From eab9adae577c397eb6233de6c10fa4772f61b5f4 Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Tue, 12 Aug 2025 14:41:02 +0530 Subject: [PATCH 01/27] feat:custom credential engine --- .secrets.baseline | 4 +- README.md | 28 ++-- examples/advanced/README.md | 4 - examples/advanced/main.tf | 32 ----- examples/advanced/outputs.tf | 38 ------ examples/advanced/provider.tf | 8 -- examples/basic/main.tf | 31 ----- examples/basic/outputs.tf | 38 ------ examples/basic/variables.tf | 39 ------ examples/basic/version.tf | 16 --- examples/{basic => complete}/README.md | 0 examples/complete/main.tf | 121 ++++++++++++++++++ examples/complete/outputs.tf | 24 ++++ examples/{basic => complete}/provider.tf | 0 examples/{advanced => complete}/variables.tf | 10 +- examples/{advanced => complete}/version.tf | 6 +- main.tf | 26 ++-- outputs.tf | 32 ++--- solutions/fully-configurable/README.md | 3 + .../catalogValidationValues.json.template | 5 + solutions/fully-configurable/main.tf | 43 +++++++ solutions/fully-configurable/outputs.tf | 20 +++ solutions/fully-configurable/provider.tf | 6 + solutions/fully-configurable/variables.tf | 93 ++++++++++++++ solutions/fully-configurable/version.tf | 9 ++ variables.tf | 55 +++++--- version.tf | 10 +- 27 files changed, 414 insertions(+), 287 deletions(-) delete mode 100644 examples/advanced/README.md delete mode 100644 examples/advanced/main.tf delete mode 100644 examples/advanced/outputs.tf delete mode 100644 examples/advanced/provider.tf delete mode 100644 examples/basic/main.tf delete mode 100644 examples/basic/outputs.tf delete mode 100644 examples/basic/variables.tf delete mode 100644 examples/basic/version.tf rename examples/{basic => complete}/README.md (100%) create mode 100644 examples/complete/main.tf create mode 100644 examples/complete/outputs.tf rename examples/{basic => complete}/provider.tf (100%) rename examples/{advanced => complete}/variables.tf (69%) rename examples/{advanced => complete}/version.tf (77%) create mode 100644 solutions/fully-configurable/README.md create mode 100644 solutions/fully-configurable/catalogValidationValues.json.template create mode 100644 solutions/fully-configurable/main.tf create mode 100644 solutions/fully-configurable/outputs.tf create mode 100644 solutions/fully-configurable/provider.tf create mode 100644 solutions/fully-configurable/variables.tf create mode 100644 solutions/fully-configurable/version.tf diff --git a/.secrets.baseline b/.secrets.baseline index 0a4efa4..a14d8aa 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2024-11-22T17:36:38Z", + "generated_at": "2025-08-12T09:08:09Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -82,7 +82,7 @@ "hashed_secret": "ff9ee043d85595eb255c05dfe32ece02a53efbb2", "is_secret": false, "is_verified": false, - "line_number": 74, + "line_number": 73, "type": "Secret Keyword", "verified_result": null } diff --git a/README.md b/README.md index a5b9d3f..665e408 100644 --- a/README.md +++ b/README.md @@ -28,8 +28,7 @@ TODO: Replace this with a description of the modules in this repo. ## Overview * [terraform-ibm-secrets-manager-custom-credentials-engine](#terraform-ibm-secrets-manager-custom-credentials-engine) * [Examples](./examples) - * [Advanced example](./examples/advanced) - * [Basic example](./examples/basic) + * [Basic example](./examples/complete) * [Contributing](#contributing) @@ -123,7 +122,7 @@ statement instead the previous block. | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.9.0 | -| [ibm](#requirement\_ibm) | >= 1.71.2, < 2.0.0 | +| [ibm](#requirement\_ibm) | >= 1.79.2, < 2.0.0 | ### Modules @@ -133,25 +132,30 @@ No modules. | Name | Type | |------|------| -| [ibm_resource_instance.cos_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource | +| [ibm_sm_custom_credentials_configuration.custom_credentials_configuration_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_custom_credentials_configuration) | resource | ### Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [name](#input\_name) | A descriptive name used to identify the resource instance. | `string` | n/a | yes | -| [plan](#input\_plan) | The name of the plan type supported by service. | `string` | `"standard"` | no | -| [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group where you want to create the service. | `string` | n/a | yes | -| [resource\_tags](#input\_resource\_tags) | List of resource tag to associate with the instance. | `list(string)` | `[]` | no | +| [code\_engine\_job\_name](#input\_code\_engine\_job\_name) | The code engine job name used by this custom credentials configuration. | `string` | n/a | yes | +| [code\_engine\_project\_id](#input\_code\_engine\_project\_id) | The Project ID of the code engine project used by the custom credentials configuration. | `string` | n/a | yes | +| [code\_engine\_region](#input\_code\_engine\_region) | The region of the code engine project. | `string` | n/a | yes | +| [custom\_credential\_engine\_name](#input\_custom\_credential\_engine\_name) | The name of the custom credentials engine to be created. | `string` | n/a | yes | +| [endpoint\_type](#input\_endpoint\_type) | The endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private`. | `string` | `"public"` | no | +| [iam\_credentials\_secret\_id](#input\_iam\_credentials\_secret\_id) | The IAM credentials secret ID that is used for setting up a custom credentials secret configuration. | `string` | n/a | yes | +| [secrets\_manager\_guid](#input\_secrets\_manager\_guid) | GUID of secrets manager instance to create the secret engine in. | `string` | n/a | yes | +| [sm\_region](#input\_sm\_region) | The region of the secrets manager instance. | `string` | n/a | yes | +| [task\_timeout](#input\_task\_timeout) | The maximum allowed time for a code engine job to be completed. | `string` | n/a | yes | ### Outputs | Name | Description | |------|-------------| -| [account\_id](#output\_account\_id) | An alpha-numeric value identifying the account ID. | -| [crn](#output\_crn) | The CRN of the resource instance. | -| [guid](#output\_guid) | The GUID of the resource instance. | -| [id](#output\_id) | The unique identifier of the resource instance. | +| [code\_engine\_key\_ref](#output\_code\_engine\_key\_ref) | The IAM API key used by the credentials system to access the secrets manager instance. | +| [custom\_config\_engine\_id](#output\_custom\_config\_engine\_id) | The unique identifier of the engine created. | +| [custom\_config\_engine\_name](#output\_custom\_config\_engine\_name) | The name of the engine created. | +| [sm\_custom\_credentials\_configuration\_schema](#output\_sm\_custom\_credentials\_configuration\_schema) | The schema that defines the format of the input and output parameters. | diff --git a/examples/advanced/README.md b/examples/advanced/README.md deleted file mode 100644 index d52511a..0000000 --- a/examples/advanced/README.md +++ /dev/null @@ -1,4 +0,0 @@ -# Advanced example - - - diff --git a/examples/advanced/main.tf b/examples/advanced/main.tf deleted file mode 100644 index 88360af..0000000 --- a/examples/advanced/main.tf +++ /dev/null @@ -1,32 +0,0 @@ -######################################################################################################################## -# Resource group -######################################################################################################################## - -module "resource_group" { - source = "terraform-ibm-modules/resource-group/ibm" - version = "1.2.0" - # if an existing resource group is not set (null) create a new one using prefix - resource_group_name = var.resource_group == null ? "${var.prefix}-resource-group" : null - existing_resource_group_name = var.resource_group -} - -######################################################################################################################## -# COS -######################################################################################################################## - -# -# Developer tips: -# - Call the local module / modules in the example to show how they can be consumed -# - Include the actual module source as a code comment like below so consumers know how to consume from correct location -# - -module "cos" { - source = "../.." - # remove the above line and uncomment the below 2 lines to consume the module from the registry - # source = "terraform-ibm-modules//ibm" - # version = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release - name = "${var.prefix}-cos" - resource_group_id = module.resource_group.resource_group_id - resource_tags = var.resource_tags - plan = "cos-one-rate-plan" -} diff --git a/examples/advanced/outputs.tf b/examples/advanced/outputs.tf deleted file mode 100644 index 316751f..0000000 --- a/examples/advanced/outputs.tf +++ /dev/null @@ -1,38 +0,0 @@ -############################################################################## -# Outputs -############################################################################## - -# -# Developer tips: -# - Include all relevant outputs from the modules being called in the example -# - -output "account_id" { - description = "An alpha-numeric value identifying the account ID." - value = module.cos.account_id -} - -output "guid" { - description = "The GUID of the resource instance." - value = module.cos.account_id -} - -output "id" { - description = "The unique identifier of the resource instance." - value = module.cos.id -} - -output "crn" { - description = "The CRN of the resource instance." - value = module.cos.crn -} - -output "resource_group_name" { - description = "Resource group name." - value = module.resource_group.resource_group_name -} - -output "resource_group_id" { - description = "Resource group ID." - value = module.resource_group.resource_group_id -} diff --git a/examples/advanced/provider.tf b/examples/advanced/provider.tf deleted file mode 100644 index 2080946..0000000 --- a/examples/advanced/provider.tf +++ /dev/null @@ -1,8 +0,0 @@ -############################################################################## -# Provider config -############################################################################## - -provider "ibm" { - ibmcloud_api_key = var.ibmcloud_api_key - region = var.region -} diff --git a/examples/basic/main.tf b/examples/basic/main.tf deleted file mode 100644 index cf665db..0000000 --- a/examples/basic/main.tf +++ /dev/null @@ -1,31 +0,0 @@ -######################################################################################################################## -# Resource group -######################################################################################################################## - -module "resource_group" { - source = "terraform-ibm-modules/resource-group/ibm" - version = "1.2.0" - # if an existing resource group is not set (null) create a new one using prefix - resource_group_name = var.resource_group == null ? "${var.prefix}-resource-group" : null - existing_resource_group_name = var.resource_group -} - -######################################################################################################################## -# COS -######################################################################################################################## - -# -# Developer tips: -# - Call the local module / modules in the example to show how they can be consumed -# - include the actual module source as a code comment like below so consumers know how to consume from correct location -# - -module "cos" { - source = "../.." - # remove the above line and uncomment the below 2 lines to consume the module from the registry - # source = "terraform-ibm-modules//ibm" - # version = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release - name = "${var.prefix}-cos" - resource_group_id = module.resource_group.resource_group_id - resource_tags = var.resource_tags -} diff --git a/examples/basic/outputs.tf b/examples/basic/outputs.tf deleted file mode 100644 index 552db48..0000000 --- a/examples/basic/outputs.tf +++ /dev/null @@ -1,38 +0,0 @@ -######################################################################################################################## -# Outputs -######################################################################################################################## - -# -# Developer tips: -# - Include all relevant outputs from the modules being called in the example -# - -output "account_id" { - description = "An alpha-numeric value identifying the account ID." - value = module.cos.account_id -} - -output "guid" { - description = "The GUID of the resource instance." - value = module.cos.account_id -} - -output "id" { - description = "The unique identifier of the resource instance." - value = module.cos.id -} - -output "crn" { - description = "The CRN of the resource instance." - value = module.cos.crn -} - -output "resource_group_name" { - description = "Resource group name." - value = module.resource_group.resource_group_name -} - -output "resource_group_id" { - description = "Resource group ID." - value = module.resource_group.resource_group_id -} diff --git a/examples/basic/variables.tf b/examples/basic/variables.tf deleted file mode 100644 index d460364..0000000 --- a/examples/basic/variables.tf +++ /dev/null @@ -1,39 +0,0 @@ -######################################################################################################################## -# Input variables -######################################################################################################################## - -# -# Module developer tips: -# - Examples are references that consumers can use to see how the module can be consumed. They are not designed to be -# flexible re-usable solutions for general consumption, so do not expose any more variables here and instead hard -# code things in the example main.tf with code comments explaining the different configurations. -# - For the same reason as above, do not add default values to the example inputs. -# - -variable "ibmcloud_api_key" { - type = string - description = "The IBM Cloud API Key." - sensitive = true -} - -variable "region" { - type = string - description = "Region to provision all resources created by this example." -} - -variable "prefix" { - type = string - description = "A string value to prefix to all resources created by this example." -} - -variable "resource_group" { - type = string - description = "The name of an existing resource group to provision resources in to. If not set a new resource group will be created using the prefix variable." - default = null -} - -variable "resource_tags" { - type = list(string) - description = "List of resource tag to associate with all resource instances created by this example." - default = [] -} diff --git a/examples/basic/version.tf b/examples/basic/version.tf deleted file mode 100644 index 401504c..0000000 --- a/examples/basic/version.tf +++ /dev/null @@ -1,16 +0,0 @@ -terraform { - required_version = ">= 1.9.0" - - # - # Developer tips: - # - Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main - # module's version.tf (usually a basic example), and 1 example that will always use the latest provider version. - # - - required_providers { - ibm = { - source = "IBM-Cloud/ibm" - version = "1.71.2" - } - } -} diff --git a/examples/basic/README.md b/examples/complete/README.md similarity index 100% rename from examples/basic/README.md rename to examples/complete/README.md diff --git a/examples/complete/main.tf b/examples/complete/main.tf new file mode 100644 index 0000000..24cc90b --- /dev/null +++ b/examples/complete/main.tf @@ -0,0 +1,121 @@ +############################################################################## +# Resource Group +############################################################################## + +module "resource_group" { + source = "terraform-ibm-modules/resource-group/ibm" + version = "1.3.0" + # if an existing resource group is not set (null) create a new one using prefix + resource_group_name = var.resource_group == null ? "${var.prefix}-resource-group" : null + existing_resource_group_name = var.resource_group +} + +############################################################################## +# Code Engine +############################################################################## + +module "code_engine" { + source = "terraform-ibm-modules/code-engine/ibm" + version = "4.5.7" + resource_group_id = module.resource_group.resource_group_id + project_name = "${var.prefix}-project" + jobs = { + "${var.prefix}-job" = { + image_reference = "icr.io/codeengine/helloworld" + run_env_variables = [{ + type = "literal" + name = "SMOUT_TEST" # The code engine job must have an environment variable of type SMOUT_XXX to be added to custom engine configuration + value = "type:string, required:true" # The code engine job env variable must have a value containing the required:true attribute + }] + run_arguments = ["echo \"hello world\""] + run_commands = ["/bin/sh"] + } + } +} + +############################################################################## +# Secrets Manager +############################################################################## + +module "secrets_manager" { + source = "terraform-ibm-modules/secrets-manager/ibm" + version = "2.7.5" + resource_group_id = module.resource_group.resource_group_id + region = var.region + secrets_manager_name = "${var.prefix}-secrets-manager" + sm_service_plan = "standard" + allowed_network = "public-and-private" + sm_tags = var.resource_tags +} + +############################################################################## +# ServiceIDs and Policy +############################################################################## + +resource "ibm_iam_service_id" "sm_service_id" { + name = "${var.prefix}-sm_custom_credential_service_id" + description = "ServiceID that can pull secrets from Secret Manager" +} + +resource "ibm_iam_service_policy" "sm_service_id_policy" { + iam_service_id = ibm_iam_service_id.sm_service_id.id + roles = ["Manager", "Operator"] + + resources { + service = "secrets-manager" + resource_instance_id = module.secrets_manager.secrets_manager_guid + } +} + +resource "time_sleep" "wait_for_authorization_policy" { + depends_on = [ibm_iam_service_id.sm_service_id, ibm_iam_service_policy.sm_service_id_policy] + create_duration = "30s" +} + +############################################################################## +# IAM Credential Secret +############################################################################## + +module "sm_iam_credential_secret" { + depends_on = [time_sleep.wait_for_authorization_policy] + source = "terraform-ibm-modules/iam-serviceid-apikey-secrets-manager/ibm" + version = "1.2.0" + region = var.region + secrets_manager_guid = module.secrets_manager.secrets_manager_guid + serviceid_id = ibm_iam_service_id.sm_service_id.id + sm_iam_secret_description = "the iam credential secret to provides sm access to code engine" + sm_iam_secret_name = "${var.prefix}-iam-secret-for-custom-credential" + sm_iam_secret_api_key_persistence = true # Set to true as a requirement to be used for custom credential + sm_iam_secret_auto_rotation = true # Set to true as a requirement to be used for custom credential + sm_iam_secret_auto_rotation_interval = 60 + sm_iam_secret_auto_rotation_unit = "day" +} + +############################################################################## +# Authorization Policy between Code Engine project and secrets manager +############################################################################## + +resource "ibm_iam_authorization_policy" "sm_ce_policy" { + source_service_name = "secrets-manager" + source_resource_instance_id = module.secrets_manager.secrets_manager_guid + target_service_name = "codeengine" + target_resource_instance_id = module.code_engine.project_id + roles = ["Viewer", "Writer"] +} + +############################################################################## +# Custom Credentials Engine Instance +############################################################################## + +module "custom_engine" { + depends_on = [module.code_engine, module.sm_iam_credential_secret, ibm_iam_authorization_policy.sm_ce_policy] + source = "../.." + secrets_manager_guid = module.secrets_manager.secrets_manager_guid + sm_region = var.region + custom_credential_engine_name = "sm_custom_cred_engine" + iam_credentials_secret_id = module.sm_iam_credential_secret.secret_id + code_engine_project_id = module.code_engine.project_id + code_engine_job_name = module.code_engine.job["${var.prefix}-job"].name + code_engine_region = var.region + task_timeout = "5m" +} diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf new file mode 100644 index 0000000..0e2628e --- /dev/null +++ b/examples/complete/outputs.tf @@ -0,0 +1,24 @@ +######################################################################################################################## +# Outputs +######################################################################################################################## + +output "custom_config_engine_id" { + description = "The unique identifier of the engine created." + value = module.custom_engine.custom_config_engine_id +} + +output "custom_config_engine_name" { + description = "The name of the engine created." + value = module.custom_engine.custom_config_engine_name +} + +output "code_engine_key_ref" { + description = "The IAM API key used by the credentials system to access the secrets manager instance." + sensitive = true + value = module.custom_engine.code_engine_key_ref +} + +output "sm_custom_credentials_configuration_schema" { + description = "The schema that defines the format of the input and output parameters." + value = module.custom_engine.sm_custom_credentials_configuration_schema +} diff --git a/examples/basic/provider.tf b/examples/complete/provider.tf similarity index 100% rename from examples/basic/provider.tf rename to examples/complete/provider.tf diff --git a/examples/advanced/variables.tf b/examples/complete/variables.tf similarity index 69% rename from examples/advanced/variables.tf rename to examples/complete/variables.tf index d460364..7ece7be 100644 --- a/examples/advanced/variables.tf +++ b/examples/complete/variables.tf @@ -2,14 +2,6 @@ # Input variables ######################################################################################################################## -# -# Module developer tips: -# - Examples are references that consumers can use to see how the module can be consumed. They are not designed to be -# flexible re-usable solutions for general consumption, so do not expose any more variables here and instead hard -# code things in the example main.tf with code comments explaining the different configurations. -# - For the same reason as above, do not add default values to the example inputs. -# - variable "ibmcloud_api_key" { type = string description = "The IBM Cloud API Key." @@ -19,11 +11,13 @@ variable "ibmcloud_api_key" { variable "region" { type = string description = "Region to provision all resources created by this example." + default = "us-south" } variable "prefix" { type = string description = "A string value to prefix to all resources created by this example." + default = "sm-custom-cred" } variable "resource_group" { diff --git a/examples/advanced/version.tf b/examples/complete/version.tf similarity index 77% rename from examples/advanced/version.tf rename to examples/complete/version.tf index ecfa978..a6e11af 100644 --- a/examples/advanced/version.tf +++ b/examples/complete/version.tf @@ -10,7 +10,11 @@ terraform { required_providers { ibm = { source = "IBM-Cloud/ibm" - version = ">= 1.71.2, < 2.0.0" + version = "1.79.2" + } + time = { + source = "hashicorp/time" + version = ">= 0.9.1, < 1.0.0" } } } diff --git a/main.tf b/main.tf index b6b879e..f196869 100644 --- a/main.tf +++ b/main.tf @@ -1,13 +1,17 @@ -# -# Developer tips: -# - Below code should be replaced with the code for the root level module -# +############################################################################## +# Secrets Manager Custom Credentials Engine Module +############################################################################## -resource "ibm_resource_instance" "cos_instance" { - name = var.name - resource_group_id = var.resource_group_id - service = "cloud-object-storage" - plan = var.plan - location = "global" - tags = var.resource_tags +resource "ibm_sm_custom_credentials_configuration" "custom_credentials_configuration_instance" { + instance_id = var.secrets_manager_guid + region = var.sm_region + name = var.custom_credential_engine_name + endpoint_type = var.endpoint_type + api_key_ref = var.iam_credentials_secret_id + code_engine { + project_id = var.code_engine_project_id + job_name = var.code_engine_job_name + region = var.code_engine_region + } + task_timeout = var.task_timeout } diff --git a/outputs.tf b/outputs.tf index 0286200..5bb2962 100644 --- a/outputs.tf +++ b/outputs.tf @@ -2,29 +2,23 @@ # Outputs ######################################################################################################################## -# -# Developer tips: -# - Below are some good practise sample outputs -# - They should be updated for outputs applicable to the module being added -# - Use variable validation when possible -# - -output "account_id" { - description = "An alpha-numeric value identifying the account ID." - value = ibm_resource_instance.cos_instance.account_id +output "custom_config_engine_id" { + description = "The unique identifier of the engine created." + value = ibm_sm_custom_credentials_configuration.custom_credentials_configuration_instance.id } -output "guid" { - description = "The GUID of the resource instance." - value = ibm_resource_instance.cos_instance.guid +output "custom_config_engine_name" { + description = "The name of the engine created." + value = ibm_sm_custom_credentials_configuration.custom_credentials_configuration_instance.name } -output "id" { - description = "The unique identifier of the resource instance." - value = ibm_resource_instance.cos_instance.id +output "code_engine_key_ref" { + description = "The IAM API key used by the credentials system to access the secrets manager instance." + sensitive = true + value = ibm_sm_custom_credentials_configuration.custom_credentials_configuration_instance.code_engine_key_ref } -output "crn" { - description = "The CRN of the resource instance." - value = ibm_resource_instance.cos_instance.crn +output "sm_custom_credentials_configuration_schema" { + description = "The schema that defines the format of the input and output parameters." + value = ibm_sm_custom_credentials_configuration.custom_credentials_configuration_instance.schema } diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md new file mode 100644 index 0000000..e78ef13 --- /dev/null +++ b/solutions/fully-configurable/README.md @@ -0,0 +1,3 @@ +# Cloud automation for Secrets Manager Custom Credential Engine (Fully configurable) + +:exclamation: **Important:** This solution is not intended to be called by other modules because it contains a provider configuration and is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information, see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers). diff --git a/solutions/fully-configurable/catalogValidationValues.json.template b/solutions/fully-configurable/catalogValidationValues.json.template new file mode 100644 index 0000000..6a7b9fc --- /dev/null +++ b/solutions/fully-configurable/catalogValidationValues.json.template @@ -0,0 +1,5 @@ +{ + "ibmcloud_api_key": $VALIDATION_APIKEY, + "existing_secrets_manager_crn": $SM_CRN, + "prefix": $PREFIX +} diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf new file mode 100644 index 0000000..7efb6ec --- /dev/null +++ b/solutions/fully-configurable/main.tf @@ -0,0 +1,43 @@ +######################################################################################################################## +# Custom Credential Engine +######################################################################################################################## + +locals { + prefix = var.prefix != null ? trimspace(var.prefix) != "" ? "${var.prefix}-" : "" : "" +} + +module "crn_parser" { + source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser" + version = "1.2.0" + crn = var.existing_secrets_manager_crn +} + +locals { + existing_secrets_manager_guid = module.crn_parser.service_instance + existing_secrets_manager_region = module.crn_parser.region + + # crn_parts = split(":", data.ibm_sm_iam_credentials_secret.iam_secret.crn) + # secret_id = local.crn_parts[length(local.crn_parts) - 1] +} + +resource "ibm_iam_authorization_policy" "sm_ce_policy" { + source_service_name = "secrets-manager" + source_resource_instance_id = local.existing_secrets_manager_guid + target_service_name = "codeengine" + target_resource_instance_id = var.code_engine_project_id + roles = ["Viewer", "Writer"] +} + +module "custom_credential_engine" { + depends_on = [ibm_iam_authorization_policy.sm_ce_policy] + source = "../.." + secrets_manager_guid = local.existing_secrets_manager_guid + sm_region = local.existing_secrets_manager_region + custom_credential_engine_name = "${local.prefix}-${var.custom_credential_engine_name}" + endpoint_type = var.endpoint_type + iam_credentials_secret_id = var.iam_credentials_secret_id + code_engine_project_id = var.code_engine_project_id + code_engine_job_name = var.code_engine_job_name + code_engine_region = var.code_engine_region + task_timeout = var.task_timeout +} diff --git a/solutions/fully-configurable/outputs.tf b/solutions/fully-configurable/outputs.tf new file mode 100644 index 0000000..3adfca3 --- /dev/null +++ b/solutions/fully-configurable/outputs.tf @@ -0,0 +1,20 @@ +output "custom_config_engine_id" { + description = "The unique identifier of the engine created." + value = module.custom_credential_engine.custom_config_engine_id +} + +output "custom_config_engine_name" { + description = "The name of the engine created." + value = module.custom_credential_engine.custom_config_engine_name +} + +output "code_engine_key_ref" { + description = "The IAM API key used by the credentials system to access the secrets manager instance." + sensitive = true + value = module.custom_credential_engine.code_engine_key_ref +} + +output "sm_custom_credentials_configuration_schema" { + description = "The schema that defines the format of the input and output parameters." + value = module.custom_credential_engine.sm_custom_credentials_configuration_schema +} diff --git a/solutions/fully-configurable/provider.tf b/solutions/fully-configurable/provider.tf new file mode 100644 index 0000000..f2902a0 --- /dev/null +++ b/solutions/fully-configurable/provider.tf @@ -0,0 +1,6 @@ +provider "ibm" { + ibmcloud_api_key = var.ibmcloud_api_key + region = local.existing_secrets_manager_region + visibility = var.provider_visibility + private_endpoint_type = (var.provider_visibility == "private" && local.existing_secrets_manager_region == "ca-mon") ? "vpe" : null +} diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf new file mode 100644 index 0000000..bb9f004 --- /dev/null +++ b/solutions/fully-configurable/variables.tf @@ -0,0 +1,93 @@ +######################################################################################################################## +# common variables +######################################################################################################################## + +variable "ibmcloud_api_key" { + type = string + description = "The IBM Cloud API key used to provision resources." + sensitive = true +} + +variable "provider_visibility" { + description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)." + type = string + default = "private" + nullable = false + + validation { + condition = contains(["public", "private", "public-and-private"], var.provider_visibility) + error_message = "Invalid value for 'provider_visibility'. Allowed values are 'public', 'private', or 'public-and-private'." + } +} + +variable "prefix" { + type = string + nullable = true + description = "The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: prod-us-south. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md)." + + validation { + # - null and empty string is allowed + # - Must not contain consecutive hyphens (--): length(regexall("--", var.prefix)) == 0 + # - Starts with a lowercase letter: [a-z] + # - Contains only lowercase letters (a–z), digits (0–9), and hyphens (-) and must not exceed 16 characters in length: [a-z0-9-]{0,14} + # - Must not end with a hyphen (-): [a-z0-9] + condition = (var.prefix == null || var.prefix == "" ? true : + alltrue([ + can(regex("^[a-z][-a-z0-9]{0,14}[a-z0-9]$", var.prefix)), + length(regexall("--", var.prefix)) == 0 + ]) + ) + error_message = "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--')." + } +} + +variable "existing_secrets_manager_crn" { + type = string + description = "The CRN of secrets manager instance to create the secret engine in." + nullable = false +} + +######################################################################################################################## +# custom credential engine variables +######################################################################################################################## + +variable "custom_credential_engine_name" { + type = string + description = "The name of the custom credentials engine to be created." +} + +variable "endpoint_type" { + type = string + description = "The endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private`" + default = "public" + + validation { + condition = contains(["public", "private"], var.endpoint_type) + error_message = "The specified endpoint_type is not a valid selection!" + } +} + +variable "iam_credentials_secret_id" { + type = string + description = "The IAM credentials secret ID that is used for setting up a custom credentials secret configuration." +} + +variable "code_engine_project_id" { + type = string + description = "The Project ID of the code engine project used by the custom credentials configuration." +} + +variable "code_engine_job_name" { + type = string + description = "The code engine job name used by this custom credentials configuration." +} + +variable "code_engine_region" { + type = string + description = "The region of the code engine project." +} + +variable "task_timeout" { + type = string + description = "The maximum allowed time for a code engine job to be completed." +} diff --git a/solutions/fully-configurable/version.tf b/solutions/fully-configurable/version.tf new file mode 100644 index 0000000..a7da027 --- /dev/null +++ b/solutions/fully-configurable/version.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= v1.9.0" + required_providers { + ibm = { + source = "IBM-Cloud/ibm" + version = "1.79.2" + } + } +} diff --git a/variables.tf b/variables.tf index a9d9899..92f2e35 100644 --- a/variables.tf +++ b/variables.tf @@ -2,35 +2,52 @@ # Input Variables ######################################################################################################################## -# -# Developer tips: -# - Below are some common module input variables -# - They should be updated for input variables applicable to the module being added -# - Use variable validation when possible -# +variable "secrets_manager_guid" { + type = string + description = "GUID of secrets manager instance to create the secret engine in." +} + +variable "sm_region" { + type = string + description = "The region of the secrets manager instance." +} -variable "name" { +variable "custom_credential_engine_name" { type = string - description = "A descriptive name used to identify the resource instance." + description = "The name of the custom credentials engine to be created." } -variable "plan" { +variable "endpoint_type" { type = string - description = "The name of the plan type supported by service." - default = "standard" + description = "The endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private`." + default = "public" validation { - condition = contains(["standard", "cos-one-rate-plan"], var.plan) - error_message = "The specified pricing plan is not available. The following plans are supported: 'standard', 'cos-one-rate-plan'" + condition = contains(["public", "private"], var.endpoint_type) + error_message = "The specified endpoint_type is not a valid selection!" } } -variable "resource_group_id" { +variable "iam_credentials_secret_id" { + type = string + description = "The IAM credentials secret ID that is used for setting up a custom credentials secret configuration." +} + +variable "code_engine_project_id" { type = string - description = "The ID of the resource group where you want to create the service." + description = "The Project ID of the code engine project used by the custom credentials configuration." } -variable "resource_tags" { - type = list(string) - description = "List of resource tag to associate with the instance." - default = [] +variable "code_engine_job_name" { + type = string + description = "The code engine job name used by this custom credentials configuration." +} + +variable "code_engine_region" { + type = string + description = "The region of the code engine project." +} + +variable "task_timeout" { + type = string + description = "The maximum allowed time for a code engine job to be completed." } diff --git a/version.tf b/version.tf index e51de7f..94c0935 100644 --- a/version.tf +++ b/version.tf @@ -1,18 +1,10 @@ terraform { - # require 1.9 or later to make use of cross-object referencing for input variable validations - # more info: https://www.hashicorp.com/blog/terraform-1-9-enhances-input-variable-validations required_version = ">= 1.9.0" - # - # Developer tips: - # - If your module requires any terraform providers, add them the "required_providers" section below. - # - Each required provider's version should be a flexible range to future proof the module's usage with upcoming minor and patch versions. - # - required_providers { ibm = { source = "IBM-Cloud/ibm" - version = ">= 1.71.2, < 2.0.0" + version = ">= 1.79.2, < 2.0.0" } } } From 264edf5f5726f3c5b666e5056cd39d2f4b33708d Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Wed, 13 Aug 2025 14:45:20 +0530 Subject: [PATCH 02/27] Update complete example with existing instance for SM --- README.md | 2 +- examples/complete/main.tf | 29 +++++++--- examples/complete/variables.tf | 12 ++++ main.tf | 2 +- solutions/fully-configurable/main.tf | 10 +--- solutions/fully-configurable/variables.tf | 5 ++ tests/pr_test.go | 70 ++++++++++++----------- variables.tf | 7 ++- 8 files changed, 84 insertions(+), 53 deletions(-) diff --git a/README.md b/README.md index 665e408..e625b90 100644 --- a/README.md +++ b/README.md @@ -144,7 +144,7 @@ No modules. | [custom\_credential\_engine\_name](#input\_custom\_credential\_engine\_name) | The name of the custom credentials engine to be created. | `string` | n/a | yes | | [endpoint\_type](#input\_endpoint\_type) | The endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private`. | `string` | `"public"` | no | | [iam\_credentials\_secret\_id](#input\_iam\_credentials\_secret\_id) | The IAM credentials secret ID that is used for setting up a custom credentials secret configuration. | `string` | n/a | yes | -| [secrets\_manager\_guid](#input\_secrets\_manager\_guid) | GUID of secrets manager instance to create the secret engine in. | `string` | n/a | yes | +| [sm\_guid](#input\_sm\_guid) | GUID of secrets manager instance to create the secret engine in. | `string` | n/a | yes | | [sm\_region](#input\_sm\_region) | The region of the secrets manager instance. | `string` | n/a | yes | | [task\_timeout](#input\_task\_timeout) | The maximum allowed time for a code engine job to be completed. | `string` | n/a | yes | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 24cc90b..27b4afa 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -33,6 +33,15 @@ module "code_engine" { } } +######################################################################################################################## +# Locals +######################################################################################################################## + +locals { + sm_guid = var.existing_sm_instance_guid == null ? module.secrets_manager[0].secrets_manager_guid : var.existing_sm_instance_guid + sm_region = var.existing_sm_instance_region == null ? var.region : var.existing_sm_instance_region +} + ############################################################################## # Secrets Manager ############################################################################## @@ -40,6 +49,7 @@ module "code_engine" { module "secrets_manager" { source = "terraform-ibm-modules/secrets-manager/ibm" version = "2.7.5" + count = var.existing_sm_instance_guid == null ? 1 : 0 resource_group_id = module.resource_group.resource_group_id region = var.region secrets_manager_name = "${var.prefix}-secrets-manager" @@ -59,11 +69,11 @@ resource "ibm_iam_service_id" "sm_service_id" { resource "ibm_iam_service_policy" "sm_service_id_policy" { iam_service_id = ibm_iam_service_id.sm_service_id.id - roles = ["Manager", "Operator"] + roles = ["SecretsReader", "SecretTaskUpdater"] resources { service = "secrets-manager" - resource_instance_id = module.secrets_manager.secrets_manager_guid + resource_instance_id = local.sm_guid } } @@ -76,12 +86,13 @@ resource "time_sleep" "wait_for_authorization_policy" { # IAM Credential Secret ############################################################################## +# module.secrets_manager is added in depends_on in order to prevent s2s auth policies from getting destroyed before sm_iam_credential_secret is destroyed module "sm_iam_credential_secret" { - depends_on = [time_sleep.wait_for_authorization_policy] + depends_on = [time_sleep.wait_for_authorization_policy, module.secrets_manager] source = "terraform-ibm-modules/iam-serviceid-apikey-secrets-manager/ibm" version = "1.2.0" - region = var.region - secrets_manager_guid = module.secrets_manager.secrets_manager_guid + region = local.sm_region + secrets_manager_guid = local.sm_guid serviceid_id = ibm_iam_service_id.sm_service_id.id sm_iam_secret_description = "the iam credential secret to provides sm access to code engine" sm_iam_secret_name = "${var.prefix}-iam-secret-for-custom-credential" @@ -97,7 +108,7 @@ module "sm_iam_credential_secret" { resource "ibm_iam_authorization_policy" "sm_ce_policy" { source_service_name = "secrets-manager" - source_resource_instance_id = module.secrets_manager.secrets_manager_guid + source_resource_instance_id = local.sm_guid target_service_name = "codeengine" target_resource_instance_id = module.code_engine.project_id roles = ["Viewer", "Writer"] @@ -110,9 +121,9 @@ resource "ibm_iam_authorization_policy" "sm_ce_policy" { module "custom_engine" { depends_on = [module.code_engine, module.sm_iam_credential_secret, ibm_iam_authorization_policy.sm_ce_policy] source = "../.." - secrets_manager_guid = module.secrets_manager.secrets_manager_guid - sm_region = var.region - custom_credential_engine_name = "sm_custom_cred_engine" + sm_guid = local.sm_guid + sm_region = local.sm_region + custom_credential_engine_name = "${var.prefix}-engine" iam_credentials_secret_id = module.sm_iam_credential_secret.secret_id code_engine_project_id = module.code_engine.project_id code_engine_job_name = module.code_engine.job["${var.prefix}-job"].name diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 7ece7be..f94b79d 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -31,3 +31,15 @@ variable "resource_tags" { description = "List of resource tag to associate with all resource instances created by this example." default = [] } + +variable "existing_sm_instance_guid" { + type = string + description = "Existing Secrets Manager GUID. The existing Secret Manager instance must have private certificate engine configured. If not provided an new instance will be provisioned." + default = null +} + +variable "existing_sm_instance_region" { + type = string + description = "Required if value is passed into var.existing_sm_instance_guid" + default = null +} diff --git a/main.tf b/main.tf index f196869..f3b4fb5 100644 --- a/main.tf +++ b/main.tf @@ -3,7 +3,7 @@ ############################################################################## resource "ibm_sm_custom_credentials_configuration" "custom_credentials_configuration_instance" { - instance_id = var.secrets_manager_guid + instance_id = var.sm_guid region = var.sm_region name = var.custom_credential_engine_name endpoint_type = var.endpoint_type diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 7efb6ec..1bca74c 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -3,7 +3,7 @@ ######################################################################################################################## locals { - prefix = var.prefix != null ? trimspace(var.prefix) != "" ? "${var.prefix}-" : "" : "" + prefix = var.prefix != null ? (trimspace(var.prefix) != "" ? "${trimspace(var.prefix)}-" : "") : "" } module "crn_parser" { @@ -15,9 +15,6 @@ module "crn_parser" { locals { existing_secrets_manager_guid = module.crn_parser.service_instance existing_secrets_manager_region = module.crn_parser.region - - # crn_parts = split(":", data.ibm_sm_iam_credentials_secret.iam_secret.crn) - # secret_id = local.crn_parts[length(local.crn_parts) - 1] } resource "ibm_iam_authorization_policy" "sm_ce_policy" { @@ -29,11 +26,10 @@ resource "ibm_iam_authorization_policy" "sm_ce_policy" { } module "custom_credential_engine" { - depends_on = [ibm_iam_authorization_policy.sm_ce_policy] source = "../.." - secrets_manager_guid = local.existing_secrets_manager_guid + sm_guid = local.existing_secrets_manager_guid sm_region = local.existing_secrets_manager_region - custom_credential_engine_name = "${local.prefix}-${var.custom_credential_engine_name}" + custom_credential_engine_name = "${local.prefix}${var.custom_credential_engine_name}" endpoint_type = var.endpoint_type iam_credentials_secret_id = var.iam_credentials_secret_id code_engine_project_id = var.code_engine_project_id diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index bb9f004..765a2fe 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -90,4 +90,9 @@ variable "code_engine_region" { variable "task_timeout" { type = string description = "The maximum allowed time for a code engine job to be completed." + + validation { + condition = can(regex("^\\d+[smh]$", var.task_timeout)) + error_message = "task_timeout must be a string with a number followed by 's', 'm', or 'h' (e.g., '30s', '3m', '1h')." + } } diff --git a/tests/pr_test.go b/tests/pr_test.go index 8867ed0..4d1e156 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -2,59 +2,61 @@ package test import ( + "log" + "os" "testing" "github.com/stretchr/testify/assert" + "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/common" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper" ) -// Use existing resource group -const resourceGroup = "geretain-test-resources" +const completeExampleDir = "examples/complete" +const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-resources.yaml" -// Ensure every example directory has a corresponding test -const advancedExampleDir = "examples/advanced" -const basicExampleDir = "examples/basic" +var permanentResources map[string]interface{} -func setupOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptions { - options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{ - Testing: t, - TerraformDir: dir, - Prefix: prefix, - ResourceGroup: resourceGroup, - }) - return options +// TestMain will be run before any parallel tests, used to read data from yaml for use with tests +func TestMain(m *testing.M) { + + var err error + permanentResources, err = common.LoadMapFromYaml(yamlLocation) + if err != nil { + log.Fatal(err) + } + + os.Exit(m.Run()) } -// Consistency test for the basic example -func TestRunBasicExample(t *testing.T) { - t.Parallel() +func setupCompleteOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptions { + options := testhelper.TestOptionsDefault(&testhelper.TestOptions{ + Testing: t, + TerraformDir: dir, + Prefix: prefix, + }) - options := setupOptions(t, "mod-template-basic", basicExampleDir) + // need to ignore because of a provider issue: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4719 + options.IgnoreUpdates = testhelper.Exemptions{ + List: []string{ + "module.code_engine.module.job[\"" + options.Prefix + "-job\"].ibm_code_engine_job.ce_job", + }, + } - output, err := options.RunTestConsistency() - assert.Nil(t, err, "This should not have errored") - assert.NotNil(t, output, "Expected some output") + options.TerraformVars = map[string]interface{}{ + "prefix": options.Prefix, + "existing_sm_instance_guid": permanentResources["secretsManagerGuid"], + "existing_sm_instance_region": permanentResources["secretsManagerRegion"], + } + + return options } func TestRunAdvancedExample(t *testing.T) { t.Parallel() - options := setupOptions(t, "mod-template-adv", advancedExampleDir) + options := setupCompleteOptions(t, "custom-engine", completeExampleDir) output, err := options.RunTestConsistency() assert.Nil(t, err, "This should not have errored") assert.NotNil(t, output, "Expected some output") } - -// Upgrade test (using advanced example) -func TestRunUpgradeExample(t *testing.T) { - t.Parallel() - - options := setupOptions(t, "mod-template-adv-upg", advancedExampleDir) - - output, err := options.RunTestUpgrade() - if !options.UpgradeTestSkipped { - assert.Nil(t, err, "This should not have errored") - assert.NotNil(t, output, "Expected some output") - } -} diff --git a/variables.tf b/variables.tf index 92f2e35..3599542 100644 --- a/variables.tf +++ b/variables.tf @@ -2,7 +2,7 @@ # Input Variables ######################################################################################################################## -variable "secrets_manager_guid" { +variable "sm_guid" { type = string description = "GUID of secrets manager instance to create the secret engine in." } @@ -50,4 +50,9 @@ variable "code_engine_region" { variable "task_timeout" { type = string description = "The maximum allowed time for a code engine job to be completed." + + validation { + condition = can(regex("^\\d+[smh]$", var.task_timeout)) + error_message = "task_timeout must be a string with a number followed by 's', 'm', or 'h' (e.g., '30s', '3m', '1h')." + } } From 995157016cc68a3ed41cad87bf0ac1c40fd31ae1 Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Mon, 18 Aug 2025 02:58:47 +0530 Subject: [PATCH 03/27] added DA code --- .catalog-onboard-pipeline.yaml | 14 + .releaserc | 3 + README.md | 19 +- examples/complete/main.tf | 62 +--- examples/complete/version.tf | 4 - ibm_catalog.json | 272 ++++++++++++++++++ ...rets_manager_custom_credentials_engine.svg | 4 + main.tf | 62 +++- ...rets_manager_custom_credentials_engine.svg | 4 + solutions/fully-configurable/main.tf | 34 ++- solutions/fully-configurable/variables.tf | 55 +++- variables.tf | 56 +++- version.tf | 4 + 13 files changed, 498 insertions(+), 95 deletions(-) create mode 100644 .catalog-onboard-pipeline.yaml create mode 100644 ibm_catalog.json create mode 100644 images/secrets_manager_custom_credentials_engine.svg create mode 100644 reference-architecture/secrets_manager_custom_credentials_engine.svg diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml new file mode 100644 index 0000000..7d2f4bc --- /dev/null +++ b/.catalog-onboard-pipeline.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: v1 +offerings: + - name: deploy-arch-secrets-manager-custom-credentials-engine + kind: solution + catalog_id: + offering_id: + variations: + - name: fully-configurable + mark_ready: true + install_type: fullstack + scc: + instance_id: + region: us-south diff --git a/.releaserc b/.releaserc index 708916f..4160e57 100644 --- a/.releaserc +++ b/.releaserc @@ -10,6 +10,9 @@ }], ["@semantic-release/exec", { "successCmd": "echo \"SEMVER_VERSION=${nextRelease.version}\" >> $GITHUB_ENV" + }], + ["@semantic-release/exec",{ + "publishCmd": "./ci/trigger-catalog-onboarding-pipeline.sh --version=v${nextRelease.version}" }] ] } diff --git a/README.md b/README.md index e625b90..4f2c620 100644 --- a/README.md +++ b/README.md @@ -123,16 +123,23 @@ statement instead the previous block. |------|---------| | [terraform](#requirement\_terraform) | >= 1.9.0 | | [ibm](#requirement\_ibm) | >= 1.79.2, < 2.0.0 | +| [time](#requirement\_time) | >= 0.9.1, < 1.0.0 | ### Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [sm\_iam\_credential\_secret](#module\_sm\_iam\_credential\_secret) | terraform-ibm-modules/iam-serviceid-apikey-secrets-manager/ibm | 1.2.0 | ### Resources | Name | Type | |------|------| +| [ibm_iam_authorization_policy.sm_ce_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | +| [ibm_iam_service_id.sm_service_id](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_service_id) | resource | +| [ibm_iam_service_policy.sm_service_id_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_service_policy) | resource | | [ibm_sm_custom_credentials_configuration.custom_credentials_configuration_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_custom_credentials_configuration) | resource | +| [time_sleep.wait_for_service_id](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | ### Inputs @@ -143,10 +150,16 @@ No modules. | [code\_engine\_region](#input\_code\_engine\_region) | The region of the code engine project. | `string` | n/a | yes | | [custom\_credential\_engine\_name](#input\_custom\_credential\_engine\_name) | The name of the custom credentials engine to be created. | `string` | n/a | yes | | [endpoint\_type](#input\_endpoint\_type) | The endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private`. | `string` | `"public"` | no | -| [iam\_credentials\_secret\_id](#input\_iam\_credentials\_secret\_id) | The IAM credentials secret ID that is used for setting up a custom credentials secret configuration. | `string` | n/a | yes | +| [iam\_credential\_secret\_auto\_rotation\_interval](#input\_iam\_credential\_secret\_auto\_rotation\_interval) | Specifies the rotation interval for the rotation policy. | `string` | `60` | no | +| [iam\_credential\_secret\_auto\_rotation\_unit](#input\_iam\_credential\_secret\_auto\_rotation\_unit) | Specifies the unit of time for rotation policy. Acceptable values are `day` or `month`. | `string` | `"day"` | no | +| [iam\_credential\_secret\_group\_id](#input\_iam\_credential\_secret\_group\_id) | Secret Group ID of secret where IAM Secret will be added to, leave default (null) to add in default secret-group. | `string` | `null` | no | +| [iam\_credential\_secret\_labels](#input\_iam\_credential\_secret\_labels) | Optional list of up to 30 labels to be created on the secret. Labels can be used to search for secrets in the Secrets Manager instance. | `list(string)` | `[]` | no | +| [iam\_credential\_secret\_name](#input\_iam\_credential\_secret\_name) | The name of the IAM credential secret to allow code engine job to pull secrets from SM. | `string` | n/a | yes | +| [iam\_credential\_secret\_ttl](#input\_iam\_credential\_secret\_ttl) | Specify validity / lease duration of ServiceID API key. Accepted values and formats are: SECONDS, Xm or Xh (where X is the number of minutes or hours appended to m or h respectively). | `string` | `"7776000"` | no | +| [service\_id\_name](#input\_service\_id\_name) | The name of the service ID to be created to allow code engine job to pull secrets from SM. | `string` | n/a | yes | | [sm\_guid](#input\_sm\_guid) | GUID of secrets manager instance to create the secret engine in. | `string` | n/a | yes | | [sm\_region](#input\_sm\_region) | The region of the secrets manager instance. | `string` | n/a | yes | -| [task\_timeout](#input\_task\_timeout) | The maximum allowed time for a code engine job to be completed. | `string` | n/a | yes | +| [task\_timeout](#input\_task\_timeout) | The maximum allowed time for a code engine job to be completed. | `string` | `"5m"` | no | ### Outputs diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 27b4afa..91537cf 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -58,75 +58,19 @@ module "secrets_manager" { sm_tags = var.resource_tags } -############################################################################## -# ServiceIDs and Policy -############################################################################## - -resource "ibm_iam_service_id" "sm_service_id" { - name = "${var.prefix}-sm_custom_credential_service_id" - description = "ServiceID that can pull secrets from Secret Manager" -} - -resource "ibm_iam_service_policy" "sm_service_id_policy" { - iam_service_id = ibm_iam_service_id.sm_service_id.id - roles = ["SecretsReader", "SecretTaskUpdater"] - - resources { - service = "secrets-manager" - resource_instance_id = local.sm_guid - } -} - -resource "time_sleep" "wait_for_authorization_policy" { - depends_on = [ibm_iam_service_id.sm_service_id, ibm_iam_service_policy.sm_service_id_policy] - create_duration = "30s" -} - -############################################################################## -# IAM Credential Secret -############################################################################## - -# module.secrets_manager is added in depends_on in order to prevent s2s auth policies from getting destroyed before sm_iam_credential_secret is destroyed -module "sm_iam_credential_secret" { - depends_on = [time_sleep.wait_for_authorization_policy, module.secrets_manager] - source = "terraform-ibm-modules/iam-serviceid-apikey-secrets-manager/ibm" - version = "1.2.0" - region = local.sm_region - secrets_manager_guid = local.sm_guid - serviceid_id = ibm_iam_service_id.sm_service_id.id - sm_iam_secret_description = "the iam credential secret to provides sm access to code engine" - sm_iam_secret_name = "${var.prefix}-iam-secret-for-custom-credential" - sm_iam_secret_api_key_persistence = true # Set to true as a requirement to be used for custom credential - sm_iam_secret_auto_rotation = true # Set to true as a requirement to be used for custom credential - sm_iam_secret_auto_rotation_interval = 60 - sm_iam_secret_auto_rotation_unit = "day" -} - -############################################################################## -# Authorization Policy between Code Engine project and secrets manager -############################################################################## - -resource "ibm_iam_authorization_policy" "sm_ce_policy" { - source_service_name = "secrets-manager" - source_resource_instance_id = local.sm_guid - target_service_name = "codeengine" - target_resource_instance_id = module.code_engine.project_id - roles = ["Viewer", "Writer"] -} - ############################################################################## # Custom Credentials Engine Instance ############################################################################## module "custom_engine" { - depends_on = [module.code_engine, module.sm_iam_credential_secret, ibm_iam_authorization_policy.sm_ce_policy] + depends_on = [module.code_engine, module.secrets_manager] source = "../.." sm_guid = local.sm_guid sm_region = local.sm_region custom_credential_engine_name = "${var.prefix}-engine" - iam_credentials_secret_id = module.sm_iam_credential_secret.secret_id code_engine_project_id = module.code_engine.project_id code_engine_job_name = module.code_engine.job["${var.prefix}-job"].name code_engine_region = var.region - task_timeout = "5m" + service_id_name = "${var.prefix}-sm_custom_credential_service_id" + iam_credential_secret_name = "${var.prefix}-iam-secret-for-custom-credential" } diff --git a/examples/complete/version.tf b/examples/complete/version.tf index a6e11af..7c44064 100644 --- a/examples/complete/version.tf +++ b/examples/complete/version.tf @@ -12,9 +12,5 @@ terraform { source = "IBM-Cloud/ibm" version = "1.79.2" } - time = { - source = "hashicorp/time" - version = ">= 0.9.1, < 1.0.0" - } } } diff --git a/ibm_catalog.json b/ibm_catalog.json new file mode 100644 index 0000000..c2aae25 --- /dev/null +++ b/ibm_catalog.json @@ -0,0 +1,272 @@ +{ + "products": [ + { + "name": "deploy-arch-secrets-manager-custom-credentials-engine", + "label": "Cloud automation for Secrets Manager custom credentials engine", + "product_kind": "solution", + "tags": [ + "ibm_created", + "target_terraform", + "terraform", + "solution", + "security", + "converged_infra" + ], + "keywords": [ + "Custom credentials engine", + "Secrets Manager", + "IaC", + "infrastructure as code", + "terraform", + "solution" + ], + "short_description": "Creates and configures a Secrets Manager custom credentials engine.", + "long_description": "This deployable architecture is used to provision and configure a custom credentials engine that will be used to store [custom credential secrets](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-custom-credentials&interface=ui) for external systems in IBM Secrets Manager service. It creates an IAM Credentials secret, a service ID and service policy that will allow the job running in code engin to access secrets manager to update the custom secret. The architecture also creates an IAM service authorization between secrets manager and code engine project. In order to use this deployable architecture make sure a secrets manager instance is created with IAM credentials engine configured or if [Cloud automation for Secrets Manager](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager) is being used then [skip_iam_authorization_policy](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/variables.tf#L58) is set to true.\n\nℹ️ This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", + "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/blob/main/README.md", + "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/main/images/secrets_manager_custom_credentials_engine.svg", + "provider_name": "IBM", + "features": [ + { + "title": "IAM service authorization", + "description": "Creates a [service authorization policy](https://cloud.ibm.com/docs/account?topic=account-serviceauth&interface=ui) between secrets manager as source and code engine project as target." + }, + { + "title": "IAM credentials secret", + "description": "Creates an [IAM credentials secret](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-iam-credentials&interface=terraform) to allow code engine job to access/update secrets in secrets manager instance." + }, + { + "title": "Custom credentials engine", + "description": "Creates a [custom credentials engine](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-custom-credentials-config&interface=terraform) configuration which acts as a back-end for custom credentials secret." + } + ], + "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [here](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/issues). Please note this product is not supported via the IBM Cloud Support Center.", + "flavors": [ + { + "label": "Fully configurable", + "name": "fully-configurable", + "install_type": "fullstack", + "working_directory": "solutions/fully-configurable", + "architecture": { + "descriptions": "This architecture supports creating and configuring a Secrets Manager Custom Credentials Engine.", + "features": [ + { + "title": " ", + "description": "Configured to use IBM secure-by-default standards, but can be edited to fit your use case." + } + ], + "diagrams": [ + { + "diagram": { + "caption": "Secrets Manager Custom Credentials Engine", + "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/main/reference-architecture/secrets_manager_custom_credentials_engine.svg", + "type": "image/svg+xml" + }, + "description": "This architecture automates the setup of IBM Secrets Manager Custom Credentials Engine. The modular design includes the creation of a service authorization policy and IAM credentials secrets that are needed for provisioning the engine configuration." + } + ] + }, + "configuration": [ + { + "key": "ibmcloud_api_key" + }, + { + "key": "provider_visibility", + "options": [ + { + "displayname": "private", + "value": "private" + }, + { + "displayname": "public", + "value": "public" + }, + { + "displayname": "public-and-private", + "value": "public-and-private" + } + ], + "hidden": true + }, + { + "key": "existing_secrets_manager_crn", + "required": true + }, + { + "key": "prefix", + "required": true + }, + { + "key": "secrets_manager_region", + "required": true, + "virtual": true, + "default_value": "us-south", + "description": "The region to provision a new Secrets Manager instance in.", + "options": [ + { + "displayname": "Osaka (jp-osa)", + "value": "jp-osa" + }, + { + "displayname": "Sydney (au-syd)", + "value": "au-syd" + }, + { + "displayname": "Tokyo (jp-tok)", + "value": "jp-tok" + }, + { + "displayname": "Frankfurt (eu-de)", + "value": "eu-de" + }, + { + "displayname": "London (eu-gb)", + "value": "eu-gb" + }, + { + "displayname": "Madrid (eu-es)", + "value": "eu-es" + }, + { + "displayname": "Dallas (us-south)", + "value": "us-south" + }, + { + "displayname": "Toronto (ca-tor)", + "value": "ca-tor" + }, + { + "displayname": "Washington DC (us-east)", + "value": "us-east" + }, + { + "displayname": "Sao Paulo (br-sao)", + "value": "br-sao" + } + ] + }, + { + "key": "secrets_manager_service_plan", + "required": true, + "virtual": true, + "type": "string", + "options": [ + { + "displayname": "Standard", + "value": "standard" + }, + { + "displayname": "Trial", + "value": "trial" + } + ], + "default_value": "__NOT_SET__", + "description": "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)." + }, + { + "key": "endpoint_type", + "options": [ + { + "displayname": "private", + "value": "private" + }, + { + "displayname": "public", + "value": "public" + } + ] + }, + { + "key": "custom_credential_engine_name", + "required":true + }, + { + "key": "code_engine_project_id", + "required":true + }, + { + "key": "code_engine_job_name", + "required":true + }, + { + "key": "code_engine_region", + "required":true + }, + { + "key": "task_timeout", + "required":true + }, + { + "key": "service_id_name", + "required":true + }, + { + "key": "iam_credential_secret_name", + "required":true + }, + { + "key": "iam_credential_secret_group_id" + }, + { + "key": "iam_credential_secret_ttl" + }, + { + "key": "iam_credential_secret_auto_rotation_interval" + }, + { + "key": "iam_credential_secret_auto_rotation_unit" + }, + { + "key": "iam_credential_secret_labels" + } + ], + "iam_permissions": [ + { + "service_name": "secrets-manager", + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Administrator", + "crn:v1:bluemix:public:iam::::serviceRole:Manager" + ] + } + ], + "dependencies": [ + { + "name": "deploy-arch-ibm-secrets-manager", + "description": "Create a new Secrets Manager instance.", + "id": "6d6ebc76-7bbd-42f5-8bc7-78f4fabd5944-global", + "version": "v2.6.3", + "flavors": [ + "fully-configurable" + ], + "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", + "optional": true, + "on_by_default": true, + "input_mapping": [ + { + "dependency_input": "prefix", + "version_input": "prefix", + "reference_version": true + }, + { + "dependency_input": "region", + "version_input": "secrets_manager_region", + "reference_version": true + }, + { + "dependency_input": "service_plan", + "version_input": "secrets_manager_service_plan", + "reference_version": true + }, + { + "dependency_output": "secrets_manager_crn", + "version_input": "existing_secrets_manager_crn" + } + ] + } + ], + "dependency_version_2": true, + "terraform_version": "1.10.5" + } + ] + } + ] +} diff --git a/images/secrets_manager_custom_credentials_engine.svg b/images/secrets_manager_custom_credentials_engine.svg new file mode 100644 index 0000000..0b6e9f7 --- /dev/null +++ b/images/secrets_manager_custom_credentials_engine.svg @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/main.tf b/main.tf index f3b4fb5..381f607 100644 --- a/main.tf +++ b/main.tf @@ -1,13 +1,73 @@ +############################################################################## +# ServiceIDs and Policy +############################################################################## + +resource "ibm_iam_service_id" "sm_service_id" { + name = var.service_id_name + description = "ServiceID that can pull secrets from Secret Manager" +} + +resource "ibm_iam_service_policy" "sm_service_id_policy" { + iam_service_id = ibm_iam_service_id.sm_service_id.id + roles = ["SecretsReader", "SecretTaskUpdater"] + + resources { + service = "secrets-manager" + resource_instance_id = var.sm_guid + } +} + +resource "time_sleep" "wait_for_service_id" { + depends_on = [ibm_iam_service_id.sm_service_id, ibm_iam_service_policy.sm_service_id_policy] + create_duration = "30s" +} + +############################################################################## +# IAM Credential Secret +############################################################################## + +module "sm_iam_credential_secret" { + depends_on = [time_sleep.wait_for_service_id] + source = "terraform-ibm-modules/iam-serviceid-apikey-secrets-manager/ibm" + version = "1.2.0" + region = var.sm_region + secrets_manager_guid = var.sm_guid + secret_group_id = var.iam_credential_secret_group_id + sm_iam_secret_ttl = var.iam_credential_secret_ttl + service_endpoints = var.endpoint_type + serviceid_id = ibm_iam_service_id.sm_service_id.id + sm_iam_secret_description = "The iam credential secret to provides SM access to code engine job" + sm_iam_secret_name = var.iam_credential_secret_name + sm_iam_secret_api_key_persistence = true # Set to true as a requirement to be used for custom credential + sm_iam_secret_auto_rotation = true # Set to true as a requirement to be used for custom credential + sm_iam_secret_auto_rotation_interval = var.iam_credential_secret_auto_rotation_interval + sm_iam_secret_auto_rotation_unit = var.iam_credential_secret_auto_rotation_unit + labels = var.iam_credential_secret_labels +} + +############################################################################## +# Authorization Policy between Secrets Manager and Code Engine project +############################################################################## + +resource "ibm_iam_authorization_policy" "sm_ce_policy" { + source_service_name = "secrets-manager" + source_resource_instance_id = var.sm_guid + target_service_name = "codeengine" + target_resource_instance_id = var.code_engine_project_id + roles = ["Viewer", "Writer"] +} + ############################################################################## # Secrets Manager Custom Credentials Engine Module ############################################################################## resource "ibm_sm_custom_credentials_configuration" "custom_credentials_configuration_instance" { + depends_on = [module.sm_iam_credential_secret, ibm_iam_authorization_policy.sm_ce_policy] instance_id = var.sm_guid region = var.sm_region name = var.custom_credential_engine_name endpoint_type = var.endpoint_type - api_key_ref = var.iam_credentials_secret_id + api_key_ref = module.sm_iam_credential_secret.secret_id code_engine { project_id = var.code_engine_project_id job_name = var.code_engine_job_name diff --git a/reference-architecture/secrets_manager_custom_credentials_engine.svg b/reference-architecture/secrets_manager_custom_credentials_engine.svg new file mode 100644 index 0000000..ab8c751 --- /dev/null +++ b/reference-architecture/secrets_manager_custom_credentials_engine.svg @@ -0,0 +1,4 @@ + + + +
Cloud
Region
Resource Group
Secrets Manager
Secrets Manager Custom Credentials Engine \ No newline at end of file diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 1bca74c..a3b0679 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -17,23 +17,21 @@ locals { existing_secrets_manager_region = module.crn_parser.region } -resource "ibm_iam_authorization_policy" "sm_ce_policy" { - source_service_name = "secrets-manager" - source_resource_instance_id = local.existing_secrets_manager_guid - target_service_name = "codeengine" - target_resource_instance_id = var.code_engine_project_id - roles = ["Viewer", "Writer"] -} - module "custom_credential_engine" { - source = "../.." - sm_guid = local.existing_secrets_manager_guid - sm_region = local.existing_secrets_manager_region - custom_credential_engine_name = "${local.prefix}${var.custom_credential_engine_name}" - endpoint_type = var.endpoint_type - iam_credentials_secret_id = var.iam_credentials_secret_id - code_engine_project_id = var.code_engine_project_id - code_engine_job_name = var.code_engine_job_name - code_engine_region = var.code_engine_region - task_timeout = var.task_timeout + source = "../.." + sm_guid = local.existing_secrets_manager_guid + sm_region = local.existing_secrets_manager_region + custom_credential_engine_name = "${local.prefix}${var.custom_credential_engine_name}" + endpoint_type = var.endpoint_type + code_engine_project_id = var.code_engine_project_id + code_engine_job_name = var.code_engine_job_name + code_engine_region = var.code_engine_region + task_timeout = var.task_timeout + service_id_name = "${local.prefix}${var.service_id_name}" + iam_credential_secret_name = "${local.prefix}${var.iam_credential_secret_name}" + iam_credential_secret_group_id = var.iam_credential_secret_group_id + iam_credential_secret_ttl = var.iam_credential_secret_ttl + iam_credential_secret_auto_rotation_interval = var.iam_credential_secret_auto_rotation_interval + iam_credential_secret_auto_rotation_unit = var.iam_credential_secret_auto_rotation_unit + iam_credential_secret_labels = var.iam_credential_secret_labels } diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 765a2fe..3bf445b 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -67,11 +67,6 @@ variable "endpoint_type" { } } -variable "iam_credentials_secret_id" { - type = string - description = "The IAM credentials secret ID that is used for setting up a custom credentials secret configuration." -} - variable "code_engine_project_id" { type = string description = "The Project ID of the code engine project used by the custom credentials configuration." @@ -96,3 +91,53 @@ variable "task_timeout" { error_message = "task_timeout must be a string with a number followed by 's', 'm', or 'h' (e.g., '30s', '3m', '1h')." } } + +variable "service_id_name" { + type = string + description = "The name of the service ID to be created to allow code engine job to pull secrets from SM." +} + +variable "iam_credential_secret_name" { + type = string + description = "The name of the IAM credential secret to allow code engine job to pull secrets from SM." +} + +variable "iam_credential_secret_group_id" { + type = string + description = "Secret Group ID of secret where IAM Secret will be added to, leave default (null) to add in default secret-group." + default = null #tfsec:ignore:GEN001 +} + +variable "iam_credential_secret_ttl" { + type = string + description = "Specify validity / lease duration of ServiceID API key. Accepted values and formats are: SECONDS, Xm or Xh (where X is the number of minutes or hours appended to m or h respectively)." + default = "7776000" #tfsec:ignore:general-secrets-no-plaintext-exposure Default set to 90days +} + +variable "iam_credential_secret_auto_rotation_interval" { + type = string + description = "Specifies the rotation interval for the rotation policy." + default = 60 + + validation { + condition = var.iam_credential_secret_auto_rotation_interval > 0 + error_message = "Value for `iam_credential_secret_auto_rotation_intervals` must be greater than 0 when auto-rotation is enabled." + } +} + +variable "iam_credential_secret_auto_rotation_unit" { + type = string + description = "Specifies the unit of time for rotation policy. Acceptable values are `day` or `month`." + default = "day" #tfsec:ignore:general-secrets-no-plaintext-exposure + + validation { + condition = contains(["day", "month"], var.iam_credential_secret_auto_rotation_unit) + error_message = "Value for `iam_credential_secret_auto_rotation_unit` must be either 'day' or 'month' when auto-rotation is enabled." + } +} + +variable "iam_credential_secret_labels" { + type = list(string) + description = "Optional list of up to 30 labels to be created on the secret. Labels can be used to search for secrets in the Secrets Manager instance." + default = [] +} diff --git a/variables.tf b/variables.tf index 3599542..4dc3b07 100644 --- a/variables.tf +++ b/variables.tf @@ -27,11 +27,6 @@ variable "endpoint_type" { } } -variable "iam_credentials_secret_id" { - type = string - description = "The IAM credentials secret ID that is used for setting up a custom credentials secret configuration." -} - variable "code_engine_project_id" { type = string description = "The Project ID of the code engine project used by the custom credentials configuration." @@ -50,9 +45,60 @@ variable "code_engine_region" { variable "task_timeout" { type = string description = "The maximum allowed time for a code engine job to be completed." + default = "5m" validation { condition = can(regex("^\\d+[smh]$", var.task_timeout)) error_message = "task_timeout must be a string with a number followed by 's', 'm', or 'h' (e.g., '30s', '3m', '1h')." } } + +variable "service_id_name" { + type = string + description = "The name of the service ID to be created to allow code engine job to pull secrets from SM." +} + +variable "iam_credential_secret_name" { + type = string + description = "The name of the IAM credential secret to allow code engine job to pull secrets from SM." +} + +variable "iam_credential_secret_group_id" { + type = string + description = "Secret Group ID of secret where IAM Secret will be added to, leave default (null) to add in default secret-group." + default = null #tfsec:ignore:GEN001 +} + +variable "iam_credential_secret_ttl" { + type = string + description = "Specify validity / lease duration of ServiceID API key. Accepted values and formats are: SECONDS, Xm or Xh (where X is the number of minutes or hours appended to m or h respectively)." + default = "7776000" #tfsec:ignore:general-secrets-no-plaintext-exposure Default set to 90days +} + +variable "iam_credential_secret_auto_rotation_interval" { + type = string + description = "Specifies the rotation interval for the rotation policy." + default = 60 + + validation { + condition = var.iam_credential_secret_auto_rotation_interval > 0 + error_message = "Value for `iam_credential_secret_auto_rotation_intervals` must be greater than 0 when auto-rotation is enabled." + } +} + +variable "iam_credential_secret_auto_rotation_unit" { + type = string + description = "Specifies the unit of time for rotation policy. Acceptable values are `day` or `month`." + default = "day" #tfsec:ignore:general-secrets-no-plaintext-exposure + + validation { + condition = contains(["day", "month"], var.iam_credential_secret_auto_rotation_unit) + error_message = "Value for `iam_credential_secret_auto_rotation_unit` must be either 'day' or 'month' when auto-rotation is enabled." + } +} + +variable "iam_credential_secret_labels" { + type = list(string) + description = "Optional list of up to 30 labels to be created on the secret. Labels can be used to search for secrets in the Secrets Manager instance." + default = [] +} diff --git a/version.tf b/version.tf index 94c0935..3ec9b06 100644 --- a/version.tf +++ b/version.tf @@ -6,5 +6,9 @@ terraform { source = "IBM-Cloud/ibm" version = ">= 1.79.2, < 2.0.0" } + time = { + source = "hashicorp/time" + version = ">= 0.9.1, < 1.0.0" + } } } From 394e3caef382479ab96118bad3938f69f2681fc6 Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Mon, 18 Aug 2025 03:02:12 +0530 Subject: [PATCH 04/27] test tile --- ibm_catalog.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index c2aae25..41fbcd3 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -23,7 +23,7 @@ "short_description": "Creates and configures a Secrets Manager custom credentials engine.", "long_description": "This deployable architecture is used to provision and configure a custom credentials engine that will be used to store [custom credential secrets](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-custom-credentials&interface=ui) for external systems in IBM Secrets Manager service. It creates an IAM Credentials secret, a service ID and service policy that will allow the job running in code engin to access secrets manager to update the custom secret. The architecture also creates an IAM service authorization between secrets manager and code engine project. In order to use this deployable architecture make sure a secrets manager instance is created with IAM credentials engine configured or if [Cloud automation for Secrets Manager](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager) is being used then [skip_iam_authorization_policy](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/variables.tf#L58) is set to true.\n\nℹ️ This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/blob/main/README.md", - "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/main/images/secrets_manager_custom_credentials_engine.svg", + "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/refs/heads/13662-custom-engine/images/secrets_manager_custom_credentials_engine.svg", "provider_name": "IBM", "features": [ { @@ -58,7 +58,7 @@ { "diagram": { "caption": "Secrets Manager Custom Credentials Engine", - "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/main/reference-architecture/secrets_manager_custom_credentials_engine.svg", + "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/refs/heads/13662-custom-engine/reference-architecture/secrets_manager_custom_credentials_engine.svg", "type": "image/svg+xml" }, "description": "This architecture automates the setup of IBM Secrets Manager Custom Credentials Engine. The modular design includes the creation of a service authorization policy and IAM credentials secrets that are needed for provisioning the engine configuration." From 50c960118b9ef4352c45627f1951144782e299cf Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Mon, 18 Aug 2025 13:21:18 +0530 Subject: [PATCH 05/27] test catalog --- ibm_catalog.json | 471 +++++++++++----------- solutions/fully-configurable/variables.tf | 1 + 2 files changed, 241 insertions(+), 231 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index 41fbcd3..8de26b6 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -1,272 +1,281 @@ { - "products": [ - { - "name": "deploy-arch-secrets-manager-custom-credentials-engine", - "label": "Cloud automation for Secrets Manager custom credentials engine", - "product_kind": "solution", - "tags": [ - "ibm_created", - "target_terraform", - "terraform", - "solution", - "security", - "converged_infra" - ], - "keywords": [ - "Custom credentials engine", - "Secrets Manager", - "IaC", - "infrastructure as code", - "terraform", - "solution" - ], - "short_description": "Creates and configures a Secrets Manager custom credentials engine.", - "long_description": "This deployable architecture is used to provision and configure a custom credentials engine that will be used to store [custom credential secrets](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-custom-credentials&interface=ui) for external systems in IBM Secrets Manager service. It creates an IAM Credentials secret, a service ID and service policy that will allow the job running in code engin to access secrets manager to update the custom secret. The architecture also creates an IAM service authorization between secrets manager and code engine project. In order to use this deployable architecture make sure a secrets manager instance is created with IAM credentials engine configured or if [Cloud automation for Secrets Manager](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager) is being used then [skip_iam_authorization_policy](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/variables.tf#L58) is set to true.\n\nℹ️ This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", - "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/blob/main/README.md", - "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/refs/heads/13662-custom-engine/images/secrets_manager_custom_credentials_engine.svg", - "provider_name": "IBM", - "features": [ - { - "title": "IAM service authorization", - "description": "Creates a [service authorization policy](https://cloud.ibm.com/docs/account?topic=account-serviceauth&interface=ui) between secrets manager as source and code engine project as target." - }, - { - "title": "IAM credentials secret", - "description": "Creates an [IAM credentials secret](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-iam-credentials&interface=terraform) to allow code engine job to access/update secrets in secrets manager instance." - }, - { - "title": "Custom credentials engine", - "description": "Creates a [custom credentials engine](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-custom-credentials-config&interface=terraform) configuration which acts as a back-end for custom credentials secret." - } - ], - "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [here](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/issues). Please note this product is not supported via the IBM Cloud Support Center.", - "flavors": [ - { - "label": "Fully configurable", - "name": "fully-configurable", - "install_type": "fullstack", - "working_directory": "solutions/fully-configurable", - "architecture": { - "descriptions": "This architecture supports creating and configuring a Secrets Manager Custom Credentials Engine.", - "features": [ - { - "title": " ", - "description": "Configured to use IBM secure-by-default standards, but can be edited to fit your use case." - } - ], - "diagrams": [ - { - "diagram": { - "caption": "Secrets Manager Custom Credentials Engine", - "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/refs/heads/13662-custom-engine/reference-architecture/secrets_manager_custom_credentials_engine.svg", - "type": "image/svg+xml" - }, - "description": "This architecture automates the setup of IBM Secrets Manager Custom Credentials Engine. The modular design includes the creation of a service authorization policy and IAM credentials secrets that are needed for provisioning the engine configuration." - } - ] - }, - "configuration": [ + "products": [ + { + "name": "deploy-arch-secrets-manager-custom-credentials-engine", + "label": "Cloud automation for Secrets Manager custom credentials engine", + "product_kind": "solution", + "tags": [ + "ibm_created", + "target_terraform", + "terraform", + "solution", + "security", + "converged_infra" + ], + "keywords": [ + "Custom credentials engine", + "Secrets Manager", + "IaC", + "infrastructure as code", + "terraform", + "solution" + ], + "short_description": "Creates and configures a Secrets Manager custom credentials engine.", + "long_description": "This deployable architecture is used to provision and configure a custom credentials engine that will be used to store [custom credential secrets](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-custom-credentials&interface=ui) for external systems in IBM Secrets Manager service. It creates an IAM Credentials secret, a service ID and service policy that will allow the job running in code engin to access secrets manager to update the custom secret. The architecture also creates an IAM service authorization between secrets manager and code engine project. In order to use this deployable architecture make sure a secrets manager instance is created with IAM credentials engine configured or if [Cloud automation for Secrets Manager](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager) is being used then [skip_iam_authorization_policy](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/variables.tf#L58) is set to true.\n\nℹ️ This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", + "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/blob/main/README.md", + "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/refs/heads/13662-custom-engine/images/secrets_manager_custom_credentials_engine.svg", + "provider_name": "IBM", + "features": [ { - "key": "ibmcloud_api_key" + "title": "IAM service authorization", + "description": "Creates a [service authorization policy](https://cloud.ibm.com/docs/account?topic=account-serviceauth&interface=ui) between secrets manager as source and code engine project as target." }, { - "key": "provider_visibility", - "options": [ - { - "displayname": "private", - "value": "private" - }, - { - "displayname": "public", - "value": "public" - }, - { - "displayname": "public-and-private", - "value": "public-and-private" - } - ], - "hidden": true + "title": "IAM credentials secret", + "description": "Creates an [IAM credentials secret](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-iam-credentials&interface=terraform) to allow code engine job to access/update secrets in secrets manager instance." }, { - "key": "existing_secrets_manager_crn", - "required": true - }, - { - "key": "prefix", - "required": true + "title": "Custom credentials engine", + "description": "Creates a [custom credentials engine](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-custom-credentials-config&interface=terraform) configuration which acts as a back-end for custom credentials secret." + } + ], + "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [here](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/issues). Please note this product is not supported via the IBM Cloud Support Center.", + "flavors": [ + { + "label": "Fully configurable", + "name": "fully-configurable", + "index": 1, + "install_type": "fullstack", + "working_directory": "solutions/fully-configurable", + "compliance": { + "authority": "scc-v3", + "profiles": [ + { + "profile_name": "IBM Cloud Framework for Financial Services", + "profile_version": "1.7.0" + } + ] }, - { - "key": "secrets_manager_region", - "required": true, - "virtual": true, - "default_value": "us-south", - "description": "The region to provision a new Secrets Manager instance in.", - "options": [ + "configuration": [ { - "displayname": "Osaka (jp-osa)", - "value": "jp-osa" + "key": "ibmcloud_api_key" }, { - "displayname": "Sydney (au-syd)", - "value": "au-syd" + "key": "provider_visibility", + "options": [ + { + "displayname": "private", + "value": "private" + }, + { + "displayname": "public", + "value": "public" + }, + { + "displayname": "public-and-private", + "value": "public-and-private" + } + ], + "hidden": true }, { - "displayname": "Tokyo (jp-tok)", - "value": "jp-tok" + "key": "existing_secrets_manager_crn", + "required": true }, { - "displayname": "Frankfurt (eu-de)", - "value": "eu-de" + "key": "prefix", + "required": true }, { - "displayname": "London (eu-gb)", - "value": "eu-gb" + "key": "secrets_manager_region", + "required": true, + "virtual": true, + "default_value": "us-south", + "description": "The region to provision a new Secrets Manager instance in.", + "options": [ + { + "displayname": "Osaka (jp-osa)", + "value": "jp-osa" + }, + { + "displayname": "Sydney (au-syd)", + "value": "au-syd" + }, + { + "displayname": "Tokyo (jp-tok)", + "value": "jp-tok" + }, + { + "displayname": "Frankfurt (eu-de)", + "value": "eu-de" + }, + { + "displayname": "London (eu-gb)", + "value": "eu-gb" + }, + { + "displayname": "Madrid (eu-es)", + "value": "eu-es" + }, + { + "displayname": "Dallas (us-south)", + "value": "us-south" + }, + { + "displayname": "Toronto (ca-tor)", + "value": "ca-tor" + }, + { + "displayname": "Washington DC (us-east)", + "value": "us-east" + }, + { + "displayname": "Sao Paulo (br-sao)", + "value": "br-sao" + } + ] }, { - "displayname": "Madrid (eu-es)", - "value": "eu-es" + "key": "secrets_manager_service_plan", + "required": true, + "virtual": true, + "type": "string", + "options": [ + { + "displayname": "Standard", + "value": "standard" + }, + { + "displayname": "Trial", + "value": "trial" + } + ], + "default_value": "__NOT_SET__", + "description": "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)." }, { - "displayname": "Dallas (us-south)", - "value": "us-south" + "key": "custom_credential_engine_name", + "required":true }, { - "displayname": "Toronto (ca-tor)", - "value": "ca-tor" + "key": "code_engine_project_id", + "required":true }, { - "displayname": "Washington DC (us-east)", - "value": "us-east" + "key": "code_engine_job_name", + "required":true }, { - "displayname": "Sao Paulo (br-sao)", - "value": "br-sao" - } - ] - }, - { - "key": "secrets_manager_service_plan", - "required": true, - "virtual": true, - "type": "string", - "options": [ + "key": "code_engine_region", + "required":true + }, { - "displayname": "Standard", - "value": "standard" + "key": "service_id_name", + "required":true }, { - "displayname": "Trial", - "value": "trial" - } - ], - "default_value": "__NOT_SET__", - "description": "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)." - }, - { - "key": "endpoint_type", - "options": [ + "key": "iam_credential_secret_name", + "required":true + }, { - "displayname": "private", - "value": "private" + "key": "task_timeout" }, { - "displayname": "public", - "value": "public" - } - ] - }, - { - "key": "custom_credential_engine_name", - "required":true - }, - { - "key": "code_engine_project_id", - "required":true - }, - { - "key": "code_engine_job_name", - "required":true - }, - { - "key": "code_engine_region", - "required":true - }, - { - "key": "task_timeout", - "required":true - }, - { - "key": "service_id_name", - "required":true - }, - { - "key": "iam_credential_secret_name", - "required":true - }, - { - "key": "iam_credential_secret_group_id" - }, - { - "key": "iam_credential_secret_ttl" - }, - { - "key": "iam_credential_secret_auto_rotation_interval" - }, - { - "key": "iam_credential_secret_auto_rotation_unit" - }, - { - "key": "iam_credential_secret_labels" - } - ], - "iam_permissions": [ - { - "service_name": "secrets-manager", - "role_crns": [ - "crn:v1:bluemix:public:iam::::serviceRole:Administrator", - "crn:v1:bluemix:public:iam::::serviceRole:Manager" - ] - } - ], - "dependencies": [ - { - "name": "deploy-arch-ibm-secrets-manager", - "description": "Create a new Secrets Manager instance.", - "id": "6d6ebc76-7bbd-42f5-8bc7-78f4fabd5944-global", - "version": "v2.6.3", - "flavors": [ - "fully-configurable" - ], - "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", - "optional": true, - "on_by_default": true, - "input_mapping": [ + "key": "endpoint_type", + "options": [ + { + "displayname": "private", + "value": "private" + }, + { + "displayname": "public", + "value": "public" + } + ] + }, { - "dependency_input": "prefix", - "version_input": "prefix", - "reference_version": true + "key": "iam_credential_secret_group_id" }, { - "dependency_input": "region", - "version_input": "secrets_manager_region", - "reference_version": true + "key": "iam_credential_secret_ttl" }, { - "dependency_input": "service_plan", - "version_input": "secrets_manager_service_plan", - "reference_version": true + "key": "iam_credential_secret_auto_rotation_interval" }, { - "dependency_output": "secrets_manager_crn", - "version_input": "existing_secrets_manager_crn" + "key": "iam_credential_secret_auto_rotation_unit" + }, + { + "key": "iam_credential_secret_labels" } - ] - } - ], - "dependency_version_2": true, - "terraform_version": "1.10.5" - } - ] - } - ] + ], + "iam_permissions": [ + { + "service_name": "secrets-manager", + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator", + "crn:v1:bluemix:public:iam::::serviceRole:Manager" + ] + } + ], + "architecture": { + "descriptions": "This architecture supports creating and configuring a Secrets Manager Custom Credentials Engine.", + "features": [ + { + "title": " ", + "description": "Configured to use IBM secure-by-default standards, but can be edited to fit your use case." + } + ], + "diagrams": [ + { + "diagram": { + "caption": "Secrets Manager Custom Credentials Engine", + "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/refs/heads/13662-custom-engine/reference-architecture/secrets_manager_custom_credentials_engine.svg", + "type": "image/svg+xml" + }, + "description": "This architecture automates the setup of IBM Secrets Manager Custom Credentials Engine. The modular design includes the creation of a service authorization policy and IAM credentials secrets that are needed for provisioning the engine configuration." + } + ] + }, + "dependencies": [ + { + "name": "deploy-arch-ibm-secrets-manager", + "description": "Create a new Secrets Manager instance.", + "id": "6d6ebc76-7bbd-42f5-8bc7-78f4fabd5944-global", + "version": "v2.6.3", + "flavors": [ + "fully-configurable" + ], + "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", + "optional": true, + "on_by_default": true, + "input_mapping": [ + { + "dependency_input": "prefix", + "version_input": "prefix", + "reference_version": true + }, + { + "dependency_input": "region", + "version_input": "secrets_manager_region", + "reference_version": true + }, + { + "dependency_input": "service_plan", + "version_input": "secrets_manager_service_plan", + "reference_version": true + }, + { + "dependency_output": "secrets_manager_crn", + "version_input": "existing_secrets_manager_crn" + } + ] + } + ], + "dependency_version_2": true, + "terraform_version": "1.10.5" + } + ] + } + ] } diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 3bf445b..b8c4e93 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -85,6 +85,7 @@ variable "code_engine_region" { variable "task_timeout" { type = string description = "The maximum allowed time for a code engine job to be completed." + default = "5m" validation { condition = can(regex("^\\d+[smh]$", var.task_timeout)) From d8eb4df7c527afdbdb79a570e1a716f9dace07fe Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Mon, 18 Aug 2025 13:32:38 +0530 Subject: [PATCH 06/27] test catalog --- ibm_catalog.json | 106 +---------------------------------------------- 1 file changed, 1 insertion(+), 105 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index 8de26b6..7a6d96a 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -86,73 +86,6 @@ "key": "prefix", "required": true }, - { - "key": "secrets_manager_region", - "required": true, - "virtual": true, - "default_value": "us-south", - "description": "The region to provision a new Secrets Manager instance in.", - "options": [ - { - "displayname": "Osaka (jp-osa)", - "value": "jp-osa" - }, - { - "displayname": "Sydney (au-syd)", - "value": "au-syd" - }, - { - "displayname": "Tokyo (jp-tok)", - "value": "jp-tok" - }, - { - "displayname": "Frankfurt (eu-de)", - "value": "eu-de" - }, - { - "displayname": "London (eu-gb)", - "value": "eu-gb" - }, - { - "displayname": "Madrid (eu-es)", - "value": "eu-es" - }, - { - "displayname": "Dallas (us-south)", - "value": "us-south" - }, - { - "displayname": "Toronto (ca-tor)", - "value": "ca-tor" - }, - { - "displayname": "Washington DC (us-east)", - "value": "us-east" - }, - { - "displayname": "Sao Paulo (br-sao)", - "value": "br-sao" - } - ] - }, - { - "key": "secrets_manager_service_plan", - "required": true, - "virtual": true, - "type": "string", - "options": [ - { - "displayname": "Standard", - "value": "standard" - }, - { - "displayname": "Trial", - "value": "trial" - } - ], - "default_value": "__NOT_SET__", - "description": "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)." - }, { "key": "custom_credential_engine_name", "required":true @@ -236,44 +169,7 @@ "description": "This architecture automates the setup of IBM Secrets Manager Custom Credentials Engine. The modular design includes the creation of a service authorization policy and IAM credentials secrets that are needed for provisioning the engine configuration." } ] - }, - "dependencies": [ - { - "name": "deploy-arch-ibm-secrets-manager", - "description": "Create a new Secrets Manager instance.", - "id": "6d6ebc76-7bbd-42f5-8bc7-78f4fabd5944-global", - "version": "v2.6.3", - "flavors": [ - "fully-configurable" - ], - "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", - "optional": true, - "on_by_default": true, - "input_mapping": [ - { - "dependency_input": "prefix", - "version_input": "prefix", - "reference_version": true - }, - { - "dependency_input": "region", - "version_input": "secrets_manager_region", - "reference_version": true - }, - { - "dependency_input": "service_plan", - "version_input": "secrets_manager_service_plan", - "reference_version": true - }, - { - "dependency_output": "secrets_manager_crn", - "version_input": "existing_secrets_manager_crn" - } - ] - } - ], - "dependency_version_2": true, - "terraform_version": "1.10.5" + } } ] } From bb0bd2372c12e15a3157d0f61f0ba6e739b32867 Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Mon, 18 Aug 2025 17:31:18 +0530 Subject: [PATCH 07/27] SKIP_UPGRADE_TEST --- ibm_catalog.json | 104 +++++++++++ .../catalogValidationValues.json.template | 5 +- tests/existing-resources/README.md | 1 + tests/existing-resources/main.tf | 34 ++++ tests/existing-resources/outputs.tf | 33 ++++ tests/existing-resources/provider.tf | 4 + tests/existing-resources/variables.tf | 26 +++ tests/existing-resources/version.tf | 9 + tests/pr_test.go | 163 ++++++++++++++++++ tests/scripts/post-validation-destroy-ce.sh | 19 ++ tests/scripts/pre-validation-deploy-ce.sh | 48 ++++++ 11 files changed, 445 insertions(+), 1 deletion(-) create mode 100644 tests/existing-resources/README.md create mode 100644 tests/existing-resources/main.tf create mode 100644 tests/existing-resources/outputs.tf create mode 100644 tests/existing-resources/provider.tf create mode 100644 tests/existing-resources/variables.tf create mode 100644 tests/existing-resources/version.tf create mode 100644 tests/scripts/post-validation-destroy-ce.sh create mode 100644 tests/scripts/pre-validation-deploy-ce.sh diff --git a/ibm_catalog.json b/ibm_catalog.json index 7a6d96a..0081537 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -78,6 +78,73 @@ ], "hidden": true }, + { + "key": "secrets_manager_region", + "required": true, + "virtual": true, + "default_value": "us-south", + "description": "The region to provision a new Secrets Manager instance in.", + "options": [ + { + "displayname": "Osaka (jp-osa)", + "value": "jp-osa" + }, + { + "displayname": "Sydney (au-syd)", + "value": "au-syd" + }, + { + "displayname": "Tokyo (jp-tok)", + "value": "jp-tok" + }, + { + "displayname": "Frankfurt (eu-de)", + "value": "eu-de" + }, + { + "displayname": "London (eu-gb)", + "value": "eu-gb" + }, + { + "displayname": "Madrid (eu-es)", + "value": "eu-es" + }, + { + "displayname": "Dallas (us-south)", + "value": "us-south" + }, + { + "displayname": "Toronto (ca-tor)", + "value": "ca-tor" + }, + { + "displayname": "Washington DC (us-east)", + "value": "us-east" + }, + { + "displayname": "Sao Paulo (br-sao)", + "value": "br-sao" + } + ] + }, + { + "key": "secrets_manager_service_plan", + "required": true, + "virtual": true, + "type": "string", + "options": [ + { + "displayname": "Standard", + "value": "standard" + }, + { + "displayname": "Trial", + "value": "trial" + } + ], + "default_value": "__NOT_SET__", + "description": "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)." + }, { "key": "existing_secrets_manager_crn", "required": true @@ -169,7 +236,44 @@ "description": "This architecture automates the setup of IBM Secrets Manager Custom Credentials Engine. The modular design includes the creation of a service authorization policy and IAM credentials secrets that are needed for provisioning the engine configuration." } ] + }, + "dependencies": [ + { + "name": "deploy-arch-ibm-secrets-manager", + "description": "Create a new Secrets Manager instance.", + "id": "6d6ebc76-7bbd-42f5-8bc7-78f4fabd5944-global", + "version": "v2.6.3", + "flavors": [ + "fully-configurable" + ], + "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", + "optional": true, + "on_by_default": true, + "input_mapping": [ + { + "dependency_input": "prefix", + "version_input": "prefix", + "reference_version": true + }, + { + "dependency_input": "region", + "version_input": "secrets_manager_region", + "reference_version": true + }, + { + "dependency_input": "service_plan", + "version_input": "secrets_manager_service_plan", + "reference_version": true + }, + { + "dependency_output": "secrets_manager_crn", + "version_input": "existing_secrets_manager_crn" + } + ] } + ], + "dependency_version_2": true, + "terraform_version": "1.10.5" } ] } diff --git a/solutions/fully-configurable/catalogValidationValues.json.template b/solutions/fully-configurable/catalogValidationValues.json.template index 6a7b9fc..abec622 100644 --- a/solutions/fully-configurable/catalogValidationValues.json.template +++ b/solutions/fully-configurable/catalogValidationValues.json.template @@ -1,5 +1,8 @@ { "ibmcloud_api_key": $VALIDATION_APIKEY, "existing_secrets_manager_crn": $SM_CRN, - "prefix": $PREFIX + "prefix": $PREFIX, + "custom_credential_engine_name": "test-engine", + "service_id_name": "test-service-id", + "iam_credential_secret_name": "test-credential-secret" } diff --git a/tests/existing-resources/README.md b/tests/existing-resources/README.md new file mode 100644 index 0000000..4bb3621 --- /dev/null +++ b/tests/existing-resources/README.md @@ -0,0 +1 @@ +The terraform code in this directory is used by the existing resource test in tests/pr_test.go diff --git a/tests/existing-resources/main.tf b/tests/existing-resources/main.tf new file mode 100644 index 0000000..f4626a7 --- /dev/null +++ b/tests/existing-resources/main.tf @@ -0,0 +1,34 @@ +############################################################################## +# Resource Group +############################################################################## + +module "resource_group" { + source = "terraform-ibm-modules/resource-group/ibm" + version = "1.3.0" + # if an existing resource group is not set (null) create a new one using prefix + resource_group_name = var.resource_group == null ? "${var.prefix}-resource-group" : null + existing_resource_group_name = var.resource_group +} + +############################################################################## +# Code Engine +############################################################################## + +module "code_engine" { + source = "terraform-ibm-modules/code-engine/ibm" + version = "4.5.7" + resource_group_id = module.resource_group.resource_group_id + project_name = "${var.prefix}-project" + jobs = { + "${var.prefix}-job" = { + image_reference = "icr.io/codeengine/helloworld" + run_env_variables = [{ + type = "literal" + name = "SMOUT_TEST" # The code engine job must have an environment variable of type SMOUT_XXX to be added to custom engine configuration + value = "type:string, required:true" # The code engine job env variable must have a value containing the required:true attribute + }] + run_arguments = ["echo \"hello world\""] + run_commands = ["/bin/sh"] + } + } +} diff --git a/tests/existing-resources/outputs.tf b/tests/existing-resources/outputs.tf new file mode 100644 index 0000000..2ba5db5 --- /dev/null +++ b/tests/existing-resources/outputs.tf @@ -0,0 +1,33 @@ +######################################################################################################################## +# Outputs +######################################################################################################################## + +output "resource_group_id" { + description = "The id of the resource group where resources are created." + value = module.resource_group.resource_group_id +} + +output "resource_group_name" { + description = "The name of the resource group where resources are created." + value = module.resource_group.resource_group_name +} + +output "code_engine_project_id" { + value = module.code_engine.project_id + description = "Code Engine Project ID." +} + +output "code_engine_job_name" { + value = module.code_engine.job["${var.prefix}-job"].name + description = "Code Engine Job Name" +} + +output "prefix" { + description = "Prefix to append to all resources created by this example." + value = var.prefix +} + +output "region" { + value = var.region + description = "region." +} diff --git a/tests/existing-resources/provider.tf b/tests/existing-resources/provider.tf new file mode 100644 index 0000000..df45ef5 --- /dev/null +++ b/tests/existing-resources/provider.tf @@ -0,0 +1,4 @@ +provider "ibm" { + ibmcloud_api_key = var.ibmcloud_api_key + region = var.region +} diff --git a/tests/existing-resources/variables.tf b/tests/existing-resources/variables.tf new file mode 100644 index 0000000..77b2fdb --- /dev/null +++ b/tests/existing-resources/variables.tf @@ -0,0 +1,26 @@ +############################################################################## +# Input variables +############################################################################## + +variable "ibmcloud_api_key" { + type = string + description = "The IBM Cloud API Key." + sensitive = true +} + +variable "region" { + type = string + description = "Region to provision all resources created by this example." + default = "us-south" +} + +variable "prefix" { + type = string + description = "Prefix to append to all resources created by this example." +} + +variable "resource_group" { + type = string + description = "The name of an existing resource group to provision resources in to. If not set a new resource group will be created using the prefix variable." + default = null +} diff --git a/tests/existing-resources/version.tf b/tests/existing-resources/version.tf new file mode 100644 index 0000000..a7da027 --- /dev/null +++ b/tests/existing-resources/version.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= v1.9.0" + required_providers { + ibm = { + source = "IBM-Cloud/ibm" + version = "1.79.2" + } + } +} diff --git a/tests/pr_test.go b/tests/pr_test.go index 4d1e156..c9925d7 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -2,17 +2,26 @@ package test import ( + "fmt" "log" "os" + "strings" "testing" + "github.com/gruntwork-io/terratest/modules/files" + "github.com/gruntwork-io/terratest/modules/logger" + "github.com/gruntwork-io/terratest/modules/random" + "github.com/gruntwork-io/terratest/modules/terraform" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/common" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper" + "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testschematic" ) const completeExampleDir = "examples/complete" const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-resources.yaml" +const fullyConfigFlavorDir = "solutions/fully-configurable" var permanentResources map[string]interface{} @@ -51,6 +60,42 @@ func setupCompleteOptions(t *testing.T, prefix string, dir string) *testhelper.T return options } +func provisionPreReq(t *testing.T, p string) (string, *terraform.Options, error) { + // ------------------------------------------------------------------------------------ + // Provision existing resources first + // ------------------------------------------------------------------------------------ + prefix := fmt.Sprintf("%s-%s", p, strings.ToLower(random.UniqueId())) + realTerraformDir := "./existing-resources" + tempTerraformDir, _ := files.CopyTerraformFolderToTemp(realTerraformDir, fmt.Sprintf(prefix+"-%s", strings.ToLower(random.UniqueId()))) + tags := common.GetTagsFromTravis() + + // Verify ibmcloud_api_key variable is set + checkVariable := "TF_VAR_ibmcloud_api_key" + val, present := os.LookupEnv(checkVariable) + require.True(t, present, checkVariable+" environment variable not set") + require.NotEqual(t, "", val, checkVariable+" environment variable is empty") + + logger.Log(t, "Tempdir: ", tempTerraformDir) + existingTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{ + TerraformDir: tempTerraformDir, + Vars: map[string]interface{}{ + "prefix": prefix, + "resource_tags": tags, + }, + // Set Upgrade to true to ensure latest version of providers and modules are used by terratest. + // This is the same as setting the -upgrade=true flag with terraform. + Upgrade: true, + }) + + terraform.WorkspaceSelectOrNew(t, existingTerraformOptions, prefix) + _, existErr := terraform.InitAndApplyE(t, existingTerraformOptions) + if existErr != nil { + // assert.True(t, existErr == nil, "Init and Apply of temp existing resource failed") + return "", nil, existErr + } + return prefix, existingTerraformOptions, nil +} + func TestRunAdvancedExample(t *testing.T) { t.Parallel() @@ -60,3 +105,121 @@ func TestRunAdvancedExample(t *testing.T) { assert.Nil(t, err, "This should not have errored") assert.NotNil(t, output, "Expected some output") } + +func TestRunSolutionsFullyConfigurableSchematics(t *testing.T) { + t.Parallel() + + prefix, existingTerraformOptions, existErr := provisionPreReq(t, "cus-eng") + + if existErr != nil { + assert.True(t, existErr == nil, "Init and Apply of temp existing resource failed") + } else { + // ------------------------------------------------------------------------------------ + // Deploy DA + // ------------------------------------------------------------------------------------ + options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{ + Testing: t, + Prefix: prefix, + TarIncludePatterns: []string{ + "*.tf", + fullyConfigFlavorDir + "/*.tf", + }, + TemplateFolder: fullyConfigFlavorDir, + Tags: []string{"custom-config-test"}, + DeleteWorkspaceOnFail: false, + WaitJobCompleteMinutes: 60, + }) + + options.TerraformVars = []testschematic.TestSchematicTerraformVar{ + {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, + {Name: "prefix", Value: terraform.Output(t, existingTerraformOptions, "prefix"), DataType: "string"}, + {Name: "existing_secrets_manager_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"}, + {Name: "custom_credential_engine_name", Value: "test-engine", DataType: "string"}, + {Name: "code_engine_project_id", Value: terraform.Output(t, existingTerraformOptions, "code_engine_project_id"), DataType: "string"}, + {Name: "code_engine_job_name", Value: terraform.Output(t, existingTerraformOptions, "code_engine_job_name"), DataType: "string"}, + {Name: "code_engine_region", Value: terraform.Output(t, existingTerraformOptions, "region"), DataType: "string"}, + {Name: "service_id_name", Value: "test-service-id", DataType: "string"}, + {Name: "iam_credential_secret_name", Value: "test-cred-secret", DataType: "string"}, + } + + // need to ignore because of a provider issue: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4719 + options.IgnoreUpdates = testhelper.Exemptions{ + List: []string{ + "module.code_engine.module.job[\"" + options.Prefix + "-job\"].ibm_code_engine_job.ce_job", + }, + } + err := options.RunSchematicTest() + assert.Nil(t, err, "This should not have errored") + } + + // Check if "DO_NOT_DESTROY_ON_FAILURE" is set + envVal, _ := os.LookupEnv("DO_NOT_DESTROY_ON_FAILURE") + // Destroy the temporary existing resources if required + if t.Failed() && strings.ToLower(envVal) == "true" { + fmt.Println("Terratest failed. Debug the test and delete resources manually.") + } else { + logger.Log(t, "START: Destroy (prereq resources)") + terraform.Destroy(t, existingTerraformOptions) + terraform.WorkspaceDelete(t, existingTerraformOptions, prefix) + logger.Log(t, "END: Destroy (prereq resources)") + } +} + +func TestRunSolutionsFullyConfigurableUpgradeSchematics(t *testing.T) { + t.Parallel() + + prefix, existingTerraformOptions, existErr := provisionPreReq(t, "cus-upg") + + if existErr != nil { + assert.True(t, existErr == nil, "Init and Apply of temp existing resource failed") + } else { + // ------------------------------------------------------------------------------------ + // Deploy DA + // ------------------------------------------------------------------------------------ + options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{ + Testing: t, + Prefix: prefix, + TarIncludePatterns: []string{ + "*.tf", + fullyConfigFlavorDir + "/*.tf", + }, + TemplateFolder: fullyConfigFlavorDir, + Tags: []string{"custom-config-test"}, + DeleteWorkspaceOnFail: false, + WaitJobCompleteMinutes: 60, + }) + + options.TerraformVars = []testschematic.TestSchematicTerraformVar{ + {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, + {Name: "prefix", Value: terraform.Output(t, existingTerraformOptions, "prefix"), DataType: "string"}, + {Name: "existing_secrets_manager_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"}, + {Name: "custom_credential_engine_name", Value: "test-engine", DataType: "string"}, + {Name: "code_engine_project_id", Value: terraform.Output(t, existingTerraformOptions, "code_engine_project_id"), DataType: "string"}, + {Name: "code_engine_job_name", Value: terraform.Output(t, existingTerraformOptions, "code_engine_job_name"), DataType: "string"}, + {Name: "code_engine_region", Value: terraform.Output(t, existingTerraformOptions, "region"), DataType: "string"}, + {Name: "service_id_name", Value: "test-service-id", DataType: "string"}, + {Name: "iam_credential_secret_name", Value: "test-cred-secret", DataType: "string"}, + } + + // need to ignore because of a provider issue: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4719 + options.IgnoreUpdates = testhelper.Exemptions{ + List: []string{ + "module.code_engine.module.job[\"" + options.Prefix + "-job\"].ibm_code_engine_job.ce_job", + }, + } + err := options.RunSchematicUpgradeTest() + assert.Nil(t, err, "This should not have errored") + } + + // Check if "DO_NOT_DESTROY_ON_FAILURE" is set + envVal, _ := os.LookupEnv("DO_NOT_DESTROY_ON_FAILURE") + // Destroy the temporary existing resources if required + if t.Failed() && strings.ToLower(envVal) == "true" { + fmt.Println("Terratest failed. Debug the test and delete resources manually.") + } else { + logger.Log(t, "START: Destroy (prereq resources)") + terraform.Destroy(t, existingTerraformOptions) + terraform.WorkspaceDelete(t, existingTerraformOptions, prefix) + logger.Log(t, "END: Destroy (prereq resources)") + } +} diff --git a/tests/scripts/post-validation-destroy-ce.sh b/tests/scripts/post-validation-destroy-ce.sh new file mode 100644 index 0000000..b7c4aa9 --- /dev/null +++ b/tests/scripts/post-validation-destroy-ce.sh @@ -0,0 +1,19 @@ +#! /bin/bash + +######################################################################################################################## +## This script is used by the catalog pipeline to destroy the Code Engine, which was provisioned as a ## +## prerequisite for the fully-configurable custom engine that is published to the catalog ## +######################################################################################################################## + +set -e + +TERRAFORM_SOURCE_DIR="tests/existing-resources" +TF_VARS_FILE="terraform.tfvars" + +( + cd ${TERRAFORM_SOURCE_DIR} + echo "Destroying prerequisite VPC .." + terraform destroy -input=false -auto-approve -var-file=${TF_VARS_FILE} || exit 1 + + echo "Post-validation completed successfully" +) diff --git a/tests/scripts/pre-validation-deploy-ce.sh b/tests/scripts/pre-validation-deploy-ce.sh new file mode 100644 index 0000000..116bf74 --- /dev/null +++ b/tests/scripts/pre-validation-deploy-ce.sh @@ -0,0 +1,48 @@ +#! /bin/bash + +############################################################################################################ +## This script is used by the catalog pipeline to deploy the VPC +## which are the prerequisites for the fully-configurable vsi +############################################################################################################ + +set -e + +DA_DIR="solutions/fully-configurable" +TERRAFORM_SOURCE_DIR="tests/existing-resources" +JSON_FILE="${DA_DIR}/catalogValidationValues.json" +REGION="us-south" +TF_VARS_FILE="terraform.tfvars" + +( + cwd=$(pwd) + cd ${TERRAFORM_SOURCE_DIR} + echo "Provisioning prerequisite code engine.." + terraform init || exit 1 + # $VALIDATION_APIKEY is available in the catalog runtime + { + echo "ibmcloud_api_key=\"${VALIDATION_APIKEY}\"" + echo "region=\"${REGION}\"" + echo "prefix=\"vsi-$(openssl rand -hex 2)\"" + } >>${TF_VARS_FILE} + terraform apply -input=false -auto-approve -var-file=${TF_VARS_FILE} || exit 1 + + code_engine_project_id="code_engine_project_id" + code_engine_project_id_value=$(terraform output -state=terraform.tfstate -raw code_engine_project_id) + code_engine_job_name="code_engine_job_name" + code_engine_job_name_value=$(terraform output -state=terraform.tfstate -raw code_engine_job_name) + code_engine_region="code_engine_region" + code_engine_region_value=$(terraform output -state=terraform.tfstate -raw region) + + echo "Appending '${code_engine_project_id}', '${code_engine_job_name}' and '${code_engine_region}' input variable values to ${JSON_FILE}.." + + cd "${cwd}" + jq -r --arg code_engine_project_id "${code_engine_project_id}" \ + --arg code_engine_project_id_value "${code_engine_project_id_value}" \ + --arg code_engine_job_name "${code_engine_job_name}" \ + --arg code_engine_job_name_value "${code_engine_job_name_value}" \ + --arg code_engine_region "${code_engine_region}" \ + --arg code_engine_region_value "${code_engine_region_value}" \ + '. + {($code_engine_project_id): $code_engine_project_id_value, ($code_engine_job_name): $code_engine_job_name_value, ($code_engine_region): $code_engine_region_value}' "${JSON_FILE}" >tmpfile && mv tmpfile "${JSON_FILE}" || exit 1 + + echo "Pre-validation complete successfully" +) From ec673350f6ab3bcecb072188e01f79452830d295 Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Mon, 18 Aug 2025 17:45:00 +0530 Subject: [PATCH 08/27] test tile --- ibm_catalog.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ibm_catalog.json b/ibm_catalog.json index 0081537..50c3912 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -80,6 +80,7 @@ }, { "key": "secrets_manager_region", + "type": "string", "required": true, "virtual": true, "default_value": "us-south", From c2e809508cbcdfb1d9ecfcdf25fc5d7081846112 Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Tue, 19 Aug 2025 01:46:01 +0530 Subject: [PATCH 09/27] test tile SKIP UPGRADE TEST --- .catalog-onboard-pipeline.yaml | 2 + ibm_catalog.json | 166 ++++++++++---------- solutions/fully-configurable/main.tf | 6 +- solutions/fully-configurable/variables.tf | 10 +- tests/other_test.go | 40 +++++ tests/pr_test.go | 45 +----- tests/scripts/post-validation-destroy-ce.sh | 2 +- tests/scripts/pre-validation-deploy-ce.sh | 34 ++-- 8 files changed, 157 insertions(+), 148 deletions(-) mode change 100644 => 100755 tests/scripts/post-validation-destroy-ce.sh mode change 100644 => 100755 tests/scripts/pre-validation-deploy-ce.sh diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml index 7d2f4bc..4dc51a5 100644 --- a/.catalog-onboard-pipeline.yaml +++ b/.catalog-onboard-pipeline.yaml @@ -12,3 +12,5 @@ offerings: scc: instance_id: region: us-south + pre_validation: "tests/scripts/pre-validation-deploy-ce.sh" + post_validation: "tests/scripts/post-validation-destroy-ce.sh" diff --git a/ibm_catalog.json b/ibm_catalog.json index 50c3912..cfd8bd8 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -21,7 +21,7 @@ "solution" ], "short_description": "Creates and configures a Secrets Manager custom credentials engine.", - "long_description": "This deployable architecture is used to provision and configure a custom credentials engine that will be used to store [custom credential secrets](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-custom-credentials&interface=ui) for external systems in IBM Secrets Manager service. It creates an IAM Credentials secret, a service ID and service policy that will allow the job running in code engin to access secrets manager to update the custom secret. The architecture also creates an IAM service authorization between secrets manager and code engine project. In order to use this deployable architecture make sure a secrets manager instance is created with IAM credentials engine configured or if [Cloud automation for Secrets Manager](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager) is being used then [skip_iam_authorization_policy](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/variables.tf#L58) is set to true.\n\nℹ️ This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", + "long_description": "This deployable architecture is used to provision and configure a custom credentials engine that will be used to store [custom credential secrets](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-custom-credentials&interface=ui) for external systems in IBM Secrets Manager service. It creates an IAM Credentials secret, a service ID and service policy that will allow the job running in code engine to access secrets manager to update the custom secret. The architecture also creates an IAM service authorization between secrets manager and code engine project. In order to use this deployable architecture make sure a secrets manager instance is created with IAM credentials engine configured or use [Cloud automation for Secrets Manager](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager) and a code engine Job is present with the required image.\n\nℹ️ This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/blob/main/README.md", "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/refs/heads/13662-custom-engine/images/secrets_manager_custom_credentials_engine.svg", "provider_name": "IBM", @@ -79,54 +79,54 @@ "hidden": true }, { - "key": "secrets_manager_region", - "type": "string", - "required": true, - "virtual": true, - "default_value": "us-south", - "description": "The region to provision a new Secrets Manager instance in.", - "options": [ - { - "displayname": "Osaka (jp-osa)", - "value": "jp-osa" - }, - { - "displayname": "Sydney (au-syd)", - "value": "au-syd" - }, - { - "displayname": "Tokyo (jp-tok)", - "value": "jp-tok" - }, - { - "displayname": "Frankfurt (eu-de)", - "value": "eu-de" - }, - { - "displayname": "London (eu-gb)", - "value": "eu-gb" - }, - { - "displayname": "Madrid (eu-es)", - "value": "eu-es" - }, - { - "displayname": "Dallas (us-south)", - "value": "us-south" - }, - { - "displayname": "Toronto (ca-tor)", - "value": "ca-tor" - }, - { - "displayname": "Washington DC (us-east)", - "value": "us-east" - }, - { - "displayname": "Sao Paulo (br-sao)", - "value": "br-sao" - } - ] + "key": "secrets_manager_region", + "type": "string", + "required": true, + "virtual": true, + "default_value": "us-south", + "description": "The region to provision a new Secrets Manager instance in.", + "options": [ + { + "displayname": "Osaka (jp-osa)", + "value": "jp-osa" + }, + { + "displayname": "Sydney (au-syd)", + "value": "au-syd" + }, + { + "displayname": "Tokyo (jp-tok)", + "value": "jp-tok" + }, + { + "displayname": "Frankfurt (eu-de)", + "value": "eu-de" + }, + { + "displayname": "London (eu-gb)", + "value": "eu-gb" + }, + { + "displayname": "Madrid (eu-es)", + "value": "eu-es" + }, + { + "displayname": "Dallas (us-south)", + "value": "us-south" + }, + { + "displayname": "Toronto (ca-tor)", + "value": "ca-tor" + }, + { + "displayname": "Washington DC (us-east)", + "value": "us-east" + }, + { + "displayname": "Sao Paulo (br-sao)", + "value": "br-sao" + } + ] }, { "key": "secrets_manager_service_plan", @@ -159,15 +159,15 @@ "required":true }, { - "key": "code_engine_project_id", + "key": "existing_code_engine_project_id", "required":true }, { - "key": "code_engine_job_name", + "key": "existing_code_engine_job_name", "required":true }, { - "key": "code_engine_region", + "key": "existing_code_engine_region", "required":true }, { @@ -239,38 +239,38 @@ ] }, "dependencies": [ - { - "name": "deploy-arch-ibm-secrets-manager", - "description": "Create a new Secrets Manager instance.", - "id": "6d6ebc76-7bbd-42f5-8bc7-78f4fabd5944-global", - "version": "v2.6.3", - "flavors": [ - "fully-configurable" - ], - "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", - "optional": true, - "on_by_default": true, - "input_mapping": [ - { - "dependency_input": "prefix", - "version_input": "prefix", - "reference_version": true - }, { - "dependency_input": "region", - "version_input": "secrets_manager_region", - "reference_version": true - }, - { - "dependency_input": "service_plan", - "version_input": "secrets_manager_service_plan", - "reference_version": true - }, - { - "dependency_output": "secrets_manager_crn", - "version_input": "existing_secrets_manager_crn" - } - ] + "name": "deploy-arch-ibm-secrets-manager", + "description": "Create a new Secrets Manager instance.", + "id": "6d6ebc76-7bbd-42f5-8bc7-78f4fabd5944-global", + "version": "v2.6.3", + "flavors": [ + "fully-configurable" + ], + "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", + "optional": true, + "on_by_default": true, + "input_mapping": [ + { + "dependency_input": "prefix", + "version_input": "prefix", + "reference_version": true + }, + { + "dependency_input": "region", + "version_input": "secrets_manager_region", + "reference_version": true + }, + { + "dependency_input": "service_plan", + "version_input": "secrets_manager_service_plan", + "reference_version": true + }, + { + "dependency_output": "secrets_manager_crn", + "version_input": "existing_secrets_manager_crn" + } + ] } ], "dependency_version_2": true, diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index a3b0679..634831f 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -23,9 +23,9 @@ module "custom_credential_engine" { sm_region = local.existing_secrets_manager_region custom_credential_engine_name = "${local.prefix}${var.custom_credential_engine_name}" endpoint_type = var.endpoint_type - code_engine_project_id = var.code_engine_project_id - code_engine_job_name = var.code_engine_job_name - code_engine_region = var.code_engine_region + code_engine_project_id = var.existing_code_engine_project_id + code_engine_job_name = var.existing_code_engine_job_name + code_engine_region = var.existing_code_engine_region task_timeout = var.task_timeout service_id_name = "${local.prefix}${var.service_id_name}" iam_credential_secret_name = "${local.prefix}${var.iam_credential_secret_name}" diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index b8c4e93..710134a 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -67,17 +67,17 @@ variable "endpoint_type" { } } -variable "code_engine_project_id" { +variable "existing_code_engine_project_id" { type = string - description = "The Project ID of the code engine project used by the custom credentials configuration." + description = "The Project ID of the code engine project used by the custom credentials configuration. [Learn more](https://cloud.ibm.com/docs/codeengine?topic=codeengine-manage-project)" } -variable "code_engine_job_name" { +variable "existing_code_engine_job_name" { type = string - description = "The code engine job name used by this custom credentials configuration." + description = "The code engine job name used by this custom credentials configuration. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-engine-custom-ce-job&interface=ui)" } -variable "code_engine_region" { +variable "existing_code_engine_region" { type = string description = "The region of the code engine project." } diff --git a/tests/other_test.go b/tests/other_test.go index 88d360d..9136163 100644 --- a/tests/other_test.go +++ b/tests/other_test.go @@ -1,2 +1,42 @@ // Tests in this file are NOT run in the PR pipeline. They are run in the continuous testing pipeline along with the ones in pr_test.go package test + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper" +) + +func setupCompleteOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptions { + options := testhelper.TestOptionsDefault(&testhelper.TestOptions{ + Testing: t, + TerraformDir: dir, + Prefix: prefix, + }) + + // need to ignore because of a provider issue: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4719 + options.IgnoreUpdates = testhelper.Exemptions{ + List: []string{ + "module.code_engine.module.job[\"" + options.Prefix + "-job\"].ibm_code_engine_job.ce_job", + }, + } + + options.TerraformVars = map[string]interface{}{ + "prefix": options.Prefix, + "existing_sm_instance_guid": permanentResources["secretsManagerGuid"], + "existing_sm_instance_region": permanentResources["secretsManagerRegion"], + } + + return options +} + +func TestRunAdvancedExample(t *testing.T) { + t.Parallel() + + options := setupCompleteOptions(t, "custom-engine", completeExampleDir) + + output, err := options.RunTestConsistency() + assert.Nil(t, err, "This should not have errored") + assert.NotNil(t, output, "Expected some output") +} diff --git a/tests/pr_test.go b/tests/pr_test.go index c9925d7..a67e3a1 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -37,29 +37,6 @@ func TestMain(m *testing.M) { os.Exit(m.Run()) } -func setupCompleteOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptions { - options := testhelper.TestOptionsDefault(&testhelper.TestOptions{ - Testing: t, - TerraformDir: dir, - Prefix: prefix, - }) - - // need to ignore because of a provider issue: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4719 - options.IgnoreUpdates = testhelper.Exemptions{ - List: []string{ - "module.code_engine.module.job[\"" + options.Prefix + "-job\"].ibm_code_engine_job.ce_job", - }, - } - - options.TerraformVars = map[string]interface{}{ - "prefix": options.Prefix, - "existing_sm_instance_guid": permanentResources["secretsManagerGuid"], - "existing_sm_instance_region": permanentResources["secretsManagerRegion"], - } - - return options -} - func provisionPreReq(t *testing.T, p string) (string, *terraform.Options, error) { // ------------------------------------------------------------------------------------ // Provision existing resources first @@ -96,16 +73,6 @@ func provisionPreReq(t *testing.T, p string) (string, *terraform.Options, error) return prefix, existingTerraformOptions, nil } -func TestRunAdvancedExample(t *testing.T) { - t.Parallel() - - options := setupCompleteOptions(t, "custom-engine", completeExampleDir) - - output, err := options.RunTestConsistency() - assert.Nil(t, err, "This should not have errored") - assert.NotNil(t, output, "Expected some output") -} - func TestRunSolutionsFullyConfigurableSchematics(t *testing.T) { t.Parallel() @@ -135,9 +102,9 @@ func TestRunSolutionsFullyConfigurableSchematics(t *testing.T) { {Name: "prefix", Value: terraform.Output(t, existingTerraformOptions, "prefix"), DataType: "string"}, {Name: "existing_secrets_manager_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"}, {Name: "custom_credential_engine_name", Value: "test-engine", DataType: "string"}, - {Name: "code_engine_project_id", Value: terraform.Output(t, existingTerraformOptions, "code_engine_project_id"), DataType: "string"}, - {Name: "code_engine_job_name", Value: terraform.Output(t, existingTerraformOptions, "code_engine_job_name"), DataType: "string"}, - {Name: "code_engine_region", Value: terraform.Output(t, existingTerraformOptions, "region"), DataType: "string"}, + {Name: "existing_code_engine_project_id", Value: terraform.Output(t, existingTerraformOptions, "code_engine_project_id"), DataType: "string"}, + {Name: "existing_code_engine_job_name", Value: terraform.Output(t, existingTerraformOptions, "code_engine_job_name"), DataType: "string"}, + {Name: "existing_code_engine_region", Value: terraform.Output(t, existingTerraformOptions, "region"), DataType: "string"}, {Name: "service_id_name", Value: "test-service-id", DataType: "string"}, {Name: "iam_credential_secret_name", Value: "test-cred-secret", DataType: "string"}, } @@ -194,9 +161,9 @@ func TestRunSolutionsFullyConfigurableUpgradeSchematics(t *testing.T) { {Name: "prefix", Value: terraform.Output(t, existingTerraformOptions, "prefix"), DataType: "string"}, {Name: "existing_secrets_manager_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"}, {Name: "custom_credential_engine_name", Value: "test-engine", DataType: "string"}, - {Name: "code_engine_project_id", Value: terraform.Output(t, existingTerraformOptions, "code_engine_project_id"), DataType: "string"}, - {Name: "code_engine_job_name", Value: terraform.Output(t, existingTerraformOptions, "code_engine_job_name"), DataType: "string"}, - {Name: "code_engine_region", Value: terraform.Output(t, existingTerraformOptions, "region"), DataType: "string"}, + {Name: "existing_code_engine_project_id", Value: terraform.Output(t, existingTerraformOptions, "code_engine_project_id"), DataType: "string"}, + {Name: "existing_code_engine_job_name", Value: terraform.Output(t, existingTerraformOptions, "code_engine_job_name"), DataType: "string"}, + {Name: "existing_code_engine_region", Value: terraform.Output(t, existingTerraformOptions, "region"), DataType: "string"}, {Name: "service_id_name", Value: "test-service-id", DataType: "string"}, {Name: "iam_credential_secret_name", Value: "test-cred-secret", DataType: "string"}, } diff --git a/tests/scripts/post-validation-destroy-ce.sh b/tests/scripts/post-validation-destroy-ce.sh old mode 100644 new mode 100755 index b7c4aa9..4e2aa1f --- a/tests/scripts/post-validation-destroy-ce.sh +++ b/tests/scripts/post-validation-destroy-ce.sh @@ -12,7 +12,7 @@ TF_VARS_FILE="terraform.tfvars" ( cd ${TERRAFORM_SOURCE_DIR} - echo "Destroying prerequisite VPC .." + echo "Destroying prerequisite Code Engine .." terraform destroy -input=false -auto-approve -var-file=${TF_VARS_FILE} || exit 1 echo "Post-validation completed successfully" diff --git a/tests/scripts/pre-validation-deploy-ce.sh b/tests/scripts/pre-validation-deploy-ce.sh old mode 100644 new mode 100755 index 116bf74..d336574 --- a/tests/scripts/pre-validation-deploy-ce.sh +++ b/tests/scripts/pre-validation-deploy-ce.sh @@ -1,8 +1,8 @@ #! /bin/bash ############################################################################################################ -## This script is used by the catalog pipeline to deploy the VPC -## which are the prerequisites for the fully-configurable vsi +## This script is used by the catalog pipeline to deploy the Code Engine +## which are the prerequisites for the fully-configurable custom credentials engine ############################################################################################################ set -e @@ -22,27 +22,27 @@ TF_VARS_FILE="terraform.tfvars" { echo "ibmcloud_api_key=\"${VALIDATION_APIKEY}\"" echo "region=\"${REGION}\"" - echo "prefix=\"vsi-$(openssl rand -hex 2)\"" + echo "prefix=\"cus-eng-$(openssl rand -hex 2)\"" } >>${TF_VARS_FILE} terraform apply -input=false -auto-approve -var-file=${TF_VARS_FILE} || exit 1 - code_engine_project_id="code_engine_project_id" - code_engine_project_id_value=$(terraform output -state=terraform.tfstate -raw code_engine_project_id) - code_engine_job_name="code_engine_job_name" - code_engine_job_name_value=$(terraform output -state=terraform.tfstate -raw code_engine_job_name) - code_engine_region="code_engine_region" - code_engine_region_value=$(terraform output -state=terraform.tfstate -raw region) + existing_code_engine_project_id="existing_code_engine_project_id" + existing_code_engine_project_id_value=$(terraform output -state=terraform.tfstate -raw code_engine_project_id) + existing_code_engine_job_name="existing_code_engine_job_name" + existing_code_engine_job_name_value=$(terraform output -state=terraform.tfstate -raw code_engine_job_name) + existing_code_engine_region="existing_code_engine_region" + existing_code_engine_region_value=$(terraform output -state=terraform.tfstate -raw region) - echo "Appending '${code_engine_project_id}', '${code_engine_job_name}' and '${code_engine_region}' input variable values to ${JSON_FILE}.." + echo "Appending '${existing_code_engine_project_id}', '${existing_code_engine_job_name}' and '${existing_code_engine_region}' input variable values to ${JSON_FILE}.." cd "${cwd}" - jq -r --arg code_engine_project_id "${code_engine_project_id}" \ - --arg code_engine_project_id_value "${code_engine_project_id_value}" \ - --arg code_engine_job_name "${code_engine_job_name}" \ - --arg code_engine_job_name_value "${code_engine_job_name_value}" \ - --arg code_engine_region "${code_engine_region}" \ - --arg code_engine_region_value "${code_engine_region_value}" \ - '. + {($code_engine_project_id): $code_engine_project_id_value, ($code_engine_job_name): $code_engine_job_name_value, ($code_engine_region): $code_engine_region_value}' "${JSON_FILE}" >tmpfile && mv tmpfile "${JSON_FILE}" || exit 1 + jq -r --arg existing_code_engine_project_id "${existing_code_engine_project_id}" \ + --arg existing_code_engine_project_id_value "${existing_code_engine_project_id_value}" \ + --arg existing_code_engine_job_name "${existing_code_engine_job_name}" \ + --arg existing_code_engine_job_name_value "${existing_code_engine_job_name_value}" \ + --arg existing_code_engine_region "${existing_code_engine_region}" \ + --arg existing_code_engine_region_value "${existing_code_engine_region_value}" \ + '. + {($existing_code_engine_project_id): $existing_code_engine_project_id_value, ($existing_code_engine_job_name): $existing_code_engine_job_name_value, ($existing_code_engine_region): $existing_code_engine_region_value}' "${JSON_FILE}" >tmpfile && mv tmpfile "${JSON_FILE}" || exit 1 echo "Pre-validation complete successfully" ) From a2fa4fefbc9dce4ef02bf5893a45485adc1077a8 Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Tue, 19 Aug 2025 01:52:09 +0530 Subject: [PATCH 10/27] SKIP UPGRADE TEST --- tests/pr_test.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/pr_test.go b/tests/pr_test.go index a67e3a1..bbe5905 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -44,7 +44,6 @@ func provisionPreReq(t *testing.T, p string) (string, *terraform.Options, error) prefix := fmt.Sprintf("%s-%s", p, strings.ToLower(random.UniqueId())) realTerraformDir := "./existing-resources" tempTerraformDir, _ := files.CopyTerraformFolderToTemp(realTerraformDir, fmt.Sprintf(prefix+"-%s", strings.ToLower(random.UniqueId()))) - tags := common.GetTagsFromTravis() // Verify ibmcloud_api_key variable is set checkVariable := "TF_VAR_ibmcloud_api_key" @@ -56,8 +55,7 @@ func provisionPreReq(t *testing.T, p string) (string, *terraform.Options, error) existingTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{ TerraformDir: tempTerraformDir, Vars: map[string]interface{}{ - "prefix": prefix, - "resource_tags": tags, + "prefix": prefix, }, // Set Upgrade to true to ensure latest version of providers and modules are used by terratest. // This is the same as setting the -upgrade=true flag with terraform. From ab5fbbc465878170eb6d0283d09f1a71b4f0d648 Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Tue, 19 Aug 2025 11:55:26 +0530 Subject: [PATCH 11/27] SKIP UPGRADE TEST --- README.md | 2 +- cra-config.yaml | 2 +- examples/complete/README.md | 10 ++++++---- examples/complete/version.tf | 6 ------ .../secrets_manager_custom_credentials_engine.svg | 2 +- 5 files changed, 9 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 4f2c620..ac7ddf0 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ TODO: Replace this with a description of the modules in this repo. ## Overview * [terraform-ibm-secrets-manager-custom-credentials-engine](#terraform-ibm-secrets-manager-custom-credentials-engine) * [Examples](./examples) - * [Basic example](./examples/complete) + * [Complete example](./examples/complete) * [Contributing](#contributing) diff --git a/cra-config.yaml b/cra-config.yaml index 9a4c7fa..7fd07f7 100644 --- a/cra-config.yaml +++ b/cra-config.yaml @@ -7,7 +7,7 @@ version: "v1" CRA_TARGETS: - - CRA_TARGET: "examples/advanced" # Target directory for CRA scan. If not provided, the CRA Scan will not be run. + - CRA_TARGET: "examples/complete" # Target directory for CRA scan. If not provided, the CRA Scan will not be run. CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3" # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile). # SCC_INSTANCE_ID: "" # The SCC instance ID to use to download profile for CRA scan. If not provided, a default global value will be used. diff --git a/examples/complete/README.md b/examples/complete/README.md index e5977ae..291d9bf 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -1,11 +1,13 @@ -# Basic example +# Complete example -An end-to-end basic example that will provision the following: +An end-to-end complete example that will provision the following: - A new resource group if one is not passed in. -- A new standard plan Cloud Object Storage instance using the root level module. +- A new secrets manager instance with IAM credentials engine configured if an existing instance CRN is not passed. +- A new code engine project with code engine job. +- A custom credentials engine with IAM authorization policy for code engine job and IAM credential secret. diff --git a/examples/complete/version.tf b/examples/complete/version.tf index 7c44064..e4c66ae 100644 --- a/examples/complete/version.tf +++ b/examples/complete/version.tf @@ -1,12 +1,6 @@ terraform { required_version = ">= 1.9.0" - # - # Developer tips: - # - Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main - # module's version.tf (usually a basic example), and 1 example that will always use the latest provider version. - # - required_providers { ibm = { source = "IBM-Cloud/ibm" diff --git a/reference-architecture/secrets_manager_custom_credentials_engine.svg b/reference-architecture/secrets_manager_custom_credentials_engine.svg index ab8c751..1ba9104 100644 --- a/reference-architecture/secrets_manager_custom_credentials_engine.svg +++ b/reference-architecture/secrets_manager_custom_credentials_engine.svg @@ -1,4 +1,4 @@ -
Cloud
Region
Resource Group
Secrets Manager
Secrets Manager Custom Credentials Engine \ No newline at end of file +
Cloud
    Region
Resource Group
Secrets Manager
Secrets Manager Custom Credentials Engine \ No newline at end of file From 43b2764e785aa2771d31b2662b002628a8cc01fe Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Tue, 19 Aug 2025 13:43:52 +0530 Subject: [PATCH 12/27] SKIP UPGRADE TEST --- .secrets.baseline | 15 +---- README.md | 118 +++++++++++------------------------- examples/complete/README.md | 6 -- ibm_catalog.json | 111 +-------------------------------- 4 files changed, 39 insertions(+), 211 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index a14d8aa..eb18f9a 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2025-08-12T09:08:09Z", + "generated_at": "2025-08-19T08:13:41Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -76,18 +76,7 @@ "name": "TwilioKeyDetector" } ], - "results": { - "README.md": [ - { - "hashed_secret": "ff9ee043d85595eb255c05dfe32ece02a53efbb2", - "is_secret": false, - "is_verified": false, - "line_number": 73, - "type": "Secret Keyword", - "verified_result": null - } - ] - }, + "results": {}, "version": "0.13.1+ibm.62.dss", "word_list": { "file": null, diff --git a/README.md b/README.md index ac7ddf0..0fdac7d 100644 --- a/README.md +++ b/README.md @@ -1,26 +1,20 @@ - -# Secrets Manager custom credentials engine - - -[![Incubating (Not yet consumable)](https://img.shields.io/badge/status-Incubating%20(Not%20yet%20consumable)-red)](https://terraform-ibm-modules.github.io/documentation/#/badge-status) -[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/releases/latest) +# Secrets Manager custom credentials engine module + +[![Graduated (Supported)](https://img.shields.io/badge/Status-Graduated%20(Supported)-brightgreen)](https://terraform-ibm-modules.github.io/documentation/#/badge-status) [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit) +[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/releases/latest) [![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/) [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release) - +- [IAM service authorization]((https://cloud.ibm.com/docs/account?topic=account-serviceauth&interface=ui)) policy creation between Secrets Manager as source and Code Engine Project as target +- [IAM credentials secret](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-iam-credentials&interface=terraform) creation for allowing code engine job to fetch secrets +- [Custom credentials engine](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-custom-credentials-config&interface=terraform) -TODO: Replace this with a description of the modules in this repo. +These components are needed in order to create the custom credentials secret in SM instance. @@ -33,87 +27,43 @@ TODO: Replace this with a description of the modules in this repo. - - +## Reference architectures + +Refer [here](./reference-architecture/secrets_manager_custom_credentials_engine.svg) for reference architecture. - ## terraform-ibm-secrets-manager-custom-credentials-engine ### Usage - - ```hcl -terraform { - required_version = ">= 1.9.0" - required_providers { - ibm = { - source = "IBM-Cloud/ibm" - version = "X.Y.Z" # Lock into a provider version that satisfies the module constraints - } - } +module "custom_credential_engine" { + source = "terraform-ibm-modules/secrets-manager-custom-credentials-engine/ibm" + version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release + sm_guid = "" + sm_region = "" + custom_credential_engine_name = "My Custom Credentials Engine" + endpoint_type = "public" + code_engine_project_id = "" + code_engine_job_name = "" + code_engine_region = "" + task_timeout = "5m" + service_id_name = "My Service ID" + iam_credential_secret_name = "My Credentials Secret" } -locals { - region = "us-south" -} - -provider "ibm" { - ibmcloud_api_key = "XXXXXXXXXX" # replace with apikey value - region = local.region -} - -module "module_template" { - source = "terraform-ibm-modules//ibm" - version = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release - region = local.region - name = "instance-name" - resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX" # Replace with the actual ID of resource group to use -} ``` -### Required access policies - - - - - - +### Required IAM access policies + +You need the following permissions to run this module. +- IAM Services + - **Secrets Manager** service + - `Administrator` platform access + - `Manager` service access diff --git a/examples/complete/README.md b/examples/complete/README.md index 291d9bf..1eb7ae6 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -1,11 +1,5 @@ # Complete example - - An end-to-end complete example that will provision the following: - A new resource group if one is not passed in. - A new secrets manager instance with IAM credentials engine configured if an existing instance CRN is not passed. diff --git a/ibm_catalog.json b/ibm_catalog.json index cfd8bd8..f444854 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -21,9 +21,9 @@ "solution" ], "short_description": "Creates and configures a Secrets Manager custom credentials engine.", - "long_description": "This deployable architecture is used to provision and configure a custom credentials engine that will be used to store [custom credential secrets](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-custom-credentials&interface=ui) for external systems in IBM Secrets Manager service. It creates an IAM Credentials secret, a service ID and service policy that will allow the job running in code engine to access secrets manager to update the custom secret. The architecture also creates an IAM service authorization between secrets manager and code engine project. In order to use this deployable architecture make sure a secrets manager instance is created with IAM credentials engine configured or use [Cloud automation for Secrets Manager](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager) and a code engine Job is present with the required image.\n\nℹ️ This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", + "long_description": "This deployable architecture is used to provision and configure a custom credentials engine that will be used to store [custom credential secrets](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-custom-credentials&interface=ui) for external systems in IBM Secrets Manager service. It creates an IAM Credentials secret, a service ID and service policy that will allow the job running in code engine to access secrets manager to update the custom secret. The architecture also creates an IAM service authorization between secrets manager and code engine project. In order to use this deployable architecture make sure a secrets manager instance is created with IAM credentials engine configured or use [Cloud automation for Secrets Manager](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager) and a code engine job is present with the required image.\n\nℹ️ This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/blob/main/README.md", - "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/refs/heads/13662-custom-engine/images/secrets_manager_custom_credentials_engine.svg", + "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/main/images/secrets_manager_custom_credentials_engine.svg", "provider_name": "IBM", "features": [ { @@ -78,74 +78,6 @@ ], "hidden": true }, - { - "key": "secrets_manager_region", - "type": "string", - "required": true, - "virtual": true, - "default_value": "us-south", - "description": "The region to provision a new Secrets Manager instance in.", - "options": [ - { - "displayname": "Osaka (jp-osa)", - "value": "jp-osa" - }, - { - "displayname": "Sydney (au-syd)", - "value": "au-syd" - }, - { - "displayname": "Tokyo (jp-tok)", - "value": "jp-tok" - }, - { - "displayname": "Frankfurt (eu-de)", - "value": "eu-de" - }, - { - "displayname": "London (eu-gb)", - "value": "eu-gb" - }, - { - "displayname": "Madrid (eu-es)", - "value": "eu-es" - }, - { - "displayname": "Dallas (us-south)", - "value": "us-south" - }, - { - "displayname": "Toronto (ca-tor)", - "value": "ca-tor" - }, - { - "displayname": "Washington DC (us-east)", - "value": "us-east" - }, - { - "displayname": "Sao Paulo (br-sao)", - "value": "br-sao" - } - ] - }, - { - "key": "secrets_manager_service_plan", - "required": true, - "virtual": true, - "type": "string", - "options": [ - { - "displayname": "Standard", - "value": "standard" - }, - { - "displayname": "Trial", - "value": "trial" - } - ], - "default_value": "__NOT_SET__", - "description": "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)." - }, { "key": "existing_secrets_manager_crn", "required": true @@ -231,50 +163,13 @@ { "diagram": { "caption": "Secrets Manager Custom Credentials Engine", - "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/refs/heads/13662-custom-engine/reference-architecture/secrets_manager_custom_credentials_engine.svg", + "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/main/reference-architecture/secrets_manager_custom_credentials_engine.svg", "type": "image/svg+xml" }, "description": "This architecture automates the setup of IBM Secrets Manager Custom Credentials Engine. The modular design includes the creation of a service authorization policy and IAM credentials secrets that are needed for provisioning the engine configuration." } ] - }, - "dependencies": [ - { - "name": "deploy-arch-ibm-secrets-manager", - "description": "Create a new Secrets Manager instance.", - "id": "6d6ebc76-7bbd-42f5-8bc7-78f4fabd5944-global", - "version": "v2.6.3", - "flavors": [ - "fully-configurable" - ], - "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", - "optional": true, - "on_by_default": true, - "input_mapping": [ - { - "dependency_input": "prefix", - "version_input": "prefix", - "reference_version": true - }, - { - "dependency_input": "region", - "version_input": "secrets_manager_region", - "reference_version": true - }, - { - "dependency_input": "service_plan", - "version_input": "secrets_manager_service_plan", - "reference_version": true - }, - { - "dependency_output": "secrets_manager_crn", - "version_input": "existing_secrets_manager_crn" - } - ] } - ], - "dependency_version_2": true, - "terraform_version": "1.10.5" } ] } From c887a46fe1ebea8889bc674ceeb76447b8aef526 Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Tue, 19 Aug 2025 15:49:44 +0530 Subject: [PATCH 13/27] IAM permissions --- README.md | 7 +- examples/complete/variables.tf | 2 +- ibm_catalog.json | 171 ++++++++++++++++++++++++++++++++- 3 files changed, 176 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 0fdac7d..6a48ba4 100644 --- a/README.md +++ b/README.md @@ -60,12 +60,17 @@ module "custom_credential_engine" { You need the following permissions to run this module. +- Account Management + - **IAM Identity** services + - `Administrator` platform access + - `Service ID Creator` service access + - **All Identity and Access enabled** services + - `Administrator` platform access - IAM Services - **Secrets Manager** service - `Administrator` platform access - `Manager` service access - ### Requirements diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index f94b79d..ae0ac05 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -34,7 +34,7 @@ variable "resource_tags" { variable "existing_sm_instance_guid" { type = string - description = "Existing Secrets Manager GUID. The existing Secret Manager instance must have private certificate engine configured. If not provided an new instance will be provisioned." + description = "Existing Secrets Manager GUID. The existing Secret Manager instance must have IAM credentials engine configured. If not provided an new instance needs to be provisioned." default = null } diff --git a/ibm_catalog.json b/ibm_catalog.json index f444854..cb54b02 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -78,6 +78,73 @@ ], "hidden": true }, + { + "key": "secrets_manager_region", + "required": true, + "virtual": true, + "default_value": "us-south", + "description": "The region to provision a new Secrets Manager instance in.", + "options": [ + { + "displayname": "Osaka (jp-osa)", + "value": "jp-osa" + }, + { + "displayname": "Sydney (au-syd)", + "value": "au-syd" + }, + { + "displayname": "Tokyo (jp-tok)", + "value": "jp-tok" + }, + { + "displayname": "Frankfurt (eu-de)", + "value": "eu-de" + }, + { + "displayname": "London (eu-gb)", + "value": "eu-gb" + }, + { + "displayname": "Madrid (eu-es)", + "value": "eu-es" + }, + { + "displayname": "Dallas (us-south)", + "value": "us-south" + }, + { + "displayname": "Toronto (ca-tor)", + "value": "ca-tor" + }, + { + "displayname": "Washington DC (us-east)", + "value": "us-east" + }, + { + "displayname": "Sao Paulo (br-sao)", + "value": "br-sao" + } + ] + }, + { + "key": "secrets_manager_service_plan", + "required": true, + "virtual": true, + "type": "string", + "options": [ + { + "displayname": "Standard", + "value": "standard" + }, + { + "displayname": "Trial", + "value": "trial" + } + ], + "default_value": "__NOT_SET__", + "description": "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)." + }, { "key": "existing_secrets_manager_crn", "required": true @@ -144,11 +211,74 @@ ], "iam_permissions": [ { - "service_name": "secrets-manager", "role_crns": [ "crn:v1:bluemix:public:iam::::role:Administrator", "crn:v1:bluemix:public:iam::::serviceRole:Manager" - ] + ], + "service_name": "secrets-manager", + "notes": "Required for creating secrets manager instance as well as custom credentials engine" + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator", + "crn:v1:bluemix:public:iam-identity::::serviceRole:ServiceIdCreator" + ], + "service_name": "IAM Identity Service", + "notes": "Required for creating service ID for allowing code engine job to fetch secrets from secrets manager instance" + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator" + ], + "service_name": "All Identity and Access enabled services", + "notes": "Required for creating IAM authorization policy between secrets manager and code engine project. Optionally required to deploy Cloud automation for account configuration which creates foundational IBM Cloud account resources, like resource group with account settings " + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator" + ], + "service_name": "All Account Management services", + "notes": "[Optional] Required to deploy Cloud automation for account configuration which creates resource group and to create trusted profile for App Configuration aggregator." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "event-notifications", + "notes": "[Optional] Required if you are configuring an Event Notifications Instance." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "sysdig-monitor", + "notes": "[Optional] Required if you are consuming the Observability deployable architecture which sets up Cloud Monitoring." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "logs", + "notes": "[Optional] Required if you are consuming the Observability deployable architecture which sets up Cloud Logs." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "hs-crypto", + "notes": "[Optional] Required if you are creating/configuring keys in an existing Hyper Protect Crypto Services (HPCS) instance for encryption." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "kms", + "notes": "[Optional] Required if you are creating/configuring Key Protect instance and keys for encryption." } ], "architecture": { @@ -169,7 +299,44 @@ "description": "This architecture automates the setup of IBM Secrets Manager Custom Credentials Engine. The modular design includes the creation of a service authorization policy and IAM credentials secrets that are needed for provisioning the engine configuration." } ] + }, + "dependencies": [ + { + "name": "deploy-arch-ibm-secrets-manager", + "description": "Create a new Secrets Manager instance.", + "id": "6d6ebc76-7bbd-42f5-8bc7-78f4fabd5944-global", + "version": "v2.6.3", + "flavors": [ + "fully-configurable" + ], + "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", + "optional": true, + "on_by_default": true, + "input_mapping": [ + { + "dependency_input": "prefix", + "version_input": "prefix", + "reference_version": true + }, + { + "dependency_input": "region", + "version_input": "secrets_manager_region", + "reference_version": true + }, + { + "dependency_input": "service_plan", + "version_input": "secrets_manager_service_plan", + "reference_version": true + }, + { + "dependency_output": "secrets_manager_crn", + "version_input": "existing_secrets_manager_crn" + } + ] } + ], + "dependency_version_2": true, + "terraform_version": "1.10.5" } ] } From 4426f569feff0c1aa1ec7eccb9335852e2f3e98d Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Wed, 20 Aug 2025 02:13:26 +0530 Subject: [PATCH 14/27] test catalog --- ibm_catalog.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index cb54b02..73d506d 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -142,7 +142,7 @@ "value": "trial" } ], - "default_value": "__NOT_SET__", + "default_value": "standard", "description": "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)." }, { From fc6fa97e87990aa58cfb6014923ff1d51a7918b8 Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Thu, 21 Aug 2025 02:35:04 +0530 Subject: [PATCH 15/27] PR changes --- .catalog-onboard-pipeline.yaml | 6 +++--- README.md | 16 ++++++++-------- examples/complete/main.tf | 4 ++-- examples/complete/outputs.tf | 4 ++-- main.tf | 14 +++++++------- outputs.tf | 2 +- solutions/fully-configurable/main.tf | 4 ++-- solutions/fully-configurable/outputs.tf | 4 ++-- solutions/fully-configurable/variables.tf | 10 +++++----- variables.tf | 14 +++++++------- 10 files changed, 39 insertions(+), 39 deletions(-) diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml index 4dc51a5..2cdd1f2 100644 --- a/.catalog-onboard-pipeline.yaml +++ b/.catalog-onboard-pipeline.yaml @@ -3,14 +3,14 @@ apiVersion: v1 offerings: - name: deploy-arch-secrets-manager-custom-credentials-engine kind: solution - catalog_id: - offering_id: + catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd + offering_id: 6a7e04c0-f3ef-439b-9d3c-cdb4e583ae9c variations: - name: fully-configurable mark_ready: true install_type: fullstack scc: - instance_id: + instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37 region: us-south pre_validation: "tests/scripts/pre-validation-deploy-ce.sh" post_validation: "tests/scripts/post-validation-destroy-ce.sh" diff --git a/README.md b/README.md index 6a48ba4..8460026 100644 --- a/README.md +++ b/README.md @@ -105,15 +105,15 @@ You need the following permissions to run this module. | [code\_engine\_region](#input\_code\_engine\_region) | The region of the code engine project. | `string` | n/a | yes | | [custom\_credential\_engine\_name](#input\_custom\_credential\_engine\_name) | The name of the custom credentials engine to be created. | `string` | n/a | yes | | [endpoint\_type](#input\_endpoint\_type) | The endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private`. | `string` | `"public"` | no | -| [iam\_credential\_secret\_auto\_rotation\_interval](#input\_iam\_credential\_secret\_auto\_rotation\_interval) | Specifies the rotation interval for the rotation policy. | `string` | `60` | no | -| [iam\_credential\_secret\_auto\_rotation\_unit](#input\_iam\_credential\_secret\_auto\_rotation\_unit) | Specifies the unit of time for rotation policy. Acceptable values are `day` or `month`. | `string` | `"day"` | no | -| [iam\_credential\_secret\_group\_id](#input\_iam\_credential\_secret\_group\_id) | Secret Group ID of secret where IAM Secret will be added to, leave default (null) to add in default secret-group. | `string` | `null` | no | +| [iam\_credential\_secret\_auto\_rotation\_interval](#input\_iam\_credential\_secret\_auto\_rotation\_interval) | The rotation interval for the rotation policy. | `string` | `60` | no | +| [iam\_credential\_secret\_auto\_rotation\_unit](#input\_iam\_credential\_secret\_auto\_rotation\_unit) | The unit of time for rotation policy. Acceptable values are `day` or `month`. | `string` | `"day"` | no | +| [iam\_credential\_secret\_group\_id](#input\_iam\_credential\_secret\_group\_id) | Secret Group ID of secret where IAM Secret will be added to, leave default (null) to add in the default secret group. | `string` | `null` | no | | [iam\_credential\_secret\_labels](#input\_iam\_credential\_secret\_labels) | Optional list of up to 30 labels to be created on the secret. Labels can be used to search for secrets in the Secrets Manager instance. | `list(string)` | `[]` | no | -| [iam\_credential\_secret\_name](#input\_iam\_credential\_secret\_name) | The name of the IAM credential secret to allow code engine job to pull secrets from SM. | `string` | n/a | yes | +| [iam\_credential\_secret\_name](#input\_iam\_credential\_secret\_name) | The name of the IAM credential secret to allow code engine job to pull secrets from Secrets Manager. | `string` | n/a | yes | | [iam\_credential\_secret\_ttl](#input\_iam\_credential\_secret\_ttl) | Specify validity / lease duration of ServiceID API key. Accepted values and formats are: SECONDS, Xm or Xh (where X is the number of minutes or hours appended to m or h respectively). | `string` | `"7776000"` | no | -| [service\_id\_name](#input\_service\_id\_name) | The name of the service ID to be created to allow code engine job to pull secrets from SM. | `string` | n/a | yes | -| [sm\_guid](#input\_sm\_guid) | GUID of secrets manager instance to create the secret engine in. | `string` | n/a | yes | -| [sm\_region](#input\_sm\_region) | The region of the secrets manager instance. | `string` | n/a | yes | +| [secrets\_manager\_guid](#input\_secrets\_manager\_guid) | GUID of secrets manager instance to create the secret engine in. | `string` | n/a | yes | +| [secrets\_manager\_region](#input\_secrets\_manager\_region) | The region of the secrets manager instance. | `string` | n/a | yes | +| [service\_id\_name](#input\_service\_id\_name) | The name of the service ID to be created to allow code engine job to pull secrets from Secrets Manager. | `string` | n/a | yes | | [task\_timeout](#input\_task\_timeout) | The maximum allowed time for a code engine job to be completed. | `string` | `"5m"` | no | ### Outputs @@ -123,7 +123,7 @@ You need the following permissions to run this module. | [code\_engine\_key\_ref](#output\_code\_engine\_key\_ref) | The IAM API key used by the credentials system to access the secrets manager instance. | | [custom\_config\_engine\_id](#output\_custom\_config\_engine\_id) | The unique identifier of the engine created. | | [custom\_config\_engine\_name](#output\_custom\_config\_engine\_name) | The name of the engine created. | -| [sm\_custom\_credentials\_configuration\_schema](#output\_sm\_custom\_credentials\_configuration\_schema) | The schema that defines the format of the input and output parameters. | +| [secrets\_manager\_custom\_credentials\_configuration\_schema](#output\_secrets\_manager\_custom\_credentials\_configuration\_schema) | The schema that defines the format of the input and output parameters. | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 91537cf..2127497 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -65,8 +65,8 @@ module "secrets_manager" { module "custom_engine" { depends_on = [module.code_engine, module.secrets_manager] source = "../.." - sm_guid = local.sm_guid - sm_region = local.sm_region + secrets_manager_guid = local.sm_guid + secrets_manager_region = local.sm_region custom_credential_engine_name = "${var.prefix}-engine" code_engine_project_id = module.code_engine.project_id code_engine_job_name = module.code_engine.job["${var.prefix}-job"].name diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf index 0e2628e..2b8f7c8 100644 --- a/examples/complete/outputs.tf +++ b/examples/complete/outputs.tf @@ -18,7 +18,7 @@ output "code_engine_key_ref" { value = module.custom_engine.code_engine_key_ref } -output "sm_custom_credentials_configuration_schema" { +output "secrets_manager_custom_credentials_configuration_schema" { description = "The schema that defines the format of the input and output parameters." - value = module.custom_engine.sm_custom_credentials_configuration_schema + value = module.custom_engine.secrets_manager_custom_credentials_configuration_schema } diff --git a/main.tf b/main.tf index 381f607..d65229f 100644 --- a/main.tf +++ b/main.tf @@ -13,13 +13,13 @@ resource "ibm_iam_service_policy" "sm_service_id_policy" { resources { service = "secrets-manager" - resource_instance_id = var.sm_guid + resource_instance_id = var.secrets_manager_guid } } resource "time_sleep" "wait_for_service_id" { depends_on = [ibm_iam_service_id.sm_service_id, ibm_iam_service_policy.sm_service_id_policy] - create_duration = "30s" + create_duration = "60s" } ############################################################################## @@ -30,8 +30,8 @@ module "sm_iam_credential_secret" { depends_on = [time_sleep.wait_for_service_id] source = "terraform-ibm-modules/iam-serviceid-apikey-secrets-manager/ibm" version = "1.2.0" - region = var.sm_region - secrets_manager_guid = var.sm_guid + region = var.secrets_manager_region + secrets_manager_guid = var.secrets_manager_guid secret_group_id = var.iam_credential_secret_group_id sm_iam_secret_ttl = var.iam_credential_secret_ttl service_endpoints = var.endpoint_type @@ -51,7 +51,7 @@ module "sm_iam_credential_secret" { resource "ibm_iam_authorization_policy" "sm_ce_policy" { source_service_name = "secrets-manager" - source_resource_instance_id = var.sm_guid + source_resource_instance_id = var.secrets_manager_guid target_service_name = "codeengine" target_resource_instance_id = var.code_engine_project_id roles = ["Viewer", "Writer"] @@ -63,8 +63,8 @@ resource "ibm_iam_authorization_policy" "sm_ce_policy" { resource "ibm_sm_custom_credentials_configuration" "custom_credentials_configuration_instance" { depends_on = [module.sm_iam_credential_secret, ibm_iam_authorization_policy.sm_ce_policy] - instance_id = var.sm_guid - region = var.sm_region + instance_id = var.secrets_manager_guid + region = var.secrets_manager_region name = var.custom_credential_engine_name endpoint_type = var.endpoint_type api_key_ref = module.sm_iam_credential_secret.secret_id diff --git a/outputs.tf b/outputs.tf index 5bb2962..6268f0c 100644 --- a/outputs.tf +++ b/outputs.tf @@ -18,7 +18,7 @@ output "code_engine_key_ref" { value = ibm_sm_custom_credentials_configuration.custom_credentials_configuration_instance.code_engine_key_ref } -output "sm_custom_credentials_configuration_schema" { +output "secrets_manager_custom_credentials_configuration_schema" { description = "The schema that defines the format of the input and output parameters." value = ibm_sm_custom_credentials_configuration.custom_credentials_configuration_instance.schema } diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 634831f..4e6d6e2 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -19,8 +19,8 @@ locals { module "custom_credential_engine" { source = "../.." - sm_guid = local.existing_secrets_manager_guid - sm_region = local.existing_secrets_manager_region + secrets_manager_guid = local.existing_secrets_manager_guid + secrets_manager_region = local.existing_secrets_manager_region custom_credential_engine_name = "${local.prefix}${var.custom_credential_engine_name}" endpoint_type = var.endpoint_type code_engine_project_id = var.existing_code_engine_project_id diff --git a/solutions/fully-configurable/outputs.tf b/solutions/fully-configurable/outputs.tf index 3adfca3..c09638a 100644 --- a/solutions/fully-configurable/outputs.tf +++ b/solutions/fully-configurable/outputs.tf @@ -14,7 +14,7 @@ output "code_engine_key_ref" { value = module.custom_credential_engine.code_engine_key_ref } -output "sm_custom_credentials_configuration_schema" { +output "secrets_manager_custom_credentials_configuration_schema" { description = "The schema that defines the format of the input and output parameters." - value = module.custom_credential_engine.sm_custom_credentials_configuration_schema + value = module.custom_credential_engine.secrets_manager_custom_credentials_configuration_schema } diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 710134a..7680f92 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -95,12 +95,12 @@ variable "task_timeout" { variable "service_id_name" { type = string - description = "The name of the service ID to be created to allow code engine job to pull secrets from SM." + description = "The name of the service ID to be created to allow code engine job to pull secrets from Secrets Manager." } variable "iam_credential_secret_name" { type = string - description = "The name of the IAM credential secret to allow code engine job to pull secrets from SM." + description = "The name of the IAM credential secret to allow code engine job to pull secrets from Secrets Manager." } variable "iam_credential_secret_group_id" { @@ -111,13 +111,13 @@ variable "iam_credential_secret_group_id" { variable "iam_credential_secret_ttl" { type = string - description = "Specify validity / lease duration of ServiceID API key. Accepted values and formats are: SECONDS, Xm or Xh (where X is the number of minutes or hours appended to m or h respectively)." + description = "The validity / lease duration of ServiceID API key. Accepted values and formats are: SECONDS, Xm or Xh (where X is the number of minutes or hours appended to m or h respectively)." default = "7776000" #tfsec:ignore:general-secrets-no-plaintext-exposure Default set to 90days } variable "iam_credential_secret_auto_rotation_interval" { type = string - description = "Specifies the rotation interval for the rotation policy." + description = "The rotation interval for the rotation policy." default = 60 validation { @@ -128,7 +128,7 @@ variable "iam_credential_secret_auto_rotation_interval" { variable "iam_credential_secret_auto_rotation_unit" { type = string - description = "Specifies the unit of time for rotation policy. Acceptable values are `day` or `month`." + description = "The unit of time for rotation policy. Acceptable values are `day` or `month`." default = "day" #tfsec:ignore:general-secrets-no-plaintext-exposure validation { diff --git a/variables.tf b/variables.tf index 4dc3b07..037ca1c 100644 --- a/variables.tf +++ b/variables.tf @@ -2,12 +2,12 @@ # Input Variables ######################################################################################################################## -variable "sm_guid" { +variable "secrets_manager_guid" { type = string description = "GUID of secrets manager instance to create the secret engine in." } -variable "sm_region" { +variable "secrets_manager_region" { type = string description = "The region of the secrets manager instance." } @@ -55,17 +55,17 @@ variable "task_timeout" { variable "service_id_name" { type = string - description = "The name of the service ID to be created to allow code engine job to pull secrets from SM." + description = "The name of the service ID to be created to allow code engine job to pull secrets from Secrets Manager." } variable "iam_credential_secret_name" { type = string - description = "The name of the IAM credential secret to allow code engine job to pull secrets from SM." + description = "The name of the IAM credential secret to allow code engine job to pull secrets from Secrets Manager." } variable "iam_credential_secret_group_id" { type = string - description = "Secret Group ID of secret where IAM Secret will be added to, leave default (null) to add in default secret-group." + description = "Secret Group ID of secret where IAM Secret will be added to, leave default (null) to add in the default secret group." default = null #tfsec:ignore:GEN001 } @@ -77,7 +77,7 @@ variable "iam_credential_secret_ttl" { variable "iam_credential_secret_auto_rotation_interval" { type = string - description = "Specifies the rotation interval for the rotation policy." + description = "The rotation interval for the rotation policy." default = 60 validation { @@ -88,7 +88,7 @@ variable "iam_credential_secret_auto_rotation_interval" { variable "iam_credential_secret_auto_rotation_unit" { type = string - description = "Specifies the unit of time for rotation policy. Acceptable values are `day` or `month`." + description = "The unit of time for rotation policy. Acceptable values are `day` or `month`." default = "day" #tfsec:ignore:general-secrets-no-plaintext-exposure validation { From 05ccbab4b0f613142147e8c9d00b47358239a374 Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Thu, 21 Aug 2025 02:58:23 +0530 Subject: [PATCH 16/27] PR changes --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8460026..8e7beff 100644 --- a/README.md +++ b/README.md @@ -40,8 +40,8 @@ Refer [here](./reference-architecture/secrets_manager_custom_credentials_engine. module "custom_credential_engine" { source = "terraform-ibm-modules/secrets-manager-custom-credentials-engine/ibm" version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release - sm_guid = "" - sm_region = "" + secrets_manager_guid = "" + secrets_manager_region = "" custom_credential_engine_name = "My Custom Credentials Engine" endpoint_type = "public" code_engine_project_id = "" From fb1feb9f942131e95fd2f02036c25339bc51cf6a Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Mon, 25 Aug 2025 03:37:08 +0530 Subject: [PATCH 17/27] Update github settings --- .github/CODEOWNERS | 2 +- .github/settings.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index d545b87..ce67cd0 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,2 +1,2 @@ # Primary owner should be listed first in list of global owners, followed by any secondary owners -* @ocofaigh @daniel-butler-irl +* @alex-reiff @mukulpalit-ibm diff --git a/.github/settings.yml b/.github/settings.yml index e95112f..86624f7 100644 --- a/.github/settings.yml +++ b/.github/settings.yml @@ -22,7 +22,7 @@ repository: # Uncomment this description property # and update the description to the current repo description. - description: "Configures a custom credentials engine configuration for IBM Cloud Secrets Manager" + description: "Creates a custom credentials engine in a Secrets Manager instance" # Use a comma-separated list of topics to set on the repo (ensure not to use any caps in the topic string). topics: terraform, ibm-cloud, terraform-module, core-team, custom-credentials, secrets-manager From da6837067b59e15300484527f04a75276f5371dd Mon Sep 17 00:00:00 2001 From: Terraform IBM Modules Operations Date: Sun, 24 Aug 2025 22:26:40 +0000 Subject: [PATCH 18/27] chore(deps): update dependencies --- common-dev-assets | 2 +- examples/advanced/main.tf | 2 +- examples/basic/main.tf | 2 +- tests/go.mod | 26 ++++++++++---------- tests/go.sum | 52 +++++++++++++++++++-------------------- 5 files changed, 42 insertions(+), 42 deletions(-) diff --git a/common-dev-assets b/common-dev-assets index 2ba5cc2..7179ae4 160000 --- a/common-dev-assets +++ b/common-dev-assets @@ -1 +1 @@ -Subproject commit 2ba5cc2c867361e8bcf34bd95f7359cc03d82b25 +Subproject commit 7179ae4f3446b3816fa2d72c873f8f8e86797836 diff --git a/examples/advanced/main.tf b/examples/advanced/main.tf index 88360af..01b4a61 100644 --- a/examples/advanced/main.tf +++ b/examples/advanced/main.tf @@ -4,7 +4,7 @@ module "resource_group" { source = "terraform-ibm-modules/resource-group/ibm" - version = "1.2.0" + version = "1.3.0" # if an existing resource group is not set (null) create a new one using prefix resource_group_name = var.resource_group == null ? "${var.prefix}-resource-group" : null existing_resource_group_name = var.resource_group diff --git a/examples/basic/main.tf b/examples/basic/main.tf index cf665db..4edb813 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -4,7 +4,7 @@ module "resource_group" { source = "terraform-ibm-modules/resource-group/ibm" - version = "1.2.0" + version = "1.3.0" # if an existing resource group is not set (null) create a new one using prefix resource_group_name = var.resource_group == null ? "${var.prefix}-resource-group" : null existing_resource_group_name = var.resource_group diff --git a/tests/go.mod b/tests/go.mod index 7c69e50..5a95b04 100644 --- a/tests/go.mod +++ b/tests/go.mod @@ -2,11 +2,11 @@ module github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-cre go 1.24.0 -toolchain go1.24.5 +toolchain go1.25.0 require ( - github.com/stretchr/testify v1.10.0 - github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.58.5 + github.com/stretchr/testify v1.11.0 + github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.59.1 ) require ( @@ -15,7 +15,7 @@ require ( github.com/IBM-Cloud/power-go-client v1.12.0 // indirect github.com/IBM/cloud-databases-go-sdk v0.8.0 // indirect github.com/IBM/go-sdk-core/v5 v5.21.0 // indirect - github.com/IBM/platform-services-go-sdk v0.85.1 // indirect + github.com/IBM/platform-services-go-sdk v0.86.0 // indirect github.com/IBM/project-go-sdk v0.3.6 // indirect github.com/IBM/schematics-go-sdk v0.4.0 // indirect github.com/IBM/vpc-go-sdk v1.0.2 // indirect @@ -37,7 +37,7 @@ require ( github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-openapi/analysis v0.23.0 // indirect - github.com/go-openapi/errors v0.22.1 // indirect + github.com/go-openapi/errors v0.22.2 // indirect github.com/go-openapi/jsonpointer v0.21.1 // indirect github.com/go-openapi/jsonreference v0.21.0 // indirect github.com/go-openapi/loads v0.22.0 // indirect @@ -61,7 +61,7 @@ require ( github.com/hashicorp/go-safetemp v1.0.0 // indirect github.com/hashicorp/go-version v1.7.0 // indirect github.com/hashicorp/hcl/v2 v2.22.0 // indirect - github.com/hashicorp/terraform-json v0.25.0 // indirect + github.com/hashicorp/terraform-json v0.26.0 // indirect github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect github.com/jinzhu/copier v0.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect @@ -84,19 +84,19 @@ require ( github.com/tmccombs/hcl2json v0.6.4 // indirect github.com/ulikunitz/xz v0.5.11 // indirect github.com/xanzy/ssh-agent v0.3.3 // indirect - github.com/zclconf/go-cty v1.16.2 // indirect + github.com/zclconf/go-cty v1.16.3 // indirect go.mongodb.org/mongo-driver v1.17.3 // indirect go.opentelemetry.io/auto/sdk v1.1.0 // indirect go.opentelemetry.io/otel v1.35.0 // indirect go.opentelemetry.io/otel/metric v1.35.0 // indirect go.opentelemetry.io/otel/trace v1.35.0 // indirect - golang.org/x/crypto v0.40.0 // indirect - golang.org/x/mod v0.25.0 // indirect - golang.org/x/net v0.41.0 // indirect + golang.org/x/crypto v0.41.0 // indirect + golang.org/x/mod v0.26.0 // indirect + golang.org/x/net v0.42.0 // indirect golang.org/x/sync v0.16.0 // indirect - golang.org/x/sys v0.34.0 // indirect - golang.org/x/text v0.27.0 // indirect - golang.org/x/tools v0.34.0 // indirect + golang.org/x/sys v0.35.0 // indirect + golang.org/x/text v0.28.0 // indirect + golang.org/x/tools v0.35.0 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/tests/go.sum b/tests/go.sum index 53204c9..267a583 100644 --- a/tests/go.sum +++ b/tests/go.sum @@ -9,8 +9,8 @@ github.com/IBM/cloud-databases-go-sdk v0.8.0/go.mod h1:JYucI1PdwqbAd8XGdDAchxzxR github.com/IBM/go-sdk-core/v5 v5.9.2/go.mod h1:YlOwV9LeuclmT/qi/LAK2AsobbAP42veV0j68/rlZsE= github.com/IBM/go-sdk-core/v5 v5.21.0 h1:DUnYhvC4SoC8T84rx5omnhY3+xcQg/Whyoa3mDPIMkk= github.com/IBM/go-sdk-core/v5 v5.21.0/go.mod h1:Q3BYO6iDA2zweQPDGbNTtqft5tDcEpm6RTuqMlPcvbw= -github.com/IBM/platform-services-go-sdk v0.85.1 h1:lrBEeGaIajhSPMB6cPVAx53XTtVGrKOeA36gIXh2FYI= -github.com/IBM/platform-services-go-sdk v0.85.1/go.mod h1:aGD045m6I8pfcB77wft8w2cHqWOJjcM3YSSV55BX0Js= +github.com/IBM/platform-services-go-sdk v0.86.0 h1:Uqne0Z/P9e++WfRt1aN8DD55kyo/T15+7EipYktRIDQ= +github.com/IBM/platform-services-go-sdk v0.86.0/go.mod h1:aGD045m6I8pfcB77wft8w2cHqWOJjcM3YSSV55BX0Js= github.com/IBM/project-go-sdk v0.3.6 h1:DRiANKnAePevFsIKSvR89SUaMa2xsd7YKK71Ka1eqKI= github.com/IBM/project-go-sdk v0.3.6/go.mod h1:FOJM9ihQV3EEAY6YigcWiTNfVCThtdY8bLC/nhQHFvo= github.com/IBM/schematics-go-sdk v0.4.0 h1:x01f/tPquYJYLQzJLGuxWfCbV/EdSMXRikOceNy/JLM= @@ -84,8 +84,8 @@ github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC0 github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo= github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= github.com/go-openapi/errors v0.20.3/go.mod h1:Z3FlZ4I8jEGxjUK+bugx3on2mIAk4txuAOhlsB1FSgk= -github.com/go-openapi/errors v0.22.1 h1:kslMRRnK7NCb/CvR1q1VWuEQCEIsBGn5GgKD9e+HYhU= -github.com/go-openapi/errors v0.22.1/go.mod h1:+n/5UdIqdVnLIJ6Q9Se8HNGUXYaY6CN8ImWzfi/Gzp0= +github.com/go-openapi/errors v0.22.2 h1:rdxhzcBUazEcGccKqbY1Y7NS8FDcMyIRr0934jrYnZg= +github.com/go-openapi/errors v0.22.2/go.mod h1:+n/5UdIqdVnLIJ6Q9Se8HNGUXYaY6CN8ImWzfi/Gzp0= github.com/go-openapi/jsonpointer v0.21.1 h1:whnzv/pNXtK2FbX/W9yJfRmE2gsmkfahjMKB0fZvcic= github.com/go-openapi/jsonpointer v0.21.1/go.mod h1:50I1STOfbY1ycR8jGz8DaMeLCdXiI6aDteEdRNNzpdk= github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= @@ -171,8 +171,8 @@ github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKe github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/hcl/v2 v2.22.0 h1:hkZ3nCtqeJsDhPRFz5EA9iwcG1hNWGePOTw6oyul12M= github.com/hashicorp/hcl/v2 v2.22.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA= -github.com/hashicorp/terraform-json v0.25.0 h1:rmNqc/CIfcWawGiwXmRuiXJKEiJu1ntGoxseG1hLhoQ= -github.com/hashicorp/terraform-json v0.25.0/go.mod h1:sMKS8fiRDX4rVlR6EJUMudg1WcanxCMoWwTLkgZP/vc= +github.com/hashicorp/terraform-json v0.26.0 h1:+BnJavhRH+oyNWPnfzrfQwVWCZBFMvjdiH2Vi38Udz4= +github.com/hashicorp/terraform-json v0.26.0/go.mod h1:eyWCeC3nrZamyrKLFnrvwpc3LQPIJsx8hWHQ/nu2/v4= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= @@ -293,10 +293,10 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= -github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.58.5 h1:RxWdD+20e5Yb9K8W6iIjgDG1KDMPLnXHw4SlPhtHdf8= -github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.58.5/go.mod h1:2d7vW9ehuOaVZl38OO/aXPPO42EijYfgMe29HPJbI+I= +github.com/stretchr/testify v1.11.0 h1:ib4sjIrwZKxE5u/Japgo/7SJV3PvgjGiRNAvTVGqQl8= +github.com/stretchr/testify v1.11.0/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= +github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.59.1 h1:9/uYvUFFLIH91F16AiJqP/LZeGi4t2CYtc8iz3bBXdQ= +github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper v1.59.1/go.mod h1:kdhZ+FeS71D+tB0E2Sh1ISD3zQ+RThPX5SyFqduo7G8= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= github.com/tmccombs/hcl2json v0.6.4 h1:/FWnzS9JCuyZ4MNwrG4vMrFrzRgsWEOVi+1AyYUVLGw= github.com/tmccombs/hcl2json v0.6.4/go.mod h1:+ppKlIW3H5nsAsZddXPy2iMyvld3SHxyjswOZhavRDk= @@ -313,8 +313,8 @@ github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7Jul github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -github.com/zclconf/go-cty v1.16.2 h1:LAJSwc3v81IRBZyUVQDUdZ7hs3SYs9jv0eZJDWHD/70= -github.com/zclconf/go-cty v1.16.2/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE= +github.com/zclconf/go-cty v1.16.3 h1:osr++gw2T61A8KVYHoQiFbFd1Lh3JOCXc/jFLJXKTxk= +github.com/zclconf/go-cty v1.16.3/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE= github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo= github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM= go.mongodb.org/mongo-driver v1.7.5/go.mod h1:VXEWRZ6URJIkUq2SCAyapmhH0ZLRBP+FT4xhp5Zvxng= @@ -343,8 +343,8 @@ golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98y golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= -golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM= -golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY= +golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4= +golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= @@ -355,8 +355,8 @@ golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w= -golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= +golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg= +golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= @@ -384,8 +384,8 @@ golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= -golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw= -golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA= +golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs= +golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -434,8 +434,8 @@ golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA= -golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI= +golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -450,8 +450,8 @@ golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= -golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg= -golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0= +golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4= +golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= @@ -468,8 +468,8 @@ golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4= -golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU= +golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng= +golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190531172133-b3315ee88b7d/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= @@ -485,8 +485,8 @@ golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= -golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo= -golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg= +golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0= +golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From 7cf80e24667df25d229c3f04c9db378f6a5a7ec0 Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Tue, 26 Aug 2025 15:19:03 +0530 Subject: [PATCH 19/27] remove deprecated value --- main.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index d65229f..6dab572 100644 --- a/main.tf +++ b/main.tf @@ -8,8 +8,9 @@ resource "ibm_iam_service_id" "sm_service_id" { } resource "ibm_iam_service_policy" "sm_service_id_policy" { - iam_service_id = ibm_iam_service_id.sm_service_id.id - roles = ["SecretsReader", "SecretTaskUpdater"] + iam_id = ibm_iam_service_id.sm_service_id.iam_id + # iam_service_id = ibm_iam_service_id.sm_service_id.id + roles = ["SecretsReader", "SecretTaskUpdater"] resources { service = "secrets-manager" From f352cb2798a41e25d4f870a1cb558f9298999caf Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Fri, 29 Aug 2025 21:05:45 +0530 Subject: [PATCH 20/27] PR changes --- examples/complete/main.tf | 6 +- examples/complete/variables.tf | 8 +- ibm_catalog.json | 544 +++++++++++----------- solutions/fully-configurable/variables.tf | 2 + tests/other_test.go | 6 +- 5 files changed, 285 insertions(+), 281 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 2127497..7419332 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -38,8 +38,8 @@ module "code_engine" { ######################################################################################################################## locals { - sm_guid = var.existing_sm_instance_guid == null ? module.secrets_manager[0].secrets_manager_guid : var.existing_sm_instance_guid - sm_region = var.existing_sm_instance_region == null ? var.region : var.existing_sm_instance_region + sm_guid = var.existing_sm_guid == null ? module.secrets_manager[0].secrets_manager_guid : var.existing_sm_guid + sm_region = var.existing_sm_region == null ? var.region : var.existing_sm_region } ############################################################################## @@ -49,7 +49,7 @@ locals { module "secrets_manager" { source = "terraform-ibm-modules/secrets-manager/ibm" version = "2.7.5" - count = var.existing_sm_instance_guid == null ? 1 : 0 + count = var.existing_sm_guid == null ? 1 : 0 resource_group_id = module.resource_group.resource_group_id region = var.region secrets_manager_name = "${var.prefix}-secrets-manager" diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index ae0ac05..235c679 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -32,14 +32,14 @@ variable "resource_tags" { default = [] } -variable "existing_sm_instance_guid" { +variable "existing_sm_guid" { type = string - description = "Existing Secrets Manager GUID. The existing Secret Manager instance must have IAM credentials engine configured. If not provided an new instance needs to be provisioned." + description = "Existing Secrets Manager GUID. The existing Secret Manager instance must have IAM credentials engine configured. If not provided, a new instance will be provisioned." default = null } -variable "existing_sm_instance_region" { +variable "existing_sm_region" { type = string - description = "Required if value is passed into var.existing_sm_instance_guid" + description = "Required if value is passed into var.existing_sm_guid" default = null } diff --git a/ibm_catalog.json b/ibm_catalog.json index 73d506d..ec8e24b 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -1,311 +1,313 @@ { - "products": [ - { - "name": "deploy-arch-secrets-manager-custom-credentials-engine", - "label": "Cloud automation for Secrets Manager custom credentials engine", - "product_kind": "solution", - "tags": [ - "ibm_created", - "target_terraform", - "terraform", - "solution", - "security", - "converged_infra" - ], - "keywords": [ - "Custom credentials engine", - "Secrets Manager", - "IaC", - "infrastructure as code", - "terraform", - "solution" - ], - "short_description": "Creates and configures a Secrets Manager custom credentials engine.", - "long_description": "This deployable architecture is used to provision and configure a custom credentials engine that will be used to store [custom credential secrets](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-custom-credentials&interface=ui) for external systems in IBM Secrets Manager service. It creates an IAM Credentials secret, a service ID and service policy that will allow the job running in code engine to access secrets manager to update the custom secret. The architecture also creates an IAM service authorization between secrets manager and code engine project. In order to use this deployable architecture make sure a secrets manager instance is created with IAM credentials engine configured or use [Cloud automation for Secrets Manager](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager) and a code engine job is present with the required image.\n\nℹ️ This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", - "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/blob/main/README.md", - "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/main/images/secrets_manager_custom_credentials_engine.svg", - "provider_name": "IBM", - "features": [ + "products": [ + { + "name": "deploy-arch-secrets-manager-custom-credentials-engine", + "label": "Cloud automation for Secrets Manager custom credentials engine", + "product_kind": "solution", + "tags": [ + "ibm_created", + "target_terraform", + "terraform", + "solution", + "security", + "converged_infra" + ], + "keywords": [ + "Custom credentials engine", + "Secrets Manager", + "IaC", + "infrastructure as code", + "terraform", + "solution" + ], + "short_description": "Creates and configures a Secrets Manager custom credentials engine.", + "long_description": "This deployable architecture is used to provision and configure a custom credentials engine that will be used to store [custom credential secrets](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-custom-credentials&interface=ui) for external systems in IBM Secrets Manager service. It creates an IAM Credentials secret, a service ID and service policy that will allow the job running in code engine to access secrets manager to update the custom secret. The architecture also creates an IAM service authorization between secrets manager and code engine project. In order to use this deployable architecture make sure a secrets manager instance is created with IAM credentials engine configured or use [Cloud automation for Secrets Manager](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager) and a code engine job is present with the required image.\n\nℹ️ This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", + "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/blob/main/README.md", + "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/main/images/secrets_manager_custom_credentials_engine.svg", + "provider_name": "IBM", + "features": [ + { + "title": "IAM service authorization", + "description": "Creates a [service authorization policy](https://cloud.ibm.com/docs/account?topic=account-serviceauth&interface=ui) between secrets manager as source and code engine project as target." + }, + { + "title": "IAM credentials secret", + "description": "Creates an [IAM credentials secret](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-iam-credentials&interface=terraform) to allow code engine job to access/update secrets in secrets manager instance." + }, + { + "title": "Custom credentials engine", + "description": "Creates a [custom credentials engine](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-custom-credentials-config&interface=terraform) configuration which acts as a back-end for custom credentials secret." + } + ], + "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [here](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/issues). Please note this product is not supported via the IBM Cloud Support Center.", + "flavors": [ + { + "label": "Fully configurable", + "name": "fully-configurable", + "index": 1, + "install_type": "fullstack", + "working_directory": "solutions/fully-configurable", + "compliance": { + "authority": "scc-v3", + "profiles": [ + { + "profile_name": "IBM Cloud Framework for Financial Services", + "profile_version": "1.7.0" + } + ] + }, + "configuration": [ { - "title": "IAM service authorization", - "description": "Creates a [service authorization policy](https://cloud.ibm.com/docs/account?topic=account-serviceauth&interface=ui) between secrets manager as source and code engine project as target." + "key": "ibmcloud_api_key" }, { - "title": "IAM credentials secret", - "description": "Creates an [IAM credentials secret](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-iam-credentials&interface=terraform) to allow code engine job to access/update secrets in secrets manager instance." - }, - { - "title": "Custom credentials engine", - "description": "Creates a [custom credentials engine](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-custom-credentials-config&interface=terraform) configuration which acts as a back-end for custom credentials secret." - } - ], - "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [here](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/issues). Please note this product is not supported via the IBM Cloud Support Center.", - "flavors": [ - { - "label": "Fully configurable", - "name": "fully-configurable", - "index": 1, - "install_type": "fullstack", - "working_directory": "solutions/fully-configurable", - "compliance": { - "authority": "scc-v3", - "profiles": [ - { - "profile_name": "IBM Cloud Framework for Financial Services", - "profile_version": "1.7.0" - } - ] - }, - "configuration": [ - { - "key": "ibmcloud_api_key" - }, - { - "key": "provider_visibility", - "options": [ - { - "displayname": "private", - "value": "private" - }, - { - "displayname": "public", - "value": "public" - }, - { - "displayname": "public-and-private", - "value": "public-and-private" - } - ], - "hidden": true - }, - { - "key": "secrets_manager_region", - "required": true, - "virtual": true, - "default_value": "us-south", - "description": "The region to provision a new Secrets Manager instance in.", - "options": [ - { - "displayname": "Osaka (jp-osa)", - "value": "jp-osa" - }, - { - "displayname": "Sydney (au-syd)", - "value": "au-syd" - }, - { - "displayname": "Tokyo (jp-tok)", - "value": "jp-tok" - }, - { - "displayname": "Frankfurt (eu-de)", - "value": "eu-de" - }, - { - "displayname": "London (eu-gb)", - "value": "eu-gb" - }, - { - "displayname": "Madrid (eu-es)", - "value": "eu-es" - }, - { - "displayname": "Dallas (us-south)", - "value": "us-south" - }, - { - "displayname": "Toronto (ca-tor)", - "value": "ca-tor" - }, - { - "displayname": "Washington DC (us-east)", - "value": "us-east" - }, - { - "displayname": "Sao Paulo (br-sao)", - "value": "br-sao" - } - ] - }, + "key": "provider_visibility", + "options": [ { - "key": "secrets_manager_service_plan", - "required": true, - "virtual": true, - "type": "string", - "options": [ - { - "displayname": "Standard", - "value": "standard" - }, - { - "displayname": "Trial", - "value": "trial" - } - ], - "default_value": "standard", - "description": "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)." + "displayname": "private", + "value": "private" }, { - "key": "existing_secrets_manager_crn", - "required": true + "displayname": "public", + "value": "public" }, { - "key": "prefix", - "required": true - }, - { - "key": "custom_credential_engine_name", - "required":true - }, - { - "key": "existing_code_engine_project_id", - "required":true - }, - { - "key": "existing_code_engine_job_name", - "required":true + "displayname": "public-and-private", + "value": "public-and-private" + } + ], + "hidden": true + }, + { + "key": "existing_secrets_manager_crn", + "required": true + }, + { + "key": "prefix", + "required": true + }, + { + "key": "custom_credential_engine_name", + "required": true + }, + { + "key": "existing_code_engine_project_id", + "required": true + }, + { + "key": "existing_code_engine_job_name", + "required": true + }, + { + "key": "existing_code_engine_region", + "required": true + }, + { + "key": "secrets_manager_region", + "required": true, + "virtual": true, + "default_value": "us-south", + "description": "The region to provision a new Secrets Manager instance in.", + "options": [ + { + "displayname": "Osaka (jp-osa)", + "value": "jp-osa" }, { - "key": "existing_code_engine_region", - "required":true + "displayname": "Sydney (au-syd)", + "value": "au-syd" }, { - "key": "service_id_name", - "required":true + "displayname": "Tokyo (jp-tok)", + "value": "jp-tok" }, { - "key": "iam_credential_secret_name", - "required":true + "displayname": "Frankfurt (eu-de)", + "value": "eu-de" }, { - "key": "task_timeout" + "displayname": "London (eu-gb)", + "value": "eu-gb" }, { - "key": "endpoint_type", - "options": [ - { - "displayname": "private", - "value": "private" - }, - { - "displayname": "public", - "value": "public" - } - ] + "displayname": "Madrid (eu-es)", + "value": "eu-es" }, { - "key": "iam_credential_secret_group_id" + "displayname": "Dallas (us-south)", + "value": "us-south" }, { - "key": "iam_credential_secret_ttl" + "displayname": "Montreal (ca-mon)", + "value": "ca-mon" }, { - "key": "iam_credential_secret_auto_rotation_interval" + "displayname": "Toronto (ca-tor)", + "value": "ca-tor" }, { - "key": "iam_credential_secret_auto_rotation_unit" + "displayname": "Washington DC (us-east)", + "value": "us-east" }, { - "key": "iam_credential_secret_labels" + "displayname": "Sao Paulo (br-sao)", + "value": "br-sao" } - ], - "iam_permissions": [ - { - "role_crns": [ - "crn:v1:bluemix:public:iam::::role:Administrator", - "crn:v1:bluemix:public:iam::::serviceRole:Manager" - ], - "service_name": "secrets-manager", - "notes": "Required for creating secrets manager instance as well as custom credentials engine" - }, - { - "role_crns": [ - "crn:v1:bluemix:public:iam::::role:Administrator", - "crn:v1:bluemix:public:iam-identity::::serviceRole:ServiceIdCreator" - ], - "service_name": "IAM Identity Service", - "notes": "Required for creating service ID for allowing code engine job to fetch secrets from secrets manager instance" - }, - { - "role_crns": [ - "crn:v1:bluemix:public:iam::::role:Administrator" - ], - "service_name": "All Identity and Access enabled services", - "notes": "Required for creating IAM authorization policy between secrets manager and code engine project. Optionally required to deploy Cloud automation for account configuration which creates foundational IBM Cloud account resources, like resource group with account settings " - }, - { - "role_crns": [ - "crn:v1:bluemix:public:iam::::role:Administrator" - ], - "service_name": "All Account Management services", - "notes": "[Optional] Required to deploy Cloud automation for account configuration which creates resource group and to create trusted profile for App Configuration aggregator." - }, - { - "role_crns": [ - "crn:v1:bluemix:public:iam::::serviceRole:Manager", - "crn:v1:bluemix:public:iam::::role:Editor" - ], - "service_name": "event-notifications", - "notes": "[Optional] Required if you are configuring an Event Notifications Instance." - }, - { - "role_crns": [ - "crn:v1:bluemix:public:iam::::serviceRole:Manager", - "crn:v1:bluemix:public:iam::::role:Editor" - ], - "service_name": "sysdig-monitor", - "notes": "[Optional] Required if you are consuming the Observability deployable architecture which sets up Cloud Monitoring." + ] + }, + { + "key": "secrets_manager_service_plan", + "required": true, + "virtual": true, + "type": "string", + "options": [ + { + "displayname": "Standard", + "value": "standard" }, { - "role_crns": [ - "crn:v1:bluemix:public:iam::::serviceRole:Manager", - "crn:v1:bluemix:public:iam::::role:Editor" - ], - "service_name": "logs", - "notes": "[Optional] Required if you are consuming the Observability deployable architecture which sets up Cloud Logs." - }, + "displayname": "Trial", + "value": "trial" + } + ], + "default_value": "standard", + "description": "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)." + }, + { + "key": "service_id_name" + }, + { + "key": "iam_credential_secret_name" + }, + { + "key": "task_timeout" + }, + { + "key": "endpoint_type", + "options": [ { - "role_crns": [ - "crn:v1:bluemix:public:iam::::serviceRole:Manager", - "crn:v1:bluemix:public:iam::::role:Editor" - ], - "service_name": "hs-crypto", - "notes": "[Optional] Required if you are creating/configuring keys in an existing Hyper Protect Crypto Services (HPCS) instance for encryption." + "displayname": "private", + "value": "private" }, { - "role_crns": [ - "crn:v1:bluemix:public:iam::::serviceRole:Manager", - "crn:v1:bluemix:public:iam::::role:Editor" - ], - "service_name": "kms", - "notes": "[Optional] Required if you are creating/configuring Key Protect instance and keys for encryption." + "displayname": "public", + "value": "public" } - ], - "architecture": { - "descriptions": "This architecture supports creating and configuring a Secrets Manager Custom Credentials Engine.", - "features": [ - { - "title": " ", - "description": "Configured to use IBM secure-by-default standards, but can be edited to fit your use case." - } - ], - "diagrams": [ - { - "diagram": { - "caption": "Secrets Manager Custom Credentials Engine", - "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/main/reference-architecture/secrets_manager_custom_credentials_engine.svg", - "type": "image/svg+xml" - }, - "description": "This architecture automates the setup of IBM Secrets Manager Custom Credentials Engine. The modular design includes the creation of a service authorization policy and IAM credentials secrets that are needed for provisioning the engine configuration." - } - ] + ] + }, + { + "key": "iam_credential_secret_group_id" + }, + { + "key": "iam_credential_secret_ttl" + }, + { + "key": "iam_credential_secret_auto_rotation_interval" + }, + { + "key": "iam_credential_secret_auto_rotation_unit" + }, + { + "key": "iam_credential_secret_labels" + } + ], + "iam_permissions": [ + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator", + "crn:v1:bluemix:public:iam::::serviceRole:Manager" + ], + "service_name": "secrets-manager", + "notes": "Required for creating secrets manager instance as well as custom credentials engine" + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator", + "crn:v1:bluemix:public:iam-identity::::serviceRole:ServiceIdCreator" + ], + "service_name": "IAM Identity Service", + "notes": "Required for creating service ID for allowing code engine job to fetch secrets from secrets manager instance" + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator" + ], + "service_name": "All Identity and Access enabled services", + "notes": "Required for creating IAM authorization policy between secrets manager and code engine project. Optionally required to deploy Cloud automation for account configuration which creates foundational IBM Cloud account resources, like resource group with account settings " + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator" + ], + "service_name": "All Account Management services", + "notes": "[Optional] Required to deploy Cloud automation for account configuration which creates resource group and to create trusted profile for App Configuration aggregator." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "event-notifications", + "notes": "[Optional] Required if you are configuring an Event Notifications Instance." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "sysdig-monitor", + "notes": "[Optional] Required if you are consuming the Observability deployable architecture which sets up Cloud Monitoring." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "logs", + "notes": "[Optional] Required if you are consuming the Observability deployable architecture which sets up Cloud Logs." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "hs-crypto", + "notes": "[Optional] Required if you are creating/configuring keys in an existing Hyper Protect Crypto Services (HPCS) instance for encryption." }, - "dependencies": [ + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "kms", + "notes": "[Optional] Required if you are creating/configuring Key Protect instance and keys for encryption." + } + ], + "architecture": { + "descriptions": "This architecture supports creating and configuring a Secrets Manager Custom Credentials Engine.", + "features": [ + { + "title": " ", + "description": "Configured to use IBM secure-by-default standards, but can be edited to fit your use case." + } + ], + "diagrams": [ + { + "diagram": { + "caption": "Secrets Manager Custom Credentials Engine", + "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager-custom-credentials-engine/main/reference-architecture/secrets_manager_custom_credentials_engine.svg", + "type": "image/svg+xml" + }, + "description": "This architecture automates the setup of IBM Secrets Manager Custom Credentials Engine. The modular design includes the creation of a service authorization policy and IAM credentials secrets that are needed for provisioning the engine configuration." + } + ] + }, + "dependencies": [ { "name": "deploy-arch-ibm-secrets-manager", "description": "Create a new Secrets Manager instance.", "id": "6d6ebc76-7bbd-42f5-8bc7-78f4fabd5944-global", - "version": "v2.6.3", + "version": "v2.8.0", "flavors": [ "fully-configurable" ], @@ -337,8 +339,8 @@ ], "dependency_version_2": true, "terraform_version": "1.10.5" - } - ] - } - ] + } + ] + } + ] } diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 7680f92..d0bf898 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -96,11 +96,13 @@ variable "task_timeout" { variable "service_id_name" { type = string description = "The name of the service ID to be created to allow code engine job to pull secrets from Secrets Manager." + default = "custom-cred-engine-service-id" } variable "iam_credential_secret_name" { type = string description = "The name of the IAM credential secret to allow code engine job to pull secrets from Secrets Manager." + default = "custom-cred-engine-iam-secret" } variable "iam_credential_secret_group_id" { diff --git a/tests/other_test.go b/tests/other_test.go index 9136163..7066a0f 100644 --- a/tests/other_test.go +++ b/tests/other_test.go @@ -23,9 +23,9 @@ func setupCompleteOptions(t *testing.T, prefix string, dir string) *testhelper.T } options.TerraformVars = map[string]interface{}{ - "prefix": options.Prefix, - "existing_sm_instance_guid": permanentResources["secretsManagerGuid"], - "existing_sm_instance_region": permanentResources["secretsManagerRegion"], + "prefix": options.Prefix, + "existing_sm_guid": permanentResources["secretsManagerGuid"], + "existing_sm_region": permanentResources["secretsManagerRegion"], } return options From c99bc6b7e9281c943c435abb13225fc8707c242b Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Fri, 29 Aug 2025 21:07:52 +0530 Subject: [PATCH 21/27] PR changes --- README.md | 2 +- main.tf | 2 +- outputs.tf | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 8e7beff..ec65110 100644 --- a/README.md +++ b/README.md @@ -93,7 +93,7 @@ You need the following permissions to run this module. | [ibm_iam_authorization_policy.sm_ce_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_iam_service_id.sm_service_id](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_service_id) | resource | | [ibm_iam_service_policy.sm_service_id_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_service_policy) | resource | -| [ibm_sm_custom_credentials_configuration.custom_credentials_configuration_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_custom_credentials_configuration) | resource | +| [ibm_sm_custom_credentials_configuration.custom_credentials_configuration](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_custom_credentials_configuration) | resource | | [time_sleep.wait_for_service_id](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | ### Inputs diff --git a/main.tf b/main.tf index 6dab572..a219211 100644 --- a/main.tf +++ b/main.tf @@ -62,7 +62,7 @@ resource "ibm_iam_authorization_policy" "sm_ce_policy" { # Secrets Manager Custom Credentials Engine Module ############################################################################## -resource "ibm_sm_custom_credentials_configuration" "custom_credentials_configuration_instance" { +resource "ibm_sm_custom_credentials_configuration" "custom_credentials_configuration" { depends_on = [module.sm_iam_credential_secret, ibm_iam_authorization_policy.sm_ce_policy] instance_id = var.secrets_manager_guid region = var.secrets_manager_region diff --git a/outputs.tf b/outputs.tf index 6268f0c..f0797a1 100644 --- a/outputs.tf +++ b/outputs.tf @@ -4,21 +4,21 @@ output "custom_config_engine_id" { description = "The unique identifier of the engine created." - value = ibm_sm_custom_credentials_configuration.custom_credentials_configuration_instance.id + value = ibm_sm_custom_credentials_configuration.custom_credentials_configuration.id } output "custom_config_engine_name" { description = "The name of the engine created." - value = ibm_sm_custom_credentials_configuration.custom_credentials_configuration_instance.name + value = ibm_sm_custom_credentials_configuration.custom_credentials_configuration.name } output "code_engine_key_ref" { description = "The IAM API key used by the credentials system to access the secrets manager instance." sensitive = true - value = ibm_sm_custom_credentials_configuration.custom_credentials_configuration_instance.code_engine_key_ref + value = ibm_sm_custom_credentials_configuration.custom_credentials_configuration.code_engine_key_ref } output "secrets_manager_custom_credentials_configuration_schema" { description = "The schema that defines the format of the input and output parameters." - value = ibm_sm_custom_credentials_configuration.custom_credentials_configuration_instance.schema + value = ibm_sm_custom_credentials_configuration.custom_credentials_configuration.schema } From 2b4049e161db4827053481f166a81e378cb1fd0b Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Fri, 29 Aug 2025 21:21:40 +0530 Subject: [PATCH 22/27] PR changes --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index a219211..295421d 100644 --- a/main.tf +++ b/main.tf @@ -63,7 +63,7 @@ resource "ibm_iam_authorization_policy" "sm_ce_policy" { ############################################################################## resource "ibm_sm_custom_credentials_configuration" "custom_credentials_configuration" { - depends_on = [module.sm_iam_credential_secret, ibm_iam_authorization_policy.sm_ce_policy] + depends_on = [ibm_iam_authorization_policy.sm_ce_policy] instance_id = var.secrets_manager_guid region = var.secrets_manager_region name = var.custom_credential_engine_name From b8da405da64c752a3086b12e3eabf6a1f3022fcc Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Wed, 3 Sep 2025 19:27:27 +0530 Subject: [PATCH 23/27] PR changes --- README.md | 28 ++++++++++++----------- cra-config.yaml | 9 +++++++- examples/complete/variables.tf | 2 -- ibm_catalog.json | 12 +++------- main.tf | 10 +++++++- solutions/fully-configurable/main.tf | 1 + solutions/fully-configurable/variables.tf | 6 +++++ tests/other_test.go | 17 ++++++++++++++ variables.tf | 6 +++++ 9 files changed, 65 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index ec65110..91574af 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ These components are needed in order to create the custom credentials secret in ## Reference architectures -Refer [here](./reference-architecture/secrets_manager_custom_credentials_engine.svg) for reference architecture. +[Secrets Manager Custom Credential Engine](./reference-architecture/secrets_manager_custom_credentials_engine.svg) ## terraform-ibm-secrets-manager-custom-credentials-engine @@ -38,18 +38,18 @@ Refer [here](./reference-architecture/secrets_manager_custom_credentials_engine. ```hcl module "custom_credential_engine" { - source = "terraform-ibm-modules/secrets-manager-custom-credentials-engine/ibm" - version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release - secrets_manager_guid = "" - secrets_manager_region = "" - custom_credential_engine_name = "My Custom Credentials Engine" - endpoint_type = "public" - code_engine_project_id = "" - code_engine_job_name = "" - code_engine_region = "" - task_timeout = "5m" - service_id_name = "My Service ID" - iam_credential_secret_name = "My Credentials Secret" + source = "terraform-ibm-modules/secrets-manager-custom-credentials-engine/ibm" + version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release + secrets_manager_guid = "" + secrets_manager_region = "" + custom_credential_engine_name = "My Custom Credentials Engine" + endpoint_type = "public" + code_engine_project_id = "" + code_engine_job_name = "" + code_engine_region = "" + task_timeout = "5m" + service_id_name = "My Service ID" + iam_credential_secret_name = "My Credentials Secret" } ``` @@ -95,6 +95,7 @@ You need the following permissions to run this module. | [ibm_iam_service_policy.sm_service_id_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_service_policy) | resource | | [ibm_sm_custom_credentials_configuration.custom_credentials_configuration](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_custom_credentials_configuration) | resource | | [time_sleep.wait_for_service_id](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [time_sleep.wait_for_sm_ce_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | ### Inputs @@ -114,6 +115,7 @@ You need the following permissions to run this module. | [secrets\_manager\_guid](#input\_secrets\_manager\_guid) | GUID of secrets manager instance to create the secret engine in. | `string` | n/a | yes | | [secrets\_manager\_region](#input\_secrets\_manager\_region) | The region of the secrets manager instance. | `string` | n/a | yes | | [service\_id\_name](#input\_service\_id\_name) | The name of the service ID to be created to allow code engine job to pull secrets from Secrets Manager. | `string` | n/a | yes | +| [skip\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_iam\_auth\_policy) | Whether to skip the creation of the IAM authorization policies required between the Code engine project and Secrets Manager instance(if you are using an existing Secrets Manager instance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Viewer' and 'Writer' access to the Code engine project. | `bool` | `false` | no | | [task\_timeout](#input\_task\_timeout) | The maximum allowed time for a code engine job to be completed. | `string` | `"5m"` | no | ### Outputs diff --git a/cra-config.yaml b/cra-config.yaml index 7fd07f7..7ede26a 100644 --- a/cra-config.yaml +++ b/cra-config.yaml @@ -7,7 +7,7 @@ version: "v1" CRA_TARGETS: - - CRA_TARGET: "examples/complete" # Target directory for CRA scan. If not provided, the CRA Scan will not be run. + - CRA_TARGET: "solutions/fully-configurable" # Target directory for CRA scan. If not provided, the CRA Scan will not be run. CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3" # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile). # SCC_INSTANCE_ID: "" # The SCC instance ID to use to download profile for CRA scan. If not provided, a default global value will be used. @@ -15,3 +15,10 @@ CRA_TARGETS: CRA_ENVIRONMENT_VARIABLES: # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs. TF_VAR_prefix: "mock" TF_VAR_region: "us-south" + TF_VAR_existing_secrets_manager_crn: "crn:v1:bluemix:public:secrets-manager:us-south:a/abac0df06b644a9cabc6e44f55b3880e:79c6d411-c18f-4670-b009-b0044a238667::" + TF_VAR_custom_credential_engine_name": "test-engine" + TF_VAR"service_id_name": "test-service-id" + TF_VAR_iam_credential_secret_name": "test-credential-secret" + TF_VAR_existing_code_engine_project_id: "d731565f-835d-4c1b-b116-a03fa4e703df" + TF_VAR_existing_code_engine_job_name: "ce-job-name" + TF_VAR_existing_code_engine_region: "us-south" diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 235c679..ac7c96e 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -11,13 +11,11 @@ variable "ibmcloud_api_key" { variable "region" { type = string description = "Region to provision all resources created by this example." - default = "us-south" } variable "prefix" { type = string description = "A string value to prefix to all resources created by this example." - default = "sm-custom-cred" } variable "resource_group" { diff --git a/ibm_catalog.json b/ibm_catalog.json index ec8e24b..c7292a3 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -47,15 +47,6 @@ "index": 1, "install_type": "fullstack", "working_directory": "solutions/fully-configurable", - "compliance": { - "authority": "scc-v3", - "profiles": [ - { - "profile_name": "IBM Cloud Framework for Financial Services", - "profile_version": "1.7.0" - } - ] - }, "configuration": [ { "key": "ibmcloud_api_key" @@ -173,6 +164,9 @@ "default_value": "standard", "description": "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)." }, + { + "key": "skip_secrets_manager_iam_auth_policy" + }, { "key": "service_id_name" }, diff --git a/main.tf b/main.tf index 295421d..bb4a648 100644 --- a/main.tf +++ b/main.tf @@ -51,6 +51,7 @@ module "sm_iam_credential_secret" { ############################################################################## resource "ibm_iam_authorization_policy" "sm_ce_policy" { + count = var.skip_secrets_manager_iam_auth_policy ? 0 : 1 source_service_name = "secrets-manager" source_resource_instance_id = var.secrets_manager_guid target_service_name = "codeengine" @@ -58,12 +59,19 @@ resource "ibm_iam_authorization_policy" "sm_ce_policy" { roles = ["Viewer", "Writer"] } +# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478 +resource "time_sleep" "wait_for_sm_ce_authorization_policy" { + count = var.skip_secrets_manager_iam_auth_policy ? 0 : 1 + depends_on = [ibm_iam_authorization_policy.sm_ce_policy] + create_duration = "30s" +} + ############################################################################## # Secrets Manager Custom Credentials Engine Module ############################################################################## resource "ibm_sm_custom_credentials_configuration" "custom_credentials_configuration" { - depends_on = [ibm_iam_authorization_policy.sm_ce_policy] + depends_on = [time_sleep.wait_for_sm_ce_authorization_policy] instance_id = var.secrets_manager_guid region = var.secrets_manager_region name = var.custom_credential_engine_name diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 4e6d6e2..b4bb2a6 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -22,6 +22,7 @@ module "custom_credential_engine" { secrets_manager_guid = local.existing_secrets_manager_guid secrets_manager_region = local.existing_secrets_manager_region custom_credential_engine_name = "${local.prefix}${var.custom_credential_engine_name}" + skip_secrets_manager_iam_auth_policy = var.skip_secrets_manager_iam_auth_policy endpoint_type = var.endpoint_type code_engine_project_id = var.existing_code_engine_project_id code_engine_job_name = var.existing_code_engine_job_name diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index d0bf898..96a957b 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -56,6 +56,12 @@ variable "custom_credential_engine_name" { description = "The name of the custom credentials engine to be created." } +variable "skip_secrets_manager_iam_auth_policy" { + type = bool + description = "Whether to skip the creation of the IAM authorization policies required between the Code engine project and Secrets Manager instance(if you are using an existing Secrets Manager instance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Viewer' and 'Writer' access to the Code engine project." + default = false +} + variable "endpoint_type" { type = string description = "The endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private`" diff --git a/tests/other_test.go b/tests/other_test.go index 7066a0f..026f170 100644 --- a/tests/other_test.go +++ b/tests/other_test.go @@ -2,16 +2,32 @@ package test import ( + "math/rand" "testing" "github.com/stretchr/testify/assert" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper" ) +var validRegions = []string{ + "jp-osa", + "au-syd", + "jp-tok", + "eu-de", + "eu-gb", + "eu-es", + "us-south", + "ca-mon", + "ca-tor", + "us-east", + "br-sao", +} + func setupCompleteOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptions { options := testhelper.TestOptionsDefault(&testhelper.TestOptions{ Testing: t, TerraformDir: dir, + Region: validRegions[rand.Intn(len(validRegions))], Prefix: prefix, }) @@ -24,6 +40,7 @@ func setupCompleteOptions(t *testing.T, prefix string, dir string) *testhelper.T options.TerraformVars = map[string]interface{}{ "prefix": options.Prefix, + "region": options.Region, "existing_sm_guid": permanentResources["secretsManagerGuid"], "existing_sm_region": permanentResources["secretsManagerRegion"], } diff --git a/variables.tf b/variables.tf index 037ca1c..683917c 100644 --- a/variables.tf +++ b/variables.tf @@ -17,6 +17,12 @@ variable "custom_credential_engine_name" { description = "The name of the custom credentials engine to be created." } +variable "skip_secrets_manager_iam_auth_policy" { + type = bool + description = "Whether to skip the creation of the IAM authorization policies required between the Code engine project and Secrets Manager instance(if you are using an existing Secrets Manager instance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Viewer' and 'Writer' access to the Code engine project." + default = false +} + variable "endpoint_type" { type = string description = "The endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private`." From fddb225f662b4cebc6f3b4e75769605dc68c779d Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Wed, 3 Sep 2025 19:34:22 +0530 Subject: [PATCH 24/27] PR changes --- cra-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cra-config.yaml b/cra-config.yaml index 7ede26a..126441b 100644 --- a/cra-config.yaml +++ b/cra-config.yaml @@ -16,9 +16,9 @@ CRA_TARGETS: TF_VAR_prefix: "mock" TF_VAR_region: "us-south" TF_VAR_existing_secrets_manager_crn: "crn:v1:bluemix:public:secrets-manager:us-south:a/abac0df06b644a9cabc6e44f55b3880e:79c6d411-c18f-4670-b009-b0044a238667::" - TF_VAR_custom_credential_engine_name": "test-engine" - TF_VAR"service_id_name": "test-service-id" - TF_VAR_iam_credential_secret_name": "test-credential-secret" + TF_VAR_custom_credential_engine_name: "test-engine" + TF_VAR"service_id_name: "test-service-id" + TF_VAR_iam_credential_secret_name: "test-credential-secret" TF_VAR_existing_code_engine_project_id: "d731565f-835d-4c1b-b116-a03fa4e703df" TF_VAR_existing_code_engine_job_name: "ce-job-name" TF_VAR_existing_code_engine_region: "us-south" From 2249af1f2034382f32c477455c26ee96b3a13ed4 Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Wed, 3 Sep 2025 19:39:50 +0530 Subject: [PATCH 25/27] PR changes --- cra-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cra-config.yaml b/cra-config.yaml index 126441b..c061398 100644 --- a/cra-config.yaml +++ b/cra-config.yaml @@ -17,7 +17,7 @@ CRA_TARGETS: TF_VAR_region: "us-south" TF_VAR_existing_secrets_manager_crn: "crn:v1:bluemix:public:secrets-manager:us-south:a/abac0df06b644a9cabc6e44f55b3880e:79c6d411-c18f-4670-b009-b0044a238667::" TF_VAR_custom_credential_engine_name: "test-engine" - TF_VAR"service_id_name: "test-service-id" + TF_VAR_service_id_name: "test-service-id" TF_VAR_iam_credential_secret_name: "test-credential-secret" TF_VAR_existing_code_engine_project_id: "d731565f-835d-4c1b-b116-a03fa4e703df" TF_VAR_existing_code_engine_job_name: "ce-job-name" From 3bc9c7ffce05f3af031ebc85cad7ac2e091b70c3 Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Wed, 3 Sep 2025 20:05:14 +0530 Subject: [PATCH 26/27] PR changes --- README.md | 2 +- ibm_catalog.json | 2 +- main.tf | 4 ++-- solutions/fully-configurable/main.tf | 2 +- solutions/fully-configurable/variables.tf | 4 ++-- variables.tf | 4 ++-- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 91574af..738fa9e 100644 --- a/README.md +++ b/README.md @@ -115,7 +115,7 @@ You need the following permissions to run this module. | [secrets\_manager\_guid](#input\_secrets\_manager\_guid) | GUID of secrets manager instance to create the secret engine in. | `string` | n/a | yes | | [secrets\_manager\_region](#input\_secrets\_manager\_region) | The region of the secrets manager instance. | `string` | n/a | yes | | [service\_id\_name](#input\_service\_id\_name) | The name of the service ID to be created to allow code engine job to pull secrets from Secrets Manager. | `string` | n/a | yes | -| [skip\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_iam\_auth\_policy) | Whether to skip the creation of the IAM authorization policies required between the Code engine project and Secrets Manager instance(if you are using an existing Secrets Manager instance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Viewer' and 'Writer' access to the Code engine project. | `bool` | `false` | no | +| [skip\_secrets\_manager\_code\_engine\_auth\_policy](#input\_skip\_secrets\_manager\_code\_engine\_auth\_policy) | Whether to skip the creation of the IAM authorization policies required between the Code engine project and Secrets Manager instance. If set to false, policies will be created that grants the Secrets Manager instance 'Viewer' and 'Writer' access to the Code engine project. | `bool` | `false` | no | | [task\_timeout](#input\_task\_timeout) | The maximum allowed time for a code engine job to be completed. | `string` | `"5m"` | no | ### Outputs diff --git a/ibm_catalog.json b/ibm_catalog.json index c7292a3..e9b2318 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -165,7 +165,7 @@ "description": "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)." }, { - "key": "skip_secrets_manager_iam_auth_policy" + "key": "skip_secrets_manager_code_engine_auth_policy" }, { "key": "service_id_name" diff --git a/main.tf b/main.tf index bb4a648..fd7d64e 100644 --- a/main.tf +++ b/main.tf @@ -51,7 +51,7 @@ module "sm_iam_credential_secret" { ############################################################################## resource "ibm_iam_authorization_policy" "sm_ce_policy" { - count = var.skip_secrets_manager_iam_auth_policy ? 0 : 1 + count = var.skip_secrets_manager_code_engine_auth_policy ? 0 : 1 source_service_name = "secrets-manager" source_resource_instance_id = var.secrets_manager_guid target_service_name = "codeengine" @@ -61,7 +61,7 @@ resource "ibm_iam_authorization_policy" "sm_ce_policy" { # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478 resource "time_sleep" "wait_for_sm_ce_authorization_policy" { - count = var.skip_secrets_manager_iam_auth_policy ? 0 : 1 + count = var.skip_secrets_manager_code_engine_auth_policy ? 0 : 1 depends_on = [ibm_iam_authorization_policy.sm_ce_policy] create_duration = "30s" } diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index b4bb2a6..fc02962 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -22,7 +22,7 @@ module "custom_credential_engine" { secrets_manager_guid = local.existing_secrets_manager_guid secrets_manager_region = local.existing_secrets_manager_region custom_credential_engine_name = "${local.prefix}${var.custom_credential_engine_name}" - skip_secrets_manager_iam_auth_policy = var.skip_secrets_manager_iam_auth_policy + skip_secrets_manager_code_engine_auth_policy = var.skip_secrets_manager_code_engine_auth_policy endpoint_type = var.endpoint_type code_engine_project_id = var.existing_code_engine_project_id code_engine_job_name = var.existing_code_engine_job_name diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 96a957b..7f34a32 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -56,9 +56,9 @@ variable "custom_credential_engine_name" { description = "The name of the custom credentials engine to be created." } -variable "skip_secrets_manager_iam_auth_policy" { +variable "skip_secrets_manager_code_engine_auth_policy" { type = bool - description = "Whether to skip the creation of the IAM authorization policies required between the Code engine project and Secrets Manager instance(if you are using an existing Secrets Manager instance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Viewer' and 'Writer' access to the Code engine project." + description = "Whether to skip the creation of the IAM authorization policies required between the Code engine project and Secrets Manager instance. If set to false, policies will be created that grants the Secrets Manager instance 'Viewer' and 'Writer' access to the Code engine project." default = false } diff --git a/variables.tf b/variables.tf index 683917c..031c0d5 100644 --- a/variables.tf +++ b/variables.tf @@ -17,9 +17,9 @@ variable "custom_credential_engine_name" { description = "The name of the custom credentials engine to be created." } -variable "skip_secrets_manager_iam_auth_policy" { +variable "skip_secrets_manager_code_engine_auth_policy" { type = bool - description = "Whether to skip the creation of the IAM authorization policies required between the Code engine project and Secrets Manager instance(if you are using an existing Secrets Manager instance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Viewer' and 'Writer' access to the Code engine project." + description = "Whether to skip the creation of the IAM authorization policies required between the Code engine project and Secrets Manager instance. If set to false, policies will be created that grants the Secrets Manager instance 'Viewer' and 'Writer' access to the Code engine project." default = false } From 97c2550fbf2fda363625cecf7ed374e5b1bf6e8e Mon Sep 17 00:00:00 2001 From: mukul-palit Date: Wed, 3 Sep 2025 20:16:29 +0530 Subject: [PATCH 27/27] set provider_visibility --- cra-config.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cra-config.yaml b/cra-config.yaml index c061398..db62db9 100644 --- a/cra-config.yaml +++ b/cra-config.yaml @@ -15,6 +15,7 @@ CRA_TARGETS: CRA_ENVIRONMENT_VARIABLES: # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs. TF_VAR_prefix: "mock" TF_VAR_region: "us-south" + TF_VAR_provider_visibility: "public" TF_VAR_existing_secrets_manager_crn: "crn:v1:bluemix:public:secrets-manager:us-south:a/abac0df06b644a9cabc6e44f55b3880e:79c6d411-c18f-4670-b009-b0044a238667::" TF_VAR_custom_credential_engine_name: "test-engine" TF_VAR_service_id_name: "test-service-id"