Merged
Changes from 4 commits
Expand Up @@ -102,7 +102,7 @@ Once the landing zone components are deployed, this architecture leverages the [
| Requirement | Component | Choice | Alternative choice |
|-------------|-----------|--------|--------------------|
|* Deploy PowerVS instances for Bootstrap (temporary), Master, and Worker nodes. | PowerVS instances | The customer can specify the number of master and worker nodes and customize their compute profiles. |
|* Modify the DNS Service instance to correctly resolve the cluster API | DNS Service instance | Add CNAME entries to DNS zone to resolve internal and external cluster APIs. |
|* Modify the DNS Service instance to correctly resolve the cluster API | DNS Service instance | Add CNAME entries to DNS zone to resolve internal and external cluster APIs. Only support .test, .example, .invalid domains to prevent public resolution. |
|* Application Load Balancers to establish connectivity to the cluster API. | Three Application Load Balancers | One for internal API, one for external api, and one for the applications deployed in the cluster. |
|* Use DHCP to dynamically assign IP addresses to the nodes | DHCP Subnet in PowerVS | Machine network dynamically assigns IP addresses to the nodes. |
|* Modify security groups to allow network traffic to API. | Default Security Group | The default security group is attached to the load balancers and configured so the required network traffic is able to pass. |
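Review bot: the sentence added to the DNS row, "Only support .test, .example, .invalid domains to prevent public resolution.", is a fragment and does not say why those suffixes. Suggest "Only base domains ending in .test, .example or .invalid are accepted; these TLDs are reserved by RFC 2606, so the CNAME records added here can never collide with, or be resolved through, public DNS." While touching this row, note that the table declares an "Alternative choice" column but every row stops after the "Choice" cell, so the fourth column renders empty.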
2 changes: 1 addition & 1 deletion solutions/standard-openshift/README.md
Expand Up @@ -72,7 +72,7 @@ This example sets up an OpenShift Cluster on PowerVS following infrastructure:
| <a name="input_IC_SCHEMATICS_WORKSPACE_ID"></a> [IC\_SCHEMATICS\_WORKSPACE\_ID](#input\_IC\_SCHEMATICS\_WORKSPACE\_ID) | leave blank if running locally. This variable will be automatically populated if running from an IBM Cloud Schematics workspace | `string` | `""` | no |
| <a name="input_ansible_vault_password"></a> [ansible\_vault\_password](#input\_ansible\_vault\_password) | Vault password to encrypt ansible playbooks that contain sensitive information. Password requirements: 15-100 characters and at least one uppercase letter, one lowercase letter, one number, and one special character. Allowed characters: A-Z, a-z, 0-9, !#$%&()*+-.:;<=>?@[]\_{\|}~. | `string` | n/a | yes |
| <a name="input_client_to_site_vpn"></a> [client\_to\_site\_vpn](#input\_client\_to\_site\_vpn) | VPN configuration - the client ip pool and list of users email ids to access the environment. If enabled, then a Secret Manager instance is also provisioned with certificates generated. See optional parameters to reuse an existing Secrets manager instance. | <pre>object({<br/> enable = bool<br/> client_ip_pool = string<br/> vpn_client_access_group_users = list(string)<br/> })</pre> | <pre>{<br/> "client_ip_pool": "192.168.0.0/16",<br/> "enable": true,<br/> "vpn_client_access_group_users": []<br/>}</pre> | no |
| <a name="input_cluster_base_domain"></a> [cluster\_base\_domain](#input\_cluster\_base\_domain) | The base domain name that will be used by the cluster. (ie: example.com) | `string` | n/a | yes |
| <a name="input_cluster_base_domain"></a> [cluster\_base\_domain](#input\_cluster\_base\_domain) | The base domain name that will be used by the cluster. Only .test, .example, and .invalid domains are supported (ie: domain.example). | `string` | n/a | yes |
| <a name="input_cluster_master_node_config"></a> [cluster\_master\_node\_config](#input\_cluster\_master\_node\_config) | Configuration for the master nodes of the OpenShift cluster, including CPU, system type, processor type, and replica count. If system\_type is null, it's chosen based on whether it's supported in the region. This can be overwritten by passing a value, e.g. 's1022' or 's922'. Memory is in GB. | <pre>object({<br/> processors = number<br/> memory = number<br/> system_type = string<br/> proc_type = string<br/> replicas = number<br/> })</pre> | <pre>{<br/> "memory": 32,<br/> "proc_type": "Shared",<br/> "processors": 4,<br/> "replicas": 3,<br/> "system_type": null<br/>}</pre> | no |
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name of the cluster and a unique identifier used as prefix for resources. Must begin with a lowercase letter and end with a lowercase letter or number. Must contain only lowercase letters, numbers, and - characters. This prefix will be prepended to any resources provisioned by this template. Prefixes must be 16 or fewer characters. | `string` | n/a | yes |
| <a name="input_cluster_network_config"></a> [cluster\_network\_config](#input\_cluster\_network\_config) | Configuration object for the OpenShift cluster and service network CIDRs. | <pre>object({<br/> cluster_network_cidr = string<br/> cluster_service_network_cidr = string<br/> cluster_machine_network_cidr = string<br/> })</pre> | <pre>{<br/> "cluster_machine_network_cidr": "10.72.0.0/24",<br/> "cluster_network_cidr": "10.128.0.0/14",<br/> "cluster_service_network_cidr": "10.67.0.0/16"<br/>}</pre> | no |
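Review bot: in the cluster_base_domain description, "ie: domain.example" should be "e.g. domain.example", since it is one illustration rather than a definition. It would also help users to state that any other suffix is rejected at plan time by the variable validation, so the error they see is explained here rather than only in variables.tf. Since this table is generated from variables.tf, keep the two descriptions identical when editing.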
24 changes: 24 additions & 0 deletions solutions/standard-openshift/ansible/main.tf
Expand Up @@ -169,6 +169,18 @@ resource "terraform_data" "execute_playbooks" {
]
}

# Again replace the API Key in any logs where it may have been included in plain text
provisioner "remote-exec" {
inline = [
"if [ ! -z $IBMCLOUD_API_KEY ]; then",
" IBMCLOUD_API_KEY=\"${local.ibmcloud_api_key}\"",
" grep -RIl --devices=skip --exclude-dir='.ansible/' -- \"$IBMCLOUD_API_KEY\" \"/root\" | while IFS= read -r file; do",
" sed -i 's/'\"$IBMCLOUD_API_KEY\"'/***redacted***/g' \"$file\"",
" done",
"fi"
]
}

# print output of openshift installation if applicable, else do nothing
provisioner "remote-exec" {
inline = [
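Review bot: the guard `if [ ! -z $IBMCLOUD_API_KEY ]; then` tests the remote shell's environment before `IBMCLOUD_API_KEY="${local.ibmcloud_api_key}"` assigns it on the following line, so unless the SSH session already exports that variable the whole redaction block is skipped. Move the assignment above the `if` and quote the test (`[ -n "$IBMCLOUD_API_KEY" ]`). Two further caveats: `sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g'` uses the key as an unescaped, `/`-delimited regular expression, so a key containing `/` or regex metacharacters breaks or mis-matches the substitution; and the sweep is limited to `/root`, so anything the playbooks wrote under `/tmp` or `/var/log` keeps the key in clear text.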
Expand Down Expand Up @@ -273,6 +285,18 @@ resource "terraform_data" "execute_playbooks_with_vault" {
]
}

# Again replace the API Key in any logs where it may have been included in plain text
provisioner "remote-exec" {
inline = [
"if [ ! -z $IBMCLOUD_API_KEY ]; then",
" IBMCLOUD_API_KEY=\"${local.ibmcloud_api_key}\"",
" grep -RIl --devices=skip --exclude-dir='.ansible/' -- \"$IBMCLOUD_API_KEY\" \"/root\" | while IFS= read -r file; do",
" sed -i 's/'\"$IBMCLOUD_API_KEY\"'/***redacted***/g' \"$file\"",
" done",
"fi"
]
}

# Again delete Ansible Vault password used to encrypt the var
# files with sensitive information and private ssh key
provisioner "remote-exec" {
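Review bot: this block is identical to the one added to `execute_playbooks` above, including the same ordering defect: `if [ ! -z $IBMCLOUD_API_KEY ]` runs before `IBMCLOUD_API_KEY="${local.ibmcloud_api_key}"` assigns the value, so the redaction only happens if the remote environment already exports the key. Rather than fixing both copies, put the redaction in one templated script (the playbook scripts below already carry a copy) that both resources invoke, so the two cannot drift.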
Expand Up @@ -27,9 +27,21 @@ if [ $? -ne 0 ]; then
if [ -f /root/.powervs/config.json ]; then ansible-vault encrypt /root/.powervs/config.json --vault-password-file password_file; fi
rm -f password_file
rm -rf $${ansible_private_key_file}
# remove API Key from any logs where it may have been included in plain text
if [ ! -z $IBMCLOUD_API_KEY ]; then
grep -RIl --devices=skip --exclude-dir='.ansible/' -- "$IBMCLOUD_API_KEY" "/root" | while IFS= read -r file; do
sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g' "$file"
done
fi
exit 1
fi
echo \"Playbook command successful\"
rm -rf $${ansible_private_key_file}
if [ -f /root/.powervs/config.json ]; then ansible-vault encrypt /root/.powervs/config.json --vault-password-file password_file; fi
rm -f password_file
# remove API Key from any logs where it may have been included in plain text
if [ ! -z $IBMCLOUD_API_KEY ]; then
grep -RIl --devices=skip --exclude-dir='.ansible/' -- "$IBMCLOUD_API_KEY" "/root" | while IFS= read -r file; do
sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g' "$file"
done
fi
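Review bot: the redaction loop is pasted into both the failure branch (before `exit 1`) and the success branch; wrapping it in a shell function and registering it with `trap redact EXIT` runs it on every exit path, including one you did not anticipate, and removes the duplicate. Also quote the test, `[ -n "$IBMCLOUD_API_KEY" ]`, since the unquoted `[ ! -z $IBMCLOUD_API_KEY ]` only works by accident when the variable is empty, and escape the key before handing it to `sed`, whose `s/.../` pattern would break on a `/` in the value and treats regex metacharacters specially.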
Expand Up @@ -27,9 +27,23 @@ if [ $? -ne 0 ]; then
if [ -f /root/.powervs/config.json ]; then ansible-vault encrypt /root/.powervs/config.json --vault-password-file password_file; fi
rm -f password_file
rm -rf $${ansible_private_key_file}
# remove API Key from any logs where it may have been included in plain text
if [ ! -z $IBMCLOUD_API_KEY ]; then
grep -RIl --devices=skip --exclude-dir='.ansible/' -- "$IBMCLOUD_API_KEY" "/root" | while IFS= read -r file; do
sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g' "$file"
done
fi
exit 1
fi
echo \"Playbook command successful\"
rm -rf $${ansible_private_key_file}
if [ -f /root/.powervs/config.json ]; then ansible-vault encrypt /root/.powervs/config.json --vault-password-file password_file; fi
rm -f password_file

# remove API Key from any logs where it may have been included in plain text
if [ ! -z $IBMCLOUD_API_KEY ]; then
grep -RIl --devices=skip --exclude-dir='.ansible/' -- "$IBMCLOUD_API_KEY" "/root" | while IFS= read -r file; do
echo Replacing \"$IBMCLOUD_API_KEY\" in file \"$file\"
sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g' "$file"
done
fi
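Review bot: the line `echo Replacing "$IBMCLOUD_API_KEY" in file "$file"` prints the API key in clear text to the script's stdout, which the remote-exec provisioner streams into the Terraform run output (and into the Schematics workspace log), so this copy of the block re-creates the leak it is meant to remove. Print only the file path, e.g. `echo "Redacting API key in $file"`, or drop the echo so this copy matches the otherwise identical block in the first script above.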
7 changes: 6 additions & 1 deletion solutions/standard-openshift/variables.tf
Expand Up @@ -48,8 +48,13 @@ variable "ansible_vault_password" {
}

variable "cluster_base_domain" {
description = "The base domain name that will be used by the cluster. (ie: example.com)"
description = "The base domain name that will be used by the cluster. Only .test, .example, and .invalid domains are supported (ie: domain.example)."
type = string

validation {
condition = endswith(var.cluster_base_domain, ".test") || endswith(var.cluster_base_domain, ".example") || endswith(var.cluster_base_domain, ".invalid")
error_message = "value"
}
}

#####################################################
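Review bot: `error_message = "value"` is a leftover placeholder, so a user who supplies an unsupported domain gets no actionable message; use something like `"cluster_base_domain must end in .test, .example or .invalid (TLDs reserved by RFC 2606)."`. The condition itself has two gaps: `endswith` is case-sensitive while DNS names are not, so `lab.TEST` is rejected although it is equivalent, and a bare `.test` or `cluster..test` passes. A single regex on the lowercased value closes both: `condition = can(regex("^([a-z0-9-]+\\.)+(test|example|invalid)$", lower(var.cluster_base_domain)))`.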