terraform-ibm-modules · ocofaigh · Oct 24, 2025 · Sep 16, 2025 · Sep 16, 2025 · Sep 16, 2025
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-10-04T03:55:50Z",
+  "generated_at": "2025-10-06T08:45:19Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

@@ -160,37 +160,40 @@ You need the following permissions to run this module.
 |------|------|
 | [ibm_resource_instance.cloud_monitoring](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_instance) | resource |
 | [ibm_resource_key.resource_key](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_key) | resource |
+| [ibm_resource_key.resource_keys](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_key) | resource |
 | [ibm_resource_tag.cloud_monitoring_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_access_key_name"></a> [access\_key\_name](#input\_access\_key\_name) | The name to give the default IBM Cloud Monitoring Manager access key. Use `disable_access_key_creation` to disable access key creation. For guidance on access keys, see [here](https://cloud.ibm.com/docs/monitoring?topic=monitoring-access_key). | `string` | `"SysdigManagerKey"` | no |
+| <a name="input_access_key_tags"></a> [access\_key\_tags](#input\_access\_key\_tags) | Tags associated with the IBM Cloud Monitoring access key. | `list(string)` | `[]` | no |
 | <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | Access Management Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings). | `list(string)` | `[]` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of context-based restrictions rules to create | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
+| <a name="input_disable_access_key_creation"></a> [disable\_access\_key\_creation](#input\_disable\_access\_key\_creation) | When set to true, disables the creation of a default manager access key which is required by agents to ingest metrics. | `bool` | `false` | no |
 | <a name="input_enable_platform_metrics"></a> [enable\_platform\_metrics](#input\_enable\_platform\_metrics) | Receive platform metrics in the provisioned IBM Cloud Monitoring instance. Only 1 instance in a given region can be enabled for platform metrics. | `bool` | `false` | no |
 | <a name="input_instance_name"></a> [instance\_name](#input\_instance\_name) | The name of the IBM Cloud Monitoring instance to create. Defaults to 'cloud-monitoring-<region>' | `string` | `null` | no |
-| <a name="input_manager_key_name"></a> [manager\_key\_name](#input\_manager\_key\_name) | The name to give the IBM Cloud Monitoring manager key. | `string` | `"SysdigManagerKey"` | no |
-| <a name="input_manager_key_tags"></a> [manager\_key\_tags](#input\_manager\_key\_tags) | Tags associated with the IBM Cloud Monitoring manager key. | `list(string)` | `[]` | no |
 | <a name="input_plan"></a> [plan](#input\_plan) | The IBM Cloud Monitoring plan to provision. Available: lite, graduated-tier and graduated-tier-sysdig-secure-plus-monitor (available in region eu-fr2 only) | `string` | `"lite"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The IBM Cloud region where Cloud Monitoring instance will be created. | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the Cloud Monitoring instance will be created. | `string` | n/a | yes |
+| <a name="input_resource_keys"></a> [resource\_keys](#input\_resource\_keys) | A list of maps representing resource keys to create for the IBM Cloud Monitoring instance. Each entry defines a single resource key. Use this list to manage custom keys and handle key rotation. | <pre>list(object({<br/>    name                      = string<br/>    key_name                  = optional(string, null)<br/>    generate_hmac_credentials = optional(bool, false) # pragma: allowlist secret<br/>    role                      = optional(string, "Manager")<br/>    service_id_crn            = optional(string, null)<br/>  }))</pre> | `[]` | no |
 | <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings). | `list(string)` | `[]` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The type of the service endpoint that will be set for the Sisdig instance. | `string` | `"public-and-private"` | no |
 
 ### Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_access_key"></a> [access\_key](#output\_access\_key) | The cloud monitoring access key for agents to use |
+| <a name="output_access_key"></a> [access\_key](#output\_access\_key) | The Cloud Monitoring access key for agents to use |
 | <a name="output_account_id"></a> [account\_id](#output\_account\_id) | The account id where cloud monitoring instance is provisioned. |
 | <a name="output_crn"></a> [crn](#output\_crn) | The id of the provisioned cloud monitoring instance. |
 | <a name="output_guid"></a> [guid](#output\_guid) | The guid of the provisioned cloud monitoring instance. |
 | <a name="output_ingestion_endpoint_private"></a> [ingestion\_endpoint\_private](#output\_ingestion\_endpoint\_private) | The Cloud Monitoring private ingestion endpoint. |
 | <a name="output_ingestion_endpoint_public"></a> [ingestion\_endpoint\_public](#output\_ingestion\_endpoint\_public) | The Cloud Monitoring public ingestion endpoint. |
-| <a name="output_manager_key_name"></a> [manager\_key\_name](#output\_manager\_key\_name) | The cloud monitoring manager key name |
 | <a name="output_name"></a> [name](#output\_name) | The name of the provisioned cloud monitoring instance. |
 | <a name="output_resource_group_id"></a> [resource\_group\_id](#output\_resource\_group\_id) | The resource group where cloud monitoring monitor instance resides |
+| <a name="output_resource_keys"></a> [resource\_keys](#output\_resource\_keys) | A list of maps representing resource keys created for the IBM Cloud Monitoring instance. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 <!-- Leave this section as is so that your module has a link to local development environment set-up steps for contributors to follow -->

@@ -33,9 +33,15 @@ output "access_key" {
   sensitive   = true
 }
 
-output "manager_key_name" {
-  value       = module.cloud_monitoring.manager_key_name
-  description = "The cloud monitoring manager key name."
+output "access_key_name" {
+  value       = module.cloud_monitoring.name
+  description = "The cloud monitoring access key name."
+}
+
+output "cloud_monitoring_resource_keys" {
+  value       = module.cloud_monitoring.resource_keys
+  description = "A list of maps containing resource keys created for the Cloud Monitoring instance."
+  sensitive   = true
 }
 
 output "metrics_router_routes" {

@@ -17,6 +17,18 @@ output "resource_group_id" {
   description = "The resource group where cloud monitoring monitor instance resides."
 }
 
+output "cloud_monitoring_resource_keys" {
+  value       = module.cloud_monitoring.resource_keys
+  description = "A list of maps containing resource keys created for the Cloud Monitoring instance."
+  sensitive   = true
+}
+
+output "cloud_monitoring_access_key" {
+  value       = module.cloud_monitoring.access_key
+  description = "The Cloud Monitoring access key for agents to use."
+  sensitive   = true
+}
+
 output "ingestion_endpoint_private" {
   value       = module.cloud_monitoring.ingestion_endpoint_private
   description = "The Cloud Monitoring private ingestion endpoint."

@@ -185,6 +185,18 @@
                 }
               }
             },
+            {
+              "key": "cloud_monitoring_resource_keys",
+              "type": "array",
+              "custom_config": {
+                "type": "code_editor",
+                "grouping": "deployment",
+                "original_grouping": "deployment"
+              }
+            },
+            {
+              "key": "disable_access_key_creation"
+            },
             {
               "key": "enable_platform_metrics",
               "required": true

@@ -31,11 +31,31 @@ resource "ibm_resource_tag" "cloud_monitoring_tag" {
   tag_type    = "access"
 }
 
+###############################################################################
+# Resource Key (Default Manager Key)
+###############################################################################
+
 resource "ibm_resource_key" "resource_key" {
-  name                 = var.manager_key_name
+  count                = var.disable_access_key_creation ? 0 : 1
+  name                 = var.access_key_name
   resource_instance_id = ibm_resource_instance.cloud_monitoring.id
   role                 = "Manager"
-  tags                 = var.manager_key_tags
+  tags                 = var.access_key_tags
+}
+
+###############################################################################
+# Resource Keys
+###############################################################################
+
+resource "ibm_resource_key" "resource_keys" {
+  for_each             = { for key in var.resource_keys : key.name => key }
+  name                 = each.value.key_name == null ? each.key : each.value.key_name
+  resource_instance_id = ibm_resource_instance.cloud_monitoring.id
+  role                 = each.value.role
+  parameters = {
+    "serviceid_crn" = each.value.service_id_crn
+    "HMAC"          = each.value.generate_hmac_credentials
+  }
 }
 
 ########################################################################

@@ -23,15 +23,17 @@ output "resource_group_id" {
   description = "The resource group where cloud monitoring monitor instance resides"
 }
 
-output "access_key" {
-  value       = ibm_resource_key.resource_key.credentials["Sysdig Access Key"]
-  description = "The cloud monitoring access key for agents to use"
+output "resource_keys" {
+  description = "A list of maps representing resource keys created for the IBM Cloud Monitoring instance."
+  value       = ibm_resource_key.resource_keys
   sensitive   = true
 }
 
-output "manager_key_name" {
-  value       = ibm_resource_key.resource_key.name
-  description = "The cloud monitoring manager key name"
+# https://cloud.ibm.com/docs/monitoring?topic=monitoring-access_key
+output "access_key" {
+  value       = !var.disable_access_key_creation ? ibm_resource_key.resource_key[0].credentials["Sysdig Access Key"] : null
+  description = "The Cloud Monitoring access key for agents to use"
+  sensitive   = true
 }
 
 # https://cloud.ibm.com/docs/monitoring?topic=monitoring-endpoints#endpoints_ingestion

@@ -4,6 +4,7 @@ Several optional input variables in the IBM Cloud [Cloud Monitoring instances de
 
 * [IBM Cloud Metrics Router Routes](#metrics_router_routes) (`metrics_router_routes`)
 * [Context Based Restrictions Rules](#cbr_rules) (`cbr_rules`)
+* [Cloud Monitoring Resource Keys](#cloud_monitoring_resource_keys) (`cloud_monitoring_resource_keys`)
 
 ## Metrics Router Routes <a name="metrics_router_routes"></a>
 
@@ -105,3 +106,45 @@ The `cbr_rules` input variable allows you to provide a rule for the target servi
   }
 ]
 ```
+
+## Cloud Monitoring Resource Keys <a name="cloud_monitoring_resource_keys"></a>
+
+The `cloud_monitoring_resource_keys` input variable allows you to provide a list of resource key to create that will be configured in the IBM Cloud Monitoring instance. In the configuration, specify the name of the resource key, whether HMAC credentials should be included, the Role of the key and an optional Service ID CRN to create with a Service ID. Refer [here](https://cloud.ibm.com/docs/monitoring?topic=monitoring-access_key) for more information.
+
+* Variable name: `cloud_monitoring_resource_keys`.
+* Type: A list of objects that represent a resource key
+* Default value:
+
+  ```
+    {
+      name                      = "SysdigManagerKey"
+      generate_hmac_credentials = false
+      role                      = "Manager"
+      service_id_crn            = null
+    }
+  ```
+
+### Options for cloud_monitoring_resource_keys
+
+* `name` (required): A unique human-readable name that identifies this resource key.
+* `generate_hmac_credentials` (optional, default = `false`): Set to true to include HMAC keys in the resource key. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key#example-to-create-by-using-hmac).
+* `role` (optional, default = `Reader`): The name of the user role.
+* `service_id_crn` (optional, default = `null`): Pass a Service ID CRN to create credentials for a resource with a Service ID. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key#example-to-create-by-using-serviceid).
+
+### Example route for Cloud Monitoring Resource Keys
+
+The following example includes all the configuration options for two resource keys. One is a HMAC key with a `Reader` role, the other with an IAM key with `Manager` role.
+
+```hcl
+[
+  {
+    "name": "icm-resource-key",
+    "generate_hmac_credentials": true,
+    "role": "Reader",
+  },
+  {
+    "name": "icm-resource-key",
+    "role": "Manager"
+  }
+]
+```
@@ -44,17 +44,19 @@ locals {
 }
 
 module "cloud_monitoring" {
-  count                   = local.create_cloud_monitoring ? 1 : 0
-  source                  = "../.."
-  resource_group_id       = module.resource_group.resource_group_id
-  region                  = var.region
-  instance_name           = local.cloud_monitoring_instance_name
-  plan                    = var.cloud_monitoring_plan
-  resource_tags           = var.cloud_monitoring_resource_tags
-  access_tags             = var.cloud_monitoring_access_tags
-  service_endpoints       = "public-and-private"
-  enable_platform_metrics = var.enable_platform_metrics
-  cbr_rules               = var.cbr_rules
+  count                       = local.create_cloud_monitoring ? 1 : 0
+  source                      = "../.."
+  resource_group_id           = module.resource_group.resource_group_id
+  region                      = var.region
+  instance_name               = local.cloud_monitoring_instance_name
+  plan                        = var.cloud_monitoring_plan
+  resource_tags               = var.cloud_monitoring_resource_tags
+  access_tags                 = var.cloud_monitoring_access_tags
+  resource_keys               = var.cloud_monitoring_resource_keys
+  disable_access_key_creation = var.disable_access_key_creation
+  service_endpoints           = "public-and-private"
+  enable_platform_metrics     = var.enable_platform_metrics
+  cbr_rules                   = var.cbr_rules
 }
 
 module "metrics_routing" {

@@ -33,6 +33,12 @@ output "cloud_monitoring_access_key" {
   sensitive   = true
 }
 
+output "cloud_monitoring_resource_keys" {
+  value       = local.create_cloud_monitoring ? module.cloud_monitoring[0].resource_keys : null
+  description = "A list of maps representing resource keys created for the IBM Cloud Monitoring instance."
+  sensitive   = true
+}
+
 output "account_id" {
   value       = local.create_cloud_monitoring ? module.cloud_monitoring[0].account_id : module.existing_cloud_monitoring_crn_parser[0].account_id
   description = "The account id where cloud monitoring instance is provisioned."

@@ -77,6 +77,23 @@ variable "cloud_monitoring_access_tags" {
   default     = []
 }
 
+variable "disable_access_key_creation" {
+  type        = bool
+  description = "When set to true, disables the creation of a default manager access key which is required by agents to ingest metrics."
+  default     = false
+}
+
+variable "cloud_monitoring_resource_keys" {
+  description = "A list of maps representing resource keys to create for the IBM Cloud Monitoring instance. Each entry defines a single resource key. Use this list to manage custom keys and handle key rotation."
+  type = list(object({
+    name                      = string
+    generate_hmac_credentials = optional(bool, false) # pragma: allowlist secret
+    role                      = optional(string, "Manager")
+    service_id_crn            = optional(string, null)
+  }))
+  default = []
+}
+
 variable "cloud_monitoring_plan" {
   type        = string
   description = "The IBM Cloud Monitoring plan to provision. Available values are `lite` and `graduated-tier` and graduated-tier-sysdig-secure-plus-monitor (available in region eu-fr2 only)."

@@ -31,18 +31,50 @@ variable "plan" {
   }
 }
 
-variable "manager_key_name" {
+variable "disable_access_key_creation" {
+  type        = bool
+  description = "When set to true, disables the creation of a default manager access key which is required by agents to ingest metrics."
+  default     = false
+}
+
+variable "access_key_name" {
   type        = string
-  description = "The name to give the IBM Cloud Monitoring manager key."
+  description = "The name to give the default IBM Cloud Monitoring Manager access key. Use `disable_access_key_creation` to disable access key creation. For guidance on access keys, see [here](https://cloud.ibm.com/docs/monitoring?topic=monitoring-access_key)."
   default     = "SysdigManagerKey"
 }
 
-variable "manager_key_tags" {
+variable "access_key_tags" {
   type        = list(string)
-  description = "Tags associated with the IBM Cloud Monitoring manager key."
+  description = "Tags associated with the IBM Cloud Monitoring access key."
   default     = []
 }
 
+# 'name' is the terraform static reference to the object in the list
+# 'key_name' is the IBM Cloud resource key name
+# name MUST not be dynamic, so that it is known at plan time
+# if key_name is not specified, name will be used for the key_name
+# key_name can be a dynamic reference created during apply
+variable "resource_keys" {
+  description = "A list of maps representing resource keys to create for the IBM Cloud Monitoring instance. Each entry defines a single resource key. Use this list to manage custom keys and handle key rotation."
+  type = list(object({
+    name                      = string
+    key_name                  = optional(string, null)
+    generate_hmac_credentials = optional(bool, false) # pragma: allowlist secret
+    role                      = optional(string, "Manager")
+    service_id_crn            = optional(string, null)
+  }))
+  default = []
+  validation {
+    # From: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key
+    # Service roles (for Cloud Monitoring) https://cloud.ibm.com/iam/roles
+    # Reader, Writer, Manager, Supertenant Metrics Publisher, NONE
+    condition = alltrue([
+      for key in var.resource_keys : contains(["Writer", "Reader", "Manager", "Supertenant Metrics Publisher", "NONE"], key.role)
+    ])
+    error_message = "resource_keys role must be one of 'Writer', 'Reader', 'Manager', 'Supertenant Metrics Publisher', 'NONE', reference https://cloud.ibm.com/iam/roles and `Cloud Monitoring`"
+  }
+}
+
 variable "resource_tags" {
   type        = list(string)
   description = "Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings)."