feat: added the ability to optionally set the operating_system value inside the worker_pools input variable list object. Validation has also been added to ensure only the following allowed values are passed: REDHAT_8_64, RHCOS (only allowed in OCP version 4.15 or later) (#466)

imprateeksh · web-flow · commit 1f67919c6c32 · 2024-07-17T09:12:19.000+01:00
diff --git a/README.md b/README.md
@@ -269,7 +269,7 @@ Optionally, you need the following permissions to attach Access Management tags
 | <a name="input_verify_worker_network_readiness"></a> [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | Id of the VPC instance where this cluster will be provisioned | `string` | n/a | yes |
 | <a name="input_vpc_subnets"></a> [vpc\_subnets](#input\_vpc\_subnets) | Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster will be created | <pre>map(list(object({<br>    id         = string<br>    zone       = string<br>    cidr_block = string<br>  })))</pre> | n/a | yes |
-| <a name="input_worker_pools"></a> [worker\_pools](#input\_worker\_pools) | List of worker pools | <pre>list(object({<br>    subnet_prefix = optional(string)<br>    vpc_subnets = optional(list(object({<br>      id         = string<br>      zone       = string<br>      cidr_block = string<br>    })))<br>    pool_name         = string<br>    machine_type      = string<br>    workers_per_zone  = number<br>    resource_group_id = optional(string)<br>    labels            = optional(map(string))<br>    minSize           = optional(number)<br>    maxSize           = optional(number)<br>    enableAutoscaling = optional(bool)<br>    boot_volume_encryption_kms_config = optional(object({<br>      crk             = string<br>      kms_instance_id = string<br>      kms_account_id  = optional(string)<br>    }))<br>    additional_security_group_ids = optional(list(string))<br>  }))</pre> | n/a | yes |
+| <a name="input_worker_pools"></a> [worker\_pools](#input\_worker\_pools) | List of worker pools | <pre>list(object({<br>    subnet_prefix = optional(string)<br>    vpc_subnets = optional(list(object({<br>      id         = string<br>      zone       = string<br>      cidr_block = string<br>    })))<br>    pool_name         = string<br>    machine_type      = string<br>    workers_per_zone  = number<br>    resource_group_id = optional(string)<br>    operating_system  = optional(string)<br>    labels            = optional(map(string))<br>    minSize           = optional(number)<br>    maxSize           = optional(number)<br>    enableAutoscaling = optional(bool)<br>    boot_volume_encryption_kms_config = optional(object({<br>      crk             = string<br>      kms_instance_id = string<br>      kms_account_id  = optional(string)<br>    }))<br>    additional_security_group_ids = optional(list(string))<br>  }))</pre> | n/a | yes |
 | <a name="input_worker_pools_taints"></a> [worker\_pools\_taints](#input\_worker\_pools\_taints) | Optional, Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` | `null` | no |
 
 ### Outputs
diff --git a/common-dev-assets b/common-dev-assets
@@ -1 +1 @@
-Subproject commit 16e53c8b1608b7e6e2753637316a756b4130344e
+Subproject commit 9a438e425f51effead16d9a7b6e634ddd145d2b9
diff --git a/examples/multiple_mzr_clusters/main.tf b/examples/multiple_mzr_clusters/main.tf
@@ -62,6 +62,12 @@ resource "ibm_is_subnet" "subnet_cluster_2" {
 ########################################################################################################################
 
 locals {
+
+  # Choosing RHEL for the default worker pool will limit all additional worker pools to RHEL.
+  # If we plan to use RHCOS with the cluster, we should create the default worker pool with RHCOS.
+
+  os_rhcos = "RHCOS"
+  os_rhel  = "REDHAT_8_64"
   cluster_1_vpc_subnets = {
     default = [
       for subnet in ibm_is_subnet.subnet_cluster_1 :
@@ -90,13 +96,15 @@ locals {
       pool_name        = "default" # ibm_container_vpc_cluster automatically names standard pool "standard" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
       machine_type     = "bx2.4x16"
       workers_per_zone = 2
+      operating_system = local.os_rhcos
     },
     {
       subnet_prefix    = "default"
       pool_name        = "logging-worker-pool"
       machine_type     = "bx2.4x16"
       workers_per_zone = 2
       labels           = { "dedicated" : "logging-worker-pool" }
+      operating_system = local.os_rhel
     }
   ]
 
@@ -112,33 +120,37 @@ locals {
 }
 
 module "ocp_base_cluster_1" {
-  source               = "../.."
-  cluster_name         = "${var.prefix}-cluster-1"
-  resource_group_id    = module.resource_group.resource_group_id
-  region               = var.region
-  force_delete_storage = true
-  vpc_id               = ibm_is_vpc.vpc.id
-  vpc_subnets          = local.cluster_1_vpc_subnets
-  worker_pools         = local.worker_pools
-  worker_pools_taints  = local.worker_pool_taints
-  ocp_version          = var.ocp_version
-  tags                 = var.resource_tags
-  ocp_entitlement      = var.ocp_entitlement
+  source                              = "../.."
+  cluster_name                        = "${var.prefix}-cluster-1"
+  resource_group_id                   = module.resource_group.resource_group_id
+  region                              = var.region
+  force_delete_storage                = true
+  vpc_id                              = ibm_is_vpc.vpc.id
+  vpc_subnets                         = local.cluster_1_vpc_subnets
+  disable_outbound_traffic_protection = true
+  worker_pools                        = local.worker_pools
+  operating_system                    = local.os_rhcos
+  worker_pools_taints                 = local.worker_pool_taints
+  ocp_version                         = var.ocp_version
+  tags                                = var.resource_tags
+  ocp_entitlement                     = var.ocp_entitlement
 }
 
 module "ocp_base_cluster_2" {
-  source               = "../.."
-  cluster_name         = "${var.prefix}-cluster-2"
-  resource_group_id    = module.resource_group.resource_group_id
-  region               = var.region
-  force_delete_storage = true
-  vpc_id               = ibm_is_vpc.vpc.id
-  vpc_subnets          = local.cluster_2_vpc_subnets
-  worker_pools         = local.worker_pools
-  worker_pools_taints  = local.worker_pool_taints
-  ocp_version          = var.ocp_version
-  tags                 = var.resource_tags
-  ocp_entitlement      = var.ocp_entitlement
+  source                              = "../.."
+  cluster_name                        = "${var.prefix}-cluster-2"
+  resource_group_id                   = module.resource_group.resource_group_id
+  region                              = var.region
+  force_delete_storage                = true
+  vpc_id                              = ibm_is_vpc.vpc.id
+  disable_outbound_traffic_protection = true
+  vpc_subnets                         = local.cluster_2_vpc_subnets
+  worker_pools                        = local.worker_pools
+  operating_system                    = local.os_rhcos
+  worker_pools_taints                 = local.worker_pool_taints
+  ocp_version                         = var.ocp_version
+  tags                                = var.resource_tags
+  ocp_entitlement                     = var.ocp_entitlement
 }
 
 ########################################################################################################################
diff --git a/main.tf b/main.tf
@@ -53,6 +53,36 @@ locals {
   disable_outbound_traffic_protection = startswith(local.ocp_version, "4.12") || startswith(local.ocp_version, "4.13") || startswith(local.ocp_version, "4.14") ? null : var.disable_outbound_traffic_protection
 }
 
+# Separate local block to handle os validations
+locals {
+  os_rhel  = "REDHAT_8_64"
+  os_rhcos = "RHCOS"
+
+  # Strip OCP VERSION and use this ocp version in logic
+  ocp_version_num           = regex("^([0-9]+\\.[0-9]+)", local.ocp_version)[0]
+  is_valid_version          = local.ocp_version_num != null ? tonumber(local.ocp_version_num) >= 4.15 : false
+  rhcos_allowed_ocp_version = var.operating_system == local.os_rhcos && local.is_valid_version
+  worker_pool_rhcos_entry   = [for worker in var.worker_pools : (worker.operating_system == null || worker.operating_system == local.os_rhel || (worker.operating_system == local.os_rhcos && local.is_valid_version) ? true : false)]
+
+  # To verify rhcos operating system exists only for OCP versions >=4.15
+  # tflint-ignore: terraform_unused_declarations
+  cluster_rhcos_validation = var.operating_system == null || var.operating_system == local.os_rhel || local.rhcos_allowed_ocp_version ? true : tobool("RHCOS requires VPC clusters created from 4.15 onwards. Upgraded clusters from 4.14 cannot use RHCOS")
+
+  # tflint-ignore: terraform_unused_declarations
+  worker_pool_rhcos_validation = alltrue(local.worker_pool_rhcos_entry) ? true : tobool("RHCOS requires VPC clusters created from 4.15 onwards. Upgraded clusters from 4.14 cannot use RHCOS")
+
+  # Validate if default worker pool's operating system is RHEL, all pools' operating system must be RHEL
+  check_other_os             = local.default_pool.operating_system == null || local.default_pool.operating_system == local.os_rhcos
+  rhel_check_for_other_pools = [for pool in var.worker_pools : pool.pool_name != "default" && pool.operating_system == local.os_rhel ? true : false]
+  # tflint-ignore: terraform_unused_declarations
+  valid_rhel_worker_pools = local.check_other_os || (local.default_pool.operating_system == local.os_rhel && alltrue(local.rhel_check_for_other_pools)) == true ? true : tobool("Choosing RHEL for the default worker pool will limit all additional worker pools to RHEL.")
+
+  # Validate if RHCOS is used as operating system for the cluster then the default worker pool must be created with RHCOS
+  rhcos_check = var.operating_system == null || var.operating_system == local.os_rhel || (var.operating_system == local.os_rhcos && local.default_pool.operating_system == local.os_rhcos)
+  # tflint-ignore: terraform_unused_declarations
+  default_wp_validation = local.rhcos_check == true ? true : tobool("If RHCOS is used with this cluster, the default worker pool should be created with RHCOS.")
+}
+
 # Lookup the current default kube version
 data "ibm_container_cluster_versions" "cluster_versions" {
   resource_group_id = var.resource_group_id
@@ -298,6 +328,7 @@ resource "ibm_container_vpc_worker_pool" "pool" {
   cluster           = local.cluster_id
   worker_pool_name  = each.value.pool_name
   flavor            = each.value.machine_type
+  operating_system  = each.value.operating_system
   worker_count      = each.value.workers_per_zone
   labels            = each.value.labels
   crk               = each.value.boot_volume_encryption_kms_config == null ? null : each.value.boot_volume_encryption_kms_config.crk
@@ -340,6 +371,7 @@ resource "ibm_container_vpc_worker_pool" "autoscaling_pool" {
   cluster           = local.cluster_id
   worker_pool_name  = each.value.pool_name
   flavor            = each.value.machine_type
+  operating_system  = each.value.operating_system
   worker_count      = each.value.workers_per_zone
   labels            = each.value.labels
   crk               = each.value.boot_volume_encryption_kms_config == null ? null : each.value.boot_volume_encryption_kms_config.crk
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
@@ -56,7 +56,7 @@ No resources.
 | <a name="input_verify_worker_network_readiness"></a> [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC instance where this cluster will be provisioned | `string` | n/a | yes |
 | <a name="input_vpc_subnets"></a> [vpc\_subnets](#input\_vpc\_subnets) | Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster will be created | <pre>map(list(object({<br>    id         = string<br>    zone       = string<br>    cidr_block = string<br>  })))</pre> | n/a | yes |
-| <a name="input_worker_pools"></a> [worker\_pools](#input\_worker\_pools) | List of worker pools | <pre>list(object({<br>    subnet_prefix     = string<br>    pool_name         = string<br>    machine_type      = string<br>    workers_per_zone  = number<br>    resource_group_id = optional(string)<br>    labels            = optional(map(string))<br>    boot_volume_encryption_kms_config = optional(object({<br>      crk             = string<br>      kms_instance_id = string<br>      kms_account_id  = optional(string)<br>    }))<br>    additional_security_group_ids = optional(list(string))<br>  }))</pre> | n/a | yes |
+| <a name="input_worker_pools"></a> [worker\_pools](#input\_worker\_pools) | List of worker pools | <pre>list(object({<br>    subnet_prefix     = string<br>    pool_name         = string<br>    machine_type      = string<br>    workers_per_zone  = number<br>    resource_group_id = optional(string)<br>    operating_system  = optional(string)<br>    labels            = optional(map(string))<br>    boot_volume_encryption_kms_config = optional(object({<br>      crk             = string<br>      kms_instance_id = string<br>      kms_account_id  = optional(string)<br>    }))<br>    additional_security_group_ids = optional(list(string))<br>  }))</pre> | n/a | yes |
 | <a name="input_worker_pools_taints"></a> [worker\_pools\_taints](#input\_worker\_pools\_taints) | Optional, Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` | `null` | no |
 
 ### Outputs
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
@@ -47,6 +47,7 @@ variable "worker_pools" {
     machine_type      = string
     workers_per_zone  = number
     resource_group_id = optional(string)
+    operating_system  = optional(string)
     labels            = optional(map(string))
     boot_volume_encryption_kms_config = optional(object({
       crk             = string
@@ -203,6 +204,11 @@ variable "operating_system" {
   type        = string
   description = "The operating system of the workers in the default worker pool. If no value is specified, the current default version OS will be used. See https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_versions#openshift_versions_available ."
   default     = null
+  validation {
+    error_message = "RHEL 8 (REDHAT_8_64) or Red Hat Enterprise Linux CoreOS (RHCOS) are the allowed OS values. RHCOS requires VPC clusters created from 4.15 onwards. Upgraded clusters from 4.14 cannot use RHCOS."
+    condition     = var.operating_system == null || var.operating_system == "REDHAT_8_64" || var.operating_system == "RHCOS"
+  }
+
 }
 
 ##############################################################################
diff --git a/variables.tf b/variables.tf
@@ -52,6 +52,7 @@ variable "worker_pools" {
     machine_type      = string
     workers_per_zone  = number
     resource_group_id = optional(string)
+    operating_system  = optional(string)
     labels            = optional(map(string))
     minSize           = optional(number)
     maxSize           = optional(number)
@@ -86,6 +87,17 @@ variable "worker_pools" {
     condition     = length([for worker_pool in var.worker_pools : worker_pool if(worker_pool.subnet_prefix == null && worker_pool.vpc_subnets == null) || (worker_pool.subnet_prefix != null && worker_pool.vpc_subnets != null)]) == 0
     error_message = "Please provide exactly one of subnet_prefix or vpc_subnets. Passing neither or both is invalid."
   }
+  validation {
+    condition = alltrue([
+      for worker_pool in var.worker_pools :
+      anytrue([
+        worker_pool.operating_system == null,
+        worker_pool.operating_system == "REDHAT_8_64",
+        worker_pool.operating_system == "RHCOS"
+      ])
+    ])
+    error_message = "RHEL 8 (REDHAT_8_64) or Red Hat Enterprise Linux CoreOS (RHCOS) are the allowed OS values. RHCOS requires VPC clusters created from 4.15 onwards. Upgraded clusters from 4.14 cannot use RHCOS."
+  }
 }
 
 variable "worker_pools_taints" {
@@ -253,6 +265,10 @@ variable "operating_system" {
   type        = string
   description = "The operating system of the workers in the default worker pool. If no value is specified, the current default version OS will be used. See https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_versions#openshift_versions_available ."
   default     = null
+  validation {
+    error_message = "RHEL 8 (REDHAT_8_64) or Red Hat Enterprise Linux CoreOS (RHCOS) are the allowed OS values. RHCOS requires VPC clusters created from 4.15 onwards. Upgraded clusters from 4.14 cannot use RHCOS."
+    condition     = var.operating_system == null || var.operating_system == "REDHAT_8_64" || var.operating_system == "RHCOS"
+  }
 }
 
 # VPC Variables
