chore: Add support for IKS (VPC and classic) and ROKS (classic) (#171)

examples/basic/README.md

@@ -3,6 +3,7 @@
 An end-to-end basic example that will provision the following:
 - A new resource group if one is not passed in.
 - A new VPC with single subnet and zone, and public gateway
-- A OCP VPC cluster
+- A cluster in IBM Cloud
+  - It supports IKS and ROKS in both VPC and classic with the variables `is_openshift` and `is_vpc_cluster`
 - A new SCC Workload Portection instance
 - A new SCC Workload Portection agent

examples/basic/main.tf

@@ -15,26 +15,29 @@ module "resource_group" {
 ##############################################################################
 
 resource "ibm_is_vpc" "vpc" {
+  count                     = var.is_vpc_cluster ? 1 : 0
   name                      = "${var.prefix}-vpc"
   resource_group            = module.resource_group.resource_group_id
   address_prefix_management = "auto"
   tags                      = var.resource_tags
 }
 
 resource "ibm_is_public_gateway" "gateway" {
+  count          = var.is_vpc_cluster ? 1 : 0
   name           = "${var.prefix}-gateway-1"
-  vpc            = ibm_is_vpc.vpc.id
+  vpc            = ibm_is_vpc.vpc[0].id
   resource_group = module.resource_group.resource_group_id
   zone           = "${var.region}-1"
 }
 
 resource "ibm_is_subnet" "subnet_zone_1" {
+  count                    = var.is_vpc_cluster ? 1 : 0
   name                     = "${var.prefix}-subnet-1"
-  vpc                      = ibm_is_vpc.vpc.id
+  vpc                      = ibm_is_vpc.vpc[0].id
   resource_group           = module.resource_group.resource_group_id
   zone                     = "${var.region}-1"
   total_ipv4_address_count = 256
-  public_gateway           = ibm_is_public_gateway.gateway.id
+  public_gateway           = ibm_is_public_gateway.gateway[0].id
 }
 
 ##############################################################################
@@ -44,9 +47,9 @@ locals {
   cluster_vpc_subnets = {
     default = [
       {
-        id         = ibm_is_subnet.subnet_zone_1.id
-        cidr_block = ibm_is_subnet.subnet_zone_1.ipv4_cidr_block
-        zone       = ibm_is_subnet.subnet_zone_1.zone
+        id         = var.is_vpc_cluster ? ibm_is_subnet.subnet_zone_1[0].id : null
+        cidr_block = var.is_vpc_cluster ? ibm_is_subnet.subnet_zone_1[0].ipv4_cidr_block : null
+        zone       = var.is_vpc_cluster ? ibm_is_subnet.subnet_zone_1[0].zone : null
       }
     ]
   }
@@ -63,20 +66,89 @@ locals {
   ]
 }
 
+# Create OCP cluster in VPC
 module "ocp_base" {
+  count                = var.is_openshift && var.is_vpc_cluster ? 1 : 0
   source               = "terraform-ibm-modules/base-ocp-vpc/ibm"
   version              = "3.25.0"
   cluster_name         = var.prefix
   ibmcloud_api_key     = var.ibmcloud_api_key
   resource_group_id    = module.resource_group.resource_group_id
   region               = var.region
   force_delete_storage = true
-  vpc_id               = ibm_is_vpc.vpc.id
+  vpc_id               = ibm_is_vpc.vpc[0].id
   vpc_subnets          = local.cluster_vpc_subnets
   worker_pools         = local.worker_pools
   tags                 = var.resource_tags
 }
 
+# Lookup the current default kube version
+data "ibm_container_cluster_versions" "cluster_versions" {}
+locals {
+  default_version = var.is_openshift ? "${data.ibm_container_cluster_versions.cluster_versions.default_openshift_version}_openshift" : data.ibm_container_cluster_versions.cluster_versions.default_kube_version
+}
+
+# Create IKS VPC cluster, only if variable is_openshift is false and is_vpc_cluster is true
+resource "ibm_container_vpc_cluster" "cluster" {
+  count                = var.is_vpc_cluster && !var.is_openshift ? 1 : 0
+  name                 = var.prefix
+  vpc_id               = ibm_is_vpc.vpc[0].id
+  kube_version         = local.default_version
+  flavor               = "bx2.4x16"
+  worker_count         = "2"
+  force_delete_storage = true
+  wait_till            = "Normal"
+  zones {
+    subnet_id = ibm_is_subnet.subnet_zone_1[0].id
+    name      = "${var.region}-1"
+  }
+  resource_group_id = module.resource_group.resource_group_id
+  tags              = var.resource_tags
+
+  timeouts {
+    delete = "2h"
+    create = "3h"
+  }
+}
+
+# Create IKS or ROKS classic cluster, only if is_vpc_cluster is false
+resource "ibm_container_cluster" "cluster" {
+  #checkov:skip=CKV2_IBM_7:Public endpoint is required for testing purposes
+  count                = var.is_vpc_cluster ? 0 : 1
+  name                 = var.prefix
+  datacenter           = var.datacenter
+  default_pool_size    = 2
+  hardware             = "shared"
+  kube_version         = local.default_version
+  entitlement          = var.is_openshift ? "cloud_pak" : null
+  force_delete_storage = true
+  machine_type         = "b3c.4x16"
+  public_vlan_id       = ibm_network_vlan.public_vlan[0].id
+  private_vlan_id      = ibm_network_vlan.private_vlan[0].id
+  wait_till            = "Normal"
+  resource_group_id    = module.resource_group.resource_group_id
+  tags                 = var.resource_tags
+
+  timeouts {
+    delete = "2h"
+    create = "3h"
+  }
+}
+
+# Public network VLAN for classic clusters
+resource "ibm_network_vlan" "public_vlan" {
+  count      = var.is_vpc_cluster ? 0 : 1
+  datacenter = var.datacenter
+  type       = "PUBLIC"
+}
+
+# Private network VLAN for classic clusters
+resource "ibm_network_vlan" "private_vlan" {
+  count      = var.is_vpc_cluster ? 0 : 1
+  datacenter = var.datacenter
+  type       = "PRIVATE"
+}
+
 ##############################################################################
 # SCC Workload Protection Instance
 ##############################################################################
@@ -91,13 +163,20 @@ module "scc_wp" {
 
 }
 
+# Sleep to allow RBAC sync on cluster
+resource "time_sleep" "wait_operators" {
+  depends_on      = [data.ibm_container_cluster_config.cluster_config]
+  create_duration = "5s"
+}
+
 ##############################################################################
 # SCC Workload Protection Agent
 ##############################################################################
 
 module "scc_wp_agent" {
   source       = "../.."
-  cluster_name = module.ocp_base.cluster_name
+  depends_on   = [time_sleep.wait_operators]
+  cluster_name = (!var.is_vpc_cluster ? ibm_container_cluster.cluster[0].name : (var.is_openshift ? module.ocp_base[0].cluster_name : ibm_container_vpc_cluster.cluster[0].name))
   access_key   = module.scc_wp.access_key
   region       = var.region
   name         = "${var.prefix}-scc-wp-agent"

examples/basic/provider.tf

@@ -9,15 +9,16 @@ provider "ibm" {
 
 # Init cluster config for helm and kubernetes providers
 data "ibm_container_cluster_config" "cluster_config" {
-  cluster_name_id   = module.ocp_base.cluster_id
-  resource_group_id = module.ocp_base.resource_group_id
+  cluster_name_id   = (!var.is_vpc_cluster ? ibm_container_cluster.cluster[0].name : (var.is_openshift ? module.ocp_base[0].cluster_name : ibm_container_vpc_cluster.cluster[0].name))
+  resource_group_id = module.resource_group.resource_group_id
 }
 
 # Helm provider used to deploy workload protection agent
 provider "helm" {
   kubernetes {
-    host  = data.ibm_container_cluster_config.cluster_config.host
-    token = data.ibm_container_cluster_config.cluster_config.token
+    host                   = data.ibm_container_cluster_config.cluster_config.host
+    token                  = data.ibm_container_cluster_config.cluster_config.token
+    cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
   }
 }
 

examples/basic/variables.tf

@@ -36,4 +36,22 @@ variable "resource_tags" {
   default     = []
 }
 
+variable "is_openshift" {
+  type        = bool
+  description = "Defines whether this is an OpenShift or Kubernetes cluster"
+  default     = true
+}
+
+variable "is_vpc_cluster" {
+  type        = bool
+  description = "Specify true if the target cluster for the workload protection agents is a VPC cluster, false if it is classic cluster."
+  default     = true
+}
+
+variable "datacenter" {
+  type        = string
+  description = "If creating a classic cluster, the data center where the cluster is created"
+  default     = "syd01"
+}
+
 ##############################################################################

examples/basic/version.tf

@@ -13,5 +13,9 @@ terraform {
       source  = "hashicorp/kubernetes"
       version = ">= 2.16.1"
     }
+    time = {
+      source  = "hashicorp/time"
+      version = ">= 0.9.1"
+    }
   }
 }

tests/pr_test.go

@@ -83,3 +83,41 @@ func TestSecureExampleInSchematic(t *testing.T) {
 	err := options.RunSchematicTest()
 	assert.Nil(t, err, "This should not have errored")
 }
+
+// TestRunBasicAgentsVPCKubernetes validates this module against an IKS VPC cluster
+func TestRunBasicAgentsVPCKubernetes(t *testing.T) {
+	t.Parallel()
+
+	options := setupOptions(t, "scc-wp-a-vpc-k8s", basicExampleDir)
+	options.TerraformVars["is_openshift"] = false
+
+	output, err := options.RunTestConsistency()
+	assert.Nil(t, err, "This should not have errored")
+	assert.NotNil(t, output, "Expected some output")
+}
+
+// TestRunBasicAgentsClassicKubernetes validates this module against an IKS Classic cluster
+func TestRunBasicAgentsClassicKubernetes(t *testing.T) {
+	t.Parallel()
+
+	options := setupOptions(t, "scc-wp-a-cla-k8s", basicExampleDir)
+	options.TerraformVars["is_openshift"] = false
+	options.TerraformVars["is_vpc_cluster"] = false
+
+	output, err := options.RunTestConsistency()
+	assert.Nil(t, err, "This should not have errored")
+	assert.NotNil(t, output, "Expected some output")
+}
+
+// TestRunBasicAgentsClassicOpenShift validates this module against a ROKS Classic cluster
+func TestRunBasicAgentsClassicOpenShift(t *testing.T) {
+	t.Parallel()
+
+	options := setupOptions(t, "scc-wp-a-cla-ocp", basicExampleDir)
+	options.TerraformVars["is_openshift"] = true
+	options.TerraformVars["is_vpc_cluster"] = false
+
+	output, err := options.RunTestConsistency()
+	assert.Nil(t, err, "This should not have errored")
+	assert.NotNil(t, output, "Expected some output")
+}