Setting up Terraform for Container Registry

Terraform on IBM Cloud® enables predictable and consistent provisioning of IBM Cloud services so that you can rapidly build complex, multitiered cloud environments that follow Infrastructure as Code (IaC) principles. Similar to using the IBM Cloud CLI or API and SDKs, you can automate the provisioning, update, and deletion of your IBM Cloud® Container Registry instances by using HashiCorp Configuration Language (HCL).

Are you looking for a managed Terraform on IBM Cloud solution? Try out IBM Cloud Schematics. With Schematics, you can use the Terraform scripting language that you are familiar with, but you don't need to worry about setting up and maintaining the Terraform command line and the IBM Cloud Provider plug-in. Schematics also provides pre-defined Terraform templates that you can install from the IBM Cloud catalog.

Installing Terraform and creating a Container Registry namespace

Before you begin, ensure that you have the required access to create and work with IBM Cloud Container Registry resources.

  1. To install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform, follow the Terraform on IBM Cloud getting started tutorial. The plug-in abstracts the IBM Cloud APIs that are used to provision, update, or delete Container Registry resources.

  2. Create a Terraform configuration file that is named main.tf. In this file, you use HashiCorp Configuration Language (HCL) to add the configuration that creates a Container Registry namespace and assigns a user an IAM access policy for that namespace in Identity and Access Management (IAM). An access policy is a method for granting users, service IDs, and access groups access to account resources; it includes a subject, target, and role. For more information, see the Terraform Language Documentation.

    The following example creates a namespace, with a name of your choice, in the default resource group and attaches an image retention policy to that namespace that retains 10 images. A resource group is the environment and constraints that contained resource instances adhere to; a user can be associated with a resource group to enable collaboration. To retrieve the ID of the default resource group, the ibm_resource_group data source is used. Then, the user user@ibm.com is assigned the Manager role in the IAM access policy for the namespace for a particular region. The region is retrieved from the terraform.tfvars file that you created in step 1.

    # Look up the ID of the default resource group.
    data "ibm_resource_group" "group" {
        name = "default"
    }

    # Create the namespace in that resource group.
    resource "ibm_cr_namespace" "cr_namespace" {
        name = "<namespace_name>"
        resource_group_id = data.ibm_resource_group.group.id
    }

    # Attach a retention policy that keeps 10 images per repository.
    resource "ibm_cr_retention_policy" "cr_retention_policy" {
        namespace = ibm_cr_namespace.cr_namespace.id
        images_per_repo = 10
    }

    # Assign user@ibm.com the Manager role on the namespace in var.region.
    resource "ibm_iam_user_policy" "policy" {
        ibm_id = "user@ibm.com"
        roles  = ["Manager"]

        resources {
            service = "container-registry"
            resource = ibm_cr_namespace.cr_namespace.id
            resource_type = "namespace"
            region = var.region
        }
    }

    Updating a namespace by using Terraform is not supported. You can use Terraform to create and remove namespaces only.

  3. Initialize the Terraform CLI.

    terraform init
    
  4. Create a Terraform execution plan. The Terraform execution plan summarizes all the actions that need to be run to create the Container Registry namespace and IAM access policy in your account.

    terraform plan
    
  5. Create the Container Registry namespace and IAM access policy in IBM Cloud.

    terraform apply
    
  6. From the Container Registry namespace overview page, verify that your namespace is created successfully.

  7. Verify that the IAM access policy is successfully assigned. For more information, see Reviewing assigned access in the console.
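
Added example (not part of the IBM documentation): a pre-apply check for the plan from step 4 that flags resource types outside main.tf, in-place namespace updates (which the note in step 2 says are not supported), and IAM roles beyond those approved. It assumes the plan was saved with `terraform plan -out=tfplan` and exported with `terraform show -json tfplan`; the sample plan, the `review_plan` function, and its `allowed_roles` parameter are constructed for illustration.

```python
import json

# Constructed sample: trimmed `terraform show -json tfplan` output for the
# main.tf above, plus one in-place namespace update to show the failure case.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "ibm_cr_namespace.cr_namespace", "type": "ibm_cr_namespace",
     "change": {"actions": ["create"], "after": {"name": "example-ns"}}},
    {"address": "ibm_cr_retention_policy.cr_retention_policy",
     "type": "ibm_cr_retention_policy",
     "change": {"actions": ["create"], "after": {"images_per_repo": 10}}},
    {"address": "ibm_iam_user_policy.policy", "type": "ibm_iam_user_policy",
     "change": {"actions": ["create"],
                "after": {"ibm_id": "user@ibm.com", "roles": ["Manager"]}}},
    {"address": "ibm_cr_namespace.other", "type": "ibm_cr_namespace",
     "change": {"actions": ["update"], "after": {"name": "renamed-ns"}}},
]})

# Resource types that main.tf is expected to manage.
EXPECTED_TYPES = {"ibm_cr_namespace", "ibm_cr_retention_policy", "ibm_iam_user_policy"}

def review_plan(plan_json, allowed_roles=frozenset({"Manager"})):
    """Return a list of findings; an empty list means the plan matches expectations."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        addr, rtype = rc["address"], rc["type"]
        actions = rc["change"]["actions"]
        after = rc["change"].get("after") or {}  # "after" is null on delete
        # Data source reads and unchanged resources modify nothing.
        if rc.get("mode") == "data" or actions == ["no-op"]:
            continue
        if rtype not in EXPECTED_TYPES:
            findings.append(f"{addr}: unexpected resource type {rtype}")
        if rtype == "ibm_cr_namespace" and "update" in actions:
            findings.append(f"{addr}: namespace update is not supported")
        if rtype == "ibm_iam_user_policy":
            extra = sorted(set(after.get("roles") or []) - allowed_roles)
            if extra:
                findings.append(
                    f"{addr}: grants unapproved roles {extra} to {after.get('ibm_id')}")
    return findings

if __name__ == "__main__":
    for finding in review_plan(SAMPLE_PLAN):
        print("FINDING:", finding)
```

Run the check between `terraform plan` and `terraform apply`, and apply the saved plan file only when the list of findings is empty.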

Next steps

Now that you successfully created your first Container Registry namespace with Terraform on IBM Cloud, you can choose between the following tasks: