Merged
9 changes: 4 additions & 5 deletions README.md
Expand Up @@ -32,7 +32,7 @@ External Secrets Operator synchronizes secrets in the Kubernetes cluster with se

The module provides the following features:
- Install and configure External Secrets Operator (ESO).
- Customise External Secret Operator deployment on specific cluster workers by configuration approriate NodeSelector and Tolerations in the ESO helm release [More details below](#customise-eso-deployment-on-specific-cluster-nodes)
- Customise External Secret Operator deployment on specific cluster workers by configuration appropriate NodeSelector and Tolerations in the ESO helm release [More details below](#customise-eso-deployment-on-specific-cluster-nodes)

The submodules automate the configuration of an operator, providing the following features:
- Deploy and configure [ClusterSecretStore](https://external-secrets.io/latest/api/clustersecretstore/) resources for cluster scope secrets store [eso-clusterstore](./eso-clusterstore/README.md)
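Review bot: the spelling fix at line 30 leaves the sentence ungrammatical ("by configuration appropriate NodeSelector and Tolerations"); while touching it, change it to "by configuring the appropriate NodeSelector and Tolerations in the ESO helm release" and attach the link as part of the sentence, e.g. "(more details below)" with the same anchor, instead of the dangling "More details below" fragment.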
Expand Down Expand Up @@ -116,7 +116,6 @@ will make the External Secret Operator to run on clusters nodes labeled with `de
The resulting helm release configuration, according to the `terraform plan` output would be like

```bash

(...)
# module.external_secrets_operator.helm_release.external_secrets_operator[0] will be created
+ resource "helm_release" "external_secrets_operator" {
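Review bot: the fence at line 37 is tagged `bash` but its body is `terraform plan` output (HCL-style resource blocks with `+` markers), not a shell session; tagging it `hcl` or leaving it untagged avoids misleading highlighting of the `+ resource` lines. Dropping the leading blank line inside the fence is fine.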
Expand Down Expand Up @@ -520,18 +519,18 @@ You need the following permissions to run this module.
| <a name="input_eso_cluster_nodes_configuration"></a> [eso\_cluster\_nodes\_configuration](#input\_eso\_cluster\_nodes\_configuration) | Configuration to use to customise ESO deployment on specific cluster nodes. Setting appropriate values will result in customising ESO helm release. Default value is null to keep ESO standard deployment. | <pre>object({<br/> nodeSelector = object({<br/> label = string<br/> value = string<br/> })<br/> tolerations = object({<br/> key = string<br/> operator = string<br/> value = string<br/> effect = string<br/> })<br/> })</pre> | `null` | no |
| <a name="input_eso_enroll_in_servicemesh"></a> [eso\_enroll\_in\_servicemesh](#input\_eso\_enroll\_in\_servicemesh) | Flag to enroll ESO into istio servicemesh | `bool` | `false` | no |
| <a name="input_eso_image"></a> [eso\_image](#input\_eso\_image) | The External Secrets Operator image in the format of `[registry-url]/[namespace]/[image]`. | `string` | `"ghcr.io/external-secrets/external-secrets"` | no |
| <a name="input_eso_image_version"></a> [eso\_image\_version](#input\_eso\_image\_version) | The version or digest for the external secrets image to deploy. If changing the value, ensure it is compatible with the chart version set in eso\_chart\_version. | `string` | `"v0.19.2-ubi@sha256:b85e577e14c0a943e5eda57d631012d8fe7cea0e747069bfd9fdf3736cdad3ad"` | no |
| <a name="input_eso_image_version"></a> [eso\_image\_version](#input\_eso\_image\_version) | The version or digest for the external secrets image to deploy. If changing the value, ensure it is compatible with the chart version set in eso\_chart\_version. | `string` | `"v0.20.1-ubi@sha256:33dc5f563339e6332e1549c9e3c2b362d1e1b03acada1386a6f2c6f2d5af4a6e"` | no |
| <a name="input_eso_namespace"></a> [eso\_namespace](#input\_eso\_namespace) | Namespace to create and be used to install ESO components including helm releases. | `string` | `null` | no |
| <a name="input_eso_pod_configuration"></a> [eso\_pod\_configuration](#input\_eso\_pod\_configuration) | Configuration to use to customise ESO deployment on specific pods. Setting appropriate values will result in customising ESO helm release. Default value is {} to keep ESO standard deployment. Ignore the key if not required. | <pre>object({<br/> annotations = optional(object({<br/> # The annotations for external secret controller pods.<br/> external_secrets = optional(map(string), {})<br/> # The annotations for external secret cert controller pods.<br/> external_secrets_cert_controller = optional(map(string), {})<br/> # The annotations for external secret controller pods.<br/> external_secrets_webhook = optional(map(string), {})<br/> }), {})<br/><br/> labels = optional(object({<br/> # The labels for external secret controller pods.<br/> external_secrets = optional(map(string), {})<br/> # The labels for external secret cert controller pods.<br/> external_secrets_cert_controller = optional(map(string), {})<br/> # The labels for external secret controller pods.<br/> external_secrets_webhook = optional(map(string), {})<br/> }), {})<br/> })</pre> | `{}` | no |
| <a name="input_existing_eso_namespace"></a> [existing\_eso\_namespace](#input\_existing\_eso\_namespace) | Existing Namespace to be used to install ESO components including helm releases. | `string` | `null` | no |
| <a name="input_reloader_chart_location"></a> [reloader\_chart\_location](#input\_reloader\_chart\_location) | The location of the Reloader Helm chart. | `string` | `"https://stakater.github.io/stakater-charts"` | no |
| <a name="input_reloader_chart_version"></a> [reloader\_chart\_version](#input\_reloader\_chart\_version) | The version of the Reloader Helm chart. Ensure that the chart version is compatible with the image version specified in reloader\_image\_version. | `string` | `"2.2.0"` | no |
| <a name="input_reloader_chart_version"></a> [reloader\_chart\_version](#input\_reloader\_chart\_version) | The version of the Reloader Helm chart. Ensure that the chart version is compatible with the image version specified in reloader\_image\_version. | `string` | `"2.2.3"` | no |
| <a name="input_reloader_custom_values"></a> [reloader\_custom\_values](#input\_reloader\_custom\_values) | String containing custom values to be used for reloader helm chart. See https://github.com/stakater/Reloader/blob/master/deployments/kubernetes/chart/reloader/values.yaml | `string` | `null` | no |
| <a name="input_reloader_deployed"></a> [reloader\_deployed](#input\_reloader\_deployed) | Whether to deploy reloader or not https://github.com/stakater/Reloader | `bool` | `true` | no |
| <a name="input_reloader_ignore_configmaps"></a> [reloader\_ignore\_configmaps](#input\_reloader\_ignore\_configmaps) | Whether to ignore configmap changes or not | `bool` | `false` | no |
| <a name="input_reloader_ignore_secrets"></a> [reloader\_ignore\_secrets](#input\_reloader\_ignore\_secrets) | Whether to ignore secret changes or not | `bool` | `false` | no |
| <a name="input_reloader_image"></a> [reloader\_image](#input\_reloader\_image) | The reloader image repository in the format of `[registry-url]/[namespace]/[image]`. | `string` | `"ghcr.io/stakater/reloader"` | no |
| <a name="input_reloader_image_version"></a> [reloader\_image\_version](#input\_reloader\_image\_version) | The version or digest for the reloader image to deploy. If changing the value, ensure it is compatible with the chart version set in reloader\_chart\_version. | `string` | `"v1.4.6-ubi@sha256:98403ed026af2eac04796f8e3d99530ed7f251a5d40b50ac172a008933338d48"` | no |
| <a name="input_reloader_image_version"></a> [reloader\_image\_version](#input\_reloader\_image\_version) | The version or digest for the reloader image to deploy. If changing the value, ensure it is compatible with the chart version set in reloader\_chart\_version. | `string` | `"v1.4.8-ubi@sha256:d87801fae5424f347d34b776ba25ea0c1ba80a8b50ba91ece0777206a47d91d3"` | no |
| <a name="input_reloader_is_argo_rollouts"></a> [reloader\_is\_argo\_rollouts](#input\_reloader\_is\_argo\_rollouts) | Enable Argo Rollouts | `bool` | `false` | no |
| <a name="input_reloader_is_openshift"></a> [reloader\_is\_openshift](#input\_reloader\_is\_openshift) | Enable OpenShift DeploymentConfigs | `bool` | `true` | no |
| <a name="input_reloader_log_format"></a> [reloader\_log\_format](#input\_reloader\_log\_format) | The log format to use for reloader. Possible values are `json` or `text`. Default value is `json` | `string` | `"text"` | no |
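Review bot: the eso_image_version bump to `v0.20.1-ubi` at line 47 is not paired with a change to the eso_chart_version default in this README (that row sits outside the hunk, and all four additions in this file are visible here), although the input's own description says the two must be compatible; confirm the currently pinned chart supports a v0.20.1 image or bump the chart in the same PR. The reloader pair (chart 2.2.3 at line 53, image v1.4.8 at line 60) is at least moved together. Pinning by digest is the right call; before merge, verify each digest resolves to the intended tag rather than trusting the copy, e.g. `crane digest ghcr.io/external-secrets/external-secrets:v0.20.1-ubi`. Two pre-existing issues in the unchanged rows are cheap to fix while this table is open: the reloader_log_format description claims the default is `json` but the default column shows `"text"`, and in eso_pod_configuration the comment above `external_secrets_webhook` says "external secret controller pods" (copied from the entry above; it should describe the webhook pods).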
6 changes: 3 additions & 3 deletions examples/all-combined/clusterstore.tf
Expand Up @@ -39,7 +39,7 @@ locals {
# Create username_password secret and store in secret manager
module "sm_userpass_secret" {
source = "terraform-ibm-modules/secrets-manager-secret/ibm"
version = "1.7.0"
version = "1.9.0"
region = local.sm_region
secrets_manager_guid = local.sm_guid
secret_group_id = module.secrets_manager_group.secret_group_id
Expand All @@ -51,8 +51,8 @@ module "sm_userpass_secret" {
#tfsec:ignore:general-secrets-no-plaintext-exposure
secret_username = "artifactory-user" # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
secret_auto_rotation = false
secret_auto_rotation_interval = 0
secret_auto_rotation_unit = null
secret_auto_rotation_interval = 1
secret_auto_rotation_unit = "day"
providers = {
ibm = ibm.ibm-sm
}
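Review bot: lines 82-83 change secret_auto_rotation_interval to 1 and secret_auto_rotation_unit to "day" while secret_auto_rotation at line 79 stays false, so the block now describes a daily schedule that is never applied. If the 1.9.0 module rejects 0/null when rotation is disabled, add a comment on these two lines saying they are placeholder values required by the module's validation; otherwise keep the previous `0`/`null`, which made the intent obvious, or enable rotation if a daily rotation of this username/password secret is actually wanted. As written, a reader of the example has to cross-check the flag to learn that rotation is off.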
16 changes: 8 additions & 8 deletions examples/all-combined/main.tf
Expand Up @@ -79,7 +79,7 @@ module "zone_subnet_addrs" {

module "vpc" {
source = "terraform-ibm-modules/vpc/ibm"
version = "1.5.1"
version = "1.5.2"
vpc_name = "${var.prefix}-vpc"
resource_group_id = module.resource_group.resource_group_id
locations = []
Expand All @@ -96,7 +96,7 @@ module "vpc" {

module "subnet_prefix" {
source = "terraform-ibm-modules/vpc/ibm//modules/vpc-address-prefix"
version = "1.5.1"
version = "1.5.2"
count = length(local.subnet_prefix)
name = "${var.prefix}-z-${local.subnet_prefix[count.index].label}-${split("-", local.subnet_prefix[count.index].zone)[2]}"
location = local.subnet_prefix[count.index].zone
Expand All @@ -108,7 +108,7 @@ module "subnet_prefix" {
module "subnets" {
depends_on = [module.subnet_prefix]
source = "terraform-ibm-modules/vpc/ibm//modules/subnet"
version = "1.5.1"
version = "1.5.2"
count = length(local.subnet_prefix)
location = local.subnet_prefix[count.index].zone
vpc_id = module.vpc.vpc.vpc_id
Expand All @@ -120,7 +120,7 @@ module "subnets" {

module "public_gateways" {
source = "terraform-ibm-modules/vpc/ibm//modules/public-gateway"
version = "1.5.1"
version = "1.5.2"
count = length(var.zones)
vpc_id = module.vpc.vpc.vpc_id
location = "${var.region}-${var.zones[count.index]}"
Expand All @@ -130,7 +130,7 @@ module "public_gateways" {

module "security_group" {
source = "terraform-ibm-modules/vpc/ibm//modules/security-group"
version = "1.5.1"
version = "1.5.2"
depends_on = [module.vpc]
create_security_group = false
resource_group_id = module.resource_group.resource_group_id
Expand Down Expand Up @@ -176,7 +176,7 @@ locals {

module "network_acl" {
source = "terraform-ibm-modules/vpc/ibm//modules/network-acl"
version = "1.5.1"
version = "1.5.2"
name = "${var.prefix}-vpc-acl"
vpc_id = module.vpc.vpc.vpc_id
resource_group_id = module.resource_group.resource_group_id
Expand All @@ -186,7 +186,7 @@ module "network_acl" {
# OCP CLUSTER creation
module "ocp_base" {
source = "terraform-ibm-modules/base-ocp-vpc/ibm"
version = "3.55.4"
version = "3.60.0"
cluster_name = "${var.prefix}-vpc"
resource_group_id = module.resource_group.resource_group_id
region = var.region
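Review bot: base-ocp-vpc jumps from 3.55.4 to 3.60.0 at line 149, five minor releases in one step, whereas every other bump in this file is patch-level; state in the PR description which of those minor releases were reviewed for new required inputs, changed defaults or worker pool handling, and confirm that `terraform plan` for this example against an existing cluster shows an in-place update rather than a replacement before merging.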
Expand Down Expand Up @@ -231,7 +231,7 @@ data "ibm_cis" "cis_instance" {

module "vpes" {
source = "terraform-ibm-modules/vpe-gateway/ibm"
version = "4.7.5"
version = "4.7.7"
count = var.service_endpoints == "private" ? 1 : 0
region = var.region
prefix = "vpe"
4 changes: 2 additions & 2 deletions examples/all-combined/privatecertificate.tf
Expand Up @@ -13,7 +13,7 @@ locals {
# private certificate engine
module "secrets_manager_private_secret_engine" {
source = "terraform-ibm-modules/secrets-manager-private-cert-engine/ibm"
version = "1.6.7"
version = "1.6.11"
secrets_manager_guid = local.sm_guid
region = local.sm_region
root_ca_name = var.pvt_ca_name != null ? var.pvt_ca_name : "pvt-${var.prefix}-project-root-ca"
Expand All @@ -30,7 +30,7 @@ module "secrets_manager_private_secret_engine" {
module "secrets_manager_private_certificate" {
depends_on = [module.secrets_manager_private_secret_engine]
source = "terraform-ibm-modules/secrets-manager-private-cert/ibm"
version = "1.4.4"
version = "1.4.7"
cert_name = "${var.prefix}-sm-private-cert"
cert_description = "Private certificate for ${local.pvt_cert_common_name}"
cert_secrets_group_id = module.secrets_manager_group.secret_group_id
2 changes: 1 addition & 1 deletion examples/all-combined/publiccertificate.tf
Expand Up @@ -8,7 +8,7 @@
module "secrets_manager_public_cert_engine" {
count = (var.acme_letsencrypt_private_key != null || (var.acme_letsencrypt_private_key_sm_id != null && var.acme_letsencrypt_private_key_secret_id != null && var.acme_letsencrypt_private_key_sm_region != null)) ? 1 : 0
source = "terraform-ibm-modules/secrets-manager-public-cert-engine/ibm"
version = "1.1.9"
version = "1.1.14"
secrets_manager_guid = local.sm_guid
region = local.sm_region
internet_services_crn = data.ibm_cis.cis_instance.id
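Review bot: the count condition at line 188 spells out a four-term expression inline (a private key given directly, or all three Secrets Manager locator inputs set); it is untouched by this bump, but moving it into a local such as `public_cert_engine_enabled` would make the intent readable and give the other resources that depend on this engine's outputs a single condition to reference instead of repeating it.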
4 changes: 2 additions & 2 deletions examples/all-combined/secretsmanager.tf
Expand Up @@ -36,7 +36,7 @@ resource "ibm_resource_instance" "secrets_manager" {
# create secrets group for secrets
module "secrets_manager_group" {
source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
version = "1.3.13"
version = "1.3.15"
region = local.sm_region
secrets_manager_guid = local.sm_guid
secret_group_name = "${var.prefix}-secret-group" #checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
Expand All @@ -49,7 +49,7 @@ module "secrets_manager_group" {
# additional secrets manager secret group for service level secrets
module "secrets_manager_group_acct" {
source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
version = "1.3.13"
version = "1.3.15"
region = local.sm_region
secrets_manager_guid = local.sm_guid
#tfsec:ignore:general-secrets-no-plaintext-exposure
2 changes: 1 addition & 1 deletion examples/all-combined/secretstore.tf
Expand Up @@ -50,7 +50,7 @@ locals {
# create the arbitrary secret and store in secret manager
module "sm_arbitrary_imagepull_secret" {
source = "terraform-ibm-modules/secrets-manager-secret/ibm"
version = "1.7.0"
version = "1.9.0"
region = local.sm_region
secrets_manager_guid = local.sm_guid
secret_group_id = module.secrets_manager_group.secret_group_id
4 changes: 2 additions & 2 deletions examples/all-combined/tpauth_cluster_sstore.tf
Expand Up @@ -7,7 +7,7 @@
# creating a secrets group for clustersecretstore with trustedprofile auth
module "tp_clusterstore_secrets_manager_group" {
source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
version = "1.3.13"
version = "1.3.15"
region = local.sm_region
secrets_manager_guid = local.sm_guid
secret_group_name = "${var.prefix}-cpstore-tp-secret-group" #checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
Expand Down Expand Up @@ -53,7 +53,7 @@ module "eso_clusterstore_tpauth" {
# arbitrary secret to be synched through the clustersecretstore with TP authentication
module "sm_cstore_arbitrary_secret_tp" {
source = "terraform-ibm-modules/secrets-manager-secret/ibm"
version = "1.7.0"
version = "1.9.0"
region = local.sm_region
secrets_manager_guid = local.sm_guid
secret_group_id = module.tp_clusterstore_secrets_manager_group.secret_group_id