "secrets_manager_service_plan", + "reference_version": true + }, + { + "dependency_input": "subnets", + "version_input": "subnets", + "reference_version": true + }, + { + "dependency_input": "network_acls", + "version_input": "network_acls", + "reference_version": true + }, + { + "dependency_input": "cluster_name", + "version_input": "cluster_name", + "reference_version": true + }, + { + "dependency_input": "openshift_version", + "version_input": "openshift_version", + "reference_version": true + } + ], + "version": "v3.58.2" + } + ], + "dependency_version_2": true, "terraform_version": "1.10.5" } ] diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index cc01edf..a5991f8 100644 --- a/solutions/fully-configurable/main.tf 
+++ b/solutions/fully-configurable/main.tf
@@ -10,8 +10,46 @@ data "ibm_container_cluster_config" "cluster_config" {
 }
 
 locals {
+ prefix = var.prefix != null ? trimspace(var.prefix) != "" ? "${var.prefix}-" : "" : ""
 cluster_config_endpoint_type = var.cluster_config_endpoint_type
 is_vpc_cluster = var.is_vpc_cluster
+ cloud_logs_instance_id = split(".", var.cloud_logs_ingress_endpoint)[0]
+}
+
+module "trusted_profile" {
+ count = (var.logs_agent_iam_mode == "TrustedProfile" && var.logs_agent_trusted_profile_id == null) ? 1 : 0
+ source = "terraform-ibm-modules/trusted-profile/ibm"
+ version = "3.1.1"
+ trusted_profile_name = "${local.prefix}trusted-profile"
+ trusted_profile_description = "Logs agent Trusted Profile"
+ # As a `Sender`, you can send logs to your IBM Cloud Logs service instance - but not query or tail logs. This role is meant to be used by agents and routers sending logs.
+ trusted_profile_policies = [{
+ unique_identifier = "${local.prefix}-policy-0"
+ roles = ["Sender"]
+ resource_attributes = [
+ {
+ name = "serviceInstance"
+ operator = "stringEquals"
+ value = local.cloud_logs_instance_id
+ },
+ {
+ name = "serviceName"
+ value = "logs"
+ }
+ ]
+ }]
+
+ # Set up fine-grained authorization for `logs-agent` running in ROKS cluster in `ibm-observe` namespace.
+ trusted_profile_links = [{
+ unique_identifier = "${local.prefix}-link-0"
+ cr_type = var.is_ocp_cluster ? "ROKS_SA" : "IKS_SA"
+ links = [{
+ crn = local.is_vpc_cluster ? data.ibm_container_vpc_cluster.cluster[0].crn : data.ibm_container_cluster.cluster[0].crn
+ namespace = var.logs_agent_namespace
+ name = var.logs_agent_name
+ }]
+ }
+ ]
 }
 
 module "logs_agent" {
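Review bot: `unique_identifier = "${local.prefix}-policy-0"` and `"${local.prefix}-link-0"` add a hyphen that `local.prefix` already carries (it is `"${var.prefix}-"` when set), producing `prod--policy-0`, or a leading hyphen `-policy-0` when no prefix is given, while `trusted_profile_name = "${local.prefix}trusted-profile"` a few lines above gets it right; use `"${local.prefix}policy-0"` and `"${local.prefix}link-0"`. `cloud_logs_instance_id = split(".", var.cloud_logs_ingress_endpoint)[0]` silently scopes the `Sender` policy to whatever precedes the first dot, so a value supplied with a scheme or path would yield a policy on a non-existent instance; a comment such as `# assumes the bare ingress hostname whose first label is the Cloud Logs instance GUID — confirm against the Cloud Logs outputs` or a `validation` on that variable would make the assumption explicit. The `serviceName` attribute omits `operator` while `serviceInstance` sets `"stringEquals"`; presumably the module defaults it, but keeping both explicit avoids depending on that. The comment above `trusted_profile_links` names the `ibm-observe` namespace, but the link actually uses `var.logs_agent_namespace`, so the comment should say so.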
@@ -27,7 +65,7 @@ module "logs_agent" {
 logs_agent_init_image_version = var.logs_agent_init_image_version
 logs_agent_name = var.logs_agent_name
 logs_agent_namespace = var.logs_agent_namespace
- logs_agent_trusted_profile_id = var.logs_agent_trusted_profile_id
+ logs_agent_trusted_profile_id = var.logs_agent_iam_mode == "TrustedProfile" ? (var.logs_agent_trusted_profile_id != null ? var.logs_agent_trusted_profile_id : module.trusted_profile[0].trusted_profile.id) : null
 logs_agent_iam_api_key = var.logs_agent_iam_api_key
 logs_agent_tolerations = var.logs_agent_tolerations
 logs_agent_system_logs = var.logs_agent_system_logs
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 245ce84..239d7ea 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
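Review bot: This expression and the module `count` in the previous hunk both treat only `null` as "not provided", so an empty string for `logs_agent_trusted_profile_id` (what a catalog UI or tfvars file typically yields for an unset optional field) skips creating the profile and forwards `""` as the profile ID, which the agent cannot use. Normalize the input once, in the same style as `local.prefix`, e.g. `trusted_profile_id = var.logs_agent_trusted_profile_id == null ? null : (trimspace(var.logs_agent_trusted_profile_id) == "" ? null : var.logs_agent_trusted_profile_id)` in `locals`, then compare `local.trusted_profile_id == null` in the `count` and use `local.trusted_profile_id != null ? local.trusted_profile_id : module.trusted_profile[0].trusted_profile.id` here so both places agree. The `module "logs_agent"` block begins at the hunk header and continues past the hunk.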
@@ -4,6 +4,33 @@ variable "ibmcloud_api_key" {
 sensitive = true
 }
 
+variable "prefix" {
+ type = string
+ nullable = true
+ description = "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To skip using a prefix, set this value to null or an empty string. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md)."
+
+ validation {
+ # - null and empty string is allowed
+ # - Must not contain consecutive hyphens (--): length(regexall("--", var.prefix)) == 0
+ # - Starts with a lowercase letter: [a-z]
+ # - Contains only lowercase letters (a–z), digits (0–9), and hyphens (-)
+ # - Must not end with a hyphen (-): [a-z0-9]
+ condition = (var.prefix == null || var.prefix == "" ? true :
+ alltrue([
+ can(regex("^[a-z][-a-z0-9]*[a-z0-9]$", var.prefix)),
+ length(regexall("--", var.prefix)) == 0
+ ])
+ )
+ error_message = "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--')."
+ }
+
+ validation {
+ # must not exceed 16 characters in length
+ condition = var.prefix == null || var.prefix == "" ? true : length(var.prefix) <= 16
+ error_message = "Prefix must not exceed 16 characters."
+ }
+}
+
 ##############################################################################
 # Cluster variables
 ##############################################################################
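Review bot: The first validation's regex `^[a-z][-a-z0-9]*[a-z0-9]$` requires at least two characters, so a single-letter prefix such as `a` is rejected here while the catalog constraint added in `ibm_catalog.json` (`^$|^__NULL__$|^[a-z](?!.*--)(?:[a-z0-9-]{0,14}[a-z0-9])?$`) accepts it; the two validators should agree, e.g. `can(regex("^[a-z]([-a-z0-9]*[a-z0-9])?$", var.prefix))`. The `description` never mentions the 16-character cap enforced by the second validation, whereas the catalog text does; appending `Must not exceed 16 characters.` to it keeps the two in step.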
@@ -98,12 +125,8 @@ variable "logs_agent_namespace" {
 
 variable "logs_agent_trusted_profile_id" {
 type = string
- description = "The IBM Cloud trusted profile ID. Used only when `logs_agent_iam_mode` is set to `TrustedProfile`. The trusted profile must have an IBM Cloud Logs `Sender` role. Must provide a value for `logs_agent_iam_api_key` if `logs_agent_trusted_profile_id` is null."
+ description = "The IBM Cloud trusted profile ID. Used only when `logs_agent_iam_mode` is set to `TrustedProfile`. The trusted profile must have an IBM Cloud Logs `Sender` role. If `logs_agent_iam_mode` is set to `TrustedProfile` and this value is not provided a new trusted profile will be created."
 default = null
- validation {
- condition = !(var.logs_agent_iam_mode == "TrustedProfile" && var.logs_agent_trusted_profile_id == null)
- error_message = "The `logs_agent_trusted_profile_id` is required when `logs_agent_iam_mode` is set to `TrustedProfile`."
- }
 }
 
 variable "logs_agent_tolerations" {
diff --git a/tests/go.mod b/tests/go.mod
index d515d81..01a5977 100644
--- a/tests/go.mod
+++ b/tests/go.mod
@@ -15,6 +15,7 @@ require (
 github.com/IBM-Cloud/bluemix-go v0.0.0-20240719075425-078fcb3a55be // indirect
 github.com/IBM-Cloud/power-go-client v1.12.0 // indirect
 github.com/IBM/cloud-databases-go-sdk v0.8.0 // indirect
+ github.com/IBM/go-sdk-core v1.1.0 // indirect
 github.com/IBM/go-sdk-core/v5 v5.21.0 // indirect
 github.com/IBM/platform-services-go-sdk v0.86.1 // indirect
 github.com/IBM/project-go-sdk v0.3.6 // indirect
@@ -29,6 +30,7 @@ require (
 github.com/cloudflare/circl v1.6.1 // indirect
 github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
 github.com/emirpasic/gods v1.18.1 // indirect
 github.com/gabriel-vasile/mimetype v1.4.9 // indirect
 github.com/ghodss/yaml v1.0.0 // indirect
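Review bot: The new description promises that a trusted profile `will be created` when this value is not provided, but it does not say what that profile gets — a `Sender` policy scoped to the Cloud Logs instance derived from `cloud_logs_ingress_endpoint` and a compute-resource link to `logs_agent_namespace`/`logs_agent_name` on the target cluster — nor that creating it needs IAM identity permissions the caller may lack. Spelling that out here, and that `null` (not an empty string) is what triggers creation, keeps the variable self-describing now that the validation which enforced a non-null value is gone.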
@@ -98,6 +100,7 @@ require (
 golang.org/x/sys v0.35.0 // indirect
 golang.org/x/text v0.28.0 // indirect
 golang.org/x/tools v0.35.0 // indirect
+ gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
 gopkg.in/warnings.v0 v0.1.2 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/tests/go.sum b/tests/go.sum
index de7fbbb..4bda21e 100644
--- a/tests/go.sum
+++ b/tests/go.sum
@@ -6,6 +6,8 @@ github.com/IBM-Cloud/power-go-client v1.12.0 h1:tF9Mq5GLYHebpzQT6IYB89lIxEST1E9t
 github.com/IBM-Cloud/power-go-client v1.12.0/go.mod h1:SpTK1ttW8bfMNUVQS8qOEuWn2KOkzaCLyzfze8MG1JE=
 github.com/IBM/cloud-databases-go-sdk v0.8.0 h1:uMFqhnc/roVTzfCaUsJ23eaHKjChhGpM1F7Mpxik0bo=
 github.com/IBM/cloud-databases-go-sdk v0.8.0/go.mod h1:JYucI1PdwqbAd8XGdDAchxzxRP7bxOh1zUnseovHKsc=
+github.com/IBM/go-sdk-core v1.1.0 h1:pV73lZqr9r1xKb3h08c1uNG3AphwoV5KzUzhS+pfEqY=
+github.com/IBM/go-sdk-core v1.1.0/go.mod h1:2pcx9YWsIsZ3I7kH+1amiAkXvLTZtAq9kbxsfXilSoY=
 github.com/IBM/go-sdk-core/v5 v5.9.2/go.mod h1:YlOwV9LeuclmT/qi/LAK2AsobbAP42veV0j68/rlZsE=
 github.com/IBM/go-sdk-core/v5 v5.21.0 h1:DUnYhvC4SoC8T84rx5omnhY3+xcQg/Whyoa3mDPIMkk=
 github.com/IBM/go-sdk-core/v5 v5.21.0/go.mod h1:Q3BYO6iDA2zweQPDGbNTtqft5tDcEpm6RTuqMlPcvbw=
@@ -48,6 +50,8 @@ github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGL
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
 github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
@@ -106,9 +110,11 @@ github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3Bum
 github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3ygWanZIBtBW0W2TM=
 github.com/go-playground/locales v0.14.0/go.mod h1:sawfccIbzZTqEDETgFXqTho0QybSa7l++s0DH+LDiLs=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
+github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY=
 github.com/go-playground/universal-translator v0.18.0/go.mod h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
@@ -193,6 +199,7 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
 github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
@@ -512,6 +519,8 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE=
+gopkg.in/go-playground/validator.v9 v9.30.0/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
+gopkg.in/go-playground/validator.v9 v9.31.0 h1:bmXmP2RSNtFES+bn4uYuHT7iJFJv7Vj+an+ZQdDaD1M=
 gopkg.in/go-playground/validator.v9 v9.31.0/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 2f73a71..697c4fc 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -9,6 +9,7 @@ import (
 
 "math/rand/v2"
 
+ "github.com/IBM/go-sdk-core/core"
 "github.com/gruntwork-io/terratest/modules/files"
 "github.com/gruntwork-io/terratest/modules/logger"
 "github.com/gruntwork-io/terratest/modules/random"
@@ -16,6 +17,7 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/cloudinfo"
+ "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testaddons"
 "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
 "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testschematic"
 )
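Review bot: The new import `"github.com/IBM/go-sdk-core/core"` is the unversioned v1 module path, which is why `tests/go.mod` now pulls in `github.com/IBM/go-sdk-core v1.1.0` next to the already-present `/v5 v5.21.0`, and with it the archived `github.com/dgrijalva/jwt-go v3.2.0+incompatible` and `gopkg.in/go-playground/validator.v9`; jwt-go is unmaintained and has a published security advisory, so it is a supply-chain dependency the test module should not take on. The only symbol used is `core.BoolPtr`, which the v5 package also provides; change the import to `"github.com/IBM/go-sdk-core/v5/core"` and run `go mod tidy` so the three new `require` lines and their `go.sum` entries drop out again.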
@@ -125,6 +127,7 @@ func TestFullyConfigurableSolution(t *testing.T) { options.TerraformVars = []testschematic.TestSchematicTerraformVar{ {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, + {Name: "prefix", Value: options.Prefix, DataType: "string"}, {Name: "cluster_id", Value: terraform.Output(t, existingTerraformOptions, "workload_cluster_id"), DataType: "string"}, {Name: "logs_agent_trusted_profile_id", Value: terraform.Output(t, existingTerraformOptions, "trusted_profile_id"), DataType: "string"}, {Name: "cloud_logs_ingress_endpoint", Value: terraform.Output(t, existingTerraformOptions, "cloud_logs_ingress_private_endpoint"), DataType: "string"}, @@ -209,6 +212,7 @@ func TestFullyConfigurableUpgradeSolution(t *testing.T) { options.TerraformVars = []testschematic.TestSchematicTerraformVar{ {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, + {Name: "prefix", Value: options.Prefix, DataType: "string"}, {Name: "cluster_id", Value: terraform.Output(t, existingTerraformOptions, "workload_cluster_id"), DataType: "string"}, {Name: "logs_agent_trusted_profile_id", Value: terraform.Output(t, existingTerraformOptions, "trusted_profile_id"), DataType: "string"}, {Name: "cloud_logs_ingress_endpoint", Value: terraform.Output(t, existingTerraformOptions, "cloud_logs_ingress_private_endpoint"), DataType: "string"}, 
@@ -250,3 +254,50 @@ func TestRunAgentVpcKubernetes(t *testing.T) {
 	assert.Nil(t, err, "This should not have errored")
 	assert.NotNil(t, output, "Expected some output")
 }
+
+func TestAgentDefaultConfiguration(t *testing.T) {
+
+	/*
+	Skipping this test because auto-approve is not working as expected in projects
+	Config gets stuck in approved state and doesn't move to deployment
+	https://github.ibm.com/epx/projects/issues/4814
+	*/
+	t.Skip("Skipping because of projects issue")
+	t.Parallel()
+
+	options := testaddons.TestAddonsOptionsDefault(&testaddons.TestAddonOptions{
+		Testing: t,
+		Prefix: "la-def",
+		QuietMode: false,
+	})
+
+	options.AddonConfig = cloudinfo.NewAddonConfigTerraform(
+		options.Prefix,
+		"deploy-arch-ibm-logs-agent",
+		"fully-configurable",
+		map[string]interface{}{
+			"region": "eu-de",
+			"prefix": options.Prefix,
+			"secrets_manager_service_plan": "trial",
+		},
+	)
+
+	/*
+	Event notifications is manually disabled in this test because event notifications DA creates kms keys and during undeploy the order of key protect and event notifications
+	is not considered by projects as EN is not a direct dependency of VSI DA. So undeploy fails, because
+	key protect instance can't be deleted because of active keys created by EN. Hence for now, we don't want to deploy
+	EN.
+
+	Issue has been created for projects team. https://github.ibm.com/epx/projects/issues/4750
+	Once that is fixed, we can remove the logic to disable EN
+	*/
+	options.AddonConfig.Dependencies = []cloudinfo.AddonConfig{
+		{
+			OfferingName: "deploy-arch-ibm-event-notifications",
+			OfferingFlavor: "fully-configurable",
+			Enabled: core.BoolPtr(false), // explicitly disabled
+		},
+	}
+	err := options.RunAddonTest()
+	require.NoError(t, err)
+}
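Review bot: In TestAgentDefaultConfiguration the `t.Parallel()` call is unreachable because `t.Skip` ends the test first; either drop it or move it above the skip so the ordering is right the day the skip is lifted. Because the test is skipped unconditionally, the `"secrets_manager_service_plan": "trial"` input and the comment that refers to the "VSI DA" and key protect are never exercised and read as carried over from another addon's test — it is worth confirming that input is actually declared by the `deploy-arch-ibm-logs-agent` flavor before it is relied on, since an unknown variable would only surface once the test runs. As a style point, `map[string]interface{}` can be `map[string]any` given the file already imports `math/rand/v2` (Go 1.22+), and `QuietMode: false` states the zero value and can be omitted. The function is contained entirely within this hunk.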
