From 06717bfad8eee49b31598ef2658eb95799a75843 Mon Sep 17 00:00:00 2001
From: Vipin Kumar
Date: Sat, 11 Oct 2025 15:36:31 +0530
Subject: [PATCH 1/5] fix: implicit dependency for service credentials on time sleep

---
 solutions/fully-configurable/main.tf | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index b2b0a879..a4b8a184 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -367,6 +367,10 @@ resource "time_sleep" "wait_for_elasticsearch_authorization_policy" {
 count = local.create_secrets_manager_auth_policy
 depends_on = [ibm_iam_authorization_policy.secrets_manager_key_manager]
 create_duration = "30s"
+ triggers = {
+ secrets_manager_region = local.existing_secrets_manager_instance_region
+ secrets_manager_guid = local.existing_secrets_manager_instance_guid
+ }
 }
 locals {
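Review bot: The new `triggers` block on `time_sleep.wait_for_elasticsearch_authorization_policy` carries no comment saying why it exists; the sleep itself never reads those two values, so a later maintainer could drop or rename them as unused and silently remove the ordering that the second hunk of this file builds on (`time_sleep.wait_for_elasticsearch_authorization_policy[0].triggers["secrets_manager_guid"]` and `["secrets_manager_region"]`). A one-line comment above `triggers` would close that gap: `# Not consumed by the sleep: module.secrets_manager_service_credentials reads these values so that it implicitly depends on this resource (the time provider re-runs the delay if a trigger value changes).` The `[0]` index in the second hunk is safe because this resource's `count` is the same `local.create_secrets_manager_auth_policy` that guards the conditional there. The enclosing `resource` block starts outside the hunk.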
@@ -412,12 +416,12 @@ locals {
 }
 module "secrets_manager_service_credentials" {
- count = length(local.service_credential_secrets) > 0 ? 1 : 0
- depends_on = [time_sleep.wait_for_elasticsearch_authorization_policy]
- source = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
- version = "2.10.1"
- existing_sm_instance_guid = local.existing_secrets_manager_instance_guid
- existing_sm_instance_region = local.existing_secrets_manager_instance_region
+ count = length(local.service_credential_secrets) > 0 ? 1 : 0
+ source = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
+ version = "2.10.1"
+ # converted into implicit dependency and removed explicit depends_on time_sleep.wait_for_elasticsearch_authorization_policy for this module because of issue https://github.com/terraform-ibm-modules/terraform-ibm-icd-redis/issues/608
+ existing_sm_instance_guid = local.create_secrets_manager_auth_policy > 0 ? time_sleep.wait_for_elasticsearch_authorization_policy[0].triggers["secrets_manager_guid"] : local.existing_secrets_manager_instance_guid
+ existing_sm_instance_region = local.create_secrets_manager_auth_policy > 0 ? time_sleep.wait_for_elasticsearch_authorization_policy[0].triggers["secrets_manager_region"] : local.existing_secrets_manager_instance_region
 endpoint_type = var.existing_secrets_manager_endpoint_type
 secrets = local.secrets
 }

From 0fbd5d78c201515c2482e6a40d2fdc4e6917dab3 Mon Sep 17 00:00:00 2001
From: Vipin Kumar
Date: Sat, 11 Oct 2025 17:21:42 +0530
Subject: [PATCH 2/5] closed test gap

---
 tests/pr_test.go | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)

diff --git a/tests/pr_test.go b/tests/pr_test.go
index 04d68318..474972b7 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -4,6 +4,7 @@ package test
 import (
 "crypto/rand"
 "encoding/base64"
+ "encoding/json"
 "fmt"
 "log"
 "math/big"
@@ -146,15 +147,48 @@ func TestRunSecurityEnforcedUpgradeSolutionSchematics(t *testing.T) {
 CheckApplyResultForUpgrade: true,
 })
+ serviceCredentialSecrets := []map[string]any{
+ {
+ "secret_group_name": fmt.Sprintf("%s-secret-group", options.Prefix),
+ "service_credentials": []map[string]string{
+ {
+ "secret_name": fmt.Sprintf("%s-cred-reader", options.Prefix),
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer",
+ },
+ {
+ "secret_name": fmt.Sprintf("%s-cred-writer", options.Prefix),
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor",
+ },
+ },
+ },
+ }
+
+ serviceCredentialNames := map[string]string{
+ "admin": "Administrator",
+ "user1": "Viewer",
+ "user2": "Editor",
+ }
+
+ serviceCredentialNamesJSON, err := json.Marshal(serviceCredentialNames)
+ if err != nil {
+ log.Fatalf("Error converting to JSON: %s", err)
+ }
+
 options.TerraformVars = []testschematic.TestSchematicTerraformVar{
 {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
 {Name: "prefix", Value: options.Prefix, DataType: "string"},
 {Name: "deletion_protection", Value: false, DataType: "bool"},
 {Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"},
 {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
+ {Name: "existing_secrets_manager_instance_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"},
+ {Name: "service_credential_secrets", Value: serviceCredentialSecrets, DataType: "list(object)"},
+ {Name: "service_credential_names", Value: string(serviceCredentialNamesJSON), DataType: "map(string)"},
+ {Name: "admin_pass_secrets_manager_secret_name", Value: options.Prefix, DataType: "string"},
+ {Name: "admin_pass", Value: GetRandomAdminPassword(t), DataType: "string"},
+ {Name: "admin_pass_secrets_manager_secret_group", Value:
fmt.Sprintf("es-%s-admin-secrets", options.Prefix), DataType: "string"},
 }
- err := options.RunSchematicUpgradeTest()
+ err = options.RunSchematicUpgradeTest()
 assert.Nil(t, err, "This should not have errored")
 }

From 7f1ddb0e69c267dbde80c1fee6d9222c16e99974 Mon Sep 17 00:00:00 2001
From: Vipin Kumar
Date: Sat, 11 Oct 2025 17:28:17 +0530
Subject: [PATCH 3/5] fix

---
 .secrets.baseline | 4 ++--
 tests/pr_test.go | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.secrets.baseline b/.secrets.baseline
index 8460b61c..8085ebd9 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "go.sum|^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2025-10-04T04:24:13Z",
+ "generated_at": "2025-10-11T11:57:05Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
@@ -110,7 +110,7 @@
 "hashed_secret": "8c7c51db5075ebd0369c51e9f14737d9b4c1c21d",
 "is_secret": false,
 "is_verified": false,
- "line_number": 379,
+ "line_number": 413,
 "type": "Base64 High Entropy String",
 "verified_result": null
 }
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 474972b7..2438d02e 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -184,7 +184,7 @@ func TestRunSecurityEnforcedUpgradeSolutionSchematics(t *testing.T) {
 {Name: "service_credential_secrets", Value: serviceCredentialSecrets, DataType: "list(object)"},
 {Name: "service_credential_names", Value: string(serviceCredentialNamesJSON), DataType: "map(string)"},
 {Name: "admin_pass_secrets_manager_secret_name", Value: options.Prefix, DataType: "string"},
- {Name: "admin_pass", Value: GetRandomAdminPassword(t), DataType: "string"},
+ {Name: "admin_pass", Value: options.Prefix, DataType: "string"},
 {Name: "admin_pass_secrets_manager_secret_group", Value: fmt.Sprintf("es-%s-admin-secrets", options.Prefix), DataType: "string"},
 }

From 641ba6847689287bd3ee630aa2bd905c0a86dc57 Mon Sep 17 00:00:00 2001
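Review bot: `log.Fatalf` in the `json.Marshal` error branch of `TestRunSecurityEnforcedUpgradeSolutionSchematics` exits the whole test binary, which skips `t.Cleanup` handlers and every other test in the package instead of failing just this case. The testing API gives the same stop-here semantics scoped to the test: `t.Fatalf("converting service credential names to JSON: %s", err)`. The rest of the function already reports through `t` (`assert.Nil(t, err, ...)` on the final `err = options.RunSchematicUpgradeTest()`), so this also keeps the error handling consistent within the function. The enclosing function starts before the hunk.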
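Review bot: Replacing `GetRandomAdminPassword(t)` with `options.Prefix` as the `admin_pass` value makes the database admin password identical to a value that is also passed in clear text as the secret name (`admin_pass_secrets_manager_secret_name`) and embedded in every resource name, so the upgrade test would provision a predictable credential. PATCH 4/5 in this series restores `GetRandomAdminPassword(t)` on the same line, so the two commits cancel out; squashing them would keep the predictable-password state out of the history while leaving the `.secrets.baseline` refresh in place.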
From: Vipin Kumar
Date: Sat, 11 Oct 2025 18:24:23 +0530
Subject: [PATCH 4/5] use random password in test

---
 tests/pr_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/pr_test.go b/tests/pr_test.go
index 2438d02e..474972b7 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -184,7 +184,7 @@ func TestRunSecurityEnforcedUpgradeSolutionSchematics(t *testing.T) {
 {Name: "service_credential_secrets", Value: serviceCredentialSecrets, DataType: "list(object)"},
 {Name: "service_credential_names", Value: string(serviceCredentialNamesJSON), DataType: "map(string)"},
 {Name: "admin_pass_secrets_manager_secret_name", Value: options.Prefix, DataType: "string"},
- {Name: "admin_pass", Value: options.Prefix, DataType: "string"},
+ {Name: "admin_pass", Value: GetRandomAdminPassword(t), DataType: "string"},
 {Name: "admin_pass_secrets_manager_secret_group", Value: fmt.Sprintf("es-%s-admin-secrets", options.Prefix), DataType: "string"},
 }

From f942883bd854aa818eef92cdd26d1447ac6e11bc Mon Sep 17 00:00:00 2001
From: Vipin Kumar
Date: Sun, 12 Oct 2025 16:02:58 +0530
Subject: [PATCH 5/5] SKIP UPGRADE TEST