feat: Add support to store ElasticSearch service credentials in Secrets Manager (#247)

* add service credential to secrets manager in DA

* tests: skipping tests other than TestRunStandardSolutionSchematics

* fix: update secret_manager_service_credential

* feat support  to store service credentials in secrets manager

* update test

* test failure work around

* fix: pre-commit failure

* add condition to not create sm credentials

* added back connectionstrings lifecycle ignore

* fix test failure

* update description

* fix: resolve review comments

* fix: add validation

---------

Co-authored-by: Soaib024 <[email protected]>
Co-authored-by: Soaib024 <[email protected]>

Author: dishankkalra23

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-07-10T14:07:34Z",
+  "generated_at": "2024-08-07T07:25:45Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -92,15 +92,23 @@
         "hashed_secret": "44cdfc3615970ada14420caaaa5c5745fca06002",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 58,
+        "line_number": 59,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "bd0d0d73a240c29656fb8ae0dfa5f863077788dc",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 63,
+        "line_number": 64,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "1e5c2f367f02e47a8c160cda1cd9d91decbac441",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 192,
         "type": "Secret Keyword",
         "verified_result": null
       }

solutions/standard/DA-types.md

@@ -5,6 +5,7 @@ Several optional input variables in the IBM Cloud [Databases for Elasticsearch d
 - [Service credentials](#svc-credential-name) (`service_credential_names`)
 - [Users](#users) (`users`)
 - [Autoscaling](#autoscaling) (`auto_scaling`)
+- [Service credential secrets](#service-credential-secrets) (`service_credential_secrets`)
 
 ## Service credentials <a name="svc-credential-name"></a>
 
@@ -130,3 +131,74 @@ The following example shows values for both disk and memory for the `auto_scalin
   }
 }
 ```
+
+## Service credential secrets <a name="service-credential-secrets"></a>
+
+When you add an IBM Databases for Elasticsearch service from the IBM Cloud catalog to an IBM Cloud Projects service, you can configure service credentials. In the edit mode for the projects configuration, select the Configure panel and then click the optional tab.
+
+In the configuration, specify the secret group name, whether it already exists or will be created and include all the necessary service credential secrets that need to be created within that secret group.
+
+To enter a custom value, use the edit action to open the "Edit Array" panel. Add the service credential secrets configurations to the array here.
+
+ [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/sm_service_credentials_secret) about service credential secrets.
+
+- Variable name: `service_credential_secrets`.
+- Type: A list of objects that represent a service credential secret groups and secrets
+- Default value: An empty list (`[]`)
+
+### Options for service_credential_secrets
+
+- `secret_group_name` (required): A unique human-readable name that identifies this service credential secret group.
+- `secret_group_description` (optional, default = `null`): A human-readable description for this secret group.
+- `existing_secret_group`: (optional, default = `false`): Set to true, if secret group name provided in the variable `secret_group_name` already exists.
+- `service_credentials`: (optional, default = `[]`): A list of object that represents a service credential secret.
+
+### Options for service_credentials
+
+- `secret_name`: (required): A unique human-readable name of the secret to create.
+- `service_credentials_source_service_role`: (required): The role to give the service credential in the Databases for Elasticsearch service. Acceptable values are `Writer`, `Reader`, `Manager`, and `None`
+- `secret_labels`: (optional, default = `[]`): Labels of the secret to create. Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (|).
+- `secret_auto_rotation`: (optional, default = `true`): Whether to configure automatic rotation of service credential.
+- `secret_auto_rotation_unit`: (optional, default = `day`): Specifies the unit of time for rotation of a secret. Acceptable values are `day` or `month`.
+- `secret_auto_rotation_interval`: (optional, default = `89`): Specifies the rotation interval for the rotation unit.
+- `service_credentials_ttl`: (optional, default = `7776000`): The time-to-live (TTL) to assign to generated service credentials (in seconds).
+- `service_credential_secret_description`: (optional, default = `null`): Description of the secret to create.
+
+The following example includes all the configuration options for four service credentials and two secret groups.
+```hcl
+[
+  {
+    "secret_group_name": "sg-1"
+    "existing_secret_group": true
+    "service_credentials": [
+      {
+        "secret_name": "cred-1"
+        "service_credentials_source_service_role":  "Writer"
+        "secret_labels": ["test-writer-1", "test-writer-2"]
+        "secret_auto_rotation": true
+        "secret_auto_rotation_unit": "day"
+        "secret_auto_rotation_interval": 89
+        "service_credentials_ttl": 7776000
+        "service_credential_secret_description": "sample description"
+      },
+      {
+        "secret_name": "cred-2"
+        "service_credentials_source_service_role": "Reader"
+      }
+    ]
+  },
+  {
+    "secret_group_name": "sg-2"
+    "service_credentials": [
+      {
+        "secret_name": "cred-3"
+        "service_credentials_source_service_role": "Editor"
+      },
+      {
+        "secret_name": "cred-4"
+        "service_credentials_source_service_role": "None"
+      }
+    ]
+  }
+]
+```

solutions/standard/main.tf

@@ -20,6 +20,8 @@ locals {
   kms_service_name = local.kms_key_crn != null ? (
     can(regex(".*kms.*", local.kms_key_crn)) ? "kms" : can(regex(".*hs-crypto.*", local.kms_key_crn)) ? "hs-crypto" : null
   ) : null
+
+  elasticsearch_guid = local.use_existing_db_instance ? data.ibm_database.existing_db_instance[0].guid : module.elasticsearch[0].guid
 }
 
 #######################################################################################################################
@@ -59,7 +61,6 @@ resource "time_sleep" "wait_for_authorization_policy" {
   create_duration = "30s"
 }
 
-
 module "kms" {
   providers = {
     ibm = ibm.kms
@@ -121,6 +122,66 @@ module "elasticsearch" {
   elser_model_type              = var.elser_model_type
 }
 
+# create a service authorization between Secrets Manager and the target service (Elastic Search)
+resource "ibm_iam_authorization_policy" "secrets_manager_key_manager" {
+  count                       = var.skip_es_sm_auth_policy || var.existing_secrets_manager_instance_crn == null ? 0 : 1
+  depends_on                  = [module.elasticsearch]
+  source_service_name         = "secrets-manager"
+  source_resource_instance_id = local.existing_secrets_manager_instance_guid
+  target_service_name         = "databases-for-elasticsearch"
+  target_resource_instance_id = local.elasticsearch_guid
+  roles                       = ["Key Manager"]
+  description                 = "Allow Secrets Manager with instance id ${local.existing_secrets_manager_instance_guid} to manage key for the databases-for-elasticsearch instance"
+}
+
+# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
+resource "time_sleep" "wait_for_es_authorization_policy" {
+  depends_on      = [ibm_iam_authorization_policy.secrets_manager_key_manager]
+  create_duration = "30s"
+}
+
+locals {
+  service_credential_secrets = [
+    for service_credentials in var.service_credential_secrets : {
+      secret_group_name        = service_credentials.secret_group_name
+      secret_group_description = service_credentials.secret_group_description
+      existing_secret_group    = service_credentials.existing_secret_group
+      secrets = [
+        for secret in service_credentials.service_credentials : {
+          secret_name                             = secret.secret_name
+          secret_labels                           = secret.secret_labels
+          secret_auto_rotation                    = secret.secret_auto_rotation
+          secret_auto_rotation_unit               = secret.secret_auto_rotation_unit
+          secret_auto_rotation_interval           = secret.secret_auto_rotation_interval
+          service_credentials_ttl                 = secret.service_credentials_ttl
+          service_credential_secret_description   = secret.service_credential_secret_description
+          service_credentials_source_service_role = secret.service_credentials_source_service_role
+          service_credentials_source_service_crn  = local.use_existing_db_instance ? data.ibm_database.existing_db_instance[0].id : module.elasticsearch[0].crn
+          secret_type                             = "service_credentials" #checkov:skip=CKV_SECRET_6
+        }
+      ]
+    }
+  ]
+
+  existing_secrets_manager_instance_crn_split = var.existing_secrets_manager_instance_crn != null ? split(":", var.existing_secrets_manager_instance_crn) : null
+  existing_secrets_manager_instance_guid      = var.existing_secrets_manager_instance_crn != null ? element(local.existing_secrets_manager_instance_crn_split, length(local.existing_secrets_manager_instance_crn_split) - 3) : null
+  existing_secrets_manager_instance_region    = var.existing_secrets_manager_instance_crn != null ? element(local.existing_secrets_manager_instance_crn_split, length(local.existing_secrets_manager_instance_crn_split) - 5) : null
+
+  # tflint-ignore: terraform_unused_declarations
+  validate_sm_crn = length(local.service_credential_secrets) > 0 && var.existing_secrets_manager_instance_crn == null ? tobool("`existing_secrets_manager_instance_crn` is required when adding service credentials to a secrets manager secret.") : false
+}
+
+module "secrets_manager_service_credentials" {
+  count                       = length(local.service_credential_secrets) > 0 ? 1 : 0
+  depends_on                  = [time_sleep.wait_for_es_authorization_policy]
+  source                      = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
+  version                     = "1.17.4"
+  existing_sm_instance_guid   = local.existing_secrets_manager_instance_guid
+  existing_sm_instance_region = local.existing_secrets_manager_instance_region
+  endpoint_type               = var.existing_secrets_manager_endpoint_type
+  secrets                     = local.service_credential_secrets
+}
+
 # this extra block is needed when passing in an existing ES instance - the database data block
 # requires a name and resource_id to retrieve the data
 data "ibm_resource_instance" "existing_instance_resource" {

solutions/standard/outputs.tf

@@ -9,7 +9,7 @@ output "id" {
 
 output "guid" {
   description = "Elasticsearch instance guid"
-  value       = local.use_existing_db_instance ? data.ibm_database.existing_db_instance[0].guid : module.elasticsearch[0].guid
+  value       = local.elasticsearch_guid
 }
 
 output "version" {
@@ -48,3 +48,13 @@ output "port" {
   description = "Elasticsearch instance port"
   value       = local.use_existing_db_instance ? data.ibm_database_connection.existing_connection[0].https[0].hosts[0].port : module.elasticsearch[0].port
 }
+
+output "service_credential_secrets" {
+  description = "Service credential secrets"
+  value       = length(local.service_credential_secrets) > 0 ? module.secrets_manager_service_credentials[0].secrets : null
+}
+
+output "service_credential_secret_groups" {
+  description = "Service credential secret groups"
+  value       = length(local.service_credential_secrets) > 0 ? module.secrets_manager_service_credentials[0].secret_groups : null
+}

solutions/standard/variables.tf

@@ -179,7 +179,6 @@ variable "auto_scaling" {
 # Encryption
 ##############################################################
 
-
 variable "existing_kms_key_crn" {
   type        = string
   description = "The CRN of a Hyper Protect Crypto Services or Key Protect root key to use for disk encryption. If not specified, a root key is created in the KMS instance."
@@ -238,6 +237,65 @@ variable "enable_elser_model" {
   default     = false
 }
 
+##############################################################################
+## Secrets Manager Service Credentials
+##############################################################################
+
+variable "existing_secrets_manager_instance_crn" {
+  type        = string
+  default     = null
+  description = "The CRN of existing secrets manager to use to create service credential secrets for Databases for Elasticsearch instance."
+}
+
+variable "existing_secrets_manager_endpoint_type" {
+  type        = string
+  description = "The endpoint type to use if `existing_secrets_manager_instance_crn` is specified. Possible values: public, private."
+  default     = "private"
+  validation {
+    condition     = contains(["public", "private"], var.existing_secrets_manager_endpoint_type)
+    error_message = "Only \"public\" and \"private\" are allowed values for 'existing_secrets_endpoint_type'."
+  }
+}
+
+variable "service_credential_secrets" {
+  type = list(object({
+    secret_group_name        = string
+    secret_group_description = optional(string)
+    existing_secret_group    = optional(bool)
+    service_credentials = list(object({
+      secret_name                             = string
+      service_credentials_source_service_role = string
+      secret_labels                           = optional(list(string))
+      secret_auto_rotation                    = optional(bool)
+      secret_auto_rotation_unit               = optional(string)
+      secret_auto_rotation_interval           = optional(number)
+      service_credentials_ttl                 = optional(string)
+      service_credential_secret_description   = optional(string)
+
+    }))
+  }))
+  default     = []
+  description = "Service credential secrets configuration for Databases for Elasticsearch. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-elasticsearch/tree/main/solutions/instance/DA-types.md#service-credential-secrets)."
+
+  validation {
+    condition = alltrue([
+      for group in var.service_credential_secrets : alltrue([
+        for credential in group.service_credentials : contains(
+          ["Writer", "Reader", "Manager", "None"], credential.service_credentials_source_service_role
+        )
+      ])
+    ])
+    error_message = "service_credentials_source_service_role role must be one of 'Writer', 'Reader', 'Manager', and 'None'."
+
+  }
+}
+
+variable "skip_es_sm_auth_policy" {
+  type        = bool
+  default     = false
+  description = "Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Databases for Elasticsearch. Set to `true` to use an existing policy."
+}
+
 variable "elser_model_type" {
   type        = string
   description = "Trained ELSER model to be used for Elastic's Natural Language Processing. Possible values: `.elser_model_1`, `.elser_model_2` and `.elser_model_2_linux-x86_64`. [Learn more](https://www.elastic.co/guide/en/machine-learning/current/ml-nlp-elser.html)"

tests/pr_test.go

@@ -151,18 +151,34 @@ func TestRunStandardSolutionSchematics(t *testing.T) {
 
 	// if error producing tar patterns (very unexpected) fail test immediately
 	require.NoError(t, recurseErr, "Schematic Test had unexpected error traversing directory tree")
-
+	prefix := "els-sr-da"
 	options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
 		Testing:                t,
 		TarIncludePatterns:     tarIncludePatterns,
 		TemplateFolder:         standardSolutionTerraformDir,
 		BestRegionYAMLPath:     regionSelectionPath,
-		Prefix:                 "els-sr-da",
+		Prefix:                 prefix,
 		ResourceGroup:          resourceGroup,
 		DeleteWorkspaceOnFail:  false,
 		WaitJobCompleteMinutes: 60,
 	})
 
+	serviceCredentialSecrets := []map[string]interface{}{
+		{
+			"secret_group_name": fmt.Sprintf("%s-secret-group", prefix),
+			"service_credentials": []map[string]string{
+				{
+					"secret_name": fmt.Sprintf("%s-cred-reader", prefix),
+					"service_credentials_source_service_role": "Reader",
+				},
+				{
+					"secret_name": fmt.Sprintf("%s-cred-writer", prefix),
+					"service_credentials_source_service_role": "Writer",
+				},
+			},
+		},
+	}
+
 	options.TerraformVars = []testschematic.TestSchematicTerraformVar{
 		{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
 		{Name: "access_tags", Value: permanentResources["accessTags"], DataType: "list(string)"},
@@ -172,6 +188,8 @@ func TestRunStandardSolutionSchematics(t *testing.T) {
 		{Name: "plan", Value: "platinum", DataType: "string"},
 		{Name: "enable_elser_model", Value: true, DataType: "bool"},
 		{Name: "service_credential_names", Value: "{\"admin_test\": \"Administrator\", \"editor_test\": \"Editor\"}", DataType: "map(string)"},
+		{Name: "existing_secrets_manager_instance_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"},
+		{Name: "service_credential_secrets", Value: serviceCredentialSecrets, DataType: "list(object)"},
 	}
 	err := options.RunSchematicTest()
 	assert.Nil(t, err, "This should not have errored")