feat: Removed support for "WriteRequestBodies" from the audit_log_policy input. Allowed values are now "default" and "verbose". This is because patching the Kube Audit Profile in APIServer Custom Resource is not possible in version 4.18 and onwards because a newly introduced validatingadmissionpolicy named config prevents it. Audit logs are enabled in the backend and completely managed by IBM Cloud. (#954)

Author: vkuma17

examples/add_rules_to_sg/main.tf

@@ -158,7 +158,7 @@ locals {
       pool_name         = "default" # ibm_container_vpc_cluster automatically names standard pool "standard" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
       machine_type      = "bx2.4x16"
       workers_per_zone  = 2
-      operating_system  = "REDHAT_8_64"
+      operating_system  = "RHCOS"
       labels            = {}
       resource_group_id = module.resource_group.resource_group_id
     }

examples/advanced/main.tf

@@ -113,7 +113,7 @@ locals {
       pool_name                         = "default" # ibm_container_vpc_cluster automatically names default pool "default" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
       machine_type                      = "mx2.4x32"
       workers_per_zone                  = 1
-      operating_system                  = "REDHAT_8_64"
+      operating_system                  = "RHEL_9_64"
       enableAutoscaling                 = true
       minSize                           = 1
       maxSize                           = 6
@@ -125,15 +125,15 @@ locals {
       machine_type                      = "bx2.4x16"
       workers_per_zone                  = 1
       secondary_storage                 = "300gb.5iops-tier"
-      operating_system                  = "REDHAT_8_64"
+      operating_system                  = "RHEL_9_64"
       boot_volume_encryption_kms_config = local.boot_volume_encryption_kms_config
     },
     {
       subnet_prefix                     = "zone-3"
       pool_name                         = "zone-3"
       machine_type                      = "bx2.4x16"
       workers_per_zone                  = 1
-      operating_system                  = "REDHAT_8_64"
+      operating_system                  = "RHEL_9_64"
       boot_volume_encryption_kms_config = local.boot_volume_encryption_kms_config
     }
   ]
@@ -157,7 +157,7 @@ locals {
       subnet_prefix    = "zone-1"
       pool_name        = "workerpool"
       machine_type     = "bx2.4x16"
-      operating_system = "REDHAT_8_64"
+      operating_system = "RHEL_9_64"
       workers_per_zone = 2
     }
   ]
@@ -223,7 +223,7 @@ module "kube_audit" {
   # version           = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
   cluster_id                = module.ocp_base.cluster_id
   cluster_resource_group_id = module.resource_group.resource_group_id
-  audit_log_policy          = "WriteRequestBodies"
+  audit_log_policy          = "verbose"
   region                    = var.region
   ibmcloud_api_key          = var.ibmcloud_api_key
 }

examples/cross_kms_support/main.tf

@@ -68,7 +68,7 @@ locals {
       pool_name                         = "default" # ibm_container_vpc_cluster automatically names default pool "default" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
       machine_type                      = "bx2.4x16"
       workers_per_zone                  = 2 # minimum of 2 is allowed when using single zone
-      operating_system                  = "REDHAT_8_64"
+      operating_system                  = "RHCOS"
       boot_volume_encryption_kms_config = local.boot_volume_encryption_kms_config
     }
   ]

examples/fscloud/main.tf

@@ -66,7 +66,7 @@ module "vpc" {
   clean_default_sg_acl                   = true
   enable_vpc_flow_logs                   = true
   create_authorization_policy_vpc_to_cos = true
-  existing_storage_bucket_name           = module.flowlogs_bucket.bucket_configs[0].bucket_name
+  existing_storage_bucket_name           = module.flowlogs_bucket.buckets["${var.prefix}-vpc-flowlogs"].bucket_name
   security_group_rules                   = []
   existing_cos_instance_guid             = module.cos_fscloud.cos_instance_guid
   subnets = {

ibm_catalog.json

@@ -953,8 +953,8 @@
                 },
                 {
                   "description": "Detailed verbose logging.",
-                  "displayname": "Write Request Bodies",
-                  "value": "WriteRequestBodies"
+                  "displayname": "Verbose",
+                  "value": "verbose"
                 }
               ]
             },

modules/fscloud/README.md

@@ -78,7 +78,7 @@ module "ocp_base_fscloud" {
       pool_name        = "default"
       machine_type     = "bx2.4x16"
       workers_per_zone = 2
-      operating_system = "REDHAT_8_64"
+      operating_system = "RHCOS"
     }
   ]
   import_default_worker_pool_on_create = false

modules/kube-audit/README.md

@@ -71,7 +71,6 @@ No modules.
 |------|------|
 | [helm_release.kube_audit](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [null_resource.enable_https_traffic](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [null_resource.set_audit_log_policy](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.set_audit_webhook](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [terraform_data.install_required_binaries](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [time_sleep.wait_for_kube_audit](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
@@ -83,7 +82,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_audit_deployment_name"></a> [audit\_deployment\_name](#input\_audit\_deployment\_name) | The name of log collection deployment and service. | `string` | `"ibmcloud-kube-audit"` | no |
-| <a name="input_audit_log_policy"></a> [audit\_log\_policy](#input\_audit\_log\_policy) | Specify the amount of information that is logged to the API server audit logs by choosing the audit log policy profile to use. Supported values are `default` and `WriteRequestBodies`. | `string` | `"default"` | no |
+| <a name="input_audit_log_policy"></a> [audit\_log\_policy](#input\_audit\_log\_policy) | Specify the amount of information that is logged to the API server audit logs by choosing the audit log policy profile to use. Supported values are `default` and `verbose`. | `string` | `"default"` | no |
 | <a name="input_audit_namespace"></a> [audit\_namespace](#input\_audit\_namespace) | The name of the namespace where log collection service and a deployment will be created. | `string` | `"ibm-kube-audit"` | no |
 | <a name="input_audit_webhook_listener_image"></a> [audit\_webhook\_listener\_image](#input\_audit\_webhook\_listener\_image) | The audit webhook listener image reference in the format of `[registry-url]/[namespace]/[image]`.The sub-module uses the `icr.io/ibm/ibmcloud-kube-audit-to-ibm-cloud-logs` image to forward logs to IBM Cloud Logs. This image is for demonstration purposes only. For a production solution, configure and maintain your own log forwarding image. | `string` | `"icr.io/ibm/ibmcloud-kube-audit-to-ibm-cloud-logs"` | no |
 | <a name="input_audit_webhook_listener_image_tag_digest"></a> [audit\_webhook\_listener\_image\_tag\_digest](#input\_audit\_webhook\_listener\_image\_tag\_digest) | The tag or digest for the audit webhook listener image to deploy. If changing the value, ensure it is compatible with `audit_webhook_listener_image`. | `string` | `"8309d2a56ef85a5c486f195178d68c616a5123b3@sha256:a484d3dfeeb8f021fd51ca54fcc8a6618e0d49eecd1ca8c520d73d51cbfbfdb4"` | no |

modules/kube-audit/main.tf

@@ -38,20 +38,6 @@ locals {
   validate_existing_vpc_id = tonumber(regex("^([0-9]+\\.[0-9]+)", data.ibm_container_vpc_cluster.cluster.kube_version)[0]) > "4.14" ? true : tobool("Kubernetes API server audit logs forwarding is only supported in ocp versions 4.15 and later.")
 }
 
-resource "null_resource" "set_audit_log_policy" {
-  depends_on = [terraform_data.install_required_binaries]
-  triggers = {
-    audit_log_policy = var.audit_log_policy
-  }
-  provisioner "local-exec" {
-    command     = "${path.module}/scripts/set_audit_log_policy.sh ${var.audit_log_policy} ${local.binaries_path}"
-    interpreter = ["/bin/bash", "-c"]
-    environment = {
-      KUBECONFIG = data.ibm_container_cluster_config.cluster_config.config_file_path
-    }
-  }
-}
-
 #########################################################################################################################
 # Creates a log collection service and container
 ########################################################################################################################
@@ -61,7 +47,7 @@ locals {
 }
 
 resource "helm_release" "kube_audit" {
-  depends_on    = [terraform_data.install_required_binaries, null_resource.set_audit_log_policy, data.ibm_container_vpc_cluster.cluster]
+  depends_on    = [terraform_data.install_required_binaries, data.ibm_container_vpc_cluster.cluster]
   name          = var.audit_deployment_name
   chart         = local.kube_audit_chart_location
   timeout       = 1200
@@ -139,7 +125,7 @@ resource "null_resource" "set_audit_webhook" {
     enable_https_traffic = var.enable_https_traffic
   }
   provisioner "local-exec" {
-    command     = "${path.module}/scripts/set_webhook.sh ${var.region} ${var.use_private_endpoint} ${var.cluster_config_endpoint_type} ${var.cluster_id} ${var.cluster_resource_group_id} ${var.audit_log_policy != "default" ? "verbose" : "default"} ${local.binaries_path}"
+    command     = "${path.module}/scripts/set_webhook.sh ${var.region} ${var.use_private_endpoint} ${var.cluster_config_endpoint_type} ${var.cluster_id} ${var.cluster_resource_group_id} ${var.audit_log_policy} ${local.binaries_path}"
     interpreter = ["/bin/bash", "-c"]
     environment = {
       IAM_API_KEY  = var.ibmcloud_api_key

modules/kube-audit/scripts/set_audit_log_policy.sh

@@ -64,12 +64,12 @@ variable "cluster_config_endpoint_type" {
 
 variable "audit_log_policy" {
   type        = string
-  description = "Specify the amount of information that is logged to the API server audit logs by choosing the audit log policy profile to use. Supported values are `default` and `WriteRequestBodies`."
+  description = "Specify the amount of information that is logged to the API server audit logs by choosing the audit log policy profile to use. Supported values are `default` and `verbose`."
   default     = "default"
 
   validation {
-    error_message = "Invalid Audit log policy Type! Valid values are 'default' or 'WriteRequestBodies'"
-    condition     = contains(["default", "WriteRequestBodies"], var.audit_log_policy)
+    error_message = "Invalid Audit log policy Type! Valid values are 'default' or 'verbose'"
+    condition     = contains(["default", "verbose"], var.audit_log_policy)
   }
 }