feat: added ROKS Quickstart pattern (#716)

toddgiguere · vburckhardt · ocofaigh · web-flow · commit 28d91581703d · 2024-02-28T13:53:06.000Z
---------

Co-authored-by: Vincent Burckhardt &lt;vincent.burckhardt@ie.ibm.com&gt;
Co-authored-by: Conall Ó Cofaigh &lt;ocofaigh@ie.ibm.com&gt;
diff --git a/README.md b/README.md
@@ -901,7 +901,7 @@ module "cluster_pattern" {
 |------|-------------|------|---------|:--------:|
 | <a name="input_appid"></a> [appid](#input\_appid) | The App ID instance to be used for the teleport vsi deployments | <pre>object({<br>    name           = optional(string)<br>    resource_group = optional(string)<br>    use_data       = optional(bool)<br>    keys           = optional(list(string))<br>    use_appid      = bool<br>  })</pre> | <pre>{<br>  "use_appid": false<br>}</pre> | no |
 | <a name="input_atracker"></a> [atracker](#input\_atracker) | atracker variables | <pre>object({<br>    resource_group        = string<br>    receive_global_events = bool<br>    collector_bucket_name = string<br>    add_route             = bool<br>  })</pre> | n/a | yes |
-| <a name="input_clusters"></a> [clusters](#input\_clusters) | A list describing clusters workloads to create | <pre>list(<br>    object({<br>      name                 = string           # Name of Cluster<br>      vpc_name             = string           # Name of VPC<br>      subnet_names         = list(string)     # List of vpc subnets for cluster<br>      workers_per_subnet   = number           # Worker nodes per subnet.<br>      machine_type         = string           # Worker node flavor<br>      kube_type            = string           # iks or openshift<br>      kube_version         = optional(string) # Can be a version from `ibmcloud ks versions` or `default`<br>      entitlement          = optional(string) # entitlement option for openshift<br>      secondary_storage    = optional(string) # Secondary storage type<br>      pod_subnet           = optional(string) # Portable subnet for pods<br>      service_subnet       = optional(string) # Portable subnet for services<br>      resource_group       = string           # Resource Group used for cluster<br>      cos_name             = optional(string) # Name of COS instance Required only for OpenShift clusters<br>      access_tags          = optional(list(string), [])<br>      boot_volume_crk_name = optional(string) # Boot volume encryption key name<br>      kms_config = optional(<br>        object({<br>          crk_name         = string         # Name of key<br>          private_endpoint = optional(bool) # Private endpoint<br>        })<br>      )<br>      worker_pools = optional(<br>        list(<br>          object({<br>            name                 = string           # Worker pool name<br>            vpc_name             = string           # VPC name<br>            workers_per_subnet   = number           # Worker nodes per subnet<br>            flavor               = string           # Worker node flavor<br>            subnet_names         = list(string)     # List of vpc subnets for worker pool<br>            entitlement          = optional(string) # entitlement option for openshift<br>            secondary_storage    = optional(string) # Secondary storage type<br>            boot_volume_crk_name = optional(string) # Boot volume encryption key name<br>          })<br>        )<br>      )<br>    })<br>  )</pre> | n/a | yes |
+| <a name="input_clusters"></a> [clusters](#input\_clusters) | A list describing clusters workloads to create | <pre>list(<br>    object({<br>      name                    = string           # Name of Cluster<br>      vpc_name                = string           # Name of VPC<br>      subnet_names            = list(string)     # List of vpc subnets for cluster<br>      workers_per_subnet      = number           # Worker nodes per subnet.<br>      machine_type            = string           # Worker node flavor<br>      kube_type               = string           # iks or openshift<br>      kube_version            = optional(string) # Can be a version from `ibmcloud ks versions` or `default`<br>      entitlement             = optional(string) # entitlement option for openshift<br>      secondary_storage       = optional(string) # Secondary storage type<br>      pod_subnet              = optional(string) # Portable subnet for pods<br>      service_subnet          = optional(string) # Portable subnet for services<br>      resource_group          = string           # Resource Group used for cluster<br>      cos_name                = optional(string) # Name of COS instance Required only for OpenShift clusters<br>      access_tags             = optional(list(string), [])<br>      boot_volume_crk_name    = optional(string)     # Boot volume encryption key name<br>      disable_public_endpoint = optional(bool, true) # disable cluster public, leaving only private endpoint<br>      kms_config = optional(<br>        object({<br>          crk_name         = string         # Name of key<br>          private_endpoint = optional(bool) # Private endpoint<br>        })<br>      )<br>      worker_pools = optional(<br>        list(<br>          object({<br>            name                 = string           # Worker pool name<br>            vpc_name             = string           # VPC name<br>            workers_per_subnet   = number           # Worker nodes per subnet<br>            flavor               = string           # Worker node flavor<br>            subnet_names         = list(string)     # List of vpc subnets for worker pool<br>            entitlement          = optional(string) # entitlement option for openshift<br>            secondary_storage    = optional(string) # Secondary storage type<br>            boot_volume_crk_name = optional(string) # Boot volume encryption key name<br>          })<br>        )<br>      )<br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_cos"></a> [cos](#input\_cos) | Object describing the cloud object storage instance, buckets, and keys. Set `use_data` to false to create instance | <pre>list(<br>    object({<br>      name           = string<br>      use_data       = optional(bool)<br>      resource_group = string<br>      plan           = optional(string)<br>      random_suffix  = optional(bool) # Use a random suffix for COS instance<br>      access_tags    = optional(list(string), [])<br>      buckets = list(object({<br>        name                  = string<br>        storage_class         = string<br>        endpoint_type         = string<br>        force_delete          = bool<br>        single_site_location  = optional(string)<br>        region_location       = optional(string)<br>        cross_region_location = optional(string)<br>        kms_key               = optional(string)<br>        access_tags           = optional(list(string), [])<br>        allowed_ip            = optional(list(string))<br>        hard_quota            = optional(number)<br>        archive_rule = optional(object({<br>          days    = number<br>          enable  = bool<br>          rule_id = optional(string)<br>          type    = string<br>        }))<br>        expire_rule = optional(object({<br>          days                         = optional(number)<br>          date                         = optional(string)<br>          enable                       = bool<br>          expired_object_delete_marker = optional(string)<br>          prefix                       = optional(string)<br>          rule_id                      = optional(string)<br>        }))<br>        activity_tracking = optional(object({<br>          activity_tracker_crn = string<br>          read_data_events     = bool<br>          write_data_events    = bool<br>        }))<br>        metrics_monitoring = optional(object({<br>          metrics_monitoring_crn  = string<br>          request_metrics_enabled = optional(bool)<br>          usage_metrics_enabled   = optional(bool)<br>        }))<br>      }))<br>      keys = optional(<br>        list(object({<br>          name        = string<br>          role        = string<br>          enable_HMAC = bool<br>        }))<br>      )<br><br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_enable_transit_gateway"></a> [enable\_transit\_gateway](#input\_enable\_transit\_gateway) | Create transit gateway | `bool` | `true` | no |
 | <a name="input_f5_template_data"></a> [f5\_template\_data](#input\_f5\_template\_data) | Data for all f5 templates | <pre>object({<br>    tmos_admin_password     = optional(string)<br>    license_type            = optional(string)<br>    byol_license_basekey    = optional(string)<br>    license_host            = optional(string)<br>    license_username        = optional(string)<br>    license_password        = optional(string)<br>    license_pool            = optional(string)<br>    license_sku_keyword_1   = optional(string)<br>    license_sku_keyword_2   = optional(string)<br>    license_unit_of_measure = optional(string)<br>    do_declaration_url      = optional(string)<br>    as3_declaration_url     = optional(string)<br>    ts_declaration_url      = optional(string)<br>    phone_home_url          = optional(string)<br>    template_source         = optional(string)<br>    template_version        = optional(string)<br>    app_id                  = optional(string)<br>    tgactive_url            = optional(string)<br>    tgstandby_url           = optional(string)<br>    tgrefresh_url           = optional(string)<br>  })</pre> | <pre>{<br>  "license_type": "none"<br>}</pre> | no |
diff --git a/cluster.tf b/cluster.tf
@@ -80,7 +80,7 @@ resource "ibm_container_vpc_cluster" "cluster" {
     }
   }
 
-  disable_public_service_endpoint = true
+  disable_public_service_endpoint = coalesce(each.value.disable_public_endpoint, true) # disable if not set or null
 
   timeouts {
     create = "3h"
diff --git a/patterns/roks-quickstart/README.md b/patterns/roks-quickstart/README.md
@@ -0,0 +1,12 @@
+# Red Hat OpenShift Container Platform on VPC landing zone (QuickStart pattern)
+
+This pattern deploys the following infrastructure:
+
+- Management VPC with one subnet, allow-all ACL and Security Group
+- Workload VPC with two subnets, in two zones, allow-all ACL and Security Group
+- Transit Gateway connecting VPCs
+- One ROKS cluster in workload VPC with two worker nodes, public endpoint enabled
+- Key Protect for cluster encryption keys
+- Cloud Object Storage instance (required for cluster)
+
+**Important:** This pattern helps you get started quickly, but is not highly available or validated for the IBM Cloud Framework for Financial Services.
diff --git a/patterns/roks-quickstart/main.tf b/patterns/roks-quickstart/main.tf
@@ -0,0 +1,255 @@
+##############################################################################
+# QuickStart VSI Landing Zone
+##############################################################################
+
+locals {
+  default_ocp_version = "${data.ibm_container_cluster_versions.cluster_versions.default_openshift_version}_openshift"
+  ocp_version         = var.kube_version == null || var.kube_version == "default" ? local.default_ocp_version : "${var.kube_version}_openshift"
+}
+
+data "ibm_container_cluster_versions" "cluster_versions" {
+}
+
+module "landing_zone" {
+  source               = "../roks/module"
+  prefix               = var.prefix
+  region               = var.region
+  override_json_string = local.override_string
+  tags                 = var.resource_tags
+}
+
+locals {
+  override_string = <<EOF
+{
+   "atracker": {
+      "collector_bucket_name": "",
+      "receive_global_events": false,
+      "resource_group": "",
+      "add_route": false
+   },
+   "clusters": [
+      {
+         "boot_volume_crk_name": "slz-vsi-volume-key",
+         "cos_name": "cos",
+         "kms_config": null,
+         "kube_type": "openshift",
+         "kube_version": "${local.ocp_version}",
+         "machine_type": "${var.flavor}",
+         "name": "workload-cluster",
+         "resource_group": "workload-rg",
+         "kms_config": {
+            "crk_name": "roks-key",
+            "private_endpoint": true
+         },
+         "subnet_names": [
+               "vsi-zone-1",
+               "vsi-zone-2"
+         ],
+         "vpc_name": "workload",
+         "worker_pools": [],
+         "workers_per_subnet": 1,
+         "entitlement": "cloud_pak",
+         "disable_public_endpoint": false
+      }
+   ],
+   "cos": [
+      {
+         "access_tags": [],
+         "buckets": [],
+         "keys": [],
+         "name": "cos",
+         "plan": "standard",
+         "random_suffix": true,
+         "resource_group": "service-rg",
+         "use_data": false
+      }
+   ],
+   "enable_transit_gateway": true,
+   "transit_gateway_global": false,
+   "key_management": {
+      "keys": [
+         {
+            "key_ring": "slz-ring",
+            "name": "slz-vsi-volume-key",
+            "root_key": true,
+            "policies": {
+               "rotation": {
+                  "interval_month": 12
+               }
+            }
+         },
+         {
+            "key_ring": "slz-ring",
+            "name": "roks-key",
+            "policies": {
+               "rotation": {
+                  "interval_month": 12
+               }
+            },
+            "root_key": true
+         }
+      ],
+      "name": "slz-kms",
+      "resource_group": "service-rg",
+      "use_hs_crypto": false,
+      "use_data": false
+   },
+   "network_cidr": "10.0.0.0/8",
+   "resource_groups": [
+      {
+         "create": true,
+         "name": "service-rg",
+         "use_prefix": true
+      },
+      {
+         "create": true,
+         "name": "management-rg",
+         "use_prefix": true
+      },
+      {
+         "create": true,
+         "name": "workload-rg",
+         "use_prefix": true
+      }
+   ],
+   "security_groups": [],
+   "transit_gateway_connections": [
+      "management",
+      "workload"
+   ],
+   "transit_gateway_resource_group": "service-rg",
+   "virtual_private_endpoints": [],
+   "vpcs": [
+      {
+         "default_security_group_rules": [],
+         "clean_default_sg_acl": false,
+         "flow_logs_bucket_name": null,
+         "network_acls": [
+            {
+               "add_cluster_rules": false,
+               "name": "management-acl",
+               "rules": [
+                  {
+                     "name": "allow-ssh-inbound",
+                     "action": "allow",
+                     "direction": "inbound",
+                     "tcp": {
+                        "port_min": 22,
+                        "port_max": 22
+                     },
+                     "source": "0.0.0.0/0",
+                     "destination": "10.0.0.0/8"
+                  },
+                  {
+                     "action": "allow",
+                     "destination": "10.0.0.0/8",
+                     "direction": "inbound",
+                     "name": "allow-ibm-inbound",
+                     "source": "161.26.0.0/16"
+                  },
+                  {
+                     "action": "allow",
+                     "destination": "10.0.0.0/8",
+                     "direction": "inbound",
+                     "name": "allow-all-network-inbound",
+                     "source": "10.0.0.0/8"
+                  },
+                  {
+                     "action": "allow",
+                     "destination": "0.0.0.0/0",
+                     "direction": "outbound",
+                     "name": "allow-all-outbound",
+                     "source": "0.0.0.0/0"
+                  }
+               ]
+            }
+         ],
+         "prefix": "management",
+         "resource_group": "management-rg",
+         "subnets": {
+            "zone-1": [
+               {
+                  "acl_name": "management-acl",
+                  "cidr": "10.10.10.0/24",
+                  "name": "vsi-zone-1",
+                  "public_gateway": false
+               }
+            ],
+            "zone-2": [],
+            "zone-3": []
+         },
+         "use_public_gateways": {
+            "zone-1": false,
+            "zone-2": false,
+            "zone-3": false
+         },
+         "address_prefixes": {
+            "zone-1": [],
+            "zone-2": [],
+            "zone-3": []
+         }
+      },
+      {
+         "default_security_group_rules": [],
+         "clean_default_sg_acl": false,
+         "flow_logs_bucket_name": null,
+         "network_acls": [
+            {
+               "add_cluster_rules": false,
+               "name": "workload-acl",
+               "rules": [
+                  {
+                     "action": "allow",
+                     "destination": "0.0.0.0/0",
+                     "direction": "inbound",
+                     "name": "allow-all-network-inbound",
+                     "source": "0.0.0.0/0"
+                  },
+                  {
+                     "action": "allow",
+                     "destination": "0.0.0.0/0",
+                     "direction": "outbound",
+                     "name": "allow-all-outbound",
+                     "source": "0.0.0.0/0"
+                  }
+               ]
+            }
+         ],
+         "prefix": "workload",
+         "resource_group": "workload-rg",
+         "subnets": {
+            "zone-1": [
+               {
+                  "acl_name": "workload-acl",
+                  "cidr": "10.40.10.0/24",
+                  "name": "vsi-zone-1",
+                  "public_gateway": true
+               }
+            ],
+            "zone-2": [
+               {
+                  "acl_name": "workload-acl",
+                  "cidr": "10.50.10.0/24",
+                  "name": "vsi-zone-2",
+                  "public_gateway": true
+               }
+            ],
+            "zone-3": []
+         },
+         "use_public_gateways": {
+            "zone-1": true,
+            "zone-2": true,
+            "zone-3": false
+         },
+         "address_prefixes": {
+            "zone-1": [],
+            "zone-2": [],
+            "zone-3": []
+         }
+      }
+   ],
+   "vpn_gateways": []
+}
+EOF
+
+}
diff --git a/patterns/roks-quickstart/outputs.tf b/patterns/roks-quickstart/outputs.tf
@@ -0,0 +1,8 @@
+##############################################################################
+# Output Variables
+##############################################################################
+
+output "config" {
+  description = "Output configuration as encoded JSON"
+  value       = module.landing_zone.config
+}
diff --git a/patterns/roks-quickstart/provider.tf b/patterns/roks-quickstart/provider.tf
@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}
diff --git a/patterns/roks-quickstart/variables.tf b/patterns/roks-quickstart/variables.tf
@@ -0,0 +1,44 @@
+##############################################################################
+# Account Variables
+##############################################################################
+
+variable "ibmcloud_api_key" {
+  description = "The IBM Cloud platform API key needed to deploy IAM enabled resources."
+  type        = string
+  sensitive   = true
+}
+
+variable "prefix" {
+  description = "A unique identifier for resources. Must begin with a lowercase letter and end with a lowercase letter or number. This prefix will be prepended to any resources provisioned by this template. Prefixes must be 13 or fewer characters."
+  type        = string
+  default     = "land-zone-roks-qs"
+
+  validation {
+    error_message = "Prefix must begin with a letter and contain only lowercase letters, numbers, and - characters. Prefixes must end with a lowercase letter or number and be 13 or fewer characters."
+    condition     = can(regex("^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$", var.prefix)) && length(var.prefix) <= 13
+  }
+}
+
+variable "region" {
+  description = "Region where VPC will be created. To find your VPC region, use `ibmcloud is regions` command to find available regions."
+  type        = string
+  default     = "us-south"
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
+}
+
+variable "kube_version" {
+  description = "Kubernetes version to use for cluster. To get available versions, use the IBM Cloud CLI command `ibmcloud ks versions`. Also supports passing the string 'default' (current IKS default recommended version)."
+  type        = string
+  default     = "default"
+}
+
+variable "flavor" {
+  description = "Machine type for cluster. Use the IBM Cloud CLI command `ibmcloud ks flavors` to find valid machine types"
+  type        = string
+  default     = "bx2.4x16"
+}
diff --git a/patterns/roks-quickstart/version.tf b/patterns/roks-quickstart/version.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3, < 1.6"
+  required_providers {
+    # renovate is set up to keep provider version at the latest for all DA solutions
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = "1.62.0"
+    }
+  }
+}
diff --git a/tests/pr_test.go b/tests/pr_test.go
diff --git a/variables.tf b/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ resource "ibm_container_vpc_cluster" "cluster" {`
`80`	`80`	`}`
`81`	`81`	`}`
`82`	`82`
`83`		`- disable_public_service_endpoint = true`
	`83`	`+ disable_public_service_endpoint = coalesce(each.value.disable_public_endpoint, true) # disable if not set or null`
`84`	`84`
`85`	`85`	`timeouts {`
`86`	`86`	`create = "3h"`