This template allows a user to create a landing zone.

Name | Type | Description | Sensitive | Default |
---|---|---|---|---|
ibmcloud_api_key | string | The IBM Cloud platform API key needed to deploy IAM enabled resources. | true | |
TF_VERSION | string | The version of the Terraform engine that's used in the Schematics workspace. | | 1.0 |
prefix | string | A unique identifier for resources. Must begin with a letter and end with a letter or number. This prefix will be prepended to any resources provisioned by this template. Prefixes must be 16 or fewer characters. | | |
ssh_public_key | string | Public SSH Key for VSI creation. | | |
region | string | Region where VPC will be created. To find your VPC region, use the `ibmcloud is regions` command to find available regions. | | |
tags | list(string) | List of tags to apply to resources created by this module. | | [] |
network_cidr | string | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | | 10.0.0.0/8 |
add_edge_vpc | bool | Create an edge VPC. This VPC will be dynamically added to the list of VPCs in `var.vpcs`. | | false |
create_f5_network_on_management_vpc | bool | Set up bastion on management VPC. This value conflicts with `add_edge_vpc`. | | false |
f5_image_name | string | Image name for F5 BIG-IP deployments. Must be null or one of `f5-bigip-15-1-5-1-0-0-14-all-1slot`, `f5-bigip-15-1-5-1-0-0-14-ltm-1slot`, `f5-bigip-16-1-2-2-0-0-28-ltm-1slot`, `f5-bigip-16-1-2-2-0-0-28-all-1slot`. | | null |
f5_instance_profile | string | F5 VSI instance profile. Use the IBM Cloud CLI command `ibmcloud is instance-profiles` to see available image profiles. | | |
hostname | string | The F5 BIG-IP hostname. | | f5-ve-01 |
domain | string | The F5 BIG-IP domain name. | | local |
default_route_interface | string | The F5 BIG-IP interface name for the default route. Leave null to auto assign. | | null |
tmos_admin_password | string | Admin account password for the F5 BIG-IP instance. | | null |
license_type | string | License, may be 'none', 'byol', 'regkeypool', 'utilitypool'. | | |
byol_license_basekey | string | Bring your own license registration key for the F5 BIG-IP instance. | | null |
license_host | string | The F5 BIG-IP or hostname to use for pool based licensing of the F5 BIG-IP instance. | | null |
license_username | string | The F5 BIG-IP USERNAME to use for the pool based licensing of the F5 BIG-IP instance. | | null |
license_password | string | The F5 BIG-IP PASSWORD to use for the pool based licensing of the F5 BIG-IP instance. | | null |
license_pool | string | The F5 BIG-IP license pool name of the pool based licensing of the F5 BIG-IP instance. | | null |
license_sku_keyword_1 | string | The F5 BIG-IP primary SKU for ELA utility licensing of the F5 BIG-IP instance. | | null |
license_sku_keyword_2 | string | The F5 BIG-IP secondary SKU for ELA utility licensing of the F5 BIG-IP instance. | | null |
license_unit_of_measure | string | The F5 BIG-IP utility pool unit of measurement. | | hourly |
do_declaration_url | string | URL to fetch the f5-declarative-onboarding declaration. | | null |
as3_declaration_url | string | URL to fetch the f5-appsvcs-extension declaration. | | null |
ts_declaration_url | string | URL to fetch the f5-telemetry-streaming declaration. | | null |
phone_home_url | string | The URL to POST status when the F5 BIG-IP is finished onboarding. | | null |
template_source | string | The terraform template source for phone_home_url_metadata. | | f5devcentral/ibmcloud_schematics_bigip_multinic_declared |
template_version | string | The terraform template version for phone_home_url_metadata. | | 20210201 |
app_id | string | The terraform application id for phone_home_url_metadata. | | null |
tgactive_url | string | The URL to POST L3 addresses when tgactive is triggered. | | "" |
tgstandby_url | string | The URL to POST L3 addresses when tgstandby is triggered. | | null |
tgrefresh_url | string | The URL to POST L3 addresses when tgrefresh is triggered. | | null |
enable_f5_management_fip | bool | Enable F5 management interface floating IP. Conflicts with `enable_f5_external_fip`; a VSI can only have one floating IP per instance. | | false |
enable_f5_external_fip | bool | Enable F5 external interface floating IP. Conflicts with `enable_f5_management_fip`; a VSI can only have one floating IP per instance. | | false |
vpn_firewall_type | string | Bastion type if provisioning bastion. Can be `full-tunnel`, `waf`, or `vpn-and-waf`. | | null |
vpcs | list(string) | List of VPCs to create. The first VPC in this list will always be considered the management VPC, and will be where the VPN Gateway is connected. VPC names can only be a maximum of 16 characters and can only contain letters, numbers, and - characters. VPC names must begin with a letter. | | ["management", "workload"] |
enable_transit_gateway | bool | Create transit gateway. | | true |
add_atracker_route | bool | Atracker can only have one route per zone. Use this value to disable or enable the creation of the atracker route. | | true |
hs_crypto_instance_name | string | Optionally, you can bring your own Hyper Protect Crypto Service instance for key management. If you would like to use that instance, add the name here. Otherwise, leave as null. | | null |
hs_crypto_resource_group | string | If you're using Hyper Protect Crypto services in a resource group, provide the name here. | | null |
vsi_image_name | string | VSI image name. Use the IBM Cloud CLI command `ibmcloud is images` to see available images. | | ibm-ubuntu-18-04-6-minimal-amd64-2 |
vsi_instance_profile | string | VSI image profile. Use the IBM Cloud CLI command `ibmcloud is instance-profiles` to see available image profiles. | | cx2-4x8 |
vsi_per_subnet | number | Number of Virtual Servers to create on each VSI subnet. | | 1 |
cluster_zones | number | Number of zones to provision clusters for each VPC. At least one zone is required. Can be 1, 2, or 3 zones. | | 3 |
kube_version | string | Kubernetes version to use for cluster. To get available versions, use the IBM Cloud CLI command `ibmcloud ks versions`. To use the default version, leave as default. Updates to the default versions may force this to change. | | default |
flavor | string | Machine type for cluster. Use the IBM Cloud CLI command `ibmcloud ks flavors` to find valid machine types. | | bx2.16x64 |
workers_per_zone | number | Number of workers in each zone of the cluster. OpenShift requires at least 2 workers. | | 2 |
entitlement | string | If you do not have an entitlement, leave as null. Entitlement reduces additional OCP Licence cost in OpenShift clusters. Use Cloud Pak with OCP Licence entitlement to create the OpenShift cluster. Note: it is set only when the cluster is first created; further modifications are not impacted. Set this argument to `cloud_pak` only if you use the cluster with a Cloud Pak that has an OpenShift entitlement. | | null |
wait_till | string | To avoid long wait times when you run your Terraform code, you can specify the stage when you want Terraform to mark the cluster resource creation as completed. Depending on what stage you choose, the cluster creation might not be fully completed and continues to run in the background. However, your Terraform code can continue to run without waiting for the cluster to be fully created. Supported args are `MasterNodeReady`, `OneWorkerNodeReady`, and `IngressReady`. | | IngressReady |
update_all_workers | bool | Update all workers to new kube version. | | false |
teleport_management_zones | number | Number of zones to create teleport VSI on Management VPC if not using F5. If you are using F5, ignore this value. | | 0 |
use_existing_appid | bool | Use an existing appid instance. If this is false, one will be automatically created. | | false |
appid_name | string | Name of appid instance. | | appid |
appid_resource_group | string | Resource group for existing appid instance. This value is ignored if a new instance is created. | | null |
teleport_instance_profile | string | Machine type for Teleport VSI instances. Use the IBM Cloud CLI command `ibmcloud is instance-profiles` to see available image profiles. | | cx2-4x8 |
teleport_vsi_image_name | string | Teleport VSI image name. Use the IBM Cloud CLI command `ibmcloud is images` to see available images. | | ibm-ubuntu-18-04-6-minimal-amd64-2 |
teleport_license | string | The contents of the PEM license file. | | null |
https_cert | string | The https certificate used by bastion host for teleport. | | null |
https_key | string | The https private key used by bastion host for teleport. | | null |
teleport_hostname | string | The name of the instance or bastion host. | | null |
teleport_domain | string | The domain of the bastion host. | | null |
teleport_version | string | Version of Teleport Enterprise to use. | | null |
message_of_the_day | string | Banner message that is exposed to the user at authentication time. | | null |
teleport_admin_email | string | Email for teleport VSI admin. | | null |
add_edge_vpc | bool | Create an edge VPC. This VPC will be dynamically added to the list of VPCs in `var.vpcs`. Conflicts with `create_f5_network_on_management_vpc` to prevent overlapping subnet CIDR blocks. | | false |
provision_teleport_in_f5 | bool | Provision teleport VSI in bastion subnet tier of F5 network if able. | | false |
enable_scc | bool | Create SCC resources. | | false |
scc_cred_name | string | SCC Credential Name | | slz-cred |
scc_group_id | string | SCC Credential Group ID, used to group credentials together. | | null |
scc_group_passphrase | string | Managed by IBM by default for an account. Provide the passphrase if the account being scanned has enabled a passphrase; otherwise provide an arbitrary passphrase. | true | null |
scc_cred_description | string | SCC Credential Description | | This credential is used for SCC. |
scc_collector_description | string | SCC Collector Description | | collector description |
scc_scope_description | string | SCC Scope Description | | IBM-schema-for-configuration-collection |
scc_scope_name | string | SCC Scope Name | | scope |
override | bool | Override default values with custom JSON template. This uses the file `override.json` to allow users to create a fully customized environment. | | false |
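
Several rows above state constraints that are cheap to check before a workspace plan is run: name formats, allowed values, and pairs of flags documented as conflicting. The following pre-flight check is an added example, not code from the landing zone project; `check_inputs`, the dict-of-variables input and the characters allowed inside `prefix` are assumptions.

```python
import ipaddress
import re

# Allowed values copied from the variable descriptions in the table above.
ENUMS = {
    "license_type": {"none", "byol", "regkeypool", "utilitypool"},
    "vpn_firewall_type": {None, "full-tunnel", "waf", "vpn-and-waf"},
    "wait_till": {"MasterNodeReady", "OneWorkerNodeReady", "IngressReady"},
    "f5_image_name": {
        None,
        "f5-bigip-15-1-5-1-0-0-14-all-1slot", "f5-bigip-15-1-5-1-0-0-14-ltm-1slot",
        "f5-bigip-16-1-2-2-0-0-28-ltm-1slot", "f5-bigip-16-1-2-2-0-0-28-all-1slot",
    },
}
# Each pair is documented as mutually exclusive.
CONFLICTS = [
    ("add_edge_vpc", "create_f5_network_on_management_vpc"),
    ("enable_f5_management_fip", "enable_f5_external_fip"),
]
# Assumption: '-' is allowed inside a prefix; the table only fixes first and last characters.
PREFIX_RE = re.compile(r"[A-Za-z]([A-Za-z0-9-]*[A-Za-z0-9])?")
VPC_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def check_inputs(v):
    """Return the names of violated rules for a dict of template variables."""
    errs = []
    prefix = v.get("prefix", "")
    if len(prefix) > 16 or not PREFIX_RE.fullmatch(prefix):
        errs.append("prefix")
    for name in v.get("vpcs", ["management", "workload"]):
        if len(name) > 16 or not VPC_RE.fullmatch(name):
            errs.append(f"vpcs:{name}")
    for key, allowed in ENUMS.items():
        if key in v and v[key] not in allowed:
            errs.append(key)
    for a, b in CONFLICTS:
        if v.get(a) and v.get(b):
            errs.append(f"{a}+{b}")
    if v.get("cluster_zones", 3) not in (1, 2, 3):
        errs.append("cluster_zones")
    try:
        ipaddress.ip_network(v.get("network_cidr", "10.0.0.0/8"))
    except ValueError:
        errs.append("network_cidr")
    return errs


if __name__ == "__main__":
    # Constructed sample input: both floating-IP flags set, which the table says conflict.
    sample = {"prefix": "slz-demo1", "enable_f5_management_fip": True,
              "enable_f5_external_fip": True}
    print(check_inputs(sample))
```
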
To create a fully customized environment based on the starting template, users can use `override.json` by setting the template `override` variable to `true`.

By using the variable definitions found in our landing zone module, any number and custom configuration of VPC components, VSI workloads, and clusters can be created. Currently `override.json` is set to contain the default environment configuration.

This module outputs `config`, a JSON-encoded definition of your environment based on the defaults for Landing Zone and any variables changed using `override.json`. By using this output, it's easy to configure multiple additional workloads, VPCs, or subnets in existing VPCs to the default environment.

`override.json` does not need to contain all elements. As an example, `override.json` could be:

```json
{
  "enable_transit_gateway": false
}
```

In this use case, each other value would be the default configuration, just with a transit gateway disabled. This allows users to change just the values needed.