-brightgreen){kind=icon}
Use this module to provision an IBM Cloud Red Hat OpenShift cluster on VPC Gen2. The module either creates the required Cloud Object Storage instance or uses an existing instance. The module also supports optionally passing a key management configuration for secret encryption and boot volume encryption.
Optionally, the module supports advanced security group management for the worker nodes, VPE, and load balancer associated with the cluster. This feature allows you to configure security groups for the cluster's worker nodes, VPE, and load balancer.
❗ Important: You can't update Red Hat OpenShift cluster nodes by using this module. The Terraform logic ignores updates to prevent possible destructive changes.
- Ensure that you have an up-to-date version of the IBM Cloud CLI.
- Ensure that you have an up-to-date version of the IBM Cloud Kubernetes service CLI.
- Ensure that you have an up-to-date version of the IBM Cloud VPC Infrastructure service CLI. Only required if providing additional security groups with the
var.additional_lb_security_group_ids. - Ensure that you have an up-to-date version of the jq
module "ocp_base" {
source = "terraform-ibm-modules/base-ocp-vpc/ibm"
version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
ibmcloud_api_key = "XXXXXXXXXXXXXXXXXXX"
cluster_name = "example-cluster-name"
resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
region = "us-south"
force_delete_storage = true
vpc_id = "79cxxxx-xxxx-xxxx-xxxx-xxxxxXX8667"
# obtain the below values from the targeted VPC and adjust to the number of zones, subnets, subnet name, cidr_block, id, zone
vpc_subnets = {
zone-1 = [
{
cidr_block = "192.168.32.0/22"
id = "0717-afc29fbb-0dbe-493a-a5b9-f3c5899cb8b9"
zone = "us-south-1"
},
{
cidr_block = "192.168.36.0/22"
id = "0727-d65c1eda-9e38-4200-8452-cb8ff5bb3140"
zone = "us-south-2"
},
{
cidr_block = "192.168.40.0/22"
id = "0737-9a823cd3-16bf-4ba4-a429-9e1fc7db74b8"
zone = "us-south-3"
}
]
zone-2 = [
{
cidr_block = "192.168.0.0/22"
id = "0717-846b9490-34ae-4a6c-8288-28112dca1ba3"
zone = "us-south-1"
},
{
cidr_block = "192.168.4.0/22"
id = "0727-ef8db7f6-ffa5-4d8b-a317-4631741a45ee"
zone = "us-south-2"
},
{
cidr_block = "192.168.8.0/22"
id = "0737-c9a6d871-d95b-4914-abf5-82c22f4161d1"
zone = "us-south-3"
}
]
zone-3 = [
{
cidr_block = "192.168.16.0/22"
id = "0717-d46e227c-89d4-4b02-9008-d03907a275b6"
zone = "us-south-1"
},
{
cidr_block = "192.168.20.0/22"
id = "0727-93b1edcb-966c-4517-a7af-6ac63cd93adf"
zone = "us-south-2"
},
{
cidr_block = "192.168.24.0/22"
id = "0737-807ec4f1-4d84-484e-b2f4-62dd5e431065"
zone = "us-south-3"
}
]
}
}The Terraform module provides options to attach additional security groups to the worker nodes, VPE, and load balancer associated with the cluster.
The custom_sg example demonstrates how to use these capabilities.
See the IBM Cloud documentation on this topic here
Tip: The terraform-ibm-security-groups module can be used to create security groups and rules.
- Additional security groups can be specified at cluster creation time. These security groups are attached to all worker nodes of the cluster, including additional worker nodes/pools added after the creation of the cluster. See the variable
custom_security_group_ids. - Additional security groups can be specified for specific worker pools. These security groups only apply to the worker pool. See the field
additional_security_group_idsin the variableworker_pools.
In all cases, note that:
- The default VPC security is no longer attached to the worker nodes.
- You can opt-out of attaching the IBM-managed cluster security group (named kube-) through the flag
attach_ibm_managed_security_group. - It is impossible to change the security groups associated with a cluster after the creation of that cluster.
- The IBM Cloud OCP stack creates VPEs by default. Prior to version 4.14, a VPE to the master is created. From version 4.14, VPEs to the master, container registry, and IBM Cloud kube APIs are created.
- You can attach additional security groups through the
additional_vpe_security_group_idsvariable. - The default IBM-managed security group is attached to those VPEs in all cases.
- The IBM Cloud OCP stack manages the lifecycle of VPC Loadbalancers for your cluster. See the LoadBalancer section in the Understanding options for exposing apps.
- By default, one load balancer is created at cluster creation for the default cluster ingress.
- You can attach additional security groups using the
additional_lb_security_group_idsvariable. This set of security groups is attached to all loadbalancers managed by the cluster. - Important: If additional load balancers are added after creating the cluster, for example, by exposing a Kubernetes service of type LoadBalancer, update the
number_of_lbsvariable and re-run this module to attach the extra security groups to the newly created load balancer. - The default IBM-managed security group is attached to the LBs in all cases.
-
When you run a
terraform plancommand, you might get a message about a new version of Kubernetes, as in the following example:kube_version = "4.12.16_openshift" -> "4.12.20_openshift" Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.
A new version is detected because the Kubernetes master node is updated outside of Terraform, and the Terraform state is out of date with that version.
The Kubernetes version is ignored in the module code, so the infrastructure will not be modified. The message identifies that drift exists in the versions, and after running the
terraform applycommand, the state will be refreshed.
You need the following permissions to run this module.
- Account Management
- All Identity and Access Enabled service
Viewerplatform access
- All Resource Groups service
Viewerplatform access
- All Identity and Access Enabled service
- IAM Services
- Cloud Object Storage service
Editorplatform accessManagerservice access
- Kubernetes service
Administratorplatform accessManagerservice access
- VPC Infrastructure service
Administratorplatform accessManagerservice access
- Cloud Object Storage service
Optionally, you need the following permissions to attach Access Management tags to resources in this module.
- IAM Services
- Tagging service
Administratorplatform access
- Tagging service
- One worker pool should always be named as
default. Refer issue 2849 for further details.
| Name | Version |
|---|---|
| terraform | >= 1.3.0, < 1.7.0 |
| ibm | >= 1.64.0, < 2.0.0 |
| kubernetes | >= 2.16.1, < 3.0.0 |
| null | >= 3.2.1, < 4.0.0 |
| Name | Source | Version |
|---|---|---|
| attach_sg_to_api_vpe | terraform-ibm-modules/security-group/ibm | 2.6.1 |
| attach_sg_to_lb | terraform-ibm-modules/security-group/ibm | 2.6.1 |
| attach_sg_to_master_vpe | terraform-ibm-modules/security-group/ibm | 2.6.1 |
| attach_sg_to_registry_vpe | terraform-ibm-modules/security-group/ibm | 2.6.1 |
| cos_instance | terraform-ibm-modules/cos/ibm | 8.2.13 |
| Name | Type |
|---|---|
| ibm_container_addons.addons | resource |
| ibm_container_vpc_cluster.autoscaling_cluster | resource |
| ibm_container_vpc_cluster.cluster | resource |
| ibm_container_vpc_worker_pool.autoscaling_pool | resource |
| ibm_container_vpc_worker_pool.pool | resource |
| ibm_resource_tag.cluster_access_tag | resource |
| ibm_resource_tag.cos_access_tag | resource |
| kubernetes_config_map_v1_data.set_autoscaling | resource |
| null_resource.config_map_status | resource |
| null_resource.confirm_lb_active | resource |
| null_resource.confirm_network_healthy | resource |
| null_resource.reset_api_key | resource |
| ibm_container_addons.existing_addons | data source |
| ibm_container_cluster_config.cluster_config | data source |
| ibm_container_cluster_versions.cluster_versions | data source |
| ibm_container_vpc_worker_pool.all_pools | data source |
| ibm_is_lbs.all_lbs | data source |
| ibm_is_virtual_endpoint_gateways.all_vpes | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_tags | A list of access tags to apply to the resources created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details | list(string) |
[] |
no |
| additional_lb_security_group_ids | Additional security groups to add to the load balancers associated with the cluster. Ensure that the number_of_lbs is set to the number of LBs associated with the cluster. This comes in addition to the IBM maintained security group. | list(string) |
[] |
no |
| additional_vpe_security_group_ids | Additional security groups to add to all existing load balancers. This comes in addition to the IBM maintained security group. | object({ |
{} |
no |
| addons | Map of OCP cluster add-on versions to install (NOTE: The 'vpc-block-csi-driver' add-on is installed by default for VPC clusters, however you can explicitly specify it here if you wish to choose a later version than the default one). For full list of all supported add-ons and versions, see https://cloud.ibm.com/docs/containers?topic=containers-supported-cluster-addon-versions | object({ |
null |
no |
| attach_ibm_managed_security_group | Specify whether to attach the IBM-defined default security group (whose name is kube-) to all worker nodes. Only applicable if custom_security_group_ids is set. | bool |
true |
no |
| cluster_config_endpoint_type | Specify which type of endpoint to use for for cluster config access: 'default', 'private', 'vpe', 'link'. 'default' value will use the default endpoint of the cluster. | string |
"default" |
no |
| cluster_name | The name that will be assigned to the provisioned cluster | string |
n/a | yes |
| cluster_ready_when | The cluster is ready when one of the following: MasterNodeReady (not recommended), OneWorkerNodeReady, Normal, IngressReady | string |
"IngressReady" |
no |
| cos_name | Name of the COS instance to provision for OpenShift internal registry storage. New instance only provisioned if 'enable_registry_storage' is true and 'use_existing_cos' is false. Default: '<cluster_name>_cos' | string |
null |
no |
| custom_security_group_ids | Security groups to add to all worker nodes. This comes in addition to the IBM maintained security group if attach_ibm_managed_security_group is set to true. If this variable is set, the default VPC security group is NOT assigned to the worker nodes. | list(string) |
null |
no |
| disable_outbound_traffic_protection | Whether to allow public outbound access from the cluster workers. This is only applicable for ocp_version 4.15 |
bool |
false |
no |
| disable_public_endpoint | Whether access to the public service endpoint is disabled when the cluster is created. Does not affect existing clusters. You can't disable a public endpoint on an existing cluster, so you can't convert a public cluster to a private cluster. To change a public endpoint to private, create another cluster with this input set to true. |
bool |
false |
no |
| enable_registry_storage | Set to true to enable IBM Cloud Object Storage for the Red Hat OpenShift internal image registry. Set to false only for new cluster deployments in an account that is allowlisted for this feature. |
bool |
true |
no |
| existing_cos_id | The COS id of an already existing COS instance to use for OpenShift internal registry storage. Only required if 'enable_registry_storage' and 'use_existing_cos' are true | string |
null |
no |
| force_delete_storage | Flag indicating whether or not to delete attached storage when destroying the cluster - Default: false | bool |
false |
no |
| ibmcloud_api_key | APIkey that's associated with the account to use, set via environment variable TF_VAR_ibmcloud_api_key | string |
n/a | yes |
| ignore_worker_pool_size_changes | Enable if using worker autoscaling. Stops Terraform managing worker count | bool |
false |
no |
| kms_config | Use to attach a KMS instance to the cluster. If account_id is not provided, defaults to the account in use. | object({ |
null |
no |
| manage_all_addons | Instructs Terraform to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this module will destroy any addons that were installed by other sources. | bool |
false |
no |
| number_of_lbs | The number of LBs to associated the additional_lb_security_group_names security group with. | number |
1 |
no |
| ocp_entitlement | Value that is applied to the entitlements for OCP cluster provisioning | string |
"cloud_pak" |
no |
| ocp_version | The version of the OpenShift cluster that should be provisioned (format 4.x). If no value is specified, the current default version is used. You can also specify default. This input is used only during initial cluster provisioning and is ignored for updates. To prevent possible destructive changes, update the cluster version outside of Terraform. |
string |
null |
no |
| operating_system | The operating system of the workers in the default worker pool. If no value is specified, the current default version OS will be used. See https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_versions#openshift_versions_available . | string |
null |
no |
| region | The IBM Cloud region where the cluster will be provisioned. | string |
n/a | yes |
| resource_group_id | The Id of an existing IBM Cloud resource group where the cluster will be grouped. | string |
n/a | yes |
| tags | Metadata labels describing this cluster deployment, i.e. test | list(string) |
[] |
no |
| use_existing_cos | Flag indicating whether or not to use an existing COS instance for OpenShift internal registry storage. Only applicable if 'enable_registry_storage' is true | bool |
false |
no |
| verify_worker_network_readiness | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | bool |
true |
no |
| vpc_id | Id of the VPC instance where this cluster will be provisioned | string |
n/a | yes |
| vpc_subnets | Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster will be created | map(list(object({ |
n/a | yes |
| worker_pools | List of worker pools | list(object({ |
n/a | yes |
| worker_pools_taints | Optional, Map of lists containing node taints by node-pool name | map(list(object({ key = string, value = string, effect = string }))) |
null |
no |
| Name | Description |
|---|---|
| api_vpe | Info about the api VPE, if it exists. For more info about schema, see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway |
| cluster_crn | CRN for the created cluster |
| cluster_id | ID of cluster created |
| cluster_name | Name of the created cluster |
| cos_crn | CRN of the COS instance |
| ingress_hostname | The hostname that was assigned to your Ingress subdomain. |
| kms_config | KMS configuration details |
| master_status | The status of the Kubernetes master. |
| master_url | The URL of the Kubernetes master. |
| master_vpe | Info about the master, or default, VPE. For more info about schema, see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway |
| ocp_version | Openshift Version of the cluster |
| operating_system | The operating system of the workers in the default worker pool. |
| private_service_endpoint_url | Private service endpoint URL |
| public_service_endpoint_url | Public service endpoint URL |
| region | Region cluster is deployed in |
| registry_vpe | Info about the registry VPE, if it exists. For more info about schema, see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway |
| resource_group_id | Resource group ID the cluster is deployed in |
| vpc_id | ID of the clusters VPC |
| vpe_url | The virtual private endpoint URL of the Kubernetes cluster. |
| workerpools | Worker pools created |
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent