Before you begin deploying

This tutorial walks through the steps that you must complete before you can successfully deploy the architecture.

IAM Permissions

IAM access roles are required to install this deployable architecture and create all the required elements.

You need the following permissions for this deployable architecture:

  1. Create services from the IBM Cloud catalog.
  2. Create and modify IBM Cloud VPC services, virtual server instances, networks, network prefixes, storage volumes, SSH keys, and security groups of this VPC.
  3. Create and modify Power® Virtual Server services, virtual server instances, networks, storage volumes, and SSH keys of this Power® Virtual Server.
  4. Create and modify IBM Cloud Direct Link connections and IBM Cloud Transit Gateway.
  5. Access existing Object Storage services.
  6. The Editor role on the Projects service.
  7. The Editor and Manager roles on the Schematics service.
  8. The Viewer role on the resource group for the project.

For information about configuring permissions, contact your IBM Cloud account administrator.

Generate API key

An API key is mandatory for the deployment. The key acts with the access of the user identity that created it, so treat it as a secret: store it only where the automation needs it, and do not paste it into scripts, tickets, or chat. If a key is compromised, it can be deleted on its own without affecting other API keys or the user identity itself. You can create up to 20 API keys for your user identity.

To create an API key for your user identity in the UI, complete the following steps:

  1. In the IBM Cloud console, go to Manage > Access (IAM) > API keys.
  2. Click Create an IBM Cloud API key.
  3. Enter a name and description for your API key.
  4. Click Create.
  5. Click Show to display the API key, Copy to copy it to the clipboard, or Download to save it as a file. Save the key now: for security reasons it can be viewed or downloaded only at creation time and cannot be retrieved later.
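The following script is an added example and is not part of this documentation or of the deployable architecture. It shows how to confirm that the key you saved works before you hand it to the automation: it exchanges the key for an IAM token at IBM Cloud's IAM token endpoint, keeps the key out of the command line and shell history by passing it through a private curl configuration file, and prints only the token lifetime. The key file path, the file layout (a plain-text file containing only the key), and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the IBM Cloud docs page): verify that a freshly
# created API key can be exchanged for an IAM token, without ever placing the
# key on a command line or printing it. Assumptions: the key was saved as a
# plain-text file containing only the key (path given as $1), and curl exists.
# The endpoint and grant type are IBM Cloud IAM's documented values.

IAM_TOKEN_URL="https://iam.cloud.ibm.com/identity/token"

# Refuse to use a key file that other users on the host can read.
check_key_file() {
  f="$1"
  [ -f "$f" ] || { echo "key file not found: $f" >&2; return 2; }
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
  case "$mode" in
    400|600) return 0 ;;
    *) echo "key file $f has mode $mode; run: chmod 600 $f" >&2; return 3 ;;
  esac
}

# Pull the numeric expires_in field out of an IAM token response body (stdin).
expires_in_from_json() {
  sed -n 's/.*"expires_in"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Exchange the key for a token. Prints only the token lifetime in seconds, so
# nothing sensitive lands in a terminal scrollback or a CI log.
check_api_key() {
  f="$1"
  check_key_file "$f" || return $?
  cfg=$(mktemp) || return 4   # mktemp creates the file with mode 0600
  out=$(mktemp) || { rm -f "$cfg"; return 4; }
  # The key goes into a private curl config file, not into argv, so it is
  # invisible in `ps` and shell history. $(cat) also drops a trailing newline.
  {
    printf 'url = "%s"\n' "$IAM_TOKEN_URL"
    printf 'data-urlencode = "grant_type=urn:ibm:params:oauth:grant-type:apikey"\n'
    printf 'data-urlencode = "apikey=%s"\n' "$(cat "$f")"
  } > "$cfg"
  code=$(curl -sS -K "$cfg" -H 'Accept: application/json' -o "$out" -w '%{http_code}')
  rc=$?
  rm -f "$cfg"
  if [ "$rc" -ne 0 ] || [ "$code" != "200" ]; then
    echo "token exchange failed (curl rc=$rc, HTTP $code)" >&2
    rm -f "$out"
    return 5
  fi
  echo "API key accepted; token lifetime: $(expires_in_from_json < "$out")s"
  rm -f "$out"
}

# Usage: sh check_api_key.sh /path/to/apikey.txt
if [ -n "${1:-}" ]; then check_api_key "$1"; fi
```

Write the key from the console into a file with mode 600 (set umask 077 before creating it) and run the script with that path. Any response other than HTTP 200 means IAM rejected the key; a 200 confirms that the key is valid and active, which is worth knowing before a long Schematics run fails on the first API call.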

Generate an SSH key pair

This key is used to log in to all virtual server instances that you create. Because the private key is supplied to the automation as an input variable, use a key pair that is dedicated to this deployment rather than a personal key that you also use elsewhere.

You can skip this step if you already have an SSH key pair that meets the following requirements:

  1. The key type is RSA.
  2. The private key has no passphrase (it must not be password encrypted).
  3. The public key is not already registered in the target deployment region.

Paste the contents of the public key file (id_rsa.pub) and the private key file (id_rsa) directly into the input variables ssh_public_key and ssh_private_key respectively, and treat the ssh_private_key value as a secret.

If you do not have existing keys, generate them as described below.

You can generate the SSH key pair by using any method. When you generate a key pair, make sure that:

  1. The passphrase is empty (the key must not be password encrypted).
  2. The key type is RSA.

Linux OS

On the command line, run ssh-keygen. It writes the private key to ~/.ssh/id_rsa and the public key to ~/.ssh/id_rsa.pub; in the following example, which runs as root, that directory is /root/.ssh/.

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:TUdZn9O6tnwK2lc4m917Cs1KvbyXs2n46yrlE2I1t/I root@ans-jump-box-001
The key's randomart image is:
+---[RSA 3072]----+
|            .o.  |
|           ..  .o|
|          . .  oo|
|         o . o o.|
|        S . . +..|
|           o Boo.|
|          . B @*o|
|           = @+EB|
|          . +o#&*|
+----[SHA256]-----+

Windows OS

You can install the MobaXterm application and start a local terminal. On the command line, run ssh-keygen. It writes the id_rsa and id_rsa.pub files under /home/mobaxterm/.ssh/.

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mobaxterm/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mobaxterm/.ssh/id_rsa
Your public key has been saved in /home/mobaxterm/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:TUdZn9O6tnwK2lc4m917Cs1KvbyXs2n46yrlE2I1t/I
The key's randomart image is:
+---[RSA 3072]----+
|            .o.  |
|           ..  .o|
|          . .  oo|
|         o . o o.|
|        S . . +..|
|           o Boo.|
|          . B @*o|
|           = @+EB|
|          . +o#&*|
+----[SHA256]-----+

The public and private key values can now be used in the input variables of the deployable architecture.

Paste the contents of the id_rsa.pub key and the id_rsa key directly into the input variables ssh_public_key and ssh_private_key respectively.
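Both procedures above (Linux and MobaXterm) rely on ssh-keygen, so the following added example, which is not part of this documentation, shows the same generation done non-interactively together with checks for the requirements listed earlier: the key type is RSA, the private key has no passphrase, and the fingerprint is available to compare with the keys already registered in the target region. It assumes OpenSSH's ssh-keygen is installed; the output directory, the key name powervs-deploy, and the function names are illustrative.

```sh
#!/bin/sh
# Added example (not from the IBM Cloud docs page): generate an SSH key pair
# dedicated to this deployment and verify the page's requirements before the
# private key is pasted into ssh_private_key: RSA type, no passphrase, and a
# fingerprint you can compare against keys already registered in the region.
# Assumptions: OpenSSH's ssh-keygen is installed (on Windows, run this from a
# MobaXterm terminal); the output directory and key name are illustrative.

# Generate a 4096-bit RSA key with an empty passphrase (-N '') into $1/$2.
# The comment (-C) identifies the key's purpose so it can be found and revoked later.
generate_deployment_key() {
  dir="$1"; name="${2:-powervs-deploy}"
  mkdir -p "$dir" && chmod 700 "$dir" || return 2
  ssh-keygen -q -t rsa -b 4096 -N '' -C "$name" -f "$dir/$name" </dev/null || return 3
  chmod 600 "$dir/$name"
}

# Requirement 1: the public key must be RSA. ssh-keygen -l ends the line with "(RSA)".
key_is_rsa() {
  ssh-keygen -l -f "$1" 2>/dev/null | grep -q '(RSA)$'
}

# Requirement 2: the private key must not be passphrase protected. Deriving the
# public key with an explicitly empty passphrase fails for an encrypted key.
key_has_no_passphrase() {
  ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Print the SHA256 fingerprint so it can be checked against the keys already in
# the target region (for VPC: `ibmcloud is keys`), which must not include it.
key_fingerprint() {
  ssh-keygen -l -E sha256 -f "$1" | awk '{print $2}'
}

# Run all checks on a key pair; returns 0 only when both requirements hold.
validate_deployment_key() {
  priv="$1"; pub="$1.pub"
  key_is_rsa "$pub"             || { echo "$pub is not an RSA key" >&2; return 1; }
  key_has_no_passphrase "$priv" || { echo "$priv is passphrase protected" >&2; return 1; }
  echo "OK: RSA key, no passphrase, fingerprint $(key_fingerprint "$pub")"
}

# Usage: sh make_key.sh ~/.ssh/deploy powervs-deploy
if [ -n "${1:-}" ]; then
  generate_deployment_key "$1" "${2:-}" && validate_deployment_key "$1/${2:-powervs-deploy}"
fi
```

Run the script once per deployment, keep the key files at mode 600 in a directory at mode 700, and record the printed fingerprint: if the same fingerprint already appears in the target region's key list, the deployment will fail the "unused in the region" requirement, so either delete that key first or generate a fresh pair.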

Reusing an existing Secrets Manager instance (optional)

The deployable architecture can optionally create a Client to Site VPN server. If you enable it, the VPN server requires a server certificate, and that certificate can be read only from a Secrets Manager instance.

The automation gives you two choices:

  • By default, it generates a new VPN server certificate, creates a new Secrets Manager instance, and stores the certificate in it.
  • Alternatively, you can pass the details of an existing Secrets Manager instance and of the certificate in the optional parameters field. This overrides the default behaviour of creating a new Secrets Manager instance.

  • To reuse an existing Secrets Manager instance, you need the following information:

    • Copy the region of your Secrets Manager instance by using the IBM Cloud console.
    • Copy the GUID of the instance. You can locate the Secrets Manager GUID from the resource list in the IBM Cloud console, as shown in the following screenshot:
      1. Enter secret in the product filter. A list of Secrets Manager instances is displayed.

      2. Click the row of the Secrets Manager instance that you want to use to display its details in the sidebar.

      3. Copy the GUID.

        (Screenshot: example view of the resource list in the IBM Cloud console)

    • If you used a certificate template to create the private certificate in your Secrets Manager instance, also copy the name of the certificate template:
      1. In the resource list, click the name of the Secrets Manager instance that you selected earlier.
      2. Click Secrets engines > Private certificates.
      3. In the Certificate authority table, expand the certificate authority and copy the name of the template.
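As an added example that is not part of this documentation, the following script obtains the region and GUID of an existing Secrets Manager instance from its CRN instead of copying them from the console, and rejects CRNs that do not belong to a Secrets Manager instance. It assumes the IBM Cloud CLI is installed and logged in (for example with ibmcloud login --apikey @keyfile) and that the instance name is passed as the first argument; the function names are assumptions. The CRN field layout (crn:v1:bluemix:public:SERVICE:REGION:a/ACCOUNT:GUID:...) is the standard IBM Cloud resource name format.

```sh
#!/bin/sh
# Added example (not from the IBM Cloud docs page): resolve an existing Secrets
# Manager instance to the region and GUID that the optional parameters expect,
# from the command line instead of the console. Assumptions: the IBM Cloud CLI
# is installed and logged in, and the instance name is passed as $1. The CRN
# layout used here is IBM Cloud's crn:v1:bluemix:public:SERVICE:REGION:a/ACCOUNT:GUID:TYPE:RESOURCE form.

# Return field $2 (1-based, split on ":") of the CRN in $1.
crn_field()   { printf '%s' "$1" | cut -d: -f"$2"; }
crn_service() { crn_field "$1" 5; }
crn_region()  { crn_field "$1" 6; }
crn_guid()    { crn_field "$1" 8; }

# Reject anything that is not a Secrets Manager instance CRN with a region and
# GUID, so a copy-paste of the wrong resource's CRN fails loudly here rather
# than as a confusing error from the automation later.
check_sm_crn() {
  crn="$1"
  case "$crn" in crn:v1:*) ;; *) echo "not a CRN: $crn" >&2; return 2 ;; esac
  [ "$(crn_service "$crn")" = "secrets-manager" ] \
    || { echo "CRN is not a Secrets Manager instance: $crn" >&2; return 3; }
  [ -n "$(crn_region "$crn")" ] && [ -n "$(crn_guid "$crn")" ] \
    || { echo "CRN has no region or GUID: $crn" >&2; return 4; }
}

# Print "REGION GUID" for a CRN that passed the check.
sm_region_and_guid() {
  check_sm_crn "$1" || return $?
  printf '%s %s\n' "$(crn_region "$1")" "$(crn_guid "$1")"
}

# Look up the instance by name with the CLI; the ID in the details output is
# the instance CRN. Then print its region and GUID.
sm_details_by_name() {
  crn=$(ibmcloud resource service-instance "$1" | grep -o 'crn:v1:[^[:space:]]*' | head -n 1)
  [ -n "$crn" ] || { echo "no instance named $1 found" >&2; return 1; }
  sm_region_and_guid "$crn"
}

# Usage: sh sm_details.sh my-secrets-manager
if [ -n "${1:-}" ]; then sm_details_by_name "$1"; fi
```

The two printed values are what the optional parameters for an existing Secrets Manager instance need; the certificate template name still has to be read from the Private certificates page as described above, because it is not part of the instance CRN.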

Additional background information