7 changes: 3 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -238,6 +238,7 @@ Optionally, you need the following permissions to attach Access Management tags
| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.78.2, < 2.0.0 |
| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.16.1, < 3.0.0 |
| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1, < 4.0.0 |
| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9.1, < 1.0.0 |

### Modules

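Review bot: the `ibm` provider constraint on the context line above stays at `>= 1.78.2, < 2.0.0` while this PR uses the `ibm_container_api_key_reset` resource in main.tf for the first time; confirm that resource, with the `region` and `resource_group_id` arguments as written, is available at 1.78.2, or raise the floor here and in version.tf. The added `time` row matches the `>= 0.9.1, < 1.0.0` constraint introduced in version.tf, so that part is consistent.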
Expand All @@ -255,6 +256,7 @@ Optionally, you need the following permissions to attach Access Management tags
| Name | Type |
|------|------|
| [ibm_container_addons.addons](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_addons) | resource |
| [ibm_container_api_key_reset.reset_api_key](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_api_key_reset) | resource |
| [ibm_container_vpc_cluster.autoscaling_cluster](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_vpc_cluster) | resource |
| [ibm_container_vpc_cluster.cluster](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_vpc_cluster) | resource |
| [ibm_container_vpc_worker_pool.autoscaling_pool](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_vpc_worker_pool) | resource |
Expand All @@ -265,13 +267,11 @@ Optionally, you need the following permissions to attach Access Management tags
| [null_resource.config_map_status](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [null_resource.confirm_network_healthy](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [null_resource.ocp_console_management](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [null_resource.reset_api_key](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [time_sleep.wait_for_reset_api_key](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [ibm_container_addons.existing_addons](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_addons) | data source |
| [ibm_container_cluster_config.cluster_config](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster_config) | data source |
| [ibm_container_cluster_versions.cluster_versions](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster_versions) | data source |
| [ibm_container_vpc_worker_pool.all_pools](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_vpc_worker_pool) | data source |
| [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source |
| [ibm_iam_auth_token.reset_api_key_tokendata](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_auth_token) | data source |
| [ibm_is_lbs.all_lbs](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_lbs) | data source |
| [ibm_is_virtual_endpoint_gateway.api_vpe](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway) | data source |
| [ibm_is_virtual_endpoint_gateway.master_vpe](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway) | data source |
Expand Down Expand Up @@ -311,7 +311,6 @@ Optionally, you need the following permissions to attach Access Management tags
| <a name="input_service_subnet_cidr"></a> [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Metadata labels describing this cluster deployment, i.e. test | `list(string)` | `[]` | no |
| <a name="input_use_existing_cos"></a> [use\_existing\_cos](#input\_use\_existing\_cos) | Flag indicating whether or not to use an existing COS instance for OpenShift internal registry storage. Only applicable if 'enable\_registry\_storage' is true | `bool` | `false` | no |
| <a name="input_use_private_endpoint"></a> [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all api calls to use the IBM Cloud private endpoints. | `bool` | `false` | no |
| <a name="input_verify_worker_network_readiness"></a> [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | Id of the VPC instance where this cluster will be provisioned | `string` | n/a | yes |
| <a name="input_vpc_subnets"></a> [vpc\_subnets](#input\_vpc\_subnets) | Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster will be created | <pre>map(list(object({<br/> id = string<br/> zone = string<br/> cidr_block = string<br/> })))</pre> | n/a | yes |
Expand Down
1 change: 0 additions & 1 deletion examples/fscloud/main.tf
Expand Up @@ -247,7 +247,6 @@ module "ocp_fscloud" {
access_tags = var.access_tags
ocp_version = var.ocp_version
additional_lb_security_group_ids = [module.custom_sg["custom-lb-sg"].security_group_id]
use_private_endpoint = true
ocp_entitlement = var.ocp_entitlement
enable_ocp_console = false
kms_config = {
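Review bot: dropping `use_private_endpoint = true` from the fscloud example means nothing in this module call pins the API-key reset to private endpoints any more; with the script gone, endpoint selection falls to the IBM provider configuration, so check that this example's provider block is configured for private visibility (the `provider_visibility` input documented in solutions/fully-configurable/README.md in this PR is the equivalent knob there). Otherwise the compliance-oriented example silently inherits whatever the provider default is.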
Expand Down
3 changes: 0 additions & 3 deletions ibm_catalog.json
Expand Up @@ -289,9 +289,6 @@
{
"key": "existing_subnet_ids"
},
{
"key": "use_private_endpoint"
},
{
"key": "disable_public_endpoint"
},
Expand Down
23 changes: 9 additions & 14 deletions main.tf
Expand Up @@ -133,7 +133,7 @@ resource "ibm_resource_tag" "cos_access_tag" {
##############################################################################

resource "ibm_container_vpc_cluster" "cluster" {
depends_on = [null_resource.reset_api_key]
depends_on = [time_sleep.wait_for_reset_api_key]
count = var.ignore_worker_pool_size_changes ? 0 : 1
name = var.cluster_name
vpc_id = var.vpc_id
Expand Down Expand Up @@ -204,7 +204,7 @@ resource "ibm_container_vpc_cluster" "cluster" {

# copy of the cluster resource above which ignores changes to the worker pool for use in autoscaling scenarios
resource "ibm_container_vpc_cluster" "autoscaling_cluster" {
depends_on = [null_resource.reset_api_key]
depends_on = [time_sleep.wait_for_reset_api_key]
count = var.ignore_worker_pool_size_changes ? 1 : 0
name = var.cluster_name
vpc_id = var.vpc_id
Expand Down Expand Up @@ -298,22 +298,17 @@ resource "ibm_resource_tag" "cluster_access_tag" {
# new key, and simply use the key created by this script. So hence should not face 404s anymore.
# The IKS team are tracking internally https://github.ibm.com/alchemy-containers/armada-ironsides/issues/5023

data "ibm_iam_auth_token" "reset_api_key_tokendata" {
resource "ibm_container_api_key_reset" "reset_api_key" {
region = var.region
resource_group_id = var.resource_group_id
}

data "ibm_iam_account_settings" "iam_account_settings" {
resource "time_sleep" "wait_for_reset_api_key" {
depends_on = [ibm_container_api_key_reset.reset_api_key]
create_duration = "10s"
}

resource "null_resource" "reset_api_key" {
provisioner "local-exec" {
command = "${path.module}/scripts/reset_iks_api_key.sh ${var.region} ${var.resource_group_id} ${var.use_private_endpoint} ${var.cluster_config_endpoint_type}"
interpreter = ["/bin/bash", "-c"]
environment = {
IAM_TOKEN = data.ibm_iam_auth_token.reset_api_key_tokendata.iam_access_token
ACCOUNT_ID = data.ibm_iam_account_settings.iam_account_settings.account_id
}
}
}


##############################################################################
# Access cluster to kick off RBAC synchronisation
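Review bot: the comment kept above the new resource still says "simply use the key created by this script", but the script-driven `null_resource.reset_api_key` is removed in this hunk; reword it to refer to `ibm_container_api_key_reset.reset_api_key`. The `create_duration = "10s"` on `time_sleep.wait_for_reset_api_key` also needs a one-line comment stating what the wait covers (presumably propagation of the freshly reset key before the cluster resources that `depends_on` it start calling the API), because nothing here explains why 10 seconds is enough or whether the sleep can be dropped. On the positive side, the IAM access token no longer passes through a `local-exec` environment variable (`IAM_TOKEN = data.ibm_iam_auth_token.reset_api_key_tokendata.iam_access_token`), and the `ibm_iam_auth_token` and `ibm_iam_account_settings` data sources disappear from state; that is worth stating in the commit message as the security motivation for the change.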
Expand Down
1 change: 0 additions & 1 deletion modules/fscloud/README.md
Expand Up @@ -136,7 +136,6 @@ No resources.
| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The Id of an existing IBM Cloud resource group where the cluster will be grouped. | `string` | n/a | yes |
| <a name="input_service_subnet_cidr"></a> [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Metadata labels describing this cluster deployment | `list(string)` | `[]` | no |
| <a name="input_use_private_endpoint"></a> [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all api calls to use the IBM Cloud private endpoints. | `bool` | `false` | no |
| <a name="input_verify_worker_network_readiness"></a> [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC instance where this cluster will be provisioned | `string` | n/a | yes |
| <a name="input_vpc_subnets"></a> [vpc\_subnets](#input\_vpc\_subnets) | Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster will be created | <pre>map(list(object({<br/> id = string<br/> zone = string<br/> cidr_block = string<br/> })))</pre> | n/a | yes |
Expand Down
1 change: 0 additions & 1 deletion modules/fscloud/main.tf
Expand Up @@ -11,7 +11,6 @@ module "fscloud" {
ocp_entitlement = var.ocp_entitlement
vpc_id = var.vpc_id
vpc_subnets = var.vpc_subnets
use_private_endpoint = var.use_private_endpoint
worker_pools = var.worker_pools
disable_public_endpoint = true
cluster_config_endpoint_type = var.cluster_config_endpoint_type
Expand Down
6 changes: 0 additions & 6 deletions modules/fscloud/variables.tf
Expand Up @@ -13,12 +13,6 @@ variable "region" {
description = "The IBM Cloud region where the cluster will be provisioned."
}

variable "use_private_endpoint" {
type = bool
description = "Set this to true to force all api calls to use the IBM Cloud private endpoints."
default = false
}

# Cluster Variables
variable "tags" {
type = list(string)
Expand Down
1 change: 0 additions & 1 deletion solutions/fully-configurable/README.md
Expand Up @@ -91,7 +91,6 @@ The following resources are provisioned by this example:
| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix to add to all resources that this solution creates (e.g `prod`, `test`, `dev`). To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes |
| <a name="input_provider_visibility"></a> [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no |
| <a name="input_service_subnet_cidr"></a> [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
| <a name="input_use_private_endpoint"></a> [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all api calls to use the IBM Cloud private endpoints. | `bool` | `true` | no |
| <a name="input_verify_worker_network_readiness"></a> [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
| <a name="input_worker_pools_taints"></a> [worker\_pools\_taints](#input\_worker\_pools\_taints) | Optional, Map of lists containing node taints by node-pool name. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/blob/main/solutions/fully-configurable/DA_docs.md#options-with-worker-pools-taints) | `map(list(object({ key = string, value = string, effect = string })))` | `null` | no |

Expand Down
1 change: 0 additions & 1 deletion solutions/fully-configurable/main.tf
Expand Up @@ -226,7 +226,6 @@ module "ocp_base" {
number_of_lbs = var.number_of_lbs
pod_subnet_cidr = var.pod_subnet_cidr
service_subnet_cidr = var.service_subnet_cidr
use_private_endpoint = var.use_private_endpoint
verify_worker_network_readiness = var.verify_worker_network_readiness
worker_pools_taints = var.worker_pools_taints
}
6 changes: 0 additions & 6 deletions solutions/fully-configurable/variables.tf
Expand Up @@ -220,12 +220,6 @@ variable "existing_subnet_ids" {
default = []
}

variable "use_private_endpoint" {
type = bool
description = "Set this to true to force all api calls to use the IBM Cloud private endpoints."
default = true
}

variable "disable_public_endpoint" {
type = bool
description = "Whether access to the public service endpoint is disabled when the cluster is created. Does not affect existing clusters. You can't disable a public endpoint on an existing cluster, so you can't convert a public cluster to a private cluster. To change a public endpoint to private, create another cluster with this input set to `true`."
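Review bot: in this solution the removed variable defaulted to `true`, so existing deployments got private endpoints for the reset call without setting anything; after this change that property rests on `provider_visibility`, which solutions/fully-configurable/README.md in this PR documents with a default of `"private"`, so behaviour is preserved, but the PR description should say so explicitly. Since `use_private_endpoint` was a documented input and its key is also removed from ibm_catalog.json, any saved configuration that still passes it will fail on the next apply; call that out as a breaking change.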
Expand Down
3 changes: 0 additions & 3 deletions tests/other_test.go
Expand Up @@ -78,9 +78,7 @@ func TestRunMultiClusterExample(t *testing.T) {
IgnoreDestroys: testhelper.Exemptions{ // Ignore for consistency check
List: []string{
"module.ocp_base_cluster_1.null_resource.confirm_network_healthy",
"module.ocp_base_cluster_1.null_resource.reset_api_key",
"module.ocp_base_cluster_2.null_resource.confirm_network_healthy",
"module.ocp_base_cluster_2.null_resource.reset_api_key",
},
},
IgnoreUpdates: testhelper.Exemptions{ // Ignore for consistency check
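Review bot: removing the `null_resource.reset_api_key` exemptions is only correct if the replacement resources (`ibm_container_api_key_reset.reset_api_key` and `time_sleep.wait_for_reset_api_key` in main.tf) plan clean on the second apply that the consistency check performs; if either shows a destroy or recreate, they need to be listed here instead. A line in the PR noting that the upgrade test passed with these entries removed would settle it.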
Expand Down Expand Up @@ -117,7 +115,6 @@ func TestRunAddRulesToSGExample(t *testing.T) {
ResourceGroup: resourceGroup,
ImplicitDestroy: []string{
"module.ocp_base.null_resource.confirm_network_healthy",
"module.ocp_base.null_resource.reset_api_key",
},
// Do not hard fail the test if the implicit destroy steps fail to allow a full destroy of resource to occur
ImplicitRequired: false,
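Review bot: `ImplicitDestroy` previously made the harness destroy `null_resource.reset_api_key` explicitly before the full destroy; confirm that `ibm_container_api_key_reset.reset_api_key` does not need the same entry (if its destroy is state-only, as a one-shot reset resource's normally is, omitting it is fine, but that should be verified rather than assumed, since the same list is edited in tests/pr_test.go).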
Expand Down
1 change: 0 additions & 1 deletion tests/pr_test.go
Expand Up @@ -173,7 +173,6 @@ func TestRunCustomsgExample(t *testing.T) {
CloudInfoService: sharedInfoSvc,
ImplicitDestroy: []string{
"module.ocp_base.null_resource.confirm_network_healthy",
"module.ocp_base.null_resource.reset_api_key",
},
ImplicitRequired: false,
TerraformVars: map[string]interface{}{
Expand Down
6 changes: 0 additions & 6 deletions variables.tf
Expand Up @@ -13,12 +13,6 @@ variable "region" {
description = "The IBM Cloud region where the cluster will be provisioned."
}

variable "use_private_endpoint" {
type = bool
description = "Set this to true to force all api calls to use the IBM Cloud private endpoints."
default = false
}

# Cluster Variables
variable "tags" {
type = list(string)
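Review bot: removing a root-module input is a breaking change for any caller that sets `use_private_endpoint`; they will now get an unsupported-argument error at plan time. Mark the PR accordingly and point such callers to the provider-level visibility setting that now governs which endpoint `ibm_container_api_key_reset` uses, since the module no longer offers a per-call override.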
Expand Down
4 changes: 4 additions & 0 deletions version.tf
Expand Up @@ -14,5 +14,9 @@ terraform {
source = "hashicorp/kubernetes"
version = ">= 2.16.1, < 3.0.0"
}
time = {
source = "hashicorp/time"
version = ">= 0.9.1, < 1.0.0"
}
}
}