64 update to latest aro module (#66)

* Updates azure image to latest

Signed-off-by: rich-ehrhardt <[email protected]>

* Updates quickstart ARO to latest modules

Signed-off-by: rich-ehrhardt <[email protected]>

* Updates script for user input

Signed-off-by: rich-ehrhardt <[email protected]>

* Updates quickstart aro tfvar for latest modules

Signed-off-by: rich-ehrhardt <[email protected]>

* Updates ARO standard to latest module versions

Signed-off-by: rich-ehrhardt <[email protected]>

* Updates show login for ARO

Signed-off-by: rich-ehrhardt <[email protected]>

* Fixes disable public endpoints flag

Signed-off-by: rich-ehrhardt <[email protected]>

* Fixes typo in Azure metadata

Signed-off-by: rich-ehrhardt <[email protected]>

* Adds interactive option to launch and setup

Signed-off-by: rich-ehrhardt <[email protected]>

* Updates interactive mode to confirm credentials

Signed-off-by: rich-ehrhardt <[email protected]>

* Updates readmes for changes

Signed-off-by: rich-ehrhardt <[email protected]>

Signed-off-by: rich-ehrhardt <[email protected]>

.github/workflows/verify-workflow.yaml

@@ -32,7 +32,7 @@ jobs:
   verify:
     runs-on: ubuntu-latest
     container:
-      image: quay.io/cloudnativetoolkit/cli-tools-azure:v1.2-v0.4.20
+      image: quay.io/cloudnativetoolkit/cli-tools-azure:v1.2-v0.6.0
       options: --privileged --user root
 
     strategy:

.gitignore

@@ -34,3 +34,5 @@ px-spec.yaml
 *.tgz
 
 **/certs/*
+
+.stop

1-quickstart/1-aro/105-azure-aro/105-azure-aro.auto.tfvars

@@ -19,3 +19,9 @@
 ## name_prefix: The name of the vpc resource
 #name_prefix=""
 
+## pull_secret: The contents of the pull secret needed to access Red Hat content. The contents can either be provided directly or passed through the `pull_secret_file` variable
+#pull_secret=""
+
+## pull_secret_file: Name of the file containing the pull secret needed to access Red Hat content. The contents can either be provided in this file or directly via the `pull_secret` variable
+#pull_secret_file=""
+

1-quickstart/1-aro/105-azure-aro/apply.sh

@@ -4,7 +4,7 @@ SCRIPT_DIR=$(cd $(dirname $0); pwd -P)
 
 VARIABLES_FILE="${1}"
 if [[ -z "${VARIABLES_FILE}" ]]; then
-  VARIABLES_FILE="${SCRIPT_DIR}/variables.yaml"
+  VARIABLES_FILE="variables.yaml"
 fi
 
 YQ=$(command -v yq4 || command -v yq)
@@ -13,11 +13,25 @@ if [[ -z "${YQ}" ]] || [[ $(${YQ} --version | sed -E "s/.*version ([34]).*/\1/g"
   exit 1
 fi
 
-if [[ -f "${SCRIPT_DIR}/terraform/terraform.tfvars" ]]; then
-  cp "${SCRIPT_DIR}/terraform/terraform.tfvars" "${SCRIPT_DIR}/terraform/terraform.tfvars.backup"
-  rm "${SCRIPT_DIR}/terraform/terraform.tfvars"
+if ! command -v jq 1> /dev/null 2> /dev/null; then
+  echo "jq is required"
+  exit 1
 fi
 
+CREDENTIALS_PROPERTIES="credentials.properties"
+TERRAFORM_TFVARS="terraform/terraform.tfvars"
+
+if [[ -f "${TERRAFORM_TFVARS}" ]]; then
+  cp "${TERRAFORM_TFVARS}" "${TERRAFORM_TFVARS}.backup"
+  rm "${TERRAFORM_TFVARS}"
+fi
+
+if [[ -f "${CREDENTIALS_PROPERTIES}" ]]; then
+  cp "${CREDENTIALS_PROPERTIES}" "${CREDENTIALS_PROPERTIES}.backup"
+  rm "${CREDENTIALS_PROPERTIES}"
+fi
+touch "${CREDENTIALS_PROPERTIES}"
+
 if [[ ! -f "${VARIABLES_FILE}" ]]; then
   echo "Variables can be provided in a yaml file passed as the first argument"
   echo ""
@@ -27,17 +41,18 @@ TMP_VARIABLES_FILE="${VARIABLES_FILE}.tmp"
 
 echo "variables: []" > ${TMP_VARIABLES_FILE}
 
-cat "${SCRIPT_DIR}/bom.yaml" | ${YQ} e '.spec.variables[] | .name' - | while read name; do
-  default_value=$(cat "${SCRIPT_DIR}/bom.yaml" | NAME="${name}" ${YQ} e '.spec.variables[] | select(.name == env(NAME)) | .defaultValue // ""' -)
-  sensitive=$(cat "${SCRIPT_DIR}/bom.yaml" | NAME="${name}" ${YQ} e '.spec.variables[] | select(.name == env(NAME)) | .sensitive // false' -)
-  description=$(cat "${SCRIPT_DIR}/bom.yaml" | NAME="${name}" ${YQ} e '.spec.variables[] | select(.name == env(NAME)) | .description // ""' -)
+function process_variable () {
+  local name="$1"
+  local default_value="$2"
+  local sensitive="$3"
+  local description="$4"
 
-  variable_name="TF_VAR_${name}"
+  local variable_name="TF_VAR_${name}"
 
   environment_variable=$(env | grep "${variable_name}" | sed -E 's/.*=(.*).*/\1/g')
   value="${environment_variable}"
   if [[ -f "${VARIABLES_FILE}" ]]; then
-    value=$(cat "${VARIABLES_FILE}" | NAME="${name}" ${YQ} e '.variables[] | select(.name == env(NAME)) | .value // ""' -)
+    value=$(cat "${VARIABLES_FILE}" | NAME="${name}" ${YQ} e -o json '.variables[] | select(.name == env(NAME)) | .value // ""' - | jq -c -r '.')
     if [[ -z "${value}" ]]; then
       value="${environment_variable}"
     fi
@@ -60,15 +75,44 @@ cat "${SCRIPT_DIR}/bom.yaml" | ${YQ} e '.spec.variables[] | .name' - | while rea
     value=${value:-$default_value}
   done
 
-  echo "${name} = \"${value}\"" >> "${SCRIPT_DIR}/terraform/terraform.tfvars"
+  output_value=$(echo "${value}" | sed 's/"/\\"/g')
+
   if [[ "${sensitive}" != "true" ]]; then
+    echo "${name} = \"${output_value}\"" >> "${TERRAFORM_TFVARS}"
     NAME="${name}" VALUE="${value}" ${YQ} e -i -P '.variables += [{"name": env(NAME), "value": env(VALUE)}]' "${TMP_VARIABLES_FILE}"
+  else
+    echo "export ${name}=\"${output_value}\"" >> "${CREDENTIALS_PROPERTIES}"
+  fi
+}
+
+cat "bom.yaml" | ${YQ} e '.spec.variables[] | .name' - | while read name; do
+  variable=$(cat "bom.yaml" | NAME="${name}" ${YQ} e '.spec.variables[] | select(.name == env(NAME))' -)
+
+  default_value=$(echo "${variable}" | ${YQ} e -o json '.defaultValue // ""' - | jq -c -r '.')
+  sensitive=$(echo "${variable}" | ${YQ} e '.sensitive // false' -)
+  description=$(echo "${variable}" | ${YQ} e '.description // ""' -)
+
+  process_variable "${name}" "${default_value}" "${sensitive}" "${description}"
+done
+
+cat "${VARIABLES_FILE}" | ${YQ} e '.variables[]' -o json - | jq -c '.' | while read var; do
+  name=$(echo "${var}" | jq -r '.name')
+
+  value=$(echo "${var}" | jq -r '.value // empty')
+  sensitive=$(echo "${var}" | jq -r '.sensitive')
+
+  bom_var=$(cat bom.yaml | ${YQ} e '.spec.variables[]' -o json - | jq --arg NAME "${name}" -c 'select(.name == $NAME)')
+
+  if [[ -z "${bom_var}" ]]; then
+    process_variable "${name}" "${value}" "${sensitive}" ""
   fi
 done
 
 cp "${TMP_VARIABLES_FILE}" "${VARIABLES_FILE}"
 rm "${TMP_VARIABLES_FILE}"
 
-cd ${SCRIPT_DIR}/terraform
+source credentials.properties
+
+cd terraform
 terraform init
 terraform apply

1-quickstart/1-aro/105-azure-aro/bom.yaml

@@ -24,7 +24,7 @@ spec:
             - 10.0.0.0/20
     - name: azure-vnet-subnets
       alias: master-subnet
-      version: v1.3.8
+      version: v1.3.10
       variables:
         - name: label
           value: master
@@ -37,7 +37,7 @@ spec:
             - Microsoft.Storage
     - name: azure-vnet-subnets
       alias: worker-subnet
-      version: v1.3.8
+      version: v1.3.10
       variables:
         - name: label
           value: worker
@@ -50,7 +50,7 @@ spec:
             - Microsoft.Storage
     - name: azure-aro
       alias: cluster
-      version: v1.0.0
+      version: v2.0.0
       dependencies:
         - name: master-subnet
           ref: master-subnet
@@ -81,3 +81,17 @@ spec:
       type: string
       description: The name of the vpc resource
       defaultValue: ''
+    - name: pull_secret
+      type: string
+      description: >-
+        The contents of the pull secret needed to access Red Hat content. The
+        contents can either be provided directly or passed through the
+        `pull_secret_file` variable
+      defaultValue: ''
+    - name: pull_secret_file
+      type: string
+      description: >-
+        Name of the file containing the pull secret needed to access Red Hat
+        content. The contents can either be provided in this file or directly
+        via the `pull_secret` variable
+      defaultValue: ''

1-quickstart/1-aro/105-azure-aro/docs/azure-aro.md

@@ -3,20 +3,29 @@
 ## Module Overview
 
 Module creates an Azure RedHat OpenShift (ARO) cluster. It includes the following resources:
-- terraform-util-clis (to setup CLI utils for build)
-- random_domain
-- terraform-azure-resource-group (to create a resource group for the ARO cluster)
-- null_resource_aro (creates and destroys the cluster)
+- terraform-util-clis - to setup CLI utils for build
+- terraform-ocp-login - to login to the cluster once it is built
+- random_domain - generates a random domain name
+- null_resource az_login - to login to the az cli with the supplied credentials, or use existing login
+- external aro_rp - to obtain OpenShift resource provider details
+- null_resource service_principal - to create and destroy a service principal for cluster to use to call Azure API
+- azurerm_key_vault - if a key_vault_id is not provided, this will create a new key vault for the service principal details
+- azurerm_key_vault_secret - to store the service principal details
+- azurerm_role_assignment - assigns required roles to service principal and resource provider
+- azapi_resource - CRUD for the ARO cluster
+- external aro - obtains details of the created cluster
+- time_sleep - a delay to allow the cluster to settle
 
 ### Software dependencies
 
-- terraform CLI >= 1.2.6
-- Azure CLI (az) >= 2.39.0
+- terraform CLI >= 1.2.6 
+- Azure CLI (az) >= 2.42.0 (must be in the path environment variable)
 
 ### Terraform providers
 
 - Terraform >= 0.15.0
-- Azure provider >= 3.0.0
+- Azure provider (azurerm) >= 3.3.0
+- Azure API provider (azapi) >= 1.0.0
 
 ### Module dependencies
 
@@ -27,9 +36,17 @@ This module makes use of the output from other modules:
 
 ## Prerequisites
 
-### Option 1 - Use a service principal 
+### Common
 
-The service principal needs the following roles assigned
+Ensure that the subscription has the `Microsoft.RedHatOpenShift` provider namespace registerd. 
+To do so:
+  ```
+  $ az provider register --namespace "Microsoft.RedHatOpenShift"
+  ```
+
+### Azure Login Option 1 - Use a service principal 
+
+Use this option with automated execution. The service principal needs the following roles assigned
 - In the active directory, application and user administrator permissions
 
   - User Administrator
@@ -68,9 +85,46 @@ The service principal needs the following roles assigned
     1. Choose the service principal
     1. Review and assign
 
-### Option 2 - Login with your own user
-
-Functionality to support using your own user will be provided in a future release.
+1. Export the service principal details are environment variables.
+
+  ```
+  $ export TF_VAR_subscription_id=<subscription_id>
+  $ export TF_VAR_tenant_id=<tenant_id>
+  $ export TF_VAR_client_id=<service_principal_app_id>
+  $ export TF_VAR_client_secret=<service_principal_secret>
+  ```
+
+1. Set the variables in the provider block to use those credentials
+  ```hcl-terraform
+  provider "azurerm" {
+    features {}
+    subscription_id = var.subscription_id
+    client_id       = var.client_id
+    client_secret   = var.client_secret
+    tenant_id       = var.tenant_id
+  }
+  ```
+
+### Azure Login Option 2 - Use your Azure user id
+
+Use this option if running from your terminal. Uses your Azure user. 
+***Note that your Azure user must have contributor and user access administrator rights to the subscription***
+1. Login to the az cli from within the container before proceeding with terraform actions.  
+  ```
+  $ az login
+  ```
+1. If you have more than one subscription, set the relevant subscription to be used.
+  ```
+  $ az account set --subscription="<SUBSCRIPTION_ID>"
+  ```
+  where <SUBSCRIPTION_ID> is the id of the subscription to be utilized.
+
+1. Do not include the login details in the provider.tf file in terraform
+  ```hcl-terraform
+  provider "azurerm" {
+    features {}
+  }
+  ```
 
 ## Example Usage
 
@@ -119,39 +173,29 @@ module "aro" {
   source               = "github.com/cloud-native-toolkit/terraform-azure-aro"
 
   name_prefix           = "mytest"
-  
-  subscription_id       = var.azure_subscription_id
-  tenant_id             = var.azure_tenant_id
-  client_id             = var.service_principal_id
-  client_secret         = var.service_principal_secret
 
   resource_group_name   = module.resource_group.name
-  region                = module.resource_group.region
   vnet_name             = module.vnet.name
   master_subnet_id      = module.master-subnet.id
-  worker_subent_id      = module.worker-subnet.id
+  worker_subnet_id      = module.worker-subnet.id
+
+  encrypt               = true
 }
 ```
 
 ## Variables
 
 ### Inputs
 
-### Inputs
-
 This module has the following input variables:
-| Variable | Mandatory / Optional | Default Value | Description |
+| Variable | Default Value | Mandatory / Optional | Description |
 | -------------------------------- | --------------| ------------------ | ----------------------------------------------------------------------------- |
-| resource_group_name | Mandatory |  | The resource group of the network (VNet and subnet) components. A new resource group will be created for the cluster.  |
-| region | | Manadatory | The Azure region/location where the cluster is to be deployed |
+| resource_group_name | | Mandatory  | The resource group of the network (VNet and subnet) components. A new resource group will be created for the cluster. The location of the cluster will be the same as this resource group.  |
 | vnet_name | | Mandatory | The Azure VNet on which to create the cluster |
 | worker_subnet_id | | Mandatory | The id of the Azure subnet to attach the worker/compute nodes to |
 | master_subnet_id | | Mandatory | The id of the Azure subnet to attach the master/controller nodes to |
-| name_prefix | Mandatory | | Name to prefix the created resources |
-| subscription_id | Mandatory | | Azure subscription id where the cluster will be installed |
-| tenant_id | Mandatory | | Azure tenant id where the cluster will be installed |
-| client_id | Mandatory | | The id of the service principal to be used for the cluster creation and ongoing management |
-| client_secret | Mandatory | | The secret of the service principal to be used for the cluster creation and ongoing management |
+| name_prefix | | Mandatory | Name to prefix the created resources |
+| client_secret | "" | Optional  | The secret of the service principal to be used for the cluster creation and ongoing management. Provide if using a service principal for azurerm login. |
 | name | "" | Optional | The name to give to the cluster. If left blank, the name will be generated from the name_prefix |
 | name_prefix | "" | Optional | The prefix for the cluster name. If left blank, the network resource group name will be used to derive the cluster name | 
 | master_flavor | Standard_D8s_v3 | Optional | The VM size for the master/controller nodes |
@@ -162,6 +206,12 @@ This module has the following input variables:
 | pull_secret | "" | Optional | A Red Hat pull secret used to access a Red Hat account. If left blank and no pull secret file is provided, cluster will still deploy, but additional content will not be available |
 | pull_secret_file | "" | Optional | Path to a file containing a Red Hat pull secret used to access a Red Hat account. If left blank and no pull secret is provided, cluster will still deploy, but additional content will not be available |
 | label | cluster | Optional | Suffix to be added to the name_prefix to derive the cluster name if no name is provided |
+| key_vault_id | "" | Optional | Existing key vault id to use (will create a new one if not provided) |
+| encrypt | false | Optional | Flag to encrypt the master and worker nodes with server side encryption |
+| pod_cidr | 10.128.0.0/14 | Optional | CIDR for the internal pod subnet |
+| service_cidr | 172.30.0.0/16 | Optional | CIDR for the internal services subnet |
+| fips | false | Optional | Flag to use FIPS validated modules |
+| tags | {} | Optional | List of tags to be included as name value key pairs |
 
 ### Outputs
 
@@ -177,4 +227,5 @@ The module outputs the following values:
 | username | The login username for the cluster |
 | password | The login password for the cluster |
 | serverURL | The API URL for the cluster |
+| console_url | The URL of the web console for the cluster |
 | platform | Object containing details of the cluster (refer to output.tf for details) |