Resource Manager supports custom Grafana, Ingress and compartment level IAM (#64)

* Resource manager supports custom Grafana and Ingress

* Resource manager supports compartment level IAM

Author: gablyu-oci

oci_lens_terraform/main.tf

@@ -132,6 +132,15 @@ module "app" {
   superuser_email    = var.superuser_email
   grafana_admin_password = var.grafana_admin_password
   ingress_domain    = var.ingress_domain
+  use_external_grafana = var.use_external_grafana
+  grafana_url       = var.grafana_url
+  grafana_api_token = var.grafana_api_token
+  use_external_ingress = var.use_external_ingress
+  ingress_cert_manager_cluster_issuer = var.ingress_cert_manager_cluster_issuer
+  ingress_class_name = var.ingress_class_name
+  ingress_external_namespace = var.ingress_external_namespace
+  ingress_external_service_name = var.ingress_external_service_name
+  authorized_compartments = var.authorized_compartments
 
   # wait for cluster (if new cluster was created)
   depends_on = [time_sleep.after_cluster]

oci_lens_terraform/modules/app/main.tf

@@ -42,6 +42,11 @@ resource "helm_release" "app" {
     value = var.tenancy_ocid
   }
 
+  set {
+    name  = "backend.authorizedCompartments"
+    value = var.authorized_compartments
+  }
+
   set {
     name = "backend.superuser.username"
     value = var.superuser_username
@@ -72,6 +77,80 @@ resource "helm_release" "app" {
     value = var.ingress_domain != "" ? var.ingress_domain : "nip.io"
   }
 
+  # External Grafana configuration
+  dynamic "set" {
+    for_each = var.use_external_grafana ? [1] : []
+    content {
+      name  = "grafana.enabled"
+      value = "false"
+    }
+  }
+
+  dynamic "set" {
+    for_each = var.use_external_grafana && var.grafana_url != "" ? [1] : []
+    content {
+      name  = "backend.grafanaUrl"
+      value = var.grafana_url
+    }
+  }
+
+  dynamic "set" {
+    for_each = var.use_external_grafana && var.grafana_api_token != "" ? [1] : []
+    content {
+      name  = "backend.grafanaApiToken"
+      value = var.grafana_api_token
+    }
+  }
+
+  # External Ingress and Cert-Manager configuration
+  dynamic "set" {
+    for_each = var.use_external_ingress ? [1] : []
+    content {
+      name  = "cert-manager.enabled"
+      value = "false"
+    }
+  }
+
+  dynamic "set" {
+    for_each = var.use_external_ingress ? [1] : []
+    content {
+      name  = "ingress-nginx.enabled"
+      value = "false"
+    }
+  }
+
+  dynamic "set" {
+    for_each = var.use_external_ingress && var.ingress_cert_manager_cluster_issuer != "" ? [1] : []
+    content {
+      name  = "ingress.certManager.clusterIssuer"
+      value = var.ingress_cert_manager_cluster_issuer
+    }
+  }
+
+  dynamic "set" {
+    for_each = var.use_external_ingress && var.ingress_class_name != "" ? [1] : []
+    content {
+      name  = "ingress.className"
+      value = var.ingress_class_name
+    }
+  }
+
+  dynamic "set" {
+    for_each = var.use_external_ingress && var.ingress_external_namespace != "" ? [1] : []
+    content {
+      name  = "ingress.external.namespace"
+      value = var.ingress_external_namespace
+    }
+  }
+
+  dynamic "set" {
+    for_each = var.use_external_ingress && var.ingress_external_service_name != "" ? [1] : []
+    content {
+      name  = "ingress.external.serviceName"
+      value = var.ingress_external_service_name
+    }
+  }
+
   depends_on = [
     kubernetes_namespace.ns,
   ]
@@ -95,6 +174,8 @@ data "kubernetes_ingress_v1" "backend_ingress" {
 }
 
 data "kubernetes_ingress_v1" "grafana_ingress" {
+  count = var.use_external_grafana ? 0 : 1
+
   metadata {
     name      = "lens-grafana-ingress"
     namespace = kubernetes_namespace.ns.metadata[0].name
@@ -113,8 +194,8 @@ data "kubernetes_ingress_v1" "prometheus_ingress" {
 # Data source to get the ingress-nginx LoadBalancer IP
 data "kubernetes_service_v1" "ingress_nginx_controller" {
   metadata {
-    name      = "ingress-nginx-controller"
-    namespace = kubernetes_namespace.ns.metadata[0].name
+    name      = var.use_external_ingress ? var.ingress_external_service_name : "${helm_release.app.name}-ingress-nginx-controller"
+    namespace = var.use_external_ingress ? var.ingress_external_namespace    : kubernetes_namespace.ns.metadata[0].name
   }
   depends_on = [helm_release.app]
 }

oci_lens_terraform/modules/app/outputs.tf

@@ -54,7 +54,7 @@ output "backend_ingress_host" {
 
 output "grafana_ingress_host" {
   description = "The ingress host for Grafana"
-  value       = try(data.kubernetes_ingress_v1.grafana_ingress.spec[0].rule[0].host, "")
+  value       = var.use_external_grafana ? "" : try(data.kubernetes_ingress_v1.grafana_ingress[0].spec[0].rule[0].host, "")
 }
 
 output "prometheus_ingress_host" {

oci_lens_terraform/modules/app/variables.tf

@@ -39,6 +39,12 @@ variable "policy_name" {
   default = "lens-backend-workload-policy"
 }
 
+variable "authorized_compartments" {
+  description = "Comma-separated list of compartment OCIDs to grant IAM policy access. Leave blank to authorize access to the whole tenancy."
+  type = string
+  default = ""
+}
+
 variable "superuser_username" {
   description = "Username for the superuser of Lens API Backend"
   type = string
@@ -65,4 +71,53 @@ variable "ingress_domain" {
   description = "Domain for ingress. Empty string defaults to nip.io."
   type = string
   default = ""
+}
+
+variable "use_external_grafana" {
+  description = "Use your own Grafana instance instead of deploying one."
+  type = bool
+  default = false
+}
+
+variable "grafana_url" {
+  description = "URL of your existing Grafana instance."
+  type = string
+  default = ""
+}
+
+variable "grafana_api_token" {
+  description = "API token for authenticating with your existing Grafana instance."
+  type = string
+  sensitive = true
+  default = ""
+}
+
+variable "use_external_ingress" {
+  description = "Use your own ingress controller and cert-manager instead of deploying them."
+  type = bool
+  default = false
+}
+
+variable "ingress_cert_manager_cluster_issuer" {
+  description = "Name of your existing cert-manager ClusterIssuer for TLS certificate management."
+  type = string
+  default = ""
+}
+
+variable "ingress_class_name" {
+  description = "Ingress class name for your existing ingress controller."
+  type = string
+  default = ""
+}
+
+variable "ingress_external_namespace" {
+  description = "Namespace where your existing ingress controller service is deployed."
+  type = string
+  default = ""
+}
+
+variable "ingress_external_service_name" {
+  description = "Service name of your existing ingress controller."
+  type = string
+  default = ""
 }

oci_lens_terraform/schema.yaml

@@ -24,6 +24,21 @@ variableGroups:
       - ingress_domain
       - create_iam_policy
       - policy_name
+      - authorized_compartments
+  - title: "Grafana Configuration"
+    visible: true
+    variables:
+      - use_external_grafana
+      - grafana_url
+      - grafana_api_token
+  - title: "Ingress and Cert-Manager Configuration"
+    visible: true
+    variables:
+      - use_external_ingress
+      - ingress_cert_manager_cluster_issuer
+      - ingress_class_name
+      - ingress_external_namespace
+      - ingress_external_service_name
 
 variables:
   tenancy_ocid:
@@ -84,6 +99,12 @@ variables:
       and:
         - create_iam_policy
 
+  authorized_compartments:
+    type: string
+    title: "Authorized Compartments"
+    description: "Compartment OCID to grant IAM policy access. Leave blank to authorize access to the whole tenancy."
+    default: ""
+
   superuser_username:
     type: string
     title: "Superuser Username"
@@ -110,6 +131,79 @@ variables:
     sensitive: true
     default: "admin123"
 
+  use_external_grafana:
+    type: boolean
+    title: "Use External Grafana"
+    description: "Use your own Grafana instance instead of deploying one. If enabled, Grafana will not be deployed and you must provide Grafana URL and API token."
+    default: false
+
+  grafana_url:
+    type: string
+    title: "Grafana URL"
+    description: "URL of your existing Grafana instance (e.g., http://grafana-service.namespace.svc.cluster.local:80 or http://your-grafana-domain.com)."
+    default: ""
+    required: true
+    visible:
+      and:
+        - use_external_grafana
+
+  grafana_api_token:
+    type: string
+    title: "Grafana API Token"
+    description: "API token for authenticating with your existing Grafana instance. Create one in Grafana under Administration > Users and Access > Service Accounts with admin rights."
+    sensitive: true
+    default: ""
+    required: true
+    visible:
+      and:
+        - use_external_grafana
+
+  use_external_ingress:
+    type: boolean
+    title: "Use External Ingress and Cert-Manager"
+    description: "Use your own ingress controller and cert-manager instead of deploying them. If enabled, cert-manager and ingress-nginx will not be deployed."
+    default: false
+
+  ingress_cert_manager_cluster_issuer:
+    type: string
+    title: "Cert-Manager Cluster Issuer"
+    description: "Name of your existing cert-manager ClusterIssuer for TLS certificate management."
+    default: ""
+    required: true
+    visible:
+      and:
+        - use_external_ingress
+
+  ingress_class_name:
+    type: string
+    title: "Ingress Class Name"
+    description: "Ingress class name for your existing ingress controller."
+    default: ""
+    required: true
+    visible:
+      and:
+        - use_external_ingress
+
+  ingress_external_namespace:
+    type: string
+    title: "External Ingress Namespace"
+    description: "Namespace where your existing ingress controller service is deployed."
+    default: ""
+    required: true
+    visible:
+      and:
+        - use_external_ingress
+
+  ingress_external_service_name:
+    type: string
+    title: "External Ingress Service Name"
+    description: "Service name of your existing ingress controller."
+    default: ""
+    required: true
+    visible:
+      and:
+        - use_external_ingress
+
 outputs:
   # OCI GPU Scanner Portal
   portal_url:

oci_lens_terraform/variables.tf

@@ -32,6 +32,12 @@ variable "policy_name" {
   default     = "lens-backend-workload-policy"
 }
 
+variable "authorized_compartments" {
+  description = "Comma-separated list of compartment OCIDs to grant IAM policy access (e.g., ocid1.compartment.oc1..xxx,ocid1.compartment.oc1..yyy). Leave blank to authorize access to the whole tenancy."
+  type        = string
+  default     = ""
+}
+
 variable "superuser_username" {
   description = "Username for OCI GPU Scanner portal and backend API"
   type        = string
@@ -62,4 +68,53 @@ variable "ingress_domain" {
   description = "Domain for ingress. Leave empty to use nip.io (wildcard DNS service)."
   type        = string
   default     = ""
+}
+
+variable "use_external_grafana" {
+  description = "Use your own Grafana instance instead of deploying one."
+  type        = bool
+  default     = false
+}
+
+variable "grafana_url" {
+  description = "URL of your existing Grafana instance."
+  type        = string
+  default     = ""
+}
+
+variable "grafana_api_token" {
+  description = "API token for authenticating with your existing Grafana instance."
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "use_external_ingress" {
+  description = "Use your own ingress controller and cert-manager instead of deploying them."
+  type        = bool
+  default     = false
+}
+
+variable "ingress_cert_manager_cluster_issuer" {
+  description = "Name of your existing cert-manager ClusterIssuer for TLS certificate management."
+  type        = string
+  default     = ""
+}
+
+variable "ingress_class_name" {
+  description = "Ingress class name for your existing ingress controller."
+  type        = string
+  default     = ""
+}
+
+variable "ingress_external_namespace" {
+  description = "Namespace where your existing ingress controller service is deployed."
+  type        = string
+  default     = ""
+}
+
+variable "ingress_external_service_name" {
+  description = "Service name of your existing ingress controller."
+  type        = string
+  default     = ""
 }