terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine
Secrets Manager custom credentials engine module


This module configures a custom credentials engine for a Secrets Manager instance. For more information about preparing a Secrets Manager instance for the custom credentials engine, see Preparing to create custom credentials engine.

The module handles the following components:

These components are needed in order to create a custom credentials secret in the Secrets Manager instance.

Overview

  • Reference architectures
    • Secrets Manager Custom Credential Engine
  • terraform-ibm-secrets-manager-custom-credentials-engine

Usage

module "custom_credential_engine" {
  source                        = "terraform-ibm-modules/secrets-manager-custom-credentials-engine/ibm"
  version                       = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  secrets_manager_guid          = "<secrets_manager_instance_id>"
  secrets_manager_region        = "<secrets_manager_instance_region>"
  custom_credential_engine_name = "My Custom Credentials Engine"
  endpoint_type                 = "private"
  code_engine_project_id        = "<code_engine_project_id>"
  code_engine_job_name          = "<code_engine_project_job_name>"
  code_engine_region            = "<code_engine_region>"
  task_timeout                  = "5m"
  service_id_name               = "My Service ID"
  iam_credential_secret_name    = "My Credentials Secret"
}

Required IAM access policies

You need the following permissions to run this module.

  • Account Management
    • IAM Identity services
      • Administrator platform access
      • Service ID Creator service access
    • All Identity and Access enabled services
      • Administrator platform access
  • IAM Services
    • Secrets Manager service
      • Administrator platform access
      • Manager service access

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.9.0 |
| ibm | >= 1.79.2, < 2.0.0 |
| time | >= 0.9.1, < 1.0.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| sm_iam_credential_secret | terraform-ibm-modules/iam-serviceid-apikey-secrets-manager/ibm | 1.2.0 |

Resources

| Name | Type |
|------|------|
| ibm_iam_authorization_policy.sm_ce_policy | resource |
| ibm_iam_service_id.sm_service_id | resource |
| ibm_iam_service_policy.sm_service_id_policy | resource |
| ibm_sm_custom_credentials_configuration.custom_credentials_configuration | resource |
| time_sleep.wait_for_service_id | resource |
| time_sleep.wait_for_sm_ce_authorization_policy | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| code_engine_job_name | The name of the Code Engine job used by this custom credentials configuration. | string | n/a | yes |
| code_engine_project_id | The project ID of the Code Engine project used by the custom credentials configuration. | string | n/a | yes |
| code_engine_region | The region of the Code Engine project. | string | n/a | yes |
| custom_credential_engine_name | The name of the custom credentials engine to be created. | string | n/a | yes |
| endpoint_type | The endpoint type used to communicate with the provided Secrets Manager instance. Possible values are public or private. | string | "private" | no |
| iam_credential_secret_auto_rotation_interval | The rotation interval for the rotation policy. | string | 60 | no |
| iam_credential_secret_auto_rotation_unit | The unit of time for the rotation policy. Acceptable values are day or month. | string | "day" | no |
| iam_credential_secret_group_id | The ID of the secret group in which the IAM credential secret is created. Leave the default (null) to use the default secret group. | string | null | no |
| iam_credential_secret_labels | Optional list of up to 30 labels to attach to the secret. Labels can be used to search for secrets in the Secrets Manager instance. | list(string) | [] | no |
| iam_credential_secret_name | The name of the IAM credential secret that allows the Code Engine job to pull secrets from Secrets Manager. | string | n/a | yes |
| iam_credential_secret_ttl | The validity (lease duration) of the service ID API key. Accepted values and formats are: SECONDS, Xm or Xh (where X is the number of minutes or hours, followed by m or h respectively). | string | "7776000" | no |
| secrets_manager_guid | The GUID of the Secrets Manager instance in which to create the secret engine. | string | n/a | yes |
| secrets_manager_region | The region of the Secrets Manager instance. | string | n/a | yes |
| service_id_name | The name of the service ID to be created to allow the Code Engine job to pull secrets from Secrets Manager. | string | n/a | yes |
| skip_secrets_manager_code_engine_auth_policy | Whether to skip the creation of the IAM authorization policies required between the Code Engine project and the Secrets Manager instance. If set to false, policies are created that grant the Secrets Manager instance 'Viewer' and 'Writer' access to the Code Engine project. | bool | false | no |
| task_timeout | The maximum time allowed for a Code Engine job to complete. | string | "5m" | no |
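The API key behind the IAM credential secret is both auto-rotated and given a fixed TTL, so the two inputs have to agree: the key must still be valid when the rotation policy replaces it, or the Code Engine job loses access before a new key is issued. The following pre-apply check is an added example (not code from the module) that parses the inputs above as this table defines them; it assumes a month is 30 days for the comparison and uses constructed sample values.

```python
import re

# Constructed sample inputs mirroring the module defaults (example values, not from the module).
SAMPLE_INPUTS = {
    "endpoint_type": "private",
    "iam_credential_secret_auto_rotation_interval": "60",
    "iam_credential_secret_auto_rotation_unit": "day",
    "iam_credential_secret_ttl": "7776000",
    "iam_credential_secret_labels": ["env:dev", "owner:platform"],
}

def ttl_seconds(ttl):
    """Parse iam_credential_secret_ttl: plain seconds, Xm (minutes) or Xh (hours)."""
    m = re.fullmatch(r"(\d+)([mh]?)", ttl)
    if not m:
        raise ValueError(f"bad ttl format: {ttl!r}")
    n, unit = int(m.group(1)), m.group(2)
    return n * {"": 1, "m": 60, "h": 3600}[unit]

def rotation_seconds(interval, unit):
    """Rotation interval in seconds; a month is taken as 30 days (assumption)."""
    if unit not in ("day", "month"):
        raise ValueError(f"rotation unit must be day or month, got {unit!r}")
    return int(interval) * (86400 if unit == "day" else 30 * 86400)

def check_inputs(inputs):
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems = []
    if inputs["endpoint_type"] not in ("public", "private"):
        problems.append("endpoint_type must be public or private")
    labels = inputs.get("iam_credential_secret_labels", [])
    if len(labels) > 30:
        problems.append(f"too many labels: {len(labels)} > 30")
    try:
        ttl = ttl_seconds(inputs["iam_credential_secret_ttl"])
        rot = rotation_seconds(inputs["iam_credential_secret_auto_rotation_interval"],
                               inputs["iam_credential_secret_auto_rotation_unit"])
        # Rotation must happen before the key expires, otherwise the job has a dead key.
        if rot >= ttl:
            problems.append(f"rotation interval ({rot}s) is not shorter than key ttl ({ttl}s)")
    except ValueError as e:
        problems.append(str(e))
    return problems

if __name__ == "__main__":
    print(check_inputs(SAMPLE_INPUTS) or "inputs look consistent")
```

With the defaults (60-day rotation, 7776000-second TTL) the check passes; a 24h TTL against the same rotation policy is reported.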

Outputs

| Name | Description |
|------|-------------|
| code_engine_key_ref | The IAM API key used by the credentials system to access the Secrets Manager instance. |
| custom_config_engine_id | The unique identifier of the engine created. |
| custom_config_engine_name | The name of the engine created. |
| secrets_manager_custom_credentials_configuration_schema | The schema that defines the format of the input and output parameters. |

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.
