CORS-2933: IBMCloud: Service endpoint override TF

cjschaef · cjschaef · commit 0a9e0e795b97 · 2023-11-26T20:17:09.000-06:00
Adding support to terraform to allow overrides of IBM Cloud service endpoints. This is a hard requirement for disconnected cluster support, to allow use of non-default endpoints for IBM Cloud services. Related: https://issues.redhat.com/browse/CORS-2933
diff --git a/data/data/ibmcloud/bootstrap/common.tf b/data/data/ibmcloud/bootstrap/common.tf
@@ -1,6 +1,9 @@
 locals {
-  description      = "Created By OpenShift Installer"
-  public_endpoints = var.ibmcloud_publish_strategy == "External" ? true : false
+  description = "Created By OpenShift Installer"
+  # If any Service Endpoints are being overridden, set visibility to 'private'
+  # for IBM Terraform Provider to use the endpoints JSON file.
+  endpoint_visibility = var.ibmcloud_endpoints_json_file != "" ? "private" : "public"
+  public_endpoints    = var.ibmcloud_publish_strategy == "External" ? true : false
   tags = concat(
     ["kubernetes.io_cluster_${var.cluster_id}:owned"],
     var.ibmcloud_extra_tags
@@ -14,4 +17,8 @@ locals {
 provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.ibmcloud_region
-}
+
+  # Manage endpoints for IBM Cloud services
+  visibility          = local.endpoint_visibility
+  endpoints_file_path = var.ibmcloud_endpoints_json_file
+}
diff --git a/data/data/ibmcloud/bootstrap/ignition.tf b/data/data/ibmcloud/bootstrap/ignition.tf
@@ -1,9 +1,18 @@
+locals {
+  # Use the direct COS endpoint if IBM Cloud Service Endpoints are being overridden,
+  # as public and private may not be available. The direct endpoint requires
+  # additional IBM Cloud Account configuration, which must be configured when using
+  # Service Endpoint overrides.
+  cos_endpoint_type = local.endpoint_visibility == "private" ? "direct" : "public"
+}
+
 ############################################
 # COS bucket
 ############################################
 
 resource "ibm_cos_bucket" "bootstrap_ignition" {
   bucket_name          = "${local.prefix}-bootstrap-ignition"
+  endpoint_type        = local.cos_endpoint_type
   resource_instance_id = var.cos_resource_instance_crn
   region_location      = var.ibmcloud_region
   storage_class        = "smart"
@@ -16,9 +25,10 @@ resource "ibm_cos_bucket" "bootstrap_ignition" {
 resource "ibm_cos_bucket_object" "bootstrap_ignition" {
   bucket_crn      = ibm_cos_bucket.bootstrap_ignition.crn
   bucket_location = ibm_cos_bucket.bootstrap_ignition.region_location
-  key             = "bootstrap.ign"
   content_file    = var.ignition_bootstrap_file
+  endpoint_type   = local.cos_endpoint_type
   etag            = filemd5(var.ignition_bootstrap_file)
+  key             = "bootstrap.ign"
 }
 
 ############################################
diff --git a/data/data/ibmcloud/master/common.tf b/data/data/ibmcloud/master/common.tf
@@ -1,6 +1,9 @@
 locals {
-  description      = "Created By OpenShift Installer"
-  public_endpoints = var.ibmcloud_publish_strategy == "External" ? true : false
+  description = "Created By OpenShift Installer"
+  # If any Service Endpoints are being overridden, set visibility to 'private'
+  # for IBM Terraform Provider to use the endpoints JSON file.
+  endpoint_visibility = var.ibmcloud_endpoints_json_file != "" ? "private" : "public"
+  public_endpoints    = var.ibmcloud_publish_strategy == "External" ? true : false
   tags = concat(
     ["kubernetes.io_cluster_${var.cluster_id}:owned"],
     var.ibmcloud_extra_tags
@@ -14,4 +17,8 @@ locals {
 provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.ibmcloud_region
-}
+
+  # Manage endpoints for IBM Cloud services
+  visibility          = local.endpoint_visibility
+  endpoints_file_path = var.ibmcloud_endpoints_json_file
+}
diff --git a/data/data/ibmcloud/network/common.tf b/data/data/ibmcloud/network/common.tf
@@ -1,6 +1,9 @@
 locals {
-  description      = "Created By OpenShift Installer"
-  public_endpoints = var.ibmcloud_publish_strategy == "External" ? true : false
+  description = "Created By OpenShift Installer"
+  # If any Service Endpoints are being overridden, set visibility to 'private'
+  # for IBM Terraform Provider to use the endpoints JSON file.
+  endpoint_visibility = var.ibmcloud_endpoints_json_file != "" ? "private" : "public"
+  public_endpoints    = var.ibmcloud_publish_strategy == "External" ? true : false
   tags = concat(
     ["kubernetes.io_cluster_${var.cluster_id}:owned"],
     var.ibmcloud_extra_tags
@@ -14,4 +17,8 @@ locals {
 provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.ibmcloud_region
-}
+
+  # Manage endpoints for IBM Cloud services
+  visibility          = local.endpoint_visibility
+  endpoints_file_path = var.ibmcloud_endpoints_json_file
+}
diff --git a/data/data/ibmcloud/network/image/main.tf b/data/data/ibmcloud/network/image/main.tf
@@ -1,9 +1,18 @@
 locals {
-  prefix = var.cluster_id
+  # Use the direct COS endpoint if IBM Cloud Service Endpoints are being overridden,
+  # as public and private may not be available. The direct endpoint requires
+  # additional IBM Cloud Account configuration, which must be configured when using
+  # Service Endpoint overrides.
+  cos_endpoint_type = var.endpoint_visibility == "private" ? "direct" : "public"
+  prefix            = var.cluster_id
 }
 
 resource "ibm_cos_bucket" "images" {
-  bucket_name          = "${local.prefix}-vsi-image"
+  bucket_name = "${local.prefix}-vsi-image"
+  # Use the direct COS endpoint if IBM Cloud Service endpoints are being overridden,
+  # as public and private may not be available. Direct requires additional IBM Cloud
+  # Account configuration
+  endpoint_type        = local.cos_endpoint_type
   resource_instance_id = var.cos_resource_instance_crn
   region_location      = var.region
   storage_class        = "smart"
@@ -13,6 +22,7 @@ resource "ibm_cos_bucket_object" "file" {
   bucket_crn      = ibm_cos_bucket.images.crn
   bucket_location = ibm_cos_bucket.images.region_location
   content_file    = var.image_filepath
+  endpoint_type   = local.cos_endpoint_type
   key             = basename(var.image_filepath)
 }
 
diff --git a/data/data/ibmcloud/network/image/variables.tf b/data/data/ibmcloud/network/image/variables.tf
@@ -25,3 +25,7 @@ variable "tags" {
 variable "cos_resource_instance_crn" {
   type = string
 }
+
+variable "endpoint_visibility" {
+  type = string
+}
diff --git a/data/data/ibmcloud/network/main.tf b/data/data/ibmcloud/network/main.tf
@@ -48,6 +48,7 @@ module "image" {
   resource_group_id         = local.resource_group_id
   tags                      = local.tags
   cos_resource_instance_crn = ibm_resource_instance.cos.crn
+  endpoint_visibility       = local.endpoint_visibility
 }
 
 ############################################
diff --git a/data/data/ibmcloud/variables-ibmcloud.tf b/data/data/ibmcloud/variables-ibmcloud.tf
@@ -55,6 +55,12 @@ variable "ibmcloud_image_filepath" {
 # Top-level module variables (optional)
 #######################################
 
+variable "ibmcloud_endpoints_json_file" {
+  type        = string
+  description = "JSON file containing IBM Cloud service endpoints"
+  default     = ""
+}
+
 variable "ibmcloud_preexisting_vpc" {
   type        = bool
   description = "Specifies whether an existing VPC should be used or a new one created for installation."

Original file line number	Diff line number	Diff line change
`@@ -25,3 +25,7 @@ variable "tags" {`
`25`	`25`	`variable "cos_resource_instance_crn" {`
`26`	`26`	`type = string`
`27`	`27`	`}`
	`28`	`+`
	`29`	`+variable "endpoint_visibility" {`
	`30`	`+ type = string`
	`31`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,7 @@ module "image" {`
`48`	`48`	`resource_group_id = local.resource_group_id`
`49`	`49`	`tags = local.tags`
`50`	`50`	`cos_resource_instance_crn = ibm_resource_instance.cos.crn`
	`51`	`+ endpoint_visibility = local.endpoint_visibility`
`51`	`52`	`}`
`52`	`53`
`53`	`54`	`############################################`