feat: new optional attribute account_id added to the kms_config input variable providing the ability to attach a KMS instance to a cluster from a different account. As this feature only became available in IBM provider version 1.60.0, the modules version constraints have been updated to >= 1.60.0, <2.0.0. See [Cross account KMS encryption example](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/tree/kms-acc/examples/cross_kms_support) for more information.(#301)

Ak-sky · web-flow · commit d85b328e58bf · 2023-12-12T09:33:40.000Z
diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml
@@ -16,3 +16,5 @@ offerings:
         mark_ready: true
       - name: add_rules_to_sg
         mark_ready: true
+      - name: cross_kms_support
+        mark_ready: true
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -82,7 +82,7 @@
         "hashed_secret": "dce1f02ca7cc4b63ac43008b7a3ce96e702a0c24",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 40,
+        "line_number": 41,
         "type": "Secret Keyword",
         "verified_result": null
       }
diff --git a/README.md b/README.md
@@ -11,8 +11,8 @@ Use this module to provision an [IBM Cloud Red Hat OpenShift cluster](https://cl
 
 ### Before you begin
 
-- Make sure that you have a recent version of the [IBM Cloud CLI](https://cloud.ibm.com/docs/cli?topic=cli-getting-started)
-- Make sure that you have a recent version of the [IBM Cloud Kubernetes service CLI](https://cloud.ibm.com/docs/containers?topic=containers-kubernetes-service-cli)
+- Make sure that you have a recent version of the [IBM Cloud CLI](https://cloud.ibm.com/docs/cli?topic=cli-getting-started).
+- Make sure that you have a recent version of the [IBM Cloud Kubernetes service CLI](https://cloud.ibm.com/docs/containers?topic=containers-kubernetes-service-cli).
 
 <!-- Below content is automatically populated via pre-commit hook -->
 <!-- BEGIN OVERVIEW HOOK -->
@@ -25,6 +25,7 @@ Use this module to provision an [IBM Cloud Red Hat OpenShift cluster](https://cl
     * [Advanced example (mzr, auto-scale, kms, taints)](./examples/advanced)
     * [Basic single zone example](./examples/basic)
     * [Cluster security group rules example](./examples/add_rules_to_sg)
+    * [Cross account KMS encryption example](./examples/cross_kms_support)
     * [Financial Services compliant example](./examples/fscloud)
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->
@@ -150,7 +151,7 @@ Optionally, you need the following permissions to attach Access Management tags
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0, < 1.6.0 |
-| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.59.0, < 2.0.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.60.0, < 2.0.0 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.16.1 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9.1 |
@@ -195,7 +196,7 @@ Optionally, you need the following permissions to attach Access Management tags
 | <a name="input_force_delete_storage"></a> [force\_delete\_storage](#input\_force\_delete\_storage) | Flag indicating whether or not to delete attached storage when destroying the cluster - Default: false | `bool` | `false` | no |
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | APIkey that's associated with the account to use, set via environment variable TF\_VAR\_ibmcloud\_api\_key | `string` | n/a | yes |
 | <a name="input_ignore_worker_pool_size_changes"></a> [ignore\_worker\_pool\_size\_changes](#input\_ignore\_worker\_pool\_size\_changes) | Enable if using worker autoscaling. Stops Terraform managing worker count | `bool` | `false` | no |
-| <a name="input_kms_config"></a> [kms\_config](#input\_kms\_config) | Use to attach a Key Protect instance to the cluster | <pre>object({<br>    crk_id           = string<br>    instance_id      = string<br>    private_endpoint = optional(bool, true) # defaults to true<br>  })</pre> | `null` | no |
+| <a name="input_kms_config"></a> [kms\_config](#input\_kms\_config) | Use to attach a KMS instance to the cluster. If account\_id is not provided, defaults to the account in use. | <pre>object({<br>    crk_id           = string<br>    instance_id      = string<br>    private_endpoint = optional(bool, true) # defaults to true<br>    account_id       = optional(string)     # To attach KMS instance from another account<br>  })</pre> | `null` | no |
 | <a name="input_manage_all_addons"></a> [manage\_all\_addons](#input\_manage\_all\_addons) | Instructs Terraform to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this module will destroy any addons that were installed by other sources. | `bool` | `false` | no |
 | <a name="input_ocp_entitlement"></a> [ocp\_entitlement](#input\_ocp\_entitlement) | Value that is applied to the entitlements for OCP cluster provisioning | `string` | `"cloud_pak"` | no |
 | <a name="input_ocp_version"></a> [ocp\_version](#input\_ocp\_version) | The version of the OpenShift cluster that should be provisioned (format 4.x). This is only used during initial cluster provisioning, but ignored for future updates. Supports passing the string 'latest' (current latest available version) or 'default' (current IKS default recommended version). If no value is passed, it will default to 'default'. | `string` | `null` | no |
@@ -218,6 +219,7 @@ Optionally, you need the following permissions to attach Access Management tags
 | <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | Name of the created cluster |
 | <a name="output_cos_crn"></a> [cos\_crn](#output\_cos\_crn) | CRN of the COS instance |
 | <a name="output_ingress_hostname"></a> [ingress\_hostname](#output\_ingress\_hostname) | Ingress hostname |
+| <a name="output_kms_config"></a> [kms\_config](#output\_kms\_config) | KMS configuration details |
 | <a name="output_ocp_version"></a> [ocp\_version](#output\_ocp\_version) | Openshift Version of the cluster |
 | <a name="output_private_service_endpoint_url"></a> [private\_service\_endpoint\_url](#output\_private\_service\_endpoint\_url) | Private service endpoint URL |
 | <a name="output_public_service_endpoint_url"></a> [public\_service\_endpoint\_url](#output\_public\_service\_endpoint\_url) | Public service endpoint URL |
diff --git a/common-dev-assets b/common-dev-assets
@@ -1 +1 @@
-Subproject commit b273cc7cd7d2a80da1ed02684c3250150faaa03b
+Subproject commit 3f72dcec43245fcd9c9e9b99dfa13158a1d280fb
diff --git a/examples/add_rules_to_sg/README.md b/examples/add_rules_to_sg/README.md
@@ -4,6 +4,6 @@ This example will add security rules to the `kube-<vpcid>` and `kube-<clusterId>
 
 The following resources are provisioned by this example:
 - A new resource group, if an existing one is not passed in.
-- A VPC with subnets in a single zone and public gw attached
-- Security rules to the `kube-<vpcid>` and `kube-<clusterId>` security groups
-- A basic single zone OCP VPC cluster
+- A VPC with subnets in a single zone and public gw attached.
+- Security rules to the `kube-<vpcid>` and `kube-<clusterId>` security groups.
+- A basic single zone OCP VPC cluster.
diff --git a/examples/add_rules_to_sg/version.tf b/examples/add_rules_to_sg/version.tf
@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = "1.59.0"
+      version = "1.60.0"
     }
   }
 }
diff --git a/examples/advanced/README.md b/examples/advanced/README.md
@@ -1,12 +1,12 @@
 # Advanced example (mzr, auto-scale, kms, taints)
 
-An advanced example which shows how to create a multi-zone KMS encrypted OCP VPC cluster with custom worker node taints
+An advanced example which shows how to create a multi-zone KMS encrypted OCP VPC cluster with custom worker node taints.
 
 The following resources are provisioned by this example:
 - A new resource group, if an existing one is not passed in.
-- A Key Protect instance with 2 root keys, one for cluster encryption, and one for worker block storage encryption
-- A VPC with subnets across 3 zones
-- A public gateway only in zone-1
-- A multi-zone (3 zone) KMS encrypted OCP VPC cluster, with worker pools in each zone
-- Auto scaling enabled for the default worker pool
-- Taints against the workers in zone-2 and zone-3
+- A Key Protect instance with 2 root keys, one for cluster encryption, and one for worker block storage encryption.
+- A VPC with subnets across 3 zones.
+- A public gateway only in zone-1.
+- A multi-zone (3 zone) KMS encrypted OCP VPC cluster, with worker pools in each zone.
+- Auto scaling enabled for the default worker pool.
+- Taints against the workers in zone-2 and zone-3.
diff --git a/examples/advanced/version.tf b/examples/advanced/version.tf
@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = ">= 1.59.0"
+      version = ">= 1.60.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
diff --git a/examples/basic/README.md b/examples/basic/README.md
@@ -4,5 +4,5 @@ A simple example that shows how to provision a basic single zone OCP VPC cluster
 
 The following resources are provisioned by this example:
 - A new resource group, if an existing one is not passed in.
-- A basic VPC and subnet with public gateway enabled
-- A single zone OCP VPC cluster
+- A basic VPC and subnet with public gateway enabled.
+- A single zone OCP VPC cluster.
diff --git a/examples/basic/version.tf b/examples/basic/version.tf
@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = "1.59.0"
+      version = "1.60.0"
     }
   }
 }
diff --git a/examples/cross_kms_support/README.md b/examples/cross_kms_support/README.md
@@ -0,0 +1,14 @@
+# Cross account KMS encryption example
+
+A simple example that shows how to provision a VPC with single subnet in a single zone with a public gateway enabled OCP VPC cluster with cross account KMS encryption.
+
+The following resources are provisioned by this example:
+- A new resource group, if an existing one is not passed in.
+- A basic VPC and subnet with public gateway enabled.
+- A single zone OCP VPC cluster configured with KMS encryption for cluster data and worker block storage using a KMS encryption key from another account.
+- Will allow all traffic ingress/egress by default.
+
+## Note:
+- This requires an `account_id` value (IBM account ID where KMS instance is deployed) in the `kms_config` input variable.
+- An IBM IAM service to service authorization policy between VPC cluster and KMS instance is required to set up in the IBM account where KMS instance is created.
+- For production use cases this would need to be enhanced by adding more subnets and zones for resiliency and ACLs/Security Groups for network security.
diff --git a/examples/cross_kms_support/catalogValidationValues.json.template b/examples/cross_kms_support/catalogValidationValues.json.template
@@ -0,0 +1,9 @@
+{
+  "ibmcloud_api_key": $VALIDATION_APIKEY,
+  "region": "au-syd",
+  "resource_tags": $TAGS,
+  "prefix": $PREFIX,
+  "kms_instance_guid": $GE_OPS_KP_US_SOUTH_GUID,
+  "kms_key_id": $GE_OPS_KP_US_ROOT_KEY_ID,
+  "kms_cross_account_id": $GE_OPS_ACCOUNT_ID
+}
diff --git a/examples/cross_kms_support/main.tf b/examples/cross_kms_support/main.tf
@@ -0,0 +1,95 @@
+########################################################################################################################
+# Resource Group
+########################################################################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.4"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+########################################################################################################################
+# VPC + Subnet + Public Gateway
+#
+# NOTE: This is a very simple VPC with single subnet in a single zone with a public gateway enabled, that will allow
+# all traffic ingress/egress by default.
+# For production use cases this would need to be enhanced by adding more subnets and zones for resiliency, and
+# ACLs/Security Groups for network security.
+########################################################################################################################
+
+resource "ibm_is_vpc" "vpc" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+resource "ibm_is_public_gateway" "gateway" {
+  name           = "${var.prefix}-gateway-1"
+  vpc            = ibm_is_vpc.vpc.id
+  resource_group = module.resource_group.resource_group_id
+  zone           = "${var.region}-1"
+}
+
+resource "ibm_is_subnet" "subnet_zone_1" {
+  name                     = "${var.prefix}-subnet-1"
+  vpc                      = ibm_is_vpc.vpc.id
+  resource_group           = module.resource_group.resource_group_id
+  zone                     = "${var.region}-1"
+  total_ipv4_address_count = 256
+  public_gateway           = ibm_is_public_gateway.gateway.id
+}
+
+########################################################################################################################
+# OCP VPC cluster (single zone)
+########################################################################################################################
+
+locals {
+  boot_volume_encryption_kms_config = {
+    crk             = var.kms_key_id
+    kms_instance_id = var.kms_instance_guid
+    kms_account_id  = var.kms_cross_account_id
+  }
+
+  cluster_vpc_subnets = {
+    default = [
+      {
+        id         = ibm_is_subnet.subnet_zone_1.id
+        cidr_block = ibm_is_subnet.subnet_zone_1.ipv4_cidr_block
+        zone       = ibm_is_subnet.subnet_zone_1.zone
+      }
+    ]
+  }
+
+  worker_pools = [
+    {
+      subnet_prefix                     = "default"
+      pool_name                         = "default" # ibm_container_vpc_cluster automatically names default pool "default" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
+      machine_type                      = "bx2.4x16"
+      workers_per_zone                  = 2 # minimum of 2 is allowed when using single zone
+      boot_volume_encryption_kms_config = local.boot_volume_encryption_kms_config
+    }
+  ]
+}
+
+module "ocp_base" {
+  source               = "../.."
+  ibmcloud_api_key     = var.ibmcloud_api_key
+  resource_group_id    = module.resource_group.resource_group_id
+  region               = var.region
+  tags                 = var.resource_tags
+  cluster_name         = var.prefix
+  force_delete_storage = true
+  vpc_id               = ibm_is_vpc.vpc.id
+  vpc_subnets          = local.cluster_vpc_subnets
+  ocp_version          = var.ocp_version
+  worker_pools         = local.worker_pools
+  access_tags          = var.access_tags
+
+  kms_config = {
+    instance_id = var.kms_instance_guid
+    crk_id      = var.kms_key_id
+    account_id  = var.kms_cross_account_id
+  }
+}
diff --git a/examples/cross_kms_support/outputs.tf b/examples/cross_kms_support/outputs.tf
@@ -0,0 +1,18 @@
+########################################################################################################################
+# Outputs
+########################################################################################################################
+
+output "cluster_name" {
+  value       = module.ocp_base.cluster_name
+  description = "The name of the provisioned cluster."
+}
+
+output "kms_cross_account_id" {
+  value       = module.ocp_base.kms_config.account_id
+  description = "Id of the cross account which owns the KMS instance."
+}
+
+output "kms_instance_guid" {
+  value       = module.ocp_base.kms_config.instance_id
+  description = "GUID of the KMS instance existing in the cross account."
+}
diff --git a/examples/cross_kms_support/provider.tf b/examples/cross_kms_support/provider.tf
@@ -0,0 +1,8 @@
+########################################################################################################################
+# Provider config
+########################################################################################################################
+
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}
diff --git a/examples/cross_kms_support/variables.tf b/examples/cross_kms_support/variables.tf
@@ -0,0 +1,64 @@
+########################################################################################################################
+# Input variables
+########################################################################################################################
+
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud api token"
+  sensitive   = true
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix for name of all resource created by this example"
+  default     = "cross-kms"
+  validation {
+    error_message = "Prefix must begin and end with a letter and contain only letters, numbers, and - characters."
+    condition     = can(regex("^([A-z]|[a-z][-a-z0-9]*[a-z0-9])$", var.prefix))
+  }
+}
+
+variable "region" {
+  type        = string
+  description = "Region where resources are created"
+  default     = "us-south"
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
+}
+
+variable "ocp_version" {
+  type        = string
+  description = "Version of the OCP cluster to provision"
+  default     = null
+}
+
+variable "access_tags" {
+  type        = list(string)
+  description = "A list of access tags to apply to the resources created by the module."
+  default     = []
+}
+
+variable "kms_instance_guid" {
+  type        = string
+  description = "The GUID of the KMS instance to provision the encryption keys"
+}
+
+variable "kms_key_id" {
+  type        = string
+  description = "The id of the root key in the KMS instance that will be used to encrypt the cluster."
+}
+
+variable "kms_cross_account_id" {
+  type        = string
+  description = "Id of the account that owns the KMS instance to encrypt the cluster"
+}
diff --git a/examples/cross_kms_support/version.tf b/examples/cross_kms_support/version.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_version = ">= 1.3.0, <1.6.0"
+
+  # Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
+  # module's version.tf (basic and add_rules_to_sg), and 1 example that will always use the latest provider version (advanced, fscloud and multiple mzr).
+  required_providers {
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = "1.60.0"
+    }
+  }
+}
diff --git a/examples/fscloud/README.md b/examples/fscloud/README.md
@@ -4,13 +4,13 @@ This example uses the [Profile for IBM Cloud Framework for Financial Services](h
 
 The following resources are provisioned by this example:
 - A new resource group, if an existing one is not passed in.
-- A Cloud Object Storage instance
-- An Object Storage bucket (for VPC Flow logs)
-- A secure Virtual Private Cloud (VPC)
-- An IBM Cloud Monitoring (Sysdig) instance
-- An IBM Cloud Activity Tracker instance, if existing ones is not passed in
-- A context-based restriction (CBR) rule to only allow COS Instance to be accessible from within the VPC
-- An OCP cluster in a VPC with the default worker pool deployed across 3 availability zones with cluster and boot volume encrypted with the given Hyper Protect Crypto Service root key
+- A Cloud Object Storage instance.
+- An Object Storage bucket (for VPC Flow logs).
+- A secure Virtual Private Cloud (VPC).
+- An IBM Cloud Monitoring (Sysdig) instance.
+- An IBM Cloud Activity Tracker instance, if existing ones is not passed in.
+- A context-based restriction (CBR) rule to only allow COS Instance to be accessible from within the VPC.
+- An OCP cluster in a VPC with the default worker pool deployed across 3 availability zones with cluster and boot volume encrypted with the given Hyper Protect Crypto Service root key.
 
 :exclamation: **Important:** OCP provisions a COS bucket, but you cannot use your own encryption keys. This will fail the requirement for Cloud Object Storage to be enabled with customer-managed encryption and Keep Your Own Key (KYOK). In OCP 4.14, COS will become optional to provision a cluster.
 
diff --git a/examples/fscloud/version.tf b/examples/fscloud/version.tf
@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "ibm-cloud/ibm"
-      version = ">= 1.59.0"
+      version = ">= 1.60.0"
     }
     logdna = {
       source  = "logdna/logdna"
diff --git a/examples/multiple_mzr_clusters/version.tf b/examples/multiple_mzr_clusters/version.tf
@@ -6,7 +6,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "ibm-cloud/ibm"
-      version = ">= 1.59.0"
+      version = ">= 1.60.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
diff --git a/ibm_catalog.json b/ibm_catalog.json
diff --git a/main.tf b/main.tf
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
diff --git a/modules/fscloud/version.tf b/modules/fscloud/version.tf
diff --git a/outputs.tf b/outputs.tf
diff --git a/tests/other_test.go b/tests/other_test.go
diff --git a/tests/pr_test.go b/tests/pr_test.go
diff --git a/variables.tf b/variables.tf
diff --git a/version.tf b/version.tf

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@`
`82`	`82`	`"hashed_secret": "dce1f02ca7cc4b63ac43008b7a3ce96e702a0c24",`
`83`	`83`	`"is_secret": false,`
`84`	`84`	`"is_verified": false,`
`85`		`- "line_number": 40,`
	`85`	`+ "line_number": 41,`
`86`	`86`	`"type": "Secret Keyword",`
`87`	`87`	`"verified_result": null`
`88`	`88`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ terraform {`
`6`	`6`	`required_providers {`
`7`	`7`	`ibm = {`
`8`	`8`	`source = "IBM-Cloud/ibm"`
`9`		`- version = "1.59.0"`
	`9`	`+ version = "1.60.0"`
`10`	`10`	`}`
`11`	`11`	`}`
`12`	`12`	`}`