terraform-ibm-modules
diff --git a/‎README.md‎
Lines changed: 5 additions & 0 deletions b/‎README.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎examples/complete/main.tf‎
Lines changed: 2 additions & 0 deletions b/‎examples/complete/main.tf‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎examples/complete/outputs.tf‎
Lines changed: 10 additions & 0 deletions b/‎examples/complete/outputs.tf‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎examples/complete/variables.tf‎
Lines changed: 19 additions & 0 deletions b/‎examples/complete/variables.tf‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎main.tf‎
Lines changed: 19 additions & 0 deletions b/‎main.tf‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎module-metadata.json‎
Lines changed: 77 additions & 10 deletions b/‎module-metadata.json‎
Lines changed: 77 additions & 10 deletions
diff --git a/‎outputs.tf‎
Lines changed: 10 additions & 0 deletions b/‎outputs.tf‎
Lines changed: 10 additions & 0 deletions
@@ -62,11 +62,13 @@ You need the following permissions to run this module.
 | [ibm_database.mongodb](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database) | resource |
 | [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_resource_key.service_credentials](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) | resource |
+| [ibm_database_connection.database_connection](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/database_connection) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_admin_pass"></a> [admin\_pass](#input\_admin\_pass) | The password for the database administrator. If the admin password is null then the admin user ID cannot be accessed. More users can be specified in a user block. The admin password must be in the range of 10-32 characters. | `string` | `null` | no |
 | <a name="input_auto_scaling"></a> [auto\_scaling](#input\_auto\_scaling) | Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-autoscaling&interface=cli#autoscaling-considerations in the IBM Cloud Docs. | <pre>object({<br>    disk = object({<br>      capacity_enabled             = optional(bool, false)<br>      free_space_less_than_percent = optional(number, 10)<br>      io_above_percent             = optional(number, 90)<br>      io_enabled                   = optional(bool, false)<br>      io_over_period               = optional(string, "15m")<br>      rate_increase_percent        = optional(number, 10)<br>      rate_limit_mb_per_member     = optional(number, 3670016)<br>      rate_period_seconds          = optional(number, 900)<br>      rate_units                   = optional(string, "mb")<br>    })<br>    memory = object({<br>      io_above_percent         = optional(number, 90)<br>      io_enabled               = optional(bool, false)<br>      io_over_period           = optional(string, "15m")<br>      rate_increase_percent    = optional(number, 10)<br>      rate_limit_mb_per_member = optional(number, 114688)<br>      rate_period_seconds      = optional(number, 900)<br>      rate_units               = optional(string, "mb")<br>    })<br>  })</pre> | `null` | no |
 | <a name="input_backup_encryption_key_crn"></a> [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn) | The CRN of a Key Protect key that you want to use for encrypting the disk that holds deployment backups. Only used if var.kms\_encryption\_enabled is set to true. BYOK for backups is available only in US regions us-south and us-east, and in eu-de. Only keys in the us-south and eu-de are durable to region failures. To ensure that your backups are available even if a region failure occurs, use a key from us-south or eu-de. Hyper Protect Crypto Services for IBM Cloud Databases backups is not currently supported. If no value is passed here, the value passed for the 'kms\_key\_crn' variable is used. And if a HPCS value is passed for var.kms\_key\_crn, the database backup encryption uses the default encryption keys. | `string` | `null` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br>    description = string<br>    account_id  = string<br>    rule_contexts = list(object({<br>      attributes = optional(list(object({<br>        name  = string<br>        value = string<br>    }))) }))<br>    enforcement_mode = string<br>  }))</pre> | `[]` | no |
@@ -88,6 +90,7 @@ You need the following permissions to run this module.
 | <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | Map of name, role for service credentials that you want to create for the database | `map(string)` | `{}` | no |
 | <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all MongoDB database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing\_kms\_instance\_guid variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Optional list of tags to be added to the MongoDB instance and the associated service credentials (if creating). | `list(any)` | `[]` | no |
+| <a name="input_users"></a> [users](#input\_users) | A list of users that you want to create on the database. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service\_credential\_names) is sufficient to control access to the MongoDB instance. This blocks creates native MongoDB database users, more info on that can be found here https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-user-management&interface=ui | <pre>list(object({<br>    name     = string<br>    password = string # pragma: allowlist secret<br>    type     = string # "type" is required to generate the connection string for the outputs.<br>    role     = optional(string)<br>  }))</pre> | `[]` | no |
 
 ## Outputs
 
@@ -96,7 +99,9 @@ You need the following permissions to run this module.
 | <a name="output_cbr_rule_ids"></a> [cbr\_rule\_ids](#output\_cbr\_rule\_ids) | CBR rule ids created to restrict MongoDB |
 | <a name="output_crn"></a> [crn](#output\_crn) | MongoDB instance crn |
 | <a name="output_guid"></a> [guid](#output\_guid) | MongoDB instance guid |
+| <a name="output_hostname"></a> [hostname](#output\_hostname) | Database hostname. Only contains value when var.service\_credential\_names or var.users are set. |
 | <a name="output_id"></a> [id](#output\_id) | MongoDB instance ID |
+| <a name="output_port"></a> [port](#output\_port) | Database port. Only contains value when var.service\_credential\_names or var.users are set. |
 | <a name="output_service_credentials_json"></a> [service\_credentials\_json](#output\_service\_credentials\_json) | Service credentials json map |
 | <a name="output_service_credentials_object"></a> [service\_credentials\_object](#output\_service\_credentials\_object) | Service credentials object |
 | <a name="output_version"></a> [version](#output\_version) | MongoDB instance version |
 
@@ -72,6 +72,8 @@ module "mongodb" {
   mongodb_version            = var.mongodb_version
   instance_name              = "${var.prefix}-mongodb"
   kms_encryption_enabled     = true
+  admin_pass                 = var.admin_pass
+  users                      = var.users
   existing_kms_instance_guid = module.key_protect_all_inclusive.key_protect_guid
   region                     = var.region
   kms_key_crn                = module.key_protect_all_inclusive.keys["icd.${var.prefix}-mongodb"].crn
 
@@ -28,3 +28,13 @@ output "service_credentials_object" {
   value       = module.mongodb.service_credentials_object
   sensitive   = true
 }
+
+output "hostname" {
+  description = "Postgresql instance hostname"
+  value       = module.mongodb.hostname
+}
+
+output "port" {
+  description = "Postgresql instance port"
+  value       = module.mongodb.port
+}
@@ -44,3 +44,22 @@ variable "service_credential_names" {
     "mongodb_editor" : "Editor",
   }
 }
+
+variable "admin_pass" {
+  type        = string
+  default     = null
+  sensitive   = true
+  description = "The password for the database administrator. If the admin password is null then the admin user ID cannot be accessed. More users can be specified in a user block. The admin password must be in the range of 10-32 characters."
+}
+
+variable "users" {
+  type = list(object({
+    name     = string
+    password = string
+    type     = string
+    role     = optional(string)
+  }))
+  default     = []
+  sensitive   = true
+  description = "A list of users that you want to create on the database. Multiple blocks are allowed. The user password must be in the range of 10-32 characters."
+}
@@ -44,13 +44,24 @@ resource "ibm_database" "mongodb" {
   service                   = "databases-for-mongodb"
   version                   = var.mongodb_version
   resource_group_id         = var.resource_group_id
+  adminpassword             = var.admin_pass
   tags                      = var.tags
   service_endpoints         = var.endpoints
   plan_validation           = var.plan_validation
   configuration             = var.configuration != null ? jsonencode(var.configuration) : null
   key_protect_key           = var.kms_key_crn
   backup_encryption_key_crn = local.backup_encryption_key_crn
 
+  dynamic "users" {
+    for_each = nonsensitive(var.users != null ? var.users : [])
+    content {
+      name     = users.value.name
+      password = users.value.password
+      type     = users.value.type
+      role     = (users.value.role != "" ? users.value.role : null)
+    }
+  }
+
   group {
     group_id = "member"
     memory {
@@ -180,3 +191,11 @@ locals {
     }
   } : null
 }
+
+data "ibm_database_connection" "database_connection" {
+  count         = length(var.users) > 0 ? 1 : 0
+  endpoint_type = var.endpoints
+  deployment_id = ibm_database.mongodb.id
+  user_id       = var.users[0].name
+  user_type     = var.users[0].type
+}
@@ -1,13 +1,26 @@
 {
   "path": ".",
   "variables": {
+    "admin_pass": {
+      "name": "admin_pass",
+      "type": "string",
+      "description": "The password for the database administrator. If the admin password is null then the admin user ID cannot be accessed. More users can be specified in a user block. The admin password must be in the range of 10-32 characters.",
+      "sensitive": true,
+      "source": [
+        "ibm_database.mongodb.adminpassword"
+      ],
+      "pos": {
+        "filename": "variables.tf",
+        "line": 122
+      }
+    },
     "auto_scaling": {
       "name": "auto_scaling",
       "type": "object({\n    disk = object({\n      capacity_enabled             = optional(bool, false)\n      free_space_less_than_percent = optional(number, 10)\n      io_above_percent             = optional(number, 90)\n      io_enabled                   = optional(bool, false)\n      io_over_period               = optional(string, \"15m\")\n      rate_increase_percent        = optional(number, 10)\n      rate_limit_mb_per_member     = optional(number, 3670016)\n      rate_period_seconds          = optional(number, 900)\n      rate_units                   = optional(string, \"mb\")\n    })\n    memory = object({\n      io_above_percent         = optional(number, 90)\n      io_enabled               = optional(bool, false)\n      io_over_period           = optional(string, \"15m\")\n      rate_increase_percent    = optional(number, 10)\n      rate_limit_mb_per_member = optional(number, 114688)\n      rate_period_seconds      = optional(number, 900)\n      rate_units               = optional(string, \"mb\")\n    })\n  })",
       "description": "Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-autoscaling\u0026interface=cli#autoscaling-considerations in the IBM Cloud Docs.",
       "pos": {
         "filename": "variables.tf",
-        "line": 122
+        "line": 141
       }
     },
     "backup_encryption_key_crn": {
@@ -16,7 +29,7 @@
       "description": "The CRN of a Key Protect key that you want to use for encrypting the disk that holds deployment backups. Only used if var.kms_encryption_enabled is set to true. BYOK for backups is available only in US regions us-south and us-east, and in eu-de. Only keys in the us-south and eu-de are durable to region failures. To ensure that your backups are available even if a region failure occurs, use a key from us-south or eu-de. Hyper Protect Crypto Services for IBM Cloud Databases backups is not currently supported. If no value is passed here, the value passed for the 'kms_key_crn' variable is used. And if a HPCS value is passed for var.kms_key_crn, the database backup encryption uses the default encryption keys.",
       "pos": {
         "filename": "variables.tf",
-        "line": 173
+        "line": 192
       }
     },
     "cbr_rules": {
@@ -33,7 +46,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 199
+        "line": 218
       }
     },
     "configuration": {
@@ -73,7 +86,9 @@
       "type": "string",
       "description": "Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'.",
       "default": "private",
+      "required": true,
       "source": [
+        "data.ibm_database_connection.database_connection.endpoint_type",
         "ibm_database.mongodb.service_endpoints"
       ],
       "pos": {
@@ -91,7 +106,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 189
+        "line": 208
       },
       "immutable": true,
       "computed": true
@@ -119,7 +134,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 153
+        "line": 172
       }
     },
     "kms_key_crn": {
@@ -131,7 +146,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 159
+        "line": 178
       },
       "immutable": true
     },
@@ -253,7 +268,7 @@
       "default": false,
       "pos": {
         "filename": "variables.tf",
-        "line": 183
+        "line": 202
       }
     },
     "tags": {
@@ -269,6 +284,22 @@
         "filename": "variables.tf",
         "line": 66
       }
+    },
+    "users": {
+      "name": "users",
+      "type": "list(object({\n    name     = string\n    password = string # pragma: allowlist secret\n    type     = string # \"type\" is required to generate the connection string for the outputs.\n    role     = optional(string)\n  }))",
+      "description": "A list of users that you want to create on the database. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service_credential_names) is sufficient to control access to the MongoDB instance. This blocks creates native MongoDB database users, more info on that can be found here https://cloud.ibm.com/docs/databases-for-mongodb?topic=databases-for-mongodb-user-management\u0026interface=ui",
+      "default": [],
+      "sensitive": true,
+      "source": [
+        "data.ibm_database_connection.database_connection.count",
+        "data.ibm_database_connection.database_connection.user_id",
+        "data.ibm_database_connection.database_connection.user_type"
+      ],
+      "pos": {
+        "filename": "variables.tf",
+        "line": 129
+      }
     }
   },
   "outputs": {
@@ -300,6 +331,14 @@
       },
       "type": "TypeString"
     },
+    "hostname": {
+      "name": "hostname",
+      "description": "Database hostname. Only contains value when var.service_credential_names or var.users are set.",
+      "pos": {
+        "filename": "outputs.tf",
+        "line": 42
+      }
+    },
     "id": {
       "name": "id",
       "description": "MongoDB instance ID",
@@ -309,6 +348,14 @@
         "line": 5
       }
     },
+    "port": {
+      "name": "port",
+      "description": "Database port. Only contains value when var.service_credential_names or var.users are set.",
+      "pos": {
+        "filename": "outputs.tf",
+        "line": 47
+      }
+    },
     "service_credentials_json": {
       "name": "service_credentials_json",
       "description": "Service credentials json map",
@@ -357,6 +404,7 @@
       "type": "ibm_database",
       "name": "mongodb",
       "attributes": {
+        "adminpassword": "admin_pass",
         "configuration": "configuration",
         "key_protect_key": "kms_key_crn",
         "location": "region",
@@ -406,11 +454,30 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 155
+        "line": 166
+      }
+    }
+  },
+  "data_resources": {
+    "data.ibm_database_connection.database_connection": {
+      "mode": "data",
+      "type": "ibm_database_connection",
+      "name": "database_connection",
+      "attributes": {
+        "count": "users",
+        "endpoint_type": "endpoints",
+        "user_id": "users",
+        "user_type": "users"
+      },
+      "provider": {
+        "name": "ibm"
+      },
+      "pos": {
+        "filename": "main.tf",
+        "line": 195
       }
     }
   },
-  "data_resources": {},
   "module_calls": {
     "cbr_rule": {
       "name": "cbr_rule",
@@ -485,7 +552,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 116
+        "line": 127
       }
     }
   }
 
@@ -38,3 +38,13 @@ output "service_credentials_object" {
   value       = local.service_credentials_object
   sensitive   = true
 }
+
+output "hostname" {
+  description = "Database hostname. Only contains value when var.service_credential_names or var.users are set."
+  value       = length(var.service_credential_names) > 0 ? nonsensitive(ibm_resource_key.service_credentials[keys(var.service_credential_names)[0]].credentials["connection.mongodb.hosts.0.hostname"]) : length(var.users) > 0 ? nonsensitive(flatten(data.ibm_database_connection.database_connection[0].mongodb[0].hosts[0].hostname)) : null
+}
+
+output "port" {
+  description = "Database port. Only contains value when var.service_credential_names or var.users are set."
+  value       = length(var.service_credential_names) > 0 ? nonsensitive(ibm_resource_key.service_credentials[keys(var.service_credential_names)[0]].credentials["connection.mongodb.hosts.0.port"]) : length(var.users) > 0 ? nonsensitive(flatten(data.ibm_database_connection.database_connection[0].mongodb[0].hosts[0].port)) : null
+}