fix: support for cloud monitoring in Montreal (#706) <br> - configure IBM Cloud Monitoring in Montreal (ca-mon) by using the cloud_services input sysdig-monitor

shemau · web-flow · commit 82d7a721ad0d · 2025-10-09T13:38:55.000-04:00
diff --git a/README.md b/README.md
@@ -28,6 +28,7 @@ An IBM Provider [issue](https://github.com/IBM-Cloud/terraform-provider-ibm/issu
     * [Basic multi-tenant VPE gateway](./examples/basic)
     * [Every supported multi-tenant ("provider_cloud_service") VPE gateway](./examples/every-multi-tenant-svc)
     * [Existing Reserved IPs example](./examples/reserved-ips)
+    * [Multi-tenant IBM Cloud Monitoring in Montreal VPE gateway](./examples/montreal-monitoring)
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->
 
diff --git a/examples/advanced/main.tf b/examples/advanced/main.tf
@@ -101,12 +101,12 @@ module "vpes" {
   ]
   service_endpoints = var.service_endpoints
   #vpe_names            = local.vpe_names
-  #  See comments below (resource "time_sleep" "sleep_time") for explaination on why this is needed.
+  #  See comments below (resource "time_sleep" "sleep_time") for explanation on why this is needed.
   depends_on = [time_sleep.sleep_time]
 }
 
 ## This sleep serve two purposes:
-# 1. Give some extra time after postgresql db creation, and before creating the VPE targetting it. This works around the error "Service does not support VPE extensions."
+# 1. Give some extra time after postgresql db creation, and before creating the VPE targeting it. This works around the error "Service does not support VPE extensions."
 # 2. Give time on deletion between the VPE destruction and the destruction of the SG that is attached to the VPE. This works around the error "Target not found"
 resource "time_sleep" "sleep_time" {
   depends_on       = [module.vpe_security_group.security_group_id, module.postgresql_db]
diff --git a/examples/advanced/versions.tf b/examples/advanced/versions.tf
@@ -9,7 +9,7 @@ terraform {
   required_providers {
     ibm = {
       source = "IBM-Cloud/ibm"
-      # pin above lowest vesion, required for postgresql and IAM auth policy
+      # pin above lowest version, required for postgresql and IAM auth policy
       version = ">=1.81.1"
     }
     time = {
diff --git a/examples/basic/versions.tf b/examples/basic/versions.tf
@@ -9,7 +9,7 @@ terraform {
   required_providers {
     ibm = {
       source = "IBM-Cloud/ibm"
-      # pin to lowest vesion, required for IAM auth policy
+      # pin to lowest version, required for IAM auth policy
       version = "1.81.1"
     }
   }
diff --git a/examples/every-multi-tenant-svc/versions.tf b/examples/every-multi-tenant-svc/versions.tf
@@ -9,7 +9,7 @@ terraform {
   required_providers {
     ibm = {
       source = "IBM-Cloud/ibm"
-      # pin to lowest vesion, required for IAM auth policy
+      # pin to lowest version, required for IAM auth policy
       version = "1.81.1"
     }
   }
diff --git a/examples/montreal-monitoring/README.md b/examples/montreal-monitoring/README.md
@@ -0,0 +1,7 @@
+# Multi-tenant IBM Cloud Monitoring in Montreal VPE gateway
+
+This example creates the following infrastructure:
+- A resource group, if one is not passed in.
+- A VPC
+    - The VPC is created with three subnets across the three availability zones of the region that is passed as input.
+- A virtual private endpoint (VPE) gateways for a couple of the  multitenant services
diff --git a/examples/montreal-monitoring/main.tf b/examples/montreal-monitoring/main.tf
@@ -0,0 +1,51 @@
+##############################################################################
+# Resource Group
+##############################################################################
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.3.0"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##############################################################################
+# Create a VPC for this example using defaults from terraform-ibm-landing-zone-vpc
+# ( 3 subnets across the 3 AZs in the region )
+##############################################################################
+
+module "vpc" {
+  source            = "terraform-ibm-modules/landing-zone-vpc/ibm"
+  version           = "8.3.0"
+  resource_group_id = module.resource_group.resource_group_id
+  region            = var.region
+  prefix            = var.prefix
+  name              = "vpc"
+  tags              = var.resource_tags
+}
+
+##############################################################################
+# Create every multi-tenant VPEs in the VPC
+# NOTE: forcing a shorter VPE name for some services due to length limitations
+# on VPE service side
+##############################################################################
+module "vpes" {
+  source            = "../../"
+  region            = var.region
+  prefix            = var.prefix
+  vpc_name          = module.vpc.vpc_name
+  vpc_id            = module.vpc.vpc_id
+  subnet_zone_list  = module.vpc.subnet_zone_list
+  resource_group_id = module.resource_group.resource_group_id
+  cloud_services = [
+    {
+      service_name = "cloud-object-storage"
+    },
+    {
+      service_name = "sysdig-monitor"
+    }
+  ]
+}
+
+
+##############################################################################
diff --git a/examples/montreal-monitoring/outputs.tf b/examples/montreal-monitoring/outputs.tf
@@ -0,0 +1,9 @@
+output "vpe_ips" {
+  description = "The endpoint gateway reserved ips"
+  value       = module.vpes.vpe_ips
+}
+
+output "crn" {
+  description = "The CRN of the endpoint gateway"
+  value       = module.vpes.crn
+}
diff --git a/examples/montreal-monitoring/provider.tf b/examples/montreal-monitoring/provider.tf
@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}
diff --git a/examples/montreal-monitoring/variables.tf b/examples/montreal-monitoring/variables.tf
@@ -0,0 +1,33 @@
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API Key"
+  sensitive   = true
+}
+
+variable "region" {
+  description = "The region where VPC and services are deployed"
+  type        = string
+  default     = "ca-mon"
+
+  validation {
+    condition     = var.region == "ca-mon"
+    error_message = "This code only runs in Montreal, set `region` to `ca-mon`"
+  }
+}
+
+variable "prefix" {
+  description = "The prefix that you would like to append to your resources"
+  type        = string
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
+}
diff --git a/examples/montreal-monitoring/versions.tf b/examples/montreal-monitoring/versions.tf
@@ -0,0 +1,18 @@
+##############################################################################
+# Terraform Providers
+##############################################################################
+
+terraform {
+  required_version = ">= 1.9.0"
+  # Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
+  # module's version.tf (basic or default), and 1 example that will always use the latest provider version.
+  required_providers {
+    ibm = {
+      source = "IBM-Cloud/ibm"
+      # pin to lowest version, required for IAM auth policy
+      version = "1.81.1"
+    }
+  }
+}
+
+##############################################################################
diff --git a/service_endpoints.tf b/service_endpoints.tf
@@ -37,6 +37,7 @@ locals {
     messaging             = "crn:v1:bluemix:public:messaging:global:::endpoint:${local.endpoint_prefix}messaging.cloud.ibm.com"
     resource-controller   = "crn:v1:bluemix:public:resource-controller:global:::endpoint:${local.endpoint_prefix}resource-controller.cloud.ibm.com"
     support-center        = "crn:v1:bluemix:public:support:global:::endpoint:private.support-center.cloud.ibm.com"
+    sysdig-monitor        = "crn:v1:bluemix:public:sysdig-monitor:ca-mon:::endpoint:${local.endpoint_prefix}ca-mon.monitoring.cloud.ibm.com"
     transit               = "crn:v1:bluemix:public:transit:global:::endpoint:${local.endpoint_prefix}transit.cloud.ibm.com"
     user-management       = "crn:v1:bluemix:public:user-management:global:::endpoint:${local.endpoint_prefix}user-management.cloud.ibm.com"
     vmware                = "crn:v1:bluemix:public:vmware:${var.region}:::endpoint:api.${local.endpoint_prefix}${var.region}.vmware.cloud.ibm.com"
diff --git a/solutions/fully-configurable/DA-types.md b/solutions/fully-configurable/DA-types.md
@@ -1,6 +1,6 @@
 # Configuring complex inputs for Virtual Private Endpoint Gateways
 
-IBM Cloud® Virtual Private Endpoints (VPE) for VPC enables you to connect to supported IBM Cloud services from your Virtual Privte Cloud (VPC) network by using the IP addresses of your choosing, allocated from a subnet within your VPC. For more details about Virtual Private Endpoint Gateways please refer to this [documentation page](https://cloud.ibm.com/docs/vpc?topic=vpc-about-vpe)
+IBM Cloud® Virtual Private Endpoints (VPE) for VPC enables you to connect to supported IBM Cloud services from your Virtual Private Cloud (VPC) network by using the IP addresses of your choosing, allocated from a subnet within your VPC. For more details about Virtual Private Endpoint Gateways please refer to this [documentation page](https://cloud.ibm.com/docs/vpc?topic=vpc-about-vpe)
 
 IBM Cloud services either offer a service specific target or an instance specific target for the VPE gateway. In order to target a service specific endpoint, the service should be included in the `cloud_services` block. In order to target an instance specific endpoint the service CRN should be included in the `cloud_service_by_crn` block.
 
@@ -24,7 +24,7 @@ By setting up this input parameter you can create VPE gateways in your VPC insta
 ### cloud_service attributes
 
 - `service_name` (required): The IBM Cloud service name as per [this documentation page](https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-supported-services) or the name value returned by the CLI command `ibmcloud is endpoint-gateway-targets`
-- `vpe_name` (optional): The desired name to assigne to the VPE gateway. If not specified, the VPE name will be computed based on prefix, vpc name and service name.
+- `vpe_name` (optional): The desired name to assign to the VPE gateway. If not specified, the VPE name will be computed based on prefix, vpc name and service name.
 - `allow_dns_resolution_binding` (optional): Indicates whether to allow this endpoint gateway to participate in DNS resolution bindings. For more details please refer to this [documentation page](https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-dns-sharing-configure-hub&interface=ui). If not set default value is `true`.
 
 ### Example for cloud_services input parameter
@@ -52,8 +52,8 @@ By setting up this input parameter you can create VPE gateways in your VPC insta
 
 ### Options for cloud_service_by_crn
 
-- `crn` (mandatory): IBM Cloud service CRN as per [this documentation page](https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-supported-services))or the CRN value returned by the CLI command `ibmcloud is endpoint-gateway-targets`
-- `vpe_name` (optional): The desired name to assigne to the VPE gateway. If not specified, the VPE name will be computed based on prefix, vpc name and service name.
+- `crn` (mandatory): IBM Cloud service CRN as per [this documentation page](https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-supported-services) or the CRN value returned by the CLI command `ibmcloud is endpoint-gateway-targets`
+- `vpe_name` (optional): The desired name to assign to the VPE gateway. If not specified, the VPE name will be computed based on prefix, vpc name and service name.
 - `service_name` (optional): The name of the service used to compute the name of the VPE gateway. If not provided the name is extracted from the CRN.
 - `allow_dns_resolution_binding` (optional): Indicates whether to allow this endpoint gateway to participate in DNS resolution bindings. For more details please refer to this [documentation page](https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-dns-sharing-configure-hub&interface=ui). If not set default value is `true`.
 
diff --git a/tests/existing-resources/versions.tf b/tests/existing-resources/versions.tf
@@ -9,7 +9,7 @@ terraform {
   required_providers {
     ibm = {
       source = "IBM-Cloud/ibm"
-      # pin to lowest vesion, required for IAM auth policy
+      # pin to lowest version, required for IAM auth policy
       version = "1.81.1"
     }
   }
diff --git a/tests/pr_test.go b/tests/pr_test.go
@@ -41,6 +41,23 @@ func TestMain(m *testing.M) {
 	os.Exit(m.Run())
 }
 
+func setupMontrealOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptions {
+
+	options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
+		Testing:      t,
+		TerraformDir: dir,
+		Prefix:       prefix,
+		Region:       "ca-mon",
+		IgnoreUpdates: testhelper.Exemptions{ // Ignore for consistency check
+			List: []string{
+				"time_sleep.sleep_time",
+			},
+		},
+		ResourceGroup: resourceGroup,
+	})
+	return options
+}
+
 func setupOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptions {
 
 	options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
@@ -164,6 +181,15 @@ func TestRunBasicExample(t *testing.T) {
 	assert.NotNil(t, output, "Expected some output")
 }
 
+func TestRunMontrealExample(t *testing.T) {
+	t.Parallel()
+
+	options := setupMontrealOptions(t, "vpe-ca-mon", "examples/montreal-monitoring")
+	output, err := options.RunTestConsistency()
+	assert.Nil(t, err, "This should not have errored.")
+	assert.NotNil(t, output, "Expected some output")
+}
+
 // helper function to set up inputs for full config solution test, will help keep it consistent
 // between normal and upgrade tests
 func getFullConfigSolutionTestVariables(mainOptions *testschematic.TestSchematicOptions, existingOptions *testhelper.TestOptions) []testschematic.TestSchematicTerraformVar {
diff --git a/variables.tf b/variables.tf
@@ -66,6 +66,7 @@ variable "cloud_services" {
     allow_dns_resolution_binding = optional(bool, false)
   }))
   default = []
+
   validation {
     error_message = "The service you're trying to add is not supported. For a list of supported services, see [VPE-enabled services](https://cloud.ibm.com/docs/vpc?topic=vpc-vpe-supported-services). You can add unsupported services in the `cloud_service_by_crn` variable."
     condition = length(var.cloud_services) == 0 ? true : length([
@@ -100,13 +101,22 @@ variable "cloud_services" {
         "messaging",
         "resource-controller",
         "support-center",
+        "sysdig-monitor",
         "transit",
         "user-management",
         "vmware",
         "ntp"
       ], service.service_name)
     ]) == 0
   }
+
+  validation {
+    condition = length(var.cloud_services) == 0 ? true : length([
+      for service in var.cloud_services :
+      service.service_name if length(regexall("sysdig-monitor", service.service_name)) > 0 && var.region != "ca-mon"
+    ]) == 0
+    error_message = "IBM Cloud Monitoring in regions other than Montreal is supported by removing `sysdig-monitor` and adding the instance CRN to the `cloud_service_by_crn` variable input"
+  }
 }
 
 variable "cloud_service_by_crn" {
@@ -120,6 +130,14 @@ variable "cloud_service_by_crn" {
     })
   )
   default = []
+
+  validation {
+    condition = length(var.cloud_service_by_crn) == 0 ? true : length([
+      for service_crn in var.cloud_service_by_crn :
+      service_crn.crn if length(regexall(":sysdig-monitor:ca-mon:", service_crn.crn)) > 0
+    ]) == 0
+    error_message = "IBM Cloud Monitoring in Montreal is supported by removing the sysdig-monitor CRN and adding `sysdig-monitor` to the `cloud_services` variable input"
+  }
 }
 
 variable "service_endpoints" {

Original file line number	Diff line number	Diff line change
`@@ -101,12 +101,12 @@ module "vpes" {`
`101`	`101`	`]`
`102`	`102`	`service_endpoints = var.service_endpoints`
`103`	`103`	`#vpe_names = local.vpe_names`
`104`		`- # See comments below (resource "time_sleep" "sleep_time") for explaination on why this is needed.`
	`104`	`+ # See comments below (resource "time_sleep" "sleep_time") for explanation on why this is needed.`
`105`	`105`	`depends_on = [time_sleep.sleep_time]`
`106`	`106`	`}`
`107`	`107`
`108`	`108`	`## This sleep serve two purposes:`
`109`		`-# 1. Give some extra time after postgresql db creation, and before creating the VPE targetting it. This works around the error "Service does not support VPE extensions."`
	`109`	`+# 1. Give some extra time after postgresql db creation, and before creating the VPE targeting it. This works around the error "Service does not support VPE extensions."`
`110`	`110`	`# 2. Give time on deletion between the VPE destruction and the destruction of the SG that is attached to the VPE. This works around the error "Target not found"`
`111`	`111`	`resource "time_sleep" "sleep_time" {`
`112`	`112`	`depends_on = [module.vpe_security_group.security_group_id, module.postgresql_db]`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ terraform {`
`9`	`9`	`required_providers {`
`10`	`10`	`ibm = {`
`11`	`11`	`source = "IBM-Cloud/ibm"`
`12`		`- # pin above lowest vesion, required for postgresql and IAM auth policy`
	`12`	`+ # pin above lowest version, required for postgresql and IAM auth policy`
`13`	`13`	`version = ">=1.81.1"`
`14`	`14`	`}`
`15`	`15`	`time = {`