diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/README.md b/infra/ibmcloud/terraform/k8s-s390x-conformance/README.md
new file mode 100644
index 00000000000..b0f37d57d84
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/README.md
@@ -0,0 +1,59 @@
+# _TF: IBM K8s s390x Conformance_
+These define Terraform resources for setting up infrastructure for the Kubernetes on s390x conformance job.
+
+---
+## Initial Setup
+
+### Supporting infrastructure
+
+#### Deploy k8s-infra-setup resources
+
+- this covers things like Resource Group, s390x Virtual Server Workspace, Virtual Private Cloud, IBM Cloud Secret Manager Secrets, Transit Gateway, etc.
+- Once the deployment successfully completes, the `service_instance_id` and `secrets_manager_id` will be generated and should be used in the subsequent steps.
+
+---
+#### Deploy k8s-s390x-conformance resources
+
+**1. Navigate to the correct directory**
+
You need to be in the `k8s-s390x-conformance` directory to run the automation.
+
+**2. Check the `versions.tf` file**
+
Set `secret_key` and `access_key` in `versions.tf` to configure the remote S3 backend (IBM Cloud COS).
+
+**3. Initialize Terraform**
+
Execute the following command to initialize Terraform in your project directory. This command will download the necessary provider plugins and prepare the working environment.
+```
+terraform init -reconfigure
+```
+
+**4. Check the `variables.tf` file**
+
Open the `variables.tf` file to review all the available variables. This file lists all customizable inputs for your Terraform configuration.
+
+`ibmcloud_api_key`, `service_instance_id`, `secrets_manager_id` are the only required variables that you must set in order to proceed. You can set this key either by adding it to your `var.tfvars` file or by exporting it as an environment variable.
+
+**Option 1:** Set in `var.tfvars` file
+Create `var.tfvars` file and set the following variables in `var.tfvars` file:
+```
+ibmcloud_api_key = ""
+secrets_manager_id = ""
+```
+
+**Option 2:** Export as an environment variable
+Alternatively, you can export above as an environment variable before running Terraform:
+```
+export TF_VAR_ibmcloud_api_key=""
+export TF_VAR_secrets_manager_id=""
+```
+
+**5. Run Terraform Apply**
+
After setting the necessary variables (particularly the API_KEY), execute the following command to apply the Terraform configuration and provision the infrastructure:
+```
+terraform apply -var-file var.tfvars
+```
+Terraform will display a plan of the actions it will take, and you'll be prompted to confirm the execution. Type `yes` to proceed.
+
+**6. Get Output Information**
+
Once the infrastructure has been provisioned, use the terraform output command to list details about the provisioned resources.
+```
+terraform output
+```
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/main.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/main.tf
new file mode 100644
index 00000000000..e5d37498093
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/main.tf
@@ -0,0 +1,52 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+module "resource_group" {
+ source = "./modules/resource_group"
+}
+module "iam_custom_role" {
+ source = "./modules/iam/custom_role"
+}
+
+module "service_ids" {
+ depends_on = [module.iam_custom_role]
+ source = "./modules/iam/service_ids"
+ resource_group_id = module.resource_group.conformance_resource_group_id
+}
+
+module "iam_access_groups" {
+ depends_on = [module.iam_custom_role]
+ source = "./modules/iam/access_groups"
+ resource_group_id = module.resource_group.conformance_resource_group_id
+}
+
+module "secrets_manager" {
+ source = "./modules/secrets_manager"
+ janitor_access_group_id = module.iam_access_groups.janitor_access_group_id
+ vpc_build_cluster_access_group_id = module.iam_access_groups.vpc_build_cluster_access_group_id
+ secret_rotator_access_group_id = module.iam_access_groups.secret_rotator_access_group_id
+ apikey = module.service_ids.sm_read_apikey
+ resource_group_id = module.resource_group.conformance_resource_group_id
+ secrets_manager_id = var.secrets_manager_id
+}
+module "vpc" {
+ providers = {
+ ibm = ibm.vpc
+ }
+ source = "./modules/vpc"
+ zone = var.zone
+ resource_group_id = module.resource_group.conformance_resource_group_id
+}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/access_groups/access_groups.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/access_groups/access_groups.tf
new file mode 100644
index 00000000000..239b08206ec
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/access_groups/access_groups.tf
@@ -0,0 +1,60 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+resource "ibm_iam_access_group" "vpc_build_cluster" {
+ name = "vpc-build-cluster-access"
+ description = "Access group with the necessary permissions for provisioning VPC-based build clusters."
+}
+
+resource "ibm_iam_access_group_policy" "vpc_build_cluster" {
+ access_group_id = ibm_iam_access_group.vpc_build_cluster.id
+ roles = ["VPCBuildClusterRole"]
+
+ resources {
+ service = "is"
+ resource_group_id = var.resource_group_id
+ }
+}
+
+resource "ibm_iam_access_group" "janitor" {
+ name = "janitor-access"
+ description = "Access group with the necessary permissions for the Boskos Janitor."
+}
+
+resource "ibm_iam_access_group_policy" "janitor_vpc" {
+ access_group_id = ibm_iam_access_group.janitor.id
+ roles = ["JanitorVPCRole"]
+
+ resources {
+ service = "is"
+ resource_group_id = var.resource_group_id
+ }
+}
+
+resource "ibm_iam_access_group" "secret_rotator" {
+ name = "secret-rotator"
+ description = "Access group with the necessary permissions for secret-manager(rotator)."
+}
+
+resource "ibm_iam_access_group_policy" "secret_rotator" {
+ access_group_id = ibm_iam_access_group.secret_rotator.id
+ roles = ["SecretRotator"]
+
+ resources {
+ service = "secrets-manager"
+ resource_group_id = var.resource_group_id
+ }
+}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/access_groups/outputs.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/access_groups/outputs.tf
new file mode 100644
index 00000000000..7a9b34fbd50
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/access_groups/outputs.tf
@@ -0,0 +1,28 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+output "vpc_build_cluster_access_group_id" {
+ value = ibm_iam_access_group.vpc_build_cluster.id
+}
+
+output "janitor_access_group_id" {
+ value = ibm_iam_access_group.janitor.id
+}
+
+output "secret_rotator_access_group_id" {
+ value = ibm_iam_access_group.secret_rotator.id
+}
+
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/access_groups/variables.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/access_groups/variables.tf
new file mode 100644
index 00000000000..3d0dfd46f9d
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/access_groups/variables.tf
@@ -0,0 +1,17 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+variable "resource_group_id" {}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/access_groups/versions.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/access_groups/versions.tf
new file mode 100644
index 00000000000..3987f68e95a
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/access_groups/versions.tf
@@ -0,0 +1,23 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+terraform {
+ required_providers {
+ ibm = {
+ source = "IBM-Cloud/ibm"
+ }
+ }
+}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/custom_role/iam_custom_role.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/custom_role/iam_custom_role.tf
new file mode 100644
index 00000000000..d1fc8b5cc8d
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/custom_role/iam_custom_role.tf
@@ -0,0 +1,68 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+resource "ibm_iam_custom_role" "vpc_build_cluster" {
+ name = "VPCBuildClusterRole"
+ display_name = "VPCBuildClusterRole"
+ service = "is"
+ actions = [
+ "is.vpc.vpc.read",
+ "is.vpc.vpc.create",
+ "is.vpc.vpc.update",
+ "is.vpc.vpc.list",
+ "is.vpc.vpc.delete",
+ ]
+}
+
+resource "ibm_iam_custom_role" "sm" {
+ name = "SMRead"
+ display_name = "SMRead"
+ service = "secrets-manager"
+ actions = [
+ "secrets-manager.secrets.list",
+ "secrets-manager.secret.read",
+ ]
+}
+
+resource "ibm_iam_custom_role" "janitor_vpc" {
+ name = "JanitorVPCRole"
+ display_name = "JanitorVPCRole"
+ service = "is"
+ actions = [
+ "is.instance.instance.delete",
+ "is.subnet.subnet.delete",
+ "is.security-group.security-group.delete",
+ "is.floating-ip.floating-ip.delete",
+ "is.vpc.vpc.read",
+ "is.subnet.subnet.read",
+ "is.security-group.security-group.read",
+ "is.instance.instance.read",
+ "resource-controller.instance.retrieve",
+ "resource-controller.group.retrieve"
+ ]
+}
+
+resource "ibm_iam_custom_role" "secret_rotator" {
+ name = "SecretRotator"
+ display_name = "SecretRotator"
+ service = "secrets-manager"
+ actions = [
+ "secrets-manager.secret-version.read",
+ "secrets-manager.secret-version.create",
+ "secrets-manager.secret.read",
+ "secrets-manager.secret.rotate",
+ ]
+}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/custom_role/versions.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/custom_role/versions.tf
new file mode 100644
index 00000000000..3987f68e95a
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/custom_role/versions.tf
@@ -0,0 +1,23 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+terraform {
+ required_providers {
+ ibm = {
+ source = "IBM-Cloud/ibm"
+ }
+ }
+}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/service_ids/outputs.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/service_ids/outputs.tf
new file mode 100644
index 00000000000..17ec40a0c08
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/service_ids/outputs.tf
@@ -0,0 +1,20 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+output "sm_read_apikey" {
+ value = ibm_iam_service_api_key.service_id_apikey.apikey
+ sensitive = true
+}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/service_ids/service_ids.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/service_ids/service_ids.tf
new file mode 100644
index 00000000000..c03ca205bda
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/service_ids/service_ids.tf
@@ -0,0 +1,55 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+resource "ibm_iam_service_id" "service_id" {
+ name = "sm-service-id"
+ description = "Service id associated with secrets manager"
+}
+
+resource "ibm_iam_service_api_key" "service_id_apikey" {
+ name = "sm-read-apikey"
+ iam_service_id = ibm_iam_service_id.service_id.iam_id
+ store_value = true
+ locked = true
+}
+
+resource "ibm_iam_service_policy" "policy_sm" {
+ iam_service_id = ibm_iam_service_id.service_id.id
+ roles = ["SMRead"]
+
+ resources {
+ service = "secrets-manager"
+ resource_group_id = var.resource_group_id
+ }
+}
+
+resource "ibm_iam_service_policy" "policy_iam_groups" {
+ iam_service_id = ibm_iam_service_id.service_id.id
+ roles = ["Editor"]
+
+ resources {
+ service = "iam-groups"
+ }
+}
+
+resource "ibm_iam_service_policy" "policy_iam_identity" {
+ iam_service_id = ibm_iam_service_id.service_id.id
+ roles = ["Operator"]
+
+ resources {
+ service = "iam-identity"
+ }
+}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/service_ids/variables.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/service_ids/variables.tf
new file mode 100644
index 00000000000..3d0dfd46f9d
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/service_ids/variables.tf
@@ -0,0 +1,17 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+variable "resource_group_id" {}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/service_ids/versions.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/service_ids/versions.tf
new file mode 100644
index 00000000000..3987f68e95a
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/iam/service_ids/versions.tf
@@ -0,0 +1,23 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+terraform {
+ required_providers {
+ ibm = {
+ source = "IBM-Cloud/ibm"
+ }
+ }
+}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/resource_group/outputs.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/resource_group/outputs.tf
new file mode 100644
index 00000000000..0bf515dab91
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/resource_group/outputs.tf
@@ -0,0 +1,18 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+output "conformance_resource_group_id" {
+ value = ibm_resource_group.conformance_resource_group.id
+}
\ No newline at end of file
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/resource_group/resource_group.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/resource_group/resource_group.tf
new file mode 100644
index 00000000000..9905af4e359
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/resource_group/resource_group.tf
@@ -0,0 +1,18 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+resource "ibm_resource_group" "conformance_resource_group" {
+ name = "rg-conformance-test"
+}
\ No newline at end of file
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/resource_group/versions.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/resource_group/versions.tf
new file mode 100644
index 00000000000..bd694dea3a8
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/resource_group/versions.tf
@@ -0,0 +1,22 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+terraform {
+ required_providers {
+ ibm = {
+ source = "IBM-Cloud/ibm"
+ }
+ }
+}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/secrets_manager/outputs.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/secrets_manager/outputs.tf
new file mode 100644
index 00000000000..917b215bf56
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/secrets_manager/outputs.tf
@@ -0,0 +1,22 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+output "k8s_janitor_secret_id" {
+ value = ibm_sm_iam_credentials_secret.janitor_secret.secret_id
+}
+
+output "k8s_secret_rotator_id" {
+ value = ibm_sm_iam_credentials_secret.secret_rotator.secret_id
+}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/secrets_manager/secret_manager.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/secrets_manager/secret_manager.tf
new file mode 100644
index 00000000000..b654be14003
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/secrets_manager/secret_manager.tf
@@ -0,0 +1,92 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+locals {
+ secrets_manager_region = "eu-de"
+}
+
+resource "ibm_sm_iam_credentials_configuration" "sm_iam_credentials_configuration_instance" {
+ instance_id = var.secrets_manager_id
+ region = local.secrets_manager_region
+ name = "iam_config"
+ api_key = var.apikey
+}
+resource "ibm_sm_iam_credentials_secret" "prow_secret" {
+ depends_on = [ibm_sm_iam_credentials_configuration.sm_iam_credentials_configuration_instance]
+ instance_id = var.secrets_manager_id
+ description = "API key used for running the Prow job on the s390x platform."
+ region = local.secrets_manager_region
+ name = "prow-job-api-key"
+ access_groups = [var.vpc_build_cluster_access_group_id]
+ labels = ["rotate:true"]
+
+ //The time-to-live (TTL) or lease duration of generated secret 14400seconds = 4hrs
+ ttl = "14400"
+}
+resource "ibm_sm_iam_credentials_secret" "janitor_secret" {
+ depends_on = [ibm_sm_iam_credentials_configuration.sm_iam_credentials_configuration_instance]
+ instance_id = var.secrets_manager_id
+ description = "API key used by Boskos deployment ibmcloud-janitor."
+ region = local.secrets_manager_region
+ name = "boskos-janitor-api-key"
+ labels = ["rotate:true"]
+ access_groups = [var.janitor_access_group_id]
+
+ //The time-to-live (TTL) or lease duration of generated secret 14400seconds = 4hrs
+ ttl = "14400"
+}
+
+resource "ibm_sm_iam_credentials_secret" "secret_rotator" {
+ depends_on = [ibm_sm_iam_credentials_configuration.sm_iam_credentials_configuration_instance]
+ instance_id = var.secrets_manager_id
+ description = "API key used by secret-manager(rotator)."
+ region = local.secrets_manager_region
+ name = "secret-rotator-api-key"
+ access_groups = [var.secret_rotator_access_group_id]
+
+ //Auto rotate secret after 1day = 24hrs, the minimum value is 1
+ rotation {
+ auto_rotate = true
+ interval = 1
+ unit = "day"
+ }
+
+ //The time-to-live (TTL) or lease duration of generated secret 86400seconds = 24hrs
+ ttl = "86400"
+}
+
+# RSA key of size 4096 bits
+resource "tls_private_key" "private_key" {
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
+
+resource "ibm_sm_arbitrary_secret" "ssh_private_key" {
+ name = "prow-job-ssh-private-key"
+ description = "Private SSH key used for authenticating and securely connecting to servers or systems during the execution of Prow jobs."
+ instance_id = var.secrets_manager_id
+ region = local.secrets_manager_region
+ labels = ["prow-job-ssh-private-key"]
+ payload = tls_private_key.private_key.private_key_openssh
+}
+
+resource "ibm_sm_arbitrary_secret" "ssh_public_key" {
+ name = "prow-job-ssh-public-key"
+ description = "Public SSH key used for securely authenticating Prow jobs by allowing access to servers or systems during job execution."
+ instance_id = var.secrets_manager_id
+ region = local.secrets_manager_region
+ labels = ["prow-job-ssh-public-key"]
+ payload = tls_private_key.private_key.public_key_openssh
+}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/secrets_manager/variables.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/secrets_manager/variables.tf
new file mode 100644
index 00000000000..549f0fa3533
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/secrets_manager/variables.tf
@@ -0,0 +1,21 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+variable "resource_group_id" {}
+variable "apikey" {}
+variable "janitor_access_group_id" {}
+variable "secret_rotator_access_group_id" {}
+variable "secrets_manager_id" {}
+variable "vpc_build_cluster_access_group_id" {}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/secrets_manager/versions.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/secrets_manager/versions.tf
new file mode 100644
index 00000000000..e51f5b24c6b
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/secrets_manager/versions.tf
@@ -0,0 +1,23 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+terraform {
+ required_providers {
+ ibm = {
+ source = "IBM-Cloud/ibm"
+ }
+ }
+}
+
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/vpc/outputs.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/vpc/outputs.tf
new file mode 100644
index 00000000000..184267a3eac
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/vpc/outputs.tf
@@ -0,0 +1,24 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+output "vpc_id" {
+ value = ibm_is_vpc.vpc.id
+}
+output "subnet_id" {
+ value = ibm_is_subnet.subnet.id
+}
+output "crn" {
+ value = ibm_is_vpc.vpc.crn
+}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/vpc/variables.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/vpc/variables.tf
new file mode 100644
index 00000000000..7033b8873a0
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/vpc/variables.tf
@@ -0,0 +1,17 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+variable "resource_group_id" {}
+variable "zone" {}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/vpc/versions.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/vpc/versions.tf
new file mode 100644
index 00000000000..3987f68e95a
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/vpc/versions.tf
@@ -0,0 +1,23 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+terraform {
+ required_providers {
+ ibm = {
+ source = "IBM-Cloud/ibm"
+ }
+ }
+}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/vpc/vpc.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/vpc/vpc.tf
new file mode 100644
index 00000000000..03031f9774f
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/modules/vpc/vpc.tf
@@ -0,0 +1,29 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+# VPC
+resource "ibm_is_vpc" "vpc" {
+ name = "k8s-s390x-test-vpc"
+ resource_group = var.resource_group_id
+}
+
+# Subnet
+resource "ibm_is_subnet" "subnet" {
+ name = "k8s-s390x-test-subnet"
+ vpc = ibm_is_vpc.vpc.id
+ zone = var.zone
+ resource_group = var.resource_group_id
+ total_ipv4_address_count = 256
+}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/outputs.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/outputs.tf
new file mode 100644
index 00000000000..d47f337c727
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/outputs.tf
@@ -0,0 +1,23 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+output "boskos_janitor_api_key_id" {
+ value = module.secrets_manager.k8s_janitor_secret_id
+}
+
+output "secret_rotator_api_key_id" {
+ value = module.secrets_manager.k8s_secret_rotator_id
+}
\ No newline at end of file
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/providers.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/providers.tf
new file mode 100644
index 00000000000..6a48d3a19db
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/providers.tf
@@ -0,0 +1,37 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+locals {
+ key = var.ibmcloud_api_key
+ region = "eu-de"
+ zone = "eu-de-1"
+}
+
+provider "ibm" {
+ ibmcloud_api_key = local.key
+ region = local.region
+ zone = local.zone
+}
+provider "ibm" {
+ alias = "vpc"
+ ibmcloud_api_key = local.key
+ region = local.region
+}
+provider "ibm" {
+ alias = "vpcs"
+ ibmcloud_api_key = local.key
+ region = local.region
+}
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/variables.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/variables.tf
new file mode 100644
index 00000000000..db2fe1c41e7
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/variables.tf
@@ -0,0 +1,41 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+variable "ibmcloud_api_key" {
+ type = string
+ description = "IBM Cloud API key associated with user's identity"
+ sensitive = true
+
+ validation {
+ condition = var.ibmcloud_api_key != ""
+ error_message = "The ibmcloud_api_key is required and cannot be empty."
+ }
+}
+variable "zone" {
+ description = "IBM Cloud zone for resources"
+ type = string
+ default = "eu-de-1"
+}
+variable "secrets_manager_id" {
+ type = string
+ description = "The instance ID of your secrets manager"
+ default = ""
+
+ validation {
+ condition = var.secrets_manager_id != ""
+ error_message = "The secrets_manager_id is required and cannot be empty."
+ }
+}
\ No newline at end of file
diff --git a/infra/ibmcloud/terraform/k8s-s390x-conformance/versions.tf b/infra/ibmcloud/terraform/k8s-s390x-conformance/versions.tf
new file mode 100644
index 00000000000..72435cfb64f
--- /dev/null
+++ b/infra/ibmcloud/terraform/k8s-s390x-conformance/versions.tf
@@ -0,0 +1,37 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+terraform {
+ backend "s3" {
+ bucket = "k8s-infra-tf-states"
+ key = "k8s-s390x-conformance/terraform.tfstate"
+ region = "eu-geo"
+ skip_region_validation = true
+ skip_requesting_account_id = true
+ skip_credentials_validation = true
+ skip_s3_checksum = true
+ endpoints = {
+ s3 = "https://s3.us.cloud-object-storage.appdomain.cloud"
+ }
+ secret_key = ""
+ access_key = ""
+ }
+ required_providers {
+ ibm = {
+ source = "IBM-Cloud/ibm"
+ }
+ }
+}