PR changes

Author: mukulpalit-ibm

examples/monolith/README.md

@@ -2,25 +2,8 @@
 
 A simple example that shows how to provision a multi zone OCP VPC cluster as well as all foundational infrastructure and supporting services required for a secure and compliant OpenShift (OCP) cluster deployment on IBM Cloud VPC.
 
-The following resources are provisioned by this example:
-- A new resource group, if an existing one is not passed in.
-- A Key Protect instance with 2 root keys, one for cluster encryption, and one for worker boot volume encryption.
-- A VPC with subnets across 3 zones.
-- A public gateway for all the three zones.
-- A multi-zone (3 zone) KMS encrypted OCP VPC cluster, with worker pools in each zone.
-- An additional worker pool named workerpool is created and attached to the cluster using the worker-pool submodule.
-- Auto scaling enabled for the default worker pool.
-- Taints against the workers in zone-2 and zone-3.
-- Enable Kubernetes API server audit logs.
-- A Cloud logs instance.
-- A Cloud monitoring instance.
-- An activity tracker event routing instance.
-- A secrets manager instance.
-- A COS instance along with 3 buckets for VPC flow logs, metrics/data bucket and activity tracker bucket.
-- A SCC-WP instance.
-- A VPC instance.
-- An event notifications instance.
-- An app configuration service with aggregator enabled.
+- Refer [here](../../modules/monolith/README.md) to check all the resources are provisioned by this example by calling the monolith module.
+- A new resource group if an existing resource group is not passed.
 - Monitoring agent.
 - A Trusted Profile with Sender role to logs service.
 - Logs agent.

examples/monolith/main.tf

@@ -12,209 +12,43 @@ module "resource_group" {
 # Add-ons
 ########################################################################################################################
 
-module "monolith_add_ons" {
+module "ocp_cluster_with_add_ons" {
   source                                    = "../../modules/monolith"
   prefix                                    = var.prefix
   region                                    = var.region
+  ibmcloud_api_key                          = var.ibmcloud_api_key
+  provider_visibility                       = var.provider_visibility
   resource_group_id                         = module.resource_group.resource_group_id
-  kms_encryption_enabled_cluster            = var.kms_encryption_enabled_cluster
+  kms_encryption_enabled_cluster            = true
   existing_kms_instance_crn                 = var.existing_kms_instance_crn
   existing_cluster_kms_key_crn              = var.existing_cluster_kms_key_crn
-  kms_endpoint_type                         = var.kms_endpoint_type
-  key_protect_allowed_network               = var.key_protect_allowed_network
-  kms_encryption_enabled_boot_volume        = var.kms_encryption_enabled_boot_volume
+  kms_endpoint_type                         = "private"
+  key_protect_allowed_network               = "private-only"
+  kms_encryption_enabled_boot_volume        = true
   existing_boot_volume_kms_key_crn          = var.existing_boot_volume_kms_key_crn
-  kms_plan                                  = var.kms_plan
-  en_service_plan                           = var.en_service_plan
-  en_service_endpoints                      = var.en_service_endpoints
+  kms_plan                                  = "tiered-pricing"
+  en_service_plan                           = "standard"
+  en_service_endpoints                      = "public-and-private"
   existing_secrets_manager_crn              = var.existing_secrets_manager_crn
-  secrets_manager_service_plan              = var.secrets_manager_service_plan
-  secrets_manager_endpoint_type             = var.secrets_manager_endpoint_type
-  secrets_manager_allowed_network           = var.secrets_manager_allowed_network
+  secrets_manager_service_plan              = "standard"
+  secrets_manager_endpoint_type             = "private"
   existing_event_notifications_instance_crn = var.existing_event_notifications_instance_crn
   existing_cos_instance_crn                 = var.existing_cos_instance_crn
-  cos_instance_plan                         = var.cos_instance_plan
-  management_endpoint_type_for_buckets      = var.management_endpoint_type_for_buckets
+  cos_instance_plan                         = "standard"
+  management_endpoint_type_for_buckets      = "direct"
   existing_cloud_monitoring_crn             = var.existing_cloud_monitoring_crn
-  cloud_monitoring_plan                     = var.cloud_monitoring_plan
+  cloud_monitoring_plan                     = "graduated-tier"
   existing_cloud_logs_crn                   = var.existing_cloud_logs_crn
-  scc_workload_protection_service_plan      = var.scc_workload_protection_service_plan
-  enable_vpc_flow_logs                      = var.enable_vpc_flow_logs
-  app_config_plan                           = var.app_config_plan
-  app_config_service_endpoints              = var.app_config_service_endpoints
-}
-
-########################################################################################################################
-# OCP VPC cluster
-########################################################################################################################
-
-locals {
-  vpc_subnets = {
-    # The default behavior is to deploy the worker pool across all subnets within the VPC.
-    "default" = [
-      for subnet in module.monolith_add_ons.subnet_zone_list :
-      {
-        id         = subnet.id
-        zone       = subnet.zone
-        cidr_block = subnet.cidr
-      }
-    ]
-  }
-
-  worker_pools = concat([
-    {
-      subnet_prefix     = "default"
-      pool_name         = "default"
-      machine_type      = var.default_worker_pool_machine_type
-      workers_per_zone  = var.default_worker_pool_workers_per_zone
-      resource_group_id = module.resource_group.resource_group_id
-      operating_system  = var.default_worker_pool_operating_system
-      labels            = var.default_worker_pool_labels
-      minSize           = var.default_pool_minimum_number_of_nodes
-      maxSize           = var.default_pool_maximum_number_of_nodes
-      enableAutoscaling = var.enable_autoscaling_for_default_pool
-      boot_volume_encryption_kms_config = {
-        crk             = module.monolith_add_ons.boot_volume_kms_key_id
-        kms_instance_id = module.monolith_add_ons.boot_volume_existing_kms_guid
-        kms_account_id  = module.monolith_add_ons.boot_volume_kms_account_id
-      }
-      additional_security_group_ids = var.additional_security_group_ids
-    }
-    ], [for pool in var.additional_worker_pools : merge(pool, { resource_group_id = module.resource_group.resource_group_id
-      boot_volume_encryption_kms_config = {
-        crk             = module.monolith_add_ons.boot_volume_kms_key_id
-        kms_instance_id = module.monolith_add_ons.boot_volume_existing_kms_guid
-        kms_account_id  = module.monolith_add_ons.boot_volume_kms_account_id
-    } }) if length(pool.vpc_subnets) > 0],
-    [for pool in var.additional_worker_pools : {
-      pool_name         = pool.pool_name
-      machine_type      = pool.machine_type
-      workers_per_zone  = pool.workers_per_zone
-      resource_group_id = module.resource_group.resource_group_id
-      operating_system  = pool.operating_system
-      labels            = pool.labels
-      minSize           = pool.minSize
-      secondary_storage = pool.secondary_storage
-      maxSize           = pool.maxSize
-      enableAutoscaling = pool.enableAutoscaling
-      boot_volume_encryption_kms_config = {
-        crk             = module.monolith_add_ons.boot_volume_kms_key_id
-        kms_instance_id = module.monolith_add_ons.boot_volume_existing_kms_guid
-        kms_account_id  = module.monolith_add_ons.boot_volume_kms_account_id
-      }
-      additional_security_group_ids = pool.additional_security_group_ids
-      subnet_prefix                 = "default"
-  } if length(pool.vpc_subnets) == 0])
-
-  # Managing the ODF version accordingly, as it changes with each OCP version.
-  addons = lookup(var.addons, "openshift-data-foundation", null) != null ? lookup(var.addons["openshift-data-foundation"], "version", null) == null ? { for key, value in var.addons :
-    key => value != null ? {
-      version         = lookup(value, "version", null) == null && key == "openshift-data-foundation" ? "${var.openshift_version}.0" : lookup(value, "version", null)
-      parameters_json = lookup(value, "parameters_json", null)
-  } : null } : var.addons : var.addons
-}
-
-module "ocp_base" {
-  depends_on                               = [module.monolith_add_ons]
-  source                                   = "../.."
-  resource_group_id                        = module.resource_group.resource_group_id
-  region                                   = var.region
-  tags                                     = var.cluster_resource_tags
-  cluster_name                             = "${var.prefix}-${var.cluster_name}"
-  force_delete_storage                     = true
-  use_existing_cos                         = true
-  existing_cos_id                          = module.monolith_add_ons.cos_instance_id
-  vpc_id                                   = module.monolith_add_ons.vpc_id
-  vpc_subnets                              = local.vpc_subnets
-  ocp_version                              = var.openshift_version
-  worker_pools                             = local.worker_pools
-  access_tags                              = var.access_tags
-  ocp_entitlement                          = var.ocp_entitlement
-  additional_lb_security_group_ids         = var.additional_lb_security_group_ids
-  additional_vpe_security_group_ids        = var.additional_vpe_security_group_ids
-  addons                                   = local.addons
-  allow_default_worker_pool_replacement    = var.allow_default_worker_pool_replacement
-  attach_ibm_managed_security_group        = var.attach_ibm_managed_security_group
-  cluster_config_endpoint_type             = var.cluster_config_endpoint_type
-  cbr_rules                                = var.ocp_cbr_rules
-  cluster_ready_when                       = var.cluster_ready_when
-  custom_security_group_ids                = var.custom_security_group_ids
-  disable_outbound_traffic_protection      = var.allow_outbound_traffic
-  disable_public_endpoint                  = !var.allow_public_access_to_cluster_management
-  enable_ocp_console                       = var.enable_ocp_console
-  ignore_worker_pool_size_changes          = var.ignore_worker_pool_size_changes
-  kms_config                               = module.monolith_add_ons.kms_config
-  manage_all_addons                        = var.manage_all_addons
-  number_of_lbs                            = var.number_of_lbs
-  pod_subnet_cidr                          = var.pod_subnet_cidr
-  service_subnet_cidr                      = var.service_subnet_cidr
-  verify_worker_network_readiness          = var.verify_worker_network_readiness
-  worker_pools_taints                      = var.worker_pools_taints
-  enable_secrets_manager_integration       = var.enable_secrets_manager_integration
-  existing_secrets_manager_instance_crn    = module.monolith_add_ons.secrets_manager_crn
-  secrets_manager_secret_group_id          = var.secrets_manager_secret_group_id != null ? var.secrets_manager_secret_group_id : (var.enable_secrets_manager_integration ? module.secret_group[0].secret_group_id : null)
-  skip_ocp_secrets_manager_iam_auth_policy = var.skip_ocp_secrets_manager_iam_auth_policy
-}
-
-resource "terraform_data" "delete_secrets" {
-  depends_on = [module.monolith_add_ons]
-  count      = var.enable_secrets_manager_integration && var.secrets_manager_secret_group_id == null ? 1 : 0
-  input = {
-    secret_id                   = module.secret_group[0].secret_group_id
-    provider_visibility         = var.provider_visibility
-    secrets_manager_instance_id = module.monolith_add_ons.secrets_manager_guid
-    secrets_manager_region      = module.monolith_add_ons.secrets_manager_region
-    secrets_manager_endpoint    = var.secrets_manager_endpoint_type
-  }
-  # api key in triggers_replace to avoid it to be printed out in clear text in terraform_data output
-  triggers_replace = {
-    api_key = var.ibmcloud_api_key
-  }
-  provisioner "local-exec" {
-    when        = destroy
-    command     = "${path.module}/../../solutions/fully-configurable/scripts/delete_secrets.sh ${self.input.secret_id} ${self.input.provider_visibility} ${self.input.secrets_manager_instance_id} ${self.input.secrets_manager_region} ${self.input.secrets_manager_endpoint}"
-    interpreter = ["/bin/bash", "-c"]
-
-    environment = {
-      API_KEY = self.triggers_replace.api_key
-    }
-  }
-}
-
-module "secret_group" {
-  count                    = var.enable_secrets_manager_integration && var.secrets_manager_secret_group_id == null ? 1 : 0
-  source                   = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
-  version                  = "1.3.15"
-  region                   = module.monolith_add_ons.secrets_manager_region
-  secrets_manager_guid     = module.monolith_add_ons.secrets_manager_guid
-  secret_group_name        = module.ocp_base.cluster_id
-  secret_group_description = "Secret group for storing ingress certificates for cluster ${var.cluster_name} with id: ${module.ocp_base.cluster_id}"
-  endpoint_type            = var.secrets_manager_endpoint_type
+  scc_workload_protection_service_plan      = "graduated-tier"
+  enable_vpc_flow_logs                      = true
+  app_config_plan                           = "enterprise"
+  app_config_service_endpoints              = "public-and-private"
 }
 
 data "ibm_container_cluster_config" "cluster_config" {
-  count             = var.enable_kube_audit ? 1 : 0
-  cluster_name_id   = module.ocp_base.cluster_id
+  cluster_name_id   = module.ocp_cluster_with_add_ons.cluster_id
+  resource_group_id = module.resource_group.resource_group_id
   config_dir        = "${path.module}/../../kubeconfig"
-  admin             = true
-  resource_group_id = module.ocp_base.resource_group_id
-  endpoint_type     = var.cluster_config_endpoint_type != "default" ? var.cluster_config_endpoint_type : null
-}
-
-module "kube_audit" {
-  count                                   = var.enable_kube_audit ? 1 : 0
-  ibmcloud_api_key                        = var.ibmcloud_api_key
-  source                                  = "../../modules/kube-audit"
-  cluster_id                              = module.ocp_base.cluster_id
-  cluster_resource_group_id               = module.ocp_base.resource_group_id
-  region                                  = module.ocp_base.region
-  use_private_endpoint                    = var.use_private_endpoint
-  cluster_config_endpoint_type            = var.cluster_config_endpoint_type
-  audit_log_policy                        = var.audit_log_policy
-  audit_namespace                         = var.audit_namespace
-  audit_deployment_name                   = var.audit_deployment_name
-  audit_webhook_listener_image            = var.audit_webhook_listener_image
-  audit_webhook_listener_image_tag_digest = var.audit_webhook_listener_image_tag_digest
 }
 
 ##############################################################################
@@ -224,10 +58,10 @@ module "kube_audit" {
 module "monitoring_agent" {
   source                    = "terraform-ibm-modules/monitoring-agent/ibm"
   version                   = "1.19.0"
-  cluster_id                = module.ocp_base.cluster_id
+  cluster_id                = module.ocp_cluster_with_add_ons.cluster_id
   cluster_resource_group_id = module.resource_group.resource_group_id
   is_vpc_cluster            = true
-  access_key                = module.monolith_add_ons.cloud_monitoring_access_key
+  access_key                = module.ocp_cluster_with_add_ons.cloud_monitoring_access_key
   instance_region           = var.region
   metrics_filter            = [{ exclude = "metricA.*" }, { include = "metricB.*" }]
   container_filter          = [{ type = "exclude", parameter = "kubernetes.namespace.name", name = "kube-system" }]
@@ -263,7 +97,7 @@ module "trusted_profile" {
     cr_type           = "ROKS_SA"
     unique_identifier = "logs-agent-link"
     links = [{
-      crn       = module.ocp_base.cluster_crn
+      crn       = module.ocp_cluster_with_add_ons.cluster_crn
       namespace = local.logs_agent_namespace
       name      = local.logs_agent_name
     }]
@@ -274,18 +108,18 @@ module "trusted_profile" {
 module "logs_agent" {
   source                    = "terraform-ibm-modules/logs-agent/ibm"
   version                   = "1.10.0"
-  cluster_id                = module.ocp_base.cluster_id
+  cluster_id                = module.ocp_cluster_with_add_ons.cluster_id
   cluster_resource_group_id = module.resource_group.resource_group_id
   # Logs agent
   logs_agent_trusted_profile_id = module.trusted_profile.trusted_profile.id
   logs_agent_namespace          = local.logs_agent_namespace
   logs_agent_name               = local.logs_agent_name
-  cloud_logs_ingress_endpoint   = module.monolith_add_ons.cloud_logs_ingress_private_endpoint
+  cloud_logs_ingress_endpoint   = module.ocp_cluster_with_add_ons.cloud_logs_ingress_private_endpoint
   cloud_logs_ingress_port       = 3443
   # example of how to add additional metadata to the logs agent
   logs_agent_additional_metadata = [{
     key   = "cluster_id"
-    value = module.ocp_base.cluster_id
+    value = module.ocp_cluster_with_add_ons.cluster_id
   }]
   logs_agent_resources = {
     limits = {