feat: added support to attach additional security groups to the worker pools, VPE and load balancers. See the new [Attaching custom security groups example](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/tree/main/examples/custom_sg) for usage. (#342)

vburckhardt · web-flow · commit 0db7afdf5167 · 2024-01-31T15:57:23.000Z
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-12-11T10:54:11Z",
+  "generated_at": "2024-01-31T10:58:57Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -82,7 +82,7 @@
         "hashed_secret": "dce1f02ca7cc4b63ac43008b7a3ce96e702a0c24",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 41,
+        "line_number": 45,
         "type": "Secret Keyword",
         "verified_result": null
       }
diff --git a/README.md b/README.md
diff --git a/common-dev-assets b/common-dev-assets
@@ -1 +1 @@
-Subproject commit f2e1cf26801616446a54f63b6ba2057a81c00cf0
+Subproject commit 5eb3bbe40bd75226910408121afe7121e5cb97e1
diff --git a/examples/add_rules_to_sg/README.md b/examples/add_rules_to_sg/README.md
@@ -3,7 +3,10 @@
 This example will add security rules to the `kube-<vpcid>` and `kube-<clusterId>` security groups.
 
 The following resources are provisioned by this example:
+
 - A new resource group, if an existing one is not passed in.
 - A VPC with subnets in a single zone and public gw attached.
 - Security rules to the `kube-<vpcid>` and `kube-<clusterId>` security groups.
 - A basic single zone OCP VPC cluster.
+
+You may also be interested in the [example](../custom_sg) that attaches separate security groups to worker nodes, as opposed to adding rules to existing IBM managed security groups.
diff --git a/examples/add_rules_to_sg/version.tf b/examples/add_rules_to_sg/version.tf
@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = "1.60.0"
+      version = "1.62.0"
     }
   }
 }
diff --git a/examples/advanced/version.tf b/examples/advanced/version.tf
@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = ">= 1.60.0"
+      version = "1.62.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
diff --git a/examples/basic/version.tf b/examples/basic/version.tf
@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = "1.60.0"
+      version = "1.62.0"
     }
   }
 }
diff --git a/examples/cross_kms_support/version.tf b/examples/cross_kms_support/version.tf
@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = "1.60.0"
+      version = "1.62.0"
     }
   }
 }
diff --git a/examples/custom_sg/README.md b/examples/custom_sg/README.md
@@ -0,0 +1,12 @@
+# Attaching custom security groups
+
+An example showing how to attach additional security groups to the worker pools, VPE and load balancers:
+
+1. A custom security group, named `custom-cluster-sg`, is specified at cluster creation. This security group is attached to all worker nodes of the cluster, including the worker nodes created after the creation of the cluster.
+2. A second custom security group, named `custom-worker-pool-sg`, is specified for one of the `custom-sg` worker pools. This security group is not applied to other worker pools.
+3. Three custom security groups, named `custom-master-vpe-sg`, `custom-registry-vpe-sg`, and `custom-api-vpe-sg`, are attached to the three VPEs created by the ROKS-stack: the master VPE, the container registry VPE, and the kubernetes API VPE. This is in addition to the IBM-managed security groups that are still attached to those resources.
+4. One custom security group, named `custom-kube-api-vpe-sg`, is attached to the LB created out-of-the-box by the IBM stack.
+
+Furthermore, the default IBM-managed `kube-<clusterId>` security group is linked to all worker nodes of the cluster by utilizing the `attach_ibm_managed_security_group` input variable. It is important to note that, in this configuration, the default VPC security group is not connected to any worker node.
+
+See [Adding VPC security groups to clusters and worker pools during create time](https://cloud.ibm.com/docs/openshift?topic=openshift-vpc-security-group&interface=ui#vpc-sg-worker-pool) for further details.
diff --git a/examples/custom_sg/catalogValidationValues.json.template b/examples/custom_sg/catalogValidationValues.json.template
@@ -0,0 +1,6 @@
+{
+  "ibmcloud_api_key": $VALIDATION_APIKEY,
+  "region": "au-syd",
+  "resource_tags": $TAGS,
+  "prefix": $PREFIX
+}
diff --git a/examples/custom_sg/main.tf b/examples/custom_sg/main.tf
@@ -0,0 +1,116 @@
+########################################################################################################################
+# Resource Group
+########################################################################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.4"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+########################################################################################################################
+# VPC + Subnet + Public Gateway
+#
+# NOTE: This is a very simple VPC with single subnet in a single zone with a public gateway enabled, that will allow
+# all traffic ingress/egress by default.
+# For production use cases this would need to be enhanced by adding more subnets and zones for resiliency, and
+# ACLs/Security Groups for network security.
+########################################################################################################################
+
+resource "ibm_is_vpc" "vpc" {
+  name                      = "${var.prefix}-vpc"
+  resource_group            = module.resource_group.resource_group_id
+  address_prefix_management = "auto"
+  tags                      = var.resource_tags
+}
+
+resource "ibm_is_public_gateway" "gateway" {
+  name           = "${var.prefix}-gateway-1"
+  vpc            = ibm_is_vpc.vpc.id
+  resource_group = module.resource_group.resource_group_id
+  zone           = "${var.region}-1"
+}
+
+resource "ibm_is_subnet" "subnet_zone_1" {
+  name                     = "${var.prefix}-subnet-1"
+  vpc                      = ibm_is_vpc.vpc.id
+  resource_group           = module.resource_group.resource_group_id
+  zone                     = "${var.region}-1"
+  total_ipv4_address_count = 256
+  public_gateway           = ibm_is_public_gateway.gateway.id
+}
+
+########################################################################################################################
+# OCP VPC cluster (single zone)
+########################################################################################################################
+
+locals {
+  cluster_vpc_subnets = {
+    default = [
+      {
+        id         = ibm_is_subnet.subnet_zone_1.id
+        cidr_block = ibm_is_subnet.subnet_zone_1.ipv4_cidr_block
+        zone       = ibm_is_subnet.subnet_zone_1.zone
+      }
+    ]
+  }
+
+  worker_pools = [
+    {
+      subnet_prefix    = "default"
+      pool_name        = "default" # ibm_container_vpc_cluster automatically names default pool "default" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
+      machine_type     = "bx2.4x16"
+      workers_per_zone = 2 # minimum of 2 is allowed when using single zone
+    },
+    {
+      subnet_prefix                 = "default"
+      pool_name                     = "custom-sg"
+      machine_type                  = "bx2.4x16"
+      workers_per_zone              = 2
+      additional_security_group_ids = [module.custom_sg["custom-worker-pool-sg"].security_group_id]
+    },
+  ]
+}
+
+########################################################################################################################
+# Security groups
+# Creating some security group for illustration purpose in this example.
+# Real-world sg would have your own rules set in the `security_group_rules` input.
+########################################################################################################################
+
+module "custom_sg" {
+  for_each                     = toset(["custom-cluster-sg", "custom-worker-pool-sg", "custom-lb-sg", "custom-master-vpe-sg", "custom-registry-vpe-sg", "custom-kube-api-vpe-sg"])
+  source                       = "terraform-ibm-modules/security-group/ibm"
+  version                      = "2.3.1"
+  add_ibm_cloud_internal_rules = false
+  security_group_name          = each.key
+  security_group_rules         = []
+  resource_group               = module.resource_group.resource_group_id
+  vpc_id                       = ibm_is_vpc.vpc.id
+}
+
+
+module "ocp_base" {
+  source                            = "../.."
+  ibmcloud_api_key                  = var.ibmcloud_api_key
+  resource_group_id                 = module.resource_group.resource_group_id
+  region                            = var.region
+  tags                              = var.resource_tags
+  cluster_name                      = var.prefix
+  force_delete_storage              = true
+  vpc_id                            = ibm_is_vpc.vpc.id
+  vpc_subnets                       = local.cluster_vpc_subnets
+  ocp_version                       = var.ocp_version
+  worker_pools                      = local.worker_pools
+  access_tags                       = var.access_tags
+  attach_ibm_managed_security_group = true # true is the default
+  custom_security_group_ids         = [module.custom_sg["custom-cluster-sg"].security_group_id]
+  additional_lb_security_group_ids  = [module.custom_sg["custom-lb-sg"].security_group_id]
+  additional_vpe_security_group_ids = {
+    "master"   = [module.custom_sg["custom-master-vpe-sg"].security_group_id]
+    "api"      = [module.custom_sg["custom-kube-api-vpe-sg"].security_group_id]
+    "registry" = [module.custom_sg["custom-registry-vpe-sg"].security_group_id]
+  }
+}
diff --git a/examples/custom_sg/outputs.tf b/examples/custom_sg/outputs.tf
@@ -0,0 +1,8 @@
+########################################################################################################################
+# Outputs
+########################################################################################################################
+
+output "cluster_name" {
+  value       = module.ocp_base.cluster_name
+  description = "The name of the provisioned cluster."
+}
diff --git a/examples/custom_sg/provider.tf b/examples/custom_sg/provider.tf
@@ -0,0 +1,8 @@
+########################################################################################################################
+# Provider config
+########################################################################################################################
+
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}
diff --git a/examples/custom_sg/variables.tf b/examples/custom_sg/variables.tf
@@ -0,0 +1,49 @@
+########################################################################################################################
+# Input variables
+########################################################################################################################
+
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud api token"
+  sensitive   = true
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix for name of all resource created by this example"
+  default     = "base-ocp-std"
+  validation {
+    error_message = "Prefix must begin and end with a letter and contain only letters, numbers, and - characters."
+    condition     = can(regex("^([A-z]|[a-z][-a-z0-9]*[a-z0-9])$", var.prefix))
+  }
+}
+
+variable "region" {
+  type        = string
+  description = "Region where resources are created"
+  default     = "eu-gb"
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
+}
+
+variable "ocp_version" {
+  type        = string
+  description = "Version of the OCP cluster to provision"
+  default     = "4.14"
+}
+
+variable "access_tags" {
+  type        = list(string)
+  description = "A list of access tags to apply to the resources created by the module."
+  default     = []
+}
diff --git a/examples/custom_sg/version.tf b/examples/custom_sg/version.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_version = ">= 1.3.0, <1.6.0"
+
+  # Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
+  # module's version.tf (basic and add_rules_to_sg), and 1 example that will always use the latest provider version (advanced, fscloud and multiple mzr).
+  required_providers {
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = "1.62.0"
+    }
+  }
+}
diff --git a/examples/fscloud/version.tf b/examples/fscloud/version.tf
@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "ibm-cloud/ibm"
-      version = ">= 1.60.0"
+      version = ">= 1.62.0"
     }
     logdna = {
       source  = "logdna/logdna"
diff --git a/examples/multiple_mzr_clusters/version.tf b/examples/multiple_mzr_clusters/version.tf
@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "ibm-cloud/ibm"
-      version = ">= 1.60.0"
+      version = ">= 1.62.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
diff --git a/main.tf b/main.tf
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
diff --git a/modules/fscloud/version.tf b/modules/fscloud/version.tf
diff --git a/variables.tf b/variables.tf
diff --git a/version.tf b/version.tf

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ terraform {`
`6`	`6`	`required_providers {`
`7`	`7`	`ibm = {`
`8`	`8`	`source = "IBM-Cloud/ibm"`
`9`		`- version = "1.60.0"`
	`9`	`+ version = "1.62.0"`
`10`	`10`	`}`
`11`	`11`	`}`
`12`	`12`	`}`