nirajdp76
diff --git a/‎README.md
+29-16 b/‎README.md
+29-16
diff --git a/‎backends.tf
+49 b/‎backends.tf
+49
diff --git a/‎compute.tf
+48 b/‎compute.tf
+48
diff --git a/‎image.tf
+88 b/‎image.tf
+88
@@ -1,14 +1,23 @@
-# Virtual Server for Virtual Private Cloud using Custom Image
+# F5-BIGIP Virtual Server for Virtual Private Cloud using Custom Image
 
-With this template, you can use IBM Cloud Schematics to create F5-BIGIP virtual server using custom image from you IBM Cloud account. Schematics uses [Terraform](https://www.terraform.io/) as the infrastructure-as-code engine. With this template, you can create and manage infrastructure as a single unit as follows. For more information about how to use this template, see the [IBM Cloud Schematics documentation](https://cloud.ibm.com/docs/schematics).
+With this template, you can use IBM Cloud Schematics to create F5-BIGIP virtual server using custom image from your IBM Cloud account. Schematics uses [Terraform](https://www.terraform.io/) as the infrastructure-as-code engine. With this template, you can create and manage infrastructure as a single unit as follows. For more information about how to use this template, see the [IBM Cloud Schematics documentation](https://cloud.ibm.com/docs/schematics).
 
 **Included**:
-* 1 [virtual private cloud](https://cloud.ibm.com/docs/vpc-on-classic?topic=vpc-on-classic-getting-started) instance, in specified zone.
-* 1 [VPC virtual servers using bring your own custom F5-BigIP image](https://cloud.ibm.com/docs/vpc-on-classic-vsi?topic=vpc-on-classic-vsi-getting-started) instances per zone. 
+* 1. (1) Public-Gateway for given VPC
+* 2. (1) Subnet that will be used by F5-BIGIP VSI and attach the public-gateway
+* 3. (1) Security-Group with rules to allow access to F5-BIGIP admin portal
+* 4. (1) Custom Image using provided F5-BIGIP qcow2
+* 5. (1) F5-BIGIP VSI and attach security-group rules
+* 6. (1) FIP and attach to primary network interface of F5-BIGIP VSI
+* 7. (2) Backend VSI with nginx and customized welcome page (Demo purpose only)
 
 **Not included**:
 * This is a poc work.
-* [Bring your F5 Custom Image](https://cloud.ibm.com/docs/vpc-on-classic-vsi?topic=vpc-on-classic-vsi-images#custom-images)
+
+**Must have IBM IS Terraform Provider fixes**:
+* Provide `data source for ibm_login_target` that would provide some key information from provider session (example: account-id)
+* Provide `resource for ibm_is_image` - IS Image create, update, delete
+* Catalog offering Deployment variable must provide way to mark some variable sensitive (example: vendor svc account apikey)
 
 ## Costs
 
@@ -24,12 +33,7 @@ Before you can apply the template in IBM Cloud, complete the following steps.
 1.  Make sure that you have the following permissions in IBM Cloud Identity and Access Management:
     * **Manager** service access role for IBM Cloud Schematics
     * **Operator** platform role for VPC Infrastructure
-2.  Download the [`ibmcloud` command line interface (CLI) tool](https://cloud.ibm.com/docs/cli/reference/ibmcloud?topic=cloud-cli-install-ibmcloud-cli).
-3.  Install the `ibmcloud terraform` and `ibmcloud is` CLI plug-ins for Schematics and VPC infrastructure. **Tip**: To update your current plug-ins, run `ibmcloud plugin update`.
-    *  `ibmcloud plugin install schematics`
-    *  `ibmcloud plugin install vpc-infrastructure`
-4.  [Create or use an existing SSH key for VPC virtual servers](https://cloud.ibm.com/docs/vpc-on-classic-vsi?topic=vpc-on-classic-vsi-ssh-keys).
-5. [Bring your F5 Custom Image](https://cloud.ibm.com/docs/vpc-on-classic-vsi?topic=vpc-on-classic-vsi-images#custom-images)
+2.  Ensure given VPC and SSHKey already exists in your account.
 
 ## Configuring your deployment values
 
@@ -41,21 +45,30 @@ Fill in the following values, based on the steps that you completed before you b
 |Variable Name|Description|
 |-------------|-----------|
 |`ssh_public_key`|Enter the [public SSH key](https://cloud.ibm.com/docs/vpc-on-classic-vsi?topic=vpc-on-classic-vsi-ssh-keys) that you use to access your VPC virtual servers. Use the public key from the `~/.ssh/id_rsa.pub` file generated by the latest version of ssh-keygen tool, with the recommended key-size 2048.|
-|`f5_image`|The ID of the F5 custom image provisioned in your IBM Cloud account. To list available images, run `ibmcloud is images`. The default image is for an `f5-bigip` image in a demo account.|
 
 ### Optional values
 Before you apply your template, you can customize the following default variable values.
 
 |Variable Name|Description|Default Value|
 |-------------|-----------|-------------|
+|`ibmcloud_api_key`|[Temp hack] to workaround IBM IS Provider (Image Create) gap. The APIKey of the IBM Cloud account where resources will be provisioned.|`None`|
+|`ibmcloud_vnf_svc_api_key`|The APIKey of the IBM Cloud NFV service account that is hosting the F5-BIGIP qcow2 image file.|`None`|
 |`generation`|The VPC Generation to target. Valid values are 2 or 1..|`2`|
 |`region`|The VPC Region that you want your VPC to be provisioned. To list available zones, run `ibmcloud is regions`.|`us-south`|
 |`zone`|The VPC Zone that you want your VPC virtual servers to be provisioned. To list available zones, run `ibmcloud is zones`.|`us-south-1`|
-|`vpc_name`|The name of your VPC to be provisioned.|`f5-bigip-1nic-demo-vpc`|
-|`ssh_key_name`|The name of your public SSH key.|`f5-ssh-pub-ke`|
-|`f5_vsi_name`|The name of your F5 Virtual Server to be provisioned.|`f5-bigip-1nic-demo-appliance`|
-|`profile`|Enter the profile of compute CPU and memory resources that you want your VPC virtual servers to have. To list available profiles, run `ibmcloud is instance-profiles`.|`bx2-2x8`|
+|`resource_group`|The resource group to use. If unspecified, the account's default resource group is used. To list available resource groups, run `ibmcloud resource groups`.|`Default`|
+|`vpc_name`|The name of your VPC in which F5-BIGIP VSI is to be provisioned.|`None`|
+|`ssh_key_name`|The name of your public SSH key to be used for F5-BIGIP VSI.|`None`|
+|`f5_image_name`|The name of the F5 custom image to be provisioned in your IBM Cloud account.|`f5-bigip-15-0-1-0-0-11`|
+|`f5_vsi_name`|The name of your F5 Virtual Server to be provisioned.|`f5-1arm-vsi`|
+|`f5_profile`|Enter the profile of compute CPU and memory resources that you want your F5-BIGIP virtual servers to have. To list available profiles, run `ibmcloud is instance-profiles`.|`bx2-2x8`|
 |`f5_license`|Optional: The BYOL license key that you want your F5 virtual server in a VPC to be used by registration flow during cloud-init.|`None`|
+|`vnf_f5bigip_cos_instance_id`|Hidden: The COS instance-id hosting the F5-BIGIP qcow2 image.|`NA`|
+|`vnf_f5bigip_cos_image_url`|The COS image object url for F5-BIGIP qcow2 image.|`NA`|
 
 ## Outputs
 After you apply the template your VPC resources are successfully provisioned in IBM Cloud, you can review information such as the virtual server IP addresses and VPC identifiers in the Schematics log files, in the `Terraform SHOW` section.
+
+|Variable Name|Description|Default Value|
+|-------------|-----------|-------------|
+|f5_admin_portal|Web url to interact with F5-BIGIP admin portal.|`None`|
@@ -0,0 +1,49 @@
+##############################################################################
+# This file creates two compute instances that will be used by PoC to setup
+# F5-BIGIP loadbalancer. Each of the backend server will be enabled with nginx
+# and a customize welcome page via cloud-init.
+# - Two Virtual Server using ubuntu-18-04-amd64
+##############################################################################
+
+data "template_file" "welcom_page" {
+    template = "${file("${path.module}/templates/index.nginx-debian.html.tpl")}"
+    vars = {
+        server_marker = "One"
+    }
+}
+
+##############################################################################
+# Read Public Image using the image name and visibility
+##############################################################################
+data "ibm_is_image" "ubuntu_18_image" {
+  name        = "ibm-ubuntu-18-04-64"
+  visibility  = "public"
+}
+
+resource "ibm_is_instance" "backend_vsi" {
+  count     = 2
+  name      = "backend-vsi-0${count.index}"
+  image     = "${data.ibm_is_image.ubuntu_18_image.id}"
+  profile   = "cx2-2x4"
+
+  primary_network_interface = {
+    subnet  = "${ibm_is_subnet.f5_subnet1.id}"
+  }
+
+  vpc       = "${data.ibm_is_vpc.f5_vpc.id}"
+  zone      = "${data.ibm_is_zone.zone.name}"
+  keys      = ["${data.ibm_is_ssh_key.f5_ssh_pub_key.id}"]
+  user_data = <<EOF
+#!/bin/bash -v
+apt-get update -y
+apt-get install -y nginx > /tmp/nginx.log
+echo "${base64encode(data.template_file.welcom_page.rendered)}" | base64 -d | sed 's/SERVER_MARKER/${count.index}/g' > /var/www/html/index.nginx-debian.html
+service nginx start
+EOF
+
+  //User can configure timeouts
+  timeouts {
+    create = "10m"
+    delete = "10m"
+  }
+}
@@ -0,0 +1,48 @@
+##############################################################################
+# This file creates the compute instances for the solution.
+# - Virtual Server using F5-BIGIP custom image
+# - Two virtual servers initialized with nginx to demo Load Balancing using F5-BIGIP
+##############################################################################
+
+##############################################################################
+# Read/validate sshkey
+##############################################################################
+data "ibm_is_ssh_key" "f5_ssh_pub_key" {
+  name = "${var.ssh_key_name}"
+}
+
+##############################################################################
+# Read/validate vsi profile
+##############################################################################
+data "ibm_is_instance_profile" "f5_profile" {
+  name = "${var.f5_profile}"
+}
+
+##############################################################################
+# Create F5-BIGIP virtual server.
+##############################################################################
+resource "ibm_is_instance" "f5_vsi" {
+  name    = "${var.f5_vsi_name}"
+  image   = "${data.ibm_is_image.f5_custom_image.id}"
+  profile = "${data.ibm_is_instance_profile.f5_profile.name}"
+
+  primary_network_interface = {
+    subnet = "${ibm_is_subnet.f5_subnet1.id}"
+  }
+
+  vpc  = "${data.ibm_is_vpc.f5_vpc.id}"
+  zone = "${data.ibm_is_zone.zone.name}"
+  keys = ["${data.ibm_is_ssh_key.f5_ssh_pub_key.id}"]
+  # user_data = "$(replace(file("f5-userdata.sh"), "F5-LICENSE-REPLACEMENT", var.f5_license)"
+
+  //User can configure timeouts
+  timeouts {
+    create = "10m"
+    delete = "10m"
+  }
+
+  # Hack to handle some race condition; will remove it once have root caused the issues.
+  provisioner "local-exec" {
+    command = "sleep 30"
+  }
+}
@@ -0,0 +1,88 @@
+##############################################################################
+# This file creates custom image using F5-BIGIP qcow2 image hosted in vnfsvc COS
+#  - Creates IAM Authorization Policy in vnfsvc account
+#  - Creates Custom Image in User account
+#
+# Note: There are following gaps in ibm is provider and thus using Terraform tricks
+# to overcome the gaps for the PoC sake.
+# Gap1: IBM IS Provider missing resource implementation for is_image (Create, update, delete)
+# Gap2: IBM IS provider missing data source to read logged user provider session info
+# example: account-id
+##############################################################################
+
+# =============================================================================
+# Hack: parse out the user account from the vpc resource crn
+# Fix: Get data_source_ibm_iam_target added that would provide information
+# about user from provider session
+# =============================================================================
+locals {
+  user_acct_id = "${substr(element(split("a/", data.ibm_is_vpc.f5_vpc.resource_crn), 1),0,32)}"
+}
+
+##############################################################################
+# Create IAM Authorization Policy for user to able to create custom image
+# pointing to COS object url hosted in vnfsvc account.
+##############################################################################
+resource "ibm_iam_authorization_policy" "authorize_image" {
+  depends_on                    = ["data.ibm_is_vpc.f5_vpc"]
+  provider                      = "ibm.vfnsvc"
+  source_service_account        = "${local.user_acct_id}"
+  source_service_name           = "is"
+  source_resource_type          = "image"
+  target_service_name           = "cloud-object-storage"
+  target_resource_type          = "bucket"
+  roles                         = ["Reader"]
+  target_resource_instance_id   = "${var.vnf_f5bigip_cos_instance_id}"
+}
+
+##############################################################################
+# Read Custom Image using the image name and visibility
+##############################################################################
+data "ibm_is_image" "f5_custom_image" {
+  depends_on  = ["data.external.create_image_hack"]
+  name        = "${var.f5_image_name}"
+  visibility  = "private"
+}
+
+##############################################################################
+# Create Custom Image
+# Hack: Given ibm provider is missing ibm_is_image resource we using
+# external data provider tricks and provisining the resource using bash script.
+##############################################################################
+data "external" "create_image_hack" {
+  depends_on  = ["ibm_iam_authorization_policy.authorize_image"]
+  program     = ["bash", "${path.module}/scripts/create-image-hack.sh"]
+
+  query = {
+    ibmcloud_endpoint         = "${var.ibmcloud_endpoint}"
+    ibmcloud_api_key          = "${var.ibmcloud_api_key}"
+    generation                = "${var.generation}"
+    region                    = "${data.ibm_is_region.region.name}"
+    resource_group_id         = "${data.ibm_resource_group.rg.id}"
+    f5_image_name             = "${var.f5_image_name}"
+    vnf_f5bigip_cos_image_url = "${var.vnf_f5bigip_cos_image_url}"
+ }
+}
+
+# resource "null_resource" "null_custom_image" {
+#   # provisioner "local-exec" {
+#   #   command = "${path.module}/scripts/create-image-hack.sh"
+#   #   environment = {
+#   #     ibmcloud_api_key = "${var.ibmcloud_api_key}"
+#   #     generation = "${var.generation}"
+#   #     region = "${var.region}"
+#   #     resource_group_id = "${data.ibm_resource_group.rg.id}"
+#   #     f5_image_name = "${var.f5_image_name}"
+#   #     vnf_f5bigip_cos_image_url = "${var.vnf_f5bigip_cos_image_url}"
+#   #   }
+#   # }
+#   # provisioner "local-exec" {
+#   #   when        = "destroy"
+#   #   command = <<EOT
+#   #     ibmcloud plugin install vpc-infrastructure -f
+#   #     ibmcloud login --apikey ${var.ibmcloud_api_key} -r "${var.region}" -g "${var.resource_group}"
+#   #     ibmcloud is target --gen ${var.generation}
+#   #     ibmcloud is image-delete "${data.external.create_image_hack.result.id}" -f
+#   #   EOT
+#   # }
+# }