Assigning cluster access by using Terraform for Red Hat OpenShift on IBM Cloud
Terraform on IBM Cloud® enables predictable and consistent provisioning of IBM Cloud services so that you can rapidly build complex, multitiered cloud environments following Infrastructure as Code (IaC) principles. Similar to using the IBM Cloud CLI or API and SDKs, you can automate the provisioning, update, and deletion of your Red Hat OpenShift on IBM Cloud resources by using HashiCorp Configuration Language (HCL).
Looking for a managed Terraform on IBM Cloud® solution? Try out IBM Cloud® Schematics. With Schematics, you can use the Terraform scripting language that you are familiar with, but you don't have to worry about setting up and maintaining the Terraform command line or the IBM Cloud® Provider plug-in. Schematics also provides pre-defined Terraform templates that you can easily install from the IBM Cloud® catalog.
Creating a Red Hat OpenShift cluster by using Terraform
Before you can assign cluster access by using Terraform, follow the steps to create a Red Hat OpenShift cluster using Terraform. If you already have a cluster, see Assigning IAM user access.
Before you begin, make sure that you have the required access to create and work with Red Hat OpenShift on IBM Cloud resources.
- Follow the Terraform on IBM Cloud® getting started tutorial to install the Terraform CLI and configure the IBM Cloud® Provider plug-in for Terraform. The plug-in abstracts the IBM Cloud® APIs that are used to provision, update, or delete Red Hat OpenShift service instances and resources.
- Follow the tutorial to create single and multi-zone clusters with Terraform.
- Optional: Use Terraform to configure IAM user access policies for your Red Hat OpenShift cluster.
Assigning IAM user access to Red Hat OpenShift clusters
You can use Terraform to assign IAM user access for Red Hat OpenShift clusters in an IBM Cloud account. For more information on using Terraform with IAM policies, see the IBM Cloud provider Terraform documentation.
- In your Terraform directory, create a configuration file that is named `iam.tf`. In your `iam.tf` file, add the configuration parameters to create an IAM user access policy for a Red Hat OpenShift cluster by using the HashiCorp Configuration Language (HCL). The following example configuration creates the `ibm_iam_user_policy` resource and assigns the policy to a specified cluster. Note that `roles` is an HCL list: each role is its own quoted string, not one comma-separated string. For more information, see the Terraform documentation.

  ```hcl
  resource "ibm_iam_user_policy" "cluster" {
    ibm_id = "<ibm_id>"
    roles  = ["<access_role_1>", "<access_role_2>"]
    resources {
      service              = "containers-kubernetes"
      resource_instance_id = "<cluster_name>"
    }
  }
  ```
  Configuring IAM access policies with Terraform

  | Resource | Description |
  |---|---|
  | `ibm_id` | The IBM Cloud ID or email address of the user that you want to create the IAM access policy for. |
  | `roles` | A list of the access roles that you want to assign to the user, one quoted role per list element. The platform role Administrator already includes the Editor and Viewer actions, so assign only the least role that the user needs. |
  | `service` | The type of service that the access policy applies to. Enter `"containers-kubernetes"` for Red Hat OpenShift clusters; this is the same service name that the verification output at the end of this procedure shows. For a complete list of applicable service types, run `ibmcloud catalog service-marketplace`. |
  | `resource_instance_id` | The ID or name of the cluster. Without this attribute the policy applies to every cluster of the service in the account, so always set it. |

  Example configuration file:

  ```hcl
  resource "ibm_iam_user_policy" "test_policy" {
    ibm_id = "ibm_id@ibm.com"
    roles  = ["Viewer", "Editor", "Administrator"]
    resources {
      service              = "containers-kubernetes"
      resource_instance_id = "my-cluster"
    }
  }
  ```
- Initialize the Terraform CLI.

  ```sh
  terraform init
  ```
- Create a Terraform execution plan and review the output. The Terraform execution plan summarizes all the actions that run to create the IAM access policy in your account. Note the `Plan` section of the output. The example output states `Plan: 1 to add, 0 to change, 0 to destroy` because the configuration file creates one IAM user access policy. Before you apply, also check the `resources` block in the plan: confirm that `service` and the cluster scope are the ones you intend and that `roles` contains nothing broader than the user needs, because a policy that is scoped only to the service applies to every cluster in the account.

  ```sh
  terraform plan
  ```

  Example output:

  ```
  Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
    + create

  Terraform will perform the following actions:

    # ibm_iam_user_policy.test_policy will be created
    + resource "ibm_iam_user_policy" "test_policy" {
        + account_management = false
        + ibm_id             = "ibm_id@ibm.com"
        + id                 = (known after apply)
        + roles              = [
            + "Viewer",
            + "Editor",
            + "Administrator",
          ]

        + resources {
            + service = "containers-kubernetes"
          }
      }

  Plan: 1 to add, 0 to change, 0 to destroy.
  ```
- Apply the configuration file to create the access policy. It might take a few seconds to complete. In the output, note the policy ID after the user's IBM email; the resource ID has the form `<ibm_id>/<policy_ID>`.

  ```sh
  terraform apply
  ```

  Example output:

  ```
  ibm_iam_user_policy.test_policy: Creating...
  ibm_iam_user_policy.test_policy: Creation complete after 2s [id=ibm_id@ibm.com/f81b161f-e1db-4084-8b28-cfcbe88fec72]
  ```
- Verify that the IAM access policy was successfully created by running the following command and searching for the policy ID that you previously noted.

  ```sh
  ibmcloud iam user-policies ibm_id@ibm.com
  ```

  Example output:

  ```
  Policy ID:   f81b161f-e1db-4084-8b28-cfcbe88fec72
  Roles:       Viewer, Editor, Administrator
  Resources:
               Service Name       containers-kubernetes
               Service Instance   my-cluster
  ```
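The following `iam.tf` is an added example, not code from the original page or from IBM's documentation. It applies the procedure above with tighter scoping than the `Viewer, Editor, Administrator` example: the policy is pinned to the cluster's ID rather than its display name, the user gets only Viewer on the cluster, and write access is granted only inside one namespace through the `resource_type` and `resource` attributes of the `resources` block. The variable names, the placeholder user and namespace, and the mapping of `resource_type = "namespace"` / `resource = <namespace>` to the CLI's `--resource-type namespace --resource <namespace>` flags are assumptions of this example; check them against the `ibm_iam_user_policy` documentation for your provider version. The IBM Cloud provider is assumed to be configured already, as in the steps above.

```hcl
# Added example, not part of the original page: least-privilege IAM policies
# for one Red Hat OpenShift cluster. Variable names, placeholder values and the
# namespace scoping attributes are assumptions; verify against the provider docs.

variable "user_ibm_id" {
  description = "IBM Cloud ID (email) of the user that receives access"
  type        = string
  default     = "ibm_id@ibm.com" # assumed placeholder
}

variable "cluster_id" {
  description = "ID of the target cluster (not its name), e.g. from `ibmcloud oc cluster get --cluster <name>`"
  type        = string
}

variable "namespace" {
  description = "Namespace in which the user may create and change resources"
  type        = string
  default     = "team-a" # assumed placeholder
}

# Read-only access to the cluster itself. Viewer is the least platform role, and
# resource_instance_id keeps the policy from applying to every cluster in the account.
resource "ibm_iam_user_policy" "cluster_viewer" {
  ibm_id = var.user_ibm_id
  roles  = ["Viewer"]

  resources {
    service              = "containers-kubernetes"
    resource_instance_id = var.cluster_id
  }
}

# Write access only inside one namespace. resource_type and resource narrow the
# policy below the cluster level (assumed mapping to the CLI's
# --resource-type namespace --resource <name> flags); Writer is the service
# access role that maps to edit rights in that namespace.
resource "ibm_iam_user_policy" "namespace_writer" {
  ibm_id = var.user_ibm_id
  roles  = ["Writer"]

  resources {
    service              = "containers-kubernetes"
    resource_instance_id = var.cluster_id
    resource_type        = "namespace"
    resource             = var.namespace
  }
}

# The resource IDs have the form <ibm_id>/<policy_ID>; the policy_ID part is what
# you search for in `ibmcloud iam user-policies <ibm_id>` to verify the policies.
output "policy_ids" {
  description = "Policy IDs to look for in `ibmcloud iam user-policies <user>`"
  value = {
    cluster_viewer   = ibm_iam_user_policy.cluster_viewer.id
    namespace_writer = ibm_iam_user_policy.namespace_writer.id
  }
}
```

Run `terraform plan -var cluster_id=<cluster_ID>` and confirm that both planned `resources` blocks show the cluster ID, that the second one shows the namespace, and that `Plan:` reports 2 to add before you apply. If a later change to the namespace or roles shows up in the plan as `1 to destroy` and `1 to add` rather than `1 to change`, that is expected for this resource type and the user briefly loses the namespace policy between the two actions.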