terraform-ibm-modules · toddgiguere · Jun 30, 2025 · Jun 3, 2025 · Jun 6, 2025 · Jun 6, 2025
@@ -12,9 +12,11 @@ offerings:
         scc:
           instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
           region: us-south
+          scope_resource_group_var_name: existing_resource_group_name
       - name: security-enforced
         mark_ready: true
         install_type: fullstack
         scc:
           instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
           region: us-south
+          scope_resource_group_var_name: existing_resource_group_name
@@ -8,6 +8,6 @@ CRA_TARGETS:
       TF_VAR_existing_kms_instance_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9::"
       TF_VAR_existing_kms_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:1368d2eb-3ed0-4a8b-b09c-2155895f01ea"
       TF_VAR_existing_resource_group_name: "geretain-test-rabbitmq"
+      TF_VAR_kms_encryption_enabled: true
       TF_VAR_provider_visibility: "public"
-      TF_VAR_use_ibm_owned_encryption_key: false
       TF_VAR_prefix: "test"
@@ -17,7 +17,6 @@
         "infrastructure as code",
         "terraform",
         "solution",
-        "rabbitmq standard",
         "cache",
         "in memory"
       ],
@@ -30,24 +29,25 @@
       "features": [
         {
           "title": "KMS encryption",
-          "description": "Provides KMS encryption for the data that you store in the database."
+          "description": "Provides [KMS encryption](https://cloud.ibm.com/docs/messages-for-rabbitmq?topic=messages-for-rabbitmq-key-protect&interface=ui) for the data that you store in the database, enhancing data security."
+
         },
         {
           "title": "Autoscaling",
-          "description": "Provides the autoscaling to allow the database to increase resources in response to usage."
-        },
-        {
-          "title": "Backup restoration",
-          "description": "Provides database restoration using a backup created by a deployment with the same service ID."
+          "description": "Provides the [autoscaling](https://cloud.ibm.com/docs/messages-for-rabbitmq?topic=messages-for-rabbitmq-autoscaling&interface=ui) to allow the database to increase resources in response to usage."
         },
         {
           "title": "Access tags",
           "description": "Attaches access tags to the RabbitMQ instance."
+        },
+        {
+          "title": "Backup restoration",
+          "description": "Provides [database restoration](https://cloud.ibm.com/docs/messages-for-rabbitmq?topic=messages-for-rabbitmq-backups-for-rabbitmq&interface=ui) using a backup created by a deployment with the same service ID."
         }
       ],
       "flavors": [
         {
-          "label": "Fully Configurable",
+          "label": "Fully configurable",
           "name": "fully-configurable",
           "index": 1,
           "install_type": "fullstack",
@@ -71,22 +71,23 @@
             },
             {
               "role_crns": [
-                "crn:v1:bluemix:public:iam::::role:Administrator"
+                "crn:v1:bluemix:public:iam::::role:Editor"
               ],
-              "service_name": "all-account-management-services"
+              "service_name": "messages-for-rabbitmq"
             },
             {
               "role_crns": [
                 "crn:v1:bluemix:public:iam::::role:Editor"
               ],
-              "service_name": "messages-for-rabbitmq"
+              "service_name": "kms",
+              "notes": "[Optional] Editor access is required to create keys. It is only required when using Key Protect for encryption."
             },
             {
               "role_crns": [
-                "crn:v1:bluemix:public:iam::::serviceRole:Manager",
                 "crn:v1:bluemix:public:iam::::role:Editor"
               ],
-              "service_name": "kms"
+              "service_name": "hs-crypto",
+              "notes": "[Optional] Editor access is required to create keys in HPCS. It is only required when using HPCS for encryption."
             }
           ],
           "architecture": {
@@ -143,13 +144,11 @@
               }
             },
             {
-              "key": "prefix",
-              "required": true
+              "key": "prefix"
             },
             {
               "key": "region",
               "required": true,
-              "default_value": "us-south",
               "options": [
                 {
                   "displayname": "Chennai (che01)",
@@ -219,7 +218,8 @@
               "key": "name"
             },
             {
-              "key": "tags",
+              "key": "resource_tags",
+              "type": "array",
               "custom_config": {
                 "grouping": "deployment",
                 "original_grouping": "deployment",
@@ -230,6 +230,7 @@
             },
             {
               "key": "access_tags",
+              "type": "array",
               "custom_config": {
                 "grouping": "deployment",
                 "original_grouping": "deployment",
@@ -257,7 +258,21 @@
               "key": "auto_scaling"
             },
             {
-              "key": "service_endpoints"
+              "key": "service_endpoints",
+              "options": [
+                {
+                  "displayname": "private",
+                  "value": "private"
+                },
+                {
+                  "displayname": "public",
+                  "value": "public"
+                },
+                {
+                  "displayname": "public-and-private",
+                  "value": "public-and-private"
+                }
+              ]
             },
             {
               "key": "service_credential_names"
@@ -365,7 +380,7 @@
           ]
         },
         {
-          "label": "Security-Enforced",
+          "label": "Security-enforced",
           "name": "security-enforced",
           "index": 2,
           "install_type": "fullstack",
@@ -389,22 +404,23 @@
             },
             {
               "role_crns": [
-                "crn:v1:bluemix:public:iam::::role:Administrator"
+                "crn:v1:bluemix:public:iam::::role:Editor"
               ],
-              "service_name": "all-account-management-services"
+              "service_name": "messages-for-rabbitmq"
             },
             {
               "role_crns": [
                 "crn:v1:bluemix:public:iam::::role:Editor"
               ],
-              "service_name": "messages-for-rabbitmq"
+              "service_name": "kms",
+              "notes": "[Optional] Editor access is required to create keys. It is only required when using Key Protect for encryption."
             },
             {
               "role_crns": [
-                "crn:v1:bluemix:public:iam::::serviceRole:Manager",
                 "crn:v1:bluemix:public:iam::::role:Editor"
               ],
-              "service_name": "kms"
+              "service_name": "hs-crypto",
+              "notes": "[Optional] Editor access is required to create keys in HPCS. It is only required when using HPCS for encryption."
             }
           ],
           "architecture": {
@@ -442,13 +458,11 @@
               }
             },
             {
-              "key": "prefix",
-              "required": true
+              "key": "prefix"
             },
             {
               "key": "region",
               "required": true,
-              "default_value": "us-south",
               "options": [
                 {
                   "displayname": "Chennai (che01)",
@@ -518,7 +532,8 @@
               "key": "name"
             },
             {
-              "key": "tags",
+              "key": "resource_tags",
+              "type": "array",
               "custom_config": {
                 "grouping": "deployment",
                 "original_grouping": "deployment",
@@ -529,6 +544,7 @@
             },
             {
               "key": "access_tags",
+              "type": "array",
               "custom_config": {
                 "grouping": "deployment",
                 "original_grouping": "deployment",

@@ -1,7 +1,9 @@
 {
   "ibmcloud_api_key": $VALIDATION_APIKEY,
   "region": "us-south",
-  "tags": $TAGS,
+  "resource_tags": $TAGS,
   "name": $PREFIX,
-  "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN
+  "existing_resource_group_name":"geretain-test-rabbitmq",
+  "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN,
+  "kms_encryption_enabled": true
 }
@@ -5,7 +5,6 @@ locals {
   prefix = var.prefix != null ? trimspace(var.prefix) != "" ? "${var.prefix}-" : "" : ""
 }
 
-
 module "resource_group" {
   source                       = "terraform-ibm-modules/resource-group/ibm"
   version                      = "1.2.0"
@@ -49,7 +48,7 @@ module "kms" {
           standard_key             = false
           rotation_interval_month  = 3
           dual_auth_delete_enabled = false
-          force_delete             = true
+          force_delete             = true # Force delete must be set to true, or the terraform destroy will fail since the service does not de-register itself from the key until the reclamation period has expired.
         }
       ]
     }
@@ -291,7 +290,7 @@ module "rabbitmq" {
   use_same_kms_key_for_backups      = local.use_same_kms_key_for_backups
   use_default_backup_encryption_key = var.use_default_backup_encryption_key
   access_tags                       = var.access_tags
-  tags                              = var.tags
+  tags                              = var.resource_tags
   admin_pass                        = local.admin_pass
   users                             = var.users
   members                           = var.members
@@ -365,7 +364,7 @@ locals {
           service_credentials_ttl                     = secret.service_credentials_ttl
           service_credential_secret_description       = secret.service_credential_secret_description
           service_credentials_source_service_role_crn = secret.service_credentials_source_service_role_crn
-          service_credentials_source_service_crn      = module.rabbitmq[0].crn
+          service_credentials_source_service_crn      = local.rabbitmq_crn
           secret_type                                 = "service_credentials" #checkov:skip=CKV_SECRET_6
         }
       ]
@@ -377,7 +376,7 @@ locals {
     secret_group_name     = "${local.prefix}${var.admin_pass_secrets_manager_secret_group}"
     existing_secret_group = var.use_existing_admin_pass_secrets_manager_secret_group
     secrets = [{
-      secret_name             = "${var.prefix}${var.admin_pass_secrets_manager_secret_name}"
+      secret_name             = "${local.prefix}${var.admin_pass_secrets_manager_secret_name}"
       secret_type             = "arbitrary"
       secret_payload_password = local.admin_pass
       }

diff --git a/solutions/fully-configurable/moved.tf b/solutions/fully-configurable/moved.tf
@@ -58,16 +58,16 @@ variable "region" {
   }
 }
 
-variable "rabbitmq_version" {
-  description = "The version of the Databases for RabbitMQ instance. If no value is specified, the current preferred version of Databases for RabbitMQ is used."
+variable "existing_rabbitmq_instance_crn" {
   type        = string
   default     = null
+  description = "The CRN of an existing Messages for RabbitMQ instance. If no value is specified, a new instance is created."
 }
 
-variable "existing_rabbitmq_instance_crn" {
+variable "rabbitmq_version" {
+  description = "The version of the Messages for RabbitMQ instance."
   type        = string
   default     = null
-  description = "The CRN of an existing Messages for RabbitMQ instance. If no value is specified, a new instance is created."
 }
 
 ##############################################################################
@@ -76,7 +76,7 @@ variable "existing_rabbitmq_instance_crn" {
 
 variable "service_endpoints" {
   type        = string
-  description = "Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'."
+  description = "The type of endpoint of the database instance. Possible values: `public`, `private`, `public-and-private`."
   default     = "private"
 
   validation {
@@ -85,11 +85,10 @@ variable "service_endpoints" {
   }
 }
 
-
 variable "members" {
   type        = number
   description = "The number of members that are allocated. [Learn more](https://cloud.ibm.com/docs/messages-for-rabbitmq?topic=messages-for-rabbitmq-resources-scaling)."
-  default     = 3
+  default     = 2
 }
 
 variable "member_memory_mb" {
@@ -124,7 +123,7 @@ variable "service_credential_names" {
 
 variable "admin_pass" {
   type        = string
-  description = "The password for the database administrator. If the admin password is null then the admin user ID cannot be accessed. More users can be specified in a user block."
+  description = "The password for the database administrator. If no admin password is provided (i.e., it is null), one will be generated automatically. Additional users can be added using a user block."
   default     = null
   sensitive   = true
 }
@@ -141,15 +140,15 @@ variable "users" {
   description = "A list of users that you want to create on the database. Users block is supported by RabbitMQ version >= 6.0. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service_credential_names) is sufficient to control access to the RabbitMQ instance. This blocks creates native RabbitMQ database users. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-icd-rabbitmq/blob/main/solutions/standard/DA-types.md#users)"
 }
 
-variable "tags" {
+variable "resource_tags" {
   type        = list(any)
-  description = "The list of tags to be added to the Databases for RabbitMQ instance."
+  description = "The list of tags to be added to the Messages for RabbitMQ instance."
   default     = []
 }
 
 variable "access_tags" {
   type        = list(string)
-  description = "A list of access tags to apply to the Databases for RabbitMQ instance created by the solution. [Learn more](https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial)."
+  description = "A list of access tags to apply to the Messages for RabbitMQ instance created by the solution. [Learn more](https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial)."
   default     = []
 }
 
@@ -180,13 +179,13 @@ variable "kms_encryption_enabled" {
 
 variable "existing_kms_instance_crn" {
   type        = string
-  description = "The CRN of a Key Protect or Hyper Protect Crypto Services instance. Required to create a new encryption key and key ring which will be used to encrypt both deployment data and backups. Applies only if `use_ibm_owned_encryption_key` is false. To use an existing key, pass values for `existing_kms_key_crn` and/or `existing_backup_kms_key_crn`. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
+  description = "The CRN of a Key Protect or Hyper Protect Crypto Services instance. Required to create a new encryption key and key ring which will be used to encrypt both deployment data and backups. To use an existing key, pass values for `existing_kms_key_crn` and/or `existing_backup_kms_key_crn`. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
   default     = null
 }
 
 variable "existing_kms_key_crn" {
   type        = string
-  description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `use_ibm_owned_encryption_key` is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the optional `existing_backup_kms_key_crn` input. If no value is passed a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
+  description = "The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. By default this key is used for both deployment data and backups, but this behaviour can be altered using the optional `existing_backup_kms_key_crn` input. If no value is passed a new key will be created in the instance specified in the `existing_kms_instance_crn` input. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups)."
   default     = null
 }
 
@@ -233,7 +232,7 @@ variable "existing_backup_kms_key_crn" {
 
 variable "use_default_backup_encryption_key" {
   type        = bool
-  description = "When `use_ibm_owned_encryption_key` is set to false, backups will be encrypted with either the key specified in `existing_kms_key_crn`, in `existing_backup_kms_key_crn`, or with a new key that will be created in the instance specified in the `existing_kms_instance_crn` input. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. Alternatively set `use_ibm_owned_encryption_key` to true to use the default encryption for both backups and deployment data."
+  description = "When `kms_encryption_enabled` is set to true, backups will be encrypted with either the key specified in `existing_kms_key_crn`, in `existing_backup_kms_key_crn`, or with a new key that will be created in the instance specified in the `existing_kms_instance_crn` input. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. Alternatively set `kms_encryption_enabled` to false to use the default encryption for both backups and deployment data."
   default     = false
 }
 
@@ -250,6 +249,7 @@ variable "backup_crn" {
     error_message = "backup_crn must be null OR starts with 'crn:' and contains ':backup:'"
   }
 }
+
 variable "provider_visibility" {
   description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)."
   type        = string

@@ -1,7 +1,8 @@
 {
   "ibmcloud_api_key": $VALIDATION_APIKEY,
   "region": "us-south",
-  "tags": $TAGS,
+  "resource_tags": $TAGS,
   "name": $PREFIX,
+  "existing_resource_group_name": "geretain-test-rabbitmq",
   "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN
 }