Secure Network Extension for Terraform for protected networks
Published On
Oct 08, 2024 - 8:47 AM
Provision Terraform resources on secured private clouds.
The Terraform Engine uses the WebSocket protocol to provision resources on private clouds. With private clouds, providers are hosted on-premises and network access is protected using a VPN. Normally a Kyndryl Modern Operations Applications instance must have network access to a provider to provision services from that provider, so a VPN connection needs to be set up and firewall rules applied to the host to allow inbound connections. The Kyndryl Modern Operations Applications instance needs a VPN client to connect to the on-premises provider. In addition, in some cases NAT must also be configured on the on-premises network. All of this adds dependencies and complexity to the system.
To solve this problem, Kyndryl Modern Operations Applications has the Secure Network Extension for Terraform. This extension of the Terraform Engine creates a dedicated communication channel between your data center or protected network and the Terraform Engine, while respecting your network security guidelines. It is extremely quick and simple to set up.
Prerequisites
You must meet these prerequisites before you can enable the Secure Network Extension for Terraform. The following are sizing guidelines for your virtual machine (VM). Your actual usage may affect the performance and stability of the VM, so you must monitor its usage to ensure it is always operational.
User role: To download the installer script, the user must have the IAM Admin role.
Memory: Ensure the Docker container is allocated enough memory. Depending on the complexity of your templates and the frequency of your provisioning, you might have long-running operations. Therefore, 512 MB to 1 GB of RAM is suggested.
Disk configuration: Review the operating system and Docker system requirements to select an appropriate disk size for your VM. Depending on the complexity of your templates, the WebSockets adapter can use up to 1 GB of disk space. This space is cleaned up automatically. Monitor your actual usage to tune the sizing of your VM.
Software: Docker must be installed on the system where you run the script, because it is needed to run the container. Follow the instructions in the Docker documentation to install Docker on your VM. You can use Podman instead of Docker during installation; for information, see the Podman documentation.
Network: Ensure that your VM has outbound network access to the Kyndryl Modern Operations Applications tenant for registration.
Basic steps
The following are the steps required to enable Secure Network Extension:
1. Determine the configuration values needed in the configs.env file. This varies depending on whether your tenant uses Foundation APIs (see Determining configuration values for Foundation APIs below). You will need the Administrator role in order to perform this activity.
2. In the pane that opens, select the provider that you want to use in the Provider Name field and click Continue.
3. A compressed file for the provider that you selected is downloaded. Copy this file onto the server where you want to run the Secure Network Extension for Terraform and extract it.
4. If you are using Podman, update the BUILD_EXECUTOR value to podman in the configs.env file.
5. If your system is in a proxy network and the firewall is enabled, update the following variables with the values for your proxy server in the configs.env file:
export HTTP_PROXY=""
export HTTPS_PROXY=""
export NO_PROXY=""
Determining configuration values for Foundation APIs
If your tenant uses Foundation APIs, you will need to determine two configuration values, IAM_SERVICE_ID and IAM_SERVICE_API_KEY, that need to be entered in the configs.env file:
1. On the page that opens, enter a descriptive name for the new service ID and optionally add a description, and then click Add to save the new service ID.
2. Click the Service IDs menu option and then search for the service ID that you created.
3. Click the Actions icon for the service ID and select View Details.
4. Copy the service ID from the section of the page URL immediately after service-ids and before view, as shown highlighted in this example: ...iam/service-ids/65e19c13b9eb00a3762dbcf2/view/access-groups
5. Paste the service ID as the IAM_SERVICE_ID in your configs.env file.
6. Click the API Keys menu option.
7. Click Add API Key.
8. On the Add API Key page, enter a descriptive name for the API key and click Add.
9. On the API Key has been successfully added page, copy the API key.
10. Paste the generated API key as the IAM_SERVICE_API_KEY in your configs.env file. Because configs.env now holds a service credential, restrict its file permissions to the account that runs the installer.
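The configs.env values from the basic steps and from the Foundation APIs section above can be sanity-checked before running the installer. The following pre-flight script is an added example, not one of the product's installer scripts; it assumes configs.env holds export NAME=value lines as shown above, that IAM_SERVICE_ID is a 24-character hex id (inferred from the example URL), and that BUILD_EXECUTOR is docker, podman, or left empty for the installer's default.

```bash
#!/usr/bin/env bash
# Pre-flight check of configs.env, to run before ./installer.sh.
# Added example, not one of the product's installer scripts.
# Assumptions: configs.env holds "export NAME=value" lines; IAM_SERVICE_ID is
# a 24-character hex id (inferred from the example URL); BUILD_EXECUTOR is
# "docker", "podman", or empty (assumed to keep the installer's default).
set -u

# Read one exported variable from the file without sourcing it, because
# sourcing would execute any shell code the file happens to contain.
env_value() {  # $1 = file, $2 = variable name
  sed -n "s/^export $2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Validate the file: prints one line per finding, returns the error count.
check_configs() {  # $1 = path to configs.env
  local f=$1 errors=0 mode id key executor proxy noproxy
  # The file carries IAM_SERVICE_API_KEY, so no other account should read it.
  mode=$(stat -c %a "$f" 2>/dev/null || true)
  if [ -n "$mode" ] && [ "$mode" != 600 ] && [ "$mode" != 400 ]; then
    echo "WARN: $f is mode $mode; use 600 so only the installing user can read the key"
  fi
  id=$(env_value "$f" IAM_SERVICE_ID)
  if ! printf '%s\n' "$id" | grep -Eq '^[0-9a-f]{24}$'; then
    echo "ERROR: IAM_SERVICE_ID must be the 24-char hex id copied from the service ID URL"
    errors=$((errors + 1))
  fi
  key=$(env_value "$f" IAM_SERVICE_API_KEY)
  if [ -z "$key" ]; then
    echo "ERROR: IAM_SERVICE_API_KEY is empty"
    errors=$((errors + 1))
  fi
  executor=$(env_value "$f" BUILD_EXECUTOR)
  case "$executor" in
    ""|docker|podman) ;;
    *) echo "ERROR: BUILD_EXECUTOR must be docker or podman (got '$executor')"
       errors=$((errors + 1)) ;;
  esac
  # A proxy with an empty NO_PROXY routes even local and on-premises traffic
  # through the proxy, which is rarely what a protected network wants.
  proxy=$(env_value "$f" HTTPS_PROXY)
  noproxy=$(env_value "$f" NO_PROXY)
  if [ -n "$proxy" ] && [ -z "$noproxy" ]; then
    echo "WARN: HTTPS_PROXY is set but NO_PROXY is empty; list localhost and on-premises hosts"
  fi
  return "$errors"
}
# Usage: source this file, then run: check_configs configs.env
```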
Enabling the Secure Network Extension for Terraform
The next steps depend on whether the Docker pull command works on the system where the adapter is going to be installed.
If the Docker pull command does work, complete these steps:
1. Copy the installer zip downloaded from the Terraform provider page to the system where the adapter will be installed.
2. Extract the installer.zip file.
3. Run the installer.sh file to create a secure network extension Docker image: ./installer.sh
4. Run the run_container.sh file to create the secure network extension container: ./run_container.sh
5. Run the check_logs.sh file to check the logs of the secure network extension container and ensure that the container is deployed and is communicating with Enterprise Marketplace: ./check_logs.sh
If the Docker pull command does not work on the system, complete these steps instead:
1. In an environment where the Docker pull command works, bundle the image into a tar file using the following command: docker save -o {file_name}.tar {image_name}
The {file_name} can be anything. The {image_name} must be an image that exists in the run_configs.env file.
2. Copy the installer.zip, run_configs.env and tar files that you just created to the VM where the secure network extension needs to be installed.
3. Extract the installer.zip file.
4. Run the installer.sh file to create a secure network extension Docker image: ./installer.sh
The image name is stored in the run_configs.env file.
5. Load the bundled Docker image tar file into a Docker image that can be used to run the container, using the following command: docker load -i {file_name}.tar
Use the same {file_name} that you used in the docker save command.
6. Run the run_container.sh file to create the secure network extension container: ./run_container.sh
7. Run the check_logs.sh file to check the logs of the secure network extension container and ensure that the container is deployed and is communicating with Enterprise Marketplace: ./check_logs.sh
Troubleshooting
If you run into problems, you can run the check_logs.sh script to see the logs using this command:
$ sh check_logs.sh
If you are not able to pull the images into your private network, configure your proxy network using the following variables:
export HTTP_PROXY=""
export HTTPS_PROXY=""
export NO_PROXY=""
If changing those proxy variables does not work, complete these steps:
1. On a system that can pull the images, run the installer.sh file to build the secure network extension Docker image: ./installer.sh
2. Save the Docker image into a tar file: docker save -o {file_name}.tar {image_name}
The image name can be found in the run_configs.env file generated in the last step.
3. Copy the tar file to the private network.
4. Copy the installer files and the run_configs.env file that were generated in step 1.
5. Load the tar file into a Docker image: docker load -i {file_name}.tar
6. Run the installer.sh file to create a secure network extension Docker image: ./installer.sh
7. Run the run_container.sh file to create the secure network extension container: ./run_container.sh
8. Run the check_logs.sh file to check the logs of the secure network extension container and ensure that the container is deployed and communicating with Enterprise Marketplace: ./check_logs.sh
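The docker save / docker load transfer used both in the "Docker pull command does not work" steps and in the troubleshooting steps above moves the image across a network boundary by hand, so the receiving side has no way to tell a corrupted or altered tar from a good one. The following script is an added example, not one of the product's scripts: it writes a SHA-256 manifest next to the bundle and refuses to load a tar that no longer matches. It assumes run_configs.env exports the image name as IMAGE_NAME (the page says the name is stored there but not under which key) and that the executor is docker or podman.

```bash
#!/usr/bin/env bash
# Offline image transfer with an integrity check, for the case where the
# Docker pull command does not work on the target system. Added example,
# not one of the product's scripts. Assumptions: run_configs.env exports the
# image name as IMAGE_NAME (an assumed key name); EXECUTOR is docker or podman.
set -u
EXECUTOR=${EXECUTOR:-docker}

image_from_run_configs() {  # $1 = run_configs.env
  sed -n 's/^export IMAGE_NAME="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | tail -n 1
}

# Record the SHA-256 of a bundle next to it, using the bare file name so the
# manifest still checks out after the tar is copied to another directory.
write_manifest() {  # $1 = tar file
  ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# Source side: save the image named in run_configs.env, then write its manifest.
bundle_image() {  # $1 = run_configs.env, $2 = output tar
  local image
  image=$(image_from_run_configs "$1")
  [ -n "$image" ] || { echo "IMAGE_NAME not found in $1" >&2; return 1; }
  "$EXECUTOR" save -o "$2" "$image" && write_manifest "$2"
}

# Target side: returns 0 only when the tar still matches its manifest, so a
# bundle corrupted or altered in transit is detected before it is loaded.
verify_bundle() {  # $1 = tar file (manifest expected at $1.sha256)
  [ -f "$1.sha256" ] || { echo "missing manifest $1.sha256" >&2; return 1; }
  ( cd "$(dirname "$1")" && sha256sum -c --status "$(basename "$1").sha256" )
}

load_image() {  # $1 = tar file
  verify_bundle "$1" || { echo "refusing to load $1: checksum mismatch" >&2; return 1; }
  "$EXECUTOR" load -i "$1"
}
# Usage on the source system:  bundle_image run_configs.env sne.tar
# Copy sne.tar, sne.tar.sha256, installer.zip and run_configs.env to the
# target system, then there:    load_image sne.tar
```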