This module provisions the following resources in IBM Cloud:

- A VPC infrastructure with the following components:
    - One management VSI (jump/bastion host).
    - One network-services VSI configured as a Squid proxy, NTP server and DNS server (using roles from the `ibm.power_linux_sap` Ansible Galaxy collection). This VSI also acts as the central Ansible execution node.
    - Optional monitoring-host VSI.
    - Optional client-to-site VPN server.
    - Optional file storage share.
    - Optional application load balancer.
    - IBM Cloud Object Storage (COS) virtual private endpoint gateway (VPE).
    - IBM Cloud Object Storage (COS) instance and buckets.
    - VPC flow logs.
    - KMS keys.
    - Activity Tracker.
    - Optional Secrets Manager instance with a private certificate.
- A local or global transit gateway.
- An optional IBM Cloud Monitoring instance.
- A Power Virtual Server workspace with the following network topology:
    - Creates two private networks: a management network and a backup network.
    - Attaches the PowerVS workspace to the transit gateway.
    - Creates an SSH key.
    - Optionally imports a list of stock catalog images.
    - Optionally imports up to three custom images from Cloud Object Storage.
- Finally, interconnects the VPC and PowerVS infrastructure.
```hcl
provider "ibm" {
  alias            = "ibm-pi"
  region           = "" # PowerVS region of the workspace
  zone             = "" # PowerVS zone (the value passed as var.powervs_zone)
  ibmcloud_api_key = var.ibmcloud_api_key # null lets the provider fall back to the IC_API_KEY environment variable
}

provider "ibm" {
  alias            = "ibm-is"
  region           = "" # VPC region of the landing zone
  zone             = "" # VPC zone of the landing zone
  ibmcloud_api_key = var.ibmcloud_api_key
}

module "powervs-vpc-landing-zone" {
  source  = "terraform-ibm-modules/powervs-infrastructure/ibm//modules//powervs-vpc-landing-zone"
  version = "x.x.x" # Replace "x.x.x" with a git release version to lock into a specific release

  providers = { ibm.ibm-is = ibm.ibm-is, ibm.ibm-pi = ibm.ibm-pi }

  powervs_zone                                 = var.powervs_zone                                 # (required)
  prefix                                       = var.prefix                                       # (required)
  external_access_ip                           = var.external_access_ip                           # (required; the only source allowed to SSH in, or null when using the client-to-site VPN)
  ssh_public_key                               = var.ssh_public_key                               # (required; RSA 2048 or 4096)
  ssh_private_key                              = var.ssh_private_key                              # (required; sensitive, used only by Ansible to configure the VSIs)
  vpc_intel_images                             = var.vpc_intel_images                             # (required; RHEL and SLES stock image names)
  powervs_resource_group_name                  = var.powervs_resource_group_name                  # (required)
  client_to_site_vpn                           = var.client_to_site_vpn                           # (optional, see variables)
  configure_dns_forwarder                      = var.configure_dns_forwarder                      # (optional, default false)
  configure_ntp_forwarder                      = var.configure_ntp_forwarder                      # (optional, default false)
  configure_nfs_server                         = var.configure_nfs_server                         # (optional, default false)
  nfs_server_config                            = var.nfs_server_config                            # (optional, see variables)
  dns_forwarder_config                         = var.dns_forwarder_config                         # (optional, see variables)
  powervs_management_network                   = var.powervs_management_network                   # (optional, see variables)
  powervs_backup_network                       = var.powervs_backup_network                       # (optional, see variables)
  powervs_image_names                          = var.powervs_image_names                          # (optional, see variables)
  tags                                         = var.tags                                         # (optional, default [])
  transit_gateway_global                       = var.transit_gateway_global                       # (optional, default false)
  sm_service_plan                              = var.sm_service_plan                              # (optional, default "standard")
  powervs_custom_images                        = var.powervs_custom_images                        # (optional, default null)
  powervs_custom_image_cos_configuration       = var.powervs_custom_image_cos_configuration       # (optional, default null)
  powervs_custom_image_cos_service_credentials = var.powervs_custom_image_cos_service_credentials # (optional, default null; sensitive)
  existing_sm_instance_guid                    = var.existing_sm_instance_guid                    # (optional, default null)
  existing_sm_instance_region                  = var.existing_sm_instance_region                  # (optional; required when existing_sm_instance_guid is set)
  certificate_template_name                    = var.certificate_template_name                    # (optional, default "my-template")
  network_services_vsi_profile                 = var.network_services_vsi_profile                 # (optional, default "cx2-2x4")
  enable_monitoring                            = var.enable_monitoring                            # (optional, default true)
  existing_monitoring_instance_crn             = var.existing_monitoring_instance_crn             # (optional, default null)
}
```
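The module call above references caller-side variables that it does not declare. The following `variables.tf` is an added example, not part of the module or its repository: it declares the required and secret inputs and attaches `validation` blocks that encode the constraints the inputs table below documents, so a bad value fails at `terraform plan` instead of after resources exist. The regular expressions, the CIDR check, the characters permitted inside the prefix and the use of `TF_VAR_` environment variables are this example's own choices; the optional object-typed inputs are left out because their schemas are not shown on this page.

```hcl
# Caller-side variables.tf for the module call above (added example, not module code).
# The validation blocks encode constraints the module documents for these inputs so a
# bad value fails at `terraform plan`, before anything is created. The regexes, the
# CIDR check and the characters permitted inside the prefix are this example's own
# choices; optional object-typed inputs are omitted because their schemas are not
# shown here.

variable "ibmcloud_api_key" {
  description = "API key for both provider aliases. Pass as TF_VAR_ibmcloud_api_key, never in a committed tfvars file."
  type        = string
  sensitive   = true
}

variable "prefix" {
  description = "Prepended to every resource name: lowercase letter first, letter or digit last, 16 characters or fewer."
  type        = string
  validation {
    # 1 leading letter + up to 14 middle characters + 1 trailing letter/digit = 16 max.
    condition     = can(regex("^[a-z]([a-z0-9-]{0,14}[a-z0-9])?$", var.prefix))
    error_message = "prefix must start with a lowercase letter, end with a lowercase letter or digit, and be at most 16 characters."
  }
}

variable "external_access_ip" {
  description = "Source IP address or CIDR allowed to SSH to the bastion; null only when client_to_site_vpn is used instead."
  type        = string
  default     = null
  validation {
    # A bare address is checked as a /32. cidrhost() errors on anything else; can() turns that error into false.
    condition     = var.external_access_ip == null || can(cidrhost(var.external_access_ip, 0)) || can(cidrhost("${var.external_access_ip}/32", 0))
    error_message = "external_access_ip must be an IP address, a CIDR block, or null."
  }
  validation {
    # This value becomes the SSH allow-list for the whole environment; refuse the open range outright.
    condition     = var.external_access_ip != "0.0.0.0/0"
    error_message = "external_access_ip must not be 0.0.0.0/0."
  }
}

variable "ssh_public_key" {
  description = "OpenSSH-format RSA public key (2048 or 4096 bits) not already registered in the region."
  type        = string
  validation {
    # Format only; HCL cannot read the modulus size. Check that with: ssh-keygen -l -f id_rsa.pub
    condition     = can(regex("^ssh-rsa AAAA[0-9A-Za-z+/]+=*( .*)?$", var.ssh_public_key))
    error_message = "ssh_public_key must be an OpenSSH-format RSA key (starts with 'ssh-rsa AAAA')."
  }
}

variable "ssh_private_key" {
  description = "Private key matching ssh_public_key, used only to run Ansible against the VSIs. Pass as TF_VAR_ssh_private_key."
  type        = string
  sensitive   = true
  validation {
    condition     = can(regex("^-----BEGIN (RSA |OPENSSH )?PRIVATE KEY-----", var.ssh_private_key))
    error_message = "ssh_private_key must be a PEM-encoded RSA or OpenSSH private key."
  }
}

variable "sm_service_plan" {
  description = "Plan for a new Secrets Manager instance; ignored when existing_sm_instance_guid is set."
  type        = string
  default     = "standard"
  validation {
    condition     = contains(["standard", "trial"], var.sm_service_plan)
    error_message = "sm_service_plan must be \"standard\" or \"trial\"."
  }
}

variable "existing_sm_instance_guid" {
  description = "GUID of an existing Secrets Manager instance with a private certificate engine, or null to create one."
  type        = string
  default     = null
}

variable "existing_sm_instance_region" {
  description = "Region of existing_sm_instance_guid; required whenever that GUID is set."
  type        = string
  default     = null
  validation {
    # Referring to another variable inside a validation needs Terraform >= 1.9, which this module already requires.
    condition     = var.existing_sm_instance_guid == null || var.existing_sm_instance_region != null
    error_message = "existing_sm_instance_region is required when existing_sm_instance_guid is set."
  }
}

variable "powervs_custom_image_cos_service_credentials" {
  description = "COS service credential JSON (HMAC enabled) for a private image bucket. Contains secrets, so pass it via TF_VAR_."
  type        = string
  default     = null
  sensitive   = true
}
```

Export the secrets as `TF_VAR_ibmcloud_api_key`, `TF_VAR_ssh_private_key` and `TF_VAR_powervs_custom_image_cos_service_credentials` in the shell that runs `terraform plan` so they never land in a `.tfvars` file. `sensitive = true` only redacts the values from plan and apply output; anything Terraform passes to a provider or resource can still be written to state, so the state backend needs the same access controls as the secrets themselves. The validations check shape, not strength: confirm the RSA key length with `ssh-keygen -l -f` before supplying the key pair.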
Catalog image names to be imported into infrastructure can be found here
Creates VPC Landing Zone | Performs VPC VSI OS Config | Creates PowerVS Infrastructure | Creates PowerVS Instance | Performs PowerVS OS Config |
---|---|---|---|---|
✔️ | ✔️ | ✔️ | N/A | N/A |
Name | Version |
---|---|
terraform | >= 1.9 |
ibm | >= 1.65.0 |
Name | Source | Version |
---|---|---|
client_to_site_vpn | terraform-ibm-modules/client-to-site-vpn/ibm | 2.0.6 |
configure_monitoring_host | ./submodules/ansible | n/a |
configure_network_services | ./submodules/ansible | n/a |
landing_zone | terraform-ibm-modules/landing-zone/ibm//patterns//vsi//module | 6.6.3 |
powervs_workspace | terraform-ibm-modules/powervs-workspace/ibm | 2.4.0 |
private_secret_engine | terraform-ibm-modules/secrets-manager-private-cert-engine/ibm | 1.3.5 |
secrets_manager_group | terraform-ibm-modules/secrets-manager-secret-group/ibm | 1.2.2 |
secrets_manager_private_certificate | terraform-ibm-modules/secrets-manager-private-cert/ibm | 1.3.2 |
vpc_file_share_alb | ./submodules/fileshare-alb | n/a |
Name | Type |
---|---|
ibm_is_vpc_address_prefix.vpn_address_prefix | resource |
ibm_is_vpc_routing_table.transit | resource |
ibm_resource_instance.monitoring_instance | resource |
ibm_resource_instance.secrets_manager | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
certificate_template_name | The name of the certificate template to create for the private_cert secret engine. When `existing_sm_instance_guid` is not null, this must be the name of a template that already exists in that instance's private cert engine. | string | "my-template" | no |
client_to_site_vpn | VPN configuration: the client IP pool and the list of user email IDs allowed to access the environment. If enabled, a Secrets Manager instance is also provisioned and certificates are generated. See the optional parameters to reuse an existing certificate from a Secrets Manager instance. | object({…}) | {…} | no |
configure_dns_forwarder | Specify whether a DNS forwarder will be configured. This lets you use central DNS servers (e.g. IBM Cloud DNS servers) that sit outside the created IBM PowerVS infrastructure. If true, ensure the optional `dns_forwarder_config` variable is set properly. The DNS forwarder is installed on the network-services VSI. | bool | false | no |
configure_nfs_server | Specify whether an NFS server will be configured. This lets you easily share files between PowerVS instances (e.g. SAP installation files). A file storage share and mount target are created in the VPC. If true, ensure the optional `nfs_server_config` variable is set properly. The default size is 200 GB, mounted on the directory specified there on the network-services VSI. | bool | false | no |
configure_ntp_forwarder | Specify whether an NTP forwarder will be configured. This lets you synchronize time between IBM PowerVS instances. The NTP forwarder is installed on the network-services VSI. | bool | false | no |
dns_forwarder_config | Configuration for the DNS forwarder to a DNS service that is not reachable directly from PowerVS. | object({…}) | {…} | no |
enable_monitoring | Specify whether monitoring will be enabled. This includes the creation of an IBM Cloud Monitoring instance and an Intel monitoring VSI to host the services. If you already have a monitoring instance, specify it in the optional parameter `existing_monitoring_instance_crn`. | bool | true | no |
existing_monitoring_instance_crn | CRN of an existing IBM Cloud Monitoring instance to reuse. If null and `enable_monitoring` is true, a new IBM Cloud Monitoring instance is created along with the Intel monitoring VSI. | string | null | no |
existing_sm_instance_guid | GUID of an existing Secrets Manager instance. The instance must have the private certificate engine configured. If not provided, a new instance is provisioned. | string | null | no |
existing_sm_instance_region | Required if a value is passed in `existing_sm_instance_guid`. | string | null | no |
external_access_ip | The source IP address or CIDR allowed to log in over SSH to the environment after deployment. Access to the environment is allowed only from this address, so use a single address or the narrowest CIDR you can. Can be set to null if you use the client-to-site VPN instead. | string | n/a | yes |
network_services_vsi_profile | Compute profile (CPU and memory) of the network-services VSI. Must be one of the supported profiles. See here. | string | "cx2-2x4" | no |
nfs_server_config | Configuration for the NFS server. `size` is in GB, `iops` is the maximum I/O operations per second, `mount_path` is the target mount point in the OS. Set `configure_nfs_server` to false to skip creating the file storage share. | object({…}) | {…} | no |
powervs_backup_network | Name and CIDR of the IBM Cloud PowerVS backup network to create. | object({…}) | {…} | no |
powervs_custom_image_cos_configuration | Cloud Object Storage bucket containing custom PowerVS images. `bucket_name`: string, name of the COS bucket. `bucket_access`: string, one of public or private (private requires `powervs_custom_image_cos_service_credentials`). `bucket_region`: string, COS bucket region. | object({…}) | {…} | no |
powervs_custom_image_cos_service_credentials | Service credentials for the Cloud Object Storage bucket containing the custom PowerVS images. The bucket must have HMAC credentials enabled. Click here for a JSON example of a service credential. | string | null | no |
powervs_custom_images | Optionally import up to three custom images from Cloud Object Storage into the PowerVS workspace. Requires `powervs_custom_image_cos_configuration` to be set. `image_name`: string, must be unique; name of the image inside the PowerVS workspace. `file_name`: string, object key of the image inside the COS bucket. `storage_tier`: string, storage tier the image is stored in after import; supported values: tier0, tier1, tier3, tier5k. `sap_type`: optional string; supported values: null, Hana, Netweaver; use null for a non-SAP image. | object({…}) | {…} | no |
powervs_image_names | List of catalog images to be imported into the cloud account. Supported values can be found here. For custom OS image import, configure the optional parameter `powervs_custom_images`. | list(string) | […] | no |
powervs_management_network | Name and CIDR of the IBM Cloud PowerVS management subnet to create. | object({…}) | {…} | no |
powervs_resource_group_name | Existing IBM Cloud resource group name. | string | n/a | yes |
powervs_zone | IBM Cloud data center location where the IBM PowerVS infrastructure will be created. | string | n/a | yes |
prefix | A unique identifier for resources. Must begin with a lowercase letter and end with a lowercase letter or number. This prefix is prepended to every resource provisioned by this template. Prefixes must be 16 or fewer characters. | string | n/a | yes |
sm_service_plan | The service/pricing plan to use when provisioning a new Secrets Manager instance. Allowed values: standard and trial. Only used if `existing_sm_instance_guid` is null. | string | "standard" | no |
ssh_private_key | Private SSH key (RSA format) used to log in to the Intel VSIs to configure the network management services (Squid, NTP, DNS and Ansible). Must match the public key referenced by `ssh_public_key`. The key is not uploaded or stored. For more information about SSH keys, see SSH keys. | string | n/a | yes |
ssh_public_key | Public SSH key for VSI creation. Must be an RSA key with a key size of either 2048 bits or 4096 bits (recommended). Must be a valid SSH key that does not already exist in the deployment region. | string | n/a | yes |
tags | List of tag names for the IBM Cloud PowerVS workspace. | list(string) | [] | no |
transit_gateway_global | Connect to networks outside the associated region. | bool | false | no |
vpc_intel_images | Stock OS image names for creating the VPC landing zone VSI instances: RHEL (management and network services) and SLES (monitoring). | object({…}) | n/a | yes |
Name | Description |
---|---|
access_host_or_ip | Access host (jump/bastion) for the created PowerVS infrastructure. |
ansible_host_or_ip | Private IP address of the central Ansible node. |
dns_host_or_ip | DNS forwarder host for the created PowerVS infrastructure. |
monitoring_instance | Details of the IBM Cloud Monitoring instance: CRN, location, GUID. |
network_services_config | Complete configuration of the network management services. |
nfs_host_or_ip_path | NFS host and export path for the created PowerVS infrastructure. |
ntp_host_or_ip | NTP host for the created PowerVS infrastructure. |
powervs_backup_subnet | Name, ID and CIDR of the backup private network in the created PowerVS infrastructure. |
powervs_images | Object containing the imported PowerVS image names and image IDs. |
powervs_management_subnet | Name, ID and CIDR of the management private network in the created PowerVS infrastructure. |
powervs_resource_group_name | IBM Cloud resource group where the PowerVS infrastructure is created. |
powervs_ssh_public_key | SSH public key name and value in the created PowerVS infrastructure. |
powervs_workspace_guid | PowerVS infrastructure workspace GUID: the GUID of the resource instance. |
powervs_workspace_id | PowerVS infrastructure workspace ID: the unique identifier of the new resource instance. |
powervs_workspace_name | PowerVS infrastructure workspace name. |
powervs_zone | Zone where the PowerVS infrastructure is created. |
prefix | The prefix associated with all resources. |
proxy_host_or_ip_port | Proxy host:port for the created PowerVS infrastructure. |
resource_group_data | List of resource group data used within the landing zone. |
ssh_public_key | The string value of the SSH public key used when deploying the VPC. |
transit_gateway_global | Whether the transit gateway connects to networks outside the associated region. |
transit_gateway_id | The ID of the transit gateway. |
transit_gateway_name | The name of the transit gateway. |
vpc_data | List of VPC data. |
vpc_names | A list of the names of the VPCs. |
vsi_list | A list of VSIs with name, ID, zone, primary IPv4 address, VPC name, and floating IP. |
vsi_names | A list of the VSI names provisioned within the VPCs. |