fix: Ignore lifecycle changes, support Resource Manager variables (#583)

* Remove extraneous icmp_options reporting change each apply

Signed-off-by: Devon Crouse <[email protected]>

* Ignore node pool changes for automatic tagging and dynamic variables reporting change each apply

Signed-off-by: Devon Crouse <[email protected]>

* Use specific compartment for AD listing

Signed-off-by: Devon Crouse <[email protected]>

* Ignore cluster changes for automatic tagging reporting change each apply

Signed-off-by: Devon Crouse <[email protected]>

* Suppress reported output changes on each apply/destroy

Signed-off-by: Devon Crouse <[email protected]>

* Ignore dynamic kubeconfig changes reported each apply w/ refresh option

Signed-off-by: Devon Crouse <[email protected]>

* Support variable naming populated by Resource Manager

Signed-off-by: Devon Crouse <[email protected]>

* Provided bastion IP fallback if creation disabled, omit -i if no key file for output var

Signed-off-by: Devon Crouse <[email protected]>

* Use stable random suffix for dynamic group name

Signed-off-by: Devon Crouse <[email protected]>

* Fall back to provided bastion/operator addresses, user config

Signed-off-by: Devon Crouse <[email protected]>

* Clarify TF resource naming for operator IAM

* Update modules: bastion 3.1.2, operator 3.1.1

Signed-off-by: Devon Crouse <[email protected]>

Signed-off-by: Devon Crouse <[email protected]>

Author: devoncrouse

datasource.tf

@@ -4,7 +4,7 @@
 data "oci_core_vcns" "vcns" {
   count = var.create_vcn == true ? 0 : 1
 
-  compartment_id = var.compartment_id
+  compartment_id = local.compartment_id
   display_name   = var.vcn_display_name
 
   state = "AVAILABLE"
@@ -13,7 +13,7 @@ data "oci_core_vcns" "vcns" {
 data "oci_core_route_tables" "nat" {
   count = var.create_vcn == true ? 0 : 1
 
-  compartment_id = var.compartment_id
+  compartment_id = local.compartment_id
 
   display_name = var.nat_route_table_display_name
   vcn_id       = local.vcn_id
@@ -24,7 +24,7 @@ data "oci_core_route_tables" "nat" {
 data "oci_core_route_tables" "ig" {
   count = var.create_vcn == true ? 0 : 1
 
-  compartment_id = var.compartment_id
+  compartment_id = local.compartment_id
 
   display_name = var.ig_route_table_display_name
   vcn_id       = local.vcn_id

docs/instructions.adoc

@@ -241,6 +241,10 @@ export KUBECONFIG=generated/kubeconfig
 *Ensure you install the same kubectl version as the OKE Kubernetes version for compatibility.*
 ****
 
+****
+*To refresh the generated kubeconfig, run `terraform apply` with `update_kubeconfig: true`.*
+****
+
 == Creating a Secret for OCIR
 
 {uri-oci-ocir}[Oracle Cloud Infrastructure Registry] is a highly available private container registry service for storing and sharing container images within the same regions as the OKE Cluster. Use the following rules to determine if you need to create a Kubernetes Secret for OCIR:

docs/terraformoptions.adoc

@@ -16,11 +16,14 @@
 :uri-kubernetes-vpa: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler
 :uri-metrics-server: https://github.com/kubernetes-incubator/metrics-server
 :uri-openpolicyagent-gatekeeper: https://open-policy-agent.github.io/gatekeeper/website/docs/
+:uri-oci-content: https://docs.cloud.oracle.com/iaas/Content
 :uri-oci-images: https://docs.cloud.oracle.com/iaas/images/
-:uri-oci-kms: https://docs.cloud.oracle.com/iaas/Content/KeyManagement/Concepts/keyoverview.htm
+:uri-oci-kms: {uri-oci-content}/KeyManagement/Concepts/keyoverview.htm
 :uri-oci-loadbalancer-annotations: https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md
-:uri-oci-region: https://docs.cloud.oracle.com/iaas/Content/General/Concepts/regions.htm
-:uri-oci-tags: https://docs.oracle.com/en-us/iaas/Content/Tagging/Tasks/managingtagsandtagnamespaces.htm#workdefined
+:uri-oci-provider-config: {uri-oci-content}/API/SDKDocs/terraformproviderconfiguration.htm
+:uri-oci-region: {uri-oci-content}/General/Concepts/regions.htm
+:uri-oci-rm-config: {uri-oci-content}/ResourceManager/Concepts/terraformconfigresourcemanager.htm#configvar
+:uri-oci-tags: {uri-oci-content}/Tagging/Tasks/managingtagsandtagnamespaces.htm#workdefined
 :uri-terraform-cidrsubnet: https://www.terraform.io/docs/configuration/functions/cidrsubnet.html
 :uri-terraform-dependencies: {uri-docs}/dependencies.adoc
 :uri-timezones: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
@@ -32,6 +35,8 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 
 == OCI Provider parameters
 
+See {uri-oci-provider-config}[Terraform OCI Provider] or {uri-oci-rm-config}[Resource Manager] configuration.
+
 [stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
@@ -332,6 +337,11 @@ EOT
 |7.9
 |7.9
 
+|`bastion_user`
+|The user for SSH access to the bastion host. Always 'opc' on supported images.
+|opc
+|opc
+
 |bastion_shape
 |The shape of bastion instance. *Required*
 |
@@ -447,6 +457,11 @@ EOT
 |e.g. 7.9, 8
 |8
 
+|`operator_user`
+|The user for SSH access to the operator host. Always 'opc' on supported images.
+|opc
+|opc
+
 |`operator_shape`
 |The shape of operator instance. *Required*
 |

locals.tf

@@ -2,13 +2,20 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 locals {
-  bastion_public_ip                      = var.create_bastion_host == true ? module.bastion[0].bastion_public_ip : ""
-  operator_private_ip                    = var.create_operator == true ? module.operator[0].operator_private_ip : ""
+  tenancy_id     = coalesce(var.tenancy_id, var.tenancy_ocid)
+  compartment_id = coalesce(
+    var.compartment_id, var.compartment_ocid,
+    var.tenancy_id, var.tenancy_ocid,
+  )
+
+  bastion_public_ip                      = var.create_bastion_host == true ? module.bastion[0].bastion_public_ip : coalesce(var.bastion_public_ip, "")
+  operator_private_ip                    = var.create_operator == true ? module.operator[0].operator_private_ip : coalesce(var.operator_private_ip, "")
   operator_instance_principal_group_name = var.create_operator == true ? module.operator[0].operator_instance_principal_group_name : ""
 
   vcn_id       = var.create_vcn == true ? module.vcn[0].vcn_id : coalesce(var.vcn_id, try(data.oci_core_vcns.vcns[0].virtual_networks[0].id,""))
   ig_route_id  = var.create_vcn == true ? module.vcn[0].ig_route_id : coalesce(var.ig_route_table_id, try(data.oci_core_route_tables.ig[0].route_tables[0].id,""))
   nat_route_id = var.create_vcn == true ? module.vcn[0].nat_route_id : coalesce(var.nat_route_table_id, try(data.oci_core_route_tables.nat[0].route_tables[0].id,""))
 
+  ssh_key_arg                            = var.ssh_private_key_path == "none" ? "" : " -i ${var.ssh_private_key_path}"
   validate_drg_input = var.create_drg && (var.drg_id != null) ? tobool("[ERROR]: create_drg variable can not be true if drg_id is provided.]") : true
 }

main.tf

@@ -6,7 +6,7 @@ module "vcn" {
   version = "3.5.1"
 
   # general oci parameters
-  compartment_id = var.compartment_id
+  compartment_id = local.compartment_id
   label_prefix   = var.label_prefix
 
   # gateways
@@ -35,12 +35,11 @@ module "vcn" {
 }
 
 module "drg" {
-
   source  = "oracle-terraform-modules/drg/oci"
   version = "1.0.3"
 
   # general oci parameters
-  compartment_id = var.compartment_id
+  compartment_id = local.compartment_id
   label_prefix   = var.label_prefix
 
   # drg parameters
@@ -60,10 +59,10 @@ module "drg" {
 
 module "bastion" {
   source  = "oracle-terraform-modules/bastion/oci"
-  version = "3.1.1"
+  version = "3.1.2"
 
-  tenancy_id     = var.tenancy_id
-  compartment_id = var.compartment_id
+  tenancy_id     = local.tenancy_id
+  compartment_id = local.compartment_id
 
   label_prefix = var.label_prefix
 
@@ -109,12 +108,12 @@ module "bastion" {
 
 module "operator" {
   source  = "oracle-terraform-modules/operator/oci"
-  version = "3.1.0"
+  version = "3.1.1"
 
-  tenancy_id = var.tenancy_id
 
   # general oci parameters
-  compartment_id = var.compartment_id
+  tenancy_id     = local.tenancy_id
+  compartment_id = local.compartment_id
   label_prefix   = var.label_prefix
 
   # networking
@@ -162,7 +161,7 @@ module "bastionsvc" {
   source = "./modules/bastionsvc"
 
   # general oci parameters
-  compartment_id = var.compartment_id
+  compartment_id = local.compartment_id
   label_prefix   = var.label_prefix
 
   # bastion service parameters
@@ -184,7 +183,7 @@ module "network" {
   source = "./modules/network"
 
   # general oci parameters
-  compartment_id = var.compartment_id
+  compartment_id = local.compartment_id
   label_prefix   = var.label_prefix
 
   # oke networking parameters
@@ -233,10 +232,10 @@ module "oke" {
   source = "./modules/oke"
 
   # provider
-  tenancy_id = var.tenancy_id
+  tenancy_id = local.tenancy_id
 
   # general oci parameters
-  compartment_id = var.compartment_id
+  compartment_id = local.compartment_id
   label_prefix   = var.label_prefix
 
   # ssh keys
@@ -301,8 +300,8 @@ module "storage" {
   source = "./modules/storage"
 
   # general oci parameters
-  tenancy_id          = var.tenancy_id
-  compartment_id      = var.compartment_id
+  tenancy_id          = local.tenancy_id
+  compartment_id      = local.compartment_id
   availability_domain = var.availability_domains["fss"]
   label_prefix        = var.label_prefix
 
@@ -330,10 +329,10 @@ module "extensions" {
   source = "./modules/extensions"
 
   # provider
-  tenancy_id = var.tenancy_id
+  tenancy_id = local.tenancy_id
 
   # general oci parameters
-  compartment_id = var.compartment_id
+  compartment_id = local.compartment_id
   label_prefix   = var.label_prefix
 
   # region parameters
@@ -348,11 +347,13 @@ module "extensions" {
   # bastion
   create_bastion_host = var.create_bastion_host
   bastion_public_ip   = local.bastion_public_ip
+  bastion_user        = var.bastion_user
   bastion_state       = var.bastion_state
 
   # operator details
   create_operator                    = var.create_operator
   operator_private_ip                = local.operator_private_ip
+  operator_user                      = var.operator_user
   operator_state                     = var.operator_state
   operator_dynamic_group             = local.operator_instance_principal_group_name
   enable_operator_instance_principal = var.enable_operator_instance_principal
@@ -400,7 +401,8 @@ module "extensions" {
   nodepool_upgrade_method = var.nodepool_upgrade_method
   node_pools_to_drain     = var.node_pools_to_drain
 
-  debug_mode = var.debug_mode
+  debug_mode        = var.debug_mode
+  update_kubeconfig = var.update_kubeconfig
 
   depends_on = [
     module.bastion,

modules/extensions/activeworker.tf

@@ -11,10 +11,10 @@ resource "null_resource" "check_worker_active" {
     private_key = local.ssh_private_key
     timeout     = "40m"
     type        = "ssh"
-    user        = "opc"
+    user        = var.operator_user
 
     bastion_host        = var.bastion_public_ip
-    bastion_user        = "opc"
+    bastion_user        = var.bastion_user
     bastion_private_key = local.ssh_private_key
   }
 

modules/extensions/calico.tf

@@ -7,10 +7,10 @@ resource "null_resource" "install_calico" {
     private_key = local.ssh_private_key
     timeout     = "40m"
     type        = "ssh"
-    user        = "opc"
+    user        = var.operator_user
 
     bastion_host        = var.bastion_public_ip
-    bastion_user        = "opc"
+    bastion_user        = var.bastion_user
     bastion_private_key = local.ssh_private_key
   }
 

modules/extensions/drain.tf

@@ -7,10 +7,10 @@ resource "null_resource" "drain_nodes" {
     private_key = local.ssh_private_key
     timeout     = "40m"
     type        = "ssh"
-    user        = "opc"
+    user        = var.operator_user
 
     bastion_host        = var.bastion_public_ip
-    bastion_user        = "opc"
+    bastion_user        = var.bastion_user
     bastion_private_key = local.ssh_private_key
   }
 

modules/extensions/gatekeeper.tf

@@ -7,10 +7,10 @@ resource "null_resource" "enable_gatekeeper" {
     private_key = local.ssh_private_key
     timeout     = "40m"
     type        = "ssh"
-    user        = "opc"
+    user        = var.operator_user
 
     bastion_host        = var.bastion_public_ip
-    bastion_user        = "opc"
+    bastion_user        = var.bastion_user
     bastion_private_key = local.ssh_private_key
   }
 

modules/extensions/iam.tf

@@ -14,24 +14,39 @@ terraform {
 }
 
 locals {
-  create_operator_instance_principal_dynamic_group = (var.use_cluster_encryption == true && var.create_policies == true && var.create_bastion_host == true && var.enable_operator_instance_principal == true)
+  create_operator_dynamic_group_policy = (var.use_cluster_encryption == true && var.create_policies == true && var.create_bastion_host == true && var.enable_operator_instance_principal == true)
 }
 
-resource "oci_identity_policy" "operator_instance_principal_dynamic_group" {
+resource "random_id" "dynamic_group_suffix" {
+  keepers = {
+    # Generate a new suffix only when variables are changed
+    label_prefix         = local.dynamic_group_prefix
+    tenancy_id           = var.tenancy_id
+  }
+
+  byte_length = 8
+}
+
+# TODO Move to Operator module
+resource "oci_identity_policy" "operator_use_dynamic_group_policy" {
   provider       = oci.home
-  compartment_id = var.tenancy_id
+  compartment_id = random_id.dynamic_group_suffix.keepers.tenancy_id
   description    = "policy to allow operator host to manage dynamic group"
-  name           = var.label_prefix == "none" ? "operator-instance-principal-dynamic-group-${substr(uuid(), 0, 8)}" : "${var.label_prefix}-operator-instance-principal-dynamic-group-${substr(uuid(), 0, 8)}"
+  name           = join("-", compact([
+    random_id.dynamic_group_suffix.keepers.label_prefix,
+    "operator-instance-principal-dynamic-group",
+    random_id.dynamic_group_suffix.hex
+  ]))
   statements     = ["Allow dynamic-group ${var.operator_dynamic_group} to use dynamic-groups in tenancy"]
-  count          = (local.create_operator_instance_principal_dynamic_group == true) ? 1 : 0
+  count          = (local.create_operator_dynamic_group_policy == true) ? 1 : 0
 }
 
 # 30s delay to allow policies to take effect globally
 resource "time_sleep" "wait_30_seconds" {
-  depends_on = [oci_identity_policy.operator_instance_principal_dynamic_group]
+  depends_on = [oci_identity_policy.operator_use_dynamic_group_policy]
 
   create_duration = "30s"
-  count          = (local.create_operator_instance_principal_dynamic_group == true) ? 1 : 0
+  count          = (local.create_operator_dynamic_group_policy == true) ? 1 : 0
 }
 
 resource "null_resource" "update_dynamic_group" {
@@ -41,10 +56,10 @@ resource "null_resource" "update_dynamic_group" {
     private_key = local.ssh_private_key
     timeout     = "40m"
     type        = "ssh"
-    user        = "opc"
+    user        = var.operator_user
 
     bastion_host        = var.bastion_public_ip
-    bastion_user        = "opc"
+    bastion_user        = var.bastion_user
     bastion_private_key = local.ssh_private_key
   }
 
@@ -61,5 +76,5 @@ resource "null_resource" "update_dynamic_group" {
     ]
   }
 
-  count = (local.create_operator_instance_principal_dynamic_group && var.bastion_state == "RUNNING" ) ? 1 : 0
+  count = (local.create_operator_dynamic_group_policy && var.bastion_state == "RUNNING" ) ? 1 : 0
 }