From ff7e91670ddc5287cc66e58b38e9b678e73e721d Mon Sep 17 00:00:00 2001
From: shemau
Date: Mon, 27 Jan 2025 10:09:52 +0000
Subject: [PATCH 1/2] fix: service credential source service role

---
 examples/complete/main.tf | 2 +-
 solutions/standard/DA-types.md | 14 +++++---------
 solutions/standard/main.tf | 22 +++++++++++-----------
 solutions/standard/variables.tf | 25 ++++++++++++-------------
 tests/pr_test.go | 4 ++--
 5 files changed, 31 insertions(+), 36 deletions(-)

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 729f126a..22a314dd 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -95,7 +95,7 @@ module "icd_elasticsearch" {
 module "secrets_manager" {
 count = var.existing_sm_instance_guid == null ? 1 : 0
 source = "terraform-ibm-modules/secrets-manager/ibm"
- version = "1.20.0"
+ version = "1.22.0"
 resource_group_id = module.resource_group.resource_group_id
 region = var.region
 secrets_manager_name = "${var.prefix}-secrets-manager"
diff --git a/solutions/standard/DA-types.md b/solutions/standard/DA-types.md
index 6ec03c13..ed1df404 100644
--- a/solutions/standard/DA-types.md
+++ b/solutions/standard/DA-types.md
@@ -156,7 +156,7 @@ To enter a custom value, use the edit action to open the "Edit Array" panel. Add
 ### Options for service_credentials
 
 - `secret_name`: (required): A unique human-readable name of the secret to create.
-- `service_credentials_source_service_role`: (required): The role to give the service credential in the Databases for Elasticsearch service. Acceptable values are `Writer`, `Reader`, `Manager`, and `None`
+- `service_credentials_source_service_role_crn`: (required): The CRN of the role to give the service credential in the IBM Cloud Database service. Service credentials role CRNs can be found at https://cloud.ibm.com/iam/roles, select the IBM Cloud Database and select the role.
 - `secret_labels`: (optional, default = `[]`): Labels of the secret to create. Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (|).
 - `secret_auto_rotation`: (optional, default = `true`): Whether to configure automatic rotation of service credential.
 - `secret_auto_rotation_unit`: (optional, default = `day`): Specifies the unit of time for rotation of a secret. Acceptable values are `day` or `month`.
@@ -173,8 +173,8 @@ The following example includes all the configuration options for four service cr
 "service_credentials": [
 {
 "secret_name": "cred-1"
- "service_credentials_source_service_role": "Writer"
- "secret_labels": ["test-writer-1", "test-writer-2"]
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor"
+ "secret_labels": ["test-editor-1", "test-editor-2"]
 "secret_auto_rotation": true
 "secret_auto_rotation_unit": "day"
 "secret_auto_rotation_interval": 89
@@ -183,7 +183,7 @@ The following example includes all the configuration options for four service cr
 },
 {
 "secret_name": "cred-2"
- "service_credentials_source_service_role": "Reader"
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer"
 }
 ]
 },
@@ -192,11 +192,7 @@ The following example includes all the configuration options for four service cr
 "service_credentials": [
 {
 "secret_name": "cred-3"
- "service_credentials_source_service_role": "Editor"
- },
- {
- "secret_name": "cred-4"
- "service_credentials_source_service_role": "None"
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer"
 }
 ]
 }
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index 64b4f0d9..3d053e70 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
@@ -381,16 +381,16 @@ locals {
 existing_secret_group = service_credentials.existing_secret_group
 secrets = [
 for secret in service_credentials.service_credentials : {
- secret_name = secret.secret_name
- secret_labels = secret.secret_labels
- secret_auto_rotation = secret.secret_auto_rotation
- secret_auto_rotation_unit = secret.secret_auto_rotation_unit
- secret_auto_rotation_interval = secret.secret_auto_rotation_interval
- service_credentials_ttl = secret.service_credentials_ttl
- service_credential_secret_description = secret.service_credential_secret_description
- service_credentials_source_service_role = secret.service_credentials_source_service_role
- service_credentials_source_service_crn = local.elasticsearch_crn
- secret_type = "service_credentials" #checkov:skip=CKV_SECRET_6
+ secret_name = secret.secret_name
+ secret_labels = secret.secret_labels
+ secret_auto_rotation = secret.secret_auto_rotation
+ secret_auto_rotation_unit = secret.secret_auto_rotation_unit
+ secret_auto_rotation_interval = secret.secret_auto_rotation_interval
+ service_credentials_ttl = secret.service_credentials_ttl
+ service_credential_secret_description = secret.service_credential_secret_description
+ service_credentials_source_service_role_crn = secret.service_credentials_source_service_role_crn
+ service_credentials_source_service_crn = local.elasticsearch_crn
+ secret_type = "service_credentials" #checkov:skip=CKV_SECRET_6
 }
 ]
 }
@@ -420,7 +420,7 @@ module "secrets_manager_service_credentials" {
 count = var.existing_secrets_manager_instance_crn == null ? 0 : 1
 depends_on = [time_sleep.wait_for_es_authorization_policy]
 source = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
- version = "1.20.0"
+ version = "1.22.0"
 existing_sm_instance_guid = local.existing_secrets_manager_instance_guid
 existing_sm_instance_region = local.existing_secrets_manager_instance_region
 endpoint_type = var.existing_secrets_manager_endpoint_type
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index 541091de..7c80dcfd 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -296,14 +296,14 @@ variable "service_credential_secrets" {
 secret_group_description = optional(string)
 existing_secret_group = optional(bool)
 service_credentials = list(object({
- secret_name = string
- service_credentials_source_service_role = string
- secret_labels = optional(list(string))
- secret_auto_rotation = optional(bool)
- secret_auto_rotation_unit = optional(string)
- secret_auto_rotation_interval = optional(number)
- service_credentials_ttl = optional(string)
- service_credential_secret_description = optional(string)
+ secret_name = string
+ service_credentials_source_service_role_crn = string
+ secret_labels = optional(list(string))
+ secret_auto_rotation = optional(bool)
+ secret_auto_rotation_unit = optional(string)
+ secret_auto_rotation_interval = optional(number)
+ service_credentials_ttl = optional(string)
+ service_credential_secret_description = optional(string)
 }))
 }))
 
@@ -311,15 +311,14 @@ variable "service_credential_secrets" {
 description = "Service credential secrets configuration for Databases for Elasticsearch. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-elasticsearch/blob/main/solutions/standard/DA-types.md#service-credential-secrets)."
 
 validation {
+ # Service roles CRNs can be found at https://cloud.ibm.com/iam/roles, select the IBM Cloud Database and select the role
 condition = alltrue([
 for group in var.service_credential_secrets : alltrue([
- for credential in group.service_credentials : contains(
- ["Writer", "Reader", "Manager", "None"], credential.service_credentials_source_service_role
- )
+ # crn:v?:bluemix; two non-empty segments; three possibly empty segments; :serviceRole or role: non-empty segment
+ for credential in group.service_credentials : can(regex("^crn:v[0-9]:bluemix(:..*){2}(:.*){3}:(serviceRole|role):..*$", credential.service_credentials_source_service_role_crn))
 ])
 ])
- error_message = "service_credentials_source_service_role role must be one of 'Writer', 'Reader', 'Manager', and 'None'."
-
+ error_message = "service_credentials_source_service_role_crn must be a serviceRole CRN. See https://cloud.ibm.com/iam/roles"
 }
 }
 
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 0e678276..c90d2007 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -106,11 +106,11 @@ func TestRunStandardSolutionSchematics(t *testing.T) {
 "service_credentials": []map[string]string{
 {
 "secret_name": fmt.Sprintf("%s-cred-reader", options.Prefix),
- "service_credentials_source_service_role": "Reader",
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer",
 },
 {
 "secret_name": fmt.Sprintf("%s-cred-writer", options.Prefix),
- "service_credentials_source_service_role": "Writer",
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor",
 },
 },
 },

From b3c3d9ab36236a701a735b6922201eca9a07c17b Mon Sep 17 00:00:00 2001
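Review bot: The new `error_message` tells the user the value "must be a serviceRole CRN", but the pattern it guards accepts both `serviceRole` and `role` CRNs, and this commit's own docs and test fixtures use `crn:v1:bluemix:public:iam::::role:Viewer` / `role:Editor`, so an operator who follows the message would be steered away from the values the module actually expects; `error_message = "service_credentials_source_service_role_crn must be an IAM role or serviceRole CRN. See https://cloud.ibm.com/iam/roles"` would match what is enforced. The regex is also looser than the comment above it claims, because `.` matches `:` as well, so `(:..*){2}(:.*){3}` does not actually count CRN segments; `^crn:v[0-9]:bluemix(:[^:]+){2}(:[^:]*){3}:(serviceRole|role):[^:]+$` enforces the "two non-empty, three possibly empty, then role type and name" shape the comment describes. Worth stating in the variable description that the removed allow-list (`Writer`, `Reader`, `Manager`, `None`) used to bound the privilege a generated credential could receive, whereas the CRN check accepts any role the caller names, so choosing a least-privilege role is now the caller's responsibility. The enclosing `variable "service_credential_secrets"` block opens before this hunk.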
From: shemau
Date: Mon, 27 Jan 2025 10:26:39 +0000
Subject: [PATCH 2/2] fix: consistency with mongodb

---
 .secrets.baseline | 10 +---------
 solutions/standard/DA-types.md | 4 ++--
 2 files changed, 3 insertions(+), 11 deletions(-)

diff --git a/.secrets.baseline b/.secrets.baseline
index e3ea8dfc..b704e2cd 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "go.sum|^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2024-12-09T17:04:45Z",
+ "generated_at": "2025-01-27T10:25:29Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
@@ -103,14 +103,6 @@
 "line_number": 64,
 "type": "Secret Keyword",
 "verified_result": null
- },
- {
- "hashed_secret": "1e5c2f367f02e47a8c160cda1cd9d91decbac441",
- "is_secret": false,
- "is_verified": false,
- "line_number": 192,
- "type": "Secret Keyword",
- "verified_result": null
 }
 ]
 },
diff --git a/solutions/standard/DA-types.md b/solutions/standard/DA-types.md
index ed1df404..e46fa384 100644
--- a/solutions/standard/DA-types.md
+++ b/solutions/standard/DA-types.md
@@ -170,7 +170,7 @@ The following example includes all the configuration options for four service cr
 {
 "secret_group_name": "sg-1"
 "existing_secret_group": true
- "service_credentials": [
+ "service_credentials": [ # pragma: allowlist secret
 {
 "secret_name": "cred-1"
 "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor"
@@ -189,7 +189,7 @@ The following example includes all the configuration options for four service cr
 },
 {
 "secret_group_name": "sg-2"
- "service_credentials": [
+ "service_credentials": [ # pragma: allowlist secret
 {
 "secret_name": "cred-3"
 "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer"