OCPBUGS-24473: IBMCloud: Set IBM TF visibility based on URLs

Set the IBM Cloud Terraform visibility mode based on whether
any ServiceEndpoints are suspected to be private (or direct for COS),
based on their URL's.

Related: https://issues.redhat.com/browse/OCPBUGS-24473

Author: cjschaef

data/data/ibmcloud/bootstrap/common.tf

@@ -1,8 +1,7 @@
 locals {
   description = "Created By OpenShift Installer"
-  # If any Service Endpoints are being overridden, set visibility to 'private'
-  # for IBM Terraform Provider to use the endpoints JSON file.
-  endpoint_visibility = var.ibmcloud_endpoints_json_file != "" ? "private" : "public"
+  # If specified, set visibility to 'private' for IBM Terraform Provider
+  endpoint_visibility = var.ibmcloud_terraform_private_visibility ? "private" : "public"
   public_endpoints    = var.ibmcloud_publish_strategy == "External" ? true : false
   tags = concat(
     ["kubernetes.io_cluster_${var.cluster_id}:owned"],

data/data/ibmcloud/master/common.tf

@@ -1,8 +1,7 @@
 locals {
   description = "Created By OpenShift Installer"
-  # If any Service Endpoints are being overridden, set visibility to 'private'
-  # for IBM Terraform Provider to use the endpoints JSON file.
-  endpoint_visibility = var.ibmcloud_endpoints_json_file != "" ? "private" : "public"
+  # If specified, set visibility to 'private' for IBM Terraform Provider
+  endpoint_visibility = var.ibmcloud_terraform_private_visibility ? "private" : "public"
   public_endpoints    = var.ibmcloud_publish_strategy == "External" ? true : false
   tags = concat(
     ["kubernetes.io_cluster_${var.cluster_id}:owned"],

data/data/ibmcloud/network/common.tf

@@ -1,8 +1,7 @@
 locals {
   description = "Created By OpenShift Installer"
-  # If any Service Endpoints are being overridden, set visibility to 'private'
-  # for IBM Terraform Provider to use the endpoints JSON file.
-  endpoint_visibility = var.ibmcloud_endpoints_json_file != "" ? "private" : "public"
+  # If specified, set visibility to 'private' for IBM Terraform Provider
+  endpoint_visibility = var.ibmcloud_terraform_private_visibility ? "private" : "public"
   public_endpoints    = var.ibmcloud_publish_strategy == "External" ? true : false
   tags = concat(
     ["kubernetes.io_cluster_${var.cluster_id}:owned"],

data/data/ibmcloud/variables-ibmcloud.tf

@@ -51,6 +51,12 @@ variable "ibmcloud_image_filepath" {
   description = "The file path to the RHCOS image"
 }
 
+variable "ibmcloud_terraform_private_visibility" {
+  type        = bool
+  description = "Specified whether the IBM Cloud terraform provider visibility mode should be private, for endpoint usage."
+  default     = false
+}
+
 #######################################
 # Top-level module variables (optional)
 #######################################

pkg/asset/cluster/tfvars.go

@@ -657,40 +657,52 @@ func (t *TerraformVariables) Generate(parents asset.Parents) error {
 		// NOTE(cjschaef): If one or more ServiceEndpoint's are supplied, attempt to build the Terraform endpoint_file_path
 		// https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints#file-structure-for-endpoints-file
 		var endpointsJSONFile string
+		// Set Terraform visibility mode if necessary
+		terraformPrivateVisibility := false
 		if len(installConfig.Config.Platform.IBMCloud.ServiceEndpoints) > 0 {
+			// Determine if any endpoints require 'private' Terraform visibility mode (any contain 'private' or 'direct' for COS)
+			// This is a requirement for the IBM Cloud Terraform provider, forcing 'public' or 'private' visibility mode.
+			for _, endpoint := range installConfig.Config.Platform.IBMCloud.ServiceEndpoints {
+				if strings.Contains(endpoint.URL, "private") || strings.Contains(endpoint.URL, "direct") {
+					// If at least one endpoint is private (or direct) we expect to use Private visibility mode
+					terraformPrivateVisibility = true
+					break
+				}
+			}
+
 			endpointData, err := ibmcloudtfvars.CreateEndpointJSON(installConfig.Config.Platform.IBMCloud.ServiceEndpoints, installConfig.Config.Platform.IBMCloud.Region)
 			if err != nil {
 				return err
 			}
-			// While we should have already confirmed there are ServiceEndpoints, we can verify data did get created, requiring the JSON file gets created and passed along
-			if endpointData == nil {
-				return fmt.Errorf("failed to generate endpoint JSON with provided IBM Cloud ServiceEndpoints")
+			// While service endpoints may not be empty, they may not be required for Terraform.
+			// So, if we have not endpoint data, we don't need to generate the JSON override file.
+			if endpointData != nil {
+				// Add endpoint JSON data to list of generated files for Terraform
+				t.FileList = append(t.FileList, &asset.File{
+					Filename: ibmcloudtfvars.IBMCloudEndpointJSONFileName,
+					Data:     endpointData,
+				})
+				endpointsJSONFile = ibmcloudtfvars.IBMCloudEndpointJSONFileName
 			}
-
-			// Add endpoint JSON data to list of generated files for Terraform
-			t.FileList = append(t.FileList, &asset.File{
-				Filename: ibmcloudtfvars.IBMCloudEndpointJSONFileName,
-				Data:     endpointData,
-			})
-			endpointsJSONFile = ibmcloudtfvars.IBMCloudEndpointJSONFileName
 		}
 
 		data, err = ibmcloudtfvars.TFVars(
 			ibmcloudtfvars.TFVarsSources{
-				Auth:                     auth,
-				CISInstanceCRN:           cisCRN,
-				DNSInstanceID:            dnsID,
-				EndpointsJSONFile:        endpointsJSONFile,
-				ImageURL:                 string(*rhcosImage),
-				MasterConfigs:            masterConfigs,
-				MasterDedicatedHosts:     masterDedicatedHosts,
-				NetworkResourceGroupName: installConfig.Config.Platform.IBMCloud.NetworkResourceGroupName,
-				PreexistingVPC:           preexistingVPC,
-				PublishStrategy:          installConfig.Config.Publish,
-				ResourceGroupName:        installConfig.Config.Platform.IBMCloud.ResourceGroupName,
-				VPCPermitted:             vpcPermitted,
-				WorkerConfigs:            workerConfigs,
-				WorkerDedicatedHosts:     workerDedicatedHosts,
+				Auth:                       auth,
+				CISInstanceCRN:             cisCRN,
+				DNSInstanceID:              dnsID,
+				EndpointsJSONFile:          endpointsJSONFile,
+				ImageURL:                   string(*rhcosImage),
+				MasterConfigs:              masterConfigs,
+				MasterDedicatedHosts:       masterDedicatedHosts,
+				NetworkResourceGroupName:   installConfig.Config.Platform.IBMCloud.NetworkResourceGroupName,
+				PreexistingVPC:             preexistingVPC,
+				PublishStrategy:            installConfig.Config.Publish,
+				ResourceGroupName:          installConfig.Config.Platform.IBMCloud.ResourceGroupName,
+				TerraformPrivateVisibility: terraformPrivateVisibility,
+				VPCPermitted:               vpcPermitted,
+				WorkerConfigs:              workerConfigs,
+				WorkerDedicatedHosts:       workerDedicatedHosts,
 			},
 		)
 		if err != nil {

pkg/destroy/bootstrap/bootstrap.go

@@ -68,17 +68,15 @@ func Destroy(ctx context.Context, dir string) (err error) {
 		if err != nil {
 			return fmt.Errorf("failed generating endpoint override JSON data for bootstrap destroy: %w", err)
 		}
-		// Since there are ServiceEndpoints, we expect JSON data to be generated.
-		if jsonData == nil {
-			return fmt.Errorf("no endpoint override JSON data generated for set of endpoint overrides")
-		}
 
 		// If JSON data was generated, create the JSON file for IBM Cloud Terraform provider to use during destroy.
-		endpointsFilePath := filepath.Join(dir, ibmcloudtfvars.IBMCloudEndpointJSONFileName)
-		if err := os.WriteFile(endpointsFilePath, jsonData, 0o600); err != nil {
-			return fmt.Errorf("failed to write IBM Cloud service endpoint override JSON file for bootstrap destroy: %w", err)
+		if jsonData != nil {
+			endpointsFilePath := filepath.Join(dir, ibmcloudtfvars.IBMCloudEndpointJSONFileName)
+			if err := os.WriteFile(endpointsFilePath, jsonData, 0o600); err != nil {
+				return fmt.Errorf("failed to write IBM Cloud service endpoint override JSON file for bootstrap destroy: %w", err)
+			}
+			logrus.Debugf("generated ibm endpoint overrides file: %s", endpointsFilePath)
 		}
-		logrus.Debugf("generated ibm endpoint overrides file: %s", endpointsFilePath)
 	}
 
 	fg := featuregates.FeatureGateFromFeatureSets(configv1.FeatureSets, metadata.FeatureSet, metadata.CustomFeatureSet)