Terraform CAMC provider
Describes the Terraform CAMC providers
CAMC bootstrap
Description
The camc_bootstrap function performs a Chef bootstrap operation on the target node defined by the host_ip parameter. This function relies on a viable SSH connection between the pattern manager and the target node using SSH certificate-based security. The following steps are taken:
- Install chef-client on the target node.
- Register the Chef client with the Chef server. The Chef server will be bound to a single pattern manager as a parameter. If a Chef client already exists with the specified node_name parameter, then the target node is assumed to be a part of a previous deployment and is removed prior to registration.
- Install the chef-vault gem.
- Create a chef-vault entry based on the stack_id parameter of the node if it does not already exist. Chef nodes in a multi-node deploy will have the same stack_id and will share vault entries.
Example Usage
resource "camc_bootstrap" "resource1" {
name = "resource1"
camc_endpoint = "http://${var.endpoint}:5443/v1/bootstrap/"
access_token = "${var.pm_access_token}"
trace = "true"
data = <<EOT
{
"os_username": "${var.referenced-image-os_username}",
"stack_id": "${random_id.stack_id.hex}",
"environment_name": "_default",
"host_ip": "${vsphere_virtual_machine.referenced-image.network_interface.0.ipv4_address}",
"node_name": "${var.referenced-image-name}",
"node_attributes": {
"ibm_internal": {
"stack_id": "${random_id.stack_id.hex}",
"stack_name": "${var.stack_name}",
"vault": {
"item": "secrets",
"name": "${random_id.stack_id.hex}"
}
}
}
}
EOT
}
Argument Reference
| Type | Name | Description | Schema | Default | Required |
|---|---|---|---|---|---|
| Body | access_token | The pattern manager access token that was provided during Content Runtime provisioning | String | Yes | |
| Body | camc_endpoint | The IP address or FQDN of the pattern manager | String | Yes | |
| Body | data | A valid JSON structure. See Data type for more information | JSON | Yes | |
| Body | name | A label to aid in identifying the resource | String | No | |
| Body | trace | If true, writes more data to TF_LOG | Boolean | False | No |
| Data | os_username | The operating system user name used by the pattern manager to remote SSH to the target node | String | Yes | |
| Data | stack_id | The stack ID shared across nodes in this deployment | String | Yes | |
| Data | environment_name | The environment name for this deployment | String | Yes | |
| Data | host_ip | The IP address of the host being bootstrapped | String | Yes | |
| Data | node_name | The unique name to give the node on your chef server | String | Yes | |
| Data | node_attributes | Chef attributes to be added to the node object during the bootstrap process. | String | Yes |
CAMC software deploy
Description
Deploys one or more Chef cookbooks and Chef roles on the target node specified by the node_name parameter.
This node_name should match the value specified in the camc_bootstrap resource. The attributes specified by the node_attributes parameter will be applied to the node prior to executing the software deployment. Additionally, the vault may also be updated with the attributes defined in the vault_content parameter. The runlist parameter specifies an ordered list of roles and/or recipes to be run against the node. These cookbooks and roles need to be registered with the Chef server prior to executing this resource.
Example Usage
resource "camc_softwaredeploy" "resource2" {
name = "resource2"
camc_endpoint = "http://${var.endpoint}:5443/v1/softwaredeploy/chef"
access_token = "${var.pm_private_b64}"
data = <<EOT
{
"os_username": "${var.referenced-image-os_username}",
"stack_id": "${random_id.stack_id.hex}",
"environment_name": "_default",
"host_ip": "${vsphere_virtual_machine.referenced-image.network_interface.0.ipv4_address}",
"node_name": "${var.referenced-image-name}",
"runlist": "role[ihs-wasmode-admin]",
"node_attributes": {
"host_ip": "${vsphere_virtual_machine.referenced-image.network_interface.0.ipv4_address}",
"ibm": {
"im_repo": "${var.ibm_im_repo}",
"im_repo_user": "${var.ibm_im_repo_user}",
"sw_repo": "${var.ibm_sw_repo}",
"sw_repo_user": "${var.ibm_sw_repo_user}"
},
"ibm_internal": {
"roles": "[ihs-wasmode-admin]"
},
"ihs": {
"admin_server": {
"enabled": "true",
"port": "8008",
"username": "${var.referenced-image_ihs_admin_server_username}"
},
"install_dir": "/opt/IBM/HTTPServer",
"install_mode": "admin",
"plugin": {
"enabled": "true",
"install_dir": "/opt/IBM/WebSphere/Plugins",
"was_webserver_name": "webserver1"
},
"port": "${var.referenced-image_ihs_port}",
"version": "${var.referenced-image_ihs_version}"
}
},
"vault_content": {
"item": "secrets",
"values": {
"ibm": {
"im_repo_password": "${var.ibm_im_repo_password}",
"sw_repo_password": "${var.ibm_sw_repo_password}"
},
"ihs": {
"admin_server": {
"password": "${var.referenced-image_ihs_admin_server_password}"
}
}
},
"vault": "${random_id.stack_id.hex}"
}
}
EOT
}
Argument Reference
| Type | Name | Description | Schema | Default | Required |
|---|---|---|---|---|---|
| Body | access_token | The pattern manager access token that was provided during Content Runtime provisioning | String | Yes | |
| Body | camc_endpoint | The IP address or FQDN of the pattern manager | String | Yes | |
| Body | data | A valid JSON structure | JSON | Yes | |
| Body | name | A label to aid in identifying the resource | String | No | |
| Data | os_username | The operating system user name used by the pattern manager to remote SSH to the target node | String | Yes | |
| Data | stack_id | The stack ID shared across nodes in this deployment | String | Yes | |
| Data | environment_name | The environment name for this deployment | String | Yes | |
| Data | host_ip | The IP address of the host | String | Yes | |
| Data | node_name | The unique name to give the node on your chef server | String | Yes | |
| Data | node_attributes | Chef attributes to be added to the node object prior to the software deployment process. | String | Yes |
CAMC script package
The camc_scriptpackage resource executes scripts and stores the output for use by other resources in your Terraform template. For example, use it to retrieve hostname and IP address information from an IPAM server and use the results in the virtual machine description.
The camc_scriptpackage resource allows you to store scripts locally on the cam-provider-terraform microservice or on an HTTP(s) server, execute scripts or commands locally from the cam-provider-terraform microservice or remotely on a deployed virtual machine, and control when the scripts should be run.
Passing parameters
There are two ways to pass parameters to the script: through the program array and the query JSON object. Parameters specified in the program array are passed to the script as command line parameters. The query JSON object contains name/value pairs of strings and are passed to the script through stdin.
Script response values
Responses from the script are collected and available in the Terraform template. Scripts returning multiple values must return them in a JSON object containing name/value pairs of strings. If the response is not a JSON object, it will be available to the Terraform template in a property called stdout.
Local scripts
Local scripts are run as a non-privileged user within the terraform-provider container in Managed services. This container has a limited number of installed packages, including:
awk
base64
bash
curl
gpg
jq
md5sum
Python 2.7.9 - no pip
sed
ssh
tr
wget
xargs
If the package that you are looking for does not exist locally, the recommendation is to use the remote script capabilities of the script provider to run scripts on a remote virtual machine that has those packages available.
Example usage
Local script
Example 1
resource "camc_scriptpackage" "LocalIp" {
program = ["/bin/bash", "/var/scripts/get_ip.sh"]
query = {
prop1 = "prop1_value"
}
on_create = true
}
Example 2:
resource "camc_scriptpackage" "delete_test_resource" {
depends_on = ["camc_scriptpackage.create_test_resource"]
program = ["/bin/bash", "${path.module}/scripts/delete_ucd_resource.sh", "-h", "${var.ucd_host}", "-u", "${var.ucd_user}", "-i", "${lookup(camc_scriptpackage.create_test_resource.result, "resource_id")}"]
program_sensitive = ["-p", "${var.ucd_password}"]
on_delete = true
}
Local script from HTTPS server
resource "camc_scriptpackage" "LocalHttpsScript" {
program = ["/bin/bash", "/var/scripts/get_ip.sh"]
source = "https://172.95.34.11/scripts/cam/get_ip.sh"
source_user = "${var.src_user}"
source_password = "${var.src_pass}"
source_no_check_cert = true
destination = "/var/scripts/get_ip.sh"
on_create = true
}
Remote script
resource "camc_scriptpackage" "RemoteScript" {
program = ["/bin/bash", "/var/scripts/deregister_node.sh"]
remote_host = "172.13.205.41"
remote_user = "${var.referenced-image-os_username}"
remote_password = "${var.referenced-image-os_password}"
destination = "/var/deregister_node.sh"
on_delete = true
}
Referencing script output
output "local_script" {
value = "${camc_scriptpackage.LocalIp.result}"
}
output "local_script_ip" {
value = "${lookup(camc_scriptpackage.LocalIp.result, var.ip)}"
}
output "remote_script_stdout" {
value = "${camc_scriptpackage.CreateScript.result}"
}
Argument Reference
| Type | Name | Description | Schema | Default | Required |
|---|---|---|---|---|---|
| Body | destination | Destination file for the script. This can be the location to download the script from an HTTP server or the remote location to copy your local script | String | Yes, if specifying source | |
| Body | on_create | Execute this script when this resource is created | Boolean | false | No |
| Body | on_delete | Execute this script when this resource is deleted | Boolean | false | No |
| Body | on_update | Execute this script when this resource is updated | Boolean | false | No |
| Body | depends_on | It is a Terraform metadata argument. For more information, see Terraform Resources  . |
Boolean | false | No |
| Body | program_sensitive | It is an array that contains a list of sensitive program arguments like passwords or other secret fields. Having them in this list ensures that the value of the attribute is not displayed in logs or regular output. Example: If you want
to pass a sensitive field like password to a command in "program" parameter, then you can provide a program_sensitive parameter as program_sensitive = ["${var.ucd_password}"]. |
Array | No | |
| Body | program | Array containing the command to run | Array | Yes | |
| Body | query | Name/value pairs of parameters passed to your script through stdin | JSON Object | No | |
| Body | remote_host | The hostname or IP address of the remote system to execute this script | String | No | |
| Body | remote_key | The base64-encoded private key to access the host specified by the remote_host parameter. One of remote_key or remote_password are required when specifying remote_host | String | No | |
| Body | remote_password | The password to access the host specified by the remote_host parameter. One of remote_key or remote_password are required when specifying remote_host | String | No | |
| Body | remote_user | The user to access the host specified by the remote_host parameter | String | Yes, if remote_host is specified | |
| Body | source | The location of the script. This can be a local path on the cam-provider-terraform microservice or an HTTP(s) URL | String | No | |
| Body | source_no_check_cert | Ignore the certificate when downloading the script from the HTTPS server | Boolean | false | No |
| Body | source_password | The password for the HTTPS server used to host the script | String | Yes, if source is an HTTPS server | |
| Body | source_user | The user for the HTTPS server used to host the script | String | Yes, if source is an HTTPS server | |
| Body | trace | If true, writes more data to TF_LOG | Boolean | False | No |
CAMC vault item
Description
IBM Chef-based patterns use the chef-vault gem to store secrets such as passwords and user names to be defined by and used by cookbooks during the software deployment process. The camc_vaultitem resource will specify the items to be created.
It is important to note that nodes are logically arranged into a stack. A stack is a set of nodes belonging to the same pattern and is defined by the stack_id parameter. There is a single chef-vault entry for each stack so that nodes in a stack can share secrets between themselves, but not with other nodes deployed in the environment.
Example Usage
resource "camc_vaultitem" "vault1" {
name = "vault1"
trace = "true"
camc_endpoint = "http://${var.endpoint}:5443/v1/vaultitem"
access_token = "${var.pm_private_b64}"
data = <<EOT
{
"vault_content": {
"item": "secrets",
"values": {},
"vault": "${random_id.stack_id.hex}"
}
}
EOT
}
Argument Reference
| Type | Name | Description | Schema | Default | Required |
|---|---|---|---|---|---|
| Body | access_token | The pattern manager access token that was provided during Content Runtime provisioning | String | Yes | |
| Body | camc_endpoint | The IP address or FQDN of the pattern manager | String | Yes | |
| Body | data | A valid JSON structure | JSON | Yes | |
| Body | name | A label to aid in identifying the resource | String | No | |
| Data | vault_content | The content to add to the vault | String | Yes | |
| Body | trace | If true, writes more data to TF_LOG | Boolean | False | No |