This repository provides a set of Terraform configurations to automate the provisioning of an IBM Cloud VPC (Virtual Private Cloud) Gen 2 environment. It creates:
- A VPC (or uses an existing one)
- Subnets across multiple zones
- Public gateways
- Security groups and rules
- Virtual Server Instances (VSIs) for Ansible, OpenVPN, and RHEL
- Floating IPs and block storage
The included scripts (in the scripts/ directory) help automate post-provisioning tasks such as disk partitioning, mounting, and system hardening.
Below is a quick reference for the variables in custom.tfvars (all are required unless otherwise noted):
ibmcloud_api_key: IBM Cloud API key with VPC permissionsvpc_name: Name for your VPCvsi_name: Name for the Ansible VSIvsi_openvpn_name: Name for the OpenVPN VSIrhel_image: RHEL image name or IDworkstation_public_ip: Your workstation’s public IP in CIDR formatcreate_vpc: Set to true to create a new VPC, or false to use an existing oneexisting_vpc_id: Existing VPC ID (if not creating a new one)ssh_private_key: SSH private key for accessing the VSIs (in base64 format)ssh_public_key: SSH public key (plain text)resource_group: IBM Cloud Resource Group (default: "Default")
- Create a new variable file called
custom.tfvars. - Update the variables in
custom.tfvarsto match your environment. - Run:
terraform initterraform plan --var-file=custom.tfvarsterraform apply --var-file=custom.tfvars
- Wait for the resources to be provisioned in your IBM Cloud account.
IBM Cloud Schematics allows you to run Terraform automation directly from the IBM Cloud web console, without needing a local Terraform installation. To use this repository with Schematics:
-
Clone or Fork this Repository
- Make your own copy if you want to customize.
-
Create a Schematics Workspace
- In the IBM Cloud console, go to Schematics > Workspaces and click Create workspace.
- Set the source to this repository (GitHub URL).
-
Customize Variables
- In the workspace, go to the Variables tab.
- Enter the required variables (see above). You can copy the contents of your
custom.tfvarsor enter them in the UI. - Important:
ibmcloud_api_keymust be set (use a secure method, e.g., as a sensitive variable).- Set
create_vpctotrueto create a new VPC, orfalseand provideexisting_vpc_idto use an existing VPC. - Update
rhel_imageto match the RHEL image available in your region/account. - Set
workstation_public_ipto your current public IP in CIDR format (e.g.,203.0.113.5/32). - Provide your SSH keys as required.
-
Run the Automation
- Click Plan to preview changes.
- Click Apply to provision resources.
-
Post-Provisioning
- Use the floating IPs and SSH keys to access the provisioned VSIs.
- The scripts in the
scripts/directory (e.g.,ansible_mount.sh,ansible_authselect.sh,rhel9-cis-level2-fix.sh) can be run on the VSIs for additional configuration, such as mounting disks or applying security hardening.
- Regions/Zones:
- The default region is set to
jp-tok(Tokyo). Update theprovider.tfand subnet/zone variables if you need a different region.
- The default region is set to
- Images:
- Ensure the
rhel_imagevariable matches an image available in your IBM Cloud account/region.
- Ensure the
- Resource Group:
- Update the
resource_groupvariable if you want to use a non-default resource group.
- Update the
- SSH Keys:
- You must provide your own SSH key pair for secure access to the VSIs.
- Scripts:
- Review and modify the scripts in
scripts/as needed for your environment or compliance requirements.
- Review and modify the scripts in
This repository automates the creation of a secure, multi-zone IBM Cloud VPC environment with:
- VPC and subnets in three zones
- Public gateways for internet access
- Security groups with rules for SSH and other access
- Multiple VSIs (Ansible, OpenVPN, RHEL) with floating IPs
- Optional block storage and volume attachments
- Post-provisioning scripts for system configuration and hardening
You can use this as a starting point for more complex IBM Cloud VPC deployments, or as a template for your own infrastructure automation.