create_policies variable to turn off any potential policy creation tempt (#325) (#442)

* create_policies variable to turn off any potential policy creation attempt (#325)

* create_policies  > review feedback (#325)

* create_policies  > review feedback (#325)

* Renamed kms_key_id to cluster_kms_key_id

Co-authored-by: Ali Mukadam <lmukadam@gmail.com>

Author: slmjy

docs/configuration.adoc

@@ -77,7 +77,7 @@ Alternatively, you can also specify these using Terraform environment variables
 export TF_api_fingerprint = "1a:bc:23:45:6d:78:e9:f0:gh:ij:kl:m1:23:no:4p:5q"
 ----
 
-You would have obtained your values when doing the {uri-prereqs}[Prerequisites]. 
+You would have obtained your values when doing the {uri-prereqs}[Prerequisites].
 
 {uri-terraform-options}#identity-and-access[Reference]
 
@@ -129,7 +129,7 @@ The list of regions can be found {uri-oci-region}[here].
 
 == Configure OCI Networking parameters
 
-The networking parameters concern the VCN and the subnets network configuration as well as whether to enable some specific features such as the NAT Gateway. 
+The networking parameters concern the VCN and the subnets network configuration as well as whether to enable some specific features such as the NAT Gateway.
 
 You can leave most of the default options. However, you may want to change the following 2 parameters:
 
@@ -272,6 +272,7 @@ create_operator = true
 enable_operator_instance_principal = true
 enable_operator_pv_encryption_in_transit = false
 operator_volume_kms_id = <operator_volume_kms_id>
+create_policies = true
 ----
 
 OKE also supports enforcing the use of signed images. You can enforce the use of signed image using the following parameters:

docs/instructions.adoc

@@ -74,9 +74,9 @@ If you wish to use {uri-oci-kms}[OCI KMS] to encrypt Kubernetes secrets, the fol
 ** {uri-oci-manage-policies}[manage policies in root tenancy]
 * link:#adding-the-bastion-host[bastion must be enabled]
 * link:#enabling-instance_principal-on-the-operator-host[operator instance_principal must be enabled]
-
 * use_cluster_encryption must be set to _true_
 * cluster_kms_key_id must be provided
+* create_policies should be set to _true_ if policies for cluster access to KMS are not already in place
 
 If you wish to use {uri-oci-kms}[OCI KMS] to encrypt OKE nodepool boot/block volume, the following is required:
 

docs/terraformoptions.adoc

@@ -31,7 +31,7 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 
 == OCI Provider parameters
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -88,7 +88,7 @@ region = "ap-sydney-1"
 
 == General OCI
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -109,7 +109,7 @@ region = "ap-sydney-1"
 
 == SSH Keys
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -146,7 +146,7 @@ EOT
 
 == OCI Networking
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -171,10 +171,10 @@ EOT
 |internet_gateway_route_rules
 |(Updatable) List of routing rules to add to Internet Gateway Route Table.
 |
-[ 
+[
   {
     destination       = "192.168.0.0/16"
-    destination_type  = "CIDR_BLOCK"     
+    destination_type  = "CIDR_BLOCK"
     network_entity_id = "drg"
     description       = "Terraformed"
   },
@@ -184,7 +184,7 @@ EOT
 |local_peering_gateways
 |Map of Local Peering Gateways to attach to the VCN.
 |
-    to_spoke2 = { 
+    to_spoke2 = {
       route_table_id = ""
       peer_id        = ""
     }
@@ -198,10 +198,10 @@ EOT
 |nat_gateway_route_rules
 |(Updatable) List of routing rules to add to Internet Gateway Route Table.
 |
-[ 
+[
   {
     destination       = "192.168.0.0/16"
-    destination_type  = "CIDR_BLOCK"     
+    destination_type  = "CIDR_BLOCK"
     network_entity_id = "drg"
     description       = "Terraformed"
   },
@@ -254,7 +254,7 @@ EOT
 
 == Bastion Host
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -334,7 +334,7 @@ EOT
 
 == OCI Bastion Service
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -364,7 +364,7 @@ EOT
 
 == Operator Host
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -451,7 +451,7 @@ EOT
 
 == Availability Domain
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -475,7 +475,7 @@ EOT
 
 == Tagging
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -528,7 +528,7 @@ EOT
 
 == OKE
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -604,7 +604,7 @@ EOT
 
 == KMS integration
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -618,8 +618,11 @@ EOT
 
 |cluster_kms_key_id
 |The id of the OCI KMS key to be used as the master encryption key for encrypting Kubernetes' etcd . *Required* if _use_cluster_encryption_ is set to *true*
-|`ocid1.key.oc1....`
-|
+
+|create_policies
+|Whether to create dynamic group for cluster with policies to access {uri-oci-kms}[OCI KMS] when using encryption.
+|true/false
+|true
 
 |use_node_pool_volume_encryption
 |Whether to use {uri-oci-kms}[OCI KMS] to encrypt Kubernetes Nodepool's boot/block volume.
@@ -642,15 +645,15 @@ EOT
 |false
 
 |`image_signing_keys`
-|A list of KMS key ids used by the worker nodes to verify signed images. The keys must use RSA algorithm. *Required* if _use_signed_images_ is set to *true* 
+|A list of KMS key ids used by the worker nodes to verify signed images. The keys must use RSA algorithm. *Required* if _use_signed_images_ is set to *true*
 |
 `["ocid1.key.oc1....", "ocid1.key.oc1...."]`
 |[]
 |===
 
 == Node pools
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -671,8 +674,8 @@ Refer to {uri-topology}[topology] for more thorough examples.
 node_pools = {
 np1 = { shape = "VM.Standard.E4.Flex", ocpus = 1, memory = 16, node_pool_size = 1, boot_volume_size = 150, label = { app = "frontend", pool = "np1" } }
   np2 = {shape="VM.Standard.E2.2",node_pool_size=2,boot_volume_size=150,label={app="application",name="test"}}
-  np3 = {shape="VM.Standard.E2.2",node_pool_size=1} 
-} 
+  np3 = {shape="VM.Standard.E2.2",node_pool_size=1}
+}
 |
 node_pools = {
   np1 = {shape="VM.Standard.E3.Flex",ocpus=2,node_pool_size=2,boot_volume_size=150}
@@ -714,7 +717,7 @@ node_pools = {
 
 == File Storage
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -745,7 +748,7 @@ node_pools = {
 
 == Upgrade cluster
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -776,15 +779,15 @@ node_pools = {
 
 == OKE Load Balancers
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
 |Values
 |Default
 
 |load_balancers
-|The type of load balancer subnets to create. 
+|The type of load balancer subnets to create.
 
 Even if you set the load balancer subnets to be internal, you still need to set the correct {uri-oci-loadbalancer-annotations}[annotations] when creating internal load balancers. Just setting this value to internal is *_not_* sufficient.
 
@@ -826,7 +829,7 @@ Refer to {uri-topology}[topology] for more thorough examples.
 
 == OCIR
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -862,7 +865,7 @@ Refer to {uri-topology}[topology] for more thorough examples.
 
 == Calico
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -883,7 +886,7 @@ Refer to {uri-topology}[topology] for more thorough examples.
 
 == Kubernetes Metrics Server
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -909,7 +912,7 @@ Refer to {uri-topology}[topology] for more thorough examples.
 
 == Gatekeeper
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description
@@ -930,7 +933,7 @@ Refer to {uri-topology}[topology] for more thorough examples.
 
 == Service Account
 
-[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"]
 |===
 |Parameter
 |Description

main.tf

@@ -64,7 +64,7 @@ module "bastion" {
   upgrade_bastion     = var.upgrade_bastion
 
   # bastion notification
-  enable_bastion_notification   = var.enable_bastion_notification
+  enable_bastion_notification   = var.enable_bastion_notification && var.create_policies
   bastion_notification_endpoint = var.bastion_notification_endpoint
   bastion_notification_protocol = var.bastion_notification_protocol
   bastion_notification_topic    = var.bastion_notification_topic
@@ -102,7 +102,7 @@ module "operator" {
 
   # operator host parameters
   operator_image_id                  = var.operator_image_id
-  enable_operator_instance_principal = var.enable_operator_instance_principal
+  enable_operator_instance_principal = var.enable_operator_instance_principal && var.create_policies
   enable_pv_encryption_in_transit    = var.enable_operator_pv_encryption_in_transit
   operator_os_version                = var.operator_os_version
   operator_shape                     = var.operator_shape
@@ -227,6 +227,7 @@ module "oke" {
   vcn_id                                                  = module.vcn.vcn_id
   use_cluster_encryption                                  = var.use_cluster_encryption
   cluster_kms_key_id                                      = var.cluster_kms_key_id
+  create_policies                                         = var.create_policies
   use_signed_images                                       = var.use_signed_images
   image_signing_keys                                      = var.image_signing_keys
   admission_controller_options                            = var.admission_controller_options
@@ -329,6 +330,7 @@ module "extensions" {
   use_cluster_encryption       = var.use_cluster_encryption
   cluster_kms_key_id           = var.cluster_kms_key_id
   cluster_kms_dynamic_group_id = module.oke.cluster_kms_dynamic_group_id
+  create_policies      = var.create_policies
 
   # ocir parameters
   email_address    = var.email_address

modules/extensions/iam.tf

@@ -13,20 +13,25 @@ terraform {
   required_version = ">= 1.0.0"
 }
 
+locals {
+  create_operator_instance_principal_dynamic_group = (var.use_cluster_encryption == true && var.create_policies == true && var.create_bastion_host == true && var.enable_operator_instance_principal == true)
+}
+
 resource "oci_identity_policy" "operator_instance_principal_dynamic_group" {
   provider       = oci.home
   compartment_id = var.tenancy_id
   description    = "policy to allow operator host to manage dynamic group"
   name           = var.label_prefix == "none" ? "operator-instance-principal-dynamic-group-${substr(uuid(), 0, 8)}" : "${var.label_prefix}-operator-instance-principal-dynamic-group-${substr(uuid(), 0, 8)}"
   statements     = ["Allow dynamic-group ${var.operator_dynamic_group} to use dynamic-groups in tenancy"]
-  count          = (var.use_cluster_encryption == true && var.create_bastion_host == true && var.enable_operator_instance_principal == true) ? 1 : 0
+  count          = (local.create_operator_instance_principal_dynamic_group == true) ? 1 : 0
 }
 
 # 30s delay to allow policies to take effect globally
 resource "time_sleep" "wait_30_seconds" {
   depends_on = [oci_identity_policy.operator_instance_principal_dynamic_group]
 
   create_duration = "30s"
+  count          = (local.create_operator_instance_principal_dynamic_group == true) ? 1 : 0
 }
 
 resource "null_resource" "update_dynamic_group" {
@@ -58,5 +63,5 @@ resource "null_resource" "update_dynamic_group" {
     ]
   }
 
-  count = (var.use_cluster_encryption == true && var.create_bastion_host == true && var.bastion_state == "RUNNING" && var.enable_operator_instance_principal == true) ? 1 : 0
+  count = (local.create_operator_instance_principal_dynamic_group && var.bastion_state == "RUNNING" ) ? 1 : 0
 }

modules/extensions/variables.tf

@@ -60,7 +60,13 @@ variable "use_cluster_encryption" {
 
 variable "cluster_kms_key_id" {}
 
+
 variable "cluster_kms_dynamic_group_id" {}
+
+variable "create_policies" {
+  type        = bool
+}
+
 # ocir
 variable "email_address" {}