diff --git a/README.md b/README.md
index b788c8b4..94d1d06a 100644
--- a/README.md
+++ b/README.md
@@ -162,25 +162,25 @@ For more info, see [Understanding user roles and resources](https://cloud.ibm.co
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [access\_tags](#input\_access\_tags) | A list of access tags to apply to the Key Protect instance created by the module. Only used if 'create\_key\_protect\_instance' is true. | `list(string)` | `[]` | no |
+| [access\_tags](#input\_access\_tags) | A list of access tags that you want to apply to the instance. Not required if 'create\_key\_protect\_instance' is set to false. | `list(string)` | `[]` | no |
 | [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of context-based restrictions rules to create |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
})) | `[]` | no |
-| [create\_key\_protect\_instance](#input\_create\_key\_protect\_instance) | A flag to control whether a Key Protect instance is created, defaults to true. | `bool` | `true` | no |
-| [dual\_auth\_delete\_enabled](#input\_dual\_auth\_delete\_enabled) | If set to true, Key Protect enables a dual authorization policy on the instance. Note: Once the dual authorization policy is set on the instance, it cannot be reverted. An instance with dual authorization policy enabled cannot be destroyed using Terraform. Only used if 'create\_key\_protect\_instance' is true. | `bool` | `false` | no |
-| [enable\_metrics](#input\_enable\_metrics) | Set to true to enable metrics on the Key Protect instance. Only used if 'create\_key\_protect\_instance' is true. In order to view metrics, you will need a Monitoring (Sysdig) instance that is located in the same region as the Key Protect instance. Once you provision the Monitoring instance, you will need to enable platform metrics. | `bool` | `true` | no |
-| [existing\_kms\_instance\_crn](#input\_existing\_kms\_instance\_crn) | The CRN of an existing Key Protect or Hyper Protect Crypto Services instance. Required if 'create\_key\_protect\_instance' is false. | `string` | `null` | no |
-| [key\_create\_import\_access\_enabled](#input\_key\_create\_import\_access\_enabled) | If set to true, Key Protect enables a key create import access policy on the instance. Only used if 'create\_key\_protect\_instance' is true. | `bool` | `true` | no |
-| [key\_create\_import\_access\_settings](#input\_key\_create\_import\_access\_settings) | Key create import access policy settings to configure if 'enable\_key\_create\_import\_access\_policy' is true. Only used if 'create\_key\_protect\_instance' is true. For more info see https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-keyCreateImportAccess | object({
create_root_key = optional(bool, true)
create_standard_key = optional(bool, true)
import_root_key = optional(bool, true)
import_standard_key = optional(bool, true)
enforce_token = optional(bool, false)
}) | `{}` | no |
-| [key\_endpoint\_type](#input\_key\_endpoint\_type) | The type of endpoint to be used for creating keys. Accepts 'public' or 'private' | `string` | `"public"` | no |
-| [key\_protect\_allowed\_network](#input\_key\_protect\_allowed\_network) | The type of the allowed network to be set for the Key Protect instance. Possible values are 'private-only', or 'public-and-private'. Only used if 'create\_key\_protect\_instance' is true. | `string` | `"public-and-private"` | no |
-| [key\_protect\_instance\_name](#input\_key\_protect\_instance\_name) | The name to give the Key Protect instance that will be provisioned by this module. Only used if 'create\_key\_protect\_instance' is true. | `string` | `"key-protect"` | no |
-| [key\_protect\_plan](#input\_key\_protect\_plan) | Plan for the Key Protect instance. Supported values are 'tiered-pricing' and 'cross-region-resiliency'. Only used if 'create\_key\_protect\_instance' is true. | `string` | `"tiered-pricing"` | no |
-| [key\_ring\_endpoint\_type](#input\_key\_ring\_endpoint\_type) | The type of endpoint to be used for creating key rings. Accepts 'public' or 'private' | `string` | `"public"` | no |
-| [keys](#input\_keys) | A list of objects which contain the key ring name, a flag indicating if this key ring already exists, and a flag to enable force deletion of the key ring. In addition, this object contains a list of keys with all of the information on the keys to be created in that key ring. | list(object({
key_ring_name = string
existing_key_ring = optional(bool, false)
keys = list(object({
key_name = string
standard_key = optional(bool, false)
rotation_interval_month = optional(number, 1)
dual_auth_delete_enabled = optional(bool, false)
force_delete = optional(bool, false)
kmip = optional(list(object({
name = string
description = optional(string)
certificates = optional(list(object({
name = optional(string)
certificate = string
})), [])
})), [])
}))
})) | `[]` | no |
-| [region](#input\_region) | The IBM Cloud region where all resources will be provisioned. | `string` | n/a | yes |
-| [resource\_group\_id](#input\_resource\_group\_id) | The ID of the Resource Group to provision the Key Protect instance in. Not required if 'create\_key\_protect\_instance' is false. | `string` | `null` | no |
-| [resource\_tags](#input\_resource\_tags) | Optional list of tags to be added to the Key Protect instance. Only used if 'create\_key\_protect\_instance' is true. | `list(string)` | `[]` | no |
-| [rotation\_enabled](#input\_rotation\_enabled) | If set to true, Key Protect enables a rotation policy on the Key Protect instance. Only used if 'create\_key\_protect\_instance' is true. | `bool` | `true` | no |
-| [rotation\_interval\_month](#input\_rotation\_interval\_month) | Specifies the key rotation time interval in months. Must be between 1 and 12 inclusive. Only used if 'create\_key\_protect\_instance' is true. | `number` | `1` | no |
+| [create\_key\_protect\_instance](#input\_create\_key\_protect\_instance) | A boolean that determines whether a Key Protect instance is created. By default, this is set to true. | `bool` | `true` | no |
+| [dual\_auth\_delete\_enabled](#input\_dual\_auth\_delete\_enabled) | If set to true, Key Protect enables a dual authorization policy on the instance. Once the dual authorization policy is set it cannot be reverted. An instance with dual authorization policy enabled cannot be destroyed by using Terraform. Not required if 'create\_key\_protect\_instance' is set to false. | `bool` | `false` | no |
+| [enable\_metrics](#input\_enable\_metrics) | Set to true to enable metrics on the instance. Not required if 'create\_key\_protect\_instance' is set to false. To view metrics, you will need a Monitoring instance that is located in the same region as the Key Protect instance. Once you provision the Monitoring instance, you will need to enable platform metrics. | `bool` | `true` | no |
+| [existing\_kms\_instance\_crn](#input\_existing\_kms\_instance\_crn) | The CRN of an existing instance. Required if 'create\_key\_protect\_instance' is false. | `string` | `null` | no |
+| [key\_create\_import\_access\_enabled](#input\_key\_create\_import\_access\_enabled) | If set to true, Key Protect enables a key create import access policy on the instance. Not required if 'create\_key\_protect\_instance' is set to false. | `bool` | `true` | no |
+| [key\_create\_import\_access\_settings](#input\_key\_create\_import\_access\_settings) | Key create import access policy settings to configure if 'enable\_key\_create\_import\_access\_policy' is true. Not required if 'create\_key\_protect\_instance' is set to false. For more information see https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-keyCreateImportAccess | object({
create_root_key = optional(bool, true)
create_standard_key = optional(bool, true)
import_root_key = optional(bool, true)
import_standard_key = optional(bool, true)
enforce_token = optional(bool, false)
}) | `{}` | no |
+| [key\_endpoint\_type](#input\_key\_endpoint\_type) | The type of endpoint that you want to use to create keys in your instance. Supported values are 'public' or 'private'. | `string` | `"public"` | no |
+| [key\_protect\_allowed\_network](#input\_key\_protect\_allowed\_network) | The type of the network connection that is allowed for the instance. Supported values are 'private-only', or 'public-and-private'. Not required if 'create\_key\_protect\_instance' is set to false. | `string` | `"public-and-private"` | no |
+| [key\_protect\_instance\_name](#input\_key\_protect\_instance\_name) | The name to give the Key Protect instance that will be provisioned by this module. Not required if 'create\_key\_protect\_instance' is set to false. | `string` | `"key-protect"` | no |
+| [key\_protect\_plan](#input\_key\_protect\_plan) | The pricing plan for the Key Protect instance. Supported values are 'tiered-pricing' and 'cross-region-resiliency'. Not required if 'create\_key\_protect\_instance' is set to false. | `string` | `"tiered-pricing"` | no |
+| [key\_ring\_endpoint\_type](#input\_key\_ring\_endpoint\_type) | The type of endpoint that you want to use to create key rings in your instance. Supported values are 'public' or 'private'. | `string` | `"public"` | no |
+| [keys](#input\_keys) | A list of objects that contains the key ring name, a flag indicating if this key ring already exists, and a flag to enable force deletion of the key ring. In addition, this object contains a list of keys with all of the information on the keys that will be created in that key ring. | list(object({
key_ring_name = string
existing_key_ring = optional(bool, false)
keys = list(object({
key_name = string
standard_key = optional(bool, false)
rotation_interval_month = optional(number, 1)
dual_auth_delete_enabled = optional(bool, false)
force_delete = optional(bool, false)
kmip = optional(list(object({
name = string
description = optional(string)
certificates = optional(list(object({
name = optional(string)
certificate = string
})), [])
})), [])
}))
})) | `[]` | no |
+| [region](#input\_region) | The IBM Cloud region in which your resources will be provisioned. | `string` | n/a | yes |
+| [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group in which you want to provision your instance of Key Protext. Not required if 'create\_key\_protect\_instance' is set to false. | `string` | `null` | no |
+| [resource\_tags](#input\_resource\_tags) | An optional list of tags to be added to the instance. Not required if 'create\_key\_protect\_instance' is set to false. | `list(string)` | `[]` | no |
+| [rotation\_enabled](#input\_rotation\_enabled) | If set to true, Key Protect enables a rotation policy for the instance. Not required if 'create\_key\_protect\_instance' is set to false. | `bool` | `true` | no |
+| [rotation\_interval\_month](#input\_rotation\_interval\_month) | Specifies the key rotation time interval in months. Must be between 1 and 12 inclusive. Not required if 'create\_key\_protect\_instance' is set to false. | `number` | `1` | no |
### Outputs
diff --git a/ibm_catalog.json b/ibm_catalog.json
index f6d09e97..5a06c2fe 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -15,33 +15,33 @@
"keywords": [
"KMS",
"Key",
- "Key Ring",
+ "Key ring",
"Key Protect",
"IaC",
"infrastructure as code",
"terraform",
"solution"
],
- "short_description": "Creates and configures IBM Cloud Key Management resources",
- "long_description": "This architecture supports creating and configuring an IBM Key Protect instance, Key Rings, and Keys. For more details on Key Protect, [see here](https://cloud.ibm.com/docs/key-protect/index.html).",
+ "short_description": "Create and configure IBM Cloud key management resources",
+ "long_description": "With this architecture, you can create and configure an instance of the Key Protect service that is preconfigured with keys and key rings that meet IBM Cloud secure by default standards. For more information about the Key Protect service, see [the documentation](https://cloud.ibm.com/docs/key-protect).",
"offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-kms-all-inclusive/blob/main/solutions/fully-configurable/README.md",
"offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-kms-all-inclusive/main/images/key_protect_icon.svg",
"provider_name": "IBM",
"features": [
{
- "title": "Creates a Key Protect instance",
- "description": "For more details on Key Protect instances, [see here](https://cloud.ibm.com/catalog/services/key-protect#about)."
+ "title": "Create an instance of Key Protect",
+ "description": "For more information about the Key Protect service, see [the catalog tile](https://cloud.ibm.com/catalog/services/key-protect#about)."
},
{
- "title": "Creates Key Rings and Keys",
- "description": "For more details on Key Rings and Keys in a KMS instance (Key Protect or HPCS), [see here](https://github.com/terraform-ibm-modules/terraform-ibm-kms-all-inclusive/blob/main/solutions/fully-configurable/DA-keys.md)."
+ "title": "Create secure key rings and keys",
+ "description": "To learn more about how key rings and keys are configured, see [the architecture](https://github.com/terraform-ibm-modules/terraform-ibm-kms-all-inclusive/blob/main/solutions/fully-configurable/DA-keys.md)."
},
{
- "title": "Creates Context-Based Restriction rules for Key Protect instance",
- "description": "For more details on Context-Based Restriction rules, [see here](https://github.com/terraform-ibm-modules/terraform-ibm-kms-all-inclusive/blob/main/solutions/fully-configurable/DA-cbr_rules.md)."
+ "title": "Create context-based restrictions for the instance",
+ "description": "Learn more about the rules that are created in [the architecture code](https://github.com/terraform-ibm-modules/terraform-ibm-kms-all-inclusive/blob/main/solutions/fully-configurable/DA-cbr_rules.md)."
}
],
- "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [https://github.com/terraform-ibm-modules/terraform-ibm-kms-all-inclusive/issues](https://github.com/terraform-ibm-modules/terraform-ibm-kms-all-inclusive/issues). Please note this product is not supported via the IBM Cloud Support Center.",
+ "support_details": "This product is in the community registry. As such, support is handled through the originated repo. If you experience issues please open an issue in that repository: [https://github.com/terraform-ibm-modules/terraform-ibm-kms-all-inclusive/issues](https://github.com/terraform-ibm-modules/terraform-ibm-kms-all-inclusive/issues). Please note this product is not supported via the IBM Cloud Support Center.",
"flavors": [
{
"label": "Fully configurable",
@@ -64,7 +64,7 @@
"crn:v1:bluemix:public:iam::::role:Editor"
],
"service_name": "kms",
- "notes": "[Optional] Required if you are creating a new Key Protect instance or provisioning associated resources like key rings and keys."
+ "notes": "[Optional] Required if you are creating a new Key Protect instance or provisioning associated resources such as key rings and keys."
},
{
"role_crns": [
diff --git a/variables.tf b/variables.tf
index 2b451ae7..e4efa462 100644
--- a/variables.tf
+++ b/variables.tf
@@ -4,18 +4,18 @@
variable "resource_group_id" {
type = string
- description = "The ID of the Resource Group to provision the Key Protect instance in. Not required if 'create_key_protect_instance' is false."
+ description = "The ID of the resource group in which you want to provision your instance of Key Protext. Not required if 'create_key_protect_instance' is set to false."
default = null
}
variable "region" {
type = string
- description = "The IBM Cloud region where all resources will be provisioned."
+ description = "The IBM Cloud region in which your resources will be provisioned."
}
variable "create_key_protect_instance" {
type = bool
- description = "A flag to control whether a Key Protect instance is created, defaults to true."
+ description = "A boolean that determines whether a Key Protect instance is created. By default, this is set to true."
default = true
validation {
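Review bot: The new description of `resource_group_id` misspells the service name as "Key Protext", and the same typo is carried into the `resource_group_id` row of the README table in the first hunk. Suggest `description = "The ID of the resource group in which you want to provision your instance of Key Protect. Not required if 'create_key_protect_instance' is set to false."` here; if the README table is generated from these descriptions, regenerate it rather than patching both by hand. The `validation` block of `create_key_protect_instance` starts on the last line of this hunk and continues outside it.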
@@ -26,44 +26,44 @@ variable "create_key_protect_instance" {
variable "key_protect_instance_name" {
type = string
- description = "The name to give the Key Protect instance that will be provisioned by this module. Only used if 'create_key_protect_instance' is true."
+ description = "The name to give the Key Protect instance that will be provisioned by this module. Not required if 'create_key_protect_instance' is set to false."
default = "key-protect"
}
variable "key_protect_plan" {
type = string
- description = "Plan for the Key Protect instance. Supported values are 'tiered-pricing' and 'cross-region-resiliency'. Only used if 'create_key_protect_instance' is true."
+ description = "The pricing plan for the Key Protect instance. Supported values are 'tiered-pricing' and 'cross-region-resiliency'. Not required if 'create_key_protect_instance' is set to false."
default = "tiered-pricing"
# validation performed in terraform-ibm-key-protect module
}
variable "rotation_enabled" {
type = bool
- description = "If set to true, Key Protect enables a rotation policy on the Key Protect instance. Only used if 'create_key_protect_instance' is true."
+ description = "If set to true, Key Protect enables a rotation policy for the instance. Not required if 'create_key_protect_instance' is set to false."
default = true
}
variable "rotation_interval_month" {
type = number
- description = "Specifies the key rotation time interval in months. Must be between 1 and 12 inclusive. Only used if 'create_key_protect_instance' is true."
+ description = "Specifies the key rotation time interval in months. Must be between 1 and 12 inclusive. Not required if 'create_key_protect_instance' is set to false."
default = 1
}
variable "dual_auth_delete_enabled" {
type = bool
- description = "If set to true, Key Protect enables a dual authorization policy on the instance. Note: Once the dual authorization policy is set on the instance, it cannot be reverted. An instance with dual authorization policy enabled cannot be destroyed using Terraform. Only used if 'create_key_protect_instance' is true."
+ description = "If set to true, Key Protect enables a dual authorization policy on the instance. Once the dual authorization policy is set it cannot be reverted. An instance with dual authorization policy enabled cannot be destroyed by using Terraform. Not required if 'create_key_protect_instance' is set to false."
default = false
}
variable "enable_metrics" {
type = bool
- description = "Set to true to enable metrics on the Key Protect instance. Only used if 'create_key_protect_instance' is true. In order to view metrics, you will need a Monitoring (Sysdig) instance that is located in the same region as the Key Protect instance. Once you provision the Monitoring instance, you will need to enable platform metrics."
+ description = "Set to true to enable metrics on the instance. Not required if 'create_key_protect_instance' is set to false. To view metrics, you will need a Monitoring instance that is located in the same region as the Key Protect instance. Once you provision the Monitoring instance, you will need to enable platform metrics."
default = true
}
variable "key_create_import_access_enabled" {
type = bool
- description = "If set to true, Key Protect enables a key create import access policy on the instance. Only used if 'create_key_protect_instance' is true."
+ description = "If set to true, Key Protect enables a key create import access policy on the instance. Not required if 'create_key_protect_instance' is set to false."
default = true
}
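Review bot: The `rotation_interval_month` description still promises "Must be between 1 and 12 inclusive", but the variable block, shown in full in this hunk, has no `validation` for that range, so an out-of-range value is only caught (if at all) by the downstream module; `key_protect_plan` records such delegation in a comment, this variable does not, so I would add the plan-time check below. Separately, rewording "Only used if 'create_key_protect_instance' is true" to "Not required if ... is set to false" drops the fact that the value is ignored when an existing instance is supplied, which matters for policy-like inputs such as `rotation_enabled` and `dual_auth_delete_enabled`; "Ignored if 'create_key_protect_instance' is set to false." keeps that meaning. The same wording change recurs in the hunks starting at `variable "key_create_import_access_settings"` and at `variable "resource_tags"`.
```hcl
variable "rotation_interval_month" {
  # … unchanged: type, description, default …
  validation {
    condition     = var.rotation_interval_month >= 1 && var.rotation_interval_month <= 12
    error_message = "The 'rotation_interval_month' value must be between 1 and 12 inclusive."
  }
}
```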
@@ -75,33 +75,33 @@ variable "key_create_import_access_settings" {
import_standard_key = optional(bool, true)
enforce_token = optional(bool, false)
})
- description = "Key create import access policy settings to configure if 'enable_key_create_import_access_policy' is true. Only used if 'create_key_protect_instance' is true. For more info see https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-keyCreateImportAccess"
+ description = "Key create import access policy settings to configure if 'enable_key_create_import_access_policy' is true. Not required if 'create_key_protect_instance' is set to false. For more information see https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-keyCreateImportAccess"
default = {}
}
variable "key_protect_allowed_network" {
type = string
- description = "The type of the allowed network to be set for the Key Protect instance. Possible values are 'private-only', or 'public-and-private'. Only used if 'create_key_protect_instance' is true."
+ description = "The type of the network connection that is allowed for the instance. Supported values are 'private-only', or 'public-and-private'. Not required if 'create_key_protect_instance' is set to false."
default = "public-and-private"
validation {
condition = can(regex("private-only|public-and-private", var.key_protect_allowed_network))
- error_message = "The key_protect_allowed_network value must be 'private-only' or 'public-and-private'."
+ error_message = "The 'key_protect_allowed_network' value must be set to either 'private-only' or 'public-and-private'."
}
}
variable "existing_kms_instance_crn" {
type = string
- description = "The CRN of an existing Key Protect or Hyper Protect Crypto Services instance. Required if 'create_key_protect_instance' is false."
+ description = "The CRN of an existing instance. Required if 'create_key_protect_instance' is false."
default = null
validation {
condition = !(var.create_key_protect_instance && var.existing_kms_instance_crn != null)
- error_message = "'create_key_protect_instance' cannot be true when passing a value for 'existing_kms_instance_crn'"
+ error_message = "If you provide a value for 'existing_kms_instance_crn', then 'create_key_protect_instance' cannot be set to 'true'."
}
validation {
condition = var.create_key_protect_instance || var.existing_kms_instance_crn != null
- error_message = "A value must be provided for 'existing_kms_instance_crn' when 'create_key_protect_instance' is false"
+ error_message = "If 'create_key_protect_instance' is false, then a value must be provided for 'existing_kms_instance_crn'."
}
}
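Review bot: The reworded `error_message` for `key_protect_allowed_network` now states the value must be "either 'private-only' or 'public-and-private'", but the unchanged condition above it is an unanchored `can(regex("private-only|public-and-private", ...))`, which also accepts any string that merely contains one of those substrings (e.g. a constructed value such as `"xprivate-only"`); `condition = contains(["private-only", "public-and-private"], var.key_protect_allowed_network)` enforces what the message claims. The same unanchored pattern sits under `key_ring_endpoint_type` and `key_endpoint_type` in the two following hunks, where `regex("public|private", ...)` likewise accepts anything containing either word. Also, `existing_kms_instance_crn` now reads "The CRN of an existing instance" whereas the removed text named Key Protect and Hyper Protect Crypto Services; if both remain accepted, the new wording hides a supported option, so keep "an existing Key Protect or Hyper Protect Crypto Services instance".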
@@ -125,14 +125,14 @@ variable "keys" {
})), [])
}))
}))
- description = "A list of objects which contain the key ring name, a flag indicating if this key ring already exists, and a flag to enable force deletion of the key ring. In addition, this object contains a list of keys with all of the information on the keys to be created in that key ring."
+ description = "A list of objects that contains the key ring name, a flag indicating if this key ring already exists, and a flag to enable force deletion of the key ring. In addition, this object contains a list of keys with all of the information on the keys that will be created in that key ring."
sensitive = true
default = []
}
variable "key_ring_endpoint_type" {
type = string
- description = "The type of endpoint to be used for creating key rings. Accepts 'public' or 'private'"
+ description = "The type of endpoint that you want to use to create key rings in your instance. Supported values are 'public' or 'private'."
default = "public"
validation {
condition = can(regex("public|private", var.key_ring_endpoint_type))
@@ -142,7 +142,7 @@ variable "key_ring_endpoint_type" {
variable "key_endpoint_type" {
type = string
- description = "The type of endpoint to be used for creating keys. Accepts 'public' or 'private'"
+ description = "The type of endpoint that you want to use to create keys in your instance. Supported values are 'public' or 'private'."
default = "public"
validation {
condition = can(regex("public|private", var.key_endpoint_type))
@@ -152,13 +152,13 @@ variable "key_endpoint_type" {
variable "resource_tags" {
type = list(string)
- description = "Optional list of tags to be added to the Key Protect instance. Only used if 'create_key_protect_instance' is true."
+ description = "An optional list of tags to be added to the instance. Not required if 'create_key_protect_instance' is set to false."
default = []
}
variable "access_tags" {
type = list(string)
- description = "A list of access tags to apply to the Key Protect instance created by the module. Only used if 'create_key_protect_instance' is true."
+ description = "A list of access tags that you want to apply to the instance. Not required if 'create_key_protect_instance' is set to false."
default = []
}