feat: added validation for the openshift-ai cluster addon (#884)

Author: zikra-iqbal

README.md

@@ -291,6 +291,7 @@ Optionally, you need the following permissions to attach Access Management tags
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
+| <a name="requirement_external"></a> [external](#requirement\_external) | >=2.3.5, <3.0.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.78.2, < 2.0.0 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 3.0.0, < 4.0.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1, < 4.0.0 |
@@ -328,9 +329,11 @@ Optionally, you need the following permissions to attach Access Management tags
 | [null_resource.install_required_binaries](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.ocp_console_management](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [time_sleep.wait_for_auth_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [external_external.ocp_addon_versions](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
 | [ibm_container_addons.existing_addons](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_addons) | data source |
 | [ibm_container_cluster_config.cluster_config](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster_config) | data source |
 | [ibm_container_cluster_versions.cluster_versions](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_cluster_versions) | data source |
+| [ibm_iam_auth_token.tokendata](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_auth_token) | data source |
 | [ibm_is_lbs.all_lbs](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_lbs) | data source |
 | [ibm_is_virtual_endpoint_gateway.api_vpe](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway) | data source |
 | [ibm_is_virtual_endpoint_gateway.master_vpe](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway) | data source |

main.tf

@@ -53,6 +53,20 @@ locals {
   binaries_path = "/tmp"
 }
 
+########################################################################################################################
+# Get OCP AI Add-on Versions
+########################################################################################################################
+
+data "ibm_iam_auth_token" "tokendata" {}
+
+data "external" "ocp_addon_versions" {
+  program = ["python3", "${path.module}/scripts/get_ocp_addon_versions.py"]
+  query = {
+    IAM_TOKEN = sensitive(data.ibm_iam_auth_token.tokendata.iam_access_token)
+    REGION    = var.region
+  }
+}
+
 # Local block to verify validations for OCP AI Addon.
 locals {
 
@@ -65,6 +79,7 @@ locals {
       is_gpu    = contains(["gx2", "gx3", "gx4"], split(".", pool.machine_type)[0])
     }
   }
+  ocp_ai_addon_supported_versions = jsondecode(data.external.ocp_addon_versions.result["openshift-ai"])
 }
 
 # Separate local block to handle os validations

scripts/get_ocp_addon_versions.py

@@ -0,0 +1,157 @@
+#!/usr/bin/env python3
+import http.client
+import json
+import os
+import sys
+from urllib.parse import urlparse
+
+
+def parse_input():
+    """
+    Reads JSON input from stdin and parses it into a dictionary.
+    Returns:
+        dict: Parsed input data.
+    """
+    try:
+        data = json.loads(sys.stdin.read())
+    except json.JSONDecodeError as e:
+        raise ValueError("Invalid JSON input") from e
+    return data
+
+
+def validate_inputs(data):
+    """
+    Validates required inputs 'IAM_TOKEN' and 'REGION' from the parsed input.
+    Args:
+        data (dict): Input data parsed from JSON.
+    Returns:
+        tuple: A tuple containing (IAM_TOKEN, REGION).
+    """
+    token = data.get("IAM_TOKEN")
+    if not token:
+        raise ValueError("IAM_TOKEN is required")
+
+    region = data.get("REGION")
+    if not region:
+        raise ValueError("REGION is required")
+
+    return token, region
+
+
+def get_env_variable():
+    """
+    Retrieves the value of an environment variable.
+    Returns:
+        str: The value of the environment variable.
+    """
+    api_endpoint = os.getenv("IBMCLOUD_CS_API_ENDPOINT")
+    if not api_endpoint:
+        api_endpoint = "https://containers.test.cloud.ibm.com/global"
+    return api_endpoint
+
+
+def fetch_addon_versions(iam_token, region, api_endpoint):
+    """
+    Fetches openshift add-on versions using HTTP connection.
+    Args:
+        iam_token (str): IBM Cloud IAM token for authentication.
+        region (str): Region to query for add-ons.
+        api_endpoint (str): Base API endpoint URL.
+    Returns:
+        list: Parsed JSON response containing add-on information.
+    """
+    # Add https if user passed just a hostname
+    if not api_endpoint.startswith("https://"):
+        api_endpoint = f"https://{api_endpoint}"
+
+    parsed = urlparse(api_endpoint)
+
+    # Default path to /global if none supplied
+    base_path = parsed.path.rstrip("/") if parsed.path else "/global"
+
+    host = parsed.hostname
+    headers = {
+        "Authorization": f"Bearer {iam_token}",
+        "Accept": "application/json",
+        "X-Region": region,
+    }
+
+    conn = http.client.HTTPSConnection(host)
+    try:
+        # Final API path
+        url = f"{base_path}/v1/addons"
+        conn.request("GET", url, headers=headers)
+        response = conn.getresponse()
+        data = response.read().decode()
+
+        if response.status != 200:
+            raise RuntimeError(
+                f"API request failed: {response.status} {response.reason} - {data}"
+            )
+
+        return json.loads(data)
+    except http.client.HTTPException as e:
+        raise RuntimeError("HTTP request failed") from e
+    finally:
+        conn.close()
+
+
+def transform_cluster_addons_data(addons_data):
+    """
+    Transforms cluster add-on raw data into a nested dictionary structured by add-on name and version.
+    Args:
+        addons_data: Raw data returned by the add-on API.
+    Returns:
+        dict: Transformed add-on data suitable for Terraform consumption.
+    """
+    result = {}
+
+    for addon in addons_data:
+        name = addon.get("name")
+        version = addon.get("version")
+
+        supported_ocp = addon.get("supportedOCPRange", "unsupported")
+        supported_kube = addon.get("supportedKubeRange", "unsupported")
+
+        if name not in result:
+            result[name] = {}
+
+        result[name][version] = {
+            "supported_openshift_range": supported_ocp,
+            "supported_kubernetes_range": supported_kube,
+        }
+
+    if not result:
+        raise RuntimeError("No add-on data found.")
+
+    return result
+
+
+def format_for_terraform(result):
+    """
+    Converts the transformed add-on data into JSON strings for Terraform external data source consumption.
+    Args:
+        result (dict): Transformed add-on data.
+    Returns:
+        dict: A dictionary mapping add-on names to JSON strings of their version info.
+    """
+    return {name: json.dumps(versions) for name, versions in result.items()}
+
+
+def main():
+    """
+    Main execution function: reads input, validates, fetches API data, transforms it,
+    formats it for Terraform and prints the JSON output.
+    """
+    data = parse_input()
+    iam_token, region = validate_inputs(data)
+    api_endpoint = get_env_variable()
+    addons_data = fetch_addon_versions(iam_token, region, api_endpoint)
+    transformed = transform_cluster_addons_data(addons_data)
+    output = format_for_terraform(transformed)
+
+    print(json.dumps(output))
+
+
+if __name__ == "__main__":
+    main()

tests/pr_test.go

@@ -101,7 +101,7 @@ func setupQuickstartOptions(t *testing.T, prefix string) *testschematic.TestSche
 		Region:        region,
 		TarIncludePatterns: []string{
 			"*.tf",
-			quickStartTerraformDir + "/*.tf", "scripts/*.sh", "kubeconfig/README.md",
+			quickStartTerraformDir + "/*.tf", "scripts/*.*", "kubeconfig/README.md",
 			"modules/worker-pool/*.tf",
 			"modules/kube-audit/scripts/*.sh",
 		},
@@ -162,7 +162,7 @@ func TestRunFullyConfigurableInSchematics(t *testing.T) {
 	options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
 		Testing:               t,
 		Prefix:                "ocp-fc",
-		TarIncludePatterns:    []string{"*.tf", fullyConfigurableTerraformDir + "/*.*", fullyConfigurableTerraformDir + "/scripts/*.*", "scripts/*.sh", "kubeconfig/README.md", "modules/kube-audit/*.*", "modules/worker-pool/*.tf", "modules/kube-audit/kubeconfig/README.md", "modules/kube-audit/scripts/*.sh", fullyConfigurableTerraformDir + "/kubeconfig/README.md", "modules/kube-audit/helm-charts/kube-audit/*.*", "modules/kube-audit/helm-charts/kube-audit/templates/*.*"},
+		TarIncludePatterns:    []string{"*.tf", fullyConfigurableTerraformDir + "/*.*", fullyConfigurableTerraformDir + "/scripts/*.*", "scripts/*.*", "kubeconfig/README.md", "modules/kube-audit/*.*", "modules/worker-pool/*.tf", "modules/kube-audit/kubeconfig/README.md", "modules/kube-audit/scripts/*.sh", fullyConfigurableTerraformDir + "/kubeconfig/README.md", "modules/kube-audit/helm-charts/kube-audit/*.*", "modules/kube-audit/helm-charts/kube-audit/templates/*.*"},
 		TemplateFolder:        fullyConfigurableTerraformDir,
 		Tags:                  []string{"test-schematic"},
 		DeleteWorkspaceOnFail: false,
@@ -203,7 +203,7 @@ func TestRunUpgradeFullyConfigurable(t *testing.T) {
 	options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
 		Testing:                    t,
 		Prefix:                     "fc-upg",
-		TarIncludePatterns:         []string{"*.tf", fullyConfigurableTerraformDir + "/*.*", fullyConfigurableTerraformDir + "/scripts/*.*", "scripts/*.sh", "kubeconfig/README.md", "modules/kube-audit/*.*", "modules/kube-audit/kubeconfig/README.md", "modules/kube-audit/scripts/*.sh", fullyConfigurableTerraformDir + "/kubeconfig/README.md", "modules/kube-audit/helm-charts/kube-audit/*.*", "modules/kube-audit/helm-charts/kube-audit/templates/*.*", "modules/worker-pool/*.tf"},
+		TarIncludePatterns:         []string{"*.tf", fullyConfigurableTerraformDir + "/*.*", fullyConfigurableTerraformDir + "/scripts/*.*", "scripts/*.*", "kubeconfig/README.md", "modules/kube-audit/*.*", "modules/kube-audit/kubeconfig/README.md", "modules/kube-audit/scripts/*.sh", fullyConfigurableTerraformDir + "/kubeconfig/README.md", "modules/kube-audit/helm-charts/kube-audit/*.*", "modules/kube-audit/helm-charts/kube-audit/templates/*.*", "modules/worker-pool/*.tf"},
 		TemplateFolder:             fullyConfigurableTerraformDir,
 		Tags:                       []string{"test-schematic"},
 		DeleteWorkspaceOnFail:      false,

variables.tf

@@ -364,9 +364,30 @@ variable "addons" {
   nullable    = false
   default     = {}
 
+  ########################################################################################################################
+  # OCP AI Addon version validation
+  ########################################################################################################################
+
   validation {
-    condition     = (lookup(var.addons, "openshift-ai", null) != null ? lookup(var.addons["openshift-ai"], "version", null) == null : true) || (tonumber(local.ocp_version_num) >= 4.16)
-    error_message = "OCP AI add-on requires OCP version >= 4.16.0"
+    condition = (
+      try(var.addons["openshift-ai"].version, null) == null ||
+      (
+        contains(keys(local.ocp_ai_addon_supported_versions), try(var.addons["openshift-ai"].version, "") != null ? try(var.addons["openshift-ai"].version, "") : "") &&
+        (
+          local.ocp_version_num >= tonumber(regexall("\\d+\\.\\d+", split(" ", lookup(local.ocp_ai_addon_supported_versions, try(var.addons["openshift-ai"].version, "") != null ? try(var.addons["openshift-ai"].version, "") : "", { supported_openshift_range = "0.0 0.0" }).supported_openshift_range)[0])[0])
+        ) &&
+        (
+          local.ocp_version_num < tonumber(regexall("\\d+\\.\\d+", split(" ", lookup(local.ocp_ai_addon_supported_versions, try(var.addons["openshift-ai"].version, "") != null ? try(var.addons["openshift-ai"].version, "") : "", { supported_openshift_range = "0.0 0.0" }).supported_openshift_range)[1])[0])
+        )
+      )
+    )
+
+    error_message = (
+      try(var.addons["openshift-ai"].version, null) != null ?
+      (contains(keys(local.ocp_ai_addon_supported_versions), try(var.addons["openshift-ai"].version, "")) ?
+        format("OCP AI add-on version %s requires OCP version %s", try(var.addons["openshift-ai"].version, ""), lookup(local.ocp_ai_addon_supported_versions, try(var.addons["openshift-ai"].version, ""), { supported_openshift_range = "" }).supported_openshift_range) :
+      format("OCP AI add-on version %s is not supported.", try(var.addons["openshift-ai"].version, ""))) : "Invalid OCP AI configuration."
+    )
   }
 
   validation {

version.tf

@@ -18,5 +18,9 @@ terraform {
       source  = "hashicorp/time"
       version = ">= 0.9.1, < 1.0.0"
     }
+    external = {
+      source  = "hashicorp/external"
+      version = ">=2.3.5, <3.0.0"
+    }
   }
 }