Terraform Module For MCP Gateway On IBM Cloud IKS, ROKS, Code Engine

This article delves into the development and features of a Terraform module designed to streamline the deployment of MCP Gateway on IBM Cloud. This module, named terraform-ibm-mcpgateway, aims to provide operators with a simple, one-command solution for provisioning MCP Gateway across various IBM Cloud runtime environments, including IBM Cloud Kubernetes Service (IKS), Red Hat OpenShift on IBM Cloud (ROKS), and Code Engine. This comprehensive guide covers the module's goals, features, user stories, architecture, repository layout, and rollout plan. We'll explore how this module simplifies infrastructure-as-code for MCP Gateway deployments, making it easier for users to manage their applications on IBM Cloud.

Goal: Simplifying MCP Gateway Deployment on IBM Cloud

The primary goal of the terraform-ibm-mcpgateway module is to deliver an official Terraform module that enables operators to deploy MCP Gateway on IBM Cloud with a single command. This module is designed to support three managed runtimes:

1. IKS (IBM Cloud Kubernetes Service): Specifically, VPC Gen 2.
2. ROKS (Red Hat OpenShift on IBM Cloud): Managed OCP 4.
3. Code Engine: A fully-managed serverless container platform.

This Terraform module aims to offer opinionated defaults, integrate seamlessly with IBM Cloud managed data stores, and provide an optional solution for users who prefer Helm or other Infrastructure-as-Code (IaC) tools. The target registry for this module is registry.terraform.io/ibm-mcp-gateways/mcpgateway/ibm. This strategic goal focuses on making MCP Gateway deployments more accessible and efficient for IBM Cloud users, reducing the complexity associated with manual configurations and deployments.

Key Features and Inputs of the Terraform Module

The terraform-ibm-mcpgateway module comes with a range of features and configurable inputs designed to provide flexibility and control over MCP Gateway deployments. These features are crucial for tailoring the deployment to specific needs and environments. This key feature overview ensures users can effectively utilize the module's capabilities.

Variable	Type / Default	Description
platform	"iks" | "roks" | "codeengine" | "none"	Target runtime.
gateway_version	string ="latest"	Docker tag / Helm chart version.
replicas	number =2	Deployment replica count (K8s Deploy/STS, CE min-instances).
db_engine	"databases-for-postgresql" | "databases-for-mongodb" | "sqlite"	Managed DB or in-pod SQLite.
enable_redis	bool =true	Provision Databases-for-Redis for rate-limiting & sessions.
custom_domain	string	Fully-qualified domain name; provisions Certificate Manager cert + ALB/Ingress or Code Engine domain mapping.
policy_bundle_cos_url	string	Optional COS (S3) URL to a Rego bundle for Policy-as-Code engine.
observability	object	Toggle LogDNA, Sysdig, Monitoring dashboards (JSON) and alerts.
resource_group	string ="default"	Resource Group for all resources.
tags	list(string)	Resource tags (propagated via IBMC Tags API).

The module also provides several outputs, including:

• Public HTTPS endpoint (ALB host or CE domain)
• Database hostname / URI
• Redis hostname (if enabled)
• IAM Service IDs & API keys
• Cluster resource IDs (IKS/ROKS) or Code Engine App name

These inputs and outputs provide a comprehensive set of configuration options, allowing users to tailor their MCP Gateway deployment to meet specific requirements.

User Stories and Acceptance Criteria: Real-World Scenarios

To ensure the terraform-ibm-mcpgateway module meets the needs of its users, several user stories and acceptance criteria have been defined. These scenarios cover a range of deployment options and configurations, providing a clear roadmap for module development and testing. Understanding user stories and acceptance criteria helps ensure the module is practical and effective.

Story 1 — Minimal IKS Deployment

This story focuses on deploying MCP Gateway on IKS with default settings. The scenario involves logging into the ibmcloud CLI, targeting a specific resource group, and declaring a Terraform module with the platform set to "iks", a custom domain, and tags. The acceptance criteria include verifying that the HTTPS endpoint returns a 200 status code and that the version matches the specified gateway version.

Scenario: Deploy MCP Gateway on IKS with defaults
Given ibmcloud CLI is logged in and target resource group "demo-rg"
When I declare:
  module "gateway" {
    source        = "ibm-mcp-gateways/mcpgateway/ibm"
    platform      = "iks"
    custom_domain = "api.demo.example.com"
    tags          = ["env:demo","team:platform"]
  }
And I run "terraform apply"
Then HTTPS https://api.demo.example.com/health returns 200
And GET /version equals var.gateway_version

Story 2 — Minimal ROKS Deployment

This story focuses on deploying MCP Gateway to a ROKS cluster. The scenario involves setting the platform to "roks" and specifying a custom domain. The acceptance criteria include verifying that the Ingress hostname responds with a 200 status code to the /health endpoint and that the OpenShift route for mcp-gateway is available.

Scenario: Deploy to ROKS cluster
When platform="roks" and custom_domain="api.roks.demo.example.com"
Then Ingress hostname responds 200 to /health
And oc get route mcp-gateway returns status = "Available"

Story 3 — Code Engine with Databases-for-PostgreSQL & Redis

This story involves deploying MCP Gateway on Code Engine with a Databases-for-PostgreSQL instance and Redis enabled. The scenario sets the platform to "codeengine", the database engine to "databases-for-postgresql", and enables Redis. The acceptance criteria include verifying that the PostgreSQL instance is active and that the Code Engine application logs indicate successful connections to both the database and Redis.

Scenario: Code Engine serverless deployment
Given platform="codeengine" db_engine="databases-for-postgresql" enable_redis=true
When apply completes
Then Cloud Databases for PostgreSQL instance state is "active"
And Code Engine application logs contain "Connected to DB ✔" and "Connected to Redis ✔"

Story 4 — Policy Bundle from Cloud Object Storage

This story focuses on loading a Rego bundle from Cloud Object Storage at startup. The scenario involves the existence of a Rego bundle in COS and a variable pointing to its URL. The acceptance criteria include verifying that the gateway container logs indicate the successful loading of the policy bundle within 60 seconds of startup. This policy bundle ensures the correct policies are enforced.

Scenario: Load Rego bundle at start-up
Given object "cos://mcp-bucket/bundles/policy.tar.gz" exists
And variable policy_bundle_cos_url points to that URL
When the gateway container starts
Then logs contain "Loaded policy bundle (v1)" within 60 seconds

Story 5 — Destroy Preserves Existing VPC When Flagged

This story ensures that shared VPC resources are preserved when the Terraform destroy command is executed with a specific flag. The scenario involves setting a variable to prevent VPC creation and then running terraform destroy. The acceptance criteria include verifying that the VPC and subnet are not destroyed.

Scenario: Keep shared VPC resources
Given create_vpc = false
When terraform destroy runs
Then VPC "prod-shared" and subnet "prod-subnet" are NOT destroyed

These user stories and acceptance criteria provide a solid foundation for testing and validating the terraform-ibm-mcpgateway module, ensuring it meets the needs of its users in various deployment scenarios.

Architecture Diagram: Understanding the Infrastructure

The architecture diagram provides a visual representation of the infrastructure components involved in deploying MCP Gateway on IBM Cloud. This diagram helps users understand the relationships between different services and the overall structure of the deployment. Understanding the architecture diagram provides insight into how the module functions.

flowchart TD
    %%  IBM Cloud runtime options
    subgraph "IBM Cloud"
        ALB["Public ALB / Ingress"]
        IKS["IKS Deployment"]
        ROKS["ROKS Deployment"]
        CE["Code Engine App"]

        PG["Databases-for-PostgreSQL"]
        REDIS["Databases-for-Redis"]

        ALB --> IKS
        ALB --> ROKS
        ALB --> CE

        IKS --> PG
        ROKS --> PG
        CE  --> PG

        IKS --> REDIS
        ROKS --> REDIS
        CE  --> REDIS
    end

    %% Optional edge-WAF in front of the ALB/Ingress
    WAF["IBM Cloud WAF (optional)"] -.-> ALB

The diagram illustrates the following key components:

• IBM Cloud Runtime Options:
  • IKS (IBM Cloud Kubernetes Service): MCP Gateway can be deployed within an IKS cluster.
  • ROKS (Red Hat OpenShift on IBM Cloud): MCP Gateway can also be deployed on a ROKS cluster.
  • Code Engine: A serverless option for deploying MCP Gateway.
• Public ALB / Ingress: Acts as the entry point for external traffic, routing requests to the appropriate runtime.
• Databases-for-PostgreSQL: A managed database service used for data persistence.
• Databases-for-Redis: A managed Redis service used for caching and session management.
• IBM Cloud WAF (optional): An optional Web Application Firewall for added security.

The diagram shows how the ALB/Ingress routes traffic to either IKS, ROKS, or Code Engine, and how these runtimes interact with Databases-for-PostgreSQL and Databases-for-Redis. The optional WAF component provides an additional layer of security, protecting the application from common web exploits. This comprehensive architecture ensures that MCP Gateway is deployed securely and efficiently on IBM Cloud.

Repository Layout: Organizing the Module Components

The repository layout of the terraform-ibm-mcpgateway module is structured to promote maintainability, reusability, and clarity. Understanding the repository layout helps developers and users navigate the module's components efficiently. A well-organized structure is crucial for managing complex Terraform modules.

terraform-ibm-mcpgateway/
├── main.tf
├── variables.tf
├── outputs.tf
├── versions.tf
├── modules/
│   ├── iks/           # IKS cluster creation + Helm release
│   ├── roks/          # ROKS (openshift_cluster) + Helm release
│   ├── codeengine/    # Code Engine app + domain mapping
│   ├── postgres/      # Databases-for-PostgreSQL
│   └── redis/         # Databases-for-Redis
├── examples/
│   ├── iks_minimal/
│   ├── roks_minimal/
│   └── codeengine_full/
└── docs/
    ├── README.md
    ├── advanced.md
    └── architecture.puml

The repository includes the following key directories and files:

• main.tf: The main Terraform configuration file, which orchestrates the deployment of MCP Gateway.
• variables.tf: Defines the input variables for the module, allowing users to customize their deployments.
• outputs.tf: Defines the output values of the module, providing users with important information about their deployed resources.
• versions.tf: Specifies the required Terraform version and provider versions, ensuring compatibility.
• modules/: Contains sub-modules for each supported runtime and service:
  • iks/: Handles IKS cluster creation and Helm release deployments.
  • roks/: Manages ROKS cluster deployments and Helm releases via oc.
  • codeengine/: Deploys MCP Gateway on Code Engine, including app creation and domain mapping.
  • postgres/: Provisions Databases-for-PostgreSQL instances.
  • redis/: Provisions Databases-for-Redis instances.
• examples/: Contains example configurations for different deployment scenarios:
  • iks_minimal/: A minimal IKS deployment example.
  • roks_minimal/: A minimal ROKS deployment example.
  • codeengine_full/: A comprehensive Code Engine deployment example.
• docs/: Contains documentation for the module:
  • README.md: Provides a quick start guide and general information about the module.
  • advanced.md: Covers advanced configuration options and use cases.
  • architecture.puml: Contains the architecture diagram in PlantUML format.

This well-defined structure ensures that the module is easy to navigate, understand, and extend, making it a valuable tool for deploying MCP Gateway on IBM Cloud.

Global Acceptance Checklist: Ensuring Quality and Reliability

To ensure the terraform-ibm-mcpgateway module meets high standards of quality and reliability, a global acceptance checklist has been established. This global acceptance checklist outlines the key criteria that must be met before the module is considered ready for use. These criteria cover various aspects of the module, including code quality, functionality, documentation, and compatibility. This checklist ensures the module is robust and user-friendly.

• [ ] terraform validate, tflint, and checkov show no high/critical findings. This ensures that the Terraform configuration is valid, follows best practices, and adheres to security standards.
• [ ] Running each example (iks_minimal, roks_minimal, codeengine_full) results in an endpoint where /health returns 200. This verifies that the module can successfully deploy MCP Gateway in different environments.
• [ ] Module published to Terraform Registry with autogenerated docs, inputs, outputs, and example usage. This makes the module easily accessible and provides users with comprehensive documentation.
• [ ] GitHub Actions CI runs terraform init -backend=false && terraform validate && terraform fmt -check for all three platforms. This ensures that the module is automatically validated and formatted on each commit.
• [ ] README includes quick-start, cost table (IKS worker-hour, ROKS worker-hour, Code Engine vCPU-seconds, DB/Redis plans) and troubleshooting FAQ. This provides users with essential information for getting started and managing their deployments.
• [ ] Compatible with Terraform ≥ 1.6 and IBM Cloud provider ≥ 2.0. This ensures that the module works with recent versions of Terraform and the IBM Cloud provider.
• [ ] Rego bundle downloaded from COS when policy_bundle_cos_url is set. This verifies that the module can load policy bundles from Cloud Object Storage.
• [ ] Enabling observability provisions LogDNA log sources and Sysdig dashboards; outputs include dashboard URLs. This ensures that users can easily monitor their deployments.

By adhering to this checklist, the terraform-ibm-mcpgateway module can maintain a high level of quality and reliability, providing users with a robust and dependable solution for deploying MCP Gateway on IBM Cloud.

Roll-Out Plan: A Phased Approach to Development

The roll-out plan for the terraform-ibm-mcpgateway module follows a phased approach, allowing for incremental development and testing. This roll-out plan ensures that the module is built and deployed in a systematic manner, reducing the risk of issues and ensuring that each component is thoroughly tested before moving on to the next. A phased approach allows for better management of the development process.

1. Scaffold repository terraform-ibm-mcpgateway. This involves setting up the basic repository structure and initial files.
2. Implement Code Engine sub-module (App, project, ingress). This focuses on deploying MCP Gateway on Code Engine, including creating the application, project, and ingress resources.
3. Build Databases-for-PostgreSQL and Databases-for-Redis sub-modules. This involves creating modules for provisioning managed database and Redis instances.
4. Implement IKS sub-module: create VPC, subnet, worker pool, ALB Ingress, Helm release. This focuses on deploying MCP Gateway on IKS, including creating the necessary network infrastructure, worker pools, and a Helm release.
5. Implement ROKS sub-module: create OpenShift cluster, set up OpenShift Ingress, Helm release via oc. This involves deploying MCP Gateway on ROKS, including setting up the OpenShift cluster and deploying the application via oc.
6. Add examples for each platform and CI validation matrix. This provides users with example configurations and ensures that the module is validated across different platforms.
7. Add observability option: LogDNA log source and pre-built Sysdig dashboards (JSON). This allows users to easily monitor their deployments using LogDNA and Sysdig.
8. Publish on Terraform Registry; tag release in GitHub. This makes the module publicly available and provides versioned releases.
9. Record GIF demo, update main project docs with link. This creates a visual demonstration of the module and provides users with comprehensive documentation.

This phased roll-out plan ensures that the terraform-ibm-mcpgateway module is developed and deployed in a controlled and systematic manner, resulting in a high-quality and reliable solution for deploying MCP Gateway on IBM Cloud.

Conclusion

The terraform-ibm-mcpgateway module represents a significant step forward in simplifying the deployment of MCP Gateway on IBM Cloud. By providing a single, unified solution for provisioning MCP Gateway across IKS, ROKS, and Code Engine, this module empowers operators to deploy and manage their applications more efficiently. The module's comprehensive feature set, combined with its well-defined architecture and phased roll-out plan, ensures that it meets the needs of a wide range of users. This Terraform module streamlines the deployment process, making it easier for organizations to leverage MCP Gateway on IBM Cloud, and ultimately reduces the complexity of managing infrastructure-as-code. The Terraform module is a valuable tool for modern cloud deployments, offering efficiency and consistency across various platforms.