
Commit f8273ef

committed
OCM-23504 | test: Adding example for additional cp sgs
1 parent 62b0b3a commit f8273ef

5 files changed

Lines changed: 374 additions & 0 deletions


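--- /dev/null
+++ b/<PATH_NOT_SHOWN_ON_PAGE_FILE1>
@@ -0,0 +1,170 @@
+# Private ROSA HCP with Additional Control Plane Security Groups
+
+## Introduction
+
+This is a Terraform manifest example for creating a Red Hat OpenShift Service on AWS (ROSA) Hosted Control Plane (HCP) cluster. This example provides a structured configuration template that demonstrates how to deploy a ROSA cluster within your AWS environment by using Terraform.
+
+This example includes:
+- A ROSA cluster with private access.
+- Additional security groups attached to the control plane VPC endpoint.
+- All AWS resources (IAM and networking) that are created as part of the ROSA cluster module execution.
+- A bastion host EC2 instance that allows to reach the private cluster.
+
+## Example Usage
+
+```
+############################
+# Additional Security Groups
+############################
+resource "aws_security_group" "sg1" {
+name = "my-cluster-sg1"
+description = "Additional SG 1"
+vpc_id = module.vpc.vpc_id
+
+tags = {
+Name = "my-cluster-sg1"
+}
+}
+resource "aws_vpc_security_group_ingress_rule" "sg1" {
+security_group_id = aws_security_group.sg1.id
+cidr_ipv4 = "172.16.0.0/16"
+from_port = 443
+ip_protocol = "tcp"
+to_port = 443
+}
+
+resource "aws_security_group" "sg2" {
+name = "my-cluster-sg2"
+description = "Additional SG 2"
+vpc_id = module.vpc.vpc_id
+
+tags = {
+Name = "my-cluster-sg2"
+}
+}
+resource "aws_vpc_security_group_ingress_rule" "sg2" {
+security_group_id = aws_security_group.sg2.id
+cidr_ipv4 = "192.168.0.0/16"
+from_port = 443
+ip_protocol = "tcp"
+to_port = 443
+}
+
+############################
+# Cluster
+############################
+module "hcp" {
+source = "terraform-redhat/rosa-hcp/rhcs"
+version = "1.6.2"
+
+cluster_name = "my-cluster"
+openshift_version = "4.14.24"
+machine_cidr = module.vpc.cidr_block
+aws_subnet_ids = module.vpc.private_subnets
+replicas = 2
+private = true
+create_admin_user = true
+admin_credentials_username = "admin"
+admin_credentials_password = random_password.password.result
+ec2_metadata_http_tokens = "required"
+aws_additional_control_plane_security_group_ids = [aws_security_group.sg1.id, aws_security_group.sg2.id]
+
+// STS configuration
+create_account_roles = true
+account_role_prefix = "my-cluster-account"
+create_oidc = true
+create_operator_roles = true
+operator_role_prefix = "my-cluster-operator"
+}
+
+resource "random_password" "password" {
+length = 14
+special = true
+min_lower = 1
+min_numeric = 1
+min_special = 1
+min_upper = 1
+}
+
+############################
+# VPC
+############################
+module "vpc" {
+source = "terraform-redhat/rosa-hcp/rhcs//modules/vpc"
+
+name_prefix = "my-cluster"
+availability_zones_count = 1
+}
+
+############################
+# Bastion instance for connection to the cluster
+############################
+module "bastion_host" {
+source = "terraform-redhat/rosa-hcp/rhcs//modules/bastion-host"
+prefix = "my-cluster"
+vpc_id = module.vpc.vpc_id
+subnet_ids = [module.vpc.public_subnets[0]]
+}
+```
+
+<!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK -->
+## Requirements
+
+| Name | Version |
+| ---- | ------- |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.35.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
+| <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs) | >= 1.6.2 |
+
+## Providers
+
+| Name | Version |
+| ---- | ------- |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.35.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
+
+## Modules
+
+| Name | Source | Version |
+| ---- | ------ | ------- |
+| <a name="module_bastion_host"></a> [bastion\_host](#module\_bastion\_host) | ../../modules/bastion-host | n/a |
+| <a name="module_hcp"></a> [hcp](#module\_hcp) | ../../ | n/a |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../modules/vpc | n/a |
+
+## Resources
+
+| Name | Type |
+| ---- | ---- |
+| [aws_security_group.sg1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.sg2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_vpc_security_group_ingress_rule.sg1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
+| [aws_vpc_security_group_ingress_rule.sg2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
+| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+| ---- | ----------- | ---- | ------- | :------: |
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the cluster. After the creation of the resource, it is not possible to update the attribute value. | `string` | n/a | yes |
+| <a name="input_openshift_version"></a> [openshift\_version](#input\_openshift\_version) | The required version of Red Hat OpenShift for the cluster, for example '4.1.0'. If version is greater than the currently running version, an upgrade will be scheduled. | `string` | `"4.19.3"` | no |
+
+## Outputs
+
+| Name | Description |
+| ---- | ----------- |
+| <a name="output_account_role_prefix"></a> [account\_role\_prefix](#output\_account\_role\_prefix) | The prefix used for all generated AWS resources. |
+| <a name="output_account_roles_arn"></a> [account\_roles\_arn](#output\_account\_roles\_arn) | A map of Amazon Resource Names (ARNs) associated with the AWS IAM roles created. The key in the map represents the name of an AWS IAM role, while the corresponding value represents the associated Amazon Resource Name (ARN) of that role. |
+| <a name="output_additional_security_group_ids"></a> [additional\_security\_group\_ids](#output\_additional\_security\_group\_ids) | List of additional security groups that have been added to the control plane VPC endpoint |
+| <a name="output_bastion_host_pem_path"></a> [bastion\_host\_pem\_path](#output\_bastion\_host\_pem\_path) | Bastion Host key file path |
+| <a name="output_bastion_host_public_ip"></a> [bastion\_host\_public\_ip](#output\_bastion\_host\_public\_ip) | Bastion Host Public IP |
+| <a name="output_cluster_api_url"></a> [cluster\_api\_url](#output\_cluster\_api\_url) | The URL of the API server. |
+| <a name="output_cluster_console_url"></a> [cluster\_console\_url](#output\_cluster\_console\_url) | The URL of the console. |
+| <a name="output_cluster_id"></a> [cluster\_id](#output\_cluster\_id) | Unique identifier of the cluster. |
+| <a name="output_oidc_config_id"></a> [oidc\_config\_id](#output\_oidc\_config\_id) | The unique identifier associated with users authenticated through OpenID Connect (OIDC) generated by this OIDC config. |
+| <a name="output_oidc_endpoint_url"></a> [oidc\_endpoint\_url](#output\_oidc\_endpoint\_url) | Registered OIDC configuration issuer URL, generated by this OIDC config. |
+| <a name="output_operator_role_prefix"></a> [operator\_role\_prefix](#output\_operator\_role\_prefix) | Prefix used for generated AWS operator policies. |
+| <a name="output_operator_roles_arn"></a> [operator\_roles\_arn](#output\_operator\_roles\_arn) | List of Amazon Resource Names (ARNs) for all operator roles created. |
+| <a name="output_password"></a> [password](#output\_password) | n/a |
+| <a name="output_path"></a> [path](#output\_path) | The arn path for the account/operator roles as well as their policies. |
+<!-- END_AUTOMATED_TF_DOCS_BLOCK -->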
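--- /dev/null
+++ b/<PATH_NOT_SHOWN_ON_PAGE_FILE2>
@@ -0,0 +1,103 @@
+locals {
+account_role_prefix = "${var.cluster_name}-account"
+operator_role_prefix = "${var.cluster_name}-operator"
+}
+
+############################
+# Additional Security Groups
+############################
+resource "aws_security_group" "sg1" {
+name = "${var.cluster_name}-sg1"
+description = "Additional SG 1"
+vpc_id = module.vpc.vpc_id
+
+tags = {
+Name = "${var.cluster_name}-sg1"
+}
+}
+resource "aws_vpc_security_group_ingress_rule" "sg1" {
+security_group_id = aws_security_group.sg1.id
+cidr_ipv4 = "172.16.0.0/16"
+from_port = 443
+ip_protocol = "tcp"
+to_port = 443
+}
+
+resource "aws_security_group" "sg2" {
+name = "${var.cluster_name}-sg2"
+description = "Additional SG 2"
+vpc_id = module.vpc.vpc_id
+
+tags = {
+Name = "${var.cluster_name}-sg2"
+}
+}
+resource "aws_vpc_security_group_ingress_rule" "sg2" {
+security_group_id = aws_security_group.sg2.id
+cidr_ipv4 = "192.168.0.0/16"
+from_port = 443
+ip_protocol = "tcp"
+to_port = 443
+}
+
+locals {
+additional_sg_ids = [
+aws_security_group.sg1.id,
+aws_security_group.sg2.id,
+]
+}
+
+############################
+# Cluster
+############################
+module "hcp" {
+source = "../../"
+
+cluster_name = var.cluster_name
+openshift_version = var.openshift_version
+machine_cidr = module.vpc.cidr_block
+aws_subnet_ids = module.vpc.private_subnets
+replicas = 2
+private = true
+create_admin_user = true
+admin_credentials_username = "admin"
+admin_credentials_password = random_password.password.result
+ec2_metadata_http_tokens = "required"
+aws_additional_control_plane_security_group_ids = local.additional_sg_ids
+
+// STS configuration
+create_account_roles = true
+account_role_prefix = local.account_role_prefix
+create_oidc = true
+create_operator_roles = true
+operator_role_prefix = local.operator_role_prefix
+}
+
+resource "random_password" "password" {
+length = 14
+special = true
+min_lower = 1
+min_numeric = 1
+min_special = 1
+min_upper = 1
+}
+
+############################
+# VPC
+############################
+module "vpc" {
+source = "../../modules/vpc"
+
+name_prefix = var.cluster_name
+availability_zones_count = 1
+}
+
+############################
+# Bastion instance for connection to the cluster
+############################
+module "bastion_host" {
+source = "../../modules/bastion-host"
+prefix = var.cluster_name
+vpc_id = module.vpc.vpc_id
+subnet_ids = [module.vpc.public_subnets[0]]
+}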
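Review bot: The two ingress rules hard-code `cidr_ipv4 = "172.16.0.0/16"` and `cidr_ipv4 = "192.168.0.0/16"`, which are unrelated to the VPC this example actually creates (`module.vpc.cidr_block`, already used for `machine_cidr`), so as written the extra groups do not obviously admit traffic from the example's own network and a reader copying the example gets two arbitrary RFC 1918 ranges opened on 443 with no explanation. If the intent is to show VPC-local access, `cidr_ipv4 = module.vpc.cidr_block` on at least one rule ties the example together; otherwise a short comment such as `# sample CIDRs only -- replace with the networks that must reach the control plane endpoint` and a list variable would make the intent explicit. Note also that the `aws_security_group` resources declare no egress, so the provider strips the default allow-all egress rule; that is acceptable for an endpoint-attached inbound allow-list but is worth a one-line comment since it is a common surprise.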
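--- /dev/null
+++ b/<PATH_NOT_SHOWN_ON_PAGE_FILE3>
@@ -0,0 +1,69 @@
+output "bastion_host_public_ip" {
+value = module.bastion_host.bastion_host_public_ip
+description = "Bastion Host Public IP"
+}
+
+output "bastion_host_pem_path" {
+value = module.bastion_host.bastion_host_pem_path
+description = "Bastion Host key file path"
+}
+
+output "cluster_id" {
+value = module.hcp.cluster_id
+description = "Unique identifier of the cluster."
+}
+
+output "cluster_api_url" {
+value = module.hcp.cluster_api_url
+description = "The URL of the API server."
+}
+
+output "cluster_console_url" {
+value = module.hcp.cluster_console_url
+description = "The URL of the console."
+}
+
+output "account_role_prefix" {
+value = module.hcp.account_role_prefix
+description = "The prefix used for all generated AWS resources."
+}
+
+output "account_roles_arn" {
+value = module.hcp.account_roles_arn
+description = "A map of Amazon Resource Names (ARNs) associated with the AWS IAM roles created. The key in the map represents the name of an AWS IAM role, while the corresponding value represents the associated Amazon Resource Name (ARN) of that role."
+}
+
+output "path" {
+value = module.hcp.path
+description = "The arn path for the account/operator roles as well as their policies."
+}
+
+output "oidc_config_id" {
+value = module.hcp.oidc_config_id
+description = "The unique identifier associated with users authenticated through OpenID Connect (OIDC) generated by this OIDC config."
+}
+
+output "oidc_endpoint_url" {
+value = module.hcp.oidc_endpoint_url
+description = "Registered OIDC configuration issuer URL, generated by this OIDC config."
+}
+
+output "operator_role_prefix" {
+value = module.hcp.operator_role_prefix
+description = "Prefix used for generated AWS operator policies."
+}
+
+output "operator_roles_arn" {
+value = module.hcp.operator_roles_arn
+description = "List of Amazon Resource Names (ARNs) for all operator roles created."
+}
+
+output "password" {
+value = resource.random_password.password
+sensitive = true
+}
+
+output "additional_security_group_ids" {
+value = local.additional_sg_ids
+description = "List of additional security groups that have been added to the control plane VPC endpoint"
+}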
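Review bot: The `password` output is the only one in the file without a `description`, which is why the generated README table shows `n/a` for it; `description = "Generated password for the cluster admin user (sensitive)."` would close that gap. It also exports the whole `random_password.password` resource object rather than the `.result` attribute that `module.hcp` consumes, so a consumer gets every attribute of the resource instead of the one value they need; `value = random_password.password.result` keeps the output aligned with how the rest of the example uses it, and `sensitive = true` must stay either way.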
Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
variable "openshift_version" {
2+
type = string
3+
default = "4.19.3"
4+
description = "The required version of Red Hat OpenShift for the cluster, for example '4.1.0'. If version is greater than the currently running version, an upgrade will be scheduled."
5+
validation {
6+
condition = can(regex("^[0-9]*[0-9]+.[0-9]*[0-9]+.[0-9]*[0-9]+$", var.openshift_version))
7+
error_message = "openshift_version must be with structure <major>.<minor>.<patch> (for example 4.13.6)."
8+
}
9+
}
10+
11+
variable "cluster_name" {
12+
type = string
13+
description = "Name of the cluster. After the creation of the resource, it is not possible to update the attribute value."
14+
}
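Review bot: The `openshift_version` validation regex leaves the two separator dots unescaped, so `.` matches any character and a value like `4x19y3` passes the check even though the error message promises a strict `<major>.<minor>.<patch>` shape; the `[0-9]*[0-9]+` runs also reduce to `[0-9]+`. In an HCL string the backslash itself has to be escaped, so the condition should read `condition = can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+$", var.openshift_version))`. The `cluster_name` variable has no validation at all; that is probably fine for an example, but a brief comment noting that the module enforces naming constraints downstream would set expectations.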
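--- /dev/null
+++ b/<PATH_NOT_SHOWN_ON_PAGE_FILE5>
@@ -0,0 +1,18 @@
+terraform {
+required_version = ">= 1.0"
+
+required_providers {
+aws = {
+source = "hashicorp/aws"
+version = ">= 5.35.0"
+}
+rhcs = {
+version = ">= 1.6.2"
+source = "terraform-redhat/rhcs"
+}
+random = {
+source = "hashicorp/random"
+version = ">= 2.0"
+}
+}
+}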
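Review bot: The `rhcs` provider block lists `version` before `source`, while the `aws` and `random` blocks in the same file put `source` first; ordering it the same way (`source = "terraform-redhat/rhcs"` then `version = ">= 1.6.2"`) keeps the three entries scannable as a unit. All three constraints are open-ended lower bounds, which is the usual choice for an example, but a one-line comment that a consumer should pin exact versions via a lock file before production use would make that explicit.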
