terraform-ibm-modules · ocofaigh · May 7, 2025 · Apr 29, 2025 · May 1, 2025 · May 1, 2025
@@ -3,8 +3,8 @@
 ##############################################################################
 
 locals {
-  secret_manager_guid   = var.existing_secret_manager_instance_guid == null ? module.secrets_manager[0].secrets_manager_guid : var.existing_secret_manager_instance_guid
-  secret_manager_region = var.existing_secret_manager_instance_region == null ? var.region : var.existing_secret_manager_instance_region
+  secrets_manager_guid   = var.existing_secrets_manager_instance_guid == null ? module.secrets_manager[0].secrets_manager_guid : var.existing_secrets_manager_instance_guid
+  secrets_manager_region = var.existing_secrets_manager_instance_region == null ? var.region : var.existing_secrets_manager_instance_region
   service_credential_names = {
     "es_admin" : "Administrator",
     "es_operator" : "Operator",
@@ -131,7 +131,7 @@ module "icd_mongodb" {
 
 # Create Secrets Manager Instance (if not using existing one)
 module "secrets_manager" {
-  count                = var.existing_secret_manager_instance_guid == null ? 1 : 0
+  count                = var.existing_secrets_manager_instance_guid == null ? 1 : 0
   source               = "terraform-ibm-modules/secrets-manager/ibm"
   version              = "2.2.1"
   resource_group_id    = module.resource_group.resource_group_id
@@ -146,8 +146,8 @@ module "secrets_manager" {
 module "secrets_manager_secrets_group" {
   source               = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
   version              = "1.3.3"
-  region               = local.secret_manager_region
-  secrets_manager_guid = local.secret_manager_guid
+  region               = local.secrets_manager_region
+  secrets_manager_guid = local.secrets_manager_guid
   #tfsec:ignore:general-secrets-no-plaintext-exposure
   secret_group_name        = "${var.prefix}-es-secrets"
   secret_group_description = "service secret-group" #tfsec:ignore:general-secrets-no-plaintext-exposure
@@ -158,8 +158,8 @@ module "secrets_manager_service_credentials_user_pass" {
   source                  = "terraform-ibm-modules/secrets-manager-secret/ibm"
   version                 = "1.7.0"
   for_each                = local.service_credential_names
-  region                  = local.secret_manager_region
-  secrets_manager_guid    = local.secret_manager_guid
+  region                  = local.secrets_manager_region
+  secrets_manager_guid    = local.secrets_manager_guid
   secret_group_id         = module.secrets_manager_secrets_group.secret_group_id
   secret_name             = "${var.prefix}-${each.key}-credentials"
   secret_description      = "MongoDB Service Credentials for ${each.key}"
@@ -172,8 +172,8 @@ module "secrets_manager_service_credentials_user_pass" {
 module "secrets_manager_service_credentials_cert" {
   source                    = "terraform-ibm-modules/secrets-manager-secret/ibm"
   version                   = "1.7.0"
-  region                    = local.secret_manager_region
-  secrets_manager_guid      = local.secret_manager_guid
+  region                    = local.secrets_manager_region
+  secrets_manager_guid      = local.secrets_manager_guid
   secret_group_id           = module.secrets_manager_secrets_group.secret_group_id
   secret_name               = "${var.prefix}-es-cert"
   secret_description        = "MongoDB Service Credential Certificate"

@@ -47,15 +47,15 @@ variable "plan" {
   default     = "enterprise"
 }
 
-variable "existing_secret_manager_instance_guid" {
+variable "existing_secrets_manager_instance_guid" {
   type        = string
   description = "Existing Secrets Manager GUID. If not provided an new instance will be provisioned"
   default     = null
 }
 
-variable "existing_secret_manager_instance_region" {
+variable "existing_secrets_manager_instance_region" {
   type        = string
-  description = "Required if value is passed into var.existing_secret_manager_instance_guid"
+  description = "Required if value is passed into var.existing_secrets_manager_instance_guid"
   default     = null
 }
 

@@ -226,16 +226,16 @@
               "key": "admin_pass"
             },
             {
-              "key": "admin_pass_secret_manager_secret_group"
+              "key": "admin_pass_secrets_manager_secret_group"
             },
             {
-              "key": "admin_pass_secret_manager_secret_name"
+              "key": "admin_pass_secrets_manager_secret_name"
             },
             {
               "key": "existing_mongodb_instance_crn"
             },
             {
-              "key": "use_existing_admin_pass_secret_manager_secret_group"
+              "key": "use_existing_admin_pass_secrets_manager_secret_group"
             },
             {
               "key": "users"
@@ -292,7 +292,7 @@
               "key": "service_credential_secrets"
             },
             {
-              "key": "skip_mongodb_secret_manager_auth_policy"
+              "key": "skip_mongodb_secrets_manager_auth_policy"
             }
           ]
         }

@@ -315,11 +315,19 @@ locals {
 #######################################################################################################################
 
 locals {
-  create_secret_manager_auth_policy = var.skip_mongodb_secret_manager_auth_policy || var.existing_secrets_manager_instance_crn == null ? 0 : 1
+  ## Variable validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
+  # tflint-ignore: terraform_unused_declarations
+  validate_secrets_manager_crn = length(local.service_credential_secrets) > 0 && var.existing_secrets_manager_instance_crn == null ? tobool("`existing_secrets_manager_instance_crn` is required when adding service credentials to a secrets manager secret.") : false
+  # tflint-ignore: terraform_unused_declarations
+  validate_secrets_manager_sg = var.existing_secrets_manager_instance_crn != null && var.admin_pass_secrets_manager_secret_group == null ? tobool("`admin_pass_secrets_manager_secret_group` is required when `existing_secrets_manager_instance_crn` is set.") : false
+  # tflint-ignore: terraform_unused_declarations
+  validate_secrets_manager_sn = var.existing_secrets_manager_instance_crn != null && var.admin_pass_secrets_manager_secret_name == null ? tobool("`admin_pass_secrets_manager_secret_name` is required when `existing_secrets_manager_instance_crn` is set.") : false
+
+  create_secrets_manager_auth_policy = var.skip_mongodb_secrets_manager_auth_policy || var.existing_secrets_manager_instance_crn == null ? 0 : 1
 }
 
 # Parse the Secrets Manager CRN
-module "secret_manager_instance_crn_parser" {
+module "secrets_manager_instance_crn_parser" {
   count   = var.existing_secrets_manager_instance_crn != null ? 1 : 0
   source  = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
   version = "1.1.0"
@@ -329,7 +337,7 @@ module "secret_manager_instance_crn_parser" {
 
 # create a service authorization between Secrets Manager and the target service (Databases for MongoDB)
 resource "ibm_iam_authorization_policy" "secrets_manager_key_manager" {
-  count                       = local.create_secret_manager_auth_policy
+  count                       = local.create_secrets_manager_auth_policy
   depends_on                  = [module.mongodb]
   source_service_name         = "secrets-manager"
   source_resource_instance_id = local.existing_secrets_manager_instance_guid
@@ -341,7 +349,7 @@ resource "ibm_iam_authorization_policy" "secrets_manager_key_manager" {
 
 # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
 resource "time_sleep" "wait_for_mongodb_authorization_policy" {
-  count           = local.create_secret_manager_auth_policy
+  count           = local.create_secrets_manager_auth_policy
   depends_on      = [ibm_iam_authorization_policy.secrets_manager_key_manager]
   create_duration = "30s"
 }
@@ -371,10 +379,10 @@ locals {
 
   # Build the structure of the arbitrary credential type secret for admin password
   admin_pass_secret = [{
-    secret_group_name     = (var.prefix != null && var.prefix != "") && var.admin_pass_secret_manager_secret_group != null ? "${var.prefix}-${var.admin_pass_secret_manager_secret_group}" : var.admin_pass_secret_manager_secret_group
-    existing_secret_group = var.use_existing_admin_pass_secret_manager_secret_group
+    secret_group_name     = (var.prefix != null && var.prefix != "") && var.admin_pass_secrets_manager_secret_group != null ? "${var.prefix}-${var.admin_pass_secrets_manager_secret_group}" : var.admin_pass_secrets_manager_secret_group
+    existing_secret_group = var.use_existing_admin_pass_secrets_manager_secret_group
     secrets = [{
-      secret_name             = (var.prefix != null && var.prefix != "") && var.admin_pass_secret_manager_secret_name != null ? "${var.prefix}-${var.admin_pass_secret_manager_secret_name}" : var.admin_pass_secret_manager_secret_name
+      secret_name             = (var.prefix != null && var.prefix != "") && var.admin_pass_secrets_manager_secret_name != null ? "${var.prefix}-${var.admin_pass_secrets_manager_secret_name}" : var.admin_pass_secrets_manager_secret_name
       secret_type             = "arbitrary"
       secret_payload_password = local.admin_pass
       }
@@ -384,8 +392,8 @@ locals {
   # Concatinate into 1 secrets object
   secrets = concat(local.service_credential_secrets, local.admin_pass_secret)
   # Parse Secrets Manager details from the CRN
-  existing_secrets_manager_instance_guid   = var.existing_secrets_manager_instance_crn != null ? module.secret_manager_instance_crn_parser[0].service_instance : null
-  existing_secrets_manager_instance_region = var.existing_secrets_manager_instance_crn != null ? module.secret_manager_instance_crn_parser[0].region : null
+  existing_secrets_manager_instance_guid   = var.existing_secrets_manager_instance_crn != null ? module.secrets_manager_instance_crn_parser[0].service_instance : null
+  existing_secrets_manager_instance_region = var.existing_secrets_manager_instance_crn != null ? module.secrets_manager_instance_crn_parser[0].region : null
 }
 
 module "secrets_manager_service_credentials" {

@@ -350,41 +350,41 @@ variable "service_credential_secrets" {
   }
 }
 
-variable "skip_mongodb_secret_manager_auth_policy" {
+variable "skip_mongodb_secrets_manager_auth_policy" {
   type        = bool
   description = "Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Databases for MongoDB. If set to false, the Secrets Manager instance passed by the user is granted the Key Manager access to the MongoDB instance created by the Deployable Architecture. Set to `true` to use an existing policy. The value of this is ignored if any value for 'existing_secrets_manager_instance_crn' is not passed."
   default     = false
 }
 
-variable "admin_pass_secret_manager_secret_group" {
+variable "admin_pass_secrets_manager_secret_group" {
   type        = string
   description = "The name of a new or existing secrets manager secret group for admin password. To use existing secret group, `use_existing_admin_pass_secrets_manager_secret_group` must be set to `true`. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
   default     = "mongodb-secrets"
 
   validation {
     condition = (
       var.existing_secrets_manager_instance_crn == null ||
-      var.admin_pass_secret_manager_secret_group != null
+      var.admin_pass_secrets_manager_secret_group != null
     )
-    error_message = "`admin_pass_secret_manager_secret_group` is required when `existing_secrets_manager_instance_crn` is set."
+    error_message = "`admin_pass_secrets_manager_secret_group` is required when `existing_secrets_manager_instance_crn` is set."
   }
 }
 
-variable "use_existing_admin_pass_secret_manager_secret_group" {
+variable "use_existing_admin_pass_secrets_manager_secret_group" {
   type        = bool
   description = "Whether to use an existing secrets manager secret group for admin password."
   default     = false
 }
 
-variable "admin_pass_secret_manager_secret_name" {
+variable "admin_pass_secrets_manager_secret_name" {
   type        = string
   description = "The name of a new mongodb administrator secret. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
   default     = "mongodb-admin-password"
   validation {
     condition = (
       var.existing_secrets_manager_instance_crn == null ||
-      var.admin_pass_secret_manager_secret_name != null
+      var.admin_pass_secrets_manager_secret_name != null
     )
-    error_message = "`admin_pass_secret_manager_secret_name` is required when `existing_secrets_manager_instance_crn` is set."
+    error_message = "`admin_pass_secrets_manager_secret_name` is required when `existing_secrets_manager_instance_crn` is set."
   }
 }
@@ -103,8 +103,8 @@ func TestRunStandardSolutionSchematics(t *testing.T) {
 		{Name: "service_credential_names", Value: "{\"admin_test\": \"Administrator\", \"editor_test\": \"Editor\"}", DataType: "map(string)"},
 		{Name: "existing_secrets_manager_instance_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"},
 		{Name: "service_credential_secrets", Value: serviceCredentialSecrets, DataType: "list(object)"},
-		{Name: "admin_pass_secret_manager_secret_group", Value: options.Prefix, DataType: "string"},
-		{Name: "admin_pass_secret_manager_secret_name", Value: options.Prefix, DataType: "string"},
+		{Name: "admin_pass_secrets_manager_secret_group", Value: options.Prefix, DataType: "string"},
+		{Name: "admin_pass_secrets_manager_secret_name", Value: options.Prefix, DataType: "string"},
 		{Name: "provider_visibility", Value: "private", DataType: "string"},
 		{Name: "prefix", Value: options.Prefix, DataType: "string"},
 	}