feat : Add support to specify endpoint of service credentials

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-02-19T14:44:49Z",
+  "generated_at": "2026-03-17T13:29:01Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -92,15 +92,15 @@
         "hashed_secret": "44cdfc3615970ada14420caaaa5c5745fca06002",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 124,
+        "line_number": 131,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "bd0d0d73a240c29656fb8ae0dfa5f863077788dc",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 129,
+        "line_number": 136,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -110,7 +110,7 @@
         "hashed_secret": "0b4fa8c4bcd22d61d35ced7462e18292e87ff633",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 384,
+        "line_number": 394,
         "type": "Base64 High Entropy String",
         "verified_result": null
       }

README.md

@@ -130,7 +130,7 @@ To attach access management tags to resources in this module, you need the follo
 | <a name="input_region"></a> [region](#input\_region) | The region where you want to deploy your instance. | `string` | `"us-south"` | no |
 | <a name="input_remote_leader_crn"></a> [remote\_leader\_crn](#input\_remote\_leader\_crn) | A CRN of the leader database to make the replica(read-only) deployment. The leader database is created by a database deployment with the same service ID. A read-only replica is set up to replicate all of your data from the leader deployment to the replica deployment by using asynchronous replication. For more information, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-read-only-replicas | `string` | `null` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the PostgreSQL instance will be created. | `string` | n/a | yes |
-| <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | Map of name, role for service credentials that you want to create for the database | `map(string)` | `{}` | no |
+| <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | List of service credentials to create for the database, including name and optionally role and endpoint type. | <pre>list(object({<br/>    name     = string<br/>    role     = optional(string, "Viewer")<br/>    endpoint = optional(string, "private")<br/>  }))</pre> | `[]` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'. | `string` | `"private"` | no |
 | <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of IAM authorization policies that permits all Databases for PostgreSQL instances in the given resource group 'Reader' access to the Key Protect or Hyper Protect Crypto Services key that was provided in the `kms_key_crn` and `backup_encryption_key_crn` inputs. This policy is required in order to enable KMS encryption, so only skip creation if there is one already present in your account. No policy is created if `use_ibm_owned_encryption_key` is true. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Optional list of tags to be added to the PostgreSQL instance. | `list(string)` | `[]` | no |

examples/basic/main.tf

@@ -28,12 +28,28 @@ module "database" {
   service_endpoints   = var.service_endpoints
   member_host_flavor  = var.member_host_flavor
   deletion_protection = false
-  service_credential_names = {
-    "postgresql_admin" : "Administrator",
-    "postgresql_operator" : "Operator",
-    "postgresql_viewer" : "Viewer",
-    "postgresql_editor" : "Editor",
-  }
+  service_credential_names = [
+    {
+      name     = "postgresql_admin"
+      role     = "Administrator"
+      endpoint = "public"
+    },
+    {
+      name     = "postgresql_operator"
+      role     = "Operator"
+      endpoint = "public"
+    },
+    {
+      name     = "postgresql_viewer"
+      role     = "Viewer"
+      endpoint = "public"
+    },
+    {
+      name     = "postgresql_editor"
+      role     = "Editor"
+      endpoint = "public"
+    }
+  ]
 }
 
 # On destroy, we are seeing that even though the replica has been returned as

examples/complete/main.tf

@@ -118,12 +118,28 @@ module "icd_postgresql" {
   kms_key_crn                  = module.key_protect_all_inclusive.keys["icd.${local.data_key_name}"].crn
   backup_encryption_key_crn    = module.key_protect_all_inclusive.keys["icd.${local.backups_key_name}"].crn
   tags                         = var.resource_tags
-  service_credential_names = {
-    "postgresql_admin" : "Administrator",
-    "postgresql_operator" : "Operator",
-    "postgresql_viewer" : "Viewer",
-    "postgresql_editor" : "Editor",
-  }
+  service_credential_names = [
+    {
+      name     = "postgresql_admin"
+      role     = "Administrator"
+      endpoint = "private"
+    },
+    {
+      name     = "postgresql_operator"
+      role     = "Operator"
+      endpoint = "private"
+    },
+    {
+      name     = "postgresql_viewer"
+      role     = "Viewer"
+      endpoint = "private"
+    },
+    {
+      name     = "postgresql_editor"
+      role     = "Editor"
+      endpoint = "private"
+    }
+  ]
   access_tags         = var.access_tags
   member_host_flavor  = "multitenant"
   deletion_protection = false

examples/fscloud/main.tf

@@ -66,12 +66,28 @@ module "postgresql_db" {
   backup_encryption_key_crn = var.backup_encryption_key_crn
   backup_crn                = var.backup_crn
   tags                      = var.resource_tags
-  service_credential_names = {
-    "postgresql_admin" : "Administrator",
-    "postgresql_operator" : "Operator",
-    "postgresql_viewer" : "Viewer",
-    "postgresql_editor" : "Editor",
-  }
+  service_credential_names = [
+    {
+      name     = "postgresql_admin"
+      role     = "Administrator"
+      endpoint = "private"
+    },
+    {
+      name     = "postgresql_operator"
+      role     = "Operator"
+      endpoint = "private"
+    },
+    {
+      name     = "postgresql_viewer"
+      role     = "Viewer"
+      endpoint = "private"
+    },
+    {
+      name     = "postgresql_editor"
+      role     = "Editor"
+      endpoint = "private"
+    }
+  ]
   access_tags         = var.access_tags
   deletion_protection = false
   auto_scaling = {

ibm_catalog.json

@@ -302,6 +302,7 @@
             },
             {
               "key": "service_credential_names",
+              "type": "array",
               "custom_config": {
                 "type": "code_editor",
                 "grouping": "deployment",
@@ -713,6 +714,7 @@
             },
             {
               "key": "service_credential_names",
+              "type": "array",
               "custom_config": {
                 "type": "code_editor",
                 "grouping": "deployment",

main.tf

@@ -378,10 +378,13 @@ module "cbr_rule" {
 ##############################################################################
 
 resource "ibm_resource_key" "service_credentials" {
-  for_each             = var.service_credential_names
+  for_each             = { for key in var.service_credential_names : key.name => key }
   name                 = each.key
-  role                 = each.value
+  role                 = each.value.role
   resource_instance_id = ibm_database.postgresql_db.id
+  parameters = {
+    service-endpoints = each.value.endpoint
+  }
 }
 
 locals {
@@ -392,9 +395,9 @@ locals {
   } : null
 
   service_credentials_object = length(var.service_credential_names) > 0 ? {
-    hostname    = ibm_resource_key.service_credentials[keys(var.service_credential_names)[0]].credentials["connection.postgres.hosts.0.hostname"]
-    certificate = ibm_resource_key.service_credentials[keys(var.service_credential_names)[0]].credentials["connection.postgres.certificate.certificate_base64"]
-    port        = ibm_resource_key.service_credentials[keys(var.service_credential_names)[0]].credentials["connection.postgres.hosts.0.port"]
+    hostname    = ibm_resource_key.service_credentials[var.service_credential_names[0].name].credentials["connection.postgres.hosts.0.hostname"]
+    certificate = ibm_resource_key.service_credentials[var.service_credential_names[0].name].credentials["connection.postgres.certificate.certificate_base64"]
+    port        = ibm_resource_key.service_credentials[var.service_credential_names[0].name].credentials["connection.postgres.hosts.0.port"]
     credentials = {
       for service_credential in ibm_resource_key.service_credentials :
       service_credential["name"] => {

modules/fscloud/README.md

@@ -50,7 +50,7 @@ No resources.
 | <a name="input_region"></a> [region](#input\_region) | The region where you want to deploy your instance. Must be the same region as the Hyper Protect Crypto Services instance. | `string` | `"us-south"` | no |
 | <a name="input_remote_leader_crn"></a> [remote\_leader\_crn](#input\_remote\_leader\_crn) | A CRN of the leader database to make the replica(read-only) deployment. The leader database is created by a database deployment with the same service ID. A read-only replica is set up to replicate all of your data from the leader deployment to the replica deployment by using asynchronous replication. For more information, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-read-only-replicas | `string` | `null` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the PostgreSQL instance will be created. | `string` | n/a | yes |
-| <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | Map of name, role for service credentials that you want to create for the database | `map(string)` | `{}` | no |
+| <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | A list of service credential resource keys to be created for the PostgreSQL instance. | <pre>list(object({<br/>    name     = string<br/>    role     = optional(string, "Viewer")<br/>    endpoint = optional(string, "private")<br/>  }))</pre> | `[]` | no |
 | <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of IAM authorization policies that permits all Databases for PostgreSQL instances in the given resource group 'Reader' access to the Key Protect or Hyper Protect Crypto Services key that was provided in the `kms_key_crn` and `backup_encryption_key_crn` inputs. This policy is required in order to enable KMS encryption, so only skip creation if there is one already present in your account. No policy is created if `use_ibm_owned_encryption_key` is true. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Optional list of tags to be added to the PostgreSQL instance. | `list(string)` | `[]` | no |
 | <a name="input_update_timeout"></a> [update\_timeout](#input\_update\_timeout) | A database update may require a longer timeout for the update to complete. The default is 120 minutes. Set this variable to change the `update` value in the `timeouts` block. [Learn more](https://developer.hashicorp.com/terraform/language/resources/syntax#operation-timeouts). | `string` | `"120m"` | no |

modules/fscloud/variables.tf

@@ -78,9 +78,13 @@ variable "users" {
 }
 
 variable "service_credential_names" {
-  type        = map(string)
-  description = "Map of name, role for service credentials that you want to create for the database"
-  default     = {}
+  description = "A list of service credential resource keys to be created for the PostgreSQL instance."
+  type = list(object({
+    name     = string
+    role     = optional(string, "Viewer")
+    endpoint = optional(string, "private")
+  }))
+  default = []
 }
 
 variable "tags" {

solutions/fully-configurable/DA-types.md

@@ -9,26 +9,33 @@ Several optional input variables in the IBM Cloud [Databases for PostgreSQL depl
 
 ## Service credentials <a name="svc-credential-name"></a>
 
-You can specify a set of IAM credentials to connect to the database with the `service_credential_names` input variable. Include a credential name and IAM service role for each key-value pair. Each role provides a specific level of access to the database. For more information, see [Adding and viewing credentials](https://cloud.ibm.com/docs/account?topic=account-service_credentials&interface=ui).
+
+You can specify a set of IAM credentials to connect to the database with the `service_credential_names` input variable. Include a resource key name and IAM service role, and optionally set the endpoint type (`private` or `public`) for each key. Each role provides a specific level of access to the database. For more information, see [Adding and viewing credentials](https://cloud.ibm.com/docs/account?topic=account-service_credentials&interface=ui). If you want to add service credentials to secret manager and to allow secret manager to manage it, you should use `service_credential_secrets` , see [Service credential secrets](#service-credential-secrets)
 
 - Variable name: `service_credential_names`.
-- Type: A map. The key is the name of the service credential. The value is the role that is assigned to that credential.
-- Default value: An empty map (`{}`).
+- Type: A list of objects that represent resource keys.
+- Default value: An empty list (`[]`).
 
 ### Options for service_credential_names
 
-- Key (required): The name of the service credential.
-- Value (required): The IAM service role that is assigned to the credential. For more information, see [IBM Cloud IAM roles](https://cloud.ibm.com/docs/account?topic=account-userroles).
+- `name` (required): A unique human-readable name that identifies this resource key.
+- `role` (optional, default = `Viewer`): The IAM service role assigned to the credential. Valid values are `Administrator`, `Operator`, `Viewer`, and `Editor`.
+- `endpoint` (optional, default = `private`): The endpoint type for the resource key. Valid values are `private` and `public`.
 
-### Example service credential
+### Example service credentials
 
 ```hcl
+[
   {
-      "postgres_admin" : "Administrator",
-      "postgres_reader" : "Operator",
-      "postgres_viewer" : "Viewer",
-      "postgres_editor" : "Editor"
+    "name": "postgresql-admin-resource-key",
+    "role": "Administrator",
+    "endpoint": "private"
+  },
+  {
+    "name": "postgresql-viewer-resource-key",
+    "role": "Viewer"
   }
+]
 ```
 
 ## Service credential secrets <a name="service-credential-secrets"></a>

solutions/fully-configurable/variables.tf

@@ -182,9 +182,13 @@ variable "configuration" {
 }
 
 variable "service_credential_names" {
-  description = "Map of name, role for service credentials that you want to create for the database. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-postgresql/blob/main/solutions/fully-configurable/DA-types.md#svc-credential-name)"
-  type        = map(string)
-  default     = {}
+  description = "A list of service credential resource keys to be created for the PostgreSQL instance. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-postgresql/blob/main/solutions/fully-configurable/DA-types.md#svc-credential-name)"
+  type = list(object({
+    name     = string
+    role     = optional(string, "Viewer")
+    endpoint = optional(string, "private")
+  }))
+  default = []
 }
 
 variable "admin_pass" {

solutions/security-enforced/variables.tf

@@ -166,9 +166,13 @@ variable "configuration" {
 }
 
 variable "service_credential_names" {
-  description = "Map of name, role for service credentials that you want to create for the database. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-postgresql/blob/main/solutions/fully-configurable/DA-types.md#svc-credential-name)"
-  type        = map(string)
-  default     = {}
+  description = "A list of service credential resource keys to be created for the PostgreSQL instance. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-postgresql/blob/main/solutions/fully-configurable/DA-types.md#svc-credential-name)"
+  type = list(object({
+    name     = string
+    role     = optional(string, "Viewer")
+    endpoint = optional(string, "private")
+  }))
+  default = []
 }
 
 variable "admin_pass" {