WHEN adding or expanding AWS-only configuration — all In scope criteria below must hold. DEFAULT: Do not expand the module — use examples or user-owned Terraform.
- MUST: Reference-aligned — standard ROSA HCP pattern in official Red Hat (or cited HCP-specific AWS) docs.
- MUST: High misconfiguration risk if users DIY.
- MUST: Testable and supportable (`terraform test`, examples, docs) without unbounded optional surface.
- MUST NOT: Expand for optional AWS shapes that vary by customer, lack reference architecture, or lack official HCP docs.
WHEN an AWS-only pattern is in scope — implement in a first-party submodule with direct aws_* resources.
DEFAULT: Do not wrap third-party Terraform modules (community VPC/IAM wrappers).
- MUST NOT: Classic-only patterns in AWS-only submodules — they are still HCP modules.
- MUST NOT: Add `rhcs` to an intentionally AWS-only submodule unless truly required — follow that submodule's existing `main.tf`/`versions.tf`.
- MUST: AWS resources supported by root and submodule `versions.tf` floors — see `providers-and-versions.md`.
- MUST: Submodule interface changes update root, `examples/`, and `modules/*/tests/*.tftest.hcl`.
- MUST: Least privilege for IAM/STS/OIDC/IRSA — link non-obvious cross-account or shared-VPC patterns to official ROSA HCP docs.
- MUST: `depends_on` / waits / preconditions when assuming immediate IAM/STS effect — follow the `time_sleep` pattern used by existing modules in this repo (see `modules/account-iam-resources` or `modules/operator-roles`).
WHEN a module encapsulates a resource whose Create fails if the resource already exists (i.e. non-idempotent, such as rhcs_rosa_ocm_role_link):
- MUST: Expose a boolean variable named `create_<resource>` (e.g. `create_link`), default `true`, with `count = var.create_<resource> ? 1 : 0` on that resource.
- MUST: Document the import path in the variable's `description` — users importing an existing resource set this to `false` to suppress the duplicate-create error on first apply.
WHEN adding or changing Variables shared across IAM submodules (account-iam-resources, operator-roles, ocm-role):
- MUST have a matching validation block for every format or value constraint — existing modules that omit it have a gap; do not copy the gap.
- `aws_iam_role` with a computed `name` or `path` MUST set `force_detach_policies = true` — if the name changes, Terraform recreates the role and may attempt deletion before detaching its policies.
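The validation and `create_<resource>` rules above are only supportable if `terraform test` covers them. The following `tests/*.tftest.hcl` file is an added illustration, not a test file from this repository; it assumes a submodule that declares a `role_prefix` variable with a format validation block, a `create_link` toggle, and a `rhcs_rosa_ocm_role_link` resource labelled `this` guarded by `count`. Provider calls are stubbed with `mock_provider` so the plan runs offline.

```hcl
# Added example test file (assumed path: modules/ocm-role/tests/create_link.tftest.hcl).
# mock_provider needs Terraform >= 1.7; it fakes data sources and computed
# attributes so no OCM token or AWS credentials are required for `plan`.
mock_provider "aws" {}
mock_provider "rhcs" {}
mock_provider "time" {}

# Validation block rule: a bad prefix must fail on the variable, not deep
# inside the plan. expect_failures asserts that exactly this check fails.
run "rejects_malformed_prefix" {
  command = plan

  variables {
    role_prefix = "bad prefix!" # spaces and '!' violate the assumed regex
  }

  expect_failures = [var.role_prefix]
}

# Default path: create_link = true plans exactly one link resource.
run "link_created_by_default" {
  command = plan

  variables {
    role_prefix = "example"
  }

  assert {
    condition     = length(rhcs_rosa_ocm_role_link.this) == 1
    error_message = "default create_link = true must plan exactly one link"
  }
}

# Import path documented in the variable description: create_link = false
# must plan no link at all, so an existing link never hits Create.
run "import_path_skips_link" {
  command = plan

  variables {
    role_prefix = "example"
    create_link = false
  }

  assert {
    condition     = length(rhcs_rosa_ocm_role_link.this) == 0
    error_message = "create_link = false must not plan a link resource"
  }
}
```

Run it from the submodule directory with `terraform test`. Because every check is a `plan`, the file exercises the variable contract and the `count` guard without creating anything; a separate `apply`-mode run against real providers is still needed to prove the `time_sleep` wait is long enough.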
WHEN adding a new submodule — MUST add an entry to this section describing its key constraints (tag contract, naming convention, policy source, required outputs).
- modules/rosa-cluster-hcp: MUST match provider for `rhcs_cluster_rosa_hcp`; document min OpenShift version when gated.
- modules/shared-vpc-resources: MUST follow shared VPC docs; narrow IAM bindings over broad IAM.
- modules/ocm-role: MUST match ROSA CLI tag contract (`red-hat-managed`, `rosa_role_type=OCM`, `rosa_role_prefix`, `rosa_admin_role` when admin). Trust and permission policy documents come from `data.rhcs_hcp_policies.ocm_role_policies` — do not hard-code ARNs or JSON. Role name follows `{prefix}-OCM-Role-{ocm_org_external_id}` (truncated to 64 chars, sourced from `data.rhcs_info.organization_external_id`). Output `role_arn` is the only input `rhcs_rosa_ocm_role_link` needs.
- MUST: Link official docs on primarily AWS-only PRs.
- MUST pass items described in `CONTRIBUTING.md` under "Before you open a PR".