fix: fix issue that was causing secrets manager managed service credential re-creation<br><br>NOTE: When upgrading from previous version, you will see the following destroy and re-create, however there is no impact to any deployed infrastructure: (#646)

vkuma17 · web-flow · commit 9895e5afdd6e · 2025-10-13T10:34:28.000+01:00
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
@@ -348,6 +348,10 @@ resource "time_sleep" "wait_for_mongodb_authorization_policy" {
   count           = local.create_secrets_manager_auth_policy
   depends_on      = [ibm_iam_authorization_policy.secrets_manager_key_manager]
   create_duration = "30s"
+  triggers = {
+    secrets_manager_region = local.existing_secrets_manager_instance_region
+    secrets_manager_guid   = local.existing_secrets_manager_instance_guid
+  }
 }
 
 locals {
@@ -393,12 +397,12 @@ locals {
 }
 
 module "secrets_manager_service_credentials" {
-  count                       = length(local.service_credential_secrets) > 0 ? 1 : 0
-  depends_on                  = [time_sleep.wait_for_mongodb_authorization_policy]
-  source                      = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
-  version                     = "2.10.2"
-  existing_sm_instance_guid   = local.existing_secrets_manager_instance_guid
-  existing_sm_instance_region = local.existing_secrets_manager_instance_region
+  count   = length(local.service_credential_secrets) > 0 ? 1 : 0
+  source  = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
+  version = "2.10.2"
+  # converted into implicit dependency and removed explicit depends_on time_sleep.wait_for_mongodb_authorization_policy for this module because of issue https://github.com/terraform-ibm-modules/terraform-ibm-icd-redis/issues/608
+  existing_sm_instance_guid   = local.create_secrets_manager_auth_policy > 0 ? time_sleep.wait_for_mongodb_authorization_policy[0].triggers["secrets_manager_guid"] : local.existing_secrets_manager_instance_guid
+  existing_sm_instance_region = local.create_secrets_manager_auth_policy > 0 ? time_sleep.wait_for_mongodb_authorization_policy[0].triggers["secrets_manager_region"] : local.existing_secrets_manager_instance_region
   endpoint_type               = var.existing_secrets_manager_endpoint_type
   secrets                     = local.secrets
 }
diff --git a/tests/pr_test.go b/tests/pr_test.go
@@ -2,6 +2,7 @@
 package test
 
 import (
+	"encoding/json"
 	"fmt"
 	"log"
 	"math/rand"
@@ -136,15 +137,47 @@ func TestRunSecurityEnforcedUpgradeSolutionSchematics(t *testing.T) {
 		CheckApplyResultForUpgrade: true,
 	})
 
+	serviceCredentialSecrets := []map[string]any{
+		{
+			"secret_group_name": fmt.Sprintf("%s-secret-group", options.Prefix),
+			"service_credentials": []map[string]string{
+				{
+					"secret_name": fmt.Sprintf("%s-cred-reader", options.Prefix),
+					"service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer",
+				},
+				{
+					"secret_name": fmt.Sprintf("%s-cred-writer", options.Prefix),
+					"service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor",
+				},
+			},
+		},
+	}
+
+	serviceCredentialNames := map[string]string{
+		"admin": "Administrator",
+		"user1": "Viewer",
+		"user2": "Editor",
+	}
+
+	serviceCredentialNamesJSON, err := json.Marshal(serviceCredentialNames)
+	if err != nil {
+		log.Fatalf("Error converting to JSON: %s", err)
+	}
+
 	options.TerraformVars = []testschematic.TestSchematicTerraformVar{
 		{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
 		{Name: "prefix", Value: options.Prefix, DataType: "string"},
 		{Name: "deletion_protection", Value: false, DataType: "bool"},
 		{Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"},
 		{Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
+		{Name: "existing_secrets_manager_instance_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"},
+		{Name: "service_credential_secrets", Value: serviceCredentialSecrets, DataType: "list(object)"},
+		{Name: "service_credential_names", Value: string(serviceCredentialNamesJSON), DataType: "map(string)"},
+		{Name: "admin_pass_secrets_manager_secret_name", Value: options.Prefix, DataType: "string"},
+		{Name: "admin_pass_secrets_manager_secret_group", Value: fmt.Sprintf("mongodb-%s-admin-secrets", options.Prefix), DataType: "string"},
 	}
 
-	err := options.RunSchematicUpgradeTest()
+	err = options.RunSchematicUpgradeTest()
 	assert.Nil(t, err, "This should not have errored")
 }
 
