terraform-redhat/terraform-provider-rhcs

Creation of ROSA cluster using AWS Private Link requires setting of undocumented argument 'private'

Closed this issue · 12 comments

The creation of a ROSA STS cluster with an AWS private link using provider version 1.3.0-prerelease.2 errors unless the undocumented resource argument private is set to true. Can the documentation be updated, please?

resource "rhcs_cluster_rosa_classic" "rosa_sts_cluster" {
  ....
  aws_private_link = true
  multi_az         = true
  private          = true       # undocumented in 1.3.0-prerelease.2, but required for the private link cluster to be created
  version          = "4.12.27"  # or 4.13.8

  ...
  lifecycle {
    ignore_changes = [
      proxy.additional_trust_bundle
    ]
  }
}
tshefi commented

Hi @am90670

x-prerelease.x builds are intended for Dev/QE testing; the last tested release users should try is still v1.2.2, where you won't hit this issue, unless you're willing to live on the edge.

The private feature was partially added in 1.3.0-prerelease.1, but needed .2 to actually work; I am awaiting an additional fix, probably in 1.3.0-prerelease.4(?), before I can verify the feature. The documentation would also be amended.

Tzach

Hi @tshefi,

Thanks for the update.

Alistair

oybed commented

Looks like the v1.3.0 release still doesn't include the documentation for the new private argument - is the expectation that users still use v1.2.x(?).

Also, is there documentation somewhere showing what the "correct" version to use is? (The https://registry.terraform.io/providers/terraform-redhat/rhcs documentation isn't very useful for this.)

nirarg commented

Hi @oybed,
Any non-"prerelease" version is a validated version.
You can use v1.3.0.

The private attribute is included in the documentation here.
We are working on more descriptions; can you please indicate if there is anything else you are looking for in this context?

Hi @nirarg @bardielle

Suppose I have deployed a private link ROSA cluster using the old module with the configuration below:

resource "rhcs_cluster_rosa_classic" "rosa" {
  name = var.cluster_name

  cloud_region   = var.aws_region
  aws_account_id = data.aws_caller_identity.current.account_id
  tags           = local.tags

  replicas             = var.replicas
  availability_zones   = var.availability_zones
  aws_private_link     = var.enable_private_link
  aws_subnet_ids       = var.enable_private_link ? module.rosa-vpc.private_subnets : concat(module.rosa-vpc.private_subnets, module.rosa-vpc.public_subnets)
  compute_machine_type = var.compute_node_instance_type
  multi_az             = length(module.rosa-vpc.private_subnets) == 3 ? true : false
  version              = var.rosa_version
  machine_cidr         = module.rosa-vpc.vpc_cidr_block
  properties           = { rosa_creator_arn = data.aws_caller_identity.current.arn }
  sts                  = var.enable_sts ? local.sts_roles : null
  depends_on           = [module.rosa-vpc]
}

Now, if I introduce/add private = true in my existing code, will it impact the existing deployed ROSA clusters?

Hi @vsomwanshi ,

The private parameter cannot be changed in an existing cluster.
If you created a cluster with an old version, before this attribute was added, you need to update your manifest according to the value of the aws_private_link attribute.
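A pre-apply check for the rule in the reply above (set private to the same value as aws_private_link, and do not expect to flip it on an existing cluster), as an added example that is not part of this thread or of the rhcs provider. It is a small regex-based scanner, not a full HCL parser: it assumes one attribute per line and top-level resource blocks, and compares the two attributes' expressions textually, so a literal true against var.enable_private_link is reported even when the variable evaluates to true. The sample manifests at the bottom are constructed for the example.

```python
"""Pre-apply lint for rhcs_cluster_rosa_classic blocks.

Added example, not part of the issue thread or of the rhcs provider.
It reports the two mistakes discussed in the thread:
  * aws_private_link is set but `private` is missing (rejected at create
    time by the 1.3.0 prerelease provider), and
  * `private` and aws_private_link are driven by different expressions,
    so they can drift apart even though `private` must follow
    aws_private_link and cannot be changed on an existing cluster.
"""
import re
import sys

# Opening line of a top-level rhcs_cluster_rosa_classic resource block.
RESOURCE_RE = re.compile(
    r'resource\s+"rhcs_cluster_rosa_classic"\s+"(?P<name>[^"]+)"\s*\{'
)
# One `key = value` attribute per line; a trailing `# comment` is dropped.
ATTR_RE = re.compile(
    r'^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>[^#\n]+?)\s*(?:#.*)?$'
)


def _block_body(text, start):
    """Return the text between the brace at `start` and its matching close brace."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in resource block")


def _top_level_attrs(body):
    """Collect `key = value` pairs at the top level of a block body.

    Nested blocks (lifecycle { ... }, proxy = { ... }) are skipped by tracking
    brace depth line by line; a one-line object value like
    `properties = { ... }` stays at depth 0 and is kept.
    """
    attrs = {}
    depth = 0
    for line in body.splitlines():
        stripped = line.strip()
        if depth == 0:
            m = ATTR_RE.match(line)
            if m and not stripped.endswith("{"):
                attrs[m.group("key")] = m.group("value").strip()
        depth += stripped.count("{") - stripped.count("}")
    return attrs


def lint(text):
    """Return [(resource_name, message), ...]; an empty list means consistent."""
    findings = []
    for m in RESOURCE_RE.finditer(text):
        name = m.group("name")
        attrs = _top_level_attrs(_block_body(text, m.end() - 1))
        link = attrs.get("aws_private_link")
        private = attrs.get("private")
        if link is None:
            continue  # aws_private_link not set: nothing for this check to compare
        if private is None:
            findings.append((name, f"aws_private_link = {link} but `private` is not set; "
                                   "set private to the same value"))
        elif private != link:
            findings.append((name, f"private = {private} differs from aws_private_link = {link}; "
                                   "drive both from the same expression"))
    return findings


# Constructed sample manifests for the three cases (not copied from the thread).
MISSING_PRIVATE = '''
resource "rhcs_cluster_rosa_classic" "rosa_sts_cluster" {
  aws_private_link = true
  multi_az         = true
  version          = "4.12.27"  # or 4.13.8
  lifecycle {
    ignore_changes = [
      proxy.additional_trust_bundle
    ]
  }
}
'''

CONSISTENT = '''
resource "rhcs_cluster_rosa_classic" "rosa" {
  aws_private_link = var.enable_private_link
  private          = var.enable_private_link
  properties       = { rosa_creator_arn = data.aws_caller_identity.current.arn }
}
'''

DRIFTING = '''
resource "rhcs_cluster_rosa_classic" "rosa" {
  aws_private_link = var.enable_private_link
  private          = var.private
}
'''

if __name__ == "__main__":
    # Usage: python lint_rosa_private.py rosa_with_new_vpc.tf [more .tf files]
    problems = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            problems += [(path, n, msg) for n, msg in lint(fh.read())]
    for path, n, msg in problems:
        print(f"{path}: rhcs_cluster_rosa_classic.{n}: {msg}")
    sys.exit(1 if problems else 0)
```

Run it over the .tf files before terraform plan; a non-zero exit means a cluster block would either fail at creation (missing private) or could later produce a diff on an attribute the provider will not change in place.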

@nirarg For testing I added the private parameter to the existing manifest file and reran terraform plan. Looks good; it is not touching the existing cluster.

resource "rhcs_cluster_rosa_classic" "rosa" {
  name = var.cluster_name

  cloud_region   = var.aws_region
  aws_account_id = data.aws_caller_identity.current.account_id
  tags           = local.tags

  replicas             = var.replicas
  availability_zones   = var.availability_zones
  aws_private_link     = var.enable_private_link
  private              = var.private
  aws_subnet_ids       = var.enable_private_link ? module.rosa-vpc.private_subnets : concat(module.rosa-vpc.private_subnets, module.rosa-vpc.public_subnets)
  compute_machine_type = var.compute_node_instance_type
  multi_az             = length(module.rosa-vpc.private_subnets) == 3 ? true : false
  version              = var.rosa_version
  machine_cidr         = module.rosa-vpc.vpc_cidr_block
  properties           = { rosa_creator_arn = data.aws_caller_identity.current.arn }
  sts                  = var.enable_sts ? local.sts_roles : null
  depends_on           = [module.rosa-vpc]
}

Earlier I was using aws_private_link without the private parameter.

So can I use the above-mentioned configuration and continue working with this one for upcoming clusters? Because I am using the same file rosa_with_new_vpc.tf to manage and deploy all the clusters.

Here is my folder structure:

├── backend.tf
├── cluster_deploy.log
├── datacenter
│   └── aws_account
│       ├── dev
│       │   └── dev.tf
│       ├── prod
│       │   └── prod.tf
│       ├── sre
│       │   ├── sre.tf
│       │   └── sre-pvt-link.tf
│       └── stage
│           ├── stage.tf
│           └── stage1.tf
├── errored.tfstate
├── main.tf
├── output.tf
├── rosa_with_new_vpc.tf
├── terraform.tfstate
├── terraform.tfstate.d
│   ├── dev
│   │   ├── terraform.tfstate
│   │   └── terraform.tfstate.backup
│   └── sre
│       ├── terraform.tfstate
│       └── terraform.tfstate.backup
├── vars.tf
└── vpc.tf

Yes, I don't see any reason why not.

Thanks @nirarg for the confirmation.

I see it's there. Please see this link.

Hi @manish-jangra,
Thank you for confirming this.
I'm closing this issue.