feat: renamed kms_key_id to cluster_kms_key_id to avoid confusion. Closes #458 (#487)

hyder · web-flow · commit f776bd3e7788 · 2022-02-24T10:41:54.000+11:00
diff --git a/docs/configuration.adoc b/docs/configuration.adoc
@@ -260,7 +260,7 @@ OKE Variables:-
 
 ----
 use_encryption = true
-kms_key_id = <kms_key_id>
+cluster_kms_key_id = <cluster_kms_key_id>
 use_node_pool_volume_encryption = true
 node_pool_volume_kms_key_id = <node_pool_volume_kms_key_id>
 ----
diff --git a/docs/instructions.adoc b/docs/instructions.adoc
@@ -75,7 +75,7 @@ If you wish to use {uri-oci-kms}[OCI KMS] to encrypt Kubernetes secrets, the fol
 * link:#enabling-instance_principal-on-the-operator-host[operator instance_principal must be enabled]
 
 * use_encryption must be set to _true_
-* kms_key_id must be provided
+* cluster_kms_key_id must be provided
 
 If you wish to use {uri-oci-kms}[OCI KMS] to encrypt OKE nodepool boot/block volume, the following is required:
 
diff --git a/docs/terraformoptions.adoc b/docs/terraformoptions.adoc
@@ -616,8 +616,8 @@ EOT
 |true/false
 |false
 
-|kms_key_id
-|The id of the OCI KMS key to be used as the master encryption key for Kubernetes secrets encryption.. *Required* if _use_encryption_ is set to *true*
+|cluster_kms_key_id
+|The id of the OCI KMS key to be used as the master encryption key for encrypting Kubernetes' etcd . *Required* if _use_encryption_ is set to *true*
 |`ocid1.key.oc1....`
 |
 
diff --git a/main.tf b/main.tf
@@ -222,7 +222,7 @@ module "oke" {
   cluster_subnets                                         = module.network.subnet_ids
   vcn_id                                                  = module.vcn.vcn_id
   use_encryption                                          = var.use_encryption
-  kms_key_id                                              = var.kms_key_id
+  cluster_kms_key_id                                      = var.cluster_kms_key_id
   use_signed_images                                       = var.use_signed_images
   image_signing_keys                                      = var.image_signing_keys
   admission_controller_options                            = var.admission_controller_options
@@ -290,11 +290,11 @@ module "extensions" {
   operator_os_version                = var.operator_os_version
 
   # oke cluster parameters
-  cluster_id           = module.oke.cluster_id
-  pods_cidr            = var.pods_cidr
-  use_encryption       = var.use_encryption
-  kms_key_id           = var.kms_key_id
-  kms_dynamic_group_id = module.oke.kms_dynamic_group_id
+  cluster_id                   = module.oke.cluster_id
+  pods_cidr                    = var.pods_cidr
+  use_encryption               = var.use_encryption
+  cluster_kms_key_id           = var.cluster_kms_key_id
+  cluster_kms_dynamic_group_id = module.oke.cluster_kms_dynamic_group_id
 
   # ocir parameters
   email_address    = var.email_address
diff --git a/modules/extensions/templates.tf b/modules/extensions/templates.tf
@@ -74,7 +74,7 @@ locals {
       region         = var.region
 
       email_address     = var.email_address
-      region_registry   = join("",[var.region,".ocir.io"])
+      region_registry   = join("", [var.region, ".ocir.io"])
       secret_id         = var.secret_id
       secret_name       = var.secret_name
       secret_namespace  = var.secret_namespace
@@ -100,7 +100,7 @@ locals {
 
   update_dynamic_group_template = templatefile("${path.module}/scripts/update_dynamic_group.template.sh",
     {
-      dynamic_group_id   = var.use_encryption == true ? var.kms_dynamic_group_id : "null"
+      dynamic_group_id   = var.use_encryption == true ? var.cluster_kms_dynamic_group_id : "null"
       dynamic_group_rule = local.dynamic_group_rule_this_cluster
       home_region        = data.oci_identity_regions.home_region.regions[0].name
     }
diff --git a/modules/extensions/variables.tf b/modules/extensions/variables.tf
@@ -48,8 +48,7 @@ variable "enable_operator_instance_principal" {
 }
 variable "operator_os_version" {}
 
-
-
+# oke
 variable "cluster_id" {}
 
 variable "pods_cidr" {}
@@ -59,9 +58,9 @@ variable "use_encryption" {
   type = bool
 }
 
-variable "kms_key_id" {}
+variable "cluster_kms_key_id" {}
 
-variable "kms_dynamic_group_id" {}
+variable "cluster_kms_dynamic_group_id" {}
 # ocir
 variable "email_address" {}
 
diff --git a/modules/oke/cluster.tf b/modules/oke/cluster.tf
@@ -11,7 +11,7 @@ resource "time_sleep" "wait_30_seconds" {
 resource "oci_containerengine_cluster" "k8s_cluster" {
   compartment_id     = var.compartment_id
   kubernetes_version = var.cluster_kubernetes_version
-  kms_key_id         = var.use_encryption == true ? var.kms_key_id : null
+  kms_key_id         = var.use_encryption == true ? var.cluster_kms_key_id : null
   name               = var.label_prefix == "none" ? var.cluster_name : "${var.label_prefix}-${var.cluster_name}"
 
   depends_on = [time_sleep.wait_30_seconds]
diff --git a/modules/oke/iam.tf b/modules/oke/iam.tf
@@ -31,7 +31,7 @@ resource "oci_identity_policy" "oke_kms" {
   description    = "policy to allow dynamic group ${var.label_prefix}-oke-kms-cluster to use KMS to encrypt etcd"
   depends_on     = [oci_identity_dynamic_group.oke_kms_cluster]
   name           = var.label_prefix == "none" ? "oke-kms" : "${var.label_prefix}-oke-kms"
-  statements     = [local.policy_statement]
+  statements     = [local.cluster_kms_policy_statement]
   count          = var.use_encryption == true ? 1 : 0
 }
 
diff --git a/modules/oke/locals.tf b/modules/oke/locals.tf
@@ -15,7 +15,7 @@ locals {
   dynamic_group_rule_all_clusters = "ALL {resource.type = 'cluster', resource.compartment.id = '${var.compartment_id}'}"
 
   # policy to allow dynamic group of all clusters to use kms 
-  policy_statement = (var.use_encryption == true) ? "Allow dynamic-group ${oci_identity_dynamic_group.oke_kms_cluster[0].name} to use keys in compartment id ${var.compartment_id} where target.key.id = '${var.kms_key_id}'" : ""
+  cluster_kms_policy_statement = (var.use_encryption == true) ? "Allow dynamic-group ${oci_identity_dynamic_group.oke_kms_cluster[0].name} to use keys in compartment id ${var.compartment_id} where target.key.id = '${var.cluster_kms_key_id}'" : ""
 
   # policy to allow block volumes inside oke to use kms
   oke_volume_kms_policy_statements = (var.use_node_pool_volume_encryption == true) ? [
diff --git a/modules/oke/outputs.tf b/modules/oke/outputs.tf
@@ -5,7 +5,7 @@ output "cluster_id" {
   value = oci_containerengine_cluster.k8s_cluster.id
 }
 
-output "kms_dynamic_group_id" {
+output "cluster_kms_dynamic_group_id" {
   value = var.use_encryption == true ? oci_identity_dynamic_group.oke_kms_cluster[0].id : "null"
 }
 
diff --git a/modules/oke/variables.tf b/modules/oke/variables.tf
@@ -45,7 +45,7 @@ variable "use_encryption" {
   type = bool
 }
 
-variable "kms_key_id" {}
+variable "cluster_kms_key_id" {}
 
 variable "use_node_pool_volume_encryption" {
   type = bool
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
@@ -140,7 +140,7 @@ services_cidr                = "10.96.0.0/16"
 
 ## oke cluster kms integration
 use_encryption = false
-kms_key_id     = ""
+cluster_kms_key_id     = ""
 
 ### oke node pool volume kms integration
 use_node_pool_volume_encryption = false
diff --git a/variables.tf b/variables.tf
@@ -483,7 +483,7 @@ variable "use_encryption" {
   type        = bool
 }
 
-variable "kms_key_id" {
+variable "cluster_kms_key_id" {
   default     = ""
   description = "The id of the OCI KMS key to be used as the master encryption key for Kubernetes secrets encryption."
   type        = string

Original file line number	Diff line number	Diff line change
`@@ -616,8 +616,8 @@ EOT`
`616`	`616`	`\|true/false`
`617`	`617`	`\|false`
`618`	`618`
`619`		`-\|kms_key_id`
`620`		`-\|The id of the OCI KMS key to be used as the master encryption key for Kubernetes secrets encryption.. Required if _use_encryption_ is set to true`
	`619`	`+\|cluster_kms_key_id`
	`620`	`+\|The id of the OCI KMS key to be used as the master encryption key for encrypting Kubernetes' etcd . Required if _use_encryption_ is set to true`
`621`	`621`	\|`ocid1.key.oc1....`
`622`	`622`	`\|`
`623`	`623`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ resource "oci_identity_policy" "oke_kms" {`
`31`	`31`	`description = "policy to allow dynamic group ${var.label_prefix}-oke-kms-cluster to use KMS to encrypt etcd"`
`32`	`32`	`depends_on = [oci_identity_dynamic_group.oke_kms_cluster]`
`33`	`33`	`name = var.label_prefix == "none" ? "oke-kms" : "${var.label_prefix}-oke-kms"`
`34`		`- statements = [local.policy_statement]`
	`34`	`+ statements = [local.cluster_kms_policy_statement]`
`35`	`35`	`count = var.use_encryption == true ? 1 : 0`
`36`	`36`	`}`
`37`	`37`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ output "cluster_id" {`
`5`	`5`	`value = oci_containerengine_cluster.k8s_cluster.id`
`6`	`6`	`}`
`7`	`7`
`8`		`-output "kms_dynamic_group_id" {`
	`8`	`+output "cluster_kms_dynamic_group_id" {`
`9`	`9`	`value = var.use_encryption == true ? oci_identity_dynamic_group.oke_kms_cluster[0].id : "null"`
`10`	`10`	`}`
`11`	`11`