terraform-rhcs-rosa-hcp

Terraform module which creates ROSA HCP cluster

Introduction

This module serves as a comprehensive solution for deploying, configuring and managing Red Hat OpenShift on AWS (ROSA) Hosted Control Plane (HCP) clusters within your AWS environment. With a focus on simplicity and efficiency, this module streamlines the process of setting up and maintaining ROSA HCP clusters, enabling users to use the power of OpenShift on AWS infrastructure effortlessly.

Example Usage

module "hcp" {
  source = "terraform-redhat/rosa-hcp/rhcs"
  version = "1.6.2"

  cluster_name           = "my-cluster"
  openshift_version      = "4.14.24"
  machine_cidr           = "10.0.0.0/16"
  aws_subnet_ids         = ["subnet-1", "subnet-2"]
  aws_availability_zones = ["us-west-2a"]
  replicas               = 2

  // STS configuration
  create_account_roles  = true
  account_role_prefix   = "my-cluster-account"
  create_oidc           = true
  create_operator_roles = true
  operator_role_prefix  = "my-cluster-operator"
}

Sub-modules

Sub-modules included in this module:

account-iam-resource: Handles the provisioning of Identity and Access Management (IAM) resources required for managing access and permissions in the AWS account associated with the ROSA HCP cluster.
idp: Responsible for configuring Identity Providers (IDPs) within the ROSA HCP cluster, faciliting seamless integration with external authentication system such as Github (GH), GitLab, Google, HTPasswd, LDAP and OpenID Connect (OIDC).
machine-pool: Facilitates the management of machine pools within the ROSA HCP cluster, enabling users to scale resources and adjust specifications based on workload demands.
oidc-config-and-provider: Manages the configuration of OpenID Connect (OIDC) hosted files and providers for ROSA HCP clusters, enabling secure authentication and access control mechanisms for operator roles.
operator-roles: Oversees the management of roles assigned to operators within the ROSA HCP cluster, enabling to perform required actions with appropriate permissions on the lifecyle of a cluster.
rosa-cluster-hcp: Handles the core configuration and provisioning of the ROSA HCP cluster, including cluster networking, security settings and other essential components.
vpc: Handles the configuration and provisioning of the Virtucal Private Cloud (VPC) infrastracture required for hosting the ROSA HCP cluster and it's associated resources.

The primary sub-modules responsible for ROSA HCP cluster creation includes optional configurations for setting up account roles, operator roles and OIDC config/provider. This comprehensive module handles the entire process of provisioning and configuring ROSA HCP clusters in your AWS environment.

Pre-requisites

Terraform CLI (1.4.6+) must be installed.
An AWS account and the associated credentials that allow you to create resources. These credentials must be configured for the AWS provider (see Authentication and Configuration section in AWS terraform provider documentation.)
The ROSA getting started AWS prerequisites must be completed.
A valid OpenShift Cluster Manager API Token must be configured (see Authentication and configuration for more information).

We recommend you install the following CLI tools:

Requirements

Name	Version
terraform	>= 1.0
aws	>= 5.38.0
null	>= 3.0.0
rhcs	>= 1.6.2

Providers

Name	Version
aws	>= 5.38.0
null	>= 3.0.0

Modules

Name	Source	Version
account_iam_resources	./modules/account-iam-resources	n/a
oidc_config_and_provider	./modules/oidc-config-and-provider	n/a
operator_roles	./modules/operator-roles	n/a
rhcs_hcp_kubelet_configs	./modules/kubelet-configs	n/a
rhcs_hcp_machine_pool	./modules/machine-pool	n/a
rhcs_identity_provider	./modules/idp	n/a
rosa_cluster_hcp	./modules/rosa-cluster-hcp	n/a

Resources

Name	Type
null_resource.validations	resource
aws_caller_identity.current	data source

Inputs

Name	Description	Type	Default	Required
account_role_prefix	User-defined prefix for all generated AWS resources (default "account-role-")	`string`	`null`	no
additional_trust_bundle	A string containing a PEM-encoded X.509 certificate bundle that will be added to the nodes' trusted certificate store.	`string`	`null`	no
admin_credentials_password	Admin password that is created with the cluster. The password must contain at least 14 characters (ASCII-standard) without whitespaces including uppercase letters, lowercase letters, and numbers or symbols.	`string`	`null`	no
admin_credentials_username	Admin username that is created with the cluster. auto generated username - "cluster-admin"	`string`	`null`	no
autoscaler_max_node_provision_time	Maximum time cluster-autoscaler waits for node to be provisioned.	`string`	`null`	no
autoscaler_max_nodes_total	Maximum number of nodes in all node groups. Cluster autoscaler will not grow the cluster beyond this number.	`number`	`null`	no
autoscaler_max_pod_grace_period	Gives pods graceful termination time before scaling down.	`number`	`null`	no
autoscaler_pod_priority_threshold	To allow users to schedule 'best-effort' pods, which shouldn't trigger Cluster Autoscaler actions, but only run when there are spare resources available.	`number`	`null`	no
aws_availability_zones	The AWS availability zones where instances of the default worker machine pool are deployed. Leave empty for the installer to pick availability zones	`list(string)`	`[]`	no
aws_billing_account_id	The AWS billing account identifier where all resources are billed. If no information is provided, the data will be retrieved from the currently connected account.	`string`	`null`	no
aws_subnet_ids	The Subnet IDs to use when installing the cluster.	`list(string)`	n/a	yes
cluster_autoscaler_enabled	Enable Autoscaler for this cluster. This resource is currently unavailable and using will result in error 'Autoscaler configuration is not available'	`bool`	`false`	no
cluster_name	Name of the cluster. After the creation of the resource, it is not possible to update the attribute value.	`string`	n/a	yes
compute_machine_type	Identifies the Instance type used by the default worker machine pool e.g. `m5.xlarge`. Use the `rhcs_machine_types` data source to find the possible values.	`string`	`null`	no
create_account_roles	Create the aws account roles for rosa	`bool`	`false`	no
create_admin_user	To create cluster admin user with default username `cluster-admin` and generated password. It will be ignored if `admin_credentials_username` or `admin_credentials_password` is set. (default: false)	`bool`	`null`	no
create_oidc	Create the oidc resources. This value should not be updated, please create a new resource instead or utilize the submodule to create a new oidc config	`bool`	`false`	no
create_operator_roles	Create the aws account roles for rosa	`bool`	`false`	no
default_ingress_listening_method	Listening Method for ingress. Options are ["internal", "external"]. Default is "external". When empty is set based on private variable.	`string`	`""`	no
destroy_timeout	Maximum duration in minutes to allow for destroying resources. (Default: 60 minutes)	`number`	`null`	no
disable_waiting_in_destroy	Disable addressing cluster state in the destroy resource. Default value is false, and so a `destroy` will wait for the cluster to be deleted.	`bool`	`null`	no
ec2_metadata_http_tokens	Should cluster nodes use both v1 and v2 endpoints or just v2 endpoint of EC2 Instance Metadata Service (IMDS). Available since OpenShift 4.11.0.	`string`	`"optional"`	no
etcd_encryption	Add etcd encryption. By default etcd data is encrypted at rest. This option configures etcd encryption on top of existing storage encryption.	`bool`	`null`	no
etcd_kms_key_arn	The key ARN is the Amazon Resource Name (ARN) of a CMK. It is a unique, fully qualified identifier for the CMK. A key ARN includes the AWS account, Region, and the key ID.	`string`	`null`	no
host_prefix	Subnet prefix length to assign to each individual node. For example, if host prefix is set to "23", then each node is assigned a /23 subnet out of the given CIDR.	`number`	`null`	no
http_proxy	A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must be http.	`string`	`null`	no
https_proxy	A proxy URL to use for creating HTTPS connections outside the cluster.	`string`	`null`	no
identity_providers	Provides a generic approach to add multiple identity providers after the creation of the cluster. This variable allows users to specify configurations for multiple identity providers in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the idp sub-module. For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string.	`map(any)`	`{}`	no
kms_key_arn	The key ARN is the Amazon Resource Name (ARN) of a CMK. It is a unique, fully qualified identifier for the CMK. A key ARN includes the AWS account, Region, and the key ID.	`string`	`null`	no
kubelet_configs	Provides a generic approach to add multiple kubelet configs after the creation of the cluster. This variable allows users to specify configurations for multiple kubelet configs in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the idp sub-module. For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string.	`map(any)`	`{}`	no
machine_cidr	Block of IP addresses used by OpenShift while installing the cluster, for example "10.0.0.0/16".	`string`	`null`	no
machine_pools	Provides a generic approach to add multiple machine pools after the creation of the cluster. This variable allows users to specify configurations for multiple machine pools in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the machine-pool sub-module. For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string.	`map(any)`	`{}`	no
managed_oidc	OIDC type managed or unmanaged oidc. Only active when create_oidc also enabled. This value should not be updated, please create a new resource instead	`bool`	`true`	no
no_proxy	A comma-separated list of destination domain names, domains, IP addresses or other network CIDRs to exclude proxying.	`string`	`null`	no
oidc_config_id	The unique identifier associated with users authenticated through OpenID Connect (OIDC) within the ROSA cluster. If create_oidc is false this attribute is required.	`string`	`null`	no
oidc_endpoint_url	Registered OIDC configuration issuer URL, added as the trusted relationship to the operator roles. Valid only when create_oidc is false.	`string`	`null`	no
openshift_version	Desired version of OpenShift for the cluster, for example '4.1.0'. If version is greater than the currently running version, an upgrade will be scheduled.	`string`	n/a	yes
operator_role_prefix	User-defined prefix for generated AWS operator policies. Use "account-role-prefix" in case no value provided.	`string`	`null`	no
path	The arn path for the account/operator roles as well as their policies. Must begin and end with '/'.	`string`	`"/"`	no
permissions_boundary	The ARN of the policy that is used to set the permissions boundary for the IAM roles in STS clusters.	`string`	`""`	no
pod_cidr	Block of IP addresses from which Pod IP addresses are allocated, for example "10.128.0.0/14".	`string`	`null`	no
private	Restrict master API endpoint and application routes to direct, private connectivity. (default: false)	`bool`	`false`	no
properties	User defined properties.	`map(string)`	`null`	no
replicas	Number of worker nodes to provision. This attribute is applicable solely when autoscaling is disabled. Single zone clusters need at least 2 nodes, multizone clusters need at least 3 nodes. Hosted clusters require that the number of worker nodes be a multiple of the number of private subnets. (default: 2)	`number`	`null`	no
service_cidr	Block of IP addresses for services, for example "172.30.0.0/16".	`string`	`null`	no
tags	Apply user defined tags to all cluster resources created in AWS. After the creation of the cluster is completed, it is not possible to update this attribute.	`map(string)`	`null`	no
upgrade_acknowledgements_for	Indicates acknowledgement of agreements required to upgrade the cluster version between minor versions (e.g. a value of "4.12" indicates acknowledgement of any agreements required to upgrade to OpenShift 4.12.z from 4.11 or before).	`string`	`null`	no
wait_for_create_complete	Wait until the cluster is either in a ready state or in an error state. The waiter has a timeout of 20 minutes. (default: true)	`bool`	`true`	no
wait_for_std_compute_nodes_complete	Wait until the initial set of machine pools to be available. The waiter has a timeout of 60 minutes. (default: true)	`bool`	`true`	no

Outputs

Name	Description
account_role_prefix	The prefix used for all generated AWS resources.
account_roles_arn	A map of Amazon Resource Names (ARNs) associated with the AWS IAM roles created. The key in the map represents the name of an AWS IAM role, while the corresponding value represents the associated Amazon Resource Name (ARN) of that role.
cluster_admin_password	The password of the admin user.
cluster_admin_username	The username of the admin user.
cluster_api_url	The URL of the API server.
cluster_console_url	The URL of the console.
cluster_current_version	The currently running version of OpenShift on the cluster, for example '4.11.0'.
cluster_domain	The DNS domain of cluster.
cluster_id	Unique identifier of the cluster.
cluster_state	The state of the cluster.
oidc_config_id	The unique identifier associated with users authenticated through OpenID Connect (OIDC) generated by this OIDC config.
oidc_endpoint_url	Registered OIDC configuration issuer URL, generated by this OIDC config.
operator_role_prefix	Prefix used for generated AWS operator policies.
operator_roles_arn	List of Amazon Resource Names (ARNs) for all operator roles created.
path	The arn path for the account/operator roles as well as their policies.

grantomation/terraform-rhcs-rosa-hcp