terraform-ibm-modules · ocofaigh · Oct 24, 2025 · Sep 16, 2025 · Sep 16, 2025 · Sep 16, 2025
@@ -159,7 +159,7 @@ You need the following permissions to run this module.
 | Name | Type |
 |------|------|
 | [ibm_resource_instance.cloud_monitoring](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_instance) | resource |
-| [ibm_resource_key.resource_key](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_key) | resource |
+| [ibm_resource_key.resource_keys](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_key) | resource |
 | [ibm_resource_tag.cloud_monitoring_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource |
 
 ### Inputs
@@ -170,27 +170,25 @@ You need the following permissions to run this module.
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of context-based restrictions rules to create | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_enable_platform_metrics"></a> [enable\_platform\_metrics](#input\_enable\_platform\_metrics) | Receive platform metrics in the provisioned IBM Cloud Monitoring instance. Only 1 instance in a given region can be enabled for platform metrics. | `bool` | `false` | no |
 | <a name="input_instance_name"></a> [instance\_name](#input\_instance\_name) | The name of the IBM Cloud Monitoring instance to create. Defaults to 'cloud-monitoring-<region>' | `string` | `null` | no |
-| <a name="input_manager_key_name"></a> [manager\_key\_name](#input\_manager\_key\_name) | The name to give the IBM Cloud Monitoring manager key. | `string` | `"SysdigManagerKey"` | no |
-| <a name="input_manager_key_tags"></a> [manager\_key\_tags](#input\_manager\_key\_tags) | Tags associated with the IBM Cloud Monitoring manager key. | `list(string)` | `[]` | no |
 | <a name="input_plan"></a> [plan](#input\_plan) | The IBM Cloud Monitoring plan to provision. Available: lite, graduated-tier and graduated-tier-sysdig-secure-plus-monitor (available in region eu-fr2 only) | `string` | `"lite"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The IBM Cloud region where Cloud Monitoring instance will be created. | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the Cloud Monitoring instance will be created. | `string` | n/a | yes |
+| <a name="input_resource_keys"></a> [resource\_keys](#input\_resource\_keys) | The definition of the resource keys to generate. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key). | <pre>list(object({<br/>    name                      = string<br/>    key_name                  = optional(string, null)<br/>    generate_hmac_credentials = optional(bool, false) # pragma: allowlist secret<br/>    role                      = optional(string, "Manager")<br/>    service_id_crn            = optional(string, null)<br/>  }))</pre> | <pre>[<br/>  {<br/>    "name": "SysdigManagerKey"<br/>  }<br/>]</pre> | no |
 | <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings). | `list(string)` | `[]` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The type of the service endpoint that will be set for the Sisdig instance. | `string` | `"public-and-private"` | no |
 
 ### Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_access_key"></a> [access\_key](#output\_access\_key) | The cloud monitoring access key for agents to use |
 | <a name="output_account_id"></a> [account\_id](#output\_account\_id) | The account id where cloud monitoring instance is provisioned. |
 | <a name="output_crn"></a> [crn](#output\_crn) | The id of the provisioned cloud monitoring instance. |
 | <a name="output_guid"></a> [guid](#output\_guid) | The guid of the provisioned cloud monitoring instance. |
 | <a name="output_ingestion_endpoint_private"></a> [ingestion\_endpoint\_private](#output\_ingestion\_endpoint\_private) | The Cloud Monitoring private ingestion endpoint. |
 | <a name="output_ingestion_endpoint_public"></a> [ingestion\_endpoint\_public](#output\_ingestion\_endpoint\_public) | The Cloud Monitoring public ingestion endpoint. |
-| <a name="output_manager_key_name"></a> [manager\_key\_name](#output\_manager\_key\_name) | The cloud monitoring manager key name |
 | <a name="output_name"></a> [name](#output\_name) | The name of the provisioned cloud monitoring instance. |
 | <a name="output_resource_group_id"></a> [resource\_group\_id](#output\_resource\_group\_id) | The resource group where cloud monitoring monitor instance resides |
+| <a name="output_resource_keys"></a> [resource\_keys](#output\_resource\_keys) | List of resource resource\_keys |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 <!-- Leave this section as is so that your module has a link to local development environment set-up steps for contributors to follow -->

@@ -27,17 +27,12 @@ output "resource_group_id" {
   description = "The resource group where cloud monitoring monitor instance resides."
 }
 
-output "access_key" {
-  value       = module.cloud_monitoring.access_key
-  description = "The cloud monitoring access key for agents to use."
+output "cloud_monitoring_resource_keys" {
+  value       = module.cloud_monitoring.resource_keys
+  description = "IBM Cloud Monitoring resource keys for agents to use"
   sensitive   = true
 }
 
-output "manager_key_name" {
-  value       = module.cloud_monitoring.manager_key_name
-  description = "The cloud monitoring manager key name."
-}
-
 output "metrics_router_routes" {
   value       = module.metrics_routing.metrics_router_routes
   description = "The created metrics routing routes."

@@ -31,11 +31,15 @@ resource "ibm_resource_tag" "cloud_monitoring_tag" {
   tag_type    = "access"
 }
 
-resource "ibm_resource_key" "resource_key" {
-  name                 = var.manager_key_name
+resource "ibm_resource_key" "resource_keys" {
+  for_each             = { for key in var.resource_keys : key.name => key }
+  name                 = each.value.key_name == null ? each.key : each.value.key_name
   resource_instance_id = ibm_resource_instance.cloud_monitoring.id
-  role                 = "Manager"
-  tags                 = var.manager_key_tags
+  role                 = each.value.role
+  parameters = {
+    "serviceid_crn" = each.value.service_id_crn
+    "HMAC"          = each.value.generate_hmac_credentials
+  }
 }
 
 ########################################################################

diff --git a/moved.tf b/moved.tf
@@ -0,0 +1,4 @@
+moved {
+  from = ibm_resource_key.resource_key
+  to   = ibm_resource_key.resource_keys["SysdigManagerKey"]
+}
@@ -23,17 +23,12 @@ output "resource_group_id" {
   description = "The resource group where cloud monitoring monitor instance resides"
 }
 
-output "access_key" {
-  value       = ibm_resource_key.resource_key.credentials["Sysdig Access Key"]
-  description = "The cloud monitoring access key for agents to use"
+output "resource_keys" {
+  description = "List of resource resource_keys"
+  value       = ibm_resource_key.resource_keys
   sensitive   = true
 }
 
-output "manager_key_name" {
-  value       = ibm_resource_key.resource_key.name
-  description = "The cloud monitoring manager key name"
-}
-
 # https://cloud.ibm.com/docs/monitoring?topic=monitoring-endpoints#endpoints_ingestion
 output "ingestion_endpoint_private" {
   value       = "ingest.private.${var.region}.monitoring.cloud.ibm.com"

@@ -27,9 +27,9 @@ output "cloud_monitoring_guid" {
   description = "The guid of the provisioned IBM cloud monitoring instance."
 }
 
-output "cloud_monitoring_access_key" {
-  value       = local.create_cloud_monitoring ? module.cloud_monitoring[0].access_key : null
-  description = "IBM cloud monitoring access key for agents to use"
+output "cloud_monitoring_resource_keys" {
+  value       = local.create_cloud_monitoring ? module.cloud_monitoring[0].resource_keys : null
+  description = "IBM cloud monitoring resource keys for agents to use"
   sensitive   = true
 }
 

@@ -31,16 +31,34 @@ variable "plan" {
   }
 }
 
-variable "manager_key_name" {
-  type        = string
-  description = "The name to give the IBM Cloud Monitoring manager key."
-  default     = "SysdigManagerKey"
-}
-
-variable "manager_key_tags" {
-  type        = list(string)
-  description = "Tags associated with the IBM Cloud Monitoring manager key."
-  default     = []
+# 'name' is the terraform static reference to the object in the list
+# 'key_name' is the IBM Cloud resource key name
+# name MUST not be dynamic, so that it is known at plan time
+# if key_name is not specified, name will be used for the key_name
+# key_name can be a dynamic reference created during apply
+variable "resource_keys" {
+  description = "The definition of the resource keys to generate. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key)."
+  type = list(object({
+    name                      = string
+    key_name                  = optional(string, null)
+    generate_hmac_credentials = optional(bool, false) # pragma: allowlist secret
+    role                      = optional(string, "Manager")
+    service_id_crn            = optional(string, null)
+  }))
+  default = [
+    {
+      name = "SysdigManagerKey"
+    }
+  ]
+  validation {
+    # From: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key
+    # Service roles (for Cloud Monitoring) https://cloud.ibm.com/iam/roles
+    # Reader, Writer, Manager, Supertenant Metrics Publisher, NONE
+    condition = alltrue([
+      for key in var.resource_keys : contains(["Writer", "Reader", "Manager", "Supertenant Metrics Publisher", "NONE"], key.role)
+    ])
+    error_message = "resource_keys role must be one of 'Writer', 'Reader', 'Manager', 'Supertenant Metrics Publisher', 'NONE', reference https://cloud.ibm.com/iam/roles and `Cloud Monitoring`"
+  }
 }
 
 variable "resource_tags" {