Terraform module which creates ROSA cluster
This module is currently in its Alpha version and remains under active development; using it carries inherent risks that you should be aware of.
For the supported provider, see https://registry.terraform.io/providers/terraform-redhat/rhcs/latest. For the supported rosa-sts module, see https://registry.terraform.io/modules/terraform-redhat/rosa-sts/aws/latest.
This module deploys, configures, and manages ROSA Classic clusters within your AWS environment. It streamlines setting up and maintaining ROSA Classic clusters so that users can run OpenShift on AWS infrastructure with minimal manual work.
Sub-modules included in this module:
- account-iam-resources: Handles the provisioning of IAM (Identity and Access Management) resources required for managing access and permissions within the AWS account associated with the ROSA Classic cluster.
- idp: Responsible for configuring Identity Providers (IDPs) within the ROSA Classic cluster, facilitating seamless integration with external authentication systems such as GitHub, GitLab, Google, HTPasswd, LDAP, and OpenID Connect (OIDC).
- machine-pool: Facilitates the management of machine pools within the ROSA Classic cluster, enabling users to scale resources and adjust specifications based on workload demands.
- oidc-config-and-provider: Manages the configuration of OIDC (OpenID Connect) providers within the ROSA Classic cluster, enabling secure authentication and access control mechanisms.
- operator-policies: Responsible for managing policies associated with ROSA operators within the cluster, ensuring proper permissions for core cluster functionalities.
- operator-roles: Oversees the management of roles assigned to operators within the ROSA Classic cluster, enabling them to perform required actions with the appropriate permissions.
- rosa-cluster-classic: Handles the core configuration and provisioning of the ROSA Classic cluster, including cluster networking, security settings, and other essential components.
- shared-vpc-policy-and-hosted-zone: Manages policies and configurations related to shared Virtual Private Cloud (VPC) resources and Route 53 hosted zones, facilitating connectivity and access control within the AWS environment.
- vpc: Handles the configuration and provisioning of the Virtual Private Cloud (VPC) infrastructure required for hosting the ROSA Classic cluster and its associated resources.
The primary sub-module responsible for ROSA cluster creation also includes optional configuration for setting up account roles, operator roles, and OIDC configuration, so the module as a whole handles the entire process of provisioning and configuring ROSA clusters within the AWS environment.
Prerequisites:
- The Terraform CLI (1.4.6+) installed.
- An AWS account and credentials that allow you to create resources, configured for the AWS provider (see the Authentication and Configuration section of the AWS Terraform provider documentation).
- The ROSA getting started AWS prerequisites completed.
- A valid OpenShift Cluster Manager API token configured (see Authentication and configuration for more info).
Installation of the following CLI tools is recommended:
Requirements:

Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 4.0 |
null | >= 3.0.0 |
rhcs | >= 1.5.0 |
Providers:

Name | Version |
---|---|
aws | >= 4.0 |
null | >= 3.0.0 |
Modules:

Name | Source | Version |
---|---|---|
account_iam_resources | ./modules/account-iam-resources | n/a |
oidc_config_and_provider | ./modules/oidc-config-and-provider | n/a |
operator_policies | ./modules/operator-policies | n/a |
operator_roles | ./modules/operator-roles | n/a |
rhcs_identity_provider | ./modules/idp | n/a |
rhcs_machine_pool | ./modules/machine-pool | n/a |
rosa_cluster_classic | ./modules/rosa-cluster-classic | n/a |
Resources:

Name | Type |
---|---|
null_resource.validations | resource |
aws_caller_identity.current | data source |
aws_partition.current | data source |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
account_role_prefix | User-defined prefix for all generated AWS resources (default "account-role-"). | string | null | no |
additional_trust_bundle | A string containing a PEM-encoded X.509 certificate bundle that will be added to the nodes' trusted certificate store. | string | null | no |
admin_credentials_password | Admin password that will be created with the cluster. The password must be at least 14 ASCII characters long, contain no whitespace, and include uppercase letters, lowercase letters, and numbers or symbols. | string | null | no |
admin_credentials_username | Admin username that will be created with the cluster. If not set, the auto-generated username is "cluster-admin". | string | null | no |
autoscaler_balance_similar_node_groups | Automatically identify node groups with the same instance type and the same set of labels and try to keep the respective sizes of those node groups balanced. | bool | null | no |
autoscaler_balancing_ignored_labels | Labels that the cluster autoscaler should ignore when considering node group similarity. For example, if your nodes carry the 'topology.ebs.csi.aws.com/zone' label, add that label name here to prevent the autoscaler from splitting nodes into different node groups based on its value. | list(string) | null | no |
autoscaler_cores | Minimum and maximum number of cores in the cluster, in the format `<min>:<max>`. The cluster autoscaler will not scale the cluster beyond these numbers. | object({ | null | no |
autoscaler_gpus | Minimum and maximum number of different GPUs in the cluster, in the format `<gpu_type>:<min>:<max>`. The cluster autoscaler will not scale the cluster beyond these numbers. Can be passed multiple times. | list(object({ | null | no |
autoscaler_ignore_daemonsets_utilization | Whether the cluster autoscaler should ignore DaemonSet pods when calculating resource utilization for scaling down. Default is false. | bool | null | no |
autoscaler_log_verbosity | Sets the autoscaler log level. The default value is 1; level 4 is recommended for debugging and level 6 enables almost everything. | number | null | no |
autoscaler_max_node_provision_time | Maximum time the cluster autoscaler waits for a node to be provisioned. | string | null | no |
autoscaler_max_nodes_total | Maximum number of nodes in all node groups. The cluster autoscaler will not grow the cluster beyond this number. | number | null | no |
autoscaler_max_pod_grace_period | Graceful termination time given to pods before scaling down. | number | null | no |
autoscaler_memory | Minimum and maximum number of gigabytes of memory in the cluster, in the format `<min>:<max>`. The cluster autoscaler will not scale the cluster beyond these numbers. | object({ | null | no |
autoscaler_pod_priority_threshold | Allows users to schedule 'best-effort' pods, which should not trigger cluster autoscaler actions but only run when spare resources are available. | number | null | no |
autoscaler_scale_down_delay_after_add | How long after a scale-up that scale-down evaluation resumes. | string | null | no |
autoscaler_scale_down_delay_after_delete | How long after node deletion that scale-down evaluation resumes. | string | null | no |
autoscaler_scale_down_delay_after_failure | How long after a scale-down failure that scale-down evaluation resumes. | string | null | no |
autoscaler_scale_down_enabled | Whether the cluster autoscaler should scale down the cluster. | bool | null | no |
autoscaler_scale_down_unneeded_time | How long a node should be unneeded before it is eligible for scale-down. | string | null | no |
autoscaler_scale_down_utilization_threshold | Node utilization level, defined as the sum of requested resources divided by capacity, below which a node can be considered for scale-down. | string | null | no |
autoscaler_skip_nodes_with_local_storage | If true, the cluster autoscaler will never delete nodes with pods that use local storage, e.g. EmptyDir or HostPath. Default is true. | bool | null | no |
autoscaling_enabled | Enable autoscaling for the initial worker pool (default: false). | bool | null | no |
aws_additional_compute_security_group_ids | Additional Security Group IDs to be added to the default worker machine pool. | list(string) | null | no |
aws_additional_control_plane_security_group_ids | Additional Security Group IDs to be added to the control plane nodes. | list(string) | null | no |
aws_additional_infra_security_group_ids | Additional Security Group IDs to be added to the infra worker nodes. | list(string) | null | no |
aws_availability_zones | The AWS availability zones where instances of the default worker machine pool are deployed. Leave empty to let the installer pick availability zones. | list(string) | [] | no |
aws_private_link | Provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet (default: false). | bool | null | no |
aws_subnet_ids | The Subnet IDs to use when installing the cluster. Leave empty for installer-provisioned subnet IDs. | list(string) | [] | no |
cluster_name | Name of the cluster. After the resource is created, this attribute cannot be updated. | string | n/a | yes |
compute_machine_type | Instance type used by the default worker machine pool, e.g. m5.xlarge. Use the rhcs_machine_types data source to find the possible values. | string | null | no |
create_account_roles | Create the AWS account roles for ROSA. | bool | false | no |
create_oidc | Create the OIDC resources. | bool | false | no |
create_operator_roles | Create the AWS operator roles for ROSA. | bool | false | no |
default_ingress_cluster_routes_hostname | Component route hostname for oauth, console, download. | string | null | no |
default_ingress_cluster_routes_tls_secret_ref | Component route TLS secret reference for oauth, console, download. | string | null | no |
default_ingress_excluded_namespaces | Excluded namespaces for ingress. Format should be a comma-separated list 'value1, value2...'. If no values are specified, all namespaces will be exposed. | list(string) | null | no |
default_ingress_id | Unique identifier of the ingress. | string | null | no |
default_ingress_load_balancer_type | Type of Load Balancer. Options are ["classic", "nlb"]. | string | null | no |
default_ingress_route_namespace_ownership_policy | Namespace Ownership Policy for ingress. Options are ["Strict", "InterNamespaceAllowed"]. Default is "Strict". | string | null | no |
default_ingress_route_selectors | Route Selectors for ingress. Format should be a comma-separated list of 'key=value'. If no label is specified, all routes will be exposed on both routers. For legacy ingress support these are inclusion labels; otherwise they are treated as exclusion labels. | map(string) | null | no |
default_ingress_route_wildcard_policy | Wildcard Policy for ingress. Options are ["WildcardsDisallowed", "WildcardsAllowed"]. Default is "WildcardsDisallowed". | string | null | no |
default_mp_labels | Labels for the worker machine pool. This list will overwrite any modifications made to node labels on an ongoing basis. | map(string) | null | no |
destroy_timeout | Maximum duration in minutes to allow for destroying resources (default: 60 minutes). | number | null | no |
disable_scp_checks | Indicates whether cloud permission checks are disabled when attempting installation of the cluster. | bool | null | no |
disable_waiting_in_destroy | Disable checking cluster state in the destroy resource. The default value is false, so a destroy will wait for the cluster to be deleted. | bool | null | no |
disable_workload_monitoring | Enables you to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. | bool | null | no |
ec2_metadata_http_tokens | Whether cluster nodes should use both the v1 and v2 endpoints, or only the v2 endpoint, of the EC2 Instance Metadata Service (IMDS). Available since OpenShift version 4.11.0. | string | null | no |
etcd_encryption | Add etcd encryption. By default etcd data is encrypted at rest; this option configures etcd encryption on top of the existing storage encryption. | bool | null | no |
fips | Create a cluster that uses FIPS Validated / Modules in Process cryptographic libraries. | bool | null | no |
host_prefix | Subnet prefix length to assign to each individual node. For example, if the host prefix is set to "23", each node is assigned a /23 subnet out of the given CIDR. | number | null | no |
http_proxy | A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must be http. | string | null | no |
https_proxy | A proxy URL to use for creating HTTPS connections outside the cluster. | string | null | no |
identity_providers | Provides a generic approach to add multiple identity providers after the cluster has been created. Each map entry holds the configuration of one identity provider; for the variables it accepts, refer to the idp sub-module. Non-primitive values (maps, lists, and objects) must be supplied as JSON-encoded strings. | map(any) | {} | no |
kms_key_arn | The key ARN is the Amazon Resource Name (ARN) of a CMK. It is a unique, fully qualified identifier for the CMK and includes the AWS account, Region, and key ID. | string | null | no |
machine_cidr | Block of IP addresses used by OpenShift while installing the cluster, for example "10.0.0.0/16". | string | null | no |
machine_pools | Provides a generic approach to add multiple machine pools after the cluster has been created. Each map entry holds the configuration of one machine pool; for the variables it accepts, refer to the machine-pool sub-module. Non-primitive values (maps, lists, and objects) must be supplied as JSON-encoded strings. | map(any) | {} | no |
managed_oidc | Whether the OIDC configuration is managed (true) or unmanaged (false). | bool | true | no |
max_replicas | Maximum number of compute nodes. Applies only when autoscaling is enabled (default: 2). | number | null | no |
min_replicas | Minimum number of compute nodes. Applies only when autoscaling is enabled (default: 2). | number | null | no |
multi_az | Specifies whether the cluster should be deployed across multiple availability zones (default: false). | bool | null | no |
no_proxy | A comma-separated list of destination domain names, domains, IP addresses or other network CIDRs to exclude from proxying. | string | null | no |
oidc_config_id | The unique identifier associated with users authenticated through OpenID Connect (OIDC) within the ROSA cluster. | string | null | no |
oidc_endpoint_url | Registered OIDC configuration issuer URL, added as the trusted relationship to the operator roles. Valid only when create_oidc is false. | string | null | no |
openshift_version | Desired version of OpenShift for the cluster, for example '4.1.0'. If the version is greater than the currently running version, an upgrade will be scheduled. | string | n/a | yes |
operator_role_prefix | User-defined prefix for generated AWS operator policies. If no value is provided, account_role_prefix is used. | string | null | no |
path | The ARN path for the account/operator roles as well as their policies. | string | "/" | no |
permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM roles in STS clusters. | string | "" | no |
pod_cidr | Block of IP addresses from which Pod IP addresses are allocated, for example "10.128.0.0/14". | string | null | no |
private | Restrict the master API endpoint and application routes to direct, private connectivity (default: false). | bool | null | no |
properties | User-defined properties. | map(string) | null | no |
replicas | Number of worker nodes to provision. Applies only when autoscaling is disabled. Single-zone clusters need at least 2 nodes, multi-zone clusters need at least 3 nodes. Hosted clusters require that the number of worker nodes be a multiple of the number of private subnets (default: 2). | number | null | no |
service_cidr | Block of IP addresses for services, for example "172.30.0.0/16". | string | null | no |
tags | Apply user-defined tags to all cluster resources created in AWS. After the cluster has been created, this attribute cannot be updated. | map(string) | null | no |
upgrade_acknowledgements_for | Indicates acknowledgement of agreements required to upgrade the cluster version between minor versions (e.g. a value of "4.12" indicates acknowledgement of any agreements required to upgrade to OpenShift 4.12.z from 4.11 or before). | bool | null | no |
wait_for_create_complete | Wait until the cluster is either in a ready state or in an error state. The waiter has a timeout of 60 minutes (default: true). | bool | true | no |
worker_disk_size | Default worker machine pool root disk size with a unit suffix like GiB or TiB, e.g. 200GiB. | number | null | no |
Outputs:

Name | Description |
---|---|
cluster_id | Unique identifier of the cluster. |
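The root module below is an added example, not code from this README or from the terraform-redhat project. It calls the module with the inputs documented in the Inputs table in a hardened configuration: it has the module create the account roles, operator roles and managed OIDC configuration described for the primary sub-module, applies a permissions boundary to the generated IAM roles, keeps the API endpoint and routes private over PrivateLink, requires IMDSv2 on the nodes, enables etcd encryption and FIPS with a customer-managed KMS key, and shows how the identity_providers and machine_pools map(any) variables take JSON-encoded strings for non-primitive values. Everything not on this page is an assumption: the registry address terraform-redhat/rosa-classic/rhcs, the region, the OpenShift version, the ARNs and subnet IDs (all placeholders), the keys used inside machine_pools and identity_providers (sub-module variable names), and the value "required" for ec2_metadata_http_tokens, which is the rhcs provider's IMDSv2-only setting.

```hcl
# Added example, not the module's own code. Assumed (not on the page): the
# module's registry address, the keys inside machine_pools and
# identity_providers (sub-module variable names), and every placeholder
# region, version, ARN and ID marked below.

terraform {
  required_version = ">= 1.4.6"
  required_providers {
    rhcs = { source = "terraform-redhat/rhcs", version = ">= 1.5.0" }
    aws  = { source = "hashicorp/aws", version = ">= 4.0" }
  }
}

# The OCM API token is read from the RHCS_TOKEN environment variable, so it is
# never committed with the configuration.
provider "rhcs" {}

provider "aws" {
  region = "us-east-1" # assumed region
}

variable "private_subnet_ids" {
  description = "Private subnet IDs of an existing VPC (constructed input)."
  type        = list(string)
}

variable "admin_password" {
  description = "Break-glass admin password: at least 14 ASCII chars, no whitespace."
  type        = string
  sensitive   = true # shown as (sensitive value) in plan output
}

variable "idp_password" {
  type      = string
  sensitive = true
}

module "rosa_classic" {
  source = "terraform-redhat/rosa-classic/rhcs" # assumed registry address; pin a version in real use

  cluster_name      = "rosa-hardened"
  openshift_version = "4.14.0" # placeholder; pick a version available to your OCM account

  # Let the module create account roles, operator roles and a managed OIDC
  # config, and bound every generated IAM role with a permissions boundary.
  create_account_roles  = true
  create_operator_roles = true
  create_oidc           = true
  managed_oidc          = true
  account_role_prefix   = "rosa-hardened"
  operator_role_prefix  = "rosa-hardened"
  permissions_boundary  = "arn:aws:iam::111122223333:policy/RosaBoundary" # placeholder ARN

  # Keep the API endpoint and application routes off the public internet.
  private          = true
  aws_private_link = true
  multi_az         = true
  aws_subnet_ids   = var.private_subnet_ids
  machine_cidr     = "10.0.0.0/16"
  service_cidr     = "172.30.0.0/16"
  pod_cidr         = "10.128.0.0/14"
  host_prefix      = 23

  # Node and data protection: IMDSv2 only, etcd encryption, FIPS, customer-managed key.
  ec2_metadata_http_tokens = "required" # rhcs provider value for "v2 endpoint only"
  etcd_encryption          = true
  fips                     = true
  kms_key_arn              = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000" # placeholder

  admin_credentials_username = "cluster-admin"
  admin_credentials_password = var.admin_password

  # Autoscaling is disabled, so replicas applies; multi-AZ needs at least 3 nodes.
  compute_machine_type = "m5.xlarge"
  replicas             = 3

  # Non-primitive values inside these map(any) variables must be JSON-encoded
  # strings (see the Inputs table). The keys are assumed sub-module variable names.
  machine_pools = {
    workloads = {
      name         = "workloads"
      machine_type = "m5.2xlarge"
      replicas     = 3
      labels       = jsonencode({ workload = "general" })
    }
  }

  identity_providers = {
    htpasswd = {
      name           = "htpasswd"
      idp_type       = "htpasswd"
      htpasswd_users = jsonencode([{ username = "ops", password = var.idp_password }])
    }
  }

  tags = {
    environment = "prod"
    owner       = "platform-security"
  }
}

output "cluster_id" {
  value = module.rosa_classic.cluster_id
}
```

Supply the two sensitive variables through TF_VAR_admin_password and TF_VAR_idp_password (or a variables file kept out of version control) and check in the terraform plan output that both appear as (sensitive value); the module's null_resource.validations runs before creation, so an unsupported combination of inputs fails at plan or early apply rather than after the cluster exists.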