terraform-ibm-modules
diff --git a/‎.secrets.baseline‎
Lines changed: 1 addition & 1 deletion b/‎.secrets.baseline‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md‎
Lines changed: 59 additions & 21 deletions b/‎README.md‎
Lines changed: 59 additions & 21 deletions
diff --git a/‎cra-tf-validate-ignore-rules.json‎
Lines changed: 14 additions & 1 deletion b/‎cra-tf-validate-ignore-rules.json‎
Lines changed: 14 additions & 1 deletion
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-12-09T07:18:15Z",
+  "generated_at": "2024-01-18T16:31:21Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
 
@@ -13,28 +13,42 @@ The module supports the following secret types:
 - [Arbitrary](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-arbitrary-secrets&interface=ui)
 - [User credentials](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-user-credentials&interface=ui)
 - [Imported Certificate](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-certificates&interface=api#import-certificates)
+- [Service Credentials](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-service-credentials&interface=api)
 
-The following attributes and parameters are supported for both secret types:
+The following attributes and parameters are supported for all secret types:
 
 - `secret_group_id`: When `null`, the `default` secret-group is used.
 - `secret_name`: The name of the secret that is created.
 - `secret_description`: The description of the secret.
+- `secret_type` : The type of the secret.
+- `secret_labels` : Any labels to attach to the secret.
+
+The following attributes and paramters are supported when storing arbitrary secrets:
+
 - `secret_payload_password`: The payload (for arbitrary secrets) or password (for username and password credentials) of the secret.
 
-The following attributes and parameters are supported only when storing user credentials:
+The following attributes and parameters are supported when storing user credentials:
 
+- `secret_payload_password`: The payload (for arbitrary secrets) or password (for username and password credentials) of the secret.
 - `secret_username`: The username of the secret that is created. Applicable only to the `username_password` secret type. When the parameter is `null`, an `arbitrary` secret is created.
-- `secret_user_pass_auto_rotation`: Configures automatic rotation. Default is `true`.
-- `secret_user_pass_auto_rotation_unit`: Specifies the unit type for the secret rotation. Accepted values are `day` or `month`. Default is `day`.
-- `secret_user_pass_auto_rotation_interval`: Specifies the rotation interval for the rotation unit. Default is `90`.
+- `secret_auto_rotation`: Configures automatic rotation. Default is `true`.
+- `secret_auto_rotation_unit`: Specifies the unit type for the secret rotation. Accepted values are `day` or `month`. Default is `day`.
+- `secret_auto_rotation_interval`: Specifies the rotation interval for the rotation unit. Default is `89`.
 
-The following attributes and parameters are supported only when creating imported certificates:
+The following attributes and parameters are supported when creating imported certificates:
 
-- `imported_cert`: specify if imported certificate secret type will be created, defaults to `false`.
 - `imported_cert_certificate`: The TLS certificate to be imported. Defaults to `null`.
 - `imported_cert_private_key`: Optional private key for the TLS certificate to be imported. Defaults to `null`.
 - `imported_cert_intermediate`: Optional intermediate certificate for the TLS certificate to be imported. Defaults to `null`.
 
+The following attributes and parameters are supported when creating service credentials:
+
+- `service_credentials_source_service_crn`: The CRN of the target service instance to create the service credentials.
+- `service_credentials_source_service_role`: The service specific role to give the service credentials.
+- `secret_auto_rotation`: Configures automatic rotation. Default is `true`.
+- `secret_auto_rotation_unit`: Specifies the unit type for the secret rotation. Accepted values are `day` or `month`. Default is `day`.
+- `secret_auto_rotation_interval`: Specifies the rotation interval for the rotation unit. Default is `89`.
+
 <!-- Below content is automatically populated via pre-commit hook -->
 <!-- BEGIN OVERVIEW HOOK -->
 ## Overview
@@ -53,14 +67,14 @@ The following attributes and parameters are supported only when creating importe
 ##############################################################################
 
 module "secrets_manager_arbitrary_secret" {
-  # Replace "master" with a GIT release version to lock into a specific release
   source                  = "terraform-ibm-modules/secrets-manager-secret/ibm"
-  version                 = "3.1.1"
+  version                 = "latest" # Replace "latest" with a release version to lock into a specific release
   region                  = "us-south"
   secrets_manager_guid    = "42454b3b-5b06-407b-a4b3-34d9ef323901"
   secret_group_id         = "432b91f1-ff6d-4b47-9f06-82debc236d90"
   secret_name             = "example-arbitrary-secret"
   secret_description      = "Extended description for the arbirtary secret."
+  secret_type             = "arbitrary"
   secret_payload_password = "secret-data" #pragma: allowlist secret
 }
 ```
@@ -71,14 +85,14 @@ module "secrets_manager_arbitrary_secret" {
 ##############################################################################
 
 module "secrets_manager_user_pass_secret" {
-  # Replace "master" with a GIT release version to lock into a specific release
   source                  = "terraform-ibm-modules/secrets-manager-secret/ibm"
-  version                 = "3.1.1"
+  version                 = "latest" # Replace "latest" with a release version to lock into a specific release
   region                  = "us-south"
   secrets_manager_guid    = "42454b3b-5b06-407b-a4b3-34d9ef323901"
   secret_group_id         = "432b91f1-ff6d-4b47-9f06-82debc236d90"
   secret_name             = "example-user-pass-secret"
   secret_description      = "Extended description for the user pass secret."
+  secret_type             = "username_password"
   secret_payload_password = "secret-data" #pragma: allowlist secret
   secret_username         = "terraform-user"
 }
@@ -90,21 +104,41 @@ module "secrets_manager_user_pass_secret" {
 ##############################################################################
 
 module "secret_manager_imported_cert secret" {
-  # Replace "master" with a GIT release version to lock into a specific release
   source                     = "terraform-ibm-modules/secrets-manager-secret/ibm"
-  version                    = "3.1.1"
+  version                    = "latest" # Replace "latest" with a release version to lock into a specific release
   region                     = "us-south
   secrets_manager_guid       = "42454b3b-5b06-407b-a4b3-34d9ef323901"
   secret_group_id            = "432b91f1-ff6d-4b47-9f06-82debc236d90"
   secret_name                = "example-imported-cert-secret"
   secret_description         = "Extended description for the imported cert secret."
-  imported_cert              = true
+  secret_type                = "imported_cert"
   imported_cert_certificate  = module.certificate.cert_pem
   imported_cert_private_key  = module.certificate.private_key #pragma: allowlist secret
   imported_cert_intermediate = module.certificate.ca_cert_pem
 }
 ```
 
+```hcl
+##############################################################################
+# Create Service Credentials
+##############################################################################
+
+# A service authorization between Secrets Manager and the target service is required. The "complete" example includes a sample service authorization.
+
+module "secret_manager_service_credential" {
+  source                                  = "terraform-ibm-modules/secrets-manager-secret/ibm"
+  version                                 = "latest" # Replace "latest" with a release version to lock into a specific release
+  region                                  = "us-south
+  secrets_manager_guid                    = "42454b3b-5b06-407b-a4b3-34d9ef323901"
+  secret_group_id                         = "432b91f1-ff6d-4b47-9f06-82debc236d90"
+  secret_name                             = "example-service-credential"
+  secret_description                      = "Extended description for the service credentials secret."
+  secret_type                             = "service_credentials"
+  service_credentials_source_service_crn  = module.cloud_object_storage.cos_instance_id
+  service_credentials_source_service_role = "Writer"
+}
+```
+
 ### Required IAM access policies
 You need the following permissions to run this module.
 
@@ -134,6 +168,7 @@ No modules.
 |------|------|
 | [ibm_sm_arbitrary_secret.arbitrary_secret](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_arbitrary_secret) | resource |
 | [ibm_sm_imported_certificate.imported_cert](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_imported_certificate) | resource |
+| [ibm_sm_service_credentials_secret.service_credentials_secret](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_service_credentials_secret) | resource |
 | [ibm_sm_username_password_secret.username_password_secret](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_username_password_secret) | resource |
 
 ### Inputs
@@ -144,17 +179,20 @@ No modules.
 | <a name="input_imported_cert_intermediate"></a> [imported\_cert\_intermediate](#input\_imported\_cert\_intermediate) | (optional) The intermediate certificate for the TLS certificate to import. | `string` | `null` | no |
 | <a name="input_imported_cert_private_key"></a> [imported\_cert\_private\_key](#input\_imported\_cert\_private\_key) | (optional) The private key for the TLS certificate to import. | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region where the Secrets Manager instance is deployed. | `string` | n/a | yes |
+| <a name="input_secret_auto_rotation"></a> [secret\_auto\_rotation](#input\_secret\_auto\_rotation) | Whether to configure automatic rotation. Applies only to the `username_password` and `service_credentials` secret types. | `bool` | `true` | no |
+| <a name="input_secret_auto_rotation_interval"></a> [secret\_auto\_rotation\_interval](#input\_secret\_auto\_rotation\_interval) | Specifies the rotation interval for the rotation unit. | `number` | `89` | no |
+| <a name="input_secret_auto_rotation_unit"></a> [secret\_auto\_rotation\_unit](#input\_secret\_auto\_rotation\_unit) | Specifies the unit of time for rotation of a username\_password secret. Acceptable values are `day` or `month`. | `string` | `"day"` | no |
 | <a name="input_secret_description"></a> [secret\_description](#input\_secret\_description) | Description of the secret to create. | `string` | n/a | yes |
 | <a name="input_secret_group_id"></a> [secret\_group\_id](#input\_secret\_group\_id) | The ID of the secret group for the secret. If `null`, the `default` secret group is used. | `string` | `"default"` | no |
 | <a name="input_secret_labels"></a> [secret\_labels](#input\_secret\_labels) | Labels of the secret to create. Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (\|). | `list(string)` | `[]` | no |
 | <a name="input_secret_name"></a> [secret\_name](#input\_secret\_name) | Name of the secret to create. | `string` | n/a | yes |
 | <a name="input_secret_payload_password"></a> [secret\_payload\_password](#input\_secret\_payload\_password) | The payload (for arbitrary secrets) or password (for username and password credentials) of the secret. | `string` | `""` | no |
-| <a name="input_secret_type"></a> [secret\_type](#input\_secret\_type) | Type of secret to create, must be one of: arbitrary, username\_password, imported\_cert | `string` | n/a | yes |
-| <a name="input_secret_user_pass_auto_rotation"></a> [secret\_user\_pass\_auto\_rotation](#input\_secret\_user\_pass\_auto\_rotation) | Whether to configure automatic rotation. Applies only to the `username_password` secret type. | `bool` | `true` | no |
-| <a name="input_secret_user_pass_auto_rotation_interval"></a> [secret\_user\_pass\_auto\_rotation\_interval](#input\_secret\_user\_pass\_auto\_rotation\_interval) | Specifies the rotation interval for the rotation unit. | `number` | `90` | no |
-| <a name="input_secret_user_pass_auto_rotation_unit"></a> [secret\_user\_pass\_auto\_rotation\_unit](#input\_secret\_user\_pass\_auto\_rotation\_unit) | Specifies the unit of time for rotation of a username\_password secret. Acceptable values are `day` or `month`. | `string` | `"day"` | no |
+| <a name="input_secret_type"></a> [secret\_type](#input\_secret\_type) | Type of secret to create, must be one of: arbitrary, username\_password, imported\_cert, service\_credentials | `string` | n/a | yes |
 | <a name="input_secret_username"></a> [secret\_username](#input\_secret\_username) | Username of the secret to create. Applies only to `username_password` secret types. When `null`, an `arbitrary` secret is created. | `string` | `null` | no |
 | <a name="input_secrets_manager_guid"></a> [secrets\_manager\_guid](#input\_secrets\_manager\_guid) | The instance ID of the Secrets Manager instance where the secret will be added. | `string` | n/a | yes |
+| <a name="input_service_credentials_source_service_crn"></a> [service\_credentials\_source\_service\_crn](#input\_service\_credentials\_source\_service\_crn) | The CRN of the source service instance to create the service credential. | `string` | `null` | no |
+| <a name="input_service_credentials_source_service_role"></a> [service\_credentials\_source\_service\_role](#input\_service\_credentials\_source\_service\_role) | The role to give the service credential in the source service. | `string` | `null` | no |
+| <a name="input_service_credentials_ttl"></a> [service\_credentials\_ttl](#input\_service\_credentials\_ttl) | The time-to-live (TTL) to assign to generated service credentials (in seconds). | `number` | `"7776000"` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The service endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private` | `string` | `"public"` | no |
 
 ### Outputs
@@ -163,9 +201,9 @@ No modules.
 |------|-------------|
 | <a name="output_secret_crn"></a> [secret\_crn](#output\_secret\_crn) | CRN of the created Secret |
 | <a name="output_secret_id"></a> [secret\_id](#output\_secret\_id) | ID of the created Secret |
-| <a name="output_user_pass_next_rotation_date"></a> [user\_pass\_next\_rotation\_date](#output\_user\_pass\_next\_rotation\_date) | Next rotation data for username\_password secret |
-| <a name="output_user_pass_rotation"></a> [user\_pass\_rotation](#output\_user\_pass\_rotation) | Status of auto-rotation for username\_password secret |
-| <a name="output_user_pass_rotation_interval"></a> [user\_pass\_rotation\_interval](#output\_user\_pass\_rotation\_interval) | Rotation frecuency for username\_password secret |
+| <a name="output_secret_next_rotation_date"></a> [secret\_next\_rotation\_date](#output\_secret\_next\_rotation\_date) | Next rotation date for secret (if applicable) |
+| <a name="output_secret_rotation"></a> [secret\_rotation](#output\_secret\_rotation) | Status of auto-rotation for secret |
+| <a name="output_secret_rotation_interval"></a> [secret\_rotation\_interval](#output\_secret\_rotation\_interval) | Rotation frecuency for secret (if applicable) |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Contributing
 
@@ -1,3 +1,16 @@
 {
-    "scc_rules": []
+    "scc_rules": [
+      {
+        "scc_rule_id": "rule-8cbd597c-7471-42bd-9c88-36b2696456e9",
+        "description": "Check whether Cloud Object Storage network access is restricted to a specific IP range",
+        "ignore_reason": "This rule is not relevant to the module itself, just the COS instance that is used in the example that is scanned",
+        "is_valid": false
+      },
+      {
+        "scc_rule_id": "rule-c97259ee-336d-4c5f-b436-1868107a9558",
+        "description": "Check whether Cloud Object Storage is enabled with customer-managed encryption and Keep Your Own Key (KYOK)",
+        "ignore_reason": "This rule is not relevant to the module itself, just the COS instance that is used in the example that is scanned",
+        "is_valid": false
+      }
+    ]
 }
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`"files": "go.sum\|^.secrets.baseline$",`
`4`	`4`	`"lines": null`
`5`	`5`	`},`
`6`		`- "generated_at": "2023-12-09T07:18:15Z",`
	`6`	`+ "generated_at": "2024-01-18T16:31:21Z",`
`7`	`7`	`"plugins_used": [`
`8`	`8`	`{`
`9`	`9`	`"name": "AWSKeyDetector"`