Merge pull request #56 from ibm-hyper-protect/cleue-contract-sample-with-download

fix: add sample how to select the correct encryption certificate base…

Author: CarstenLeue

terraform-hpvs/create-contract-download-encryption/README.md

@@ -0,0 +1,42 @@
+## Contract generation example
+
+This sample creates an encrypted and signed contract and stores it locally in a file. In addition this example identifies
+the latest version of HPCR in the VPC cloud and then downloads the matching encryption certifcicate.
+
+### Prerequisite
+
+Prepare your environment according to [these steps](../README.md)
+
+### Settings
+
+Use one of the following options to set you settings:
+
+#### Template file
+
+1. `cp my-settings.auto.tfvars-template my-settings.auto.tfvars`
+2. Fill the values in `my-settings.auto.tfvars`
+
+#### Environment variables
+
+Set the following environment variables:
+
+```text
+TF_VAR_logdna_ingestion_key=
+TF_VAR_logdna_ingestion_hostname=
+```
+
+### Run the Example
+
+Initialize terraform:
+
+```bash
+terraform init
+```
+
+Deploy the example:
+
+```bash
+terraform apply
+```
+
+The contract will be persisted in the `build/contract.yml` folder for further use.

terraform-hpvs/create-contract-download-encryption/compose/docker-compose.yml

@@ -0,0 +1,3 @@
+services:
+  helloworld:
+    image: docker.io/library/hello-world@sha256:53f1bbee2f52c39e41682ee1d388285290c5c8a76cc92b42687eecf38e0af3f0

terraform-hpvs/create-contract-download-encryption/my-settings.auto.tfvars-template

@@ -0,0 +1,5 @@
+logdna_ingestion_key="Your LogDNA ingestion key". # You can find this in "Linux/ubuntu" section of `Logging sources` tab of "IBM Log Analysis" instance in [cloud.ibm.com](https://cloud.ibm.com)
+logdna_ingestion_hostname="rsyslog endpoint of IBM Log Analysis instance"
+# Example: "syslog-a.<log_region>.logging.cloud.ibm.com". Where <log_region> is
+# the region on which IBM Log Analysis is deployed
+# Any other variable you want to set (see variables.tf)

terraform-hpvs/create-contract-download-encryption/terraform.tf

@@ -0,0 +1,76 @@
+terraform {
+  required_providers {
+    hpcr = {
+      source  = "ibm-hyper-protect/hpcr"
+      version = ">= 0.1.12"
+    }
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = ">= 1.37.1"
+    }
+  }
+}
+
+# make sure to target the correct region and zone
+provider "ibm" {
+  region           = var.region
+  zone             = "${var.region}-${var.zone}"
+  ibmcloud_api_key = var.ibmcloud_api_key
+}
+
+# archive of the folder containing docker-compose file. This folder could create additional resources such as files 
+# to be mounted into containers, environment files etc. This is why all of these files get bundled in a tgz file (base64 encoded)
+resource "hpcr_tgz" "contract" {
+  folder = "compose"
+}
+
+# locate all public image
+data "ibm_is_images" "hyper_protect_images" {
+  visibility = "public"
+  status     = "available"
+}
+
+# locate the latest hyper protect image from the list of available images
+data "hpcr_image" "hyper_protect_image" {
+  images = jsonencode(data.ibm_is_images.hyper_protect_images.images)
+}
+
+# load the certificate for the selected image versions
+# in this case we only download the certificate for the selected version of the image
+data "hpcr_encryption_certs" "enc_certs" {
+  versions = [data.hpcr_image.hyper_protect_image.version]
+}
+
+locals {
+  # contract in clear text
+  contract = yamlencode({
+    "env" : {
+      "type" : "env",
+      "logging" : {
+        "logDNA" : {
+          "ingestionKey" : var.logdna_ingestion_key,
+          "hostname" : var.logdna_ingestion_hostname,
+        }
+      }
+    },
+    "workload" : {
+      "type" : "workload",
+      "compose" : {
+        "archive" : hpcr_tgz.contract.rendered
+      }
+    }
+  })
+}
+
+# In this step we encrypt the fields of the contract and sign the env and workload field. The certificate to execute the 
+# encryption it built into the provider and matches the latest HPCR image. If required it can be overridden. 
+# We use a temporary, random keypair to execute the signature. This could also be overriden. 
+resource "hpcr_contract_encrypted" "contract" {
+  contract = local.contract
+  cert     = data.hpcr_encryption_certs.enc_certs.certs[data.hpcr_image.hyper_protect_image.version]
+}
+
+resource "local_file" "contract" {
+  content  = hpcr_contract_encrypted.contract.rendered
+  filename = "${path.module}/build/contract.yml"
+}

terraform-hpvs/create-contract-download-encryption/variables.tf

@@ -0,0 +1,54 @@
+variable "logdna_ingestion_key" {
+  type        = string
+  sensitive   = true
+  description = <<-DESC
+                  Ingestion key for IBM Log Analysis instance. This can be 
+                  obtained from "Linux/Ubuntu" section of "Logging resource" 
+                  tab of IBM Log Analysis instance
+                DESC
+}
+
+variable "logdna_ingestion_hostname" {
+  type        = string
+  description = <<-DESC
+                  rsyslog endpoint of IBM Log Analysis instance. 
+                  Don't include the port. Example: 
+                  syslog-a.<log_region>.logging.cloud.ibm.com
+                  log_region is the region where IBM Log Analysis is deployed
+                DESC
+}
+
+variable "ibmcloud_api_key" {
+  description = <<-DESC
+                  Enter your IBM Cloud API Key, you can get your IBM Cloud API key using:
+                   https://cloud.ibm.com/iam#/apikeys
+                DESC
+  sensitive   = true
+}
+
+variable "region" {
+  type        = string
+  description = "Region to deploy to, e.g. eu-gb"
+
+  validation {
+    condition = (var.region == "eu-gb" ||
+      var.region == "br-sao" ||
+      var.region == "ca-tor" ||
+      var.region == "jp-tok" ||
+    var.region == "us-east")
+    error_message = "Value of region must be one of eu-gb/br-sao/ca-tor/jp-tok/us-east."
+  }
+}
+
+variable "zone" {
+  type        = string
+  default     = "2"
+  description = "Zone to deploy to, e.g. 2."
+
+  validation {
+    condition = (var.zone == "1" ||
+      var.zone == "2" ||
+    var.zone == "3")
+    error_message = "Value of zone must be one of 1/2/3."
+  }
+}