# Copyright Red Hat
# SPDX-License-Identifier: Apache-2.0
# Partition of the credentials Terraform runs with (aws, aws-us-gov, aws-cn),
# so the role ARNs composed in locals are valid outside the commercial partition.
data "aws_partition" "current" {}
locals {
  # IAM path and role-name prefixes: the caller's values win, otherwise the
  # conventional defaults derived from the cluster name are used.
  # local.path must start and end with "/" for the ARNs below to be well
  # formed — presumably validated in variables.tf; confirm.
  path                 = coalesce(var.path, "/")
  account_role_prefix  = coalesce(var.account_role_prefix, "${var.cluster_name}-account")
  operator_role_prefix = coalesce(var.operator_role_prefix, "${var.cluster_name}-operator")

  # ARN stem shared by the three HCP account roles.  It is built for the
  # partition and account of the current credentials, so the ARNs are only
  # correct when pre-created roles live in that same account under local.path.
  # Nothing here verifies that the roles exist; a mismatch surfaces when the
  # cluster module tries to use them.
  account_role_arn_base = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${local.path}${local.account_role_prefix}"

  # ARNs of pre-existing account roles, used wherever var.create_account_roles
  # is false (see module "rosa_cluster_hcp" and module "oidc_config_and_provider").
  sts_roles = {
    installer_role_arn = "${local.account_role_arn_base}-HCP-ROSA-Installer-Role"
    support_role_arn   = "${local.account_role_arn_base}-HCP-ROSA-Support-Role"
    worker_role_arn    = "${local.account_role_arn_base}-HCP-ROSA-Worker-Role"
  }
}
##############################################################
# Account roles include IAM roles and IAM policies
##############################################################
module "account_iam_resources" {
  source = "./modules/account-iam-resources"

  # Only created on request; otherwise the pre-existing roles named by
  # local.sts_roles are assumed to exist.
  count = var.create_account_roles ? 1 : 0

  account_role_prefix = local.account_role_prefix
  path                = local.path

  # Guard rails on the created roles: a permissions boundary caps what the
  # roles can ever be granted, and the external id is handed to the trust
  # policy (presumably as an sts:ExternalId condition — see the child module)
  # so that only callers presenting it can assume them.
  permissions_boundary     = var.permissions_boundary
  trust_policy_external_id = var.trust_policy_external_id

  tags = var.tags
}
############################
# OIDC config and provider
############################
module "oidc_config_and_provider" {
  source = "./modules/oidc-config-and-provider"
  count  = var.create_oidc ? 1 : 0

  managed = var.managed_oidc

  # A managed OIDC config (var.managed_oidc) needs no installer role.  For an
  # unmanaged one the role comes from the account-roles module when that is
  # created here, otherwise from the conventional pre-created ARN.
  installer_role_arn = (
    var.managed_oidc
    ? null
    : (
      var.create_account_roles
      ? module.account_iam_resources[0].account_roles_arn["HCP-ROSA-Installer"]
      : local.sts_roles.installer_role_arn
    )
  )

  tags = var.tags
}
############################
# operator roles
############################
module "operator_roles" {
  source = "./modules/operator-roles"
  count  = var.create_operator_roles ? 1 : 0

  operator_role_prefix = local.operator_role_prefix
  path                 = local.path
  permissions_boundary = var.permissions_boundary

  # Issuer the operator roles are tied to: the OIDC provider created above,
  # or a pre-created one supplied by the caller.  A null value in the
  # pre-created case is rejected by null_resource.validations.
  oidc_endpoint_url = var.create_oidc ? module.oidc_config_and_provider[0].oidc_endpoint_url : var.oidc_endpoint_url

  tags = var.tags
}
############################
# ROSA STS cluster
############################
resource "rhcs_dns_domain" "dns_domain" {
  # Optional base-domain reservation for the hosted control plane cluster.
  # When not created, var.base_dns_domain is passed to the cluster instead.
  count        = var.create_dns_domain_reservation ? 1 : 0
  cluster_arch = "hcp"
}
# The ROSA HCP cluster itself.  Role ARNs, OIDC config and base domain come
# from the resources created above when the corresponding create_* flag is
# set, otherwise from caller-supplied values / the conventional ARNs.
module "rosa_cluster_hcp" {
  source = "./modules/rosa-cluster-hcp"
  cluster_name = var.cluster_name
  operator_role_prefix = var.create_operator_roles ? module.operator_roles[0].operator_role_prefix : local.operator_role_prefix
  openshift_version = var.openshift_version
  version_channel_group = var.version_channel_group
  channel = var.channel
  # Account roles: taken from the module when created here, else the
  # pre-created ARNs in local.sts_roles (same account, same path).
  installer_role_arn = var.create_account_roles ? module.account_iam_resources[0].account_roles_arn["HCP-ROSA-Installer"] : local.sts_roles.installer_role_arn
  support_role_arn = var.create_account_roles ? module.account_iam_resources[0].account_roles_arn["HCP-ROSA-Support"] : local.sts_roles.support_role_arn
  worker_role_arn = var.create_account_roles ? module.account_iam_resources[0].account_roles_arn["HCP-ROSA-Worker"] : local.sts_roles.worker_role_arn
  # Same external id that was applied to the account-role trust policies.
  trust_policy_external_id = var.trust_policy_external_id
  oidc_config_id = var.create_oidc ? module.oidc_config_and_provider[0].oidc_config_id : var.oidc_config_id
  aws_subnet_ids = var.aws_subnet_ids
  machine_cidr = var.machine_cidr
  service_cidr = var.service_cidr
  pod_cidr = var.pod_cidr
  host_prefix = var.host_prefix
  private = var.private
  tags = var.tags
  properties = var.properties
  # Encryption at rest.  etcd_kms_key_arn presumably only applies when
  # etcd_encryption is set; which volumes kms_key_arn covers is decided in
  # the child module — confirm there.
  etcd_encryption = var.etcd_encryption
  etcd_kms_key_arn = var.etcd_kms_key_arn
  kms_key_arn = var.kms_key_arn
  aws_billing_account_id = var.aws_billing_account_id
  # Whether the instance metadata service requires a session token
  # (IMDSv2) on the nodes; "required" is the hardened setting — confirm the
  # accepted values in variables.tf.
  ec2_metadata_http_tokens = var.ec2_metadata_http_tokens
  base_dns_domain = var.create_dns_domain_reservation ? rhcs_dns_domain.dns_domain[0].id : var.base_dns_domain
  domain_prefix = var.domain_prefix
  # Every principal listed here widens who may connect to the cluster's
  # private endpoint; keep the list deliberate (semantics are in the child
  # module).
  aws_additional_allowed_principals = var.aws_additional_allowed_principals
  ########
  # Cluster Admin User
  ########
  # Static cluster-admin credentials.  Both values pass through Terraform
  # state and plan output; presumably declared sensitive in variables.tf —
  # confirm, and treat the state backend as secret material regardless.
  create_admin_user = var.create_admin_user
  admin_credentials_username = var.admin_credentials_username
  admin_credentials_password = var.admin_credentials_password
  ########
  # Flags
  ########
  wait_for_create_complete = var.wait_for_create_complete
  wait_for_std_compute_nodes_complete = var.wait_for_std_compute_nodes_complete
  disable_waiting_in_destroy = var.disable_waiting_in_destroy
  destroy_timeout = var.destroy_timeout
  upgrade_acknowledgements_for = var.upgrade_acknowledgements_for
  # Switches the cluster to externally managed authentication; what happens
  # to the built-in identity providers in that mode is decided by the
  # provider — confirm before combining with var.identity_providers.
  external_auth_providers_enabled = var.external_auth_providers_enabled
  #######################
  # Default Machine Pool
  #######################
  replicas = var.replicas
  compute_machine_type = var.compute_machine_type
  aws_availability_zones = var.aws_availability_zones
  worker_disk_size = var.worker_disk_size
  # Extra security groups attached to the default workers, in addition to
  # whatever the cluster creates.
  aws_additional_compute_security_group_ids = var.aws_additional_compute_security_group_ids
  ########
  # Proxy
  ########
  http_proxy = var.http_proxy
  https_proxy = var.https_proxy
  no_proxy = var.no_proxy
  # Additional CA bundle the cluster will trust (typically the proxy's CA).
  additional_trust_bundle = var.additional_trust_bundle
  #############
  # Autoscaler
  #############
  cluster_autoscaler_enabled = var.cluster_autoscaler_enabled
  autoscaler_max_pod_grace_period = var.autoscaler_max_pod_grace_period
  autoscaler_pod_priority_threshold = var.autoscaler_pod_priority_threshold
  autoscaler_max_node_provision_time = var.autoscaler_max_node_provision_time
  autoscaler_max_nodes_total = var.autoscaler_max_nodes_total
  ##################
  # default_ingress
  ##################
  # An explicit listening method wins; otherwise the ingress follows the
  # cluster's privacy setting (private cluster -> internal ingress).
  default_ingress_listening_method = var.default_ingress_listening_method != "" ? (
    var.default_ingress_listening_method) : (
    var.private ? "internal" : "external"
  )
  registry_config = var.registry_config
}
######################################
# Multiple Machine Pools Generic block
######################################
module "rhcs_hcp_machine_pool" {
  source   = "./modules/machine-pool"
  for_each = var.machine_pools

  cluster_id = module.rosa_cluster_hcp.cluster_id

  # Required per-pool settings.
  name          = each.value.name
  aws_node_pool = each.value.aws_node_pool
  subnet_id     = each.value.subnet_id

  # Optional settings.  A key that is absent from the pool definition
  # becomes null here, which lets the child module apply its own default.
  replicas                     = try(each.value.replicas, null)
  autoscaling                  = try(each.value.autoscaling, null)
  auto_repair                  = try(each.value.auto_repair, null)
  openshift_version            = try(each.value.openshift_version, null)
  upgrade_acknowledgements_for = try(each.value.upgrade_acknowledgements_for, null)
  labels                       = try(each.value.labels, null)
  taints                       = try(each.value.taints, null)
  tuning_configs               = try(each.value.tuning_configs, null)
  kubelet_configs              = try(each.value.kubelet_configs, null)

  # Per-pool override of the cluster-wide deletion-error policy.
  ignore_deletion_error = try(each.value.ignore_deletion_error, var.ignore_machine_pools_deletion_error)
}
###########################################
# Multiple Identity Providers Generic block
###########################################
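module "rhcs_identity_provider" {
  source   = "./modules/idp"
  for_each = var.identity_providers

  cluster_id = module.rosa_cluster_hcp.cluster_id

  # Common settings.  Optional keys are read with try() so an absent key
  # becomes null and the child module's default applies.
  name           = each.value.name
  idp_type       = each.value.idp_type
  mapping_method = try(each.value.mapping_method, null)

  # List/map-valued settings arrive JSON-encoded.  A missing, null or empty
  # entry decodes to null (jsondecode("null") yields null), but a present,
  # non-empty value is decoded *without* a try(): malformed JSON now fails
  # the plan instead of being silently replaced by null, which previously
  # dropped e.g. the htpasswd user list, the LDAP attribute mapping or the
  # OIDC groups claim and surfaced only as a broken or over-permissive login.
  #
  # Credentials below (client secrets, LDAP bind password, htpasswd entries)
  # pass through Terraform state and plan output; presumably declared
  # sensitive in variables.tf — confirm, and protect the state backend.

  # GitHub
  github_idp_client_id     = try(each.value.github_idp_client_id, null)
  github_idp_client_secret = try(each.value.github_idp_client_secret, null)
  github_idp_ca            = try(each.value.github_idp_ca, null)
  github_idp_hostname      = try(each.value.github_idp_hostname, null)
  github_idp_organizations = jsondecode(coalesce(try(each.value.github_idp_organizations, null), "null"))
  github_idp_teams         = jsondecode(coalesce(try(each.value.github_idp_teams, null), "null"))

  # GitLab
  gitlab_idp_client_id     = try(each.value.gitlab_idp_client_id, null)
  gitlab_idp_client_secret = try(each.value.gitlab_idp_client_secret, null)
  gitlab_idp_url           = try(each.value.gitlab_idp_url, null)
  gitlab_idp_ca            = try(each.value.gitlab_idp_ca, null)

  # Google
  google_idp_client_id     = try(each.value.google_idp_client_id, null)
  google_idp_client_secret = try(each.value.google_idp_client_secret, null)
  google_idp_hosted_domain = try(each.value.google_idp_hosted_domain, null)

  # htpasswd
  htpasswd_idp_users = jsondecode(coalesce(try(each.value.htpasswd_idp_users, null), "null"))

  # LDAP.  ldap_idp_insecure, by its name, turns off transport security for
  # the bind — confirm the exact semantics in the child module and keep it
  # unset outside of test environments.
  ldap_idp_bind_dn             = try(each.value.ldap_idp_bind_dn, null)
  ldap_idp_bind_password       = try(each.value.ldap_idp_bind_password, null)
  ldap_idp_ca                  = try(each.value.ldap_idp_ca, null)
  ldap_idp_insecure            = try(each.value.ldap_idp_insecure, null)
  ldap_idp_url                 = try(each.value.ldap_idp_url, null)
  ldap_idp_emails              = jsondecode(coalesce(try(each.value.ldap_idp_emails, null), "null"))
  ldap_idp_ids                 = jsondecode(coalesce(try(each.value.ldap_idp_ids, null), "null"))
  ldap_idp_names               = jsondecode(coalesce(try(each.value.ldap_idp_names, null), "null"))
  ldap_idp_preferred_usernames = jsondecode(coalesce(try(each.value.ldap_idp_preferred_usernames, null), "null"))

  # OpenID Connect
  openid_idp_ca                         = try(each.value.openid_idp_ca, null)
  openid_idp_client_id                  = try(each.value.openid_idp_client_id, null)
  openid_idp_client_secret              = try(each.value.openid_idp_client_secret, null)
  openid_idp_issuer                     = try(each.value.openid_idp_issuer, null)
  openid_idp_claims_email               = jsondecode(coalesce(try(each.value.openid_idp_claims_email, null), "null"))
  openid_idp_claims_groups              = jsondecode(coalesce(try(each.value.openid_idp_claims_groups, null), "null"))
  openid_idp_claims_name                = jsondecode(coalesce(try(each.value.openid_idp_claims_name, null), "null"))
  openid_idp_claims_preferred_username  = jsondecode(coalesce(try(each.value.openid_idp_claims_preferred_username, null), "null"))
  openid_idp_extra_scopes               = jsondecode(coalesce(try(each.value.openid_idp_extra_scopes, null), "null"))
  openid_idp_extra_authorize_parameters = jsondecode(coalesce(try(each.value.openid_idp_extra_authorize_parameters, null), "null"))
}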
######################################
# Multiple Kubelet Configs block
######################################
module "rhcs_hcp_kubelet_configs" {
  source   = "./modules/kubelet-configs"
  for_each = var.kubelet_configs

  cluster_id = module.rosa_cluster_hcp.cluster_id

  # One named kubelet config per map entry; machine pools reference it by
  # name through their kubelet_configs setting.
  name           = each.value.name
  pod_pids_limit = each.value.pod_pids_limit
}
######################################
# Multiple Image Mirrors block
######################################
module "rhcs_hcp_image_mirrors" {
  source   = "./modules/image-mirrors"
  for_each = var.image_mirrors

  cluster_id = module.rosa_cluster_hcp.cluster_id

  # Registry redirection: pulls from `source` are served by `mirrors`.
  # Note the key rename — the map uses "source" while the child module
  # input is "source_registry".  Every mirror listed here becomes a trusted
  # origin for images, so the list deserves the same review as the source.
  type            = each.value.type
  source_registry = each.value.source
  mirrors         = each.value.mirrors
}
######################################
# Multiple Log Forwarders block
######################################
module "rhcs_hcp_log_forwarder" {
  source   = "./modules/log-forwarder"
  for_each = var.log_forwarders

  cluster_id = module.rosa_cluster_hcp.cluster_id

  # Destinations (at least one is expected; absent keys become null and
  # the child module decides what that means) and the log selection.
  s3         = try(each.value.s3, null)
  cloudwatch = try(each.value.cloudwatch, null)

  applications = try(each.value.applications, null)
  groups       = try(each.value.groups, null)
}
######################################
# Additional control plane sec groups
######################################
module "rhcs_hcp_additional_controlplane_sg" {
  source = "./modules/additional-cp-sg"

  # Only meaningful for a private cluster that was given extra control-plane
  # security groups; the OpenShift version requirement for this feature is
  # enforced by null_resource.validations.
  count = (
    var.aws_additional_control_plane_security_group_ids != null
    && var.private != false
  ) ? 1 : 0

  cluster_id = module.rosa_cluster_hcp.cluster_id

  # NOTE(review): the first subnet is used unconditionally; this assumes
  # var.aws_subnet_ids is non-empty whenever count is 1 — confirm validation.
  aws_subnet_id = var.aws_subnet_ids[0]

  aws_additional_control_plane_security_group_ids = var.aws_additional_control_plane_security_group_ids
}
# Cross-variable checks that a single-variable validation block cannot
# express.  Every precondition must hold for the plan to succeed.
resource "null_resource" "validations" {
  lifecycle {
    # Operator roles created here against a pre-created OIDC config need the
    # issuer URL, otherwise their trust policies cannot be built.
    precondition {
      condition = !(
        var.create_operator_roles == true
        && var.create_oidc != true
        && var.oidc_endpoint_url == null
      )
      error_message = "\"oidc_endpoint_url\" mustn't be empty when oidc is pre-created (create_oidc != true)."
    }

    # A pre-created OIDC config must be identified for the cluster.
    precondition {
      condition = !(
        var.create_oidc != true
        && var.oidc_config_id == null
      )
      error_message = "\"oidc_config_id\" mustn't be empty when oidc is pre-created (create_oidc != true)."
    }

    # Extra control-plane security groups on a private cluster require
    # OpenShift 4.17.2 or later.  The version is compared as a zero-padded
    # MAJOR/MINOR/PATCH integer (4.17.2 -> 4017002).
    # NOTE(review): a version with fewer than three dot-separated numeric
    # parts makes split(...)[2] / format() fail with an index or type error
    # rather than this message — presumably variables.tf constrains the
    # format; confirm.
    precondition {
      condition = (
        var.aws_additional_control_plane_security_group_ids == null
        || var.private == false
        || tonumber(format("%03d%03d%03d", split(".", var.openshift_version)[0], split(".", var.openshift_version)[1], split(".", var.openshift_version)[2])) >= 4017002
      )
      error_message = "\"openshift_version\" must be 4.17.2 or later to add additional security group to Privatelink endpoint."
    }
  }
}
# Account id of the current credentials, used in locals to compose the ARNs
# of pre-created account roles.  Declared after its first use; Terraform
# resolves references by graph, so the position in the file does not matter.
data "aws_caller_identity" "current" {}