terraform-ibm-modules · ocofaigh · Oct 24, 2025 · Oct 23, 2025 · Oct 23, 2025 · Oct 23, 2025
@@ -363,6 +363,7 @@ Optionally, you need the following permissions to attach Access Management tags
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The ID of an existing IBM Cloud resource group where the cluster is grouped. | `string` | n/a | yes |
 | <a name="input_secrets_manager_secret_group_id"></a> [secrets\_manager\_secret\_group\_id](#input\_secrets\_manager\_secret\_group\_id) | Secret group ID where Ingress secrets are stored in the Secrets Manager instance. | `string` | `null` | no |
 | <a name="input_service_subnet_cidr"></a> [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
+| <a name="input_skip_api_key_reset"></a> [skip\_api\_key\_reset](#input\_skip\_api\_key\_reset) | To skip resetting the `containers-kubernetes-key` for the given region and resource group. | `bool` | `false` | no |
 | <a name="input_skip_ocp_secrets_manager_iam_auth_policy"></a> [skip\_ocp\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_ocp\_secrets\_manager\_iam\_auth\_policy) | To skip creating auth policy that allows OCP cluster 'Manager' role access in the existing Secrets Manager instance for managing ingress certificates. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Metadata labels describing this cluster deployment, i.e. test | `list(string)` | `[]` | no |
 | <a name="input_use_existing_cos"></a> [use\_existing\_cos](#input\_use\_existing\_cos) | Flag indicating whether or not to use an existing COS instance for OpenShift internal registry storage. Only applicable if 'enable\_registry\_storage' is true | `bool` | `false` | no |

@@ -927,6 +927,10 @@
               "key": "skip_ocp_secrets_manager_iam_auth_policy",
               "hidden": true
             },
+            {
+              "key": "skip_api_key_reset",
+              "hidden": true
+            },
             {
               "key": "subnets",
               "default_value": "{\n    zone-1 = [\n      {\n        name           = \"subnet-a\"\n        cidr           = \"10.10.10.0/24\"\n        public_gateway = true\n        acl_name       = \"vpc-acl\"\n        no_addr_prefix = false\n      }\n    ],\n    zone-2 = [\n      {\n        name           = \"subnet-b\"\n        cidr           = \"10.20.10.0/24\"\n        public_gateway = true\n        acl_name       = \"vpc-acl\"\n        no_addr_prefix = false\n      }\n    ],\n    zone-3 = [\n      {\n        name           = \"subnet-c\"\n        cidr           = \"10.30.10.0/24\"\n        public_gateway = true\n        acl_name       = \"vpc-acl\"\n        no_addr_prefix = false\n      }\n    ]\n  }",
@@ -1517,6 +1521,10 @@
               "key": "address_prefix",
               "hidden": true
             },
+            {
+              "key": "skip_api_key_reset",
+              "hidden": true
+            },
             {
               "key": "ocp_entitlement"
             },

@@ -442,11 +442,13 @@ resource "ibm_resource_tag" "cluster_access_tag" {
 # Enhancement Request: Add support to skip API key reset if a valid key already exists (https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6468).
 
 resource "ibm_container_api_key_reset" "reset_api_key" {
+  count             = var.skip_api_key_reset ? 0 : 1
   region            = var.region
   resource_group_id = var.resource_group_id
 }
 
 resource "time_sleep" "wait_for_reset_api_key" {
+  count           = var.skip_api_key_reset ? 0 : 1
   depends_on      = [ibm_container_api_key_reset.reset_api_key]
   create_duration = "10s"
 }

@@ -135,6 +135,7 @@ No resources.
 | <a name="input_region"></a> [region](#input\_region) | The IBM Cloud region where the cluster will be provisioned. | `string` | n/a | yes |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The Id of an existing IBM Cloud resource group where the cluster will be grouped. | `string` | n/a | yes |
 | <a name="input_service_subnet_cidr"></a> [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
+| <a name="input_skip_api_key_reset"></a> [skip\_api\_key\_reset](#input\_skip\_api\_key\_reset) | To skip resetting the `containers-kubernetes-key` for the given region and resource group. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Metadata labels describing this cluster deployment | `list(string)` | `[]` | no |
 | <a name="input_verify_worker_network_readiness"></a> [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC instance where this cluster will be provisioned | `string` | n/a | yes |

@@ -34,4 +34,5 @@ module "fscloud" {
   additional_vpe_security_group_ids     = var.additional_vpe_security_group_ids
   cbr_rules                             = var.cbr_rules
   enable_ocp_console                    = var.enable_ocp_console
+  skip_api_key_reset                    = var.skip_api_key_reset
 }
@@ -287,3 +287,9 @@ variable "enable_ocp_console" {
   type        = bool
   default     = true
 }
+
+variable "skip_api_key_reset" {
+  type        = bool
+  description = "To skip resetting the `containers-kubernetes-key` for the given region and resource group."
+  default     = false
+}
@@ -239,6 +239,7 @@ module "ocp_base" {
   existing_secrets_manager_instance_crn    = var.existing_secrets_manager_instance_crn
   secrets_manager_secret_group_id          = var.secrets_manager_secret_group_id != null ? var.secrets_manager_secret_group_id : (var.enable_secrets_manager_integration ? module.secret_group[0].secret_group_id : null)
   skip_ocp_secrets_manager_iam_auth_policy = var.skip_ocp_secrets_manager_iam_auth_policy
+  skip_api_key_reset                       = var.skip_api_key_reset
 }
 
 module "existing_secrets_manager_instance_parser" {

@@ -601,3 +601,9 @@ variable "audit_webhook_listener_image_tag_digest" {
   description = "The tag or digest for the audit webhook listener image to deploy. If changing the value, ensure it is compatible with `audit_webhook_listener_image`."
   default     = "deaabcb8225e800385413ba420cf3f819d3b0671@sha256:acf123f4dba63534cbc104c6886abedff9d25a22a34ab7b549ede988ed6e7144"
 }
+
+variable "skip_api_key_reset" {
+  type        = bool
+  description = "To skip resetting the `containers-kubernetes-key` for the given region and resource group."
+  default     = false
+}
@@ -144,4 +144,5 @@ module "ocp_base" {
   access_tags                         = var.access_tags
   disable_public_endpoint             = !var.allow_public_access_to_cluster_management
   cluster_config_endpoint_type        = "default"
+  skip_api_key_reset                  = var.skip_api_key_reset
 }
@@ -102,3 +102,9 @@ variable "allow_outbound_traffic" {
   description = "Set to true to allow public outbound access from the cluster workers."
   default     = true
 }
+
+variable "skip_api_key_reset" {
+  type        = bool
+  description = "To skip resetting the `containers-kubernetes-key` for the given region and resource group."
+  default     = false
+}
@@ -466,3 +466,9 @@ variable "skip_ocp_secrets_manager_iam_auth_policy" {
   description = "To skip creating auth policy that allows OCP cluster 'Manager' role access in the existing Secrets Manager instance for managing ingress certificates."
   default     = false
 }
+
+variable "skip_api_key_reset" {
+  type        = bool
+  description = "To skip resetting the `containers-kubernetes-key` for the given region and resource group."
+  default     = false
+}