IBM Cloud Docs
Provisioning an IBM Cloud virtual server for VPC

Provisioning an IBM Cloud virtual server for VPC

Use IBM Cloud Provider plug-in to provision a VPC, and set up networking for your VPC, and provision a virtual server for VPC in your IBM Cloud account. A VPC allows you to create your own space in IBM Cloud so that you can run an isolated environment in the public cloud with custom network policies.

Objectives

In this tutorial, you will learn to provisions:

  • 1 VPC where you provision your VPC virtual server instance
  • 1 security group and a rule for this security group to allow SSH connection to your virtual server instance
  • 1 subnet to enable networking in your VPC
  • 1 VPC virtual server instance
  • 1 floating IP address that you use to access your VPC virtual server instance over the public network

Keep in mind that a VPC virtual server instance is an IBM Cloud VPC infrastructure resource that incurs costs. Be sure to review the available plans before you proceed.

Audience

This tutorial is intended for system administrators who want to learn how to provision an IBM Cloud virtual server for a VPC by using IBM Cloud Provider.

Prerequisites

Create the Terraform configuration files

  1. Make sure that you have the required permissions to create and work with VPC infrastructure.

  2. In the Terraform directory, create a configuration file names versions.tf file as specified in the code block. For more information, about versions.tf, refer to sample Terraform version file.

    terraform {
     required_version = ">=1.0.0, <2.0"
     required_providers {
       ibm = {
       source = "IBM-Cloud/ibm"
      }
     }
    }
    
  3. From your Terraform directory, export IC_API_Key variable to set environment variable in your local machine. For more information, about how to setup the environment variables? see Using environment variable.

    Example

    export IC_API_Key="<provide your IBM Cloud API Key>"

  4. In the Terraform directory, create a Terraform configuration file and name it vpc.tf. The configuration file includes the following definition blocks:

    variable "ssh_key" {
    }
    
    locals {
        BASENAME = "vpctestexample"
        ZONE     = "us-south-1"
    }
    
    resource "ibm_is_vpc" "vpc" {
        name = "${local.BASENAME}-vpc"
    }
    
    resource "ibm_is_security_group" "sg1" {
        name = "${local.BASENAME}-sg1"
        vpc  = ibm_is_vpc.vpc.id
    }
    
    # allow all incoming network traffic on port 22
    resource "ibm_is_security_group_rule" "ingress_ssh_all" {
        group     = ibm_is_security_group.sg1.id
        direction = "inbound"
        remote    = "0.0.0.0/0"
    
        tcp {
          port_min = 22
          port_max = 22
        }
    }
    
    resource "ibm_is_subnet" "subnet1" {
        name                     = "${local.BASENAME}-subnet1"
        vpc                      = ibm_is_vpc.vpc.id
        zone                     = local.ZONE
        total_ipv4_address_count = 256
    }
    
    data "ibm_is_image" "centos" {
        name = "ibm-centos-7-6-minimal-amd64-1"
    }
    
    data "ibm_is_ssh_key" "ssh_key_id" {
        name = var.ssh_key
    }
    
    resource "ibm_is_instance" "vsi1" {
        name    = "${local.BASENAME}-vsi1"
        vpc     = ibm_is_vpc.vpc.id
        zone    = local.ZONE
        keys    = [data.ibm_is_ssh_key.ssh_key_id.id]
        image   = data.ibm_is_image.centos.id
        profile = "cx2-2x4"
    
        primary_network_interface {
            subnet          = ibm_is_subnet.subnet1.id
            security_groups = [ibm_is_security_group.sg1.id]
        }
    
    resource "ibm_is_floating_ip" "fip1" {
        name   = "${local.BASENAME}-fip1"
        target = ibm_is_instance.vsi1.primary_network_interface[0].id
        }
    
        output "sshcommand" {
        value = "ssh root@${ibm_is_floating_ip.fip1.address}"
        }
     }   
    

    For more information, about the description of the resource argument, refer to registry documentation. The table specifies the registry link of each resources and data sources.

    Registry link of the resources
    Resource name Registry documentation link
    ibm_is_vpc Docs
    ibm_is_security_group Docs
    ibm_is_security_group_rule Docs
    ibm_is_instance Docs
    ibm_is_floating_ip Docs
    ibm_is_subnet Docs
    Registry link of the data sources
    Data Sources name Registry documentation link
    ibm_is_ssh_key Docs
    ibm_is_image Docs

Initializing Terraform

Run the Terraform initialization command and observe the successful execution.

terraform init

Example output

2021/06/22 16:47:27 [WARN] Log levels other than TRACE are currently unreliable, and are supported only for backward compatibility.
Use TF_LOG=TRACE to see Terraform's internal logs.
----
2021/06/22 16:47:27 [INFO] Terraform version: 0.13.5  
2021/06/22 16:47:27 [INFO] Go runtime version: go1.14.7
terraform/plugins/darwin_amd64/lock.json: no such file or directory

Initializing provider plugins...
- Using previously-installed ibm-cloud/ibm v1.26.2

Terraform has been successfully initialized!
...
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Generating Terraform plan

Generate an Terraform on IBM Cloud execution plan. When you execute this command, Terraform on IBM Cloud validates the syntax of your configuration file and resource definitions against the specifications that are provided by the IBM Cloud Provider plug-in.

Your SSH key name need to be provide during terraform plan and terraform apply execution.

terraform plan

Example output

var.ssh_key
    Enter a value: <Provide your SSH key name>
2021/06/22 16:48:53 [INFO] backend/local: plan operation completed

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
    + create

Terraform will perform the following actions:

    ibm_is_floating_ip.fip1 will be created
    + resource "ibm_is_floating_ip" "fip1" {
        ...
    }

    ibm_is_instance.vsi1 will be created
    + resource "ibm_is_instance" "vsi1" {
        ...
        }
    }

    ibm_is_security_group.sg1 will be created
    + resource "ibm_is_security_group" "sg1" {
        ...
    }

    ibm_is_security_group_rule.ingress_ssh_all will be created
    + resource "ibm_is_security_group_rule" "ingress_ssh_all" {
        ...
    }

    ibm_is_subnet.subnet1 will be created
    + resource "ibm_is_subnet" "subnet1" {
        ...
    }

    ibm_is_vpc.vpc will be created
    + resource "ibm_is_vpc" "vpc" {
        ...
    }

Plan: 6 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------

You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

Executing Terraform apply

Create the VPC infrastructure resources. Confirm the creation by entering yes when prompted.

terraform apply

Observe the terraform.tfstate file that is created in your directory. Terraform state file maps your resources to your configuration and keep track of the metadata. Also improves performance for the large infrastructures.

Example output

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
    + create

Terraform will perform the following actions:

ibm_is_floating_ip.fip1 will be created
+ resource "ibm_is_floating_ip" "fip1" {
    ...
}

ibm_is_instance.vsi1 will be created
+ resource "ibm_is_instance" "vsi1" {
    ...
    }
}

ibm_is_vpc.vpc will be created
+ resource "ibm_is_vpc" "vpc" {
    + address_prefix_management   = "auto"
...
}

Apply complete! Resources: 6 added, 0 changed, 0 destroyed.

Outputs:

sshcommand = ssh root@ibm_is_floating_ip.fip1.address

Analyzing the provisioned resource

  1. Log in to your VPC VSI by using the ssh command that is listed at the end of your command-line output of the previous step.

    ssh root@52.118.150.55 
    

    Example output

    The authenticity of host '52.116.134.139 (52.116.134.139)' can't be established.
    ECDSA key fingerprint is SHA256:ZZRZY07mx3ccmnS5+Tip7eDDVSL7jlunPbANcrCeEYE.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '52.116.134.139' (ECDSA) to the list of known hosts.
    
    -bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
    [root@vpctestexample-vsi1 ~]#
    
  2. You can verify that VPC and VSI are created by accessing your IBM Cloud console.

    • Click Navigation Menu icon > VPC Infrastructure > VPCs to view VPC named vpctestexample is created
    • Click Navigation Menu icon > VPC Infrastructure > Virtual server instances to view VSI named vsi1 is created

Executing Terraform destroy

Optional: If you don't want to work with your VPC infrastructure resources anymore, remove them.

terraform destroy

What's next?

Explore other IBM Cloud resources that you can provision by using Terraform on IBM Cloud.