Landing Zone Mixed Pattern

This template allows a user to create a landing zone.

Module Variables

| Name | Type | Description | Sensitive | Default |
|---|---|---|---|---|
| ibmcloud_api_key | string | The IBM Cloud platform API key needed to deploy IAM enabled resources. | true | |
| TF_VERSION | string | The version of the Terraform engine that's used in the Schematics workspace. | | 1.0 |
| prefix | string | A unique identifier for resources. Must begin with a letter and end with a letter or number. This prefix will be prepended to any resources provisioned by this template. Prefixes must be 16 or fewer characters. | | |
| ssh_public_key | string | Public SSH Key for VSI creation. | | |
| region | string | Region where VPC will be created. To find your VPC region, use the `ibmcloud is regions` command to list available regions. | | |
| tags | list(string) | List of tags to apply to resources created by this module. | | [] |
| network_cidr | string | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | | 10.0.0.0/8 |
| add_edge_vpc | bool | Create an edge VPC. This VPC will be dynamically added to the list of VPCs in var.vpcs. Conflicts with create_f5_network_on_management_vpc to prevent overlapping subnet CIDR blocks. | | false |
| create_f5_network_on_management_vpc | bool | Set up bastion on management VPC. This value conflicts with add_edge_vpc. | | false |
| f5_image_name | string | Image name for F5 BIG-IP deployments. Must be null or one of f5-bigip-15-1-5-1-0-0-14-all-1slot, f5-bigip-15-1-5-1-0-0-14-ltm-1slot, f5-bigip-16-1-2-2-0-0-28-ltm-1slot, f5-bigip-16-1-2-2-0-0-28-all-1slot. | | null |
| f5_instance_profile | string | F5 VSI instance profile. Use the IBM Cloud CLI command `ibmcloud is instance-profiles` to see available image profiles. | | |
| hostname | string | The F5 BIG-IP hostname. | | f5-ve-01 |
| domain | string | The F5 BIG-IP domain name. | | local |
| default_route_interface | string | The F5 BIG-IP interface name for the default route. Leave null to auto assign. | | null |
| tmos_admin_password | string | Admin account password for the F5 BIG-IP instance. | | null |
| license_type | string | License, may be 'none', 'byol', 'regkeypool', 'utilitypool'. | | |
| byol_license_basekey | string | Bring your own license registration key for the F5 BIG-IP instance. | | null |
| license_host | string | The F5 BIG-IP or hostname to use for pool based licensing of the F5 BIG-IP instance. | | null |
| license_username | string | The F5 BIG-IP USERNAME to use for the pool based licensing of the F5 BIG-IP instance. | | null |
| license_password | string | The F5 BIG-IP PASSWORD to use for the pool based licensing of the F5 BIG-IP instance. | | null |
| license_pool | string | The F5 BIG-IP license pool name of the pool based licensing of the F5 BIG-IP instance. | | null |
| license_sku_keyword_1 | string | The F5 BIG-IP primary SKU for ELA utility licensing of the F5 BIG-IP instance. | | null |
| license_sku_keyword_2 | string | The F5 BIG-IP secondary SKU for ELA utility licensing of the F5 BIG-IP instance. | | null |
| license_unit_of_measure | string | The F5 BIG-IP utility pool unit of measurement. | | hourly |
| do_declaration_url | string | URL to fetch the f5-declarative-onboarding declaration. | | null |
| as3_declaration_url | string | URL to fetch the f5-appsvcs-extension declaration. | | null |
| ts_declaration_url | string | URL to fetch the f5-telemetry-streaming declaration. | | null |
| phone_home_url | string | The URL to POST status when the F5 BIG-IP is finished onboarding. | | null |
| template_source | string | The terraform template source for phone_home_url_metadata. | | f5devcentral/ibmcloud_schematics_bigip_multinic_declared |
| template_version | string | The terraform template version for phone_home_url_metadata. | | 20210201 |
| app_id | string | The terraform application id for phone_home_url_metadata. | | null |
| tgactive_url | string | The URL to POST L3 addresses when tgactive is triggered. | | "" |
| tgstandby_url | string | The URL to POST L3 addresses when tgstandby is triggered. | | null |
| tgrefresh_url | string | The URL to POST L3 addresses when tgrefresh is triggered. | | null |
| enable_f5_management_fip | bool | Enable F5 management interface floating IP. Conflicts with enable_f5_external_fip; a VSI can only have one floating IP per instance. | | false |
| enable_f5_external_fip | bool | Enable F5 external interface floating IP. Conflicts with enable_f5_management_fip; a VSI can only have one floating IP per instance. | | false |
| vpn_firewall_type | string | Bastion type if provisioning bastion. Can be full-tunnel, waf, or vpn-and-waf. | | null |
| vpcs | list(string) | List of VPCs to create. The first VPC in this list will always be considered the management VPC, and will be where the VPN Gateway is connected. VPC names can only be a maximum of 16 characters and can only contain letters, numbers, and - characters. VPC names must begin with a letter. | | ["management", "workload"] |
| enable_transit_gateway | bool | Create transit gateway. | | true |
| add_atracker_route | bool | Atracker can only have one route per zone. Use this value to disable or enable the creation of the atracker route. | | true |
| hs_crypto_instance_name | string | Optionally, you can bring your own Hyper Protect Crypto Service instance for key management. If you would like to use that instance, add the name here. Otherwise, leave as null. | | null |
| hs_crypto_resource_group | string | If you're using Hyper Protect Crypto services in a resource group, provide the name here. | | null |
| vsi_image_name | string | VSI image name. Use the IBM Cloud CLI command `ibmcloud is images` to see available images. | | ibm-ubuntu-18-04-6-minimal-amd64-2 |
| vsi_instance_profile | string | VSI image profile. Use the IBM Cloud CLI command `ibmcloud is instance-profiles` to see available image profiles. | | cx2-4x8 |
| vsi_per_subnet | number | Number of Virtual Servers to create on each VSI subnet. | | 1 |
| cluster_zones | number | Number of zones to provision clusters for each VPC. At least one zone is required. Can be 1, 2, or 3 zones. | | 3 |
| kube_version | string | Kubernetes version to use for cluster. To get available versions, use the IBM Cloud CLI command `ibmcloud ks versions`. To use the default version, leave as default. Updates to the default versions may force this to change. | | default |
| flavor | string | Machine type for cluster. Use the IBM Cloud CLI command `ibmcloud ks flavors` to find valid machine types. | | bx2.16x64 |
| workers_per_zone | number | Number of workers in each zone of the cluster. OpenShift requires at least 2 workers. | | 2 |
| entitlement | string | If you do not have an entitlement, leave as null. Entitlement reduces additional OCP Licence cost in OpenShift clusters. Use Cloud Pak with OCP Licence entitlement to create the OpenShift cluster. Note: it is set only at the first creation of the cluster; further modifications are not impacted. Set this argument to cloud_pak only if you use the cluster with a Cloud Pak that has an OpenShift entitlement. | | null |
| wait_till | string | To avoid long wait times when you run your Terraform code, you can specify the stage when you want Terraform to mark the cluster resource creation as completed. Depending on what stage you choose, the cluster creation might not be fully completed and continues to run in the background. However, your Terraform code can continue to run without waiting for the cluster to be fully created. Supported args are MasterNodeReady, OneWorkerNodeReady, and IngressReady. | | IngressReady |
| update_all_workers | bool | Update all workers to new kube version. | | false |
| teleport_management_zones | number | Number of zones to create teleport VSI on Management VPC if not using F5. If you are using F5, ignore this value. | | 0 |
| use_existing_appid | bool | Use an existing appid instance. If this is false, one will be automatically created. | | false |
| appid_name | string | Name of appid instance. | | appid |
| appid_resource_group | string | Resource group for existing appid instance. This value is ignored if a new instance is created. | | null |
| teleport_instance_profile | string | Machine type for Teleport VSI instances. Use the IBM Cloud CLI command `ibmcloud is instance-profiles` to see available image profiles. | | cx2-4x8 |
| teleport_vsi_image_name | string | Teleport VSI image name. Use the IBM Cloud CLI command `ibmcloud is images` to see available images. | | ibm-ubuntu-18-04-6-minimal-amd64-2 |
| teleport_license | string | The contents of the PEM license file. | | null |
| https_cert | string | The https certificate used by bastion host for teleport. | | null |
| https_key | string | The https private key used by bastion host for teleport. | | null |
| teleport_hostname | string | The name of the instance or bastion host. | | null |
| teleport_domain | string | The domain of the bastion host. | | null |
| teleport_version | string | Version of Teleport Enterprise to use. | | null |
| message_of_the_day | string | Banner message that is exposed to the user at authentication time. | | null |
| teleport_admin_email | string | Email for teleport VSI admin. | | null |
| provision_teleport_in_f5 | bool | Provision teleport VSI in bastion subnet tier of F5 network if able. | | false |
| enable_scc | bool | Create SCC resources. | | false |
| scc_cred_name | string | SCC Credential Name | | slz-cred |
| scc_group_id | string | SCC Credential Group ID, used to group credentials together. | | null |
| scc_group_passphrase | string | Managed by IBM by default for an account. Provide the passphrase if the account being scanned has enabled a passphrase; otherwise provide an arbitrary passphrase. | true | null |
| scc_cred_description | string | SCC Credential Description | | This credential is used for SCC. |
| scc_collector_description | string | SCC Collector Description | | collector description |
| scc_scope_description | string | SCC Scope Description | | IBM-schema-for-configuration-collection |
| scc_scope_name | string | SCC Scope Name | | scope |
| override | bool | Override default values with custom JSON template. This uses the file override.json to allow users to create a fully customized environment. | | false |
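
A pre-flight check for the naming rules, allowed values and conflicting flags stated in the variable table, as an added example that is not part of the landing zone project. The function name `check_variables` and the sample values are hypothetical, and only rules written in the table are enforced.

```python
import re

# Rules below are taken from the descriptions in the Module Variables table.
PREFIX_RE = re.compile(r"[A-Za-z](.*[A-Za-z0-9])?")   # letter first, letter/number last
VPC_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{0,15}")  # max 16 chars, letters/numbers/-
ALLOWED = {
    "vpn_firewall_type": {None, "full-tunnel", "waf", "vpn-and-waf"},
    "license_type": {"none", "byol", "regkeypool", "utilitypool"},
    "wait_till": {"MasterNodeReady", "OneWorkerNodeReady", "IngressReady"},
    "cluster_zones": {1, 2, 3},
}
CONFLICTS = [
    ("add_edge_vpc", "create_f5_network_on_management_vpc"),
    ("enable_f5_management_fip", "enable_f5_external_fip"),
]

def check_variables(values):
    """Return a list of problems found in a dict of variable values."""
    problems = []
    prefix = values.get("prefix")
    if prefix is not None and (len(prefix) > 16 or not PREFIX_RE.fullmatch(prefix)):
        problems.append(f"prefix: {prefix!r} breaks the naming rule")
    for name in values.get("vpcs", []):
        if not VPC_NAME_RE.fullmatch(name):
            problems.append(f"vpcs: {name!r} is not a valid VPC name")
    for key, allowed in ALLOWED.items():
        if key in values and values[key] not in allowed:
            problems.append(f"{key}: {values[key]!r} is not an allowed value")
    for first, second in CONFLICTS:
        if values.get(first) and values.get(second):
            problems.append(f"{first} conflicts with {second}")
    return problems

# Constructed sample input (not from the original page).
SAMPLE = {
    "prefix": "slz-demo-",                # ends with '-', not a letter or number
    "vpcs": ["management", "workload", "1edge"],
    "add_edge_vpc": True,
    "create_f5_network_on_management_vpc": True,
    "vpn_firewall_type": "full-tunnel",
    "cluster_zones": 4,
}

if __name__ == "__main__":
    for problem in check_variables(SAMPLE):
        print(problem)
```
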

Using override.json

To create a fully customized environment based on the starting template, users can use override.json by setting the template override variable to true.

Variable Definitions

By using the variable definitions found in our landing zone module, any number and custom configuration of VPC components, VSI workloads, and clusters can be created. Currently override.json is set to contain the default environment configuration.

Getting Your Environment

This module outputs config, a JSON encoded definition of your environment based on the defaults for Landing Zone and any variables changed using override.json. By using this output, it's easy to add multiple additional workloads, VPCs, or subnets in existing VPCs to the default environment.

Overriding Only Some Variables

override.json does not need to contain all elements. As an example, override.json could be:

{
    "enable_transit_gateway": false
}

In this use case, every other value keeps its default configuration; only the transit gateway is disabled. This allows users to change just the values needed.