Deploy the tutorial app using Schematics, Terraform, and a Tekton-based pipeline.

If you read the blog “IBM Cloud Solution Tutorials: 2020 in Review,” you will have noticed that the IBM Cloud Solution Tutorials can now also be found in a new tutorials library in the IBM Cloud documentation portal. One of these tutorials from the Security category is discussing how to apply end to end security to a cloud application. In June, I blogged how it had been extended by a discussion on how to share development resources.

The discussed app and its resources can be deployed by following the steps in the tutorial itself or by utilizing an automated toolchain with scripting. I’m happy to share with you that we switched from a classic toolchain that rolls out both the required resources, builds the app, and deploys it to a more granular approach. It is based on utilizing IBM Cloud Schematics for managing resource deployment based on Terraform and a Tekton-based pipeline in the Continuous Delivery service to build and deploy the app.

In the following, I am going to discuss some of the details:

Solution diagram: An app with end-to-end security to share files.

IBM Cloud Schematics and Terraform

Terraform is an open source solution for Infrastructure as Code. The desired state is described in one or more files written in a configuration language. As user or administrator, you would typically plan, apply, or destroy the configuration. That is, by generating a plan, seeing the expected changes to your resources, then applying those changes or destroying (i.e., deleting the resources again). It works well with a local machine, with a single cloud provider, or in a hybrid/multicloud environment.

IBM Cloud Schematics features Terraform-as-a-Service. It manages workspaces that hold a Terraform configuration and execution environment. Similar to running Terraform on your own, you can plan, apply, or destroy a Terraform-based deployment of resources. You can interact with Schematics in the IBM Cloud UI in its dashboard, use the command line, or work with its REST API.

To set up the required resources for the solution tutorial, you would click the “deploy link” found in the source code repository on GitHub. Next, you would set the (Terraform) variables when not going with the defaults (see screenshot below). Then, everything is ready for Apply plan. Once the resources are deployed, the you can set up the toolchain and deploy the app:

Configure the Terraform-based resource deployment in your Schematics workspace.

Tekton pipelines

The Continuous Delivery service on IBM Cloud (CD service) allows for the automation of building and deploying applications. It offers open toolchains to set up CI/CD (Continuous Integration/Continuous Delivery) pipelines, thereby supporting a DevOps or DevSecOps approach for app development and operation. The CD service supports its own (“classic”) or Tekton delivery pipelines. Tekton pipelines provide a deep integration into the Kubernetes ecosystem and either run on shared Kubernetes workers provided by the CD service or your own (private) workers for more security.

To deploy the app, create a toolchain by clicking the Create toolchain link in the source code repository on GitHub. Then, you configure the GitHub integration and few environment settings. All other properties are read from Schematics workspace, which manages most metadata. Once the toolchain is created, you may notice that toolchain has two code integrations with GitHub (and a single Delivery Pipeline):

  • One is for the tutorial source code and provides the app code.
  • The second is to the Tekton Catalog, which offers readily available pipeline tasks for reuse. We integrate two such tasks.

Toolchain with two GitHub integrations and one delivery pipeline.

Our pipeline to build and deploy the app reuses the icr-containerize task to build the app and the icr-va-check-scan task to scan the new image for vulnerabilities and check the result. Both tasks make use of the IBM Cloud Container Registry to manage the Docker image. As you can see in the screenshot below, the container with the updated app will only be deployed if the scans do not find any security issues.

Once the last pipeline task has completed, you can click the link for the log output to access the deployed app.

Tekton pipeline: The image is built, the security check succeeded, deployment is ongoing.


Separating the task of resource (infrastructure) rollout from app deployment allows you to utilize different tools for each task (IBM Cloud Schematics with Terraform-as-a-Service, Continuous Delivery with Tekton pipeline). The pipeline tasks to build the Docker image, and you can scan it for vulnerabilities from an open source library (Tekton Catalog). Switching from the previous classic toolchain to the new setup required some work, but now everything is based on open source technologies, configuration-based, and easy to extend.

If you want to try it, head over to the GitHub repository with the source code and read the tutorial on how to apply end-to-end security to a cloud application for background information.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn


More from Cloud

Kubernetes version 1.28 now available in IBM Cloud Kubernetes Service

2 min read - We are excited to announce the availability of Kubernetes version 1.28 for your clusters that are running in IBM Cloud Kubernetes Service. This is our 23rd release of Kubernetes. With our Kubernetes service, you can easily upgrade your clusters without the need for deep Kubernetes knowledge. When you deploy new clusters, the default Kubernetes version remains 1.27 (soon to be 1.28); you can also choose to immediately deploy version 1.28. Learn more about deploying clusters here. Kubernetes version 1.28 In…

Temenos brings innovative payments capabilities to IBM Cloud to help banks transform

3 min read - The payments ecosystem is at an inflection point for transformation, and we believe now is the time for change. As banks look to modernize their payments journeys, Temenos Payments Hub has become the first dedicated payments solution to deliver innovative payments capabilities on the IBM Cloud for Financial Services®—an industry-specific platform designed to accelerate financial institutions' digital transformations with security at the forefront. This is the latest initiative in our long history together helping clients transform. With the Temenos Payments…

Foundational models at the edge

7 min read - Foundational models (FMs) are marking the beginning of a new era in machine learning (ML) and artificial intelligence (AI), which is leading to faster development of AI that can be adapted to a wide range of downstream tasks and fine-tuned for an array of applications.  With the increasing importance of processing data where work is being performed, serving AI models at the enterprise edge enables near-real-time predictions, while abiding by data sovereignty and privacy requirements. By combining the IBM watsonx data…

The next wave of payments modernization: Minimizing complexity to elevate customer experience

3 min read - The payments ecosystem is at an inflection point for transformation, especially as we see the rise of disruptive digital entrants who are introducing new payment methods, such as cryptocurrency and central bank digital currencies (CDBC). With more choices for customers, capturing share of wallet is becoming more competitive for traditional banks. This is just one of many examples that show how the payments space has evolved. At the same time, we are increasingly seeing regulators more closely monitor the industry’s…