This repository helps to create an OTC-based cloud-native infrastructure landscape with Kubernetes, load balancers, VPCs, etc. With these modules, we provide you a rocket start while you can still deep-dive into detailed configuration later.

License: GNU General Public License v3.0

HCL 97.07% Shell 1.81% Go 1.11%

otc opentelekomcloud terraform terraform-modules repository

terraform-opentelekomcloud-project-factory's Introduction

Common Terraform Modules for Open Telekom Cloud

These are commonly usable Terraform Modules for the Open Telekom Cloud based on the awesome Terraform OTC Provider.

These modules are developed by iits-consulting - your Cloud-Native Innovation Teams as a Service!

Usage:

For fully integrated examples please visit the Terratest Directory You pick modules which you would like to use like this:

module "vpc" {
   source     = "registry.terraform.io/iits-consulting/project-factory/opentelekomcloud//modules/vpc"
   version    = "5.2.0"
   name       = "myproject-dev-vpc"
   cidr_block = "192.168.0.0/16"
   subnets = {
      "myproject-dev-subnet" = cidrsubnet("192.168.0.0/16", 1, 0)
   }
}

Currently Available Modules

ACME: Create, sign and update HTTPS certificates via OTC DNS
CCE: A module designed to support full capabilities of OTC CCE while simplifying the configuration for ease of use.
cts: This module enables the Cloud Tracing functionality in the OTC.
jumphost: A module designed to create SSH jumphosts via OTC ECS for private networks.
keycloak_saml: Connects Keycloak with OTC SAML IDP
keycloak_oidc: Connects Keycloak with OTC OIDC IDP
loadbalancer: Module for creating an OTC ELB resource with public EIP
obs_secrets_reader: This modules reads JSON formatted secrets from an OBS bucket.
obs_secrets_writer: This modules creates an OBS Bucket with KMS SSE default encryption and a JSON encoded secrets file within the bucket.
obs_restricted: This modules creates OBS bucket restricted by predefined access policy.
private_dns: Create and manage a private DNS zone within you VPC
public_dns: Create and manage a public DNS zone
rds: A module designed to support full capabilities of OTC RDS while simplifying the configuration for ease of use.
snat: Public SNAT gateway to grant internet access from a VPC without shared SNAT.
vpn: Creates a VPN tunnel.
waf: Create Web Application Firewall for a Domain
evs: Create an encrypted Elastic Volume Service (EVS)
state_bucket: Create an encrypted state bucket for Terraform
cce_gpu_node_pool: GPU Node Pool for CCE

Quickstart

As a quick start we recommend using this template:

https://github.com/iits-consulting/otc-terraform-template

Then just adjust the set-env.sh and the showcase/dev/main.tf as you wish

Common Concepts behind the modules

There are some variables that occur on multiple modules. The ideas behind them are explained here.

Variable	Description	Example
`context`	A human-readable name of the project	`website`, `payments-service`
`stage`	Name of the environment	`dev`, `test`, `qa`, `prod`

Remarks

The following modules are currently not working for Swiss OTC:

public_dns: Create and manage a public DNS zone
waf: Create Web Application Firewall for a Domain

Recommendations

We recommend this kind of Terraform folder structure:
Set up a secure remote Terraform state . Copy the backend output of that module to your settings.tf file
Use https://github.com/iits-consulting/otc-infrastructure-charts-template if you want to use ArgoCD (GitOps)

Requirements

No requirements.

Providers

No providers.

Modules

No modules.

Resources

No resources.

Inputs

No inputs.

Outputs

No outputs.

terraform-opentelekomcloud-project-factory's People

Contributors

Stargazers

Watchers

terraform-opentelekomcloud-project-factory's Issues

Extension of loadbalancer/snat terraform module

We need to add an snat rule via terraform . For this, floating ip id is required ( https://registry.terraform.io/providers/opentelekomcloud/opentelekomcloud/latest/docs/resources/nat_snat_rule_v2) . we want to use as floating ip id the elastic ip id.
. this could be taken from the loadbalancer module ( https://github.com/iits-consulting/terraform-opentelekomcloud-project-factory/blob/master/modules/loadbalancer/main.tf)
unfortunately this does not have the elastic ip id as output. can this output be added to the module?

SNAT: Example from README.md gives error

Hi iits-Team,

before submitting I want to thank you for sharing and enhancing these modules.

I was using the example VPC and SNAT module usage from the snat readme

this is what my test looks like:

module "vpc" {
  source  = "registry.terraform.io/iits-consulting/project-factory/opentelekomcloud//modules/vpc"
  version = "4.2.2"

  cidr_block         = var.vpc_cidr
  name               = "vpc-${var.context_name}-${var.stage_name}"
  enable_shared_snat = false
  subnets = {
    "subnet-0" = cidrsubnet(var.vpc_cidr, 2, 0)
    "subnet-1" = cidrsubnet(var.vpc_cidr, 2, 1)
    "subnet-2" = cidrsubnet(var.vpc_cidr, 2, 2)
    "subnet-3" = cidrsubnet(var.vpc_cidr, 2, 3)
  }
  tags = var.tags
}

module "snat" {
  source  = "registry.terraform.io/iits-consulting/project-factory/opentelekomcloud//modules/snat"
  version = "4.2.2"

  name_prefix = "${var.context_name}-${var.stage_name}"
  subnet_id   = module.vpc.subnets["subnet-0"].id
  vpc_id      = module.vpc.vpc.id
  network_ids = values(module.vpc.subnets)[*].id
  tags        = var.tags
}

this is my variables.auto.tfvars

vpc_cidr     = "10.41.0.0/16"
stage_name   = "nonprod"
context_name = "team1"
tags = {}

While running tf apply I get this error (with TF version v1.2.7 and v1.1.9):

╷
│ Error: Invalid count argument
│ 
│   on .terraform/modules/snat/modules/snat/snat.tf line 22, in resource "opentelekomcloud_nat_snat_rule_v2" "snat_subnet_default":
│   22:   count          = length(var.network_ids) > 0 ? 0 : 1
│ 
│ The "count" value depends on resource attributes that cannot be determined
│ until apply, so Terraform cannot predict how many instances will be
│ created. To work around this, use the -target argument to first apply only
│ the resources that the count depends on.
╵
╷
│ Error: Invalid for_each argument
│ 
│   on .terraform/modules/snat/modules/snat/snat.tf line 30, in resource "opentelekomcloud_nat_snat_rule_v2" "snat_subnet":
│   30:   for_each       = var.network_ids
│     ├────────────────
│     │ var.network_ids is set of string with 4 elements
│ 
│ The "for_each" value depends on resource attributes that cannot be
│ determined until apply, so Terraform cannot predict how many instances will
│ be created. To work around this, use the -target argument to first apply
│ only the resources that the for_each depends on.

What I tried:

storing values(module.vpc.subnets)[*].id in a local variable and reference that in the snat module -> same error

I can work around this problem by:

comment out the snat module && tf apply
1a. comment in again the snat module && tf apply
or
separate the state of vpc and snat (different folders / backends) and use a data source

Do you see any chance to get this applied together in the same tfstate?
Did you every got the example in the snat readme working; if yes, with which version of terraform?

Any hint is very welcome.
Thanks Karsten

Module for SAML IDP Integration

Since the terraform provider of OTC supports now SAML IDP we should make a module for that

Restricted OBS Module for Project Factory

We need a module for a restricted OBS which uses the predefined opentelekomcloud_obs_bucket_policy

We use the project already in several other projects and i think we can make it public

ACME module uses unsupported argument default_project_id

Dear iits colleagues

Running the ACME example I get an error

╷
│ Error: Unsupported argument
│
│   on .terraform/modules/acme_certificate/modules/acme/dns_admin.tf line 39, in resource "opentelekomcloud_identity_user_v3" "dns_admin":
│   39:   default_project_id = data.opentelekomcloud_identity_project_v3.project.id
│
│ An argument named "default_project_id" is not expected here.
╵

seems there is no default_project_id in opentelekomcloud_identity_user_v3 (https://registry.terraform.io/providers/opentelekomcloud/opentelekomcloud/1.36.0/docs/resources/identity_user_v3)
maybe was in the past?

My code

module "acme_certificate" {
  source                  = "registry.terraform.io/iits-consulting/project-factory/opentelekomcloud//modules/acme"
  version                 = "5.7.1"
  otc_domain_name         = var.otc_domain
  otc_project_name        = var.otc_project
  cert_registration_email = local.acme_email
  dns_admin_name          = local.acme_dns_admin_name
  domains = {
    "${local.domain_name}" = ["*.${local.domain_name}"]
  }
}

Regards,
Sener

Add Data Volume KMS Encryption for CCE Node Pools

We need to have a variable to be able to Encryption the data volume for the CCE Node Pools.

The default value should be true

Feature request allow 0 for SNAT and make it Default

Since OTC also allows the mini SNAT it should be the default for our terraform provider

variable.tf of module cce version 4.2.2 not campatible with Terraform version 1.3.2

With Terraform version 1.3.2 , trying to create CCE version 4.2.2, we get below error
Error: Call to unknown function
│
│ on variables.tf line 46, in locals:
│ 46: cluster_config = defaults(var.cluster_config, {
│ 47: cluster_type = "VirtualMachine"
│ 48: cluster_size = "small"
│ 49: container_network_type = var.cluster_config.cluster_type == "VirtualMachine" || var.cluster_config.cluster_type == null ? "vpc-router" : "underlay_ipvlan"
│ 50: container_cidr = "172.16.0.0/16"
│ 51: service_cidr = "10.247.0.0/16"
│ 52: high_availability = false
│ 53: enable_scaling = false
│ 54: install_icagent = false
│ 55: })
│ ├────────────────
│ │ var.cluster_config is a object
│ │ var.cluster_config.cluster_type is a string
│
│ There is no function named "defaults".

Misleading naming of vpc subnet ids / network ids

CCE-Module
For the CCE module, the naming of the attribute "subnet_id" suggests, that indeed the "subnet_id" is needed.
Instead it should be named "network_id" because it is the network_id that has to be used here.

Also for the VPC module "subnets" outputs, it might make more sense to use "network_id" and "subnet_id".

Suggestion:

VPC-Module
Change

vpc_subnets = {
      id        = "xxxx-xxxx-xxxx-xxxx-xxxx"
      subnet_id = "xxxx-xxxx-xxxx-xxxx-xxxx-yyyy"
 }

vpc_subnets = {
      network_id  = "xxxx-xxxx-xxxx-xxxx-xxxx"
      subnet_id   = "xxxx-xxxx-xxxx-xxxx-xxxx-yyyy"
 }

Improvement: Modify node pools - changes without downtime

Hi iits team,

as always: thanks a million for all your work and effort in this.

We have following question:
In case we what to change the node flavor or operation system version, all nodes in all node pools are replaced. By default this is done all at once in parallel in terraform - which causes a downtime.
Do you see any chance to ensure the nodes are replaced without downtime?

My idea was to use the create_before_destroy meta argument in the node pool resource.
I was able to test this successfully -- e.g. it is possible to have two node pools named "mycluster-nodes-eu-de-03".

Thanks in advance.
Karsten

Allow to set container_network_type for CCE Module

Currently we are not able to container_network_type for the CCE Module.

Please add a variable to be able to set the container_network_type

Module for Public DNS Handling

For Public DNS we need something similiar like the private DNS module.

It is for a common case where you just need to make A Entries

Add a RDS module

It would be nice to have a RDS module which makes it easier to create a OTC RDS setup.

Add module for remote tf state creation (encrypted)

ssh_keypair-module is missing ssh-key output

v1.0.1
Is there any chance to output the ssh.key? (pem File) or write it into the vault?

RDS: issues with securitygroup protocol

details

Hi iits team,
we're using your rds module since quite some time. Just recently, we're seeing an error.
Not sure if there was a breaking change in the underlying provider.
Have you experienced the same error and discovered a workaround ?

Thanks Karsten

tf code

terraform {
  required_providers {
    opentelekomcloud = {
      source  = "opentelekomcloud/opentelekomcloud"
      version = "1.34.3"
    }
  }
}

module "rds" {
  source  = "registry.terraform.io/iits-consulting/project-factory/opentelekomcloud//modules/rds"
  version = "5.3.0"

  name                          = "myrds"
  vpc_id                        = data.opentelekomcloud_vpc_v1.vpc_1.id
  subnet_id                     = data.opentelekomcloud_vpc_subnet_v1.subnet_1.id
  sg_allowed_cidr               = ["10.233.4.0/22", "192.168.0.0/16"]
  db_type                       = "PostgreSQL"
  db_version                    = "13"
  db_cpus                       = "4"
  db_memory                     = "16"
  db_high_availability          = false
  db_ha_replication_mode        = "async"
  db_volume_encryption_key_name = "default_kms"
  db_parameters = {
    max_connections = "1000",
  }
}

error

$ terraform apply

Initializing modules...
Downloading registry.terraform.io/iits-consulting/project-factory/opentelekomcloud 5.3.0 for rds...
- rds in .terraform/modules/rds/modules/rds
Initializing the backend...
Successfully configured the backend "http"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding opentelekomcloud/opentelekomcloud versions matching "1.34.3"...
- Finding latest version of iits-consulting/errorcheck...
- Finding latest version of hashicorp/random...
- Installing opentelekomcloud/opentelekomcloud v1.34.3...
- Installed opentelekomcloud/opentelekomcloud v1.34.3 (self-signed, key ID 3EDA0171114F71DF)
- Installing iits-consulting/errorcheck v3.0.3...
- Installed iits-consulting/errorcheck v3.0.3 (self-signed, key ID B455D9AE9E8CCCD8)
- Installing hashicorp/random v3.5.1...
- Installed hashicorp/random v3.5.1 (signed by HashiCorp)
Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
Terraform has been successfully initialized!
module.rds.errorcheck_is_valid.db_ha_replication_mode_constraint: Creating...
module.rds.errorcheck_is_valid.db_ha_replication_mode_constraint: Creation complete after 0s [id=Check if a selected HA replication mode is supported on OTC.]
module.rds.random_password.db_root_password: Creating...
module.rds.random_password.db_root_password: Creation complete after 0s [id=none]
module.rds.errorcheck_is_valid.db_availability_zones: Creating...
module.rds.errorcheck_is_valid.db_availability_zones: Creation complete after 0s [id=Check if db_availability_zones is set up correctly.]
module.rds.opentelekomcloud_networking_secgroup_v2.db_secgroup[0]: Creating...
module.rds.errorcheck_is_valid.db_flavor_constraint: Creating...
module.rds.errorcheck_is_valid.db_flavor_constraint: Creation complete after 0s [id=Check if a flavor is found in OTC.]
module.rds.opentelekomcloud_networking_secgroup_v2.db_secgroup[0]: Creation complete after 2s [id=485430d4-c06f-4601-aacf-8f6fefbf83b5]
module.rds.opentelekomcloud_networking_secgroup_rule_v2.db_secgroup_out[0]: Creating...
module.rds.opentelekomcloud_networking_secgroup_rule_v2.db_allow_cidr["192.168.0.0/16"]: Creating...
module.rds.opentelekomcloud_networking_secgroup_rule_v2.db_allow_out[0]: Creating...
module.rds.opentelekomcloud_networking_secgroup_rule_v2.db_secgroup_in[0]: Creating...
module.rds.opentelekomcloud_networking_secgroup_rule_v2.db_allow_cidr["10.233.4.0/22"]: Creating...
module.rds.opentelekomcloud_networking_secgroup_rule_v2.db_allow_cidr["10.233.4.0/22"]: Creation complete after 0s [id=3841d4cd-405a-4446-be81-bb27f14ae4e4]
module.rds.opentelekomcloud_networking_secgroup_rule_v2.db_allow_cidr["192.168.0.0/16"]: Creation complete after 0s [id=04aacbc7-8239-4112-8eb2-a3bef4926421]
module.rds.opentelekomcloud_rds_instance_v3.db_instance: Creating...
module.rds.opentelekomcloud_rds_instance_v3.db_instance: Still creating... [10s elapsed]
module.rds.opentelekomcloud_rds_instance_v3.db_instance: Still creating... [20s elapsed]
...
module.rds.opentelekomcloud_rds_instance_v3.db_instance: Still creating... [8m0s elapsed]
module.rds.opentelekomcloud_rds_instance_v3.db_instance: Creation complete after 8m1s [id=938d72b6cc3446d4881d3bcbce49459din03]
module.rds.opentelekomcloud_ces_alarmrule.db_storage_alarm[0]: Creating...
module.rds.opentelekomcloud_ces_alarmrule.db_storage_alarm[0]: Creation complete after 0s [id=al16836167366[28]
╷
│ Error: Bad request with: [POST https://vpc.eu-de.otc.t-systems.com/v2.0/security-group-rules], error message: {"NeutronError":{"message":"Must also specify protocol if port range is given.","type":"SecurityGroupProtocolRequiredWithPorts","detail":""}}
│ 
│   with module.rds.opentelekomcloud_networking_secgroup_rule_v2.db_secgroup_in[0],
│   on .terraform/modules/rds/modules/rds/security.tf line 8, in resource "opentelekomcloud_networking_secgroup_rule_v2" "db_secgroup_in":
│    8: resource "opentelekomcloud_networking_secgroup_rule_v2" "db_secgroup_in" {
│ 
╵
╷
│ Error: Bad request with: [POST https://vpc.eu-de.otc.t-systems.com/v2.0/security-group-rules], error message: {"NeutronError":{"message":"Must also specify protocol if port range is given.","type":"SecurityGroupProtocolRequiredWithPorts","detail":""}}
│ 
│   with module.rds.opentelekomcloud_networking_secgroup_rule_v2.db_secgroup_out[0],
│   on .terraform/modules/rds/modules/rds/security.tf line 19, in resource "opentelekomcloud_networking_secgroup_rule_v2" "db_secgroup_out":
│   19: resource "opentelekomcloud_networking_secgroup_rule_v2" "db_secgroup_out" {
│ 
╵
╷
│ Error: Bad request with: [POST https://vpc.eu-de.otc.t-systems.com/v2.0/security-group-rules], error message: {"NeutronError":{"message":"Must also specify protocol if port range is given.","type":"SecurityGroupProtocolRequiredWithPorts","detail":""}}
│ 
│   with module.rds.opentelekomcloud_networking_secgroup_rule_v2.db_allow_out[0],
│   on .terraform/modules/rds/modules/rds/security.tf line [30], in resource "opentelekomcloud_networking_secgroup_rule_v2" "db_allow_out":
│   30: resource "opentelekomcloud_networking_secgroup_rule_v2" "db_allow_out" {
│ 
╵

Add a SNAT Module

Currently eu-nl does not install a SNAT by default we should develop a SNAT Module for that

CCE Autoscaler Module has required parameter region, which is optional for CCE

Version 1.0.1.
This is not consistent. That parameter also does not seem to be used anywhere...

Add validation for CCE node_container_runtime

It would be nice to have a validation for the CCE node_container_runtime.
Only "docker" and "containerd" is currently possible.

We also need to adjust the settings.tf and set the required OTC Version to ">=1.34.2"

Use newly created context from cce module

When creating a new kubeconfig, by default, the "current-context" is set to something different from the newly created context.

terraform-opentelekomcloud-project-factory/modules/cce/kubectl.tf

Line 29 in dd4261b

current-context = var.stage_name

Add test which tests all the modules

We need a test which auto checks all modules and installs them into some OTC tenant and afterwards cleans it up

Experiment "module_variable_optional_attrs" is no longer available

Getting an error when trying to use cce module with latest terraform version:

[linux]$ cat cce.tf
module "cce" {
  source             = "registry.terraform.io/iits-consulting/project-factory/opentelekomcloud//modules/cce"
  name               = "var.${cce_cluster_name}_test"
  autoscaling_config = {
    nodes_max = 8
  }
  cluster_config     = {
    vpc_id            = module.vpc.vpc_id
    subnet_id         = lookup(module.vpc.subnet_list, "tos-cce")
    cluster_version   = "v1.21"
    high_availability = true
    enable_scaling    = true #set this flag to false to disable auto scaling
  }
  node_config        = {
    availability_zones = ["eu-ch2a", "eu-ch2b"]
    node_count         = 3
    node_flavor        = local.node_spec_default
    node_storage_type  = "SSD"
    node_storage_size  = 100
  }
}

Error is:

│ Error: Experiment has concluded
│
│   on .terraform/modules/cce/modules/cce/versions.tf line 9, in terraform:
│    9:     module_variable_optional_attrs,
│
│ Experiment "module_variable_optional_attrs" is no longer available. The final feature corresponding to this experiment
│ differs from the experimental form and is available in the Terraform language from Terraform v1.3.0 onwards.
╵

terraform version:

[linux]$ terraform --version
Terraform v1.3.0-alpha20220803
on linux_amd64
+ provider registry.terraform.io/opentelekomcloud/opentelekomcloud v1.31.0

Terratest EU-NL is failing

https://github.com/iits-consulting/terraform-opentelekomcloud-project-factory/actions/runs/3966925596/jobs/6798298600

most probably a false alarm

How to set up encrypted CCE Node Storage correct?

Hello all,

first of all thank you for these great terraform modules, they are really helpful.

But i have a question, we are trying to encrypt the CCE Node Storage, but when we are set up the configuration and agency for this feature, our nodes cannot start. Could it be that we forgot some settings or is there some documentation somewhere on how to set up encryption for the nodes?

Here is our CCE and Agency declaration:

module "cce" {
  source  = "registry.terraform.io/iits-consulting/project-factory/opentelekomcloud//modules/cce"
  version = "4.2.2"
  name    = "${var.context}-${var.stage}"

  cluster_config = {
    vpc_id            = module.vpc.vpc.id
    subnet_id         = module.vpc.subnets["kubernetes-subnet"].id
    cluster_version   = "v1.21"
    high_availability = false
    enable_scaling    = true
  }
  node_config = {
    availability_zones = [
      "${var.region}-03",
      "${var.region}-01"
    ]
    node_count                        = 2
    node_flavor                       = "s3.large.4"
    node_storage_type                 = "SSD"
    node_storage_size                 = 100
    node_storage_encryption_enabled   = true
  }
  autoscaling_config = {
    nodes_max = 2
  }
  tags = local.tags
}

resource "opentelekomcloud_identity_agency_v3" "agency" {
  name                  = "EVSAccessKMS"
  description           = "Node encryption"
  delegated_domain_name = "op_svc_evs"
  domain_roles          = ["KMS Administrator", ]
}

With this setting we get the following errors in our OTC console:

Create user node VMs. The process takes about 2 to 3 minutes.[0/1] | Failed |  
Install the Kubernetes software on the user node. The process takes about 1 to 2 minutes. [0/1] |  Failed |

and in the cluster we get these errors:

Failed to create node(s) (Internal error)
Failed to install the node (Internal error)
Failed to create the node VM (Internal error)

The agency and encryption keys are created.

Add module for gpu node pool for cce

Parallelize test deployment for eu-de and eu-nl

To speedup tests we should parallelize the test deployments for eu-de and eu-nl

Add iits-fullstack-ollama

It would be nice to publish a opensource version of our llm stack here.

ollama
airbyte
weaviate
ollama ui

LoadBalancer module AntiDDoS deprecated

|Warning: Deprecated Resource
│ 
│   with module.loadbalancer.opentelekomcloud_antiddos_v1.anti_ddos,
│   on .terraform/modules/loadbalancer/modules/loadbalancer/main.tf line 20, in resource "opentelekomcloud_antiddos_v1" "anti_ddos":
│   20: resource "opentelekomcloud_antiddos_v1" "anti_ddos" {
│ 
│ AntiDDoS protection for Elastic IP is provided by default and shouldn't be created manually.

RDS: CES alarm rule for PostgreSQL and SQL Server does not work

The Cloud Eye alarm rule (db_storage_alarm_threshold) does not work for other databases than MySQL.

In modules/rds/database.tf the name in dimensions for "db_storage_alarm" must be:

postgresql_instance_id for PostgreSQL (https://docs.otc.t-systems.com/relational-database-service/umn/working_with_rds_for_postgresql/metrics_and_alarms/configuring_displayed_metrics.html)
rds_instance_sqlserver_id for SQL Server (https://docs.otc.t-systems.com/relational-database-service/umn/working_with_rds_for_sql_server/metrics_and_alarms/configuring_displayed_metrics.html)
and rds_instance_id for MySQL (https://docs.otc.t-systems.com/relational-database-service/umn/working_with_rds_for_mysql/metrics_and_alarms/configuring_displayed_metrics.html)

Fix Terratests

We need to fix broken tests, to make Actions green again.

Support CCE Node Data default encryption

Since OTC provider version 1.24.1, the data volumes can be encrypted. See https://github.com/opentelekomcloud/terraform-provider-opentelekomcloud/blob/devel/CHANGELOG.md#1241-june-17-2021

This should be utilized by our module.

request for depends_on keycloak module

i would like to add dependencies to create keycloak server first or something else:

changed and tested:

keycloak_idp.tf

resource "opentelekomcloud_identity_protocol_v3" "saml" {
  protocol    = "saml"
  provider_id = opentelekomcloud_identity_provider_v3.provider.id
  mapping_id  = opentelekomcloud_identity_mapping_v3.mapping.id

  metadata {
    domain_id = data.opentelekomcloud_identity_project_v3.current.domain_id
    metadata  = data.curl.saml_descriptor.response
  }

  depends_on = [ var.otc_tf_dependencies ]
}

variables.tf

variable "otc_tf_dependencies" {
  type        = list
  description = "The list of ressource dependencies. For example the compute instance which is configured outside of the module: opentelekomcloud_compute_instance_v2"
}

idp.tf

module "otc_keycloak_sso" {
    source               = "registry.terraform.io/iits-consulting/project-factory/opentelekomcloud//modules/keycloak_sso"
    ...
    otc_tf_dependencies = [ opentelekomcloud_compute_instance_v2.keycloak ]
   ...

Support specifying provider in all modules

All modules should support specifying which OTC provider to utilize, so that different resources can be created in different OTC projects or by different accounts.

CCE: add kms encryption support for node pool root volumes

In version 1.30.1 of the OTC Terraform Provider support was added for KMS encryption for the node pool root/system volume.
Once you upgrade the provider version in your module to a version later or equal 1.30.1, please adapt the root volume.

  root_volume {
    size       = 50
    volumetype = "SSD"
  + kms_id     = local.node_config.node_storage_encryption_enabled ? opentelekomcloud_kms_key_v1.node_storage_encryption_key[0].id : null
  }

  data_volumes {
    size       = local.node_config.node_storage_size
    volumetype = local.node_config.node_storage_type
    kms_id     = local.node_config.node_storage_encryption_enabled ? opentelekomcloud_kms_key_v1.node_storage_encryption_key[0].id : null
  }

This issue is a kind reminder, so we do not forget this feature was added.
Of course, we need to test how this works on existing clusters.

Add Support for region eu-ch2

Currently we support eu-de and eu-nl but we need now also to support eu-ch2 now

iits-consulting / terraform-opentelekomcloud-project-factory Goto Github PK