Add terraform scripts to provision ODM landing zone on IBM Cloud (#191)

* added terraform for ODM on ROKS

* updated readme

Author: lionelmace

.gitignore

@@ -1,3 +1,17 @@
 *.iml
 output
 /.vscode
+
+
+# Local .terraform directories
+**/.terraform/*
+# .tfstate files
+*.tfstate
+*.tfstate.*
+*.terraform.lock.hcl
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+#
+# *.tfvars

platform/roks/README.md

@@ -43,15 +43,22 @@ Then, create an [IBM Cloud Account](https://cloud.ibm.com/registration).
 
 ### 1. Prepare your environment (20 min)
 
-Create your IBM Cloud account and set up your first ROKS cluster following this [IBM Cloud tutorial](https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_tutorial&locale=en). Then, create a project for ODM deployment:
+1. Create your IBM Cloud account
 
-```bash
-oc new-project odm-tutorial
-```
+1. Follow the steps to provision the full infrastructure via Terraform in this [README](./terraform/README.md)
+
+    > Should you want to provision the cluster via the Console, you could follow this [IBM Cloud tutorial](https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_tutorial&locale=en).
+
+1. Then, create an OpenShift project for ODM deployment:
+
+    ```bash
+    oc new-project odm-tutorial
+    ```
 
 ### 2. Prepare your environment for the ODM installation (5 min)
 
 To get access to the ODM material, you must have an IBM entitlement key to pull the images from the IBM Cloud Container registry.
+
 This is what will be used in the next step of this tutorial.
 
 #### a. Retrieve your entitled registry key

platform/roks/terraform/README.md

@@ -0,0 +1,80 @@
+# Provision an ODM landing zone on IBM CLoud
+
+> Estimated duration: 60 mins
+
+These Terraform scripts will provision the following Cloud Services in IBM Cloud:
+
+* a Resource Group to host resources
+* a VPC with 3 subnets across a MZR (Multi Zone Region)
+* a managed OpenShift cluster (ROKS)
+* a managed Postgres Database
+
+You can then ssh into the newly created VSI.
+
+| Terraform | Estimation Duration |
+| --------- | --------- |
+| Apply     | ~60 mins |
+| Destroy   | ~5-10 mins |
+
+## Before you begin
+
+This lab requires the following command lines:
+
+* [IBM Cloud CLI](https://github.com/IBM-Cloud/ibm-cloud-cli-release/releases)
+* [Terraform CLI](https://developer.hashicorp.com/terraform/downloads)
+* [git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)
+* [jq CLI JSON processor](https://jqlang.github.io/jq/download/)
+
+> Unless you are Administrator of the Cloud Account, you need permissions to be able to provision VPC Resources. Ask the Administrator run the Terraform in `iam` folder.
+
+## Provisioning Steps
+
+1. Clone this repository
+
+    ```sh
+    git clone https://github.com/lionelmace/learn-ibm-terraform
+    ```
+
+1. Login to IBM Cloud
+
+    ```sh
+    ibmcloud login
+    ```
+
+1. Create and store the value of an API KEY as environment variable
+
+    ```sh
+    export IBMCLOUD_API_KEY=$(ibmcloud iam api-key-create my-api-key --output json | jq -r .apikey)
+    ```
+
+    > If the variable "ibmcloud_api_key" is set in your provider,
+    > you can initialize it using the following command
+    > export TF_VAR_ibmcloud_api_key="Your IBM Cloud API Key"
+
+1. Terraform must initialize the provider before it can be used.
+
+    ```sh
+    terraform init
+    ```
+
+1. Review the plan
+
+    ```sh
+    terraform plan
+    ```
+
+1. Start provisioning.
+
+   > Estimated duration: 45-60 mins
+
+    ```sh
+    terraform apply --var-file="odm.auto.tfvars"
+    ```
+
+## Destroy Resources
+
+1. Clean up the resources to avoid cost
+
+    ```sh
+    terraform destroy
+    ```

platform/roks/terraform/account-rg.tf

@@ -0,0 +1,27 @@
+##############################################################################
+# Create a resource group or reuse an existing one
+##############################################################################
+
+variable "existing_resource_group_name" {
+  default     = ""
+  description = "(Optional) Name of an existing resource group where to create resources"
+}
+
+resource "ibm_resource_group" "group" {
+  count = var.existing_resource_group_name != "" ? 0 : 1
+  name  = "${local.basename}-group"
+  tags  = var.tags
+}
+
+data "ibm_resource_group" "group" {
+  count = var.existing_resource_group_name != "" ? 1 : 0
+  name  = var.existing_resource_group_name
+}
+
+locals {
+  resource_group_id = var.existing_resource_group_name != "" ? data.ibm_resource_group.group.0.id : ibm_resource_group.group.0.id
+}
+
+# output "resource_group_name" {
+#   value = ibm_resource_group.group.name
+# }

platform/roks/terraform/container-openshift.tf

@@ -0,0 +1,171 @@
+
+# OpenShift Variables
+##############################################################################
+
+variable "openshift_cluster_name" {
+  description = "Name of the cluster"
+  type        = string
+  default     = "roks"
+}
+
+variable "openshift_version" {
+  description = "The OpenShift version that you want to set up in your cluster."
+  type        = string
+  default     = ""
+}
+
+variable "openshift_os" {
+  description = "The Operating System (REDHAT_8_64 or RHCOS) for the Worker Nodes."
+  type        = string
+  default     = "RHCOS"
+}
+
+variable "openshift_machine_flavor" {
+  description = " The default flavor of the OpenShift worker node."
+  type        = string
+  default     = "bx2.4x16"
+}
+
+variable "openshift_worker_nodes_per_zone" {
+  description = "The number of worker nodes per zone in the default worker pool."
+  type        = number
+  default     = 1
+}
+
+variable "worker_labels" {
+  description = "Labels on all the workers in the default worker pool."
+  type        = map(any)
+  default     = null
+}
+
+variable "openshift_wait_till" {
+  description = "specify the stage when Terraform to mark the cluster creation as completed."
+  type        = string
+  default     = "OneWorkerNodeReady"
+
+  validation {
+    error_message = "`openshift_wait_till` value must be one of `MasterNodeReady`, `OneWorkerNodeReady`, or `IngressReady`."
+    condition = contains([
+      "MasterNodeReady",
+      "OneWorkerNodeReady",
+      "IngressReady"
+    ], var.openshift_wait_till)
+  }
+}
+
+variable "openshift_disable_outbound_traffic_protection" {
+  description = "Include this option to allow public outbound access from the cluster workers."
+  type        = bool
+  default     = true
+}
+
+variable "openshift_disable_public_service_endpoint" {
+  description = "Boolean value true if Public service endpoint to be disabled."
+  type        = bool
+  default     = false
+}
+
+variable "openshift_force_delete_storage" {
+  description = "force the removal of persistent storage associated with the cluster during cluster deletion."
+  type        = bool
+  default     = true
+}
+
+variable "kms_config" {
+  type    = list(map(string))
+  default = []
+}
+
+variable "entitlement" {
+  description = "Enable openshift entitlement during cluster creation ."
+  type        = string
+  default     = "cloud_pak"
+}
+
+variable "openshift_update_all_workers" {
+  description = "OpenShift version of the worker nodes is updated."
+  type        = bool
+  default     = true
+}
+
+variable "is_openshift_cluster" {
+  type    = bool
+  default = true
+}
+
+variable "roks_worker_pools" {
+  description = "List of maps describing worker pools"
+
+  type = list(object({
+    pool_name        = string
+    machine_type     = string
+    workers_per_zone = number
+  }))
+
+  default = [
+    {
+      pool_name        = "dev"
+      machine_type     = "bx2.4x16"
+      workers_per_zone = 1
+    }
+  ]
+
+  validation {
+    error_message = "Worker pool names must match the regex `^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$`."
+    condition = length([
+      for pool in var.roks_worker_pools :
+      false if !can(regex("^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$", pool.pool_name))
+    ]) == 0
+  }
+
+  validation {
+    error_message = "Worker pools cannot have duplicate names."
+    condition = length(distinct([
+      for pool in var.roks_worker_pools :
+      pool.pool_name
+    ])) == length(var.roks_worker_pools)
+  }
+}
+
+## Resources
+##############################################################################
+resource "ibm_container_vpc_cluster" "roks_cluster" {
+  name              = format("%s-%s", local.basename, var.openshift_cluster_name)
+  vpc_id            = ibm_is_vpc.vpc.id
+  resource_group_id = local.resource_group_id
+  # Optional: Specify OpenShift version. If not included, 4.15 is used
+  kube_version         = var.openshift_version == "" ? "4.15_openshift" : var.openshift_version
+  operating_system     = var.openshift_os
+  cos_instance_crn     = var.is_openshift_cluster ? ibm_resource_instance.cos_openshift_registry[0].id : null
+  entitlement          = var.entitlement
+  force_delete_storage = var.openshift_force_delete_storage
+  tags                 = var.tags
+  update_all_workers   = var.openshift_update_all_workers
+
+  flavor                          = var.openshift_machine_flavor
+  worker_count                    = var.openshift_worker_nodes_per_zone
+  wait_till                       = var.openshift_wait_till
+  disable_public_service_endpoint = var.openshift_disable_public_service_endpoint
+  # By default, public outbound access is blocked in OpenShift versions 4.15
+  disable_outbound_traffic_protection = var.openshift_disable_outbound_traffic_protection
+
+  dynamic "zones" {
+    for_each = { for subnet in ibm_is_subnet.subnet : subnet.id => subnet }
+    content {
+      name      = zones.value.zone
+      subnet_id = zones.value.id
+    }
+  }
+}
+
+# Object Storage to backup the OpenShift Internal Registry
+##############################################################################
+resource "ibm_resource_instance" "cos_openshift_registry" {
+  count             = var.is_openshift_cluster ? 1 : 0
+  name              = join("-", [local.basename, "cos-registry"])
+  resource_group_id = local.resource_group_id
+  service           = "cloud-object-storage"
+  plan              = "standard"
+  location          = "global"
+  tags              = var.tags
+}