diff --git a/solutions/standard/DA-types.md b/solutions/standard/DA-types.md
index c29d65c5..1854d61d 100644
--- a/solutions/standard/DA-types.md
+++ b/solutions/standard/DA-types.md
@@ -56,7 +56,7 @@ In the configuration, specify the secret group name, whether it already exists o
 #### Options for service_credentials
 - `secret_name`: (required): A unique human-readable name of the secret to create.
-- `service_credentials_source_service_role`: (required): The role to give the service credential in the Databases for MySQL service. Acceptable values are `Writer`, `Reader`, `Manager`, and `None`
+- `service_credentials_source_service_role_crn`: (required): The CRN of the role to give the service credential in the IBM Cloud Database service. Service credentials role CRNs can be found at https://cloud.ibm.com/iam/roles, select the IBM Cloud Database and select the role.
 - `secret_labels`: (optional, default = `[]`): Labels of the secret to create. Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (|).
 - `secret_auto_rotation`: (optional, default = `true`): Whether to configure automatic rotation of service credential.
 - `secret_auto_rotation_unit`: (optional, default = `day`): Specifies the unit of time for rotation of a secret. Acceptable values are `day` or `month`.
@@ -70,11 +70,11 @@ The following example includes all the configuration options for four service cr
 {
 "secret_group_name": "sg-1"
 "existing_secret_group": true
- "service_credentials": [ # pragma: allowlist secret
+ "service_credentials": [ # pragma: allowlist secret
 {
 "secret_name": "cred-1"
- "service_credentials_source_service_role": "Writer"
- "secret_labels": ["test-writer-1", "test-writer-2"]
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor"
+ "secret_labels": ["test-editor-1", "test-editor-2"]
 "secret_auto_rotation": true
 "secret_auto_rotation_unit": "day"
 "secret_auto_rotation_interval": 89
@@ -83,20 +83,16 @@ The following example includes all the configuration options for four service cr
 },
 {
 "secret_name": "cred-2"
- "service_credentials_source_service_role": "Reader"
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer"
 }
 ]
 },
 {
 "secret_group_name": "sg-2"
- "service_credentials": [ # pragma: allowlist secret
+ "service_credentials": [ # pragma: allowlist secret
 {
 "secret_name": "cred-3"
- "service_credentials_source_service_role": "Editor"
- },
- {
- "secret_name": "cred-4"
- "service_credentials_source_service_role": "None"
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer"
 }
 ]
 }
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index dd9934ea..0d832273 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
@@ -298,16 +298,16 @@ locals {
 existing_secret_group = service_credentials.existing_secret_group
 secrets = [
 for secret in service_credentials.service_credentials : {
- secret_name = secret.secret_name
- secret_labels = secret.secret_labels
- secret_auto_rotation = secret.secret_auto_rotation
- secret_auto_rotation_unit = secret.secret_auto_rotation_unit
- secret_auto_rotation_interval = secret.secret_auto_rotation_interval
- service_credentials_ttl = secret.service_credentials_ttl
- service_credential_secret_description = secret.service_credential_secret_description
- service_credentials_source_service_role = secret.service_credentials_source_service_role
- service_credentials_source_service_crn = module.mysql.crn
- secret_type = "service_credentials" #checkov:skip=CKV_SECRET_6
+ secret_name = secret.secret_name
+ secret_labels = secret.secret_labels
+ secret_auto_rotation = secret.secret_auto_rotation
+ secret_auto_rotation_unit = secret.secret_auto_rotation_unit
+ secret_auto_rotation_interval = secret.secret_auto_rotation_interval
+ service_credentials_ttl = secret.service_credentials_ttl
+ service_credential_secret_description = secret.service_credential_secret_description
+ service_credentials_source_service_role_crn = secret.service_credentials_source_service_role_crn
+ service_credentials_source_service_crn = module.mysql.crn
+ secret_type = "service_credentials" #checkov:skip=CKV_SECRET_6
 }
 ]
 }
@@ -325,7 +325,7 @@ module "secrets_manager_service_credentials" {
 count = length(local.service_credential_secrets) > 0 ? 1 : 0
 depends_on = [time_sleep.wait_for_mysql_authorization_policy]
 source = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
- version = "1.19.10"
+ version = "1.22.0"
 existing_sm_instance_guid = local.existing_secrets_manager_instance_guid
 existing_sm_instance_region = local.existing_secrets_manager_instance_region
 endpoint_type = var.existing_secrets_manager_endpoint_type
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index 8c42c7e3..22dd6175 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -263,14 +263,14 @@ variable "service_credential_secrets" {
 secret_group_description = optional(string)
 existing_secret_group = optional(bool)
 service_credentials = list(object({
- secret_name = string
- service_credentials_source_service_role = string
- secret_labels = optional(list(string))
- secret_auto_rotation = optional(bool)
- secret_auto_rotation_unit = optional(string)
- secret_auto_rotation_interval = optional(number)
- service_credentials_ttl = optional(string)
- service_credential_secret_description = optional(string)
+ secret_name = string
+ service_credentials_source_service_role_crn = string
+ secret_labels = optional(list(string))
+ secret_auto_rotation = optional(bool)
+ secret_auto_rotation_unit = optional(string)
+ secret_auto_rotation_interval = optional(number)
+ service_credentials_ttl = optional(string)
+ service_credential_secret_description = optional(string)
 }))
 }))
@@ -278,15 +278,14 @@ variable "service_credential_secrets" {
 description = "Service credential secrets configuration for Databases for MySQL. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-mysql/tree/main/solutions/standard/DA-types.md#service-credential-secrets)."
 validation {
+ # Service roles CRNs can be found at https://cloud.ibm.com/iam/roles, select the IBM Cloud Database and select the role
 condition = alltrue([
 for group in var.service_credential_secrets : alltrue([
- for credential in group.service_credentials : contains(
- ["Writer", "Reader", "Manager", "None"], credential.service_credentials_source_service_role
- )
+ # crn:v?:bluemix; two non-empty segments; three possibly empty segments; :serviceRole or role: non-empty segment
+ for credential in group.service_credentials : can(regex("^crn:v[0-9]:bluemix(:..*){2}(:.*){3}:(serviceRole|role):..*$", credential.service_credentials_source_service_role_crn))
 ])
 ])
- error_message = "service_credentials_source_service_role role must be one of 'Writer', 'Reader', 'Manager', and 'None'."
-
+ error_message = "service_credentials_source_service_role_crn must be a serviceRole CRN. See https://cloud.ibm.com/iam/roles"
 }
 }
diff --git a/tests/pr_test.go b/tests/pr_test.go
index a2989119..b9cd9da0 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -134,11 +134,11 @@ func TestRunStandardSolutionSchematics(t *testing.T) {
 "service_credentials": []map[string]string{
 {
 "secret_name": fmt.Sprintf("%s-cred-reader", options.Prefix),
- "service_credentials_source_service_role": "Reader",
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer",
 },
 {
 "secret_name": fmt.Sprintf("%s-cred-writer", options.Prefix),
- "service_credentials_source_service_role": "Writer",
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor",
 },
 },
 },
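Review bot: The new `error_message` tells the user the value "must be a serviceRole CRN", but the regex next to it also accepts the `role:` form, and every example in DA-types.md and in pr_test.go uses `crn:v1:bluemix:public:iam::::role:...`, so someone who trips the validation is pointed at a form the examples never use. Either narrow the alternation to the form the credential is meant to carry, or make the message match the check, e.g. `error_message = "service_credentials_source_service_role_crn must be an IAM role CRN ending in :role:<name> or :serviceRole:<name>. See https://cloud.ibm.com/iam/roles"`. The segment groups are also built from `.`, which matches `:` itself, so `(:..*){2}(:.*){3}` does not actually count segments as the comment above it says; `^crn:v[0-9]:bluemix(:[^:]+){2}(:[^:]*){3}:(serviceRole|role):[^:]+$` matches the documented examples and enforces the described shape. Note that the removed `contains([...])` check bounded the role to an enumerated set, whereas the new pattern accepts any role name, so the privilege a generated credential carries is now limited only by the caller's input; that is worth stating in the variable description. The enclosing `variable "service_credential_secrets"` block begins outside this hunk.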
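Review bot: The two secrets keep the names `%s-cred-reader` and `%s-cred-writer`, but the roles they now request are `Viewer` and `Editor`, so the names no longer describe what the test provisions and a failure message will read oddly. If the Reader/Writer roles were the intended equivalents, the `serviceRole:` form of the CRN that the variables.tf regex also accepts would preserve that meaning; otherwise rename the secrets to `%s-cred-viewer` and `%s-cred-editor` to match. The enclosing TestRunStandardSolutionSchematics literal starts and ends outside the hunk.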