feat: added support to create service credentials using existing service ID with new input service_credentials_existing_serviceid_crn<br>* added support to pass a a list of custom parameters to the service credential creation using new input service_credentials_parameters<br>- Example: service_credentials_parameters = { "service-endpoints" : "public" } (#221)

Author: alex-reiff

README.md

@@ -192,8 +192,10 @@ No modules.
 | <a name="input_secret_type"></a> [secret\_type](#input\_secret\_type) | Type of secret to create, must be one of: arbitrary, username\_password, imported\_cert, service\_credentials | `string` | n/a | yes |
 | <a name="input_secret_username"></a> [secret\_username](#input\_secret\_username) | Username of the secret to create. Applies only to `username_password` secret types. When `null`, an `arbitrary` secret is created. | `string` | `null` | no |
 | <a name="input_secrets_manager_guid"></a> [secrets\_manager\_guid](#input\_secrets\_manager\_guid) | The instance ID of the Secrets Manager instance where the secret will be added. | `string` | n/a | yes |
+| <a name="input_service_credentials_existing_serviceid_crn"></a> [service\_credentials\_existing\_serviceid\_crn](#input\_service\_credentials\_existing\_serviceid\_crn) | The optional parameter 'serviceid\_crn' for creating service credentials. If not passed in, a new Service ID will be created. For more information see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_service_credentials_secret#parameters | `string` | `null` | no |
+| <a name="input_service_credentials_parameters"></a> [service\_credentials\_parameters](#input\_service\_credentials\_parameters) | List of all custom parameters for service credential. | `map(string)` | `null` | no |
 | <a name="input_service_credentials_source_service_crn"></a> [service\_credentials\_source\_service\_crn](#input\_service\_credentials\_source\_service\_crn) | The CRN of the source service instance to create the service credential. | `string` | `null` | no |
-| <a name="input_service_credentials_source_service_hmac"></a> [service\_credentials\_source\_service\_hmac](#input\_service\_credentials\_source\_service\_hmac) | The optional boolean parameter HMAC for creating specific kind of credentials. For more information see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_service_credentials_secret#parameters | `bool` | `false` | no |
+| <a name="input_service_credentials_source_service_hmac"></a> [service\_credentials\_source\_service\_hmac](#input\_service\_credentials\_source\_service\_hmac) | The optional boolean parameter 'HMAC' for creating specific kind of credentials. For more information see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_service_credentials_secret#parameters | `bool` | `false` | no |
 | <a name="input_service_credentials_source_service_role"></a> [service\_credentials\_source\_service\_role](#input\_service\_credentials\_source\_service\_role) | The role to give the service credential in the source service. | `string` | `null` | no |
 | <a name="input_service_credentials_ttl"></a> [service\_credentials\_ttl](#input\_service\_credentials\_ttl) | The time-to-live (TTL) to assign to generated service credentials (in seconds). | `number` | `"7776000"` | no |
 

examples/complete/main.tf

@@ -235,4 +235,5 @@ module "secret_manager_service_credential" {
   secret_type                             = "service_credentials" #checkov:skip=CKV_SECRET_6
   service_credentials_source_service_crn  = module.cloud_object_storage.cos_instance_id
   service_credentials_source_service_role = "Writer"
+  service_credentials_parameters          = { "service-endpoints" : "public" }
 }

main.tf

@@ -32,6 +32,12 @@ locals {
   auto_rotation_validate_check = regex("^${local.auto_rotation_validate_msg}$", (!local.auto_rotation_validate_condition ? local.auto_rotation_validate_msg : ""))
 
   auto_rotation_enabled = var.secret_auto_rotation == true ? [1] : []
+
+  # Prevent user from inputting a custom set of service credential parameters while also enabling specific parameter inputs
+  custom_parameters_validate_condition = var.service_credentials_parameters != null && (var.service_credentials_source_service_hmac == true || var.service_credentials_existing_serviceid_crn != null)
+  custom_parameters_validate_msg       = "You are passing in a custom set of service credential parameters while also using variables that auto-set parameters."
+  # tflint-ignore: terraform_unused_declarations
+  custom_parameters_validate_check = regex("^${local.custom_parameters_validate_msg}$", (!local.custom_parameters_validate_condition ? local.custom_parameters_validate_msg : ""))
 }
 
 resource "ibm_sm_arbitrary_secret" "arbitrary_secret" {
@@ -92,6 +98,19 @@ resource "ibm_sm_imported_certificate" "imported_cert" {
   endpoint_type   = var.endpoint_type
 }
 
+locals {
+  # there is a known issue with ternaries in merge, moved them out: https://github.com/hashicorp/terraform/issues/33310
+  local_service_credentials_source_service_hmac = var.service_credentials_source_service_hmac ? { "HMAC" : var.service_credentials_source_service_hmac } : null
+  local_service_credentials_serviceid_crn       = var.service_credentials_existing_serviceid_crn != null ? { "serviceid_crn" : var.service_credentials_existing_serviceid_crn } : null
+  parameters = (
+    var.service_credentials_parameters != null ? var.service_credentials_parameters :
+    merge(
+      local.local_service_credentials_source_service_hmac,
+      local.local_service_credentials_serviceid_crn,
+    )
+  )
+}
+
 resource "ibm_sm_service_credentials_secret" "service_credentials_secret" {
   count           = var.secret_type == "service_credentials" ? 1 : 0 #checkov:skip=CKV_SECRET_6
   region          = var.region
@@ -110,7 +129,7 @@ resource "ibm_sm_service_credentials_secret" "service_credentials_secret" {
     role {
       crn = "crn:v1:bluemix:public:iam::::serviceRole:${var.service_credentials_source_service_role}"
     }
-    parameters = var.service_credentials_source_service_hmac ? { "HMAC" : var.service_credentials_source_service_hmac } : null
+    parameters = local.parameters
   }
 
   ## This for_each block is NOT a loop to attach to multiple rotation blocks.

variables.tf

@@ -112,6 +112,24 @@ variable "service_credentials_source_service_role" {
   default     = null
 }
 
+variable "service_credentials_parameters" {
+  type        = map(string)
+  description = "List of all custom parameters for service credential."
+  default     = null
+}
+
+variable "service_credentials_source_service_hmac" {
+  type        = bool
+  description = "The optional boolean parameter 'HMAC' for creating specific kind of credentials. For more information see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_service_credentials_secret#parameters"
+  default     = false
+}
+
+variable "service_credentials_existing_serviceid_crn" {
+  type        = string
+  description = "The optional parameter 'serviceid_crn' for creating service credentials. If not passed in, a new Service ID will be created. For more information see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_service_credentials_secret#parameters"
+  default     = null
+}
+
 variable "endpoint_type" {
   type        = string
   description = "The endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private`"
@@ -122,10 +140,5 @@ variable "endpoint_type" {
   }
 }
 
-variable "service_credentials_source_service_hmac" {
-  type        = bool
-  description = "The optional boolean parameter HMAC for creating specific kind of credentials. For more information see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_service_credentials_secret#parameters"
-  default     = false
-}
 
 ##############################################################################