ROSA automation

[RishabhKodes]

Added the scripts for creating and managing ROSA clusters.

[mjiao]

Please remove the two pipeline runs in the .tekton folder.

[mjiao]

Hi @RishabhKodes

Thanks for your progress on this.

After reviewing, I think we need to pivot our approach on the IaC tool. Given our broader strategy involving a hybrid cloud, Terraform is much better suited for our needs than CloudFormation. Could you please switch the implementation from CloudFormation to Terraform? Once the foundation is in Terraform, we can proceed with adding the following services:

• Amazon RDS for PostgreSQL (with password authentication)
• Amazon ElastiCache for Redis (with AUTH for the default user)

Happy to sync up to discuss the implementation. Let me know your thoughts.

[RishabhKodes]

Hi @RishabhKodes

Thanks for your progress on this.

After reviewing, I think we need to pivot our approach on the IaC tool. Given our broader strategy involving a hybrid cloud, Terraform is much better suited for our needs than CloudFormation. Could you please switch the implementation from CloudFormation to Terraform? Once the foundation is in Terraform, we can proceed with adding the following services:

• Amazon RDS for PostgreSQL (with password authentication)
• Amazon ElastiCache for Redis (with AUTH for the default user)

Happy to sync up to discuss the implementation. Let me know your thoughts.

@mjiao I've added Terraform as the IaC tool, would appreciate your review.

[mjiao]

EFS can also be managed via terraform https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system

You might need to add further configuration to make it usable in the openshift.

[RishabhKodes]

@mjiao please review the latest changes, which have end-to-end Terraform integration. FYI, the EFS has still not been integrated completely. I'm in the process of testing that.

[kksat]

as we now have terraform code I suggest to run terraform linter in CI/CD, here is what tflint output at the moment

tflint       
5 issue(s) found:

Warning: [Fixable] Comparing a collection with an empty list is invalid. To detect an empty collection, check its length. (terraform_empty_list_equali
ty)

  on rosa-hcp.tf line 24:
  24:   aws_availability_zones = var.availability_zones != [] ? var.availability_zones : []

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.12.0/docs/rules/terraform_empty_list_equality.md

Warning: [Fixable] variable "channel_group" is declared but not used (terraform_unused_declarations)

  on variables.tf line 102:
 102: variable "channel_group" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.12.0/docs/rules/terraform_unused_declarations.md

Warning: [Fixable] variable "enable_autoscaling" is declared but not used (terraform_unused_declarations)

  on variables.tf line 200:
 200: variable "enable_autoscaling" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.12.0/docs/rules/terraform_unused_declarations.md

Warning: [Fixable] variable "min_replicas" is declared but not used (terraform_unused_declarations)

  on variables.tf line 206:
 206: variable "min_replicas" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.12.0/docs/rules/terraform_unused_declarations.md

Warning: [Fixable] variable "max_replicas" is declared but not used (terraform_unused_declarations)

  on variables.tf line 212:
 212: variable "max_replicas" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.12.0/docs/rules/terraform_unused_declarations.md

[kksat]

maybe separate makefile target?

[kksat]

ROSA_DOMAIN is already environment variable, no need to reassign it.

[kksat]

rosa account roles will not be created here, because rosa-login is not in dependencies list, one more reason to have it as separate makefile target

[kksat]

I think there is no need for if statements below to check status if 'euo' is set. Script will fail as soon as any command will fail.

[kksat]

I see domain is required below, no need to set it to empty string here, I think

[kksat]

I would propose to set secret parameters via env variables

export TF_VAR_rosa_token="$ROSA_TOKEN"

This guarantees that we will not forget some @ at the begining of the command and expose secret in the log

[kksat]

Here you are just creating a file. Makefile targets are perfect for this. So we should have makefile target rosa/terraform/network.tfvars

Second point - there is command envsubst that uses template file and substites environment variables with their values to create new file. For instance:

envsubst < rosa/terraform/network.tfvars.envsubst > rosa/terraform/network.tfvars

[kksat]

this is a separate target, its prerequsite is that network.tfvars file is present.

[kksat]

There is a way to run any command with make targets. I will show you example separately, so you can adopt it to this use case.

[mjiao]

Pls make sure vpc name is derived from cluster_name, e.g. vpc_name = "rosa-${var.cluster_name}-vpc"

[RishabhKodes]

@mjiao the vpc_name is already being set as rosa-${var.cluster_name}-vpc here https://github.com/redhat-sap/sap-edge/blob/rosa/rosa.makefile#L113, I also checked in the AWS console it is being set correctly.

Nevertheless, I have updated the code in terraform.tfvars.example as well, ensuring that it does not create any confusion.

[mjiao]

When running terraform apply multiple times on this ROSA HCP deployment, Terraform detects
"drift" because ROSA/OpenShift automatically adds tags to subnets (like
kubernetes.io/cluster/, api.openshift.com/, etc.) that aren't managed in the Terraform
configuration.

Could you pls fix this?