feat: init functional release (#15)

feat: init functional release

Author: imprateeksh

.github/settings.yml

@@ -14,12 +14,9 @@ repository:
 
   # By changing this field, you rename the repository.
 
-  # Uncomment this name property and set the name to the current repo name.
-  # name: ""
+  name: "terraform-ibm-base-ocp-vpc"
 
   # The description is displayed under the repository name on the
   # organization page and in the 'About' section of the repository.
 
-  # Uncomment this description property
-  # and update the description to the current repo description.
-  # description: ""
+  description: "Provision an IBM Cloud Red Hat OpenShift cluster on VPC Gen2"

.github/workflows/ci.yml

@@ -15,3 +15,6 @@ jobs:
   call-terraform-ci-pipeline:
     uses: terraform-ibm-modules/common-pipeline-assets/.github/workflows/common-terraform-module-ci.yml@v1.7.3
     secrets: inherit
+    with:
+      craTarget: "examples/standard"
+      craGoalIgnoreFile: "cra-tf-validate-ignore-goals.json"

.gitignore

@@ -16,6 +16,8 @@ crash.log
 #
 *.tfvars
 
+.history/*
+
 # Ignore files for local testing
 test.tf
 
@@ -37,7 +39,7 @@ override.tf.json
 .terraformrc
 terraform.rc
 
-# Ignore .tfsec
+# Ignore tfsec
 .tfsec/
 
 # Ignore brew lock
@@ -52,5 +54,5 @@ Brewfile.lock.json
 # Node modules
 /node_modules
 
-# Visual Studio Code
+# VS Code State
 .vscode/

.secrets.baseline

@@ -28,7 +28,7 @@
       "name": "CloudantDetector"
     },
     {
-      "ghe_instance": "github.ibm.com",
+      "ghe_instance": "github.com",
       "name": "GheDetector"
     },
     {

README.md

@@ -0,0 +1,82 @@
+{
+    "scc_goals": [
+        {
+            "scc_goal_id": "3000408",
+            "description": "Check whether Flow Logs for VPC are enabled",
+            "ignore_reason": "Tracking in https://github.ibm.com/GoldenEye/issues/issues/3645",
+            "is_valid": true
+        },
+        {
+            "scc_goal_id": "3000902",
+            "description:": "Check whether OpenShift clusters are accessible only by using private endpoints",
+            "ignore_reason": "This is a valid issue - tracking in https://github.ibm.com/GoldenEye/issues/issues/174",
+            "is_valid": true
+        },
+        {
+            "scc_goal_id": "3000258",
+            "description": "Check whether Cloud Object Storage has at least # users with the IAM manager role",
+            "ignore_reason": "Tracking in https://github.ibm.com/GoldenEye/issues/issues/3905",
+            "is_valid": true
+        },
+        {
+            "scc_goal_id": "3000259",
+            "description:": "Check whether Cloud Object Storage has at least # service IDs with the IAM manager role",
+            "ignore_reason": "Tracking in https://github.ibm.com/GoldenEye/issues/issues/3905",
+            "is_valid": true
+        },
+        {
+            "scc_goal_id": "3000266",
+            "description": "Check whether Key Protect has at least # users with the IAM manager role",
+            "ignore_reason": "Tracking in https://github.ibm.com/GoldenEye/issues/issues/3905",
+            "is_valid": true
+        },
+        {
+            "scc_goal_id": "3000267",
+            "description:": "Check whether Key Protect has at least # service IDs with the IAM manager role",
+            "ignore_reason": "Tracking in https://github.ibm.com/GoldenEye/issues/issues/3905",
+            "is_valid": true
+        },
+        {
+            "scc_goal_id": "3000402",
+            "description": "Check whether Cloud Internet Services (CIS) has DDoS protection enabled",
+            "ignore_reason": "Tracking in https://github.ibm.com/GoldenEye/issues/issues/3905",
+            "is_valid": true
+        },
+        {
+            "scc_goal_id": "3000418",
+            "description:": "Check whether account has at least one VPN or Direct Link configured",
+            "ignore_reason": "Tracking in https://github.ibm.com/GoldenEye/issues/issues/3905",
+            "is_valid": true
+        },
+        {
+            "scc_goal_id": "3000441",
+            "description": "Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to port 22",
+            "ignore_reason": "This is a false alert. The way the subnets are arranged in the VPC ensures proper workload isolation. And it's not a violation of any NIST, SOC or other control. On the contrary, FedRAMP makes it clear that SG or ACLs are currently not seen as a security boundary, only subnets (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf)",
+            "is_valid": false
+        },
+        {
+            "scc_goal_id": "3000442",
+            "description:": "Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to port 3389",
+            "ignore_reason": "This is a false alert. The way the subnets are arranged in the VPC ensures proper workload isolation. And it's not a violation of any NIST, SOC or other control. On the contrary, FedRAMP makes it clear that SG or ACLs are currently not seen as a security boundary, only subnets (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf)",
+            "is_valid": false
+        },
+        {
+            "scc_goal_id": "3000451",
+            "description": "Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to any port",
+            "ignore_reason": "This is a false alert. The way the subnets are arranged in the VPC ensures proper workload isolation. And it's not a violation of any NIST, SOC or other control. On the contrary, FedRAMP makes it clear that SG or ACLs are currently not seen as a security boundary, only subnets (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf)",
+            "is_valid": false
+        },
+        {
+            "scc_goal_id": "3000452",
+            "description:": "Check whether Virtual Private Cloud (VPC) network access control lists don't allow egress from 0.0.0.0/0 to any port",
+            "ignore_reason": "This is a false alert. The way the subnets are arranged in the VPC ensures proper workload isolation. And it's not a violation of any NIST, SOC or other control. On the contrary, FedRAMP makes it clear that SG or ACLs are currently not seen as a security boundary, only subnets (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf)",
+            "is_valid": false
+        },
+        {
+            "scc_goal_id": "3000907",
+            "description:": "Check whether OpenShift version is up-to-date",
+            "ignore_reason": "Tracking in https://github.ibm.com/GoldenEye/issues/issues/4000",
+            "is_valid": true
+        }
+    ]
+}

cra-tf-validate-ignore-goals.json

@@ -0,0 +1,3 @@
+# Existing COS
+
+The example will provision an OCP cluster into a given VPC using an existing COS instance.

examples/default/README.md

@@ -0,0 +1,20 @@
+##############################################################################
+# Provision an OCP cluster using an existing COS instance.
+##############################################################################
+
+module "ocp_base" {
+  source               = "../.."
+  ibmcloud_api_key     = var.ibmcloud_api_key
+  ocp_version          = var.ocp_version
+  region               = var.region
+  tags                 = var.resource_tags
+  cluster_name         = var.prefix
+  resource_group_id    = var.resource_group
+  force_delete_storage = true
+  vpc_id               = var.vpc_id
+  vpc_subnets          = var.vpc_subnets
+  use_existing_cos     = true
+  existing_cos_id      = var.existing_cos_id
+}
+
+##############################################################################

examples/default/main.tf

@@ -0,0 +1,10 @@
+##############################################################################
+# Outputs
+##############################################################################
+
+output "cluster_name" {
+  value       = module.ocp_base.cluster_name
+  description = "The name of the provisioned cluster."
+}
+
+##############################################################################

examples/default/outputs.tf

@@ -0,0 +1,10 @@
+##############################################################################
+# Terraform providers
+##############################################################################
+
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}
+
+##############################################################################

examples/default/provider.tf

@@ -0,0 +1,64 @@
+##############################################################################
+# Input Variables
+##############################################################################
+
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud api token"
+  sensitive   = true
+}
+
+variable "resource_group" {
+  type        = string
+  description = "Resource group to provision the cluster in"
+  default     = null
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix for name of all resource created by this example"
+  default     = "base-ocp-prev-cos"
+  validation {
+    error_message = "Prefix must begin and end with a letter and contain only letters, numbers, and - characters."
+    condition     = can(regex("^([A-z]|[a-z][-a-z0-9]*[a-z0-9])$", var.prefix))
+  }
+}
+
+variable "region" {
+  type        = string
+  description = "Region where resources are created"
+  default     = "eu-gb"
+}
+
+variable "ocp_version" {
+  type        = string
+  description = "Version of the OCP cluster to provision"
+  default     = null
+}
+
+variable "vpc_subnets" {
+  type = map(list(object({
+    id         = string
+    zone       = string
+    cidr_block = string
+  })))
+  description = "Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster will be created"
+}
+
+variable "vpc_id" {
+  type        = string
+  description = "Id of the VPC instance where this cluster will be provisioned"
+}
+
+variable "existing_cos_id" {
+  type        = string
+  description = "The ID of an existing COS instance to use for cluster provisioning"
+}
+
+##############################################################################