terraform-ibm-modules · iamar7 · Aug 21, 2025
@@ -6,3 +6,7 @@ output "cluster_name" {
   value       = module.ocp_base.cluster_name
   description = "The name of the provisioned cluster."
 }
+
+output "data_block_ocp_version" {
+  value = module.ocp_base.data_source_external_ocp_version
+}
@@ -96,6 +96,18 @@ data "ibm_container_cluster_versions" "cluster_versions" {
   resource_group_id = var.resource_group_id
 }
 
+locals {
+  current_ocp_version = tonumber(data.external.get_ocp_cluster_version.result.ocp_version)
+}
+
+data "external" "get_ocp_cluster_version" {
+  program = ["bash", "${path.module}/scripts/get_ocp_cluster_version.sh"]
+
+  query = {
+    cluster_name = var.cluster_name
+  }
+}
+
 module "cos_instance" {
   count = var.enable_registry_storage && !var.use_existing_cos ? 1 : 0
 
@@ -153,7 +165,10 @@ resource "ibm_container_vpc_cluster" "cluster" {
   security_groups = local.cluster_security_groups
 
   lifecycle {
-    ignore_changes = [kube_version]
+    precondition {
+      condition     = local.current_ocp_version < 0 || local.ocp_version_num <= local.current_ocp_version || var.allow_kube_version_upgrade
+      error_message = "Kube version changes are disabled unless allow_kube_upgrade is set to true."
+    }
   }
 
   # default workers are mapped to the subnets that are "private"
@@ -224,7 +239,11 @@ resource "ibm_container_vpc_cluster" "autoscaling_cluster" {
   security_groups = local.cluster_security_groups
 
   lifecycle {
-    ignore_changes = [worker_count, kube_version]
+    ignore_changes = [worker_count]
+    precondition {
+      condition     = local.current_ocp_version < 0 || local.ocp_version_num <= local.current_ocp_version || var.allow_kube_version_upgrade
+      error_message = "Kube version changes are disabled unless allow_kube_upgrade is set to true."
+    }
   }
 
   # default workers are mapped to the subnets that are "private"

@@ -109,3 +109,7 @@ output "secrets_manager_integration_config" {
   description = "Information about the Secrets Manager instance that is used to store the Ingress certificates."
   value       = var.enable_secrets_manager_integration ? ibm_container_ingress_instance.instance[0] : null
 }
+
+output "data_source_external_ocp_version" {
+  value = tonumber(data.external.get_ocp_cluster_version.result.ocp_version)
+}
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+CLUSTER_NAME="$1"
+
+# Login with API key
+ibmcloud login --apikey "$IBMCLOUD_API_KEY" >/dev/null 2>&1
+
+# Search for the cluster
+OUTPUT=$(ibmcloud oc cluster get -c "$CLUSTER_NAME" 2>/dev/null)
+
+# Extract OCP version
+OCP_VERSION=$(echo "$OUTPUT" | grep -i "^Version:" | awk '{print $2}' | cut -d. -f1,2)
+
+# If nothing was found, return "0"
+if [ -z "$OCP_VERSION" ]; then
+  OCP_VERSION="-1"
+fi
+
+# Return the OCP version in JSON format
+echo "{ \"ocp_version\": \"${OCP_VERSION}\" }"
+
+exit 0
@@ -40,6 +40,12 @@ variable "vpc_subnets" {
   description = "Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster is created."
 }
 
+variable "allow_kube_version_upgrade" {
+  type        = bool
+  description = "Set to true to allow the module to upgrade the kube version of the cluster. If you wish to make any change to the kube version, set this variable to true."
+  default     = false
+}
+
 variable "allow_default_worker_pool_replacement" {
   type        = bool
   description = "(Advanced users) Set to true to allow the module to recreate a default worker pool. If you wish to make any change to the default worker pool which requires the re-creation of the default pool follow these [steps](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc?tab=readme-ov-file#important-considerations-for-terraform-and-default-worker-pool)."