Adding required changes related to FIPS on bastion

Signed-off-by: Gaurav Bankar <Gaurav.Bankar@ibm.com>
ocp-power-automation · Oct 18, 2023 · 78dc183 · 78dc183
1 parent 437123c
commit 78dc183
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 0 deletions.
diff --git a/modules/1_bastion/bastion.tf b/modules/1_bastion/bastion.tf
@@ -345,3 +345,55 @@ resource "null_resource" "setup_nfs_disk" {
     ]
   }
 }
+
+resource "null_resource" "fips_enablement" {
+
+  count = var.fips_compliant ? local.bastion_count : 0
+
+  depends_on =  [ openstack_compute_keypair_v2.key-pair ,random_id.label ,openstack_compute_flavor_v2.bastion_scg, openstack_compute_instance_v2.bastion, null_resource.bastion_init, null_resource.setup_proxy_info, null_resource.bastion_register, null_resource.enable_repos, openstack_blockstorage_volume_v3.storage_volume, openstack_compute_volume_attach_v2.storage_v_attach, null_resource.bastion_init , null_resource.setup_nfs_disk]
+
+
+  connection {
+    type        = "ssh"
+    user        = var.rhel_username
+    host        = openstack_compute_instance_v2.bastion[count.index].access_ip_v4
+    private_key = var.private_key
+    agent       = var.ssh_agent
+    timeout     = "${var.connection_timeout}m"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      <<EOF
+# enable FIPS as required
+sudo fips-mode-setup --enable
+EOF
+    ]
+  }
+}
+
+
+resource "null_resource" "bastion_reboot" {
+
+  count = var.fips_compliant ? local.bastion_count : 0
+
+  depends_on =  [ null_resource.fips_enablement ]
+
+  connection {
+    type        = "ssh"
+    user        = var.rhel_username
+    host        = openstack_compute_instance_v2.bastion[count.index].access_ip_v4
+    private_key = var.private_key
+    agent       = var.ssh_agent
+    timeout     = "${var.connection_timeout}m"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      <<EOF
+# rebooting bastion node
+sudo shutdown -r +1
+EOF
+    ]
+  }
+}
diff --git a/modules/1_bastion/variables.tf b/modules/1_bastion/variables.tf
@@ -51,3 +51,4 @@ variable "volume_storage_template" {}
 
 variable "setup_squid_proxy" {}
 variable "proxy" {}
+variable "fips_compliant" {}
diff --git a/ocp.tf b/ocp.tf
@@ -66,6 +66,7 @@ module "bastion" {
   volume_storage_template         = var.volume_storage_template
   setup_squid_proxy               = var.setup_squid_proxy
   proxy                           = var.proxy
+  fips_compliant                  = var.fips_compliant
 }
 
 module "network" {
@@ -83,6 +84,7 @@ module "network" {
 }
 
 module "helpernode" {
+  depends_on = [module.bastion]
   source = "./modules/3_helpernode"
 
   cluster_domain            = var.cluster_domain