
Commit 95d5474

authored
fix: fix issue that was causing secrets manager managed service credential re-creation<br><br>NOTE: When upgrading from previous version, you will see time_sleep resource getting recreated. This doesn't destroy any actual infrastructure and is an expected change. (#463)
1 parent e7f18b6 commit 95d5474


2 files changed

+44
-7
lines changed


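--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -350,6 +350,10 @@ resource "time_sleep" "wait_for_rabbitmq_authorization_policy" {
 count = local.create_sm_auth_policy
 depends_on = [ibm_iam_authorization_policy.secrets_manager_key_manager]
 create_duration = "30s"
+triggers = {
+secrets_manager_region = local.existing_secrets_manager_instance_region
+secrets_manager_guid = local.existing_secrets_manager_instance_guid
+}
 }
 
 locals {
@@ -395,12 +399,12 @@ locals {
 }
 
 module "secrets_manager_service_credentials" {
-count = length(local.service_credential_secrets) > 0 ? 1 : 0
-depends_on = [time_sleep.wait_for_rabbitmq_authorization_policy]
-source = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
-version = "2.10.2"
-existing_sm_instance_guid = local.existing_secrets_manager_instance_guid
-existing_sm_instance_region = local.existing_secrets_manager_instance_region
+count = length(local.service_credential_secrets) > 0 ? 1 : 0
+source = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
+version = "2.10.2"
+# converted into implicit dependency and removed explicit depends_on time_sleep.wait_for_rabbitmq_authorization_policy for this module because of issue https://github.com/terraform-ibm-modules/terraform-ibm-icd-redis/issues/608
+existing_sm_instance_guid = local.create_sm_auth_policy > 0 ? time_sleep.wait_for_rabbitmq_authorization_policy[0].triggers["secrets_manager_guid"] : local.existing_secrets_manager_instance_guid
+existing_sm_instance_region = local.create_sm_auth_policy > 0 ? time_sleep.wait_for_rabbitmq_authorization_policy[0].triggers["secrets_manager_region"] : local.existing_secrets_manager_instance_region
 endpoint_type = var.existing_secrets_manager_endpoint_type
 secrets = local.secrets
 }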
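Review bot: The new `triggers` block on `time_sleep.wait_for_rabbitmq_authorization_policy` (first hunk) now carries a contract that is only documented on the consumer side: the module in the second hunk reads `triggers["secrets_manager_guid"]` and `triggers["secrets_manager_region"]` solely to obtain an implicit dependency, so renaming or dropping a key on the resource silently breaks the module reference. A comment on the resource would keep both sides in sync, e.g. `# read by module.secrets_manager_service_credentials via triggers[...] to create an implicit dependency; renaming these keys breaks that reference, and changing their values re-creates this sleep`. Since `triggers` is a string map, the guid and region pass through as strings — presumably they already are, but worth confirming against the locals. The ternary on `local.create_sm_auth_policy > 0` assumes that local is numeric, which its use as `count` on the sleep supports.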

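--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -145,15 +145,48 @@ func TestRunSecurityEnforcedUpgradeSolutionSchematics(t *testing.T) {
 CheckApplyResultForUpgrade: true,
 })
 
+serviceCredentialSecrets := []map[string]any{
+{
+"secret_group_name": fmt.Sprintf("%s-secret-group", options.Prefix),
+"service_credentials": []map[string]string{
+{
+"secret_name": fmt.Sprintf("%s-cred-reader", options.Prefix),
+"service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Viewer",
+},
+{
+"secret_name": fmt.Sprintf("%s-cred-writer", options.Prefix),
+"service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor",
+},
+},
+},
+}
+
+serviceCredentialNames := map[string]string{
+"admin": "Administrator",
+"user1": "Viewer",
+"user2": "Editor",
+}
+
+serviceCredentialNamesJSON, err := json.Marshal(serviceCredentialNames)
+if err != nil {
+log.Fatalf("Error converting to JSON: %s", err)
+}
+
 options.TerraformVars = []testschematic.TestSchematicTerraformVar{
 {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
 {Name: "prefix", Value: options.Prefix, DataType: "string"},
 {Name: "deletion_protection", Value: false, DataType: "bool"},
 {Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"},
 {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
+{Name: "existing_secrets_manager_instance_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"},
+{Name: "service_credential_secrets", Value: serviceCredentialSecrets, DataType: "list(object)"},
+{Name: "service_credential_names", Value: string(serviceCredentialNamesJSON), DataType: "map(string)"},
+{Name: "admin_pass_secrets_manager_secret_name", Value: options.Prefix, DataType: "string"},
+{Name: "admin_pass", Value: GetRandomAdminPassword(t), DataType: "string"},
+{Name: "admin_pass_secrets_manager_secret_group", Value: fmt.Sprintf("rabbitmq-%s-admin-secrets", options.Prefix), DataType: "string"},
 }
 
-err := options.RunSchematicUpgradeTest()
+err = options.RunSchematicUpgradeTest()
 assert.Nil(t, err, "This should not have errored")
 }
 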
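Review bot: The added `admin_pass` variable is passed to Schematics without `Secure: true`, unlike `ibmcloud_api_key` a few lines above in the same slice, so the generated admin password can be echoed in workspace variable listings and plan/apply logs; mark it `{Name: "admin_pass", Value: GetRandomAdminPassword(t), DataType: "string", Secure: true},`. Separately, `log.Fatalf` on the `json.Marshal` error terminates the whole test binary and skips any deferred cleanup of the Schematics workspace; inside a test it should be `t.Fatalf("Error converting to JSON: %s", err)`. The enclosing function `TestRunSecurityEnforcedUpgradeSolutionSchematics` starts outside the hunk, and `GetRandomAdminPassword` is presumably a test helper defined elsewhere in the package.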
