OCM-6285 | feat: Day1 SG support for HCP

terraform-redhat · Oct 8, 2024 · 6052d7d · 6052d7d
1 parent a2f1b94
commit 6052d7d
Show file tree

Hide file tree

Showing 9 changed files with 133 additions and 9 deletions.
diff --git a/docs/data-sources/cluster_rosa_hcp.md b/docs/data-sources/cluster_rosa_hcp.md
@@ -37,6 +37,7 @@ data "rhcs_cluster_rosa_hcp" "cluster" {
 - `api_url` (String) URL of the API server.
 - `availability_zones` (List of String) Availability zones. This attribute specifically applies to the Worker Machine Pool and becomes irrelevant once the resource is created. Any modifications to the initial Machine Pool should be made through the Terraform imported Machine Pool resource. For more details, refer to [Worker Machine Pool in ROSA Cluster](../guides/worker-machine-pool.md)
 - `aws_account_id` (String) Identifier of the AWS account. After the creation of the resource, it is not possible to update the attribute value.
+- `aws_additional_compute_security_group_ids` (List of String) AWS additional compute security group ids. After the creation of the resource, it is not possible to update the attribute value.
 - `aws_billing_account_id` (String) Identifier of the AWS account for billing. After the creation of the resource, it is not possible to update the attribute value.
 - `aws_subnet_ids` (List of String) AWS subnet IDs. After the creation of the resource, it is not possible to update the attribute value.
 - `channel_group` (String) This attribute is not supported for cluster data source. Therefore, it will not be displayed as an output of the datasource

diff --git a/docs/resources/cluster_rosa_hcp.md b/docs/resources/cluster_rosa_hcp.md
@@ -60,6 +60,7 @@ resource "rhcs_cluster_rosa_hcp" "rosa_sts_cluster" {
 ### Optional
 
 - `admin_credentials` (Attributes) Admin user credentials. After the creation of the resource, it is not possible to update the attribute value. (see [below for nested schema](#nestedatt--admin_credentials))
+- `aws_additional_compute_security_group_ids` (List of String) AWS additional compute security group ids.
 - `channel_group` (String) Name of the channel group where you select the OpenShift cluster version, for example 'stable'. For ROSA, only 'stable' is supported. After the creation of the resource, it is not possible to update the attribute value.
 - `compute_machine_type` (String) Identifies the machine type used by the initial worker nodes, for example `m5.xlarge`. Use the `rhcs_machine_types` data source to find the possible values. This attribute specifically applies to the Worker Machine Pool and becomes irrelevant once the resource is created. Any modifications to the initial Machine Pool should be made through the Terraform imported Machine Pool resource. For more details, refer to [Worker Machine Pool in ROSA Cluster](../guides/worker-machine-pool.md)
 - `create_admin_user` (Boolean) Indicates if create cluster admin user. Set it true to create cluster admin user with default username `cluster-admin` and generated password. It will be ignored if `admin_credentials` is set.After the creation of the resource, it is not possible to update the attribute value.

diff --git a/provider/clusterrosa/hcp/datasource.go b/provider/clusterrosa/hcp/datasource.go
@@ -260,6 +260,11 @@ func (r *ClusterRosaHcpDatasource) Schema(ctx context.Context, req datasource.Sc
 				Description: deprecatedMessage,
 				Computed:    true,
 			},
+			"aws_additional_compute_security_group_ids": schema.ListAttribute{
+				Description: "AWS additional compute security group ids. " + common.ValueCannotBeChangedStringDescription,
+				ElementType: types.StringType,
+				Computed:    true,
+			},
 		},
 	}
 }

diff --git a/provider/clusterrosa/hcp/resource.go b/provider/clusterrosa/hcp/resource.go
@@ -374,6 +374,11 @@ func (r *ClusterRosaHcpResource) Schema(ctx context.Context, req resource.Schema
 				Description: "Compute node root disk size, in GiB. " + rosaTypes.PoolMessage,
 				Optional:    true,
 			},
+			"aws_additional_compute_security_group_ids": schema.ListAttribute{
+				Description: "AWS additional compute security group ids.",
+				ElementType: types.StringType,
+				Optional:    true,
+			},
 		},
 	}
 }
@@ -519,6 +524,10 @@ func createHcpClusterObject(ctx context.Context,
 	if err != nil {
 		return nil, err
 	}
+	awsAdditionalComputeSecurityGroupIds, err := common.StringListToArray(ctx, state.AWSAdditionalComputeSecurityGroupIds)
+	if err != nil {
+		return nil, err
+	}
 	var stsBuilder *cmv1.STSBuilder
 	if state.Sts != nil {
 		stsBuilder = ocmr.CreateSTS(state.Sts.RoleARN.ValueString(), state.Sts.SupportRoleArn.ValueString(),
@@ -533,7 +542,7 @@ func createHcpClusterObject(ctx context.Context,
 	if err := ocmClusterResource.CreateAWSBuilder(rosaTypes.Hcp, awsTags, ec2MetadataHttpTokens,
 		kmsKeyARN, etcdKmsKeyArn,
 		isPrivate, awsAccountID, awsBillingAccountId, stsBuilder, awsSubnetIDs, nil, nil,
-		nil, nil, nil); err != nil {
+		awsAdditionalComputeSecurityGroupIds, nil, nil); err != nil {
 		return nil, err
 	}
 
@@ -874,6 +883,7 @@ func validateNoImmutableAttChange(state, plan *ClusterRosaHcpState) diag.Diagnos
 	common.ValidateStateAndPlanEquals(state.Sts.InstanceIAMRoles.WorkerRoleARN, plan.Sts.InstanceIAMRoles.WorkerRoleARN, "sts.instance_iam_roles.worker_role_arn", &diags)
 	common.ValidateStateAndPlanEquals(state.Sts.OIDCConfigID, plan.Sts.OIDCConfigID, "sts.oidc_config_id", &diags)
 	common.ValidateStateAndPlanEquals(state.Sts.OperatorRolePrefix, plan.Sts.OperatorRolePrefix, "sts.operator_role_prefix", &diags)
+	common.ValidateStateAndPlanEquals(state.AWSAdditionalComputeSecurityGroupIds, plan.AWSAdditionalComputeSecurityGroupIds, "aws_additional_compute_security_group_ids", &diags)
 
 	// default node pool's attributes
 	//common.ValidateStateAndPlanEquals(state.AutoScalingEnabled, plan.AutoScalingEnabled, "autoscaling_enabled", &diags)

diff --git a/provider/clusterrosa/hcp/state.go b/provider/clusterrosa/hcp/state.go
@@ -22,14 +22,15 @@ type ClusterRosaHcpState struct {
 	State          types.String `tfsdk:"state"`
 
 	// AWS fields
-	AWSAccountID        types.String `tfsdk:"aws_account_id"`
-	AWSBillingAccountID types.String `tfsdk:"aws_billing_account_id"`
-	AWSSubnetIDs        types.List   `tfsdk:"aws_subnet_ids"`
-	Sts                 *sts.HcpSts  `tfsdk:"sts"`
-	CloudRegion         types.String `tfsdk:"cloud_region"`
-	KMSKeyArn           types.String `tfsdk:"kms_key_arn"`
-	EtcdKmsKeyArn       types.String `tfsdk:"etcd_kms_key_arn"`
-	Tags                types.Map    `tfsdk:"tags"`
+	AWSAccountID                         types.String `tfsdk:"aws_account_id"`
+	AWSBillingAccountID                  types.String `tfsdk:"aws_billing_account_id"`
+	AWSSubnetIDs                         types.List   `tfsdk:"aws_subnet_ids"`
+	Sts                                  *sts.HcpSts  `tfsdk:"sts"`
+	CloudRegion                          types.String `tfsdk:"cloud_region"`
+	KMSKeyArn                            types.String `tfsdk:"kms_key_arn"`
+	EtcdKmsKeyArn                        types.String `tfsdk:"etcd_kms_key_arn"`
+	Tags                                 types.Map    `tfsdk:"tags"`
+	AWSAdditionalComputeSecurityGroupIds types.List   `tfsdk:"aws_additional_compute_security_group_ids"`
 
 	// Network fields
 	Domain      types.String `tfsdk:"domain"`

diff --git a/subsystem/hcp/cluster_resource_test.go b/subsystem/hcp/cluster_resource_test.go
@@ -3564,6 +3564,102 @@ var _ = Describe("HCP Cluster", func() {
 			Expect(runOutput.ExitCode).To(BeZero())
 		})
 
+		It("Creates private cluster with aws subnet ids & additional security groups", func() {
+			// Prepare the server:
+			TestServer.AppendHandlers(
+				CombineHandlers(
+					VerifyRequest(http.MethodGet, "/api/clusters_mgmt/v1/versions"),
+					RespondWithJSON(http.StatusOK, versionListPage),
+				),
+				CombineHandlers(
+					VerifyRequest(http.MethodPost, "/api/clusters_mgmt/v1/clusters"),
+					VerifyJQ(`.name`, "my-cluster"),
+					VerifyJQ(`.cloud_provider.id`, "aws"),
+					VerifyJQ(`.region.id`, "us-west-1"),
+					VerifyJQ(`.product.id`, "rosa"),
+					VerifyJQ(`.aws.subnet_ids.[0]`, "id1"),
+					VerifyJQ(`.aws.private_link`, true),
+					VerifyJQ(`.nodes.availability_zones.[0]`, "us-west-1a"),
+					VerifyJQ(`.api.listening`, "internal"),
+					VerifyJQ(`.aws.additional_compute_security_group_ids.[0]`, "id1"),
+					RespondWithPatchedJSON(http.StatusOK, template, `[
+					{
+					  "op": "add",
+					  "path": "/aws",
+					  "value": {
+						  "private_link": true,
+						  "subnet_ids": ["id1", "id2", "id3"],
+						  "additional_compute_security_group_ids": ["id1"],
+						  "sts" : {
+							  "oidc_endpoint_url": "https://127.0.0.1",
+							  "thumbprint": "111111",
+							  "role_arn": "",
+							  "support_role_arn": "",
+							  "instance_iam_roles" : {
+								"worker_role_arn" : ""
+							  },
+							  "operator_role_prefix" : "test"
+						  }
+					  }
+					},
+					{
+					  "op": "add",
+					  "path": "/api",
+					  "value": {
+					  	"listening": "internal"
+					  }
+					},
+					{
+					  "op": "replace",
+					  "path": "/nodes",
+					  "value": {
+						"availability_zones": [
+      						"us-west-1a",
+							"us-west-1b",
+							"us-west-1c"
+    					],
+						"compute_machine_type": {
+						   "id": "r5.xlarge"
+	    				}
+					  }
+					}]`),
+				),
+			)
+
+			// Run the apply command:
+			Terraform.Source(`
+			resource "rhcs_cluster_rosa_hcp" "my_cluster" {
+				name           = "my-cluster"
+				cloud_region   = "us-west-1"
+				aws_account_id = "123456789012"
+				aws_billing_account_id = "123456789012"
+				private = true
+				aws_subnet_ids = [
+					"id1", "id2", "id3"
+				]
+				aws_additional_compute_security_group_ids = [
+					"id1"
+				]
+				sts = {
+					operator_role_prefix = "test"
+					role_arn = "",
+					support_role_arn = "",
+					instance_iam_roles = {
+						worker_role_arn = "",
+					}
+				}
+				availability_zones = [
+					"us-west-1a",
+					"us-west-1b",
+					"us-west-1c",
+				]
+			}`)
+			runOutput := Terraform.Apply()
+			Expect(runOutput.ExitCode).To(BeZero())
+			resource := Terraform.Resource("rhcs_cluster_rosa_hcp", "my_cluster")
+			Expect(resource).To(MatchJQ(".attributes.aws_additional_compute_security_group_ids.[0]", "id1"))
+		})
+
 		It("Creates cluster when private link is false", func() {
 			// Prepare the server:
 			TestServer.AppendHandlers(

diff --git a/tests/tf-manifests/rhcs/clusters/rosa-hcp/main.tf b/tests/tf-manifests/rhcs/clusters/rosa-hcp/main.tf
@@ -63,6 +63,7 @@ resource "rhcs_cluster_rosa_hcp" "rosa_hcp_cluster" {
   proxy                        = var.proxy
   aws_subnet_ids               = var.aws_subnet_ids
   private                      = var.private
+  aws_additional_compute_security_group_ids       = var.additional_compute_security_groups
   compute_machine_type         = var.compute_machine_type
   ec2_metadata_http_tokens     = var.ec2_metadata_http_tokens
   etcd_encryption              = var.etcd_encryption

diff --git a/tests/tf-manifests/rhcs/clusters/rosa-hcp/output.tf b/tests/tf-manifests/rhcs/clusters/rosa-hcp/output.tf
@@ -16,4 +16,8 @@ output "properties" {
 
 output "tags" {
   value = rhcs_cluster_rosa_hcp.rosa_hcp_cluster.tags
+}
+
+output "additional_control_plane_security_groups" {
+  value = rhcs_cluster_rosa_hcp.rosa_hcp_cluster.aws_additional_compute_security_group_ids
 }
diff --git a/tests/tf-manifests/rhcs/clusters/rosa-hcp/variables.tf b/tests/tf-manifests/rhcs/clusters/rosa-hcp/variables.tf
@@ -215,3 +215,8 @@ variable "registry_config" {
   })
   default = null
 }
+
+variable "additional_compute_security_groups" {
+  type    = list(string)
+  default = null
+}