16 changes: 12 additions & 4 deletions .secrets.baseline
Expand Up @@ -3,7 +3,7 @@
"files": "go.sum|^.secrets.baseline$",
"lines": null
},
"generated_at": "2025-05-14T08:56:32Z",
"generated_at": "2025-05-19T21:33:07Z",
"plugins_used": [
{
"name": "AWSKeyDetector"
Expand Down Expand Up @@ -100,15 +100,23 @@
"hashed_secret": "a67ef662b9a11a96b15936764d77e118c9f155dd",
"is_secret": false,
"is_verified": false,
"line_number": 58,
"line_number": 60,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "6aa42ddb8d86de967d322e6fdde293bf1344c852",
"is_secret": false,
"is_verified": false,
"line_number": 72,
"line_number": 73,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "9ceaacf8f9b3c35bd235b307d91a5bf7cff2c669",
"is_secret": false,
"is_verified": false,
"line_number": 81,
"type": "Secret Keyword",
"verified_result": null
}
Expand Down Expand Up @@ -136,7 +144,7 @@
"hashed_secret": "fa501f2ceec739604d621b521446b88d41a7f76b",
"is_secret": false,
"is_verified": false,
"line_number": 81,
"line_number": 80,
"type": "Secret Keyword",
"verified_result": null
}
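Review bot: The new entry with `hashed_secret` `9ceaacf8f9b3c35bd235b307d91a5bf7cff2c669` allowlists a "Secret Keyword" finding at `line_number: 81` of a file whose name sits outside this hunk, with `is_secret: false` and `is_verified: false`; once merged that hash is suppressed from every future scan, so the PR should state which line it corresponds to (presumably the new `${var.prefix}-template` local or a README default rather than a credential). The `is_secret` field is meant to record an audit decision (`detect-secrets audit .secrets.baseline`), so confirm the entry came from an audit run rather than a hand edit. The three `line_number` shifts and the `generated_at` refresh are just a re-scan and need no action.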
12 changes: 3 additions & 9 deletions ibm_catalog.json
Expand Up @@ -349,9 +349,6 @@
],
"custom_config": {}
},
{
"key": "certificate_template_name"
},
{
"key": "IC_SCHEMATICS_WORKSPACE_ID",
"hidden": true
Expand Down Expand Up @@ -560,7 +557,7 @@
{
"diagram": {
"caption": "Power Virtual Server with VPC landing zone 'Standard Landscape' variation",
"url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v8.4.2/reference-architectures/standard/deploy-arch-ibm-pvs-inf-standard.svg",
"url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v8.4.3/reference-architectures/standard/deploy-arch-ibm-pvs-inf-standard.svg",
"type": "image/svg+xml"
},
"description": "The Power Virtual Server with VPC landing zone as variation 'Create a new architecture' deploys VPC services and a Power Virtual Server workspace and interconnects them.\n \nRequired and optional management components are configured."
Expand Down Expand Up @@ -1004,9 +1001,6 @@
],
"custom_config": {}
},
{
"key": "certificate_template_name"
},
{
"key": "IC_SCHEMATICS_WORKSPACE_ID",
"hidden": true
Expand Down Expand Up @@ -1221,7 +1215,7 @@
{
"diagram": {
"caption": "Power Virtual Server with VPC landing zone 'Quickstart' variation",
"url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v8.4.2/reference-architectures/standard-plus-vsi/deploy-arch-ibm-pvs-inf-standard-plus-vsi.svg",
"url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v8.4.3/reference-architectures/standard-plus-vsi/deploy-arch-ibm-pvs-inf-standard-plus-vsi.svg",
"type": "image/svg+xml"
},
"description": "The Power Virtual Server with VPC landing zone as 'Quickstart' variation of 'Create a new architecture' option deploys VPC services and a Power Virtual Server workspace and interconnects them. It also creates one Power virtual server instance of chosen t-shirt size or custom configuration.\n \nRequired and optional management components are configured."
Expand Down Expand Up @@ -1548,7 +1542,7 @@
{
"diagram": {
"caption": "Power Virtual Server with VPC landing zone 'Extend Standard Landscape' variation",
"url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v8.4.2/reference-architectures/standard-extend/deploy-arch-ibm-pvs-inf-standard-extend.svg",
"url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-powervs-infrastructure/refs/tags/v8.4.3/reference-architectures/standard-extend/deploy-arch-ibm-pvs-inf-standard-extend.svg",
"type": "image/svg+xml"
},
"description": "The Power Virtual Server with VPC landing zone as variation 'Extend Power Virtual Server with VPC landing zone' creates an additional Power Virtual Server workspace and connects it with already created Power Virtual Server with VPC landing zone. It builds on existing Power Virtual Server with VPC landing zone deployed as a variation 'Create a new architecture'."
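Review bot: The `{ "key": "certificate_template_name" }` entry is dropped from two variations' configuration lists (the hunks at -349 and -1004), but the third variation, 'Extend Standard Landscape', only shows its diagram hunk here; if its configuration list also carried the key it is now a catalog input with no matching module variable and should be removed in the same commit. Removing a previously accepted input is a breaking change for deployments that set it against an existing Secrets Manager instance, so the release notes should say the template is now named `<prefix>-template` by the module. The diagram URLs move from `v8.4.2` to `v8.4.3`; the SVGs resolve at view time, so that tag must exist before the catalog version is published.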
36 changes: 19 additions & 17 deletions modules/powervs-vpc-landing-zone/README.md
Expand Up @@ -52,30 +52,33 @@ module "powervs-vpc-landing-zone" {
providers = { ibm.ibm-is = ibm.ibm-is, ibm.ibm-pi = ibm.ibm-pi }

powervs_zone = var.powervs_zone
powervs_resource_group_name = var.powervs_resource_group_name
prefix = var.prefix
external_access_ip = var.external_access_ip
vpc_intel_images = var.vpc_intel_images
ssh_public_key = var.ssh_public_key
ssh_private_key = var.ssh_private_key
client_to_site_vpn = var.client_to_site_vpn #(optional. default check vars)
transit_gateway_global = var.transit_gateway_global #(optional, default false)
network_services_vsi_profile = var.network_services_vsi_profile #(optional. default check vars)
configure_dns_forwarder = var.configure_dns_forwarder #(optional, default false)
configure_ntp_forwarder = var.configure_ntp_forwarder #(optional, default false)
configure_nfs_server = var.configure_nfs_server #(optional. default false)
nfs_server_config = var.nfs_server_config #(optional. default check vars)
dns_forwarder_config = var.dns_forwarder_config #(optional. default check vars)
powervs_resource_group_name = var.powervs_resource_group_name #(optional. default check vars)
nfs_server_config = var.nfs_server_config #(optional. default check vars)
powervs_management_network = var.powervs_management_network #(optional. default check vars)
powervs_backup_network = var.powervs_backup_network #(optional. default check vars)
tags = var.tags #(optional. default check vars)
sm_service_plan = var.sm_service_plan
powervs_custom_images = var.powervs_custom_images #(optional, default null)
powervs_custom_image_cos_configuration = var.powervs_custom_image_cos_configuration #(optional, default null)
powervs_custom_image_cos_service_credentials = var.powervs_custom_image_cos_service_credentials #(optional, default null)
existing_sm_instance_guid = var.existing_sm_instance_guid #(optional. default check vars)
existing_sm_instance_region = var.existing_sm_instance_region #(optional. default check vars)
certificate_template_name = var.certificate_template_name #(optional. default check vars)
network_services_vsi_profile = var.network_services_vsi_profile #(optional. default check vars)
enable_monitoring = var.enable_monitoring #(optional. default true)
tags = var.tags #(optional. default [])
powervs_custom_images = var.powervs_custom_images #(optional, default null)
powervs_custom_image_cos_configuration = var.powervs_custom_image_cos_configuration #(optional, default null)
powervs_custom_image_cos_service_credentials = var.powervs_custom_image_cos_service_credentials #(optional, default null)
client_to_site_vpn = var.client_to_site_vpn #(optional. default check vars)
sm_service_plan = var.sm_service_plan #(optional. default standard)
existing_sm_instance_guid = var.existing_sm_instance_guid #(optional. default null)
existing_sm_instance_region = var.existing_sm_instance_region #(optional. default null)
enable_monitoring = var.enable_monitoring #(optional. default false)
existing_monitoring_instance_crn = var.existing_monitoring_instance_crn #(optional. default null)
enable_scc_wp = var.enable_scc_wp #(optional. default false)
ansible_vault_password = var.ansible_vault_password #(optional. default null)
}
```

Expand Down Expand Up @@ -130,16 +133,15 @@ Creates VPC Landing Zone | Performs VPC VSI OS Config | Creates PowerVS Infrastr
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_ansible_vault_password"></a> [ansible\_vault\_password](#input\_ansible\_vault\_password) | Vault password to encrypt ansible playbooks that contain sensitive information. Required when SCC workload Protection is enabled. Password requirements: 15-100 characters and at least one uppercase letter, one lowercase letter, one number, and one special character. Allowed characters: A-Z, a-z, 0-9, !#$%&()*+-.:;<=>?@[]\_{\|}~. | `string` | `null` | no |
| <a name="input_certificate_template_name"></a> [certificate\_template\_name](#input\_certificate\_template\_name) | The name of the Certificate Template to create for a private\_cert secret engine. When `var.existing_sm_instance_guid` is not null, then it has to be the existing template name that exists in the private cert engine. | `string` | `"my-template"` | no |
| <a name="input_client_to_site_vpn"></a> [client\_to\_site\_vpn](#input\_client\_to\_site\_vpn) | VPN configuration - the client ip pool and list of users email ids to access the environment. If enabled, then a Secret Manager instance is also provisioned with certificates generated. See optional parameters to reuse existing certificate from secrets manager instance. | <pre>object({<br/> enable = bool<br/> client_ip_pool = string<br/> vpn_client_access_group_users = list(string)<br/> })</pre> | <pre>{<br/> "client_ip_pool": "192.168.0.0/16",<br/> "enable": true,<br/> "vpn_client_access_group_users": []<br/>}</pre> | no |
| <a name="input_client_to_site_vpn"></a> [client\_to\_site\_vpn](#input\_client\_to\_site\_vpn) | VPN configuration - the client ip pool and list of users email ids to access the environment. If enabled, then a Secret Manager instance is also provisioned with certificates generated. See optional parameters to reuse an existing Secrets manager instance. | <pre>object({<br/> enable = bool<br/> client_ip_pool = string<br/> vpn_client_access_group_users = list(string)<br/> })</pre> | <pre>{<br/> "client_ip_pool": "192.168.0.0/16",<br/> "enable": false,<br/> "vpn_client_access_group_users": []<br/>}</pre> | no |
| <a name="input_configure_dns_forwarder"></a> [configure\_dns\_forwarder](#input\_configure\_dns\_forwarder) | Specify if DNS forwarder will be configured. This will allow you to use central DNS servers (e.g. IBM Cloud DNS servers) sitting outside of the created IBM PowerVS infrastructure. If yes, ensure 'dns\_forwarder\_config' optional variable is set properly. DNS forwarder will be installed on the network-services vsi. | `bool` | `false` | no |
| <a name="input_configure_nfs_server"></a> [configure\_nfs\_server](#input\_configure\_nfs\_server) | Specify if NFS server will be configured. This will allow you easily to share files between PowerVS instances (e.g., SAP installation files). [File storage share and mount target](https://cloud.ibm.com/docs/vpc?topic=vpc-file-storage-create&interface=ui) in VPC will be created.. If yes, ensure 'nfs\_server\_config' optional variable is set properly below. Default value is '200GB' which will be mounted on specified directory in network-service vsi. | `bool` | `false` | no |
| <a name="input_configure_ntp_forwarder"></a> [configure\_ntp\_forwarder](#input\_configure\_ntp\_forwarder) | Specify if NTP forwarder will be configured. This will allow you to synchronize time between IBM PowerVS instances. NTP forwarder will be installed on the network-services vsi. | `bool` | `false` | no |
| <a name="input_dns_forwarder_config"></a> [dns\_forwarder\_config](#input\_dns\_forwarder\_config) | Configuration for the DNS forwarder to a DNS service that is not reachable directly from PowerVS. | <pre>object({<br/> dns_servers = string<br/> })</pre> | <pre>{<br/> "dns_servers": "161.26.0.7; 161.26.0.8; 9.9.9.9;"<br/>}</pre> | no |
| <a name="input_enable_monitoring"></a> [enable\_monitoring](#input\_enable\_monitoring) | Specify whether Monitoring will be enabled. This includes the creation of an IBM Cloud Monitoring Instance and an Intel Monitoring Instance to host the services. If you already have an existing monitoring instance then specify in optional parameter 'existing\_monitoring\_instance\_crn'. | `bool` | `true` | no |
| <a name="input_enable_monitoring"></a> [enable\_monitoring](#input\_enable\_monitoring) | Specify whether Monitoring will be enabled. This includes the creation of an IBM Cloud Monitoring Instance and an Intel Monitoring Instance to host the services. If you already have an existing monitoring instance then specify in optional parameter 'existing\_monitoring\_instance\_crn'. | `bool` | `false` | no |
| <a name="input_enable_scc_wp"></a> [enable\_scc\_wp](#input\_enable\_scc\_wp) | Set to true to enable SCC Workload Protection and install and configure the SCC Workload Protection agent on all VSIs and PowerVS instances in this deployment. | `bool` | `false` | no |
| <a name="input_existing_monitoring_instance_crn"></a> [existing\_monitoring\_instance\_crn](#input\_existing\_monitoring\_instance\_crn) | Existing CRN of IBM Cloud Monitoring Instance. If value is null, then an IBM Cloud Monitoring Instance will not be created but an intel VSI instance will be created if 'enable\_monitoring' is true. | `string` | `null` | no |
| <a name="input_existing_sm_instance_guid"></a> [existing\_sm\_instance\_guid](#input\_existing\_sm\_instance\_guid) | An existing Secrets Manager GUID. The existing Secret Manager instance must have private certificate engine configured. If not provided an new instance will be provisioned. | `string` | `null` | no |
| <a name="input_existing_sm_instance_guid"></a> [existing\_sm\_instance\_guid](#input\_existing\_sm\_instance\_guid) | An existing Secrets Manager GUID. If not provided a new instance will be provisioned. | `string` | `null` | no |
| <a name="input_existing_sm_instance_region"></a> [existing\_sm\_instance\_region](#input\_existing\_sm\_instance\_region) | Required if value is passed into `var.existing_sm_instance_guid`. | `string` | `null` | no |
| <a name="input_external_access_ip"></a> [external\_access\_ip](#input\_external\_access\_ip) | Specify the source IP address or CIDR for login through SSH to the environment after deployment. Access to the environment will be allowed only from this IP address. Can be set to 'null' if you choose to use client to site vpn. | `string` | n/a | yes |
| <a name="input_network_services_vsi_profile"></a> [network\_services\_vsi\_profile](#input\_network\_services\_vsi\_profile) | Compute profile configuration of the network services vsi (cpu and memory configuration). Must be one of the supported profiles. See [here](https://cloud.ibm.com/docs/vpc?topic=vpc-profiles&interface=ui). | `string` | `"cx2-2x4"` | no |
11 changes: 6 additions & 5 deletions modules/powervs-vpc-landing-zone/client2sitevpn.tf
Expand Up @@ -11,8 +11,9 @@

locals {

sm_guid = var.client_to_site_vpn.enable && var.existing_sm_instance_guid == null ? ibm_resource_instance.secrets_manager[0].guid : var.existing_sm_instance_guid
sm_region = var.client_to_site_vpn.enable && var.existing_sm_instance_region == null ? lookup(local.ibm_powervs_zone_cloud_region_map, var.powervs_zone, null) : var.existing_sm_instance_region
sm_guid = var.client_to_site_vpn.enable && var.existing_sm_instance_guid == null ? ibm_resource_instance.secrets_manager[0].guid : var.existing_sm_instance_guid
sm_region = var.client_to_site_vpn.enable && var.existing_sm_instance_region == null ? lookup(local.ibm_powervs_zone_cloud_region_map, var.powervs_zone, null) : var.existing_sm_instance_region
certificate_template_name = "${var.prefix}-template"

root_ca_name = "${var.prefix}-root-ca"
root_ca_common_name = "example.com"
Expand Down Expand Up @@ -78,7 +79,7 @@ module "private_secret_engine" {
source = "terraform-ibm-modules/secrets-manager-private-cert-engine/ibm"
version = "1.5.1"
providers = { ibm = ibm.ibm-sm }
count = var.client_to_site_vpn.enable && var.existing_sm_instance_guid == null ? 1 : 0
count = var.client_to_site_vpn.enable ? 1 : 0
depends_on = [ibm_resource_instance.secrets_manager]

secrets_manager_guid = local.sm_guid
Expand All @@ -87,7 +88,7 @@ module "private_secret_engine" {
root_ca_common_name = local.root_ca_common_name
root_ca_max_ttl = "8760h"
intermediate_ca_name = local.intermediate_ca_name
certificate_template_name = var.certificate_template_name
certificate_template_name = local.certificate_template_name
}

# Create a secret group to place the certificate in
Expand Down Expand Up @@ -115,7 +116,7 @@ module "secrets_manager_private_certificate" {

cert_name = "${var.prefix}-cts-vpn-private-cert"
cert_description = "an example private cert"
cert_template = var.certificate_template_name
cert_template = local.certificate_template_name
cert_secrets_group_id = module.secrets_manager_group[0].secret_group_id
cert_common_name = local.cert_common_name
secrets_manager_guid = local.sm_guid
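Review bot: With `count = var.client_to_site_vpn.enable ? 1 : 0` on `module "private_secret_engine"`, the root CA (`root_ca_common_name = "example.com"`), intermediate CA and certificate template are now created inside a caller-supplied Secrets Manager instance whenever `existing_sm_instance_guid` is set, and `terraform destroy` will remove them from an instance this module does not own; nothing in the hunk handles the case where `${var.prefix}-root-ca`, the intermediate CA or `${var.prefix}-template` already exist there, so a second deployment with the same prefix into the same instance will presumably fail at apply (the `root_ca_name` input appears to be in the lines folded between the two hunks). The README row for `existing_sm_instance_guid` in this PR drops the "must have private certificate engine configured" requirement without saying the module now creates one, so I would add above the module block `# Creates a private cert engine (CAs + template named from var.prefix) in the new or the existing SM instance; it is deleted on destroy.` and the same sentence in the variable description. The new `local.certificate_template_name` also replaces a user-settable variable, so a consumer who previously pointed the module at an existing template in an existing instance can no longer do so and this should be called out as a breaking change.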