Merge remote-tracking branch 'internal/main'

.docs/access-policies.md

@@ -15,9 +15,10 @@ The `access.sh` script automates the creation of 3 access groups which assign al
 
 ### Prerequisites
 
-- _To use this script, users must have the following type of access in your Cloud Account:_
-  - **_Account owner_**
-  - **_Administrator or editor on the IAM Access Groups account management service in the account_**
+- _To use this script, users must be the Account Owner or have the following type of access in their Cloud Account:_
+  - **_Administrator or editor on the IAM Access Groups account management services_**
+  - **_Administrator or editor on the IAM Account Management services_**
+  - **_Administrator or editor on the All Identity and Access enabled services_**
   - **_Administrator or editor for the All Account Management services_**
 
 - _Requires that the ibmcloud CLI be installed and a ibmcloud login has been performed prior to running the script (or run using the IBM Cloud Shell)._
@@ -171,4 +172,4 @@ How to create Authorization policy
 - Manage -> Access (IAM) -> Authorizations -> Create +
 - Select This account
 - Specify source and target
-- Click Authorize
+- Click Authorize

CHANGELOG.md

@@ -2,6 +2,39 @@
 
 All notable changes to this project will be documented in this file.
 
+## 1.15.1
+
+### Upgrade Notes
+
+- A resource groups is now required for existing Object Storage instances. To use an existing instance, the resource group for that instance must be added into CRAIG
+
+### Features
+
+- Environment prefix is now prepended to the beginning of Classic SSH Key names
+- Power VS Cloud Connections now support connections to Classic Infrastructure and VPCs
+- Users can now use a Service ID for CRAIG application's cloud access. To use this feature, add your account ID as the value `ACCOUNT_ID` in your deployment environment
+
+### Fixes
+
+- Fixed an issue causing schematics workspace URL to not be provided to the user after creation
+- Fixed an issue causing workspace creation modal to be incorrectly labelled as `Upload`
+- Fixed an issue where the helper text for an exising COS instance would incorrectly include added suffixes
+- Fixed an issue where Load Balancer Health Timeout invalid text showed a maximum value of `300` instead of `3000`
+- The `Power VS Oracle Ready` Template now creates a new VPC SSH Key rather than relying on an existing key
+- The `Power VS Oracle Single Instance` Template now creates a new VPC SSH Key, and sets all Power Volumes to have storage tier `tier3` and affinity instance `oracle`
+- The `VSI` template now correctly includes an ssh key for both VPC VSI Instances, instead of no key being present
+- The `VSI Edge` template now correctly includes an ssh key for both VPC VSI Instances, instead of no key being present
+- The `VPN as a Service` template now correctly force deletes the cos bucket `vpc-bucket` and the encryption key `encryption-key`
+- Fixed visual bugs on the DNS Record sub form form causing fields to be misaligned
+- Fixed an issue causing DNS records using VSI IPs to always be invalid
+- Fixed an issue causing Terraform code for DNS resource records to have invalid references to their parent DNS instance
+- Fixed an issue causing the Schematics workspace creation modal to have an incorrect title
+- Fixed an issue causing the Schematics workspace creation modal to display a success message when after failing to create a workspace
+- Fixed an issue causing Power VS Images to not correctly be update after being removed during validation
+- Fixed an issue in the Project form allowing users to create multiple workspaces for the same project
+- Fixed an issue causing the validation button in the top navigation bar to work inconsistently
+- Fixed an issue causing strange behavior when disabling Acitivity Tracer in the v2 GUI
+
 ## 1.15.0
 
 ### Upgrade Notes

access.sh

@@ -55,6 +55,8 @@ create_craig_deployer() {
     echo "Creating Access Group craig-deployer..."
     ibmcloud iam access-group-create craig-deployer -d "Access group that assigns all access policies required to successfully run deploy.sh to set up CRAIG in Code Engine, create a schematics workspace, and create PowerVS workspaces when running with the -z parameter." || fatal "An error ocurred while creating the craig-deployer access group."
     echo "Creating Access Policies for craig-deployer..."
+    # Account Management viewer access policy - needed for the 'ibmcoud account show' CLI command in deploy script
+    ibmcloud iam access-group-policy-create craig-deployer --account-management --roles Viewer
     # Resource Group access policy
     ibmcloud iam access-group-policy-create craig-deployer --roles Viewer,Editor --resource-type resource-group
     # Code Engine access policy
@@ -87,7 +89,7 @@ create_craig_application() {
     # schematics-api access policy
     ibmcloud iam access-group-policy-create craig-application --roles Manager,Editor --service-name schematics
     # Resource Group access policy
-    ibmcloud iam access-group-policy-create craig-application --roles Viewer,Editor --resource-type resource-group
+    ibmcloud iam access-group-policy-create craig-application --roles Viewer --resource-type resource-group
     echo "Access group craig-application has been successfully created."
   else
     echo "The access group craig-application already exists."

ansible/all-templates/main.yml

@@ -0,0 +1,85 @@
+---
+- name: "Playbook to run end-to-end test for all CRAIG templates"
+  hosts: localhost
+  vars_files: ../template-test/vars/vars.yml
+  tasks:
+  - name: Generate random suffix for schematics workspace/action names
+    set_fact:
+      suffix: "{{lookup('community.general.random_string', special=false, length=4)}}"
+- import_playbook: ../template-test/test-inside-action.yml
+  vars:
+    template: "from-scratch"
+    action_name: "from-scratch-{{suffix}}"
+    workspace_name: "from-scratch-{{suffix}}"
+    tf_var_prefix: "from-scratch"
+- import_playbook: ../template-test/test-inside-action.yml
+  vars:
+    template: "mixed"
+    action_name: "mixed-{{suffix}}"
+    workspace_name: "mixed-{{suffix}}"
+    tf_var_prefix: "mixed"
+    tf_var_ssh_key: "{{mixed}}"
+- import_playbook: ../template-test/test-inside-action.yml
+  vars:
+    template: "vsi"
+    action_name: "vsi-{{suffix}}"
+    workspace_name: "vsi-{{suffix}}"
+    tf_var_prefix: "vsi"
+    tf_var_ssh_key: "{{vsi}}"
+- import_playbook: ../template-test/test-inside-action.yml
+  vars:
+    template: "vsi-edge"
+    action_name: "vsi-edge-{{suffix}}"
+    workspace_name: "vsi-edge-{{suffix}}"
+    tf_var_prefix: "vsi-edge"
+    tf_var_ssh_key: "{{vsi_edge}}"
+- import_playbook: ../template-test/test-inside-action.yml
+  vars:
+    template: "quick-start-power"
+    action_name: "quick-{{suffix}}"
+    workspace_name: "quick-{{suffix}}"
+    tf_var_prefix: "quick"
+    tf_var_ssh_key: "{{quick_start}}"
+- name: "Wait 30 minutes before executing the remaining templates"
+  hosts: localhost
+  tasks:
+    - ansible.builtin.pause:
+        minutes: 30
+- import_playbook: ../template-test/test-inside-action.yml
+  vars:
+    template: "power-vs-sap-hana"
+    action_name: "sap-hana-{{suffix}}"
+    workspace_name: "sap-hana-{{suffix}}"
+    tf_var_prefix: "sap-hana"
+    tf_var_ssh_key: "{{sap_hana}}"
+    tf_var_power_ssh_key: "{{sap_hana_power}}"
+- import_playbook: ../template-test/test-inside-action.yml
+  vars:
+    template: "oracle-rac"
+    action_name: "oracle-rac-{{suffix}}"
+    workspace_name: "oracle-rac-{{suffix}}"
+    tf_var_prefix: "oracle-rac"
+    tf_var_ssh_key: "{{oracle_rac}}"
+    tf_var_power_ssh_key: "{{oracle_rac_power}}"
+- import_playbook: ../template-test/test-inside-action.yml
+  vars:
+    template: "oracle-si"
+    action_name: "oracle-si-{{suffix}}"
+    workspace_name: "oracle-si-{{suffix}}"
+    tf_var_prefix: "oracle-si"
+    tf_var_ssh_key: "{{oracle_si}}"
+    tf_var_power_ssh_key: "{{oracle_si_power}}"
+- import_playbook: ../template-test/test-inside-action.yml
+  vars:
+    template: "power-vs-poc"
+    action_name: "poc-{{suffix}}"
+    workspace_name: "poc-{{suffix}}"
+    tf_var_prefix: "power-poc"
+    tf_var_ssh_key: "{{poc}}"
+    tf_var_power_ssh_key: "{{poc_power}}"
+- import_playbook: ../template-test/test-inside-action.yml
+  vars:
+    template: "vpnaas"
+    action_name: "vpnaas-{{suffix}}"
+    workspace_name: "vpnaas-{{suffix}}"
+    tf_var_prefix: "vpn-test"

ansible/template-test/roles/action/tasks/main.yml

@@ -8,4 +8,5 @@
     headers:
       Authorization: Bearer {{token.json.access_token}}
     status_code: 202
+    timeout: 500
   register: action_result

ansible/template-test/roles/create_schematics_action/tasks/main.yml

@@ -14,4 +14,5 @@
         command_parameter: main.yml
         source: "{{ source }}"
         inputs: "{{ inputs }}"
-    status_code: 201
+    status_code: 201
+    timeout: 500

ansible/template-test/roles/download_tar/tasks/main.yml

@@ -9,3 +9,5 @@
     status_code: 200
     dest: "{{playbook_dir}}/{{template}}.tar"
     timeout: 500
+  delay: 60
+  retries: 2

ansible/template-test/roles/run_schematics_action/tasks/main.yml

@@ -7,6 +7,7 @@
     headers:
       Authorization: Bearer {{token.json.access_token}}
   register: schematics_actions
+  timeout: 120
 
 - name: Get target action ID
   set_fact:
@@ -38,4 +39,5 @@
       command_object_id: "{{ action_id }}"
       command_name: ansible_playbook_run
       command_parameter: main.yml
-    status_code: 201
+    status_code: 201
+  timeout: 120

ansible/template-test/roles/update_variablestore/tasks/main.yml

@@ -2,5 +2,6 @@
 # tasks file for update_variablestore
 - name: Update variablestore
   set_fact:
-    variablestore: "{{ variablestore +  [{'name': item, 'secure': false, 'use_default': false,  'value': (item == 'dal10gw_on_prem_connection_preshared_key') | ternary(tf_var_preshared_key, tf_var_ssh_key) }] }}"
-  loop: "{{template_map[template]}}"
+    variablestore: "{{ variablestore +  [{'name': item, 'secure': false, 'use_default': false,  'value': vars[ssh_key_map[item]] }] }}"
+  loop: "{{template_map[template]}}"
+

ansible/template-test/roles/update_workspace_variables/tasks/main.yml

@@ -2,11 +2,14 @@
 # tasks file for update_workspace_variables
 - name: Update Workspace Variables
   uri:
-        url: "https://schematics.cloud.ibm.com/v1/workspaces/{{ existing_workspace_id if use_existing_workspace == 'true' else new_workspace_id }}/template_data/{{ template_id }}/values"
-        method: PUT
-        headers:
-          Authorization: Bearer {{token.json.access_token}}
-          Content-Type: application/json
-        body_format: json
-        body: 
-          variablestore: "{{ variablestore }}"
+    url: "https://schematics.cloud.ibm.com/v1/workspaces/{{ existing_workspace_id if use_existing_workspace == 'true' else new_workspace_id }}/template_data/{{ template_id }}/values"
+    method: PUT
+    headers:
+      Authorization: Bearer {{token.json.access_token}}
+      Content-Type: application/json
+    body_format: json
+    body: 
+      variablestore: "{{ variablestore }}"
+    timeout: 500
+  delay: 60
+  retries: 2

ansible/template-test/test-inside-action.yml

@@ -18,25 +18,24 @@
         inputs:
           - name: template
             value: "{{ template }}"
-            use_default: false
           - name: tf_var_api_key
             value: "{{ tf_var_api_key }}"
-            use_default: false
             metadata:
               secure: true
           - name: tf_var_prefix
             value: "{{ tf_var_prefix }}"
-            use_default: false  
           - name: workspace_name
             value: "{{ workspace_name }}"
           - name: tf_var_preshared_key
-            value: "{{ tf_var_preshared_key }}"
+            value: "{{ tf_var_preshared_key | default('NONE') }}"
             metadata:
               secure: true
           - name: tf_var_ssh_key
-            value: "{{ tf_var_ssh_key }}"
+            value: "{{ tf_var_ssh_key | default('NONE') }}"
+          - name: tf_var_power_ssh_key
+            value: "{{ tf_var_power_ssh_key | default('NONE') }}"
           - name: use_existing_workspace
-            value: "{{ use_existing_workspace }}"
+            value: "{{ use_existing_workspace | default('false')}}"
           - name: existing_workspace_id
-            value: "{{ existing_workspace_id }}"
+            value: "{{ existing_workspace_id | default('NONE') }}"
     - role: run_schematics_action

ansible/template-test/vars/template_override_vars/mixed.yml

@@ -0,0 +1,54 @@
+override_craig:
+  atracker:
+    enabled: false
+    type: cos
+    name: atracker
+    target_name: atracker-cos
+    bucket: atracker-bucket
+    add_route: true
+    cos_key: cos-bind-key
+    locations:
+    - global
+    - us-south
+    instance: false
+    plan: lite
+    resource_group: 
+    archive: false
+  transit_gateways:
+    - name: transit-gateway
+      resource_group: service-rg
+      global: false
+      connections: []
+      use_data: false
+      prefix_filters: []
+      gre_tunnels: []
+      crns: 
+      classic: false
+  clusters: []
+  vsi:
+    - kms: kms
+      encryption_key: vsi-volume-key
+      image: ibm-ubuntu-22-04-1-minimal-amd64-1
+      profile: cx2-4x8
+      name: management-server
+      security_groups:
+      - management-vsi
+      ssh_keys:
+      - ssh-key
+      subnets:
+      - vsi-zone-1
+      - vsi-zone-2
+      - vsi-zone-3
+      vpc: management
+      vsi_per_subnet: 1
+      resource_group: management-rg
+      override_vsi_name: 
+      user_data: 
+      network_interfaces: []
+      volumes: []
+      image_name: 
+      enable_floating_ip: false
+      primary_interface_ip_spoofing: false
+      use_variable_names: false
+      snapshot: 
+      use_snapshot: false