IBM Cloud Docs
Assigning cluster access by using Terraform for Red Hat OpenShift on IBM Cloud

Assigning cluster access by using Terraform for Red Hat OpenShift on IBM Cloud

Terraform on IBM Cloud® enables predictable and consistent provisioning of IBM Cloud services so that you can rapidly build complex, multitiered cloud environments following Infrastructure as Code (IaC) principles. Similar to using the IBM Cloud CLI or API and SDKs, you can automate the provisioning, update, and deletion of your Red Hat OpenShift on IBM Cloud resources by using HashiCorp Configuration Language (HCL).

Looking for a managed Terraform on IBM Cloud® solution? Try out IBM Cloud® Schematics. With Schematics, you can use the Terraform scripting language that you are familiar with, but you don't have to worry about setting up and maintaining the Terraform command line or the IBM Cloud® Provider plug-in. Schematics also provides pre-defined Terraform templates that you can easily install from the IBM Cloud® catalog.

Creating a Red Hat OpenShift cluster by using Terraform

Before you can assign cluster access by using Terraform, follow the steps to create a Red Hat OpenShift cluster using Terraform. If you already have a cluster, see Assigning IAM user access.

Before you begin, make sure that you have the required access to create and work with Red Hat OpenShift on IBM Cloud resources.

  1. Follow the Terraform on IBM Cloud® getting started tutorial to install the Terraform CLI and configure the IBM Cloud® Provider plug-in for Terraform. The plug-in abstracts the IBM Cloud® APIs that are used to provision, update, or delete Red Hat OpenShift service instances and resources.

  2. Follow the tutorial to create single and multi-zone clusters with Terraform.

  3. Optional: Use Terraform to configure IAM user access policies for your Red Hat OpenShift cluster.

Assigning IAM user access to Red Hat OpenShift clusters

You can use Terraform to assign IAM user access for Red Hat OpenShift clusters in an IBM Cloud account. For more information on using Terraform with IAM policies, see the IBM Cloud provider Terraform documentation.

  1. In your Terraform directory, create a configuration file that is named iam.tf. In your iam.tf file, add the configuration parameters to create an IAM user access policy for a Red Hat OpenShift cluster by using the HashiCorp Configuration Language (HCL). The following example configuration creates the ibm_iam_user_policy and then assigns the policy to a specified cluster. For more information, see the Terraform documentation.

    resource "ibm_iam_user_policy" "cluster" {
ibm_id = "<ibm_id>"
roles  = ["<access_role_1>, <access_role_2>"]

resources {
    service = "containers-kubernetes"
    resource_instance_id  = "<cluster_name>"
}
}
    Configuring IAM access policies with Terraform
    Resource Description
    ibm_id The IBM Cloud ID or email address of the user that you want to create the IAM access policy for.
    roles A comma-separated list of the access roles that you want to assign the user.
    service The type of service that the access policy applies to. Enter "openshift" for Red Hat OpenShift clusters. For a complete list of applicable service types, run ibmcloud oc catalog service-marketplace.
    resource_instance_id The ID or name of the cluster.

    Example configuration file:

    resource "ibm_iam_user_policy" "test_policy" {
    ibm_id = "ibm_id@ibm.com"
    roles  = ["Viewer", "Editor", "Administrator"]

    resources {
        service = "containers-kubernetes"
        resource_instance_id  = "my-cluster"
    }
}

  2. Initialize the Terraform CLI.

    terraform init

  3. Create a Terraform execution plan and review the output. The Terraform execution plan summarizes all the actions that run to create the Red Hat OpenShift cluster in your account. Note the Plan section of the output. The example output states Plan: 1 to add, 0 to change, 0 to destroy because the configuration file creates one IAM user access policy.

    Terraform used the selected providers to generate the following execution plan. Resource actions are
indicated with the following symbols:
+ create

Terraform will perform the following actions:

# ibm_iam_user_policy.test_policy will be created
+ resource "ibm_iam_user_policy" "test_policy" {
    + account_management = false
    + ibm_id             = "ibm_id@ibm.com"
    + id                 = (known after apply)
    + roles              = [
        + "Viewer",
        + "Editor",
        + "Administrator",
        ]

    + resources {
        + service = "containers-kubernetes"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

  4. Apply the configuration file to create the access policy. It may take a few seconds to complete. In the output, note the policy ID number after the user's IBM email.

    terraform apply

    Example output:

    ibm_iam_user_policy.test_policy: Creating...
ibm_iam_user_policy.test_policy: Creation complete after 2s [id=ibm_id@ibm.com/f81b161f-e1db-4084-8b28-cfcbe88fec72]

  5. Verify that the IAM access policy was successfully created by running the command and searching for the policy ID you previously noted.

    ibmcloud iam user-policies ibm_id@ibm.com

    Example output:

    Policy ID:   f81b161f-e1db-4084-8b28-cfcbe88fec72   
Roles:       Viewer, Editor, Administrator   
Resources:                        
            Service Name       containers-kubernetes   
            Service Instance   my-cluster