Planning for the landing zone deployable architectures

Before you begin the deployment of a landing zone deployable architecture, make sure that you understand and meet the prerequisites.

Confirm your IBM Cloud settings

Complete the following steps before you deploy the VPC landing zone deployable architecture.

  1. Confirm or set up an IBM Cloud account:

    Make sure that you have an IBM Cloud Pay-As-You-Go or Subscription account.

  2. Configure your IBM Cloud account:

    1. Log in to IBM Cloud with the IBMid you used to set up the account. This IBMid user is the account owner and has full IAM access.
    2. Complete the company profile and contact information for the account. This profile is required to stay in compliance with the IBM Cloud Financial Services profile.
    3. Enable the Financial Services Validated option for your account.
    4. Enable virtual routing and forwarding (VRF) and service endpoints by creating a support case. Follow the instructions in enabling VRF and service endpoints.

Set the IAM permissions

  1. Set up account access with IBM Cloud Identity and Access Management (IAM):
    1. Create an IBM Cloud API key. The user who owns this key must have the Administrator role.

      Service ID API keys are not supported for the Red Hat OpenShift Container Platform on VPC landing zone deployable architecture.

    2. For compliance with IBM Cloud Framework for Financial Services: Require users in your account to use multifactor authentication (MFA).

    3. Set up access groups.

      User access to IBM Cloud resources is controlled by using the access policies that are assigned to access groups. For IBM Cloud Financial Services validation, do not assign direct IAM access to any IBM Cloud resources.

      Select All Identity and Access enabled services when you assign access to the group.
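The three IAM requirements above (an Administrator-level identity behind the API key, MFA enforced for the account, and access granted only through access groups rather than direct policies) can be checked before deployment from a snapshot of the account's IAM policies and identity settings. The script below is an added example, not code from IBM Cloud or the landing zone project. It assumes the policy objects follow the shape returned by the IAM Policy Management API policy listing (subject and resource attributes as name/value pairs, roles as role CRNs) and that the account settings object carries the `mfa` field returned by the IAM Identity account settings API; the sample data and the access group name `AccessGroupId-lz-admins` are constructed for the example.

```python
"""Audit an IBM Cloud IAM snapshot against the landing zone planning guidance:
no direct policies on individual identities, one access group holding the
Administrator role over all IAM-enabled services, and MFA enforced.

Input shapes mimic the IAM Policy Management API v1 policy list and the IAM
Identity account settings response (assumption); sample data is constructed.
"""
import json

# Role CRN that IAM uses for the platform Administrator role.
ADMIN_ROLE = "crn:v1:bluemix:public:iam::::role:Administrator"

# Account-level MFA values that actually require a second factor; "NONE" does not.
MFA_ENFORCING = {"TOTP", "TOTP4ALL", "LEVEL1", "LEVEL2", "LEVEL3"}

# Constructed sample of a policy listing: one compliant access-group policy
# over all IAM-enabled services, and one direct policy on a user identity.
SAMPLE_POLICIES = json.loads("""
{
  "policies": [
    {
      "id": "policy-1",
      "type": "access",
      "subjects": [{"attributes": [{"name": "access_group_id", "value": "AccessGroupId-lz-admins"}]}],
      "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator"}],
      "resources": [{"attributes": [{"name": "accountId", "value": "acct-0000"},
                                    {"name": "serviceType", "value": "service"}]}]
    },
    {
      "id": "policy-2",
      "type": "access",
      "subjects": [{"attributes": [{"name": "iam_id", "value": "IBMid-EXAMPLE01"}]}],
      "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Editor"}],
      "resources": [{"attributes": [{"name": "accountId", "value": "acct-0000"},
                                    {"name": "serviceName", "value": "is"}]}]
    }
  ]
}
""")

# Constructed sample of the account identity settings.
SAMPLE_ACCOUNT_SETTINGS = {"mfa": "TOTP4ALL"}


def _attrs(items):
    """Flatten [{"attributes": [{"name", "value"}, ...]}, ...] into one dict."""
    out = {}
    for item in items:
        for attr in item.get("attributes", []):
            out[attr["name"]] = attr["value"]
    return out


def direct_access_policies(policies):
    """IDs of policies whose subject is an individual identity (iam_id) rather than an access group."""
    return [p["id"] for p in policies["policies"] if "iam_id" in _attrs(p["subjects"])]


def group_is_account_admin(policies, group_id):
    """True if group_id holds Administrator over all IAM-enabled services.

    Assumption: such a policy carries serviceType=service and no serviceName
    in its resource attributes (the API form of "All Identity and Access
    enabled services").
    """
    for p in policies["policies"]:
        if _attrs(p["subjects"]).get("access_group_id") != group_id:
            continue
        res = _attrs(p["resources"])
        roles = {r["role_id"] for r in p["roles"]}
        if ADMIN_ROLE in roles and res.get("serviceType") == "service" and "serviceName" not in res:
            return True
    return False


def audit(policies, settings, group_id):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    for pid in direct_access_policies(policies):
        findings.append(f"{pid}: direct IAM policy on an identity; grant it through an access group instead")
    if not group_is_account_admin(policies, group_id):
        findings.append(f"{group_id}: no Administrator policy over all IAM-enabled services")
    mfa = settings.get("mfa", "NONE")
    if mfa not in MFA_ENFORCING:
        findings.append(f"account MFA setting is {mfa!r}; enable multifactor authentication")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_POLICIES, SAMPLE_ACCOUNT_SETTINGS, "AccessGroupId-lz-admins"):
        print("FINDING:", line)
```

Run against the constructed sample, the audit reports only `policy-2`, the direct policy on a user identity. In practice the two inputs would come from the policy listing and account settings endpoints of a real account; the checks themselves stay the same.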

Verify access roles

IAM access roles are required to install this deployable architecture and create all the required elements.

You need the following permissions for this deployable architecture:

  • Create services from IBM Cloud catalog.
  • Create and modify IBM Cloud VPC services, virtual server instances, networks, network prefixes, storage volumes, SSH keys, and security groups of this VPC.
  • Create and modify IBM Cloud direct links and IBM Cloud Transit Gateway.
  • Access existing Object Storage services.

For information about configuring permissions, contact your IBM Cloud account administrator.

Access for IBM Cloud projects

You can use IBM Cloud projects as a deployment option. Projects are designed with infrastructure as code and compliance in mind to help ensure that your projects are managed, secure, and always compliant. For more information, see Learn about IaC deployments with projects.

To create a project and the project tooling resources within the account, you need the following access:

  • The Editor role on the Projects service.
  • The Editor and Manager role on the Schematics service.
  • The Viewer role on the resource group for the project.

For more information, see Assigning users access to projects.

Create an SSH key

Make sure that you have an SSH key that you can use for authentication. This key is used to log in to all virtual server instances that you create. For more information about creating SSH keys, see SSH keys.

(Optional) Set up IBM Cloud Hyper Protect Crypto Services

For key management services, you can use IBM Cloud Hyper Protect Crypto Services instead of IBM Cloud Object Storage. Hyper Protect Crypto Services is a dedicated key management service and hardware security module on IBM Cloud that provides keep your own key (KYOK) capabilities.

By using Hyper Protect Crypto Services, your deployable architecture satisfies the requirements for the following controls:

For more information, see the security information in the VPC reference architecture for IBM Cloud for Financial Services.

It is not possible to update an existing deployable architecture from Key Protect to Hyper Protect Crypto Services. You must create and deploy another deployable architecture.

Provisioning and initializing the Hyper Protect Crypto Services service

Before you deploy this deployable architecture, you need an instance of the Hyper Protect Crypto Services service.

  1. You can provision Hyper Protect Crypto Services in one of two ways:

  2. Initialize Hyper Protect Crypto Services:

    For proof-of-technology environments, use the auto-init flag. For more information, see Initializing service instances using recovery crypto units.

  3. When you configure your deployable architecture, specify the resource group in the hs_crypto_resource_group input variable and the instance name in the hs_crypto_instance_name variable. If you don't provide values for those variables, the default Key Protect encryption is used.