This repository has been archived by the owner on Feb 22, 2023. It is now read-only.

Adding OpenID resource type, AWS tags #54

Open
wants to merge 30 commits into
base: main
30 commits
ee6680c
Added optional mapping method key to header
thatcherhubbard Jul 21, 2022
e6ab247
Added working tags field to ocm_cluster resource so they can be propo…
thatcherhubbard Jul 21, 2022
d3d2b6b
Merge pull request #2 from rh-mobb/feature/tags
thatcherhubbard Sep 8, 2022
ff99e82
Create a waiter resource to synchronize cluster creation
datianshi Sep 12, 2022
ad66305
Merge pull request #3 from rh-mobb/cluster_waiter
thatcherhubbard Sep 12, 2022
818bf94
Updating CI with correct secret names
thatcherhubbard Sep 15, 2022
a873d86
Updating CI actions
thatcherhubbard Sep 15, 2022
0fa74bf
More CI tweaks, bump Go to 1.18
thatcherhubbard Sep 15, 2022
5226464
More CI troubleshooting
thatcherhubbard Sep 15, 2022
24e2a6c
Updating CI definitions
thatcherhubbard Sep 16, 2022
505fcd0
Added optional mapping method key to header
thatcherhubbard Jul 21, 2022
8ec8fe4
Added working tags field to ocm_cluster resource so they can be propo…
thatcherhubbard Jul 21, 2022
70975b0
Create a waiter resource to synchronize cluster creation
datianshi Sep 12, 2022
e1a964d
Updating CI with correct secret names
thatcherhubbard Sep 15, 2022
c24b5e8
Updating CI actions
thatcherhubbard Sep 15, 2022
ed37d0c
More CI tweaks, bump Go to 1.18
thatcherhubbard Sep 15, 2022
00c999f
More CI troubleshooting
thatcherhubbard Sep 15, 2022
39a52f0
Updating CI definitions
thatcherhubbard Sep 16, 2022
3cf50ca
Merge pull request #5 from bardielle/rh_main
datianshi Oct 5, 2022
9a4c4e9
change example to rh-mobb instead of openshift-online
datianshi Oct 5, 2022
5059636
add custom role rosa sts creation example
datianshi Oct 6, 2022
c030c27
use terraform registry module
datianshi Oct 6, 2022
adec14b
Added basic handling of trust bundle string
thatcherhubbard Nov 23, 2022
45c0d35
.
thatcherhubbard Dec 6, 2022
f5d238d
With good example trust bundle
thatcherhubbard Dec 13, 2022
6eef449
fix the test... as adding the line break for the expected result
datianshi Dec 14, 2022
d82aa40
Additional trust bundle test passing
thatcherhubbard Dec 14, 2022
09ac486
Merge pull request #6 from rh-mobb/feature/additional_trust_bundle
thatcherhubbard Dec 15, 2022
b97df2f
point at official
paulczar Aug 14, 2023
4b719a6
Merge pull request #8 from paulczar/deprecate
paulczar Aug 14, 2023
21 changes: 14 additions & 7 deletions .github/workflows/publish-release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -28,25 +28,32 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout the source
uses: actions/checkout@v2
uses: actions/checkout@v3

- name: Unshallow
run: git fetch --prune --unshallow

- name: Setup Go
uses: actions/setup-go@v2
uses: actions/setup-go@v3
with:
go-version: 1.17
go-version-file: 'go.mod'
cache: true

- name: Import GPG key
id: import_gpg_key
uses: crazy-max/[email protected]
uses: crazy-max/ghaction-import-gpg@v5
id: import_gpg
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PASSPHRASE }}

- name: List GPG keys
run: gpg -K

- name: Run releaser
uses: goreleaser/goreleaser-action@v2.8.0
uses: goreleaser/goreleaser-action@v3.0.0
with:
version: latest
args: release --rm-dist
env:
GPG_FINGERPRINT: ${{ steps.import_gpg_key.outputs.fingerprint }}
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
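Review bot: every third-party action in this release job is referenced by a mutable tag (`uses: actions/checkout@v3`, `uses: crazy-max/ghaction-import-gpg@v5`, `uses: goreleaser/goreleaser-action@v3.0.0`), and this is the job that receives `secrets.GPG_PRIVATE_KEY` and a `GITHUB_TOKEN` that can publish releases; a moved tag in any of those repositories would run new code with signing access, so pin each action to a full commit SHA (keeping the version in a trailing comment) and track updates through a dependency bot. The new `List GPG keys` step (`run: gpg -K`) prints only key metadata, not private material, but it adds permanent debug output to release logs and should be dropped once the `id: import_gpg` rename is confirmed working; the updated `steps.import_gpg.outputs.fingerprint` reference does match the new id, so that part is consistent.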
2 changes: 2 additions & 0 deletions .tool-versions
@@ -0,0 +1,2 @@
golang 1.18.3
ginkgo 2.1.4
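Review bot: this pins `golang 1.18.3` in `.tool-versions` while the release workflow now takes its Go version from `go.mod` via `go-version-file`; two sources of truth for the toolchain will drift unless `go.mod` declares the same 1.18 line, so confirm they agree (the commit message "bump Go to 1.18" suggests they should) and consider a CI step that compares them. The `ginkgo 2.1.4` entry has no counterpart in the workflow, which is fine if tests are not run in this job, but a comment saying so would help the next maintainer.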
213 changes: 2 additions & 211 deletions README.md
@@ -1,214 +1,5 @@
# Terraform provider for OCM

> **IMPORTANT**: The version of the provider is currently 0.1 to indicate that
> it is at very early stage of development. The functionality isn't complete
> and there is no backwards compatibility guarantee.
>
> When it is ready for production the version will be updated to 1.0.
**IMPORTANT** This provider is archived and should not be used.

## Introduction

### Create OSD AWS Cluster

The OCM provider simplifies the provisioning of _OpenShift_ managed clusters
using the [OpenShift Cluster Manager](https://console.redhat.com/openshift)
application programming interface.

For example, to create a simple cluster with an identity provider that allows
login with a simple user name and password create a `main.tf` file similar this
and then run `terraform apply`:

```hcl
terraform {
required_providers {
ocm = {
version = ">= 0.1"
source = "openshift-online/ocm"
}
}
}

provider "ocm" {
token = "..."
}

resource "ocm_cluster" "my_cluster" {
name = "my-cluster"
cloud_provider = "aws"
product = "osd"
cloud_region = "us-east-1"
}

resource "ocm_identity_provider" "my_idp" {
cluster = ocm_cluster.my_cluster.id
name = "my-idp"
htpasswd = {
username = "admin"
password = "redhat123"
}
}

resource "ocm_group_membership" "my_admin" {
cluster = ocm_cluster.my_cluster.id
group = "dedicated-admins"
user = "admin"
}
```

The value of the `token` attribute of the provider should be the OCM
authentication token that you can get [here](https://console.redhat.com/openshift/token).
If this attribute isn't used then the provider will try to get the token it from
the `OCM_TOKEN` environment variable.

### Create AWS Rosa STS Cluster

The following example shows a production grade rosa cluster with:

* Existing VPC & Subnets
* Multi AZ
* Proxy
* STS

```
data "aws_caller_identity" "current" {}

locals {
sts_roles = {
role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/ManagedOpenShift-Installer-Role",
support_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/ManagedOpenShift-Support-Role",
operator_iam_roles = [
{
name = "cloud-credential-operator-iam-ro-creds",
namespace = "openshift-cloud-credential-operator",
role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.operator_role_prefix}-openshift-cloud-credential-operator-cloud-c",
},
{
name = "installer-cloud-credentials",
namespace = "openshift-image-registry",
role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.operator_role_prefix}-openshift-image-registry-installer-cloud-cr",
},
{
name = "cloud-credentials",
namespace = "openshift-ingress-operator",
role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.operator_role_prefix}-openshift-ingress-operator-cloud-credential",
},
{
name = "ebs-cloud-credentials",
namespace = "openshift-cluster-csi-drivers",
role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.operator_role_prefix}-openshift-cluster-csi-drivers-ebs-cloud-cre",
},
{
name = "cloud-credentials",
namespace = "openshift-cloud-network-config-controller",
role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.operator_role_prefix}-openshift-cloud-network-config-controller-c",
},
{
name = "aws-cloud-credentials",
namespace = "openshift-machine-api",
role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.operator_role_prefix}-openshift-machine-api-aws-cloud-credentials",
},
]
instance_iam_roles = {
master_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/ManagedOpenShift-ControlPlane-Role",
worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/ManagedOpenShift-Worker-Role"
},
}
}
resource "ocm_cluster" "rosa_cluster" {
name = var.cluster_name
cloud_provider = "aws"
cloud_region = "us-east-2"
product = "rosa"
aws_account_id = data.aws_caller_identity.current.account_id
aws_subnet_ids = var.rosa_subnet_ids
machine_cidr = var.rosa_vpc_cidr
multi_az = true
aws_private_link = true
availability_zones = ["us-east-2a", "us-east-2b", "us-east-2c"]
proxy = {
http_proxy = var.proxy
https_proxy = var.proxy
}
properties = {
rosa_creator_arn = data.aws_caller_identity.current.arn
}
wait = false
sts = local.sts_roles
}

module sts_roles {
source = "rh-mobb/rosa-sts-roles/aws"
create_account_roles = false
clusters = [{
id = ocm_cluster.rosa_cluster.id
operator_role_prefix = var.operator_role_prefix
}]
}
```


## Documentation

The reference documentation of the provider is available in the Terraform
[registry](https://registry.terraform.io/providers/rh-mobb/ocm/latest/docs).

## Examples

Check the [examples](examples) directory for complete examples.

## Development

To build the provider run the `make` command:

```shell
$ make
```

This will create a local Terraform plugin registry in the directory
`.terraform.d/plugins` of the project. Assuming that you have the project
checked out in `/files/projects/terraform-provider-ocm/repository` you will need
to add something like this to your Terraform CLI configuration file:

```hcl
provider_installation {
filesystem_mirror {
path = "/files/projects/terraform-provider-ocm/repository/.terraform.d/plugins"
include = ["localhost/*/*"]
}
}
```

If you don't want to change your global CLI configuation file you can put this
in any file you like and then use the `TF_CLI_CONFIG_FILE` environment variable
to point to it. For example, put the configuration in
`/files/projects/terraform-provider-ocm/terraform.rc` and then set the
environment variable pointing to it:

```shell
$ cat >/files/projects/terraform-provider-ocm/terraform.rc <<.
provider_installation {
filesystem_mirror {
path = "/files/projects/terraform-provider-ocm/repository/.terraform.d/plugins"
include = ["localhost/*/*"]
}
}
.
$ export TF_CLI_CONFIG_FILE=/files/projects/terraform-provider-ocm/terraform.rc
```

Once your configuration is ready you can go to the directory containing the
Terraform `.tf` files and run the `terraform init` and `terraform apply`
commands:

```shell
$ terraform init
$ terraform apply
```

To see the debug log of the provider set the `TF_LOG` environment variable to
`DEBUG` before running the `terraform apply` command:

```shell
$ export TF_LOG=DEBUG
$ terraform apply
```
Please use the official ROSA module / provider found at [registry.terraform.io/namespaces/terraform-redhat](https://registry.terraform.io/namespaces/terraform-redhat).
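Review bot: the replacement text `**IMPORTANT** This provider is archived and should not be used.` together with the closing `Please use the official ROSA module / provider found at ...` leaves the migration path vague: the link points at the `terraform-redhat` registry namespace rather than at a named provider or module, so a reader does not learn which resource replaces `ocm_cluster`. Name the replacement explicitly and state the version or date at which this repository stopped being maintained. Removing the quick-start is the right call from a hygiene standpoint: the deleted example shipped a literal `htpasswd` admin password (`password = "redhat123"`) and a placeholder `token = "..."` inside `main.tf`, patterns that get copied verbatim into real repositories; the surviving examples under `examples/` should keep relying on `OCM_TOKEN` / `TF_VAR_token` rather than inline credentials.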
2 changes: 1 addition & 1 deletion docs/index.md
Expand Up @@ -27,7 +27,7 @@ terraform {
required_providers {
ocm = {
version = ">= 0.1"
source = "openshift-online/ocm"
source = "rh-mobb/ocm"
}
}
}
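Review bot: the `source = "rh-mobb/ocm"` change is consistent with the example files in this PR, but `version = ">= 0.1"` stays unbounded: for a fork whose own README (before this PR) says there is no backwards compatibility guarantee, an open lower bound will silently pull in any future major release; document `~> 0.1` or an explicit upper bound instead.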
23 changes: 23 additions & 0 deletions docs/resources/ocm_identity_provider.md
Expand Up @@ -21,6 +21,7 @@ Identity provider.

- **htpasswd** (Attributes) Details of the 'htpasswd' identity provider. (see [below for nested schema](#nestedatt--htpasswd))
- **ldap** (Attributes) Details of the LDAP identity provider. (see [below for nested schema](#nestedatt--ldap))
- **oidc** (Attributes) Details of the LDAP identity provider. (see [below for nested schema](#nestedatt--oidc))

### Read-Only

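Review bot: the new line `- **oidc** (Attributes) Details of the LDAP identity provider. (see [below for nested schema](#nestedatt--oidc))` is a copy of the LDAP entry: the description still says LDAP, and the anchor `#nestedatt--oidc` does not match the nested schema added further down, which is titled `openid` and carries `id="nestedatt--openid"`. Pick one attribute name (`oidc` or `openid`) that matches the provider schema, fix the description, and make the anchor agree.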
Expand Down Expand Up @@ -57,4 +58,26 @@ Optional:
- **name** (List of String)
- **preferred_username** (List of String)

<a id="nestedatt--openid"></a>
### Nested Schema for `openid`

Optional:

- **claims** (Attributes) (see [below for nested schema](#nestedatt--openid--claims))
- **client_id** (String)
- **client_secret** (String, Sensitive)
- **ca** (String)
- **extra_scopes** (List of String, Optional)
- **exta_authorize_parameters** (Map of String, Optional)
- **issuer** (String)

<a id="nestedatt--openid--claims"></a>
### Nested Schema for `openid.claims`

Optional:

- **email** (List of String)
- **group** (List of String)
- **name** (List of String)
- **preferred_username** (List of String)

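Review bot: `- **exta_authorize_parameters** (Map of String, Optional)` looks like a typo for `extra_authorize_parameters` (compare `extra_scopes` directly above it); if the provider schema really spells it `exta_`, fix it in the schema before release, since renaming an attribute later is a breaking change for users. The `, Optional` suffix on two entries is redundant under the `Optional:` heading and no other entry in this document carries it. `client_secret` being marked `Sensitive` is correct; `ca` and `issuer` would benefit from one-line descriptions (the CA bundle used to verify the issuer, and the OIDC issuer URL), as the other identity provider attributes in this file have.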
2 changes: 1 addition & 1 deletion examples/create_ccs_cluster/main.tf
Expand Up @@ -22,7 +22,7 @@ terraform {
}
ocm = {
version = ">= 0.1"
source = "openshift-online/ocm"
source = "rh-mobb/ocm"
}
}
}
Expand Up @@ -22,7 +22,7 @@ terraform {
}
ocm = {
version = ">= 0.1"
source = "openshift-online/ocm"
source = "rh-mobb/ocm"
}
}
}
Expand Up @@ -22,7 +22,7 @@ terraform {
}
ocm = {
version = ">= 0.1"
source = "openshift-online/ocm"
source = "rh-mobb/ocm"
}
}
}
25 changes: 25 additions & 0 deletions examples/create_rosa_cluster/create_rosa_sts_custom_role/README.md
@@ -0,0 +1,25 @@
# ROSA STS cluster custom role name creation example

This example shows how to create an STS _ROSA_ cluster with custom role names. _ROSA_ stands for Red Hat Openshift Service on AWS
and is a cluster that is created in the AWS cloud infrastructure.

To run it:

* Provide OCM Authentication Token

OCM authentication token that you can get [here](https://console.redhat.com/openshift/token).

```
export TF_VAR_token=...
```

* Decide STS role_prefix and role_suffix

```
export TF_VAR_role_prefix=...
export TF_VAR_role_suffix=...
export TF_VAR_cluster_name=...
```

`main.tf` file and then run the `terraform apply` command.

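Review bot: the final line `` `main.tf` file and then run the `terraform apply` command. `` is a sentence fragment with its lead missing (something like "Review the variables in the `main.tf` file ..."), and there is no `terraform init` step before `terraform apply`. The token step `export TF_VAR_token=...` puts the OCM token into shell history and into the environment of every child process; since the provider also reads `OCM_TOKEN` when `token` is unset (per the README text this PR removes), document that alternative and recommend a secrets manager or a `*.auto.tfvars` file excluded from version control. The title promises custom role names, but the variables listed are `TF_VAR_role_prefix` and `TF_VAR_role_suffix`, while the ROSA example in the removed README uses `operator_role_prefix`; confirm the names match the variables this example's `main.tf` actually declares.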