# IBM Cloud Solution for Power Virtual Server with VPC Landing Zone Quickstart (Standard plus VSI) Variation
This example sets up the following infrastructure:

- A VPC infrastructure with the following components:
  - One VSI for management (jump/bastion)
  - One VSI for network services, configured as a squid proxy, NTP and DNS server using roles from the Ansible Galaxy collection ibm.power_linux_sap. This VSI also acts as the central Ansible execution node.
  - Optional client-to-site VPN server
  - Optional file storage share
  - Optional network load balancer
  - Optional IBM Cloud Security and Compliance Center Workload Protection instance, with the SCC Workload Protection agent configured on the VSIs in the deployment
  - IBM Cloud Object Storage (COS) virtual private endpoint gateway (VPE)
  - IBM Cloud Object Storage (COS) instance and buckets
  - VPC flow logs
  - KMS keys
  - Activity Tracker
  - Optional Secrets Manager instance with a private certificate
  - For single-zone components, the VPC zone is automatically chosen to be in the same availability zone as the selected PowerVS zone.
- A local or global transit gateway
- An optional IBM Cloud Monitoring instance
- A Power Virtual Server workspace with the following network topology:
  - Creates two private networks: a management network and a backup network.
  - Attaches the PowerVS workspace to the transit gateway.
  - Creates an SSH key.
- A PowerVS instance with the following options:
  - t-shirt profile (AIX/IBM i/SAP image)
  - Custom profile (cores, memory, storage and image)
  - 1 volume
  - Network management services, filesystems and SCC Workload Protection agents are configured for AIX and Linux instances.
| Variation | Available on IBM Catalog | Requires Schematics Workspace ID | Creates VPC Landing Zone | Performs VPC VSI OS Config | Creates PowerVS Infrastructure | Creates PowerVS Instance | Performs PowerVS OS Config |
|---|---|---|---|---|---|---|---|
| Quickstart (Standard plus VSI) | ✔️ | N/A | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
## Quickstart (Standard plus VSI) variation

### Requirements
| Name | Version |
|---|---|
| terraform | >= 1.9 |
| ibm | 2.0.0 |
| restapi | 3.0.0 |
### Modules

| Name | Source | Version |
|---|---|---|
| pi_aix_configure_services | ../../modules/powervs-vpc-landing-zone/submodules/ansible | n/a |
| pi_scc_wp_agent | ../../modules/powervs-vpc-landing-zone/submodules/ansible | n/a |
| powervs_instance | terraform-ibm-modules/powervs-instance/ibm | 2.8.9 |
| standard | ../../modules/powervs-vpc-landing-zone | n/a |
### Resources

| Name | Type |
|---|---|
| ibm_iam_auth_token.auth_token | data source |
### Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| IC_SCHEMATICS_WORKSPACE_ID | Leave blank if running locally. This variable is automatically populated when running from an IBM Cloud Schematics workspace. | string | "" | no |
| ansible_vault_password | Vault password to encrypt Ansible playbooks that contain sensitive information. Password requirements: 15-100 characters and at least one uppercase letter, one lowercase letter, one number, and one special character. Allowed characters: A-Z, a-z, 0-9, !#$%&()*+-.:;<=>?@[]_{\|}~. | string | n/a | yes |
| client_to_site_vpn | VPN configuration: the client IP pool and the list of user email IDs allowed to access the environment. If enabled, a Secrets Manager instance is also provisioned and certificates are generated. See the optional parameters to reuse an existing Secrets Manager instance. | object({…}) | {…} | no |
| configure_dns_forwarder | Specify whether the DNS forwarder will be configured. This allows you to use central DNS servers (e.g. IBM Cloud DNS servers) sitting outside of the created IBM PowerVS infrastructure. If yes, ensure the 'dns_forwarder_config' optional variable is set properly. The DNS forwarder is installed on the network-services VSI. | bool | true | no |
| configure_nfs_server | Specify whether the NFS server will be configured. This allows you to easily share files between PowerVS instances (e.g., SAP installation files). A file storage share and mount target in the VPC will be created. If yes, ensure the 'nfs_server_config' optional variable is set properly below. The default size is '200GB', mounted on the specified directory of the network-services VSI. | bool | true | no |
| configure_ntp_forwarder | Specify whether the NTP forwarder will be configured. This allows you to synchronize time between IBM PowerVS instances. The NTP forwarder is installed on the network-services VSI. | bool | true | no |
| custom_profile | Overrides the t-shirt profile with a custom PowerVS instance. Specify 'sap_profile_id' here or a combination of 'cores' and 'memory'. Optionally, volumes can be created. | object({…}) | {…} | no |
| custom_profile_instance_boot_image | Override the t-shirt size specs of the PowerVS workspace instance by selecting an image name and providing a valid 'custom_profile' optional parameter. | string | "none" | no |
| dns_forwarder_config | Configuration for the DNS forwarder to a DNS service that is not reachable directly from PowerVS. | object({…}) | {…} | no |
| enable_monitoring | Specify whether monitoring will be enabled. This creates a new IBM Cloud Monitoring instance. | bool | true | no |
| enable_scc_wp | Enable SCC Workload Protection and install and configure the SCC Workload Protection agent on all Intel VSIs in this deployment. If set to true, a value for 'ansible_vault_password' must be set. | bool | true | no |
| existing_sm_instance_guid | An existing Secrets Manager GUID. If not provided, a new instance will be provisioned. | string | null | no |
| existing_sm_instance_region | Required if a value is passed into var.existing_sm_instance_guid. | string | null | no |
| external_access_ip | Specify the source IP address or CIDR for login through SSH to the environment after deployment. Access to the environment will be allowed only from this IP address. Can be set to 'null' if you choose to use the client-to-site VPN. | string | "0.0.0.0/0" | no |
| ibmcloud_api_key | The IBM Cloud platform API key needed to deploy IAM-enabled resources. | string | n/a | yes |
| network_services_vsi_profile | Compute profile configuration of the network services VSI (CPU and memory configuration). Must be one of the supported profiles. See here. | string | "cxf-2x4" | no |
| nfs_server_config | Configuration for the NFS server. 'size' is in GB, 'iops' is the maximum input/output operations per second, 'mount_path' defines the target mount point on the OS. Set 'configure_nfs_server' to false to skip creating the file storage share. | object({…}) | {…} | no |
| powervs_backup_network | Name of the IBM Cloud PowerVS backup network and CIDR to create. | object({…}) | {…} | no |
| powervs_management_network | Name of the IBM Cloud PowerVS management subnet and CIDR to create. | object({…}) | {…} | no |
| powervs_resource_group_name | Existing IBM Cloud resource group name. | string | "Default" | no |
| powervs_zone | IBM Cloud data center location where the IBM PowerVS infrastructure will be created. | string | n/a | yes |
| prefix | A unique identifier for resources. Must begin with a lowercase letter and end with a lowercase letter or number. Must contain only lowercase letters, numbers, and - characters. This prefix will be prepended to any resources provisioned by this template. Prefixes must be 16 or fewer characters. | string | n/a | yes |
| sm_service_plan | The service/pricing plan to use when provisioning a new Secrets Manager instance. Allowed values: standard and trial. Only used if existing_sm_instance_guid is set to null. | string | "standard" | no |
| ssh_private_key | Private SSH key (RSA format) to log in to the Intel VSIs to configure network management services (squid, NTP, DNS and Ansible). Must match the public SSH key referenced by 'ssh_public_key'. The key is not uploaded or stored. If you're unsure how to create one, check Generate a SSH Key Pair in our docs. For more information about SSH keys, see SSH keys in the VPC docs. | string | n/a | yes |
| ssh_public_key | Public SSH key for VSI creation. Must be an RSA key with a key size of either 2048 bits or 4096 bits (recommended). Must be a valid SSH key that does not already exist in the deployment region. If you're unsure how to create one, check Generate a SSH Key Pair in our docs. For more information about SSH keys, see SSH keys in the VPC docs. | string | n/a | yes |
| tags | List of tag names for the IBM Cloud PowerVS workspace. | list(string) | [] | no |
| tshirt_size | PowerVS instance profiles. These profiles can be overridden by specifying 'custom_profile_instance_boot_image' and 'custom_profile' values in the optional parameters. | object({…}) | n/a | yes |
| vpc_intel_images | Stock OS image names for creating VPC landing zone VSI instances: RHEL (management and network services) and SLES (monitoring). | object({…}) | {…} | no |
| vpc_subnet_cidrs | CIDR values for the VPC subnets to be created. It is the customer's responsibility to ensure that none of the defined networks collide, including the PowerVS subnets and the VPN client pool. | object({…}) | {…} | no |
### Outputs

| Name | Description |
|---|---|
| access_host_or_ip | Access host (jump/bastion) for the created PowerVS infrastructure. |
| ansible_host_or_ip | Central Ansible node private IP address. |
| dns_host_or_ip | DNS forwarder host for created PowerVS infrastructure. |
| kms_key_map | Map of ids and keys for KMS keys created |
| monitoring_instance | Details of the IBM Cloud Monitoring Instance: CRN, location, guid, monitoring_host_ip. monitoring_host_ip is an empty string if enable_monitoring_host is disabled. |
| network_load_balancer | Details of network load balancer. |
| network_services_config | Complete configuration of network management services. |
| nfs_host_or_ip_path | NFS host for created PowerVS infrastructure. |
| ntp_host_or_ip | NTP host for created PowerVS infrastructure. |
| powervs_backup_subnet | Name, ID and CIDR of backup private network in created PowerVS infrastructure. |
| powervs_images | Object containing imported PowerVS image names and image ids. |
| powervs_instance_management_ip | IP address of the primary network interface of IBM PowerVS instance. |
| powervs_instance_private_ips | All private IP addresses (as a list) of IBM PowerVS instance. |
| powervs_management_subnet | Name, ID and CIDR of management private network in created PowerVS infrastructure. |
| powervs_resource_group_name | IBM Cloud resource group where PowerVS infrastructure is created. |
| powervs_ssh_public_key | SSH public key name and value in created PowerVS infrastructure. |
| powervs_storage_configuration | Storage configuration of PowerVS instance. |
| powervs_workspace_guid | PowerVS infrastructure workspace guid. The GUID of the resource instance. |
| powervs_workspace_id | PowerVS infrastructure workspace id. The unique identifier of the new resource instance. |
| powervs_workspace_name | PowerVS infrastructure workspace name. |
| powervs_zone | Zone where PowerVS infrastructure is created. |
| prefix | The prefix that is associated with all resources. |
| proxy_host_or_ip_port | Proxy host:port for created PowerVS infrastructure. |
| resource_group_data | List of resource groups data used within landing zone. |
| scc_wp_instance | Details of the Security and Compliance Center Workload Protection Instance: guid, access key, api_endpoint, ingestion_endpoint. |
| schematics_workspace_id | ID of the IBM Cloud Schematics workspace. Returns null if not run in Schematics. |
| ssh_public_key | The string value of the ssh public key used when deploying VPC. |
| transit_gateway_id | The ID of transit gateway. |
| transit_gateway_name | The name of the transit gateway. |
| vpc_data | List of VPC data. |
| vpc_names | A list of the names of the VPC. |
| vsi_list | A list of VSI with name, id, zone, and primary ipv4 address, VPC Name, and floating IP. |
| vsi_names | A list of the VSI names provisioned within the VPCs. |
| vsi_ssh_key_data | List of VSI SSH key data |