From ff78572f26bb3cfae254bfbc2fea792d77d778a0 Mon Sep 17 00:00:00 2001
From: Andrei Ilas
Date: Wed, 24 Jul 2024 15:08:38 +0300
Subject: [PATCH] add support for standalone operator policy
---
 module-operator.tf | 53 ++++++++++++++++++++---------------
 modules/operator/iam.tf | 21 ++++++++++++++
 modules/operator/variables.tf | 8 +++++-
 modules/operator/versions.tf | 5 ++--
 variables-operator.tf | 6 ++++
 5 files changed, 67 insertions(+), 26 deletions(-)
 create mode 100644 modules/operator/iam.tf
diff --git a/module-operator.tf b/module-operator.tf
index cb4d12de..c80b5fc8 100644
--- a/module-operator.tf
+++ b/module-operator.tf
@@ -54,29 +54,32 @@ module "operator" {
 bastion_user = var.bastion_user
 # Operator
- assign_dns = var.assign_dns
- availability_domain = coalesce(var.operator_availability_domain, lookup(local.ad_numbers_to_names, local.ad_numbers[0]))
- cloud_init = var.operator_cloud_init
- image_id = local.operator_image_id
- install_cilium = var.cilium_install
- install_helm = var.operator_install_helm
- install_istioctl = var.operator_install_istioctl
- install_k9s = var.operator_install_k9s
- install_kubectx = var.operator_install_kubectx
- install_kubectl_from_repo = var.operator_install_kubectl_from_repo
- kubeconfig = yamlencode(local.kubeconfig_private)
- kubernetes_version = var.kubernetes_version
- nsg_ids = compact(flatten([var.operator_nsg_ids, try(module.network.operator_nsg_id, null)]))
- operator_image_os_version = var.operator_image_os_version
- pv_transit_encryption = var.operator_pv_transit_encryption
- shape = var.operator_shape
- ssh_private_key = sensitive(local.ssh_private_key) # to await cloud-init completion
- ssh_public_key = local.ssh_public_key
- subnet_id = try(module.network.operator_subnet_id, "") # safe destroy; validated in submodule
- timezone = var.timezone
- upgrade = var.operator_upgrade
- user = var.operator_user
- volume_kms_key_id = var.operator_volume_kms_key_id
+ assign_dns = var.assign_dns
+ availability_domain = coalesce(var.operator_availability_domain, lookup(local.ad_numbers_to_names, local.ad_numbers[0]))
+ cloud_init = var.operator_cloud_init
+ create_cluster = var.create_cluster
+ create_operator_policy_to_manage_cluster = var.create_operator_policy_to_manage_cluster
+ cluster_id = one(module.cluster[*].cluster_id)
+ image_id = local.operator_image_id
+ install_cilium = var.cilium_install
+ install_helm = var.operator_install_helm
+ install_istioctl = var.operator_install_istioctl
+ install_k9s = var.operator_install_k9s
+ install_kubectx = var.operator_install_kubectx
+ install_kubectl_from_repo = var.operator_install_kubectl_from_repo
+ kubeconfig = yamlencode(local.kubeconfig_private)
+ kubernetes_version = var.kubernetes_version
+ nsg_ids = compact(flatten([var.operator_nsg_ids, try(module.network.operator_nsg_id, null)]))
+ operator_image_os_version = var.operator_image_os_version
+ pv_transit_encryption = var.operator_pv_transit_encryption
+ shape = var.operator_shape
+ ssh_private_key = sensitive(local.ssh_private_key) # to await cloud-init completion
+ ssh_public_key = local.ssh_public_key
+ subnet_id = try(module.network.operator_subnet_id, "") # safe destroy; validated in submodule
+ timezone = var.timezone
+ upgrade = var.operator_upgrade
+ user = var.operator_user
+ volume_kms_key_id = var.operator_volume_kms_key_id
 # Standard tags as defined if enabled for use, or freeform
@@ -95,6 +98,10 @@ module "operator" {
 depends_on = [
 module.iam,
 ]
+
+ providers = {
+ oci.home = oci.home
+ }
 }
 output "operator_id" {
diff --git a/modules/operator/iam.tf b/modules/operator/iam.tf
new file mode 100644
index 00000000..3cbc3117
--- /dev/null
+++ b/modules/operator/iam.tf
@@ -0,0 +1,21 @@
+# Copyright (c) 2022, 2024 Oracle Corporation and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+
+resource "oci_identity_policy" "operator_policy" {
+ count = var.create_cluster != null && var.create_operator_policy_to_manage_cluster ? 1 : 0
+
+ provider = oci.home
+
+ compartment_id = var.compartment_id
+ description = "Policies for OKE Operator host state ${var.state_id}"
+ name = "oke-operator-${var.state_id}"
+ statements = [
+ "ALLOW any-user to manage cluster-family in compartment id ${var.compartment_id} where all {target.cluster.id = '${var.cluster_id}', request.principal.type = 'instance', request.principal.id = '${oci_core_instance.operator.id}'}"
+ ]
+ defined_tags = var.defined_tags
+ freeform_tags = var.freeform_tags
+ lifecycle {
+ ignore_changes = [defined_tags, freeform_tags]
+ }
+}
diff --git a/modules/operator/variables.tf b/modules/operator/variables.tf
index c503c13b..57efefad 100644
--- a/modules/operator/variables.tf
+++ b/modules/operator/variables.tf
@@ -13,12 +13,18 @@ variable "bastion_user" { type = string }
 variable "assign_dns" { type = bool }
 variable "availability_domain" { type = string }
 variable "cloud_init" { type = list(map(string)) }
+variable "cluster_id" { type = string }
+variable "create_cluster" { type = bool }
+variable "create_operator_policy_to_manage_cluster" {
+ type = bool
+ default = false
+}
 variable "image_id" { type = string }
 variable "install_cilium" { type = bool }
 variable "install_helm" { type = bool }
 variable "install_istioctl" { type = bool }
 variable "install_k9s" { type = bool }
-variable "install_kubectl_from_repo" {
+variable "install_kubectl_from_repo" {
 type = bool
 default = true
 }
diff --git a/modules/operator/versions.tf b/modules/operator/versions.tf
index d5ccd4f1..3d82d59a 100644
--- a/modules/operator/versions.tf
+++ b/modules/operator/versions.tf
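Review bot: The count guard `var.create_cluster != null && var.create_operator_policy_to_manage_cluster` on `oci_identity_policy.operator_policy` is satisfied by `create_cluster = false`, because the variable is declared `type = bool` in this commit's modules/operator/variables.tf hunk and a bool is only null when a caller passes null explicitly. With no cluster, the root hunk in module-operator.tf passes `cluster_id = one(module.cluster[*].cluster_id)`, which evaluates to null and cannot be interpolated into the policy statement, so the plan fails instead of skipping the policy. The guard should read `count = var.create_cluster && var.create_operator_policy_to_manage_cluster ? 1 : 0`. The `any-user` grant is bounded by the where-clause to `request.principal.type = 'instance'`, the operator instance OCID and the target cluster OCID, so it grants nothing to other principals; a comment above `statements`, e.g. `# any-user is constrained by the where-clause to this operator instance principal and this cluster only`, would make that scoping explicit for the next reviewer. Whether `manage cluster-family` is the narrowest verb the operator's workflows need cannot be judged from this diff; if the host only runs kubectl against the cluster, a narrower verb would better match the "minimal" wording in the root variable description.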
@@ -16,8 +16,9 @@ terraform {
 }
 oci = {
- source = "oracle/oci"
- version = ">= 4.119.0"
+ configuration_aliases = [oci.home]
+ source = "oracle/oci"
+ version = ">= 4.119.0"
 }
 }
 }
diff --git a/variables-operator.tf b/variables-operator.tf
index d65cc615..66e40025 100644
--- a/variables-operator.tf
+++ b/variables-operator.tf
@@ -7,6 +7,12 @@ variable "create_operator" {
 type = bool
 }
+variable "create_operator_policy_to_manage_cluster" {
+ default = true
+ description = "Whether to create minimal IAM policy to allow the operator host to manage the cluster."
+ type = bool
+}
+
 variable "operator_availability_domain" {
 default = null
 description = "The availability domain for FSS placement. Defaults to first available."
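Review bot: The root `default = true` for `create_operator_policy_to_manage_cluster` disagrees with the submodule's `default = false` for the same variable in modules/operator/variables.tf; since the root passes the value explicitly, the submodule default is never used, and the two should agree or the submodule default should be dropped so the intent lives in one place. Because `true` means deployments that already have an operator host will create a new `oci_identity_policy` on their next apply, the description should state the effect and its scope, e.g. `description = "Whether to create a minimal IAM policy, scoped to the operator instance principal and this cluster, allowing the operator host to manage the cluster."`. A one-line note in the changelog or README that this is a behavior change on upgrade would also help operators who review IAM changes.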