Terraform for k8s-power-conformance job on ibmcloud

Signed-off-by: Prajyot-Parab <[email protected]>

Author: Prajyot-Parab

infra/ibmcloud/terraform/k8s-power-conformance/README.md

@@ -0,0 +1,61 @@
+# _TF: IBM K8s Power Conformance_
+These define Terraform resources for setting up infrastructure for the Kubernetes on Power conformance job.
+
+---
+## Initial Setup
+
+### Supporting infrastructure
+
+#### Deploy k8s-infra-setup resources
+
+- this covers things like Resource Group, Power Virtual Server Workspace, Virtual Private Cloud, IBM Cloud Secret Manager Secrets, Transit Gateway, etc.
+- Once the deployment successfully completes, the `service_instance_id` and `secrets_manager_id` will be generated and should be used in the subsequent steps.
+
+---
+#### Deploy k8s-power-conformance resources
+
+**1. Navigate to the correct directory**
+<br> You need to be in the `k8s-power-conformance` directory to run the automation.
+
+**2. Check the `versions.tf` file**
+<br> Set `secret_key` and `access_key` in `versions.tf` to configure the remote S3 backend (IBM Cloud COS).
+
+**3. Initialize Terraform**
+<br> Execute the following command to initialize Terraform in your project directory. This command will download the necessary provider plugins and prepare the working environment.
+```
+terraform init -reconfigure
+```
+
+**4. Check the `variables.tf` file**
+<br> Open the `variables.tf` file to review all the available variables. This file lists all customizable inputs for your Terraform configuration.
+
+`ibmcloud_api_key`, `service_instance_id`, `secrets_manager_id` are the only required variables that you must set in order to proceed. You can set this key either by adding it to your `var.tfvars` file or by exporting it as an environment variable.
+
+**Option 1:** Set in `var.tfvars` file
+Create `var.tfvars` file and set the following variables in `var.tfvars` file:
+```
+ibmcloud_api_key    = "<YOUR_API_KEY>"
+service_instance_id = "<POWERVS_SERVICE_INSTANCE_ID>"
+secrets_manager_id  = "<SECRETS_MANAGER_ID>"
+```
+
+**Option 2:** Export as an environment variable
+Alternatively, you can export above as an environment variable before running Terraform:
+```
+export TF_VAR_ibmcloud_api_key="<YOUR_API_KEY>"
+export TF_VAR_service_instance_id="<POWERVS_SERVICE_INSTANCE_ID>"
+export TF_VAR_secrets_manager_id="<SECRETS_MANAGER_ID>"
+```
+
+**5. Run Terraform Apply**
+<br> After setting the necessary variables (particularly the API_KEY), execute the following command to apply the Terraform configuration and provision the infrastructure:
+```
+terraform apply -var-file var.tfvars
+```
+Terraform will display a plan of the actions it will take, and you'll be prompted to confirm the execution. Type `yes` to proceed.
+
+**6. Get Output Information**
+<br> Once the infrastructure has been provisioned, use the terraform output command to list details about the provisioned resources.
+```
+terraform output
+```

infra/ibmcloud/terraform/k8s-power-conformance/main.tf

@@ -0,0 +1,45 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+module "resource_group" {
+  source = "./modules/resource_group"
+}
+
+module "iam_custom_role" {
+  source = "./modules/iam/custom_role"
+}
+
+module "service_ids" {
+  depends_on                = [module.iam_custom_role]
+  source                    = "./modules/iam/service_ids"
+  project_resource_group_id = module.resource_group.k8s_project_rg_id
+}
+
+module "iam_access_groups" {
+  depends_on                = [module.iam_custom_role]
+  source                    = "./modules/iam/access_groups"
+  resource_group_id         = module.resource_group.k8s_rg_id
+  project_resource_group_id = module.resource_group.k8s_project_rg_id
+}
+
+module "secrets_manager" {
+  source                         = "./modules/secrets_manager"
+  secrets_manager_id             = var.secrets_manager_id
+  pvs_access_group_id            = module.iam_access_groups.pvs_access_group_id
+  janitor_access_group_id        = module.iam_access_groups.janitor_access_group_id
+  secret_rotator_access_group_id = module.iam_access_groups.secret_rotator_access_group_id
+  apikey                         = module.service_ids.sm_read_apikey
+}

infra/ibmcloud/terraform/k8s-power-conformance/modules/iam/access_groups/access_groups.tf

@@ -0,0 +1,60 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+resource "ibm_iam_access_group" "pvs" {
+  name        = "powervs-access"
+  description = "Access group with the necessary permissions for Prow job on the PowerVS service."
+}
+
+resource "ibm_iam_access_group_policy" "pvs" {
+  access_group_id = ibm_iam_access_group.pvs.id
+  roles           = ["PVSRole"]
+
+  resources {
+    service           = "power-iaas"
+    resource_group_id = var.resource_group_id
+  }
+}
+
+resource "ibm_iam_access_group" "janitor" {
+  name        = "janitor-access"
+  description = "Access group with the necessary permissions for the Boskos Janitor."
+}
+
+resource "ibm_iam_access_group_policy" "janitor_pvs" {
+  access_group_id = ibm_iam_access_group.janitor.id
+  roles           = ["JanitorPVSRole"]
+
+  resources {
+    service           = "power-iaas"
+    resource_group_id = var.resource_group_id
+  }
+}
+
+resource "ibm_iam_access_group" "secret_rotator" {
+  name        = "secret-rotator"
+  description = "Access group with the necessary permissions for secret-manager(rotator)."
+}
+
+resource "ibm_iam_access_group_policy" "secret_rotator" {
+  access_group_id = ibm_iam_access_group.secret_rotator.id
+  roles           = ["SecretRotator"]
+
+  resources {
+    service           = "secrets-manager"
+    resource_group_id = var.project_resource_group_id
+  }
+}

infra/ibmcloud/terraform/k8s-power-conformance/modules/iam/access_groups/outputs.tf

@@ -0,0 +1,27 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+output "pvs_access_group_id" {
+  value = ibm_iam_access_group.pvs.id
+}
+
+output "janitor_access_group_id" {
+  value = ibm_iam_access_group.janitor.id
+}
+
+output "secret_rotator_access_group_id" {
+  value = ibm_iam_access_group.secret_rotator.id
+}

infra/ibmcloud/terraform/k8s-power-conformance/modules/iam/access_groups/variables.tf

@@ -0,0 +1,18 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+variable "resource_group_id" {}
+variable "project_resource_group_id" {}

infra/ibmcloud/terraform/k8s-power-conformance/modules/iam/access_groups/versions.tf

@@ -0,0 +1,23 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+terraform {
+  required_providers {
+    ibm = {
+      source = "IBM-Cloud/ibm"
+    }
+  }
+}

infra/ibmcloud/terraform/k8s-power-conformance/modules/iam/custom_role/iam_custom_role.tf

@@ -0,0 +1,65 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+resource "ibm_iam_custom_role" "pvs" {
+  name         = "PVSRole"
+  display_name = "PVSRole"
+  service      = "power-iaas.workspace"
+  actions = [
+    "power-iaas.network.create",
+    "power-iaas.network.delete",
+    "power-iaas.pvm-instance.create",
+    "power-iaas.pvm-instance.delete",
+    "power-iaas.cloud-instance-image.list",
+    "power-iaas.cloud-instance-image.read",
+    "power-iaas.cloud-instance.read",
+  ]
+}
+
+resource "ibm_iam_custom_role" "sm" {
+  name         = "SMRead"
+  display_name = "SMRead"
+  service      = "secrets-manager"
+  actions = [
+    "secrets-manager.secrets.list",
+    "secrets-manager.secret.read",
+  ]
+}
+
+resource "ibm_iam_custom_role" "janitor_pvs" {
+  name         = "JanitorPVSRole"
+  display_name = "JanitorPVSRole"
+  service      = "power-iaas.workspace"
+  actions = [
+    "power-iaas.dashboard.view",
+    "power-iaas.cloud-instance.modify",
+    "power-iaas.cloud-instance.read",
+    "resource-controller.instance.retrieve",
+    "resource-controller.group.retrieve",
+  ]
+}
+
+resource "ibm_iam_custom_role" "secret_rotator" {
+  name         = "SecretRotator"
+  display_name = "SecretRotator"
+  service      = "secrets-manager"
+  actions = [
+    "secrets-manager.secret-version.read",
+    "secrets-manager.secret-version.create",
+    "secrets-manager.secret.read",
+    "secrets-manager.secret.rotate",
+  ]
+}

infra/ibmcloud/terraform/k8s-power-conformance/modules/iam/custom_role/versions.tf

@@ -0,0 +1,23 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+terraform {
+  required_providers {
+    ibm = {
+      source = "IBM-Cloud/ibm"
+    }
+  }
+}

infra/ibmcloud/terraform/k8s-power-conformance/modules/iam/service_ids/outputs.tf

@@ -0,0 +1,20 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+output "sm_read_apikey" {
+  value     = ibm_iam_service_api_key.service_id_apikey.apikey
+  sensitive = true
+}