{"id":44823713,"url":"https://github.com/supernovae/rosa-tf","last_synced_at":"2026-02-16T21:02:05.474Z","repository":{"id":336904340,"uuid":"1145517440","full_name":"supernovae/rosa-tf","owner":"supernovae","description":"Commercial \u0026 GovCloud Terraform for ROSA HCP and ROSA Classic","archived":false,"fork":false,"pushed_at":"2026-02-13T23:05:12.000Z","size":691,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-14T02:21:45.976Z","etag":null,"topics":["aws","commercial","fedramp","govcloud","kubernetes","kubernetes-deployment","openshift","redhat","rosa","terraform"],"latest_commit_sha":null,"homepage":"https://redhat.com","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/supernovae.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"docs/SECURITY-GROUPS.md","support":null,"governance":null,"roadmap":"docs/ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-29T22:09:03.000Z","updated_at":"2026-02-13T23:05:15.000Z","dependencies_parsed_at":"2026-02-16T21:01:25.101Z","dependency_job_id":null,"html_url":"https://github.com/supernovae/rosa-tf","commit_stats":null,"previous_names":["supernovae/rosa-tf"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/supernovae/rosa-tf","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/supernovae%2Frosa-tf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/supernovae%2Frosa-tf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/supernovae%2Frosa-tf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/supernovae%2Frosa-tf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/supernovae","download_url":"https://codeload.github.com/supernovae/rosa-tf/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/supernovae%2Frosa-tf/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29518594,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-16T18:37:19.720Z","status":"ssl_error","status_checked_at":"2026-02-16T18:36:46.920Z","response_time":115,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","commercial","fedramp","govcloud","kubernetes","kubernetes-deployment","openshift","redhat","rosa","terraform"],"created_at":"2026-02-16T21:01:19.197Z","updated_at":"2026-02-16T21:02:05.465Z","avatar_url":"https://github.com/supernovae.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ROSA Terraform - Multi-Environment Framework\n\n\u003c!-- Versioning --\u003e\n[![Latest Tag](https://img.shields.io/github/v/tag/supernovae/rosa-tf)](https://github.com/supernovae/rosa-tf/tags)\n[![Latest Release](https://img.shields.io/github/release/supernovae/rosa-tf)](https://github.com/supernovae/rosa-tf/releases)\n\n\u003c!-- Terraform \u0026 ROSA --\u003e\n![Terraform Version](https://img.shields.io/badge/Terraform-%3E%3D%201.6-623CE4?logo=terraform)\n![AWS Provider](https://img.shields.io/badge/AWS%20Provider-%3E%3D%205.0-orange?logo=amazon-aws)\n![ROSA](https://img.shields.io/badge/ROSA-HCP%20%7C%20Classic-red?logo=red-hat)\n\n\u003c!-- Security Posture --\u003e\n![Trivy IaC](https://img.shields.io/badge/Trivy-IaC%20Scanning-blue?logo=aqua)\n[![Security Checks](https://github.com/supernovae/rosa-tf/actions/workflows/security.yml/badge.svg)](https://github.com/supernovae/rosa-tf/actions/workflows/security.yml)\n[![Dependabot](https://img.shields.io/badge/Dependabot-enabled-brightgreen?logo=dependabot)](https://github.com/supernovae/rosa-tf/security)\n\n\u003c!-- GovCloud \u0026 Compliance Signals --\u003e\n[![GovCloud Safe](https://img.shields.io/badge/GovCloud-Safe-success)](docs/FEDRAMP.md)\n[![Reproducible Builds](https://img.shields.io/badge/Reproducible-Builds-blue)](docs/FEDRAMP.md#vendor-terraform-providers)\n[![Telemetry Disabled](https://img.shields.io/badge/Telemetry-Disabled-lightgrey)](docs/FEDRAMP.md#disable-terraform-telemetry)\n\n\u003c!-- CI --\u003e\n[![Release Workflow](https://github.com/supernovae/rosa-tf/actions/workflows/release.yml/badge.svg)](https://github.com/supernovae/rosa-tf/actions/workflows/release.yml)\n\nDeploy Red Hat OpenShift Service on AWS (ROSA) across Commercial and GovCloud environments with Classic or Hosted Control Plane (HCP) cluster types.\n\n## Getting Started\n\n```bash\n# Clone the repository\ngit clone https://github.com/supernovae/rosa-tf.git\ncd rosa-tf\n\n# Checkout the latest tagged release (recommended for production)\ngit checkout $(git describe --tags --abbrev=0)\n```\n\n\u003e **Tip:** Pin to a tagged release for stability. Check [Releases](https://github.com/supernovae/rosa-tf/releases) for the latest version. Use `git tag -l` to list available tags, or pin a specific version with `git checkout v1.1.0`.\n\n## Quick Start\n\n### Prerequisites Setup (Required for All Environments)\n\nBefore deploying any cluster, complete these steps:\n\n**1. AWS Login**\n```bash\n# Commercial AWS\naws configure\n# Or use SSO\naws sso login --profile your-profile\n\n# GovCloud\naws configure --profile govcloud\nexport AWS_PROFILE=govcloud\n```\n\n**2. Set AWS Region**\n```bash\n# Commercial\nexport AWS_REGION=us-east-1          # or us-west-2, etc.\n\n# GovCloud\nexport AWS_REGION=us-gov-west-1      # or us-gov-east-1\n```\n\n\u003e **Note:** The `aws_region` is set in your `.tfvars` file, not via environment variable. The `AWS_REGION` export above is for the AWS CLI and ROSA CLI only.\n\n**3. ROSA Login**\n```bash\n# Commercial\nrosa login --use-auth-code\n\n# GovCloud\nrosa login --govcloud --token=\"\u003cyour_token_from_console.openshiftusgov.com_here\u003e\"\n```\n\n**4. Set RHCS Authentication**\n\n**Commercial AWS** -- uses service account (client ID + client secret):\n\n1. Create a service account at [console.redhat.com/iam/service-accounts](https://console.redhat.com/iam/service-accounts)\n2. Assign **OpenShift Cluster Manager** permissions at [console.redhat.com/iam/user-access/users](https://console.redhat.com/iam/user-access/users)\n3. Save the client secret immediately -- it is only shown once\n\n```bash\nexport TF_VAR_rhcs_client_id=\"your-client-id\"\nexport TF_VAR_rhcs_client_secret=\"your-client-secret\"\n```\n\n\u003e **Note:** The offline OCM token is deprecated for commercial cloud. Service accounts are the recommended method for workstation and CI/CD use.\n\n**GovCloud** -- uses offline OCM token:\n\n```bash\n# Get token from: https://console.openshiftusgov.com/openshift/token\nexport TF_VAR_ocm_token=\"your-offline-token-here\"\n\n# Clear any conflicting environment variables\nunset RHCS_TOKEN RHCS_URL\n```\n\n**5. Verify Setup**\n```bash\naws sts get-caller-identity\nrosa whoami\nrosa verify quota\n```\n\n### HCP Account Roles (Required Before HCP Clusters)\n\n\u003e **Skip this section** if deploying Classic clusters only.\n\nHCP clusters require **account-level IAM roles** that are shared across all HCP clusters in an AWS account. These must exist **before** deploying your first HCP cluster.\n\n**Option A: Use Terraform (Recommended - manage roles as code)**\n```bash\ncd environments/account-hcp\n\n# Commercial AWS\nterraform init\nterraform apply -var-file=commercial.tfvars\n\n# GovCloud\nterraform apply -var-file=govcloud.tfvars\n```\n\n**Option B: Use ROSA CLI**\n```bash\n# Commercial\nrosa create account-roles --hosted-cp --mode auto\n\n# GovCloud  \nrosa create account-roles --hosted-cp --mode auto\n```\n\n\u003e **Note:** Unlike Classic clusters (where IAM roles are created/destroyed with each cluster), HCP account roles persist independently and are reused across clusters. See [IAM Lifecycle Management](docs/IAM-LIFECYCLE.md) for details.\n\n### Deploy Classic Clusters\n\n```bash\n# Commercial Classic\ncd environments/commercial-classic\nterraform init\nterraform plan  -var-file=cluster-dev.tfvars\nterraform apply -var-file=cluster-dev.tfvars\n\n# GovCloud Classic (FedRAMP)\ncd environments/govcloud-classic\nterraform init\nterraform plan  -var-file=cluster-dev.tfvars\nterraform apply -var-file=cluster-dev.tfvars\n```\n\n### Deploy HCP Clusters\n\n\u003e **Prerequisite:** Complete [HCP Account Roles](#hcp-account-roles-required-before-hcp-clusters) setup first.\n\n```bash\n# Commercial HCP (~15 min provisioning)\ncd environments/commercial-hcp\nterraform init\nterraform plan  -var-file=cluster-dev.tfvars\nterraform apply -var-file=cluster-dev.tfvars\n\n# GovCloud HCP (FedRAMP)\ncd environments/govcloud-hcp\nterraform init\nterraform plan  -var-file=cluster-dev.tfvars\nterraform apply -var-file=cluster-dev.tfvars\n```\n\nIf account roles are missing, Terraform will detect this and show instructions to create them.\n\n## Environments\n\n| Environment | Type | Security | Guide |\n|-------------|------|----------|-------|\n| [commercial-classic](environments/commercial-classic/) | Classic | Configurable | [README](environments/commercial-classic/README.md) |\n| [commercial-hcp](environments/commercial-hcp/) | HCP | Configurable | [README](environments/commercial-hcp/README.md) |\n| [govcloud-classic](environments/govcloud-classic/) | Classic | FIPS, Private, KMS mandatory | [README](environments/govcloud-classic/README.md) |\n| [govcloud-hcp](environments/govcloud-hcp/) | HCP | FIPS, Private, KMS mandatory | [README](environments/govcloud-hcp/README.md) |\n\nEach environment includes split tfvars for the two-phase deployment pattern:\n- `cluster-dev.tfvars` / `cluster-prod.tfvars` -- Phase 1: cluster provisioning (`install_gitops = false`)\n- `gitops-dev.tfvars` / `gitops-prod.tfvars` -- Phase 2: GitOps overlay (`install_gitops = true`, stacked on top of cluster tfvars)\n\n## Regional Limitations\n\nSome AWS regions have limited availability zone support which affects ROSA deployment options:\n\n| Region | AZs | Classic Single-AZ | Classic Multi-AZ | HCP Single-AZ | HCP Multi-AZ |\n|--------|-----|-------------------|------------------|---------------|--------------|\n| us-east-1, us-west-2 | 4+ | ✅ | ✅ | ✅ | ✅ |\n| us-east-2, eu-west-1 | 3 | ✅ | ✅ | ✅ | ✅ |\n| **us-west-1** | **2** | ✅ | ❌ | ❌ | ❌ |\n| us-gov-west-1 | 3 | ✅ | ✅ | ✅ | ✅ |\n| us-gov-east-1 | 3 | ✅ | ✅ | ✅ | ✅ |\n\n**Notes:**\n- **Multi-AZ requires 3+ AZs** for proper control plane and worker distribution\n- **us-west-1**: HCP is NOT available (no ETA); use Classic single-AZ only\n- AZs like `us-east-1e` are auto-filtered (don't support NAT Gateway/common instance types)\n\nIf you attempt an unsupported deployment, Terraform will show a helpful error message with alternatives.\n\n## Classic vs HCP\n\n| Feature | Classic | HCP |\n|---------|---------|-----|\n| Control Plane | Customer nodes | Red Hat managed |\n| Provisioning | ~45 minutes | ~15 minutes |\n| IAM Policies | Customer managed | AWS managed |\n| Account Roles | 4 (cluster-scoped) | 3 (account-level, shared) |\n| IAM Lifecycle | Created/destroyed with cluster | Persist independently |\n| Spot Instances | ✅ Supported | ❌ Not supported |\n| Version Drift | Independent | Machine pools n-2 of CP |\n\n\u003e **HCP IAM Note:** HCP account roles must exist before deploying HCP clusters. See [HCP Account Roles](#hcp-account-roles-required-before-hcp-clusters).\n\n## GitOps Integration (Optional)\n\nThis framework includes optional GitOps integration for Day 2 operations via OpenShift GitOps (ArgoCD). GitOps layers are applied in a **separate phase** after cluster provisioning using stacked tfvars.\n\n**Key Principles:**\n- **Two-phase deployment**: Phase 1 creates the cluster (`cluster-*.tfvars`), Phase 2 applies GitOps layers (`gitops-*.tfvars` overlay)\n- **Infrastructure-focused**: Deploys cluster operators and platform services, not user workloads\n- **No secrets in GitOps**: Credentials and secrets are managed by Terraform/AWS, never in Git\n- **Native Terraform providers**: All Kubernetes resources are managed via `hashicorp/kubernetes` and `alekc/kubectl` -- no shell scripts or `local-exec`\n- **Dedicated Service Account**: A `terraform-operator` ServiceAccount with cluster-admin is created during Phase 2 for long-term state management\n\n**Included Layers:**\n- Web Terminal - Browser-based cluster access\n- OADP (Velero) - Backup/restore with Terraform-provisioned S3\n- OpenShift Virtualization - KubeVirt for VM workloads\n- Cert-Manager - Automated TLS with Let's Encrypt DNS01 + custom IngressController\n- Monitoring (Loki + Grafana) - Centralized log aggregation\n\nSee [Deployment](#deployment) for the two-phase workflow, or the full **[GitOps Documentation](gitops-layers/README.md)** for architecture, layer details, and customization.\n\n## Repository Structure\n\n```\n├── environments/\n│   ├── account-hcp/             # HCP account-level IAM roles\n│   ├── commercial-classic/      # AWS Commercial + Classic\n│   ├── commercial-hcp/          # AWS Commercial + HCP\n│   ├── govcloud-classic/        # GovCloud + Classic (FedRAMP)\n│   └── govcloud-hcp/            # GovCloud + HCP (FedRAMP)\n│       ├── cluster-dev.tfvars   # Phase 1: cluster provisioning\n│       ├── gitops-dev.tfvars    # Phase 2: GitOps overlay\n│       ├── cluster-prod.tfvars  # Phase 1: production cluster\n│       └── gitops-prod.tfvars   # Phase 2: production GitOps\n│\n├── modules/\n│   ├── networking/              # VPC, Jump Host, Client VPN\n│   ├── security/                # KMS, IAM (Classic + HCP)\n│   ├── cluster/                 # ROSA clusters, Machine Pools\n│   └── gitops-layers/           # Day 2 operations (native providers)\n│       ├── operator/            # Kubernetes manifests (kubectl_manifest)\n│       ├── certmanager/         # IAM + Route53 for cert-manager\n│       ├── oadp/                # IAM + S3 for Velero backups\n│       ├── monitoring/          # IAM + S3 for Loki log storage\n│       └── virtualization/      # Resource configuration\n│\n├── gitops-layers/layers/        # YAML templates for kubectl_manifest\n└── docs/                        # Operations, FedRAMP, Roadmap\n```\n\n## Prerequisites\n\n**Required:**\n- [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli) \u003e= 1.6\n- [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) v2\n- [ROSA CLI](https://docs.openshift.com/rosa/cli_reference/rosa_cli/rosa-get-started-cli.html) \u003e= 1.2.39\n- [OpenShift CLI (oc)](https://docs.openshift.com/rosa/cli_reference/openshift_cli/getting-started-cli.html) -- for cluster access and verification\n\n\u003e **Note:** GitOps layers use native Terraform providers (`kubernetes`, `kubectl`) and do not require `jq`, `curl`, or shell scripts.\n\n## RHCS Authentication\n\n**Never store credentials in Terraform files or version control.**\n\n### Commercial AWS (Service Accounts)\n\nCommercial environments use RHCS service accounts for authentication. Service account credentials do not expire, making them ideal for CI/CD pipelines and automation.\n\nIf you see authentication errors during `terraform plan` or `apply`:\n1. Verify your service account exists at [console.redhat.com/iam/service-accounts](https://console.redhat.com/iam/service-accounts)\n2. Verify it has **OpenShift Cluster Manager** permissions\n3. If the secret was lost, delete and recreate the service account\n\n```bash\n# Set credentials\nexport TF_VAR_rhcs_client_id=\"your-client-id\"\nexport TF_VAR_rhcs_client_secret=\"your-client-secret\"\n\n# Re-login to ROSA CLI\nrosa login --use-auth-code\n```\n\n### GovCloud (Offline Token)\n\nGovCloud environments continue to use offline OCM tokens. Tokens expire periodically and must be refreshed.\n\n```bash\n# Refresh token from: https://console.openshiftusgov.com/openshift/token\nexport TF_VAR_ocm_token=\"your-new-token\"\n\n# Clear conflicting variables\nunset RHCS_TOKEN RHCS_URL\n\n# Re-login to ROSA CLI\nrosa login --govcloud --token=\"\u003cyour_token_from_console.openshiftusgov.com_here\u003e\"\n```\n\n## Deployment\n\n### Phase 1: Create a Cluster\n\n```bash\ncd environments/\u003cenvironment\u003e\n\n# Development (single-AZ, cost-optimized)\nterraform init\nterraform plan  -var-file=cluster-dev.tfvars\nterraform apply -var-file=cluster-dev.tfvars\n\n# Production (multi-AZ, HA)\nterraform plan  -var-file=cluster-prod.tfvars\nterraform apply -var-file=cluster-prod.tfvars\n```\n\n### Phase 2: Apply GitOps Layers (Optional)\n\nAfter the cluster is provisioned, apply the GitOps overlay by stacking both tfvars files. The gitops tfvars sets `install_gitops = true` and enables layers.\n\n```bash\n# Development\nterraform plan  -var-file=cluster-dev.tfvars -var-file=gitops-dev.tfvars\nterraform apply -var-file=cluster-dev.tfvars -var-file=gitops-dev.tfvars\n\n# Production\nterraform plan  -var-file=cluster-prod.tfvars -var-file=gitops-prod.tfvars\nterraform apply -var-file=cluster-prod.tfvars -var-file=gitops-prod.tfvars\n```\n\n\u003e **Note:** The gitops tfvars overrides `install_gitops = true` and layer flags on top of the cluster tfvars. Both files must be passed together so all cluster configuration remains consistent. See [Operations Guide](docs/OPERATIONS.md) for full details.\n\n### Access Private Clusters\n\nPrivate clusters (all GovCloud, prod Commercial) require VPN or jump host access.\n\n**Jump Host (SSM) - Included by default:**\n```bash\naws ssm start-session --target $(terraform output -raw jumphost_instance_id)\n\n# From jump host\noc login $(terraform output -raw cluster_api_url) \\\n  -u cluster-admin \\\n  -p $(terraform output -raw cluster_admin_password)\n```\n\n**Client VPN - Optional:**\n```bash\n# Enable in tfvars\ncreate_client_vpn = true\n\n# Apply then download config\nterraform apply -var-file=prod.tfvars\naws ec2 export-client-vpn-client-configuration \\\n  --client-vpn-endpoint-id $(terraform output -raw vpn_endpoint_id) \\\n  --output text \u003e vpn-config.ovpn\n```\n\n### Destroy a Cluster\n\nIf GitOps layers were applied (Phase 2), destroy with both tfvars so the Kubernetes provider has the real API URL:\n\n```bash\ncd environments/\u003cenvironment\u003e\nterraform destroy -var-file=cluster-dev.tfvars -var-file=gitops-dev.tfvars\n```\n\nIf GitOps was **never applied**, destroy with just the cluster tfvars:\n\n```bash\nterraform destroy -var-file=cluster-dev.tfvars\n```\n\n\u003e **Note:** All GitOps resources (SA, CRBs, namespaces) are fully deletable -- no manual `state rm` steps needed. The `rosa-terraform` namespace and `openshift-gitops` are both allowed by ROSA's webhook. To remove individual layers while keeping the cluster, disable them in the gitops tfvars and re-apply. See [Operations Guide](docs/OPERATIONS.md) for details.\n\n## Features\n\n| Feature | Description |\n|---------|-------------|\n| **VPC** | Multi-AZ with NAT/TGW/Proxy egress options |\n| **IAM** | Account roles, operator roles, OIDC provider |\n| **KMS** | Three modes: provider-managed, create, or existing |\n| **Jump Host** | SSM-enabled EC2 for private cluster access |\n| **Client VPN** | Optional OpenVPN-compatible VPN |\n| **Machine Pools** | GPU, high memory, spot instances (Classic) |\n| **GitOps Layers** | Day 2 operations via ArgoCD |\n\n## KMS Encryption Modes\n\nTwo separate KMS keys with **strict separation** for blast radius containment:\n\n| Key | Purpose | Used For |\n|-----|---------|----------|\n| **Cluster KMS** | ROSA resources ONLY | Worker EBS, etcd encryption |\n| **Infrastructure KMS** | Non-ROSA resources ONLY | Jump host, CloudWatch, S3/OADP, VPN |\n\n### Mode Options\n\n| Mode | Commercial | GovCloud | Description |\n|------|------------|----------|-------------|\n| `provider_managed` | ✅ DEFAULT | ❌ | AWS managed `aws/ebs` key |\n| `create` | ✅ | ✅ DEFAULT | Terraform creates customer-managed key |\n| `existing` | ✅ | ✅ | Use your own KMS key ARN |\n\n\u003e **⚠️ FedRAMP Compliance Warning**\n\u003e\n\u003e In GovCloud, this module defaults to customer-managed KMS keys to align with FedRAMP Moderate/High expectations.\n\u003e Supplying an AWS-managed key (e.g., `aws/ebs`) may not satisfy FedRAMP key-management controls.\n\u003e If you choose to do so, you are responsible for documenting and justifying compliance exceptions with your 3PAO.\n\n### Commercial Configuration\n\n```hcl\n# dev.tfvars - Use AWS default encryption (simplest)\ncluster_kms_mode = \"provider_managed\"\ninfra_kms_mode   = \"provider_managed\"\netcd_encryption  = false\n\n# prod.tfvars - Customer-managed keys\ncluster_kms_mode = \"create\"\ninfra_kms_mode   = \"create\"\netcd_encryption  = true\n```\n\n### GovCloud Configuration\n\n```hcl\n# All GovCloud environments - Customer-managed required\ncluster_kms_mode = \"create\"  # or \"existing\" with your key ARN\ninfra_kms_mode   = \"create\"  # or \"existing\" with your key ARN\netcd_encryption  = true\n```\n\n\n### Bring Your Own Key\n\n```hcl\n# Use existing keys from centralized key management\ncluster_kms_mode    = \"existing\"\ncluster_kms_key_arn = \"arn:aws:kms:us-east-1:123456789012:key/...\"\n\ninfra_kms_mode    = \"existing\"\ninfra_kms_key_arn = \"arn:aws:kms:us-east-1:123456789012:key/...\"\n```\n\n### Key Separation Benefits\n\n- **Blast radius containment**: Cluster key compromise doesn't affect infrastructure\n- **Independent rotation**: Different rotation policies for each key\n- **Simplified audit**: Clear separation in CloudTrail logs\n- **Compliance**: Meets FedRAMP and security framework requirements\n\n## Cost Estimates\n\n### ROSA Classic Architecture\n\nClassic clusters run control plane and infrastructure nodes in your account:\n\n| Configuration | Control Plane | Infra Nodes | Workers | Total Nodes |\n|---------------|---------------|-------------|---------|-------------|\n| Single-AZ (dev) | 3x m6i.xlarge | 2x r5.xlarge | 2x m6i.xlarge | **7 nodes** |\n| Multi-AZ (prod) | 3x m6i.xlarge | 3x r5.xlarge | 3x m6i.xlarge | **9 nodes** |\n\n**Classic Single-AZ Cost Breakdown (~$1,100/mo):**\n| Component | Instances | Cost |\n|-----------|-----------|------|\n| Control Plane | 3x m6i.xlarge | ~$420/mo |\n| Infra Nodes | 2x r5.xlarge | ~$370/mo |\n| Workers | 2x m6i.xlarge | ~$280/mo |\n| NAT Gateway | 1x | ~$35/mo |\n\n**Classic Multi-AZ Cost Breakdown (~$1,500/mo):**\n| Component | Instances | Cost |\n|-----------|-----------|------|\n| Control Plane | 3x m6i.xlarge | ~$420/mo |\n| Infra Nodes | 3x r5.xlarge | ~$550/mo |\n| Workers | 3x m6i.xlarge | ~$420/mo |\n| NAT Gateways | 3x (1 per AZ) | ~$100/mo |\n\n### ROSA HCP Architecture\n\nHCP control plane is always multi-AZ (managed by Red Hat). You only pay for worker nodes in your account.\n\n| Component | Default |\n|-----------|---------|\n| Control Plane | Red Hat managed (multi-AZ) |\n| Workers | 2x m6i.xlarge |\n| Total in Account | **2 nodes** |\n\n**HCP Default Cost Breakdown (~$440/mo):**\n| Component | Cost |\n|-----------|------|\n| HCP Control Plane Fee | ~$125/mo |\n| Workers (2x m6i.xlarge) | ~$280/mo |\n| NAT Gateway | ~$35/mo |\n\n\u003e **Note:** Scale workers based on workload needs. Add NAT gateways for multi-AZ VPC (~$65/mo more).\n\n### Summary\n\n| Architecture | Classic (Single-AZ) | Classic (Multi-AZ) | HCP |\n|--------------|---------------------|--------------------|----|\n| Nodes in Account | 7 | 9 | **2** |\n| Monthly Cost | ~$1,100 | ~$1,500 | **~$440** |\n| Savings vs Classic | — | — | **60-70%** |\n\n\u003e **Note:** HCP is significantly cheaper due to no control plane or infra nodes in your account.\n\u003e Prices based on us-east-1 on-demand rates. Excludes data transfer, additional machine pools, EBS storage, and VPN costs (~$116/mo if enabled).\n\n## Documentation\n\n| Document | Description |\n|----------|-------------|\n| [Operations Guide](docs/OPERATIONS.md) | Day-to-day operations, troubleshooting, credentials |\n| [FedRAMP Guide](docs/FEDRAMP.md) | FedRAMP deployment, telemetry, provider vendoring |\n| [Security Scanning](docs/SECURITY.md) | Security tools, skipped checks, compliance notes |\n| [Roadmap](docs/ROADMAP.md) | Feature status and planned work |\n| [Client VPN](modules/networking/client-vpn/README.md) | VPN setup and costs |\n| [Machine Pools (Classic)](modules/cluster/machine-pools/README.md) | GPU, spot, autoscaling |\n| [Machine Pools (HCP)](modules/cluster/machine-pools-hcp/README.md) | HCP-specific pools |\n| [GitOps Layers](gitops-layers/README.md) | Day 2 operations |\n\n## Security\n\n### Pre-commit Hooks\n\n```bash\npip install pre-commit\npre-commit install\npre-commit run --all-files\n```\n\n### Security Scanning\n\n```bash\nmake security  # Runs checkov, trivy, shellcheck, gitleaks\n```\n\n## Contributing\n\n1. Fork the repository\n2. Create a feature branch from `main`\n3. Run `make test` (lint, security, validate)\n4. Submit a pull request\n\nSee [CONTRIBUTING.md](docs/CONTRIBUTING.md) for detailed guidelines.\n\n## License\n\nApache 2.0 - See [LICENSE](LICENSE) for details.\n\n## References\n\n- [ROSA Documentation](https://docs.openshift.com/rosa/welcome/index.html)\n- [ROSA GovCloud Guide](https://cloud.redhat.com/experts/rosa/rosa-govcloud/)\n- [RHCS Terraform Provider](https://registry.terraform.io/providers/terraform-redhat/rhcs/latest)\n- [Commercial Console](https://console.redhat.com)\n- [GovCloud Console](https://console.openshiftusgov.com)\n\n---\n\n## Acknowledgments\n\nBuilt with ❤️ using [Cursor](https://cursor.sh/).\n\nThis project was developed with AI assistance. In accordance with Red Hat's [guidance on AI-assisted development](https://www.redhat.com/en/blog/ai-assisted-development-and-open-source-navigating-legal-issues), we disclose this to maintain transparency and trust within the open source community. All AI-generated contributions have been reviewed, tested, and validated by human maintainers.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsupernovae%2Frosa-tf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsupernovae%2Frosa-tf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsupernovae%2Frosa-tf/lists"}