Merged
Changes from 2 commits
21 changes: 21 additions & 0 deletions README.md
Expand Up @@ -80,6 +80,7 @@ For more information on access and permissions, see <https://cloud.ibm.com/docs/
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.79.1, < 2.0.0 |
| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9.1, < 1.0.0 |

### Modules

Expand All @@ -89,21 +90,33 @@ For more information on access and permissions, see <https://cloud.ibm.com/docs/
| <a name="module_config_aggregator_trusted_profile"></a> [config\_aggregator\_trusted\_profile](#module\_config\_aggregator\_trusted\_profile) | terraform-ibm-modules/trusted-profile/ibm | 3.1.1 |
| <a name="module_config_aggregator_trusted_profile_enterprise"></a> [config\_aggregator\_trusted\_profile\_enterprise](#module\_config\_aggregator\_trusted\_profile\_enterprise) | terraform-ibm-modules/trusted-profile/ibm | 3.1.1 |
| <a name="module_config_aggregator_trusted_profile_template"></a> [config\_aggregator\_trusted\_profile\_template](#module\_config\_aggregator\_trusted\_profile\_template) | terraform-ibm-modules/trusted-profile/ibm//modules/trusted-profile-template | 3.1.1 |
| <a name="module_en_crn_parser"></a> [en\_crn\_parser](#module\_en\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.2.0 |
| <a name="module_kms_key_crn_parser"></a> [kms\_key\_crn\_parser](#module\_kms\_key\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.2.0 |

### Resources

| Name | Type |
|------|------|
| [ibm_app_config_collection.collections](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/app_config_collection) | resource |
| [ibm_app_config_integration_en.app_config_integration_en](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/app_config_integration_en) | resource |
| [ibm_app_config_integration_kms.app_config_integration_kms](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/app_config_integration_kms) | resource |
| [ibm_config_aggregator_settings.config_aggregator_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/config_aggregator_settings) | resource |
| [ibm_iam_authorization_policy.en_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
| [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
| [ibm_iam_custom_role.template_assignment_reader](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_custom_role) | resource |
| [ibm_resource_instance.app_config](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
| [time_sleep.wait_for_en_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [time_sleep.wait_for_kms_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |

### Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_app_config_collections"></a> [app\_config\_collections](#input\_app\_config\_collections) | A list of collections to be added to the App Configuration instance | <pre>list(object({<br/> name = string<br/> collection_id = string<br/> description = optional(string, null)<br/> tags = optional(string, null)<br/> }))</pre> | `[]` | no |
| <a name="input_app_config_event_notifications_integration_id"></a> [app\_config\_event\_notifications\_integration\_id](#input\_app\_config\_event\_notifications\_integration\_id) | The unique ID for App Configuration and Event Notification Service integration. | `string` | `"ac-en-integration"` | no |
| <a name="input_app_config_event_notifications_source_name"></a> [app\_config\_event\_notifications\_source\_name](#input\_app\_config\_event\_notifications\_source\_name) | The name by which EN source will be created in the existing Event Notification instance. | `string` | `"apprapp-en-source-name"` | no |
| <a name="input_app_config_kms_integration_id"></a> [app\_config\_kms\_integration\_id](#input\_app\_config\_kms\_integration\_id) | The unique ID for App Configuration and Key Management Service integration. | `string` | `"ac-kms-integration"` | no |
| <a name="input_app_config_kms_key_crn"></a> [app\_config\_kms\_key\_crn](#input\_app\_config\_kms\_key\_crn) | The CRN of the KMS key used to encrypt data from app configuration instance. | `string` | `null` | no |
| <a name="input_app_config_name"></a> [app\_config\_name](#input\_app\_config\_name) | Name for the App Configuration service instance | `string` | n/a | yes |
| <a name="input_app_config_plan"></a> [app\_config\_plan](#input\_app\_config\_plan) | Plan for the App Configuration service instance, valid plans are lite, basic, standardv2, and enterprise. | `string` | `"lite"` | no |
| <a name="input_app_config_service_endpoints"></a> [app\_config\_service\_endpoints](#input\_app\_config\_service\_endpoints) | Service Endpoints for the App Configuration service instance, valid endpoints are public or public-and-private. | `string` | `"public-and-private"` | no |
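Review bot: in the Inputs rows added here, `app_config_kms_key_crn` defaults to `null` and its description does not say that it is required once `enable_kms_encryption` is `true`. State that dependency in the description and back it with a variable validation, so that enabling encryption without a key CRN fails at plan time. The default `"apprapp-en-source-name"` for `app_config_event_notifications_source_name` also reads like a placeholder; a default derived from the instance name would keep sources distinguishable when several App Configuration instances report to one Event Notifications instance.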
Expand All @@ -117,8 +130,16 @@ For more information on access and permissions, see <https://cloud.ibm.com/docs/
| <a name="input_config_aggregator_resource_collection_regions"></a> [config\_aggregator\_resource\_collection\_regions](#input\_config\_aggregator\_resource\_collection\_regions) | From which region do you want to collect configuration data? Only applies if `enable_config_aggregator` is set to true. | `list(string)` | <pre>[<br/> "all"<br/>]</pre> | no |
| <a name="input_config_aggregator_trusted_profile_name"></a> [config\_aggregator\_trusted\_profile\_name](#input\_config\_aggregator\_trusted\_profile\_name) | The name to give the trusted profile that will be created if `enable_config_aggregator` is set to `true`. | `string` | `"config-aggregator-trusted-profile"` | no |
| <a name="input_enable_config_aggregator"></a> [enable\_config\_aggregator](#input\_enable\_config\_aggregator) | Set to true to enable configuration aggregator. By setting to true a trusted profile will be created with the required access to record configuration data from all resources across regions in your account. [Learn more](https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator). | `bool` | `false` | no |
| <a name="input_enable_event_notification"></a> [enable\_event\_notification](#input\_enable\_event\_notification) | Flag to enable the event notification when the configured plan is 'enterprise'. | `bool` | `false` | no |
| <a name="input_enable_kms_encryption"></a> [enable\_kms\_encryption](#input\_enable\_kms\_encryption) | Flag to enable the KMS encryption when the configured plan is 'enterprise'. | `bool` | `false` | no |
| <a name="input_event_notifications_integration_description"></a> [event\_notifications\_integration\_description](#input\_event\_notifications\_integration\_description) | The description of integration between Event Notification and App Configuration service. | `string` | `"The app configuration integration to send notifications of events of users"` | no |
| <a name="input_existing_event_notifications_instance_crn"></a> [existing\_event\_notifications\_instance\_crn](#input\_existing\_event\_notifications\_instance\_crn) | The CRN of the existing Event Notifications instance to enable notifications for your App Configuration instance. | `string` | `null` | no |
| <a name="input_existing_event_notifications_instance_endpoint"></a> [existing\_event\_notifications\_instance\_endpoint](#input\_existing\_event\_notifications\_instance\_endpoint) | The API endpoint of the existing Event Notifications instance. | `string` | `null` | no |
| <a name="input_existing_kms_instance_crn"></a> [existing\_kms\_instance\_crn](#input\_existing\_kms\_instance\_crn) | The CRN of the existing key management service (KMS) that is used to create keys for encrypting the app config instance. If you are not using an existing KMS root key, you must specify this CRN. If you are using an existing KMS root key and auth policy is not set for app config to KMS, you must specify this CRN. This is applicable only for Enterprise plan. | `string` | `null` | no |
| <a name="input_existing_kms_instance_endpoint"></a> [existing\_kms\_instance\_endpoint](#input\_existing\_kms\_instance\_endpoint) | The API endpoint of the existing KMS instance. | `string` | `null` | no |
| <a name="input_region"></a> [region](#input\_region) | The region to provision the App Configuration service, valid regions are au-syd, jp-osa, jp-tok, eu-de, eu-gb, eu-es, us-east, us-south, ca-tor, br-sao, eu-fr2, ca-mon. | `string` | `"us-south"` | no |
| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where resources will be provisioned. | `string` | n/a | yes |
| <a name="input_skip_app_config_kms_same_account_auth_policy"></a> [skip\_app\_config\_kms\_same\_account\_auth\_policy](#input\_skip\_app\_config\_kms\_same\_account\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits App configuration instances in the resource group to read the encryption key from the KMS instance in the same account. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the other account. | `bool` | `false` | no |

### Outputs

Expand Down
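Review bot: the description of `skip_app_config_kms_same_account_auth_policy` ends with "If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the other account", but no `ibmcloud_kms_api_key` row appears in this Inputs table (it would sort between `existing_kms_instance_endpoint` and `region`). Either add the input or drop that sentence. The `existing_kms_instance_crn` description likewise says the instance "is used to create keys", while the module takes an existing key through `app_config_kms_key_crn` and the Resources table lists no key resource, so the text should describe what this module actually does with the CRN.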
58 changes: 57 additions & 1 deletion examples/advanced/main.tf
Expand Up @@ -42,6 +42,53 @@ module "cbr_zone" {
}]
}

##############################################################################
# Create KMS Instance
##############################################################################

locals {
key_ring_name = "${var.prefix}-ring"
key_name = "${var.prefix}-root-key"
}

module "key_protect_all_inclusive" {
source = "terraform-ibm-modules/kms-all-inclusive/ibm"
version = "5.1.22"
resource_group_id = module.resource_group.resource_group_id
key_protect_instance_name = "${var.prefix}-kms"
region = var.region
resource_tags = var.resource_tags
key_ring_endpoint_type = "public"
key_endpoint_type = "public"
keys = [
{
key_ring_name = local.key_ring_name
keys = [
{
key_name = local.key_name
force_delete = true # Setting it to true for testing purpose
}
]
}
]
}

##############################################################################
# Create EN Instance
##############################################################################

module "event_notification" {
source = "terraform-ibm-modules/event-notifications/ibm"
version = "2.6.18"
resource_group_id = module.resource_group.resource_group_id
name = "${var.prefix}-en"
tags = var.resource_tags
plan = "lite"
service_endpoints = "public-and-private"
region = var.region
}


########################################################################################################################
# App Config
########################################################################################################################
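Review bot: `force_delete = true` on the root key in `key_protect_all_inclusive` needs more than the "testing purpose" comment, because this key is the one later passed as `app_config_kms_key_crn` and an example is what users copy. Force deletion lets the key be removed while it still protects resources, so say in the comment that it should be `false` outside of test runs. The same block sets `key_ring_endpoint_type` and `key_endpoint_type` to `"public"` without explanation; a short comment on when to switch to private endpoints would help.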
Expand All @@ -53,7 +100,7 @@ module "app_config" {
app_config_name = "${var.prefix}-app-config"
app_config_tags = var.resource_tags
enable_config_aggregator = true # See https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator
app_config_plan = "standardv2"
app_config_plan = "enterprise"
config_aggregator_trusted_profile_name = "${var.prefix}-config-aggregator-trusted-profile"
app_config_collections = [
{
Expand Down Expand Up @@ -86,4 +133,13 @@ module "app_config" {
}]
}
]
enable_kms_encryption = true
app_config_kms_integration_id = "${var.prefix}-kms-integration"
existing_kms_instance_crn = module.key_protect_all_inclusive.key_protect_crn
app_config_kms_key_crn = module.key_protect_all_inclusive.keys["${local.key_ring_name}.${local.key_name}"].crn
existing_kms_instance_endpoint = module.key_protect_all_inclusive.kms_public_endpoint
enable_event_notification = true
app_config_event_notifications_integration_id = "${var.prefix}-en-integration"
existing_event_notifications_instance_crn = module.event_notification.crn
existing_event_notifications_instance_endpoint = "https://${var.region}.event-notifications.cloud.ibm.com"
}
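Review bot: `existing_event_notifications_instance_endpoint` is assembled by hand as `"https://${var.region}.event-notifications.cloud.ibm.com"`, while the KMS endpoint a few lines above comes from a module output (`kms_public_endpoint`). A hard-coded host silently goes stale if the service URL scheme differs for a region, so take the value from an `event_notification` module output if one exists, or add a comment explaining why it is built here. Both integrations also use public endpoints even though the Event Notifications instance is created with `service_endpoints = "public-and-private"`; note in the example whether the private endpoint is supported for this integration.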
2 changes: 1 addition & 1 deletion examples/basic/version.tf
Expand Up @@ -6,7 +6,7 @@ terraform {
required_providers {
ibm = {
source = "IBM-Cloud/ibm"
version = "1.79.1"
version = ">= 1.79.1, < 2.0.0"
}
}
}
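Review bot: replacing the exact pin `version = "1.79.1"` with `">= 1.79.1, < 2.0.0"` means the basic example no longer exercises the lowest provider version that the README declares as supported; `terraform init` will resolve to the newest 1.x release instead. If the pin was there to test that floor, keep the exact version in this example and leave the range to the module's own requirements. If the change is intentional, say why in the PR description, since it is unrelated to the KMS and Event Notifications work.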
138 changes: 138 additions & 0 deletions ibm_catalog.json
Expand Up @@ -258,6 +258,75 @@
"original_grouping": "deployment"
}
},
{
"key": "enable_kms_encryption"
},
{
"key": "skip_app_config_kms_iam_auth_policy"
},
{
"key": "ibmcloud_kms_api_key"
},
{
"key": "app_config_kms_integration_id"
},
{
"key": "existing_kms_instance_crn"
},
{
"key": "existing_kms_key_crn"
},
{
"key": "kms_endpoint_type",
"options": [
{
"displayname": "Public",
"value": "public"
},
{
"displayname": "Private",
"value": "private"
}
]
},
{
"key": "app_config_key_ring_name"
},
{
"key": "app_config_key_name"
},
{
"key": "enable_event_notification"
},
{
"key": "app_config_event_notifications_integration_id"
},
{
"key": "existing_event_notifications_instance_crn"
},
{
"key": "event_notifications_endpoint_type",
"options": [
{
"displayname": "public",
"value": "public"
},
{
"displayname": "private",
"value": "private"
},
{
"displayname": "public-and-private",
"value": "public-and-private"
}
]
},
{
"key": "app_config_event_notifications_source_name"
},
{
"key": "event_notifications_integration_description"
},
{
"key": "provider_visibility",
"hidden": true,
Expand Down Expand Up @@ -487,6 +556,75 @@
"reference_version": true
}
]
},
{
"name": "deploy-arch-ibm-kms",
"description": "Configure KMS to encrypt the data from app configuration instance stored in database.",
"id": "2cad4789-fa90-4886-9c9e-857081c273ee-global",
"version": "v5.1.19",
"flavors": [
"fully-configurable"
],
"catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3",
"optional": true,
"on_by_default": true,
"input_mapping": [
{
"dependency_output": "kms_instance_crn",
"version_input": "existing_kms_instance_crn"
},
{
"version_input": "enable_kms_encryption",
"value": true
},
{
"dependency_input": "kms_endpoint_type",
"version_input": "kms_endpoint_type",
"reference_version": true
},
{
"dependency_input": "prefix",
"version_input": "prefix",
"reference_version": true
},
{
"dependency_input": "region",
"version_input": "region",
"reference_version": true
}
]
},
{
"name": "deploy-arch-ibm-event-notifications",
"description": "Configure Event Notifications to notify any configuration change events.",
"id": "c7ac3ee6-4f48-4236-b974-b0cd8c624a46-global",
"version": "v2.6.11",
"flavors": [
"fully-configurable"
],
"catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3",
"optional": true,
"on_by_default": true,
"input_mapping": [
{
"dependency_output": "crn",
"version_input": "existing_event_notifications_instance_crn"
},
{
"version_input": "enable_event_notification",
"value": true
},
{
"dependency_input": "prefix",
"version_input": "prefix",
"reference_version": true
},
{
"dependency_input": "region",
"version_input": "region",
"reference_version": true
}
]
}
],
"dependency_version_2": true,
Expand Down
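Review bot: the `deploy-arch-ibm-event-notifications` dependency has no endpoint-type entry in its `input_mapping`, whereas the `deploy-arch-ibm-kms` block maps `kms_endpoint_type` with `reference_version`. Since `event_notifications_endpoint_type` is added as a configuration key in this same file, map it here as well if the dependency has a matching input, or note why it is left out. Both dependencies are also `on_by_default` and force `enable_kms_encryption` and `enable_event_notification` to `true`, while the README describes those flags as applying when the plan is 'enterprise'; nothing in these mappings sets or checks the plan, so confirm what a deployment on a lower plan does with the dependencies left on.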