feat: added support to force all api calls made by the module to use IBM Cloud private endpoints for use cases where the runtime may not have access to the public network. This can be achieved by setting the use_private_endpoint variable to true.<br>- As part of this effort the ibmcloud_api_key input variable has been removed as an input for the module. (#442)

Author: Aashiq-J

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-04-23T04:36:25Z",
+  "generated_at": "2024-06-14T08:51:41Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -77,16 +77,6 @@
     }
   ],
   "results": {
-    "README.md": [
-      {
-        "hashed_secret": "dce1f02ca7cc4b63ac43008b7a3ce96e702a0c24",
-        "is_secret": false,
-        "is_verified": false,
-        "line_number": 49,
-        "type": "Secret Keyword",
-        "verified_result": null
-      }
-    ],
     "ibm_catalog.json": [
       {
         "hashed_secret": "a03815a5700107eb9f0d1a9608d2fcbdc48b7f5d",

README.md

@@ -46,7 +46,6 @@ Optionally, the module supports advanced security group management for the worke
 module "ocp_base" {
   source               = "terraform-ibm-modules/base-ocp-vpc/ibm"
   version              = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
-  ibmcloud_api_key     = "XXXXXXXXXXXXXXXXXXX"
   cluster_name         = "example-cluster-name"
   resource_group_id    = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
   region               = "us-south"
@@ -230,6 +229,9 @@ Optionally, you need the following permissions to attach Access Management tags
 | [ibm_container_cluster_config.cluster_config](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster_config) | data source |
 | [ibm_container_cluster_versions.cluster_versions](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster_versions) | data source |
 | [ibm_container_vpc_worker_pool.all_pools](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_vpc_worker_pool) | data source |
+| [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source |
+| [ibm_iam_auth_token.reset_api_key_tokendata](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_auth_token) | data source |
+| [ibm_iam_auth_token.tokendata](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_auth_token) | data source |
 | [ibm_is_lbs.all_lbs](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_lbs) | data source |
 | [ibm_is_virtual_endpoint_gateways.all_vpes](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateways) | data source |
 
@@ -252,7 +254,6 @@ Optionally, you need the following permissions to attach Access Management tags
 | <a name="input_enable_registry_storage"></a> [enable\_registry\_storage](#input\_enable\_registry\_storage) | Set to `true` to enable IBM Cloud Object Storage for the Red Hat OpenShift internal image registry. Set to `false` only for new cluster deployments in an account that is allowlisted for this feature. | `bool` | `true` | no |
 | <a name="input_existing_cos_id"></a> [existing\_cos\_id](#input\_existing\_cos\_id) | The COS id of an already existing COS instance to use for OpenShift internal registry storage. Only required if 'enable\_registry\_storage' and 'use\_existing\_cos' are true | `string` | `null` | no |
 | <a name="input_force_delete_storage"></a> [force\_delete\_storage](#input\_force\_delete\_storage) | Flag indicating whether or not to delete attached storage when destroying the cluster - Default: false | `bool` | `false` | no |
-| <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | APIkey that's associated with the account to use, set via environment variable TF\_VAR\_ibmcloud\_api\_key | `string` | n/a | yes |
 | <a name="input_ignore_worker_pool_size_changes"></a> [ignore\_worker\_pool\_size\_changes](#input\_ignore\_worker\_pool\_size\_changes) | Enable if using worker autoscaling. Stops Terraform managing worker count | `bool` | `false` | no |
 | <a name="input_kms_config"></a> [kms\_config](#input\_kms\_config) | Use to attach a KMS instance to the cluster. If account\_id is not provided, defaults to the account in use. | <pre>object({<br>    crk_id           = string<br>    instance_id      = string<br>    private_endpoint = optional(bool, true) # defaults to true<br>    account_id       = optional(string)     # To attach KMS instance from another account<br>    wait_for_apply   = optional(bool, true) # defaults to true so terraform will wait until the KMS is applied to the master, ready and deployed<br>  })</pre> | `null` | no |
 | <a name="input_manage_all_addons"></a> [manage\_all\_addons](#input\_manage\_all\_addons) | Instructs Terraform to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this module will destroy any addons that were installed by other sources. | `bool` | `false` | no |
@@ -264,6 +265,7 @@ Optionally, you need the following permissions to attach Access Management tags
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The Id of an existing IBM Cloud resource group where the cluster will be grouped. | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Metadata labels describing this cluster deployment, i.e. test | `list(string)` | `[]` | no |
 | <a name="input_use_existing_cos"></a> [use\_existing\_cos](#input\_use\_existing\_cos) | Flag indicating whether or not to use an existing COS instance for OpenShift internal registry storage. Only applicable if 'enable\_registry\_storage' is true | `bool` | `false` | no |
+| <a name="input_use_private_endpoint"></a> [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all api calls to use the IBM Cloud private endpoints. | `bool` | `false` | no |
 | <a name="input_verify_worker_network_readiness"></a> [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | Id of the VPC instance where this cluster will be provisioned | `string` | n/a | yes |
 | <a name="input_vpc_subnets"></a> [vpc\_subnets](#input\_vpc\_subnets) | Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster will be created | <pre>map(list(object({<br>    id         = string<br>    zone       = string<br>    cidr_block = string<br>  })))</pre> | n/a | yes |

examples/add_rules_to_sg/main.tf

@@ -166,7 +166,6 @@ locals {
 module "ocp_base" {
   source               = "../.."
   cluster_name         = var.prefix
-  ibmcloud_api_key     = var.ibmcloud_api_key
   resource_group_id    = module.resource_group.resource_group_id
   region               = var.region
   force_delete_storage = true

examples/advanced/main.tf

@@ -150,7 +150,6 @@ locals {
 module "ocp_base" {
   source               = "../.."
   cluster_name         = var.prefix
-  ibmcloud_api_key     = var.ibmcloud_api_key
   resource_group_id    = module.resource_group.resource_group_id
   region               = var.region
   force_delete_storage = true

examples/basic/main.tf

@@ -69,7 +69,6 @@ locals {
 
 module "ocp_base" {
   source               = "../.."
-  ibmcloud_api_key     = var.ibmcloud_api_key
   resource_group_id    = module.resource_group.resource_group_id
   region               = var.region
   tags                 = var.resource_tags

examples/cross_kms_support/main.tf

@@ -75,7 +75,6 @@ locals {
 
 module "ocp_base" {
   source               = "../.."
-  ibmcloud_api_key     = var.ibmcloud_api_key
   resource_group_id    = module.resource_group.resource_group_id
   region               = var.region
   tags                 = var.resource_tags

examples/custom_sg/main.tf

@@ -94,7 +94,6 @@ module "custom_sg" {
 
 module "ocp_base" {
   source                            = "../.."
-  ibmcloud_api_key                  = var.ibmcloud_api_key
   resource_group_id                 = module.resource_group.resource_group_id
   region                            = var.region
   tags                              = var.resource_tags

examples/fscloud/main.tf

@@ -232,20 +232,38 @@ locals {
   ]
 }
 
+########################################################################################################################
+# Security groups
+# Creating some security group for illustration purpose in this example.
+# Real-world sg would have your own rules set in the `security_group_rules` input.
+########################################################################################################################
+
+module "custom_sg" {
+  for_each                     = toset(["custom-lb-sg"])
+  source                       = "terraform-ibm-modules/security-group/ibm"
+  version                      = "2.6.1"
+  add_ibm_cloud_internal_rules = false
+  security_group_name          = each.key
+  security_group_rules         = []
+  resource_group               = module.resource_group.resource_group_id
+  vpc_id                       = module.vpc.vpc_id
+}
+
 module "ocp_fscloud" {
-  source               = "../../modules/fscloud"
-  cluster_name         = var.prefix
-  ibmcloud_api_key     = var.ibmcloud_api_key
-  resource_group_id    = module.resource_group.resource_group_id
-  region               = var.region
-  force_delete_storage = true
-  vpc_id               = module.vpc.vpc_id
-  vpc_subnets          = local.cluster_vpc_subnets
-  existing_cos_id      = module.cos_fscloud.cos_instance_id
-  worker_pools         = local.worker_pools
-  tags                 = var.resource_tags
-  access_tags          = var.access_tags
-  ocp_version          = var.ocp_version
+  source                           = "../../modules/fscloud"
+  cluster_name                     = var.prefix
+  resource_group_id                = module.resource_group.resource_group_id
+  region                           = var.region
+  force_delete_storage             = true
+  vpc_id                           = module.vpc.vpc_id
+  vpc_subnets                      = local.cluster_vpc_subnets
+  existing_cos_id                  = module.cos_fscloud.cos_instance_id
+  worker_pools                     = local.worker_pools
+  tags                             = var.resource_tags
+  access_tags                      = var.access_tags
+  ocp_version                      = var.ocp_version
+  additional_lb_security_group_ids = [module.custom_sg["custom-lb-sg"].security_group_id]
+  use_private_endpoint             = true
   kms_config = {
     instance_id      = var.hpcs_instance_guid
     crk_id           = local.cluster_hpcs_cluster_key_id

examples/multiple_mzr_clusters/main.tf

@@ -123,7 +123,6 @@ module "ocp_base_cluster_1" {
   worker_pools_taints  = local.worker_pool_taints
   ocp_version          = var.ocp_version
   tags                 = var.resource_tags
-  ibmcloud_api_key     = var.ibmcloud_api_key
 }
 
 module "ocp_base_cluster_2" {
@@ -138,7 +137,6 @@ module "ocp_base_cluster_2" {
   worker_pools_taints  = local.worker_pool_taints
   ocp_version          = var.ocp_version
   tags                 = var.resource_tags
-  ibmcloud_api_key     = var.ibmcloud_api_key
 }
 
 ########################################################################################################################

main.tf

@@ -245,12 +245,19 @@ resource "ibm_resource_tag" "cluster_access_tag" {
 # new key, and simply use the key created by this script. So hence should not face 404s anymore.
 # The IKS team are tracking internally https://github.ibm.com/alchemy-containers/armada-ironsides/issues/5023
 
+data "ibm_iam_auth_token" "reset_api_key_tokendata" {
+}
+
+data "ibm_iam_account_settings" "iam_account_settings" {
+}
+
 resource "null_resource" "reset_api_key" {
   provisioner "local-exec" {
-    command     = "${path.module}/scripts/reset_iks_api_key.sh ${var.region} ${var.resource_group_id}"
+    command     = "${path.module}/scripts/reset_iks_api_key.sh ${var.region} ${var.resource_group_id} ${var.use_private_endpoint}"
     interpreter = ["/bin/bash", "-c"]
     environment = {
-      IBMCLOUD_API_KEY = var.ibmcloud_api_key
+      IAM_TOKEN  = data.ibm_iam_auth_token.reset_api_key_tokendata.iam_access_token
+      ACCOUNT_ID = data.ibm_iam_account_settings.iam_account_settings.account_id
     }
   }
 }
@@ -495,15 +502,20 @@ locals {
   lbs_associated_with_cluster = length(var.additional_lb_security_group_ids) > 0 ? [for lb in data.ibm_is_lbs.all_lbs[0].load_balancers : lb.id if strcontains(lb.name, local.cluster_id)] : []
 }
 
+
+data "ibm_iam_auth_token" "tokendata" {
+  depends_on = [data.ibm_is_lbs.all_lbs]
+}
+
 resource "null_resource" "confirm_lb_active" {
   count      = length(var.additional_lb_security_group_ids)
-  depends_on = [data.ibm_is_lbs.all_lbs]
+  depends_on = [data.ibm_iam_auth_token.tokendata]
 
   provisioner "local-exec" {
-    command     = "${path.module}/scripts/confirm_lb_active.sh ${var.region} ${var.resource_group_id} ${local.lbs_associated_with_cluster[count.index]}"
+    command     = "${path.module}/scripts/confirm_lb_active.sh ${var.region} ${local.lbs_associated_with_cluster[count.index]} ${var.use_private_endpoint}"
     interpreter = ["/bin/bash", "-c"]
     environment = {
-      IBMCLOUD_API_KEY = var.ibmcloud_api_key
+      IAM_TOKEN = data.ibm_iam_auth_token.tokendata.iam_access_token
     }
   }
 }