fix: cleanup DA inputs (#332)

Author: ocofaigh

cra-config.yaml

@@ -10,3 +10,4 @@ CRA_TARGETS:
       TF_VAR_existing_resource_group_name: "geretain-test-secrets-manager"
       TF_VAR_provider_visibility: "public"
       TF_VAR_prefix: "test"
+      TF_VAR_service_plan: "trial"

ibm_catalog.json

@@ -121,19 +121,16 @@
               "required": true
             },
             {
-              "key": "provider_visibility",
+              "key": "service_plan",
+              "required": true,
               "options": [
                 {
-                  "displayname": "private",
-                  "value": "private"
-                },
-                {
-                  "displayname": "public",
-                  "value": "public"
+                  "displayname": "Standard",
+                  "value": "standard"
                 },
                 {
-                  "displayname": "public-and-private",
-                  "value": "public-and-private"
+                  "displayname": "Trial",
+                  "value": "trial"
                 }
               ]
             },
@@ -150,13 +147,29 @@
               }
             },
             {
-              "key": "secrets_manager_instance_name"
+              "key": "provider_visibility",
+              "hidden": true,
+              "options": [
+                {
+                  "displayname": "private",
+                  "value": "private"
+                },
+                {
+                  "displayname": "public",
+                  "value": "public"
+                },
+                {
+                  "displayname": "public-and-private",
+                  "value": "public-and-private"
+                }
+              ]
             },
             {
-              "key": "existing_secrets_manager_crn"
+              "key": "secrets_manager_instance_name"
             },
             {
               "key": "secrets_manager_endpoint_type",
+              "hidden": true,
               "options": [
                 {
                   "displayname": "public",
@@ -178,19 +191,6 @@
                 }
               }
             },
-            {
-              "key": "service_plan",
-              "options": [
-                {
-                  "displayname": "Standard",
-                  "value": "standard"
-                },
-                {
-                  "displayname": "Trial",
-                  "value": "trial"
-                }
-              ]
-            },
             {
               "key": "skip_sm_ce_iam_authorization_policy"
             },
@@ -211,8 +211,7 @@
               "key": "kms_encryption_enabled"
             },
             {
-              "key": "existing_kms_instance_crn",
-              "required": true
+              "key": "existing_kms_instance_crn"
             },
             {
               "key": "existing_secrets_manager_kms_key_crn"
@@ -262,6 +261,9 @@
             },
             {
               "key": "secret_groups"
+            },
+            {
+              "key": "existing_secrets_manager_crn"
             }
           ],
           "architecture": {
@@ -285,11 +287,11 @@
               },
               {
                 "title": "Enforced private-only endpoint communication",
-                "description": "Yes"
+                "description": "No"
               },
               {
                 "title": "Enforced KMS encryption",
-                "description": "Yes"
+                "description": "No"
               },
               {
                 "title": "KMS instance creation",
@@ -392,16 +394,27 @@
               "key": "prefix",
               "required": true
             },
+            {
+              "key": "service_plan",
+              "required": true,
+              "options": [
+                {
+                  "displayname": "Standard",
+                  "value": "standard"
+                },
+                {
+                  "displayname": "Trial",
+                  "value": "trial"
+                }
+              ]
+            },
             {
               "key": "existing_kms_instance_crn",
               "required": true
             },
             {
               "key": "secrets_manager_instance_name"
             },
-            {
-              "key": "existing_secrets_manager_crn"
-            },
             {
               "key": "secrets_manager_resource_tags",
               "custom_config": {
@@ -412,19 +425,6 @@
                 }
               }
             },
-            {
-              "key": "service_plan",
-              "options": [
-                {
-                  "displayname": "Standard",
-                  "value": "standard"
-                },
-                {
-                  "displayname": "Trial",
-                  "value": "trial"
-                }
-              ]
-            },
             {
               "key": "skip_sm_ce_iam_authorization_policy"
             },
@@ -475,6 +475,9 @@
             },
             {
               "key": "secret_groups"
+            },
+            {
+              "key": "existing_secrets_manager_crn"
             }
           ],
           "architecture": {

solutions/fully-configurable/README.md

@@ -72,7 +72,7 @@ This solution supports the following:
 | <a name="input_secrets_manager_endpoint_type"></a> [secrets\_manager\_endpoint\_type](#input\_secrets\_manager\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"private"` | no |
 | <a name="input_secrets_manager_instance_name"></a> [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `<prefix>-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no |
 | <a name="input_secrets_manager_resource_tags"></a> [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(any)` | `[]` | no |
-| <a name="input_service_plan"></a> [service\_plan](#input\_service\_plan) | The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. | `string` | `"standard"` | no |
+| <a name="input_service_plan"></a> [service\_plan](#input\_service\_plan) | The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard). | `string` | n/a | yes |
 | <a name="input_skip_event_notifications_iam_authorization_policy"></a> [skip\_event\_notifications\_iam\_authorization\_policy](#input\_skip\_event\_notifications\_iam\_authorization\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no |
 | <a name="input_skip_sm_ce_iam_authorization_policy"></a> [skip\_sm\_ce\_iam\_authorization\_policy](#input\_skip\_sm\_ce\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
 | <a name="input_skip_sm_kms_iam_authorization_policy"></a> [skip\_sm\_kms\_iam\_authorization\_policy](#input\_skip\_sm\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no |

solutions/fully-configurable/variables.tf

@@ -65,11 +65,14 @@ variable "existing_secrets_manager_crn" {
 
 variable "service_plan" {
   type        = string
-  description = "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`."
-  default     = "standard"
+  description = "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)."
   validation {
     condition     = contains(["standard", "trial"], var.service_plan)
-    error_message = "Only \"standard\" and \"trial\" are allowed values for secrets_manager_service_plan.Applies only if not providing a value for the `existing_secrets_manager_crn` input."
+    error_message = "Only 'standard' and 'trial' are allowed values for 'service_plan'. Applies only if not providing a value for the 'existing_secrets_manager_crn' input."
+  }
+  validation {
+    condition     = var.existing_secrets_manager_crn == null ? var.service_plan != null : true
+    error_message = "A value for 'service_plan' is required if not providing a value for 'existing_secrets_manager_crn'"
   }
 }
 

solutions/security-enforced/README.md

@@ -46,7 +46,7 @@ No resources.
 | <a name="input_secrets_manager_cbr_rules"></a> [secrets\_manager\_cbr\_rules](#input\_secrets\_manager\_cbr\_rules) | (Optional, list) List of CBR rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/solutions/fully-configurable/DA-cbr_rules.md) | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_secrets_manager_instance_name"></a> [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `<prefix>-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no |
 | <a name="input_secrets_manager_resource_tags"></a> [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(any)` | `[]` | no |
-| <a name="input_service_plan"></a> [service\_plan](#input\_service\_plan) | The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. | `string` | `"standard"` | no |
+| <a name="input_service_plan"></a> [service\_plan](#input\_service\_plan) | The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard). | `string` | n/a | yes |
 | <a name="input_skip_event_notifications_iam_authorization_policy"></a> [skip\_event\_notifications\_iam\_authorization\_policy](#input\_skip\_event\_notifications\_iam\_authorization\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no |
 | <a name="input_skip_sm_ce_iam_authorization_policy"></a> [skip\_sm\_ce\_iam\_authorization\_policy](#input\_skip\_sm\_ce\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
 | <a name="input_skip_sm_kms_iam_authorization_policy"></a> [skip\_sm\_kms\_iam\_authorization\_policy](#input\_skip\_sm\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no |

solutions/security-enforced/variables.tf

@@ -54,11 +54,14 @@ variable "existing_secrets_manager_crn" {
 
 variable "service_plan" {
   type        = string
-  description = "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`."
-  default     = "standard"
+  description = "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)."
   validation {
     condition     = contains(["standard", "trial"], var.service_plan)
-    error_message = "Only \"standard\" and \"trial\" are allowed values for secrets_manager_service_plan.Applies only if not providing a value for the `existing_secrets_manager_crn` input."
+    error_message = "Only 'standard' and 'trial' are allowed values for 'service_plan'. Applies only if not providing a value for the 'existing_secrets_manager_crn' input."
+  }
+  validation {
+    condition     = var.existing_secrets_manager_crn == null ? var.service_plan != null : true
+    error_message = "A value for 'service_plan' is required if not providing a value for 'existing_secrets_manager_crn'"
   }
 }