########################################################################################################################
# Resource group
########################################################################################################################

# Either reuse the resource group named in var.resource_group or, when that
# variable is null, create a fresh one named "<prefix>-resource-group".
module "resource_group" {
  source  = "terraform-ibm-modules/resource-group/ibm"
  version = "1.1.6"

  # Exactly one of the two inputs is non-null: an existing group takes precedence over creating one.
  existing_resource_group_name = var.resource_group
  resource_group_name          = var.resource_group != null ? null : "${var.prefix}-resource-group"
}
##############################################################################
# Create a VPC with single subnet and zone, and public gateway
##############################################################################

# VPC for the VPC-based cluster variants (IKS or OpenShift); not created for classic clusters.
resource "ibm_is_vpc" "vpc" {
  count = var.is_vpc_cluster ? 1 : 0

  name           = format("%s-vpc", var.prefix)
  resource_group = module.resource_group.resource_group_id
  tags           = var.resource_tags

  # Automatic rather than manual address-prefix management.
  address_prefix_management = "auto"
}
# Public gateway in zone 1; attaching it to the subnet below gives workloads outbound internet access.
resource "ibm_is_public_gateway" "gateway" {
  count = var.is_vpc_cluster ? 1 : 0

  name           = format("%s-gateway-1", var.prefix)
  zone           = format("%s-1", var.region)
  vpc            = ibm_is_vpc.vpc[0].id
  resource_group = module.resource_group.resource_group_id
}
# Single subnet in zone 1 of the VPC, attached to the public gateway above.
resource "ibm_is_subnet" "subnet_zone_1" {
  count = var.is_vpc_cluster ? 1 : 0

  name           = format("%s-subnet-1", var.prefix)
  zone           = format("%s-1", var.region)
  vpc            = ibm_is_vpc.vpc[0].id
  resource_group = module.resource_group.resource_group_id

  # 256 addresses, i.e. a /24; the platform picks the CIDR itself.
  total_ipv4_address_count = 256

  public_gateway = ibm_is_public_gateway.gateway[0].id
}
##############################################################################
# Base OCP Cluster in single zone
##############################################################################

locals {
  # Subnet map consumed by module.ocp_base. The "default" key matches
  # worker_pools[].subnet_prefix below. Every field is null for classic
  # clusters, where the VPC subnet is not created (its count is 0).
  cluster_vpc_subnets = {
    default = [
      {
        id         = var.is_vpc_cluster ? ibm_is_subnet.subnet_zone_1[0].id : null
        cidr_block = var.is_vpc_cluster ? ibm_is_subnet.subnet_zone_1[0].ipv4_cidr_block : null
        zone       = var.is_vpc_cluster ? ibm_is_subnet.subnet_zone_1[0].zone : null
      }
    ]
  }

  # One worker pool: two bx2.4x16 workers running REDHAT_8_64 in the single zone above.
  worker_pools = [
    {
      subnet_prefix     = "default"
      pool_name         = "default" # ibm_container_vpc_cluster automatically names standard pool "default" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
      machine_type      = "bx2.4x16"
      operating_system  = "REDHAT_8_64"
      workers_per_zone  = 2
      labels            = {}
      resource_group_id = module.resource_group.resource_group_id
    }
  ]
}
# OpenShift cluster on the VPC; created only for the VPC + OpenShift combination of inputs.
module "ocp_base" {
  count = (var.is_openshift && var.is_vpc_cluster) ? 1 : 0

  source  = "terraform-ibm-modules/base-ocp-vpc/ibm"
  version = "3.34.0"

  cluster_name      = var.prefix
  region            = var.region
  resource_group_id = module.resource_group.resource_group_id
  vpc_id            = ibm_is_vpc.vpc[0].id
  vpc_subnets       = local.cluster_vpc_subnets
  worker_pools      = local.worker_pools
  tags              = var.resource_tags

  # Test convenience: lets destroy proceed without retaining cluster storage
  # (presumably persistent volumes; confirm the exact scope in the module docs).
  force_delete_storage = true
}
# Lookup the current default kube version
# Provider-side lookup of the default Kubernetes and OpenShift versions;
# both attributes are read by local.default_version.
data "ibm_container_cluster_versions" "cluster_versions" {}
locals {
  # Platform default version for the cluster type under test. The OpenShift
  # version needs an "_openshift" suffix; the Kubernetes version is used as-is.
  default_version = (
    var.is_openshift
    ? format("%s_openshift", data.ibm_container_cluster_versions.cluster_versions.default_openshift_version)
    : data.ibm_container_cluster_versions.cluster_versions.default_kube_version
  )
}
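# Create IKS VPC cluster, only if variable is_openshift is false and is_vpc_cluster is true
resource "ibm_container_vpc_cluster" "cluster" {
  count = var.is_vpc_cluster && !var.is_openshift ? 1 : 0

  name              = var.prefix
  vpc_id            = ibm_is_vpc.vpc[0].id
  kube_version      = local.default_version
  flavor            = "bx2.4x16"
  resource_group_id = module.resource_group.resource_group_id
  tags              = var.resource_tags

  # Numeric, consistent with default_pool_size and workers_per_zone elsewhere in this file
  # (the previous "2" relied on implicit string-to-number conversion).
  worker_count = 2

  # Test convenience: lets destroy proceed without retaining cluster storage
  # (presumably persistent volumes; confirm the exact scope in the provider docs).
  force_delete_storage = true

  # Block the apply until the cluster reports the "Normal" state, so the agent
  # module below is not deployed onto a cluster that is still provisioning.
  wait_till = "Normal"

  zones {
    subnet_id = ibm_is_subnet.subnet_zone_1[0].id
    name      = "${var.region}-1"
  }

  timeouts {
    create = "3h"
    delete = "2h"
  }
}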
# Create IKS or ROKS classic cluster, only if is_vpc_cluster is false
resource "ibm_container_cluster" "cluster" {
  #checkov:skip=CKV2_IBM_7:Public endpoint is required for testing purposes
  # The suppression above leaves the cluster's public endpoint enabled; this is a
  # deliberate, test-only exposure and should not be copied into production examples.
  count = var.is_vpc_cluster ? 0 : 1

  name              = var.prefix
  datacenter        = var.datacenter
  kube_version      = local.default_version
  hardware          = "shared"
  machine_type      = "b3c.4x16"
  default_pool_size = 2
  resource_group_id = module.resource_group.resource_group_id
  tags              = var.resource_tags

  # The entitlement is passed only for the OpenShift variant; IKS gets null.
  entitlement = var.is_openshift ? "cloud_pak" : null

  # Both VLANs use the same count expression, so index 0 exists whenever this resource does.
  public_vlan_id  = ibm_network_vlan.public_vlan[0].id
  private_vlan_id = ibm_network_vlan.private_vlan[0].id

  force_delete_storage = true
  wait_till            = "Normal"

  timeouts {
    create = "3h"
    delete = "2h"
  }
}
# Public network VLAN for classic clusters (created only when is_vpc_cluster is false).
resource "ibm_network_vlan" "public_vlan" {
  count = var.is_vpc_cluster ? 0 : 1

  type       = "PUBLIC"
  datacenter = var.datacenter
}
# Private network VLAN for classic clusters (created only when is_vpc_cluster is false).
resource "ibm_network_vlan" "private_vlan" {
  count = var.is_vpc_cluster ? 0 : 1

  type       = "PRIVATE"
  datacenter = var.datacenter
}
##############################################################################
# SCC Workload Protection Instance
##############################################################################

# Workload Protection service instance; its access_key output is consumed by the agent module below.
module "scc_wp" {
  source  = "terraform-ibm-modules/scc-workload-protection/ibm"
  version = "v1.4.0" # the only module pin in this file written with a "v" prefix

  name              = format("%s-scc-wp", var.prefix)
  region            = var.region
  resource_group_id = module.resource_group.resource_group_id
  resource_key_tags = var.resource_tags
}
# Sleep to allow RBAC sync on cluster
# NOTE(review): data.ibm_container_cluster_config.cluster_config is not declared in
# this file — presumably in a sibling .tf of this example. The 5s pause starts only
# after that lookup has completed, and the agent module waits on this resource.
resource "time_sleep" "wait_operators" {
  depends_on      = [data.ibm_container_cluster_config.cluster_config]
  create_duration = "5s"
}
##############################################################################
# SCC Workload Protection Agent
##############################################################################

# Module under test (the repository root), deployed onto whichever of the
# three cluster variants this example created.
module "scc_wp_agent" {
  source     = "../.."
  depends_on = [time_sleep.wait_operators]

  # Pick the cluster name from the single variant whose count is 1:
  # VPC + OpenShift, VPC + IKS, or classic.
  cluster_name = (
    var.is_vpc_cluster
    ? (var.is_openshift ? module.ocp_base[0].cluster_name : ibm_container_vpc_cluster.cluster[0].name)
    : ibm_container_cluster.cluster[0].name
  )

  # Credential issued by the scc_wp module; treat state and plan output as sensitive accordingly.
  access_key = module.scc_wp.access_key

  region = var.region
  name   = format("%s-scc-wp-agent", var.prefix)
}
##############################################################################