diff --git a/ibm_catalog.json b/ibm_catalog.json
index 8e629431..115d11e2 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -458,6 +458,12 @@
                 {
                   "key": "kibana_image_port"
                 },
+                {
+                  "key": "kibana_system_secret_name"
+                },
+                {
+                  "key": "kibana_app_secret_name"
+                },
                 {
                   "key": "cbr_code_engine_kibana_project_rules"
                 },
@@ -841,6 +847,12 @@
                 {
                   "key": "kibana_image_port"
                 },
+                {
+                  "key": "kibana_system_secret_name"
+                },
+                {
+                  "key": "kibana_app_secret_name"
+                },
                 {
                   "key": "cbr_rules",
                   "type": "array",
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 479b34c1..9145fa35 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -396,20 +396,34 @@ locals {
     }
   ]
+  # Prepare locally generated secrets
+  system_secrets = [{
+    "secret_name" = "${local.prefix}${var.admin_pass_secrets_manager_secret_name}"
+    "secret_type" = "arbitrary"
+    "secret_payload_password" = local.admin_pass
+  }]
+  kibana_secrets = var.enable_kibana_dashboard ? [{
+    "secret_name" = "${local.prefix}${var.kibana_system_secret_name}"
+    "secret_type" = "arbitrary"
+    "secret_payload_password" = local.kibana_system_password
+  },
+  {
+    "secret_name" = "${local.prefix}${var.kibana_app_secret_name}"
+    "secret_type" = "arbitrary"
+    "secret_payload_password" = local.kibana_app_login_password
+  }] : []
+  password_secrets = concat(local.system_secrets, local.kibana_secrets)
+
+
   # Build the structure of the arbitrary credential type secret for admin password
-  admin_pass_secret = [{
+  user_secrets = [{
     secret_group_name = "${local.prefix}${var.admin_pass_secrets_manager_secret_group}"
     existing_secret_group = var.use_existing_admin_pass_secrets_manager_secret_group
-    secrets = [{
-      secret_name = "${local.prefix}${var.admin_pass_secrets_manager_secret_name}"
-      secret_type = "arbitrary"
-      secret_payload_password = local.admin_pass
-    }
-    ]
+    secrets = local.password_secrets
   }]
   # Concatenate into 1 secrets object
-  secrets = concat(local.service_credential_secrets, local.admin_pass_secret)
+  secrets = concat(local.service_credential_secrets, local.user_secrets)
   # Parse Secrets Manager details from the CRN
   existing_secrets_manager_instance_guid = var.existing_secrets_manager_instance_crn != null ? module.sm_instance_crn_parser[0].service_instance : null
   existing_secrets_manager_instance_region = var.existing_secrets_manager_instance_crn != null ? module.sm_instance_crn_parser[0].region : null
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index b036876c..af657131 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
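Review bot: `password_secrets` puts the admin, Kibana system and Kibana app secrets into the same secret group, but nothing ensures the three names resolve to distinct values; if `kibana_system_secret_name`, `kibana_app_secret_name` or `admin_pass_secrets_manager_secret_name` are given the same string, the duplicate only surfaces as a Secrets Manager error at apply time. A plan-time guard would be a validation on the new variables in `solutions/fully-configurable/variables.tf` (that file already references other variables inside `validation` blocks), e.g. `condition = var.kibana_system_secret_name != var.kibana_app_secret_name && var.kibana_system_secret_name != var.admin_pass_secrets_manager_secret_name`, with the mirror check on `kibana_app_secret_name`. The new entries also quote their attribute names (`"secret_name" = …`) while the removed lines and the rest of this `locals` block use bare keys, so prefer `secret_name = …` for consistency. `local.kibana_system_password` and `local.kibana_app_login_password` are defined outside this hunk, and the `locals` block itself starts before and continues past it.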
@@ -581,6 +581,32 @@ variable "kibana_registry_personal_access_token" {
   }
 }
+variable "kibana_system_secret_name" {
+  type = string
+  description = "The Secrets Manager secret name of a new kibana system secret. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+  default = "kibana-system-password"
+
+  validation {
+    condition = (
+      !(var.enable_kibana_dashboard && var.existing_secrets_manager_instance_crn != null && length(var.kibana_system_secret_name) == 0)
+    )
+    error_message = "`kibana_system_secret_name` is required when `existing_secrets_manager_instance_crn` and `enable_kibana_dashboard` are set."
+  }
+}
+
+variable "kibana_app_secret_name" {
+  type = string
+  description = "The Secrets Manager secret name of a new kibana application secret. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+  default = "kibana-app-password"
+
+  validation {
+    condition = (
+      !(var.enable_kibana_dashboard && var.existing_secrets_manager_instance_crn != null && length(var.kibana_app_secret_name) == 0)
+    )
+    error_message = "`kibana_app_secret_name` is required when `existing_secrets_manager_instance_crn` and `enable_kibana_dashboard` are set."
+  }
+}
+
 ##############################################################
 # Context-based restriction (CBR)
 ##############################################################
diff --git a/solutions/security-enforced/main.tf b/solutions/security-enforced/main.tf
index 4597ff50..4d1f3e3c 100644
--- a/solutions/security-enforced/main.tf
+++ b/solutions/security-enforced/main.tf
@@ -53,5 +53,7 @@ module "elasticsearch" {
   kibana_image_digest = var.kibana_image_digest
   kibana_image_port = var.kibana_image_port
   kibana_visibility = "local_private"
+  kibana_system_secret_name = var.kibana_system_secret_name
+  kibana_app_secret_name = var.kibana_app_secret_name
   cbr_rules = var.cbr_rules
 }
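Review bot: The validation in `kibana_system_secret_name` (and the identical one in `kibana_app_secret_name`) calls `length(var.kibana_system_secret_name)` with no guard for `null`; the variable is nullable by default, so a caller passing `null` trips a type error inside the condition instead of getting the intended `error_message`. Either add `nullable = false` after `default = "kibana-system-password"` (and likewise for the app secret), which makes the null case impossible and keeps the existing condition correct, or write the check as `length(coalesce(var.kibana_system_secret_name, "")) == 0`. The two validation blocks are otherwise copies of each other; if more secret-name variables follow, a shared `nullable = false` plus a short non-empty check is easier to keep in step than repeating the three-way condition.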
diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf
index f1dd1658..73f2f046 100644
--- a/solutions/security-enforced/variables.tf
+++ b/solutions/security-enforced/variables.tf
@@ -431,15 +431,26 @@ variable "kibana_image_digest" {
     condition = var.kibana_image_digest == null || can(regex("^sha256:", var.kibana_image_digest))
     error_message = "If provided, the value of kibana_image_digest must start with 'sha256:'."
   }
-
-
 }
+
 variable "kibana_image_port" {
   description = "Specify the port number used to connect to the Kibana service exposed by the container image. Default port is 5601 and it is only applicable if `enable_kibana_dashboard` is true"
   type = number
   default = 5601
 }
+variable "kibana_system_secret_name" {
+  type = string
+  description = "The Secrets Manager secret name of a new kibana system secret. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+  default = "kibana-system-password"
+}
+
+variable "kibana_app_secret_name" {
+  type = string
+  description = "The Secrets Manager secret name of a new kibana application secret. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
+  default = "kibana-app-password"
+}
+
 ##############################################################
 # Context-based restriction (CBR)
 ##############################################################
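Review bot: `kibana_system_secret_name` and `kibana_app_secret_name` are added here without any `validation` or `nullable` setting, unlike their counterparts in `solutions/fully-configurable/variables.tf` in this same commit, so an empty string or `null` is accepted by the security-enforced variant and only fails once it reaches the wrapped module or Secrets Manager. Whether `existing_secrets_manager_instance_crn` is also an input of this variant is not visible in the hunk, so the cross-variable condition may not be copyable verbatim; at minimum `nullable = false` and `condition = length(var.kibana_system_secret_name) > 0` (mirrored for the app secret) would reject the bad values at plan time with a clear message. It would also help to state in each `description` that the name is only used when `enable_kibana_dashboard` is true, as the `kibana_image_port` description above already does.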