OCM-13095 | feat: include zero egress vpc support

terraform-redhat · Dec 13, 2024 · 56748a4 · 56748a4
1 parent 71a7adc
commit 56748a4
Show file tree

Hide file tree

Showing 28 changed files with 539 additions and 71 deletions.
diff --git a/README.md b/README.md
@@ -10,7 +10,6 @@ This module serves as a comprehensive solution for deploying, configuring and ma
 ```
 module "hcp" {
   source = "terraform-redhat/rosa-hcp/rhcs"
-  version = "1.6.2"
 
   cluster_name           = "my-cluster"
   openshift_version      = "4.14.24"
@@ -125,6 +124,7 @@ We recommend you install the following CLI tools:
 | <a name="input_https_proxy"></a> [https\_proxy](#input\_https\_proxy) | A proxy URL to use for creating HTTPS connections outside the cluster. | `string` | `null` | no |
 | <a name="input_identity_providers"></a> [identity\_providers](#input\_identity\_providers) | Provides a generic approach to add multiple identity providers after the creation of the cluster. This variable allows users to specify configurations for multiple identity providers in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the [idp sub-module](./modules/idp). For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string. | `map(any)` | `{}` | no |
 | <a name="input_ignore_machine_pools_deletion_error"></a> [ignore\_machine\_pools\_deletion\_error](#input\_ignore\_machine\_pools\_deletion\_error) | Ignore machine pool deletion error. Assists when cluster resource is managed within the same file for the destroy use case | `bool` | `false` | no |
+| <a name="input_is_zero_ingress"></a> [is\_zero\_ingress](#input\_is\_zero\_ingress) | Indicates use of zero ingress resources | `bool` | `false` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The key ARN is the Amazon Resource Name (ARN) of a CMK. It is a unique, fully qualified identifier for the CMK. A key ARN includes the AWS account, Region, and the key ID. | `string` | `null` | no |
 | <a name="input_kubelet_configs"></a> [kubelet\_configs](#input\_kubelet\_configs) | Provides a generic approach to add multiple kubelet configs after the creation of the cluster. This variable allows users to specify configurations for multiple kubelet configs in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the [idp sub-module](./modules/kubelet-configs). For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string. | `map(any)` | `{}` | no |
 | <a name="input_machine_cidr"></a> [machine\_cidr](#input\_machine\_cidr) | Block of IP addresses used by OpenShift while installing the cluster, for example "10.0.0.0/16". | `string` | `null` | no |

diff --git a/examples/rosa-hcp-private-zero-egress/README.md b/examples/rosa-hcp-private-zero-egress/README.md
@@ -0,0 +1,155 @@
+# Private Zero Egress ROSA HCP
+
+## Introduction
+
+This is a Terraform manifest example for creating a Red Hat OpenShift Service on AWS (ROSA) Hosted Control Plane (HCP) cluster. This example provides a structured configuration template that demonstrates how to deploy a ROSA cluster within your AWS environment by using Terraform.
+
+This example includes:
+- A Zero Egress ROSA cluster with private access.
+- All AWS resources (IAM and networking) that are created as part of the ROSA cluster module execution.
+- A bastion host EC2 instance that allows to reach the private cluster.
+
+## Example Usage
+
+```
+############################
+# Cluster
+############################
+module "hcp" {
+  source = "terraform-redhat/rosa-hcp/rhcs"
+
+  cluster_name           = "my-cluster"
+  openshift_version      = "4.14.24"
+  machine_cidr           = module.vpc.cidr_block
+  aws_subnet_ids         = module.vpc.private_subnets
+  aws_availability_zones = module.vpc.availability_zones
+  replicas               = 2
+  private                = true
+  create_admin_user          = true
+  admin_credentials_username = "admin"
+  admin_credentials_password = random_password.password.result
+
+  // STS configuration
+  create_account_roles  = true
+  account_role_prefix   = "my-cluster-account"
+  create_oidc           = true
+  create_operator_roles = true
+  operator_role_prefix  = "my-cluster-operator"
+  is_zero_ingress       = true
+}
+
+resource "random_password" "password" {
+  length  = 14
+  special = true
+  min_lower = 1
+  min_numeric = 1
+  min_special = 1
+  min_upper = 1
+}
+
+############################
+# VPC
+############################
+module "vpc" {
+  source = "terraform-redhat/rosa-hcp/rhcs//modules/vpc"
+
+  name_prefix              = "my-vpc"
+  availability_zones_count = 1
+  is_zero_ingress       = true
+}
+
+############################
+# Bastion instance for connection to the cluster
+############################
+data "aws_ami" "rhel9" {
+  most_recent = true
+
+  filter {
+    name   = "platform-details"
+    values = ["Red Hat Enterprise Linux"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
+  }
+
+  filter {
+    name   = "manifest-location"
+    values = ["amazon/RHEL-9.*_HVM-*-x86_64-*-Hourly2-GP2"]
+  }
+
+  owners = ["309956199498"] # Amazon's "Official Red Hat" account
+}
+module "bastion_host" {
+  source     = "../../modules/bastion-host"
+  prefix     = "my-host"
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = [module.vpc.public_subnets[0]]
+  ami_id         = aws_ami.rhel9.id
+  user_data_file = file("bastion-host-user-data.yaml")
+}
+```
+
+
+<!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.35.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
+| <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs) | >= 1.6.2 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.35.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_bastion_host"></a> [bastion\_host](#module\_bastion\_host) | ../../modules/bastion-host | n/a |
+| <a name="module_hcp"></a> [hcp](#module\_hcp) | ../../ | n/a |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../modules/vpc | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+| [aws_ami.rhel9](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | n/a | `string` | n/a | yes |
+| <a name="input_openshift_version"></a> [openshift\_version](#input\_openshift\_version) | n/a | `string` | `"4.16.3"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_account_role_prefix"></a> [account\_role\_prefix](#output\_account\_role\_prefix) | The prefix used for all generated AWS resources. |
+| <a name="output_account_roles_arn"></a> [account\_roles\_arn](#output\_account\_roles\_arn) | A map of Amazon Resource Names (ARNs) associated with the AWS IAM roles created. The key in the map represents the name of an AWS IAM role, while the corresponding value represents the associated Amazon Resource Name (ARN) of that role. |
+| <a name="output_bastion_host_public_ip"></a> [bastion\_host\_public\_ip](#output\_bastion\_host\_public\_ip) | Bastion Host Public IP |
+| <a name="output_cluster_api_url"></a> [cluster\_api\_url](#output\_cluster\_api\_url) | The URL of the API server. |
+| <a name="output_cluster_console_url"></a> [cluster\_console\_url](#output\_cluster\_console\_url) | The URL of the console. |
+| <a name="output_cluster_id"></a> [cluster\_id](#output\_cluster\_id) | Unique identifier of the cluster. |
+| <a name="output_oidc_config_id"></a> [oidc\_config\_id](#output\_oidc\_config\_id) | The unique identifier associated with users authenticated through OpenID Connect (OIDC) generated by this OIDC config. |
+| <a name="output_oidc_endpoint_url"></a> [oidc\_endpoint\_url](#output\_oidc\_endpoint\_url) | Registered OIDC configuration issuer URL, generated by this OIDC config. |
+| <a name="output_operator_role_prefix"></a> [operator\_role\_prefix](#output\_operator\_role\_prefix) | Prefix used for generated AWS operator policies. |
+| <a name="output_operator_roles_arn"></a> [operator\_roles\_arn](#output\_operator\_roles\_arn) | List of Amazon Resource Names (ARNs) for all operator roles created. |
+| <a name="output_password"></a> [password](#output\_password) | n/a |
+| <a name="output_path"></a> [path](#output\_path) | The arn path for the account/operator roles as well as their policies. |
+<!-- END_AUTOMATED_TF_DOCS_BLOCK -->
diff --git a/examples/rosa-hcp-private-zero-egress/main.tf b/examples/rosa-hcp-private-zero-egress/main.tf
@@ -0,0 +1,87 @@
+locals {
+  account_role_prefix  = "${var.cluster_name}-account"
+  operator_role_prefix = "${var.cluster_name}-operator"
+}
+
+############################
+# Cluster
+############################
+module "hcp" {
+  source = "../../"
+
+  cluster_name               = var.cluster_name
+  openshift_version          = var.openshift_version
+  machine_cidr               = module.vpc.cidr_block
+  aws_subnet_ids             = module.vpc.private_subnets
+  replicas                   = 2
+  private                    = true
+  create_admin_user          = true
+  admin_credentials_username = "admin"
+  admin_credentials_password = random_password.password.result
+  ec2_metadata_http_tokens   = "required"
+
+  // STS configuration
+  create_account_roles  = true
+  account_role_prefix   = local.account_role_prefix
+  create_oidc           = true
+  create_operator_roles = true
+  operator_role_prefix  = local.operator_role_prefix
+  is_zero_ingress       = true
+}
+
+resource "random_password" "password" {
+  length      = 14
+  special     = true
+  min_lower   = 1
+  min_numeric = 1
+  min_special = 1
+  min_upper   = 1
+}
+
+############################
+# VPC
+############################
+module "vpc" {
+  source = "../../modules/vpc"
+
+  name_prefix              = var.cluster_name
+  availability_zones_count = 1
+  is_zero_egress           = true
+}
+
+############################
+# Bastion instance for connection to the cluster
+############################
+data "aws_ami" "rhel9" {
+  most_recent = true
+
+  filter {
+    name   = "platform-details"
+    values = ["Red Hat Enterprise Linux"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
+  }
+
+  filter {
+    name   = "manifest-location"
+    values = ["amazon/RHEL-9.*_HVM-*-x86_64-*-Hourly2-GP2"]
+  }
+
+  owners = ["309956199498"] # Amazon's "Official Red Hat" account
+}
+module "bastion_host" {
+  source         = "../../modules/bastion-host"
+  prefix         = var.cluster_name
+  vpc_id         = module.vpc.vpc_id
+  subnet_ids     = [module.vpc.public_subnets[0]]
+  ami_id         = data.aws_ami.rhel9.id
+  user_data_file = file("../../assets/bastion-host-user-data.yaml")
+}
diff --git a/examples/rosa-hcp-private-zero-egress/outputs.tf b/examples/rosa-hcp-private-zero-egress/outputs.tf
@@ -0,0 +1,59 @@
+output "bastion_host_public_ip" {
+  value       = module.bastion_host.bastion_host_public_ip
+  description = "Bastion Host Public IP"
+}
+
+output "cluster_id" {
+  value       = module.hcp.cluster_id
+  description = "Unique identifier of the cluster."
+}
+
+output "cluster_api_url" {
+  value       = module.hcp.cluster_api_url
+  description = "The URL of the API server."
+}
+
+output "cluster_console_url" {
+  value       = module.hcp.cluster_console_url
+  description = "The URL of the console."
+}
+
+output "account_role_prefix" {
+  value       = module.hcp.account_role_prefix
+  description = "The prefix used for all generated AWS resources."
+}
+
+output "account_roles_arn" {
+  value       = module.hcp.account_roles_arn
+  description = "A map of Amazon Resource Names (ARNs) associated with the AWS IAM roles created. The key in the map represents the name of an AWS IAM role, while the corresponding value represents the associated Amazon Resource Name (ARN) of that role."
+}
+
+output "path" {
+  value       = module.hcp.path
+  description = "The arn path for the account/operator roles as well as their policies."
+}
+
+output "oidc_config_id" {
+  value       = module.hcp.oidc_config_id
+  description = "The unique identifier associated with users authenticated through OpenID Connect (OIDC) generated by this OIDC config."
+}
+
+output "oidc_endpoint_url" {
+  value       = module.hcp.oidc_endpoint_url
+  description = "Registered OIDC configuration issuer URL, generated by this OIDC config."
+}
+
+output "operator_role_prefix" {
+  value       = module.hcp.operator_role_prefix
+  description = "Prefix used for generated AWS operator policies."
+}
+
+output "operator_roles_arn" {
+  value       = module.hcp.operator_roles_arn
+  description = "List of Amazon Resource Names (ARNs) for all operator roles created."
+}
+
+output "password" {
+  value     = resource.random_password.password
+  sensitive = true
+}
diff --git a/examples/rosa-hcp-private-zero-egress/variables.tf b/examples/rosa-hcp-private-zero-egress/variables.tf
@@ -0,0 +1,12 @@
+variable "openshift_version" {
+  type    = string
+  default = "4.16.3"
+  validation {
+    condition     = can(regex("^[0-9]*[0-9]+.[0-9]*[0-9]+.[0-9]*[0-9]+$", var.openshift_version))
+    error_message = "openshift_version must be with structure <major>.<minor>.<patch> (for example 4.13.6)."
+  }
+}
+
+variable "cluster_name" {
+  type = string
+}
diff --git a/examples/rosa-hcp-private-zero-egress/versions.tf b/examples/rosa-hcp-private-zero-egress/versions.tf
@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.35.0"
+    }
+    rhcs = {
+      version = ">= 1.6.2"
+      source  = "terraform-redhat/rhcs"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 2.0"
+    }
+  }
+}
diff --git a/examples/rosa-hcp-private/README.md b/examples/rosa-hcp-private/README.md
@@ -17,7 +17,6 @@ This example includes:
 ############################
 module "hcp" {
   source = "terraform-redhat/rosa-hcp/rhcs"
-  version = "1.6.2"
 
   cluster_name           = "my-cluster"
   openshift_version      = "4.14.24"

diff --git a/examples/rosa-hcp-public-unmanaged-oidc/README.md b/examples/rosa-hcp-public-unmanaged-oidc/README.md
@@ -16,7 +16,6 @@ This example includes:
 ############################
 module "hcp" {
   source = "terraform-redhat/rosa-hcp/rhcs"
-  version = "1.6.2"
 
   cluster_name           = "my-cluster"
   openshift_version      = "4.14.24"

diff --git a/examples/rosa-hcp-public/README.md b/examples/rosa-hcp-public/README.md
@@ -16,7 +16,6 @@ This example includes:
 ############################
 module "hcp" {
   source = "terraform-redhat/rosa-hcp/rhcs"
-  version = "1.6.2"
 
   cluster_name           = "my-cluster"
   openshift_version      = "4.14.24"