diff --git a/README.md b/README.md
index cc663d19..fe2618a5 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ External Secrets Operator synchronizes secrets in the Kubernetes cluster with se
 The module provides the following features:
 - Install and configure External Secrets Operator (ESO).
-- Customise External Secret Operator deployment on specific cluster workers by configuration approriate NodeSelector and Tolerations in the ESO helm release [More details below](#customise-eso-deployment-on-specific-cluster-nodes)
+- Customise External Secret Operator deployment on specific cluster workers by configuration appropriate NodeSelector and Tolerations in the ESO helm release [More details below](#customise-eso-deployment-on-specific-cluster-nodes)
 The submodules automate the configuration of an operator, providing the following features:
 - Deploy and configure [ClusterSecretStore](https://external-secrets.io/latest/api/clustersecretstore/) resources for cluster scope secrets store [eso-clusterstore](./eso-clusterstore/README.md)
@@ -116,7 +116,6 @@ will make the External Secret Operator to run on clusters nodes labeled with `de
 The resulting helm release configuration, according to the `terraform plan` output would be like
 ```bash
- (...)
 # module.external_secrets_operator.helm_release.external_secrets_operator[0] will be created
 + resource "helm_release" "external_secrets_operator" {
@@ -520,18 +519,18 @@ You need the following permissions to run this module.
 | [eso\_cluster\_nodes\_configuration](#input\_eso\_cluster\_nodes\_configuration) | Configuration to use to customise ESO deployment on specific cluster nodes. Setting appropriate values will result in customising ESO helm release. Default value is null to keep ESO standard deployment. |
object({
nodeSelector = object({
label = string
value = string
})
tolerations = object({
key = string
operator = string
value = string
effect = string
})
})
| `null` | no |
 | [eso\_enroll\_in\_servicemesh](#input\_eso\_enroll\_in\_servicemesh) | Flag to enroll ESO into istio servicemesh | `bool` | `false` | no |
 | [eso\_image](#input\_eso\_image) | The External Secrets Operator image in the format of `[registry-url]/[namespace]/[image]`. | `string` | `"ghcr.io/external-secrets/external-secrets"` | no |
-| [eso\_image\_version](#input\_eso\_image\_version) | The version or digest for the external secrets image to deploy. If changing the value, ensure it is compatible with the chart version set in eso\_chart\_version. | `string` | `"v0.19.2-ubi@sha256:b85e577e14c0a943e5eda57d631012d8fe7cea0e747069bfd9fdf3736cdad3ad"` | no |
+| [eso\_image\_version](#input\_eso\_image\_version) | The version or digest for the external secrets image to deploy. If changing the value, ensure it is compatible with the chart version set in eso\_chart\_version. | `string` | `"v0.20.1-ubi@sha256:33dc5f563339e6332e1549c9e3c2b362d1e1b03acada1386a6f2c6f2d5af4a6e"` | no |
 | [eso\_namespace](#input\_eso\_namespace) | Namespace to create and be used to install ESO components including helm releases. | `string` | `null` | no |
 | [eso\_pod\_configuration](#input\_eso\_pod\_configuration) | Configuration to use to customise ESO deployment on specific pods. Setting appropriate values will result in customising ESO helm release. Default value is {} to keep ESO standard deployment. Ignore the key if not required. |
object({
annotations = optional(object({
# The annotations for external secret controller pods.
external_secrets = optional(map(string), {})
# The annotations for external secret cert controller pods.
external_secrets_cert_controller = optional(map(string), {})
# The annotations for external secret controller pods.
external_secrets_webhook = optional(map(string), {})
}), {})

labels = optional(object({
# The labels for external secret controller pods.
external_secrets = optional(map(string), {})
# The labels for external secret cert controller pods.
external_secrets_cert_controller = optional(map(string), {})
# The labels for external secret controller pods.
external_secrets_webhook = optional(map(string), {})
}), {})
})
| `{}` | no |
 | [existing\_eso\_namespace](#input\_existing\_eso\_namespace) | Existing Namespace to be used to install ESO components including helm releases. | `string` | `null` | no |
 | [reloader\_chart\_location](#input\_reloader\_chart\_location) | The location of the Reloader Helm chart. | `string` | `"https://stakater.github.io/stakater-charts"` | no |
-| [reloader\_chart\_version](#input\_reloader\_chart\_version) | The version of the Reloader Helm chart. Ensure that the chart version is compatible with the image version specified in reloader\_image\_version. | `string` | `"2.2.0"` | no |
+| [reloader\_chart\_version](#input\_reloader\_chart\_version) | The version of the Reloader Helm chart. Ensure that the chart version is compatible with the image version specified in reloader\_image\_version. | `string` | `"2.2.3"` | no |
 | [reloader\_custom\_values](#input\_reloader\_custom\_values) | String containing custom values to be used for reloader helm chart. See https://github.com/stakater/Reloader/blob/master/deployments/kubernetes/chart/reloader/values.yaml | `string` | `null` | no |
 | [reloader\_deployed](#input\_reloader\_deployed) | Whether to deploy reloader or not https://github.com/stakater/Reloader | `bool` | `true` | no |
 | [reloader\_ignore\_configmaps](#input\_reloader\_ignore\_configmaps) | Whether to ignore configmap changes or not | `bool` | `false` | no |
 | [reloader\_ignore\_secrets](#input\_reloader\_ignore\_secrets) | Whether to ignore secret changes or not | `bool` | `false` | no |
 | [reloader\_image](#input\_reloader\_image) | The reloader image repository in the format of `[registry-url]/[namespace]/[image]`. | `string` | `"ghcr.io/stakater/reloader"` | no |
-| [reloader\_image\_version](#input\_reloader\_image\_version) | The version or digest for the reloader image to deploy. If changing the value, ensure it is compatible with the chart version set in reloader\_chart\_version.
| `string` | `"v1.4.6-ubi@sha256:98403ed026af2eac04796f8e3d99530ed7f251a5d40b50ac172a008933338d48"` | no |
+| [reloader\_image\_version](#input\_reloader\_image\_version) | The version or digest for the reloader image to deploy. If changing the value, ensure it is compatible with the chart version set in reloader\_chart\_version. | `string` | `"v1.4.8-ubi@sha256:d87801fae5424f347d34b776ba25ea0c1ba80a8b50ba91ece0777206a47d91d3"` | no |
 | [reloader\_is\_argo\_rollouts](#input\_reloader\_is\_argo\_rollouts) | Enable Argo Rollouts | `bool` | `false` | no |
 | [reloader\_is\_openshift](#input\_reloader\_is\_openshift) | Enable OpenShift DeploymentConfigs | `bool` | `true` | no |
 | [reloader\_log\_format](#input\_reloader\_log\_format) | The log format to use for reloader. Possible values are `json` or `text`. Default value is `json` | `string` | `"text"` | no |
diff --git a/examples/all-combined/clusterstore.tf b/examples/all-combined/clusterstore.tf
index 795e59e6..8cb49760 100644
--- a/examples/all-combined/clusterstore.tf
+++ b/examples/all-combined/clusterstore.tf
@@ -39,7 +39,7 @@ locals {
 # Create username_password secret and store in secret manager
 module "sm_userpass_secret" {
 source = "terraform-ibm-modules/secrets-manager-secret/ibm"
- version = "1.7.0"
+ version = "1.9.0"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_id = module.secrets_manager_group.secret_group_id
@@ -51,8 +51,8 @@ module "sm_userpass_secret" {
 #tfsec:ignore:general-secrets-no-plaintext-exposure
 secret_username = "artifactory-user" # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
 secret_auto_rotation = false
- secret_auto_rotation_interval = 0
- secret_auto_rotation_unit = null
+ secret_auto_rotation_interval = 1
+ secret_auto_rotation_unit = "day"
 providers = {
 ibm = ibm.ibm-sm
 }
diff --git a/examples/all-combined/main.tf b/examples/all-combined/main.tf
index cbbc5537..fa5f5ca9 100644
--- a/examples/all-combined/main.tf
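Review bot: With `secret_auto_rotation = false` still in place three lines above, the new `secret_auto_rotation_interval = 1` / `secret_auto_rotation_unit = "day"` read as if a daily rotation schedule is configured, and this example is what users copy into their own configurations. Presumably the bump of terraform-ibm-modules/secrets-manager-secret to 1.9.0 in the preceding hunk no longer accepts `0`/`null` for these inputs, but nothing in the example says so; add `# auto rotation is disabled above; interval/unit are placeholder values accepted by the module, not an active schedule` before `secret_auto_rotation = false`, or drop the two inputs if the module's defaults are acceptable. The same pairing appears in examples/basic/main.tf (hunk @@ -382) and in solutions/fully-configurable/example-secrets-configuration.md. The `module "sm_userpass_secret"` block begins before this hunk.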
+++ b/examples/all-combined/main.tf
@@ -79,7 +79,7 @@ module "zone_subnet_addrs" {
 module "vpc" {
 source = "terraform-ibm-modules/vpc/ibm"
- version = "1.5.1"
+ version = "1.5.2"
 vpc_name = "${var.prefix}-vpc"
 resource_group_id = module.resource_group.resource_group_id
 locations = []
@@ -96,7 +96,7 @@ module "vpc" {
 module "subnet_prefix" {
 source = "terraform-ibm-modules/vpc/ibm//modules/vpc-address-prefix"
- version = "1.5.1"
+ version = "1.5.2"
 count = length(local.subnet_prefix)
 name = "${var.prefix}-z-${local.subnet_prefix[count.index].label}-${split("-", local.subnet_prefix[count.index].zone)[2]}"
 location = local.subnet_prefix[count.index].zone
@@ -108,7 +108,7 @@ module "subnet_prefix" {
 module "subnets" {
 depends_on = [module.subnet_prefix]
 source = "terraform-ibm-modules/vpc/ibm//modules/subnet"
- version = "1.5.1"
+ version = "1.5.2"
 count = length(local.subnet_prefix)
 location = local.subnet_prefix[count.index].zone
 vpc_id = module.vpc.vpc.vpc_id
@@ -120,7 +120,7 @@ module "subnets" {
 module "public_gateways" {
 source = "terraform-ibm-modules/vpc/ibm//modules/public-gateway"
- version = "1.5.1"
+ version = "1.5.2"
 count = length(var.zones)
 vpc_id = module.vpc.vpc.vpc_id
 location = "${var.region}-${var.zones[count.index]}"
@@ -130,7 +130,7 @@ module "public_gateways" {
 module "security_group" {
 source = "terraform-ibm-modules/vpc/ibm//modules/security-group"
- version = "1.5.1"
+ version = "1.5.2"
 depends_on = [module.vpc]
 create_security_group = false
 resource_group_id = module.resource_group.resource_group_id
@@ -176,7 +176,7 @@ locals {
 module "network_acl" {
 source = "terraform-ibm-modules/vpc/ibm//modules/network-acl"
- version = "1.5.1"
+ version = "1.5.2"
 name = "${var.prefix}-vpc-acl"
 vpc_id = module.vpc.vpc.vpc_id
 resource_group_id = module.resource_group.resource_group_id
@@ -186,7 +186,7 @@ module "network_acl" {
 # OCP CLUSTER creation
 module "ocp_base" {
 source = "terraform-ibm-modules/base-ocp-vpc/ibm"
- version = "3.55.4"
+ version = "3.60.0"
 cluster_name = "${var.prefix}-vpc"
 resource_group_id = module.resource_group.resource_group_id
 region = var.region
@@ -231,7 +231,7 @@ data "ibm_cis" "cis_instance" {
 module "vpes" {
 source = "terraform-ibm-modules/vpe-gateway/ibm"
- version = "4.7.5"
+ version = "4.7.7"
 count = var.service_endpoints == "private" ? 1 : 0
 region = var.region
 prefix = "vpe"
diff --git a/examples/all-combined/privatecertificate.tf b/examples/all-combined/privatecertificate.tf
index 7bc971f4..f3fa9b32 100644
--- a/examples/all-combined/privatecertificate.tf
+++ b/examples/all-combined/privatecertificate.tf
@@ -13,7 +13,7 @@ locals {
 # private certificate engine
 module "secrets_manager_private_secret_engine" {
 source = "terraform-ibm-modules/secrets-manager-private-cert-engine/ibm"
- version = "1.6.7"
+ version = "1.6.11"
 secrets_manager_guid = local.sm_guid
 region = local.sm_region
 root_ca_name = var.pvt_ca_name != null ? var.pvt_ca_name : "pvt-${var.prefix}-project-root-ca"
@@ -30,7 +30,7 @@ module "secrets_manager_private_secret_engine" {
 module "secrets_manager_private_certificate" {
 depends_on = [module.secrets_manager_private_secret_engine]
 source = "terraform-ibm-modules/secrets-manager-private-cert/ibm"
- version = "1.4.4"
+ version = "1.4.7"
 cert_name = "${var.prefix}-sm-private-cert"
 cert_description = "Private certificate for ${local.pvt_cert_common_name}"
 cert_secrets_group_id = module.secrets_manager_group.secret_group_id
diff --git a/examples/all-combined/publiccertificate.tf b/examples/all-combined/publiccertificate.tf
index 36435cc9..9b7cdba5 100644
--- a/examples/all-combined/publiccertificate.tf
+++ b/examples/all-combined/publiccertificate.tf
@@ -8,7 +8,7 @@ module "secrets_manager_public_cert_engine" {
 count = (var.acme_letsencrypt_private_key != null || (var.acme_letsencrypt_private_key_sm_id != null && var.acme_letsencrypt_private_key_secret_id != null && var.acme_letsencrypt_private_key_sm_region != null)) ? 1 : 0
 source = "terraform-ibm-modules/secrets-manager-public-cert-engine/ibm"
- version = "1.1.9"
+ version = "1.1.14"
 secrets_manager_guid = local.sm_guid
 region = local.sm_region
 internet_services_crn = data.ibm_cis.cis_instance.id
diff --git a/examples/all-combined/secretsmanager.tf b/examples/all-combined/secretsmanager.tf
index b58de8d3..0685bbb0 100644
--- a/examples/all-combined/secretsmanager.tf
+++ b/examples/all-combined/secretsmanager.tf
@@ -36,7 +36,7 @@ resource "ibm_resource_instance" "secrets_manager" {
 # create secrets group for secrets
 module "secrets_manager_group" {
 source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
- version = "1.3.13"
+ version = "1.3.15"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_name = "${var.prefix}-secret-group" #checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
@@ -49,7 +49,7 @@ module "secrets_manager_group" {
 # additional secrets manager secret group for service level secrets
 module "secrets_manager_group_acct" {
 source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
- version = "1.3.13"
+ version = "1.3.15"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 #tfsec:ignore:general-secrets-no-plaintext-exposure
diff --git a/examples/all-combined/secretstore.tf b/examples/all-combined/secretstore.tf
index 3c16d26a..71c0ee96 100644
--- a/examples/all-combined/secretstore.tf
+++ b/examples/all-combined/secretstore.tf
@@ -50,7 +50,7 @@ locals {
 # create the arbitrary secret and store in secret manager
 module "sm_arbitrary_imagepull_secret" {
 source = "terraform-ibm-modules/secrets-manager-secret/ibm"
- version = "1.7.0"
+ version = "1.9.0"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_id = module.secrets_manager_group.secret_group_id
diff --git a/examples/all-combined/tpauth_cluster_sstore.tf b/examples/all-combined/tpauth_cluster_sstore.tf
index 832afbc9..5bbcbd41 100644
--- a/examples/all-combined/tpauth_cluster_sstore.tf
+++ b/examples/all-combined/tpauth_cluster_sstore.tf
@@ -7,7 +7,7 @@
 # creating a secrets group for clustersecretstore with trustedprofile auth
 module "tp_clusterstore_secrets_manager_group" {
 source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
- version = "1.3.13"
+ version = "1.3.15"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_name = "${var.prefix}-cpstore-tp-secret-group" #checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
@@ -53,7 +53,7 @@ module "eso_clusterstore_tpauth" {
 # arbitrary secret to be synched through the clustersecretstore with TP authentication
 module "sm_cstore_arbitrary_secret_tp" {
 source = "terraform-ibm-modules/secrets-manager-secret/ibm"
- version = "1.7.0"
+ version = "1.9.0"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_id = module.tp_clusterstore_secrets_manager_group.secret_group_id
diff --git a/examples/all-combined/tpauth_namespaced_sstore.tf b/examples/all-combined/tpauth_namespaced_sstore.tf
index a70abf01..19e3a23c 100644
--- a/examples/all-combined/tpauth_namespaced_sstore.tf
+++ b/examples/all-combined/tpauth_namespaced_sstore.tf
@@ -40,7 +40,7 @@ module "eso_tp_namespace_secretstores" {
 # creating a secrets group for each namespace to be used for namespaced secretstores with trustedprofile auth
 module "tp_secrets_manager_groups" {
 source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
- version = "1.3.13"
+ version = "1.3.15"
 count = length(var.es_namespaces_tp)
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
@@ -67,7 +67,7 @@ module "external_secrets_trusted_profiles" {
 module "sm_arbitrary_secrets_tp" {
 count = length(var.es_namespaces_tp)
 source = "terraform-ibm-modules/secrets-manager-secret/ibm"
- version = "1.7.0"
+ version = "1.9.0"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_id = module.tp_secrets_manager_groups[count.index].secret_group_id
@@ -140,7 +140,7 @@ module "eso_tp_namespace_secretstore_multisg" {
 # creating two secrets groups for a single namespace to test trusted profile policy on multiple secrets groups
 module "tp_secrets_manager_group_multi_1" {
 source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
- version = "1.3.13"
+ version = "1.3.15"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_name = "${var.prefix}-tp-secret-group-multisg-1" #checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
@@ -152,7 +152,7 @@ module "tp_secrets_manager_group_multi_1" {
 module "tp_secrets_manager_group_multi_2" {
 source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
- version = "1.3.13"
+ version = "1.3.15"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_name = "${var.prefix}-tp-secret-group-multisg-21" #checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
@@ -165,7 +165,7 @@ module "tp_secrets_manager_group_multi_2" {
 # arbitrary secret for secrets group 1
 module "sm_arbitrary_secret_tp_multisg_1" {
 source = "terraform-ibm-modules/secrets-manager-secret/ibm"
- version = "1.7.0"
+ version = "1.9.0"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_id = module.tp_secrets_manager_group_multi_1.secret_group_id
@@ -182,7 +182,7 @@ module "sm_arbitrary_secret_tp_multisg_1" {
 # arbitrary secret for secrets group 2
 module "sm_arbitrary_secret_tp_multisg_2" {
 source = "terraform-ibm-modules/secrets-manager-secret/ibm"
- version = "1.7.0"
+ version = "1.9.0"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_id = module.tp_secrets_manager_group_multi_2.secret_group_id
@@ -285,7 +285,7 @@ module "eso_tp_namespace_secretstore_nosecgroup" {
 # creating secrets group for a single namespace to test trusted profile policy without any secret group in the TP policy
 module "tp_secrets_manager_group_not_for_policy" {
 source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
- version = "1.3.13"
+ version = "1.3.15"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_name = "${var.prefix}-tp-secret-group-not-for-policy" #checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
@@ -298,7 +298,7 @@ module "tp_secrets_manager_group_not_for_policy" {
 # arbitrary secret to use with external secret with auth using TP and policy not restricted to secrets group
 module "sm_arbitrary_secret_tp_nosecgroup" {
 source = "terraform-ibm-modules/secrets-manager-secret/ibm"
- version = "1.7.0"
+ version = "1.9.0"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_id = module.tp_secrets_manager_group_not_for_policy.secret_group_id
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index 0d863367..37c62828 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
@@ -91,7 +91,7 @@ module "zone_subnet_addrs" {
 module "vpc" {
 source = "terraform-ibm-modules/vpc/ibm"
- version = "1.5.1"
+ version = "1.5.2"
 vpc_name = "${var.prefix}-vpc"
 resource_group_id = module.resource_group.resource_group_id
 locations = []
@@ -108,7 +108,7 @@ module "vpc" {
 module "subnet_prefix" {
 source = "terraform-ibm-modules/vpc/ibm//modules/vpc-address-prefix"
- version = "1.5.1"
+ version = "1.5.2"
 count = length(local.subnet_prefix)
 name = "${var.prefix}-z-${local.subnet_prefix[count.index].label}-${split("-", local.subnet_prefix[count.index].zone)[2]}"
 location = local.subnet_prefix[count.index].zone
@@ -120,7 +120,7 @@ module "subnet_prefix" {
 module "subnets" {
 depends_on = [module.subnet_prefix]
 source = "terraform-ibm-modules/vpc/ibm//modules/subnet"
- version = "1.5.1"
+ version = "1.5.2"
 count = length(local.subnet_prefix)
 location = local.subnet_prefix[count.index].zone
 vpc_id = module.vpc.vpc.vpc_id
@@ -132,7 +132,7 @@ module "subnets" {
 module "public_gateways" {
 source = "terraform-ibm-modules/vpc/ibm//modules/public-gateway"
- version = "1.5.1"
+ version = "1.5.2"
 count = length(var.zones)
 vpc_id = module.vpc.vpc.vpc_id
 location = "${var.region}-${var.zones[count.index]}"
@@ -142,7 +142,7 @@ module "public_gateways" {
 module "security_group" {
 source = "terraform-ibm-modules/vpc/ibm//modules/security-group"
- version = "1.5.1"
+ version = "1.5.2"
 depends_on = [module.vpc]
 create_security_group = false
 resource_group_id = module.resource_group.resource_group_id
@@ -188,7 +188,7 @@ locals {
 module "network_acl" {
 source = "terraform-ibm-modules/vpc/ibm//modules/network-acl"
- version = "1.5.1"
+ version = "1.5.2"
 name = "${var.prefix}-vpc-acl"
 vpc_id = module.vpc.vpc.vpc_id
 resource_group_id = module.resource_group.resource_group_id
@@ -198,7 +198,7 @@ module "network_acl" {
 # OCP CLUSTER creation
 module "ocp_base" {
 source = "terraform-ibm-modules/base-ocp-vpc/ibm"
- version = "3.55.4"
+ version = "3.60.0"
 cluster_name = "${var.prefix}-vpc"
 resource_group_id = module.resource_group.resource_group_id
 region = var.region
@@ -267,7 +267,7 @@ resource "ibm_resource_instance" "secrets_manager" {
 # Additional Secrets-Manager Secret-Group for SERVICE level secrets
 module "secrets_manager_group_acct" {
 source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
- version = "1.3.13"
+ version = "1.3.15"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 #tfsec:ignore:general-secrets-no-plaintext-exposure
@@ -370,7 +370,7 @@ locals {
 # Create username_password secret and store in secret manager
 module "sm_userpass_secret" {
 source = "terraform-ibm-modules/secrets-manager-secret/ibm"
- version = "1.7.0"
+ version = "1.9.0"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_id = module.secrets_manager_group_acct.secret_group_id
@@ -382,8 +382,8 @@ module "sm_userpass_secret" {
 #tfsec:ignore:general-secrets-no-plaintext-exposure
 secret_username = "artifactory-user" # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
 secret_auto_rotation = false
- secret_auto_rotation_interval = 0
- secret_auto_rotation_unit = null
+ secret_auto_rotation_interval = 1
+ secret_auto_rotation_unit = "day"
 providers = {
 ibm = ibm.ibm-sm
 }
diff --git a/examples/basic/version.tf b/examples/basic/version.tf
index 0d085ccc..f3de3ba8 100644
--- a/examples/basic/version.tf
+++ b/examples/basic/version.tf
@@ -15,7 +15,7 @@ terraform {
 }
 ibm = {
 source = "IBM-Cloud/ibm"
- version = "= 1.79.0"
+ version = "= 1.79.2"
 }
 null = {
 source = "hashicorp/null"
diff --git a/examples/trusted-profiles-authentication/main.tf b/examples/trusted-profiles-authentication/main.tf
index 3c60bbe3..5a570f11 100644
--- a/examples/trusted-profiles-authentication/main.tf
+++ b/examples/trusted-profiles-authentication/main.tf
@@ -41,7 +41,7 @@ resource "ibm_resource_instance" "secrets_manager" {
 module "secrets_manager_groups" {
 source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
- version = "1.3.13"
+ version = "1.3.15"
 count = length(kubernetes_namespace.examples)
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
@@ -71,7 +71,7 @@ resource "kubernetes_namespace" "examples" {
 module "sm_arbitrary_secrets" {
 count = length(kubernetes_namespace.examples)
 source = "terraform-ibm-modules/secrets-manager-secret/ibm"
- version = "1.7.0"
+ version = "1.9.0"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_id = module.secrets_manager_groups[count.index].secret_group_id
@@ -166,7 +166,7 @@ module "external_secrets" {
 module "vpes" {
 source = "terraform-ibm-modules/vpe-gateway/ibm"
- version = "4.7.5"
+ version = "4.7.7"
 count = var.service_endpoints == "private" ? 1 : 0
 region = var.region
 prefix = "vpe"
diff --git a/solutions/fully-configurable/DA-details.md b/solutions/fully-configurable/DA-details.md
index 2c4cf667..f0ac3016 100644
--- a/solutions/fully-configurable/DA-details.md
+++ b/solutions/fully-configurable/DA-details.md
@@ -6,7 +6,7 @@ External Secrets Operator synchronizes secrets in the Kubernetes cluster with se
 The architecture provides the following features:
 - Install and configure External Secrets Operator (ESO).
-- Customise External Secret Operator deployment on specific cluster workers by configuration approriate NodeSelector and Tolerations in the ESO helm release [More details below](#customise-eso-deployment-on-specific-cluster-nodes)
+- Customise External Secret Operator deployment on specific cluster workers by configuration appropriate NodeSelector and Tolerations in the ESO helm release [More details below](#customise-eso-deployment-on-specific-cluster-nodes)
 - Deploy and configure [ClusterSecretStore](https://external-secrets.io/latest/api/clustersecretstore/) resources for cluster scope secrets store
 - Deploy and configure [SecretStore](https://external-secrets.io/latest/api/secretstore/) resources for namespace scope secrets store
 - Leverage on two authentication methods to be configured on the single stores instances:
diff --git a/solutions/fully-configurable/example-secrets-configuration.md b/solutions/fully-configurable/example-secrets-configuration.md
index 1f8e337c..f4958b6b 100644
--- a/solutions/fully-configurable/example-secrets-configuration.md
+++ b/solutions/fully-configurable/example-secrets-configuration.md
@@ -29,8 +29,8 @@ module "sm_userpass_secret" {
 #tfsec:ignore:general-secrets-no-plaintext-exposure
 secret_username = "artifactory-user" # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
 secret_auto_rotation = false
- secret_auto_rotation_interval = 0
- secret_auto_rotation_unit = null
+ secret_auto_rotation_interval = 1
+ secret_auto_rotation_unit = "day"
 providers = {
 ibm = ibm.ibm-sm
 }
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 28cdfafa..0012682a 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -107,7 +107,7 @@ module "cluster_secrets_stores_service_secrets_groups" {
 for idx, element in local.cluster_secrets_stores_service_secrets_groups_list : element.key => element
 })
 source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
- version = "1.3.13"
+ version = "1.3.15"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_name = each.value.name # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
@@ -167,7 +167,7 @@ module "cluster_secrets_stores_account_secrets_groups" {
 } if(cluster_secrets_store.existing_account_secrets_group_id == null || cluster_secrets_store.existing_account_secrets_group_id == "") && cluster_secrets_store.account_secrets_group_name != null
 })
 source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
- version = "1.3.13"
+ version = "1.3.15"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_name = each.value.name # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
@@ -366,7 +366,7 @@ module "secrets_stores_service_secrets_groups" {
 for idx, element in local.secrets_stores_service_secrets_groups_list : element.key => element
 })
 source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
- version = "1.3.13"
+ version = "1.3.15"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_name = each.value.name # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
@@ -426,7 +426,7 @@ module "secrets_stores_account_secrets_groups" {
 } if(secrets_store.existing_account_secrets_group_id == null || secrets_store.existing_account_secrets_group_id == "") && secrets_store.account_secrets_group_name != null
 })
 source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
- version = "1.3.13"
+ version = "1.3.15"
 region = local.sm_region
 secrets_manager_guid = local.sm_guid
 secret_group_name = each.value.name # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index ed6b44ae..1c37ac4c 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -146,7 +146,7 @@ variable "eso_image" {
 variable "eso_image_version" {
 type = string
 description = "The version or digest for the external secrets image to deploy. If changing the value, ensure it is compatible with the chart version set in eso_chart_version."
- default = "v0.19.2-ubi@sha256:b85e577e14c0a943e5eda57d631012d8fe7cea0e747069bfd9fdf3736cdad3ad" # datasource: ghcr.io/external-secrets/external-secrets
+ default = "v0.20.1-ubi@sha256:33dc5f563339e6332e1549c9e3c2b362d1e1b03acada1386a6f2c6f2d5af4a6e" # datasource: ghcr.io/external-secrets/external-secrets
 nullable = false
 validation {
 condition = can(regex("(^v\\d+\\.\\d+.\\d+(\\-\\w+)?(\\@sha256\\:\\w+){0,1})$", var.eso_image_version))
@@ -288,7 +288,7 @@ variable "reloader_image" {
 variable "reloader_image_version" {
 type = string
 description = "The version or digest for the reloader image to deploy. If changing the value, ensure it is compatible with the chart version set in reloader_chart_version."
- default = "v1.4.6-ubi@sha256:98403ed026af2eac04796f8e3d99530ed7f251a5d40b50ac172a008933338d48" # datasource: ghcr.io/stakater/reloader
+ default = "v1.4.8-ubi@sha256:d87801fae5424f347d34b776ba25ea0c1ba80a8b50ba91ece0777206a47d91d3" # datasource: ghcr.io/stakater/reloader
 nullable = false
 validation {
 condition = can(regex("(^v\\d+\\.\\d+.\\d+(\\-\\w+)?(\\@sha256\\:\\w+){0,1})$", var.reloader_image_version))
@@ -306,7 +306,7 @@ variable "reloader_chart_location" {
 variable "reloader_chart_version" {
 type = string
 description = "The version of the Reloader Helm chart. Ensure that the chart version is compatible with the image version specified in reloader_image_version."
- default = "2.2.0" # registryUrl: stakater.github.io/stakater-charts
+ default = "2.2.3" # registryUrl: stakater.github.io/stakater-charts
 nullable = false
 }
diff --git a/solutions/fully-configurable/version.tf b/solutions/fully-configurable/version.tf
index 78896629..af2336d2 100644
--- a/solutions/fully-configurable/version.tf
+++ b/solutions/fully-configurable/version.tf
@@ -11,7 +11,7 @@ terraform {
 }
 ibm = {
 source = "IBM-Cloud/ibm"
- version = "1.81.1"
+ version = "1.82.1"
 }
 }
 }
diff --git a/tests/existing-resources/main.tf b/tests/existing-resources/main.tf
index 8b902e19..96a5616d 100644
--- a/tests/existing-resources/main.tf
+++ b/tests/existing-resources/main.tf
@@ -77,7 +77,7 @@ module "zone_subnet_addrs" {
 module "vpc" {
 source = "terraform-ibm-modules/vpc/ibm"
- version = "1.5.1"
+ version = "1.5.2"
 vpc_name = "${var.prefix}-vpc"
 resource_group_id = module.resource_group.resource_group_id
 locations = []
@@ -94,7 +94,7 @@ module "vpc" {
 module "subnet_prefix" {
 source = "terraform-ibm-modules/vpc/ibm//modules/vpc-address-prefix"
- version = "1.5.1"
+ version = "1.5.2"
 count = length(local.subnet_prefix)
 name = "${var.prefix}-z-${local.subnet_prefix[count.index].label}-${split("-", local.subnet_prefix[count.index].zone)[2]}"
 location = local.subnet_prefix[count.index].zone
@@ -106,7 +106,7 @@ module "subnet_prefix" {
 module "subnets" {
 depends_on = [module.subnet_prefix]
 source = "terraform-ibm-modules/vpc/ibm//modules/subnet"
- version = "1.5.1"
+ version = "1.5.2"
 count = length(local.subnet_prefix)
 location = local.subnet_prefix[count.index].zone
 vpc_id = module.vpc.vpc.vpc_id
@@ -118,7 +118,7 @@ module "subnets" {
 module "public_gateways" {
 source = "terraform-ibm-modules/vpc/ibm//modules/public-gateway"
- version = "1.5.1"
+ version = "1.5.2"
 count = length(var.zones)
 vpc_id = module.vpc.vpc.vpc_id
 location = "${var.region}-${var.zones[count.index]}"
@@ -128,7 +128,7 @@ module "public_gateways" {
 module "security_group" {
 source = "terraform-ibm-modules/vpc/ibm//modules/security-group"
- version = "1.5.1"
+ version = "1.5.2"
 depends_on = [module.vpc]
 create_security_group = false
 resource_group_id = module.resource_group.resource_group_id
@@ -174,7 +174,7 @@ locals {
 module "network_acl" {
 source = "terraform-ibm-modules/vpc/ibm//modules/network-acl"
- version = "1.5.1"
+ version = "1.5.2"
 name = "${var.prefix}-vpc-acl"
 vpc_id = module.vpc.vpc.vpc_id
 resource_group_id = module.resource_group.resource_group_id
@@ -184,7 +184,7 @@ module "network_acl" {
 # OCP CLUSTER creation
 module "ocp_base" {
 source = "terraform-ibm-modules/base-ocp-vpc/ibm"
- version = "3.55.4"
+ version = "3.60.0"
 cluster_name = "${var.prefix}-vpc"
 resource_group_id = module.resource_group.resource_group_id
 region = var.region
diff --git a/tests/go.mod b/tests/go.mod
index 61e1628a..296db52b 100644
--- a/tests/go.mod
+++ b/tests/go.mod
@@ -2,12 +2,12 @@ module github.com/terraform-ibm-modules/terraform-ibm-external-secrets-operator
 go 1.24.0
-toolchain go1.25.0
+toolchain go1.25.1
 require (
 github.com/gruntwork-io/terratest v0.50.0
- github.com/stretchr/testify v1.10.0
- github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.59.0
+ github.com/stretchr/testify v1.11.1
+ github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.60.6
 gopkg.in/yaml.v3 v3.0.1
 k8s.io/apimachinery v0.33.4
 )
@@ -19,7 +19,7 @@ require (
 github.com/IBM-Cloud/power-go-client v1.12.0 // indirect
 github.com/IBM/cloud-databases-go-sdk v0.8.0 // indirect
 github.com/IBM/go-sdk-core/v5 v5.21.0 // indirect
- github.com/IBM/platform-services-go-sdk v0.85.1 // indirect
+ github.com/IBM/platform-services-go-sdk v0.86.1 // indirect
 github.com/IBM/project-go-sdk v0.3.6 // indirect
 github.com/IBM/schematics-go-sdk v0.4.0 // indirect
 github.com/IBM/vpc-go-sdk v1.0.2 // indirect
@@ -161,7 +161,7 @@ require (
 golang.org/x/mod v0.26.0 // indirect
 golang.org/x/net v0.42.0 // indirect
 golang.org/x/oauth2 v0.24.0 // indirect
- golang.org/x/sync v0.16.0 // indirect
+ golang.org/x/sync v0.17.0 // indirect
 golang.org/x/sys v0.35.0 // indirect
 golang.org/x/term v0.34.0 // indirect
 golang.org/x/text v0.28.0 // indirect
diff --git a/tests/go.sum b/tests/go.sum
index e2158364..08a6af68 100644
--- a/tests/go.sum
+++ b/tests/go.sum
@@ -13,8 +13,8 @@ github.com/IBM/cloud-databases-go-sdk v0.8.0/go.mod h1:JYucI1PdwqbAd8XGdDAchxzxR
 github.com/IBM/go-sdk-core/v5 v5.9.2/go.mod h1:YlOwV9LeuclmT/qi/LAK2AsobbAP42veV0j68/rlZsE=
 github.com/IBM/go-sdk-core/v5 v5.21.0 h1:DUnYhvC4SoC8T84rx5omnhY3+xcQg/Whyoa3mDPIMkk=
 github.com/IBM/go-sdk-core/v5 v5.21.0/go.mod h1:Q3BYO6iDA2zweQPDGbNTtqft5tDcEpm6RTuqMlPcvbw=
-github.com/IBM/platform-services-go-sdk v0.85.1 h1:lrBEeGaIajhSPMB6cPVAx53XTtVGrKOeA36gIXh2FYI=
-github.com/IBM/platform-services-go-sdk v0.85.1/go.mod h1:aGD045m6I8pfcB77wft8w2cHqWOJjcM3YSSV55BX0Js=
+github.com/IBM/platform-services-go-sdk v0.86.1 h1:ngBpaXvUF3gmLvbU1Z4lX1wowOSYgGoKBEBaR/urt30=
+github.com/IBM/platform-services-go-sdk v0.86.1/go.mod h1:aGD045m6I8pfcB77wft8w2cHqWOJjcM3YSSV55BX0Js=
 github.com/IBM/project-go-sdk v0.3.6 h1:DRiANKnAePevFsIKSvR89SUaMa2xsd7YKK71Ka1eqKI=
 github.com/IBM/project-go-sdk v0.3.6/go.mod h1:FOJM9ihQV3EEAY6YigcWiTNfVCThtdY8bLC/nhQHFvo=
 github.com/IBM/schematics-go-sdk v0.4.0 h1:x01f/tPquYJYLQzJLGuxWfCbV/EdSMXRikOceNy/JLM=
@@ -451,10 +451,10 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.59.0 h1:h+CvNQyeiieMXBSNESrHNVPJXj388T+sa4paV48nfl8=
-github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.59.0/go.mod h1:6Wz8vnBelmRZxD5qjm5K4MpvPPWpoCWRPzG76j0B36g=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.60.6 h1:Tr7AlrQ+s1Nc9VOwB+It8sItnDOXhfXTxKqI2KtdyFA=
+github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.60.6/go.mod h1:YBrRYc+5y5Pr9CXmY35lOqTQdlIjA4x4+3iVObXGOCE=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tmccombs/hcl2json v0.6.4 h1:/FWnzS9JCuyZ4MNwrG4vMrFrzRgsWEOVi+1AyYUVLGw=
 github.com/tmccombs/hcl2json v0.6.4/go.mod h1:+ppKlIW3H5nsAsZddXPy2iMyvld3SHxyjswOZhavRDk=
@@ -564,8 +564,8 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
diff --git a/variables.tf b/variables.tf
index 76da6562..894fac13 100644
--- a/variables.tf
+++ b/variables.tf
@@ -77,7 +77,7 @@ variable "eso_image" {
 variable "eso_image_version" {
 type = string
 description = "The version or digest for the external secrets image to deploy. If changing the value, ensure it is compatible with the chart version set in eso_chart_version."
- default = "v0.19.2-ubi@sha256:b85e577e14c0a943e5eda57d631012d8fe7cea0e747069bfd9fdf3736cdad3ad" # datasource: ghcr.io/external-secrets/external-secrets
+ default = "v0.20.1-ubi@sha256:33dc5f563339e6332e1549c9e3c2b362d1e1b03acada1386a6f2c6f2d5af4a6e" # datasource: ghcr.io/external-secrets/external-secrets
 nullable = false
 validation {
 condition = can(regex("(^v\\d+\\.\\d+.\\d+(\\-\\w+)?(\\@sha256\\:\\w+){0,1})$", var.eso_image_version))
@@ -204,7 +204,7 @@ variable "reloader_image" {
 variable "reloader_image_version" {
 type = string
 description = "The version or digest for the reloader image to deploy. If changing the value, ensure it is compatible with the chart version set in reloader_chart_version."
- default = "v1.4.6-ubi@sha256:98403ed026af2eac04796f8e3d99530ed7f251a5d40b50ac172a008933338d48" # datasource: ghcr.io/stakater/reloader
+ default = "v1.4.8-ubi@sha256:d87801fae5424f347d34b776ba25ea0c1ba80a8b50ba91ece0777206a47d91d3" # datasource: ghcr.io/stakater/reloader
 nullable = false
 validation {
 condition = can(regex("(^v\\d+\\.\\d+.\\d+(\\-\\w+)?(\\@sha256\\:\\w+){0,1})$", var.reloader_image_version))
@@ -222,6 +222,6 @@ variable "reloader_chart_location" {
 variable "reloader_chart_version" {
 type = string
 description = "The version of the Reloader Helm chart. Ensure that the chart version is compatible with the image version specified in reloader_image_version."
- default = "2.2.0" # registryUrl: stakater.github.io/stakater-charts
+ default = "2.2.3" # registryUrl: stakater.github.io/stakater-charts
 nullable = false
 }