feat : 13662 custom engine

README.md

@@ -29,7 +29,7 @@ These components are needed in order to create the custom credentials secret in
 
 ## Reference architectures
 
-Refer [here](./reference-architecture/secrets_manager_custom_credentials_engine.svg) for reference architecture.
+[Secrets Manager Custom Credential Engine](./reference-architecture/secrets_manager_custom_credentials_engine.svg)
 
 
 ## terraform-ibm-secrets-manager-custom-credentials-engine
@@ -38,18 +38,18 @@ Refer [here](./reference-architecture/secrets_manager_custom_credentials_engine.
 
 ```hcl
 module "custom_credential_engine" {
-  source                                       = "terraform-ibm-modules/secrets-manager-custom-credentials-engine/ibm"
-  version                                      = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
-  secrets_manager_guid                         = "<secrets_manager_instance_id>"
-  secrets_manager_region                       = "<secrets_manager_instance_region>"
-  custom_credential_engine_name                = "My Custom Credentials Engine"
-  endpoint_type                                = "public"
-  code_engine_project_id                       = "<code_engine_project_id>"
-  code_engine_job_name                         = "<code_engine_project_job_name>"
-  code_engine_region                           = "<code_engine_region>"
-  task_timeout                                 = "5m"
-  service_id_name                              = "My Service ID"
-  iam_credential_secret_name                   = "My Credentials Secret"
+  source                        = "terraform-ibm-modules/secrets-manager-custom-credentials-engine/ibm"
+  version                       = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
+  secrets_manager_guid          = "<secrets_manager_instance_id>"
+  secrets_manager_region        = "<secrets_manager_instance_region>"
+  custom_credential_engine_name = "My Custom Credentials Engine"
+  endpoint_type                 = "public"
+  code_engine_project_id        = "<code_engine_project_id>"
+  code_engine_job_name          = "<code_engine_project_job_name>"
+  code_engine_region            = "<code_engine_region>"
+  task_timeout                  = "5m"
+  service_id_name               = "My Service ID"
+  iam_credential_secret_name    = "My Credentials Secret"
 }
 
 ```
@@ -95,6 +95,7 @@ You need the following permissions to run this module.
 | [ibm_iam_service_policy.sm_service_id_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_service_policy) | resource |
 | [ibm_sm_custom_credentials_configuration.custom_credentials_configuration](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_custom_credentials_configuration) | resource |
 | [time_sleep.wait_for_service_id](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [time_sleep.wait_for_sm_ce_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 
 ### Inputs
 
@@ -114,6 +115,7 @@ You need the following permissions to run this module.
 | <a name="input_secrets_manager_guid"></a> [secrets\_manager\_guid](#input\_secrets\_manager\_guid) | GUID of secrets manager instance to create the secret engine in. | `string` | n/a | yes |
 | <a name="input_secrets_manager_region"></a> [secrets\_manager\_region](#input\_secrets\_manager\_region) | The region of the secrets manager instance. | `string` | n/a | yes |
 | <a name="input_service_id_name"></a> [service\_id\_name](#input\_service\_id\_name) | The name of the service ID to be created to allow code engine job to pull secrets from Secrets Manager. | `string` | n/a | yes |
+| <a name="input_skip_secrets_manager_iam_auth_policy"></a> [skip\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_iam\_auth\_policy) | Whether to skip the creation of the IAM authorization policies required between the Code engine project and Secrets Manager instance(if you are using an existing Secrets Manager instance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Viewer' and 'Writer' access to the Code engine project. | `bool` | `false` | no |
 | <a name="input_task_timeout"></a> [task\_timeout](#input\_task\_timeout) | The maximum allowed time for a code engine job to be completed. | `string` | `"5m"` | no |
 
 ### Outputs

cra-config.yaml

@@ -7,11 +7,18 @@
 
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "examples/complete" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
+  - CRA_TARGET: "solutions/fully-configurable" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json"
     PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3" # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile).
     # SCC_INSTANCE_ID: "" # The SCC instance ID to use to download profile for CRA scan. If not provided, a default global value will be used.
     # SCC_REGION: "" # The IBM Cloud region that the SCC instance is in. If not provided, a default global value will be used.
     CRA_ENVIRONMENT_VARIABLES:  # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
       TF_VAR_prefix: "mock"
       TF_VAR_region: "us-south"
+      TF_VAR_existing_secrets_manager_crn: "crn:v1:bluemix:public:secrets-manager:us-south:a/abac0df06b644a9cabc6e44f55b3880e:79c6d411-c18f-4670-b009-b0044a238667::"
+      TF_VAR_custom_credential_engine_name": "test-engine"
+      TF_VAR"service_id_name": "test-service-id"
+      TF_VAR_iam_credential_secret_name": "test-credential-secret"
+      TF_VAR_existing_code_engine_project_id: "d731565f-835d-4c1b-b116-a03fa4e703df"
+      TF_VAR_existing_code_engine_job_name: "ce-job-name"
+      TF_VAR_existing_code_engine_region: "us-south"

examples/complete/variables.tf

@@ -11,13 +11,11 @@ variable "ibmcloud_api_key" {
 variable "region" {
   type        = string
   description = "Region to provision all resources created by this example."
-  default     = "us-south"
 }
 
 variable "prefix" {
   type        = string
   description = "A string value to prefix to all resources created by this example."
-  default     = "sm-custom-cred"
 }
 
 variable "resource_group" {

ibm_catalog.json

@@ -47,15 +47,6 @@
           "index": 1,
           "install_type": "fullstack",
           "working_directory": "solutions/fully-configurable",
-          "compliance": {
-            "authority": "scc-v3",
-            "profiles": [
-              {
-                "profile_name": "IBM Cloud Framework for Financial Services",
-                "profile_version": "1.7.0"
-              }
-            ]
-          },
           "configuration": [
             {
               "key": "ibmcloud_api_key"
@@ -173,6 +164,9 @@
               "default_value": "standard",
               "description": "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)."
             },
+            {
+              "key": "skip_secrets_manager_iam_auth_policy"
+            },
             {
               "key": "service_id_name"
             },

main.tf

@@ -51,19 +51,27 @@ module "sm_iam_credential_secret" {
 ##############################################################################
 
 resource "ibm_iam_authorization_policy" "sm_ce_policy" {
+  count                       = var.skip_secrets_manager_iam_auth_policy ? 0 : 1
   source_service_name         = "secrets-manager"
   source_resource_instance_id = var.secrets_manager_guid
   target_service_name         = "codeengine"
   target_resource_instance_id = var.code_engine_project_id
   roles                       = ["Viewer", "Writer"]
 }
 
+# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
+resource "time_sleep" "wait_for_sm_ce_authorization_policy" {
+  count           = var.skip_secrets_manager_iam_auth_policy ? 0 : 1
+  depends_on      = [ibm_iam_authorization_policy.sm_ce_policy]
+  create_duration = "30s"
+}
+
 ##############################################################################
 # Secrets Manager Custom Credentials Engine Module
 ##############################################################################
 
 resource "ibm_sm_custom_credentials_configuration" "custom_credentials_configuration" {
-  depends_on    = [ibm_iam_authorization_policy.sm_ce_policy]
+  depends_on    = [time_sleep.wait_for_sm_ce_authorization_policy]
   instance_id   = var.secrets_manager_guid
   region        = var.secrets_manager_region
   name          = var.custom_credential_engine_name

solutions/fully-configurable/main.tf

@@ -22,6 +22,7 @@ module "custom_credential_engine" {
   secrets_manager_guid                         = local.existing_secrets_manager_guid
   secrets_manager_region                       = local.existing_secrets_manager_region
   custom_credential_engine_name                = "${local.prefix}${var.custom_credential_engine_name}"
+  skip_secrets_manager_iam_auth_policy         = var.skip_secrets_manager_iam_auth_policy
   endpoint_type                                = var.endpoint_type
   code_engine_project_id                       = var.existing_code_engine_project_id
   code_engine_job_name                         = var.existing_code_engine_job_name

solutions/fully-configurable/variables.tf

@@ -56,6 +56,12 @@ variable "custom_credential_engine_name" {
   description = "The name of the custom credentials engine to be created."
 }
 
+variable "skip_secrets_manager_iam_auth_policy" {
+  type        = bool
+  description = "Whether to skip the creation of the IAM authorization policies required between the Code engine project and Secrets Manager instance(if you are using an existing Secrets Manager instance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Viewer' and 'Writer' access to the Code engine project."
+  default     = false
+}
+
 variable "endpoint_type" {
   type        = string
   description = "The endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private`"

tests/other_test.go

@@ -2,16 +2,32 @@
 package test
 
 import (
+	"math/rand"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
 )
 
+var validRegions = []string{
+	"jp-osa",
+	"au-syd",
+	"jp-tok",
+	"eu-de",
+	"eu-gb",
+	"eu-es",
+	"us-south",
+	"ca-mon",
+	"ca-tor",
+	"us-east",
+	"br-sao",
+}
+
 func setupCompleteOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptions {
 	options := testhelper.TestOptionsDefault(&testhelper.TestOptions{
 		Testing:      t,
 		TerraformDir: dir,
+		Region:       validRegions[rand.Intn(len(validRegions))],
 		Prefix:       prefix,
 	})
 
@@ -24,6 +40,7 @@ func setupCompleteOptions(t *testing.T, prefix string, dir string) *testhelper.T
 
 	options.TerraformVars = map[string]interface{}{
 		"prefix":             options.Prefix,
+		"region":             options.Region,
 		"existing_sm_guid":   permanentResources["secretsManagerGuid"],
 		"existing_sm_region": permanentResources["secretsManagerRegion"],
 	}

variables.tf

@@ -17,6 +17,12 @@ variable "custom_credential_engine_name" {
   description = "The name of the custom credentials engine to be created."
 }
 
+variable "skip_secrets_manager_iam_auth_policy" {
+  type        = bool
+  description = "Whether to skip the creation of the IAM authorization policies required between the Code engine project and Secrets Manager instance(if you are using an existing Secrets Manager instance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Viewer' and 'Writer' access to the Code engine project."
+  default     = false
+}
+
 variable "endpoint_type" {
   type        = string
   description = "The endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private`."