terraform-ibm-modules
diff --git a/‎README.md‎
Lines changed: 3 additions & 5 deletions b/‎README.md‎
Lines changed: 3 additions & 5 deletions
diff --git a/‎main.tf‎
Lines changed: 6 additions & 11 deletions b/‎main.tf‎
Lines changed: 6 additions & 11 deletions
diff --git a/‎modules/kube-audit/README.md‎
Lines changed: 2 additions & 2 deletions b/‎modules/kube-audit/README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎modules/kube-audit/main.tf‎
Lines changed: 10 additions & 8 deletions b/‎modules/kube-audit/main.tf‎
Lines changed: 10 additions & 8 deletions
diff --git a/‎modules/kube-audit/scripts/confirm-rollout-status.sh‎
Lines changed: 1 addition & 0 deletions b/‎modules/kube-audit/scripts/confirm-rollout-status.sh‎
Lines changed: 1 addition & 0 deletions
@@ -17,9 +17,8 @@ Optionally, the module supports advanced security group management for the worke
 
 - Ensure that you have an up-to-date version of the [jq](https://jqlang.github.io/jq).
 - Ensure that you have an up-to-date version of the [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl).
-- Ensure that you have an up-to-date version of the [oc](https://docs.redhat.com/en/documentation/openshift_container_platform/4.11/html/cli_tools/openshift-cli-oc).
 
-By default, the module automatically downloads the required dependencies if they are not already installed. You can disable this behavior by setting `install_dependencies` to `false`. When enabled, the module fetches dependencies from official online binaries. If you prefer to use third-party repositories, you can specify their URLs by setting the following environment variables: `CUSTOM_KUBECTL_URL`, `CUSTOM_JQ_URL`, and `CUSTOM_OC_URL`.
+By default, the module automatically downloads the required dependencies if they are not already installed. You can disable this behavior by setting `install_required_binaries` to `false`. When enabled, the module fetches dependencies from official online binaries. If you prefer to use third-party repositories, you can specify their URLs by setting the following environment variables: `KUBECTL_DOWNLOAD_URL`, `JQ_DOWNLOAD_URL`.
 
 <!-- Below content is automatically populated via pre-commit hook -->
 <!-- BEGIN OVERVIEW HOOK -->
@@ -323,7 +322,7 @@ Optionally, you need the following permissions to attach Access Management tags
 | [kubernetes_config_map_v1_data.set_autoscaling](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1_data) | resource |
 | [null_resource.config_map_status](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.confirm_network_healthy](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [null_resource.install_dependencies](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.install_required_binaries](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.ocp_console_management](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [time_sleep.wait_for_auth_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [ibm_container_addons.existing_addons](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_addons) | data source |
@@ -350,7 +349,6 @@ Optionally, you need the following permissions to attach Access Management tags
 | <a name="input_cluster_ready_when"></a> [cluster\_ready\_when](#input\_cluster\_ready\_when) | The cluster is ready based on one of the following:: MasterNodeReady (not recommended), OneWorkerNodeReady, Normal, IngressReady | `string` | `"IngressReady"` | no |
 | <a name="input_cos_name"></a> [cos\_name](#input\_cos\_name) | Name of the COS instance to provision for OpenShift internal registry storage. New instance only provisioned if 'enable\_registry\_storage' is true and 'use\_existing\_cos' is false. Default: '<cluster\_name>\_cos' | `string` | `null` | no |
 | <a name="input_custom_security_group_ids"></a> [custom\_security\_group\_ids](#input\_custom\_security\_group\_ids) | Security groups to add to all worker nodes. This comes in addition to the IBM maintained security group if `attach_ibm_managed_security_group` is set to true. If this variable is set, the default VPC security group is NOT assigned to the worker nodes. | `list(string)` | `null` | no |
-| <a name="input_disable_external_binary_download"></a> [disable\_external\_binary\_download](#input\_disable\_external\_binary\_download) | Set this variable to true to prevent the script from downloading binaries from the internet. | `bool` | `false` | no |
 | <a name="input_disable_outbound_traffic_protection"></a> [disable\_outbound\_traffic\_protection](#input\_disable\_outbound\_traffic\_protection) | Whether to allow public outbound access from the cluster workers. This is only applicable for OCP 4.15 and later. | `bool` | `false` | no |
 | <a name="input_disable_public_endpoint"></a> [disable\_public\_endpoint](#input\_disable\_public\_endpoint) | Whether access to the public service endpoint is disabled when the cluster is created. Does not affect existing clusters. You can't disable a public endpoint on an existing cluster, so you can't convert a public cluster to a private cluster. To change a public endpoint to private, create another cluster with this input set to `true`. | `bool` | `false` | no |
 | <a name="input_enable_ocp_console"></a> [enable\_ocp\_console](#input\_enable\_ocp\_console) | Flag to specify whether to enable or disable the OpenShift console. If set to `null` the module does not modify the current setting on the cluster. Keep in mind that when this input is set to `true` or `false` on a cluster with private only endpoint enabled, the runtime must be able to access the private endpoint. | `bool` | `null` | no |
@@ -361,7 +359,7 @@ Optionally, you need the following permissions to attach Access Management tags
 | <a name="input_existing_secrets_manager_instance_crn"></a> [existing\_secrets\_manager\_instance\_crn](#input\_existing\_secrets\_manager\_instance\_crn) | CRN of the Secrets Manager instance where Ingress certificate secrets are stored. If 'enable\_secrets\_manager\_integration' is set to true then this value is required. | `string` | `null` | no |
 | <a name="input_force_delete_storage"></a> [force\_delete\_storage](#input\_force\_delete\_storage) | Flag indicating whether or not to delete attached storage when destroying the cluster - Default: false | `bool` | `false` | no |
 | <a name="input_ignore_worker_pool_size_changes"></a> [ignore\_worker\_pool\_size\_changes](#input\_ignore\_worker\_pool\_size\_changes) | Enable if using worker autoscaling. Stops Terraform managing worker count | `bool` | `false` | no |
-| <a name="input_install_dependencies"></a> [install\_dependencies](#input\_install\_dependencies) | This module includes scripts to support cluster provisioning. Set this variable to true to install all required runtime dependencies. | `bool` | `true` | no |
+| <a name="input_install_required_binaries"></a> [install\_required\_binaries](#input\_install\_required\_binaries) | When set to true, a script will run to check if `kubectl` and `jq` exist on the runtime and if not attempt to download them from the public internet and install them to /tmp. If the runtime does not have access to the public internet, you can override the download urls using environment variables `KUBECTL_DOWNLOAD_URL` and `JQ_DOWNLOAD_URL`. Set to false to skip running this script. | `bool` | `true` | no |
 | <a name="input_kms_config"></a> [kms\_config](#input\_kms\_config) | Use to attach a KMS instance to the cluster. If account\_id is not provided, defaults to the account in use. | <pre>object({<br/>    crk_id           = string<br/>    instance_id      = string<br/>    private_endpoint = optional(bool, true) # defaults to true<br/>    account_id       = optional(string)     # To attach KMS instance from another account<br/>    wait_for_apply   = optional(bool, true) # defaults to true so terraform will wait until the KMS is applied to the master, ready and deployed<br/>  })</pre> | `null` | no |
 | <a name="input_manage_all_addons"></a> [manage\_all\_addons](#input\_manage\_all\_addons) | Instructs Terraform to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this module destroys any addons that were installed by other sources. | `bool` | `false` | no |
 | <a name="input_number_of_lbs"></a> [number\_of\_lbs](#input\_number\_of\_lbs) | The number of LBs to associated the `additional_lb_security_group_names` security group with. | `number` | `1` | no |
 
@@ -99,18 +99,14 @@ locals {
   default_wp_validation = local.rhcos_check ? true : tobool("If RHCOS is used with this cluster, the default worker pool should be created with RHCOS.")
 }
 
-resource "null_resource" "install_dependencies" {
-  count = var.install_dependencies ? 1 : 0
-  # change trigger to run every time
+resource "null_resource" "install_required_binaries" {
+  count = var.install_required_binaries && (var.verify_worker_network_readiness || var.enable_ocp_console != null || lookup(var.addons, "cluster-autoscaler", null) != null) ? 1 : 0
   triggers = {
     build_number = timestamp()
   }
   provisioner "local-exec" {
-    command     = "${path.module}/scripts/install-deps.sh"
+    command     = "${path.module}/scripts/install-binaries.sh"
     interpreter = ["/bin/bash", "-c"]
-    environment = {
-      DISABLE_EXTERNAL_DOWNLOADS = var.disable_external_binary_download
-    }
   }
 }
 
@@ -491,7 +487,7 @@ resource "null_resource" "confirm_network_healthy" {
   # Worker pool creation can start before the 'ibm_container_vpc_cluster' completes since there is no explicit
   # depends_on in 'ibm_container_vpc_worker_pool', just an implicit depends_on on the cluster ID. Cluster ID can exist before
   # 'ibm_container_vpc_cluster' completes, so hence need to add explicit depends on against 'ibm_container_vpc_cluster' here.
-  depends_on = [null_resource.install_dependencies, ibm_container_vpc_cluster.cluster, ibm_container_vpc_cluster.cluster_with_upgrade, ibm_container_vpc_cluster.autoscaling_cluster, ibm_container_vpc_cluster.autoscaling_cluster_with_upgrade, module.worker_pools]
+  depends_on = [null_resource.install_required_binaries, ibm_container_vpc_cluster.cluster, ibm_container_vpc_cluster.cluster_with_upgrade, ibm_container_vpc_cluster.autoscaling_cluster, ibm_container_vpc_cluster.autoscaling_cluster_with_upgrade, module.worker_pools]
 
   provisioner "local-exec" {
     command     = "${path.module}/scripts/confirm_network_healthy.sh"
@@ -507,7 +503,7 @@ resource "null_resource" "confirm_network_healthy" {
 ##############################################################################
 resource "null_resource" "ocp_console_management" {
   count      = var.enable_ocp_console != null ? 1 : 0
-  depends_on = [null_resource.install_dependencies, null_resource.confirm_network_healthy]
+  depends_on = [null_resource.install_required_binaries, null_resource.confirm_network_healthy]
   provisioner "local-exec" {
     command     = "${path.module}/scripts/enable_disable_ocp_console.sh"
     interpreter = ["/bin/bash", "-c"]
@@ -581,7 +577,7 @@ locals {
 
 resource "null_resource" "config_map_status" {
   count      = lookup(var.addons, "cluster-autoscaler", null) != null ? 1 : 0
-  depends_on = [null_resource.install_dependencies, ibm_container_addons.addons]
+  depends_on = [null_resource.install_required_binaries, ibm_container_addons.addons]
 
   provisioner "local-exec" {
     command     = "${path.module}/scripts/get_config_map_status.sh"
@@ -772,7 +768,6 @@ resource "time_sleep" "wait_for_auth_policy" {
   create_duration = "30s"
 }
 
-
 resource "ibm_container_ingress_instance" "instance" {
   count           = var.enable_secrets_manager_integration ? 1 : 0
   depends_on      = [time_sleep.wait_for_auth_policy]
 
@@ -70,7 +70,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [helm_release.kube_audit](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
-| [null_resource.install_dependencies](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.install_required_binaries](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.set_audit_log_policy](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.set_audit_webhook](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [time_sleep.wait_for_kube_audit](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
@@ -91,7 +91,7 @@ No modules.
 | <a name="input_cluster_resource_group_id"></a> [cluster\_resource\_group\_id](#input\_cluster\_resource\_group\_id) | The resource group ID of the cluster. | `string` | n/a | yes |
 | <a name="input_disable_external_binary_download"></a> [disable\_external\_binary\_download](#input\_disable\_external\_binary\_download) | Set this variable to true to prevent the script from downloading binaries from the internet. | `bool` | `false` | no |
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud api key to generate an IAM token. | `string` | n/a | yes |
-| <a name="input_install_dependencies"></a> [install\_dependencies](#input\_install\_dependencies) | This module includes scripts to support cluster provisioning. Set this variable to true to install all required runtime dependencies. | `bool` | `true` | no |
+| <a name="input_install_required_binaries"></a> [install\_required\_binaries](#input\_install\_required\_binaries) | This module includes scripts to support cluster provisioning. Set this variable to true to install all required runtime dependencies. | `bool` | `true` | no |
 | <a name="input_region"></a> [region](#input\_region) | The IBM Cloud region where the cluster is provisioned. | `string` | n/a | yes |
 | <a name="input_use_private_endpoint"></a> [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all api calls to use the IBM Cloud private endpoints. | `bool` | `false` | no |
 | <a name="input_wait_till"></a> [wait\_till](#input\_wait\_till) | To avoid long wait times when you run your Terraform code, you can specify the stage when you want Terraform to mark the cluster resource creation as completed. Depending on what stage you choose, the cluster creation might not be fully completed and continues to run in the background. However, your Terraform code can continue to run without waiting for the cluster to be fully created. Supported args are `MasterNodeReady`, `OneWorkerNodeReady`, `IngressReady` and `Normal` | `string` | `"IngressReady"` | no |
 
@@ -1,11 +1,13 @@
-resource "null_resource" "install_dependencies" {
-  count = var.install_dependencies ? 1 : 0
-  # change trigger to run every time
+resource "null_resource" "install_required_binaries" {
+  count = var.install_required_binaries ? 1 : 0
+
   triggers = {
-    build_number = timestamp()
+    set_audit_log_policy = null_resource.set_audit_log_policy
+    set_webhook          = null_resource.set_audit_webhook
+    kube_audit           = helm_release.kube_audit
   }
   provisioner "local-exec" {
-    command     = "${path.module}/scripts/install-deps.sh"
+    command     = "${path.module}/scripts/install-binaries.sh"
     interpreter = ["/bin/bash", "-c"]
     environment = {
       DISABLE_EXTERNAL_DOWNLOADS = var.disable_external_binary_download
@@ -34,7 +36,7 @@ locals {
 }
 
 resource "null_resource" "set_audit_log_policy" {
-  depends_on = [null_resource.install_dependencies]
+  depends_on = [null_resource.install_required_binaries]
   triggers = {
     audit_log_policy = var.audit_log_policy
   }
@@ -56,7 +58,7 @@ locals {
 }
 
 resource "helm_release" "kube_audit" {
-  depends_on    = [null_resource.install_dependencies, null_resource.set_audit_log_policy, data.ibm_container_vpc_cluster.cluster]
+  depends_on    = [null_resource.install_required_binaries, null_resource.set_audit_log_policy, data.ibm_container_vpc_cluster.cluster]
   name          = var.audit_deployment_name
   chart         = local.kube_audit_chart_location
   timeout       = 1200
@@ -112,7 +114,7 @@ locals {
 # }
 
 resource "null_resource" "set_audit_webhook" {
-  depends_on = [time_sleep.wait_for_kube_audit, null_resource.install_dependencies]
+  depends_on = [time_sleep.wait_for_kube_audit, null_resource.install_required_binaries]
   triggers = {
     audit_log_policy = var.audit_log_policy
   }
 
@@ -2,6 +2,7 @@
 
 set -e
 
+# The binaries downloaded by the install-binaries script are located in the /tmp directory.
 export PATH=$PATH:"/tmp"
 
 deployment=$1