Merge branch 'main' into test-coverage

Author: ocofaigh

.secrets.baseline

@@ -103,14 +103,6 @@
         "line_number": 64,
         "type": "Secret Keyword",
         "verified_result": null
-      },
-      {
-        "hashed_secret": "1e5c2f367f02e47a8c160cda1cd9d91decbac441",
-        "is_secret": false,
-        "is_verified": false,
-        "line_number": 192,
-        "type": "Secret Keyword",
-        "verified_result": null
       }
     ]
   },

examples/complete/main.tf

@@ -95,7 +95,7 @@ module "icd_elasticsearch" {
 module "secrets_manager" {
   count                = var.existing_sm_instance_guid == null ? 1 : 0
   source               = "terraform-ibm-modules/secrets-manager/ibm"
-  version              = "1.20.0"
+  version              = "1.22.0"
   resource_group_id    = module.resource_group.resource_group_id
   region               = var.region
   secrets_manager_name = "${var.prefix}-secrets-manager"

ibm_catalog.json

@@ -351,6 +351,26 @@
                 },
                 {
                   "key": "kibana_image_digest"
+                },
+                {
+                  "key": "kibana_image_port"
+                },
+                {
+                  "key": "kibana_visibility",
+                  "options": [
+                    {
+                      "displayname": "local_public",
+                      "value": "local_public"
+                    },
+                    {
+                      "displayname": "local_private",
+                      "value": "local_private"
+                    },
+                    {
+                      "displayname": "local",
+                      "value": "local"
+                    }
+                  ]
                 }
               ]
           }

solutions/standard/DA-types.md

@@ -156,7 +156,7 @@ To enter a custom value, use the edit action to open the "Edit Array" panel. Add
 ### Options for service_credentials
 
 - `secret_name`: (required): A unique human-readable name of the secret to create.
-- `service_credentials_source_service_role`: (required): The role to give the service credential in the Databases for Elasticsearch service. Acceptable values are `Writer`, `Reader`, `Manager`, and `None`
+- `service_credentials_source_service_role_crn`: (required): The CRN of the role to give the service credential in the IBM Cloud Database service. Service credentials role CRNs can be found at https://cloud.ibm.com/iam/roles, select the IBM Cloud Database and select the role.
 - `secret_labels`: (optional, default = `[]`): Labels of the secret to create. Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (|).
 - `secret_auto_rotation`: (optional, default = `true`): Whether to configure automatic rotation of service credential.
 - `secret_auto_rotation_unit`: (optional, default = `day`): Specifies the unit of time for rotation of a secret. Acceptable values are `day` or `month`.
@@ -170,11 +170,11 @@ The following example includes all the configuration options for four service cr
   {
     "secret_group_name": "sg-1"
     "existing_secret_group": true
-    "service_credentials": [
+    "service_credentials": [                                              # pragma: allowlist secret
       {
         "secret_name": "cred-1"
-        "service_credentials_source_service_role":  "Writer"
-        "secret_labels": ["test-writer-1", "test-writer-2"]
+        "service_credentials_source_service_role_crn":  "crn:v1:bluemix:public:iam::::role:Editor"
+        "secret_labels": ["test-editor-1", "test-editor-2"]
         "secret_auto_rotation": true
         "secret_auto_rotation_unit": "day"
         "secret_auto_rotation_interval": 89
@@ -183,22 +183,22 @@ The following example includes all the configuration options for four service cr
       },
       {
         "secret_name": "cred-2"
-        "service_credentials_source_service_role": "Reader"
+        "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer"
       }
     ]
   },
   {
     "secret_group_name": "sg-2"
-    "service_credentials": [
+    "service_credentials": [                                              # pragma: allowlist secret
       {
         "secret_name": "cred-3"
-        "service_credentials_source_service_role": "Editor"
-      },
-      {
-        "secret_name": "cred-4"
-        "service_credentials_source_service_role": "None"
+        "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer"
       }
     ]
   }
 ]
 ```
+### Options for kibana_visibility
+
+When the Kibana application visibility is changed from private to public using `kibana_visibility` variable, it will become accessible from the public Internet. However, access via the IBM Cloud private network will no longer be available. This change takes effect immediately, potentially impacting active users or integrations. It is important to consider the associated security implications before proceeding, [learn more](https://cloud.ibm.com/docs/codeengine?topic=codeengine-application-workloads#optionsvisibility).
+If Kibana is enabled, you can access the Kibana application over a IBM private network using the method outlined [here](https://cloud.ibm.com/docs/codeengine?topic=codeengine-vpe).

solutions/standard/README.md

@@ -6,7 +6,12 @@ This architecture creates an instance of IBM Cloud Databases for Elasticsearch a
 - A KMS root key, if one is not passed in.
 - An IBM Cloud Databases for Elasticsearch instance with KMS encryption.
 - Autoscaling rules for the database instance, if provided.
-- Kibana dashboard for Elasticsearch.
+- Install and start the Elastic's Natural Language Processing model, if enabled.
+- Kibana dashboard for Elasticsearch, if enabled.
+
+**Note on accessing Kibana:** If Kibana is enabled, you can access the Kibana application over a IBM private network using the method outlined [here](https://cloud.ibm.com/docs/codeengine?topic=codeengine-vpe).
+
+**Note on setting kibana_visibility:** When the Kibana application visibility is changed from private to public using kibana_visibility variable, it will become accessible from the public Internet. However, access via the IBM Cloud private network will no longer be available. This change takes effect immediately, potentially impacting active users or integrations. It is important to consider the associated security implications before proceeding.
 
 ![fscloud-elastic-search](../../reference-architecture/deployable-architecture-elasticsearch.svg)
 

solutions/standard/main.tf

@@ -381,16 +381,16 @@ locals {
       existing_secret_group    = service_credentials.existing_secret_group
       secrets = [
         for secret in service_credentials.service_credentials : {
-          secret_name                             = secret.secret_name
-          secret_labels                           = secret.secret_labels
-          secret_auto_rotation                    = secret.secret_auto_rotation
-          secret_auto_rotation_unit               = secret.secret_auto_rotation_unit
-          secret_auto_rotation_interval           = secret.secret_auto_rotation_interval
-          service_credentials_ttl                 = secret.service_credentials_ttl
-          service_credential_secret_description   = secret.service_credential_secret_description
-          service_credentials_source_service_role = secret.service_credentials_source_service_role
-          service_credentials_source_service_crn  = local.elasticsearch_crn
-          secret_type                             = "service_credentials" #checkov:skip=CKV_SECRET_6
+          secret_name                                 = secret.secret_name
+          secret_labels                               = secret.secret_labels
+          secret_auto_rotation                        = secret.secret_auto_rotation
+          secret_auto_rotation_unit                   = secret.secret_auto_rotation_unit
+          secret_auto_rotation_interval               = secret.secret_auto_rotation_interval
+          service_credentials_ttl                     = secret.service_credentials_ttl
+          service_credential_secret_description       = secret.service_credential_secret_description
+          service_credentials_source_service_role_crn = secret.service_credentials_source_service_role_crn
+          service_credentials_source_service_crn      = local.elasticsearch_crn
+          secret_type                                 = "service_credentials" #checkov:skip=CKV_SECRET_6
         }
       ]
     }
@@ -420,7 +420,7 @@ module "secrets_manager_service_credentials" {
   count                       = var.existing_secrets_manager_instance_crn == null ? 0 : 1
   depends_on                  = [time_sleep.wait_for_es_authorization_policy]
   source                      = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
-  version                     = "1.20.0"
+  version                     = "1.22.0"
   existing_sm_instance_guid   = local.existing_secrets_manager_instance_guid
   existing_sm_instance_region = local.existing_secrets_manager_instance_region
   endpoint_type               = var.existing_secrets_manager_endpoint_type
@@ -463,7 +463,7 @@ module "code_engine_kibana" {
   apps = {
     (local.code_engine_app_name) = {
       image_reference = var.kibana_image_digest != null ? "${var.kibana_registry_namespace_image}@${var.kibana_image_digest}" : "${var.kibana_registry_namespace_image}:${local.kibana_version}"
-      image_port      = 5601
+      image_port      = var.kibana_image_port
       run_env_variables = [{
         type  = "literal"
         name  = "ELASTICSEARCH_HOSTS"
@@ -496,8 +496,9 @@ module "code_engine_kibana" {
           value = "none"
         }
       ]
-      scale_min_instances = 1
-      scale_max_instances = 3
+      scale_min_instances     = 1
+      scale_max_instances     = 3
+      managed_domain_mappings = var.kibana_visibility
     }
   }
 }

solutions/standard/variables.tf

@@ -296,30 +296,29 @@ variable "service_credential_secrets" {
     secret_group_description = optional(string)
     existing_secret_group    = optional(bool)
     service_credentials = list(object({
-      secret_name                             = string
-      service_credentials_source_service_role = string
-      secret_labels                           = optional(list(string))
-      secret_auto_rotation                    = optional(bool)
-      secret_auto_rotation_unit               = optional(string)
-      secret_auto_rotation_interval           = optional(number)
-      service_credentials_ttl                 = optional(string)
-      service_credential_secret_description   = optional(string)
+      secret_name                                 = string
+      service_credentials_source_service_role_crn = string
+      secret_labels                               = optional(list(string))
+      secret_auto_rotation                        = optional(bool)
+      secret_auto_rotation_unit                   = optional(string)
+      secret_auto_rotation_interval               = optional(number)
+      service_credentials_ttl                     = optional(string)
+      service_credential_secret_description       = optional(string)
 
     }))
   }))
   default     = []
   description = "Service credential secrets configuration for Databases for Elasticsearch. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-elasticsearch/blob/main/solutions/standard/DA-types.md#service-credential-secrets)."
 
   validation {
+    # Service roles CRNs can be found at https://cloud.ibm.com/iam/roles, select the IBM Cloud Database and select the role
     condition = alltrue([
       for group in var.service_credential_secrets : alltrue([
-        for credential in group.service_credentials : contains(
-          ["Writer", "Reader", "Manager", "None"], credential.service_credentials_source_service_role
-        )
+        # crn:v?:bluemix; two non-empty segments; three possibly empty segments; :serviceRole or role: non-empty segment
+        for credential in group.service_credentials : can(regex("^crn:v[0-9]:bluemix(:..*){2}(:.*){3}:(serviceRole|role):..*$", credential.service_credentials_source_service_role_crn))
       ])
     ])
-    error_message = "service_credentials_source_service_role role must be one of 'Writer', 'Reader', 'Manager', and 'None'."
-
+    error_message = "service_credentials_source_service_role_crn must be a serviceRole CRN. See https://cloud.ibm.com/iam/roles"
   }
 }
 
@@ -380,3 +379,18 @@ variable "kibana_image_digest" {
 
 
 }
+variable "kibana_image_port" {
+  description = "Specify the port number used to connect to the Kibana service exposed by the container image. Default port is 5601 and it is only applicable if `enable_kibana_dashboard` is true"
+  type        = number
+  default     = 5601
+}
+
+variable "kibana_visibility" {
+  description = "Specify the visibility of Kibana application in order to define which endpoint is available for receiving the requests. Valid values are 'local_public', 'local_private' and 'local' and it is only applicable if `enable_kibana_dashboard` is true. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-elasticsearch/blob/main/solutions/standard/DA-types.md#options-for-kibana_visibility)."
+  type        = string
+  default     = "local_private"
+  validation {
+    condition     = can(regex("local_public|local_private|local", var.kibana_visibility))
+    error_message = "Valid values are 'local_public', 'local_private', or 'local'."
+  }
+}

tests/pr_test.go

@@ -81,11 +81,11 @@ func TestRunStandardSolutionSchematics(t *testing.T) {
 			"service_credentials": []map[string]string{
 				{
 					"secret_name": fmt.Sprintf("%s-cred-reader", options.Prefix),
-					"service_credentials_source_service_role": "Reader",
+					"service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer",
 				},
 				{
 					"secret_name": fmt.Sprintf("%s-cred-writer", options.Prefix),
-					"service_credentials_source_service_role": "Writer",
+					"service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor",
 				},
 			},
 		},