feat: added the ability to skip the explicit creation of the cluster apikey using new input skip_cluster_apikey_creation (#828)

Author: Aashiq-J

README.md

@@ -364,6 +364,7 @@ Optionally, you need the following permissions to attach Access Management tags
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The ID of an existing IBM Cloud resource group where the cluster is grouped. | `string` | n/a | yes |
 | <a name="input_secrets_manager_secret_group_id"></a> [secrets\_manager\_secret\_group\_id](#input\_secrets\_manager\_secret\_group\_id) | Secret group ID where Ingress secrets are stored in the Secrets Manager instance. | `string` | `null` | no |
 | <a name="input_service_subnet_cidr"></a> [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
+| <a name="input_skip_cluster_apikey_creation"></a> [skip\_cluster\_apikey\_creation](#input\_skip\_cluster\_apikey\_creation) | Set to true to skip explicit creation of the `containers-kubernetes-key` for the given region and resource group. You can set this to false if you plan to manually create this key, or if you want to allow the cluster creation process to create it. Please be aware that it may take multiple apply attempts when allowing the cluster creation process to create it it before it will be successful. | `bool` | `false` | no |
 | <a name="input_skip_ocp_secrets_manager_iam_auth_policy"></a> [skip\_ocp\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_ocp\_secrets\_manager\_iam\_auth\_policy) | To skip creating auth policy that allows OCP cluster 'Manager' role access in the existing Secrets Manager instance for managing ingress certificates. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Metadata labels describing this cluster deployment, i.e. test | `list(string)` | `[]` | no |
 | <a name="input_use_existing_cos"></a> [use\_existing\_cos](#input\_use\_existing\_cos) | Flag indicating whether or not to use an existing COS instance for OpenShift internal registry storage. Only applicable if 'enable\_registry\_storage' is true | `bool` | `false` | no |

ibm_catalog.json

@@ -928,6 +928,9 @@
               "key": "skip_ocp_secrets_manager_iam_auth_policy",
               "hidden": true
             },
+            {
+              "key": "skip_cluster_apikey_creation"
+            },
             {
               "key": "subnets",
               "default_value": "{\n    zone-1 = [\n      {\n        name           = \"subnet-a\"\n        cidr           = \"10.10.10.0/24\"\n        public_gateway = true\n        acl_name       = \"vpc-acl\"\n        no_addr_prefix = false\n      }\n    ],\n    zone-2 = [\n      {\n        name           = \"subnet-b\"\n        cidr           = \"10.20.10.0/24\"\n        public_gateway = true\n        acl_name       = \"vpc-acl\"\n        no_addr_prefix = false\n      }\n    ],\n    zone-3 = [\n      {\n        name           = \"subnet-c\"\n        cidr           = \"10.30.10.0/24\"\n        public_gateway = true\n        acl_name       = \"vpc-acl\"\n        no_addr_prefix = false\n      }\n    ]\n  }",
@@ -1518,6 +1521,10 @@
               "key": "address_prefix",
               "hidden": true
             },
+            {
+              "key": "skip_cluster_apikey_creation",
+              "hidden": true
+            },
             {
               "key": "ocp_entitlement"
             },

main.tf

@@ -442,11 +442,13 @@ resource "ibm_resource_tag" "cluster_access_tag" {
 # Enhancement Request: Add support to skip API key reset if a valid key already exists (https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6468).
 
 resource "ibm_container_api_key_reset" "reset_api_key" {
+  count             = var.skip_cluster_apikey_creation ? 0 : 1
   region            = var.region
   resource_group_id = var.resource_group_id
 }
 
 resource "time_sleep" "wait_for_reset_api_key" {
+  count           = var.skip_cluster_apikey_creation ? 0 : 1
   depends_on      = [ibm_container_api_key_reset.reset_api_key]
   create_duration = "10s"
 }

modules/fscloud/README.md

@@ -135,6 +135,7 @@ No resources.
 | <a name="input_region"></a> [region](#input\_region) | The IBM Cloud region where the cluster will be provisioned. | `string` | n/a | yes |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The Id of an existing IBM Cloud resource group where the cluster will be grouped. | `string` | n/a | yes |
 | <a name="input_service_subnet_cidr"></a> [service\_subnet\_cidr](#input\_service\_subnet\_cidr) | Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least `/24` or larger. Default value is `172.21.0.0/16` when the variable is set to `null`. | `string` | `null` | no |
+| <a name="input_skip_cluster_apikey_creation"></a> [skip\_cluster\_apikey\_creation](#input\_skip\_cluster\_apikey\_creation) | Set to true to skip explicit creation of the `containers-kubernetes-key` for the given region and resource group. You can set this to false if you plan to manually create this key, or if you want to allow the cluster creation process to create it. Please be aware that it may take multiple apply attempts when allowing the cluster creation process to create it it before it will be successful. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Metadata labels describing this cluster deployment | `list(string)` | `[]` | no |
 | <a name="input_verify_worker_network_readiness"></a> [verify\_worker\_network\_readiness](#input\_verify\_worker\_network\_readiness) | By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. | `bool` | `true` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC instance where this cluster will be provisioned | `string` | n/a | yes |

modules/fscloud/main.tf

@@ -34,4 +34,5 @@ module "fscloud" {
   additional_vpe_security_group_ids     = var.additional_vpe_security_group_ids
   cbr_rules                             = var.cbr_rules
   enable_ocp_console                    = var.enable_ocp_console
+  skip_cluster_apikey_creation          = var.skip_cluster_apikey_creation
 }

modules/fscloud/variables.tf

@@ -287,3 +287,9 @@ variable "enable_ocp_console" {
   type        = bool
   default     = true
 }
+
+variable "skip_cluster_apikey_creation" {
+  type        = bool
+  description = "Set to true to skip explicit creation of the `containers-kubernetes-key` for the given region and resource group. You can set this to false if you plan to manually create this key, or if you want to allow the cluster creation process to create it. Please be aware that it may take multiple apply attempts when allowing the cluster creation process to create it it before it will be successful."
+  default     = false
+}

solutions/fully-configurable/main.tf

@@ -239,6 +239,7 @@ module "ocp_base" {
   existing_secrets_manager_instance_crn    = var.existing_secrets_manager_instance_crn
   secrets_manager_secret_group_id          = var.secrets_manager_secret_group_id != null ? var.secrets_manager_secret_group_id : (var.enable_secrets_manager_integration ? module.secret_group[0].secret_group_id : null)
   skip_ocp_secrets_manager_iam_auth_policy = var.skip_ocp_secrets_manager_iam_auth_policy
+  skip_cluster_apikey_creation             = var.skip_cluster_apikey_creation
 }
 
 module "existing_secrets_manager_instance_parser" {

solutions/fully-configurable/variables.tf

@@ -601,3 +601,9 @@ variable "audit_webhook_listener_image_tag_digest" {
   description = "The tag or digest for the audit webhook listener image to deploy. If changing the value, ensure it is compatible with `audit_webhook_listener_image`."
   default     = "deaabcb8225e800385413ba420cf3f819d3b0671@sha256:acf123f4dba63534cbc104c6886abedff9d25a22a34ab7b549ede988ed6e7144"
 }
+
+variable "skip_cluster_apikey_creation" {
+  type        = bool
+  description = "To skip resetting the `containers-kubernetes-key` for the given region and resource group."
+  default     = false
+}

solutions/quickstart/main.tf

@@ -144,4 +144,5 @@ module "ocp_base" {
   access_tags                         = var.access_tags
   disable_public_endpoint             = !var.allow_public_access_to_cluster_management
   cluster_config_endpoint_type        = "default"
+  skip_cluster_apikey_creation        = var.skip_cluster_apikey_creation
 }

solutions/quickstart/variables.tf

@@ -102,3 +102,9 @@ variable "allow_outbound_traffic" {
   description = "Set to true to allow public outbound access from the cluster workers."
   default     = true
 }
+
+variable "skip_cluster_apikey_creation" {
+  type        = bool
+  description = "Set to true to skip explicit creation of the `containers-kubernetes-key` for the given region and resource group. You can set this to false if you plan to manually create this key, or if you want to allow the cluster creation process to create it. Please be aware that it may take multiple apply attempts when allowing the cluster creation process to create it it before it will be successful."
+  default     = false
+}