Cloud Services

Enterprise Marketplace

Secure Network Extension for Terraform for protected networks
Published On Jun 06, 2024 - 2:38 PM

Secure Network Extension for Terraform for protected networks

Provision Terraform resources on secured private clouds.
The WebSocket protocol is used in the Terraform Engine to provision resources on private clouds With private clouds, providers are hosted on-premises and network access is protected using a VPN. Normally a Kyndryl Modern Operations Applications instance must have network access to a provider to provision services from that prover, so a VPN connection needs to be set up and firewall rules applied to the host to allow inbound connections. The Kyndryl Modern Operations Applications instance needs a VPN client to connect to the on-premises provider. In addition, in some cases NAT must also be configured on the on-premises network. All of this adds dependencies and complexity to the system.
To solve this problem, Kyndryl Modern Operations Applications has the Secure Network Extension for Terraform. This extension of the Terraform Engine creates a dedicated communication channel between your data center or protected network and the Terraform Engine, while respecting your network security guidelines. It is extremely quick and simple to set up.

Prerequisites

You must meet these prerequisites before you can enable the Secure Network Extension for Terraform. The following are sizing guidelines for your virtual machine (VM). Your actual usage may influence the performance stability of the VM, so you must monitor its usage to ensure it is always operational.
  • User role:
    To download the installer script, the user must have the IAM Admin role.
  • CPU and memory configuration:
    • Review Docker system requirements to select an appropriate configuration.
    • Ensure the docker container is allocated enough memory. Depending on the complexity of your templates and the frequency of your provisioning, you might require long running operations. Therefore, 512 MB - 1 GB of RAM is suggested.
  • Disk configuration:
    • Please review the operation system and Docker system requirements to select an appropriate disk size for your VM. Depending on the complexity of your templates, the WebSockets adapter can use up to 1 GB of disk space. This space is cleaned up automatically. Monitor your actual usage to tune the sizing of your VM.
  • Software:
    • Docker must be installed on the system where you run the script to run the container. Follow the instructions in the Docker documentation to install Docker on your VM.
    • You can use Podman instead of Docker during installation. For information, see the Podman documentation.
      Docker is needed to run the container, so it must also be installed.
    • Ensure that your VM has outbound network access to the Kyndryl Modern Operations Applications tenant for registration.

Basic steps

The following are the steps required to enable Secure Network Extension:
  1. Determine the configuration values needed in the
    configs.env
    file. This varies depending on whether your tenant is v3 Auth enabled:

Determining configuration values before v3 Auth

Determining the configuration values you need to enter in the
configs.env
file used to enable the Secure Network Extension for Terraform involves completing the following steps:
If your tenant is v3 Auth enabled, see Determining configuration values for v3 Auth for alternate procedures.
  1. Navigate to the
    Terraform Provider Management
    page. To learn more about navigating to the different services from each tenant, refer to Landing page navigation or Kyndryl Bridge Landing page navigation.
  2. In the
    Quick Start
    section, click
    Download Installer
    . You will need the Administrator role in order to perform this activity.
  3. In the pane that opens, select the provider that you want to use in the
    Provider Name
    field and click
    Continue
    .
  4. A compressed file for the provider that you selected is downloaded. Copy this file onto the server where you want to run the Secure Network Extension for Terraform and extract it.
  5. If you are using Podman, update BUILD_EXECUTOR value to podman in the
    configs.env
    file.
  6. If your system is in a proxy network and the firewall is enabled, update the following variables with the values for your proxy server in the
    configs.env
    file:
    • export HTTP_PROXY=""
    • export HTTPS_PROXY=""
    • export NO_PROXY=""

Determining configuration values for v3 Auth

If your tenant is v3 Auth enabled, you will need to determine two configuration values that need to be entered in the
configs.env
file:
If your tenant is not v3 Auth enabled, see Determining configuration values before v3 Auth for alternate procedures.
  • IAM_SERVICE_ID
  • IAM_SERVICE_API_KEY
To get these values, complete these steps:
  1. Log in to your tenant.
  2. Navigate to the
    IAM
    section. To learn more about navigating to the different services from each tenant, refer to Landing page navigation or Kyndryl Bridge Landing page navigation.
  3. Click
    Add Service ID
    .
  4. On the
    Add Service ID
    page, enter a descriptive name for the new service ID and optionally add a description, and then click
    Add
    to save the new service ID.
  5. Click the
    Service IDs
    menu option and then search for the service Id that you created.
  6. Click the
    Actions
    icon or the service ID and select
    View Details
    .
  7. Copy the service ID from the section immediately after
    service-ids
    and before
    view
    in the page URL as shown highlighted in this example:
    ...iam/service-ids/
    65e19c13b9eb00a3762dbcf2
    /view/access-groups
    .
  8. Paste the service ID as the IAM_SERVICE_ID in your
    configs.env
    file.
  9. Click the
    API Keys
    menu option.
  10. Click
    Add API Key
    .
  11. On the
    Add API Key
    page, enter a descriptive name for the API key and click
    Add
    .
  12. On the
    API Key has been successfully added
    page, copy the API key.
  13. Paste the API key generated as the IAM_SERVICE_API_KEY in your
    configs.env
    file.

Enabling the Secure Network Extension for Terraform

The next steps depend on whether the Docker pull command works on the system where the adapter is going to be installed.
If the
Docker pull command does work
, complete these step:
  1. Copy the installer zip downloaded from the Terraform provider page to the system where the adapter will be installed.
  2. Extract the
    installer.zip
    file.
  3. Run the
    installer.sh
    file to create a secure network extension Docker image:
    ./installer.sh
    .
  4. Run the
    run_container.sh
    file to create the secure network extension container:
    ./run_container
    .
  5. Run the
    check_logs.sh
    file to check the logs of secure network extension container to ensure that the container is deployed and is communicating with Enterprise Marketplace:
    ./check_logs.sh
    .
If the
Docker pull command does not work
on the system, complete these steps instead:
  1. Bundle the image into a tar file using the following command in the same environment:
    docker save -o {file_name}.tar {image_name}
    .
    The {file_name} can be anything. The {image_name} must be an image that exists in the
    run_configs.env
    file.
  2. Copy the
    installer_zip
    ,
    run_configs
    and
    tar
    files that you just created to the VM where the secure network extension needs to be installed.
  3. Extract the
    installer.zip
    file.
  4. Run the
    installer.sh
    file to create a secure network extension Docker image:
    ./installer.sh
    .  The image name is stored in the
    run_configs.env
    file.
  5. Load the bundled Docker image
    tar
    file into a Docker image that can be used to run the container Docker load using the following command:
    -i {file_name}.tar
    .
    Use the same {file_name} you entered in step 2.
  6. Run the
    run_container.sh
    file to create the secure network extension container:
    ./run_container
    .
  7. Run the
    check_logs.sh
    file to check the logs of secure network extension container to ensure that the container is deployed and is communicating with Enterprise Marketplace:
    ./check_logs.sh
    .

Troubleshooting

If you run into problems, you can run the
check-logs.sh
script to see the logs using this command:
$ sh check_logs.sh
If you are not able to pull the images into your private network, configure your proxy network using the following variables:
  • export HTTP_PROXY=""
  • export HTTPS_PROXY=""
  • export NO_PROXY=""
If changing those proxy variables does not work, complete these steps:
  1. Run the
    installer.sh
    file to build the secure network extension docker image:
    ./installer.sh
    .
  2. Save the docker image into a tar file:
    docker save -o {file_name}.tar {image_name}
    . The image name can be found in the
    run_configs.env
    file generated in the last step.
  3. Copy the tar file to the private network.
  4. Copy the installer files and the
    run_configs.env
    file that were generated in step 1.
  5. Load the tar file into a Docker image:
    docker load -i {file_name}.tar
    .
  6. Run the
    installer.sh
    file to create a secure network extension docker image: 
    ./installer.sh
    .
  7. Run the
    run_conatiner.sh
    file to create the secure network extension container:
    ./run_container
    .
  8. Run the
    check_logs.sh
    file to check the logs of secure network extension container:
    ./check_logs.sh
    to ensure that the container is deployed and communicating with Enterprise Marketplace.
Do you have two minutes for a quick survey?
Take Survey