r4f4
diff --git a/‎data/data/ibmcloud/bootstrap/main.tf‎
Lines changed: 10 additions & 0 deletions b/‎data/data/ibmcloud/bootstrap/main.tf‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎data/data/ibmcloud/master/main.tf‎
Lines changed: 15 additions & 6 deletions b/‎data/data/ibmcloud/master/main.tf‎
Lines changed: 15 additions & 6 deletions
diff --git a/‎data/data/ibmcloud/variables-ibmcloud.tf‎
Lines changed: 6 additions & 0 deletions b/‎data/data/ibmcloud/variables-ibmcloud.tf‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 9 additions & 6 deletions b/‎go.mod‎
Lines changed: 9 additions & 6 deletions
@@ -6,6 +6,9 @@ locals {
   # If we need to setup SecurityGroupRules to SSH to bootstrap, for non-public clusters (no Floating IP)
   # combine the Control Plane and Compute subnet CIDRs, to create rules for ingress on those CIDR's
   all_subnet_cidrs = local.public_endpoints ? [] : concat(data.ibm_is_subnet.control_plane_subnets[*].ipv4_cidr_block, data.ibm_is_subnet.compute_subnets[*].ipv4_cidr_block)
+
+  # If a boot volume encryption key CRN was supplied, create a list containing that CRN, otherwise an empty list for a dynamic block of boot volumes
+  boot_volume_key_crns = var.ibmcloud_control_plane_boot_volume_key == "" ? [] : [var.ibmcloud_control_plane_boot_volume_key]
 }
 
 ############################################
@@ -40,6 +43,13 @@ resource "ibm_is_instance" "bootstrap_node" {
     security_groups = concat(var.control_plane_security_group_id_list, [ibm_is_security_group.bootstrap.id])
   }
 
+  dynamic "boot_volume" {
+    for_each = local.boot_volume_key_crns
+    content {
+      encryption = boot_volume.value
+    }
+  }
+
   dedicated_host = length(var.control_plane_dedicated_host_id_list) > 0 ? var.control_plane_dedicated_host_id_list[0] : null
 
   vpc  = var.vpc_id
 
@@ -1,9 +1,11 @@
 locals {
-  prefix              = var.cluster_id
-  port_kubernetes_api = 6443
-  port_machine_config = 22623
-  subnet_count        = length(var.control_plane_subnet_id_list)
-  zone_count          = length(var.control_plane_subnet_zone_list)
+  # If a boot volume encryption key CRN was supplied, create a list containing that CRN, otherwise an empty list for a dynamic block of boot volumes
+  boot_volume_key_crns = var.ibmcloud_control_plane_boot_volume_key == "" ? [] : [var.ibmcloud_control_plane_boot_volume_key]
+  prefix               = var.cluster_id
+  port_kubernetes_api  = 6443
+  port_machine_config  = 22623
+  subnet_count         = length(var.control_plane_subnet_id_list)
+  zone_count           = length(var.control_plane_subnet_zone_list)
 }
 
 ############################################
@@ -25,6 +27,13 @@ resource "ibm_is_instance" "master_node" {
     security_groups = var.control_plane_security_group_id_list
   }
 
+  dynamic "boot_volume" {
+    for_each = local.boot_volume_key_crns
+    content {
+      encryption = boot_volume.value
+    }
+  }
+
   dedicated_host = length(var.control_plane_dedicated_host_id_list) > 0 ? var.control_plane_dedicated_host_id_list[count.index % local.zone_count] : null
 
   vpc  = var.vpc_id
@@ -63,4 +72,4 @@ resource "ibm_is_lb_pool_member" "machine_config" {
   pool           = var.lb_pool_machine_config_id
   port           = local.port_machine_config
   target_address = ibm_is_instance.master_node[count.index].primary_network_interface.0.primary_ipv4_address
-}
+}
@@ -79,6 +79,12 @@ variable "ibmcloud_vpc" {
   default     = null
 }
 
+variable "ibmcloud_control_plane_boot_volume_key" {
+  type        = string
+  description = "IBM Cloud Key Protect key CRN to use to encrypt the control plane's volume(s)."
+  default     = null
+}
+
 variable "ibmcloud_control_plane_subnets" {
   type        = list(string)
   description = "The names of the existing subnets for the control plane."
 
@@ -19,9 +19,10 @@ require (
 	github.com/IBM-Cloud/bluemix-go v0.0.0-20211102075456-ffc4e11dfb16
 	github.com/IBM-Cloud/power-go-client v1.5.3
 	github.com/IBM/go-sdk-core/v5 v5.14.1
+	github.com/IBM/keyprotect-go-client v0.12.2
 	github.com/IBM/networking-go-sdk v0.42.2
-	github.com/IBM/platform-services-go-sdk v0.42.0
-	github.com/IBM/vpc-go-sdk v0.20.0
+	github.com/IBM/platform-services-go-sdk v0.52.1
+	github.com/IBM/vpc-go-sdk v0.42.0
 	github.com/aliyun/alibaba-cloud-sdk-go v1.61.1264
 	github.com/aliyun/aliyun-oss-go-sdk v2.1.8+incompatible
 	github.com/apparentlymart/go-cidr v1.1.0
@@ -59,18 +60,18 @@ require (
 	github.com/microsoftgraph/msgraph-sdk-go v0.47.0
 	github.com/nutanix-cloud-native/prism-go-client v0.2.1-0.20220804130801-c8a253627c64
 	github.com/onsi/gomega v1.28.1
-	github.com/openshift/api v0.0.0-20231120222239-b86761094ee3
+	github.com/openshift/api v0.0.0-20231128111040-e1845c5a7acd
 	github.com/openshift/assisted-image-service v0.0.0-20230829160050-0b98ec74397b
 	github.com/openshift/assisted-service/api v0.0.0
 	github.com/openshift/assisted-service/client v0.0.0
 	github.com/openshift/assisted-service/models v0.0.0
-	github.com/openshift/client-go v0.0.0-20221019143426-16aed247da5c
+	github.com/openshift/client-go v0.0.0-20230503144108-75015d2347cb
 	github.com/openshift/cloud-credential-operator v0.0.0-20200316201045-d10080b52c9e
 	github.com/openshift/cluster-api-provider-baremetal v0.0.0-20220408122422-7a548effc26e
 	github.com/openshift/cluster-api-provider-libvirt v0.2.1-0.20230308152226-83c0473d4429
 	github.com/openshift/cluster-api-provider-ovirt v0.1.1-0.20220323121149-e3f2850dd519
 	github.com/openshift/hive/apis v0.0.0-20220222213051-def9088fdb5a
-	github.com/openshift/library-go v0.0.0-20220920133651-093893cf326b
+	github.com/openshift/library-go v0.0.0-20230508110756-9b7abe2c9cbf
 	github.com/openshift/machine-api-provider-ibmcloud v0.0.0-20230124105206-50aa171a52e1
 	github.com/openshift/machine-config-operator v0.0.0
 	github.com/ovirt/go-ovirt v0.0.0-20210809163552-d4276e35d3db
@@ -175,7 +176,6 @@ require (
 	github.com/googleapis/gax-go/v2 v2.11.0 // indirect
 	github.com/hashicorp/errwrap v1.0.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-hclog v1.2.0 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.4 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/terraform-json v0.14.0 // indirect
@@ -263,6 +263,9 @@ replace (
 // sigs.k8s.io/cluster-api-provider-azure => github.com/openshift/cluster-api-provider-azure v0.1.0-alpha.3.0.20210626224711-5d94c794092f // Indirect dependency through MAO from cluster API providers
 )
 
+// TODO(cjschaef): Remove before merge
+replace github.com/openshift/machine-api-provider-ibmcloud => github.com/cjschaef/machine-api-provider-ibmcloud v0.0.0-20231125212514-e4de41aba4e9
+
 replace sigs.k8s.io/cluster-api-provider-aws/v2 => sigs.k8s.io/cluster-api-provider-aws/v2 v2.0.0-20231024062453-0bf78b04b305
 
 replace sigs.k8s.io/cluster-api-provider-azure => sigs.k8s.io/cluster-api-provider-azure v1.11.1-0.20231026140308-a3f4914170d9