\_cos' | `string` | `null` | no |
| [custom\_security\_group\_ids](#input\_custom\_security\_group\_ids) | Security groups to add to all worker nodes. This comes in addition to the IBM maintained security group if `attach_ibm_managed_security_group` is set to true. If this variable is set, the default VPC security group is NOT assigned to the worker nodes. | `list(string)` | `null` | no |
| [disable\_outbound\_traffic\_protection](#input\_disable\_outbound\_traffic\_protection) | Whether to allow public outbound access from the cluster workers. This is only applicable for OCP 4.15 and later. | `bool` | `false` | no |
| [disable\_public\_endpoint](#input\_disable\_public\_endpoint) | Whether access to the public service endpoint is disabled when the cluster is created. Does not affect existing clusters. You can't disable a public endpoint on an existing cluster, so you can't convert a public cluster to a private cluster. To change a public endpoint to private, create another cluster with this input set to `true`. | `bool` | `false` | no |
-| [enable\_ocp\_console](#input\_enable\_ocp\_console) | Flag to specify whether to enable or disable the OpenShift console. If set to `null` the module will not modify the setting currently set on the cluster. Bare in mind when setting this to `true` or `false` on a cluster with private only endpoint enabled, the runtime must be able to access the private endpoint. | `bool` | `null` | no |
+| [enable\_ocp\_console](#input\_enable\_ocp\_console) | Flag to specify whether to enable or disable the OpenShift console. If set to `null` the module does not modify the current setting on the cluster. Keep in mind that when this input is set to `true` or `false` on a cluster with private only endpoint enabled, the runtime must be able to access the private endpoint. | `bool` | `null` | no |
| [enable\_registry\_storage](#input\_enable\_registry\_storage) | Set to `true` to enable IBM Cloud Object Storage for the Red Hat OpenShift internal image registry. Set to `false` only for new cluster deployments in an account that is allowlisted for this feature. | `bool` | `true` | no |
+| [enable\_secrets\_manager\_integration](#input\_enable\_secrets\_manager\_integration) | Integrate with IBM Cloud Secrets Manager so you can centrally manage Ingress subdomain certificates and other secrets. [Learn more](https://cloud.ibm.com/docs/containers?topic=containers-secrets-mgr) | `bool` | `false` | no |
| [existing\_cos\_id](#input\_existing\_cos\_id) | The COS id of an already existing COS instance to use for OpenShift internal registry storage. Only required if 'enable\_registry\_storage' and 'use\_existing\_cos' are true. | `string` | `null` | no |
+| [existing\_secrets\_manager\_instance\_crn](#input\_existing\_secrets\_manager\_instance\_crn) | CRN of the Secrets Manager instance where Ingress certificate secrets are stored. If 'enable\_secrets\_manager\_integration' is set to true then this value is required. | `string` | `null` | no |
| [force\_delete\_storage](#input\_force\_delete\_storage) | Flag indicating whether or not to delete attached storage when destroying the cluster - Default: false | `bool` | `false` | no |
| [ignore\_worker\_pool\_size\_changes](#input\_ignore\_worker\_pool\_size\_changes) | Enable if using worker autoscaling. Stops Terraform managing worker count | `bool` | `false` | no |
| [kms\_config](#input\_kms\_config) | Use to attach a KMS instance to the cluster. If account\_id is not provided, defaults to the account in use. | object({
crk_id = string
instance_id = string
private_endpoint = optional(bool, true) # defaults to true
account_id = optional(string) # To attach KMS instance from another account
wait_for_apply = optional(bool, true) # defaults to true so terraform will wait until the KMS is applied to the master, ready and deployed
}) | `null` | no |
-| [manage\_all\_addons](#input\_manage\_all\_addons) | Instructs Terraform to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this module will destroy any addons that were installed by other sources. | `bool` | `false` | no |
+| [manage\_all\_addons](#input\_manage\_all\_addons) | Instructs Terraform to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this module destroys any addons that were installed by other sources. | `bool` | `false` | no |
| [number\_of\_lbs](#input\_number\_of\_lbs) | The number of LBs to associated the `additional_lb_security_group_names` security group with. | `number` | `1` | no |
| [ocp\_entitlement](#input\_ocp\_entitlement) | Value that is applied to the entitlements for OCP cluster provisioning | `string` | `null` | no |
| [ocp\_version](#input\_ocp\_version) | The version of the OpenShift cluster that should be provisioned (format 4.x). If no value is specified, the current default version is used. You can also specify `default`. This input is used only during initial cluster provisioning and is ignored for updates. To prevent possible destructive changes, update the cluster version outside of Terraform. | `string` | `null` | no |
| [pod\_subnet\_cidr](#input\_pod\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for pods. The subnet must have a CIDR of at least `/23` or larger. Default value is `172.30.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
-| [region](#input\_region) | The IBM Cloud region where the cluster will be provisioned. | `string` | n/a | yes |
-| [resource\_group\_id](#input\_resource\_group\_id) | The Id of an existing IBM Cloud resource group where the cluster will be grouped. | `string` | n/a | yes |
+| [region](#input\_region) | The IBM Cloud region where the cluster is provisioned. | `string` | n/a | yes |
+| [resource\_group\_id](#input\_resource\_group\_id) | The ID of an existing IBM Cloud resource group where the cluster is grouped. | `string` | n/a | yes |
+| [secrets\_manager\_secret\_group\_id](#input\_secrets\_manager\_secret\_group\_id) | Secret group ID where Ingress secrets are stored in the Secrets Manager instance. | `string` | `null` | no |
| [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
+| [skip\_ocp\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_ocp\_secrets\_manager\_iam\_auth\_policy) | To skip creating auth policy that allows OCP cluster 'Manager' role access in the existing Secrets Manager instance for managing ingress certificates. | `bool` | `false` | no |
| [tags](#input\_tags) | Metadata labels describing this cluster deployment, i.e. test | `list(string)` | `[]` | no |
| [use\_existing\_cos](#input\_use\_existing\_cos) | Flag indicating whether or not to use an existing COS instance for OpenShift internal registry storage. Only applicable if 'enable\_registry\_storage' is true | `bool` | `false` | no |
-| [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all api calls to use the IBM Cloud private endpoints. | `bool` | `false` | no |
-| [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
-| [vpc\_id](#input\_vpc\_id) | Id of the VPC instance where this cluster will be provisioned | `string` | n/a | yes |
-| [vpc\_subnets](#input\_vpc\_subnets) | Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster will be created | map(list(object({
id = string
zone = string
cidr_block = string
}))) | n/a | yes |
+| [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all API calls to use the IBM Cloud private endpoints. | `bool` | `false` | no |
+| [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script runs kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, set this value to false. | `bool` | `true` | no |
+| [vpc\_id](#input\_vpc\_id) | ID of the VPC instance where this cluster is provisioned. | `string` | n/a | yes |
+| [vpc\_subnets](#input\_vpc\_subnets) | Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster is created. | map(list(object({
id = string
zone = string
cidr_block = string
}))) | n/a | yes |
| [worker\_pools](#input\_worker\_pools) | List of worker pools | list(object({
subnet_prefix = optional(string)
vpc_subnets = optional(list(object({
id = string
zone = string
cidr_block = string
})))
pool_name = string
machine_type = string
workers_per_zone = number
resource_group_id = optional(string)
operating_system = string
labels = optional(map(string))
minSize = optional(number)
secondary_storage = optional(string)
maxSize = optional(number)
enableAutoscaling = optional(bool)
boot_volume_encryption_kms_config = optional(object({
crk = string
kms_instance_id = string
kms_account_id = optional(string)
}))
additional_security_group_ids = optional(list(string))
})) | n/a | yes |
| [worker\_pools\_taints](#input\_worker\_pools\_taints) | Optional, Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` | `null` | no |
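Review bot: the description for `skip_ocp_secrets_manager_iam_auth_policy` is a sentence fragment ("To skip creating auth policy that allows ...") and does not say what the caller is expected to have in place instead; suggest wording it at the source of this table as "Set to true to skip creating the IAM authorization policy that grants the cluster the 'Manager' role on the existing Secrets Manager instance for managing Ingress certificates. When true, an equivalent authorization is expected to already exist." Also, `existing_secrets_manager_instance_crn` defaults to `null` but is described as required when `enable_secrets_manager_integration` is true; a `validation` block or a `precondition` enforcing that pairing would surface the misconfiguration at plan time instead of at apply.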
@@ -323,9 +332,9 @@ Optionally, you need the following permissions to attach Access Management tags
| Name | Description |
|------|-------------|
| [api\_vpe](#output\_api\_vpe) | Info about the api VPE, if it exists. For more info about schema, see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway |
-| [cluster\_crn](#output\_cluster\_crn) | CRN for the created cluster |
-| [cluster\_id](#output\_cluster\_id) | ID of cluster created |
-| [cluster\_name](#output\_cluster\_name) | Name of the created cluster |
+| [cluster\_crn](#output\_cluster\_crn) | CRN of the cluster |
+| [cluster\_id](#output\_cluster\_id) | ID of the cluster |
+| [cluster\_name](#output\_cluster\_name) | Name of the cluster |
| [cos\_crn](#output\_cos\_crn) | CRN of the COS instance |
| [ingress\_hostname](#output\_ingress\_hostname) | The hostname that was assigned to your Ingress subdomain. |
| [kms\_config](#output\_kms\_config) | KMS configuration details |
@@ -336,9 +345,10 @@ Optionally, you need the following permissions to attach Access Management tags
| [operating\_system](#output\_operating\_system) | The operating system of the workers in the default worker pool. |
| [private\_service\_endpoint\_url](#output\_private\_service\_endpoint\_url) | Private service endpoint URL |
| [public\_service\_endpoint\_url](#output\_public\_service\_endpoint\_url) | Public service endpoint URL |
-| [region](#output\_region) | Region cluster is deployed in |
+| [region](#output\_region) | Region that the cluster is deployed to |
| [registry\_vpe](#output\_registry\_vpe) | Info about the registry VPE, if it exists. For more info about schema, see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway |
| [resource\_group\_id](#output\_resource\_group\_id) | Resource group ID the cluster is deployed in |
+| [secrets\_manager\_integration\_config](#output\_secrets\_manager\_integration\_config) | Information about the Secrets Manager instance that is used to store the Ingress certificates. |
| [vpc\_id](#output\_vpc\_id) | ID of the clusters VPC |
| [vpe\_url](#output\_vpe\_url) | The virtual private endpoint URL of the Kubernetes cluster. |
| [workerpools](#output\_workerpools) | Worker pools created |
diff --git a/ibm_catalog.json b/ibm_catalog.json
index d4963252..878b15a6 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -388,6 +388,21 @@
},
{
"key": "cbr_rules"
+ },
+ {
+ "key": "enable_secrets_manager_integration"
+ },
+ {
+ "key": "existing_secrets_manager_instance_crn"
+ },
+ {
+ "key": "secrets_manager_secret_group_id"
+ },
+ {
+ "key": "secrets_manager_endpoint_type"
+ },
+ {
+ "key": "skip_ocp_secrets_manager_iam_auth_policy"
}
],
"dependencies": [
@@ -561,14 +576,22 @@
"reference_version": true
},
{
- "dependency_input": "resource_group_name",
- "version_input": "existing_resource_group_name",
+ "dependency_input": "secrets_manager_endpoint_type",
+ "version_input": "secrets_manager_endpoint_type",
"reference_version": true
},
{
"dependency_input": "use_existing_resource_group",
"value": true,
"reference_version": true
+ },
+ {
+ "dependency_output": "secrets_manager_crn",
+ "version_input": "existing_secrets_manager_instance_crn"
+ },
+ {
+ "version_input": "enable_secrets_manager_integration",
+ "value": true
}
]
}
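Review bot: this hunk replaces the `resource_group_name` -> `existing_resource_group_name` mapping with the new `secrets_manager_endpoint_type` mapping instead of adding the new entry alongside it. The unchanged `use_existing_resource_group` entry that follows still wires the resource group dependency through, so if the dependency still needs the resource group name the removed object should be restored as a separate entry; if the removal is intentional, the PR description should say why.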
diff --git a/main.tf b/main.tf
index fb459a62..f95c4051 100644
--- a/main.tf
+++ b/main.tf
@@ -719,3 +719,40 @@ module "cbr_rule" {
}]
operations = var.cbr_rules[count.index].operations == null ? local.default_operations : var.cbr_rules[count.index].operations
}
+
+##############################################################
+# Ingress Secrets Manager Integration
+##############################################################
+
+module "existing_secrets_manager_instance_parser" {
+ count = var.enable_secrets_manager_integration ? 1 : 0
+ source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+ version = "1.1.0"
+ crn = var.existing_secrets_manager_instance_crn
+}
+
+resource "ibm_iam_authorization_policy" "ocp_secrets_manager_iam_auth_policy" {
+ count = var.enable_secrets_manager_integration && !var.skip_ocp_secrets_manager_iam_auth_policy ? 1 : 0
+ depends_on = [ibm_container_vpc_cluster.cluster, ibm_container_vpc_cluster.autoscaling_cluster, ibm_container_vpc_worker_pool.pool, ibm_container_vpc_worker_pool.autoscaling_pool]
+ source_service_name = "containers-kubernetes"
+ source_resource_instance_id = local.cluster_id
+ target_service_name = "secrets-manager"
+ target_resource_instance_id = module.existing_secrets_manager_instance_parser[0].service_instance
+ roles = ["Manager"]
+}
+
+resource "time_sleep" "wait_for_auth_policy" {
+ count = var.enable_secrets_manager_integration ? 1 : 0
+ depends_on = [ibm_iam_authorization_policy.ocp_secrets_manager_iam_auth_policy[0]]
+ create_duration = "30s"
+}
+
+
+resource "ibm_container_ingress_instance" "instance" {
+ count = var.enable_secrets_manager_integration ? 1 : 0
+ depends_on = [time_sleep.wait_for_auth_policy]
+ cluster = var.cluster_name
+ instance_crn = var.existing_secrets_manager_instance_crn
+ is_default = true
+ secret_group_id = var.secrets_manager_secret_group_id
+}
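Review bot: `ibm_container_ingress_instance.instance` refers to `var.cluster_name` rather than to the cluster resources or `local.cluster_id`, so its ordering after cluster creation rests entirely on the `depends_on` chain through `time_sleep.wait_for_auth_policy` and the optional `ibm_iam_authorization_policy` (count 0 when `skip_ocp_secrets_manager_iam_auth_policy` is true); suggest listing the cluster and worker pool resources directly in its `depends_on`, as the authorization policy already does, so the ordering does not hinge on the optional resource. Two smaller points: `time_sleep.wait_for_auth_policy` still waits 30s when the policy is skipped, so its `count` should also gate on `!var.skip_ocp_secrets_manager_iam_auth_policy`; and the policy grants `Manager` on the whole Secrets Manager instance (`target_resource_instance_id`), not only on `secrets_manager_secret_group_id`, which the variable description should state plainly so operators can decide whether a dedicated instance is warranted.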
diff --git a/outputs.tf b/outputs.tf
index 1de8c508..5e8853ec 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -3,19 +3,19 @@
##############################################################################
output "cluster_id" {
- description = "ID of cluster created"
+ description = "ID of the cluster"
value = var.ignore_worker_pool_size_changes ? ibm_container_vpc_cluster.autoscaling_cluster[0].id : ibm_container_vpc_cluster.cluster[0].id
depends_on = [null_resource.confirm_network_healthy]
}
output "cluster_name" {
- description = "Name of the created cluster"
+ description = "Name of the cluster"
value = var.ignore_worker_pool_size_changes ? ibm_container_vpc_cluster.autoscaling_cluster[0].name : ibm_container_vpc_cluster.cluster[0].name
depends_on = [null_resource.confirm_network_healthy]
}
output "cluster_crn" {
- description = "CRN for the created cluster"
+ description = "CRN of the cluster"
value = var.ignore_worker_pool_size_changes ? ibm_container_vpc_cluster.autoscaling_cluster[0].crn : ibm_container_vpc_cluster.cluster[0].crn
depends_on = [null_resource.confirm_network_healthy]
}
@@ -41,7 +41,7 @@ output "vpc_id" {
}
output "region" {
- description = "Region cluster is deployed in"
+ description = "Region that the cluster is deployed to"
value = var.region
}
@@ -104,3 +104,8 @@ output "registry_vpe" {
description = "Info about the registry VPE, if it exists. For more info about schema, see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway"
value = local.registry_vpe_id
}
+
+output "secrets_manager_integration_config" {
+ description = "Information about the Secrets Manager instance that is used to store the Ingress certificates."
+ value = var.enable_secrets_manager_integration ? ibm_container_ingress_instance.instance[0] : null
+}
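Review bot: `secrets_manager_integration_config` exports the entire `ibm_container_ingress_instance.instance[0]` object, which ties the module's output schema to the provider's resource schema and exposes every attribute of it; suggest returning an object with only the attributes consumers need, for example `instance_crn` and `secret_group_id`, so future provider attributes do not silently widen the module's public surface.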
diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md
index 039c5cf6..e1204fd8 100644
--- a/solutions/fully-configurable/README.md
+++ b/solutions/fully-configurable/README.md
@@ -26,15 +26,18 @@ The following resources are provisioned by this example:
| [existing\_boot\_volume\_kms\_key\_crn\_parser](#module\_existing\_boot\_volume\_kms\_key\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 |
| [existing\_cluster\_kms\_key\_crn\_parser](#module\_existing\_cluster\_kms\_key\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 |
| [existing\_kms\_crn\_parser](#module\_existing\_kms\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 |
+| [existing\_secrets\_manager\_instance\_parser](#module\_existing\_secrets\_manager\_instance\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 |
| [existing\_vpc\_crn\_parser](#module\_existing\_vpc\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 |
| [kms](#module\_kms) | terraform-ibm-modules/kms-all-inclusive/ibm | 5.1.5 |
| [ocp\_base](#module\_ocp\_base) | ../.. | n/a |
| [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.2.0 |
+| [secret\_group](#module\_secret\_group) | terraform-ibm-modules/secrets-manager-secret-group/ibm | 1.3.4 |
### Resources
| Name | Type |
|------|------|
+| [terraform_data.delete_secrets](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
| [ibm_is_subnet.subnets](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.78.2/docs/data-sources/is_subnet) | data source |
| [ibm_is_subnets.vpc_subnets](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.78.2/docs/data-sources/is_subnets) | data source |
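Review bot: the new `terraform_data.delete_secrets` resource appears in the table without any text in this README describing what it deletes or when; its name suggests a destroy-time cleanup of secrets in the Secrets Manager instance, and since removing certificates from a possibly shared instance is a destructive side effect, the solution README should document the behaviour, its scope (which secret group) and how to opt out. The `secret_group` module addition should likewise be mentioned in the prose so readers know a secret group is created on their behalf.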
@@ -53,11 +56,11 @@ The following resources are provisioned by this example:
| [boot\_volume\_key\_name](#input\_boot\_volume\_key\_name) | The name for the key created for the block storage volumes. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"boot-volume-key"` | no |
| [boot\_volume\_key\_ring\_name](#input\_boot\_volume\_key\_ring\_name) | The name for the key ring created for the block storage volumes key. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"boot-volume-key-ring"` | no |
| [cbr\_rules](#input\_cbr\_rules) | The list of context-based restriction rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/blob/main/solutions/fully-configurable/DA_docs.md#options-with-cbr) | list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
tags = optional(list(object({
name = string
value = string
})), [])
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
})) | `[]` | no |
-| [cluster\_config\_endpoint\_type](#input\_cluster\_config\_endpoint\_type) | Specify which type of endpoint to use for for cluster config access: 'default', 'private', 'vpe', 'link'. 'default' value will use the default endpoint of the cluster. | `string` | `"default"` | no |
+| [cluster\_config\_endpoint\_type](#input\_cluster\_config\_endpoint\_type) | Specify which type of endpoint to use for cluster config access: 'default', 'private', 'vpe', 'link'. A 'default' value uses the default endpoint of the cluster. | `string` | `"default"` | no |
| [cluster\_key\_name](#input\_cluster\_key\_name) | The name of the key to be created for the cluster's Object Storage bucket encryption. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"cluster-key"` | no |
| [cluster\_key\_ring\_name](#input\_cluster\_key\_ring\_name) | The name of the key ring to be created for the cluster's Object Storage bucket encryption key. Applies only if not specifying an existing key. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"cluster-key-ring"` | no |
| [cluster\_name](#input\_cluster\_name) | The name of the new IBM Cloud OpenShift Cluster. If a `prefix` input variable is specified, it is added to this name in the `-value` format. | `string` | `"openshift"` | no |
-| [cluster\_ready\_when](#input\_cluster\_ready\_when) | The cluster is ready when one of the following: MasterNodeReady (not recommended), OneWorkerNodeReady, Normal, IngressReady. | `string` | `"IngressReady"` | no |
+| [cluster\_ready\_when](#input\_cluster\_ready\_when) | The cluster is ready based on one of the following:: MasterNodeReady (not recommended), OneWorkerNodeReady, Normal, IngressReady. | `string` | `"IngressReady"` | no |
| [cluster\_resource\_tags](#input\_cluster\_resource\_tags) | Metadata labels describing this cluster deployment, i.e. test. | `list(string)` | `[]` | no |
| [custom\_security\_group\_ids](#input\_custom\_security\_group\_ids) | Security groups to add to all worker nodes. This comes in addition to the IBM maintained security group if `attach_ibm_managed_security_group` is set to true. If this variable is set, the default VPC security group is NOT assigned to the worker nodes. | `list(string)` | `null` | no |
| [default\_pool\_maximum\_number\_of\_nodes](#input\_default\_pool\_maximum\_number\_of\_nodes) | The maximum number of worker nodes allowed in the pool, preventing the pool from exceeding three workers. | `number` | `3` | no |
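Review bot: the rewritten `cluster_ready_when` description on the `+` line has a doubled colon ("based on one of the following:: MasterNodeReady"); suggest "The cluster is ready when one of the following conditions is met: MasterNodeReady (not recommended), OneWorkerNodeReady, Normal, IngressReady." The `cluster_config_endpoint_type` change in this hunk, which removes the duplicated "for for", reads fine.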
@@ -69,30 +72,35 @@ The following resources are provisioned by this example:
| [disable\_outbound\_traffic\_protection](#input\_disable\_outbound\_traffic\_protection) | Whether to allow public outbound access from the cluster workers. This is only applicable for OCP 4.15 and later. | `bool` | `false` | no |
| [disable\_public\_endpoint](#input\_disable\_public\_endpoint) | Whether access to the public service endpoint is disabled when the cluster is created. Does not affect existing clusters. You can't disable a public endpoint on an existing cluster, so you can't convert a public cluster to a private cluster. To change a public endpoint to private, create another cluster with this input set to `true`. | `bool` | `true` | no |
| [enable\_autoscaling\_for\_default\_pool](#input\_enable\_autoscaling\_for\_default\_pool) | Set `true` to enable automatic scaling of worker based on workload demand. | `bool` | `false` | no |
-| [enable\_ocp\_console](#input\_enable\_ocp\_console) | Flag to specify whether to enable or disable the OpenShift console. If set to `null` the module will not modify the setting currently set on the cluster. Bare in mind when setting this to `true` or `false` on a cluster with private only endpoint enabled, the runtime must be able to access the private endpoint. | `bool` | `null` | no |
+| [enable\_ocp\_console](#input\_enable\_ocp\_console) | Flag to specify whether to enable or disable the OpenShift console. If set to `null` the module does not modify the current setting on the cluster. Keep in mind that when this input is set to `true` or `false` on a cluster with private only endpoint enabled, the runtime must be able to access the private endpoint. | `bool` | `null` | no |
+| [enable\_secrets\_manager\_integration](#input\_enable\_secrets\_manager\_integration) | Integrate with IBM Cloud Secrets Manager so you can centrally manage Ingress subdomain certificates and other secrets. [Learn more](https://cloud.ibm.com/docs/containers?topic=containers-secrets-mgr) | `bool` | `false` | no |
| [existing\_boot\_volume\_kms\_key\_crn](#input\_existing\_boot\_volume\_kms\_key\_crn) | The CRN of an existing KMS key to use to encrypt the the block storage volumes for VPC. If no value is set for this variable, specify a value for either the `existing_kms_instance_crn` variable to create a key ring and key. | `string` | `null` | no |
-| [existing\_cluster\_kms\_key\_crn](#input\_existing\_cluster\_kms\_key\_crn) | The CRN of an existing KMS key to use for encrypting the Object Storage of the Cluster. If no value is set for this variable, please specify a value for `existing_kms_instance_crn` variable to create a key ring and key. | `string` | `null` | no |
+| [existing\_cluster\_kms\_key\_crn](#input\_existing\_cluster\_kms\_key\_crn) | The CRN of an existing KMS key to use for encrypting the Object Storage of the Cluster. If no value is set for this variable, specify a value for `existing_kms_instance_crn` variable to create a key ring and key. | `string` | `null` | no |
| [existing\_cos\_instance\_crn](#input\_existing\_cos\_instance\_crn) | The CRN of an already existing Object Storage instance to use for OpenShift internal registry storage. | `string` | n/a | yes |
| [existing\_kms\_instance\_crn](#input\_existing\_kms\_instance\_crn) | The CRN of an existing KMS instance (Hyper Protect Crypto Services or Key Protect). If the KMS instance is in different account you must also provide a value for `ibmcloud_kms_api_key`. | `string` | `null` | no |
| [existing\_resource\_group\_name](#input\_existing\_resource\_group\_name) | The name of an existing resource group to provision the cluster. | `string` | `"Default"` | no |
-| [existing\_subnet\_ids](#input\_existing\_subnet\_ids) | The list of IDs of existing subnets where the default worker pool nodes of the cluster will be provisioned. | `list(string)` | `[]` | no |
-| [existing\_vpc\_crn](#input\_existing\_vpc\_crn) | The CRN of an existing VPC. If the user provides only the `existing_vpc_crn` the default worker pool will be provisioned across all the subnets in the VPC. | `string` | n/a | yes |
+| [existing\_secrets\_manager\_instance\_crn](#input\_existing\_secrets\_manager\_instance\_crn) | CRN of the Secrets Manager instance where Ingress certificate secrets are stored. If 'enable\_secrets\_manager\_integration' is set to true then this value is required. | `string` | `null` | no |
+| [existing\_subnet\_ids](#input\_existing\_subnet\_ids) | The list of IDs of existing subnets where the default worker pool nodes of the cluster are provisioned. | `list(string)` | `[]` | no |
+| [existing\_vpc\_crn](#input\_existing\_vpc\_crn) | The CRN of an existing VPC. If the user provides only the `existing_vpc_crn` the default worker pool is provisioned across all the subnets in the VPC. | `string` | n/a | yes |
| [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud api key. | `string` | n/a | yes |
| [ibmcloud\_kms\_api\_key](#input\_ibmcloud\_kms\_api\_key) | The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance for the cluster. If not specified, the 'ibmcloud\_api\_key' variable is used. Specify this key if the KMS instance in `existing_kms_instance_crn` is in an account that is different from the cluster's account. Leave this input empty if both the cluster and the KMS instance are in the same account. | `string` | `null` | no |
| [ignore\_worker\_pool\_size\_changes](#input\_ignore\_worker\_pool\_size\_changes) | Enable if using worker autoscaling. Stops Terraform managing worker count. | `bool` | `false` | no |
| [kms\_encryption\_enabled\_boot\_volume](#input\_kms\_encryption\_enabled\_boot\_volume) | Set this to true to control the encryption keys used to encrypt the data that for the block storage volumes for VPC. If set to false, the data is encrypted by using randomly generated keys. For more info on encrypting block storage volumes, see https://cloud.ibm.com/docs/vpc?topic=vpc-creating-instances-byok | `bool` | `false` | no |
| [kms\_encryption\_enabled\_cluster](#input\_kms\_encryption\_enabled\_cluster) | Set to true to enable KMS encryption for the cluster's Object Storage bucket. When set to true, a value must be passed for either `existing_cluster_kms_key_crn` or `existing_kms_instance_crn`. | `bool` | `false` | no |
| [kms\_endpoint\_type](#input\_kms\_endpoint\_type) | The endpoint for communicating with the KMS instance. Possible values: `public`, `private`. Applies only if `kms_encryption_enabled_cluster` is true | `string` | `"private"` | no |
-| [manage\_all\_addons](#input\_manage\_all\_addons) | Instructs deployable architecture to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this DA will destroy any addons that were installed by other sources. | `bool` | `false` | no |
+| [manage\_all\_addons](#input\_manage\_all\_addons) | Instructs deployable architecture to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this deployable architecture destroys any addons that were installed by other sources. | `bool` | `false` | no |
| [number\_of\_lbs](#input\_number\_of\_lbs) | The number of LBs to associated the `additional_lb_security_group_names` security group with. | `number` | `1` | no |
| [ocp\_entitlement](#input\_ocp\_entitlement) | Value that is applied to the entitlements for OCP cluster provisioning. | `string` | `null` | no |
| [ocp\_version](#input\_ocp\_version) | Version of the OCP cluster to provision. | `string` | `"4.17"` | no |
| [pod\_subnet\_cidr](#input\_pod\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for pods. The subnet must have a CIDR of at least `/23` or larger. Default value is `172.30.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
| [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes |
| [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no |
+| [secrets\_manager\_endpoint\_type](#input\_secrets\_manager\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API. | `string` | `"private"` | no |
+| [secrets\_manager\_secret\_group\_id](#input\_secrets\_manager\_secret\_group\_id) | Secret group ID where Ingress secrets are stored in the Secrets Manager instance. If 'enable\_secrets\_manager\_integration' is set to true and 'secrets\_manager\_secret\_group\_id' is not provided, a new group will be created with the same name as cluster\_id. | `string` | `null` | no |
| [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
-| [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all api calls to use the IBM Cloud private endpoints. | `bool` | `true` | no |
-| [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
+| [skip\_ocp\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_ocp\_secrets\_manager\_iam\_auth\_policy) | To skip creating auth policy that allows OCP cluster 'Manager' role access in the existing Secrets Manager instance for managing ingress certificates. | `bool` | `false` | no |
+| [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all API calls to use the IBM Cloud private endpoints. | `bool` | `true` | no |
+| [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script runs kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, set this value to false. | `bool` | `true` | no |
| [worker\_pools\_taints](#input\_worker\_pools\_taints) | Optional, Map of lists containing node taints by node-pool name. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/blob/main/solutions/fully-configurable/DA_docs.md#options-with-worker-pools-taints) | `map(list(object({ key = string, value = string, effect = string })))` | `null` | no |
### Outputs
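Review bot: the description added for `skip_ocp_secrets_manager_iam_auth_policy` is a sentence fragment that does not say which value triggers the skip or which two services the policy connects. Suggest: "Set to `true` to skip creating the IAM authorization policy that grants the OCP cluster the 'Manager' role on the existing Secrets Manager instance (needed to manage Ingress certificates). Use this only when an equivalent policy already exists." The same text appears in both `variables.tf` hunks, so fix it there rather than only in this (presumably generated) README table.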
@@ -116,6 +124,7 @@ The following resources are provisioned by this example:
| [region](#output\_region) | The IBM Cloud region where the cluster is deployed. |
| [registry\_vpe](#output\_registry\_vpe) | Details of the registry Virtual Private Endpoint (VPE), if it exists. For more info about schema, see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway |
| [resource\_group\_id](#output\_resource\_group\_id) | The ID of the resource group where the cluster is deployed. |
+| [secrets\_manager\_integration\_config](#output\_secrets\_manager\_integration\_config) | Information about the Secrets Manager instance that is used to store the Ingress certificates. |
| [vpc\_id](#output\_vpc\_id) | The ID of the Virtual Private Cloud (VPC) in which the cluster is deployed. |
| [vpe\_url](#output\_vpe\_url) | The Virtual Private Endpoint (VPE) URL used for private network access to the cluster. |
| [workerpools](#output\_workerpools) | A list of worker pools associated with the provisioned cluster |
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 4c7f1d0a..3e4b85bf 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -194,39 +194,86 @@ locals {
}
module "ocp_base" {
- source = "../.."
- resource_group_id = module.resource_group.resource_group_id
- region = local.vpc_region
- tags = var.cluster_resource_tags
- cluster_name = local.cluster_name
- force_delete_storage = true
- use_existing_cos = true
- existing_cos_id = var.existing_cos_instance_crn
- vpc_id = local.existing_vpc_id
- vpc_subnets = local.vpc_subnets
- ocp_version = var.ocp_version
- worker_pools = local.worker_pools
- access_tags = var.access_tags
- ocp_entitlement = var.ocp_entitlement
- additional_lb_security_group_ids = var.additional_lb_security_group_ids
- additional_vpe_security_group_ids = var.additional_vpe_security_group_ids
- addons = var.addons
- allow_default_worker_pool_replacement = var.allow_default_worker_pool_replacement
- attach_ibm_managed_security_group = var.attach_ibm_managed_security_group
- cluster_config_endpoint_type = var.cluster_config_endpoint_type
- cbr_rules = var.cbr_rules
- cluster_ready_when = var.cluster_ready_when
- custom_security_group_ids = var.custom_security_group_ids
- disable_outbound_traffic_protection = var.disable_outbound_traffic_protection
- disable_public_endpoint = var.disable_public_endpoint
- enable_ocp_console = var.enable_ocp_console
- ignore_worker_pool_size_changes = var.ignore_worker_pool_size_changes
- kms_config = local.kms_config
- manage_all_addons = var.manage_all_addons
- number_of_lbs = var.number_of_lbs
- pod_subnet_cidr = var.pod_subnet_cidr
- service_subnet_cidr = var.service_subnet_cidr
- use_private_endpoint = var.use_private_endpoint
- verify_worker_network_readiness = var.verify_worker_network_readiness
- worker_pools_taints = var.worker_pools_taints
+ source = "../.."
+ resource_group_id = module.resource_group.resource_group_id
+ region = local.vpc_region
+ tags = var.cluster_resource_tags
+ cluster_name = local.cluster_name
+ force_delete_storage = true
+ use_existing_cos = true
+ existing_cos_id = var.existing_cos_instance_crn
+ vpc_id = local.existing_vpc_id
+ vpc_subnets = local.vpc_subnets
+ ocp_version = var.ocp_version
+ worker_pools = local.worker_pools
+ access_tags = var.access_tags
+ ocp_entitlement = var.ocp_entitlement
+ additional_lb_security_group_ids = var.additional_lb_security_group_ids
+ additional_vpe_security_group_ids = var.additional_vpe_security_group_ids
+ addons = var.addons
+ allow_default_worker_pool_replacement = var.allow_default_worker_pool_replacement
+ attach_ibm_managed_security_group = var.attach_ibm_managed_security_group
+ cluster_config_endpoint_type = var.cluster_config_endpoint_type
+ cbr_rules = var.cbr_rules
+ cluster_ready_when = var.cluster_ready_when
+ custom_security_group_ids = var.custom_security_group_ids
+ disable_outbound_traffic_protection = var.disable_outbound_traffic_protection
+ disable_public_endpoint = var.disable_public_endpoint
+ enable_ocp_console = var.enable_ocp_console
+ ignore_worker_pool_size_changes = var.ignore_worker_pool_size_changes
+ kms_config = local.kms_config
+ manage_all_addons = var.manage_all_addons
+ number_of_lbs = var.number_of_lbs
+ pod_subnet_cidr = var.pod_subnet_cidr
+ service_subnet_cidr = var.service_subnet_cidr
+ use_private_endpoint = var.use_private_endpoint
+ verify_worker_network_readiness = var.verify_worker_network_readiness
+ worker_pools_taints = var.worker_pools_taints
+ enable_secrets_manager_integration = var.enable_secrets_manager_integration
+ existing_secrets_manager_instance_crn = var.existing_secrets_manager_instance_crn
+ secrets_manager_secret_group_id = var.secrets_manager_secret_group_id != null ? var.secrets_manager_secret_group_id : (var.enable_secrets_manager_integration ? module.secret_group[0].secret_group_id : null)
+ skip_ocp_secrets_manager_iam_auth_policy = var.skip_ocp_secrets_manager_iam_auth_policy
+}
+
+module "existing_secrets_manager_instance_parser" {
+ count = var.enable_secrets_manager_integration ? 1 : 0
+ source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+ version = "1.1.0"
+ crn = var.existing_secrets_manager_instance_crn
+}
+
+resource "terraform_data" "delete_secrets" {
+
+ count = var.enable_secrets_manager_integration && var.secrets_manager_secret_group_id == null ? 1 : 0
+ input = {
+ secret_id = module.secret_group[0].secret_group_id
+ api_key = var.ibmcloud_api_key
+ provider_visibility = var.provider_visibility
+ secrets_manager_instance_id = module.existing_secrets_manager_instance_parser[0].service_instance
+ secrets_manager_region = module.existing_secrets_manager_instance_parser[0].region
+ secrets_manager_endpoint = var.secrets_manager_endpoint_type
+ }
+ provisioner "local-exec" {
+ when = destroy
+ command = "${path.module}/scripts/delete_secrets.sh ${self.input.secret_id} ${self.input.provider_visibility} ${self.input.secrets_manager_instance_id} ${self.input.secrets_manager_region} ${self.input.secrets_manager_endpoint}"
+ interpreter = ["/bin/bash", "-c"]
+
+ environment = {
+ API_KEY = self.input.api_key
+ }
+ }
+}
+
+module "secret_group" {
+ providers = {
+ ibm = ibm.secrets_manager
+ }
+ count = var.enable_secrets_manager_integration && var.secrets_manager_secret_group_id == null ? 1 : 0
+ source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
+ version = "1.3.4"
+ region = module.existing_secrets_manager_instance_parser[0].region
+ secrets_manager_guid = module.existing_secrets_manager_instance_parser[0].service_instance
+ secret_group_name = module.ocp_base.cluster_id
+ secret_group_description = "Secret group for storing ingress certificates for cluster ${var.cluster_name} with id: ${module.ocp_base.cluster_id}"
+ endpoint_type = var.secrets_manager_endpoint_type
}
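Review bot: `terraform_data.delete_secrets` copies `var.ibmcloud_api_key` into `input`, which persists the key in plaintext in the Terraform state for the lifetime of the resource, solely so the destroy-time provisioner can read `self.input.api_key`. The provider already holds the key; the state file (Schematics workspace or remote backend) now becomes a second place it must be protected. Prefer letting the script inherit the key from the runtime environment if one is available there, or at least document the exposure. Two smaller points in the same hunk: `input.secret_id` actually holds `module.secret_group[0].secret_group_id`, so name it `secret_group_id` to match the script's first positional argument, and the five `${self.input.*}` values in `command` should be double-quoted even though they come from module outputs. Finally, `ocp_base` consumes `module.secret_group[0].secret_group_id` while `secret_group` names itself after `module.ocp_base.cluster_id`; this only avoids a dependency cycle as long as nothing in `ocp_base` that produces `cluster_id` depends on `secrets_manager_secret_group_id`, which deserves a comment so a future change does not break it.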
diff --git a/solutions/fully-configurable/outputs.tf b/solutions/fully-configurable/outputs.tf
index f38aaa93..242dddaa 100644
--- a/solutions/fully-configurable/outputs.tf
+++ b/solutions/fully-configurable/outputs.tf
@@ -101,3 +101,8 @@ output "registry_vpe" {
description = "Details of the registry Virtual Private Endpoint (VPE), if it exists. For more info about schema, see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway"
value = module.ocp_base.registry_vpe
}
+
+output "secrets_manager_integration_config" {
+ description = "Information about the Secrets Manager instance that is used to store the Ingress certificates."
+ value = module.ocp_base.secrets_manager_integration_config
+}
diff --git a/solutions/fully-configurable/provider.tf b/solutions/fully-configurable/provider.tf
index 0c6f84d7..ebbc8672 100644
--- a/solutions/fully-configurable/provider.tf
+++ b/solutions/fully-configurable/provider.tf
@@ -14,3 +14,10 @@ provider "ibm" {
region = local.cluster_kms_region
visibility = var.provider_visibility
}
+
+provider "ibm" {
+ alias = "secrets_manager"
+ ibmcloud_api_key = var.ibmcloud_api_key
+ region = var.enable_secrets_manager_integration ? module.existing_secrets_manager_instance_parser[0].region : local.vpc_region
+ visibility = var.provider_visibility
+}
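Review bot: the `secrets_manager` alias takes its endpoint visibility from `var.provider_visibility`, while `module.secret_group` in main.tf is separately given `endpoint_type = var.secrets_manager_endpoint_type` and the destroy script receives both values; nothing ties the two inputs together, so `provider_visibility = "private"` with `secrets_manager_endpoint_type = "public"` (or the reverse) is accepted silently. Derive one from the other or add a validation that rejects the mismatch. Also, `region` depends on `module.existing_secrets_manager_instance_parser[0].region`; that only works because the crn-parser module derives its outputs from the input CRN alone, so a one-line comment saying so would save the next reader from worrying about provider configuration depending on apply-time values.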
diff --git a/solutions/fully-configurable/scripts/delete_secrets.sh b/solutions/fully-configurable/scripts/delete_secrets.sh
new file mode 100755
index 00000000..bf0fc773
--- /dev/null
+++ b/solutions/fully-configurable/scripts/delete_secrets.sh
@@ -0,0 +1,98 @@
+#!/bin/bash
+
+set -e
+
+# This script is going to delete the ingress certificate secret inside the secret group which
+# got created as part of the DA since it is not a good practice to store secrets in
+# default group.
+
+secret_group_id=$1
+provider_visibility=$2
+secrets_manager_instance_id=$3
+secrets_manager_region=$4
+secrets_manager_endpoint=$5
+
+# decide the iam endpoint depending upon the IBMCLOUD_IAM_API_ENDPOINT env variable set by the user and
+# whether provider visibility is public or private
+iam_cloud_endpoint="${IBMCLOUD_IAM_API_ENDPOINT:-"iam.cloud.ibm.com"}"
+IBMCLOUD_IAM_API_ENDPOINT=${iam_cloud_endpoint#https://}
+
+if [[ "$IBMCLOUD_IAM_API_ENDPOINT" == "iam.cloud.ibm.com" ]]; then
+ if [[ "$provider_visibility" == "private" ]]; then
+ IBMCLOUD_IAM_API_ENDPOINT="private.${IBMCLOUD_IAM_API_ENDPOINT}"
+ fi
+fi
+
+# generate iam_token from the ibmcloud_api_key. This will be used to make API requests to secrets manager instance endpoint for fetching and deleting secrets
+iam_response=$(curl --retry 3 -s -X POST "https://${IBMCLOUD_IAM_API_ENDPOINT}/identity/token" --header 'Content-Type: application/x-www-form-urlencoded' --header 'Accept: application/json' --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey' --data-urlencode "apikey=$API_KEY") # pragma: allowlist secret
+error_message=$(echo "${iam_response}" | jq 'has("errorMessage")')
+
+if [[ "${error_message}" != false ]]; then
+ echo "${iam_response}" | jq '.errorMessage' >&2
+ echo "Could not obtain an IAM access token" >&2
+ exit 1
+fi
+iam_token=$(echo "${iam_response}" | jq -r '.access_token')
+
+# deciding the url of secrets_manager_instance depending upon whether secrets_manager_endpoint is public or private
+
+base_url=https://${secrets_manager_instance_id}
+if [[ $secrets_manager_endpoint == "private" ]];then
+ base_url="${base_url}.private"
+fi
+base_url="${base_url}.${secrets_manager_region}.secrets-manager.appdomain.cloud"
+
+# curl command would return the list of secrets, jq is used to fetch length of secrets array in json output and fetching id of secret at particular index
+# which will be used while making the DELETE request
+
+
+json_output=$(curl --fail --retry 3 -s -X GET --location \
+ --header "Authorization: Bearer ${iam_token}" \
+ --header "Accept: application/json" \
+ "${base_url}/api/v2/secrets?groups=$secret_group_id")
+
+secrets_length=$(echo "$json_output" | jq '.secrets | length')
+
+if [[ "$secrets_length" == 0 ]];then
+ echo "Found no secrets to delete" >&2
+ exit 0
+fi
+
+# delete the secrets inside the secret group
+# retrycount for deleting a particular secret incase curl command for delete command fails
+
+retryCount=2;
+for ((i=0; i&2
+ for ((j=1; j<=retryCount; j++)); do
+ if ! curl --retry 3 -X DELETE --location --header "Authorization: Bearer ${iam_token}" "${base_url}/api/v2/secrets/${secret_id}";then
+ if [[ "$j" == "$retryCount" ]];then
+ echo "Failed to delete the secret.. please delete manually" >&2
+ exit 1
+ fi
+ echo "Failed to remove the secret.. retrying one more time" >&2
+ else
+ echo "Successfully deleted the secret" >&2
+ break
+ fi
+ done
+done
+
+echo "Waiting for the secrets to be deleted" >&2
+sleep 5
+
+secret_count=$(curl --fail --retry 3 -s -X GET --location \
+ --header "Authorization: Bearer ${iam_token}" \
+ --header "Accept: application/json" \
+ "${base_url}/api/v2/secrets?groups=$secret_group_id" | \
+ jq '.secrets | length')
+
+if [[ "$secret_count" == 0 ]];then
+ echo "successfully deleted all the secrets in the group" >&2
+else
+ echo "Failed to delete 1 or more secrets.. Please delete manually" >&2
+ exit 1
+fi
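Review bot: the DELETE call in the retry loop has no `--fail`, so a 4xx/5xx response still exits 0, the script prints "Successfully deleted the secret", and the retry branch is never taken; only the final count check after `sleep 5` catches the failure. Add `--fail` (or `--fail-with-body`) and `-s` to match the two GET calls, or check `-w '%{http_code}'`. Two further points: `--header "Authorization: Bearer ${iam_token}"` places the IAM token in the process argument list, visible via `ps` on the runtime for the duration of each call; pass it via a curl config read from stdin (`-K -`) instead. And the list request fetches a single page of `/api/v2/secrets?groups=...`; confirm the endpoint's default page size cannot truncate the result, otherwise secrets past the first page are skipped and the final count check will fail for a group the script never fully enumerated. The header comment also says it deletes "the ingress certificate secret", whereas the loop removes every secret in the group; state that explicitly since the group is DA-owned.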
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index fb735e38..5ca213f0 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -68,12 +68,12 @@ variable "ocp_entitlement" {
variable "cluster_ready_when" {
type = string
- description = "The cluster is ready when one of the following: MasterNodeReady (not recommended), OneWorkerNodeReady, Normal, IngressReady."
+ description = "The cluster is ready based on one of the following:: MasterNodeReady (not recommended), OneWorkerNodeReady, Normal, IngressReady."
default = "IngressReady"
}
variable "enable_ocp_console" {
- description = "Flag to specify whether to enable or disable the OpenShift console. If set to `null` the module will not modify the setting currently set on the cluster. Bare in mind when setting this to `true` or `false` on a cluster with private only endpoint enabled, the runtime must be able to access the private endpoint."
+ description = "Flag to specify whether to enable or disable the OpenShift console. If set to `null` the module does not modify the current setting on the cluster. Keep in mind that when this input is set to `true` or `false` on a cluster with private only endpoint enabled, the runtime must be able to access the private endpoint."
type = bool
default = null
nullable = true
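Review bot: the rewritten `cluster_ready_when` description introduces a double colon ("one of the following::"); make it a single colon. The same typo is introduced in the root `variables.tf` hunk further down.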
@@ -100,7 +100,7 @@ variable "manage_all_addons" {
type = bool
default = false
nullable = false
- description = "Instructs deployable architecture to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this DA will destroy any addons that were installed by other sources."
+ description = "Instructs deployable architecture to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this deployable architecture destroys any addons that were installed by other sources."
}
variable "worker_pools_taints" {
@@ -211,18 +211,18 @@ variable "existing_cos_instance_crn" {
variable "existing_vpc_crn" {
type = string
- description = "The CRN of an existing VPC. If the user provides only the `existing_vpc_crn` the default worker pool will be provisioned across all the subnets in the VPC."
+ description = "The CRN of an existing VPC. If the user provides only the `existing_vpc_crn` the default worker pool is provisioned across all the subnets in the VPC."
}
variable "existing_subnet_ids" {
type = list(string)
- description = "The list of IDs of existing subnets where the default worker pool nodes of the cluster will be provisioned."
+ description = "The list of IDs of existing subnets where the default worker pool nodes of the cluster are provisioned."
default = []
}
variable "use_private_endpoint" {
type = bool
- description = "Set this to true to force all api calls to use the IBM Cloud private endpoints."
+ description = "Set this to true to force all API calls to use the IBM Cloud private endpoints."
default = true
}
@@ -233,7 +233,7 @@ variable "disable_public_endpoint" {
}
variable "cluster_config_endpoint_type" {
- description = "Specify which type of endpoint to use for for cluster config access: 'default', 'private', 'vpe', 'link'. 'default' value will use the default endpoint of the cluster."
+ description = "Specify which type of endpoint to use for cluster config access: 'default', 'private', 'vpe', 'link'. A 'default' value uses the default endpoint of the cluster."
type = string
default = "default"
nullable = false
@@ -247,7 +247,7 @@ variable "disable_outbound_traffic_protection" {
variable "verify_worker_network_readiness" {
type = bool
- description = "By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false."
+ description = "By setting this to true, a script runs kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, set this value to false."
default = true
}
@@ -351,7 +351,7 @@ variable "existing_kms_instance_crn" {
variable "existing_cluster_kms_key_crn" {
type = string
default = null
- description = "The CRN of an existing KMS key to use for encrypting the Object Storage of the Cluster. If no value is set for this variable, please specify a value for `existing_kms_instance_crn` variable to create a key ring and key."
+ description = "The CRN of an existing KMS key to use for encrypting the Object Storage of the Cluster. If no value is set for this variable, specify a value for `existing_kms_instance_crn` variable to create a key ring and key."
validation {
condition = anytrue([
@@ -473,3 +473,46 @@ variable "cbr_rules" {
description = "The list of context-based restriction rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/blob/main/solutions/fully-configurable/DA_docs.md#options-with-cbr)"
default = []
}
+
+##############################################################
+# Ingress Secrets Manager Integration
+##############################################################
+
+variable "enable_secrets_manager_integration" {
+ type = bool
+ description = "Integrate with IBM Cloud Secrets Manager so you can centrally manage Ingress subdomain certificates and other secrets. [Learn more](https://cloud.ibm.com/docs/containers?topic=containers-secrets-mgr)"
+ default = false
+ nullable = false
+ validation {
+ condition = var.enable_secrets_manager_integration ? var.existing_secrets_manager_instance_crn != null : true
+ error_message = "'existing_secrets_manager_instance_crn' should be provided if setting 'enable_secrets_manager_integration' to true."
+ }
+}
+
+variable "existing_secrets_manager_instance_crn" {
+ type = string
+ description = "CRN of the Secrets Manager instance where Ingress certificate secrets are stored. If 'enable_secrets_manager_integration' is set to true then this value is required."
+ default = null
+}
+
+variable "secrets_manager_secret_group_id" {
+ type = string
+ description = "Secret group ID where Ingress secrets are stored in the Secrets Manager instance. If 'enable_secrets_manager_integration' is set to true and 'secrets_manager_secret_group_id' is not provided, a new group will be created with the same name as cluster_id."
+ default = null
+}
+
+variable "secrets_manager_endpoint_type" {
+ type = string
+ description = "The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API."
+ default = "private"
+ validation {
+ condition = contains(["public", "private"], var.secrets_manager_endpoint_type)
+ error_message = "The specified service endpoint is not a valid selection!"
+ }
+}
+
+variable "skip_ocp_secrets_manager_iam_auth_policy" {
+ type = bool
+ description = "To skip creating auth policy that allows OCP cluster 'Manager' role access in the existing Secrets Manager instance for managing ingress certificates."
+ default = false
+}
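Review bot: the `secrets_manager_endpoint_type` validation message ("The specified service endpoint is not a valid selection!") does not tell the user what is valid; suggest "`secrets_manager_endpoint_type` must be one of: \"public\", \"private\"." to match the style of the `cluster_ready_when` message. The `enable_secrets_manager_integration` validation also references `var.existing_secrets_manager_instance_crn`; see the note on the root `variables.tf` hunk about the Terraform version that requires.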
diff --git a/tests/pr_test.go b/tests/pr_test.go
index d69113b2..89151e68 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -105,7 +105,7 @@ func TestRunFullyConfigurableInSchematics(t *testing.T) {
options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
Testing: t,
Prefix: "ocp-fc",
- TarIncludePatterns: []string{"*.tf", fullyConfigurableTerraformDir + "/*.*", "scripts/*.sh", "kubeconfig/README.md"},
+ TarIncludePatterns: []string{"*.tf", fullyConfigurableTerraformDir + "/*.*", fullyConfigurableTerraformDir + "/scripts/*.*", "scripts/*.sh", "kubeconfig/README.md"},
TemplateFolder: fullyConfigurableTerraformDir,
Tags: []string{"test-schematic"},
DeleteWorkspaceOnFail: false,
@@ -123,6 +123,8 @@ func TestRunFullyConfigurableInSchematics(t *testing.T) {
{Name: "kms_encryption_enabled_cluster", Value: "true", DataType: "bool"},
{Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
{Name: "kms_encryption_enabled_boot_volume", Value: "true", DataType: "bool"},
+ {Name: "enable_secrets_manager_integration", Value: "true", DataType: "bool"},
+ {Name: "existing_secrets_manager_instance_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"},
}
require.NoError(t, options.RunSchematicTest(), "This should not have errored")
cleanupTerraform(t, existingTerraformOptions, prefix)
@@ -139,7 +141,7 @@ func TestRunUpgradeFullyConfigurable(t *testing.T) {
options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
Testing: t,
Prefix: "fc-upg",
- TarIncludePatterns: []string{"*.tf", "scripts/*.sh", "kubeconfig/README.md", fullyConfigurableTerraformDir + "/*.*"},
+ TarIncludePatterns: []string{"*.tf", "scripts/*.sh", "kubeconfig/README.md", fullyConfigurableTerraformDir + "/*.*", fullyConfigurableTerraformDir + "/scripts/*.*"},
TemplateFolder: fullyConfigurableTerraformDir,
Tags: []string{"test-schematic"},
DeleteWorkspaceOnFail: false,
@@ -153,6 +155,8 @@ func TestRunUpgradeFullyConfigurable(t *testing.T) {
{Name: "existing_resource_group_name", Value: terraform.Output(t, existingTerraformOptions, "resource_group_name"), DataType: "string"},
{Name: "existing_cos_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "cos_instance_id"), DataType: "string"},
{Name: "existing_vpc_crn", Value: terraform.Output(t, existingTerraformOptions, "vpc_crn"), DataType: "string"},
+ {Name: "enable_secrets_manager_integration", Value: "true", DataType: "bool"},
+ {Name: "existing_secrets_manager_instance_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"},
}
require.NoError(t, options.RunSchematicUpgradeTest(), "This should not have errored")
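Review bot: both tests enable the integration with only `existing_secrets_manager_instance_crn`, so they exercise the create-a-group path and `delete_secrets.sh` on destroy, but never the `secrets_manager_secret_group_id != null` branch (existing group, `terraform_data` and `secret_group` counts of 0). Add a variant that passes an existing group ID. The tests also rely on the `"private"` default for `secrets_manager_endpoint_type`, so they implicitly assert that the Schematics runtime can reach the private Secrets Manager endpoint; set it explicitly so the assumption is visible when it breaks.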
diff --git a/variables.tf b/variables.tf
index 98bbb0d4..5307a8d0 100644
--- a/variables.tf
+++ b/variables.tf
@@ -5,17 +5,17 @@
# Resource Group Variables
variable "resource_group_id" {
type = string
- description = "The Id of an existing IBM Cloud resource group where the cluster will be grouped."
+ description = "The ID of an existing IBM Cloud resource group where the cluster is grouped."
}
variable "region" {
type = string
- description = "The IBM Cloud region where the cluster will be provisioned."
+ description = "The IBM Cloud region where the cluster is provisioned."
}
variable "use_private_endpoint" {
type = bool
- description = "Set this to true to force all api calls to use the IBM Cloud private endpoints."
+ description = "Set this to true to force all API calls to use the IBM Cloud private endpoints."
default = false
}
@@ -28,7 +28,7 @@ variable "tags" {
variable "cluster_name" {
type = string
- description = "The name that will be assigned to the provisioned cluster"
+ description = "The name that is assigned to the provisioned cluster."
}
variable "vpc_subnets" {
@@ -37,7 +37,7 @@ variable "vpc_subnets" {
zone = string
cidr_block = string
})))
- description = "Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster will be created"
+ description = "Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster is created."
}
variable "allow_default_worker_pool_replacement" {
@@ -74,7 +74,7 @@ variable "worker_pools" {
}))
description = "List of worker pools"
validation {
- error_message = "Please provide value for minSize and maxSize while enableAutoscaling is set to true."
+ error_message = "Provide a value for minSize and maxSize while enableAutoscaling is set to true."
condition = length(
flatten(
[
@@ -207,12 +207,12 @@ variable "ocp_version" {
variable "cluster_ready_when" {
type = string
- description = "The cluster is ready when one of the following: MasterNodeReady (not recommended), OneWorkerNodeReady, Normal, IngressReady"
+ description = "The cluster is ready based on one of the following:: MasterNodeReady (not recommended), OneWorkerNodeReady, Normal, IngressReady"
default = "IngressReady"
validation {
condition = contains(["MasterNodeReady", "OneWorkerNodeReady", "Normal", "IngressReady"], var.cluster_ready_when)
- error_message = "The input variable cluster_ready_when must one of: \"MasterNodeReady\", \"OneWorkerNodeReady\", \"Normal\" or \"IngressReady\"."
+ error_message = "The input variable cluster_ready_when must be one of the following: \"MasterNodeReady\", \"OneWorkerNodeReady\", \"Normal\" or \"IngressReady\"."
}
}
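Review bot: same double colon ("one of the following::") as in the `solutions/fully-configurable/variables.tf` hunk; single colon. The rewritten error message on the validation is otherwise an improvement.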
variable "disable_public_endpoint" {
@@ -308,12 +308,12 @@ variable "service_subnet_cidr" {
# VPC Variables
variable "vpc_id" {
type = string
- description = "Id of the VPC instance where this cluster will be provisioned"
+ description = "ID of the VPC instance where this cluster is provisioned."
}
variable "verify_worker_network_readiness" {
type = bool
- description = "By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false."
+ description = "By setting this to true, a script runs kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, set this value to false."
default = true
}
@@ -359,11 +359,11 @@ variable "manage_all_addons" {
type = bool
default = false
nullable = false # null values are set to default value
- description = "Instructs Terraform to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this module will destroy any addons that were installed by other sources."
+ description = "Instructs Terraform to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this module destroys any addons that were installed by other sources."
}
variable "cluster_config_endpoint_type" {
- description = "Specify which type of endpoint to use for for cluster config access: 'default', 'private', 'vpe', 'link'. 'default' value will use the default endpoint of the cluster."
+ description = "Specify which type of endpoint to use for cluster config access: 'default', 'private', 'vpe', 'link'. A 'default' value uses the default endpoint of the cluster."
type = string
default = "default"
nullable = false # use default if null is passed in
@@ -374,7 +374,7 @@ variable "cluster_config_endpoint_type" {
}
variable "enable_ocp_console" {
- description = "Flag to specify whether to enable or disable the OpenShift console. If set to `null` the module will not modify the setting currently set on the cluster. Bare in mind when setting this to `true` or `false` on a cluster with private only endpoint enabled, the runtime must be able to access the private endpoint."
+ description = "Flag to specify whether to enable or disable the OpenShift console. If set to `null` the module does not modify the current setting on the cluster. Keep in mind that when this input is set to `true` or `false` on a cluster with private only endpoint enabled, the runtime must be able to access the private endpoint."
type = bool
default = null
nullable = true
@@ -409,3 +409,36 @@ variable "cbr_rules" {
description = "The list of context-based restriction rules to create."
default = []
}
+
+##############################################################
+# Ingress Secrets Manager Integration
+##############################################################
+
+variable "enable_secrets_manager_integration" {
+ type = bool
+ description = "Integrate with IBM Cloud Secrets Manager so you can centrally manage Ingress subdomain certificates and other secrets. [Learn more](https://cloud.ibm.com/docs/containers?topic=containers-secrets-mgr)"
+ default = false
+ nullable = false
+ validation {
+ condition = var.enable_secrets_manager_integration ? var.existing_secrets_manager_instance_crn != null : true
+ error_message = "'existing_secrets_manager_instance_crn' should be provided if setting 'enable_secrets_manager_integration' to true."
+ }
+}
+
+variable "existing_secrets_manager_instance_crn" {
+ type = string
+ description = "CRN of the Secrets Manager instance where Ingress certificate secrets are stored. If 'enable_secrets_manager_integration' is set to true then this value is required."
+ default = null
+}
+
+variable "secrets_manager_secret_group_id" {
+ type = string
+ description = "Secret group ID where Ingress secrets are stored in the Secrets Manager instance."
+ default = null
+}
+
+variable "skip_ocp_secrets_manager_iam_auth_policy" {
+ type = bool
+ description = "To skip creating auth policy that allows OCP cluster 'Manager' role access in the existing Secrets Manager instance for managing ingress certificates."
+ default = false
+}
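Review bot: the `validation` block on `enable_secrets_manager_integration` references `var.existing_secrets_manager_instance_crn`; referring to other variables inside a validation condition is only supported from Terraform 1.9.0, so `required_version` in version.tf (not shown in its hunk below) must be raised accordingly or `terraform validate` fails on older versions with a reference error. Also, the root `secrets_manager_secret_group_id` description omits what happens when it is left `null` with integration enabled; unlike the solution-level variable, the root module does not create a group, so say where the certificates land (the delete script's comment implies the instance's default group).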
diff --git a/version.tf b/version.tf
index 0750c2a1..fac8de8b 100644
--- a/version.tf
+++ b/version.tf
@@ -14,5 +14,9 @@ terraform {
source = "hashicorp/kubernetes"
version = ">= 2.16.1, < 3.0.0"
}
+ time = {
+ source = "hashicorp/time"
+ version = ">= 0.9.1, < 1.0.0"
+ }
}
}
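Review bot: `hashicorp/time` is added to `required_providers`, but no `time_*` resource appears in the visible hunks of this diff; if the new Secrets Manager integration code in the root module depends on it, mention that in the PR description, otherwise drop the constraint, since an unused provider still gets downloaded and pinned in the lock file.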