ROSAENG-6808 | feat: add OCM role submodule with required ROSA CLI tags #154
Merged: openshift-merge-bot merged 1 commit into terraform-redhat:main from olucasfreitas:ROSAENG-6808 on Jun 12, 2026.
| @@ -0,0 +1,42 @@ | ||
| # ocm-role example | ||
|
|
||
| Creates and links an OCM IAM role with the required ROSA CLI-parity tags using the `ocm-role` module. | ||
|
|
||
| <!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK --> | ||
| ## Requirements | ||
|
|
||
| | Name | Version | | ||
| | ---- | ------- | | ||
| | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 | | ||
| | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 | | ||
| | <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs) | >= 1.7.7 | | ||
|
|
||
| ## Providers | ||
|
|
||
| No providers. | ||
|
|
||
| ## Modules | ||
|
|
||
| | Name | Source | Version | | ||
| | ---- | ------ | ------- | | ||
| | <a name="module_ocm_role"></a> [ocm\_role](#module\_ocm\_role) | ../../modules/ocm-role | n/a | | ||
|
|
||
| ## Resources | ||
|
|
||
| No resources. | ||
|
|
||
| ## Inputs | ||
|
|
||
| | Name | Description | Type | Default | Required | | ||
| | ---- | ----------- | ---- | ------- | :------: | | ||
| | <a name="input_ocm_role_prefix"></a> [ocm\_role\_prefix](#input\_ocm\_role\_prefix) | User-defined prefix for the OCM IAM role name. | `string` | `"ManagedOpenShift"` | no | | ||
| | <a name="input_profile"></a> [profile](#input\_profile) | Profile of the OCM role to create. Allowed values are `standard`, `admin`, and `no-console`. | `string` | `"standard"` | no | | ||
|
|
||
| ## Outputs | ||
|
|
||
| | Name | Description | | ||
| | ---- | ----------- | | ||
| | <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the created OCM IAM role. | | ||
| | <a name="output_role_link_id"></a> [role\_link\_id](#output\_role\_link\_id) | The identifier of the OCM-side role link. | | ||
| | <a name="output_role_name"></a> [role\_name](#output\_role\_name) | The name of the created OCM IAM role. | | ||
| <!-- END_AUTOMATED_TF_DOCS_BLOCK --> |
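Review bot: the `profile` row in the Inputs table lists the three allowed values but gives the reader no basis for choosing between them, which matters because the choice decides how much of the customer account OCM can reach. Per the module's main.tf, `standard` attaches only the standard permission policy, `admin` attaches the standard policy plus an additional admin permission policy, and `no-console` attaches a dedicated no-console policy instead of the standard one; add a sentence to that effect and recommend `standard` as the default least-privileged choice, so users do not pick `admin` by habit.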
| @@ -0,0 +1,12 @@ | ||
| # Copyright Red Hat | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| ############################ | ||
| # OCM Role | ||
| ############################ | ||
| module "ocm_role" { | ||
| source = "../../modules/ocm-role" | ||
|
|
||
| ocm_role_prefix = var.ocm_role_prefix | ||
| profile = var.profile | ||
| } |
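Review bot: the module call forwards only `ocm_role_prefix` and `profile`, so a user of this example cannot set `permissions_boundary` or `tags` on a role that, per the module README, grants OpenShift Cluster Manager permissions in the customer's AWS account. Consider forwarding at least `permissions_boundary = var.permissions_boundary` (with a matching variable defaulting to `""`, as the module does) so the example demonstrates the boundary the module already supports rather than hiding it.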
| @@ -0,0 +1,17 @@ | ||
| # Copyright Red Hat | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| output "role_arn" { | ||
| value = module.ocm_role.role_arn | ||
| description = "The ARN of the created OCM IAM role." | ||
| } | ||
|
|
||
| output "role_name" { | ||
| value = module.ocm_role.role_name | ||
| description = "The name of the created OCM IAM role." | ||
| } | ||
|
|
||
| output "role_link_id" { | ||
| value = module.ocm_role.role_link_id | ||
| description = "The identifier of the OCM-side role link." | ||
| } |
| @@ -0,0 +1,14 @@ | ||
| # Copyright Red Hat | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| variable "ocm_role_prefix" { | ||
| type = string | ||
| description = "User-defined prefix for the OCM IAM role name." | ||
| default = "ManagedOpenShift" | ||
| } | ||
|
|
||
| variable "profile" { | ||
| type = string | ||
| description = "Profile of the OCM role to create. Allowed values are `standard`, `admin`, and `no-console`." | ||
| default = "standard" | ||
| } |
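Review bot: `profile` enumerates three allowed values in its description but carries no `validation` block, so a value such as `"Standard"` is accepted; since the module gates each permission policy on an exact string match, the result is a role with the OCM trust policy, no permission policy attached, and an OCM role link still created for it. Add `validation { condition = contains(["standard", "admin", "no-console"], var.profile) error_message = "profile must be one of standard, admin, no-console." }` so the plan fails instead.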
| @@ -0,0 +1,17 @@ | ||
| # Copyright Red Hat | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| terraform { | ||
| required_version = ">= 1.0" | ||
|
|
||
| required_providers { | ||
| aws = { | ||
| source = "hashicorp/aws" | ||
| version = ">= 6.0" | ||
| } | ||
| rhcs = { | ||
| source = "terraform-redhat/rhcs" | ||
| version = ">= 1.7.7" | ||
| } | ||
| } | ||
| } |
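Review bot: the constraints `>= 6.0` and `>= 1.7.7` have no upper bound and this PR adds no `.terraform.lock.hcl` for the example, so a fresh `terraform init` resolves to whatever latest major of hashicorp/aws and terraform-redhat/rhcs exists at that moment, breaking majors included. For an example that creates an IAM role assumed from outside the account, prefer bounded constraints such as `version = "~> 6.0"` for aws and `version = ">= 1.7.7, < 2.0.0"` for rhcs, or commit a lock file alongside the example.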
| @@ -0,0 +1,76 @@ | ||
| # ocm-role | ||
|
|
||
| ## Introduction | ||
|
|
||
| This Terraform sub-module creates the AWS IAM OCM role with the tags required by the ROSA CLI and OCM. The role is used to grant OpenShift Cluster Manager permissions in the customer's AWS account. | ||
|
|
||
| The module creates the IAM role, attaches the appropriate permission policies for the selected profile, applies the required tags, and links the role to the current OCM organization via `rhcs_rosa_ocm_role_link`. | ||
|
|
||
| For more information, see [Understanding OCM role and User role for ROSA](https://access.redhat.com/articles/6961686). | ||
|
|
||
| ## Example Usage | ||
|
|
||
| ``` | ||
| module "ocm_role" { | ||
| source = "terraform-redhat/rosa-hcp/rhcs//modules/ocm-role" | ||
| version = "1.7.7" | ||
|
|
||
| ocm_role_prefix = "ManagedOpenShift" | ||
| profile = "standard" | ||
| } | ||
| ``` | ||
|
|
||
| <!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK --> | ||
| ## Requirements | ||
|
|
||
| | Name | Version | | ||
| | ---- | ------- | | ||
| | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 | | ||
| | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 | | ||
| | <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs) | >= 1.7.7 | | ||
|
|
||
| ## Providers | ||
|
|
||
| | Name | Version | | ||
| | ---- | ------- | | ||
| | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 | | ||
| | <a name="provider_rhcs"></a> [rhcs](#provider\_rhcs) | >= 1.7.7 | | ||
|
|
||
| ## Modules | ||
|
|
||
| No modules. | ||
|
|
||
| ## Resources | ||
|
|
||
| | Name | Type | | ||
| | ---- | ---- | | ||
| | [aws_iam_policy.ocm_admin_permission_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | ||
| | [aws_iam_policy.ocm_no_console_permission_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | ||
| | [aws_iam_policy.standard_permission_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | ||
| | [aws_iam_role.ocm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | ||
| | [aws_iam_role_policy_attachment.ocm_admin_permission_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | ||
| | [aws_iam_role_policy_attachment.ocm_no_console_permission_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | ||
| | [aws_iam_role_policy_attachment.standard_permission_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | ||
| | [rhcs_rosa_ocm_role_link.this](https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs/resources/rosa_ocm_role_link) | resource | | ||
| | [rhcs_hcp_policies.all_policies](https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs/data-sources/hcp_policies) | data source | | ||
| | [rhcs_info.current](https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs/data-sources/info) | data source | | ||
|
|
||
| ## Inputs | ||
|
|
||
| | Name | Description | Type | Default | Required | | ||
| | ---- | ----------- | ---- | ------- | :------: | | ||
| | <a name="input_create_link"></a> [create\_link](#input\_create\_link) | (Optional) Whether to link the created role to the OCM organization via rhcs\_rosa\_ocm\_role\_link. Set to false when importing an already-linked role. | `bool` | `true` | no | | ||
| | <a name="input_ocm_role_prefix"></a> [ocm\_role\_prefix](#input\_ocm\_role\_prefix) | User-defined prefix for the OCM IAM role name. The final role name is `<prefix>-OCM-Role-<organization_external_id>`. | `string` | n/a | yes | | ||
| | <a name="input_path"></a> [path](#input\_path) | (Optional) The IAM path for the OCM role and its policies. Must begin and end with '/'. | `string` | `"/"` | no | | ||
| | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | (Optional) The ARN of the policy used to set the permissions boundary for the OCM IAM role. | `string` | `""` | no | | ||
| | <a name="input_profile"></a> [profile](#input\_profile) | Profile of the OCM role to create. Allowed values are `standard`, `admin`, and `no-console`. | `string` | `"standard"` | no | | ||
| | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Additional AWS resource tags to merge into the OCM role and its policies. | `map(string)` | `null` | no | | ||
|
|
||
| ## Outputs | ||
|
|
||
| | Name | Description | | ||
| | ---- | ----------- | | ||
| | <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the created OCM IAM role. | | ||
| | <a name="output_role_link_id"></a> [role\_link\_id](#output\_role\_link\_id) | The identifier of the OCM-side role link created for the IAM role, or null when create\_link is false. | | ||
| | <a name="output_role_name"></a> [role\_name](#output\_role\_name) | The name of the created OCM IAM role. | | ||
| <!-- END_AUTOMATED_TF_DOCS_BLOCK --> | ||
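Review bot: the Introduction says the role carries "the tags required by the ROSA CLI and OCM" but never lists them, and the `ocm_role_prefix` row states the name is `<prefix>-OCM-Role-<organization_external_id>` without mentioning that main.tf silently truncates the prefix so the name fits IAM's 64-character limit. Document the tag set (`red-hat-managed`, `rosa_role_prefix`, `rosa_role_type`, `rosa_environment`, plus `rosa_admin_role` or `rosa_no_console_role` depending on profile) and the truncation rule, since anyone matching these roles in IAM by tag or by name needs both.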
| @@ -0,0 +1,113 @@ | ||
| # Copyright Red Hat | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| locals { | ||
| path = coalesce(var.path, "/") | ||
|
|
||
| role_type = "OCM" | ||
| role_suffix = "-${local.role_type}-Role-${data.rhcs_info.current.organization_external_id}" | ||
| max_prefix_length = 64 - length(local.role_suffix) | ||
| truncated_role_prefix = local.max_prefix_length > 0 ? substr(var.ocm_role_prefix, 0, local.max_prefix_length) : "" | ||
| role_name = "${local.truncated_role_prefix}${local.role_suffix}" | ||
| max_policy_name_length = 128 | ||
| standard_policy_enabled = contains(["standard", "admin"], var.profile) | ||
| admin_policy_enabled = var.profile == "admin" | ||
| no_console_enabled = var.profile == "no-console" | ||
|
|
||
| ocm_environment = ( | ||
| strcontains(data.rhcs_info.current.ocm_api, "api.stage.") ? "staging" : | ||
| ( | ||
| strcontains(data.rhcs_info.current.ocm_api, "integration") || strcontains(data.rhcs_info.current.ocm_api, ".int.") ? "integration" : "production" | ||
| ) | ||
| ) | ||
|
|
||
| base_tags = merge(var.tags, { | ||
| red-hat-managed = true | ||
| rosa_role_prefix = var.ocm_role_prefix | ||
| rosa_role_type = local.role_type | ||
| rosa_environment = local.ocm_environment | ||
| }) | ||
|
|
||
| role_tags = local.admin_policy_enabled ? merge(local.base_tags, { | ||
| rosa_admin_role = true | ||
| }) : ( | ||
| local.no_console_enabled ? merge(local.base_tags, { | ||
| rosa_no_console_role = true | ||
| }) : local.base_tags | ||
| ) | ||
| } | ||
|
|
||
| data "rhcs_hcp_policies" "all_policies" {} | ||
|
|
||
| data "rhcs_info" "current" {} | ||
|
|
||
| resource "aws_iam_role" "ocm_role" { | ||
|
|
||
| name = local.role_name | ||
| permissions_boundary = var.permissions_boundary | ||
| path = local.path | ||
| assume_role_policy = data.rhcs_hcp_policies.all_policies.ocm_role_policies.sts_ocm_trust_policy | ||
| force_detach_policies = true | ||
|
|
||
| tags = local.role_tags | ||
| } | ||
|
|
||
| resource "aws_iam_policy" "standard_permission_policy" { | ||
| count = local.standard_policy_enabled ? 1 : 0 | ||
|
|
||
| name = substr("${local.role_name}-Policy", 0, local.max_policy_name_length) | ||
| path = local.path | ||
| policy = data.rhcs_hcp_policies.all_policies.ocm_role_policies.sts_ocm_permission_policy | ||
|
|
||
| tags = local.base_tags | ||
| } | ||
|
|
||
| resource "aws_iam_role_policy_attachment" "standard_permission_policy_attachment" { | ||
| count = local.standard_policy_enabled ? 1 : 0 | ||
|
|
||
| role = aws_iam_role.ocm_role.name | ||
| policy_arn = aws_iam_policy.standard_permission_policy[0].arn | ||
| } | ||
|
|
||
| resource "aws_iam_policy" "ocm_admin_permission_policy" { | ||
|
|
||
| count = local.admin_policy_enabled ? 1 : 0 | ||
|
|
||
| name = substr("${local.role_name}-Admin-Policy", 0, local.max_policy_name_length) | ||
| path = local.path | ||
| policy = data.rhcs_hcp_policies.all_policies.ocm_role_policies.sts_ocm_admin_permission_policy | ||
|
|
||
| tags = merge(local.base_tags, { | ||
| rosa_admin_role = true | ||
| }) | ||
| } | ||
|
|
||
| resource "aws_iam_role_policy_attachment" "ocm_admin_permission_policy_attachment" { | ||
| count = local.admin_policy_enabled ? 1 : 0 | ||
|
|
||
| role = aws_iam_role.ocm_role.name | ||
| policy_arn = aws_iam_policy.ocm_admin_permission_policy[0].arn | ||
| } | ||
|
|
||
| resource "aws_iam_policy" "ocm_no_console_permission_policy" { | ||
| count = local.no_console_enabled ? 1 : 0 | ||
|
|
||
| name = substr("${local.role_name}-NoConsole-Policy", 0, local.max_policy_name_length) | ||
| path = local.path | ||
| policy = data.rhcs_hcp_policies.all_policies.ocm_role_policies.sts_ocm_no_console_permission_policy | ||
|
|
||
|
|
||
| tags = merge(local.base_tags, { | ||
| rosa_no_console_role = true | ||
| }) | ||
| } | ||
|
|
||
| resource "aws_iam_role_policy_attachment" "ocm_no_console_permission_policy_attachment" { | ||
| count = local.no_console_enabled ? 1 : 0 | ||
|
|
||
| role = aws_iam_role.ocm_role.name | ||
| policy_arn = aws_iam_policy.ocm_no_console_permission_policy[0].arn | ||
| } | ||
|
|
||
| resource "rhcs_rosa_ocm_role_link" "this" { | ||
|
|
||
| count = var.create_link ? 1 : 0 | ||
|
|
||
| role_arn = aws_iam_role.ocm_role.arn | ||
| } | ||
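Review bot: the profile gating in `locals` (`standard_policy_enabled`, `admin_policy_enabled`, `no_console_enabled`) relies on exact string matches, so any `profile` value outside the three expected ones sets all three to false and the module still creates `aws_iam_role.ocm_role` with the OCM trust policy, attaches no permission policy, and links it through `rhcs_rosa_ocm_role_link.this`. Unless the module's variables.tf (not in this diff) validates `profile`, add a `validation` block there or a `lifecycle { precondition }` on the role that fails the plan for an unrecognised value. Separately, `rosa_role_prefix = var.ocm_role_prefix` tags the role with the untruncated prefix while `role_name` is built from `local.truncated_role_prefix`, so a prefix longer than `max_prefix_length` yields a tag that no longer matches the role name; tag with the truncated value or reject over-long prefixes outright.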
| @@ -0,0 +1,17 @@ | ||
| # Copyright Red Hat | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| output "role_arn" { | ||
| value = aws_iam_role.ocm_role.arn | ||
| description = "The ARN of the created OCM IAM role." | ||
| } | ||
|
|
||
| output "role_name" { | ||
| value = aws_iam_role.ocm_role.name | ||
| description = "The name of the created OCM IAM role." | ||
| } | ||
|
|
||
| output "role_link_id" { | ||
|
|
||
| value = try(rhcs_rosa_ocm_role_link.this[0].id, null) | ||
| description = "The identifier of the OCM-side role link created for the IAM role, or null when create_link is false." | ||
| } | ||
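Review bot: `try(rhcs_rosa_ocm_role_link.this[0].id, null)` masks every error from the link resource, not only the index-out-of-range case that occurs when `create_link` is false. `one(rhcs_rosa_ocm_role_link.this[*].id)` states the intent directly (null for an empty list, the single id otherwise) and lets real errors surface instead of being swallowed into a null output.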