feat: added support to add custom metadata to a secret using new input custom_metadata (#251)

Author: alex-reiff

README.md

@@ -176,6 +176,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_custom_metadata"></a> [custom\_metadata](#input\_custom\_metadata) | Optional metadata to be added to the secret. | `map(string)` | `null` | no |
 | <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | The endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private` | `string` | `"public"` | no |
 | <a name="input_imported_cert_certificate"></a> [imported\_cert\_certificate](#input\_imported\_cert\_certificate) | The TLS certificate to import. | `string` | `null` | no |
 | <a name="input_imported_cert_intermediate"></a> [imported\_cert\_intermediate](#input\_imported\_cert\_intermediate) | (optional) The intermediate certificate for the TLS certificate to import. | `string` | `null` | no |
@@ -204,6 +205,7 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_secret_crn"></a> [secret\_crn](#output\_secret\_crn) | CRN of the created Secret |
+| <a name="output_secret_group_id"></a> [secret\_group\_id](#output\_secret\_group\_id) | Secret group ID of the created secret |
 | <a name="output_secret_id"></a> [secret\_id](#output\_secret\_id) | ID of the created Secret |
 | <a name="output_secret_next_rotation_date"></a> [secret\_next\_rotation\_date](#output\_secret\_next\_rotation\_date) | Next rotation date for secret (if applicable) |
 | <a name="output_secret_rotation"></a> [secret\_rotation](#output\_secret\_rotation) | Status of auto-rotation for secret |

examples/complete/main.tf

@@ -75,6 +75,7 @@ module "secrets_manager_arbitrary_secret" {
   secret_type             = "arbitrary" #checkov:skip=CKV_SECRET_6
   secret_payload_password = local.payload
   secret_labels           = local.secret_labels
+  custom_metadata         = { "metadata_custom_key" : "metadata_custom_value" } # can add any custom metadata here
 }
 
 # retrieving information about the arbitrary secret
@@ -100,6 +101,7 @@ module "secrets_manager_user_pass_secret" {
   secret_payload_password = local.payload
   secret_username         = "terraform-user" #checkov:skip=CKV_SECRET_6
   secret_labels           = local.secret_labels
+  custom_metadata         = { "metadata_custom_key" : "metadata_custom_value" } # can add any custom metadata here
 }
 
 # retrieving information about the userpass secret
@@ -126,6 +128,7 @@ module "secrets_manager_user_pass_no_rotate_secret" {
   secret_username         = "terraform-user" #checkov:skip=CKV_SECRET_6
   secret_labels           = local.secret_labels
   secret_auto_rotation    = false
+  custom_metadata         = { "metadata_custom_key" : "metadata_custom_value" } # can add any custom metadata here
 }
 
 # retrieving information about the userpass secret
@@ -190,6 +193,7 @@ module "secret_manager_imported_cert" {
   imported_cert_certificate  = resource.tls_locally_signed_cert.cert.cert_pem
   imported_cert_private_key  = resource.tls_private_key.key.private_key_pem
   imported_cert_intermediate = resource.tls_self_signed_cert.ca_cert.cert_pem
+  custom_metadata            = { "metadata_custom_key" : "metadata_custom_value" } # can add any custom metadata here
 }
 
 ##############################################################################
@@ -236,4 +240,5 @@ module "secret_manager_service_credential" {
   service_credentials_source_service_crn      = module.cloud_object_storage.cos_instance_id
   service_credentials_source_service_role_crn = "crn:v1:bluemix:public:iam::::serviceRole:Writer"
   service_credentials_parameters              = { "service-endpoints" : "public" }
+  custom_metadata                             = { "metadata_custom_key" : "metadata_custom_value" } # can add any custom metadata here
 }

main.tf

@@ -50,6 +50,7 @@ resource "ibm_sm_arbitrary_secret" "arbitrary_secret" {
   labels          = var.secret_labels
   payload         = var.secret_payload_password
   endpoint_type   = var.endpoint_type
+  custom_metadata = var.custom_metadata
 }
 
 resource "ibm_sm_username_password_secret" "username_password_secret" {
@@ -63,6 +64,7 @@ resource "ibm_sm_username_password_secret" "username_password_secret" {
   username        = var.secret_username
   password        = var.secret_payload_password
   endpoint_type   = var.endpoint_type
+  custom_metadata = var.custom_metadata
 
   ## This for_each block is NOT a loop to attach to multiple rotation blocks.
   ## This block is only used to conditionally add rotation block depending on var.sm_iam_secret_auto_rotation
@@ -96,6 +98,7 @@ resource "ibm_sm_imported_certificate" "imported_cert" {
   private_key     = local.imported_cert_private_key
   intermediate    = local.imported_cert_intermediate
   endpoint_type   = var.endpoint_type
+  custom_metadata = var.custom_metadata
 }
 
 locals {
@@ -121,6 +124,7 @@ resource "ibm_sm_service_credentials_secret" "service_credentials_secret" {
   labels          = var.secret_labels
   ttl             = var.service_credentials_ttl
   endpoint_type   = var.endpoint_type
+  custom_metadata = var.custom_metadata
 
   source_service {
     instance {

outputs.tf

@@ -12,6 +12,11 @@ output "secret_crn" {
   value       = local.secret_crn
 }
 
+output "secret_group_id" {
+  description = "Secret group ID of the created secret"
+  value       = var.secret_group_id
+}
+
 output "secret_rotation" {
   description = "Status of auto-rotation for secret"
   value       = local.secret_auto_rotation

variables.tf

@@ -140,5 +140,10 @@ variable "endpoint_type" {
   }
 }
 
+variable "custom_metadata" {
+  type        = map(string)
+  description = "Optional metadata to be added to the secret."
+  default     = null
+}
 
 ##############################################################################