feat: Exposed the following variables in the fscloud submodule: additional_vpe_security_group_ids, number_of_lbs, additional_lb_security_group_ids, custom_security_group_ids, attach_ibm_managed_security_group<br>* The worker_pools variable also now has optional attribute additional_security_group_ids (#386)

Author: kierramarie

modules/fscloud/README.md

@@ -33,15 +33,20 @@ No resources.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | A list of access tags to apply to the resources created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details | `list(string)` | `[]` | no |
+| <a name="input_additional_lb_security_group_ids"></a> [additional\_lb\_security\_group\_ids](#input\_additional\_lb\_security\_group\_ids) | Additional security groups to add to the load balancers associated with the cluster. Ensure that the number\_of\_lbs is set to the number of LBs associated with the cluster. This comes in addition to the IBM maintained security group. | `list(string)` | `[]` | no |
+| <a name="input_additional_vpe_security_group_ids"></a> [additional\_vpe\_security\_group\_ids](#input\_additional\_vpe\_security\_group\_ids) | Additional security groups to add to all existing load balancers. This comes in addition to the IBM maintained security group. | <pre>object({<br>    master   = optional(list(string), [])<br>    registry = optional(list(string), [])<br>    api      = optional(list(string), [])<br>  })</pre> | `{}` | no |
 | <a name="input_addons"></a> [addons](#input\_addons) | Map of OCP cluster add-on versions to install (NOTE: The 'vpc-block-csi-driver' add-on is installed by default for VPC clusters, however you can explicitly specify it here if you wish to choose a later version than the default one). For full list of all supported add-ons and versions, see https://cloud.ibm.com/docs/containers?topic=containers-supported-cluster-addon-versions | <pre>object({<br>    debug-tool                = optional(string)<br>    image-key-synchronizer    = optional(string)<br>    openshift-data-foundation = optional(string)<br>    vpc-file-csi-driver       = optional(string)<br>    static-route              = optional(string)<br>    cluster-autoscaler        = optional(string)<br>    vpc-block-csi-driver      = optional(string)<br>  })</pre> | `null` | no |
+| <a name="input_attach_ibm_managed_security_group"></a> [attach\_ibm\_managed\_security\_group](#input\_attach\_ibm\_managed\_security\_group) | Specify whether to attach the IBM-defined default security group (whose name is kube-<clusterid>) to all worker nodes. Only applicable if custom\_security\_group\_ids is set. | `bool` | `true` | no |
 | <a name="input_cluster_config_endpoint_type"></a> [cluster\_config\_endpoint\_type](#input\_cluster\_config\_endpoint\_type) | Specify which type of endpoint to use for for cluster config access: 'private', 'vpe', 'link'. | `string` | `"private"` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name that will be assigned to the provisioned cluster | `string` | n/a | yes |
 | <a name="input_cluster_ready_when"></a> [cluster\_ready\_when](#input\_cluster\_ready\_when) | The cluster is ready when one of the following: MasterNodeReady (not recommended), OneWorkerNodeReady, Normal, IngressReady | `string` | `"IngressReady"` | no |
+| <a name="input_custom_security_group_ids"></a> [custom\_security\_group\_ids](#input\_custom\_security\_group\_ids) | Security groups to add to all worker nodes. This comes in addition to the IBM maintained security group if use\_ibm\_managed\_security\_group is set to true. If this variable is set, the default VPC security group is NOT assigned to the worker nodes. | `list(string)` | `null` | no |
 | <a name="input_existing_cos_id"></a> [existing\_cos\_id](#input\_existing\_cos\_id) | The COS id of an already existing COS instance | `string` | n/a | yes |
 | <a name="input_force_delete_storage"></a> [force\_delete\_storage](#input\_force\_delete\_storage) | Flag indicating whether or not to delete attached storage when destroying the cluster - Default: false | `bool` | `false` | no |
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | APIkey that's associated with the account to use | `string` | n/a | yes |
 | <a name="input_ignore_worker_pool_size_changes"></a> [ignore\_worker\_pool\_size\_changes](#input\_ignore\_worker\_pool\_size\_changes) | Enable if using worker autoscaling. Stops Terraform managing worker count | `bool` | `false` | no |
 | <a name="input_kms_config"></a> [kms\_config](#input\_kms\_config) | Use to attach a HPCS instance to the cluster. If account\_id is not provided, defaults to the account in use. | <pre>object({<br>    crk_id           = string<br>    instance_id      = string<br>    private_endpoint = optional(bool, true) # defaults to true<br>    account_id       = optional(string)     # To attach HPCS instance from another account<br>  })</pre> | n/a | yes |
+| <a name="input_number_of_lbs"></a> [number\_of\_lbs](#input\_number\_of\_lbs) | The number of LBs to associated the additional\_lb\_security\_group\_names security group with. | `number` | `1` | no |
 | <a name="input_ocp_entitlement"></a> [ocp\_entitlement](#input\_ocp\_entitlement) | Value that is applied to the entitlements for OCP cluster provisioning | `string` | `"cloud_pak"` | no |
 | <a name="input_ocp_version"></a> [ocp\_version](#input\_ocp\_version) | The version of the OpenShift cluster that should be provisioned (format 4.x). This is only used during initial cluster provisioning, but ignored for future updates. Supports passing the string 'default' (current IKS default recommended version). If no value is passed, it will default to 'default'. | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | The IBM Cloud region where the cluster will be provisioned. | `string` | n/a | yes |
@@ -50,7 +55,7 @@ No resources.
 | <a name="input_verify_worker_network_readiness"></a> [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC instance where this cluster will be provisioned | `string` | n/a | yes |
 | <a name="input_vpc_subnets"></a> [vpc\_subnets](#input\_vpc\_subnets) | Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster will be created | <pre>map(list(object({<br>    id         = string<br>    zone       = string<br>    cidr_block = string<br>  })))</pre> | n/a | yes |
-| <a name="input_worker_pools"></a> [worker\_pools](#input\_worker\_pools) | List of worker pools | <pre>list(object({<br>    subnet_prefix     = string<br>    pool_name         = string<br>    machine_type      = string<br>    workers_per_zone  = number<br>    resource_group_id = optional(string)<br>    labels            = optional(map(string))<br>    boot_volume_encryption_kms_config = optional(object({<br>      crk             = string<br>      kms_instance_id = string<br>      kms_account_id  = optional(string)<br>    }))<br>  }))</pre> | n/a | yes |
+| <a name="input_worker_pools"></a> [worker\_pools](#input\_worker\_pools) | List of worker pools | <pre>list(object({<br>    subnet_prefix     = string<br>    pool_name         = string<br>    machine_type      = string<br>    workers_per_zone  = number<br>    resource_group_id = optional(string)<br>    labels            = optional(map(string))<br>    boot_volume_encryption_kms_config = optional(object({<br>      crk             = string<br>      kms_instance_id = string<br>      kms_account_id  = optional(string)<br>    }))<br>    additional_security_group_ids = optional(list(string))<br>  }))</pre> | n/a | yes |
 | <a name="input_worker_pools_taints"></a> [worker\_pools\_taints](#input\_worker\_pools\_taints) | Optional, Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` | `null` | no |
 
 ### Outputs

modules/fscloud/main.tf

@@ -3,26 +3,31 @@
 module "fscloud" {
   source = "../.."
 
-  ibmcloud_api_key                = var.ibmcloud_api_key
-  cluster_name                    = var.cluster_name
-  resource_group_id               = var.resource_group_id
-  region                          = var.region
-  force_delete_storage            = var.force_delete_storage
-  ocp_version                     = var.ocp_version
-  ocp_entitlement                 = var.ocp_entitlement
-  vpc_id                          = var.vpc_id
-  vpc_subnets                     = var.vpc_subnets
-  worker_pools                    = var.worker_pools
-  disable_public_endpoint         = true
-  cluster_config_endpoint_type    = var.cluster_config_endpoint_type
-  cluster_ready_when              = var.cluster_ready_when
-  ignore_worker_pool_size_changes = var.ignore_worker_pool_size_changes
-  verify_worker_network_readiness = var.verify_worker_network_readiness
-  worker_pools_taints             = var.worker_pools_taints
-  use_existing_cos                = true
-  existing_cos_id                 = var.existing_cos_id
-  tags                            = var.tags
-  kms_config                      = var.kms_config
-  addons                          = var.addons
-  access_tags                     = var.access_tags
+  ibmcloud_api_key                  = var.ibmcloud_api_key
+  cluster_name                      = var.cluster_name
+  resource_group_id                 = var.resource_group_id
+  region                            = var.region
+  force_delete_storage              = var.force_delete_storage
+  ocp_version                       = var.ocp_version
+  ocp_entitlement                   = var.ocp_entitlement
+  vpc_id                            = var.vpc_id
+  vpc_subnets                       = var.vpc_subnets
+  worker_pools                      = var.worker_pools
+  disable_public_endpoint           = true
+  cluster_config_endpoint_type      = var.cluster_config_endpoint_type
+  cluster_ready_when                = var.cluster_ready_when
+  ignore_worker_pool_size_changes   = var.ignore_worker_pool_size_changes
+  verify_worker_network_readiness   = var.verify_worker_network_readiness
+  worker_pools_taints               = var.worker_pools_taints
+  use_existing_cos                  = true
+  existing_cos_id                   = var.existing_cos_id
+  tags                              = var.tags
+  kms_config                        = var.kms_config
+  addons                            = var.addons
+  access_tags                       = var.access_tags
+  attach_ibm_managed_security_group = var.attach_ibm_managed_security_group
+  custom_security_group_ids         = var.custom_security_group_ids
+  additional_lb_security_group_ids  = var.additional_lb_security_group_ids
+  number_of_lbs                     = var.number_of_lbs
+  additional_vpe_security_group_ids = var.additional_vpe_security_group_ids
 }

modules/fscloud/variables.tf

@@ -53,6 +53,7 @@ variable "worker_pools" {
       kms_instance_id = string
       kms_account_id  = optional(string)
     }))
+    additional_security_group_ids = optional(list(string))
   }))
   description = "List of worker pools"
 }
@@ -149,4 +150,52 @@ variable "cluster_config_endpoint_type" {
   }
 }
 
+variable "attach_ibm_managed_security_group" {
+  description = "Specify whether to attach the IBM-defined default security group (whose name is kube-<clusterid>) to all worker nodes. Only applicable if custom_security_group_ids is set."
+  type        = bool
+  default     = true
+}
+
+variable "custom_security_group_ids" {
+  description = "Security groups to add to all worker nodes. This comes in addition to the IBM maintained security group if use_ibm_managed_security_group is set to true. If this variable is set, the default VPC security group is NOT assigned to the worker nodes."
+  type        = list(string)
+  default     = null
+  validation {
+    condition     = var.custom_security_group_ids == null ? true : length(var.custom_security_group_ids) <= 4
+    error_message = "Please provide at most 4 additional security groups."
+  }
+}
+
+variable "additional_lb_security_group_ids" {
+  description = "Additional security groups to add to the load balancers associated with the cluster. Ensure that the number_of_lbs is set to the number of LBs associated with the cluster. This comes in addition to the IBM maintained security group."
+  type        = list(string)
+  default     = []
+  nullable    = false
+  validation {
+    condition     = var.additional_lb_security_group_ids == null ? true : length(var.additional_lb_security_group_ids) <= 4
+    error_message = "Please provide at most 4 additional security groups."
+  }
+}
+
+variable "number_of_lbs" {
+  description = "The number of LBs to associated the additional_lb_security_group_names security group with."
+  type        = number
+  default     = 1
+  nullable    = false
+  validation {
+    condition     = var.number_of_lbs >= 1
+    error_message = "Please set the number_of_lbs to a minumum of."
+  }
+}
+
+variable "additional_vpe_security_group_ids" {
+  description = "Additional security groups to add to all existing load balancers. This comes in addition to the IBM maintained security group."
+  type = object({
+    master   = optional(list(string), [])
+    registry = optional(list(string), [])
+    api      = optional(list(string), [])
+  })
+  default = {}
+}
+
 ##############################################################################