Added required changes related of FIPS on bastion node of OCP

Signed-off-by: Gaurav Bankar <Gaurav.Bankar@ibm.com>
ocp-power-automation · Oct 25, 2023 · ebea1a5 · ebea1a5
1 parent 437123c
commit ebea1a5
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 0 deletions.
diff --git a/modules/1_bastion/bastion.tf b/modules/1_bastion/bastion.tf
@@ -345,3 +345,53 @@ resource "null_resource" "setup_nfs_disk" {
     ]
   }
 }
+
+resource "null_resource" "fips_enablement" {
+
+  count = var.fips_compliant ? local.bastion_count : 0
+  depends_on =  [openstack_compute_keypair_v2.key-pair, random_id.label, openstack_compute_flavor_v2.bastion_scg, openstack_compute_instance_v2.bastion, null_resource.bastion_init, null_resource.setup_proxy_info, null_resource.bastion_register, null_resource.enable_repos, null_resource.bastion_packages, openstack_blockstorage_volume_v3.storage_volume, openstack_compute_volume_attach_v2.storage_v_attach, null_resource.setup_nfs_disk]
+
+  connection {
+    type        = "ssh"
+    user        = var.rhel_username
+    host        = openstack_compute_instance_v2.bastion[count.index].access_ip_v4
+    private_key = var.private_key
+    agent       = var.ssh_agent
+    timeout     = "${var.connection_timeout}m"
+  }
+  provisioner "remote-exec" {
+    inline = [
+      <<EOF
+sudo fips-mode-setup --enable
+sudo shutdown -r +1
+EOF
+    ]
+  }
+}
+
+resource "time_sleep" "wait_60_seconds" {
+  count = var.fips_compliant ? local.bastion_count : 0
+  depends_on = [null_resource.fips_enablement]
+
+  create_duration = "60s"
+}
+
+resource "null_resource" "bastion_nop" {
+
+  count = var.fips_compliant ? local.bastion_count : 0
+  depends_on =  [null_resource.fips_enablement, time_sleep.wait_60_seconds]
+
+  connection {
+    type        = "ssh"
+    user        = var.rhel_username
+    host        = openstack_compute_instance_v2.bastion[count.index].access_ip_v4
+    private_key = var.private_key
+    agent       = var.ssh_agent
+    timeout     = "${var.connection_timeout}m"
+  }
+  provisioner "remote-exec" {
+    inline = [
+      "whoami"
+    ]
+  }
+}
diff --git a/modules/1_bastion/variables.tf b/modules/1_bastion/variables.tf
@@ -51,3 +51,4 @@ variable "volume_storage_template" {}
 
 variable "setup_squid_proxy" {}
 variable "proxy" {}
+variable "fips_compliant" {}
diff --git a/modules/1_bastion/versions.tf b/modules/1_bastion/versions.tf
@@ -32,6 +32,9 @@ terraform {
       source  = "hashicorp/random"
       version = "~> 3.4"
     }
+    time = {
+      source = "hashicorp/time"
+      version = "0.9.1"
   }
   required_version = ">= 1.2.0"
 }
diff --git a/ocp.tf b/ocp.tf
@@ -66,6 +66,7 @@ module "bastion" {
   volume_storage_template         = var.volume_storage_template
   setup_squid_proxy               = var.setup_squid_proxy
   proxy                           = var.proxy
+  fips_compliant                  = var.fips_compliant
 }
 
 module "network" {
@@ -83,6 +84,7 @@ module "network" {
 }
 
 module "helpernode" {
+  depends_on = [module.bastion]
   source = "./modules/3_helpernode"
 
   cluster_domain            = var.cluster_domain