feat: The service_credentials_source_service_role input has now been replaced by service_credentials_source_service_role_crn to allow consumers to create service specific roles. For example: service_credentials_source_service_role_crn = "crn:v1:bluemix:public:cloud-object-storage::::serviceRole:ObjectReader" (#250)

Author: shemau

README.md

@@ -196,7 +196,7 @@ No modules.
 | <a name="input_service_credentials_parameters"></a> [service\_credentials\_parameters](#input\_service\_credentials\_parameters) | List of all custom parameters for service credential. | `map(string)` | `null` | no |
 | <a name="input_service_credentials_source_service_crn"></a> [service\_credentials\_source\_service\_crn](#input\_service\_credentials\_source\_service\_crn) | The CRN of the source service instance to create the service credential. | `string` | `null` | no |
 | <a name="input_service_credentials_source_service_hmac"></a> [service\_credentials\_source\_service\_hmac](#input\_service\_credentials\_source\_service\_hmac) | The optional boolean parameter 'HMAC' for creating specific kind of credentials. For more information see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_service_credentials_secret#parameters | `bool` | `false` | no |
-| <a name="input_service_credentials_source_service_role"></a> [service\_credentials\_source\_service\_role](#input\_service\_credentials\_source\_service\_role) | The role to give the service credential in the source service. | `string` | `null` | no |
+| <a name="input_service_credentials_source_service_role_crn"></a> [service\_credentials\_source\_service\_role\_crn](#input\_service\_credentials\_source\_service\_role\_crn) | The CRN for the role to give the service credential in the source service. See https://cloud.ibm.com/iam/roles | `string` | `null` | no |
 | <a name="input_service_credentials_ttl"></a> [service\_credentials\_ttl](#input\_service\_credentials\_ttl) | The time-to-live (TTL) to assign to generated service credentials (in seconds). | `number` | `"7776000"` | no |
 
 ### Outputs

examples/complete/main.tf

@@ -225,15 +225,15 @@ resource "ibm_iam_authorization_policy" "policy" {
 
 # create service credentials secret
 module "secret_manager_service_credential" {
-  depends_on                              = [ibm_iam_authorization_policy.policy]
-  source                                  = "../.."
-  region                                  = local.sm_region
-  secrets_manager_guid                    = local.sm_guid
-  secret_name                             = "${var.prefix}-service-credentials"
-  secret_group_id                         = module.secrets_manager_group.secret_group_id
-  secret_description                      = "created by secrets-manager-secret-module complete example"
-  secret_type                             = "service_credentials" #checkov:skip=CKV_SECRET_6
-  service_credentials_source_service_crn  = module.cloud_object_storage.cos_instance_id
-  service_credentials_source_service_role = "Writer"
-  service_credentials_parameters          = { "service-endpoints" : "public" }
+  depends_on                                  = [ibm_iam_authorization_policy.policy]
+  source                                      = "../.."
+  region                                      = local.sm_region
+  secrets_manager_guid                        = local.sm_guid
+  secret_name                                 = "${var.prefix}-service-credentials"
+  secret_group_id                             = module.secrets_manager_group.secret_group_id
+  secret_description                          = "created by secrets-manager-secret-module complete example"
+  secret_type                                 = "service_credentials" #checkov:skip=CKV_SECRET_6
+  service_credentials_source_service_crn      = module.cloud_object_storage.cos_instance_id
+  service_credentials_source_service_role_crn = "crn:v1:bluemix:public:iam::::serviceRole:Writer"
+  service_credentials_parameters              = { "service-endpoints" : "public" }
 }

examples/private/main.tf

@@ -234,15 +234,15 @@ resource "ibm_iam_authorization_policy" "policy" {
 
 # create service credentials secret
 module "secret_manager_service_credential" {
-  depends_on                              = [ibm_iam_authorization_policy.policy]
-  source                                  = "../.."
-  region                                  = local.sm_region
-  secrets_manager_guid                    = module.secrets_manager.secrets_manager_guid
-  secret_name                             = "${var.prefix}-service-credentials"
-  secret_group_id                         = module.secrets_manager_group.secret_group_id
-  secret_description                      = "created by secrets-manager-secret-module complete example"
-  secret_type                             = "service_credentials" #checkov:skip=CKV_SECRET_6
-  service_credentials_source_service_crn  = module.cloud_object_storage.cos_instance_id
-  service_credentials_source_service_role = "Writer"
-  endpoint_type                           = "private"
+  depends_on                                  = [ibm_iam_authorization_policy.policy]
+  source                                      = "../.."
+  region                                      = local.sm_region
+  secrets_manager_guid                        = module.secrets_manager.secrets_manager_guid
+  secret_name                                 = "${var.prefix}-service-credentials"
+  secret_group_id                             = module.secrets_manager_group.secret_group_id
+  secret_description                          = "created by secrets-manager-secret-module complete example"
+  secret_type                                 = "service_credentials" #checkov:skip=CKV_SECRET_6
+  service_credentials_source_service_crn      = module.cloud_object_storage.cos_instance_id
+  service_credentials_source_service_role_crn = "crn:v1:bluemix:public:iam::::serviceRole:Writer"
+  endpoint_type                               = "private"
 }

main.tf

@@ -20,8 +20,8 @@ locals {
   imported_cert_validate_check = regex("^${local.imported_cert_validate_msg}$", (!local.imported_cert_validate_condition ? local.imported_cert_validate_msg : ""))
 
   # validate service credentials has source service information
-  service_credentials_validate_condition = (var.secret_type == "service_credentials" && var.service_credentials_source_service_crn == null) || (var.secret_type == "service_credentials" && var.service_credentials_source_service_role == null) #checkov:skip=CKV_SECRET_6
-  service_credentials_validate_msg       = "When creating a service_credentials secret, values for `service_credentials_source_service_crn` and `service_credentials_source_service_role` are required."
+  service_credentials_validate_condition = (var.secret_type == "service_credentials" && var.service_credentials_source_service_crn == null) || (var.secret_type == "service_credentials" && var.service_credentials_source_service_role_crn == null) #checkov:skip=CKV_SECRET_6
+  service_credentials_validate_msg       = "When creating a service_credentials secret, values for `service_credentials_source_service_crn` and `service_credentials_source_service_role_crn` are required."
   # tflint-ignore: terraform_unused_declarations
   service_credentials_validate_check = regex("^${local.service_credentials_validate_msg}$", (!local.service_credentials_validate_condition ? local.service_credentials_validate_msg : ""))
 
@@ -127,7 +127,7 @@ resource "ibm_sm_service_credentials_secret" "service_credentials_secret" {
       crn = var.service_credentials_source_service_crn
     }
     role {
-      crn = "crn:v1:bluemix:public:iam::::serviceRole:${var.service_credentials_source_service_role}"
+      crn = var.service_credentials_source_service_role_crn
     }
     parameters = local.parameters
   }

variables.tf

@@ -106,9 +106,9 @@ variable "service_credentials_source_service_crn" {
   default     = null
 }
 
-variable "service_credentials_source_service_role" {
+variable "service_credentials_source_service_role_crn" {
   type        = string
-  description = "The role to give the service credential in the source service."
+  description = "The CRN for the role to give the service credential in the source service. See https://cloud.ibm.com/iam/roles"
   default     = null
 }