| access_tags |
A list of access tags to apply to the resources created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details |
list(string) |
[] |
no |
| additional_lb_security_group_ids |
Additional security groups to add to the load balancers associated with the cluster. Ensure that the number_of_lbs is set to the number of LBs associated with the cluster. This comes in addition to the IBM maintained security group. |
list(string) |
[] |
no |
| additional_vpe_security_group_ids |
Additional security groups to add to all existing load balancers. This comes in addition to the IBM maintained security group. |
object({
master = optional(list(string), [])
registry = optional(list(string), [])
api = optional(list(string), [])
}) |
{} |
no |
| addons |
Map of OCP cluster add-on versions to install (NOTE: The 'vpc-block-csi-driver' add-on is installed by default for VPC clusters and 'ibm-storage-operator' is installed by default in OCP 4.15 and later, however you can explicitly specify it here if you wish to choose a later version than the default one). For full list of all supported add-ons and versions, see https://cloud.ibm.com/docs/containers?topic=containers-supported-cluster-addon-versions |
object({
debug-tool = optional(string)
image-key-synchronizer = optional(string)
openshift-data-foundation = optional(string)
vpc-file-csi-driver = optional(string)
static-route = optional(string)
cluster-autoscaler = optional(string)
vpc-block-csi-driver = optional(string)
ibm-storage-operator = optional(string)
}) |
{} |
no |
| allow_default_worker_pool_replacement |
(Advanced users) Set to true to allow the module to recreate a default worker pool. Only use in the case where you are getting an error indicating that the default worker pool cannot be replaced on apply. Once the default worker pool is handled as a stand-alone ibm_container_vpc_worker_pool, if you wish to make any change to the default worker pool which requires the re-creation of the default pool set this variable to true. |
bool |
false |
no |
| attach_ibm_managed_security_group |
Specify whether to attach the IBM-defined default security group (whose name is kube-) to all worker nodes. Only applicable if custom_security_group_ids is set. |
bool |
true |
no |
| cbr_rules |
The list of context-based restriction rules to create. |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
tags = optional(list(object({
name = string
value = string
})), [])
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
})) |
[] |
no |
| cluster_config_endpoint_type |
Specify which type of endpoint to use for for cluster config access: 'private', 'vpe', 'link'. |
string |
"private" |
no |
| cluster_name |
The name that will be assigned to the provisioned cluster |
string |
n/a |
yes |
| cluster_ready_when |
The cluster is ready when one of the following: MasterNodeReady (not recommended), OneWorkerNodeReady, Normal, IngressReady |
string |
"IngressReady" |
no |
| custom_security_group_ids |
Security groups to add to all worker nodes. This comes in addition to the IBM maintained security group if use_ibm_managed_security_group is set to true. If this variable is set, the default VPC security group is NOT assigned to the worker nodes. |
list(string) |
null |
no |
| enable_ocp_console |
Flag to specify whether to enable or disable the OpenShift console. |
bool |
true |
no |
| existing_cos_id |
The COS id of an already existing COS instance |
string |
n/a |
yes |
| force_delete_storage |
Flag indicating whether or not to delete attached storage when destroying the cluster - Default: false |
bool |
false |
no |
| ignore_worker_pool_size_changes |
Enable if using worker autoscaling. Stops Terraform managing worker count |
bool |
false |
no |
| import_default_worker_pool_on_create |
(Advanced users) Whether to handle the default worker pool as a stand-alone ibm_container_vpc_worker_pool resource on cluster creation. Only set to false if you understand the implications of managing the default worker pool as part of the cluster resource. Set to true to import the default worker pool as a separate resource. Set to false to manage the default worker pool as part of the cluster resource. |
bool |
true |
no |
| kms_config |
Use to attach a HPCS instance to the cluster. If account_id is not provided, defaults to the account in use. |
object({
crk_id = string
instance_id = string
private_endpoint = optional(bool, true) # defaults to true
account_id = optional(string) # To attach HPCS instance from another account
wait_for_apply = optional(bool, true) # defaults to true so terraform will wait until the KMS is applied to the master, ready and deployed
}) |
n/a |
yes |
| number_of_lbs |
The number of LBs to associated the additional_lb_security_group_names security group with. |
number |
1 |
no |
| ocp_entitlement |
Value that is applied to the entitlements for OCP cluster provisioning |
string |
null |
no |
| ocp_version |
The version of the OpenShift cluster that should be provisioned (format 4.x). This is only used during initial cluster provisioning, but ignored for future updates. Supports passing the string 'default' (current IKS default recommended version). If no value is passed, it will default to 'default'. |
string |
null |
no |
| pod_subnet_cidr |
Specify a custom subnet CIDR to provide private IP addresses for pods. The subnet must have a CIDR of at least /23 or larger. Default value is 172.30.0.0/16 when the variable is set to null. |
string |
null |
no |
| region |
The IBM Cloud region where the cluster will be provisioned. |
string |
n/a |
yes |
| resource_group_id |
The Id of an existing IBM Cloud resource group where the cluster will be grouped. |
string |
n/a |
yes |
| service_subnet_cidr |
Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least /24 or larger. Default value is 172.21.0.0/16 when the variable is set to null. |
string |
null |
no |
| tags |
Metadata labels describing this cluster deployment |
list(string) |
[] |
no |
| use_private_endpoint |
Set this to true to force all api calls to use the IBM Cloud private endpoints. |
bool |
false |
no |
| verify_worker_network_readiness |
By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false. |
bool |
true |
no |
| vpc_id |
ID of the VPC instance where this cluster will be provisioned |
string |
n/a |
yes |
| vpc_subnets |
Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster will be created |
map(list(object({
id = string
zone = string
cidr_block = string
}))) |
n/a |
yes |
| worker_pools |
List of worker pools |
list(object({
subnet_prefix = optional(string)
vpc_subnets = optional(list(object({
id = string
zone = string
cidr_block = string
})))
pool_name = string
machine_type = string
workers_per_zone = number
resource_group_id = optional(string)
operating_system = string
labels = optional(map(string))
minSize = optional(number)
secondary_storage = optional(string)
maxSize = optional(number)
enableAutoscaling = optional(bool)
boot_volume_encryption_kms_config = optional(object({
crk = string
kms_instance_id = string
kms_account_id = optional(string)
}))
additional_security_group_ids = optional(list(string))
})) |
n/a |
yes |
| worker_pools_taints |
Optional, Map of lists containing node taints by node-pool name |
map(list(object({ key = string, value = string, effect = string }))) |
null |
no |