add support for standalone operator policy

robo-cap · Jul 24, 2024 · ff78572 · ff78572
1 parent 46ec5f4
commit ff78572
Show file tree

Hide file tree

Showing 5 changed files with 67 additions and 26 deletions.
diff --git a/module-operator.tf b/module-operator.tf
@@ -54,29 +54,32 @@ module "operator" {
  bastion_user = var.bastion_user
 
  # Operator
- assign_dns = var.assign_dns
- availability_domain = coalesce(var.operator_availability_domain, lookup(local.ad_numbers_to_names, local.ad_numbers[0]))
- cloud_init = var.operator_cloud_init
- image_id = local.operator_image_id
- install_cilium = var.cilium_install
- install_helm = var.operator_install_helm
- install_istioctl = var.operator_install_istioctl
- install_k9s = var.operator_install_k9s
- install_kubectx = var.operator_install_kubectx
- install_kubectl_from_repo = var.operator_install_kubectl_from_repo
- kubeconfig = yamlencode(local.kubeconfig_private)
- kubernetes_version = var.kubernetes_version
- nsg_ids = compact(flatten([var.operator_nsg_ids, try(module.network.operator_nsg_id, null)]))
- operator_image_os_version = var.operator_image_os_version
- pv_transit_encryption = var.operator_pv_transit_encryption
- shape = var.operator_shape
- ssh_private_key = sensitive(local.ssh_private_key) # to await cloud-init completion
- ssh_public_key = local.ssh_public_key
- subnet_id = try(module.network.operator_subnet_id, "") # safe destroy; validated in submodule
- timezone = var.timezone
- upgrade = var.operator_upgrade
- user = var.operator_user
- volume_kms_key_id = var.operator_volume_kms_key_id
+ assign_dns = var.assign_dns
+ availability_domain = coalesce(var.operator_availability_domain, lookup(local.ad_numbers_to_names, local.ad_numbers[0]))
+ cloud_init = var.operator_cloud_init
+ create_cluster = var.create_cluster
+ create_operator_policy_to_manage_cluster = var.create_operator_policy_to_manage_cluster
+ cluster_id = one(module.cluster[*].cluster_id)
+ image_id = local.operator_image_id
+ install_cilium = var.cilium_install
+ install_helm = var.operator_install_helm
+ install_istioctl = var.operator_install_istioctl
+ install_k9s = var.operator_install_k9s
+ install_kubectx = var.operator_install_kubectx
+ install_kubectl_from_repo = var.operator_install_kubectl_from_repo
+ kubeconfig = yamlencode(local.kubeconfig_private)
+ kubernetes_version = var.kubernetes_version
+ nsg_ids = compact(flatten([var.operator_nsg_ids, try(module.network.operator_nsg_id, null)]))
+ operator_image_os_version = var.operator_image_os_version
+ pv_transit_encryption = var.operator_pv_transit_encryption
+ shape = var.operator_shape
+ ssh_private_key = sensitive(local.ssh_private_key) # to await cloud-init completion
+ ssh_public_key = local.ssh_public_key
+ subnet_id = try(module.network.operator_subnet_id, "") # safe destroy; validated in submodule
+ timezone = var.timezone
+ upgrade = var.operator_upgrade
+ user = var.operator_user
+ volume_kms_key_id = var.operator_volume_kms_key_id
 
 
  # Standard tags as defined if enabled for use, or freeform
@@ -95,6 +98,10 @@ module "operator" {
  depends_on = [
  module.iam,
  ]
+
+ providers = {
+ oci.home = oci.home
+ }
 }
 
 output "operator_id" {

diff --git a/modules/operator/iam.tf b/modules/operator/iam.tf
@@ -0,0 +1,21 @@
+# Copyright (c) 2022, 2024 Oracle Corporation and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+
+resource "oci_identity_policy" "operator_policy" {
+ count = var.create_cluster != null && var.create_operator_policy_to_manage_cluster ? 1 : 0
+
+ provider = oci.home
+
+ compartment_id = var.compartment_id
+ description = "Policies for OKE Operator host state ${var.state_id}"
+ name = "oke-operator-${var.state_id}"
+ statements = [
+ "ALLOW any-user to manage cluster-family in compartment id ${var.compartment_id} where all {target.cluster.id = '${var.cluster_id}', request.principal.type = 'instance', request.principal.id = '${oci_core_instance.operator.id}'}"
+ ]
+ defined_tags = var.defined_tags
+ freeform_tags = var.freeform_tags
+ lifecycle {
+ ignore_changes = [defined_tags, freeform_tags]
+ }
+}
diff --git a/modules/operator/variables.tf b/modules/operator/variables.tf
@@ -13,12 +13,18 @@ variable "bastion_user" { type = string }
 variable "assign_dns" { type = bool }
 variable "availability_domain" { type = string }
 variable "cloud_init" { type = list(map(string)) }
+variable "cluster_id" { type = string }
+variable "create_cluster" { type = bool }
+variable "create_operator_policy_to_manage_cluster" {
+ type = bool
+ default = false
+}
 variable "image_id" { type = string }
 variable "install_cilium" { type = bool }
 variable "install_helm" { type = bool }
 variable "install_istioctl" { type = bool }
 variable "install_k9s" { type = bool }
-variable "install_kubectl_from_repo" { 
+variable "install_kubectl_from_repo" {
  type = bool
  default = true
 }

diff --git a/modules/operator/versions.tf b/modules/operator/versions.tf
@@ -16,8 +16,9 @@ terraform {
  }
 
  oci = {
- source = "oracle/oci"
- version = ">= 4.119.0"
+ configuration_aliases = [oci.home]
+ source = "oracle/oci"
+ version = ">= 4.119.0"
  }
  }
 }
diff --git a/variables-operator.tf b/variables-operator.tf
@@ -7,6 +7,12 @@ variable "create_operator" {
  type = bool
 }
 
+variable "create_operator_policy_to_manage_cluster" {
+ default = true
+ description = "Whether to create minimal IAM policy to allow the operator host to manage the cluster."
+ type = bool
+}
+
 variable "operator_availability_domain" {
  default = null
  description = "The availability domain for FSS placement. Defaults to first available."