feat: restrict cluster base domain

Author: ludwig-mueller

reference-architectures/standard-openshift/deploy-arch-ibm-pvs-inf-standard-openshift.md

@@ -102,7 +102,7 @@ Once the landing zone components are deployed, this architecture leverages the [
 | Requirement | Component | Choice | Alternative choice |
 |-------------|-----------|--------|--------------------|
 |* Deploy PowerVS instances for Bootstrap (temporary), Master, and Worker nodes. | PowerVS instances | The customer can specify the number of master and worker nodes and customize their compute profiles. |
-|* Modify the DNS Service instance to correctly resolve the cluster API | DNS Service instance | Add CNAME entries to DNS zone to resolve internal and external cluster APIs. |
+|* Modify the DNS Service instance to correctly resolve the cluster API | DNS Service instance | Add CNAME entries to DNS zone to resolve internal and external cluster APIs. Only support .test, .example, .invalid domains to prevent public resolution. |
 |* Application Load Balancers to establish connectivity to the cluster API. | Three Application Load Balancers | One for internal API, one for external api, and one for the applications deployed in the cluster. |
 |* Use DHCP to dynamically assign IP addresses to the nodes | DHCP Subnet in PowerVS | Machine network dynamically assigns IP addresses to the nodes. |
 |* Modify security groups to allow network traffic to API. | Default Security Group | The default security group is attached to the load balancers and configured so the required network traffic is able to pass. |

solutions/standard-openshift/README.md

@@ -72,7 +72,7 @@ This example sets up an OpenShift Cluster on PowerVS following infrastructure:
 | <a name="input_IC_SCHEMATICS_WORKSPACE_ID"></a> [IC\_SCHEMATICS\_WORKSPACE\_ID](#input\_IC\_SCHEMATICS\_WORKSPACE\_ID) | leave blank if running locally. This variable will be automatically populated if running from an IBM Cloud Schematics workspace | `string` | `""` | no |
 | <a name="input_ansible_vault_password"></a> [ansible\_vault\_password](#input\_ansible\_vault\_password) | Vault password to encrypt ansible playbooks that contain sensitive information. Password requirements: 15-100 characters and at least one uppercase letter, one lowercase letter, one number, and one special character. Allowed characters: A-Z, a-z, 0-9, !#$%&()*+-.:;<=>?@[]\_{\|}~. | `string` | n/a | yes |
 | <a name="input_client_to_site_vpn"></a> [client\_to\_site\_vpn](#input\_client\_to\_site\_vpn) | VPN configuration - the client ip pool and list of users email ids to access the environment. If enabled, then a Secret Manager instance is also provisioned with certificates generated. See optional parameters to reuse an existing Secrets manager instance. | <pre>object({<br/>    enable                        = bool<br/>    client_ip_pool                = string<br/>    vpn_client_access_group_users = list(string)<br/>  })</pre> | <pre>{<br/>  "client_ip_pool": "192.168.0.0/16",<br/>  "enable": true,<br/>  "vpn_client_access_group_users": []<br/>}</pre> | no |
-| <a name="input_cluster_base_domain"></a> [cluster\_base\_domain](#input\_cluster\_base\_domain) | The base domain name that will be used by the cluster. (ie: example.com) | `string` | n/a | yes |
+| <a name="input_cluster_base_domain"></a> [cluster\_base\_domain](#input\_cluster\_base\_domain) | The base domain name that will be used by the cluster. Only .test, .example, and .invalid domains are supported (ie: domain.example). | `string` | n/a | yes |
 | <a name="input_cluster_master_node_config"></a> [cluster\_master\_node\_config](#input\_cluster\_master\_node\_config) | Configuration for the master nodes of the OpenShift cluster, including CPU, system type, processor type, and replica count. If system\_type is null, it's chosen based on whether it's supported in the region. This can be overwritten by passing a value, e.g. 's1022' or 's922'. Memory is in GB. | <pre>object({<br/>    processors  = number<br/>    memory      = number<br/>    system_type = string<br/>    proc_type   = string<br/>    replicas    = number<br/>  })</pre> | <pre>{<br/>  "memory": 32,<br/>  "proc_type": "Shared",<br/>  "processors": 4,<br/>  "replicas": 3,<br/>  "system_type": null<br/>}</pre> | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name of the cluster and a unique identifier used as prefix for resources. Must begin with a lowercase letter and end with a lowercase letter or number. Must contain only lowercase letters, numbers, and - characters. This prefix will be prepended to any resources provisioned by this template. Prefixes must be 16 or fewer characters. | `string` | n/a | yes |
 | <a name="input_cluster_network_config"></a> [cluster\_network\_config](#input\_cluster\_network\_config) | Configuration object for the OpenShift cluster and service network CIDRs. | <pre>object({<br/>    cluster_network_cidr         = string<br/>    cluster_service_network_cidr = string<br/>    cluster_machine_network_cidr = string<br/>  })</pre> | <pre>{<br/>  "cluster_machine_network_cidr": "10.72.0.0/24",<br/>  "cluster_network_cidr": "10.128.0.0/14",<br/>  "cluster_service_network_cidr": "10.67.0.0/16"<br/>}</pre> | no |

solutions/standard-openshift/variables.tf

@@ -48,8 +48,13 @@ variable "ansible_vault_password" {
 }
 
 variable "cluster_base_domain" {
-  description = "The base domain name that will be used by the cluster. (ie: example.com)"
+  description = "The base domain name that will be used by the cluster. Only .test, .example, and .invalid domains are supported (ie: domain.example)."
   type        = string
+
+  validation {
+    condition     = endswith(var.cluster_base_domain, ".test") || endswith(var.cluster_base_domain, ".example") || endswith(var.cluster_base_domain, ".invalid")
+    error_message = "value"
+  }
 }
 
 #####################################################