From 1ca497750162b9e52e7d8a4e23ad01f8cdad0fa3 Mon Sep 17 00:00:00 2001 From: Anand Reddy <53337597+Anand-Reddy7@users.noreply.github.com> Date: Fri, 23 Aug 2024 13:12:02 +0530 Subject: [PATCH] Adding IBM Key Protect support (#564) * Changes are related to AFM (#558) * AFM changes Signed-off-by: Jayesh-Kumar3 * AFM ini.py file changes Signed-off-by: Jayesh-Kumar3 * added , Signed-off-by: Jayesh-Kumar3 * BM Changes Signed-off-by: Jayesh-Kumar3 * Modified vsi and BM parameters Signed-off-by: Jayesh-Kumar3 * commented output not in use for AFM Signed-off-by: Jayesh-Kumar3 * Added option protocol subnet Signed-off-by: Jayesh-Kumar3 * fix 1 Signed-off-by: Jayesh-Kumar3 * fix 2 Signed-off-by: Jayesh-Kumar3 * Added conditon for cos bucket creation Signed-off-by: Jayesh-Kumar3 * updated provider Signed-off-by: Jayesh-Kumar3 * Modified AFM VSI and BM module Signed-off-by: Jayesh-Kumar3 * changed the condition for output Signed-off-by: Jayesh-Kumar3 * Added change for multiple fileset and bucket Signed-off-by: Jayesh-Kumar3 * Modified variable to be passed for afm config Signed-off-by: Jayesh-Kumar3 * added file system and afm ip in BM Signed-off-by: Jayesh-Kumar3 * Hmac should be one for new cos instance Signed-off-by: Jayesh-Kumar3 * removed commented code Signed-off-by: Jayesh-Kumar3 * added resource group variable Signed-off-by: Jayesh-Kumar3 * removed commented code Signed-off-by: Jayesh-Kumar3 * Added tuneable changes for AFM Signed-off-by: Jayesh-Kumar3 * Fixed data block for tuneables Signed-off-by: Jayesh-Kumar3 * Added function for afm Signed-off-by: Jayesh-Kumar3 * Modified afm value function Signed-off-by: Jayesh-Kumar3 * Modified afm function call Signed-off-by: Jayesh-Kumar3 * fix1 Signed-off-by: Jayesh-Kumar3 * Modified tuneable for AFM Signed-off-by: Jayesh-Kumar3 * Fix for inventory file Signed-off-by: Jayesh-Kumar3 * Changed the description Signed-off-by: Jayesh-Kumar3 * Modified tuneable Signed-off-by: Jayesh-Kumar3 * removed afm node grp 
Signed-off-by: Jayesh-Kumar3 * Added bucket type as variable Signed-off-by: Jayesh-Kumar3 * Added changes for different bucket type Signed-off-by: Jayesh-Kumar3 * changed hmac key name Signed-off-by: Jayesh-Kumar3 * New changes for bucket types Signed-off-by: Jayesh-Kumar3 * Changes for new bucket creation with different bucket type Signed-off-by: Jayesh-Kumar3 * Modified mode and filesets Signed-off-by: Jayesh-Kumar3 * fixed classes Signed-off-by: Jayesh-Kumar3 * modfied rest of the function for mode and fileset Signed-off-by: Jayesh-Kumar3 * Modifed tuneables for afm Signed-off-by: Jayesh-Kumar3 * modified afmHardMemThreshold Signed-off-by: Jayesh-Kumar3 * Removed commented code Signed-off-by: Jayesh-Kumar3 * Added logic for "" variabel for afm Signed-off-by: Jayesh-Kumar3 * added condition Signed-off-by: Jayesh-Kumar3 * Fix1 Signed-off-by: Jayesh-Kumar3 * Fix2 Signed-off-by: Jayesh-Kumar3 * fix3 Signed-off-by: Jayesh-Kumar3 * fix4 Signed-off-by: Jayesh-Kumar3 * Removed outputs Signed-off-by: Jayesh-Kumar3 * Fix for multi cos instance Signed-off-by: Jayesh-Kumar3 * Fix1 for bucket creation Signed-off-by: Jayesh-Kumar3 * added condition Signed-off-by: Jayesh-Kumar3 --------- Signed-off-by: Jayesh-Kumar3 Co-authored-by: Jayesh-Kumar3 Signed-off-by: Anand.Reddy7 * Description change (#563) Signed-off-by: Jayesh-Kumar3 Co-authored-by: Jayesh-Kumar3 Signed-off-by: Anand.Reddy7 * Adding Key Protect Support Signed-off-by: Anand.Reddy7 * Adding Key Protect Support Signed-off-by: Anand.Reddy7 * Adding Key Protect Support Signed-off-by: Anand.Reddy7 * Adding Key Protect Support Signed-off-by: Anand.Reddy7 --------- Signed-off-by: Jayesh-Kumar3 
Signed-off-by: Anand.Reddy7
Co-authored-by: jayeshh123 <127783319+jayeshh123@users.noreply.github.com>
Co-authored-by: Jayesh-Kumar3
Co-authored-by: Anand.Reddy7
---
 .../sub_modules/instance_template/main.tf | 52 ++++++---
 .../instance_template/providers.tf | 2 +-
 .../instance_template/variables.tf | 6 ++
 .../encryption_configuration.tf | 101 +++++++++++++++---
 .../common/scripts/prepare_scale_inv_ini.py | 71 +++++++++++-
 .../storage_configuration.tf | 28 ++---
 .../compute/key_protect/key_protect.tf | 81 ++++++++++++++
 7 files changed, 294 insertions(+), 47 deletions(-)
 create mode 100644 resources/ibmcloud/compute/key_protect/key_protect.tf
diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf
index c6250222..726901d7 100644
--- a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf
+++ b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf
@@ -49,7 +49,7 @@ module "generate_storage_cluster_keys" {
 module "generate_gklm_instance_keys" {
 source = "../../../resources/common/generate_keys"
- turn_on = var.scale_encryption_enabled
+ turn_on = var.scale_encryption_enabled && var.scale_encryption_type == "gklm" ? true : false
 }
 module "generate_ldap_instance_keys" {
@@ -122,7 +122,7 @@ module "storage_egress_security_rule" {
 module "gklm_instance_egress_security_rule" {
 source = "../../../resources/ibmcloud/security/security_allow_all"
- turn_on = var.scale_encryption_enabled
+ turn_on = var.scale_encryption_enabled && var.scale_encryption_type == "gklm" ? true : false
 security_group_ids = module.gklm_instance_security_group.sec_group_id
 sg_direction = "outbound"
 remote_ip_addr = "0.0.0.0/0"
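Review bot: Both `turn_on` lines wrap an already-boolean expression in `? true : false`, and the same predicate `var.scale_encryption_enabled && var.scale_encryption_type == "gklm"` is then repeated verbatim in every gklm gate this commit touches. A single local, `gklm_enabled = var.scale_encryption_enabled && var.scale_encryption_type == "gklm"`, used as `turn_on = local.gklm_enabled` here, would keep all the gates consistent and give the next encryption type one place to change. The `generate_gklm_instance_keys` module is complete in the first hunk; the egress-rule module in the second hunk continues past it.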
@@ -179,7 +179,7 @@ module "bicluster_ingress_security_rule" {
 module "gklm_instance_security_group" {
 source = "../../../resources/ibmcloud/security/security_group"
- turn_on = var.scale_encryption_enabled
+ turn_on = var.scale_encryption_enabled && var.scale_encryption_type == "gklm" ? true : false
 sec_group_name = [format("%s-gklm-sg", var.resource_prefix)]
 vpc_id = var.vpc_id
 resource_group_id = var.resource_group_id
@@ -188,7 +188,7 @@ module "gklm_instance_security_group" {
 module "gklm_instance_ingress_security_rule" {
 source = "../../../resources/ibmcloud/security/security_rule_source"
- total_rules = (var.scale_encryption_enabled == true && var.using_jumphost_connection == false) ? 5 : 0
+ total_rules = (var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.using_jumphost_connection == false) ? 5 : 0
 security_group_id = [module.gklm_instance_security_group.sec_group_id]
 sg_direction = ["inbound"]
 source_security_group_id = [var.bastion_security_group_id, local.deploy_sec_group_id, module.gklm_instance_security_group.sec_group_id, module.compute_cluster_security_group.sec_group_id, module.storage_cluster_security_group.sec_group_id]
@@ -196,7 +196,7 @@ module "gklm_instance_ingress_security_rule" {
 module "gklm_instance_ingress_security_rule_wt_bastion" {
 source = "../../../resources/ibmcloud/security/security_rule_source"
- total_rules = (var.scale_encryption_enabled == true && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id != null) ? 5 : 0
+ total_rules = (var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id != null) ? 5 : 0
 security_group_id = [module.gklm_instance_security_group.sec_group_id]
 sg_direction = ["inbound"]
 source_security_group_id = [var.bastion_security_group_id, local.deploy_sec_group_id, module.gklm_instance_security_group.sec_group_id, module.compute_cluster_security_group.sec_group_id, module.storage_cluster_security_group.sec_group_id]
@@ -204,7 +204,7 @@ module "gklm_instance_ingress_security_rule_wt_bastion" {
 module "gklm_instance_ingress_security_rule_wo_bastion" {
 source = "../../../resources/ibmcloud/security/security_rule_source"
- total_rules = (var.scale_encryption_enabled == true && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id == null) ? 4 : 0
+ total_rules = (var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id == null) ? 4 : 0
 security_group_id = [module.gklm_instance_security_group.sec_group_id]
 sg_direction = ["inbound"]
 source_security_group_id = [local.deploy_sec_group_id, module.gklm_instance_security_group.sec_group_id, module.compute_cluster_security_group.sec_group_id, module.storage_cluster_security_group.sec_group_id]
@@ -583,17 +583,17 @@ module "storage_cluster_tie_breaker_instance" {
 }
 data "ibm_is_ssh_key" "gklm_ssh_key" {
- count = var.scale_encryption_enabled == true ? length(var.gklm_instance_key_pair) : 0
+ count = var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" ? length(var.gklm_instance_key_pair) : 0
 name = var.gklm_instance_key_pair[count.index]
 }
 data "ibm_is_image" "gklm_instance_image" {
 name = var.gklm_vsi_osimage_name
- count = var.scale_encryption_enabled == true && var.gklm_vsi_osimage_id == null ? 1 : 0
+ count = var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.gklm_vsi_osimage_id == null ? 1 : 0
 }
 module "gklm_instance" {
- count = var.scale_encryption_enabled == true ? 1 : 0
+ count = var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" ? 1 : 0
 source = "../../../resources/ibmcloud/compute/gklm_vsi"
 total_vsis = var.total_gklm_instances
 vsi_name_prefix = format("%s-gklm", var.resource_prefix)
@@ -607,13 +607,24 @@ module "gklm_instance" {
 dns_zone_id = var.gklm_instance_dns_zone_id
 vsi_subnet_id = var.vpc_compute_cluster_private_subnets
 vsi_security_group = [module.gklm_instance_security_group.sec_group_id]
- vsi_user_public_key = var.scale_encryption_enabled ? data.ibm_is_ssh_key.gklm_ssh_key[*].id : []
+ vsi_user_public_key = var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" ? data.ibm_is_ssh_key.gklm_ssh_key[*].id : []
 vsi_meta_private_key = var.create_separate_namespaces == true ? module.generate_gklm_instance_keys.private_key_content : 0
 vsi_meta_public_key = var.create_separate_namespaces == true ? module.generate_gklm_instance_keys.public_key_content : 0
 resource_tags = var.scale_cluster_resource_tags
 depends_on = [module.gklm_instance_ingress_security_rule, module.gklm_instance_ingress_security_rule_wt_bastion, module.gklm_instance_ingress_security_rule_wo_bastion, module.gklm_instance_egress_security_rule, var.vpc_custom_resolver_id]
 }
+module "key_protect_instance" {
+ count = var.scale_encryption_enabled == true && var.scale_encryption_type == "key_protect" ? 1 : 0
+ source = "../../../resources/ibmcloud/compute/key_protect"
+ resource_prefix = var.resource_prefix
+ vpc_region = var.vpc_region
+ resource_group_id = var.resource_group_id
+ key_protect_path = format("%s/key_protect", var.scale_ansible_repo_clone_path)
+ resource_tags = var.scale_cluster_resource_tags
+ vpc_storage_cluster_dns_domain = var.vpc_storage_cluster_dns_domain
+}
+
 data "ibm_is_bare_metal_server_profile" "afm_vsi_bm_server_profile" {
 count = local.afm_server_type == true ? 1 : 0
 name = var.afm_vsi_profile
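Review bot: The new `module "key_protect_instance"` passes `key_protect_path = format("%s/key_protect", var.scale_ansible_repo_clone_path)` with no hint of what the submodule writes under that directory, and key_protect.tf is new in this commit but not visible here, so a comment on the block is warranted, e.g. `# key_protect_path: directory under the ansible clone where the submodule places the Key Protect artefacts the kp_encryption_* playbooks consume` (worded to match what it actually writes). The count gate can drop the `== true` to read `var.scale_encryption_enabled && var.scale_encryption_type == "key_protect" ? 1 : 0`, in line with the gklm gates above. Housing a KMS service module under resources/ibmcloud/compute/ is also a naming oddity worth a second look.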
@@ -967,7 +978,7 @@ module "compute_cluster_configuration" {
 enable_ces = "False"
 enable_afm = "False"
 scale_encryption_enabled = var.scale_encryption_enabled
- scale_encryption_admin_password = var.scale_encryption_enabled ? var.scale_encryption_admin_password : null
+ scale_encryption_admin_password = var.scale_encryption_admin_password
 scale_encryption_servers = var.scale_encryption_enabled ? jsonencode(one(module.gklm_instance[*].gklm_ip_addresses)) : null
 enable_ldap = var.enable_ldap
 ldap_basedns = var.ldap_basedns
@@ -982,6 +993,8 @@ module "storage_cluster_configuration" {
 clone_complete = module.prepare_ansible_configuration.clone_complete
 bastion_user = jsonencode(var.bastion_user)
 write_inventory_complete = module.write_storage_cluster_inventory.write_inventory_complete
+ kp_resource_prefix = var.resource_prefix
+ vpc_region = var.vpc_region
 inventory_format = var.inventory_format
 create_scale_cluster = var.create_scale_cluster
 clone_path = var.scale_ansible_repo_clone_path
@@ -1025,8 +1038,9 @@ module "storage_cluster_configuration" {
 enable_ces = local.scale_ces_enabled == true ? "True" : "False"
 enable_afm = local.enable_afm == true ? "True" : "False"
 scale_encryption_enabled = var.scale_encryption_enabled
- scale_encryption_admin_password = var.scale_encryption_enabled ? var.scale_encryption_admin_password : null
- scale_encryption_servers = var.scale_encryption_enabled ? jsonencode(one(module.gklm_instance[*].gklm_ip_addresses)) : null
+ scale_encryption_type = var.scale_encryption_type
+ scale_encryption_admin_password = var.scale_encryption_admin_password
+ scale_encryption_servers = var.scale_encryption_enabled && var.scale_encryption_type == "gklm" ? jsonencode(one(module.gklm_instance[*].gklm_ip_addresses)) : null
 enable_ldap = var.enable_ldap
 ldap_basedns = var.ldap_basedns
 ldap_server = local.ldap_server
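Review bot: `scale_encryption_servers` in the compute_cluster_configuration hunk is still gated only on `var.scale_encryption_enabled`, so with `scale_encryption_type = "key_protect"` the gklm_instance module has count 0, `one(module.gklm_instance[*].gklm_ip_addresses)` is null and the module is handed the string `"null"` by `jsonencode`. The storage_cluster_configuration hunk further along this line adds the `&& var.scale_encryption_type == "gklm"` guard and also passes `scale_encryption_type`; the compute block should mirror it: `scale_encryption_servers = var.scale_encryption_enabled && var.scale_encryption_type == "gklm" ? jsonencode(one(module.gklm_instance[*].gklm_ip_addresses)) : null`. The module block starts and ends outside the hunk.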
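Review bot: Removing the `var.scale_encryption_enabled ? ... : null` wrapper means `scale_encryption_admin_password` now reaches storage_cluster_configuration (and, in the first hunk on this line, compute_cluster_configuration) even when encryption is disabled; the prepare_scale_inv_ini.py change in this same commit copies that argument into `cluster_details['scale_encryption_admin_password']`, so the secret presumably lands in the generated inventory whether or not it is ever used. If the gate was dropped because the module rejects `null`, an empty string keeps the old containment: `scale_encryption_admin_password = var.scale_encryption_enabled ? var.scale_encryption_admin_password : ""`. Either way the reason deserves a comment, since the old gate looked deliberate. The module block starts and ends outside the hunk.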
@@ -1056,7 +1070,7 @@ module "combined_cluster_configuration" {
 spectrumscale_rpms_path = var.spectrumscale_rpms_path
 enable_mrot_conf = false
 scale_encryption_enabled = var.scale_encryption_enabled
- scale_encryption_admin_password = var.scale_encryption_enabled ? var.scale_encryption_admin_password : null
+ scale_encryption_admin_password = var.scale_encryption_admin_password
 scale_encryption_servers = var.scale_encryption_enabled ? jsonencode(one(module.gklm_instance[*].gklm_ip_addresses)) : null
 enable_ldap = var.enable_ldap
 ldap_basedns = var.ldap_basedns
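Review bot: `scale_encryption_servers = var.scale_encryption_enabled ? jsonencode(one(module.gklm_instance[*].gklm_ip_addresses)) : null` in combined_cluster_configuration is not conditioned on the encryption type, so a key_protect deployment passes `jsonencode(null)`, i.e. the literal string `"null"`, because gklm_instance has count 0 in that mode. The storage_cluster_configuration block in this commit received the `&& var.scale_encryption_type == "gklm"` guard together with a `scale_encryption_type` argument; this block (and the compute one) should receive the same two changes so the three configuration modules agree. The module block starts and ends outside the hunk.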
@@ -1142,9 +1156,12 @@ module "encryption_configuration" {
 scale_encryption_admin_default_password = var.scale_encryption_admin_default_password
 scale_encryption_admin_password = var.scale_encryption_admin_password
 scale_encryption_admin_username = var.scale_encryption_admin_username
- scale_encryption_servers = jsonencode(one(module.gklm_instance[*].gklm_ip_addresses))
- scale_encryption_servers_dns = jsonencode(one(module.gklm_instance[*].gklm_dns_names))
- meta_private_key = module.generate_gklm_instance_keys.private_key_content
+ kp_resource_prefix = var.resource_prefix
+ vpc_region = var.vpc_region
+ scale_encryption_type = var.scale_encryption_type
+ scale_encryption_servers = var.scale_encryption_type == "gklm" ? jsonencode(one(module.gklm_instance[*].gklm_ip_addresses)) : jsonencode([])
+ scale_encryption_servers_dns = var.scale_encryption_type == "gklm" ? jsonencode(one(module.gklm_instance[*].gklm_dns_names)) : jsonencode([])
+ meta_private_key = var.scale_encryption_type == "gklm" ? module.generate_gklm_instance_keys.private_key_content : module.generate_storage_cluster_keys.private_key_content
 storage_cluster_encryption = (var.create_separate_namespaces == true && var.total_storage_cluster_instances > 0) ? true : false
 compute_cluster_encryption = (var.create_separate_namespaces == true && var.total_compute_cluster_instances >= 0) ? true : false
 combined_cluster_encryption = var.create_separate_namespaces == false ? true : false
@@ -1152,6 +1169,7 @@ module "encryption_configuration" {
 storage_cluster_create_complete = module.storage_cluster_configuration.storage_cluster_create_complete
 combined_cluster_create_complete = module.combined_cluster_configuration.combined_cluster_create_complete
 remote_mount_create_complete = module.remote_mount_configuration.remote_mount_create_complete
+ filesystem_mountpoint = element(split("/", var.storage_cluster_filesystem_mountpoint), length(split("/", var.storage_cluster_filesystem_mountpoint)) - 1)
 depends_on = [module.gklm_instance, module.compute_cluster_configuration, module.storage_cluster_configuration, module.combined_cluster_configuration, module.remote_mount_configuration]
 }
diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/providers.tf b/ibmcloud_scale_templates/sub_modules/instance_template/providers.tf
index 232f73d0..096b6b52 100644
--- a/ibmcloud_scale_templates/sub_modules/instance_template/providers.tf
+++ b/ibmcloud_scale_templates/sub_modules/instance_template/providers.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 ibm = {
 source = "IBM-Cloud/ibm"
- version = "1.67.1"
+ version = "1.68.0"
 }
 github = {
 source = "integrations/github"
diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/variables.tf b/ibmcloud_scale_templates/sub_modules/instance_template/variables.tf
index 21b8113e..8da0ed3f 100644
--- a/ibmcloud_scale_templates/sub_modules/instance_template/variables.tf
+++ b/ibmcloud_scale_templates/sub_modules/instance_template/variables.tf
@@ -320,6 +320,12 @@ variable "scale_encryption_enabled" {
 description = "To enable the encryption for the filesystem. Select true or false"
 }
+variable "scale_encryption_type" {
+ type = string
+ default = ""
+ description = "To enable filesystem encryption, specify either 'key_protect' or 'gklm'. If neither is specified, the default value will be 'null' and encryption is disabled"
+}
+
 variable "gklm_vsi_osimage_id" {
 type = string
 default = null
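Review bot: `depends_on` still lists only `module.gklm_instance`, and none of this module's arguments reference `module.key_protect_instance`, so Terraform has no ordering edge between creating the Key Protect instance and running the kp_encryption_* playbooks that receive `kp_resource_prefix` (presumably to find it); the `sleep 60;` added to perform_keyprotect_encryption_apply in this commit reads like a workaround for exactly that race. Add the edge: `depends_on = [module.gklm_instance, module.key_protect_instance, module.compute_cluster_configuration, module.storage_cluster_configuration, module.combined_cluster_configuration, module.remote_mount_configuration]`. The new `filesystem_mountpoint` expression evaluates to `""` when `var.storage_cluster_filesystem_mountpoint` carries a trailing slash; `basename(var.storage_cluster_filesystem_mountpoint)` is shorter and tolerates that. The module block begins outside the hunk.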
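Review bot: `scale_encryption_type` defaults to `""` while its description claims the default is `'null'`, and nothing validates the value; because every gate in this commit is a literal comparison with `"gklm"` or `"key_protect"`, a value such as `"GKLM"` combined with `scale_encryption_enabled = true` silently produces an unencrypted filesystem instead of a failed plan. A `validation` block closes that gap, and the description should state the real default, as below.
```hcl
variable "scale_encryption_type" {
  type        = string
  default     = ""
  description = "Key server for filesystem encryption: 'key_protect' or 'gklm'. Leave empty (the default) when scale_encryption_enabled is false."
  validation {
    condition     = contains(["", "gklm", "key_protect"], var.scale_encryption_type)
    error_message = "scale_encryption_type must be \"gklm\", \"key_protect\" or empty."
  }
}
```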
diff --git a/resources/common/encryption_configuration/encryption_configuration.tf b/resources/common/encryption_configuration/encryption_configuration.tf
index 778fd08d..bb351c1b 100644
--- a/resources/common/encryption_configuration/encryption_configuration.tf
+++ b/resources/common/encryption_configuration/encryption_configuration.tf
@@ -13,6 +13,10 @@ variable "scale_encryption_servers_dns" {}
 variable "scale_encryption_admin_default_password" {}
 variable "scale_encryption_admin_password" {}
 variable "scale_encryption_admin_username" {}
+variable "scale_encryption_type" {}
+variable "kp_resource_prefix" {}
+variable "vpc_region" {}
+variable "filesystem_mountpoint" {}
 variable "compute_cluster_create_complete" {}
 variable "storage_cluster_create_complete" {}
 variable "combined_cluster_create_complete" {}
@@ -22,25 +26,29 @@ variable "storage_cluster_encryption" {}
 variable "combined_cluster_encryption" {}
 locals {
- gklm_private_key = format("%s/gklm_key/id_rsa", var.clone_path)
- scale_encryption_servers = jsonencode(var.scale_encryption_servers)
- scale_encryption_servers_dns = jsonencode(var.scale_encryption_servers_dns)
- compute_inventory_path = format("%s/%s/compute_inventory.ini", var.clone_path, "ibm-spectrum-scale-install-infra")
- storage_inventory_path = format("%s/%s/storage_inventory.ini", var.clone_path, "ibm-spectrum-scale-install-infra")
- combined_inventory_path = format("%s/%s/combined_inventory.ini", var.clone_path, "ibm-spectrum-scale-install-infra")
- encryption_gklm_playbook = format("%s/%s/encryption_gklm_playbook.yaml", var.clone_path, "ibm-spectrum-scale-install-infra")
- encryption_cluster_playbook = format("%s/%s/encryption_cluster_playbook.yaml", var.clone_path, "ibm-spectrum-scale-install-infra")
+ gklm_private_key = format("%s/gklm_key/id_rsa", var.clone_path)
+ scale_encryption_servers = jsonencode(var.scale_encryption_servers)
+ scale_encryption_servers_dns = jsonencode(var.scale_encryption_servers_dns)
+ compute_inventory_path = format("%s/%s/compute_inventory.ini", var.clone_path, "ibm-spectrum-scale-install-infra")
+ storage_inventory_path = format("%s/%s/storage_inventory.ini", var.clone_path, "ibm-spectrum-scale-install-infra")
+ combined_inventory_path = format("%s/%s/combined_inventory.ini", var.clone_path, "ibm-spectrum-scale-install-infra")
+ encryption_gklm_playbook = format("%s/%s/encryption_gklm_playbook.yaml", var.clone_path, "ibm-spectrum-scale-install-infra")
+ encryption_cluster_playbook = format("%s/%s/encryption_cluster_playbook.yaml", var.clone_path, "ibm-spectrum-scale-install-infra")
+ kp_private_key = format("%s/storage_key/id_rsa", var.clone_path)
+ kp_encryption_prepare_playbook = format("%s/%s/encryption_keyprotect_prepare_playbook.yaml", var.clone_path, "ibm-spectrum-scale-install-infra")
+ kp_encryption_configure_playbook = format("%s/%s/encryption_keyprotect_configure_playbook.yaml", var.clone_path, "ibm-spectrum-scale-install-infra")
+ kp_encryption_apply_playbook = format("%s/%s/encryption_keyprotect_apply_playbook.yaml", var.clone_path, "ibm-spectrum-scale-install-infra")
 }
 resource "local_sensitive_file" "write_meta_private_key" {
- count = (tobool(var.turn_on) == true && tobool(var.clone_complete) == true) ? 1 : 0
+ count = (tobool(var.turn_on) == true && tobool(var.clone_complete) == true && var.scale_encryption_type == "gklm") ? 1 : 0
 content = var.meta_private_key
 filename = local.gklm_private_key
 file_permission = "0600"
 }
 resource "null_resource" "perform_encryption_prepare" {
- count = (tobool(var.turn_on) == true && tobool(var.clone_complete) == true && tobool(var.create_scale_cluster) == true) ? 1 : 0
+ count = (tobool(var.turn_on) == true && tobool(var.clone_complete) == true && tobool(var.create_scale_cluster) == true && var.scale_encryption_type == "gklm") ? 1 : 0
 provisioner "local-exec" {
 interpreter = ["/bin/bash", "-c"]
 command = "/usr/local/bin/ansible-playbook -f 32 ${local.encryption_gklm_playbook} -e scale_cluster_clustername=${var.scale_cluster_clustername} -e ansible_ssh_private_key_file=${local.gklm_private_key} -e scale_encryption_admin_default_password=${var.scale_encryption_admin_default_password} -e scale_encryption_admin_password=${var.scale_encryption_admin_password} -e scale_encryption_admin_user=${var.scale_encryption_admin_username} -e scale_encryption_servers_list=${local.scale_encryption_servers}"
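Review bot: `kp_private_key` points at `storage_key/id_rsa` under `var.clone_path`, and the main.tf hunk in this commit feeds `module.generate_storage_cluster_keys.private_key_content` in as `meta_private_key` for the key_protect case, so this module now writes the storage cluster's private SSH key to disk a second time (0600, via the `local_sensitive_file` added later in the file). If the storage-cluster configuration module already materialises that key at the same path — the directory name suggests it might, but that code is not in view — two Terraform resources will own one file; if it does not, the duplicate copy should at least be explained, e.g. `# storage-cluster SSH key, written here so the kp_encryption_* playbooks can reach the storage nodes`. The `perform_encryption_prepare` resource continues past the hunk.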
@@ -52,7 +60,7 @@ resource "null_resource" "perform_encryption_prepare" {
 }
 resource "null_resource" "perform_encryption_storage" {
- count = (tobool(var.turn_on) == true && tobool(var.storage_cluster_encryption) == true && tobool(var.storage_cluster_create_complete) == true && tobool(var.remote_mount_create_complete) == true && tobool(var.create_scale_cluster) == true) ? 1 : 0
+ count = (tobool(var.turn_on) == true && tobool(var.storage_cluster_encryption) == true && tobool(var.storage_cluster_create_complete) == true && tobool(var.remote_mount_create_complete) == true && tobool(var.create_scale_cluster) == true && var.scale_encryption_type == "gklm") ? 1 : 0
 provisioner "local-exec" {
 interpreter = ["/bin/bash", "-c"]
 command = "/usr/local/bin/ansible-playbook -f 32 -i ${local.storage_inventory_path} ${local.encryption_cluster_playbook} -e scale_encryption_servers_dns=${local.scale_encryption_servers_dns}"
@@ -64,7 +72,7 @@ resource "null_resource" "perform_encryption_storage" {
 }
 resource "null_resource" "perform_encryption_compute" {
- count = (tobool(var.turn_on) == true && tobool(var.compute_cluster_encryption) == true && tobool(var.compute_cluster_create_complete) == true && tobool(var.remote_mount_create_complete) == true && tobool(var.create_scale_cluster) == true) ? 1 : 0
+ count = (tobool(var.turn_on) == true && tobool(var.compute_cluster_encryption) == true && tobool(var.compute_cluster_create_complete) == true && tobool(var.remote_mount_create_complete) == true && tobool(var.create_scale_cluster) == true && var.scale_encryption_type == "gklm") ? 1 : 0
 provisioner "local-exec" {
 interpreter = ["/bin/bash", "-c"]
 command = "/usr/local/bin/ansible-playbook -f 32 -i ${local.compute_inventory_path} ${local.encryption_cluster_playbook} -e scale_encryption_servers_dns=${local.scale_encryption_servers_dns}"
@@ -76,7 +84,7 @@ resource "null_resource" "perform_encryption_compute" {
 }
 resource "null_resource" "perform_encryption_combined" {
- count = (tobool(var.turn_on) == true && tobool(var.combined_cluster_encryption) == true && tobool(var.combined_cluster_create_complete) == true && tobool(var.create_scale_cluster) == true) ? 1 : 0
+ count = (tobool(var.turn_on) == true && tobool(var.combined_cluster_encryption) == true && tobool(var.combined_cluster_create_complete) == true && tobool(var.create_scale_cluster) == true && var.scale_encryption_type == "gklm") ? 1 : 0
 provisioner "local-exec" {
 interpreter = ["/bin/bash", "-c"]
 command = "/usr/local/bin/ansible-playbook -f 32 -i ${local.combined_inventory_path} ${local.encryption_cluster_playbook} -e scale_encryption_servers_dns=${local.scale_encryption_servers_dns}"
@@ -86,3 +94,70 @@ resource "null_resource" "perform_encryption_combined" {
 build = timestamp()
 }
 }
+
+resource "local_sensitive_file" "write_meta_keyprotect_private_key" {
+ count = (tobool(var.turn_on) == true && tobool(var.clone_complete) == true && var.scale_encryption_type == "key_protect") ? 1 : 0
+ content = var.meta_private_key
+ filename = local.kp_private_key
+ file_permission = "0600"
+}
+
+resource "null_resource" "perform_keyprotect_encryption_prepare" {
+ count = (tobool(var.turn_on) == true && tobool(var.clone_complete) == true && tobool(var.create_scale_cluster) == true && var.scale_encryption_type == "key_protect") ? 1 : 0
+ provisioner "local-exec" {
+ interpreter = ["/bin/bash", "-c"]
+ command = "/usr/local/bin/ansible-playbook -f 32 -i ${local.storage_inventory_path} ${local.kp_encryption_prepare_playbook} -e ansible_ssh_private_key_file=${local.kp_private_key} -e scale_encryption_admin_password=${var.scale_encryption_admin_password} -e kp_resource_prefix=${var.kp_resource_prefix} -e vpc_region=${var.vpc_region}"
+ }
+ depends_on = [local_sensitive_file.write_meta_keyprotect_private_key]
+ triggers = {
+ build = timestamp()
+ }
+}
+
+resource "null_resource" "perform_keyprotect_encryption_storage" {
+ count = (tobool(var.turn_on) == true && tobool(var.storage_cluster_encryption) == true && tobool(var.storage_cluster_create_complete) == true && tobool(var.remote_mount_create_complete) == true && tobool(var.create_scale_cluster) == true && var.scale_encryption_type == "key_protect") ? 1 : 0
+ provisioner "local-exec" {
+ interpreter = ["/bin/bash", "-c"]
+ command = "/usr/local/bin/ansible-playbook -f 32 -i ${local.storage_inventory_path} ${local.kp_encryption_configure_playbook} -e kp_resource_prefix=${var.kp_resource_prefix}"
+ }
+ depends_on = [null_resource.perform_keyprotect_encryption_prepare]
+ triggers = {
+ build = timestamp()
+ }
+}
+
+resource "null_resource" "perform_keyprotect_encryption_compute" {
+ count = (tobool(var.turn_on) == true && tobool(var.compute_cluster_encryption) == true && tobool(var.compute_cluster_create_complete) == true && tobool(var.remote_mount_create_complete) == true && tobool(var.create_scale_cluster) == true && var.scale_encryption_type == "key_protect") ? 1 : 0
+ provisioner "local-exec" {
+ interpreter = ["/bin/bash", "-c"]
+ command = "/usr/local/bin/ansible-playbook -f 32 -i ${local.compute_inventory_path} ${local.kp_encryption_configure_playbook} -e kp_resource_prefix=${var.kp_resource_prefix}"
+ }
+ depends_on = [null_resource.perform_keyprotect_encryption_prepare, null_resource.perform_keyprotect_encryption_storage]
+ triggers = {
+ build = timestamp()
+ }
+}
+
+resource "null_resource" "perform_keyprotect_encryption_combined" {
+ count = (tobool(var.turn_on) == true && tobool(var.combined_cluster_encryption) == true && tobool(var.combined_cluster_create_complete) == true && tobool(var.create_scale_cluster) == true && var.scale_encryption_type == "key_protect") ? 1 : 0
+ provisioner "local-exec" {
+ interpreter = ["/bin/bash", "-c"]
+ command = "/usr/local/bin/ansible-playbook -f 32 -i ${local.combined_inventory_path} ${local.kp_encryption_configure_playbook} -e kp_resource_prefix=${var.kp_resource_prefix}"
+ }
+ depends_on = [null_resource.perform_keyprotect_encryption_prepare]
+ triggers = {
+ build = timestamp()
+ }
+}
+
+resource "null_resource" "perform_keyprotect_encryption_apply" {
+ count = (tobool(var.turn_on) == true && tobool(var.clone_complete) == true && tobool(var.create_scale_cluster) == true && var.scale_encryption_type == "key_protect") ? 1 : 0
+ provisioner "local-exec" {
+ interpreter = ["/bin/bash", "-c"]
+ command = "sleep 60; /usr/local/bin/ansible-playbook -f 32 -i ${local.storage_inventory_path} ${local.kp_encryption_apply_playbook} -e ansible_ssh_private_key_file=${local.kp_private_key} -e scale_encryption_admin_password=${var.scale_encryption_admin_password} -e kp_resource_prefix=${var.kp_resource_prefix} -e vpc_region=${var.vpc_region} -e filesystem_mountpoint=${var.filesystem_mountpoint}"
+ }
+ depends_on = [null_resource.perform_keyprotect_encryption_prepare, null_resource.perform_keyprotect_encryption_storage]
+ triggers = {
+ build = timestamp()
+ }
+}
\ No newline at end of file
diff --git a/resources/common/scripts/prepare_scale_inv_ini.py b/resources/common/scripts/prepare_scale_inv_ini.py
index 4014e736..50b41ae2 100755
--- a/resources/common/scripts/prepare_scale_inv_ini.py
+++ b/resources/common/scripts/prepare_scale_inv_ini.py
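Review bot: `scale_encryption_admin_password` is interpolated unquoted into a `bash -c` string in both `perform_keyprotect_encryption_prepare` and `perform_keyprotect_encryption_apply`, so a password containing a space, `$`, `;` or a quote either breaks the command or is interpreted by the shell, and the value ends up in the ansible-playbook argument list, where any local user can read it via `ps` or `/proc/*/cmdline` and Terraform echoes it in provisioner output. Hand it over through a 0600 JSON file with `-e @file` instead, as sketched below (the pre-existing gklm command has the same problem but is outside this change). The `sleep 60;` in front of the apply playbook is a fixed delay standing in for an ordering dependency; whatever it waits for should be an explicit `depends_on` or a retry loop inside the kp_encryption_apply role rather than a timer. The file also loses its trailing newline (`\ No newline at end of file`).
```hcl
# extra-vars file keeps the admin password out of argv and out of Terraform's provisioner log
resource "local_sensitive_file" "kp_extra_vars" {
  count           = (tobool(var.turn_on) == true && tobool(var.clone_complete) == true && var.scale_encryption_type == "key_protect") ? 1 : 0
  content         = jsonencode({ scale_encryption_admin_password = var.scale_encryption_admin_password })
  filename        = format("%s/storage_key/kp_extra_vars.json", var.clone_path)
  file_permission = "0600"
}

# … unchanged: write_meta_keyprotect_private_key …

resource "null_resource" "perform_keyprotect_encryption_prepare" {
  # … unchanged: count …
  provisioner "local-exec" {
    interpreter = ["/bin/bash", "-c"]
    command     = "/usr/local/bin/ansible-playbook -f 32 -i ${local.storage_inventory_path} ${local.kp_encryption_prepare_playbook} -e ansible_ssh_private_key_file=${local.kp_private_key} -e @${one(local_sensitive_file.kp_extra_vars[*].filename)} -e kp_resource_prefix=${var.kp_resource_prefix} -e vpc_region=${var.vpc_region}"
  }
  depends_on = [local_sensitive_file.write_meta_keyprotect_private_key, local_sensitive_file.kp_extra_vars]
  # … unchanged: triggers …
}

# … same -e @file substitution for the password in perform_keyprotect_encryption_apply …
```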
@@ -321,10 +321,47 @@ def prepare_ansible_playbook_encryption_cluster(hosts_config): """ return content.format(hosts_config=hosts_config) +def prepare_ansible_playbook_encryption_keyprotect(hosts_config): + # Write to playbook + content = """--- +- hosts: "{{{{ groups['{hosts_config}'] | select('search', 'mgmt-001') | list | first }}}}" + collections: + - ibm.spectrum_scale + any_errors_fatal: true + roles: + - kp_encryption_prepare +""" + return content.format(hosts_config=hosts_config) + +def prepare_ansible_playbook_encryption_keyprotect_configure(hosts_config): + # Write to playbook + content = """--- +- hosts: {hosts_config} + collections: + - ibm.spectrum_scale + any_errors_fatal: true + roles: + - kp_encryption_configure +""" + return content.format(hosts_config=hosts_config) + +def prepare_ansible_playbook_encryption_keyprotect_apply(hosts_config): + # Write to playbook + content = """--- +# Enabling encryption on Storage Scale +- hosts: "{{{{ groups['{hosts_config}'] | select('search', 'mgmt-001') | list | first }}}}" + collections: + - ibm.spectrum_scale + any_errors_fatal: true + roles: + - kp_encryption_apply +""" + return content.format(hosts_config=hosts_config) + def initialize_cluster_details(scale_version, cluster_name, cluster_type, username, password, scale_profile_path, scale_replica_config, enable_mrot, enable_ces, enable_afm, storage_subnet_cidr, compute_subnet_cidr, protocol_gateway_ip, scale_remote_cluster_clustername, - scale_encryption_servers, scale_encryption_admin_password, enable_ldap, ldap_basedns, ldap_server, ldap_admin_password, afm_cos_bucket_details, afm_config_details): + scale_encryption_servers, scale_encryption_admin_password, scale_encryption_type, kp_resource_prefix, vpc_region, enable_ldap, ldap_basedns, ldap_server, ldap_admin_password, afm_cos_bucket_details, afm_config_details): """ Initialize cluster details. 
:args: scale_version (string), cluster_name (string), username (string), password (string), scale_profile_path (string), @@ -361,6 +398,9 @@ def initialize_cluster_details(scale_version, cluster_name, cluster_type, userna else: cluster_details['scale_encryption_servers'] = [] cluster_details['scale_encryption_admin_password'] = scale_encryption_admin_password + cluster_details['scale_encryption_type'] = scale_encryption_type + cluster_details['kp_resource_prefix'] = kp_resource_prefix + cluster_details['vpc_region'] = vpc_region cluster_details['enable_ldap'] = enable_ldap cluster_details['ldap_basedns'] = ldap_basedns cluster_details['ldap_server'] = ldap_server @@ -725,12 +765,18 @@ def initialize_scale_ces_details(smb, nfs, object, export_ip_pool, filesystem, m help='Configure CES on protocol nodes') PARSER.add_argument('--verbose', action='store_true', help='print log messages') - PARSER.add_argument('--scale_encryption_enabled', help='Enabling encryption feature with GKLM', - default=False) PARSER.add_argument('--scale_encryption_servers', help='List of key servers for encryption', default=[]) PARSER.add_argument('--scale_encryption_admin_password', help='Admin Password for the Key server', default="null") + PARSER.add_argument('--scale_encryption_type', help='Encryption type should be either GKLM or Key_Protect', + default="null") + PARSER.add_argument('--kp_resource_prefix', help='Key Protect Resource Prefix', + default="null") + PARSER.add_argument('--vpc_region', help='VPC Region', + default="null") + PARSER.add_argument('--scale_encryption_enabled', help='Enabling encryption feature', + default=False) PARSER.add_argument('--enable_ldap', help='Enabling the LDAP', default=False) PARSER.add_argument('--ldap_basedns', help='Base domain of ldap', 
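Review bot: `prepare_ansible_playbook_encryption_keyprotect`, `..._configure` and `..._apply` are one template written three times, differing only in the role name and whether `hosts` is narrowed to the first `mgmt-001` node; a single private helper such as `_keyprotect_playbook(hosts_config, role, first_mgmt_only=False)` behind three thin wrappers would remove the duplication and keep the three in step. `select('search', 'mgmt-001')` is a regex search, so it would also pick a host named like `…mgmt-0010` if node counts ever reach four digits; `select('match', '.*mgmt-001$')` or an anchored pattern is safer. `hosts_config` is spliced into the Jinja expression unescaped, which is fine for the fixed `"scale_nodes"` caller but should be stated in the docstring. The body of `initialize_cluster_details` lies outside the hunk.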
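Review bot: The help text for `--scale_encryption_type` says `GKLM or Key_Protect`, but the later hunk compares the value to the lowercase literals `"gklm"` and `"key_protect"`, so a user who types what the help suggests gets no encryption playbooks and no error. Constrain it at parse time and let argparse do the explaining: `PARSER.add_argument('--scale_encryption_type', choices=['gklm', 'key_protect', 'null'], default='null', help='Encryption type: gklm or key_protect')` (keeping `'null'` so the default still flows into cluster_details unchanged). `--scale_encryption_enabled` was only relocated; the surrounding argparse block continues outside the hunk.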
@@ -1045,7 +1091,7 @@ def initialize_scale_ces_details(smb, nfs, object, export_ip_pool, filesystem, m print("Content of ansible playbook:\n", playbook_content) # Step-4.1: Create Encryption playbook - if ARGUMENTS.scale_encryption_enabled == "true": + if ARGUMENTS.scale_encryption_enabled == "true" and ARGUMENTS.scale_encryption_type == "gklm": encryption_playbook_content = prepare_ansible_playbook_encryption_gklm() write_to_file("%s/%s/encryption_gklm_playbook.yaml" % (ARGUMENTS.install_infra_path, "ibm-spectrum-scale-install-infra"), encryption_playbook_content) @@ -1057,6 +1103,20 @@ def initialize_scale_ces_details(smb, nfs, object, export_ip_pool, filesystem, m print("Content of ansible playbook for encryption:\n", encryption_playbook_content) + # Step-4.2: Create Key Protect Encryption playbook + if ARGUMENTS.scale_encryption_enabled == "true" and ARGUMENTS.scale_encryption_type == "key_protect": + encryption_playbook_content = prepare_ansible_playbook_encryption_keyprotect("scale_nodes") + write_to_file("%s/%s/encryption_keyprotect_prepare_playbook.yaml" % (ARGUMENTS.install_infra_path, + "ibm-spectrum-scale-install-infra"), encryption_playbook_content) + encryption_playbook_content = prepare_ansible_playbook_encryption_keyprotect_configure( + "scale_nodes") + write_to_file("%s/%s/encryption_keyprotect_configure_playbook.yaml" % (ARGUMENTS.install_infra_path, + "ibm-spectrum-scale-install-infra"), encryption_playbook_content) + encryption_playbook_content = prepare_ansible_playbook_encryption_keyprotect_apply( + "scale_nodes") + write_to_file("%s/%s/encryption_keyprotect_apply_playbook.yaml" % (ARGUMENTS.install_infra_path, + "ibm-spectrum-scale-install-infra"), encryption_playbook_content) + # Step-5: Create hosts config = configparser.ConfigParser(allow_no_value=True) node_details = initialize_node_details(len(TF['vpc_availability_zones']), cluster_type, 
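Review bot: The Key Protect branch writes three playbooks with the same three statements repeated and, unlike the GKLM branch just above it, never echoes the generated content when `--verbose` is set, so a reader of the log sees the GKLM playbook but none of the Key Protect ones. A small table of (file name, builder) pairs iterated in a loop removes the triplication and makes the verbose print a single line that stays in step with the GKLM branch; I assume the GKLM print sits under an `ARGUMENTS.verbose` check, which lies outside the hunk. The enclosing block starts before and continues after this hunk.
```python
    # Step-4.2: Create Key Protect Encryption playbooks
    if ARGUMENTS.scale_encryption_enabled == "true" and ARGUMENTS.scale_encryption_type == "key_protect":
        keyprotect_playbooks = (
            ("encryption_keyprotect_prepare_playbook.yaml", prepare_ansible_playbook_encryption_keyprotect),
            ("encryption_keyprotect_configure_playbook.yaml", prepare_ansible_playbook_encryption_keyprotect_configure),
            ("encryption_keyprotect_apply_playbook.yaml", prepare_ansible_playbook_encryption_keyprotect_apply),
        )
        for playbook_file, build_playbook in keyprotect_playbooks:
            encryption_playbook_content = build_playbook("scale_nodes")
            write_to_file("%s/%s/%s" % (ARGUMENTS.install_infra_path,
                                        "ibm-spectrum-scale-install-infra", playbook_file),
                          encryption_playbook_content)
            if ARGUMENTS.verbose:
                print("Content of ansible playbook for encryption:\n", encryption_playbook_content)
    # … unchanged: Step-5 hosts config …
```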
@@ -1100,6 +1160,9 @@ def initialize_scale_ces_details(smb, nfs, object, export_ip_pool, filesystem, m TF['scale_remote_cluster_clustername'], ARGUMENTS.scale_encryption_servers, ARGUMENTS.scale_encryption_admin_password, + ARGUMENTS.scale_encryption_type, + ARGUMENTS.kp_resource_prefix, + ARGUMENTS.vpc_region, ARGUMENTS.enable_ldap, ARGUMENTS.ldap_basedns, ARGUMENTS.ldap_server, diff --git a/resources/common/storage_configuration/storage_configuration.tf b/resources/common/storage_configuration/storage_configuration.tf index 62e66438..ecf1420c 100644 --- a/resources/common/storage_configuration/storage_configuration.tf +++ b/resources/common/storage_configuration/storage_configuration.tf @@ -39,6 +39,9 @@ variable "scale_version" {} variable "spectrumscale_rpms_path" {} variable "enable_mrot_conf" {} variable "scale_encryption_enabled" {} +variable "scale_encryption_type" {} +variable "kp_resource_prefix" {} +variable "vpc_region" {} variable "scale_encryption_admin_password" {} variable "scale_encryption_servers" {} variable "disk_type" {} 
@@ -57,16 +60,17 @@ variable "afm_vcpus_count" {} variable "afm_bandwidth" {} locals { - scripts_path = replace(path.module, "storage_configuration", "scripts") - ansible_inv_script_path = var.inventory_format == "ini" ? format("%s/prepare_scale_inv_ini.py", local.scripts_path) : format("%s/prepare_scale_inv_json.py", local.scripts_path) - wait_for_ssh_script_path = format("%s/wait_for_ssh_availability.py", local.scripts_path) - scale_tuning_config_path = format("%s/%s", var.clone_path, "storagesncparams.profile") - storage_private_key = format("%s/storage_key/id_rsa", var.clone_path) #tfsec:ignore:GEN002 - default_metadata_replicas = var.default_metadata_replicas == null ? jsonencode("None") : jsonencode(var.default_metadata_replicas) - default_data_replicas = var.default_data_replicas == null ? jsonencode("None") : jsonencode(var.default_data_replicas) - storage_inventory_path = format("%s/%s/storage_inventory.ini", var.clone_path, "ibm-spectrum-scale-install-infra") - storage_playbook_path = format("%s/%s/storage_cloud_playbook.yaml", var.clone_path, "ibm-spectrum-scale-install-infra") - scale_encryption_servers = jsonencode(var.scale_encryption_servers) + scripts_path = replace(path.module, "storage_configuration", "scripts") + ansible_inv_script_path = var.inventory_format == "ini" ? format("%s/prepare_scale_inv_ini.py", local.scripts_path) : format("%s/prepare_scale_inv_json.py", local.scripts_path) + wait_for_ssh_script_path = format("%s/wait_for_ssh_availability.py", local.scripts_path) + scale_tuning_config_path = format("%s/%s", var.clone_path, "storagesncparams.profile") + storage_private_key = format("%s/storage_key/id_rsa", var.clone_path) #tfsec:ignore:GEN002 + default_metadata_replicas = var.default_metadata_replicas == null ? jsonencode("None") : jsonencode(var.default_metadata_replicas) + default_data_replicas = var.default_data_replicas == null ? 
jsonencode("None") : jsonencode(var.default_data_replicas) + storage_inventory_path = format("%s/%s/storage_inventory.ini", var.clone_path, "ibm-spectrum-scale-install-infra") + storage_playbook_path = format("%s/%s/storage_cloud_playbook.yaml", var.clone_path, "ibm-spectrum-scale-install-infra") + scale_encryption_servers = var.scale_encryption_enabled && var.scale_encryption_type == "gklm" ? jsonencode(var.scale_encryption_servers) : jsonencode("None") + scale_encryption_admin_password = var.scale_encryption_enabled ? var.scale_encryption_admin_password : "None" } resource "local_file" "create_storage_tuning_parameters" { 
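Review bot: The new `scale_encryption_servers` and `scale_encryption_admin_password` locals use `var.scale_encryption_enabled` directly in `&&` and `? :`, while every `count` expression in this file coerces it as `tobool(var.scale_encryption_enabled)`; write `tobool(var.scale_encryption_enabled) && var.scale_encryption_type == "gklm" ? jsonencode(var.scale_encryption_servers) : jsonencode("None")` so the locals and the resource counts agree on how the variable is interpreted. The fallback sentinels also deserve a look: these locals hand the string `"None"` to the inventory script, whereas that script's own argparse defaults (hunk `@@ -725,12 +765,18 @@` of the Python file) use `"null"`, so whichever value the downstream roles test for, one of the two paths carries the other sentinel; a comment naming the expected sentinel, or one shared value, would remove the ambiguity. `var.scale_encryption_type == "gklm"` is case-sensitive, which matches the Python comparisons but not the `GKLM or Key_Protect` wording of the CLI help.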
@@ -117,7 +121,7 @@ resource "null_resource" "prepare_ansible_inventory_using_jumphost_connection_en count = (tobool(var.turn_on) == true && tobool(var.clone_complete) == true && tobool(var.write_inventory_complete) == true && tobool(var.using_jumphost_connection) == true && tobool(var.scale_encryption_enabled) == true) && var.bastion_instance_public_ip != null && var.bastion_ssh_private_key != null ? 1 : 0 provisioner "local-exec" { interpreter = ["/bin/bash", "-c"] - command = "python3 ${local.ansible_inv_script_path} --tf_inv_path ${var.inventory_path} --install_infra_path ${var.clone_path} --instance_private_key ${local.storage_private_key} --bastion_user ${var.bastion_user} --bastion_ip ${var.bastion_instance_public_ip} --bastion_ssh_private_key ${var.bastion_ssh_private_key} --disk_type ${var.disk_type} --default_metadata_replicas ${local.default_metadata_replicas} --max_metadata_replicas ${var.max_metadata_replicas} --default_data_replicas ${local.default_data_replicas} --max_data_replicas ${var.max_data_replicas} --using_packer_image ${var.using_packer_image} --using_rest_initialization ${var.using_rest_initialization} --gui_username ${var.storage_cluster_gui_username} --gui_password ${var.storage_cluster_gui_password} --enable_mrot_conf ${var.enable_mrot_conf} --enable_ces ${var.enable_ces} --scale_encryption_enabled ${var.scale_encryption_enabled} --scale_encryption_servers ${local.scale_encryption_servers} --scale_encryption_admin_password ${var.scale_encryption_admin_password} --enable_ldap ${var.enable_ldap} --ldap_basedns ${var.ldap_basedns} --ldap_server ${var.ldap_server} --ldap_admin_password ${var.ldap_admin_password} --mgmt_memory ${var.mgmt_memory} --mgmt_vcpus_count ${var.mgmt_vcpus_count} --mgmt_bandwidth ${var.mgmt_bandwidth} --strg_desc_memory ${var.strg_desc_memory} --strg_desc_vcpus_count ${var.strg_desc_vcpus_count} --strg_desc_bandwidth ${var.strg_desc_bandwidth} --strg_memory ${var.strg_memory} --strg_vcpus_count ${var.strg_vcpus_count} 
--strg_bandwidth ${var.strg_bandwidth} --proto_memory ${var.proto_memory} --proto_vcpus_count ${var.proto_vcpus_count} --proto_bandwidth ${var.proto_bandwidth} --strg_proto_memory ${var.strg_proto_memory} --strg_proto_vcpus_count ${var.strg_proto_vcpus_count} --strg_proto_bandwidth ${var.strg_proto_bandwidth} --colocate_protocol_cluster_instances ${var.colocate_protocol_cluster_instances} --is_colocate_protocol_subset ${var.is_colocate_protocol_subset} --enable_afm ${var.enable_afm} --afm_memory ${var.afm_memory} --afm_vcpus_count ${var.afm_vcpus_count} --afm_bandwidth ${var.afm_bandwidth}" + command = "python3 ${local.ansible_inv_script_path} --tf_inv_path ${var.inventory_path} --install_infra_path ${var.clone_path} --instance_private_key ${local.storage_private_key} --vpc_region ${var.vpc_region} --bastion_user ${var.bastion_user} --bastion_ip ${var.bastion_instance_public_ip} --bastion_ssh_private_key ${var.bastion_ssh_private_key} --disk_type ${var.disk_type} --default_metadata_replicas ${local.default_metadata_replicas} --max_metadata_replicas ${var.max_metadata_replicas} --default_data_replicas ${local.default_data_replicas} --max_data_replicas ${var.max_data_replicas} --using_packer_image ${var.using_packer_image} --using_rest_initialization ${var.using_rest_initialization} --gui_username ${var.storage_cluster_gui_username} --gui_password ${var.storage_cluster_gui_password} --enable_mrot_conf ${var.enable_mrot_conf} --enable_ces ${var.enable_ces} --scale_encryption_enabled ${var.scale_encryption_enabled} --scale_encryption_servers ${local.scale_encryption_servers} --scale_encryption_admin_password ${local.scale_encryption_admin_password} --scale_encryption_type ${var.scale_encryption_type} --kp_resource_prefix ${var.kp_resource_prefix} --enable_ldap ${var.enable_ldap} --ldap_basedns ${var.ldap_basedns} --ldap_server ${var.ldap_server} --ldap_admin_password ${var.ldap_admin_password} --mgmt_memory ${var.mgmt_memory} --mgmt_vcpus_count ${var.mgmt_vcpus_count} 
--mgmt_bandwidth ${var.mgmt_bandwidth} --strg_desc_memory ${var.strg_desc_memory} --strg_desc_vcpus_count ${var.strg_desc_vcpus_count} --strg_desc_bandwidth ${var.strg_desc_bandwidth} --strg_memory ${var.strg_memory} --strg_vcpus_count ${var.strg_vcpus_count} --strg_bandwidth ${var.strg_bandwidth} --proto_memory ${var.proto_memory} --proto_vcpus_count ${var.proto_vcpus_count} --proto_bandwidth ${var.proto_bandwidth} --strg_proto_memory ${var.strg_proto_memory} --strg_proto_vcpus_count ${var.strg_proto_vcpus_count} --strg_proto_bandwidth ${var.strg_proto_bandwidth} --colocate_protocol_cluster_instances ${var.colocate_protocol_cluster_instances} --is_colocate_protocol_subset ${var.is_colocate_protocol_subset} --enable_afm ${var.enable_afm} --afm_memory ${var.afm_memory} --afm_vcpus_count ${var.afm_vcpus_count} --afm_bandwidth ${var.afm_bandwidth}" } depends_on = [local_file.create_storage_tuning_parameters, local_sensitive_file.write_meta_private_key] triggers = { 
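Review bot: The three flags added to the `command` string, `--vpc_region ${var.vpc_region}`, `--scale_encryption_type ${var.scale_encryption_type}` and `--kp_resource_prefix ${var.kp_resource_prefix}`, are interpolated unquoted into a `bash -c` string; for a GKLM deployment where `kp_resource_prefix` is presumably empty, the token vanishes and argparse aborts with `expected one argument` for `--kp_resource_prefix`, which is a confusing failure for a flag that does not apply. Single-quoting the new interpolations, e.g. `--kp_resource_prefix '${var.kp_resource_prefix}'`, keeps an empty value as an explicit empty argument; the older flags follow the same unquoted pattern, but the new ones are the first that may legitimately be empty. The same applies to the hunk at `@@ -141,7 +145,7 @@` in this file. The `null_resource` block's `triggers` map continues beyond the hunk.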
@@ -141,7 +145,7 @@ resource "null_resource" "prepare_ansible_inventory_encryption" { count = (tobool(var.turn_on) == true && tobool(var.clone_complete) == true && tobool(var.write_inventory_complete) == true && tobool(var.using_jumphost_connection) == false && tobool(var.scale_encryption_enabled) == true) ? 1 : 0 provisioner "local-exec" { interpreter = ["/bin/bash", "-c"] - command = "python3 ${local.ansible_inv_script_path} --tf_inv_path ${var.inventory_path} --install_infra_path ${var.clone_path} --instance_private_key ${local.storage_private_key} --disk_type ${var.disk_type} --default_metadata_replicas ${local.default_metadata_replicas} --max_metadata_replicas ${var.max_metadata_replicas} --default_data_replicas ${local.default_data_replicas} --max_data_replicas ${var.max_data_replicas} --using_packer_image ${var.using_packer_image} --using_rest_initialization ${var.using_rest_initialization} --gui_username ${var.storage_cluster_gui_username} --gui_password ${var.storage_cluster_gui_password} --enable_mrot_conf ${var.enable_mrot_conf} --enable_ces ${var.enable_ces} --scale_encryption_enabled ${var.scale_encryption_enabled} --scale_encryption_servers ${local.scale_encryption_servers} --scale_encryption_admin_password ${var.scale_encryption_admin_password} --enable_ldap ${var.enable_ldap} --ldap_basedns ${var.ldap_basedns} --ldap_server ${var.ldap_server} --ldap_admin_password ${var.ldap_admin_password} --mgmt_memory ${var.mgmt_memory} --mgmt_vcpus_count ${var.mgmt_vcpus_count} --mgmt_bandwidth ${var.mgmt_bandwidth} --strg_desc_memory ${var.strg_desc_memory} --strg_desc_vcpus_count ${var.strg_desc_vcpus_count} --strg_desc_bandwidth ${var.strg_desc_bandwidth} --strg_memory ${var.strg_memory} --strg_vcpus_count ${var.strg_vcpus_count} --strg_bandwidth ${var.strg_bandwidth} --proto_memory ${var.proto_memory} --proto_vcpus_count ${var.proto_vcpus_count} --proto_bandwidth ${var.proto_bandwidth} --strg_proto_memory ${var.strg_proto_memory} --strg_proto_vcpus_count 
${var.strg_proto_vcpus_count} --strg_proto_bandwidth ${var.strg_proto_bandwidth} --colocate_protocol_cluster_instances ${var.colocate_protocol_cluster_instances} --is_colocate_protocol_subset ${var.is_colocate_protocol_subset} --enable_afm ${var.enable_afm} --afm_memory ${var.afm_memory} --afm_vcpus_count ${var.afm_vcpus_count} --afm_bandwidth ${var.afm_bandwidth}" + command = "python3 ${local.ansible_inv_script_path} --tf_inv_path ${var.inventory_path} --install_infra_path ${var.clone_path} --instance_private_key ${local.storage_private_key} --vpc_region ${var.vpc_region} --disk_type ${var.disk_type} --default_metadata_replicas ${local.default_metadata_replicas} --max_metadata_replicas ${var.max_metadata_replicas} --default_data_replicas ${local.default_data_replicas} --max_data_replicas ${var.max_data_replicas} --using_packer_image ${var.using_packer_image} --using_rest_initialization ${var.using_rest_initialization} --gui_username ${var.storage_cluster_gui_username} --gui_password ${var.storage_cluster_gui_password} --enable_mrot_conf ${var.enable_mrot_conf} --enable_ces ${var.enable_ces} --scale_encryption_enabled ${var.scale_encryption_enabled} --scale_encryption_servers ${local.scale_encryption_servers} --scale_encryption_admin_password ${local.scale_encryption_admin_password} --scale_encryption_type ${var.scale_encryption_type} --kp_resource_prefix ${var.kp_resource_prefix} --enable_ldap ${var.enable_ldap} --ldap_basedns ${var.ldap_basedns} --ldap_server ${var.ldap_server} --ldap_admin_password ${var.ldap_admin_password} --mgmt_memory ${var.mgmt_memory} --mgmt_vcpus_count ${var.mgmt_vcpus_count} --mgmt_bandwidth ${var.mgmt_bandwidth} --strg_desc_memory ${var.strg_desc_memory} --strg_desc_vcpus_count ${var.strg_desc_vcpus_count} --strg_desc_bandwidth ${var.strg_desc_bandwidth} --strg_memory ${var.strg_memory} --strg_vcpus_count ${var.strg_vcpus_count} --strg_bandwidth ${var.strg_bandwidth} --proto_memory ${var.proto_memory} --proto_vcpus_count 
${var.proto_vcpus_count} --proto_bandwidth ${var.proto_bandwidth} --strg_proto_memory ${var.strg_proto_memory} --strg_proto_vcpus_count ${var.strg_proto_vcpus_count} --strg_proto_bandwidth ${var.strg_proto_bandwidth} --colocate_protocol_cluster_instances ${var.colocate_protocol_cluster_instances} --is_colocate_protocol_subset ${var.is_colocate_protocol_subset} --enable_afm ${var.enable_afm} --afm_memory ${var.afm_memory} --afm_vcpus_count ${var.afm_vcpus_count} --afm_bandwidth ${var.afm_bandwidth}" } depends_on = [local_file.create_storage_tuning_parameters, local_sensitive_file.write_meta_private_key] triggers = { diff --git a/resources/ibmcloud/compute/key_protect/key_protect.tf b/resources/ibmcloud/compute/key_protect/key_protect.tf new file mode 100644 index 00000000..48e17262 --- /dev/null +++ b/resources/ibmcloud/compute/key_protect/key_protect.tf 
@@ -0,0 +1,81 @@ +/* + Creates specified number of IBM Cloud Virtual Server Instance(s). +*/ + +terraform { + required_providers { + ibm = { + source = "IBM-Cloud/ibm" + } + } +} + +variable "resource_prefix" {} +variable "vpc_region" {} +variable "resource_group_id" {} +variable "key_protect_path" {} +variable "resource_tags" {} +variable "vpc_storage_cluster_dns_domain" {} + +resource "null_resource" "openssl_commands" { + provisioner "local-exec" { + command = < "${var.key_protect_path}/Key_Protect_Server.cert" + # Extract the end date of the certificate + [ -f "${var.key_protect_path}/Key_Protect_Server.cert" ] && END_DATE=$(openssl x509 -enddate -noout -in "${var.key_protect_path}/Key_Protect_Server.cert" | awk -F'=' '{print $2}') + # Get the current date in GMT + CURRENT_DATE=$(date -u +"%b %d %T %Y %Z") + # Calculate the difference in days + DIFF_DAYS=$(echo $(( ( $(date -ud "$END_DATE" +%s) - $(date -ud "$CURRENT_DATE" +%s) ) / 86400 ))) + # Create a Key Protect Server Root and CA certs + [ -f "${var.key_protect_path}/Key_Protect_Server.cert" ] && awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "${var.key_protect_path}/Key_Protect_Server.cert" > "${var.key_protect_path}/Key_Protect_Server_CA.cert" + [ -f "${var.key_protect_path}/Key_Protect_Server_CA.cert" ] && awk '/-----BEGIN CERTIFICATE-----/{x="${var.key_protect_path}/Key_Protect_Server.chain"i".cert"; i++} {print > x}' "${var.key_protect_path}/Key_Protect_Server_CA.cert" + [ -f "${var.key_protect_path}/Key_Protect_Server.chain.cert" ] && mv "${var.key_protect_path}/Key_Protect_Server.chain.cert" "${var.key_protect_path}/Key_Protect_Server.chain0.cert" + # Create a Self Signed Certificates + [ ! -f "${var.key_protect_path}/${var.resource_prefix}.key" ] && openssl genpkey -algorithm RSA -out "${var.key_protect_path}/${var.resource_prefix}.key" + [ ! 
-f "${var.key_protect_path}/${var.resource_prefix}.csr" ] && openssl req -new -key "${var.key_protect_path}/${var.resource_prefix}.key" -out "${var.key_protect_path}/${var.resource_prefix}.csr" -subj "/CN=${var.vpc_storage_cluster_dns_domain}" + [ ! -f "${var.key_protect_path}/${var.resource_prefix}.cert" ] && openssl x509 -req -days $DIFF_DAYS -in "${var.key_protect_path}/${var.resource_prefix}.csr" -signkey "${var.key_protect_path}/${var.resource_prefix}.key" -out "${var.key_protect_path}/${var.resource_prefix}.cert" + EOT + } +} + +data "local_file" "kpclient_cert" { + depends_on = [null_resource.openssl_commands] + filename = "${var.key_protect_path}/${var.resource_prefix}.cert" +} + +resource "ibm_resource_instance" "kms_instance" { + name = format("%s-kp", var.resource_prefix) + service = "kms" + plan = "tiered-pricing" + location = var.vpc_region + resource_group_id = var.resource_group_id + tags = var.resource_tags +} + +resource "ibm_kms_key" "key" { + instance_id = ibm_resource_instance.kms_instance.guid + key_name = "key" + standard_key = false +} + +resource "ibm_kms_kmip_adapter" "myadapter" { + instance_id = ibm_resource_instance.kms_instance.guid + profile = "native_1.0" + profile_data = { + "crk_id" = ibm_kms_key.key.key_id + } + description = "Key Protect adapter" + name = format("%s-kp-adapter", var.resource_prefix) +} + +resource "ibm_kms_kmip_client_cert" "mycert" { + instance_id = ibm_resource_instance.kms_instance.guid + adapter_id = ibm_kms_kmip_adapter.myadapter.adapter_id + certificate = data.local_file.kpclient_cert.content + name = format("%s-kp-cert", var.resource_prefix) + depends_on = [data.local_file.kpclient_cert] +} \ No newline at end of file
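Review bot: The KMIP client private key written by `openssl genpkey -algorithm RSA -out "${var.key_protect_path}/${var.resource_prefix}.key"` is unencrypted, created under the default umask, and sized by OpenSSL's default; start the script with `umask 077` (or `chmod 600` the key immediately after) and pin the size with `-pkeyopt rsa_keygen_bits:4096`. The provisioner's exit status is that of its last line, `[ ! -f "…${var.resource_prefix}.cert" ] && openssl x509 …`, which returns 1 whenever the cert already exists, so a re-run of the provisioner fails although nothing is wrong; an `if [ ! -f … ]; then … fi` form returns 0 when the step is skipped. The lines that populate `END_DATE` are lost in this rendering, but if the server-cert fetch fails silently through the `[ -f … ] &&` guards, `DIFF_DAYS` is computed from an empty `END_DATE` and becomes the `-days` of the self-signed cert; add `[ -n "$END_DATE" ] || exit 1` before that arithmetic. The header comment `Creates specified number of IBM Cloud Virtual Server Instance(s).` describes a different module; replace it with something like `Creates the Key Protect instance, root key and KMIP adapter, and registers a locally generated self-signed client certificate.`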