IBM Cloud Docs
Setting up Terraform for IBM Cloud Activity Tracker

Setting up Terraform for IBM Cloud Activity Tracker

Terraform on IBM Cloud® enables predictable and consistent provisioning of IBM Cloud services so that you can rapidly build complex, multitier cloud environments that follow Infrastructure as Code (IaC) principles. Similar to using the IBM Cloud CLI or API and SDKs, you can automate the provisioning, update, and deletion of your IBM Cloud Activity Tracker instances by using HashiCorp Configuration Language (HCL).

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. For information about IBM Cloud Logs, see the IBM Cloud Logs documentation.

Looking for a managed Terraform on IBM Cloud solution? Try out IBM Cloud® Schematics. With Schematics, you can use the Terraform scripting language that you are familiar with, but you don't need to worry about setting up and maintaining the Terraform command line and the IBM Cloud Provider plug-in. Schematics also provides pre-defined Terraform templates that you can install from the IBM Cloud catalog.

Before you begin, ensure that you have the required access to create and work with Log Analysis resources.

Step 1. Install the Terraform CLI

Complete the following steps to install the Terraform CLI:

  1. Create a terraform folder on your local machine, and navigate to your terraform folder.

    mkdir terraform && cd terraform

  2. Download the Terraform version that you want. For example, you can download terraform_0.15.5_darwin_amd64.zip for a MacOS.

    The IBM Cloud Provider plug-in for Terraform currently supports Terraform version 0.12.x, 0.13.x, and 0.14.x only. Make sure to select a supported Terraform version.

  3. Extract the Terraform zip file and copy the files to your terraform directory.

  4. Set the environment PATH variable to your Terraform files.

    export PATH=$PATH:<terraform-directory>/terraform

  5. Verify that the installation is successful by using a terraform command.

    ./terraform

Step 2. Set up the IBM Cloud Provider plug-in

After the Terraform CLI installation is complete, you must set up the IBM Cloud Provider plug-in for Terraform so that you can start working with resources and services in IBM Cloud. For a list of supported versions, see the IBM Cloud Provider plug-in releases.

The setup of the IBM Cloud Provider plug-in varies depending on the Terraform CLI version that you want to use. To run your Terraform configuration files with Terraform version 0.13.x or higher, installation of the IBM Cloud Provider plug-in for Terraform is not required. For more information, see Terraform v0.13.x and higher.

For example, to run your Terraform configuration files with Terraform version 0.13.x or higher, complete the following steps:

  1. Create a versions.tf file and specify the IBM Cloud Provider plug-in version that you want to use with the version parameter.

    terraform {
    required_providers {
        ibm = {
            source = "IBM-Cloud/ibm"
            version = "<provider version>"
            }
    }
}

    For example:

    terraform {
    required_version = ">= 0.15"
    required_providers {
        ibm = {
            source = "ibm-cloud/ibm"
            version = "~>1.33.0"
        }
    }
}

  2. Store the versions.tf file in your Git repository or the folder where Terraform is set up.

If you are using Terraform on IBM Cloud modules, you must add a versions.tf file to all the module folders. You can refer the Terraform provider block from the provider registry. You can use the IBM Cloud Observability - Terraform Module module to configure an instance.

Step 3. Configure the IBM Cloud Provider plug-in

After you complete the set up, you must configure the IBM Cloud Provider plug-in.

Before you can start working with Terraform on IBM Cloud, you must retrieve the credentials and parameters that are required for a Terraform resource or data source, and specify them in the provider configuration. This configuration is used by the IBM Cloud Provider plug-in to authenticate with the IBM Cloud platform and to view, create, update, or delete IBM Cloud resources and services.

The following table lists input parameters that you can set in the provider block of your Terraform on IBM Cloud configuration file:

List of input parameters that you can set in the provider block of your Terraform
Input parameter Required / optional Description
ibmcloud_api_key Required The IBM Cloud API key to authenticate with the IBM Cloud platform. For more information, about how to create an API key, see Creating an API key. You can specify the API key in the provider block or retrieve the value from the IC_API_KEY or IBMCLOUD_API_KEY environment variables. If both environment variables are defined, IC_API_KEY takes precedence.
ibmcloud_timeout Optional The number of seconds that you want to wait until the IBM Cloud API is considered unavailable. The default value is 60. You can specify the timeout in the provider block or retrieve the value from the IC_TIMEOUT or IBMCLOUD_TIMEOUT environment variables. If both variables are specified, IC_TIMEOUT takes precedence.
region Optional The IBM Cloud region where you want to create your resources. If this value is not specified, us-south is used by default. You can specify the region in the provider block or retrieve the value from the IBMCLOUD_REGION or IC_REGION environment variables. If both environment variables are specified, IC_REGION takes precedence.
resource_group Optional The ID of the resource group that you want to use for your IBM Cloud resources. To retrieve the ID, run ibmcloud resource groups. You can specify the resource group in the provider block or retrieve the value from the IC_RESOURCE_GROUP or IBMCLOUD_RESOURCE_GROUP environment variables. If both environment variables are defined, IC_RESOURCE_GROUP takes precedence.

For more information on how to use environment variables, see Using environment variables.

You can add multiple provider configurations within the same Terraform on the IBM Cloud configuration file to create your IBM Cloud resources with different provider parameters. For example, you can multiple providers so that you can use different input parameters, such as different regions, zones, infrastructure generations, or accounts to create the IBM Cloud resources in your Terraform on IBM Cloud configuration file. For more information, see Multiple Provider Instances.

Option 1. Creating a static provider.tf file

You can declare the input parameters in the provider block directly.

Because the provider block includes sensitive information, do not commit this file into a public source repository. To add version control to your provider configuration, use a local terraform.tfvars file.

Complete the following steps:

  1. Create a provider.tf file and specify the input parameters that are required for your resource or data source.

    provider "ibm" {
    ibmcloud_api_key = "<api_key>"
    region = "<region>"
}

Option 2. Referencing credentials from a Terraform tfvars file

You can store sensitive information, such as credentials, in a local terraform.tfvars file and reference these credentials in your provider block.

Do not commit the terraform.tfvars into a public source repository. This file is meant to be stored in your local machine only.

  1. Create a terraform.tfvars file on your local machine and add the input parameters that are required for your resource or data source.

    ibmcloud_api_key = "<ibmcloud_api_key>"
region = "region"

  2. Create a provider.tf file and use Terraform interpolation syntax to reference the variables from the terraform.tfvars.

    variable "ibmcloud_api_key" {}
variable "region" {}

provider "ibm" {
    ibmcloud_api_key    = var.ibmcloud_api_key
    region = var.region
}

Step 4. Initialize the Terraform CLI.

Next, initialize the Terraform CLI. Run the following command:

./terraform init

You should see the following message: Terraform has been successfully initialized!.

Step 5. Create a variables file

Create a variables file that is named variables.tf to include hard-coded values.

The following sample lists variables that you can use when you provision an instance:

variable "service_type" {
  description = "Type of resource instance"
  type = string
  default = "logdnaat"
}

variable "plan" {
  description = "Type of service plan."
  type = string
  default = "30-day"
}

variable "location" {
  description = "Location where the resource is provisioned"
  type = string
  default = "us-south"
}

variable "name" {
  description = "Name of the resource instance"
  type = string
  default = "demo-auditing-tf-instance"
}

variable "resource_group_name" {
  description = "Name of the resource group associated with the instance"
  type = string
  default = "observability-demo"
}

variable "key_name" {
  description = "Name of the resource key associated with the instance"
  type = string
  default = "demo-auditing-tf-instance-key"
}

To see the list of valid plan values, see Plans.

To see the list of valid regions, see Locations.

Step 6. Create a Terraform configuration file

Next, create a Terraform configuration file that is named main.tf. In this file, you add the configuration to create a Log Analysis instance and to assign a user an access policy in Identity and Access Management (IAM) by using HashiCorp Configuration Language (HCL). For more information, see the Terraform documentation.

The following code shows a sample configuration file to provision an instance. To retrieve the ID of the default resource group, the ibm_resource_group data source is used. The region is retrieved from the terraform.tfvars file that you created in step 1. Then, the user user@ibm.com is assigned the Manager role in the IAM access policy for the namespace for a particular region.

data "ibm_resource_group" "group" {
    name = var.resource_group_name
  }

  locals {
    instance_name = "${var.name}-${var.location}"
  }

  // Create an auditing instance

  resource "ibm_resource_instance" "resource_instance" {
    name = local.instance_name
    service = var.service_type
    plan = var.plan
    location = var.location
    resource_group_id = data.ibm_resource_group.group.id
    tags = ["auditing", "public"]
  }

  // Create the resource key that is associated with the {{site.data.keyword.la_short}} instance

  resource "ibm_resource_key" "resourceKey" {
    name = var.key_name
    role = "Manager"
    resource_instance_id = ibm_resource_instance.instance.id
  }

  // Add a user policy for using the resource instance

  resource "ibm_iam_user_policy" "policy" {
    ibm_id = "user@ibm.com"
    roles  = ["Manager", "Viewer"]

    resources {
      service              = "logdnaat"
      resource_instance_id = element(split(":", ibm_resource_instance.instance.id), 7)
    }
  }

For additional information on how to use Terraform for IBM Cloud resources, see:

Step 7. Provision resources

Complete the following steps:

  1. Initialize the Terraform CLI.

    ./terraform init

  2. Create a Terraform execution plan. The Terraform execution plan summarizes all the actions that need to be run to create the Log Analysis instance, the resource Key, and IAM access policy in your account.

    ./terraform plan

  3. Create the resources.

    ./terraform apply

    To delete resources, run ./terraform destroy.

What's next?

Verify that the resources are created.