feat: add storage delegation from SaaS DA for WatsonX project (#129)

brendankellyibm · web-flow · commit 76282083dcd6 · 2024-08-02T20:10:46.000+01:00
diff --git a/modules/watson-machine-learning/main.tf b/modules/watson-machine-learning/main.tf
@@ -10,11 +10,26 @@ module "cos" {
   cos_plan          = "standard"
 }
 
+module "storage_delegation" {
+  providers = {
+    ibm                           = ibm
+    ibm.deployer                  = ibm
+    restapi.restapi_watsonx_admin = restapi.restapi_watsonx_admin
+  }
+  source               = "git::https://github.com/terraform-ibm-modules/terraform-ibm-watsonx-saas-da.git//storage_delegation?ref=v1.4.0"
+  count                = var.watsonx_project_delegated ? 1 : 0
+  cos_kms_crn          = var.cos_kms_crn
+  cos_kms_key_crn      = var.cos_kms_key_crn
+  cos_kms_new_key_name = var.cos_kms_new_key_name
+  cos_kms_ring_id      = var.cos_kms_ring_id
+  cos_guid             = module.cos.cos_instance_guid
+}
+
 ## Use code from Watson SaaS directly to avoid "legacy module" issues
 ## Note: passing a non-null delegated storage attribute may result in API errors
 
-
 resource "restapi_object" "configure_project" {
+  depends_on     = [module.storage_delegation]
   provider       = restapi.restapi_watsonx_admin
   path           = local.dataplatform_api
   read_path      = "${local.dataplatform_api}{id}"
diff --git a/modules/watson-machine-learning/variables.tf b/modules/watson-machine-learning/variables.tf
@@ -8,6 +8,37 @@ variable "cos_instance_name" {
   type        = string
 }
 
+variable "cos_kms_crn" {
+  description = "KMS service instance CRN used to encrypt the COS buckets used by the watsonx projects."
+  type        = string
+  default     = null
+
+  validation {
+    condition = anytrue([
+      can(regex("^crn:(.*:){3}kms:(.*:){2}[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}::$", var.cos_kms_crn)),
+      var.cos_kms_crn == null,
+    ])
+    error_message = "Key Protect CRN validation failed."
+  }
+}
+
+variable "cos_kms_key_crn" {
+  description = "KMS key CRN used to encrypt the COS buckets used by the watsonx projects. If not set, then the cos_kms_new_key_name must be specified."
+  type        = string
+  default     = null
+}
+
+variable "cos_kms_new_key_name" {
+  description = "Name of the KMS key to create for encrypting the COS buckets used by the watsonx projects."
+  type        = string
+}
+
+variable "cos_kms_ring_id" {
+  description = "The identifier of the KMS ring to create the cos_kms_new_key_name into. If it is not set, then the new key will be created in the default ring."
+  type        = string
+  default     = null
+}
+
 variable "watson_ml_instance_crn" {
   description = "Watson Machine Learning instance CRN"
   type        = string
diff --git a/solutions/banking/main.tf b/solutions/banking/main.tf
@@ -3,6 +3,8 @@ locals {
   use_watson_machine_learning = (var.watson_machine_learning_instance_guid != null) ? true : false
   use_elastic_index           = (var.elastic_instance_crn != null) ? true : false
 
+  cos_instance_name                = var.prefix != null ? "${var.prefix}-rag-sample-app-cos" : "gen-ai-rag-sample-app-cos"
+  cos_kms_new_key_name             = var.prefix != null ? "${var.prefix}-${var.cos_kms_new_key_name}" : var.cos_kms_new_key_name
   watsonx_assistant_url            = "//api.${var.watson_assistant_region}.assistant.watson.cloud.ibm.com/instances/${var.watson_assistant_instance_id}"
   watson_discovery_url             = local.use_watson_discovery ? "//api.${var.watson_discovery_region}.discovery.watson.cloud.ibm.com/instances/${var.watson_discovery_instance_id}" : null
   watson_discovery_project_name    = var.prefix != null ? "${var.prefix}-gen-ai-rag-sample-app-project" : "gen-ai-rag-sample-app-project"
@@ -106,18 +108,24 @@ resource "ibm_resource_instance" "cd_instance" {
 
 module "configure_wml_project" {
   providers = {
+    ibm                           = ibm.ibm_resources
     ibm.ibm_resources             = ibm.ibm_resources
     restapi.restapi_watsonx_admin = restapi.restapi_watsonx_admin
   }
   count                            = local.use_watson_machine_learning ? 1 : 0
   source                           = "../../modules/watson-machine-learning"
+  watsonx_project_delegated        = var.cos_kms_crn != null ? true : false
   watson_ml_instance_guid          = var.watson_machine_learning_instance_guid
   watson_ml_instance_crn           = var.watson_machine_learning_instance_crn
   watson_ml_instance_resource_name = var.watson_machine_learning_instance_resource_name
   watson_ml_project_name           = local.watson_ml_project_name
   resource_group_id                = module.resource_group.resource_group_id
-  cos_instance_name                = "${var.prefix}-rag-sample-app-cos"
-  location                         = var.watson_discovery_region # WatsonX services needs to be in the same region anyway
+  cos_instance_name                = local.cos_instance_name
+  cos_kms_crn                      = var.cos_kms_crn
+  cos_kms_key_crn                  = var.cos_kms_key_crn
+  cos_kms_ring_id                  = var.cos_kms_ring_id
+  cos_kms_new_key_name             = local.cos_kms_new_key_name
+  location                         = var.watson_assistant_region
 }
 
 moved {
diff --git a/solutions/banking/variables.tf b/solutions/banking/variables.tf
@@ -100,6 +100,38 @@ variable "watson_machine_learning_instance_resource_name" {
   default     = null # WML usage is optional, elastic can be used instead
 }
 
+variable "cos_kms_crn" {
+  description = "Key Protect service instance CRN used to encrypt the COS buckets used by the watsonx projects."
+  type        = string
+  default     = null
+
+  validation {
+    condition = anytrue([
+      can(regex("^crn:(.*:){3}kms:(.*:){2}[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}::$", var.cos_kms_crn)),
+      var.cos_kms_crn == null,
+    ])
+    error_message = "Key Protect CRN validation failed."
+  }
+}
+
+variable "cos_kms_key_crn" {
+  description = "Key Protect key CRN used to encrypt the COS buckets used by the watsonx projects. If not set, then the cos_kms_new_key_name must be specified."
+  type        = string
+  default     = null
+}
+
+variable "cos_kms_new_key_name" {
+  description = "Name of the Key Protect key to create for encrypting the COS buckets used by the watsonx projects."
+  type        = string
+  default     = ""
+}
+
+variable "cos_kms_ring_id" {
+  description = "The identifier of the Key Protect ring to create the cos_kms_new_key_name into. If it is not set, then the new key will be created in the default ring."
+  type        = string
+  default     = null
+}
+
 variable "elastic_instance_crn" {
   description = "Elastic ICD instance CRN"
   type        = string
