Assigning cluster access by using Terraform for IBM Cloud Kubernetes Service

Terraform on IBM Cloud® enables predictable and consistent provisioning of IBM Cloud services so that you can rapidly build complex, multitiered cloud environments following Infrastructure as Code (IaC) principles. Similar to using the IBM Cloud CLI or API and SDKs, you can automate the provisioning, update, and deletion of your IBM Cloud Kubernetes Service resources by using HashiCorp Configuration Language (HCL).

Looking for a managed Terraform on IBM Cloud® solution? Try out IBM Cloud® Schematics. With Schematics, you can use the Terraform scripting language that you are familiar with, but you don't have to worry about setting up and maintaining the Terraform command line or the IBM Cloud® Provider plug-in. Schematics also provides pre-defined Terraform templates that you can easily install from the IBM Cloud® catalog.

Creating a Kubernetes Service cluster by using Terraform

Before you can assign cluster access by using Terraform, follow the steps to create a Kubernetes Service cluster using Terraform. If you already have a cluster, see Assigning IAM user access.

Before you begin, make sure that you have the required access to create and work with IBM Cloud Kubernetes Service resources.

  1. Follow the Terraform on IBM Cloud® getting started tutorial to install the Terraform CLI and configure the IBM Cloud® Provider plug-in for Terraform. The plug-in abstracts the IBM Cloud® APIs that are used to provision, update, or delete Kubernetes Service service instances and resources.

  2. Follow the tutorial to create single and multi-zone clusters with Terraform.

  3. Optional: Use Terraform to configure IAM user access policies for your Kubernetes Service cluster.

Assigning IAM user access to Kubernetes Service clusters

You can use Terraform to assign IAM user access for Kubernetes Service clusters in an IBM Cloud account. For more information on using Terraform with IAM policies, see the IBM Cloud provider Terraform documentation.

  1. In your Terraform directory, create a configuration file that is named iam.tf. In your iam.tf file, add the configuration parameters to create an IAM user access policy for a Kubernetes Service cluster by using the HashiCorp Configuration Language (HCL). The following example configuration creates the ibm_iam_user_policy and then assigns the policy to a specified cluster. For more information, see the Terraform documentation.

    resource "ibm_iam_user_policy" "cluster" {
      ibm_id = "<ibm_id>"
      # Each role is its own quoted string in the list
      roles  = ["<access_role_1>", "<access_role_2>"]

      # Scope the policy to one cluster rather than to every cluster in the account
      resources {
        service              = "containers-kubernetes"
        resource_instance_id = "<cluster_name>"
      }
    }
    
    Configuring IAM access policies with Terraform

    Resource              Description
    ibm_id                The IBM Cloud ID or email address of the user that you want to create the IAM access policy for.
    roles                 A comma-separated list of the access roles that you want to assign to the user, with each role as a quoted string.
    service               The type of service that the access policy applies to. Enter "containers-kubernetes" for Kubernetes Service clusters. For a complete list of applicable service types, run ibmcloud ks catalog service-marketplace.
    resource_instance_id  The ID or name of the cluster.

    Example configuration file:

    resource "ibm_iam_user_policy" "test_policy" {
        ibm_id = "ibm_id@ibm.com"
        roles  = ["Viewer", "Editor", "Administrator"]
    
        resources {
            service = "containers-kubernetes"
            resource_instance_id  = "my-cluster"
        }
    }
    
  2. Initialize the Terraform CLI.

    terraform init
    
  3. Create a Terraform execution plan and review the output. The Terraform execution plan summarizes all the actions that run to create the IAM access policy in your account. Note the Plan section of the output. The example output states Plan: 1 to add, 0 to change, 0 to destroy because the configuration file creates one IAM user access policy.

    Terraform used the selected providers to generate the following execution plan. Resource actions are
    indicated with the following symbols:
    + create
    
    Terraform will perform the following actions:
    
    # ibm_iam_user_policy.test_policy will be created
    + resource "ibm_iam_user_policy" "test_policy" {
        + account_management = false
        + ibm_id             = "ibm_id@ibm.com"
        + id                 = (known after apply)
        + roles              = [
            + "Viewer",
            + "Editor",
            + "Administrator",
            ]
    
        + resources {
            + service = "containers-kubernetes"
            }
        }
    
    Plan: 1 to add, 0 to change, 0 to destroy.
    
  4. Apply the configuration file to create the access policy. It might take a few seconds to complete. In the output, note the policy ID that follows the user's IBM email address in the id field.

    terraform apply
    

    Example output:

    ibm_iam_user_policy.test_policy: Creating...
    ibm_iam_user_policy.test_policy: Creation complete after 2s [id=ibm_id@ibm.com/f81b161f-e1db-4084-8b28-cfcbe88fec72]
    
  5. Verify that the IAM access policy was successfully created by running the following command and searching the output for the policy ID that you noted previously.

    ibmcloud iam user-policies ibm_id@ibm.com
    

    Example output:

    Policy ID:   f81b161f-e1db-4084-8b28-cfcbe88fec72
    Roles:       Viewer, Editor, Administrator
    Resources:
                 Service Name       containers-kubernetes
                 Service Instance   my-cluster
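Steps 3 and 4 above review the plan by eye before applying it. The following added example (not part of the IBM Cloud documentation or the IBM Cloud provider) turns that review into a pre-apply check: it reads the JSON that terraform show -json produces for a saved plan file and flags any ibm_iam_user_policy that grants roles outside an allow-list or that is not scoped to a specific cluster. The embedded plan is constructed to follow Terraform's plan JSON shape; the first policy mirrors the page's test_policy example, the second is a least-privilege policy scoped to my-cluster. The allow-list (Viewer and Editor) is an assumption for the example and should match your account's standard.

```python
"""Pre-apply guardrail for ibm_iam_user_policy changes in a Terraform plan.

Usage (the plan-file and show commands are standard Terraform):
    terraform plan -out=tfplan
    terraform show -json tfplan | python check_iam_plan.py -
Run with no argument to check the embedded constructed sample plan.
"""
import json
import sys

# Roles a cluster-access policy may grant without manual review.
# This allow-list is an assumption for the example, not an IBM Cloud default.
ALLOWED_ROLES = {"Viewer", "Editor"}
CLUSTER_SERVICE = "containers-kubernetes"


def policy_changes(plan):
    """Yield (address, planned attributes) for every ibm_iam_user_policy being created or updated."""
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "ibm_iam_user_policy":
            continue
        change = rc.get("change", {})
        if not {"create", "update"} & set(change.get("actions", [])):
            continue
        yield rc["address"], change.get("after") or {}


def check_policy(address, after, allowed_roles=ALLOWED_ROLES):
    """Return findings (strings) for one planned policy; an empty list means it passes."""
    findings = []
    extra = sorted(set(after.get("roles") or []) - allowed_roles)
    if extra:
        findings.append(f"{address}: grants roles outside the allow-list: {', '.join(extra)}")
    scopes = after.get("resources") or []
    if not scopes:
        findings.append(f"{address}: no resources block; policy applies account-wide")
    for scope in scopes:
        # A containers-kubernetes policy without resource_instance_id covers every cluster
        if scope.get("service") == CLUSTER_SERVICE and not scope.get("resource_instance_id"):
            findings.append(f"{address}: {CLUSTER_SERVICE} policy is not scoped to a cluster")
    return findings


def review_plan(plan, allowed_roles=ALLOWED_ROLES):
    """Check every planned user policy and return all findings for the plan."""
    findings = []
    for address, after in policy_changes(plan):
        findings.extend(check_policy(address, after, allowed_roles))
    return findings


# Constructed sample in the shape of `terraform show -json` output.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "ibm_iam_user_policy.test_policy",
            "type": "ibm_iam_user_policy",
            "change": {
                "actions": ["create"],
                "after": {
                    "ibm_id": "ibm_id@ibm.com",
                    "roles": ["Viewer", "Editor", "Administrator"],
                    "resources": [{"service": "containers-kubernetes"}],
                },
            },
        },
        {
            "address": "ibm_iam_user_policy.viewer_only",
            "type": "ibm_iam_user_policy",
            "change": {
                "actions": ["create"],
                "after": {
                    "ibm_id": "ibm_id@ibm.com",
                    "roles": ["Viewer"],
                    "resources": [
                        {"service": "containers-kubernetes", "resource_instance_id": "my-cluster"}
                    ],
                },
            },
        },
    ],
}


def load_plan(path):
    """Load plan JSON from a file path, '-' for stdin, or None for the embedded sample."""
    if path is None:
        return SAMPLE_PLAN
    if path == "-":
        return json.load(sys.stdin)
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    results = review_plan(load_plan(sys.argv[1] if len(sys.argv) > 1 else None))
    for line in results:
        print(line)
    # Non-zero exit blocks the apply step in a pipeline when anything was flagged
    sys.exit(1 if results else 0)
```

Wire it in between terraform plan -out=tfplan and terraform apply tfplan so that a policy granting Administrator, or one that is not pinned to a cluster, stops the pipeline before any IAM change is made.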