feat: add script to check the status of the LB before attaching SG (#417)

Aashiq-J · web-flow · commit 07a8bc4a32ba · 2024-05-07T15:14:13.000+01:00
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-02-29T19:31:09Z",
+  "generated_at": "2024-04-22T04:36:25Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -82,7 +82,7 @@
         "hashed_secret": "dce1f02ca7cc4b63ac43008b7a3ce96e702a0c24",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 47,
+        "line_number": 49,
         "type": "Secret Keyword",
         "verified_result": null
       }
diff --git a/README.md b/README.md
@@ -17,6 +17,8 @@ Optionally, the module supports advanced security group management for the worke
 
 - Ensure that you have an up-to-date version of the [IBM Cloud CLI](https://cloud.ibm.com/docs/cli?topic=cli-getting-started).
 - Ensure that you have an up-to-date version of the [IBM Cloud Kubernetes service CLI](https://cloud.ibm.com/docs/containers?topic=containers-kubernetes-service-cli).
+- Ensure that you have an up-to-date version of the [IBM Cloud VPC Infrastructure service CLI](https://cloud.ibm.com/docs/vpc?topic=vpc-vpc-reference). Only required if providing additional security groups with the `var.additional_lb_security_group_ids`.
+- Ensure that you have an up-to-date version of the [jq](https://jqlang.github.io/jq)
 
 <!-- Below content is automatically populated via pre-commit hook -->
 <!-- BEGIN OVERVIEW HOOK -->
@@ -221,6 +223,7 @@ Optionally, you need the following permissions to attach Access Management tags
 | [ibm_resource_tag.cos_access_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource |
 | [kubernetes_config_map_v1_data.set_autoscaling](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1_data) | resource |
 | [null_resource.config_map_status](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.confirm_lb_active](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.confirm_network_healthy](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.reset_api_key](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [ibm_container_addons.existing_addons](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_addons) | data source |
diff --git a/main.tf b/main.tf
@@ -491,7 +491,21 @@ locals {
   lbs_associated_with_cluster = length(var.additional_lb_security_group_ids) > 0 ? [for lb in data.ibm_is_lbs.all_lbs[0].load_balancers : lb.id if strcontains(lb.name, local.cluster_id)] : []
 }
 
+resource "null_resource" "confirm_lb_active" {
+  count      = length(var.additional_lb_security_group_ids)
+  depends_on = [data.ibm_is_lbs.all_lbs]
+
+  provisioner "local-exec" {
+    command     = "${path.module}/scripts/confirm_lb_active.sh ${var.region} ${var.resource_group_id} ${local.lbs_associated_with_cluster[count.index]}"
+    interpreter = ["/bin/bash", "-c"]
+    environment = {
+      IBMCLOUD_API_KEY = var.ibmcloud_api_key
+    }
+  }
+}
+
 module "attach_sg_to_lb" {
+  depends_on                     = [null_resource.confirm_lb_active]
   count                          = length(var.additional_lb_security_group_ids)
   source                         = "terraform-ibm-modules/security-group/ibm"
   version                        = "2.6.1"
diff --git a/scripts/confirm_lb_active.sh b/scripts/confirm_lb_active.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set -euo pipefail
+
+REGION="$1"
+RESOURCE_GROUP_ID="$2"
+LB_ID="$3"
+
+# Expects the environment variable $IBMCLOUD_API_KEY to be set
+if [[ -z "${IBMCLOUD_API_KEY}" ]]; then
+    echo "API key must be set with IBMCLOUD_API_KEY environment variable" >&2
+    exit 1
+fi
+
+if [[ -z "${REGION}" ]]; then
+    echo "Region must be passed as first input script argument" >&2
+    exit 1
+fi
+
+if [[ -z "${RESOURCE_GROUP_ID}" ]]; then
+    echo "Resource_group_id must be passed as second input script argument" >&2
+    exit 1
+fi
+
+# Login to ibmcloud with cli
+attempts=1
+until ibmcloud login -q -r "${REGION}" -g "${RESOURCE_GROUP_ID}" || [ $attempts -ge 3 ]; do
+    attempts=$((attempts + 1))
+    echo "Error logging in to IBM Cloud CLI..." >&2
+    sleep 5
+done
+
+lb_attempts=1
+while true; do
+    status=$(ibmcloud is load-balancer "$LB_ID" --output json | jq -r .provisioning_status)
+    echo "Load balancer status: $status"
+    if [[ "$status" == "active" ]]; then
+        break
+    else
+        lb_attempts=$((lb_attempts + 1))
+        if [ $lb_attempts -ge 10 ]; then
+            echo "Load balancer status: $status"
+            break
+        fi
+        echo "Sleeping for 30 secs.."
+        sleep 30
+    fi
+    status=""
+done
