1 | 1 | --- |
2 | | -description: ROSA HCP guardrails — architecture, providers, versions, security, variables |
| 2 | +description: ROSA HCP guardrails — architecture, module scope, providers, versions, security, variables |
3 | 3 | alwaysApply: true |
4 | 4 | --- |
5 | 5 |
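Review bot: the order of topics in the updated description (architecture, module scope, providers, versions, ...) does not match where the new section lands in the document: the second hunk inserts "## Module scope" after the provider/version constraint text and immediately before "## Security", so the front-matter summary now lists module scope ahead of providers and versions while the body places it after them. Either reorder the description to follow the section order (architecture, providers, versions, module scope, security, variables) or move the section, so the one-line description remains a reliable index of the file for anyone skimming `alwaysApply` rules.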
@@ -30,6 +30,22 @@ This repository implements **ROSA with Hosted Control Plane (HCP)** only. Do not |
30 | 30 | - **AWS** resources and data sources must be supported by the **AWS** provider version range in **root** and that submodule’s `versions.tf` (same floor policy as **Provider & version constraints**). |
31 | 31 | - Adding or bumping **`required_providers`** in a submodule must stay consistent across the **module tree** — root `versions.tf` must reflect minimum compatible versions for providers used anywhere in the tree. |
32 | 32 |
| 33 | +## Module scope (AWS-only vs core HCP) |
| 34 | + |
| 35 | +The tree includes **AWS-only** pieces (VPC, IAM, endpoints, etc.) that exist to run **ROSA HCP** in the customer account. Not every AWS pattern belongs in this repository. |
| 36 | + |
| 37 | +**In scope — expand or add AWS-only configuration when all of the following hold:** |
| 38 | + |
| 39 | +- **Reference-aligned:** The pattern is **standard for ROSA HCP**, part of the **reference architecture**, and **called out in official Red Hat documentation** (or in AWS documentation where Red Hat explicitly ties HCP to that AWS behavior). |
| 40 | +- **High misconfiguration risk:** Users are **likely to get it wrong** if they implement it themselves (availability, security, or cluster lifecycle impact). |
| 41 | +- **Sustainable:** It is **reasonable to test and support** (e.g. `terraform test`, examples, and docs) without unbounded optional surface area. |
| 42 | + |
| 43 | +**Out of scope — do not expand the module for:** |
| 44 | + |
| 45 | +- **Optional AWS** shapes that **vary widely by customer**, are **not** reference architecture, and are **not** documented in official Red Hat (or cited HCP-specific) docs. Prefer **examples**, documented patterns, or **user-owned** Terraform composed alongside this module. |
| 46 | + |
| 47 | +PRs that are **primarily AWS-only** should **link** the relevant official documentation so reviewers can confirm reference alignment. |
| 48 | + |
33 | 49 | ## Security |
34 | 50 |
35 | 51 | - Do not hardcode secrets or long-lived AWS keys in Terraform. Align with existing **`examples/`** and Red Hat guidance for STS, OIDC, and IRSA. Use **`sensitive`** where appropriate; avoid exposing secrets in outputs, state-adjacent logging, or ad-hoc debug prints. |
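Review bot: the in-scope and out-of-scope rules in the new "Module scope" section leave a gap. In scope requires that **all** three criteria hold (reference-aligned, high misconfiguration risk, sustainable), but the single out-of-scope bullet only covers patterns that are optional, vary widely, are not reference architecture **and** are not documented, so a pattern that is reference-aligned yet low-risk, or documented but hard to test, matches neither list and reviewers have no stated answer. Suggest making the out-of-scope rule the complement of the in-scope rule, e.g. "Out of scope: anything that does not satisfy all three criteria above, in particular optional AWS shapes that ...", and keeping the existing bullet as the illustrative case. Two smaller points: the sentence requiring "primarily AWS-only" PRs to link official documentation would be more actionable if it named where the link goes (PR description vs. a comment in the `.tf` file or the example README), and it is worth stating that composing user-owned Terraform alongside the module does not relax the rules in the "## Security" section that follows (no hardcoded long-lived keys, `sensitive` outputs, STS/OIDC/IRSA alignment), since examples are where that guidance is most likely to be skipped.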