SKIP UPGRADE TEST, add kms_encryption_enabled variable

Author: whoffler

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-05-02T09:58:59Z",
+  "generated_at": "2025-05-02T13:16:14Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -110,7 +110,7 @@
         "hashed_secret": "8c7c51db5075ebd0369c51e9f14737d9b4c1c21d",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 356,
+        "line_number": 361,
         "type": "Base64 High Entropy String",
         "verified_result": null
       }

cra-config.yaml

@@ -6,6 +6,7 @@ CRA_TARGETS:
     PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3"  # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile).
     CRA_ENVIRONMENT_VARIABLES:
       TF_VAR_prefix: "test"
+      TF_VAR_kms_encryption_enabled: true
       TF_VAR_use_ibm_owned_encryption_key: false
       TF_VAR_existing_kms_instance_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9::"
       TF_VAR_provider_visibility: "public"

ibm_catalog.json

@@ -317,6 +317,9 @@
                 }
               ]
             },
+            {
+              "key": "kms_encryption_enabled"
+            },
             {
               "key": "use_ibm_owned_encryption_key"
             },

solutions/fully-configurable/variables.tf

@@ -227,28 +227,32 @@ variable "auto_scaling" {
 # Encryption
 ##############################################################
 
-variable "use_ibm_owned_encryption_key" {
+variable "kms_encryption_enabled" {
   type        = bool
-  description = "IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for `existing_kms_instance_crn` to create a new key, or `existing_kms_key_crn` and/or `existing_backup_kms_key_crn` to use an existing key."
-  default     = true
+  description = "Set to true to enable KMS Encryption using customer managed keys. When set to true, a value must be passed for either 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn'."
+  default     = false
 
   validation {
-    condition = (
-      !var.use_ibm_owned_encryption_key ? length(compact([var.existing_kms_instance_crn, var.existing_kms_key_crn, var.existing_backup_kms_key_crn])) > 0 : true
-    )
-    error_message = "When not using ibm owned encryption keys by setting variable 'use_ibm_owned_encryption_key' to false, 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn' must be set."
+    condition     = var.kms_encryption_enabled ? var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null : true
+    error_message = "When variable `kms_encryption_enabled` is true and KMS encryption is enabled, you must provide either an existing KMS instance with variable `existing_kms_instance_crn` or an existing KMS key using variable `existing_kms_key_crn` or `existing_backup_kms_key_crn`"
   }
+}
+
+variable "use_ibm_owned_encryption_key" {
+  type        = bool
+  description = "IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for `existing_kms_instance_crn` to create a new key, or `existing_kms_key_crn` and/or `existing_backup_kms_key_crn` to use an existing key."
+  default     = true
 
   validation {
-    condition     = !var.use_ibm_owned_encryption_key && var.existing_kms_instance_crn == null ? (var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null) : true
-    error_message = "When not using ibm owned encryption, you must provide either an existing KMS instance with variable `existing_kms_instance_crn` or an existing KMS key using variable `existing_kms_key_crn` or `existing_backup_kms_key_crn`"
+    condition     = var.use_ibm_owned_encryption_key ? !var.kms_encryption_enabled : true
+    error_message = "When variable `use_ibm_owned_encryption_key` is true, `kms_encryption_enabled` should be set to false"
   }
 
   validation {
     condition = (
       var.use_ibm_owned_encryption_key ? length(compact([var.existing_kms_instance_crn, var.existing_kms_key_crn, var.existing_backup_kms_key_crn])) == 0 : true
     )
-    error_message = "When using ibm owned encryption keys by setting variable 'use_ibm_owned_encryption_key' to true, 'existing_kms_instance_crn', 'existing_kms_key_crn' and 'existing_backup_kms_key_crn' must not be set."
+    error_message = "When using ibm owned encryption keys by setting variable 'use_ibm_owned_encryption_key' to true, 'existing_kms_instance_crn', 'existing_kms_key_crn' and 'existing_backup_kms_key_crn' should not be set."
   }
 }
 

solutions/security-enforced/main.tf

@@ -26,6 +26,7 @@ module "elasticsearch" {
   # Auto Scaling
   auto_scaling = var.auto_scaling
   # Encryption
+  kms_encryption_enabled            = true
   use_ibm_owned_encryption_key      = false
   existing_kms_instance_crn         = var.existing_kms_instance_crn
   existing_kms_key_crn              = var.existing_kms_key_crn

tests/pr_test.go

@@ -96,6 +96,7 @@ func TestRunFullyConfigurableSolutionSchematics(t *testing.T) {
 	options.TerraformVars = []testschematic.TestSchematicTerraformVar{
 		{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
 		{Name: "elasticsearch_access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"},
+		{Name: "kms_encryption_enabled", Value: true, DataType: "bool"},
 		{Name: "use_ibm_owned_encryption_key", Value: false, DataType: "bool"},
 		{Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
 		{Name: "kms_endpoint_type", Value: "private", DataType: "string"},
@@ -132,6 +133,7 @@ func TestRunFullyConfigurableUpgradeSolution(t *testing.T) {
 	options.TerraformVars = map[string]interface{}{
 		"prefix":                       options.Prefix,
 		"elasticsearch_access_tags":    permanentResources["accessTags"],
+		"kms_encryption_enabled":       true,
 		"use_ibm_owned_encryption_key": false,
 		"existing_kms_instance_crn":    permanentResources["hpcs_south_crn"],
 		"kms_endpoint_type":            "public",
@@ -187,6 +189,7 @@ func TestRunSecurityEnforcedSolutionSchematics(t *testing.T) {
 
 	options.TerraformVars = []testschematic.TestSchematicTerraformVar{
 		{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
+		{Name: "kms_encryption_enabled", Value: true, DataType: "bool"},
 		{Name: "use_ibm_owned_encryption_key", Value: false, DataType: "bool"},
 		{Name: "elasticsearch_access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"},
 		{Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
@@ -330,6 +333,7 @@ func TestPlanValidation(t *testing.T) {
 
 	// Test the DA when using Elser model
 	var fullyConfigurableSolutionWithElserModelVars = map[string]interface{}{
+		"kms_encryption_enabled":       true,
 		"use_ibm_owned_encryption_key": false,
 		"existing_kms_instance_crn":    permanentResources["hpcs_south_crn"],
 		"enable_elser_model":           true,
@@ -339,6 +343,7 @@ func TestPlanValidation(t *testing.T) {
 	// Test the DA when using Kibana dashboard and existing KMS instance
 	var fullyConfigurableSolutionWithKibanaDashboardVars = map[string]interface{}{
 		"enable_kibana_dashboard":      true,
+		"kms_encryption_enabled":       true,
 		"use_ibm_owned_encryption_key": false,
 		"existing_kms_instance_crn":    permanentResources["hpcs_south_crn"],
 		"plan":                         "enterprise",