Skip to content

Commit b0252d9

Browse files
committed
OCM-00000 | docs: update ROSA HCP documentation to clarify module scope for AWS-only configurations
1 parent 9530e9b commit b0252d9

4 files changed

Lines changed: 27 additions & 4 deletions

File tree

.cursor/rules/rosa-hcp-terraform.mdc

Lines changed: 17 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
---
2-
description: ROSA HCP guardrails — architecture, providers, versions, security, variables
2+
description: ROSA HCP guardrails — architecture, module scope, providers, versions, security, variables
33
alwaysApply: true
44
---
55

@@ -30,6 +30,22 @@ This repository implements **ROSA with Hosted Control Plane (HCP)** only. Do not
3030
- **AWS** resources and data sources must be supported by the **AWS** provider version range in **root** and that submodule’s `versions.tf` (same floor policy as **Provider & version constraints**).
3131
- Adding or bumping **`required_providers`** in a submodule must stay consistent across the **module tree** — root `versions.tf` must reflect minimum compatible versions for providers used anywhere in the tree.
3232

33+
## Module scope (AWS-only vs core HCP)
34+
35+
The tree includes **AWS-only** pieces (VPC, IAM, endpoints, etc.) that exist to run **ROSA HCP** in the customer account. Not every AWS pattern belongs in this repository.
36+
37+
**In scope — expand or add AWS-only configuration when all of the following hold:**
38+
39+
- **Reference-aligned:** The pattern is **standard for ROSA HCP**, part of the **reference architecture**, and **called out in official Red Hat documentation** (or in AWS documentation where Red Hat explicitly ties HCP to that AWS behavior).
40+
- **High misconfiguration risk:** Users are **likely to get it wrong** if they implement it themselves (availability, security, or cluster lifecycle impact).
41+
- **Sustainable:** It is **reasonable to test and support** (e.g. `terraform test`, examples, and docs) without unbounded optional surface area.
42+
43+
**Out of scope — do not expand the module for:**
44+
45+
- **Optional AWS** shapes that **vary widely by customer**, are **not** reference architecture, and are **not** documented in official Red Hat (or cited HCP-specific) docs. Prefer **examples**, documented patterns, or **user-owned** Terraform composed alongside this module.
46+
47+
PRs that are **primarily AWS-only** should **link** the relevant official documentation so reviewers can confirm reference alignment.
48+
3349
## Security
3450

3551
- Do not hardcode secrets or long-lived AWS keys in Terraform. Align with existing **`examples/`** and Red Hat guidance for STS, OIDC, and IRSA. Use **`sensitive`** where appropriate; avoid exposing secrets in outputs, state-adjacent logging, or ad-hoc debug prints.

.github/pull_request_template.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -76,6 +76,7 @@ For details, see: ./CONTRIBUTING.md
7676
Examples: variable rename/removal, output rename/removal, default value change, resource behavior changes, provider/version requirement changes. -->
7777

7878
## Developer Verification Checklist
79+
- [ ] **AWS-only changes:** If this PR is mainly **AWS-only** (no `rhcs` resources/variables), I linked **official Red Hat or cited ROSA HCP documentation** that supports reference alignment, or I explained why the change still belongs in-repo per **Module scope (AWS-only vs core HCP)** in [`.cursor/rules/rosa-hcp-terraform.mdc`](.cursor/rules/rosa-hcp-terraform.mdc).
7980
- [ ] I checked if this affects terraform-rhcs-rosa-classic and submitted (or already submitted) a companion PR when needed.
8081
- [ ] Commit subject/title follows `[JIRA-TICKET] | [TYPE]: <MESSAGE>`.
8182
- [ ] PR description clearly explains both **what** changed and **why**.

AGENTS.md

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -58,15 +58,20 @@ Useful skills for this codebase:
5858
- Breaking Changes: Do NOT change existing variable names or types without a migration plan (refactor-module skill).
5959
- HCP Specifics: Always verify if a feature is supported in HCP vs. Classic. If the `rhcs` resource type does not include `_hcp`, double-check the provider docs.
6060

61+
## Module scope (AWS-only configuration)
62+
63+
Not every AWS resource belongs in this repo. **When to add or expand AWS-only modules** vs leaving configuration to users is defined in [`.cursor/rules/rosa-hcp-terraform.mdc`](.cursor/rules/rosa-hcp-terraform.mdc) — section **Module scope (AWS-only vs core HCP)**. Favor **reference-documented**, **error-prone-if-DIY**, and **testable** patterns; defer **optional, customer-variable** AWS glue that official docs do not prescribe.
64+
6165
## Workflow Logic for Agents
6266

6367
When asked to add a feature, the agent should follow this internal loop:
6468

6569
1. Verify Provider Support: Check the provider schema/docs for the version range in root versions.tf.
6670
2. Check versions.tf: Does this require a provider bump? If yes, modify the root versions.tf first.
67-
3. Variable Standard: Add variables using the description / type / default order. Ensure descriptions match the upstream provider docs.
68-
4. Docs and tests: apply the required commands and verification steps from **`CONTRIBUTING.md`**.
69-
5. Security: follow **Security** above (canonical rules in `.cursor/rules` first, then the agent-oriented bullets).
71+
3. **Module scope:** For new or expanded **AWS-only** behavior, confirm it meets **Module scope (AWS-only vs core HCP)** in [`.cursor/rules/rosa-hcp-terraform.mdc`](.cursor/rules/rosa-hcp-terraform.mdc); prefer examples or user-owned Terraform when docs do not support in-repo ownership.
72+
4. Variable Standard: Add variables using the description / type / default order. Ensure descriptions match the upstream provider docs.
73+
5. Docs and tests: apply the required commands and verification steps from **`CONTRIBUTING.md`**.
74+
6. Security: follow **Security** above (canonical rules in `.cursor/rules` first, then the agent-oriented bullets).
7075

7176
## Testing Expectations
7277

CONTRIBUTING.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,3 +21,4 @@ This repo is **ROSA HCP** only. The sibling **ROSA Classic** module is [`terrafo
2121
3. **Docs** — If you changed variables, outputs, modules, or root wiring: run `make verify-gen` (runs `terraform-docs` via [`scripts/terraform-docs.sh`](scripts/terraform-docs.sh), then [`scripts/verify-gen.sh`](scripts/verify-gen.sh) to ensure README inject blocks are committed).
2222
4. **Module tests** — If a submodule under `modules/<name>/tests/` has `*.tftest.hcl`, run `terraform init -backend=false && terraform test` from `modules/<name>/`.
2323
5. **Provider** — Treat [`terraform-redhat/rhcs`](https://github.com/terraform-redhat/terraform-provider-rhcs) as the source of truth: mirror its schemas in variables and docs. Add `validation` / `precondition` only to echo the provider’s required fields and allowed values (fail fast); do not duplicate or tighten rules the provider already enforces.
24+
6. **Module scope (AWS-only)** — If the change adds or expands **AWS-only** configuration (no `rhcs` surface), confirm it matches **Module scope (AWS-only vs core HCP)** in [`.cursor/rules/rosa-hcp-terraform.mdc`](.cursor/rules/rosa-hcp-terraform.mdc). In the PR, **link official Red Hat or cited ROSA HCP documentation** that supports shipping it in-repo, or explain why an exception is justified.

0 commit comments

Comments
 (0)