fix: enable event notifications in secrets manager DA (#178)

shemau · Steve Peggs · web-flow · commit 7a98602ff1bf · 2024-08-21T15:36:58.000-04:00
* fix: enable eveent notifications in DA

* fix: add en crn validation check

* fix: update existing resource test

* fix: update existing resource test

* fix: update existing resource test

---------

Co-authored-by: Steve Peggs &lt;peggs@uk.ibm.com&gt;
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
@@ -4,6 +4,10 @@
 locals {
   # tflint-ignore: terraform_unused_declarations
   validate_resource_group = (var.existing_secrets_manager_crn == null && var.resource_group_name == null) ? tobool("Resource group name can not be null if existing secrets manager CRN is not set.") : true
+  # tflint-ignore: terraform_unused_declarations
+  validate_event_notifications = (var.existing_event_notification_instance_crn == null && var.enable_event_notification) ? tobool("To enable event notifications, an existing event notifications CRN must be set.") : true
+  # tflint-ignore: terraform_unused_declarations
+  validate_event_notifications_disabled = (var.existing_event_notification_instance_crn != null && !var.enable_event_notification) ? tobool("When an existing event notifications CRN is set, enable_event_notification should be true.") : true
 }
 
 module "resource_group" {
@@ -113,7 +117,7 @@ module "secrets_manager" {
   kms_key_crn                       = local.kms_key_crn
   skip_kms_iam_authorization_policy = var.skip_kms_iam_authorization_policy || local.create_cross_account_auth_policy
   # event notifications dependency
-  enable_event_notification        = var.existing_event_notification_instance_crn != null ? true : false
+  enable_event_notification        = var.enable_event_notification
   existing_en_instance_crn         = var.existing_event_notification_instance_crn
   skip_en_iam_authorization_policy = var.skip_event_notification_iam_authorization_policy
   endpoint_type                    = local.sm_endpoint_type
@@ -187,7 +191,7 @@ locals {
 }
 
 data "ibm_en_destinations" "en_destinations" {
-  count         = var.existing_event_notification_instance_crn != null ? 1 : 0
+  count         = var.enable_event_notification ? 1 : 0
   instance_guid = local.existing_en_guid
 }
 
@@ -199,7 +203,7 @@ resource "time_sleep" "wait_for_secrets_manager" {
 }
 
 resource "ibm_en_topic" "en_topic" {
-  count         = var.existing_event_notification_instance_crn != null ? 1 : 0
+  count         = var.enable_event_notification ? 1 : 0
   depends_on    = [time_sleep.wait_for_secrets_manager]
   instance_guid = local.existing_en_guid
   name          = "Secrets Manager Topic"
@@ -214,7 +218,7 @@ resource "ibm_en_topic" "en_topic" {
 }
 
 resource "ibm_en_subscription_email" "email_subscription" {
-  count          = var.existing_event_notification_instance_crn != null && length(var.sm_en_email_list) > 0 ? 1 : 0
+  count          = var.enable_event_notification && length(var.sm_en_email_list) > 0 ? 1 : 0
   instance_guid  = local.existing_en_guid
   name           = "Email for Secrets Manager Subscription"
   description    = "Subscription for Secret Manager Events"
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
@@ -90,7 +90,10 @@ variable "public_engine_enabled" {
   default     = false
 }
 
+########################################################################################################################
 # Public cert engine config
+########################################################################################################################
+
 variable "public_engine_name" {
   type        = string
   description = "The name of the IAM engine used to configure a Secrets Manager public certificate engine for an existing instance."
@@ -122,7 +125,10 @@ variable "acme_letsencrypt_private_key" {
   default     = null
 }
 
+########################################################################################################################
 # Private cert engine config
+########################################################################################################################
+
 variable "private_engine_enabled" {
   type        = bool
   description = "Set this to true to configure a Secrets Manager private certificate engine for an existing instance. If set to false, no private certificate engine will be configured for your instance."
@@ -165,6 +171,10 @@ variable "certificate_template_name" {
   default     = "default-cert-template"
 }
 
+########################################################################################################################
+# IAM engine config
+########################################################################################################################
+
 variable "iam_engine_enabled" {
   type        = bool
   description = "Set this to true to to configure a Secrets Manager IAM credentials engine. If set to false, no IAM engine will be configured for your instance."
@@ -236,6 +246,12 @@ variable "ibmcloud_kms_api_key" {
 # Event Notifications
 ########################################################################################################################
 
+variable "enable_event_notification" {
+  type        = bool
+  default     = false
+  description = "Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` variable."
+}
+
 variable "existing_event_notification_instance_crn" {
   type        = string
   description = "The CRN of the Event Notifications service used to enable lifecycle notifications for your Secrets Manager instance."
diff --git a/tests/pr_test.go b/tests/pr_test.go
@@ -195,6 +195,7 @@ func TestRunExistingResourcesInstances(t *testing.T) {
 				"region":                                   region,
 				"resource_group_name":                      terraform.Output(t, existingTerraformOptions, "resource_group_name"),
 				"use_existing_resource_group":              true,
+				"enable_event_notification":                true,
 				"existing_event_notification_instance_crn": terraform.Output(t, existingTerraformOptions, "event_notification_instance_crn"),
 				"existing_secrets_manager_crn":             terraform.Output(t, existingTerraformOptions, "secrets_manager_instance_crn"),
 				"iam_engine_enabled":                       true,
@@ -221,6 +222,7 @@ func TestRunExistingResourcesInstances(t *testing.T) {
 				"region":                                   region,
 				"resource_group_name":                      terraform.Output(t, existingTerraformOptions, "resource_group_name"),
 				"use_existing_resource_group":              true,
+				"enable_event_notification":                true,
 				"existing_event_notification_instance_crn": terraform.Output(t, existingTerraformOptions, "event_notification_instance_crn"),
 				"existing_secrets_manager_kms_key_crn":     terraform.Output(t, existingTerraformOptions, "secrets_manager_kms_key_crn"),
 				"existing_kms_instance_crn":                terraform.Output(t, existingTerraformOptions, "secrets_manager_kms_instance_crn"),
