fix: major cleanup

.secrets.baseline

@@ -3,7 +3,7 @@
  "files": "go.sum|^.secrets.baseline$",
  "lines": null
  },
- "generated_at": "2023-05-11T10:56:04Z",
+ "generated_at": "2023-05-12T16:01:54Z",
  "plugins_used": [
  {
  "name": "AWSKeyDetector"
@@ -76,7 +76,18 @@
  "name": "TwilioKeyDetector"
  }
  ],
- "results": {},
+ "results": {
+ "README.md": [
+ {
+ "hashed_secret": "ff9ee043d85595eb255c05dfe32ece02a53efbb2",
+ "is_secret": false,
+ "is_verified": false,
+ "line_number": 19,
+ "type": "Secret Keyword",
+ "verified_result": null
+ }
+ ]
+ },
  "version": "0.13.1+ibm.60.dss",
  "word_list": {
  "file": null,

examples/complete/README.md

@@ -1,12 +1,11 @@
-# Complete example with BYOK encryption, autoscaling, CBR rules, VPE creation and read-only replica provisioning
+# Complete example with BYOK encryption, autoscaling, CBR rules, VPE creation, and read-only replica provisioning
 
-An end-to-end example that uses the module's default variable values. This example uses the IBM Cloud terraform provider to:
+An end-to-end example that does the following:
 
 - Create a new resource group if one is not passed in.
-- Create a new ICD Postgresql database instance with auto-scaling (automatically increase resources) enabled.
 - Create Key Protect instance with root key.
-- Backend encryption using generated Key Protect key.
-- Create a Sample VPC.
-- Create Context Based Restriction(CBR) to only allow Postgresql to be accessible from the VPC.
-- Create a security group and a VPE for the postgres instance
-- Create a read-only replica of the leader Postgresql database instance.
+- Create a new ICD PostgreSQL database instance with auto-scaling and BYOK encryption enabled.
+- Create a Virtual Private Cloud (VPC).
+- Create Context Based Restriction (CBR) to only allow Postgresql to be accessible from the VPC.
+- Create a security group and a VPE for the PostgreSQL instance.
+- Create a read-only replica of the leader Postgresql database instance. For more info on Read-only Replicas, see [Configuring Read-only Replicas](https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-read-only-replicas)

examples/complete/main.tf

@@ -14,7 +14,7 @@ module "resource_group" {
 ##############################################################################
 
 module "key_protect_all_inclusive" {
- source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-all-inclusive.git?ref=v4.0.0"
+ source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-all-inclusive.git?ref=v4.1.0"
  resource_group_id = module.resource_group.resource_group_id
  # Note: Database instance and Key Protect must be created in the same region when using BYOK
  # See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok

examples/complete/variables.tf

@@ -101,7 +101,7 @@ variable "read_only_replicas_count" {
 }
 
 variable "replica_member_memory_mb" {
- type = string
+ type = number
  description = "Memory allocation required for postgresql read-only replica database"
  default = "3072"
  validation {

examples/fscloud/README.md

@@ -5,9 +5,6 @@ An end-to-end example that uses the [Profile for IBM Cloud Framework for Financi
 The example uses the IBM Cloud Terraform provider to create the following infrastructure:
 
 - A resource group, if one is not passed in.
-- A Key Protect instance with a root key.
-- Backend encryption that uses the generated Key Protect key.
-- An IAM authorization between the PostgreSQL database resource group and the Key Protect instance for the `backup_encryption_key_crn`. This is because backup encryption keys are not yet supported by Hyper Protect Crypto Services.
 - An IAM authorization between the PostgreSQL database resource group and the Hyper Protect Crypto Services permanent instance.
 - An IBM Cloud Databases PostgreSQL database instance and credentials that are encrypted with the Hyper Protect Crypto Services resources that are passed in.
 - A sample virtual private cloud (VPC).

examples/fscloud/main.tf

@@ -9,31 +9,6 @@ module "resource_group" {
  existing_resource_group_name = var.resource_group
 }
 
-##############################################################################
-# Key Protect All Inclusive
-##############################################################################
-
-# Need Key Protect instance for backup_encryption_key_crn as backup encryption key is not supported by Hyper Protect instaces yet.
-module "key_protect_all_inclusive" {
- source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-all-inclusive.git?ref=v4.1.0"
- resource_group_id = module.resource_group.resource_group_id
- # Note: Database instance and Key Protect must be created in the same region when using BYOK
- # See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok
- region = var.region
- key_protect_instance_name = "${var.prefix}-kp"
- resource_tags = var.resource_tags
- key_map = { "icd-pg" = ["${var.prefix}-pg"] }
-}
-
-# Create IAM Access Policy to allow Key protect to access Postgres instance
-resource "ibm_iam_authorization_policy" "policy" {
- source_service_name = "databases-for-postgresql"
- source_resource_group_id = module.resource_group.resource_group_id
- target_service_name = "kms"
- target_resource_instance_id = module.key_protect_all_inclusive.key_protect_guid
- roles = ["Reader"]
-}
-
 ##############################################################################
 # Get Cloud Account ID
 ##############################################################################
@@ -77,7 +52,6 @@ module "cbr_zone" {
 ##############################################################################
 
 module "postgresql_db" {
- depends_on = [ibm_iam_authorization_policy.policy]
  source = "../../profiles/fscloud"
  resource_group_id = module.resource_group.resource_group_id
  name = "${var.prefix}-postgres"
@@ -86,7 +60,6 @@ module "postgresql_db" {
  kms_key_crn = var.kms_key_crn
  existing_kms_instance_guid = var.existing_kms_instance_guid
  resource_tags = var.resource_tags
- backup_encryption_key_crn = module.key_protect_all_inclusive.keys["icd-pg.${var.prefix}-pg"].crn
  cbr_rules = [
  {
  description = "${var.prefix}-postgres access only from vpc"

examples/pitr/README.md

@@ -1,7 +1,7 @@
 # Point in time recovery example (PITR)
 
-This example provides an end-to-end creation of a new PostgreSQL instance, then creating a new PostgreSQL instance pointing to a PITR time. This example uses the IBM Cloud terraform provider to:
+This example provides an end-to-end solution that:
 
-- Create a new resource group if one is not passed in.
-- Create a new ICD Postgresql database instance.
-- Create a new PostgreSQL instance pointing to a PITR time.
+- Creates a new resource group if one is not passed in.
+- Creates a new ICD Postgresql database instance.
+- Creates a new PostgreSQL instance pointing to a PITR time.

examples/pitr/main.tf

@@ -20,10 +20,9 @@ module "postgresql_db_pitr" {
  name = "${var.prefix}-postgres-pitr"
  region = var.region
  resource_tags = var.resource_tags
- configuration = var.configuration
- member_memory_mb = var.member_memory_mb
- member_disk_mb = var.member_disk_mb
- member_cpu_count = var.member_cpu_count
+ member_memory_mb = 3072
+ member_disk_mb = 15360
+ member_cpu_count = 9
  pg_version = var.pg_version
  pitr_id = var.pitr_id
  pitr_time = data.ibm_database_point_in_time_recovery.database_pitr.earliest_point_in_time_recovery_time

examples/pitr/variables.tf

@@ -34,64 +34,7 @@ variable "resource_tags" {
  default = []
 }
 
-variable "configuration" {
- description = "(Optional, Json String) Database Configuration in JSON format."
- type = object({
- max_connections = optional(number)
- max_prepared_transactions = optional(number)
- deadlock_timeout = optional(number)
- effective_io_concurrency = optional(number)
- max_replication_slots = optional(number)
- max_wal_senders = optional(number)
- shared_buffers = optional(number)
- synchronous_commit = optional(string)
- wal_level = optional(string)
- archive_timeout = optional(number)
- log_min_duration_statement = optional(number)
- })
- default = null
-}
-
 variable "pitr_id" {
  type = string
- description = "The ID of the postgresql instance that you want to recover back to. Here ID of the postgresql instance is expected to be up and in running state."
-}
-
-variable "member_memory_mb" {
- type = string
- description = "Memory allocation required for postgresql read-only replica database"
- default = "3072"
- validation {
- condition = alltrue([
- var.member_memory_mb >= 3072,
- var.member_memory_mb <= 114688
- ])
- error_message = "member group memory must be >= 3072 and <= 114688 in increments of 384"
- }
-}
-
-variable "member_disk_mb" {
- type = string
- description = "Disk allocation required for postgresql read-only replica database"
- default = "15360"
- validation {
- condition = alltrue([
- var.member_disk_mb >= 15360,
- var.member_disk_mb <= 4194304
- ])
- error_message = "member group disk must be >= 15360 and <= 4194304 in increments of 1536"
- }
-}
-
-variable "member_cpu_count" {
- type = string
- description = "CPU allocation required for the postgresql read-only replica database"
- default = "9"
- validation {
- condition = alltrue([
- var.member_cpu_count >= 9,
- var.member_cpu_count <= 28
- ])
- error_message = "member group cpu must be >= 9 and <= 28 in increments of 1"
- }
+ description = "The ID of the source deployment PostgreSQL instance that you want to recover back to. The PostgreSQL instance is expected to be in an up and in running state."
 }

main.tf

@@ -1,22 +1,20 @@
 ##############################################################################
-# ICD Postgresql modules
-#
-# Creates ICD Postgresql instance
+# ICD PostgreSQL module
 ##############################################################################
 
 locals {
- # Validation
+ # Validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
  # tflint-ignore: terraform_unused_declarations
  validate_pitr_vars = (var.pitr_id != null && var.pitr_time == null) || (var.pitr_time != null && var.pitr_id == null) ? tobool("To use Point-In-Time Recovery (PITR), values for both var.pitr_id and var.pitr_time need to be set. Otherwise, unset both of these.") : true
  # tflint-ignore: terraform_unused_declarations
  validate_kms_vars = var.kms_encryption_enabled && var.kms_key_crn == null && var.backup_encryption_key_crn == null ? tobool("When setting var.kms_encryption_enabled to true, a value must be passed for var.kms_key_crn and/or var.backup_encryption_key_crn") : true
  # tflint-ignore: terraform_unused_declarations
- validate_backup_encryption_key = var.kms_encryption_enabled && can(regex(".*hs-crypto.*", local.backup_encryption_key_crn)) ? tobool("Hyper Protect Crypto Services for IBM Cloud® Databases backups is not currently supported. You must either pass a Key Protect CRN for the value of var.backup_encryption_key_crn, or don't pass any value for it to use the default encryption.") : true
- # tflint-ignore: terraform_unused_declarations
  validate_auth_policy = var.kms_encryption_enabled && var.skip_iam_authorization_policy == false && var.existing_kms_instance_guid == null ? tobool("When var.skip_iam_authorization_policy is set to false, and var.kms_key_crn is not null, a value must be passed for var.existing_kms_instance_guid.") : true
 
- # If no value passed for 'backup_encryption_key_crn' use the value of 'kms_key_crn'
- backup_encryption_key_crn = var.backup_encryption_key_crn != null ? var.backup_encryption_key_crn : var.kms_key_crn
+ # If no value passed for 'backup_encryption_key_crn' use the value of 'kms_key_crn'. If this is a HPCS key (which is not currently supported for backup encryption), default to 'null' meaning encryption is done using randomly generated keys
+ # More info https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs
+ backup_encryption_key_crn = var.backup_encryption_key_crn != null ? var.backup_encryption_key_crn : (can(regex(".*kms.*", var.kms_key_crn)) ? var.kms_key_crn : null)
+
  # Determine if auto scaling is enabled
  auto_scaling_enabled = var.auto_scaling == null ? [] : [1]
  # Determine what KMS service is being used for database encryption
@@ -27,7 +25,7 @@ locals {
  ) : null
 }
 
-# Create IAM Authorization Policies to allow postgresql to access kms for the encryption key
+# Create IAM Authorization Policies to allow PostgreSQL to access KMS for the encryption key
 resource "ibm_iam_authorization_policy" "kms_policy" {
  count = var.kms_encryption_enabled == false || var.skip_iam_authorization_policy ? 0 : 1
  source_service_name = "databases-for-postgresql"
@@ -60,7 +58,7 @@ resource "ibm_database" "postgresql_db" {
  point_in_time_recovery_time = var.pitr_time
 
  group {
- group_id = "member" #Only member type is allowed for postgresql
+ group_id = "member" # Only member type is allowed for postgresql
  memory {
  allocation_mb = var.member_memory_mb
  }