OCTOPUS-527: added iam policy support to image.tf

Signed-off-by: Paul Bastide <pbastide@us.ibm.com>
IBM · Nov 2, 2023 · 41e902f · 41e902f
1 parent 4433867
commit 41e902f
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 11 deletions.
diff --git a/main.tf b/main.tf
@@ -125,15 +125,16 @@ module "image" {
   depends_on = [module.support]
   source     = "./modules/5_image"
 
-  name_prefix         = local.name_prefix
-  vpc_region          = var.vpc_region
-  rhel_username       = var.rhel_username
-  bastion_public_ip   = var.powervs_bastion_ip
-  private_key_file    = var.private_key_file
-  ssh_agent           = var.ssh_agent
-  connection_timeout  = var.connection_timeout
-  ibmcloud_api_key    = var.ibmcloud_api_key
-  resource_group_name = module.vpc.vpc_resource_group_name
+  name_prefix                      = local.name_prefix
+  vpc_region                       = var.vpc_region
+  rhel_username                    = var.rhel_username
+  bastion_public_ip                = var.powervs_bastion_ip
+  private_key_file                 = var.private_key_file
+  ssh_agent                        = var.ssh_agent
+  connection_timeout               = var.connection_timeout
+  ibmcloud_api_key                 = var.ibmcloud_api_key
+  resource_group_name              = module.vpc.vpc_resource_group_name
+  skip_authorization_policy_create = var.skip_authorization_policy_create
 }
 
 module "worker" {

diff --git a/modules/5_image/image.tf b/modules/5_image/image.tf
@@ -69,6 +69,17 @@ EOF
   }
 }
 
+# Dev Note: required however, it may require superadmin privileges to set.
+# Ref: https://github.com/openshift/installer/blob/master/data/data/ibmcloud/network/image/main.tf#L19
+resource "ibm_iam_authorization_policy" "policy" {
+  count                       = var.skip_authorization_policy_create ? 0 : 1
+  source_service_name         = "is"
+  source_resource_type        = "image"
+  target_service_name         = "cloud-object-storage"
+  target_resource_instance_id = element(split(":", ibm_resource_instance.cos_instance.id), 7)
+  roles                       = ["Reader"]
+}
+
 locals {
   cos_region = ibm_cos_bucket.cos_bucket.region_location
 }
@@ -79,7 +90,7 @@ locals {
 # Ref: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4267
 # Ref: https://cloud.ibm.com/iam/authorizations/grant
 resource "ibm_is_image" "worker_image_id" {
-  depends_on       = [null_resource.upload_rhcos_image, ibm_cos_bucket.cos_bucket]
+  depends_on       = [null_resource.upload_rhcos_image, ibm_cos_bucket.cos_bucket, ibm_iam_authorization_policy.policy]
   name             = "${var.name_prefix}-rhcos-img"
   href             = "cos://${local.cos_region}/${var.name_prefix}-mac-intel/${var.name_prefix}-rhcos.qcow2"
   operating_system = "rhel-coreos-stable-amd64"

diff --git a/modules/5_image/variables.tf b/modules/5_image/variables.tf
@@ -12,3 +12,4 @@ variable "ssh_agent" {}
 variable "connection_timeout" {}
 variable "ibmcloud_api_key" {}
 variable "resource_group_name" {}
+variable "skip_authorization_policy_create" {}
diff --git a/variables.tf b/variables.tf
@@ -306,4 +306,11 @@ variable "cicd_image_pruner_cleanup" {
   type        = bool
   description = "Cleans up image pruner jobs"
   default     = false
-}
+}
+
+variable "skip_authorization_policy_create" {
+  type        = bool
+  description = "Skips trying to create the authorization policy for the Image Service for VPC's access to COS"
+  default     = false
+}
+