rebase on redis

whoffler · whoffler · commit 882a1ea656fa · 2025-06-25T15:13:47.000+01:00
diff --git a/ibm_catalog.json b/ibm_catalog.json
@@ -65,9 +65,10 @@
           "iam_permissions": [
             {
               "role_crns": [
-                "crn:v1:bluemix:public:iam::::role:Administrator"
+                "crn:v1:bluemix:public:iam::::role:Viewer"
               ],
-              "service_name": "all-account-management-services"
+              "service_name": "Resource group only",
+              "notes": "Viewer access is required in the resource group you want to provision in."
             },
             {
               "role_crns": [
@@ -132,7 +133,7 @@
             },
             {
               "key": "existing_resource_group_name",
-              "required": true,
+              "display_name": "resource_group",
               "custom_config": {
                 "type": "resource_group",
                 "grouping": "deployment",
@@ -143,8 +144,7 @@
               }
             },
             {
-              "key": "prefix",
-              "required": true
+              "key": "prefix"
             },
             {
               "key": "region",
@@ -471,6 +471,13 @@
             ]
           },
           "iam_permissions": [
+            {
+              "role_crns": [
+                "crn:v1:bluemix:public:iam::::role:Viewer"
+              ],
+              "service_name": "Resource group only",
+              "notes": "Viewer access is required in the resource group you want to provision in."
+            },
             {
               "role_crns": [
                 "crn:v1:bluemix:public:iam::::role:Editor"
@@ -489,7 +496,7 @@
                 "crn:v1:bluemix:public:iam::::role:Editor"
               ],
               "service_name": "hs-crypto",
-              "notes": "[Optional] Editor access is required to create keys in HPCS. It is required only if KMS encryption is enabled."
+              "notes": "[Optional] Editor access is required to create keys in HPCS. It is only required when using HPCS for encryption."
             }
           ],
           "architecture": {
@@ -516,7 +523,7 @@
             },
             {
               "key": "existing_resource_group_name",
-              "required": true,
+              "display_name": "resource_group",
               "custom_config": {
                 "type": "resource_group",
                 "grouping": "deployment",
@@ -527,9 +534,7 @@
               }
             },
             {
-              "key": "prefix",
-              "required": true,
-              "description": "Prefix to add to all resources created by this solution. To not use any prefix value, you can enter the string `__NULL__`."
+              "key": "prefix"
             },
             {
               "key": "region",
@@ -707,7 +712,8 @@
               "key": "ibmcloud_kms_api_key"
             },
             {
-              "key": "existing_kms_instance_crn"
+              "key": "existing_kms_instance_crn",
+              "required": true
             },
             {
               "key": "existing_kms_key_crn"
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
@@ -57,8 +57,8 @@ variable "existing_elasticsearch_instance_crn" {
 }
 
 variable "elasticsearch_version" {
-  type        = string
   description = "The version of the Databases for Elasticsearch instance. If no value is specified, the current preferred version of Databases for Elasticsearch is used."
+  type        = string
   default     = null
 }
 
@@ -202,7 +202,7 @@ variable "kms_encryption_enabled" {
 
 variable "existing_kms_instance_crn" {
   type        = string
-  description = "The CRN of a Key Protect or Hyper Protect Crypto Services instance. Required to create a new encryption key and key ring which will be used to encrypt both deployment data and backups. Applies only if `kms_encryption` is true. To use an existing key, pass values for `existing_kms_key_crn` and/or `existing_backup_kms_key_crn`. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
+  description = "The CRN of a Key Protect or Hyper Protect Crypto Services instance. Required to create a new encryption key and key ring which will be used to encrypt both deployment data and backups. To use an existing key, pass values for `existing_kms_key_crn` and/or `existing_backup_kms_key_crn`. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
   default     = null
 
   validation {
@@ -213,7 +213,7 @@ variable "existing_kms_instance_crn" {
 
 variable "existing_kms_key_crn" {
   type        = string
-  description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `kms_encryption_enabled` is true. By default this key is used for both deployment data and backups, but this behaviour can be altered using the optional `existing_backup_kms_key_crn` input. If no value is passed a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
+  description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. By default this key is used for both deployment data and backups, but this behaviour can be altered using the optional `existing_backup_kms_key_crn` input. If no value is passed a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
   default     = null
 
   validation {
@@ -224,7 +224,7 @@ variable "existing_kms_key_crn" {
 
 variable "kms_endpoint_type" {
   type        = string
-  description = "The type of endpoint to use for communicating with the Key Protect or Hyper Protect Crypto Services instance. Possible values: `public`, `private`."
+  description = "The type of endpoint to use for communicating with the Key Protect or Hyper Protect Crypto Services instance. Possible values: `public`, `private`. Applies only if `existing_kms_key_crn` is not specified."
   default     = "private"
   validation {
     condition     = can(regex("public|private", var.kms_endpoint_type))
@@ -287,7 +287,7 @@ variable "provider_visibility" {
   description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)."
   type        = string
   default     = "private"
-  nullable    = false
+
   validation {
     condition     = contains(["public", "private", "public-and-private"], var.provider_visibility)
     error_message = "Invalid visibility option. Allowed values are 'public', 'private', or 'public-and-private'."
diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf
@@ -165,25 +165,25 @@ variable "elasticsearch_access_tags" {
 
 variable "existing_kms_instance_crn" {
   type        = string
-  description = "The CRN of a Key Protect or Hyper Protect Crypto Services instance. Required to create a new encryption key and key ring which will be used to encrypt both deployment data and backups. Applies only if `use_ibm_owned_encryption_key` is false. To use an existing key, pass values for `existing_kms_key_crn` and/or `existing_backup_kms_key_crn`. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
+  description = "The CRN of a Key Protect or Hyper Protect Crypto Services instance. Required to create a new encryption key and key ring which will be used to encrypt both deployment data and backups. To use an existing key, pass values for `existing_kms_key_crn` and/or `existing_backup_kms_key_crn`. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
   default     = null
 }
 
 variable "existing_kms_key_crn" {
   type        = string
-  description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `use_ibm_owned_encryption_key` is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the optional `existing_backup_kms_key_crn` input. If no value is passed a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
+  description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. By default this key is used for both deployment data and backups, but this behaviour can be altered using the optional `existing_backup_kms_key_crn` input. If no value is passed a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
   default     = null
 }
 
 variable "skip_elasticsearch_kms_auth_policy" {
   type        = bool
-  description = "Set to true to skip the creation of IAM authorization policies that permits all Databases for Elasticsearch instances in the given resource group 'Reader' access to the Key Protect or Hyper Protect Crypto Services key. This policy is required in order to enable KMS encryption, so only skip creation if there is one already present in your account. No policy is created if `use_ibm_owned_encryption_key` is true."
+  description = "Whether to create an IAM authorization policy that permits all Databases for Elasticsearch instances in the resource group to read the encryption key from the Hyper Protect Crypto Services instance specified in the `existing_kms_instance_crn` variable."
   default     = false
 }
 
 variable "ibmcloud_kms_api_key" {
   type        = string
-  description = "The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance. If not specified, the 'ibmcloud_api_key' variable is used. Specify this key if the instance in `existing_kms_instance_crn` is in an account that's different from the Elastic Search instance. Leave this input empty if the same account owns both instances."
+  description = "The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance. If not specified, the 'ibmcloud_api_key' variable is used. Specify this key if the instance in `existing_kms_instance_crn` is in an account that's different from the ElasticSearch instance. Leave this input empty if the same account owns both instances."
   sensitive   = true
   default     = null
 }

Original file line number	Diff line number	Diff line change
`@@ -65,9 +65,10 @@`
`65`	`65`	`"iam_permissions": [`
`66`	`66`	`{`
`67`	`67`	`"role_crns": [`
`68`		`- "crn:v1:bluemix:public:iam::::role:Administrator"`
	`68`	`+ "crn:v1:bluemix:public:iam::::role:Viewer"`
`69`	`69`	`],`
`70`		`- "service_name": "all-account-management-services"`
	`70`	`+ "service_name": "Resource group only",`
	`71`	`+ "notes": "Viewer access is required in the resource group you want to provision in."`
`71`	`72`	`},`
`72`	`73`	`{`
`73`	`74`	`"role_crns": [`
`@@ -132,7 +133,7 @@`
`132`	`133`	`},`
`133`	`134`	`{`
`134`	`135`	`"key": "existing_resource_group_name",`
`135`		`- "required": true,`
	`136`	`+ "display_name": "resource_group",`
`136`	`137`	`"custom_config": {`
`137`	`138`	`"type": "resource_group",`
`138`	`139`	`"grouping": "deployment",`
`@@ -143,8 +144,7 @@`
`143`	`144`	`}`
`144`	`145`	`},`
`145`	`146`	`{`
`146`		`- "key": "prefix",`
`147`		`- "required": true`
	`147`	`+ "key": "prefix"`
`148`	`148`	`},`
`149`	`149`	`{`
`150`	`150`	`"key": "region",`
`@@ -471,6 +471,13 @@`
`471`	`471`	`]`
`472`	`472`	`},`
`473`	`473`	`"iam_permissions": [`
	`474`	`+ {`
	`475`	`+ "role_crns": [`
	`476`	`+ "crn:v1:bluemix:public:iam::::role:Viewer"`
	`477`	`+ ],`
	`478`	`+ "service_name": "Resource group only",`
	`479`	`+ "notes": "Viewer access is required in the resource group you want to provision in."`
	`480`	`+ },`
`474`	`481`	`{`
`475`	`482`	`"role_crns": [`
`476`	`483`	`"crn:v1:bluemix:public:iam::::role:Editor"`
`@@ -489,7 +496,7 @@`
`489`	`496`	`"crn:v1:bluemix:public:iam::::role:Editor"`
`490`	`497`	`],`
`491`	`498`	`"service_name": "hs-crypto",`
`492`		`- "notes": "[Optional] Editor access is required to create keys in HPCS. It is required only if KMS encryption is enabled."`
	`499`	`+ "notes": "[Optional] Editor access is required to create keys in HPCS. It is only required when using HPCS for encryption."`
`493`	`500`	`}`
`494`	`501`	`],`
`495`	`502`	`"architecture": {`
`@@ -516,7 +523,7 @@`
`516`	`523`	`},`
`517`	`524`	`{`
`518`	`525`	`"key": "existing_resource_group_name",`
`519`		`- "required": true,`
	`526`	`+ "display_name": "resource_group",`
`520`	`527`	`"custom_config": {`
`521`	`528`	`"type": "resource_group",`
`522`	`529`	`"grouping": "deployment",`
`@@ -527,9 +534,7 @@`
`527`	`534`	`}`
`528`	`535`	`},`
`529`	`536`	`{`
`530`		`- "key": "prefix",`
`531`		`- "required": true,`
`532`		- "description": "Prefix to add to all resources created by this solution. To not use any prefix value, you can enter the string `__NULL__`."
	`537`	`+ "key": "prefix"`
`533`	`538`	`},`
`534`	`539`	`{`
`535`	`540`	`"key": "region",`
`@@ -707,7 +712,8 @@`
`707`	`712`	`"key": "ibmcloud_kms_api_key"`
`708`	`713`	`},`
`709`	`714`	`{`
`710`		`- "key": "existing_kms_instance_crn"`
	`715`	`+ "key": "existing_kms_instance_crn",`
	`716`	`+ "required": true`
`711`	`717`	`},`
`712`	`718`	`{`
`713`	`719`	`"key": "existing_kms_key_crn"`