generated from terraform-ibm-modules/terraform-ibm-module-template
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain.tf
141 lines (125 loc) · 5.93 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
#######################################################################################################################
# Local Variables
#######################################################################################################################
locals {
# watsonx.data values
watsonx_data_datacenter_mapping = {
"us-south" = "ibm:us-south:dal",
"eu-gb" = "ibm:eu-gb:lon",
"eu-de" = "ibm:eu-de:fra",
"jp-tok" = "ibm:jp-tok:tok",
"au-syd" = "ibm:au-syd:syd"
}
watsonx_data_datacenter = local.watsonx_data_datacenter_mapping[var.region]
account_id = var.existing_watsonx_data_instance_crn != null ? module.crn_parser[0].account_id : ibm_resource_instance.data_instance[0].account_id
watsonx_data_id = var.existing_watsonx_data_instance_crn != null ? data.ibm_resource_instance.existing_data_instance[0].id : ibm_resource_instance.data_instance[0].id
watsonx_data_crn = var.existing_watsonx_data_instance_crn != null ? data.ibm_resource_instance.existing_data_instance[0].crn : resource.ibm_resource_instance.data_instance[0].crn
watsonx_data_guid = var.existing_watsonx_data_instance_crn != null ? data.ibm_resource_instance.existing_data_instance[0].guid : resource.ibm_resource_instance.data_instance[0].guid
watsonx_data_name = var.existing_watsonx_data_instance_crn != null ? data.ibm_resource_instance.existing_data_instance[0].resource_name : resource.ibm_resource_instance.data_instance[0].resource_name
watsonx_data_plan_id = var.existing_watsonx_data_instance_crn != null ? null : resource.ibm_resource_instance.data_instance[0].resource_plan_id
watsonx_data_dashboard_url = var.existing_watsonx_data_instance_crn != null ? null : resource.ibm_resource_instance.data_instance[0].dashboard_url
}
module "crn_parser" {
count = var.existing_watsonx_data_instance_crn != null ? 1 : 0
source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
version = "1.1.0"
crn = var.existing_watsonx_data_instance_crn
}
module "kms_key_crn_parser" {
count = var.enable_kms_encryption ? 1 : 0
source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
version = "1.1.0"
crn = var.watsonx_data_kms_key_crn
}
# KMS values
locals {
# kms not applicable for plan - `lakehouse-enterprise-mcsp`
validate_kms_plan = var.plan == "lakehouse-enterprise" && var.watsonx_data_kms_key_crn != null
kms_service = local.validate_kms_plan ? try(module.kms_key_crn_parser[0].service_name, null) : null
kms_account_id = local.validate_kms_plan ? try(module.kms_key_crn_parser[0].account_id, null) : null
kms_key_id = local.validate_kms_plan ? try(module.kms_key_crn_parser[0].resource, null) : null
target_resource_instance_id = local.validate_kms_plan ? try(module.kms_key_crn_parser[0].service_instance, null) : null
}
########################################################################################################################
# watsonx.data
########################################################################################################################
data "ibm_resource_instance" "existing_data_instance" {
count = var.existing_watsonx_data_instance_crn != null ? 1 : 0
identifier = var.existing_watsonx_data_instance_crn
}
resource "ibm_resource_instance" "data_instance" {
count = var.existing_watsonx_data_instance_crn != null ? 0 : 1
name = var.watsonx_data_name
service = "lakehouse"
plan = var.plan
location = var.region
resource_group_id = var.resource_group_id
tags = var.resource_tags
timeouts {
create = "15m"
update = "15m"
delete = "15m"
}
parameters = {
datacenter : local.watsonx_data_datacenter
cloud_type : "ibm"
region : var.region
use_case : var.use_case
kms_instance : var.watsonx_data_kms_key_crn
kms_key : local.kms_key_id
}
}
##############################################################################
# Attach Access Tags
##############################################################################
resource "ibm_resource_tag" "watsonx_data_tag" {
count = length(var.access_tags) != 0 ? 1 : 0
resource_id = local.watsonx_data_crn
tags = var.access_tags
tag_type = "access"
}
##############################################################################
# IAM Authorization Policy
##############################################################################
resource "ibm_iam_authorization_policy" "kms_policy" {
count = !var.enable_kms_encryption || var.skip_iam_authorization_policy ? 0 : 1
source_service_name = "lakehouse"
source_resource_instance_id = ibm_resource_instance.data_instance[0].guid
roles = ["Reader"]
resource_attributes {
name = "serviceName"
operator = "stringEquals"
value = local.kms_service
}
resource_attributes {
name = "accountId"
operator = "stringEquals"
value = local.kms_account_id
}
resource_attributes {
name = "serviceInstance"
operator = "stringEquals"
value = local.target_resource_instance_id
}
resource_attributes {
name = "resourceType"
operator = "stringEquals"
value = "key"
}
resource_attributes {
name = "resource"
operator = "stringEquals"
value = local.kms_key_id
}
# Scope of policy now includes the key, so ensure to create new policy before
# destroying old one to prevent any disruption to every day services.
lifecycle {
create_before_destroy = true
}
}
# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
resource "time_sleep" "wait_for_kms_authorization_policy" {
count = !var.enable_kms_encryption || var.skip_iam_authorization_policy ? 0 : 1
depends_on = [ibm_iam_authorization_policy.kms_policy]
create_duration = "30s"
}