December 18, 2020 By Henrik Loeser 4 min read

Deploy the tutorial app using Schematics, Terraform, and a Tekton-based pipeline.

If you read the blog “IBM Cloud Solution Tutorials: 2020 in Review,” you will have noticed that the IBM Cloud Solution Tutorials can now also be found in a new tutorials library in the IBM Cloud documentation portal. One of these tutorials from the Security category is discussing how to apply end to end security to a cloud application. In June, I blogged how it had been extended by a discussion on how to share development resources.

The discussed app and its resources can be deployed by following the steps in the tutorial itself or by utilizing an automated toolchain with scripting. I’m happy to share with you that we switched from a classic toolchain that rolls out both the required resources, builds the app, and deploys it to a more granular approach. It is based on utilizing IBM Cloud Schematics for managing resource deployment based on Terraform and a Tekton-based pipeline in the Continuous Delivery service to build and deploy the app.

In the following, I am going to discuss some of the details:

Solution diagram: An app with end-to-end security to share files.

IBM Cloud Schematics and Terraform

Terraform is an open source solution for Infrastructure as Code. The desired state is described in one or more files written in a configuration language. As user or administrator, you would typically plan, apply, or destroy the configuration. That is, by generating a plan, seeing the expected changes to your resources, then applying those changes or destroying (i.e., deleting the resources again). It works well with a local machine, with a single cloud provider, or in a hybrid/multicloud environment.

IBM Cloud Schematics features Terraform-as-a-Service. It manages workspaces that hold a Terraform configuration and execution environment. Similar to running Terraform on your own, you can plan, apply, or destroy a Terraform-based deployment of resources. You can interact with Schematics in the IBM Cloud UI in its dashboard, use the command line, or work with its REST API.

To set up the required resources for the solution tutorial, you would click the “deploy link” found in the source code repository on GitHub. Next, you would set the (Terraform) variables when not going with the defaults (see screenshot below). Then, everything is ready for Apply plan. Once the resources are deployed, the you can set up the toolchain and deploy the app:

Configure the Terraform-based resource deployment in your Schematics workspace.

Tekton pipelines

The Continuous Delivery service on IBM Cloud (CD service) allows for the automation of building and deploying applications. It offers open toolchains to set up CI/CD (Continuous Integration/Continuous Delivery) pipelines, thereby supporting a DevOps or DevSecOps approach for app development and operation. The CD service supports its own (“classic”) or Tekton delivery pipelines. Tekton pipelines provide a deep integration into the Kubernetes ecosystem and either run on shared Kubernetes workers provided by the CD service or your own (private) workers for more security.

To deploy the app, create a toolchain by clicking the Create toolchain link in the source code repository on GitHub. Then, you configure the GitHub integration and few environment settings. All other properties are read from Schematics workspace, which manages most metadata. Once the toolchain is created, you may notice that toolchain has two code integrations with GitHub (and a single Delivery Pipeline):

  • One is for the tutorial source code and provides the app code.
  • The second is to the Tekton Catalog, which offers readily available pipeline tasks for reuse. We integrate two such tasks.

Toolchain with two GitHub integrations and one delivery pipeline.

Our pipeline to build and deploy the app reuses the icr-containerize task to build the app and the icr-va-check-scan task to scan the new image for vulnerabilities and check the result. Both tasks make use of the IBM Cloud Container Registry to manage the Docker image. As you can see in the screenshot below, the container with the updated app will only be deployed if the scans do not find any security issues.

Once the last pipeline task has completed, you can click the link for the log output to access the deployed app.

Tekton pipeline: The image is built, the security check succeeded, deployment is ongoing.


Separating the task of resource (infrastructure) rollout from app deployment allows you to utilize different tools for each task (IBM Cloud Schematics with Terraform-as-a-Service, Continuous Delivery with Tekton pipeline). The pipeline tasks to build the Docker image, and you can scan it for vulnerabilities from an open source library (Tekton Catalog). Switching from the previous classic toolchain to the new setup required some work, but now everything is based on open source technologies, configuration-based, and easy to extend.

If you want to try it, head over to the GitHub repository with the source code and read the tutorial on how to apply end-to-end security to a cloud application for background information.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn

Was this article helpful?

More from Cloud

The history of the central processing unit (CPU)

10 min read - The central processing unit (CPU) is the computer’s brain. It handles the assignment and processing of tasks, in addition to functions that make a computer run. There’s no way to overstate the importance of the CPU to computing. Virtually all computer systems contain, at the least, some type of basic CPU. Regardless of whether they’re used in personal computers (PCs), laptops, tablets, smartphones or even in supercomputers whose output is so strong it must be measured in floating-point operations per…

A clear path to value: Overcome challenges on your FinOps journey 

3 min read - In recent years, cloud adoption services have accelerated, with companies increasingly moving from traditional on-premises hosting to public cloud solutions. However, the rise of hybrid and multi-cloud patterns has led to challenges in optimizing value and controlling cloud expenditure, resulting in a shift from capital to operational expenses.   According to a Gartner report, cloud operational expenses are expected to surpass traditional IT spending, reflecting the ongoing transformation in expenditure patterns by 2025. FinOps is an evolving cloud financial management discipline…

IBM Power8 end of service: What are my options?

3 min read - IBM Power8® generation of IBM Power Systems was introduced ten years ago and it is now time to retire that generation. The end-of-service (EoS) support for the entire IBM Power8 server line is scheduled for this year, commencing in March 2024 and concluding in October 2024. EoS dates vary by model: 31 March 2024: maintenance expires for Power Systems S812LC, S822, S822L, 822LC, 824 and 824L. 31 May 2024: maintenance expires for Power Systems S812L, S814 and 822LC. 31 October…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters