revert kube-audit changes

Aashiq-J · Aashiq-J · commit 5cca92d524ed · 2025-12-02T17:21:49.000+05:30
diff --git a/examples/advanced/main.tf b/examples/advanced/main.tf
@@ -219,6 +219,7 @@ module "kube_audit" {
   cluster_resource_group_id = module.resource_group.resource_group_id
   audit_log_policy          = "WriteRequestBodies"
   region                    = var.region
+  ibmcloud_api_key          = var.ibmcloud_api_key
 }
 
 
diff --git a/modules/kube-audit/README.md b/modules/kube-audit/README.md
@@ -90,6 +90,7 @@ No modules.
 | <a name="input_cluster_config_endpoint_type"></a> [cluster\_config\_endpoint\_type](#input\_cluster\_config\_endpoint\_type) | Specify which type of endpoint to use for for cluster config access: 'default', 'private', 'vpe', 'link'. 'default' value will use the default endpoint of the cluster. | `string` | `"default"` | no |
 | <a name="input_cluster_id"></a> [cluster\_id](#input\_cluster\_id) | The ID of the cluster to deploy the log collection service in. | `string` | n/a | yes |
 | <a name="input_cluster_resource_group_id"></a> [cluster\_resource\_group\_id](#input\_cluster\_resource\_group\_id) | The resource group ID of the cluster. | `string` | n/a | yes |
+| <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud api key to generate an IAM token. | `string` | n/a | yes |
 | <a name="input_install_required_binaries"></a> [install\_required\_binaries](#input\_install\_required\_binaries) | When set to true, a script will run to check if `kubectl` and `jq` exist on the runtime and if not attempt to download them from the public internet and install them to /tmp. Set to false to skip running this script. | `bool` | `true` | no |
 | <a name="input_region"></a> [region](#input\_region) | The IBM Cloud region where the cluster is provisioned. | `string` | n/a | yes |
 | <a name="input_use_private_endpoint"></a> [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all api calls to use the IBM Cloud private endpoints. | `bool` | `false` | no |
diff --git a/modules/kube-audit/main.tf b/modules/kube-audit/main.tf
@@ -110,20 +110,25 @@ locals {
   audit_server = "https://127.0.0.1:2040/api/v1/namespaces/${var.audit_namespace}/services/${var.audit_deployment_name}-service/proxy/post"
 }
 
+# see [issue](https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6107)
+# data "ibm_iam_auth_token" "webhook_api_key_tokendata" {
+#   depends_on = [data.ibm_container_cluster_config.cluster_config]
+# }
+
 data "ibm_iam_auth_token" "webhook_api_key_tokendata" {
   depends_on = [time_sleep.wait_for_kube_audit]
 }
 
 resource "null_resource" "set_audit_webhook" {
-  depends_on = [null_resource.install_required_binaries]
+  depends_on = [null_resource.install_required_binaries, time_sleep.wait_for_kube_audit]
   triggers = {
     audit_log_policy = var.audit_log_policy
   }
   provisioner "local-exec" {
     command     = "${path.module}/scripts/set_webhook.sh ${var.region} ${var.use_private_endpoint} ${var.cluster_config_endpoint_type} ${var.cluster_id} ${var.cluster_resource_group_id} ${var.audit_log_policy != "default" ? "verbose" : "default"} ${local.binaries_path}"
     interpreter = ["/bin/bash", "-c"]
     environment = {
-      IAM_TOKEN    = sensitive(data.ibm_iam_auth_token.webhook_api_key_tokendata.iam_access_token)
+      IAM_API_KEY  = var.ibmcloud_api_key
       AUDIT_SERVER = local.audit_server
       CLIENT_CERT  = data.ibm_container_cluster_config.cluster_config.admin_certificate
       CLIENT_KEY   = data.ibm_container_cluster_config.cluster_config.admin_key
diff --git a/modules/kube-audit/scripts/set_webhook.sh b/modules/kube-audit/scripts/set_webhook.sh
@@ -2,9 +2,6 @@
 
 set -euo pipefail
 
-# Adding sleep for the token to be ready
-sleep 10
-
 REGION="$1"
 PRIVATE_ENV="$2"
 CLUSTER_ENDPOINT="$3"
@@ -16,13 +13,33 @@ POLICY="$6"
 export PATH=$PATH:${7:-"/tmp"}
 
 get_cloud_endpoint() {
+    iam_cloud_endpoint="${IBMCLOUD_IAM_API_ENDPOINT:-"iam.cloud.ibm.com"}"
+    IBMCLOUD_IAM_API_ENDPOINT=${iam_cloud_endpoint#https://}
     cs_api_endpoint="${IBMCLOUD_CS_API_ENDPOINT:-"containers.cloud.ibm.com"}"
     cs_api_endpoint=${cs_api_endpoint#https://}
     IBMCLOUD_CS_API_ENDPOINT=${cs_api_endpoint%/global}
 }
 
 get_cloud_endpoint
 
+# This is a workaround function added to retrieve a new token, this can be removed once this issue(https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6107) is fixed.
+fetch_token() {
+    if [ "$IBMCLOUD_IAM_API_ENDPOINT" = "iam.cloud.ibm.com" ]; then
+        if [ "$PRIVATE_ENV" = true ]; then
+            IAM_URL="https://private.$IBMCLOUD_IAM_API_ENDPOINT/identity/token"
+        else
+            IAM_URL="https://$IBMCLOUD_IAM_API_ENDPOINT/identity/token"
+        fi
+    else
+        IAM_URL="https://$IBMCLOUD_IAM_API_ENDPOINT/identity/token"
+    fi
+
+    token=$(curl -s -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=urn:ibm:params:oauth:grant-type:apikey&apikey=$IAM_API_KEY" -X POST "$IAM_URL") #pragma: allowlist secret
+    IAM_TOKEN=$(echo "$token" | jq -r .access_token)
+}
+
+fetch_token
+
 # This is a workaround function added to retrieve the CA cert, this can be removed once this issue(https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6068) is fixed.
 get_ca_cert() {
     if [ "$IBMCLOUD_CS_API_ENDPOINT" = "containers.cloud.ibm.com" ]; then
diff --git a/modules/kube-audit/variables.tf b/modules/kube-audit/variables.tf
@@ -2,6 +2,12 @@
 # Cluster variables
 ##############################################################################
 
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud api key to generate an IAM token."
+  sensitive   = true
+}
+
 variable "cluster_id" {
   type        = string
   description = "The ID of the cluster to deploy the log collection service in."
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
@@ -298,6 +298,7 @@ data "ibm_container_cluster_config" "cluster_config" {
 
 module "kube_audit" {
   count                                   = var.enable_kube_audit ? 1 : 0
+  ibmcloud_api_key                        = var.ibmcloud_api_key
   source                                  = "../../modules/kube-audit"
   cluster_id                              = module.ocp_base.cluster_id
   cluster_resource_group_id               = module.ocp_base.resource_group_id
diff --git a/tests/pr_test.go b/tests/pr_test.go
@@ -102,6 +102,7 @@ func setupQuickstartOptions(t *testing.T, prefix string) *testschematic.TestSche
 			"*.tf",
 			quickStartTerraformDir + "/*.tf", "scripts/*.sh", "kubeconfig/README.md",
 			"modules/worker-pool/*.tf",
+			"modules/kube-audit/scripts/*.sh",
 		},
 		TemplateFolder:             quickStartTerraformDir,
 		Tags:                       []string{"test-schematic"},

Original file line number	Diff line number	Diff line change
`@@ -219,6 +219,7 @@ module "kube_audit" {`
`219`	`219`	`cluster_resource_group_id = module.resource_group.resource_group_id`
`220`	`220`	`audit_log_policy = "WriteRequestBodies"`
`221`	`221`	`region = var.region`
	`222`	`+ ibmcloud_api_key = var.ibmcloud_api_key`
`222`	`223`	`}`
`223`	`224`
`224`	`225`