From 619a4fc9a4aa74e2dfa905c8bf4833be12746314 Mon Sep 17 00:00:00 2001 From: ocofaigh Date: Fri, 27 Jun 2025 17:17:27 +0100 Subject: [PATCH 1/8] hooks --- .secrets.baseline | 43 +++- README.md | 80 +++---- examples/basic/main.tf | 16 +- examples/basic/variables.tf | 20 +- ibm_catalog.json | 100 ++++++--- main.tf | 59 +++-- modules/cloud-pak-deployer/.secrets.baseline | 85 -------- modules/cloud-pak-deployer/version.tf | 2 +- modules/cpd-image-build/README.md | 70 ++++++ modules/cpd-image-build/main.tf | 56 +++-- modules/cpd-image-build/outputs.tf | 16 +- modules/cpd-image-build/variables.tf | 52 +++-- modules/cpd-image-build/version.tf | 2 +- solutions/fully-configurable/DA-types.md | 36 +--- solutions/fully-configurable/README.md | 52 +++-- solutions/fully-configurable/main.tf | 79 ++++--- solutions/fully-configurable/outputs.tf | 6 + solutions/fully-configurable/providers.tf | 4 +- solutions/fully-configurable/variables.tf | 213 ++++++++++++------- solutions/fully-configurable/version.tf | 13 +- tests/other_test.go | 36 ++++ tests/pr_test.go | 58 +++-- variables.tf | 198 +++++++++-------- version.tf | 2 +- 24 files changed, 764 insertions(+), 534 deletions(-) delete mode 100644 modules/cloud-pak-deployer/.secrets.baseline create mode 100644 modules/cpd-image-build/README.md diff --git a/.secrets.baseline b/.secrets.baseline index a472fcdf..d91df2dc 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2025-02-11T22:49:04Z", + "generated_at": "2025-06-27T16:17:07Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -76,7 +76,46 @@ "name": "TwilioKeyDetector" } ], - "results": {}, + "results": { + "README.md": [ + { + "hashed_secret": "bcf22dfc6fb76b7366b1f1675baf2332a0e6a7ce", + "is_secret": false, + "is_verified": false, + "line_number": 43, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "2254481e1661d8f017a712b0d1ad9a14fd9460a3", + "is_secret": false, + "is_verified": false, + "line_number": 105, + "type": "Secret Keyword", + "verified_result": null + } + ], + "modules/cpd-image-build/README.md": [ + { + "hashed_secret": "49901d945ad6da0f0af47691f305daf994d9d2c9", + "is_secret": false, + "is_verified": false, + "line_number": 11, + "type": "Secret Keyword", + "verified_result": null + } + ], + "solutions/fully-configurable/DA-types.md": [ + { + "hashed_secret": "fdd55a32cde0ab9bbb89037c7ab4203633cf5558", + "is_secret": false, + "is_verified": false, + "line_number": 21, + "type": "Secret Keyword", + "verified_result": null + } + ] + }, "version": "0.13.1+ibm.62.dss", "word_list": { "file": null, diff --git a/README.md b/README.md index 5f856618..7ed23f22 100644 --- a/README.md +++ b/README.md @@ -8,19 +8,22 @@ Deploy Watsonx services on an existing Red Hat OpenShift cluster. - - +Cluster must meet the minimum requirements to deploy Cloud Pak for Data [Learn more](https://www.ibm.com/docs/en/cloud-paks/cp-data/5.1.x?topic=overview-cloud-pak-data). + +The following services are currently supported: +- watsonx.ai +- Watson Assistant +- Watson Discovery +- Watson Data + +![Architecture diagram](../../reference-architecture/deployable-architecture-cp4d.svg) ## Overview * [terraform-ibm-watsonx-self-managed-ocp](#terraform-ibm-watsonx-self-managed-ocp) * [Submodules](./modules) + * [cpd-image-build](./modules/cpd-image-build) * [Examples](./examples) * [Basic example](./examples/basic) * [Contributing](#contributing) @@ -35,19 +38,10 @@ module "watsonx_self_managed_ocp" { source = "terraform-ibm-modules/watsonx-self-managed-ocp/ibm" version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release ibmcloud_api_key = "xxxxxxxxxxxxxxxxx" # pragma: allowlist secret - resource_group_id = "xxxxxxxxxxxxxxxxx" - region = "us-south" - prefix = "cp4d" cluster_name = "my-ocp-cluster" - cluster_rg_id = "xxxxxxxxxxxxxxxxx" - install_odf_cluster_addon = true - watsonx_ai_install = true - watsonx_data_install = true - watson_assistant_install = true - watson_discovery_install = true - cpd_admin_password = "Passw0rd!" # pragma: allowlist secret - cpd_entitlement_key = "entitlementKey" - # Add other configuration options as needed + cluster_resource_group_id = "xxxxxxxxxxxxxxxxx" + cpd_admin_password = "XXXXXXXX" + cpd_entitlement_key = "XXXXXXXX" } ``` @@ -59,15 +53,18 @@ You need the following permissions to run this module. * **All Resource Groups** service * `Viewer` platform access * IAM Services - * **Kubernetes Service** (OpenShift) + * **Kubernetes Service** * `Administrator` platform access * `Manager` service access * **VPC Infrastructure** * `Administrator` platform access * `Manager` service access - * **Container Registry** + * **Container Registry** (if building image) * `Administrator` platform access * `Manager` service access + * **Code Engine service** (if building image) + * `Editor` platform access + * `Writer` service access For more information on access and permissions, see [IBM Cloud IAM service roles and actions](https://cloud.ibm.com/docs/account?topic=account-iam-service-roles-actions). @@ -78,7 +75,7 @@ For more information on access and permissions, see [IBM Cloud IAM service roles | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.9.0 | -| [ibm](#requirement\_ibm) | >=1.79.1 | +| [ibm](#requirement\_ibm) | >=1.79.1, <2.0.0 | ### Modules @@ -101,29 +98,32 @@ For more information on access and permissions, see [IBM Cloud IAM service roles | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [cloud\_pak\_deployer\_image](#input\_cloud\_pak\_deployer\_image) | Cloud Pak Deployer image to use. If `null`, the image will be built using Code Engine. | `string` | `null` | no | -| [cloud\_pak\_deployer\_release](#input\_cloud\_pak\_deployer\_release) | Release of Cloud Pak Deployer version to use. View releases at: https://github.com/IBM/cloud-pak-deployer/releases. | `string` | `"v3.1.8"` | no | -| [cloud\_pak\_deployer\_secret](#input\_cloud\_pak\_deployer\_secret) | Secret for accessing the Cloud Pak Deployer image. If `null`, a default secret will be created # pragma: allowlist secret. | 
object({
    username = string
    password = string
    server   = string
    email    = string
  })
| `null` | no | -| [cluster\_name](#input\_cluster\_name) | Name of Red Hat OpenShift cluster to install watsonx onto | `string` | n/a | yes | -| [cluster\_rg\_id](#input\_cluster\_rg\_id) | Resource group id of the cluster | `string` | n/a | yes | -| [code\_engine\_project\_id](#input\_code\_engine\_project\_id) | If you want to use an existing project, you can pass the code engine project ID and the Cloud Pak Deployer build will be built within the existing project instead of creating a new one. | `string` | `null` | no | -| [code\_engine\_project\_name](#input\_code\_engine\_project\_name) | If `cloud_pak_deployer_image` is `null`, it will build the image with code engine and store it within a private ICR registry. Provide a name if you want to set the name. If not defined, default will be `{prefix}-cpd-{random-suffix}`. | `string` | `null` | no | +| [add\_random\_suffix\_code\_engine\_project](#input\_add\_random\_suffix\_code\_engine\_project) | Whether to add a randomly generated 4-character suffix to the newly created Code Engine project. Only applies if `code_engine_project_id` is `null`. | `bool` | `true` | no | +| [add\_random\_suffix\_icr\_namespace](#input\_add\_random\_suffix\_icr\_namespace) | Whether to add a randomly generated 4-character suffix to the newly created ICR namespace. | `bool` | `true` | no | +| [cloud\_pak\_deployer\_image](#input\_cloud\_pak\_deployer\_image) | Cloud Pak Deployer image to use. If `null`, the image will be built using Code Engine and publish to a private Container Registry namespace. | `string` | `"quay.io/cloud-pak-deployer/cloud-pak-deployer:v3.1.8@sha256:e9cde204359a3014a3cee6a43c1e945a7dcb31d5fa92439326d4e5ab2191b48f"` | no | +| [cloud\_pak\_deployer\_release](#input\_cloud\_pak\_deployer\_release) | The GIT release of Cloud Pak Deployer version to build from. Only applies if `cloud_pak_deployer_image` is `null`. View releases at: https://github.com/IBM/cloud-pak-deployer/releases. | `string` | `"v3.1.8"` | no | +| [cloud\_pak\_deployer\_secret](#input\_cloud\_pak\_deployer\_secret) | Secret for accessing the Cloud Pak Deployer image. If `null`, a default secret will be created. | 
object({
    username = string
    password = string
    server   = string
    email    = string
  })
| `null` | no | +| [cluster\_name](#input\_cluster\_name) | Name of an existing Red Hat OpenShift cluster to install watsonX onto | `string` | n/a | yes | +| [cluster\_resource\_group\_id](#input\_cluster\_resource\_group\_id) | The resource group ID of the cluster provided in `cluster_name` | `string` | n/a | yes | +| [code\_engine\_project\_id](#input\_code\_engine\_project\_id) | If you want to use an existing project, you can pass the Code Engine project ID. Alternatively use `code_engine_project_name` to create a new project. Only applies if `cloud_pak_deployer_image` is `null`. | `string` | `null` | no | +| [code\_engine\_project\_name](#input\_code\_engine\_project\_name) | The name of the Code Engine project to be created for the image build. Alternatively use `code_engine_project_id` to use existing project. Only applies if `cloud_pak_deployer_image` is `null`. If `add_random_suffix_code_engine_project` is set to true, a randomly generated 4-character suffix will be added to this value. | `string` | `"cpd"` | no | +| [container\_registry\_namespace](#input\_container\_registry\_namespace) | The name of the Container Registry namespace to create. Only applies if `cloud_pak_deployer_image` is `null`. If `add_random_suffix_icr_namespace` is set to true, a randomly generated 4-character suffix will be added to this value. | `string` | `"cpd"` | no | | [cpd\_accept\_license](#input\_cpd\_accept\_license) | When set to 'true', it is understood that the user has read the terms of the Cloud Pak license(s) and agrees to the terms outlined. | `bool` | `true` | no | | [cpd\_admin\_password](#input\_cpd\_admin\_password) | Password for the Cloud Pak for Data admin user. | `string` | n/a | yes | | [cpd\_entitlement\_key](#input\_cpd\_entitlement\_key) | Cloud Pak for Data entitlement key for access to the IBM Entitled Registry. Can be fetched from https://myibm.ibm.com/products-services/containerlibrary. | `string` | n/a | yes | | [cpd\_version](#input\_cpd\_version) | Cloud Pak for Data version to install. Only version 5.x.x is supported, latest versions can be found [here](https://www.ibm.com/docs/en/cloud-paks/cp-data?topic=versions-cloud-pak-data). | `string` | `"5.0.3"` | no | | [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes | -| [install\_odf\_cluster\_addon](#input\_install\_odf\_cluster\_addon) | Install the ODF cluster addon. | `bool` | `true` | no | -| [odf\_config](#input\_odf\_config) | Configuration for the ODF addon. | `map(string)` | 
{
  "addSingleReplicaPool": "false",
  "billingType": "essentials",
  "clusterEncryption": "false",
  "disableNoobaaLB": "false",
  "enableNFS": "false",
  "encryptionInTransit": "false",
  "hpcsBaseUrl": "",
  "hpcsEncryption": "false",
  "hpcsInstanceId": "",
  "hpcsSecretName": "",
  "hpcsServiceName": "",
  "hpcsTokenUrl": "",
  "ignoreNoobaa": "true",
  "numOfOsd": "1",
  "ocsUpgrade": "false",
  "odfDeploy": "true",
  "osdDevicePaths": "",
  "osdSize": "512Gi",
  "osdStorageClassName": "ibmc-vpc-block-metro-10iops-tier",
  "prepareForDisasterRecovery": "false",
  "resourceProfile": "balanced",
  "taintNodes": "false",
  "useCephRBDAsDefaultStorageClass": "false",
  "workerNodes": "all",
  "workerPool": ""
}
| no | -| [odf\_version](#input\_odf\_version) | Version of ODF to install. | `string` | `"4.16.0"` | no | -| [prefix](#input\_prefix) | A unique identifier for resources that is prepended to resources that are provisioned. Must begin with a lowercase letter and end with a lowercase letter or number. Must be 16 or fewer characters. | `string` | `null` | no | -| [region](#input\_region) | Region where resources will be created. To find your VPC region, use `ibmcloud is regions` command to find available regions. | `string` | n/a | yes | -| [resource\_group](#input\_resource\_group) | Resource group to provision services within. If not defined, a resource group called `{prefix}-cpd` will be created. | `string` | `null` | no | -| [watson\_assistant\_install](#input\_watson\_assistant\_install) | If watsonx.ai is being installed, also install watson assistant | `bool` | `false` | no | -| [watson\_discovery\_install](#input\_watson\_discovery\_install) | If watsonx.ai is being installed, also install watson discovery | `bool` | `false` | no | -| [watsonx\_ai\_install](#input\_watsonx\_ai\_install) | Determine whether the watsonx.ai cartridge for the deployer will be installed | `bool` | `false` | no | -| [watsonx\_ai\_models](#input\_watsonx\_ai\_models) | List of watsonx.ai models to install. Information on the foundation models including pre-reqs can be found here - https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=install-foundation-models. Use the ModelID as input | `list(string)` | 
[
  "ibm-granite-13b-instruct-v2"
]
| no | -| [watsonx\_data\_install](#input\_watsonx\_data\_install) | Determine whether the watsonx.data cartridge for the deployer will be installed | `bool` | `false` | no | +| [install\_odf\_cluster\_addon](#input\_install\_odf\_cluster\_addon) | Install the ODF cluster add-on. | `bool` | `true` | no | +| [odf\_config](#input\_odf\_config) | Configuration for the ODF addon. Only applies if `install_odf_cluster_addon` is true. | `map(string)` | 
{
  "addSingleReplicaPool": "false",
  "billingType": "essentials",
  "clusterEncryption": "false",
  "disableNoobaaLB": "false",
  "enableNFS": "false",
  "encryptionInTransit": "false",
  "hpcsBaseUrl": "",
  "hpcsEncryption": "false",
  "hpcsInstanceId": "",
  "hpcsSecretName": "",
  "hpcsServiceName": "",
  "hpcsTokenUrl": "",
  "ignoreNoobaa": "true",
  "numOfOsd": "1",
  "ocsUpgrade": "false",
  "odfDeploy": "true",
  "osdDevicePaths": "",
  "osdSize": "512Gi",
  "osdStorageClassName": "ibmc-vpc-block-metro-10iops-tier",
  "prepareForDisasterRecovery": "false",
  "resourceProfile": "balanced",
  "taintNodes": "false",
  "useCephRBDAsDefaultStorageClass": "false",
  "workerNodes": "all",
  "workerPool": ""
}
| no | +| [odf\_version](#input\_odf\_version) | Version of OpenShift Data Foundation (ODF) add-on to install. Only applies if `install_odf_cluster_addon` is true. | `string` | `"4.16.0"` | no | +| [region](#input\_region) | Region where Code Engine and Container Registry resources will be provisioned. Only applies if `cloud_pak_deployer_image` is `null`. To use the 'Global' Container Registry location set `use_global_container_registry_location` to true. | `string` | `"us-south"` | no | +| [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group where Code Engine and Container Registry resources will be provisioned. Only applies if `cloud_pak_deployer_image` is `null`. If not set, Default resource group will be used. | `string` | `null` | no | +| [use\_global\_container\_registry\_location](#input\_use\_global\_container\_registry\_location) | Set to true to create the Container Registry namespace in the 'Global' location. If set to false, the namespace will be created in the region provided in the `region` input value. Only applies if `cloud_pak_deployer_image` is `null`. | `bool` | `false` | no | +| [watson\_assistant\_install](#input\_watson\_assistant\_install) | If watsonx.ai is being installed, also install watson assistant | `bool` | `true` | no | +| [watson\_discovery\_install](#input\_watson\_discovery\_install) | If watsonx.ai is being installed, also install watson discovery | `bool` | `true` | no | +| [watsonx\_ai\_install](#input\_watsonx\_ai\_install) | Determine whether the watsonx.ai cartridge for the deployer will be installed | `bool` | `true` | no | +| [watsonx\_ai\_models](#input\_watsonx\_ai\_models) | List of watsonx.ai models to install. Information on the foundation models including pre-reqs can be found here - https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=install-foundation-models. Use the ModelID as input | `list(string)` | 
[
  "ibm-granite-13b-instruct-v2"
]
| no | +| [watsonx\_data\_install](#input\_watsonx\_data\_install) | Determine whether the watsonx.data cartridge for the deployer will be installed | `bool` | `true` | no | ### Outputs diff --git a/examples/basic/main.tf b/examples/basic/main.tf index 193625b7..49377067 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -1,8 +1,10 @@ ############################################################################## +# Locals +############################################################################## + locals { cluster_name = var.existing_cluster_name != null ? var.existing_cluster_name : module.ocp_base[0].cluster_name } -############################################################################### ############################################################################## # Resource Group @@ -93,7 +95,7 @@ module "ocp_base" { vpc_id = ibm_is_vpc.vpc.id vpc_subnets = local.cluster_vpc_subnets worker_pools = local.worker_pools - disable_outbound_traffic_protection = true # set as True to enable outbound traffic + disable_outbound_traffic_protection = true # set as True to enable outbound traffic to allow image to be pulled from quay.io } ############################################################################## @@ -103,13 +105,9 @@ module "ocp_base" { module "watsonx_self_managed_ocp" { source = "../.." ibmcloud_api_key = var.ibmcloud_api_key - prefix = var.prefix region = var.region cluster_name = local.cluster_name - cluster_rg_id = module.resource_group.resource_group_id - cloud_pak_deployer_image = "quay.io/cloud-pak-deployer/cloud-pak-deployer" - cpd_admin_password = "Passw0rd" #pragma: allowlist secret - cpd_entitlement_key = "entitlementKey" - install_odf_cluster_addon = var.install_odf_cluster_addon - watsonx_ai_install = false + cluster_resource_group_id = module.resource_group.resource_group_id + cpd_admin_password = var.cpd_admin_password + cpd_entitlement_key = var.cpd_entitlement_key } diff --git a/examples/basic/variables.tf b/examples/basic/variables.tf index 1ae18a75..973d3bf2 100644 --- a/examples/basic/variables.tf +++ b/examples/basic/variables.tf @@ -31,12 +31,6 @@ variable "resource_tags" { default = [] } -variable "install_odf_cluster_addon" { - description = "Install the odf cluster addon" - type = bool - default = false -} - variable "existing_cluster_name" { description = "Existing cluster name" type = string @@ -44,7 +38,19 @@ variable "existing_cluster_name" { } variable "resource_group" { - description = "Existing resource group name" type = string + description = "The name of an existing resource group to provision resources in to. If not set a new resource group will be created using the prefix variable." default = null } + +variable "cpd_admin_password" { + description = "Password for the Cloud Pak for Data admin user." + sensitive = true + type = string +} + +variable "cpd_entitlement_key" { + description = "Cloud Pak for Data entitlement key for access to the IBM Entitled Registry. Can be fetched from https://myibm.ibm.com/products-services/containerlibrary." + sensitive = true + type = string +} diff --git a/ibm_catalog.json b/ibm_catalog.json index 7acaba6e..d92c1637 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -1,7 +1,7 @@ { "products": [ { - "label": "Watsonx (Self-Managed) on Red Hat OpenShift", + "label": "watsonx self-managed on Red Hat OpenShift", "name": "deploy-arch-ibm-watsonx-self-managed", "product_kind": "solution", "tags": [ @@ -28,6 +28,7 @@ "long_description": "Solution that deploys Watsonx services (watsonx.ai, watsonx.data, Watson Assistant, Watson Discovery) on an existing Red Hat OpenShift cluster.", "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-watsonx-self-managed-ocp/blob/main/solutions/fully-configurable/README.md", "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-watsonx-self-managed-ocp/main/images/watsonx-self-managed-ocp.svg", + "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in the following [issues repository](https://github.com/terraform-ibm-modules/terraform-ibm-watsonx-self-managed-ocp/issues). Please note this product is not supported via the IBM Cloud Support Center.", "features": [ { "title": "Flexible Cluster Deployment", @@ -52,23 +53,48 @@ "name": "fully-configurable", "working_directory": "solutions/fully-configurable", "iam_permissions": [ + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Viewer" + ], + "service_name": "Resource group only", + "notes": "Viewer access is required in the resource group you want to provision in." + }, { "service_name": "containers-kubernetes", "role_crns": [ "crn:v1:bluemix:public:iam::::serviceRole:Manager", "crn:v1:bluemix:public:iam::::role:Viewer" ] + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "codeengine", + "notes": "[Optional] Required if building image." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "codeengine", + "notes": "[Optional] Required if building image." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Writer", + "crn:v1:bluemix:public:iam::::role:Manager" + ], + "service_name": "container-registry", + "notes": "[Optional] Required if building image." } ], "architecture": { "features": [ { - "title": "Cluster must meet minimum requirements to install any Watson services you wish to add.", - "description": "Yes" - }, - { - "title": "Deploys Watsonx services on an existing cluster.", - "description": "Yes" + "title": " ", + "description": "Configured to use IBM secure by default standards, but can be edited to fit your use case." } ], "diagrams": [ @@ -91,53 +117,52 @@ "key": "prefix", "required": true }, - { - "key": "region", - "required": true - }, { "key": "existing_cluster_name", "required": true }, { - "key": "existing_resource_group_name", + "key": "existing_cluster_resource_group_name", "custom_config": { "type": "resource_group", "grouping": "deployment", "original_grouping": "deployment", "config_constraints": { - "identifier": "rg_id" + "identifier": "rg_name" } }, "required": true }, { - "key": "install_odf_cluster_addon", + "key": "cpd_entitlement_key", "required": true }, { - "key": "cpd_entitlement_key", - "required": true + "key": "cpd_accept_license" }, { - "key": "watsonx_ai_install", - "required": true + "key": "cpd_admin_password" }, { - "key": "watsonx_ai_models", - "required": true + "key": "cpd_version" }, { - "key": "watsonx_data_install", - "required": true + "key": "watsonx_ai_install" }, { - "key": "watson_discovery_install", - "required": true + "key": "watsonx_ai_models" }, { - "key": "watson_assistant_install", - "required": true + "key": "watsonx_data_install" + }, + { + "key": "watson_discovery_install" + }, + { + "key": "watson_assistant_install" + }, + { + "key": "cloud_pak_deployer_image" }, { "key": "code_engine_project_name" @@ -146,28 +171,35 @@ "key": "code_engine_project_id" }, { - "key": "cloud_pak_deployer_image" + "key": "existing_resource_group_name" }, { - "key": "cloud_pak_deployer_release" + "key": "container_registry_namespace" }, { - "key": "cloud_pak_deployer_secret" + "key": "region" }, { - "key": "odf_version" + "key": "use_global_container_registry_location" }, { - "key": "odf_config" + "key": "cloud_pak_deployer_release" }, { - "key": "cpd_accept_license" + "key": "cloud_pak_deployer_secret" }, { - "key": "cpd_admin_password" + "key": "install_odf_cluster_addon" }, { - "key": "cpd_version" + "key": "odf_version" + }, + { + "key": "odf_config" + }, + { + "key": "provider_visibility", + "hidden": true } ], "install_type": "fullstack" diff --git a/main.tf b/main.tf index 1246b1fd..e3a279df 100644 --- a/main.tf +++ b/main.tf @@ -1,29 +1,31 @@ -locals { - openshift_version = join(".", slice(split(".", data.ibm_container_vpc_cluster.cluster_info.kube_version), 0, 2)) # Only use major and minor — no patch -} - -# Retrieve the openshift cluster info -data "ibm_container_vpc_cluster" "cluster_info" { - name = var.cluster_name - resource_group_id = var.cluster_rg_id -} +############################################################################## +# Build the image in Code Engine if one is not passed and publish to ICR +############################################################################## module "build_cpd_image" { - count = var.cloud_pak_deployer_image == null ? 1 : 0 - source = "./modules/cpd-image-build" - prefix = var.prefix - ibmcloud_api_key = var.ibmcloud_api_key - region = var.region - code_engine_project_name = var.code_engine_project_name - code_engine_project_id = var.code_engine_project_id - resource_group = var.resource_group - cloud_pak_deployer_release = var.cloud_pak_deployer_release + count = var.cloud_pak_deployer_image == null ? 1 : 0 + source = "./modules/cpd-image-build" + ibmcloud_api_key = var.ibmcloud_api_key + region = var.region + code_engine_project_name = var.code_engine_project_name + code_engine_project_id = var.code_engine_project_id + resource_group_id = var.resource_group_id + use_global_container_registry_location = var.use_global_container_registry_location + cloud_pak_deployer_release = var.cloud_pak_deployer_release + container_registry_namespace = var.container_registry_namespace + add_random_suffix_icr_namespace = var.add_random_suffix_icr_namespace + add_random_suffix_code_engine_project = var.add_random_suffix_code_engine_project } +############################################################################## +# Install OCP ODF cluster addon +############################################################################## + resource "ibm_container_addons" "odf_cluster_addon" { count = var.install_odf_cluster_addon ? 1 : 0 cluster = var.cluster_name manage_all_addons = false + resource_group_id = var.cluster_resource_group_id addons { name = "openshift-data-foundation" version = var.odf_version @@ -31,6 +33,10 @@ resource "ibm_container_addons" "odf_cluster_addon" { } } +############################################################################## +# watsonx-ai +############################################################################## + module "watsonx_ai" { source = "./modules/watsonx-ai" depends_on = [ibm_container_addons.odf_cluster_addon] @@ -40,12 +46,20 @@ module "watsonx_ai" { watsonx_ai_models = var.watsonx_ai_models } +############################################################################## +# watsonx-data +############################################################################## + module "watsonx_data" { source = "./modules/watsonx-data" depends_on = [ibm_container_addons.odf_cluster_addon] watsonx_data_install = var.watsonx_data_install } +############################################################################## +# Cloud Pak deployer +############################################################################## + module "cloud_pak_deployer" { depends_on = [ module.watsonx_ai, @@ -79,6 +93,15 @@ module "cloud_pak_deployer" { cpd_entitlement_key = var.cpd_entitlement_key } +# Retrieve the openshift cluster info +data "ibm_container_vpc_cluster" "cluster_info" { + name = var.cluster_name + resource_group_id = var.cluster_resource_group_id +} +locals { + openshift_version = join(".", slice(split(".", data.ibm_container_vpc_cluster.cluster_info.kube_version), 0, 2)) # Only use major and minor — no patch +} + # Cloud Pak Deployer configuration file local variable(s) only module "config" { source = "./modules/cloud-pak-deployer/config" diff --git a/modules/cloud-pak-deployer/.secrets.baseline b/modules/cloud-pak-deployer/.secrets.baseline deleted file mode 100644 index d9d7acb7..00000000 --- a/modules/cloud-pak-deployer/.secrets.baseline +++ /dev/null @@ -1,85 +0,0 @@ -{ - "exclude": { - "files": "^.secrets.baseline$", - "lines": null - }, - "generated_at": "2024-12-20T20:40:41Z", - "plugins_used": [ - { - "name": "AWSKeyDetector" - }, - { - "name": "ArtifactoryDetector" - }, - { - "name": "AzureStorageKeyDetector" - }, - { - "base64_limit": 4.5, - "name": "Base64HighEntropyString" - }, - { - "name": "BasicAuthDetector" - }, - { - "name": "BoxDetector" - }, - { - "name": "CloudantDetector" - }, - { - "ghe_instance": "github.ibm.com", - "name": "GheDetector" - }, - { - "name": "GitHubTokenDetector" - }, - { - "hex_limit": 3, - "name": "HexHighEntropyString" - }, - { - "name": "IbmCloudIamDetector" - }, - { - "name": "IbmCosHmacDetector" - }, - { - "name": "JwtTokenDetector" - }, - { - "keyword_exclude": null, - "name": "KeywordDetector" - }, - { - "name": "MailchimpDetector" - }, - { - "name": "NpmDetector" - }, - { - "name": "PrivateKeyDetector" - }, - { - "name": "SlackDetector" - }, - { - "name": "SoftlayerDetector" - }, - { - "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TwilioKeyDetector" - } - ], - "results": {}, - "version": "0.13.1+ibm.62.dss", - "word_list": { - "file": null, - "hash": null - } -} diff --git a/modules/cloud-pak-deployer/version.tf b/modules/cloud-pak-deployer/version.tf index 01abebb5..eb3da515 100644 --- a/modules/cloud-pak-deployer/version.tf +++ b/modules/cloud-pak-deployer/version.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.2.0" + required_version = ">= 1.9.0" required_providers { helm = { source = "hashicorp/helm" diff --git a/modules/cpd-image-build/README.md b/modules/cpd-image-build/README.md new file mode 100644 index 00000000..8b55b002 --- /dev/null +++ b/modules/cpd-image-build/README.md @@ -0,0 +1,70 @@ +# Cloud Pak Data (CPD) image build module + +A module to build and publish the Cloud Pak Data (CPD) image to container registry. + +### Usage + +```hcl +module "build_image" { + source = "terraform-ibm-modules/watsonx-self-managed-ocp/ibm//modules/cpd-image-build" + version = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release + ibmcloud_api_key = "XXXXXXXXXXXX" # replace with apikey value + region = "us-south + resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX" # replace with resource group ID + container_registry_namespace = "my-namespace" + code_engine_project_name = "my-project" +} +``` + + +### Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.9.0 | +| [ibm](#requirement\_ibm) | >=1.79.1, <2.0.0 | +| [random](#requirement\_random) | >= 3.4.3, < 4.0.0 | +| [shell](#requirement\_shell) | >= 1.7.10, <2.0.0 | + +### Modules + +| Name | Source | Version | +|------|--------|---------| +| [code\_engine](#module\_code\_engine) | terraform-ibm-modules/code-engine/ibm | 4.2.2 | +| [code\_engine\_build](#module\_code\_engine\_build) | terraform-ibm-modules/code-engine/ibm//modules/build | 4.2.2 | + +### Resources + +| Name | Type | +|------|------| +| [ibm_cr_namespace.cr_namespace](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/cr_namespace) | resource | +| [random_string.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [shell_script.build_run](https://registry.terraform.io/providers/scottwinkler/shell/latest/docs/resources/script) | resource | +| [ibm_code_engine_project.code_engine_project](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/code_engine_project) | data source | +| [ibm_resource_group.group](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/resource_group) | data source | + +### Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [add\_random\_suffix\_code\_engine\_project](#input\_add\_random\_suffix\_code\_engine\_project) | Whether to add a randomly generated 4-character suffix to the newly created Code Engine project. Only applies if `code_engine_project_id` is `null`. | `bool` | `true` | no | +| [add\_random\_suffix\_icr\_namespace](#input\_add\_random\_suffix\_icr\_namespace) | Whether to add a randomly generated 4-character suffix to the newly created ICR namespace. | `bool` | `true` | no | +| [cloud\_pak\_deployer\_release](#input\_cloud\_pak\_deployer\_release) | The GIT release of Cloud Pak Deployer version to build from. View releases at: https://github.com/IBM/cloud-pak-deployer/releases. | `string` | `"v3.1.8"` | no | +| [code\_engine\_project\_id](#input\_code\_engine\_project\_id) | If you want to use an existing project, you can pass the Code Engine project ID. Alternatively use `code_engine_project_name` to create a new project. | `string` | `null` | no | +| [code\_engine\_project\_name](#input\_code\_engine\_project\_name) | The name of the Code Engine project to be created for the image build. Alternatively use `code_engine_project_id` to use existing project. If `add_random_suffix_code_engine_project` is set to true, a randomly generated 4-character suffix will be added to this value. | `string` | `"cpd"` | no | +| [container\_registry\_namespace](#input\_container\_registry\_namespace) | The name of the Container Registry namespace to create. If `add_random_suffix_icr_namespace` is set to true, a randomly generated 4-character suffix will be added to this value. | `string` | `"cpd"` | no | +| [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes | +| [region](#input\_region) | Region where Code Engine and Container Registry resources will be provisioned. To use the 'Global' Container Registry location set `use_global_container_registry_location` to true. | `string` | `"us-south"` | no | +| [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group to create resource in. If not set, Default resource group will be used. | `string` | `null` | no | +| [use\_global\_container\_registry\_location](#input\_use\_global\_container\_registry\_location) | Set to true to create the Container Registry namespace in the 'Global' location. If set to false, the namespace will be created in the region provided in the `region` input value. | `bool` | `false` | no | + +### Outputs + +| Name | Description | +|------|-------------| +| [code\_engine\_project\_id](#output\_code\_engine\_project\_id) | The ID of the code engine project that used | +| [code\_engine\_project\_name](#output\_code\_engine\_project\_name) | The name of the code engine project that was used | +| [container\_registry\_namespace](#output\_container\_registry\_namespace) | The name of the container registry namespace | +| [container\_registry\_output\_image](#output\_container\_registry\_output\_image) | The path to the cpd container that was built | +| [container\_registry\_server](#output\_container\_registry\_server) | The url of the container registry | + diff --git a/modules/cpd-image-build/main.tf b/modules/cpd-image-build/main.tf index 13d11f1d..4437927a 100644 --- a/modules/cpd-image-build/main.tf +++ b/modules/cpd-image-build/main.tf @@ -1,12 +1,17 @@ -locals { - resource_group_name = var.resource_group == null ? "${var.prefix}-cpd" : var.resource_group - - container_registry_namespace = var.container_registry_namespace != null ? var.container_registry_namespace : "${var.prefix}-cpd-${random_string.random.result}" - container_registry_server = lookup(local.registry_server_map, var.region, null) != null ? local.registry_server_map[var.region] : "private.icr.io" - container_registry_output_image = "${local.container_registry_server}/${local.container_registry_namespace}/deployer:${var.cloud_pak_deployer_release}" +############################################################################## +# Locals +############################################################################## - code_engine_project_name = var.code_engine_project_name != null ? var.code_engine_project_name : "${var.prefix}-cpd-${random_string.random.result}" +data "ibm_resource_group" "group" { + count = var.resource_group_id == null ? 1 : 0 + is_default = "true" +} +locals { + resource_group_id = var.resource_group_id == null ? data.ibm_resource_group.group[0].id : var.resource_group_id + container_registry_server = var.use_global_container_registry_location ? "private.icr.io" : lookup(local.registry_server_map, var.region, null) != null ? local.registry_server_map[var.region] : "private.icr.io" + container_registry_output_image = "${local.container_registry_server}/${var.container_registry_namespace}/deployer:${var.cloud_pak_deployer_release}" + container_registry_namespace_name = var.add_random_suffix_icr_namespace ? "${var.container_registry_namespace}-${random_string.random[0].result}" : var.container_registry_namespace registry_server_map = { au-syd = "private.au.icr.io" br-sao = "private.br.icr.io" @@ -17,52 +22,45 @@ locals { eu-gb = "private.uk.icr.io" us-south = "private.us.icr.io" } - - resource_group_id = var.code_engine_project_id != null ? data.ibm_code_engine_project.code_engine_project[0].resource_group_id : module.resource_group[0].resource_group_id + ce_project_name = var.code_engine_project_name != null ? var.add_random_suffix_code_engine_project ? "${var.code_engine_project_name}-${random_string.random[0].result}" : var.code_engine_project_name : data.ibm_code_engine_project.code_engine_project[0].name } ############################################################################## # Generate a random seed since some resources need unique names ############################################################################## + resource "random_string" "random" { - length = 8 + count = var.add_random_suffix_icr_namespace || var.add_random_suffix_code_engine_project ? 1 : 0 + length = 4 lower = true upper = false special = false } -data "ibm_code_engine_project" "code_engine_project" { - count = var.code_engine_project_id != null ? 1 : 0 - project_id = var.code_engine_project_id -} - -module "resource_group" { - count = var.code_engine_project_id == null ? 1 : 0 - source = "terraform-ibm-modules/resource-group/ibm" - version = "1.2.0" - - # if an existing resource group is not set (null) create a new one using prefix - resource_group_name = var.resource_group == null ? "${var.prefix}-resource-group" : null - existing_resource_group_name = var.resource_group -} - ############################################################################## -# Container registry resources +# Container registry namespace ############################################################################## + resource "ibm_cr_namespace" "cr_namespace" { - name = local.container_registry_namespace + name = local.container_registry_namespace_name resource_group_id = local.resource_group_id } ############################################################################## # Code engine resources ############################################################################## + +data "ibm_code_engine_project" "code_engine_project" { + count = var.code_engine_project_id != null ? 1 : 0 + project_id = var.code_engine_project_id +} + module "code_engine" { source = "terraform-ibm-modules/code-engine/ibm" version = "4.2.2" - project_name = var.code_engine_project_id == null ? local.code_engine_project_name : null + project_name = var.code_engine_project_id == null ? var.code_engine_project_name : null existing_project_id = var.code_engine_project_id - resource_group_id = local.resource_group_id + resource_group_id = var.code_engine_project_id != null ? data.ibm_code_engine_project.code_engine_project[0].resource_group_id : local.resource_group_id secrets = { "registry-secret" = { format = "registry" diff --git a/modules/cpd-image-build/outputs.tf b/modules/cpd-image-build/outputs.tf index afd18f60..6535b0aa 100644 --- a/modules/cpd-image-build/outputs.tf +++ b/modules/cpd-image-build/outputs.tf @@ -1,11 +1,6 @@ -output "resource_group" { - description = "The resource group that was used for the resources within" - value = local.resource_group_name -} - output "container_registry_namespace" { description = "The name of the container registry namespace" - value = local.container_registry_namespace + value = ibm_cr_namespace.cr_namespace.name } output "container_registry_server" { @@ -19,6 +14,11 @@ output "container_registry_output_image" { } output "code_engine_project_name" { - description = "The name of the code engine project that was created" - value = local.code_engine_project_name + description = "The name of the code engine project that was used" + value = local.ce_project_name +} + +output "code_engine_project_id" { + description = "The ID of the code engine project that used" + value = module.code_engine.project_id } diff --git a/modules/cpd-image-build/variables.tf b/modules/cpd-image-build/variables.tf index 4c0c2acc..3ea23988 100644 --- a/modules/cpd-image-build/variables.tf +++ b/modules/cpd-image-build/variables.tf @@ -4,46 +4,60 @@ variable "ibmcloud_api_key" { sensitive = true } -variable "prefix" { - description = "The value that you would like to prefix to the name of the resources provisioned by this module. Explicitly set to null if you do not wish to use a prefix. This value is ignored if using one of the optional variables for explicit control over naming." - type = string - default = null -} - variable "region" { - description = "Region where resources will be provisioned" + description = "Region where Code Engine and Container Registry resources will be provisioned. To use the 'Global' Container Registry location set `use_global_container_registry_location` to true." type = string + default = "us-south" } -variable "resource_group" { - description = "Resource groups to create or reference" +variable "resource_group_id" { type = string + description = "The ID of the resource group to create resource in. If not set, Default resource group will be used." + default = null +} - default = null +variable "use_global_container_registry_location" { + description = "Set to true to create the Container Registry namespace in the 'Global' location. If set to false, the namespace will be created in the region provided in the `region` input value." + type = bool + default = false } variable "container_registry_namespace" { - description = "The name of the container registry namespace" + description = "The name of the Container Registry namespace to create. If `add_random_suffix_icr_namespace` is set to true, a randomly generated 4-character suffix will be added to this value." type = string - - default = null + default = "cpd" } variable "code_engine_project_name" { - description = "The name of the code engine project to be created for the image build" + description = "The name of the Code Engine project to be created for the image build. Alternatively use `code_engine_project_id` to use existing project. If `add_random_suffix_code_engine_project` is set to true, a randomly generated 4-character suffix will be added to this value." type = string - - default = null + default = "cpd" + validation { + condition = var.code_engine_project_name == null ? var.code_engine_project_id != null : true + error_message = "A value must be passed for either 'code_engine_project_name' (to create new project) or 'code_engine_project_id' (to use existing project)." + } } variable "code_engine_project_id" { - description = "If you want to use an existing project, you can pass the code engine project id vs a new project being created." + description = "If you want to use an existing project, you can pass the Code Engine project ID. Alternatively use `code_engine_project_name` to create a new project." type = string default = null } variable "cloud_pak_deployer_release" { - description = "The release of cloud pak deployer to build the image off of" + description = "The GIT release of Cloud Pak Deployer version to build from. View releases at: https://github.com/IBM/cloud-pak-deployer/releases." type = string - default = "latest" + default = "v3.1.8" # TODO: manage this version with renovate - https://github.com/terraform-ibm-modules/terraform-ibm-watsonx-self-managed-ocp/issues/36 +} + +variable "add_random_suffix_icr_namespace" { + type = bool + description = "Whether to add a randomly generated 4-character suffix to the newly created ICR namespace." + default = true +} + +variable "add_random_suffix_code_engine_project" { + type = bool + description = "Whether to add a randomly generated 4-character suffix to the newly created Code Engine project. Only applies if `code_engine_project_id` is `null`." + default = true } diff --git a/modules/cpd-image-build/version.tf b/modules/cpd-image-build/version.tf index cbc24ff8..ea19eac4 100644 --- a/modules/cpd-image-build/version.tf +++ b/modules/cpd-image-build/version.tf @@ -11,7 +11,7 @@ terraform { } shell = { source = "scottwinkler/shell" - version = "1.7.10" + version = ">= 1.7.10, <2.0.0" } } } diff --git a/solutions/fully-configurable/DA-types.md b/solutions/fully-configurable/DA-types.md index 409c3dc6..82704707 100644 --- a/solutions/fully-configurable/DA-types.md +++ b/solutions/fully-configurable/DA-types.md @@ -4,22 +4,7 @@ The `cloud_pak_deployer_secret` variable is used to provide credentials for accessing a private Cloud Pak Deployer image registry. This is required if you are using a custom or private image that is not publicly accessible. If this variable is set to `null`, a default secret will be created automatically. -## Variable Definition - -```hcl -variable "cloud_pak_deployer_secret" { - description = "Secret for accessing the Cloud Pak Deployer image. If `null`, a default secret will be created # pragma: allowlist secret." - type = object({ - username = string - password = string - server = string - email = string - }) - default = null -} -``` - -## Usage +### Usage The value should be an object with the following fields: @@ -28,12 +13,12 @@ The value should be an object with the following fields: - `server`: The registry server URL (e.g., `quay.io`, `icr.io`, etc.). - `email`: The email address associated with the registry account. -### Example +### Example usage ```hcl -cloud_pak_deployer_secret = { +{ username = "my-registry-user" - password = "my-registry-password" # pragma: allowlist secret + password = "my-registry-password" server = "quay.io" email = "user@example.com" } @@ -46,21 +31,10 @@ If you are using IBM Cloud Container Registry (ICR), your `server` might look li - **Required**: When your `cloud_pak_deployer_image` is hosted in a private registry that requires authentication. - **Optional**: If using the default public image, you can leave this variable as `null`. -## References +### References - [IBM Cloud Pak Deployer Documentation](https://github.com/IBM/cloud-pak-deployer) - [IBM Cloud Container Registry Docs](https://cloud.ibm.com/docs/container-registry) - [Terraform Input Variables](https://developer.hashicorp.com/terraform/language/values/variables) -## Example usage - -```hcl -cloud_pak_deployer_secret = { - username = "myuser" - password = "mypassword" # pragma: allowlist secret - server = "us.icr.io" - email = "myuser@example.com" -} -``` - > **Note:** If you do not need a custom image or private registry, you can omit this variable or set it to `null`. diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index 18c6c649..9d41443b 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md @@ -113,16 +113,18 @@ You need the following permissions to run this module: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.9.0 | -| [external](#requirement\_external) | >= 2.3.4 | -| [helm](#requirement\_helm) | >= 2.8.0, <3.0.0 | -| [ibm](#requirement\_ibm) | 1.79.1 | -| [null](#requirement\_null) | >= 3.2.1, < 4.0.0 | +| [external](#requirement\_external) | 2.3.5 | +| [helm](#requirement\_helm) | 2.17.0 | +| [ibm](#requirement\_ibm) | 1.79.2 | +| [null](#requirement\_null) | 3.2.4 | +| [random](#requirement\_random) | 3.7.2 | | [shell](#requirement\_shell) | 1.7.10 | ### Modules | Name | Source | Version | |------|--------|---------| +| [cluster\_resource\_group](#module\_cluster\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.2.0 | | [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.2.0 | | [watsonx\_self\_managed\_ocp](#module\_watsonx\_self\_managed\_ocp) | ../.. | n/a | @@ -130,37 +132,42 @@ You need the following permissions to run this module: | Name | Type | |------|------| -| [null_resource.wait_for_cloud_pak_deployer_complete](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | -| [external_external.schematics](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source | -| [ibm_container_cluster_config.cluster_config](https://registry.terraform.io/providers/ibm-cloud/ibm/1.79.1/docs/data-sources/container_cluster_config) | data source | -| [ibm_iam_auth_token.tokendata](https://registry.terraform.io/providers/ibm-cloud/ibm/1.79.1/docs/data-sources/iam_auth_token) | data source | +| [null_resource.wait_for_cloud_pak_deployer_complete](https://registry.terraform.io/providers/hashicorp/null/3.2.4/docs/resources/resource) | resource | +| [random_password.admin_password](https://registry.terraform.io/providers/hashicorp/random/3.7.2/docs/resources/password) | resource | +| [external_external.schematics](https://registry.terraform.io/providers/hashicorp/external/2.3.5/docs/data-sources/external) | data source | +| [ibm_container_cluster_config.cluster_config](https://registry.terraform.io/providers/ibm-cloud/ibm/1.79.2/docs/data-sources/container_cluster_config) | data source | +| [ibm_iam_auth_token.tokendata](https://registry.terraform.io/providers/ibm-cloud/ibm/1.79.2/docs/data-sources/iam_auth_token) | data source | ### Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [cloud\_pak\_deployer\_image](#input\_cloud\_pak\_deployer\_image) | Cloud Pak Deployer image to use. If `null`, the image will be built using Code Engine. | `string` | `"quay.io/cloud-pak-deployer/cloud-pak-deployer"` | no | -| [cloud\_pak\_deployer\_release](#input\_cloud\_pak\_deployer\_release) | Release of Cloud Pak Deployer version to use. View releases at: https://github.com/IBM/cloud-pak-deployer/releases. | `string` | `"v3.1.8"` | no | +| [cloud\_pak\_deployer\_image](#input\_cloud\_pak\_deployer\_image) | Cloud Pak Deployer image to use. If `null`, the image will be built using Code Engine and publish to a private Container Registry namespace. | `string` | `"quay.io/cloud-pak-deployer/cloud-pak-deployer:v3.1.8@sha256:e9cde204359a3014a3cee6a43c1e945a7dcb31d5fa92439326d4e5ab2191b48f"` | no | +| [cloud\_pak\_deployer\_release](#input\_cloud\_pak\_deployer\_release) | The GIT release of Cloud Pak Deployer version to build from. Only applies if `cloud_pak_deployer_image` is `null`. View releases at: https://github.com/IBM/cloud-pak-deployer/releases. | `string` | `"v3.1.8"` | no | | [cloud\_pak\_deployer\_secret](#input\_cloud\_pak\_deployer\_secret) | Secret for accessing the Cloud Pak Deployer image. If `null`, a default secret will be created # pragma: allowlist secret. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-watsonx-self-managed-ocp/tree/main/solutions/fully-configurable/DA-types.md). | 
object({
    username = string
    password = string
    server   = string
    email    = string
  })
| `null` | no | -| [code\_engine\_project\_id](#input\_code\_engine\_project\_id) | If you want to use an existing project, you can pass the code engine project ID and the Cloud Pak Deployer build will be built within the existing project instead of creating a new one. | `string` | `null` | no | -| [code\_engine\_project\_name](#input\_code\_engine\_project\_name) | If `cloud_pak_deployer_image` is `null`, it will build the image with code engine and store it within a private ICR registry. Provide a name if you want to set the name. If not defined, default will be `{prefix}-cpd-{random-suffix}`. | `string` | `null` | no | -| [cpd\_accept\_license](#input\_cpd\_accept\_license) | When set to `true`, it is understood that the user has read the terms of the Cloud Pak license(s) and agrees to the terms outlined. | `bool` | `true` | no | -| [cpd\_admin\_password](#input\_cpd\_admin\_password) | Password for the Cloud Pak for Data admin user. | `string` | `"passw0rd"` | no | +| [code\_engine\_project\_id](#input\_code\_engine\_project\_id) | If you want to use an existing project, you can pass the Code Engine project ID. Alternatively use `code_engine_project_name` to create a new project. Only applies if `cloud_pak_deployer_image` is `null`. | `string` | `null` | no | +| [code\_engine\_project\_name](#input\_code\_engine\_project\_name) | The name of the Code Engine project to be created for the image build. Alternatively use `code_engine_project_id` to use existing project. Only applies if `cloud_pak_deployer_image` is `null`. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"cpd"` | no | +| [container\_registry\_namespace](#input\_container\_registry\_namespace) | The name of the Container Registry namespace to create. Only applies if `cloud_pak_deployer_image` is `null`. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"cpd"` | no | +| [cpd\_accept\_license](#input\_cpd\_accept\_license) | When set to 'true', it is understood that the user has read the terms of the Cloud Pak license(s) and agrees to the terms outlined. | `bool` | `true` | no | +| [cpd\_admin\_password](#input\_cpd\_admin\_password) | Password for the Cloud Pak for Data admin user. If no value passed, a random password is generated and can be access using the 'cpd\_admin\_password' output. | `string` | `null` | no | | [cpd\_entitlement\_key](#input\_cpd\_entitlement\_key) | Cloud Pak for Data entitlement key for access to the IBM Entitled Registry. Can be fetched from https://myibm.ibm.com/products-services/containerlibrary. | `string` | n/a | yes | | [cpd\_version](#input\_cpd\_version) | Cloud Pak for Data version to install. Only version 5.x.x is supported, latest versions can be found [here](https://www.ibm.com/docs/en/cloud-paks/cp-data?topic=versions-cloud-pak-data). | `string` | `"5.0.3"` | no | | [existing\_cluster\_name](#input\_existing\_cluster\_name) | Name of an existing Red Hat OpenShift cluster to create and install watsonx onto. | `string` | n/a | yes | -| [existing\_resource\_group\_name](#input\_existing\_resource\_group\_name) | Resource group id of the cluster | `string` | n/a | yes | +| [existing\_cluster\_resource\_group\_name](#input\_existing\_cluster\_resource\_group\_name) | The name of the resource group that the cluster provided in `cluster_name` exists in. | `string` | n/a | yes | +| [existing\_resource\_group\_name](#input\_existing\_resource\_group\_name) | The name of the resource group where Code Engine and Container Registry resources will be provisioned. Only applies if `cloud_pak_deployer_image` is `null`. | `string` | `"Default"` | no | | [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes | | [install\_odf\_cluster\_addon](#input\_install\_odf\_cluster\_addon) | Install the ODF cluster addon. | `bool` | `true` | no | | [odf\_config](#input\_odf\_config) | Configuration for the ODF addon. Example add on options can be found [here](https://cloud.ibm.com/docs/openshift?topic=openshift-deploy-odf-classic&interface=cli#install-odf-cli-classic) | `map(string)` | 
{
  "addSingleReplicaPool": "false",
  "billingType": "essentials",
  "clusterEncryption": "false",
  "disableNoobaaLB": "false",
  "enableNFS": "false",
  "encryptionInTransit": "false",
  "hpcsBaseUrl": "",
  "hpcsEncryption": "false",
  "hpcsInstanceId": "",
  "hpcsSecretName": "",
  "hpcsServiceName": "",
  "hpcsTokenUrl": "",
  "ignoreNoobaa": "true",
  "numOfOsd": "1",
  "ocsUpgrade": "false",
  "odfDeploy": "true",
  "osdDevicePaths": "",
  "osdSize": "512Gi",
  "osdStorageClassName": "ibmc-vpc-block-metro-10iops-tier",
  "prepareForDisasterRecovery": "false",
  "resourceProfile": "balanced",
  "taintNodes": "false",
  "useCephRBDAsDefaultStorageClass": "false",
  "workerNodes": "all",
  "workerPool": ""
}
| no | | [odf\_version](#input\_odf\_version) | Version of ODF to install. | `string` | `"4.16.0"` | no | -| [prefix](#input\_prefix) | A unique identifier for resources that is prepended to resources that are provisioned. Must begin with a lowercase letter and end with a lowercase letter or number. Must be 16 or fewer characters. | `string` | `"cp4d"` | no | -| [region](#input\_region) | Region where resources will be created. To find your VPC region, use `ibmcloud is regions` command to find available regions. | `string` | `"us-south"` | no | -| [watson\_assistant\_install](#input\_watson\_assistant\_install) | If watsonx.ai is being installed, also install watson assistant | `bool` | `false` | no | -| [watson\_discovery\_install](#input\_watson\_discovery\_install) | If watsonx.ai is being installed, also install watson discovery | `bool` | `false` | no | -| [watsonx\_ai\_install](#input\_watsonx\_ai\_install) | Determine whether the watsonx.ai cartridge for the deployer will be installed | `bool` | `false` | no | -| [watsonx\_ai\_models](#input\_watsonx\_ai\_models) | List of watsonx.ai models to install. Information on the foundation models including pre-reqs can be found here - https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=install-foundation-models. Use the ModelID as input | `list(string)` | 
[
  "ibm-granite-13b-instruct-v2"
]
| no | -| [watsonx\_data\_install](#input\_watsonx\_data\_install) | Determine whether the watsonx.data cartridge for the deployer will be installed | `bool` | `false` | no | +| [prefix](#input\_prefix) | The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: prod-wx-cp4d. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md). | `string` | n/a | yes | +| [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no | +| [region](#input\_region) | Region where Code Engine and Container Registry resources will be provisioned. Only applies if `cloud_pak_deployer_image` is `null`. To use the 'Global' Container Registry location set `use_global_container_registry_location` to true. | `string` | `"us-south"` | no | +| [use\_global\_container\_registry\_location](#input\_use\_global\_container\_registry\_location) | Set to true to create the Container Registry namespace in the 'Global' location. If set to false, the namespace will be created in the region provided in the `region` input value. Only applies if `cloud_pak_deployer_image` is `null`. | `bool` | `false` | no | +| [watson\_assistant\_install](#input\_watson\_assistant\_install) | If watsonx.ai is being installed, also install watson assistant | `bool` | `true` | no | +| [watson\_discovery\_install](#input\_watson\_discovery\_install) | If watsonx.ai is being installed, also install watson discovery | `bool` | `true` | no | +| [watsonx\_ai\_install](#input\_watsonx\_ai\_install) | Determine whether the watsonx.ai cartridge for the deployer will be installed | `bool` | `true` | no | +| [watsonx\_ai\_models](#input\_watsonx\_ai\_models) | List of watsonx.ai models to install. Information on the foundation models including pre-reqs can be found here - https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=install-foundation-models. Use the ModelID as input | `list(string)` | 
[
  "ibm-granite-13b-instruct-v2"
]
| no | +| [watsonx\_data\_install](#input\_watsonx\_data\_install) | Determine whether the watsonx.data cartridge for the deployer will be installed | `bool` | `true` | no | ### Outputs @@ -170,6 +177,7 @@ You need the following permissions to run this module: | [cloud\_pak\_deployer\_secret](#output\_cloud\_pak\_deployer\_secret) | The secret used for accessing the Cloud Pak Deployer image. | | [cluster\_name](#output\_cluster\_name) | The name of the OpenShift cluster. | | [code\_engine\_project\_name](#output\_code\_engine\_project\_name) | The name of the code engine project that was created | +| [cpd\_admin\_password](#output\_cpd\_admin\_password) | The Cloud Pak Data admin password | diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 494c9080..1eaaaf45 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -2,42 +2,71 @@ # Resource Group ############################################################################## +module "cluster_resource_group" { + source = "terraform-ibm-modules/resource-group/ibm" + version = "1.2.0" + existing_resource_group_name = var.existing_cluster_resource_group_name +} + module "resource_group" { source = "terraform-ibm-modules/resource-group/ibm" version = "1.2.0" existing_resource_group_name = var.existing_resource_group_name } - ######################################################################################################################## # Watsonx Self Managed OCP module ######################################################################################################################## +resource "random_password" "admin_password" { + count = var.cpd_admin_password == null ? 1 : 0 + length = 32 + special = true + override_special = "-_" + min_numeric = 1 +} + +locals { + # _- are invalid first characters + # if - replace first char with J + # elseif _ replace first char with K + # else use asis + generated_admin_password = (length(random_password.admin_password) > 0 ? (startswith(random_password.admin_password[0].result, "-") ? "J${substr(random_password.admin_password[0].result, 1, -1)}" : startswith(random_password.admin_password[0].result, "_") ? "K${substr(random_password.admin_password[0].result, 1, -1)}" : random_password.admin_password[0].result) : null) + # admin password to use + cpd_admin_password = var.cpd_admin_password == null ? local.generated_admin_password : var.cpd_admin_password + prefix = var.prefix != null ? trimspace(var.prefix) != "" ? "${var.prefix}-" : "" : "" +} + + module "watsonx_self_managed_ocp" { - source = "../.." - prefix = var.prefix - ibmcloud_api_key = var.ibmcloud_api_key - region = var.region - resource_group = module.resource_group.resource_group_id - code_engine_project_name = var.code_engine_project_name - code_engine_project_id = var.code_engine_project_id - cloud_pak_deployer_image = var.cloud_pak_deployer_image - cloud_pak_deployer_release = var.cloud_pak_deployer_release - cloud_pak_deployer_secret = var.cloud_pak_deployer_secret - cluster_name = var.existing_cluster_name - cluster_rg_id = module.resource_group.resource_group_id - install_odf_cluster_addon = var.install_odf_cluster_addon - odf_version = var.odf_version - odf_config = var.odf_config - cpd_version = var.cpd_version - cpd_accept_license = var.cpd_accept_license - cpd_admin_password = var.cpd_admin_password - cpd_entitlement_key = var.cpd_entitlement_key - watsonx_ai_install = var.watsonx_ai_install - watsonx_ai_models = var.watsonx_ai_models - watsonx_data_install = var.watsonx_data_install - watson_discovery_install = var.watson_discovery_install - watson_assistant_install = var.watson_assistant_install + source = "../.." + ibmcloud_api_key = var.ibmcloud_api_key + region = var.region + resource_group_id = module.resource_group.resource_group_id + code_engine_project_name = "${local.prefix}${var.code_engine_project_name}" + code_engine_project_id = var.code_engine_project_id + cloud_pak_deployer_image = var.cloud_pak_deployer_image + cloud_pak_deployer_release = var.cloud_pak_deployer_release + cloud_pak_deployer_secret = var.cloud_pak_deployer_secret + cluster_name = var.existing_cluster_name + cluster_resource_group_id = module.cluster_resource_group.resource_group_id + install_odf_cluster_addon = var.install_odf_cluster_addon + odf_version = var.odf_version + odf_config = var.odf_config + cpd_version = var.cpd_version + cpd_accept_license = var.cpd_accept_license + cpd_admin_password = local.cpd_admin_password + cpd_entitlement_key = var.cpd_entitlement_key + watsonx_ai_install = var.watsonx_ai_install + watsonx_ai_models = var.watsonx_ai_models + watsonx_data_install = var.watsonx_data_install + watson_discovery_install = var.watson_discovery_install + watson_assistant_install = var.watson_assistant_install + use_global_container_registry_location = var.use_global_container_registry_location + container_registry_namespace = "${local.prefix}${var.container_registry_namespace}" + # No need to support suffix in DA as it has prefix functionality + add_random_suffix_icr_namespace = false + add_random_suffix_code_engine_project = false } resource "null_resource" "wait_for_cloud_pak_deployer_complete" { diff --git a/solutions/fully-configurable/outputs.tf b/solutions/fully-configurable/outputs.tf index dadba504..fe554976 100644 --- a/solutions/fully-configurable/outputs.tf +++ b/solutions/fully-configurable/outputs.tf @@ -18,3 +18,9 @@ output "code_engine_project_name" { description = "The name of the code engine project that was created" value = module.watsonx_self_managed_ocp.code_engine_project_name } + +output "cpd_admin_password" { + description = "The Cloud Pak Data admin password" + sensitive = true + value = local.cpd_admin_password +} diff --git a/solutions/fully-configurable/providers.tf b/solutions/fully-configurable/providers.tf index 88c2a2a4..69796da2 100644 --- a/solutions/fully-configurable/providers.tf +++ b/solutions/fully-configurable/providers.tf @@ -1,7 +1,7 @@ provider "ibm" { ibmcloud_api_key = var.ibmcloud_api_key - - region = var.region + region = var.region + visibility = var.provider_visibility } locals { diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 5904a5de..2aa13b31 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -1,48 +1,67 @@ +############################################################################################### +# Common inputs +############################################################################################### + variable "ibmcloud_api_key" { description = "The IBM Cloud API key to deploy resources." type = string sensitive = true } -variable "prefix" { - description = "A unique identifier for resources that is prepended to resources that are provisioned. Must begin with a lowercase letter and end with a lowercase letter or number. Must be 16 or fewer characters." +variable "provider_visibility" { + description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)." type = string - default = "cp4d" + default = "private" + validation { - error_message = "Prefix must begin with a letter and contain only lowercase letters, numbers, and - characters. Prefixes must end with a lowercase letter or number and be 16 or fewer characters." - condition = can(regex("^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$", var.prefix)) && length(var.prefix) <= 16 + condition = contains(["public", "private", "public-and-private"], var.provider_visibility) + error_message = "Invalid visibility option. Allowed values are 'public', 'private', or 'public-and-private'." } } -variable "region" { - description = "Region where resources will be created. To find your VPC region, use `ibmcloud is regions` command to find available regions." +variable "prefix" { type = string - nullable = false - default = "us-south" -} + nullable = true + description = "The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: prod-wx-cp4d. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md)." -variable "code_engine_project_name" { - description = "If `cloud_pak_deployer_image` is `null`, it will build the image with code engine and store it within a private ICR registry. Provide a name if you want to set the name. If not defined, default will be `{prefix}-cpd-{random-suffix}`." - type = string - default = null + validation { + # - null and empty string is allowed + # - Must not contain consecutive hyphens (--): length(regexall("--", var.prefix)) == 0 + # - Starts with a lowercase letter: [a-z] + # - Contains only lowercase letters (a–z), digits (0–9), and hyphens (-) + # - Must not end with a hyphen (-): [a-z0-9] + condition = (var.prefix == null || var.prefix == "" ? true : + alltrue([ + can(regex("^[a-z][-a-z0-9]*[a-z0-9]$", var.prefix)), + length(regexall("--", var.prefix)) == 0 + ]) + ) + error_message = "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--')." + } + + validation { + # must not exceed 16 characters in length + condition = length(var.prefix) <= 16 + error_message = "Prefix must not exceed 16 characters." + } } -variable "code_engine_project_id" { - description = "If you want to use an existing project, you can pass the code engine project ID and the Cloud Pak Deployer build will be built within the existing project instead of creating a new one." +variable "cloud_pak_deployer_image" { + description = "Cloud Pak Deployer image to use. If `null`, the image will be built using Code Engine and publish to a private Container Registry namespace." type = string - default = null + default = "quay.io/cloud-pak-deployer/cloud-pak-deployer:v3.1.8@sha256:e9cde204359a3014a3cee6a43c1e945a7dcb31d5fa92439326d4e5ab2191b48f" } -variable "cloud_pak_deployer_image" { - description = "Cloud Pak Deployer image to use. If `null`, the image will be built using Code Engine." +variable "existing_cluster_name" { + description = "Name of an existing Red Hat OpenShift cluster to create and install watsonx onto." type = string - default = "quay.io/cloud-pak-deployer/cloud-pak-deployer" + nullable = false } -variable "cloud_pak_deployer_release" { - description = "Release of Cloud Pak Deployer version to use. View releases at: https://github.com/IBM/cloud-pak-deployer/releases." +variable "existing_cluster_resource_group_name" { + description = "The name of the resource group that the cluster provided in `cluster_name` exists in." type = string - default = "v3.1.8" + nullable = false } variable "cloud_pak_deployer_secret" { @@ -56,20 +75,73 @@ variable "cloud_pak_deployer_secret" { default = null } -variable "existing_cluster_name" { - description = "Name of an existing Red Hat OpenShift cluster to create and install watsonx onto." +variable "cpd_accept_license" { + description = "When set to 'true', it is understood that the user has read the terms of the Cloud Pak license(s) and agrees to the terms outlined." + type = bool + default = true +} + +variable "cpd_admin_password" { + description = "Password for the Cloud Pak for Data admin user. If no value passed, a random password is generated and can be access using the 'cpd_admin_password' output." + sensitive = true + type = string + default = null +} + +variable "cpd_entitlement_key" { + description = "Cloud Pak for Data entitlement key for access to the IBM Entitled Registry. Can be fetched from https://myibm.ibm.com/products-services/containerlibrary." + sensitive = true type = string } -variable "existing_resource_group_name" { - description = "Resource group id of the cluster" +variable "cpd_version" { + description = "Cloud Pak for Data version to install. Only version 5.x.x is supported, latest versions can be found [here](https://www.ibm.com/docs/en/cloud-paks/cp-data?topic=versions-cloud-pak-data)." type = string + default = "5.0.3" + validation { - error_message = "`existing_resource_group_name` cannot be null if `existing_cluster_name` is not null." - condition = var.existing_cluster_name == null || var.existing_resource_group_name != null + error_message = "Cloud pak for data major version 5 is supported." + condition = split(".", var.cpd_version)[0] == "5" } } +# Only used in the watsonx.ai offering flavour +variable "watsonx_ai_install" { + description = "Determine whether the watsonx.ai cartridge for the deployer will be installed" + type = bool + default = true +} + +# Only used in the watsonx.ai offering flavour +variable "watsonx_ai_models" { + description = "List of watsonx.ai models to install. Information on the foundation models including pre-reqs can be found here - https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=install-foundation-models. Use the ModelID as input" + type = list(string) + default = ["ibm-granite-13b-instruct-v2"] +} + +# Only used in the watsonx.data offering flavour +variable "watsonx_data_install" { + description = "Determine whether the watsonx.data cartridge for the deployer will be installed" + type = bool + default = true +} + +variable "watson_discovery_install" { + description = "If watsonx.ai is being installed, also install watson discovery" + type = bool + default = true +} + +variable "watson_assistant_install" { + description = "If watsonx.ai is being installed, also install watson assistant" + type = bool + default = true +} + +############################################################################################### +# ODF inputs +############################################################################################### + variable "install_odf_cluster_addon" { description = "Install the ODF cluster addon." type = bool @@ -120,73 +192,52 @@ variable "odf_config" { } } -variable "cpd_accept_license" { - description = "When set to `true`, it is understood that the user has read the terms of the Cloud Pak license(s) and agrees to the terms outlined." - type = bool - default = true - nullable = false -} +############################################################################################### +# Below inputs are only used if building image (aka setting "cloud_pak_deployer_image" to null) +############################################################################################### -variable "cpd_admin_password" { - description = "Password for the Cloud Pak for Data admin user." - sensitive = true - type = string - nullable = false - default = "passw0rd" # pragma: allowlist secret -} - -variable "cpd_entitlement_key" { - description = "Cloud Pak for Data entitlement key for access to the IBM Entitled Registry. Can be fetched from https://myibm.ibm.com/products-services/containerlibrary." - sensitive = true +variable "existing_resource_group_name" { type = string - nullable = false + description = "The name of the resource group where Code Engine and Container Registry resources will be provisioned. Only applies if `cloud_pak_deployer_image` is `null`." + default = "Default" } -variable "cpd_version" { - description = "Cloud Pak for Data version to install. Only version 5.x.x is supported, latest versions can be found [here](https://www.ibm.com/docs/en/cloud-paks/cp-data?topic=versions-cloud-pak-data)." +variable "region" { + description = "Region where Code Engine and Container Registry resources will be provisioned. Only applies if `cloud_pak_deployer_image` is `null`. To use the 'Global' Container Registry location set `use_global_container_registry_location` to true." type = string - validation { - error_message = "Cloud pak for data major version 5 is supported." - condition = split(".", var.cpd_version)[0] == "5" - } - default = "5.0.3" - nullable = false + default = "us-south" } -# Only used in the watsonx.ai offering flavour -variable "watsonx_ai_install" { - description = "Determine whether the watsonx.ai cartridge for the deployer will be installed" +variable "use_global_container_registry_location" { + description = "Set to true to create the Container Registry namespace in the 'Global' location. If set to false, the namespace will be created in the region provided in the `region` input value. Only applies if `cloud_pak_deployer_image` is `null`." type = bool default = false - nullable = false } -# Only used in the watsonx.ai offering flavour -variable "watsonx_ai_models" { - description = "List of watsonx.ai models to install. Information on the foundation models including pre-reqs can be found here - https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=install-foundation-models. Use the ModelID as input" - type = list(string) - default = ["ibm-granite-13b-instruct-v2"] - nullable = false +variable "container_registry_namespace" { + description = "The name of the Container Registry namespace to create. Only applies if `cloud_pak_deployer_image` is `null`. If a prefix input variable is specified, the prefix is added to the name in the `-` format." + type = string + default = "cpd" } -# Only used in the watsonx.data offering flavour -variable "watsonx_data_install" { - description = "Determine whether the watsonx.data cartridge for the deployer will be installed" - type = bool - default = false - nullable = false +variable "code_engine_project_name" { + description = "The name of the Code Engine project to be created for the image build. Alternatively use `code_engine_project_id` to use existing project. Only applies if `cloud_pak_deployer_image` is `null`. If a prefix input variable is specified, the prefix is added to the name in the `-` format." + type = string + default = "cpd" + validation { + condition = var.code_engine_project_name == null ? var.code_engine_project_id != null : true + error_message = "A value must be passed for either 'code_engine_project_name' (to create new project) or 'code_engine_project_id' (to use existing project)." + } } -variable "watson_discovery_install" { - description = "If watsonx.ai is being installed, also install watson discovery" - type = bool - default = false - nullable = false +variable "code_engine_project_id" { + description = "If you want to use an existing project, you can pass the Code Engine project ID. Alternatively use `code_engine_project_name` to create a new project. Only applies if `cloud_pak_deployer_image` is `null`." + type = string + default = null } -variable "watson_assistant_install" { - description = "If watsonx.ai is being installed, also install watson assistant" - type = bool - default = false - nullable = false +variable "cloud_pak_deployer_release" { + description = "The GIT release of Cloud Pak Deployer version to build from. Only applies if `cloud_pak_deployer_image` is `null`. View releases at: https://github.com/IBM/cloud-pak-deployer/releases." + type = string + default = "v3.1.8" # TODO: manage this version with renovate - https://github.com/terraform-ibm-modules/terraform-ibm-watsonx-self-managed-ocp/issues/36 } diff --git a/solutions/fully-configurable/version.tf b/solutions/fully-configurable/version.tf index 0810d93b..7ea9f03d 100644 --- a/solutions/fully-configurable/version.tf +++ b/solutions/fully-configurable/version.tf @@ -1,17 +1,18 @@ terraform { required_version = ">= 1.9.0" + # Lock DA into an exact provider versions - renovate automation will keep it updated required_providers { ibm = { source = "ibm-cloud/ibm" - version = "1.79.1" + version = "1.79.2" } external = { source = "hashicorp/external" - version = ">= 2.3.4" + version = "2.3.5" } helm = { source = "hashicorp/helm" - version = ">= 2.8.0, <3.0.0" + version = "2.17.0" } shell = { source = "scottwinkler/shell" @@ -19,7 +20,11 @@ terraform { } null = { source = "hashicorp/null" - version = ">= 3.2.1, < 4.0.0" + version = "3.2.4" + } + random = { + source = "hashicorp/random" + version = "3.7.2" } } } diff --git a/tests/other_test.go b/tests/other_test.go index 88d360d3..e54c37af 100644 --- a/tests/other_test.go +++ b/tests/other_test.go @@ -1,2 +1,38 @@ // Tests in this file are NOT run in the PR pipeline. They are run in the continuous testing pipeline along with the ones in pr_test.go package test + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper" +) + +func TestRunBasicExample(t *testing.T) { + t.Parallel() + + // Pull entitlement key from secrets manager + cpdEntitlementKey, cpdEntitlementKeyErr := GetSecretsManagerKey( + permanentResources["secretsManagerGuid"].(string), + permanentResources["secretsManagerRegion"].(string), + cpdEntitlementKeySecretId, + ) + if !assert.NoError(t, cpdEntitlementKeyErr) { + t.Error("TestRunStandardUpgradeSolution Failed - geretain-software-entitlement-key not found in secrets manager") + panic(cpdEntitlementKeyErr) + } + + options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{ + Testing: t, + TerraformDir: "examples/basic", + Prefix: "wx-basic", + TerraformVars: map[string]interface{}{ + "cpd_admin_password": GetRandomAdminPassword(t), + "cpd_entitlement_key": *cpdEntitlementKey, + }, + }) + + output, err := options.RunTestConsistency() + assert.Nil(t, err, "This should not have errored") + assert.NotNil(t, output, "Expected some output") +} diff --git a/tests/pr_test.go b/tests/pr_test.go index 187dcc0f..67ac933b 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -44,7 +44,7 @@ func TestMain(m *testing.M) { } // A test to pass existing resources to the WatsonX Self Managed OCP DA -func TestRunStandardSolution(t *testing.T) { +func TestRunFullyConfigurableSolution(t *testing.T) { t.Parallel() // ------------------------------------------------------------------------------------ // Provision ROK's first @@ -90,7 +90,7 @@ func TestRunStandardSolution(t *testing.T) { ) if !assert.NoError(t, cpdEntitlementKeyErr) { - t.Error("TestRunStandardUpgradeSolution Failed - geretain-software-entitlement-key not found in secrets manager") + t.Error("TestRunFullyConfigurableSolution Failed - geretain-software-entitlement-key not found in secrets manager") panic(cpdEntitlementKeyErr) } @@ -100,14 +100,12 @@ func TestRunStandardSolution(t *testing.T) { // Do not hard fail the test if the implicit destroy steps fail to allow a full destroy of resource to occur ImplicitRequired: false, TerraformVars: map[string]any{ - "prefix": prefix, - "region": region, - "existing_cluster_name": terraform.Output(t, existingTerraformOptions, "cluster_name"), - "existing_resource_group_name": terraform.Output(t, existingTerraformOptions, "cluster_resource_group_name"), - "cloud_pak_deployer_image": "quay.io/cloud-pak-deployer/cloud-pak-deployer", - "cpd_admin_password": GetRandomAdminPassword(t), - "cpd_entitlement_key": *cpdEntitlementKey, - "install_odf_cluster_addon": true, + "prefix": prefix, + "region": region, + "existing_cluster_name": terraform.Output(t, existingTerraformOptions, "cluster_name"), + "cluster_resource_group_name": terraform.Output(t, existingTerraformOptions, "cluster_resource_group_name"), + "cpd_entitlement_key": *cpdEntitlementKey, + "provider_visibility": "public", // TODO: use schematics test wrapper and default to private }, }) @@ -147,7 +145,7 @@ func TestRunStandardSolution(t *testing.T) { } } -func TestRunStandardUpgradeSolution(t *testing.T) { +func TestRunFullyConfigurableUpgradeSolution(t *testing.T) { t.Parallel() prefix := fmt.Sprintf("cp-up-%s", strings.ToLower(random.UniqueId())) @@ -190,7 +188,7 @@ func TestRunStandardUpgradeSolution(t *testing.T) { ) if !assert.NoError(t, cpdEntitlementKeyErr) { - t.Error("TestRunStandardUpgradeSolution Failed - geretain-software-entitlement-key not found in secrets manager") + t.Error("TestRunFullyConfigurableUpgradeSolution Failed - geretain-software-entitlement-key not found in secrets manager") panic(cpdEntitlementKeyErr) } @@ -200,14 +198,12 @@ func TestRunStandardUpgradeSolution(t *testing.T) { // Do not hard fail the test if the implicit destroy steps fail to allow a full destroy of resource to occur ImplicitRequired: false, TerraformVars: map[string]any{ - "prefix": prefix, - "region": region, - "existing_cluster_name": terraform.Output(t, existingTerraformOptions, "cluster_name"), - "existing_resource_group_name": terraform.Output(t, existingTerraformOptions, "cluster_resource_group_name"), - "cloud_pak_deployer_image": "quay.io/cloud-pak-deployer/cloud-pak-deployer", - "cpd_admin_password": GetRandomAdminPassword(t), - "cpd_entitlement_key": *cpdEntitlementKey, - "install_odf_cluster_addon": true, + "prefix": prefix, + "region": region, + "existing_cluster_name": terraform.Output(t, existingTerraformOptions, "cluster_name"), + "cluster_resource_group_name": terraform.Output(t, existingTerraformOptions, "cluster_resource_group_name"), + "cpd_entitlement_key": *cpdEntitlementKey, + "provider_visibility": "public", // TODO: use schematics test wrapper and default to private }, }) @@ -249,17 +245,6 @@ func TestRunStandardUpgradeSolution(t *testing.T) { } } -func GetRandomAdminPassword(t *testing.T) string { - // Generate a 15 char long random string for the admin_pass - randomBytes := make([]byte, 13) - _, randErr := rand.Read(randomBytes) - require.Nil(t, randErr) // do not proceed if we can't gen a random password - - randomPass := "A1" + base64.URLEncoding.EncodeToString(randomBytes)[:13] - - return randomPass -} - // GetSecretsManagerKey retrieves a secret from Secrets Manager func GetSecretsManagerKey(smId string, smRegion string, smKeyId string) (*string, error) { secretsManagerService, err := secretsmanagerv2.NewSecretsManagerV2(&secretsmanagerv2.SecretsManagerV2Options{ @@ -282,3 +267,14 @@ func GetSecretsManagerKey(smId string, smRegion string, smKeyId string) (*string } return secret.(*secretsmanagerv2.ArbitrarySecret).Payload, nil } + +func GetRandomAdminPassword(t *testing.T) string { + // Generate a 15 char long random string for the admin_pass + randomBytes := make([]byte, 13) + _, randErr := rand.Read(randomBytes) + require.Nil(t, randErr) // do not proceed if we can't gen a random password + + randomPass := "A1" + base64.URLEncoding.EncodeToString(randomBytes)[:13] + + return randomPass +} diff --git a/variables.tf b/variables.tf index c1b57db2..7d6d6ecf 100644 --- a/variables.tf +++ b/variables.tf @@ -1,90 +1,120 @@ +############################################################################################### +# Common inputs +############################################################################################### + variable "ibmcloud_api_key" { description = "The IBM Cloud API key to deploy resources." type = string sensitive = true } -variable "prefix" { - description = "A unique identifier for resources that is prepended to resources that are provisioned. Must begin with a lowercase letter and end with a lowercase letter or number. Must be 16 or fewer characters." +variable "cloud_pak_deployer_image" { + description = "Cloud Pak Deployer image to use. If `null`, the image will be built using Code Engine and publish to a private Container Registry namespace." type = string - default = null - - validation { - error_message = "Prefix must begin with a letter and contain only lowercase letters, numbers, and - characters. Prefixes must end with a lowercase letter or number and be 16 or fewer characters." - condition = can(regex("^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$", var.prefix)) && length(var.prefix) <= 16 - } + default = "quay.io/cloud-pak-deployer/cloud-pak-deployer:v3.1.8@sha256:e9cde204359a3014a3cee6a43c1e945a7dcb31d5fa92439326d4e5ab2191b48f" } -variable "region" { - description = "Region where resources will be created. To find your VPC region, use `ibmcloud is regions` command to find available regions." +variable "cluster_name" { + description = "Name of an existing Red Hat OpenShift cluster to install watsonX onto" type = string } -variable "resource_group" { - description = "Resource group to provision services within. If not defined, a resource group called `{prefix}-cpd` will be created." +variable "cluster_resource_group_id" { + description = "The resource group ID of the cluster provided in `cluster_name`" type = string - default = null } -variable "code_engine_project_name" { - description = "If `cloud_pak_deployer_image` is `null`, it will build the image with code engine and store it within a private ICR registry. Provide a name if you want to set the name. If not defined, default will be `{prefix}-cpd-{random-suffix}`." - type = string - default = null +variable "cloud_pak_deployer_secret" { + description = "Secret for accessing the Cloud Pak Deployer image. If `null`, a default secret will be created." + type = object({ + username = string + password = string + server = string + email = string + }) + default = null } -variable "code_engine_project_id" { - description = "If you want to use an existing project, you can pass the code engine project ID and the Cloud Pak Deployer build will be built within the existing project instead of creating a new one." +variable "cpd_accept_license" { + description = "When set to 'true', it is understood that the user has read the terms of the Cloud Pak license(s) and agrees to the terms outlined." + type = bool + default = true +} + +variable "cpd_admin_password" { + description = "Password for the Cloud Pak for Data admin user." + sensitive = true type = string - default = null } -variable "cloud_pak_deployer_image" { - description = "Cloud Pak Deployer image to use. If `null`, the image will be built using Code Engine." +variable "cpd_entitlement_key" { + description = "Cloud Pak for Data entitlement key for access to the IBM Entitled Registry. Can be fetched from https://myibm.ibm.com/products-services/containerlibrary." + sensitive = true type = string - default = null } -variable "cloud_pak_deployer_release" { - description = "Release of Cloud Pak Deployer version to use. View releases at: https://github.com/IBM/cloud-pak-deployer/releases." +variable "cpd_version" { + description = "Cloud Pak for Data version to install. Only version 5.x.x is supported, latest versions can be found [here](https://www.ibm.com/docs/en/cloud-paks/cp-data?topic=versions-cloud-pak-data)." type = string - default = "v3.1.8" + default = "5.0.3" + + validation { + error_message = "Cloud pak for data major version 5 is supported." + condition = split(".", var.cpd_version)[0] == "5" + } } -variable "cloud_pak_deployer_secret" { - description = "Secret for accessing the Cloud Pak Deployer image. If `null`, a default secret will be created # pragma: allowlist secret." - type = object({ - username = string - password = string - server = string - email = string - }) - default = null +# Only used in the watsonx.ai offering flavour +variable "watsonx_ai_install" { + description = "Determine whether the watsonx.ai cartridge for the deployer will be installed" + type = bool + default = true } -variable "cluster_name" { - description = "Name of Red Hat OpenShift cluster to install watsonx onto" - type = string +# Only used in the watsonx.ai offering flavour +variable "watsonx_ai_models" { + description = "List of watsonx.ai models to install. Information on the foundation models including pre-reqs can be found here - https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=install-foundation-models. Use the ModelID as input" + type = list(string) + default = ["ibm-granite-13b-instruct-v2"] } -variable "cluster_rg_id" { - description = "Resource group id of the cluster" - type = string +# Only used in the watsonx.data offering flavour +variable "watsonx_data_install" { + description = "Determine whether the watsonx.data cartridge for the deployer will be installed" + type = bool + default = true } +variable "watson_discovery_install" { + description = "If watsonx.ai is being installed, also install watson discovery" + type = bool + default = true +} + +variable "watson_assistant_install" { + description = "If watsonx.ai is being installed, also install watson assistant" + type = bool + default = true +} + +############################################################################################### +# ODF inputs +############################################################################################### + variable "install_odf_cluster_addon" { - description = "Install the ODF cluster addon." + description = "Install the ODF cluster add-on." type = bool default = true } variable "odf_version" { - description = "Version of ODF to install." + description = "Version of OpenShift Data Foundation (ODF) add-on to install. Only applies if `install_odf_cluster_addon` is true." type = string default = "4.16.0" } variable "odf_config" { - description = "Configuration for the ODF addon." + description = "Configuration for the ODF addon. Only applies if `install_odf_cluster_addon` is true." type = map(string) default = { "odfDeploy" = "true" @@ -115,65 +145,65 @@ variable "odf_config" { } } -variable "cpd_accept_license" { - description = "When set to 'true', it is understood that the user has read the terms of the Cloud Pak license(s) and agrees to the terms outlined." - type = bool - default = true -} -variable "cpd_admin_password" { - description = "Password for the Cloud Pak for Data admin user." - sensitive = true +############################################################################################### +# Below inputs are only used if building image (aka setting "cloud_pak_deployer_image" to null) +############################################################################################### + +variable "resource_group_id" { type = string + description = "The ID of the resource group where Code Engine and Container Registry resources will be provisioned. Only applies if `cloud_pak_deployer_image` is `null`. If not set, Default resource group will be used." + default = null } -variable "cpd_entitlement_key" { - description = "Cloud Pak for Data entitlement key for access to the IBM Entitled Registry. Can be fetched from https://myibm.ibm.com/products-services/containerlibrary." - sensitive = true +variable "region" { + description = "Region where Code Engine and Container Registry resources will be provisioned. Only applies if `cloud_pak_deployer_image` is `null`. To use the 'Global' Container Registry location set `use_global_container_registry_location` to true." type = string + default = "us-south" } -variable "cpd_version" { - description = "Cloud Pak for Data version to install. Only version 5.x.x is supported, latest versions can be found [here](https://www.ibm.com/docs/en/cloud-paks/cp-data?topic=versions-cloud-pak-data)." +variable "use_global_container_registry_location" { + description = "Set to true to create the Container Registry namespace in the 'Global' location. If set to false, the namespace will be created in the region provided in the `region` input value. Only applies if `cloud_pak_deployer_image` is `null`." + type = bool + default = false +} + +variable "container_registry_namespace" { + description = "The name of the Container Registry namespace to create. Only applies if `cloud_pak_deployer_image` is `null`. If `add_random_suffix_icr_namespace` is set to true, a randomly generated 4-character suffix will be added to this value." type = string + default = "cpd" +} +variable "code_engine_project_name" { + description = "The name of the Code Engine project to be created for the image build. Alternatively use `code_engine_project_id` to use existing project. Only applies if `cloud_pak_deployer_image` is `null`. If `add_random_suffix_code_engine_project` is set to true, a randomly generated 4-character suffix will be added to this value." + type = string + default = "cpd" validation { - error_message = "Cloud pak for data major version 5 is supported." - condition = split(".", var.cpd_version)[0] == "5" + condition = var.code_engine_project_name == null ? var.code_engine_project_id != null : true + error_message = "A value must be passed for either 'code_engine_project_name' (to create new project) or 'code_engine_project_id' (to use existing project)." } - - default = "5.0.3" } -# Only used in the watsonx.ai offering flavour -variable "watsonx_ai_install" { - description = "Determine whether the watsonx.ai cartridge for the deployer will be installed" - type = bool - default = false -} - -# Only used in the watsonx.ai offering flavour -variable "watsonx_ai_models" { - description = "List of watsonx.ai models to install. Information on the foundation models including pre-reqs can be found here - https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=install-foundation-models. Use the ModelID as input" - type = list(string) - default = ["ibm-granite-13b-instruct-v2"] +variable "code_engine_project_id" { + description = "If you want to use an existing project, you can pass the Code Engine project ID. Alternatively use `code_engine_project_name` to create a new project. Only applies if `cloud_pak_deployer_image` is `null`." + type = string + default = null } -# Only used in the watsonx.data offering flavour -variable "watsonx_data_install" { - description = "Determine whether the watsonx.data cartridge for the deployer will be installed" - type = bool - default = false +variable "cloud_pak_deployer_release" { + description = "The GIT release of Cloud Pak Deployer version to build from. Only applies if `cloud_pak_deployer_image` is `null`. View releases at: https://github.com/IBM/cloud-pak-deployer/releases." + type = string + default = "v3.1.8" # TODO: manage this version with renovate - https://github.com/terraform-ibm-modules/terraform-ibm-watsonx-self-managed-ocp/issues/36 } -variable "watson_discovery_install" { - description = "If watsonx.ai is being installed, also install watson discovery" +variable "add_random_suffix_icr_namespace" { type = bool - default = false + description = "Whether to add a randomly generated 4-character suffix to the newly created ICR namespace." + default = true } -variable "watson_assistant_install" { - description = "If watsonx.ai is being installed, also install watson assistant" +variable "add_random_suffix_code_engine_project" { type = bool - default = false + description = "Whether to add a randomly generated 4-character suffix to the newly created Code Engine project. Only applies if `code_engine_project_id` is `null`." + default = true } diff --git a/version.tf b/version.tf index 7ba5e655..4433a529 100644 --- a/version.tf +++ b/version.tf @@ -3,7 +3,7 @@ terraform { required_providers { ibm = { source = "ibm-cloud/ibm" - version = ">=1.79.1" + version = ">=1.79.1, <2.0.0" } } } From 9fcfd9f347d4889f371d045d80138a64fe8ecd5c Mon Sep 17 00:00:00 2001 From: ocofaigh Date: Fri, 27 Jun 2025 17:43:28 +0100 Subject: [PATCH 2/8] clean --- .catalog-onboard-pipeline.yaml | 2 +- ibm_catalog.json | 29 ++++++++++++------- solutions/fully-configurable/README.md | 3 +- solutions/fully-configurable/main.tf | 6 +++- solutions/fully-configurable/providers.tf | 2 +- solutions/fully-configurable/variables.tf | 4 +-- .../pre-validation-deploy-ocp-instances.sh | 2 +- 7 files changed, 30 insertions(+), 18 deletions(-) diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml index 3191d23d..eddebd0d 100644 --- a/.catalog-onboard-pipeline.yaml +++ b/.catalog-onboard-pipeline.yaml @@ -4,7 +4,7 @@ offerings: - name: deploy-arch-ibm-watsonx-self-managed kind: solution catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd - offering_id: 86425cf1-a763-4d17-9bb9-75276274a5f6 + offering_id: 3b9ffe49-80e7-417b-9179-a2882d3c2517 variations: - name: fully-configurable mark_ready: true diff --git a/ibm_catalog.json b/ibm_catalog.json index d92c1637..7ec38205 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -76,16 +76,9 @@ }, { "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", "crn:v1:bluemix:public:iam::::role:Editor" ], - "service_name": "codeengine", - "notes": "[Optional] Required if building image." - }, - { - "role_crns": [ - "crn:v1:bluemix:public:iam::::role:Writer", - "crn:v1:bluemix:public:iam::::role:Manager" - ], "service_name": "container-registry", "notes": "[Optional] Required if building image." } @@ -118,8 +111,14 @@ "required": true }, { - "key": "existing_cluster_name", - "required": true + "key": "existing_cluster_id", + "display_name": "existing_cluster", + "required": true, + "custom_config": { + "type": "cluster_var", + "grouping": "deployment", + "original_grouping": "deployment" + } }, { "key": "existing_cluster_resource_group_name", @@ -171,7 +170,15 @@ "key": "code_engine_project_id" }, { - "key": "existing_resource_group_name" + "key": "existing_resource_group_name", + "custom_config": { + "type": "resource_group", + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "identifier": "rg_name" + } + } }, { "key": "container_registry_namespace" diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index 9d41443b..e5b4e432 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md @@ -136,6 +136,7 @@ You need the following permissions to run this module: | [random_password.admin_password](https://registry.terraform.io/providers/hashicorp/random/3.7.2/docs/resources/password) | resource | | [external_external.schematics](https://registry.terraform.io/providers/hashicorp/external/2.3.5/docs/data-sources/external) | data source | | [ibm_container_cluster_config.cluster_config](https://registry.terraform.io/providers/ibm-cloud/ibm/1.79.2/docs/data-sources/container_cluster_config) | data source | +| [ibm_container_vpc_cluster.cluster](https://registry.terraform.io/providers/ibm-cloud/ibm/1.79.2/docs/data-sources/container_vpc_cluster) | data source | | [ibm_iam_auth_token.tokendata](https://registry.terraform.io/providers/ibm-cloud/ibm/1.79.2/docs/data-sources/iam_auth_token) | data source | ### Inputs @@ -152,7 +153,7 @@ You need the following permissions to run this module: | [cpd\_admin\_password](#input\_cpd\_admin\_password) | Password for the Cloud Pak for Data admin user. If no value passed, a random password is generated and can be access using the 'cpd\_admin\_password' output. | `string` | `null` | no | | [cpd\_entitlement\_key](#input\_cpd\_entitlement\_key) | Cloud Pak for Data entitlement key for access to the IBM Entitled Registry. Can be fetched from https://myibm.ibm.com/products-services/containerlibrary. | `string` | n/a | yes | | [cpd\_version](#input\_cpd\_version) | Cloud Pak for Data version to install. Only version 5.x.x is supported, latest versions can be found [here](https://www.ibm.com/docs/en/cloud-paks/cp-data?topic=versions-cloud-pak-data). | `string` | `"5.0.3"` | no | -| [existing\_cluster\_name](#input\_existing\_cluster\_name) | Name of an existing Red Hat OpenShift cluster to create and install watsonx onto. | `string` | n/a | yes | +| [existing\_cluster\_id](#input\_existing\_cluster\_id) | ID of an existing Red Hat OpenShift cluster to create and install watsonx onto. | `string` | n/a | yes | | [existing\_cluster\_resource\_group\_name](#input\_existing\_cluster\_resource\_group\_name) | The name of the resource group that the cluster provided in `cluster_name` exists in. | `string` | n/a | yes | | [existing\_resource\_group\_name](#input\_existing\_resource\_group\_name) | The name of the resource group where Code Engine and Container Registry resources will be provisioned. Only applies if `cloud_pak_deployer_image` is `null`. | `string` | `"Default"` | no | | [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes | diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 1eaaaf45..0598f9ed 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -37,6 +37,10 @@ locals { prefix = var.prefix != null ? trimspace(var.prefix) != "" ? "${var.prefix}-" : "" : "" } +data "ibm_container_vpc_cluster" "cluster" { + name = var.existing_cluster_id + resource_group_id = module.cluster_resource_group.resource_group_id +} module "watsonx_self_managed_ocp" { source = "../.." @@ -48,7 +52,7 @@ module "watsonx_self_managed_ocp" { cloud_pak_deployer_image = var.cloud_pak_deployer_image cloud_pak_deployer_release = var.cloud_pak_deployer_release cloud_pak_deployer_secret = var.cloud_pak_deployer_secret - cluster_name = var.existing_cluster_name + cluster_name = data.ibm_container_vpc_cluster.cluster.name cluster_resource_group_id = module.cluster_resource_group.resource_group_id install_odf_cluster_addon = var.install_odf_cluster_addon odf_version = var.odf_version diff --git a/solutions/fully-configurable/providers.tf b/solutions/fully-configurable/providers.tf index 69796da2..fa940f14 100644 --- a/solutions/fully-configurable/providers.tf +++ b/solutions/fully-configurable/providers.tf @@ -23,7 +23,7 @@ locals { } data "ibm_container_cluster_config" "cluster_config" { - cluster_name_id = var.existing_cluster_name + cluster_name_id = var.existing_cluster_id config_dir = local.kube_config_dir } diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 2aa13b31..e5d9e6a2 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -52,8 +52,8 @@ variable "cloud_pak_deployer_image" { default = "quay.io/cloud-pak-deployer/cloud-pak-deployer:v3.1.8@sha256:e9cde204359a3014a3cee6a43c1e945a7dcb31d5fa92439326d4e5ab2191b48f" } -variable "existing_cluster_name" { - description = "Name of an existing Red Hat OpenShift cluster to create and install watsonx onto." +variable "existing_cluster_id" { + description = "ID of an existing Red Hat OpenShift cluster to create and install watsonx onto." type = string nullable = false } diff --git a/tests/scripts/pre-validation-deploy-ocp-instances.sh b/tests/scripts/pre-validation-deploy-ocp-instances.sh index 4d78812b..70ee977a 100755 --- a/tests/scripts/pre-validation-deploy-ocp-instances.sh +++ b/tests/scripts/pre-validation-deploy-ocp-instances.sh @@ -33,7 +33,7 @@ TF_VARS_FILE="terraform.tfvars" cpd_entitlement_key_value="${SOFTWARE_ENTITLEMENT_KEY}" existing_cluster_name_var_name="existing_cluster_name" existing_cluster_name_value=$(terraform output -state=terraform.tfstate -raw cluster_name) - existing_resource_group_name_var_name="existing_resource_group_name" + existing_resource_group_name_var_name="existing_cluster_resource_group_name" existing_resource_group_name_value=$(terraform output -state=terraform.tfstate -raw cluster_resource_group_name) echo "Appending '${existing_cluster_name_var_name}', '${existing_resource_group_name_var_name}', '${cpd_entitlement_key_var_name}', and '${region_var_name}' input variable values to ${JSON_FILE}.." From 35ecc1f881619c65273104c888a60af648a24986 Mon Sep 17 00:00:00 2001 From: ocofaigh Date: Sat, 28 Jun 2025 21:52:25 +0100 Subject: [PATCH 3/8] fix tests --- tests/other_test.go | 2 +- tests/pr_test.go | 24 ++++++++++++------------ 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/tests/other_test.go b/tests/other_test.go index e54c37af..e2a0aa02 100644 --- a/tests/other_test.go +++ b/tests/other_test.go @@ -18,7 +18,7 @@ func TestRunBasicExample(t *testing.T) { cpdEntitlementKeySecretId, ) if !assert.NoError(t, cpdEntitlementKeyErr) { - t.Error("TestRunStandardUpgradeSolution Failed - geretain-software-entitlement-key not found in secrets manager") + t.Error("TestRunBasicExample Failed - geretain-software-entitlement-key not found in secrets manager") panic(cpdEntitlementKeyErr) } diff --git a/tests/pr_test.go b/tests/pr_test.go index 67ac933b..916de98e 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -100,12 +100,12 @@ func TestRunFullyConfigurableSolution(t *testing.T) { // Do not hard fail the test if the implicit destroy steps fail to allow a full destroy of resource to occur ImplicitRequired: false, TerraformVars: map[string]any{ - "prefix": prefix, - "region": region, - "existing_cluster_name": terraform.Output(t, existingTerraformOptions, "cluster_name"), - "cluster_resource_group_name": terraform.Output(t, existingTerraformOptions, "cluster_resource_group_name"), - "cpd_entitlement_key": *cpdEntitlementKey, - "provider_visibility": "public", // TODO: use schematics test wrapper and default to private + "prefix": prefix, + "region": region, + "existing_cluster_id": terraform.Output(t, existingTerraformOptions, "cluster_id"), + "existing_cluster_resource_group_name": terraform.Output(t, existingTerraformOptions, "cluster_resource_group_name"), + "cpd_entitlement_key": *cpdEntitlementKey, + "provider_visibility": "public", // TODO: use schematics test wrapper and default to private (https://github.com/terraform-ibm-modules/terraform-ibm-watsonx-self-managed-ocp/issues/42) }, }) @@ -198,12 +198,12 @@ func TestRunFullyConfigurableUpgradeSolution(t *testing.T) { // Do not hard fail the test if the implicit destroy steps fail to allow a full destroy of resource to occur ImplicitRequired: false, TerraformVars: map[string]any{ - "prefix": prefix, - "region": region, - "existing_cluster_name": terraform.Output(t, existingTerraformOptions, "cluster_name"), - "cluster_resource_group_name": terraform.Output(t, existingTerraformOptions, "cluster_resource_group_name"), - "cpd_entitlement_key": *cpdEntitlementKey, - "provider_visibility": "public", // TODO: use schematics test wrapper and default to private + "prefix": prefix, + "region": region, + "existing_cluster_id": terraform.Output(t, existingTerraformOptions, "cluster_id"), + "existing_cluster_resource_group_name": terraform.Output(t, existingTerraformOptions, "cluster_resource_group_name"), + "cpd_entitlement_key": *cpdEntitlementKey, + "provider_visibility": "public", // TODO: use schematics test wrapper and default to private (https://github.com/terraform-ibm-modules/terraform-ibm-watsonx-self-managed-ocp/issues/42) }, }) From 835321b566a675c01a7e54ef4b406b67e8c5a4ba Mon Sep 17 00:00:00 2001 From: ocofaigh Date: Sat, 28 Jun 2025 23:17:48 +0100 Subject: [PATCH 4/8] fix catalog script --- .../catalogValidationValues.json.template | 3 +-- tests/scripts/pre-validation-deploy-ocp-instances.sh | 10 +++++----- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/solutions/fully-configurable/catalogValidationValues.json.template b/solutions/fully-configurable/catalogValidationValues.json.template index 18b78fec..45bef1ef 100644 --- a/solutions/fully-configurable/catalogValidationValues.json.template +++ b/solutions/fully-configurable/catalogValidationValues.json.template @@ -1,6 +1,5 @@ { "ibmcloud_api_key": $VALIDATION_APIKEY, "cpd_entitlement_key": $SOFTWARE_ENTITLEMENT_KEY, - "prefix": $PREFIX, - "region": "us-south" + "prefix": $PREFIX } diff --git a/tests/scripts/pre-validation-deploy-ocp-instances.sh b/tests/scripts/pre-validation-deploy-ocp-instances.sh index 70ee977a..a813e0ae 100755 --- a/tests/scripts/pre-validation-deploy-ocp-instances.sh +++ b/tests/scripts/pre-validation-deploy-ocp-instances.sh @@ -31,12 +31,12 @@ TF_VARS_FILE="terraform.tfvars" prefix_value="ocp-$(openssl rand -hex 2)" cpd_entitlement_key_var_name="cpd_entitlement_key" cpd_entitlement_key_value="${SOFTWARE_ENTITLEMENT_KEY}" - existing_cluster_name_var_name="existing_cluster_name" - existing_cluster_name_value=$(terraform output -state=terraform.tfstate -raw cluster_name) + existing_cluster_id_var_name="existing_cluster_id" + existing_cluster_id_value=$(terraform output -state=terraform.tfstate -raw cluster_id) existing_resource_group_name_var_name="existing_cluster_resource_group_name" existing_resource_group_name_value=$(terraform output -state=terraform.tfstate -raw cluster_resource_group_name) - echo "Appending '${existing_cluster_name_var_name}', '${existing_resource_group_name_var_name}', '${cpd_entitlement_key_var_name}', and '${region_var_name}' input variable values to ${JSON_FILE}.." + echo "Appending '${existing_cluster_id_var_name}', '${existing_resource_group_name_var_name}', '${cpd_entitlement_key_var_name}', and '${region_var_name}' input variable values to ${JSON_FILE}.." cd "${cwd}" jq -r --arg region_var_name "${region_var_name}" \ @@ -45,8 +45,8 @@ TF_VARS_FILE="terraform.tfvars" --arg prefix_value "${prefix_value}" \ --arg cpd_entitlement_key_var_name "${cpd_entitlement_key_var_name}" \ --arg cpd_entitlement_key_value "${cpd_entitlement_key_value}" \ - --arg existing_cluster_name_var_name "${existing_cluster_name_var_name}" \ - --arg existing_cluster_name_value "${existing_cluster_name_value}" \ + --arg existing_cluster_name_var_name "${existing_cluster_id_var_name}" \ + --arg existing_cluster_name_value "${existing_cluster_id_value}" \ --arg existing_resource_group_name_var_name "${existing_resource_group_name_var_name}" \ --arg existing_resource_group_name_value "${existing_resource_group_name_value}" \ '. + {($region_var_name): $region_var_value, ($prefix_var_name): $prefix_value, ($cpd_entitlement_key_var_name): $cpd_entitlement_key_value, ($existing_cluster_name_var_name): $existing_cluster_name_value, ($existing_resource_group_name_var_name): $existing_resource_group_name_value}' "${JSON_FILE}" > tmpfile && mv tmpfile "${JSON_FILE}" || exit 1 From 50910c72bc8540f5619489a1312bf178a5861acd Mon Sep 17 00:00:00 2001 From: ocofaigh Date: Sun, 29 Jun 2025 16:32:49 +0100 Subject: [PATCH 5/8] script clean --- scripts/wait_for_cpd_pod.sh | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/scripts/wait_for_cpd_pod.sh b/scripts/wait_for_cpd_pod.sh index 647e88b2..c47021e1 100755 --- a/scripts/wait_for_cpd_pod.sh +++ b/scripts/wait_for_cpd_pod.sh @@ -3,14 +3,16 @@ set -e NAMESPACE="cloud-pak-deployer" -POD_NAME=$(kubectl get pods -n $NAMESPACE -o jsonpath='{.items[0].metadata.name}') +POD_NAME=$(kubectl get pods -n "${NAMESPACE}" -o jsonpath='{.items[0].metadata.name}') STATUS="" while true; do - # shellcheck disable=SC2086 - STATUS=$(kubectl get pod $POD_NAME -n $NAMESPACE -o jsonpath='{.status.phase}') - echo "Pod status: $STATUS" - if [[ "$STATUS" == "Succeeded" || "$STATUS" == "Failed" ]]; then + STATUS=$(kubectl get pod "${POD_NAME}" -n "${NAMESPACE}" -o jsonpath='{.status.phase}') + echo "Pod status: ${STATUS}" + if [[ "${STATUS}" == "Succeeded" ]]; then break + elif [[ "${STATUS}" == "Failed" ]]; then + echo "Exiting due to 'Failed' status. Check pod logs for more info." + exit 1 fi - sleep 300 + sleep 60 done From 6dc2b8a206f6e555392c3ff4f08f70bbc20cd72c Mon Sep 17 00:00:00 2001 From: ocofaigh Date: Mon, 30 Jun 2025 16:20:13 +0100 Subject: [PATCH 6/8] SKIP UPGRADE TEST From 0ec761994ab78ad7487b42aa6968b3d6735e191f Mon Sep 17 00:00:00 2001 From: ocofaigh Date: Mon, 30 Jun 2025 20:24:04 +0100 Subject: [PATCH 7/8] disable by default --- README.md | 8 ++++---- ibm_catalog.json | 16 ++++++++-------- solutions/fully-configurable/variables.tf | 8 ++++---- variables.tf | 8 ++++---- 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 7ed23f22..9134b7d3 100644 --- a/README.md +++ b/README.md @@ -119,11 +119,11 @@ For more information on access and permissions, see [IBM Cloud IAM service roles | [region](#input\_region) | Region where Code Engine and Container Registry resources will be provisioned. Only applies if `cloud_pak_deployer_image` is `null`. To use the 'Global' Container Registry location set `use_global_container_registry_location` to true. | `string` | `"us-south"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group where Code Engine and Container Registry resources will be provisioned. Only applies if `cloud_pak_deployer_image` is `null`. If not set, Default resource group will be used. | `string` | `null` | no | | [use\_global\_container\_registry\_location](#input\_use\_global\_container\_registry\_location) | Set to true to create the Container Registry namespace in the 'Global' location. If set to false, the namespace will be created in the region provided in the `region` input value. Only applies if `cloud_pak_deployer_image` is `null`. | `bool` | `false` | no | -| [watson\_assistant\_install](#input\_watson\_assistant\_install) | If watsonx.ai is being installed, also install watson assistant | `bool` | `true` | no | -| [watson\_discovery\_install](#input\_watson\_discovery\_install) | If watsonx.ai is being installed, also install watson discovery | `bool` | `true` | no | -| [watsonx\_ai\_install](#input\_watsonx\_ai\_install) | Determine whether the watsonx.ai cartridge for the deployer will be installed | `bool` | `true` | no | +| [watson\_assistant\_install](#input\_watson\_assistant\_install) | If watsonx.ai is being installed, also install watson assistant | `bool` | `false` | no | +| [watson\_discovery\_install](#input\_watson\_discovery\_install) | If watsonx.ai is being installed, also install watson discovery | `bool` | `false` | no | +| [watsonx\_ai\_install](#input\_watsonx\_ai\_install) | Determine whether the watsonx.ai cartridge for the deployer will be installed | `bool` | `false` | no | | [watsonx\_ai\_models](#input\_watsonx\_ai\_models) | List of watsonx.ai models to install. Information on the foundation models including pre-reqs can be found here - https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=install-foundation-models. Use the ModelID as input | `list(string)` | 
[
  "ibm-granite-13b-instruct-v2"
]
| no | -| [watsonx\_data\_install](#input\_watsonx\_data\_install) | Determine whether the watsonx.data cartridge for the deployer will be installed | `bool` | `true` | no | +| [watsonx\_data\_install](#input\_watsonx\_data\_install) | Determine whether the watsonx.data cartridge for the deployer will be installed | `bool` | `false` | no | ### Outputs diff --git a/ibm_catalog.json b/ibm_catalog.json index 7ec38205..6deac23b 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -137,28 +137,28 @@ "required": true }, { - "key": "cpd_accept_license" + "key": "watsonx_ai_install" }, { - "key": "cpd_admin_password" + "key": "watsonx_ai_models" }, { - "key": "cpd_version" + "key": "watsonx_data_install" }, { - "key": "watsonx_ai_install" + "key": "watson_discovery_install" }, { - "key": "watsonx_ai_models" + "key": "watson_assistant_install" }, { - "key": "watsonx_data_install" + "key": "cpd_accept_license" }, { - "key": "watson_discovery_install" + "key": "cpd_admin_password" }, { - "key": "watson_assistant_install" + "key": "cpd_version" }, { "key": "cloud_pak_deployer_image" diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index e5d9e6a2..03ad05c8 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -109,7 +109,7 @@ variable "cpd_version" { variable "watsonx_ai_install" { description = "Determine whether the watsonx.ai cartridge for the deployer will be installed" type = bool - default = true + default = false } # Only used in the watsonx.ai offering flavour @@ -123,19 +123,19 @@ variable "watsonx_ai_models" { variable "watsonx_data_install" { description = "Determine whether the watsonx.data cartridge for the deployer will be installed" type = bool - default = true + default = false } variable "watson_discovery_install" { description = "If watsonx.ai is being installed, also install watson discovery" type = bool - default = true + default = false } variable "watson_assistant_install" { description = "If watsonx.ai is being installed, also install watson assistant" type = bool - default = true + default = false } ############################################################################################### diff --git a/variables.tf b/variables.tf index 7d6d6ecf..8d8836b7 100644 --- a/variables.tf +++ b/variables.tf @@ -68,7 +68,7 @@ variable "cpd_version" { variable "watsonx_ai_install" { description = "Determine whether the watsonx.ai cartridge for the deployer will be installed" type = bool - default = true + default = false } # Only used in the watsonx.ai offering flavour @@ -82,19 +82,19 @@ variable "watsonx_ai_models" { variable "watsonx_data_install" { description = "Determine whether the watsonx.data cartridge for the deployer will be installed" type = bool - default = true + default = false } variable "watson_discovery_install" { description = "If watsonx.ai is being installed, also install watson discovery" type = bool - default = true + default = false } variable "watson_assistant_install" { description = "If watsonx.ai is being installed, also install watson assistant" type = bool - default = true + default = false } ############################################################################################### From 1b8490d7173ca9801d0b33887555f390e6410d0a Mon Sep 17 00:00:00 2001 From: ocofaigh Date: Mon, 30 Jun 2025 20:25:20 +0100 Subject: [PATCH 8/8] add to required tab in projects --- ibm_catalog.json | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index 6deac23b..d11460a0 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -137,19 +137,24 @@ "required": true }, { - "key": "watsonx_ai_install" + "key": "watsonx_ai_install", + "required": true }, { - "key": "watsonx_ai_models" + "key": "watsonx_ai_models", + "required": true }, { - "key": "watsonx_data_install" + "key": "watsonx_data_install", + "required": true }, { - "key": "watson_discovery_install" + "key": "watson_discovery_install", + "required": true }, { - "key": "watson_assistant_install" + "key": "watson_assistant_install", + "required": true }, { "key": "cpd_accept_license"