feat: exposed the addons variable in the fscloud submodule + refactored the logic around csi-driver version determination (#258)

Aashiq-J · web-flow · commit cb2ee8d8a5ae · 2023-10-12T19:14:05.000+01:00
diff --git a/README.md b/README.md
@@ -179,6 +179,7 @@ Optionally, you need the following permissions to attach Access Management tags
 | [null_resource.confirm_network_healthy](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.reset_api_key](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [time_sleep.wait_operators](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [ibm_container_addons.existing_addons](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_addons) | data source |
 | [ibm_container_cluster_config.cluster_config](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster_config) | data source |
 | [ibm_container_cluster_versions.cluster_versions](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster_versions) | data source |
 
@@ -187,7 +188,7 @@ Optionally, you need the following permissions to attach Access Management tags
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | A list of access tags to apply to the resources created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details | `list(string)` | `[]` | no |
-| <a name="input_addons"></a> [addons](#input\_addons) | List of all addons supported by the ocp cluster. | <pre>object({<br>    alb-oauth-proxy           = optional(string)<br>    debug-tool                = optional(string)<br>    image-key-synchronizer    = optional(string)<br>    istio                     = optional(string)<br>    openshift-data-foundation = optional(string)<br>    static-route              = optional(string)<br>    cluster-autoscaler        = optional(string)<br>    vpc-block-csi-driver      = optional(string)<br>  })</pre> | `null` | no |
+| <a name="input_addons"></a> [addons](#input\_addons) | Map of OCP cluster add-on versions to install (NOTE: The 'vpc-block-csi-driver' add-on is installed by default for VPC clusters, however you can explicitly specify it here if you wish to choose a later version than the default one). For full list of all supported add-ons and versions, see https://cloud.ibm.com/docs/containers?topic=containers-supported-cluster-addon-versions | <pre>object({<br>    alb-oauth-proxy           = optional(string)<br>    debug-tool                = optional(string)<br>    image-key-synchronizer    = optional(string)<br>    istio                     = optional(string)<br>    openshift-data-foundation = optional(string)<br>    static-route              = optional(string)<br>    cluster-autoscaler        = optional(string)<br>    vpc-block-csi-driver      = optional(string)<br>  })</pre> | `null` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name that will be assigned to the provisioned cluster | `string` | n/a | yes |
 | <a name="input_cluster_ready_when"></a> [cluster\_ready\_when](#input\_cluster\_ready\_when) | The cluster is ready when one of the following: MasterNodeReady (not recommended), OneWorkerNodeReady, Normal, IngressReady | `string` | `"IngressReady"` | no |
 | <a name="input_cos_name"></a> [cos\_name](#input\_cos\_name) | Name of the COS instance to provision. New instance only provisioned if `use_existing_cos = false`. Default: `<cluster_name>_cos` | `string` | `null` | no |
diff --git a/cra-tf-validate-ignore-rules.json b/cra-tf-validate-ignore-rules.json
@@ -5,6 +5,12 @@
             "description": "Check whether Cloud Object Storage network access is restricted to a specific IP range",
             "ignore_reason": "This module supports restricting network access using Context Based Restrictions (CBRs), however SCC does not yet support scanning for CBR rules, hence the rule currently fails. SCC CBR support is being tracked in AHA SCC-961",
             "is_valid": true
+        },
+        {
+            "scc_rule_id": "rule-216e2449-27d7-4afc-929a-b66e196a9cf9",
+            "description": "Check whether Flow Logs for VPC are enabled",
+            "ignore_reason": "This rule is not relevant to the module itself, just the VPC resource is used in the example that is scanned",
+            "is_valid": false
         }
     ]
 }
diff --git a/main.tf b/main.tf
@@ -25,8 +25,12 @@ locals {
   # tflint-ignore: terraform_unused_declarations
   validate_check = regex("^${local.validate_msg}$", (!local.validate_condition ? local.validate_msg : ""))
 
+  csi_driver_version = [
+    for addon in data.ibm_container_addons.existing_addons.addons :
+    addon.version if addon.name == "vpc-block-csi-driver"
+  ]
   addons_list = var.addons != null ? { for k, v in var.addons : k => v if v != null } : {}
-  addons      = lookup(local.addons_list, "vpc-block-csi-driver", null) == null ? merge(local.addons_list, { vpc-block-csi-driver = "5.1" }) : local.addons_list
+  addons      = lookup(local.addons_list, "vpc-block-csi-driver", null) == null ? merge(local.addons_list, { vpc-block-csi-driver = local.csi_driver_version[0] }) : local.addons_list
 
   delete_timeout = "2h"
   create_timeout = "3h"
@@ -360,6 +364,10 @@ resource "null_resource" "confirm_network_healthy" {
   }
 }
 
+# Lookup the current default csi-driver version
+data "ibm_container_addons" "existing_addons" {
+  cluster = local.cluster_id
+}
 
 resource "ibm_container_addons" "addons" {
 
diff --git a/module-metadata.json b/module-metadata.json
@@ -26,7 +26,7 @@
     "addons": {
       "name": "addons",
       "type": "object({\n    alb-oauth-proxy           = optional(string)\n    debug-tool                = optional(string)\n    image-key-synchronizer    = optional(string)\n    istio                     = optional(string)\n    openshift-data-foundation = optional(string)\n    static-route              = optional(string)\n    cluster-autoscaler        = optional(string)\n    vpc-block-csi-driver      = optional(string)\n  })",
-      "description": "List of all addons supported by the ocp cluster.",
+      "description": "Map of OCP cluster add-on versions to install (NOTE: The 'vpc-block-csi-driver' add-on is installed by default for VPC clusters, however you can explicitly specify it here if you wish to choose a later version than the default one). For full list of all supported add-ons and versions, see https://cloud.ibm.com/docs/containers?topic=containers-supported-cluster-addon-versions",
       "pos": {
         "filename": "variables.tf",
         "line": 202
@@ -444,7 +444,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 364
+        "line": 372
       }
     },
     "ibm_container_vpc_cluster.autoscaling_cluster": {
@@ -467,7 +467,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 134
+        "line": 138
       }
     },
     "ibm_container_vpc_cluster.cluster": {
@@ -490,7 +490,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 72
+        "line": 76
       }
     },
     "ibm_container_vpc_worker_pool.autoscaling_pool": {
@@ -506,7 +506,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 285
+        "line": 289
       }
     },
     "ibm_container_vpc_worker_pool.pool": {
@@ -522,7 +522,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 244
+        "line": 248
       }
     },
     "ibm_resource_tag.cluster_access_tag": {
@@ -539,7 +539,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 198
+        "line": 202
       }
     },
     "ibm_resource_tag.cos_access_tag": {
@@ -555,7 +555,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 61
+        "line": 65
       }
     },
     "kubernetes_config_map_v1_data.set_autoscaling": {
@@ -570,7 +570,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 405
+        "line": 413
       }
     },
     "null_resource.confirm_network_healthy": {
@@ -585,7 +585,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 345
+        "line": 349
       }
     },
     "null_resource.reset_api_key": {
@@ -597,7 +597,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 219
+        "line": 223
       }
     },
     "time_sleep.wait_operators": {
@@ -609,11 +609,23 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 387
+        "line": 395
       }
     }
   },
   "data_resources": {
+    "data.ibm_container_addons.existing_addons": {
+      "mode": "data",
+      "type": "ibm_container_addons",
+      "name": "existing_addons",
+      "provider": {
+        "name": "ibm"
+      },
+      "pos": {
+        "filename": "main.tf",
+        "line": 368
+      }
+    },
     "data.ibm_container_cluster_config.cluster_config": {
       "mode": "data",
       "type": "ibm_container_cluster_config",
@@ -627,7 +639,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 233
+        "line": 237
       }
     },
     "data.ibm_container_cluster_versions.cluster_versions": {
@@ -642,7 +654,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 39
+        "line": 43
       }
     }
   },
@@ -904,7 +916,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 43
+        "line": 47
       }
     }
   }
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
@@ -28,6 +28,7 @@ No resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_addons"></a> [addons](#input\_addons) | Map of OCP cluster add-on versions to install (NOTE: The 'vpc-block-csi-driver' add-on is installed by default for VPC clusters, however you can explicitly specify it here if you wish to choose a later version than the default one). For full list of all supported add-ons and versions, see https://cloud.ibm.com/docs/containers?topic=containers-supported-cluster-addon-versions | <pre>object({<br>    alb-oauth-proxy           = optional(string)<br>    debug-tool                = optional(string)<br>    image-key-synchronizer    = optional(string)<br>    istio                     = optional(string)<br>    openshift-data-foundation = optional(string)<br>    static-route              = optional(string)<br>    cluster-autoscaler        = optional(string)<br>    vpc-block-csi-driver      = optional(string)<br>  })</pre> | `null` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name that will be assigned to the provisioned cluster | `string` | n/a | yes |
 | <a name="input_cluster_ready_when"></a> [cluster\_ready\_when](#input\_cluster\_ready\_when) | The cluster is ready when one of the following: MasterNodeReady (not recommended), OneWorkerNodeReady, Normal, IngressReady | `string` | `"IngressReady"` | no |
 | <a name="input_existing_cos_id"></a> [existing\_cos\_id](#input\_existing\_cos\_id) | The COS id of an already existing COS instance | `string` | n/a | yes |
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
@@ -22,4 +22,5 @@ module "fscloud" {
   existing_cos_id                 = var.existing_cos_id
   tags                            = var.tags
   kms_config                      = var.kms_config
+  addons                          = var.addons
 }
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
@@ -117,5 +117,18 @@ variable "verify_worker_network_readiness" {
   default     = true
 }
 
-
+variable "addons" {
+  type = object({
+    alb-oauth-proxy           = optional(string)
+    debug-tool                = optional(string)
+    image-key-synchronizer    = optional(string)
+    istio                     = optional(string)
+    openshift-data-foundation = optional(string)
+    static-route              = optional(string)
+    cluster-autoscaler        = optional(string)
+    vpc-block-csi-driver      = optional(string)
+  })
+  description = "Map of OCP cluster add-on versions to install (NOTE: The 'vpc-block-csi-driver' add-on is installed by default for VPC clusters, however you can explicitly specify it here if you wish to choose a later version than the default one). For full list of all supported add-ons and versions, see https://cloud.ibm.com/docs/containers?topic=containers-supported-cluster-addon-versions"
+  default     = null
+}
 ##############################################################################
diff --git a/variables.tf b/variables.tf
@@ -210,7 +210,7 @@ variable "addons" {
     cluster-autoscaler        = optional(string)
     vpc-block-csi-driver      = optional(string)
   })
-  description = "List of all addons supported by the ocp cluster."
+  description = "Map of OCP cluster add-on versions to install (NOTE: The 'vpc-block-csi-driver' add-on is installed by default for VPC clusters, however you can explicitly specify it here if you wish to choose a later version than the default one). For full list of all supported add-ons and versions, see https://cloud.ibm.com/docs/containers?topic=containers-supported-cluster-addon-versions"
   default     = null
 }
 

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,12 @@`
`5`	`5`	`"description": "Check whether Cloud Object Storage network access is restricted to a specific IP range",`
`6`	`6`	`"ignore_reason": "This module supports restricting network access using Context Based Restrictions (CBRs), however SCC does not yet support scanning for CBR rules, hence the rule currently fails. SCC CBR support is being tracked in AHA SCC-961",`
`7`	`7`	`"is_valid": true`
	`8`	`+ },`
	`9`	`+ {`
	`10`	`+ "scc_rule_id": "rule-216e2449-27d7-4afc-929a-b66e196a9cf9",`
	`11`	`+ "description": "Check whether Flow Logs for VPC are enabled",`
	`12`	`+ "ignore_reason": "This rule is not relevant to the module itself, just the VPC resource is used in the example that is scanned",`
	`13`	`+ "is_valid": false`
`8`	`14`	`}`
`9`	`15`	`]`
`10`	`16`	`}`
Original file line number	Diff line number	Diff line change
`@@ -22,4 +22,5 @@ module "fscloud" {`
`22`	`22`	`existing_cos_id = var.existing_cos_id`
`23`	`23`	`tags = var.tags`
`24`	`24`	`kms_config = var.kms_config`
	`25`	`+ addons = var.addons`
`25`	`26`	`}`
Original file line number	Diff line number	Diff line change
`@@ -210,7 +210,7 @@ variable "addons" {`
`210`	`210`	`cluster-autoscaler = optional(string)`
`211`	`211`	`vpc-block-csi-driver = optional(string)`
`212`	`212`	`})`
`213`		`- description = "List of all addons supported by the ocp cluster."`
	`213`	`+ description = "Map of OCP cluster add-on versions to install (NOTE: The 'vpc-block-csi-driver' add-on is installed by default for VPC clusters, however you can explicitly specify it here if you wish to choose a later version than the default one). For full list of all supported add-ons and versions, see https://cloud.ibm.com/docs/containers?topic=containers-supported-cluster-addon-versions"`
`214`	`214`	`default = null`
`215`	`215`	`}`
`216`	`216`