terraform-ibm-modules
diff --git a/‎README.md
Lines changed: 2 additions & 1 deletion b/‎README.md
Lines changed: 2 additions & 1 deletion
diff --git a/‎examples/jobs/README.md
Lines changed: 1 addition & 0 deletions b/‎examples/jobs/README.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎examples/jobs/main.tf
Lines changed: 21 additions & 3 deletions b/‎examples/jobs/main.tf
Lines changed: 21 additions & 3 deletions
diff --git a/‎main.tf
Lines changed: 18 additions & 17 deletions b/‎main.tf
Lines changed: 18 additions & 17 deletions
diff --git a/‎modules/build/README.md
Lines changed: 5 additions & 0 deletions b/‎modules/build/README.md
Lines changed: 5 additions & 0 deletions
diff --git a/‎modules/build/main.tf
Lines changed: 20 additions & 0 deletions b/‎modules/build/main.tf
Lines changed: 20 additions & 0 deletions
diff --git a/‎modules/build/scripts/build-run.sh
Lines changed: 85 additions & 0 deletions b/‎modules/build/scripts/build-run.sh
Lines changed: 85 additions & 0 deletions
diff --git a/‎modules/build/variables.tf
Lines changed: 17 additions & 0 deletions b/‎modules/build/variables.tf
Lines changed: 17 additions & 0 deletions
@@ -157,11 +157,12 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_apps"></a> [apps](#input\_apps) | A map of code engine apps to be created. | <pre>map(object({<br/>    image_reference = string<br/>    image_secret    = optional(string)<br/>    run_env_variables = optional(list(object({<br/>      type      = optional(string)<br/>      name      = optional(string)<br/>      value     = optional(string)<br/>      prefix    = optional(string)<br/>      key       = optional(string)<br/>      reference = optional(string)<br/>    })))<br/>    run_volume_mounts = optional(list(object({<br/>      mount_path = string<br/>      reference  = string<br/>      name       = optional(string)<br/>      type       = string<br/>    })))<br/>    image_port                    = optional(number)<br/>    managed_domain_mappings       = optional(string)<br/>    run_arguments                 = optional(list(string))<br/>    run_as_user                   = optional(number)<br/>    run_commands                  = optional(list(string))<br/>    run_service_account           = optional(string)<br/>    scale_concurrency             = optional(number)<br/>    scale_concurrency_target      = optional(number)<br/>    scale_cpu_limit               = optional(string)<br/>    scale_ephemeral_storage_limit = optional(string)<br/>    scale_initial_instances       = optional(number)<br/>    scale_max_instances           = optional(number)<br/>    scale_memory_limit            = optional(string)<br/>    scale_min_instances           = optional(number)<br/>    scale_request_timeout         = optional(number)<br/>    scale_down_delay              = optional(number)<br/>  }))</pre> | `{}` | no |
 | <a name="input_bindings"></a> [bindings](#input\_bindings) | A map of code engine bindings to be created. | <pre>map(object({<br/>    secret_name = string<br/>    components = list(object({<br/>      name          = string<br/>      resource_type = string<br/>    }))<br/>  }))</pre> | `{}` | no |
-| <a name="input_builds"></a> [builds](#input\_builds) | A map of code engine builds to be created. | <pre>map(object({<br/>    output_image       = string<br/>    output_secret      = string # pragma: allowlist secret<br/>    source_url         = string<br/>    strategy_type      = string<br/>    source_context_dir = optional(string)<br/>    source_revision    = optional(string)<br/>    source_secret      = optional(string)<br/>    source_type        = optional(string)<br/>    strategy_size      = optional(string)<br/>    strategy_spec_file = optional(string)<br/>    timeout            = optional(number)<br/>  }))</pre> | `{}` | no |
+| <a name="input_builds"></a> [builds](#input\_builds) | A map of code engine builds to be created. Requires 'ibmcloud\_api\_key' to be set for authentication and execution. | <pre>map(object({<br/>    output_image       = string<br/>    output_secret      = string # pragma: allowlist secret<br/>    source_url         = string<br/>    strategy_type      = string<br/>    source_context_dir = optional(string)<br/>    source_revision    = optional(string)<br/>    source_secret      = optional(string)<br/>    source_type        = optional(string)<br/>    strategy_size      = optional(string)<br/>    strategy_spec_file = optional(string)<br/>    timeout            = optional(number)<br/>  }))</pre> | `{}` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | The list of context-based restrictions rules to create. | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_config_maps"></a> [config\_maps](#input\_config\_maps) | A map of code engine config maps to be created. | <pre>map(object({<br/>    data = map(string)<br/>  }))</pre> | `{}` | no |
 | <a name="input_domain_mappings"></a> [domain\_mappings](#input\_domain\_mappings) | A map of code engine domain mappings to be created. | <pre>map(object({<br/>    tls_secret = string # pragma: allowlist secret<br/>    components = list(object({<br/>      name          = string<br/>      resource_type = string<br/>    }))<br/>  }))</pre> | `{}` | no |
 | <a name="input_existing_project_id"></a> [existing\_project\_id](#input\_existing\_project\_id) | The ID of the existing project to which code engine resources will be added. It is required if var.project\_name is null. | `string` | `null` | no |
+| <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key. Required only when 'builds' are specified and used. | `string` | `null` | no |
 | <a name="input_jobs"></a> [jobs](#input\_jobs) | A map of code engine jobs to be created. | <pre>map(object({<br/>    image_reference = string<br/>    image_secret    = optional(string)<br/>    run_env_variables = optional(list(object({<br/>      type      = optional(string)<br/>      name      = optional(string)<br/>      value     = optional(string)<br/>      prefix    = optional(string)<br/>      key       = optional(string)<br/>      reference = optional(string)<br/>    })))<br/>    run_volume_mounts = optional(list(object({<br/>      mount_path = string<br/>      reference  = string<br/>      name       = optional(string)<br/>      type       = string<br/>    })))<br/>    run_arguments                 = optional(list(string))<br/>    run_as_user                   = optional(number)<br/>    run_commands                  = optional(list(string))<br/>    run_mode                      = optional(string)<br/>    run_service_account           = optional(string)<br/>    scale_array_spec              = optional(string)<br/>    scale_cpu_limit               = optional(string)<br/>    scale_ephemeral_storage_limit = optional(string)<br/>    scale_max_execution_time      = optional(number)<br/>    scale_memory_limit            = optional(string)<br/>    scale_retry_limit             = optional(number)<br/>  }))</pre> | `{}` | no |
 | <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The name of the project to which code engine resources will be added. It is required if var.existing\_project\_id is null. | `string` | `null` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | ID of the resource group to use when creating resources. | `string` | n/a | yes |
 
@@ -6,3 +6,4 @@ An end-to-end jobs example that will provision the following:
 - Code Engine Job
 - Code Engine Generic Secret
 - Code Engine Build
+- Run Code Engine Build
@@ -10,13 +10,23 @@ module "resource_group" {
   existing_resource_group_name = var.resource_group
 }
 
+locals {
+  cr_namespace = "private.us.icr.io/${resource.ibm_cr_namespace.my_namespace.name}/${var.prefix}-build"
+}
+
+resource "ibm_cr_namespace" "my_namespace" {
+  name              = "${var.prefix}-cr-namespace"
+  resource_group_id = module.resource_group.resource_group_id
+}
+
 ########################################################################################################################
 # Code Engine instance
 ########################################################################################################################
 
 module "code_engine" {
   source            = "../.."
   resource_group_id = module.resource_group.resource_group_id
+  ibmcloud_api_key  = var.ibmcloud_api_key
   project_name      = "${var.prefix}-project"
   jobs = {
     "${var.prefix}-job" = {
@@ -50,12 +60,20 @@ module "code_engine" {
     "${var.prefix}-s" = {
       format = "generic"
       data   = { "key_1" : "value_1", "key_2" : "value_2" }
-    }
+    },
+    "${var.prefix}-rs" = {
+      format = "registry"
+      data = {
+        password = var.ibmcloud_api_key,
+        username = "iamapikey",
+        server   = "private.us.icr.io"
+      }
+    },
   }
   builds = {
     "${var.prefix}-build" = {
-      output_image  = "private.de.icr.io/icr_namespace/image-name"
-      output_secret = "icr-private" # pragma: allowlist secret
+      output_image  = local.cr_namespace
+      output_secret = "${var.prefix}-rs" # pragma: allowlist secret
       source_url    = "https://github.com/IBM/CodeEngine"
       strategy_type = "dockerfile"
     }
 
@@ -99,23 +99,24 @@ module "secret" {
 # Code Engine Build
 ##############################################################################
 module "build" {
-  depends_on         = [module.secret]
-  source             = "./modules/build"
-  for_each           = var.builds
-  project_id         = local.project_id
-  name               = each.key
-  output_image       = each.value.output_image
-  output_secret      = each.value.output_secret
-  source_url         = each.value.source_url
-  strategy_type      = each.value.strategy_type
-  source_context_dir = each.value.source_context_dir
-  source_revision    = each.value.source_revision
-  source_secret      = each.value.source_secret
-  source_type        = each.value.source_type
-  strategy_size      = each.value.strategy_size
-  strategy_spec_file = each.value.strategy_spec_file
-  timeout            = each.value.timeout
-
+  depends_on                 = [module.secret]
+  source                     = "./modules/build"
+  for_each                   = var.builds
+  ibmcloud_api_key           = var.ibmcloud_api_key
+  existing_resource_group_id = var.resource_group_id
+  project_id                 = local.project_id
+  name                       = each.key
+  output_image               = each.value.output_image
+  output_secret              = each.value.output_secret
+  source_url                 = each.value.source_url
+  strategy_type              = each.value.strategy_type
+  source_context_dir         = each.value.source_context_dir
+  source_revision            = each.value.source_revision
+  source_secret              = each.value.source_secret
+  source_type                = each.value.source_type
+  strategy_size              = each.value.strategy_size
+  strategy_spec_file         = each.value.strategy_spec_file
+  timeout                    = each.value.timeout
 }
 
 ##############################################################################
 
@@ -47,15 +47,20 @@ No modules.
 | Name | Type |
 |------|------|
 | [ibm_code_engine_build.ce_build](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/code_engine_build) | resource |
+| [terraform_data.run_build](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
+| [ibm_code_engine_project.code_engine_project](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/code_engine_project) | data source |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_existing_resource_group_id"></a> [existing\_resource\_group\_id](#input\_existing\_resource\_group\_id) | The ID of an existing resource group where build will be provisioned. This must be the same resource group in which the code engine project was created. | `string` | n/a | yes |
+| <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key. | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | The name of the build. | `string` | n/a | yes |
 | <a name="input_output_image"></a> [output\_image](#input\_output\_image) | The name of the image. | `string` | n/a | yes |
 | <a name="input_output_secret"></a> [output\_secret](#input\_output\_secret) | The secret that is required to access the image registry. | `string` | n/a | yes |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The ID of the project where build will be created. | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The region in which to provision the build. This must be the same region in which the code engine project was created. | `string` | `"us-south"` | no |
 | <a name="input_source_context_dir"></a> [source\_context\_dir](#input\_source\_context\_dir) | The directory in the repository that contains the buildpacks file or the Dockerfile. | `string` | `null` | no |
 | <a name="input_source_revision"></a> [source\_revision](#input\_source\_revision) | Commit, tag, or branch in the source repository to pull. | `string` | `null` | no |
 | <a name="input_source_secret"></a> [source\_secret](#input\_source\_secret) | The name of the secret that is used access the repository source. If the var.source\_type value is `local`, this field must be omitted. | `string` | `null` | no |
 
@@ -19,3 +19,23 @@ resource "ibm_code_engine_build" "ce_build" {
   strategy_spec_file = var.strategy_spec_file
   timeout            = var.timeout
 }
+
+data "ibm_code_engine_project" "code_engine_project" {
+  project_id = var.project_id
+}
+
+resource "terraform_data" "run_build" {
+  depends_on = [ibm_code_engine_build.ce_build]
+
+  provisioner "local-exec" {
+    interpreter = ["/bin/bash", "-c"]
+    command     = "${path.module}/scripts/build-run.sh"
+    environment = {
+      IBMCLOUD_API_KEY  = var.ibmcloud_api_key
+      RESOURCE_GROUP_ID = var.existing_resource_group_id
+      CE_PROJECT_NAME   = data.ibm_code_engine_project.code_engine_project.name
+      REGION            = var.region
+      BUILD_NAME        = ibm_code_engine_build.ce_build.name
+    }
+  }
+}
@@ -0,0 +1,85 @@
+#!/bin/bash
+set -e
+
+# Log in to IBM Cloud
+function ibmcloud_login() {
+    printf "\n#### IBM CLOUD LOGIN ####\n\n"
+    attempts=1
+    until ibmcloud login -r "${REGION}" -g "${RESOURCE_GROUP_ID}" --quiet || [ $attempts -ge 3 ]; do
+        attempts=$((attempts + 1))
+        echo "Error logging in to IBM Cloud CLI..."
+        sleep 3
+    done
+    printf "\nLogin complete\n"
+}
+
+# max wait time = 60 × 10s = 10 minutes
+MAX_RETRIES=60
+RETRY_INTERVAL=10  # seconds
+
+if [[ -z "${IBMCLOUD_API_KEY}" ]]; then
+  echo "IBMCLOUD_API_KEY is required" >&2
+  exit 1
+fi
+
+if [[ -z "${RESOURCE_GROUP_ID}" ]]; then
+  echo "RESOURCE_GROUP_ID is required" >&2
+  exit 1
+fi
+
+if [[ -z "${CE_PROJECT_NAME}" ]]; then
+  echo "CE_PROJECT_NAME is required" >&2
+  exit 1
+fi
+
+if [[ -z "${REGION}" ]]; then
+  echo "REGION is required" >&2
+  exit 1
+fi
+
+if [[ -z "${BUILD_NAME}" ]]; then
+  echo "BUILD_NAME is required" >&2
+  exit 1
+fi
+
+# ibm cloud login
+ibmcloud_login
+
+# selecet the right code engine project
+ibmcloud ce project select -n "${CE_PROJECT_NAME}"
+
+# check the image build status
+image_build_status=$(ibmcloud ce build get --name "${BUILD_NAME}" -o json | jq -r '.status')
+if [[ "$image_build_status" != "ready" ]]; then
+  echo "Error: Image build '${BUILD_NAME}' has status: ${image_build_status}"
+  exit 1
+fi
+
+# Ensure the build status is 'succeeded' before continuing.
+# This is required because the application deployment depends on a completed build run.
+echo "Submitting build: $BUILD_NAME"
+run_build_name=$(ibmcloud ce buildrun submit --build "$BUILD_NAME" --output json | jq -r '.name')
+
+echo "Waiting for build run $run_build_name to complete..."
+retries=0
+
+while true; do
+    status=$(ibmcloud ce buildrun get --name "$run_build_name" --output json | jq -r '.status')
+    echo "Status: '$status'"
+    if [[ "$status" == "succeeded" ]]; then
+        echo "Build $BUILD_NAME succeeded"
+        break
+    elif [[ "$status" == "Failed" || "$status" == "Error" ]]; then
+        echo "Error: Build $BUILD_NAME has status '{$status}'"
+        exit 1
+    fi
+
+    #  if max time timeout then finish with error
+    if [[ $retries -ge $MAX_RETRIES ]]; then
+        echo "Build $BUILD_NAME did not complete after $MAX_RETRIES retries. Timing out."
+        exit 1
+    fi
+
+    retries=$((retries + 1))
+    sleep "$RETRY_INTERVAL"
+done
@@ -2,6 +2,17 @@
 # Input Variables
 ########################################################################################################################
 
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API key."
+  sensitive   = true
+}
+
+variable "existing_resource_group_id" {
+  description = "The ID of an existing resource group where build will be provisioned. This must be the same resource group in which the code engine project was created."
+  type        = string
+}
+
 variable "project_id" {
   description = "The ID of the project where build will be created."
   type        = string
@@ -22,6 +33,12 @@ variable "output_secret" {
   type        = string
 }
 
+variable "region" {
+  type        = string
+  description = "The region in which to provision the build. This must be the same region in which the code engine project was created."
+  default     = "us-south"
+}
+
 variable "source_context_dir" {
   description = "The directory in the repository that contains the buildpacks file or the Dockerfile."
   type        = string