diff --git a/.secrets.baseline b/.secrets.baseline index af25d937..23b773e6 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2025-09-17T10:23:03Z", + "generated_at": "2025-09-24T15:40:32Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -108,7 +108,7 @@ "hashed_secret": "89a6cfe2a229151e8055abee107d45ed087bbb4f", "is_secret": true, "is_verified": false, - "line_number": 36, + "line_number": 28, "type": "Secret Keyword", "verified_result": null }, @@ -116,7 +116,7 @@ "hashed_secret": "365b78d42089abe4583503eded60fa7c1b3e1cd0", "is_secret": true, "is_verified": false, - "line_number": 56, + "line_number": 47, "type": "Secret Keyword", "verified_result": null } diff --git a/tools/access-management/README.md b/tools/access-management/README.md index 6f1ca6f6..9431e3fa 100644 --- a/tools/access-management/README.md +++ b/tools/access-management/README.md 
@@ -1,13 +1,60 @@ # IAM Permissions Assignment for LSF Deployment -### Before deploying an IBM Cloud LSF cluster, specific IAM permissions must be assigned to either a user or an access group. This script automates that process. +#### Before deploying an IBM Spectrum LSF cluster, specific IAM permissions must be assigned to either a user or an access group. The automation script enables this process. -How to run: +User has the flexibility to run the specific scripts to gain the required IAM permissions to perform the LSF deployment. The automation ensures that if the user has a certain permissions, then the script will omit them and add only the required permissions to perform the deployment. + +For example, for the App configuration service, the user requires Administrator and Manager permissions. If the user already has the Administrator permission, then the script will omit this and provide only Manager permission. + +### Benefits of the scripts: + +#### Interactive input collection - The script prompts for the IBMid (admin email), Resource Group ID, Account ID, and target (User or Access Group). + +#### Permission check - The script verifies that the admin has account-level Administrator rights which is required to assign policies. + +#### Assigns required permissions for LSF deployment - This script grants the appropriate permissions across IBM Cloud services that LSF depends upon (for example, VPC, COS, DNS services, KMS, Secrets Manager, and Sysdig Monitoring). + +#### Avoids duplicates - The script skips the assignment if a matching policy already exists. + +You can get the scripts by performing gitclone on the branch: ``` -ibmcloud login --apikey -g +git clone -b main https://github.com/terraform-ibm-modules/terraform-ibm-hpc.git +``` -chmod +x permissions.sh +1. Navigate to cd tools/access-management, you will get the permissions.sh file. + +2. Login to the IBM Cloud with your API key. 
Run the following command: +``` +ibmcloud login --apikey -g +chmod +x permissions.sh ./permissions.sh ``` + +3. Enter the admin email or IBMid. + +4. Enter the Resource group and Account ID. + +For the Account ID, login to the IBM Cloud account by using your unique credentials. Go to Manage > Account > Account settings. You will find the Account ID. + +5. You will be asked to assign the roles: + +``` +Access Group - Select this option, if you want to assign the access to the entire access group. +User - Select this option, if you want to assign the access to an individual user. +Select the required option. +``` + +6. Enter the target user email, if you select the option 2. + +7. User policy is successfully created. + +If the user skips to enter the RESOURCE_GROUP_ID or the ACCOUNT_ID, then script displays the error message: + +``` +:x: RESOURCE_GROUP_ID is required. +:x: ACCOUNT_ID is required. +``` + +This script ensures the user or access group has all the required IAM permissions to successfully deploy an LSF environment. diff --git a/tools/access-management/permissions.sh b/tools/access-management/permissions.sh index 60666e40..dd5946ad 100755 --- a/tools/access-management/permissions.sh +++ b/tools/access-management/permissions.sh @@ -49,6 +49,7 @@ has_permission=false check_policies() { local policies="$1" + local scope="$2" # Check Administrator role for serviceType=service local has_admin 
@@ -70,13 +71,25 @@ check_policies() { select(any(.resources[].attributes[]?; .name == "serviceType" and .value == "platform_service")) ' >/dev/null 2>&1 && echo "true" || echo "false") - # Return true only if both checks pass + # Debug printing + if [ "$has_admin" = "true" ]; then + echo "✅ At $scope policy level: Has Administrator for All Identity and Access enabled service" + else + echo "❌ At $scope policy level: Missing Administrator for All Identity and Access enabled service" + fi + + if [ "$has_platform_role" = "true" ]; then + echo "✅ At $scope policy level: Has Viewer/Editor/Administrator for All Account Management services" + else + echo "❌ At $scope policy level: Missing Viewer/Editor/Administrator for All Account Management services" + fi + [[ "$has_admin" == "true" && "$has_platform_role" == "true" ]] } USER_POLICIES=$(ibmcloud iam user-policies "$ADMIN_EMAIL" --output json 2>/dev/null || echo "[]") if echo "$USER_POLICIES" | jq empty 2>/dev/null; then - if check_policies "$USER_POLICIES"; then + if check_policies "$USER_POLICIES" "User"; then has_permission=true fi fi 
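Review bot: The status lines added to `check_policies` are the user-facing result of the permission gate, yet they sit under the comment `# Debug printing`, and the comment explaining the return value was removed. For the `"User"` call they print ❌ even when the later access-group check grants the right, so an operator sees a failure marker followed by a pass. The jq checks in the context lines end in `>/dev/null 2>&1 && echo "true" || echo "false"`, so a jq error on malformed input is also reported as "Missing …". I would relabel the comment as `# Report which of the two required grants was found at this scope`, send the lines to stderr with `>&2`, and restore `# Return success only if both checks pass` above the final `[[ … ]]`. The function body starts outside this hunk.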
@@ -84,24 +97,23 @@ fi if [ "$has_permission" != true ]; then ACCESS_GROUPS_FOR_ADMIN=$(ibmcloud iam access-groups -u "$ADMIN_EMAIL" --output json 2>/dev/null || echo "[]") - # Collect all policies from all access groups into a single array ALL_GROUP_POLICIES="[]" while IFS= read -r GROUP_NAME; do GROUP_POLICIES=$(ibmcloud iam access-group-policies "$GROUP_NAME" --output json 2>/dev/null || echo "[]") ALL_GROUP_POLICIES=$(echo "$ALL_GROUP_POLICIES $GROUP_POLICIES" | jq -s 'add') done < <(echo "$ACCESS_GROUPS_FOR_ADMIN" | jq -r '.[].name // empty') - # Check all group policies at once - if check_policies "$ALL_GROUP_POLICIES"; then + # echo $ALL_GROUP_POLICIES + if check_policies "$ALL_GROUP_POLICIES" "Access Group"; then has_permission=true fi fi if [ "$has_permission" != true ]; then - echo "❌ $ADMIN_EMAIL does NOT have account-level Administrator rights — cannot assign permissions." + echo "❌ $ADMIN_EMAIL lacks required Administrator rights (checked User & Access Group policies) — cannot assign permissions." exit 1 fi -echo "✅ $ADMIN_EMAIL has account-level Administrator rights — proceeding." +echo "✅ $ADMIN_EMAIL has Administrator rights (verified from User & Access Group policies) — proceeding with permission assignment." ##################################### # 3. Role assignment definitions @@ -115,7 +127,6 @@ secrets-manager|Administrator|Manager sysdig-secure|Administrator| is|Editor|" -# New friendly names list (service|friendly name) FRIENDLY_NAMES="apprapp|App Configuration cloud-object-storage|Cloud Object Storage dns-svcs|DNS Services 
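Review bot: The new success message says the rights were `verified from User & Access Group policies`, but the access-group lookup only runs inside `if [ "$has_permission" != true ]`, that is, after the user-policy check has failed. On the path where the user policy already passes, only one source was checked, so wording such as `verified from User or Access Group policies` would match the control flow. The hunk also replaces the explanatory comment with a commented-out `# echo $ALL_GROUP_POLICIES`; if someone re-enables it, every access-group policy of the admin is dumped to the terminal and into any captured log. I would delete that line and restore `# Check all group policies at once`.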
@@ -136,44 +147,10 @@ get_friendly_name() { } ##################################### -# 4. Helper to check if policy exists +# 4. Role normalization helper ##################################### -policy_exists() { - local SERVICE="$1" - local ROLES="$2" - local RG_ID="$3" - local ACCOUNT_ID="$4" - - local existing_policies - if [ -n "$ACCESS_GROUP" ]; then - existing_policies=$(ibmcloud iam access-group-policies "$ACCESS_GROUP" --output json 2>/dev/null || echo "[]") - elif [ -n "$USER_EMAIL" ]; then - existing_policies=$(ibmcloud iam user-policies "$USER_EMAIL" --output json 2>/dev/null || echo "[]") - else - echo "❗ ERROR: Neither ACCESS_GROUP nor USER_EMAIL is set in policy_exists" - return 1 - fi - - echo "$existing_policies" | jq -e \ - --arg service "$SERVICE" \ - --arg roles "$ROLES" \ - --arg rg_id "$RG_ID" \ - --arg account_id "$ACCOUNT_ID" ' - .[] | - select(([.roles[].display_name] | sort) == ($roles | split(",") | sort)) | - if $service == "" then - select(any(.resources[].attributes[]?; - .name == "resourceGroupId" and .value == $rg_id)) | - select(all(.resources[].attributes[]?.name; . != "serviceName")) - else - select(any(.resources[].attributes[]?; - .name == "resourceGroupId" and .value == $rg_id)) | - select(any(.resources[].attributes[]?; - .name == "serviceName" and .value == $service)) | - select([.resources[].attributes[]?.name] | unique | sort - == ["accountId","resourceGroupId","serviceName"]) - end - ' >/dev/null +normalize_roles() { + echo "$1" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | sort -u | paste -sd, - } ##################################### 
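Review bot: `normalize_roles` keeps empty list elements, so a call such as `normalize_roles "$EXISTING_ROLES,$ROLES"` with an empty `EXISTING_ROLES`, or with a role list that ends in a comma, returns a string that starts with a comma. The callers pass that string to `--roles` and compare it as text. Dropping blank entries before sorting avoids this: `printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//;s/ *$//;/^$/d' | sort -u | paste -sd, -`. The function also needs a short header comment stating that it takes one comma-separated role list in `$1` and prints it trimmed, de-duplicated and sorted, because the update decision relies on exactly that output format.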
@@ -186,24 +163,85 @@ if [ -n "$ACCESS_GROUP" ] && [ -z "$USER_EMAIL" ]; then fname=$(get_friendly_name "$SERVICE_NAME") [ -n "$fname" ] && DISPLAY_NAME="$SERVICE_NAME ($fname)" || DISPLAY_NAME="$SERVICE_NAME" - if ! policy_exists "$SERVICE_NAME" "$ROLES" "$RESOURCE_GROUP_ID" "$ACCOUNT_ID"; then - echo "Assigning roles '$ROLES' for service $DISPLAY_NAME" + existing_policies=$(ibmcloud iam access-group-policies "$ACCESS_GROUP" --output json 2>/dev/null || echo "[]") + + POLICY_ID=$(echo "$existing_policies" | jq -r \ + --arg service "$SERVICE_NAME" \ + --arg rg_id "$RESOURCE_GROUP_ID" ' + .[] | select(any(.resources[].attributes[]?; + .name == "resourceGroupId" and .value == $rg_id)) | + select(any(.resources[].attributes[]?; + .name == "serviceName" and .value == $service)) | + .id' | head -n1) + + if [ -n "$POLICY_ID" ] && [ "$POLICY_ID" != "null" ]; then + EXISTING_ROLES=$(echo "$existing_policies" | jq -r --arg id "$POLICY_ID" ' + .[] | select(.id == $id) | [.roles[].display_name] | join(",")') + + EXISTING_SORTED=$(normalize_roles "$EXISTING_ROLES") + MERGED_SORTED=$(normalize_roles "$EXISTING_ROLES,$ROLES") + + if [ "$MERGED_SORTED" = "$EXISTING_SORTED" ]; then + echo "✅ Policy for $DISPLAY_NAME already includes required roles: $EXISTING_SORTED" + else + NEW_ROLES=$(comm -13 \ + <(echo "$EXISTING_SORTED" | tr ',' '\n' | sort) \ + <(echo "$MERGED_SORTED" | tr ',' '\n' | sort) | paste -sd, -) + + echo "🔄 Updating existing policy $POLICY_ID for $DISPLAY_NAME" + echo " • Current roles : $EXISTING_SORTED" + echo " • Adding roles : $NEW_ROLES" + + ibmcloud iam access-group-policy-update "$ACCESS_GROUP" "$POLICY_ID" \ + --roles "$MERGED_SORTED" \ + --resource-group-id "$RESOURCE_GROUP_ID" \ + --service-name "$SERVICE_NAME" || echo "⚠️ Failed to update roles for $DISPLAY_NAME" + fi + else + echo "➕ Creating new policy for $DISPLAY_NAME" ibmcloud iam access-group-policy-create "$ACCESS_GROUP" \ --roles "$ROLES" \ --service-name "$SERVICE_NAME" \ --resource-group-id 
"$RESOURCE_GROUP_ID" || echo "⚠️ Failed to assign $ROLES for $DISPLAY_NAME" - else - echo "✅ Policy already exists for $DISPLAY_NAME" fi done - if ! policy_exists "" "Administrator,Manager" "$RESOURCE_GROUP_ID" "$ACCOUNT_ID"; then - echo "Assigning global Administrator,Manager roles to access group: $ACCESS_GROUP" + echo "🔍 Checking global Administrator/Manager policy for access group: $ACCESS_GROUP" + existing_policies=$(ibmcloud iam access-group-policies "$ACCESS_GROUP" --output json 2>/dev/null || echo "[]") + POLICY_ID=$(echo "$existing_policies" | jq -r --arg rg_id "$RESOURCE_GROUP_ID" ' + .[] | + select(any(.resources[].attributes[]?; + .name == "resourceGroupId" and .value == $rg_id)) | + select(all(.resources[].attributes[]?.name; . != "serviceName")) | + .id' | head -n1) + + if [ -n "$POLICY_ID" ] && [ "$POLICY_ID" != "null" ]; then + EXISTING_ROLES=$(echo "$existing_policies" | jq -r --arg id "$POLICY_ID" ' + .[] | select(.id == $id) | [.roles[].display_name] | join(",")') + + EXISTING_SORTED=$(normalize_roles "$EXISTING_ROLES") + MERGED_SORTED=$(normalize_roles "$EXISTING_ROLES,Administrator,Manager") + + if [ "$MERGED_SORTED" = "$EXISTING_SORTED" ]; then + echo "✅ Global Administrator/Manager policy already present with required roles for access group: $ACCESS_GROUP" + else + NEW_ROLES=$(comm -13 \ + <(echo "$EXISTING_SORTED" | tr ',' '\n' | sort) \ + <(echo "$MERGED_SORTED" | tr ',' '\n' | sort) | paste -sd, -) + + echo "🔄 Updating global policy $POLICY_ID for access group: $ACCESS_GROUP" + echo " • Current roles : $EXISTING_SORTED" + echo " • Adding roles : $NEW_ROLES" + + ibmcloud iam access-group-policy-update "$ACCESS_GROUP" "$POLICY_ID" \ + --roles "$MERGED_SORTED" \ + --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to update Administrator,Manager roles for All Identity and Access enabled services to access group: $ACCESS_GROUP" + fi + else + echo "➕ Creating new global Administrator/Manager policy for access group: $ACCESS_GROUP" 
ibmcloud iam access-group-policy-create "$ACCESS_GROUP" \ --roles "Administrator,Manager" \ - --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed for all-service Admin/Manager (access group)" - else - echo "✅ All Identity and Access enabled services Administrator/Manager policy already exists for access group" + --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to assign Administrator,Manager roles for All Identity and Access enabled services to access group: $ACCESS_GROUP" fi elif [ -z "$ACCESS_GROUP" ] && [ -n "$USER_EMAIL" ]; then 
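Review bot: The policy lookup here takes the first policy that merely contains the `resourceGroupId` and `serviceName` attributes (`… | .id' | head -n1`), whereas the removed `policy_exists` also required the attribute set to be exactly `["accountId","resourceGroupId","serviceName"]`. A more narrowly scoped policy in the same resource group can therefore be selected and rewritten by `access-group-policy-update` with only `--resource-group-id` and `--service-name`, which presumably replaces its resource scope and widens the grant beyond what was originally approved. I would restore the exact-match filter before `.id`, `select([.resources[].attributes[]?.name] | unique | sort == ["accountId","resourceGroupId","serviceName"])`; the global lookup, which accepts any policy without `serviceName`, deserves an equally exact attribute check. The same lookup is repeated in the `user-policy-update` hunk that follows. The enclosing `if`/loop starts outside this hunk.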
@@ -213,24 +251,85 @@ elif [ -z "$ACCESS_GROUP" ] && [ -n "$USER_EMAIL" ]; then fname=$(get_friendly_name "$SERVICE_NAME") [ -n "$fname" ] && DISPLAY_NAME="$SERVICE_NAME ($fname)" || DISPLAY_NAME="$SERVICE_NAME" - if ! policy_exists "$SERVICE_NAME" "$ROLES" "$RESOURCE_GROUP_ID" "$ACCOUNT_ID"; then - echo "Assigning roles '$ROLES' for service $DISPLAY_NAME" + existing_policies=$(ibmcloud iam user-policies "$USER_EMAIL" --output json 2>/dev/null || echo "[]") + + POLICY_ID=$(echo "$existing_policies" | jq -r \ + --arg service "$SERVICE_NAME" \ + --arg rg_id "$RESOURCE_GROUP_ID" ' + .[] | select(any(.resources[].attributes[]?; + .name == "resourceGroupId" and .value == $rg_id)) | + select(any(.resources[].attributes[]?; + .name == "serviceName" and .value == $service)) | + .id' | head -n1) + + if [ -n "$POLICY_ID" ] && [ "$POLICY_ID" != "null" ]; then + EXISTING_ROLES=$(echo "$existing_policies" | jq -r --arg id "$POLICY_ID" ' + .[] | select(.id == $id) | [.roles[].display_name] | join(",")') + + EXISTING_SORTED=$(normalize_roles "$EXISTING_ROLES") + MERGED_SORTED=$(normalize_roles "$EXISTING_ROLES,$ROLES") + + if [ "$MERGED_SORTED" = "$EXISTING_SORTED" ]; then + echo "✅ Policy for $DISPLAY_NAME already includes required roles: $EXISTING_SORTED" + else + NEW_ROLES=$(comm -13 \ + <(echo "$EXISTING_SORTED" | tr ',' '\n' | sort) \ + <(echo "$MERGED_SORTED" | tr ',' '\n' | sort) | paste -sd, -) + + echo "🔄 Updating existing policy $POLICY_ID for $DISPLAY_NAME" + echo " • Current roles : $EXISTING_SORTED" + echo " • Adding roles : $NEW_ROLES" + + ibmcloud iam user-policy-update "$USER_EMAIL" "$POLICY_ID" \ + --roles "$MERGED_SORTED" \ + --resource-group-id "$RESOURCE_GROUP_ID" \ + --service-name "$SERVICE_NAME" || echo "⚠️ Failed to update roles for $DISPLAY_NAME" + fi + else + echo "➕ Creating new policy for $DISPLAY_NAME" ibmcloud iam user-policy-create "$USER_EMAIL" \ --roles "$ROLES" \ --service-name "$SERVICE_NAME" \ --resource-group-id "$RESOURCE_GROUP_ID" || echo 
"⚠️ Failed to assign $ROLES for $DISPLAY_NAME" - else - echo "✅ Policy already exists for $DISPLAY_NAME" fi done - if ! policy_exists "" "Administrator,Manager" "$RESOURCE_GROUP_ID" "$ACCOUNT_ID"; then - echo "Assigning global Administrator,Manager roles to $USER_EMAIL" + echo "🔍 Checking global Administrator/Manager policy for $USER_EMAIL" + existing_policies=$(ibmcloud iam user-policies "$USER_EMAIL" --output json 2>/dev/null || echo "[]") + POLICY_ID=$(echo "$existing_policies" | jq -r --arg rg_id "$RESOURCE_GROUP_ID" ' + .[] | + select(any(.resources[].attributes[]?; + .name == "resourceGroupId" and .value == $rg_id)) | + select(all(.resources[].attributes[]?.name; . != "serviceName")) | + .id' | head -n1) + + if [ -n "$POLICY_ID" ] && [ "$POLICY_ID" != "null" ]; then + EXISTING_ROLES=$(echo "$existing_policies" | jq -r --arg id "$POLICY_ID" ' + .[] | select(.id == $id) | [.roles[].display_name] | join(",")') + + EXISTING_SORTED=$(normalize_roles "$EXISTING_ROLES") + MERGED_SORTED=$(normalize_roles "$EXISTING_ROLES,Administrator,Manager") + + if [ "$MERGED_SORTED" = "$EXISTING_SORTED" ]; then + echo "✅ Global Administrator/Manager policy already present with required roles for $USER_EMAIL" + else + NEW_ROLES=$(comm -13 \ + <(echo "$EXISTING_SORTED" | tr ',' '\n' | sort) \ + <(echo "$MERGED_SORTED" | tr ',' '\n' | sort) | paste -sd, -) + + echo "🔄 Updating global policy $POLICY_ID for $USER_EMAIL" + echo " • Current roles : $EXISTING_SORTED" + echo " • Adding roles : $NEW_ROLES" + + ibmcloud iam user-policy-update "$USER_EMAIL" "$POLICY_ID" \ + --roles "$MERGED_SORTED" \ + --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to update Administrator,Manager roles for All Identity and Access enabled services to user: $USER_EMAIL" + fi + else + echo "➕ Creating new global Administrator/Manager policy for $USER_EMAIL" ibmcloud iam user-policy-create "$USER_EMAIL" \ --roles "Administrator,Manager" \ - --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed 
for all-service Admin/Manager" - else - echo "✅ All Identity and Access enabled services Administrator/Manager policy already exists" + --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to assign Administrator,Manager roles for All Identity and Access enabled services to user: $USER_EMAIL" fi else diff --git a/tools/minimal-demo-prod-scripts/README.md b/tools/minimal-demo-prod-scripts/README.md index 309f6cfa..6d9dbdd8 100644 --- a/tools/minimal-demo-prod-scripts/README.md +++ b/tools/minimal-demo-prod-scripts/README.md 
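Review bot: Each `existing_policies=$(ibmcloud iam user-policies "$USER_EMAIL" --output json 2>/dev/null || echo "[]")` in this hunk turns a failed listing (expired login, network error) into an empty policy list. `POLICY_ID` is then empty and the script proceeds to `user-policy-create` as if nothing had been assigned, which can attempt to create a duplicate grant and hides the real error from the operator. The list is also re-fetched for every service in the loop. I would fetch it once before the loop and stop on failure, for example `existing_policies=$(ibmcloud iam user-policies "$USER_EMAIL" --output json) || { echo "❌ Could not list policies for $USER_EMAIL" >&2; exit 1; }`. The access-group hunk above has the same pattern with `access-group-policies`, and the `elif` branch continues outside this hunk.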
@@ -1,37 +1,29 @@ # Deploying and Connecting to LSF Environment via CLI -### Notes: +The current LSF setup is designed for production grade deployments. This approach is high-priced for trying before-you-buy option and demonstration use cases. As a solution, now users can select the deployment options using three different t-shirt sizes - Small, Medium, and Large. This solution has the ability to deploy a smaller and less expensive environment on IBM Cloud to try the capability or to provide a demonstration. -The must be 16 characters or fewer, i.e. abc-lsf +## Deployment Types: -The catalog_values__deployment.json specifies the configuation of the LSF environment. Please review to avoid unexpected costs. +You will be able to choose from these 3 deployment size options: -### Deployment Types: +### Small (Minimal): +This deploys the smallest possible environment (a single management instance) for the fastest setup. All optional services like observability, logging, SCC, Atracker, and LDAP are disabled. -#### Minimal: -Deploys the smallest possible environment (a single management instance) for the fastest setup. All optional services (observability, logging, SCC, Atracker, Ldap etc.) are disabled. +### Medium (Demo): +This displays the full set of capabilities. All optional services like observability, logging, and SCC are enabled. The deployment takes longer compared to minimal. -#### Demo: -Showcases the full set of capabilities. All optional services (observability, logging, SCC, etc.) are enabled. Deployment takes longer compared to minimal. +### Large (Production): +This option allows customization for production grade deployments. The optional services like observability, logging, and SCC are enabled by default but can be changed as required. -#### Production: -Allows customization for production-grade deployments. Optional services like observability, logging, and SCC are enabled by default but can be tailored as required. 
+All the JSON files are customizable (users can make configuration changes as needed). -All JSON files are customizable (users can tweak configs as needed). -But the .env file is mandatory because that’s where the required variables must always be filled. +#### Note: The .env file is mandatory because it contains all the variables required to update the file regardless of deployment types. -## Step 1. Fill the .env file +### Step 1: Create the .env file -``` -############################################################################## -# Environment Configuration - -# Step 1: Update the variables below as needed. -# Step 2: If you require additional optional variables, update them directly -# in the JSON file(s) for your deployment type. -# Step 3: Always validate the JSON file before running the script. -############################################################################## +The following inputs are required to update the .env file. +``` # IBM Cloud API key API_KEY="YOUR_API_KEY" @@ -40,15 +32,14 @@ ACCOUNT_GUID="ACCOUNT_GUID" ZONES="ZONES" RESOURCE_GROUP="RESOURCE_GROUP" -# SSH key name (must exist in your account) +# SSH key name SSH_KEY="SSH_KEY" # Template JSON file (choose as per your deployment type) TEMPLATE_FILE="catalog_values_minimal_deployment.json" # LSF tile version locator -# Example below is for 3.0.0 version -LSF_TILE_VERSION="1082e7d2-5e2f-0a11-a3bc-f88a8e1931fc.6c26cd4c-4f72-45e5-8bde-77387aa05138-global" +LSF_TILE_VERSION="1082e7d2-5e2f-0a11-a3bc-f88a8e1931fc.2ad06fe1-6125-45c5-b8b6-6454eb4907e6-global" # App Center GUI password # Rules: Minimum 8 characters, at least 1 uppercase, 1 lowercase, 1 number, 
@@ -56,38 +47,90 @@ LSF_TILE_VERSION="1082e7d2-5e2f-0a11-a3bc-f88a8e1931fc.6c26cd4c-4f72-45e5-8bde-7 APP_CENTER_GUI_PASSWORD="APP_CENTER_GUI_PASSWORD" ``` -## Step 2. Deploy the LSF Environment: +From the above snippet, below are the descriptions for the parameters: + +API_KEY - This key is used to authenticate your deployment and grant the necessary access to create and manage resources in your IBM Cloud environment. + +ACCOUNT_GUID - Login to the IBM Cloud account by using your unique credentials. Go to Manage > Account > Account settings. You will find the Account ID. + +ZONES - Provide the IBM Cloud zone. + +RESOURCE_GROUP - The existing resource group of your IBM Cloud account where VPC resources will be deployed. + +SSH_KEY - A list of SSH key names that are already configured in your IBM Cloud account to establish a connection to the Spectrum LSF nodes. + +TEMPLATE_FILE - All the .json files are uploaded in https://github.ibm.com/workload-eng-services/HPCaaS/tree/sml/tools/minimal-demo-prod-scripts. + +catalog_values_minimal_deployment.json - choose this file for small deployments. +catalog_values_demo_deployment.json - choose this file for medium deployments. +catalog_values_production_deployment.json - choose this file for large deployments. + +LSF_TILE_VERSION - Login to the IBM Cloud catalog by using your unique credentials. Click Review deployment options. In the Deployment options section, select Create from the CLI, copy the version_locator_value, and save this value. +Note: The version_locator_value changes are based on the tile version selected. + +APP_CENTER_GUI_PASSWORD - This is the password that is required to access the IBM Spectrum LSF Application Center (App Center) GUI, which is enabled by default in both Fix Pack 15 and Fix Pack 14 with HTTPS. This is a mandatory value and omitting it will result in deployment failure. + +### Step 2: Deploy the LSF environment + +You can get the scripts by performing gitclone on the branch: + ``` -1. 
chmod +x create_lsf_environment.sh -2. ./create_lsf_environment.sh +git clone -b main https://github.com/terraform-ibm-modules/terraform-ibm-hpc.git ``` -## Step 3. Connect to the LSF Cluster and Run Jobs +1. Navigate to minimal-demo-prod-scripts to get the all the required files. -Now that your environment is set up, you can connect to the LSF cluster and perform operations such as submitting jobs, monitoring workloads, viewing infrastructure details. etc. +2. Run the chmod +x *.sh, gives permissions to all the files. -#### 1. To view the infra details +``` +chmod +x create_lsf_environment.sh +./create_lsf_environment.sh +``` + +create_lsf_environment - This script automates the end-to-end deployment of an IBM Cloud LSF environment. It installs required plugins, generates configuration files from your .env, triggers the Schematics workspace deployment, and finally the prints access details (bastion, login, management IPs) with next steps for connecting and submitting jobs. + +### Step 3: Connect to the LSF cluster and run the jobs + +Now that your environment is set up, you can connect to the LSF cluster and perform operations such as submitting jobs, monitoring workloads, viewing infrastructure details. + +### Using Utility Scripts + +#### 1. Run the following command to view the infra details: ``` chmod +x show.sh - ./show.sh +./show.sh ``` -#### 2. Copy the job submission script to the cluster +show.sh - This script retrieves details of the Schematics workspace for a given LSF cluster prefix. It ensures you are logged into the correct account and region, locates the workspace, and then displays its full configuration and state. + +#### 2. Copy the job submission script to the cluster by using the command: ``` chmod +x cp.sh - ./cp.sh submit.sh +./cp.sh submit.sh ``` -#### 3. Jump to the LSF Environment +cp.sh - This script copies the submit.sh file into your LSF cluster. 
It validates account and region, fetches the bastion, login, and management IPs, and then securely transfers the submit.sh file either to the login node (default) or the management node (if management is specified). + +submit.sh - This script demonstrates how to submit a sample job to the LSF scheduler. It provides a simple command (sleep 30) wrapped in an LSF job submission request (bsub). By default, it requests 8 CPU cores for the job. Users can update: + +Job options (for example, -n 8 to change the number of requested cores). + +Command (for example, replace sleep 30 with their own workload). + +This serves as a template for testing job submission and can be adapted for real workloads. + +#### 3. Run the following command to jump to the LSF environment: ``` chmod +x jump.sh - ./jump.sh +./jump.sh ``` -#### 4. Submit jobs +jump.sh - This script connects you directly to the LSF login node. It ensures you are targeting the right IBM Cloud account/region, fetches the bastion, login, and management IPs, and then uses SSH (with bastion as a jump host) to securely log into the LSF login node. + +#### 4. Run the following commands to submit the jobs: ``` sh submit.sh @@ -95,9 +138,9 @@ bjobs lshosts -w ``` -#### 5. To destroy the created infrastructure +#### 5. Run the following command to destroy the created infrastructure ``` chmod +x destroy.sh - ./destroy.sh +./destroy.sh ```