Merge pull request #7805 from cjschaef/ocpbugs-24473

OCPBUGS-24473: IBMCloud: Set IBM TF visibility based on URLs

Author: openshift-merge-bot[bot]

data/data/ibmcloud/bootstrap/common.tf

@@ -1,8 +1,7 @@
 locals {
   description = "Created By OpenShift Installer"
-  # If any Service Endpoints are being overridden, set visibility to 'private'
-  # for IBM Terraform Provider to use the endpoints JSON file.
-  endpoint_visibility = var.ibmcloud_endpoints_json_file != "" ? "private" : "public"
+  # If specified, set visibility to 'private' for IBM Terraform Provider
+  endpoint_visibility = var.ibmcloud_terraform_private_visibility ? "private" : "public"
   public_endpoints    = var.ibmcloud_publish_strategy == "External" ? true : false
   tags = concat(
     ["kubernetes.io_cluster_${var.cluster_id}:owned"],

data/data/ibmcloud/master/common.tf

@@ -1,8 +1,7 @@
 locals {
   description = "Created By OpenShift Installer"
-  # If any Service Endpoints are being overridden, set visibility to 'private'
-  # for IBM Terraform Provider to use the endpoints JSON file.
-  endpoint_visibility = var.ibmcloud_endpoints_json_file != "" ? "private" : "public"
+  # If specified, set visibility to 'private' for IBM Terraform Provider
+  endpoint_visibility = var.ibmcloud_terraform_private_visibility ? "private" : "public"
   public_endpoints    = var.ibmcloud_publish_strategy == "External" ? true : false
   tags = concat(
     ["kubernetes.io_cluster_${var.cluster_id}:owned"],

data/data/ibmcloud/network/common.tf

@@ -1,8 +1,7 @@
 locals {
   description = "Created By OpenShift Installer"
-  # If any Service Endpoints are being overridden, set visibility to 'private'
-  # for IBM Terraform Provider to use the endpoints JSON file.
-  endpoint_visibility = var.ibmcloud_endpoints_json_file != "" ? "private" : "public"
+  # If specified, set visibility to 'private' for IBM Terraform Provider
+  endpoint_visibility = var.ibmcloud_terraform_private_visibility ? "private" : "public"
   public_endpoints    = var.ibmcloud_publish_strategy == "External" ? true : false
   tags = concat(
     ["kubernetes.io_cluster_${var.cluster_id}:owned"],

data/data/ibmcloud/variables-ibmcloud.tf

@@ -51,6 +51,12 @@ variable "ibmcloud_image_filepath" {
   description = "The file path to the RHCOS image"
 }
 
+variable "ibmcloud_terraform_private_visibility" {
+  type        = bool
+  description = "Specified whether the IBM Cloud terraform provider visibility mode should be private, for endpoint usage."
+  default     = false
+}
+
 #######################################
 # Top-level module variables (optional)
 #######################################

pkg/asset/cluster/tfvars.go

@@ -657,40 +657,52 @@ func (t *TerraformVariables) Generate(parents asset.Parents) error {
 		// NOTE(cjschaef): If one or more ServiceEndpoint's are supplied, attempt to build the Terraform endpoint_file_path
 		// https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints#file-structure-for-endpoints-file
 		var endpointsJSONFile string
+		// Set Terraform visibility mode if necessary
+		terraformPrivateVisibility := false
 		if len(installConfig.Config.Platform.IBMCloud.ServiceEndpoints) > 0 {
+			// Determine if any endpoints require 'private' Terraform visibility mode (any contain 'private' or 'direct' for COS)
+			// This is a requirement for the IBM Cloud Terraform provider, forcing 'public' or 'private' visibility mode.
+			for _, endpoint := range installConfig.Config.Platform.IBMCloud.ServiceEndpoints {
+				if strings.Contains(endpoint.URL, "private") || strings.Contains(endpoint.URL, "direct") {
+					// If at least one endpoint is private (or direct) we expect to use Private visibility mode
+					terraformPrivateVisibility = true
+					break
+				}
+			}
+
 			endpointData, err := ibmcloudtfvars.CreateEndpointJSON(installConfig.Config.Platform.IBMCloud.ServiceEndpoints, installConfig.Config.Platform.IBMCloud.Region)
 			if err != nil {
 				return err
 			}
-			// While we should have already confirmed there are ServiceEndpoints, we can verify data did get created, requiring the JSON file gets created and passed along
-			if endpointData == nil {
-				return fmt.Errorf("failed to generate endpoint JSON with provided IBM Cloud ServiceEndpoints")
+			// While service endpoints may not be empty, they may not be required for Terraform.
+			// So, if we have not endpoint data, we don't need to generate the JSON override file.
+			if endpointData != nil {
+				// Add endpoint JSON data to list of generated files for Terraform
+				t.FileList = append(t.FileList, &asset.File{
+					Filename: ibmcloudtfvars.IBMCloudEndpointJSONFileName,
+					Data:     endpointData,
+				})
+				endpointsJSONFile = ibmcloudtfvars.IBMCloudEndpointJSONFileName
 			}
-
-			// Add endpoint JSON data to list of generated files for Terraform
-			t.FileList = append(t.FileList, &asset.File{
-				Filename: ibmcloudtfvars.IBMCloudEndpointJSONFileName,
-				Data:     endpointData,
-			})
-			endpointsJSONFile = ibmcloudtfvars.IBMCloudEndpointJSONFileName
 		}
 
 		data, err = ibmcloudtfvars.TFVars(
 			ibmcloudtfvars.TFVarsSources{
-				Auth:                     auth,
-				CISInstanceCRN:           cisCRN,
-				DNSInstanceID:            dnsID,
-				EndpointsJSONFile:        endpointsJSONFile,
-				ImageURL:                 string(*rhcosImage),
-				MasterConfigs:            masterConfigs,
-				MasterDedicatedHosts:     masterDedicatedHosts,
-				NetworkResourceGroupName: installConfig.Config.Platform.IBMCloud.NetworkResourceGroupName,
-				PreexistingVPC:           preexistingVPC,
-				PublishStrategy:          installConfig.Config.Publish,
-				ResourceGroupName:        installConfig.Config.Platform.IBMCloud.ResourceGroupName,
-				VPCPermitted:             vpcPermitted,
-				WorkerConfigs:            workerConfigs,
-				WorkerDedicatedHosts:     workerDedicatedHosts,
+				Auth:                       auth,
+				CISInstanceCRN:             cisCRN,
+				DNSInstanceID:              dnsID,
+				EndpointsJSONFile:          endpointsJSONFile,
+				ImageURL:                   string(*rhcosImage),
+				MasterConfigs:              masterConfigs,
+				MasterDedicatedHosts:       masterDedicatedHosts,
+				NetworkResourceGroupName:   installConfig.Config.Platform.IBMCloud.NetworkResourceGroupName,
+				PreexistingVPC:             preexistingVPC,
+				PublishStrategy:            installConfig.Config.Publish,
+				ResourceGroupName:          installConfig.Config.Platform.IBMCloud.ResourceGroupName,
+				TerraformPrivateVisibility: terraformPrivateVisibility,
+				VPCPermitted:               vpcPermitted,
+				WorkerConfigs:              workerConfigs,
+				WorkerDedicatedHosts:       workerDedicatedHosts,
 			},
 		)
 		if err != nil {

pkg/destroy/bootstrap/bootstrap.go

@@ -68,17 +68,15 @@ func Destroy(ctx context.Context, dir string) (err error) {
 		if err != nil {
 			return fmt.Errorf("failed generating endpoint override JSON data for bootstrap destroy: %w", err)
 		}
-		// Since there are ServiceEndpoints, we expect JSON data to be generated.
-		if jsonData == nil {
-			return fmt.Errorf("no endpoint override JSON data generated for set of endpoint overrides")
-		}
 
 		// If JSON data was generated, create the JSON file for IBM Cloud Terraform provider to use during destroy.
-		endpointsFilePath := filepath.Join(dir, ibmcloudtfvars.IBMCloudEndpointJSONFileName)
-		if err := os.WriteFile(endpointsFilePath, jsonData, 0o600); err != nil {
-			return fmt.Errorf("failed to write IBM Cloud service endpoint override JSON file for bootstrap destroy: %w", err)
+		if jsonData != nil {
+			endpointsFilePath := filepath.Join(dir, ibmcloudtfvars.IBMCloudEndpointJSONFileName)
+			if err := os.WriteFile(endpointsFilePath, jsonData, 0o600); err != nil {
+				return fmt.Errorf("failed to write IBM Cloud service endpoint override JSON file for bootstrap destroy: %w", err)
+			}
+			logrus.Debugf("generated ibm endpoint overrides file: %s", endpointsFilePath)
 		}
-		logrus.Debugf("generated ibm endpoint overrides file: %s", endpointsFilePath)
 	}
 
 	fg := featuregates.FeatureGateFromFeatureSets(configv1.FeatureSets, metadata.FeatureSet, metadata.CustomFeatureSet)