feat: add new input variable kms_wait_for_apply to make terraform wait until KMS is applied to cluster master and it is ready and deployed. Default value is true. (#833)

Author: ocofaigh

README.md

@@ -53,7 +53,6 @@ For more information about the default configuration, see [Default Secure Landin
 
 Complete the following steps before you deploy the Secure Landing Zone module.
 ### Set up an IBM Cloud Account
-
 1.  Make sure that you have an IBM Cloud Pay-As-You-Go or Subscription account:
 
     - If you don't have an IBM Cloud account, [create one](https://cloud.ibm.com/docs/account?topic=account-account-getting-started).
@@ -843,7 +842,7 @@ module "cluster_pattern" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.60.0, < 2.0.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.66.0, < 2.0.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.4.3, < 4.0.0 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9.1, < 1.0.0 |
 
@@ -909,7 +908,7 @@ module "cluster_pattern" {
 |------|-------------|------|---------|:--------:|
 | <a name="input_appid"></a> [appid](#input\_appid) | The App ID instance to be used for the teleport vsi deployments | <pre>object({<br>    name           = optional(string)<br>    resource_group = optional(string)<br>    use_data       = optional(bool)<br>    keys           = optional(list(string))<br>    use_appid      = bool<br>  })</pre> | <pre>{<br>  "use_appid": false<br>}</pre> | no |
 | <a name="input_atracker"></a> [atracker](#input\_atracker) | atracker variables | <pre>object({<br>    resource_group        = string<br>    receive_global_events = bool<br>    collector_bucket_name = string<br>    add_route             = bool<br>  })</pre> | n/a | yes |
-| <a name="input_clusters"></a> [clusters](#input\_clusters) | A list describing clusters workloads to create | <pre>list(<br>    object({<br>      name                                = string           # Name of Cluster<br>      vpc_name                            = string           # Name of VPC<br>      subnet_names                        = list(string)     # List of vpc subnets for cluster<br>      workers_per_subnet                  = number           # Worker nodes per subnet.<br>      machine_type                        = string           # Worker node flavor<br>      kube_type                           = string           # iks or openshift<br>      kube_version                        = optional(string) # Can be a version from `ibmcloud ks versions` or `default`<br>      entitlement                         = optional(string) # entitlement option for openshift<br>      secondary_storage                   = optional(string) # Secondary storage type<br>      pod_subnet                          = optional(string) # Portable subnet for pods<br>      service_subnet                      = optional(string) # Portable subnet for services<br>      resource_group                      = string           # Resource Group used for cluster<br>      cos_name                            = optional(string) # Name of COS instance Required only for OpenShift clusters<br>      access_tags                         = optional(list(string), [])<br>      boot_volume_crk_name                = optional(string)      # Boot volume encryption key name<br>      disable_public_endpoint             = optional(bool, true)  # disable cluster public, leaving only private endpoint<br>      disable_outbound_traffic_protection = optional(bool, false) # public outbound access from the cluster workers<br>      cluster_force_delete_storage        = optional(bool, false) # force the removal of persistent storage associated with the cluster during cluster deletion<br>      addons = optional(object({                                  # Map of OCP cluster add-on versions to install<br>        debug-tool                = optional(string)<br>        image-key-synchronizer    = optional(string)<br>        openshift-data-foundation = optional(string)<br>        vpc-file-csi-driver       = optional(string)<br>        static-route              = optional(string)<br>        cluster-autoscaler        = optional(string)<br>        vpc-block-csi-driver      = optional(string)<br>      }), {})<br>      manage_all_addons = optional(bool, false) # Instructs Terraform to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this module will destroy any addons that were installed by other sources.<br>      kms_config = optional(<br>        object({<br>          crk_name         = string         # Name of key<br>          private_endpoint = optional(bool) # Private endpoint<br>        })<br>      )<br>      worker_pools = optional(<br>        list(<br>          object({<br>            name                 = string           # Worker pool name<br>            vpc_name             = string           # VPC name<br>            workers_per_subnet   = number           # Worker nodes per subnet<br>            flavor               = string           # Worker node flavor<br>            subnet_names         = list(string)     # List of vpc subnets for worker pool<br>            entitlement          = optional(string) # entitlement option for openshift<br>            secondary_storage    = optional(string) # Secondary storage type<br>            boot_volume_crk_name = optional(string) # Boot volume encryption key name<br>          })<br>        )<br>      )<br>    })<br>  )</pre> | n/a | yes |
+| <a name="input_clusters"></a> [clusters](#input\_clusters) | A list describing clusters workloads to create | <pre>list(<br>    object({<br>      name                                = string           # Name of Cluster<br>      vpc_name                            = string           # Name of VPC<br>      subnet_names                        = list(string)     # List of vpc subnets for cluster<br>      workers_per_subnet                  = number           # Worker nodes per subnet.<br>      machine_type                        = string           # Worker node flavor<br>      kube_type                           = string           # iks or openshift<br>      kube_version                        = optional(string) # Can be a version from `ibmcloud ks versions` or `default`<br>      entitlement                         = optional(string) # entitlement option for openshift<br>      secondary_storage                   = optional(string) # Secondary storage type<br>      pod_subnet                          = optional(string) # Portable subnet for pods<br>      service_subnet                      = optional(string) # Portable subnet for services<br>      resource_group                      = string           # Resource Group used for cluster<br>      cos_name                            = optional(string) # Name of COS instance Required only for OpenShift clusters<br>      access_tags                         = optional(list(string), [])<br>      boot_volume_crk_name                = optional(string)      # Boot volume encryption key name<br>      disable_public_endpoint             = optional(bool, true)  # disable cluster public, leaving only private endpoint<br>      disable_outbound_traffic_protection = optional(bool, false) # public outbound access from the cluster workers<br>      cluster_force_delete_storage        = optional(bool, false) # force the removal of persistent storage associated with the cluster during cluster deletion<br>      kms_wait_for_apply                  = optional(bool, true)  # make terraform wait until KMS is applied to master and it is ready and deployed<br>      addons = optional(object({                                  # Map of OCP cluster add-on versions to install<br>        debug-tool                = optional(string)<br>        image-key-synchronizer    = optional(string)<br>        openshift-data-foundation = optional(string)<br>        vpc-file-csi-driver       = optional(string)<br>        static-route              = optional(string)<br>        cluster-autoscaler        = optional(string)<br>        vpc-block-csi-driver      = optional(string)<br>      }), {})<br>      manage_all_addons = optional(bool, false) # Instructs Terraform to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this module will destroy any addons that were installed by other sources.<br>      kms_config = optional(<br>        object({<br>          crk_name         = string         # Name of key<br>          private_endpoint = optional(bool) # Private endpoint<br>        })<br>      )<br>      worker_pools = optional(<br>        list(<br>          object({<br>            name                 = string           # Worker pool name<br>            vpc_name             = string           # VPC name<br>            workers_per_subnet   = number           # Worker nodes per subnet<br>            flavor               = string           # Worker node flavor<br>            subnet_names         = list(string)     # List of vpc subnets for worker pool<br>            entitlement          = optional(string) # entitlement option for openshift<br>            secondary_storage    = optional(string) # Secondary storage type<br>            boot_volume_crk_name = optional(string) # Boot volume encryption key name<br>          })<br>        )<br>      )<br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_cos"></a> [cos](#input\_cos) | Object describing the cloud object storage instance, buckets, and keys. Set `use_data` to false to create instance | <pre>list(<br>    object({<br>      name           = string<br>      use_data       = optional(bool)<br>      resource_group = string<br>      plan           = optional(string)<br>      random_suffix  = optional(bool) # Use a random suffix for COS instance<br>      access_tags    = optional(list(string), [])<br>      buckets = list(object({<br>        name                  = string<br>        storage_class         = string<br>        endpoint_type         = string<br>        force_delete          = bool<br>        single_site_location  = optional(string)<br>        region_location       = optional(string)<br>        cross_region_location = optional(string)<br>        kms_key               = optional(string)<br>        access_tags           = optional(list(string), [])<br>        allowed_ip            = optional(list(string), [])<br>        hard_quota            = optional(number)<br>        archive_rule = optional(object({<br>          days    = number<br>          enable  = bool<br>          rule_id = optional(string)<br>          type    = string<br>        }))<br>        expire_rule = optional(object({<br>          days                         = optional(number)<br>          date                         = optional(string)<br>          enable                       = bool<br>          expired_object_delete_marker = optional(string)<br>          prefix                       = optional(string)<br>          rule_id                      = optional(string)<br>        }))<br>        activity_tracking = optional(object({<br>          activity_tracker_crn = string<br>          read_data_events     = bool<br>          write_data_events    = bool<br>        }))<br>        metrics_monitoring = optional(object({<br>          metrics_monitoring_crn  = string<br>          request_metrics_enabled = optional(bool)<br>          usage_metrics_enabled   = optional(bool)<br>        }))<br>      }))<br>      keys = optional(<br>        list(object({<br>          name        = string<br>          role        = string<br>          enable_HMAC = bool<br>        }))<br>      )<br><br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_enable_transit_gateway"></a> [enable\_transit\_gateway](#input\_enable\_transit\_gateway) | Create transit gateway | `bool` | `true` | no |
 | <a name="input_f5_template_data"></a> [f5\_template\_data](#input\_f5\_template\_data) | Data for all f5 templates | <pre>object({<br>    tmos_admin_password     = optional(string)<br>    license_type            = optional(string)<br>    byol_license_basekey    = optional(string)<br>    license_host            = optional(string)<br>    license_username        = optional(string)<br>    license_password        = optional(string)<br>    license_pool            = optional(string)<br>    license_sku_keyword_1   = optional(string)<br>    license_sku_keyword_2   = optional(string)<br>    license_unit_of_measure = optional(string)<br>    do_declaration_url      = optional(string)<br>    as3_declaration_url     = optional(string)<br>    ts_declaration_url      = optional(string)<br>    phone_home_url          = optional(string)<br>    template_source         = optional(string)<br>    template_version        = optional(string)<br>    app_id                  = optional(string)<br>    tgactive_url            = optional(string)<br>    tgstandby_url           = optional(string)<br>    tgrefresh_url           = optional(string)<br>  })</pre> | <pre>{<br>  "license_type": "none"<br>}</pre> | no |

cluster.tf

@@ -81,6 +81,7 @@ resource "ibm_container_vpc_cluster" "cluster" {
       instance_id      = regex(".*:(.*):key:.*", module.key_management.key_map[kms_config.value.crk_name].crn)[0]
       private_endpoint = kms_config.value.private_endpoint
       account_id       = regex("a/([a-f0-9]{32})", module.key_management.key_map[kms_config.value.crk_name].crn)[0] == data.ibm_iam_account_settings.iam_account_settings.account_id ? null : regex("a/([a-f0-9]{32})", module.key_management.key_map[kms_config.value.crk_name].crn)[0]
+      wait_for_apply   = each.value.kms_wait_for_apply
     }
   }
 

patterns/roks-quickstart/main.tf

@@ -39,6 +39,7 @@ locals {
          "resource_group": "workload-rg",
          "disable_outbound_traffic_protection": true,
          "cluster_force_delete_storage": true,
+         "kms_wait_for_apply": true,
          "kms_config": {
             "crk_name": "roks-key",
             "private_endpoint": true

patterns/roks/main.tf

@@ -94,6 +94,7 @@ module "roks_landing_zone" {
   license_type                           = var.license_type
   teleport_management_zones              = var.teleport_management_zones
   IC_SCHEMATICS_WORKSPACE_ID             = var.IC_SCHEMATICS_WORKSPACE_ID
+  kms_wait_for_apply                     = var.kms_wait_for_apply
 }
 
 moved {

patterns/roks/module/config.tf

@@ -92,6 +92,7 @@ locals {
         boot_volume_crk_name                = "${var.prefix}-roks-key"
         disable_outbound_traffic_protection = var.disable_outbound_traffic_protection
         cluster_force_delete_storage        = var.cluster_force_delete_storage
+        kms_wait_for_apply                  = var.kms_wait_for_apply
         # By default, create dedicated pool for logging
         worker_pools = [
           # {

patterns/roks/module/variables.tf

@@ -151,6 +151,12 @@ variable "wait_till" {
   }
 }
 
+variable "kms_wait_for_apply" {
+  type        = bool
+  description = "Set true to make terraform wait until KMS is applied to master and it is ready and deployed. Default value is true."
+  default     = true
+}
+
 variable "entitlement" {
   description = "If you do not have an entitlement, leave as null. Entitlement reduces additional OCP Licence cost in OpenShift clusters. Use Cloud Pak with OCP Licence entitlement to create the OpenShift cluster. Note It is set only when the first time creation of the cluster, further modifications are not impacted Set this argument to cloud_pak only if you use the cluster with a Cloud Pak that has an OpenShift entitlement."
   type        = string

patterns/roks/override.json

@@ -16,6 +16,7 @@
             "resource_group": "slz-management-rg",
             "disable_outbound_traffic_protection": false,
             "cluster_force_delete_storage": false,
+            "kms_wait_for_apply": true,
             "kms_config": {
                 "crk_name": "slz-roks-key",
                 "private_endpoint": true
@@ -52,6 +53,7 @@
             "resource_group": "slz-workload-rg",
             "disable_outbound_traffic_protection": false,
             "cluster_force_delete_storage": false,
+            "kms_wait_for_apply": true,
             "kms_config": {
                 "crk_name": "slz-roks-key",
                 "private_endpoint": true

patterns/roks/variables.tf

@@ -166,6 +166,12 @@ variable "wait_till" {
   }
 }
 
+variable "kms_wait_for_apply" {
+  type        = bool
+  description = "Set true to make terraform wait until KMS is applied to master and it is ready and deployed. Default value is true."
+  default     = true
+}
+
 variable "entitlement" {
   description = "Reduces the cost of additional OCP in OpenShift clusters. If you do not have an entitlement, leave as null. Use Cloud Pak with OCP License entitlement to create the OpenShift cluster. Specify `cloud_pak` only if you use the cluster with a Cloud Pak that has an OpenShift entitlement. The value is set only when the cluster is created."
   type        = string

tests/pr_test.go

@@ -393,7 +393,7 @@ func setupOptionsSchematics(t *testing.T, prefix string, dir string) *testschema
 		Prefix:                 prefix,
 		Tags:                   []string{"test-schematic"},
 		DeleteWorkspaceOnFail:  false,
-		WaitJobCompleteMinutes: 60,
+		WaitJobCompleteMinutes: 90,
 		CloudInfoService:       sharedInfoSvc,
 	})
 

variables.tf

@@ -850,6 +850,7 @@ variable "clusters" {
       disable_public_endpoint             = optional(bool, true)  # disable cluster public, leaving only private endpoint
       disable_outbound_traffic_protection = optional(bool, false) # public outbound access from the cluster workers
       cluster_force_delete_storage        = optional(bool, false) # force the removal of persistent storage associated with the cluster during cluster deletion
+      kms_wait_for_apply                  = optional(bool, true)  # make terraform wait until KMS is applied to master and it is ready and deployed
       addons = optional(object({                                  # Map of OCP cluster add-on versions to install
         debug-tool                = optional(string)
         image-key-synchronizer    = optional(string)