terraform-ibm-modules
diff --git a/‎.secrets.baseline
+2-2 b/‎.secrets.baseline
+2-2
diff --git a/‎README.md
+3-2 b/‎README.md
+3-2
diff --git a/‎examples/backup-restore/README.md
+6 b/‎examples/backup-restore/README.md
+6
diff --git a/‎examples/backup-restore/catalogValidationValues.json.template
+6 b/‎examples/backup-restore/catalogValidationValues.json.template
+6
diff --git a/‎examples/backup-restore/main.tf
+28 b/‎examples/backup-restore/main.tf
+28
diff --git a/‎examples/backup-restore/outputs.tf
+12 b/‎examples/backup-restore/outputs.tf
+12
diff --git a/‎examples/backup-restore/provider.tf
+4 b/‎examples/backup-restore/provider.tf
+4
diff --git a/‎examples/backup-restore/variables.tf
+47 b/‎examples/backup-restore/variables.tf
+47
diff --git a/‎examples/backup-restore/version.tf
+11 b/‎examples/backup-restore/version.tf
+11
diff --git a/‎examples/basic/main.tf
+16-8 b/‎examples/basic/main.tf
+16-8
diff --git a/‎examples/basic/outputs.tf
+11-6 b/‎examples/basic/outputs.tf
+11-6
diff --git a/‎examples/basic/variables.tf
+17 b/‎examples/basic/variables.tf
+17
diff --git a/‎examples/complete/main.tf
+1-1 b/‎examples/complete/main.tf
+1-1
diff --git a/‎examples/fscloud/main.tf
+1-1 b/‎examples/fscloud/main.tf
+1-1
diff --git a/‎ibm_catalog.json
+15-3 b/‎ibm_catalog.json
+15-3
diff --git a/‎main.tf
+15-6 b/‎main.tf
+15-6
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-01-27T10:43:12Z",
+  "generated_at": "2025-02-11T19:19:45Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -82,7 +82,7 @@
         "hashed_secret": "ff9ee043d85595eb255c05dfe32ece02a53efbb2",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 33,
+        "line_number": 34,
         "type": "Secret Keyword",
         "verified_result": null
       }
 
@@ -20,6 +20,7 @@ This module implements an instance of IBM Cloud Databases for Redis.
     * [Basic example](./examples/basic)
     * [Complete example](./examples/complete)
     * [Financial Services compliant example](./examples/fscloud)
+    * [Restore from backup example](./examples/backup-restore)
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->
 
@@ -94,16 +95,16 @@ You need the following permissions to run this module.
 | <a name="input_configuration"></a> [configuration](#input\_configuration) | Database Configuration. Default values will get picked up if not all the values are passed. | <pre>object({<br/>    maxmemory                   = optional(number)<br/>    maxmemory-policy            = optional(string)<br/>    appendonly                  = optional(string)<br/>    maxmemory-samples           = optional(number)<br/>    stop-writes-on-bgsave-error = optional(string)<br/>  })</pre> | `null` | no |
 | <a name="input_cpu_count"></a> [cpu\_count](#input\_cpu\_count) | Allocated dedicated CPU per member. For shared CPU, set to 0. [Learn more](https://cloud.ibm.com/docs/databases-for-redis?topic=databases-for-redis-resources-scaling) | `number` | `0` | no |
 | <a name="input_disk_mb"></a> [disk\_mb](#input\_disk\_mb) | Allocated disk per member. [Learn more](https://cloud.ibm.com/docs/databases-for-redis?topic=databases-for-redis-resources-scaling) | `number` | `1024` | no |
-| <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'. | `string` | `"private"` | no |
-| <a name="input_instance_name"></a> [instance\_name](#input\_instance\_name) | The name to give the Redis instance. | `string` | n/a | yes |
 | <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `use_ibm_owned_encryption_key` is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the `use_same_kms_key_for_backups` and `backup_encryption_key_crn` inputs. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `string` | `null` | no |
 | <a name="input_member_host_flavor"></a> [member\_host\_flavor](#input\_member\_host\_flavor) | Allocated host flavor per member. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database#host_flavor). | `string` | `null` | no |
 | <a name="input_members"></a> [members](#input\_members) | Allocated number of members. Members can be scaled up but not down. | `number` | `2` | no |
 | <a name="input_memory_mb"></a> [memory\_mb](#input\_memory\_mb) | Allocated memory per member. [Learn more](https://cloud.ibm.com/docs/databases-for-redis?topic=databases-for-redis-resources-scaling) | `number` | `4096` | no |
+| <a name="input_name"></a> [name](#input\_name) | The name to give the Redis instance. | `string` | n/a | yes |
 | <a name="input_redis_version"></a> [redis\_version](#input\_redis\_version) | Version of the Redis instance to provision. If no value is passed, the current preferred version of IBM Cloud Databases is used. | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region where you want to deploy your instance. | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Redis instance will be created. | `string` | n/a | yes |
 | <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | Map of name, role for service credentials that you want to create for the database | `map(string)` | `{}` | no |
+| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'. | `string` | `"private"` | no |
 | <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of IAM authorization policies that permits all Databases for Redis instances in the given resource group 'Reader' access to the Key Protect or Hyper Protect Crypto Services key that was provided in the `kms_key_crn` and `backup_encryption_key_crn` inputs. This policy is required in order to enable KMS encryption, so only skip creation if there is one already present in your account. No policy is created if `use_ibm_owned_encryption_key` is true. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Optional list of tags to be added to the Redis instance. | `list(string)` | `[]` | no |
 | <a name="input_use_default_backup_encryption_key"></a> [use\_default\_backup\_encryption\_key](#input\_use\_default\_backup\_encryption\_key) | When `use_ibm_owned_encryption_key` is set to false, backups will be encrypted with either the key specified in `kms_key_crn`, or in `backup_encryption_key_crn` if a value is passed. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. Alternatively set `use_ibm_owned_encryption_key` to true to use the default encryption for both backups and deployment data. | `bool` | `false` | no |
 
@@ -0,0 +1,6 @@
+# Restore from backup example
+
+This example provides an end-to-end executable flow of how a Redis DB instance can be created from a backup instance. This example uses the IBM Cloud terraform provider to:
+
+- Create a new resource group if one is not passed in.
+- Create a restored ICD Redis database instance pointing to the lastest backup of the existing Redis database instance crn passed.
@@ -0,0 +1,6 @@
+{
+  "ibmcloud_api_key": $VALIDATION_APIKEY,
+  "region": "us-south",
+  "resource_tags": $TAGS,
+  "prefix": $PREFIX
+}
@@ -0,0 +1,28 @@
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.6"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+data "ibm_database_backups" "backup_database" {
+  deployment_id = var.existing_database_crn
+}
+
+# New redis instance pointing to the backup instance
+module "restored_icd_redis" {
+  source             = "../../"
+  resource_group_id  = module.resource_group.resource_group_id
+  name               = "${var.prefix}-redis-restored"
+  redis_version      = var.redis_version
+  region             = var.region
+  tags               = var.resource_tags
+  access_tags        = var.access_tags
+  member_host_flavor = "multitenant"
+  backup_crn         = data.ibm_database_backups.backup_database.backups[0].backup_id
+}
@@ -0,0 +1,12 @@
+##############################################################################
+# Outputs
+##############################################################################
+output "restored_icd_redis_id" {
+  description = "Restored redis instance id"
+  value       = module.restored_icd_redis.id
+}
+
+output "restored_icd_redis_version" {
+  description = "Restored redis instance version"
+  value       = module.restored_icd_redis.version
+}
@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}
@@ -0,0 +1,47 @@
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API Key"
+  sensitive   = true
+}
+
+variable "region" {
+  type        = string
+  description = "Region to provision all resources created by this example."
+  default     = "us-south"
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix to append to all resources created by this example"
+  default     = "backup"
+}
+
+variable "redis_version" {
+  type        = string
+  description = "Version of the redis instance. If no value passed, the current ICD preferred version is used."
+  default     = null
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
+}
+
+variable "access_tags" {
+  type        = list(string)
+  description = "A list of access tags to apply to the redis instance created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details"
+  default     = []
+}
+
+variable "existing_database_crn" {
+  type        = string
+  description = "The existing CRN of a backup resource to restore from."
+  default     = null
+}
@@ -0,0 +1,11 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    # Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
+    # module's version.tf (basic example), and 1 example that will always use the latest provider version (complete example).
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = ">=1.70.0, <2.0.0"
+    }
+  }
+}
@@ -14,12 +14,20 @@ module "resource_group" {
 # Redis
 ##############################################################################
 
-module "redis" {
-  source            = "../.."
-  resource_group_id = module.resource_group.resource_group_id
-  instance_name     = "${var.prefix}-redis"
-  region            = var.region
-  access_tags       = var.access_tags
-  tags              = var.resource_tags
-  redis_version     = var.redis_version
+module "database" {
+  source             = "../.."
+  resource_group_id  = module.resource_group.resource_group_id
+  name               = "${var.prefix}-data-store"
+  region             = var.region
+  access_tags        = var.access_tags
+  service_endpoints  = var.service_endpoints
+  member_host_flavor = var.member_host_flavor
+  tags               = var.resource_tags
+  redis_version      = var.redis_version
+  service_credential_names = {
+    "redis_admin" : "Administrator",
+    "redis_operator" : "Operator",
+    "redis_viewer" : "Viewer",
+    "redis_editor" : "Editor",
+  }
 }
@@ -3,31 +3,36 @@
 ##############################################################################
 output "id" {
   description = "Redis instance id"
-  value       = module.redis.id
+  value       = module.database.id
+}
+
+output "redis_crn" {
+  description = "Redis CRN"
+  value       = module.database.crn
 }
 
 output "version" {
   description = "Redis instance version"
-  value       = module.redis.version
+  value       = module.database.version
 }
 
 output "adminuser" {
   description = "Database admin user name"
-  value       = module.redis.adminuser
+  value       = module.database.adminuser
 }
 
 output "hostname" {
   description = "Database connection hostname"
-  value       = module.redis.hostname
+  value       = module.database.hostname
 }
 
 output "port" {
   description = "Database connection port"
-  value       = module.redis.port
+  value       = module.database.port
 }
 
 output "certificate_base64" {
   description = "Database connection certificate"
-  value       = module.redis.certificate_base64
+  value       = module.database.certificate_base64
   sensitive   = true
 }
@@ -39,3 +39,20 @@ variable "redis_version" {
   type        = string
   default     = null
 }
+
+variable "service_endpoints" {
+  type        = string
+  description = "The type of endpoint of the database instance. Possible values: `public`, `private`, `public-and-private`."
+  default     = "public"
+
+  validation {
+    condition     = can(regex("public|public-and-private|private", var.service_endpoints))
+    error_message = "Valid values for service_endpoints are 'public', 'public-and-private', and 'private'"
+  }
+}
+variable "member_host_flavor" {
+  type        = string
+  description = "The host flavor per member. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database#host_flavor)."
+  default     = "multitenant"
+  # Validation is done in the Terraform plan phase by the IBM provider, so no need to add extra validation here.
+}
@@ -92,7 +92,7 @@ module "icd_redis" {
   source            = "../../"
   resource_group_id = module.resource_group.resource_group_id
   redis_version     = var.redis_version
-  instance_name     = "${var.prefix}-redis"
+  name              = "${var.prefix}-redis"
   region            = var.region
   admin_pass        = var.admin_pass
   users             = var.users
 
@@ -56,7 +56,7 @@ module "cbr_zone" {
 module "redis" {
   source                    = "../../modules/fscloud"
   resource_group_id         = module.resource_group.resource_group_id
-  instance_name             = "${var.prefix}-redis"
+  name                      = "${var.prefix}-redis"
   region                    = var.region
   redis_version             = var.redis_version
   access_tags               = var.access_tags
 
@@ -231,6 +231,21 @@
             {
               "key": "admin_pass"
             },
+            {
+              "key": "admin_pass_secret_manager_secret_group"
+            },
+            {
+              "key": "admin_pass_secret_manager_secret_name"
+            },
+            {
+              "key": "use_existing_admin_pass_secret_manager_secret_group"
+            },
+            {
+              "key": "existing_redis_instance_crn"
+            },
+            {
+              "key": "skip_redis_kms_auth_policy"
+            },
             {
               "key": "users"
             },
@@ -280,9 +295,6 @@
                 }
               ]
             },
-            {
-              "key": "skip_redis_kms_auth_policy"
-            },
             {
               "key": "key_ring_name"
             },
 
@@ -1,6 +1,9 @@
-##############################################################################
-# ICD Redis module
-##############################################################################
+########################################################################################################################
+# Input variable validation
+# (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
+#
+# TODO: Replace with terraform cross variable validation: https://github.ibm.com/GoldenEye/issues/issues/10836
+########################################################################################################################
 
 locals {
   # Validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
@@ -12,7 +15,13 @@ locals {
   validate_backup_key = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn != null && (var.use_default_backup_encryption_key || var.use_same_kms_key_for_backups) ? tobool("When passing a value for 'backup_encryption_key_crn' you cannot set 'use_default_backup_encryption_key' to true or 'use_ibm_owned_encryption_key' to false.") : true
   # tflint-ignore: terraform_unused_declarations
   validate_backup_key_2 = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn == null && !var.use_same_kms_key_for_backups ? tobool("When 'use_same_kms_key_for_backups' is set to false, a value needs to be passed for 'backup_encryption_key_crn'.") : true
+}
 
+########################################################################################################################
+# Locals
+########################################################################################################################
+
+locals {
   # If no value passed for 'backup_encryption_key_crn' use the value of 'kms_key_crn' and perform validation of 'kms_key_crn' to check if region is supported by backup encryption key.
 
   # If 'use_ibm_owned_encryption_key' is true or 'use_default_backup_encryption_key' is true, default to null.
@@ -173,13 +182,13 @@ resource "time_sleep" "wait_for_backup_kms_authorization_policy" {
 
 resource "ibm_database" "redis_database" {
   depends_on                = [time_sleep.wait_for_authorization_policy]
-  name                      = var.instance_name
+  name                      = var.name
   plan                      = "standard" # Only standard plan is available for redis
   location                  = var.region
   service                   = "databases-for-redis"
   version                   = var.redis_version
   resource_group_id         = var.resource_group_id
-  service_endpoints         = var.endpoints
+  service_endpoints         = var.service_endpoints
   tags                      = var.tags
   adminpassword             = var.admin_pass
   key_protect_key           = var.kms_key_crn
@@ -391,7 +400,7 @@ locals {
 }
 
 data "ibm_database_connection" "database_connection" {
-  endpoint_type = var.endpoints == "public-and-private" ? "public" : var.endpoints
+  endpoint_type = var.service_endpoints == "public-and-private" ? "public" : var.service_endpoints
   deployment_id = ibm_database.redis_database.id
   user_id       = ibm_database.redis_database.adminuser
   user_type     = "database"