Auto-tagging for IBM Cloud resources

This Terraform template deploys a serverless job on IBM Cloud Code Engine that runs the quay.io/cloud-governance/cloud-governance:latest container image on a scheduled basis to apply tags to supported resources.

Architecture

The deployment creates the following resources:

  • Resource group: Container for the Code Engine Project
  • Code Engine Project: Container for all Code Engine resources
  • Secret: Stores sensitive configuration data (API keys, credentials)
  • ConfigMap: Stores non-sensitive configuration data
  • Job: Serverless job definition with the cloud-governance container
  • Cron scheduler: Runs the job on the configured schedule

Note: Job scheduling is not currently supported by the IBM Cloud Terraform provider and must be configured separately via the CLI after deployment.

Security Considerations

As the redhat-performance/cloud-governance tool does not yet support IBM Cloud's Trusted Profiles feature, regular API keys are used for authentication.

Prerequisites

  1. IBM Cloud Account: Ensure you have an active IBM Cloud account
  2. Terraform: Install Terraform
  3. IBM Cloud CLI:

Usage

1. Log in via the CLI

Log in using a one-time passcode.

ibmcloud login -a https://cloud.ibm.com -u passcode -p <passcode>

Note: The easiest method to get the passcode is to log into the IBM Cloud console via a browser, click on the avatar icon in the top-right corner, and click on Log in to CLI and API.

2. Configuration

  1. Copy the example configuration file:

    cp terraform.tfvars.example terraform.tfvars

  2. Edit terraform.tfvars with your specific values:

     config_data = {
         "IBM_CUSTOM_TAGS_LIST" = "tag1:value1,tag2:value2,tag3:value3"
         "account"              = "Account Name"
         "RESOURCE_TO_TAG"      = "resource_instances,virtual_servers,schematics_workspaces"
         ...
     }

Note

Tagging Classic Infrastructure resources

If Classic Infrastructure access is required, generate and configure an IBM Cloud API key as IBM_API_KEY and leave IBM_API_USERNAME as the default value:

secret_data = {
    "IBM_API_KEY"       = "<Personal IBM Cloud API Key>"
    "IBM_API_USERNAME"  = "apikey"
}

RESOURCE_TO_TAG also needs to be either adjusted or commented out.
If it is commented out, all supported resource types are tagged, including classic ones.

config_data = {
    ...
    "RESOURCE_TO_TAG"      = "resource_instances,virtual_servers,schematics_workspaces,classic_virtual_machines,classic_baremetals"
    ...
}
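
An added pre-flight check for the configuration step, not part of this repository: it verifies that terraform.tfvars is not accessible to group or other users (it holds IBM_API_KEY) and that IBM_API_KEY is set whenever classic resource types are in scope, including the case where RESOURCE_TO_TAG is commented out. The function names, the script name check-tfvars.sh and the one-pair-per-line matching are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for terraform.tfvars before `terraform apply`.
# Assumes one "KEY" = "value" pair per line, as in the README snippets;
# this is line matching, not a full HCL parser.

# Print the value of the first uncommented "KEY" = "value" line, if any.
tfvar_value() {
    sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*=[[:space:]]*\"\(.*\)\".*\$/\1/p" "$1" | head -n 1
}

check_tfvars() {
    file=$1
    rc=0
    [ -f "$file" ] || { echo "FAIL: $file not found" >&2; return 2; }

    # The file carries IBM_API_KEY, so group and other must have no access.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $file is accessible to group/other; run chmod 600" >&2
        rc=1
    fi

    # A commented-out RESOURCE_TO_TAG means every supported type, classic included.
    resources=$(tfvar_value "$file" RESOURCE_TO_TAG)
    case "$resources" in
        "" | *classic_*) classic=1 ;;
        *)               classic=0 ;;
    esac

    if [ "$classic" -eq 1 ]; then
        key=$(tfvar_value "$file" IBM_API_KEY)
        user=$(tfvar_value "$file" IBM_API_USERNAME)
        case "$key" in
            "" | "<"*)
                echo "FAIL: classic resources in scope but IBM_API_KEY is unset or a placeholder" >&2
                rc=1 ;;
        esac
        if [ -n "$user" ] && [ "$user" != "apikey" ]; then
            echo "FAIL: IBM_API_USERNAME must stay \"apikey\"" >&2
            rc=1
        fi
    fi
    return "$rc"
}

# Usage: sh check-tfvars.sh terraform.tfvars
if [ -n "${1:-}" ]; then check_tfvars "$1"; fi
```

A non-zero exit status means at least one check failed; the reasons are printed to stderr.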

4. Deployment

  1. Configure API access for Terraform:

    export IC_API_KEY="<IBM CLOUD API KEY>"

  2. Initialize Terraform:

    terraform init

  3. Plan the deployment:

    terraform plan

  4. Create the resources:

    terraform apply

  5. Set up job scheduling:

    The CLI command will be displayed in the Terraform output.
    Example:

    Outputs:
     ...
     schedule_cli_command = "ibmcloud target -r us-east -g auto-tagger && ibmcloud ce project select -n auto-tagger && ibmcloud ce subscription cron create --name auto-tagger-job-schedule --destination auto-tagger-job --schedule '0 0 */1 * *' --destination-type job --tz UTC"

5. Deprovisioning

  1. Configure API access for Terraform:

    export IC_API_KEY="<IBM CLOUD API KEY>"

  2. Delete the resources:

    terraform destroy

Note: This also removes the scheduling, so there is no need to remove it via other methods.