feat: added support to enable the secrets manager public cert engine

ibm_catalog.json

@@ -236,6 +236,24 @@
 							"description": "The CRN of an existing Secrets Manager instance to use in this solution. If not set, a new Secrets Manager instance is provisioned.",
 							"required": false
 						},
+						{
+							"key": "existing_secrets_endpoint_type",
+							"type": "string",
+							"default_value": "private",
+							"description": "The endpoint type to use if `existing_secrets_manager_crn` is specified.",
+							"required": false,
+							"options": [
+								{
+									"displayname": "public",
+									"value": "public"
+								},
+								{
+									"displayname": "private",
+									"value": "private"
+								}
+							]
+
+						},
 						{
 							"key": "sm_service_plan",
 							"type": "string",
@@ -260,6 +278,42 @@
 							"description": "Set this to true to to configure a Secrets Manager IAM credentials engine. If set to false, no IAM engine will be configured for your instance.",
 							"required": false
 						},
+						{
+							"key": "secret_manager_public_engine_enabled",
+							"type": "boolean",
+							"default_value": false,
+							"description": "Whether to configure a Secrets Manager public certificate engine for an existing Secrets Manager instance. If `false`, no public certificate engine is configured for your instance.",
+							"required": false
+						},
+						{
+							"key": "cis_id",
+							"type": "string",
+							"default_value": "__NULL__",
+							"description": "Cloud Internet Service ID. Required if `secret_manager_public_engine_enabled` is set to true.",
+							"required": false
+						},
+						{
+							"key": "ca_name",
+							"type": "string",
+							"default_value": "__NULL__",
+							"description": "The name of the certificate authority for Secrets Manager. Required if `secret_manager_public_engine_enabled` is set to true.",
+							"required": false
+						},
+						{
+							"key": "dns_provider_name",
+							"type": "string",
+							"default_value": "__NULL__",
+							"description": "The name of the DNS provider for the public certificate secrets engine configuration. Required if `secret_manager_public_engine_enabled` is set to true.",
+							"required": false
+						},
+						{
+							"key": "acme_letsencrypt_private_key",
+							"type": "string",
+							"default_value": "__NULL__",
+							"description": "The private key generated by the ACME protocol. For more information, see [Preparing to order public certificates](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-prepare-order-certificates).",
+							"required": false,
+							"sensitive": true
+						},
 						{
 							"key": "scc_service_plan",
 							"type": "string",

stack_definition.json

@@ -84,7 +84,56 @@
       "required": false,
       "type": "boolean",
       "hidden": false,
-      "default": false
+      "default": false,
+      "custom_config": {}
+    },
+    {
+      "name": "secret_manager_public_engine_enabled",
+      "required": false,
+      "type": "boolean",
+      "hidden": false,
+      "default": false,
+      "custom_config": {}
+    },
+    {
+      "name": "existing_secrets_endpoint_type",
+      "required": false,
+      "type": "string",
+      "hidden": false,
+      "default": "private",
+      "custom_config": {}
+    },
+    {
+      "name": "cis_id",
+      "required": false,
+      "type": "string",
+      "hidden": false,
+      "default": "__NULL__",
+      "custom_config": {}
+    },
+    {
+      "name": "ca_name",
+      "required": false,
+      "type": "string",
+      "hidden": false,
+      "default": "__NULL__",
+      "custom_config": {}
+    },
+    {
+      "name": "dns_provider_name",
+      "required": false,
+      "type": "string",
+      "hidden": false,
+      "default": "__NULL__",
+      "custom_config": {}
+    },
+    {
+      "name": "acme_letsencrypt_private_key",
+      "required": false,
+      "type": "string",
+      "hidden": true,
+      "default": "__NULL__",
+      "custom_config": {}
     }
   ],
   "members": [
@@ -325,10 +374,30 @@
         {
           "name": "service_plan",
           "value": "ref:../../inputs/sm_service_plan"
+        },
+		    {
+			    "name": "iam_engine_enabled",
+			    "value": "ref:../../inputs/secret_manager_iam_engine_enabled"
+		    },
+        {
+          "name": "public_engine_enabled",
+			    "value": "ref:../../inputs/secret_manager_public_engine_enabled"
+        },
+        {
+          "name": "cis_id",
+          "value": "ref:../../inputs/cis_id"
+        },
+        {
+          "name": "ca_name",
+          "value": "ref:../../inputs/ca_name"
+        },
+        {
+          "name": "dns_provider_name",
+          "value": "ref:../../inputs/dns_provider_name"
         },
         {
-          "name": "iam_engine_enabled",
-          "value": "ref:../../inputs/secret_manager_iam_engine_enabled"
+          "name": "acme_letsencrypt_private_key",
+          "value": "ref:../../inputs/acme_letsencrypt_private_key"
         },
         {
           "name": "enable_event_notification",

tests/go.mod

@@ -22,6 +22,7 @@ require (
 	github.com/IBM/go-sdk-core/v5 v5.17.5 // indirect
 	github.com/IBM/platform-services-go-sdk v0.69.0 // indirect
 	github.com/IBM/project-go-sdk v0.3.0 // indirect
+	github.com/IBM/secrets-manager-go-sdk/v2 v2.0.4
 	github.com/IBM/vpc-go-sdk v0.57.0 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect

tests/go.sum

@@ -199,6 +199,8 @@ github.com/IBM/platform-services-go-sdk v0.69.0 h1:SYpLydPWawyhfFxgDTAc5JqWHywkr
 github.com/IBM/platform-services-go-sdk v0.69.0/go.mod h1:6rYd3stLSnotYmZlxclw45EJPaQuLmh5f7c+Mg7rOg4=
 github.com/IBM/project-go-sdk v0.3.0 h1:lZR4wT6UCsOZ8QkEBITrfM6OZkLlL70/HXiPxF/Olt4=
 github.com/IBM/project-go-sdk v0.3.0/go.mod h1:FOJM9ihQV3EEAY6YigcWiTNfVCThtdY8bLC/nhQHFvo=
+github.com/IBM/secrets-manager-go-sdk/v2 v2.0.4 h1:xa9e+POVqaXxXHXkSMCOVAbKdUNEu86jQmo5hcpd+L4=
+github.com/IBM/secrets-manager-go-sdk/v2 v2.0.4/go.mod h1:5gq8D8uWOIbqOm1uztay6lpOysgJaxxEsaVZLWGWb40=
 github.com/IBM/vpc-go-sdk v0.57.0 h1:E8CPDpUE4z0cvvmFZzqUthMtGJx71Fne6vdvkjZdXfg=
 github.com/IBM/vpc-go-sdk v0.57.0/go.mod h1:swmxiYLT+OfBsBYqJWGeRd6NPmBk4u/het2PZdtzIaw=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=

tests/pr_test.go

@@ -8,6 +8,8 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/IBM/go-sdk-core/v5/core"
+	"github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2"
 	"github.com/gruntwork-io/terratest/modules/files"
 	"github.com/gruntwork-io/terratest/modules/logger"
 	"github.com/gruntwork-io/terratest/modules/random"
@@ -26,6 +28,8 @@ const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-res
 
 var permanentResources map[string]interface{}
 
+var acme_letsencrypt_private_key *string
+
 // Current supported regions (NOTE: eu-es is not being used as we don't have extended trial plan quota in that region currently)
 var validRegions = []string{
 	"us-south",
@@ -36,6 +40,13 @@ func TestMain(m *testing.M) {
 	// Read the YAML file contents
 	var err error
 	permanentResources, err = common.LoadMapFromYaml(yamlLocation)
+
+	acme_letsencrypt_private_key = GetSecretsManagerKey( // pragma: allowlist secret
+		permanentResources["acme_letsencrypt_private_key_sm_id"].(string),
+		permanentResources["acme_letsencrypt_private_key_sm_region"].(string),
+		permanentResources["acme_letsencrypt_private_key_secret_id"].(string),
+	)
+
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -45,21 +56,28 @@ func TestMain(m *testing.M) {
 
 func TestProjectsFullTest(t *testing.T) {
 	t.Parallel()
+
 	options := testprojects.TestProjectOptionsDefault(&testprojects.TestProjectsOptions{
 		Testing:        t,
 		Prefix:         "cs", // setting prefix here gets a random string appended to it
 		ParallelDeploy: true,
 	})
 
 	options.StackInputs = map[string]interface{}{
-		"prefix":                            options.Prefix,
-		"region":                            validRegions[rand.Intn(len(validRegions))],
-		"existing_resource_group_name":      resourceGroup,
-		"sm_service_plan":                   "trial",
-		"secret_manager_iam_engine_enabled": true,
-		"ibmcloud_api_key":                  options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], // always required by the stack
-		"enable_platform_logs_metrics":      false,
-		"en_email_list":                     []string{"[email protected]"},
+		"prefix":                               options.Prefix,
+		"region":                               validRegions[rand.Intn(len(validRegions))],
+		"existing_resource_group_name":         resourceGroup,
+		"sm_service_plan":                      "trial",
+		"secret_manager_iam_engine_enabled":    true,
+		"secret_manager_public_engine_enabled": true,
+		"existing_secrets_endpoint_type":       "private",
+		"cis_id":                               permanentResources["cisInstanceId"],
+		"ca_name":                              permanentResources["certificateAuthorityName"],
+		"dns_provider_name":                    permanentResources["dnsProviderName"],
+		"acme_letsencrypt_private_key":         *acme_letsencrypt_private_key,                              // pragma: allowlist secret
+		"ibmcloud_api_key":                     options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], // always required by the stack
+		"enable_platform_logs_metrics":         false,
+		"en_email_list":                        []string{"[email protected]"},
 	}
 
 	err := options.RunProjectsTest()
@@ -70,6 +88,28 @@ func TestProjectsFullTest(t *testing.T) {
 	}
 }
 
+func GetSecretsManagerKey(sm_id string, sm_region string, sm_key_id string) *string {
+	secretsManagerService, err := secretsmanagerv2.NewSecretsManagerV2(&secretsmanagerv2.SecretsManagerV2Options{
+		URL: fmt.Sprintf("https://%s.%s.secrets-manager.appdomain.cloud", sm_id, sm_region),
+		Authenticator: &core.IamAuthenticator{
+			ApiKey: os.Getenv("TF_VAR_ibmcloud_api_key"),
+		},
+	})
+	if err != nil {
+		panic(err)
+	}
+
+	getSecretOptions := secretsManagerService.NewGetSecretOptions(
+		sm_key_id,
+	)
+
+	secret, _, err := secretsManagerService.GetSecret(getSecretOptions)
+	if err != nil {
+		panic(err)
+	}
+	return secret.(*secretsmanagerv2.ArbitrarySecret).Payload
+}
+
 func TestProjectsExistingResourcesTest(t *testing.T) {
 	t.Parallel()
 
@@ -115,15 +155,21 @@ func TestProjectsExistingResourcesTest(t *testing.T) {
 		})
 
 		options.StackInputs = map[string]interface{}{
-			"prefix":                            terraform.Output(t, existingTerraformOptions, "prefix"),
-			"region":                            terraform.Output(t, existingTerraformOptions, "region"),
-			"existing_resource_group_name":      terraform.Output(t, existingTerraformOptions, "resource_group_name"),
-			"ibmcloud_api_key":                  options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], // always required by the stack
-			"enable_platform_logs_metrics":      false,
-			"existing_secrets_manager_crn":      terraform.Output(t, existingTerraformOptions, "secrets_manager_instance_crn"),
-			"secret_manager_iam_engine_enabled": true,
-			"existing_kms_instance_crn":         permanentResources["hpcs_south_crn"],
-			"en_email_list":                     []string{"[email protected]"},
+			"prefix":                               terraform.Output(t, existingTerraformOptions, "prefix"),
+			"region":                               terraform.Output(t, existingTerraformOptions, "region"),
+			"existing_resource_group_name":         terraform.Output(t, existingTerraformOptions, "resource_group_name"),
+			"ibmcloud_api_key":                     options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], // always required by the stack
+			"enable_platform_logs_metrics":         false,
+			"existing_secrets_manager_crn":         terraform.Output(t, existingTerraformOptions, "secrets_manager_instance_crn"),
+			"secret_manager_iam_engine_enabled":    true,
+			"secret_manager_public_engine_enabled": true,
+			"existing_secrets_endpoint_type":       "private",
+			"cis_id":                               permanentResources["cisInstanceId"],
+			"ca_name":                              permanentResources["certificateAuthorityName"],
+			"dns_provider_name":                    permanentResources["dnsProviderName"],
+			"acme_letsencrypt_private_key":         *acme_letsencrypt_private_key, // pragma: allowlist secret
+			"existing_kms_instance_crn":            permanentResources["hpcs_south_crn"],
+			"en_email_list":                        []string{"[email protected]"},
 		}
 
 		err := options.RunProjectsTest()