diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 121ff93d..4eda3ea8 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -242,6 +242,15 @@ module "ocp_base" {
   skip_cluster_apikey_creation = var.skip_cluster_apikey_creation
 }
 
+locals {
+  base_endpoint = var.enable_secrets_manager_integration == false ? null : (var.secrets_manager_endpoint_type == "private" ? "${module.existing_secrets_manager_instance_parser[0].service_instance}.private" : module.existing_secrets_manager_instance_parser[0].service_instance)
+
+  secrets_manager_region = var.enable_secrets_manager_integration ? module.existing_secrets_manager_instance_parser[0].region : local.vpc_region
+
+  secret_id = var.enable_secrets_manager_integration && var.secrets_manager_secret_group_id == null ? jsondecode(data.restapi_object.secrets["0"].api_response).id : null
+}
+
+
 module "existing_secrets_manager_instance_parser" {
   count  = var.enable_secrets_manager_integration ? 1 : 0
   source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
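Review bot: `base_endpoint` evaluates to `null` whenever `enable_secrets_manager_integration` is false, yet the new `provider "restapi"` block in provider.tf interpolates it into `uri`; Terraform rejects a null value inside a string template, so a deployment with the integration disabled is likely to fail at plan time even though no restapi resource is instantiated. Give the local a harmless non-null fallback, e.g. `base_endpoint = var.enable_secrets_manager_integration ? (var.secrets_manager_endpoint_type == "private" ? "${module.existing_secrets_manager_instance_parser[0].service_instance}.private" : module.existing_secrets_manager_instance_parser[0].service_instance) : "unused"`, or build the endpoint inside the provider block with a `coalesce`. The three locals mix an `== false` test with plain boolean tests; one form throughout would read more easily. A short comment above the block explaining that the `.private` suffix selects the Secrets Manager private endpoint, and that `secret_id` is whichever single secret the `restapi_object` data source matched for the group, would help the next maintainer.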
@@ -249,29 +258,40 @@ module "existing_secrets_manager_instance_parser" {
   crn = var.existing_secrets_manager_instance_crn
 }
 
-resource "terraform_data" "delete_secrets" {
+data "ibm_iam_auth_token" "restapi" {
-  count = var.enable_secrets_manager_integration && var.secrets_manager_secret_group_id == null ? 1 : 0
-  input = {
-    secret_id = module.secret_group[0].secret_group_id
-    provider_visibility = var.provider_visibility
-    secrets_manager_instance_id = module.existing_secrets_manager_instance_parser[0].service_instance
-    secrets_manager_region = module.existing_secrets_manager_instance_parser[0].region
-    secrets_manager_endpoint = var.secrets_manager_endpoint_type
-  }
-  # api key in triggers_replace to avoid it to be printed out in clear text in terraform_data output
-  triggers_replace = {
-    api_key = var.ibmcloud_api_key
-  }
-  provisioner "local-exec" {
-    when = destroy
-    command = "${path.module}/scripts/delete_secrets.sh ${self.input.secret_id} ${self.input.provider_visibility} ${self.input.secrets_manager_instance_id} ${self.input.secrets_manager_region} ${self.input.secrets_manager_endpoint}"
-    interpreter = ["/bin/bash", "-c"]
+  depends_on = [module.ocp_base]
+
+}
+
+data "restapi_object" "secrets" {
+
+
+  depends_on = [module.ocp_base]
+  for_each = var.enable_secrets_manager_integration && var.secrets_manager_secret_group_id == null ? {
+    "0" = module.secret_group[0].secret_group_id
+  } : {}
+
+  path = "/api/v2/secrets"
+  query_string = "limit=1000"
+  results_key = "secrets"
+  search_key = "secret_group_id"
+  search_value = each.value
+}
+
+resource "restapi_object" "delete_secret" {
+
+  count = var.enable_secrets_manager_integration && var.secrets_manager_secret_group_id == null ? 1 : 0
+  id_attribute = "id"
+  path = "/api/v2/secrets/{id}"
+  read_path = "/api/v2/secrets/{id}"
+  read_method = "GET"
+  create_method = "PATCH"
+  create_path = "/api/v2/secrets/${local.secret_id}/metadata"
+  destroy_method = "DELETE"
+  destroy_path = "/api/v2/secrets/{id}"
+  data = jsonencode({})
-    environment = {
-      API_KEY = self.triggers_replace.api_key
-    }
-  }
 }
 
 module "secret_group" {
diff --git a/solutions/fully-configurable/provider.tf b/solutions/fully-configurable/provider.tf
index 3cd334a0..795a6033 100644
--- a/solutions/fully-configurable/provider.tf
+++ b/solutions/fully-configurable/provider.tf
@@ -38,3 +38,13 @@ provider "kubernetes" {
   token = data.ibm_container_cluster_config.cluster_config[0].token
   cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config[0].ca_certificate
 }
+
+provider "restapi" {
+  uri = "https://${local.base_endpoint}.${local.secrets_manager_region}.secrets-manager.appdomain.cloud"
+  write_returns_object = true
+  debug = true
+  headers = {
+    Authorization = data.ibm_iam_auth_token.restapi.iam_access_token
+    Content-Type = "application/merge-patch+json"
+  }
+}
diff --git a/solutions/fully-configurable/version.tf b/solutions/fully-configurable/version.tf
index e7bdd4f6..c534badb 100644
--- a/solutions/fully-configurable/version.tf
+++ b/solutions/fully-configurable/version.tf
@@ -3,6 +3,10 @@ terraform {
   # Lock DA into an exact provider version - renovate automation will keep it updated
   required_providers {
+    restapi = {
+      source = "Mastercard/restapi"
+      version = "1.20.0"
+    }
     ibm = {
       source = "IBM-Cloud/ibm"
       version = "1.84.3"
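Review bot: `restapi_object.delete_secret` tracks exactly one secret, the id read from `data.restapi_object.secrets["0"]`, whereas the removed `delete_secrets.sh` provisioner received the secret group id and, judging by its name, cleaned out the whole group; if the group ever holds more than one secret the others survive and will block deletion of `module.secret_group`. Because `create_path` embeds `local.secret_id`, any later change in which secret the data source returns first (rotation, an extra secret in the group, or a group not reached within the `limit=1000` page) alters the resource arguments, and if the provider treats that as a replacement the destroy step would DELETE a live secret during a routine apply rather than only at teardown, so either add `lifecycle { ignore_changes = [create_path] }` or document why that cannot happen. The data source's `api_response` and the token from `data.ibm_iam_auth_token.restapi` both land in state; the listing appears to be metadata only, but that should be confirmed and stated. A header comment on the resource explaining the create-as-PATCH-to-metadata / destroy-as-DELETE arrangement is needed, and the stray blank lines inside the two `data` blocks should go. The `module "secret_group"` block at the end of the hunk continues outside it.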
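Review bot: `Content-Type` is not a valid bare object key in HCL — the parser reads it as the expression `Content - Type` and fails with an invalid-reference error — so, unless the quotes were lost in rendering, the key must be written `"Content-Type" = "application/merge-patch+json"`. `debug = true` makes the restapi client print its HTTP exchanges to the Terraform log, which may include the `Authorization` bearer token and the secret listings returned by `/api/v2/secrets`; it should default to off (`debug = false`) or be wired to a variable so it is only enabled deliberately. Because this provider is configured unconditionally, `uri` is still built when the Secrets Manager integration is disabled and `local.base_endpoint` is null (see the `locals` hunk in main.tf). A comment above the block stating that the provider exists only for the secret-deletion workaround, and that the IAM token it carries is short-lived, would help.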