Add terraform for provisioning s390x build cluster on ibmcloud

[sudharshanibm]

Add terraform for provisioning s390x build cluster on ibmcloud

• k8s-s390x-infra-setup: Terraform resources to set up the necessary infrastructure in an IBM Cloud account, which will serve as prerequisites for the k8s-s390x-build-cluster automation.
• k8s-s390x-build-cluster: Terraform resources to provision the s390x Build Cluster infrastructure in IBM Cloud.

[k8s-ci-robot]

Welcome @sudharshanibm!

It looks like this is your first PR to kubernetes/k8s.io 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/k8s.io has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @sudharshanibm. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sudharshanibm
Once this PR has been reviewed and has the lgtm label, please assign upodroid for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• infra/ibmcloud/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bryantbiggs]

this is not very declarative - is this truly required or can the verification be run as a one-off by someone? do we expect things to not be setup correct via Terraform (i.e. - verification here fails) periodically or at all? (if so - that seems problematic and who or what is intended to fix that 😅 )

[sudharshanibm]

The bastion instance’s initial setup and networking configuration are handled through a cloud-init script in user_data. Runtime verification of the bastion’s internal state is treated as an operational concern, and can be performed outside of Terraform via automation/manual checks.

[bryantbiggs]

can we use an improved alternate terminology? main, primary, control-plane?

[sudharshanibm]

updated all occurrences of master to control-plane

[bryantbiggs]

the use of k8s-* throughout the file names, resource names, etc. seems to be redundant (i.e. - its defined in a K8s repo/org so its assumed to be for K8s, no need to re-state that in the names)

[sudharshanibm]

Hi @bryantbiggs , thanks for pointing that out
I followed the same naming convention since the existing s390x setup is already connected to ArgoCD with k8s-* prefixed names (ref: #8332 ).

[bryantbiggs]

the names should be viewed as a hierarchy level just below the resource type, but read together. so ibm_is_lb.k8s_load_balancer is essentially IBM load balancer - Kubernetes load balancer

what about something shorter and more descriptive public (ibm_is.lb.public)?

[sudharshanibm]

Updated k8s_load_balancer to public

[bryantbiggs]

again, the name is very redundant. Its in a K8s repo, is this infrastructure deployed in an account that hosts resources for things outside of K8s? If yes = fine, keep the k8s, if not, drop it. Also, the resource is a load balancer so no need to add that to the name (my name is Bryant Biggs not Bryant Biggs human 😅 ). Lastly, I assume this is only for testing on s390x platforms so is that adding anything to the name? Maybe it is, maybe it isn't - I don't have enough context to say. But what about something more descriptive as to its intent and aligned with resources already defined in the repo

k8s.io/infra/aws/terraform/kops-infra-ci/locals.tf

Line 19 in 384da9f

kops-infra-ci-name = "kops-infra-ci"

what about s390x-ci? or if you desire the full name k8s-s390x-ci?

[bryantbiggs]

Note: this same thinking above applies throughout the change set

[sudharshanibm]

updated k8s-s390x-lb to k8s-s390x-ci

[bryantbiggs]

6443 appears in a number of places - good chance it should be a local variable to avoid mis-matches

[sudharshanibm]

refactored to use a variable api_server_port (default 6443)

[bryantbiggs]

Suggested change

	data "ibm_is_security_group" "bastion_sg" {
	data "ibm_is_security_group" "bastion" {

Security group is already in the resource type - don't repeat in the resource name

[sudharshanibm]

I already have resource ibm_is_instance bastion defined in bastion.tf, so reusing bastion here would cause a naming conflict

[bryantbiggs]

no - thats a different resource from this data source so no conflict

[sudharshanibm]

renamed bastion_sg --> bastion

[bryantbiggs]

this should be a for_each so that we avoid amplifying disruptions

[sudharshanibm]

updated the control-plane to use for_each in nodes.tf

[bryantbiggs]

should this be a variable?

[sudharshanibm]

Removed the variable, Thanks!

[bryantbiggs]

should this be a variable?

[sudharshanibm]

bastion now generated in locals

[bryantbiggs]

should this be a variable?

[sudharshanibm]

control-plane now generated in locals

[bryantbiggs]

should this be a variable?

[sudharshanibm]

compute now generated in locals

[bryantbiggs]

variables are mostly used in modules - I would argue, are these required? Should they be local variables instead (if they are used in multiple places but not intended to be configured dynamically outside of whats stored in git)?

[sudharshanibm]

In this case, these values are intended to be configurable by automation (Ansible playbooks) rather than hard-coded in the repo

[bryantbiggs]

ansible to deploy Terraform - why?

[sudharshanibm]

Thanks for circling back on this. I realize my earlier explanation may have caused some confusion. What I meant is that while we do have downstream automation that consumes certain outputs for cluster setup, that doesn’t mean all of the Terraform configuration itself needs to be exposed as variables.

After revisiting your feedback, I’ve updated the code so that only true external inputs like API key, region, secrets manager ID, counts, profiles, etc., remain as variables. The structured definitions for bastion, control-plane, and compute nodes are now generated in locals, which keeps the interface cleaner and avoids over-exposing internal implementation details

[bryantbiggs]

likewise, use for_each

[sudharshanibm]

updated the compute to use for_each in nodes.tf

[bryantbiggs]

this doesn't appear to be doing anything - can it be removed?

[bryantbiggs]

outputs are intended to be consumed elsewhere - are all of these intended to be consumed somewhere else?

[sudharshanibm]

Yes, these outputs are consumed in our Ansible automation for installing Kubernetes. Specifically, the IPs and load balancer hostname are passed into the Ansible playbook ansible-playbook -v -i examples/k8s-build-cluster/hosts.yml install-k8s-ha.yaml -e @group_vars/bastion_configuration --extra-vars @group_vars/all to configure the bastion, control-plane, and worker nodes.

[bryantbiggs]

using what modules?

[sudharshanibm]

updated the README to explicitly list the modules being used vpc, secrets_manager and resource_group

[bryantbiggs]

we should use AWS IAM roles for state access - the use of secrets like this is bound to end up getting committed at some point. Plus sharing static secrets is not good either, no auditability

[sudharshanibm]

removed access_key and secret_key from versions.tf, instead it picks up HMAC credentials from environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

[bryantbiggs]

why -reconfigure? should this be -upgrade?

[bryantbiggs]

can we get around this? if we are using an AWS IAM role for statefile access, can we place the API key in an AWS SSM parameter or SecretManager secret and dynamically fetch that API Key via Terraform? Goal is to improve reproducibility, reduce sharing of static secrets, improve auditability, and make secret rotation painless

[sudharshanibm]

Agreed that dynamically fetching the IBM Cloud API key from a secret manager would be ideal for auditability and rotation. However, in this setup the Terraform run creates the Secrets Manager itself, so the key must be provided upfront via var.tfvars or environment variable

[bryantbiggs]

tfvars or variables.tf should not be required here in my opinion - just define the configuration plainly, its not a module

[sudharshanibm]

You’re right, since this isn’t a module, ideally we wouldn’t require variables.tf or var.tfvars. however in this setup the TF run creates the Secrets Manager itself, so we need the IBM Cloud API key upfront to provision that resource.
For now, the key must be provided via var.tfvars or environment variable.

[bryantbiggs]

for what purpose?

[sudharshanibm]

these outputs are used by our ansible automation to install k8s. The IPs and load balancer hostname from Terraform are passed into the playbook (install-k8s-ha.yaml) to configure the bastion, control plane, and worker nodes

[bryantbiggs]

single resource modules are no bueno - just use the resource as is in the configuration

[sudharshanibm]

removed the resource_group module and now define ibm_resource_group directly in main.tf.
the other modules secrets_manager and vpc consume its ID from there

[bryantbiggs]

no no no - declarative. Terraform should not be treated as "if this else that". its just "do this"

[sudharshanibm]

refactored the code to make it fully declarative
the secrets manager resource is always created and downstream secrets reference it directly instead of using any conditional logic

[bryantbiggs]

well thats not nice! we should have the proper definition - description/type/default

[sudharshanibm]

Updated with description and type

[bryantbiggs]

we need the min required versions of Terraform and the provider

[sudharshanibm]

The minimum required versions are defined in versions.tf

[bryantbiggs]

??? who should adjust based on what CIDR - this is hard coded

[sudharshanibm]

Replaced hardcoded CIDR "10.243.0.0/24" with dynamic references to the actual subnet CIDR block: ibm_is_subnet.subnet.ipv4_cidr_block

[bryantbiggs]

this is not a module so shouldn't required variables.tf or outputs.tf

[sudharshanibm]

You’re right that this folder isn’t a reusable module in the TF sense. The reason I’ve added an outputs.tf here is because the k8s-s390x-infra-setup stage produces values secrets_manager_id that are explicitly required by the k8s-s390x-build-cluster stage.

as shown in the build-cluster README, we need to export this ID before running the cluster provisioning

[bryantbiggs]

don't copy paste across statefiles though - either refer to the state itself or use the AWS provider to refer to the value directly

[sudharshanibm]

yes, that makes sense
The intent was to make the secrets_manager_id available for the build-cluster stage, but I see your point about not copy-pasting state outputs manually.
I can switch this to use a terraform_remote_state data source so that the build-cluster config reads the value directly from the infra-setup state instead of requiring a manual export

[sudharshanibm]

Hi @bryantbiggs,
I removed outputs.tf and am not using terraform_remote_state because:

• the infra setup is one-time, while build-clusters are multiple, so each cluster creation shouldn’t depend on the infra state.
• to avoid state coupling, there’s no need to copy outputs or access remote state, keeping configs independent.

Also, the README has been updated with clear steps to retrieve the Secrets Manager GUID and export it as a Terraform variable for cluster provisioning.

I’d be happy to hear your suggestions or feedback on this approach.

[bryantbiggs]

min required versions of Terraform and providers

[sudharshanibm]

The minimum required versions are defined in versions.tf

[bryantbiggs]

why 3 copies of the same provider if their configurations are all the same? typically aliased providers are required if you are deploying resources into multiple regions or multiple accounts but these are all using the same API key and region

[sudharshanibm]

removed the duplicate provider blocks

[bryantbiggs]

this is still susceptible to the issues created by using index based resource creation (i.e. like count). any disruption to the first bastion will cause all instances to be replaced

[sudharshanibm]

thanks for pointing this out. I’ve updated the code to replace the count/range style with a for_each over a map of bastion nodes

using named keys (primary, secondary, ...) now tracks bastions by stable identifiers rather than by index.
if one bastion is changed/removed only that resource is affected instead of forcing all to be recreated

right now I’ve defined a single primary bastion but the pattern allows adding more bastions safely just by extending the map