terraform-ibm-modules · ocofaigh · Feb 8, 2024 · Feb 5, 2024 · Feb 5, 2024 · Feb 5, 2024
@@ -22,7 +22,7 @@ repository:
 
   # Uncomment this description property
   # and update the description to the current repo description.
-  # description: ""
+  description: "Configures a Kubernetes namespace or Openshift project."
 
   # Use a comma-separated list of topics to set on the repo (ensure not to use any caps in the topic string).
-  topics: terraform, ibm-cloud, terraform-module
+  topics: terraform, namespace, core-team, ibm-cloud, terraform-module, supported, graduated, project, kubernetes, openshift
@@ -1,86 +1,93 @@
-<!-- Update the title -->
-# Terraform Modules Template Project
-
-<!--
-Update status and "latest release" badges:
-  1. For the status options, see https://terraform-ibm-modules.github.io/documentation/#/badge-status
-  2. Update the "latest release" badge to point to the correct module's repo. Replace "terraform-ibm-module-template" in two places.
--->
-[![Incubating (Not yet consumable)](https://img.shields.io/badge/status-Incubating%20(Not%20yet%20consumable)-red)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
-[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-module-template?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-module-template/releases/latest)
+# Namespace module
+
+[![Graduated (Supported)](https://img.shields.io/badge/Status-Graduated%20(Supported)-brightgreen)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
+[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-namespace?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-namespace/releases/latest)
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
 [![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/)
 [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
 
 <!-- Add a description of module(s) in this repo -->
-TODO: Replace me with description of the module(s) in this repo
-
+This module supports creating multiple Kubernetes namespaces / OpenShift projects with optional annotations and labels.
 
 <!-- Below content is automatically populated via pre-commit hook -->
 <!-- BEGIN OVERVIEW HOOK -->
 ## Overview
 * [terraform-ibm-namespace](#terraform-ibm-namespace)
 * [Examples](./examples)
     * [Basic example](./examples/basic)
-    * [Complete example](./examples/complete)
+    * [Create Namespace on the existing cluster example](./examples/create-namespaces-existing-cluster)
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->
 
-
-<!--
-If this repo contains any reference architectures, uncomment the heading below and links to them.
-(Usually in the `/reference-architectures` directory.)
-See "Reference architecture" in Authoring Guidelines in the public documentation at
-https://terraform-ibm-modules.github.io/documentation/#/implementation-guidelines?id=reference-architecture
--->
-<!-- ## Reference architectures -->
-
-
-<!-- This heading should always match the name of the root level module (aka the repo name) -->
 ## terraform-ibm-namespace
 
 ### Usage
 
-<!--
-Add an example of the use of the module in the following code block.
-
-Use real values instead of "var.<var_name>" or other placeholder values
-unless real values don't help users know what to change.
--->
-
 ```hcl
-
+##############################################################################
+# Init cluster config for kubernetes providers
+##############################################################################
+
+data "ibm_container_cluster_config" "cluster_config" {
+  cluster_name_id = var.cluster_id
+}
+
+##############################################################################
+# Config providers
+##############################################################################
+
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key # pragma: allowlist secret
+}
+
+provider "kubernetes" {
+  host                   = data.ibm_container_cluster_config.cluster_config.host
+  token                  = data.ibm_container_cluster_config.cluster_config.token
+  cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
+}
+
+##############################################################################
+# Namespace module
+##############################################################################
+
+module "namespace" {
+  source            = "terraform-ibm-modules/namespace/ibm"
+  version           = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific
+  namespaces = [
+    {
+      name = "my-namespace"
+      metadata = {
+        labels = {
+          "istio-injection" = "enabled"
+        }
+        annotations = {
+          "name" = "example-annotation"
+        }
+      }
+    },
+    {
+      name = "my-namespace-2"
+      metadata = {
+        labels = {
+          "istio-injection" = "enabled"
+        }
+        annotations = {
+          "name" = "example-annotation"
+        }
+      }
+    }
+  ]
+}
 ```
 
 ### Required IAM access policies
 
-<!-- PERMISSIONS REQUIRED TO RUN MODULE
-If this module requires permissions, uncomment the following block and update
-the sample permissions, following the format.
-Replace the sample Account and IBM Cloud service names and roles with the
-information in the console at
-Manage > Access (IAM) > Access groups > Access policies.
--->
-
-<!--
 You need the following permissions to run this module.
 
-- Account Management
-    - **Sample Account Service** service
-        - `Editor` platform access
-        - `Manager` service access
-    - IAM Services
-        - **Sample Cloud Service** service
-            - `Administrator` platform access
--->
-
-<!-- NO PERMISSIONS FOR MODULE
-If no permissions are required for the module, uncomment the following
-statement instead the previous block.
--->
-
-<!-- No permissions are needed to run this module.-->
-
+- IAM Services
+  - **Kubernetes** service
+      - `Viewer` platform access
+      - `Manager` service access
 
 <!-- Below content is automatically populated via pre-commit hook -->
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -89,18 +96,23 @@ statement instead the previous block.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0, <1.6.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.16.1, < 3.0.0 |
 
 ### Modules
 
 No modules.
 
 ### Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [kubernetes_namespace.create_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 
 ### Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_namespaces"></a> [namespaces](#input\_namespaces) | Set of namespaces to create | <pre>list(object({<br>    name = string<br>    metadata = optional(object({<br>      labels      = map(string)<br>      annotations = map(string)<br>    }))<br>  }))</pre> | n/a | yes |
 
 ### Outputs
 

@@ -1,7 +1,7 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "examples/complete" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
+  - CRA_TARGET: "examples/basic" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
     PROFILE_ID: "0e6e7b5a-817d-4344-ab6f-e5d7a9c49520" # SCC profile ID (currently set to the FSCloud 1.4.0 profile).
     # SCC_INSTANCE_ID: "" # The SCC instance ID to use to download profile for CRA scan. If not provided, a default global value will be used.

@@ -1,3 +1,10 @@
 {
-    "scc_rules": []
+    "scc_rules": [
+        {
+            "scc_rule_id": "rule-2325054a-c338-474a-9740-0b7034487e40",
+            "description:": "Check whether OpenShift clusters are accessible only by using private endpoints",
+            "ignore_reason": "This rule is not relevant to the module itself, just the cluster resource that is used in the example that is scanned",
+            "is_valid": false
+        }
+    ]
 }
@@ -1,11 +1,11 @@
 # Basic example
 
-<!--
-The basic example should call the module(s) stored in this repository with a basic configuration.
-Note, there is a pre-commit hook that will take the title of each example and include it in the repos main README.md.
-The text below should describe exactly what resources are provisioned / configured by the example.
--->
-
-An end-to-end basic example that will provision the following:
-- A new resource group if one is not passed in.
-- A new Cloud Object Storage instance.
+A basic example that shows how to create multiple namespaces (projects) with custom annotations and labels in an OCP cluster.
+
+The following resources are provisioned by this example:
+
+- A new resource group, if an existing one is not passed in.
+- A basic VPC.
+- An OCP VPC cluster.
+
+The namespace module then runs and creates project(s) in the OCP cluster.
@@ -1,6 +1,15 @@
-########################################################################################################################
-# Resource group
-########################################################################################################################
+##############################################################################
+# Locals
+##############################################################################
+
+locals {
+  cluster_name = var.prefix
+}
+
+
+##############################################################################
+# Resource Group
+##############################################################################
 
 module "resource_group" {
   source  = "terraform-ibm-modules/resource-group/ibm"
@@ -10,15 +19,94 @@ module "resource_group" {
   existing_resource_group_name = var.resource_group
 }
 
-########################################################################################################################
-# COS instance
-########################################################################################################################
+##################################################################
+## Create VPC and Cluster where namespaces will be created
+##################################################################
+
+resource "ibm_is_vpc" "example_vpc" {
+  name           = "${var.prefix}-vpc"
+  resource_group = module.resource_group.resource_group_id
+  tags           = var.resource_tags
+}
+
+resource "ibm_is_subnet" "testacc_subnet" {
+  name                     = "${var.prefix}-subnet"
+  vpc                      = ibm_is_vpc.example_vpc.id
+  zone                     = "${var.region}-2"
+  total_ipv4_address_count = 256
+  resource_group           = module.resource_group.resource_group_id
+}
 
 resource "ibm_resource_instance" "cos_instance" {
   name              = "${var.prefix}-cos"
-  resource_group_id = module.resource_group.resource_group_id
   service           = "cloud-object-storage"
   plan              = "standard"
   location          = "global"
-  tags              = var.resource_tags
+  resource_group_id = module.resource_group.resource_group_id
+}
+
+# Lookup the current default kube version
+data "ibm_container_cluster_versions" "cluster_versions" {}
+locals {
+  default_ocp_version = "${data.ibm_container_cluster_versions.cluster_versions.default_openshift_version}_openshift"
+}
+
+resource "ibm_container_vpc_cluster" "cluster" {
+  name                 = local.cluster_name
+  vpc_id               = ibm_is_vpc.example_vpc.id
+  kube_version         = local.default_ocp_version
+  flavor               = "bx2.4x16"
+  worker_count         = "2"
+  entitlement          = "cloud_pak"
+  cos_instance_crn     = ibm_resource_instance.cos_instance.id
+  force_delete_storage = true
+  zones {
+    subnet_id = ibm_is_subnet.testacc_subnet.id
+    name      = "${var.region}-2"
+  }
+  resource_group_id = module.resource_group.resource_group_id
+}
+
+data "ibm_container_cluster_config" "cluster_config" {
+  cluster_name_id   = ibm_container_vpc_cluster.cluster.id
+  resource_group_id = module.resource_group.resource_group_id
+}
+
+# Sleep for 30 secs to allow RBAC sync on cluster
+resource "time_sleep" "wait_operators" {
+  depends_on      = [data.ibm_container_cluster_config.cluster_config]
+  create_duration = "30s"
+}
+
+##############################################################################
+# NAMESPACE
+##############################################################################
+
+module "namespace" {
+  source     = "../../"
+  depends_on = [time_sleep.wait_operators]
+  namespaces = [
+    {
+      name = "my-namespace"
+      metadata = {
+        labels = {
+          "istio-injection" = "enabled"
+        }
+        annotations = {
+          "name" = "example-annotation"
+        }
+      }
+    },
+    {
+      name = "my-namespace-2"
+      metadata = {
+        labels = {
+          "istio-injection" = "enabled"
+        }
+        annotations = {
+          "name" = "example-annotation"
+        }
+      }
+    }
+  ]
 }
@@ -1,18 +1,13 @@
-########################################################################################################################
-# Outputs
-########################################################################################################################
-
-output "cos_instance_id" {
-  description = "COS instance id"
-  value       = ibm_resource_instance.cos_instance.id
+data "kubernetes_all_namespaces" "allns" {
+  depends_on = [module.namespace]
 }
 
-output "resource_group_name" {
-  description = "Resource group name"
-  value       = module.resource_group.resource_group_name
+output "my_namespace_present" {
+  value       = contains(data.kubernetes_all_namespaces.allns.namespaces, "my-namespace")
+  description = "Returns true if 'my-namespace' namespace is created. Otherwise false"
 }
 
-output "resource_group_id" {
-  description = "Resource group ID"
-  value       = module.resource_group.resource_group_id
+output "my_namespace_2_present" {
+  value       = contains(data.kubernetes_all_namespaces.allns.namespaces, "my-namespace-2")
+  description = "Returns true if 'my-namespace-2' namespace is created. Otherwise false"
 }
@@ -1,8 +1,10 @@
-########################################################################################################################
-# Provider config
-########################################################################################################################
-
 provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.region
 }
+
+provider "kubernetes" {
+  host                   = data.ibm_container_cluster_config.cluster_config.host
+  token                  = data.ibm_container_cluster_config.cluster_config.token
+  cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
+}