diff --git a/README.md b/README.md
index 94f19c3..b84967e 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,7 @@ The following attributes and parameters are supported for all secret types:
- `secret_type` : The type of the secret.
- `secret_labels` : Any labels to attach to the secret.
-The following attributes and paramters are supported when storing arbitrary secrets:
+The following attributes and parameters are supported when storing arbitrary secrets:
- `secret_payload_password`: The payload (for arbitrary secrets) or password (for username and password credentials) of the secret.
@@ -80,7 +80,7 @@ module "secrets_manager_arbitrary_secret" {
secrets_manager_guid = "42454b3b-5b06-407b-a4b3-34d9ef323901"
secret_group_id = "432b91f1-ff6d-4b47-9f06-82debc236d90"
secret_name = "example-arbitrary-secret"
- secret_description = "Extended description for the arbirtary secret."
+ secret_description = "Extended description for the arbitrary secret."
secret_type = "arbitrary"
secret_payload_password = "secret-data" #pragma: allowlist secret
}
@@ -191,6 +191,7 @@ No modules.
| Name | Type |
|------|------|
| [ibm_sm_arbitrary_secret.arbitrary_secret](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_arbitrary_secret) | resource |
+| [ibm_sm_custom_credentials_secret.custom_credentials_secret](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_custom_credentials_secret) | resource |
| [ibm_sm_imported_certificate.imported_cert](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_imported_certificate) | resource |
| [ibm_sm_kv_secret.kv_secret](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_kv_secret) | resource |
| [ibm_sm_service_credentials_secret.service_credentials_secret](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_service_credentials_secret) | resource |
@@ -200,11 +201,14 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [custom\_credentials\_configurations](#input\_custom\_credentials\_configurations) | The name of the custom credentials secret configuration. | `string` | `null` | no |
+| [custom\_credentials\_parameters](#input\_custom\_credentials\_parameters) | Whether to create parameters for custom credentials secret or not | `bool` | `false` | no |
| [custom\_metadata](#input\_custom\_metadata) | Optional metadata to be added to the secret. | `map(string)` | `null` | no |
| [endpoint\_type](#input\_endpoint\_type) | The endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private` | `string` | `"public"` | no |
| [imported\_cert\_certificate](#input\_imported\_cert\_certificate) | The TLS certificate to import. | `string` | `null` | no |
| [imported\_cert\_intermediate](#input\_imported\_cert\_intermediate) | (optional) The intermediate certificate for the TLS certificate to import. | `string` | `null` | no |
| [imported\_cert\_private\_key](#input\_imported\_cert\_private\_key) | (optional) The private key for the TLS certificate to import. | `string` | `null` | no |
+| [job\_parameters](#input\_job\_parameters) | The parameters that are passed to the Code Engine job. |
object({
integer_values = optional(map(number))
string_values = optional(map(string))
boolean_values = optional(map(bool))
}) | `{}` | no |
| [region](#input\_region) | The region where the Secrets Manager instance is deployed. | `string` | n/a | yes |
| [secret\_auto\_rotation](#input\_secret\_auto\_rotation) | Whether to configure automatic rotation. Applies only to the `username_password` and `service_credentials` secret types. | `bool` | `true` | no |
| [secret\_auto\_rotation\_interval](#input\_secret\_auto\_rotation\_interval) | Specifies the rotation interval for the rotation unit. | `number` | `89` | no |
@@ -215,7 +219,7 @@ No modules.
| [secret\_labels](#input\_secret\_labels) | Labels of the secret to create. Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (\|). | `list(string)` | `[]` | no |
| [secret\_name](#input\_secret\_name) | Name of the secret to create. | `string` | n/a | yes |
| [secret\_payload\_password](#input\_secret\_payload\_password) | The payload (for arbitrary secrets) or password (for username and password credentials) of the secret. | `string` | `""` | no |
-| [secret\_type](#input\_secret\_type) | Type of secret to create, must be one of: arbitrary, username\_password, imported\_cert, service\_credentials | `string` | n/a | yes |
+| [secret\_type](#input\_secret\_type) | Type of secret to create, must be one of: arbitrary, username\_password, imported\_cert, service\_credentials, custom\_credentials | `string` | n/a | yes |
| [secret\_username](#input\_secret\_username) | Username of the secret to create. Applies only to `username_password` secret types. When `null`, an `arbitrary` secret is created. | `string` | `null` | no |
| [secrets\_manager\_guid](#input\_secrets\_manager\_guid) | The instance ID of the Secrets Manager instance where the secret will be added. | `string` | n/a | yes |
| [service\_credentials\_existing\_serviceid\_crn](#input\_service\_credentials\_existing\_serviceid\_crn) | The optional parameter 'serviceid\_crn' for creating service credentials. If not passed in, a new Service ID will be created. For more information see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_service_credentials_secret#parameters | `string` | `null` | no |
@@ -234,7 +238,7 @@ No modules.
| [secret\_id](#output\_secret\_id) | ID of the created Secret |
| [secret\_next\_rotation\_date](#output\_secret\_next\_rotation\_date) | Next rotation date for secret (if applicable) |
| [secret\_rotation](#output\_secret\_rotation) | Status of auto-rotation for secret |
-| [secret\_rotation\_interval](#output\_secret\_rotation\_interval) | Rotation frecuency for secret (if applicable) |
+| [secret\_rotation\_interval](#output\_secret\_rotation\_interval) | Rotation frequency for secret (if applicable) |
## Contributing
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 1569e62..b3fc45c 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -260,3 +260,152 @@ data "ibm_sm_kv_secret" "kv_secret" {
region = local.sm_region
secret_id = module.secrets_manager_key_value_secret.secret_id
}
+
+##############################################################################
+# Example working with Custom Credential Engine
+##############################################################################
+##############################################################################
+# Code Engine Project
+##############################################################################
+module "code_engine_project" {
+ source = "terraform-ibm-modules/code-engine/ibm//modules/project"
+ version = "4.5.8"
+ name = "${var.prefix}-project"
+ resource_group_id = module.resource_group.resource_group_id
+}
+
+##############################################################################
+# Code Engine Secret
+##############################################################################
+module "code_engine_secret" {
+ source = "terraform-ibm-modules/code-engine/ibm//modules/secret"
+ version = "4.5.8"
+ name = "${var.prefix}-rs"
+ project_id = module.code_engine_project.id
+ format = "registry"
+ data = {
+ "server" = "private.us.icr.io",
+ "username" = "iamapikey",
+ "password" = var.ibmcloud_api_key,
+ }
+}
+
+##############################################################################
+# Container Registry Namespace
+##############################################################################
+resource "ibm_cr_namespace" "rg_namespace" {
+ name = "${var.prefix}-crn"
+ resource_group_id = module.resource_group.resource_group_id
+}
+
+##############################################################################
+# Code Engine Build
+##############################################################################
+locals {
+ output_image = "private.us.icr.io/${resource.ibm_cr_namespace.rg_namespace.name}/custom-engine-job"
+}
+
+module "code_engine_build" {
+ source = "terraform-ibm-modules/code-engine/ibm//modules/build"
+ version = "4.5.8"
+ name = "${var.prefix}-build"
+ ibmcloud_api_key = var.ibmcloud_api_key
+ project_id = module.code_engine_project.id
+ existing_resource_group_id = module.resource_group.resource_group_id
+ source_url = "https://github.com/IBM/secrets-manager-custom-credentials-providers"
+ source_context_dir = "ibmcloud-iam-user-apikey-provider-go"
+ strategy_type = "dockerfile"
+ output_secret = module.code_engine_secret.name
+ output_image = local.output_image
+}
+
+##############################################################################
+# Code Engine Job
+##############################################################################
+
+data "http" "job_config" {
+ url = "https://raw.githubusercontent.com/IBM/secrets-manager-custom-credentials-providers/refs/heads/main/ibmcloud-iam-user-apikey-provider-go/job_config.json"
+ request_headers = {
+ Accept = "application/json"
+ }
+}
+
+locals {
+ job_env_variables = jsondecode(data.http.job_config.response_body).job_env_variables
+}
+
+module "code_engine_job" {
+ depends_on = [module.code_engine_build]
+ source = "terraform-ibm-modules/code-engine/ibm//modules/job"
+ version = "4.5.8"
+ name = "${var.prefix}-job"
+ image_reference = local.output_image
+ image_secret = module.code_engine_secret.name
+ project_id = module.code_engine_project.id
+ run_env_variables = [
+ for env_var in local.job_env_variables : {
+ type = "literal"
+ name = env_var.name
+ value = tostring(env_var.value)
+ }
+ ]
+}
+
+##############################################################################
+# Custom Credential Engine and secret
+##############################################################################
+
+module "custom_credential_engine" {
+ depends_on = [module.code_engine_job]
+ source = "terraform-ibm-modules/secrets-manager-custom-credentials-engine/ibm"
+ version = "1.0.0"
+ secrets_manager_guid = local.sm_guid
+ secrets_manager_region = local.sm_region
+ custom_credential_engine_name = "${var.prefix}-test-custom-engine"
+ endpoint_type = "public"
+ code_engine_project_id = module.code_engine_project.project_id
+ code_engine_job_name = module.code_engine_job.name
+ code_engine_region = var.existing_sm_instance_region == null ? var.region : var.existing_sm_instance_region
+ task_timeout = "10m"
+ service_id_name = "${var.prefix}-test-service-id"
+ iam_credential_secret_name = "${var.prefix}-test-iam-secret"
+}
+
+resource "ibm_iam_api_key" "api_key" {
+ name = "${var.prefix}-api-key"
+ description = "created for secrets-manager-secret complete example"
+}
+
+# create arbitrary secret
+module "secrets_manager_custom_arbitrary_secret" {
+ source = "../.."
+ region = local.sm_region
+ secrets_manager_guid = local.sm_guid
+ secret_group_id = module.secrets_manager_group.secret_group_id
+ secret_name = "${var.prefix}-custom-arbitrary-secret"
+ secret_description = "created by secrets-manager-secret-module complete example"
+ secret_type = "arbitrary" #checkov:skip=CKV_SECRET_6
+ secret_payload_password = ibm_iam_api_key.api_key.apikey
+ secret_labels = local.secret_labels
+ custom_metadata = { "metadata_custom_key" : "metadata_custom_value" } # can add any custom metadata here
+}
+
+# create custom credentials secret
+module "secret_manager_custom_credential" {
+ depends_on = [module.custom_credential_engine]
+ source = "../.."
+ secret_type = "custom_credentials" #checkov:skip=CKV_SECRET_6
+ region = local.sm_region
+ secrets_manager_guid = local.sm_guid
+ secret_name = "${var.prefix}-custom-credentials"
+ secret_group_id = module.secrets_manager_group.secret_group_id
+ secret_description = "created by secrets-manager-secret-module complete example"
+ custom_credentials_configurations = module.custom_credential_engine.custom_config_engine_name
+ custom_metadata = { "metadata_custom_key" : "metadata_custom_value" } # can add any custom metadata here
+ custom_credentials_parameters = true
+ job_parameters = {
+ string_values = {
+ apikey_secret_id = module.secrets_manager_custom_arbitrary_secret.secret_id
+ }
+ }
+}
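Review bot: Both the image the custom-credentials job runs and the environment it receives are resolved from an unpinned upstream branch: `data "http" "job_config"` reads `job_config.json` from `refs/heads/main`, and `module "code_engine_build"` is given `source_url` with no revision, so any push to that branch silently changes what the job executes and which env vars it gets. Pin both to a release tag or commit SHA — replace `refs/heads/main` in the URL with the pinned ref, and pass the same ref to the build (the underlying `ibm_code_engine_build` resource has `source_revision`; whether the `modules/build` wrapper exposes it I cannot tell from this hunk) — or vendor `job_config.json` into the example so the `http` provider is not needed at all. The same applies to the identical block added to examples/private/main.tf. Separately, `module.code_engine_project` is read as `.id` in `code_engine_secret` and as `.project_id` in `custom_credential_engine`; if the project module exposes both outputs this is fine, otherwise one of the two will fail at plan time.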
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
index b669c54..f2b2793 100644
--- a/examples/complete/outputs.tf
+++ b/examples/complete/outputs.tf
@@ -105,3 +105,13 @@ output "kv_secret_payload" {
sensitive = true
description = "accessing key value secret"
}
+
+output "custom_credential_secret_id" {
+ description = "ID of the created custom_credential secret"
+ value = module.secret_manager_custom_credential.secret_id
+}
+
+output "custom_credential_secret_crn" {
+ description = "CRN of the created custom_credential secret"
+ value = module.secret_manager_custom_credential.secret_crn
+}
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
index 207c86e..f71e29d 100644
--- a/examples/complete/variables.tf
+++ b/examples/complete/variables.tf
@@ -7,7 +7,7 @@ variable "ibmcloud_api_key" {
variable "prefix" {
type = string
description = "Prefix to use for naming of all resource created by this example"
- default = "test-sm-secret-module"
+ default = "sm-secret-complete"
}
variable "sm_service_plan" {
@@ -19,7 +19,7 @@ variable "sm_service_plan" {
variable "region" {
type = string
description = "Region to provision Secrets Manager in if not passing a value for var.existing_sm_instance_guid"
- default = "au-syd"
+ default = "us-south" # Region is defaulted to us-south so as to restrict the code engine project to be created in the same region and have a hardcoded output image as `private.us`
}
variable "resource_group" {
@@ -36,7 +36,7 @@ variable "resource_tags" {
variable "existing_sm_instance_guid" {
type = string
- description = "Existing Secrets Manager GUID. If not provided an new instance will be provisioned"
+ description = "Existing Secrets Manager GUID. If not provided an new instance will be provisioned. If existing_sm_instance_guid needs to be used make sure the instance passed belongs to us-south region"
default = null
validation {
diff --git a/examples/complete/version.tf b/examples/complete/version.tf
index f93bc67..bd47e88 100644
--- a/examples/complete/version.tf
+++ b/examples/complete/version.tf
@@ -9,5 +9,9 @@ terraform {
source = "hashicorp/tls"
version = ">= 4.0.4"
}
+ http = {
+ source = "hashicorp/http"
+ version = "3.2.1" # Use a compatible version
+ }
}
}
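Review bot: The new `http` provider is pinned to an exact `version = "3.2.1"` while the sibling `tls` entry uses `>= 4.0.4`, and the trailing comment `# Use a compatible version` explains nothing about why this one is exact. Either use the same constraint style, `version = ">= 3.2.1"`, or keep the exact pin and replace the comment with the reason (for example a known incompatibility). The same block is added to examples/private/version.tf.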
diff --git a/examples/private/main.tf b/examples/private/main.tf
index 63fdd88..0e4035b 100644
--- a/examples/private/main.tf
+++ b/examples/private/main.tf
@@ -264,3 +264,151 @@ data "ibm_sm_kv_secret" "kv_secret" {
secret_id = module.secrets_manager_key_value_secret.secret_id
endpoint_type = "private"
}
+
+##############################################################################
+# Example working with Custom Credential Engine
+##############################################################################
+##############################################################################
+# Code Engine Project
+##############################################################################
+module "code_engine_project" {
+ source = "terraform-ibm-modules/code-engine/ibm//modules/project"
+ version = "4.5.8"
+ name = "${var.prefix}-project"
+ resource_group_id = module.resource_group.resource_group_id
+}
+
+##############################################################################
+# Code Engine Secret
+##############################################################################
+module "code_engine_secret" {
+ source = "terraform-ibm-modules/code-engine/ibm//modules/secret"
+ version = "4.5.8"
+ name = "${var.prefix}-rs"
+ project_id = module.code_engine_project.id
+ format = "registry"
+ data = {
+ "server" = "private.uk.icr.io",
+ "username" = "iamapikey",
+ "password" = var.ibmcloud_api_key,
+ }
+}
+
+##############################################################################
+# Container Registry Namespace
+##############################################################################
+resource "ibm_cr_namespace" "rg_namespace" {
+ name = "${var.prefix}-crn"
+ resource_group_id = module.resource_group.resource_group_id
+}
+
+##############################################################################
+# Code Engine Build
+##############################################################################
+locals {
+ output_image = "private.uk.icr.io/${resource.ibm_cr_namespace.rg_namespace.name}/custom-engine-job"
+}
+
+module "code_engine_build" {
+ source = "terraform-ibm-modules/code-engine/ibm//modules/build"
+ version = "4.5.8"
+ name = "${var.prefix}-build"
+ ibmcloud_api_key = var.ibmcloud_api_key
+ region = var.existing_sm_instance_region == null ? var.region : var.existing_sm_instance_region
+ project_id = module.code_engine_project.id
+ existing_resource_group_id = module.resource_group.resource_group_id
+ source_url = "https://github.com/IBM/secrets-manager-custom-credentials-providers"
+ source_context_dir = "ibmcloud-iam-user-apikey-provider-go"
+ strategy_type = "dockerfile"
+ output_secret = module.code_engine_secret.name
+ output_image = local.output_image
+}
+
+##############################################################################
+# Code Engine Job
+##############################################################################
+
+data "http" "job_config" {
+ url = "https://raw.githubusercontent.com/IBM/secrets-manager-custom-credentials-providers/refs/heads/main/ibmcloud-iam-user-apikey-provider-go/job_config.json"
+ request_headers = {
+ Accept = "application/json"
+ }
+}
+
+locals {
+ job_env_variables = jsondecode(data.http.job_config.response_body).job_env_variables
+}
+
+module "code_engine_job" {
+ source = "terraform-ibm-modules/code-engine/ibm//modules/job"
+ version = "4.5.8"
+ name = "${var.prefix}-job"
+ image_reference = local.output_image
+ image_secret = module.code_engine_secret.name
+ project_id = module.code_engine_project.id
+ run_env_variables = [
+ for env_var in local.job_env_variables : {
+ type = "literal"
+ name = env_var.name
+ value = tostring(env_var.value)
+ }
+ ]
+}
+
+##############################################################################
+# Custom Credential Engine and secret
+##############################################################################
+
+module "custom_credential_engine" {
+ source = "terraform-ibm-modules/secrets-manager-custom-credentials-engine/ibm"
+ version = "1.0.0"
+ secrets_manager_guid = module.secrets_manager.secrets_manager_guid
+ secrets_manager_region = local.sm_region
+ custom_credential_engine_name = "${var.prefix}-test-custom-engine"
+ endpoint_type = "private"
+ code_engine_project_id = module.code_engine_project.project_id
+ code_engine_job_name = module.code_engine_job.name
+ code_engine_region = var.existing_sm_instance_region == null ? var.region : var.existing_sm_instance_region
+ task_timeout = "10m"
+ service_id_name = "${var.prefix}-test-service-id"
+ iam_credential_secret_name = "${var.prefix}-test-iam-secret"
+}
+
+resource "ibm_iam_api_key" "api_key" {
+ name = "${var.prefix}-api-key"
+ description = "created for secrets-manager-secret complete example"
+}
+
+module "secrets_manager_custom_arbitrary_secret" {
+ source = "../.."
+ region = local.sm_region
+ secrets_manager_guid = module.secrets_manager.secrets_manager_guid
+ secret_group_id = module.secrets_manager_group.secret_group_id
+ secret_name = "${var.prefix}-custom-arbitrary-secret"
+ secret_description = "created by secrets-manager-secret-module private example"
+ secret_type = "arbitrary" #checkov:skip=CKV_SECRET_6
+ secret_payload_password = ibm_iam_api_key.api_key.apikey
+ secret_labels = local.secret_labels
+ endpoint_type = "private"
+}
+
+# create custom credentials secret
+module "secret_manager_custom_credential" {
+ depends_on = [module.custom_credential_engine]
+ source = "../.."
+ secret_type = "custom_credentials" #checkov:skip=CKV_SECRET_6
+ region = local.sm_region
+ secrets_manager_guid = module.secrets_manager.secrets_manager_guid
+ secret_name = "${var.prefix}-custom-credentials"
+ secret_group_id = module.secrets_manager_group.secret_group_id
+ secret_description = "created by secrets-manager-secret-module private example"
+ custom_credentials_configurations = module.custom_credential_engine.custom_config_engine_name
+ custom_metadata = { "metadata_custom_key" : "metadata_custom_value" } # can add any custom metadata here
+ custom_credentials_parameters = true
+ job_parameters = {
+ string_values = {
+ apikey_secret_id = module.secrets_manager_custom_arbitrary_secret.secret_id
+ }
+ }
+ endpoint_type = "private"
+}
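Review bot: This is the private-endpoint example (`endpoint_type = "private"` on the engine and both secrets), yet `data "http" "job_config"` still fetches `job_config.json` from raw.githubusercontent.com over the public internet at plan time, so in an environment that chose private endpoints because public egress is restricted the plan fails before any resource is created; vendoring the file into the example, or at least documenting the public-egress requirement in a comment on the data source, would make the example honest about its prerequisites. The `ibm_iam_api_key.api_key` description still reads `"created for secrets-manager-secret complete example"`; it should say `private example` as the secret descriptions below it do. Also, `code_engine_build` here receives `region = var.existing_sm_instance_region == null ? var.region : var.existing_sm_instance_region`, while the same module call in examples/complete/main.tf passes no `region` at all — presumably one of the two is the intended shape, and the image host hardcoded in `local.output_image` (`private.uk.icr.io`) only matches if the build really lands in eu-gb.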
diff --git a/examples/private/outputs.tf b/examples/private/outputs.tf
index b669c54..f2b2793 100644
--- a/examples/private/outputs.tf
+++ b/examples/private/outputs.tf
@@ -105,3 +105,13 @@ output "kv_secret_payload" {
sensitive = true
description = "accessing key value secret"
}
+
+output "custom_credential_secret_id" {
+ description = "ID of the created custom_credential secret"
+ value = module.secret_manager_custom_credential.secret_id
+}
+
+output "custom_credential_secret_crn" {
+ description = "CRN of the created custom_credential secret"
+ value = module.secret_manager_custom_credential.secret_crn
+}
diff --git a/examples/private/provider.tf b/examples/private/provider.tf
index df45ef5..f5dc922 100644
--- a/examples/private/provider.tf
+++ b/examples/private/provider.tf
@@ -1,4 +1,4 @@
provider "ibm" {
ibmcloud_api_key = var.ibmcloud_api_key
- region = var.region
+ region = var.existing_sm_instance_region == null ? var.region : var.existing_sm_instance_region
}
diff --git a/examples/private/variables.tf b/examples/private/variables.tf
index fbf0c09..50165ab 100644
--- a/examples/private/variables.tf
+++ b/examples/private/variables.tf
@@ -7,7 +7,7 @@ variable "ibmcloud_api_key" {
variable "prefix" {
type = string
description = "Prefix to use for naming of all resource created by this example"
- default = "test-sm-secret-module"
+ default = "sm-secret-private"
}
variable "sm_service_plan" {
@@ -19,7 +19,7 @@ variable "sm_service_plan" {
variable "region" {
type = string
description = "Region to provision Secrets Manager in if not passing a value for var.existing_sm_instance_guid"
- default = "au-syd"
+ default = "eu-gb" # Region is defaulted to eu-gb so as to restrict the code engine project to be created in the same region and have a hardcoded output image as `private.uk`
}
variable "resource_group" {
@@ -36,7 +36,7 @@ variable "resource_tags" {
variable "existing_sm_instance_crn" {
type = string
- description = "An existing Secrets Manager instance CRN. If not provided an new instance will be provisioned."
+ description = "An existing Secrets Manager instance CRN. If not provided an new instance will be provisioned. If existing_sm_instance_guid needs to be used make sure the instance passed belongs to eu-gb region"
default = null
validation {
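Review bot: The new description on `variable "existing_sm_instance_crn"` tells the user about `existing_sm_instance_guid`, which is not the variable being declared here (it looks copied from examples/complete/variables.tf, where the variable really is the GUID). Suggested text: `description = "An existing Secrets Manager instance CRN. If not provided, a new instance will be provisioned. If an existing instance is used it must be in the eu-gb region."`. The region requirement is documentation-only; the `validation` block that follows is cut off by the hunk, so I cannot tell whether it also enforces the region.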
diff --git a/examples/private/version.tf b/examples/private/version.tf
index f93bc67..bd47e88 100644
--- a/examples/private/version.tf
+++ b/examples/private/version.tf
@@ -9,5 +9,9 @@ terraform {
source = "hashicorp/tls"
version = ">= 4.0.4"
}
+ http = {
+ source = "hashicorp/http"
+ version = "3.2.1" # Use a compatible version
+ }
}
}
diff --git a/main.tf b/main.tf
index d1a3dcc..b085251 100644
--- a/main.tf
+++ b/main.tf
@@ -6,6 +6,7 @@
locals {
auto_rotation_enabled = var.secret_auto_rotation == true ? [1] : []
+ parameters_enabled = var.custom_credentials_parameters == true ? [1] : []
}
resource "ibm_sm_arbitrary_secret" "arbitrary_secret" {
@@ -129,6 +130,36 @@ resource "ibm_sm_kv_secret" "kv_secret" {
custom_metadata = var.custom_metadata
}
+resource "ibm_sm_custom_credentials_secret" "custom_credentials_secret" {
+ count = var.secret_type == "custom_credentials" ? 1 : 0 #checkov:skip=CKV_SECRET_6
+ instance_id = var.secrets_manager_guid
+ region = var.region
+ name = var.secret_name
+ endpoint_type = var.endpoint_type
+ secret_group_id = var.secret_group_id
+ custom_metadata = var.custom_metadata
+ description = var.secret_description
+ labels = var.secret_labels
+ configuration = var.custom_credentials_configurations
+ dynamic "parameters" {
+ for_each = local.parameters_enabled
+ content {
+ integer_values = var.job_parameters.integer_values
+ string_values = var.job_parameters.string_values
+ boolean_values = var.job_parameters.boolean_values
+ }
+ }
+ dynamic "rotation" {
+ for_each = local.auto_rotation_enabled
+ content {
+ auto_rotate = var.secret_auto_rotation
+ interval = var.secret_auto_rotation_interval
+ unit = var.secret_auto_rotation_unit
+ }
+ }
+ ttl = var.service_credentials_ttl
+}
+
# Parse secret ID and generate data header for secrets
locals {
secret_id = (
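Review bot: `ttl = var.service_credentials_ttl` on the new `ibm_sm_custom_credentials_secret` reuses a variable whose name scopes it to service credentials; its declaration is outside this hunk, but if its description still talks only about service credentials it should be updated to say it also sets the TTL of `custom_credentials` secrets, or a dedicated `custom_credentials_ttl` variable should be introduced. Likewise the `rotation` block is now emitted for this type whenever `var.secret_auto_rotation` is true (its default is `true` per the README table), but the README still documents `secret_auto_rotation` as applying only to `username_password` and `service_credentials`; the variable description and README should list `custom_credentials` too. The `#checkov:skip=CKV_SECRET_6` on the `count` line suppresses a secret-detection check on a line that contains no secret value — a short comment saying it is there for the literal `"custom_credentials"` would stop the next reader from removing it.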
@@ -136,21 +167,24 @@ locals {
var.secret_type == "imported_cert" ? ibm_sm_imported_certificate.imported_cert[0].secret_id :
var.secret_type == "service_credentials" ? ibm_sm_service_credentials_secret.service_credentials_secret[0].secret_id :
var.secret_type == "arbitrary" ? ibm_sm_arbitrary_secret.arbitrary_secret[0].secret_id :
- var.secret_type == "key_value" ? ibm_sm_kv_secret.kv_secret[0].secret_id : null
+ var.secret_type == "key_value" ? ibm_sm_kv_secret.kv_secret[0].secret_id :
+ var.secret_type == "custom_credentials" ? ibm_sm_custom_credentials_secret.custom_credentials_secret[0].secret_id : null
)
secret_crn = (
var.secret_type == "username_password" ? ibm_sm_username_password_secret.username_password_secret[0].crn :
var.secret_type == "imported_cert" ? ibm_sm_imported_certificate.imported_cert[0].crn :
var.secret_type == "service_credentials" ? ibm_sm_service_credentials_secret.service_credentials_secret[0].crn :
var.secret_type == "arbitrary" ? ibm_sm_arbitrary_secret.arbitrary_secret[0].crn :
- var.secret_type == "key_value" ? ibm_sm_kv_secret.kv_secret[0].crn : null
+ var.secret_type == "key_value" ? ibm_sm_kv_secret.kv_secret[0].crn :
+ var.secret_type == "custom_credentials" ? ibm_sm_custom_credentials_secret.custom_credentials_secret[0].crn : null
)
#tfsec:ignore:general-secrets-no-plaintext-exposure
secret_auto_rotation_frequency = var.secret_auto_rotation == true ? "${var.secret_auto_rotation_interval} ${var.secret_auto_rotation_unit}(s)" : null #tfsec:ignore:general-secrets-no-plaintext-exposure
secret_next_rotation_date = (
var.secret_auto_rotation == true ?
var.secret_type == "username_password" ? ibm_sm_username_password_secret.username_password_secret[0].next_rotation_date :
- var.secret_type == "service_credentials" ? ibm_sm_service_credentials_secret.service_credentials_secret[0].next_rotation_date : null : null
+ var.secret_type == "service_credentials" ? ibm_sm_service_credentials_secret.service_credentials_secret[0].next_rotation_date :
+ var.secret_type == "custom_credentials" ? ibm_sm_custom_credentials_secret.custom_credentials_secret[0].next_rotation_date : null : null
)
secret_auto_rotation = (var.secret_type == "username_password" || var.secret_type == "service_credentials") ? var.secret_auto_rotation : null
}
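Review bot: `secret_auto_rotation` at the bottom of this locals block is not extended to the new type, so `secret_rotation` reports `null` for a `custom_credentials` secret even though the resource now gets a `rotation` block and `secret_next_rotation_date` (updated two lines above) does return its date. Change it to `secret_auto_rotation = (var.secret_type == "username_password" || var.secret_type == "service_credentials" || var.secret_type == "custom_credentials") ? var.secret_auto_rotation : null`. The `secret_id`/`secret_crn` chains keep the `[0]` index pattern of the existing branches, which is fine since `count` is 1 exactly when the type matches.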
diff --git a/outputs.tf b/outputs.tf
index e592eb5..9ccf8e4 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -23,7 +23,7 @@ output "secret_rotation" {
}
output "secret_rotation_interval" {
- description = "Rotation frecuency for secret (if applicable)"
+ description = "Rotation frequency for secret (if applicable)"
value = local.secret_auto_rotation_frequency
}
diff --git a/tests/pr_test.go b/tests/pr_test.go
index ff7cfe1..6f03964 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -66,6 +66,13 @@ func setupOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptio
},
})
+ // need to ignore because of a provider issue: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4719
+ options.IgnoreUpdates = testhelper.Exemptions{
+ List: []string{
+ "module.code_engine_job.ibm_code_engine_job.ce_job",
+ },
+ }
+
return options
}
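Review bot: The `IgnoreUpdates` exemption for `module.code_engine_job.ibm_code_engine_job.ce_job` is added verbatim here in `setupOptions` (whose signature is above this hunk) and again in `TestPrivateInSchematics` in the next hunk; when the referenced provider issue is fixed both copies must be found and removed. Hoist it to a single package-level value and assign `options.IgnoreUpdates = ceJobUpdateExemptions` in both places, keeping the issue link on the one declaration:
```go
// Updates to the Code Engine job are ignored because of a provider issue:
// https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4719
var ceJobUpdateExemptions = testhelper.Exemptions{
	List: []string{
		"module.code_engine_job.ibm_code_engine_job.ce_job",
	},
}
```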
@@ -119,6 +126,13 @@ func TestPrivateInSchematics(t *testing.T) {
{Name: "skip_iam_authorization_policy", Value: true, DataType: "bool"},
}
+ // need to ignore because of a provider issue: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4719
+ options.IgnoreUpdates = testhelper.Exemptions{
+ List: []string{
+ "module.code_engine_job.ibm_code_engine_job.ce_job",
+ },
+ }
+
err := options.RunSchematicTest()
assert.Nil(t, err, "This should not have errored")
}
diff --git a/variables.tf b/variables.tf
index 3592d82..b8eb68b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -20,11 +20,11 @@ variable "secret_group_id" {
variable "secret_type" {
type = string
- description = "Type of secret to create, must be one of: arbitrary, username_password, imported_cert, service_credentials"
+ description = "Type of secret to create, must be one of: arbitrary, username_password, imported_cert, service_credentials, custom_credentials"
validation {
- condition = contains(["arbitrary", "username_password", "imported_cert", "key_value", "service_credentials"], var.secret_type) #checkov:skip=CKV_SECRET_6
- error_message = "Only supported secrets types are arbitrary, username_password, key_value , imported_cert, or service_credentials"
+ condition = contains(["arbitrary", "username_password", "imported_cert", "key_value", "service_credentials", "custom_credentials"], var.secret_type) #checkov:skip=CKV_SECRET_6
+ error_message = "Only supported secrets types are arbitrary, username_password, key_value , imported_cert, service_credentials or custom_credentials"
}
validation {
@@ -46,6 +46,11 @@ variable "secret_type" {
condition = var.secret_type == "service_credentials" ? var.service_credentials_source_service_crn != null && var.service_credentials_source_service_role_crn != null : true
error_message = "When creating a service_credentials secret, values for `service_credentials_source_service_crn` and `service_credentials_source_service_role_crn` are required."
}
+
+ validation {
+ condition = var.secret_type != "custom_credentials" || var.custom_credentials_configurations != null
+ error_message = "The 'custom_credentials_configurations' variable must be set when 'secret_type' is 'custom_credentials'."
+ }
}
variable "imported_cert_certificate" {
@@ -198,4 +203,25 @@ variable "custom_metadata" {
default = null
}
+variable "custom_credentials_configurations" {
+ type = string
+ description = "The name of the custom credentials secret configuration."
+ default = null
+}
+
+variable "custom_credentials_parameters" {
+ type = bool
+ description = "Whether to create parameters for custom credentials secret or not"
+ default = false
+}
+
+variable "job_parameters" {
+ description = "The parameters that are passed to the Code Engine job."
+ type = object({
+ integer_values = optional(map(number))
+ string_values = optional(map(string))
+ boolean_values = optional(map(bool))
+ })
+ default = {}
+}
##############################################################################
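Review bot: `job_parameters` is silently ignored unless `custom_credentials_parameters` is `true` (main.tf only emits the `parameters` block from `local.parameters_enabled`), but neither description says so, so a caller who fills in `job_parameters` and leaves the flag at its default `false` gets a secret with no parameters and no error. State the coupling in both descriptions, e.g. on `job_parameters`: `description = "The parameters that are passed to the Code Engine job. Only used when custom_credentials_parameters is true and secret_type is custom_credentials."`, and consider a validation on `custom_credentials_parameters` such as `condition = !var.custom_credentials_parameters || var.secret_type == "custom_credentials"` so the flag cannot be set for another secret type. The new `secret_type` validation only checks `custom_credentials_configurations != null`, so an empty string passes; `length(coalesce(var.custom_credentials_configurations, "")) > 0` would close that gap. `custom_credentials_configurations` is also plural for what its description calls a single configuration name; a singular name would read better, though the renaming is a breaking change once released.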