
# Profile for IBM Cloud Framework for Financial Services

This code is a version of the parent root module that includes a default configuration that complies with the relevant controls from the IBM Cloud Framework for Financial Services. See the Example for IBM Cloud Framework for Financial Services for logic that uses this module.

The default values in this profile were scanned by IBM Code Risk Analyzer (CRA) for compliance with the IBM Cloud Framework for Financial Services profile that is specified by the IBM Security and Compliance Center. The scan passed for all applicable goals.

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| fscloud_vsi | ../../ | n/a |

## Resources

No resources.

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| access_tags | A list of access tags to apply to the VSI resources created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | `list(string)` | `[]` | no |
| allow_ip_spoofing | Allow IP spoofing on the primary network interface. | `bool` | `false` | no |
| block_storage_volumes | List describing the block storage volumes that will be attached to each VSI. | <pre>list(<br>  object({<br>    name = string<br>    profile = string<br>    capacity = optional(number)<br>    iops = optional(number)<br>    encryption_key = optional(string)<br>    snapshot_id = optional(string) # set if you would like to base volume on a snapshot<br>  })<br>)</pre> | `[]` | no |
| boot_volume_encryption_key | CRN of the boot volume encryption key. | `string` | n/a | yes |
| boot_volume_snapshot_id | The snapshot ID of the volume to be used for creating the boot volume attachment (if specified, the image_id parameter will not be used). | `string` | `null` | no |
| create_security_group | Create a security group for the VSI. If this is passed as false, the default will be used. | `bool` | n/a | yes |
| enable_floating_ip | Create a floating IP for each virtual server created. | `bool` | `false` | no |
| existing_kms_instance_guid | The GUID of the Hyper Protect Crypto Services or Key Protect instance that the keys specified in var.kms_key_crn and var.backup_encryption_key_crn come from. Required only if var.skip_iam_authorization_policy is set to false. | `string` | `null` | no |
| image_id | Image ID used for the VSI. Run 'ibmcloud is images' to find available images in a region. | `string` | n/a | yes |
| load_balancers | Load balancers to add to the VSI. | <pre>list(<br>  object({<br>    name = string<br>    type = string<br>    listener_port = number<br>    listener_protocol = string<br>    connection_limit = number<br>    idle_connection_timeout = optional(number)<br>    algorithm = string<br>    protocol = string<br>    health_delay = number<br>    health_retries = number<br>    health_timeout = number<br>    health_type = string<br>    pool_member_port = string<br>    profile = optional(string)<br>    dns = optional(<br>      object({<br>        instance_crn = string<br>        zone_id = string<br>      })<br>    )<br>    security_group = optional(<br>      object({<br>        name = string<br>        rules = list(<br>          object({<br>            name = string<br>            direction = string<br>            source = string<br>            tcp = optional(<br>              object({<br>                port_max = number<br>                port_min = number<br>              })<br>            )<br>            udp = optional(<br>              object({<br>                port_max = number<br>                port_min = number<br>              })<br>            )<br>            icmp = optional(<br>              object({<br>                type = number<br>                code = number<br>              })<br>            )<br>          })<br>        )<br>      })<br>    )<br>  })<br>)</pre> | `[]` | no |
| machine_type | VSI machine type. Run 'ibmcloud is instance-profiles' to get a list of regional profiles. | `string` | n/a | yes |
| manage_reserved_ips | Set to true if you want this Terraform module to manage the reserved IP addresses that are assigned to VSI instances. If this option is enabled, any VSI that is recreated should retain its original IP. | `bool` | `false` | no |
| prefix | The prefix that you would like to prepend to your resources. | `string` | n/a | yes |
| resource_group_id | ID of the resource group in which to create the VSI and block storage volumes. If you wish to create the block storage volumes in a different resource group, you can optionally set that directly in the 'block_storage_volumes' variable. | `string` | n/a | yes |
| security_group | Security group created for the VSI. | <pre>object({<br>  name = string<br>  rules = list(<br>    object({<br>      name = string<br>      direction = string<br>      source = string<br>      tcp = optional(<br>        object({<br>          port_max = number<br>          port_min = number<br>        })<br>      )<br>      udp = optional(<br>        object({<br>          port_max = number<br>          port_min = number<br>        })<br>      )<br>      icmp = optional(<br>        object({<br>          type = number<br>          code = number<br>        })<br>      )<br>    })<br>  )<br>})</pre> | n/a | yes |
| security_group_ids | IDs of additional security groups to be added to the primary interface of the VSI deployment. A VSI interface can have a maximum of 5 security groups. | `list(string)` | `[]` | no |
| skip_iam_authorization_policy | Set to true to skip the creation of an IAM authorization policy that permits all Storage Blocks to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing_kms_instance_guid variable. | `bool` | `false` | no |
| snapshot_consistency_group_id | The snapshot consistency group ID. If supplied, the group will be queried for snapshots that are matched with both the boot volume and the attached volumes (attached volumes are matched based on name suffix). You can override specific snapshot IDs by setting the appropriate input variables as well. | `string` | `null` | no |
| ssh_key_ids | SSH key IDs to use when creating the VSI. | `list(string)` | n/a | yes |
| subnets | A list of subnet IDs where the VSI will be deployed. | <pre>list(<br>  object({<br>    name = string<br>    id = string<br>    zone = string<br>    cidr = string<br>  })<br>)</pre> | n/a | yes |
| tags | List of tags to apply to resources created by this module. | `list(string)` | `[]` | no |
| use_boot_volume_key_as_default | Set to true to use the key specified in the boot_volume_encryption_key input as the default for all volumes, overriding any key value that may be specified in the encryption_key option of the block_storage_volumes input variable. If set to false, the value passed for the encryption_key option of the block_storage_volumes will be used instead. | `bool` | `false` | no |
| use_static_boot_volume_name | Sets the boot volume name for each VSI to a static name in the format {hostname}_boot, instead of a random name. Set this to true to have a consistent boot volume name even when VSIs are recreated. | `bool` | `false` | no |
| user_data | User data to initialize the VSI deployment. | `string` | n/a | yes |
| vpc_id | ID of the VPC. | `string` | n/a | yes |
| vsi_per_subnet | Number of VSI instances for each subnet. | `number` | n/a | yes |
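An added example of calling this profile with its required inputs (this is not the module's own example): the compliance-relevant defaults (no floating IP, no IP spoofing, IAM authorization policy created) are left untouched, every volume is encrypted with a customer-managed key, and the dedicated security group only admits SSH from one administrative range. The module source path, CRNs, IDs and CIDRs are placeholders.

```hcl
module "fscloud_vsi" {
  # Placeholder: the path or git URL of this profile directory.
  source = "./modules/fscloud"

  prefix            = "fs-demo"
  resource_group_id = "REPLACE_RESOURCE_GROUP_ID"
  vpc_id            = "REPLACE_VPC_ID"
  image_id          = "REPLACE_IMAGE_ID"  # from: ibmcloud is images
  machine_type      = "cx2-2x4"           # from: ibmcloud is instance-profiles
  ssh_key_ids       = ["REPLACE_SSH_KEY_ID"]
  user_data         = "#cloud-config\npackage_update: true\n"
  vsi_per_subnet    = 1

  subnets = [
    { name = "subnet-a", id = "REPLACE_SUBNET_ID", zone = "us-south-1", cidr = "10.10.10.0/24" },
  ]

  # Customer-managed key for the boot volume. Because
  # skip_iam_authorization_policy keeps its default of false, the module
  # creates the policy that lets block storage read this key, so the
  # KMS instance GUID must be supplied as well.
  boot_volume_encryption_key = "crn:v1:bluemix:public:kms:us-south:a/ACCOUNT_ID:KMS_GUID:key:KEY_ID" # placeholder
  existing_kms_instance_guid = "REPLACE_KMS_INSTANCE_GUID"

  # Reuse the boot volume key for the data volume below instead of
  # relying on a per-volume encryption_key being set correctly.
  use_boot_volume_key_as_default = true
  block_storage_volumes = [
    { name = "data", profile = "general-purpose", capacity = 100 },
  ]

  # Dedicated security group: SSH inbound only from the admin range
  # (192.0.2.0/24 is a documentation range used here as a placeholder),
  # outbound only within the VPC. No rule permits 0.0.0.0/0.
  create_security_group = true
  security_group = {
    name = "fs-demo-sg"
    rules = [
      { name = "allow-ssh-admin", direction = "inbound", source = "192.0.2.0/24", tcp = { port_min = 22, port_max = 22 } },
      { name = "allow-vpc-out", direction = "outbound", source = "10.10.0.0/16" },
    ]
  }
}
```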

## Outputs

| Name | Description |
|------|-------------|
| slz_vsi | VSI module values |