This Terraform template deploys a serverless job on IBM Cloud Code Engine that runs the quay.io/cloud-governance/cloud-governance:latest container image on a scheduled basis to apply tags to supported resources.
The deployment creates the following resources:
- Resource group: Container for the Code Engine Project
- Code Engine Project: Container for all Code Engine resources
- Secret: Stores sensitive configuration data (API keys, credentials)
- ConfigMap: Stores non-sensitive configuration data
- Job: Serverless job definition with the cloud-governance container
- Cron scheduler: Runs the job on the configured schedule
Note: Job scheduling is not currently supported by the IBM Cloud Terraform provider and must be configured separately via the CLI after deployment.
As the redhat-performance/cloud-governance tool does not yet support IBM Cloud's Trusted Profiles feature, regular API keys are used for authentication.
- IBM Cloud Account: Ensure you have an active IBM Cloud account
- Terraform: Install Terraform
- IBM Cloud CLI:
Log in using a one-time passcode.
```sh
ibmcloud login -a https://cloud.ibm.com -u passcode -p <passcode>
```
Note: The easiest method to get the passcode is to log into the IBM Cloud console via a browser, click on the avatar icon in the top-right corner, and click on Log in to CLI and API.
- Copy the example configuration file:
  ```sh
  cp terraform.tfvars.example terraform.tfvars
  ```
- Edit terraform.tfvars with your specific values:
  ```hcl
  config_data = {
    "IBM_CUSTOM_TAGS_LIST" = "tag1:value1,tag2:value2,tag3:value3"
    "account" = "Account Name"
    "RESOURCE_TO_TAG" = "resource_instances,virtual_servers,schematics_workspaces"
    ...
  }
  ```
  Note: If Classic Infrastructure access is required, generate and configure an IBM Cloud API key as IBM_API_KEY and leave IBM_API_USERNAME as the default value:
  ```hcl
  secret_data = {
    "IBM_API_KEY" = "<Personal IBM Cloud API Key>"
    "IBM_API_USERNAME" = "apikey"
  }
  ```
  RESOURCE_TO_TAG also needs to be either adjusted or commented out.
  If it's commented out, all supported resource types are tagged, including classic ones.
  ```hcl
  config_data = {
    ...
    "RESOURCE_TO_TAG" = "resource_instances,virtual_servers,schematics_workspaces,classic_virtual_machines,classic_baremetals"
    ...
  }
  ```
- Configure API access for Terraform:
  ```sh
  export IC_API_KEY="<IBM CLOUD API KEY>"
  ```
- Initialize Terraform:
  ```sh
  terraform init
  ```
- Plan the deployment:
  ```sh
  terraform plan
  ```
- Create the resources:
  ```sh
  terraform apply
  ```
- Set up job scheduling:
  The CLI command will be displayed in the Terraform output.
  Example:
  ```
  Outputs:
  ...
  schedule_cli_command = "ibmcloud target -r us-east -g auto-tagger && ibmcloud ce project select -n auto-tagger && ibmcloud ce subscription cron create --name auto-tagger-job-schedule --destination auto-tagger-job --schedule '0 0 */1 * *' --destination-type job --tz UTC"
  ```
- Configure API access for Terraform:
  ```sh
  export IC_API_KEY="<IBM CLOUD API KEY>"
  ```
- Delete the resources:
  ```sh
  terraform destroy
  ```
Note: This also removes the job schedule, so there is no need to remove it separately.
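A pre-flight check for the terraform.tfvars values from the configuration step and the Classic Infrastructure note above, added here as an example and not part of this template or the cloud-governance project. It assumes the flat `"key" = "value"` map layout shown on this page; `KNOWN_TYPES`, `parse_map` and `preflight` are hypothetical names, and the type list holds only the five names this page mentions.

```python
import re

# Resource type names that appear on this page; the tool may accept others (assumption).
KNOWN_TYPES = {"resource_instances", "virtual_servers", "schematics_workspaces",
               "classic_virtual_machines", "classic_baremetals"}
PAIR = re.compile(r'^\s*"([^"]+)"\s*=\s*"([^"]*)"', re.M)

def parse_map(text, name):
    """Return the "key" = "value" pairs of one top-level map; commented lines are skipped."""
    m = re.search(r"^%s\s*=\s*\{(.*?)^\s*\}" % re.escape(name), text, re.M | re.S)
    return dict(PAIR.findall(m.group(1))) if m else {}

def preflight(text):
    """Return a list of problems found in terraform.tfvars content (empty list = OK)."""
    cfg, sec = parse_map(text, "config_data"), parse_map(text, "secret_data")
    problems = []
    if "IBM_CUSTOM_TAGS_LIST" in cfg:
        for pair in cfg["IBM_CUSTOM_TAGS_LIST"].split(","):
            if not re.fullmatch(r"[^:,]+:[^:,]+", pair.strip()):
                problems.append("bad tag, expected key:value: %r" % pair)
    # A missing or commented-out RESOURCE_TO_TAG means all types, classic ones included.
    types = None
    if "RESOURCE_TO_TAG" in cfg:
        types = [t.strip() for t in cfg["RESOURCE_TO_TAG"].split(",")]
        for t in sorted(set(types) - KNOWN_TYPES):
            problems.append("unknown resource type: %r" % t)
    wants_classic = types is None or any(t.startswith("classic_") for t in types)
    key = sec.get("IBM_API_KEY", "")
    if wants_classic and (not key or key.startswith("<")):
        problems.append("classic resources in scope but IBM_API_KEY is unset or a placeholder")
    if wants_classic and sec.get("IBM_API_USERNAME", "apikey") != "apikey":
        problems.append('IBM_API_USERNAME must keep its default value "apikey"')
    return problems

# Constructed sample input, not taken from a real deployment.
SAMPLE = '''
config_data = {
  "IBM_CUSTOM_TAGS_LIST" = "env:perf,owner"
  "account" = "Account Name"
  # "RESOURCE_TO_TAG" = "resource_instances,virtual_servers"
}
secret_data = {
  "IBM_API_KEY" = "<Personal IBM Cloud API Key>"
  "IBM_API_USERNAME" = "apikey"
}
'''

if __name__ == "__main__":
    for p in preflight(SAMPLE):
        print("FAIL:", p)
```

Run it against the real file with `preflight(open("terraform.tfvars").read())` before `terraform plan`.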