i4745 - add optional account id to kms config (#4944)
* add account_id to kms_config

* use [email protected]

---------

Co-authored-by: Zoltan Illes <[email protected]>
z0za and Zoltan Illes authored Nov 23, 2023
1 parent a23e7e7 commit cc498ae
Showing 7 changed files with 56 additions and 14 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -3,7 +3,7 @@ module github.com/IBM-Cloud/terraform-provider-ibm
go 1.18

require (
github.com/IBM-Cloud/bluemix-go v0.0.0-20231017073329-75ebe90c98ba
github.com/IBM-Cloud/bluemix-go v0.0.0-20231123082353-50e8cc9c6959
github.com/IBM-Cloud/container-services-go-sdk v0.0.0-20231106114255-c50117860a3c
github.com/IBM-Cloud/power-go-client v1.5.4
github.com/IBM/apigateway-go-sdk v0.0.0-20210714141226-a5d5d49caaca
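Review bot: the bluemix-go bump to `v0.0.0-20231123082353-50e8cc9c6959` is a commit pseudo-version rather than a tagged release, and the commit message does not say what the pinned commit brings; since the cluster code in this same commit assigns `kmsConfig.AccountID`, the review should confirm that commit 50e8cc9c6959 is the one that adds `AccountID` to the bluemix-go KMS config struct, and that `go mod tidy` leaves go.mod and go.sum unchanged. Pinning to a content hash in go.sum is fine from a supply-chain standpoint; the only gap is that a pseudo-version carries no release notes to review.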
11 changes: 6 additions & 5 deletions go.sum
Expand Up @@ -100,8 +100,8 @@ github.com/DataDog/datadog-go v2.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3
github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dXCilEuNEeAn20fdD4=
github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
github.com/DataDog/zstd v1.4.4/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
github.com/IBM-Cloud/bluemix-go v0.0.0-20231017073329-75ebe90c98ba h1:8U4HByOYJiaGWBpGjdRIzyzu0NBzjywh//CZnSbEsPw=
github.com/IBM-Cloud/bluemix-go v0.0.0-20231017073329-75ebe90c98ba/go.mod h1:mt+O8ryLVANrBKlA4RxKdENp3q6Q7mKQIi2nkiibZbU=
github.com/IBM-Cloud/bluemix-go v0.0.0-20231123082353-50e8cc9c6959 h1:dvvI4ybsYx6M7fFGrg3HjlNnYxEBi9jJdSU0JhjJbG8=
github.com/IBM-Cloud/bluemix-go v0.0.0-20231123082353-50e8cc9c6959/go.mod h1:jIGLnIfj+uBv2ALz3rVHzNbNwt0V/bEWNeJKECa8Q+k=
github.com/IBM-Cloud/container-services-go-sdk v0.0.0-20231106114255-c50117860a3c h1:tRS4VuOG3lHNG+yrsh3vZZQDVNLuFJB0oZbTJp9YXds=
github.com/IBM-Cloud/container-services-go-sdk v0.0.0-20231106114255-c50117860a3c/go.mod h1:xUQL9SGAjoZFd4GNjrjjtEpjpkgU7RFXRyHesbKTjiY=
github.com/IBM-Cloud/ibm-cloud-cli-sdk v0.5.3/go.mod h1:RiUvKuHKTBmBApDMUQzBL14pQUGKcx/IioKQPIcRQjs=
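Review bot: the two replaced bluemix-go lines (`h1:` and `/go.mod h1:`) must correspond to the pseudo-version in go.mod; run `go mod verify` with a freshly populated module cache so the `h1:` hashes are checked against the fetched module instead of being trusted from the PR. Dropping the old `75ebe90c98ba` lines, as done here, is right, so the previous version cannot be resolved silently.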
Expand Down Expand Up @@ -1269,8 +1269,8 @@ github.com/onsi/ginkgo/v2 v2.9.2/go.mod h1:WHcJJG2dIlcCqVfBAwUCrJxSPFb6v4azBwgxe
github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k=
github.com/onsi/ginkgo/v2 v2.9.7/go.mod h1:cxrmXWykAwTwhQsJOPfdIDiJ+l2RYq7U8hFU+M/1uw0=
github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM=
github.com/onsi/ginkgo/v2 v2.12.0 h1:UIVDowFPwpg6yMUpPjGkYvf06K3RAiJXUhCxEwQVHRI=
github.com/onsi/ginkgo/v2 v2.12.0/go.mod h1:ZNEzXISYlqpb8S36iN71ifqLi3vVD1rVJGvWRCJOUpQ=
github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=
github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v0.0.0-20190113212917-5533ce8a0da3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
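Review bot: ginkgo moving from v2.12.0 to v2.13.0 here has no counterpart in the go.mod hunk, so it is a transitive requirement pulled in by the new bluemix-go commit; the same holds for the gomega and golang.org/x/sys hunks that follow. That is expected, but the commit message mentions none of it, and a test-framework bump can change test behaviour; a one-line mention would help anyone bisecting later.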
Expand Down Expand Up @@ -1301,8 +1301,8 @@ github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+q
github.com/onsi/gomega v1.27.7/go.mod h1:1p8OOlwo2iUUDsHnOrjE5UKYJ+e3W8eQ3qSlRahPmr4=
github.com/onsi/gomega v1.27.8/go.mod h1:2J8vzI/s+2shY9XHRApDkdgPo1TKT7P2u6fXeJKFnNQ=
github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
github.com/onsi/gomega v1.28.0/go.mod h1:A1H2JE76sI14WIP57LMKj7FVfCHx3g3BcZVjJG8bjX8=
github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
Expand Down Expand Up @@ -1935,6 +1935,7 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
11 changes: 11 additions & 0 deletions ibm/service/kubernetes/resource_ibm_container_cluster.go
Expand Up @@ -122,6 +122,11 @@ func ResourceIBMContainerCluster() *schema.Resource {
Default: false,
Description: "Specify this option to use the KMS public service endpoint.",
},
"account_id": {
Type: schema.TypeString,
Optional: true,
Description: "Account ID of KMS instance holder - if not provided, defaults to the account in use",
},
},
},
},
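Review bot: the Description of the new `account_id` field does not say which account is meant (`KMS instance holder` reads as the holder of the cluster) nor what the owning account has to grant before a cluster in another account can use its instance; suggest `ID of the account that owns the KMS instance; defaults to the account the cluster is created in`. While in here, the boolean field just above it (`Default: false`, which from the docs hunk in this commit is `private_endpoint`) carries the Description `Specify this option to use the KMS public service endpoint.`, the opposite of what the docs say it does. No ForceNew or validation is set on `account_id`, which matches the sibling fields, so a later change of account goes through the update path.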
Expand Down Expand Up @@ -1047,6 +1052,12 @@ func resourceIBMContainerClusterUpdate(d *schema.ResourceData, meta interface{})
endpoint := privateEndpoint.(bool)
kmsConfig.PrivateEndpoint = endpoint
}

//Read optional account id
if accountid := kmsMap["account_id"]; accountid != nil {
accountid_string := accountid.(string)
kmsConfig.AccountID = accountid_string
}
}
}

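Review bot: the `accountid != nil` guard is effectively always true here: `kmsMap` is the schema-backed nested block (the `privateEndpoint.(bool)` lines above read it the same way), and the SDK returns an unset optional string as `""`, not `nil`, so `kmsConfig.AccountID` is assigned the empty string whenever the user omits `account_id`. Whether that is harmless depends on the bluemix-go field carrying an `omitempty` tag, which this commit does not show; otherwise every same-account cluster now sends an explicit empty account ID. Suggest guarding on the value and using the comma-ok form in one step:
`if accountID, ok := kmsMap["account_id"].(string); ok && accountID != "" {`
`    kmsConfig.AccountID = accountID`
`}`
Also `accountid_string` uses an underscore, which Go naming avoids, and since only the Update function is touched, please confirm the Create path reaches this code for `kms_config`; otherwise `account_id` is silently ignored on first apply.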
11 changes: 11 additions & 0 deletions ibm/service/kubernetes/resource_ibm_container_vpc_cluster.go
Expand Up @@ -96,6 +96,11 @@ func ResourceIBMContainerVpcCluster() *schema.Resource {
Default: false,
Description: "Specify this option to use the KMS public service endpoint.",
},
"account_id": {
Type: schema.TypeString,
Optional: true,
Description: "Account ID of KMS instance holder - if not provided, defaults to the account in use",
},
},
},
},
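Review bot: this block is identical to the classic-cluster schema entry added in the same commit, including the ambiguous `Account ID of KMS instance holder` wording; a shared helper returning the `kms_config` schema would keep the description and any future validation in one place for both resources.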
Expand Down Expand Up @@ -685,6 +690,12 @@ func resourceIBMContainerVpcClusterUpdate(d *schema.ResourceData, meta interface
endpoint := privateEndpoint.(bool)
kmsConfig.PrivateEndpoint = endpoint
}

//Read optional account id
if accountid := kmsMap["account_id"]; accountid != nil {
accountid_string := accountid.(string)
kmsConfig.AccountID = accountid_string
}
}
}

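Review bot: same defect as in the classic resource: the `!= nil` check cannot fail for a schema-backed map, so an empty `AccountID` is sent whenever `account_id` is omitted. Guard on `accountID != ""` with the comma-ok assertion, and consider lifting this together with the `private_endpoint` handling into one helper used by both resources, since the two copies are line-for-line the same.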
21 changes: 19 additions & 2 deletions ibm/service/kubernetes/resource_ibm_container_vpc_cluster_test.go
Expand Up @@ -464,7 +464,7 @@ func TestAccIBMContainerVpcClusterBaseEnvvar(t *testing.T) {
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{
"wait_till", "update_all_workers", "kms_config", "force_delete_storage", "wait_for_worker_update"},
"wait_till", "update_all_workers", "kms_config", "force_delete_storage", "wait_for_worker_update", "albs"},
},
},
})
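Review bot: adding `"albs"` to `ImportStateVerifyIgnore` is unrelated to the `account_id` change and is not mentioned in the commit message; once ignored, drift in the ALB attribute after import is no longer caught by this test, so the reason (presumably that import does not populate it) belongs in a comment next to the entry or in the message.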
Expand Down Expand Up @@ -512,7 +512,22 @@ func testAccCheckIBMContainerVpcClusterEnvvar(name string) string {
// export IBM_CLUSTER_VPC_ID
// export IBM_CLUSTER_VPC_SUBNET_ID
// export IBM_CLUSTER_VPC_RESOURCE_GROUP_ID
// optionally for kms and cross account kms:
// export IBM_KMS_INSTANCE_ID
// export IBM_CRK_ID
// for cross account kms:
// export IBM_KMS_ACCOUNT_ID
func testAccCheckIBMContainerVpcClusterBaseEnvvar(name string) string {
var kmsConfig string
if acc.KmsInstanceID != "" {
kmsConfig = fmt.Sprintf(`
kms_config {
instance_id = "%[1]s"
crk_id = "%[2]s"
account_id = "%[3]s"
}
`, acc.KmsInstanceID, acc.CrkID, acc.KmsAccountID)
}
config := fmt.Sprintf(`
resource "ibm_container_vpc_cluster" "cluster" {
name = "%[1]s"
Expand All @@ -525,8 +540,10 @@ func testAccCheckIBMContainerVpcClusterBaseEnvvar(name string) string {
name = "us-south-1"
}
wait_till = "normal"
%[5]s
}
`, name, acc.IksClusterVpcID, acc.IksClusterResourceGroupID, acc.IksClusterSubnetID)
`, name, acc.IksClusterVpcID, acc.IksClusterResourceGroupID, acc.IksClusterSubnetID, kmsConfig)

fmt.Println(config)
return config
}
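Review bot: `account_id = "%[3]s"` is rendered unconditionally, so in the "optionally for kms" case from the comment (only `IBM_KMS_INSTANCE_ID` and `IBM_CRK_ID` exported) the config contains `account_id = ""`; the test therefore never exercises the attribute-omitted path and quietly depends on the API accepting an empty account ID. Emit the `account_id` line only when `acc.KmsAccountID != ""`, and note that with `kms_config` in `ImportStateVerifyIgnore` nothing asserts that the value round-trips. The pre-existing `fmt.Println(config)` now also writes the instance and key IDs into the test log; not secrets, but worth removing as the config grows.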
3 changes: 2 additions & 1 deletion website/docs/r/container_cluster.html.markdown
Expand Up @@ -204,12 +204,13 @@ Review the argument references that you can specify for your resource.
- `hardware` - (Optional, Forces new resource, String) The level of hardware isolation for your worker node. Use `dedicated` to have available physical resources dedicated to you only, or `shared` to allow physical resources to be shared with other IBM customers. This option is available for virtual machine worker node flavors only.
- `image_security_enforcement` - (Optional, Bool) Set to **true** to enable image security enforcement policies in a cluster.
- `gateway_enabled` - (Optional, Bool) Set to **true** if you want to automatically create a gateway-enabled cluster. If `gateway_enabled` is set to **true**, then `private_service_endpoint` must be set to **true** at the same time.
- `kms_config` - (Optional, List) Used to attach a Key Protect instance to a cluster. Nested `kms_config` block have `instance_id`, `crk_id`, `private_endpoint` structure.
- `kms_config` - (Optional, List) Used to attach a Key Protect instance to a cluster. Nested `kms_config` block has an `instance_id`, `crk_id`, `private_endpoint` and `account_id`.

Nested scheme for `kms_config`:
- `crk_id` - (Optional, String) The ID of the customer root key (CRK).
- `instance_id` - (Optional, String) The GUID of the Key Protect instance.
- `private_endpoint` - (Optional, Bool) Set to **true** to configure the KMS private service endpoint. Default value is **false**.
- `account_id` - (Optional, String) Account ID of KMS instance holder - if not provided, defaults to the account in use.
- `kube_version` - (Optional, String) The Kubernetes or OpenShift version that you want to set up in your cluster. If the version is not specified, the default version in [IBM Cloud Kubernetes Service](https://cloud.ibm.com/docs/containers?topic=containers-cs_versions) or [Red Hat OpenShift on IBM Cloud](https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_versions#version_types) is used. For example, to specify Kubernetes version 1.16, enter `1.16`. For OpenShift clusters, you can specify version `3.11_openshift` or `4.3.1_openshift`.
- `labels`- (Optional, Map) Labels on all the workers in the default worker pool.
- `machine_type` - (Optional, Forces new resource, String) The machine type for your worker node. The machine type determines the amount of memory, CPU, and disk space that is available to the worker node. For an overview of supported machine types, see [Planning your worker node setup](https://cloud.ibm.com/docs/containers?topic=containers-planning_worker_nodes). You can retrieve the value by executing the `ibmcloud ks machine-types <data-center>` command in the IBM Cloud CLI.
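Review bot: the new `account_id` line should say which account is meant and what that account must grant; as written, `Account ID of KMS instance holder` reads as the holder of the cluster. Suggest `The ID of the account that owns the Key Protect instance, when it differs from the account the cluster is created in. Defaults to the current account.` plus a pointer to the authorization the KMS-owning account has to set up for cross-account use, since the provider cannot check that for the user.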
11 changes: 6 additions & 5 deletions website/docs/r/container_vpc_cluster.html.markdown
Expand Up @@ -178,13 +178,14 @@ Review the argument references that you can specify for your resource.
- `flavor` - (Required, Forces new resource, String) The flavor of the VPC worker node that you want to use.
- `image_security_enforcement` - (Optional, Bool) Set to **true** to enable image security enforcement policies in a cluster.
- `name` - (Required, Forces new resource, String) The name of the cluster.
- `kms_config` - (Optional, String) Use to attach a Key Protect instance to a cluster. Nested `kms_config` block has an `instance_id`, `crk_id`, `private_endpoint`.
- `host_pool_id` - (Optional, String) If provided, the cluster will be associated with a dedicated host pool identified by this ID.
- `kms_config` - (Optional, String) Use to attach a Key Protect instance to a cluster. Nested `kms_config` block has an `instance_id`, `crk_id`, `private_endpoint` and `account_id`.

Nested scheme for `kms_config`:
- `crk_id` - (Optional, String) The ID of the customer root key (CRK).
- `instance_id` - (Optional, String) The GUID of the Key Protect instance.
- `private_endpoint` - (Optional, Bool) Set **true** to configure the KMS private service endpoint. Default value is **false**.
- `account_id` - (Optional, String) Account ID of KMS instance holder - if not provided, defaults to the account in use.
- `host_pool_id` - (Optional, String) If provided, the cluster will be associated with a dedicated host pool identified by this ID.
- `kube_version` - (Optional, String) Specify the Kubernetes version, including the major.minor version. If you do not include this flag, the default version is used. To see available versions, run `ibmcloud ks versions`.
- `operating_system` - (Optional, Forces new resource, String) The operating system of the workers in the default worker pool. For supported options, see [Red Hat OpenShift on IBM Cloud version information](https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_versions) or [IBM Cloud Kubernetes Service version information](https://cloud.ibm.com/docs/containers?topic=containers-cs_versions).
- `secondary_storage` - (Optional, Forces new resource, String) The secondary storage option for the default worker pool.
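Review bot: `kms_config` is typed `(Optional, String)` here but `(Optional, List)` on the classic-cluster page changed in this same commit, and it is a nested block in both resources, so `List` is the correct tag. Moving `host_pool_id` below the nested scheme is a good fix, since it previously split the `kms_config` entry from its nested list. Same wording suggestion for `account_id` as on the classic page.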
Expand Down Expand Up @@ -213,9 +214,9 @@ Review the argument references that you can specify for your resource.
- `name` - (Required, Forces new resource, String) The zone name for the default worker pool in a multizone cluster.
- `subnet_id` - (Required, Forces new resource, String) The VPC subnet to assign the cluster's default worker pool.

- `crk` - Root Key ID for boot volume encryption.
- `kms_instance_id` - Instance ID for boot volume encryption.
- `kms_account_id` - Account ID for boot volume encryption, if other account is providing the kms.
- `crk` - (Optional, String) Root Key ID for boot volume encryption.
- `kms_instance_id` - (Optional, String) Instance ID for boot volume encryption.
- `kms_account_id` - (Optional, String) Account ID for boot volume encryption, if other account is providing the kms.

**Note**

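Review bot: `if other account is providing the kms` needs a grammar fix, e.g. `if the KMS instance belongs to a different account`; adding the `(Optional, String)` tags to these three worker-pool fields is a welcome consistency fix.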
