This Terraform module deploys the following VPC infrastructure to stand up a sandbox environment on IBM Cloud:
- VPC
- Subnet
- Public gateway
- Security groups
- IAM Trusted Profile
- Dashboard portal VSI
- Bastion host VSI
- Bastion host FIP
- LogDNA (optional component)
It is recommended to use an IBM Cloud Schematics workspace to deploy the sandbox environment on IBM Cloud VPC. Using Schematics incurs no additional cost and gives you an easy way to manage your Terraform lifecycle.
For more information on IBM Cloud Schematics, see IBM Cloud Schematics.
You can also run this Terraform module locally when you supply the necessary variables. See Assigning values to root module variables.
You can follow the Sandbox User Guide to deploy the Sandbox environment on IBM Cloud.
To order and use IBM Cloud services, billing information is required for your account. See Upgrading Your Account.
If you want to run Terraform locally, see Install Terraform.
You must supply an IBM Cloud API key so that Terraform can connect to the IBM Cloud Terraform provider. This API key is used to order resources under the identity of the user who owns it. For more information, see Create API Key.
You must create the proper Schematics access policies for a user to deploy the sandbox environment on IBM Cloud VPC using IBM Cloud Schematics. For more information, see IBM Cloud Schematics Access.
A number of variables defined in variables.tf are used by this Terraform module to deploy and configure your sandbox infrastructure. See variables.tf for the full list of variables with their descriptions, defaults, and conditions.
When you deploy the sandbox environment on VPC using IBM Cloud topology, the following infrastructure is created by default:
- 1 x VPC
- 1 x /24 Subnet (256 IPs)
- 1 x Public gateway
- 1 x Dashboard portal VSI
- 1 x Bastion host VSI
- 1 x Bastion host FIP
- 1 x IAM Trusted Profile
- 1 x LogDNA (optional component)
- 2 x Security groups
The dashboard VSI downloads and installs the sandbox dashboard application during post-provisioning using cloud-init (user_data). See main.tf.
- Dashboard Portal can only be accessible from Bastion host.
- You can log into the Dashboard Portal with your username and password and provision the SPR and CLX application VSIs.
- To provision the application VSIs, IAM Trusted Profile is used to authenticate with IBM Cloud.
- You can deploy your own workload by providing your installer and runner scripts from the dashboard UI.
NOTE: Do not attach a FIP to the dashboard VSI; it must only be reachable from the bastion host.
Linux bastion host with VNC server: you can access the dashboard portal VSI through the bastion host only. You can bind/unbind the FIP on the bastion host as your usage requires. The bastion Terraform module prints the commands to access the sandbox dashboard through the bastion tunnel after the resources are provisioned successfully.
The Terraform IaC creates a trusted profile for compute resource identities in IBM Cloud Identity and Access Management, and then assigns access rights for IAM-enabled services to a virtual server instance. The following roles are granted to the IAM trusted profile: "Writer", "Viewer", "Reader", "Editor". This profile is used by the dashboard VSI to authenticate with IBM Cloud, so no long-lived API key has to be stored on the instance.
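The trusted-profile pattern described above, written out as an added HCL example (it is not this module's own main.tf). It reuses the resource and data-source names listed later on this page (`ibm_iam_trusted_profile.profile_id`, `ibm_iam_trusted_profile_policy.vpc_policy`, `ibm_is_instance.dashboard-vm`, `data.ibm_is_image.linux`, `data.ibm_is_ssh_key.ssh_key_id`, `data.ibm_resource_group.resource_group`, `ibm_is_vpc.sandbox-vpc`, `ibm_is_subnet.subnets`); the profile name, the `ibm_is_security_group.dashboard_sg` reference and the single-subnet assumption are illustrative, and the exact policy scoping used by the module may differ.

```hcl
# Added example, not the module's own code. Names are illustrative (see lead-in).

# 1. The identity the dashboard VSI will assume. Nothing secret is created here:
#    tokens are minted on demand by the instance metadata service.
resource "ibm_iam_trusted_profile" "profile_id" {
  name        = "sbox-dashboard-profile" # assumed name
  description = "Identity used by the sandbox dashboard VSI to provision application VSIs"
}

data "ibm_resource_group" "resource_group" {
  name = var.resource_group
}

# 2. Least-privilege grant: the four roles the page lists, scoped to the
#    VPC Infrastructure service ("is") inside one resource group, not the whole account.
resource "ibm_iam_trusted_profile_policy" "vpc_policy" {
  profile_id = ibm_iam_trusted_profile.profile_id.id
  roles      = ["Writer", "Viewer", "Reader", "Editor"]

  resources {
    service           = "is"
    resource_group_id = data.ibm_resource_group.resource_group.id
  }
}

# 3. Link the profile to the dashboard VSI at creation time. The metadata service
#    must be enabled for the instance identity token to be available to the workload.
resource "ibm_is_instance" "dashboard-vm" {
  name    = "${var.basename}-dashboard"
  image   = data.ibm_is_image.linux.id
  profile = var.dashboard-machine-type
  vpc     = ibm_is_vpc.sandbox-vpc.id
  zone    = var.zones[0]
  keys    = [data.ibm_is_ssh_key.ssh_key_id.id]

  primary_network_interface {
    subnet          = ibm_is_subnet.subnets.id                 # assumes a single subnet
    security_groups = [ibm_is_security_group.dashboard_sg.id]  # illustrative SG name
  }

  # No ibm_is_floating_ip is attached to this instance on purpose:
  # it is reachable only through the bastion host.
  metadata_service_enabled          = true
  default_trusted_profile_target    = ibm_iam_trusted_profile.profile_id.id
  default_trusted_profile_auto_link = true
}
```

Because the VSI obtains short-lived IAM tokens through its instance identity, rotating or revoking access is a matter of editing the trusted profile's policies; nothing on the instance needs to change, and a compromised dashboard VSI cannot reach anything outside the `is` service in that resource group.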
- Bastion host
- Dashboard VSI
You can pass remote_allowed_ips for the bastion host security group during Terraform provisioning to open port 22 (SSH) only for specific source IPs. The performance dashboard security group allows inbound traffic on ports 80 (UI), 22 (SSH) and 8080 (API) only from members of the bastion host security group.
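The two security groups described above, as an added HCL example rather than the module's own main.tf. It reuses the names this page lists (`ibm_is_vpc.sandbox-vpc`, `ibm_is_security_group.login_sg`, the `login_ingress_tcp` / `login_egress_tcp` rules and the `remote_allowed_ips` variable); the `dashboard_sg` group name, the `validation` block on the variable and the `for_each` layout are assumptions made for the example.

```hcl
# Added example, not the module's own code. Names marked "assumed" are illustrative.

variable "remote_allowed_ips" {
  description = "Source IPs or CIDRs allowed to reach the bastion host on port 22"
  type        = list(string)

  # Assumed guard (not in the module): refuse a world-open SSH port on the bastion.
  validation {
    condition     = !contains(var.remote_allowed_ips, "0.0.0.0/0")
    error_message = "remote_allowed_ips must list specific source IPs/CIDRs, not 0.0.0.0/0."
  }
}

# --- Bastion host security group -------------------------------------------
resource "ibm_is_security_group" "login_sg" {
  name = "${var.basename}-bastion-sg"
  vpc  = ibm_is_vpc.sandbox-vpc.id
}

# One inbound rule per allowed source, port 22 only.
resource "ibm_is_security_group_rule" "login_ingress_tcp" {
  for_each  = toset(var.remote_allowed_ips)
  group     = ibm_is_security_group.login_sg.id
  direction = "inbound"
  remote    = each.value

  tcp {
    port_min = 22
    port_max = 22
  }
}

# Outbound TCP so the bastion can reach the dashboard VSI and package mirrors.
resource "ibm_is_security_group_rule" "login_egress_tcp" {
  group     = ibm_is_security_group.login_sg.id
  direction = "outbound"
  remote    = "0.0.0.0/0"

  tcp {
    port_min = 1
    port_max = 65535
  }
}

# --- Dashboard security group (assumed name) -------------------------------
resource "ibm_is_security_group" "dashboard_sg" {
  name = "${var.basename}-dashboard-sg"
  vpc  = ibm_is_vpc.sandbox-vpc.id
}

# 80 (UI), 22 (SSH) and 8080 (API) are reachable only from members of the
# bastion security group: "remote" is a security group ID, not a CIDR,
# so no public address can ever match these rules.
resource "ibm_is_security_group_rule" "dashboard_from_bastion" {
  for_each  = { ui = 80, ssh = 22, api = 8080 }
  group     = ibm_is_security_group.dashboard_sg.id
  direction = "inbound"
  remote    = ibm_is_security_group.login_sg.id

  tcp {
    port_min = each.value
    port_max = each.value
  }
}
```

A typical terraform.tfvars entry would be `remote_allowed_ips = ["203.0.113.10/32"]` (a constructed documentation address): one /32 per operator workstation rather than a broad office range. Because the dashboard rules reference the bastion group by ID, adding or removing bastion hosts never requires touching the dashboard rules.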
This Terraform module prints the commands to access the sandbox dashboard application through the bastion tunnel after the resources are provisioned successfully. It gives you the following command to run in your local terminal; once the tunnel is up, the sandbox dashboard is available at http://localhost:38080:

```sh
ssh -i [SSHKeyPath] -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -L 38080:[dashboard-internalIP]:80 root@[bastion_fip]
```
Though the materials provided herein are not supported by the IBM Service organization, your comments are welcomed by the developers, who reserve the right to revise or remove the materials at any time. For reporting a problem, providing suggestions, or comments regarding the IBM Cloud Virtual Servers for VPC Sandbox, users can open a GitHub issue. All issues will be addressed as best effort by developers.
Please note that there are no warranties of any kind, and there is no service or technical support available for these materials from IBM. As a recommended practice, carefully review any materials before using them.
If you have problems or questions when you are using the IBM Sandbox for VPC, you can use the following options:
- User Guide
- FAQ
- Open a git issue
Name | Version |
---|---|
terraform | >= 1.0.0 |
ibm | 1.62.0 |
random | 3.5.1 |

Name | Source | Version |
---|---|---|
bastion_host | ./modules/instance | n/a |
logdna | ./modules/logdna | n/a |

Name | Type |
---|---|
ibm_iam_trusted_profile.profile_id | resource |
ibm_iam_trusted_profile_policy.rg_policy | resource |
ibm_iam_trusted_profile_policy.vpc_policy | resource |
ibm_is_floating_ip.main | resource |
ibm_is_instance.dashboard-vm | resource |
ibm_is_public_gateway.gateway | resource |
ibm_is_security_group.login_sg | resource |
ibm_is_security_group_rule.dashboard_api_rule | resource |
ibm_is_security_group_rule.dashboard_outbound | resource |
ibm_is_security_group_rule.dashboard_ssh_self | resource |
ibm_is_security_group_rule.dashboard_ui_rule | resource |
ibm_is_security_group_rule.login_egress_tcp | resource |
ibm_is_security_group_rule.login_ingress_tcp | resource |
ibm_is_subnet.subnets | resource |
ibm_is_vpc.sandbox-vpc | resource |
ibm_is_vpc_address_prefix.prefixes | resource |
random_string.resource_identifier | resource |
ibm_is_image.linux | data source |
ibm_is_ssh_key.ssh_key_id | data source |
ibm_resource_group.resource_group | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
address_prefix_cidrs | Address prefixes to create in the VPC | list(string) | [] | no |
basename | Basename of the created resources | string | "sbox" | no |
dashboard-machine-type | Machine type (profile) for the dashboard VSI | string | "bx2d-4x16" | no |
ibmcloud_api_key | The IBM Cloud platform API key needed to deploy IAM-enabled resources | string | n/a | yes |
ibmcloud_ssh_key_name | The IBM Cloud platform SSH key name used to deploy sandbox instances | string | n/a | yes |
logdna_enable_platform | Enables platform logging | bool | false | no |
logdna_ingestion_key | Ingestion key of an existing LogDNA instance. To get the ingestion key, follow https://cloud.ibm.com/docs/log-analysis?topic=log-analysis-ingestion_key&interface=ui . If not set, a new LogDNA instance is created when logdna_integration is true. | string | "" | no |
logdna_integration | Set to false if LogDNA is not needed; disabling is only recommended for non-production environments. | bool | true | no |
logdna_name | Name for the LogDNA instance. | string | "logging" | no |
logdna_plan | Service plan used for a new LogDNA instance; valid options are lite, 7-day, 14-day, 30-day, hipaa | string | "lite" | no |
personal_access_token | Personal access token, internal IBM use only | string | "" | no |
region | IBM Cloud region where all resources will be deployed. SPR VSIs are available in Dallas, London, Frankfurt, etc. Please refer this | string | "us-south" | no |
remote_allowed_ips | List of source IPs allowed to access the bastion host | list(string) | n/a | yes |
resource_group | The IBM resource group name to be associated with this IBM Cloud VPC Sandbox deployment | string | "Default" | no |
sandbox_ui_repo_url | Sandbox UI repo download URL, e.g. https://github.com/username/repository-name/archive/master.zip | string | "https://github.com/IBM-Cloud/sandbox-benchmark-dashboard-for-vpc/archive/main.zip" | no |
sandbox_uipassword | Sandbox UI password. The password must contain at least one uppercase character, one lowercase character and one number, must not contain the word 'password', and must be 12 to 63 characters long. | string | n/a | yes |
subnet_cidrs | Subnet CIDRs to use in each zone; required when using address_prefix_cidrs | list(string) | [] | no |
subnet_ipv4_count | Count of IPv4 addresses in each zone; ignored when using address_prefix_cidrs | number | 256 | no |
zones | IBM Cloud zone name within the selected region where the Sandbox infrastructure should be deployed. Learn more | list(string) | [ | no |

Name | Description |
---|---|
access_info | Provides the commands needed to access the instances via the bastion tunnel |
trusted_profile | The ID of the trusted profile |
vpc_name | The ID of the VPC |