feat: add support to create resource key

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-10-04T03:55:50Z",
+  "generated_at": "2025-10-06T08:45:19Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

README.md

@@ -160,21 +160,24 @@ You need the following permissions to run this module.
 |------|------|
 | [ibm_resource_instance.cloud_monitoring](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_instance) | resource |
 | [ibm_resource_key.resource_key](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_key) | resource |
+| [ibm_resource_key.resource_keys](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_key) | resource |
 | [ibm_resource_tag.cloud_monitoring_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_access_key_name"></a> [access\_key\_name](#input\_access\_key\_name) | The name to give the default IBM Cloud Monitoring Manager access key. | `string` | `"SysdigManagerKey"` | no |
 | <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | Access Management Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings). | `list(string)` | `[]` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of context-based restrictions rules to create | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
+| <a name="input_disable_access_key_creation"></a> [disable\_access\_key\_creation](#input\_disable\_access\_key\_creation) | When set to true, disables the creation of the default Manager access key. See `resource_keys` to handle rotation, or even creation of non manager role keys. | `bool` | `false` | no |
 | <a name="input_enable_platform_metrics"></a> [enable\_platform\_metrics](#input\_enable\_platform\_metrics) | Receive platform metrics in the provisioned IBM Cloud Monitoring instance. Only 1 instance in a given region can be enabled for platform metrics. | `bool` | `false` | no |
 | <a name="input_instance_name"></a> [instance\_name](#input\_instance\_name) | The name of the IBM Cloud Monitoring instance to create. Defaults to 'cloud-monitoring-<region>' | `string` | `null` | no |
-| <a name="input_manager_key_name"></a> [manager\_key\_name](#input\_manager\_key\_name) | The name to give the IBM Cloud Monitoring manager key. | `string` | `"SysdigManagerKey"` | no |
 | <a name="input_manager_key_tags"></a> [manager\_key\_tags](#input\_manager\_key\_tags) | Tags associated with the IBM Cloud Monitoring manager key. | `list(string)` | `[]` | no |
 | <a name="input_plan"></a> [plan](#input\_plan) | The IBM Cloud Monitoring plan to provision. Available: lite, graduated-tier and graduated-tier-sysdig-secure-plus-monitor (available in region eu-fr2 only) | `string` | `"lite"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The IBM Cloud region where Cloud Monitoring instance will be created. | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the Cloud Monitoring instance will be created. | `string` | n/a | yes |
+| <a name="input_resource_keys"></a> [resource\_keys](#input\_resource\_keys) | List of keys to create for the IBM Cloud Monitoring instance. Each entry defines one resource key. Use this to manage custom keys, rotation, and disable default access key creation using `disable_access_key_creation`. For guidance on access keys, see [here](https://cloud.ibm.com/docs/monitoring?topic=monitoring-access_key). | <pre>list(object({<br/>    name                      = string<br/>    key_name                  = optional(string, null)<br/>    generate_hmac_credentials = optional(bool, false) # pragma: allowlist secret<br/>    role                      = optional(string, "Manager")<br/>    service_id_crn            = optional(string, null)<br/>  }))</pre> | `[]` | no |
 | <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings). | `list(string)` | `[]` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The type of the service endpoint that will be set for the Sisdig instance. | `string` | `"public-and-private"` | no |
 
@@ -183,14 +186,15 @@ You need the following permissions to run this module.
 | Name | Description |
 |------|-------------|
 | <a name="output_access_key"></a> [access\_key](#output\_access\_key) | The cloud monitoring access key for agents to use |
+| <a name="output_access_keys"></a> [access\_keys](#output\_access\_keys) | The Cloud Monitoring access keys for agents to use. |
 | <a name="output_account_id"></a> [account\_id](#output\_account\_id) | The account id where cloud monitoring instance is provisioned. |
 | <a name="output_crn"></a> [crn](#output\_crn) | The id of the provisioned cloud monitoring instance. |
 | <a name="output_guid"></a> [guid](#output\_guid) | The guid of the provisioned cloud monitoring instance. |
 | <a name="output_ingestion_endpoint_private"></a> [ingestion\_endpoint\_private](#output\_ingestion\_endpoint\_private) | The Cloud Monitoring private ingestion endpoint. |
 | <a name="output_ingestion_endpoint_public"></a> [ingestion\_endpoint\_public](#output\_ingestion\_endpoint\_public) | The Cloud Monitoring public ingestion endpoint. |
-| <a name="output_manager_key_name"></a> [manager\_key\_name](#output\_manager\_key\_name) | The cloud monitoring manager key name |
 | <a name="output_name"></a> [name](#output\_name) | The name of the provisioned cloud monitoring instance. |
 | <a name="output_resource_group_id"></a> [resource\_group\_id](#output\_resource\_group\_id) | The resource group where cloud monitoring monitor instance resides |
+| <a name="output_resource_keys"></a> [resource\_keys](#output\_resource\_keys) | Map of resource keys created for the IBM Cloud Monitoring instance, used by agents for authentication and data forwarding. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 <!-- Leave this section as is so that your module has a link to local development environment set-up steps for contributors to follow -->

examples/advanced/outputs.tf

@@ -33,11 +33,17 @@ output "access_key" {
   sensitive   = true
 }
 
-output "manager_key_name" {
-  value       = module.cloud_monitoring.manager_key_name
+output "access_key_name" {
+  value       = module.cloud_monitoring.name
   description = "The cloud monitoring manager key name."
 }
 
+output "cloud_monitoring_resource_keys" {
+  value       = module.cloud_monitoring.resource_keys
+  description = "The map of resource keys created for the Cloud Monitoring instance."
+  sensitive   = true
+}
+
 output "metrics_router_routes" {
   value       = module.metrics_routing.metrics_router_routes
   description = "The created metrics routing routes."

examples/basic/outputs.tf

@@ -17,6 +17,18 @@ output "resource_group_id" {
   description = "The resource group where cloud monitoring monitor instance resides."
 }
 
+output "cloud_monitoring_resource_keys" {
+  value       = module.cloud_monitoring.resource_keys
+  description = "The map of resource keys created for the Cloud Monitoring instance."
+  sensitive   = true
+}
+
+output "cloud_monitoring_access_key" {
+  value       = module.cloud_monitoring.access_keys["SysdigManagerKey"]
+  description = "The Cloud Monitoring access keys for agents to use."
+  sensitive   = true
+}
+
 output "ingestion_endpoint_private" {
   value       = module.cloud_monitoring.ingestion_endpoint_private
   description = "The Cloud Monitoring private ingestion endpoint."

ibm_catalog.json

@@ -185,6 +185,18 @@
                 }
               }
             },
+            {
+              "key": "cloud_monitoring_resource_keys",
+              "type": "array",
+              "custom_config": {
+                "type": "code_editor",
+                "grouping": "deployment",
+                "original_grouping": "deployment"
+              }
+            },
+            {
+              "key": "disable_access_key_creation"
+            },
             {
               "key": "enable_platform_metrics",
               "required": true

main.tf

@@ -31,13 +31,33 @@ resource "ibm_resource_tag" "cloud_monitoring_tag" {
   tag_type    = "access"
 }
 
+###############################################################################
+# Resource Key (Default Manager Key)
+###############################################################################
+
 resource "ibm_resource_key" "resource_key" {
-  name                 = var.manager_key_name
+  count                = var.disable_access_key_creation ? 0 : 1
+  name                 = var.access_key_name
   resource_instance_id = ibm_resource_instance.cloud_monitoring.id
   role                 = "Manager"
   tags                 = var.manager_key_tags
 }
 
+###############################################################################
+# Resource Keys (Custom Access Keys)
+###############################################################################
+
+resource "ibm_resource_key" "resource_keys" {
+  for_each             = { for key in var.resource_keys : key.name => key }
+  name                 = each.value.key_name == null ? each.key : each.value.key_name
+  resource_instance_id = ibm_resource_instance.cloud_monitoring.id
+  role                 = each.value.role
+  parameters = {
+    "serviceid_crn" = each.value.service_id_crn
+    "HMAC"          = each.value.generate_hmac_credentials
+  }
+}
+
 ########################################################################
 # Context Based Restrictions
 #########################################################################

outputs.tf

@@ -23,15 +23,26 @@ output "resource_group_id" {
   description = "The resource group where cloud monitoring monitor instance resides"
 }
 
+output "resource_keys" {
+  description = "Map of resource keys created for the IBM Cloud Monitoring instance, used by agents for authentication and data forwarding."
+  value       = ibm_resource_key.resource_keys
+  sensitive   = true
+}
+
 output "access_key" {
-  value       = ibm_resource_key.resource_key.credentials["Sysdig Access Key"]
+  value       = !var.disable_access_key_creation ? ibm_resource_key.resource_key[0].credentials["Sysdig Access Key"] : null
   description = "The cloud monitoring access key for agents to use"
   sensitive   = true
 }
 
-output "manager_key_name" {
-  value       = ibm_resource_key.resource_key.name
-  description = "The cloud monitoring manager key name"
+# https://cloud.ibm.com/docs/monitoring?topic=monitoring-access_key
+output "access_keys" {
+  description = "The Cloud Monitoring access keys for agents to use."
+  value = length(var.resource_keys) == 0 ? null : {
+    for name, key in ibm_resource_key.resource_keys :
+    name => key.credentials["Sysdig Access Key"]
+  }
+  sensitive = true
 }
 
 # https://cloud.ibm.com/docs/monitoring?topic=monitoring-endpoints#endpoints_ingestion

solutions/fully-configurable/DA-types.md

@@ -4,6 +4,7 @@ Several optional input variables in the IBM Cloud [Cloud Monitoring instances de
 
 * [IBM Cloud Metrics Router Routes](#metrics_router_routes) (`metrics_router_routes`)
 * [Context Based Restrictions Rules](#cbr_rules) (`cbr_rules`)
+* [Cloud Monitoring Resource Keys](#cloud_monitoring_resource_keys) (`cloud_monitoring_resource_keys`)
 
 ## Metrics Router Routes <a name="metrics_router_routes"></a>
 
@@ -105,3 +106,45 @@ The `cbr_rules` input variable allows you to provide a rule for the target servi
   }
 ]
 ```
+
+## Cloud Monitoring Resource Keys <a name="cloud_monitoring_resource_keys"></a>
+
+The `cloud_monitoring_resource_keys` input variable allows you to provide a list of resource key to create that will be configured in the IBM Cloud Monitoring instance. In the configuration, specify the name of the resource key, whether HMAC credentials should be included, the Role of the key and an optional Service ID CRN to create with a Service ID. Refer [here](https://cloud.ibm.com/docs/monitoring?topic=monitoring-access_key) for more information.
+
+* Variable name: `cloud_monitoring_resource_keys`.
+* Type: A list of objects that represent a resource key
+* Default value:
+
+  ```
+    {
+      name                      = "SysdigManagerKey"
+      generate_hmac_credentials = false
+      role                      = "Manager"
+      service_id_crn            = null
+    }
+  ```
+
+### Options for cloud_monitoring_resource_keys
+
+* `name` (required): A unique human-readable name that identifies this resource key.
+* `generate_hmac_credentials` (optional, default = `false`): Set to true to include HMAC keys in the resource key. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key#example-to-create-by-using-hmac).
+* `role` (optional, default = `Reader`): The name of the user role.
+* `service_id_crn` (optional, default = `null`): Pass a Service ID CRN to create credentials for a resource with a Service ID. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key#example-to-create-by-using-serviceid).
+
+### Example route for Cloud Monitoring Resource Keys
+
+The following example includes all the configuration options for two resource keys. One is a HMAC key with a `Reader` role, the other with an IAM key with `Manager` role.
+
+```hcl
+[
+  {
+    "name": "icm-resource-key",
+    "generate_hmac_credentials": true,
+    "role": "Reader",
+  },
+  {
+    "name": "icm-resource-key",
+    "role": "Manager"
+  }
+]
+```

solutions/fully-configurable/main.tf

@@ -44,17 +44,19 @@ locals {
 }
 
 module "cloud_monitoring" {
-  count                   = local.create_cloud_monitoring ? 1 : 0
-  source                  = "../.."
-  resource_group_id       = module.resource_group.resource_group_id
-  region                  = var.region
-  instance_name           = local.cloud_monitoring_instance_name
-  plan                    = var.cloud_monitoring_plan
-  resource_tags           = var.cloud_monitoring_resource_tags
-  access_tags             = var.cloud_monitoring_access_tags
-  service_endpoints       = "public-and-private"
-  enable_platform_metrics = var.enable_platform_metrics
-  cbr_rules               = var.cbr_rules
+  count                       = local.create_cloud_monitoring ? 1 : 0
+  source                      = "../.."
+  resource_group_id           = module.resource_group.resource_group_id
+  region                      = var.region
+  instance_name               = local.cloud_monitoring_instance_name
+  plan                        = var.cloud_monitoring_plan
+  resource_tags               = var.cloud_monitoring_resource_tags
+  access_tags                 = var.cloud_monitoring_access_tags
+  resource_keys               = var.cloud_monitoring_resource_keys
+  disable_access_key_creation = var.disable_access_key_creation
+  service_endpoints           = "public-and-private"
+  enable_platform_metrics     = var.enable_platform_metrics
+  cbr_rules                   = var.cbr_rules
 }
 
 module "metrics_routing" {

solutions/fully-configurable/outputs.tf

@@ -33,6 +33,12 @@ output "cloud_monitoring_access_key" {
   sensitive   = true
 }
 
+output "cloud_monitoring_resource_keys" {
+  value       = local.create_cloud_monitoring ? module.cloud_monitoring[0].resource_keys : null
+  description = "Map of resource keys created for the IBM Cloud Monitoring instance, used by agents for authentication and data forwarding."
+  sensitive   = true
+}
+
 output "account_id" {
   value       = local.create_cloud_monitoring ? module.cloud_monitoring[0].account_id : module.existing_cloud_monitoring_crn_parser[0].account_id
   description = "The account id where cloud monitoring instance is provisioned."

solutions/fully-configurable/variables.tf

@@ -77,6 +77,23 @@ variable "cloud_monitoring_access_tags" {
   default     = []
 }
 
+variable "disable_access_key_creation" {
+  type        = bool
+  description = "When set to true, disables the creation of the default Manager access key. See `resource_keys` to handle rotation, or even creation of non manager role keys."
+  default     = false
+}
+
+variable "cloud_monitoring_resource_keys" {
+  description = "List of access keys to create for the IBM Cloud Monitoring instance. Each entry defines one resource key. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-cloud-monitoring/tree/main/solutions/fully-configurable/DA-types.md#cloud-monitoring-resource-keys)."
+  type = list(object({
+    name                      = string
+    generate_hmac_credentials = optional(bool, false) # pragma: allowlist secret
+    role                      = optional(string, "Manager")
+    service_id_crn            = optional(string, null)
+  }))
+  default = []
+}
+
 variable "cloud_monitoring_plan" {
   type        = string
   description = "The IBM Cloud Monitoring plan to provision. Available values are `lite` and `graduated-tier` and graduated-tier-sysdig-secure-plus-monitor (available in region eu-fr2 only)."

variables.tf

@@ -31,9 +31,15 @@ variable "plan" {
   }
 }
 
-variable "manager_key_name" {
+variable "disable_access_key_creation" {
+  type        = bool
+  description = "When set to true, disables the creation of the default Manager access key. See `resource_keys` to handle rotation, or even creation of non manager role keys."
+  default     = false
+}
+
+variable "access_key_name" {
   type        = string
-  description = "The name to give the IBM Cloud Monitoring manager key."
+  description = "The name to give the default IBM Cloud Monitoring Manager access key."
   default     = "SysdigManagerKey"
 }
 
@@ -43,6 +49,32 @@ variable "manager_key_tags" {
   default     = []
 }
 
+# 'name' is the terraform static reference to the object in the list
+# 'key_name' is the IBM Cloud resource key name
+# name MUST not be dynamic, so that it is known at plan time
+# if key_name is not specified, name will be used for the key_name
+# key_name can be a dynamic reference created during apply
+variable "resource_keys" {
+  description = "List of keys to create for the IBM Cloud Monitoring instance. Each entry defines one resource key. Use this to manage custom keys, rotation, and disable default access key creation using `disable_access_key_creation`. For guidance on access keys, see [here](https://cloud.ibm.com/docs/monitoring?topic=monitoring-access_key)."
+  type = list(object({
+    name                      = string
+    key_name                  = optional(string, null)
+    generate_hmac_credentials = optional(bool, false) # pragma: allowlist secret
+    role                      = optional(string, "Manager")
+    service_id_crn            = optional(string, null)
+  }))
+  default = []
+  validation {
+    # From: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key
+    # Service roles (for Cloud Monitoring) https://cloud.ibm.com/iam/roles
+    # Reader, Writer, Manager, Supertenant Metrics Publisher, NONE
+    condition = alltrue([
+      for key in var.resource_keys : contains(["Writer", "Reader", "Manager", "Supertenant Metrics Publisher", "NONE"], key.role)
+    ])
+    error_message = "resource_keys role must be one of 'Writer', 'Reader', 'Manager', 'Supertenant Metrics Publisher', 'NONE', reference https://cloud.ibm.com/iam/roles and `Cloud Monitoring`"
+  }
+}
+
 variable "resource_tags" {
   type        = list(string)
   description = "Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings)."