fix: fix issue that was causing secrets manager managed service credential re-creation<br><br>NOTE: When upgrading from previous version, you will see the following destroy and re-create, however there is no impact to any deployed infrastructure: (#539)

Author: vkuma17

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-10-04T04:24:13Z",
+  "generated_at": "2025-10-11T11:57:05Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -110,7 +110,7 @@
         "hashed_secret": "8c7c51db5075ebd0369c51e9f14737d9b4c1c21d",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 379,
+        "line_number": 413,
         "type": "Base64 High Entropy String",
         "verified_result": null
       }

solutions/fully-configurable/main.tf

@@ -367,6 +367,10 @@ resource "time_sleep" "wait_for_elasticsearch_authorization_policy" {
   count           = local.create_secrets_manager_auth_policy
   depends_on      = [ibm_iam_authorization_policy.secrets_manager_key_manager]
   create_duration = "30s"
+  triggers = {
+    secrets_manager_region = local.existing_secrets_manager_instance_region
+    secrets_manager_guid   = local.existing_secrets_manager_instance_guid
+  }
 }
 
 locals {
@@ -412,12 +416,12 @@ locals {
 }
 
 module "secrets_manager_service_credentials" {
-  count                       = length(local.service_credential_secrets) > 0 ? 1 : 0
-  depends_on                  = [time_sleep.wait_for_elasticsearch_authorization_policy]
-  source                      = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
-  version                     = "2.10.2"
-  existing_sm_instance_guid   = local.existing_secrets_manager_instance_guid
-  existing_sm_instance_region = local.existing_secrets_manager_instance_region
+  count   = length(local.service_credential_secrets) > 0 ? 1 : 0
+  source  = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
+  version = "2.10.2"
+  # converted into implicit dependency and removed explicit depends_on time_sleep.wait_for_elasticsearch_authorization_policy for this module because of issue https://github.com/terraform-ibm-modules/terraform-ibm-icd-redis/issues/608
+  existing_sm_instance_guid   = local.create_secrets_manager_auth_policy > 0 ? time_sleep.wait_for_elasticsearch_authorization_policy[0].triggers["secrets_manager_guid"] : local.existing_secrets_manager_instance_guid
+  existing_sm_instance_region = local.create_secrets_manager_auth_policy > 0 ? time_sleep.wait_for_elasticsearch_authorization_policy[0].triggers["secrets_manager_region"] : local.existing_secrets_manager_instance_region
   endpoint_type               = var.existing_secrets_manager_endpoint_type
   secrets                     = local.secrets
 }

tests/pr_test.go

@@ -4,6 +4,7 @@ package test
 import (
 	"crypto/rand"
 	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"log"
 	"math/big"
@@ -146,15 +147,48 @@ func TestRunSecurityEnforcedUpgradeSolutionSchematics(t *testing.T) {
 		CheckApplyResultForUpgrade: true,
 	})
 
+	serviceCredentialSecrets := []map[string]any{
+		{
+			"secret_group_name": fmt.Sprintf("%s-secret-group", options.Prefix),
+			"service_credentials": []map[string]string{
+				{
+					"secret_name": fmt.Sprintf("%s-cred-reader", options.Prefix),
+					"service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer",
+				},
+				{
+					"secret_name": fmt.Sprintf("%s-cred-writer", options.Prefix),
+					"service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor",
+				},
+			},
+		},
+	}
+
+	serviceCredentialNames := map[string]string{
+		"admin": "Administrator",
+		"user1": "Viewer",
+		"user2": "Editor",
+	}
+
+	serviceCredentialNamesJSON, err := json.Marshal(serviceCredentialNames)
+	if err != nil {
+		log.Fatalf("Error converting to JSON: %s", err)
+	}
+
 	options.TerraformVars = []testschematic.TestSchematicTerraformVar{
 		{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
 		{Name: "prefix", Value: options.Prefix, DataType: "string"},
 		{Name: "deletion_protection", Value: false, DataType: "bool"},
 		{Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"},
 		{Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
+		{Name: "existing_secrets_manager_instance_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"},
+		{Name: "service_credential_secrets", Value: serviceCredentialSecrets, DataType: "list(object)"},
+		{Name: "service_credential_names", Value: string(serviceCredentialNamesJSON), DataType: "map(string)"},
+		{Name: "admin_pass_secrets_manager_secret_name", Value: options.Prefix, DataType: "string"},
+		{Name: "admin_pass", Value: GetRandomAdminPassword(t), DataType: "string"},
+		{Name: "admin_pass_secrets_manager_secret_group", Value: fmt.Sprintf("es-%s-admin-secrets", options.Prefix), DataType: "string"},
 	}
 
-	err := options.RunSchematicUpgradeTest()
+	err = options.RunSchematicUpgradeTest()
 	assert.Nil(t, err, "This should not have errored")
 }