terraform-ibm-modules · alex-reiff · Feb 10, 2025 · Feb 10, 2025 · Feb 10, 2025 · Feb 10, 2025
@@ -256,6 +256,15 @@
             },
             {
               "key":"cbr_rules"
+            },
+            {
+              "key":"default_secret_group_name"
+            },
+            {
+              "key":"default_access_group_name"
+            },
+            {
+              "key":"access_group_ids"
             }
           ],
           "architecture": {

@@ -119,6 +119,38 @@ module "secrets_manager" {
   cbr_rules                        = var.cbr_rules
 }
 
+module "secrets_group" {
+  count                    = var.existing_secrets_manager_crn == null ? 1 : 0
+  source                   = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
+  version                  = "1.2.2"
+  region                   = local.secrets_manager_region
+  secrets_manager_guid     = local.secrets_manager_guid
+  secret_group_name        = var.default_secret_group_name
+  secret_group_description = "Default secrets group"
+  endpoint_type            = "private"
+}
+
+module "iam_service_access_group" {
+  count             = var.existing_secrets_manager_crn == null ? 1 : 0
+  source            = "terraform-ibm-modules/iam-access-group/ibm"
+  version           = "1.4.4"
+  access_group_name = var.default_access_group_name
+  dynamic_rules     = {}
+  policies = {
+    sm_policy = {
+      roles = ["SecretsReader"],
+      tags  = [],
+      resources = [{
+        service       = "secrets-manager"
+        instance_id   = local.secrets_manager_guid,
+        resource_type = "secret-group",
+        resource      = module.secrets_group[0].secret_group_id
+      }]
+    }
+  }
+  ibm_ids = var.access_group_ids
+}
+
 # Configure an IBM Secrets Manager IAM credentials engine for an existing IBM Secrets Manager instance.
 module "iam_secrets_engine" {
   count                = var.iam_engine_enabled ? 1 : 0

@@ -11,7 +11,7 @@ variable "ibmcloud_api_key" {
 variable "provider_visibility" {
   description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)."
   type        = string
-  default     = "private"
+  default     = "public"
 
   validation {
     condition     = contains(["public", "private", "public-and-private"], var.provider_visibility)
@@ -80,6 +80,24 @@ variable "public_engine_enabled" {
   default     = false
 }
 
+variable "default_secret_group_name" {
+  type        = string
+  description = "Name to give the secrets group automatically created when provisioning a new Secrets Manager instance."
+  default     = "default-group"
+}
+
+variable "default_access_group_name" {
+  type        = string
+  description = "Name to give the access group automatically created when provisioning a new Secrets Manager instance."
+  default     = "secrets_manager_group"
+}
+
+variable "access_group_ids" {
+  type        = list(string)
+  description = "List of IBM IDs to add to the default access group for the new Secrets Manager instance."
+  default     = []
+}
+
 ########################################################################################################################
 # Public cert engine config
 ########################################################################################################################

@@ -123,6 +123,7 @@ func TestRunDASolutionSchematics(t *testing.T) {
 		{Name: "ca_name", Value: permanentResources["certificateAuthorityName"], DataType: "string"},
 		{Name: "dns_provider_name", Value: permanentResources["dnsProviderName"], DataType: "string"},
 		{Name: "acme_letsencrypt_private_key", Value: *acme_letsencrypt_private_key, DataType: "string"},
+		{Name: "access_group_ids", Value: []string{"[email protected]"}, DataType: "list(string)"},
 	}
 
 	err := options.RunSchematicTest()