Integrating Tekton Pipelines to deploy infrastructure reference architecture Terraform patterns using Infrastructure as Code (IaC).

Clients all around the world working with IBM Cloud need to establish or expand their cloud environments. Their goal is to provide robust connectivity, scalability and security while decreasing the costs of their production and non-production compute resources (e.g., Kubernetes clusters). To succeed with their cloud-based deployments, they also need to incorporate day 2 patterns for monitoring, maintenance and troubleshooting to keep apps, services and hosts up and running. It is important that our clients can establish such a framework with agility and accuracy across multiple projects.

This article describes an automated approach for enterprises to establish environments for their programs and projects in a rapid, replicable manner using the principles of Infrastructure as Code (IaC). Key benefits of this approach are as follows:

  • Accelerated time-to-value on cloud
  • Standardization of deployment practices on cloud across the enterprise
  • Rapid deployment of environments for projects

What are infrastructure architectural reference patterns?

A reference infrastructure pattern and/or framework is a pre-built architectural pattern with pre-configured controls and guardrails to help achieve security and compliance with prescriptive deployments. Using these patterns will enable you to stand up your environment as securely as possible. If you have not already created Terraform scripts for your environment, the teams at IBM Cloud have created pre-defined Terraform scripts and toolchains for rapid implementations, allowing you to jump right into using IBM Cloud without having to learn and build from scratch.

Typically, for a client situation, the architectural design pattern will mirror their environment, including their existing data centers, cloud brokerages and other third-party environments, such as databases. It is, therefore, important to map and automate the inter-connectivity across these environments. Designing these patterns for your network and data security also ensures that high availability is considered within a cloud region (using availability zones) and across regions (Active-Standby or Active-Active architectures).

It is also key to consider the CI/CD environment required to realize quick time-to-deploy for rapid realization of business benefits to our clients. Another key aspect is the day 2 architecture that will establish data collection, analysis, monitoring, predictive analytics and trouble management to radically reduce mean-time-to-repair.

The diagram below illustrates IBM Cloud-based patterns using OpenShift managed services that cover the above-described aspects in a reference pattern:

What are the building blocks of infrastructure automation?

Infrastructure as Code and Terraform

Infrastructure as Code (IaC) allows you to manage your deployment environment from the code level instead of manually through the GUI. This allows for faster, more secure deployments and reduces human error, since the desired state is defined in code that can be reviewed and versioned. Using Terraform, you can provision your infrastructure more safely, securely and quickly — at enterprise scale.

Terraform allows you to create immutable desired state code workflows to build out your deployments while providing repeatable, reusable, standardized modules and objects that provide greater compliance and easier management. Terraform can be used for most cloud and on-premises deployments. You can check for a list of the “providers” available here.

IBM has created a lot of the individual Terraform modules needed to stand up resources and services. These can be leveraged as needed, or you can use your existing Terraform configuration files to deploy to IBM Cloud.

Sample code for creation of Management VPC:

module "management_vpc" {
  source               = ""                       # path or URL of the IBM VPC module (not shown on the page)
  resource_group_id    = var.resource_group_id    # assumed variable name; value not shown on the page
  resource_group_name  = var.resource_group_name  # assumed variable name; value not shown on the page
  region               = var.region
  name                 = var.management_vpc_name
  name_prefix          = var.mgmt_name_prefix
  ibmcloud_api_key     = var.ibmcloud_api_key
  provision            = var.management_vpc_provision
  address_prefix_count = var.management_vpc_address_prefix_count
  # address prefixes are passed in as a JSON string and decoded here; null means "use module defaults"
  address_prefixes     = var.management_vpc_address_prefixes == null ? null : jsondecode(var.management_vpc_address_prefixes)
}

Sample code for creation of transit gateway:

module "ibm_transit_gateway" {
  source              = ""                       # path or URL of the IBM transit gateway module (not shown on the page)
  resource_group_name = var.resource_group_name  # assumed variable name; value not shown on the page
  # connect the workload and management VPCs through the transit gateway
  connections         = [module.workload_vpc.crn, module.management_vpc.crn]
  region              = var.region
  name                = var.ibm_transit_gateway_name
  name_prefix         = var.name_prefix
  ibmcloud_api_key    = var.ibmcloud_api_key # remove this if version is 0.2.2
  #provision          = var.ibm_transit_gateway_provision # only put this if version is 0.2.2
}

Toolchains and pipelines

At a high level, a toolchain is part of a DevOps approach to create and deploy reliable code and then manage that code through the lifecycle of development or deployment. A toolchain allows you to define multiple pipelines as workflows within the toolchain, so you can separate specific tasks into different stages while maintaining structure, automation and security. Common pipeline stages within a toolchain in the development world include Plan, Create, Verify, Package, Release/Deploy, Configure and Monitor.

Toolchains can also be shared within companies to create automation pipelines for Infrastructure as Code (IaC). This allows them to create standards and compliance for all deployments, thereby reducing security risks, deployment times and overall management time needed for your infrastructure when making changes or deploying new workload environments.

Example of a toolchain on IBM Cloud:

IBM-managed Tekton CI/CD pipelines

Tekton is an open-source, vendor-neutral framework for creating continuous integration and delivery (CI/CD) systems. Tekton runs in any Kubernetes environment, but IBM has integrated Tekton pipelines as a managed service within IBM Cloud. From here, you can create Tekton toolchains and pipelines within your own environment that can be triggered manually or automatically through “commits” on the attached repository. This allows you to deliver applications and automations across multiple cloud providers or on-premises and monitor all the environments from a single control plane/dashboard.

IBM Cloud also integrates code risk analysis (CRA) into Tekton pipelines, giving you security and regulatory-compliance control checks in real time before the infrastructure is deployed.

Example of pipeline workflow with CRA on IBM Cloud:

Linking it all together to create automated deployments

Now that you understand some of the individual components, we can discuss how to create rapid automation deployments of the infrastructure on IBM Cloud.

Using either IBM reference architecture Terraform pattern samples or your own existing Terraform code, you can copy/fork the code as necessary to your own GitHub repository. You are then able to modify the specific infrastructure, variables and validation you need for your specific environment. Once completed, you can create a toolchain “link” that connects that GitHub repository directly into the IBM Managed Tekton service. Doing this allows you to start creating and running automation pipelines for different aspects of the infrastructure.

From this point, you can securely run the different deployment pipeline workflows, either through manually triggering them in the UI or using GitHub Commit trigger integrations, allowing the environment to be Terraform “planned,” “applied” or “destroyed” through automation — all while being able to see the status of all your deployments from a single dashboard.
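As an added illustration of the plan/apply flow just described (this is not the page's or IBM's own pipeline definition), the following Tekton Task and Pipeline run Terraform against the linked repository, with apply gated on a successful plan and the IBM Cloud API key read from a Kubernetes Secret rather than passed as a plain pipeline parameter. The names terraform-run, iac-deploy, ibmcloud-api-key and the image tag are assumptions.

```yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: terraform-run            # assumed name
spec:
  workspaces:
    - name: source               # checkout of the forked Terraform repo
  params:
    - name: action               # "plan" or "apply"
  steps:
    - name: terraform
      image: hashicorp/terraform:1.5   # assumed image tag
      workingDir: $(workspaces.source.path)
      env:
        # Read by Terraform as var.ibmcloud_api_key; never stored in the repo or a param
        - name: TF_VAR_ibmcloud_api_key
          valueFrom:
            secretKeyRef:
              name: ibmcloud-api-key   # assumed Secret name
              key: apikey
      script: |
        #!/bin/sh
        set -eu
        terraform init -input=false      # backend config assumed to live in the repo
        if [ "$(params.action)" = "plan" ]; then
          terraform validate
          terraform plan -input=false -out=tfplan
        else
          terraform apply -input=false tfplan   # applies only the saved, reviewed plan
        fi
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: iac-deploy               # assumed name
spec:
  workspaces:
    - name: source
  tasks:
    - name: plan
      taskRef: { name: terraform-run }
      params: [{ name: action, value: plan }]
      workspaces: [{ name: source, workspace: source }]
    - name: apply
      runAfter: [plan]           # apply never runs if validate or plan fails
      taskRef: { name: terraform-run }
      params: [{ name: action, value: apply }]
      workspaces: [{ name: source, workspace: source }]
```

The source workspace must be backed by a persistent volume so the tfplan file written by the plan task is visible to the apply task; a git-clone task populating that workspace is assumed to run first.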

Example of resource list from a deployment:

Learn more

In summary, we hope that the approach described in this article helps you understand how to establish repeatable, automated environments on IBM Cloud for your projects with speed and accuracy. As described, the patterns will help you to establish the DevOps capability, runtime environment and day 2 operational environment using a proven, repeatable framework.
