diff --git a/README.md b/README.md
index 4f237ea8..3a1c1785 100644
--- a/README.md
+++ b/README.md
@@ -259,6 +259,7 @@ Optionally, you need the following permissions to attach Access Management tags
 | Name | Type |
 |------|------|
 | [ibm_container_addons.addons](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_addons) | resource |
+| [ibm_container_api_key_reset.reset_api_key](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_api_key_reset) | resource |
 | [ibm_container_ingress_instance.instance](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_ingress_instance) | resource |
 | [ibm_container_vpc_cluster.autoscaling_cluster](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_vpc_cluster) | resource |
 | [ibm_container_vpc_cluster.cluster](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_vpc_cluster) | resource |
@@ -271,14 +272,12 @@ Optionally, you need the following permissions to attach Access Management tags
 | [null_resource.config_map_status](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.confirm_network_healthy](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.ocp_console_management](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [null_resource.reset_api_key](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [time_sleep.wait_for_auth_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [time_sleep.wait_for_reset_api_key](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [ibm_container_addons.existing_addons](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_addons) | data source |
 | [ibm_container_cluster_config.cluster_config](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster_config) | data source |
 | [ibm_container_cluster_versions.cluster_versions](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster_versions) | data source |
 | [ibm_container_vpc_worker_pool.all_pools](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_vpc_worker_pool) | data source |
-| [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source |
-| [ibm_iam_auth_token.reset_api_key_tokendata](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_auth_token) | data source |
 | [ibm_is_lbs.all_lbs](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_lbs) | data source |
 | [ibm_is_virtual_endpoint_gateway.api_vpe](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway) | data source |
 | [ibm_is_virtual_endpoint_gateway.master_vpe](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway) | data source |
@@ -322,7 +321,6 @@ Optionally, you need the following permissions to attach Access Management tags
 | [skip\_ocp\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_ocp\_secrets\_manager\_iam\_auth\_policy) | To skip creating auth policy that allows OCP cluster 'Manager' role access in the existing Secrets Manager instance for managing ingress certificates. | `bool` | `false` | no |
 | [tags](#input\_tags) | Metadata labels describing this cluster deployment, i.e. test | `list(string)` | `[]` | no |
 | [use\_existing\_cos](#input\_use\_existing\_cos) | Flag indicating whether or not to use an existing COS instance for OpenShift internal registry storage. Only applicable if 'enable\_registry\_storage' is true | `bool` | `false` | no |
-| [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all API calls to use the IBM Cloud private endpoints. | `bool` | `false` | no |
 | [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script runs kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, set this value to false. | `bool` | `true` | no |
 | [vpc\_id](#input\_vpc\_id) | ID of the VPC instance where this cluster is provisioned. | `string` | n/a | yes |
 | [vpc\_subnets](#input\_vpc\_subnets) | Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster is created. |
map(list(object({
id = string
zone = string
cidr_block = string
}))) | n/a | yes |
diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf
index b43e781f..1b994e67 100644
--- a/examples/fscloud/main.tf
+++ b/examples/fscloud/main.tf
@@ -247,7 +247,6 @@ module "ocp_fscloud" {
access_tags = var.access_tags
ocp_version = var.ocp_version
additional_lb_security_group_ids = [module.custom_sg["custom-lb-sg"].security_group_id]
- use_private_endpoint = true
ocp_entitlement = var.ocp_entitlement
enable_ocp_console = false
kms_config = {
diff --git a/main.tf b/main.tf
index 71b2d44b..7dd35cf5 100644
--- a/main.tf
+++ b/main.tf
@@ -126,7 +126,7 @@ resource "ibm_resource_tag" "cos_access_tag" {
##############################################################################
resource "ibm_container_vpc_cluster" "cluster" {
- depends_on = [null_resource.reset_api_key]
+ depends_on = [time_sleep.wait_for_reset_api_key]
count = var.ignore_worker_pool_size_changes ? 0 : 1
name = var.cluster_name
vpc_id = var.vpc_id
@@ -197,7 +197,7 @@ resource "ibm_container_vpc_cluster" "cluster" {
# copy of the cluster resource above which ignores changes to the worker pool for use in autoscaling scenarios
resource "ibm_container_vpc_cluster" "autoscaling_cluster" {
- depends_on = [null_resource.reset_api_key]
+ depends_on = [time_sleep.wait_for_reset_api_key]
count = var.ignore_worker_pool_size_changes ? 1 : 0
name = var.cluster_name
vpc_id = var.vpc_id
@@ -284,28 +284,16 @@ resource "ibm_resource_tag" "cluster_access_tag" {
# when the IAM API key is initially created and when it is fully replicated across Cloudant instances where the API key
# does not work because it is not fully replicated, so commands that require the API key may fail with 404.
#
-# WORKAROUND:
-# Run a script that checks if an IAM API key already exists for the given region and resource group, and if it does not,
-# run the ibmcloud ks api-key reset command to create one. The script will then pause for some time to allow any IAM
-# Cloudant replication to occur. By doing this, it means the cluster provisioning process will not attempt to create a
-# new key, and simply use the key created by this script. So hence should not face 404s anymore.
-# The IKS team are tracking internally https://github.ibm.com/alchemy-containers/armada-ironsides/issues/5023
+# Enhancement Request: Add support to skip API key reset if a valid key already exists (https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6468).
-data "ibm_iam_auth_token" "reset_api_key_tokendata" {
-}
-
-data "ibm_iam_account_settings" "iam_account_settings" {
+resource "ibm_container_api_key_reset" "reset_api_key" {
+ region = var.region
+ resource_group_id = var.resource_group_id
}
-resource "null_resource" "reset_api_key" {
- provisioner "local-exec" {
- command = "${path.module}/scripts/reset_iks_api_key.sh ${var.region} ${var.resource_group_id} ${var.use_private_endpoint} ${var.cluster_config_endpoint_type}"
- interpreter = ["/bin/bash", "-c"]
- environment = {
- IAM_TOKEN = data.ibm_iam_auth_token.reset_api_key_tokendata.iam_access_token
- ACCOUNT_ID = data.ibm_iam_account_settings.iam_account_settings.account_id
- }
- }
+resource "time_sleep" "wait_for_reset_api_key" {
+ depends_on = [ibm_container_api_key_reset.reset_api_key]
+ create_duration = "10s"
}
##############################################################################
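Review bot: The new `ibm_container_api_key_reset.reset_api_key` resource resets the key unconditionally on every create, whereas the removed script first listed the account's API keys and skipped the reset when a `containers-kubernetes-key` already covered the region and resource group; the comment above it only records the enhancement request and should state the consequence, because a reset replaces the key that, as the removed script's "covers clusters in" message implies, is shared by every cluster in that region and resource group and can disrupt operations on those clusters. I would extend the comment with `# NOTE: the reset is unconditional and replaces the shared key for all clusters in this region and resource group; the old existence check has no equivalent here.` The removed script's private-endpoint handling (selected via `use_private_endpoint`, which the fscloud example and quickstart solution set to true) also has no replacement in the new resource, so callers who relied on it to keep the IAM and container API calls off public endpoints now depend on provider-level endpoint configuration, which is worth stating in the comment or the README. Finally, `time_sleep.wait_for_reset_api_key` only delays on its own creation, so if the reset resource is ever replaced the sleep will not re-run unless it gets a `triggers` argument tied to the reset resource, e.g. `triggers = { reset = ibm_container_api_key_reset.reset_api_key.id }`.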
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
index b4cc9329..5a61899c 100644
--- a/modules/fscloud/README.md
+++ b/modules/fscloud/README.md
@@ -136,7 +136,6 @@ No resources.
| [resource\_group\_id](#input\_resource\_group\_id) | The Id of an existing IBM Cloud resource group where the cluster will be grouped. | `string` | n/a | yes |
| [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
| [tags](#input\_tags) | Metadata labels describing this cluster deployment | `list(string)` | `[]` | no |
-| [use\_private\_endpoint](#input\_use\_private\_endpoint) | Set this to true to force all api calls to use the IBM Cloud private endpoints. | `bool` | `false` | no |
| [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
| [vpc\_id](#input\_vpc\_id) | ID of the VPC instance where this cluster will be provisioned | `string` | n/a | yes |
| [vpc\_subnets](#input\_vpc\_subnets) | Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster will be created | map(list(object({
id = string
zone = string
cidr_block = string
}))) | n/a | yes |
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
index 395f2cab..39337005 100644
--- a/modules/fscloud/main.tf
+++ b/modules/fscloud/main.tf
@@ -11,7 +11,6 @@ module "fscloud" {
ocp_entitlement = var.ocp_entitlement
vpc_id = var.vpc_id
vpc_subnets = var.vpc_subnets
- use_private_endpoint = var.use_private_endpoint
worker_pools = var.worker_pools
disable_public_endpoint = true
cluster_config_endpoint_type = var.cluster_config_endpoint_type
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
index 706e128e..7874a651 100644
--- a/modules/fscloud/variables.tf
+++ b/modules/fscloud/variables.tf
@@ -13,12 +13,6 @@ variable "region" {
description = "The IBM Cloud region where the cluster will be provisioned."
}
-variable "use_private_endpoint" {
- type = bool
- description = "Set this to true to force all api calls to use the IBM Cloud private endpoints."
- default = false
-}
-
# Cluster Variables
variable "tags" {
type = list(string)
diff --git a/scripts/reset_iks_api_key.sh b/scripts/reset_iks_api_key.sh
deleted file mode 100755
index c83af2cf..00000000
--- a/scripts/reset_iks_api_key.sh
+++ /dev/null
@@ -1,162 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-REGION="$1"
-RESOURCE_GROUP_ID="$2"
-APIKEY_KEY_NAME="containers-kubernetes-key"
-PRIVATE_ENV="$3"
-CLUSTER_ENDPOINT="$4"
-MAX_ATTEMPTS=10
-
-if [[ -z "${REGION}" ]]; then
- echo "Region must be passed as first input script argument" >&2
- exit 1
-fi
-
-if [[ -z "${RESOURCE_GROUP_ID}" ]]; then
- echo "Resource_group_id must be passed as second input script argument" >&2
- exit 1
-fi
-
-# ENVIRONMENT VARIABLE VALIDATION
-if [[ -z "${IAM_TOKEN}" ]]; then
- echo "Environment variable IAM_TOKEN is not set." >&2
- exit 1
-fi
-
-if [[ -z "${ACCOUNT_ID}" ]]; then
- echo "Environment variable ACCOUNT_ID is not set." >&2
- exit 1
-fi
-
-
-get_cloud_endpoint() {
- iam_cloud_endpoint="${IBMCLOUD_IAM_API_ENDPOINT:-"iam.cloud.ibm.com"}"
- IBMCLOUD_IAM_API_ENDPOINT=${iam_cloud_endpoint#https://}
-
- cs_api_endpoint="${IBMCLOUD_CS_API_ENDPOINT:-"containers.cloud.ibm.com"}"
- cs_api_endpoint=${cs_api_endpoint#https://}
- IBMCLOUD_CS_API_ENDPOINT=${cs_api_endpoint%/global}
-}
-
-get_cloud_endpoint
-
-if [ "$IBMCLOUD_IAM_API_ENDPOINT" = "iam.cloud.ibm.com" ]; then
- if [ "$PRIVATE_ENV" = true ]; then
- IAM_URL="https://private.$IBMCLOUD_IAM_API_ENDPOINT/v1/apikeys?account_id=$ACCOUNT_ID&scope=account&pagesize=100&type=user&sort=name"
- else
- IAM_URL="https://$IBMCLOUD_IAM_API_ENDPOINT/v1/apikeys?account_id=$ACCOUNT_ID&scope=account&pagesize=100&type=user&sort=name"
- fi
-else
- IAM_URL="https://$IBMCLOUD_IAM_API_ENDPOINT/v1/apikeys?account_id=$ACCOUNT_ID&scope=account&pagesize=100&type=user&sort=name"
-fi
-
-reset=true
-
-# Function to fetch data and handle pagination
-fetch_data() {
- local url="$IAM_URL"
- local fetch_attempt=0
- local retry_wait_time=5
-
- while [ "$url" != "null" ]; do
- fetch_attempt=0
- # Retry loop for each API call
- while [ $fetch_attempt -lt $MAX_ATTEMPTS ]; do
-
- # Fetch data from the API
- IAM_RESPONSE=$(curl -s "$url" --header "Authorization: $IAM_TOKEN" --header "Content-Type: application/json")
-
- # check if the response is valid JSON.
- if ! echo "${IAM_RESPONSE}" | jq -e . >/dev/null 2>&1; then
- echo "Error: API did not return valid JSON on attempt $((fetch_attempt + 1))." >&2
- echo "Response was: ${IAM_RESPONSE}" >&2
- fetch_attempt=$((fetch_attempt + 1))
-
- if [ $fetch_attempt -lt $MAX_ATTEMPTS ]; then
- echo "Retrying in ${retry_wait_time} seconds..." >&2
- sleep $retry_wait_time
- continue
- else
- echo "Maximum retry attempts reached for fetching data." >&2
- exit 1
- fi
- fi
-
- ERROR_MESSAGE=$(echo "${IAM_RESPONSE}" | jq 'has("errors")')
- if [[ "${ERROR_MESSAGE}" != false ]]; then
- echo "API returned errors on attempt $((fetch_attempt + 1)):" >&2
- echo " ${IAM_RESPONSE}" >&2
- fetch_attempt=$((fetch_attempt + 1))
-
- if [ $fetch_attempt -lt $MAX_ATTEMPTS ]; then
- echo "Retrying in ${retry_wait_time} seconds..." >&2
- sleep $retry_wait_time
- continue
- else
- echo "Maximum retry attempts reached. Could not obtain api keys." >&2
- exit 1
- fi
- fi
- # Success - break out of retry loop
- break
- done
-
- next_url=$(echo "${IAM_RESPONSE}" | jq -r '.next')
- key_descriptions=$(echo "$IAM_RESPONSE" | jq -r --arg name "${APIKEY_KEY_NAME}" '.apikeys | .[] | select(.name == $name) | .description')
- for i in "${key_descriptions[@]}"; do
- if [[ "$i" =~ ${REGION} ]] && [[ "$i" =~ ${RESOURCE_GROUP_ID} ]]; then
- echo "Found key named ${APIKEY_KEY_NAME} which covers clusters in ${REGION} and resource group ID ${RESOURCE_GROUP_ID}"
- reset=false
- break
- fi
- done
- url=$next_url
- done
-}
-
-fetch_data
-
-attempt=0
-retry_wait_time=5
-
-if [ "${reset}" == true ]; then
- while [ $attempt -lt $MAX_ATTEMPTS ]; do
- if [ "$IBMCLOUD_CS_API_ENDPOINT" = "containers.cloud.ibm.com" ]; then
- if [ "$PRIVATE_ENV" = true ]; then
- if [ "$CLUSTER_ENDPOINT" == "private" ] || [ "$CLUSTER_ENDPOINT" == "default" ]; then
- RESET_URL="https://private.$REGION.$IBMCLOUD_CS_API_ENDPOINT/v1/keys"
- result=$(curl -i -H "accept: application/json" -H "Authorization: $IAM_TOKEN" -H "X-Auth-Resource-Group: $RESOURCE_GROUP_ID" -X POST "$RESET_URL" 2>/dev/null)
- status_code=$(echo "$result" | head -n 1 | cut -d$' ' -f2)
- elif [ "$CLUSTER_ENDPOINT" == "vpe" ]; then
- RESET_URL="https://api.$REGION.$IBMCLOUD_CS_API_ENDPOINT/v1/keys"
- result=$(curl -i -H "accept: application/json" -H "Authorization: $IAM_TOKEN" -H "X-Auth-Resource-Group: $RESOURCE_GROUP_ID" -X POST "$RESET_URL" 2>/dev/null)
- status_code=$(echo "$result" | head -n 1 | cut -d$' ' -f2)
- fi
- else
- RESET_URL="https://$IBMCLOUD_CS_API_ENDPOINT/global/v1/keys"
- result=$(curl -i -H "accept: application/json" -H "X-Region: $REGION" -H "Authorization: $IAM_TOKEN" -H "X-Auth-Resource-Group: $RESOURCE_GROUP_ID" -X POST "$RESET_URL" -d '' 2>/dev/null)
- status_code=$(echo "$result" | head -n 1 | cut -d$' ' -f2)
- fi
- else
- RESET_URL="https://$IBMCLOUD_CS_API_ENDPOINT/global/v1/keys"
- result=$(curl -i -H "accept: application/json" -H "X-Region: $REGION" -H "Authorization: $IAM_TOKEN" -H "X-Auth-Resource-Group: $RESOURCE_GROUP_ID" -X POST "$RESET_URL" -d '' 2>/dev/null)
- status_code=$(echo "$result" | head -n 1 | cut -d$' ' -f2)
- fi
-
- if [ "${status_code}" == "204" ] || [ "${status_code}" == "200" ]; then
- echo "The IAM API key is successfully reset."
- sleep 10
- exit 0
- else
- echo "ERROR:: FAILED TO RESET THE IAM API KEY"
- echo "$result"
- sleep $retry_wait_time
- attempt=$((attempt+1))
- fi
- # sleep for 10 secs to allow the new key to be replicated across backend DB instances before attempting to create cluster
- done
- echo "Maximum retry attempts reached. Could not reset api key."
- exit 1
-fi
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index fff56158..dbd53bc0 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -233,7 +233,6 @@ module "ocp_base" {
number_of_lbs = var.number_of_lbs
pod_subnet_cidr = var.pod_subnet_cidr
service_subnet_cidr = var.service_subnet_cidr
- use_private_endpoint = var.use_private_endpoint
verify_worker_network_readiness = var.verify_worker_network_readiness
worker_pools_taints = var.worker_pools_taints
enable_secrets_manager_integration = var.enable_secrets_manager_integration
diff --git a/solutions/quickstart/main.tf b/solutions/quickstart/main.tf
index b08b1ae3..cfb15099 100644
--- a/solutions/quickstart/main.tf
+++ b/solutions/quickstart/main.tf
@@ -143,6 +143,5 @@ module "ocp_base" {
disable_outbound_traffic_protection = var.allow_outbound_traffic
access_tags = var.access_tags
disable_public_endpoint = !var.allow_public_access_to_cluster
- use_private_endpoint = true
cluster_config_endpoint_type = "default"
}
diff --git a/variables.tf b/variables.tf
index 711a531b..19c66cdf 100644
--- a/variables.tf
+++ b/variables.tf
@@ -13,12 +13,6 @@ variable "region" {
description = "The IBM Cloud region where the cluster is provisioned."
}
-variable "use_private_endpoint" {
- type = bool
- description = "Set this to true to force all API calls to use the IBM Cloud private endpoints."
- default = false
-}
-
# Cluster Variables
variable "tags" {
type = list(string)