feat: add support for access tags (#94)

Author: MatthewLemmond

README.md

@@ -109,6 +109,12 @@ You need the following permissions to run this module.
         - `Administrator` platform access
         - `Manager` service access
 
+Optionally, you need the following permissions to attach Access Management tags to resources in this module.
+
+- IAM Services
+    - **Tagging** service
+        - `Administrator` platform access
+
 ## Note :
  - One worker pool should always be named as `default`. Refer [issue 2849](https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849) for further details.
 
@@ -145,6 +151,8 @@ No modules.
 | [ibm_container_vpc_worker_pool.autoscaling_pool](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_vpc_worker_pool) | resource |
 | [ibm_container_vpc_worker_pool.pool](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_vpc_worker_pool) | resource |
 | [ibm_resource_instance.cos_instance](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_instance) | resource |
+| [ibm_resource_tag.cluster_access_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource |
+| [ibm_resource_tag.cos_access_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource |
 | [null_resource.confirm_network_healthy](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.reset_api_key](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [ibm_container_cluster_config.cluster_config](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster_config) | data source |
@@ -154,6 +162,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | A list of access tags to apply to the resources created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details | `list(string)` | `[]` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name that will be assigned to the provisioned cluster | `string` | n/a | yes |
 | <a name="input_cluster_ready_when"></a> [cluster\_ready\_when](#input\_cluster\_ready\_when) | The cluster is ready when one of the following: MasterNodeReady (not recommended), OneWorkerNodeReady, Normal, IngressReady | `string` | `"IngressReady"` | no |
 | <a name="input_cos_name"></a> [cos\_name](#input\_cos\_name) | Name of the COS instance to provision. New instance only provisioned if `use_existing_cos = false`. Default: `<cluster_name>_cos` | `string` | `null` | no |

examples/standard/main.tf

@@ -89,6 +89,7 @@ module "ocp_base" {
     instance_id = module.kp_all_inclusive.key_protect_guid
     crk_id      = module.kp_all_inclusive.keys["ocp.${var.prefix}-cluster-key"].key_id
   }
+  access_tags = var.access_tags
 }
 
 ##############################################################################

examples/standard/variables.tf

@@ -60,6 +60,12 @@ variable "worker_pools" {
   default     = []
 }
 
+variable "access_tags" {
+  type        = list(string)
+  description = "Optional list of access management tags to be added to the created resources."
+  default     = []
+}
+
 ##############################################################################
 # VPC variables
 ##############################################################################

main.tf

@@ -44,6 +44,13 @@ resource "ibm_resource_instance" "cos_instance" {
   location          = local.cos_location
 }
 
+resource "ibm_resource_tag" "cos_access_tag" {
+  count       = var.use_existing_cos || length(var.access_tags) == 0 ? 0 : 1
+  resource_id = ibm_resource_instance.cos_instance[0].crn
+  tags        = var.access_tags
+  tag_type    = "access"
+}
+
 ##############################################################################
 # Create a OCP Cluster
 ##############################################################################
@@ -170,6 +177,17 @@ resource "ibm_container_vpc_cluster" "autoscaling_cluster" {
   }
 }
 
+##############################################################################
+# Cluster Access Tag
+##############################################################################
+
+resource "ibm_resource_tag" "cluster_access_tag" {
+  count       = length(var.access_tags) == 0 ? 0 : 1
+  resource_id = var.ignore_worker_pool_size_changes ? ibm_container_vpc_cluster.autoscaling_cluster[0].crn : ibm_container_vpc_cluster.cluster[0].crn
+  tags        = var.access_tags
+  tag_type    = "access"
+}
+
 # Cluster provisioning will automatically create an IAM API key called "containers-kubernetes-key" if one does not exist
 # for the given region and resource group. The API key is used to access several services, such as the IBM Cloud classic
 # infrastructure portfolio, and is required to manage the cluster. Immediately after the IAM API key is created and

module-metadata.json

@@ -1,6 +1,28 @@
 {
   "path": ".",
   "variables": {
+    "access_tags": {
+      "name": "access_tags",
+      "type": "list(string)",
+      "description": "A list of access tags to apply to the resources created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details",
+      "default": [],
+      "source": [
+        "ibm_resource_tag.cluster_access_tag.count",
+        "ibm_resource_tag.cluster_access_tag.tags",
+        "ibm_resource_tag.cos_access_tag.tags"
+      ],
+      "pos": {
+        "filename": "variables.tf",
+        "line": 148
+      },
+      "min_length": 1,
+      "max_length": 128,
+      "matches": "^[A-Za-z0-9:_ .-]+$",
+      "computed": true,
+      "elem": {
+        "type": "TypeString"
+      }
+    },
     "cluster_name": {
       "name": "cluster_name",
       "type": "string",
@@ -92,14 +114,19 @@
       "type": "bool",
       "description": "Enable if using worker autoscaling. Stops Terraform managing worker count",
       "default": false,
+      "required": true,
       "source": [
         "ibm_container_vpc_cluster.autoscaling_cluster.count",
-        "ibm_container_vpc_cluster.cluster.count"
+        "ibm_container_vpc_cluster.cluster.count",
+        "ibm_resource_tag.cluster_access_tag.resource_id"
       ],
       "pos": {
         "filename": "variables.tf",
         "line": 66
-      }
+      },
+      "min_length": 1,
+      "max_length": 1024,
+      "matches": "^crn:v1(:[a-zA-Z0-9 \\-\\._~\\*\\+,;=!$\u0026'\\(\\)\\/\\?#\\[\\]@]*){8}$|^[0-9]+$"
     },
     "kms_config": {
       "name": "kms_config",
@@ -194,7 +221,8 @@
       "description": "Flag indicating whether or not to use an existing COS instance",
       "default": false,
       "source": [
-        "ibm_resource_instance.cos_instance.count"
+        "ibm_resource_instance.cos_instance.count",
+        "ibm_resource_tag.cos_access_tag.count"
       ],
       "pos": {
         "filename": "variables.tf",
@@ -212,7 +240,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 154
+        "line": 167
       }
     },
     "vpc_id": {
@@ -228,7 +256,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 149
+        "line": 162
       },
       "immutable": true
     },
@@ -399,7 +427,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 113
+        "line": 120
       }
     },
     "ibm_container_vpc_cluster.cluster": {
@@ -422,7 +450,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 51
+        "line": 58
       }
     },
     "ibm_container_vpc_worker_pool.autoscaling_pool": {
@@ -438,7 +466,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 253
+        "line": 271
       }
     },
     "ibm_container_vpc_worker_pool.pool": {
@@ -454,7 +482,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 212
+        "line": 230
       }
     },
     "ibm_resource_instance.cos_instance": {
@@ -473,6 +501,39 @@
         "line": 37
       }
     },
+    "ibm_resource_tag.cluster_access_tag": {
+      "mode": "managed",
+      "type": "ibm_resource_tag",
+      "name": "cluster_access_tag",
+      "attributes": {
+        "count": "access_tags",
+        "resource_id": "ignore_worker_pool_size_changes",
+        "tags": "access_tags"
+      },
+      "provider": {
+        "name": "ibm"
+      },
+      "pos": {
+        "filename": "main.tf",
+        "line": 184
+      }
+    },
+    "ibm_resource_tag.cos_access_tag": {
+      "mode": "managed",
+      "type": "ibm_resource_tag",
+      "name": "cos_access_tag",
+      "attributes": {
+        "count": "use_existing_cos",
+        "tags": "access_tags"
+      },
+      "provider": {
+        "name": "ibm"
+      },
+      "pos": {
+        "filename": "main.tf",
+        "line": 47
+      }
+    },
     "null_resource.confirm_network_healthy": {
       "mode": "managed",
       "type": "null_resource",
@@ -485,7 +546,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 313
+        "line": 331
       }
     },
     "null_resource.reset_api_key": {
@@ -497,7 +558,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 187
+        "line": 205
       }
     }
   },
@@ -515,7 +576,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 201
+        "line": 219
       }
     },
     "data.ibm_container_cluster_versions.cluster_versions": {

tests/pr_test.go

@@ -2,30 +2,42 @@
 package test
 
 import (
+	"log"
 	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/cloudinfo"
+	"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/common"
 	"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
 )
 
 const resourceGroup = "geretain-test-base-ocp-vpc"
 const standardExampleTerraformDir = "examples/standard"
 
+// Define a struct with fields that match the structure of the YAML data
+const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-resources.yaml"
+
 // Ensure there is one test per supported OCP version
 const ocpVersion1 = "4.12"
 const ocpVersion2 = "4.11"
 const ocpVersion3 = "4.10"
 const ocpVersion4 = "4.9"
 
 var sharedInfoSvc *cloudinfo.CloudInfoService
+var permanentResources map[string]interface{}
 
 // TestMain will be run before any parallel tests, used to set up a shared InfoService object to track region usage
 // for multiple tests
 func TestMain(m *testing.M) {
-
 	sharedInfoSvc, _ = cloudinfo.NewCloudInfoServiceFromEnv("TF_VAR_ibmcloud_api_key", cloudinfo.CloudInfoServiceOptions{})
+
+	var err error
+	permanentResources, err = common.LoadMapFromYaml(yamlLocation)
+	if err != nil {
+		log.Fatal(err)
+	}
+
 	os.Exit(m.Run())
 }
 
@@ -38,6 +50,7 @@ func setupOptions(t *testing.T, prefix string, terraformDir string) *testhelper.
 		CloudInfoService: sharedInfoSvc,
 		TerraformVars: map[string]interface{}{
 			"ocp_version": ocpVersion1,
+			"access_tags": permanentResources["accessTags"],
 		},
 	})
 

variables.tf

@@ -145,6 +145,19 @@ variable "kms_config" {
   default     = null
 }
 
+variable "access_tags" {
+  type        = list(string)
+  description = "A list of access tags to apply to the resources created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details"
+  default     = []
+
+  validation {
+    condition = alltrue([
+      for tag in var.access_tags : can(regex("[\\w\\-_\\.]+:[\\w\\-_\\.]+", tag)) && length(tag) <= 128
+    ])
+    error_message = "Tags must match the regular expression \"[\\w\\-_\\.]+:[\\w\\-_\\.]+\", see https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits for more details"
+  }
+}
+
 # VPC Variables
 variable "vpc_id" {
   type        = string