fix: removed support for deprecated OCP version 4.10 (#298)

Author: ocofaigh

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-07-09T10:32:00Z",
+  "generated_at": "2023-11-23T15:12:20Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -76,7 +76,18 @@
       "name": "TwilioKeyDetector"
     }
   ],
-  "results": {},
+  "results": {
+    "README.md": [
+      {
+        "hashed_secret": "dce1f02ca7cc4b63ac43008b7a3ce96e702a0c24",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 37,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ]
+  },
   "version": "0.13.1+ibm.61.dss",
   "word_list": {
     "file": null,

README.md

@@ -1,40 +1,48 @@
-<!-- BEGIN MODULE HOOK -->
-
-<!-- Update the title to match the module name and add a description -->
-
-# terraform-ibm-base-ocp-vpc module
-
-<!-- UPDATE BADGE: Update the link for the badge below-->
+# Red Hat OpenShift VPC cluster on IBM Cloud module
 
 [![Graduated (Supported)](https://img.shields.io/badge/Status-Graduated%20(Supported)-brightgreen)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
 [![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-base-ocp-vpc?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/releases/latest)
 [![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/)
 [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
 
-A module for provisioning an IBM Cloud Red Hat OpenShift cluster on VPC Gen2. The module either creates the required Cloud Object Storage instance or uses an existing instance. The module also supports optionally passing a key management configuration for secret encryption and boot volume encryption
+A module for provisioning an IBM Cloud Red Hat OpenShift cluster on VPC Gen2. The module either creates the required Cloud Object Storage instance or uses an existing instance. The module also supports optionally passing a key management configuration for secret encryption and boot volume encryption.
 
-## Before you begin
+### Before you begin
 
 - Make sure that you have a recent version of the [IBM Cloud CLI](https://cloud.ibm.com/docs/cli?topic=cli-getting-started)
 - Make sure that you have a recent version of the [IBM Cloud Kubernetes service CLI](https://cloud.ibm.com/docs/containers?topic=containers-kubernetes-service-cli)
 
-## Usage
+<!-- Below content is automatically populated via pre-commit hook -->
+<!-- BEGIN OVERVIEW HOOK -->
+## Overview
+* [terraform-ibm-base-ocp-vpc](#terraform-ibm-base-ocp-vpc)
+* [Submodules](./modules)
+    * [fscloud](./modules/fscloud)
+* [Examples](./examples)
+    * [2 MZR clusters in same VPC example](./examples/multiple_mzr_clusters)
+    * [Advanced example (mzr, auto-scale, kms, taints)](./examples/advanced)
+    * [Basic single zone example](./examples/basic)
+    * [Cluster security group rules example](./examples/add_rules_to_sg)
+    * [Financial Services compliant example](./examples/fscloud)
+* [Contributing](#contributing)
+<!-- END OVERVIEW HOOK -->
+
+<!-- This heading should always match the name of the root level module (aka the repo name) -->
+## terraform-ibm-base-ocp-vpc
+
+### Usage
 ```hcl
-# Replace "master" with a GIT release version to lock into a specific release
 module "ocp_base" {
-  # update this value to the value of your IBM Cloud API key
-  ibmcloud_api_key     = "ibm cloud api key" # pragma: allowlist secret
-  source  = "terraform-ibm-modules/base-ocp-vpc/ibm"
-  version = "latest" # Replace "latest" with a release version to lock into a specific release
+  ibmcloud_api_key     = "XXXXXXXXXXXXXXXXXXX"
+  source               = "terraform-ibm-modules/base-ocp-vpc/ibm"
+  version              = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
   cluster_name         = "example-cluster-name"
-  # modify the value for resource_group_id with and id of a group you own
-  resource_group_id    = "id of existing resource group"
+  resource_group_id    = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
   region               = "us-south"
   force_delete_storage = true
-  vpc_id               = "id of existing VPC"
-  ## obtain the below values from the targeted VPC and adjust to the number of zones,
-  ## subnets, subnet name, cidr_block, id, zone
+  vpc_id               = "79cxxxx-xxxx-xxxx-xxxx-xxxxxXX8667"
+  # obtain the below values from the targeted VPC and adjust to the number of zones, subnets, subnet name, cidr_block, id, zone
   vpc_subnets          = {
     zone-1    = [
         {
@@ -91,9 +99,9 @@ module "ocp_base" {
 }
 ```
 
-## Troubleshooting
+### Troubleshooting
 
-### New kube_version message
+#### New kube_version message
 
 - When you run a `terraform plan` command, you might get a message about a new version of Kubernetes, as in the following example:
 
@@ -107,7 +115,7 @@ module "ocp_base" {
 
     The Kubernetes version is ignored in the module code, so the infrastructure will not be changed. The message identifies only that drift exists in the versions, and after you run a `terraform apply` command, the state will be refreshed.
 
-## Required IAM access policies
+### Required IAM access policies
 You need the following permissions to run this module.
 
 - Account Management
@@ -132,21 +140,9 @@ Optionally, you need the following permissions to attach Access Management tags
     - **Tagging** service
         - `Administrator` platform access
 
-## Note :
+### Note :
  - One worker pool should always be named as `default`. Refer [issue 2849](https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849) for further details.
 
-<!-- BEGIN EXAMPLES HOOK -->
-## Examples
-
-- [ Add Rules to Security Groups Example](examples/add_rules_to_sg)
-- [ Apply Taints Example](examples/apply_taints)
-- [ Existing COS](examples/existing_cos)
-- [ Financial Services Cloud profile example](examples/fscloud)
-- [ 2 MZR clusters in same VPC](examples/multiple_mzr_clusters)
-- [ Single zone autoscaling cluster example](examples/single_zone_autoscale_cluster)
-- [ Standard Example With User Managed Boot Volume Encryption](examples/standard)
-<!-- END EXAMPLES HOOK -->
-
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ### Requirements
 
@@ -230,12 +226,9 @@ Optionally, you need the following permissions to attach Access Management tags
 | <a name="output_workerpools"></a> [workerpools](#output\_workerpools) | Worker pools created |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
-<!-- BEGIN CONTRIBUTING HOOK -->
-
 <!-- Leave this section as is so that your module has a link to local development environment set up steps for contributors to follow -->
 ## Contributing
 
 You can report issues and request features for this module in GitHub issues in the module repo. See [Report an issue or request a feature](https://github.com/terraform-ibm-modules/.github/blob/main/.github/SUPPORT.md).
 
 To set up your local development environment, see [Local development setup](https://terraform-ibm-modules.github.io/documentation/#/local-dev-setup) in the project documentation.
-<!-- END CONTRIBUTING HOOK -->

examples/add_rules_to_sg/README.md

@@ -1,3 +1,9 @@
-# Add Rules to Security Groups Example
+# Cluster security group rules example
 
-This example will add security rules to the `kube-<vpcid>` and `kube-<clusterId>` security groups
+This example will add security rules to the `kube-<vpcid>` and `kube-<clusterId>` security groups.
+
+The following resources are provisioned by this example:
+- A new resource group, if an existing one is not passed in.
+- A VPC with subnets in a single zone and public gw attached
+- Security rules to the `kube-<vpcid>` and `kube-<clusterId>` security groups
+- A basic single zone OCP VPC cluster

examples/add_rules_to_sg/main.tf

@@ -1,6 +1,6 @@
-##############################################################################
-# Provision an OCP cluster with one extra worker pool inside a VPC
-##############################################################################
+########################################################################################################################
+# Resource Group
+########################################################################################################################
 
 module "resource_group" {
   source  = "terraform-ibm-modules/resource-group/ibm"
@@ -10,13 +10,9 @@ module "resource_group" {
   existing_resource_group_name = var.resource_group
 }
 
-##############################################################################
-# Create a VPC with single subnet and zone, and public gateway
-# NOTE: this is a very simple VPC/Subnet configuration for example purposes only,
-# that will allow all traffic ingress/egress by default.
-# For production use cases this would need to be enhanced by adding more subnets
-# and zones for resiliency, and ACLs/Security Groups for network security.
-##############################################################################
+########################################################################################################################
+# VPC
+########################################################################################################################
 
 resource "ibm_is_vpc" "vpc" {
   name                      = "${var.prefix}-vpc"
@@ -25,13 +21,21 @@ resource "ibm_is_vpc" "vpc" {
   tags                      = var.resource_tags
 }
 
+########################################################################################################################
+# Public Gateway in zone-1
+########################################################################################################################
+
 resource "ibm_is_public_gateway" "gateway" {
   name           = "${var.prefix}-gateway-1"
   vpc            = ibm_is_vpc.vpc.id
   resource_group = module.resource_group.resource_group_id
   zone           = "${var.region}-1"
 }
 
+########################################################################################################################
+# Subnet in zone-1
+########################################################################################################################
+
 resource "ibm_is_subnet" "subnet_zone_1" {
   name                     = "${var.prefix}-subnet-1"
   vpc                      = ibm_is_vpc.vpc.id
@@ -41,9 +45,9 @@ resource "ibm_is_subnet" "subnet_zone_1" {
   public_gateway           = ibm_is_public_gateway.gateway.id
 }
 
-##############################################################################
-# Security Group Rules addition.
-##############################################################################
+########################################################################################################################
+# Security Group Rules addition
+########################################################################################################################
 
 locals {
   standard_cluster_allow_rules = [
@@ -127,23 +131,9 @@ resource "ibm_is_security_group_rule" "kube_cluster_rules" {
   }
 }
 
-##############################################################################
-# Key Protect
-##############################################################################
-
-module "kp_all_inclusive" {
-  source                    = "terraform-ibm-modules/key-protect-all-inclusive/ibm"
-  version                   = "4.4.1"
-  key_protect_instance_name = "${var.prefix}-kp-instance"
-  resource_group_id         = module.resource_group.resource_group_id
-  region                    = var.region
-  resource_tags             = var.resource_tags
-  key_map                   = { "ocp" = ["${var.prefix}-cluster-key"] }
-}
-
-##############################################################################
-# Base OCP Cluster
-##############################################################################
+########################################################################################################################
+# OCP VPC single zone cluster
+########################################################################################################################
 
 locals {
   cluster_vpc_subnets = {
@@ -180,10 +170,4 @@ module "ocp_base" {
   worker_pools         = local.worker_pools
   ocp_version          = var.ocp_version
   tags                 = var.resource_tags
-  kms_config = {
-    instance_id = module.kp_all_inclusive.key_protect_guid
-    crk_id      = module.kp_all_inclusive.keys["ocp.${var.prefix}-cluster-key"].key_id
-  }
 }
-
-##############################################################################

examples/add_rules_to_sg/outputs.tf

@@ -1,6 +1,6 @@
-##############################################################################
+########################################################################################################################
 # Outputs
-##############################################################################
+########################################################################################################################
 
 output "cluster_name" {
   value       = module.ocp_base.cluster_name
@@ -18,5 +18,3 @@ output "kube_cluster_rule_id" {
   description = "The kube-cluster-id security group rule ids"
   value       = join(",", [for rule in data.ibm_is_security_group.kube_cluster_sg.rules : rule.rule_id])
 }
-
-##############################################################################

examples/add_rules_to_sg/provider.tf

@@ -1,10 +1,8 @@
-##############################################################################
+########################################################################################################################
 # Terraform providers
-##############################################################################
+########################################################################################################################
 
 provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.region
 }
-
-##############################################################################

examples/add_rules_to_sg/variables.tf

@@ -1,17 +1,17 @@
-##############################################################################
+########################################################################################################################
 # Input Variables
-##############################################################################
+########################################################################################################################
 
 variable "ibmcloud_api_key" {
   type        = string
-  description = "The IBM Cloud api token"
+  description = "The IBM Cloud api key"
   sensitive   = true
 }
 
 variable "prefix" {
   type        = string
   description = "Prefix for name of all resource created by this example"
-  default     = "base-ocp-std"
+  default     = "base-ocp-sg"
   validation {
     error_message = "Prefix must begin and end with a letter and contain only letters, numbers, and - characters."
     condition     = can(regex("^([A-z]|[a-z][-a-z0-9]*[a-z0-9])$", var.prefix))

examples/add_rules_to_sg/version.tf

@@ -1,11 +1,12 @@
 terraform {
-  required_version = ">=1.3.0, < 1.6.0"
+  required_version = ">= 1.3.0, <1.6.0"
+
+  # Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
+  # module's version.tf (basic and add_rules_to_sg), and 1 example that will always use the latest provider version (advanced, fscloud and multiple mzr).
   required_providers {
     ibm = {
-      source  = "ibm-cloud/ibm"
-      version = ">= 1.59.0"
+      source  = "IBM-Cloud/ibm"
+      version = "1.59.0"
     }
   }
 }
-
-##############################################################################

examples/advanced/README.md

@@ -0,0 +1,12 @@
+# Advanced example (mzr, auto-scale, kms, taints)
+
+An advanced example which shows how to create a multi-zone KMS encrypted OCP VPC cluster with custom worker node taints
+
+The following resources are provisioned by this example:
+- A new resource group, if an existing one is not passed in.
+- A Key Protect instance with 2 root keys, one for cluster encryption, and one for worker block storage encryption
+- A VPC with subnets across 3 zones
+- A public gateway only in zone-1
+- A multi-zone (3 zone) KMS encrypted OCP VPC cluster, with worker pools in each zone
+- Auto scaling enabled for the default worker pool
+- Taints against the workers in zone-2 and zone-3