

minimize odm version
lionelmace committed Jun 24, 2024
1 parent 8fec817 commit 0d9474c
Showing 13 changed files with 86 additions and 379 deletions.
11 changes: 4 additions & 7 deletions terraform/icd-postgres/database-postgres.tf
Expand Up @@ -22,7 +22,7 @@ variable "icd_postgres_ram_allocation" {
variable "icd_postgres_disk_allocation" {
type = number
description = "Disk Usage (GB/data member)"
default = 20480
default = 5120
}

variable "icd_postgres_core_allocation" {
Expand Down Expand Up @@ -80,12 +80,9 @@ resource "ibm_database" "icd_postgres" {
group {
group_id = "member"
host_flavor { id = "multitenant" }
memory { allocation_mb = 4096 }
disk { allocation_mb = 5120 }
cpu { allocation_count = 0 }
# memory { allocation_mb = var.icd_postgres_ram_allocation }
# disk { allocation_mb = var.icd_postgres_disk_allocation }
# cpu { allocation_count = var.icd_postgres_core_allocation }
memory { allocation_mb = var.icd_postgres_ram_allocation }
disk { allocation_mb = var.icd_postgres_disk_allocation }
cpu { allocation_count = var.icd_postgres_core_allocation }
}

# auto_scaling {
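Review bot: The description on `icd_postgres_disk_allocation` still reads `"Disk Usage (GB/data member)"` while the value is consumed by `disk { allocation_mb = var.icd_postgres_disk_allocation }` in the second hunk and the new default 5120 is an MB figure, so the label now misleads whoever sets it in tfvars; change it to `description = "Disk Usage (MB/data member)"`. The same variable block with the same description appears in terraform/odmonroks/database-postgres.tf in this commit and should be corrected there as well. The `ibm_database` resource body continues past the end of the second hunk.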
4 changes: 2 additions & 2 deletions terraform/icd-postgres/testing.auto.tfvars
Expand Up @@ -30,8 +30,8 @@ icd_postgres_use_vpe = "true"
# icd_postgres_core_allocation = 6

# Minimum parameter for Standard Edition
icd_postgres_ram_allocation = 1024
icd_postgres_disk_allocation = 20480
icd_postgres_ram_allocation = 4096
icd_postgres_disk_allocation = 5120
icd_postgres_core_allocation = 0

icd_postgres_users = [{
26 changes: 20 additions & 6 deletions terraform/odmonroks/account-rg.tf
@@ -1,13 +1,27 @@

##############################################################################
# Create a resource group or reuse an existing one
##############################################################################

variable "existing_resource_group_name" {
default = ""
description = "(Optional) Name of an existing resource group where to create resources"
}

resource "ibm_resource_group" "group" {
name = "${local.basename}-group"
tags = var.tags
count = var.existing_resource_group_name != "" ? 0 : 1
name = "${local.basename}-group"
tags = var.tags
}

data "ibm_resource_group" "group" {
count = var.existing_resource_group_name != "" ? 1 : 0
name = var.existing_resource_group_name
}

locals {
resource_group_id = var.existing_resource_group_name != "" ? data.ibm_resource_group.group.0.id : ibm_resource_group.group.0.id
}

output "resource_group_name" {
value = ibm_resource_group.group.name
}
# output "resource_group_name" {
# value = ibm_resource_group.group.name
# }
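Review bot: The `resource_group_name` output is commented out instead of being adapted to the new `count`-based resources, so any caller that read it loses the value without an error at this site. Because both the resource and the data source now carry `count`, the output can be kept as `value = var.existing_resource_group_name != "" ? data.ibm_resource_group.group.0.name : ibm_resource_group.group.0.name`, mirroring the `locals` expression. A one-line comment above `locals`, such as `# Resolves to the reused group when existing_resource_group_name is set, otherwise to the group created here`, would make the ternary self-explanatory.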
51 changes: 2 additions & 49 deletions terraform/odmonroks/container-openshift.tf
Expand Up @@ -107,11 +107,6 @@ variable "roks_worker_pools" {
pool_name = "dev"
machine_type = "bx2.4x16"
workers_per_zone = 1
# },
# {
# pool_name = "odf"
# machine_type = "bx2.16x64"
# workers_per_zone = 1
}
]

Expand All @@ -137,7 +132,7 @@ variable "roks_worker_pools" {
resource "ibm_container_vpc_cluster" "roks_cluster" {
name = format("%s-%s", local.basename, var.openshift_cluster_name)
vpc_id = ibm_is_vpc.vpc.id
resource_group_id = ibm_resource_group.group.id
resource_group_id = local.resource_group_id
# Optional: Specify OpenShift version. If not included, 4.15 is used
kube_version = var.openshift_version == "" ? "4.15_openshift" : var.openshift_version
operating_system = var.openshift_os
Expand All @@ -161,58 +156,16 @@ resource "ibm_container_vpc_cluster" "roks_cluster" {
subnet_id = zones.value.id
}
}

kms_config {
instance_id = ibm_resource_instance.key-protect.guid # GUID of Key Protect instance
crk_id = ibm_kms_key.key.key_id # ID of customer root key
private_endpoint = true
}
depends_on = [
ibm_iam_authorization_policy.roks-kms
]
}

# Additional Worker Pool
##############################################################################
# resource "ibm_container_vpc_worker_pool" "roks_worker_pools" {
# for_each = { for pool in var.roks_worker_pools : pool.pool_name => pool }
# cluster = ibm_container_vpc_cluster.roks_cluster.id
# resource_group_id = ibm_resource_group.group.id
# worker_pool_name = each.key
# flavor = lookup(each.value, "machine_type", null)
# vpc_id = ibm_is_vpc.vpc.id
# worker_count = each.value.workers_per_zone
# operating_system = var.openshift_os

# dynamic "zones" {
# for_each = { for subnet in ibm_is_subnet.subnet : subnet.id => subnet }
# content {
# name = zones.value.zone
# subnet_id = zones.value.id
# }
# }
# }

# Object Storage to backup the OpenShift Internal Registry
##############################################################################
resource "ibm_resource_instance" "cos_openshift_registry" {
count = var.is_openshift_cluster ? 1 : 0
name = join("-", [local.basename, "cos-registry"])
resource_group_id = ibm_resource_group.group.id
resource_group_id = local.resource_group_id
service = "cloud-object-storage"
plan = "standard"
location = "global"
tags = var.tags
}

# IAM AUTHORIZATIONS
##############################################################################

# Authorization policy between OpenShift and Key Protect
# Require to encrypt OpenShift with Key in Key Protect
resource "ibm_iam_authorization_policy" "roks-kms" {
source_service_name = "containers-kubernetes"
target_service_name = "kms"
target_resource_instance_id = ibm_resource_instance.key-protect.guid
roles = ["Reader"]
}
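Review bot: Removing the `kms_config` block and the `roks-kms` authorization policy from `roks_cluster` drops the customer-root-key setup that the deleted comments describe (Key Protect instance GUID, customer root key), and nothing in the hunk records that this is deliberate for the minimized variant. A short comment on the cluster resource, such as `# No kms_config: the Key Protect root-key encryption of the full variant is intentionally omitted in this minimized setup`, would keep the decision visible to the next reader; if the aim is only to reduce cost, the block could stay since it adds no workers. With the worker-pool resource deleted, `var.roks_worker_pools` (hunk at line 107) no longer has a consumer and can be removed, or its description should say it is unused. The `ibm_container_vpc_cluster` resource starts above the third hunk.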
160 changes: 11 additions & 149 deletions terraform/odmonroks/database-postgres.tf
Expand Up @@ -22,7 +22,7 @@ variable "icd_postgres_ram_allocation" {
variable "icd_postgres_disk_allocation" {
type = number
description = "Disk Usage (GB/data member)"
default = 20480
default = 5120
}

variable "icd_postgres_core_allocation" {
Expand All @@ -43,17 +43,12 @@ variable "icd_postgres_users" {
description = "Database Users. It is set of username and passwords"
}

# PostgresDB cannot support both public and private endpoints simultaneously.
# This cannot be changed after provisioning.
variable "icd_postgres_service_endpoints" {
default = "public"
type = string
description = "Types of the service endpoints. Possible values are 'public', 'private', 'public-and-private'."
}

variable "icd_postgres_use_vpe" { default = false }


##############################################################################
## ICD Postgres
##############################################################################
Expand All @@ -64,174 +59,41 @@ resource "ibm_database" "icd_postgres" {
version = var.icd_postgres_db_version
service_endpoints = var.icd_postgres_service_endpoints
location = var.region
resource_group_id = ibm_resource_group.group.id
resource_group_id = local.resource_group_id
tags = var.tags

# Encrypt DB (comment to use IBM-provided Automatic Key)
key_protect_instance = ibm_resource_instance.key-protect.id
key_protect_key = ibm_kms_key.key.id
backup_encryption_key_crn = ibm_kms_key.key.id
depends_on = [ # require when using encryption key otherwise provisioning failed
ibm_iam_authorization_policy.postgres-kms,
]

# DB Settings
adminpassword = var.icd_postgres_adminpassword
group {
group_id = "member"
# host_flavor { id = "multitenant" }
host_flavor { id = "multitenant" }
memory { allocation_mb = var.icd_postgres_ram_allocation }
disk { allocation_mb = var.icd_postgres_disk_allocation }
cpu { allocation_count = var.icd_postgres_core_allocation }
}

# auto_scaling {
# cpu {
# rate_increase_percent = 20
# rate_limit_count_per_member = 20
# rate_period_seconds = 900
# rate_units = "count"
# }
# disk {
# capacity_enabled = true
# free_space_less_than_percent = 15
# io_above_percent = 85
# io_enabled = true
# io_over_period = "15m"
# rate_increase_percent = 15
# rate_limit_mb_per_member = 3670016
# rate_period_seconds = 900
# rate_units = "mb"
# }
# memory {
# io_above_percent = 90
# io_enabled = true
# io_over_period = "15m"
# rate_increase_percent = 10
# rate_limit_mb_per_member = 114688
# rate_period_seconds = 900
# rate_units = "mb"
# }
# }

# users {
# name = "user123"
# password = "password12"
# }

}

## Service Credentials
##############################################################################
resource "ibm_resource_key" "icd_postgres_key" {
resource "ibm_resource_key" "db-svc-credentials" {
name = format("%s-%s", local.basename, "postgres-key")
resource_instance_id = ibm_database.icd_postgres.id
role = "Viewer"
}

# Database connection
##############################################################################
# data "ibm_database_connection" "postgres_db_connection" {
# deployment_id = ibm_database.icd_postgres.id
# endpoint_type = var.icd_postgres_service_endpoints
# user_id = "user_id"
# user_type = "database"
# }


## IAM
##############################################################################
# Doc at https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-iam
resource "ibm_iam_access_group_policy" "iam-postgres" {
access_group_id = ibm_iam_access_group.accgrp.id
roles = ["Editor"]

resources {
service = "databases-for-postgresql"
resource_group_id = ibm_resource_group.group.id
}
}

locals {
endpoints = [
{
name = "postgres",
crn = ibm_database.icd_postgres.id
hostname = ibm_resource_key.icd_postgres_key.credentials["connection.postgres.hosts.0.hostname"]
name = "postgres",
crn = ibm_database.icd_postgres.id
db-name = nonsensitive(ibm_resource_key.db-svc-credentials.credentials["connection.postgres.database"])
db-host = nonsensitive(ibm_resource_key.db-svc-credentials.credentials["connection.postgres.hosts.0.hostname"])
db-user = nonsensitive(ibm_resource_key.db-svc-credentials.credentials["connection.postgres.authentication.username"])
db-password = nonsensitive(ibm_resource_key.db-svc-credentials.credentials["connection.postgres.authentication.password"])
}
]
}

output "endpoints" {
sensitive = true
output "icd-postgres-credentials" {
value = local.endpoints
}


## VPE (Optional)
##############################################################################
# VPE can only be created once Postgres DB is fully registered in the backend
resource "time_sleep" "wait_for_postgres_initialization" {
count = tobool(var.icd_postgres_use_vpe) ? 1 : 0

depends_on = [
ibm_database.icd_postgres
]

create_duration = "5m"
}

# VPE (Virtual Private Endpoint) for Postgres
##############################################################################
# Make sure your Cloud Databases deployment's private endpoint is enabled
# otherwise you'll face this error: "Service does not support VPE extensions."
##############################################################################
resource "ibm_is_virtual_endpoint_gateway" "vpe_postgres" {
for_each = { for target in local.endpoints : target.name => target if tobool(var.icd_postgres_use_vpe) }

name = "${local.basename}-postgres-vpe"
resource_group = ibm_resource_group.group.id
vpc = ibm_is_vpc.vpc.id

target {
crn = ibm_database.icd_postgres.id
resource_type = "provider_cloud_service"
}

# one Reserved IP for per zone in the VPC
dynamic "ips" {
for_each = { for subnet in ibm_is_subnet.subnet : subnet.id => subnet }
content {
subnet = ips.key
name = "${ips.value.name}-ip-postgres"
}
}

depends_on = [
time_sleep.wait_for_postgres_initialization
]

tags = var.tags
}

# data "ibm_is_virtual_endpoint_gateway_ips" "postgres_vpe_ips" {
# gateway = ibm_is_virtual_endpoint_gateway.vpe_postgres.id
# }

# output "postgres_vpe_ips" {
# value = data.ibm_is_virtual_endpoint_gateway_ips.postgres_vpe_ips
# }


# IAM AUTHORIZATIONS
##############################################################################

# Authorization policy between Postgres and Key Protect
# Require to encrypt Postgres DB with Key in Key Protect
# https://github.com/IBM-Cloud/vpc-scaling-dedicated-host/blob/master/modules/create_services/main.tf
resource "ibm_iam_authorization_policy" "postgres-kms" {
source_service_name = "databases-for-postgresql"
target_service_name = "kms"
target_resource_instance_id = ibm_resource_instance.key-protect.guid
roles = ["Reader", "Authorization Delegator"]
}
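Review bot: The new `icd-postgres-credentials` output exposes the database username and password in clear text: the previous `sensitive = true` on the output is removed and every field, including `connection.postgres.authentication.password`, is wrapped in `nonsensitive()`, so the values are printed at the end of every `terraform apply`/`terraform output` and land in CI logs. Keep the output marked sensitive and drop the wrapper on the secret fields: `sensitive = true` inside the output block, `db-user = ibm_resource_key.db-svc-credentials.credentials["connection.postgres.authentication.username"]`, `db-password = ibm_resource_key.db-svc-credentials.credentials["connection.postgres.authentication.password"]`; if the host and database name must stay readable, move those two into a separate non-sensitive output. The same hunk also removes the `key_protect_*`/`backup_encryption_key_crn` settings, the `postgres-kms` and `iam-postgres` policies and the VPE while `icd_postgres_service_endpoints` keeps its `"public"` default, so the minimized database is reachable on the public endpoint with provider-managed keys; a comment on the `ibm_database` resource stating that this is deliberate for the minimal variant would settle the question at the next review. The `ibm_database` resource header sits above the start of this hunk.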
