| 1 | +# ocm-role |
| 2 | + |
| 3 | +## Introduction |
| 4 | + |
| 5 | +This Terraform sub-module creates the AWS IAM OCM role with the tags required by the ROSA CLI and OCM. The role is used to grant OpenShift Cluster Manager permissions in the customer's AWS account. |
| 6 | + |
| 7 | +The module creates the IAM role, attaches the appropriate permission policy (standard or admin), and applies the required tags so the role is recognized by ROSA tooling. The OCM-side link is handled separately via the `rhcs_rosa_ocm_role_link` provider resource. |
| 8 | + |
| 9 | +For more information, see [Understanding OCM role and User role for ROSA](https://access.redhat.com/articles/6961686). |
| 10 | + |
| 11 | +## Example Usage |
| 12 | + |
| 13 | +``` |
| 14 | +module "ocm_role" { |
| 15 | + source = "terraform-redhat/rosa-hcp/rhcs//modules/ocm-role" |
| 16 | + version = "1.7.6" |
| 17 | +
|
| 18 | + ocm_role_prefix = "ManagedOpenShift" |
| 19 | + ocm_organization_id = "1abc2defg3hijk4l5mn6op7qr8s" |
| 20 | +} |
| 21 | +
|
| 22 | +resource "rhcs_rosa_ocm_role_link" "link" { |
| 23 | + role_arn = module.ocm_role.role_arn |
| 24 | +} |
| 25 | +``` |
| 26 | + |
| 27 | +<!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK --> |
| 28 | +## Requirements |
| 29 | + |
| 30 | +| Name | Version | |
| 31 | +| ---- | ------- | |
| 32 | +| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 | |
| 33 | +| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 | |
| 34 | +| <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs) | >= 1.7.6 | |
| 35 | + |
| 36 | +## Providers |
| 37 | + |
| 38 | +| Name | Version | |
| 39 | +| ---- | ------- | |
| 40 | +| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 | |
| 41 | +| <a name="provider_rhcs"></a> [rhcs](#provider\_rhcs) | >= 1.7.6 | |
| 42 | + |
| 43 | +## Modules |
| 44 | + |
| 45 | +No modules. |
| 46 | + |
| 47 | +## Resources |
| 48 | + |
| 49 | +| Name | Type | |
| 50 | +| ---- | ---- | |
| 51 | +| [aws_iam_policy.ocm_admin_permission_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | |
| 52 | +| [aws_iam_policy.ocm_permission_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | |
| 53 | +| [aws_iam_role.ocm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | |
| 54 | +| [aws_iam_role_policy_attachment.ocm_admin_permission_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | |
| 55 | +| [aws_iam_role_policy_attachment.ocm_permission_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | |
| 56 | +| [aws_iam_policy_document.ocm_trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | |
| 57 | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | |
| 58 | +| [rhcs_hcp_policies.all_policies](https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs/data-sources/hcp_policies) | data source | |
| 59 | +| [rhcs_info.current](https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs/data-sources/info) | data source | |
| 60 | + |
| 61 | +## Inputs |
| 62 | + |
| 63 | +| Name | Description | Type | Default | Required | |
| 64 | +| ---- | ----------- | ---- | ------- | :------: | |
| 65 | +| <a name="input_admin"></a> [admin](#input\_admin) | Enable admin capabilities for the OCM role. When true the admin permission policy is attached and the role is tagged with rosa\_admin\_role=true. | `bool` | `false` | no | |
| 66 | +| <a name="input_ocm_environment"></a> [ocm\_environment](#input\_ocm\_environment) | OCM environment for the rosa\_environment tag (production, staging, or integration). | `string` | `"production"` | no | |
| 67 | +| <a name="input_ocm_organization_id"></a> [ocm\_organization\_id](#input\_ocm\_organization\_id) | The OCM organization external ID used as the sts:ExternalId condition in the OCM role trust policy. | `string` | n/a | yes | |
| 68 | +| <a name="input_ocm_role_prefix"></a> [ocm\_role\_prefix](#input\_ocm\_role\_prefix) | User-defined prefix for the OCM IAM role name. The final role name is `<prefix>-OCM-Role`. | `string` | n/a | yes | |
| 69 | +| <a name="input_path"></a> [path](#input\_path) | (Optional) The IAM path for the OCM role and its policies. Must begin and end with '/'. | `string` | `"/"` | no | |
| 70 | +| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy used to set the permissions boundary for the OCM IAM role. | `string` | `""` | no | |
| 71 | +| <a name="input_tags"></a> [tags](#input\_tags) | Additional AWS resource tags to merge into the OCM role and its policies. | `map(string)` | `null` | no | |
| 72 | + |
| 73 | +## Outputs |
| 74 | + |
| 75 | +| Name | Description | |
| 76 | +| ---- | ----------- | |
| 77 | +| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the created OCM IAM role. Pass this to rhcs\_rosa\_ocm\_role\_link to complete the OCM-side link. | |
| 78 | +| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | The name of the created OCM IAM role. | |
| 79 | +<!-- END_AUTOMATED_TF_DOCS_BLOCK --> |
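Review bot: The Introduction paragraph ("This Terraform sub-module creates the AWS IAM OCM role with the tags required...") describes what the role grants but never says who is allowed to assume it, even though the Resources table lists `aws_iam_policy_document.ocm_trust_policy` and the `ocm_organization_id` input is documented as "the sts:ExternalId condition in the OCM role trust policy". Since the trust policy is the security boundary of this role, add a sentence to the Introduction stating that assumption of the role is limited by that trust policy and that `ocm_organization_id` is the external ID that scopes it to the customer's OCM organization, so readers understand why the value must be their own organization's ID rather than an arbitrary string. Two smaller points in the same hunk: the `permissions_boundary` row defaults to `""` but its description ("The ARN of the policy used to set the permissions boundary...") does not say whether an empty string means no boundary is applied, and the `admin` row should say what the admin permission policy grants beyond the standard one and when `true` is actually needed, given that it widens the role's permissions. The Example Usage fence has no language tag; tagging it `hcl` would render the snippet with highlighting.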