fix: added a new attribute service_endpoints to the key_management object to address issue where service_endpoints variable value was not being used for Key Protect (#723)

Author: MatthewLemmond

README.md

@@ -908,13 +908,13 @@ module "cluster_pattern" {
 | <a name="input_enable_transit_gateway"></a> [enable\_transit\_gateway](#input\_enable\_transit\_gateway) | Create transit gateway | `bool` | `true` | no |
 | <a name="input_f5_template_data"></a> [f5\_template\_data](#input\_f5\_template\_data) | Data for all f5 templates | <pre>object({<br>    tmos_admin_password     = optional(string)<br>    license_type            = optional(string)<br>    byol_license_basekey    = optional(string)<br>    license_host            = optional(string)<br>    license_username        = optional(string)<br>    license_password        = optional(string)<br>    license_pool            = optional(string)<br>    license_sku_keyword_1   = optional(string)<br>    license_sku_keyword_2   = optional(string)<br>    license_unit_of_measure = optional(string)<br>    do_declaration_url      = optional(string)<br>    as3_declaration_url     = optional(string)<br>    ts_declaration_url      = optional(string)<br>    phone_home_url          = optional(string)<br>    template_source         = optional(string)<br>    template_version        = optional(string)<br>    app_id                  = optional(string)<br>    tgactive_url            = optional(string)<br>    tgstandby_url           = optional(string)<br>    tgrefresh_url           = optional(string)<br>  })</pre> | <pre>{<br>  "license_type": "none"<br>}</pre> | no |
 | <a name="input_f5_vsi"></a> [f5\_vsi](#input\_f5\_vsi) | A list describing F5 VSI workloads to create | <pre>list(<br>    object({<br>      name                   = string<br>      vpc_name               = string<br>      primary_subnet_name    = string<br>      secondary_subnet_names = list(string)<br>      secondary_subnet_security_group_names = list(<br>        object({<br>          group_name     = string<br>          interface_name = string<br>        })<br>      )<br>      ssh_keys                        = list(string)<br>      f5_image_name                   = string<br>      machine_type                    = string<br>      resource_group                  = optional(string)<br>      enable_management_floating_ip   = optional(bool)<br>      enable_external_floating_ip     = optional(bool)<br>      security_groups                 = optional(list(string))<br>      boot_volume_encryption_key_name = optional(string)<br>      hostname                        = string<br>      domain                          = string<br>      access_tags                     = optional(list(string), [])<br>      security_group = optional(<br>        object({<br>          name = string<br>          rules = list(<br>            object({<br>              name      = string<br>              direction = string<br>              source    = string<br>              tcp = optional(<br>                object({<br>                  port_max = number<br>                  port_min = number<br>                })<br>              )<br>              udp = optional(<br>                object({<br>                  port_max = number<br>                  port_min = number<br>                })<br>              )<br>              icmp = optional(<br>                object({<br>                  type = number<br>                  code = number<br>                })<br>              )<br>            })<br>          )<br>        })<br>      )<br>      block_storage_volumes = optional(list(<br>        object({<br>          name           = string<br>          profile        = string<br>          capacity       = optional(number)<br>          iops           = optional(number)<br>          encryption_key = optional(string)<br>        })<br>      ))<br>      load_balancers = optional(list(<br>        object({<br>          name                    = string<br>          type                    = string<br>          listener_port           = number<br>          listener_protocol       = string<br>          connection_limit        = number<br>          algorithm               = string<br>          protocol                = string<br>          health_delay            = number<br>          health_retries          = number<br>          health_timeout          = number<br>          health_type             = string<br>          pool_member_port        = string<br>          idle_connection_timeout = optional(number)<br>          security_group = optional(<br>            object({<br>              name = string<br>              rules = list(<br>                object({<br>                  name      = string<br>                  direction = string<br>                  source    = string<br>                  tcp = optional(<br>                    object({<br>                      port_max = number<br>                      port_min = number<br>                    })<br>                  )<br>                  udp = optional(<br>                    object({<br>                      port_max = number<br>                      port_min = number<br>                    })<br>                  )<br>                  icmp = optional(<br>                    object({<br>                      type = number<br>                      code = number<br>                    })<br>                  )<br>                })<br>              )<br>            })<br>          )<br>        })<br>      ))<br>    })<br>  )</pre> | `[]` | no |
-| <a name="input_key_management"></a> [key\_management](#input\_key\_management) | Key Protect instance variables | <pre>object({<br>    name           = optional(string)<br>    resource_group = optional(string)<br>    use_data       = optional(bool)<br>    use_hs_crypto  = optional(bool)<br>    access_tags    = optional(list(string), [])<br>    keys = optional(<br>      list(<br>        object({<br>          name             = string<br>          root_key         = optional(bool)<br>          payload          = optional(string)<br>          key_ring         = optional(string) # Any key_ring added will be created<br>          force_delete     = optional(bool)<br>          existing_key_crn = optional(string) # CRN of an existing key in the same or different account.<br>          endpoint         = optional(string) # can be public or private<br>          iv_value         = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.<br>          encrypted_nonce  = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.<br>          policies = optional(<br>            object({<br>              rotation = optional(<br>                object({<br>                  interval_month = number<br>                })<br>              )<br>              dual_auth_delete = optional(<br>                object({<br>                  enabled = bool<br>                })<br>              )<br>            })<br>          )<br>        })<br>      )<br>    )<br>  })</pre> | n/a | yes |
+| <a name="input_key_management"></a> [key\_management](#input\_key\_management) | Key Protect instance variables | <pre>object({<br>    name              = optional(string)<br>    resource_group    = optional(string)<br>    use_data          = optional(bool)<br>    use_hs_crypto     = optional(bool)<br>    access_tags       = optional(list(string), [])<br>    service_endpoints = optional(string, "public-and-private")<br>    keys = optional(<br>      list(<br>        object({<br>          name             = string<br>          root_key         = optional(bool)<br>          payload          = optional(string)<br>          key_ring         = optional(string) # Any key_ring added will be created<br>          force_delete     = optional(bool)<br>          existing_key_crn = optional(string) # CRN of an existing key in the same or different account.<br>          endpoint         = optional(string) # can be public or private<br>          iv_value         = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.<br>          encrypted_nonce  = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.<br>          policies = optional(<br>            object({<br>              rotation = optional(<br>                object({<br>                  interval_month = number<br>                })<br>              )<br>              dual_auth_delete = optional(<br>                object({<br>                  enabled = bool<br>                })<br>              )<br>            })<br>          )<br>        })<br>      )<br>    )<br>  })</pre> | n/a | yes |
 | <a name="input_network_cidr"></a> [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | A unique identifier for resources. Must begin with a letter and end with a letter or number. This prefix will be prepended to any resources provisioned by this template. Prefixes must be 16 or fewer characters. | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | Region where VPC will be created. To find your VPC region, use `ibmcloud is regions` command to find available regions. | `string` | n/a | yes |
 | <a name="input_resource_groups"></a> [resource\_groups](#input\_resource\_groups) | Object describing resource groups to create or reference | <pre>list(<br>    object({<br>      name       = string<br>      create     = optional(bool)<br>      use_prefix = optional(bool)<br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | Security groups for VPC | <pre>list(<br>    object({<br>      name           = string<br>      vpc_name       = string<br>      resource_group = optional(string)<br>      access_tags    = optional(list(string), [])<br>      rules = list(<br>        object({<br>          name      = string<br>          direction = string<br>          source    = string<br>          tcp = optional(<br>            object({<br>              port_max = number<br>              port_min = number<br>            })<br>          )<br>          udp = optional(<br>            object({<br>              port_max = number<br>              port_min = number<br>            })<br>          )<br>          icmp = optional(<br>            object({<br>              type = number<br>              code = number<br>            })<br>          )<br>        })<br>      )<br>    })<br>  )</pre> | `[]` | no |
-| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Service endpoints. Can be `public`, `private`, or `public-and-private` | `string` | `"public-and-private"` | no |
+| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Service endpoints for the App ID resource when created by the module. Can be `public`, `private`, or `public-and-private` | `string` | `"public-and-private"` | no |
 | <a name="input_skip_all_s2s_auth_policies"></a> [skip\_all\_s2s\_auth\_policies](#input\_skip\_all\_s2s\_auth\_policies) | Whether to skip the creation of all of the service-to-service authorization policies. If setting to true, policies must be in place on the account before provisioning. | `bool` | `false` | no |
 | <a name="input_skip_kms_block_storage_s2s_auth_policy"></a> [skip\_kms\_block\_storage\_s2s\_auth\_policy](#input\_skip\_kms\_block\_storage\_s2s\_auth\_policy) | Whether to skip the creation of a service-to-service authorization policy between block storage and the key management service. | `bool` | `false` | no |
 | <a name="input_ssh_keys"></a> [ssh\_keys](#input\_ssh\_keys) | SSH keys to use to provision a VSI. Must be an RSA key with a key size of either 2048 bits or 4096 bits (recommended). If `public_key` is not provided, the named key will be looked up from data. If a resource group name is added, it must be included in `var.resource_groups`. See https://cloud.ibm.com/docs/vpc?topic=vpc-ssh-keys. | <pre>list(<br>    object({<br>      name           = string<br>      public_key     = optional(string)<br>      resource_group = optional(string)<br>    })<br>  )</pre> | n/a | yes |

examples/one-vpc-one-vsi/override.json

@@ -77,7 +77,8 @@
     ],
     "name": "slz-kms",
     "resource_group": "slz-service-rg",
-    "use_hs_crypto": false
+    "use_hs_crypto": false,
+    "service_endpoints": "public-and-private"
   },
   "resource_groups": [
     {

examples/override-example/override.json

@@ -177,7 +177,8 @@
     ],
     "name": "slz-kms",
     "resource_group": "slz-service-rg",
-    "use_hs_crypto": false
+    "use_hs_crypto": false,
+    "service_endpoints": "public-and-private"
   },
   "resource_groups": [
     {

kms/main.tf

@@ -8,6 +8,7 @@ locals {
   keys                = module.dynamic_values.keys
   key_rings           = module.dynamic_values.key_rings
   policies            = module.dynamic_values.policies
+  service_endpoints   = var.key_management.service_endpoints == "private" ? "private-only" : "public-and-private"
 }
 
 ##############################################################################
@@ -26,7 +27,7 @@ resource "ibm_resource_instance" "kms" {
   resource_group_id = var.key_management.resource_group_id
   tags              = var.key_management.tags
   parameters = {
-    allowed_network : var.service_endpoints
+    allowed_network : local.service_endpoints
   }
 }
 

kms/variables.tf

@@ -23,6 +23,7 @@ variable "key_management" {
     resource_group_id = optional(string)
     tags              = list(string)
     access_tags       = optional(list(string), [])
+    service_endpoints = optional(string)
   })
 }
 
@@ -83,14 +84,4 @@ variable "keys" {
   }
 }
 
-variable "service_endpoints" {
-  description = "Service endpoints. Can be `public`, `private`, or `public-and-private`"
-  type        = string
-  default     = "public-and-private"
-
-  validation {
-    error_message = "Service endpoints can only be `public`, `private`, or `public-and-private`."
-    condition     = contains(["public", "private", "public-and-private"], var.service_endpoints)
-  }
-}
 ##############################################################################

patterns/mixed/override.json

@@ -160,7 +160,8 @@
         ],
         "name": "slz-slz-kms",
         "resource_group": "slz-service-rg",
-        "use_hs_crypto": false
+        "use_hs_crypto": false,
+        "service_endpoints": "public-and-private"
     },
     "resource_groups": [
         {

patterns/roks/override.json

@@ -194,7 +194,8 @@
         ],
         "name": "slz-slz-kms",
         "resource_group": "slz-service-rg",
-        "use_hs_crypto": false
+        "use_hs_crypto": false,
+        "service_endpoints": "public-and-private"
     },
     "resource_groups": [
         {

patterns/vpc/override.json

@@ -120,7 +120,8 @@
         ],
         "name": "slz-slz-kms",
         "resource_group": "slz-service-rg",
-        "use_hs_crypto": false
+        "use_hs_crypto": false,
+        "service_endpoints": "public-and-private"
     },
     "resource_groups": [
         {

patterns/vsi/override.json

@@ -120,7 +120,8 @@
         ],
         "name": "slz-slz-kms",
         "resource_group": "slz-service-rg",
-        "use_hs_crypto": false
+        "use_hs_crypto": false,
+        "service_endpoints": "public-and-private"
     },
     "resource_groups": [
         {

services.tf

@@ -11,6 +11,7 @@ module "key_management" {
     use_data          = var.key_management.use_data
     use_hs_crypto     = var.key_management.use_hs_crypto
     tags              = var.tags
+    service_endpoints = var.key_management.service_endpoints
   }
   keys = var.key_management.keys == null ? [] : var.key_management.keys
 }