Closed
5 changes: 3 additions & 2 deletions README.md
Expand Up @@ -99,10 +99,11 @@ You need the following permissions to run this module.
| <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"public"` | no |
| <a name="input_existing_en_instance_crn"></a> [existing\_en\_instance\_crn](#input\_existing\_en\_instance\_crn) | The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance. | `string` | `null` | no |
| <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in `kms_key_crn` is coming from. Required only if `kms_encryption_enabled` is set to true, and `skip_kms_iam_authorization_policy` is set to false. | `string` | `null` | no |
| <a name="input_existing_sm_instance_crn"></a> [existing\_sm\_instance\_crn](#input\_existing\_sm\_instance\_crn) | An existing Secrets Manager instance CRN. If not provided an new instance will be provisioned. | `string` | `null` | no |
| <a name="input_existing_sm_instance_crn"></a> [existing\_sm\_instance\_crn](#input\_existing\_sm\_instance\_crn) | An existing Secrets Manager instance CRN. If not providing a CRN or GUID, a new instance will be provisioned. | `string` | `null` | no |
| <a name="input_existing_sm_instance_guid"></a> [existing\_sm\_instance\_guid](#input\_existing\_sm\_instance\_guid) | An existing Secrets Manager instance GUID. Make sure to also set the region. If not providing a CRN or GUID, a new instance will be provisioned. | `string` | `null` | no |
| <a name="input_kms_encryption_enabled"></a> [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in Secrets Manager. If set to false, the data that you store is encrypted at rest by using envelope encryption. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data&interface=ui#about-encryption. | `bool` | `false` | no |
| <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for encryption. Only used if `kms_encryption_enabled` is set to true. | `string` | `null` | no |
| <a name="input_region"></a> [region](#input\_region) | The region where the resource will be provisioned.Its not required if passing a value for `existing_sm_instance_crn`. | `string` | `null` | no |
| <a name="input_region"></a> [region](#input\_region) | The region where the resource will be provisioned or the region matching the existing GUID provided. It is not required if passing a value for `existing_sm_instance_crn`. | `string` | `null` | no |
| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group | `string` | n/a | yes |
| <a name="input_secrets"></a> [secrets](#input\_secrets) | Secret Manager secrets configurations. | <pre>list(object({<br/> secret_group_name = string<br/> secret_group_description = optional(string)<br/> existing_secret_group = optional(bool, false)<br/> secrets = optional(list(object({<br/> secret_name = string<br/> secret_description = optional(string)<br/> secret_type = optional(string)<br/> imported_cert_certificate = optional(string)<br/> imported_cert_private_key = optional(string)<br/> imported_cert_intermediate = optional(string)<br/> secret_username = optional(string)<br/> secret_labels = optional(list(string), [])<br/> secret_payload_password = optional(string, "")<br/> secret_auto_rotation = optional(bool, true)<br/> secret_auto_rotation_unit = optional(string, "day")<br/> secret_auto_rotation_interval = optional(number, 89)<br/> service_credentials_ttl = optional(string, "7776000") # 90 days<br/> service_credentials_source_service_crn = optional(string)<br/> service_credentials_source_service_role = optional(string)<br/> })))<br/> }))</pre> | `[]` | no |
| <a name="input_secrets_manager_name"></a> [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name of the Secrets Manager instance to create | `string` | n/a | yes |
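Review bot: the new `existing_sm_instance_guid` row tells the caller to set the region, but neither it nor the `existing_sm_instance_crn` row states that the two inputs are mutually exclusive, which `main.tf` enforces with a validation error; add a sentence such as "Mutually exclusive with `existing_sm_instance_crn`" to each description so the README table matches the module's behaviour.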
23 changes: 13 additions & 10 deletions main.tf
Expand Up @@ -17,23 +17,26 @@ locals {
validate_endpoint = var.endpoint_type == "public" && var.allowed_network == "private-only" && var.existing_sm_instance_crn == null ? tobool("It is not allowed to have conflicting var.endpoint_type and var.allowed_network values.") : true
# tflint-ignore: terraform_unused_declarations
validate_region = var.existing_sm_instance_crn == null && var.region == null ? tobool("When existing_sm_instance_crn is null, a value must be passed for var.region") : true
# tflint-ignore: terraform_unused_declarations
validate_existing_instance = var.existing_sm_instance_crn != null && var.existing_sm_instance_guid != null ? tobool("Do not provide both an existing instance GUID and CRN. Either provider a GUID and region or a CRN.") : true
}

locals {
is_existing_sm_instance = (var.existing_sm_instance_crn != null || var.existing_sm_instance_crn != null) ? true : false
parsed_existing_sm_instance_crn = var.existing_sm_instance_crn != null ? split(":", var.existing_sm_instance_crn) : []
existing_sm_guid = length(local.parsed_existing_sm_instance_crn) > 0 ? local.parsed_existing_sm_instance_crn[7] : null
existing_sm_region = length(local.parsed_existing_sm_instance_crn) > 0 ? local.parsed_existing_sm_instance_crn[5] : null
existing_sm_guid = var.existing_sm_instance_guid != null ? var.existing_sm_instance_guid : length(local.parsed_existing_sm_instance_crn) > 0 ? local.parsed_existing_sm_instance_crn[7] : null
existing_sm_region = var.existing_sm_instance_guid != null ? var.region : length(local.parsed_existing_sm_instance_crn) > 0 ? local.parsed_existing_sm_instance_crn[5] : null
}


data "ibm_resource_instance" "sm_instance" {
count = var.existing_sm_instance_crn == null ? 0 : 1
identifier = var.existing_sm_instance_crn
count = local.is_existing_sm_instance ? 1 : 0
identifier = local.existing_sm_guid
}

# Create Secrets Manager Instance
resource "ibm_resource_instance" "secrets_manager_instance" {
count = var.existing_sm_instance_crn == null ? 1 : 0
count = local.is_existing_sm_instance ? 0 : 1
depends_on = [time_sleep.wait_for_authorization_policy]
name = var.secrets_manager_name
service = "secrets-manager"
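Review bot: `is_existing_sm_instance` tests `var.existing_sm_instance_crn` twice, so a caller who passes only `existing_sm_instance_guid` gets `false`: the `sm_instance` data source is skipped, a new instance is created, and the supplied GUID is silently ignored. The second operand should be `var.existing_sm_instance_guid != null`, and the trailing `? true : false` is redundant on a boolean expression. Two smaller points in the same hunk: "Either provider a GUID and region" in the `validate_existing_instance` message should read "provide", and the `validate_region` message still mentions only `existing_sm_instance_crn` although the check now also fires for the GUID-plus-missing-region case.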
Expand Down Expand Up @@ -62,7 +65,7 @@ locals {
}

resource "ibm_iam_authorization_policy" "kms_policy" {
count = var.kms_encryption_enabled && !var.skip_kms_iam_authorization_policy && var.existing_sm_instance_crn == null ? 1 : 0
count = var.kms_encryption_enabled && !var.skip_kms_iam_authorization_policy && !local.is_existing_sm_instance ? 1 : 0
source_service_name = "secrets-manager"
source_resource_group_id = var.resource_group_id
target_service_name = local.kms_service_name
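Review bot: with this `count` the KMS authorization policy is never created when an existing instance is reused, whether by CRN or now by GUID, so the caller owns that policy; the `kms_encryption_enabled` and `skip_kms_iam_authorization_policy` descriptions should say so. The condition also inherits whatever `local.is_existing_sm_instance` evaluates to in the GUID-only case, so that local needs to be correct for this policy to be skipped as intended.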
Expand All @@ -81,8 +84,8 @@ resource "time_sleep" "wait_for_authorization_policy" {


locals {
secrets_manager_guid = var.existing_sm_instance_crn != null ? local.existing_sm_guid : tolist(ibm_resource_instance.secrets_manager_instance[*].guid)[0]
secrets_manager_region = var.existing_sm_instance_crn != null ? local.existing_sm_region : var.region
secrets_manager_guid = local.is_existing_sm_instance ? local.existing_sm_guid : tolist(ibm_resource_instance.secrets_manager_instance[*].guid)[0]
secrets_manager_region = local.is_existing_sm_instance ? local.existing_sm_region : var.region
}

##############################################################################
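Review bot: when a CRN is supplied, `secrets_manager_region` comes from the CRN (field 5 of the split) and any `var.region` the caller also passed is silently ignored rather than checked for agreement; in the GUID path `existing_sm_region` is simply `var.region`, so both branches of `secrets_manager_region` resolve to `var.region` there. Consider either validating that a supplied `var.region` matches the CRN-derived region or documenting that it is ignored when a CRN is given.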
Expand Down Expand Up @@ -128,7 +131,7 @@ module "cbr_rule" {
# Create IAM Authorization Policies to allow SM to access event notification
resource "ibm_iam_authorization_policy" "en_policy" {
# if existing SM instance CRN is passed (!= null), then never create a policy
count = var.existing_sm_instance_crn != null || (var.enable_event_notification == false || var.skip_en_iam_authorization_policy) ? 0 : 1
count = local.is_existing_sm_instance || (var.enable_event_notification == false || var.skip_en_iam_authorization_policy) ? 0 : 1
source_service_name = "secrets-manager"
source_resource_group_id = var.resource_group_id
target_service_name = "event-notifications"
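Review bot: the comment above `count` still says "if existing SM instance CRN is passed (!= null)" while the condition now keys on `local.is_existing_sm_instance`, which is also true for an existing GUID; update it to "if an existing SM instance (CRN or GUID) is passed" so the comment does not mislead the next reader.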
Expand All @@ -139,7 +142,7 @@ resource "ibm_iam_authorization_policy" "en_policy" {

resource "ibm_sm_en_registration" "sm_en_registration" {
# if existing SM instance CRN is passed (!= null), then never register EN
count = var.existing_sm_instance_crn == null && var.enable_event_notification ? 1 : 0
count = !local.is_existing_sm_instance && var.enable_event_notification ? 1 : 0
depends_on = [time_sleep.wait_for_authorization_policy]
instance_id = local.secrets_manager_guid
region = local.secrets_manager_region
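Review bot: same stale comment as on `en_policy`: "if existing SM instance CRN is passed (!= null), then never register EN" should mention the GUID now that `count` uses `local.is_existing_sm_instance`. Keeping the two comments identical in wording also makes it obvious that the two resources are gated on the same condition.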
10 changes: 8 additions & 2 deletions variables.tf
Expand Up @@ -8,7 +8,7 @@ variable "resource_group_id" {

variable "region" {
type = string
description = "The region where the resource will be provisioned.Its not required if passing a value for `existing_sm_instance_crn`."
description = "The region where the resource will be provisioned or the region matching the existing GUID provided. It is not required if passing a value for `existing_sm_instance_crn`."
default = null
}

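Review bot: the description promises that `region` is optional with a CRN and expected with a GUID, but the variable carries no `validation` block; the only enforcement is the `tobool(...)` check in `locals`, whose error text mentions only `existing_sm_instance_crn`. Either add a validation whose message covers the GUID case, or update that locals message so a GUID-only caller who forgets `region` sees why the plan failed.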
Expand Down Expand Up @@ -69,7 +69,13 @@ variable "kms_key_crn" {

variable "existing_sm_instance_crn" {
type = string
description = "An existing Secrets Manager instance CRN. If not provided an new instance will be provisioned."
description = "An existing Secrets Manager instance CRN. If not providing a CRN or GUID, a new instance will be provisioned."
default = null
}

variable "existing_sm_instance_guid" {
type = string
description = "An existing Secrets Manager instance GUID. Make sure to also set the region. If not providing a CRN or GUID, a new instance will be provisioned."
default = null
}

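Review bot: `existing_sm_instance_crn` and `existing_sm_instance_guid` are mutually exclusive (main.tf rejects both being set), but neither description says so; add "Mutually exclusive with `existing_sm_instance_crn`" here and the mirror sentence on the CRN variable. A GUID is also a fixed-format value, so a `validation` block with a pattern check would give a clearer error than the downstream data-source lookup when a CRN or an instance name is pasted into this field by mistake.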