terraform-redhat
diff --git a/‎README.md
-1 b/‎README.md
-1
diff --git a/‎examples/rosa-hcp-private-zero-egress/README.md
+162 b/‎examples/rosa-hcp-private-zero-egress/README.md
+162
diff --git a/‎examples/rosa-hcp-private-zero-egress/main.tf
+87 b/‎examples/rosa-hcp-private-zero-egress/main.tf
+87
diff --git a/‎examples/rosa-hcp-private-zero-egress/outputs.tf
+59 b/‎examples/rosa-hcp-private-zero-egress/outputs.tf
+59
diff --git a/‎examples/rosa-hcp-private-zero-egress/variables.tf
+12 b/‎examples/rosa-hcp-private-zero-egress/variables.tf
+12
diff --git a/‎examples/rosa-hcp-private-zero-egress/versions.tf
+18 b/‎examples/rosa-hcp-private-zero-egress/versions.tf
+18
diff --git a/‎examples/rosa-hcp-private/README.md
-1 b/‎examples/rosa-hcp-private/README.md
-1
diff --git a/‎examples/rosa-hcp-public-unmanaged-oidc/README.md
-1 b/‎examples/rosa-hcp-public-unmanaged-oidc/README.md
-1
diff --git a/‎examples/rosa-hcp-public/README.md
-1 b/‎examples/rosa-hcp-public/README.md
-1
@@ -10,7 +10,6 @@ This module serves as a comprehensive solution for deploying, configuring and ma
 ```
 module "hcp" {
   source = "terraform-redhat/rosa-hcp/rhcs"
-  version = "1.6.2"
 
   cluster_name           = "my-cluster"
   openshift_version      = "4.14.24"
 
@@ -0,0 +1,162 @@
+# Private Zero Egress ROSA HCP
+
+## Introduction
+
+This is a Terraform manifest example for creating a Red Hat OpenShift Service on AWS (ROSA) Hosted Control Plane (HCP) cluster. This example provides a structured configuration template that demonstrates how to deploy a ROSA cluster within your AWS environment by using Terraform.
+
+This example includes:
+- A Zero Egress ROSA cluster with private access.
+- All AWS resources (IAM and networking) that are created as part of the ROSA cluster module execution.
+- A bastion host EC2 instance that allows to reach the private cluster.
+
+## Example Usage
+
+```
+############################
+# Cluster
+############################
+module "hcp" {
+  source = "terraform-redhat/rosa-hcp/rhcs"
+
+  cluster_name           = "my-cluster"
+  openshift_version      = "4.14.24"
+  machine_cidr           = module.vpc.cidr_block
+  aws_subnet_ids         = module.vpc.private_subnets
+  aws_availability_zones = module.vpc.availability_zones
+  replicas               = length(module.vpc.availability_zones)
+  private                = true
+
+  // STS configuration
+  create_account_roles  = true
+  account_role_prefix   = "my-cluster-account"
+  create_oidc           = true
+  create_operator_roles = true
+  operator_role_prefix  = "my-cluster-operator"
+}
+
+############################
+# HTPASSWD IDP
+############################
+module "htpasswd_idp" {
+  source = "terraform-redhat/rosa-hcp/rhcs//modules/idp"
+
+  cluster_id         = module.hcp.cluster_id
+  name               = "htpasswd-idp"
+  idp_type           = "htpasswd"
+  htpasswd_idp_users = [{ username = "test-user", password = random_password.password.result }]
+}
+
+resource "random_password" "password" {
+  length  = 14
+  special = true
+  min_lower = 1
+  min_numeric = 1
+  min_special = 1
+  min_upper = 1
+}
+
+############################
+# VPC
+############################
+module "vpc" {
+  source = "terraform-redhat/rosa-hcp/rhcs//modules/vpc"
+
+  name_prefix              = "my-vpc"
+  availability_zones_count = 3
+}
+
+############################
+# Bastion instance for connection to the cluster
+############################
+data "aws_ami" "rhel9" {
+  most_recent = true
+
+  filter {
+    name   = "platform-details"
+    values = ["Red Hat Enterprise Linux"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
+  }
+
+  filter {
+    name   = "manifest-location"
+    values = ["amazon/RHEL-9.*_HVM-*-x86_64-*-Hourly2-GP2"]
+  }
+
+  owners = ["309956199498"] # Amazon's "Official Red Hat" account
+}
+module "bastion_host" {
+  source     = "../../modules/bastion-host"
+  prefix     = "my-host"
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = [module.vpc.public_subnets[0]]
+  ami_id         = aws_ami.rhel9.id
+  user_data_file = file("bastion-host-user-data.yaml")
+}
+```
+
+
+<!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK -->
+## Requirements
+
+| Name                                                                      | Version   |
+| ------------------------------------------------------------------------- | --------- |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0    |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws)                   | >= 5.35.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random)          | >= 2.0    |
+| <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs)                | >= 1.6.2  |
+
+## Providers
+
+| Name                                                       | Version   |
+| ---------------------------------------------------------- | --------- |
+| <a name="provider_aws"></a> [aws](#provider\_aws)          | >= 5.35.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0    |
+
+## Modules
+
+| Name                                                                       | Source                     | Version |
+| -------------------------------------------------------------------------- | -------------------------- | ------- |
+| <a name="module_bastion_host"></a> [bastion\_host](#module\_bastion\_host) | ../../modules/bastion-host | n/a     |
+| <a name="module_hcp"></a> [hcp](#module\_hcp)                              | ../../                     | n/a     |
+| <a name="module_vpc"></a> [vpc](#module\_vpc)                              | ../../modules/vpc          | n/a     |
+
+## Resources
+
+| Name                                                                                                                | Type        |
+| ------------------------------------------------------------------------------------------------------------------- | ----------- |
+| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource    |
+| [aws_ami.rhel9](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami)                 | data source |
+
+## Inputs
+
+| Name                                                                                    | Description | Type     | Default    | Required |
+| --------------------------------------------------------------------------------------- | ----------- | -------- | ---------- | :------: |
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name)                | n/a         | `string` | n/a        |   yes    |
+| <a name="input_openshift_version"></a> [openshift\_version](#input\_openshift\_version) | n/a         | `string` | `"4.16.3"` |    no    |
+
+## Outputs
+
+| Name                                                                                                         | Description                                                                                                                                                                                                                                  |
+| ------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| <a name="output_account_role_prefix"></a> [account\_role\_prefix](#output\_account\_role\_prefix)            | The prefix used for all generated AWS resources.                                                                                                                                                                                             |
+| <a name="output_account_roles_arn"></a> [account\_roles\_arn](#output\_account\_roles\_arn)                  | A map of Amazon Resource Names (ARNs) associated with the AWS IAM roles created. The key in the map represents the name of an AWS IAM role, while the corresponding value represents the associated Amazon Resource Name (ARN) of that role. |
+| <a name="output_bastion_host_public_ip"></a> [bastion\_host\_public\_ip](#output\_bastion\_host\_public\_ip) | Bastion Host Public IP                                                                                                                                                                                                                       |
+| <a name="output_cluster_api_url"></a> [cluster\_api\_url](#output\_cluster\_api\_url)                        | The URL of the API server.                                                                                                                                                                                                                   |
+| <a name="output_cluster_console_url"></a> [cluster\_console\_url](#output\_cluster\_console\_url)            | The URL of the console.                                                                                                                                                                                                                      |
+| <a name="output_cluster_id"></a> [cluster\_id](#output\_cluster\_id)                                         | Unique identifier of the cluster.                                                                                                                                                                                                            |
+| <a name="output_oidc_config_id"></a> [oidc\_config\_id](#output\_oidc\_config\_id)                           | The unique identifier associated with users authenticated through OpenID Connect (OIDC) generated by this OIDC config.                                                                                                                       |
+| <a name="output_oidc_endpoint_url"></a> [oidc\_endpoint\_url](#output\_oidc\_endpoint\_url)                  | Registered OIDC configuration issuer URL, generated by this OIDC config.                                                                                                                                                                     |
+| <a name="output_operator_role_prefix"></a> [operator\_role\_prefix](#output\_operator\_role\_prefix)         | Prefix used for generated AWS operator policies.                                                                                                                                                                                             |
+| <a name="output_operator_roles_arn"></a> [operator\_roles\_arn](#output\_operator\_roles\_arn)               | List of Amazon Resource Names (ARNs) for all operator roles created.                                                                                                                                                                         |
+| <a name="output_password"></a> [password](#output\_password)                                                 | n/a                                                                                                                                                                                                                                          |
+| <a name="output_path"></a> [path](#output\_path)                                                             | The arn path for the account/operator roles as well as their policies.                                                                                                                                                                       |
+<!-- END_AUTOMATED_TF_DOCS_BLOCK -->
@@ -0,0 +1,87 @@
+locals {
+  account_role_prefix  = "${var.cluster_name}-account"
+  operator_role_prefix = "${var.cluster_name}-operator"
+}
+
+############################
+# Cluster
+############################
+module "hcp" {
+  source = "../../"
+
+  cluster_name               = var.cluster_name
+  openshift_version          = var.openshift_version
+  machine_cidr               = module.vpc.cidr_block
+  aws_subnet_ids             = module.vpc.private_subnets
+  replicas                   = 2
+  private                    = true
+  create_admin_user          = true
+  admin_credentials_username = "admin"
+  admin_credentials_password = random_password.password.result
+  ec2_metadata_http_tokens   = "required"
+
+  // STS configuration
+  create_account_roles  = true
+  account_role_prefix   = local.account_role_prefix
+  create_oidc           = true
+  create_operator_roles = true
+  operator_role_prefix  = local.operator_role_prefix
+  is_zero_ingress       = true
+}
+
+resource "random_password" "password" {
+  length      = 14
+  special     = true
+  min_lower   = 1
+  min_numeric = 1
+  min_special = 1
+  min_upper   = 1
+}
+
+############################
+# VPC
+############################
+module "vpc" {
+  source = "../../modules/vpc"
+
+  name_prefix              = var.cluster_name
+  availability_zones_count = 1
+  is_zero_egress           = true
+}
+
+############################
+# Bastion instance for connection to the cluster
+############################
+data "aws_ami" "rhel9" {
+  most_recent = true
+
+  filter {
+    name   = "platform-details"
+    values = ["Red Hat Enterprise Linux"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
+  }
+
+  filter {
+    name   = "manifest-location"
+    values = ["amazon/RHEL-9.*_HVM-*-x86_64-*-Hourly2-GP2"]
+  }
+
+  owners = ["309956199498"] # Amazon's "Official Red Hat" account
+}
+module "bastion_host" {
+  source         = "../../modules/bastion-host"
+  prefix         = var.cluster_name
+  vpc_id         = module.vpc.vpc_id
+  subnet_ids     = [module.vpc.public_subnets[0]]
+  ami_id         = data.aws_ami.rhel9.id
+  user_data_file = file("../../assets/bastion-host-user-data.yaml")
+}
@@ -0,0 +1,59 @@
+output "bastion_host_public_ip" {
+  value       = module.bastion_host.bastion_host_public_ip
+  description = "Bastion Host Public IP"
+}
+
+output "cluster_id" {
+  value       = module.hcp.cluster_id
+  description = "Unique identifier of the cluster."
+}
+
+output "cluster_api_url" {
+  value       = module.hcp.cluster_api_url
+  description = "The URL of the API server."
+}
+
+output "cluster_console_url" {
+  value       = module.hcp.cluster_console_url
+  description = "The URL of the console."
+}
+
+output "account_role_prefix" {
+  value       = module.hcp.account_role_prefix
+  description = "The prefix used for all generated AWS resources."
+}
+
+output "account_roles_arn" {
+  value       = module.hcp.account_roles_arn
+  description = "A map of Amazon Resource Names (ARNs) associated with the AWS IAM roles created. The key in the map represents the name of an AWS IAM role, while the corresponding value represents the associated Amazon Resource Name (ARN) of that role."
+}
+
+output "path" {
+  value       = module.hcp.path
+  description = "The arn path for the account/operator roles as well as their policies."
+}
+
+output "oidc_config_id" {
+  value       = module.hcp.oidc_config_id
+  description = "The unique identifier associated with users authenticated through OpenID Connect (OIDC) generated by this OIDC config."
+}
+
+output "oidc_endpoint_url" {
+  value       = module.hcp.oidc_endpoint_url
+  description = "Registered OIDC configuration issuer URL, generated by this OIDC config."
+}
+
+output "operator_role_prefix" {
+  value       = module.hcp.operator_role_prefix
+  description = "Prefix used for generated AWS operator policies."
+}
+
+output "operator_roles_arn" {
+  value       = module.hcp.operator_roles_arn
+  description = "List of Amazon Resource Names (ARNs) for all operator roles created."
+}
+
+output "password" {
+  value     = resource.random_password.password
+  sensitive = true
+}
@@ -0,0 +1,12 @@
+variable "openshift_version" {
+  type    = string
+  default = "4.16.3"
+  validation {
+    condition     = can(regex("^[0-9]*[0-9]+.[0-9]*[0-9]+.[0-9]*[0-9]+$", var.openshift_version))
+    error_message = "openshift_version must be with structure <major>.<minor>.<patch> (for example 4.13.6)."
+  }
+}
+
+variable "cluster_name" {
+  type = string
+}
@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.35.0"
+    }
+    rhcs = {
+      version = ">= 1.6.2"
+      source  = "terraform-redhat/rhcs"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 2.0"
+    }
+  }
+}
@@ -17,7 +17,6 @@ This example includes:
 ############################
 module "hcp" {
   source = "terraform-redhat/rosa-hcp/rhcs"
-  version = "1.6.2"
 
   cluster_name           = "my-cluster"
   openshift_version      = "4.14.24"
 
@@ -16,7 +16,6 @@ This example includes:
 ############################
 module "hcp" {
   source = "terraform-redhat/rosa-hcp/rhcs"
-  version = "1.6.2"
 
   cluster_name           = "my-cluster"
   openshift_version      = "4.14.24"
 
@@ -16,7 +16,6 @@ This example includes:
 ############################
 module "hcp" {
   source = "terraform-redhat/rosa-hcp/rhcs"
-  version = "1.6.2"
 
   cluster_name           = "my-cluster"
   openshift_version      = "4.14.24"