From b24a532ca104c2d18eb251aa619b18cf43dac240 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 25 Feb 2025 17:36:47 +0100 Subject: [PATCH 01/65] wip --- .github/renovate.json5 | 8 +- .../workflows-config/rosa-hcp/test-matrix.yml | 45 +++ .github/workflows/aws_ec2_golden.yml | 3 +- .github/workflows/aws_ec2_tests.yml | 2 +- .../aws_rosa_hcp_daily_cleanup.yml.tmp | 2 + .github/workflows/aws_rosa_hcp_tests.yml | 282 ++++++++++++++++++ .tool-versions | 8 +- 7 files changed, 343 insertions(+), 7 deletions(-) create mode 100644 .github/workflows-config/rosa-hcp/test-matrix.yml create mode 100644 .github/workflows/aws_rosa_hcp_daily_cleanup.yml.tmp create mode 100644 .github/workflows/aws_rosa_hcp_tests.yml diff --git a/.github/renovate.json5 b/.github/renovate.json5 index a697afad5..8a21fb53a 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -7,5 +7,11 @@ matchPackageNames: ["amazon/cloudwatch-agent"], versioning: "regex:^(?\\d)(\\.(?\\d+))(\\.(?\\db\\d+))$", } - ] + ], + "customDatasources": { + "rosa-camunda": { + "defaultRegistryUrlTemplate": "https://camunda.github.io/camunda-tf-rosa/rosa_versions.txt", + "format": "plain", + }, + }, } diff --git a/.github/workflows-config/rosa-hcp/test-matrix.yml b/.github/workflows-config/rosa-hcp/test-matrix.yml new file mode 100644 index 000000000..1340c4309 --- /dev/null +++ b/.github/workflows-config/rosa-hcp/test-matrix.yml 
@@ -0,0 +1,45 @@
+---
+matrix:
+ distro:
+ # /!\ BEFORE ADDING/REMOVING A VERSION:
+ # /!\ Please keep this matrix synced with the official documentation:
+ # https://github.com/camunda/camunda-docs/blob/main/docs/self-managed/setup/deploy/openshift/redhat-openshift.md?plain=1#L2
+ # According to https://access.redhat.com/support/policy/updates/openshift, this matrix should reference the last 4 (may change) supported versions of OpenShift
+ - name: OpenShift 4.17
+ type: openshift
+ # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=regex:^4(\.(?\d+))?(\.(?\d+))?$
+ version: 4.17.16
+ # /!\ Warning: When a new minor version of OpenShift is released,
+ # you must update all N-1, N-2, and N-3 versions in this matrix.
+ # rationale: Red Hat supports the last four minor versions of OpenShift.
+ # Therefore, to ensure compatibility and support, we must test against these versions.
+ # For more details, refer to the official support policy at https://endoflife.date/red-hat-openshift.
+ platform: rosa
+ # According to https://access.redhat.com/support/policy/updates/openshift,
+ # this matrix should reference the last 4 (may change) supported versions of OpenShift
+
+ - name: OpenShift 4.16
+ type: openshift
+ # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=regex:^4.16(\.(?\d+))?$
+ version: 4.16.8
+ platform: rosa
+
+ - name: OpenShift 4.15
+ type: openshift
+ # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=regex:^4.15(\.(?\d+))?$
+ version: 4.15.21
+ platform: rosa
+
+ - name: OpenShift 4.14
+ type: openshift
+ # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=regex:^4.14(\.(?\d+))?$
+ version: 4.14.33
+ platform: rosa
+
+ scenario:
+ - name: Chart Setup
+ desc: Setup chart in production-like setup with Ingress and TLS.
+ flow: install
+ - name: Chart Upgrade
+ desc: Upgrade chart from the latest released version to the current branch.
+ flow: upgrade diff --git a/.github/workflows/aws_ec2_golden.yml b/.github/workflows/aws_ec2_golden.yml index 919d64a24..1d7b9bea0 100644 --- a/.github/workflows/aws_ec2_golden.yml +++ b/.github/workflows/aws_ec2_golden.yml @@ -1,5 +1,6 @@ --- -name: AWS EC2 Golden Files +name: Tests - Golden - AWS EC2 + on: workflow_dispatch: diff --git a/.github/workflows/aws_ec2_tests.yml b/.github/workflows/aws_ec2_tests.yml index ac84c2bbf..aa45be8bf 100644 --- a/.github/workflows/aws_ec2_tests.yml +++ b/.github/workflows/aws_ec2_tests.yml @@ -1,5 +1,5 @@ --- -name: AWS EC2 Tests +name: Tests - Integration - AWS EC2 on: # Disabling for the time being due to focus shift with 8.7 diff --git a/.github/workflows/aws_rosa_hcp_daily_cleanup.yml.tmp b/.github/workflows/aws_rosa_hcp_daily_cleanup.yml.tmp new file mode 100644 index 000000000..b70d1eb18 --- /dev/null +++ b/.github/workflows/aws_rosa_hcp_daily_cleanup.yml.tmp @@ -0,0 +1,2 @@ +--- +name: Tests - Cleanup - AWS ROSA HCP diff --git a/.github/workflows/aws_rosa_hcp_tests.yml b/.github/workflows/aws_rosa_hcp_tests.yml new file mode 100644 index 000000000..e0f578f9b --- /dev/null +++ b/.github/workflows/aws_rosa_hcp_tests.yml 
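Review bot: The path this matrix is created at, `.github/workflows-config/rosa-hcp/test-matrix.yml`, matches neither the `CI_MATRIX_FILE` value `.github/workflows-config/config/rosa-hcp/test-matrix.yml` nor the `paths:` entry `.github/config/rosa-hcp/test-matrix.yml` in `aws_rosa_hcp_tests.yml` from the same commit. As written, the `yq` calls in the Define Matrix job would presumably not find the file, and edits to the matrix, including Renovate version bumps, would not trigger the integration run on the pull request. All three should name the same path. The comment beginning `# According to https://access.redhat.com/support/policy/updates/openshift` is also repeated after `platform: rosa` of the 4.17 entry, where it reads as belonging to the next item; keeping only the copy above the list would be clearer.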
@@ -0,0 +1,282 @@ +--- +name: Tests - Integration - AWS ROSA HCP + +# description: This workflow perform integration tests against ROSA HCP platform + +on: + schedule: + - cron: 0 3 * * 1,3,5 # Runs at 3 AM on Monday, Wednesday, and Friday + pull_request: + paths: + - .github/config/rosa-hcp/test-matrix.yml + - .github/workflows/aws_rosa_hcp_tests.yml + - .github/workflows/aws_rosa_hcp_golden.yml + - .tool-versions + - aws/rosa-hcp/** + - '!aws/rosa-hcp/test/golden/**' + + workflow_dispatch: + inputs: + cluster_name: + description: Cluster name. + required: false + type: string + delete_clusters: + description: Whether to delete the clusters. + type: boolean + default: true + +# limit to a single execution per actor of this workflow +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + # in case of renovate we don't cancel the previous run, so it can finish it + # otherwise weekly renovate PRs with tf docs updates result in broken clusters + cancel-in-progress: ${{ github.actor == 'renovate[bot]' && false || true }} + +env: + AWS_PROFILE: infex + AWS_REGION: eu-west-2 + S3_BACKEND_BUCKET: tests-ra-aws-rosa-hcp-tf-state-eu-central-1 + S3_BUCKET_REGION: eu-central-1 + + OCP_ADMIN_USERNAME: kube-admin + OCP_NAMESPACE: myns + + # TODO: use branches for that versioning + TESTS_CAMUNDA_HELM_DIR: camunda-platform-alpha + + # TEST VARIABLES + + # Vars with "CI_" prefix are used in the CI workflow only. + CI_MATRIX_FILE: .github/workflows-config/config/rosa-hcp/test-matrix.yml + + # Docker Hub auth to avoid image pull rate limit. + # Vars with "TEST_" prefix are used in the test runner tool (Task). + # TODO: reintegrate this properly + TEST_CREATE_DOCKER_LOGIN_SECRET: 'TRUE' + TEST_DOCKER_USERNAME: ${{ secrets.DISTRO_CI_DOCKER_USERNAME_DOCKERHUB }} + TEST_DOCKER_PASSWORD: ${{ secrets.DISTRO_CI_DOCKER_PASSWORD_DOCKERHUB }} + # Camunda registry auth to access WebModeler Docker image since it's not public. 
+ TEST_DOCKER_USERNAME_CAMUNDA_CLOUD: ${{ secrets.DISTRO_CI_DOCKER_USERNAME_CAMUNDA }} + TEST_DOCKER_PASSWORD_CAMUNDA_CLOUD: ${{ secrets.DISTRO_CI_DOCKER_PASSWORD_CAMUNDA }} + + +jobs: + clusters-info: + name: Define Matrix + runs-on: ubuntu-latest + outputs: + platform-matrix: ${{ steps.matrix.outputs.platform-matrix }} + tests-camunda-helm-dir: ${{ env.TESTS_CAMUNDA_HELM_DIR }} + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + fetch-depth: 0 + + - name: Install asdf tools with cache + uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + + - id: matrix + # we define a global matrix in an external file due to https://github.com/orgs/community/discussions/26284 + run: | + # Generate cluster name. + # shellcheck disable=SC2086 + distro_indexes="$(yq '.matrix.distro | to_entries | .[] | .key' ${CI_MATRIX_FILE})" + + # Loop over clusters. + # Vars are exported to pass them to yq instead of local inline syntax. + # shellcheck disable=SC2086 + for distro_index in ${distro_indexes}; do + cluster_name_input="${{ inputs.cluster_name }}" + cluster_name_fallback="hci-$(uuidgen | head -c 8)" + export cluster_name="${cluster_name_input:-${cluster_name_fallback}}" + export distro_index="${distro_index}" + yq -i '.matrix.distro[env(distro_index)].clusterName = env(cluster_name)' "${CI_MATRIX_FILE}" + done + + # Get updated matrix. 
+ # shellcheck disable=SC2086 + platform_matrix="$(yq '.matrix' --indent=0 --output-format json ${CI_MATRIX_FILE})" + echo "${platform_matrix}" | jq + echo "platform-matrix=${platform_matrix}" > "$GITHUB_OUTPUT" + + prepare-clusters: + name: Prepare clusters + needs: + - clusters-info + strategy: + fail-fast: false + matrix: + distro: ${{ fromJson(needs.clusters-info.outputs.platform-matrix).distro }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + fetch-depth: 0 + + - name: Install asdf tools with cache + uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + + - name: Import Secrets + id: secrets + uses: hashicorp/vault-action@v3 + with: + url: ${{ secrets.VAULT_ADDR }} + method: approle + roleId: ${{ secrets.VAULT_ROLE_ID }} + secretId: ${{ secrets.VAULT_SECRET_ID }} + exportEnv: false + secrets: | + secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY; + secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY; + secret/data/products/infrastructure-experience/ci/common RH_OPENSHIFT_TOKEN; + secret/data/products/infrastructure-experience/ci/common CI_OPENSHIFT_MAIN_PASSWORD; + + - name: Add profile credentials to ~/.aws/credentials + shell: bash + run: | + aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }} + aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }} + aws configure set region ${{ env.AWS_REGION }} --profile ${{ env.AWS_PROFILE }} + + + # TODO: directly use the aws/rosa-hcp/ terraform + # Also remove the versioning + - name: Create ROSA cluster and login + uses: camunda/camunda-tf-rosa/.github/actions/rosa-create-cluster@c94224888fbb8ddc0c737e7054fd66c661c3cd8d # main + # Do not interrupt tests; otherwise, the Terraform state may become inconsistent. 
+ if: always() && success() + with: + rh-token: ${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }} + cluster-name: ${{ matrix.distro.clusterName }} + admin-username: ${{ env.OCP_ADMIN_USERNAME }} + admin-password: ${{ steps.secrets.outputs.CI_OPENSHIFT_MAIN_PASSWORD }} + aws-region: ${{ env.AWS_REGION }} + s3-backend-bucket: ${{ env.S3_BACKEND_BUCKET }} + s3-bucket-region: ${{ env.S3_BUCKET_REGION }} + replicas: 6 + openshift-version: ${{ matrix.distro.version }} + + - name: Export kubeconfig and encrypt it # this is required to pass matrix outputs securely using artifacts + id: export_kube_config + run: | + # shellcheck disable=SC2005 + echo "$(kubectl config view --raw)" > kubeconfig.yaml 2>/dev/null + openssl enc -aes-256-cbc -salt -in kubeconfig.yaml -out encrypted_kubeconfig.enc -pass pass:"${GITHUB_TOKEN}" -pbkdf2 + encrypted_kubeconfig_base64=$(base64 -w 0 encrypted_kubeconfig.enc) + echo "kubeconfig_raw=${encrypted_kubeconfig_base64}" >> "$GITHUB_OUTPUT" + + ## Write for matrix outputs workaround + - uses: cloudposse/github-action-matrix-outputs-write@ed06cf3a6bf23b8dce36d1cf0d63123885bb8375 # v1 + id: out + with: + matrix-step-name: ${{ github.job }} + matrix-key: ${{ matrix.distro.name }} + outputs: |- + kubeconfig_raw: ${{ steps.export_kube_config.outputs.kubeconfig_raw }} + + access-info: + name: Read kube configs from matrix + runs-on: ubuntu-latest + needs: prepare-clusters + outputs: + kubeconfig: ${{ steps.read-workflow.outputs.result }} + steps: + - uses: cloudposse/github-action-matrix-outputs-read@33cac12fa9282a7230a418d859b93fdbc4f27b5a # v1 + id: read-workflow + with: + matrix-step-name: prepare-clusters + + integration-tests: + name: Run integration tests - ${{ matrix.distro.name }} + needs: + - clusters-info + - access-info + strategy: + fail-fast: false + matrix: + distro: ${{ fromJson(needs.clusters-info.outputs.platform-matrix).distro }} + scenario: ${{ fromJson(needs.clusters-info.outputs.platform-matrix).scenario }} + secrets: inherit + + # 
TODO: we must adapt this tests part + uses: camunda/camunda-platform-helm/./.github/workflows/test-integration-template.yaml@e59b3c5869098815f392e6cc9f3928dedcadaaf8 # main + with: + matrix-data: | + { + "distro": [${{ toJson(matrix.distro) }}], + "scenario": [${{ toJson(matrix.scenario) }}] + } + cluster-type: openshift + platforms: rosa + flows: ${{ matrix.scenario.flow }} + identifier: ${{ matrix.distro.clusterName }}-${{ matrix.scenario.flow }} + auth-data: ${{ fromJson(needs.access-info.outputs.kubeconfig).kubeconfig_raw[matrix.distro.name] }} + camunda-helm-dir: ${{ needs.clusters-info.outputs.tests-camunda-helm-dir }} + + cleanup-clusters: + name: Cleanup ROSA clusters + if: always() + runs-on: ubuntu-latest + needs: + - clusters-info + - integration-tests + strategy: + fail-fast: false + matrix: + distro: ${{ fromJson(needs.clusters-info.outputs.platform-matrix).distro }} + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + fetch-depth: 0 + + - name: Install asdf tools with cache + uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + + - name: Import Secrets + id: secrets + uses: hashicorp/vault-action@v3 + with: + url: ${{ secrets.VAULT_ADDR }} + method: approle + roleId: ${{ secrets.VAULT_ROLE_ID }} + secretId: ${{ secrets.VAULT_SECRET_ID }} + exportEnv: false + secrets: | + secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY; + secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY; + secret/data/products/infrastructure-experience/ci/common RH_OPENSHIFT_TOKEN; + secret/data/products/infrastructure-experience/ci/common CI_OPENSHIFT_MAIN_PASSWORD; + + - name: Add profile credentials to ~/.aws/credentials + shell: bash + run: | + aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }} + aws configure set aws_secret_access_key ${{ 
steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }} + aws configure set region ${{ env.AWS_REGION }} --profile ${{ env.AWS_PROFILE }} + + - name: Delete on-demand ROSA HCP Cluster + uses: camunda/camunda-tf-rosa/.github/actions/rosa-delete-cluster@c94224888fbb8ddc0c737e7054fd66c661c3cd8d # main + if: always() && !(github.event_name == 'workflow_dispatch' && github.event.inputs.delete_clusters == 'false') + timeout-minutes: 125 + with: + rh-token: ${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }} + s3-backend-bucket: ${{ env.S3_BACKEND_BUCKET }} + cluster-name: ${{ matrix.distro.clusterName }} + aws-region: ${{ env.AWS_REGION }} + + report: + name: Report failures + if: github.event_name == 'schedule' && failure() + runs-on: ubuntu-latest + needs: + - integration-tests + - cleanup-clusters + steps: + - name: Notify in Slack in case of failure + id: slack-notification + uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + with: + vault_addr: ${{ secrets.VAULT_ADDR }} + vault_role_id: ${{ secrets.VAULT_ROLE_ID }} + vault_secret_id: ${{ secrets.VAULT_SECRET_ID }} diff --git a/.tool-versions b/.tool-versions index a60bb08ed..1ed8f0035 100644 --- a/.tool-versions +++ b/.tool-versions @@ -13,8 +13,6 @@ # check it with # diff <(sed '/^#/d; /^$/d' .tool-versions | sort) <(sed '/^#/d; /^$/d' .tool-versions) && echo ".tool-versions is sorted correctly" || echo ".tool-versions is not sorted correctly" -awscli 2.24.10 - # renovate: datasource=github-tags depName=rhysd/actionlint actionlint 1.7.7 @@ -44,6 +42,8 @@ terraform-docs 0.19.0 tflint 0.55.1 -zbctl 8.5.8 - trivy 0.59.1 + +yq 4.45.1 + +zbctl 8.5.8 From 18e72d6de30a1918a9f51e2a96491da79489dd89 Mon Sep 17 00:00:00 2001 
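Review bot: In the `Export kubeconfig and encrypt it` step the passphrase is `${GITHUB_TOKEN}`, but no `env:` block visible in this workflow maps `secrets.GITHUB_TOKEN` into that step, so unless the preceding composite action exports it, the cluster-admin kubeconfig is encrypted with an empty passphrase before it is written to the job outputs. Even when the variable is set, the token is issued per job, so the consuming workflow would presumably not hold the same value; a dedicated secret mapped through `env:` and read with `-pass env:KUBECONFIG_PASSPHRASE` (placeholder name) would avoid both problems and keep the passphrase off the command line. Both `hashicorp/vault-action@v3` steps are the only third-party actions in this file referenced by a mutable tag rather than a commit SHA, although they receive the Vault AppRole role and secret IDs. In the `matrix` step, `cluster_name_input="${{ inputs.cluster_name }}"` expands the dispatch input into the script text; mapping it with `env: CLUSTER_NAME_INPUT: ${{ inputs.cluster_name }}` and reading `"${CLUSTER_NAME_INPUT}"` keeps it as data. The same applies to the `aws configure set ... ${{ steps.secrets.outputs.AWS_ACCESS_KEY }}` lines in the prepare-clusters and cleanup-clusters jobs.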
From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 25 Feb 2025 17:40:22 +0100 Subject: [PATCH 02/65] fix workflow --- .github/workflows/aws_rosa_hcp_tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aws_rosa_hcp_tests.yml b/.github/workflows/aws_rosa_hcp_tests.yml index e0f578f9b..6d45341b8 100644 --- a/.github/workflows/aws_rosa_hcp_tests.yml +++ b/.github/workflows/aws_rosa_hcp_tests.yml @@ -200,7 +200,7 @@ jobs: secrets: inherit # TODO: we must adapt this tests part - uses: camunda/camunda-platform-helm/./.github/workflows/test-integration-template.yaml@e59b3c5869098815f392e6cc9f3928dedcadaaf8 # main + uses: camunda/camunda-platform-helm/.github/workflows/test-integration-template.yaml@e59b3c5869098815f392e6cc9f3928dedcadaaf8 # main with: matrix-data: | { From b06750709e734f8e50e9203bbbb43c8600823e2a Mon Sep 17 00:00:00 2001 
From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 5 Mar 2025 20:52:42 +0100 Subject: [PATCH 03/65] Squash work --- .camunda-version | 1 + .../README.md | 64 ++ .../action.yml | 67 ++ .../scripts/destroy-clusters.sh | 176 ++++++ .../README.md | 131 ++++ .../action.yml | 272 ++++++++ .github/renovate.json5 | 2 +- .../test_matrix.yml} | 19 +- ...golden.yml => aws_ec2_golden.yml.disabled} | 0 ...2_tests.yml => aws_ec2_tests.yml.disabled} | 16 +- ...t_rosa_hcp_single_region_daily_cleanup.yml | 97 +++ ...penshift_rosa_hcp_single_region_golden.yml | 97 +++ ...openshift_rosa_hcp_single_region_tests.yml | 595 ++++++++++++++++++ .../aws_rosa_hcp_daily_cleanup.yml.tmp | 2 - .github/workflows/aws_rosa_hcp_tests.yml | 282 --------- ...neric_openshift_artifact_rosa_versions.yml | 68 ++ .github/workflows/internal_global_links.yml | 54 ++ .../{lint.yml => internal_global_lint.yml} | 2 +- ...=> internal_global_renovate_automerge.yml} | 2 +- .../workflows/internal_global_sync_main.yml | 57 ++ .pre-commit-config.yaml | 6 +- .tool-versions | 14 +- DEVELOPER.md | 1 + MAINTENANCE.md | 24 + README.md | 76 ++- aws/ec2/.tool-versions | 1 + aws/ec2/scripts/.shellcheckrc | 1 + aws/ec2/scripts/camunda-install.sh | 2 +- aws/ec2/test/src/go.mod | 22 +- aws/ec2/test/src/go.sum | 22 + aws/modules/rosa-hcp/README.md | 124 ++++ aws/modules/rosa-hcp/outputs.tf | 49 ++ .../rosa-hcp/providers.tf} | 11 +- aws/modules/rosa-hcp/rosa.tf | 97 +++ aws/modules/rosa-hcp/vars.tf | 95 +++ .../rosa-hcp-dual-region/.tool-versions | 1 + .../rosa-hcp-dual-region/README.md | 2 +- .../acm/auto-import-cluster-secret.yml.tpl | 0 .../procedure/acm/initiate_cluster_set.sh | 0 .../procedure/acm/install-manifest.yml | 0 .../procedure/acm/klusterlet-config.yml.tpl | 0 .../procedure/acm/managed-cluster-set.yml | 0 .../procedure/acm/managed-cluster.yml.tpl | 0 .../procedure/acm/multi-cluster-hub.yml | 0 .../8.7/export_environment_prerequisites.sh | 0 .../camunda/8.7/export_services_submariner.sh | 0 
.../camunda/8.7/generate_helm_values.sh | 0 .../camunda/8.7/generate_zeebe_helm_values.sh | 0 .../camunda/8.7/helm-values/values-base.yml | 0 .../8.7/helm-values/values-region-1.yml | 0 .../8.7/helm-values/values-region-2.yml | 0 .../procedure/camunda/8.7/install_chart.sh | 0 .../procedure/camunda/8.7/setup_ns_secrets.sh | 0 .../camunda/8.7/verify_exported_services.sh | 0 .../8.7/verify_installation_completed.sh | 0 .../procedure/camunda/8.7/zbctl-output.txt | 0 .../camunda/8.7/zeebe-http-output.txt | 0 .../submariner/debug-utils-submariner.yml | 0 .../submariner/label_nodes_brokers.sh | 0 .../procedure/submariner/output.txt | 0 .../procedure/submariner/submariner.yml.tpl | 0 .../terraform/backup_bucket/README.md | 0 .../terraform/backup_bucket/backup_bucket.tf | 0 .../terraform/backup_bucket/config.tf | 0 .../terraform/clusters/README.md | 0 .../terraform/clusters/cluster_region_1.tf | 0 .../terraform/clusters/cluster_region_2.tf | 0 .../terraform/clusters/config.tf | 0 .../terraform/peering/README.md | 0 .../terraform/peering/config.tf | 0 .../terraform/peering/peering.tf | 0 .../rosa-hcp-single-region/.tool-versions | 1 + .../rosa-hcp-single-region}/README.md | 7 +- .../rosa-hcp-single-region}/cluster.tf | 5 +- .../rosa-hcp-single-region}/config.tf | 0 aws/rosa-hcp/README.md | 4 - .../camunda-versions/8.6/.tool-versions | 1 - aws/rosa-hcp/camunda-versions/8.6/README.md | 26 - .../8.6/procedure/install/.shellcheckrc | 1 - .../camunda-versions/8.7/.tool-versions | 1 - aws/rosa-hcp/camunda-versions/8.7/cluster.tf | 67 -- .../8.7/procedure/install/.shellcheckrc | 1 - .../8.7/procedure/install/chart-env.sh | 3 - .../install/create-identity-secret.sh | 11 - .../procedure/install/generate-passwords.sh | 8 - .../procedure/install/helm-values/base.yml | 29 - .../install/helm-values/connectors-route.yml | 23 - .../install/helm-values/core-route.yml | 77 --- .../procedure/install/helm-values/domain.yml | 61 -- .../install/helm-values/no-domain.yml | 30 - 
.../procedure/install/helm-values/no-scc.yml | 5 - .../8.7/procedure/install/helm-values/scc.yml | 5 - .../8.7/procedure/install/install-chart.sh | 13 - .../kubernetes/single-region/.tool-versions | 1 + .../procedure/check-deployment-ready.sh | 14 + .../procedure/check-zeebe-cluster-topology.sh | 16 + .../tests/helm-values/identity.yml | 78 +++ .../tests/helm-values/registry.yml | 20 + .../openshift/single-region/.tool-versions | 1 + .../single-region}/helm-values/base.yml | 6 + .../helm-values/connectors-route.yml | 0 .../single-region}/helm-values/domain.yml | 0 .../single-region}/helm-values/no-domain.yml | 0 .../single-region}/helm-values/no-scc.yml | 0 .../helm-values/operate-route.yml | 0 .../single-region}/helm-values/scc.yml | 0 .../helm-values/tasklist-route.yml | 0 .../helm-values/zeebe-gateway-route.yml | 33 + .../single-region/procedure/.shellcheckrc | 1 + .../single-region/procedure}/chart-env.sh | 4 +- .../procedure}/create-identity-secret.sh | 4 +- .../procedure/enable-ingress-http2.sh | 3 + .../procedure}/generate-passwords.sh | 2 + .../procedure/get-ingress-http2-status.sh | 8 + .../single-region/procedure}/install-chart.sh | 2 + .../procedure/setup-application-domain.sh | 6 + justfile | 28 +- lychee-links.toml | 19 + 118 files changed, 2467 insertions(+), 710 deletions(-) create mode 100644 .camunda-version create mode 100644 .github/actions/aws-openshift-rosa-hcp-single-region-cleanup/README.md create mode 100644 .github/actions/aws-openshift-rosa-hcp-single-region-cleanup/action.yml create mode 100755 .github/actions/aws-openshift-rosa-hcp-single-region-cleanup/scripts/destroy-clusters.sh create mode 100644 .github/actions/aws-openshift-rosa-hcp-single-region-create/README.md create mode 100644 .github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml rename .github/workflows-config/{rosa-hcp/test-matrix.yml => aws-openshift-rosa-hcp-single-region/test_matrix.yml} (88%) rename .github/workflows/{aws_ec2_golden.yml => 
aws_ec2_golden.yml.disabled} (100%) rename .github/workflows/{aws_ec2_tests.yml => aws_ec2_tests.yml.disabled} (96%) create mode 100644 .github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml create mode 100644 .github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml create mode 100644 .github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml delete mode 100644 .github/workflows/aws_rosa_hcp_daily_cleanup.yml.tmp delete mode 100644 .github/workflows/aws_rosa_hcp_tests.yml create mode 100644 .github/workflows/generic_openshift_artifact_rosa_versions.yml create mode 100644 .github/workflows/internal_global_links.yml rename .github/workflows/{lint.yml => internal_global_lint.yml} (89%) rename .github/workflows/{renovate-automerge.yml => internal_global_renovate_automerge.yml} (88%) create mode 100644 .github/workflows/internal_global_sync_main.yml create mode 100644 DEVELOPER.md create mode 100644 MAINTENANCE.md create mode 100644 aws/ec2/.tool-versions create mode 100644 aws/ec2/scripts/.shellcheckrc create mode 100644 aws/modules/rosa-hcp/README.md create mode 100644 aws/modules/rosa-hcp/outputs.tf rename aws/{rosa-hcp/camunda-versions/8.7/config.tf => modules/rosa-hcp/providers.tf} (52%) create mode 100644 aws/modules/rosa-hcp/rosa.tf create mode 100644 aws/modules/rosa-hcp/vars.tf create mode 100644 aws/openshift/rosa-hcp-dual-region/.tool-versions rename aws/{ => openshift}/rosa-hcp-dual-region/README.md (64%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/acm/auto-import-cluster-secret.yml.tpl (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/acm/initiate_cluster_set.sh (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/acm/install-manifest.yml (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/acm/klusterlet-config.yml.tpl (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/acm/managed-cluster-set.yml (100%) rename aws/{ => 
openshift}/rosa-hcp-dual-region/procedure/acm/managed-cluster.yml.tpl (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/acm/multi-cluster-hub.yml (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/camunda/8.7/export_environment_prerequisites.sh (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/camunda/8.7/export_services_submariner.sh (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/camunda/8.7/generate_helm_values.sh (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/camunda/8.7/generate_zeebe_helm_values.sh (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-base.yml (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-region-1.yml (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-region-2.yml (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/camunda/8.7/install_chart.sh (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/camunda/8.7/setup_ns_secrets.sh (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/camunda/8.7/verify_exported_services.sh (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/camunda/8.7/verify_installation_completed.sh (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/camunda/8.7/zbctl-output.txt (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/camunda/8.7/zeebe-http-output.txt (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/submariner/debug-utils-submariner.yml (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/submariner/label_nodes_brokers.sh (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/submariner/output.txt (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/procedure/submariner/submariner.yml.tpl (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/terraform/backup_bucket/README.md (100%) rename 
aws/{ => openshift}/rosa-hcp-dual-region/terraform/backup_bucket/backup_bucket.tf (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/terraform/backup_bucket/config.tf (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/terraform/clusters/README.md (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/terraform/clusters/cluster_region_1.tf (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/terraform/clusters/cluster_region_2.tf (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/terraform/clusters/config.tf (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/terraform/peering/README.md (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/terraform/peering/config.tf (100%) rename aws/{ => openshift}/rosa-hcp-dual-region/terraform/peering/peering.tf (100%) create mode 100644 aws/openshift/rosa-hcp-single-region/.tool-versions rename aws/{rosa-hcp/camunda-versions/8.7 => openshift/rosa-hcp-single-region}/README.md (86%) rename aws/{rosa-hcp/camunda-versions/8.6 => openshift/rosa-hcp-single-region}/cluster.tf (94%) rename aws/{rosa-hcp/camunda-versions/8.6 => openshift/rosa-hcp-single-region}/config.tf (100%) delete mode 100644 aws/rosa-hcp/README.md delete mode 100644 aws/rosa-hcp/camunda-versions/8.6/.tool-versions delete mode 100644 aws/rosa-hcp/camunda-versions/8.6/README.md delete mode 100644 aws/rosa-hcp/camunda-versions/8.6/procedure/install/.shellcheckrc delete mode 100644 aws/rosa-hcp/camunda-versions/8.7/.tool-versions delete mode 100644 aws/rosa-hcp/camunda-versions/8.7/cluster.tf delete mode 100644 aws/rosa-hcp/camunda-versions/8.7/procedure/install/.shellcheckrc delete mode 100644 aws/rosa-hcp/camunda-versions/8.7/procedure/install/chart-env.sh delete mode 100644 aws/rosa-hcp/camunda-versions/8.7/procedure/install/create-identity-secret.sh delete mode 100644 aws/rosa-hcp/camunda-versions/8.7/procedure/install/generate-passwords.sh delete mode 100644 aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/base.yml delete mode 
100644 aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/connectors-route.yml delete mode 100644 aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/core-route.yml delete mode 100644 aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/domain.yml delete mode 100644 aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/no-domain.yml delete mode 100644 aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/no-scc.yml delete mode 100644 aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/scc.yml delete mode 100644 aws/rosa-hcp/camunda-versions/8.7/procedure/install/install-chart.sh create mode 100644 generic/kubernetes/single-region/.tool-versions create mode 100755 generic/kubernetes/single-region/procedure/check-deployment-ready.sh create mode 100755 generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology.sh create mode 100644 generic/kubernetes/single-region/tests/helm-values/identity.yml create mode 100644 generic/kubernetes/single-region/tests/helm-values/registry.yml create mode 100644 generic/openshift/single-region/.tool-versions rename {aws/rosa-hcp/camunda-versions/8.6/procedure/install => generic/openshift/single-region}/helm-values/base.yml (70%) rename {aws/rosa-hcp/camunda-versions/8.6/procedure/install => generic/openshift/single-region}/helm-values/connectors-route.yml (100%) rename {aws/rosa-hcp/camunda-versions/8.6/procedure/install => generic/openshift/single-region}/helm-values/domain.yml (100%) rename {aws/rosa-hcp/camunda-versions/8.6/procedure/install => generic/openshift/single-region}/helm-values/no-domain.yml (100%) rename {aws/rosa-hcp/camunda-versions/8.6/procedure/install => generic/openshift/single-region}/helm-values/no-scc.yml (100%) rename {aws/rosa-hcp/camunda-versions/8.6/procedure/install => generic/openshift/single-region}/helm-values/operate-route.yml (100%) rename {aws/rosa-hcp/camunda-versions/8.6/procedure/install => 
generic/openshift/single-region}/helm-values/scc.yml (100%) rename {aws/rosa-hcp/camunda-versions/8.6/procedure/install => generic/openshift/single-region}/helm-values/tasklist-route.yml (100%) rename {aws/rosa-hcp/camunda-versions/8.6/procedure/install => generic/openshift/single-region}/helm-values/zeebe-gateway-route.yml (67%) create mode 100644 generic/openshift/single-region/procedure/.shellcheckrc rename {aws/rosa-hcp/camunda-versions/8.6/procedure/install => generic/openshift/single-region/procedure}/chart-env.sh (76%) mode change 100644 => 100755 rename {aws/rosa-hcp/camunda-versions/8.6/procedure/install => generic/openshift/single-region/procedure}/create-identity-secret.sh (85%) mode change 100644 => 100755 create mode 100755 generic/openshift/single-region/procedure/enable-ingress-http2.sh rename {aws/rosa-hcp/camunda-versions/8.6/procedure/install => generic/openshift/single-region/procedure}/generate-passwords.sh (96%) mode change 100644 => 100755 create mode 100755 generic/openshift/single-region/procedure/get-ingress-http2-status.sh rename {aws/rosa-hcp/camunda-versions/8.6/procedure/install => generic/openshift/single-region/procedure}/install-chart.sh (93%) mode change 100644 => 100755 create mode 100755 generic/openshift/single-region/procedure/setup-application-domain.sh create mode 100644 lychee-links.toml diff --git a/.camunda-version b/.camunda-version new file mode 100644 index 000000000..48c26da3e --- /dev/null +++ b/.camunda-version @@ -0,0 +1 @@ +8.6 diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/README.md b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/README.md new file mode 100644 index 000000000..faf7058d6 --- /dev/null +++ b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/README.md 
@@ -0,0 +1,64 @@ +# Delete AWS ROSA HCP Single Region Clusters + +## Description + +This GitHub Action automates the deletion of aws/openshift/rosa-hcp-single-region reference architecture clusters using a shell script. + + +## Inputs + +| name | description | required | default | +| --- | --- | --- | --- | +| `tf-bucket` |

Bucket containing the clusters states

| `true` | `""` | +| `tf-bucket-region` |

Region of the bucket containing the resources states, if not set, will fallback on AWS_REGION

| `false` | `""` | +| `max-age-hours-cluster` |

Maximum age of clusters in hours

| `false` | `20` | +| `target` |

Specify an ID to destroy specific resources or "all" to destroy all resources

| `false` | `all` | +| `rosa-cli-version` |

Version of the ROSA CLI to use

| `false` | `latest` | +| `openshift-version` |

Version of the OpenShift to install

| `true` | `4.17.16` | + + +## Runs + +This action is a `composite` action. + +## Usage + +```yaml +- uses: camunda/camunda-deployment-references/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup@main + with: + tf-bucket: + # Bucket containing the clusters states + # + # Required: true + # Default: "" + + tf-bucket-region: + # Region of the bucket containing the resources states, if not set, will fallback on AWS_REGION + # + # Required: false + # Default: "" + + max-age-hours-cluster: + # Maximum age of clusters in hours + # + # Required: false + # Default: 20 + + target: + # Specify an ID to destroy specific resources or "all" to destroy all resources + # + # Required: false + # Default: all + + rosa-cli-version: + # Version of the ROSA CLI to use + # + # Required: false + # Default: latest + + openshift-version: + # Version of the OpenShift to install + # + # Required: true + # Default: 4.17.16 +``` diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/action.yml b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/action.yml new file mode 100644 index 000000000..9c2248fb9 --- /dev/null +++ b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/action.yml 
@@ -0,0 +1,67 @@
+---
+name: Delete AWS ROSA HCP Single Region Clusters
+
+description: |
+ This GitHub Action automates the deletion of aws/openshift/rosa-hcp-single-region reference architecture clusters using a shell script.
+
+inputs:
+ tf-bucket:
+ description: Bucket containing the clusters states
+ required: true
+
+ tf-bucket-region:
+ description: Region of the bucket containing the resources states, if not set, will fallback on AWS_REGION
+
+ max-age-hours-cluster:
+ description: Maximum age of clusters in hours
+ default: '20'
+
+ target:
+ description: Specify an ID to destroy specific resources or "all" to destroy all resources
+ default: all
+
+ rosa-cli-version:
+ description: Version of the ROSA CLI to use
+ default: latest
+
+ openshift-version:
+ description: Version of the OpenShift to install
+ required: true
+ # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=semver
+ default: 4.17.16
+
+runs:
+ using: composite
+ steps:
+
+ - name: Install asdf tools with cache
+ uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19
+
+ - name: Install ROSA CLI
+ shell: bash
+ run: |
+ curl -LO "https://mirror.openshift.com/pub/openshift-v4/clients/rosa/${{ inputs.rosa-cli-version }}/rosa-linux.tar.gz"
+ tar -xvf rosa-linux.tar.gz
+ sudo mv rosa /usr/local/bin/rosa
+ chmod +x /usr/local/bin/rosa
+ rm -f rosa-linux.tar.gz
+ rosa version
+
+ - name: Install CLI tools from OpenShift Mirror
+ uses: redhat-actions/openshift-tools-installer@144527c7d98999f2652264c048c7a9bd103f8a82 # v1
+ with:
+ oc: ${{ inputs.openshift-version }}
+
+ - name: Delete clusters
+ id: delete_clusters
+ shell: bash
+ run: |
+ if [ -n "${{ inputs.tf-bucket-region }}" ]; then
+ export AWS_S3_REGION="${{ inputs.tf-bucket-region }}"
+ fi
+
+ # Use repo .tool-version as global version
+ cp .tool-versions ~/.tool-versions
+
+ ${{ github.action_path }}/scripts/destroy-clusters.sh "${{ inputs.tf-bucket }}" \
+ ${{ github.action_path }}/../../../aws/openshift/rosa-hcp-single-region/ /tmp/cleanup/ ${{ inputs.max-age-hours-cluster }} ${{ inputs.target }}
diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/scripts/destroy-clusters.sh b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/scripts/destroy-clusters.sh
new file mode 100755
index 000000000..a215ca066
--- /dev/null
+++ b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/scripts/destroy-clusters.sh
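Review bot: The `Delete clusters` step pastes `${{ inputs.* }}` expressions straight into the `run:` script text, so an input containing a quote, a space or `$(` becomes part of the shell command instead of being passed as data, and `max-age-hours-cluster` and `target` are not even quoted. The inputs should be passed through the step's `env:` and referenced as quoted shell variables, as sketched below. `Install ROSA CLI` has the same pattern with `rosa-cli-version`, and with the default `latest` it installs whatever tarball the mirror serves at run time without verifying a checksum. The run steps of the create action later in this patch interpolate inputs the same way.

```yaml
    - name: Delete clusters
      id: delete_clusters
      shell: bash
      env:
        TF_BUCKET: ${{ inputs.tf-bucket }}
        TF_BUCKET_REGION: ${{ inputs.tf-bucket-region }}
        MAX_AGE_HOURS: ${{ inputs.max-age-hours-cluster }}
        TARGET: ${{ inputs.target }}
      run: |
        if [ -n "$TF_BUCKET_REGION" ]; then
          export AWS_S3_REGION="$TF_BUCKET_REGION"
        fi
        # … unchanged: copy .tool-versions to ~/.tool-versions …
        "$GITHUB_ACTION_PATH/scripts/destroy-clusters.sh" "$TF_BUCKET" \
          "$GITHUB_ACTION_PATH/../../../aws/openshift/rosa-hcp-single-region/" /tmp/cleanup/ "$MAX_AGE_HOURS" "$TARGET"
```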
@@ -0,0 +1,176 @@
+#!/bin/bash
+
+set -o pipefail
+
+# Description:
+# This script performs a Terraform destroy operation for clusters defined in an S3 bucket.
+# It copies the Terraform module directory to a temporary location, initializes Terraform with
+# the appropriate backend configuration, and runs `terraform destroy`. If the destroy operation
+# is successful, it removes the corresponding S3 objects.
+#
+# Usage:
+# ./destroy_clusters.sh
+#
+# Arguments:
+# BUCKET: The name of the S3 bucket containing the cluster state files.
+# MODULES_DIR: The directory containing the Terraform modules.
+# TEMP_DIR_PREFIX: The prefix for the temporary directories created for each cluster.
+# MIN_AGE_IN_HOURS: The minimum age (in hours) of clusters to be destroyed.
+# ID_OR_ALL: The specific ID suffix to filter objects, or "all" to destroy all objects.
+#
+# Example:
+# ./destroy_clusters.sh tf-state-rosa-ci-eu-west-3 ./modules/rosa-hcp/ /tmp/rosa/ 24 all
+# ./destroy_clusters.sh tf-state-rosa-ci-eu-west-3 ./modules/rosa-hcp/ /tmp/rosa/ 24 rosa-cluster-2883
+#
+# Requirements:
+# - AWS CLI installed and configured with the necessary permissions to access and modify the S3 bucket.
+# - Terraform installed and accessible in the PATH.
+
+# Check for required arguments
+if [ "$#" -ne 5 ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+# Check if required environment variables are set
+if [ -z "$RHCS_TOKEN" ]; then
+ echo "Error: The environment variable RHCS_TOKEN is not set."
+ exit 1
+fi
+
+if [ -z "$AWS_REGION" ]; then
+ echo "Error: The environment variable AWS_REGION is not set."
+ exit 1
+fi
+
+# Variables
+BUCKET=$1
+MODULES_DIR=$2
+TEMP_DIR_PREFIX=$3
+MIN_AGE_IN_HOURS=$4
+ID_OR_ALL=$5
+FAILED=0
+CURRENT_DIR=$(pwd)
+AWS_S3_REGION=${AWS_S3_REGION:-$AWS_REGION}
+
+
+# Detect operating system and set the appropriate date command
+if [[ "$(uname)" == "Darwin" ]]; then
+ date_command="gdate"
+else
+ date_command="date"
+fi
+
+# Function to perform terraform destroy
+destroy_cluster() {
+ local cluster_id=$1
+ local cluster_folder=$2
+ # we must add two levels to replicate the "source = ../../modules" relative path presented in the module
+ local temp_dir="${TEMP_DIR_PREFIX}${cluster_id}/1/2"
+ local temp_generic_modules_dir="${TEMP_DIR_PREFIX}${cluster_id}/modules/"
+ local source_generic_modules="$MODULES_DIR/../../modules/"
+
+ echo "Copying generic modules $source_generic_modules in $temp_generic_modules_dir"
+
+ mkdir -p "$temp_generic_modules_dir" || return 1
+ cp -a "$source_generic_modules." "$temp_generic_modules_dir" || return 1
+
+ tree "$source_generic_modules" "$temp_generic_modules_dir" || return 1
+
+ echo "Copying $MODULES_DIR in $temp_dir"
+
+ mkdir -p "$temp_dir" || return 1
+ cp -a "$MODULES_DIR." "$temp_dir" || return 1
+
+ tree "$MODULES_DIR" "$temp_dir" || return 1
+
+ cd "$temp_dir" || return 1
+
+ tree "." || return 1
+
+ echo "tf state: bucket=$BUCKET key=${cluster_folder}/${cluster_id}.tfstate region=$AWS_S3_REGION"
+
+ if ! terraform init -backend-config="bucket=$BUCKET" -backend-config="key=${cluster_folder}/${cluster_id}.tfstate" -backend-config="region=$AWS_S3_REGION"; then return 1; fi
+
+ # Edit the name of the cluster
+ sed -i -e "s/\(rosa_cluster_name\s*=\s*\"\)[^\"]*\(\"\)/\1${cluster_id}\2/" cluster.tf
+
+ if ! terraform destroy -auto-approve; then return 1; fi
+
+ # Cleanup S3
+ echo "Deleting s3://$BUCKET/$cluster_folder"
+ if ! aws s3 rm "s3://$BUCKET/$cluster_folder" --recursive; then return 1; fi
+ if ! aws s3api delete-object --bucket "$BUCKET" --key "$cluster_folder/"; then return 1; fi
+
+ cd - || return 1
+ rm -rf "$temp_dir" || return 1
+}
+
+# List objects in the S3 bucket and parse the cluster IDs
+all_objects=$(aws s3 ls "s3://$BUCKET/")
+aws_exit_code=$?
+
+if [ $aws_exit_code -ne 0 ]; then
+ echo "Error executing the aws s3 ls command (Exit Code: $aws_exit_code):" >&2
+ exit 1
+fi
+
+if [ "$ID_OR_ALL" == "all" ]; then
+ clusters=$(echo "$all_objects" | awk '{print $2}' | sed -n 's#^tfstate-\(.*\)/$#\1#p')
+else
+ clusters=$(echo "$all_objects" | awk '{print $2}' | grep "tfstate-$ID_OR_ALL/" | sed -n 's#^tfstate-\(.*\)/$#\1#p')
+fi
+
+if [ -z "$clusters" ]; then
+ echo "No objects found in the S3 bucket. Exiting script." >&2
+ exit 0
+fi
+
+current_timestamp=$($date_command +%s)
+
+for cluster_id in $clusters; do
+ cd "$CURRENT_DIR" || return 1
+
+
+ cluster_folder="tfstate-$cluster_id"
+ echo "Checking cluster $cluster_id in $cluster_folder"
+
+ last_modified=$(aws s3api head-object --bucket "$BUCKET" --key "$cluster_folder/${cluster_id}.tfstate" --output json | grep LastModified | awk -F '"' '{print $4}')
+ if [ -z "$last_modified" ]; then
+ echo "Error: Failed to retrieve last modified timestamp for cluster $cluster_id"
+ exit 1
+ fi
+
+ last_modified_timestamp=$($date_command -d "$last_modified" +%s)
+ if [ -z "$last_modified_timestamp" ]; then
+ echo "Error: Failed to convert last modified timestamp to seconds since epoch for cluster $cluster_id"
+ exit 1
+ fi
+ echo "Cluster $cluster_id last modification: $last_modified ($last_modified_timestamp)"
+
+ file_age_hours=$(( (current_timestamp - last_modified_timestamp) / 3600 ))
+ if [ -z "$file_age_hours" ]; then
+ echo "Error: Failed to calculate file age in hours for cluster $cluster_id"
+ exit 1
+ fi
+ echo "Cluster $cluster_id is $file_age_hours hours old"
+
+ if [ $file_age_hours -ge "$MIN_AGE_IN_HOURS" ]; then
+ echo "Destroying cluster $cluster_id in $cluster_folder"
+
+ if ! destroy_cluster "$cluster_id" "$cluster_folder"; then
+ echo "Error destroying cluster $cluster_id"
+ FAILED=1
+ fi
+ else
+ echo "Skipping cluster $cluster_id as it does not meet the minimum age requirement of $MIN_AGE_IN_HOURS hours"
+ fi
+done
+
+# Exit with the appropriate status
+if [ $FAILED -ne 0 ]; then
+ echo "One or more operations failed."
+ exit 1
+else
+ echo "All operations completed successfully."
+ exit 0
+fi
diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-create/README.md b/.github/actions/aws-openshift-rosa-hcp-single-region-create/README.md
new file mode 100644
index 000000000..2aaf9f441
--- /dev/null
+++ b/.github/actions/aws-openshift-rosa-hcp-single-region-create/README.md
@@ -0,0 +1,131 @@
+# Deploy AWS ROSA HCP Single Region Cluster
+
+## Description
+
+This GitHub Action automates the deployment of the aws/openshift/rosa-hcp-single-region reference architecture cluster using Terraform.
+This action will also install oc, awscli, rosa cli.
+The kube context will be set on the created cluster.
+
+
+## Inputs
+
+| name | description | required | default |
+| --- | --- | --- | --- |
+| `rh-token` |
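Review bot: When a single ID is requested, `grep "tfstate-$ID_OR_ALL/"` is an unanchored regex match, so `rosa-cluster-28` also selects `tfstate-rosa-cluster-2883/` and a `.` in the ID matches any character. For a script that goes on to run `terraform destroy -auto-approve`, the selection should be exact: `grep -Fx "tfstate-$ID_OR_ALL/"`. In the `for` loop, `cd "$CURRENT_DIR" || return 1` uses `return` outside a function, which bash rejects with an error and then carries on, so a failed `cd` does not stop the iteration; `|| exit 1` is what was meant. `destroy_cluster` removes `$temp_dir` only on the success path, so a failed destroy leaves the copied module tree behind.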

Red Hat Hybrid Cloud Console Token

| `true` | `""` | +| `cluster-name` |

Name of the ROSA cluster to deploy

| `true` | `""` | +| `admin-password` |

Admin password for the ROSA cluster

| `true` | `""` | +| `admin-username` |

Admin username for the ROSA cluster

| `true` | `kube-admin` | +| `aws-region` |

AWS region where the ROSA cluster will be deployed

| `true` | `""` | +| `availability-zones` |

Comma separated list of availability zones (letters only, e.g., a,b,c)

| `true` | `a,b,c` | +| `rosa-cli-version` |

Version of the ROSA CLI to use

| `true` | `latest` | +| `openshift-version` |

Version of the OpenShift to install

| `true` | `4.17.16` | +| `replicas` |

Number of replicas for the ROSA cluster (empty will fallback on default value of the module)

| `false` | `""` | +| `s3-backend-bucket` |

Name of the S3 bucket to store Terraform state

| `true` | `""` | +| `s3-bucket-region` |

Region of the bucket containing the resources states, if not set, will fallback on aws-region

| `false` | `""` | +| `tf-modules-revision` |

Git revision of the tf modules to use

| `true` | `main` | +| `tf-modules-path` |

Path where the tf rosa modules will be cloned

| `true` | `./.action-tf-modules/aws-openshift-rosa-hcp-single-region-create/` | +| `login` |

Authenticate the current kube context on the created cluster

| `true` | `true` | + + +## Outputs + +| name | description | +| --- | --- | +| `openshift-server-api` |

The server API URL of the deployed ROSA cluster

| +| `openshift-cluster-id` |

The ID of the deployed ROSA cluster

| +| `terraform-state-url` |

URL of the Terraform state file in the S3 bucket

| + + +## Runs + +This action is a `composite` action. + +## Usage + +```yaml +- uses: camunda/camunda-deployment-references/.github/actions/aws-openshift-rosa-hcp-single-region-create@main + with: + rh-token: + # Red Hat Hybrid Cloud Console Token + # + # Required: true + # Default: "" + + cluster-name: + # Name of the ROSA cluster to deploy + # + # Required: true + # Default: "" + + admin-password: + # Admin password for the ROSA cluster + # + # Required: true + # Default: "" + + admin-username: + # Admin username for the ROSA cluster + # + # Required: true + # Default: kube-admin + + aws-region: + # AWS region where the ROSA cluster will be deployed + # + # Required: true + # Default: "" + + availability-zones: + # Comma separated list of availability zones (letters only, e.g., a,b,c) + # + # Required: true + # Default: a,b,c + + rosa-cli-version: + # Version of the ROSA CLI to use + # + # Required: true + # Default: latest + + openshift-version: + # Version of the OpenShift to install + # + # Required: true + # Default: 4.17.16 + + replicas: + # Number of replicas for the ROSA cluster (empty will fallback on default value of the module) + # + # Required: false + # Default: "" + + s3-backend-bucket: + # Name of the S3 bucket to store Terraform state + # + # Required: true + # Default: "" + + s3-bucket-region: + # Region of the bucket containing the resources states, if not set, will fallback on aws-region + # + # Required: false + # Default: "" + + tf-modules-revision: + # Git revision of the tf modules to use + # + # Required: true + # Default: main + + tf-modules-path: + # Path where the tf rosa modules will be cloned + # + # Required: true + # Default: ./.action-tf-modules/aws-openshift-rosa-hcp-single-region-create/ + + login: + # Authenticate the current kube context on the created cluster + # + # Required: true + # Default: true +``` 
diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml b/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml
new file mode 100644
index 000000000..3b18446d3
--- /dev/null
+++ b/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml
@@ -0,0 +1,272 @@
+---
+name: Deploy AWS ROSA HCP Single Region Cluster
+
+description: |
+ This GitHub Action automates the deployment of the aws/openshift/rosa-hcp-single-region reference architecture cluster using Terraform.
+ This action will also install oc, awscli, rosa cli.
+ The kube context will be set on the created cluster.
+
+inputs:
+ rh-token:
+ description: Red Hat Hybrid Cloud Console Token
+ required: true
+ cluster-name:
+ description: Name of the ROSA cluster to deploy
+ required: true
+ admin-password:
+ description: Admin password for the ROSA cluster
+ required: true
+ admin-username:
+ description: Admin username for the ROSA cluster
+ default: kube-admin
+ required: true
+ aws-region:
+ description: AWS region where the ROSA cluster will be deployed
+ required: true
+ availability-zones:
+ description: Comma separated list of availability zones (letters only, e.g., a,b,c)
+ required: true
+ default: a,b,c
+ rosa-cli-version:
+ description: Version of the ROSA CLI to use
+ required: true
+ default: latest
+ openshift-version:
+ description: Version of the OpenShift to install
+ required: true
+ # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=semver
+ default: 4.17.16
+ replicas:
+ description: Number of replicas for the ROSA cluster (empty will fallback on default value of the module)
+ default: ''
+ s3-backend-bucket:
+ description: Name of the S3 bucket to store Terraform state
+ required: true
+ s3-bucket-region:
+ description: Region of the bucket containing the resources states, if not set, will fallback on aws-region
+ tf-modules-revision:
+ description: Git revision of the tf modules to use
+ default: main
+ required: true
+ tf-modules-path:
+ description: Path where the tf rosa modules will be cloned
+ default: ./.action-tf-modules/aws-openshift-rosa-hcp-single-region-create/
+ required: true
+ login:
+ description: Authenticate the current kube context on the created cluster
+ default: 'true'
+ required: true
+
+outputs:
+ openshift-server-api:
+ description: The server API URL of the deployed ROSA cluster
+ value: ${{ steps.cluster_info.outputs.cluster_api }}
+
+ openshift-cluster-id:
+ description: The ID of the deployed ROSA cluster
+ value: ${{ steps.apply.outputs.cluster_id }}
+
+ terraform-state-url:
+ description: URL of the Terraform state file in the S3 bucket
+ value: ${{ steps.set-terraform-variables.outputs.terraform-state-url }}
+
+runs:
+ using: composite
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ repository: camunda/camunda-deployment-references
+ ref: ${{ inputs.tf-modules-revision }}
+ path: ${{ inputs.tf-modules-path }}
+ fetch-depth: 0
+
+ - name: Install asdf tools with cache for the project
+ uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@feature/working-directory # 1.2.19
+ with:
+ tool_versions_files: .tool-versions,${{ inputs.tf-modules-path }}/aws/openshift/rosa-hcp-single-region/.tool-versions
+
+ # TODO: when available on asdf, migrate this to it
+ - name: Install ROSA CLI
+ shell: bash
+ run: |
+ curl -LO "https://mirror.openshift.com/pub/openshift-v4/clients/rosa/${{ inputs.rosa-cli-version }}/rosa-linux.tar.gz"
+ tar -xvf rosa-linux.tar.gz
+ sudo mv rosa /usr/local/bin/rosa
+ chmod +x /usr/local/bin/rosa
+ rm -f rosa-linux.tar.gz
+ rosa version
+
+ - name: Install CLI tools from OpenShift Mirror
+ uses: redhat-actions/openshift-tools-installer@144527c7d98999f2652264c048c7a9bd103f8a82 # v1
+ with:
+ oc: ${{ inputs.openshift-version }}
+
+ - name: Set AWS Region and associated AZs
+ id: construct_azs
+ shell: bash
+ run: |
+ echo "AWS_REGION=${{ inputs.aws-region }}" | tee -a "$GITHUB_ENV"
+
+ IFS=',' read -r -a az_letters <<< "${{ inputs.availability-zones }}"
+ FULL_AZS=()
+ for az in "${az_letters[@]}"; do
+ FULL_AZS+=("\"${AWS_REGION}${az}\"") # Add double quotes around each AZ
+ done
+
+ # Join the AZs with commas
+ FULL_AZS_STRING=$(IFS=,; echo "${FULL_AZS[*]}")
+ echo "FULL_AZS=$FULL_AZS_STRING" | tee -a "$GITHUB_ENV"
+
+
+ - name: Login to Red Hat Hybrid Cloud Console
+ shell: bash
+ run: |
+ rosa login --token="${{ inputs.rh-token }}"
+ rosa whoami
+
+ - name: Verify and enable HCP ROSA on AWS Marketplace
+ shell: bash
+ run: |
+ rosa verify quota
+ rosa verify permissions
+ rosa create account-roles --mode auto
+
+ - name: Set Terraform variables
+ id: set-terraform-variables
+ shell: bash
+ run: |
+ export TFSTATE_BUCKET="${{ inputs.s3-backend-bucket }}"
+ export TFSTATE_KEY="tfstate-${{ inputs.cluster-name }}/${{ inputs.cluster-name }}.tfstate"
+
+ if [ -z "${{ inputs.s3-bucket-region }}" ]; then
+ export TFSTATE_REGION="$AWS_REGION"
+ else
+ export TFSTATE_REGION="${{ inputs.s3-bucket-region }}"
+ fi
+
+ echo "TFSTATE_BUCKET=${TFSTATE_BUCKET}" >> "$GITHUB_OUTPUT"
+ echo "TFSTATE_REGION=${TFSTATE_REGION}" >> "$GITHUB_OUTPUT"
+ echo "TFSTATE_KEY=${TFSTATE_KEY}" >> "$GITHUB_OUTPUT"
+
+ terraform_state_url="s3://${TFSTATE_BUCKET}/${TFSTATE_KEY}"
+ echo "terraform-state-url=${terraform_state_url}" >> "$GITHUB_OUTPUT"
+
+ - name: Check if S3 bucket exists
+ id: create-s3-bucket
+ shell: bash
+ run: |
+ if aws s3api head-bucket --bucket ${{ inputs.s3-backend-bucket }} --region ${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }} 2>/dev/null; then
+ echo "Bucket already exists"
+ else
+ echo "Bucket does not exist, creating..."
+ aws s3api create-bucket --bucket ${{ inputs.s3-backend-bucket }} \
+ --region ${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }} \
+ --create-bucket-configuration LocationConstraint=${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }}
+ fi
+
+ aws s3api put-public-access-block --bucket ${{ inputs.s3-backend-bucket }} \
+ --region ${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }} \
+ --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
+
+ - name: Terraform Init
+ id: init
+ working-directory: ${{ inputs.tf-modules-path }}/aws/openshift/rosa-hcp-single-region/
+ env:
+ RHCS_TOKEN: ${{ inputs.rh-token }}
+ shell: bash
+ run: |
+ set -euxo pipefail
+
+ terraform version
+
+ terraform init \
+ -backend-config="bucket=${{ steps.set-terraform-variables.outputs.TFSTATE_BUCKET }}" \
+ -backend-config="key=${{ steps.set-terraform-variables.outputs.TFSTATE_KEY }}" \
+ -backend-config="region=${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }}"
+
+ terraform validate -no-color
+
+ - name: Terraform Plan
+ id: plan
+ working-directory: ${{ inputs.tf-modules-path }}/aws/openshift/rosa-hcp-single-region/
+ env:
+ RHCS_TOKEN: ${{ inputs.rh-token }}
+ shell: bash
+ run: |
+ echo "Adapting the files with input values"
+ pwd
+ ls
+ sed -i -e 's/\(rosa_cluster_name\s*=\s*"\)[^"]*\("\)/\1${{ inputs.cluster-name }}\2/' \
+ -e 's/\(rosa_admin_password\s*=\s*"\)[^"]*\("\)/\1${{ inputs.admin-password }}\2/' \
+ -e 's/\(rosa_admin_username\s*=\s*"\)[^"]*\("\)/\1${{ inputs.admin-username }}\2/' \
+ -e 's/\(openshift_version\s*=\s*"\)[^"]*\("\)/\1${{ inputs.openshift-version }}\2/' \
+ -e "s/\(rosa_cluster_zones\s*=\s*\)[^]]*\]/\1[$FULL_AZS]/" \
+ cluster.tf
+
+ if [ -n "${{ inputs.replicas }}" ]; then
+ sed -i -e 's/\(replicas\s*=\s*\)[0-9]\+/\1${{ inputs.replicas }}/' cluster.tf
+ else
+ echo "No replicas value provided, skipping replica modification."
+ fi
+
+ echo "Displaying templated cluster.tf file:"
+ cat cluster.tf
+
+ terraform plan -no-color -out rosa.plan
+
+ - name: Terraform Apply
+ id: apply
+ working-directory: ${{ inputs.tf-modules-path }}/aws/openshift/rosa-hcp-single-region/
+ env:
+ RHCS_TOKEN: ${{ inputs.rh-token }}
+ shell: bash
+ run: |
+ terraform apply -no-color rosa.plan
+
+ export cluster_id="$(terraform output -raw cluster_id)"
+ echo "cluster_id=$cluster_id" >> "$GITHUB_OUTPUT"
+
+ - name: Retrieve cluster information
+ id: cluster_info
+ shell: bash
+ run: |
+ rosa describe cluster --output=json -c "${{ steps.apply.outputs.cluster_id }}"
+ export cluster_api=$(rosa describe cluster --output=json -c "${{ steps.apply.outputs.cluster_id }}" | jq -r '.api.url')
+ echo "cluster_api=$cluster_api"
+ echo "cluster_api=$cluster_api" >> "$GITHUB_OUTPUT"
+
+ - name: Login and generate kubeconfig
+ # we need to retry due as the cluster has just been created and the OIDC provider may not be available yet
+ uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3
+ id: kube_config
+ if: inputs.login == 'true'
+ with:
+ timeout_minutes: 10
+ max_attempts: 40
+ shell: bash
+ retry_wait_seconds: 15
+ command: |
+ : # see https://github.com/nick-fields/retry/issues/133
+ set -o errexit
+ set -o pipefail
+
+ oc login --username "${{ inputs.admin-username }}" --password "${{ inputs.admin-password }}" "${{ steps.cluster_info.outputs.cluster_api }}"
+
+ # Check if the user is already a cluster-admin
+ if ! rosa list users --cluster="${{ inputs.cluster-name }}" | grep -q "${{ inputs.admin-username }}"; then
+ rosa grant user cluster-admin --cluster="${{ inputs.cluster-name }}" --user="${{ inputs.admin-username }}"
+ else
+ echo "✅ User '${{ inputs.admin-username }}' is already a cluster-admin on '${{ inputs.cluster-name }}'."
+ fi + + oc whoami + + kubectl config rename-context $(oc config current-context) "${{ inputs.cluster-name }}" + kubectl config use "${{ inputs.cluster-name }}" + + - name: Clean up cloned modules + if: always() + shell: bash + run: | + rm -rf "${{ inputs.tf-modules-path }}" diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 8a21fb53a..97a6efdac 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -10,7 +10,7 @@ ], "customDatasources": { "rosa-camunda": { - "defaultRegistryUrlTemplate": "https://camunda.github.io/camunda-tf-rosa/rosa_versions.txt", + "defaultRegistryUrlTemplate": "https://camunda.github.io/camunda-deployment-references/rosa_versions.txt", "format": "plain", }, }, diff --git a/.github/workflows-config/rosa-hcp/test-matrix.yml b/.github/workflows-config/aws-openshift-rosa-hcp-single-region/test_matrix.yml similarity index 88% rename from .github/workflows-config/rosa-hcp/test-matrix.yml rename to .github/workflows-config/aws-openshift-rosa-hcp-single-region/test_matrix.yml index 1340c4309..8b7f5f4e0 100644 --- a/.github/workflows-config/rosa-hcp/test-matrix.yml +++ b/.github/workflows-config/aws-openshift-rosa-hcp-single-region/test_matrix.yml 
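Review bot: The `Terraform Plan` step writes `inputs.admin-password` into `cluster.tf` with `sed` and then runs `cat cluster.tf`, which prints the cluster admin password to the job log unless the caller happens to pass a value the runner already masks. Drop the `cat`, or redact that line with `grep -v rosa_admin_password cluster.tf`. Because the password is spliced into the `sed` replacement text, a value containing `/`, `&` or `'` also corrupts the substitution or the script itself. The `asdf-install-tooling` step is pinned to the mutable ref `@feature/working-directory` while the other actions in this file are pinned to commit SHAs, and its trailing `# 1.2.19` comment no longer describes what runs. It should be pinned to that branch's commit, `...asdf-install-tooling@<commit-sha> # feature/working-directory`.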
@@ -5,10 +5,10 @@ matrix: # /!\ Please keep this matrix synced with the official documentation: # https://github.com/camunda/camunda-docs/blob/main/docs/self-managed/setup/deploy/openshift/redhat-openshift.md?plain=1#L2 # According to https://access.redhat.com/support/policy/updates/openshift, this matrix should reference the last 4 (may change) supported versions of OpenShift - - name: OpenShift 4.17 + - name: OpenShift 4.18 type: openshift # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=regex:^4(\.(?\d+))?(\.(?\d+))?$ - version: 4.17.16 + version: 4.18.1 # /!\ Warning: When a new minor version of OpenShift is released, # you must update all N-1, N-2, and N-3 versions in this matrix. # rationale: Red Hat supports the last four minor versions of OpenShift. @@ -18,6 +18,12 @@ matrix: # According to https://access.redhat.com/support/policy/updates/openshift, # this matrix should reference the last 4 (may change) supported versions of OpenShift + - name: OpenShift 4.17 + type: openshift + # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=regex:^4.17(\.(?\d+))?$ + version: 4.17.16 + platform: rosa + - name: OpenShift 4.16 type: openshift # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=regex:^4.16(\.(?\d+))?$ @@ -30,16 +36,7 @@ matrix: version: 4.15.21 platform: rosa - - name: OpenShift 4.14 - type: openshift - # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=regex:^4.14(\.(?\d+))?$ - version: 4.14.33 - platform: rosa - scenario: - name: Chart Setup desc: Setup chart in production-like setup with Ingress and TLS. flow: install - - name: Chart Upgrade - desc: Upgrade chart from the latest released version to the current branch. - flow: upgrade 
diff --git a/.github/workflows/aws_ec2_golden.yml b/.github/workflows/aws_ec2_golden.yml.disabled similarity index 100% rename from .github/workflows/aws_ec2_golden.yml rename to .github/workflows/aws_ec2_golden.yml.disabled diff --git a/.github/workflows/aws_ec2_tests.yml b/.github/workflows/aws_ec2_tests.yml.disabled similarity index 96% rename from .github/workflows/aws_ec2_tests.yml rename to .github/workflows/aws_ec2_tests.yml.disabled index aa45be8bf..c2b190492 100644 --- a/.github/workflows/aws_ec2_tests.yml +++ b/.github/workflows/aws_ec2_tests.yml.disabled @@ -6,12 +6,12 @@ on: # schedule: # - cron: 0 3 * * 1-5 workflow_dispatch: - pull_request: - paths: - - .github/workflows/aws_ec2_tests.yml - - .tool-versions - - aws/ec2/** - - '!aws/ec2/test/golden/**' + # pull_request: + # paths: + # - .github/workflows/aws_ec2_tests.yml + # - .tool-versions + # - aws/ec2/** + # - '!aws/ec2/test/golden/**' # limit to a single execution per actor of this workflow concurrency: @@ -35,7 +35,7 @@ jobs: matrix: camunda: # renovate: datasource=github-releases depName=camunda/camunda versioning=regex:^8\.6?(\.(?\d+))?$ - - 8.6.9 + - 8.6.10 - 8.7.0-SNAPSHOT architecture: - x86_64 @@ -173,7 +173,7 @@ jobs: SNAPSHOT_ERROR: ${{ steps.determine-if-failed-tests-include-snapshot.outputs.SNAPSHOT_ERROR }} steps: - name: Download artifacts - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 + uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4 with: pattern: test-reports-* path: /tmp/testreports diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml new file mode 100644 index 000000000..79c12fe62 --- /dev/null +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml 
@@ -0,0 +1,97 @@
+---
+name: Tests - Daily Cleanup - AWS OpenShift ROSA HCP Single Region
+
+on:
+ workflow_dispatch:
+ inputs:
+ max_age_hours_cluster:
+ description: Maximum age of clusters in hours
+ required: true
+ default: '20'
+ pull_request:
+ paths:
+ - .github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml
+
+ schedule:
+ - cron: 0 1 * * * # At 01:00 everyday.
+
+env:
+ MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '20' }}
+
+ # please keep those variables synced with aws_rosa_hcp_tests.yml
+ AWS_PROFILE: infex
+ S3_BACKEND_BUCKET: tests-ra-aws-rosa-hcp-tf-state-eu-central-1
+ S3_BUCKET_REGION: eu-central-1
+ AWS_REGION: eu-west-2
+
+
+jobs:
+
+ cleanup-clusters:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ ref: ${{ github.head_ref }}
+ fetch-depth: 0
+
+ - name: Install asdf tools with cache
+ uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19
+
+ - name: Use repo .tool-version as global version
+ run: cp .tool-versions ~/.tool-versions
+
+ - name: Import Secrets
+ id: secrets
+ uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3
+ with:
+ url: ${{ secrets.VAULT_ADDR }}
+ method: approle
+ roleId: ${{ secrets.VAULT_ROLE_ID }}
+ secretId: ${{ secrets.VAULT_SECRET_ID }}
+ exportEnv: false
+ secrets: |
+ secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY;
+ secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY;
+ secret/data/products/infrastructure-experience/ci/common RH_OPENSHIFT_TOKEN;
+
+ # Official action does not support profiles
+ - name: Add profile credentials to ~/.aws/credentials
+ run: |
+ aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }}
+ aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }}
+ aws configure set region ${{ env.AWS_REGION }} --profile ${{ env.AWS_PROFILE }}
+
+ - name: Delete clusters
+ id: delete_clusters
+ timeout-minutes: 125
+ uses: ./.github/actions/aws-openshift-rosa-hcp-single-region-cleanup
+ env:
+ RHCS_TOKEN: ${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }}
+ with:
+ tf-bucket: ${{ env.S3_BACKEND_BUCKET }}
+ tf-bucket-region: ${{ env.S3_BUCKET_REGION }}
+ max-age-hours-cluster: ${{ env.MAX_AGE_HOURS_CLUSTER }}
+
+ # There are cases where the deletion of resources fails due to dependencies.
+ - name: Retry delete clusters
+ id: retry_delete_clusters
+ if: failure() && steps.delete_clusters.outcome == 'failure'
+ timeout-minutes: 125
+ uses: ./.github/actions/aws-openshift-rosa-hcp-single-region-cleanup
+ env:
+ RHCS_TOKEN: ${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }}
+ with:
+ tf-bucket: ${{ env.S3_BACKEND_BUCKET }}
+ tf-bucket-region: ${{ env.S3_BUCKET_REGION }}
+ max-age-hours-cluster: 0 # the previous step alters the age and resets it to 0
+
+ - name: Notify in Slack in case of failure
+ id: slack-notification
+ if: failure() && github.event_name == 'schedule' && steps.retry_delete_clusters.outcome == 'failure'
+ uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19
+ with:
+ vault_addr: ${{ secrets.VAULT_ADDR }}
+ vault_role_id: ${{ secrets.VAULT_ROLE_ID }}
+ vault_secret_id: ${{ secrets.VAULT_SECRET_ID }}
diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml
new file mode 100644
index 000000000..0f54752b5
--- /dev/null
+++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml
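Review bot: `Retry delete clusters` passes `max-age-hours-cluster: 0`, which makes the cleanup script's age test (`file_age_hours -ge MIN_AGE_IN_HOURS`) true for every state file in the bucket, so the retry also destroys clusters created minutes earlier, presumably including ones still in use by test jobs running at the same time. The inline comment explains why 0 is needed, but that reasoning covers only the clusters whose destroy failed. Narrowing the retry to those would need the cleanup action to report the failed IDs so they can be passed as `target`. Until then the step should at least say so: `# WARNING: age 0 selects every cluster in the bucket, not only the ones that failed above`. Separately, the `aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }}` lines expand the secret unquoted into the script text; passing it through the step's `env:` and using `"$AWS_SECRET_KEY"` avoids that.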
@@ -0,0 +1,97 @@
+---
+name: Tests - Golden - AWS OpenShift ROSA HCP Single Region
+
+on:
+ workflow_dispatch:
+ pull_request:
+ paths:
+ - .github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml
+ - .tool-versions
+ - aws/modules/rosa-hcp/**
+ - aws/openshift/rosa-hcp-single-region/**
+
+# limit to a single execution per actor of this workflow
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+env:
+ # keep this synced with other workflows
+ AWS_PROFILE: infex
+ AWS_REGION: eu-west-2
+ S3_BACKEND_BUCKET: tests-ra-aws-rosa-hcp-tf-state-eu-central-1
+ S3_BUCKET_REGION: eu-central-1
+ S3_BUCKET_KEY: golden.tfstate
+
+ MODULE_DIR: ./aws/openshift/rosa-hcp-single-region/
+
+jobs:
+ compare:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+ - name: Install asdf tools with cache
+ uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19
+
+ - name: Import Secrets
+ id: secrets
+ uses: hashicorp/vault-action@v3
+ with:
+ url: ${{ secrets.VAULT_ADDR }}
+ method: approle
+ roleId: ${{ secrets.VAULT_ROLE_ID }}
+ secretId: ${{ secrets.VAULT_SECRET_ID }}
+ exportEnv: false
+ secrets: |
+ secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY;
+ secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY;
+
+ - name: Add profile credentials to ~/.aws/credentials
+ shell: bash
+ run: |
+ aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }}
+ aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }}
+ aws configure set region ${{ env.AWS_REGION }} --profile ${{ env.AWS_PROFILE }}
+
+ - name: Compute golden
+ run: |
+ set -euxo pipefail
+ just regenerate-golden-file "${{ env.MODULE_DIR }}" "${{ env.S3_BUCKET_REGION }}" "${{ env.S3_BACKEND_BUCKET }}" "${{ env.S3_BUCKET_KEY }}" "./compare/"
+
+ - name: Upload pipeline golden result
+ uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
+ with:
+ name: plan-artifact-json
+ path: ${{ env.MODULE_DIR }}compare/tfplan.json
+ retention-days: 1
+
+ - name: Compare Terraform plan with golden file
+ working-directory: aws/ec2/terraform
+ run: |
+ delta "${{ env.MODULE_DIR }}test/golden/tfplan.json" "${{ env.MODULE_DIR }}compare/tfplan.json"
+ exit $?
+
+ - name: Post diff on PR
+ if: always() && github.event_name == 'pull_request'
+ uses: int128/diff-action@db6cce01542cb26e181798736eea1e71f5d36706 # v1
+ with:
+ base: ${{ env.MODULE_DIR }}test/golden/tfplan.json
+ head: ${{ env.MODULE_DIR }}compare/tfplan.json
+ comment-header: |
+ ## Module ${{ env.MODULE_DIR }} - Terraform Golden Plan Diff
+
+ comment-footer: |
+ 🖲 **Check the delta diff**
+ in the [workflow run](${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}) for a detailed comparison.
+
+ If the changes are expected, you can use the uploaded artifact on the workflow to update the golden file on your branch.
+
+ 📟 **Alternatively, run the following command locally** to update the golden file:
+ ```sh
+ just regenerate-golden-file "${{ env.MODULE_DIR }}" "${{ env.S3_BUCKET_REGION }}" "${{ env.S3_BACKEND_BUCKET }}" "${{ env.S3_BUCKET_KEY }}"
+ ```
diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml
new file mode 100644
index 000000000..e16e84e2a
--- /dev/null
+++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml
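Review bot: `Import Secrets` references `hashicorp/vault-action@v3`, a mutable tag, while every other action in this workflow is pinned to a commit SHA. This is the step that receives `VAULT_ROLE_ID` and `VAULT_SECRET_ID`, so a moved tag would run unreviewed code with the AppRole credentials and the AWS keys it fetches. The daily-cleanup workflow in this same patch already pins it, so the same line can be used here: `uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3`. The tests workflow added below carries the same `@v3` reference in three jobs and also uses `asdf-install-tooling@feature/working-directory`, which is a branch and should be replaced by a commit SHA as well.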
@@ -0,0 +1,595 @@ +--- +name: Tests - Integration - AWS OpenShift ROSA HCP Single Region + +# description: This workflow perform integration tests against ROSA HCP platform + +on: + schedule: + - cron: 0 3 * * 1,3,5 # Runs at 3 AM on Monday, Wednesday, and Friday + pull_request: + paths: + - .github/workflows-config/aws-openshift-rosa-hcp-single-region/test_matrix.yml + - .github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml + - .github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml + - .github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml + - .tool-versions + - aws/openshift/rosa-hcp-single-region/** + - generic/openshift/single-region/** + - '!aws/openshift/rosa-hcp-single-region/test/golden/**' + - .github/actions/aws-openshift-rosa-hcp-single-region-create/** + - .github/actions/aws-openshift-rosa-hcp-single-region-cleanup/** + + workflow_dispatch: + inputs: + cluster_name: + description: Cluster name. + required: false + type: string + delete_clusters: + description: Whether to delete the clusters. + type: boolean + default: true + enable_tests: + description: Whether to enable the tests. + type: boolean + default: true + +# limit to a single execution per actor of this workflow +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + # in case of renovate we don't cancel the previous run, so it can finish it + # otherwise weekly renovate PRs with tf docs updates result in broken clusters + cancel-in-progress: ${{ github.actor == 'renovate[bot]' && false || true }} + +env: + AWS_PROFILE: infex + AWS_REGION: eu-west-2 + S3_BACKEND_BUCKET: tests-ra-aws-rosa-hcp-tf-state-eu-central-1 + S3_BUCKET_REGION: eu-central-1 + + CLEANUP_CLUSTERS: ${{ github.event.inputs.delete_clusters || 'true' }} + + # TEST VARIABLES + + # Vars with "CI_" prefix are used in the CI workflow only. 
+ CI_MATRIX_FILE: .github/workflows-config/aws-openshift-rosa-hcp-single-region/test_matrix.yml + + # Docker Hub auth to avoid image pull rate limit. + # Vars with "TEST_" prefix are used in the test runner tool (Task). + TESTS_ENABLED: ${{ github.event.inputs.enable_tests || 'true' }} + TESTS_CAMUNDA_HELM_CHART_REPO_REF: main # git reference used to clone the camunda/camunda-platform-helm repository to perform the tests + TESTS_CAMUNDA_HELM_CHART_REPO_PATH: ./.camunda_helm_repo # where to clone it + + + ROSA_CLI_VERSION: latest + +jobs: + clusters-info: + name: Define Matrix + runs-on: ubuntu-latest + outputs: + platform-matrix: ${{ steps.matrix.outputs.platform-matrix }} + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + fetch-depth: 0 + + - name: Install asdf tools with cache + uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + + - id: matrix + # we define a global matrix in an external file due to https://github.com/orgs/community/discussions/26284 + run: | + set -euxo pipefail # tolerate, nothing. + + # Generate cluster name. + # shellcheck disable=SC2086 + distro_indexes="$(yq '.matrix.distro | to_entries | .[] | .key' ${CI_MATRIX_FILE})" + + # Loop over clusters. + # Vars are exported to pass them to yq instead of local inline syntax. + # shellcheck disable=SC2086 + for distro_index in ${distro_indexes}; do + cluster_name_input="${{ inputs.cluster_name }}" + cluster_name_fallback="hci-$(uuidgen | head -c 8)" + export cluster_name="${cluster_name_input:-${cluster_name_fallback}}" + export distro_index="${distro_index}" + yq -i '.matrix.distro[env(distro_index)].clusterName = env(cluster_name)' "${CI_MATRIX_FILE}" + done + + # Get updated matrix. 
+ # shellcheck disable=SC2086 + platform_matrix="$(yq '.matrix' --indent=0 --output-format json ${CI_MATRIX_FILE})" + echo "${platform_matrix}" | jq + echo "platform-matrix=${platform_matrix}" > "$GITHUB_OUTPUT" + + prepare-clusters: + name: Prepare clusters + needs: + - clusters-info + strategy: + fail-fast: false + matrix: + distro: ${{ fromJson(needs.clusters-info.outputs.platform-matrix).distro }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + ref: ${{ github.head_ref }} + fetch-depth: 0 + + - name: Install asdf tools with cache + uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + + - name: Import Secrets + id: secrets + uses: hashicorp/vault-action@v3 + with: + url: ${{ secrets.VAULT_ADDR }} + method: approle + roleId: ${{ secrets.VAULT_ROLE_ID }} + secretId: ${{ secrets.VAULT_SECRET_ID }} + exportEnv: false + secrets: | + secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY; + secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY; + secret/data/products/infrastructure-experience/ci/common RH_OPENSHIFT_TOKEN; + secret/data/products/infrastructure-experience/ci/common CI_OPENSHIFT_MAIN_PASSWORD; + secret/data/products/infrastructure-experience/ci/common CI_OPENSHIFT_MAIN_USERNAME; + + - name: Add profile credentials to ~/.aws/credentials + shell: bash + run: | + aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }} + aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }} + aws configure set region ${{ env.AWS_REGION }} --profile ${{ env.AWS_PROFILE }} + + # Also remove the versioning + - name: Create ROSA cluster and login + uses: ./.github/actions/aws-openshift-rosa-hcp-single-region-create + id: create_cluster + # Do not interrupt tests; otherwise, the 
Terraform state may become inconsistent. + if: always() && success() + with: + rh-token: ${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }} + cluster-name: ${{ matrix.distro.clusterName }} + admin-username: ${{ steps.secrets.outputs.CI_OPENSHIFT_MAIN_USERNAME }} + admin-password: ${{ steps.secrets.outputs.CI_OPENSHIFT_MAIN_PASSWORD }} + aws-region: ${{ env.AWS_REGION }} + s3-backend-bucket: ${{ env.S3_BACKEND_BUCKET }} + s3-bucket-region: ${{ env.S3_BUCKET_REGION }} + openshift-version: ${{ matrix.distro.version }} + tf-modules-revision: ${{ github.head_ref }} + + # This is required for some operations not to fail such as annotation of the IngressController + - name: ⏳ Wait for a minimal age of 5min of the cluster + id: wait_cluster_age + run: | + ns_age=0 + + while [ "$ns_age" -lt 5 ]; do + current_time=$(date +%s) + + ns_creation_time_raw=$(oc get ns default -o jsonpath='{.metadata.creationTimestamp}') + ns_creation_time=$(date -d "$ns_creation_time_raw" +%s) + + echo "Namespace creation timestamp (seconds): $ns_creation_time" + ns_age=$(( (current_time - ns_creation_time) / 60 )) + + # Print the calculated age for debugging + echo "Namespace age in minutes: $ns_age" + + # If ns_age is still less than 5, wait for a bit and check again + if [ "$ns_age" -lt 5 ]; then + echo "⏳ Waiting for namespace 'default' to be at least 5 minutes old..." + sleep 30 + fi + done + + echo "✅ Namespace is older than 5 minutes." 
+ + + - name: Export kubeconfig and encrypt it # this is required to pass matrix outputs securely using artifacts + id: export_kube_config + run: | + # shellcheck disable=SC2005 + echo "$(kubectl config view --raw)" > kubeconfig.yaml 2>/dev/null + openssl enc -aes-256-cbc -salt -in kubeconfig.yaml -out encrypted_kubeconfig.enc -pass pass:"${GITHUB_TOKEN}" -pbkdf2 + encrypted_kubeconfig_base64=$(base64 -w 0 encrypted_kubeconfig.enc) + echo "kubeconfig_raw=${encrypted_kubeconfig_base64}" >> "$GITHUB_OUTPUT" + + ## Write for matrix outputs workaround + - uses: cloudposse/github-action-matrix-outputs-write@ed06cf3a6bf23b8dce36d1cf0d63123885bb8375 # v1 + id: out + with: + matrix-step-name: ${{ github.job }} + matrix-key: ${{ matrix.distro.name }} + outputs: |- + kubeconfig_raw: ${{ steps.export_kube_config.outputs.kubeconfig_raw }} + + access-info: + name: Read kube configs from matrix + runs-on: ubuntu-latest + needs: prepare-clusters + outputs: + kubeconfig: ${{ steps.read-workflow.outputs.result }} + steps: + - uses: cloudposse/github-action-matrix-outputs-read@33cac12fa9282a7230a418d859b93fdbc4f27b5a # v1 + id: read-workflow + with: + matrix-step-name: prepare-clusters + + integration-tests: + name: Run integration tests - ${{ matrix.distro.name }} + runs-on: ubuntu-latest + needs: + - clusters-info + - access-info + strategy: + fail-fast: false + matrix: + distro: ${{ fromJson(needs.clusters-info.outputs.platform-matrix).distro }} + scenario: ${{ fromJson(needs.clusters-info.outputs.platform-matrix).scenario }} + env: + TEST_NAMESPACE: camunda # This namespace is hard-coded in the documentation + # https://github.com/camunda/camunda-platform-helm/blob/test/integration/scenarios/chart-full-setup/Taskfile.yaml#L12C15-L12C32 + TEST_CLUSTER_TYPE: openshift + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + + - name: Install asdf tools with cache for the project + uses: 
camunda/infraex-common-config/./.github/actions/asdf-install-tooling@feature/working-directory # 1.2.19 + with: + tool_versions_files: .tool-versions,./aws/openshift/rosa-hcp-single-region/.tool-versions,./generic/openshift/rosa-hcp-single-region/.tool-versions + + - name: Install CLI tools from OpenShift Mirror + uses: redhat-actions/openshift-tools-installer@144527c7d98999f2652264c048c7a9bd103f8a82 # v1 + with: + oc: ${{ matrix.distro.version }} + + - name: Import Secrets + id: secrets + uses: hashicorp/vault-action@v3 + with: + url: ${{ secrets.VAULT_ADDR }} + method: approle + roleId: ${{ secrets.VAULT_ROLE_ID }} + secretId: ${{ secrets.VAULT_SECRET_ID }} + exportEnv: false + secrets: | + secret/data/products/infrastructure-experience/ci/common DOCKERHUB_USER; + secret/data/products/infrastructure-experience/ci/common DOCKERHUB_PASSWORD; + secret/data/products/infrastructure-experience/ci/common CI_CAMUNDA_USER_TEST_CLIENT_ID; + secret/data/products/infrastructure-experience/ci/common CI_CAMUNDA_USER_TEST_CLIENT_SECRET; + + - name: 🔐 Login into the cluster + run: | + mkdir -p "$HOME/.kube" + echo "${{ fromJson(needs.access-info.outputs.kubeconfig).kubeconfig_raw[matrix.distro.name] }}" | base64 --decode > encrypted_kubeconfig.enc + openssl enc -aes-256-cbc -d -in encrypted_kubeconfig.enc -out "$HOME/.kube/config" -pass pass:"${GITHUB_TOKEN}" -pbkdf2 + rm encrypted_kubeconfig.enc + chmod 600 "$HOME/.kube/config" + + - name: 🛠️ Prepare a FRESH deployment for generic/openshift/single-region + run: | + set -euxo pipefail # tolerate, nothing. + + # Delete the namespace to ensure a fresh start + if kubectl get namespace "$TEST_NAMESPACE" &>/dev/null; then + kubectl delete namespace "$TEST_NAMESPACE" --wait + while kubectl get namespace "$TEST_NAMESPACE" &>/dev/null; do + echo "Namespace $TEST_NAMESPACE still being deleted, waiting..." 
+ sleep 5 + done + fi + + kubectl create namespace "$TEST_NAMESPACE" + + echo "Construct the values.yml file" + + cp generic/openshift/single-region/helm-values/base.yml ./values.yml + + # TODO: [DOC] this should be extract from the doc https://docs.camunda.io/docs/8.7/self-managed/setup/deploy/openshift/redhat-openshift/ + source ./generic/openshift/single-region/procedure/setup-application-domain.sh + echo "CAMUNDA_DOMAIN=$DOMAIN_NAME" | tee -a "$GITHUB_ENV" + + # TODO: [DOC] same + source ./generic/openshift/single-region/procedure/get-ingress-http2-status.sh + ./generic/openshift/single-region/procedure/enable-ingress-http2.sh + + # Enable Routes + yq '. *d load("generic/openshift/single-region/helm-values/zeebe-gateway-route.yml")' values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml + yq '. *d load("generic/openshift/single-region/helm-values/operate-route.yml")' values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml + yq '. *d load("generic/openshift/single-region/helm-values/tasklist-route.yml")' values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml + yq '. *d load("generic/openshift/single-region/helm-values/connectors-route.yml")' values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml + yq '. *d load("generic/openshift/single-region/helm-values/domain.yml")' values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml + + # Enable SCC + yq '. *d load("generic/openshift/single-region/helm-values/scc.yml")' values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml + + # Add integration tests values + if [ "$TESTS_ENABLED" == "true" ]; then + yq '. *d load("generic/kubernetes/single-region/tests/helm-values/registry.yml")' values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml + yq '. 
*d load("generic/kubernetes/single-region/tests/helm-values/identity.yml")' values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml + fi + + # Generate the final values + envsubst < values.yml > generated-values.yml + + echo "Final generated-values.yml result" + cat generated-values.yml + + + - name: 🏁 Install Camunda 8 using the generic/openshift helm chart procedure + run: | + set -euxo pipefail # tolerate, nothing. + + source generic/openshift/single-region/procedure/chart-env.sh + source generic/openshift/single-region/procedure/generate-passwords.sh + + ./generic/openshift/single-region/procedure/create-identity-secret.sh + + # Generate tests objects + if [ "$TESTS_ENABLED" == "true" ]; then + # Create the pull secrets described in generic/kubernetes/single-region/tests/helm-values/registry.yml + kubectl create secret docker-registry index-docker-io \ + --docker-server=index.docker.io \ + --docker-username="${{ steps.secrets.outputs.DOCKERHUB_USER }}" \ + --docker-password="${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}" \ + --namespace="$TEST_NAMESPACE" + + kubectl create secret generic identity-secret-for-components-integration \ + --from-literal=identity-admin-client-id="${{ steps.secrets.outputs.CI_CAMUNDA_USER_TEST_CLIENT_ID }}" \ + --from-literal=identity-admin-client-secret="${{ steps.secrets.outputs.CI_CAMUNDA_USER_TEST_CLIENT_SECRET }}" \ + --namespace="$TEST_NAMESPACE" + fi + + ./generic/openshift/single-region/procedure/install-chart.sh + + - name: 👀⏳ Wait for the deployment to be healthy using generic/kubernetes/single-region + timeout-minutes: 10 + run: | + # TODO: [DOC] update the doc to reference this snippet + ./generic/kubernetes/single-region/procedure/check-deployment-ready.sh + + - name: 🧙‍♂️ Clone camunda/camunda-platform-helm + if: env.TESTS_ENABLED == 'true' + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + repository: camunda/camunda-platform-helm + ref: ${{ 
env.TESTS_CAMUNDA_HELM_CHART_REPO_REF }} + path: ${{ env.TESTS_CAMUNDA_HELM_CHART_REPO_PATH }} + fetch-depth: 0 + + - name: 🧪 TESTS - Set variables + if: env.TESTS_ENABLED == 'true' + run: | + set -euxo pipefail # tolerate, nothing. + + CAMUNDA_VERSION=$(cat .camunda-version) + + export TEST_CHART_DIR_STATIC="$TESTS_CAMUNDA_HELM_CHART_REPO_PATH/charts/camunda-platform-$CAMUNDA_VERSION" + echo "TEST_CHART_DIR_STATIC=$TEST_CHART_DIR_STATIC" | tee -a "$GITHUB_ENV" + + TEST_INGRESS_HOST="$CAMUNDA_DOMAIN" + echo "TEST_INGRESS_HOST=$TEST_INGRESS_HOST" | tee -a "$GITHUB_ENV" + + # shellcheck disable=SC2002 + TEST_CHART_VERSION=$(cat "$TEST_CHART_DIR_STATIC/Chart.yaml" | yq '.version') + echo "TEST_CHART_VERSION=$TEST_CHART_VERSION" | tee -a "$GITHUB_ENV" + + # setup docker registry secret for tests + echo "TEST_CREATE_DOCKER_LOGIN_SECRET=true" | tee -a "$GITHUB_ENV" + echo "TEST_DOCKER_USERNAME_CAMUNDA_CLOUD=${{ steps.secrets.outputs.DOCKERHUB_USERNAME }}" | tee -a "$GITHUB_ENV" + echo "TEST_DOCKER_PASSWORD_CAMUNDA_CLOUD=${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}" | tee -a "$GITHUB_ENV" + + CI_TASKS_BASE_DIR="$TESTS_CAMUNDA_HELM_CHART_REPO_PATH/test/integration/scenarios/" + echo "CI_TASKS_BASE_DIR=$CI_TASKS_BASE_DIR" | tee -a "$GITHUB_ENV" + export TEST_CHART_DIR="../../../../charts/camunda-platform-$CAMUNDA_VERSION" + echo "TEST_CHART_DIR=$TEST_CHART_DIR" | tee -a "$GITHUB_ENV" + export TEST_VALUES_BASE_DIR="$TESTS_CAMUNDA_HELM_CHART_REPO_PATH/test/integration/scenarios" + echo "TEST_VALUES_BASE_DIR=$TEST_VALUES_BASE_DIR" | tee -a "$GITHUB_ENV" + + # replace integration with the camunda release name as part of adaptation required to run the tests in our environment + find "$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/" -type f -print0 | xargs -0 sed -i 's/integration/camunda/g' + + echo "Configure Venom tests" + # (adapted from https://github.com/camunda/camunda-platform-helm/blob/test/integration/scenarios/chart-full-setup/Taskfile.yaml#L56) + 
export VARIABLES_ENV_FILE="$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/variables.env" + # Enable the ingress tests + # shellcheck disable=SC2129 + echo "VENOM_VAR_TEST_INGRESS_HOST=$TEST_INGRESS_HOST" >> "$VARIABLES_ENV_FILE" + echo "VENOM_VAR_TEST_CLIENT_ID=${{ steps.secrets.outputs.CI_CAMUNDA_USER_TEST_CLIENT_ID }}" >> "$VARIABLES_ENV_FILE" + echo "VENOM_VAR_TEST_CLIENT_SECRET=${{ steps.secrets.outputs.CI_CAMUNDA_USER_TEST_CLIENT_SECRET }}" >> "$VARIABLES_ENV_FILE" + echo "VENOM_EXTRA_ARGS=--var-from-file=./vars/variables-ingress-combined.yaml" >> "$VARIABLES_ENV_FILE" + ZEEBE_VERSION=$(yq '.zeebe.image.tag' "$TEST_CHART_DIR_STATIC/values.yaml") + # shellcheck disable=SC2129 + echo "ZEEBE_VERSION=$ZEEBE_VERSION" >> "$VARIABLES_ENV_FILE" + # In case the Zeebe version has not been released officially yet. + echo "ZEEBE_VERSION_FALLBACK=8.5.6" >> "$VARIABLES_ENV_FILE" + + # Some variables are not working correctly, patching it with yq directly + # shellcheck disable=SC2129 + echo "VENOM_VAR_SKIP_TEST_WEBMODELER=false" >> "$VARIABLES_ENV_FILE" + echo "VENOM_VAR_SKIP_TEST_INGRESS=true" >> "$VARIABLES_ENV_FILE" + + echo "Patch the test files..." + + # TODO: [BUG] remove the patchs when https://github.com/camunda/camunda-platform-helm/issues/3081 is fixed + echo "Patch expression ShoudBeFalse" + sed "s/ ShouldBeFalse/ ShouldEqual 'false'/g" \ + -i "$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/testsuite-core.yaml" + sed "s/ ShouldBeFalse/ ShouldEqual 'false'/g" \ + -i "$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/testsuite-preflight.yaml" + + echo "Skip test ingress is also broken, fixing it" + yq eval '(.testcases[].steps[].skip |= map(select(test("skiptestingress", "i") | not)))' \ + -i "$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/testsuite-core.yaml" + yq eval 'del(.. 
| select(has("skip") and .skip | length == 0).skip)' \ + -i "$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/testsuite-core.yaml" + + echo "Disable Console,Webmodeler in the core tests as it's not enabled" + yq eval 'del(.. | select(has("component") and (.component == "Console" or .component == "WebModeler")))' \ + -i "$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/testsuite-core.yaml" + + echo "Patch the identity secrets to allow venom to access to the platform" + sed -i 's/integration-test-credentials/identity-secret-for-components/g' "$TEST_CHART_DIR_STATIC/test/integration/testsuites/core/patches/job.yaml" + sed -i 's/identity-operate-client-password/operate-secret/g' "$TEST_CHART_DIR_STATIC/test/integration/testsuites/core/patches/job.yaml" + sed -i 's/identity-optimize-client-password/optimize-secret/g' "$TEST_CHART_DIR_STATIC/test/integration/testsuites/core/patches/job.yaml" + sed -i 's/identity-tasklist-client-password/tasklist-secret/g' "$TEST_CHART_DIR_STATIC/test/integration/testsuites/core/patches/job.yaml" + sed -i 's/identity-zeebe-client-password/zeebe-secret/g' "$TEST_CHART_DIR_STATIC/test/integration/testsuites/core/patches/job.yaml" + sed -i 's/identity-connectors-client-password/connectors-secret/g' "$TEST_CHART_DIR_STATIC/test/integration/testsuites/core/patches/job.yaml" + + # remove venom var client secret as we define it in the file + yq e 'del(.spec.template.spec.containers[].env[] | select(.name == "VENOM_VAR_TEST_CLIENT_SECRET"))' \ + -i "$TEST_CHART_DIR_STATIC/test/integration/testsuites/core/patches/job.yaml" + + echo "Ensure asdf tool is available in the test suite by using our global one" + cp .tool-versions "$TEST_VALUES_BASE_DIR" + + - name: 🧪 TESTS - Run Preflight TestSuite + if: env.TESTS_ENABLED == 'true' + timeout-minutes: 10 + run: | + task -d "${CI_TASKS_BASE_DIR}/chart-full-setup" test.preflight + + - name: 🧪 TESTS - Run Core TestSuite + if: env.TESTS_ENABLED == 'true' + timeout-minutes: 20 + run: 
| + task -d "${CI_TASKS_BASE_DIR}/chart-full-setup" test.core + + - name: 🧪 TESTS - Run additional tests + if: env.TESTS_ENABLED == 'true' + timeout-minutes: 20 + run: | + set -euxo pipefail # tolerate, nothing. + + echo "Show zeebe cluster topology using generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology.sh:" + export ZEEBE_CLIENT_ID="${{ steps.secrets.outputs.CI_CAMUNDA_USER_TEST_CLIENT_ID }}" + export ZEEBE_CLIENT_SECRET="${{ steps.secrets.outputs.CI_CAMUNDA_USER_TEST_CLIENT_SECRET }}" + export DOMAIN_NAME="$CAMUNDA_DOMAIN" + + # Execute the script and capture the output in a variable + check_zeebe_topology_output=$(./generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology.sh) + + echo "$check_zeebe_topology_output" | jq + + # Checks + error_found=false + check_zeebe_topology_all_healthy=$(echo "$check_zeebe_topology_output" | jq '[.brokers[].partitions[].health == "healthy"] | all') + check_zeebe_topology_cluster_size=$(echo "$check_zeebe_topology_output" | jq '.clusterSize') + check_zeebe_topology_partitions_count=$(echo "$check_zeebe_topology_output" | jq '.partitionsCount') + + if [ "$check_zeebe_topology_all_healthy" = "true" ]; then + echo "✅ All partitions are healthy." + else + echo "❌ Not all partitions are healthy" + error_found=true + fi + + if [ "$check_zeebe_topology_cluster_size" -eq 3 ]; then + echo "✅ Cluster size is 3." + else + echo "❌ Cluster size is not 3." + error_found=true + fi + + if [ "$check_zeebe_topology_partitions_count" -eq 3 ]; then + echo "✅ Partitions count is 3." + else + echo "❌ Partitions count is not 3." + error_found=true + fi + + if [ "$error_found" = true ]; then + exit 1 + fi + + echo "✅ The cluster meets all the expected criteria." 
+ + # TODO: [DOC] integrate it as testable doc + + - name: 🔬🚨 Get failed Pods info + if: failure() + uses: camunda/camunda-platform-helm/./.github/actions/failed-pods-info@52f7c04dc9817a2f8a5b7b1c5450a80a8a6996ae # main + + cleanup-clusters: + name: Cleanup ROSA clusters + if: always() + runs-on: ubuntu-latest + needs: + - clusters-info + - integration-tests + strategy: + fail-fast: false + matrix: + distro: ${{ fromJson(needs.clusters-info.outputs.platform-matrix).distro }} + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + if: env.CLEANUP_CLUSTERS == 'true' + with: + fetch-depth: 0 + + - name: Install asdf tools with cache + if: env.CLEANUP_CLUSTERS == 'true' + uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + + - name: Import Secrets + id: secrets + uses: hashicorp/vault-action@v3 + if: env.CLEANUP_CLUSTERS == 'true' + with: + url: ${{ secrets.VAULT_ADDR }} + method: approle + roleId: ${{ secrets.VAULT_ROLE_ID }} + secretId: ${{ secrets.VAULT_SECRET_ID }} + exportEnv: false + secrets: | + secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY; + secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY; + secret/data/products/infrastructure-experience/ci/common RH_OPENSHIFT_TOKEN; + + - name: Add profile credentials to ~/.aws/credentials + shell: bash + if: env.CLEANUP_CLUSTERS == 'true' + run: | + aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }} + aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }} + aws configure set region ${{ env.AWS_REGION }} --profile ${{ env.AWS_PROFILE }} + + - name: Delete on-demand ROSA HCP Cluster + uses: ./.github/actions/aws-openshift-rosa-hcp-single-region-cleanup + if: always() && env.CLEANUP_CLUSTERS == 'true' + timeout-minutes: 125 + env: + RHCS_TOKEN: ${{ 
steps.secrets.outputs.RH_OPENSHIFT_TOKEN }} + with: + tf-bucket: ${{ env.S3_BACKEND_BUCKET }} + tf-bucket-region: ${{ env.S3_BUCKET_REGION }} + max-age-hours-cluster: 0 + target: ${{ matrix.distro.clusterName }} + + report: + name: Report failures + if: github.event_name == 'schedule' && failure() + runs-on: ubuntu-latest + needs: + - integration-tests + - cleanup-clusters + steps: + - name: Notify in Slack in case of failure + id: slack-notification + uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + with: + vault_addr: ${{ secrets.VAULT_ADDR }} + vault_role_id: ${{ secrets.VAULT_ROLE_ID }} + vault_secret_id: ${{ secrets.VAULT_SECRET_ID }} diff --git a/.github/workflows/aws_rosa_hcp_daily_cleanup.yml.tmp b/.github/workflows/aws_rosa_hcp_daily_cleanup.yml.tmp deleted file mode 100644 index b70d1eb18..000000000 --- a/.github/workflows/aws_rosa_hcp_daily_cleanup.yml.tmp +++ /dev/null @@ -1,2 +0,0 @@ ---- -name: Tests - Cleanup - AWS ROSA HCP diff --git a/.github/workflows/aws_rosa_hcp_tests.yml b/.github/workflows/aws_rosa_hcp_tests.yml deleted file mode 100644 index 6d45341b8..000000000 --- a/.github/workflows/aws_rosa_hcp_tests.yml +++ /dev/null 
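Review bot: In `Export kubeconfig and encrypt it` the passphrase is `pass:"${GITHUB_TOKEN}"`, but no `env:` in that step, its job or the workflow sets `GITHUB_TOKEN`, and the runner does not export it to `run:` steps by default, so the variable most likely expands to an empty string (the step does not use `set -u`, so nothing fails). The cluster-admin kubeconfig would then pass through the matrix-outputs step and the `access-info` job output protected only by an empty passphrase, and `🔐 Login into the cluster` decrypts it the same way. Take the passphrase from a dedicated secret, for example one more entry in the Vault `secrets:` list, expose it through the step's `env:`, and use `-pass env:KUBECONFIG_PASSPHRASE` in both steps so that it also stays off the openssl command line; `KUBECONFIG_PASSPHRASE` is a placeholder name. A guard such as `: "${KUBECONFIG_PASSPHRASE:?passphrase not set}"` before the `openssl enc` call would make an unset value fail the step instead of silently weakening the encryption.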
@@ -1,282 +0,0 @@ ---- -name: Tests - Integration - AWS ROSA HCP - -# description: This workflow perform integration tests against ROSA HCP platform - -on: - schedule: - - cron: 0 3 * * 1,3,5 # Runs at 3 AM on Monday, Wednesday, and Friday - pull_request: - paths: - - .github/config/rosa-hcp/test-matrix.yml - - .github/workflows/aws_rosa_hcp_tests.yml - - .github/workflows/aws_rosa_hcp_golden.yml - - .tool-versions - - aws/rosa-hcp/** - - '!aws/rosa-hcp/test/golden/**' - - workflow_dispatch: - inputs: - cluster_name: - description: Cluster name. - required: false - type: string - delete_clusters: - description: Whether to delete the clusters. - type: boolean - default: true - -# limit to a single execution per actor of this workflow -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - # in case of renovate we don't cancel the previous run, so it can finish it - # otherwise weekly renovate PRs with tf docs updates result in broken clusters - cancel-in-progress: ${{ github.actor == 'renovate[bot]' && false || true }} - -env: - AWS_PROFILE: infex - AWS_REGION: eu-west-2 - S3_BACKEND_BUCKET: tests-ra-aws-rosa-hcp-tf-state-eu-central-1 - S3_BUCKET_REGION: eu-central-1 - - OCP_ADMIN_USERNAME: kube-admin - OCP_NAMESPACE: myns - - # TODO: use branches for that versioning - TESTS_CAMUNDA_HELM_DIR: camunda-platform-alpha - - # TEST VARIABLES - - # Vars with "CI_" prefix are used in the CI workflow only. - CI_MATRIX_FILE: .github/workflows-config/config/rosa-hcp/test-matrix.yml - - # Docker Hub auth to avoid image pull rate limit. - # Vars with "TEST_" prefix are used in the test runner tool (Task). - # TODO: reintegrate this properly - TEST_CREATE_DOCKER_LOGIN_SECRET: 'TRUE' - TEST_DOCKER_USERNAME: ${{ secrets.DISTRO_CI_DOCKER_USERNAME_DOCKERHUB }} - TEST_DOCKER_PASSWORD: ${{ secrets.DISTRO_CI_DOCKER_PASSWORD_DOCKERHUB }} - # Camunda registry auth to access WebModeler Docker image since it's not public. 
- TEST_DOCKER_USERNAME_CAMUNDA_CLOUD: ${{ secrets.DISTRO_CI_DOCKER_USERNAME_CAMUNDA }} - TEST_DOCKER_PASSWORD_CAMUNDA_CLOUD: ${{ secrets.DISTRO_CI_DOCKER_PASSWORD_CAMUNDA }} - - -jobs: - clusters-info: - name: Define Matrix - runs-on: ubuntu-latest - outputs: - platform-matrix: ${{ steps.matrix.outputs.platform-matrix }} - tests-camunda-helm-dir: ${{ env.TESTS_CAMUNDA_HELM_DIR }} - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - fetch-depth: 0 - - - name: Install asdf tools with cache - uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 - - - id: matrix - # we define a global matrix in an external file due to https://github.com/orgs/community/discussions/26284 - run: | - # Generate cluster name. - # shellcheck disable=SC2086 - distro_indexes="$(yq '.matrix.distro | to_entries | .[] | .key' ${CI_MATRIX_FILE})" - - # Loop over clusters. - # Vars are exported to pass them to yq instead of local inline syntax. - # shellcheck disable=SC2086 - for distro_index in ${distro_indexes}; do - cluster_name_input="${{ inputs.cluster_name }}" - cluster_name_fallback="hci-$(uuidgen | head -c 8)" - export cluster_name="${cluster_name_input:-${cluster_name_fallback}}" - export distro_index="${distro_index}" - yq -i '.matrix.distro[env(distro_index)].clusterName = env(cluster_name)' "${CI_MATRIX_FILE}" - done - - # Get updated matrix. 
- # shellcheck disable=SC2086 - platform_matrix="$(yq '.matrix' --indent=0 --output-format json ${CI_MATRIX_FILE})" - echo "${platform_matrix}" | jq - echo "platform-matrix=${platform_matrix}" > "$GITHUB_OUTPUT" - - prepare-clusters: - name: Prepare clusters - needs: - - clusters-info - strategy: - fail-fast: false - matrix: - distro: ${{ fromJson(needs.clusters-info.outputs.platform-matrix).distro }} - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - fetch-depth: 0 - - - name: Install asdf tools with cache - uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 - - - name: Import Secrets - id: secrets - uses: hashicorp/vault-action@v3 - with: - url: ${{ secrets.VAULT_ADDR }} - method: approle - roleId: ${{ secrets.VAULT_ROLE_ID }} - secretId: ${{ secrets.VAULT_SECRET_ID }} - exportEnv: false - secrets: | - secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY; - secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY; - secret/data/products/infrastructure-experience/ci/common RH_OPENSHIFT_TOKEN; - secret/data/products/infrastructure-experience/ci/common CI_OPENSHIFT_MAIN_PASSWORD; - - - name: Add profile credentials to ~/.aws/credentials - shell: bash - run: | - aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }} - aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }} - aws configure set region ${{ env.AWS_REGION }} --profile ${{ env.AWS_PROFILE }} - - - # TODO: directly use the aws/rosa-hcp/ terraform - # Also remove the versioning - - name: Create ROSA cluster and login - uses: camunda/camunda-tf-rosa/.github/actions/rosa-create-cluster@c94224888fbb8ddc0c737e7054fd66c661c3cd8d # main - # Do not interrupt tests; otherwise, the Terraform state may become inconsistent. 
- if: always() && success() - with: - rh-token: ${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }} - cluster-name: ${{ matrix.distro.clusterName }} - admin-username: ${{ env.OCP_ADMIN_USERNAME }} - admin-password: ${{ steps.secrets.outputs.CI_OPENSHIFT_MAIN_PASSWORD }} - aws-region: ${{ env.AWS_REGION }} - s3-backend-bucket: ${{ env.S3_BACKEND_BUCKET }} - s3-bucket-region: ${{ env.S3_BUCKET_REGION }} - replicas: 6 - openshift-version: ${{ matrix.distro.version }} - - - name: Export kubeconfig and encrypt it # this is required to pass matrix outputs securely using artifacts - id: export_kube_config - run: | - # shellcheck disable=SC2005 - echo "$(kubectl config view --raw)" > kubeconfig.yaml 2>/dev/null - openssl enc -aes-256-cbc -salt -in kubeconfig.yaml -out encrypted_kubeconfig.enc -pass pass:"${GITHUB_TOKEN}" -pbkdf2 - encrypted_kubeconfig_base64=$(base64 -w 0 encrypted_kubeconfig.enc) - echo "kubeconfig_raw=${encrypted_kubeconfig_base64}" >> "$GITHUB_OUTPUT" - - ## Write for matrix outputs workaround - - uses: cloudposse/github-action-matrix-outputs-write@ed06cf3a6bf23b8dce36d1cf0d63123885bb8375 # v1 - id: out - with: - matrix-step-name: ${{ github.job }} - matrix-key: ${{ matrix.distro.name }} - outputs: |- - kubeconfig_raw: ${{ steps.export_kube_config.outputs.kubeconfig_raw }} - - access-info: - name: Read kube configs from matrix - runs-on: ubuntu-latest - needs: prepare-clusters - outputs: - kubeconfig: ${{ steps.read-workflow.outputs.result }} - steps: - - uses: cloudposse/github-action-matrix-outputs-read@33cac12fa9282a7230a418d859b93fdbc4f27b5a # v1 - id: read-workflow - with: - matrix-step-name: prepare-clusters - - integration-tests: - name: Run integration tests - ${{ matrix.distro.name }} - needs: - - clusters-info - - access-info - strategy: - fail-fast: false - matrix: - distro: ${{ fromJson(needs.clusters-info.outputs.platform-matrix).distro }} - scenario: ${{ fromJson(needs.clusters-info.outputs.platform-matrix).scenario }} - secrets: inherit - - # 
TODO: we must adapt this tests part - uses: camunda/camunda-platform-helm/.github/workflows/test-integration-template.yaml@e59b3c5869098815f392e6cc9f3928dedcadaaf8 # main - with: - matrix-data: | - { - "distro": [${{ toJson(matrix.distro) }}], - "scenario": [${{ toJson(matrix.scenario) }}] - } - cluster-type: openshift - platforms: rosa - flows: ${{ matrix.scenario.flow }} - identifier: ${{ matrix.distro.clusterName }}-${{ matrix.scenario.flow }} - auth-data: ${{ fromJson(needs.access-info.outputs.kubeconfig).kubeconfig_raw[matrix.distro.name] }} - camunda-helm-dir: ${{ needs.clusters-info.outputs.tests-camunda-helm-dir }} - - cleanup-clusters: - name: Cleanup ROSA clusters - if: always() - runs-on: ubuntu-latest - needs: - - clusters-info - - integration-tests - strategy: - fail-fast: false - matrix: - distro: ${{ fromJson(needs.clusters-info.outputs.platform-matrix).distro }} - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - fetch-depth: 0 - - - name: Install asdf tools with cache - uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 - - - name: Import Secrets - id: secrets - uses: hashicorp/vault-action@v3 - with: - url: ${{ secrets.VAULT_ADDR }} - method: approle - roleId: ${{ secrets.VAULT_ROLE_ID }} - secretId: ${{ secrets.VAULT_SECRET_ID }} - exportEnv: false - secrets: | - secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY; - secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY; - secret/data/products/infrastructure-experience/ci/common RH_OPENSHIFT_TOKEN; - secret/data/products/infrastructure-experience/ci/common CI_OPENSHIFT_MAIN_PASSWORD; - - - name: Add profile credentials to ~/.aws/credentials - shell: bash - run: | - aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }} - aws configure set aws_secret_access_key ${{ 
steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }} - aws configure set region ${{ env.AWS_REGION }} --profile ${{ env.AWS_PROFILE }} - - - name: Delete on-demand ROSA HCP Cluster - uses: camunda/camunda-tf-rosa/.github/actions/rosa-delete-cluster@c94224888fbb8ddc0c737e7054fd66c661c3cd8d # main - if: always() && !(github.event_name == 'workflow_dispatch' && github.event.inputs.delete_clusters == 'false') - timeout-minutes: 125 - with: - rh-token: ${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }} - s3-backend-bucket: ${{ env.S3_BACKEND_BUCKET }} - cluster-name: ${{ matrix.distro.clusterName }} - aws-region: ${{ env.AWS_REGION }} - - report: - name: Report failures - if: github.event_name == 'schedule' && failure() - runs-on: ubuntu-latest - needs: - - integration-tests - - cleanup-clusters - steps: - - name: Notify in Slack in case of failure - id: slack-notification - uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 - with: - vault_addr: ${{ secrets.VAULT_ADDR }} - vault_role_id: ${{ secrets.VAULT_ROLE_ID }} - vault_secret_id: ${{ secrets.VAULT_SECRET_ID }} diff --git a/.github/workflows/generic_openshift_artifact_rosa_versions.yml b/.github/workflows/generic_openshift_artifact_rosa_versions.yml new file mode 100644 index 000000000..d2e9e118e --- /dev/null +++ b/.github/workflows/generic_openshift_artifact_rosa_versions.yml 
@@ -0,0 +1,68 @@ +--- +# This workflow updates an artifact containing the ROSA versions, +# it's used by renovate and published at https://camunda.github.io/camunda-deployment-references/rosa_versions.txt +name: Generic - OpenShift - Save ROSA Versions as an artifact + +on: + schedule: + - cron: 0 0 * * * + workflow_dispatch: + pull_request: + paths: + - .github/workflows/generic_openshift_artifact_rosa_versions.yml + +jobs: + save-rosa-versions: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + ref: gh-pages + + - name: Import Secrets + id: secrets + uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3 + with: + url: ${{ secrets.VAULT_ADDR }} + method: approle + roleId: ${{ secrets.VAULT_ROLE_ID }} + secretId: ${{ secrets.VAULT_SECRET_ID }} + exportEnv: false + secrets: | + secret/data/products/infrastructure-experience/ci/common RH_OPENSHIFT_TOKEN; + + - name: Install ROSA CLI and output rosa versions + shell: bash + run: | + curl -LO "https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/rosa-linux.tar.gz" + tar -xvf rosa-linux.tar.gz + sudo mv rosa /usr/local/bin/rosa + chmod +x /usr/local/bin/rosa + rm -f rosa-linux.tar.gz + rosa version + rosa login --token=${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }} + mkdir -p docs + rosa list versions --output json | jq '.[].raw_id' --raw-output > docs/rosa_versions.txt + + - name: Commit and push ROSA versions file to gh-pages + shell: bash + run: | + git diff --exit-code docs/rosa_versions.txt || { + git config --local user.name "github-actions[bot]" + git config --local user.email "github-actions[bot]@users.noreply.github.com" + git add docs/rosa_versions.txt + git commit -m "Update ROSA versions" + git push origin gh-pages + } + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Notify in Slack in case of failure + id: slack-notification + if: failure() && github.event_name == 'schedule' + uses: 
camunda/infraex-common-config/.github/actions/report-failure-on-slack@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + with: + vault_addr: ${{ secrets.VAULT_ADDR }} + vault_role_id: ${{ secrets.VAULT_ROLE_ID }} + vault_secret_id: ${{ secrets.VAULT_SECRET_ID }} diff --git a/.github/workflows/internal_global_links.yml b/.github/workflows/internal_global_links.yml new file mode 100644 index 000000000..76b1b67c9 --- /dev/null +++ b/.github/workflows/internal_global_links.yml 
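Review bot: In the `Install ROSA CLI and output rosa versions` step the Vault-sourced token is pasted into the script text with `rosa login --token=${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }}`, so the value is expanded before bash parses the line and any shell metacharacter in it would be interpreted as code. Passing it through the step environment keeps it as data: add `env:` with `RH_OPENSHIFT_TOKEN: ${{ steps.secrets.outputs.RH_OPENSHIFT_TOKEN }}` to the step and call `rosa login --token="${RH_OPENSHIFT_TOKEN}"`. The same step downloads `rosa-linux.tar.gz` from the `latest` path and installs it with sudo without comparing it against a published checksum, and that binary is then handed the token; pinning a release and verifying its digest before `tar -xvf` would close that gap. The workflow also runs on `pull_request`, where the last step can still reach `git push origin gh-pages`; if that is not wanted, a condition such as `if: github.event_name != 'pull_request'` on the commit step would prevent it.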
@@ -0,0 +1,54 @@
+---
+name: Internal - Global - Check external links
+
+on:
+ push:
+ workflow_dispatch:
+ schedule:
+ - cron: 0 3 1 * *
+ pull_request:
+ paths:
+ - .github/workflows/internal_global_links.yml
+
+jobs:
+ lint:
+ name: links-check
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+ - name: Get Current Timestamp
+ id: timestamp
+ run: echo "TIMESTAMP=$(date +%s)" >> "$GITHUB_ENV"
+
+ - name: Restore lychee cache
+ uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
+ with:
+ path: .lycheecache
+ key: cache-lychee-${{ env.TIMESTAMP }}
+ restore-keys: cache-lychee-
+
+ - name: Link Checker
+ uses: lycheeverse/lychee-action@f613c4a64e50d792e0b31ec34bbcbba12263c6a6 # v2.3.0
+ with:
+ fail: true
+ args: -c ./lychee-links.toml --base . --cache --max-cache-age 1d . --verbose --no-progress '*.md' './**/*.md'
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Create Issue From File
+ if: failure() && github.event_name == 'schedule'
+ uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd # v5
+ with:
+ title: Link Checker Report
+ content-filepath: ./lychee/out.md
+ labels: report, automated issue
+ assignees: '@camunda/infraex-medic'
+
+ - name: Notify in Slack in case of failure
+ id: slack-notification
+ if: failure() && github.event_name == 'schedule'
+ uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19
+ with:
+ vault_addr: ${{ secrets.VAULT_ADDR }}
+ vault_role_id: ${{ secrets.VAULT_ROLE_ID }}
+ vault_secret_id: ${{ secrets.VAULT_SECRET_ID }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/internal_global_lint.yml
similarity index 89%
rename from .github/workflows/lint.yml
rename to .github/workflows/internal_global_lint.yml
index 76ff1f43a..2e7b1a49a 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/internal_global_lint.yml
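Review bot: The new `internal_global_links.yml` workflow declares no `permissions:` block, so on every `push` the `GITHUB_TOKEN` handed to `lycheeverse/lychee-action` carries whatever default scope the repository is configured with, which is not visible from this diff. Only two capabilities are used here, reading the checkout and opening an issue in `Create Issue From File`; adding `permissions:` with `contents: read` and `issues: write` to the `lint` job states that explicitly and keeps the token narrow if the repository default is broader. Separately, `assignees: '@camunda/infraex-medic'` names a team handle, and issue assignees are normally individual user logins, so that step may fail on the scheduled run; worth confirming against the action's documentation.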
@@ -1,5 +1,5 @@ --- -name: lint +name: Internal - Global - Lint on: workflow_dispatch: diff --git a/.github/workflows/renovate-automerge.yml b/.github/workflows/internal_global_renovate_automerge.yml similarity index 88% rename from .github/workflows/renovate-automerge.yml rename to .github/workflows/internal_global_renovate_automerge.yml index 41ba9db71..65410f751 100644 --- a/.github/workflows/renovate-automerge.yml +++ b/.github/workflows/internal_global_renovate_automerge.yml @@ -1,5 +1,5 @@ --- -name: Renovate Auto Merge +name: Internal - Global - Renovate Auto Merge on: pull_request: diff --git a/.github/workflows/internal_global_sync_main.yml b/.github/workflows/internal_global_sync_main.yml new file mode 100644 index 000000000..d3c791fa0 --- /dev/null +++ b/.github/workflows/internal_global_sync_main.yml 
@@ -0,0 +1,57 @@
+---
+name: Internal - Global - Sync Main branch from latest Camunda stable version
+
+env:
+ CURRENT_STABLE_BRANCH: camunda-8.7
+
+on:
+ push:
+ branches:
+ - camunda-8.7 # keep it updated the current stable version
+ workflow_dispatch:
+
+
+concurrency:
+ group: stable-merge
+ cancel-in-progress: false
+
+jobs:
+ sync-main:
+ runs-on: ubuntu-latest
+ name: Syncing main from latest stable
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ fetch-depth: 0 # Full clone necessary for proper merge
+
+ - name: Generate token for GitHub
+ id: generate-github-token
+ uses: camunda/infra-global-github-actions/generate-github-app-token-from-vault-secrets@5d11ae14b11695bb23f62478361cf5f5cbac6811 # main
+ with:
+ github-app-id-vault-key: GITHUB_APP_ID
+ github-app-id-vault-path: secret/data/products/infrastructure-experience/ci/common
+ github-app-private-key-vault-key: GITHUB_APP_PRIVATE_KEY
+ github-app-private-key-vault-path: secret/data/products/infrastructure-experience/ci/common
+ vault-auth-method: approle
+ vault-auth-role-id: ${{ secrets.VAULT_ROLE_ID }}
+ vault-auth-secret-id: ${{ secrets.VAULT_SECRET_ID }}
+ vault-url: ${{ secrets.VAULT_ADDR }}
+
+ - name: Main sync merge
+ uses: robotology/gh-action-nightly-merge@81570ba03dd370f582bd3f52d47672d29191829f # v1.5.2
+ with:
+ stable_branch: ${{ env.CURRENT_STABLE_BRANCH }}
+ development_branch: main
+ allow_ff: false # Prevent fast-forward merges
+ env:
+ GITHUB_TOKEN: ${{ steps.generate-github-token.outputs.token }}
+
+ - name: Notify in Slack in case of failure
+ id: slack-notification
+ if: failure() && github.event_name == 'schedule'
+ uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19
+ with:
+ vault_addr: ${{ secrets.VAULT_ADDR }}
+ vault_role_id: ${{ secrets.VAULT_ROLE_ID }}
+ vault_secret_id: ${{ secrets.VAULT_SECRET_ID }}
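Review bot: The `Notify in Slack in case of failure` step is guarded by `if: failure() && github.event_name == 'schedule'`, but this workflow is only triggered by `push` to `camunda-8.7` and by `workflow_dispatch`, so the condition can never be true and a failed merge into `main` goes unreported. Because the job writes to `main` with a GitHub App token, a silent failure (a merge conflict, or credentials that no longer work) leaves the branches diverged with nobody alerted; `if: failure()` would match the triggers that actually exist. The branch name is also written twice, in `env.CURRENT_STABLE_BRANCH` and under `on.push.branches`, and the comment on the trigger could say so, for example `# must match env.CURRENT_STABLE_BRANCH above`, to keep the trigger and the merge source from drifting apart.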
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 684a75aed..c950026ae 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -26,7 +26,7 @@ repos: - id: actionlint-docker - repo: https://github.com/renovatebot/pre-commit-hooks - rev: 39.174.3 + rev: 39.185.0 hooks: - id: renovate-config-validator args: [--strict] @@ -41,7 +41,7 @@ repos: args: [--strict, --force-scope] - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.97.3 + rev: v1.97.4 hooks: - id: terraform_fmt - id: terraform_tflint @@ -64,7 +64,7 @@ repos: rev: v0.9.0.6 hooks: - id: shellcheck - args: [--external-sources, --source-path, .github/workflows/scripts, '--exclude=SC2154,SC2034,SC1091'] + args: [--external-sources] - repo: https://github.com/adrienverge/yamllint rev: v1.35.1 diff --git a/.tool-versions b/.tool-versions index 1ed8f0035..38feeddaf 100644 --- a/.tool-versions +++ b/.tool-versions @@ -16,27 +16,31 @@ # renovate: datasource=github-tags depName=rhysd/actionlint actionlint 1.7.7 -awscli 2.24.10 +awscli 2.24.15 delta 0.18.2 golang 1.24.0 -helm 3.17.1 - jq 1.7.1 just 1.39.0 +helm 3.17.1 + kubectl 1.32.2 +kustomize 5.6.0 # used by the tests + pre-commit 4.1.0 python 3.13.2 shellcheck 0.10.0 -terraform 1.10.5 +task 3.30.1 # used by the tests + +terraform 1.11.0 terraform-docs 0.19.0 @@ -45,5 +49,3 @@ tflint 0.55.1 trivy 0.59.1 yq 4.45.1 - -zbctl 8.5.8 diff --git a/DEVELOPER.md b/DEVELOPER.md new file mode 100644 index 000000000..b9edda69c --- /dev/null +++ b/DEVELOPER.md @@ -0,0 +1 @@ +TODO: write it (https://github.com/camunda/camunda-deployment-references/issues/117) diff --git a/MAINTENANCE.md b/MAINTENANCE.md new file mode 100644 index 000000000..39889df0e --- /dev/null +++ b/MAINTENANCE.md 
@@ -0,0 +1,24 @@ +# Maintenance of this repository + +TODO: write the complete maintenance guide (https://github.com/camunda/camunda-deployment-references/issues/110) + +## Branching Strategy for camunda-deployment-references + +The repository [https://github.com/camunda/camunda-deployment-references](https://github.com/camunda/camunda-deployment-references) follows the logic of maintaining only the [latest released version of Camunda](https://docs.camunda.io/docs/8.7/reference/release-notes/) on the `main` branch. + +=> Most of the time, we work on the next unreleased version. + +We should not merge into `main` directly but into the respective Camunda version branch we are working on. + +The `main` branch will be updated automatically when we push to the latest stable version branch, thanks to the workflow `.github/workflows/internal_global_sync_main.yml`. + +For example, consider the following branches: + +- `main/` +- `camunda-8.7` +- `camunda-8.6` +- `camunda-8.5` + +Where `8.6` is the latest stable version and `8.7` is the next one. The branch to target for merge requests should be `8.7` since it represents the upcoming version. + +When `8.7` becomes the new stable version, we will update the `internal_global_sync_main` workflow to merge it into `main`. diff --git a/README.md b/README.md index eb1766f8a..43204886d 100644 --- a/README.md +++ b/README.md 
@@ -14,7 +14,81 @@ For more details, refer to the official [Camunda Reference Architecture document ## Structure -The repository is structured into cloud providers (`aws`, `azure`, `general`) and internal-only reusable modules (`modules`). +The repository is organized into different cloud providers (`aws`, `azure`, `general`) and internal reusable modules (`modules`) that are associated with each cloud provider. + +### Naming Convention + +The directory structure follows a standardized naming pattern: + +``` +- {cloud_provider} + - modules + - {category} + - {solution}-{declination}-{feature} +``` + +Where: +- `{cloud_provider}`: The cloud provider (`aws`, `azure`, `generic`). +- `{category}`: The type of service or technology (e.g., `kubernetes`, `compute`). +- `{solution}`: The specific solution, such as `eks` (Amazon EKS), `gke` (Google Kubernetes Engine), or `ec2` (Amazon EC2). +- `{declination}`: A variation of the solution, such as: + - `spot-instances` (for EC2 cost optimization). + - `on-demand` (for standard EC2 instances). +- `{feature}`: A specific feature or deployment model, particularly in relation to **Camunda 8**, such as: + - `single-region` (deployment in a single region). + - `dual-region` (high availability across two regions). + +### Modules + +The `modules` directory is tied to specific cloud providers. Each cloud provider may include reusable modules that can be utilized across multiple solutions within that cloud environment. + +### Example Structure + +For AWS Kubernetes and EC2 solutions: + +``` +- aws + - kubernetes + - eks-spot-instances-dual-region + - eks-on-demand-single-region + - compute + - ec2-on-demand-single-region + - modules + - networking + - monitoring +``` + +## Requirements + +To manage the specific versions of this project, we use the following tools: + +- **[asdf](https://asdf-vm.com/)** version manager (see the [installation guide](https://asdf-vm.com/guide/getting-started.html)). 
+- **[just](https://github.com/casey/just)** as a command runner + You can install it using asdf with the following commands: + ```bash + asdf plugin add just + asdf install just + ``` + +### Installing Tooling + +Once these tools are installed, you can set up the necessary tooling listed in the `.tool-versions` file located at the root of the project by running the following: + +```bash +just install-tooling + +# To list all available recipes: +just --list +``` + +### Installing Tooling for a Specific Reference Architecture + +Each reference architecture has its own `.tool-versions` file located in its respective directory. To install the tooling for a specific architecture, navigate to the appropriate directory and run: + +```bash +cd aws/openshift/rosa-hcp-single-region +just install-tooling-current-dir +``` ## Support diff --git a/aws/ec2/.tool-versions b/aws/ec2/.tool-versions new file mode 100644 index 000000000..e86d752b8 --- /dev/null +++ b/aws/ec2/.tool-versions @@ -0,0 +1 @@ +# Specific tools used by this implementation only diff --git a/aws/ec2/scripts/.shellcheckrc b/aws/ec2/scripts/.shellcheckrc new file mode 100644 index 000000000..5806607be --- /dev/null +++ b/aws/ec2/scripts/.shellcheckrc @@ -0,0 +1 @@ +disable=SC2154,SC1091,SC2034 diff --git a/aws/ec2/scripts/camunda-install.sh b/aws/ec2/scripts/camunda-install.sh index 743f8b7be..f30e69c04 100755 --- a/aws/ec2/scripts/camunda-install.sh +++ b/aws/ec2/scripts/camunda-install.sh 
@@ -10,7 +10,7 @@ set -euo pipefail # Executed on remote host, defaults should be set here or env vars preconfigured on remote host OPENJDK_VERSION=${OPENJDK_VERSION:-"21"} # renovate: datasource=github-releases depName=camunda/camunda versioning=regex:^8\.6?(\.(?\d+))?$ -CAMUNDA_VERSION=${CAMUNDA_VERSION:-"8.6.9"} +CAMUNDA_VERSION=${CAMUNDA_VERSION:-"8.6.10"} # renovate: datasource=github-releases depName=camunda/connectors versioning=regex:^8\.6?(\.(?\d+))?$ CAMUNDA_CONNECTORS_VERSION=${CAMUNDA_CONNECTORS_VERSION:-"8.6.8"} MNT_DIR=${MNT_DIR:-"/opt/camunda"} diff --git a/aws/ec2/test/src/go.mod b/aws/ec2/test/src/go.mod index 94cbc9587..0ac15d2a4 100644 --- a/aws/ec2/test/src/go.mod +++ b/aws/ec2/test/src/go.mod @@ -4,8 +4,8 @@ go 1.23.2 require ( github.com/aws/aws-sdk-go v1.55.6 - github.com/aws/aws-sdk-go-v2/config v1.29.7 - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.45.14 + github.com/aws/aws-sdk-go-v2/config v1.29.8 + github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.46.0 github.com/gruntwork-io/terratest v0.48.2 github.com/stretchr/testify v1.10.0 github.com/tidwall/gjson v1.18.0 
@@ -20,18 +20,18 @@ require ( github.com/agext/levenshtein v1.2.3 // indirect github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect - github.com/aws/aws-sdk-go-v2 v1.36.2 // indirect + github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.60 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.29 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.33 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.33 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.61 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.14 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.24.16 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.15 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.33.15 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.25.0 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.0 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.33.16 // indirect github.com/aws/smithy-go v1.22.2 // indirect github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect github.com/davecgh/go-spew v1.1.1 // indirect diff --git a/aws/ec2/test/src/go.sum b/aws/ec2/test/src/go.sum index 603f77a4b..7688422ba 100644 --- a/aws/ec2/test/src/go.sum +++ b/aws/ec2/test/src/go.sum 
@@ -231,6 +231,8 @@ github.com/aws/aws-sdk-go-v2 v1.36.1 h1:iTDl5U6oAhkNPba0e1t1hrwAo02ZMqbrGq4k5JBW github.com/aws/aws-sdk-go-v2 v1.36.1/go.mod h1:5PMILGVKiW32oDzjj6RU52yrNrDPUHcbZQYr1sM7qmM= github.com/aws/aws-sdk-go-v2 v1.36.2 h1:Ub6I4lq/71+tPb/atswvToaLGVMxKZvjYDVOWEExOcU= github.com/aws/aws-sdk-go-v2 v1.36.2/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg= +github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM= +github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.6 h1:pT3hpW0cOHRJx8Y0DfJUEQuqPild8jRGmSFmBgvydr0= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.6/go.mod h1:j/I2++U0xX+cr44QjHay4Cvxj6FUbnxrgmqN3H1jTZA= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 h1:lL7IfaFzngfx0ZwUGOZdsFFnQ5uLvR0hWqqhyE7Q9M8= @@ -263,6 +265,8 @@ github.com/aws/aws-sdk-go-v2/config v1.29.6 h1:fqgqEKK5HaZVWLQoLiC9Q+xDlSp+1LYid github.com/aws/aws-sdk-go-v2/config v1.29.6/go.mod h1:Ft+WLODzDQmCTHDvqAH1JfC2xxbZ0MxpZAcJqmE1LTQ= github.com/aws/aws-sdk-go-v2/config v1.29.7 h1:71nqi6gUbAUiEQkypHQcNVSFJVUFANpSeUNShiwWX2M= github.com/aws/aws-sdk-go-v2/config v1.29.7/go.mod h1:yqJQ3nh2HWw/uxd56bicyvmDW4KSc+4wN6lL8pYjynU= +github.com/aws/aws-sdk-go-v2/config v1.29.8 h1:RpwAfYcV2lr/yRc4lWhUM9JRPQqKgKWmou3LV7UfWP4= +github.com/aws/aws-sdk-go-v2/config v1.29.8/go.mod h1:t+G7Fq1OcO8cXTPPXzxQSnj/5Xzdc9jAAD3Xrn9/Mgo= github.com/aws/aws-sdk-go-v2/credentials v1.17.41 h1:7gXo+Axmp+R4Z+AK8YFQO0ZV3L0gizGINCOWxSLY9W8= github.com/aws/aws-sdk-go-v2/credentials v1.17.41/go.mod h1:u4Eb8d3394YLubphT4jLEwN1rLNq2wFOlT6OuxFwPzU= github.com/aws/aws-sdk-go-v2/credentials v1.17.44 h1:qqfs5kulLUHUEXlHEZXLJkgGoF3kkUeFUTVA585cFpU= 
@@ -285,6 +289,8 @@ github.com/aws/aws-sdk-go-v2/credentials v1.17.59 h1:9btwmrt//Q6JcSdgJOLI98sdr5p github.com/aws/aws-sdk-go-v2/credentials v1.17.59/go.mod h1:NM8fM6ovI3zak23UISdWidyZuI1ghNe2xjzUZAyT+08= github.com/aws/aws-sdk-go-v2/credentials v1.17.60 h1:1dq+ELaT5ogfmqtV1eocq8SpOK1NRsuUfmhQtD/XAh4= github.com/aws/aws-sdk-go-v2/credentials v1.17.60/go.mod h1:HDes+fn/xo9VeszXqjBVkxOo/aUy8Mc6QqKvZk32GlE= +github.com/aws/aws-sdk-go-v2/credentials v1.17.61 h1:Hd/uX6Wo2iUW1JWII+rmyCD7MMhOe7ALwQXN6sKDd1o= +github.com/aws/aws-sdk-go-v2/credentials v1.17.61/go.mod h1:L7vaLkwHY1qgW0gG1zG0z/X0sQ5tpIY5iI13+j3qI80= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.17 h1:TMH3f/SCAWdNtXXVPPu5D6wrr4G5hI1rAxbcocKfC7Q= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.17/go.mod h1:1ZRXLdTpzdJb9fwTMXiLipENRxkGMTn1sfKexGllQCw= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19 h1:woXadbf0c7enQ2UGCi8gW/WuKmE0xIzxBF/eD94jMKQ= @@ -305,6 +311,8 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.28 h1:KwsodFKVQTlI5EyhRSugAL github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.28/go.mod h1:EY3APf9MzygVhKuPXAc5H+MkGb8k/DOSQjWS0LgkKqI= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.29 h1:JO8pydejFKmGcUNiiwt75dzLHRWthkwApIvPoyUtXEg= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.29/go.mod h1:adxZ9i9DRmB8zAT0pO0yGnsmu0geomp5a3uq5XpgOJ8= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 h1:UAsR3xA31QGf79WzpG/ixT9FZvQlh5HY1NRqSHBNOCk= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21/go.mod h1:JNr43NFf5L9YaG3eKTm7HQzls9J+A9YYcGI5Quh1r2Y= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23 h1:A2w6m6Tmr+BNXjDsr7M90zkWjsu4JXHwrzPg235STs4= 
@@ -325,6 +333,8 @@ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.32 h1:BjUcr3X3K0wZPGFg2 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.32/go.mod h1:80+OGC/bgzzFFTUmcuwD0lb4YutwQeKLFpmt6hoWapU= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.33 h1:knLyPMw3r3JsU8MFHWctE4/e2qWbPaxDYLlohPvnY8c= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.33/go.mod h1:EBp2HQ3f+XCB+5J+IoEbGhoV7CpJbnrsd4asNXmTL0A= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 h1:6jZVETqmYCadGFvrYEQfC5fAQmlo80CeL5psbno6r0s= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21/go.mod h1:1SR0GbLlnN3QUmYaflZNiH1ql+1qrSiB2vwcJ+4UM60= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23 h1:pgYW9FCabt2M25MoHYCfMrVY2ghiiBKYWUVXfwZs+sU= @@ -345,6 +355,8 @@ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.32 h1:m1GeXHVMJsRsUAqG6H github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.32/go.mod h1:IitoQxGfaKdVLNg0hD8/DXmAqNy0H4K2H2Sf91ti8sI= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.33 h1:K0+Ne08zqti8J9jwENxZ5NoUyBnaFDTu3apwQJWrwwA= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.33/go.mod h1:K97stwwzaWzmqxO8yLGHhClbVW1tC6VT1pDLk1pGrq4= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 h1:Pg9URiobXy85kgFev3og2CuOZ8JZUBENF+dcgWBaYNk= 
@@ -373,6 +385,8 @@ github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.45.13 h1:K/SMc/txIuI5AdrF github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.45.13/go.mod h1:Uzoo03M67tRA/VZwTjhNnPJE0Lr63EhN0rT2H1Qzf6c= github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.45.14 h1:Xc90sglbEnAC1X4d4ui422Ppw0HWjyNoqGAE1Dq+Rcg= github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.45.14/go.mod h1:IbPFVuHnR+Klb3rrZHai890N1dnMCJZ0GeRfG0fj+ys= +github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.46.0 h1:HPS8ojAC0E1tIPYgH+fWi8y88+LZPZrcDowEfhsVdCM= +github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.46.0/go.mod h1:uo14VBn5cNk/BPGTPz3kyLBxgpgOObgO8lmz+H7Z4Ck= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 h1:TToQNkvGguu209puTojY/ozlqy2d/SFNcoLIqTFi42g= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0/go.mod h1:0jp+ltwkf+SwG2fm/PKo8t4y8pJSgOCO4D8Lz3k0aHQ= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 h1:iXtILhvDxB6kPvEXgsDhGaZCSC6LQET5ZHSdJozeI0Y= 
@@ -401,6 +415,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.13 h1:SYVGSFQH github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.13/go.mod h1:kizuDaLX37bG5WZaoxGPQR/LNFXpxp0vsUnqfkWXfNE= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.14 h1:2scbY6//jy/s8+5vGrk7l1+UtHl0h9A4MjOO2k/TM2E= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.14/go.mod h1:bRpZPHZpSe5YRHmPfK3h1M7UBFCn2szHzyx0rw04zro= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY= github.com/aws/aws-sdk-go-v2/service/sso v1.24.2 h1:bSYXVyUzoTHoKalBmwaZxs97HU9DWWI3ehHSAMa7xOk= github.com/aws/aws-sdk-go-v2/service/sso v1.24.2/go.mod h1:skMqY7JElusiOUjMJMOv1jJsP7YUg7DrhgqZZWuzu1U= github.com/aws/aws-sdk-go-v2/service/sso v1.24.5 h1:HJwZwRt2Z2Tdec+m+fPjvdmkq2s9Ra+VR0hjF7V2o40= @@ -421,6 +437,8 @@ github.com/aws/aws-sdk-go-v2/service/sso v1.24.15 h1:/eE3DogBjYlvlbhd2ssWyeuovWu github.com/aws/aws-sdk-go-v2/service/sso v1.24.15/go.mod h1:2PCJYpi7EKeA5SkStAmZlF6fi0uUABuhtF8ILHjGc3Y= github.com/aws/aws-sdk-go-v2/service/sso v1.24.16 h1:YV6xIKDJp6U7YB2bxfud9IENO1LRpGhe2Tv/OKtPrOQ= github.com/aws/aws-sdk-go-v2/service/sso v1.24.16/go.mod h1:DvbmMKgtpA6OihFJK13gHMZOZrCHttz8wPHGKXqU+3o= +github.com/aws/aws-sdk-go-v2/service/sso v1.25.0 h1:2U9sF8nKy7UgyEeLiZTRg6ShBS22z8UnYpV6aRFL0is= +github.com/aws/aws-sdk-go-v2/service/sso v1.25.0/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.2 h1:AhmO1fHINP9vFYUE0LHzCWg/LfUWUF+zFPEcY9QXb7o= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.2/go.mod h1:o8aQygT2+MVP0NaV6kbdE1YnnIM8RRVQzoeUH45GOdI= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4 h1:zcx9LiGWZ6i6pjdcoE9oXAB6mUdeyC36Ia/QEiIvYdg= 
@@ -441,6 +459,8 @@ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.14 h1:M/zwXiL2iXUrHputuXgmO94 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.14/go.mod h1:RVwIw3y/IqxC2YEXSIkAzRDdEU1iRabDPaYjpGCbCGQ= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.15 h1:kMyK3aKotq1aTBsj1eS8ERJLjqYRRRcsmP33ozlCvlk= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.15/go.mod h1:5uPZU7vSNzb8Y0dm75xTikinegPYK3uJmIHQZFq5Aqo= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.0 h1:wjAdc85cXdQR5uLx5FwWvGIHm4OPJhTyzUHU8craXtE= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.0/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs= github.com/aws/aws-sdk-go-v2/service/sts v1.32.2 h1:CiS7i0+FUe+/YY1GvIBLLrR/XNGZ4CtM1Ll0XavNuVo= github.com/aws/aws-sdk-go-v2/service/sts v1.32.2/go.mod h1:HtaiBI8CjYoNVde8arShXb94UbQQi9L4EMr6D+xGBwo= github.com/aws/aws-sdk-go-v2/service/sts v1.32.4 h1:yDxvkz3/uOKfxnv8YhzOi9m+2OGIxF+on3KOISbK5IU= @@ -463,6 +483,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.33.14 h1:TzeR06UCMUq+KA3bDkujxK1GVGy github.com/aws/aws-sdk-go-v2/service/sts v1.33.14/go.mod h1:dspXf/oYWGWo6DEvj98wpaTeqt5+DMidZD0A9BYTizc= github.com/aws/aws-sdk-go-v2/service/sts v1.33.15 h1:ht1jVmeeo2anR7zDiYJLSnRYnO/9NILXXu42FP3rJg0= github.com/aws/aws-sdk-go-v2/service/sts v1.33.15/go.mod h1:xWZ5cOiFe3czngChE4LhCBqUxNwgfwndEF7XlYP/yD8= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.16 h1:BHEK2Q/7CMRMCb3nySi/w8UbIcPhKvYP5s1xf8/izn0= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.16/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4= github.com/aws/smithy-go v1.22.0 h1:uunKnWlcoL3zO7q+gG2Pk53joueEOsnNB28QdMsmiMM= github.com/aws/smithy-go v1.22.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro= diff --git a/aws/modules/rosa-hcp/README.md b/aws/modules/rosa-hcp/README.md new file mode 100644 index 000000000..7a90ca995 --- /dev/null +++ b/aws/modules/rosa-hcp/README.md 
@@ -0,0 +1,124 @@ +# rosa-hcp + +This module automates the creation of a ROSA HCP cluster with an opinionated configuration targeting Camunda 8 on AWS using Terraform. + +## Requirements + +Requirements not installed by asdf: + +* ROSA CLI ([installation guide](https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-installing-rosa.html)) +* OpenShift CLI ([installation guide](https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/getting-started-cli.html)) + + +### Enable ROSA in AWS Marketplace + +1. Login onto AWS +2. Check if ELB role exists +```bash +# To check if the role exists for your account, run this command in your terminal: +aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing" + +# If the role doesn't exist, create it by running the following command: +aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com" + +``` +3. Login onto [Red Hat Hybrid Cloud Console](https://console.redhat.com/openshift/token) +4. Generate an Offline token, click on "Load Token" +```bash +export RHCS_TOKEN=yourToken +rosa login --token="$RHCS_TOKEN" + +rosa whoami + +rosa verify quota --region="$AWS_REGION" + +# this may fail due to org policy +rosa verify permissions --region="$AWS_REGION" + +rosa create account-roles --mode auto +``` +5. Enable HCP ROSA on [AWS MarkePlace](https://docs.openshift.com/rosa/cloud_experts_tutorials/cloud-experts-rosa-hcp-activation-and-account-linking-tutorial.html) + * Navigate to the ROSA console : https://console.aws.amazon.com/rosa + * Choose Get started. + * On the Verify ROSA prerequisites page, select I agree to share my contact information with Red Hat. 
+ * Choose Enable ROSA + +Please note that **Only a single AWS account that will be used for service billing can be associated with a Red Hat account.** + +Base tutorial https://aws.amazon.com/blogs/containers/build-rosa-clusters-with-terraform/ + +## Retrieve cluster informations + +1. In the output, you will have the created cluster id: +```bash +cluster_id = "2b3sq2r4geb7b6htaibb4uqk9qc9c3fa" +``` +2. Describe the cluster +```bash +export CLUSTER_ID="2b3sq2r4geb7b6htaibb4uqk9qc9c3fa" + +rosa describe cluster --output=json -c $CLUSTER_ID +``` +3. Generate the kubeconfig: +```bash +export NAMESPACE="myNs" +export SERVER_API=$(rosa describe cluster --output=json -c "$CLUSTER_ID" | jq -r '.api.url') +oc login --username "$ADMIN_USER" --password "$ADMIN_PASS" --server=$SERVER_API + +kubectl config rename-context $(oc config current-context) "$CLUSTER_NAME" +kubectl config use "$CLUSTER_NAME" + +# create a new project +oc new-project "$NAMESPACE" +``` + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [htpasswd\_idp](#module\_htpasswd\_idp) | terraform-redhat/rosa-hcp/rhcs//modules/idp | 1.6.5 | +| [rosa\_hcp](#module\_rosa\_hcp) | terraform-redhat/rosa-hcp/rhcs | 1.6.5 | +| [vpc](#module\_vpc) | terraform-redhat/rosa-hcp/rhcs//modules/vpc | 1.6.5 | +## Resources + +| Name | Type | +|------|------| +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_eips.current_usage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eips) | data source | +| [aws_servicequotas_service_quota.elastic_ip_quota](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/servicequotas_service_quota) | data source | +| [aws_vpcs.current_vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source | +## Inputs + +| Name | Description | Type | Default | Required | 
+|------|-------------|------|---------|:--------:| +| [availability\_zones](#input\_availability\_zones) | A list of availability zone names in the region. By default, this is set to `null` and is not used; instead, `availability_zones_count` manages the number of availability zones. This value should not be updated directly. To make changes, please create a new resource. | `list(string)` | `null` | no | +| [availability\_zones\_count](#input\_availability\_zones\_count) | The count of availability (minimum 2) zones to utilize within the specified AWS Region, where pairs of public and private subnets will be generated. Valid only when availability\_zones variable is not provided. This value should not be updated, please create a new resource instead. | `number` | `2` | no | +| [aws\_availability\_zones](#input\_aws\_availability\_zones) | The AWS availability zones where instances of the default worker machine pool are deployed. Leave empty for the installer to pick availability zones from the VPC `availability_zones` or `availability_zones_count` | `list(string)` | `[]` | no | +| [cluster\_name](#input\_cluster\_name) | The name of the ROSA cluster to create | `string` | `"my-ocp-cluster"` | no | +| [compute\_node\_instance\_type](#input\_compute\_node\_instance\_type) | The EC2 instance type to use for compute nodes | `string` | `"m7i.xlarge"` | no | +| [host\_prefix](#input\_host\_prefix) | The subnet mask to assign to each compute node in the cluster | `string` | `"23"` | no | +| [htpasswd\_password](#input\_htpasswd\_password) | htpasswd password | `string` | n/a | yes | +| [htpasswd\_username](#input\_htpasswd\_username) | htpasswd username | `string` | `"kubeadmin"` | no | +| [machine\_cidr\_block](#input\_machine\_cidr\_block) | value of the CIDR block to use for the machine | `string` | `"10.0.0.0/18"` | no | +| [openshift\_version](#input\_openshift\_version) | The version of ROSA to be deployed | `string` | `"4.18.1"` | no | +| 
[pod\_cidr\_block](#input\_pod\_cidr\_block) | value of the CIDR block to use for the pods | `string` | `"10.0.64.0/18"` | no | +| [private](#input\_private) | Restrict master API endpoint and application routes to direct, private connectivity. | `bool` | `false` | no | +| [replicas](#input\_replicas) | The number of computer nodes to create. Must be a minimum of 2 for a single-AZ cluster, 3 for multi-AZ. | `string` | `"2"` | no | +| [service\_cidr\_block](#input\_service\_cidr\_block) | value of the CIDR block to use for the services | `string` | `"10.0.128.0/18"` | no | +| [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | value of the CIDR block to use for the VPC | `string` | `"10.0.0.0/16"` | no | +## Outputs + +| Name | Description | +|------|-------------| +| [all\_subnets](#output\_all\_subnets) | A comma-separated list of all subnet IDs (both public and private) in the VPC. This list can be used with the '--subnet-ids' parameter in ROSA commands for configuring cluster networking. | +| [aws\_caller\_identity\_account\_id](#output\_aws\_caller\_identity\_account\_id) | The AWS account ID of the caller. This is the account under which the Terraform code is being executed. | +| [cluster\_console\_url](#output\_cluster\_console\_url) | The URL endpoint for accessing the OpenShift web console. This endpoint provides a web-based user interface for managing the OpenShift cluster. | +| [cluster\_id](#output\_cluster\_id) | The unique identifier of the OpenShift cluster created on Red Hat OpenShift Service on AWS (ROSA). This ID is used to reference the cluster in subsequent operations. | +| [oidc\_provider\_id](#output\_oidc\_provider\_id) | OIDC provider for the OpenShift ROSA cluster. Allows to add additional IRSA mappings. | +| [openshift\_api\_url](#output\_openshift\_api\_url) | The URL endpoint for accessing the OpenShift API. This endpoint is used to interact with the OpenShift cluster's API server. 
| +| [private\_subnet\_ids](#output\_private\_subnet\_ids) | A comma-separated list of private subnet IDs in the VPC. These subnets are typically used for internal resources that do not require direct internet access. | +| [public\_subnet\_ids](#output\_public\_subnet\_ids) | A comma-separated list of public subnet IDs in the VPC. These subnets are typically used for resources that require internet access. | +| [vpc\_availability\_zones](#output\_vpc\_availability\_zones) | The availability zones in which the VPC is located. This provides information about the distribution of resources across different physical locations within the AWS region. | +| [vpc\_id](#output\_vpc\_id) | The ID of the Virtual Private Cloud (VPC) where the OpenShift cluster and related resources are deployed. | + diff --git a/aws/modules/rosa-hcp/outputs.tf b/aws/modules/rosa-hcp/outputs.tf new file mode 100644 index 000000000..fadbe4c82 --- /dev/null +++ b/aws/modules/rosa-hcp/outputs.tf 
@@ -0,0 +1,49 @@
+output "public_subnet_ids" {
+ value = join(",", module.vpc.public_subnets)
+ description = "A comma-separated list of public subnet IDs in the VPC. These subnets are typically used for resources that require internet access."
+}
+
+output "private_subnet_ids" {
+ value = join(",", module.vpc.private_subnets)
+ description = "A comma-separated list of private subnet IDs in the VPC. These subnets are typically used for internal resources that do not require direct internet access."
+}
+
+output "all_subnets" {
+ value = join(",", concat(module.vpc.private_subnets, module.vpc.public_subnets))
+ description = "A comma-separated list of all subnet IDs (both public and private) in the VPC. This list can be used with the '--subnet-ids' parameter in ROSA commands for configuring cluster networking."
+}
+
+output "cluster_id" {
+ value = module.rosa_hcp.cluster_id
+ description = "The unique identifier of the OpenShift cluster created on Red Hat OpenShift Service on AWS (ROSA). This ID is used to reference the cluster in subsequent operations."
+}
+
+output "openshift_api_url" {
+ value = module.rosa_hcp.cluster_api_url
+ description = "The URL endpoint for accessing the OpenShift API. This endpoint is used to interact with the OpenShift cluster's API server."
+}
+
+output "cluster_console_url" {
+ value = module.rosa_hcp.cluster_console_url
+ description = "The URL endpoint for accessing the OpenShift web console. This endpoint provides a web-based user interface for managing the OpenShift cluster."
+}
+
+output "vpc_id" {
+ value = module.vpc.vpc_id
+ description = "The ID of the Virtual Private Cloud (VPC) where the OpenShift cluster and related resources are deployed."
+}
+
+output "vpc_availability_zones" {
+ value = module.vpc.availability_zones
+ description = "The availability zones in which the VPC is located. This provides information about the distribution of resources across different physical locations within the AWS region."
+} + +output "aws_caller_identity_account_id" { + value = data.aws_caller_identity.current.account_id + description = "The AWS account ID of the caller. This is the account under which the Terraform code is being executed." +} + +output "oidc_provider_id" { + value = module.rosa_hcp.oidc_config_id + description = "OIDC provider for the OpenShift ROSA cluster. Allows to add additional IRSA mappings." +} diff --git a/aws/rosa-hcp/camunda-versions/8.7/config.tf b/aws/modules/rosa-hcp/providers.tf similarity index 52% rename from aws/rosa-hcp/camunda-versions/8.7/config.tf rename to aws/modules/rosa-hcp/providers.tf index 78ac718f0..b57501ebe 100644 --- a/aws/rosa-hcp/camunda-versions/8.7/config.tf +++ b/aws/modules/rosa-hcp/providers.tf @@ -1,3 +1,5 @@ +data "aws_caller_identity" "current" {} + terraform { required_version = ">= 1.0" @@ -7,15 +9,8 @@ terraform { version = ">= 5.35.0" } rhcs = { - version = "1.6.8" + version = ">= 1.6.0" source = "terraform-redhat/rhcs" } } - - backend "s3" { - encrypt = true - } } - -# ensure RHCS_TOKEN env variable is set with a value from https://console.redhat.com/openshift/token/rosa -provider "rhcs" {} diff --git a/aws/modules/rosa-hcp/rosa.tf b/aws/modules/rosa-hcp/rosa.tf new file mode 100644 index 000000000..0b5b5d11f --- /dev/null +++ b/aws/modules/rosa-hcp/rosa.tf 
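Review bot: The `oidc_provider_id` output at the end of this hunk is fed from `module.rosa_hcp.oidc_config_id`, so neither its name nor its description ("OIDC provider for the OpenShift ROSA cluster") says which identifier a caller actually receives. Someone wiring IRSA trust policies from this value needs to know whether it is the OIDC configuration ID or an IAM provider ARN/URL; going by the attribute name it is presumably the former, which should be confirmed against the upstream module. I would state that in the description, for example `description = "ID of the OIDC configuration created for the ROSA cluster (module.rosa_hcp.oidc_config_id). Used to add additional IRSA mappings."`.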
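Review bot: `required_version = ">= 1.0"` in the first providers.tf hunk is lower than what this module needs. `rosa.tf`, added in the same commit, declares a `check "elastic_ip_quota_check"` block, and `check` blocks are only understood from Terraform 1.5 onwards, so an older CLI fails while parsing the module instead of being turned away by the version constraint. Raise the floor to `required_version = ">= 1.5"`. The `terraform` block continues outside this hunk.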
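Review bot: The new `version = ">= 1.6.0"` for the rhcs provider has no upper bound, so a future major release of `terraform-redhat/rhcs` can be selected without any change in this repository, while the `rosa-hcp` submodules in `rosa.tf` stay pinned to `1.6.5`. A range is reasonable in a reusable module, but I would bound it with `version = "~> 1.6"` and leave the exact version and hashes to the `.terraform.lock.hcl` of each root configuration; whether those lock files are committed is not visible here. The same hunk removes `backend "s3" { encrypt = true }`, which is correct for a module but means state encryption now has to be configured by every caller.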
@@ -0,0 +1,97 @@
+locals {
+ account_role_prefix = "${var.cluster_name}-account"
+ operator_role_prefix = "${var.cluster_name}-operator"
+
+ tags = {
+ "owner" = data.aws_caller_identity.current.arn
+ }
+
+ availability_zones_count_computed = var.availability_zones == null ? var.availability_zones_count : (length(var.availability_zones) > 0 ? length(var.availability_zones) : var.availability_zones_count)
+}
+
+data "aws_servicequotas_service_quota" "elastic_ip_quota" {
+ service_code = "ec2"
+ quota_code = "L-0263D0A3" # Quota code for Elastic IP addresses per region
+}
+
+
+data "aws_eips" "current_usage" {}
+
+# Data source to check if the VPC exists
+data "aws_vpcs" "current_vpcs" {
+ tags = {
+ Name = "${var.cluster_name}-vpc"
+ }
+}
+
+check "elastic_ip_quota_check" {
+
+ # Only check the condition when no existing vpc is there.
+ assert {
+ condition = length(data.aws_vpcs.current_vpcs.ids) > 0 || (data.aws_servicequotas_service_quota.elastic_ip_quota.value - length(data.aws_eips.current_usage.public_ips)) >= local.availability_zones_count_computed
+ error_message = "Not enough available Elastic IPs to cover all local availability zones (need: ${local.availability_zones_count_computed}, have: ${(data.aws_servicequotas_service_quota.elastic_ip_quota.value - length(data.aws_eips.current_usage.public_ips))})."
+ }
+}
+
+module "rosa_hcp" {
+ source = "terraform-redhat/rosa-hcp/rhcs"
+ version = "1.6.5"
+
+ openshift_version = var.openshift_version
+ cluster_name = var.cluster_name
+ private = var.private
+
+ compute_machine_type = var.compute_node_instance_type
+ tags = local.tags
+
+ machine_cidr = var.machine_cidr_block
+ service_cidr = var.service_cidr_block
+ pod_cidr = var.pod_cidr_block
+ properties = { rosa_creator_arn = data.aws_caller_identity.current.arn }
+
+
+ replicas = var.replicas
+ aws_availability_zones = length(var.aws_availability_zones) > 0 ? var.aws_availability_zones : module.vpc.availability_zones
+
+ aws_subnet_ids = concat(
+ module.vpc.public_subnets, module.vpc.private_subnets,
+ )
+
+ host_prefix = var.host_prefix
+
+ // STS configuration
+ create_account_roles = true
+ account_role_prefix = local.account_role_prefix
+ create_oidc = true
+ create_operator_roles = true
+ operator_role_prefix = local.operator_role_prefix
+
+ wait_for_create_complete = true
+ wait_for_std_compute_nodes_complete = true
+
+ depends_on = [
+ module.vpc,
+ ]
+}
+
+module "htpasswd_idp" {
+ source = "terraform-redhat/rosa-hcp/rhcs//modules/idp"
+ version = "1.6.5"
+
+ cluster_id = module.rosa_hcp.cluster_id
+ name = "htpasswd-idp"
+ idp_type = "htpasswd"
+ htpasswd_idp_users = [{ username = var.htpasswd_username, password = var.htpasswd_password }]
+}
+
+module "vpc" {
+ source = "terraform-redhat/rosa-hcp/rhcs//modules/vpc"
+ version = "1.6.5"
+
+ name_prefix = var.cluster_name
+
+ availability_zones_count = var.availability_zones != null ? null : var.availability_zones_count
+ availability_zones = var.availability_zones
+
+ vpc_cidr = var.vpc_cidr_block
+}
diff --git a/aws/modules/rosa-hcp/vars.tf b/aws/modules/rosa-hcp/vars.tf
new file mode 100644
index 000000000..d1ed6804f
--- /dev/null
+++ b/aws/modules/rosa-hcp/vars.tf
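Review bot: The password handed to `module "htpasswd_idp"` through `htpasswd_idp_users = [{ username = var.htpasswd_username, password = var.htpasswd_password }]` will end up in the Terraform state in clear text, because `sensitive = true` on the variable only redacts plan and apply output. This commit also drops the `backend "s3" { encrypt = true }` block from the module's `providers.tf`, so protecting that state is left entirely to the calling configuration, and nothing in the module says so. I would add a comment above the module block, e.g. `# NOTE: htpasswd_password is persisted in state; callers must use an encrypted, access-restricted backend`, and repeat it next to `htpasswd_password` in the README inputs table.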
@@ -0,0 +1,95 @@
+
+variable "cluster_name" {
+ type = string
+ description = "The name of the ROSA cluster to create"
+ default = "my-ocp-cluster"
+}
+
+variable "openshift_version" {
+ type = string
+ description = "The version of ROSA to be deployed"
+ # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=semver
+ default = "4.18.1"
+ validation {
+ condition = can(regex("^[0-9]*[0-9]+.[0-9]*[0-9]+.[0-9]*[0-9]+$", var.openshift_version))
+ error_message = "openshift_version must be with structure .. (for example 4.13.6)."
+ }
+}
+
+variable "replicas" {
+ type = string
+ description = "The number of computer nodes to create. Must be a minimum of 2 for a single-AZ cluster, 3 for multi-AZ."
+ default = "2"
+}
+
+variable "private" {
+ type = bool
+ description = "Restrict master API endpoint and application routes to direct, private connectivity."
+ default = false
+}
+
+variable "compute_node_instance_type" {
+ type = string
+ description = "The EC2 instance type to use for compute nodes"
+ default = "m7i.xlarge"
+}
+
+variable "host_prefix" {
+ type = string
+ description = "The subnet mask to assign to each compute node in the cluster"
+ default = "23"
+}
+
+variable "availability_zones_count" {
+ type = number
+ description = "The count of availability (minimum 2) zones to utilize within the specified AWS Region, where pairs of public and private subnets will be generated. Valid only when availability_zones variable is not provided. This value should not be updated, please create a new resource instead."
+ default = 2
+}
+
+variable "availability_zones" {
+ type = list(string)
+ description = "A list of availability zone names in the region. By default, this is set to `null` and is not used; instead, `availability_zones_count` manages the number of availability zones. This value should not be updated directly. To make changes, please create a new resource."
+ default = null
+}
+
+
+variable "aws_availability_zones" {
+ type = list(string)
+ description = "The AWS availability zones where instances of the default worker machine pool are deployed. Leave empty for the installer to pick availability zones from the VPC `availability_zones` or `availability_zones_count`"
+ default = []
+}
+
+variable "vpc_cidr_block" {
+ type = string
+ description = "value of the CIDR block to use for the VPC"
+ default = "10.0.0.0/16"
+}
+
+variable "machine_cidr_block" {
+ type = string
+ description = "value of the CIDR block to use for the machine"
+ default = "10.0.0.0/18"
+}
+
+variable "service_cidr_block" {
+ type = string
+ description = "value of the CIDR block to use for the services"
+ default = "10.0.128.0/18"
+}
+variable "pod_cidr_block" {
+ type = string
+ description = "value of the CIDR block to use for the pods"
+ default = "10.0.64.0/18"
+}
+
+variable "htpasswd_username" {
+ type = string
+ description = "htpasswd username"
+ default = "kubeadmin"
+}
+
+variable "htpasswd_password" {
+ type = string
+ description = "htpasswd password"
+ sensitive = true
+}
diff --git a/aws/openshift/rosa-hcp-dual-region/.tool-versions b/aws/openshift/rosa-hcp-dual-region/.tool-versions
new file mode 100644
index 000000000..e86d752b8
--- /dev/null
+++ b/aws/openshift/rosa-hcp-dual-region/.tool-versions
@@ -0,0 +1 @@
+# Specific tools used by this implementation only
diff --git a/aws/rosa-hcp-dual-region/README.md b/aws/openshift/rosa-hcp-dual-region/README.md
similarity index 64%
rename from aws/rosa-hcp-dual-region/README.md
rename to aws/openshift/rosa-hcp-dual-region/README.md
index 3dcabe341..7956b1c8a 100644
--- a/aws/rosa-hcp-dual-region/README.md
+++ b/aws/openshift/rosa-hcp-dual-region/README.md
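Review bot: The `validation` on `openshift_version` does not enforce the format its error message describes. In `"^[0-9]*[0-9]+.[0-9]*[0-9]+.[0-9]*[0-9]+$"` the dots are unescaped and match any character, so a constructed value such as `4x18y1` passes, and each `[0-9]*[0-9]+` is equivalent to `[0-9]+`. Use `condition = can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+$", var.openshift_version))` so that only three dot-separated numbers reach the `rosa_hcp` module.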
@@ -1,4 +1,4 @@ # Camunda on AWS ROSA dual-region This folder describes the IaC of Camunda on AWS ROSA in a dual-region setup. -Instructions can be found on the official documentation: https://docs.camunda.io/docs/self-managed/setup/deploy/amazon/openshift/terraform-setup-dual-region/ +Instructions can be found on the official documentation: https://docs.camunda.io/docs/8.7/self-managed/setup/deploy/amazon/openshift/terraform-setup-dual-region/ diff --git a/aws/rosa-hcp-dual-region/procedure/acm/auto-import-cluster-secret.yml.tpl b/aws/openshift/rosa-hcp-dual-region/procedure/acm/auto-import-cluster-secret.yml.tpl similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/acm/auto-import-cluster-secret.yml.tpl rename to aws/openshift/rosa-hcp-dual-region/procedure/acm/auto-import-cluster-secret.yml.tpl diff --git a/aws/rosa-hcp-dual-region/procedure/acm/initiate_cluster_set.sh b/aws/openshift/rosa-hcp-dual-region/procedure/acm/initiate_cluster_set.sh similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/acm/initiate_cluster_set.sh rename to aws/openshift/rosa-hcp-dual-region/procedure/acm/initiate_cluster_set.sh diff --git a/aws/rosa-hcp-dual-region/procedure/acm/install-manifest.yml b/aws/openshift/rosa-hcp-dual-region/procedure/acm/install-manifest.yml similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/acm/install-manifest.yml rename to aws/openshift/rosa-hcp-dual-region/procedure/acm/install-manifest.yml diff --git a/aws/rosa-hcp-dual-region/procedure/acm/klusterlet-config.yml.tpl b/aws/openshift/rosa-hcp-dual-region/procedure/acm/klusterlet-config.yml.tpl similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/acm/klusterlet-config.yml.tpl rename to aws/openshift/rosa-hcp-dual-region/procedure/acm/klusterlet-config.yml.tpl 
diff --git a/aws/rosa-hcp-dual-region/procedure/acm/managed-cluster-set.yml b/aws/openshift/rosa-hcp-dual-region/procedure/acm/managed-cluster-set.yml similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/acm/managed-cluster-set.yml rename to aws/openshift/rosa-hcp-dual-region/procedure/acm/managed-cluster-set.yml diff --git a/aws/rosa-hcp-dual-region/procedure/acm/managed-cluster.yml.tpl b/aws/openshift/rosa-hcp-dual-region/procedure/acm/managed-cluster.yml.tpl similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/acm/managed-cluster.yml.tpl rename to aws/openshift/rosa-hcp-dual-region/procedure/acm/managed-cluster.yml.tpl diff --git a/aws/rosa-hcp-dual-region/procedure/acm/multi-cluster-hub.yml b/aws/openshift/rosa-hcp-dual-region/procedure/acm/multi-cluster-hub.yml similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/acm/multi-cluster-hub.yml rename to aws/openshift/rosa-hcp-dual-region/procedure/acm/multi-cluster-hub.yml diff --git a/aws/rosa-hcp-dual-region/procedure/camunda/8.7/export_environment_prerequisites.sh b/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/export_environment_prerequisites.sh similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/camunda/8.7/export_environment_prerequisites.sh rename to aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/export_environment_prerequisites.sh diff --git a/aws/rosa-hcp-dual-region/procedure/camunda/8.7/export_services_submariner.sh b/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/export_services_submariner.sh similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/camunda/8.7/export_services_submariner.sh rename to aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/export_services_submariner.sh 
diff --git a/aws/rosa-hcp-dual-region/procedure/camunda/8.7/generate_helm_values.sh b/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/generate_helm_values.sh similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/camunda/8.7/generate_helm_values.sh rename to aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/generate_helm_values.sh diff --git a/aws/rosa-hcp-dual-region/procedure/camunda/8.7/generate_zeebe_helm_values.sh b/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/generate_zeebe_helm_values.sh similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/camunda/8.7/generate_zeebe_helm_values.sh rename to aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/generate_zeebe_helm_values.sh diff --git a/aws/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-base.yml b/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-base.yml similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-base.yml rename to aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-base.yml diff --git a/aws/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-region-1.yml b/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-region-1.yml similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-region-1.yml rename to aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-region-1.yml diff --git a/aws/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-region-2.yml b/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-region-2.yml similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-region-2.yml rename to aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-region-2.yml 
diff --git a/aws/rosa-hcp-dual-region/procedure/camunda/8.7/install_chart.sh b/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/install_chart.sh similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/camunda/8.7/install_chart.sh rename to aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/install_chart.sh diff --git a/aws/rosa-hcp-dual-region/procedure/camunda/8.7/setup_ns_secrets.sh b/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/setup_ns_secrets.sh similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/camunda/8.7/setup_ns_secrets.sh rename to aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/setup_ns_secrets.sh diff --git a/aws/rosa-hcp-dual-region/procedure/camunda/8.7/verify_exported_services.sh b/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/verify_exported_services.sh similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/camunda/8.7/verify_exported_services.sh rename to aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/verify_exported_services.sh diff --git a/aws/rosa-hcp-dual-region/procedure/camunda/8.7/verify_installation_completed.sh b/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/verify_installation_completed.sh similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/camunda/8.7/verify_installation_completed.sh rename to aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/verify_installation_completed.sh diff --git a/aws/rosa-hcp-dual-region/procedure/camunda/8.7/zbctl-output.txt b/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/zbctl-output.txt similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/camunda/8.7/zbctl-output.txt rename to aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/zbctl-output.txt 
diff --git a/aws/rosa-hcp-dual-region/procedure/camunda/8.7/zeebe-http-output.txt b/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/zeebe-http-output.txt similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/camunda/8.7/zeebe-http-output.txt rename to aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/zeebe-http-output.txt diff --git a/aws/rosa-hcp-dual-region/procedure/submariner/debug-utils-submariner.yml b/aws/openshift/rosa-hcp-dual-region/procedure/submariner/debug-utils-submariner.yml similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/submariner/debug-utils-submariner.yml rename to aws/openshift/rosa-hcp-dual-region/procedure/submariner/debug-utils-submariner.yml diff --git a/aws/rosa-hcp-dual-region/procedure/submariner/label_nodes_brokers.sh b/aws/openshift/rosa-hcp-dual-region/procedure/submariner/label_nodes_brokers.sh similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/submariner/label_nodes_brokers.sh rename to aws/openshift/rosa-hcp-dual-region/procedure/submariner/label_nodes_brokers.sh diff --git a/aws/rosa-hcp-dual-region/procedure/submariner/output.txt b/aws/openshift/rosa-hcp-dual-region/procedure/submariner/output.txt similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/submariner/output.txt rename to aws/openshift/rosa-hcp-dual-region/procedure/submariner/output.txt diff --git a/aws/rosa-hcp-dual-region/procedure/submariner/submariner.yml.tpl b/aws/openshift/rosa-hcp-dual-region/procedure/submariner/submariner.yml.tpl similarity index 100% rename from aws/rosa-hcp-dual-region/procedure/submariner/submariner.yml.tpl rename to aws/openshift/rosa-hcp-dual-region/procedure/submariner/submariner.yml.tpl 
diff --git a/aws/rosa-hcp-dual-region/terraform/backup_bucket/README.md b/aws/openshift/rosa-hcp-dual-region/terraform/backup_bucket/README.md
similarity index 100%
rename from aws/rosa-hcp-dual-region/terraform/backup_bucket/README.md
rename to aws/openshift/rosa-hcp-dual-region/terraform/backup_bucket/README.md
diff --git a/aws/rosa-hcp-dual-region/terraform/backup_bucket/backup_bucket.tf b/aws/openshift/rosa-hcp-dual-region/terraform/backup_bucket/backup_bucket.tf
similarity index 100%
rename from aws/rosa-hcp-dual-region/terraform/backup_bucket/backup_bucket.tf
rename to aws/openshift/rosa-hcp-dual-region/terraform/backup_bucket/backup_bucket.tf
diff --git a/aws/rosa-hcp-dual-region/terraform/backup_bucket/config.tf b/aws/openshift/rosa-hcp-dual-region/terraform/backup_bucket/config.tf
similarity index 100%
rename from aws/rosa-hcp-dual-region/terraform/backup_bucket/config.tf
rename to aws/openshift/rosa-hcp-dual-region/terraform/backup_bucket/config.tf
diff --git a/aws/rosa-hcp-dual-region/terraform/clusters/README.md b/aws/openshift/rosa-hcp-dual-region/terraform/clusters/README.md
similarity index 100%
rename from aws/rosa-hcp-dual-region/terraform/clusters/README.md
rename to aws/openshift/rosa-hcp-dual-region/terraform/clusters/README.md
diff --git a/aws/rosa-hcp-dual-region/terraform/clusters/cluster_region_1.tf b/aws/openshift/rosa-hcp-dual-region/terraform/clusters/cluster_region_1.tf
similarity index 100%
rename from aws/rosa-hcp-dual-region/terraform/clusters/cluster_region_1.tf
rename to aws/openshift/rosa-hcp-dual-region/terraform/clusters/cluster_region_1.tf
diff --git a/aws/rosa-hcp-dual-region/terraform/clusters/cluster_region_2.tf b/aws/openshift/rosa-hcp-dual-region/terraform/clusters/cluster_region_2.tf
similarity index 100%
rename from aws/rosa-hcp-dual-region/terraform/clusters/cluster_region_2.tf
rename to aws/openshift/rosa-hcp-dual-region/terraform/clusters/cluster_region_2.tf
diff --git a/aws/rosa-hcp-dual-region/terraform/clusters/config.tf b/aws/openshift/rosa-hcp-dual-region/terraform/clusters/config.tf
similarity index 100%
rename from aws/rosa-hcp-dual-region/terraform/clusters/config.tf
rename to aws/openshift/rosa-hcp-dual-region/terraform/clusters/config.tf
diff --git a/aws/rosa-hcp-dual-region/terraform/peering/README.md b/aws/openshift/rosa-hcp-dual-region/terraform/peering/README.md
similarity index 100%
rename from aws/rosa-hcp-dual-region/terraform/peering/README.md
rename to aws/openshift/rosa-hcp-dual-region/terraform/peering/README.md
diff --git a/aws/rosa-hcp-dual-region/terraform/peering/config.tf b/aws/openshift/rosa-hcp-dual-region/terraform/peering/config.tf
similarity index 100%
rename from aws/rosa-hcp-dual-region/terraform/peering/config.tf
rename to aws/openshift/rosa-hcp-dual-region/terraform/peering/config.tf
diff --git a/aws/rosa-hcp-dual-region/terraform/peering/peering.tf b/aws/openshift/rosa-hcp-dual-region/terraform/peering/peering.tf
similarity index 100%
rename from aws/rosa-hcp-dual-region/terraform/peering/peering.tf
rename to aws/openshift/rosa-hcp-dual-region/terraform/peering/peering.tf
diff --git a/aws/openshift/rosa-hcp-single-region/.tool-versions b/aws/openshift/rosa-hcp-single-region/.tool-versions
new file mode 100644
index 000000000..e86d752b8
--- /dev/null
+++ b/aws/openshift/rosa-hcp-single-region/.tool-versions
@@ -0,0 +1 @@
+# Specific tools used by this implementation only
diff --git a/aws/rosa-hcp/camunda-versions/8.7/README.md b/aws/openshift/rosa-hcp-single-region/README.md
similarity index 86%
rename from aws/rosa-hcp/camunda-versions/8.7/README.md
rename to aws/openshift/rosa-hcp-single-region/README.md
index f2d6d7853..b5a82f2d6 100644
--- a/aws/rosa-hcp/camunda-versions/8.7/README.md
+++ b/aws/openshift/rosa-hcp-single-region/README.md
@@ -1,11 +1,14 @@ -# 8.7 +# Camunda on AWS ROSA single-region + +This folder describes the IaC of Camunda on AWS ROSA in a single-region setup. +Instructions can be found on the official documentation: https://docs.camunda.io/docs/8.6/self-managed/setup/deploy/amazon/openshift/terraform-setup/ ## Modules | Name | Source | Version | |------|--------|---------| -| [rosa\_cluster](#module\_rosa\_cluster) | git::https://github.com/camunda/camunda-tf-rosa//modules/rosa-hcp | v2.1.1 | +| [rosa\_cluster](#module\_rosa\_cluster) | ../../modules/rosa-hcp | n/a | ## Resources No resources. diff --git a/aws/rosa-hcp/camunda-versions/8.6/cluster.tf b/aws/openshift/rosa-hcp-single-region/cluster.tf similarity index 94% rename from aws/rosa-hcp/camunda-versions/8.6/cluster.tf rename to aws/openshift/rosa-hcp-single-region/cluster.tf index e45575245..e977150d2 100644 --- a/aws/rosa-hcp/camunda-versions/8.6/cluster.tf +++ b/aws/openshift/rosa-hcp-single-region/cluster.tf @@ -8,7 +8,7 @@ locals { } module "rosa_cluster" { - source = "git::https://github.com/camunda/camunda-tf-rosa//modules/rosa-hcp?ref=v2.1.1" + source = "../../modules/rosa-hcp" cluster_name = local.rosa_cluster_name @@ -27,6 +27,9 @@ module "rosa_cluster" { # Default node type for the OpenShift cluster compute_node_instance_type = "m7i.xlarge" replicas = 6 + + # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=semver + openshift_version = "4.17.16" } # Outputs of the parent module diff --git a/aws/rosa-hcp/camunda-versions/8.6/config.tf b/aws/openshift/rosa-hcp-single-region/config.tf similarity index 100% rename from aws/rosa-hcp/camunda-versions/8.6/config.tf rename to aws/openshift/rosa-hcp-single-region/config.tf diff --git a/aws/rosa-hcp/README.md b/aws/rosa-hcp/README.md deleted file mode 100644 index 0b45e04d4..000000000 --- a/aws/rosa-hcp/README.md +++ /dev/null 
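Review bot: The renamed `cluster.tf` still carries a literal admin password in its `locals` block: the two hunks only touch `source` and `openshift_version`, and the file starts from blob `e45575245`, the same blob as the deleted 8.7 copy printed further down this page with `rosa_admin_password = "CHANGEME1234r!"`. Anyone who applies this reference module unchanged gets a cluster admin account with a published password. I would take the value from an input instead, `htpasswd_password = var.rosa_admin_password`, with the variable declared `sensitive = true` and without a default so that a plan fails until a value is supplied. The `locals` block itself lies outside both hunks.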
@@ -1,4 +0,0 @@ -# Camunda on AWS ROSA - -This folder describes the IaC of Camunda on AWS ROSA. -Instructions can be found on the official documentation: https://docs.camunda.io/docs/self-managed/setup/deploy/amazon/openshift/terraform-setup/ diff --git a/aws/rosa-hcp/camunda-versions/8.6/.tool-versions b/aws/rosa-hcp/camunda-versions/8.6/.tool-versions deleted file mode 100644 index a947d071f..000000000 --- a/aws/rosa-hcp/camunda-versions/8.6/.tool-versions +++ /dev/null @@ -1 +0,0 @@ -# TODO: must be filled for tests integration diff --git a/aws/rosa-hcp/camunda-versions/8.6/README.md b/aws/rosa-hcp/camunda-versions/8.6/README.md deleted file mode 100644 index b735f26d6..000000000 --- a/aws/rosa-hcp/camunda-versions/8.6/README.md +++ /dev/null 
@@ -1,26 +0,0 @@ -# 8.6 - - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [rosa\_cluster](#module\_rosa\_cluster) | git::https://github.com/camunda/camunda-tf-rosa//modules/rosa-hcp | v2.1.1 | -## Resources - -No resources. -## Inputs - -No inputs. -## Outputs - -| Name | Description | -|------|-------------| -| [aws\_caller\_identity\_account\_id](#output\_aws\_caller\_identity\_account\_id) | The AWS account ID of the caller. This is the account under which the Terraform code is being executed. | -| [cluster\_console\_url](#output\_cluster\_console\_url) | The URL endpoint for accessing the OpenShift web console. This endpoint provides a web-based user interface for managing the OpenShift cluster. | -| [cluster\_id](#output\_cluster\_id) | The unique identifier of the OpenShift cluster created on Red Hat OpenShift Service on AWS (ROSA). This ID is used to reference the cluster in subsequent operations. | -| [oidc\_provider\_id](#output\_oidc\_provider\_id) | OIDC provider for the ROSA cluster. Allows adding additional IAM Role for Service Accounts (IRSA) mappings. | -| [openshift\_api\_url](#output\_openshift\_api\_url) | The endpoint URL for accessing the OpenShift API. This endpoint is used to interact with the OpenShift cluster's API server. | -| [private\_subnet\_ids](#output\_private\_subnet\_ids) | A comma-separated list of private subnet IDs in the VPC. These subnets are typically used for internal resources that do not require direct internet access. | -| [public\_subnet\_ids](#output\_public\_subnet\_ids) | A comma-separated list of public subnet IDs in the VPC. These subnets are typically used for resources that require internet access. | - diff --git a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/.shellcheckrc b/aws/rosa-hcp/camunda-versions/8.6/procedure/install/.shellcheckrc deleted file mode 100644 index 5f4b7a68f..000000000 --- a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/.shellcheckrc +++ /dev/null 
@@ -1 +0,0 @@ -disable=SC2148,SC2155 diff --git a/aws/rosa-hcp/camunda-versions/8.7/.tool-versions b/aws/rosa-hcp/camunda-versions/8.7/.tool-versions deleted file mode 100644 index a947d071f..000000000 --- a/aws/rosa-hcp/camunda-versions/8.7/.tool-versions +++ /dev/null @@ -1 +0,0 @@ -# TODO: must be filled for tests integration diff --git a/aws/rosa-hcp/camunda-versions/8.7/cluster.tf b/aws/rosa-hcp/camunda-versions/8.7/cluster.tf deleted file mode 100644 index e45575245..000000000 --- a/aws/rosa-hcp/camunda-versions/8.7/cluster.tf +++ /dev/null 
@@ -1,67 +0,0 @@ -locals { - rosa_cluster_name = "my-rosa" # Change this to a name of your choice - - rosa_cluster_zones = ["eu-north-1a", "eu-north-1b", "eu-north-1c"] # Adjust to your needs and align with your value of AWS_REGION - - rosa_admin_username = "kubeadmin" - rosa_admin_password = "CHANGEME1234r!" # Change the password of your admin password -} - -module "rosa_cluster" { - source = "git::https://github.com/camunda/camunda-tf-rosa//modules/rosa-hcp?ref=v2.1.1" - - cluster_name = local.rosa_cluster_name - - availability_zones = local.rosa_cluster_zones - - # Set CIDR ranges or use the defaults - vpc_cidr_block = "10.0.0.0/16" - machine_cidr_block = "10.0.0.0/18" - service_cidr_block = "10.0.128.0/18" - pod_cidr_block = "10.0.64.0/18" - - # admin access - htpasswd_username = local.rosa_admin_username - htpasswd_password = local.rosa_admin_password - - # Default node type for the OpenShift cluster - compute_node_instance_type = "m7i.xlarge" - replicas = 6 -} - -# Outputs of the parent module - -output "public_subnet_ids" { - value = module.rosa_cluster.public_subnet_ids - description = "A comma-separated list of public subnet IDs in the VPC. These subnets are typically used for resources that require internet access." -} - -output "private_subnet_ids" { - value = module.rosa_cluster.private_subnet_ids - description = "A comma-separated list of private subnet IDs in the VPC. These subnets are typically used for internal resources that do not require direct internet access." -} - -output "cluster_id" { - value = module.rosa_cluster.cluster_id - description = "The unique identifier of the OpenShift cluster created on Red Hat OpenShift Service on AWS (ROSA). This ID is used to reference the cluster in subsequent operations." -} - -output "oidc_provider_id" { - value = module.rosa_cluster.oidc_provider_id - description = "OIDC provider for the ROSA cluster. Allows adding additional IAM Role for Service Accounts (IRSA) mappings." 
-} - -output "aws_caller_identity_account_id" { - value = module.rosa_cluster.aws_caller_identity_account_id - description = "The AWS account ID of the caller. This is the account under which the Terraform code is being executed." -} - -output "openshift_api_url" { - value = module.rosa_cluster.openshift_api_url - description = "The endpoint URL for accessing the OpenShift API. This endpoint is used to interact with the OpenShift cluster's API server." -} - -output "cluster_console_url" { - value = module.rosa_cluster.cluster_console_url - description = "The URL endpoint for accessing the OpenShift web console. This endpoint provides a web-based user interface for managing the OpenShift cluster." -} diff --git a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/.shellcheckrc b/aws/rosa-hcp/camunda-versions/8.7/procedure/install/.shellcheckrc deleted file mode 100644 index 5f4b7a68f..000000000 --- a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/.shellcheckrc +++ /dev/null @@ -1 +0,0 @@ -disable=SC2148,SC2155 diff --git a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/chart-env.sh b/aws/rosa-hcp/camunda-versions/8.7/procedure/install/chart-env.sh deleted file mode 100644 index c2ec1d239..000000000 --- a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/chart-env.sh +++ /dev/null @@ -1,3 +0,0 @@ -# The Camunda 8 Helm Chart version -# renovate: datasource=helm depName=camunda-platform versioning=regex:^12(\.(?\d+))?(\.(?\d+))?$ registryUrl=https://helm.camunda.io -export CAMUNDA_HELM_CHART_VERSION="0.0.0-snapshot-alpha" diff --git a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/create-identity-secret.sh b/aws/rosa-hcp/camunda-versions/8.7/procedure/install/create-identity-secret.sh deleted file mode 100644 index 2ae8ab49b..000000000 --- a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/create-identity-secret.sh +++ /dev/null 
@@ -1,11 +0,0 @@ -kubectl create secret generic identity-secret-for-components \ - --namespace camunda \ - --from-literal=identity-connectors-client-token="$CONNECTORS_SECRET" \ - --from-literal=identity-console-client-token="$CONSOLE_SECRET" \ - --from-literal=identity-core-client-token="$CORE_SECRET" \ - --from-literal=identity-optimize-client-token="$OPTIMIZE_SECRET" \ - --from-literal=identity-keycloak-admin-password="$ADMIN_PASSWORD" \ - --from-literal=identity-firstuser-password="$FIRST_USER_PASSWORD" \ - --from-literal=identity-keycloak-postgresql-user-password="$KEYCLOAK_PG_USER_PASSWORD" \ - --from-literal=identity-keycloak-postgresql-admin-password="$KEYCLOAK_PG_ADMIN_PASSWORD" \ - --from-literal=smtp-password="" diff --git a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/generate-passwords.sh b/aws/rosa-hcp/camunda-versions/8.7/procedure/install/generate-passwords.sh deleted file mode 100644 index 263c18fa3..000000000 --- a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/generate-passwords.sh +++ /dev/null @@ -1,8 +0,0 @@ -export CONNECTORS_SECRET="$(openssl rand -hex 16)" -export CONSOLE_SECRET="$(openssl rand -hex 16)" -export OPTIMIZE_SECRET="$(openssl rand -hex 16)" -export CORE_SECRET="$(openssl rand -hex 16)" -export ADMIN_PASSWORD="$(openssl rand -hex 16)" -export FIRST_USER_PASSWORD="$(openssl rand -hex 16)" -export KEYCLOAK_PG_USER_PASSWORD="$(openssl rand -hex 16)" -export KEYCLOAK_PG_ADMIN_PASSWORD="$(openssl rand -hex 16)" diff --git a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/base.yml b/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/base.yml deleted file mode 100644 index 4953c48bd..000000000 --- a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/base.yml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -global: - elasticsearch: - enabled: true # use the embbeded elasticsearch - - secrets: - name: identity-secret-for-components - -identity: - firstUser: - existingSecret: identity-secret-for-components - -identityKeycloak: - postgresql: - enabled: true # use the embbeded database - auth: - existingSecret: identity-secret-for-components - auth: - existingSecret: identity-secret-for-components - -console: - enabled: false # by default, console is not enabled - -webModeler: - enabled: false # by default, webModeler is not enabled - - restapi: - mail: - fromAddress: changeme@example.com # change this required value diff --git a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/connectors-route.yml b/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/connectors-route.yml deleted file mode 100644 index 9104e3829..000000000 --- a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/connectors-route.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -connectors: - inbound: - mode: oauth - env: - - name: ZEEBE_CLIENT_BROKER_GATEWAY-ADDRESS - value: camunda-core.camunda.svc.cluster.local:26500 - - name: ZEEBE_CLIENT_SECURITY_PLAINTEXT - value: 'false' - - name: CAMUNDA_CLIENT_ZEEBE_CACERTIFICATEPATH - value: /usr/local/certificates/tls.crt - extraVolumeMounts: - - name: certificate - mountPath: /usr/local/certificates/tls.crt - subPath: tls.crt - extraVolumes: - - name: certificate - secret: - secretName: camunda-platform-internal-service-certificate - items: - - key: tls.crt - path: tls.crt - defaultMode: 420 diff --git a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/core-route.yml b/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/core-route.yml deleted file mode 100644 index 04b628c49..000000000 --- a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/core-route.yml +++ /dev/null 
@@ -1,77 +0,0 @@ ---- -core: - service: - annotations: - # enerate a TLS certificate for the Zeebe Gateway Service - service.beta.openshift.io/serving-cert-secret-name: camunda-platform-internal-service-certificate - - ingress: - enabled: true - grpc: - enabled: true - annotations: - haproxy.router.openshift.io/timeout: 300s - route.openshift.io/termination: reencrypt - # reference the re-encrypt secret - route.openshift.io/destination-ca-certificate-secret: camunda-platform-internal-service-certificate - className: openshift-default - tls: - enabled: true - # explicitely no secret as we rely on the IngressOperator to handle the TLS secret, if you use a custom certificate, you might want to fill this value - secretName: '' - host: zeebe-${DOMAIN_NAME} - - env: - ##### Tasklist - - name: CAMUNDA_TASKLIST_ZEEBE_SECURE - value: 'true' - - name: CAMUNDA_TASKLIST_ZEEBE_CERTIFICATEPATH - value: /usr/local/core/config/tls.crt - - name: CAMUNDA_TASKLIST_ZEEBE_GATEWAYADDRESS - value: camunda-core.camunda.svc.cluster.local:26500 - - ##### Gateway TLS - - name: ZEEBE_BROKER_GATEWAY_SECURITY_ENABLED - value: 'true' - - name: ZEEBE_BROKER_GATEWAY_SECURITY_CERTIFICATECHAINPATH - value: /usr/local/core/config/tls.crt - - name: ZEEBE_BROKER_GATEWAY_SECURITY_PRIVATEKEYPATH - value: /usr/local/core/config/tls.key - - - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_ENABLED - value: 'true' - - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_CERTIFICATECHAINPATH - value: /usr/local/core/config/tls.crt - - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_PRIVATEKEYPATH - value: /usr/local/core/config/tls.key - - ##### Operate - - name: CAMUNDA_OPERATE_ZEEBE_SECURE - value: 'true' - - name: CAMUNDA_OPERATE_ZEEBE_CERTIFICATEPATH - value: /usr/local/core/config/tls.crt - - name: CAMUNDA_OPERATE_ZEEBE_GATEWAYADDRESS - # camunda-core..svc.cluster.local - value: camunda-core.camunda.svc.cluster.local:26500 - extraVolumeMounts: - - name: certificate - mountPath: /usr/local/core/config/tls.crt - subPath: 
tls.crt - - name: key - mountPath: /usr/local/core/config/tls.key - subPath: tls.key - extraVolumes: - - name: key - secret: - secretName: camunda-platform-internal-service-certificate - items: - - key: tls.key - path: tls.key - defaultMode: 420 - - name: certificate - secret: - secretName: camunda-platform-internal-service-certificate - items: - - key: tls.crt - path: tls.crt - defaultMode: 420 diff --git a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/domain.yml b/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/domain.yml deleted file mode 100644 index 93e54f979..000000000 --- a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/domain.yml +++ /dev/null 
@@ -1,61 +0,0 @@ ---- -global: - - # the ingress is manages directly by the Route manifests ../manifest/routes.yml - ingress: - enabled: true - className: openshift-default - host: ${DOMAIN_NAME} - tls: - enabled: true - # explicitely no secret as we rely on the IngressOperator to handle the TLS secret, if you use a custom certificate, you might want to fill this value - secretName: '' - annotations: - route.openshift.io/termination: edge - # enforce HSTS - haproxy.router.openshift.io/hsts_header: max-age=31536000; includeSubDomains;preload - - - identity: - auth: - publicIssuerUrl: https://${DOMAIN_NAME}/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding - - optimize: - redirectUrl: https://${DOMAIN_NAME}/optimize # replace this with a port of your choice when you will do port forwarding - existingSecret: - name: identity-secret-for-components - webModeler: - redirectUrl: https://${DOMAIN_NAME}/modeler - console: - redirectUrl: https://${DOMAIN_NAME}/console - existingSecret: - name: identity-secret-for-components - core: - redirectUrl: http://${DOMAIN_NAME} - existingSecret: - name: identity-secret-for-components - connectors: - existingSecret: - name: identity-secret-for-components - admin: - existingSecret: - name: identity-secret-for-components - -identity: - contextPath: /identity - fullURL: https://${DOMAIN_NAME}/identity - -webModeler: - contextPath: /modeler - -optimize: - contextPath: /optimize - -core: - contextPath: / - -console: - contextPath: /console - -connectors: - contextPath: /connectors diff --git a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/no-domain.yml b/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/no-domain.yml deleted file mode 100644 index cee21da60..000000000 --- a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/no-domain.yml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -global: - identity: - - auth: - publicIssuerUrl: http://localhost:18080/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding - - optimize: - redirectUrl: http://localhost:8083 # replace this with a port of your choice when you will do port forwarding - existingSecret: - name: identity-secret-for-components - webModeler: - redirectUrl: http://localhost:8084 - console: - redirectUrl: http://localhost:8085 - existingSecret: - name: identity-secret-for-components - core: - redirectUrl: http://localhost:8082 - existingSecret: - name: identity-secret-for-components - connectors: - existingSecret: - name: identity-secret-for-components - admin: - existingSecret: - name: identity-secret-for-components - -identity: - fullURL: http://localhost:8080 # replace this with a port of your choice when you will do port forwarding diff --git a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/no-scc.yml b/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/no-scc.yml deleted file mode 100644 index 9750dc3a7..000000000 --- a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/no-scc.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -global: - compatibility: - openshift: - adaptSecurityContext: disabled # do not enforce SCCs, default diff --git a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/scc.yml b/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/scc.yml deleted file mode 100644 index 0f9942fec..000000000 --- a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/scc.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -global: - compatibility: - openshift: - adaptSecurityContext: force # enforce compatibility with SCCs diff --git a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/install-chart.sh b/aws/rosa-hcp/camunda-versions/8.7/procedure/install/install-chart.sh deleted file mode 100644 index f4c272088..000000000 
--- a/aws/rosa-hcp/camunda-versions/8.7/procedure/install/install-chart.sh +++ /dev/null @@ -1,13 +0,0 @@ -# helm upgrade --install \ -# camunda camunda-platform \ -# --repo https://helm.camunda.io \ -# --version "$CAMUNDA_HELM_CHART_VERSION" \ -# --namespace camunda \ -# -f generated-values.yml - -# TODO: before the release, update this! - -helm upgrade --install \ - camunda oci://ghcr.io/camunda/helm/camunda-platform \ - --version "$CAMUNDA_HELM_CHART_VERSION" --namespace camunda \ - -f generated-values.yml diff --git a/generic/kubernetes/single-region/.tool-versions b/generic/kubernetes/single-region/.tool-versions new file mode 100644 index 000000000..e86d752b8 --- /dev/null +++ b/generic/kubernetes/single-region/.tool-versions @@ -0,0 +1 @@ +# Specific tools used by this implementation only diff --git a/generic/kubernetes/single-region/procedure/check-deployment-ready.sh b/generic/kubernetes/single-region/procedure/check-deployment-ready.sh new file mode 100755 index 000000000..803991f42 --- /dev/null +++ b/generic/kubernetes/single-region/procedure/check-deployment-ready.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +while true; do + kubectl get pods -n camunda --output=wide + + if [ "$(kubectl get pods -n camunda --field-selector=status.phase!=Running -o name | wc -l)" -eq 0 ] && + [ "$(kubectl get pods -n camunda -o json | jq -r '.items[] | select(.status.containerStatuses[]?.ready == false)' | wc -l)" -eq 0 ]; then + echo "All pods are Running and Healthy - Installation completed!" + exit 0 + else + echo "Some pods are not Running or Healthy, please wait..." + sleep 5 + fi +done diff --git a/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology.sh b/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology.sh new file mode 100755 index 000000000..d0270d362 --- /dev/null +++ b/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology.sh 
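Review bot: The `while true` loop in `check-deployment-ready.sh` has no upper bound, so a pod stuck pulling an image or crash-looping keeps the script, and any CI job that calls it, polling until the runner's own timeout. Both readiness tests also count pods that finished normally: `status.phase!=Running` matches `Succeeded`, and a completed container reports `ready == false`, so if the chart runs any Job the exit condition may never be met (inferred; no Job is visible in this diff). I would bound the wait with a deadline, leave `Succeeded` pods out of both checks, and exit non-zero on timeout.

```shell
# Fail after a bounded wait instead of polling forever.
TIMEOUT_SECONDS="${TIMEOUT_SECONDS:-900}"
deadline=$((SECONDS + TIMEOUT_SECONDS))

while [ "$SECONDS" -lt "$deadline" ]; do
    kubectl get pods -n camunda --output=wide

    # Pods of completed Jobs are Succeeded and never become ready; leave them out of both checks.
    if [ "$(kubectl get pods -n camunda --field-selector=status.phase!=Running,status.phase!=Succeeded -o name | wc -l)" -eq 0 ] &&
       [ "$(kubectl get pods -n camunda -o json | jq -r '.items[] | select(.status.phase != "Succeeded") | select(.status.containerStatuses[]?.ready == false)' | wc -l)" -eq 0 ]; then
        # … unchanged: success message and exit 0 …
    else
        # … unchanged: wait message and sleep 5 …
    fi
done

echo "Timed out after ${TIMEOUT_SECONDS}s waiting for pods in namespace camunda" >&2
exit 1
```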
@@ -0,0 +1,16 @@ +#!/bin/bash + +# TODO: [DOC] update this in the doc + +ZEEBE_ADDRESS_REST="https://$DOMAIN_NAME/zeebe" +ZEEBE_AUTHORIZATION_SERVER_URL="https://$DOMAIN_NAME/auth/realms/camunda-platform/protocol/openid-connect/token" + +# Generate a temporary token from the authorization server (keycloak) +TOKEN=$(curl --location --request POST "${ZEEBE_AUTHORIZATION_SERVER_URL}" \ +--header "Content-Type: application/x-www-form-urlencoded" \ +--data-urlencode "client_id=${ZEEBE_CLIENT_ID}" \ +--data-urlencode "client_secret=${ZEEBE_CLIENT_SECRET}" \ +--data-urlencode "grant_type=client_credentials" | jq '.access_token' -r) + +# Show the zeebe cluster topology +curl --header "Authorization: Bearer ${TOKEN}" "${ZEEBE_ADDRESS_REST}/v2/topology" diff --git a/generic/kubernetes/single-region/tests/helm-values/identity.yml b/generic/kubernetes/single-region/tests/helm-values/identity.yml new file mode 100644 index 000000000..21f3900ce --- /dev/null +++ b/generic/kubernetes/single-region/tests/helm-values/identity.yml 
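Review bot: Neither `curl` call in `check-zeebe-cluster-topology.sh` checks for failure, so when the token request is rejected `jq '.access_token' -r` prints `null` and the second call sends `Authorization: Bearer null`, which hides the real error behind an authorization failure from the gateway. Adding `set -euo pipefail` under the shebang, `--fail --silent --show-error` on both requests and `jq -er '.access_token'` stops the script at the first failed step and also catches an unset `DOMAIN_NAME` or `ZEEBE_CLIENT_ID`. Separately, `--data-urlencode "client_secret=${ZEEBE_CLIENT_SECRET}"` places the secret on curl's command line, where other local users can read it from the process list; passing that option through `curl --config -` on stdin avoids it.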
@@ -0,0 +1,78 @@ +--- +# keep it synced with https://github.com/camunda/camunda-platform-helm/blob/main/charts/camunda-platform-8.6/test/integration/scenarios/common/values-integration-test.yaml +# it generates the CI user used to connect to the platform + +identity: + # Keycloak client seed which is used to query Camunda APIs. + env: + - name: KEYCLOAK_CLIENTS_2_ID + valueFrom: + secretKeyRef: + name: identity-secret-for-components-integration + key: identity-admin-client-id + - name: KEYCLOAK_CLIENTS_2_NAME + valueFrom: + secretKeyRef: + name: identity-secret-for-components-integration + key: identity-admin-client-id + - name: KEYCLOAK_CLIENTS_2_SECRET + valueFrom: + secretKeyRef: + name: identity-secret-for-components-integration + key: identity-admin-client-secret + - name: KEYCLOAK_CLIENTS_2_REDIRECT_URIS_0 + value: /dummy + - name: KEYCLOAK_CLIENTS_2_ROOT_URL + value: http://dummy + - name: KEYCLOAK_CLIENTS_2_TYPE + value: CONFIDENTIAL + # Identity access. + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_0_RESOURCE_SERVER_ID + value: camunda-identity-resource-server + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_0_DEFINITION + value: read + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_1_RESOURCE_SERVER_ID + value: camunda-identity-resource-server + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_1_DEFINITION + value: write + # Operate access. + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_2_RESOURCE_SERVER_ID + value: operate-api + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_2_DEFINITION + value: read:* + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_3_RESOURCE_SERVER_ID + value: operate-api + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_3_DEFINITION + value: write:* + # Tasklist access. + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_4_RESOURCE_SERVER_ID + value: tasklist-api + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_4_DEFINITION + value: read:* + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_5_RESOURCE_SERVER_ID + value: tasklist-api + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_5_DEFINITION + value: write:* + # Optimize access. 
+ - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_6_RESOURCE_SERVER_ID + value: optimize-api + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_6_DEFINITION + value: write:* + # Zeebe access. + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_7_RESOURCE_SERVER_ID + value: zeebe-api + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_7_DEFINITION + value: write:* + # WebModeler access. + # NOTE: This actually should be only in the chart-with-web-modeler scenarios, + # but since Helm doesn't support merge lists it's added here. + # It could be removed later when the env vars could be configured via ConfigMap. + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_8_RESOURCE_SERVER_ID + value: web-modeler-api + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_8_DEFINITION + value: write:* + # Console access. + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_9_RESOURCE_SERVER_ID + value: console-api + - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_9_DEFINITION + value: write:* diff --git a/generic/kubernetes/single-region/tests/helm-values/registry.yml b/generic/kubernetes/single-region/tests/helm-values/registry.yml new file mode 100644 index 000000000..77635dce9 --- /dev/null +++ b/generic/kubernetes/single-region/tests/helm-values/registry.yml @@ -0,0 +1,20 @@ +--- +# This file contains specific values used during the integration tests + + +# Auth to avoid Docker download rate limit. +# https://docs.docker.com/docker-hub/download-rate-limit/ +identityKeycloak: + image: + pullSecrets: + - name: index-docker-io + +global: + image: + pullSecrets: + - name: index-docker-io + +elasticsearch: + global: + imagePullSecrets: + - name: index-docker-io diff --git a/generic/openshift/single-region/.tool-versions b/generic/openshift/single-region/.tool-versions new file mode 100644 index 000000000..e86d752b8 --- /dev/null +++ b/generic/openshift/single-region/.tool-versions @@ -0,0 +1 @@ +# Specific tools used by this implementation only 
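Review bot: `identity.yml` seeds a Keycloak client with read and write on Identity and `write:*` on the Operate, Tasklist, Optimize, Zeebe, Web Modeler and Console APIs, yet the header only describes it as "the CI user". Values files tend to get copied, so I would state the scope at the top, for example `# TEST ONLY: seeds a client with write access to every component API; never layer this file onto a non-test install.` The fixed slot `KEYCLOAK_CLIENTS_2_*` also looks like it assumes the chart defines exactly two clients before it; a comment naming that assumption would help whoever syncs this file when the chart adds one.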
diff --git a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/base.yml b/generic/openshift/single-region/helm-values/base.yml similarity index 70% rename from aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/base.yml rename to generic/openshift/single-region/helm-values/base.yml index 361b19c17..fc03c7e32 100644 --- a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/base.yml +++ b/generic/openshift/single-region/helm-values/base.yml @@ -6,6 +6,12 @@ global: identityKeycloak: postgresql: enabled: true # use the embbeded database + + # TODO: [BUG] 8.6 only remove when https://github.com/camunda/camunda-platform-helm/pull/3018 is release + # context https://github.com/camunda/camunda-platform-helm/pull/2944 + auth: + existingSecret: '' + auth: existingSecret: identity-secret-for-components diff --git a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/connectors-route.yml b/generic/openshift/single-region/helm-values/connectors-route.yml similarity index 100% rename from aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/connectors-route.yml rename to generic/openshift/single-region/helm-values/connectors-route.yml diff --git a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/domain.yml b/generic/openshift/single-region/helm-values/domain.yml similarity index 100% rename from aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/domain.yml rename to generic/openshift/single-region/helm-values/domain.yml diff --git a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/no-domain.yml b/generic/openshift/single-region/helm-values/no-domain.yml similarity index 100% rename from aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/no-domain.yml rename to generic/openshift/single-region/helm-values/no-domain.yml 
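Review bot: The added `auth: existingSecret: ''` in `base.yml` appears to sit under `identityKeycloak.postgresql` (indentation is lost in this view), which would stop the embedded PostgreSQL from reading its passwords from `identity-secret-for-components`, and the comment links the bug without saying which credential the database ends up with. Please extend the comment with that, for example `# with an empty existingSecret the PostgreSQL sub-chart sets its own passwords (confirm against the chart)`, and with the chart version at which the override must be removed. The `identityKeycloak` block continues outside the hunk.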
diff --git a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/no-scc.yml b/generic/openshift/single-region/helm-values/no-scc.yml similarity index 100% rename from aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/no-scc.yml rename to generic/openshift/single-region/helm-values/no-scc.yml diff --git a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/operate-route.yml b/generic/openshift/single-region/helm-values/operate-route.yml similarity index 100% rename from aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/operate-route.yml rename to generic/openshift/single-region/helm-values/operate-route.yml diff --git a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/scc.yml b/generic/openshift/single-region/helm-values/scc.yml similarity index 100% rename from aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/scc.yml rename to generic/openshift/single-region/helm-values/scc.yml diff --git a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/tasklist-route.yml b/generic/openshift/single-region/helm-values/tasklist-route.yml similarity index 100% rename from aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/tasklist-route.yml rename to generic/openshift/single-region/helm-values/tasklist-route.yml diff --git a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/zeebe-gateway-route.yml b/generic/openshift/single-region/helm-values/zeebe-gateway-route.yml similarity index 67% rename from aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/zeebe-gateway-route.yml rename to generic/openshift/single-region/helm-values/zeebe-gateway-route.yml index e8f72b3f3..bff94cdfe 100644 --- a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/zeebe-gateway-route.yml +++ b/generic/openshift/single-region/helm-values/zeebe-gateway-route.yml 
@@ -58,3 +58,36 @@ zeebeGateway: - key: tls.key path: tls.key defaultMode: 420 + +# TODO: [DOC] before merge update the doc to indicate why we do this +zeebe: + env: + - name: ZEEBE_BROKER_NETWORK_SECURITY_ENABLED + value: 'true' + - name: ZEEBE_BROKER_NETWORK_SECURITY_CERTIFICATECHAINPATH + value: /usr/local/zeebe/config/tls.crt + - name: ZEEBE_BROKER_NETWORK_SECURITY_PRIVATEKEYPATH + value: /usr/local/zeebe/config/tls.key + + extraVolumeMounts: + - name: certificate + mountPath: /usr/local/zeebe/config/tls.crt + subPath: tls.crt + - name: key + mountPath: /usr/local/zeebe/config/tls.key + subPath: tls.key + extraVolumes: + - name: key + secret: + secretName: camunda-platform-internal-service-certificate + items: + - key: tls.key + path: tls.key + defaultMode: 420 + - name: certificate + secret: + secretName: camunda-platform-internal-service-certificate + items: + - key: tls.crt + path: tls.crt + defaultMode: 420 diff --git a/generic/openshift/single-region/procedure/.shellcheckrc b/generic/openshift/single-region/procedure/.shellcheckrc new file mode 100644 index 000000000..40e02e71c --- /dev/null +++ b/generic/openshift/single-region/procedure/.shellcheckrc @@ -0,0 +1 @@ +disable=SC2155 diff --git a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/chart-env.sh b/generic/openshift/single-region/procedure/chart-env.sh old mode 100644 new mode 100755 similarity index 76% rename from aws/rosa-hcp/camunda-versions/8.6/procedure/install/chart-env.sh rename to generic/openshift/single-region/procedure/chart-env.sh index 145b922b4..236cad342 --- a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/chart-env.sh +++ b/generic/openshift/single-region/procedure/chart-env.sh @@ -1,3 +1,5 @@ +#!/bin/bash + # The Camunda 8 Helm Chart version # renovate: datasource=helm depName=camunda-platform versioning=regex:^11(\.(?\d+))?(\.(?\d+))?$ registryUrl=https://helm.camunda.io -export CAMUNDA_HELM_CHART_VERSION="11.0.4" +export CAMUNDA_HELM_CHART_VERSION="11.2.1" 
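Review bot: The new `key` volume under `zeebe.extraVolumes` mounts the broker's TLS private key with `defaultMode: 420`, which is octal 0644, so `tls.key` is readable by every user inside the container. A tighter mode on that one volume, `defaultMode: 288` (0440), should still let the broker read it through the pod's fsGroup, though that needs confirming against the UID/GID OpenShift assigns. The `zeebeGateway` block visible in the context lines uses the same mode for its key, so both would change together. The TODO is best resolved in-file with a comment such as `# broker-side TLS for intra-cluster traffic, cert/key from the camunda-platform-internal-service-certificate secret`.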
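Review bot: Disabling SC2155 for the whole procedure directory hides the one place in this patch where the warning is relevant. In generate-passwords.sh every line has the form `export CONNECTORS_SECRET="$(openssl rand -hex 16)"`, where the statement returns the status of `export`, so a failing or missing `openssl` exports an empty secret without any error. I would drop the blanket disable and split those lines (`CONNECTORS_SECRET="$(openssl rand -hex 16)"` followed by `export CONNECTORS_SECRET`), or keep it and add a comment in this file, `# SC2155: accepted, generated values are checked for emptiness before use`, together with that check.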
diff --git a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/create-identity-secret.sh b/generic/openshift/single-region/procedure/create-identity-secret.sh old mode 100644 new mode 100755 similarity index 85% rename from aws/rosa-hcp/camunda-versions/8.6/procedure/install/create-identity-secret.sh rename to generic/openshift/single-region/procedure/create-identity-secret.sh index a5b074a26..a6af07fba --- a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/create-identity-secret.sh +++ b/generic/openshift/single-region/procedure/create-identity-secret.sh @@ -1,4 +1,6 @@ -kubectl create secret generic identity-secret-for-components \ +#!/bin/bash + +oc create secret generic identity-secret-for-components \ --namespace camunda \ --from-literal=connectors-secret="$CONNECTORS_SECRET" \ --from-literal=console-secret="$CONSOLE_SECRET" \ diff --git a/generic/openshift/single-region/procedure/enable-ingress-http2.sh b/generic/openshift/single-region/procedure/enable-ingress-http2.sh new file mode 100755 index 000000000..44567af6a --- /dev/null +++ b/generic/openshift/single-region/procedure/enable-ingress-http2.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +oc -n openshift-ingress-operator annotate "ingresscontrollers/$OC_INGRESS_CONTROLLER_NAME" ingress.operator.openshift.io/default-enable-http2=true diff --git a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/generate-passwords.sh b/generic/openshift/single-region/procedure/generate-passwords.sh old mode 100644 new mode 100755 similarity index 96% rename from aws/rosa-hcp/camunda-versions/8.6/procedure/install/generate-passwords.sh rename to generic/openshift/single-region/procedure/generate-passwords.sh index 098ed07b6..6bffa72c4 --- a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/generate-passwords.sh +++ b/generic/openshift/single-region/procedure/generate-passwords.sh 
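Review bot: With the shebang and the 100755 mode, create-identity-secret.sh can be run on its own, and nothing in it checks that `$CONNECTORS_SECRET`, `$CONSOLE_SECRET` and the other inputs are set. If generate-passwords.sh was not sourced in the calling shell, `oc create secret generic` will most likely store empty values and report success, leaving components with blank client secrets. Adding `set -euo pipefail` directly after `#!/bin/bash` makes the script stop on an unset variable instead. The `oc create secret` command continues past the end of this hunk, so the remaining `--from-literal` arguments are not visible here.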
@@ -1,3 +1,5 @@ +#!/bin/bash + export CONNECTORS_SECRET="$(openssl rand -hex 16)" export CONSOLE_SECRET="$(openssl rand -hex 16)" export OPERATE_SECRET="$(openssl rand -hex 16)" diff --git a/generic/openshift/single-region/procedure/get-ingress-http2-status.sh b/generic/openshift/single-region/procedure/get-ingress-http2-status.sh new file mode 100755 index 000000000..f7358133d --- /dev/null +++ b/generic/openshift/single-region/procedure/get-ingress-http2-status.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +# List your IngressControllers +oc -n openshift-ingress-operator get ingresscontrollers + +# Replace OC_INGRESS_CONTROLLER_NAME with your IngressController name from the previous command +export OC_INGRESS_CONTROLLER_NAME=default +oc -n openshift-ingress-operator get "ingresscontrollers/$OC_INGRESS_CONTROLLER_NAME" -o json | jq '.metadata.annotations."ingress.operator.openshift.io/default-enable-http2"' diff --git a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/install-chart.sh b/generic/openshift/single-region/procedure/install-chart.sh old mode 100644 new mode 100755 similarity index 93% rename from aws/rosa-hcp/camunda-versions/8.6/procedure/install/install-chart.sh rename to generic/openshift/single-region/procedure/install-chart.sh index 90055512a..54924d37c --- a/aws/rosa-hcp/camunda-versions/8.6/procedure/install/install-chart.sh +++ b/generic/openshift/single-region/procedure/install-chart.sh @@ -1,3 +1,5 @@ +#!/bin/bash + helm upgrade --install \ camunda camunda-platform \ --repo https://helm.camunda.io \ diff --git a/generic/openshift/single-region/procedure/setup-application-domain.sh b/generic/openshift/single-region/procedure/setup-application-domain.sh new file mode 100755 index 000000000..8b78ff57e --- /dev/null +++ b/generic/openshift/single-region/procedure/setup-application-domain.sh 
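Review bot: In get-ingress-http2-status.sh, `export OC_INGRESS_CONTROLLER_NAME=default` only reaches the caller when the file is sourced, yet the commit gives it a shebang and mode 100755, which invites executing it. Run directly, the export is lost with the child process and enable-ingress-http2.sh then expands `"ingresscontrollers/$OC_INGRESS_CONTROLLER_NAME"` with an empty name. The same applies to generate-passwords.sh, chart-env.sh and setup-application-domain.sh, which do nothing but export variables. A header comment such as `# Source this file (. ./get-ingress-http2-status.sh); executing it does not export anything to your shell` in each of them would make the intended use explicit.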
@@ -0,0 +1,6 @@ +#!/bin/bash + +OPENSHIFT_APPS_DOMAIN="$(oc get ingresses.config.openshift.io cluster -o jsonpath='{.spec.domain}')" +export DOMAIN_NAME="camunda.$OPENSHIFT_APPS_DOMAIN" + +echo "Camunda 8 will be reachable from $DOMAIN_NAME" diff --git a/justfile b/justfile index 4918430fb..93ff02b6e 100644 --- a/justfile +++ b/justfile @@ -11,15 +11,28 @@ regenerate-aws-ec2-golden-file: rm -rf tfplan tfplan.json rm -rf provider_override.tf +regenerate-golden-file module_dir backend_bucket_region backend_bucket_name backend_bucket_key relative_output_path="./test/golden/": + #!/bin/bash + cd {{ justfile_directory() }}/{{ module_dir }} + terraform init \ + -backend-config="bucket={{ backend_bucket_name }}" \ + -backend-config="key={{ backend_bucket_key }}" \ + -backend-config="region={{ backend_bucket_region }}" + RHCS_TOKEN="" AWS_REGION="eu-west-2" terraform plan -out=tfplan + terraform show -json tfplan | jq > tfplan.json + mkdir -p {{ relative_output_path }} + jq --sort-keys '.planned_values.root_module' tfplan.json > {{ relative_output_path }}tfplan.json + rm -rf tfplan tfplan.json + # Install all the tooling install-tooling: asdf-install # Install asdf plugins -asdf-plugins: +asdf-plugins tool_versions_dir="./": #!/bin/sh echo "Installing asdf plugins" - for plugin in $(awk '{print $1}' .tool-versions); do \ + for plugin in $(awk '{print $1}' {{tool_versions_dir}}.tool-versions); do \ asdf plugin add ${plugin} 2>&1 | (grep "already added" && exit 0); \ done @@ -29,3 +42,14 @@ asdf-plugins: # Install tools using asdf asdf-install: asdf-plugins asdf install + +# Install tooling of the current dir (https://just.systems/man/en/working-directory.html) +[no-cd] +install-tooling-current-dir: asdf-install-current-dir + +[no-cd] +asdf-install-current-dir: + #!/bin/sh + + just asdf-plugins "$(pwd)/" + asdf install diff --git a/lychee-links.toml b/lychee-links.toml new file mode 100644 index 000000000..8fe7ed815 --- /dev/null +++ b/lychee-links.toml 
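Review bot: The new `regenerate-golden-file` recipe in the justfile runs under `#!/bin/bash` without `set -euo pipefail`, so a failed `cd`, `terraform init` or `terraform plan` does not stop it. The later `jq --sort-keys ... > {{ relative_output_path }}tfplan.json` then truncates the golden file with empty output, and `rm -rf tfplan tfplan.json` runs in whatever directory the shell ended up in. I would add `set -euo pipefail` as the first line after the shebang and quote the interpolated arguments, for example `cd "{{ justfile_directory() }}/{{ module_dir }}"`. The intermediate `tfplan.json` holds the full plan, so a short comment noting that it is removed on purpose before anything is committed would also help.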
@@ -0,0 +1,19 @@ +# Cache the results of Lychee if ran locally in order to minimise the chance of rate limiting +cache = true +# Ignore all private link (such as localhost) to avoid errors +exclude_all_private = true +# HTTP status code: 429 (Too Many Requests) will also be treated as a valid link if Lychee gets rate limited +accept = ["200", "403"] +# retry +max_retries = 6 +retry_wait_time = 10 +max_concurrency = 3 + +# Exclude all unsupported versioned_docs +exclude_path = [ +] + +# Explicitly exclude some URLs +exclude = [ + "^file:", +] From 00165c594e4fb8fb6fc05d9b7de86ca2589722b5 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 5 Mar 2025 22:21:25 +0100 Subject: [PATCH 04/65] fix golden plan --- ...penshift_rosa_hcp_single_region_golden.yml | 8 +- .gitignore | 2 + .../test/golden/tfplan-golden.json | 2571 +++++++++++++++++ justfile | 25 +- 4 files changed, 2599 insertions(+), 7 deletions(-) create mode 100644 aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml index 0f54752b5..c59a896ab 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml 
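Review bot: The comment above `accept` in lychee-links.toml says that 429 is treated as a valid link, but the value is `accept = ["200", "403"]`, so the comment and the setting disagree. As written, a rate-limited response still fails the check, while any 403 passes, which means a link that was moved behind authentication or blocked is reported as healthy. Either change the value to `accept = ["200", "429"]` to match the comment, or keep 403 and reword the comment to say why forbidden responses are acceptable. The `exclude_path` list is empty although its comment announces exclusions, which is worth a `# none yet` remark.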
@@ -67,21 +67,21 @@ jobs: uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4 with: name: plan-artifact-json - path: ${{ env.MODULE_DIR }}compare/tfplan.json + path: ${{ env.MODULE_DIR }}compare/tfplan-golden.json retention-days: 1 - name: Compare Terraform plan with golden file working-directory: aws/ec2/terraform run: | - delta "${{ env.MODULE_DIR }}test/golden/tfplan.json" "${{ env.MODULE_DIR }}compare/tfplan.json" + delta "${{ env.MODULE_DIR }}test/golden/tfplan-golden.json" "${{ env.MODULE_DIR }}compare/tfplan-golden.json" exit $? - name: Post diff on PR if: always() && github.event_name == 'pull_request' uses: int128/diff-action@db6cce01542cb26e181798736eea1e71f5d36706 # v1 with: - base: ${{ env.MODULE_DIR }}test/golden/tfplan.json - head: ${{ env.MODULE_DIR }}compare/tfplan.json + base: ${{ env.MODULE_DIR }}test/golden/tfplan-golden.json + head: ${{ env.MODULE_DIR }}compare/tfplan-golden.json comment-header: | ## Module ${{ env.MODULE_DIR }} - Terraform Golden Plan Diff diff --git a/.gitignore b/.gitignore index 4cb3b8d86..79f7cd0fc 100644 --- a/.gitignore +++ b/.gitignore @@ -58,6 +58,8 @@ Temporary Items *.tfstate.* .terraform.lock.hcl *.plan +tfplan.json +tfplan-redacted.json # Crash log files crash.log diff --git a/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json b/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json new file mode 100644 index 000000000..081844519 --- /dev/null +++ b/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json 
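Review bot: The "Compare Terraform plan with golden file" step keeps `working-directory: aws/ec2/terraform`, which looks carried over from the EC2 workflow this file was derived from. The `delta` paths built from `${{ env.MODULE_DIR }}` are resolved relative to that directory, whereas the upload-artifact and diff-action steps resolve the same paths from the workspace root; if `MODULE_DIR` is a relative path (its definition is outside this hunk), the compare step reads different files from the ones that are uploaded and posted. I would drop the `working-directory` line or point it at the ROSA module. The trailing `exit $?` adds nothing, since the step already fails on a non-zero `delta` status.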
@@ -0,0 +1,2571 @@ +{ + "child_modules": [ + { + "address": "module.rosa_cluster", + "child_modules": [ + { + "address": "module.rosa_cluster.module.vpc", + "resources": [ + { + "address": "module.rosa_cluster.module.vpc.aws_eip.eip[0]", + "index": 0, + "mode": "managed", + "name": "eip", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_eip", + "values": { + "address": null, + "associate_with_private_ip": null, + "customer_owned_ipv4_pool": null, + "domain": "vpc", + "tags": { + "Name": "my-rosa-eip-eu-north-1a" + }, + "tags_all": { + "Name": "my-rosa-eip-eu-north-1a" + }, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_eip.eip[1]", + "index": 1, + "mode": "managed", + "name": "eip", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_eip", + "values": { + "address": null, + "associate_with_private_ip": null, + "customer_owned_ipv4_pool": null, + "domain": "vpc", + "tags": { + "Name": "my-rosa-eip-eu-north-1b" + }, + "tags_all": { + "Name": "my-rosa-eip-eu-north-1b" + }, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_eip.eip[2]", + "index": 2, + "mode": "managed", + "name": "eip", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_eip", + "values": { + "address": null, + "associate_with_private_ip": null, + "customer_owned_ipv4_pool": null, + "domain": "vpc", + "tags": { + "Name": "my-rosa-eip-eu-north-1c" + }, + "tags_all": { + "Name": "my-rosa-eip-eu-north-1c" + }, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_internet_gateway.internet_gateway", + "mode": "managed", + "name": "internet_gateway", + "provider_name": "registry.terraform.io/hashicorp/aws", 
+ "schema_version": 0, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_internet_gateway", + "values": { + "tags": { + "Name": "my-rosa-igw" + }, + "tags_all": { + "Name": "my-rosa-igw" + }, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[0]", + "index": 0, + "mode": "managed", + "name": "public_nat_gateway", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "secondary_private_ip_addresses": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_nat_gateway", + "values": { + "connectivity_type": "public", + "secondary_allocation_ids": null, + "tags": { + "Name": "my-rosa-nat-public0-eu-north-1a" + }, + "tags_all": { + "Name": "my-rosa-nat-public0-eu-north-1a" + }, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[1]", + "index": 1, + "mode": "managed", + "name": "public_nat_gateway", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "secondary_private_ip_addresses": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_nat_gateway", + "values": { + "connectivity_type": "public", + "secondary_allocation_ids": null, + "tags": { + "Name": "my-rosa-nat-public1-eu-north-1b" + }, + "tags_all": { + "Name": "my-rosa-nat-public1-eu-north-1b" + }, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[2]", + "index": 2, + "mode": "managed", + "name": "public_nat_gateway", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "secondary_private_ip_addresses": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_nat_gateway", + "values": { + "connectivity_type": "public", + "secondary_allocation_ids": null, + "tags": { + "Name": "my-rosa-nat-public2-eu-north-1c" + }, + "tags_all": { + "Name": 
"my-rosa-nat-public2-eu-north-1c" + }, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_route.ipv4_egress_route", + "mode": "managed", + "name": "ipv4_egress_route", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route", + "values": { + "carrier_gateway_id": null, + "core_network_arn": null, + "destination_cidr_block": "0.0.0.0/0", + "destination_ipv6_cidr_block": null, + "destination_prefix_list_id": null, + "egress_only_gateway_id": null, + "local_gateway_id": null, + "nat_gateway_id": null, + "timeouts": null, + "transit_gateway_id": null, + "vpc_endpoint_id": null, + "vpc_peering_connection_id": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_route.ipv6_egress_route", + "mode": "managed", + "name": "ipv6_egress_route", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route", + "values": { + "carrier_gateway_id": null, + "core_network_arn": null, + "destination_cidr_block": null, + "destination_ipv6_cidr_block": "::/0", + "destination_prefix_list_id": null, + "egress_only_gateway_id": null, + "local_gateway_id": null, + "nat_gateway_id": null, + "timeouts": null, + "transit_gateway_id": null, + "vpc_endpoint_id": null, + "vpc_peering_connection_id": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_route.private_nat[0]", + "index": 0, + "mode": "managed", + "name": "private_nat", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route", + "values": { + "carrier_gateway_id": null, + "core_network_arn": null, + "destination_cidr_block": "0.0.0.0/0", + "destination_ipv6_cidr_block": null, + "destination_prefix_list_id": null, + "egress_only_gateway_id": null, + "gateway_id": null, + "local_gateway_id": null, + "timeouts": null, + "transit_gateway_id": null, + "vpc_endpoint_id": 
null, + "vpc_peering_connection_id": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_route.private_nat[1]", + "index": 1, + "mode": "managed", + "name": "private_nat", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route", + "values": { + "carrier_gateway_id": null, + "core_network_arn": null, + "destination_cidr_block": "0.0.0.0/0", + "destination_ipv6_cidr_block": null, + "destination_prefix_list_id": null, + "egress_only_gateway_id": null, + "gateway_id": null, + "local_gateway_id": null, + "timeouts": null, + "transit_gateway_id": null, + "vpc_endpoint_id": null, + "vpc_peering_connection_id": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_route.private_nat[2]", + "index": 2, + "mode": "managed", + "name": "private_nat", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route", + "values": { + "carrier_gateway_id": null, + "core_network_arn": null, + "destination_cidr_block": "0.0.0.0/0", + "destination_ipv6_cidr_block": null, + "destination_prefix_list_id": null, + "egress_only_gateway_id": null, + "gateway_id": null, + "local_gateway_id": null, + "timeouts": null, + "transit_gateway_id": null, + "vpc_endpoint_id": null, + "vpc_peering_connection_id": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[0]", + "index": 0, + "mode": "managed", + "name": "private_route_table", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "propagating_vgws": [], + "route": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_route_table", + "values": { + "tags": { + "Name": "my-rosa-rtb-private0-eu-north-1a" + }, + "tags_all": { + "Name": "my-rosa-rtb-private0-eu-north-1a" + }, + "timeouts": null + } + }, + { + "address": 
"module.rosa_cluster.module.vpc.aws_route_table.private_route_table[1]", + "index": 1, + "mode": "managed", + "name": "private_route_table", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "propagating_vgws": [], + "route": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_route_table", + "values": { + "tags": { + "Name": "my-rosa-rtb-private1-eu-north-1b" + }, + "tags_all": { + "Name": "my-rosa-rtb-private1-eu-north-1b" + }, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[2]", + "index": 2, + "mode": "managed", + "name": "private_route_table", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "propagating_vgws": [], + "route": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_route_table", + "values": { + "tags": { + "Name": "my-rosa-rtb-private2-eu-north-1c" + }, + "tags_all": { + "Name": "my-rosa-rtb-private2-eu-north-1c" + }, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_route_table.public_route_table", + "mode": "managed", + "name": "public_route_table", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "propagating_vgws": [], + "route": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_route_table", + "values": { + "tags": { + "Name": "my-rosa-public" + }, + "tags_all": { + "Name": "my-rosa-public" + }, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[0]", + "index": 0, + "mode": "managed", + "name": "private_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null + } + }, + { + "address": 
"module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[1]", + "index": 1, + "mode": "managed", + "name": "private_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[2]", + "index": 2, + "mode": "managed", + "name": "private_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[0]", + "index": 0, + "mode": "managed", + "name": "public_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[1]", + "index": 1, + "mode": "managed", + "name": "public_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[2]", + "index": 2, + "mode": "managed", + "name": "public_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null + 
} + }, + { + "address": "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[0]", + "index": 0, + "mode": "managed", + "name": "private_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1a", + "cidr_block": "10.0.12.0/22", + "customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-private1-eu-north-1a", + "kubernetes.io/role/internal-elb": "" + }, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[1]", + "index": 1, + "mode": "managed", + "name": "private_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1b", + "cidr_block": "10.0.16.0/22", + "customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-private2-eu-north-1b", + "kubernetes.io/role/internal-elb": "" + }, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[2]", + "index": 2, + "mode": "managed", + 
"name": "private_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1c", + "cidr_block": "10.0.20.0/22", + "customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-private3-eu-north-1c", + "kubernetes.io/role/internal-elb": "" + }, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[0]", + "index": 0, + "mode": "managed", + "name": "public_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1a", + "cidr_block": "10.0.0.0/22", + "customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-public1-eu-north-1a", + "kubernetes.io/role/elb": "" + }, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[1]", + "index": 1, + "mode": "managed", + "name": "public_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": 
{}, + "tags_all": {} + }, + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1b", + "cidr_block": "10.0.4.0/22", + "customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-public2-eu-north-1b", + "kubernetes.io/role/elb": "" + }, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[2]", + "index": 2, + "mode": "managed", + "name": "public_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1c", + "cidr_block": "10.0.8.0/22", + "customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-public3-eu-north-1c", + "kubernetes.io/role/elb": "" + }, + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_vpc.vpc", + "mode": "managed", + "name": "vpc", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_vpc", + "values": { + "assign_generated_ipv6_cidr_block": null, + "cidr_block": "10.0.0.0/16", + "enable_dns_hostnames": true, + "enable_dns_support": 
true, + "instance_tenancy": "default", + "ipv4_ipam_pool_id": null, + "ipv4_netmask_length": null, + "ipv6_ipam_pool_id": null, + "ipv6_netmask_length": null, + "tags": { + "Name": "my-rosa-vpc" + }, + "tags_all": { + "Name": "my-rosa-vpc" + } + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_vpc_endpoint.s3", + "mode": "managed", + "name": "s3", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "cidr_blocks": [], + "dns_entry": [], + "dns_options": [], + "network_interface_ids": [], + "route_table_ids": [], + "security_group_ids": [], + "subnet_configuration": [], + "subnet_ids": [], + "tags_all": {} + }, + "type": "aws_vpc_endpoint", + "values": { + "auto_accept": null, + "resource_configuration_arn": null, + "service_name": "com.amazonaws.eu-west-2.s3", + "service_network_arn": null, + "tags": null, + "timeouts": null, + "vpc_endpoint_type": "Gateway" + } + }, + { + "address": "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[0]", + "index": 0, + "mode": "managed", + "name": "private_vpc_endpoint_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_vpc_endpoint_route_table_association" + }, + { + "address": "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[1]", + "index": 1, + "mode": "managed", + "name": "private_vpc_endpoint_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_vpc_endpoint_route_table_association" + }, + { + "address": "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[2]", + "index": 2, + "mode": "managed", + "name": "private_vpc_endpoint_route_table_association", + "provider_name": 
"registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_vpc_endpoint_route_table_association" + }, + { + "address": "module.rosa_cluster.module.vpc.time_sleep.vpc_resources_wait", + "mode": "managed", + "name": "vpc_resources_wait", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "sensitive_values": { + "triggers": {} + }, + "type": "time_sleep", + "values": { + "create_duration": "20s", + "destroy_duration": "20s", + "triggers": { + "cidr_block": "10.0.0.0/16" + } + } + } + ] + }, + { + "address": "module.rosa_cluster.module.rosa_hcp", + "child_modules": [ + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0]", + "resources": [ + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[0]", + "index": 0, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-openshift-image-registry-installer-cloud-creden", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "installer-cloud-credentials", + "operator_namespace": "openshift-image-registry", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "installer-cloud-credentials", + "operator_namespace": "openshift-image-registry", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[1]", + "index": 1, + "mode": 
"managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-openshift-ingress-operator-cloud-credentials", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "cloud-credentials", + "operator_namespace": "openshift-ingress-operator", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "cloud-credentials", + "operator_namespace": "openshift-ingress-operator", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[2]", + "index": 2, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-openshift-cluster-csi-drivers-ebs-cloud-credent", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "ebs-cloud-credentials", + "operator_namespace": "openshift-cluster-csi-drivers", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "ebs-cloud-credentials", + "operator_namespace": "openshift-cluster-csi-drivers", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + 
"rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[3]", + "index": 3, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-openshift-cloud-network-config-controller-cloud", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "cloud-credentials", + "operator_namespace": "openshift-cloud-network-config-controller", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "cloud-credentials", + "operator_namespace": "openshift-cloud-network-config-controller", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[4]", + "index": 4, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-kube-system-kube-controller-manager", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "kube-controller-manager", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + 
"rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "kube-controller-manager", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[5]", + "index": 5, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-kube-system-capa-controller-manager", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "capa-controller-manager", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "capa-controller-manager", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[6]", + "index": 6, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-kube-system-control-plane-operator", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "control-plane-operator", + 
"operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "control-plane-operator", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[7]", + "index": 7, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-kube-system-kms-provider", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "kms-provider", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "kms-provider", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[0]", + "index": 0, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-openshift-image-registry-installer-cloud-creden" + } + }, + { + "address": 
"module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[1]", + "index": 1, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-openshift-ingress-operator-cloud-credentials" + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[2]", + "index": 2, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-openshift-cluster-csi-drivers-ebs-cloud-credent" + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[3]", + "index": 3, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-openshift-cloud-network-config-controller-cloud" + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[4]", + "index": 4, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-kube-system-kube-controller-manager" 
+ } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[5]", + "index": 5, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-kube-system-capa-controller-manager" + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[6]", + "index": 6, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-kube-system-control-plane-operator" + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[7]", + "index": 7, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-kube-system-kms-provider" + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_caller_identity.current", + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_caller_identity" + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[0]", + "index": 0, + "mode": "data", + "name": "custom_trust_policy", + 
"provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false, + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator", + "system:serviceaccount:openshift-image-registry:registry" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[1]", + "index": 1, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:openshift-ingress-operator:ingress-operator" + ] + } + ], + "effect": "Allow", + 
"not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[2]", + "index": 2, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false, + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-operator", + "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-controller-sa" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[3]", + "index": 3, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } 
+ ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:openshift-cloud-network-config-controller:cloud-network-config-controller" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[4]", + "index": 4, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:kube-system:kube-controller-manager" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[5]", + "index": 
5, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:kube-system:capa-controller-manager" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[6]", + "index": 6, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:kube-system:control-plane-operator" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + 
"not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[7]", + "index": 7, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:kube-system:kms-provider" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].time_sleep.role_resources_propagation", + "mode": "managed", + "name": "role_resources_propagation", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "sensitive_values": { + "triggers": {} + }, + "type": "time_sleep", + "values": { + "create_duration": "20s", + "destroy_duration": null, + "triggers": { + "operator_policy_arns": "[\"ARN_REDACTED", + "operator_role_prefix": "my-rosa-operator" + } + } + } + ] + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0]", + "resources": [ + { + "address": 
"module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[0]", + "index": 0, + "mode": "managed", + "name": "account_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-account-HCP-ROSA-Installer-Role", + "path": "/", + "permissions_boundary": "", + "tags": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "installer" + }, + "tags_all": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "installer" + } + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[1]", + "index": 1, + "mode": "managed", + "name": "account_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-account-HCP-ROSA-Support-Role", + "path": "/", + "permissions_boundary": "", + "tags": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "support" + }, + "tags_all": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": 
"my-rosa-account", + "rosa_role_type": "support" + } + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[2]", + "index": 2, + "mode": "managed", + "name": "account_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-account-HCP-ROSA-Worker-Role", + "path": "/", + "permissions_boundary": "", + "tags": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "instance_worker" + }, + "tags_all": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "instance_worker" + } + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[0]", + "index": 0, + "mode": "managed", + "name": "account_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-account-HCP-ROSA-Installer-Role" + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[1]", + "index": 1, + "mode": "managed", + "name": "account_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + 
"policy_arn": "ARN_REDACTED", + "role": "my-rosa-account-HCP-ROSA-Support-Role" + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[2]", + "index": 2, + "mode": "managed", + "name": "account_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-account-HCP-ROSA-Worker-Role" + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[0]", + "index": 0, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRole" + ], + "condition": [], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "AWS" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[1]", + "index": 1, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [], + "not_principals": [], + "principals": [ + { + 
"identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRole" + ], + "condition": [], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "AWS" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[2]", + "index": 2, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRole" + ], + "condition": [], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + "ec2.amazonaws.com" + ], + "type": "Service" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_partition.current", + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_partition" + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_hcp_policies.all_policies", + "mode": 
"data", + "name": "all_policies", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": { + "account_role_policies": {}, + "operator_role_policies": {} + }, + "type": "rhcs_hcp_policies" + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_info.current", + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": {}, + "type": "rhcs_info" + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].time_sleep.account_iam_resources_wait", + "mode": "managed", + "name": "account_iam_resources_wait", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "sensitive_values": { + "triggers": {} + }, + "type": "time_sleep", + "values": { + "create_duration": "10s", + "destroy_duration": "10s", + "triggers": { + "account_iam_role_name": "[\"my-rosa-account-HCP-ROSA-Installer-Role\",\"my-rosa-account-HCP-ROSA-Support-Role\",\"my-rosa-account-HCP-ROSA-Worker-Role\"]", + "account_policy_arns": "[\"ARN_REDACTED", + "account_role_prefix": "my-rosa-account", + "path": "/" + } + } + } + ] + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp", + "resources": [ + { + "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_caller_identity.current[0]", + "index": 0, + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_caller_identity" + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_region.current[0]", + "index": 0, + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_region" + }, + { + "address": 
"module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[0]", + "index": 0, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[1]", + "index": 1, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[2]", + "index": 2, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[3]", + "index": 3, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[4]", + "index": 4, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + }, + { + "address": 
"module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[5]", + "index": 5, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_cluster_rosa_hcp.rosa_hcp_cluster", + "mode": "managed", + "name": "rosa_hcp_cluster", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": { + "admin_credentials": true, + "availability_zones": [ + false, + false, + false + ], + "aws_subnet_ids": [ + false, + false, + false, + false, + false, + false + ], + "ocm_properties": {}, + "properties": {}, + "sts": { + "instance_iam_roles": {} + }, + "tags": {} + }, + "type": "rhcs_cluster_rosa_hcp", + "values": { + "availability_zones": [ + "eu-north-1a", + "eu-north-1b", + "eu-north-1c" + ], + "aws_additional_allowed_principals": null, + "aws_additional_compute_security_group_ids": null, + "aws_subnet_ids": [ + null, + null, + null, + null, + null, + null + ], + "channel_group": "stable", + "compute_machine_type": "m7i.xlarge", + "create_admin_user": null, + "destroy_timeout": null, + "disable_waiting_in_destroy": null, + "ec2_metadata_http_tokens": "optional", + "etcd_kms_key_arn": null, + "host_prefix": 23, + "kms_key_arn": null, + "machine_cidr": "10.0.0.0/18", + "max_hcp_cluster_wait_timeout_in_minutes": null, + "max_machinepool_wait_timeout_in_minutes": null, + "name": "my-rosa", + "pod_cidr": "10.0.64.0/18", + "private": false, + "properties": { + "rosa_creator_arn": "ARN_REDACTED" + }, + "proxy": null, + "registry_config": null, + "replicas": 6, + "service_cidr": "10.0.128.0/18", + "shared_vpc": null, + "sts": { + "instance_iam_roles": {}, + "operator_role_prefix": "my-rosa-operator" + }, + "tags": { + 
"owner": "ARN_REDACTED" + }, + "upgrade_acknowledgements_for": null, + "version": "4.17.16", + "wait_for_create_complete": true, + "wait_for_std_compute_nodes_complete": true, + "worker_disk_size": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_hcp_default_ingress.default_ingress", + "mode": "managed", + "name": "default_ingress", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": {}, + "type": "rhcs_hcp_default_ingress", + "values": { + "listening_method": "external" + } + } + ] + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0]", + "resources": [ + { + "address": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].aws_iam_openid_connect_provider.oidc_provider", + "mode": "managed", + "name": "oidc_provider", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "client_id_list": [ + false, + false + ], + "tags": {}, + "tags_all": {}, + "thumbprint_list": [] + }, + "type": "aws_iam_openid_connect_provider", + "values": { + "client_id_list": [ + "openshift", + "sts.amazonaws.com" + ], + "tags": { + "owner": "ARN_REDACTED" + }, + "tags_all": { + "owner": "ARN_REDACTED" + } + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].data.aws_region.current", + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_region" + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].null_resource.unmanaged_vars_validation", + "mode": "managed", + "name": "unmanaged_vars_validation", + "provider_name": "registry.terraform.io/hashicorp/null", + "schema_version": 0, + "sensitive_values": {}, + "type": "null_resource", + "values": { + "triggers": null + } + }, + { + "address": 
"module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].rhcs_rosa_oidc_config.oidc_config", + "mode": "managed", + "name": "oidc_config", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": {}, + "type": "rhcs_rosa_oidc_config", + "values": { + "installer_role_arn": null, + "managed": true, + "secret_arn": null + } + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].time_sleep.wait_10_seconds", + "mode": "managed", + "name": "wait_10_seconds", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "sensitive_values": { + "triggers": {} + }, + "type": "time_sleep", + "values": { + "create_duration": "10s", + "destroy_duration": "10s", + "triggers": { + "discover_doc_object": null, + "policy_attached_to_bucket": null, + "public_access_block_attached_to_bucket": null, + "s3_object": null, + "secret_arn": null + } + } + } + ] + } + ], + "resources": [ + { + "address": "module.rosa_cluster.module.rosa_hcp.data.aws_caller_identity.current", + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_caller_identity" + }, + { + "address": "module.rosa_cluster.module.rosa_hcp.null_resource.validations", + "mode": "managed", + "name": "validations", + "provider_name": "registry.terraform.io/hashicorp/null", + "schema_version": 0, + "sensitive_values": {}, + "type": "null_resource", + "values": { + "triggers": null + } + } + ] + }, + { + "address": "module.rosa_cluster.module.htpasswd_idp", + "resources": [ + { + "address": "module.rosa_cluster.module.htpasswd_idp.rhcs_identity_provider.htpasswd_identity_provider[0]", + "index": 0, + "mode": "managed", + "name": "htpasswd_identity_provider", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": { + "htpasswd": { + "users": 
true + } + }, + "type": "rhcs_identity_provider", + "values": { + "github": null, + "gitlab": null, + "google": null, + "htpasswd": { + "users": [ + { + "password": "CHANGEME1234r!", + "username": "kubeadmin" + } + ] + }, + "ldap": null, + "mapping_method": "claim", + "name": "htpasswd-idp", + "openid": null + } + } + ] + } + ] + } + ] +} diff --git a/justfile b/justfile index 93ff02b6e..0006c2be2 100644 --- a/justfile +++ b/justfile @@ -1,6 +1,8 @@ regenerate-aws-ec2-golden-file: #!/bin/bash + set -euxo pipefail + cd {{justfile_directory()}}/aws/ec2/terraform cp {{justfile_directory()}}/aws/ec2/test/fixtures/provider_override.tf . export AWS_REGION="eu-west-2" 
@@ -13,16 +15,34 @@ regenerate-aws-ec2-golden-file: regenerate-golden-file module_dir backend_bucket_region backend_bucket_name backend_bucket_key relative_output_path="./test/golden/": #!/bin/bash + set -euxo pipefail + cd {{ justfile_directory() }}/{{ module_dir }} terraform init \ -backend-config="bucket={{ backend_bucket_name }}" \ -backend-config="key={{ backend_bucket_key }}" \ -backend-config="region={{ backend_bucket_region }}" + + # we always use the same region and fake rhcs token to have a pre-defined output RHCS_TOKEN="" AWS_REGION="eu-west-2" terraform plan -out=tfplan terraform show -json tfplan | jq > tfplan.json + rm -f tfplan mkdir -p {{ relative_output_path }} - jq --sort-keys '.planned_values.root_module' tfplan.json > {{ relative_output_path }}tfplan.json - rm -rf tfplan tfplan.json + + # redact sensible/specific values + sed 's/"arn:[^\"]*\"/"ARN_REDACTED"/g' tfplan.json > tfplan-redacted.json + rm -f tfplan.json + sed -E 's/"arn:([^"\\]|\\.)*"/"ARN_REDACTED"/g; s/'\''arn:([^'\''\\]|\\.)*'\''/'\''ARN_REDACTED'\''/g' tfplan-redacted.json > tfplan.json + rm -f tfplan-redacted.json + + # bring order + jq --sort-keys '.planned_values.root_module' tfplan.json > {{ relative_output_path }}tfplan-golden.json + rm -f tfplan.json + + if grep -E -q '\b@camunda\.[A-Za-z]{2,}\b' {{ relative_output_path }}tfplan-golden.json; then + echo "ERROR: The golden file {{ relative_output_path }}tfplan-golden.json file contains user-specific information." + exit 1 + fi # Install all the tooling @@ -50,6 +70,5 @@ install-tooling-current-dir: asdf-install-current-dir [no-cd] asdf-install-current-dir: #!/bin/sh - just asdf-plugins "$(pwd)/" asdf install From dcd5d60b0b673d7a3af5f1a62968dca45124f332 Mon Sep 17 00:00:00 2001 
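Review bot: The leak guard at the end of `regenerate-golden-file` only greps for `@camunda.` addresses, so values Terraform marks as sensitive still reach the committed golden file. The `tfplan-golden.json` added in this same patch shows it: the htpasswd `password` appears in clear under `values` even though `sensitive_values` flags `users` as `true`. `terraform show -json` prints sensitive values in plain text and the two `sed` passes only rewrite `arn:` strings, so I would add a jq step that masks every path flagged in `sensitive_values` before the golden file is produced. The guard also runs after the file is already in place; writing to a temporary file first, `jq --sort-keys '.planned_values.root_module' tfplan.json > "$tmp_golden"`, and doing `mv "$tmp_golden" {{ relative_output_path }}tfplan-golden.json` only once the check passes would keep a rejected file out of the tree. Separately, the `sed -E` expression over-matches inside JSON-escaped lists, which appears to be why `account_policy_arns` ends up as `"[\"ARN_REDACTED"` in the golden file.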
From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 5 Mar 2025 22:27:30 +0100 Subject: [PATCH 05/65] fix fresh namespace
--- ...openshift_rosa_hcp_single_region_tests.yml | 38 +++++++++++++------ 1 file changed, 26 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml
index e16e84e2a..848154cc9 100644
--- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml
+++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml
@@ -270,21 +270,35 @@ jobs: rm encrypted_kubeconfig.enc chmod 600 "$HOME/.kube/config" - - name: 🛠️ Prepare a FRESH deployment for generic/openshift/single-region + - name: 🏗️ Prepare a fresh namespace for the tests + # we need to retry due as the cluster has just been created and the permissions are sometime refused + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3 + id: kube_config + with: + timeout_minutes: 10 + max_attempts: 40 + shell: bash + retry_wait_seconds: 15 + command: | + : # see https://github.com/nick-fields/retry/issues/133 + set -o errexit + set -o pipefail + + # Delete the namespace to ensure a fresh start + if kubectl get namespace "$TEST_NAMESPACE" &>/dev/null; then + kubectl delete namespace "$TEST_NAMESPACE" --wait + while kubectl get namespace "$TEST_NAMESPACE" &>/dev/null; do + echo "Namespace $TEST_NAMESPACE still being deleted, waiting..." + sleep 5 + done + fi + + kubectl create namespace "$TEST_NAMESPACE" + + - name: 🛠️ Assemble deployment values of generic/openshift/single-region run: | set -euxo pipefail # tolerate, nothing. - # Delete the namespace to ensure a fresh start - if kubectl get namespace "$TEST_NAMESPACE" &>/dev/null; then - kubectl delete namespace "$TEST_NAMESPACE" --wait - while kubectl get namespace "$TEST_NAMESPACE" &>/dev/null; do - echo "Namespace $TEST_NAMESPACE still being deleted, waiting..." - sleep 5 - done - fi - - kubectl create namespace "$TEST_NAMESPACE" - echo "Construct the values.yml file" cp generic/openshift/single-region/helm-values/base.yml ./values.yml From 48f95653a5fddb252adec90533e1af15fb08c970 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 5 Mar 2025 22:32:50 +0100 Subject: [PATCH 06/65] re-sort --- justfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/justfile b/justfile index 0006c2be2..a4fac00a1 100644 --- a/justfile +++ b/justfile 
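Review bot: The retried `command` block sets only `errexit` and `pipefail`, whereas the step this code was moved out of runs under `set -euxo pipefail`. Without `nounset`, an unset `TEST_NAMESPACE` expands to an empty name and the failing `kubectl` calls would be retried up to 40 times instead of stopping at once; add `set -o nounset` next to the other two options. The new step also carries `id: kube_config`, which reads like a leftover from a kubeconfig step. If that id is already used earlier in the job the workflow will be rejected, so something like `id: fresh_namespace` is safer; the earlier steps are outside this hunk, so this needs confirming against the full file.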
@@ -36,7 +36,7 @@ regenerate-golden-file module_dir backend_bucket_region backend_bucket_name back rm -f tfplan-redacted.json # bring order - jq --sort-keys '.planned_values.root_module' tfplan.json > {{ relative_output_path }}tfplan-golden.json + jq --sort-keys '.' tfplan.json > {{ relative_output_path }}tfplan-golden.json rm -f tfplan.json if grep -E -q '\b@camunda\.[A-Za-z]{2,}\b' {{ relative_output_path }}tfplan-golden.json; then From 3e9c964e9311ff12180536231e3ea57972b6f78e Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 5 Mar 2025 22:58:15 +0100 Subject: [PATCH 07/65] fix sort of json --- .../test/golden/tfplan-golden.json | 2236 ++++++++--------- justfile | 23 +- 2 files changed, 1140 insertions(+), 1119 deletions(-) diff --git a/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json b/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json index 081844519..4b0dddc0c 100644 --- a/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json +++ b/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json @@ -1,15 +1,14 @@ { "child_modules": [ { - "address": "module.rosa_cluster", "child_modules": [ { - "address": "module.rosa_cluster.module.vpc", + "module.rosa_cluster.module.vpc": "module.rosa_cluster.module.vpc", "resources": [ { - "address": "module.rosa_cluster.module.vpc.aws_eip.eip[0]", "index": 0, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_eip.eip[0]": "module.rosa_cluster.module.vpc.aws_eip.eip[0]", "name": "eip", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -33,9 +32,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_eip.eip[1]", "index": 1, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_eip.eip[1]": "module.rosa_cluster.module.vpc.aws_eip.eip[1]", "name": "eip", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, 
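Review bot: Switching the filter to `jq --sort-keys '.'` makes the golden file the whole plan document rather than `.planned_values.root_module`. The other top-level sections of Terraform's JSON plan (`variables`, `resource_changes`, `prior_state`, `configuration`) are then committed with only the `arn:` rewrite and the `@camunda.` grep as protection. `variables` holds the input values as supplied, so anything passed through tfvars or `TF_VAR_*` would land in `tfplan-golden.json`. If the aim is only stable ordering, keep the narrower selection, `jq --sort-keys '.planned_values.root_module' tfplan.json`, and extend the `# bring order` comment to say that `--sort-keys` orders object keys but not array elements. The recipe body starts above this hunk.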
@@ -59,9 +58,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_eip.eip[2]", "index": 2, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_eip.eip[2]": "module.rosa_cluster.module.vpc.aws_eip.eip[2]", "name": "eip", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -85,8 +84,8 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_internet_gateway.internet_gateway", "mode": "managed", + "module.rosa_cluster.module.vpc.aws_internet_gateway.internet_gateway": "module.rosa_cluster.module.vpc.aws_internet_gateway.internet_gateway", "name": "internet_gateway", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -106,9 +105,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[0]", "index": 0, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[0]": "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[0]", "name": "public_nat_gateway", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -131,9 +130,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[1]", "index": 1, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[1]": "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[1]", "name": "public_nat_gateway", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -156,9 +155,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[2]", "index": 2, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[2]": "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[2]", "name": "public_nat_gateway", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, 
@@ -181,8 +180,8 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_route.ipv4_egress_route", "mode": "managed", + "module.rosa_cluster.module.vpc.aws_route.ipv4_egress_route": "module.rosa_cluster.module.vpc.aws_route.ipv4_egress_route", "name": "ipv4_egress_route", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -204,8 +203,8 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_route.ipv6_egress_route", "mode": "managed", + "module.rosa_cluster.module.vpc.aws_route.ipv6_egress_route": "module.rosa_cluster.module.vpc.aws_route.ipv6_egress_route", "name": "ipv6_egress_route", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -227,9 +226,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_route.private_nat[0]", "index": 0, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_route.private_nat[0]": "module.rosa_cluster.module.vpc.aws_route.private_nat[0]", "name": "private_nat", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -251,9 +250,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_route.private_nat[1]", "index": 1, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_route.private_nat[1]": "module.rosa_cluster.module.vpc.aws_route.private_nat[1]", "name": "private_nat", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -275,9 +274,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_route.private_nat[2]", "index": 2, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_route.private_nat[2]": "module.rosa_cluster.module.vpc.aws_route.private_nat[2]", "name": "private_nat", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, 
@@ -299,9 +298,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[0]", "index": 0, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[0]": "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[0]", "name": "private_route_table", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -323,9 +322,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[1]", "index": 1, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[1]": "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[1]", "name": "private_route_table", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -347,9 +346,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[2]", "index": 2, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[2]": "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[2]", "name": "private_route_table", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -371,8 +370,8 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_route_table.public_route_table", "mode": "managed", + "module.rosa_cluster.module.vpc.aws_route_table.public_route_table": "module.rosa_cluster.module.vpc.aws_route_table.public_route_table", "name": "public_route_table", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, 
@@ -394,9 +393,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[0]", "index": 0, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[0]": "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[0]", "name": "private_route_table_association", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -408,9 +407,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[1]", "index": 1, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[1]": "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[1]", "name": "private_route_table_association", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -422,9 +421,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[2]", "index": 2, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[2]": "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[2]", "name": "private_route_table_association", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -436,9 +435,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[0]", "index": 0, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[0]": "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[0]", "name": "public_route_table_association", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, 
@@ -450,9 +449,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[1]", "index": 1, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[1]": "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[1]", "name": "public_route_table_association", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -464,9 +463,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[2]", "index": 2, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[2]": "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[2]", "name": "public_route_table_association", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -478,9 +477,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[0]", "index": 0, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[0]": "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[0]", "name": "private_subnet", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 1, @@ -511,9 +510,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[1]", "index": 1, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[1]": "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[1]", "name": "private_subnet", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 1, 
@@ -544,9 +543,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[2]", "index": 2, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[2]": "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[2]", "name": "private_subnet", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 1, @@ -577,9 +576,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[0]", "index": 0, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[0]": "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[0]", "name": "public_subnet", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 1, @@ -610,9 +609,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[1]", "index": 1, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[1]": "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[1]", "name": "public_subnet", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 1, @@ -643,9 +642,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[2]", "index": 2, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[2]": "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[2]", "name": "public_subnet", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 1, @@ -676,8 +675,8 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_vpc.vpc", "mode": "managed", + "module.rosa_cluster.module.vpc.aws_vpc.vpc": "module.rosa_cluster.module.vpc.aws_vpc.vpc", "name": "vpc", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 1, 
@@ -705,8 +704,8 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_vpc_endpoint.s3", "mode": "managed", + "module.rosa_cluster.module.vpc.aws_vpc_endpoint.s3": "module.rosa_cluster.module.vpc.aws_vpc_endpoint.s3", "name": "s3", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -733,9 +732,9 @@ } }, { - "address": "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[0]", "index": 0, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[0]": "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[0]", "name": "private_vpc_endpoint_route_table_association", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -743,9 +742,9 @@ "type": "aws_vpc_endpoint_route_table_association" }, { - "address": "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[1]", "index": 1, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[1]": "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[1]", "name": "private_vpc_endpoint_route_table_association", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, 
@@ -753,9 +752,9 @@ "type": "aws_vpc_endpoint_route_table_association" }, { - "address": "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[2]", "index": 2, "mode": "managed", + "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[2]": "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[2]", "name": "private_vpc_endpoint_route_table_association", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -763,8 +762,8 @@ "type": "aws_vpc_endpoint_route_table_association" }, { - "address": "module.rosa_cluster.module.vpc.time_sleep.vpc_resources_wait", "mode": "managed", + "module.rosa_cluster.module.vpc.time_sleep.vpc_resources_wait": "module.rosa_cluster.module.vpc.time_sleep.vpc_resources_wait", "name": "vpc_resources_wait", "provider_name": "registry.terraform.io/hashicorp/time", "schema_version": 0, 
@@ -783,250 +782,366 @@ ] }, { - "address": "module.rosa_cluster.module.rosa_hcp", "child_modules": [ { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0]", + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0]": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0]", "resources": [ { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[0]", - "index": 0, "mode": "managed", - "name": "operator_role", + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].aws_iam_openid_connect_provider.oidc_provider": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].aws_iam_openid_connect_provider.oidc_provider", + "name": "oidc_provider", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], + "client_id_list": [ + false, + false + ], "tags": {}, - "tags_all": {} + "tags_all": {}, + "thumbprint_list": [] }, - "type": "aws_iam_role", + "type": "aws_iam_openid_connect_provider", "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-openshift-image-registry-installer-cloud-creden", - "path": "/", - "permissions_boundary": "", + "client_id_list": [ + "openshift", + "sts.amazonaws.com" + ], "tags": { - "operator_name": "installer-cloud-credentials", - "operator_namespace": "openshift-image-registry", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "owner": "ARN_REDACTED" }, "tags_all": { - "operator_name": "installer-cloud-credentials", - "operator_namespace": "openshift-image-registry", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "owner": "ARN_REDACTED" } } }, { - "address": 
"module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[1]", - "index": 1, - "mode": "managed", - "name": "operator_role", + "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].data.aws_region.current": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].data.aws_region.current", + "name": "current", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", + "sensitive_values": {}, + "type": "aws_region" + }, + { + "mode": "managed", + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].null_resource.unmanaged_vars_validation": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].null_resource.unmanaged_vars_validation", + "name": "unmanaged_vars_validation", + "provider_name": "registry.terraform.io/hashicorp/null", + "schema_version": 0, + "sensitive_values": {}, + "type": "null_resource", "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-openshift-ingress-operator-cloud-credentials", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "cloud-credentials", - "operator_namespace": "openshift-ingress-operator", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - }, - "tags_all": { - "operator_name": "cloud-credentials", - "operator_namespace": "openshift-ingress-operator", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - } + "triggers": null } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[2]", - "index": 2, "mode": "managed", - "name": "operator_role", - "provider_name": 
"registry.terraform.io/hashicorp/aws", + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].rhcs_rosa_oidc_config.oidc_config": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].rhcs_rosa_oidc_config.oidc_config", + "name": "oidc_config", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": {}, + "type": "rhcs_rosa_oidc_config", + "values": { + "installer_role_arn": null, + "managed": true, + "secret_arn": null + } + }, + { + "mode": "managed", + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].time_sleep.wait_10_seconds": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].time_sleep.wait_10_seconds", + "name": "wait_10_seconds", + "provider_name": "registry.terraform.io/hashicorp/time", "schema_version": 0, "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} + "triggers": {} }, - "type": "aws_iam_role", + "type": "time_sleep", "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-openshift-cluster-csi-drivers-ebs-cloud-credent", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "ebs-cloud-credentials", - "operator_namespace": "openshift-cluster-csi-drivers", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - }, - "tags_all": { - "operator_name": "ebs-cloud-credentials", - "operator_namespace": "openshift-cluster-csi-drivers", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "create_duration": "10s", + "destroy_duration": "10s", + "triggers": { + "discover_doc_object": null, + "policy_attached_to_bucket": null, + "public_access_block_attached_to_bucket": null, + "s3_object": null, + "secret_arn": null } } + } + ] + }, + { + 
"module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp", + "resources": [ + { + "index": 0, + "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_caller_identity.current[0]": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_caller_identity.current[0]", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_caller_identity" }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[3]", - "index": 3, - "mode": "managed", - "name": "operator_role", + "index": 0, + "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_region.current[0]": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_region.current[0]", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_region" + }, + { + "index": 0, + "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[0]": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[0]", + "name": "provided_subnet", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} + "filter": [], + "tags": {} }, - "type": "aws_iam_role", + "type": "aws_subnet", "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-openshift-cloud-network-config-controller-cloud", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "cloud-credentials", - "operator_namespace": "openshift-cloud-network-config-controller", - "owner": "ARN_REDACTED", - 
"red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - }, - "tags_all": { - "operator_name": "cloud-credentials", - "operator_namespace": "openshift-cloud-network-config-controller", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - } + "filter": [], + "timeouts": null } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[4]", - "index": 4, - "mode": "managed", - "name": "operator_role", + "index": 1, + "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[1]": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[1]", + "name": "provided_subnet", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} + "filter": [], + "tags": {} }, - "type": "aws_iam_role", + "type": "aws_subnet", "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-kube-system-kube-controller-manager", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "kube-controller-manager", - "operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - }, - "tags_all": { - "operator_name": "kube-controller-manager", - "operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - } + "filter": [], + "timeouts": null } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[5]", - "index": 5, - "mode": "managed", - "name": "operator_role", + "index": 2, + "mode": "data", + 
"module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[2]": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[2]", + "name": "provided_subnet", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} + "filter": [], + "tags": {} }, - "type": "aws_iam_role", + "type": "aws_subnet", "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-kube-system-capa-controller-manager", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "capa-controller-manager", - "operator_namespace": "kube-system", + "filter": [], + "timeouts": null + } + }, + { + "index": 3, + "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[3]": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[3]", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + }, + { + "index": 4, + "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[4]": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[4]", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + }, + { + "index": 5, + "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[5]": 
"module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[5]", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + }, + { + "mode": "managed", + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_cluster_rosa_hcp.rosa_hcp_cluster": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_cluster_rosa_hcp.rosa_hcp_cluster", + "name": "rosa_hcp_cluster", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": { + "admin_credentials": true, + "availability_zones": [ + false, + false, + false + ], + "aws_subnet_ids": [ + false, + false, + false, + false, + false, + false + ], + "ocm_properties": {}, + "properties": {}, + "sts": { + "instance_iam_roles": {} + }, + "tags": {} + }, + "type": "rhcs_cluster_rosa_hcp", + "values": { + "availability_zones": [ + "eu-north-1a", + "eu-north-1b", + "eu-north-1c" + ], + "aws_additional_allowed_principals": null, + "aws_additional_compute_security_group_ids": null, + "aws_subnet_ids": [ + null, + null, + null, + null, + null, + null + ], + "channel_group": "stable", + "compute_machine_type": "m7i.xlarge", + "create_admin_user": null, + "destroy_timeout": null, + "disable_waiting_in_destroy": null, + "ec2_metadata_http_tokens": "optional", + "etcd_kms_key_arn": null, + "host_prefix": 23, + "kms_key_arn": null, + "machine_cidr": "10.0.0.0/18", + "max_hcp_cluster_wait_timeout_in_minutes": null, + "max_machinepool_wait_timeout_in_minutes": null, + "name": "my-rosa", + "pod_cidr": "10.0.64.0/18", + "private": false, + "properties": { + "rosa_creator_arn": "ARN_REDACTED" + }, + "proxy": null, + "registry_config": null, + "replicas": 6, + "service_cidr": "10.0.128.0/18", + "shared_vpc": null, + "sts": { + "instance_iam_roles": {}, + 
"operator_role_prefix": "my-rosa-operator" + }, + "tags": { + "owner": "ARN_REDACTED" + }, + "upgrade_acknowledgements_for": null, + "version": "4.17.16", + "wait_for_create_complete": true, + "wait_for_std_compute_nodes_complete": true, + "worker_disk_size": null + } + }, + { + "mode": "managed", + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_hcp_default_ingress.default_ingress": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_hcp_default_ingress.default_ingress", + "name": "default_ingress", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": {}, + "type": "rhcs_hcp_default_ingress", + "values": { + "listening_method": "external" + } + } + ] + }, + { + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0]", + "resources": [ + { + "index": 0, + "mode": "managed", + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[0]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[0]", + "name": "account_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-account-HCP-ROSA-Installer-Role", + "path": "/", + "permissions_boundary": "", + "tags": { "owner": "ARN_REDACTED", "red-hat-managed": "true", "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "installer" }, "tags_all": { - "operator_name": "capa-controller-manager", - "operator_namespace": "kube-system", "owner": "ARN_REDACTED", "red-hat-managed": "true", 
"rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "installer" } } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[6]", - "index": 6, + "index": 1, "mode": "managed", - "name": "operator_role", + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[1]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[1]", + "name": "account_role", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": { 
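Review bot: The planned values for `rhcs_cluster_rosa_hcp.rosa_hcp_cluster` in this hunk record `"ec2_metadata_http_tokens": "optional"`, so the cluster's instances would still accept IMDSv1 requests without a session token. That weakens the protection of instance-role credentials against request-forgery bugs in workloads. If the module exposes this input, set it to `required` in the Terraform configuration behind this fixture so the regenerated plan shows `"ec2_metadata_http_tokens": "required"`. The same block has `"private": false` and the default ingress uses `"listening_method": "external"`, which may be intended for a test cluster but should be a documented choice. This file appears to be generated plan output, so the change belongs in the source configuration rather than in the JSON.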
@@ -1040,32 +1155,32 @@ "description": null, "force_detach_policies": false, "max_session_duration": 3600, - "name": "my-rosa-operator-kube-system-control-plane-operator", + "name": "my-rosa-account-HCP-ROSA-Support-Role", "path": "/", "permissions_boundary": "", "tags": { - "operator_name": "control-plane-operator", - "operator_namespace": "kube-system", "owner": "ARN_REDACTED", "red-hat-managed": "true", "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "support" }, "tags_all": { - "operator_name": "control-plane-operator", - "operator_namespace": "kube-system", "owner": "ARN_REDACTED", "red-hat-managed": "true", "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "support" } } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[7]", - "index": 7, + "index": 2, "mode": "managed", - "name": "operator_role", + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[2]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[2]", + "name": "account_role", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": { 
@@ -1079,181 +1194,95 @@ "description": null, "force_detach_policies": false, "max_session_duration": 3600, - "name": "my-rosa-operator-kube-system-kms-provider", + "name": "my-rosa-account-HCP-ROSA-Worker-Role", "path": "/", "permissions_boundary": "", "tags": { - "operator_name": "kms-provider", - "operator_namespace": "kube-system", "owner": "ARN_REDACTED", "red-hat-managed": "true", "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "instance_worker" }, "tags_all": { - "operator_name": "kms-provider", - "operator_namespace": "kube-system", "owner": "ARN_REDACTED", "red-hat-managed": "true", "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "instance_worker" } } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[0]", "index": 0, "mode": "managed", - "name": "operator_role_policy_attachment", + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[0]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[0]", + "name": "account_role_policy_attachment", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": {}, "type": "aws_iam_role_policy_attachment", "values": { "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-openshift-image-registry-installer-cloud-creden" + "role": "my-rosa-account-HCP-ROSA-Installer-Role" } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[1]", "index": 1, "mode": "managed", - "name": "operator_role_policy_attachment", + 
"module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[1]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[1]", + "name": "account_role_policy_attachment", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": {}, "type": "aws_iam_role_policy_attachment", "values": { "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-openshift-ingress-operator-cloud-credentials" + "role": "my-rosa-account-HCP-ROSA-Support-Role" } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[2]", "index": 2, "mode": "managed", - "name": "operator_role_policy_attachment", + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[2]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[2]", + "name": "account_role_policy_attachment", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": {}, "type": "aws_iam_role_policy_attachment", "values": { "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-openshift-cluster-csi-drivers-ebs-cloud-credent" + "role": "my-rosa-account-HCP-ROSA-Worker-Role" } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[3]", - "index": 3, - "mode": "managed", - "name": "operator_role_policy_attachment", + "index": 0, + "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[0]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[0]", + "name": 
"custom_trust_policy", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-openshift-cloud-network-config-controller-cloud" - } - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[4]", - "index": 4, - "mode": "managed", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-kube-system-kube-controller-manager" - } - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[5]", - "index": 5, - "mode": "managed", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-kube-system-capa-controller-manager" - } - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[6]", - "index": 6, - "mode": "managed", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-kube-system-control-plane-operator" - } - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[7]", - "index": 7, - "mode": "managed", - "name": 
"operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-kube-system-kms-provider" - } - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_caller_identity.current", - "mode": "data", - "name": "current", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_caller_identity" - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[0]", - "index": 0, - "mode": "data", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false, - false - ] - } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } - ] - }, - "type": "aws_iam_policy_document", + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", "values": { "override_json": null, "override_policy_documents": null, @@ -1263,17 +1292,9 @@ "statement": [ { "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator", - "system:serviceaccount:openshift-image-registry:registry" - ] - } + "sts:AssumeRole" ], + "condition": [], "effect": "Allow", "not_actions": null, "not_principals": [], @@ -1283,7 +1304,7 @@ "identifiers": [ null ], - "type": "Federated" + "type": "AWS" } ], "resources": null, 
@@ -1294,9 +1315,9 @@ } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[1]", "index": 1, "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[1]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[1]", "name": "custom_trust_policy", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -1306,13 +1327,7 @@ "actions": [ false ], - "condition": [ - { - "values": [ - false - ] - } - ], + "condition": [], "not_principals": [], "principals": [ { @@ -1334,16 +1349,9 @@ "statement": [ { "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:openshift-ingress-operator:ingress-operator" - ] - } + "sts:AssumeRole" ], + "condition": [], "effect": "Allow", "not_actions": null, "not_principals": [], @@ -1353,7 +1361,7 @@ "identifiers": [ null ], - "type": "Federated" + "type": "AWS" } ], "resources": null, @@ -1364,9 +1372,9 @@ } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[2]", "index": 2, "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[2]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[2]", "name": "custom_trust_policy", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -1376,14 +1384,7 @@ "actions": [ false ], - "condition": [ - { - "values": [ - false, - false - ] - } - ], + "condition": [], "not_principals": [], "principals": [ { 
@@ -1405,17 +1406,9 @@ "statement": [ { "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-operator", - "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-controller-sa" - ] - } + "sts:AssumeRole" ], + "condition": [], "effect": "Allow", "not_actions": null, "not_principals": [], @@ -1423,9 +1416,9 @@ "principals": [ { "identifiers": [ - null + "ec2.amazonaws.com" ], - "type": "Federated" + "type": "Service" } ], "resources": null, 
@@ -1436,384 +1429,222 @@ } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[3]", - "index": 3, "mode": "data", - "name": "custom_trust_policy", + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_partition.current": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_partition.current", + "name": "current", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, + "sensitive_values": {}, + "type": "aws_partition" + }, + { + "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_hcp_policies.all_policies": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_hcp_policies.all_policies", + "name": "all_policies", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false - ] - } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } - ] + "account_role_policies": {}, + "operator_role_policies": {} }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:openshift-cloud-network-config-controller:cloud-network-config-controller" - ] - } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "Federated" - } - ], - "resources": null, - "sid": null - } - ], - "version": null - } + "type": "rhcs_hcp_policies" }, { - "address": 
"module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[4]", - "index": 4, "mode": "data", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_info.current": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_info.current", + "name": "current", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": {}, + "type": "rhcs_info" + }, + { + "mode": "managed", + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].time_sleep.account_iam_resources_wait": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].time_sleep.account_iam_resources_wait", + "name": "account_iam_resources_wait", + "provider_name": "registry.terraform.io/hashicorp/time", "schema_version": 0, "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false - ] - } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } - ] + "triggers": {} }, - "type": "aws_iam_policy_document", + "type": "time_sleep", "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:kube-system:kube-controller-manager" - ] - } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "Federated" - } - ], - "resources": null, - "sid": null - } - ], - "version": null + "create_duration": "10s", + "destroy_duration": "10s", + "triggers": { + "account_iam_role_name": 
"[\"my-rosa-account-HCP-ROSA-Installer-Role\",\"my-rosa-account-HCP-ROSA-Support-Role\",\"my-rosa-account-HCP-ROSA-Worker-Role\"]", + "account_policy_arns": "[\"ARN_REDACTED", + "account_role_prefix": "my-rosa-account", + "path": "/" + } } - }, + } + ] + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0]", + "resources": [ { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[5]", - "index": 5, - "mode": "data", - "name": "custom_trust_policy", + "index": 0, + "mode": "managed", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[0]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[0]", + "name": "operator_role", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false - ] - } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } - ] + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} }, - "type": "aws_iam_policy_document", + "type": "aws_iam_role", "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:kube-system:capa-controller-manager" - ] - } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "Federated" - } - ], - "resources": null, - "sid": null - } - ], - "version": null + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + 
"name": "my-rosa-operator-openshift-image-registry-installer-cloud-creden", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "installer-cloud-credentials", + "operator_namespace": "openshift-image-registry", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "installer-cloud-credentials", + "operator_namespace": "openshift-image-registry", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[6]", - "index": 6, - "mode": "data", - "name": "custom_trust_policy", + "index": 1, + "mode": "managed", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[1]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[1]", + "name": "operator_role", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false - ] - } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } - ] + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} }, - "type": "aws_iam_policy_document", + "type": "aws_iam_role", "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:kube-system:control-plane-operator" - ] - } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ 
- null - ], - "type": "Federated" - } - ], - "resources": null, - "sid": null - } - ], - "version": null + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-openshift-ingress-operator-cloud-credentials", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "cloud-credentials", + "operator_namespace": "openshift-ingress-operator", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "cloud-credentials", + "operator_namespace": "openshift-ingress-operator", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[7]", - "index": 7, - "mode": "data", - "name": "custom_trust_policy", + "index": 2, + "mode": "managed", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[2]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[2]", + "name": "operator_role", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false - ] - } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } - ] + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} }, - "type": "aws_iam_policy_document", + "type": "aws_iam_role", "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - 
"system:serviceaccount:kube-system:kms-provider" - ] - } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "Federated" - } - ], - "resources": null, - "sid": null - } - ], - "version": null + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-openshift-cluster-csi-drivers-ebs-cloud-credent", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "ebs-cloud-credentials", + "operator_namespace": "openshift-cluster-csi-drivers", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "ebs-cloud-credentials", + "operator_namespace": "openshift-cluster-csi-drivers", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].time_sleep.role_resources_propagation", + "index": 3, "mode": "managed", - "name": "role_resources_propagation", - "provider_name": "registry.terraform.io/hashicorp/time", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[3]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[3]", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": { - "triggers": {} + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} }, - "type": "time_sleep", + "type": "aws_iam_role", "values": { - "create_duration": "20s", - "destroy_duration": null, - "triggers": { - "operator_policy_arns": "[\"ARN_REDACTED", - "operator_role_prefix": "my-rosa-operator" + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": 
"my-rosa-operator-openshift-cloud-network-config-controller-cloud", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "cloud-credentials", + "operator_namespace": "openshift-cloud-network-config-controller", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "cloud-credentials", + "operator_namespace": "openshift-cloud-network-config-controller", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" } } - } - ] - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0]", - "resources": [ + }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[0]", - "index": 0, + "index": 4, "mode": "managed", - "name": "account_role", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[4]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[4]", + "name": "operator_role", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": { 
@@ -1827,32 +1658,32 @@ "description": null, "force_detach_policies": false, "max_session_duration": 3600, - "name": "my-rosa-account-HCP-ROSA-Installer-Role", + "name": "my-rosa-operator-kube-system-kube-controller-manager", "path": "/", "permissions_boundary": "", "tags": { + "operator_name": "kube-controller-manager", + "operator_namespace": "kube-system", "owner": "ARN_REDACTED", "red-hat-managed": "true", "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "installer" + "rosa_managed_policies": "true" }, "tags_all": { + "operator_name": "kube-controller-manager", + "operator_namespace": "kube-system", "owner": "ARN_REDACTED", "red-hat-managed": "true", "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "installer" + "rosa_managed_policies": "true" } } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[1]", - "index": 1, + "index": 5, "mode": "managed", - "name": "account_role", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[5]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[5]", + "name": "operator_role", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": { 
@@ -1866,32 +1697,32 @@ "description": null, "force_detach_policies": false, "max_session_duration": 3600, - "name": "my-rosa-account-HCP-ROSA-Support-Role", + "name": "my-rosa-operator-kube-system-capa-controller-manager", "path": "/", "permissions_boundary": "", "tags": { + "operator_name": "capa-controller-manager", + "operator_namespace": "kube-system", "owner": "ARN_REDACTED", "red-hat-managed": "true", "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "support" + "rosa_managed_policies": "true" }, "tags_all": { + "operator_name": "capa-controller-manager", + "operator_namespace": "kube-system", "owner": "ARN_REDACTED", "red-hat-managed": "true", "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "support" + "rosa_managed_policies": "true" } } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[2]", - "index": 2, + "index": 6, "mode": "managed", - "name": "account_role", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[6]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[6]", + "name": "operator_role", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": { 
@@ -1905,107 +1736,240 @@ "description": null, "force_detach_policies": false, "max_session_duration": 3600, - "name": "my-rosa-account-HCP-ROSA-Worker-Role", + "name": "my-rosa-operator-kube-system-control-plane-operator", "path": "/", "permissions_boundary": "", "tags": { + "operator_name": "control-plane-operator", + "operator_namespace": "kube-system", "owner": "ARN_REDACTED", "red-hat-managed": "true", "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "instance_worker" + "rosa_managed_policies": "true" }, "tags_all": { + "operator_name": "control-plane-operator", + "operator_namespace": "kube-system", "owner": "ARN_REDACTED", "red-hat-managed": "true", "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "instance_worker" + "rosa_managed_policies": "true" + } + } + }, + { + "index": 7, + "mode": "managed", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[7]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[7]", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-kube-system-kms-provider", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "kms-provider", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "kms-provider", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + 
"rosa_managed_policies": "true" } } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[0]", "index": 0, "mode": "managed", - "name": "account_role_policy_attachment", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[0]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[0]", + "name": "operator_role_policy_attachment", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": {}, "type": "aws_iam_role_policy_attachment", "values": { "policy_arn": "ARN_REDACTED", - "role": "my-rosa-account-HCP-ROSA-Installer-Role" + "role": "my-rosa-operator-openshift-image-registry-installer-cloud-creden" } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[1]", "index": 1, "mode": "managed", - "name": "account_role_policy_attachment", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[1]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[1]", + "name": "operator_role_policy_attachment", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": {}, "type": "aws_iam_role_policy_attachment", "values": { "policy_arn": "ARN_REDACTED", - "role": "my-rosa-account-HCP-ROSA-Support-Role" + "role": "my-rosa-operator-openshift-ingress-operator-cloud-credentials" } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[2]", "index": 2, "mode": "managed", - "name": "account_role_policy_attachment", + 
"module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[2]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[2]", + "name": "operator_role_policy_attachment", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": {}, "type": "aws_iam_role_policy_attachment", "values": { "policy_arn": "ARN_REDACTED", - "role": "my-rosa-account-HCP-ROSA-Worker-Role" + "role": "my-rosa-operator-openshift-cluster-csi-drivers-ebs-cloud-credent" } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[0]", - "index": 0, - "mode": "data", - "name": "custom_trust_policy", + "index": 3, + "mode": "managed", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[3]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[3]", + "name": "operator_role_policy_attachment", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, - "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } - ] - }, - "type": "aws_iam_policy_document", + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", "values": { - "override_json": null, - "override_policy_documents": null, + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-openshift-cloud-network-config-controller-cloud" + } + }, + { + "index": 4, + "mode": "managed", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[4]": 
"module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[4]", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-kube-system-kube-controller-manager" + } + }, + { + "index": 5, + "mode": "managed", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[5]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[5]", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-kube-system-capa-controller-manager" + } + }, + { + "index": 6, + "mode": "managed", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[6]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[6]", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-kube-system-control-plane-operator" + } + }, + { + "index": 7, + "mode": "managed", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[7]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[7]", + "name": 
"operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-kube-system-kms-provider" + } + }, + { + "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_caller_identity.current": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_caller_identity.current", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_caller_identity" + }, + { + "index": 0, + "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[0]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[0]", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false, + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, "policy_id": null, "source_json": null, "source_policy_documents": null, "statement": [ { "actions": [ - "sts:AssumeRole" + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator", + "system:serviceaccount:openshift-image-registry:registry" + ] + } ], - "condition": [], "effect": "Allow", "not_actions": null, "not_principals": [], @@ -2015,7 +1979,7 @@ "identifiers": [ null ], - "type": "AWS" + "type": "Federated" } ], "resources": null, 
@@ -2026,9 +1990,9 @@ } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[1]", "index": 1, "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[1]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[1]", "name": "custom_trust_policy", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -2038,7 +2002,13 @@ "actions": [ false ], - "condition": [], + "condition": [ + { + "values": [ + false + ] + } + ], "not_principals": [], "principals": [ { @@ -2060,9 +2030,16 @@ "statement": [ { "actions": [ - "sts:AssumeRole" + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:openshift-ingress-operator:ingress-operator" + ] + } ], - "condition": [], "effect": "Allow", "not_actions": null, "not_principals": [], @@ -2072,7 +2049,7 @@ "identifiers": [ null ], - "type": "AWS" + "type": "Federated" } ], "resources": null, @@ -2083,9 +2060,9 @@ } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[2]", "index": 2, "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[2]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[2]", "name": "custom_trust_policy", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -2095,7 +2072,14 @@ "actions": [ false ], - "condition": [], + "condition": [ + { + "values": [ + false, + false + ] + } + ], "not_principals": [], "principals": [ { 
@@ -2117,9 +2101,17 @@ "statement": [ { "actions": [ - "sts:AssumeRole" + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-operator", + "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-controller-sa" + ] + } ], - "condition": [], "effect": "Allow", "not_actions": null, "not_principals": [], @@ -2127,9 +2119,9 @@ "principals": [ { "identifiers": [ - "ec2.amazonaws.com" + null ], - "type": "Service" + "type": "Federated" } ], "resources": null, 
@@ -2140,350 +2132,359 @@ } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_partition.current", - "mode": "data", - "name": "current", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_partition" - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_hcp_policies.all_policies", - "mode": "data", - "name": "all_policies", - "provider_name": "registry.terraform.io/terraform-redhat/rhcs", - "schema_version": 0, - "sensitive_values": { - "account_role_policies": {}, - "operator_role_policies": {} - }, - "type": "rhcs_hcp_policies" - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_info.current", - "mode": "data", - "name": "current", - "provider_name": "registry.terraform.io/terraform-redhat/rhcs", - "schema_version": 0, - "sensitive_values": {}, - "type": "rhcs_info" - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].time_sleep.account_iam_resources_wait", - "mode": "managed", - "name": "account_iam_resources_wait", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "sensitive_values": { - "triggers": {} - }, - "type": "time_sleep", - "values": { - "create_duration": "10s", - "destroy_duration": "10s", - "triggers": { - "account_iam_role_name": "[\"my-rosa-account-HCP-ROSA-Installer-Role\",\"my-rosa-account-HCP-ROSA-Support-Role\",\"my-rosa-account-HCP-ROSA-Worker-Role\"]", - "account_policy_arns": "[\"ARN_REDACTED", - "account_role_prefix": "my-rosa-account", - "path": "/" - } - } - } - ] - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp", - "resources": [ - { - "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_caller_identity.current[0]", - "index": 0, - "mode": "data", - "name": "current", - "provider_name": 
"registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_caller_identity" - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_region.current[0]", - "index": 0, - "mode": "data", - "name": "current", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_region" - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[0]", - "index": 0, - "mode": "data", - "name": "provided_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null - } - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[1]", - "index": 1, - "mode": "data", - "name": "provided_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null - } - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[2]", - "index": 2, - "mode": "data", - "name": "provided_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null - } - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[3]", "index": 3, "mode": "data", - "name": "provided_subnet", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[3]": 
"module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[3]", + "name": "custom_trust_policy", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": { - "filter": [], - "tags": {} + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] }, - "type": "aws_subnet", + "type": "aws_iam_policy_document", "values": { - "filter": [], - "timeouts": null + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:openshift-cloud-network-config-controller:cloud-network-config-controller" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[4]", "index": 4, "mode": "data", - "name": "provided_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null - } - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[5]", - "index": 5, - "mode": "data", - "name": "provided_subnet", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[4]": 
"module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[4]", + "name": "custom_trust_policy", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null - } - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_cluster_rosa_hcp.rosa_hcp_cluster", - "mode": "managed", - "name": "rosa_hcp_cluster", - "provider_name": "registry.terraform.io/terraform-redhat/rhcs", - "schema_version": 0, - "sensitive_values": { - "admin_credentials": true, - "availability_zones": [ - false, - false, - false - ], - "aws_subnet_ids": [ - false, - false, - false, - false, - false, - false - ], - "ocm_properties": {}, - "properties": {}, - "sts": { - "instance_iam_roles": {} - }, - "tags": {} + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] }, - "type": "rhcs_cluster_rosa_hcp", + "type": "aws_iam_policy_document", "values": { - "availability_zones": [ - "eu-north-1a", - "eu-north-1b", - "eu-north-1c" - ], - "aws_additional_allowed_principals": null, - "aws_additional_compute_security_group_ids": null, - "aws_subnet_ids": [ - null, - null, - null, - null, - null, - null - ], - "channel_group": "stable", - "compute_machine_type": "m7i.xlarge", - "create_admin_user": null, - "destroy_timeout": null, - "disable_waiting_in_destroy": null, - "ec2_metadata_http_tokens": "optional", - "etcd_kms_key_arn": null, - "host_prefix": 23, - "kms_key_arn": null, - "machine_cidr": "10.0.0.0/18", - "max_hcp_cluster_wait_timeout_in_minutes": null, - "max_machinepool_wait_timeout_in_minutes": null, - "name": "my-rosa", - "pod_cidr": "10.0.64.0/18", - "private": false, - "properties": { - "rosa_creator_arn": "ARN_REDACTED" - }, - 
"proxy": null, - "registry_config": null, - "replicas": 6, - "service_cidr": "10.0.128.0/18", - "shared_vpc": null, - "sts": { - "instance_iam_roles": {}, - "operator_role_prefix": "my-rosa-operator" - }, - "tags": { - "owner": "ARN_REDACTED" - }, - "upgrade_acknowledgements_for": null, - "version": "4.17.16", - "wait_for_create_complete": true, - "wait_for_std_compute_nodes_complete": true, - "worker_disk_size": null + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:kube-system:kube-controller-manager" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_hcp_default_ingress.default_ingress", - "mode": "managed", - "name": "default_ingress", - "provider_name": "registry.terraform.io/terraform-redhat/rhcs", - "schema_version": 0, - "sensitive_values": {}, - "type": "rhcs_hcp_default_ingress", - "values": { - "listening_method": "external" - } - } - ] - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0]", - "resources": [ - { - "address": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].aws_iam_openid_connect_provider.oidc_provider", - "mode": "managed", - "name": "oidc_provider", + "index": 5, + "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[5]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[5]", + "name": "custom_trust_policy", 
"provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "sensitive_values": { - "client_id_list": [ - false, - false - ], - "tags": {}, - "tags_all": {}, - "thumbprint_list": [] + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] }, - "type": "aws_iam_openid_connect_provider", + "type": "aws_iam_policy_document", "values": { - "client_id_list": [ - "openshift", - "sts.amazonaws.com" + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:kube-system:capa-controller-manager" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } ], - "tags": { - "owner": "ARN_REDACTED" - }, - "tags_all": { - "owner": "ARN_REDACTED" - } + "version": null } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].data.aws_region.current", + "index": 6, "mode": "data", - "name": "current", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[6]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[6]", + "name": "custom_trust_policy", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, - "sensitive_values": {}, - "type": "aws_region" - }, - { - "address": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].null_resource.unmanaged_vars_validation", - "mode": "managed", - "name": "unmanaged_vars_validation", - 
"provider_name": "registry.terraform.io/hashicorp/null", - "schema_version": 0, - "sensitive_values": {}, - "type": "null_resource", + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", "values": { - "triggers": null + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:kube-system:control-plane-operator" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].rhcs_rosa_oidc_config.oidc_config", - "mode": "managed", - "name": "oidc_config", - "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "index": 7, + "mode": "data", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[7]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[7]", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, - "sensitive_values": {}, - "type": "rhcs_rosa_oidc_config", + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", "values": { - "installer_role_arn": 
null, - "managed": true, - "secret_arn": null + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:kube-system:kms-provider" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null } }, { - "address": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].time_sleep.wait_10_seconds", "mode": "managed", - "name": "wait_10_seconds", + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].time_sleep.role_resources_propagation": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].time_sleep.role_resources_propagation", + "name": "role_resources_propagation", "provider_name": "registry.terraform.io/hashicorp/time", "schema_version": 0, "sensitive_values": { 
@@ -2491,24 +2492,22 @@ }, "type": "time_sleep", "values": { - "create_duration": "10s", - "destroy_duration": "10s", + "create_duration": "20s", + "destroy_duration": null, "triggers": { - "discover_doc_object": null, - "policy_attached_to_bucket": null, - "public_access_block_attached_to_bucket": null, - "s3_object": null, - "secret_arn": null + "operator_policy_arns": "[\"ARN_REDACTED", + "operator_role_prefix": "my-rosa-operator" } } } ] } ], + "module.rosa_cluster.module.rosa_hcp": "module.rosa_cluster.module.rosa_hcp", "resources": [ { - "address": "module.rosa_cluster.module.rosa_hcp.data.aws_caller_identity.current", "mode": "data", + "module.rosa_cluster.module.rosa_hcp.data.aws_caller_identity.current": "module.rosa_cluster.module.rosa_hcp.data.aws_caller_identity.current", "name": "current", "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, @@ -2516,8 +2515,8 @@ "type": "aws_caller_identity" }, { - "address": "module.rosa_cluster.module.rosa_hcp.null_resource.validations", "mode": "managed", + "module.rosa_cluster.module.rosa_hcp.null_resource.validations": "module.rosa_cluster.module.rosa_hcp.null_resource.validations", "name": "validations", "provider_name": "registry.terraform.io/hashicorp/null", "schema_version": 0, @@ -2530,12 +2529,12 @@ ] }, { - "address": "module.rosa_cluster.module.htpasswd_idp", + "module.rosa_cluster.module.htpasswd_idp": "module.rosa_cluster.module.htpasswd_idp", "resources": [ { - "address": "module.rosa_cluster.module.htpasswd_idp.rhcs_identity_provider.htpasswd_identity_provider[0]", "index": 0, "mode": "managed", + "module.rosa_cluster.module.htpasswd_idp.rhcs_identity_provider.htpasswd_identity_provider[0]": "module.rosa_cluster.module.htpasswd_idp.rhcs_identity_provider.htpasswd_identity_provider[0]", "name": "htpasswd_identity_provider", "provider_name": "registry.terraform.io/terraform-redhat/rhcs", "schema_version": 0, 
@@ -2565,7 +2564,8 @@ } ] } - ] + ], + "module.rosa_cluster": "module.rosa_cluster" } ] } diff --git a/justfile b/justfile index a4fac00a1..5d77a1b36 100644 --- a/justfile +++ b/justfile @@ -36,7 +36,28 @@ regenerate-golden-file module_dir backend_bucket_region backend_bucket_name back rm -f tfplan-redacted.json # bring order - jq --sort-keys '.' tfplan.json > {{ relative_output_path }}tfplan-golden.json + jq --sort-keys '.planned_values.root_module' tfplan.json > tfplan-redacted.json + rm -f tfplan.json + + jq 'def replace_address: + if type == "object" then + with_entries( + if .key == "address" and .value != null then + { key: .value, value: .value } + else + { key: .key, value: (.value | replace_address) } + end + ) + elif type == "array" then + map(replace_address) + else + . + end; + replace_address' tfplan-redacted.json > tfplan.json + rm -f tfplan-redacted.json + + # final sort + jq --sort-keys '.' tfplan.json > {{ relative_output_path }}tfplan-golden.json rm -f tfplan.json if grep -E -q '\b@camunda\.[A-Za-z]{2,}\b' {{ relative_output_path }}tfplan-golden.json; then From 0041f229739379f530fd1d83a82ba1ac1975f004 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 5 Mar 2025 23:08:10 +0100 Subject: [PATCH 08/65] fix --- .../test/golden/tfplan-golden.json | 4803 +++++++++-------- justfile | 23 +- 2 files changed, 2462 insertions(+), 2364 deletions(-) diff --git a/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json b/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json index 4b0dddc0c..c23faaa4a 100644 --- a/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json +++ b/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json 
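Review bot: The `replace_address` filter added to the `regenerate-golden-file` recipe rewrites every key named `address` at any depth, not only the module and resource addresses it appears to target. The `aws_eip` entries in the golden file carry an `address` attribute under `values`; it is null today and so skipped by the `.value != null` guard, but once a provider attribute of that name has a concrete value, the value becomes a key name in the committed golden file and its contents are no longer recursed into. Restricting the rewrite to objects that look like a module or resource would leave attribute data untouched: `. as $o | with_entries(if .key == "address" and (.value | type) == "string" and ($o | (has("mode") or has("resources") or has("child_modules"))) then`. The hunk also gives no reason for promoting the address to a key, so a one-line comment above the `jq 'def replace_address:` line stating the intent would help the next maintainer. The recipe body starts outside the hunk, so its error handling and the earlier redaction steps could not be checked from here.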
@@ -1,2571 +1,2670 @@ { "child_modules": [ { - "child_modules": [ - { - "module.rosa_cluster.module.vpc": "module.rosa_cluster.module.vpc", - "resources": [ - { - "index": 0, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_eip.eip[0]": "module.rosa_cluster.module.vpc.aws_eip.eip[0]", - "name": "eip", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "tags": {}, - "tags_all": {} - }, - "type": "aws_eip", - "values": { - "address": null, - "associate_with_private_ip": null, - "customer_owned_ipv4_pool": null, - "domain": "vpc", - "tags": { - "Name": "my-rosa-eip-eu-north-1a" - }, - "tags_all": { - "Name": "my-rosa-eip-eu-north-1a" - }, - "timeouts": null - } - }, - { - "index": 1, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_eip.eip[1]": "module.rosa_cluster.module.vpc.aws_eip.eip[1]", - "name": "eip", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "tags": {}, - "tags_all": {} - }, - "type": "aws_eip", - "values": { - "address": null, - "associate_with_private_ip": null, - "customer_owned_ipv4_pool": null, - "domain": "vpc", - "tags": { - "Name": "my-rosa-eip-eu-north-1b" - }, - "tags_all": { - "Name": "my-rosa-eip-eu-north-1b" - }, - "timeouts": null - } - }, - { - "index": 2, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_eip.eip[2]": "module.rosa_cluster.module.vpc.aws_eip.eip[2]", - "name": "eip", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "tags": {}, - "tags_all": {} - }, - "type": "aws_eip", - "values": { - "address": null, - "associate_with_private_ip": null, - "customer_owned_ipv4_pool": null, - "domain": "vpc", - "tags": { - "Name": "my-rosa-eip-eu-north-1c" - }, - "tags_all": { - "Name": "my-rosa-eip-eu-north-1c" - }, - "timeouts": null - } - }, - { - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_internet_gateway.internet_gateway": 
"module.rosa_cluster.module.vpc.aws_internet_gateway.internet_gateway", - "name": "internet_gateway", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "tags": {}, - "tags_all": {} - }, - "type": "aws_internet_gateway", - "values": { - "tags": { - "Name": "my-rosa-igw" - }, - "tags_all": { - "Name": "my-rosa-igw" - }, - "timeouts": null - } - }, - { - "index": 0, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[0]": "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[0]", - "name": "public_nat_gateway", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "secondary_private_ip_addresses": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_nat_gateway", - "values": { - "connectivity_type": "public", - "secondary_allocation_ids": null, - "tags": { - "Name": "my-rosa-nat-public0-eu-north-1a" - }, - "tags_all": { - "Name": "my-rosa-nat-public0-eu-north-1a" - }, - "timeouts": null - } - }, - { - "index": 1, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[1]": "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[1]", - "name": "public_nat_gateway", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "secondary_private_ip_addresses": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_nat_gateway", - "values": { - "connectivity_type": "public", - "secondary_allocation_ids": null, - "tags": { - "Name": "my-rosa-nat-public1-eu-north-1b" - }, - "tags_all": { - "Name": "my-rosa-nat-public1-eu-north-1b" - }, - "timeouts": null - } - }, - { - "index": 2, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[2]": "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[2]", - "name": "public_nat_gateway", - "provider_name": 
"registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "secondary_private_ip_addresses": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_nat_gateway", - "values": { - "connectivity_type": "public", - "secondary_allocation_ids": null, - "tags": { - "Name": "my-rosa-nat-public2-eu-north-1c" - }, - "tags_all": { - "Name": "my-rosa-nat-public2-eu-north-1c" - }, - "timeouts": null - } - }, - { - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_route.ipv4_egress_route": "module.rosa_cluster.module.vpc.aws_route.ipv4_egress_route", - "name": "ipv4_egress_route", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route", - "values": { - "carrier_gateway_id": null, - "core_network_arn": null, - "destination_cidr_block": "0.0.0.0/0", - "destination_ipv6_cidr_block": null, - "destination_prefix_list_id": null, - "egress_only_gateway_id": null, - "local_gateway_id": null, - "nat_gateway_id": null, - "timeouts": null, - "transit_gateway_id": null, - "vpc_endpoint_id": null, - "vpc_peering_connection_id": null - } - }, - { - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_route.ipv6_egress_route": "module.rosa_cluster.module.vpc.aws_route.ipv6_egress_route", - "name": "ipv6_egress_route", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route", - "values": { - "carrier_gateway_id": null, - "core_network_arn": null, - "destination_cidr_block": null, - "destination_ipv6_cidr_block": "::/0", - "destination_prefix_list_id": null, - "egress_only_gateway_id": null, - "local_gateway_id": null, - "nat_gateway_id": null, - "timeouts": null, - "transit_gateway_id": null, - "vpc_endpoint_id": null, - "vpc_peering_connection_id": null - } - }, - { - "index": 0, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_route.private_nat[0]": 
"module.rosa_cluster.module.vpc.aws_route.private_nat[0]", - "name": "private_nat", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route", - "values": { - "carrier_gateway_id": null, - "core_network_arn": null, - "destination_cidr_block": "0.0.0.0/0", - "destination_ipv6_cidr_block": null, - "destination_prefix_list_id": null, - "egress_only_gateway_id": null, - "gateway_id": null, - "local_gateway_id": null, - "timeouts": null, - "transit_gateway_id": null, - "vpc_endpoint_id": null, - "vpc_peering_connection_id": null - } - }, - { - "index": 1, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_route.private_nat[1]": "module.rosa_cluster.module.vpc.aws_route.private_nat[1]", - "name": "private_nat", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route", - "values": { - "carrier_gateway_id": null, - "core_network_arn": null, - "destination_cidr_block": "0.0.0.0/0", - "destination_ipv6_cidr_block": null, - "destination_prefix_list_id": null, - "egress_only_gateway_id": null, - "gateway_id": null, - "local_gateway_id": null, - "timeouts": null, - "transit_gateway_id": null, - "vpc_endpoint_id": null, - "vpc_peering_connection_id": null - } - }, - { - "index": 2, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_route.private_nat[2]": "module.rosa_cluster.module.vpc.aws_route.private_nat[2]", - "name": "private_nat", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route", - "values": { - "carrier_gateway_id": null, - "core_network_arn": null, - "destination_cidr_block": "0.0.0.0/0", - "destination_ipv6_cidr_block": null, - "destination_prefix_list_id": null, - "egress_only_gateway_id": null, - "gateway_id": null, - "local_gateway_id": null, - "timeouts": null, - "transit_gateway_id": null, - "vpc_endpoint_id": null, - 
"vpc_peering_connection_id": null - } - }, - { - "index": 0, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[0]": "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[0]", - "name": "private_route_table", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "propagating_vgws": [], - "route": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_route_table", - "values": { - "tags": { - "Name": "my-rosa-rtb-private0-eu-north-1a" - }, - "tags_all": { - "Name": "my-rosa-rtb-private0-eu-north-1a" - }, - "timeouts": null - } - }, - { - "index": 1, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[1]": "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[1]", - "name": "private_route_table", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "propagating_vgws": [], - "route": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_route_table", - "values": { - "tags": { - "Name": "my-rosa-rtb-private1-eu-north-1b" - }, - "tags_all": { - "Name": "my-rosa-rtb-private1-eu-north-1b" - }, - "timeouts": null - } - }, - { - "index": 2, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[2]": "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[2]", - "name": "private_route_table", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "propagating_vgws": [], - "route": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_route_table", - "values": { - "tags": { - "Name": "my-rosa-rtb-private2-eu-north-1c" - }, - "tags_all": { - "Name": "my-rosa-rtb-private2-eu-north-1c" - }, - "timeouts": null - } - }, - { - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_route_table.public_route_table": 
"module.rosa_cluster.module.vpc.aws_route_table.public_route_table", - "name": "public_route_table", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "propagating_vgws": [], - "route": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_route_table", - "values": { - "tags": { - "Name": "my-rosa-public" - }, - "tags_all": { - "Name": "my-rosa-public" - }, - "timeouts": null - } - }, - { - "index": 0, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[0]": "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[0]", - "name": "private_route_table_association", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route_table_association", - "values": { - "gateway_id": null, - "timeouts": null - } - }, - { - "index": 1, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[1]": "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[1]", - "name": "private_route_table_association", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route_table_association", - "values": { - "gateway_id": null, - "timeouts": null - } - }, - { - "index": 2, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[2]": "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[2]", - "name": "private_route_table_association", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route_table_association", - "values": { - "gateway_id": null, - "timeouts": null - } - }, - { - "index": 0, - "mode": "managed", - 
"module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[0]": "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[0]", - "name": "public_route_table_association", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route_table_association", - "values": { - "gateway_id": null, - "timeouts": null - } - }, - { - "index": 1, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[1]": "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[1]", - "name": "public_route_table_association", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route_table_association", - "values": { - "gateway_id": null, - "timeouts": null - } - }, - { - "index": 2, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[2]": "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[2]", - "name": "public_route_table_association", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route_table_association", - "values": { - "gateway_id": null, - "timeouts": null - } - }, - { - "index": 0, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[0]": "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[0]", - "name": "private_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 1, - "sensitive_values": { - "tags": {}, - "tags_all": {} - }, - "type": "aws_subnet", - "values": { - "assign_ipv6_address_on_creation": false, - "availability_zone": "eu-north-1a", - "cidr_block": "10.0.12.0/22", - "customer_owned_ipv4_pool": null, - "enable_dns64": false, - 
"enable_lni_at_device_index": null, - "enable_resource_name_dns_a_record_on_launch": false, - "enable_resource_name_dns_aaaa_record_on_launch": false, - "ipv6_cidr_block": null, - "ipv6_native": false, - "map_customer_owned_ip_on_launch": null, - "map_public_ip_on_launch": false, - "outpost_arn": null, - "tags": { - "Name": "my-rosa-subnet-private1-eu-north-1a", - "kubernetes.io/role/internal-elb": "" - }, - "timeouts": null - } - }, - { - "index": 1, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[1]": "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[1]", - "name": "private_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 1, - "sensitive_values": { - "tags": {}, - "tags_all": {} - }, - "type": "aws_subnet", - "values": { - "assign_ipv6_address_on_creation": false, - "availability_zone": "eu-north-1b", - "cidr_block": "10.0.16.0/22", - "customer_owned_ipv4_pool": null, - "enable_dns64": false, - "enable_lni_at_device_index": null, - "enable_resource_name_dns_a_record_on_launch": false, - "enable_resource_name_dns_aaaa_record_on_launch": false, - "ipv6_cidr_block": null, - "ipv6_native": false, - "map_customer_owned_ip_on_launch": null, - "map_public_ip_on_launch": false, - "outpost_arn": null, - "tags": { - "Name": "my-rosa-subnet-private2-eu-north-1b", - "kubernetes.io/role/internal-elb": "" - }, - "timeouts": null - } - }, - { - "index": 2, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[2]": "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[2]", - "name": "private_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 1, - "sensitive_values": { - "tags": {}, - "tags_all": {} - }, - "type": "aws_subnet", - "values": { - "assign_ipv6_address_on_creation": false, - "availability_zone": "eu-north-1c", - "cidr_block": "10.0.20.0/22", - "customer_owned_ipv4_pool": null, - "enable_dns64": false, - 
"enable_lni_at_device_index": null, - "enable_resource_name_dns_a_record_on_launch": false, - "enable_resource_name_dns_aaaa_record_on_launch": false, - "ipv6_cidr_block": null, - "ipv6_native": false, - "map_customer_owned_ip_on_launch": null, - "map_public_ip_on_launch": false, - "outpost_arn": null, - "tags": { - "Name": "my-rosa-subnet-private3-eu-north-1c", - "kubernetes.io/role/internal-elb": "" - }, - "timeouts": null - } - }, - { - "index": 0, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[0]": "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[0]", - "name": "public_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 1, - "sensitive_values": { - "tags": {}, - "tags_all": {} - }, - "type": "aws_subnet", - "values": { - "assign_ipv6_address_on_creation": false, - "availability_zone": "eu-north-1a", - "cidr_block": "10.0.0.0/22", - "customer_owned_ipv4_pool": null, - "enable_dns64": false, - "enable_lni_at_device_index": null, - "enable_resource_name_dns_a_record_on_launch": false, - "enable_resource_name_dns_aaaa_record_on_launch": false, - "ipv6_cidr_block": null, - "ipv6_native": false, - "map_customer_owned_ip_on_launch": null, - "map_public_ip_on_launch": false, - "outpost_arn": null, - "tags": { - "Name": "my-rosa-subnet-public1-eu-north-1a", - "kubernetes.io/role/elb": "" - }, - "timeouts": null - } - }, - { - "index": 1, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[1]": "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[1]", - "name": "public_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 1, - "sensitive_values": { - "tags": {}, - "tags_all": {} - }, - "type": "aws_subnet", - "values": { - "assign_ipv6_address_on_creation": false, - "availability_zone": "eu-north-1b", - "cidr_block": "10.0.4.0/22", - "customer_owned_ipv4_pool": null, - "enable_dns64": false, - "enable_lni_at_device_index": null, - 
"enable_resource_name_dns_a_record_on_launch": false, - "enable_resource_name_dns_aaaa_record_on_launch": false, - "ipv6_cidr_block": null, - "ipv6_native": false, - "map_customer_owned_ip_on_launch": null, - "map_public_ip_on_launch": false, - "outpost_arn": null, - "tags": { - "Name": "my-rosa-subnet-public2-eu-north-1b", - "kubernetes.io/role/elb": "" - }, - "timeouts": null - } - }, - { - "index": 2, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[2]": "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[2]", - "name": "public_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 1, - "sensitive_values": { - "tags": {}, - "tags_all": {} - }, - "type": "aws_subnet", - "values": { - "assign_ipv6_address_on_creation": false, - "availability_zone": "eu-north-1c", - "cidr_block": "10.0.8.0/22", - "customer_owned_ipv4_pool": null, - "enable_dns64": false, - "enable_lni_at_device_index": null, - "enable_resource_name_dns_a_record_on_launch": false, - "enable_resource_name_dns_aaaa_record_on_launch": false, - "ipv6_cidr_block": null, - "ipv6_native": false, - "map_customer_owned_ip_on_launch": null, - "map_public_ip_on_launch": false, - "outpost_arn": null, - "tags": { - "Name": "my-rosa-subnet-public3-eu-north-1c", - "kubernetes.io/role/elb": "" - }, - "timeouts": null - } - }, - { - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_vpc.vpc": "module.rosa_cluster.module.vpc.aws_vpc.vpc", - "name": "vpc", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 1, - "sensitive_values": { - "tags": {}, - "tags_all": {} - }, - "type": "aws_vpc", - "values": { - "assign_generated_ipv6_cidr_block": null, - "cidr_block": "10.0.0.0/16", - "enable_dns_hostnames": true, - "enable_dns_support": true, - "instance_tenancy": "default", - "ipv4_ipam_pool_id": null, - "ipv4_netmask_length": null, - "ipv6_ipam_pool_id": null, - "ipv6_netmask_length": null, - "tags": { - "Name": 
"my-rosa-vpc" - }, - "tags_all": { - "Name": "my-rosa-vpc" - } - } - }, - { - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_vpc_endpoint.s3": "module.rosa_cluster.module.vpc.aws_vpc_endpoint.s3", - "name": "s3", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cidr_blocks": [], - "dns_entry": [], - "dns_options": [], - "network_interface_ids": [], - "route_table_ids": [], - "security_group_ids": [], - "subnet_configuration": [], - "subnet_ids": [], - "tags_all": {} - }, - "type": "aws_vpc_endpoint", - "values": { - "auto_accept": null, - "resource_configuration_arn": null, - "service_name": "com.amazonaws.eu-west-2.s3", - "service_network_arn": null, - "tags": null, - "timeouts": null, - "vpc_endpoint_type": "Gateway" - } - }, - { - "index": 0, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[0]": "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[0]", - "name": "private_vpc_endpoint_route_table_association", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_vpc_endpoint_route_table_association" - }, - { - "index": 1, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[1]": "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[1]", - "name": "private_vpc_endpoint_route_table_association", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_vpc_endpoint_route_table_association" - }, - { - "index": 2, - "mode": "managed", - "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[2]": 
"module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[2]", - "name": "private_vpc_endpoint_route_table_association", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_vpc_endpoint_route_table_association" - }, - { - "mode": "managed", - "module.rosa_cluster.module.vpc.time_sleep.vpc_resources_wait": "module.rosa_cluster.module.vpc.time_sleep.vpc_resources_wait", - "name": "vpc_resources_wait", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "sensitive_values": { - "triggers": {} - }, - "type": "time_sleep", - "values": { - "create_duration": "20s", - "destroy_duration": "20s", - "triggers": { - "cidr_block": "10.0.0.0/16" - } - } - } - ] - }, - { - "child_modules": [ - { - "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0]": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0]", + "module.rosa_cluster": { + "child_modules": [ + { + "module.rosa_cluster.module.vpc": { "resources": [ { - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].aws_iam_openid_connect_provider.oidc_provider": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].aws_iam_openid_connect_provider.oidc_provider", - "name": "oidc_provider", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "client_id_list": [ - false, - false - ], - "tags": {}, - "tags_all": {}, - "thumbprint_list": [] - }, - "type": "aws_iam_openid_connect_provider", - "values": { - "client_id_list": [ - "openshift", - "sts.amazonaws.com" - ], - "tags": { - "owner": "ARN_REDACTED" + "module.rosa_cluster.module.vpc.aws_eip.eip[0]": { + "index": 0, + "mode": "managed", + "name": "eip", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "tags": {}, + 
"tags_all": {} }, - "tags_all": { - "owner": "ARN_REDACTED" + "type": "aws_eip", + "values": { + "address": null, + "associate_with_private_ip": null, + "customer_owned_ipv4_pool": null, + "domain": "vpc", + "tags": { + "Name": "my-rosa-eip-eu-north-1a" + }, + "tags_all": { + "Name": "my-rosa-eip-eu-north-1a" + }, + "timeouts": null } } }, { - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].data.aws_region.current": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].data.aws_region.current", - "name": "current", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_region" - }, - { - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].null_resource.unmanaged_vars_validation": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].null_resource.unmanaged_vars_validation", - "name": "unmanaged_vars_validation", - "provider_name": "registry.terraform.io/hashicorp/null", - "schema_version": 0, - "sensitive_values": {}, - "type": "null_resource", - "values": { - "triggers": null + "module.rosa_cluster.module.vpc.aws_eip.eip[1]": { + "index": 1, + "mode": "managed", + "name": "eip", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_eip", + "values": { + "address": null, + "associate_with_private_ip": null, + "customer_owned_ipv4_pool": null, + "domain": "vpc", + "tags": { + "Name": "my-rosa-eip-eu-north-1b" + }, + "tags_all": { + "Name": "my-rosa-eip-eu-north-1b" + }, + "timeouts": null + } } }, { - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].rhcs_rosa_oidc_config.oidc_config": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].rhcs_rosa_oidc_config.oidc_config", - "name": "oidc_config", - "provider_name": 
"registry.terraform.io/terraform-redhat/rhcs", - "schema_version": 0, - "sensitive_values": {}, - "type": "rhcs_rosa_oidc_config", - "values": { - "installer_role_arn": null, - "managed": true, - "secret_arn": null + "module.rosa_cluster.module.vpc.aws_eip.eip[2]": { + "index": 2, + "mode": "managed", + "name": "eip", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_eip", + "values": { + "address": null, + "associate_with_private_ip": null, + "customer_owned_ipv4_pool": null, + "domain": "vpc", + "tags": { + "Name": "my-rosa-eip-eu-north-1c" + }, + "tags_all": { + "Name": "my-rosa-eip-eu-north-1c" + }, + "timeouts": null + } } }, { - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].time_sleep.wait_10_seconds": "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].time_sleep.wait_10_seconds", - "name": "wait_10_seconds", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "sensitive_values": { - "triggers": {} - }, - "type": "time_sleep", - "values": { - "create_duration": "10s", - "destroy_duration": "10s", - "triggers": { - "discover_doc_object": null, - "policy_attached_to_bucket": null, - "public_access_block_attached_to_bucket": null, - "s3_object": null, - "secret_arn": null + "module.rosa_cluster.module.vpc.aws_internet_gateway.internet_gateway": { + "mode": "managed", + "name": "internet_gateway", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_internet_gateway", + "values": { + "tags": { + "Name": "my-rosa-igw" + }, + "tags_all": { + "Name": "my-rosa-igw" + }, + "timeouts": null } } - } - ] - }, - { - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp", - "resources": [ - { - 
"index": 0, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_caller_identity.current[0]": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_caller_identity.current[0]", - "name": "current", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_caller_identity" - }, - { - "index": 0, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_region.current[0]": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_region.current[0]", - "name": "current", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_region" }, { - "index": 0, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[0]": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[0]", - "name": "provided_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null + "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[0]": { + "index": 0, + "mode": "managed", + "name": "public_nat_gateway", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "secondary_private_ip_addresses": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_nat_gateway", + "values": { + "connectivity_type": "public", + "secondary_allocation_ids": null, + "tags": { + "Name": "my-rosa-nat-public0-eu-north-1a" + }, + "tags_all": { + "Name": "my-rosa-nat-public0-eu-north-1a" + }, + "timeouts": null + } } }, { - "index": 1, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[1]": 
"module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[1]", - "name": "provided_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null + "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[1]": { + "index": 1, + "mode": "managed", + "name": "public_nat_gateway", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "secondary_private_ip_addresses": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_nat_gateway", + "values": { + "connectivity_type": "public", + "secondary_allocation_ids": null, + "tags": { + "Name": "my-rosa-nat-public1-eu-north-1b" + }, + "tags_all": { + "Name": "my-rosa-nat-public1-eu-north-1b" + }, + "timeouts": null + } } }, { - "index": 2, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[2]": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[2]", - "name": "provided_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null + "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[2]": { + "index": 2, + "mode": "managed", + "name": "public_nat_gateway", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "secondary_private_ip_addresses": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_nat_gateway", + "values": { + "connectivity_type": "public", + "secondary_allocation_ids": null, + "tags": { + "Name": "my-rosa-nat-public2-eu-north-1c" + }, + "tags_all": { + "Name": "my-rosa-nat-public2-eu-north-1c" + }, + "timeouts": null + } } }, { - 
"index": 3, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[3]": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[3]", - "name": "provided_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null + "module.rosa_cluster.module.vpc.aws_route.ipv4_egress_route": { + "mode": "managed", + "name": "ipv4_egress_route", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route", + "values": { + "carrier_gateway_id": null, + "core_network_arn": null, + "destination_cidr_block": "0.0.0.0/0", + "destination_ipv6_cidr_block": null, + "destination_prefix_list_id": null, + "egress_only_gateway_id": null, + "local_gateway_id": null, + "nat_gateway_id": null, + "timeouts": null, + "transit_gateway_id": null, + "vpc_endpoint_id": null, + "vpc_peering_connection_id": null + } } }, { - "index": 4, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[4]": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[4]", - "name": "provided_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null + "module.rosa_cluster.module.vpc.aws_route.ipv6_egress_route": { + "mode": "managed", + "name": "ipv6_egress_route", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route", + "values": { + "carrier_gateway_id": null, + "core_network_arn": null, + "destination_cidr_block": null, + "destination_ipv6_cidr_block": "::/0", + 
"destination_prefix_list_id": null, + "egress_only_gateway_id": null, + "local_gateway_id": null, + "nat_gateway_id": null, + "timeouts": null, + "transit_gateway_id": null, + "vpc_endpoint_id": null, + "vpc_peering_connection_id": null + } } }, { - "index": 5, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[5]": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[5]", - "name": "provided_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null + "module.rosa_cluster.module.vpc.aws_route.private_nat[0]": { + "index": 0, + "mode": "managed", + "name": "private_nat", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route", + "values": { + "carrier_gateway_id": null, + "core_network_arn": null, + "destination_cidr_block": "0.0.0.0/0", + "destination_ipv6_cidr_block": null, + "destination_prefix_list_id": null, + "egress_only_gateway_id": null, + "gateway_id": null, + "local_gateway_id": null, + "timeouts": null, + "transit_gateway_id": null, + "vpc_endpoint_id": null, + "vpc_peering_connection_id": null + } } }, { - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_cluster_rosa_hcp.rosa_hcp_cluster": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_cluster_rosa_hcp.rosa_hcp_cluster", - "name": "rosa_hcp_cluster", - "provider_name": "registry.terraform.io/terraform-redhat/rhcs", - "schema_version": 0, - "sensitive_values": { - "admin_credentials": true, - "availability_zones": [ - false, - false, - false - ], - "aws_subnet_ids": [ - false, - false, - false, - false, - false, - false - ], - "ocm_properties": {}, - "properties": {}, - "sts": { - "instance_iam_roles": {} - }, - 
"tags": {} - }, - "type": "rhcs_cluster_rosa_hcp", - "values": { - "availability_zones": [ - "eu-north-1a", - "eu-north-1b", - "eu-north-1c" - ], - "aws_additional_allowed_principals": null, - "aws_additional_compute_security_group_ids": null, - "aws_subnet_ids": [ - null, - null, - null, - null, - null, - null - ], - "channel_group": "stable", - "compute_machine_type": "m7i.xlarge", - "create_admin_user": null, - "destroy_timeout": null, - "disable_waiting_in_destroy": null, - "ec2_metadata_http_tokens": "optional", - "etcd_kms_key_arn": null, - "host_prefix": 23, - "kms_key_arn": null, - "machine_cidr": "10.0.0.0/18", - "max_hcp_cluster_wait_timeout_in_minutes": null, - "max_machinepool_wait_timeout_in_minutes": null, - "name": "my-rosa", - "pod_cidr": "10.0.64.0/18", - "private": false, - "properties": { - "rosa_creator_arn": "ARN_REDACTED" - }, - "proxy": null, - "registry_config": null, - "replicas": 6, - "service_cidr": "10.0.128.0/18", - "shared_vpc": null, - "sts": { - "instance_iam_roles": {}, - "operator_role_prefix": "my-rosa-operator" - }, - "tags": { - "owner": "ARN_REDACTED" - }, - "upgrade_acknowledgements_for": null, - "version": "4.17.16", - "wait_for_create_complete": true, - "wait_for_std_compute_nodes_complete": true, - "worker_disk_size": null + "module.rosa_cluster.module.vpc.aws_route.private_nat[1]": { + "index": 1, + "mode": "managed", + "name": "private_nat", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route", + "values": { + "carrier_gateway_id": null, + "core_network_arn": null, + "destination_cidr_block": "0.0.0.0/0", + "destination_ipv6_cidr_block": null, + "destination_prefix_list_id": null, + "egress_only_gateway_id": null, + "gateway_id": null, + "local_gateway_id": null, + "timeouts": null, + "transit_gateway_id": null, + "vpc_endpoint_id": null, + "vpc_peering_connection_id": null + } } }, { - "mode": "managed", - 
"module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_hcp_default_ingress.default_ingress": "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_hcp_default_ingress.default_ingress", - "name": "default_ingress", - "provider_name": "registry.terraform.io/terraform-redhat/rhcs", - "schema_version": 0, - "sensitive_values": {}, - "type": "rhcs_hcp_default_ingress", - "values": { - "listening_method": "external" + "module.rosa_cluster.module.vpc.aws_route.private_nat[2]": { + "index": 2, + "mode": "managed", + "name": "private_nat", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route", + "values": { + "carrier_gateway_id": null, + "core_network_arn": null, + "destination_cidr_block": "0.0.0.0/0", + "destination_ipv6_cidr_block": null, + "destination_prefix_list_id": null, + "egress_only_gateway_id": null, + "gateway_id": null, + "local_gateway_id": null, + "timeouts": null, + "transit_gateway_id": null, + "vpc_endpoint_id": null, + "vpc_peering_connection_id": null + } } - } - ] - }, - { - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0]", - "resources": [ + }, { - "index": 0, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[0]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[0]", - "name": "account_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-account-HCP-ROSA-Installer-Role", - "path": "/", - "permissions_boundary": "", - "tags": { - "owner": "ARN_REDACTED", - 
"red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "installer" + "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[0]": { + "index": 0, + "mode": "managed", + "name": "private_route_table", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "propagating_vgws": [], + "route": [], + "tags": {}, + "tags_all": {} }, - "tags_all": { - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "installer" + "type": "aws_route_table", + "values": { + "tags": { + "Name": "my-rosa-rtb-private0-eu-north-1a" + }, + "tags_all": { + "Name": "my-rosa-rtb-private0-eu-north-1a" + }, + "timeouts": null } } }, { - "index": 1, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[1]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[1]", - "name": "account_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-account-HCP-ROSA-Support-Role", - "path": "/", - "permissions_boundary": "", - "tags": { - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "support" + "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[1]": { + "index": 1, + "mode": "managed", + "name": "private_route_table", + "provider_name": "registry.terraform.io/hashicorp/aws", + 
"schema_version": 0, + "sensitive_values": { + "propagating_vgws": [], + "route": [], + "tags": {}, + "tags_all": {} }, - "tags_all": { - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "support" + "type": "aws_route_table", + "values": { + "tags": { + "Name": "my-rosa-rtb-private1-eu-north-1b" + }, + "tags_all": { + "Name": "my-rosa-rtb-private1-eu-north-1b" + }, + "timeouts": null } } }, { - "index": 2, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[2]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[2]", - "name": "account_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-account-HCP-ROSA-Worker-Role", - "path": "/", - "permissions_boundary": "", - "tags": { - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "instance_worker" + "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[2]": { + "index": 2, + "mode": "managed", + "name": "private_route_table", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "propagating_vgws": [], + "route": [], + "tags": {}, + "tags_all": {} }, - "tags_all": { - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "instance_worker" + "type": "aws_route_table", + 
"values": { + "tags": { + "Name": "my-rosa-rtb-private2-eu-north-1c" + }, + "tags_all": { + "Name": "my-rosa-rtb-private2-eu-north-1c" + }, + "timeouts": null } } }, { - "index": 0, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[0]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[0]", - "name": "account_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-account-HCP-ROSA-Installer-Role" + "module.rosa_cluster.module.vpc.aws_route_table.public_route_table": { + "mode": "managed", + "name": "public_route_table", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "propagating_vgws": [], + "route": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_route_table", + "values": { + "tags": { + "Name": "my-rosa-public" + }, + "tags_all": { + "Name": "my-rosa-public" + }, + "timeouts": null + } } }, { - "index": 1, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[1]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[1]", - "name": "account_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-account-HCP-ROSA-Support-Role" + "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[0]": { + "index": 0, + "mode": "managed", + "name": 
"private_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null + } } }, { - "index": 2, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[2]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[2]", - "name": "account_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-account-HCP-ROSA-Worker-Role" + "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[1]": { + "index": 1, + "mode": "managed", + "name": "private_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null + } } }, { - "index": 0, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[0]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[0]", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } - ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - 
"source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRole" - ], - "condition": [], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "AWS" - } - ], - "resources": null, - "sid": null - } - ], - "version": null + "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[2]": { + "index": 2, + "mode": "managed", + "name": "private_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null + } } }, { - "index": 1, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[1]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[1]", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } - ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRole" - ], - "condition": [], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "AWS" - } - ], - "resources": null, - "sid": null - } - ], - "version": null + "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[0]": { + "index": 0, + "mode": "managed", + "name": 
"public_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null + } } }, { - "index": 2, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[2]": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[2]", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } - ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRole" - ], - "condition": [], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - "ec2.amazonaws.com" - ], - "type": "Service" - } - ], - "resources": null, - "sid": null - } - ], - "version": null + "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[1]": { + "index": 1, + "mode": "managed", + "name": "public_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null + } } }, { - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_partition.current": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_partition.current", - "name": "current", - 
"provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_partition" - }, - { - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_hcp_policies.all_policies": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_hcp_policies.all_policies", - "name": "all_policies", - "provider_name": "registry.terraform.io/terraform-redhat/rhcs", - "schema_version": 0, - "sensitive_values": { - "account_role_policies": {}, - "operator_role_policies": {} - }, - "type": "rhcs_hcp_policies" - }, - { - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_info.current": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_info.current", - "name": "current", - "provider_name": "registry.terraform.io/terraform-redhat/rhcs", - "schema_version": 0, - "sensitive_values": {}, - "type": "rhcs_info" - }, - { - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].time_sleep.account_iam_resources_wait": "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].time_sleep.account_iam_resources_wait", - "name": "account_iam_resources_wait", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "sensitive_values": { - "triggers": {} - }, - "type": "time_sleep", - "values": { - "create_duration": "10s", - "destroy_duration": "10s", - "triggers": { - "account_iam_role_name": "[\"my-rosa-account-HCP-ROSA-Installer-Role\",\"my-rosa-account-HCP-ROSA-Support-Role\",\"my-rosa-account-HCP-ROSA-Worker-Role\"]", - "account_policy_arns": "[\"ARN_REDACTED", - "account_role_prefix": "my-rosa-account", - "path": "/" + "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[2]": { + "index": 2, + "mode": "managed", + "name": "public_route_table_association", + "provider_name": 
"registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null } } - } - ] - }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0]", - "resources": [ + }, { - "index": 0, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[0]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[0]", - "name": "operator_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-openshift-image-registry-installer-cloud-creden", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "installer-cloud-credentials", - "operator_namespace": "openshift-image-registry", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[0]": { + "index": 0, + "mode": "managed", + "name": "private_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} }, - "tags_all": { - "operator_name": "installer-cloud-credentials", - "operator_namespace": "openshift-image-registry", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1a", + "cidr_block": "10.0.12.0/22", + "customer_owned_ipv4_pool": null, + 
"enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-private1-eu-north-1a", + "kubernetes.io/role/internal-elb": "" + }, + "timeouts": null } } }, { - "index": 1, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[1]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[1]", - "name": "operator_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-openshift-ingress-operator-cloud-credentials", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "cloud-credentials", - "operator_namespace": "openshift-ingress-operator", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[1]": { + "index": 1, + "mode": "managed", + "name": "private_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} }, - "tags_all": { - "operator_name": "cloud-credentials", - "operator_namespace": "openshift-ingress-operator", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": 
"eu-north-1b", + "cidr_block": "10.0.16.0/22", + "customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-private2-eu-north-1b", + "kubernetes.io/role/internal-elb": "" + }, + "timeouts": null } } }, { - "index": 2, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[2]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[2]", - "name": "operator_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-openshift-cluster-csi-drivers-ebs-cloud-credent", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "ebs-cloud-credentials", - "operator_namespace": "openshift-cluster-csi-drivers", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[2]": { + "index": 2, + "mode": "managed", + "name": "private_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} }, - "tags_all": { - "operator_name": "ebs-cloud-credentials", - "operator_namespace": "openshift-cluster-csi-drivers", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "type": 
"aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1c", + "cidr_block": "10.0.20.0/22", + "customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-private3-eu-north-1c", + "kubernetes.io/role/internal-elb": "" + }, + "timeouts": null } } }, { - "index": 3, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[3]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[3]", - "name": "operator_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-openshift-cloud-network-config-controller-cloud", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "cloud-credentials", - "operator_namespace": "openshift-cloud-network-config-controller", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[0]": { + "index": 0, + "mode": "managed", + "name": "public_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} }, - "tags_all": { - "operator_name": "cloud-credentials", - "operator_namespace": "openshift-cloud-network-config-controller", - "owner": 
"ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1a", + "cidr_block": "10.0.0.0/22", + "customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-public1-eu-north-1a", + "kubernetes.io/role/elb": "" + }, + "timeouts": null } } }, { - "index": 4, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[4]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[4]", - "name": "operator_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-kube-system-kube-controller-manager", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "kube-controller-manager", - "operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[1]": { + "index": 1, + "mode": "managed", + "name": "public_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} }, - "tags_all": { - "operator_name": "kube-controller-manager", - 
"operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1b", + "cidr_block": "10.0.4.0/22", + "customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-public2-eu-north-1b", + "kubernetes.io/role/elb": "" + }, + "timeouts": null } } }, { - "index": 5, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[5]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[5]", - "name": "operator_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-kube-system-capa-controller-manager", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "capa-controller-manager", - "operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[2]": { + "index": 2, + "mode": "managed", + "name": "public_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} }, - "tags_all": { - 
"operator_name": "capa-controller-manager", - "operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1c", + "cidr_block": "10.0.8.0/22", + "customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-public3-eu-north-1c", + "kubernetes.io/role/elb": "" + }, + "timeouts": null } } }, { - "index": 6, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[6]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[6]", - "name": "operator_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-kube-system-control-plane-operator", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "control-plane-operator", - "operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "module.rosa_cluster.module.vpc.aws_vpc.vpc": { + "mode": "managed", + "name": "vpc", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} }, - "tags_all": { - 
"operator_name": "control-plane-operator", - "operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "type": "aws_vpc", + "values": { + "assign_generated_ipv6_cidr_block": null, + "cidr_block": "10.0.0.0/16", + "enable_dns_hostnames": true, + "enable_dns_support": true, + "instance_tenancy": "default", + "ipv4_ipam_pool_id": null, + "ipv4_netmask_length": null, + "ipv6_ipam_pool_id": null, + "ipv6_netmask_length": null, + "tags": { + "Name": "my-rosa-vpc" + }, + "tags_all": { + "Name": "my-rosa-vpc" + } } } }, { - "index": 7, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[7]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[7]", - "name": "operator_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-kube-system-kms-provider", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "kms-provider", - "operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "module.rosa_cluster.module.vpc.aws_vpc_endpoint.s3": { + "mode": "managed", + "name": "s3", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "cidr_blocks": [], + "dns_entry": [], + "dns_options": [], + "network_interface_ids": [], + "route_table_ids": [], + "security_group_ids": [], + "subnet_configuration": [], + "subnet_ids": [], + "tags_all": {} }, - "tags_all": { - "operator_name": "kms-provider", - "operator_namespace": 
"kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" + "type": "aws_vpc_endpoint", + "values": { + "auto_accept": null, + "resource_configuration_arn": null, + "service_name": "com.amazonaws.eu-west-2.s3", + "service_network_arn": null, + "tags": null, + "timeouts": null, + "vpc_endpoint_type": "Gateway" } } }, { - "index": 0, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[0]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[0]", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-openshift-image-registry-installer-cloud-creden" - } - }, - { - "index": 1, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[1]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[1]", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-openshift-ingress-operator-cloud-credentials" - } - }, - { - "index": 2, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[2]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[2]", - "name": "operator_role_policy_attachment", - 
"provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-openshift-cluster-csi-drivers-ebs-cloud-credent" - } - }, - { - "index": 3, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[3]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[3]", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-openshift-cloud-network-config-controller-cloud" - } - }, - { - "index": 4, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[4]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[4]", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-kube-system-kube-controller-manager" + "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[0]": { + "index": 0, + "mode": "managed", + "name": "private_vpc_endpoint_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_vpc_endpoint_route_table_association" } }, { - "index": 5, - "mode": "managed", - 
"module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[5]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[5]", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-kube-system-capa-controller-manager" + "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[1]": { + "index": 1, + "mode": "managed", + "name": "private_vpc_endpoint_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_vpc_endpoint_route_table_association" } }, { - "index": 6, - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[6]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[6]", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-kube-system-control-plane-operator" + "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[2]": { + "index": 2, + "mode": "managed", + "name": "private_vpc_endpoint_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_vpc_endpoint_route_table_association" } }, { - "index": 7, - "mode": "managed", - 
"module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[7]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[7]", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-kube-system-kms-provider" + "module.rosa_cluster.module.vpc.time_sleep.vpc_resources_wait": { + "mode": "managed", + "name": "vpc_resources_wait", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "sensitive_values": { + "triggers": {} + }, + "type": "time_sleep", + "values": { + "create_duration": "20s", + "destroy_duration": "20s", + "triggers": { + "cidr_block": "10.0.0.0/16" + } + } } - }, - { - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_caller_identity.current": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_caller_identity.current", - "name": "current", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_caller_identity" - }, + } + ] + } + }, + { + "module.rosa_cluster.module.rosa_hcp": { + "child_modules": [ { - "index": 0, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[0]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[0]", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0]": { + "resources": [ { - "actions": [ - false - ], - "condition": [ - { - 
"values": [ + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].aws_iam_openid_connect_provider.oidc_provider": { + "mode": "managed", + "name": "oidc_provider", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "client_id_list": [ false, false - ] + ], + "tags": {}, + "tags_all": {}, + "thumbprint_list": [] + }, + "type": "aws_iam_openid_connect_provider", + "values": { + "client_id_list": [ + "openshift", + "sts.amazonaws.com" + ], + "tags": { + "owner": "ARN_REDACTED" + }, + "tags_all": { + "owner": "ARN_REDACTED" + } } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].data.aws_region.current": { + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_region" + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].null_resource.unmanaged_vars_validation": { + "mode": "managed", + "name": "unmanaged_vars_validation", + "provider_name": "registry.terraform.io/hashicorp/null", + "schema_version": 0, + "sensitive_values": {}, + "type": "null_resource", + "values": { + "triggers": null } - ] - } - ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ + } + }, { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator", - "system:serviceaccount:openshift-image-registry:registry" - ] + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].rhcs_rosa_oidc_config.oidc_config": { + "mode": "managed", + "name": "oidc_config", + 
"provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": {}, + "type": "rhcs_rosa_oidc_config", + "values": { + "installer_role_arn": null, + "managed": true, + "secret_arn": null } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "Federated" + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].time_sleep.wait_10_seconds": { + "mode": "managed", + "name": "wait_10_seconds", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "sensitive_values": { + "triggers": {} + }, + "type": "time_sleep", + "values": { + "create_duration": "10s", + "destroy_duration": "10s", + "triggers": { + "discover_doc_object": null, + "policy_attached_to_bucket": null, + "public_access_block_attached_to_bucket": null, + "s3_object": null, + "secret_arn": null + } } - ], - "resources": null, - "sid": null + } } - ], - "version": null + ] } }, { - "index": 1, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[1]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[1]", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0]": { + "resources": [ { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false - ] + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[0]": { + "index": 0, + "mode": "managed", + "name": "account_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": 
{} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-account-HCP-ROSA-Installer-Role", + "path": "/", + "permissions_boundary": "", + "tags": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "installer" + }, + "tags_all": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "installer" + } } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[1]": { + "index": 1, + "mode": "managed", + "name": "account_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-account-HCP-ROSA-Support-Role", + "path": "/", + "permissions_boundary": "", + "tags": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "support" + }, + "tags_all": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "support" + } } - ] - } - ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ + } + 
}, { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:openshift-ingress-operator:ingress-operator" - ] + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[2]": { + "index": 2, + "mode": "managed", + "name": "account_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-account-HCP-ROSA-Worker-Role", + "path": "/", + "permissions_boundary": "", + "tags": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "instance_worker" + }, + "tags_all": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "instance_worker" + } } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "Federated" + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[0]": { + "index": 0, + "mode": "managed", + "name": "account_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-account-HCP-ROSA-Installer-Role" } - ], - "resources": null, - "sid": null - } - ], - "version": null - } - }, - { - "index": 2, - "mode": "data", - 
"module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[2]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[2]", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ + } + }, { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false, - false - ] + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[1]": { + "index": 1, + "mode": "managed", + "name": "account_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-account-HCP-ROSA-Support-Role" } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[2]": { + "index": 2, + "mode": "managed", + "name": "account_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-account-HCP-ROSA-Worker-Role" + } + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[0]": { + "index": 0, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } ] + }, + "type": 
"aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRole" + ], + "condition": [], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "AWS" + } + ], + "resources": null, + "sid": null + } + ], + "version": null } - ] - } - ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ + } + }, { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-operator", - "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-controller-sa" + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[1]": { + "index": 1, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRole" + ], + "condition": [], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "AWS" + } + ], + "resources": null, + "sid": null + } + ], + "version": null } - ], - 
"effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[2]": { + "index": 2, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRole" + ], + "condition": [], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + "ec2.amazonaws.com" + ], + "type": "Service" + } + ], + "resources": null, + "sid": null + } ], - "type": "Federated" + "version": null } - ], - "resources": null, - "sid": null + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_partition.current": { + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_partition" + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_hcp_policies.all_policies": { + "mode": "data", + "name": "all_policies", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": { + "account_role_policies": {}, + "operator_role_policies": {} + }, + "type": "rhcs_hcp_policies" + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_info.current": { + "mode": "data", + 
"name": "current", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": {}, + "type": "rhcs_info" + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].time_sleep.account_iam_resources_wait": { + "mode": "managed", + "name": "account_iam_resources_wait", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "sensitive_values": { + "triggers": {} + }, + "type": "time_sleep", + "values": { + "create_duration": "10s", + "destroy_duration": "10s", + "triggers": { + "account_iam_role_name": "[\"my-rosa-account-HCP-ROSA-Installer-Role\",\"my-rosa-account-HCP-ROSA-Support-Role\",\"my-rosa-account-HCP-ROSA-Worker-Role\"]", + "account_policy_arns": "[\"ARN_REDACTED", + "account_role_prefix": "my-rosa-account", + "path": "/" + } + } + } } - ], - "version": null + ] } }, { - "index": 3, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[3]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[3]", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp": { + "resources": [ { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false - ] + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_caller_identity.current[0]": { + "index": 0, + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_caller_identity" + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_region.current[0]": { + "index": 0, + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + 
"schema_version": 0, + "sensitive_values": {}, + "type": "aws_region" + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[0]": { + "index": 0, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[1]": { + "index": 1, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null } - ] - } - ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ + } + }, { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:openshift-cloud-network-config-controller:cloud-network-config-controller" - ] + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[2]": { + "index": 2, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ + } + }, + { + 
"module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[3]": { + "index": 3, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[4]": { + "index": 4, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[5]": { + "index": 5, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_cluster_rosa_hcp.rosa_hcp_cluster": { + "mode": "managed", + "name": "rosa_hcp_cluster", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": { + "admin_credentials": true, + "availability_zones": [ + false, + false, + false + ], + "aws_subnet_ids": [ + false, + false, + false, + false, + false, + false + ], + "ocm_properties": {}, + "properties": {}, + "sts": { + "instance_iam_roles": {} + }, + "tags": {} + }, + "type": "rhcs_cluster_rosa_hcp", + "values": { + "availability_zones": [ + "eu-north-1a", + "eu-north-1b", + "eu-north-1c" + ], + "aws_additional_allowed_principals": null, + "aws_additional_compute_security_group_ids": null, + "aws_subnet_ids": [ + null, + null, + null, + null, + 
null, null ], - "type": "Federated" + "channel_group": "stable", + "compute_machine_type": "m7i.xlarge", + "create_admin_user": null, + "destroy_timeout": null, + "disable_waiting_in_destroy": null, + "ec2_metadata_http_tokens": "optional", + "etcd_kms_key_arn": null, + "host_prefix": 23, + "kms_key_arn": null, + "machine_cidr": "10.0.0.0/18", + "max_hcp_cluster_wait_timeout_in_minutes": null, + "max_machinepool_wait_timeout_in_minutes": null, + "name": "my-rosa", + "pod_cidr": "10.0.64.0/18", + "private": false, + "properties": { + "rosa_creator_arn": "ARN_REDACTED" + }, + "proxy": null, + "registry_config": null, + "replicas": 6, + "service_cidr": "10.0.128.0/18", + "shared_vpc": null, + "sts": { + "instance_iam_roles": {}, + "operator_role_prefix": "my-rosa-operator" + }, + "tags": { + "owner": "ARN_REDACTED" + }, + "upgrade_acknowledgements_for": null, + "version": "4.17.16", + "wait_for_create_complete": true, + "wait_for_std_compute_nodes_complete": true, + "worker_disk_size": null } - ], - "resources": null, - "sid": null + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_hcp_default_ingress.default_ingress": { + "mode": "managed", + "name": "default_ingress", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": {}, + "type": "rhcs_hcp_default_ingress", + "values": { + "listening_method": "external" + } + } } - ], - "version": null + ] } }, { - "index": 4, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[4]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[4]", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0]": { + "resources": [ { - "actions": [ - false - ], - 
"condition": [ - { - "values": [ - false - ] + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[0]": { + "index": 0, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-openshift-image-registry-installer-cloud-creden", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "installer-cloud-credentials", + "operator_namespace": "openshift-image-registry", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "installer-cloud-credentials", + "operator_namespace": "openshift-image-registry", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[1]": { + "index": 1, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-openshift-ingress-operator-cloud-credentials", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "cloud-credentials", + "operator_namespace": "openshift-ingress-operator", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + 
"rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "cloud-credentials", + "operator_namespace": "openshift-ingress-operator", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } } - ] - } - ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ + } + }, { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:kube-system:kube-controller-manager" - ] + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[2]": { + "index": 2, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-openshift-cluster-csi-drivers-ebs-cloud-credent", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "ebs-cloud-credentials", + "operator_namespace": "openshift-cluster-csi-drivers", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "ebs-cloud-credentials", + "operator_namespace": "openshift-cluster-csi-drivers", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "Federated" + } + }, + { + 
"module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[3]": { + "index": 3, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-openshift-cloud-network-config-controller-cloud", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "cloud-credentials", + "operator_namespace": "openshift-cloud-network-config-controller", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "cloud-credentials", + "operator_namespace": "openshift-cloud-network-config-controller", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } } - ], - "resources": null, - "sid": null - } - ], - "version": null - } - }, - { - "index": 5, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[5]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[5]", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ + } + }, { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false - ] + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[4]": { + "index": 4, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + 
"managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-kube-system-kube-controller-manager", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "kube-controller-manager", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "kube-controller-manager", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[5]": { + "index": 5, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-kube-system-capa-controller-manager", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "capa-controller-manager", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "capa-controller-manager", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } } - ] - } - ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - 
"override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ + } + }, { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:kube-system:capa-controller-manager" - ] + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[6]": { + "index": 6, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-kube-system-control-plane-operator", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "control-plane-operator", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "control-plane-operator", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "Federated" + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[7]": { + "index": 7, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, 
+ "max_session_duration": 3600, + "name": "my-rosa-operator-kube-system-kms-provider", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "kms-provider", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "kms-provider", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + } } - ], - "resources": null, - "sid": null - } - ], - "version": null - } - }, - { - "index": 6, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[6]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[6]", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ + } + }, { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[0]": { + "index": 0, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-openshift-image-registry-installer-cloud-creden" + } + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[1]": { + "index": 1, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": 
"aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-openshift-ingress-operator-cloud-credentials" + } + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[2]": { + "index": 2, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-openshift-cluster-csi-drivers-ebs-cloud-credent" + } + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[3]": { + "index": 3, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-openshift-cloud-network-config-controller-cloud" + } + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[4]": { + "index": 4, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-kube-system-kube-controller-manager" + } + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[5]": { + "index": 5, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + 
"type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-kube-system-capa-controller-manager" + } + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[6]": { + "index": 6, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-kube-system-control-plane-operator" + } + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[7]": { + "index": 7, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-kube-system-kms-provider" + } + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_caller_identity.current": { + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_caller_identity" + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[0]": { + "index": 0, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false, + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } ] + }, + "type": "aws_iam_policy_document", + "values": { + 
"override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator", + "system:serviceaccount:openshift-image-registry:registry" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[1]": { + "index": 1, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:openshift-ingress-operator:ingress-operator" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null } - ] - } - ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, 
- "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ + } + }, { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:kube-system:control-plane-operator" + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[2]": { + "index": 2, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false, + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-operator", + "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-controller-sa" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[3]": { + "index": 3, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 
0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:openshift-cloud-network-config-controller:cloud-network-config-controller" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } ], - "type": "Federated" + "version": null } - ], - "resources": null, - "sid": null - } - ], - "version": null - } - }, - { - "index": 7, - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[7]": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[7]", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ + } + }, { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[4]": { + "index": 4, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } 
] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:kube-system:kube-controller-manager" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[5]": { + "index": 5, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:kube-system:capa-controller-manager" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null } - ] - } - ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - 
"override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ + } + }, { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:kube-system:kms-provider" + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[6]": { + "index": 6, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:kube-system:control-plane-operator" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[7]": { + "index": 7, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + } + ], + 
"not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:kube-system:kms-provider" + ] + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } ], - "type": "Federated" + "version": null + } + } + }, + { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].time_sleep.role_resources_propagation": { + "mode": "managed", + "name": "role_resources_propagation", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "sensitive_values": { + "triggers": {} + }, + "type": "time_sleep", + "values": { + "create_duration": "20s", + "destroy_duration": null, + "triggers": { + "operator_policy_arns": "[\"ARN_REDACTED", + "operator_role_prefix": "my-rosa-operator" + } } - ], - "resources": null, - "sid": null + } } - ], - "version": null + ] + } + } + ], + "resources": [ + { + "module.rosa_cluster.module.rosa_hcp.data.aws_caller_identity.current": { + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_caller_identity" } }, { - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].time_sleep.role_resources_propagation": "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].time_sleep.role_resources_propagation", - "name": "role_resources_propagation", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - 
"sensitive_values": { - "triggers": {} - }, - "type": "time_sleep", - "values": { - "create_duration": "20s", - "destroy_duration": null, - "triggers": { - "operator_policy_arns": "[\"ARN_REDACTED", - "operator_role_prefix": "my-rosa-operator" + "module.rosa_cluster.module.rosa_hcp.null_resource.validations": { + "mode": "managed", + "name": "validations", + "provider_name": "registry.terraform.io/hashicorp/null", + "schema_version": 0, + "sensitive_values": {}, + "type": "null_resource", + "values": { + "triggers": null } } } ] } - ], - "module.rosa_cluster.module.rosa_hcp": "module.rosa_cluster.module.rosa_hcp", - "resources": [ - { - "mode": "data", - "module.rosa_cluster.module.rosa_hcp.data.aws_caller_identity.current": "module.rosa_cluster.module.rosa_hcp.data.aws_caller_identity.current", - "name": "current", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_caller_identity" - }, - { - "mode": "managed", - "module.rosa_cluster.module.rosa_hcp.null_resource.validations": "module.rosa_cluster.module.rosa_hcp.null_resource.validations", - "name": "validations", - "provider_name": "registry.terraform.io/hashicorp/null", - "schema_version": 0, - "sensitive_values": {}, - "type": "null_resource", - "values": { - "triggers": null - } - } - ] - }, - { - "module.rosa_cluster.module.htpasswd_idp": "module.rosa_cluster.module.htpasswd_idp", - "resources": [ - { - "index": 0, - "mode": "managed", - "module.rosa_cluster.module.htpasswd_idp.rhcs_identity_provider.htpasswd_identity_provider[0]": "module.rosa_cluster.module.htpasswd_idp.rhcs_identity_provider.htpasswd_identity_provider[0]", - "name": "htpasswd_identity_provider", - "provider_name": "registry.terraform.io/terraform-redhat/rhcs", - "schema_version": 0, - "sensitive_values": { - "htpasswd": { - "users": true - } - }, - "type": "rhcs_identity_provider", - "values": { - "github": null, - "gitlab": null, - "google": null, - "htpasswd": { - 
"users": [ - { - "password": "CHANGEME1234r!", - "username": "kubeadmin" + }, + { + "module.rosa_cluster.module.htpasswd_idp": { + "resources": [ + { + "module.rosa_cluster.module.htpasswd_idp.rhcs_identity_provider.htpasswd_identity_provider[0]": { + "index": 0, + "mode": "managed", + "name": "htpasswd_identity_provider", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": { + "htpasswd": { + "users": true + } + }, + "type": "rhcs_identity_provider", + "values": { + "github": null, + "gitlab": null, + "google": null, + "htpasswd": { + "users": [ + { + "password": "CHANGEME1234r!", + "username": "kubeadmin" + } + ] + }, + "ldap": null, + "mapping_method": "claim", + "name": "htpasswd-idp", + "openid": null } - ] - }, - "ldap": null, - "mapping_method": "claim", - "name": "htpasswd-idp", - "openid": null - } + } + } + ] } - ] - } - ], - "module.rosa_cluster": "module.rosa_cluster" + } + ] + } } ] } diff --git a/justfile b/justfile index 5d77a1b36..a3de10215 100644 --- a/justfile +++ b/justfile 
@@ -39,21 +39,20 @@ regenerate-golden-file module_dir backend_bucket_region backend_bucket_name back jq --sort-keys '.planned_values.root_module' tfplan.json > tfplan-redacted.json rm -f tfplan.json - jq 'def replace_address: - if type == "object" then - with_entries( - if .key == "address" and .value != null then - { key: .value, value: .value } - else - { key: .key, value: (.value | replace_address) } - end - ) - elif type == "array" then - map(replace_address) + # transform the tfoutput to deal only with keys to keep simple ordering + jq 'def transform: + if type == "array" then + map(transform) + elif type == "object" then + if has("address") and .address != null then + { (.address): with_entries(select(.key != "address")) | map_values(transform) } + else + with_entries(.value |= transform) + end else . end; - replace_address' tfplan-redacted.json > tfplan.json + transform' tfplan-redacted.json > tfplan.json rm -f tfplan-redacted.json # final sort From 2aee69d17f678a431a6e56826683760b92b1574b Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 5 Mar 2025 23:20:00 +0100 Subject: [PATCH 09/65] final order --- .../test/golden/tfplan-golden.json | 4798 ++++++++--------- justfile | 12 +- 2 files changed, 2311 insertions(+), 2499 deletions(-) diff --git a/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json b/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json index c23faaa4a..270aa5114 100644 --- a/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json +++ b/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json 
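Review bot: The new `transform` filter passes each resource's `values` through unchanged, so attributes that Terraform flags in `sensitive_values` land in the golden file in clear text. The regenerated tfplan-golden.json in this series shows the htpasswd `password` alongside `"users": true` under `sensitive_values`. The committed value looks like a placeholder, but the recipe would write whatever the variable holds at regeneration time, so I would mask `values` by the shape of `sensitive_values` before re-keying, as sketched below. The `regenerate-golden-file` recipe starts before this hunk and continues after it; the ARNs are evidently redacted somewhere outside the hunk, and that step may be the better home for this. Whatever compares a fresh plan against the golden file would need the same masking.

```just
    # … unchanged: plan export and first jq --sort-keys step …
    jq 'def redact($mask):
          if $mask == true then "REDACTED"
          elif type == "object" and ($mask | type) == "object" then
            with_entries(.key as $k | .value |= redact($mask[$k]))
          elif type == "array" and ($mask | type) == "array" then
            to_entries | map(.key as $i | .value | redact($mask[$i]))
          else . end;
        def transform:
          # … unchanged: array branch and object test …
            if has("address") and .address != null then
              { (.address): (with_entries(select(.key != "address"))
                  | if has("values") and has("sensitive_values")
                    then .sensitive_values as $m | .values |= redact($m)
                    else . end
                  | map_values(transform)) }
          # … unchanged: else branches and output redirection …
```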
@@ -1,2670 +1,2472 @@ { - "child_modules": [ - { - "module.rosa_cluster": { - "child_modules": [ - { - "module.rosa_cluster.module.vpc": { - "resources": [ - { - "module.rosa_cluster.module.vpc.aws_eip.eip[0]": { - "index": 0, - "mode": "managed", - "name": "eip", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "tags": {}, - "tags_all": {} - }, - "type": "aws_eip", - "values": { - "address": null, - "associate_with_private_ip": null, - "customer_owned_ipv4_pool": null, - "domain": "vpc", - "tags": { - "Name": "my-rosa-eip-eu-north-1a" - }, - "tags_all": { - "Name": "my-rosa-eip-eu-north-1a" - }, - "timeouts": null + "child_modules": { + "module.rosa_cluster": { + "child_modules": { + "module.rosa_cluster.module.htpasswd_idp": { + "resources": { + "module.rosa_cluster.module.htpasswd_idp.rhcs_identity_provider.htpasswd_identity_provider[0]": { + "index": 0, + "mode": "managed", + "name": "htpasswd_identity_provider", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": { + "htpasswd": { + "users": true + } + }, + "type": "rhcs_identity_provider", + "values": { + "github": null, + "gitlab": null, + "google": null, + "htpasswd": { + "users": [ + { + "password": "CHANGEME1234r!", + "username": "kubeadmin" } - } + ] }, - { - "module.rosa_cluster.module.vpc.aws_eip.eip[1]": { - "index": 1, - "mode": "managed", - "name": "eip", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "tags": {}, - "tags_all": {} + "ldap": null, + "mapping_method": "claim", + "name": "htpasswd-idp", + "openid": null + } + } + } + }, + "module.rosa_cluster.module.rosa_hcp": { + "child_modules": { + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0]": { + "resources": { + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[0]": { + "index": 0, + "mode": "managed", + 
"name": "account_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-account-HCP-ROSA-Installer-Role", + "path": "/", + "permissions_boundary": "", + "tags": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "installer" }, - "type": "aws_eip", - "values": { - "address": null, - "associate_with_private_ip": null, - "customer_owned_ipv4_pool": null, - "domain": "vpc", - "tags": { - "Name": "my-rosa-eip-eu-north-1b" - }, - "tags_all": { - "Name": "my-rosa-eip-eu-north-1b" - }, - "timeouts": null + "tags_all": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "installer" } } }, - { - "module.rosa_cluster.module.vpc.aws_eip.eip[2]": { - "index": 2, - "mode": "managed", - "name": "eip", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "tags": {}, - "tags_all": {} + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[1]": { + "index": 1, + "mode": "managed", + "name": "account_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-account-HCP-ROSA-Support-Role", + "path": "/", + "permissions_boundary": "", + "tags": { + "owner": 
"ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "support" }, - "type": "aws_eip", - "values": { - "address": null, - "associate_with_private_ip": null, - "customer_owned_ipv4_pool": null, - "domain": "vpc", - "tags": { - "Name": "my-rosa-eip-eu-north-1c" - }, - "tags_all": { - "Name": "my-rosa-eip-eu-north-1c" - }, - "timeouts": null + "tags_all": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "support" } } }, - { - "module.rosa_cluster.module.vpc.aws_internet_gateway.internet_gateway": { - "mode": "managed", - "name": "internet_gateway", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "tags": {}, - "tags_all": {} + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[2]": { + "index": 2, + "mode": "managed", + "name": "account_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-account-HCP-ROSA-Worker-Role", + "path": "/", + "permissions_boundary": "", + "tags": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "instance_worker" }, - "type": "aws_internet_gateway", - "values": { - "tags": { - "Name": "my-rosa-igw" - }, - "tags_all": { - "Name": "my-rosa-igw" - }, - "timeouts": null + "tags_all": { + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + 
"rosa_managed_policies": "true", + "rosa_role_prefix": "my-rosa-account", + "rosa_role_type": "instance_worker" } } }, - { - "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[0]": { - "index": 0, - "mode": "managed", - "name": "public_nat_gateway", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "secondary_private_ip_addresses": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_nat_gateway", - "values": { - "connectivity_type": "public", - "secondary_allocation_ids": null, - "tags": { - "Name": "my-rosa-nat-public0-eu-north-1a" - }, - "tags_all": { - "Name": "my-rosa-nat-public0-eu-north-1a" - }, - "timeouts": null - } + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[0]": { + "index": 0, + "mode": "managed", + "name": "account_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-account-HCP-ROSA-Installer-Role" } }, - { - "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[1]": { - "index": 1, - "mode": "managed", - "name": "public_nat_gateway", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "secondary_private_ip_addresses": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_nat_gateway", - "values": { - "connectivity_type": "public", - "secondary_allocation_ids": null, - "tags": { - "Name": "my-rosa-nat-public1-eu-north-1b" - }, - "tags_all": { - "Name": "my-rosa-nat-public1-eu-north-1b" - }, - "timeouts": null - } + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[1]": { + "index": 1, + "mode": "managed", + "name": "account_role_policy_attachment", + 
"provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-account-HCP-ROSA-Support-Role" } }, - { - "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[2]": { - "index": 2, - "mode": "managed", - "name": "public_nat_gateway", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "secondary_private_ip_addresses": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_nat_gateway", - "values": { - "connectivity_type": "public", - "secondary_allocation_ids": null, - "tags": { - "Name": "my-rosa-nat-public2-eu-north-1c" - }, - "tags_all": { - "Name": "my-rosa-nat-public2-eu-north-1c" - }, - "timeouts": null - } + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[2]": { + "index": 2, + "mode": "managed", + "name": "account_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-account-HCP-ROSA-Worker-Role" } }, - { - "module.rosa_cluster.module.vpc.aws_route.ipv4_egress_route": { - "mode": "managed", - "name": "ipv4_egress_route", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route", - "values": { - "carrier_gateway_id": null, - "core_network_arn": null, - "destination_cidr_block": "0.0.0.0/0", - "destination_ipv6_cidr_block": null, - "destination_prefix_list_id": null, - "egress_only_gateway_id": null, - "local_gateway_id": null, - "nat_gateway_id": null, - "timeouts": null, - "transit_gateway_id": null, - "vpc_endpoint_id": null, - "vpc_peering_connection_id": null - } + 
"module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[0]": { + "index": 0, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRole" + ], + "condition": [], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "AWS" + } + ], + "resources": null, + "sid": null + } + ], + "version": null } }, - { - "module.rosa_cluster.module.vpc.aws_route.ipv6_egress_route": { - "mode": "managed", - "name": "ipv6_egress_route", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route", - "values": { - "carrier_gateway_id": null, - "core_network_arn": null, - "destination_cidr_block": null, - "destination_ipv6_cidr_block": "::/0", - "destination_prefix_list_id": null, - "egress_only_gateway_id": null, - "local_gateway_id": null, - "nat_gateway_id": null, - "timeouts": null, - "transit_gateway_id": null, - "vpc_endpoint_id": null, - "vpc_peering_connection_id": null - } + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[1]": { + "index": 1, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [], + "not_principals": 
[], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRole" + ], + "condition": [], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "AWS" + } + ], + "resources": null, + "sid": null + } + ], + "version": null } }, - { - "module.rosa_cluster.module.vpc.aws_route.private_nat[0]": { - "index": 0, - "mode": "managed", - "name": "private_nat", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route", - "values": { - "carrier_gateway_id": null, - "core_network_arn": null, - "destination_cidr_block": "0.0.0.0/0", - "destination_ipv6_cidr_block": null, - "destination_prefix_list_id": null, - "egress_only_gateway_id": null, - "gateway_id": null, - "local_gateway_id": null, - "timeouts": null, - "transit_gateway_id": null, - "vpc_endpoint_id": null, - "vpc_peering_connection_id": null - } + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[2]": { + "index": 2, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRole" + ], + "condition": [], + "effect": "Allow", + 
"not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + "ec2.amazonaws.com" + ], + "type": "Service" + } + ], + "resources": null, + "sid": null + } + ], + "version": null } }, - { - "module.rosa_cluster.module.vpc.aws_route.private_nat[1]": { - "index": 1, - "mode": "managed", - "name": "private_nat", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route", - "values": { - "carrier_gateway_id": null, - "core_network_arn": null, - "destination_cidr_block": "0.0.0.0/0", - "destination_ipv6_cidr_block": null, - "destination_prefix_list_id": null, - "egress_only_gateway_id": null, - "gateway_id": null, - "local_gateway_id": null, - "timeouts": null, - "transit_gateway_id": null, - "vpc_endpoint_id": null, - "vpc_peering_connection_id": null - } - } + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_partition.current": { + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_partition" }, - { - "module.rosa_cluster.module.vpc.aws_route.private_nat[2]": { - "index": 2, - "mode": "managed", - "name": "private_nat", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route", - "values": { - "carrier_gateway_id": null, - "core_network_arn": null, - "destination_cidr_block": "0.0.0.0/0", - "destination_ipv6_cidr_block": null, - "destination_prefix_list_id": null, - "egress_only_gateway_id": null, - "gateway_id": null, - "local_gateway_id": null, - "timeouts": null, - "transit_gateway_id": null, - "vpc_endpoint_id": null, - "vpc_peering_connection_id": null - } - } + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_hcp_policies.all_policies": { + "mode": "data", + "name": "all_policies", + "provider_name": 
"registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": { + "account_role_policies": {}, + "operator_role_policies": {} + }, + "type": "rhcs_hcp_policies" }, - { - "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[0]": { - "index": 0, - "mode": "managed", - "name": "private_route_table", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "propagating_vgws": [], - "route": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_route_table", - "values": { - "tags": { - "Name": "my-rosa-rtb-private0-eu-north-1a" - }, - "tags_all": { - "Name": "my-rosa-rtb-private0-eu-north-1a" - }, - "timeouts": null - } - } + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_info.current": { + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": {}, + "type": "rhcs_info" }, - { - "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[1]": { - "index": 1, - "mode": "managed", - "name": "private_route_table", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "propagating_vgws": [], - "route": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_route_table", - "values": { - "tags": { - "Name": "my-rosa-rtb-private1-eu-north-1b" - }, - "tags_all": { - "Name": "my-rosa-rtb-private1-eu-north-1b" - }, - "timeouts": null + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].time_sleep.account_iam_resources_wait": { + "mode": "managed", + "name": "account_iam_resources_wait", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "sensitive_values": { + "triggers": {} + }, + "type": "time_sleep", + "values": { + "create_duration": "10s", + "destroy_duration": "10s", + "triggers": { + "account_iam_role_name": 
"[\"my-rosa-account-HCP-ROSA-Installer-Role\",\"my-rosa-account-HCP-ROSA-Support-Role\",\"my-rosa-account-HCP-ROSA-Worker-Role\"]", + "account_policy_arns": "[\"ARN_REDACTED", + "account_role_prefix": "my-rosa-account", + "path": "/" } } - }, - { - "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[2]": { - "index": 2, - "mode": "managed", - "name": "private_route_table", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "propagating_vgws": [], - "route": [], - "tags": {}, - "tags_all": {} + } + } + }, + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0]": { + "resources": { + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].aws_iam_openid_connect_provider.oidc_provider": { + "mode": "managed", + "name": "oidc_provider", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "client_id_list": [ + false, + false + ], + "tags": {}, + "tags_all": {}, + "thumbprint_list": [] + }, + "type": "aws_iam_openid_connect_provider", + "values": { + "client_id_list": [ + "openshift", + "sts.amazonaws.com" + ], + "tags": { + "owner": "ARN_REDACTED" }, - "type": "aws_route_table", - "values": { - "tags": { - "Name": "my-rosa-rtb-private2-eu-north-1c" - }, - "tags_all": { - "Name": "my-rosa-rtb-private2-eu-north-1c" - }, - "timeouts": null + "tags_all": { + "owner": "ARN_REDACTED" } } }, - { - "module.rosa_cluster.module.vpc.aws_route_table.public_route_table": { - "mode": "managed", - "name": "public_route_table", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "propagating_vgws": [], - "route": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_route_table", - "values": { - "tags": { - "Name": "my-rosa-public" - }, - "tags_all": { - "Name": "my-rosa-public" - }, - "timeouts": null - } - } + 
"module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].data.aws_region.current": { + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_region" }, - { - "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[0]": { - "index": 0, - "mode": "managed", - "name": "private_route_table_association", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route_table_association", - "values": { - "gateway_id": null, - "timeouts": null - } + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].null_resource.unmanaged_vars_validation": { + "mode": "managed", + "name": "unmanaged_vars_validation", + "provider_name": "registry.terraform.io/hashicorp/null", + "schema_version": 0, + "sensitive_values": {}, + "type": "null_resource", + "values": { + "triggers": null } }, - { - "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[1]": { - "index": 1, - "mode": "managed", - "name": "private_route_table_association", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route_table_association", - "values": { - "gateway_id": null, - "timeouts": null - } + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].rhcs_rosa_oidc_config.oidc_config": { + "mode": "managed", + "name": "oidc_config", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": {}, + "type": "rhcs_rosa_oidc_config", + "values": { + "installer_role_arn": null, + "managed": true, + "secret_arn": null } }, - { - "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[2]": { - "index": 2, - "mode": "managed", - "name": "private_route_table_association", - 
"provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route_table_association", - "values": { - "gateway_id": null, - "timeouts": null + "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].time_sleep.wait_10_seconds": { + "mode": "managed", + "name": "wait_10_seconds", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "sensitive_values": { + "triggers": {} + }, + "type": "time_sleep", + "values": { + "create_duration": "10s", + "destroy_duration": "10s", + "triggers": { + "discover_doc_object": null, + "policy_attached_to_bucket": null, + "public_access_block_attached_to_bucket": null, + "s3_object": null, + "secret_arn": null } } - }, - { - "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[0]": { - "index": 0, - "mode": "managed", - "name": "public_route_table_association", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route_table_association", - "values": { - "gateway_id": null, - "timeouts": null + } + } + }, + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0]": { + "resources": { + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[0]": { + "index": 0, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-openshift-image-registry-installer-cloud-creden", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "installer-cloud-credentials", + "operator_namespace": "openshift-image-registry", + "owner": "ARN_REDACTED", + 
"red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "installer-cloud-credentials", + "operator_namespace": "openshift-image-registry", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" } } }, - { - "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[1]": { - "index": 1, - "mode": "managed", - "name": "public_route_table_association", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route_table_association", - "values": { - "gateway_id": null, - "timeouts": null + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[1]": { + "index": 1, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-openshift-ingress-operator-cloud-credentials", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "cloud-credentials", + "operator_namespace": "openshift-ingress-operator", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "cloud-credentials", + "operator_namespace": "openshift-ingress-operator", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" } } }, - { - "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[2]": { - "index": 2, - "mode": "managed", - "name": "public_route_table_association", - 
"provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_route_table_association", - "values": { - "gateway_id": null, - "timeouts": null + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[2]": { + "index": 2, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-openshift-cluster-csi-drivers-ebs-cloud-credent", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "ebs-cloud-credentials", + "operator_namespace": "openshift-cluster-csi-drivers", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" + }, + "tags_all": { + "operator_name": "ebs-cloud-credentials", + "operator_namespace": "openshift-cluster-csi-drivers", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" } } }, - { - "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[0]": { - "index": 0, - "mode": "managed", - "name": "private_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 1, - "sensitive_values": { - "tags": {}, - "tags_all": {} + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[3]": { + "index": 3, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + 
"force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-openshift-cloud-network-config-controller-cloud", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "cloud-credentials", + "operator_namespace": "openshift-cloud-network-config-controller", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" }, - "type": "aws_subnet", - "values": { - "assign_ipv6_address_on_creation": false, - "availability_zone": "eu-north-1a", - "cidr_block": "10.0.12.0/22", - "customer_owned_ipv4_pool": null, - "enable_dns64": false, - "enable_lni_at_device_index": null, - "enable_resource_name_dns_a_record_on_launch": false, - "enable_resource_name_dns_aaaa_record_on_launch": false, - "ipv6_cidr_block": null, - "ipv6_native": false, - "map_customer_owned_ip_on_launch": null, - "map_public_ip_on_launch": false, - "outpost_arn": null, - "tags": { - "Name": "my-rosa-subnet-private1-eu-north-1a", - "kubernetes.io/role/internal-elb": "" - }, - "timeouts": null + "tags_all": { + "operator_name": "cloud-credentials", + "operator_namespace": "openshift-cloud-network-config-controller", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" } } }, - { - "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[1]": { - "index": 1, - "mode": "managed", - "name": "private_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 1, - "sensitive_values": { - "tags": {}, - "tags_all": {} + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[4]": { + "index": 4, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + 
"description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-kube-system-kube-controller-manager", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "kube-controller-manager", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" }, - "type": "aws_subnet", - "values": { - "assign_ipv6_address_on_creation": false, - "availability_zone": "eu-north-1b", - "cidr_block": "10.0.16.0/22", - "customer_owned_ipv4_pool": null, - "enable_dns64": false, - "enable_lni_at_device_index": null, - "enable_resource_name_dns_a_record_on_launch": false, - "enable_resource_name_dns_aaaa_record_on_launch": false, - "ipv6_cidr_block": null, - "ipv6_native": false, - "map_customer_owned_ip_on_launch": null, - "map_public_ip_on_launch": false, - "outpost_arn": null, - "tags": { - "Name": "my-rosa-subnet-private2-eu-north-1b", - "kubernetes.io/role/internal-elb": "" - }, - "timeouts": null + "tags_all": { + "operator_name": "kube-controller-manager", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" } } }, - { - "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[2]": { - "index": 2, - "mode": "managed", - "name": "private_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 1, - "sensitive_values": { - "tags": {}, - "tags_all": {} + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[5]": { + "index": 5, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + 
"force_detach_policies": false, + "max_session_duration": 3600, + "name": "my-rosa-operator-kube-system-capa-controller-manager", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "capa-controller-manager", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" }, - "type": "aws_subnet", - "values": { - "assign_ipv6_address_on_creation": false, - "availability_zone": "eu-north-1c", - "cidr_block": "10.0.20.0/22", - "customer_owned_ipv4_pool": null, - "enable_dns64": false, - "enable_lni_at_device_index": null, - "enable_resource_name_dns_a_record_on_launch": false, - "enable_resource_name_dns_aaaa_record_on_launch": false, - "ipv6_cidr_block": null, - "ipv6_native": false, - "map_customer_owned_ip_on_launch": null, - "map_public_ip_on_launch": false, - "outpost_arn": null, - "tags": { - "Name": "my-rosa-subnet-private3-eu-north-1c", - "kubernetes.io/role/internal-elb": "" - }, - "timeouts": null + "tags_all": { + "operator_name": "capa-controller-manager", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" } } }, - { - "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[0]": { - "index": 0, - "mode": "managed", - "name": "public_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 1, - "sensitive_values": { - "tags": {}, - "tags_all": {} + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[6]": { + "index": 6, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + 
"max_session_duration": 3600, + "name": "my-rosa-operator-kube-system-control-plane-operator", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "control-plane-operator", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" }, - "type": "aws_subnet", - "values": { - "assign_ipv6_address_on_creation": false, - "availability_zone": "eu-north-1a", - "cidr_block": "10.0.0.0/22", - "customer_owned_ipv4_pool": null, - "enable_dns64": false, - "enable_lni_at_device_index": null, - "enable_resource_name_dns_a_record_on_launch": false, - "enable_resource_name_dns_aaaa_record_on_launch": false, - "ipv6_cidr_block": null, - "ipv6_native": false, - "map_customer_owned_ip_on_launch": null, - "map_public_ip_on_launch": false, - "outpost_arn": null, - "tags": { - "Name": "my-rosa-subnet-public1-eu-north-1a", - "kubernetes.io/role/elb": "" - }, - "timeouts": null + "tags_all": { + "operator_name": "control-plane-operator", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" } } }, - { - "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[1]": { - "index": 1, - "mode": "managed", - "name": "public_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 1, - "sensitive_values": { - "tags": {}, - "tags_all": {} + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[7]": { + "index": 7, + "mode": "managed", + "name": "operator_role", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "inline_policy": [], + "managed_policy_arns": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_iam_role", + "values": { + "description": null, + "force_detach_policies": false, + "max_session_duration": 3600, + "name": 
"my-rosa-operator-kube-system-kms-provider", + "path": "/", + "permissions_boundary": "", + "tags": { + "operator_name": "kms-provider", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" }, - "type": "aws_subnet", - "values": { - "assign_ipv6_address_on_creation": false, - "availability_zone": "eu-north-1b", - "cidr_block": "10.0.4.0/22", - "customer_owned_ipv4_pool": null, - "enable_dns64": false, - "enable_lni_at_device_index": null, - "enable_resource_name_dns_a_record_on_launch": false, - "enable_resource_name_dns_aaaa_record_on_launch": false, - "ipv6_cidr_block": null, - "ipv6_native": false, - "map_customer_owned_ip_on_launch": null, - "map_public_ip_on_launch": false, - "outpost_arn": null, - "tags": { - "Name": "my-rosa-subnet-public2-eu-north-1b", - "kubernetes.io/role/elb": "" - }, - "timeouts": null + "tags_all": { + "operator_name": "kms-provider", + "operator_namespace": "kube-system", + "owner": "ARN_REDACTED", + "red-hat-managed": "true", + "rosa_hcp_policies": "true", + "rosa_managed_policies": "true" } } }, - { - "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[2]": { - "index": 2, - "mode": "managed", - "name": "public_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 1, - "sensitive_values": { - "tags": {}, - "tags_all": {} - }, - "type": "aws_subnet", - "values": { - "assign_ipv6_address_on_creation": false, - "availability_zone": "eu-north-1c", - "cidr_block": "10.0.8.0/22", - "customer_owned_ipv4_pool": null, - "enable_dns64": false, - "enable_lni_at_device_index": null, - "enable_resource_name_dns_a_record_on_launch": false, - "enable_resource_name_dns_aaaa_record_on_launch": false, - "ipv6_cidr_block": null, - "ipv6_native": false, - "map_customer_owned_ip_on_launch": null, - "map_public_ip_on_launch": false, - "outpost_arn": null, - "tags": { - "Name": 
"my-rosa-subnet-public3-eu-north-1c", - "kubernetes.io/role/elb": "" - }, - "timeouts": null - } + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[0]": { + "index": 0, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-openshift-image-registry-installer-cloud-creden" } }, - { - "module.rosa_cluster.module.vpc.aws_vpc.vpc": { - "mode": "managed", - "name": "vpc", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 1, - "sensitive_values": { - "tags": {}, - "tags_all": {} - }, - "type": "aws_vpc", - "values": { - "assign_generated_ipv6_cidr_block": null, - "cidr_block": "10.0.0.0/16", - "enable_dns_hostnames": true, - "enable_dns_support": true, - "instance_tenancy": "default", - "ipv4_ipam_pool_id": null, - "ipv4_netmask_length": null, - "ipv6_ipam_pool_id": null, - "ipv6_netmask_length": null, - "tags": { - "Name": "my-rosa-vpc" - }, - "tags_all": { - "Name": "my-rosa-vpc" - } - } + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[1]": { + "index": 1, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-openshift-ingress-operator-cloud-credentials" } }, - { - "module.rosa_cluster.module.vpc.aws_vpc_endpoint.s3": { - "mode": "managed", - "name": "s3", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cidr_blocks": [], - "dns_entry": [], - "dns_options": [], - 
"network_interface_ids": [], - "route_table_ids": [], - "security_group_ids": [], - "subnet_configuration": [], - "subnet_ids": [], - "tags_all": {} - }, - "type": "aws_vpc_endpoint", - "values": { - "auto_accept": null, - "resource_configuration_arn": null, - "service_name": "com.amazonaws.eu-west-2.s3", - "service_network_arn": null, - "tags": null, - "timeouts": null, - "vpc_endpoint_type": "Gateway" - } + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[2]": { + "index": 2, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-openshift-cluster-csi-drivers-ebs-cloud-credent" } }, - { - "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[0]": { - "index": 0, - "mode": "managed", - "name": "private_vpc_endpoint_route_table_association", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_vpc_endpoint_route_table_association" + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[3]": { + "index": 3, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-openshift-cloud-network-config-controller-cloud" } }, - { - "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[1]": { - "index": 1, - "mode": "managed", - "name": 
"private_vpc_endpoint_route_table_association", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_vpc_endpoint_route_table_association" + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[4]": { + "index": 4, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-kube-system-kube-controller-manager" } }, - { - "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[2]": { - "index": 2, - "mode": "managed", - "name": "private_vpc_endpoint_route_table_association", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_vpc_endpoint_route_table_association" + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[5]": { + "index": 5, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-kube-system-capa-controller-manager" } }, - { - "module.rosa_cluster.module.vpc.time_sleep.vpc_resources_wait": { - "mode": "managed", - "name": "vpc_resources_wait", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "sensitive_values": { - "triggers": {} - }, - "type": "time_sleep", - "values": { - "create_duration": "20s", - "destroy_duration": "20s", - "triggers": { - "cidr_block": "10.0.0.0/16" - } - } + 
"module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[6]": { + "index": 6, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-kube-system-control-plane-operator" } - } - ] - } - }, - { - "module.rosa_cluster.module.rosa_hcp": { - "child_modules": [ - { - "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0]": { - "resources": [ + }, + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[7]": { + "index": 7, + "mode": "managed", + "name": "operator_role_policy_attachment", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_iam_role_policy_attachment", + "values": { + "policy_arn": "ARN_REDACTED", + "role": "my-rosa-operator-kube-system-kms-provider" + } + }, + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_caller_identity.current": { + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_caller_identity" + }, + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[0]": { + "index": 0, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ { - "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].aws_iam_openid_connect_provider.oidc_provider": { - "mode": "managed", - "name": "oidc_provider", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - 
"sensitive_values": { - "client_id_list": [ + "actions": [ + false + ], + "condition": [ + { + "values": [ false, false - ], - "tags": {}, - "tags_all": {}, - "thumbprint_list": [] - }, - "type": "aws_iam_openid_connect_provider", - "values": { - "client_id_list": [ - "openshift", - "sts.amazonaws.com" - ], - "tags": { - "owner": "ARN_REDACTED" - }, - "tags_all": { - "owner": "ARN_REDACTED" - } + ] } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].data.aws_region.current": { - "mode": "data", - "name": "current", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_region" - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].null_resource.unmanaged_vars_validation": { - "mode": "managed", - "name": "unmanaged_vars_validation", - "provider_name": "registry.terraform.io/hashicorp/null", - "schema_version": 0, - "sensitive_values": {}, - "type": "null_resource", - "values": { - "triggers": null + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] } - } - }, + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ { - "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].rhcs_rosa_oidc_config.oidc_config": { - "mode": "managed", - "name": "oidc_config", - "provider_name": "registry.terraform.io/terraform-redhat/rhcs", - "schema_version": 0, - "sensitive_values": {}, - "type": "rhcs_rosa_oidc_config", - "values": { - "installer_role_arn": null, - "managed": true, - "secret_arn": null + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator", + 
"system:serviceaccount:openshift-image-registry:registry" + ] } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.oidc_config_and_provider[0].time_sleep.wait_10_seconds": { - "mode": "managed", - "name": "wait_10_seconds", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "sensitive_values": { - "triggers": {} - }, - "type": "time_sleep", - "values": { - "create_duration": "10s", - "destroy_duration": "10s", - "triggers": { - "discover_doc_object": null, - "policy_attached_to_bucket": null, - "public_access_block_attached_to_bucket": null, - "s3_object": null, - "secret_arn": null - } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" } - } + ], + "resources": null, + "sid": null } - ] + ], + "version": null } }, - { - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0]": { - "resources": [ - { - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[0]": { - "index": 0, - "mode": "managed", - "name": "account_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-account-HCP-ROSA-Installer-Role", - "path": "/", - "permissions_boundary": "", - "tags": { - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "installer" - }, - "tags_all": { - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "installer" - } 
- } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[1]": { - "index": 1, - "mode": "managed", - "name": "account_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-account-HCP-ROSA-Support-Role", - "path": "/", - "permissions_boundary": "", - "tags": { - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "support" - }, - "tags_all": { - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "support" - } - } - } - }, + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[1]": { + "index": 1, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ { - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role.account_role[2]": { - "index": 2, - "mode": "managed", - "name": "account_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-account-HCP-ROSA-Worker-Role", - "path": "/", - "permissions_boundary": "", - "tags": { - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - 
"rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "instance_worker" - }, - "tags_all": { - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true", - "rosa_role_prefix": "my-rosa-account", - "rosa_role_type": "instance_worker" - } - } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[0]": { - "index": 0, - "mode": "managed", - "name": "account_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-account-HCP-ROSA-Installer-Role" - } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[1]": { - "index": 1, - "mode": "managed", - "name": "account_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-account-HCP-ROSA-Support-Role" - } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[2]": { - "index": 2, - "mode": "managed", - "name": "account_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-account-HCP-ROSA-Worker-Role" - } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[0]": { - "index": 0, - "mode": "data", - 
"name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } + "actions": [ + false + ], + "condition": [ + { + "values": [ + false ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRole" - ], - "condition": [], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "AWS" - } - ], - "resources": null, - "sid": null - } - ], - "version": null } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[1]": { - "index": 1, - "mode": "data", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRole" - ], - "condition": [], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "AWS" - } - ], - "resources": null, - "sid": null - } - ], - "version": null } - } - }, + ] + } + ] + }, + "type": "aws_iam_policy_document", + 
"values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ { - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_iam_policy_document.custom_trust_policy[2]": { - "index": 2, - "mode": "data", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:openshift-ingress-operator:ingress-operator" ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRole" - ], - "condition": [], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - "ec2.amazonaws.com" - ], - "type": "Service" - } - ], - "resources": null, - "sid": null - } - ], - "version": null } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.aws_partition.current": { - "mode": "data", - "name": "current", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_partition" - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_hcp_policies.all_policies": { - "mode": "data", - "name": "all_policies", - "provider_name": "registry.terraform.io/terraform-redhat/rhcs", - "schema_version": 0, - "sensitive_values": { - "account_role_policies": {}, - "operator_role_policies": {} - }, - "type": 
"rhcs_hcp_policies" - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].data.rhcs_info.current": { - "mode": "data", - "name": "current", - "provider_name": "registry.terraform.io/terraform-redhat/rhcs", - "schema_version": 0, - "sensitive_values": {}, - "type": "rhcs_info" - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].time_sleep.account_iam_resources_wait": { - "mode": "managed", - "name": "account_iam_resources_wait", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "sensitive_values": { - "triggers": {} - }, - "type": "time_sleep", - "values": { - "create_duration": "10s", - "destroy_duration": "10s", - "triggers": { - "account_iam_role_name": "[\"my-rosa-account-HCP-ROSA-Installer-Role\",\"my-rosa-account-HCP-ROSA-Support-Role\",\"my-rosa-account-HCP-ROSA-Worker-Role\"]", - "account_policy_arns": "[\"ARN_REDACTED", - "account_role_prefix": "my-rosa-account", - "path": "/" - } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" } - } + ], + "resources": null, + "sid": null } - ] + ], + "version": null } }, - { - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp": { - "resources": [ - { - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_caller_identity.current[0]": { - "index": 0, - "mode": "data", - "name": "current", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_caller_identity" - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_region.current[0]": { - "index": 0, - "mode": "data", - "name": "current", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_region" - } - }, - { - 
"module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[0]": { - "index": 0, - "mode": "data", - "name": "provided_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null - } - } - }, + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[2]": { + "index": 2, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ { - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[1]": { - "index": 1, - "mode": "data", - "name": "provided_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null - } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[2]": { - "index": 2, - "mode": "data", - "name": "provided_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null - } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[3]": { - "index": 3, - "mode": "data", - "name": "provided_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null + "actions": [ + false + ], + "condition": [ + { + "values": [ + false, + false + ] } - } - }, - { - 
"module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[4]": { - "index": 4, - "mode": "data", - "name": "provided_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] } - } - }, + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ { - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[5]": { - "index": 5, - "mode": "data", - "name": "provided_subnet", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "filter": [], - "tags": {} - }, - "type": "aws_subnet", - "values": { - "filter": [], - "timeouts": null + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-operator", + "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-controller-sa" + ] } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_cluster_rosa_hcp.rosa_hcp_cluster": { - "mode": "managed", - "name": "rosa_hcp_cluster", - "provider_name": "registry.terraform.io/terraform-redhat/rhcs", - "schema_version": 0, - "sensitive_values": { - "admin_credentials": true, - "availability_zones": [ - false, - false, - false - ], - "aws_subnet_ids": [ - false, - false, - false, - false, - false, - false - ], - "ocm_properties": {}, - "properties": {}, - "sts": { - "instance_iam_roles": {} - }, - "tags": {} - }, - "type": "rhcs_cluster_rosa_hcp", - "values": { - "availability_zones": [ - 
"eu-north-1a", - "eu-north-1b", - "eu-north-1c" - ], - "aws_additional_allowed_principals": null, - "aws_additional_compute_security_group_ids": null, - "aws_subnet_ids": [ - null, - null, - null, - null, - null, + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ null ], - "channel_group": "stable", - "compute_machine_type": "m7i.xlarge", - "create_admin_user": null, - "destroy_timeout": null, - "disable_waiting_in_destroy": null, - "ec2_metadata_http_tokens": "optional", - "etcd_kms_key_arn": null, - "host_prefix": 23, - "kms_key_arn": null, - "machine_cidr": "10.0.0.0/18", - "max_hcp_cluster_wait_timeout_in_minutes": null, - "max_machinepool_wait_timeout_in_minutes": null, - "name": "my-rosa", - "pod_cidr": "10.0.64.0/18", - "private": false, - "properties": { - "rosa_creator_arn": "ARN_REDACTED" - }, - "proxy": null, - "registry_config": null, - "replicas": 6, - "service_cidr": "10.0.128.0/18", - "shared_vpc": null, - "sts": { - "instance_iam_roles": {}, - "operator_role_prefix": "my-rosa-operator" - }, - "tags": { - "owner": "ARN_REDACTED" - }, - "upgrade_acknowledgements_for": null, - "version": "4.17.16", - "wait_for_create_complete": true, - "wait_for_std_compute_nodes_complete": true, - "worker_disk_size": null + "type": "Federated" } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_hcp_default_ingress.default_ingress": { - "mode": "managed", - "name": "default_ingress", - "provider_name": "registry.terraform.io/terraform-redhat/rhcs", - "schema_version": 0, - "sensitive_values": {}, - "type": "rhcs_hcp_default_ingress", - "values": { - "listening_method": "external" - } - } + ], + "resources": null, + "sid": null } - ] + ], + "version": null } }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0]": { - "resources": [ - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[0]": { - 
"index": 0, - "mode": "managed", - "name": "operator_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-openshift-image-registry-installer-cloud-creden", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "installer-cloud-credentials", - "operator_namespace": "openshift-image-registry", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - }, - "tags_all": { - "operator_name": "installer-cloud-credentials", - "operator_namespace": "openshift-image-registry", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - } - } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[1]": { - "index": 1, - "mode": "managed", - "name": "operator_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-openshift-ingress-operator-cloud-credentials", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "cloud-credentials", - "operator_namespace": "openshift-ingress-operator", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - }, - "tags_all": { - "operator_name": "cloud-credentials", - "operator_namespace": "openshift-ingress-operator", - "owner": "ARN_REDACTED", - "red-hat-managed": 
"true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - } - } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[2]": { - "index": 2, - "mode": "managed", - "name": "operator_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-openshift-cluster-csi-drivers-ebs-cloud-credent", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "ebs-cloud-credentials", - "operator_namespace": "openshift-cluster-csi-drivers", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - }, - "tags_all": { - "operator_name": "ebs-cloud-credentials", - "operator_namespace": "openshift-cluster-csi-drivers", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - } - } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[3]": { - "index": 3, - "mode": "managed", - "name": "operator_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-openshift-cloud-network-config-controller-cloud", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "cloud-credentials", - "operator_namespace": "openshift-cloud-network-config-controller", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - 
"rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - }, - "tags_all": { - "operator_name": "cloud-credentials", - "operator_namespace": "openshift-cloud-network-config-controller", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - } - } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[4]": { - "index": 4, - "mode": "managed", - "name": "operator_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-kube-system-kube-controller-manager", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "kube-controller-manager", - "operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - }, - "tags_all": { - "operator_name": "kube-controller-manager", - "operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - } - } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[5]": { - "index": 5, - "mode": "managed", - "name": "operator_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-kube-system-capa-controller-manager", - "path": "/", - "permissions_boundary": "", - "tags": { 
- "operator_name": "capa-controller-manager", - "operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - }, - "tags_all": { - "operator_name": "capa-controller-manager", - "operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - } - } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[6]": { - "index": 6, - "mode": "managed", - "name": "operator_role", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-kube-system-control-plane-operator", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "control-plane-operator", - "operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - }, - "tags_all": { - "operator_name": "control-plane-operator", - "operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - } - } - } - }, + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[3]": { + "index": 3, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role.operator_role[7]": { - "index": 7, - "mode": "managed", - "name": "operator_role", - "provider_name": 
"registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "inline_policy": [], - "managed_policy_arns": [], - "tags": {}, - "tags_all": {} - }, - "type": "aws_iam_role", - "values": { - "description": null, - "force_detach_policies": false, - "max_session_duration": 3600, - "name": "my-rosa-operator-kube-system-kms-provider", - "path": "/", - "permissions_boundary": "", - "tags": { - "operator_name": "kms-provider", - "operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - }, - "tags_all": { - "operator_name": "kms-provider", - "operator_namespace": "kube-system", - "owner": "ARN_REDACTED", - "red-hat-managed": "true", - "rosa_hcp_policies": "true", - "rosa_managed_policies": "true" - } + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[0]": { - "index": 0, - "mode": "managed", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-openshift-image-registry-installer-cloud-creden" + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] } - } - }, + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[1]": { - "index": 1, - "mode": "managed", - "name": "operator_role_policy_attachment", - "provider_name": 
"registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-openshift-ingress-operator-cloud-credentials" + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:openshift-cloud-network-config-controller:cloud-network-config-controller" + ] } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[2]": { - "index": 2, - "mode": "managed", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-openshift-cluster-csi-drivers-ebs-cloud-credent" + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" } - } - }, + ], + "resources": null, + "sid": null + } + ], + "version": null + } + }, + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[4]": { + "index": 4, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[3]": { - "index": 3, - "mode": "managed", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": 
"my-rosa-operator-openshift-cloud-network-config-controller-cloud" + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[4]": { - "index": 4, - "mode": "managed", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-kube-system-kube-controller-manager" + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] } - } - }, + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[5]": { - "index": 5, - "mode": "managed", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-kube-system-capa-controller-manager" + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:kube-system:kube-controller-manager" + ] } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[6]": { - "index": 6, - "mode": "managed", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - 
"values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-kube-system-control-plane-operator" + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" } - } - }, + ], + "resources": null, + "sid": null + } + ], + "version": null + } + }, + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[5]": { + "index": 5, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].aws_iam_role_policy_attachment.operator_role_policy_attachment[7]": { - "index": 7, - "mode": "managed", - "name": "operator_role_policy_attachment", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_iam_role_policy_attachment", - "values": { - "policy_arn": "ARN_REDACTED", - "role": "my-rosa-operator-kube-system-kms-provider" + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_caller_identity.current": { - "mode": "data", - "name": "current", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_caller_identity" - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[0]": { - "index": 0, - "mode": "data", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false, - false - ] - } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - 
false - ] - } - ] - } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator", - "system:serviceaccount:openshift-image-registry:registry" - ] - } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "Federated" - } - ], - "resources": null, - "sid": null - } - ], - "version": null } - } - }, + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[1]": { - "index": 1, - "mode": "data", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false - ] - } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:kube-system:capa-controller-manager" ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRoleWithWebIdentity" 
- ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:openshift-ingress-operator:ingress-operator" - ] - } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "Federated" - } - ], - "resources": null, - "sid": null - } + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null ], - "version": null + "type": "Federated" } - } - }, + ], + "resources": null, + "sid": null + } + ], + "version": null + } + }, + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[6]": { + "index": 6, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[2]": { - "index": 2, - "mode": "data", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false, - false - ] - } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } + "actions": [ + false + ], + "condition": [ + { + "values": [ + false ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-operator", - 
"system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-controller-sa" - ] - } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "Federated" - } - ], - "resources": null, - "sid": null - } - ], - "version": null } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[3]": { - "index": 3, - "mode": "data", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false - ] - } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:openshift-cloud-network-config-controller:cloud-network-config-controller" - ] - } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "Federated" - } - ], - "resources": null, - "sid": null - } - ], - "version": null } - } - }, + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[4]": { - "index": 4, - "mode": "data", - 
"name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false - ] - } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:kube-system:control-plane-operator" ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:kube-system:kube-controller-manager" - ] - } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "Federated" - } - ], - "resources": null, - "sid": null - } + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null ], - "version": null + "type": "Federated" } - } - }, + ], + "resources": null, + "sid": null + } + ], + "version": null + } + }, + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[7]": { + "index": 7, + "mode": "data", + "name": "custom_trust_policy", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "statement": [ { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[5]": { - "index": 5, - "mode": "data", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - 
"sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false - ] - } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } + "actions": [ + false + ], + "condition": [ + { + "values": [ + false ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:kube-system:capa-controller-manager" - ] - } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "Federated" - } - ], - "resources": null, - "sid": null - } - ], - "version": null } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[6]": { - "index": 6, - "mode": "data", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false - ] - } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:kube-system:control-plane-operator" - ] - } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - 
"not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "Federated" - } - ], - "resources": null, - "sid": null - } - ], - "version": null } - } - }, + ] + } + ] + }, + "type": "aws_iam_policy_document", + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].data.aws_iam_policy_document.custom_trust_policy[7]": { - "index": 7, - "mode": "data", - "name": "custom_trust_policy", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - "actions": [ - false - ], - "condition": [ - { - "values": [ - false - ] - } - ], - "not_principals": [], - "principals": [ - { - "identifiers": [ - false - ] - } - ] - } + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:kube-system:kms-provider" ] - }, - "type": "aws_iam_policy_document", - "values": { - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "sts:AssumeRoleWithWebIdentity" - ], - "condition": [ - { - "test": "StringEquals", - "values": [ - "system:serviceaccount:kube-system:kms-provider" - ] - } - ], - "effect": "Allow", - "not_actions": null, - "not_principals": [], - "not_resources": null, - "principals": [ - { - "identifiers": [ - null - ], - "type": "Federated" - } - ], - "resources": null, - "sid": null - } - ], - "version": null } - } - }, - { - "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].time_sleep.role_resources_propagation": { - "mode": "managed", - "name": "role_resources_propagation", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "sensitive_values": { - "triggers": 
{} - }, - "type": "time_sleep", - "values": { - "create_duration": "20s", - "destroy_duration": null, - "triggers": { - "operator_policy_arns": "[\"ARN_REDACTED", - "operator_role_prefix": "my-rosa-operator" - } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" } - } + ], + "resources": null, + "sid": null } - ] + ], + "version": null + } + }, + "module.rosa_cluster.module.rosa_hcp.module.operator_roles[0].time_sleep.role_resources_propagation": { + "mode": "managed", + "name": "role_resources_propagation", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "sensitive_values": { + "triggers": {} + }, + "type": "time_sleep", + "values": { + "create_duration": "20s", + "destroy_duration": null, + "triggers": { + "operator_policy_arns": "[\"ARN_REDACTED", + "operator_role_prefix": "my-rosa-operator" + } } } - ], - "resources": [ - { - "module.rosa_cluster.module.rosa_hcp.data.aws_caller_identity.current": { - "mode": "data", - "name": "current", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_caller_identity" + } + }, + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp": { + "resources": { + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_caller_identity.current[0]": { + "index": 0, + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_caller_identity" + }, + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_region.current[0]": { + "index": 0, + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_region" + }, + 
"module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[0]": { + "index": 0, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null } }, - { - "module.rosa_cluster.module.rosa_hcp.null_resource.validations": { - "mode": "managed", - "name": "validations", - "provider_name": "registry.terraform.io/hashicorp/null", - "schema_version": 0, - "sensitive_values": {}, - "type": "null_resource", - "values": { - "triggers": null - } + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[1]": { + "index": 1, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + }, + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[2]": { + "index": 2, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + }, + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[3]": { + "index": 3, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + }, + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[4]": { + "index": 4, + "mode": "data", + "name": "provided_subnet", + 
"provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + }, + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.data.aws_subnet.provided_subnet[5]": { + "index": 5, + "mode": "data", + "name": "provided_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "filter": [], + "tags": {} + }, + "type": "aws_subnet", + "values": { + "filter": [], + "timeouts": null + } + }, + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_cluster_rosa_hcp.rosa_hcp_cluster": { + "mode": "managed", + "name": "rosa_hcp_cluster", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": { + "admin_credentials": true, + "availability_zones": [ + false, + false, + false + ], + "aws_subnet_ids": [ + false, + false, + false, + false, + false, + false + ], + "ocm_properties": {}, + "properties": {}, + "sts": { + "instance_iam_roles": {} + }, + "tags": {} + }, + "type": "rhcs_cluster_rosa_hcp", + "values": { + "availability_zones": [ + "eu-north-1a", + "eu-north-1b", + "eu-north-1c" + ], + "aws_additional_allowed_principals": null, + "aws_additional_compute_security_group_ids": null, + "aws_subnet_ids": [ + null, + null, + null, + null, + null, + null + ], + "channel_group": "stable", + "compute_machine_type": "m7i.xlarge", + "create_admin_user": null, + "destroy_timeout": null, + "disable_waiting_in_destroy": null, + "ec2_metadata_http_tokens": "optional", + "etcd_kms_key_arn": null, + "host_prefix": 23, + "kms_key_arn": null, + "machine_cidr": "10.0.0.0/18", + "max_hcp_cluster_wait_timeout_in_minutes": null, + "max_machinepool_wait_timeout_in_minutes": null, + "name": "my-rosa", + "pod_cidr": "10.0.64.0/18", + "private": false, + "properties": { + "rosa_creator_arn": "ARN_REDACTED" + }, + "proxy": 
null, + "registry_config": null, + "replicas": 6, + "service_cidr": "10.0.128.0/18", + "shared_vpc": null, + "sts": { + "instance_iam_roles": {}, + "operator_role_prefix": "my-rosa-operator" + }, + "tags": { + "owner": "ARN_REDACTED" + }, + "upgrade_acknowledgements_for": null, + "version": "4.17.16", + "wait_for_create_complete": true, + "wait_for_std_compute_nodes_complete": true, + "worker_disk_size": null + } + }, + "module.rosa_cluster.module.rosa_hcp.module.rosa_cluster_hcp.rhcs_hcp_default_ingress.default_ingress": { + "mode": "managed", + "name": "default_ingress", + "provider_name": "registry.terraform.io/terraform-redhat/rhcs", + "schema_version": 0, + "sensitive_values": {}, + "type": "rhcs_hcp_default_ingress", + "values": { + "listening_method": "external" } } - ] + } } }, - { - "module.rosa_cluster.module.htpasswd_idp": { - "resources": [ - { - "module.rosa_cluster.module.htpasswd_idp.rhcs_identity_provider.htpasswd_identity_provider[0]": { - "index": 0, - "mode": "managed", - "name": "htpasswd_identity_provider", - "provider_name": "registry.terraform.io/terraform-redhat/rhcs", - "schema_version": 0, - "sensitive_values": { - "htpasswd": { - "users": true - } - }, - "type": "rhcs_identity_provider", - "values": { - "github": null, - "gitlab": null, - "google": null, - "htpasswd": { - "users": [ - { - "password": "CHANGEME1234r!", - "username": "kubeadmin" - } - ] - }, - "ldap": null, - "mapping_method": "claim", - "name": "htpasswd-idp", - "openid": null - } - } + "resources": { + "module.rosa_cluster.module.rosa_hcp.data.aws_caller_identity.current": { + "mode": "data", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_caller_identity" + }, + "module.rosa_cluster.module.rosa_hcp.null_resource.validations": { + "mode": "managed", + "name": "validations", + "provider_name": "registry.terraform.io/hashicorp/null", + "schema_version": 0, + "sensitive_values": 
{}, + "type": "null_resource", + "values": { + "triggers": null + } + } + } + }, + "module.rosa_cluster.module.vpc": { + "resources": { + "module.rosa_cluster.module.vpc.aws_eip.eip[0]": { + "index": 0, + "mode": "managed", + "name": "eip", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_eip", + "values": { + "address": null, + "associate_with_private_ip": null, + "customer_owned_ipv4_pool": null, + "domain": "vpc", + "tags": { + "Name": "my-rosa-eip-eu-north-1a" + }, + "tags_all": { + "Name": "my-rosa-eip-eu-north-1a" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_eip.eip[1]": { + "index": 1, + "mode": "managed", + "name": "eip", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_eip", + "values": { + "address": null, + "associate_with_private_ip": null, + "customer_owned_ipv4_pool": null, + "domain": "vpc", + "tags": { + "Name": "my-rosa-eip-eu-north-1b" + }, + "tags_all": { + "Name": "my-rosa-eip-eu-north-1b" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_eip.eip[2]": { + "index": 2, + "mode": "managed", + "name": "eip", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_eip", + "values": { + "address": null, + "associate_with_private_ip": null, + "customer_owned_ipv4_pool": null, + "domain": "vpc", + "tags": { + "Name": "my-rosa-eip-eu-north-1c" + }, + "tags_all": { + "Name": "my-rosa-eip-eu-north-1c" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_internet_gateway.internet_gateway": { + "mode": "managed", + "name": "internet_gateway", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + 
"type": "aws_internet_gateway", + "values": { + "tags": { + "Name": "my-rosa-igw" + }, + "tags_all": { + "Name": "my-rosa-igw" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[0]": { + "index": 0, + "mode": "managed", + "name": "public_nat_gateway", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "secondary_private_ip_addresses": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_nat_gateway", + "values": { + "connectivity_type": "public", + "secondary_allocation_ids": null, + "tags": { + "Name": "my-rosa-nat-public0-eu-north-1a" + }, + "tags_all": { + "Name": "my-rosa-nat-public0-eu-north-1a" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[1]": { + "index": 1, + "mode": "managed", + "name": "public_nat_gateway", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "secondary_private_ip_addresses": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_nat_gateway", + "values": { + "connectivity_type": "public", + "secondary_allocation_ids": null, + "tags": { + "Name": "my-rosa-nat-public1-eu-north-1b" + }, + "tags_all": { + "Name": "my-rosa-nat-public1-eu-north-1b" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_nat_gateway.public_nat_gateway[2]": { + "index": 2, + "mode": "managed", + "name": "public_nat_gateway", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "secondary_private_ip_addresses": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_nat_gateway", + "values": { + "connectivity_type": "public", + "secondary_allocation_ids": null, + "tags": { + "Name": "my-rosa-nat-public2-eu-north-1c" + }, + "tags_all": { + "Name": "my-rosa-nat-public2-eu-north-1c" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_route.ipv4_egress_route": { + 
"mode": "managed", + "name": "ipv4_egress_route", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route", + "values": { + "carrier_gateway_id": null, + "core_network_arn": null, + "destination_cidr_block": "0.0.0.0/0", + "destination_ipv6_cidr_block": null, + "destination_prefix_list_id": null, + "egress_only_gateway_id": null, + "local_gateway_id": null, + "nat_gateway_id": null, + "timeouts": null, + "transit_gateway_id": null, + "vpc_endpoint_id": null, + "vpc_peering_connection_id": null + } + }, + "module.rosa_cluster.module.vpc.aws_route.ipv6_egress_route": { + "mode": "managed", + "name": "ipv6_egress_route", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route", + "values": { + "carrier_gateway_id": null, + "core_network_arn": null, + "destination_cidr_block": null, + "destination_ipv6_cidr_block": "::/0", + "destination_prefix_list_id": null, + "egress_only_gateway_id": null, + "local_gateway_id": null, + "nat_gateway_id": null, + "timeouts": null, + "transit_gateway_id": null, + "vpc_endpoint_id": null, + "vpc_peering_connection_id": null + } + }, + "module.rosa_cluster.module.vpc.aws_route.private_nat[0]": { + "index": 0, + "mode": "managed", + "name": "private_nat", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route", + "values": { + "carrier_gateway_id": null, + "core_network_arn": null, + "destination_cidr_block": "0.0.0.0/0", + "destination_ipv6_cidr_block": null, + "destination_prefix_list_id": null, + "egress_only_gateway_id": null, + "gateway_id": null, + "local_gateway_id": null, + "timeouts": null, + "transit_gateway_id": null, + "vpc_endpoint_id": null, + "vpc_peering_connection_id": null + } + }, + "module.rosa_cluster.module.vpc.aws_route.private_nat[1]": { + "index": 1, + "mode": "managed", + "name": "private_nat", + 
"provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route", + "values": { + "carrier_gateway_id": null, + "core_network_arn": null, + "destination_cidr_block": "0.0.0.0/0", + "destination_ipv6_cidr_block": null, + "destination_prefix_list_id": null, + "egress_only_gateway_id": null, + "gateway_id": null, + "local_gateway_id": null, + "timeouts": null, + "transit_gateway_id": null, + "vpc_endpoint_id": null, + "vpc_peering_connection_id": null + } + }, + "module.rosa_cluster.module.vpc.aws_route.private_nat[2]": { + "index": 2, + "mode": "managed", + "name": "private_nat", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route", + "values": { + "carrier_gateway_id": null, + "core_network_arn": null, + "destination_cidr_block": "0.0.0.0/0", + "destination_ipv6_cidr_block": null, + "destination_prefix_list_id": null, + "egress_only_gateway_id": null, + "gateway_id": null, + "local_gateway_id": null, + "timeouts": null, + "transit_gateway_id": null, + "vpc_endpoint_id": null, + "vpc_peering_connection_id": null + } + }, + "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[0]": { + "index": 0, + "mode": "managed", + "name": "private_route_table", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "propagating_vgws": [], + "route": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_route_table", + "values": { + "tags": { + "Name": "my-rosa-rtb-private0-eu-north-1a" + }, + "tags_all": { + "Name": "my-rosa-rtb-private0-eu-north-1a" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[1]": { + "index": 1, + "mode": "managed", + "name": "private_route_table", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "propagating_vgws": [], + "route": [], + "tags": 
{}, + "tags_all": {} + }, + "type": "aws_route_table", + "values": { + "tags": { + "Name": "my-rosa-rtb-private1-eu-north-1b" + }, + "tags_all": { + "Name": "my-rosa-rtb-private1-eu-north-1b" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_route_table.private_route_table[2]": { + "index": 2, + "mode": "managed", + "name": "private_route_table", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "propagating_vgws": [], + "route": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_route_table", + "values": { + "tags": { + "Name": "my-rosa-rtb-private2-eu-north-1c" + }, + "tags_all": { + "Name": "my-rosa-rtb-private2-eu-north-1c" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_route_table.public_route_table": { + "mode": "managed", + "name": "public_route_table", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "propagating_vgws": [], + "route": [], + "tags": {}, + "tags_all": {} + }, + "type": "aws_route_table", + "values": { + "tags": { + "Name": "my-rosa-public" + }, + "tags_all": { + "Name": "my-rosa-public" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[0]": { + "index": 0, + "mode": "managed", + "name": "private_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[1]": { + "index": 1, + "mode": "managed", + "name": "private_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null 
+ } + }, + "module.rosa_cluster.module.vpc.aws_route_table_association.private_route_table_association[2]": { + "index": 2, + "mode": "managed", + "name": "private_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[0]": { + "index": 0, + "mode": "managed", + "name": "public_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[1]": { + "index": 1, + "mode": "managed", + "name": "public_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_route_table_association.public_route_table_association[2]": { + "index": 2, + "mode": "managed", + "name": "public_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_route_table_association", + "values": { + "gateway_id": null, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[0]": { + "index": 0, + "mode": "managed", + "name": "private_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1a", + "cidr_block": "10.0.12.0/22", + 
"customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-private1-eu-north-1a", + "kubernetes.io/role/internal-elb": "" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[1]": { + "index": 1, + "mode": "managed", + "name": "private_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1b", + "cidr_block": "10.0.16.0/22", + "customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-private2-eu-north-1b", + "kubernetes.io/role/internal-elb": "" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_subnet.private_subnet[2]": { + "index": 2, + "mode": "managed", + "name": "private_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1c", + "cidr_block": "10.0.20.0/22", + "customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": 
false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-private3-eu-north-1c", + "kubernetes.io/role/internal-elb": "" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[0]": { + "index": 0, + "mode": "managed", + "name": "public_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1a", + "cidr_block": "10.0.0.0/22", + "customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-public1-eu-north-1a", + "kubernetes.io/role/elb": "" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[1]": { + "index": 1, + "mode": "managed", + "name": "public_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1b", + "cidr_block": "10.0.4.0/22", + "customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + 
"map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-public2-eu-north-1b", + "kubernetes.io/role/elb": "" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_subnet.public_subnet[2]": { + "index": 2, + "mode": "managed", + "name": "public_subnet", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_subnet", + "values": { + "assign_ipv6_address_on_creation": false, + "availability_zone": "eu-north-1c", + "cidr_block": "10.0.8.0/22", + "customer_owned_ipv4_pool": null, + "enable_dns64": false, + "enable_lni_at_device_index": null, + "enable_resource_name_dns_a_record_on_launch": false, + "enable_resource_name_dns_aaaa_record_on_launch": false, + "ipv6_cidr_block": null, + "ipv6_native": false, + "map_customer_owned_ip_on_launch": null, + "map_public_ip_on_launch": false, + "outpost_arn": null, + "tags": { + "Name": "my-rosa-subnet-public3-eu-north-1c", + "kubernetes.io/role/elb": "" + }, + "timeouts": null + } + }, + "module.rosa_cluster.module.vpc.aws_vpc.vpc": { + "mode": "managed", + "name": "vpc", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "sensitive_values": { + "tags": {}, + "tags_all": {} + }, + "type": "aws_vpc", + "values": { + "assign_generated_ipv6_cidr_block": null, + "cidr_block": "10.0.0.0/16", + "enable_dns_hostnames": true, + "enable_dns_support": true, + "instance_tenancy": "default", + "ipv4_ipam_pool_id": null, + "ipv4_netmask_length": null, + "ipv6_ipam_pool_id": null, + "ipv6_netmask_length": null, + "tags": { + "Name": "my-rosa-vpc" + }, + "tags_all": { + "Name": "my-rosa-vpc" + } + } + }, + "module.rosa_cluster.module.vpc.aws_vpc_endpoint.s3": { + "mode": "managed", + "name": "s3", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "cidr_blocks": [], + "dns_entry": [], + "dns_options": 
[], + "network_interface_ids": [], + "route_table_ids": [], + "security_group_ids": [], + "subnet_configuration": [], + "subnet_ids": [], + "tags_all": {} + }, + "type": "aws_vpc_endpoint", + "values": { + "auto_accept": null, + "resource_configuration_arn": null, + "service_name": "com.amazonaws.eu-west-2.s3", + "service_network_arn": null, + "tags": null, + "timeouts": null, + "vpc_endpoint_type": "Gateway" + } + }, + "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[0]": { + "index": 0, + "mode": "managed", + "name": "private_vpc_endpoint_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_vpc_endpoint_route_table_association" + }, + "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[1]": { + "index": 1, + "mode": "managed", + "name": "private_vpc_endpoint_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_vpc_endpoint_route_table_association" + }, + "module.rosa_cluster.module.vpc.aws_vpc_endpoint_route_table_association.private_vpc_endpoint_route_table_association[2]": { + "index": 2, + "mode": "managed", + "name": "private_vpc_endpoint_route_table_association", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": {}, + "type": "aws_vpc_endpoint_route_table_association" + }, + "module.rosa_cluster.module.vpc.time_sleep.vpc_resources_wait": { + "mode": "managed", + "name": "vpc_resources_wait", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "sensitive_values": { + "triggers": {} + }, + "type": "time_sleep", + "values": { + "create_duration": "20s", + "destroy_duration": "20s", + "triggers": { + "cidr_block": "10.0.0.0/16" } - ] + } } } - ] + } } } - ] + 
} } diff --git a/justfile b/justfile index a3de10215..66328ff19 100644 --- a/justfile +++ b/justfile @@ -42,10 +42,20 @@ regenerate-golden-file module_dir backend_bucket_region backend_bucket_name back # transform the tfoutput to deal only with keys to keep simple ordering jq 'def transform: if type == "array" then - map(transform) + . as $arr | + if $arr | length > 0 and (.[0] | type == "object" and has("address")) then + # Transform array elements into an object with address as the key + map({ (.address): with_entries(select(.key != "address")) | map_values(transform) }) | add + else + . + end elif type == "object" then if has("address") and .address != null then { (.address): with_entries(select(.key != "address")) | map_values(transform) } + elif has("resources") then + { "resources": map(transform) | add } + elif has("child_modules") then + { "child_modules": map(transform) | add } else with_entries(.value |= transform) end From 22510defdaf705d633ccbb4b3231b395b9655098 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 5 Mar 2025 23:28:19 +0100 Subject: [PATCH 10/65] fix working dir --- .../workflows/aws_openshift_rosa_hcp_single_region_golden.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml index c59a896ab..de64b7bf1 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml 
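Review bot: In the new array branch of `transform`, the `else` arm returns `.` unchanged, so an array whose first element is not an object with `address` is no longer recursed into, whereas the line it replaces was `map(transform)`. Address-bearing objects nested below such an array then stay in list form and remain order-sensitive in the golden comparison; `else map(transform) end` would keep the previous recursion. The `has("resources")` and `has("child_modules")` arms rebuild the object from `map(transform) | add` alone, which appears to drop every sibling key and to fail when a value does not reduce to an object, so it is worth checking against a real plan output. The recipe starts and ends outside this hunk.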
@@ -71,13 +71,12 @@ jobs: retention-days: 1 - name: Compare Terraform plan with golden file - working-directory: aws/ec2/terraform run: | delta "${{ env.MODULE_DIR }}test/golden/tfplan-golden.json" "${{ env.MODULE_DIR }}compare/tfplan-golden.json" exit $? - name: Post diff on PR - if: always() && github.event_name == 'pull_request' + if: failure() && github.event_name == 'pull_request' uses: int128/diff-action@db6cce01542cb26e181798736eea1e71f5d36706 # v1 with: base: ${{ env.MODULE_DIR }}test/golden/tfplan-golden.json From 47a90c28e5914a9d0826c11127063bf00217960c Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 5 Mar 2025 23:29:55 +0100 Subject: [PATCH 11/65] trigger delta --- .../rosa-hcp-single-region/test/golden/tfplan-golden.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json b/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json index 270aa5114..06aec8869 100644 --- a/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json +++ b/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json @@ -90,7 +90,7 @@ "tags": {}, "tags_all": {} }, - "type": "aws_iam_role", + "type": "different-opn-p", "values": { "description": null, "force_detach_policies": false, @@ -180,7 +180,7 @@ "role": "my-rosa-account-HCP-ROSA-Support-Role" } }, - "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[2]": { + "module.dd.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[2]": { "index": 2, "mode": "managed", "name": "account_role_policy_attachment", From 653c7a8d655066ed4c3cbf7ead2fbaba2eba80f8 Mon Sep 17 00:00:00 2001 
From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 5 Mar 2025 23:31:37 +0100 Subject: [PATCH 12/65] revert changes --- .../rosa-hcp-single-region/test/golden/tfplan-golden.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json b/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json index 06aec8869..270aa5114 100644 --- a/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json +++ b/aws/openshift/rosa-hcp-single-region/test/golden/tfplan-golden.json @@ -90,7 +90,7 @@ "tags": {}, "tags_all": {} }, - "type": "different-opn-p", + "type": "aws_iam_role", "values": { "description": null, "force_detach_policies": false, @@ -180,7 +180,7 @@ "role": "my-rosa-account-HCP-ROSA-Support-Role" } }, - "module.dd.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[2]": { + "module.rosa_cluster.module.rosa_hcp.module.account_iam_resources[0].aws_iam_role_policy_attachment.account_role_policy_attachment[2]": { "index": 2, "mode": "managed", "name": "account_role_policy_attachment", From 3c886fdd677277442331160e0bd8a3938d4e3624 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 6 Mar 2025 10:55:27 +0100 Subject: [PATCH 13/65] update branches names and fix timeout --- ...openshift_rosa_hcp_single_region_tests.yml | 65 +++++++++++-------- .../workflows/internal_global_sync_main.yml | 4 +- MAINTENANCE.md | 6 +- 3 files changed, 42 insertions(+), 33 deletions(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 848154cc9..080537196 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml 
@@ -161,34 +161,6 @@ jobs: openshift-version: ${{ matrix.distro.version }} tf-modules-revision: ${{ github.head_ref }} - # This is required for some operations not to fail such as annotation of the IngressController - - name: ⏳ Wait for a minimal age of 5min of the cluster - id: wait_cluster_age - run: | - ns_age=0 - - while [ "$ns_age" -lt 5 ]; do - current_time=$(date +%s) - - ns_creation_time_raw=$(oc get ns default -o jsonpath='{.metadata.creationTimestamp}') - ns_creation_time=$(date -d "$ns_creation_time_raw" +%s) - - echo "Namespace creation timestamp (seconds): $ns_creation_time" - ns_age=$(( (current_time - ns_creation_time) / 60 )) - - # Print the calculated age for debugging - echo "Namespace age in minutes: $ns_age" - - # If ns_age is still less than 5, wait for a bit and check again - if [ "$ns_age" -lt 5 ]; then - echo "⏳ Waiting for namespace 'default' to be at least 5 minutes old..." - sleep 30 - fi - done - - echo "✅ Namespace is older than 5 minutes." - - - name: Export kubeconfig and encrypt it # this is required to pass matrix outputs securely using artifacts id: export_kube_config run: | 
@@ -270,6 +242,43 @@ jobs: rm encrypted_kubeconfig.enc chmod 600 "$HOME/.kube/config" + - name: ⏳ Wait for a minimal age of 5min of the cluster + id: wait_cluster_age + # we need to retry due as the cluster has just been created and the permissions are sometime refused + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3 + with: + timeout_minutes: 10 + max_attempts: 40 + shell: bash + retry_wait_seconds: 15 + command: | + : # see https://github.com/nick-fields/retry/issues/133 + set -o errexit + set -o pipefail + + ns_age=0 + ns_name='default' + + while [ "$ns_age" -lt 5 ]; do + current_time=$(date +%s) + + ns_creation_time_raw=$(oc get ns "$ns_name" -o jsonpath='{.metadata.creationTimestamp}') + ns_creation_time=$(date -d "$ns_creation_time_raw" +%s) + + echo "Namespace '$ns_name' creation timestamp (seconds): $ns_creation_time" + ns_age=$(( (current_time - ns_creation_time) / 60 )) + + echo "Namespace '$ns_name' age in minutes: $ns_age" + + # If ns_age is still less than 5, wait for a bit and check again + if [ "$ns_age" -lt 5 ]; then + echo "⏳ Waiting for namespace '$ns_name' to be at least 5 minutes old..." + sleep 30 + fi + done + + echo "✅ Namespace '$ns_name' is older than 5 minutes." + - name: 🏗️ Prepare a fresh namespace for the tests # we need to retry due as the cluster has just been created and the permissions are sometime refused uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3 diff --git a/.github/workflows/internal_global_sync_main.yml b/.github/workflows/internal_global_sync_main.yml index d3c791fa0..aa78635ac 100644 --- a/.github/workflows/internal_global_sync_main.yml +++ b/.github/workflows/internal_global_sync_main.yml 
@@ -2,12 +2,12 @@ name: Internal - Global - Sync Main branch from latest Camunda stable version env: - CURRENT_STABLE_BRANCH: camunda-8.7 + CURRENT_STABLE_BRANCH: stable/8.7 on: push: branches: - - camunda-8.7 # keep it updated the current stable version + - stable/8.7 # keep it updated the current stable version workflow_dispatch: diff --git a/MAINTENANCE.md b/MAINTENANCE.md index 39889df0e..d70c4fcbb 100644 --- a/MAINTENANCE.md +++ b/MAINTENANCE.md @@ -15,9 +15,9 @@ The `main` branch will be updated automatically when we push to the latest stabl For example, consider the following branches: - `main/` -- `camunda-8.7` -- `camunda-8.6` -- `camunda-8.5` +- `stable/8.7` +- `stable/8.6` +- `stable/8.5` Where `8.6` is the latest stable version and `8.7` is the next one. The branch to target for merge requests should be `8.7` since it represents the upcoming version. From a277b2957fdc0bc4299ed14f1cec39c82a8ab52e Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 6 Mar 2025 10:56:34 +0100 Subject: [PATCH 14/65] up --- generic/openshift/single-region/helm-values/base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/generic/openshift/single-region/helm-values/base.yml b/generic/openshift/single-region/helm-values/base.yml index fc03c7e32..d1a021ea0 100644 --- a/generic/openshift/single-region/helm-values/base.yml +++ b/generic/openshift/single-region/helm-values/base.yml @@ -7,7 +7,7 @@ identityKeycloak: postgresql: enabled: true # use the embbeded database - # TODO: [BUG] 8.6 only remove when https://github.com/camunda/camunda-platform-helm/pull/3018 is release + # TODO: [BUG] 8.6 only remove when https://github.com/camunda/camunda-platform-helm/pull/3018 is released and chart is set to 11.2.2 # context https://github.com/camunda/camunda-platform-helm/pull/2944 auth: existingSecret: '' From b24aaa5746fecf62d819acf8ca998d0f90796c78 Mon Sep 17 00:00:00 2001 
From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 6 Mar 2025 12:39:30 +0100 Subject: [PATCH 15/65] add golden files --- ...openshift_rosa_hcp_single_region_tests.yml | 34 ++++++-- .../check-zeebe-cluster-topology-output.json | 77 +++++++++++++++++++ .../procedure/check-zeebe-cluster-topology.sh | 2 - .../helm-values/zeebe-gateway-route.yml | 1 - 4 files changed, 106 insertions(+), 8 deletions(-) create mode 100644 generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 080537196..7b1a33422 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml @@ -312,11 +312,9 @@ jobs: cp generic/openshift/single-region/helm-values/base.yml ./values.yml - # TODO: [DOC] this should be extract from the doc https://docs.camunda.io/docs/8.7/self-managed/setup/deploy/openshift/redhat-openshift/ source ./generic/openshift/single-region/procedure/setup-application-domain.sh echo "CAMUNDA_DOMAIN=$DOMAIN_NAME" | tee -a "$GITHUB_ENV" - # TODO: [DOC] same source ./generic/openshift/single-region/procedure/get-ingress-http2-status.sh ./generic/openshift/single-region/procedure/enable-ingress-http2.sh @@ -380,7 +378,6 @@ jobs: - name: 👀⏳ Wait for the deployment to be healthy using generic/kubernetes/single-region timeout-minutes: 10 run: | - # TODO: [DOC] update the doc to reference this snippet ./generic/kubernetes/single-region/procedure/check-deployment-ready.sh - name: 🧙‍♂️ Clone camunda/camunda-platform-helm 
@@ -533,13 +530,40 @@ jobs: error_found=true fi + echo "Comparing golden file of the zeebe topology output..." + + reference_file="./generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json" + # Save the output to a temporary file + temp_output=$(mktemp) + echo "$check_zeebe_topology_output" > "$temp_output" + + if ! jq -e . "$temp_output" > /dev/null 2>&1 || ! jq -e . "$reference_file" > /dev/null 2>&1; then + echo "❌ One of the files is not a valid JSON." + error_found=true + fi + + # Compare the two files using diff (in compacted JSON format) + diff_output=$(delta <(jq -S . "$temp_output") <(jq -S . "$reference_file")) + + if [[ -n "$diff_output" ]]; then + # If differences are found, print the error and the diff + echo "❌ Error: The golden files of zeebe topology files do not match." + echo "Differences found:" + echo "$diff_output" + + # Display the new generated version + echo "New version:" + cat "$temp_output" + + error_found=true + fi + if [ "$error_found" = true ]; then + echo "❌ Some tests failed." exit 1 fi - echo "✅ The cluster meets all the expected criteria." - # TODO: [DOC] integrate it as testable doc - name: 🔬🚨 Get failed Pods info if: failure() diff --git a/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json b/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json new file mode 100644 index 000000000..3bc081c0a --- /dev/null +++ b/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json 
@@ -0,0 +1,77 @@ +{ + "brokers": [ + { + "nodeId": 0, + "host": "camunda-zeebe-0.camunda-zeebe", + "port": 26501, + "partitions": [ + { + "partitionId": 1, + "role": "leader", + "health": "healthy" + }, + { + "partitionId": 2, + "role": "follower", + "health": "healthy" + }, + { + "partitionId": 3, + "role": "follower", + "health": "healthy" + } + ], + "version": "8.6.0" + }, + { + "nodeId": 1, + "host": "camunda-zeebe-1.camunda-zeebe", + "port": 26501, + "partitions": [ + { + "partitionId": 1, + "role": "follower", + "health": "healthy" + }, + { + "partitionId": 2, + "role": "leader", + "health": "healthy" + }, + { + "partitionId": 3, + "role": "follower", + "health": "healthy" + } + ], + "version": "8.6.0" + }, + { + "nodeId": 2, + "host": "camunda-zeebe-2.camunda-zeebe", + "port": 26501, + "partitions": [ + { + "partitionId": 1, + "role": "follower", + "health": "healthy" + }, + { + "partitionId": 2, + "role": "follower", + "health": "healthy" + }, + { + "partitionId": 3, + "role": "leader", + "health": "healthy" + } + ], + "version": "8.6.0" + } + ], + "clusterSize": 3, + "partitionsCount": 3, + "replicationFactor": 3, + "gatewayVersion": "8.6.0" +} diff --git a/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology.sh b/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology.sh index d0270d362..2b46ebb7b 100755 --- a/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology.sh +++ b/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology.sh @@ -1,7 +1,5 @@ #!/bin/bash -# TODO: [DOC] update this in the doc - ZEEBE_ADDRESS_REST="https://$DOMAIN_NAME/zeebe" ZEEBE_AUTHORIZATION_SERVER_URL="https://$DOMAIN_NAME/auth/realms/camunda-platform/protocol/openid-connect/token" diff --git a/generic/openshift/single-region/helm-values/zeebe-gateway-route.yml b/generic/openshift/single-region/helm-values/zeebe-gateway-route.yml index bff94cdfe..adb9c53de 100644 
--- a/generic/openshift/single-region/helm-values/zeebe-gateway-route.yml +++ b/generic/openshift/single-region/helm-values/zeebe-gateway-route.yml @@ -59,7 +59,6 @@ zeebeGateway: path: tls.key defaultMode: 420 -# TODO: [DOC] before merge update the doc to indicate why we do this zeebe: env: - name: ZEEBE_BROKER_NETWORK_SECURITY_ENABLED From f31f9a2ae6d9a2f68cc7234a6908290f3ac021f7 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 6 Mar 2025 12:45:43 +0100 Subject: [PATCH 16/65] update action version --- .../aws-openshift-rosa-hcp-single-region-create/action.yml | 2 +- .../workflows/aws_openshift_rosa_hcp_single_region_tests.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml b/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml index 3b18446d3..d992da888 100644 --- a/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml +++ b/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml @@ -82,7 +82,7 @@ runs: fetch-depth: 0 - name: Install asdf tools with cache for the project - uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@feature/working-directory # 1.2.19 + uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@6158b7c7534f6dbeb3fa7c3c836f6e6aa6881b2e # 1.3.0 with: tool_versions_files: .tool-versions,${{ inputs.tf-modules-path }}/aws/openshift/rosa-hcp-single-region/.tool-versions diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 7b1a33422..8daf0766a 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml 
@@ -210,7 +210,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install asdf tools with cache for the project - uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@feature/working-directory # 1.2.19 + uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@6158b7c7534f6dbeb3fa7c3c836f6e6aa6881b2e # 1.3.0 with: tool_versions_files: .tool-versions,./aws/openshift/rosa-hcp-single-region/.tool-versions,./generic/openshift/rosa-hcp-single-region/.tool-versions From db60d7061cd8dc2ba975d5c20c4df7d41a7d2091 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 6 Mar 2025 13:40:08 +0100 Subject: [PATCH 17/65] cleanup old clusters --- .../aws_openshift_rosa_hcp_single_region_daily_cleanup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml index 79c12fe62..9d8aed03f 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml @@ -16,7 +16,7 @@ on: - cron: 0 1 * * * # At 01:00 everyday. env: - MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '20' }} + MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '0' }} # please keep those variables synced with aws_rosa_hcp_tests.yml AWS_PROFILE: infex From e5450fe7dab23868969146cf7498074aee4304ca Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 6 Mar 2025 13:40:20 +0100 Subject: [PATCH 18/65] revert cleanup --- .../aws_openshift_rosa_hcp_single_region_daily_cleanup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml index 9d8aed03f..79c12fe62 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml @@ -16,7 +16,7 @@ on: - cron: 0 1 * * * # At 01:00 everyday. env: - MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '0' }} + MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '20' }} # please keep those variables synced with aws_rosa_hcp_tests.yml AWS_PROFILE: infex From 87145385ba0d44159b46d43eb6879e949000f37a Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 6 Mar 2025 17:35:51 +0100 Subject: [PATCH 19/65] fix ordering and cluster refusing permissions --- ...openshift_rosa_hcp_single_region_tests.yml | 55 ++++++++----------- .../check-zeebe-cluster-topology-output.json | 8 +-- 2 files changed, 28 insertions(+), 35 deletions(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 8daf0766a..095f584bb 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml @@ -245,10 +245,11 @@ jobs: - name: ⏳ Wait for a minimal age of 5min of the cluster id: wait_cluster_age # we need to retry due as the cluster has just been created and the permissions are sometime refused + # the minimal age is here to prevent following commands/script to fail uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3 with: - timeout_minutes: 10 - max_attempts: 40 + timeout_minutes: 30 + max_attempts: 80 shell: bash retry_wait_seconds: 15 command: | 
@@ -258,8 +259,9 @@ jobs: ns_age=0 ns_name='default' + minimal_age=20 - while [ "$ns_age" -lt 5 ]; do + while [ "$ns_age" -lt $minimal_age ]; do current_time=$(date +%s) ns_creation_time_raw=$(oc get ns "$ns_name" -o jsonpath='{.metadata.creationTimestamp}') 
@@ -270,39 +272,31 @@ jobs: echo "Namespace '$ns_name' age in minutes: $ns_age" - # If ns_age is still less than 5, wait for a bit and check again - if [ "$ns_age" -lt 5 ]; then - echo "⏳ Waiting for namespace '$ns_name' to be at least 5 minutes old..." + # If ns_age is still less than $minimal_age, wait for a bit and check again + if [ "$ns_age" -lt $minimal_age ]; then + echo "⏳ Waiting for namespace '$ns_name' to be at least $minimal_age minutes old..." sleep 30 fi done - echo "✅ Namespace '$ns_name' is older than 5 minutes." + echo "✅ Namespace '$ns_name' is older than $minimal_age minutes." - name: 🏗️ Prepare a fresh namespace for the tests - # we need to retry due as the cluster has just been created and the permissions are sometime refused - uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3 id: kube_config - with: - timeout_minutes: 10 - max_attempts: 40 - shell: bash - retry_wait_seconds: 15 - command: | - : # see https://github.com/nick-fields/retry/issues/133 - set -o errexit - set -o pipefail + run: | + set -euxo pipefail # tolerate, nothing. - # Delete the namespace to ensure a fresh start - if kubectl get namespace "$TEST_NAMESPACE" &>/dev/null; then - kubectl delete namespace "$TEST_NAMESPACE" --wait - while kubectl get namespace "$TEST_NAMESPACE" &>/dev/null; do - echo "Namespace $TEST_NAMESPACE still being deleted, waiting..." - sleep 5 - done - fi - kubectl create namespace "$TEST_NAMESPACE" + # Delete the namespace to ensure a fresh start + if kubectl get namespace "$TEST_NAMESPACE" &>/dev/null; then + kubectl delete namespace "$TEST_NAMESPACE" --wait + while kubectl get namespace "$TEST_NAMESPACE" &>/dev/null; do + echo "Namespace $TEST_NAMESPACE still being deleted, waiting..." + sleep 5 + done + fi + + kubectl create namespace "$TEST_NAMESPACE" - name: 🛠️ Assemble deployment values of generic/openshift/single-region run: | 
@@ -537,10 +531,9 @@ jobs: temp_output=$(mktemp) echo "$check_zeebe_topology_output" > "$temp_output" - if ! jq -e . "$temp_output" > /dev/null 2>&1 || ! jq -e . "$reference_file" > /dev/null 2>&1; then - echo "❌ One of the files is not a valid JSON." - error_found=true - fi + # Order each file + yq e '.brokers |= sort_by(.host) | .brokers[] |= (.partitions |= sort_by(.partitionId))' -i "$temp_output" + yq e '.brokers |= sort_by(.host) | .brokers[] |= (.partitions |= sort_by(.partitionId))' -i "$reference_file" # Compare the two files using diff (in compacted JSON format) diff_output=$(delta <(jq -S . "$temp_output") <(jq -S . "$reference_file")) diff --git a/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json b/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json index 3bc081c0a..cb13c71fc 100644 --- a/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json +++ b/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json @@ -21,7 +21,7 @@ "health": "healthy" } ], - "version": "8.6.0" + "version": "8.6.9" }, { "nodeId": 1, @@ -44,7 +44,7 @@ "health": "healthy" } ], - "version": "8.6.0" + "version": "8.6.9" }, { "nodeId": 2, @@ -67,11 +67,11 @@ "health": "healthy" } ], - "version": "8.6.0" + "version": "8.6.9" } ], "clusterSize": 3, "partitionsCount": 3, "replicationFactor": 3, - "gatewayVersion": "8.6.0" + "gatewayVersion": "8.6.9" } From 0bbc13a30d02f982bf6541d35a958be760289531 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 6 Mar 2025 18:57:30 +0100 Subject: [PATCH 20/65] fix error prone cmd --- ...openshift_rosa_hcp_single_region_tests.yml | 79 ++++++------------- 1 file changed, 26 insertions(+), 53 deletions(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 095f584bb..34730bdd8 100644 
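Review bot: The second `yq e ... -i "$reference_file"` rewrites the checked-in reference file inside the workspace, so after this step the golden file on disk is no longer the committed one. Normalising into a temporary copy keeps the reference read-only, e.g. `yq e '<same expression>' "$reference_file" > "$ref_sorted"`, and then diffing `$ref_sorted`. The hunk also drops the `jq -e .` validity check, so a non-JSON topology response now surfaces as a yq error rather than the explicit message. The same in-place edit is kept in the later `@@ -504,9 +504,9 @@` hunk of this file; the step body starts outside this hunk.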
--- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml 
@@ -242,75 +242,48 @@ jobs: rm encrypted_kubeconfig.enc chmod 600 "$HOME/.kube/config" - - name: ⏳ Wait for a minimal age of 5min of the cluster - id: wait_cluster_age - # we need to retry due as the cluster has just been created and the permissions are sometime refused - # the minimal age is here to prevent following commands/script to fail + - name: 🏗️ Prepare a fresh namespace for the tests + # we need to retry due as the cluster has just been created and the OIDC provider may not be available yet uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3 with: - timeout_minutes: 30 - max_attempts: 80 + timeout_minutes: 10 + max_attempts: 40 shell: bash retry_wait_seconds: 15 command: | - : # see https://github.com/nick-fields/retry/issues/133 - set -o errexit + set -o errexit # this is required https://github.com/nick-fields/retry/issues/133 set -o pipefail - ns_age=0 - ns_name='default' - minimal_age=20 - - while [ "$ns_age" -lt $minimal_age ]; do - current_time=$(date +%s) - - ns_creation_time_raw=$(oc get ns "$ns_name" -o jsonpath='{.metadata.creationTimestamp}') - ns_creation_time=$(date -d "$ns_creation_time_raw" +%s) - - echo "Namespace '$ns_name' creation timestamp (seconds): $ns_creation_time" - ns_age=$(( (current_time - ns_creation_time) / 60 )) - - echo "Namespace '$ns_name' age in minutes: $ns_age" - - # If ns_age is still less than $minimal_age, wait for a bit and check again - if [ "$ns_age" -lt $minimal_age ]; then - echo "⏳ Waiting for namespace '$ns_name' to be at least $minimal_age minutes old..." - sleep 30 - fi - done - - echo "✅ Namespace '$ns_name' is older than $minimal_age minutes." - - - name: 🏗️ Prepare a fresh namespace for the tests - id: kube_config - run: | - set -euxo pipefail # tolerate, nothing. 
- + # Delete the namespace to ensure a fresh start + if kubectl get namespace "$TEST_NAMESPACE" &>/dev/null; then + kubectl delete namespace "$TEST_NAMESPACE" --wait + while kubectl get namespace "$TEST_NAMESPACE" &>/dev/null; do + echo "Namespace $TEST_NAMESPACE still being deleted, waiting..." + sleep 5 + done + fi - # Delete the namespace to ensure a fresh start - if kubectl get namespace "$TEST_NAMESPACE" &>/dev/null; then - kubectl delete namespace "$TEST_NAMESPACE" --wait - while kubectl get namespace "$TEST_NAMESPACE" &>/dev/null; do - echo "Namespace $TEST_NAMESPACE still being deleted, waiting..." - sleep 5 - done - fi - - kubectl create namespace "$TEST_NAMESPACE" + kubectl create namespace "$TEST_NAMESPACE" - name: 🛠️ Assemble deployment values of generic/openshift/single-region + timeout-minutes: 10 run: | set -euxo pipefail # tolerate, nothing. + # some commands are prone to error on OpenShift + GOBIN="$HOME/.local/bin" + echo "GOBIN=$GOBIN" | tee -a "$GITHUB_ENV" + go install github.com/joshdk/retry@v1.4.0 + echo "Construct the values.yml file" cp generic/openshift/single-region/helm-values/base.yml ./values.yml - source ./generic/openshift/single-region/procedure/setup-application-domain.sh + retry -max-time=120s source ./generic/openshift/single-region/procedure/setup-application-domain.sh echo "CAMUNDA_DOMAIN=$DOMAIN_NAME" | tee -a "$GITHUB_ENV" - source ./generic/openshift/single-region/procedure/get-ingress-http2-status.sh - ./generic/openshift/single-region/procedure/enable-ingress-http2.sh + retry -max-time=120s source ./generic/openshift/single-region/procedure/get-ingress-http2-status.sh + retry -max-time=120s ./generic/openshift/single-region/procedure/enable-ingress-http2.sh # Enable Routes yq '. *d load("generic/openshift/single-region/helm-values/zeebe-gateway-route.yml")' values.yml > values-result.yml 
@@ -531,9 +504,9 @@ jobs: temp_output=$(mktemp) echo "$check_zeebe_topology_output" > "$temp_output" - # Order each file - yq e '.brokers |= sort_by(.host) | .brokers[] |= (.partitions |= sort_by(.partitionId))' -i "$temp_output" - yq e '.brokers |= sort_by(.host) | .brokers[] |= (.partitions |= sort_by(.partitionId))' -i "$reference_file" + # Order each file also remove not predictable fields + yq e '.brokers |= sort_by(.host) | .brokers[] |= (.partitions |= sort_by(.partitionId) | .partitions[].role = "NOT_PREDICTABLE")' -i "$temp_output" + yq e '.brokers |= sort_by(.host) | .brokers[] |= (.partitions |= sort_by(.partitionId) | .partitions[].role = "NOT_PREDICTABLE")' -i "$reference_file" # Compare the two files using diff (in compacted JSON format) diff_output=$(delta <(jq -S . "$temp_output") <(jq -S . "$reference_file")) From 58f21833c0b81681b732b29158ee687061fc8137 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 6 Mar 2025 20:16:39 +0100 Subject: [PATCH 21/65] fix gobin --- .../workflows/aws_openshift_rosa_hcp_single_region_tests.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 34730bdd8..2405c25ab 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml @@ -271,7 +271,7 @@ jobs: set -euxo pipefail # tolerate, nothing. # some commands are prone to error on OpenShift - GOBIN="$HOME/.local/bin" + export GOBIN="$HOME/.local/bin" echo "GOBIN=$GOBIN" | tee -a "$GITHUB_ENV" go install github.com/joshdk/retry@v1.4.0 @@ -530,6 +530,9 @@ jobs: fi echo "✅ The cluster meets all the expected criteria." + - name: Setup tmate session + if: failure() + uses: mxschmitt/action-tmate@v3 - name: 🔬🚨 Get failed Pods info if: failure() 
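Review bot: The added `Setup tmate session` step uses `mxschmitt/action-tmate@v3`, a mutable tag, while the other third-party action in this workflow is pinned to a full commit SHA. It runs on every `failure()` and opens an interactive shell on a runner that by then holds the decrypted `$HOME/.kube/config`. Without `limit-access-to-actor: true`, anyone who can read the connection string printed in the job log can attach to that session. Pin it as `uses: mxschmitt/action-tmate@<full-commit-sha> # v3` (placeholder, take the SHA from the release you audited), add `with: limit-access-to-actor: true` and a `timeout-minutes:`, and gate it on a manual debug input rather than every failure. If this is only a temporary debugging aid for the branch, it should be removed before merge.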
From 4a006b0edbf0959c5468f5b84e5875043bfa665a Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 6 Mar 2025 21:10:26 +0100 Subject: [PATCH 22/65] fix retry --- .../aws_openshift_rosa_hcp_single_region_tests.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 2405c25ab..04720db36 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml @@ -279,10 +279,14 @@ jobs: cp generic/openshift/single-region/helm-values/base.yml ./values.yml - retry -max-time=120s source ./generic/openshift/single-region/procedure/setup-application-domain.sh + retry -max-time=120s ./generic/openshift/single-region/procedure/setup-application-domain.sh + # do it again to source it... + source ./generic/openshift/single-region/procedure/setup-application-domain.sh echo "CAMUNDA_DOMAIN=$DOMAIN_NAME" | tee -a "$GITHUB_ENV" - retry -max-time=120s source ./generic/openshift/single-region/procedure/get-ingress-http2-status.sh + retry -max-time=120s ./generic/openshift/single-region/procedure/get-ingress-http2-status.sh + source ./generic/openshift/single-region/procedure/get-ingress-http2-status.sh + retry -max-time=120s ./generic/openshift/single-region/procedure/enable-ingress-http2.sh # Enable Routes From 8f2c5faa13a019e3af62991d8849cab0372584ed Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 7 Mar 2025 09:41:44 +0100 Subject: [PATCH 23/65] add retry step --- ...openshift_rosa_hcp_single_region_tests.yml | 84 ++++++++++--------- 1 file changed, 43 insertions(+), 41 deletions(-) 
diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 04720db36..006354aca 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml 
@@ -266,58 +266,60 @@ jobs: kubectl create namespace "$TEST_NAMESPACE" - name: 🛠️ Assemble deployment values of generic/openshift/single-region - timeout-minutes: 10 - run: | - set -euxo pipefail # tolerate, nothing. + # we need to retry due as the cluster has just been created and the OIDC provider may not be available yet + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3 + with: + timeout_minutes: 10 + max_attempts: 40 + shell: bash + retry_wait_seconds: 15 + command: | + set -o errexit + set -euxo pipefail # tolerate, nothing. - # some commands are prone to error on OpenShift - export GOBIN="$HOME/.local/bin" - echo "GOBIN=$GOBIN" | tee -a "$GITHUB_ENV" - go install github.com/joshdk/retry@v1.4.0 + # As this action can be retried due to OpenShift API error, it must + # be stateless (all commmands can be rerun without issue) - echo "Construct the values.yml file" + echo "Construct the values.yml file" - cp generic/openshift/single-region/helm-values/base.yml ./values.yml + cp -f generic/openshift/single-region/helm-values/base.yml ./values.yml - retry -max-time=120s ./generic/openshift/single-region/procedure/setup-application-domain.sh - # do it again to source it... - source ./generic/openshift/single-region/procedure/setup-application-domain.sh - echo "CAMUNDA_DOMAIN=$DOMAIN_NAME" | tee -a "$GITHUB_ENV" + source ./generic/openshift/single-region/procedure/setup-application-domain.sh + echo "CAMUNDA_DOMAIN=$DOMAIN_NAME" | tee -a "$GITHUB_ENV" - retry -max-time=120s ./generic/openshift/single-region/procedure/get-ingress-http2-status.sh - source ./generic/openshift/single-region/procedure/get-ingress-http2-status.sh + source ./generic/openshift/single-region/procedure/get-ingress-http2-status.sh - retry -max-time=120s ./generic/openshift/single-region/procedure/enable-ingress-http2.sh + ./generic/openshift/single-region/procedure/enable-ingress-http2.sh - # Enable Routes - yq '. 
*d load("generic/openshift/single-region/helm-values/zeebe-gateway-route.yml")' values.yml > values-result.yml - cat values-result.yml && mv values-result.yml values.yml - yq '. *d load("generic/openshift/single-region/helm-values/operate-route.yml")' values.yml > values-result.yml - cat values-result.yml && mv values-result.yml values.yml - yq '. *d load("generic/openshift/single-region/helm-values/tasklist-route.yml")' values.yml > values-result.yml - cat values-result.yml && mv values-result.yml values.yml - yq '. *d load("generic/openshift/single-region/helm-values/connectors-route.yml")' values.yml > values-result.yml - cat values-result.yml && mv values-result.yml values.yml - yq '. *d load("generic/openshift/single-region/helm-values/domain.yml")' values.yml > values-result.yml - cat values-result.yml && mv values-result.yml values.yml + # Enable Routes + yq '. *d load("generic/openshift/single-region/helm-values/zeebe-gateway-route.yml")' values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml + yq '. *d load("generic/openshift/single-region/helm-values/operate-route.yml")' values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml + yq '. *d load("generic/openshift/single-region/helm-values/tasklist-route.yml")' values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml + yq '. *d load("generic/openshift/single-region/helm-values/connectors-route.yml")' values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml + yq '. *d load("generic/openshift/single-region/helm-values/domain.yml")' values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml - # Enable SCC - yq '. *d load("generic/openshift/single-region/helm-values/scc.yml")' values.yml > values-result.yml - cat values-result.yml && mv values-result.yml values.yml + # Enable SCC + yq '. 
*d load("generic/openshift/single-region/helm-values/scc.yml")' values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml - # Add integration tests values - if [ "$TESTS_ENABLED" == "true" ]; then - yq '. *d load("generic/kubernetes/single-region/tests/helm-values/registry.yml")' values.yml > values-result.yml - cat values-result.yml && mv values-result.yml values.yml - yq '. *d load("generic/kubernetes/single-region/tests/helm-values/identity.yml")' values.yml > values-result.yml - cat values-result.yml && mv values-result.yml values.yml - fi + # Add integration tests values + if [ "$TESTS_ENABLED" == "true" ]; then + yq '. *d load("generic/kubernetes/single-region/tests/helm-values/registry.yml")' values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml + yq '. *d load("generic/kubernetes/single-region/tests/helm-values/identity.yml")' values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml + fi - # Generate the final values - envsubst < values.yml > generated-values.yml + # Generate the final values + envsubst < values.yml > generated-values.yml - echo "Final generated-values.yml result" - cat generated-values.yml + echo "Final generated-values.yml result" + cat generated-values.yml - name: 🏁 Install Camunda 8 using the generic/openshift helm chart procedure From 6eaa36ce5f540fd8e54d86c695937f19dc171eb5 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 7 Mar 2025 11:24:04 +0100 Subject: [PATCH 24/65] integrate console and webmodeler in the tests --- ...openshift_rosa_hcp_single_region_tests.yml | 74 +++++++++++-------- 1 file changed, 45 insertions(+), 29 deletions(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 006354aca..a5bae3ad4 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml 
+++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml @@ -60,6 +60,9 @@ env: TESTS_CAMUNDA_HELM_CHART_REPO_REF: main # git reference used to clone the camunda/camunda-platform-helm repository to perform the tests TESTS_CAMUNDA_HELM_CHART_REPO_PATH: ./.camunda_helm_repo # where to clone it + # Components that are not enabled by default in the doc, but enabled in our tests to have a better coverage + WEBMODELER_ENABLED: 'true' + CONSOLE_ENABLED: 'true' ROSA_CLI_VERSION: latest 
@@ -292,27 +295,31 @@ jobs: ./generic/openshift/single-region/procedure/enable-ingress-http2.sh # Enable Routes - yq '. *d load("generic/openshift/single-region/helm-values/zeebe-gateway-route.yml")' values.yml > values-result.yml - cat values-result.yml && mv values-result.yml values.yml - yq '. *d load("generic/openshift/single-region/helm-values/operate-route.yml")' values.yml > values-result.yml - cat values-result.yml && mv values-result.yml values.yml - yq '. *d load("generic/openshift/single-region/helm-values/tasklist-route.yml")' values.yml > values-result.yml - cat values-result.yml && mv values-result.yml values.yml - yq '. *d load("generic/openshift/single-region/helm-values/connectors-route.yml")' values.yml > values-result.yml - cat values-result.yml && mv values-result.yml values.yml - yq '. *d load("generic/openshift/single-region/helm-values/domain.yml")' values.yml > values-result.yml - cat values-result.yml && mv values-result.yml values.yml + for file in zeebe-gateway-route.yml operate-route.yml tasklist-route.yml connectors-route.yml domain.yml; do + yq ". *d load(\"generic/openshift/single-region/helm-values/$file\")" values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml + done # Enable SCC yq '. *d load("generic/openshift/single-region/helm-values/scc.yml")' values.yml > values-result.yml cat values-result.yml && mv values-result.yml values.yml + if [ "$WEBMODELER_ENABLED" == "true" ]; then + echo "Enabling WebModeler" + yq -i '.webModeler.enabled = true' values.yml + fi + + if [ "$CONSOLE_ENABLED" == "true" ]; then + echo "Enabling Console" + yq -i '.console.enabled = true' values.yml + fi + # Add integration tests values if [ "$TESTS_ENABLED" == "true" ]; then - yq '. *d load("generic/kubernetes/single-region/tests/helm-values/registry.yml")' values.yml > values-result.yml - cat values-result.yml && mv values-result.yml values.yml - yq '. 
*d load("generic/kubernetes/single-region/tests/helm-values/identity.yml")' values.yml > values-result.yml - cat values-result.yml && mv values-result.yml values.yml + for file in registry.yml identity.yml; do + yq ". *d load(\"generic/kubernetes/single-region/tests/helm-values/$file\")" values.yml > values-result.yml + cat values-result.yml && mv values-result.yml values.yml + done fi # Generate the final values @@ -410,18 +417,15 @@ jobs: echo "ZEEBE_VERSION_FALLBACK=8.5.6" >> "$VARIABLES_ENV_FILE" # Some variables are not working correctly, patching it with yq directly - # shellcheck disable=SC2129 - echo "VENOM_VAR_SKIP_TEST_WEBMODELER=false" >> "$VARIABLES_ENV_FILE" echo "VENOM_VAR_SKIP_TEST_INGRESS=true" >> "$VARIABLES_ENV_FILE" echo "Patch the test files..." # TODO: [BUG] remove the patchs when https://github.com/camunda/camunda-platform-helm/issues/3081 is fixed echo "Patch expression ShoudBeFalse" - sed "s/ ShouldBeFalse/ ShouldEqual 'false'/g" \ - -i "$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/testsuite-core.yaml" - sed "s/ ShouldBeFalse/ ShouldEqual 'false'/g" \ - -i "$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/testsuite-preflight.yaml" + sed -i "s/ ShouldBeFalse/ ShouldEqual 'false'/g" \ + "$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/testsuite-core.yaml" \ + "$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/testsuite-preflight.yaml" echo "Skip test ingress is also broken, fixing it" yq eval '(.testcases[].steps[].skip |= map(select(test("skiptestingress", "i") | not)))' \ 
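Review bot: `echo "VENOM_VAR_SKIP_TEST_WEBMODELER=false"` is removed from the unconditional block in this hunk and re-added in the next hunk (`@@ -429,17 +433,29 @@`) only inside `if [ "$WEBMODELER_ENABLED" != "true" ]`, which looks inverted. Going by the variable name, the branch that deletes the WebModeler cases would want the skip set to `true`, and the enabled path now leaves the variable unset. If the test suite treats an unset value as "skip", the WebModeler coverage this commit is meant to add would silently not run; that default is not visible here, so please confirm. Writing it on both paths removes the ambiguity: `echo "VENOM_VAR_SKIP_TEST_WEBMODELER=$([ "$WEBMODELER_ENABLED" = "true" ] && echo false || echo true)" >> "$VARIABLES_ENV_FILE"`.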
@@ -429,17 +433,29 @@ jobs: yq eval 'del(.. | select(has("skip") and .skip | length == 0).skip)' \ -i "$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/testsuite-core.yaml" - echo "Disable Console,Webmodeler in the core tests as it's not enabled" - yq eval 'del(.. | select(has("component") and (.component == "Console" or .component == "WebModeler")))' \ - -i "$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/testsuite-core.yaml" + if [ "$WEBMODELER_ENABLED" != "true" ]; then + echo "Disable Webmodeler in the core tests as it's not enabled" + + echo "VENOM_VAR_SKIP_TEST_WEBMODELER=false" >> "$VARIABLES_ENV_FILE" + yq eval 'del(.. | select(has("component") and .component == "WebModeler"))' \ + -i "$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/testsuite-core.yaml" + fi + + if [ "$CONSOLE_ENABLED" != "true" ]; then + echo "Disable Console in the core tests as it's not enabled" + + yq eval 'del(.. | select(has("component") and .component == "Console"))' \ + -i "$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/testsuite-core.yaml" + fi echo "Patch the identity secrets to allow venom to access to the platform" - sed -i 's/integration-test-credentials/identity-secret-for-components/g' "$TEST_CHART_DIR_STATIC/test/integration/testsuites/core/patches/job.yaml" - sed -i 's/identity-operate-client-password/operate-secret/g' "$TEST_CHART_DIR_STATIC/test/integration/testsuites/core/patches/job.yaml" - sed -i 's/identity-optimize-client-password/optimize-secret/g' "$TEST_CHART_DIR_STATIC/test/integration/testsuites/core/patches/job.yaml" - sed -i 's/identity-tasklist-client-password/tasklist-secret/g' "$TEST_CHART_DIR_STATIC/test/integration/testsuites/core/patches/job.yaml" - sed -i 's/identity-zeebe-client-password/zeebe-secret/g' "$TEST_CHART_DIR_STATIC/test/integration/testsuites/core/patches/job.yaml" - sed -i 's/identity-connectors-client-password/connectors-secret/g' 
"$TEST_CHART_DIR_STATIC/test/integration/testsuites/core/patches/job.yaml" + sed -i -e 's/integration-test-credentials/identity-secret-for-components/g' \ + -e 's/identity-operate-client-password/operate-secret/g' \ + -e 's/identity-optimize-client-password/optimize-secret/g' \ + -e 's/identity-tasklist-client-password/tasklist-secret/g' \ + -e 's/identity-zeebe-client-password/zeebe-secret/g' \ + -e 's/identity-connectors-client-password/connectors-secret/g' \ + "$TEST_CHART_DIR_STATIC/test/integration/testsuites/core/patches/job.yaml" # remove venom var client secret as we define it in the file yq e 'del(.spec.template.spec.containers[].env[] | select(.name == "VENOM_VAR_TEST_CLIENT_SECRET"))' \ From cc9a9b7486ab18adee54d1d25c1f81f055680a71 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 7 Mar 2025 12:09:20 +0100 Subject: [PATCH 25/65] add login instructions --- .../aws_openshift_rosa_hcp_single_region_tests.yml | 5 +++++ .../rosa-hcp-single-region/procedure/.shellcheckrc | 1 + .../procedure/gather-cluster-login-id.sh | 6 ++++++ 3 files changed, 12 insertions(+) create mode 100644 aws/openshift/rosa-hcp-single-region/procedure/.shellcheckrc create mode 100755 aws/openshift/rosa-hcp-single-region/procedure/gather-cluster-login-id.sh diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index a5bae3ad4..c426bf94b 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml 
@@ -257,6 +257,11 @@ jobs: set -o errexit # this is required https://github.com/nick-fields/retry/issues/133 set -o pipefail + source ./aws/openshift/rosa-hcp-single-region/procedure/gather-cluster-login-id.sh + echo "CLUSTER_NAME=$CLUSTER_NAME" + echo "CLUSTER_API_URL=$CLUSTER_API_URL" + echo "CLUSTER_ADMIN_USERNAME=$CLUSTER_ADMIN_USERNAME" + # Delete the namespace to ensure a fresh start if kubectl get namespace "$TEST_NAMESPACE" &>/dev/null; then kubectl delete namespace "$TEST_NAMESPACE" --wait diff --git a/aws/openshift/rosa-hcp-single-region/procedure/.shellcheckrc b/aws/openshift/rosa-hcp-single-region/procedure/.shellcheckrc new file mode 100644 index 000000000..40e02e71c --- /dev/null +++ b/aws/openshift/rosa-hcp-single-region/procedure/.shellcheckrc @@ -0,0 +1 @@ +disable=SC2155 diff --git a/aws/openshift/rosa-hcp-single-region/procedure/gather-cluster-login-id.sh b/aws/openshift/rosa-hcp-single-region/procedure/gather-cluster-login-id.sh new file mode 100755 index 000000000..0424cc69f --- /dev/null +++ b/aws/openshift/rosa-hcp-single-region/procedure/gather-cluster-login-id.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +export CLUSTER_NAME="$(terraform console << Date: Fri, 7 Mar 2025 12:23:20 +0100 Subject: [PATCH 26/65] fix postgresql not enabled for webModeler --- .../workflows/aws_openshift_rosa_hcp_single_region_tests.yml | 1 + generic/openshift/single-region/helm-values/base.yml | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index c426bf94b..51aa8c5d2 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml 
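Review bot: The three added `echo` lines in the namespace step write `CLUSTER_NAME`, `CLUSTER_API_URL` and `CLUSTER_ADMIN_USERNAME` to the job log on every attempt of this retried step. Anyone with read access to the workflow runs then gets the API endpoint and admin account name of a live cluster. Print only what the later steps need, or mask first with `echo "::add-mask::$CLUSTER_API_URL"` and `echo "::add-mask::$CLUSTER_ADMIN_USERNAME"` before any output. Separately, the sourced script uses `export CLUSTER_NAME="$(terraform console …)"` with SC2155 disabled by the new `.shellcheckrc`, so a failing `terraform console` is hidden behind `export`'s exit status and `set -o errexit` will not stop the step. Assign and export on separate lines, `CLUSTER_NAME="$(…)"` followed by `export CLUSTER_NAME`, so an empty value fails here instead of later.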
@@ -312,6 +312,7 @@ jobs: if [ "$WEBMODELER_ENABLED" == "true" ]; then echo "Enabling WebModeler" yq -i '.webModeler.enabled = true' values.yml + yq -i '.postgresql.enabled = true' values.yml fi if [ "$CONSOLE_ENABLED" == "true" ]; then diff --git a/generic/openshift/single-region/helm-values/base.yml b/generic/openshift/single-region/helm-values/base.yml index d1a021ea0..c4eef3438 100644 --- a/generic/openshift/single-region/helm-values/base.yml +++ b/generic/openshift/single-region/helm-values/base.yml @@ -25,3 +25,7 @@ webModeler: mail: existingSecret: identity-secret-for-components # reference the smtp password fromAddress: changeme@example.com # change this required value +postgresql: + # Will deploy a postgresql datbase for webModeler. + # If you enable webModeler, you either need to turn it true or use an external database + enabled: false From 4ec4c0709a0afec8814f757b4f0092cbe7ef4623 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 7 Mar 2025 12:31:55 +0100 Subject: [PATCH 27/65] include assemble as part of generic --- .../aws_openshift_rosa_hcp_single_region_tests.yml | 6 +----- .../single-region/procedure/assemble-envsubst-values.sh | 7 +++++++ 2 files changed, 8 insertions(+), 5 deletions(-) create mode 100755 generic/openshift/single-region/procedure/assemble-envsubst-values.sh diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 51aa8c5d2..b88d92d9a 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml 
@@ -328,11 +328,7 @@ jobs: done fi - # Generate the final values - envsubst < values.yml > generated-values.yml - - echo "Final generated-values.yml result" - cat generated-values.yml + ./generic/openshift/single-region/procedure/assemble-envsubst-values.sh - name: 🏁 Install Camunda 8 using the generic/openshift helm chart procedure diff --git a/generic/openshift/single-region/procedure/assemble-envsubst-values.sh b/generic/openshift/single-region/procedure/assemble-envsubst-values.sh new file mode 100755 index 000000000..b25f42d9c --- /dev/null +++ b/generic/openshift/single-region/procedure/assemble-envsubst-values.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +# Generate the final values +envsubst < values.yml > generated-values.yml + +echo "Final generated-values.yml result" +cat generated-values.yml From c5064e51c9a137b4620e3c34d594bb2c4bf286a5 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 7 Mar 2025 12:58:20 +0100 Subject: [PATCH 28/65] add get copy --- ...aws_openshift_rosa_hcp_single_region_tests.yml | 8 ++++++++ .../procedure/get-your-copy.sh | 15 +++++++++++++++ .../procedure/assemble-envsubst-values.sh | 7 +++++++ 3 files changed, 30 insertions(+) create mode 100755 aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh create mode 100755 generic/kubernetes/single-region/procedure/assemble-envsubst-values.sh diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index b88d92d9a..ac938a52f 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml 
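Review bot: The new `assemble-envsubst-values.sh` has no `set -euo pipefail`, so moving these lines out of the workflow step loses the fail-fast behaviour they had inline. The script is executed rather than sourced, and if `envsubst` fails, the redirection has already created `generated-values.yml`, so `cat` succeeds and the script exits 0 with an empty or partial file. Add `set -euo pipefail` directly under the shebang. `envsubst` with no variable list also replaces every `$NAME` in `values.yml` from the whole job environment and the result is printed to the log; passing the names the values files actually reference, e.g. `envsubst '${DOMAIN_NAME}'` extended as needed, keeps unrelated environment values out of the rendered file. The identical script is added again under `generic/kubernetes/single-region/procedure/` in the next commit and needs the same change.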
@@ -245,6 +245,14 @@ jobs: rm encrypted_kubeconfig.enc chmod 600 "$HOME/.kube/config" + - name: 📁 Get a copy of the reference architecture + run: | + # run it as specified in the doc + set -euxo pipefail # tolerate, nothing. + + ./aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh + tree + - name: 🏗️ Prepare a fresh namespace for the tests # we need to retry due as the cluster has just been created and the OIDC provider may not be available yet uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3 diff --git a/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh b/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh new file mode 100755 index 000000000..7ded8b5c0 --- /dev/null +++ b/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh @@ -0,0 +1,15 @@ +#!/bin/bash +# Download a copy of the reference architecture + +# URL of the GitHub repository and specific branch +REPO_URL="https://github.com/camunda/camunda-deployment-references" +BRANCH="feature/integrate-tests-rosa" # TODO: Change the branch to 8.6 + +# Download the zip file from the specified branch +BRANCH_HYPHENATED="${BRANCH//\//-}" +curl -L "${REPO_URL}/archive/refs/heads/${BRANCH}.zip" -o "ra-${BRANCH_HYPHENATED}.zip" +unzip "ra-${BRANCH_HYPHENATED}.zip" + +# Navigate to the specific directory +cd "camunda-deployment-references-${BRANCH_HYPHENATED}/aws/openshift/rosa-hcp-single-region" || exit 1 +echo "You are now in the reference architecture directory $(pwd)." diff --git a/generic/kubernetes/single-region/procedure/assemble-envsubst-values.sh b/generic/kubernetes/single-region/procedure/assemble-envsubst-values.sh new file mode 100755 index 000000000..b25f42d9c --- /dev/null +++ b/generic/kubernetes/single-region/procedure/assemble-envsubst-values.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +# Generate the final values +envsubst < values.yml > generated-values.yml + +echo "Final generated-values.yml result" +cat generated-values.yml 
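Review bot: In the new `get-your-copy.sh`, `curl -L "${REPO_URL}/archive/refs/heads/${BRANCH}.zip" -o …` has no `--fail` and the script has no `set -e`, so an HTTP error body is saved as the zip and the problem only surfaces later in `unzip` or `cd`. Use `curl -fsSL` and put `set -euo pipefail` under the shebang. The archive is also whatever the head of `feature/integrate-tests-rosa` happens to be at download time, and nothing verifies it; the TODO already plans a release branch, and a tag or commit archive would make the copy reproducible. In the workflow hunk the script is executed rather than sourced, so its final `cd` does not carry over to the following `tree`, which lists the checkout root instead of the downloaded copy.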
From a9293f603d081af79b220d9c0d66eafb88213567 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 7 Mar 2025 13:23:57 +0100 Subject: [PATCH 29/65] cleanup clusters --- .../aws_openshift_rosa_hcp_single_region_daily_cleanup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml index 79c12fe62..9d8aed03f 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml @@ -16,7 +16,7 @@ on: - cron: 0 1 * * * # At 01:00 everyday. env: - MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '20' }} + MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '0' }} # please keep those variables synced with aws_rosa_hcp_tests.yml AWS_PROFILE: infex From e981f3de59485a7c1d7b26bb94e62585eb1df21f Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 7 Mar 2025 14:21:09 +0100 Subject: [PATCH 30/65] simplify copy --- ...openshift_rosa_hcp_single_region_daily_cleanup.yml | 2 +- .../rosa-hcp-single-region/procedure/get-your-copy.sh | 11 ++++------- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml index 9d8aed03f..79c12fe62 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml 
@@ -16,7 +16,7 @@ on: - cron: 0 1 * * * # At 01:00 everyday. env: - MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '0' }} + MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '20' }} # please keep those variables synced with aws_rosa_hcp_tests.yml AWS_PROFILE: infex diff --git a/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh b/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh index 7ded8b5c0..bbb7edf9e 100755 --- a/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh +++ b/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh @@ -1,15 +1,12 @@ #!/bin/bash -# Download a copy of the reference architecture -# URL of the GitHub repository and specific branch -REPO_URL="https://github.com/camunda/camunda-deployment-references" +# Download a copy of the reference architecture BRANCH="feature/integrate-tests-rosa" # TODO: Change the branch to 8.6 # Download the zip file from the specified branch -BRANCH_HYPHENATED="${BRANCH//\//-}" -curl -L "${REPO_URL}/archive/refs/heads/${BRANCH}.zip" -o "ra-${BRANCH_HYPHENATED}.zip" -unzip "ra-${BRANCH_HYPHENATED}.zip" +curl -L "https://github.com/camunda/camunda-deployment-references/archive/refs/heads/${BRANCH}.zip" -o "camunda-ra.zip" +unzip camunda-deployment-references "camunda-ra.zip" # Navigate to the specific directory -cd "camunda-deployment-references-${BRANCH_HYPHENATED}/aws/openshift/rosa-hcp-single-region" || exit 1 +cd "camunda-deployment-references/aws/openshift/rosa-hcp-single-region" || exit 1 echo "You are now in the reference architecture directory $(pwd)." From 5edba4b4e5ed228e1e22784e732fd215c13a1b4f Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 7 Mar 2025 17:01:20 +0100 Subject: [PATCH 31/65] fix copy --- .../procedure/get-your-copy.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
diff --git a/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh b/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh index bbb7edf9e..699ea2e72 100755 --- a/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh +++ b/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh @@ -5,7 +5,17 @@ BRANCH="feature/integrate-tests-rosa" # TODO: Change the branch to 8.6 # Download the zip file from the specified branch curl -L "https://github.com/camunda/camunda-deployment-references/archive/refs/heads/${BRANCH}.zip" -o "camunda-ra.zip" -unzip camunda-deployment-references "camunda-ra.zip" + + +unzip "camunda-ra.zip" -d temp_extract + +# Identify the root folder created by GitHub +ROOT_FOLDER=$(find temp_extract -mindepth 1 -maxdepth 1 -type d | head -n 1) + +# Move only the contents into the target directory +mkdir -p camunda-deployment-references +mv temp_extract/"$ROOT_FOLDER"/* camunda-deployment-references/ +rm -Rf temp_extract camunda-ra.zip # Navigate to the specific directory cd "camunda-deployment-references/aws/openshift/rosa-hcp-single-region" || exit 1 From 332097e31dc02130414fbb1c8f4d49255352530b Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 7 Mar 2025 17:05:46 +0100 Subject: [PATCH 32/65] simplify the get --- .../procedure/get-your-copy.sh | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh b/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh index 699ea2e72..d7ce6b1bf 100755 --- a/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh +++ b/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh 
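Review bot: `mv temp_extract/"$ROOT_FOLDER"/* camunda-deployment-references/` doubles the path prefix. `find temp_extract -mindepth 1 -maxdepth 1 -type d` prints paths that already begin with `temp_extract/`, so the source becomes `temp_extract/temp_extract/<dir>/*` and the move fails. Because the script has no `set -e`, it goes on to `rm -Rf temp_extract camunda-ra.zip`, deleting the only extracted copy and the archive, and only then stops at `cd … || exit 1`. Use `mv "$ROOT_FOLDER"/* camunda-deployment-references/`, and consider `cp -a "$ROOT_FOLDER"/. camunda-deployment-references/` since `*` skips dotfiles such as `.tool-versions`.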
@@ -3,20 +3,8 @@ # Download a copy of the reference architecture BRANCH="feature/integrate-tests-rosa" # TODO: Change the branch to 8.6 -# Download the zip file from the specified branch -curl -L "https://github.com/camunda/camunda-deployment-references/archive/refs/heads/${BRANCH}.zip" -o "camunda-ra.zip" +git clone --depth 1 --branch "$BRANCH" https://github.com/camunda/camunda-deployment-references.git - -unzip "camunda-ra.zip" -d temp_extract - -# Identify the root folder created by GitHub -ROOT_FOLDER=$(find temp_extract -mindepth 1 -maxdepth 1 -type d | head -n 1) - -# Move only the contents into the target directory -mkdir -p camunda-deployment-references -mv temp_extract/"$ROOT_FOLDER"/* camunda-deployment-references/ -rm -Rf temp_extract camunda-ra.zip - -# Navigate to the specific directory +# Navigate to the desired directory cd "camunda-deployment-references/aws/openshift/rosa-hcp-single-region" || exit 1 echo "You are now in the reference architecture directory $(pwd)." From e555e42d127362a0543e79476779b085575c1a79 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 7 Mar 2025 19:08:08 +0100 Subject: [PATCH 33/65] fix console domain --- generic/openshift/single-region/helm-values/domain.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/generic/openshift/single-region/helm-values/domain.yml b/generic/openshift/single-region/helm-values/domain.yml index 05c0535c8..0c95b4892 100644 --- a/generic/openshift/single-region/helm-values/domain.yml +++ b/generic/openshift/single-region/helm-values/domain.yml @@ -41,7 +41,7 @@ global: webModeler: redirectUrl: https://${DOMAIN_NAME}/modeler console: - redirectUrl: https://${DOMAIN_NAME}/console + redirectUrl: https://${DOMAIN_NAME} existingSecret: name: identity-secret-for-components @@ -65,7 +65,7 @@ zeebeGateway: contextPath: /zeebe console: - contextPath: /console + contextPath: / connectors: contextPath: /connectors 
From fa6dee55bb135807c0af89e128df68486c5875f7 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 10 Mar 2025 13:43:16 +0100 Subject: [PATCH 34/65] re-enable ec2 --- ...golden.yml.disabled => aws_ec2_golden.yml} | 20 +++++++++---------- ...2_tests.yml.disabled => aws_ec2_tests.yml} | 2 +- ...t_rosa_hcp_single_region_daily_cleanup.yml | 7 +++++++ ...openshift_rosa_hcp_single_region_tests.yml | 2 +- 4 files changed, 19 insertions(+), 12 deletions(-) rename .github/workflows/{aws_ec2_golden.yml.disabled => aws_ec2_golden.yml} (94%) rename .github/workflows/{aws_ec2_tests.yml.disabled => aws_ec2_tests.yml} (99%) diff --git a/.github/workflows/aws_ec2_golden.yml.disabled b/.github/workflows/aws_ec2_golden.yml similarity index 94% rename from .github/workflows/aws_ec2_golden.yml.disabled rename to .github/workflows/aws_ec2_golden.yml index 1d7b9bea0..4d0a7f606 100644 --- a/.github/workflows/aws_ec2_golden.yml.disabled +++ b/.github/workflows/aws_ec2_golden.yml @@ -4,16 +4,16 @@ name: Tests - Golden - AWS EC2 on: workflow_dispatch: - pull_request: - paths: - - .github/workflows/aws_ec2_golden.yml - - .tool-versions - - aws/ec2/terraform/** - push: - branches: - - main - paths: - - aws/ec2/terraform/** + # pull_request: + # paths: + # - .github/workflows/aws_ec2_golden.yml + # - .tool-versions + # - aws/ec2/terraform/** + # push: + # branches: + # - main + # paths: + # - aws/ec2/terraform/** # limit to a single execution per actor of this workflow concurrency: diff --git a/.github/workflows/aws_ec2_tests.yml.disabled b/.github/workflows/aws_ec2_tests.yml similarity index 99% rename from .github/workflows/aws_ec2_tests.yml.disabled rename to .github/workflows/aws_ec2_tests.yml index c2b190492..9621b5702 100644 --- a/.github/workflows/aws_ec2_tests.yml.disabled +++ b/.github/workflows/aws_ec2_tests.yml 
@@ -18,7 +18,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} # in case of renovate we don't cancel the previous run, so it can finish it # otherwise weekly renovate PRs with tf docs updates result in broken clusters - cancel-in-progress: ${{ github.actor == 'renovate[bot]' && false || true }} + cancel-in-progress: ${{ !contains('renovate[bot]', github.actor) }} env: AWS_PROFILE: infex diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml index 79c12fe62..6ca2f453d 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml @@ -15,6 +15,13 @@ on: schedule: - cron: 0 1 * * * # At 01:00 everyday. +# limit to a single execution per actor of this workflow +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + # in case of renovate we don't cancel the previous run, so it can finish it + # otherwise weekly renovate PRs with tf docs updates result in broken clusters + cancel-in-progress: ${{ !contains('renovate[bot]', github.actor) }} + env: MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '20' }} diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index ac938a52f..58989655b 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml @@ -39,7 +39,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} # in case of renovate we don't cancel the previous run, so it can finish it # otherwise weekly renovate PRs with tf docs updates result in broken clusters - cancel-in-progress: ${{ github.actor == 'renovate[bot]' && false || true }} + cancel-in-progress: ${{ !contains('renovate[bot]', github.actor) }} env: AWS_PROFILE: infex 
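Review bot: `contains('renovate[bot]', github.actor)` has its arguments in substring order: with a string as first argument, `contains` is true when the second argument occurs inside it, case-insensitively, so any actor whose login is a fragment of `renovate[bot]` (for example `renovate` or `bot`) is treated as Renovate. An exact comparison says what the comment above it describes: `cancel-in-progress: ${{ github.actor != 'renovate[bot]' }}`. The same expression is added in the daily-cleanup and rosa-hcp tests hunks that follow. The replaced form `github.actor == 'renovate[bot]' && false || true` always evaluated to true, so this is the first time the Renovate exemption takes effect and it is worth confirming on a Renovate PR.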
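Review bot: The `concurrency` block added to the daily cleanup workflow allows a second run on the same ref to cancel a cleanup that is in the middle of deleting clusters. This hunk does not show whether an interrupted delete leaves Terraform state or cloud resources half-removed, but the comment copied in with the block warns that cancelled runs "result in broken clusters". For a destructive job, `cancel-in-progress: false` makes runs queue instead of interrupting each other. The comment `# limit to a single execution per actor of this workflow` also does not match the group key, which is workflow plus ref; `# limit to a single execution per ref of this workflow` would be accurate.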
From 62ad96ac6dd2b6244e6b688ab08d868b22122179 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 10 Mar 2025 18:41:21 +0100 Subject: [PATCH 35/65] fix some reported issues --- .github/renovate.json5 | 13 ----- .github/workflows/internal_global_links.yml | 17 ++++-- .../workflows/internal_global_sync_main.yml | 57 ------------------- MAINTENANCE.md | 13 ++--- 4 files changed, 15 insertions(+), 85 deletions(-) delete mode 100644 .github/workflows/internal_global_sync_main.yml diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 97a6efdac..258f0fd70 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -1,17 +1,4 @@ { $schema: "https://docs.renovatebot.com/renovate-schema.json", extends: ["github>camunda/infraex-common-config:default.json5"], - packageRules: [ - { - // The versioning is a bit strange, so we need to help a bit with parsing it correctly - matchPackageNames: ["amazon/cloudwatch-agent"], - versioning: "regex:^(?\\d)(\\.(?\\d+))(\\.(?\\db\\d+))$", - } - ], - "customDatasources": { - "rosa-camunda": { - "defaultRegistryUrlTemplate": "https://camunda.github.io/camunda-deployment-references/rosa_versions.txt", - "format": "plain", - }, - }, } diff --git a/.github/workflows/internal_global_links.yml b/.github/workflows/internal_global_links.yml index 76b1b67c9..76827276a 100644 --- a/.github/workflows/internal_global_links.yml +++ b/.github/workflows/internal_global_links.yml 
@@ -17,16 +17,15 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - name: Get Current Timestamp - id: timestamp - run: echo "TIMESTAMP=$(date +%s)" >> "$GITHUB_ENV" + - name: Get Current Date + id: dateofday + run: echo "DATEOFDAY=$(date +%Y-%m-%d)" >> "$GITHUB_ENV" - name: Restore lychee cache - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4 + uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # v4 with: path: .lycheecache - key: cache-lychee-${{ env.TIMESTAMP }} - restore-keys: cache-lychee- + key: cache-lychee-${{ env.DATEOFDAY }} - name: Link Checker uses: lycheeverse/lychee-action@f613c4a64e50d792e0b31ec34bbcbba12263c6a6 # v2.3.0 @@ -35,6 +34,12 @@ jobs: args: -c ./lychee-links.toml --base . --cache --max-cache-age 1d . --verbose --no-progress '*.md' './**/*.md' token: ${{ secrets.GITHUB_TOKEN }} + - name: Cache links + uses: actions/cache/save@d4323d4df104b026a6aa633fdb11d772146be0bf # v4 + with: + path: .lycheecache + key: cache-lychee-${{ env.DATEOFDAY }} + - name: Create Issue From File if: failure() && github.event_name == 'schedule' uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd # v5 diff --git a/.github/workflows/internal_global_sync_main.yml b/.github/workflows/internal_global_sync_main.yml deleted file mode 100644 index aa78635ac..000000000 --- a/.github/workflows/internal_global_sync_main.yml +++ /dev/null 
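Review bot: The new `Cache links` step has no condition, so it is skipped whenever `Link Checker` fails and the links that were already checked are not kept for the re-run; adding `if: always()` to that step saves the cache in both cases. With `restore-keys: cache-lychee-` removed and the key now `cache-lychee-${{ env.DATEOFDAY }}`, the first run of each day starts from an empty cache, and later runs on the same day restore it but cannot update it, because an existing cache key is not overwritten. If that once-per-day behaviour is intended to match `--max-cache-age 1d`, a short comment above the restore step would make it explicit, for example `# one cache entry per day; entries are never updated after the first save`. `id: dateofday` is unused, since the value is passed through `$GITHUB_ENV`.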
@@ -1,57 +0,0 @@ ---- -name: Internal - Global - Sync Main branch from latest Camunda stable version - -env: - CURRENT_STABLE_BRANCH: stable/8.7 - -on: - push: - branches: - - stable/8.7 # keep it updated the current stable version - workflow_dispatch: - - -concurrency: - group: stable-merge - cancel-in-progress: false - -jobs: - sync-main: - runs-on: ubuntu-latest - name: Syncing main from latest stable - steps: - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - fetch-depth: 0 # Full clone necessary for proper merge - - - name: Generate token for GitHub - id: generate-github-token - uses: camunda/infra-global-github-actions/generate-github-app-token-from-vault-secrets@5d11ae14b11695bb23f62478361cf5f5cbac6811 # main - with: - github-app-id-vault-key: GITHUB_APP_ID - github-app-id-vault-path: secret/data/products/infrastructure-experience/ci/common - github-app-private-key-vault-key: GITHUB_APP_PRIVATE_KEY - github-app-private-key-vault-path: secret/data/products/infrastructure-experience/ci/common - vault-auth-method: approle - vault-auth-role-id: ${{ secrets.VAULT_ROLE_ID }} - vault-auth-secret-id: ${{ secrets.VAULT_SECRET_ID }} - vault-url: ${{ secrets.VAULT_ADDR }} - - - name: Main sync merge - uses: robotology/gh-action-nightly-merge@81570ba03dd370f582bd3f52d47672d29191829f # v1.5.2 - with: - stable_branch: ${{ env.CURRENT_STABLE_BRANCH }} - development_branch: main - allow_ff: false # Prevent fast-forward merges - env: - GITHUB_TOKEN: ${{ steps.generate-github-token.outputs.token }} - - - name: Notify in Slack in case of failure - id: slack-notification - if: failure() && github.event_name == 'schedule' - uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 - with: - vault_addr: ${{ secrets.VAULT_ADDR }} - vault_role_id: ${{ secrets.VAULT_ROLE_ID }} - vault_secret_id: ${{ secrets.VAULT_SECRET_ID }} 
diff --git a/MAINTENANCE.md b/MAINTENANCE.md index d70c4fcbb..36de3e5ed 100644 --- a/MAINTENANCE.md +++ b/MAINTENANCE.md 
@@ -4,21 +4,16 @@ TODO: write the complete maintenance guide (https://github.com/camunda/camunda-d ## Branching Strategy for camunda-deployment-references -The repository [https://github.com/camunda/camunda-deployment-references](https://github.com/camunda/camunda-deployment-references) follows the logic of maintaining only the [latest released version of Camunda](https://docs.camunda.io/docs/8.7/reference/release-notes/) on the `main` branch. +The repository [https://github.com/camunda/camunda-deployment-references](https://github.com/camunda/camunda-deployment-references) follows the logic of maintaining only the [next unreleased version of Camunda](https://docs.camunda.io/docs/8.7/reference/release-notes/) on the `main` branch. -=> Most of the time, we work on the next unreleased version. - -We should not merge into `main` directly but into the respective Camunda version branch we are working on. - -The `main` branch will be updated automatically when we push to the latest stable version branch, thanks to the workflow `.github/workflows/internal_global_sync_main.yml`. +=> Most of the time, we work on the next unreleased version, we should then merge into `main`. For example, consider the following branches: - `main/` -- `stable/8.7` - `stable/8.6` - `stable/8.5` -Where `8.6` is the latest stable version and `8.7` is the next one. The branch to target for merge requests should be `8.7` since it represents the upcoming version. +Where `8.6` is the latest stable version and `8.7` is the next one. The branch to target for merge requests should be `main` since it represents the upcoming version. -When `8.7` becomes the new stable version, we will update the `internal_global_sync_main` workflow to merge it into `main`. +When `8.7` becomes the new stable version, we create the `stable/8.7` branch from `main` and then `main` will be used for the next unrelease version (`8.8`). From a5e4be18633a226bcba7e920e154397ed8a52ab3 Mon Sep 17 00:00:00 2001 
From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 10 Mar 2025 20:08:40 +0100 Subject: [PATCH 36/65] update asdf install --- .../aws-openshift-rosa-hcp-single-region-cleanup/action.yml | 2 +- .github/workflows/aws_ec2_golden.yml | 2 +- .github/workflows/aws_ec2_tests.yml | 2 +- .../aws_openshift_rosa_hcp_single_region_daily_cleanup.yml | 4 ++-- .../aws_openshift_rosa_hcp_single_region_golden.yml | 2 +- .../aws_openshift_rosa_hcp_single_region_tests.yml | 6 +++--- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/action.yml b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/action.yml index 9c2248fb9..191358ec9 100644 --- a/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/action.yml +++ b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/action.yml @@ -35,7 +35,7 @@ runs: steps: - name: Install asdf tools with cache - uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@6dc218bf7ee3812a4b6b13c305bce60d5d1d46e5 # 1.3.1 - name: Install ROSA CLI shell: bash diff --git a/.github/workflows/aws_ec2_golden.yml b/.github/workflows/aws_ec2_golden.yml index 4d0a7f606..736338fd0 100644 --- a/.github/workflows/aws_ec2_golden.yml +++ b/.github/workflows/aws_ec2_golden.yml @@ -37,7 +37,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install asdf tools with cache - uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@6dc218bf7ee3812a4b6b13c305bce60d5d1d46e5 # 1.3.1 - name: Import Secrets id: secrets diff --git a/.github/workflows/aws_ec2_tests.yml b/.github/workflows/aws_ec2_tests.yml index 9621b5702..ca9e889bc 100644 
--- a/.github/workflows/aws_ec2_tests.yml +++ b/.github/workflows/aws_ec2_tests.yml @@ -54,7 +54,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install asdf tools with cache - uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@6dc218bf7ee3812a4b6b13c305bce60d5d1d46e5 # 1.3.1 - name: Import Secrets id: secrets diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml index 6ca2f453d..7169ed343 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml @@ -23,7 +23,7 @@ concurrency: cancel-in-progress: ${{ !contains('renovate[bot]', github.actor) }} env: - MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '20' }} + MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '0' }} # please keep those variables synced with aws_rosa_hcp_tests.yml AWS_PROFILE: infex @@ -44,7 +44,7 @@ jobs: fetch-depth: 0 - name: Install asdf tools with cache - uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@6dc218bf7ee3812a4b6b13c305bce60d5d1d46e5 # 1.3.1 - name: Use repo .tool-version as global version run: cp .tool-versions ~/.tool-versions diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml index de64b7bf1..e730a73b8 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml 
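Review bot: The cleanup workflow's fallback changes from `'20'` to `'0'` in `MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '0' }}`, inside a commit titled "update asdf install". Scheduled runs carry no inputs, so the nightly cron would run with 0, which presumably selects every cluster regardless of age, including ones still in use by a running test; the follow-up commit that restores `'20'` is titled "revert delete all". Keep `|| '20'` as the default and pass 0 only through the `max_age_hours_cluster` dispatch input when a full wipe is wanted. The same flip to `'0'` reappears in the later "add todos" commit and is reverted again one commit after it.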
@@ -36,7 +36,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install asdf tools with cache - uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@6dc218bf7ee3812a4b6b13c305bce60d5d1d46e5 # 1.3.1 - name: Import Secrets id: secrets diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 58989655b..505cc6d6a 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml @@ -78,7 +78,7 @@ jobs: fetch-depth: 0 - name: Install asdf tools with cache - uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@6dc218bf7ee3812a4b6b13c305bce60d5d1d46e5 # 1.3.1 - id: matrix # we define a global matrix in an external file due to https://github.com/orgs/community/discussions/26284 @@ -122,7 +122,7 @@ jobs: fetch-depth: 0 - name: Install asdf tools with cache - uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@6dc218bf7ee3812a4b6b13c305bce60d5d1d46e5 # 1.3.1 - name: Import Secrets id: secrets @@ -589,7 +589,7 @@ jobs: - name: Install asdf tools with cache if: env.CLEANUP_CLUSTERS == 'true' - uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 + uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@6dc218bf7ee3812a4b6b13c305bce60d5d1d46e5 # 1.3.1 - name: Import Secrets id: secrets 
From a1e2af9ace09739bd8ebaf1da0ad5925c5a7bb7a Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 10 Mar 2025 20:10:41 +0100 Subject: [PATCH 37/65] revert delete all --- .../aws_openshift_rosa_hcp_single_region_daily_cleanup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml index 7169ed343..c9f03bd21 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml @@ -23,7 +23,7 @@ concurrency: cancel-in-progress: ${{ !contains('renovate[bot]', github.actor) }} env: - MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '0' }} + MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '20' }} # please keep those variables synced with aws_rosa_hcp_tests.yml AWS_PROFILE: infex From cb301c2d1a8eb5a407da214d920bc146895e7a10 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 10 Mar 2025 22:04:18 +0100 Subject: [PATCH 38/65] new env --- .github/workflows/aws_ec2_golden.yml | 2 ++ .github/workflows/aws_ec2_tests.yml | 5 ++++- .../aws_openshift_rosa_hcp_single_region_daily_cleanup.yml | 4 +++- .../aws_openshift_rosa_hcp_single_region_golden.yml | 2 ++ .../workflows/aws_openshift_rosa_hcp_single_region_tests.yml | 5 ++++- 5 files changed, 15 insertions(+), 3 deletions(-) diff --git a/.github/workflows/aws_ec2_golden.yml b/.github/workflows/aws_ec2_golden.yml index 736338fd0..1217da0ef 100644 --- a/.github/workflows/aws_ec2_golden.yml +++ b/.github/workflows/aws_ec2_golden.yml 
@@ -21,6 +21,8 @@ concurrency: cancel-in-progress: true env: + IS_SCHEDULE: ${{ contains(github.ref, 'refs/heads/schedule/') || github.event_name == 'schedule' && 'true' || 'false' }} + AWS_PROFILE: infex AWS_REGION: eu-west-2 TF_PATH: ${{ github.workspace }}/aws/ec2/terraform diff --git a/.github/workflows/aws_ec2_tests.yml b/.github/workflows/aws_ec2_tests.yml index ca9e889bc..c845c788e 100644 --- a/.github/workflows/aws_ec2_tests.yml +++ b/.github/workflows/aws_ec2_tests.yml @@ -21,6 +21,8 @@ concurrency: cancel-in-progress: ${{ !contains('renovate[bot]', github.actor) }} env: + IS_SCHEDULE: ${{ contains(github.ref, 'refs/heads/schedule/') || github.event_name == 'schedule' && 'true' || 'false' }} + AWS_PROFILE: infex AWS_REGION: eu-west-2 S3_BACKEND_BUCKET: tf-state-multi-reg @@ -198,13 +200,14 @@ jobs: notify-on-failure: runs-on: ubuntu-latest # if only snapshot error was detected, don't report - if: github.event_name == 'schedule' && failure() && needs.test-report.outputs.SNAPSHOT_ERROR == 'false' + if: failure() && needs.test-report.outputs.SNAPSHOT_ERROR == 'false' needs: - test - test-report steps: - name: Notify in Slack in case of failure id: slack-notification + if: ${{ env.IS_SCHEDULE == 'true' }} uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 with: vault_addr: ${{ secrets.VAULT_ADDR }} diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml index c9f03bd21..8b79f0403 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml 
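Review bot: The `IS_SCHEDULE` expression mixes `||` and `&&` without parentheses and tests the ref with `contains`, which matches the text anywhere in the ref rather than at its start; it yields the intended strings only because `&&` binds tighter than `||` and a boolean true is rendered as `true`. A form that reads the way it evaluates is `IS_SCHEDULE: ${{ (startsWith(github.ref, 'refs/heads/schedule/') || github.event_name == 'schedule') && 'true' || 'false' }}`. The variable also has no comment; if the intent is to let branches under `schedule/` exercise the scheduled path, say so, for example `# 'true' for cron runs and for branches under schedule/ that emulate them`. The same line is added in the ec2 tests, daily cleanup, rosa golden and rosa tests hunks. In the `notify-on-failure` and `report` hunks the schedule test moved from the job-level `if:` to the step, so those jobs now start a runner on every failure and then skip their only step.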
@@ -23,6 +23,8 @@ concurrency: cancel-in-progress: ${{ !contains('renovate[bot]', github.actor) }} env: + IS_SCHEDULE: ${{ contains(github.ref, 'refs/heads/schedule/') || github.event_name == 'schedule' && 'true' || 'false' }} + MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '20' }} # please keep those variables synced with aws_rosa_hcp_tests.yml @@ -96,7 +98,7 @@ jobs: - name: Notify in Slack in case of failure id: slack-notification - if: failure() && github.event_name == 'schedule' && steps.retry_delete_clusters.outcome == 'failure' + if: ${{ failure() && env.IS_SCHEDULE == 'true' && steps.retry_delete_clusters.outcome == 'failure' }} uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 with: vault_addr: ${{ secrets.VAULT_ADDR }} diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml index e730a73b8..57bd3d633 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml @@ -16,6 +16,8 @@ concurrency: cancel-in-progress: true env: + IS_SCHEDULE: ${{ contains(github.ref, 'refs/heads/schedule/') || github.event_name == 'schedule' && 'true' || 'false' }} + # keep this synced with other workflows AWS_PROFILE: infex AWS_REGION: eu-west-2 diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 505cc6d6a..622a64228 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml 
@@ -42,6 +42,8 @@ concurrency: cancel-in-progress: ${{ !contains('renovate[bot]', github.actor) }} env: + IS_SCHEDULE: ${{ contains(github.ref, 'refs/heads/schedule/') || github.event_name == 'schedule' && 'true' || 'false' }} + AWS_PROFILE: infex AWS_REGION: eu-west-2 S3_BACKEND_BUCKET: tests-ra-aws-rosa-hcp-tf-state-eu-central-1 @@ -628,7 +630,7 @@ jobs: report: name: Report failures - if: github.event_name == 'schedule' && failure() + if: failure() runs-on: ubuntu-latest needs: - integration-tests @@ -636,6 +638,7 @@ jobs: steps: - name: Notify in Slack in case of failure id: slack-notification + if: ${{ env.IS_SCHEDULE == 'true' }} uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@e9a9f33ab193348a82a79bd9250fdf12f708390a # 1.2.19 with: vault_addr: ${{ secrets.VAULT_ADDR }} From b259edb2050c300d93793c7acb9cdcf8721146d6 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 09:51:17 +0100 Subject: [PATCH 39/65] add todos --- .../scripts/destroy-clusters.sh | 2 ++ .../aws-openshift-rosa-hcp-single-region-create/action.yml | 1 + .../aws_openshift_rosa_hcp_single_region_daily_cleanup.yml | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/scripts/destroy-clusters.sh b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/scripts/destroy-clusters.sh index a215ca066..6fcf77402 100755 --- a/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/scripts/destroy-clusters.sh +++ b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/scripts/destroy-clusters.sh @@ -26,6 +26,8 @@ set -o pipefail # - AWS CLI installed and configured with the necessary permissions to access and modify the S3 bucket. # - Terraform installed and accessible in the PATH. +# TODO: add key_prefix + # Check for required arguments if [ "$#" -ne 5 ]; then echo "Usage: $0 " 
diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml b/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml index d992da888..e42ebe5ec 100644 --- a/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml +++ b/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml @@ -136,6 +136,7 @@ runs: id: set-terraform-variables shell: bash run: | + # TODO: add key prefix export TFSTATE_BUCKET="${{ inputs.s3-backend-bucket }}" export TFSTATE_KEY="tfstate-${{ inputs.cluster-name }}/${{ inputs.cluster-name }}.tfstate" diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml index 8b79f0403..a47369f16 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml @@ -25,7 +25,7 @@ concurrency: env: IS_SCHEDULE: ${{ contains(github.ref, 'refs/heads/schedule/') || github.event_name == 'schedule' && 'true' || 'false' }} - MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '20' }} + MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '0' }} # please keep those variables synced with aws_rosa_hcp_tests.yml AWS_PROFILE: infex From 7b20c04110072c25f887adc3808ee2d51bbee477 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 12:04:19 +0100 Subject: [PATCH 40/65] revert cleanup date --- .../aws_openshift_rosa_hcp_single_region_daily_cleanup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml index a47369f16..8b79f0403 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml 
+++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml @@ -25,7 +25,7 @@ concurrency: env: IS_SCHEDULE: ${{ contains(github.ref, 'refs/heads/schedule/') || github.event_name == 'schedule' && 'true' || 'false' }} - MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '0' }} + MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '20' }} # please keep those variables synced with aws_rosa_hcp_tests.yml AWS_PROFILE: infex From edfc00be8c2df454dd4661d050ce52a2c1f89e91 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 12:14:17 +0100 Subject: [PATCH 41/65] update to 8.7 --- .camunda-version | 2 +- MAINTENANCE.md | 5 +++++ aws/openshift/rosa-hcp-single-region/README.md | 2 +- .../rosa-hcp-single-region/procedure/get-your-copy.sh | 2 +- .../single-region/tests/helm-values/identity.yml | 3 ++- generic/openshift/single-region/procedure/chart-env.sh | 5 +++-- generic/openshift/single-region/procedure/install-chart.sh | 7 +++++++ 7 files changed, 20 insertions(+), 6 deletions(-) diff --git a/.camunda-version b/.camunda-version index 48c26da3e..0ff41bfab 100644 --- a/.camunda-version +++ b/.camunda-version @@ -1 +1 @@ -8.6 +8.7 diff --git a/MAINTENANCE.md b/MAINTENANCE.md index 36de3e5ed..25be4e0f6 100644 --- a/MAINTENANCE.md +++ b/MAINTENANCE.md @@ -17,3 +17,8 @@ For example, consider the following branches: Where `8.6` is the latest stable version and `8.7` is the next one. The branch to target for merge requests should be `main` since it represents the upcoming version. When `8.7` becomes the new stable version, we create the `stable/8.7` branch from `main` and then `main` will be used for the next unrelease version (`8.8`). + +## Release duty + +When we plan to release, the `main` branch will be cut into a `stable/8.x` +All the `TODO [release-duty] must be solved during this process` 
diff --git a/aws/openshift/rosa-hcp-single-region/README.md b/aws/openshift/rosa-hcp-single-region/README.md index b5a82f2d6..63678888f 100644 --- a/aws/openshift/rosa-hcp-single-region/README.md +++ b/aws/openshift/rosa-hcp-single-region/README.md @@ -1,7 +1,7 @@ # Camunda on AWS ROSA single-region This folder describes the IaC of Camunda on AWS ROSA in a single-region setup. -Instructions can be found on the official documentation: https://docs.camunda.io/docs/8.6/self-managed/setup/deploy/amazon/openshift/terraform-setup/ +Instructions can be found on the official documentation: https://docs.camunda.io/docs/8.7/self-managed/setup/deploy/amazon/openshift/terraform-setup/ ## Modules diff --git a/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh b/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh index d7ce6b1bf..1e78fe4ff 100755 --- a/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh +++ b/aws/openshift/rosa-hcp-single-region/procedure/get-your-copy.sh @@ -1,7 +1,7 @@ #!/bin/bash # Download a copy of the reference architecture -BRANCH="feature/integrate-tests-rosa" # TODO: Change the branch to 8.6 +BRANCH="feature/rosa-8.7" # TODO: Change the branch to main then [release-duty] to 8.7 git clone --depth 1 --branch "$BRANCH" https://github.com/camunda/camunda-deployment-references.git diff --git a/generic/kubernetes/single-region/tests/helm-values/identity.yml b/generic/kubernetes/single-region/tests/helm-values/identity.yml index 21f3900ce..210f0d265 100644 --- a/generic/kubernetes/single-region/tests/helm-values/identity.yml +++ b/generic/kubernetes/single-region/tests/helm-values/identity.yml 
@@ -1,5 +1,6 @@ --- -# keep it synced with https://github.com/camunda/camunda-platform-helm/blob/main/charts/camunda-platform-8.6/test/integration/scenarios/common/values-integration-test.yaml +# TODO: [release-duty] when release update the link with 8.7 +# keep it synced with https://github.com/camunda/camunda-platform-helm/blob/main/charts/camunda-platform-alpha/test/integration/scenarios/common/values-integration-test.yaml # it generates the CI user used to connect to the platform identity: diff --git a/generic/openshift/single-region/procedure/chart-env.sh b/generic/openshift/single-region/procedure/chart-env.sh index 236cad342..3371aff03 100755 --- a/generic/openshift/single-region/procedure/chart-env.sh +++ b/generic/openshift/single-region/procedure/chart-env.sh @@ -1,5 +1,6 @@ #!/bin/bash # The Camunda 8 Helm Chart version -# renovate: datasource=helm depName=camunda-platform versioning=regex:^11(\.(?\d+))?(\.(?\d+))?$ registryUrl=https://helm.camunda.io -export CAMUNDA_HELM_CHART_VERSION="11.2.1" +# renovate: datasource=helm depName=camunda-platform versioning=regex:^12(\.(?\d+))?(\.(?\d+))?$ registryUrl=https://helm.camunda.io +export CAMUNDA_HELM_CHART_VERSION="0.0.0-snapshot-alpha" +# TODO: [release-duty] before the release, update this! diff --git a/generic/openshift/single-region/procedure/install-chart.sh b/generic/openshift/single-region/procedure/install-chart.sh index 54924d37c..9355b779b 100755 --- a/generic/openshift/single-region/procedure/install-chart.sh +++ b/generic/openshift/single-region/procedure/install-chart.sh @@ -1,5 +1,12 @@ #!/bin/bash +# TODO: [release-duty] before the release, update this! + +helm upgrade --install \ + camunda oci://ghcr.io/camunda/helm/camunda-platform \ + --version "$CAMUNDA_HELM_CHART_VERSION" --namespace camunda \ + -f generated-values.yml + helm upgrade --install \ camunda camunda-platform \ --repo https://helm.camunda.io \ From b0b4ea69d914f6f162c3595c16f94c48accad959 Mon Sep 17 00:00:00 2001 
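Review bot: In `chart-env.sh`, `CAMUNDA_HELM_CHART_VERSION="0.0.0-snapshot-alpha"` replaces a fixed release with a snapshot tag, which is presumably republished over time, so two runs of the documented procedure can install different chart content. The Renovate annotation directly above it now uses `^12`, which cannot match this value, so nothing will presumably bump it until the release-duty TODO is resolved by hand. I would move the TODO above the export and state the reason, e.g. `# TODO: [release-duty] snapshot tag is mutable; pin to the released 12.x chart version before the release`. The `install-chart.sh` hunk on the same line pulls this tag from `oci://ghcr.io/camunda/helm/camunda-platform`, so the same caveat applies there.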
From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 12:15:34 +0100 Subject: [PATCH 42/65] up --- MAINTENANCE.md | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/MAINTENANCE.md b/MAINTENANCE.md index 25be4e0f6..7708f0fbb 100644 --- a/MAINTENANCE.md +++ b/MAINTENANCE.md @@ -20,5 +20,21 @@ When `8.7` becomes the new stable version, we create the `stable/8.7` branch fro ## Release duty -When we plan to release, the `main` branch will be cut into a `stable/8.x` -All the `TODO [release-duty] must be solved during this process` +When a new version is ready for release, we need to cut the `main` branch to create a new stable branch (`stable/8.x`). Follow these steps: + +1. **Create the stable branch** + - From `main`, create a new branch `stable/8.x`. + - Example: If the current stable version is `8.6` and we are preparing to release `8.7`, run: + ```sh + git checkout main + git checkout -b stable/8.7 + git push origin stable/8.7 + ``` + +1. **Ensure all release tasks are completed** + - Resolve all `TODO [release-duty]` items in the codebase. + - Verify that documentation, configurations, and dependencies are up to date. + +1. **Prepare `main` for the next version** + - The `main` branch now represents the next unreleased version (`8.8`). + - Update version references in relevant files to reflect the new development cycle. From 9826e0fb8d5a003ea864c644d69f2a75b97ff338 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 12:22:35 +0100 Subject: [PATCH 43/65] fix missing --- .github/workflows/aws_ec2_tests.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/aws_ec2_tests.yml b/.github/workflows/aws_ec2_tests.yml index 447d8ae09..f866d0110 100644 --- a/.github/workflows/aws_ec2_tests.yml +++ b/.github/workflows/aws_ec2_tests.yml 
@@ -207,6 +207,7 @@ jobs: steps: - name: Notify in Slack in case of failure id: slack-notification + if: ${{ env.IS_SCHEDULE == 'true' }} uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@6158b7c7534f6dbeb3fa7c3c836f6e6aa6881b2e # 1.3.0 with: vault_addr: ${{ secrets.VAULT_ADDR }} From ff95ff0cdae9a26d66f1f200e57a841a519e81e1 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 14:27:49 +0100 Subject: [PATCH 44/65] fix installation step --- .../single-region/procedure/install-chart.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/generic/openshift/single-region/procedure/install-chart.sh b/generic/openshift/single-region/procedure/install-chart.sh index 9355b779b..9914184a6 100755 --- a/generic/openshift/single-region/procedure/install-chart.sh +++ b/generic/openshift/single-region/procedure/install-chart.sh @@ -7,9 +7,9 @@ helm upgrade --install \ --version "$CAMUNDA_HELM_CHART_VERSION" --namespace camunda \ -f generated-values.yml -helm upgrade --install \ - camunda camunda-platform \ - --repo https://helm.camunda.io \ - --version "$CAMUNDA_HELM_CHART_VERSION" \ - --namespace camunda \ - -f generated-values.yml +# helm upgrade --install \ +# camunda camunda-platform \ +# --repo https://helm.camunda.io \ +# --version "$CAMUNDA_HELM_CHART_VERSION" \ +# --namespace camunda \ +# -f generated-values.yml From 098711d3ecedf21c3c93a6c432bda5eab38a682f Mon Sep 17 00:00:00 2001 
From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 16:47:30 +0100 Subject: [PATCH 45/65] remove .tool-versions for each ref arch --- .../action.yml | 2 -- .../aws_openshift_rosa_hcp_single_region_tests.yml | 2 -- README.md | 9 --------- aws/ec2/.tool-versions | 1 - aws/openshift/rosa-hcp-dual-region/.tool-versions | 1 - aws/openshift/rosa-hcp-single-region/.tool-versions | 1 - generic/kubernetes/single-region/.tool-versions | 1 - generic/openshift/single-region/.tool-versions | 1 - 8 files changed, 18 deletions(-) delete mode 100644 aws/ec2/.tool-versions delete mode 100644 aws/openshift/rosa-hcp-dual-region/.tool-versions delete mode 100644 aws/openshift/rosa-hcp-single-region/.tool-versions delete mode 100644 generic/kubernetes/single-region/.tool-versions delete mode 100644 generic/openshift/single-region/.tool-versions diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml b/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml index e42ebe5ec..e6ee2a116 100644 --- a/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml +++ b/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml @@ -83,8 +83,6 @@ runs: - name: Install asdf tools with cache for the project uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@6158b7c7534f6dbeb3fa7c3c836f6e6aa6881b2e # 1.3.0 - with: - tool_versions_files: .tool-versions,${{ inputs.tf-modules-path }}/aws/openshift/rosa-hcp-single-region/.tool-versions # TODO: when available on asdf, migrate this to it - name: Install ROSA CLI diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 622a64228..103e3afe8 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml 
@@ -216,8 +216,6 @@ jobs: - name: Install asdf tools with cache for the project uses: camunda/infraex-common-config/./.github/actions/asdf-install-tooling@6158b7c7534f6dbeb3fa7c3c836f6e6aa6881b2e # 1.3.0 - with: - tool_versions_files: .tool-versions,./aws/openshift/rosa-hcp-single-region/.tool-versions,./generic/openshift/rosa-hcp-single-region/.tool-versions - name: Install CLI tools from OpenShift Mirror uses: redhat-actions/openshift-tools-installer@144527c7d98999f2652264c048c7a9bd103f8a82 # v1 diff --git a/README.md b/README.md index 43204886d..014944bf9 100644 --- a/README.md +++ b/README.md @@ -81,15 +81,6 @@ just install-tooling just --list ``` -### Installing Tooling for a Specific Reference Architecture - -Each reference architecture has its own `.tool-versions` file located in its respective directory. To install the tooling for a specific architecture, navigate to the appropriate directory and run: - -```bash -cd aws/openshift/rosa-hcp-single-region -just install-tooling-current-dir -``` - ## Support Please note that the modules have been tested with **[Terraform](https://github.com/hashicorp/terraform)** in the version described in the [.tool-versions](./.tool-versions) of this project. diff --git a/aws/ec2/.tool-versions b/aws/ec2/.tool-versions deleted file mode 100644 index e86d752b8..000000000 --- a/aws/ec2/.tool-versions +++ /dev/null @@ -1 +0,0 @@ -# Specific tools used by this implementation only diff --git a/aws/openshift/rosa-hcp-dual-region/.tool-versions b/aws/openshift/rosa-hcp-dual-region/.tool-versions deleted file mode 100644 index e86d752b8..000000000 --- a/aws/openshift/rosa-hcp-dual-region/.tool-versions +++ /dev/null @@ -1 +0,0 @@ -# Specific tools used by this implementation only diff --git a/aws/openshift/rosa-hcp-single-region/.tool-versions b/aws/openshift/rosa-hcp-single-region/.tool-versions deleted file mode 100644 index e86d752b8..000000000 --- a/aws/openshift/rosa-hcp-single-region/.tool-versions +++ /dev/null 
@@ -1 +0,0 @@
-# Specific tools used by this implementation only
diff --git a/generic/kubernetes/single-region/.tool-versions b/generic/kubernetes/single-region/.tool-versions
deleted file mode 100644
index e86d752b8..000000000
--- a/generic/kubernetes/single-region/.tool-versions
+++ /dev/null
@@ -1 +0,0 @@
-# Specific tools used by this implementation only
diff --git a/generic/openshift/single-region/.tool-versions b/generic/openshift/single-region/.tool-versions
deleted file mode 100644
index e86d752b8..000000000
--- a/generic/openshift/single-region/.tool-versions
+++ /dev/null
@@ -1 +0,0 @@
-# Specific tools used by this implementation only
From fbb3148832dca7738505ee4a4e0449f994a1c70d Mon Sep 17 00:00:00 2001
From: "Leo J." <153937047+leiicamundi@users.noreply.github.com>
Date: Tue, 11 Mar 2025 17:24:49 +0100
Subject: [PATCH 46/65] apply various feedbacks
---
.../action.yml | 3 ++
.../test_matrix.yml | 3 ++
.github/workflows/aws_ec2_golden.yml | 2 +-
.github/workflows/aws_ec2_tests.yml | 2 +-
...t_rosa_hcp_single_region_daily_cleanup.yml | 6 ++-
...penshift_rosa_hcp_single_region_golden.yml | 2 +-
...openshift_rosa_hcp_single_region_tests.yml | 35 ++++++++-------
...rnal_openshift_artifact_rosa_versions.yml} | 4 +-
DEVELOPER.md | 44 ++++++++++++++++++-
9 files changed, 77 insertions(+), 24 deletions(-)
rename .github/workflows/{generic_openshift_artifact_rosa_versions.yml => internal_openshift_artifact_rosa_versions.yml} (95%)
diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml b/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml
index e6ee2a116..21032e2d7 100644
--- a/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml
+++ b/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml
@@ -196,6 +196,9 @@ runs: echo "Adapting the files with input values" pwd ls + + # We use sed instead of -var because the module presented to the user + # uses locals for simplicity. Locals cannot be overwritten with the CLI. sed -i -e 's/\(rosa_cluster_name\s*=\s*"\)[^"]*\("\)/\1${{ inputs.cluster-name }}\2/' \ -e 's/\(rosa_admin_password\s*=\s*"\)[^"]*\("\)/\1${{ inputs.admin-password }}\2/' \ -e 's/\(rosa_admin_username\s*=\s*"\)[^"]*\("\)/\1${{ inputs.admin-username }}\2/' \ diff --git a/.github/workflows-config/aws-openshift-rosa-hcp-single-region/test_matrix.yml b/.github/workflows-config/aws-openshift-rosa-hcp-single-region/test_matrix.yml index 8b7f5f4e0..98f146bc3 100644 --- a/.github/workflows-config/aws-openshift-rosa-hcp-single-region/test_matrix.yml +++ b/.github/workflows-config/aws-openshift-rosa-hcp-single-region/test_matrix.yml @@ -19,18 +19,21 @@ matrix: # this matrix should reference the last 4 (may change) supported versions of OpenShift - name: OpenShift 4.17 + schedule_only: true # Old versions are only checked during schedule workflows type: openshift # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=regex:^4.17(\.(?\d+))?$ version: 4.17.16 platform: rosa - name: OpenShift 4.16 + schedule_only: true type: openshift # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=regex:^4.16(\.(?\d+))?$ version: 4.16.8 platform: rosa - name: OpenShift 4.15 + schedule_only: true type: openshift # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=regex:^4.15(\.(?\d+))?$ version: 4.15.21 diff --git a/.github/workflows/aws_ec2_golden.yml b/.github/workflows/aws_ec2_golden.yml index 1217da0ef..88a46ee2d 100644 --- a/.github/workflows/aws_ec2_golden.yml +++ b/.github/workflows/aws_ec2_golden.yml 
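Review bot: The sed expressions under the new comment still take `${{ inputs.admin-password }}` and the other inputs through template expansion, so the values are pasted into the script text before bash parses it. A password containing `/`, `&`, `"` or `'` then breaks the substitution or the shell quoting, and the secret becomes part of the command line. Since the comment now documents sed as the intended mechanism, I would map each input to a step-level `env:` entry, e.g. `ADMIN_PASSWORD: ${{ inputs.admin-password }}`, and reference `"$ADMIN_PASSWORD"` from the script, with the sed delimiter escaped or rejected in the value. The later cleanup `action.yml` hunk has the same pattern where it appends an unquoted `${{ inputs.tf-bucket-key-prefix }}` to the `destroy-clusters.sh` call. The sed command itself continues past the end of this hunk.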
@@ -43,7 +43,7 @@ jobs: - name: Import Secrets id: secrets - uses: hashicorp/vault-action@v3 + uses: hashicorp/vault-action@7709c609789c5e27b757a85817483caadbb5939a # v3 with: url: ${{ secrets.VAULT_ADDR }} method: approle diff --git a/.github/workflows/aws_ec2_tests.yml b/.github/workflows/aws_ec2_tests.yml index f866d0110..874653816 100644 --- a/.github/workflows/aws_ec2_tests.yml +++ b/.github/workflows/aws_ec2_tests.yml @@ -60,7 +60,7 @@ jobs: - name: Import Secrets id: secrets - uses: hashicorp/vault-action@v3 + uses: hashicorp/vault-action@7709c609789c5e27b757a85817483caadbb5939a # v3 with: url: ${{ secrets.VAULT_ADDR }} method: approle diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml index 8b79f0403..cdf5111f9 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml @@ -11,6 +11,10 @@ on: pull_request: paths: - .github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml + - .tool-versions + - aws/openshift/rosa-hcp-single-region/** + - '!aws/openshift/rosa-hcp-single-region/test/golden/**' + - .github/actions/aws-openshift-rosa-hcp-single-region-cleanup/** schedule: - cron: 0 1 * * * # At 01:00 everyday. @@ -42,7 +46,7 @@ jobs: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: - ref: ${{ github.head_ref }} + ref: ${{ github.ref_name }} fetch-depth: 0 - name: Install asdf tools with cache diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml index 57bd3d633..c5fd85a00 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml 
@@ -42,7 +42,7 @@ jobs: - name: Import Secrets id: secrets - uses: hashicorp/vault-action@v3 + uses: hashicorp/vault-action@7709c609789c5e27b757a85817483caadbb5939a # v3 with: url: ${{ secrets.VAULT_ADDR }} method: approle diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 103e3afe8..b34c2dcc2 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml @@ -5,16 +5,15 @@ name: Tests - Integration - AWS OpenShift ROSA HCP Single Region on: schedule: - - cron: 0 3 * * 1,3,5 # Runs at 3 AM on Monday, Wednesday, and Friday + - cron: 0 3 * * 1 # Runs at 3 AM on Monday pull_request: paths: - - .github/workflows-config/aws-openshift-rosa-hcp-single-region/test_matrix.yml - - .github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml - .github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml - - .github/workflows/aws_openshift_rosa_hcp_single_region_golden.yml + - .github/workflows-config/aws-openshift-rosa-hcp-single-region/test_matrix.yml - .tool-versions - - aws/openshift/rosa-hcp-single-region/** + - generic/kubernetes/single-region/** - generic/openshift/single-region/** + - aws/openshift/rosa-hcp-single-region/** - '!aws/openshift/rosa-hcp-single-region/test/golden/**' - .github/actions/aws-openshift-rosa-hcp-single-region-create/** - .github/actions/aws-openshift-rosa-hcp-single-region-cleanup/** 
@@ -102,9 +101,15 @@ jobs: yq -i '.matrix.distro[env(distro_index)].clusterName = env(cluster_name)' "${CI_MATRIX_FILE}" done - # Get updated matrix. - # shellcheck disable=SC2086 - platform_matrix="$(yq '.matrix' --indent=0 --output-format json ${CI_MATRIX_FILE})" + echo "Filtering the matrix with strategy IS_SCHEDULE=$IS_SCHEDULE" + if [[ "$IS_SCHEDULE" == "true" ]]; then + # shellcheck disable=SC2086 + platform_matrix="$(yq '.matrix | map(select(.schedule_only == true))' --indent=0 --output-format json ${CI_MATRIX_FILE})" + else + # shellcheck disable=SC2086 + platform_matrix="$(yq '.matrix | map(select(.schedule_only == null or .schedule_only == false))' --indent=0 --output-format json ${CI_MATRIX_FILE})" + fi + echo "${platform_matrix}" | jq echo "platform-matrix=${platform_matrix}" > "$GITHUB_OUTPUT" @@ -120,7 +125,7 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: - ref: ${{ github.head_ref }} + ref: ${{ github.ref_name }} fetch-depth: 0 - name: Install asdf tools with cache @@ -128,7 +133,7 @@ jobs: - name: Import Secrets id: secrets - uses: hashicorp/vault-action@v3 + uses: hashicorp/vault-action@7709c609789c5e27b757a85817483caadbb5939a # v3 with: url: ${{ secrets.VAULT_ADDR }} method: approle @@ -164,7 +169,7 @@ jobs: s3-backend-bucket: ${{ env.S3_BACKEND_BUCKET }} s3-bucket-region: ${{ env.S3_BUCKET_REGION }} openshift-version: ${{ matrix.distro.version }} - tf-modules-revision: ${{ github.head_ref }} + tf-modules-revision: ${{ github.ref_name }} - name: Export kubeconfig and encrypt it # this is required to pass matrix outputs securely using artifacts id: export_kube_config @@ -224,7 +229,7 @@ jobs: - name: Import Secrets id: secrets - uses: hashicorp/vault-action@v3 + uses: hashicorp/vault-action@7709c609789c5e27b757a85817483caadbb5939a # v3 with: url: ${{ secrets.VAULT_ADDR }} method: approle 
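Review bot: The new `yq` filters apply `map(select(.schedule_only ...))` to `.matrix`, but the loop just above writes to `.matrix.distro[...]`, so `.matrix` looks like a map whose children are the lists and not the entries that carry `schedule_only`; as written the filter would not select distro entries. The scheduled branch also keeps only `schedule_only == true` entries, which appears to drop the unflagged version from scheduled runs, although the matrix comment says old versions are "only checked during schedule workflows". I would filter the list in place and only for non-scheduled runs, e.g. `yq '.matrix | .distro |= map(select(.schedule_only != true))' --indent=0 --output-format json "${CI_MATRIX_FILE}"`, and keep the unfiltered `.matrix` on schedule. Quoting `"${CI_MATRIX_FILE}"` also makes the two `SC2086` suppressions unnecessary.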
@@ -562,10 +567,6 @@ jobs: fi echo "✅ The cluster meets all the expected criteria." - - name: Setup tmate session - if: failure() - uses: mxschmitt/action-tmate@v3 - - name: 🔬🚨 Get failed Pods info if: failure() uses: camunda/camunda-platform-helm/./.github/actions/failed-pods-info@52f7c04dc9817a2f8a5b7b1c5450a80a8a6996ae # main @@ -593,7 +594,7 @@ jobs: - name: Import Secrets id: secrets - uses: hashicorp/vault-action@v3 + uses: hashicorp/vault-action@7709c609789c5e27b757a85817483caadbb5939a # v3 if: env.CLEANUP_CLUSTERS == 'true' with: url: ${{ secrets.VAULT_ADDR }} diff --git a/.github/workflows/generic_openshift_artifact_rosa_versions.yml b/.github/workflows/internal_openshift_artifact_rosa_versions.yml similarity index 95% rename from .github/workflows/generic_openshift_artifact_rosa_versions.yml rename to .github/workflows/internal_openshift_artifact_rosa_versions.yml index d2e9e118e..27ee6e73a 100644 --- a/.github/workflows/generic_openshift_artifact_rosa_versions.yml +++ b/.github/workflows/internal_openshift_artifact_rosa_versions.yml @@ -1,7 +1,7 @@ --- # This workflow updates an artifact containing the ROSA versions, # it's used by renovate and published at https://camunda.github.io/camunda-deployment-references/rosa_versions.txt -name: Generic - OpenShift - Save ROSA Versions as an artifact +name: Internal - OpenShift - Save ROSA Versions as an artifact on: schedule: @@ -9,7 +9,7 @@ on: workflow_dispatch: pull_request: paths: - - .github/workflows/generic_openshift_artifact_rosa_versions.yml + - .github/workflows/internal_openshift_artifact_rosa_versions.yml jobs: save-rosa-versions: diff --git a/DEVELOPER.md b/DEVELOPER.md index b9edda69c..773f87843 100644 --- a/DEVELOPER.md +++ b/DEVELOPER.md 
@@ -1 +1,43 @@ -TODO: write it (https://github.com/camunda/camunda-deployment-references/issues/117) +# Developer Documentation + +## Workflow Naming Convention + +Our workflows follow a standardized naming convention to ensure clarity and consistency across internal and external processes. + +### Internal Workflows +All internal workflows are prefixed with `internal_` followed by: +1. **Scope**: Either `global`, `openshift`, or any related component name. +2. **Workflow Purpose**: A description of the workflow's function. + +#### Examples: +- `internal_global_lint.yml`: Linting workflow for global scope. +- `internal_openshift_lint.yml`: Linting workflow for OpenShift scope. +- `internal_openshift_artifact_rosa_versions.yml`: Workflow for managing ROSA artifact versions in OpenShift. + +### Test Workflows +For architecture reference tests, the naming follows the folder structure where the tests reside. + +#### Example: +For a test located in `aws/openshift/rosa-hcp-single-region`, the corresponding workflow file is named: +``` +aws_openshift_rosa_hcp_single_region_tests.yml +``` + +## Standardized Workflow Naming +Inside each workflow file, the `name` field is also standardized to maintain uniformity. + +#### Examples: +- **Linting Workflow:** + ```yaml + name: Internal - Global - Lint + ``` +- **Integration Test Workflow:** + ```yaml + name: Tests - Integration - AWS OpenShift ROSA HCP Single Region + ``` +- **Daily Cleanup Workflow:** + ```yaml + name: Tests - Daily Cleanup - AWS OpenShift ROSA HCP Single Region + ``` + +By following these conventions, we ensure a clear and structured approach to workflow management, making it easier to understand, maintain, and scale our CI/CD pipelines. From 5cdf315739b29011d9fdbafa2d4509471db033b4 Mon Sep 17 00:00:00 2001 
From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 17:48:40 +0100 Subject: [PATCH 47/65] add prefix to state --- .../README.md | 7 +++++++ .../action.yml | 7 ++++++- .../scripts/destroy-clusters.sh | 17 ++++++++++------- .../README.md | 7 +++++++ .../action.yml | 6 ++++-- ...ift_rosa_hcp_single_region_daily_cleanup.yml | 8 ++++++++ ...s_openshift_rosa_hcp_single_region_tests.yml | 14 ++++++++++++++ 7 files changed, 56 insertions(+), 10 deletions(-) diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/README.md b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/README.md index faf7058d6..9411c3953 100644 --- a/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/README.md +++ b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/README.md @@ -11,6 +11,7 @@ This GitHub Action automates the deletion of aws/openshift/rosa-hcp-single-regio | --- | --- | --- | --- | | `tf-bucket` |

Bucket containing the clusters states

| `true` | `""` | | `tf-bucket-region` |

Region of the bucket containing the resources states, if not set, will fallback on AWS_REGION

| `false` | `""` | +| `tf-bucket-key-prefix` |

Key prefix of the bucket containing the resources states. It must contain a / at the end e.g 'my-prefix/'.

| `false` | `""` | | `max-age-hours-cluster` |

Maximum age of clusters in hours

| `false` | `20` | | `target` |

Specify an ID to destroy specific resources or "all" to destroy all resources

| `false` | `all` | | `rosa-cli-version` |

Version of the ROSA CLI to use

| `false` | `latest` | @@ -38,6 +39,12 @@ This action is a `composite` action. # Required: false # Default: "" + tf-bucket-key-prefix: + # Key prefix of the bucket containing the resources states. It must contain a / at the end e.g 'my-prefix/'. + # + # Required: false + # Default: "" + max-age-hours-cluster: # Maximum age of clusters in hours # diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/action.yml b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/action.yml index 191358ec9..ce1326dfb 100644 --- a/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/action.yml +++ b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/action.yml @@ -12,6 +12,10 @@ inputs: tf-bucket-region: description: Region of the bucket containing the resources states, if not set, will fallback on AWS_REGION + tf-bucket-key-prefix: + description: Key prefix of the bucket containing the resources states. It must contain a / at the end e.g 'my-prefix/'. + default: '' + max-age-hours-cluster: description: Maximum age of clusters in hours default: '20' @@ -64,4 +68,5 @@ runs: cp .tool-versions ~/.tool-versions ${{ github.action_path }}/scripts/destroy-clusters.sh "${{ inputs.tf-bucket }}" \ - ${{ github.action_path }}/../../../aws/openshift/rosa-hcp-single-region/ /tmp/cleanup/ ${{ inputs.max-age-hours-cluster }} ${{ inputs.target }} + ${{ github.action_path }}/../../../aws/openshift/rosa-hcp-single-region/ /tmp/cleanup/ \ + ${{ inputs.max-age-hours-cluster }} ${{ inputs.target }} ${{ inputs.tf-bucket-key-prefix }} diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/scripts/destroy-clusters.sh b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/scripts/destroy-clusters.sh index 6fcf77402..33419609c 100755 --- a/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/scripts/destroy-clusters.sh +++ b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/scripts/destroy-clusters.sh 
@@ -9,7 +9,7 @@ set -o pipefail # is successful, it removes the corresponding S3 objects. # # Usage: -# ./destroy_clusters.sh +# ./destroy_clusters.sh [KEY_PREFIX] # # Arguments: # BUCKET: The name of the S3 bucket containing the cluster state files. @@ -17,22 +17,24 @@ set -o pipefail # TEMP_DIR_PREFIX: The prefix for the temporary directories created for each cluster. # MIN_AGE_IN_HOURS: The minimum age (in hours) of clusters to be destroyed. # ID_OR_ALL: The specific ID suffix to filter objects, or "all" to destroy all objects. +# KEY_PREFIX (optional): A prefix (with a '/' at the end) for filtering objects in the S3 bucket. # # Example: # ./destroy_clusters.sh tf-state-rosa-ci-eu-west-3 ./modules/rosa-hcp/ /tmp/rosa/ 24 all # ./destroy_clusters.sh tf-state-rosa-ci-eu-west-3 ./modules/rosa-hcp/ /tmp/rosa/ 24 rosa-cluster-2883 +# ./destroy_clusters.sh tf-state-rosa-ci-eu-west-3 ./modules/rosa-hcp/ /tmp/rosa/ 24 all my-prefix/ # # Requirements: # - AWS CLI installed and configured with the necessary permissions to access and modify the S3 bucket. # - Terraform installed and accessible in the PATH. -# TODO: add key_prefix # Check for required arguments -if [ "$#" -ne 5 ]; then - echo "Usage: $0 " +if [ "$#" -lt 5 ] || [ "$#" -gt 6 ]; then + echo "Usage: $0 [KEY_PREFIX]" exit 1 fi + # Check if required environment variables are set if [ -z "$RHCS_TOKEN" ]; then echo "Error: The environment variable RHCS_TOKEN is not set." @@ -50,6 +52,7 @@ MODULES_DIR=$2 TEMP_DIR_PREFIX=$3 MIN_AGE_IN_HOURS=$4 ID_OR_ALL=$5 +KEY_PREFIX=${6:-""} # Key prefix is optional FAILED=0 CURRENT_DIR=$(pwd) AWS_S3_REGION=${AWS_S3_REGION:-$AWS_REGION} 
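Review bot: `KEY_PREFIX=${6:-""}` is accepted as given, although the usage text and the action input both say it must end with `/`, and nothing enforces that. The value is concatenated directly into `s3://$BUCKET/$KEY_PREFIX`, `"$KEY_PREFIX$2"` and the `head-object` key in the following hunks, so a prefix such as `8.7` would list and address different keys than intended, in a script that destroys clusters and removes their state. I would fail fast right after the assignment: `if [ -n "$KEY_PREFIX" ] && [ "${KEY_PREFIX%/}" = "$KEY_PREFIX" ]; then echo "Error: KEY_PREFIX must end with '/'"; exit 1; fi`.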
@@ -65,7 +68,7 @@ fi # Function to perform terraform destroy destroy_cluster() { local cluster_id=$1 - local cluster_folder=$2 + local cluster_folder="$KEY_PREFIX$2" # we must add two levels to replicate the "source = ../../modules" relative path presented in the module local temp_dir="${TEMP_DIR_PREFIX}${cluster_id}/1/2" local temp_generic_modules_dir="${TEMP_DIR_PREFIX}${cluster_id}/modules/" @@ -108,7 +111,7 @@ destroy_cluster() { } # List objects in the S3 bucket and parse the cluster IDs -all_objects=$(aws s3 ls "s3://$BUCKET/") +all_objects=$(aws s3 ls "s3://$BUCKET/$KEY_PREFIX") aws_exit_code=$? if [ $aws_exit_code -ne 0 ]; then @@ -136,7 +139,7 @@ for cluster_id in $clusters; do cluster_folder="tfstate-$cluster_id" echo "Checking cluster $cluster_id in $cluster_folder" - last_modified=$(aws s3api head-object --bucket "$BUCKET" --key "$cluster_folder/${cluster_id}.tfstate" --output json | grep LastModified | awk -F '"' '{print $4}') + last_modified=$(aws s3api head-object --bucket "$BUCKET" --key "$KEY_PREFIX$cluster_folder/${cluster_id}.tfstate" --output json | grep LastModified | awk -F '"' '{print $4}') if [ -z "$last_modified" ]; then echo "Error: Failed to retrieve last modified timestamp for cluster $cluster_id" exit 1 diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-create/README.md b/.github/actions/aws-openshift-rosa-hcp-single-region-create/README.md index 2aaf9f441..611759950 100644 --- a/.github/actions/aws-openshift-rosa-hcp-single-region-create/README.md +++ b/.github/actions/aws-openshift-rosa-hcp-single-region-create/README.md @@ -22,6 +22,7 @@ The kube context will be set on the created cluster. | `replicas` |

Number of replicas for the ROSA cluster (empty will fallback on default value of the module)

| `false` | `""` | | `s3-backend-bucket` |

Name of the S3 bucket to store Terraform state

| `true` | `""` | | `s3-bucket-region` |

Region of the bucket containing the resources states, if not set, will fallback on aws-region

| `false` | `""` | +| `s3-bucket-key-prefix` |

Key prefix of the bucket containing the resources states. It must contain a / at the end e.g 'my-prefix/'.

| `false` | `""` | | `tf-modules-revision` |

Git revision of the tf modules to use

| `true` | `main` | | `tf-modules-path` |

Path where the tf rosa modules will be cloned

| `true` | `./.action-tf-modules/aws-openshift-rosa-hcp-single-region-create/` | | `login` |

Authenticate the current kube context on the created cluster

| `true` | `true` | @@ -111,6 +112,12 @@ This action is a `composite` action. # Required: false # Default: "" + s3-bucket-key-prefix: + # Key prefix of the bucket containing the resources states. It must contain a / at the end e.g 'my-prefix/'. + # + # Required: false + # Default: "" + tf-modules-revision: # Git revision of the tf modules to use # diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml b/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml index 21032e2d7..3e7ac6ffa 100644 --- a/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml +++ b/.github/actions/aws-openshift-rosa-hcp-single-region-create/action.yml @@ -44,6 +44,9 @@ inputs: required: true s3-bucket-region: description: Region of the bucket containing the resources states, if not set, will fallback on aws-region + s3-bucket-key-prefix: + description: Key prefix of the bucket containing the resources states. It must contain a / at the end e.g 'my-prefix/'. + default: '' tf-modules-revision: description: Git revision of the tf modules to use default: main @@ -134,9 +137,8 @@ runs: id: set-terraform-variables shell: bash run: | - # TODO: add key prefix export TFSTATE_BUCKET="${{ inputs.s3-backend-bucket }}" - export TFSTATE_KEY="tfstate-${{ inputs.cluster-name }}/${{ inputs.cluster-name }}.tfstate" + export TFSTATE_KEY="${{ inputs.s3-bucket-key-prefix }}tfstate-${{ inputs.cluster-name }}/${{ inputs.cluster-name }}.tfstate" if [ -z "${{ inputs.s3-bucket-region }}" ]; then export TFSTATE_REGION="$AWS_REGION" diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml index cdf5111f9..38fd851ad 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml 
@@ -55,6 +55,12 @@ jobs: - name: Use repo .tool-version as global version run: cp .tool-versions ~/.tool-versions + - name: Set current Camunda version + id: camunda-version + run: | + CAMUNDA_VERSION=$(cat .camunda-version) + echo "CAMUNDA_VERSION=$CAMUNDA_VERSION" | tee -a "$GITHUB_OUTPUT" + - name: Import Secrets id: secrets uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3 @@ -86,6 +92,7 @@ jobs: tf-bucket: ${{ env.S3_BACKEND_BUCKET }} tf-bucket-region: ${{ env.S3_BUCKET_REGION }} max-age-hours-cluster: ${{ env.MAX_AGE_HOURS_CLUSTER }} + tf-bucket-key-prefix: ${{ steps.camunda-version.outputs.CAMUNDA_VERSION }}/ # There are cases where the deletion of resources fails due to dependencies. - name: Retry delete clusters @@ -99,6 +106,7 @@ jobs: tf-bucket: ${{ env.S3_BACKEND_BUCKET }} tf-bucket-region: ${{ env.S3_BUCKET_REGION }} max-age-hours-cluster: 0 # the previous step alters the age and resets it to 0 + tf-bucket-key-prefix: ${{ steps.camunda-version.outputs.CAMUNDA_VERSION }}/ - name: Notify in Slack in case of failure id: slack-notification diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index b34c2dcc2..117300329 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml @@ -154,6 +154,12 @@ jobs: aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }} aws configure set region ${{ env.AWS_REGION }} --profile ${{ env.AWS_PROFILE }} + - name: Set current Camunda version + id: camunda-version + run: | + CAMUNDA_VERSION=$(cat .camunda-version) + echo "CAMUNDA_VERSION=$CAMUNDA_VERSION" | tee -a "$GITHUB_OUTPUT" + # Also remove the versioning - name: Create ROSA cluster and login uses: ./.github/actions/aws-openshift-rosa-hcp-single-region-create 
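Review bot: With `tf-bucket-key-prefix: ${{ steps.camunda-version.outputs.CAMUNDA_VERSION }}/` the daily cleanup only lists states under the current version's prefix. States written at the bucket root before this commit, and states under the old prefix after the next `.camunda-version` bump, are presumably never visited again, so their clusters keep running. I would run the cleanup action once more without a prefix during the transition, or document the manual step next to the input. The `Set current Camunda version` step also writes the raw file content to `$GITHUB_OUTPUT`; a guard such as `[[ "$CAMUNDA_VERSION" =~ ^[0-9]+\.[0-9]+$ ]] || exit 1` before the `echo` keeps a malformed file from producing an unexpected key prefix. The same step is added twice more in `aws_openshift_rosa_hcp_single_region_tests.yml`.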
@@ -168,6 +174,7 @@ jobs: aws-region: ${{ env.AWS_REGION }} s3-backend-bucket: ${{ env.S3_BACKEND_BUCKET }} s3-bucket-region: ${{ env.S3_BUCKET_REGION }} + s3-bucket-key-prefix: ${{ steps.camunda-version.outputs.CAMUNDA_VERSION }}/ openshift-version: ${{ matrix.distro.version }} tf-modules-revision: ${{ github.ref_name }} @@ -615,6 +622,12 @@ jobs: aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }} aws configure set region ${{ env.AWS_REGION }} --profile ${{ env.AWS_PROFILE }} + - name: Set current Camunda version + id: camunda-version + run: | + CAMUNDA_VERSION=$(cat .camunda-version) + echo "CAMUNDA_VERSION=$CAMUNDA_VERSION" | tee -a "$GITHUB_OUTPUT" + - name: Delete on-demand ROSA HCP Cluster uses: ./.github/actions/aws-openshift-rosa-hcp-single-region-cleanup if: always() && env.CLEANUP_CLUSTERS == 'true' @@ -626,6 +639,7 @@ jobs: tf-bucket-region: ${{ env.S3_BUCKET_REGION }} max-age-hours-cluster: 0 target: ${{ matrix.distro.clusterName }} + tf-bucket-key-prefix: ${{ steps.camunda-version.outputs.CAMUNDA_VERSION }}/ report: name: Report failures From 52bdb065a75b1708ba09e9a09d8cddc963314f3b Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 17:52:54 +0100 Subject: [PATCH 48/65] fix github.ref_name to ref --- .../aws_openshift_rosa_hcp_single_region_daily_cleanup.yml | 2 +- .../workflows/aws_openshift_rosa_hcp_single_region_tests.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml index 38fd851ad..0268d53b5 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml 
@@ -46,7 +46,7 @@ jobs: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: - ref: ${{ github.ref_name }} + ref: ${{ github.ref }} fetch-depth: 0 - name: Install asdf tools with cache diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 117300329..11e7f639d 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml @@ -125,7 +125,7 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: - ref: ${{ github.ref_name }} + ref: ${{ github.ref }} fetch-depth: 0 - name: Install asdf tools with cache @@ -176,7 +176,7 @@ jobs: s3-bucket-region: ${{ env.S3_BUCKET_REGION }} s3-bucket-key-prefix: ${{ steps.camunda-version.outputs.CAMUNDA_VERSION }}/ openshift-version: ${{ matrix.distro.version }} - tf-modules-revision: ${{ github.ref_name }} + tf-modules-revision: ${{ github.ref }} - name: Export kubeconfig and encrypt it # this is required to pass matrix outputs securely using artifacts id: export_kube_config From fb7ac22ac3d59bee2b6af338598a829472f4c430 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 17:54:49 +0100 Subject: [PATCH 49/65] fix matrix --- .../aws-openshift-rosa-hcp-single-region/test_matrix.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows-config/aws-openshift-rosa-hcp-single-region/test_matrix.yml b/.github/workflows-config/aws-openshift-rosa-hcp-single-region/test_matrix.yml index 98f146bc3..a28a67640 100644 --- a/.github/workflows-config/aws-openshift-rosa-hcp-single-region/test_matrix.yml +++ b/.github/workflows-config/aws-openshift-rosa-hcp-single-region/test_matrix.yml 
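Review bot: `tf-modules-revision` now receives `${{ github.ref }}`, which is a fully qualified ref (`refs/heads/<branch>`, or `refs/pull/<n>/merge` on pull-request events) rather than a branch name. The action describes that input as the "Git revision of the tf modules to use", and how it is consumed is not visible in this hunk, so it is worth confirming the consumer accepts a `refs/...` path. Both this value and the two `ref:` inputs to `actions/checkout` are moving refs; if every job in a run is meant to test the same commit, `${{ github.sha }}` would pin it, though that depends on triggers not shown here.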
@@ -7,6 +7,7 @@ matrix: # According to https://access.redhat.com/support/policy/updates/openshift, this matrix should reference the last 4 (may change) supported versions of OpenShift - name: OpenShift 4.18 type: openshift + schedule_only: false # renovate: datasource=custom.rosa-camunda depName=red-hat-openshift versioning=regex:^4(\.(?\d+))?(\.(?\d+))?$ version: 4.18.1 # /!\ Warning: When a new minor version of OpenShift is released, From 1ef980d21301edc75ccbf77824f8e7d5cd595270 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 18:01:03 +0100 Subject: [PATCH 50/65] fix filter --- .../aws_openshift_rosa_hcp_single_region_tests.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 11e7f639d..1ca5eff06 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml @@ -104,10 +104,12 @@ jobs: echo "Filtering the matrix with strategy IS_SCHEDULE=$IS_SCHEDULE" if [[ "$IS_SCHEDULE" == "true" ]]; then # shellcheck disable=SC2086 - platform_matrix="$(yq '.matrix | map(select(.schedule_only == true))' --indent=0 --output-format json ${CI_MATRIX_FILE})" + platform_matrix="$(yq '.matrix |= (.distro |= map(select(.schedule_only == true)))' \ + --indent=0 --output-format json ${CI_MATRIX_FILE})" else # shellcheck disable=SC2086 - platform_matrix="$(yq '.matrix | map(select(.schedule_only == null or .schedule_only == false))' --indent=0 --output-format json ${CI_MATRIX_FILE})" + platform_matrix="$(yq '.matrix |= (.distro |= map(select(.schedule_only == null or .schedule_only == false)))' \ + --indent=0 --output-format json ${CI_MATRIX_FILE})" fi echo "${platform_matrix}" | jq From 10d2eb6067afa696e40b587f2bb823949b0c444d Mon Sep 17 00:00:00 2001 
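Review bot: Both rewritten `yq` calls in the matrix filter still pass `${CI_MATRIX_FILE}` unquoted and silence the warning with `# shellcheck disable=SC2086`; writing `"${CI_MATRIX_FILE}"` removes the need for the suppression and keeps a path with spaces or glob characters from being split. The scheduled branch keeps only entries with `schedule_only == true`, while the only entry visible on this page sets `schedule_only: false`, so a scheduled run may produce an empty `distro` list. A check on the filtered length with an explicit message would make that case visible instead of failing later in the matrix job. The step body starts and ends outside the hunk.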
From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 18:06:15 +0100 Subject: [PATCH 51/65] fix --- .github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 1ca5eff06..eab72ec5b 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml @@ -112,6 +112,7 @@ jobs: --indent=0 --output-format json ${CI_MATRIX_FILE})" fi + platform_matrix="$(echo "$platform_matrix" | yq '.matrix' --indent=0 --output-format json)" echo "${platform_matrix}" | jq echo "platform-matrix=${platform_matrix}" > "$GITHUB_OUTPUT" From 74ec20328f06b323545dcb6b90fa547e33d1305e Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 18:13:26 +0100 Subject: [PATCH 52/65] don't fail on folder --- .../scripts/destroy-clusters.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/scripts/destroy-clusters.sh b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/scripts/destroy-clusters.sh index 33419609c..fba91b983 100755 --- a/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/scripts/destroy-clusters.sh +++ b/.github/actions/aws-openshift-rosa-hcp-single-region-cleanup/scripts/destroy-clusters.sh @@ -114,7 +114,8 @@ destroy_cluster() { all_objects=$(aws s3 ls "s3://$BUCKET/$KEY_PREFIX") aws_exit_code=$? -if [ $aws_exit_code -ne 0 ]; then +# don't fail on folder absent +if [ $aws_exit_code -ne 0 ] && [ "$all_objects" != "" ]; then echo "Error executing the aws s3 ls command (Exit Code: $aws_exit_code):" >&2 exit 1 fi From 38636cfa6d319e948543ead50e1a7aced57a8f64 Mon Sep 17 00:00:00 2001 
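Review bot: In `destroy-clusters.sh`, the relaxed check now ignores every `aws s3 ls` failure that prints nothing on stdout, not only an absent prefix. Expired credentials, an access-denied response or a wrong bucket name also leave `$all_objects` empty, because the CLI reports them on stderr. The cleanup would then finish successfully without having listed or destroyed anything, and clusters would keep running unnoticed. The AWS CLI returns 1 from `s3 ls` when nothing matches the prefix and higher codes for service or general errors (worth confirming for the CLI version in use), so the condition can key on the code: `if [ "$aws_exit_code" -ne 0 ] && { [ "$aws_exit_code" -ne 1 ] || [ -n "$all_objects" ]; }; then`. The surrounding script starts and ends outside the hunk.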
From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 18:18:06 +0100 Subject: [PATCH 53/65] temporarly disable connectors --- generic/openshift/single-region/helm-values/base.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/generic/openshift/single-region/helm-values/base.yml b/generic/openshift/single-region/helm-values/base.yml index c4eef3438..ed148dd49 100644 --- a/generic/openshift/single-region/helm-values/base.yml +++ b/generic/openshift/single-region/helm-values/base.yml @@ -15,6 +15,10 @@ identityKeycloak: auth: existingSecret: identity-secret-for-components +connectors: + # TODO: investigate why connectors are not working in 8.7 + enabled: false + console: enabled: false # by default, console is not enabled From 26ac01816a6fe5d9a11833e21775371526091d02 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 19:45:09 +0100 Subject: [PATCH 54/65] fix camunda version for unreleased --- .camunda-version | 2 +- MAINTENANCE.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.camunda-version b/.camunda-version index 0ff41bfab..4a5800705 100644 --- a/.camunda-version +++ b/.camunda-version @@ -1 +1 @@ -8.7 +alpha diff --git a/MAINTENANCE.md b/MAINTENANCE.md index 7708f0fbb..33f4c8a06 100644 --- a/MAINTENANCE.md +++ b/MAINTENANCE.md @@ -22,6 +22,7 @@ When `8.7` becomes the new stable version, we create the `stable/8.7` branch fro When a new version is ready for release, we need to cut the `main` branch to create a new stable branch (`stable/8.x`). Follow these steps: +0. Update the value of the release in `.camunda-version` 1. **Create the stable branch** - From `main`, create a new branch `stable/8.x`. - Example: If the current stable version is `8.6` and we are preparing to release `8.7`, run: From 69aed8647fd68a370524fb9b74aa0167d8191ebb Mon Sep 17 00:00:00 2001 
From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 21:15:54 +0100 Subject: [PATCH 55/65] feat(rosa): integrate 8.8 --- .camunda-version | 2 +- ...openshift_rosa_hcp_single_region_tests.yml | 5 +- .../procedure/check-zeebe-cluster-topology.sh | 2 +- .../single-region/helm-values/base.yml | 18 ++-- .../helm-values/connectors-route.yml | 2 +- .../single-region/helm-values/core-route.yml | 77 ++++++++++++++++ .../single-region/helm-values/domain.yml | 38 +++----- .../single-region/helm-values/no-domain.yml | 25 +++-- .../helm-values/operate-route.yml | 22 ----- .../helm-values/tasklist-route.yml | 21 ----- .../helm-values/zeebe-gateway-route.yml | 92 ------------------- .../single-region/procedure/chart-env.sh | 2 +- .../procedure/create-identity-secret.sh | 15 +-- .../procedure/generate-passwords.sh | 7 +- 14 files changed, 130 insertions(+), 198 deletions(-) create mode 100644 generic/openshift/single-region/helm-values/core-route.yml delete mode 100644 generic/openshift/single-region/helm-values/operate-route.yml delete mode 100644 generic/openshift/single-region/helm-values/tasklist-route.yml delete mode 100644 generic/openshift/single-region/helm-values/zeebe-gateway-route.yml diff --git a/.camunda-version b/.camunda-version index 4a5800705..0f14ad521 100644 --- a/.camunda-version +++ b/.camunda-version @@ -1 +1 @@ -alpha +alpha-8.8 diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index eab72ec5b..f3991fd6e 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml 
@@ -323,7 +323,7 @@ jobs: ./generic/openshift/single-region/procedure/enable-ingress-http2.sh # Enable Routes - for file in zeebe-gateway-route.yml operate-route.yml tasklist-route.yml connectors-route.yml domain.yml; do + for file in core-route.yml connectors-route.yml domain.yml; do yq ". *d load(\"generic/openshift/single-region/helm-values/$file\")" values.yml > values-result.yml cat values-result.yml && mv values-result.yml values.yml done @@ -435,7 +435,7 @@ jobs: echo "VENOM_VAR_TEST_CLIENT_ID=${{ steps.secrets.outputs.CI_CAMUNDA_USER_TEST_CLIENT_ID }}" >> "$VARIABLES_ENV_FILE" echo "VENOM_VAR_TEST_CLIENT_SECRET=${{ steps.secrets.outputs.CI_CAMUNDA_USER_TEST_CLIENT_SECRET }}" >> "$VARIABLES_ENV_FILE" echo "VENOM_EXTRA_ARGS=--var-from-file=./vars/variables-ingress-combined.yaml" >> "$VARIABLES_ENV_FILE" - ZEEBE_VERSION=$(yq '.zeebe.image.tag' "$TEST_CHART_DIR_STATIC/values.yaml") + ZEEBE_VERSION=$(yq '.core.image.tag' "$TEST_CHART_DIR_STATIC/values.yaml") # shellcheck disable=SC2129 echo "ZEEBE_VERSION=$ZEEBE_VERSION" >> "$VARIABLES_ENV_FILE" # In case the Zeebe version has not been released officially yet. @@ -473,6 +473,7 @@ jobs: -i "$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/testsuite-core.yaml" fi + # TODO: 8.8 fix echo "Patch the identity secrets to allow venom to access to the platform" sed -i -e 's/integration-test-credentials/identity-secret-for-components/g' \ -e 's/identity-operate-client-password/operate-secret/g' \ diff --git a/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology.sh b/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology.sh index 2b46ebb7b..cdc30b6f5 100755 --- a/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology.sh +++ b/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology.sh 
@@ -1,6 +1,6 @@ #!/bin/bash -ZEEBE_ADDRESS_REST="https://$DOMAIN_NAME/zeebe" +ZEEBE_ADDRESS_REST="https://$DOMAIN_NAME/core" ZEEBE_AUTHORIZATION_SERVER_URL="https://$DOMAIN_NAME/auth/realms/camunda-platform/protocol/openid-connect/token" # Generate a temporary token from the authorization server (keycloak) diff --git a/generic/openshift/single-region/helm-values/base.yml b/generic/openshift/single-region/helm-values/base.yml index ed148dd49..e2de22b6d 100644 --- a/generic/openshift/single-region/helm-values/base.yml +++ b/generic/openshift/single-region/helm-values/base.yml @@ -3,22 +3,21 @@ global: elasticsearch: enabled: true # use the embbeded elasticsearch + secrets: + name: identity-secret-for-components + +identity: + firstUser: + existingSecret: identity-secret-for-components + identityKeycloak: postgresql: enabled: true # use the embbeded database - - # TODO: [BUG] 8.6 only remove when https://github.com/camunda/camunda-platform-helm/pull/3018 is released and chart is set to 11.2.2 - # context https://github.com/camunda/camunda-platform-helm/pull/2944 auth: - existingSecret: '' - + existingSecret: identity-secret-for-components auth: existingSecret: identity-secret-for-components -connectors: - # TODO: investigate why connectors are not working in 8.7 - enabled: false - console: enabled: false # by default, console is not enabled @@ -29,6 +28,7 @@ webModeler: mail: existingSecret: identity-secret-for-components # reference the smtp password fromAddress: changeme@example.com # change this required value + postgresql: # Will deploy a postgresql datbase for webModeler. # If you enable webModeler, you either need to turn it true or use an external database diff --git a/generic/openshift/single-region/helm-values/connectors-route.yml b/generic/openshift/single-region/helm-values/connectors-route.yml index a3b8454d0..9104e3829 100644 --- a/generic/openshift/single-region/helm-values/connectors-route.yml 
+++ b/generic/openshift/single-region/helm-values/connectors-route.yml @@ -4,7 +4,7 @@ connectors: mode: oauth env: - name: ZEEBE_CLIENT_BROKER_GATEWAY-ADDRESS - value: camunda-zeebe-gateway.camunda.svc.cluster.local:26500 + value: camunda-core.camunda.svc.cluster.local:26500 - name: ZEEBE_CLIENT_SECURITY_PLAINTEXT value: 'false' - name: CAMUNDA_CLIENT_ZEEBE_CACERTIFICATEPATH diff --git a/generic/openshift/single-region/helm-values/core-route.yml b/generic/openshift/single-region/helm-values/core-route.yml new file mode 100644 index 000000000..04b628c49 --- /dev/null +++ b/generic/openshift/single-region/helm-values/core-route.yml 
@@ -0,0 +1,77 @@ +--- +core: + service: + annotations: + # enerate a TLS certificate for the Zeebe Gateway Service + service.beta.openshift.io/serving-cert-secret-name: camunda-platform-internal-service-certificate + + ingress: + enabled: true + grpc: + enabled: true + annotations: + haproxy.router.openshift.io/timeout: 300s + route.openshift.io/termination: reencrypt + # reference the re-encrypt secret + route.openshift.io/destination-ca-certificate-secret: camunda-platform-internal-service-certificate + className: openshift-default + tls: + enabled: true + # explicitely no secret as we rely on the IngressOperator to handle the TLS secret, if you use a custom certificate, you might want to fill this value + secretName: '' + host: zeebe-${DOMAIN_NAME} + + env: + ##### Tasklist + - name: CAMUNDA_TASKLIST_ZEEBE_SECURE + value: 'true' + - name: CAMUNDA_TASKLIST_ZEEBE_CERTIFICATEPATH + value: /usr/local/core/config/tls.crt + - name: CAMUNDA_TASKLIST_ZEEBE_GATEWAYADDRESS + value: camunda-core.camunda.svc.cluster.local:26500 + + ##### Gateway TLS + - name: ZEEBE_BROKER_GATEWAY_SECURITY_ENABLED + value: 'true' + - name: ZEEBE_BROKER_GATEWAY_SECURITY_CERTIFICATECHAINPATH + value: /usr/local/core/config/tls.crt + - name: ZEEBE_BROKER_GATEWAY_SECURITY_PRIVATEKEYPATH + value: /usr/local/core/config/tls.key + + - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_ENABLED + value: 'true' + - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_CERTIFICATECHAINPATH + value: /usr/local/core/config/tls.crt + - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_PRIVATEKEYPATH + value: /usr/local/core/config/tls.key + + ##### Operate + - name: CAMUNDA_OPERATE_ZEEBE_SECURE + value: 'true' + - name: CAMUNDA_OPERATE_ZEEBE_CERTIFICATEPATH + value: /usr/local/core/config/tls.crt + - name: CAMUNDA_OPERATE_ZEEBE_GATEWAYADDRESS + # camunda-core..svc.cluster.local + value: camunda-core.camunda.svc.cluster.local:26500 + extraVolumeMounts: + - name: certificate + mountPath: /usr/local/core/config/tls.crt + subPath: 
tls.crt + - name: key + mountPath: /usr/local/core/config/tls.key + subPath: tls.key + extraVolumes: + - name: key + secret: + secretName: camunda-platform-internal-service-certificate + items: + - key: tls.key + path: tls.key + defaultMode: 420 + - name: certificate + secret: + secretName: camunda-platform-internal-service-certificate + items: + - key: tls.crt + path: tls.crt + defaultMode: 420 diff --git a/generic/openshift/single-region/helm-values/domain.yml b/generic/openshift/single-region/helm-values/domain.yml index 0c95b4892..527e20b6d 100644 --- a/generic/openshift/single-region/helm-values/domain.yml +++ b/generic/openshift/single-region/helm-values/domain.yml @@ -1,6 +1,5 @@ --- global: - # the ingress is manages directly by the Route manifests ../manifest/routes.yml ingress: enabled: true 
@@ -20,28 +19,25 @@ global: auth: publicIssuerUrl: https://${DOMAIN_NAME}/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding - zeebe: - existingSecret: - name: identity-secret-for-components - connectors: + optimize: + redirectUrl: https://${DOMAIN_NAME}/optimize # replace this with a port of your choice when you will do port forwarding existingSecret: name: identity-secret-for-components - operate: - redirectUrl: https://${DOMAIN_NAME}/operate # replace this with a port of your choice when you will do port forwarding + webModeler: + redirectUrl: https://${DOMAIN_NAME}/modeler + console: + redirectUrl: https://${DOMAIN_NAME}/ existingSecret: name: identity-secret-for-components - tasklist: - redirectUrl: https://${DOMAIN_NAME}/tasklist # replace this with a port of your choice when you will do port forwarding + core: + redirectUrl: http://${DOMAIN_NAME}/core existingSecret: name: identity-secret-for-components - optimize: - redirectUrl: https://${DOMAIN_NAME}/optimize # replace this with a port of your choice when you will do port forwarding + connectors: existingSecret: name: identity-secret-for-components - webModeler: - redirectUrl: https://${DOMAIN_NAME}/modeler - console: - redirectUrl: https://${DOMAIN_NAME} + admin: + enabled: true existingSecret: name: identity-secret-for-components @@ -49,23 +45,17 @@ identity: contextPath: /identity fullURL: https://${DOMAIN_NAME}/identity -operate: - contextPath: /operate - -tasklist: - contextPath: /tasklist - webModeler: contextPath: /modeler optimize: contextPath: /optimize -zeebeGateway: - contextPath: /zeebe - console: contextPath: / +core: + contextPath: /core + connectors: contextPath: /connectors diff --git a/generic/openshift/single-region/helm-values/no-domain.yml b/generic/openshift/single-region/helm-values/no-domain.yml index d619e1c8d..d2a7ca604 100644 --- a/generic/openshift/single-region/helm-values/no-domain.yml 
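Review bot: The new `core:` entry under `auth:` in `domain.yml` sets `redirectUrl: http://${DOMAIN_NAME}/core`, while `publicIssuerUrl` and every other redirect URL in this hunk use `https://`. It looks like a typo, and it would register a plaintext redirect target for the core client, so the authorization response could travel over HTTP. Proposed line: `redirectUrl: https://${DOMAIN_NAME}/core`. The value is still `http://` in the context lines of the later "fix 8.8 values" commit on this page.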
+++ b/generic/openshift/single-region/helm-values/no-domain.yml @@ -5,20 +5,6 @@ global: auth: publicIssuerUrl: http://localhost:18080/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding - zeebe: - existingSecret: - name: identity-secret-for-components - connectors: - existingSecret: - name: identity-secret-for-components - operate: - redirectUrl: http://localhost:8081 # replace this with a port of your choice when you will do port forwarding - existingSecret: - name: identity-secret-for-components - tasklist: - redirectUrl: http://localhost:8082 # replace this with a port of your choice when you will do port forwarding - existingSecret: - name: identity-secret-for-components optimize: redirectUrl: http://localhost:8083 # replace this with a port of your choice when you will do port forwarding existingSecret: @@ -29,6 +15,17 @@ global: redirectUrl: http://localhost:8085 existingSecret: name: identity-secret-for-components + core: + redirectUrl: http://localhost:8082 + existingSecret: + name: identity-secret-for-components + connectors: + existingSecret: + name: identity-secret-for-components + admin: + enabled: true + existingSecret: + name: identity-secret-for-components identity: fullURL: http://localhost:8080 # replace this with a port of your choice when you will do port forwarding diff --git a/generic/openshift/single-region/helm-values/operate-route.yml b/generic/openshift/single-region/helm-values/operate-route.yml deleted file mode 100644 index 97b8cd532..000000000 --- a/generic/openshift/single-region/helm-values/operate-route.yml +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -operate: - env: - - name: CAMUNDA_OPERATE_ZEEBE_SECURE - value: 'true' - - name: CAMUNDA_OPERATE_ZEEBE_CERTIFICATEPATH - value: /usr/local/operate/config/tls.crt - - name: CAMUNDA_OPERATE_ZEEBE_GATEWAYADDRESS - # camunda-zeebe-gateway..svc.cluster.local - value: camunda-zeebe-gateway.camunda.svc.cluster.local:26500 - extraVolumeMounts: - - name: certificate - mountPath: /usr/local/operate/config/tls.crt - subPath: tls.crt - extraVolumes: - - name: certificate - secret: - secretName: camunda-platform-internal-service-certificate - items: - - key: tls.crt - path: tls.crt - defaultMode: 420 diff --git a/generic/openshift/single-region/helm-values/tasklist-route.yml b/generic/openshift/single-region/helm-values/tasklist-route.yml deleted file mode 100644 index d21d85a9c..000000000 --- a/generic/openshift/single-region/helm-values/tasklist-route.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -tasklist: - env: - - name: CAMUNDA_TASKLIST_ZEEBE_SECURE - value: 'true' - - name: CAMUNDA_TASKLIST_ZEEBE_CERTIFICATEPATH - value: /usr/local/tasklist/config/tls.crt - - name: CAMUNDA_TASKLIST_ZEEBE_GATEWAYADDRESS - value: camunda-zeebe-gateway.camunda.svc.cluster.local:26500 - extraVolumeMounts: - - name: certificate - mountPath: /usr/local/tasklist/config/tls.crt - subPath: tls.crt - extraVolumes: - - name: certificate - secret: - secretName: camunda-platform-internal-service-certificate - items: - - key: tls.crt - path: tls.crt - defaultMode: 420 diff --git a/generic/openshift/single-region/helm-values/zeebe-gateway-route.yml b/generic/openshift/single-region/helm-values/zeebe-gateway-route.yml deleted file mode 100644 index adb9c53de..000000000 --- a/generic/openshift/single-region/helm-values/zeebe-gateway-route.yml +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -zeebeGateway: - - service: - annotations: - # enerate a TLS certificate for the Zeebe Gateway Service - service.beta.openshift.io/serving-cert-secret-name: camunda-platform-internal-service-certificate - - ingress: - enabled: true - grpc: - annotations: - haproxy.router.openshift.io/timeout: 300s - route.openshift.io/termination: reencrypt - # reference the re-encrypt secret - route.openshift.io/destination-ca-certificate-secret: camunda-platform-internal-service-certificate - className: openshift-default - tls: - enabled: true - # explicitely no secret as we rely on the IngressOperator to handle the TLS secret, if you use a custom certificate, you might want to fill this value - secretName: '' - host: zeebe-${DOMAIN_NAME} - - # mount the Service certificate in the pod - env: - - name: ZEEBE_GATEWAY_SECURITY_ENABLED - value: 'true' - - name: ZEEBE_GATEWAY_SECURITY_CERTIFICATECHAINPATH - value: /usr/local/zeebe/config/tls.crt - - name: ZEEBE_GATEWAY_SECURITY_PRIVATEKEYPATH - value: /usr/local/zeebe/config/tls.key - - - name: ZEEBE_GATEWAY_CLUSTER_SECURITY_ENABLED - value: 'true' - - name: ZEEBE_GATEWAY_CLUSTER_SECURITY_CERTIFICATECHAINPATH - value: /usr/local/zeebe/config/tls.crt - - name: ZEEBE_GATEWAY_CLUSTER_SECURITY_PRIVATEKEYPATH - value: /usr/local/zeebe/config/tls.key - extraVolumeMounts: - - name: certificate - mountPath: /usr/local/zeebe/config/tls.crt - subPath: tls.crt - - name: key - mountPath: /usr/local/zeebe/config/tls.key - subPath: tls.key - extraVolumes: - - name: certificate - secret: - secretName: camunda-platform-internal-service-certificate - items: - - key: tls.crt - path: tls.crt - defaultMode: 420 - - name: key - secret: - secretName: camunda-platform-internal-service-certificate - items: - - key: tls.key - path: tls.key - defaultMode: 420 - -zeebe: - env: - - name: ZEEBE_BROKER_NETWORK_SECURITY_ENABLED - value: 'true' - - name: ZEEBE_BROKER_NETWORK_SECURITY_CERTIFICATECHAINPATH - value: /usr/local/zeebe/config/tls.crt 
- - name: ZEEBE_BROKER_NETWORK_SECURITY_PRIVATEKEYPATH - value: /usr/local/zeebe/config/tls.key - - extraVolumeMounts: - - name: certificate - mountPath: /usr/local/zeebe/config/tls.crt - subPath: tls.crt - - name: key - mountPath: /usr/local/zeebe/config/tls.key - subPath: tls.key - extraVolumes: - - name: key - secret: - secretName: camunda-platform-internal-service-certificate - items: - - key: tls.key - path: tls.key - defaultMode: 420 - - name: certificate - secret: - secretName: camunda-platform-internal-service-certificate - items: - - key: tls.crt - path: tls.crt - defaultMode: 420 diff --git a/generic/openshift/single-region/procedure/chart-env.sh b/generic/openshift/single-region/procedure/chart-env.sh index 3371aff03..4922e133a 100755 --- a/generic/openshift/single-region/procedure/chart-env.sh +++ b/generic/openshift/single-region/procedure/chart-env.sh @@ -2,5 +2,5 @@ # The Camunda 8 Helm Chart version # renovate: datasource=helm depName=camunda-platform versioning=regex:^12(\.(?\d+))?(\.(?\d+))?$ registryUrl=https://helm.camunda.io -export CAMUNDA_HELM_CHART_VERSION="0.0.0-snapshot-alpha" +export CAMUNDA_HELM_CHART_VERSION="0.0.0-snapshot-alpha-8.8" # TODO: [release-duty] before the release, update this! diff --git a/generic/openshift/single-region/procedure/create-identity-secret.sh b/generic/openshift/single-region/procedure/create-identity-secret.sh index a6af07fba..ab48d66af 100755 --- a/generic/openshift/single-region/procedure/create-identity-secret.sh +++ b/generic/openshift/single-region/procedure/create-identity-secret.sh 
@@ -2,11 +2,12 @@ oc create secret generic identity-secret-for-components \ --namespace camunda \ - --from-literal=connectors-secret="$CONNECTORS_SECRET" \ - --from-literal=console-secret="$CONSOLE_SECRET" \ - --from-literal=operate-secret="$OPERATE_SECRET" \ - --from-literal=optimize-secret="$OPTIMIZE_SECRET" \ - --from-literal=tasklist-secret="$TASKLIST_SECRET" \ - --from-literal=zeebe-secret="$ZEEBE_SECRET" \ - --from-literal=admin-password="$ADMIN_PASSWORD" \ + --from-literal=identity-connectors-client-token="$CONNECTORS_SECRET" \ + --from-literal=identity-console-client-token="$CONSOLE_SECRET" \ + --from-literal=identity-core-client-token="$CORE_SECRET" \ + --from-literal=identity-optimize-client-token="$OPTIMIZE_SECRET" \ + --from-literal=identity-keycloak-admin-password="$ADMIN_PASSWORD" \ + --from-literal=identity-firstuser-password="$FIRST_USER_PASSWORD" \ + --from-literal=identity-keycloak-postgresql-user-password="$KEYCLOAK_PG_USER_PASSWORD" \ + --from-literal=identity-keycloak-postgresql-admin-password="$KEYCLOAK_PG_ADMIN_PASSWORD" \ --from-literal=smtp-password="" diff --git a/generic/openshift/single-region/procedure/generate-passwords.sh b/generic/openshift/single-region/procedure/generate-passwords.sh index 6bffa72c4..633e999fb 100755 --- a/generic/openshift/single-region/procedure/generate-passwords.sh +++ b/generic/openshift/single-region/procedure/generate-passwords.sh @@ -2,8 +2,9 @@ export CONNECTORS_SECRET="$(openssl rand -hex 16)" export CONSOLE_SECRET="$(openssl rand -hex 16)" -export OPERATE_SECRET="$(openssl rand -hex 16)" export OPTIMIZE_SECRET="$(openssl rand -hex 16)" -export TASKLIST_SECRET="$(openssl rand -hex 16)" -export ZEEBE_SECRET="$(openssl rand -hex 16)" +export CORE_SECRET="$(openssl rand -hex 16)" export ADMIN_PASSWORD="$(openssl rand -hex 16)" +export FIRST_USER_PASSWORD="$(openssl rand -hex 16)" +export KEYCLOAK_PG_USER_PASSWORD="$(openssl rand -hex 16)" +export KEYCLOAK_PG_ADMIN_PASSWORD="$(openssl rand -hex 16)" 
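Review bot: `create-identity-secret.sh` now builds the secret from four variables that did not exist before (`CORE_SECRET`, `FIRST_USER_PASSWORD`, `KEYCLOAK_PG_USER_PASSWORD`, `KEYCLOAK_PG_ADMIN_PASSWORD`), and nothing in the visible lines stops `oc create secret` from storing an empty string when one is unset, for instance in a shell that sourced the previous `generate-passwords.sh`. An empty first-user or Keycloak database password is stored as a valid credential, so the failure would be silent. Adding `set -u` near the top, or a guard such as `: "${FIRST_USER_PASSWORD:?must be set}"` per variable, makes the script abort instead. In `generate-passwords.sh` the `export VAR="$(openssl rand -hex 16)"` form also hides a failing `openssl`, and splitting assignment from `export` would surface it. The first lines of both scripts are outside the hunks.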
From e16bf6810488f8a1d2c7253d7e08fae76b68e0ac Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 21:20:24 +0100 Subject: [PATCH 56/65] remove sed --- .../aws_openshift_rosa_hcp_single_region_tests.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index f3991fd6e..5b795b046 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml @@ -473,16 +473,6 @@ jobs: -i "$TEST_CHART_DIR_STATIC/test/integration/testsuites/vars/files/testsuite-core.yaml" fi - # TODO: 8.8 fix - echo "Patch the identity secrets to allow venom to access to the platform" - sed -i -e 's/integration-test-credentials/identity-secret-for-components/g' \ - -e 's/identity-operate-client-password/operate-secret/g' \ - -e 's/identity-optimize-client-password/optimize-secret/g' \ - -e 's/identity-tasklist-client-password/tasklist-secret/g' \ - -e 's/identity-zeebe-client-password/zeebe-secret/g' \ - -e 's/identity-connectors-client-password/connectors-secret/g' \ - "$TEST_CHART_DIR_STATIC/test/integration/testsuites/core/patches/job.yaml" - # remove venom var client secret as we define it in the file yq e 'del(.spec.template.spec.containers[].env[] | select(.name == "VENOM_VAR_TEST_CLIENT_SECRET"))' \ -i "$TEST_CHART_DIR_STATIC/test/integration/testsuites/core/patches/job.yaml" From 0a077ade6e612a546d43517ca1496729ee6cc5f5 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 11 Mar 2025 21:19:58 +0100 Subject: [PATCH 57/65] update Maintenance --- MAINTENANCE.md | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTENANCE.md b/MAINTENANCE.md index 33f4c8a06..21aeef046 100644 --- a/MAINTENANCE.md +++ b/MAINTENANCE.md 
@@ -23,6 +23,7 @@ When `8.7` becomes the new stable version, we create the `stable/8.7` branch fro When a new version is ready for release, we need to cut the `main` branch to create a new stable branch (`stable/8.x`). Follow these steps: 0. Update the value of the release in `.camunda-version` +0. Add all the schedules for the version in `.github/workflows-config/workflow-scheduler.yml` 1. **Create the stable branch** - From `main`, create a new branch `stable/8.x`. - Example: If the current stable version is `8.6` and we are preparing to release `8.7`, run: From 52725628501e7bd8d9b27ff759002ba920bfbdd2 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 12 Mar 2025 09:12:49 +0100 Subject: [PATCH 58/65] fix 8.8 values --- ...aws_openshift_rosa_hcp_single_region_tests.yml | 2 +- .../openshift/single-region/helm-values/base.yml | 2 +- .../single-region/helm-values/domain.yml | 15 +++++---------- .../single-region/helm-values/no-domain.yml | 15 +++++---------- 4 files changed, 12 insertions(+), 22 deletions(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 5b795b046..c800107c7 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml @@ -335,7 +335,7 @@ jobs: if [ "$WEBMODELER_ENABLED" == "true" ]; then echo "Enabling WebModeler" yq -i '.webModeler.enabled = true' values.yml - yq -i '.postgresql.enabled = true' values.yml + yq -i '.webModelerPostgresql.enabled = true' values.yml fi if [ "$CONSOLE_ENABLED" == "true" ]; then diff --git a/generic/openshift/single-region/helm-values/base.yml b/generic/openshift/single-region/helm-values/base.yml index e2de22b6d..742c7d733 100644 --- a/generic/openshift/single-region/helm-values/base.yml +++ b/generic/openshift/single-region/helm-values/base.yml 
@@ -29,7 +29,7 @@ webModeler: existingSecret: identity-secret-for-components # reference the smtp password fromAddress: changeme@example.com # change this required value -postgresql: +webModelerPostgresql: # Will deploy a postgresql datbase for webModeler. # If you enable webModeler, you either need to turn it true or use an external database enabled: false diff --git a/generic/openshift/single-region/helm-values/domain.yml b/generic/openshift/single-region/helm-values/domain.yml index 527e20b6d..eeb83aa67 100644 --- a/generic/openshift/single-region/helm-values/domain.yml +++ b/generic/openshift/single-region/helm-values/domain.yml @@ -21,25 +21,20 @@ global: optimize: redirectUrl: https://${DOMAIN_NAME}/optimize # replace this with a port of your choice when you will do port forwarding - existingSecret: - name: identity-secret-for-components + existingSecret: identity-secret-for-components webModeler: redirectUrl: https://${DOMAIN_NAME}/modeler console: redirectUrl: https://${DOMAIN_NAME}/ - existingSecret: - name: identity-secret-for-components + existingSecret: identity-secret-for-components core: redirectUrl: http://${DOMAIN_NAME}/core - existingSecret: - name: identity-secret-for-components + existingSecret: identity-secret-for-components connectors: - existingSecret: - name: identity-secret-for-components + existingSecret: identity-secret-for-components admin: enabled: true - existingSecret: - name: identity-secret-for-components + existingSecret: identity-secret-for-components identity: contextPath: /identity diff --git a/generic/openshift/single-region/helm-values/no-domain.yml b/generic/openshift/single-region/helm-values/no-domain.yml index d2a7ca604..2e493725b 100644 --- a/generic/openshift/single-region/helm-values/no-domain.yml +++ b/generic/openshift/single-region/helm-values/no-domain.yml 
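Review bot: In the `@@ -21,25 +21,20 @@` hunk of domain.yml, the unchanged line `core: redirectUrl: http://${DOMAIN_NAME}/core` uses `http://` while every sibling `redirectUrl` in the same block uses `https://`, so the identity redirect for core would go over plaintext on a setup that otherwise assumes TLS. Since the commit already rewrites the neighbouring `existingSecret` lines, this is a good place to change it to `redirectUrl: https://${DOMAIN_NAME}/core`, or to add a comment saying why core is exempt. The switch from the `existingSecret:` map with a `name:` key to a plain string presumably follows the 8.8 chart schema; that schema is not visible in this patch, so it is worth rendering the chart with these values before merging. The `global:` block starts above the hunk.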
@@ -7,25 +7,20 @@ global: optimize: redirectUrl: http://localhost:8083 # replace this with a port of your choice when you will do port forwarding - existingSecret: - name: identity-secret-for-components + existingSecret: identity-secret-for-components webModeler: redirectUrl: http://localhost:8084 console: redirectUrl: http://localhost:8085 - existingSecret: - name: identity-secret-for-components + existingSecret: identity-secret-for-components core: redirectUrl: http://localhost:8082 - existingSecret: - name: identity-secret-for-components + existingSecret: identity-secret-for-components connectors: - existingSecret: - name: identity-secret-for-components + existingSecret: identity-secret-for-components admin: enabled: true - existingSecret: - name: identity-secret-for-components + existingSecret: identity-secret-for-components identity: fullURL: http://localhost:8080 # replace this with a port of your choice when you will do port forwarding From 10aef95a240e8cf24301befad4daf92f6ffd5ecb Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 12 Mar 2025 09:54:55 +0100 Subject: [PATCH 59/65] fix missing secrets --- generic/openshift/single-region/helm-values/base.yml | 5 +++++ .../single-region/procedure/create-identity-secret.sh | 2 ++ .../openshift/single-region/procedure/generate-passwords.sh | 2 ++ 3 files changed, 9 insertions(+) diff --git a/generic/openshift/single-region/helm-values/base.yml b/generic/openshift/single-region/helm-values/base.yml index 742c7d733..45d45db35 100644 --- a/generic/openshift/single-region/helm-values/base.yml +++ b/generic/openshift/single-region/helm-values/base.yml 
@@ -33,3 +33,8 @@ webModelerPostgresql: # Will deploy a postgresql datbase for webModeler. # If you enable webModeler, you either need to turn it true or use an external database enabled: false + auth: + existingSecret: identity-secret-for-components + secretKeys: + adminPasswordKey: identity-webmodeler-postgres-admin-password + userPasswordKey: identity-webmodeler-postgres-user-password diff --git a/generic/openshift/single-region/procedure/create-identity-secret.sh b/generic/openshift/single-region/procedure/create-identity-secret.sh index ab48d66af..6e1f09e5f 100755 --- a/generic/openshift/single-region/procedure/create-identity-secret.sh +++ b/generic/openshift/single-region/procedure/create-identity-secret.sh @@ -10,4 +10,6 @@ oc create secret generic identity-secret-for-components \ --from-literal=identity-firstuser-password="$FIRST_USER_PASSWORD" \ --from-literal=identity-keycloak-postgresql-user-password="$KEYCLOAK_PG_USER_PASSWORD" \ --from-literal=identity-keycloak-postgresql-admin-password="$KEYCLOAK_PG_ADMIN_PASSWORD" \ + --from-literal=identity-webmodeler-postgres-admin-password="$WEBMODELER_PG_ADMIN_PASSWORD" \ + --from-literal=identity-webmodeler-postgres-user-password="$WEBMODELER_PG_USER_PASSWORD" \ --from-literal=smtp-password="" diff --git a/generic/openshift/single-region/procedure/generate-passwords.sh b/generic/openshift/single-region/procedure/generate-passwords.sh index 633e999fb..66e0534ad 100755 --- a/generic/openshift/single-region/procedure/generate-passwords.sh +++ b/generic/openshift/single-region/procedure/generate-passwords.sh @@ -8,3 +8,5 @@ export ADMIN_PASSWORD="$(openssl rand -hex 16)" export FIRST_USER_PASSWORD="$(openssl rand -hex 16)" export KEYCLOAK_PG_USER_PASSWORD="$(openssl rand -hex 16)" export KEYCLOAK_PG_ADMIN_PASSWORD="$(openssl rand -hex 16)" +export WEBMODELER_PG_ADMIN_PASSWORD="$(openssl rand -hex 16)" +export WEBMODELER_PG_USER_PASSWORD="$(openssl rand -hex 16)" 
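Review bot: The two new `--from-literal` arguments in create-identity-secret.sh expand `$WEBMODELER_PG_ADMIN_PASSWORD` and `$WEBMODELER_PG_USER_PASSWORD` without checking that they are set, so a shell that ran generate-passwords.sh before this change (or never ran it) creates the secret with empty PostgreSQL passwords and no error. A guard ahead of the `oc create secret` call would catch this, for example `: "${WEBMODELER_PG_ADMIN_PASSWORD:?run generate-passwords.sh first}"` and the same for the user password. The `oc create secret generic` command and the script header start above the hunk, so whether the script already runs under `set -u` cannot be seen here. The key names match the `adminPasswordKey` and `userPasswordKey` values added to base.yml in the same commit.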
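Review bot: `export WEBMODELER_PG_ADMIN_PASSWORD="$(openssl rand -hex 16)"` and the line after it in generate-passwords.sh combine `export` with a command substitution, which discards the exit status of `openssl`; if `openssl` is missing or fails, the variable is exported empty and the script still succeeds. Assigning first and exporting afterwards keeps the failure visible to `set -e` or an explicit check: `WEBMODELER_PG_ADMIN_PASSWORD="$(openssl rand -hex 16)"` followed by `export WEBMODELER_PG_ADMIN_PASSWORD`. The four existing exports in the context lines follow the same pattern, so the change is best applied to the whole file. The top of the script is outside the hunk, so any error-handling options set there are not visible.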
From 22cd31229201ad190790d9edf79746580c1697c0 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 12 Mar 2025 09:57:42 +0100 Subject: [PATCH 60/65] fix missing cat --- .github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index c800107c7..0aa61bd89 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml @@ -618,6 +618,7 @@ jobs: - name: Set current Camunda version id: camunda-version + if: env.CLEANUP_CLUSTERS == 'true' run: | CAMUNDA_VERSION=$(cat .camunda-version) echo "CAMUNDA_VERSION=$CAMUNDA_VERSION" | tee -a "$GITHUB_OUTPUT" From 023b65265c4edb87d4420e97bfd866b0e109d621 Mon Sep 17 00:00:00 2001 
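Review bot: With `if: env.CLEANUP_CLUSTERS == 'true'` added, the `camunda-version` step is skipped whenever cleanup is disabled, and any later step that reads `steps.camunda-version.outputs.CAMUNDA_VERSION` then gets an empty string rather than a failure. The consumers of that output are outside the hunk, so this needs confirming: either each of them carries the same condition, or the step stays unconditional, since reading `.camunda-version` costs nothing. The commit subject ("fix missing cat") does not describe the change, so if the intent is that only the cleanup steps need the version, a comment above the `if:` such as `# version is only consumed by the cluster cleanup steps` would record it.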
From: "Leo J." <153937047+leiicamundi@users.noreply.github.com>
Date: Wed, 12 Mar 2025 11:56:11 +0100
Subject: [PATCH 61/65] move dual region
---
.../{camunda/8.7 => }/export_environment_prerequisites.sh | 0
.../procedure/{camunda/8.7 => }/export_services_submariner.sh | 0
.../procedure/{camunda/8.7 => }/generate_helm_values.sh | 0
.../procedure/{camunda/8.7 => }/generate_zeebe_helm_values.sh | 0
.../procedure/{camunda/8.7 => }/helm-values/values-base.yml | 0
.../procedure/{camunda/8.7 => }/helm-values/values-region-1.yml | 0
.../procedure/{camunda/8.7 => }/helm-values/values-region-2.yml | 0
.../procedure/{camunda/8.7 => }/install_chart.sh | 0
.../procedure/{camunda/8.7 => }/setup_ns_secrets.sh | 0
.../procedure/{camunda/8.7 => }/verify_exported_services.sh | 0
.../procedure/{camunda/8.7 => }/verify_installation_completed.sh | 0
.../procedure/{camunda/8.7 => }/zbctl-output.txt | 0
.../procedure/{camunda/8.7 => }/zeebe-http-output.txt | 0
13 files changed, 0 insertions(+), 0 deletions(-)
rename aws/openshift/rosa-hcp-dual-region/procedure/{camunda/8.7 => }/export_environment_prerequisites.sh (100%)
rename aws/openshift/rosa-hcp-dual-region/procedure/{camunda/8.7 => }/export_services_submariner.sh (100%)
rename aws/openshift/rosa-hcp-dual-region/procedure/{camunda/8.7 => }/generate_helm_values.sh (100%)
rename aws/openshift/rosa-hcp-dual-region/procedure/{camunda/8.7 => }/generate_zeebe_helm_values.sh (100%)
rename aws/openshift/rosa-hcp-dual-region/procedure/{camunda/8.7 => }/helm-values/values-base.yml (100%)
rename aws/openshift/rosa-hcp-dual-region/procedure/{camunda/8.7 => }/helm-values/values-region-1.yml (100%)
rename aws/openshift/rosa-hcp-dual-region/procedure/{camunda/8.7 => }/helm-values/values-region-2.yml (100%)
rename aws/openshift/rosa-hcp-dual-region/procedure/{camunda/8.7 => }/install_chart.sh (100%)
rename aws/openshift/rosa-hcp-dual-region/procedure/{camunda/8.7 => }/setup_ns_secrets.sh (100%)
rename aws/openshift/rosa-hcp-dual-region/procedure/{camunda/8.7 => }/verify_exported_services.sh (100%)
rename aws/openshift/rosa-hcp-dual-region/procedure/{camunda/8.7 => }/verify_installation_completed.sh (100%)
rename aws/openshift/rosa-hcp-dual-region/procedure/{camunda/8.7 => }/zbctl-output.txt (100%)
rename aws/openshift/rosa-hcp-dual-region/procedure/{camunda/8.7 => }/zeebe-http-output.txt (100%)
diff --git a/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/export_environment_prerequisites.sh b/aws/openshift/rosa-hcp-dual-region/procedure/export_environment_prerequisites.sh
similarity index 100%
rename from aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/export_environment_prerequisites.sh
rename to aws/openshift/rosa-hcp-dual-region/procedure/export_environment_prerequisites.sh
diff --git a/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/export_services_submariner.sh b/aws/openshift/rosa-hcp-dual-region/procedure/export_services_submariner.sh
similarity index 100%
rename from aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/export_services_submariner.sh
rename to aws/openshift/rosa-hcp-dual-region/procedure/export_services_submariner.sh
diff --git a/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/generate_helm_values.sh b/aws/openshift/rosa-hcp-dual-region/procedure/generate_helm_values.sh
similarity index 100%
rename from aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/generate_helm_values.sh
rename to aws/openshift/rosa-hcp-dual-region/procedure/generate_helm_values.sh
diff --git a/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/generate_zeebe_helm_values.sh b/aws/openshift/rosa-hcp-dual-region/procedure/generate_zeebe_helm_values.sh
similarity index 100%
rename from aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/generate_zeebe_helm_values.sh
rename to aws/openshift/rosa-hcp-dual-region/procedure/generate_zeebe_helm_values.sh
diff --git a/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-base.yml b/aws/openshift/rosa-hcp-dual-region/procedure/helm-values/values-base.yml
similarity index 100%
rename from aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-base.yml
rename to aws/openshift/rosa-hcp-dual-region/procedure/helm-values/values-base.yml
diff --git a/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-region-1.yml b/aws/openshift/rosa-hcp-dual-region/procedure/helm-values/values-region-1.yml
similarity index 100%
rename from aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-region-1.yml
rename to aws/openshift/rosa-hcp-dual-region/procedure/helm-values/values-region-1.yml
diff --git a/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-region-2.yml b/aws/openshift/rosa-hcp-dual-region/procedure/helm-values/values-region-2.yml
similarity index 100%
rename from aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/helm-values/values-region-2.yml
rename to aws/openshift/rosa-hcp-dual-region/procedure/helm-values/values-region-2.yml
diff --git a/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/install_chart.sh b/aws/openshift/rosa-hcp-dual-region/procedure/install_chart.sh
similarity index 100%
rename from aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/install_chart.sh
rename to aws/openshift/rosa-hcp-dual-region/procedure/install_chart.sh
diff --git a/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/setup_ns_secrets.sh b/aws/openshift/rosa-hcp-dual-region/procedure/setup_ns_secrets.sh
similarity index 100%
rename from aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/setup_ns_secrets.sh
rename to aws/openshift/rosa-hcp-dual-region/procedure/setup_ns_secrets.sh
diff --git a/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/verify_exported_services.sh b/aws/openshift/rosa-hcp-dual-region/procedure/verify_exported_services.sh
similarity index 100%
rename from aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/verify_exported_services.sh
rename to aws/openshift/rosa-hcp-dual-region/procedure/verify_exported_services.sh
diff --git a/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/verify_installation_completed.sh b/aws/openshift/rosa-hcp-dual-region/procedure/verify_installation_completed.sh
similarity index 100%
rename from aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/verify_installation_completed.sh
rename to aws/openshift/rosa-hcp-dual-region/procedure/verify_installation_completed.sh
diff --git a/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/zbctl-output.txt b/aws/openshift/rosa-hcp-dual-region/procedure/zbctl-output.txt
similarity index 100%
rename from aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/zbctl-output.txt
rename to aws/openshift/rosa-hcp-dual-region/procedure/zbctl-output.txt
diff --git a/aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/zeebe-http-output.txt b/aws/openshift/rosa-hcp-dual-region/procedure/zeebe-http-output.txt
similarity index 100%
rename from aws/openshift/rosa-hcp-dual-region/procedure/camunda/8.7/zeebe-http-output.txt
rename to aws/openshift/rosa-hcp-dual-region/procedure/zeebe-http-output.txt
From 1c42f4732b06ecf01714d739b1167a5ee470c55a Mon Sep 17 00:00:00 2001
From: "Leo J." <153937047+leiicamundi@users.noreply.github.com>
Date: Wed, 12 Mar 2025 12:06:47 +0100
Subject: [PATCH 62/65] update README
---
README.md | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 014944bf9..3aea521d8 100644
--- a/README.md
+++ b/README.md
@@ -49,10 +49,13 @@ For AWS Kubernetes and EC2 solutions: ``` - aws - kubernetes - - eks-spot-instances-dual-region - - eks-on-demand-single-region + - eks-single-region + - eks-single-region-spot-instances + - eks-dual-region + - eks-dual-region-karpenter - compute - - ec2-on-demand-single-region + - ec2-single-region + - ec2-single-region-spot-instances - modules - networking - monitoring From fd4cec200e2d6f486f3bf46472e9b46e2d814dc8 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 12 Mar 2025 16:57:02 +0100 Subject: [PATCH 63/65] remove patch version --- .../aws_openshift_rosa_hcp_single_region_tests.yml | 4 ++++ .../procedure/check-zeebe-cluster-topology-output.json | 8 ++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 0aa61bd89..50eba41fd 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml @@ -542,6 +542,10 @@ jobs: temp_output=$(mktemp) echo "$check_zeebe_topology_output" > "$temp_output" + # Replace patch version + yq e '.brokers[].version |= sub("[.][0-9]+$", ".X") | .gatewayVersion |= sub("[.][0-9]+$", ".X")' -i "$temp_output" + yq e '.brokers[].version |= sub("[.][0-9]+$", ".X") | .gatewayVersion |= sub("[.][0-9]+$", ".X")' -i "$reference_file" + # Order each file also remove not predictable fields yq e '.brokers |= sort_by(.host) | .brokers[] |= (.partitions |= sort_by(.partitionId) | .partitions[].role = "NOT_PREDICTABLE")' -i "$temp_output" yq e '.brokers |= sort_by(.host) | .brokers[] |= (.partitions |= sort_by(.partitionId) | .partitions[].role = "NOT_PREDICTABLE")' -i "$reference_file" 
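Review bot: The pattern `sub("[.][0-9]+$", ".X")` in the new "Replace patch version" lines matches only versions that end in a numeric patch component, so a version string carrying any suffix after the patch number is left unchanged and the topology comparison then fails on it. Whether such builds reach this step is not visible in the hunk, but if they do, the pattern could be widened to `sub("[.][0-9]+(-.*)?$", ".X")`. The expression is written out twice, once for `$temp_output` and once for `$reference_file`; holding it in one shell variable would keep the two in step. The hunk in PATCH 64/65 that changes the placeholder to `.z` carries the same pattern, and the step body continues outside both hunks.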
diff --git a/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json b/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json index cb13c71fc..920a014c9 100644 --- a/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json +++ b/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json @@ -21,7 +21,7 @@ "health": "healthy" } ], - "version": "8.6.9" + "version": "8.6.X" }, { "nodeId": 1, @@ -44,7 +44,7 @@ "health": "healthy" } ], - "version": "8.6.9" + "version": "8.6.X" }, { "nodeId": 2, @@ -67,11 +67,11 @@ "health": "healthy" } ], - "version": "8.6.9" + "version": "8.6.X" } ], "clusterSize": 3, "partitionsCount": 3, "replicationFactor": 3, - "gatewayVersion": "8.6.9" + "gatewayVersion": "8.6.X" } From 00c40221da57f649e73726971f8db6815f665398 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 12 Mar 2025 16:57:58 +0100 Subject: [PATCH 64/65] use z for the pathc --- .../aws_openshift_rosa_hcp_single_region_tests.yml | 4 ++-- .../procedure/check-zeebe-cluster-topology-output.json | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml index 50eba41fd..31c573b0b 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_tests.yml 
@@ -543,8 +543,8 @@ jobs: echo "$check_zeebe_topology_output" > "$temp_output" # Replace patch version - yq e '.brokers[].version |= sub("[.][0-9]+$", ".X") | .gatewayVersion |= sub("[.][0-9]+$", ".X")' -i "$temp_output" - yq e '.brokers[].version |= sub("[.][0-9]+$", ".X") | .gatewayVersion |= sub("[.][0-9]+$", ".X")' -i "$reference_file" + yq e '.brokers[].version |= sub("[.][0-9]+$", ".z") | .gatewayVersion |= sub("[.][0-9]+$", ".z")' -i "$temp_output" + yq e '.brokers[].version |= sub("[.][0-9]+$", ".z") | .gatewayVersion |= sub("[.][0-9]+$", ".z")' -i "$reference_file" # Order each file also remove not predictable fields yq e '.brokers |= sort_by(.host) | .brokers[] |= (.partitions |= sort_by(.partitionId) | .partitions[].role = "NOT_PREDICTABLE")' -i "$temp_output" diff --git a/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json b/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json index 920a014c9..dd1fd85cf 100644 --- a/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json +++ b/generic/kubernetes/single-region/procedure/check-zeebe-cluster-topology-output.json @@ -21,7 +21,7 @@ "health": "healthy" } ], - "version": "8.6.X" + "version": "8.6.z" }, { "nodeId": 1, @@ -44,7 +44,7 @@ "health": "healthy" } ], - "version": "8.6.X" + "version": "8.6.z" }, { "nodeId": 2, @@ -67,11 +67,11 @@ "health": "healthy" } ], - "version": "8.6.X" + "version": "8.6.z" } ], "clusterSize": 3, "partitionsCount": 3, "replicationFactor": 3, - "gatewayVersion": "8.6.X" + "gatewayVersion": "8.6.z" } From b1f3fbf6f3b3a32a7dff95add94eaf83d17c88c6 Mon Sep 17 00:00:00 2001 From: "Leo J." <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 12 Mar 2025 17:17:04 +0100 Subject: [PATCH 65/65] clean all --- .../aws_openshift_rosa_hcp_single_region_daily_cleanup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml index 0268d53b5..76f14edb3 100644 --- a/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml +++ b/.github/workflows/aws_openshift_rosa_hcp_single_region_daily_cleanup.yml @@ -29,7 +29,7 @@ concurrency: env: IS_SCHEDULE: ${{ contains(github.ref, 'refs/heads/schedule/') || github.event_name == 'schedule' && 'true' || 'false' }} - MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '20' }} + MAX_AGE_HOURS_CLUSTER: ${{ github.event.inputs.max_age_hours_cluster || '0' }} # please keep those variables synced with aws_rosa_hcp_tests.yml AWS_PROFILE: infex
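Review bot: Changing the fallback of `MAX_AGE_HOURS_CLUSTER` from `'20'` to `'0'` means every run without an explicit `max_age_hours_cluster` input, including the scheduled one, treats clusters of any age as eligible for cleanup. How the value is consumed is outside the hunk, but if it is the minimum age before a cluster is destroyed, a scheduled cleanup can now remove clusters that a concurrently running test workflow has just created. Keeping the default at `'20'` and passing `0` through the manual input when a full purge is wanted would limit that. If `0` is intended permanently, a comment on the line such as `# 0 = delete every cluster regardless of age` should say so. The `env:` block continues past the end of the hunk.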