diff --git a/ibm_catalog.json b/ibm_catalog.json
index 2b691f3..7752da3 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -39,8 +39,132 @@
 "service_name": "containers-kubernetes",
 "role_crns": [
 "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "notes": "Required to create and edit OpenShift cluster and the related resources."
+ },
+ {
+ "role_crns": [
 "crn:v1:bluemix:public:iam::::role:Viewer"
- ]
+ ],
+ "service_name": "Resource group only",
+ "notes": "Viewer access is required in the resource group you want to provision in."
+ },
+ {
+ "service_name": "sysdig-monitor",
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "notes": "[Optional] Required to create an instance of Cloud Monitoring."
+ },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "service_name": "sysdig-secure",
+ "notes": "[Optional] Required for creating and managing SCC Workload Protection instance."
+ },
+ {
+ "service_name": "logs",
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "notes": "[Optional] Required to create an instance of Cloud Logs."
+ },
+ {
+ "service_name": "logs-router",
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager"
+ ],
+ "notes": "[Optional] Required for configuring Cloud Logs routing."
+ },
+ {
+ "service_name": "iam-identity",
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::role:Administrator",
+ "crn:v1:bluemix:public:iam-identity::::serviceRole:UserApiKeyCreator"
+ ],
+ "notes": "[Optional] Required to create the containers-kubernetes-key needed by the OpenShift cluster on IBM Cloud."
+ },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::role:Administrator"
+ ],
+ "service_name": "All Account Management services",
+ "notes": "[Optional] Required to create new resource groups when enabling the Account Configuration integration."
+ },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::role:Administrator"
+ ],
+ "service_name": "All Identity and Access enabled services",
+ "notes": "[Optional] Required to create new resource groups with account settings when enabling the Account Configuration integration."
+ },
+ {
+ "service_name": "is.vpc",
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::role:Administrator"
+ ],
+ "notes": "[Optional] Required for creating Virtual Private Cloud(VPC)."
+ },
+ {
+ "service_name": "cloud-object-storage",
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "notes": "[Optional] Required to create Cloud Object Storage (COS) Instance."
+ },
+ {
+ "service_name": "hs-crypto",
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "notes": "[Optional] Required if KMS encryption is enabled and IBM Hyper Protect Crypto Services is used to encrypt the Kubernetes Secrets and Object Storage bucket."
+ },
+ {
+ "service_name": "kms",
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "notes": "[Optional] Required if Key Protect is used for encryption for Kubernetes Secrets and Object Storage bucket."
+ },
+ {
+ "service_name": "atracker",
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Writer",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "notes": "[Optional] Required to set up Activity Tracker event routing of auditing events."
+ },
+ {
+ "service_name": "secrets-manager",
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::role:Administrator",
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager"
+ ],
+ "notes": "[Optional] Required when enabling the Secrets Manager integration for the cluster."
+ },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::role:Administrator",
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager"
+ ],
+ "service_name": "apprapp",
+ "notes": "[Optional] Required for provisioning the App Configuration instance."
+ },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "service_name": "event-notifications",
+ "notes": "[Optional] Required when enabling the Event Notifications integration for secrets manager."
 }
 ],
 "architecture": {
@@ -94,6 +218,17 @@
 "key": "ibmcloud_api_key",
 "required": true
 },
+ {
+ "key": "prefix",
+ "required": true,
+ "value_constraints": [
+ {
+ "type": "regex",
+ "description": "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--'). It should not exceed 16 characters",
+ "value": "^$|^__NULL__$|^[a-z](?!.*--)(?:[a-z0-9-]{0,14}[a-z0-9])?$"
+ }
+ ]
+ },
 {
 "display_name": "cluster",
 "key": "cluster_id",
@@ -117,13 +252,20 @@
 },
 "required": true
 },
+ {
+ "key": "instance_crn",
+ "required": true
+ },
 {
 "key": "access_key",
 "required": true
 },
 {
- "key": "instance_region",
+ "key": "region",
 "required": true,
+ "virtual": true,
+ "default_value": "us-south",
+ "description": "Region in which all the resources will be deployed. [Learn More](https://terraform-ibm-modules.github.io/documentation/#/region).",
 "options": [
 {
 "displayname": "London (eu-gb)",
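Review bot: The `iam-identity` entry asks for both `role:Administrator` and `serviceRole:UserApiKeyCreator`, and the two `All ... services` entries ask for account-wide `role:Administrator`, while their notes describe narrow tasks (creating one API key, creating resource groups); since consumers presumably grant exactly what this list says, it is worth confirming against each dependency's own catalog manifest that Administrator on those scopes is the minimum rather than a convenience. The entries also alternate between `service_name`-first and `role_crns`-first key order (compare `sysdig-monitor` with `sysdig-secure`), which makes the list harder to review; pick one order. The `is.vpc` note reads `Virtual Private Cloud(VPC).`, missing the space before the parenthesis.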
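Review bot: `instance_crn` is added as a required input with no `value_constraints`, so a malformed value is only caught by the Terraform-side validation added in variables.tf in this same commit, which rejects nothing but the empty string. A regex constraint in the style of the `prefix` entry would surface a typo or a pasted region name in the catalog UI before an apply is attempted; as a starting point, `"value": "^crn:v1:([^:]*:){7}[^:]*$"` matches the ten-segment shape of the CRNs used elsewhere in this file — confirm it against what the crn-parser module accepts. The `region` entry's options list continues outside SOURCE.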
@@ -375,9 +517,572 @@ }, { "key": "enable_universal_ebpf" + }, + { + "key": "provider_visibility", + "options": [ + { + "displayname": "private", + "value": "private" + }, + { + "displayname": "public", + "value": "public" + }, + { + "displayname": "public-and-private", + "value": "public-and-private" + } + ], + "hidden": true + }, + { + "key": "cluster_name", + "type": "string", + "required": true, + "virtual": true, + "default_value": "openshift", + "description": "The name of the OpenShift Cluster." + }, + { + "key": "openshift_version", + "type": "string", + "required": true, + "virtual": true, + "default_value": "4.18", + "options": [ + { + "displayname": "4.18", + "value": "4.18" + }, + { + "displayname": "4.17", + "value": "4.17" + }, + { + "displayname": "4.16", + "value": "4.16" + } + ], + "description": "The version of the OpenShift Cluster." + }, + { + "key": "default_worker_pool_machine_type", + "type": "string", + "required": true, + "virtual": true, + "default_value": "bx2.8x32", + "options": [ + { + "displayname": "bx2.16x64", + "value": "bx2.16x64" + }, + { + "displayname": "bx2.32x128", + "value": "bx2.32x128" + }, + { + "displayname": "bx2.48x192", + "value": "bx2.48x192" + }, + { + "displayname": "bx2.8x32", + "value": "bx2.8x32" + }, + { + "displayname": "bx3d.128x640", + "value": "bx3d.128x640" + }, + { + "displayname": "bx3d.16x80", + "value": "bx3d.16x80" + }, + { + "displayname": "bx3d.24x120", + "value": "bx3d.24x120" + }, + { + "displayname": "bx3d.32x160", + "value": "bx3d.32x160" + }, + { + "displayname": "bx3d.48x240", + "value": "bx3d.48x240" + }, + { + "displayname": "bx3d.64x320", + "value": "bx3d.64x320" + }, + { + "displayname": "bx3d.8x40", + "value": "bx3d.8x40" + }, + { + "displayname": "bx3d.96x480", + "value": "bx3d.96x480" + }, + { + "displayname": "cx2.16x32", + "value": "cx2.16x32" + }, + { + "displayname": "cx2.32x64", + "value": "cx2.32x64" + }, + { + "displayname": "cx2.48x96", + "value": "cx2.48x96" + }, + { + 
"displayname": "cx3d.128x320", + "value": "cx3d.128x320" + }, + { + "displayname": "cx3d.16x40", + "value": "cx3d.16x40" + }, + { + "displayname": "cx3d.24x60", + "value": "cx3d.24x60" + }, + { + "displayname": "cx3d.32x80", + "value": "cx3d.32x80" + }, + { + "displayname": "cx3d.48x120", + "value": "cx3d.48x120" + }, + { + "displayname": "cx3d.64x160", + "value": "cx3d.64x160" + }, + { + "displayname": "cx3d.96x240", + "value": "cx3d.96x240" + }, + { + "displayname": "mx2.128x1024", + "value": "mx2.128x1024" + }, + { + "displayname": "mx2.16x128", + "value": "mx2.16x128" + }, + { + "displayname": "mx2.32x256", + "value": "mx2.32x256" + }, + { + "displayname": "mx2.48x384", + "value": "mx2.48x384" + }, + { + "displayname": "mx2.64x512", + "value": "mx2.64x512" + }, + { + "displayname": "mx2.8x64", + "value": "mx2.8x64" + }, + { + "displayname": "mx3d.128x1280", + "value": "mx3d.128x1280" + }, + { + "displayname": "mx3d.24x240", + "value": "mx3d.24x240" + }, + { + "displayname": "mx3d.32x320", + "value": "mx3d.32x320" + }, + { + "displayname": "mx3d.48x480", + "value": "mx3d.48x480" + }, + { + "displayname": "mx3d.64x640", + "value": "mx3d.64x640" + }, + { + "displayname": "mx3d.96x960", + "value": "mx3d.96x960" + }, + { + "displayname": "bx2d.metal.96x384 (Only available in Toronto (ca-tor))", + "value": "bx2d.metal.96x384" + }, + { + "displayname": "cx2d.metal.96x192 (Only available in Toronto (ca-tor)) ", + "value": "cx2d.metal.96x192" + }, + { + "displayname": "mx2d.metal.96x768 (Only available in Toronto (ca-tor))) ", + "value": "mx2d.metal.96x768" + }, + { + "displayname": "mx2.16x128.2000gb (Not available in Sao Paulo (br-sao), Montreal (ca-mon), Madrid (eu-es), Osaka (jp-osa))", + "value": "mx2.16x128.2000gb" + }, + { + "displayname": "ox2.128x1024 (Not available in Sao Paulo (br-sao), Montreal (ca-mon))", + "value": "ox2.128x1024" + }, + { + "displayname": "ox2.16x128 (Not available in Sao Paulo (br-sao), Montreal (ca-mon))", + "value": "ox2.16x128" + }, + 
{ + "displayname": "ox2.32x256 (Not available in Sao Paulo (br-sao), Montreal (ca-mon))", + "value": "ox2.32x256" + }, + { + "displayname": "ox2.64x512 (Not available in Sao Paulo (br-sao), Montreal (ca-mon))", + "value": "ox2.64x512" + }, + { + "displayname": "ox2.8x64 (Not available in Sao Paulo (br-sao), Montreal (ca-mon))", + "value": "ox2.8x64" + }, + { + "displayname": "ox2.96x768 (Not available in Sao Paulo (br-sao), Montreal (ca-mon))", + "value": "ox2.96x768" + } + ], + "description": "The machine type for worker nodes.[Learn more](https://cloud.ibm.com/docs/openshift?topic=openshift-vpc-flavors)." + }, + { + "key": "default_worker_pool_workers_per_zone", + "required": true, + "virtual": true, + "type": "number", + "default_value": 2, + "description": "Number of worker nodes in each zone of the cluster." + }, + { + "key": "default_worker_pool_operating_system", + "required": true, + "virtual": true, + "type": "string", + "default_value": "RHCOS", + "options": [ + { + "displayname": "RHEL 9", + "value": "RHEL_9_64" + }, + { + "displayname": "Red Hat CoreOS", + "value": "RHCOS" + }, + { + "displayname": "RHEL 8", + "value": "REDHAT_8_64" + } + ], + "description": "The operating system installed on the worker nodes. [Learn more](https://cloud.ibm.com/docs/openshift?topic=openshift-vpc-flavors)." + }, + { + "key": "allow_public_access_to_cluster", + "type": "boolean", + "required": true, + "virtual": true, + "default_value": false, + "options": [ + { + "displayname": "true", + "value": "true" + }, + { + "displayname": "false", + "value": "false" + } + ], + "description": "When set to `true`, public endpoint will be enabled for the cluster which will allow access to master node of the cluster from outside the VPC network." 
+ }, + { + "key": "allow_outbound_traffic", + "type": "boolean", + "required": true, + "virtual": true, + "default_value": false, + "options": [ + { + "displayname": "true", + "value": "true" + }, + { + "displayname": "false", + "value": "false" + } + ], + "description": "Set to true to allow public outbound access from the cluster workers." + }, + { + "key": "subnets", + "type": "object", + "default_value": "{\n zone-1 = [\n {\n name = \"subnet-a\"\n cidr = \"10.10.10.0/24\"\n public_gateway = true\n acl_name = \"vpc-acl\"\n no_addr_prefix = false\n }\n ],\n zone-2 = [\n {\n name = \"subnet-b\"\n cidr = \"10.20.10.0/24\"\n public_gateway = true\n acl_name = \"vpc-acl\"\n no_addr_prefix = false\n }\n ],\n zone-3 = [\n {\n name = \"subnet-c\"\n cidr = \"10.30.10.0/24\"\n public_gateway = true\n acl_name = \"vpc-acl\"\n no_addr_prefix = false\n }\n ]\n }", + "description": "List of subnets for the vpc. For each item in each array, a subnet will be created. Items can be either CIDR blocks or total ipv4 addresses. Public gateways will be enabled only in zones where a gateway has been created. 
[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#subnets-).", + "required": false, + "virtual": true + }, + { + "key": "network_acls", + "type": "list(object)", + "default_value": "[\n {\n name = \"vpc-acl\"\n add_ibm_cloud_internal_rules = true\n add_vpc_connectivity_rules = true\n prepend_ibm_rules = true\n rules = [\n {\n name = \"allow-all-443-inbound\"\n action = \"allow\"\n direction = \"inbound\"\n tcp = {\n port_min = 443\n port_max = 443\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n },\n {\n name = \"allow-all-80-inbound\"\n action = \"allow\"\n direction = \"inbound\"\n tcp = {\n port_min = 80\n port_max = 80\n source_port_min = 80\n source_port_max = 80\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n },\n {\n name = \"allow-all-ingress-inbound\"\n action = \"allow\"\n direction = \"inbound\"\n tcp = {\n source_port_min = 30000\n source_port_max = 32767\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n },\n {\n name = \"allow-all-443-outbound\"\n action = \"allow\"\n direction = \"outbound\"\n tcp = {\n source_port_min = 443\n source_port_max = 443\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n },\n {\n name = \"allow-all-80-outbound\"\n action = \"allow\"\n direction = \"outbound\"\n tcp = {\n source_port_min = 80\n source_port_max = 80\n port_min = 80\n port_max = 80\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n },\n {\n name = \"allow-all-ingress-outbound\"\n action = \"allow\"\n direction = \"outbound\"\n tcp = {\n port_min = 30000\n port_max = 32767\n }\n destination = \"0.0.0.0/0\"\n source = \"0.0.0.0/0\"\n }\n ]\n }\n]", + "description": "The list of ACLs to create. Provide at least one rule for each ACL. 
[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/blob/main/solutions/fully-configurable/DA-types.md#network-acls-).", + "required": false, + "virtual": true, + "custom_config": { + "type": "code_editor", + "grouping": "deployment", + "original_grouping": "deployment" + } + }, + { + "key": "secrets_manager_service_plan", + "type": "string", + "required": true, + "virtual": true, + "default_value": "standard", + "options": [ + { + "displayname": "Standard", + "value": "standard" + }, + { + "displayname": "Trial", + "value": "trial" + } + ], + "description": "The pricing plan to use when provisioning a Secrets Manager instance for centrally managing ingress certificates for OpenShift cluster. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)." + }, + { + "key": "enable_platform_metrics", + "type": "boolean", + "default_value": false, + "description": "When set to `true`, the IBM Cloud Monitoring instance will be configured to collect platform metrics from the provided region. ⚠️ You can configure 1 instance only of the IBM Cloud Monitoring service per region to collect platform metrics in that location. Check with the account or service administrator if another monitoring instance has already been configured. You may not have permissions to see all monitoring instances in the region. 
[Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-platform_metrics_enabling).", + "required": true, + "virtual": true, + "options": [ + { + "displayname": "true", + "value": "true" + }, + { + "displayname": "false", + "value": "false" + } + ] + }, + { + "key": "logs_routing_tenant_regions", + "type": "array", + "default_value": [], + "description": "To manage platform logs that are generated by IBM Cloud services in a region of IBM Cloud, you must create a tenant in each region that you operate. Pass a list of regions to create a tenant in. For example: [\"us-south\", \"us-east\"]. [Learn more](https://cloud.ibm.com/docs/logs-router?topic=logs-router-about-platform-logs).", + "required": true, + "virtual": true, + "custom_config": { + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "type": "string" + } + } + }, + { + "key": "cloud_monitoring_instance_name", + "type": "string", + "required": true, + "virtual": true, + "default_value": "cloud-monitoring", + "description": "The name of the Cloud Monitoring Instance." + }, + { + "key": "scc_workload_protection_instance_name", + "type": "string", + "required": true, + "virtual": true, + "default_value": "scc-workload-protection", + "description": "The name of the SCC Workload Protection Instance." 
} ], "install_type": "fullstack", + "dependencies": [ + { + "name": "deploy-arch-ibm-cloud-monitoring", + "description": "Sets up a Cloud Monitoring instance to gain operational visibility on applications running on OpenShift Cluster.", + "id": "73debdbf-894f-4c14-81c7-5ece3a70b67d-global", + "version": "v1.6.4", + "flavors": [ + "fully-configurable" + ], + "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", + "optional": true, + "on_by_default": true, + "input_mapping": [ + { + "dependency_input": "region", + "version_input": "region", + "reference_version": true + }, + { + "dependency_input": "prefix", + "version_input": "prefix", + "reference_version": true + }, + { + "dependency_input": "cloud_monitoring_instance_name", + "version_input": "cloud_monitoring_instance_name", + "reference_version": true + }, + { + "dependency_input": "enable_platform_metrics", + "version_input": "enable_platform_metrics", + "reference_version": true + }, + { + "dependency_output": "cloud_monitoring_crn", + "version_input": "instance_crn" + } + ] + }, + { + "name": "deploy-arch-ibm-scc-workload-protection", + "description": "Configure an IBM Cloud Security and Compliance Center Workload Protection instance to help you manage security and compliance for your organization.", + "id": "4322cf44-2289-49aa-a719-dd79e39b14dc-global", + "version": "v1.11.4", + "flavors": [ + "fully-configurable" + ], + "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", + "optional": true, + "on_by_default": true, + "input_mapping": [ + { + "dependency_input": "region", + "version_input": "region", + "reference_version": true + }, + { + "dependency_input": "prefix", + "version_input": "prefix", + "reference_version": true + }, + { + "dependency_input": "scc_workload_protection_instance_name", + "version_input": "scc_workload_protection_instance_name", + "reference_version": true + }, + { + "dependency_output": "scc_workload_protection_crn", + "version_input": "instance_crn" + }, + { + 
"dependency_input": "logs_routing_tenant_regions", + "version_input": "logs_routing_tenant_regions", + "reference_version": true + } + ] + }, + { + "name": "deploy-arch-ibm-slz-ocp", + "description": "Configure the Red Hat OpenShift cluster on which monitoring agent will be installed.", + "catalog_id": "1082e7d2-5e2f-0a11-a3bc-f88a8e1931fc", + "flavors": [ + "fully-configurable" + ], + "id": "95fccffc-ae3b-42df-b6d9-80be5914d852-global", + "optional": true, + "on_by_default": true, + "input_mapping": [ + { + "dependency_output": "cluster_id", + "version_input": "cluster_id" + }, + { + "dependency_output": "resource_group_id", + "version_input": "cluster_resource_group_id" + }, + { + "version_input": "is_vpc_cluster", + "value": true + }, + { + "dependency_input": "prefix", + "version_input": "prefix", + "reference_version": true + }, + { + "dependency_input": "region", + "version_input": "region", + "reference_version": true + }, + { + "dependency_input": "default_worker_pool_machine_type", + "version_input": "default_worker_pool_machine_type", + "reference_version": true + }, + { + "dependency_input": "default_worker_pool_workers_per_zone", + "version_input": "default_worker_pool_workers_per_zone", + "reference_version": true + }, + { + "dependency_input": "default_worker_pool_operating_system", + "version_input": "default_worker_pool_operating_system", + "reference_version": true + }, + { + "dependency_input": "allow_public_access_to_cluster", + "version_input": "allow_public_access_to_cluster", + "reference_version": true + }, + { + "dependency_input": "allow_outbound_traffic", + "version_input": "allow_outbound_traffic", + "reference_version": true + }, + { + "dependency_input": "cluster_config_endpoint_type", + "version_input": "cluster_config_endpoint_type", + "reference_version": true + }, + { + "dependency_input": "logs_routing_tenant_regions", + "version_input": "logs_routing_tenant_regions", + "reference_version": true + }, + { + "dependency_input": 
"secrets_manager_service_plan", + "version_input": "secrets_manager_service_plan", + "reference_version": true + }, + { + "dependency_input": "subnets", + "version_input": "subnets", + "reference_version": true + }, + { + "dependency_input": "network_acls", + "version_input": "network_acls", + "reference_version": true + }, + { + "dependency_input": "cluster_name", + "version_input": "cluster_name", + "reference_version": true + }, + { + "dependency_input": "openshift_version", + "version_input": "openshift_version", + "reference_version": true + } + ], + "version": "v3.58.2" + } + ], + "dependency_version_2": true, "terraform_version": "1.10.5" } ] diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 7098259..ad54868 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -9,6 +9,25 @@ data "ibm_container_cluster_config" "cluster_config" { endpoint_type = var.cluster_config_endpoint_type != "default" ? var.cluster_config_endpoint_type : null } +locals { + prefix = var.prefix != null ? trimspace(var.prefix) != "" ? "${var.prefix}-" : "" : "" + create_access_key = ((var.access_key != null && var.access_key != "") || (var.existing_access_key_secret_name != null && var.existing_access_key_secret_name != "")) ? 0 : 1 +} + +module "instance_crn_parser" { + source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser" + version = "1.2.0" + crn = var.instance_crn +} + + +resource "ibm_resource_key" "key" { + count = local.create_access_key + name = "${local.prefix}key" + resource_instance_id = module.instance_crn_parser.service_instance + role = "Manager" +} + module "monitoring_agent" { source = "../.." cluster_id = var.cluster_id 
@@ -16,12 +35,12 @@ module "monitoring_agent" { cluster_config_endpoint_type = var.cluster_config_endpoint_type wait_till = var.wait_till wait_till_timeout = var.wait_till_timeout - instance_region = var.instance_region + instance_region = module.instance_crn_parser.region use_private_endpoint = var.use_private_endpoint is_vpc_cluster = var.is_vpc_cluster name = var.name namespace = var.namespace - access_key = var.access_key + access_key = local.create_access_key == 1 ? ibm_resource_key.key[0].credentials["Sysdig Access Key"] : var.access_key existing_access_key_secret_name = var.existing_access_key_secret_name agent_tags = var.agent_tags add_cluster_name = var.add_cluster_name diff --git a/solutions/fully-configurable/provider.tf b/solutions/fully-configurable/provider.tf index 7420ec0..25b689e 100644 --- a/solutions/fully-configurable/provider.tf +++ b/solutions/fully-configurable/provider.tf @@ -1,5 +1,6 @@ provider "ibm" { ibmcloud_api_key = var.ibmcloud_api_key + visibility = var.provider_visibility } provider "kubernetes" { diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 5a9cf67..50b9c35 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf 
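Review bot: `ibm_resource_key.key[0].credentials["Sysdig Access Key"]` indexes the credentials map by a hard-coded key name, so if `instance_crn` points at an instance whose resource keys expose a different credential set the apply fails inside this expression with a generic index error rather than a message naming the cause. A `lifecycle { postcondition { ... } }` on the `ibm_resource_key` resource in the previous hunk, with `condition = contains(keys(self.credentials), "Sysdig Access Key")` and an error message saying that `instance_crn` must be a Monitoring or Workload Protection instance, would make the failure explicit. The auto-created key's value now flows through `access_key` into a cluster secret and also lives in Terraform state as a resource attribute, so the state backend needs the same protection as the key itself — worth a sentence in the DA docs. The enclosing `module "monitoring_agent"` block starts and ends outside the hunk.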
@@ -8,6 +8,33 @@ variable "ibmcloud_api_key" { sensitive = true } +variable "prefix" { + type = string + nullable = true + description = "The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To skip using a prefix, set this value to null or an empty string. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md)." + + validation { + # - null and empty string is allowed + # - Must not contain consecutive hyphens (--): length(regexall("--", var.prefix)) == 0 + # - Starts with a lowercase letter: [a-z] + # - Contains only lowercase letters (a–z), digits (0–9), and hyphens (-) + # - Must not end with a hyphen (-): [a-z0-9] + condition = (var.prefix == null || var.prefix == "" ? true : + alltrue([ + can(regex("^[a-z][-a-z0-9]*[a-z0-9]$", var.prefix)), + length(regexall("--", var.prefix)) == 0 + ]) + ) + error_message = "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--')." + } + + validation { + # must not exceed 16 characters in length + condition = var.prefix == null || var.prefix == "" ? true : length(var.prefix) <= 16 + error_message = "Prefix must not exceed 16 characters." + } +} + variable "cluster_id" { type = string description = "The ID of the cluster you wish to deploy the agent in." 
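Review bot: The Terraform regex `^[a-z][-a-z0-9]*[a-z0-9]$` requires at least two characters, so a one-letter prefix such as `a` is rejected here, while the catalog constraint added in ibm_catalog.json in this same commit (`^[a-z](?!.*--)(?:[a-z0-9-]{0,14}[a-z0-9])?$`) accepts it; the UI and the apply disagree on the contract. Either make the tail optional, `can(regex("^[a-z](?:[-a-z0-9]*[a-z0-9])?$", var.prefix)),`, or tighten the catalog regex to match, whichever is the documented rule. The comment block above the first `condition` could also mention the 16-character cap that the second `validation` enforces, so the two blocks read as one contract.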
@@ -66,10 +93,15 @@ variable "wait_till_timeout" { # Common agent variables ############################################################################## -variable "instance_region" { +variable "instance_crn" { type = string - description = "The region of the IBM Cloud Monitoring instance that you want to send metrics to. This is used to construct the ingestion and api endpoints. If you are only using the agent for security and compliance monitoring, set this to the region of your IBM Cloud Security and Compliance Center Workload Protection instance. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#key-considerations)." + description = "The CRN of the IBM Cloud Monitoring instance that you want to send metrics to. This is used to construct the ingestion and api endpoints. If you are only using the agent for security and compliance monitoring, set this to the crn of your IBM Cloud Security and Compliance Center Workload Protection instance. If you are using this agent for both `monitoring` and `security and compliance` you can provide CRN of any one of them provided they are connected. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#key-considerations)." nullable = false + + validation { + condition = var.instance_crn != "" + error_message = "Instance CRN can not be empty." + } } variable "use_private_endpoint" { 
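Review bot: The new validation only rejects the empty string, so any other value reaches `module.instance_crn_parser`, and a mistyped CRN — or a region name carried over from the `instance_region` input this variable replaces — fails later with a parser error rather than at variable validation. Checking the shape here is cheap: `condition = can(regex("^crn:v1:([^:]*:){7}[^:]*$", var.instance_crn))` with an `error_message` stating that the value must be the full CRN of the Monitoring or Workload Protection instance; confirm the segment count against what the crn-parser module accepts. The description's clause "provided they are connected" is vague — say what connected means, or point at the DA-docs link already in the description for that explanation.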
@@ -81,21 +113,14 @@ variable "use_private_endpoint" { variable "access_key" { type = string - description = "Access key used by the agent to communicate with the instance. Either `access_key` or `existing_access_key_secret_name` is required. This value will be stored in a new secret on the cluster if passed. If you want to use this agent for only metrics or metrics with security and compliance, use a manager key scoped to the IBM Cloud Monitoring instance. If you only want to use the agent for security and compliance use a manager key scoped to the Security and Compliance Center Workload Protection instance." + description = "Access key used by the agent to communicate with the instance. This value will be stored in a new secret on the cluster if passed. If you want to use this agent for only metrics or metrics with security and compliance, use a manager key scoped to the IBM Cloud Monitoring instance. If you only want to use the agent for security and compliance use a manager key scoped to the Security and Compliance Center Workload Protection instance. If neither `access_key` nor `existing_access_key_secret_name` is provided a new Manager Key will be created scoped to the instance provided in `instance_crn`." sensitive = true default = null - validation { - condition = ( - (var.access_key != null && var.access_key != "") || - (var.existing_access_key_secret_name != null && var.existing_access_key_secret_name != "") - ) - error_message = "Either 'access_key' or 'existing_access_key_secret_name' must be provided and non-empty." - } } variable "existing_access_key_secret_name" { type = string - description = "An alternative to using `access_key`. Specify the name of an existing Kubernetes secret containing the access key in the same namespace that is defined in the `namespace` input. Either `access_key` or `existing_access_key_secret_name` is required." + description = "An alternative to using `access_key`. 
Specify the name of an existing Kubernetes secret containing the access key in the same namespace that is defined in the `namespace` input. If neither `access_key` nor `existing_access_key_secret_name` is provided a new Manager Key will be created scoped to the instance provided in `instance_crn`." default = null } @@ -362,3 +387,14 @@ variable "cluster_shield_limits_memory" { description = "Specify memory resource limits for the cluster shield pods." default = "1536Mi" } + +variable "provider_visibility" { + description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)." + type = string + default = "private" + + validation { + condition = contains(["public", "private", "public-and-private"], var.provider_visibility) + error_message = "Invalid visibility option. Allowed values are 'public', 'private', or 'public-and-private'." + } +} diff --git a/tests/go.mod b/tests/go.mod index fb8f495..d3caed2 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -15,6 +15,7 @@ require ( github.com/IBM-Cloud/bluemix-go v0.0.0-20240719075425-078fcb3a55be // indirect github.com/IBM-Cloud/power-go-client v1.12.0 // indirect github.com/IBM/cloud-databases-go-sdk v0.8.0 // indirect + github.com/IBM/go-sdk-core v1.1.0 // indirect github.com/IBM/go-sdk-core/v5 v5.21.0 // indirect github.com/IBM/platform-services-go-sdk v0.86.1 // indirect github.com/IBM/project-go-sdk v0.3.6 // indirect @@ -29,6 +30,7 @@ require ( github.com/cloudflare/circl v1.6.1 // indirect github.com/cyphar/filepath-securejoin v0.4.1 // indirect github.com/davecgh/go-spew v1.1.1 // indirect + github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect github.com/emirpasic/gods v1.18.1 // indirect github.com/gabriel-vasile/mimetype v1.4.9 // indirect github.com/ghodss/yaml v1.0.0 // indirect 
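Review bot: Removing the either-or validation changes the default posture: a consumer who supplies neither `access_key` nor `existing_access_key_secret_name` now gets a new `Manager` key minted on the instance by main.tf in this commit, where previously the plan failed. That is a reasonable default, but neither description says what happens when both inputs are set; from `local.create_access_key` it looks like no key is created and both values are forwarded to the module, so the precedence lives in the root module — either state that in the text or reject the combination with a validation such as `condition = !((var.access_key != null && var.access_key != "") && (var.existing_access_key_secret_name != null && var.existing_access_key_secret_name != ""))`. `Manager Key` is also capitalised inconsistently with `manager key` two sentences earlier in the same description. The `existing_access_key_secret_name` block continues outside the hunk.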
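Review bot: `github.com/dgrijalva/jwt-go v3.2.0+incompatible` is the archived, unmaintained JWT module whose final release has a published security advisory; it arrives here as `// indirect` alongside `github.com/IBM/go-sdk-core v1.1.0` (the pre-v5 major of a module this file already requires at v5.21.0) and `gopkg.in/go-playground/validator.v9`, which suggests a newly introduced transitive dependency that still sits on a very old SDK line. `go mod why -m github.com/dgrijalva/jwt-go` will show which direct dependency pulls it in; if that dependency can be moved to a release built on `go-sdk-core/v5` the old JWT module drops out, and otherwise a `replace` to the maintained fork `github.com/golang-jwt/jwt` keeps the test module clean under `govulncheck`. The same point applies to the matching go.sum lines in the next hunks.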
@@ -98,6 +100,7 @@ require ( golang.org/x/sys v0.35.0 // indirect golang.org/x/text v0.28.0 // indirect golang.org/x/tools v0.35.0 // indirect + gopkg.in/go-playground/validator.v9 v9.31.0 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/tests/go.sum b/tests/go.sum index de7fbbb..4bda21e 100644 --- a/tests/go.sum +++ b/tests/go.sum @@ -6,6 +6,8 @@ github.com/IBM-Cloud/power-go-client v1.12.0 h1:tF9Mq5GLYHebpzQT6IYB89lIxEST1E9t github.com/IBM-Cloud/power-go-client v1.12.0/go.mod h1:SpTK1ttW8bfMNUVQS8qOEuWn2KOkzaCLyzfze8MG1JE= github.com/IBM/cloud-databases-go-sdk v0.8.0 h1:uMFqhnc/roVTzfCaUsJ23eaHKjChhGpM1F7Mpxik0bo= github.com/IBM/cloud-databases-go-sdk v0.8.0/go.mod h1:JYucI1PdwqbAd8XGdDAchxzxRP7bxOh1zUnseovHKsc= +github.com/IBM/go-sdk-core v1.1.0 h1:pV73lZqr9r1xKb3h08c1uNG3AphwoV5KzUzhS+pfEqY= +github.com/IBM/go-sdk-core v1.1.0/go.mod h1:2pcx9YWsIsZ3I7kH+1amiAkXvLTZtAq9kbxsfXilSoY= github.com/IBM/go-sdk-core/v5 v5.9.2/go.mod h1:YlOwV9LeuclmT/qi/LAK2AsobbAP42veV0j68/rlZsE= github.com/IBM/go-sdk-core/v5 v5.21.0 h1:DUnYhvC4SoC8T84rx5omnhY3+xcQg/Whyoa3mDPIMkk= github.com/IBM/go-sdk-core/v5 v5.21.0/go.mod h1:Q3BYO6iDA2zweQPDGbNTtqft5tDcEpm6RTuqMlPcvbw= 
@@ -48,6 +50,8 @@ github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGL
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
 github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
@@ -106,9 +110,11 @@ github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3Bum
 github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3ygWanZIBtBW0W2TM=
 github.com/go-playground/locales v0.14.0/go.mod h1:sawfccIbzZTqEDETgFXqTho0QybSa7l++s0DH+LDiLs=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
+github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY=
 github.com/go-playground/universal-translator v0.18.0/go.mod h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
@@ -193,6 +199,7 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
 github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
@@ -512,6 +519,8 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE=
+gopkg.in/go-playground/validator.v9 v9.30.0/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
+gopkg.in/go-playground/validator.v9 v9.31.0 h1:bmXmP2RSNtFES+bn4uYuHT7iJFJv7Vj+an+ZQdDaD1M=
 gopkg.in/go-playground/validator.v9 v9.31.0/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 388c4a3..3eb36e3 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -8,6 +8,7 @@ import (
 "strings"
 "testing"
 
+ "github.com/IBM/go-sdk-core/core"
 "github.com/gruntwork-io/terratest/modules/files"
 "github.com/gruntwork-io/terratest/modules/logger"
 "github.com/gruntwork-io/terratest/modules/random"
@@ -15,6 +16,7 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/cloudinfo"
+ "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testaddons"
 "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
 "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testschematic"
 )
@@ -94,7 +96,7 @@ func TestFullyConfigurableSolution(t *testing.T) {
 
 options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
 Testing: t,
- Prefix: "monitoring-agent",
+ Prefix: "mon-agent",
 TarIncludePatterns: []string{
 "*.tf",
 "kubeconfig/*.*",
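Review bot: The new import `"github.com/IBM/go-sdk-core/core"` in the `@@ -8,6 +8,7 @@` hunk resolves to the legacy v1 module path, which is what drags `github.com/IBM/go-sdk-core v1.1.0`, `github.com/dgrijalva/jwt-go v3.2.0+incompatible` and `gopkg.in/go-playground/validator.v9` into tests/go.mod and tests/go.sum even though the module already requires `github.com/IBM/go-sdk-core/v5 v5.21.0`. `dgrijalva/jwt-go` is archived and unmaintained and has a published security advisory (its maintained successor is `golang-jwt/jwt`), so this adds a known-flagged transitive dependency to the test module for the sake of one helper call. The only use in this diff is `core.BoolPtr`, which the v5 package provides, so changing the import line to `"github.com/IBM/go-sdk-core/v5/core"` keeps the code identical and lets `go mod tidy` drop all three new requirements and their go.sum entries. The enclosing import block starts outside the hunk.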
@@ -114,9 +116,10 @@ func TestFullyConfigurableSolution(t *testing.T) {
 })
 options.TerraformVars = []testschematic.TestSchematicTerraformVar{
 {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
- {Name: "instance_region", Value: region, DataType: "string"},
+ {Name: "prefix", Value: options.Prefix, DataType: "string"},
 {Name: "cluster_id", Value: terraform.Output(t, existingTerraformOptions, "cluster_id"), DataType: "string"},
 {Name: "cluster_resource_group_id", Value: terraform.Output(t, existingTerraformOptions, "cluster_resource_group_id"), DataType: "string"},
+ {Name: "instance_crn", Value: terraform.Output(t, existingTerraformOptions, "instance_crn"), DataType: "string", Secure: true},
 {Name: "access_key", Value: terraform.Output(t, existingTerraformOptions, "access_key"), DataType: "string", Secure: true},
 {Name: "priority_class_name", Value: "sysdig-daemonset-priority", DataType: "string"},
 }
@@ -178,7 +181,7 @@ func TestFullyConfigurableUpgradeSolution(t *testing.T) {
 
 options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
 Testing: t,
- Prefix: "monitoring-agent",
+ Prefix: "mon-agent",
 TarIncludePatterns: []string{
 "*.tf",
 "kubeconfig/*.*",
@@ -199,9 +202,10 @@ func TestFullyConfigurableUpgradeSolution(t *testing.T) {
 
 options.TerraformVars = []testschematic.TestSchematicTerraformVar{
 {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
- {Name: "instance_region", Value: region, DataType: "string"},
+ {Name: "prefix", Value: options.Prefix, DataType: "string"},
 {Name: "cluster_id", Value: terraform.Output(t, existingTerraformOptions, "cluster_id"), DataType: "string"},
 {Name: "cluster_resource_group_id", Value: terraform.Output(t, existingTerraformOptions, "cluster_resource_group_id"), DataType: "string"},
+ {Name: "instance_crn", Value: terraform.Output(t, existingTerraformOptions, "instance_crn"), DataType: "string", Secure: true},
 {Name: "access_key", Value: terraform.Output(t, existingTerraformOptions, "access_key"), DataType: "string", Secure: true},
 }
 
@@ -251,7 +255,7 @@ func TestRunAgentClassicKubernetes(t *testing.T) {
 Testing: t,
 TerraformDir: terraformDirMonitoringAgentIKS,
 Prefix: "obs-agent-iks",
- Region: "au-syd",
+ Region: validRegions[rand.IntN(len(validRegions))],
 ResourceGroup: resourceGroup,
 IgnoreUpdates: testhelper.Exemptions{ // Ignore for consistency check
 List: IgnoreUpdates,
@@ -271,3 +275,51 @@ func TestRunAgentClassicKubernetes(t *testing.T) {
 assert.Nil(t, err, "This should not have errored")
 assert.NotNil(t, output, "Expected some output")
 }
+
+func TestAgentDefaultConfiguration(t *testing.T) {
+
+ /*
+ Skipping this test because auto-approve is not working as expected in projects
+ Config gets stuck in approved state and doesn't move to deployment
+ https://github.ibm.com/epx/projects/issues/4814
+ */
+ t.Skip("Skipping because of projects issue")
+ t.Parallel()
+
+ options := testaddons.TestAddonsOptionsDefault(&testaddons.TestAddonOptions{
+ Testing: t,
+ Prefix: "ma-def",
+ QuietMode: false,
+ })
+
+ options.AddonConfig = cloudinfo.NewAddonConfigTerraform(
+ options.Prefix,
+ "deploy-arch-ibm-monitoring-agent",
+ "fully-configurable",
+ map[string]interface{}{
+ "prefix": options.Prefix,
+ "secrets_manager_service_plan": "trial",
+ "region": "eu-de",
+ },
+ )
+
+ /*
+ Event notifications is manually disabled in this test because event notifications DA creates kms keys and during undeploy the order of key protect and event notifications
+ is not considered by projects as EN is not a direct dependency of VSI DA. So undeploy fails, because
+ key protect instance can't be deleted because of active keys created by EN. Hence for now, we don't want to deploy
+ EN.
+
+ Issue has been created for projects team. https://github.ibm.com/epx/projects/issues/4750
+ Once that is fixed, we can remove the logic to disable EN
+ */
+ options.AddonConfig.Dependencies = []cloudinfo.AddonConfig{
+ {
+ OfferingName: "deploy-arch-ibm-event-notifications",
+ OfferingFlavor: "fully-configurable",
+ Enabled: core.BoolPtr(false), // explicitly disabled
+ },
+ }
+
+ err := options.RunAddonTest()
+ require.NoError(t, err)
+}
diff --git a/tests/resources/outputs.tf b/tests/resources/outputs.tf
index bb82ba6..c258a83 100644
--- a/tests/resources/outputs.tf
+++ b/tests/resources/outputs.tf
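Review bot: `t.Skip("Skipping because of projects issue")` is called before `t.Parallel()` in TestAgentDefaultConfiguration, so the whole body below it, including the `core.BoolPtr(false)` dependency override and `options.RunAddonTest()`, is unreachable and the test contributes nothing until the skip is removed. Putting `t.Parallel()` first and the skip directly after it keeps the function in the same shape as the other tests here (inferred from the hunk headers) and means re-enabling it is a one-line deletion rather than a reorder. As a point of style, `map[string]interface{}{` can be written `map[string]any{` since the test module already builds with a Go version that has `rand.IntN`. The Skip comment could also carry a date or owner so the reason for the unconditional skip is revisited rather than silently aging.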
@@ -27,3 +27,9 @@ output "access_key" {
 description = "The access key of the provisioned IBM Cloud Monitoring instance."
 sensitive = true
 }
+
+output "instance_crn" {
+ value = module.cloud_monitoring.crn
+ description = "The access key of the provisioned IBM Cloud Monitoring instance."
+ sensitive = true
+}
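Review bot: The description on the new `instance_crn` output is copied from `access_key` and is wrong for a value that is `module.cloud_monitoring.crn`; it should read `description = "The CRN of the provisioned IBM Cloud Monitoring instance."`. `sensitive = true` on a CRN is unusual, since a CRN is a resource identifier rather than a credential, but it is harmless and matches the `Secure: true` the test sets when passing the output into the solution, so keep it only if hiding the CRN from plan output is intended.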