diff --git a/README.md b/README.md
index 4d26c550..8149c5f4 100644
--- a/README.md
+++ b/README.md
@@ -364,6 +364,7 @@ Optionally, you need the following permissions to attach Access Management tags
| [resource\_group\_id](#input\_resource\_group\_id) | The ID of an existing IBM Cloud resource group where the cluster is grouped. | `string` | n/a | yes |
| [secrets\_manager\_secret\_group\_id](#input\_secrets\_manager\_secret\_group\_id) | Secret group ID where Ingress secrets are stored in the Secrets Manager instance. | `string` | `null` | no |
| [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
+| [skip\_cluster\_apikey\_creation](#input\_skip\_cluster\_apikey\_creation) | Set to true to skip explicit creation of the `containers-kubernetes-key` for the given region and resource group. You can set this to false if you plan to manually create this key, or if you want to allow the cluster creation process to create it. Please be aware that it may take multiple apply attempts when allowing the cluster creation process to create it it before it will be successful. | `bool` | `false` | no |
| [skip\_ocp\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_ocp\_secrets\_manager\_iam\_auth\_policy) | To skip creating auth policy that allows OCP cluster 'Manager' role access in the existing Secrets Manager instance for managing ingress certificates. | `bool` | `false` | no |
| [tags](#input\_tags) | Metadata labels describing this cluster deployment, i.e. test | `list(string)` | `[]` | no |
| [use\_existing\_cos](#input\_use\_existing\_cos) | Flag indicating whether or not to use an existing COS instance for OpenShift internal registry storage. Only applicable if 'enable\_registry\_storage' is true | `bool` | `false` | no |
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 88f0c09a..8afa8415 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -928,6 +928,9 @@
"key": "skip_ocp_secrets_manager_iam_auth_policy",
"hidden": true
},
+ {
+ "key": "skip_cluster_apikey_creation"
+ },
{
"key": "subnets",
"default_value": "{\n zone-1 = [\n {\n name = \"subnet-a\"\n cidr = \"10.10.10.0/24\"\n public_gateway = true\n acl_name = \"vpc-acl\"\n no_addr_prefix = false\n }\n ],\n zone-2 = [\n {\n name = \"subnet-b\"\n cidr = \"10.20.10.0/24\"\n public_gateway = true\n acl_name = \"vpc-acl\"\n no_addr_prefix = false\n }\n ],\n zone-3 = [\n {\n name = \"subnet-c\"\n cidr = \"10.30.10.0/24\"\n public_gateway = true\n acl_name = \"vpc-acl\"\n no_addr_prefix = false\n }\n ]\n }",
@@ -1518,6 +1521,10 @@
"key": "address_prefix",
"hidden": true
},
+ {
+ "key": "skip_cluster_apikey_creation",
+ "hidden": true
+ },
{
"key": "ocp_entitlement"
},
diff --git a/main.tf b/main.tf
index e41ed004..26c73c59 100644
--- a/main.tf
+++ b/main.tf
@@ -442,11 +442,13 @@ resource "ibm_resource_tag" "cluster_access_tag" {
# Enhancement Request: Add support to skip API key reset if a valid key already exists (https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6468).
resource "ibm_container_api_key_reset" "reset_api_key" {
+ count = var.skip_cluster_apikey_creation ? 0 : 1
region = var.region
resource_group_id = var.resource_group_id
}
resource "time_sleep" "wait_for_reset_api_key" {
+ count = var.skip_cluster_apikey_creation ? 0 : 1
depends_on = [ibm_container_api_key_reset.reset_api_key]
create_duration = "10s"
}
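Review bot: Adding `count` to `ibm_container_api_key_reset.reset_api_key` and `time_sleep.wait_for_reset_api_key` changes their state addresses to the `[0]` form, so an existing deployment that keeps the default `skip_cluster_apikey_creation = false` will plan to destroy and recreate both resources on the next apply, which presumably re-runs the reset of the region/resource-group `containers-kubernetes-key` as a side effect of a module upgrade. Add `moved` blocks for both resources so the key is only rotated when a user actually asks for it (this needs Terraform 1.1 or later; the module's `required_version` is not visible here). The `depends_on` on the whole resource is fine, but any other reference to `time_sleep.wait_for_reset_api_key` attributes elsewhere in this file now needs the indexed form; that code is outside the hunk. The comment above the resource could also mention the new variable: `# Set var.skip_cluster_apikey_creation = true to skip this reset when a valid key already exists.`
```hcl
# Keep state addresses stable now that both resources are counted; without these,
# upgrading with skip_cluster_apikey_creation = false replaces them and re-runs
# the API key reset.
moved {
  from = ibm_container_api_key_reset.reset_api_key
  to   = ibm_container_api_key_reset.reset_api_key[0]
}

moved {
  from = time_sleep.wait_for_reset_api_key
  to   = time_sleep.wait_for_reset_api_key[0]
}
# … unchanged: ibm_container_api_key_reset and time_sleep resources …
```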
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
index 5a61899c..8f403827 100644
--- a/modules/fscloud/README.md
+++ b/modules/fscloud/README.md
@@ -135,6 +135,7 @@ No resources.
| [region](#input\_region) | The IBM Cloud region where the cluster will be provisioned. | `string` | n/a | yes |
| [resource\_group\_id](#input\_resource\_group\_id) | The Id of an existing IBM Cloud resource group where the cluster will be grouped. | `string` | n/a | yes |
| [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
+| [skip\_cluster\_apikey\_creation](#input\_skip\_cluster\_apikey\_creation) | Set to true to skip explicit creation of the `containers-kubernetes-key` for the given region and resource group. You can set this to false if you plan to manually create this key, or if you want to allow the cluster creation process to create it. Please be aware that it may take multiple apply attempts when allowing the cluster creation process to create it it before it will be successful. | `bool` | `false` | no |
| [tags](#input\_tags) | Metadata labels describing this cluster deployment | `list(string)` | `[]` | no |
| [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
| [vpc\_id](#input\_vpc\_id) | ID of the VPC instance where this cluster will be provisioned | `string` | n/a | yes |
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
index 39337005..2755b033 100644
--- a/modules/fscloud/main.tf
+++ b/modules/fscloud/main.tf
@@ -34,4 +34,5 @@ module "fscloud" {
additional_vpe_security_group_ids = var.additional_vpe_security_group_ids
cbr_rules = var.cbr_rules
enable_ocp_console = var.enable_ocp_console
+ skip_cluster_apikey_creation = var.skip_cluster_apikey_creation
}
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
index 7874a651..8224bde4 100644
--- a/modules/fscloud/variables.tf
+++ b/modules/fscloud/variables.tf
@@ -287,3 +287,9 @@ variable "enable_ocp_console" {
type = bool
default = true
}
+
+variable "skip_cluster_apikey_creation" {
+ type = bool
+ description = "Set to true to skip explicit creation of the `containers-kubernetes-key` for the given region and resource group. You can set this to false if you plan to manually create this key, or if you want to allow the cluster creation process to create it. Please be aware that it may take multiple apply attempts when allowing the cluster creation process to create it it before it will be successful."
+ default = false
+}
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 44f4e13d..6857dd94 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -239,6 +239,7 @@ module "ocp_base" {
existing_secrets_manager_instance_crn = var.existing_secrets_manager_instance_crn
secrets_manager_secret_group_id = var.secrets_manager_secret_group_id != null ? var.secrets_manager_secret_group_id : (var.enable_secrets_manager_integration ? module.secret_group[0].secret_group_id : null)
skip_ocp_secrets_manager_iam_auth_policy = var.skip_ocp_secrets_manager_iam_auth_policy
+ skip_cluster_apikey_creation = var.skip_cluster_apikey_creation
}
module "existing_secrets_manager_instance_parser" {
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index c5710c9c..3633a88c 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -601,3 +601,9 @@ variable "audit_webhook_listener_image_tag_digest" {
description = "The tag or digest for the audit webhook listener image to deploy. If changing the value, ensure it is compatible with `audit_webhook_listener_image`."
default = "deaabcb8225e800385413ba420cf3f819d3b0671@sha256:acf123f4dba63534cbc104c6886abedff9d25a22a34ab7b549ede988ed6e7144"
}
+
+variable "skip_cluster_apikey_creation" {
+ type = bool
+ description = "To skip resetting the `containers-kubernetes-key` for the given region and resource group."
+ default = false
+}
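Review bot: This copy of `skip_cluster_apikey_creation` describes the variable as skipping a reset, while the copies in `variables.tf`, `modules/fscloud/variables.tf` and `solutions/quickstart/variables.tf` describe it as skipping "explicit creation" and carry the multi-apply caveat; the four descriptions should be a single agreed text, since this one is what the fully-configurable deployable architecture surfaces to users. This wording is the one that matches `main.tf`, where the gated resource is `ibm_container_api_key_reset`, so I would start from it and add the caveat: `description = "Set to true to skip resetting the `containers-kubernetes-key` API key for the given region and resource group, for example when the key already exists or is managed outside this module. When false, the key is reset on apply, and cluster creation may need more than one apply before it succeeds."`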
diff --git a/solutions/quickstart/main.tf b/solutions/quickstart/main.tf
index 2a2c891a..a057fec9 100644
--- a/solutions/quickstart/main.tf
+++ b/solutions/quickstart/main.tf
@@ -144,4 +144,5 @@ module "ocp_base" {
access_tags = var.access_tags
disable_public_endpoint = !var.allow_public_access_to_cluster_management
cluster_config_endpoint_type = "default"
+ skip_cluster_apikey_creation = var.skip_cluster_apikey_creation
}
diff --git a/solutions/quickstart/variables.tf b/solutions/quickstart/variables.tf
index cc4dfd24..3d2a03ac 100644
--- a/solutions/quickstart/variables.tf
+++ b/solutions/quickstart/variables.tf
@@ -102,3 +102,9 @@ variable "allow_outbound_traffic" {
description = "Set to true to allow public outbound access from the cluster workers."
default = true
}
+
+variable "skip_cluster_apikey_creation" {
+ type = bool
+ description = "Set to true to skip explicit creation of the `containers-kubernetes-key` for the given region and resource group. You can set this to false if you plan to manually create this key, or if you want to allow the cluster creation process to create it. Please be aware that it may take multiple apply attempts when allowing the cluster creation process to create it it before it will be successful."
+ default = false
+}
diff --git a/variables.tf b/variables.tf
index 500c25bc..323bb4e5 100644
--- a/variables.tf
+++ b/variables.tf
@@ -466,3 +466,9 @@ variable "skip_ocp_secrets_manager_iam_auth_policy" {
description = "To skip creating auth policy that allows OCP cluster 'Manager' role access in the existing Secrets Manager instance for managing ingress certificates."
default = false
}
+
+variable "skip_cluster_apikey_creation" {
+ type = bool
+ description = "Set to true to skip explicit creation of the `containers-kubernetes-key` for the given region and resource group. You can set this to false if you plan to manually create this key, or if you want to allow the cluster creation process to create it. Please be aware that it may take multiple apply attempts when allowing the cluster creation process to create it it before it will be successful."
+ default = false
+}
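Review bot: The description on the new variable is inverted: it says "You can set this to false if you plan to manually create this key", but with the wiring in `main.tf` (`count = var.skip_cluster_apikey_creation ? 0 : 1`) the value that skips the module's own handling of the key is `true`, so a user following this text would get the opposite of what they intend. It also calls the operation "explicit creation" although the gated resource is `ibm_container_api_key_reset`, which resets the existing `containers-kubernetes-key` rather than only creating a missing one, and it has the duplicated word "it it". Suggested text: `description = "Set to true to skip resetting the `containers-kubernetes-key` API key for the given region and resource group, for example when the key already exists or is managed outside this module. When false (the default), the module resets the key on apply, and cluster creation may need more than one apply before it succeeds."` The same description is repeated in `modules/fscloud/variables.tf`, `solutions/quickstart/variables.tf` and both README tables, so the fix should be applied to each copy.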