1 change: 1 addition & 0 deletions README.md
Expand Up @@ -302,6 +302,7 @@ Optionally, you need the following permissions to attach Access Management tags
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name that will be assigned to the provisioned cluster | `string` | n/a | yes |
| <a name="input_cluster_ready_when"></a> [cluster\_ready\_when](#input\_cluster\_ready\_when) | The cluster is ready when one of the following: MasterNodeReady (not recommended), OneWorkerNodeReady, Normal, IngressReady | `string` | `"IngressReady"` | no |
| <a name="input_cos_name"></a> [cos\_name](#input\_cos\_name) | Name of the COS instance to provision for OpenShift internal registry storage. New instance only provisioned if 'enable\_registry\_storage' is true and 'use\_existing\_cos' is false. Default: '<cluster\_name>\_cos' | `string` | `null` | no |
| <a name="input_custom_cloud_endpoint"></a> [custom\_cloud\_endpoint](#input\_custom\_cloud\_endpoint) | Set this value to use a different cloud endpoint than the production cloud endpoint. For example, `test.cloud.ibm.com`. | `string` | `null` | no |
| <a name="input_custom_security_group_ids"></a> [custom\_security\_group\_ids](#input\_custom\_security\_group\_ids) | Security groups to add to all worker nodes. This comes in addition to the IBM maintained security group if attach\_ibm\_managed\_security\_group is set to true. If this variable is set, the default VPC security group is NOT assigned to the worker nodes. | `list(string)` | `null` | no |
| <a name="input_disable_outbound_traffic_protection"></a> [disable\_outbound\_traffic\_protection](#input\_disable\_outbound\_traffic\_protection) | Whether to allow public outbound access from the cluster workers. This is only applicable for `ocp_version` 4.15 | `bool` | `false` | no |
| <a name="input_disable_public_endpoint"></a> [disable\_public\_endpoint](#input\_disable\_public\_endpoint) | Whether access to the public service endpoint is disabled when the cluster is created. Does not affect existing clusters. You can't disable a public endpoint on an existing cluster, so you can't convert a public cluster to a private cluster. To change a public endpoint to private, create another cluster with this input set to `true`. | `bool` | `false` | no |
7 changes: 4 additions & 3 deletions main.tf
Expand Up @@ -30,7 +30,8 @@ locals {
create_timeout = "3h"
update_timeout = "3h"

cluster_id = var.ignore_worker_pool_size_changes ? ibm_container_vpc_cluster.autoscaling_cluster[0].id : ibm_container_vpc_cluster.cluster[0].id
cloud_endpoint = var.custom_cloud_endpoint != null && var.custom_cloud_endpoint != "" ? var.custom_cloud_endpoint : "cloud.ibm.com"
cluster_id = var.ignore_worker_pool_size_changes ? ibm_container_vpc_cluster.autoscaling_cluster[0].id : ibm_container_vpc_cluster.cluster[0].id

# security group attached to worker pool
# the terraform provider / iks api take a security group id hardcoded to "cluster", so this pseudo-value is injected into the array based on attach_default_cluster_security_group
Expand Down Expand Up @@ -286,7 +287,7 @@ data "ibm_iam_account_settings" "iam_account_settings" {

resource "null_resource" "reset_api_key" {
provisioner "local-exec" {
command = "${path.module}/scripts/reset_iks_api_key.sh ${var.region} ${var.resource_group_id} ${var.use_private_endpoint} ${var.ocp_version == "4.13" && var.disable_public_endpoint ? "vpe" : var.cluster_config_endpoint_type}" # private only cluster on 4.13 will use VPE endpoint.
command = "${path.module}/scripts/reset_iks_api_key.sh ${var.region} ${var.resource_group_id} ${var.use_private_endpoint} ${var.ocp_version == "4.13" && var.disable_public_endpoint ? "vpe" : var.cluster_config_endpoint_type} ${local.cloud_endpoint}" # private only cluster on 4.13 will use VPE endpoint.
interpreter = ["/bin/bash", "-c"]
environment = {
IAM_TOKEN = data.ibm_iam_auth_token.reset_api_key_tokendata.iam_access_token
Expand Down Expand Up @@ -573,7 +574,7 @@ resource "null_resource" "confirm_lb_active" {
depends_on = [data.ibm_iam_auth_token.tokendata]

provisioner "local-exec" {
command = "${path.module}/scripts/confirm_lb_active.sh ${var.region} ${local.lbs_associated_with_cluster[count.index]} ${var.use_private_endpoint}"
command = "${path.module}/scripts/confirm_lb_active.sh ${var.region} ${local.lbs_associated_with_cluster[count.index]} ${var.use_private_endpoint} ${local.cloud_endpoint}"
interpreter = ["/bin/bash", "-c"]
environment = {
IAM_TOKEN = data.ibm_iam_auth_token.tokendata.iam_access_token
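Review bot: The new `${local.cloud_endpoint}` argument at L50 and L59 is interpolated unquoted into a command string that `/bin/bash -c` parses, and it originates from the user-supplied `var.custom_cloud_endpoint`, so a value containing whitespace or shell metacharacters is split or interpreted by bash before the script ever sees it. Both provisioners already have an `environment` block that the scripts read (`IAM_TOKEN`), so the safer route is to add `CLOUD_ENDPOINT = local.cloud_endpoint` there and have the scripts read the variable instead of a positional argument; at minimum, quote it in the command string as `\"${local.cloud_endpoint}\"`. If the `triggers` of these `null_resource` blocks (outside the hunk) do not include the endpoint, changing `custom_cloud_endpoint` on an existing deployment will presumably not re-run the provisioners, which is worth confirming. Both resource blocks begin before and continue after the hunk.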
5 changes: 3 additions & 2 deletions scripts/confirm_lb_active.sh
Expand Up @@ -5,6 +5,7 @@ set -euo pipefail
REGION="$1"
LB_ID="$2"
PRIVATE_ENV="$3"
CLOUD_ENDPOINT="$4"
API_VERSION="2024-03-01"

if [[ -z "${REGION}" ]]; then
Expand All @@ -14,9 +15,9 @@ fi

lb_attempts=1
if [ "$PRIVATE_ENV" = true ]; then
URL="https://$REGION.private.iaas.cloud.ibm.com/v1/load_balancers/$LB_ID?version=$API_VERSION&generation=2"
URL="https://$REGION.private.iaas.$CLOUD_ENDPOINT/v1/load_balancers/$LB_ID?version=$API_VERSION&generation=2"
else
URL="https://$REGION.iaas.cloud.ibm.com/v1/load_balancers/$LB_ID?version=$API_VERSION&generation=2"
URL="https://$REGION.iaas.$CLOUD_ENDPOINT/v1/load_balancers/$LB_ID?version=$API_VERSION&generation=2"
fi

while true; do
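Review bot: `CLOUD_ENDPOINT="$4"` at L70 has no presence check, unlike `REGION` a few lines below, so a caller that omits the new argument fails with a bare `set -u` "unbound variable" message rather than the descriptive error the other inputs produce; the same applies to `CLOUD_ENDPOINT="$5"` at L93 in scripts/reset_iks_api_key.sh. Since the value becomes the host part of every URL built from L79 onward, mirror the existing pattern: `CLOUD_ENDPOINT="${4:-}"` followed by `if [[ -z "${CLOUD_ENDPOINT}" ]]; then echo "Cloud endpoint must be passed as fourth input script argument" >&2; exit 1; fi`. The `if` block that checks `REGION` continues outside the hunk.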
11 changes: 6 additions & 5 deletions scripts/reset_iks_api_key.sh
Expand Up @@ -7,6 +7,7 @@ RESOURCE_GROUP_ID="$2"
APIKEY_KEY_NAME="containers-kubernetes-key"
PRIVATE_ENV="$3"
CLUSTER_ENDPOINT="$4"
CLOUD_ENDPOINT="$5"

if [[ -z "${REGION}" ]]; then
echo "Region must be passed as first input script argument" >&2
Expand All @@ -19,9 +20,9 @@ if [[ -z "${RESOURCE_GROUP_ID}" ]]; then
fi

if [ "$PRIVATE_ENV" = true ]; then
IAM_URL="https://private.iam.cloud.ibm.com/v1/apikeys?account_id=$ACCOUNT_ID&scope=account&pagesize=100&type=user&sort=name"
IAM_URL="https://private.iam.$CLOUD_ENDPOINT/v1/apikeys?account_id=$ACCOUNT_ID&scope=account&pagesize=100&type=user&sort=name"
else
IAM_URL="https://iam.cloud.ibm.com/v1/apikeys?account_id=$ACCOUNT_ID&scope=account&pagesize=100&type=user&sort=name"
IAM_URL="https://iam.$CLOUD_ENDPOINT/v1/apikeys?account_id=$ACCOUNT_ID&scope=account&pagesize=100&type=user&sort=name"
fi

reset=true
Expand Down Expand Up @@ -53,16 +54,16 @@ fetch_data
if [ "${reset}" == true ]; then
if [ "$PRIVATE_ENV" = true ]; then
if [ "$CLUSTER_ENDPOINT" == "private" ] || [ "$CLUSTER_ENDPOINT" == "default" ]; then
RESET_URL="https://private.$REGION.containers.cloud.ibm.com/v1/keys"
RESET_URL="https://private.$REGION.containers.$CLOUD_ENDPOINT/v1/keys"
result=$(curl -i -H "accept: application/json" -H "Authorization: $IAM_TOKEN" -H "X-Auth-Resource-Group: $RESOURCE_GROUP_ID" -X POST "$RESET_URL" 2>/dev/null)
status_code=$(echo "$result" | head -n 1 | cut -d$' ' -f2)
elif [ "$CLUSTER_ENDPOINT" == "vpe" ]; then
RESET_URL="https://api.$REGION.containers.cloud.ibm.com/v1/keys"
RESET_URL="https://api.$REGION.containers.$CLOUD_ENDPOINT/v1/keys"
result=$(curl -i -H "accept: application/json" -H "Authorization: $IAM_TOKEN" -H "X-Auth-Resource-Group: $RESOURCE_GROUP_ID" -X POST "$RESET_URL" 2>/dev/null)
status_code=$(echo "$result" | head -n 1 | cut -d$' ' -f2)
fi
else
RESET_URL="https://containers.cloud.ibm.com/global/v1/keys"
RESET_URL="https://containers.$CLOUD_ENDPOINT/global/v1/keys"
result=$(curl -i -H "accept: application/json" -H "X-Region: $REGION" -H "Authorization: $IAM_TOKEN" -H "X-Auth-Resource-Group: $RESOURCE_GROUP_ID" -X POST "$RESET_URL" -d '' 2>/dev/null)
status_code=$(echo "$result" | head -n 1 | cut -d$' ' -f2)
fi
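Review bot: After this change the host that receives the bearer token in the `Authorization: $IAM_TOKEN` header (L115, L120, L126) and the account API-key listing (L102, L105) is derived from `$CLOUD_ENDPOINT`, but the script never checks that the value is a plain hostname, so a value containing `/`, `@`, `?` or whitespace would change the host or path those privileged requests go to. A single shape check right after the assignment at L93 keeps the blast radius of a bad input small: `[[ "$CLOUD_ENDPOINT" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "Cloud endpoint must be a hostname" >&2; exit 1; }`. It is also worth emitting the effective endpoint to stderr once, so an unexpected value is visible in the provisioner log before any token is sent.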
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -19,6 +19,12 @@ variable "use_private_endpoint" {
default = false
}

variable "custom_cloud_endpoint" {
type = string
description = "Set this value to use a different cloud endpoint than the production cloud endpoint. For example, `test.cloud.ibm.com`."
default = null
}

# Cluster Variables
variable "tags" {
type = list(string)
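Review bot: `custom_cloud_endpoint` at L136-L140 is accepted without a `validation` block even though main.tf passes it verbatim into `bash -c` command strings and the scripts use it as the host of IAM and container-API requests, so Terraform is the earliest and cheapest place to reject a value that is not a bare hostname. Constraining it to hostname characters (the description's own example `test.cloud.ibm.com` passes) avoids shell word-splitting and host/path confusion downstream without restricting legitimate non-production endpoints. The `null` default must remain allowed, since the local in main.tf falls back to the production endpoint in that case.
```hcl
variable "custom_cloud_endpoint" {
  type        = string
  description = "Set this value to use a different cloud endpoint than the production cloud endpoint. For example, `test.cloud.ibm.com`."
  default     = null

  validation {
    condition     = var.custom_cloud_endpoint == null || can(regex("^[A-Za-z0-9.-]+$", var.custom_cloud_endpoint))
    error_message = "custom_cloud_endpoint must be a bare hostname (letters, digits, '.' and '-'), without scheme, path or port."
  }
}
```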