Secrets Manager Private Cert module

This module creates a private certificate in an existing Secrets Manager instance that has a configured Private Certificate Engine.

The module handles the following resource:

• Secrets Manager private certificate

Overview

• terraform-ibm-secrets-manager-private-cert
• Examples
  • Default example
  • Private-Only Secret Manager example
• Contributing

terraform-ibm-secrets-manager-private-cert

Usage

module "secrets_manager_private_certificate" {
  source  = "terraform-ibm-modules/secrets-manager-private-cert/ibm"
  version = "latest" # Replace "latest" with a release version to lock into a specific release

  cert_name             = "example-private-cert"
  cert_description      = "an example private cert"
  cert_secrets_group_id = "the secret group ID to place the cert"
  cert_template         = "name of the cert template to use"
  cert_common_name      = "example.com"

  secrets_manager_guid   = module.secrets_manager.secrets_manager_guid
  secrets_manager_region = var.region
}

Required IAM access policies

You need the following permissions to run this module.

• Account Management
  • IAM Access Groups service
    • Editor platform access
  • IAM Identity service
    • Operator platform access
  • Resource Group service
    • Viewer platform access
• IAM Services
  • Secrets Manager service
    • Administrator platform access
    • Manager service access

Requirements

Name	Version
terraform	>= 1.3.0
ibm	>=1.79.0, <2.0.0

Modules

No modules.

Resources

Name	Type
ibm_sm_private_certificate.secrets_manager_private_certificate	resource

Inputs

Name	Description	Type	Default	Required
cert_alt_names	Optional, Alternate names for the certificate to be created	list(string)	null	no
cert_common_name	Fully qualified domain name or host domain name for the certificate to be created	string	n/a	yes
cert_csr	Certificate signing request. If you don't include this parameter, the CSR that is used to generate the certificate is created internally	string	null	no
cert_custom_metadata	Optional, Custom metadata for the certificate to be created	map(string)	{ "collection_total": 1, "collection_type": "application/vnd.ibm.secrets-manager.secret+json" }	no
cert_description	Optional, Extended description of certificate to be created. To protect privacy, do not use personal data, such as name or location, as a description for certificate	string	null	no
cert_ip_sans	Optional, IP Subject Alternative Names (SANs) to define for the CA certificate, in a comma-delimited list	string	null	no
cert_labels	Optional, Labels for the certificate to be created	list(string)	[]	no
cert_name	Name of the certificate to be created in Secrets Manager	string	n/a	yes
cert_other_sans	Optional, The custom Object Identifier (OID) or UTF8-string Subject Alternative Names (SANs) to define for the CA certificate. The alternative names must match the values that are specified in the 'allowed_other_sans' field in the associated certificate template	list(string)	[]	no
cert_rotation	Optional, Rotation policy for the certificate to be created	object({ auto_rotate = optional(bool) interval = optional(number) unit = optional(string) })	{ "auto_rotate": true, "interval": 12, "unit": "month" }	no
cert_secrets_group_id	Optional, Id of Secrets Manager secret group to store the certificate in	string	"default"	no
cert_template	Name of the certificate template to use	string	n/a	yes
cert_ttl	Optional, Time-to-live (TTL) to assign to a private certificate	string	"364d"	no
cert_uri_sans	Optional, URI Subject Alternative Names (SANs) to define for the CA certificate, in a comma-delimited list	string	null	no
cert_version_custom_metadata	Optional, Custom version metadata for the certificate to be created	map(string)	{}	no
exclude_cn_from_sans	Optional, Controls whether the common name is excluded from Subject Alternative Names (SANs). If set to true, the common name is not included in DNS or Email SANs if they apply	bool	false	no
private_key_format	Optional, Format of the generated private key	string	"der"	no
return_format	Optional, Format of the returned data	string	"pem"	no
secrets_manager_guid	Secrets Manager GUID	string	n/a	yes
secrets_manager_region	Region the Secrets Manager instance is in	string	n/a	yes
service_endpoints	Service endpoint type to communicate with the provided secrets manager instance. Possible values are public or private	string	"public"	no

Outputs

Name	Description
id	Private certificates secrets manager secret resource ID
secret_crn	Private certificates secrets manager secret CRN
secret_id	Private certificates secrets manager secret unique ID

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.