[WIP] feat: Integrate ocp-base with SLZ

README.md

@@ -38,7 +38,8 @@ For more information about the default configuration, see [Default Secure Landin
 ## Overview
 * [terraform-ibm-landing-zone](#terraform-ibm-landing-zone)
 * [Examples](./examples)
-    * [One VPC with one VSI example](./examples/one-vpc-one-vsi)
+    * [One VPC with one VSI](./examples/one-vpc-one-vsi)
+    * [One VSI with one IKS](./examples/one-vsi-one-iks)
     * [Override.json example](./examples/override-example)
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->
@@ -837,6 +838,44 @@ module "cluster_pattern" {
 }
 ```
 
+## Required IAM access policies
+
+<!-- PERMISSIONS REQUIRED TO RUN MODULE
+If this module requires permissions, uncomment the following block and update
+the sample permissions, following the format.
+Replace the sample Account and IBM Cloud service names and roles with the
+information in the console at
+Manage > Access (IAM) > Access groups > Access policies.
+-->
+
+<!--
+You need the following permissions to run this module.
+
+- Account Management
+    - **Sample Account Service** service
+        - `Editor` platform access
+        - `Manager` service access
+    - IAM Services
+        - **Sample Cloud Service** service
+            - `Administrator` platform access
+-->
+
+<!-- NO PERMISSIONS FOR MODULE
+If no permissions are required for the module, uncomment the following
+statement instead the previous block.
+-->
+
+<!-- No permissions are needed to run this module.-->
+<!-- END MODULE HOOK -->
+
+<!-- BEGIN EXAMPLES HOOK -->
+## Examples
+
+- [ One VPC with one VSI](examples/one-vpc-one-vsi)
+- [ One VSI with one IKS](examples/one-vsi-one-iks)
+- [ Override.json example](examples/override-example)
+<!-- END EXAMPLES HOOK -->
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ### Requirements
 
@@ -852,6 +891,7 @@ module "cluster_pattern" {
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_bastion_host"></a> [bastion\_host](#module\_bastion\_host) | terraform-ibm-modules/landing-zone-vsi/ibm | 3.3.0 |
+| <a name="module_cluster"></a> [cluster](#module\_cluster) | terraform-ibm-modules/base-ocp-vpc/ibm | 3.27.0 |
 | <a name="module_dynamic_values"></a> [dynamic\_values](#module\_dynamic\_values) | ./dynamic_values | n/a |
 | <a name="module_f5_vsi"></a> [f5\_vsi](#module\_f5\_vsi) | terraform-ibm-modules/landing-zone-vsi/ibm | 3.3.0 |
 | <a name="module_key_management"></a> [key\_management](#module\_key\_management) | ./kms | n/a |
@@ -909,7 +949,7 @@ module "cluster_pattern" {
 |------|-------------|------|---------|:--------:|
 | <a name="input_appid"></a> [appid](#input\_appid) | The App ID instance to be used for the teleport vsi deployments | <pre>object({<br>    name           = optional(string)<br>    resource_group = optional(string)<br>    use_data       = optional(bool)<br>    keys           = optional(list(string))<br>    use_appid      = bool<br>  })</pre> | <pre>{<br>  "use_appid": false<br>}</pre> | no |
 | <a name="input_atracker"></a> [atracker](#input\_atracker) | atracker variables | <pre>object({<br>    resource_group        = string<br>    receive_global_events = bool<br>    collector_bucket_name = string<br>    add_route             = bool<br>  })</pre> | n/a | yes |
-| <a name="input_clusters"></a> [clusters](#input\_clusters) | A list describing clusters workloads to create | <pre>list(<br>    object({<br>      name                                = string           # Name of Cluster<br>      vpc_name                            = string           # Name of VPC<br>      subnet_names                        = list(string)     # List of vpc subnets for cluster<br>      workers_per_subnet                  = number           # Worker nodes per subnet.<br>      machine_type                        = string           # Worker node flavor<br>      kube_type                           = string           # iks or openshift<br>      kube_version                        = optional(string) # Can be a version from `ibmcloud ks versions` or `default`<br>      entitlement                         = optional(string) # entitlement option for openshift<br>      secondary_storage                   = optional(string) # Secondary storage type<br>      pod_subnet                          = optional(string) # Portable subnet for pods<br>      service_subnet                      = optional(string) # Portable subnet for services<br>      resource_group                      = string           # Resource Group used for cluster<br>      cos_name                            = optional(string) # Name of COS instance Required only for OpenShift clusters<br>      access_tags                         = optional(list(string), [])<br>      boot_volume_crk_name                = optional(string)      # Boot volume encryption key name<br>      disable_public_endpoint             = optional(bool, true)  # disable cluster public, leaving only private endpoint<br>      disable_outbound_traffic_protection = optional(bool, false) # public outbound access from the cluster workers<br>      cluster_force_delete_storage        = optional(bool, false) # force the removal of persistent storage associated with the cluster during cluster deletion<br>      addons = optional(object({                                  # Map of OCP cluster add-on versions to install<br>        debug-tool                = optional(string)<br>        image-key-synchronizer    = optional(string)<br>        openshift-data-foundation = optional(string)<br>        vpc-file-csi-driver       = optional(string)<br>        static-route              = optional(string)<br>        cluster-autoscaler        = optional(string)<br>        vpc-block-csi-driver      = optional(string)<br>      }), {})<br>      manage_all_addons = optional(bool, false) # Instructs Terraform to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this module will destroy any addons that were installed by other sources.<br>      kms_config = optional(<br>        object({<br>          crk_name         = string         # Name of key<br>          private_endpoint = optional(bool) # Private endpoint<br>        })<br>      )<br>      worker_pools = optional(<br>        list(<br>          object({<br>            name                 = string           # Worker pool name<br>            vpc_name             = string           # VPC name<br>            workers_per_subnet   = number           # Worker nodes per subnet<br>            flavor               = string           # Worker node flavor<br>            subnet_names         = list(string)     # List of vpc subnets for worker pool<br>            entitlement          = optional(string) # entitlement option for openshift<br>            secondary_storage    = optional(string) # Secondary storage type<br>            boot_volume_crk_name = optional(string) # Boot volume encryption key name<br>          })<br>        )<br>      )<br>    })<br>  )</pre> | n/a | yes |
+| <a name="input_clusters"></a> [clusters](#input\_clusters) | A list describing clusters workloads to create | <pre>list(<br>    object({<br>      name                                = string           # Name of Cluster<br>      vpc_name                            = string           # Name of VPC<br>      subnet_names                        = list(string)     # List of vpc subnets for cluster<br>      workers_per_subnet                  = number           # Worker nodes per subnet.<br>      machine_type                        = string           # Worker node flavor<br>      kube_type                           = string           # iks or openshift<br>      kube_version                        = optional(string) # Can be a version from `ibmcloud ks versions` or `default`<br>      entitlement                         = optional(string) # entitlement option for openshift<br>      secondary_storage                   = optional(string) # Secondary storage type<br>      pod_subnet                          = optional(string) # Portable subnet for pods<br>      service_subnet                      = optional(string) # Portable subnet for services<br>      resource_group                      = string           # Resource Group used for cluster<br>      cos_name                            = optional(string) # Name of COS instance Required only for OpenShift clusters<br>      access_tags                         = optional(list(string), [])<br>      boot_volume_crk_name                = optional(string)      # Boot volume encryption key name<br>      disable_public_endpoint             = optional(bool, true)  # disable cluster public, leaving only private endpoint<br>      disable_outbound_traffic_protection = optional(bool, false) # public outbound access from the cluster workers<br>      cluster_force_delete_storage        = optional(bool, false) # force the removal of persistent storage associated with the cluster during cluster deletion<br>      verify_worker_network_readiness     = optional(bool)        # Flag to run a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false.<br>      use_private_endpoint                = optional(bool, false) # Flag to force all cluster related api calls to use the IBM Cloud private endpoints.<br>      minimum_size                        = optional(number)      # Minimum number of worker nodes per zone that the cluster autoscaler can scale down the worker pool to.<br>      maximum_size                        = optional(number)      # Maximum number of worker nodes per zone that the cluster autoscaler can scale up the worker pool to.<br>      enable_autoscaling                  = optional(bool, false) # Flag to set cluster autoscaler to manage scaling for the worker pool.<br>      addons = optional(object({                                  # Map of OCP cluster add-on versions to install<br>        debug-tool                = optional(string)<br>        image-key-synchronizer    = optional(string)<br>        openshift-data-foundation = optional(string)<br>        vpc-file-csi-driver       = optional(string)<br>        static-route              = optional(string)<br>        cluster-autoscaler        = optional(string)<br>        vpc-block-csi-driver      = optional(string)<br>      }), {})<br>      manage_all_addons = optional(bool, false) # Instructs Terraform to manage all cluster addons, even if addons were installed outside of the module. If set to 'true' this module will destroy any addons that were installed by other sources.<br>      kms_config = optional(<br>        object({<br>          crk_name         = string         # Name of key<br>          private_endpoint = optional(bool) # Private endpoint<br>        })<br>      )<br>      worker_pools = optional(<br>        list(<br>          object({<br>            name                 = string                # Worker pool name<br>            vpc_name             = string                # VPC name<br>            workers_per_subnet   = number                # Worker nodes per subnet<br>            flavor               = string                # Worker node flavor<br>            subnet_names         = list(string)          # List of vpc subnets for worker pool<br>            entitlement          = optional(string)      # entitlement option for openshift<br>            secondary_storage    = optional(string)      # Secondary storage type<br>            boot_volume_crk_name = optional(string)      # Boot volume encryption key name<br>            minimum_size         = optional(number)      # Minimum number of worker nodes per zone that the cluster autoscaler can scale down the worker pool to.<br>            maximum_size         = optional(number)      # Maximum number of worker nodes per zone that the cluster autoscaler can scale up the worker pool to.<br>            enable_autoscaling   = optional(bool, false) # Flag to set cluster autoscaler to manage scaling for the worker pool.<br>          })<br>        )<br>      )<br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_cos"></a> [cos](#input\_cos) | Object describing the cloud object storage instance, buckets, and keys. Set `use_data` to false to create instance | <pre>list(<br>    object({<br>      name           = string<br>      use_data       = optional(bool)<br>      resource_group = string<br>      plan           = optional(string)<br>      random_suffix  = optional(bool) # Use a random suffix for COS instance<br>      access_tags    = optional(list(string), [])<br>      buckets = list(object({<br>        name                  = string<br>        storage_class         = string<br>        endpoint_type         = string<br>        force_delete          = bool<br>        single_site_location  = optional(string)<br>        region_location       = optional(string)<br>        cross_region_location = optional(string)<br>        kms_key               = optional(string)<br>        access_tags           = optional(list(string), [])<br>        allowed_ip            = optional(list(string), [])<br>        hard_quota            = optional(number)<br>        archive_rule = optional(object({<br>          days    = number<br>          enable  = bool<br>          rule_id = optional(string)<br>          type    = string<br>        }))<br>        expire_rule = optional(object({<br>          days                         = optional(number)<br>          date                         = optional(string)<br>          enable                       = bool<br>          expired_object_delete_marker = optional(string)<br>          prefix                       = optional(string)<br>          rule_id                      = optional(string)<br>        }))<br>        activity_tracking = optional(object({<br>          activity_tracker_crn = string<br>          read_data_events     = bool<br>          write_data_events    = bool<br>        }))<br>        metrics_monitoring = optional(object({<br>          metrics_monitoring_crn  = string<br>          request_metrics_enabled = optional(bool)<br>          usage_metrics_enabled   = optional(bool)<br>        }))<br>      }))<br>      keys = optional(<br>        list(object({<br>          name        = string<br>          role        = string<br>          enable_HMAC = bool<br>        }))<br>      )<br><br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_enable_transit_gateway"></a> [enable\_transit\_gateway](#input\_enable\_transit\_gateway) | Create transit gateway | `bool` | `true` | no |
 | <a name="input_f5_template_data"></a> [f5\_template\_data](#input\_f5\_template\_data) | Data for all f5 templates | <pre>object({<br>    tmos_admin_password     = optional(string)<br>    license_type            = optional(string)<br>    byol_license_basekey    = optional(string)<br>    license_host            = optional(string)<br>    license_username        = optional(string)<br>    license_password        = optional(string)<br>    license_pool            = optional(string)<br>    license_sku_keyword_1   = optional(string)<br>    license_sku_keyword_2   = optional(string)<br>    license_unit_of_measure = optional(string)<br>    do_declaration_url      = optional(string)<br>    as3_declaration_url     = optional(string)<br>    ts_declaration_url      = optional(string)<br>    phone_home_url          = optional(string)<br>    template_source         = optional(string)<br>    template_version        = optional(string)<br>    app_id                  = optional(string)<br>    tgactive_url            = optional(string)<br>    tgstandby_url           = optional(string)<br>    tgrefresh_url           = optional(string)<br>  })</pre> | <pre>{<br>  "license_type": "none"<br>}</pre> | no |