Skip to content

Latest commit

 

History

History
197 lines (172 loc) · 30.4 KB

README.md

File metadata and controls

197 lines (172 loc) · 30.4 KB
Raw

terraform-rhcs-rosa-classic

A Terraform module which creates ROSA Classic clusters

Introduction

This module serves as a comprehensive solution for deploying, configuring, and managing Red Hat OpenShift on AWS (ROSA) Classic clusters within your AWS environment. With a focus on simplicity and efficiency, this module streamlines the process of setting up and maintaining ROSA Classic clusters, enabling users to use the power of OpenShift using AWS infrastructure effortlessly.

Example Usage

module "rosa_cluster_classic" {
  source = "terraform-redhat/rosa-classic/rhcs"

  cluster_name          = "my-cluster"
  openshift_version     = "4.14.24"
  create_account_roles  = true
  create_operator_roles = true
  create_oidc           = true
  create_admin_user     = true
}

Sub-modules

Sub-modules included in this module:

  • account-iam-resources: Handles the provisioning of IAM (Identity and Access Management) resources required for managing access and permissions in the AWS account associated with the ROSA Classic cluster.
  • idp: Responsible for configuring Identity Providers (IDPs) within the ROSA Classic cluster, facilitating seamless integration with external authentication systems such as GitHub, GitLab, Google, HTPasswd, LDAP, and OpenID Connect (OIDC).
  • machine-pool: Facilitates the management of machine pools within the ROSA Classic cluster, enabling users to scale resources and adjust specifications based on workload demands.
  • oidc-config-and-provider: Manages the configuration of OIDC (OpenID Connect) providers within the ROSA Classic cluster, enabling secure authentication and access control mechanisms.
  • operator-policies: Responsible for managing policies associated with ROSA operators within the cluster, ensuring proper permissions for core cluster functionalities.
  • operator-roles: Oversees the management of roles assigned to operators within the ROSA Classic cluster, enabling them to perform required actions with the appropriate permissions.
  • rosa-cluster-classic: Handles the core configuration and provisioning of the ROSA Classic cluster, including cluster networking, security settings, and other essential components.
  • shared-vpc-policy-and-hosted-zone: Manages policies and configurations related to shared Virtual Private Cloud (VPC) resources and Route 53 hosted zones, facilitating connectivity and access control in the AWS environment.
  • vpc: Handles the configuration and provisioning of the Virtual Private Cloud (VPC) infrastructure required for hosting the ROSA Classic cluster and its associated resources.

The primary sub-module responsible for ROSA Classic cluster creation includes the optional configurations for setting up account roles, operator roles, and OIDC configurations. This comprehensive module handles the entire process of provisioning and configuring ROSA Classic clusters in your AWS environment.

Prerequisites

We recommend you install the following CLI tools:

Requirements

Name Version
terraform >= 1.0
aws >= 4.0
null >= 3.0.0
rhcs >= 1.6.2

Providers

Name Version
aws >= 4.0
null >= 3.0.0

Modules

Name Source Version
account_iam_resources ./modules/account-iam-resources n/a
oidc_config_and_provider ./modules/oidc-config-and-provider n/a
operator_policies ./modules/operator-policies n/a
operator_roles ./modules/operator-roles n/a
rhcs_identity_provider ./modules/idp n/a
rhcs_machine_pool ./modules/machine-pool n/a
rosa_cluster_classic ./modules/rosa-cluster-classic n/a

Resources

Name Type
null_resource.validations resource
aws_caller_identity.current data source
aws_partition.current data source

Inputs

Name Description Type Default Required
account_role_prefix User-defined prefix for all generated AWS resources (default "account-role-"). string null no
additional_trust_bundle A string containing a PEM-encoded X.509 certificate bundle that will be added to the nodes' trusted certificate store. string null no
admin_credentials_password Admin password that is created with the cluster. The password must contain at least 14 characters (ASCII-standard) without whitespaces including uppercase letters, lowercase letters, and numbers or symbols. string null no
admin_credentials_username Admin username that is created with the cluster. auto generated username - "cluster-admin" string null no
autoscaler_balance_similar_node_groups Automatically identify node groups with the same instance type and the same set of labels and try to keep the respective sizes of those node groups balanced. bool null no
autoscaler_balancing_ignored_labels This option specifies labels that cluster autoscaler should ignore when considering node group similarity. For example, if you have nodes with 'topology.ebs.csi.aws.com/zone' label, you can add name of this label here to prevent cluster autoscaler from splitting nodes into different node groups based on its value. list(string) null no
autoscaler_cores Minimum and maximum number of cores in cluster, in the format :. Cluster autoscaler does not scale the cluster beyond these numbers. 
object({
    min = number
    max = number
  })
 null no
autoscaler_gpus Minimum and maximum number of different GPUs in cluster, in the format <gpu_type>::. Cluster autoscaler does not scale the cluster beyond these numbers. Can be passed multiple times. 
list(object({
    type = string
    range = object({
      min = number
      max = number
    })
  }))
 null no
autoscaler_ignore_daemonsets_utilization Should cluster-autoscaler ignore DaemonSet pods when calculating resource utilization for scaling down. Default is false. bool null no
autoscaler_log_verbosity Sets the autoscaler log level. Default value is 1, level 4 is recommended for DEBUGGING and level 6 enables almost everything. number null no
autoscaler_max_node_provision_time Maximum time cluster-autoscaler waits for node to be provisioned. string null no
autoscaler_max_nodes_total Maximum number of nodes in all node groups. Cluster autoscaler does not grow the cluster beyond this number. number null no
autoscaler_max_pod_grace_period Gives pods graceful termination time before scaling down. number null no
autoscaler_memory Minimum and maximum number of gigabytes of memory in cluster, in the format :. Cluster autoscaler does not scale the cluster beyond these numbers. 
object({
    min = number
    max = number
  })
 null no
autoscaler_pod_priority_threshold To allow users to schedule 'best-effort' pods, which shouldn't trigger cluster autoscaler actions, but only run when there are spare resources available. number null no
autoscaler_scale_down_delay_after_add How long after scale up that scale down evaluation resumes. string null no
autoscaler_scale_down_delay_after_delete How long after node deletion that scale down evaluation resumes. string null no
autoscaler_scale_down_delay_after_failure How long after scale down failure that scale down evaluation resumes. string null no
autoscaler_scale_down_enabled Should cluster-autoscaler scale down the cluster. bool null no
autoscaler_scale_down_unneeded_time How long a node should be unneeded before it is eligible for scale down. string null no
autoscaler_scale_down_utilization_threshold Node utilization level, defined as sum of requested resources divided by capacity, below which a node can be considered for scale down. string null no
autoscaler_skip_nodes_with_local_storage If true, cluster autoscaler never deletes nodes with pods with local storage, e.g. EmptyDir or HostPath. Default is true. bool null no
autoscaling_enabled Enable autoscaling for the initial worker pool. (default: false) bool null no
aws_additional_compute_security_group_ids The additional security group IDs to be added to the default worker machine pool. list(string) null no
aws_additional_control_plane_security_group_ids The additional security group IDs to be added to the control plane nodes. list(string) null no
aws_additional_infra_security_group_ids The additional security group IDs to be added to the infra worker nodes. list(string) null no
aws_availability_zones The AWS availability zones where instances of the default worker machine pool are deployed. Leave empty for the installer to pick availability zones. list(string) [] no
aws_private_link Provides private connectivity between VPCs, AWS services, and on-premises networks, without exposing traffic to the public internet. (default: false) bool null no
aws_subnet_ids The subnet IDs to use when installing the cluster. Leave empty for installer provisioned subnet IDs. list(string) [] no
base_dns_domain Base DNS domain name previously reserved and matching the hosted zone name of the private Route 53 hosted zone associated with intended shared VPC, e.g., '1vo8.p1.openshiftapps.com'. string null no
cluster_autoscaler_enabled Enable autoscaler for this cluster. bool false no
cluster_name Name of the cluster. After resource creation, it is not possible to update the attribute value. string n/a yes
compute_machine_type Identifies the Instance type used by the default worker machine pool e.g. m5.xlarge. Use the rhcs_machine_types data source to find the possible values. string null no
create_account_roles Create the AWS account roles for ROSA. bool false no
create_admin_user To create cluster admin user with default username cluster-admin and generated password. It will be ignored if admin_credentials_username or admin_credentials_password is set. (default: false) bool null no
create_oidc Create the OIDC resources. bool false no
create_operator_roles Create the AWS account roles for ROSA. bool false no
default_ingress_cluster_routes_hostname Components route hostname for oauth, console, download. string null no
default_ingress_cluster_routes_tls_secret_ref Components route TLS secret reference for oauth, console, download. string null no
default_ingress_excluded_namespaces Excluded namespaces for ingress. Format should be a comma-separated list 'value1, value2...'. If no values are specified, all namespaces are exposed. list(string) null no
default_ingress_id Unique identifier of the ingress. string null no
default_ingress_load_balancer_type Type of Load Balancer. Options are ["classic", "nlb"]:with. string null no
default_ingress_route_namespace_ownership_policy Namespace ownership policy for ingress. Options are ["Strict", "InterNamespaceAllowed"]. Default is "Strict". string null no
default_ingress_route_selectors Route Selectors for ingress. Format should be a comma-separated list of 'key=value'. If no label is specified, all routes are exposed on both routers. For legacy ingress support, these are inclusion labels, otherwise they are treated as exclusion label. map(string) null no
default_ingress_route_wildcard_policy Wildcard policy for ingress. Options are ["WildcardsDisallowed", "WildcardsAllowed"]. Default is "WildcardsDisallowed". string null no
default_mp_labels Labels for the worker machine pool. This list overwrites any modifications made to node labels on an ongoing basis. map(string) null no
destroy_timeout Maximum duration in minutes to allow for destroying resources. (Default: 60 minutes) number null no
disable_scp_checks Indicates if cloud permission checks are disabled when attempting installation of the cluster. bool null no
disable_waiting_in_destroy Disable addressing cluster state in the destroy resource. Default value is false; destroy waits for the cluster to be deleted. bool null no
disable_workload_monitoring Enables you to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. bool null no
ec2_metadata_http_tokens Should cluster nodes use both v1 and v2 endpoints or just v2 endpoint of EC2 Instance Metadata Service (IMDS). Available since OpenShift 4.11.0. string null no
etcd_encryption Add etcd encryption. By default, etcd data is encrypted at rest. This option configures etcd encryption on top of existing storage encryption. bool null no
fips Create cluster that uses FIPS Validated / Modules in Process cryptographic libraries. bool null no
host_prefix Subnet prefix length to assign to each individual node. For example, if host prefix is set to "23", then each node is assigned a /23 subnet out of the given CIDR. number null no
http_proxy A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must be http. string null no
https_proxy A proxy URL to use for creating HTTPS connections outside the cluster. string null no
identity_providers Provides a generic approach to add multiple identity providers after the creation of the cluster. This variable allows users to specify configurations for multiple identity providers in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the idp sub-module. For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string. map(any) {} no
kms_key_arn The key ARN is the Amazon Resource Name (ARN) of a CMK. It is a unique, fully qualified identifier for the CMK. A key ARN includes the AWS account, region, and the key ID. string null no
machine_cidr Block of IP addresses used by OpenShift while installing the cluster, for example "10.0.0.0/16". string null no
machine_pools Provides a generic approach to add multiple machine pools after the creation of the cluster. This variable allows users to specify configurations for multiple machine pools in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the machine-pool sub-module. For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string. map(any) {} no
managed_oidc OIDC type managed or unmanaged OIDC. bool true no
max_replicas Maximum number of compute nodes. This attribute is applicable solely when autoscaling is enabled. (default: 2) number null no
min_replicas Minimum number of compute nodes. This attribute is applicable solely when autoscaling is enabled. (default: 2) number null no
multi_az Specifies whether the deployment of the cluster should extend across multiple availability zones. (default: false) bool null no
no_proxy A comma-separated list of destination domain names, domains, IP addresses or other network CIDRs to exclude proxying. string null no
oidc_config_id The unique identifier associated with users authenticated through OpenID Connect (OIDC) within the ROSA cluster. string null no
oidc_endpoint_url Registered OIDC configuration issuer URL, added as the trusted relationship to the operator roles. Valid only when create_oidc is false. string null no
openshift_version Desired version of OpenShift for the cluster, for example '4.1.0'. If version is later than the currently running version, an upgrade is scheduled. string n/a yes
operator_role_prefix User-defined prefix for generated AWS operator policies. Use "account-role-prefix" in case no value provided. string null no
path The ARN path for the account/operator roles and policies. string "/" no
permissions_boundary The ARN of the policy that is used to set the permissions boundary for the IAM roles in STS clusters. string "" no
pod_cidr Block of IP addresses from which pod IP addresses are allocated, for example "10.128.0.0/14". string null no
private Restrict master API endpoint and application routes to direct, private connectivity. (default: false) bool null no
private_hosted_zone_id ID assigned by AWS to private Route 53 hosted zone associated with intended shared VPC, e.g., 'Z05646003S02O1ENCDCSN'. string null no
private_hosted_zone_role_arn AWS IAM role ARN with a policy attached, granting permissions necessary to create and manage Route 53 DNS records in private Route 53 hosted zone associated with intended shared VPC. string null no
properties User defined properties. map(string) null no
replicas Number of worker nodes to provision. This attribute is applicable solely when autoscaling is disabled. Single zone clusters need at least 2 nodes, multizone clusters need at least 3 nodes. Hosted clusters require that the number of worker nodes be a multiple of the number of private subnets. (default: 2) number null no
service_cidr Block of IP addresses for services, for example "172.30.0.0/16". string null no
tags Apply user defined tags to all cluster resources created in AWS. After the creation of the cluster is completed, it is not possible to update this attribute. map(string) null no
upgrade_acknowledgements_for Indicates acknowledgement of agreements required to upgrade the cluster version between minor versions (e.g. a value of "4.12" indicates acknowledgement of any agreements required to upgrade to OpenShift 4.12.z from 4.11 or before). string null no
wait_for_create_complete Wait until the cluster is either in a ready state or in an error state. The waiter has a timeout of 60 minutes. (default: true) bool true no
worker_disk_size Default worker machine pool root disk size with a unit suffix like GiB or TiB, e.g. 200GiB. number null no

Outputs

Name Description
account_role_prefix The prefix used for all generated AWS resources.
account_roles_arn A map of Amazon Resource Names (ARNs) associated with the AWS IAM roles created. The key in the map represents the name of an AWS IAM role, while the corresponding value represents the associated Amazon Resource Name (ARN) of that role.
api_url URL of the API server.
cluster_admin_password The password of the admin user.
cluster_admin_username The username of the admin user.
cluster_id Unique identifier of the cluster.
console_url URL of the console.
current_version The currently running version of OpenShift on the cluster, for example '4.11.0'.
domain DNS domain of cluster.
infra_id The ROSA cluster infrastructure ID.
oidc_config_id The unique identifier associated with users authenticated through OpenID Connect (OIDC) generated by this OIDC config.
oidc_endpoint_url Registered OIDC configuration issuer URL, generated by this OIDC config.
operator_role_prefix Prefix used for generated AWS operator policies.
operator_roles_arn List of Amazon Resource Names (ARNs) for all operator roles created.
path The arn path for the account/operator roles as well as their policies.
private_hosted_zone_id ID assigned by AWS to private Route 53 hosted zone associated with intended shared VPC
state The state of the cluster.