feat: initial module release (#5)

Author: akocbek

.github/CODEOWNERS

@@ -1,2 +1,2 @@
 # Primary owner should be listed first in list of global owners, followed by any secondary owners
-*       @SirSpidey @ocofaigh
+*       @akocbek @shemau

.github/settings.yml

@@ -15,14 +15,9 @@ repository:
   # By changing this field, you rename the repository.
 
   # Uncomment this name property and set the name to the current repo name.
-  # name: ""
+  name: terraform-ibm-code-engine
 
-  # The description is displayed under the repository name on the
-  # organization page and in the 'About' section of the repository.
-
-  # Uncomment this description property
-  # and update the description to the current repo description.
-  # description: ""
+  description: "Creates IBM Cloud Code Engine resources."
 
   # Use a comma-separated list of topics to set on the repo (ensure not to use any caps in the topic string).
-  topics: terraform, ibm-cloud, terraform-module
+  topics: terraform, ibm-cloud, terraform-module, code-engine, core-team, stable, supported

README.md

@@ -1,9 +1,12 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "examples/complete" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
+  - CRA_TARGET: "examples/apps" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
     PROFILE_ID: "0e6e7b5a-817d-4344-ab6f-e5d7a9c49520" # SCC profile ID (currently set to the FSCloud 1.4.0 profile).
+    CRA_ENVIRONMENT_VARIABLES:
+      TF_VAR_acme_letsencrypt_private_key: "DUMMY VALUE FOR CRA"
+      TF_VAR_cis_id: "crn:v1:bluemix:public:internet-svcs:global:a/abac0df06b644a9cabc6e44f55b3880e:59aa1a88-ac47-45e4-bd96-2bc778d26ca7::"
     # SCC_INSTANCE_ID: "" # The SCC instance ID to use to download profile for CRA scan. If not provided, a default global value will be used.
     # SCC_REGION: "" # The IBM Cloud region that the SCC instance is in. If not provided, a default global value will be used.
     # CRA_ENVIRONMENT_VARIABLES:  # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.

common-dev-assets

@@ -1,3 +1,22 @@
 {
-    "scc_rules": []
+    "scc_rules": [
+        {
+            "scc_rule_id": "rule-4d86c074-097e-4ff3-a763-ccff128388e2",
+            "description": "Check whether multifactor authentication (MFA) is enabled at the account level",
+            "ignore_reason": "In order for this rule to pass, multifactor authentication (MFA) is enabled at the account level (tracking in https://github.ibm.com/workload-eng-services/HPCCluster/issues/3422).",
+            "is_valid": true
+        },
+        {
+            "scc_rule_id": "rule-0704e840-e443-4781-b9be-ec57469d09c1",
+            "description": "Check whether permissions for API key creation are limited and configured in IAM settings for the account owner",
+            "ignore_reason": "Need more exploration (tracking in https://github.ibm.com/workload-eng-services/HPCCluster/issues/3422).",
+            "is_valid": true
+        },
+        {
+            "scc_rule_id": "rule-0244c010-fde6-4db3-95aa-8952bd292ac3",
+            "description": "Check whether permissions for service ID creation are limited and configured in IAM settings for the account owner",
+            "ignore_reason": "Need more exploration (tracking in https://github.ibm.com/workload-eng-services/HPCCluster/issues/3422).",
+            "is_valid": true
+        }
+    ]
 }

cra-config.yaml

@@ -0,0 +1,10 @@
+# Apps example
+
+An end-to-end apps example that will provision the following:
+- A new resource group if one is not passed in.
+- Code Engine project
+- Code Engine App
+- Code Engine Config Map
+- Code Engine TLS Secret
+- Code Engine Domain Mapping
+- Secrets Manager Resources (Public Engine, Group, Public Certificate)

cra-tf-validate-ignore-rules.json

@@ -0,0 +1,155 @@
+########################################################################################################################
+# Resource group
+########################################################################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.5"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+########################################################################################################################
+# Secrets Manager resources
+########################################################################################################################
+
+locals {
+  sm_guid   = var.existing_sm_instance_guid == null ? ibm_resource_instance.secrets_manager[0].guid : var.existing_sm_instance_guid
+  sm_region = var.existing_sm_instance_region == null ? var.region : var.existing_sm_instance_region
+
+  # Certificate issuance is rate limited by domain, by default pick different domains to avoid rate limits during testing
+  cert_common_name = var.existing_cert_common_name == null ? "${var.prefix}.goldeneye.dev.cloud.ibm.com" : var.existing_cert_common_name
+  cert_secret_id   = var.existing_cert_secret_id == null ? resource.ibm_sm_public_certificate.secrets_manager_public_certificate[0].secret_id : var.existing_cert_secret_id
+
+}
+
+# Create a new SM instance if not using an existing one
+resource "ibm_resource_instance" "secrets_manager" {
+  count             = var.existing_sm_instance_guid == null ? 1 : 0
+  name              = "${var.prefix}-sm-instance"
+  service           = "secrets-manager"
+  plan              = var.sm_service_plan
+  location          = local.sm_region
+  resource_group_id = module.resource_group.resource_group_id
+  timeouts {
+    create = "20m" # Extending provisioning time to 20 minutes
+  }
+  provider = ibm.ibm-sm
+}
+
+# Configure public cert engine if provisioning a new SM instance
+module "secrets_manager_public_cert_engine" {
+  depends_on = [ibm_resource_instance.secrets_manager]
+  count      = var.existing_sm_instance_guid == null ? 1 : 0
+  source     = "terraform-ibm-modules/secrets-manager-public-cert-engine/ibm"
+  version    = "1.0.0"
+  providers = {
+    ibm              = ibm.ibm-sm
+    ibm.secret-store = ibm.ibm-sm
+  }
+  secrets_manager_guid                      = local.sm_guid
+  region                                    = local.sm_region
+  internet_services_crn                     = var.cis_id
+  dns_config_name                           = var.dns_provider_name
+  ca_config_name                            = var.ca_name
+  acme_letsencrypt_private_key              = var.acme_letsencrypt_private_key
+  private_key_secrets_manager_instance_guid = var.private_key_secrets_manager_instance_guid
+  private_key_secrets_manager_secret_id     = var.private_key_secrets_manager_secret_id
+  private_key_secrets_manager_region        = var.private_key_secrets_manager_region
+}
+
+# Create a secret group to place the certificate in
+module "secrets_manager_group" {
+  count                    = var.existing_cert_secret_id == null ? 1 : 0
+  source                   = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
+  version                  = "1.1.4"
+  region                   = local.sm_region
+  secrets_manager_guid     = local.sm_guid
+  secret_group_name        = "${var.prefix}-certificates-secret-group"
+  secret_group_description = "secret group used for private certificates"
+  providers = {
+    ibm = ibm.ibm-sm
+  }
+}
+
+resource "ibm_sm_public_certificate" "secrets_manager_public_certificate" {
+  depends_on = [module.secrets_manager_public_cert_engine]
+  count      = var.existing_cert_secret_id == null ? 1 : 0
+
+  instance_id     = local.sm_guid
+  region          = local.sm_region
+  name            = local.cert_common_name
+  description     = "Certificate for ${local.cert_common_name} domain"
+  ca              = var.ca_name
+  dns             = var.dns_provider_name
+  common_name     = local.cert_common_name
+  secret_group_id = module.secrets_manager_group[0].secret_group_id
+  rotation {
+    auto_rotate = true
+  }
+}
+
+data "ibm_sm_public_certificate" "public_certificate" {
+  depends_on  = [resource.ibm_sm_public_certificate.secrets_manager_public_certificate]
+  instance_id = local.sm_guid
+  region      = local.sm_region
+  secret_id   = local.cert_secret_id
+}
+
+########################################################################################################################
+# Code Engine instance
+########################################################################################################################
+
+module "code_engine" {
+  depends_on        = [resource.ibm_sm_public_certificate.secrets_manager_public_certificate]
+  source            = "../.."
+  resource_group_id = module.resource_group.resource_group_id
+  project_name      = "${var.prefix}-project"
+  apps = {
+    "${var.prefix}-app" = {
+      image_reference = "icr.io/codeengine/helloworld"
+      run_env_variables = [{
+        type  = "literal"
+        name  = "name_1"
+        value = "value_1"
+        },
+        {
+          type  = "literal"
+          name  = "name_2"
+          value = "value_2"
+      }]
+      scale_cpu_limit               = "4",
+      scale_memory_limit            = "32G"
+      scale_ephemeral_storage_limit = "300M"
+      managed_domain_mappings       = "local_private"
+    }
+    "${var.prefix}-app2" = {
+      image_reference = "icr.io/codeengine/helloworld"
+    }
+  }
+  config_maps = {
+    "${var.prefix}-cm" = {
+      data = { "key_1" : "value_1", "key_2" : "value_2" }
+    }
+  }
+  secrets = {
+    "${var.prefix}-tls" = {
+      format = "tls"
+      data = {
+        "tls_cert" = format("%s%s", data.ibm_sm_public_certificate.public_certificate.certificate, data.ibm_sm_public_certificate.public_certificate.intermediate)
+        "tls_key"  = data.ibm_sm_public_certificate.public_certificate.private_key
+      }
+    }
+  }
+  domain_mappings = {
+    # tflint-ignore: terraform_deprecated_interpolation
+    "${local.cert_common_name}" = {
+      components = [{
+        name          = "${var.prefix}-app"
+        resource_type = "app_v2"
+      }]
+      tls_secret = "${var.prefix}-tls"
+    }
+  }
+}

examples/apps/README.md

@@ -0,0 +1,28 @@
+########################################################################################################################
+# Outputs
+########################################################################################################################
+
+output "project_id" {
+  description = "ID of the created code engine project."
+  value       = module.code_engine.project_id
+}
+
+output "app" {
+  description = "Configuration of the created code engine app."
+  value       = module.code_engine.app
+}
+
+output "config_map" {
+  description = "Configuration of the created code engine config map."
+  value       = module.code_engine.config_map
+}
+
+output "secret" {
+  description = "Configuration of the created code engine secret."
+  value       = module.code_engine.secret
+}
+
+output "domain_mapping" {
+  description = "Configuration of the created code engine domain maping."
+  value       = module.code_engine.domain_mapping
+}

examples/apps/main.tf

@@ -0,0 +1,14 @@
+########################################################################################################################
+# Provider config
+########################################################################################################################
+
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}
+
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.existing_sm_instance_region == null ? var.region : var.existing_sm_instance_region
+  alias            = "ibm-sm"
+}

examples/apps/outputs.tf

@@ -0,0 +1,104 @@
+########################################################################################################################
+# Input variables
+########################################################################################################################
+
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API Key"
+  sensitive   = true
+}
+
+variable "region" {
+  type        = string
+  description = "Region to provision all resources created by this example"
+  default     = "us-south"
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix to append to all resources created by this example"
+  default     = "ce-apps"
+}
+
+variable "resource_group" {
+  type        = string
+  description = "The name of an existing resource group to provision resources in to. If not set a new resource group will be created using the prefix variable"
+  default     = null
+}
+
+##############################################################
+# Secret Manager
+##############################################################
+
+variable "sm_service_plan" {
+  type        = string
+  description = "The service/pricing plan to use when provisioning a new Secrets Manager instance. Allowed values: `standard` and `trial`. Only used if `provision_sm_instance` is set to true."
+  default     = "standard"
+}
+
+variable "existing_sm_instance_guid" {
+  type        = string
+  description = "An existing Secrets Manager GUID. The existing Secret Manager instance must have private certificate engine configured. If not provided an new instance will be provisioned."
+  default     = null
+}
+
+variable "existing_sm_instance_region" {
+  type        = string
+  description = "Required if value is passed into `var.existing_sm_instance_guid`."
+  default     = null
+}
+
+variable "existing_cert_common_name" {
+  type        = string
+  description = "Required if value is passed into `var.existing_sm_instance_guid`."
+  default     = null
+}
+
+variable "existing_cert_secret_id" {
+  type        = string
+  description = "Required if value is passed into `var.existing_sm_instance_guid`."
+  default     = null
+}
+
+variable "cis_id" {
+  type        = string
+  description = "Cloud Internet Service ID"
+  default     = null
+}
+
+variable "dns_provider_name" {
+  type        = string
+  description = "Secret Managers DNS provider name"
+  default     = "certificate-dns"
+}
+
+variable "private_key_secrets_manager_instance_guid" {
+  type        = string
+  description = "The Secrets Manager instance GUID of the Secrets Manager containing your ACME private key. Required if acme_letsencrypt_private_key is not set."
+  default     = null
+}
+
+variable "private_key_secrets_manager_secret_id" {
+  type        = string
+  description = "The secret ID of your ACME private key. Required if acme_letsencrypt_private_key is not set. If both are set, this value will be used as the private key."
+  default     = null
+}
+
+variable "private_key_secrets_manager_region" {
+  type        = string
+  description = "The region of the Secrets Manager instance containing your ACME private key. (Only needed if different from the region variable)"
+  default     = "us-south"
+}
+
+variable "ca_name" {
+  type        = string
+  description = "Secret Managers certificate authority name"
+  default     = "certificate-ca"
+}
+
+variable "acme_letsencrypt_private_key" {
+  type        = string
+  description = "Lets Encrypt private key for certificate authority. If not provided, all created public certs will be immediately deactivated."
+  default     = null
+  sensitive   = true
+}

examples/apps/provider.tf

@@ -0,0 +1,10 @@
+
+terraform {
+  required_version = ">= 1.3.0, <1.7.0"
+  required_providers {
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = "1.63.0"
+    }
+  }
+}