Setting up Terraform for IBM Cloud Logs
Terraform on IBM Cloud® enables predictable and consistent provisioning of IBM Cloud services so that you can rapidly build complex, multitier cloud environments that follow Infrastructure as Code (IaC) principles. Similar to using the IBM Cloud CLI or API and SDKs, you can automate the provisioning, update, and deletion of your IBM Cloud Logs instances by using HashiCorp Configuration Language (HCL).
Looking for a managed Terraform on IBM Cloud solution? Try out IBM Cloud® Schematics. With Schematics, you can use the Terraform scripting language that you are familiar with, but you don't need to worry about setting up and maintaining the Terraform command line and the IBM Cloud Provider plug-in. Schematics also provides pre-defined Terraform templates that you can install from the IBM Cloud catalog.
Before you begin, ensure that you have the required access to create and work with IBM Cloud Logs resources.
Step 1. Install the Terraform CLI
Complete the following steps to install the Terraform CLI:
-
Create a terraform folder on your local machine, and navigate to your terraform folder.
mkdir terraform && cd terraform
-
Download the Terraform version that you want. For example, you can download
terraform_0.15.5_darwin_amd64.zip
for a MacOS.The IBM Cloud Provider plug-in for Terraform currently supports Terraform version 0.15.x or later. Make sure to select a supported Terraform version.
-
Extract the Terraform zip file and copy the files to your terraform directory.
-
Set the environment PATH variable to your Terraform files.
export PATH=$PATH:<terraform-directory>/terraform
-
Verify that the installation is successful by using a terraform command.
./terraform
Step 2. Set up the IBM Cloud Provider plug-in
After the Terraform CLI installation is complete, you must set up the IBM Cloud Provider plug-in for Terraform so that you can start working with resources and services in IBM Cloud. For a list of supported versions, see the IBM Cloud Provider plug-in releases.
To run your Terraform configuration files with Terraform version 0.15.x or higher, complete the following steps:
-
Create a
versions.tf
file and specify the IBM Cloud Provider plug-in version that you want to use with theversion
parameter.terraform { required_providers { ibm = { source = "IBM-Cloud/ibm" version = "<provider version>" } } }
For example:
terraform { required_version = ">= 0.15" required_providers { ibm = { source = "ibm-cloud/ibm" version = "~>1.33.0" } } }
-
Store the
versions.tf
file in your Git repository or the folder where Terraform is set up.
If you are using Terraform on IBM Cloud modules, you must add a versions.tf
file to all the module folders. You can refer the Terraform provider block from the provider registry. You can use the IBM Cloud Observability - Terraform Module module to configure an instance.
Step 3. Configure the IBM Cloud Provider plug-in
After you complete the set up, you must configure the IBM Cloud Provider plug-in.
Before you can start working with Terraform on IBM Cloud, you must retrieve the credentials and parameters that are required for a Terraform resource or data source, and specify them in the provider
configuration. This configuration
is used by the IBM Cloud Provider plug-in to authenticate with the IBM Cloud platform and to view, create, update, or delete IBM Cloud resources and services.
The following table lists input parameters that you can set in the provider
block of your Terraform on IBM Cloud configuration file:
Input parameter | Required / optional | Description |
---|---|---|
ibmcloud_api_key |
Required | The IBM Cloud API key to authenticate with the IBM Cloud platform. For more information, about how to create an API key, see Creating an API key. You can
specify the API key in the provider block or retrieve the value from the IC_API_KEY or IBMCLOUD_API_KEY environment variables. If both environment variables are defined, IC_API_KEY takes precedence. |
ibmcloud_timeout |
Optional | The number of seconds that you want to wait until the IBM Cloud API is considered unavailable. The default value is 60 . You can specify the timeout in the provider block or retrieve the value from the IC_TIMEOUT or IBMCLOUD_TIMEOUT environment variables. If both variables are specified, IC_TIMEOUT takes precedence. |
region |
Optional | The IBM Cloud region where you want to create your resources. If this value is not specified, us-south is used by default. You can specify the region in the provider block or retrieve the value from the IBMCLOUD_REGION or IC_REGION environment variables. If both environment variables are specified, IC_REGION takes precedence. |
resource_group |
Optional | The ID of the resource group that you want to use for your IBM Cloud resources. To retrieve the ID, run ibmcloud resource groups . You can specify the resource group in the provider block or retrieve the value
from the IC_RESOURCE_GROUP or IBMCLOUD_RESOURCE_GROUP environment variables. If both environment variables are defined, IC_RESOURCE_GROUP takes precedence. |
For more information on how to use environment variables, see Using environment variables.
You can add multiple provider configurations within the same Terraform on the IBM Cloud configuration file to create your IBM Cloud resources with different provider parameters. For example, you can multiple providers so that you can use different input parameters, such as different regions, zones, infrastructure generations, or accounts to create the IBM Cloud resources in your Terraform on IBM Cloud configuration file. For more information, see Multiple Provider Instances.
Referencing credentials from a Terraform tfvars file
Store sensitive information, such as credentials, in a local terraform.tfvars
file and reference these credentials in your provider
block.
Do not commit the terraform.tfvars
into a public source repository. This file is meant to onnly be stored on your local machine.
-
Create a
terraform.tfvars
file on your local machine and add the input parameters that are required for your resource or data source.ibmcloud_api_key = "<ibmcloud_api_key>" region = "region"
-
Create a
provider.tf
file and use Terraform interpolation syntax to reference the variables from theterraform.tfvars
.variable "ibmcloud_api_key" {} variable "region" {} provider "ibm" { ibmcloud_api_key = var.ibmcloud_api_key region = var.region }
Step 4. Initialize the Terraform CLI.
Next, initialize the Terraform CLI. Run the following command:
./terraform init
You should see the following message: Terraform has been successfully initialized!
.
Step 5. Create a variables file
Create a variables file that is named variables.tf
to include hard-coded values.
The following sample lists variables that you can use when you provision an instance:
variable "ibm_region" {
description = "Name of the region where the instance will be deployed"
type = string
default = "eu-gb"
}
variable "existing_logdna_instance_name" {
description = "Specify an existing IBM Log Analysis instance name"
type = string
default = "IBM Log Analysis-3e"
}
variable "existing_logdna_resource_group_name" {
type = string
description = "Resource group for the existing Log Analysis instance."
default = "Default"
}
variable "rg_name" {
type = string
default = "Default"
}
variable "resource_tags" {
type = string
default = "01a9f76b-0g58-453e-88a0-85917bbf9859,access:stage,type:demo,demo,dev"
}
To see the list of valid regions, see Locations.
Step 6. Create a Terraform configuration file
Next, create a Terraform configuration file that is named main.tf
. In this file, you add the configuration to create a IBM Cloud Logs instance and to assign a user an access policy in Identity and Access Management (IAM) by using
HashiCorp Configuration Language (HCL). For more information, see the Terraform documentation.
The following code shows a sample configuration file to provision an instance. To retrieve the ID of the default resource group, the ibm_resource_group
data source is used. The region is retrieved from the terraform.tfvars
file that you created in step 1. Then, the user user@ibm.com
is assigned the Manager role in the IAM access policy for the namespace for a particular region.
data "ibm_resource_group" "group" {
name = var.resource_group_name
}
locals {
instance_name = "${var.name}-${var.location}"
}
// Create an auditing instance
resource "ibm_resource_instance" "resource_instance" {
name = local.instance_name
service = var.service_type
plan = var.plan
location = var.location
resource_group_id = data.ibm_resource_group.group.id
tags = ["logging", "public"]
}
// Create the resource key that is associated with the {{site.data.keyword.la_short}} instance
resource "ibm_resource_key" "resourceKey" {
name = var.key_name
role = "Manager"
resource_instance_id = ibm_resource_instance.instance.id
}
// Add a user policy for using the resource instance
resource "ibm_iam_user_policy" "policy" {
ibm_id = "user@ibm.com"
roles = ["Manager", "Viewer"]
resources {
service = "logs"
resource_instance_id = element(split(":", ibm_resource_instance.instance.id), 7)
}
}
For additional information on how to use Terraform for IBM Cloud resources, see:
Step 7. Provision resources
Complete the following steps:
-
Initialize the Terraform CLI.
./terraform init
-
Create a Terraform execution plan. The Terraform execution plan summarizes all the actions that need to be run to create the IBM Cloud Logs instance, the resource key, and IAM access policy in your account.
./terraform plan
-
Create the resources.
./terraform apply
To delete resources, run
./terraform destroy
.
What's next?
Verify that the resources are created.
- Launch the Observability UI and check the instance has been created.
- Launch Access (IAM). Select Service IDs and look for the resource key.
- Review the user assigned access in the console.