feat: do not create Event Notification related resources in the Deployable Architecture solution when an existing Secrets Manager instance is passed (#201)

akocbek · web-flow · commit 9203610bdedc · 2024-09-12T14:00:37.000+01:00
diff --git a/README.md b/README.md
@@ -95,7 +95,7 @@ You need the following permissions to run this module.
 |------|-------------|------|---------|:--------:|
 | <a name="input_allowed_network"></a> [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. | `string` | `"public-and-private"` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br>    description = string<br>    account_id  = string<br>    rule_contexts = list(object({<br>      attributes = optional(list(object({<br>        name  = string<br>        value = string<br>    }))) }))<br>    enforcement_mode = string<br>  }))</pre> | `[]` | no |
-| <a name="input_enable_event_notification"></a> [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` variable. | `bool` | `false` | no |
+| <a name="input_enable_event_notification"></a> [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null. | `bool` | `false` | no |
 | <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"public"` | no |
 | <a name="input_existing_en_instance_crn"></a> [existing\_en\_instance\_crn](#input\_existing\_en\_instance\_crn) | The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance. | `string` | `null` | no |
 | <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in `kms_key_crn` is coming from. Required only if `kms_encryption_enabled` is set to true, and `skip_kms_iam_authorization_policy` is set to false. | `string` | `null` | no |
diff --git a/main.tf b/main.tf
@@ -14,7 +14,7 @@ locals {
   # tflint-ignore: terraform_unused_declarations
   validate_event_notification = var.enable_event_notification && var.existing_en_instance_crn == null ? tobool("When setting var.enable_event_notification to true, a value must be passed for var.existing_en_instance_crn") : true
   # tflint-ignore: terraform_unused_declarations
-  validate_endpoint = var.enable_event_notification && var.endpoint_type == "public" && var.allowed_network == "private-only" && var.existing_sm_instance_crn == null ? tobool("It is not allowed to have conflicting var.endpoint_type and var.allowed_network values.") : true
+  validate_endpoint = var.endpoint_type == "public" && var.allowed_network == "private-only" && var.existing_sm_instance_crn == null ? tobool("It is not allowed to have conflicting var.endpoint_type and var.allowed_network values.") : true
   # tflint-ignore: terraform_unused_declarations
   validate_region = var.existing_sm_instance_crn == null && var.region == null ? tobool("When existing_sm_instance_crn is null, a value must be passed for var.region") : true
 }
@@ -126,7 +126,8 @@ module "cbr_rule" {
 
 # Create IAM Authorization Policies to allow SM to access event notification
 resource "ibm_iam_authorization_policy" "en_policy" {
-  count                       = var.enable_event_notification == false || var.skip_en_iam_authorization_policy ? 0 : 1
+  # if existing SM instance CRN is passed (!= null), then never create a policy
+  count                       = var.existing_sm_instance_crn != null || (var.enable_event_notification == false || var.skip_en_iam_authorization_policy) ? 0 : 1
   source_service_name         = "secrets-manager"
   source_resource_group_id    = var.resource_group_id
   target_service_name         = "event-notifications"
@@ -136,7 +137,8 @@ resource "ibm_iam_authorization_policy" "en_policy" {
 }
 
 resource "ibm_sm_en_registration" "sm_en_registration" {
-  count                                  = var.enable_event_notification ? 1 : 0
+  # if existing SM instance CRN is passed (!= null), then never register EN
+  count                                  = var.existing_sm_instance_crn == null && var.enable_event_notification ? 1 : 0
   depends_on                             = [time_sleep.wait_for_authorization_policy]
   instance_id                            = local.secrets_manager_guid
   region                                 = local.secrets_manager_region
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
@@ -190,20 +190,23 @@ locals {
 }
 
 data "ibm_en_destinations" "en_destinations" {
-  count         = var.enable_event_notification ? 1 : 0
+  # if existing SM instance CRN is passed (!= null), then never do data lookup for EN destinations
+  count         = var.existing_secrets_manager_crn == null && var.enable_event_notification ? 1 : 0
   instance_guid = local.existing_en_guid
 }
 
 # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5533
 resource "time_sleep" "wait_for_secrets_manager" {
-  count      = var.enable_event_notification ? 1 : 0
+  # if existing SM instance CRN is passed (!= null), then never work with EN
+  count      = var.existing_secrets_manager_crn == null && var.enable_event_notification ? 1 : 0
   depends_on = [module.secrets_manager]
 
   create_duration = "30s"
 }
 
 resource "ibm_en_topic" "en_topic" {
-  count         = var.enable_event_notification ? 1 : 0
+  # if existing SM instance CRN is passed (!= null), then never create EN topic
+  count         = var.existing_secrets_manager_crn == null && var.enable_event_notification ? 1 : 0
   depends_on    = [time_sleep.wait_for_secrets_manager]
   instance_guid = local.existing_en_guid
   name          = "Secrets Manager Topic"
@@ -218,7 +221,8 @@ resource "ibm_en_topic" "en_topic" {
 }
 
 resource "ibm_en_subscription_email" "email_subscription" {
-  count          = var.enable_event_notification && length(var.sm_en_email_list) > 0 ? 1 : 0
+  # if existing SM instance CRN is passed (!= null), then never create EN email subscription
+  count          = var.existing_secrets_manager_crn == null && var.enable_event_notification && length(var.sm_en_email_list) > 0 ? 1 : 0
   instance_guid  = local.existing_en_guid
   name           = "Email for Secrets Manager Subscription"
   description    = "Subscription for Secret Manager Events"
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
@@ -249,7 +249,7 @@ variable "ibmcloud_kms_api_key" {
 variable "enable_event_notification" {
   type        = bool
   default     = false
-  description = "Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` variable."
+  description = "Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null."
 }
 
 variable "existing_event_notification_instance_crn" {
diff --git a/variables.tf b/variables.tf
@@ -106,7 +106,7 @@ variable "skip_en_iam_authorization_policy" {
 variable "enable_event_notification" {
   type        = bool
   default     = false
-  description = "Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` variable."
+  description = "Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null."
 }
 
 variable "existing_en_instance_crn" {

Original file line number	Diff line number	Diff line change
`@@ -249,7 +249,7 @@ variable "ibmcloud_kms_api_key" {`
`249`	`249`	`variable "enable_event_notification" {`
`250`	`250`	`type = bool`
`251`	`251`	`default = false`
`252`		- description = "Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` variable."
	`252`	+ description = "Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null."
`253`	`253`	`}`
`254`	`254`
`255`	`255`	`variable "existing_event_notification_instance_crn" {`
Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ variable "skip_en_iam_authorization_policy" {`
`106`	`106`	`variable "enable_event_notification" {`
`107`	`107`	`type = bool`
`108`	`108`	`default = false`
`109`		- description = "Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` variable."
	`109`	+ description = "Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null."
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`variable "existing_en_instance_crn" {`