feat: add guardrails to DA

examples/basic/variables.tf

@@ -7,7 +7,7 @@ variable "ibmcloud_api_key" {
 variable "prefix" {
   type        = string
   description = "Prefix for sm instance"
-  default     = "sm-bas"
+  default     = "sm-bas-alex"
 }
 
 variable "region" {

ibm_catalog.json

@@ -256,6 +256,15 @@
             },
             {
               "key":"cbr_rules"
+            },
+            {
+              "key":"default_secret_group_name"
+            },
+            {
+              "key":"default_access_group_name"
+            },
+            {
+              "key":"access_group_user_ids"
             }
           ],
           "architecture": {

solutions/standard/main.tf

@@ -119,6 +119,38 @@ module "secrets_manager" {
   cbr_rules                        = var.cbr_rules
 }
 
+module "secrets_group" {
+  count                    = var.existing_secrets_manager_crn == null ? 1 : 0
+  source                   = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
+  version                  = "1.2.2"
+  region                   = local.secrets_manager_region
+  secrets_manager_guid     = local.secrets_manager_guid
+  secret_group_name        = var.default_secret_group_name
+  secret_group_description = "Default secrets group"
+  endpoint_type            = "private"
+}
+
+module "iam_service_access_group" {
+  count             = var.existing_secrets_manager_crn == null ? 1 : 0
+  source            = "terraform-ibm-modules/iam-access-group/ibm"
+  version           = "1.4.4"
+  access_group_name = "${var.prefix}-${var.default_access_group_name}"
+  dynamic_rules     = {}
+  policies = {
+    sm_policy = {
+      roles = ["SecretsReader"],
+      tags  = [],
+      resources = [{
+        service       = "secrets-manager"
+        instance_id   = local.secrets_manager_guid,
+        resource_type = "secret-group",
+        resource      = module.secrets_group[0].secret_group_id
+      }]
+    }
+  }
+  ibm_ids = var.access_group_user_ids
+}
+
 # Configure an IBM Secrets Manager IAM credentials engine for an existing IBM Secrets Manager instance.
 module "iam_secrets_engine" {
   count                = var.iam_engine_enabled ? 1 : 0

solutions/standard/variables.tf

@@ -80,6 +80,24 @@ variable "public_engine_enabled" {
   default     = false
 }
 
+variable "default_secret_group_name" {
+  type        = string
+  description = "Name to give the secrets group automatically created when provisioning a new Secrets Manager instance."
+  default     = "default-group"
+}
+
+variable "default_access_group_name" {
+  type        = string
+  description = "Name to give the access group automatically created when provisioning a new Secrets Manager instance."
+  default     = "secrets_manager_secret_reader_access_group"
+}
+
+variable "access_group_user_ids" {
+  type        = list(string)
+  description = "List of IBM IDs to add to the default access group for the new Secrets Manager instance."
+  default     = []
+}
+
 ########################################################################################################################
 # Public cert engine config
 ########################################################################################################################

tests/pr_test.go

@@ -123,6 +123,7 @@ func TestRunDASolutionSchematics(t *testing.T) {
 		{Name: "ca_name", Value: permanentResources["certificateAuthorityName"], DataType: "string"},
 		{Name: "dns_provider_name", Value: permanentResources["dnsProviderName"], DataType: "string"},
 		{Name: "acme_letsencrypt_private_key", Value: *acme_letsencrypt_private_key, DataType: "string"},
+		{Name: "access_group_user_ids", Value: []string{"[email protected]"}, DataType: "list(string)"},
 	}
 
 	err := options.RunSchematicTest()