Uploaded image for project: 'OpenShift Installer'
  1. OpenShift Installer
  2. CORS-2829

Enable non-Terraform Infra Providers

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Done
    • Icon: Critical Critical
    • openshift-4.15
    • None
    • None
    • None
    • Enable non-TF Infra Providers
    • Strategic Product Work
    • False
    • None
    • False
    • Green
    • Done
    • OCPSTRAT-912 - Enable AWS Install for ROSA with Terraform-Free Image
    • OCPSTRAT-912Enable AWS Install for ROSA with Terraform-Free Image
    • 0% To Do, 0% In Progress, 100% Done
    • Hide

      11/20: Dev complete. Now that this is done, the next step is to test HIVE-2343.

      11/2: All remaining PRs to complete this epic are in code review.

      Show
      11/20: Dev complete. Now that this is done, the next step is to test HIVE-2343 . 11/2: All remaining PRs to complete this epic are in code review.

      Epic Goal

      • Enact a strategy to comply with license changes around Terraform and handle any CVEs that may arise (within Terraform) during the process of replacing Terraform.

       

      Two major parts:

      1. Get AWS off Terraform (for ROSA)
      2. Strategy for all other platforms that stay on terraform

      Why is this important?

      • Hashicorp will continue to backport CVE fixes to MPL versions of Terraform through the end of 2023. After that period, we will not be able to address any CVEs within Terraform through upgrades. This epic provides a strategy to use until we can remove Terraform entirely from the product.

      Scenarios

      1. AWS: due to FedRamp compliance within ROSA, will need to fix any medium CVE–exploitable or not.
      2. Backporting (see open questions)

      Acceptance Criteria

      • AWS platform must be able to fix all medium CVEs, regardless of whether they are exploitable
      • All other platforms must be able to handle CVEs based on our normal practices
      • ...

      Dependencies (internal and external)

      1. If we decide to produce a ROSA-specific build (as expected), ROSA and Hive will need to be able to consume a separate installer binary.

      Previous Work (Optional):

      1.  

      Open questions::

      1. Priority of backporting CVE fixes
      2. Can we get more concrete about standards for fixing CVEs
      3. What would managing our own Terraform fork entail
      4. Can we remove the alibaba provider? This would be helpful to decrease vulnerabilities.

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            padillon Patrick Dillon
            padillon Patrick Dillon
            Yunfei Jiang Yunfei Jiang
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: