feat: enabled add-ons configuration for DA (#53)

Author: vbontempi

.gitignore

@@ -72,3 +72,4 @@ terraform.rc
 # Go workspace file
 go.work
 *.code-workspace
+**/.*.svg.bkp

cra-config.yaml

@@ -12,3 +12,4 @@ CRA_TARGETS:
       TF_VAR_subscription_id_secret_crn: "crn:v1:bluemix:public:secrets-manager:us-south:a/abac0df06b644a9cabc6e44f55b3880e:79c6d411-c18f-4670-b009-b0044a238667:secret:71363d27-db8d-dd07-c72b-59ecb3884a8f" # pragma: allowlist secret
       TF_VAR_existing_resource_group_name: "geretain-test-e4j"
       TF_VAR_prefix: "e4j-cra"
+      TF_VAR_provider_visibility: "public"

ibm_catalog.json

@@ -0,0 +1,61 @@
+# Enterprise Application Service for Java
+
+This architecture creates an instance of Enterprise Application Service for Java (also known as EASe4J) and supports provisioning of the following resources:
+
+- A resource group, if an existing one is not passed in.
+- An Enterprise Application Service for Java instance.
+- An optional [Service to Service authorisation policy](https://cloud.ibm.com/docs/account?topic=account-serviceauth) to authorise the Enterprise Application instance to reach an instance of MQ service. If enabled, the authorisation policy is configured at MQ resource instance scope if its CRN is provided, otherwise the policy is created for MQ service at account scope, with the account owner of the Enterprise Application instance as target account.
+- An optional [Service to Service authorisation policy](https://cloud.ibm.com/docs/account?topic=account-serviceauth) to authorise the Enterprise Application instance to reach an instance of DB2 service. If enabled, the authorisation policy is configured at DB2 resource instance scope if its CRN is provided, otherwise the policy is created for DB2 service at account scope, with the account owner of the Enterprise Application instance as target account.
+
+<!-- ![Enterprise Application Service for Java architecture](../../reference-architecture/deployable-architecture-ease.svg) -->
+
+### Enterprise Application Service for Java instance source and configuration options
+
+The EASe4J service allows to build, deploy and run an application by setting the GitHub repositories to clone for the application sources and environment configurations (Build Deploy and Run use case), or to deploy and run an application by setting the Maven repository for the application built artifact and the GitHub repository to clone for the application environment configuration (Deploy and Run use case).
+For more details about the two use-cases support please refer to the [module README doc](../../README.md#enterprise-application-service-use-cases-support)
+
+### Mandatory input parameters for both the use cases
+
+1. The IBM Cloud API Key (https://cloud.ibm.com/iam/apikeys) for the account where to deploy the Enterprise Application Service instance
+1. Resource Group ID (https://cloud.ibm.com/account/resource-groups) containing the Enterprise Application Service instance
+
+### Token and Subscription ID secrets input variables
+
+- The input variables `repos_git_token` and `repos_git_token_secret_crn` are mutually exclusive: if both are provided with a value the second one is used.
+
+- The input variables `subscription_id` and `subscription_id_secret_crn` are mutually exclusive: if both are provided with a value the second one is used.
+
+#### IBM AppFlow GitHub application prerequisite
+
+In order to configure the Enterprise Application Service instance to build the Java liberty application using the source code and the configuration repositories, the GitHub application **IBM AppFlow** must installed in the GitHub organization(s) hosting the repositories and enable to access both of them.
+
+To install and configure the **IBM AppFlow** GitHub application refer to https://github.com/apps/ibm-enterprise-application-service
+
+**Note:** in the case you need to configure an Enterprise Application Service instance in an environment different from IBM Cloud public platform, you need to install and configure a specific version of the **IBM AppFlow** GitHub application.
+
+### Build Deploy and Run use case input parameters
+
+The following optional input parameters are required in order to pre-configure the Enterprise Application Service instance for the BDR use case:
+
+1. URL of the GitHub repository storing the Java liberty application source code to build in the Enterprise Application Service instance
+1. URL of the GitHub repository storing the Java liberty application configuration to build in the Enterprise Application Service instance
+1. GitHub token with read access to the source code and to the configuration repositories.
+
+**Note:** all these parameters are mandatory in the case any of them is different than their default null value, with the GitHub token mandatory also if the source code and the configuration repositories are both public. When all of them are left to the default null value it will be possible to configure the instance with their values once the instance is successfully created, as describe [here](#create-an-enterprise-application-service-instance-without-setting-any-repository)
+
+## Deploy and Run use case input parameters
+
+The following optional input parameters are required in order to pre-configure the Enterprise Application Service instance for the DR use case:
+
+1. URL of the Maven repository storing the built Java liberty application to run in the Enterprise Application Service instance
+2. URL of the GitHub repository storing the Java liberty application configuration to run in the Enterprise Application Service instance
+3. GitHub token with read access to the configuration repositories.
+
+**Note:** like the BDR use case, all these parameters are mandatory in the case any of them is different than their default null value. When all of them are left to the default null value it will be possible to configure the instance with their values once the instance is successfully created, as describe [here](#create-an-enterprise-application-service-instance-without-setting-any-repository)
+
+
+### Create an Enterprise Application Service instance without setting any repository
+
+This Deployable Architecture allows also to create an instance of the Enterprise Application Service without setting any source and configuration repository: in the case the source code (GitHub or Maven) and the configuration repositories are not set at Enterprise Application Service instance deployment time, it will be possible to configure them through the Enterprise Application Service dashboard url that will be included in the `ease_instance` output details of this module.
+
+:exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers).

reference-architecture/deployable-architecture-ease.svg

@@ -1,61 +1,3 @@
-# Enterprise Application Service for Java
-
-This architecture creates an instance of Enterprise Application Service for Java (also known as EASe4J) and supports provisioning of the following resources:
-
-- A resource group, if an existing one is not passed in.
-- An Enterprise Application Service for Java instance.
-- An optional [Service to Service authorisation policy](https://cloud.ibm.com/docs/account?topic=account-serviceauth) to authorise the Enterprise Application instance to reach an instance of MQ service. If enabled, the authorisation policy is configured at MQ resource instance scope if its CRN is provided, otherwise the policy is created for MQ service at account scope, with the account owner of the Enterprise Application instance as target account.
-- An optional [Service to Service authorisation policy](https://cloud.ibm.com/docs/account?topic=account-serviceauth) to authorise the Enterprise Application instance to reach an instance of DB2 service. If enabled, the authorisation policy is configured at DB2 resource instance scope if its CRN is provided, otherwise the policy is created for DB2 service at account scope, with the account owner of the Enterprise Application instance as target account.
-
-<!-- ![Enterprise Application Service for Java architecture](../../reference-architecture/deployable-architecture-ease.svg) -->
-
-### Enterprise Application Service for Java instance source and configuration options
-
-The EASe4J service allows to build, deploy and run an application by setting the GitHub repositories to clone for the application sources and environment configurations (Build Deploy and Run use case), or to deploy and run an application by setting the Maven repository for the application built artifact and the GitHub repository to clone for the application environment configuration (Deploy and Run use case).
-For more details about the two use-cases support please refer to the [module README doc](../../README.md#enterprise-application-service-use-cases-support)
-
-### Mandatory input parameters for both the use cases
-
-1. The IBM Cloud API Key (https://cloud.ibm.com/iam/apikeys) for the account where to deploy the Enterprise Application Service instance
-1. Resource Group ID (https://cloud.ibm.com/account/resource-groups) containing the Enterprise Application Service instance
-
-### Token and Subscription ID secrets input variables
-
-- The input variables `repos_git_token` and `repos_git_token_secret_crn` are mutually exclusive: if both are provided with a value the second one is used.
-
-- The input variables `subscription_id` and `subscription_id_secret_crn` are mutually exclusive: if both are provided with a value the second one is used.
-
-#### IBM AppFlow GitHub application prerequisite
-
-In order to configure the Enterprise Application Service instance to build the Java liberty application using the source code and the configuration repositories, the GitHub application **IBM AppFlow** must installed in the GitHub organization(s) hosting the repositories and enable to access both of them.
-
-To install and configure the **IBM AppFlow** GitHub application refer to https://github.com/apps/ibm-enterprise-application-service
-
-**Note:** in the case you need to configure an Enterprise Application Service instance in an environment different from IBM Cloud public platform, you need to install and configure a specific version of the **IBM AppFlow** GitHub application.
-
-### Build Deploy and Run use case input parameters
-
-The following optional input parameters are required in order to pre-configure the Enterprise Application Service instance for the BDR use case:
-
-1. URL of the GitHub repository storing the Java liberty application source code to build in the Enterprise Application Service instance
-1. URL of the GitHub repository storing the Java liberty application configuration to build in the Enterprise Application Service instance
-1. GitHub token with read access to the source code and to the configuration repositories.
-
-**Note:** all these parameters are mandatory in the case any of them is different than their default null value, with the GitHub token mandatory also if the source code and the configuration repositories are both public. When all of them are left to the default null value it will be possible to configure the instance with their values once the instance is successfully created, as describe [here](#create-an-enterprise-application-service-instance-without-setting-any-repository)
-
-## Deploy and Run use case input parameters
-
-The following optional input parameters are required in order to pre-configure the Enterprise Application Service instance for the DR use case:
-
-1. URL of the Maven repository storing the built Java liberty application to run in the Enterprise Application Service instance
-2. URL of the GitHub repository storing the Java liberty application configuration to run in the Enterprise Application Service instance
-3. GitHub token with read access to the configuration repositories.
-
-**Note:** like the BDR use case, all these parameters are mandatory in the case any of them is different than their default null value. When all of them are left to the default null value it will be possible to configure the instance with their values once the instance is successfully created, as describe [here](#create-an-enterprise-application-service-instance-without-setting-any-repository)
-
-
-### Create an Enterprise Application Service instance without setting any repository
-
-This Deployable Architecture allows also to create an instance of the Enterprise Application Service without setting any source and configuration repository: in the case the source code (GitHub or Maven) and the configuration repositories are not set at Enterprise Application Service instance deployment time, it will be possible to configure them through the Enterprise Application Service dashboard url that will be included in the `ease_instance` output details of this module.
+# Cloud automation for Enterprise Application Service (Fully configurable)
 
 :exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers).

solutions/fully-configurable/DA-details.md

@@ -1,6 +1,6 @@
 locals {
   sleep_create = "30s"
-  prefix       = var.prefix != null ? (var.prefix != "" ? var.prefix : null) : null
+  prefix       = var.prefix != null ? trimspace(var.prefix) != "" ? "${var.prefix}-" : "" : ""
 }
 
 ########################################################################################################################
@@ -59,7 +59,8 @@ module "crn_parser_subid" {
 # setting the region for the provider on the secrets manager region
 # if null it is left to empty string
 locals {
-  sm_region = var.subscription_id_secret_crn != null ? module.crn_parser_subid[0].region : (var.repos_git_token_secret_crn != null ? module.crn_parser_token[0].region : "")
+  sm_region           = var.subscription_id_secret_crn != null ? module.crn_parser_subid[0].region : (var.repos_git_token_secret_crn != null ? module.crn_parser_token[0].region : "")
+  sm_ibmcloud_api_key = var.secrets_manager_ibmcloud_api_key == null ? var.ibmcloud_api_key : var.secrets_manager_ibmcloud_api_key
 }
 
 data "ibm_sm_arbitrary_secret" "sm_subscription_id" {
@@ -81,7 +82,7 @@ locals {
 
 module "ease" {
   source            = "../../"
-  ease_name         = try("${local.prefix}-${var.instance_name}", var.instance_name)
+  ease_name         = "${local.prefix}${var.instance_name}"
   resource_group_id = module.resource_group.resource_group_id
   tags              = var.resource_tags
   plan              = var.plan
@@ -112,20 +113,21 @@ data "ibm_resource_instance" "ease_resource" {
   identifier = module.ease.ease_instance.id
 }
 
-# Define Service to Service (S2S) policy between Enterprise Application Service instance and MQ capacity instance
+# reading the IAM account details from the provider to use when creating the S2S policies
+data "ibm_iam_account_settings" "provider_account" {}
+
+# Define Service to Service (S2S) policy between Enterprise Application Service instance and MQ capacity instance
 
+# parsing crn to collect the MQ capacity instance ID and its owner account ID
 module "crn_parser_mq_capacity_instance_crn" {
   count   = var.mq_s2s_policy_target_crn != null ? 1 : 0
   source  = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
   version = "1.1.0"
   crn     = var.mq_s2s_policy_target_crn
 }
 
-# reading the IAM account details from the provider to use when creating the S2S policies
-data "ibm_iam_account_settings" "provider_account" {}
-
 locals {
-  # for S2S policy, the source accountID is the one owning the Enterprise Application Service instance and the target is the account retrieved from the MQ instance CRN or, if this is null, the one creating the policy and owning the Enterprise Application Service instance
+  # for S2S policy, the source accountID is the one owning the Enterprise Application Service instance and the target is the account retrieved from the MQ instance CRN or, if this is null, the one creating the policy and owning the Enterprise Application Service instance
   mq_s2s_subject_account_id = data.ibm_iam_account_settings.provider_account.account_id
   mq_s2s_target_account_id  = var.mq_s2s_policy_target_crn != null ? module.crn_parser_mq_capacity_instance_crn[0].account_id : data.ibm_iam_account_settings.provider_account.account_id
 }
@@ -227,12 +229,12 @@ module "crn_parser_db2_instance_crn" {
 }
 
 locals {
-  # for S2S policy, the source accountID is the one owning the Enterprise Application Service instance and the target is the account retrieved from the DB2 instance CRN or, if this is null, the one creating the policy and owning the Enterprise Application Service instance
+  # for S2S policy, the source accountID is the one owning the Enterprise Application Service instance and the target is the account retrieved from the DB2 instance CRN or, if this is null, the one creating the policy and owning the Enterprise Application Service instance
   db2_s2s_subject_account_id = data.ibm_iam_account_settings.provider_account.account_id
   db2_s2s_target_account_id  = var.db2_s2s_policy_target_crn != null ? module.crn_parser_db2_instance_crn[0].account_id : data.ibm_iam_account_settings.provider_account.account_id
 }
 
-# creating S2S policy to DB2 if enabled - DB2 instance scope
+# creating S2S policy to DB2 if enabled - DB2 instance scope
 resource "ibm_iam_authorization_policy" "db2_s2s_policy_crn_scope" {
   count = var.db2_s2s_policy_enable == true && var.db2_s2s_policy_target_crn != null ? 1 : 0
   roles = var.db2_s2s_policy_roles
@@ -277,7 +279,7 @@ resource "ibm_iam_authorization_policy" "db2_s2s_policy_crn_scope" {
   }
 }
 
-# creating S2S policy to DB2 if enabled - account scope
+# creating S2S policy to DB2 if enabled - account scope
 resource "ibm_iam_authorization_policy" "db2_s2s_policy_account_scope" {
   count = var.db2_s2s_policy_enable == true && var.db2_s2s_policy_target_crn == null ? 1 : 0
   roles = var.db2_s2s_policy_roles

solutions/fully-configurable/README.md

@@ -3,12 +3,16 @@
 ########################################################################################################################
 
 provider "ibm" {
-  ibmcloud_api_key = var.ibmcloud_api_key
-  region           = var.region
+  ibmcloud_api_key      = var.ibmcloud_api_key
+  visibility            = var.provider_visibility
+  region                = var.region
+  private_endpoint_type = (var.provider_visibility == "private" && var.region == "ca-mon") ? "vpe" : null
 }
 
 provider "ibm" {
-  ibmcloud_api_key = var.ibmcloud_api_key
-  region           = local.sm_region
-  alias            = "ibm-sm"
+  ibmcloud_api_key      = local.sm_ibmcloud_api_key
+  visibility            = var.provider_visibility
+  region                = local.sm_region
+  alias                 = "ibm-sm"
+  private_endpoint_type = (var.provider_visibility == "private" && local.sm_region == "ca-mon") ? "vpe" : null
 }