diff --git a/.secrets.baseline b/.secrets.baseline index 02adfa9..3f75079 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2025-10-04T03:55:50Z", + "generated_at": "2025-10-06T08:45:19Z", "plugins_used": [ { "name": "AWSKeyDetector" diff --git a/README.md b/README.md index 57b0089..18b0d9b 100644 --- a/README.md +++ b/README.md @@ -160,21 +160,24 @@ You need the following permissions to run this module. |------|------| | [ibm_resource_instance.cloud_monitoring](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_instance) | resource | | [ibm_resource_key.resource_key](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_key) | resource | +| [ibm_resource_key.resource_keys](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_key) | resource | | [ibm_resource_tag.cloud_monitoring_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource | ### Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [access\_key\_name](#input\_access\_key\_name) | The name to give the default IBM Cloud Monitoring Manager access key. Use `disable_access_key_creation` to disable access key creation. For guidance on access keys, see [here](https://cloud.ibm.com/docs/monitoring?topic=monitoring-access_key). | `string` | `"SysdigManagerKey"` | no | +| [access\_key\_tags](#input\_access\_key\_tags) | Tags associated with the IBM Cloud Monitoring access key. | `list(string)` | `[]` | no | | [access\_tags](#input\_access\_tags) | Access Management Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings). | `list(string)` | `[]` | no | | [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of context-based restrictions rules to create |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no | +| [disable\_access\_key\_creation](#input\_disable\_access\_key\_creation) | When set to true, disables the creation of a default manager access key which is required by agents to ingest metrics. | `bool` | `false` | no | | [enable\_platform\_metrics](#input\_enable\_platform\_metrics) | Receive platform metrics in the provisioned IBM Cloud Monitoring instance. Only 1 instance in a given region can be enabled for platform metrics. | `bool` | `false` | no | | [instance\_name](#input\_instance\_name) | The name of the IBM Cloud Monitoring instance to create. Defaults to 'cloud-monitoring-' | `string` | `null` | no | -| [manager\_key\_name](#input\_manager\_key\_name) | The name to give the IBM Cloud Monitoring manager key. | `string` | `"SysdigManagerKey"` | no | -| [manager\_key\_tags](#input\_manager\_key\_tags) | Tags associated with the IBM Cloud Monitoring manager key. | `list(string)` | `[]` | no | | [plan](#input\_plan) | The IBM Cloud Monitoring plan to provision. Available: lite, graduated-tier and graduated-tier-sysdig-secure-plus-monitor (available in region eu-fr2 only) | `string` | `"lite"` | no | | [region](#input\_region) | The IBM Cloud region where Cloud Monitoring instance will be created. | `string` | `"us-south"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the Cloud Monitoring instance will be created. | `string` | n/a | yes | +| [resource\_keys](#input\_resource\_keys) | A list of maps representing resource keys to create for the IBM Cloud Monitoring instance. Each entry defines a single resource key. Use this list to manage custom keys and handle key rotation. |
list(object({
name = string
key_name = optional(string, null)
generate_hmac_credentials = optional(bool, false) # pragma: allowlist secret
role = optional(string, "Manager")
service_id_crn = optional(string, null)
}))
| `[]` | no | | [resource\_tags](#input\_resource\_tags) | Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings). | `list(string)` | `[]` | no | | [service\_endpoints](#input\_service\_endpoints) | The type of the service endpoint that will be set for the Sisdig instance. | `string` | `"public-and-private"` | no | @@ -182,15 +185,16 @@ You need the following permissions to run this module. | Name | Description | |------|-------------| -| [access\_key](#output\_access\_key) | The cloud monitoring access key for agents to use | +| [access\_key](#output\_access\_key) | The Cloud Monitoring access key for agents to use | +| [access\_key\_name](#output\_access\_key\_name) | The Cloud Monitoring access key name | | [account\_id](#output\_account\_id) | The account id where cloud monitoring instance is provisioned. | | [crn](#output\_crn) | The id of the provisioned cloud monitoring instance. | | [guid](#output\_guid) | The guid of the provisioned cloud monitoring instance. | | [ingestion\_endpoint\_private](#output\_ingestion\_endpoint\_private) | The Cloud Monitoring private ingestion endpoint. | | [ingestion\_endpoint\_public](#output\_ingestion\_endpoint\_public) | The Cloud Monitoring public ingestion endpoint. | -| [manager\_key\_name](#output\_manager\_key\_name) | The cloud monitoring manager key name | | [name](#output\_name) | The name of the provisioned cloud monitoring instance. | | [resource\_group\_id](#output\_resource\_group\_id) | The resource group where cloud monitoring monitor instance resides | +| [resource\_keys](#output\_resource\_keys) | A list of maps representing resource keys created for the IBM Cloud Monitoring instance. | diff --git a/examples/advanced/outputs.tf b/examples/advanced/outputs.tf index acde659..4f71ce3 100644 --- a/examples/advanced/outputs.tf +++ b/examples/advanced/outputs.tf 
@@ -9,33 +9,39 @@ output "cloud_monitoring_crn" { value = module.cloud_monitoring.crn - description = "The CRN of the provisioned IBM cloud monitoring instance." + description = "The CRN of the provisioned IBM Cloud Monitoring instance." } output "cloud_monitoring_guid" { value = module.cloud_monitoring.guid - description = "The GUID of the provisioned IBM cloud monitoring instance." + description = "The GUID of the provisioned IBM Cloud Monitoring instance." } output "cloud_monitoring_name" { value = module.cloud_monitoring.name - description = "The name of the provisioned IBM cloud monitoring instance." + description = "The name of the provisioned IBM Cloud Monitoring instance." } output "resource_group_id" { value = module.resource_group.resource_group_id - description = "The resource group where cloud monitoring monitor instance resides." + description = "The resource group where Cloud Monitoring monitor instance resides." } output "access_key" { value = module.cloud_monitoring.access_key - description = "The cloud monitoring access key for agents to use." + description = "The Cloud Monitoring access key for agents to use." sensitive = true } -output "manager_key_name" { - value = module.cloud_monitoring.manager_key_name - description = "The cloud monitoring manager key name." +output "access_key_name" { + value = module.cloud_monitoring.access_key_name + description = "The Cloud Monitoring access key name." +} + +output "cloud_monitoring_resource_keys" { + value = module.cloud_monitoring.resource_keys + description = "A list of maps containing resource keys created for the Cloud Monitoring instance." + sensitive = true } output "metrics_router_routes" { diff --git a/examples/basic/outputs.tf b/examples/basic/outputs.tf index 6a88655..6f262ee 100644 --- a/examples/basic/outputs.tf +++ b/examples/basic/outputs.tf 
@@ -4,17 +4,29 @@ output "cloud_monitoring_crn" { value = module.cloud_monitoring.crn - description = "The CRN of the provisioned IBM cloud monitoring instance." + description = "The CRN of the provisioned IBM Cloud Monitoring instance." } output "cloud_monitoring_name" { value = module.cloud_monitoring.name - description = "The name of the provisioned IBM cloud monitoring instance." + description = "The name of the provisioned IBM Cloud Monitoring instance." } output "resource_group_id" { value = module.resource_group.resource_group_id - description = "The resource group where cloud monitoring monitor instance resides." + description = "The resource group where Cloud Monitoring monitor instance resides." +} + +output "cloud_monitoring_resource_keys" { + value = module.cloud_monitoring.resource_keys + description = "A list of maps containing resource keys created for the Cloud Monitoring instance." + sensitive = true +} + +output "cloud_monitoring_access_key" { + value = module.cloud_monitoring.access_key + description = "The Cloud Monitoring access key for agents to use." + sensitive = true } output "ingestion_endpoint_private" { diff --git a/ibm_catalog.json b/ibm_catalog.json index c744174..77e411b 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -185,6 +185,18 @@ } } }, + { + "key": "cloud_monitoring_resource_keys", + "type": "array", + "custom_config": { + "type": "code_editor", + "grouping": "deployment", + "original_grouping": "deployment" + } + }, + { + "key": "disable_access_key_creation" + }, { "key": "enable_platform_metrics", "required": true diff --git a/main.tf b/main.tf index b5b07c1..ebe74f8 100644 --- a/main.tf +++ b/main.tf 
@@ -31,11 +31,31 @@ resource "ibm_resource_tag" "cloud_monitoring_tag" {
   tag_type = "access"
 }
 
+###############################################################################
+# Resource Key (Default Manager Key)
+###############################################################################
+
 resource "ibm_resource_key" "resource_key" {
-  name = var.manager_key_name
+  count = var.disable_access_key_creation ? 0 : 1
+  name = var.access_key_name
   resource_instance_id = ibm_resource_instance.cloud_monitoring.id
   role = "Manager"
-  tags = var.manager_key_tags
+  tags = var.access_key_tags
+}
+
+###############################################################################
+# Resource Keys
+###############################################################################
+
+resource "ibm_resource_key" "resource_keys" {
+  for_each = { for key in var.resource_keys : key.name => key }
+  name = each.value.key_name == null ? each.key : each.value.key_name
+  resource_instance_id = ibm_resource_instance.cloud_monitoring.id
+  role = each.value.role
+  parameters = {
+    "serviceid_crn" = each.value.service_id_crn
+    "HMAC" = each.value.generate_hmac_credentials
+  }
 }
 
 ########################################################################
diff --git a/outputs.tf b/outputs.tf
index f7ed581..7bebf82 100644
--- a/outputs.tf
+++ b/outputs.tf
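Review bot: `for_each = { for key in var.resource_keys : key.name => key }` turns two entries with the same `name` into a generic duplicate-object-key error at plan time; a `validation` block on `var.resource_keys` with `condition = length(distinct([for k in var.resource_keys : k.name])) == length(var.resource_keys)` would report it on the input instead, and the DA-types.md example added in this commit uses `icm-resource-key` for both of its entries, so it would hit exactly this. The `parameters` map also always carries `"serviceid_crn"`, as a null value whenever `service_id_crn` is not set; worth confirming the provider tolerates a null map element here, otherwise add that key conditionally with `merge(...)`. Because every key gets `role = each.value.role` and the variable defaults that to `"Manager"`, a short comment above the resource reminding callers to set `role` explicitly for least privilege would help reviewers of downstream configurations.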
@@ -23,15 +23,22 @@ output "resource_group_id" { description = "The resource group where cloud monitoring monitor instance resides" } -output "access_key" { - value = ibm_resource_key.resource_key.credentials["Sysdig Access Key"] - description = "The cloud monitoring access key for agents to use" +output "resource_keys" { + description = "A list of maps representing resource keys created for the IBM Cloud Monitoring instance." + value = ibm_resource_key.resource_keys sensitive = true } -output "manager_key_name" { - value = ibm_resource_key.resource_key.name - description = "The cloud monitoring manager key name" +output "access_key_name" { + value = !var.disable_access_key_creation ? ibm_resource_key.resource_key[0].name : null + description = "The Cloud Monitoring access key name" +} + +# https://cloud.ibm.com/docs/monitoring?topic=monitoring-access_key +output "access_key" { + value = !var.disable_access_key_creation ? ibm_resource_key.resource_key[0].credentials["Sysdig Access Key"] : null + description = "The Cloud Monitoring access key for agents to use" + sensitive = true } # https://cloud.ibm.com/docs/monitoring?topic=monitoring-endpoints#endpoints_ingestion diff --git a/solutions/fully-configurable/DA-types.md b/solutions/fully-configurable/DA-types.md index b2a060e..ea0216d 100644 --- a/solutions/fully-configurable/DA-types.md +++ b/solutions/fully-configurable/DA-types.md @@ -4,6 +4,7 @@ Several optional input variables in the IBM Cloud [Cloud Monitoring instances de * [IBM Cloud Metrics Router Routes](#metrics_router_routes) (`metrics_router_routes`) * [Context Based Restrictions Rules](#cbr_rules) (`cbr_rules`) +* [Cloud Monitoring Resource Keys](#cloud_monitoring_resource_keys) (`cloud_monitoring_resource_keys`) ## Metrics Router Routes 
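Review bot: The `resource_keys` output's description says "A list of maps", but `ibm_resource_key.resource_keys` is created with `for_each` in main.tf, so the value is a map keyed by each entry's `name`, and it carries the full resource objects including their `credentials` attribute. `sensitive = true` hides it in CLI output, yet any root module that reads this output receives the secret material into its own state and outputs, so either narrow the value to the non-secret attributes (name, crn, guid) and expose credentials through a separate sensitive output, or state it plainly: `description = "A map, keyed by name, of the resource keys created for the IBM Cloud Monitoring instance, including their credentials (sensitive)."`. The same "list of maps" wording is repeated for this output in the README, the examples and the solutions outputs in this commit.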
@@ -105,3 +106,45 @@ The `cbr_rules` input variable allows you to provide a rule for the target servi } ] ``` + +## Cloud Monitoring Resource Keys + +The `cloud_monitoring_resource_keys` input variable allows you to provide a list of resource key to create that will be configured in the IBM Cloud Monitoring instance. In the configuration, specify the name of the resource key, whether HMAC credentials should be included, the Role of the key and an optional Service ID CRN to create with a Service ID. Refer [here](https://cloud.ibm.com/docs/monitoring?topic=monitoring-access_key) for more information. + +* Variable name: `cloud_monitoring_resource_keys`. +* Type: A list of objects that represent a resource key +* Default value: + + ``` + { + name = "SysdigManagerKey" + generate_hmac_credentials = false + role = "Manager" + service_id_crn = null + } + ``` + +### Options for cloud_monitoring_resource_keys + +* `name` (required): A unique human-readable name that identifies this resource key. +* `generate_hmac_credentials` (optional, default = `false`): Set to true to include HMAC keys in the resource key. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key#example-to-create-by-using-hmac). +* `role` (optional, default = `Reader`): The name of the user role. +* `service_id_crn` (optional, default = `null`): Pass a Service ID CRN to create credentials for a resource with a Service ID. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key#example-to-create-by-using-serviceid). + +### Example route for Cloud Monitoring Resource Keys + +The following example includes all the configuration options for two resource keys. One is a HMAC key with a `Reader` role, the other with an IAM key with `Manager` role. + +```hcl +[ + { + "name": "icm-resource-key", + "generate_hmac_credentials": true, + "role": "Reader", + }, + { + "name": "icm-resource-key", + "role": "Manager" + } +] +``` 
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index b412692..04f9d8e 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -44,17 +44,19 @@ locals { } module "cloud_monitoring" { - count = local.create_cloud_monitoring ? 1 : 0 - source = "../.." - resource_group_id = module.resource_group.resource_group_id - region = var.region - instance_name = local.cloud_monitoring_instance_name - plan = var.cloud_monitoring_plan - resource_tags = var.cloud_monitoring_resource_tags - access_tags = var.cloud_monitoring_access_tags - service_endpoints = "public-and-private" - enable_platform_metrics = var.enable_platform_metrics - cbr_rules = var.cbr_rules + count = local.create_cloud_monitoring ? 1 : 0 + source = "../.." + resource_group_id = module.resource_group.resource_group_id + region = var.region + instance_name = local.cloud_monitoring_instance_name + plan = var.cloud_monitoring_plan + resource_tags = var.cloud_monitoring_resource_tags + access_tags = var.cloud_monitoring_access_tags + resource_keys = var.cloud_monitoring_resource_keys + disable_access_key_creation = var.disable_access_key_creation + service_endpoints = "public-and-private" + enable_platform_metrics = var.enable_platform_metrics + cbr_rules = var.cbr_rules } module "metrics_routing" { diff --git a/solutions/fully-configurable/outputs.tf b/solutions/fully-configurable/outputs.tf index db54849..f3f68af 100644 --- a/solutions/fully-configurable/outputs.tf +++ b/solutions/fully-configurable/outputs.tf 
@@ -15,27 +15,38 @@ output "resource_group_id" { output "cloud_monitoring_crn" { value = local.cloud_monitoring_crn - description = "The id of the provisioned IBM cloud monitoring instance." + description = "The id of the provisioned IBM Cloud Monitoring instance." } output "cloud_monitoring_name" { value = local.create_cloud_monitoring ? module.cloud_monitoring[0].name : null - description = "The name of the provisioned IBM cloud monitoring instance." + description = "The name of the provisioned IBM Cloud Monitoring instance." } output "cloud_monitoring_guid" { value = local.create_cloud_monitoring ? module.cloud_monitoring[0].guid : module.existing_cloud_monitoring_crn_parser[0].service_instance - description = "The guid of the provisioned IBM cloud monitoring instance." + description = "The guid of the provisioned IBM Cloud Monitoring instance." +} + +output "cloud_monitoring_access_key_name" { + value = local.create_cloud_monitoring ? module.cloud_monitoring[0].access_key_name : null + description = "The name of the IBM Cloud Monitoring access key for agents to use" } output "cloud_monitoring_access_key" { value = local.create_cloud_monitoring ? module.cloud_monitoring[0].access_key : null - description = "IBM cloud monitoring access key for agents to use" + description = "The IBM Cloud Monitoring access key for agents to use" + sensitive = true +} + +output "cloud_monitoring_resource_keys" { + value = local.create_cloud_monitoring ? module.cloud_monitoring[0].resource_keys : null + description = "A list of maps representing resource keys created for the IBM Cloud Monitoring instance." sensitive = true } output "account_id" { value = local.create_cloud_monitoring ? module.cloud_monitoring[0].account_id : module.existing_cloud_monitoring_crn_parser[0].account_id - description = "The account id where cloud monitoring instance is provisioned." + description = "The account id where Cloud Monitoring instance is provisioned." 
} # https://cloud.ibm.com/docs/monitoring?topic=monitoring-endpoints#endpoints_ingestion diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 5ab511a..8974a89 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -77,6 +77,23 @@ variable "cloud_monitoring_access_tags" { default = [] } +variable "disable_access_key_creation" { + type = bool + description = "When set to true, disables the creation of a default manager access key which is required by agents to ingest metrics." + default = false +} + +variable "cloud_monitoring_resource_keys" { + description = "A list of maps representing resource keys to create for the IBM Cloud Monitoring instance. Each entry defines a single resource key. Use this list to manage custom keys and handle key rotation." + type = list(object({ + name = string + generate_hmac_credentials = optional(bool, false) # pragma: allowlist secret + role = optional(string, "Manager") + service_id_crn = optional(string, null) + })) + default = [] +} + variable "cloud_monitoring_plan" { type = string description = "The IBM Cloud Monitoring plan to provision. Available values are `lite` and `graduated-tier` and graduated-tier-sysdig-secure-plus-monitor (available in region eu-fr2 only)." diff --git a/variables.tf b/variables.tf index 07aeed2..1be58ea 100644 --- a/variables.tf +++ b/variables.tf 
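Review bot: `cloud_monitoring_resource_keys` has no `validation` on `role`, while the root module's `resource_keys` variable in this commit rejects anything outside its allowed list, so an invalid role is only reported when the nested module is evaluated and with the child module's message. Mirroring the root validation block here (the same `contains([...], key.role)` condition over `var.cloud_monitoring_resource_keys`) keeps the deployable architecture's error on the variable the user actually set. The object type also omits `key_name`, which the root module accepts; that works because it is optional there, but a one-line comment saying the omission is deliberate would stop someone from "fixing" it later.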
@@ -31,18 +31,50 @@ variable "plan" { } } -variable "manager_key_name" { +variable "disable_access_key_creation" { + type = bool + description = "When set to true, disables the creation of a default manager access key which is required by agents to ingest metrics." + default = false +} + +variable "access_key_name" { type = string - description = "The name to give the IBM Cloud Monitoring manager key." + description = "The name to give the default IBM Cloud Monitoring Manager access key. Use `disable_access_key_creation` to disable access key creation. For guidance on access keys, see [here](https://cloud.ibm.com/docs/monitoring?topic=monitoring-access_key)." default = "SysdigManagerKey" } -variable "manager_key_tags" { +variable "access_key_tags" { type = list(string) - description = "Tags associated with the IBM Cloud Monitoring manager key." + description = "Tags associated with the IBM Cloud Monitoring access key." default = [] } +# 'name' is the terraform static reference to the object in the list +# 'key_name' is the IBM Cloud resource key name +# name MUST not be dynamic, so that it is known at plan time +# if key_name is not specified, name will be used for the key_name +# key_name can be a dynamic reference created during apply +variable "resource_keys" { + description = "A list of maps representing resource keys to create for the IBM Cloud Monitoring instance. Each entry defines a single resource key. Use this list to manage custom keys and handle key rotation." + type = list(object({ + name = string + key_name = optional(string, null) + generate_hmac_credentials = optional(bool, false) # pragma: allowlist secret + role = optional(string, "Manager") + service_id_crn = optional(string, null) + })) + default = [] + validation { + # 
From: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key + # Service roles (for Cloud Monitoring) https://cloud.ibm.com/iam/roles + # Reader, Writer, Manager, Supertenant Metrics Publisher, NONE + condition = alltrue([ + for key in var.resource_keys : contains(["Writer", "Reader", "Manager", "Supertenant Metrics Publisher", "NONE"], key.role) + ]) + error_message = "resource_keys role must be one of 'Writer', 'Reader', 'Manager', 'Supertenant Metrics Publisher', 'NONE', reference https://cloud.ibm.com/iam/roles and `Cloud Monitoring`" + } +} + variable "resource_tags" { type = list(string) description = "Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings)."
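Review bot: `role = optional(string, "Manager")` disagrees with the DA-types.md added in this commit, which documents the `role` default as `Reader` and shows a single-object "Default value" while the variable default here is `[]`; one side needs to change. Since Manager is the most privileged of the listed service roles and is applied whenever a caller omits `role`, the description should also say so, e.g. append `Each key defaults to the Manager role; set role explicitly for least privilege.`. The `resource_keys` variable block starts on the previous line of this rendering and the `# From:` comment in its validation block appears split across two lines, presumably a display artefact rather than the file's content.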