Adding IBM Key Protect support (#564)
* Changes are related to AFM (#558)

* AFM changes

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* AFM ini.py file changes

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* added ,

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* BM Changes

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Modified vsi and BM parameters

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* commented output not in use for AFM

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Added option protocol subnet

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* fix 1

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* fix 2

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Added condition for cos bucket creation

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* updated provider

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Modified AFM VSI and BM module

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* changed the condition for output

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Added change for multiple fileset and bucket

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Modified variable to be passed for afm config

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* added file system and afm ip in BM

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Hmac should be one for new cos instance

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* removed commented code

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* added resource group variable

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* removed commented code

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Added tuneable changes for AFM

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Fixed data block for tuneables

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Added function for afm

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Modified afm value function

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Modified afm function call

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* fix1

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Modified tuneable for AFM

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Fix for inventory file

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Changed the description

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Modified tuneable

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* removed afm node grp

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Added bucket type as variable

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Added changes for different bucket type

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* changed hmac key name

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* New changes for bucket types

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Changes for new bucket creation with different bucket type

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Modified mode and filesets

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* fixed classes

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* modified rest of the function for mode and fileset

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Modified tuneables for afm

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* modified afmHardMemThreshold

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Removed commented code

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Added logic for "" variable for afm

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* added condition

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Fix1

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Fix2

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* fix3

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* fix4

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Removed outputs

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Fix for multi cos instance

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* Fix1 for bucket creation

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

* added condition

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>

---------

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>
Co-authored-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>
Signed-off-by: Anand.Reddy7 <Anand.Reddy7@ibm.com>

* Description change (#563)

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>
Co-authored-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>
Signed-off-by: Anand.Reddy7 <Anand.Reddy7@ibm.com>

* Adding Key Protect Support

Signed-off-by: Anand.Reddy7 <Anand.Reddy7@ibm.com>

* Adding Key Protect Support

Signed-off-by: Anand.Reddy7 <Anand.Reddy7@ibm.com>

* Adding Key Protect Support

Signed-off-by: Anand.Reddy7 <Anand.Reddy7@ibm.com>

* Adding Key Protect Support

Signed-off-by: Anand.Reddy7 <Anand.Reddy7@ibm.com>

---------

Signed-off-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>
Signed-off-by: Anand.Reddy7 <Anand.Reddy7@ibm.com>
Co-authored-by: jayeshh123 <127783319+jayeshh123@users.noreply.github.com>
Co-authored-by: Jayesh-Kumar3 <Jayesh.Kumar3@ibm.com>
Co-authored-by: Anand.Reddy7 <Anand.Reddy7@ibm.com>
4 people authored Aug 23, 2024
1 parent 1ae2c8c commit 1ca4977
Showing 7 changed files with 294 additions and 47 deletions.
52 changes: 35 additions & 17 deletions ibmcloud_scale_templates/sub_modules/instance_template/main.tf
Expand Up @@ -49,7 +49,7 @@ module "generate_storage_cluster_keys" {

module "generate_gklm_instance_keys" {
source = "../../../resources/common/generate_keys"
turn_on = var.scale_encryption_enabled
turn_on = var.scale_encryption_enabled && var.scale_encryption_type == "gklm" ? true : false
}

module "generate_ldap_instance_keys" {
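Review bot: the `? true : false` appended to the new `turn_on` line is redundant; `var.scale_encryption_enabled && var.scale_encryption_type == "gklm"` already evaluates to a bool, so `turn_on = var.scale_encryption_enabled && var.scale_encryption_type == "gklm"` reads cleaner. The same `enabled && type == "gklm"` gate is repeated verbatim in the security-group, security-rule, data-source and module hunks further down this file; computing it once as a local (a name such as `local.gklm_enabled` is only a suggestion) would keep the condition from drifting between the resources that must all agree on whether a GKLM server exists.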
Expand Down Expand Up @@ -122,7 +122,7 @@ module "storage_egress_security_rule" {

module "gklm_instance_egress_security_rule" {
source = "../../../resources/ibmcloud/security/security_allow_all"
turn_on = var.scale_encryption_enabled
turn_on = var.scale_encryption_enabled && var.scale_encryption_type == "gklm" ? true : false
security_group_ids = module.gklm_instance_security_group.sec_group_id
sg_direction = "outbound"
remote_ip_addr = "0.0.0.0/0"
Expand Down Expand Up @@ -179,7 +179,7 @@ module "bicluster_ingress_security_rule" {

module "gklm_instance_security_group" {
source = "../../../resources/ibmcloud/security/security_group"
turn_on = var.scale_encryption_enabled
turn_on = var.scale_encryption_enabled && var.scale_encryption_type == "gklm" ? true : false
sec_group_name = [format("%s-gklm-sg", var.resource_prefix)]
vpc_id = var.vpc_id
resource_group_id = var.resource_group_id
Expand All @@ -188,23 +188,23 @@ module "gklm_instance_security_group" {

module "gklm_instance_ingress_security_rule" {
source = "../../../resources/ibmcloud/security/security_rule_source"
total_rules = (var.scale_encryption_enabled == true && var.using_jumphost_connection == false) ? 5 : 0
total_rules = (var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.using_jumphost_connection == false) ? 5 : 0
security_group_id = [module.gklm_instance_security_group.sec_group_id]
sg_direction = ["inbound"]
source_security_group_id = [var.bastion_security_group_id, local.deploy_sec_group_id, module.gklm_instance_security_group.sec_group_id, module.compute_cluster_security_group.sec_group_id, module.storage_cluster_security_group.sec_group_id]
}

module "gklm_instance_ingress_security_rule_wt_bastion" {
source = "../../../resources/ibmcloud/security/security_rule_source"
total_rules = (var.scale_encryption_enabled == true && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id != null) ? 5 : 0
total_rules = (var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id != null) ? 5 : 0
security_group_id = [module.gklm_instance_security_group.sec_group_id]
sg_direction = ["inbound"]
source_security_group_id = [var.bastion_security_group_id, local.deploy_sec_group_id, module.gklm_instance_security_group.sec_group_id, module.compute_cluster_security_group.sec_group_id, module.storage_cluster_security_group.sec_group_id]
}

module "gklm_instance_ingress_security_rule_wo_bastion" {
source = "../../../resources/ibmcloud/security/security_rule_source"
total_rules = (var.scale_encryption_enabled == true && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id == null) ? 4 : 0
total_rules = (var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id == null) ? 4 : 0
security_group_id = [module.gklm_instance_security_group.sec_group_id]
sg_direction = ["inbound"]
source_security_group_id = [local.deploy_sec_group_id, module.gklm_instance_security_group.sec_group_id, module.compute_cluster_security_group.sec_group_id, module.storage_cluster_security_group.sec_group_id]
Expand Down Expand Up @@ -583,17 +583,17 @@ module "storage_cluster_tie_breaker_instance" {
}

data "ibm_is_ssh_key" "gklm_ssh_key" {
count = var.scale_encryption_enabled == true ? length(var.gklm_instance_key_pair) : 0
count = var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" ? length(var.gklm_instance_key_pair) : 0
name = var.gklm_instance_key_pair[count.index]
}

data "ibm_is_image" "gklm_instance_image" {
name = var.gklm_vsi_osimage_name
count = var.scale_encryption_enabled == true && var.gklm_vsi_osimage_id == null ? 1 : 0
count = var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.gklm_vsi_osimage_id == null ? 1 : 0
}

module "gklm_instance" {
count = var.scale_encryption_enabled == true ? 1 : 0
count = var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" ? 1 : 0
source = "../../../resources/ibmcloud/compute/gklm_vsi"
total_vsis = var.total_gklm_instances
vsi_name_prefix = format("%s-gklm", var.resource_prefix)
Expand All @@ -607,13 +607,24 @@ module "gklm_instance" {
dns_zone_id = var.gklm_instance_dns_zone_id
vsi_subnet_id = var.vpc_compute_cluster_private_subnets
vsi_security_group = [module.gklm_instance_security_group.sec_group_id]
vsi_user_public_key = var.scale_encryption_enabled ? data.ibm_is_ssh_key.gklm_ssh_key[*].id : []
vsi_user_public_key = var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" ? data.ibm_is_ssh_key.gklm_ssh_key[*].id : []
vsi_meta_private_key = var.create_separate_namespaces == true ? module.generate_gklm_instance_keys.private_key_content : 0
vsi_meta_public_key = var.create_separate_namespaces == true ? module.generate_gklm_instance_keys.public_key_content : 0
resource_tags = var.scale_cluster_resource_tags
depends_on = [module.gklm_instance_ingress_security_rule, module.gklm_instance_ingress_security_rule_wt_bastion, module.gklm_instance_ingress_security_rule_wo_bastion, module.gklm_instance_egress_security_rule, var.vpc_custom_resolver_id]
}

module "key_protect_instance" {
count = var.scale_encryption_enabled == true && var.scale_encryption_type == "key_protect" ? 1 : 0
source = "../../../resources/ibmcloud/compute/key_protect"
resource_prefix = var.resource_prefix
vpc_region = var.vpc_region
resource_group_id = var.resource_group_id
key_protect_path = format("%s/key_protect", var.scale_ansible_repo_clone_path)
resource_tags = var.scale_cluster_resource_tags
vpc_storage_cluster_dns_domain = var.vpc_storage_cluster_dns_domain
}

data "ibm_is_bare_metal_server_profile" "afm_vsi_bm_server_profile" {
count = local.afm_server_type == true ? 1 : 0
name = var.afm_vsi_profile
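Review bot: the new `key_protect_instance` module has no `depends_on`, and none of its outputs are consumed anywhere in this file, so nothing enforces that Key Protect provisioning finishes before the cluster-configuration and encryption-configuration modules run; if the Ansible side (reached through `key_protect_path` under `scale_ansible_repo_clone_path`) relies on artifacts this module writes, that ordering should be explicit. It would also help reviewers to document what the module creates (instance, root key, access policies) in its source, and to reconsider its location under `resources/ibmcloud/compute/`, since it provisions a key-management service rather than compute.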
Expand Down Expand Up @@ -967,7 +978,7 @@ module "compute_cluster_configuration" {
enable_ces = "False"
enable_afm = "False"
scale_encryption_enabled = var.scale_encryption_enabled
scale_encryption_admin_password = var.scale_encryption_enabled ? var.scale_encryption_admin_password : null
scale_encryption_admin_password = var.scale_encryption_admin_password
scale_encryption_servers = var.scale_encryption_enabled ? jsonencode(one(module.gklm_instance[*].gklm_ip_addresses)) : null
enable_ldap = var.enable_ldap
ldap_basedns = var.ldap_basedns
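Review bot: dropping the `var.scale_encryption_enabled ? ... : null` guard means `scale_encryption_admin_password` is now handed to the compute-cluster configuration (and whatever inventory or variables file it writes) even when encryption is disabled; unless the downstream module needs the value in that case, keeping the guard limits where the secret travels. In the same hunk `scale_encryption_servers` is still gated only on `scale_encryption_enabled`, while the storage-cluster hunk below also requires `scale_encryption_type == "gklm"`; with `key_protect` selected, `module.gklm_instance` has count 0, `one(...)` returns null and this line passes `jsonencode(null)` (the string `null`) rather than a real null. Suggest `var.scale_encryption_enabled && var.scale_encryption_type == "gklm" ? jsonencode(...) : null` here as well.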
Expand All @@ -982,6 +993,8 @@ module "storage_cluster_configuration" {
clone_complete = module.prepare_ansible_configuration.clone_complete
bastion_user = jsonencode(var.bastion_user)
write_inventory_complete = module.write_storage_cluster_inventory.write_inventory_complete
kp_resource_prefix = var.resource_prefix
vpc_region = var.vpc_region
inventory_format = var.inventory_format
create_scale_cluster = var.create_scale_cluster
clone_path = var.scale_ansible_repo_clone_path
Expand Down Expand Up @@ -1025,8 +1038,9 @@ module "storage_cluster_configuration" {
enable_ces = local.scale_ces_enabled == true ? "True" : "False"
enable_afm = local.enable_afm == true ? "True" : "False"
scale_encryption_enabled = var.scale_encryption_enabled
scale_encryption_admin_password = var.scale_encryption_enabled ? var.scale_encryption_admin_password : null
scale_encryption_servers = var.scale_encryption_enabled ? jsonencode(one(module.gklm_instance[*].gklm_ip_addresses)) : null
scale_encryption_type = var.scale_encryption_type
scale_encryption_admin_password = var.scale_encryption_admin_password
scale_encryption_servers = var.scale_encryption_enabled && var.scale_encryption_type == "gklm" ? jsonencode(one(module.gklm_instance[*].gklm_ip_addresses)) : null
enable_ldap = var.enable_ldap
ldap_basedns = var.ldap_basedns
ldap_server = local.ldap_server
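Review bot: the `scale_encryption_servers` condition here (`enabled && type == "gklm"`) is the right one and should be the model for the compute and combined cluster modules in this file. `scale_encryption_admin_password` loses its `: null` guard though, so the password is passed to the storage-cluster configuration whenever it is set, including runs with encryption disabled or with `key_protect` where no GKLM admin credential is involved; please keep the guard unless the module needs the value unconditionally.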
Expand Down Expand Up @@ -1056,7 +1070,7 @@ module "combined_cluster_configuration" {
spectrumscale_rpms_path = var.spectrumscale_rpms_path
enable_mrot_conf = false
scale_encryption_enabled = var.scale_encryption_enabled
scale_encryption_admin_password = var.scale_encryption_enabled ? var.scale_encryption_admin_password : null
scale_encryption_admin_password = var.scale_encryption_admin_password
scale_encryption_servers = var.scale_encryption_enabled ? jsonencode(one(module.gklm_instance[*].gklm_ip_addresses)) : null
enable_ldap = var.enable_ldap
ldap_basedns = var.ldap_basedns
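Review bot: `scale_encryption_servers` in this combined-cluster hunk is not gated on `var.scale_encryption_type == "gklm"`, unlike the storage-cluster module, so a `key_protect` deployment passes `jsonencode(one(module.gklm_instance[*].gklm_ip_addresses))` with a count-0 module, i.e. the string `null`. Mirror the storage-cluster condition, and consider restoring the `: null` guard on `scale_encryption_admin_password` for the same reason as in the other configuration modules.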
Expand Down Expand Up @@ -1142,16 +1156,20 @@ module "encryption_configuration" {
scale_encryption_admin_default_password = var.scale_encryption_admin_default_password
scale_encryption_admin_password = var.scale_encryption_admin_password
scale_encryption_admin_username = var.scale_encryption_admin_username
scale_encryption_servers = jsonencode(one(module.gklm_instance[*].gklm_ip_addresses))
scale_encryption_servers_dns = jsonencode(one(module.gklm_instance[*].gklm_dns_names))
meta_private_key = module.generate_gklm_instance_keys.private_key_content
kp_resource_prefix = var.resource_prefix
vpc_region = var.vpc_region
scale_encryption_type = var.scale_encryption_type
scale_encryption_servers = var.scale_encryption_type == "gklm" ? jsonencode(one(module.gklm_instance[*].gklm_ip_addresses)) : jsonencode([])
scale_encryption_servers_dns = var.scale_encryption_type == "gklm" ? jsonencode(one(module.gklm_instance[*].gklm_dns_names)) : jsonencode([])
meta_private_key = var.scale_encryption_type == "gklm" ? module.generate_gklm_instance_keys.private_key_content : module.generate_storage_cluster_keys.private_key_content
storage_cluster_encryption = (var.create_separate_namespaces == true && var.total_storage_cluster_instances > 0) ? true : false
compute_cluster_encryption = (var.create_separate_namespaces == true && var.total_compute_cluster_instances >= 0) ? true : false
combined_cluster_encryption = var.create_separate_namespaces == false ? true : false
compute_cluster_create_complete = module.compute_cluster_configuration.compute_cluster_create_complete
storage_cluster_create_complete = module.storage_cluster_configuration.storage_cluster_create_complete
combined_cluster_create_complete = module.combined_cluster_configuration.combined_cluster_create_complete
remote_mount_create_complete = module.remote_mount_configuration.remote_mount_create_complete
filesystem_mountpoint = element(split("/", var.storage_cluster_filesystem_mountpoint), length(split("/", var.storage_cluster_filesystem_mountpoint)) - 1)
depends_on = [module.gklm_instance, module.compute_cluster_configuration, module.storage_cluster_configuration, module.combined_cluster_configuration, module.remote_mount_configuration]
}
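Review bot: `depends_on` still lists only `module.gklm_instance` even though this module now also drives the `key_protect` path; add `module.key_protect_instance` so that Key Protect resources exist before the encryption playbooks run (a count-0 module reference is harmless in `depends_on`). For `key_protect`, `meta_private_key` now forwards the storage cluster's generated private key into the encryption module; please confirm that key is used only for reaching the storage nodes and is not written under `key_protect_path` or into the inventory. `scale_encryption_admin_default_password` and `scale_encryption_admin_username` are also passed unconditionally, which is fine only if the key_protect branch ignores them.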

Expand Up @@ -2,7 +2,7 @@ terraform {
required_providers {
ibm = {
source = "IBM-Cloud/ibm"
version = "1.67.1"
version = "1.68.0"
}
github = {
source = "integrations/github"
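Review bot: the provider bump from 1.67.1 to 1.68.0 is not mentioned in the commit message; state which Key Protect resource or data source requires 1.68.0 so the pin can be justified later, and make sure the dependency lock file is updated in the same change so every operator resolves the same provider build.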
Expand Up @@ -320,6 +320,12 @@ variable "scale_encryption_enabled" {
description = "To enable the encryption for the filesystem. Select true or false"
}

variable "scale_encryption_type" {
type = string
default = ""
description = "To enable filesystem encryption, specify either 'key_protect' or 'gklm'. If neither is specified, the default value will be 'null' and encryption is disabled"
}

variable "gklm_vsi_osimage_id" {
type = string
default = null
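Review bot: the description says the default is 'null', but `default = ""` is an empty string, which is not the same value in Terraform conditionals; either set `default = null` or fix the description. More importantly, with `scale_encryption_enabled = true` and an empty or misspelled type, every GKLM and Key Protect resource in main.tf has count 0 while the cluster-configuration modules still receive `scale_encryption_enabled = true`, so the deployment proceeds without any key server. A `validation` block such as `condition = contains(["", "gklm", "key_protect"], var.scale_encryption_type)` with a clear `error_message` would fail at plan time instead of silently producing a cluster that believes it is encrypted.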

0 comments on commit 1ca4977
