Rebase from openshift-installer: allow multiple CIDR, allow dynamic endpoint URL, change to terraform community provider

Author: Budi Darmawan

.terraform.lock.hcl

@@ -2,7 +2,25 @@ locals {
   public_endpoints = var.publish_strategy == "External" ? true : false
 }
 
+terraform {
+  required_providers {
+    ignition = {
+      source = "community-terraform-providers/ignition"
+      version = "2.1.2"
+    }
+  }
+}
+
+provider "ignition" {
+  # Configuration options
+}
+
+data "aws_partition" "current" {}
+
+data "aws_ebs_default_kms_key" "current" {}
+
 resource "aws_s3_bucket" "ignition" {
+  bucket = var.ignition_bucket
   acl = "private"
 
   tags = merge(
@@ -60,7 +78,7 @@ resource "aws_iam_role" "bootstrap" {
         {
             "Action": "sts:AssumeRole",
             "Principal": {
-                "Service": "ec2.amazonaws.com"
+                "Service": "ec2.${data.aws_partition.current.dns_suffix}"
             },
             "Effect": "Allow",
             "Sid": ""
@@ -119,8 +137,7 @@ resource "aws_instance" "bootstrap" {
   iam_instance_profile        = aws_iam_instance_profile.bootstrap.name
   instance_type               = var.instance_type
   subnet_id                   = var.subnet_id
-  user_data                   = replace(data.ignition_config.redirect.rendered, "2.1.0", "3.1.0")
-  # data.ignition_config.redirect.rendered
+  user_data                   = data.ignition_config.redirect.rendered
   vpc_security_group_ids      = flatten([var.vpc_security_group_ids, aws_security_group.bootstrap.id])
   associate_public_ip_address = local.public_endpoints
 
@@ -141,6 +158,8 @@ resource "aws_instance" "bootstrap" {
     volume_type = var.volume_type
     volume_size = var.volume_size
     iops        = var.volume_type == "io1" ? var.volume_iops : 0
+    encrypted   = true
+    kms_key_id  = var.volume_kms_key_id == "" ? data.aws_ebs_default_kms_key.current.key_arn : var.volume_kms_key_id
   }
 
   volume_tags = merge(

bootstrap/main.tf

@@ -13,25 +13,38 @@ variable "ignition" {
   description = "The content of the bootstrap ignition file."
 }
 
-variable "instance_type" {
+variable "ignition_bucket" {
+  type        = string
+  description = "The S3 bucket where the ignition configuration is stored"
+}
+
+variable "ignition_stub" {
   type        = string
+  description = <<EOF
+The stub Ignition config that should be used to boot the bootstrap instance. This already points to the presigned URL for the s3 bucket
+specified in ignition_bucket.
+EOF
+}
+
+variable "instance_type" {
+  type = string
   description = "The instance type of the bootstrap node."
 }
 
 variable "subnet_id" {
-  type        = string
+  type = string
   description = "The subnet ID for the bootstrap node."
 }
 
 variable "tags" {
-  type        = map(string)
-  default     = {}
+  type = map(string)
+  default = {}
   description = "AWS tags to be applied to created resources."
 }
 
 variable "target_group_arns" {
-  type        = list(string)
-  default     = []
+  type = list(string)
+  default = []
   description = "The list of target group ARNs for the load balancer."
 }
 
@@ -40,41 +53,46 @@ variable "target_group_arns_length" {
 }
 
 variable "volume_iops" {
-  type        = string
-  default     = "100"
+  type = string
+  default = "100"
   description = "The amount of IOPS to provision for the disk."
 }
 
 variable "volume_size" {
-  type        = string
-  default     = "30"
+  type = string
+  default = "30"
   description = "The volume size (in gibibytes) for the bootstrap node's root volume."
 }
 
 variable "volume_type" {
-  type        = string
-  default     = "gp2"
+  type = string
+  default = "gp2"
   description = "The volume type for the bootstrap node's root volume."
 }
 
+variable "volume_kms_key_id" {
+  type = string
+  description = "The KMS key id that should be used to encrypt the bootstrap node's root block device."
+}
+
 variable "vpc_id" {
-  type        = string
+  type = string
   description = "VPC ID is used to create resources like security group rules for bootstrap machine."
 }
 
 variable "vpc_cidrs" {
-  type        = list(string)
-  default     = []
+  type = list(string)
+  default = []
   description = "VPC CIDR blocks."
 }
 
 variable "vpc_security_group_ids" {
-  type        = list(string)
-  default     = []
+  type = list(string)
+  default = []
   description = "VPC security group IDs for the bootstrap node."
 }
 
 variable "publish_strategy" {
-  type        = string
+  type = string
   description = "The publishing strategy for endpoints like load balancers"
 }

bootstrap/variables.tf

@@ -1,29 +1,3 @@
-variable "openshift_pull_secret" {
-  type        = string
-  default     = "./openshift_pull_secret.json"
-}
-
-variable "openshift_installer_url" {
-  type        = string
-  description = <<EOF
-The URL to download OpenShift installer.
-
-default is "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest"
-To install a specific version, use https://mirror.openshift.com/pub/openshift-v4/clients/ocp/<version>
-EOF
-  default     = "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest"
-}
-
-variable "aws_access_key_id" {
-  type        = string
-  description = "AWS access key"
-}
-
-variable "aws_secret_access_key" {
-  type        = string
-  description = "AWS Secret"
-}
-
 terraform {
   required_version = ">= 0.12"
 }
@@ -38,6 +12,9 @@ EOF
   default = "10.0.0.0/16"
 }
 
+
+
+
 variable "base_domain" {
   type = string
 
@@ -53,18 +30,19 @@ EOF
 
 }
 
-variable "clustername" {
+variable "cluster_domain" {
   type = string
 
   description = <<EOF
-The name of the cluster. It must NOT contain a trailing period. Some
+The domain of the cluster. It must NOT contain a trailing period. Some
 DNS providers will automatically add this if necessary.
 
+All the records for the cluster are created under this domain.
+
 Note: This field MUST be set manually prior to creating the cluster.
 EOF
 
 }
-
 // This variable is generated by OpenShift internally. Do not modify
 variable "cluster_id" {
   type = string
@@ -88,9 +66,35 @@ EOF
 
 variable "use_ipv6" {
   type = bool
+  description = <<EOF
+Should the cluster be created with ipv6 networking.
+EOF
+
   default = false
+}
+
+variable "openshift_pull_secret" {
+  type        = string
+  default     = "./openshift_pull_secret.json"
+}
+
+variable "openshift_installer_url" {
+  type        = string
   description = <<EOF
-Should the cluster be created with ipv6 networking. (default = false)
+The URL to download OpenShift installer.
+
+default is "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest"
+To install a specific version, use https://mirror.openshift.com/pub/openshift-v4/clients/ocp/<version>
 EOF
+  default     = "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest"
+}
+
+variable "aws_access_key_id" {
+  type        = string
+  description = "AWS access key"
+}
 
+variable "aws_secret_access_key" {
+  type        = string
+  description = "AWS Secret"
 }

config.tf

@@ -2,6 +2,8 @@ locals {
   arn = "aws"
 }
 
+data "aws_partition" "current" {}
+
 resource "aws_iam_instance_profile" "worker" {
   name = "${var.cluster_id}-worker-profile"
 
@@ -19,7 +21,7 @@ resource "aws_iam_role" "worker_role" {
         {
             "Action": "sts:AssumeRole",
             "Principal": {
-                "Service": "ec2.amazonaws.com"
+                "Service": "ec2.${data.aws_partition.current.dns_suffix}"
             },
             "Effect": "Allow",
             "Sid": ""
@@ -46,7 +48,10 @@ resource "aws_iam_role_policy" "worker_policy" {
   "Statement": [
     {
       "Effect": "Allow",
-      "Action": "ec2:Describe*",
+      "Action": [
+        "ec2:DescribeInstances",
+        "ec2:DescribeRegions"
+      ],
       "Resource": "*"
     }
   ]