Dev

.gitignore

@@ -0,0 +1,46 @@
+# Global files to ignore in the project
+
+# macOS files to ignore
+.DS_Store
+._*
+
+# Visual Studio Code files to ignore
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+*.code-workspace
+.history/
+
+# Node files to ignore
+node_modules
+bower_components
+build/Release
+web_modules/
+keys/
+.npm
+*.tgz
+.env
+.env.test
+.cache/
+
+# Log files to ignore
+logs
+*.log*
+
+# Keys and Certificates files to ignore
+*.crt
+*.pem
+*.key
+
+# Terraform files to ignore
+**/.terraform/*
+*.tf.bkp
+*.tfstate
+*.tfstate.*
+*.auto.tfvars
+*.lock.hcl
+crash.log
+test
+terraform_key.json

main.tf

@@ -1,23 +1,22 @@
-
 # provider block required with Schematics to set VPC region
 provider "ibm" {
   region = var.ibm_region
   #ibmcloud_api_key = var.ibmcloud_api_key
-  generation = local.generation
-  version    = "~> 1.4"
+  # generation = local.generation
+  # version    = "~> 1.4"
 }
 
 data "ibm_resource_group" "all_rg" {
   name = var.resource_group_name
 }
 
 locals {
-  generation     = 2
+  # generation     = 2
   frontend_count = 2
   backend_count  = 1
+  datagov_count  = 1
 }
 
-
 ##################################################################################################
 #  Select CIDRs allowed to access bastion host  
 #  When running under Schematics allowed ingress CIDRs are set to only allow access from Schematics  
@@ -33,54 +32,53 @@ locals {
   geo    = substr(local.region, 0, 2)
   schematics_ssh_access_map = {
     us = ["169.44.0.0/14", "169.60.0.0/14"],
-    eu = ["158.175.0.0/16","158.176.0.0/15","141.125.75.80/28","161.156.139.192/28","149.81.103.128/28"],
+    eu = ["158.175.0.0/16", "158.176.0.0/15", "141.125.75.80/28", "161.156.139.192/28", "149.81.103.128/28"],
   }
   schematics_ssh_access = lookup(local.schematics_ssh_access_map, local.geo, ["0.0.0.0/0"])
   bastion_ingress_cidr  = var.ssh_source_cidr_override[0] != "0.0.0.0/0" ? var.ssh_source_cidr_override : local.schematics_ssh_access
 }
 
 
 module "vpc" {
-  source               = "./vpc"
-  ibm_region           = var.ibm_region
-  resource_group_name  = var.resource_group_name
-  generation           = local.generation
+  source              = "./vpc"
+  ibm_region          = var.ibm_region
+  resource_group_name = var.resource_group_name
+  # generation           = local.generation
   unique_id            = var.vpc_name
   frontend_count       = local.frontend_count
   frontend_cidr_blocks = local.frontend_cidr_blocks
   backend_count        = local.backend_count
   backend_cidr_blocks  = local.backend_cidr_blocks
+  datagov_count        = local.datagov_count
+  datagov_cidr_blocks  = local.datagov_cidr_blocks
 }
 
 locals {
   # bastion_cidr_blocks  = [cidrsubnet(var.bastion_cidr, 4, 0), cidrsubnet(var.bastion_cidr, 4, 2), cidrsubnet(var.bastion_cidr, 4, 4)]
   frontend_cidr_blocks = [cidrsubnet(var.frontend_cidr, 4, 0), cidrsubnet(var.frontend_cidr, 4, 2), cidrsubnet(var.frontend_cidr, 4, 4)]
   backend_cidr_blocks  = [cidrsubnet(var.backend_cidr, 4, 0), cidrsubnet(var.backend_cidr, 4, 2), cidrsubnet(var.backend_cidr, 4, 4)]
+  datagov_cidr_blocks  = [cidrsubnet(var.datagov_cidr, 4, 0), cidrsubnet(var.datagov_cidr, 4, 2), cidrsubnet(var.datagov_cidr, 4, 4)]
 }
 
 
 # Create single zone bastion
 module "bastion" {
-  source                   = "./bastionmodule"
+  source                   = "./modules/bastion"
   ibm_region               = var.ibm_region
   bastion_count            = 1
   unique_id                = var.vpc_name
   ibm_is_vpc_id            = module.vpc.vpc_id
   ibm_is_resource_group_id = data.ibm_resource_group.all_rg.id
   bastion_cidr             = var.bastion_cidr
   ssh_source_cidr_blocks   = local.bastion_ingress_cidr
-  destination_cidr_blocks  = [var.frontend_cidr, var.backend_cidr]
-  destination_sgs          = [module.frontend.security_group_id, module.backend.security_group_id]
-  # destination_sg          = [module.frontend.security_group_id, module.backend.security_group_id]
-  # vsi_profile             = "cx2-2x4"
-  # image_name              = "ibm-centos-7-6-minimal-amd64-1"
+  destination_cidr_blocks  = [var.frontend_cidr, var.backend_cidr, var.datagov_cidr]
+  destination_sgs          = [module.frontend.security_group_id, module.backend.security_group_id, module.datagov.security_group_id]
   ssh_key_id = data.ibm_is_ssh_key.sshkey.id
 
 }
 
-
 module "frontend" {
-  source                   = "./frontendmodule"
+  source                   = "./modules/frontend"
   ibm_region               = var.ibm_region
   unique_id                = var.vpc_name
   ibm_is_vpc_id            = module.vpc.vpc_id
@@ -92,12 +90,13 @@ module "frontend" {
   subnet_ids               = module.vpc.frontend_subnet_ids
   bastion_remote_sg_id     = module.bastion.security_group_id
   bastion_subnet_CIDR      = var.bastion_cidr
-  pub_repo_egress_cidr     = local.pub_repo_egress_cidr
   app_backend_sg_id        = module.backend.security_group_id
+  app_datagov_sg_id        = module.datagov.security_group_id
+  pub_repo_egress_cidr     = local.pub_repo_egress_cidr
 }
 
 module "backend" {
-  source                   = "./backendmodule"
+  source                   = "./modules/backend"
   ibm_region               = var.ibm_region
   unique_id                = var.vpc_name
   ibm_is_vpc_id            = module.vpc.vpc_id
@@ -110,13 +109,32 @@ module "backend" {
   bastion_remote_sg_id     = module.bastion.security_group_id
   bastion_subnet_CIDR      = var.bastion_cidr
   app_frontend_sg_id       = module.frontend.security_group_id
+  app_datagov_sg_id        = module.datagov.security_group_id
+  pub_repo_egress_cidr     = local.pub_repo_egress_cidr
+}
+
+module "datagov" {
+  source                   = "./modules/datagovernance"
+  ibm_region               = var.ibm_region
+  unique_id                = var.vpc_name
+  ibm_is_vpc_id            = module.vpc.vpc_id
+  ibm_is_resource_group_id = data.ibm_resource_group.all_rg.id
+  datagov_count            = local.datagov_count
+  profile                  = var.profile
+  ibm_is_image_id          = data.ibm_is_image.os.id
+  ibm_is_ssh_key_id        = data.ibm_is_ssh_key.sshkey.id
+  subnet_ids               = module.vpc.datagov_subnet_ids
+  bastion_remote_sg_id     = module.bastion.security_group_id
+  bastion_subnet_CIDR      = var.bastion_cidr
+  app_frontend_sg_id       = module.frontend.security_group_id
+  app_backend_sg_id        = module.backend.security_group_id
   pub_repo_egress_cidr     = local.pub_repo_egress_cidr
 }
 
 module "accesscheck" {
-  source          = "./accesscheck"
+  source          = "./modules/accesscheck"
   ssh_accesscheck = var.ssh_accesscheck
   ssh_private_key = var.ssh_private_key
   bastion_host    = module.bastion.bastion_ip_addresses[0]
-  target_hosts    = concat(module.frontend.primary_ipv4_address, module.backend.primary_ipv4_address)
+  target_hosts    = concat(module.frontend.primary_ipv4_address, module.backend.primary_ipv4_address, module.datagov.primary_ipv4_address)
 }

modules/accesscheck/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    ibm = {
+      source = "ibm-cloud/ibm"
+      version = "1.30.0"
+    }
+  }
+}
+

backendmodule/main.tf → modules/backend/main.tf

@@ -96,6 +96,8 @@ locals {
   sg_rules = [
     ["inbound", var.bastion_remote_sg_id, "tcp", 22, 22],
     ["inbound", var.app_frontend_sg_id, "tcp", 27017, 27017],
+    ["inbound", var.app_datagov_sg_id, "tcp", 27017, 27017],
+    ["outbound", var.app_datagov_sg_id, "tcp", 9300, 9300],
     ["outbound", "161.26.0.0/24", "tcp", 443, 443],
     ["outbound", "161.26.0.0/24", "tcp", 80, 80],
     ["outbound", "161.26.0.0/24", "udp", 53, 53],

backendmodule/vars.tf → modules/backend/vars.tf

@@ -33,6 +33,9 @@ variable "subnet_ids" {
 variable "app_frontend_sg_id" {
 }
 
+variable "app_datagov_sg_id" {
+}
+
 # bastion sg requiring access to backend security group
 variable "bastion_remote_sg_id" {
 }

modules/backend/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    ibm = {
+      source = "ibm-cloud/ibm"
+      version = "1.30.0"
+    }
+  }
+}
+

modules/bastion/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    ibm = {
+      source = "ibm-cloud/ibm"
+      version = "1.30.0"
+    }
+  }
+}
+

modules/create_services/main.tf

@@ -0,0 +1,142 @@
+# Cloud logging	
+resource "ibm_resource_instance" "logging" {
+  count             = var.create_logging ? 1 : 0
+  name              = "${var.basename}-logging"
+  resource_group_id = var.resource_group_id
+  service           = "logdna"
+  plan              = "7-day"
+  location          = var.region
+  tags              = concat(var.tags, ["service"])
+}
+
+resource "ibm_resource_key" "logging_key" {
+  count                = var.create_logging ? 1 : 0
+  name                 = "${var.basename}-logging-key"
+  resource_instance_id = ibm_resource_instance.logging.0.id
+  role                 = "Manager"
+}
+
+# Cloud monitoring	
+resource "ibm_resource_instance" "monitoring" {
+  count             = var.create_monitoring ? 1 : 0
+  name              = "${var.basename}-monitoring"
+  resource_group_id = var.resource_group_id
+  service           = "sysdig-monitor"
+  plan              = "graduated-tier"
+  location          = var.region
+  tags              = concat(var.tags, ["service"])
+}
+
+resource "ibm_resource_key" "monitoring_key" {
+  count                = var.create_monitoring ? 1 : 0
+  name                 = "${var.basename}-monitoring-key"
+  resource_instance_id = ibm_resource_instance.monitoring.0.id
+  role                 = "Manager"
+}
+
+# Create Key protect + root key
+resource "ibm_resource_instance" "keyprotect" {
+
+  name              = "${var.basename}-kms"
+  resource_group_id = var.resource_group_id
+  service           = "kms"
+  plan              = "tiered-pricing"
+  location          = var.region
+  tags              = concat(var.tags, ["service"])
+  service_endpoints = "private"
+}
+
+resource "ibm_kms_key" "key" {
+  instance_id  = ibm_resource_instance.keyprotect.guid
+  key_name     = "root_key"
+  standard_key = false
+  force_delete = true
+}
+
+# Create Cloud Object Storage service, policy and COS bucket
+
+resource "ibm_resource_instance" "cos" {
+
+  name              = "${var.basename}-cos"
+  resource_group_id = var.resource_group_id
+  service           = "cloud-object-storage"
+  plan              = "standard"
+  location          = "global"
+  tags              = concat(var.tags, ["service"])
+  service_endpoints = "private"
+}
+
+resource "ibm_resource_key" "cos_key" {
+
+  name                 = "${var.basename}-cos-key"
+  resource_instance_id = ibm_resource_instance.cos.id
+  role                 = "Writer"
+
+  parameters = {
+    service-endpoints = "private"
+    HMAC              = true
+  }
+  depends_on           = [ibm_iam_authorization_policy.cos_policy]
+}
+
+resource "ibm_iam_authorization_policy" "cos_policy" {
+  source_service_name         = "cloud-object-storage"
+  source_resource_instance_id = ibm_resource_instance.cos.guid
+  target_service_name         = ibm_kms_key.key.type
+  target_resource_instance_id = ibm_resource_instance.keyprotect.guid
+  roles                       = ["Reader"]
+}
+
+resource "random_uuid" "uuid" {
+}
+
+resource "ibm_cos_bucket" "bucket" {
+  bucket_name          = "${var.basename}-${random_uuid.uuid.result}-bucket"
+  key_protect          = ibm_kms_key.key.crn
+  resource_instance_id = ibm_resource_instance.cos.id
+  region_location      = var.region
+  storage_class        = "smart"
+  force_delete         = true
+  depends_on           = [ibm_iam_authorization_policy.cos_policy]
+}
+
+# Create a Postgresql DB 
+
+resource "ibm_database" "postgresql" {
+  resource_group_id = var.resource_group_id
+  name              = "${var.basename}-postgres"
+  service           = "databases-for-postgresql"
+  plan              = "standard"
+  location          = var.region
+  tags              = concat(var.tags, ["service"])
+  key_protect_key   = ibm_kms_key.key.crn
+  service_endpoints = "private"
+  depends_on        = [ibm_iam_authorization_policy.postgresql_policy]
+}
+
+resource "ibm_resource_key" "postgresql_key" {
+  name                 = "${var.basename}-postgresql-key"
+  resource_instance_id = ibm_database.postgresql.id
+  role                 = "Administrator"
+
+  parameters = {
+    service-endpoints = "private"
+  }
+  depends_on        = [ibm_iam_authorization_policy.postgresql_policy]
+}
+
+resource "ibm_iam_authorization_policy" "postgresql_policy" {
+  source_service_name         = "databases-for-postgresql"
+  target_service_name         = ibm_kms_key.key.type
+  target_resource_instance_id = ibm_resource_instance.keyprotect.guid
+  roles                       = ["Reader", "AuthorizationDelegator"]
+}
+
+resource "time_sleep" "wait_for_postgresql_initialization" {
+  #count               = var.step2_create_vpc || var.step4_create_dedicated ? 1 : 0
+  depends_on = [
+    ibm_database.postgresql
+  ]
+
+  create_duration = "5m"
+}