1b3099b
feat: added dependencies
vkuma17 Aug 20, 2025
6719fe0
addressed review comments
vkuma17 Sep 12, 2025
26131a7
changed cloud logs version
vkuma17 Sep 12, 2025
7f52c00
added trustedprofile creation if not provided
vkuma17 Sep 12, 2025
1c25145
added addon test
vkuma17 Sep 13, 2025
c0106e5
Merge branch 'main' into addons
vkuma17 Sep 13, 2025
a1c697f
added prefix for addons mapping
vkuma17 Sep 13, 2025
581507f
Merge branch 'addons' of github.com:terraform-ibm-modules/terraform-i…
vkuma17 Sep 13, 2025
90b853e
disabled event notifications
vkuma17 Sep 13, 2025
1955353
Update variables.tf
vkuma17 Sep 13, 2025
fd8d505
wait_till IngressReady
vkuma17 Sep 14, 2025
34f5548
Merge branch 'addons' of github.com:terraform-ibm-modules/terraform-i…
vkuma17 Sep 14, 2025
4c8e537
Update ibm_catalog.json
vkuma17 Sep 14, 2025
d1a62c1
Merge branch 'main' into addons
vkuma17 Sep 19, 2025
fa34a2a
exposed few more fields in catalog json for OCP
vkuma17 Sep 19, 2025
56cfb2e
exposed few more fields
vkuma17 Sep 21, 2025
0911043
exposed cluster virtual fields
vkuma17 Sep 22, 2025
c20a321
Merge branch 'main' into addons
vkuma17 Sep 22, 2025
5197b4b
Update ibm_catalog.json
vkuma17 Sep 22, 2025
60884b2
Update ibm_catalog.json
vkuma17 Sep 22, 2025
4715b67
Update ibm_catalog.json
vkuma17 Sep 22, 2025
eaaf6f2
Update ibm_catalog.json
vkuma17 Sep 22, 2025
7122f49
Update ibm_catalog.json
vkuma17 Sep 22, 2025
2a29872
Merge branch 'main' into addons
vkuma17 Sep 22, 2025
585dc92
Merge branch 'main' into addons
vkuma17 Sep 23, 2025
df8beb2
Merge branch 'main' into addons
vkuma17 Sep 24, 2025
60854cf
added prefix input var
vkuma17 Sep 24, 2025
5915839
addressed review comments
vkuma17 Sep 24, 2025
5d510d6
addressed review comment
vkuma17 Sep 24, 2025
e796c62
skipping addon test
vkuma17 Sep 24, 2025
315 changes: 313 additions & 2 deletions ibm_catalog.json
Expand Up @@ -53,16 +53,132 @@
"service_name": "containers-kubernetes",
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Viewer"
"crn:v1:bluemix:public:iam::::role:Editor"
],
"notes": "Required to create and edit Logs Agent related resources."
"notes": "Required to create and edit OpenShift cluster and the related resources."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Viewer"
],
"service_name": "Resource group only",
"notes": "Viewer access is required in the resource group you want to provision in."
},
{
"service_name": "logs",
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
],
"notes": "[Optional] Required to create an instance of Cloud Logs."
},
{
"service_name": "logs-router",
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager"
],
"notes": "[Optional] Required for configuring Cloud Logs routing."
},
{
"service_name": "sysdig-monitor",
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
],
"notes": "[Optional] Required to create an instance of Cloud Monitoring."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
],
"service_name": "sysdig-secure",
"notes": "[Optional] Required for creating and managing SCC Workload Protection instance."
},
{
"service_name": "iam-identity",
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator",
"crn:v1:bluemix:public:iam-identity::::serviceRole:UserApiKeyCreator"
],
"notes": "[Optional] Required to create the containers-kubernetes-key needed by the OpenShift cluster on IBM Cloud."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator"
],
"service_name": "All Account Management services",
"notes": "[Optional] Required to create new resource groups when enabling the Account Configuration integration."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator"
],
"service_name": "All Identity and Access enabled services",
"notes": "[Optional] Required to create new resource groups with account settings when enabling the Account Configuration integration."
},
{
"service_name": "is.vpc",
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator"
],
"notes": "[Optional] Required for creating Virtual Private Cloud(VPC)."
},
{
"service_name": "cloud-object-storage",
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
],
"notes": "[Optional] Required to create Cloud Object Storage (COS) Instance."
},
{
"service_name": "hs-crypto",
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
],
"notes": "[Optional] Required if KMS encryption is enabled and IBM Hyper Protect Crypto Services is used to encrypt the Kubernetes Secrets and Object Storage bucket."
},
{
"service_name": "kms",
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
],
"notes": "[Optional] Required if Key Protect is used for encryption for Kubernetes Secrets and Object Storage bucket."
},
{
"service_name": "atracker",
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Writer",
"crn:v1:bluemix:public:iam::::role:Editor"
],
"notes": "[Optional] Required to set up Activity Tracker event routing of auditing events."
},
{
"service_name": "secrets-manager",
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator",
"crn:v1:bluemix:public:iam::::serviceRole:Manager"
],
"notes": "[Optional] Required when enabling the Secrets Manager integration for the cluster."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator",
"crn:v1:bluemix:public:iam::::serviceRole:Manager"
],
"service_name": "apprapp",
"notes": "[Optional] Required for provisioning the App Configuration instance."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
],
"service_name": "event-notifications",
"notes": "[Optional] Required when enabling the Event Notifications integration for secrets manager."
}
],
"architecture": {
Expand Down Expand Up @@ -117,6 +233,22 @@
"key": "is_ocp_cluster",
"required": true
},
{
"key": "region",
"type": "string",
"custom_config": {
"config_constraints": {
"generationType": "2"
},
"grouping": "deployment",
"original_grouping": "deployment",
"type": "vpc_region"
},
"description": "Region in which cloud logs instance or OpenShift cluster will be deployed. [Learn More](https://terraform-ibm-modules.github.io/documentation/#/region).",
"virtual": true,
"required": true,
"default_value": "us-south"
},
{
"key": "cloud_logs_ingress_endpoint",
"required": true
Expand Down Expand Up @@ -301,6 +433,83 @@
{
"key": "enable_multiline"
},
{
"key": "secrets_manager_service_plan",
"required": true,
"virtual": true,
"type": "string",
"options": [
{
"displayname": "Standard",
"value": "standard"
},
{
"displayname": "Trial",
"value": "trial"
}
],
"default_value": "__NOT_SET__",
"description": "The pricing plan to use when provisioning a Secrets Manager instance for centrally managing ingress certificates for OpenShift cluster. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)."
},
{
"key": "prefix",
"type": "string",
"default_value": "__NOT_SET__",
"description": "Prefix input which will be added in the front of the name of addon resources selected in this configuration",
"required": true,
"virtual": true
},
{
"key": "allow_public_access_to_cluster",
"type": "boolean",
"default_value": true,
"description": "When set to `true`, public endpoint will be enabled for the cluster which will allow access to master node of the cluster from outside the VPC network.",
"required": true,
"virtual": true,
"options": [
{
"displayname": "true",
"value": "true"
},
{
"displayname": "false",
"value": "false"
}
]
},
{
"key": "enable_platform_metrics",
"type": "boolean",
"default_value": false,
"description": "When set to `true`, the IBM Cloud Monitoring instance will be configured to collect platform metrics from the provided region. ⚠️ You can configure 1 instance only of the IBM Cloud Monitoring service per region to collect platform metrics in that location. Check with the account or service administrator if another monitoring instance has already been configured. You may not have permissions to see all monitoring instances in the region. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-platform_metrics_enabling).",
"required": true,
"virtual": true,
"options": [
{
"displayname": "true",
"value": "true"
},
{
"displayname": "false",
"value": "false"
}
]
},
{
"key": "logs_routing_tenant_regions",
"type": "array",
"default_value": [],
"description": "To manage platform logs that are generated by IBM Cloud services in a region of IBM Cloud, you must create a tenant in each region that you operate. Pass a list of regions to create a tenant in. For example: [\"us-south\", \"us-east\"]. [Learn more](https://cloud.ibm.com/docs/logs-router?topic=logs-router-about-platform-logs).",
"required": true,
"virtual": true,
"custom_config": {
"grouping": "deployment",
"original_grouping": "deployment",
"config_constraints": {
"type": "string"
}
}
},
{
"key": "provider_visibility",
"options": [
Expand All @@ -320,6 +529,108 @@
"hidden": true
}
],
"dependencies": [
{
"name": "deploy-arch-ibm-cloud-logs",
"description": "Create IBM Cloud Logs Instance for storing and analysing platform and application logs .",
"id": "63d8ae58-fbf3-41ce-b844-0fb5b85882ab-global",
"version": "v1.6.11",
"flavors": [
"fully-configurable"
],
"catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3",
"optional": true,
"on_by_default": true,
"input_mapping": [
{
"dependency_input": "region",
"version_input": "region",
"reference_version": true
},
{
"dependency_input": "prefix",
"version_input": "prefix",
"reference_version": true
},
{
"dependency_output": "cloud_logs_ingress_private_endpoint",
"version_input": "cloud_logs_ingress_endpoint"
},
{
"dependency_input": "enable_platform_metrics",
"version_input": "enable_platform_metrics",
"reference_version": true
},
{
"dependency_input": "logs_routing_tenant_regions",
"version_input": "logs_routing_tenant_regions",
"reference_version": true
}
]
},
{
"name": "deploy-arch-ibm-slz-ocp",
"description": "Configure the Red Hat OpenShift cluster on which logs agent will be installed.",
"catalog_id": "1082e7d2-5e2f-0a11-a3bc-f88a8e1931fc",
"flavors": [
"fully-configurable"
],
"id": "95fccffc-ae3b-42df-b6d9-80be5914d852-global",
"optional": true,
"on_by_default": true,
"input_mapping": [
{
"dependency_output": "cluster_id",
"version_input": "cluster_id"
},
{
"dependency_output": "resource_group_id",
"version_input": "cluster_resource_group_id"
},
{
"version_input": "is_vpc_cluster",
"value": true
},
{
"dependency_input": "region",
"version_input": "region",
"reference_version": true
},
{
"dependency_input": "prefix",
"version_input": "prefix",
"reference_version": true
},
{
"dependency_input": "allow_public_access_to_cluster",
"version_input": "allow_public_access_to_cluster",
"reference_version": true
},
{
"dependency_input": "cluster_config_endpoint_type",
"version_input": "cluster_config_endpoint_type",
"reference_version": true
},
{
"dependency_input": "enable_platform_metrics",
"version_input": "enable_platform_metrics",
"reference_version": true
},
{
"dependency_input": "logs_routing_tenant_regions",
"version_input": "logs_routing_tenant_regions",
"reference_version": true
},
{
"dependency_input": "secrets_manager_service_plan",
"version_input": "secrets_manager_service_plan",
"reference_version": true
}
],
"version": "v3.58.2"
}
],
"dependency_version_2": true,
"terraform_version": "1.10.5"
}
]
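Review bot: In the third hunk, `allow_public_access_to_cluster` ships with `"default_value": true`, so a user who accepts the defaults gets the cluster master endpoint reachable from outside the VPC; a least-exposure default would be `"default_value": false`, or failing that the description should state plainly that the public endpoint stays on unless the user turns it off. In that same entry and in `enable_platform_metrics`, `default_value` is a JSON boolean while every `options[].value` is the string `"true"`/`"false"`, so the default matches neither option if the catalog compares values literally — pick one representation for both (presumably whichever the file's existing boolean inputs already use; confirm against the catalog schema). The `All Account Management services` and `All Identity and Access enabled services` Administrator entries in the first hunk are the broadest grants in the list; their notes tie them to the Account Configuration integration, which is not visible among this solution's inputs or dependency mappings, so it is worth confirming that the integration is actually reachable from here and dropping them otherwise. A wording nit in the last hunk: the `deploy-arch-ibm-cloud-logs` description has a stray space before its full stop, `"... platform and application logs."`.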
30 changes: 29 additions & 1 deletion solutions/fully-configurable/main.tf
Expand Up @@ -14,6 +14,34 @@ locals {
is_vpc_cluster = var.is_vpc_cluster
}

module "trusted_profile" {
count = (var.logs_agent_iam_mode == "TrustedProfile" && var.logs_agent_trusted_profile_id == null) ? 1 : 0
source = "terraform-ibm-modules/trusted-profile/ibm"
version = "3.1.1"
trusted_profile_name = "trusted-profile-${var.cluster_id}"
trusted_profile_description = "Logs agent Trusted Profile"
# As a `Sender`, you can send logs to your IBM Cloud Logs service instance - but not query or tail logs. This role is meant to be used by agents and routers sending logs.
trusted_profile_policies = [{
unique_identifier = "${var.cluster_id}-policy-0"
roles = ["Sender"]
resources = [{
service = "logs"
}]
}]

# Set up fine-grained authorization for `logs-agent` running in ROKS cluster in `ibm-observe` namespace.
trusted_profile_links = [{
unique_identifier = "${var.cluster_id}-link-0"
cr_type = "ROKS_SA"
links = [{
crn = local.is_vpc_cluster ? data.ibm_container_vpc_cluster.cluster[0].crn : data.ibm_container_cluster.cluster[0].crn
namespace = var.logs_agent_namespace
name = var.logs_agent_name
}]
}
]
}

module "logs_agent" {
source = "../.."
cluster_id = var.cluster_id
Expand All @@ -27,7 +55,7 @@ module "logs_agent" {
logs_agent_init_image_version = var.logs_agent_init_image_version
logs_agent_name = var.logs_agent_name
logs_agent_namespace = var.logs_agent_namespace
logs_agent_trusted_profile_id = var.logs_agent_trusted_profile_id
logs_agent_trusted_profile_id = var.logs_agent_iam_mode == "TrustedProfile" ? (var.logs_agent_trusted_profile_id != null ? var.logs_agent_trusted_profile_id : module.trusted_profile[0].trusted_profile.id) : null
logs_agent_iam_api_key = var.logs_agent_iam_api_key
logs_agent_tolerations = var.logs_agent_tolerations
logs_agent_system_logs = var.logs_agent_system_logs
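Review bot: The policy attached by the new `module "trusted_profile"` block (first hunk) grants `Sender` with `resources = [{ service = "logs" }]`, which covers every Cloud Logs instance in the account rather than the one the agent ships to; the auto-created profile should be scoped to the target instance (the module's `resources` entries presumably accept an instance identifier alongside `service` — confirm against the trusted-profile module's input schema and pass the Cloud Logs instance ID the solution already knows about). The `trusted_profile_links` entry already pins the profile to `var.logs_agent_namespace`/`var.logs_agent_name` via `cr_type = "ROKS_SA"`, which is the right compute-resource scoping, so the policy is the only part broader than needed. Two smaller points: `trusted_profile_name = "trusted-profile-${var.cluster_id}"` is derived only from the cluster ID, so a second agent deployment against the same cluster would presumably collide on the profile name (consider folding the namespace or agent name in), and the closing `}` / `]` of `trusted_profile_links` are indented inconsistently with the rest of the block — `terraform fmt` would normalize them.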