terraform-ibm-modules · iamar7 · Jul 30, 2024 · Jul 30, 2024 · Jul 30, 2024 · Aug 2, 2024
@@ -229,6 +229,13 @@
 							"description": "The CRN of an existing Secrets Manager instance to use in this solution. If not set, a new Secrets Manager instance is provisioned.",
 							"required": false
 						},
+						{
+							"key": "existing_secrets_endpoint_type",
+							"type": "string",
+							"default_value": "__NULL__",
+							"description": "The endpoint type to use if existing_secrets_manager_crn is specified.",
+							"required": false
+						},
 						{
 							"key": "sm_service_plan",
 							"type": "string",
@@ -253,6 +260,41 @@
 							"description": "Set this to true to to configure a Secrets Manager IAM credentials engine. If set to false, no IAM engine will be configured for your instance.",
 							"required": false
 						},
+						{
+							"key": "secret_manager_public_engine_enabled",
+							"type": "boolean",
+							"default_value": false,
+							"description": "Set this to true to configure a Secrets Manager public certificate engine for an existing Secrets Manager instance. If set to false, no public certificate engine will be configured for your instance.",
+							"required": false
+						},
+						{
+							"key": "cis_id",
+							"type": "string",
+							"default_value": "__NULL__",
+							"description": "Cloud Internet Service ID.",
+							"required": false
+						},
+						{
+							"key": "ca_name",
+							"type": "string",
+							"default_value": "cert-auth",
+							"description": "The name of the certificate authority for Secrets Manager.",
+							"required": false
+						},
+						{
+							"key": "dns_provider_name",
+							"type": "string",
+							"default_value": "certificate-dns",
+							"description": "The name of the DNS provider for the public certificate secrets engine configuration.",
+							"required": false
+						},
+						{
+							"key": "acme_letsencrypt_private_key",
+							"type": "string",
+							"default_value": "__NULL__",
+							"description": "The private key generated by the ACME account creation tool.",
+							"required": false
+						},
 						{
 							"key": "scc_service_plan",
 							"type": "string",

@@ -77,8 +77,57 @@
 		"required": false,
 		"type": "boolean",
 		"hidden": false,
-		"default": false
-	}
+		"default": false,
+    "custom_config": {}
+	},
+  {
+    "name": "secret_manager_public_engine_enabled",
+		"required": false,
+		"type": "boolean",
+		"hidden": false,
+		"default": false,
+    "custom_config": {}
+  },
+  {
+    "name": "existing_secrets_endpoint_type",
+		"required": false,
+		"type": "string",
+		"hidden": false,
+		"default": "__NULL__",
+    "custom_config": {}
+  },
+  {
+    "name": "cis_id",
+		"required": false,
+		"type": "string",
+		"hidden": false,
+		"default": "__NULL__",
+    "custom_config": {}
+  },
+  {
+    "name": "ca_name",
+		"required": false,
+		"type": "string",
+		"hidden": false,
+		"default": "__NULL__",
+    "custom_config": {}
+  },
+  {
+    "name": "dns_provider_name",
+		"required": false,
+		"type": "string",
+		"hidden": false,
+		"default": "__NULL__",
+    "custom_config": {}
+  },
+  {
+    "name": "acme_letsencrypt_private_key",
+		"required": false,
+		"type": "string",
+		"hidden": true,
+		"default": "__NULL__",
+    "custom_config": {}
+  }
   ],
   "members": [
     {
@@ -311,10 +360,30 @@
           "name": "service_plan",
           "value": "ref:../../inputs/sm_service_plan"
         },
-		{
-			"name": "iam_engine_enabled",
-			"value": "ref:../../inputs/secret_manager_iam_engine_enabled"
-		}
+		    {
+			    "name": "iam_engine_enabled",
+			    "value": "ref:../../inputs/secret_manager_iam_engine_enabled"
+		    },
+        {
+          "name": "public_engine_enabled",
+			    "value": "ref:../../inputs/secret_manager_public_engine_enabled"
+        },
+        {
+          "name": "cis_id",
+          "value": "ref:../../inputs/cis_id"
+        },
+        {
+          "name": "ca_name",
+          "value": "ref:../../inputs/ca_name"
+        },
+        {
+          "name": "dns_provider_name",
+          "value": "ref:../../inputs/dns_provider_name"
+        },
+        {
+          "name": "acme_letsencrypt_private_key",
+          "value": "ref:../../inputs/acme_letsencrypt_private_key"
+        }
       ],
       "name": "4b - Secrets Manager",
       "version_locator": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3.e806bb05-dfb9-40a8-99bf-1b9272cf8d82-global"

@@ -22,6 +22,7 @@ require (
 	github.com/IBM/go-sdk-core/v5 v5.17.3 // indirect
 	github.com/IBM/platform-services-go-sdk v0.63.1 // indirect
 	github.com/IBM/project-go-sdk v0.3.0 // indirect
+	github.com/IBM/secrets-manager-go-sdk/v2 v2.0.4
 	github.com/IBM/vpc-go-sdk v0.51.0 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect

@@ -199,6 +199,8 @@ github.com/IBM/platform-services-go-sdk v0.63.1 h1:F5mZU1hKDHqpZa85twUeSYmM9g9gw
 github.com/IBM/platform-services-go-sdk v0.63.1/go.mod h1:16nYqb16KRNSnBFVjHzI+9XfEWcooh0WxklA5VWUuzY=
 github.com/IBM/project-go-sdk v0.3.0 h1:lZR4wT6UCsOZ8QkEBITrfM6OZkLlL70/HXiPxF/Olt4=
 github.com/IBM/project-go-sdk v0.3.0/go.mod h1:FOJM9ihQV3EEAY6YigcWiTNfVCThtdY8bLC/nhQHFvo=
+github.com/IBM/secrets-manager-go-sdk/v2 v2.0.4 h1:xa9e+POVqaXxXHXkSMCOVAbKdUNEu86jQmo5hcpd+L4=
+github.com/IBM/secrets-manager-go-sdk/v2 v2.0.4/go.mod h1:5gq8D8uWOIbqOm1uztay6lpOysgJaxxEsaVZLWGWb40=
 github.com/IBM/vpc-go-sdk v0.51.0 h1:JfeE/TnPm/NFU59UctiPzjxEhHtmBqXxG6zHH5eTI8I=
 github.com/IBM/vpc-go-sdk v0.51.0/go.mod h1:3+zQ0dqiv46ALjRXXVrser+dCdAVXOHVwlYkCCX4bNU=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=

@@ -8,6 +8,8 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/IBM/go-sdk-core/v5/core"
+	"github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2"
 	"github.com/gruntwork-io/terratest/modules/files"
 	"github.com/gruntwork-io/terratest/modules/logger"
 	"github.com/gruntwork-io/terratest/modules/random"
@@ -46,21 +48,34 @@ func TestMain(m *testing.M) {
 
 func TestProjectsFullTest(t *testing.T) {
 	t.Parallel()
+
+	acme_letsencrypt_private_key := GetSecretsManagerKey( // pragma: allowlist secret
+		permanentResources["acme_letsencrypt_private_key_sm_id"].(string),
+		permanentResources["acme_letsencrypt_private_key_sm_region"].(string),
+		permanentResources["acme_letsencrypt_private_key_secret_id"].(string),
+	)
+
 	options := testprojects.TestProjectOptionsDefault(&testprojects.TestProjectsOptions{
 		Testing:        t,
 		Prefix:         "cs", // setting prefix here gets a random string appended to it
 		ParallelDeploy: true,
 	})
 
 	options.StackInputs = map[string]interface{}{
-		"prefix":                            options.Prefix,
-		"region":                            validRegions[rand.Intn(len(validRegions))],
-		"existing_resource_group_name":      resourceGroup,
-		"sm_service_plan":                   "trial",
-		"secret_manager_iam_engine_enabled": true,
-		"ibmcloud_api_key":                  options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], // always required by the stack
-		"enable_platform_logs_metrics":      false,
-		"en_email_list":                     []string{"[email protected]"},
+		"prefix":                               options.Prefix,
+		"region":                               validRegions[rand.Intn(len(validRegions))],
+		"existing_resource_group_name":         resourceGroup,
+		"sm_service_plan":                      "trial",
+		"secret_manager_iam_engine_enabled":    true,
+		"secret_manager_public_engine_enabled": true,
+		"existing_secrets_endpoint_type":       "private",
+		"cis_id":                               permanentResources["cisInstanceId"],
+		"ca_name":                              permanentResources["certificateAuthorityName"],
+		"dns_provider_name":                    permanentResources["dnsProviderName"],
+		"acme_letsencrypt_private_key":         *acme_letsencrypt_private_key,                              // pragma: allowlist secret
+		"ibmcloud_api_key":                     options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], // always required by the stack
+		"enable_platform_logs_metrics":         false,
+		"en_email_list":                        []string{"[email protected]"},
 	}
 
 	err := options.RunProjectsTest()
@@ -71,9 +86,37 @@ func TestProjectsFullTest(t *testing.T) {
 	}
 }
 
+func GetSecretsManagerKey(sm_id string, sm_region string, sm_key_id string) *string {
+	secretsManagerService, err := secretsmanagerv2.NewSecretsManagerV2(&secretsmanagerv2.SecretsManagerV2Options{
+		URL: fmt.Sprintf("https://%s.%s.secrets-manager.appdomain.cloud", sm_id, sm_region),
+		Authenticator: &core.IamAuthenticator{
+			ApiKey: os.Getenv("TF_VAR_ibmcloud_api_key"),
+		},
+	})
+	if err != nil {
+		panic(err)
+	}
+
+	getSecretOptions := secretsManagerService.NewGetSecretOptions(
+		sm_key_id,
+	)
+
+	secret, _, err := secretsManagerService.GetSecret(getSecretOptions)
+	if err != nil {
+		panic(err)
+	}
+	return secret.(*secretsmanagerv2.ArbitrarySecret).Payload
+}
+
 func TestProjectsExistingResourcesTest(t *testing.T) {
 	t.Parallel()
 
+	acme_letsencrypt_private_key := GetSecretsManagerKey( // pragma: allowlist secret
+		permanentResources["acme_letsencrypt_private_key_sm_id"].(string),
+		permanentResources["acme_letsencrypt_private_key_sm_region"].(string),
+		permanentResources["acme_letsencrypt_private_key_secret_id"].(string),
+	)
+
 	// ------------------------------------------------------------------------------------
 	// Provision RG, EN and SM
 	// ------------------------------------------------------------------------------------
@@ -116,15 +159,21 @@ func TestProjectsExistingResourcesTest(t *testing.T) {
 		})
 
 		options.StackInputs = map[string]interface{}{
-			"prefix":                            terraform.Output(t, existingTerraformOptions, "prefix"),
-			"region":                            terraform.Output(t, existingTerraformOptions, "region"),
-			"existing_resource_group_name":      terraform.Output(t, existingTerraformOptions, "resource_group_name"),
-			"ibmcloud_api_key":                  options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], // always required by the stack
-			"enable_platform_logs_metrics":      false,
-			"existing_secrets_manager_crn":      terraform.Output(t, existingTerraformOptions, "secrets_manager_instance_crn"),
-			"secret_manager_iam_engine_enabled": true,
-			"existing_kms_instance_crn":         permanentResources["hpcs_south_crn"],
-			"en_email_list":                     []string{"[email protected]"},
+			"prefix":                               terraform.Output(t, existingTerraformOptions, "prefix"),
+			"region":                               terraform.Output(t, existingTerraformOptions, "region"),
+			"existing_resource_group_name":         terraform.Output(t, existingTerraformOptions, "resource_group_name"),
+			"ibmcloud_api_key":                     options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], // always required by the stack
+			"enable_platform_logs_metrics":         false,
+			"existing_secrets_manager_crn":         terraform.Output(t, existingTerraformOptions, "secrets_manager_instance_crn"),
+			"secret_manager_iam_engine_enabled":    true,
+			"secret_manager_public_engine_enabled": true,
+			"existing_secrets_endpoint_type":       "private",
+			"cis_id":                               permanentResources["cisInstanceId"],
+			"ca_name":                              permanentResources["certificateAuthorityName"],
+			"dns_provider_name":                    permanentResources["dnsProviderName"],
+			"acme_letsencrypt_private_key":         *acme_letsencrypt_private_key, // pragma: allowlist secret
+			"existing_kms_instance_crn":            permanentResources["hpcs_south_crn"],
+			"en_email_list":                        []string{"[email protected]"},
 		}
 
 		err := options.RunProjectsTest()