OCM-13095 | feat: include zero egress vpc support #58

Open: wants to merge 1 commit into base: main
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -10,7 +10,6 @@ This module serves as a comprehensive solution for deploying, configuring and ma
```
module "hcp" {
source = "terraform-redhat/rosa-hcp/rhcs"
version = "1.6.2"

cluster_name = "my-cluster"
openshift_version = "4.14.24"
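Review bot: dropping `version = "1.6.2"` from the `module "hcp"` block leaves the registry module unpinned, so every `terraform init` resolves whatever the latest published `terraform-redhat/rosa-hcp/rhcs` release is, and upstream changes nobody has reviewed flow straight into users' clusters. If the intent is to stop hard-coding a fixed pin in the README, replace it with a constraint such as `version = ">= 1.6.2"` (or `~> 1.6`) rather than removing it, and keep it in step with the `rhcs >= 1.6.2` provider requirement.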
Expand Down Expand Up @@ -125,6 +124,7 @@ We recommend you install the following CLI tools:
| <a name="input_https_proxy"></a> [https\_proxy](#input\_https\_proxy) | A proxy URL to use for creating HTTPS connections outside the cluster. | `string` | `null` | no |
| <a name="input_identity_providers"></a> [identity\_providers](#input\_identity\_providers) | Provides a generic approach to add multiple identity providers after the creation of the cluster. This variable allows users to specify configurations for multiple identity providers in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the [idp sub-module](./modules/idp). For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string. | `map(any)` | `{}` | no |
| <a name="input_ignore_machine_pools_deletion_error"></a> [ignore\_machine\_pools\_deletion\_error](#input\_ignore\_machine\_pools\_deletion\_error) | Ignore machine pool deletion error. Assists when cluster resource is managed within the same file for the destroy use case | `bool` | `false` | no |
| <a name="input_is_zero_ingress"></a> [is\_zero\_ingress](#input\_is\_zero\_ingress) | Indicates use of zero ingress resources | `bool` | `false` | no |
| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The key ARN is the Amazon Resource Name (ARN) of a CMK. It is a unique, fully qualified identifier for the CMK. A key ARN includes the AWS account, Region, and the key ID. | `string` | `null` | no |
| <a name="input_kubelet_configs"></a> [kubelet\_configs](#input\_kubelet\_configs) | Provides a generic approach to add multiple kubelet configs after the creation of the cluster. This variable allows users to specify configurations for multiple kubelet configs in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the [idp sub-module](./modules/kubelet-configs). For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string. | `map(any)` | `{}` | no |
| <a name="input_machine_cidr"></a> [machine\_cidr](#input\_machine\_cidr) | Block of IP addresses used by OpenShift while installing the cluster, for example "10.0.0.0/16". | `string` | `null` | no |
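Review bot: the new `is_zero_ingress` row documents a "zero ingress" input in a PR titled "include zero egress vpc support", and the example `main.tf` in this PR passes `is_zero_egress = true` to the VPC module while passing `is_zero_ingress = true` to the cluster module. Confirm which name the root module actually exposes, and make the description say what the flag does (for instance, that the cluster is created for a VPC with no outbound internet access) instead of "Indicates use of zero ingress resources". The unchanged `kubelet_configs` row still links to `./modules/kubelet-configs` under the label "idp sub-module", which could be corrected in passing.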
155 changes: 155 additions & 0 deletions examples/rosa-hcp-private-zero-egress/README.md
@@ -0,0 +1,155 @@
# Private Zero Egress ROSA HCP

## Introduction

This is a Terraform manifest example for creating a Red Hat OpenShift Service on AWS (ROSA) Hosted Control Plane (HCP) cluster. This example provides a structured configuration template that demonstrates how to deploy a ROSA cluster within your AWS environment by using Terraform.

This example includes:
- A Zero Egress ROSA cluster with private access.
- All AWS resources (IAM and networking) that are created as part of the ROSA cluster module execution.
- A bastion host EC2 instance that allows to reach the private cluster.

## Example Usage

```
############################
# Cluster
############################
module "hcp" {
source = "terraform-redhat/rosa-hcp/rhcs"

cluster_name = "my-cluster"
openshift_version = "4.14.24"
machine_cidr = module.vpc.cidr_block
aws_subnet_ids = module.vpc.private_subnets
aws_availability_zones = module.vpc.availability_zones
replicas = 2
private = true
create_admin_user = true
admin_credentials_username = "admin"
admin_credentials_password = random_password.password.result

// STS configuration
create_account_roles = true
account_role_prefix = "my-cluster-account"
create_oidc = true
create_operator_roles = true
operator_role_prefix = "my-cluster-operator"
is_zero_ingress = true
}

resource "random_password" "password" {
length = 14
special = true
min_lower = 1
min_numeric = 1
min_special = 1
min_upper = 1
}

############################
# VPC
############################
module "vpc" {
source = "terraform-redhat/rosa-hcp/rhcs//modules/vpc"

name_prefix = "my-vpc"
availability_zones_count = 1
is_zero_ingress = true
}

############################
# Bastion instance for connection to the cluster
############################
data "aws_ami" "rhel9" {
most_recent = true

filter {
name = "platform-details"
values = ["Red Hat Enterprise Linux"]
}

filter {
name = "architecture"
values = ["x86_64"]
}

filter {
name = "root-device-type"
values = ["ebs"]
}

filter {
name = "manifest-location"
values = ["amazon/RHEL-9.*_HVM-*-x86_64-*-Hourly2-GP2"]
}

owners = ["309956199498"] # Amazon's "Official Red Hat" account
}
module "bastion_host" {
source = "../../modules/bastion-host"
prefix = "my-host"
vpc_id = module.vpc.vpc_id
subnet_ids = [module.vpc.public_subnets[0]]
ami_id = aws_ami.rhel9.id
user_data_file = file("bastion-host-user-data.yaml")
}
```


<!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.35.0 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
| <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs) | >= 1.6.2 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.35.0 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_bastion_host"></a> [bastion\_host](#module\_bastion\_host) | ../../modules/bastion-host | n/a |
| <a name="module_hcp"></a> [hcp](#module\_hcp) | ../../ | n/a |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../modules/vpc | n/a |

## Resources

| Name | Type |
|------|------|
| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [aws_ami.rhel9](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | n/a | `string` | n/a | yes |
| <a name="input_openshift_version"></a> [openshift\_version](#input\_openshift\_version) | n/a | `string` | `"4.16.3"` | no |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_account_role_prefix"></a> [account\_role\_prefix](#output\_account\_role\_prefix) | The prefix used for all generated AWS resources. |
| <a name="output_account_roles_arn"></a> [account\_roles\_arn](#output\_account\_roles\_arn) | A map of Amazon Resource Names (ARNs) associated with the AWS IAM roles created. The key in the map represents the name of an AWS IAM role, while the corresponding value represents the associated Amazon Resource Name (ARN) of that role. |
| <a name="output_bastion_host_public_ip"></a> [bastion\_host\_public\_ip](#output\_bastion\_host\_public\_ip) | Bastion Host Public IP |
| <a name="output_cluster_api_url"></a> [cluster\_api\_url](#output\_cluster\_api\_url) | The URL of the API server. |
| <a name="output_cluster_console_url"></a> [cluster\_console\_url](#output\_cluster\_console\_url) | The URL of the console. |
| <a name="output_cluster_id"></a> [cluster\_id](#output\_cluster\_id) | Unique identifier of the cluster. |
| <a name="output_oidc_config_id"></a> [oidc\_config\_id](#output\_oidc\_config\_id) | The unique identifier associated with users authenticated through OpenID Connect (OIDC) generated by this OIDC config. |
| <a name="output_oidc_endpoint_url"></a> [oidc\_endpoint\_url](#output\_oidc\_endpoint\_url) | Registered OIDC configuration issuer URL, generated by this OIDC config. |
| <a name="output_operator_role_prefix"></a> [operator\_role\_prefix](#output\_operator\_role\_prefix) | Prefix used for generated AWS operator policies. |
| <a name="output_operator_roles_arn"></a> [operator\_roles\_arn](#output\_operator\_roles\_arn) | List of Amazon Resource Names (ARNs) for all operator roles created. |
| <a name="output_password"></a> [password](#output\_password) | n/a |
| <a name="output_path"></a> [path](#output\_path) | The arn path for the account/operator roles as well as their policies. |
<!-- END_AUTOMATED_TF_DOCS_BLOCK -->
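Review bot: `ami_id = aws_ami.rhel9.id` in the Example Usage block is missing the `data.` prefix (the `main.tf` in this PR correctly uses `data.aws_ami.rhel9.id`), so the snippet fails to plan if copied as-is. The README also diverges from `main.tf` in ways that matter: the VPC module is given `is_zero_ingress = true` here but `is_zero_egress = true` in `main.tf`; the `hcp` block omits `ec2_metadata_http_tokens = "required"`, which enforces IMDSv2 on the nodes and belongs in the documented example; and `openshift_version` is `"4.14.24"` here while the Inputs table defaults to `"4.16.3"`. Generating the snippet from `main.tf` would keep the two in sync.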
87 changes: 87 additions & 0 deletions examples/rosa-hcp-private-zero-egress/main.tf
@@ -0,0 +1,87 @@
locals {
account_role_prefix = "${var.cluster_name}-account"
operator_role_prefix = "${var.cluster_name}-operator"
}

############################
# Cluster
############################
module "hcp" {
source = "../../"

cluster_name = var.cluster_name
openshift_version = var.openshift_version
machine_cidr = module.vpc.cidr_block
aws_subnet_ids = module.vpc.private_subnets
replicas = 2
private = true
create_admin_user = true
admin_credentials_username = "admin"
admin_credentials_password = random_password.password.result
ec2_metadata_http_tokens = "required"

// STS configuration
create_account_roles = true
account_role_prefix = local.account_role_prefix
create_oidc = true
create_operator_roles = true
operator_role_prefix = local.operator_role_prefix
is_zero_ingress = true
}

resource "random_password" "password" {
length = 14
special = true
min_lower = 1
min_numeric = 1
min_special = 1
min_upper = 1
}

############################
# VPC
############################
module "vpc" {
source = "../../modules/vpc"

name_prefix = var.cluster_name
availability_zones_count = 1
is_zero_egress = true
}

############################
# Bastion instance for connection to the cluster
############################
data "aws_ami" "rhel9" {
most_recent = true

filter {
name = "platform-details"
values = ["Red Hat Enterprise Linux"]
}

filter {
name = "architecture"
values = ["x86_64"]
}

filter {
name = "root-device-type"
values = ["ebs"]
}

filter {
name = "manifest-location"
values = ["amazon/RHEL-9.*_HVM-*-x86_64-*-Hourly2-GP2"]
}

owners = ["309956199498"] # Amazon's "Official Red Hat" account
}
module "bastion_host" {
source = "../../modules/bastion-host"
prefix = var.cluster_name
vpc_id = module.vpc.vpc_id
subnet_ids = [module.vpc.public_subnets[0]]
ami_id = data.aws_ami.rhel9.id
user_data_file = file("../../assets/bastion-host-user-data.yaml")
}
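Review bot: the cluster module is given `is_zero_ingress = true` while the VPC module is given `is_zero_egress = true`; given the PR title, one of these looks like a naming slip and the two should agree (or, if both flags are real and distinct, a comment should explain why a zero-egress VPC also needs a zero-ingress cluster). Also check that `module.vpc.public_subnets[0]` exists when `is_zero_egress = true`: if the zero-egress VPC creates no public subnet the index fails at plan time, and if it does create one the bastion is the only internet-facing entry point into the private cluster, so the `bastion_host` module call should restrict the source CIDRs allowed to reach it if the module exposes such an input. `ec2_metadata_http_tokens = "required"` is a good addition.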
59 changes: 59 additions & 0 deletions examples/rosa-hcp-private-zero-egress/outputs.tf
@@ -0,0 +1,59 @@
output "bastion_host_public_ip" {
value = module.bastion_host.bastion_host_public_ip
description = "Bastion Host Public IP"
}

output "cluster_id" {
value = module.hcp.cluster_id
description = "Unique identifier of the cluster."
}

output "cluster_api_url" {
value = module.hcp.cluster_api_url
description = "The URL of the API server."
}

output "cluster_console_url" {
value = module.hcp.cluster_console_url
description = "The URL of the console."
}

output "account_role_prefix" {
value = module.hcp.account_role_prefix
description = "The prefix used for all generated AWS resources."
}

output "account_roles_arn" {
value = module.hcp.account_roles_arn
description = "A map of Amazon Resource Names (ARNs) associated with the AWS IAM roles created. The key in the map represents the name of an AWS IAM role, while the corresponding value represents the associated Amazon Resource Name (ARN) of that role."
}

output "path" {
value = module.hcp.path
description = "The arn path for the account/operator roles as well as their policies."
}

output "oidc_config_id" {
value = module.hcp.oidc_config_id
description = "The unique identifier associated with users authenticated through OpenID Connect (OIDC) generated by this OIDC config."
}

output "oidc_endpoint_url" {
value = module.hcp.oidc_endpoint_url
description = "Registered OIDC configuration issuer URL, generated by this OIDC config."
}

output "operator_role_prefix" {
value = module.hcp.operator_role_prefix
description = "Prefix used for generated AWS operator policies."
}

output "operator_roles_arn" {
value = module.hcp.operator_roles_arn
description = "List of Amazon Resource Names (ARNs) for all operator roles created."
}

output "password" {
value = resource.random_password.password
sensitive = true
}
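Review bot: `output "password"` exports the whole `random_password.password` resource object rather than `random_password.password.result`, and it is the only output without a `description` (the README table shows `n/a`). Suggest `value = random_password.password.result` plus a description; `sensitive = true` is correct and must stay, since this is the cluster admin credential. The `resource.` address prefix is only understood by newer Terraform releases, so either check it against the `>= 1.0` floor in `versions.tf` or drop the prefix, as the plain `random_password.password` address works everywhere.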
12 changes: 12 additions & 0 deletions examples/rosa-hcp-private-zero-egress/variables.tf
@@ -0,0 +1,12 @@
variable "openshift_version" {
type = string
default = "4.16.3"
validation {
condition = can(regex("^[0-9]*[0-9]+.[0-9]*[0-9]+.[0-9]*[0-9]+$", var.openshift_version))
error_message = "openshift_version must be with structure <major>.<minor>.<patch> (for example 4.13.6)."
}
}

variable "cluster_name" {
type = string
}
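Review bot: the `openshift_version` regex `^[0-9]*[0-9]+.[0-9]*[0-9]+.[0-9]*[0-9]+$` uses unescaped `.`, which matches any character, so a value like `4x16y3` passes validation; `[0-9]*[0-9]+` is also just `[0-9]+`. `^[0-9]+\\.[0-9]+\\.[0-9]+$` expresses the `<major>.<minor>.<patch>` check the error message promises. `cluster_name` has no `description` and no validation even though `main.tf` interpolates it into the IAM account and operator role prefixes and the bastion host prefix; a length and charset check here gives a clearer error than a failed API call later.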
18 changes: 18 additions & 0 deletions examples/rosa-hcp-private-zero-egress/versions.tf
@@ -0,0 +1,18 @@
terraform {
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.35.0"
}
rhcs = {
version = ">= 1.6.2"
source = "terraform-redhat/rhcs"
}
random = {
source = "hashicorp/random"
version = ">= 2.0"
}
}
}
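Review bot: all three provider constraints are open-ended lower bounds (`>= 5.35.0`, `>= 1.6.2`, `>= 2.0`), so a fresh `terraform init` without a committed `.terraform.lock.hcl` pulls the newest major of each provider; for an example meant to be copied, `~>` pessimistic constraints (or committing the lock file) keep the resolved versions reviewable. Minor style point: the `rhcs` block lists `version` before `source`, unlike the other two blocks.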
1 change: 0 additions & 1 deletion examples/rosa-hcp-private/README.md
Expand Up @@ -17,7 +17,6 @@ This example includes:
############################
module "hcp" {
source = "terraform-redhat/rosa-hcp/rhcs"
version = "1.6.2"

cluster_name = "my-cluster"
openshift_version = "4.14.24"
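Review bot: removing `version = "1.6.2"` here unpins the registry module for the private example, so readers who copy it get whatever release is current at `terraform init` time; keep a constraint such as `version = ">= 1.6.2"` instead of deleting the line.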
1 change: 0 additions & 1 deletion examples/rosa-hcp-public-unmanaged-oidc/README.md
Expand Up @@ -16,7 +16,6 @@ This example includes:
############################
module "hcp" {
source = "terraform-redhat/rosa-hcp/rhcs"
version = "1.6.2"

cluster_name = "my-cluster"
openshift_version = "4.14.24"
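Review bot: same concern as the other README changes in this PR: deleting `version = "1.6.2"` leaves the `module "hcp"` source unconstrained, so this unmanaged-OIDC example would silently track the latest module release; a `version = ">= 1.6.2"` constraint preserves the intent without freezing the pin.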
1 change: 0 additions & 1 deletion examples/rosa-hcp-public/README.md
Expand Up @@ -16,7 +16,6 @@ This example includes:
############################
module "hcp" {
source = "terraform-redhat/rosa-hcp/rhcs"
version = "1.6.2"

cluster_name = "my-cluster"
openshift_version = "4.14.24"
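Review bot: this hunk also drops the module `version` pin without replacing it with a constraint; an unconstrained `source = "terraform-redhat/rosa-hcp/rhcs"` resolves to the newest release on every init, so suggest `version = ">= 1.6.2"` (or `~> 1.6`) here as in the other examples.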