terraform-ibm-modules · iamar7 · Nov 11, 2025 · Nov 11, 2025 · Nov 11, 2025 · Nov 12, 2025
@@ -216,7 +216,7 @@
               ]
             },
             {
-              "key": "enable_primary_metadata_region"
+              "key": "use_private_endpoint"
             },
             {
               "key": "metrics_routing_route_name"

@@ -0,0 +1,66 @@
+# Primary Metadata Region
+
+This module retrieves the `primary_metadata_region` value from the IBM Cloud Metrics Routing Account Settings.
+
+### Prerequisites
+
+This module utilizes an external script that relies on the following command-line tools being installed on the system where Terraform is executed:
+
+- `jq`: A lightweight and flexible command-line JSON processor. It is required for parsing the input provided by the Terraform external data source.
+- `curl`: A tool to transfer data with URLs, required for making API calls to the IBM Cloud Enterprise Management API.
+
+### Customizing default cloud service endpoints
+
+The user must export the endpoint as an environment variable in order to use custom cloud service endpoints with this module. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints#getting-started-with-custom-service-endpoints).
+
+**Important** The only supported method for customizing cloud service endpoints is to export the environment variables endpoint; be sure to export the value for `IBMCLOUD_IAM_API_ENDPOINT` and `IBMCLOUD_METRICS_ROUTING_API_ENDPOINT`. For example,
+
+```
+export IBM_IAM_ENDPOINT="<endpoint_url>"
+export IBMCLOUD_METRICS_ROUTING_API_ENDPOINT="<endpoint_url>"
+```
+
+## Usage
+
+```hcl
+module "metrics_router" {
+  source = "terraform-ibm-modules/cloud-monitoring/ibm//modules/get_primary_metadata_region"
+
+  ibmcloud_api_key    = "XXXXXXXXXXXXXXXXXXXXXXXX"  # pragma: allowlist secret
+  region              = "us-south"
+  use_private_endpoint = false
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
+| <a name="requirement_external"></a> [external](#requirement\_external) | >= 2.3.5, <3.0.0 |
+
+### Modules
+
+No modules.
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [external_external.get_primary_metadata_region](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API Key. | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The IBM Cloud Metrics Routing region. | `string` | `"us-south"` | no |
+| <a name="input_use_private_endpoint"></a> [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set to true to use the private endpoints instead of public endpoints for IBM Cloud Metrics Routing service. When true, the script queries the private Metrics Routing endpoint for the given region. [Learn more](https://cloud.ibm.com/docs/metrics-router?topic=metrics-router-endpoints) | `bool` | `false` | no |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_primary_metadata_region"></a> [primary\_metadata\_region](#output\_primary\_metadata\_region) | The current primary metadata region set for IBM Cloud Metrics Routing. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -0,0 +1,16 @@
+########################################################################
+# Metrics Routing Primary Metadata Region
+#########################################################################
+
+data "external" "get_primary_metadata_region" {
+  program = [
+    "bash",
+    "-c",
+    "IBM_API_KEY='${var.ibmcloud_api_key}' ${path.module}/scripts/get_primary_metadata_region.sh"
+  ]
+
+  query = {
+    region               = var.region
+    use_private_endpoint = var.use_private_endpoint
+  }
+}
@@ -0,0 +1,8 @@
+########################################################################
+# Output
+#########################################################################
+
+output "primary_metadata_region" {
+  value       = data.external.get_primary_metadata_region.result.primary_metadata_region
+  description = "The current primary metadata region set for IBM Cloud Metrics Routing."
+}
diff --git a/modules/get_primary_metadata_region/scripts/get_primary_metadata_region.sh b/modules/get_primary_metadata_region/scripts/get_primary_metadata_region.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+set -eo pipefail
+
+API_KEY="$IBM_API_KEY"
+
+
+input=$(cat)
+REGION=$(echo "$input" | jq -r '.region')
+USE_PRIVATE_ENDPOINT=$(echo "$input" | jq -r '.use_private_endpoint')
+
+get_iam_endpoint() {
+  endpoint="${IBMCLOUD_IAM_API_ENDPOINT:-https://iam.cloud.ibm.com}"
+  endpoint="${endpoint#https://}"
+
+  if [ "$USE_PRIVATE_ENDPOINT" = true ] && [ "$endpoint" = "iam.cloud.ibm.com" ]; then
+      IBMCLOUD_IAM_API_ENDPOINT="private.${endpoint}"
+  else
+      IBMCLOUD_IAM_API_ENDPOINT="${endpoint}"
+  fi
+}
+
+get_metrics_router_endpoint() {
+  metrics_endpoint="${IBMCLOUD_METRICS_ROUTING_API_ENDPOINT:-metrics-router.cloud.ibm.com}"
+  metrics_endpoint="${metrics_endpoint#https://}"
+
+  if [ "$metrics_endpoint" = "metrics-router.cloud.ibm.com" ]; then
+    if [ "$USE_PRIVATE_ENDPOINT" = true ]; then
+        BASE_URL="https://private.${REGION}.${metrics_endpoint}"
+    else
+        BASE_URL="https://${REGION}.${metrics_endpoint}"
+    fi
+  else
+    BASE_URL="https://${metrics_endpoint}"
+  fi
+}
+
+get_iam_endpoint
+get_metrics_router_endpoint
+
+iam_response=$(curl --retry 3 -s -X POST "https://${IBMCLOUD_IAM_API_ENDPOINT}/identity/token" --header 'Content-Type: application/x-www-form-urlencoded' --header 'Accept: application/json' --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey' --data-urlencode "apikey=$API_KEY") # pragma: allowlist secret
+error_message=$(echo "${iam_response}" | jq 'has("errorMessage")')
+
+if [[ "${error_message}" != false ]]; then
+    echo "${iam_response}" | jq '.errorMessage' >&2
+    echo "Could not obtain an IAM access token" >&2
+    exit 1
+fi
+IAM_TOKEN=$(echo "${iam_response}" | jq -r '.access_token')
+
+URL="${BASE_URL}/api/v3/settings"
+
+max_retries=5
+retry_delay=3
+
+for ((i=1; i<=max_retries; i++)); do
+  response=$(curl -s -X GET "$URL" -H "Authorization: Bearer ${IAM_TOKEN}" || true)
+  if echo "$response" | jq -e '.primary_metadata_region' >/dev/null; then
+    break
+  fi
+  echo "Attempt $i failed, retrying in ${retry_delay}s..." >&2
+  sleep "$retry_delay"
+done
+
+primary_region=$(echo "$response" | jq -r '.primary_metadata_region // empty')
+
+if [[ -z "$primary_region" ]]; then
+  echo "Warning: primary_metadata_region is empty" >&2
+fi
+
+jq -n --arg primary_region "$primary_region" '{primary_metadata_region: $primary_region}'
@@ -0,0 +1,21 @@
+##############################################################################
+# Input Variables
+##############################################################################
+
+variable "ibmcloud_api_key" {
+  description = "The IBM Cloud API Key."
+  type        = string
+  sensitive   = true
+}
+
+variable "region" {
+  description = "The IBM Cloud Metrics Routing region."
+  type        = string
+  default     = "us-south"
+}
+
+variable "use_private_endpoint" {
+  type        = bool
+  description = "Set to true to use the private endpoints instead of public endpoints for IBM Cloud Metrics Routing service. When true, the script queries the private Metrics Routing endpoint for the given region. [Learn more](https://cloud.ibm.com/docs/metrics-router?topic=metrics-router-endpoints)"
+  default     = false
+}
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.9.0"
+  required_providers {
+    external = {
+      source  = "hashicorp/external"
+      version = ">= 2.3.5, <3.0.0"
+    }
+  }
+}
@@ -72,5 +72,12 @@ module "metrics_routing" {
   ]
 
   metrics_router_routes   = length(var.metrics_router_routes) != 0 ? var.metrics_router_routes : local.default_metrics_router_route
-  metrics_router_settings = var.enable_primary_metadata_region ? { primary_metadata_region = var.region } : null
+  metrics_router_settings = length(module.primary_metadata_region.primary_metadata_region) != 0 ? null : { primary_metadata_region = var.region }
+}
+
+module "primary_metadata_region" {
+  source               = "../../modules/get_primary_metadata_region"
+  ibmcloud_api_key     = var.ibmcloud_api_key
+  region               = var.region
+  use_private_endpoint = var.use_private_endpoint
 }
@@ -120,6 +120,12 @@ variable "enable_platform_metrics" {
 # Metrics Routing
 ########################################################################################################################
 
+variable "use_private_endpoint" {
+  type        = bool
+  description = "Set to true to use the private endpoints instead of public endpoints for IBM Cloud Metrics Routing service. When true, the script queries the private Metrics Routing endpoint for the given region. [Learn more](https://cloud.ibm.com/docs/metrics-router?topic=metrics-router-endpoints)"
+  default     = false
+}
+
 variable "metrics_routing_target_name" {
   type        = string
   description = "The name of the IBM Cloud Metrics Routing target where metrics are collected. If the prefix variable is passed, the name of the target is prefixed to the value in the `<prefix>-value` format."
@@ -138,12 +144,6 @@ variable "enable_metrics_routing_to_cloud_monitoring" {
   default     = true
 }
 
-variable "enable_primary_metadata_region" {
-  type        = bool
-  description = "When set to `true`, sets `primary_metadata_region` to `region`, storing Metrics Router metadata in that region. When `false`, no region is set and the default global region is used. For new accounts, creating targets and routes will fail until primary_metadata_region is set, so it is recommended to default enable_primary_metadata_region to true. [Learn more](https://cloud.ibm.com/docs/metrics-router?topic=metrics-router-getting-started#configuring_account_settings)."
-  default     = true
-}
-
 variable "metrics_router_routes" {
   type = list(object({
     name = string

@@ -50,6 +50,8 @@ func setupOptions(t *testing.T, prefix string) *testschematic.TestSchematicOptio
 		TarIncludePatterns: []string{
 			"*.tf",
 			"modules/metrics_routing" + "/*.tf",
+			"modules/get_primary_metadata_region" + "/*.tf",
+			"modules/get_primary_metadata_region/scripts" + "/*.sh",
 			fullyConfigurableDADir + "/*.tf",
 		},
 		TemplateFolder:             fullyConfigurableDADir,
@@ -111,6 +113,8 @@ func TestRunAccountSettingsDA(t *testing.T) {
 		Testing: t,
 		TarIncludePatterns: []string{
 			"modules/metrics_routing" + "/*.tf",
+			"modules/get_primary_metadata_region" + "/*.tf",
+			"modules/get_primary_metadata_region/scripts" + "/*.sh",
 			accountSettingsDADir + "/*.tf",
 		},
 		TemplateFolder:         accountSettingsDADir,
-Original file line number
+Diff line change
@@ Expand Up / @@ -216,7 +216,7 @@ @@
                   ]
                 },
                 {
-                  "key": "enable_primary_metadata_region"
+                  "key": "use_private_endpoint"
                 },
                 {
                   "key": "metrics_routing_route_name"
@@ Expand Down @@