The journey to modernize our delivery pipeline continues. Learn how we moved to a Tekton CI/CD pipeline that is deployed using Schematics-managed Terraform (Toolchain as Code).

The IBM Cloud solution tutorial Apply end-to-end security to a cloud application, like many, comes with code and a related GitHub repository. As a reader, you can either follow all the steps and manually create services and deploy the application, or you can take a shortcut and use an automation.

Over time, the automation changed from a classic toolchain with shell scripts in the pipeline to a Tekton-based pipeline with a Terraform-created toolchain. In this blog post, we provide an overview of the recently updated toolchain and how we got there:

A Terraform-created Tekton pipeline running.

Overview: History of a toolchain

The IBM Cloud solution tutorial Apply end-to-end security to a cloud application walks you through how to use some key IBM Cloud security services together. The tutorial uses a file-sharing application as an example. The application source code and an automation to easily deploy the app and required resources are provided in a related GitHub repository.

We first published the tutorial around the early days of the Tekton project—a powerful and flexible open-source framework for creating CI/CD (continuous integration/continuous delivery) systems. At that time, the IBM Cloud Continuous Delivery service only offered support for what, today, is called a classic delivery pipeline. Hence, our initial code included a pipeline-invoked shell script to create the required resources and to deploy the app. The toolchain was based on the Open Toolchain format.

About two years ago, we upgraded the deployment automation to use Terraform code managed in IBM Cloud Schematics to create the cloud services and a Tekton pipeline hosted in the Continuous Delivery service to build and deploy the container image with the application. The toolchain itself still was based on the Open Toolchain format.

Recently, we switched the toolchain creation to Terraform, too. You create an IBM Cloud Schematics workspace to manage the Infrastructure as Code (IaC) deployment. In the workspace, you configure how the Terraform code should create the services and the toolchain. The settings include the resource group, target region, namespace in the Container Registry, service plans, etc. Then, you apply the Terraform code and create the resources. When done, run the delivery pipeline (see screenshot above) and the app is online (see screenshot below):

File-sharing app provided by the IBM Cloud solution tutorial.

Get started

If you already know the tutorial and want to try out the updated code directly, head over to the GitHub repository and its README file. Make sure to meet the few documented prerequisites, then click the link to create the IBM Cloud Schematics workspace. During that creation process, the directory with the Terraform configuration files is read and evaluated. It includes two new files:

  • The resource configuration for the toolchain: It defines the toolchain, its integrations with GitHub to find the pipeline source code, the pipeline definitions and details on where to run in (spoiler: on a public worker).
  • The resource configuration for the toolchain properties: It defines the input parameters for the Tekton pipeline and its tasks.

When you apply the Terraform plan in Schematics, it creates the service instances for the solution and the toolchain with the Tekton pipeline to build and deploy the app. As part of the latter, it reads the definition files for the Tekton pipeline. Running the pipeline is managed by the Continuous Delivery service. Follow the instruction to run the pipeline in order to build the container image with the app and to deploy it to the Kubernetes cluster.


It is interesting to see how the code for the automated deployment of resources for a single tutorial evolved. As developer, I always try to learn from others or to get hands-on experience on my own. In that sense, I invite you to either learn from the available updated code which I described above or to even utilize the toolchain to deploy the sample app yourself.

Feel free to open an issue in the repository if you run into problems with the updated deployment automation. If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik), Mastodon ( or LinkedIn.


More from Cloud

IBM Tech Now: October 2, 2023

< 1 min read - ​Welcome IBM Tech Now, our video web series featuring the latest and greatest news and announcements in the world of technology. Make sure you subscribe to our YouTube channel to be notified every time a new IBM Tech Now video is published. IBM Tech Now: Episode 86 On this episode, we're covering the following topics: AI on IBM Z IBM Maximo Application Suite 8.11 IBM NS1 Connect Stay plugged in You can check out the IBM Blog Announcements for a…

IBM Cloud inactive identities: Ideas for automated processing

4 min read - Regular cleanup is part of all account administration and security best practices, not just for cloud environments. In our blog post on identifying inactive identities, we looked at the APIs offered by IBM Cloud Identity and Access Management (IAM) and how to utilize them to obtain details on IAM identities and API keys. Some readers provided feedback and asked on how to proceed and act on identified inactive identities. In response, we are going lay out possible steps to take.…

IBM Cloud VMware as a Service introduces multitenant as a new, cost-efficient consumption model

4 min read - Businesses often struggle with ongoing operational needs like monitoring, patching and maintenance of their VMware infrastructure or the added concerns over capacity management. At the same time, cost efficiency and control are very important. Not all workloads have identical needs and different business applications have variable requirements. For example, production applications and regulated workloads may require strong isolation, but development/testing, training environments, disaster recovery sites or other applications may have lower availability requirements or they can be ephemeral in nature,…

IBM accelerates enterprise AI for clients with new capabilities on IBM Z

5 min read - Today, we are excited to unveil a new suite of AI offerings for IBM Z that are designed to help clients improve business outcomes by speeding the implementation of enterprise AI on IBM Z across a wide variety of use cases and industries. We are bringing artificial intelligence (AI) to emerging use cases that our clients (like Swiss insurance provider La Mobilière) have begun exploring, such as enhancing the accuracy of insurance policy recommendations, increasing the accuracy and timeliness of…