diff --git a/README.md b/README.md index 4f47de5e..26d6b384 100644 --- a/README.md +++ b/README.md @@ -238,6 +238,7 @@ Optionally, you need the following permissions to attach Access Management tags | [ibm](#requirement\_ibm) | >= 1.78.2, < 2.0.0 | | [kubernetes](#requirement\_kubernetes) | >= 2.16.1, < 3.0.0 | | [null](#requirement\_null) | >= 3.2.1, < 4.0.0 | +| [time](#requirement\_time) | >= 0.9.1, < 1.0.0 | ### Modules @@ -255,6 +256,7 @@ Optionally, you need the following permissions to attach Access Management tags | Name | Type | |------|------| | [ibm_container_addons.addons](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_addons) | resource | +| [ibm_container_api_key_reset.reset_api_key](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_api_key_reset) | resource | | [ibm_container_vpc_cluster.autoscaling_cluster](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_vpc_cluster) | resource | | [ibm_container_vpc_cluster.cluster](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_vpc_cluster) | resource | | [ibm_container_vpc_worker_pool.autoscaling_pool](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_vpc_worker_pool) | resource | 
@@ -265,13 +267,11 @@ Optionally, you need the following permissions to attach Access Management tags | [null_resource.config_map_status](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [null_resource.confirm_network_healthy](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [null_resource.ocp_console_management](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | -| [null_resource.reset_api_key](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [time_sleep.wait_for_reset_api_key](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [ibm_container_addons.existing_addons](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_addons) | data source | | [ibm_container_cluster_config.cluster_config](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster_config) | data source | | [ibm_container_cluster_versions.cluster_versions](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster_versions) | data source | | [ibm_container_vpc_worker_pool.all_pools](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_vpc_worker_pool) | data source | -| [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source | -| [ibm_iam_auth_token.reset_api_key_tokendata](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_auth_token) | data source | | [ibm_is_lbs.all_lbs](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_lbs) | data source | | 
[ibm_is_virtual_endpoint_gateway.api_vpe](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway) | data source | | [ibm_is_virtual_endpoint_gateway.master_vpe](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway) | data source | @@ -311,7 +311,6 @@ Optionally, you need the following permissions to attach Access Management tags | [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no | | [tags](#input\_tags) | Metadata labels describing this cluster deployment, i.e. test | `list(string)` | `[]` | no | | [use\_existing\_cos](#input\_use\_existing\_cos) | Flag indicating whether or not to use an existing COS instance for OpenShift internal registry storage. Only applicable if 'enable\_registry\_storage' is true | `bool` | `false` | no | -| [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all api calls to use the IBM Cloud private endpoints. | `bool` | `false` | no | | [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no | | [vpc\_id](#input\_vpc\_id) | Id of the VPC instance where this cluster will be provisioned | `string` | n/a | yes | | [vpc\_subnets](#input\_vpc\_subnets) | Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster will be created |
map(list(object({
id = string
zone = string
cidr_block = string
}))) | n/a | yes |
diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf
index 7fc6bcfd..e3312b38 100644
--- a/examples/fscloud/main.tf
+++ b/examples/fscloud/main.tf
@@ -247,7 +247,6 @@ module "ocp_fscloud" {
access_tags = var.access_tags
ocp_version = var.ocp_version
additional_lb_security_group_ids = [module.custom_sg["custom-lb-sg"].security_group_id]
- use_private_endpoint = true
ocp_entitlement = var.ocp_entitlement
enable_ocp_console = false
kms_config = {
diff --git a/ibm_catalog.json b/ibm_catalog.json
index d4963252..fcb74dff 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -289,9 +289,6 @@
{
"key": "existing_subnet_ids"
},
- {
- "key": "use_private_endpoint"
- },
{
"key": "disable_public_endpoint"
},
diff --git a/main.tf b/main.tf
index fb459a62..f3f0ae60 100644
--- a/main.tf
+++ b/main.tf
@@ -133,7 +133,7 @@ resource "ibm_resource_tag" "cos_access_tag" {
##############################################################################
resource "ibm_container_vpc_cluster" "cluster" {
- depends_on = [null_resource.reset_api_key]
+ depends_on = [time_sleep.wait_for_reset_api_key]
count = var.ignore_worker_pool_size_changes ? 0 : 1
name = var.cluster_name
vpc_id = var.vpc_id
@@ -204,7 +204,7 @@ resource "ibm_container_vpc_cluster" "cluster" {
# copy of the cluster resource above which ignores changes to the worker pool for use in autoscaling scenarios
resource "ibm_container_vpc_cluster" "autoscaling_cluster" {
- depends_on = [null_resource.reset_api_key]
+ depends_on = [time_sleep.wait_for_reset_api_key]
count = var.ignore_worker_pool_size_changes ? 1 : 0
name = var.cluster_name
vpc_id = var.vpc_id
@@ -298,22 +298,17 @@ resource "ibm_resource_tag" "cluster_access_tag" {
# new key, and simply use the key created by this script. So hence should not face 404s anymore.
# The IKS team are tracking internally https://github.ibm.com/alchemy-containers/armada-ironsides/issues/5023
-data "ibm_iam_auth_token" "reset_api_key_tokendata" {
+resource "ibm_container_api_key_reset" "reset_api_key" {
+ region = var.region
+ resource_group_id = var.resource_group_id
}
-data "ibm_iam_account_settings" "iam_account_settings" {
+resource "time_sleep" "wait_for_reset_api_key" {
+ depends_on = [ibm_container_api_key_reset.reset_api_key]
+ create_duration = "10s"
}
-resource "null_resource" "reset_api_key" {
- provisioner "local-exec" {
- command = "${path.module}/scripts/reset_iks_api_key.sh ${var.region} ${var.resource_group_id} ${var.use_private_endpoint} ${var.cluster_config_endpoint_type}"
- interpreter = ["/bin/bash", "-c"]
- environment = {
- IAM_TOKEN = data.ibm_iam_auth_token.reset_api_key_tokendata.iam_access_token
- ACCOUNT_ID = data.ibm_iam_account_settings.iam_account_settings.account_id
- }
- }
-}
+
##############################################################################
# Access cluster to kick off RBAC synchronisation
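Review bot: The comment block directly above the new resources still describes the removed local-exec script (`... and simply use the key created by this script ...`), so after this change it documents code that no longer exists; reword it to point at the replacement, e.g. `# ... and simply use the key created by the ibm_container_api_key_reset resource below.` (the comment block starts outside the hunk). The `create_duration = "10s"` on `time_sleep.wait_for_reset_api_key` is a fixed, unexplained wait between the key reset and cluster creation; add a why-comment such as `# give the reset API key time to propagate before the cluster is created` and consider exposing the duration as an input if 10s turns out to be too short in some regions. The hunk removes the only reference to `${path.module}/scripts/reset_iks_api_key.sh` but the diff shows no deletion of that script; if it is still in the tree it should be removed so the old token-in-environment path is not left behind as dead code.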
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
index a87ac1f9..ed90f9d1 100644
--- a/modules/fscloud/README.md
+++ b/modules/fscloud/README.md
@@ -136,7 +136,6 @@ No resources.
| [resource\_group\_id](#input\_resource\_group\_id) | The Id of an existing IBM Cloud resource group where the cluster will be grouped. | `string` | n/a | yes |
| [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
| [tags](#input\_tags) | Metadata labels describing this cluster deployment | `list(string)` | `[]` | no |
-| [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all api calls to use the IBM Cloud private endpoints. | `bool` | `false` | no |
| [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
| [vpc\_id](#input\_vpc\_id) | ID of the VPC instance where this cluster will be provisioned | `string` | n/a | yes |
| [vpc\_subnets](#input\_vpc\_subnets) | Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster will be created | map(list(object({
id = string
zone = string
cidr_block = string
}))) | n/a | yes |
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
index 395f2cab..39337005 100644
--- a/modules/fscloud/main.tf
+++ b/modules/fscloud/main.tf
@@ -11,7 +11,6 @@ module "fscloud" {
ocp_entitlement = var.ocp_entitlement
vpc_id = var.vpc_id
vpc_subnets = var.vpc_subnets
- use_private_endpoint = var.use_private_endpoint
worker_pools = var.worker_pools
disable_public_endpoint = true
cluster_config_endpoint_type = var.cluster_config_endpoint_type
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
index a183d5c3..cdf43f11 100644
--- a/modules/fscloud/variables.tf
+++ b/modules/fscloud/variables.tf
@@ -13,12 +13,6 @@ variable "region" {
description = "The IBM Cloud region where the cluster will be provisioned."
}
-variable "use_private_endpoint" {
- type = bool
- description = "Set this to true to force all api calls to use the IBM Cloud private endpoints."
- default = false
-}
-
# Cluster Variables
variable "tags" {
type = list(string)
diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md
index 039c5cf6..48dedd40 100644
--- a/solutions/fully-configurable/README.md
+++ b/solutions/fully-configurable/README.md
@@ -91,7 +91,6 @@ The following resources are provisioned by this example:
| [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes |
| [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no |
| [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
-| [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all api calls to use the IBM Cloud private endpoints. | `bool` | `true` | no |
| [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
| [worker\_pools\_taints](#input\_worker\_pools\_taints) | Optional, Map of lists containing node taints by node-pool name. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/blob/main/solutions/fully-configurable/DA_docs.md#options-with-worker-pools-taints) | `map(list(object({ key = string, value = string, effect = string })))` | `null` | no |
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 4c7f1d0a..b3b18b4d 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -226,7 +226,6 @@ module "ocp_base" {
number_of_lbs = var.number_of_lbs
pod_subnet_cidr = var.pod_subnet_cidr
service_subnet_cidr = var.service_subnet_cidr
- use_private_endpoint = var.use_private_endpoint
verify_worker_network_readiness = var.verify_worker_network_readiness
worker_pools_taints = var.worker_pools_taints
}
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index fb735e38..2098856d 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -220,12 +220,6 @@ variable "existing_subnet_ids" {
default = []
}
-variable "use_private_endpoint" {
- type = bool
- description = "Set this to true to force all api calls to use the IBM Cloud private endpoints."
- default = true
-}
-
variable "disable_public_endpoint" {
type = bool
description = "Whether access to the public service endpoint is disabled when the cluster is created. Does not affect existing clusters. You can't disable a public endpoint on an existing cluster, so you can't convert a public cluster to a private cluster. To change a public endpoint to private, create another cluster with this input set to `true`."
diff --git a/tests/other_test.go b/tests/other_test.go
index bcd8fb09..14a7fbc2 100644
--- a/tests/other_test.go
+++ b/tests/other_test.go
@@ -78,9 +78,7 @@ func TestRunMultiClusterExample(t *testing.T) {
IgnoreDestroys: testhelper.Exemptions{ // Ignore for consistency check
List: []string{
"module.ocp_base_cluster_1.null_resource.confirm_network_healthy",
- "module.ocp_base_cluster_1.null_resource.reset_api_key",
"module.ocp_base_cluster_2.null_resource.confirm_network_healthy",
- "module.ocp_base_cluster_2.null_resource.reset_api_key",
},
},
IgnoreUpdates: testhelper.Exemptions{ // Ignore for consistency check
@@ -117,7 +115,6 @@ func TestRunAddRulesToSGExample(t *testing.T) {
ResourceGroup: resourceGroup,
ImplicitDestroy: []string{
"module.ocp_base.null_resource.confirm_network_healthy",
- "module.ocp_base.null_resource.reset_api_key",
},
// Do not hard fail the test if the implicit destroy steps fail to allow a full destroy of resource to occur
ImplicitRequired: false,
diff --git a/tests/pr_test.go b/tests/pr_test.go
index d69113b2..c2b84bb9 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -173,7 +173,6 @@ func TestRunCustomsgExample(t *testing.T) {
CloudInfoService: sharedInfoSvc,
ImplicitDestroy: []string{
"module.ocp_base.null_resource.confirm_network_healthy",
- "module.ocp_base.null_resource.reset_api_key",
},
ImplicitRequired: false,
TerraformVars: map[string]interface{}{
diff --git a/variables.tf b/variables.tf
index 98bbb0d4..86109193 100644
--- a/variables.tf
+++ b/variables.tf
@@ -13,12 +13,6 @@ variable "region" {
description = "The IBM Cloud region where the cluster will be provisioned."
}
-variable "use_private_endpoint" {
- type = bool
- description = "Set this to true to force all api calls to use the IBM Cloud private endpoints."
- default = false
-}
-
# Cluster Variables
variable "tags" {
type = list(string)
diff --git a/version.tf b/version.tf
index 0750c2a1..fac8de8b 100644
--- a/version.tf
+++ b/version.tf
@@ -14,5 +14,9 @@ terraform {
source = "hashicorp/kubernetes"
version = ">= 2.16.1, < 3.0.0"
}
+ time = {
+ source = "hashicorp/time"
+ version = ">= 0.9.1, < 1.0.0"
+ }
}
}