diff --git a/ibm_catalog.json b/ibm_catalog.json
index 808b180..3f9ae48 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -236,6 +236,24 @@
 "description": "The CRN of an existing Secrets Manager instance to use in this solution. If not set, a new Secrets Manager instance is provisioned.",
 "required": false
 },
+ {
+ "key": "existing_secrets_endpoint_type",
+ "type": "string",
+ "default_value": "private",
+ "description": "The endpoint type to use if `existing_secrets_manager_crn` is specified.",
+ "required": false,
+ "options": [
+ {
+ "displayname": "public",
+ "value": "public"
+ },
+ {
+ "displayname": "private",
+ "value": "private"
+ }
+ ]
+
+ },
 {
 "key": "sm_service_plan",
 "type": "string",
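Review bot: The new `existing_secrets_endpoint_type` entry carries an empty line between `]` and `},` that no neighbouring entry in this file has; drop that blank line so the object reads like the rest of the list. The `options` array already restricts the value to `public`/`private`, so the entry needs nothing else.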
@@ -260,6 +278,42 @@
 "description": "Set this to true to to configure a Secrets Manager IAM credentials engine. If set to false, no IAM engine will be configured for your instance.",
 "required": false
 },
+ {
+ "key": "secret_manager_public_engine_enabled",
+ "type": "boolean",
+ "default_value": false,
+ "description": "Whether to configure a Secrets Manager public certificate engine for an existing Secrets Manager instance. If `false`, no public certificate engine is configured for your instance.",
+ "required": false
+ },
+ {
+ "key": "cis_id",
+ "type": "string",
+ "default_value": "__NULL__",
+ "description": "Cloud Internet Service ID. Required if `secret_manager_public_engine_enabled` is set to true.",
+ "required": false
+ },
+ {
+ "key": "ca_name",
+ "type": "string",
+ "default_value": "__NULL__",
+ "description": "The name of the certificate authority for Secrets Manager. Required if `secret_manager_public_engine_enabled` is set to true.",
+ "required": false
+ },
+ {
+ "key": "dns_provider_name",
+ "type": "string",
+ "default_value": "__NULL__",
+ "description": "The name of the DNS provider for the public certificate secrets engine configuration. Required if `secret_manager_public_engine_enabled` is set to true.",
+ "required": false
+ },
+ {
+ "key": "acme_letsencrypt_private_key",
+ "type": "string",
+ "default_value": "__NULL__",
+ "description": "The private key generated by the ACME protocol. For more information, see [Preparing to order public certificates](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-prepare-order-certificates).",
+ "required": false,
+ "sensitive": true
+ },
 {
 "key": "scc_service_plan",
 "type": "string",
diff --git a/stack_definition.json b/stack_definition.json
index 7e3bcca..9a7203f 100644
--- a/stack_definition.json
+++ b/stack_definition.json
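Review bot: The description of `secret_manager_public_engine_enabled` says the engine is configured "for an existing Secrets Manager instance", but the same change enables it in `TestProjectsFullTest` without setting `existing_secrets_manager_crn`, i.e. on a newly provisioned instance. Unless the engine really is limited to the existing-instance path, reword it to `"Whether to configure a Secrets Manager public certificate engine on the Secrets Manager instance used by this solution. If `false`, no public certificate engine is configured for your instance."`. The three `__NULL__` inputs are documented as required when the engine is enabled, but nothing in this file enforces that; if the Terraform variables do not validate the combination, a user who flips the flag and leaves them unset will only find out at apply time. Marking `acme_letsencrypt_private_key` as `sensitive` is the right call and should stay.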
@@ -84,7 +84,56 @@
 "required": false,
 "type": "boolean",
 "hidden": false,
- "default": false
+ "default": false,
+ "custom_config": {}
+ },
+ {
+ "name": "secret_manager_public_engine_enabled",
+ "required": false,
+ "type": "boolean",
+ "hidden": false,
+ "default": false,
+ "custom_config": {}
+ },
+ {
+ "name": "existing_secrets_endpoint_type",
+ "required": false,
+ "type": "string",
+ "hidden": false,
+ "default": "private",
+ "custom_config": {}
+ },
+ {
+ "name": "cis_id",
+ "required": false,
+ "type": "string",
+ "hidden": false,
+ "default": "__NULL__",
+ "custom_config": {}
+ },
+ {
+ "name": "ca_name",
+ "required": false,
+ "type": "string",
+ "hidden": false,
+ "default": "__NULL__",
+ "custom_config": {}
+ },
+ {
+ "name": "dns_provider_name",
+ "required": false,
+ "type": "string",
+ "hidden": false,
+ "default": "__NULL__",
+ "custom_config": {}
+ },
+ {
+ "name": "acme_letsencrypt_private_key",
+ "required": false,
+ "type": "string",
+ "hidden": true,
+ "default": "__NULL__",
+ "custom_config": {}
 }
 ],
 "members": [
@@ -325,10 +374,30 @@
 {
 "name": "service_plan",
 "value": "ref:../../inputs/sm_service_plan"
+ },
+ {
+ "name": "iam_engine_enabled",
+ "value": "ref:../../inputs/secret_manager_iam_engine_enabled"
+ },
+ {
+ "name": "public_engine_enabled",
+ "value": "ref:../../inputs/secret_manager_public_engine_enabled"
+ },
+ {
+ "name": "cis_id",
+ "value": "ref:../../inputs/cis_id"
+ },
+ {
+ "name": "ca_name",
+ "value": "ref:../../inputs/ca_name"
+ },
+ {
+ "name": "dns_provider_name",
+ "value": "ref:../../inputs/dns_provider_name"
 },
 {
- "name": "iam_engine_enabled",
- "value": "ref:../../inputs/secret_manager_iam_engine_enabled"
+ "name": "acme_letsencrypt_private_key",
+ "value": "ref:../../inputs/acme_letsencrypt_private_key"
 },
 {
 "name": "enable_event_notification",
diff --git a/tests/go.mod b/tests/go.mod
index f9ec128..d8103dc 100644
--- a/tests/go.mod
+++ b/tests/go.mod
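Review bot: `acme_letsencrypt_private_key` is declared `"hidden": true` in the first hunk, whereas ibm_catalog.json in this same change marks it `"sensitive": true`; hiding an input from the form is not the same as treating its value as a secret, so confirm the stack tooling does not echo hidden inputs in plan output, logs or the project UI, and add the equivalent sensitivity marker here if the schema has one. The second hunk wires `public_engine_enabled`, `cis_id`, `ca_name`, `dns_provider_name` and the ACME key into the Secrets Manager member, but `existing_secrets_endpoint_type`, added as an input in the first hunk, is not referenced in it; if no other member in the file consumes it, the input is dead and the default `"private"` never reaches the module.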
@@ -22,6 +22,7 @@ require (
 github.com/IBM/go-sdk-core/v5 v5.17.5 // indirect
 github.com/IBM/platform-services-go-sdk v0.69.0 // indirect
 github.com/IBM/project-go-sdk v0.3.0 // indirect
+ github.com/IBM/secrets-manager-go-sdk/v2 v2.0.4
 github.com/IBM/vpc-go-sdk v0.57.0 // indirect
 github.com/Microsoft/go-winio v0.6.1 // indirect
 github.com/agext/levenshtein v1.2.3 // indirect
diff --git a/tests/go.sum b/tests/go.sum
index cbe5b4d..21abcd6 100644
--- a/tests/go.sum
+++ b/tests/go.sum
@@ -199,6 +199,8 @@ github.com/IBM/platform-services-go-sdk v0.69.0 h1:SYpLydPWawyhfFxgDTAc5JqWHywkr
 github.com/IBM/platform-services-go-sdk v0.69.0/go.mod h1:6rYd3stLSnotYmZlxclw45EJPaQuLmh5f7c+Mg7rOg4=
 github.com/IBM/project-go-sdk v0.3.0 h1:lZR4wT6UCsOZ8QkEBITrfM6OZkLlL70/HXiPxF/Olt4=
 github.com/IBM/project-go-sdk v0.3.0/go.mod h1:FOJM9ihQV3EEAY6YigcWiTNfVCThtdY8bLC/nhQHFvo=
+github.com/IBM/secrets-manager-go-sdk/v2 v2.0.4 h1:xa9e+POVqaXxXHXkSMCOVAbKdUNEu86jQmo5hcpd+L4=
+github.com/IBM/secrets-manager-go-sdk/v2 v2.0.4/go.mod h1:5gq8D8uWOIbqOm1uztay6lpOysgJaxxEsaVZLWGWb40=
 github.com/IBM/vpc-go-sdk v0.57.0 h1:E8CPDpUE4z0cvvmFZzqUthMtGJx71Fne6vdvkjZdXfg=
 github.com/IBM/vpc-go-sdk v0.57.0/go.mod h1:swmxiYLT+OfBsBYqJWGeRd6NPmBk4u/het2PZdtzIaw=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
diff --git a/tests/pr_test.go b/tests/pr_test.go
index a1e92e4..63d916a 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -8,6 +8,8 @@ import (
 "strings"
 "testing"
 
+ "github.com/IBM/go-sdk-core/v5/core"
+ "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2"
 "github.com/gruntwork-io/terratest/modules/files"
 "github.com/gruntwork-io/terratest/modules/logger"
 "github.com/gruntwork-io/terratest/modules/random"
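Review bot: pr_test.go now imports `github.com/IBM/go-sdk-core/v5/core` directly, but tests/go.mod still lists `github.com/IBM/go-sdk-core/v5 v5.17.5 // indirect`, and the new `github.com/IBM/secrets-manager-go-sdk/v2 v2.0.4` line was placed inside the indirect require block. Running `go mod tidy` in tests/ would drop the stale `// indirect` marker and move the new direct dependency into the first require block, which keeps the manifest honest about what the test code links against.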
@@ -26,6 +28,8 @@ const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-res
 
 var permanentResources map[string]interface{}
 
+var acme_letsencrypt_private_key *string
+
 // Current supported regions (NOTE: eu-es is not being used as we don't have extended trial plan quota in that region currently)
 var validRegions = []string{
 "us-south",
@@ -36,6 +40,13 @@ func TestMain(m *testing.M) {
 // Read the YAML file contents
 var err error
 permanentResources, err = common.LoadMapFromYaml(yamlLocation)
+
+ acme_letsencrypt_private_key = GetSecretsManagerKey( // pragma: allowlist secret
+ permanentResources["acme_letsencrypt_private_key_sm_id"].(string),
+ permanentResources["acme_letsencrypt_private_key_sm_region"].(string),
+ permanentResources["acme_letsencrypt_private_key_secret_id"].(string),
+ )
+
 if err != nil {
 log.Fatal(err)
 }
@@ -45,6 +56,7 @@ func TestMain(m *testing.M) {
 
 func TestProjectsFullTest(t *testing.T) {
 t.Parallel()
+
 options := testprojects.TestProjectOptionsDefault(&testprojects.TestProjectsOptions{
 Testing: t,
 Prefix: "cs", // setting prefix here gets a random string appended to it
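Review bot: In the `TestMain` hunk the call to `GetSecretsManagerKey(...)` is inserted between `permanentResources, err = common.LoadMapFromYaml(yamlLocation)` and the `if err != nil { log.Fatal(err) }` that checks it, so when the YAML fails to load `permanentResources` is nil, the `.(string)` assertions panic, and the real load error is never printed. Move the block below the error check and use comma-ok assertions so a missing or mistyped key produces a `log.Fatal` naming the key instead of a runtime panic. The package-level variable would also conventionally be `acmeLetsEncryptPrivateKey` rather than snake_case (the `@@ -26` hunk). TestMain's body continues past the end of the hunk.

```go
	permanentResources, err = common.LoadMapFromYaml(yamlLocation)
	if err != nil {
		log.Fatal(err)
	}

	smID, ok := permanentResources["acme_letsencrypt_private_key_sm_id"].(string)
	if !ok {
		log.Fatal("permanent resources: acme_letsencrypt_private_key_sm_id missing or not a string")
	}
	// … same comma-ok check for acme_letsencrypt_private_key_sm_region (smRegion) and acme_letsencrypt_private_key_secret_id (secretID) …
	acme_letsencrypt_private_key = GetSecretsManagerKey(smID, smRegion, secretID) // pragma: allowlist secret
```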
@@ -52,14 +64,20 @@ func TestProjectsFullTest(t *testing.T) {
 })
 
 options.StackInputs = map[string]interface{}{
- "prefix": options.Prefix,
- "region": validRegions[rand.Intn(len(validRegions))],
- "existing_resource_group_name": resourceGroup,
- "sm_service_plan": "trial",
- "secret_manager_iam_engine_enabled": true,
- "ibmcloud_api_key": options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], // always required by the stack
- "enable_platform_logs_metrics": false,
- "en_email_list": []string{"GoldenEye.Operations@ibm.com"},
+ "prefix": options.Prefix,
+ "region": validRegions[rand.Intn(len(validRegions))],
+ "existing_resource_group_name": resourceGroup,
+ "sm_service_plan": "trial",
+ "secret_manager_iam_engine_enabled": true,
+ "secret_manager_public_engine_enabled": true,
+ "existing_secrets_endpoint_type": "private",
+ "cis_id": permanentResources["cisInstanceId"],
+ "ca_name": permanentResources["certificateAuthorityName"],
+ "dns_provider_name": permanentResources["dnsProviderName"],
+ "acme_letsencrypt_private_key": *acme_letsencrypt_private_key, // pragma: allowlist secret
+ "ibmcloud_api_key": options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], // always required by the stack
+ "enable_platform_logs_metrics": false,
+ "en_email_list": []string{"GoldenEye.Operations@ibm.com"},
 }
 
 err := options.RunProjectsTest()
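Review bot: The six public-engine entries added to `options.StackInputs` here (`secret_manager_public_engine_enabled` through `acme_letsencrypt_private_key`) are repeated verbatim in the `@@ -115,15 +155,21 @@` hunk of `TestProjectsExistingResourcesTest`; a small helper that returns them once and is merged into each map keeps the two tests from drifting when an input is renamed. The `*acme_letsencrypt_private_key` dereference in both maps assumes the pointer returned from `GetSecretsManagerKey` is non-nil, which is best guaranteed inside that function (raised on its hunk). The `// pragma: allowlist secret` markers on the dereference lines are appropriate and should be kept on the helper's line too.

```go
// publicEngineInputs returns the stack inputs shared by the tests that enable
// the Secrets Manager public certificate engine.
func publicEngineInputs() map[string]interface{} {
	return map[string]interface{}{
		"secret_manager_public_engine_enabled": true,
		"existing_secrets_endpoint_type":       "private",
		"cis_id":                               permanentResources["cisInstanceId"],
		"ca_name":                              permanentResources["certificateAuthorityName"],
		"dns_provider_name":                    permanentResources["dnsProviderName"],
		"acme_letsencrypt_private_key":         *acme_letsencrypt_private_key, // pragma: allowlist secret
	}
}

// … in each test, after options.StackInputs is built:
	for k, v := range publicEngineInputs() {
		options.StackInputs[k] = v
	}
```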
@@ -70,6 +88,28 @@ func TestProjectsFullTest(t *testing.T) {
 }
 }
 
+func GetSecretsManagerKey(sm_id string, sm_region string, sm_key_id string) *string {
+ secretsManagerService, err := secretsmanagerv2.NewSecretsManagerV2(&secretsmanagerv2.SecretsManagerV2Options{
+ URL: fmt.Sprintf("https://%s.%s.secrets-manager.appdomain.cloud", sm_id, sm_region),
+ Authenticator: &core.IamAuthenticator{
+ ApiKey: os.Getenv("TF_VAR_ibmcloud_api_key"),
+ },
+ })
+ if err != nil {
+ panic(err)
+ }
+
+ getSecretOptions := secretsManagerService.NewGetSecretOptions(
+ sm_key_id,
+ )
+
+ secret, _, err := secretsManagerService.GetSecret(getSecretOptions)
+ if err != nil {
+ panic(err)
+ }
+ return secret.(*secretsmanagerv2.ArbitrarySecret).Payload
+}
+
 func TestProjectsExistingResourcesTest(t *testing.T) {
 t.Parallel()
 
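Review bot: `return secret.(*secretsmanagerv2.ArbitrarySecret).Payload` is an unchecked type assertion, and `Payload` is a `*string` that both callers dereference; if the stored secret is not an arbitrary secret, or has no payload, the test run dies with an opaque interface-conversion or nil-pointer panic instead of a message naming the secret. Use the comma-ok form and check the payload before returning, keeping the secret ID and type in the message but never the value. Two smaller points on the same function: `ApiKey: os.Getenv("TF_VAR_ibmcloud_api_key")` silently sends an empty key when the variable is unset (this runs from `TestMain`, before the options' `RequiredEnvironmentVars` check), so fail early with `log.Fatal("TF_VAR_ibmcloud_api_key must be set")`; and the exported function lacks a doc comment and uses snake_case parameters where `smID`, `smRegion`, `secretID` would match Go conventions. A comment such as `// GetSecretsManagerKey reads the arbitrary secret secretID from the Secrets Manager instance smID in smRegion and returns its payload; it exits the process on any failure because it runs before the tests start.` would document the contract.

```go
	secret, _, err := secretsManagerService.GetSecret(getSecretOptions)
	if err != nil {
		panic(err)
	}
	arbitrary, ok := secret.(*secretsmanagerv2.ArbitrarySecret)
	if !ok {
		panic(fmt.Sprintf("secret %s is %T, expected *secretsmanagerv2.ArbitrarySecret", sm_key_id, secret))
	}
	if arbitrary.Payload == nil {
		panic(fmt.Sprintf("secret %s has no payload", sm_key_id))
	}
	return arbitrary.Payload
```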
@@ -115,15 +155,21 @@ func TestProjectsExistingResourcesTest(t *testing.T) {
 })
 
 options.StackInputs = map[string]interface{}{
- "prefix": terraform.Output(t, existingTerraformOptions, "prefix"),
- "region": terraform.Output(t, existingTerraformOptions, "region"),
- "existing_resource_group_name": terraform.Output(t, existingTerraformOptions, "resource_group_name"),
- "ibmcloud_api_key": options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], // always required by the stack
- "enable_platform_logs_metrics": false,
- "existing_secrets_manager_crn": terraform.Output(t, existingTerraformOptions, "secrets_manager_instance_crn"),
- "secret_manager_iam_engine_enabled": true,
- "existing_kms_instance_crn": permanentResources["hpcs_south_crn"],
- "en_email_list": []string{"GoldenEye.Operations@ibm.com"},
+ "prefix": terraform.Output(t, existingTerraformOptions, "prefix"),
+ "region": terraform.Output(t, existingTerraformOptions, "region"),
+ "existing_resource_group_name": terraform.Output(t, existingTerraformOptions, "resource_group_name"),
+ "ibmcloud_api_key": options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], // always required by the stack
+ "enable_platform_logs_metrics": false,
+ "existing_secrets_manager_crn": terraform.Output(t, existingTerraformOptions, "secrets_manager_instance_crn"),
+ "secret_manager_iam_engine_enabled": true,
+ "secret_manager_public_engine_enabled": true,
+ "existing_secrets_endpoint_type": "private",
+ "cis_id": permanentResources["cisInstanceId"],
+ "ca_name": permanentResources["certificateAuthorityName"],
+ "dns_provider_name": permanentResources["dnsProviderName"],
+ "acme_letsencrypt_private_key": *acme_letsencrypt_private_key, // pragma: allowlist secret
+ "existing_kms_instance_crn": permanentResources["hpcs_south_crn"],
+ "en_email_list": []string{"GoldenEye.Operations@ibm.com"},
 }
 
 err := options.RunProjectsTest()