From 57d127bdd92dd92b434fa83d42457e51f9edc505 Mon Sep 17 00:00:00 2001
From: Piyush Kumar Sahu
Date: Tue, 19 Aug 2025 11:47:19 +0530
Subject: [PATCH 1/3] improve da user experience
---
 ibm_catalog.json | 113 ++++++++++++++++++++--
 solutions/fully-configurable/variables.tf | 17 ++--
 2 files changed, 112 insertions(+), 18 deletions(-)
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 695f1d1..13b2724 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -31,21 +31,34 @@
 "features": [
 {
 "title": "Application load balancer",
- "description": "Sets up an IBM Cloud Application load balancer (ALB) within a Virtual Private Cloud (VPC) environment to manage and distribute incoming network traffic across multiple backend targets. [Learn more](https://cloud.ibm.com/docs/vpc?topic=vpc-load-balancers)."
+ "description": "Sets up an IBM Cloud Application load balancer (ALB) within a Virtual Private Cloud (VPC) environment to manage and distribute incoming network traffic across multiple backend targets. [Learn more](https://cloud.ibm.com/docs/vpc?topic=vpc-load-balancers)"
 },
 {
 "title": "Private Path Network load balancer.",
- "description": "Sets up an IBM Private Path Network load balancer with a backend pool to connect to the VPE Gateway. [Learn more](https://cloud.ibm.com/docs/vpc?topic=vpc-ppnlb-ui-creating-private-path-network-load-balancer&interface=ui)."
+ "description": "Sets up an IBM Private Path Network load balancer with a backend pool to connect to the VPE Gateway. [Learn more](https://cloud.ibm.com/docs/vpc?topic=vpc-ppnlb-ui-creating-private-path-network-load-balancer&interface=ui)"
 },
 {
 "title": "Private Path service",
- "description": "Creates an IBM VPC Private Path services provide private connectivity for IBM Cloud and third-party services. [Learn more](https://cloud.ibm.com/docs/vpc?topic=vpc-private-path-service-intro)."
+ "description": "Creates an IBM VPC Private Path services provide private connectivity for IBM Cloud and third-party services. [Learn more](https://cloud.ibm.com/docs/vpc?topic=vpc-private-path-service-intro)"
+ },
+ {
+ "title": "Observability",
+ "description": "This solution can leverage [Cloud automation for Observability](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-observability-a3137d28-79e0-479d-8a24-758ebd5a0eab-global) that supports configuring resources for logging, monitoring and activity tracker event routing (optional)."
+ },
+ {
+ "title": "Object Storage",
+ "description": "Creates and configures an [Object Storage bucket](https://cloud.ibm.com/docs/openshift?topic=openshift-storage-cos-understand) to store VPC flow logs as part of the deployment. You can provide an existing COS Instance or use the [Cloud automation for Object Storage](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-cos-68921490-2778-4930-ac6d-bae7be6cd958-global) for creating a new instance."
+ },
+ {
+ "title": "KMS Encryption",
+ "description": "Optionally you can enable key management services(KMS) [encryption](https://cloud.ibm.com/docs/openshift?topic=openshift-encryption-secrets) of the Object Storage bucket using either a newly created key or an existing one."
 }
 ],
 "flavors": [
 {
 "label": "Fully configurable",
 "name": "fully-configurable",
+ "index": 1,
 "install_type": "fullstack",
 "working_directory": "solutions/fully-configurable",
 "compliance": {
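Review bot: The two new feature descriptions link to OpenShift cluster documentation (`openshift-storage-cos-understand` and `openshift-encryption-secrets`) for what this offering actually does, which is create a COS bucket for VPC flow logs and optionally KMS-encrypt it; a reader following those links lands on cluster storage and secrets-encryption pages that do not describe this deployment's data-at-rest controls. Point the `Object Storage` and `KMS Encryption` entries at the Object Storage and key-management service documentation instead so the feature list accurately documents what is encrypted and how. The modified Private Path service description also still reads "Creates an IBM VPC Private Path services provide private connectivity", which should be `Creates an IBM VPC Private Path service, which provides private connectivity for IBM Cloud and third-party services.`.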
@@ -63,28 +76,75 @@
 "crn:v1:bluemix:public:iam::::role:Administrator"
 ],
 "service_name": "iam-identity",
- "notes": "[Optional] Required if Cloud automation for account configuration is enabled."
+ "notes": "Required for creating account configuration"
 },
 {
 "role_crns": [
 "crn:v1:bluemix:public:iam::::role:Administrator"
 ],
- "service_name": "is.vpc",
- "notes": "[Optional] Required if Cloud automation for Virtual Private Cloud(VPC) is enabled."
+ "service_name": "All Identity and Access enabled services",
+ "notes": "Required for creating auth policy for the services"
 },
 {
 "role_crns": [
- "crn:v1:bluemix:public:iam::::role:Editor"
+ "crn:v1:bluemix:public:iam::::role:Administrator"
 ],
 "service_name": "is.vpc",
- "notes": "Required for creating Private-path service and Application Load balancer."
+ "notes": "[Optional] Required if Cloud automation for Virtual Private Cloud(VPC) is enabled."
 },
 {
 "role_crns": [
 "crn:v1:bluemix:public:iam::::role:Viewer"
 ],
 "service_name": "Resource group only",
- "notes": "Viewer access is required in the resource group you want to provision in."
+ "notes": "[Optional] Required if Cloud automation for Account Configuration is enabled."
+ },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "service_name": "cloud-object-storage",
+ "notes": "[Optional] Required if Cloud automation for Virtual Private Cloud(VPC) is enabled which sets up a bucket to store VPC flow logs as part of the deployment."
+ },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "service_name": "kms",
+ "notes": "[Optional] Required if KMS encryption is enabled and Key protect is used for encryption of Object Storage bucket which stores VPC flow logs."
+ },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "service_name": "sysdig-monitor",
+ "notes": "[Optional] Required if you are consuming Observability deployable architecture which sets up Cloud monitoring."
+ },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "service_name": "logs",
+ "notes": "[Optional] Required if you are consuming Observability deployable architecture which sets up Cloud logs."
+ },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Writer",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "service_name": "atracker",
+ "notes": "[Optional] Required if you are consuming Observability deployable architecture which sets up Activity Tracker Event Routing."
+ },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::role:Administrator"
+ ],
+ "service_name": "metrics-router",
+ "notes": "[Optional] Required if you are consuming Observability deployable architecture which sets up Metrics Routing."
 }
 ],
 "configuration": [
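Review bot: The `is.vpc` entry with `role:Editor` and the note "Required for creating Private-path service and Application Load balancer." is removed here, and the only `is.vpc` entry that remains is marked `[Optional] Required if Cloud automation for Virtual Private Cloud(VPC) is enabled.`, so the permission list no longer states what a consumer who supplies an existing VPC needs for the Private Path service, the NLB and the ALB this offering creates itself. That is a least-privilege documentation regression: consumers will either be under-permissioned at apply time or grant Administrator on `is.vpc` when, going by the removed note, Editor sufficed. Restore the unconditional Editor entry for `is.vpc` next to the optional Administrator one. The same gap persists in the patch 2 hunk `@@ -73,31 +73,31 @@`, which reorders the entries but still lists `is.vpc` only as optional; the unconditional `All Identity and Access enabled services` Administrator entry added here with `Required for creating auth policy for the services` should also name which authorization policy this offering creates so the grant can be scoped.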
@@ -107,10 +167,33 @@
 "key": "prefix",
 "required": true
 },
+ {
+ "key": "enable_platform_metrics",
+ "type": "string",
+ "default_value": true,
+ "description": "When set to `true`, the IBM Cloud Monitoring instance will be configured to collect platform metrics from the provided region. You can configure 1 instance only of the IBM Cloud Monitoring service per region to collect platform metrics in that location. Check with the account or service administrator if another monitoring instance has already been configured. You may not have permissions to see all monitoring instances in the region. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-platform_metrics_enabling).",
+ "required": true,
+ "virtual": true
+ },
+ {
+ "key": "logs_routing_tenant_regions",
+ "type": "list(string)",
+ "default_value": "[]",
+ "description": "To manage platform logs that are generated by IBM Cloud services in a region of IBM Cloud, you must create a tenant in each region that you operate. Pass a list of regions to create a tenant in. [Learn more](https://cloud.ibm.com/docs/logs-router?topic=logs-router-about-platform-logs).",
+ "required": true,
+ "virtual": true,
+ "custom_config": {
+ "grouping": "deployment",
+ "original_grouping": "deployment",
+ "config_constraints": {
+ "type": "string"
+ }
+ }
+ },
 {
 "key": "existing_resource_group_name",
 "display_name": "resource_group",
- "required": true,
+ "type": "string",
 "custom_config": {
 "type": "resource_group",
 "grouping": "deployment",
@@ -369,6 +452,16 @@
 {
 "dependency_output": "vpc_id",
 "version_input": "existing_vpc_id"
+ },
+ {
+ "dependency_input": "enable_platform_metrics",
+ "version_input": "enable_platform_metrics",
+ "reference_version": true
+ },
+ {
+ "dependency_input": "logs_routing_tenant_regions",
+ "version_input": "logs_routing_tenant_regions",
+ "reference_version": true
 }
 ],
 "optional": true,
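Review bot: `enable_platform_metrics` is declared with `"type": "string"` but its `"default_value": true` is a JSON boolean, and its description documents it as a `true` toggle; the neighbouring `logs_routing_tenant_regions` entry keeps type and default consistent (`"list(string)"` with the string `"[]"` and a string `config_constraints`), so this one looks like an oversight. Declare it as `"type": "boolean"` so the value does not have to round-trip through free text before it reaches the dependency. The same key is wired to the observability dependency input in the second hunk (`@@ -369,6 +452,16 @@`) with `"reference_version": true`, so presumably a string here would be what the referenced deployment receives.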
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 5bc646c..e9719fe 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -10,13 +10,14 @@ variable "ibmcloud_api_key" {
 
 variable "existing_resource_group_name" {
 type = string
- description = "The name of an existing resource group in which to provision the private path services in."
+ description = "The name of an existing resource group to provision the resources. If not provided the default resource group will be used."
 default = "Default"
 }
 
 variable "region" {
 type = string
- description = "The region in which the VPC resources are provisioned."
+ description = "The region to provision all the resources in. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/region) about how to select different regions for different services."
+ default = "us-south"
 }
 
 variable "provider_visibility" {
@@ -74,7 +75,7 @@ variable "private_path_access_tags" {
 ##############################################################################
 
 variable "existing_vpc_id" {
- description = "The ID of an existing VPC. If the user provides only the `existing_vpc_id` the private path service will be provisioned in the first subnet."
+ description = "The ID of an existing VPC. If the user provides only the `existing_vpc_id`, the private path service will be provisioned in the first subnet."
 type = string
 default = null
 validation {
@@ -107,7 +108,7 @@ variable "application_loadbalancer_type" {
 
 variable "application_loadbalancer_pool_algorithm" {
 type = string
- description = "The load-balancing algorithm for private path netwrok load balancer pool members. Supported values are `round_robin` or `weighted_round_robin`."
+ description = "The load-balancing algorithm for private path network load balancer pool members. Supported values are `round_robin` or `weighted_round_robin`."
 default = "round_robin"
 }
 
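Review bot: The new `existing_resource_group_name` description says "If not provided the default resource group will be used.", but the variable's `default = "Default"` is a literal resource-group name, not a lookup of the account's default group, so on an account whose default group was renamed the deployment fails to find a group called `Default` rather than falling back. Either describe the actual behaviour, e.g. `description = "The name of an existing resource group to provision the resources in. Defaults to a resource group named Default."`, or keep the previous wording. The added `default = "us-south"` for `region` also means a consumer who skips the field silently provisions everything in a US region; given the offering's stated privacy and compliance audience, state the default in the description so data residency is an explicit choice rather than an accident.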
@@ -149,7 +150,7 @@ variable "application_loadbalancer_pool_protocol" {
 
 variable "application_loadbalancer_listener_port" {
 type = number
- description = "The listener port for the private path netwrok load balancer."
+ description = "The listener port for the private path network load balancer."
 default = 80
 }
 
@@ -183,13 +184,13 @@ variable "application_loadbalancer_listener_certificate_instance" {
 
 variable "network_loadbalancer_name" {
 type = string
- description = "The name of the private path netwrok load balancer."
+ description = "The name of the private path network load balancer."
 default = "pp-nlb"
 }
 
 variable "network_loadbalancer_listener_port" {
 type = number
- description = "The listener port for the private path netwrok load balancer."
+ description = "The listener port for the private path network load balancer."
 default = 80
 }
 
@@ -201,7 +202,7 @@ variable "network_loadbalancer_listener_accept_proxy_protocol" {
 
 variable "network_loadbalancer_pool_algorithm" {
 type = string
- description = "The load-balancing algorithm for private path netwrok load balancer pool members. Supported values are `round_robin` or `weighted_round_robin`."
+ description = "The load-balancing algorithm for private path network load balancer pool members. Supported values are `round_robin` or `weighted_round_robin`."
 default = "round_robin"
 }
 
From 0a5b6a115e6b2d4280e6da4ebab07376689360f6 Mon Sep 17 00:00:00 2001
From: Piyush Kumar Sahu
Date: Mon, 25 Aug 2025 11:48:33 +0530
Subject: [PATCH 2/3] Updated permission
---
 common-dev-assets | 2 +-
 ibm_catalog.json | 22 +++++++++++-----------
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/common-dev-assets b/common-dev-assets
index 6887f0a..7179ae4 160000
--- a/common-dev-assets
+++ b/common-dev-assets
@@ -1 +1 @@
-Subproject commit 6887f0a9285a9a67766f435a115b7d5fb28c54fc
+Subproject commit 7179ae4f3446b3816fa2d72c873f8f8e86797836
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 13b2724..fcc2d22 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -23,7 +23,7 @@
 "terraform",
 "solution"
 ],
- "short_description": "Automates the deployment of a VPC Private path service on IBM Cloud with integration of Application loadbalancer for external connectivity.",
+ "short_description": "Automates the deployment of a VPC Private path service on IBM Cloud with integration of Application load balancer for external connectivity.",
 "long_description": "Private network connectivity is essential for IBM Cloud customers who prioritize privacy, security, and compliance.\n\nThrough Private path services for VPC, providers can deliver their cloud and on-premises services over the IBM Cloud private network backbone, ensuring secure and private interactions for consumers.\n\nYou can use this solution to provision and configure a VPC Private path service to securely connect services hosted in IBM Cloud VPC, on-premise or other reachable external locations.\n\nℹ️ This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.",
 "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-vpc-private-path-external-connectivity/blob/main/solutions/fully-configurable/README.md",
 "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-vpc-private-path-external-connectivity/main/images/private_path.svg",
@@ -73,31 +73,31 @@
 "iam_permissions": [
 {
 "role_crns": [
- "crn:v1:bluemix:public:iam::::role:Administrator"
+ "crn:v1:bluemix:public:iam::::role:Viewer"
 ],
- "service_name": "iam-identity",
- "notes": "Required for creating account configuration"
+ "service_name": "Resource group only",
+ "notes": "Viewer access is required in the resource group you want to provision in."
 },
 {
 "role_crns": [
 "crn:v1:bluemix:public:iam::::role:Administrator"
 ],
- "service_name": "All Identity and Access enabled services",
- "notes": "Required for creating auth policy for the services"
+ "service_name": "All Account Management services",
+ "notes": "[Optional] Required for consuming Account Configuration deployable architecture which creates resource group."
 },
 {
 "role_crns": [
 "crn:v1:bluemix:public:iam::::role:Administrator"
 ],
- "service_name": "is.vpc",
- "notes": "[Optional] Required if Cloud automation for Virtual Private Cloud(VPC) is enabled."
+ "service_name": "All Identity and Access enabled services",
+ "notes": "[Optional] Required for consuming Account Configuration deployable architecture which creates resource group with account setting."
 },
 {
 "role_crns": [
- "crn:v1:bluemix:public:iam::::role:Viewer"
+ "crn:v1:bluemix:public:iam::::role:Administrator"
 ],
- "service_name": "Resource group only",
- "notes": "[Optional] Required if Cloud automation for Account Configuration is enabled."
+ "service_name": "is.vpc",
+ "notes": "[Optional] Required if Cloud automation for Virtual Private Cloud(VPC) is enabled."
 },
 {
 "role_crns": [
From 0717c1e0267ea4886c8aebeacfde3274226a731e Mon Sep 17 00:00:00 2001
From: Piyush Kumar Sahu
Date: Mon, 25 Aug 2025 17:13:20 +0530
Subject: [PATCH 3/3] further update the permission
---
 ibm_catalog.json | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/ibm_catalog.json b/ibm_catalog.json
index fcc2d22..c462694 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -115,6 +115,14 @@
 "service_name": "kms",
 "notes": "[Optional] Required if KMS encryption is enabled and Key protect is used for encryption of Object Storage bucket which stores VPC flow logs."
 },
+ {
+ "role_crns": [
+ "crn:v1:bluemix:public:iam::::serviceRole:Manager",
+ "crn:v1:bluemix:public:iam::::role:Editor"
+ ],
+ "service_name": "hs-crypto",
+ "notes": "[Optional] Required if you are creating/configuring keys in an existing Hyper Protect Crypto Services (HPCS) instance for encryption."
+ },
 {
 "role_crns": [
 "crn:v1:bluemix:public:iam::::serviceRole:Manager",
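Review bot: The new `hs-crypto` note is conditioned on "creating/configuring keys in an existing Hyper Protect Crypto Services (HPCS) instance", while the `kms` entry directly above it is conditioned on "KMS encryption is enabled and Key protect is used for encryption of Object Storage bucket which stores VPC flow logs"; presumably these are the two alternatives for the same bucket encryption, but as worded they read as covering different features, so a consumer choosing HPCS may grant both. Align the condition so each entry names the same trigger and the bucket it protects, e.g. `"notes": "[Optional] Required if KMS encryption is enabled and an existing Hyper Protect Crypto Services (HPCS) instance is used for encryption of Object Storage bucket which stores VPC flow logs."`. Keeping the two notes parallel makes the least-privilege choice between Key Protect and HPCS explicit.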