|
| 1 | +# Private ROSA HCP with Additional Control Plane Security Groups |
| 2 | + |
| 3 | +## Introduction |
| 4 | + |
| 5 | +This is a Terraform manifest example for creating a Red Hat OpenShift Service on AWS (ROSA) Hosted Control Plane (HCP) cluster. This example provides a structured configuration template that demonstrates how to deploy a ROSA cluster within your AWS environment by using Terraform. |
| 6 | + |
| 7 | +This example includes: |
| 8 | +- A ROSA cluster with private access. |
| 9 | +- Additional security groups attached to the control plane VPC endpoint. |
| 10 | +- All AWS resources (IAM and networking) that are created as part of the ROSA cluster module execution. |
| 11 | +- A bastion host EC2 instance that allows to reach the private cluster. |
| 12 | + |
| 13 | +## Example Usage |
| 14 | + |
| 15 | +``` |
| 16 | +############################ |
| 17 | +# Additional Security Groups |
| 18 | +############################ |
| 19 | +resource "aws_security_group" "sg1" { |
| 20 | + name = "my-cluster-sg1" |
| 21 | + description = "Additional SG 1" |
| 22 | + vpc_id = module.vpc.vpc_id |
| 23 | +
|
| 24 | + tags = { |
| 25 | + Name = "my-cluster-sg1" |
| 26 | + } |
| 27 | +} |
| 28 | +resource "aws_vpc_security_group_ingress_rule" "sg1" { |
| 29 | + security_group_id = aws_security_group.sg1.id |
| 30 | + cidr_ipv4 = "172.16.0.0/16" |
| 31 | + from_port = 443 |
| 32 | + ip_protocol = "tcp" |
| 33 | + to_port = 443 |
| 34 | +} |
| 35 | +
|
| 36 | +resource "aws_security_group" "sg2" { |
| 37 | + name = "my-cluster-sg2" |
| 38 | + description = "Additional SG 2" |
| 39 | + vpc_id = module.vpc.vpc_id |
| 40 | +
|
| 41 | + tags = { |
| 42 | + Name = "my-cluster-sg2" |
| 43 | + } |
| 44 | +} |
| 45 | +resource "aws_vpc_security_group_ingress_rule" "sg2" { |
| 46 | + security_group_id = aws_security_group.sg2.id |
| 47 | + cidr_ipv4 = "192.168.0.0/16" |
| 48 | + from_port = 443 |
| 49 | + ip_protocol = "tcp" |
| 50 | + to_port = 443 |
| 51 | +} |
| 52 | +
|
| 53 | +############################ |
| 54 | +# Cluster |
| 55 | +############################ |
| 56 | +module "hcp" { |
| 57 | + source = "terraform-redhat/rosa-hcp/rhcs" |
| 58 | + version = "1.6.2" |
| 59 | +
|
| 60 | + cluster_name = "my-cluster" |
| 61 | + openshift_version = "4.14.24" |
| 62 | + machine_cidr = module.vpc.cidr_block |
| 63 | + aws_subnet_ids = module.vpc.private_subnets |
| 64 | + replicas = 2 |
| 65 | + private = true |
| 66 | + create_admin_user = true |
| 67 | + admin_credentials_username = "admin" |
| 68 | + admin_credentials_password = random_password.password.result |
| 69 | + ec2_metadata_http_tokens = "required" |
| 70 | + aws_additional_control_plane_security_group_ids = [aws_security_group.sg1.id, aws_security_group.sg2.id] |
| 71 | +
|
| 72 | + // STS configuration |
| 73 | + create_account_roles = true |
| 74 | + account_role_prefix = "my-cluster-account" |
| 75 | + create_oidc = true |
| 76 | + create_operator_roles = true |
| 77 | + operator_role_prefix = "my-cluster-operator" |
| 78 | +} |
| 79 | +
|
| 80 | +resource "random_password" "password" { |
| 81 | + length = 14 |
| 82 | + special = true |
| 83 | + min_lower = 1 |
| 84 | + min_numeric = 1 |
| 85 | + min_special = 1 |
| 86 | + min_upper = 1 |
| 87 | +} |
| 88 | +
|
| 89 | +############################ |
| 90 | +# VPC |
| 91 | +############################ |
| 92 | +module "vpc" { |
| 93 | + source = "terraform-redhat/rosa-hcp/rhcs//modules/vpc" |
| 94 | +
|
| 95 | + name_prefix = "my-cluster" |
| 96 | + availability_zones_count = 1 |
| 97 | +} |
| 98 | +
|
| 99 | +############################ |
| 100 | +# Bastion instance for connection to the cluster |
| 101 | +############################ |
| 102 | +module "bastion_host" { |
| 103 | + source = "terraform-redhat/rosa-hcp/rhcs//modules/bastion-host" |
| 104 | + prefix = "my-cluster" |
| 105 | + vpc_id = module.vpc.vpc_id |
| 106 | + subnet_ids = [module.vpc.public_subnets[0]] |
| 107 | +} |
| 108 | +``` |
| 109 | + |
| 110 | +<!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK --> |
| 111 | +## Requirements |
| 112 | + |
| 113 | +| Name | Version | |
| 114 | +| ---- | ------- | |
| 115 | +| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 | |
| 116 | +| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.35.0 | |
| 117 | +| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 | |
| 118 | +| <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs) | >= 1.6.2 | |
| 119 | + |
| 120 | +## Providers |
| 121 | + |
| 122 | +| Name | Version | |
| 123 | +| ---- | ------- | |
| 124 | +| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.35.0 | |
| 125 | +| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 | |
| 126 | + |
| 127 | +## Modules |
| 128 | + |
| 129 | +| Name | Source | Version | |
| 130 | +| ---- | ------ | ------- | |
| 131 | +| <a name="module_bastion_host"></a> [bastion\_host](#module\_bastion\_host) | ../../modules/bastion-host | n/a | |
| 132 | +| <a name="module_hcp"></a> [hcp](#module\_hcp) | ../../ | n/a | |
| 133 | +| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../modules/vpc | n/a | |
| 134 | + |
| 135 | +## Resources |
| 136 | + |
| 137 | +| Name | Type | |
| 138 | +| ---- | ---- | |
| 139 | +| [aws_security_group.sg1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | |
| 140 | +| [aws_security_group.sg2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | |
| 141 | +| [aws_vpc_security_group_ingress_rule.sg1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | |
| 142 | +| [aws_vpc_security_group_ingress_rule.sg2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | |
| 143 | +| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | |
| 144 | + |
| 145 | +## Inputs |
| 146 | + |
| 147 | +| Name | Description | Type | Default | Required | |
| 148 | +| ---- | ----------- | ---- | ------- | :------: | |
| 149 | +| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the cluster. After the creation of the resource, it is not possible to update the attribute value. | `string` | n/a | yes | |
| 150 | +| <a name="input_openshift_version"></a> [openshift\_version](#input\_openshift\_version) | The required version of Red Hat OpenShift for the cluster, for example '4.1.0'. If version is greater than the currently running version, an upgrade will be scheduled. | `string` | `"4.19.3"` | no | |
| 151 | + |
| 152 | +## Outputs |
| 153 | + |
| 154 | +| Name | Description | |
| 155 | +| ---- | ----------- | |
| 156 | +| <a name="output_account_role_prefix"></a> [account\_role\_prefix](#output\_account\_role\_prefix) | The prefix used for all generated AWS resources. | |
| 157 | +| <a name="output_account_roles_arn"></a> [account\_roles\_arn](#output\_account\_roles\_arn) | A map of Amazon Resource Names (ARNs) associated with the AWS IAM roles created. The key in the map represents the name of an AWS IAM role, while the corresponding value represents the associated Amazon Resource Name (ARN) of that role. | |
| 158 | +| <a name="output_additional_security_group_ids"></a> [additional\_security\_group\_ids](#output\_additional\_security\_group\_ids) | List of additional security groups that have been added to the control plane VPC endpoint | |
| 159 | +| <a name="output_bastion_host_pem_path"></a> [bastion\_host\_pem\_path](#output\_bastion\_host\_pem\_path) | Bastion Host key file path | |
| 160 | +| <a name="output_bastion_host_public_ip"></a> [bastion\_host\_public\_ip](#output\_bastion\_host\_public\_ip) | Bastion Host Public IP | |
| 161 | +| <a name="output_cluster_api_url"></a> [cluster\_api\_url](#output\_cluster\_api\_url) | The URL of the API server. | |
| 162 | +| <a name="output_cluster_console_url"></a> [cluster\_console\_url](#output\_cluster\_console\_url) | The URL of the console. | |
| 163 | +| <a name="output_cluster_id"></a> [cluster\_id](#output\_cluster\_id) | Unique identifier of the cluster. | |
| 164 | +| <a name="output_oidc_config_id"></a> [oidc\_config\_id](#output\_oidc\_config\_id) | The unique identifier associated with users authenticated through OpenID Connect (OIDC) generated by this OIDC config. | |
| 165 | +| <a name="output_oidc_endpoint_url"></a> [oidc\_endpoint\_url](#output\_oidc\_endpoint\_url) | Registered OIDC configuration issuer URL, generated by this OIDC config. | |
| 166 | +| <a name="output_operator_role_prefix"></a> [operator\_role\_prefix](#output\_operator\_role\_prefix) | Prefix used for generated AWS operator policies. | |
| 167 | +| <a name="output_operator_roles_arn"></a> [operator\_roles\_arn](#output\_operator\_roles\_arn) | List of Amazon Resource Names (ARNs) for all operator roles created. | |
| 168 | +| <a name="output_password"></a> [password](#output\_password) | n/a | |
| 169 | +| <a name="output_path"></a> [path](#output\_path) | The arn path for the account/operator roles as well as their policies. | |
| 170 | +<!-- END_AUTOMATED_TF_DOCS_BLOCK --> |