feat: Module updates:<br>- added the ability to create multiple resource keys using new input resource_keys.<br>- The following module variables have been renamed:<br> - manager_key_name -> access_key_name<br> - manager_key_tags -> access_key_tags<br>The following module outputs have been renamed:<br> - manager_key_name -> access_key_name<br>- A new boolean disable_access_key_creation has been added to disable access key creation.<br><br>DA updates:<br>- Added the ability to create multiple resource keys using new input cloud_monitoring_resource_keys.<br>- A new boolean disable_access_key_creation has been added to disable access key creation. (#90)

iamar7 · web-flow · commit 7c7df6105cf2 · 2025-10-24T12:41:36.000+01:00
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-10-04T03:55:50Z",
+  "generated_at": "2025-10-06T08:45:19Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
diff --git a/README.md b/README.md
@@ -160,37 +160,41 @@ You need the following permissions to run this module.
 |------|------|
 | [ibm_resource_instance.cloud_monitoring](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_instance) | resource |
 | [ibm_resource_key.resource_key](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_key) | resource |
+| [ibm_resource_key.resource_keys](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_key) | resource |
 | [ibm_resource_tag.cloud_monitoring_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_access_key_name"></a> [access\_key\_name](#input\_access\_key\_name) | The name to give the default IBM Cloud Monitoring Manager access key. Use `disable_access_key_creation` to disable access key creation. For guidance on access keys, see [here](https://cloud.ibm.com/docs/monitoring?topic=monitoring-access_key). | `string` | `"SysdigManagerKey"` | no |
+| <a name="input_access_key_tags"></a> [access\_key\_tags](#input\_access\_key\_tags) | Tags associated with the IBM Cloud Monitoring access key. | `list(string)` | `[]` | no |
 | <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | Access Management Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings). | `list(string)` | `[]` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of context-based restrictions rules to create | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
+| <a name="input_disable_access_key_creation"></a> [disable\_access\_key\_creation](#input\_disable\_access\_key\_creation) | When set to true, disables the creation of a default manager access key which is required by agents to ingest metrics. | `bool` | `false` | no |
 | <a name="input_enable_platform_metrics"></a> [enable\_platform\_metrics](#input\_enable\_platform\_metrics) | Receive platform metrics in the provisioned IBM Cloud Monitoring instance. Only 1 instance in a given region can be enabled for platform metrics. | `bool` | `false` | no |
 | <a name="input_instance_name"></a> [instance\_name](#input\_instance\_name) | The name of the IBM Cloud Monitoring instance to create. Defaults to 'cloud-monitoring-<region>' | `string` | `null` | no |
-| <a name="input_manager_key_name"></a> [manager\_key\_name](#input\_manager\_key\_name) | The name to give the IBM Cloud Monitoring manager key. | `string` | `"SysdigManagerKey"` | no |
-| <a name="input_manager_key_tags"></a> [manager\_key\_tags](#input\_manager\_key\_tags) | Tags associated with the IBM Cloud Monitoring manager key. | `list(string)` | `[]` | no |
 | <a name="input_plan"></a> [plan](#input\_plan) | The IBM Cloud Monitoring plan to provision. Available: lite, graduated-tier and graduated-tier-sysdig-secure-plus-monitor (available in region eu-fr2 only) | `string` | `"lite"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The IBM Cloud region where Cloud Monitoring instance will be created. | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the Cloud Monitoring instance will be created. | `string` | n/a | yes |
+| <a name="input_resource_keys"></a> [resource\_keys](#input\_resource\_keys) | A list of maps representing resource keys to create for the IBM Cloud Monitoring instance. Each entry defines a single resource key. Use this list to manage custom keys and handle key rotation. | <pre>list(object({<br/>    name                      = string<br/>    key_name                  = optional(string, null)<br/>    generate_hmac_credentials = optional(bool, false) # pragma: allowlist secret<br/>    role                      = optional(string, "Manager")<br/>    service_id_crn            = optional(string, null)<br/>  }))</pre> | `[]` | no |
 | <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings). | `list(string)` | `[]` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The type of the service endpoint that will be set for the Sisdig instance. | `string` | `"public-and-private"` | no |
 
 ### Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_access_key"></a> [access\_key](#output\_access\_key) | The cloud monitoring access key for agents to use |
+| <a name="output_access_key"></a> [access\_key](#output\_access\_key) | The Cloud Monitoring access key for agents to use |
+| <a name="output_access_key_name"></a> [access\_key\_name](#output\_access\_key\_name) | The Cloud Monitoring access key name |
 | <a name="output_account_id"></a> [account\_id](#output\_account\_id) | The account id where cloud monitoring instance is provisioned. |
 | <a name="output_crn"></a> [crn](#output\_crn) | The id of the provisioned cloud monitoring instance. |
 | <a name="output_guid"></a> [guid](#output\_guid) | The guid of the provisioned cloud monitoring instance. |
 | <a name="output_ingestion_endpoint_private"></a> [ingestion\_endpoint\_private](#output\_ingestion\_endpoint\_private) | The Cloud Monitoring private ingestion endpoint. |
 | <a name="output_ingestion_endpoint_public"></a> [ingestion\_endpoint\_public](#output\_ingestion\_endpoint\_public) | The Cloud Monitoring public ingestion endpoint. |
-| <a name="output_manager_key_name"></a> [manager\_key\_name](#output\_manager\_key\_name) | The cloud monitoring manager key name |
 | <a name="output_name"></a> [name](#output\_name) | The name of the provisioned cloud monitoring instance. |
 | <a name="output_resource_group_id"></a> [resource\_group\_id](#output\_resource\_group\_id) | The resource group where cloud monitoring monitor instance resides |
+| <a name="output_resource_keys"></a> [resource\_keys](#output\_resource\_keys) | A list of maps representing resource keys created for the IBM Cloud Monitoring instance. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 <!-- Leave this section as is so that your module has a link to local development environment set-up steps for contributors to follow -->
diff --git a/examples/advanced/outputs.tf b/examples/advanced/outputs.tf
@@ -9,33 +9,39 @@
 
 output "cloud_monitoring_crn" {
   value       = module.cloud_monitoring.crn
-  description = "The CRN of the provisioned IBM cloud monitoring instance."
+  description = "The CRN of the provisioned IBM Cloud Monitoring instance."
 }
 
 output "cloud_monitoring_guid" {
   value       = module.cloud_monitoring.guid
-  description = "The GUID of the provisioned IBM cloud monitoring instance."
+  description = "The GUID of the provisioned IBM Cloud Monitoring instance."
 }
 
 output "cloud_monitoring_name" {
   value       = module.cloud_monitoring.name
-  description = "The name of the provisioned IBM cloud monitoring instance."
+  description = "The name of the provisioned IBM Cloud Monitoring instance."
 }
 
 output "resource_group_id" {
   value       = module.resource_group.resource_group_id
-  description = "The resource group where cloud monitoring monitor instance resides."
+  description = "The resource group where Cloud Monitoring monitor instance resides."
 }
 
 output "access_key" {
   value       = module.cloud_monitoring.access_key
-  description = "The cloud monitoring access key for agents to use."
+  description = "The Cloud Monitoring access key for agents to use."
   sensitive   = true
 }
 
-output "manager_key_name" {
-  value       = module.cloud_monitoring.manager_key_name
-  description = "The cloud monitoring manager key name."
+output "access_key_name" {
+  value       = module.cloud_monitoring.access_key_name
+  description = "The Cloud Monitoring access key name."
+}
+
+output "cloud_monitoring_resource_keys" {
+  value       = module.cloud_monitoring.resource_keys
+  description = "A list of maps containing resource keys created for the Cloud Monitoring instance."
+  sensitive   = true
 }
 
 output "metrics_router_routes" {
diff --git a/examples/basic/outputs.tf b/examples/basic/outputs.tf
@@ -4,17 +4,29 @@
 
 output "cloud_monitoring_crn" {
   value       = module.cloud_monitoring.crn
-  description = "The CRN of the provisioned IBM cloud monitoring instance."
+  description = "The CRN of the provisioned IBM Cloud Monitoring instance."
 }
 
 output "cloud_monitoring_name" {
   value       = module.cloud_monitoring.name
-  description = "The name of the provisioned IBM cloud monitoring instance."
+  description = "The name of the provisioned IBM Cloud Monitoring instance."
 }
 
 output "resource_group_id" {
   value       = module.resource_group.resource_group_id
-  description = "The resource group where cloud monitoring monitor instance resides."
+  description = "The resource group where Cloud Monitoring monitor instance resides."
+}
+
+output "cloud_monitoring_resource_keys" {
+  value       = module.cloud_monitoring.resource_keys
+  description = "A list of maps containing resource keys created for the Cloud Monitoring instance."
+  sensitive   = true
+}
+
+output "cloud_monitoring_access_key" {
+  value       = module.cloud_monitoring.access_key
+  description = "The Cloud Monitoring access key for agents to use."
+  sensitive   = true
 }
 
 output "ingestion_endpoint_private" {
diff --git a/ibm_catalog.json b/ibm_catalog.json
@@ -185,6 +185,18 @@
                 }
               }
             },
+            {
+              "key": "cloud_monitoring_resource_keys",
+              "type": "array",
+              "custom_config": {
+                "type": "code_editor",
+                "grouping": "deployment",
+                "original_grouping": "deployment"
+              }
+            },
+            {
+              "key": "disable_access_key_creation"
+            },
             {
               "key": "enable_platform_metrics",
               "required": true
diff --git a/main.tf b/main.tf
@@ -31,11 +31,31 @@ resource "ibm_resource_tag" "cloud_monitoring_tag" {
   tag_type    = "access"
 }
 
+###############################################################################
+# Resource Key (Default Manager Key)
+###############################################################################
+
 resource "ibm_resource_key" "resource_key" {
-  name                 = var.manager_key_name
+  count                = var.disable_access_key_creation ? 0 : 1
+  name                 = var.access_key_name
   resource_instance_id = ibm_resource_instance.cloud_monitoring.id
   role                 = "Manager"
-  tags                 = var.manager_key_tags
+  tags                 = var.access_key_tags
+}
+
+###############################################################################
+# Resource Keys
+###############################################################################
+
+resource "ibm_resource_key" "resource_keys" {
+  for_each             = { for key in var.resource_keys : key.name => key }
+  name                 = each.value.key_name == null ? each.key : each.value.key_name
+  resource_instance_id = ibm_resource_instance.cloud_monitoring.id
+  role                 = each.value.role
+  parameters = {
+    "serviceid_crn" = each.value.service_id_crn
+    "HMAC"          = each.value.generate_hmac_credentials
+  }
 }
 
 ########################################################################
diff --git a/outputs.tf b/outputs.tf
@@ -23,15 +23,22 @@ output "resource_group_id" {
   description = "The resource group where cloud monitoring monitor instance resides"
 }
 
-output "access_key" {
-  value       = ibm_resource_key.resource_key.credentials["Sysdig Access Key"]
-  description = "The cloud monitoring access key for agents to use"
+output "resource_keys" {
+  description = "A list of maps representing resource keys created for the IBM Cloud Monitoring instance."
+  value       = ibm_resource_key.resource_keys
   sensitive   = true
 }
 
-output "manager_key_name" {
-  value       = ibm_resource_key.resource_key.name
-  description = "The cloud monitoring manager key name"
+output "access_key_name" {
+  value       = !var.disable_access_key_creation ? ibm_resource_key.resource_key[0].name : null
+  description = "The Cloud Monitoring access key name"
+}
+
+# https://cloud.ibm.com/docs/monitoring?topic=monitoring-access_key
+output "access_key" {
+  value       = !var.disable_access_key_creation ? ibm_resource_key.resource_key[0].credentials["Sysdig Access Key"] : null
+  description = "The Cloud Monitoring access key for agents to use"
+  sensitive   = true
 }
 
 # https://cloud.ibm.com/docs/monitoring?topic=monitoring-endpoints#endpoints_ingestion
diff --git a/solutions/fully-configurable/DA-types.md b/solutions/fully-configurable/DA-types.md
@@ -4,6 +4,7 @@ Several optional input variables in the IBM Cloud [Cloud Monitoring instances de
 
 * [IBM Cloud Metrics Router Routes](#metrics_router_routes) (`metrics_router_routes`)
 * [Context Based Restrictions Rules](#cbr_rules) (`cbr_rules`)
+* [Cloud Monitoring Resource Keys](#cloud_monitoring_resource_keys) (`cloud_monitoring_resource_keys`)
 
 ## Metrics Router Routes <a name="metrics_router_routes"></a>
 
@@ -105,3 +106,45 @@ The `cbr_rules` input variable allows you to provide a rule for the target servi
   }
 ]
 ```
+
+## Cloud Monitoring Resource Keys <a name="cloud_monitoring_resource_keys"></a>
+
+The `cloud_monitoring_resource_keys` input variable allows you to provide a list of resource key to create that will be configured in the IBM Cloud Monitoring instance. In the configuration, specify the name of the resource key, whether HMAC credentials should be included, the Role of the key and an optional Service ID CRN to create with a Service ID. Refer [here](https://cloud.ibm.com/docs/monitoring?topic=monitoring-access_key) for more information.
+
+* Variable name: `cloud_monitoring_resource_keys`.
+* Type: A list of objects that represent a resource key
+* Default value:
+
+  ```
+    {
+      name                      = "SysdigManagerKey"
+      generate_hmac_credentials = false
+      role                      = "Manager"
+      service_id_crn            = null
+    }
+  ```
+
+### Options for cloud_monitoring_resource_keys
+
+* `name` (required): A unique human-readable name that identifies this resource key.
+* `generate_hmac_credentials` (optional, default = `false`): Set to true to include HMAC keys in the resource key. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key#example-to-create-by-using-hmac).
+* `role` (optional, default = `Reader`): The name of the user role.
+* `service_id_crn` (optional, default = `null`): Pass a Service ID CRN to create credentials for a resource with a Service ID. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key#example-to-create-by-using-serviceid).
+
+### Example route for Cloud Monitoring Resource Keys
+
+The following example includes all the configuration options for two resource keys. One is a HMAC key with a `Reader` role, the other with an IAM key with `Manager` role.
+
+```hcl
+[
+  {
+    "name": "icm-resource-key",
+    "generate_hmac_credentials": true,
+    "role": "Reader",
+  },
+  {
+    "name": "icm-resource-key",
+    "role": "Manager"
+  }
+]
+```
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
@@ -44,17 +44,19 @@ locals {
 }
 
 module "cloud_monitoring" {
-  count                   = local.create_cloud_monitoring ? 1 : 0
-  source                  = "../.."
-  resource_group_id       = module.resource_group.resource_group_id
-  region                  = var.region
-  instance_name           = local.cloud_monitoring_instance_name
-  plan                    = var.cloud_monitoring_plan
-  resource_tags           = var.cloud_monitoring_resource_tags
-  access_tags             = var.cloud_monitoring_access_tags
-  service_endpoints       = "public-and-private"
-  enable_platform_metrics = var.enable_platform_metrics
-  cbr_rules               = var.cbr_rules
+  count                       = local.create_cloud_monitoring ? 1 : 0
+  source                      = "../.."
+  resource_group_id           = module.resource_group.resource_group_id
+  region                      = var.region
+  instance_name               = local.cloud_monitoring_instance_name
+  plan                        = var.cloud_monitoring_plan
+  resource_tags               = var.cloud_monitoring_resource_tags
+  access_tags                 = var.cloud_monitoring_access_tags
+  resource_keys               = var.cloud_monitoring_resource_keys
+  disable_access_key_creation = var.disable_access_key_creation
+  service_endpoints           = "public-and-private"
+  enable_platform_metrics     = var.enable_platform_metrics
+  cbr_rules                   = var.cbr_rules
 }
 
 module "metrics_routing" {
diff --git a/solutions/fully-configurable/outputs.tf b/solutions/fully-configurable/outputs.tf
@@ -15,27 +15,38 @@ output "resource_group_id" {
 
 output "cloud_monitoring_crn" {
   value       = local.cloud_monitoring_crn
-  description = "The id of the provisioned IBM cloud monitoring instance."
+  description = "The id of the provisioned IBM Cloud Monitoring instance."
 }
 output "cloud_monitoring_name" {
   value       = local.create_cloud_monitoring ? module.cloud_monitoring[0].name : null
-  description = "The name of the provisioned IBM cloud monitoring instance."
+  description = "The name of the provisioned IBM Cloud Monitoring instance."
 }
 
 output "cloud_monitoring_guid" {
   value       = local.create_cloud_monitoring ? module.cloud_monitoring[0].guid : module.existing_cloud_monitoring_crn_parser[0].service_instance
-  description = "The guid of the provisioned IBM cloud monitoring instance."
+  description = "The guid of the provisioned IBM Cloud Monitoring instance."
+}
+
+output "cloud_monitoring_access_key_name" {
+  value       = local.create_cloud_monitoring ? module.cloud_monitoring[0].access_key_name : null
+  description = "The name of the IBM Cloud Monitoring access key for agents to use"
 }
 
 output "cloud_monitoring_access_key" {
   value       = local.create_cloud_monitoring ? module.cloud_monitoring[0].access_key : null
-  description = "IBM cloud monitoring access key for agents to use"
+  description = "The IBM Cloud Monitoring access key for agents to use"
+  sensitive   = true
+}
+
+output "cloud_monitoring_resource_keys" {
+  value       = local.create_cloud_monitoring ? module.cloud_monitoring[0].resource_keys : null
+  description = "A list of maps representing resource keys created for the IBM Cloud Monitoring instance."
   sensitive   = true
 }
 
 output "account_id" {
   value       = local.create_cloud_monitoring ? module.cloud_monitoring[0].account_id : module.existing_cloud_monitoring_crn_parser[0].account_id
-  description = "The account id where cloud monitoring instance is provisioned."
+  description = "The account id where Cloud Monitoring instance is provisioned."
 }
 
 # https://cloud.ibm.com/docs/monitoring?topic=monitoring-endpoints#endpoints_ingestion
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
diff --git a/variables.tf b/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`"files": "go.sum\|^.secrets.baseline$",`
`4`	`4`	`"lines": null`
`5`	`5`	`},`
`6`		`- "generated_at": "2025-10-04T03:55:50Z",`
	`6`	`+ "generated_at": "2025-10-06T08:45:19Z",`
`7`	`7`	`"plugins_used": [`
`8`	`8`	`{`
`9`	`9`	`"name": "AWSKeyDetector"`
Original file line number	Diff line number	Diff line change
`@@ -185,6 +185,18 @@`
`185`	`185`	`}`
`186`	`186`	`}`
`187`	`187`	`},`
	`188`	`+ {`
	`189`	`+ "key": "cloud_monitoring_resource_keys",`
	`190`	`+ "type": "array",`
	`191`	`+ "custom_config": {`
	`192`	`+ "type": "code_editor",`
	`193`	`+ "grouping": "deployment",`
	`194`	`+ "original_grouping": "deployment"`
	`195`	`+ }`
	`196`	`+ },`
	`197`	`+ {`
	`198`	`+ "key": "disable_access_key_creation"`
	`199`	`+ },`
`188`	`200`	`{`
`189`	`201`	`"key": "enable_platform_metrics",`
`190`	`202`	`"required": true`