Merge branch 'main' into jor2-patch-1

Author: ocofaigh

ibm_catalog.json

@@ -287,6 +287,9 @@
               },
               {
                 "key": "backup_crn"
+              },
+              {
+                "key": "remote_leader_crn"
               }
             ]
           }

main.tf

@@ -33,30 +33,35 @@ locals {
 # Parse info from KMS key CRNs
 ########################################################################################################################
 
+locals {
+  parse_kms_key        = !var.use_ibm_owned_encryption_key
+  parse_backup_kms_key = !var.use_ibm_owned_encryption_key && !var.use_default_backup_encryption_key
+}
+
 module "kms_key_crn_parser" {
-  count   = var.use_ibm_owned_encryption_key ? 0 : 1
+  count   = local.parse_kms_key ? 1 : 0
   source  = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
   version = "1.1.0"
   crn     = var.kms_key_crn
 }
 
 module "backup_key_crn_parser" {
-  count   = var.use_ibm_owned_encryption_key ? 0 : 1
+  count   = local.parse_backup_kms_key ? 1 : 0
   source  = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
   version = "1.1.0"
   crn     = local.backup_encryption_key_crn
 }
 
 # Put parsed values into locals
 locals {
-  kms_service                  = !var.use_ibm_owned_encryption_key ? module.kms_key_crn_parser[0].service_name : null
-  kms_account_id               = !var.use_ibm_owned_encryption_key ? module.kms_key_crn_parser[0].account_id : null
-  kms_key_id                   = !var.use_ibm_owned_encryption_key ? module.kms_key_crn_parser[0].resource : null
-  kms_key_instance_guid        = !var.use_ibm_owned_encryption_key ? module.kms_key_crn_parser[0].service_instance : null
-  backup_kms_service           = !var.use_ibm_owned_encryption_key ? module.backup_key_crn_parser[0].service_name : null
-  backup_kms_account_id        = !var.use_ibm_owned_encryption_key ? module.backup_key_crn_parser[0].account_id : null
-  backup_kms_key_id            = !var.use_ibm_owned_encryption_key ? module.backup_key_crn_parser[0].resource : null
-  backup_kms_key_instance_guid = !var.use_ibm_owned_encryption_key ? module.backup_key_crn_parser[0].service_instance : null
+  kms_service                  = local.parse_kms_key ? module.kms_key_crn_parser[0].service_name : null
+  kms_account_id               = local.parse_kms_key ? module.kms_key_crn_parser[0].account_id : null
+  kms_key_id                   = local.parse_kms_key ? module.kms_key_crn_parser[0].resource : null
+  kms_key_instance_guid        = local.parse_kms_key ? module.kms_key_crn_parser[0].service_instance : null
+  backup_kms_service           = local.parse_backup_kms_key ? module.backup_key_crn_parser[0].service_name : null
+  backup_kms_account_id        = local.parse_backup_kms_key ? module.backup_key_crn_parser[0].account_id : null
+  backup_kms_key_id            = local.parse_backup_kms_key ? module.backup_key_crn_parser[0].resource : null
+  backup_kms_key_instance_guid = local.parse_backup_kms_key ? module.backup_key_crn_parser[0].service_instance : null
 }
 
 ########################################################################################################################

modules/fscloud/README.md

@@ -45,6 +45,7 @@ No resources.
 | <a name="input_members"></a> [members](#input\_members) | Allocated number of members. Members can be scaled up but not down. | `number` | `3` | no |
 | <a name="input_mysql_version"></a> [mysql\_version](#input\_mysql\_version) | Version of the MySQL instance. If no value is passed, the current preferred version of IBM Cloud Databases is used. | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region where you want to deploy your instance. Must be the same region as the Hyper Protect Crypto Services instance. | `string` | `"us-south"` | no |
+| <a name="input_remote_leader_crn"></a> [remote\_leader\_crn](#input\_remote\_leader\_crn) | A CRN of the leader database to make the replica(read-only) deployment. The leader database is created by a database deployment with the same service ID. A read-only replica is set up to replicate all of your data from the leader deployment to the replica deployment by using asynchronous replication. For more information, see https://cloud.ibm.com/docs/databases-for-mysql?topic=databases-for-mysql-read-replicas | `string` | `null` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the MySQL instance will be created. | `string` | n/a | yes |
 | <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | Optional list of tags to be added to the MySQL instance. | `list(string)` | `[]` | no |
 | <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | Map of name, role for service credentials that you want to create for the database | `map(string)` | `{}` | no |

modules/fscloud/main.tf

@@ -24,4 +24,5 @@ module "mysql_db" {
   users                             = var.users
   service_credential_names          = var.service_credential_names
   auto_scaling                      = var.auto_scaling
+  remote_leader_crn                 = var.remote_leader_crn
 }

modules/fscloud/variables.tf

@@ -24,6 +24,12 @@ variable "region" {
   default     = "us-south"
 }
 
+variable "remote_leader_crn" {
+  type        = string
+  description = "A CRN of the leader database to make the replica(read-only) deployment. The leader database is created by a database deployment with the same service ID. A read-only replica is set up to replicate all of your data from the leader deployment to the replica deployment by using asynchronous replication. For more information, see https://cloud.ibm.com/docs/databases-for-mysql?topic=databases-for-mysql-read-replicas"
+  default     = null
+}
+
 ##############################################################################
 # ICD hosting model properties
 ##############################################################################

solutions/standard/DA-types.md

@@ -56,7 +56,7 @@ In the configuration, specify the secret group name, whether it already exists o
 #### Options for service_credentials
 
 - `secret_name`: (required): A unique human-readable name of the secret to create.
-- `service_credentials_source_service_role`: (required): The role to give the service credential in the Databases for MySQL service. Acceptable values are `Writer`, `Reader`, `Manager`, and `None`
+- `service_credentials_source_service_role_crn`: (required): The CRN of the role to give the service credential in the IBM Cloud Database service. Service credentials role CRNs can be found at https://cloud.ibm.com/iam/roles, select the IBM Cloud Database and select the role.
 - `secret_labels`: (optional, default = `[]`): Labels of the secret to create. Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (|).
 - `secret_auto_rotation`: (optional, default = `true`): Whether to configure automatic rotation of service credential.
 - `secret_auto_rotation_unit`: (optional, default = `day`): Specifies the unit of time for rotation of a secret. Acceptable values are `day` or `month`.
@@ -70,11 +70,11 @@ The following example includes all the configuration options for four service cr
   {
     "secret_group_name": "sg-1"
     "existing_secret_group": true
-    "service_credentials": [                                          # pragma: allowlist secret
+    "service_credentials": [                                              # pragma: allowlist secret
       {
         "secret_name": "cred-1"
-        "service_credentials_source_service_role":  "Writer"
-        "secret_labels": ["test-writer-1", "test-writer-2"]
+        "service_credentials_source_service_role_crn":  "crn:v1:bluemix:public:iam::::role:Editor"
+        "secret_labels": ["test-editor-1", "test-editor-2"]
         "secret_auto_rotation": true
         "secret_auto_rotation_unit": "day"
         "secret_auto_rotation_interval": 89
@@ -83,20 +83,16 @@ The following example includes all the configuration options for four service cr
       },
       {
         "secret_name": "cred-2"
-        "service_credentials_source_service_role": "Reader"
+        "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer"
       }
     ]
   },
   {
     "secret_group_name": "sg-2"
-    "service_credentials": [                                          # pragma: allowlist secret
+    "service_credentials": [                                              # pragma: allowlist secret
       {
         "secret_name": "cred-3"
-        "service_credentials_source_service_role": "Editor"
-      },
-      {
-        "secret_name": "cred-4"
-        "service_credentials_source_service_role": "None"
+        "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer"
       }
     ]
   }

solutions/standard/main.tf

@@ -266,6 +266,7 @@ module "mysql" {
   auto_scaling                      = var.auto_scaling
   service_credential_names          = var.service_credential_names
   backup_crn                        = var.backup_crn
+  remote_leader_crn                 = var.remote_leader_crn
 }
 
 locals {
@@ -298,16 +299,16 @@ locals {
       existing_secret_group    = service_credentials.existing_secret_group
       secrets = [
         for secret in service_credentials.service_credentials : {
-          secret_name                             = secret.secret_name
-          secret_labels                           = secret.secret_labels
-          secret_auto_rotation                    = secret.secret_auto_rotation
-          secret_auto_rotation_unit               = secret.secret_auto_rotation_unit
-          secret_auto_rotation_interval           = secret.secret_auto_rotation_interval
-          service_credentials_ttl                 = secret.service_credentials_ttl
-          service_credential_secret_description   = secret.service_credential_secret_description
-          service_credentials_source_service_role = secret.service_credentials_source_service_role
-          service_credentials_source_service_crn  = module.mysql.crn
-          secret_type                             = "service_credentials" #checkov:skip=CKV_SECRET_6
+          secret_name                                 = secret.secret_name
+          secret_labels                               = secret.secret_labels
+          secret_auto_rotation                        = secret.secret_auto_rotation
+          secret_auto_rotation_unit                   = secret.secret_auto_rotation_unit
+          secret_auto_rotation_interval               = secret.secret_auto_rotation_interval
+          service_credentials_ttl                     = secret.service_credentials_ttl
+          service_credential_secret_description       = secret.service_credential_secret_description
+          service_credentials_source_service_role_crn = secret.service_credentials_source_service_role_crn
+          service_credentials_source_service_crn      = module.mysql.crn
+          secret_type                                 = "service_credentials" #checkov:skip=CKV_SECRET_6
         }
       ]
     }
@@ -325,7 +326,7 @@ module "secrets_manager_service_credentials" {
   count                       = length(local.service_credential_secrets) > 0 ? 1 : 0
   depends_on                  = [time_sleep.wait_for_mysql_authorization_policy]
   source                      = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
-  version                     = "1.19.10"
+  version                     = "1.22.0"
   existing_sm_instance_guid   = local.existing_secrets_manager_instance_guid
   existing_sm_instance_region = local.existing_secrets_manager_instance_region
   endpoint_type               = var.existing_secrets_manager_endpoint_type

solutions/standard/variables.tf

@@ -36,6 +36,12 @@ variable "region" {
   default     = "us-south"
 }
 
+variable "remote_leader_crn" {
+  type        = string
+  description = "A CRN of the leader database to make the replica(read-only) deployment. The leader database is created by a database deployment with the same service ID. A read-only replica is set up to replicate all of your data from the leader deployment to the replica deployment by using asynchronous replication. [Learn more](https://cloud.ibm.com/docs/databases-for-mysql?topic=databases-for-mysql-read-replicas)"
+  default     = null
+}
+
 variable "mysql_version" {
   description = "The version of the Databases for MySQL instance. If no value is specified, the current preferred version of Databases for MySQL is used."
   type        = string
@@ -263,30 +269,29 @@ variable "service_credential_secrets" {
     secret_group_description = optional(string)
     existing_secret_group    = optional(bool)
     service_credentials = list(object({
-      secret_name                             = string
-      service_credentials_source_service_role = string
-      secret_labels                           = optional(list(string))
-      secret_auto_rotation                    = optional(bool)
-      secret_auto_rotation_unit               = optional(string)
-      secret_auto_rotation_interval           = optional(number)
-      service_credentials_ttl                 = optional(string)
-      service_credential_secret_description   = optional(string)
+      secret_name                                 = string
+      service_credentials_source_service_role_crn = string
+      secret_labels                               = optional(list(string))
+      secret_auto_rotation                        = optional(bool)
+      secret_auto_rotation_unit                   = optional(string)
+      secret_auto_rotation_interval               = optional(number)
+      service_credentials_ttl                     = optional(string)
+      service_credential_secret_description       = optional(string)
 
     }))
   }))
   default     = []
   description = "Service credential secrets configuration for Databases for MySQL. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mysql/tree/main/solutions/standard/DA-types.md#service-credential-secrets)."
 
   validation {
+    # Service roles CRNs can be found at https://cloud.ibm.com/iam/roles, select the IBM Cloud Database and select the role
     condition = alltrue([
       for group in var.service_credential_secrets : alltrue([
-        for credential in group.service_credentials : contains(
-          ["Writer", "Reader", "Manager", "None"], credential.service_credentials_source_service_role
-        )
+        # crn:v?:bluemix; two non-empty segments; three possibly empty segments; :serviceRole or role: non-empty segment
+        for credential in group.service_credentials : can(regex("^crn:v[0-9]:bluemix(:..*){2}(:.*){3}:(serviceRole|role):..*$", credential.service_credentials_source_service_role_crn))
       ])
     ])
-    error_message = "service_credentials_source_service_role role must be one of 'Writer', 'Reader', 'Manager', and 'None'."
-
+    error_message = "service_credentials_source_service_role_crn must be a serviceRole CRN. See https://cloud.ibm.com/iam/roles"
   }
 }
 

tests/pr_test.go

@@ -134,11 +134,11 @@ func TestRunStandardSolutionSchematics(t *testing.T) {
 			"service_credentials": []map[string]string{
 				{
 					"secret_name": fmt.Sprintf("%s-cred-reader", options.Prefix),
-					"service_credentials_source_service_role": "Reader",
+					"service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer",
 				},
 				{
 					"secret_name": fmt.Sprintf("%s-cred-writer", options.Prefix),
-					"service_credentials_source_service_role": "Writer",
+					"service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor",
 				},
 			},
 		},