
operator-policies

Introduction

This Terraform sub-module manages the IAM policies attached to the roles that the cluster's operators use to perform their required actions in the AWS account.

The following permissions are included in this sub-module:

  • ROSA Ingress Operator IAM policy: This IAM policy grants the ROSA Ingress Operator the necessary permissions to oversee external access to a cluster.
  • ROSA back-end storage IAM policy: This IAM policy is essential for ROSA to manage back-end storage through the Container Storage Interface (CSI).
  • ROSA Machine Config Operator policy: This IAM policy furnishes the ROSA Machine Config Operator with the permissions required to execute core cluster functionalities.
  • ROSA Cloud Credential Operator policy: This IAM policy offers the ROSA Cloud Credential Operator the necessary permissions for managing cloud provider credentials.
  • ROSA Image Registry Operator policy: This IAM policy provides the ROSA Image Registry Operator with permissions to manage the OpenShift image registry storage in AWS S3 for a cluster.

For more information, see the operator-roles sub-module description and About IAM resources for ROSA clusters that use STS in the ROSA documentation.

Example Usage

module "operator_policies" {
  source = "terraform-redhat/rosa-classic/rhcs//modules/operator-policies"

  account_role_prefix  = "my-cluster-account"
  openshift_version    = "4.14.24"
}
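A fuller configuration, added here as an example and not taken from the module's own README, sets every documented input. It keeps the ARN path in a local so the same value can be passed to the account IAM roles (the page notes the paths must match), and exposes the module's single output; the local and variable names are assumptions for illustration.

```hcl
# Added example: the operator-policies sub-module with all documented inputs set.
# Local and variable names are assumptions chosen for this illustration.

locals {
  # One path value shared by the account roles, operator roles and their policies.
  # The module requires the same path as the one used for "account_iam_roles".
  iam_path = "/rosa/my-cluster/"

  common_tags = {
    "owner"   = "platform-team"
    "cluster" = "my-cluster"
  }
}

variable "shared_vpc_role_arn" {
  description = "Role ARN for the private hosted zone in the shared VPC account; leave empty when no shared VPC is used."
  type        = string
  default     = ""
}

module "operator_policies" {
  source = "terraform-redhat/rosa-classic/rhcs//modules/operator-policies"

  account_role_prefix = "my-cluster-account"
  openshift_version   = "4.14.24"

  # Must match the path given to the account IAM roles, or role/policy ARNs will not line up.
  path = local.iam_path

  # Empty string (the module default) unless the cluster uses a shared VPC.
  shared_vpc_role_arn = var.shared_vpc_role_arn

  tags = local.common_tags
}

output "operator_policies_prefix" {
  description = "Prefix the operator policies were created with; pass the same value to the operator-roles sub-module."
  value       = module.operator_policies.account_role_prefix
}
```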

Requirements

Name       Version
terraform  >= 1.0
aws        >= 4.0
null       >= 3.0.0
rhcs       >= 1.6.2
time       >= 0.9

Providers

Name  Version
aws   >= 4.0
null  >= 3.0.0
rhcs  >= 1.6.2
time  >= 0.9

Modules

No modules.

Resources

Name                                      Type
aws_iam_policy.operator-policy            resource
null_resource.validate_openshift_version  resource
time_sleep.operator_policy_wait           resource
rhcs_policies.all_policies                data source
rhcs_versions.all_versions                data source

Inputs

Name                 Type         Default  Required  Description
account_role_prefix  string       n/a      yes       User-defined prefix for all generated AWS resources (default "account-role-")
openshift_version    string       n/a      yes       The OpenShift version of the cluster these operator policies are used for.
path                 string       "/"      no        The ARN path for the account/operator roles as well as their policies. Must use the same path used for "account_iam_roles".
shared_vpc_role_arn  string       ""       no        The role ARN used to access the private hosted zone, in case a shared VPC is used.
tags                 map(string)  null     no        AWS resource tags to apply.

Outputs

Name                 Description
account_role_prefix  User-defined prefix for all generated AWS resources (default "account-role-")