feat: Elastic configuration for Watson Assistant (#120)

- Control the provisioning of different Watson sub-components
  - Watson Discovery: if `watson_discovery_instance_id` is provided, a discovery project with a collection will be created and sample data from [artifacts/WatsonDiscovery](/terraform-ibm-modules/terraform-ibm-rag-sample-da/tree/main/solutions/banking/artifacts/WatsonDiscovery) will be uploaded into a collection. Previous version always created Discovery project and collection.
  - Watson Machine Learning: if `watson_machine_learning_instance_guid` is provided, a COS instance and a project referencing it will be created in the WML instance. Previous version always created WML project and COS instance.
  - Elastic index: if `elastic_instance_crn` is provided, the following resources will be provisioned:
    - New index in the Elastic DB
    - Sample data from [bank loan FAQs](/terraform-ibm-modules/terraform-ibm-rag-sample-da/tree/main/solutions/banking/artifacts/watsonx.Assistant/bank-loan-faqs.json) uploaded into the index (can be skipped if `elastic_upload_sample_data = false` )
    - Search skill enabled in Watson Assistant workspace pointed to the Elastic index with specified credentials (needs Elastic service credentials `wxasst_db_user`)
    - Action skill enabled in Watson Assistant workspace using [predefined action](/terraform-ibm-modules/terraform-ibm-rag-sample-da/tree/main/solutions/banking/artifacts/watsonx.Assistant/wxa-conv-srch-es-v1.json). 
- When Elastic index option is used, this DA results in fully configured Assistant that can be immediately used with the application.
- Dependencies on CD instance added for better handling of provisioning / destroying when a new CD instance is created - otherwise pipeline resource creation may fail if pipelines are older than a grace period.

Author: in-1911

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-05-31T17:16:48Z",
+  "generated_at": "2024-07-19T17:07:55Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -77,50 +77,60 @@
     }
   ],
   "results": {
-    "solutions/banking/artifacts/watsonx.Assistant/cc-bank-loan-v1-action.json": [
+    "modules/watson-assistant/scripts/assistant-create.sh": [
       {
-        "hashed_secret": "859b9d6bf67cb6fdac5cc9dca1fbfd11191d26f6",
+        "hashed_secret": "20e0438047329f2ff165b6d2a4c081e42d280a3b",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 913,
-        "type": "Hex High Entropy String",
+        "line_number": 4,
+        "type": "Secret Keyword",
         "verified_result": null
-      },
+      }
+    ],
+    "modules/watson-assistant/scripts/assistant-destroy.sh": [
       {
-        "hashed_secret": "1020bf59dff762463413f6c7a536c4e5254d1dd8",
+        "hashed_secret": "20e0438047329f2ff165b6d2a4c081e42d280a3b",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1301,
-        "type": "Hex High Entropy String",
+        "line_number": 5,
+        "type": "Secret Keyword",
         "verified_result": null
       }
     ],
-    "solutions/banking/watson-scripts/assistant-create.sh": [
+    "modules/watson-assistant/scripts/assistant-read.sh": [
       {
         "hashed_secret": "20e0438047329f2ff165b6d2a4c081e42d280a3b",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 4,
+        "line_number": 5,
         "type": "Secret Keyword",
         "verified_result": null
       }
     ],
-    "solutions/banking/watson-scripts/assistant-destroy.sh": [
+    "solutions/banking/artifacts/watsonx.Assistant/cc-bank-loan-v1-action.json": [
       {
-        "hashed_secret": "20e0438047329f2ff165b6d2a4c081e42d280a3b",
+        "hashed_secret": "859b9d6bf67cb6fdac5cc9dca1fbfd11191d26f6",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 5,
-        "type": "Secret Keyword",
+        "line_number": 913,
+        "type": "Hex High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "1020bf59dff762463413f6c7a536c4e5254d1dd8",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 1301,
+        "type": "Hex High Entropy String",
         "verified_result": null
       }
     ],
-    "solutions/banking/watson-scripts/assistant-read.sh": [
+    "solutions/banking/artifacts/watsonx.Assistant/elastic-search-skill.json": [
       {
-        "hashed_secret": "20e0438047329f2ff165b6d2a4c081e42d280a3b",
+        "hashed_secret": "1f5e25be9b575e9f5d39c82dfd1d9f4d73f1975c",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 5,
+        "line_number": 17,
         "type": "Secret Keyword",
         "verified_result": null
       }

modules/elastic-index/main.tf

@@ -0,0 +1,51 @@
+locals {
+  elastic_auth_base64 = sensitive(base64encode("${var.elastic_service_binding.username}:${var.elastic_service_binding.password}"))
+}
+
+# Elastic index creation
+
+resource "elasticstack_elasticsearch_index" "sample_index" {
+  name                = var.elastic_index_name
+  deletion_protection = false
+}
+
+## Upload sample data entries
+
+/*
+# Note: Elastic uses CA certificate for connection, and restapi does not have an option to specify that
+# Therefore the Elastic APIs are used from shell_script
+*/
+
+resource "shell_script" "elastic_index_entries" {
+  count      = var.elastic_index_entries_file != null ? 1 : 0
+  depends_on = [elasticstack_elasticsearch_index.sample_index] #  shell_script.elastic_index
+  lifecycle_commands {
+    create = <<-EOT
+      set -e
+      source ./${path.module}/scripts/elastic-index-utils.sh
+      create_index_entries
+    EOT
+    delete = <<-EOT
+      set -e
+      source ./${path.module}/scripts/elastic-index-utils.sh
+      delete_index_entries
+    EOT
+  }
+
+  environment = {
+    ELASTIC_URL          = var.elastic_service_binding.url
+    ELASTIC_CACERT       = var.elastic_service_binding.ca_data_base64
+    ELASTIC_INDEX_NAME   = urlencode(elasticstack_elasticsearch_index.sample_index.name) # shell_script.elastic_index.output.index_name)
+    ELASTIC_ENTRIES_FILE = var.elastic_index_entries_file
+    MODULE_PATH          = path.module
+  }
+
+  sensitive_environment = {
+    ELASTIC_AUTH_BASE64 = local.elastic_auth_base64
+  }
+
+  # Change in apikey should not trigger assistant re-create
+  lifecycle {
+    ignore_changes = [sensitive_environment]
+  }
+}

modules/elastic-index/outputs.tf

@@ -0,0 +1,9 @@
+output "elastic_index" {
+  description = "Elastic DB index attributes."
+  value       = elasticstack_elasticsearch_index.sample_index
+}
+
+output "elastic_upload_count" {
+  description = "Count of uploaded entries."
+  value       = var.elastic_index_entries_file != null ? tonumber(shell_script.elastic_index_entries[0].output.count) : 0
+}

modules/elastic-index/scripts/elastic-index-utils.sh

@@ -0,0 +1,103 @@
+#!/usr/bin/env bash
+
+function create_index() {
+    local OUTPUT
+    # Skip -f
+    OUTPUT=$(curl -LsS -X PUT --location "$ELASTIC_URL/$ELASTIC_INDEX_NAME" \
+    --header "Authorization: Basic $ELASTIC_AUTH_BASE64" \
+    --header "Accepts: application/json" \
+    --cacert <(cat <<< "$ELASTIC_CACERT" | base64 -d) )
+    check_error "$OUTPUT"
+    # Read index attributes
+    get_index "$ELASTIC_INDEX_NAME"
+}
+
+function read_index() {
+    IN=$(cat)
+    local existing_index_name
+    existing_index_name="$(echo "$IN" | jq -r '.index_name')"
+    if [[ -z "$existing_index_name" ]]; then
+        exit 0
+    fi
+    get_index "$existing_index_name"
+}
+
+function get_index() {
+    local existing_index_name
+    existing_index_name=$1
+    local OUTPUT
+    OUTPUT=$(curl -LsS -X GET --location "${ELASTIC_URL}/$existing_index_name" \
+    --header "Authorization: Basic $ELASTIC_AUTH_BASE64" \
+    --cacert <(cat <<< "$ELASTIC_CACERT" | base64 -d) \
+    --header "Accepts: application/json"  )
+    check_error "$OUTPUT"
+    echo "$OUTPUT" | jq '. | to_entries[] | select( .value.aliases != null )' | jq -S --arg instance_id "$ELASTIC_INSTANCE_ID" '{"instance_id": $instance_id, "index_name": .key, "id": .value.settings.index.uuid}'
+}
+
+
+function delete_index() {
+    IN=$(cat)
+    local existing_index_name
+    existing_index_name=$(echo "$IN" | jq -r '.index_name')
+    if [[ -z "$existing_index_name" ]]; then
+        exit 0
+    fi
+    local OUTPUT
+    OUTPUT=$(curl -LsS -X DELETE --location "$ELASTIC_URL/$existing_index_name" \
+    --header "Authorization: Basic $ELASTIC_AUTH_BASE64" \
+    --header "Accepts: application/json" \
+    --cacert <(cat <<< "$ELASTIC_CACERT" | base64 -d) )
+    check_error "$OUTPUT"
+    echo "$OUTPUT" | jq '. | select( .acknowledged == true )'
+}
+
+function create_index_entries() {
+    local OUTPUT
+
+    OUTPUT=$(curl -LsS -X POST --location "$ELASTIC_URL/$ELASTIC_INDEX_NAME/_bulk" \
+    --header "Authorization: Basic $ELASTIC_AUTH_BASE64" \
+    --header "Content-Type: application/json" \
+    --header "Accepts: application/json" \
+    --data-binary @<(jq -r '.[] | tojson | ("{\"index\" : {} }\n" + .)' < "$ELASTIC_ENTRIES_FILE") \
+    --cacert <(cat <<< "$ELASTIC_CACERT" | base64 -d)
+     )
+    check_error "$OUTPUT"
+    if [[ $(echo "$OUTPUT" | jq -r '. | .errors') == "true" ]]; then
+        echo "$OUTPUT" | jq '[.items[] | select( .index?.error != null ) | .index]'
+        exit 1
+    fi
+    echo "$OUTPUT" | jq '{ "count": (.items | length) }'
+}
+
+function delete_index_entries() {
+    local OUTPUT
+
+    OUTPUT=$(curl -LsS -X POST --location "$ELASTIC_URL/$ELASTIC_INDEX_NAME/_delete_by_query?conflicts=proceed" \
+    --header "Authorization: Basic $ELASTIC_AUTH_BASE64" \
+    --header "Content-Type: application/json" \
+    --header "Accepts: application/json" \
+    --data '{"query": {"match_all": {}}}' \
+    --cacert <(cat <<< "$ELASTIC_CACERT" | base64 -d)
+     )
+    check_error "$OUTPUT"
+    if [[ ! $(echo "$OUTPUT" | jq -r '. | .failures | length') == "0" ]]; then
+        echo "$OUTPUT"
+        exit 1
+    fi
+}
+
+function check_error() {
+    status=$?
+    if [ $status -ne 0 ]; then
+        echo "API call returned an error code $status"
+        echo "$1"
+        exit 1
+    fi
+
+    local error
+    error=$(echo "$1" | jq '.error')
+    if [[ -n "$error" && ! "$error" == "null" ]]; then
+        echo "$error" | jq
+        exit 1
+    fi
+}

modules/elastic-index/variables.tf

@@ -0,0 +1,21 @@
+variable "elastic_service_binding" {
+  description = "Elastic ICD instance credentials"
+  type = object({
+    url            = string
+    username       = string
+    password       = string
+    ca_data_base64 = optional(string)
+  })
+}
+
+variable "elastic_index_name" {
+  description = "Name of index in Elastic instance"
+  type        = string
+  default     = "sample-rag-app-content"
+}
+
+variable "elastic_index_entries_file" {
+  description = "Path to JSON file with content entries"
+  type        = string
+  default     = null
+}

modules/elastic-index/version.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    shell = {
+      source  = "scottwinkler/shell"
+      version = ">= 1.7.10"
+    }
+    elasticstack = {
+      source  = "elastic/elasticstack"
+      version = ">= 0.11.0"
+    }
+  }
+  required_version = ">= 1.3.0"
+}