
ROSAENG-6808 | feat: add OCM role submodule with required ROSA CLI tags#154

Merged
openshift-merge-bot[bot] merged 1 commit into terraform-redhat:main from olucasfreitas:ROSAENG-6808 on Jun 12, 2026

Conversation

@olucasfreitas

@olucasfreitas olucasfreitas commented May 29, 2026

Contributor

PR Summary

Add modules/ocm-role/ submodule that creates the AWS IAM OCM role with the tags required by the ROSA CLI, and an example showing composition with rhcs_rosa_ocm_role_link.

Detailed Description of the Issue

The ROSA CLI tags OCM IAM roles with red-hat-managed, rosa_role_prefix, rosa_role_type, rosa_environment, and conditionally rosa_admin_role. The terraform-rhcs-rosa-hcp module had no OCM role creation path, so customers using Terraform-only workflows had to tag the role manually or risk the role not being recognized by ROSA tooling.

This PR adds a standalone modules/ocm-role/ submodule that creates the OCM IAM role with the correct tags, builds the trust policy trusting RH-Managed-OpenShift-Installer in the OCM AWS account (with sts:ExternalId for the org ID), and attaches the appropriate permission policy (standard or admin) from data.rhcs_hcp_policies.ocm_role_policies.

The submodule is not wired into root main.tf because the OCM role is org-level (one per AWS account per organization), not cluster-level. Instead, the example at examples/ocm-role/ shows how to compose the submodule with rhcs_rosa_ocm_role_link for the full flow.

Related Issues and PRs

Type of Change

  • feat - adds a new module capability or new user-facing behavior.
  • fix - resolves incorrect module behavior or bug.
  • docs - updates documentation only.
  • style - formatting/naming changes with no logic impact.
  • refactor - module code restructuring with no behavior change.
  • test - adds or updates tests only.
  • chore - maintenance work (tooling, housekeeping, non-product code).
  • build - changes build system, packaging, or dependencies for build output.
  • ci - changes CI pipelines, jobs, or automation workflows.
  • perf - improves performance without changing intended behavior.

Previous Behavior

The HCP module had no OCM role creation path. Customers had to create and tag the OCM IAM role manually or via the ROSA CLI.

Behavior After This Change

Customers can call modules/ocm-role/ to create a compliant OCM IAM role with all required ROSA CLI-parity tags, then compose with rhcs_rosa_ocm_role_link to complete the OCM-side link.

Tags applied to the role match the ROSA CLI contract:

  • red-hat-managed = true
  • rosa_role_prefix = user-specified prefix
  • rosa_role_type = ocm
  • rosa_environment = OCM environment
  • rosa_admin_role = true (only when admin = true)

How to Test (Step-by-Step)

Preconditions

Terraform >= 1.0 installed. No live credentials needed for the mock-based tests.

Test Steps

  1. cd modules/ocm-role && terraform init -backend=false && terraform test
  2. terraform fmt -check -recursive modules/ocm-role/ examples/ocm-role/
  3. cd examples/ocm-role && terraform init -backend=false && terraform validate
  4. make terraform-docs && make verify-gen

Expected Results

All 6 tests pass (standard role, admin role, custom environment, invalid environment, prefix too long, prefix invalid chars). Format check and validate pass. Docs are up to date.

Proof of the Fix

  • Logs/CLI output: terraform test — 6 passed, 0 failed
  • Other artifacts: Generated README.md for both submodule and example

Breaking Changes

  • No breaking changes
  • Yes, this PR introduces a breaking change (describe impact and migration plan below)

Breaking Change Details / Migration Plan

N/A

Developer Verification Checklist

  • AWS-only changes: This submodule uses rhcs data sources (rhcs_hcp_policies, rhcs_info) alongside AWS resources. Official docs linked: Understanding OCM role and User role for ROSA.
  • I checked if this affects terraform-rhcs-rosa-classic and submitted (or already submitted) a companion PR when needed. (ROSAENG-6809 tracks the classic module separately.)
  • Commit subject/title follows [JIRA-TICKET] | [TYPE]: <MESSAGE>.
  • PR description clearly explains both what changed and why.
  • Relevant Jira/GitHub issues and related PRs are linked.
  • Tests were added/updated where appropriate.
  • I manually tested the change.
  • make verify passes.
  • make verify-gen passes.
  • Documentation was added/updated where appropriate (see make terraform-docs).
  • Any risk, limitation, or follow-up work is documented.

Risks / Follow-ups

  • The no-console profile tag (rosa_no_console_role) is deferred until the tag contract is confirmed in the ROSA CLI.
  • This submodule requires rhcs >= 1.7.6 (provider with ocm_role_policies support). Root versions.tf already declares this floor.
  • The sibling classic module update is tracked separately in ROSAENG-6809.

Summary by CodeRabbit

  • New Features

    • Added an OCM IAM role module to create AWS roles with OCM integration, supporting standard, admin, and no-console profiles, conditional linking, and outputs for role ARN/name/link ID.
  • Documentation

    • Added comprehensive module and example docs with usage examples and embedded automated Terraform docs (requirements, inputs, outputs).
  • Examples

    • Added a runnable example showing module usage, variables, and example outputs.
  • Tests

    • Added test suite validating profiles, environment-derived tags, and input validations.
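The tag contract and trust-policy shape described in the PR lend themselves to a post-apply check on the role that actually exists in the account. The following Python is an added example, not code from this PR or from the terraform-rhcs-rosa-hcp module: it reads a role in the shape boto3's iam.get_role()["Role"] returns and reports each deviation from the tags listed above, the role naming pattern asserted in the PR's tests, and a trust policy restricted to the installer role with an sts:ExternalId condition carrying the org ID. The OCM account ID, the org ID and both sample roles are constructed placeholders; the real account ID and trust-policy JSON come from the rhcs_hcp_policies data source, which this example does not call.

```python
"""Contract check for an OCM IAM role (added example, not module code)."""
import json

# Principal role name the PR says the trust policy trusts.
INSTALLER_ROLE_NAME = "RH-Managed-OpenShift-Installer"
OCM_ACCOUNT_ID = "111122223333"  # constructed placeholder, not the real OCM account
ORG_ID = "orgext123"             # constructed; mirrors the mock org ID in the PR's tests


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_tags(role, prefix, environment, admin):
    """Findings against the ROSA CLI tag contract listed in the PR description."""
    findings = []
    tags = {t["Key"]: t["Value"] for t in role.get("Tags", [])}
    expected = {
        "red-hat-managed": "true",
        "rosa_role_prefix": prefix,
        "rosa_role_type": "ocm",  # PR text writes ocm, its tests assert "OCM": accept either
        "rosa_environment": environment,
    }
    for key, want in expected.items():
        got = tags.get(key)
        if got is None:
            findings.append(f"missing tag {key}")
        elif got != want and not (key == "rosa_role_type" and got.lower() == want):
            findings.append(f"tag {key}={got!r}, expected {want!r}")
    if admin and tags.get("rosa_admin_role") != "true":
        findings.append("admin role is missing rosa_admin_role=true")
    if not admin and "rosa_admin_role" in tags:
        findings.append("standard role must not carry rosa_admin_role")
    return findings


def check_trust_policy(role, ocm_account_id, org_id):
    """Findings against the trust-policy shape the PR describes."""
    findings = []
    doc = role["AssumeRolePolicyDocument"]
    if isinstance(doc, str):  # get_role returns a dict; stored JSON is also common
        doc = json.loads(doc)
    want_principal = f"arn:aws:iam::{ocm_account_id}:role/{INSTALLER_ROLE_NAME}"
    assume_stmts = [
        s for s in _as_list(doc.get("Statement"))
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))
    ]
    if not assume_stmts:
        return ["no Allow sts:AssumeRole statement"]
    for stmt in assume_stmts:
        principal = stmt.get("Principal", {})
        trusted = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        for p in trusted:
            if p != want_principal:
                findings.append(f"unexpected trusted principal {p!r}")
        if want_principal not in trusted:
            findings.append("installer role is not a trusted principal")
        ext_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not ext_ids:
            findings.append("sts:AssumeRole statement has no sts:ExternalId condition")
        elif ext_ids != [org_id]:
            findings.append(f"sts:ExternalId {ext_ids!r} does not match org ID {org_id!r}")
    return findings


def check_ocm_role(role, prefix, environment, admin, ocm_account_id, org_id):
    """Empty list means the role matches the contract; otherwise one entry per deviation."""
    findings = []
    if role.get("RoleName") != f"{prefix}-OCM-Role-{org_id}":  # pattern from the PR's tests
        findings.append(f"role name {role.get('RoleName')!r} does not follow the ROSA CLI pattern")
    findings += check_tags(role, prefix, environment, admin)
    findings += check_trust_policy(role, ocm_account_id, org_id)
    return findings


# Constructed role as the module would create it (shape of iam.get_role()["Role"]).
COMPLIANT_ROLE = {
    "RoleName": "ManagedOpenShift-OCM-Role-orgext123",
    "Tags": [{"Key": "red-hat-managed", "Value": "true"},
             {"Key": "rosa_role_prefix", "Value": "ManagedOpenShift"},
             {"Key": "rosa_role_type", "Value": "OCM"},
             {"Key": "rosa_environment", "Value": "production"}],
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:aws:iam::{OCM_ACCOUNT_ID}:role/{INSTALLER_ROLE_NAME}"},
        "Condition": {"StringEquals": {"sts:ExternalId": ORG_ID}}}]},
}

# Constructed hand-tagged role: wildcard principal, no ExternalId, stray admin tag.
DRIFTED_ROLE = {
    "RoleName": "ManagedOpenShift-OCM-Role-orgext123",
    "Tags": [{"Key": "red-hat-managed", "Value": "true"},
             {"Key": "rosa_role_prefix", "Value": "ManagedOpenShift"},
             {"Key": "rosa_role_type", "Value": "OCM"},
             {"Key": "rosa_admin_role", "Value": "true"}],
    "AssumeRolePolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Principal": "*"}]}),
}

if __name__ == "__main__":
    for name, role in (("compliant", COMPLIANT_ROLE), ("drifted", DRIFTED_ROLE)):
        print(name, check_ocm_role(role, "ManagedOpenShift", "production", False, OCM_ACCOUNT_ID, ORG_ID))
```

Run against a live account by replacing the sample dicts with iam.get_role(RoleName=...)["Role"] and passing the real OCM account ID; an empty findings list is the pass condition, which makes the function easy to wire into a pipeline step after terraform apply.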

@coderabbitai

coderabbitai Bot commented May 29, 2026



No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between a01e04b and 6bc8147.

📒 Files selected for processing (11)
  • examples/ocm-role/README.md
  • examples/ocm-role/main.tf
  • examples/ocm-role/outputs.tf
  • examples/ocm-role/variables.tf
  • examples/ocm-role/versions.tf
  • modules/ocm-role/README.md
  • modules/ocm-role/main.tf
  • modules/ocm-role/outputs.tf
  • modules/ocm-role/tests/ocm_role.tftest.hcl
  • modules/ocm-role/variables.tf
  • modules/ocm-role/versions.tf

Walkthrough

Adds an OCM IAM role Terraform module with input validation, conditional IAM policies, role linking, outputs, comprehensive tests, module/docs, and a runnable example with version constraints.

Changes

OCM Role Module and Example

Layer: Module inputs, validations and version constraints
File(s): modules/ocm-role/variables.tf, modules/ocm-role/versions.tf
Summary: Input variables for ocm_role_prefix (regex and length validation), profile (enum: standard/admin/no-console), path, permissions_boundary, tags, and create_link; module requires Terraform >= 1.0, aws >= 6.0, rhcs >= 1.7.7.

Layer: IAM role, tags, data sources, and conditional policies
File(s): modules/ocm-role/main.tf
Summary: Computes role name/path/tags from inputs and RHCS data, uses RHCS-provided trust/permission JSON, creates aws_iam_role, conditionally creates and attaches standard/admin/no-console permission policies, and optionally creates rhcs_rosa_ocm_role_link.

Layer: Module outputs
File(s): modules/ocm-role/outputs.tf
Summary: Exports role_arn and role_name from aws_iam_role, and role_link_id with try(..., null) when the link isn't created.

Layer: Test harness and plan tests
File(s): modules/ocm-role/tests/ocm_role.tftest.hcl
Summary: Mocked aws and rhcs providers, plan assertions for standard/admin/no-console profiles, environment derivation tests (staging/integration), and validation-failure cases for invalid profile/prefix.

Layer: Module documentation
File(s): modules/ocm-role/README.md
Summary: Describes module purpose, example usage with pinned version, and an automated Terraform docs block listing requirements, providers, data sources, inputs, and outputs.

Layer: Example usage, variables, outputs, versions, and README
File(s): examples/ocm-role/variables.tf, examples/ocm-role/versions.tf, examples/ocm-role/main.tf, examples/ocm-role/outputs.tf, examples/ocm-role/README.md
Summary: Example Terraform configuration instantiating the module with ocm_role_prefix and profile, example-level variables and outputs (role_arn, role_name, role_link_id), version constraints, and example README with automated docs block.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

lgtm, ok-to-test

Suggested reviewers

  • gdbranco
  • BraeTroutman
  • amandahla
Pre-merge checks: 6 passed
  • Title check: Passed. The PR title clearly and specifically describes the main change: adding a new OCM role submodule with required ROSA CLI tags.
  • Description check: Passed. The PR description is comprehensive and complete, covering all required sections: summary, detailed issue description, related issues/PRs, type of change (feat), previous/new behavior, test steps, proof, breaking changes, and developer verification checklist.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Pr Checklist Claims Vs Evidence (Generic): Passed. PR checklist claims generally match evidence: new ocm-role module uses rhcs data sources + AWS IAM resources and READMEs include automated docs blocks; items about manual testing and make verify/ve...


@olucasfreitas olucasfreitas force-pushed the ROSAENG-6808 branch 2 times, most recently from 569daf9 to 47c873a Compare May 29, 2026 18:01
@olucasfreitas olucasfreitas marked this pull request as draft May 29, 2026 18:01
@olucasfreitas olucasfreitas marked this pull request as ready for review June 8, 2026 18:28
@openshift-ci openshift-ci Bot requested a review from gdbranco June 8, 2026 18:28

@robpblake robpblake left a comment


@olucasfreitas You haven't included the ability for customers to use the --no-console option here. That is a critical requirement.


@robpblake robpblake left a comment


Minor comments, @olucasfreitas.

Have you tested that this creates and successfully links the various OCM Role profiles?

@olucasfreitas olucasfreitas force-pushed the ROSAENG-6808 branch 2 times, most recently from 6ea1d78 to ac082ef Compare June 10, 2026 17:56
@robpblake


This looks good to me, but I'll defer to @amandahla for final sign-off.

@amandahla

Member

/approve
/lgtm

The security-check can be ignored, I need to fix this one, sorry for the noise.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1


Inline comments:
In `@modules/ocm-role/tests/ocm_role.tftest.hcl`:
- Around line 98-165: Add a new test run that exercises the branch where
create_link = false: duplicate the existing "standard_ocm_role_plan" run (or
create a new run name) but set variables { ocm_role_prefix = "ManagedOpenShift"
create_link = false } and add an assert that
length(rhcs_rosa_ocm_role_link.this) == 0 (with an appropriate error_message).
Ensure the new run keeps necessary providers and other asserts unchanged except
remove or adjust the existing assert that expects
rhcs_rosa_ocm_role_link.this[0].id so both link-present and link-absent
scenarios are covered.

📥 Commits

Reviewing files that changed from the base of the PR and between 6ea1d78 and a01e04b.

📒 Files selected for processing (11)
  • examples/ocm-role/README.md
  • examples/ocm-role/main.tf
  • examples/ocm-role/outputs.tf
  • examples/ocm-role/variables.tf
  • examples/ocm-role/versions.tf
  • modules/ocm-role/README.md
  • modules/ocm-role/main.tf
  • modules/ocm-role/outputs.tf
  • modules/ocm-role/tests/ocm_role.tftest.hcl
  • modules/ocm-role/variables.tf
  • modules/ocm-role/versions.tf

Comment on lines +98 to +165
# Standard OCM role (default profile) -- plans successfully with correct tags, naming, and link.
run "standard_ocm_role_plan" {
command = plan

providers = {
rhcs = rhcs.prod
aws = aws.default
}

variables {
ocm_role_prefix = "ManagedOpenShift"
}

assert {
condition = aws_iam_role.ocm_role.name == "ManagedOpenShift-OCM-Role-orgext123"
error_message = "Expected OCM role name to follow the ROSA CLI naming pattern."
}

assert {
condition = aws_iam_role.ocm_role.tags["red-hat-managed"] == "true"
error_message = "Expected red-hat-managed tag to be true."
}

assert {
condition = aws_iam_role.ocm_role.tags["rosa_role_prefix"] == "ManagedOpenShift"
error_message = "Expected rosa_role_prefix tag to match the prefix variable."
}

assert {
condition = aws_iam_role.ocm_role.tags["rosa_role_type"] == "OCM"
error_message = "Expected rosa_role_type tag to be OCM."
}

assert {
condition = aws_iam_role.ocm_role.tags["rosa_environment"] == "production"
error_message = "Expected rosa_environment tag to default to production."
}

assert {
condition = !contains(keys(aws_iam_role.ocm_role.tags), "rosa_admin_role")
error_message = "Standard role must not have rosa_admin_role tag."
}

assert {
condition = !contains(keys(aws_iam_role.ocm_role.tags), "rosa_no_console_role")
error_message = "Standard role must not have rosa_no_console_role tag."
}

assert {
condition = length(aws_iam_policy.standard_permission_policy) == 1
error_message = "Standard role must create the standard permission policy."
}

assert {
condition = length(aws_iam_policy.ocm_admin_permission_policy) == 0
error_message = "Standard role must not create the admin permission policy."
}

assert {
condition = length(aws_iam_policy.ocm_no_console_permission_policy) == 0
error_message = "Standard role must not create the no-console permission policy."
}

assert {
condition = rhcs_rosa_ocm_role_link.this[0].id == "ocm-link-id"
error_message = "Expected the module to create the OCM-side link resource."
}
}
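Review bot: the assertion `condition = aws_iam_role.ocm_role.tags["rosa_role_type"] == "OCM"` expects the upper-case value, while the PR description states the contract as `rosa_role_type = ocm`. AWS tag values are compared case-sensitively, so a role tagged by this module and one tagged by the ROSA CLI would not match the same tag filter if the casings differ; confirm which value the CLI writes and align either the description or the test (and the module) with it. The same run also hard-codes `rhcs_rosa_ocm_role_link.this[0].id == "ocm-link-id"`, which only checks the mock's return value; asserting on `length(rhcs_rosa_ocm_role_link.this) == 1` would express the intent ("the link is created") without depending on the mock data.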


🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add test coverage for create_link = false.

The module has a create_link boolean variable that conditionally creates the rhcs_rosa_ocm_role_link resource. The current test suite only covers the default create_link = true case (line 162 asserts the link resource exists). As per coding guidelines, when module behavior branches on boolean variables (e.g., link creation), prefer multiple separated test scenarios to cover both true/false outcomes.

Add a test run that sets create_link = false and asserts that length(rhcs_rosa_ocm_role_link.this) == 0.

🧪 Suggested test case for create_link = false
+# OCM role without creating the OCM-side link.
+run "ocm_role_without_link_plan" {
+  command = plan
+
+  providers = {
+    rhcs = rhcs.prod
+    aws  = aws.default
+  }
+
+  variables {
+    ocm_role_prefix = "ManagedOpenShift"
+    create_link     = false
+  }
+
+  assert {
+    condition     = aws_iam_role.ocm_role.name == "ManagedOpenShift-OCM-Role-orgext123"
+    error_message = "Expected OCM role to be created even when link is not created."
+  }
+
+  assert {
+    condition     = length(rhcs_rosa_ocm_role_link.this) == 0
+    error_message = "Expected no OCM link resource when create_link is false."
+  }
+}
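Review bot: the suggested run asserts only the role name and the absence of the link resource, so it would not catch a regression that accidentally ties permission-policy creation to `create_link`. Carry over the policy assertion from the standard run, `condition = length(aws_iam_policy.standard_permission_policy) == 1`, so the test shows that the link flag changes nothing except the link. The role-name assertion duplicates the standard run's check and could be dropped in favour of that one.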

@amandahla

Member

/approve
/lgtm
/override ci/prow/security-check

@openshift-ci openshift-ci Bot added the lgtm label Jun 11, 2026
@openshift-ci

openshift-ci Bot commented Jun 11, 2026


@amandahla: Overrode contexts on behalf of amandahla: ci/prow/security-check


In response to this:

/approve
/lgtm
/override ci/prow/security-check


@openshift-ci

openshift-ci Bot commented Jun 11, 2026


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amandahla, olucasfreitas


Needs approval from an approver in each of these files:
  • OWNERS [amandahla,olucasfreitas]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jun 11, 2026


@olucasfreitas: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • Test name: ci/prow/verify-gen; Commit: 10d521a; Required: true; Rerun command: /test verify-gen



Add modules/ocm-role/ that creates the AWS IAM OCM role with the tags
the ROSA CLI applies (red-hat-managed, rosa_role_prefix, rosa_role_type,
rosa_environment, and conditional rosa_admin_role). Permission policies
are read from the rhcs_hcp_policies data source using the policy IDs
confirmed in terraform-provider-rhcs PR #1156.

The submodule outputs role_arn for composition with the provider's
rhcs_rosa_ocm_role_link resource. An example and tests are included.

Signed-off-by: lufreita <lufreita@redhat.com>
@olucasfreitas

Contributor Author

/override ci/prow/rosa-hcp-public
/override ci/prow/rosa-hcp-private

@openshift-ci

openshift-ci Bot commented Jun 12, 2026


@olucasfreitas: Overrode contexts on behalf of olucasfreitas: ci/prow/rosa-hcp-private, ci/prow/rosa-hcp-public

Details

In response to this:

/override ci/prow/rosa-hcp-public
/override ci/prow/rosa-hcp-private


@amandahla

Member

/lgtm

@openshift-ci openshift-ci Bot added the lgtm label Jun 12, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit 33c9f18 into terraform-redhat:main Jun 12, 2026
11 checks passed
