feat: Monolith example for base-ocp-vpc DA

README.md

@@ -29,6 +29,7 @@ By default, the module automatically downloads the required dependencies if they
 * [Submodules](./modules)
     * [fscloud](./modules/fscloud)
     * [kube-audit](./modules/kube-audit)
+    * [monolith](./modules/monolith)
     * [worker-pool](./modules/worker-pool)
 * [Examples](./examples)
     * <div style="display: inline-block;"><a href="./examples/add_rules_to_sg">Cluster security group rules example</a></div> <div style="display: inline-block; vertical-align: middle;"><a href="https://cloud.ibm.com/schematics/workspaces/create?workspace_name=bov-add_rules_to_sg-example&repository=https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/tree/main/examples/add_rules_to_sg" target="_blank"><img src="https://cloud.ibm.com/media/docs/images/icons/Deploy_to_cloud.svg" alt="Deploy to IBM Cloud button"></a></div>
@@ -37,6 +38,7 @@ By default, the module automatically downloads the required dependencies if they
     * <div style="display: inline-block;"><a href="./examples/cross_kms_support">Cross account KMS encryption example</a></div> <div style="display: inline-block; vertical-align: middle;"><a href="https://cloud.ibm.com/schematics/workspaces/create?workspace_name=bov-cross_kms_support-example&repository=https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/tree/main/examples/cross_kms_support" target="_blank"><img src="https://cloud.ibm.com/media/docs/images/icons/Deploy_to_cloud.svg" alt="Deploy to IBM Cloud button"></a></div>
     * <div style="display: inline-block;"><a href="./examples/custom_sg">Attaching custom security groups</a></div> <div style="display: inline-block; vertical-align: middle;"><a href="https://cloud.ibm.com/schematics/workspaces/create?workspace_name=bov-custom_sg-example&repository=https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/tree/main/examples/custom_sg" target="_blank"><img src="https://cloud.ibm.com/media/docs/images/icons/Deploy_to_cloud.svg" alt="Deploy to IBM Cloud button"></a></div>
     * <div style="display: inline-block;"><a href="./examples/fscloud">Financial Services compliant example</a></div> <div style="display: inline-block; vertical-align: middle;"><a href="https://cloud.ibm.com/schematics/workspaces/create?workspace_name=bov-fscloud-example&repository=https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/tree/main/examples/fscloud" target="_blank"><img src="https://cloud.ibm.com/media/docs/images/icons/Deploy_to_cloud.svg" alt="Deploy to IBM Cloud button"></a></div>
+    * <div style="display: inline-block;"><a href="./examples/monolith">IBM Cloud OpenShift DA - Monolith Add-ons Module Example</a></div> <div style="display: inline-block; vertical-align: middle;"><a href="https://cloud.ibm.com/schematics/workspaces/create?workspace_name=bov-monolith-example&repository=https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/tree/main/examples/monolith" target="_blank"><img src="https://cloud.ibm.com/media/docs/images/icons/Deploy_to_cloud.svg" alt="Deploy to IBM Cloud button"></a></div>
     * <div style="display: inline-block;"><a href="./examples/multiple_mzr_clusters">2 MZR clusters in same VPC example</a></div> <div style="display: inline-block; vertical-align: middle;"><a href="https://cloud.ibm.com/schematics/workspaces/create?workspace_name=bov-multiple_mzr_clusters-example&repository=https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/tree/main/examples/multiple_mzr_clusters" target="_blank"><img src="https://cloud.ibm.com/media/docs/images/icons/Deploy_to_cloud.svg" alt="Deploy to IBM Cloud button"></a></div>
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->

examples/monolith/README.md

@@ -0,0 +1,23 @@
+# IBM Cloud OpenShift DA - Monolith Add-ons Module Example
+
+A simple example that shows how to provision a multi zone OCP VPC cluster as well as all foundational infrastructure and supporting services required for a secure and compliant OpenShift (OCP) cluster deployment on IBM Cloud VPC.
+
+The following resources are provisioned by this example:
+- A new resource group, if an existing one is not passed in.
+- A Key Protect instance with 2 root keys, one for cluster encryption, and one for worker boot volume encryption.
+- A VPC with subnets across 3 zones.
+- A public gateway for all the three zones
+- A multi-zone (3 zone) KMS encrypted OCP VPC cluster, with worker pools in each zone.
+- An additional worker pool named workerpool is created and attached to the cluster using the worker-pool submodule.
+- Auto scaling enabled for the default worker pool.
+- Taints against the workers in zone-2 and zone-3.
+- Enable Kubernetes API server audit logs.
+- A Cloud logs instance
+- A Cloud monitoring instance
+- An activity tracker event routing instance
+- A secrets manager instance
+- A COS instance along with 3 buckets for VPC flow logs, metrics/data bucket and activity tracker bucket.
+- A SCC-WP instance
+- A VPC instance
+- An event notifications instance
+- An app configuration service with aggregator enabled

examples/monolith/main.tf

@@ -0,0 +1,218 @@
+########################################################################################################################
+# Resource group
+########################################################################################################################
+
+module "resource_group" {
+  source                       = "terraform-ibm-modules/resource-group/ibm"
+  version                      = "1.4.0"
+  existing_resource_group_name = var.existing_resource_group_name
+}
+
+########################################################################################################################
+# Add-ons
+########################################################################################################################
+
+module "monolith_add_ons" {
+  source                                    = "../../modules/monolith"
+  prefix                                    = var.prefix
+  region                                    = var.region
+  resource_group_id                         = module.resource_group.resource_group_id
+  kms_encryption_enabled_cluster            = var.kms_encryption_enabled_cluster
+  existing_kms_instance_crn                 = var.existing_kms_instance_crn
+  existing_cluster_kms_key_crn              = var.existing_cluster_kms_key_crn
+  kms_endpoint_type                         = var.kms_endpoint_type
+  key_protect_allowed_network               = var.key_protect_allowed_network
+  kms_encryption_enabled_boot_volume        = var.kms_encryption_enabled_boot_volume
+  existing_boot_volume_kms_key_crn          = var.existing_boot_volume_kms_key_crn
+  kms_plan                                  = var.kms_plan
+  en_service_plan                           = var.en_service_plan
+  en_service_endpoints                      = var.en_service_endpoints
+  existing_secrets_manager_crn              = var.existing_secrets_manager_crn
+  secrets_manager_service_plan              = var.secrets_manager_service_plan
+  secrets_manager_endpoint_type             = var.secrets_manager_endpoint_type
+  secrets_manager_allowed_network           = var.secrets_manager_allowed_network
+  existing_event_notifications_instance_crn = var.existing_event_notifications_instance_crn
+  existing_cos_instance_crn                 = var.existing_cos_instance_crn
+  cos_instance_plan                         = var.cos_instance_plan
+  management_endpoint_type_for_buckets      = var.management_endpoint_type_for_buckets
+  existing_cloud_monitoring_crn             = var.existing_cloud_monitoring_crn
+  cloud_monitoring_plan                     = var.cloud_monitoring_plan
+  existing_cloud_logs_crn                   = var.existing_cloud_logs_crn
+  scc_workload_protection_service_plan      = var.scc_workload_protection_service_plan
+  enable_vpc_flow_logs                      = var.enable_vpc_flow_logs
+  app_config_plan                           = var.app_config_plan
+  app_config_service_endpoints              = var.app_config_service_endpoints
+}
+
+########################################################################################################################
+# OCP VPC cluster
+########################################################################################################################
+
+locals {
+  vpc_subnets = {
+    # The default behavior is to deploy the worker pool across all subnets within the VPC.
+    "default" = [
+      for subnet in module.monolith_add_ons.subnet_zone_list :
+      {
+        id         = subnet.id
+        zone       = subnet.zone
+        cidr_block = subnet.cidr
+      }
+    ]
+  }
+
+  worker_pools = concat([
+    {
+      subnet_prefix     = "default"
+      pool_name         = "default"
+      machine_type      = var.default_worker_pool_machine_type
+      workers_per_zone  = var.default_worker_pool_workers_per_zone
+      resource_group_id = module.resource_group.resource_group_id
+      operating_system  = var.default_worker_pool_operating_system
+      labels            = var.default_worker_pool_labels
+      minSize           = var.default_pool_minimum_number_of_nodes
+      maxSize           = var.default_pool_maximum_number_of_nodes
+      enableAutoscaling = var.enable_autoscaling_for_default_pool
+      boot_volume_encryption_kms_config = {
+        crk             = module.monolith_add_ons.boot_volume_kms_key_id
+        kms_instance_id = module.monolith_add_ons.boot_volume_existing_kms_guid
+        kms_account_id  = module.monolith_add_ons.boot_volume_kms_account_id
+      }
+      additional_security_group_ids = var.additional_security_group_ids
+    }
+    ], [for pool in var.additional_worker_pools : merge(pool, { resource_group_id = module.resource_group.resource_group_id
+      boot_volume_encryption_kms_config = {
+        crk             = module.monolith_add_ons.boot_volume_kms_key_id
+        kms_instance_id = module.monolith_add_ons.boot_volume_existing_kms_guid
+        kms_account_id  = module.monolith_add_ons.boot_volume_kms_account_id
+    } }) if length(pool.vpc_subnets) > 0],
+    [for pool in var.additional_worker_pools : {
+      pool_name         = pool.pool_name
+      machine_type      = pool.machine_type
+      workers_per_zone  = pool.workers_per_zone
+      resource_group_id = module.resource_group.resource_group_id
+      operating_system  = pool.operating_system
+      labels            = pool.labels
+      minSize           = pool.minSize
+      secondary_storage = pool.secondary_storage
+      maxSize           = pool.maxSize
+      enableAutoscaling = pool.enableAutoscaling
+      boot_volume_encryption_kms_config = {
+        crk             = module.monolith_add_ons.boot_volume_kms_key_id
+        kms_instance_id = module.monolith_add_ons.boot_volume_existing_kms_guid
+        kms_account_id  = module.monolith_add_ons.boot_volume_kms_account_id
+      }
+      additional_security_group_ids = pool.additional_security_group_ids
+      subnet_prefix                 = "default"
+  } if length(pool.vpc_subnets) == 0])
+
+  # Managing the ODF version accordingly, as it changes with each OCP version.
+  addons = lookup(var.addons, "openshift-data-foundation", null) != null ? lookup(var.addons["openshift-data-foundation"], "version", null) == null ? { for key, value in var.addons :
+    key => value != null ? {
+      version         = lookup(value, "version", null) == null && key == "openshift-data-foundation" ? "${var.openshift_version}.0" : lookup(value, "version", null)
+      parameters_json = lookup(value, "parameters_json", null)
+  } : null } : var.addons : var.addons
+}
+
+module "ocp_base" {
+  depends_on                               = [module.monolith_add_ons]
+  source                                   = "../.."
+  resource_group_id                        = module.resource_group.resource_group_id
+  region                                   = var.region
+  tags                                     = var.cluster_resource_tags
+  cluster_name                             = "${var.prefix}-${var.cluster_name}"
+  force_delete_storage                     = true
+  use_existing_cos                         = true
+  existing_cos_id                          = module.monolith_add_ons.cos_instance_id
+  vpc_id                                   = module.monolith_add_ons.vpc_id
+  vpc_subnets                              = local.vpc_subnets
+  ocp_version                              = var.openshift_version
+  worker_pools                             = local.worker_pools
+  access_tags                              = var.access_tags
+  ocp_entitlement                          = var.ocp_entitlement
+  additional_lb_security_group_ids         = var.additional_lb_security_group_ids
+  additional_vpe_security_group_ids        = var.additional_vpe_security_group_ids
+  addons                                   = local.addons
+  allow_default_worker_pool_replacement    = var.allow_default_worker_pool_replacement
+  attach_ibm_managed_security_group        = var.attach_ibm_managed_security_group
+  cluster_config_endpoint_type             = var.cluster_config_endpoint_type
+  cbr_rules                                = var.ocp_cbr_rules
+  cluster_ready_when                       = var.cluster_ready_when
+  custom_security_group_ids                = var.custom_security_group_ids
+  disable_outbound_traffic_protection      = var.allow_outbound_traffic
+  disable_public_endpoint                  = !var.allow_public_access_to_cluster_management
+  enable_ocp_console                       = var.enable_ocp_console
+  ignore_worker_pool_size_changes          = var.ignore_worker_pool_size_changes
+  kms_config                               = module.monolith_add_ons.kms_config
+  manage_all_addons                        = var.manage_all_addons
+  number_of_lbs                            = var.number_of_lbs
+  pod_subnet_cidr                          = var.pod_subnet_cidr
+  service_subnet_cidr                      = var.service_subnet_cidr
+  verify_worker_network_readiness          = var.verify_worker_network_readiness
+  worker_pools_taints                      = var.worker_pools_taints
+  enable_secrets_manager_integration       = var.enable_secrets_manager_integration
+  existing_secrets_manager_instance_crn    = module.monolith_add_ons.secrets_manager_crn
+  secrets_manager_secret_group_id          = var.secrets_manager_secret_group_id != null ? var.secrets_manager_secret_group_id : (var.enable_secrets_manager_integration ? module.secret_group[0].secret_group_id : null)
+  skip_ocp_secrets_manager_iam_auth_policy = var.skip_ocp_secrets_manager_iam_auth_policy
+}
+
+resource "terraform_data" "delete_secrets" {
+  depends_on = [module.monolith_add_ons]
+  count      = var.enable_secrets_manager_integration && var.secrets_manager_secret_group_id == null ? 1 : 0
+  input = {
+    secret_id                   = module.secret_group[0].secret_group_id
+    provider_visibility         = var.provider_visibility
+    secrets_manager_instance_id = module.monolith_add_ons.secrets_manager_guid
+    secrets_manager_region      = module.monolith_add_ons.secrets_manager_region
+    secrets_manager_endpoint    = var.secrets_manager_endpoint_type
+  }
+  # api key in triggers_replace to avoid it to be printed out in clear text in terraform_data output
+  triggers_replace = {
+    api_key = var.ibmcloud_api_key
+  }
+  provisioner "local-exec" {
+    when        = destroy
+    command     = "${path.module}/../../solutions/fully-configurable/scripts/delete_secrets.sh ${self.input.secret_id} ${self.input.provider_visibility} ${self.input.secrets_manager_instance_id} ${self.input.secrets_manager_region} ${self.input.secrets_manager_endpoint}"
+    interpreter = ["/bin/bash", "-c"]
+
+    environment = {
+      API_KEY = self.triggers_replace.api_key
+    }
+  }
+}
+
+module "secret_group" {
+  count                    = var.enable_secrets_manager_integration && var.secrets_manager_secret_group_id == null ? 1 : 0
+  source                   = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
+  version                  = "1.3.15"
+  region                   = module.monolith_add_ons.secrets_manager_region
+  secrets_manager_guid     = module.monolith_add_ons.secrets_manager_guid
+  secret_group_name        = module.ocp_base.cluster_id
+  secret_group_description = "Secret group for storing ingress certificates for cluster ${var.cluster_name} with id: ${module.ocp_base.cluster_id}"
+  endpoint_type            = var.secrets_manager_endpoint_type
+}
+
+data "ibm_container_cluster_config" "cluster_config" {
+  count             = var.enable_kube_audit ? 1 : 0
+  cluster_name_id   = module.ocp_base.cluster_id
+  config_dir        = "${path.module}/../../kubeconfig"
+  admin             = true
+  resource_group_id = module.ocp_base.resource_group_id
+  endpoint_type     = var.cluster_config_endpoint_type != "default" ? var.cluster_config_endpoint_type : null
+}
+
+module "kube_audit" {
+  count                                   = var.enable_kube_audit ? 1 : 0
+  ibmcloud_api_key                        = var.ibmcloud_api_key
+  source                                  = "../../modules/kube-audit"
+  cluster_id                              = module.ocp_base.cluster_id
+  cluster_resource_group_id               = module.ocp_base.resource_group_id
+  region                                  = module.ocp_base.region
+  use_private_endpoint                    = var.use_private_endpoint
+  cluster_config_endpoint_type            = var.cluster_config_endpoint_type
+  audit_log_policy                        = var.audit_log_policy
+  audit_namespace                         = var.audit_namespace
+  audit_deployment_name                   = var.audit_deployment_name
+  audit_webhook_listener_image            = var.audit_webhook_listener_image
+  audit_webhook_listener_image_tag_digest = var.audit_webhook_listener_image_tag_digest
+}