From d89960aec8e3a09a5ce86e1560ae44cdee29fcf0 Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Thu, 27 Feb 2025 12:05:58 +0530 Subject: [PATCH 01/16] feat: Scope KMS policy to the exact KMS key --- main.tf | 85 ++++++++++++++++++++++++----- outputs.tf | 4 +- solutions/standard/main.tf | 96 ++++++++++++++++++++++++++++----- solutions/standard/outputs.tf | 10 ++++ solutions/standard/variables.tf | 16 ++++-- 5 files changed, 178 insertions(+), 33 deletions(-)
diff --git a/main.tf b/main.tf
index 38767923..7c4b5e97 100644
--- a/main.tf
+++ b/main.tf
@@ -34,7 +34,7 @@ data "ibm_resource_instance" "sm_instance" {
 # Create Secrets Manager Instance
 resource "ibm_resource_instance" "secrets_manager_instance" {
 count = var.existing_sm_instance_crn == null ? 1 : 0
- depends_on = [time_sleep.wait_for_authorization_policy]
+ depends_on = [time_sleep.wait_for_authorization_policy_1, time_sleep.wait_for_authorization_policy_2]
 name = var.secrets_manager_name
 service = "secrets-manager"
 plan = var.sm_service_plan
@@ -54,30 +54,87 @@ resource "ibm_resource_instance" "secrets_manager_instance" { locals { # determine which service name to use for the policy - kms_service_name = var.kms_encryption_enabled && var.kms_key_crn != null ? ( - can(regex(".*kms.*", var.kms_key_crn)) ? "kms" : ( - can(regex(".*hs-crypto.*", var.kms_key_crn)) ? "hs-crypto" : null - ) + create_auth_policy = var.kms_encryption_enabled && !var.skip_kms_iam_authorization_policy && var.existing_sm_instance_crn == null + kms_service_name = var.kms_key_crn != null ? ( + can(regex(".*kms.*", var.kms_key_crn)) ? "kms" : can(regex(".*hs-crypto.*", var.kms_key_crn)) ? "hs-crypto" : null ) : null + kms_account_id = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_crn_parser[0].account_id : null + kms_key_id = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_crn_parser[0].resource : null + instance = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_crn_parser[0].service_instance : null + create_auth = local.create_auth_policy && local.kms_service_name == "hs-crypto" ? 1 : 0 + #instance = (var.kms_encryption_enabled && var.kms_key_crn != null && length(module.kms_crn_parser) > 0) ? module.kms_crn_parser[0].service_instance : null } -resource "ibm_iam_authorization_policy" "kms_policy" { - count = var.kms_encryption_enabled && !var.skip_kms_iam_authorization_policy && var.existing_sm_instance_crn == null ? 1 : 0 +module "kms_crn_parser" { + count = var.kms_key_crn != null ? 1 : 0 + source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser" + version = "1.1.0" + crn = var.kms_key_crn +} + +resource "ibm_iam_authorization_policy" "kms_policy_1" { + count = local.create_auth_policy ? 
1 : 0 + source_service_name = "secrets-manager" + source_resource_group_id = var.resource_group_id + roles = ["Reader"] + #description = "Allow all Secrets Manager instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service_name} instance GUID ${var.existing_kms_instance_guid}" + resource_attributes { + name = "serviceName" + operator = "stringEquals" + value = local.kms_service_name + } + resource_attributes { + name = "accountId" + operator = "stringEquals" + value = local.kms_account_id + } + resource_attributes { + name = "serviceInstance" + operator = "stringEquals" + value = local.instance + } + resource_attributes { + name = "resourceType" + operator = "stringEquals" + value = "key" + } + resource_attributes { + name = "resource" + operator = "stringEquals" + value = local.kms_key_id + } + # Scope of policy now includes the key, so ensure to create new policy before + # destroying old one to prevent any disruption to every day services. + lifecycle { + create_before_destroy = true + } + +} +resource "time_sleep" "wait_for_authorization_policy_1" { + count = var.existing_sm_instance_crn == null ? 
1 : 0 + depends_on = [ibm_iam_authorization_policy.kms_policy_1, ibm_iam_authorization_policy.en_policy] + + create_duration = "30s" +} + + +resource "ibm_iam_authorization_policy" "kms_policy_2" { + count = local.create_auth source_service_name = "secrets-manager" source_resource_group_id = var.resource_group_id target_service_name = local.kms_service_name target_resource_instance_id = var.existing_kms_instance_guid - roles = ["Reader"] - description = "Allow all Secrets Manager instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service_name} instance GUID ${var.existing_kms_instance_guid}" + roles = ["Viewer"] + #description = "Allow all Secrets Manager instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service_name} instance GUID ${var.existing_kms_instance_guid}" } -# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478 -resource "time_sleep" "wait_for_authorization_policy" { - count = var.existing_sm_instance_crn == null ? 1 : 0 - depends_on = [ibm_iam_authorization_policy.kms_policy, ibm_iam_authorization_policy.en_policy] +resource "time_sleep" "wait_for_authorization_policy_2" { + count = local.create_auth + depends_on = [ibm_iam_authorization_policy.kms_policy_2] create_duration = "30s" } +# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478 locals { @@ -140,7 +197,7 @@ resource "ibm_iam_authorization_policy" "en_policy" { resource "ibm_sm_en_registration" "sm_en_registration" { # if existing SM instance CRN is passed (!= null), then never register EN count = var.existing_sm_instance_crn == null && var.enable_event_notification ? 1 : 0 - depends_on = [time_sleep.wait_for_authorization_policy] + depends_on = [time_sleep.wait_for_authorization_policy_1] instance_id = local.secrets_manager_guid region = local.secrets_manager_region event_notifications_instance_crn = var.existing_en_instance_crn 
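Review bot: `kms_policy_1` is created whenever `local.create_auth_policy` is true, but that condition does not require `var.kms_key_crn` to be set, so with `kms_encryption_enabled = true` and a null key CRN every `resource_attributes` value (`local.kms_service_name`, `local.kms_account_id`, `local.instance`, `local.kms_key_id`) is null and the policy is submitted with no usable target; `count = local.create_auth_policy && var.kms_key_crn != null ? 1 : 0` (or a variable validation) closes that gap. The hs-crypto path in `kms_policy_2` still grants instance-wide `Viewer` through `target_resource_instance_id`, which is broader than the key-scoped policy the commit title promises; if HPCS genuinely needs it, the now commented-out `description` should state why, and the same applies to `kms_policy_2` in solutions/standard/main.tf below. The `# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478` comment now sits above `locals {` instead of the `time_sleep` resources it explains, and the `#instance = ...` / `#description = ...` lines are dead code that should be removed rather than kept commented out.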
diff --git a/outputs.tf b/outputs.tf
index 941dbdf2..cccb8eaa 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -37,5 +37,7 @@ output "secrets" {
 value = module.secrets.secrets
 description = "List of secret mananger secret config data"
 }
-
+# output "kms_account_id" {
+# value = local.kms_account_id
+# }
 ##############################################################################
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index b3335941..140d42a1 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
@@ -21,7 +21,7 @@ module "resource_group" {
 # KMS Key
 #######################################################################################################################
 locals {
- kms_key_crn = var.existing_secrets_manager_crn == null ? (var.existing_secrets_manager_kms_key_crn != null ? var.existing_secrets_manager_kms_key_crn : module.kms[0].keys[format("%s.%s", local.kms_key_ring_name, local.kms_key_name)].crn) : var.existing_secrets_manager_kms_key_crn
+ kms_key_crn = var.existing_secrets_manager_crn == null ? (var.existing_secrets_manager_kms_key_crn != null ? var.existing_secrets_manager_kms_key_crn : var.existing_kms_instance_crn) : var.existing_secrets_manager_kms_key_crn
 kms_key_ring_name = try("${local.prefix}-${var.kms_key_ring_name}", var.kms_key_ring_name)
 kms_key_name = try("${local.prefix}-${var.kms_key_name}", var.kms_key_name)
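Review bot: The new `kms_key_crn` fallback in the solutions/standard/main.tf hunk assigns `var.existing_kms_instance_crn`, an instance CRN, to a local that the rest of the solution treats as a key CRN, and the key created by `module.kms` is no longer referenced by this local at all, so the create-a-key path hands Secrets Manager an instance CRN (or null) instead of its key. The previous branch `module.kms[0].keys[format("%s.%s", local.kms_key_ring_name, local.kms_key_name)].crn` should be restored; if the instance CRN is needed for policy parsing it belongs in a separate local. The `locals` block continues past the end of the hunk.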
@@ -30,31 +30,99 @@ locals { existing_kms_guid = length(local.parsed_existing_kms_instance_crn) > 0 ? local.parsed_existing_kms_instance_crn[7] : null create_cross_account_auth_policy = !var.skip_kms_iam_authorization_policy && var.ibmcloud_kms_api_key != null - kms_service_name = local.kms_key_crn != null ? ( - can(regex(".*kms.*", local.kms_key_crn)) ? "kms" : can(regex(".*hs-crypto.*", local.kms_key_crn)) ? "hs-crypto" : null - ) : null + kms_service_name = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : module.kms_instance_crn_parser[0].service_name : null + kms_key_id = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].resource : module.kms_instance_crn_parser[0].resource : null + instance = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_instance : module.kms_instance_crn_parser[0].service_instance : null + kms_account_id = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].account_id : module.kms_instance_crn_parser[0].account_id : null + create_auth = local.create_cross_account_auth_policy == true && local.kms_service_name == "hs-crypto" ? 1 : 0 + account_id = length(data.ibm_iam_account_settings.iam_account_settings) > 0 ? data.ibm_iam_account_settings.iam_account_settings[0].account_id : null } data "ibm_iam_account_settings" "iam_account_settings" { - count = local.create_cross_account_auth_policy ? 1 : 0 + count = local.create_cross_account_auth_policy ? 1 : 0 +} +module "kms_instance_crn_parser" { + count = var.existing_kms_instance_crn != null ? 1 : 0 + source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser" + version = "1.1.0" + crn = var.existing_kms_instance_crn +} + +module "kms_key_crn_parser" { + count = var.existing_secrets_manager_kms_key_crn != null ? 
1 : 0 + source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser" + version = "1.1.0" + crn = var.existing_secrets_manager_kms_key_crn +} + +# module "kms_crn_parser" { +# count = local.create_cross_account_auth_policy ? 1 : 0 +# source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser" +# version = "1.1.0" +# crn = var.existing_kms_instance_crn +# } +resource "ibm_iam_authorization_policy" "kms_policy_1" { + count = local.create_cross_account_auth_policy ? 1 : 0 + provider = ibm.kms + source_service_account = local.account_id + source_service_name = "secrets-manager" + source_resource_group_id = module.resource_group[0].resource_group_id + roles = ["Reader"] + #description = "Allow all Secrets Manager instances in the resource group ${module.resource_group[0].resource_group_id} in the account ${data.ibm_iam_account_settings.iam_account_settings[0].account_id} to read from the ${local.kms_service_name} instance GUID ${local.existing_kms_guid}" + resource_attributes { + name = "serviceName" + operator = "stringEquals" + value = local.kms_service_name + } + resource_attributes { + name = "accountId" + operator = "stringEquals" + value = local.kms_account_id + } + resource_attributes { + name = "serviceInstance" + operator = "stringEquals" + value = local.instance + } + resource_attributes { + name = "resourceType" + operator = "stringEquals" + value = "key" + } + resource_attributes { + name = "resource" + operator = "stringEquals" + value = local.kms_key_id + } + # Scope of policy now includes the key, so ensure to create new policy before + # destroying old one to prevent any disruption to every day services. + lifecycle { + create_before_destroy = true + } + +} +resource "time_sleep" "wait_for_authorization_policy_1" { + count = local.create_cross_account_auth_policy ? 
1 : 0 + depends_on = [ibm_iam_authorization_policy.kms_policy_1] + create_duration = "30s" } -resource "ibm_iam_authorization_policy" "kms_policy" { - count = local.create_cross_account_auth_policy ? 1 : 0 +resource "ibm_iam_authorization_policy" "kms_policy_2" { + count = local.create_auth provider = ibm.kms - source_service_account = data.ibm_iam_account_settings.iam_account_settings[0].account_id + source_service_account = local.account_id source_service_name = "secrets-manager" source_resource_group_id = module.resource_group[0].resource_group_id target_service_name = local.kms_service_name target_resource_instance_id = local.existing_kms_guid - roles = ["Reader"] - description = "Allow all Secrets Manager instances in the resource group ${module.resource_group[0].resource_group_id} in the account ${data.ibm_iam_account_settings.iam_account_settings[0].account_id} to read from the ${local.kms_service_name} instance GUID ${local.existing_kms_guid}" + roles = ["Viewer"] + # description = "Allow all Secrets Manager instances in the resource group ${module.resource_group[0].resource_group_id} in the account ${data.ibm_iam_account_settings.iam_account_settings[0].account_id} to view from the ${local.kms_service_name} instance GUID ${local.existing_kms_guid}" } # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478 -resource "time_sleep" "wait_for_authorization_policy" { - count = local.create_cross_account_auth_policy ? 1 : 0 - depends_on = [ibm_iam_authorization_policy.kms_policy] +resource "time_sleep" "wait_for_authorization_policy_2" { + count = local.create_auth + depends_on = [ibm_iam_authorization_policy.kms_policy_2] create_duration = "30s" } 
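Review bot: When no `existing_secrets_manager_kms_key_crn` is given, `kms_key_id`, `instance` and `kms_account_id` are all taken from `module.kms_instance_crn_parser`, i.e. from the instance CRN, so the `resource` attribute of `kms_policy_1` carries the instance CRN's resource segment (empty in the CRN format used as a default in variables.tf) rather than the id of the key the policy is supposed to be scoped to; feeding `local.kms_key_crn` through a single parser would keep both input paths consistent. The same locals index `module.kms_key_crn_parser[0]` / `module.kms_instance_crn_parser[0]` whenever `var.kms_encryption_enabled` is true, while each module's `count` depends on its own CRN variable being non-null, so a configuration with both CRN inputs null (their defaults) presumably fails at plan time on an empty module list — a `length(...) > 0` guard or a variable validation is needed. The commented-out `module "kms_crn_parser"` block and the `#description` lines should be removed rather than left as comments. The `@@ -34,7` hunk of this file in patch 03 below keeps the same locals and has the same issues.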
@@ -100,7 +168,7 @@ locals { } module "secrets_manager" { - depends_on = [time_sleep.wait_for_authorization_policy] + depends_on = [time_sleep.wait_for_authorization_policy_1,time_sleep.wait_for_authorization_policy_2] source = "../../modules/fscloud" existing_sm_instance_crn = var.existing_secrets_manager_crn resource_group_id = var.existing_secrets_manager_crn == null ? module.resource_group[0].resource_group_id : data.ibm_resource_instance.existing_sm[0].resource_group_id diff --git a/solutions/standard/outputs.tf b/solutions/standard/outputs.tf index 9c4d0c8f..a10c21e8 100644 --- a/solutions/standard/outputs.tf +++ b/solutions/standard/outputs.tf @@ -32,3 +32,13 @@ output "secrets_manager_region" { value = local.secrets_manager_region description = "Region of the Secrets Manager instance" } +output "kms_service_name" { + value = local.kms_service_name +} +output "create_auth" { + value = local.create_auth +} + +output "kms_key_crn"{ + value =local.kms_key_crn +} diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf index de0173c2..4b6d2dc9 100644 --- a/solutions/standard/variables.tf +++ b/solutions/standard/variables.tf @@ -11,7 +11,7 @@ variable "ibmcloud_api_key" { variable "provider_visibility" { description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)." type = string - default = "private" + default = "public" validation { condition = contains(["public", "private", "public-and-private"], var.provider_visibility) 
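Review bot: The three new outputs in solutions/standard/outputs.tf have no `description`, and `create_auth` exposes an internal `1`/`0` count that means nothing to a consumer of the solution, so they read like temporary debugging outputs. If `kms_key_crn` is meant to stay, give it a description such as `description = "CRN of the KMS key resolved by local.kms_key_crn"` and drop the other two; `output "kms_key_crn"{` and `value =local.kms_key_crn` also need the missing spaces for `terraform fmt`.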
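Review bot: `provider_visibility` now defaults to `"public"` instead of `"private"`, which switches every consumer of this solution from private to public service endpoints unless they override it; the same flip is made for `kms_endpoint_type` in the `@@ -188,14` hunk below, and that hunk also hard-codes a real HPCS instance CRN, including an account id, as the default of `existing_kms_instance_crn`, while the `@@ -28,7` hunk sets `resource_group_name` to a personal value `"aryrg"`. These look like local test settings committed by accident rather than intended defaults; restore `default = "private"` for both endpoint variables and `default = null` for the CRN and the resource group name. If the public default is intended, the variable descriptions should say so explicitly.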
@@ -28,7 +28,7 @@ variable "use_existing_resource_group" {
 variable "resource_group_name" {
 type = string
 description = "The name of a new or existing resource group to provision resources to. If a prefix input variable is specified, it's added to the value in the `-value` format. Optional if `existing_secrets_manager_crn` is not specified."
- default = null
+ default = "aryrg"
 }
 variable "region" {
@@ -188,14 +188,14 @@ variable "existing_secrets_manager_kms_key_crn" {
 variable "existing_kms_instance_crn" {
 type = string
- default = null
+ default = "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9::"
 description = "The CRN of the KMS instance (Hyper Protect Crypto Services or Key Protect). Required only if `existing_secrets_manager_crn` or `existing_secrets_manager_kms_key_crn` is not specified. If the KMS instance is in different account you must also provide a value for `ibmcloud_kms_api_key`."
 }
 variable "kms_endpoint_type" {
 type = string
 description = "The type of endpoint to use for communicating with the Key Protect or Hyper Protect Crypto Services instance. Possible values: `public`, `private`. Applies only if `existing_secrets_manager_kms_key_crn` is not specified."
- default = "private"
+ default = "public"
 validation {
 condition = can(regex("public|private", var.kms_endpoint_type))
 error_message = "The kms_endpoint_type value must be 'public' or 'private'."
@@ -285,3 +285,11 @@ variable "cbr_rules" { default = [] # Validation happens in the rule module } +variable "kms_encryption_enabled" { + type = bool + description = "Set this to true to control the encryption keys used to encrypt the data that you store in Secrets Manager. If set to false, the data that you store is encrypted at rest by using envelope encryption. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data&interface=ui#about-encryption." + default = true +} +output "kms_account_id" { + value = local.kms_account_id +} \ No newline at end of file From 341eeed0e67c72b94e4357bdb46731159e8556fa Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Thu, 27 Feb 2025 12:12:45 +0530 Subject: [PATCH 02/16] Updated the code --- outputs.tf | 3 --- solutions/standard/outputs.tf | 10 ---------- solutions/standard/variables.tf | 11 ++++------- 3 files changed, 4 insertions(+), 20 deletions(-) diff --git a/outputs.tf b/outputs.tf index cccb8eaa..769d593e 100644 --- a/outputs.tf +++ b/outputs.tf @@ -37,7 +37,4 @@ output "secrets" { value = module.secrets.secrets description = "List of secret mananger secret config data" } -# output "kms_account_id" { -# value = local.kms_account_id -# } ############################################################################## diff --git a/solutions/standard/outputs.tf b/solutions/standard/outputs.tf index a10c21e8..9c4d0c8f 100644 --- a/solutions/standard/outputs.tf +++ b/solutions/standard/outputs.tf @@ -32,13 +32,3 @@ output "secrets_manager_region" { value = local.secrets_manager_region description = "Region of the Secrets Manager instance" } -output "kms_service_name" { - value = local.kms_service_name -} -output "create_auth" { - value = local.create_auth -} - -output "kms_key_crn"{ - value =local.kms_key_crn -} diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf index 4b6d2dc9..9e0f4b00 100644 --- a/solutions/standard/variables.tf 
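Review bot: An `output "kms_account_id"` block is appended to solutions/standard/variables.tf, where it is misplaced (outputs belong in outputs.tf) and, given that patch 02 on this page deletes it again, apparently a debugging leftover; it should be dropped in this commit rather than in a follow-up. The new `kms_encryption_enabled` variable itself is fine, but the hunk also leaves the file with `\ No newline at end of file`, which formatting hooks typically flag.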
+++ b/solutions/standard/variables.tf @@ -11,7 +11,7 @@ variable "ibmcloud_api_key" { variable "provider_visibility" { description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)." type = string - default = "public" + default = "private" validation { condition = contains(["public", "private", "public-and-private"], var.provider_visibility) @@ -28,7 +28,7 @@ variable "use_existing_resource_group" { variable "resource_group_name" { type = string description = "The name of a new or existing resource group to provision resources to. If a prefix input variable is specified, it's added to the value in the `-value` format. Optional if `existing_secrets_manager_crn` is not specified." - default = "aryrg" + default = null } variable "region" { @@ -188,14 +188,14 @@ variable "existing_secrets_manager_kms_key_crn" { variable "existing_kms_instance_crn" { type = string - default = "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9::" + default = null description = "The CRN of the KMS instance (Hyper Protect Crypto Services or Key Protect). Required only if `existing_secrets_manager_crn` or `existing_secrets_manager_kms_key_crn` is not specified. If the KMS instance is in different account you must also provide a value for `ibmcloud_kms_api_key`." } variable "kms_endpoint_type" { type = string description = "The type of endpoint to use for communicating with the Key Protect or Hyper Protect Crypto Services instance. Possible values: `public`, `private`. Applies only if `existing_secrets_manager_kms_key_crn` is not specified." - default = "public" + default = "private" validation { condition = can(regex("public|private", var.kms_endpoint_type)) error_message = "The kms_endpoint_type value must be 'public' or 'private'." 
@@ -290,6 +290,3 @@ variable "kms_encryption_enabled" { description = "Set this to true to control the encryption keys used to encrypt the data that you store in Secrets Manager. If set to false, the data that you store is encrypted at rest by using envelope encryption. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data&interface=ui#about-encryption." default = true } -output "kms_account_id" { - value = local.kms_account_id -} \ No newline at end of file From f4ec644883af3a8b5591b4ba29bdaeb951e952eb Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Fri, 28 Feb 2025 11:15:59 +0530 Subject: [PATCH 03/16] Testing --- examples/complete/main.tf | 1 + main.tf | 17 +++++++---------- outputs.tf | 4 ++++ solutions/standard/main.tf | 4 ++-- solutions/standard/outputs.tf | 4 ++++ solutions/standard/variables.tf | 4 ++++ variables.tf | 4 ++++ 7 files changed, 26 insertions(+), 12 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 50819d4f..a78e5166 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -63,6 +63,7 @@ module "secrets_manager" { sm_service_plan = var.sm_service_plan sm_tags = var.resource_tags kms_encryption_enabled = true + is_hpcs = false existing_kms_instance_guid = module.key_protect.kms_guid kms_key_crn = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn enable_event_notification = true diff --git a/main.tf b/main.tf index 7c4b5e97..699715a0 100644 --- a/main.tf +++ b/main.tf 
@@ -55,18 +55,15 @@ resource "ibm_resource_instance" "secrets_manager_instance" { locals { # determine which service name to use for the policy create_auth_policy = var.kms_encryption_enabled && !var.skip_kms_iam_authorization_policy && var.existing_sm_instance_crn == null - kms_service_name = var.kms_key_crn != null ? ( - can(regex(".*kms.*", var.kms_key_crn)) ? "kms" : can(regex(".*hs-crypto.*", var.kms_key_crn)) ? "hs-crypto" : null - ) : null + kms_service_name = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_crn_parser[0].service_name : null kms_account_id = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_crn_parser[0].account_id : null kms_key_id = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_crn_parser[0].resource : null instance = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_crn_parser[0].service_instance : null - create_auth = local.create_auth_policy && local.kms_service_name == "hs-crypto" ? 1 : 0 - #instance = (var.kms_encryption_enabled && var.kms_key_crn != null && length(module.kms_crn_parser) > 0) ? module.kms_crn_parser[0].service_instance : null + create_auth = local.create_auth_policy && var.is_hpcs ? 1 : 0 } -module "kms_crn_parser" { - count = var.kms_key_crn != null ? 1 : 0 +module "kms_key_crn_parser" { + count = local.create_auth_policy ? 1 : 0 source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser" version = "1.1.0" crn = var.kms_key_crn 
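Review bot: The `kms_service_name`, `kms_account_id`, `kms_key_id` and `instance` locals still index `module.kms_key_crn_parser[0]` whenever `var.kms_encryption_enabled && var.kms_key_crn != null`, but the module's `count` is now `local.create_auth_policy`, which is also false when `var.skip_kms_iam_authorization_policy` is true or `var.existing_sm_instance_crn` is set; in those configurations the index hits an empty module list and the plan fails. Either keep `count = var.kms_key_crn != null ? 1 : 0` on the module or guard the locals with `length(module.kms_key_crn_parser) > 0`; the patch 04 hunk of this file (`@@ -52,29`) keeps `count = local.create_kms_auth_policy` and has the same problem. Replacing the CRN-derived check with `create_auth = local.create_auth_policy && var.is_hpcs ? 1 : 0` also makes the instance-wide `Viewer` policy depend on a caller-supplied flag that defaults to `true`, so a Key Protect key with the default gets `kms_policy_2` created against `target_service_name = "kms"`, and an HPCS key with `is_hpcs = false` silently skips it; `local.kms_service_name == "hs-crypto"` is available from the parser and is the safer condition, which patch 04 returns to. The same `var.is_hpcs` change is made in solutions/standard/main.tf (`@@ -34,7`).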
@@ -77,7 +74,7 @@ resource "ibm_iam_authorization_policy" "kms_policy_1" { source_service_name = "secrets-manager" source_resource_group_id = var.resource_group_id roles = ["Reader"] - #description = "Allow all Secrets Manager instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service_name} instance GUID ${var.existing_kms_instance_guid}" + description = "Allow all Secrets Manager instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service_name} instance GUID ${local.instance}" resource_attributes { name = "serviceName" operator = "stringEquals" @@ -123,9 +120,9 @@ resource "ibm_iam_authorization_policy" "kms_policy_2" { source_service_name = "secrets-manager" source_resource_group_id = var.resource_group_id target_service_name = local.kms_service_name - target_resource_instance_id = var.existing_kms_instance_guid + target_resource_instance_id = local.instance roles = ["Viewer"] - #description = "Allow all Secrets Manager instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service_name} instance GUID ${var.existing_kms_instance_guid}" + description = "Allow all Secrets Manager instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service_name} instance GUID ${local.instance}" } resource "time_sleep" "wait_for_authorization_policy_2" { diff --git a/outputs.tf b/outputs.tf index 769d593e..efbb0edd 100644 --- a/outputs.tf +++ b/outputs.tf @@ -37,4 +37,8 @@ output "secrets" { value = module.secrets.secrets description = "List of secret mananger secret config data" } +output "kms_key_crn" { + value = var.kms_key_crn + description = "List of secret mananger secret config data" +} ############################################################################## diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf index 140d42a1..1ba9557d 100644 --- a/solutions/standard/main.tf +++ b/solutions/standard/main.tf 
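Review bot: The description of the new `kms_key_crn` output in outputs.tf, `"List of secret mananger secret config data"`, is copied from the `secrets` output and does not describe a CRN; `description = "CRN of the KMS key passed in via kms_key_crn"` matches the value. The same copy-pasted description is used for `kms_key_crn` in solutions/standard/outputs.tf in the next hunk, and patch 04's README hunk carries it into the generated outputs table. In the `@@ -123,9` hunk of main.tf the restored `description` on `kms_policy_2` still says `read from the ... instance` although the role granted is `Viewer`; the text should name the role that is actually assigned.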
@@ -21,7 +21,7 @@ module "resource_group" { # KMS Key ####################################################################################################################### locals { - kms_key_crn = var.existing_secrets_manager_crn == null ? (var.existing_secrets_manager_kms_key_crn != null ? var.existing_secrets_manager_kms_key_crn : var.existing_kms_instance_crn) : var.existing_secrets_manager_kms_key_crn + kms_key_crn = var.existing_secrets_manager_crn == null ? (var.existing_secrets_manager_kms_key_crn != null ? var.existing_secrets_manager_kms_key_crn : module.kms[0].keys[format("%s.%s", local.kms_key_ring_name, local.kms_key_name)].crn) : var.existing_secrets_manager_kms_key_crn kms_key_ring_name = try("${local.prefix}-${var.kms_key_ring_name}", var.kms_key_ring_name) kms_key_name = try("${local.prefix}-${var.kms_key_name}", var.kms_key_name) @@ -34,7 +34,7 @@ locals { kms_key_id = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].resource : module.kms_instance_crn_parser[0].resource : null instance = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_instance : module.kms_instance_crn_parser[0].service_instance : null kms_account_id = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].account_id : module.kms_instance_crn_parser[0].account_id : null - create_auth = local.create_cross_account_auth_policy == true && local.kms_service_name == "hs-crypto" ? 1 : 0 + create_auth = local.create_cross_account_auth_policy == true && var.is_hpcs ? 1 : 0 account_id = length(data.ibm_iam_account_settings.iam_account_settings) > 0 ? data.ibm_iam_account_settings.iam_account_settings[0].account_id : null } diff --git a/solutions/standard/outputs.tf b/solutions/standard/outputs.tf index 9c4d0c8f..b1b6d1ae 100644 --- a/solutions/standard/outputs.tf +++ b/solutions/standard/outputs.tf 
@@ -32,3 +32,7 @@ output "secrets_manager_region" { value = local.secrets_manager_region description = "Region of the Secrets Manager instance" } +output "kms_key_crn" { + value = local.kms_key_crn + description = "List of secret mananger secret config data" +} \ No newline at end of file diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf index 9e0f4b00..7f9a3ab5 100644 --- a/solutions/standard/variables.tf +++ b/solutions/standard/variables.tf @@ -290,3 +290,7 @@ variable "kms_encryption_enabled" { description = "Set this to true to control the encryption keys used to encrypt the data that you store in Secrets Manager. If set to false, the data that you store is encrypted at rest by using envelope encryption. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data&interface=ui#about-encryption." default = true } +variable "is_hpcs"{ + type = bool + default = true +} \ No newline at end of file diff --git a/variables.tf b/variables.tf index cf04c6b2..b8001ef9 100644 --- a/variables.tf +++ b/variables.tf @@ -160,3 +160,7 @@ variable "secrets" { description = "Secret Manager secrets configurations." default = [] } +variable "is_hpcs"{ + type = bool + default = true +} \ No newline at end of file From 62a25f9bb08767d81d9b3e41c11e7bc5e5c61fb1 Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Tue, 4 Mar 2025 09:01:22 +0530 Subject: [PATCH 04/16] Added comments --- README.md | 8 +++-- examples/complete/main.tf | 1 - main.tf | 61 +++++++++++++++++++-------------- solutions/standard/main.tf | 60 +++++++++++++++++--------------- solutions/standard/outputs.tf | 2 +- solutions/standard/variables.tf | 15 ++++---- variables.tf | 4 --- 7 files changed, 80 insertions(+), 71 deletions(-) diff --git a/README.md b/README.md index 7e91c494..5531fe1d 100644 --- a/README.md +++ b/README.md 
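Review bot: `variable "is_hpcs"{` in both solutions/standard/variables.tf and variables.tf has no `description`, so nothing tells a caller that it selects the extra instance-wide HPCS authorization policy or that the default `true` is wrong for Key Protect (examples/complete has to pass `is_hpcs = false` explicitly). Add e.g. `description = "Set to true when the key in kms_key_crn belongs to a Hyper Protect Crypto Services instance, false for Key Protect."` and the missing space before `{`; both hunks also leave their file with `\ No newline at end of file`.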
@@ -76,6 +76,7 @@ You need the following permissions to run this module. | Name | Source | Version | |------|--------|---------| | [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.29.0 | +| [kms\_key\_crn\_parser](#module\_kms\_key\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 | | [secrets](#module\_secrets) | ./modules/secrets | n/a | ### Resources 
@@ -83,10 +84,12 @@ You need the following permissions to run this module. | Name | Type | |------|------| | [ibm_iam_authorization_policy.en_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | -| [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | +| [ibm_iam_authorization_policy.secrets_manager_hpcs_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | +| [ibm_iam_authorization_policy.secrets_manager_kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_resource_instance.secrets_manager_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource | | [ibm_sm_en_registration.sm_en_registration](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_en_registration) | resource | -| [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [time_sleep.wait_for_sm_hpcs_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [time_sleep.wait_for_sm_kms_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [ibm_resource_instance.sm_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/resource_instance) | data source | ### Inputs 
@@ -115,6 +118,7 @@ You need the following permissions to run this module. | Name | Description | |------|-------------| +| [kms\_key\_crn](#output\_kms\_key\_crn) | List of secret mananger secret config data | | [secret\_groups](#output\_secret\_groups) | IDs of the created Secret Group | | [secrets](#output\_secrets) | List of secret mananger secret config data | | [secrets\_manager\_crn](#output\_secrets\_manager\_crn) | CRN of the Secrets Manager instance | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 52223e7a..0238d975 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -63,7 +63,6 @@ module "secrets_manager" { sm_service_plan = var.sm_service_plan sm_tags = var.resource_tags kms_encryption_enabled = true - is_hpcs = false existing_kms_instance_guid = module.key_protect.kms_guid kms_key_crn = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn enable_event_notification = true diff --git a/main.tf b/main.tf index 699715a0..a2f5daff 100644 --- a/main.tf +++ b/main.tf @@ -34,7 +34,7 @@ data "ibm_resource_instance" "sm_instance" { # Create Secrets Manager Instance resource "ibm_resource_instance" "secrets_manager_instance" { count = var.existing_sm_instance_crn == null ? 1 : 0 - depends_on = [time_sleep.wait_for_authorization_policy_1, time_sleep.wait_for_authorization_policy_2] + depends_on = [time_sleep.wait_for_sm_kms_authorization_policy, time_sleep.wait_for_sm_hpcs_authorization_policy] name = var.secrets_manager_name service = "secrets-manager" plan = var.sm_service_plan 
@@ -52,29 +52,37 @@ resource "ibm_resource_instance" "secrets_manager_instance" {
 }
 }
+#######################################################################################################################
+# KMS Key
+#######################################################################################################################
 locals {
- # determine which service name to use for the policy
- create_auth_policy = var.kms_encryption_enabled && !var.skip_kms_iam_authorization_policy && var.existing_sm_instance_crn == null
- kms_service_name = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_crn_parser[0].service_name : null
- kms_account_id = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_crn_parser[0].account_id : null
- kms_key_id = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_crn_parser[0].resource : null
- instance = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_crn_parser[0].service_instance : null
- create_auth = local.create_auth_policy && var.is_hpcs ? 1 : 0
+ create_kms_auth_policy = var.kms_encryption_enabled && !var.skip_kms_iam_authorization_policy && var.existing_sm_instance_crn == null
+ create_hpcs_auth_policy = local.create_kms_auth_policy == true && local.kms_service_name == "hs-crypto" ? 1 : 0
+
+ kms_service_name = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : null
+ kms_account_id = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_key_crn_parser[0].account_id : null
+ kms_key_id = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_key_crn_parser[0].resource : null
+ kms_instance_guid = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_key_crn_parser[0].service_instance : null
 }
+########################################################################################################################
+# Parse KMS info from CRN
+########################################################################################################################
+
 module "kms_key_crn_parser" {
- count = local.create_auth_policy ? 1 : 0
+ count = local.create_kms_auth_policy ? 1 : 0
 source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
 version = "1.1.0"
 crn = var.kms_key_crn
 }
-resource "ibm_iam_authorization_policy" "kms_policy_1" {
- count = local.create_auth_policy ? 1 : 0
+# Create auth policy (scoped to exact KMS key)
+resource "ibm_iam_authorization_policy" "secrets_manager_kms_policy" {
+ count = local.create_kms_auth_policy ? 1 : 0
 source_service_name = "secrets-manager"
 source_resource_group_id = var.resource_group_id
 roles = ["Reader"]
- description = "Allow all Secrets Manager instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service_name} instance GUID ${local.instance}"
+ description = "Allow all Secrets Manager instances in the resource group ${var.resource_group_id} to read the ${local.kms_service_name} key ${local.kms_key_id} from the instance GUID ${local.kms_instance_guid}."
 resource_attributes {
 name = "serviceName"
 operator = "stringEquals"
@@ -88,7 +96,7 @@ resource "ibm_iam_authorization_policy" "kms_policy_1" {
 resource_attributes {
 name = "serviceInstance"
 operator = "stringEquals"
- value = local.instance
+ value = local.kms_instance_guid
 }
 resource_attributes {
 name = "resourceType"
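Review bot: The new locals `kms_service_name`, `kms_account_id`, `kms_key_id` and `kms_instance_guid` index `module.kms_key_crn_parser[0]` whenever `var.kms_encryption_enabled && var.kms_key_crn != null`, but the module's `count` uses the stricter `local.create_kms_auth_policy`, which is also false when `skip_kms_iam_authorization_policy` is true or an existing instance CRN is given. In that combination the module has zero instances and the `[0]` index fails at plan time; as far as I can tell `create_hpcs_auth_policy` always forces that evaluation because it reads `local.kms_service_name`, and the cross-account path in solutions/standard passes `skip_kms_iam_authorization_policy = true` with a key CRN set, so it would hit this. Since parsing a CRN has no side effects, the simplest fix is to give the parser module the same guard as the locals: `count = var.kms_encryption_enabled && var.kms_key_crn != null ? 1 : 0`. As a style point, `local.create_kms_auth_policy == true` compares a bool to `true` and reads better as `local.create_kms_auth_policy`.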
@@ -107,32 +115,33 @@ resource "ibm_iam_authorization_policy" "kms_policy_1" {
 }
 }
-resource "time_sleep" "wait_for_authorization_policy_1" {
+
+# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
+resource "time_sleep" "wait_for_sm_kms_authorization_policy" {
 count = var.existing_sm_instance_crn == null ? 1 : 0
- depends_on = [ibm_iam_authorization_policy.kms_policy_1, ibm_iam_authorization_policy.en_policy]
+ depends_on = [ibm_iam_authorization_policy.secrets_manager_kms_policy, ibm_iam_authorization_policy.en_policy]
 create_duration = "30s"
 }
-
-resource "ibm_iam_authorization_policy" "kms_policy_2" {
- count = local.create_auth
+# if using HPCS ,create a second IAM authorization that assigns the Viewer platform access in Hyper Protect Crypto Services .[Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data#using-byok)
+resource "ibm_iam_authorization_policy" "secrets_manager_hpcs_policy" {
+ count = local.create_hpcs_auth_policy
 source_service_name = "secrets-manager"
 source_resource_group_id = var.resource_group_id
 target_service_name = local.kms_service_name
- target_resource_instance_id = local.instance
+ target_resource_instance_id = local.kms_instance_guid
 roles = ["Viewer"]
- description = "Allow all Secrets Manager instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service_name} instance GUID ${local.instance}"
+ description = "Allow all Secrets Manager instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service_name} instance GUID ${local.kms_instance_guid}."
}
-resource "time_sleep" "wait_for_authorization_policy_2" {
- count = local.create_auth
- depends_on = [ibm_iam_authorization_policy.kms_policy_2]
+# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
+resource "time_sleep" "wait_for_sm_hpcs_authorization_policy" {
+ count = local.create_hpcs_auth_policy
+ depends_on = [ibm_iam_authorization_policy.secrets_manager_hpcs_policy]
 create_duration = "30s"
 }
-# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
-
 locals {
 secrets_manager_guid = var.existing_sm_instance_crn != null ? local.existing_sm_guid : tolist(ibm_resource_instance.secrets_manager_instance[*].guid)[0]
@@ -194,7 +203,7 @@ resource "ibm_iam_authorization_policy" "en_policy" {
 resource "ibm_sm_en_registration" "sm_en_registration" {
 # if existing SM instance CRN is passed (!= null), then never register EN
 count = var.existing_sm_instance_crn == null && var.enable_event_notification ? 1 : 0
- depends_on = [time_sleep.wait_for_authorization_policy_1]
+ depends_on = [time_sleep.wait_for_sm_kms_authorization_policy]
 instance_id = local.secrets_manager_guid
 region = local.secrets_manager_region
 event_notifications_instance_crn = var.existing_en_instance_crn
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index 3f790f14..afeb33d9 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
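Review bot: The comment introduced above `secrets_manager_hpcs_policy` has stray spacing and does not say why a second, instance-wide grant is needed next to the key-scoped Reader policy; the same comment is added verbatim in the solutions/standard/main.tf hunk for `secrets_manager_hpcs_policy` as well. I would write it as `# If using HPCS, create a second IAM authorization policy that grants the Viewer platform role on the whole Hyper Protect Crypto Services instance; this is required in addition to the key-scoped Reader policy. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data#using-byok)`. Unrelated to the rename, `wait_for_sm_kms_authorization_policy` keeps `count = var.existing_sm_instance_crn == null ? 1 : 0`, which is wider than the `local.create_kms_auth_policy` gate on the policy it waits for, so a 30s sleep runs even when no KMS policy is created; that predates this patch but is worth tightening while the resource is being touched.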
@@ -28,19 +28,26 @@ locals {
 parsed_existing_kms_instance_crn = var.existing_kms_instance_crn != null ? split(":", var.existing_kms_instance_crn) : []
 kms_region = length(local.parsed_existing_kms_instance_crn) > 0 ? local.parsed_existing_kms_instance_crn[5] : null
 existing_kms_guid = length(local.parsed_existing_kms_instance_crn) > 0 ? local.parsed_existing_kms_instance_crn[7] : null
- create_cross_account_auth_policy = !var.skip_kms_iam_authorization_policy && var.ibmcloud_kms_api_key != null
- kms_service_name = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : module.kms_instance_crn_parser[0].service_name : null
- kms_key_id = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].resource : module.kms_instance_crn_parser[0].resource : null
- instance = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_instance : module.kms_instance_crn_parser[0].service_instance : null
- kms_account_id = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].account_id : module.kms_instance_crn_parser[0].account_id : null
- create_auth = local.create_cross_account_auth_policy == true && var.is_hpcs ? 1 : 0
- account_id = length(data.ibm_iam_account_settings.iam_account_settings) > 0 ? data.ibm_iam_account_settings.iam_account_settings[0].account_id : null
-}
+ create_cross_account_auth_policy = !var.skip_kms_iam_authorization_policy && var.ibmcloud_kms_api_key != null
+ create_cross_account_hpcs_auth_policy = local.create_cross_account_auth_policy == true && local.kms_service_name == "hs-crypto" ? 1 : 0
+
+ kms_service_name = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : module.kms_instance_crn_parser[0].service_name : null
+ kms_key_id = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].resource : module.kms_instance_crn_parser[0].resource : null
+ kms_instance_guid = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_instance : module.kms_instance_crn_parser[0].service_instance : null
+ kms_account_id = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].account_id : module.kms_instance_crn_parser[0].account_id : null
+ account_id = data.ibm_iam_account_settings.iam_account_settings[0].account_id
+}
+# Lookup account ID
 data "ibm_iam_account_settings" "iam_account_settings" {
- count = local.create_cross_account_auth_policy ? 1 : 0
+ count = local.create_cross_account_auth_policy ? 1 : 0
 }
+
+########################################################################################################################
+# Parse KMS info from given CRNs
+########################################################################################################################
+
 module "kms_instance_crn_parser" {
 count = var.existing_kms_instance_crn != null ? 1 : 0
 source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
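Review bot: The new `account_id = data.ibm_iam_account_settings.iam_account_settings[0].account_id` drops the `length(...) > 0` guard the removed line had, while the data source it indexes keeps `count = local.create_cross_account_auth_policy ? 1 : 0`. Whenever that flag is false (the default, since it needs `ibmcloud_kms_api_key`) the data source has zero instances and the local fails with an invalid-index error at plan time, so this breaks the non-cross-account path rather than just the one the policy is for. Restore the guard, `account_id = length(data.ibm_iam_account_settings.iam_account_settings) > 0 ? data.ibm_iam_account_settings.iam_account_settings[0].account_id : null`, or reference the data source directly inside the two count-gated policy resources, which is what PATCH 05 in this series ends up doing. The `== true` in `create_cross_account_hpcs_auth_policy` is redundant on a bool.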
@@ -55,20 +62,15 @@ module "kms_key_crn_parser" {
 crn = var.existing_secrets_manager_kms_key_crn
 }
-# module "kms_crn_parser" {
-# count = local.create_cross_account_auth_policy ? 1 : 0
-# source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
-# version = "1.1.0"
-# crn = var.existing_kms_instance_crn
-# }
-resource "ibm_iam_authorization_policy" "kms_policy_1" {
+# Create auth policy (scoped to exact KMS key)
+resource "ibm_iam_authorization_policy" "secrets_manager_kms_policy" {
 count = local.create_cross_account_auth_policy ? 1 : 0
 provider = ibm.kms
 source_service_account = local.account_id
 source_service_name = "secrets-manager"
 source_resource_group_id = module.resource_group[0].resource_group_id
 roles = ["Reader"]
- #description = "Allow all Secrets Manager instances in the resource group ${module.resource_group[0].resource_group_id} in the account ${data.ibm_iam_account_settings.iam_account_settings[0].account_id} to read from the ${local.kms_service_name} instance GUID ${local.existing_kms_guid}"
+ description = "Allow all Secrets Manager instances in the resource group ${module.resource_group[0].resource_group_id} in the account ${local.account_id} to read the ${local.kms_service_name} key ${local.kms_key_id} from the instance GUID ${local.kms_instance_guid}"
 resource_attributes {
 name = "serviceName"
 operator = "stringEquals"
@@ -82,7 +84,7 @@ resource "ibm_iam_authorization_policy" "kms_policy_1" {
 resource_attributes {
 name = "serviceInstance"
 operator = "stringEquals"
- value = local.instance
+ value = local.kms_instance_guid
 }
 resource_attributes {
 name = "resourceType"
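Review bot: The comment `# Create auth policy (scoped to exact KMS key)` is copied from the root module, but this policy differs in an important way that the comment should state: it is created through the `ibm.kms` provider alias in the KMS account and names the Secrets Manager account via `source_service_account`, i.e. it is a cross-account authorization. I would write `# Create the cross-account auth policy in the KMS account (ibm.kms provider), allowing Secrets Manager in this account Reader access scoped to the exact KMS key`. The `resource_attributes` that actually pin the key are outside this hunk, so I could not confirm the "exact key" scoping from here.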
@@ -101,28 +103,30 @@ resource "ibm_iam_authorization_policy" "kms_policy_1" {
 }
 }
-resource "time_sleep" "wait_for_authorization_policy_1" {
+# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
+resource "time_sleep" "wait_for_sm_kms_authorization_policy" {
 count = local.create_cross_account_auth_policy ? 1 : 0
- depends_on = [ibm_iam_authorization_policy.kms_policy_1]
+ depends_on = [ibm_iam_authorization_policy.secrets_manager_kms_policy]
 create_duration = "30s"
 }
-resource "ibm_iam_authorization_policy" "kms_policy_2" {
- count = local.create_auth
+# if using HPCS ,create a second IAM authorization that assigns the Viewer platform access in Hyper Protect Crypto Services .[Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data#using-byok)
+resource "ibm_iam_authorization_policy" "secrets_manager_hpcs_policy" {
+ count = local.create_cross_account_hpcs_auth_policy
 provider = ibm.kms
 source_service_account = local.account_id
 source_service_name = "secrets-manager"
 source_resource_group_id = module.resource_group[0].resource_group_id
 target_service_name = local.kms_service_name
- target_resource_instance_id = local.existing_kms_guid
+ target_resource_instance_id = local.kms_instance_guid
 roles = ["Viewer"]
- # description = "Allow all Secrets Manager instances in the resource group ${module.resource_group[0].resource_group_id} in the account ${data.ibm_iam_account_settings.iam_account_settings[0].account_id} to view from the ${local.kms_service_name} instance GUID ${local.existing_kms_guid}"
+ description = "Allow all Secrets Manager instances in the resource group ${module.resource_group[0].resource_group_id} in the account ${local.account_id} to view from the ${local.kms_service_name} instance GUID ${local.kms_instance_guid}"
 }
 # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
-resource "time_sleep" "wait_for_authorization_policy_2" {
- count = local.create_auth
- depends_on = [ibm_iam_authorization_policy.kms_policy_2]
+resource "time_sleep" "wait_for_sm_hpcs_authorization_policy" {
+ count = local.create_cross_account_hpcs_auth_policy
+ depends_on = [ibm_iam_authorization_policy.secrets_manager_hpcs_policy]
 create_duration = "30s"
 }
@@ -168,7 +172,7 @@ locals {
 }
 module "secrets_manager" {
- depends_on = [time_sleep.wait_for_authorization_policy_1,time_sleep.wait_for_authorization_policy_2]
+ depends_on = [time_sleep.wait_for_sm_kms_authorization_policy, time_sleep.wait_for_sm_hpcs_authorization_policy]
 source = "../../modules/fscloud"
 existing_sm_instance_crn = var.existing_secrets_manager_crn
 resource_group_id = var.existing_secrets_manager_crn == null ? module.resource_group[0].resource_group_id : data.ibm_resource_instance.existing_sm[0].resource_group_id
diff --git a/solutions/standard/outputs.tf b/solutions/standard/outputs.tf
index b1b6d1ae..79d15615 100644
--- a/solutions/standard/outputs.tf
+++ b/solutions/standard/outputs.tf
@@ -35,4 +35,4 @@ output "secrets_manager_region" {
 output "kms_key_crn" {
 value = local.kms_key_crn
 description = "List of secret mananger secret config data"
-}
\ No newline at end of file
+}
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index 7f9a3ab5..17379e86 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -186,6 +186,12 @@ variable "existing_secrets_manager_kms_key_crn" {
 # KMS properties required when creating an encryption key, rather than passing an existing key CRN.
 ########################################################################################################################
+variable "kms_encryption_enabled" {
+ type = bool
+ description = "Set this to true to control the encryption keys used to encrypt the data that you store in Secrets Manager. If set to false, the data that you store is encrypted at rest by using envelope encryption. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data&interface=ui#about-encryption."
+ default = true
+}
+
 variable "existing_kms_instance_crn" {
 type = string
 default = null
@@ -285,12 +291,3 @@ variable "cbr_rules" {
 default = []
 # Validation happens in the rule module
 }
-variable "kms_encryption_enabled" {
- type = bool
- description = "Set this to true to control the encryption keys used to encrypt the data that you store in Secrets Manager. If set to false, the data that you store is encrypted at rest by using envelope encryption. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data&interface=ui#about-encryption."
- default = true
-}
-variable "is_hpcs"{
- type = bool
- default = true
-}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index b8001ef9..cf04c6b2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -160,7 +160,3 @@ variable "secrets" {
 description = "Secret Manager secrets configurations."
 default = []
 }
-variable "is_hpcs"{
- type = bool
- default = true
-}
\ No newline at end of file
From 13527a40b8237d5e0d62e1ab734a38c8328c414b Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Tue, 18 Mar 2025 18:04:59 +0530
Subject: [PATCH 05/16] Updated Branch
---
 main.tf | 9 +++++----
 modules/fscloud/main.tf | 1 -
 solutions/standard/main.tf | 23 +++++++++++------------
 variables.tf | 6 ------
 4 files changed, 16 insertions(+), 23 deletions(-)
diff --git a/main.tf b/main.tf
index 7a294742..0c8cb4b5 100644
--- a/main.tf
+++ b/main.tf
@@ -6,11 +6,9 @@ locals {
 # Validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
 # tflint-ignore: terraform_unused_declarations
- validate_kms_values = (!var.kms_encryption_enabled && var.kms_key_crn != null && var.existing_sm_instance_crn == null) ? tobool("When passing values for var.kms_key_crn, you must set 'kms_encryption_enabled' to true. Otherwise set 'kms_encryption_enabled' to false to use default encryption") : (!var.kms_encryption_enabled && var.existing_kms_instance_guid != null) ? tobool("When passing values for var.existing_kms_instance_guid, you must set var.kms_encryption_enabled to true. Otherwise unset them to use default encryption") : true
- # tflint-ignore: terraform_unused_declarations
 validate_kms_vars = var.kms_encryption_enabled && var.kms_key_crn == null && var.existing_sm_instance_crn == null ? tobool("When setting var.kms_encryption_enabled to true, a value must be passed for var.kms_key_crn") : true
 # tflint-ignore: terraform_unused_declarations
- validate_auth_policy = var.kms_encryption_enabled && var.skip_kms_iam_authorization_policy == false && var.existing_kms_instance_guid == null && var.existing_sm_instance_crn == null ? tobool("When var.skip_kms_iam_authorization_policy is set to false, and var.kms_encryption_enabled to true, a value must be passed for var.existing_kms_instance_guid in order to create the auth policy.") : true
+ validate_auth_policy = var.kms_encryption_enabled && var.skip_kms_iam_authorization_policy == false && var.kms_key_crn == null && var.existing_sm_instance_crn == null ? tobool("When var.skip_kms_iam_authorization_policy is set to false, and var.kms_encryption_enabled to true, a value must be passed for var.kms_key_crn in order to create the auth policy.") : true
 # tflint-ignore: terraform_unused_declarations
 validate_event_notification = var.enable_event_notification && var.existing_en_instance_crn == null ? tobool("When setting var.enable_event_notification to true, a value must be passed for var.existing_en_instance_crn") : true
 # tflint-ignore: terraform_unused_declarations
@@ -43,7 +41,7 @@ resource "ibm_resource_instance" "secrets_manager_instance" {
 tags = var.sm_tags
 parameters = {
 "allowed_network" = var.allowed_network
- "kms_instance" = var.existing_kms_instance_guid
+ "kms_instance" = var.kms_instance_guid
 "kms_key" = var.kms_key_crn
 }
@@ -71,6 +69,9 @@ resource "ibm_iam_authorization_policy" "iam_groups_policy" {
 description = "Allows Secrets Manager instance ${local.secrets_manager_guid} `Groups Service Member Manage` access to the IAM Groups service to enable creating IAM credentials."
 }
+#######################################################################################################################
+# KMS Key
+#######################################################################################################################
 locals {
 create_kms_auth_policy = var.kms_encryption_enabled && !var.skip_kms_iam_authorization_policy && var.existing_sm_instance_crn == null
 create_hpcs_auth_policy = local.create_kms_auth_policy == true && local.kms_service_name == "hs-crypto" ? 1 : 0
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
index 5cda0cb2..a3da8d4d 100644
--- a/modules/fscloud/main.tf
+++ b/modules/fscloud/main.tf
@@ -9,7 +9,6 @@ module "secrets_manager" {
 allowed_network = "private-only"
 endpoint_type = "private"
 kms_encryption_enabled = true
- existing_kms_instance_guid = var.existing_kms_instance_guid
 enable_event_notification = var.enable_event_notification
 existing_en_instance_crn = var.existing_en_instance_crn
 skip_en_iam_authorization_policy = var.skip_en_iam_authorization_policy
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index afeb33d9..0b98d2e1 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
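Review bot: After this change `validate_auth_policy` can never fire on its own: its condition is `validate_kms_vars`'s condition narrowed by `skip_kms_iam_authorization_policy == false`, so every input that trips it already trips `validate_kms_vars` two lines above with a different message, and one of the two checks should go. Dropping `validate_kms_values` also removes the only check that rejected a `kms_key_crn` given with `kms_encryption_enabled = false`; since the instance parameters in this file still pass `"kms_key" = var.kms_key_crn` unconditionally, that combination would now be accepted silently, with the key passed to the service but no authorization policy created for it. I would keep the first half of the removed check: `validate_kms_values = !var.kms_encryption_enabled && var.kms_key_crn != null && var.existing_sm_instance_crn == null ? tobool("When passing values for var.kms_key_crn, you must set 'kms_encryption_enabled' to true. Otherwise set 'kms_encryption_enabled' to false to use default encryption") : true`. The `locals` block these checks live in starts and ends outside the hunk.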
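Review bot: `"kms_instance" = var.kms_instance_guid` references an input that this patch does not declare: the variables.tf hunk below only deletes `existing_kms_instance_guid` and the diffstat for variables.tf shows deletions alone, so unless `kms_instance_guid` is declared somewhere not shown, `terraform validate` will reject the reference. The `locals` block added later in this same file derives `local.kms_instance_guid` from the parsed key CRN, which looks like the intended value; `"kms_instance" = local.kms_instance_guid` would keep the instance parameter in step with the authorization policies without needing a separate input. The `resource "ibm_resource_instance"` block this line belongs to starts and ends outside the hunk.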
@@ -21,7 +21,7 @@ module "resource_group" {
 # KMS Key
 #######################################################################################################################
 locals {
- kms_key_crn = var.existing_secrets_manager_crn == null ? (var.existing_secrets_manager_kms_key_crn != null ? var.existing_secrets_manager_kms_key_crn : module.kms[0].keys[format("%s.%s", local.kms_key_ring_name, local.kms_key_name)].crn) : var.existing_secrets_manager_kms_key_crn
+ kms_key_crn = var.existing_secrets_manager_crn == null ? (var.existing_secrets_manager_kms_key_crn != null ? var.existing_secrets_manager_kms_key_crn : module.kms[0].keys[format("%s.%s", local.kms_key_ring_name, local.kms_key_name)].crn) : null
 kms_key_ring_name = try("${local.prefix}-${var.kms_key_ring_name}", var.kms_key_ring_name)
 kms_key_name = try("${local.prefix}-${var.kms_key_name}", var.kms_key_name)
@@ -29,15 +29,14 @@ locals {
 kms_region = length(local.parsed_existing_kms_instance_crn) > 0 ? local.parsed_existing_kms_instance_crn[5] : null
 existing_kms_guid = length(local.parsed_existing_kms_instance_crn) > 0 ? local.parsed_existing_kms_instance_crn[7] : null
- create_cross_account_auth_policy = !var.skip_kms_iam_authorization_policy && var.ibmcloud_kms_api_key != null
+ create_cross_account_auth_policy = var.existing_secrets_manager_crn == null && !var.skip_kms_iam_authorization_policy && var.ibmcloud_kms_api_key != null
 create_cross_account_hpcs_auth_policy = local.create_cross_account_auth_policy == true && local.kms_service_name == "hs-crypto" ? 1 : 0
- kms_service_name = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : module.kms_instance_crn_parser[0].service_name : null
- kms_key_id = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].resource : module.kms_instance_crn_parser[0].resource : null
- kms_instance_guid = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_instance : module.kms_instance_crn_parser[0].service_instance : null
- kms_account_id = var.kms_encryption_enabled ? var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].account_id : module.kms_instance_crn_parser[0].account_id : null
+ kms_service_name = var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : module.kms_instance_crn_parser[0].service_name
+ kms_key_id = var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].resource : module.kms_instance_crn_parser[0].resource
+ kms_instance_guid = var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_instance : module.kms_instance_crn_parser[0].service_instance
+ kms_account_id = var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].account_id : module.kms_instance_crn_parser[0].account_id
- account_id = data.ibm_iam_account_settings.iam_account_settings[0].account_id
 }
 # Lookup account ID
 data "ibm_iam_account_settings" "iam_account_settings" {
@@ -66,11 +65,11 @@ module "kms_key_crn_parser" {
 resource "ibm_iam_authorization_policy" "secrets_manager_kms_policy" {
 count = local.create_cross_account_auth_policy ? 1 : 0
 provider = ibm.kms
- source_service_account = local.account_id
+ source_service_account = data.ibm_iam_account_settings.iam_account_settings[0].account_id
 source_service_name = "secrets-manager"
 source_resource_group_id = module.resource_group[0].resource_group_id
 roles = ["Reader"]
- description = "Allow all Secrets Manager instances in the resource group ${module.resource_group[0].resource_group_id} in the account ${local.account_id} to read the ${local.kms_service_name} key ${local.kms_key_id} from the instance GUID ${local.kms_instance_guid}"
+ description = "Allow all Secrets Manager instances in the resource group ${module.resource_group[0].resource_group_id} in the account ${data.ibm_iam_account_settings.iam_account_settings[0].account_id} to read the ${local.kms_service_name} key ${local.kms_key_id} from the instance GUID ${local.kms_instance_guid}"
 resource_attributes {
 name = "serviceName"
 operator = "stringEquals"
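Review bot: The rewritten `kms_service_name`, `kms_key_id`, `kms_instance_guid` and `kms_account_id` now always index one of the two parser modules, and the fallback `module.kms_instance_crn_parser[0]` is gated by `count = var.existing_kms_instance_crn != null ? 1 : 0` earlier in this file. If both `existing_secrets_manager_kms_key_crn` and `existing_kms_instance_crn` are null — which looks possible when an existing Secrets Manager instance is reused — the fallback branch indexes an empty module and the plan fails, where the removed `var.kms_encryption_enabled ? ... : null` wrapper used to return null; I could not see whether a variable validation elsewhere rules that combination out. If it is not ruled out, each local needs a null fallback, e.g. `kms_service_name = var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : var.existing_kms_instance_crn != null ? module.kms_instance_crn_parser[0].service_name : null`, with the same shape for the other three. The enclosing `locals` block starts outside the hunk.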
@@ -114,13 +113,13 @@ resource "time_sleep" "wait_for_sm_kms_authorization_policy" {
 resource "ibm_iam_authorization_policy" "secrets_manager_hpcs_policy" {
 count = local.create_cross_account_hpcs_auth_policy
 provider = ibm.kms
- source_service_account = local.account_id
+ source_service_account = data.ibm_iam_account_settings.iam_account_settings[0].account_id
 source_service_name = "secrets-manager"
 source_resource_group_id = module.resource_group[0].resource_group_id
 target_service_name = local.kms_service_name
 target_resource_instance_id = local.kms_instance_guid
 roles = ["Viewer"]
- description = "Allow all Secrets Manager instances in the resource group ${module.resource_group[0].resource_group_id} in the account ${local.account_id} to view from the ${local.kms_service_name} instance GUID ${local.kms_instance_guid}"
+ description = "Allow all Secrets Manager instances in the resource group ${module.resource_group[0].resource_group_id} in the account ${data.ibm_iam_account_settings.iam_account_settings[0].account_id} to view from the ${local.kms_service_name} instance GUID ${local.kms_instance_guid}"
 }
 # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
@@ -130,6 +129,7 @@ resource "time_sleep" "wait_for_sm_hpcs_authorization_policy" {
 create_duration = "30s"
 }
+
 # KMS root key for Secrets Manager secret encryption
 module "kms" {
 providers = {
@@ -181,7 +181,6 @@ module "secrets_manager" {
 service_plan = var.service_plan
 sm_tags = var.secrets_manager_tags
 # kms dependency
- existing_kms_instance_guid = local.existing_kms_guid
 kms_key_crn = local.kms_key_crn
 skip_kms_iam_authorization_policy = var.skip_kms_iam_authorization_policy || local.create_cross_account_auth_policy
 # event notifications dependency
diff --git a/variables.tf b/variables.tf
index 3bb88f14..480fe95c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -61,12 +61,6 @@ variable "skip_kms_iam_authorization_policy" {
 default = false
 }
-variable "existing_kms_instance_guid" {
- type = string
- description = "The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in `kms_key_crn` is coming from. Required only if `kms_encryption_enabled` is set to true, and `skip_kms_iam_authorization_policy` is set to false."
- default = null
-}
-
 variable "kms_key_crn" {
 type = string
 description = "The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for encryption. Only used if `kms_encryption_enabled` is set to true."
From b84fbda3def82b4b463458cf4b0e4cc7bda4637a Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Tue, 18 Mar 2025 18:06:57 +0530
Subject: [PATCH 06/16] Updated Code
---
 solutions/standard/main.tf | 2 +-
 solutions/standard/variables.tf | 6 ------
 2 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index 0b98d2e1..9ce422e7 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
@@ -21,7 +21,7 @@ module "resource_group" {
 # KMS Key
 #######################################################################################################################
 locals {
- kms_key_crn = var.existing_secrets_manager_crn == null ? (var.existing_secrets_manager_kms_key_crn != null ? var.existing_secrets_manager_kms_key_crn : module.kms[0].keys[format("%s.%s", local.kms_key_ring_name, local.kms_key_name)].crn) : null
+ kms_key_crn = var.existing_secrets_manager_crn == null ? (var.existing_secrets_manager_kms_key_crn != null ? var.existing_secrets_manager_kms_key_crn : module.kms[0].keys[format("%s.%s", local.kms_key_ring_name, local.kms_key_name)].crn) : var.existing_secrets_manager_kms_key_crn
 kms_key_ring_name = try("${local.prefix}-${var.kms_key_ring_name}", var.kms_key_ring_name)
 kms_key_name = try("${local.prefix}-${var.kms_key_name}", var.kms_key_name)
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index 17379e86..de0173c2 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -186,12 +186,6 @@ variable "existing_secrets_manager_kms_key_crn" {
 # KMS properties required when creating an encryption key, rather than passing an existing key CRN.
 ########################################################################################################################
-variable "kms_encryption_enabled" {
- type = bool
- description = "Set this to true to control the encryption keys used to encrypt the data that you store in Secrets Manager. If set to false, the data that you store is encrypted at rest by using envelope encryption. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data&interface=ui#about-encryption."
- default = true
-}
-
 variable "existing_kms_instance_crn" {
 type = string
 default = null
From de816951fb6afa2685321604799e4082fd9774c9 Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Tue, 18 Mar 2025 18:28:11 +0530
Subject: [PATCH 07/16] Resolved Comments
---
 main.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/main.tf b/main.tf
index 0c8cb4b5..44fb5909 100644
--- a/main.tf
+++ b/main.tf
@@ -94,7 +94,7 @@ module "kms_key_crn_parser" {
 }
 # Create auth policy (scoped to exact KMS key)
-resource "ibm_iam_authorization_policy" "secrets_manager_kms_policy" {
+resource "ibm_iam_authorization_policy" "kms_policy" {
 count = local.create_kms_auth_policy ? 1 : 0
 source_service_name = "secrets-manager"
 source_resource_group_id = var.resource_group_id
@@ -136,7 +136,7 @@ resource "ibm_iam_authorization_policy" "secrets_manager_kms_policy" {
 # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
 resource "time_sleep" "wait_for_sm_kms_authorization_policy" {
 count = var.existing_sm_instance_crn == null ? 1 : 0
- depends_on = [ibm_iam_authorization_policy.secrets_manager_kms_policy, ibm_iam_authorization_policy.en_policy]
+ depends_on = [ibm_iam_authorization_policy.kms_policy, ibm_iam_authorization_policy.en_policy]
 create_duration = "30s"
 }
@@ -149,7 +149,7 @@ resource "ibm_iam_authorization_policy" "secrets_manager_hpcs_policy" {
 target_service_name = local.kms_service_name
 target_resource_instance_id = local.kms_instance_guid
 roles = ["Viewer"]
- description = "Allow all Secrets Manager instances in the resource group ${var.resource_group_id} to read from the ${local.kms_service_name} instance GUID ${local.kms_instance_guid}."
+ description = "Allow all Secrets Manager instances in the resource group ${var.resource_group_id} viewer access to the ${local.kms_service_name} instance GUID ${local.kms_instance_guid}."
 }
 # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
From a0c420fa1fb31b7cc8f04498e19227f9b4083638 Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Fri, 21 Mar 2025 18:40:29 +0530
Subject: [PATCH 08/16] Resolved comments,Added boolean value
---
 README.md | 7 +++----
 examples/basic/main.tf | 1 +
 examples/complete/main.tf | 25 ++++++++++++------------
 examples/fscloud/main.tf | 16 ++++++++--------
 examples/fscloud/variables.tf | 5 -----
 ibm_catalog.json | 3 +++
 main.tf | 12 +++++++-----
 modules/fscloud/README.md | 2 +-
 modules/fscloud/main.tf | 1 +
 modules/fscloud/variables.tf | 10 ++++------
 outputs.tf | 4 ----
 solutions/standard/main.tf | 13 +++++++------
 solutions/standard/outputs.tf | 4 ----
 solutions/standard/variables.tf | 6 ++++++
 variables.tf | 4 ++++
 15 files changed, 57 insertions(+), 56 deletions(-)
diff --git a/README.md b/README.md
index c9c72cc9..8258a58e 100644
--- a/README.md
+++ b/README.md
@@ -86,12 +86,12 @@ You need the following permissions to run this module. | [ibm_iam_authorization_policy.en_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_iam_authorization_policy.iam_groups_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_iam_authorization_policy.iam_identity_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | +| [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_iam_authorization_policy.secrets_manager_hpcs_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | -| [ibm_iam_authorization_policy.secrets_manager_kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_resource_instance.secrets_manager_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource | | [ibm_sm_en_registration.sm_en_registration](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_en_registration) | resource | +| [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [time_sleep.wait_for_sm_hpcs_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | -| [time_sleep.wait_for_sm_kms_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [ibm_resource_instance.sm_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/resource_instance) | data source | ### Inputs 
@@ -103,8 +103,8 @@ You need the following permissions to run this module. | [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null. | `bool` | `false` | no | | [endpoint\_type](#input\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"public"` | no | | [existing\_en\_instance\_crn](#input\_existing\_en\_instance\_crn) | The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance. | `string` | `null` | no | -| [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in `kms_key_crn` is coming from. Required only if `kms_encryption_enabled` is set to true, and `skip_kms_iam_authorization_policy` is set to false. | `string` | `null` | no | | [existing\_sm\_instance\_crn](#input\_existing\_sm\_instance\_crn) | An existing Secrets Manager instance CRN. If not provided an new instance will be provisioned. | `string` | `null` | no | +| [is\_hpcs\_key](#input\_is\_hpcs\_key) | Set it to true if the key is Hyper Protect Crypto Services key | `bool` | n/a | yes | | [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in Secrets Manager. If set to false, the data that you store is encrypted at rest by using envelope encryption. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data&interface=ui#about-encryption. 
| `bool` | `false` | no | | [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for encryption. Only used if `kms_encryption_enabled` is set to true. | `string` | `null` | no | | [region](#input\_region) | The region where the resource will be provisioned.Its not required if passing a value for `existing_sm_instance_crn`. | `string` | `null` | no | @@ -121,7 +121,6 @@ You need the following permissions to run this module. | Name | Description | |------|-------------| -| [kms\_key\_crn](#output\_kms\_key\_crn) | List of secret mananger secret config data | | [secret\_groups](#output\_secret\_groups) | IDs of the created Secret Group | | [secrets](#output\_secrets) | List of secret mananger secret config data | | [secrets\_manager\_crn](#output\_secrets\_manager\_crn) | CRN of the Secrets Manager instance | diff --git a/examples/basic/main.tf b/examples/basic/main.tf index 7fb4eb54..36b446b9 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -13,4 +13,5 @@ module "secrets_manager" { secrets_manager_name = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure sm_service_plan = "trial" sm_tags = var.resource_tags + is_hpcs_key = true } diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 0238d975..f5f99885 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -32,7 +32,6 @@ module "event_notification" { name = "${var.prefix}-en" tags = var.resource_tags plan = "lite" - service_endpoints = "public" region = var.en_region } 
@@ -55,18 +54,18 @@ resource "time_sleep" "wait_for_en_policy" { } module "secrets_manager" { - depends_on = [time_sleep.wait_for_en_policy] - source = "../.." - resource_group_id = module.resource_group.resource_group_id - region = var.region - secrets_manager_name = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure - sm_service_plan = var.sm_service_plan - sm_tags = var.resource_tags - kms_encryption_enabled = true - existing_kms_instance_guid = module.key_protect.kms_guid - kms_key_crn = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn - enable_event_notification = true - existing_en_instance_crn = module.event_notification.crn + depends_on = [time_sleep.wait_for_en_policy] + source = "../.." + resource_group_id = module.resource_group.resource_group_id + region = var.region + secrets_manager_name = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure + sm_service_plan = var.sm_service_plan + sm_tags = var.resource_tags + kms_encryption_enabled = true + is_hpcs_key = false + kms_key_crn = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn + enable_event_notification = true + existing_en_instance_crn = module.event_notification.crn secrets = [ { secret_group_name = "${var.prefix}-secret-group" diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf index ffdea185..f77324f0 100644 --- a/examples/fscloud/main.tf +++ b/examples/fscloud/main.tf 
@@ -52,14 +52,14 @@ module "event_notification" { } module "secrets_manager" { - source = "../../modules/fscloud" - resource_group_id = module.resource_group.resource_group_id - region = var.region - secrets_manager_name = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure - sm_tags = var.resource_tags - existing_kms_instance_guid = var.existing_kms_instance_guid - kms_key_crn = var.kms_key_crn - existing_en_instance_crn = module.event_notification.crn + source = "../../modules/fscloud" + resource_group_id = module.resource_group.resource_group_id + region = var.region + secrets_manager_name = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure + sm_tags = var.resource_tags + is_hpcs_key = true + kms_key_crn = var.kms_key_crn + existing_en_instance_crn = module.event_notification.crn cbr_rules = [ { description = "${var.prefix}-secrets-manager access only from vpc" diff --git a/examples/fscloud/variables.tf b/examples/fscloud/variables.tf index 7bd97882..e3657595 100644 --- a/examples/fscloud/variables.tf +++ b/examples/fscloud/variables.tf @@ -32,11 +32,6 @@ variable "resource_tags" { # Key Management Service (KMS) ############################################################################## -variable "existing_kms_instance_guid" { - type = string - description = "The GUID of the Hyper Protect Crypto Services instance in which the key specified in `kms_key_crn` is coming from." -} - variable "kms_key_crn" { type = string description = "The root key CRN of Hyper Protect Crypto Services (HPCS) that you want to use for encryption." diff --git a/ibm_catalog.json b/ibm_catalog.json index e0182bf6..d71c3d06 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -232,6 +232,9 @@ } ] }, + { + "key":"is_hpcs_key" + }, { "key": "kms_key_ring_name" }, diff --git a/main.tf b/main.tf index 44fb5909..e2aa89f3 100644 --- a/main.tf +++ b/main.tf 
@@ -6,6 +6,8 @@ locals { # Validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400) # tflint-ignore: terraform_unused_declarations + validate_kms_values = (!var.kms_encryption_enabled && var.kms_key_crn != null && var.existing_sm_instance_crn == null) ? tobool("When passing values for var.kms_key_crn, you must set 'kms_encryption_enabled' to true. Otherwise set 'kms_encryption_enabled' to false to use default encryption") : true + # tflint-ignore: terraform_unused_declarations validate_kms_vars = var.kms_encryption_enabled && var.kms_key_crn == null && var.existing_sm_instance_crn == null ? tobool("When setting var.kms_encryption_enabled to true, a value must be passed for var.kms_key_crn") : true # tflint-ignore: terraform_unused_declarations validate_auth_policy = var.kms_encryption_enabled && var.skip_kms_iam_authorization_policy == false && var.kms_key_crn == null && var.existing_sm_instance_crn == null ? tobool("When var.skip_kms_iam_authorization_policy is set to false, and var.kms_encryption_enabled to true, a value must be passed for var.kms_key_crn in order to create the auth policy.") : true @@ -32,7 +34,7 @@ data "ibm_resource_instance" "sm_instance" { # Create Secrets Manager Instance resource "ibm_resource_instance" "secrets_manager_instance" { count = var.existing_sm_instance_crn == null ? 1 : 0 - depends_on = [time_sleep.wait_for_sm_kms_authorization_policy, time_sleep.wait_for_sm_hpcs_authorization_policy] + depends_on = [time_sleep.wait_for_authorization_policy, time_sleep.wait_for_sm_hpcs_authorization_policy] name = var.secrets_manager_name service = "secrets-manager" plan = var.sm_service_plan @@ -41,7 +43,7 @@ resource "ibm_resource_instance" "secrets_manager_instance" { tags = var.sm_tags parameters = { "allowed_network" = var.allowed_network - "kms_instance" = var.kms_instance_guid + "kms_instance" = local.kms_instance_guid "kms_key" = var.kms_key_crn } 
@@ -74,7 +76,7 @@ resource "ibm_iam_authorization_policy" "iam_groups_policy" { ####################################################################################################################### locals { create_kms_auth_policy = var.kms_encryption_enabled && !var.skip_kms_iam_authorization_policy && var.existing_sm_instance_crn == null - create_hpcs_auth_policy = local.create_kms_auth_policy == true && local.kms_service_name == "hs-crypto" ? 1 : 0 + create_hpcs_auth_policy = local.create_kms_auth_policy == true && var.is_hpcs_key ? 1 : 0 kms_service_name = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : null kms_account_id = var.kms_encryption_enabled && var.kms_key_crn != null ? module.kms_key_crn_parser[0].account_id : null @@ -134,7 +136,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" { } # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478 -resource "time_sleep" "wait_for_sm_kms_authorization_policy" { +resource "time_sleep" "wait_for_authorization_policy" { count = var.existing_sm_instance_crn == null ? 1 : 0 depends_on = [ibm_iam_authorization_policy.kms_policy, ibm_iam_authorization_policy.en_policy] @@ -220,7 +222,7 @@ resource "ibm_iam_authorization_policy" "en_policy" { resource "ibm_sm_en_registration" "sm_en_registration" { # if existing SM instance CRN is passed (!= null), then never register EN count = var.existing_sm_instance_crn == null && var.enable_event_notification ? 1 : 0 - depends_on = [time_sleep.wait_for_sm_kms_authorization_policy] + depends_on = [time_sleep.wait_for_authorization_policy] instance_id = local.secrets_manager_guid region = local.secrets_manager_region event_notifications_instance_crn = var.existing_en_instance_crn diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md index 2c640fa3..36ee7ff3 100644 --- a/modules/fscloud/README.md +++ b/modules/fscloud/README.md 
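Review bot: `create_hpcs_auth_policy` now keys off the caller-supplied `var.is_hpcs_key`, while `kms_service_name` two lines below is still derived from the CRN parser, so the two inputs can disagree: an HPCS key passed with `is_hpcs_key = false` silently skips the instance-level policy, and a Key Protect key passed with `is_hpcs_key = true` creates an `hs-crypto` policy against a Key Protect GUID. A validation local next to the existing `validate_*` entries in this file would surface the mismatch at plan time: `validate_hpcs_flag = var.kms_encryption_enabled && var.kms_key_crn != null && var.is_hpcs_key != (local.kms_service_name == "hs-crypto") ? tobool("var.is_hpcs_key does not match the service in var.kms_key_crn") : true`, preceded by the same `# tflint-ignore: terraform_unused_declarations` marker the neighbouring locals use. The same boolean-versus-parsed-CRN split appears in the solutions/standard/main.tf hunk at `@@ -27,10 +27,10 @@` in this patch. The `locals` block continues outside the hunk.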
@@ -50,8 +50,8 @@ No resources. | [cbr\_rules](#input\_cbr\_rules) | (list) List of CBR rules to create |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no | | [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` variable. | `bool` | `false` | no | | [existing\_en\_instance\_crn](#input\_existing\_en\_instance\_crn) | The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance. | `string` | `null` | no | -| [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Key Management Service (KMS) instance in which the key specified in `kms_key_crn` is coming from. | `string` | n/a | yes | | [existing\_sm\_instance\_crn](#input\_existing\_sm\_instance\_crn) | The CRN of an existing Secrets Manager instance. If not supplied, a new instance is created. | `string` | `null` | no | +| [is\_hpcs\_key](#input\_is\_hpcs\_key) | Set to true if the key is hpcs, otherwise false. | `bool` | n/a | yes | | [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of Key Management Service (KMS) key that you want to use for encryption. | `string` | n/a | yes | | [region](#input\_region) | The region to provision the Secrets Manager instance to. | `string` | n/a | yes | | [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group to provision the Secrets Manager instance to. | `string` | n/a | yes | diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf index fbfa1abe..00e9535c 100644 --- a/modules/fscloud/main.tf +++ b/modules/fscloud/main.tf 
@@ -14,6 +14,7 @@ module "secrets_manager" { skip_iam_authorization_policy = var.skip_iam_authorization_policy skip_en_iam_authorization_policy = var.skip_en_iam_authorization_policy skip_kms_iam_authorization_policy = var.skip_kms_iam_authorization_policy + is_hpcs_key = var.is_hpcs_key kms_key_crn = var.kms_key_crn cbr_rules = var.cbr_rules secrets = var.secrets diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf index 9a116957..bb6306ea 100644 --- a/modules/fscloud/variables.tf +++ b/modules/fscloud/variables.tf @@ -50,17 +50,15 @@ variable "skip_kms_iam_authorization_policy" { ############################################################################## # Key Management Service (KMS) ############################################################################## - -variable "existing_kms_instance_guid" { - type = string - description = "The GUID of the Key Management Service (KMS) instance in which the key specified in `kms_key_crn` is coming from." -} - variable "kms_key_crn" { type = string description = "The root key CRN of Key Management Service (KMS) key that you want to use for encryption." } +variable "is_hpcs_key" { + type = bool + description = "Set to true if the key is hpcs, otherwise false." +} ############################################################################## # Event Notification ############################################################################## diff --git a/outputs.tf b/outputs.tf index efbb0edd..769d593e 100644 --- a/outputs.tf +++ b/outputs.tf @@ -37,8 +37,4 @@ output "secrets" { value = module.secrets.secrets description = "List of secret mananger secret config data" } -output "kms_key_crn" { - value = var.kms_key_crn - description = "List of secret mananger secret config data" -} ############################################################################## diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf index 9ce422e7..7f72e1e8 100644 --- a/solutions/standard/main.tf 
+++ b/solutions/standard/main.tf @@ -27,10 +27,10 @@ locals { parsed_existing_kms_instance_crn = var.existing_kms_instance_crn != null ? split(":", var.existing_kms_instance_crn) : [] kms_region = length(local.parsed_existing_kms_instance_crn) > 0 ? local.parsed_existing_kms_instance_crn[5] : null - existing_kms_guid = length(local.parsed_existing_kms_instance_crn) > 0 ? local.parsed_existing_kms_instance_crn[7] : null + #existing_kms_guid = length(local.parsed_existing_kms_instance_crn) > 0 ? local.parsed_existing_kms_instance_crn[7] : null create_cross_account_auth_policy = var.existing_secrets_manager_crn == null && !var.skip_kms_iam_authorization_policy && var.ibmcloud_kms_api_key != null - create_cross_account_hpcs_auth_policy = local.create_cross_account_auth_policy == true && local.kms_service_name == "hs-crypto" ? 1 : 0 + create_cross_account_hpcs_auth_policy = local.create_cross_account_auth_policy == true && var.is_hpcs_key ? 1 : 0 kms_service_name = var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : module.kms_instance_crn_parser[0].service_name kms_key_id = var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].resource : module.kms_instance_crn_parser[0].resource @@ -62,7 +62,7 @@ module "kms_key_crn_parser" { } # Create auth policy (scoped to exact KMS key) -resource "ibm_iam_authorization_policy" "secrets_manager_kms_policy" { +resource "ibm_iam_authorization_policy" "kms_policy" { count = local.create_cross_account_auth_policy ? 1 : 0 provider = ibm.kms source_service_account = data.ibm_iam_account_settings.iam_account_settings[0].account_id 
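Review bot: The `existing_kms_guid` local is commented out instead of removed, leaving dead code in the `locals` block beside live definitions; if the value is no longer needed the line should be deleted (history lives in version control), and if something downstream still needs it the hunk should keep it live rather than disabled. Dropping the `#existing_kms_guid = …` line is the whole change. The `locals` block continues outside the hunk.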
@@ -103,9 +103,9 @@ resource "ibm_iam_authorization_policy" "secrets_manager_kms_policy" { } # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478 -resource "time_sleep" "wait_for_sm_kms_authorization_policy" { +resource "time_sleep" "wait_for_authorization_policy" { count = local.create_cross_account_auth_policy ? 1 : 0 - depends_on = [ibm_iam_authorization_policy.secrets_manager_kms_policy] + depends_on = [ibm_iam_authorization_policy.kms_policy] create_duration = "30s" } @@ -172,7 +172,7 @@ locals { } module "secrets_manager" { - depends_on = [time_sleep.wait_for_sm_kms_authorization_policy, time_sleep.wait_for_sm_hpcs_authorization_policy] + depends_on = [time_sleep.wait_for_authorization_policy, time_sleep.wait_for_sm_hpcs_authorization_policy] source = "../../modules/fscloud" existing_sm_instance_crn = var.existing_secrets_manager_crn resource_group_id = var.existing_secrets_manager_crn == null ? module.resource_group[0].resource_group_id : data.ibm_resource_instance.existing_sm[0].resource_group_id @@ -180,6 +180,7 @@ module "secrets_manager" { secrets_manager_name = try("${local.prefix}-${var.secrets_manager_instance_name}", var.secrets_manager_instance_name) service_plan = var.service_plan sm_tags = var.secrets_manager_tags + is_hpcs_key = var.is_hpcs_key # kms dependency kms_key_crn = local.kms_key_crn skip_kms_iam_authorization_policy = var.skip_kms_iam_authorization_policy || local.create_cross_account_auth_policy diff --git a/solutions/standard/outputs.tf b/solutions/standard/outputs.tf index 79d15615..9c4d0c8f 100644 --- a/solutions/standard/outputs.tf +++ b/solutions/standard/outputs.tf @@ -32,7 +32,3 @@ output "secrets_manager_region" { value = local.secrets_manager_region description = "Region of the Secrets Manager instance" } -output "kms_key_crn" { - value = local.kms_key_crn - description = "List of secret mananger secret config data" -} 
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf index de0173c2..ba28f059 100644 --- a/solutions/standard/variables.tf +++ b/solutions/standard/variables.tf @@ -192,6 +192,12 @@ variable "existing_kms_instance_crn" { description = "The CRN of the KMS instance (Hyper Protect Crypto Services or Key Protect). Required only if `existing_secrets_manager_crn` or `existing_secrets_manager_kms_key_crn` is not specified. If the KMS instance is in different account you must also provide a value for `ibmcloud_kms_api_key`." } +variable "is_hpcs_key" { + type = bool + default = true + description = "value" +} + variable "kms_endpoint_type" { type = string description = "The type of endpoint to use for communicating with the Key Protect or Hyper Protect Crypto Services instance. Possible values: `public`, `private`. Applies only if `existing_secrets_manager_kms_key_crn` is not specified." diff --git a/variables.tf b/variables.tf index 480fe95c..36661cac 100644 --- a/variables.tf +++ b/variables.tf @@ -67,6 +67,10 @@ variable "kms_key_crn" { default = null } +variable "is_hpcs_key" { + type = bool + description = "Set it to true if the key is Hyper Protect Crypto Services key" +} variable "existing_sm_instance_crn" { type = string description = "An existing Secrets Manager instance CRN. If not provided an new instance will be provisioned." From 2bef449593e0b5e08d13a6205643e112f0405765 Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Mon, 24 Mar 2025 10:02:45 +0530 Subject: [PATCH 09/16] Updated description --- solutions/standard/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf index ba28f059..373fa86b 100644 --- a/solutions/standard/variables.tf +++ b/solutions/standard/variables.tf 
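Review bot: The new `is_hpcs_key` variable in solutions/standard/variables.tf ships with the placeholder description `"value"` and `default = true`, which makes HPCS the silent assumption for every deployment of this solution even though the `existing_kms_instance_crn` description right above it explicitly admits Key Protect instances. Replace the placeholder with a real description and default to `false`; alternatively, since the solution already parses the KMS CRN into `local.kms_service_name`, derive the flag from that local instead of asking the caller for it. The `variable` block is fully inside the hunk.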
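Review bot: The root `is_hpcs_key` variable in variables.tf has no default, so it becomes a required input for every caller, including ones that never enable KMS encryption; this is presumably why examples/basic/main.tf in the same patch has to pass `is_hpcs_key = true` into a module call whose visible lines configure no key at all. Adding `default = false` keeps existing callers working, and the description should say the flag is only consulted when `kms_encryption_enabled` is true and `kms_key_crn` is set, e.g. `description = "Set to true if the key in kms_key_crn is a Hyper Protect Crypto Services key. Only used when kms_encryption_enabled is true."`. The `variable` block is fully inside the hunk.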
@@ -195,7 +195,7 @@ variable "existing_kms_instance_crn" { variable "is_hpcs_key" { type = bool default = true - description = "value" + description = "Set to true if the key is hpcs, otherwise false." } variable "kms_endpoint_type" { From 44a045528dc901d5942d86a9ceed85731f0d4b5f Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Mon, 24 Mar 2025 11:29:09 +0530 Subject: [PATCH 10/16] Resolved Precommit error --- common-dev-assets | 2 +- solutions/standard/main.tf | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/common-dev-assets b/common-dev-assets index 8c7a97cb..746dc8bd 160000 --- a/common-dev-assets +++ b/common-dev-assets @@ -1 +1 @@ -Subproject commit 8c7a97cb00b128503d2c81380be904b6d196cc02 +Subproject commit 746dc8bdcd148e0a1eff04fdfc2da774dba4a784 diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf index 7f72e1e8..5a95bcb2 100644 --- a/solutions/standard/main.tf +++ b/solutions/standard/main.tf @@ -27,7 +27,6 @@ locals { parsed_existing_kms_instance_crn = var.existing_kms_instance_crn != null ? split(":", var.existing_kms_instance_crn) : [] kms_region = length(local.parsed_existing_kms_instance_crn) > 0 ? local.parsed_existing_kms_instance_crn[5] : null - #existing_kms_guid = length(local.parsed_existing_kms_instance_crn) > 0 ? local.parsed_existing_kms_instance_crn[7] : null create_cross_account_auth_policy = var.existing_secrets_manager_crn == null && !var.skip_kms_iam_authorization_policy && var.ibmcloud_kms_api_key != null create_cross_account_hpcs_auth_policy = local.create_cross_account_auth_policy == true && var.is_hpcs_key ? 1 : 0 From 801bab830277e7127fa79bdc4b31fca8c28b5584 Mon Sep 17 00:00:00 2001 From: Arya Girish K Date: Mon, 24 Mar 2025 12:20:55 +0530 Subject: [PATCH 11/16] SKIP UPGRADE TEST From 8f6d74f370bc18e01834a07cd62093063232b2b2 Mon Sep 17 00:00:00 2001 
From: Aayush-Abhyarthi Date: Tue, 25 Mar 2025 17:31:42 +0530 Subject: [PATCH 12/16] resolve comments --- README.md | 2 +- examples/basic/main.tf | 1 - examples/fscloud/main.tf | 16 +++++++++++++++- .../catalogValidationValues.json.template | 2 +- solutions/standard/variables.tf | 4 ++-- tests/pr_test.go | 3 +++ variables.tf | 4 +++- 7 files changed, 25 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 8258a58e..8f046f71 100644 --- a/README.md +++ b/README.md 
@@ -104,7 +104,7 @@ You need the following permissions to run this module. | [endpoint\_type](#input\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"public"` | no | | [existing\_en\_instance\_crn](#input\_existing\_en\_instance\_crn) | The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance. | `string` | `null` | no | | [existing\_sm\_instance\_crn](#input\_existing\_sm\_instance\_crn) | An existing Secrets Manager instance CRN. If not provided an new instance will be provisioned. | `string` | `null` | no | -| [is\_hpcs\_key](#input\_is\_hpcs\_key) | Set it to true if the key is Hyper Protect Crypto Services key | `bool` | n/a | yes | +| [is\_hpcs\_key](#input\_is\_hpcs\_key) | Set it to true if the key provided through the `kms_key_crn` is Hyper Protect Crypto Services key. | `bool` | `false` | no | | [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in Secrets Manager. If set to false, the data that you store is encrypted at rest by using envelope encryption. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data&interface=ui#about-encryption. | `bool` | `false` | no | | [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for encryption. Only used if `kms_encryption_enabled` is set to true. | `string` | `null` | no | | [region](#input\_region) | The region where the resource will be provisioned.Its not required if passing a value for `existing_sm_instance_crn`. | `string` | `null` | no | 
diff --git a/examples/basic/main.tf b/examples/basic/main.tf index 36b446b9..7fb4eb54 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -13,5 +13,4 @@ module "secrets_manager" { secrets_manager_name = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure sm_service_plan = "trial" sm_tags = var.resource_tags - is_hpcs_key = true } diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf index f6cd7e55..58efac39 100644 --- a/examples/fscloud/main.tf +++ b/examples/fscloud/main.tf @@ -51,13 +51,27 @@ module "event_notification" { region = var.region } +############################################################################## +# Parse info from KMS key crn +############################################################################## + +module "kms_key_crn_parser" { + source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser" + version = "1.1.0" + crn = var.kms_key_crn +} + +locals { + kms_service = module.kms_key_crn_parser.service_name +} + module "secrets_manager" { source = "../../modules/fscloud" resource_group_id = module.resource_group.resource_group_id region = var.region secrets_manager_name = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure sm_tags = var.resource_tags - is_hpcs_key = true + is_hpcs_key = local.kms_service == "hs-crypto" ? true : false kms_key_crn = var.kms_key_crn existing_en_instance_crn = module.event_notification.crn cbr_rules = [ diff --git a/solutions/standard/catalogValidationValues.json.template b/solutions/standard/catalogValidationValues.json.template index 069d9f92..5a9fe734 100644 --- a/solutions/standard/catalogValidationValues.json.template +++ b/solutions/standard/catalogValidationValues.json.template @@ -3,5 +3,5 @@ "resource_group_name": $PREFIX, "service_plan": "trial", "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN, - "region": "ca-tor" + "region": "eu-de" } 
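Review bot: `is_hpcs_key = local.kms_service == "hs-crypto" ? true : false` wraps a boolean comparison in a conditional that returns the same boolean; `is_hpcs_key = local.kms_service == "hs-crypto"` is equivalent and reads more plainly. The addition also has the example compute the flag from `kms_key_crn` with the same `crn-parser` module the root module already runs on that CRN, which suggests the module could derive the value itself rather than trusting a caller-supplied boolean that can contradict the CRN; that seems better solved once in the module than repeated in each example. The `module "secrets_manager"` block continues outside the hunk.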
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf index 373fa86b..b648577d 100644 --- a/solutions/standard/variables.tf +++ b/solutions/standard/variables.tf @@ -194,8 +194,8 @@ variable "existing_kms_instance_crn" { variable "is_hpcs_key" { type = bool - default = true - description = "Set to true if the key is hpcs, otherwise false." + default = false + description = "Set it to true if the key provided through the `existing_kms_instance_crn` is Hyper Protect Crypto Services key" } variable "kms_endpoint_type" { diff --git a/tests/pr_test.go b/tests/pr_test.go index 02678123..eca3363c 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -104,6 +104,7 @@ func TestRunDASolutionSchematics(t *testing.T) { {Name: "resource_group_name", Value: options.Prefix, DataType: "string"}, {Name: "service_plan", Value: "trial", DataType: "string"}, {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"}, + {Name: "is_hpcs_key", Value: true, DataType: "bool"}, {Name: "iam_engine_enabled", Value: true, DataType: "bool"}, {Name: "public_engine_enabled", Value: true, DataType: "bool"}, {Name: "private_engine_enabled", Value: true, DataType: "bool"}, @@ -203,6 +204,7 @@ func TestRunExistingResourcesInstances(t *testing.T) { {Name: "existing_event_notification_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "event_notification_instance_crn"), DataType: "string"}, {Name: "existing_secrets_manager_kms_key_crn", Value: permanentResources["hpcs_south_root_key_crn"], DataType: "string"}, {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"}, + {Name: "is_hpcs_key", Value: true, DataType: "bool"}, {Name: "service_plan", Value: "trial", DataType: "string"}, {Name: "iam_engine_enabled", Value: true, DataType: "bool"}, {Name: "private_engine_enabled", Value: true, DataType: "bool"}, 
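Review bot: The updated `is_hpcs_key` description says the key is "provided through the `existing_kms_instance_crn`", but an instance CRN does not identify a key, and the solution's `kms_service_name`/`kms_key_id` locals (visible in the solutions/standard/main.tf hunks earlier in this series) read `existing_secrets_manager_kms_key_crn` first and fall back to the instance CRN. Suggested wording: `description = "Set to true if the KMS key used for encryption (existing_secrets_manager_kms_key_crn, or a key in the instance given by existing_kms_instance_crn) is a Hyper Protect Crypto Services key."`. The `variable` block is fully inside the hunk.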
@@ -260,6 +262,7 @@ func TestRunSecretsManagerSolutionUpgradeSchematic(t *testing.T) { {Name: "resource_group_name", Value: options.Prefix, DataType: "string"}, {Name: "service_plan", Value: "trial", DataType: "string"}, {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"}, + {Name: "is_hpcs_key", Value: true, DataType: "bool"}, {Name: "iam_engine_enabled", Value: true, DataType: "bool"}, {Name: "public_engine_enabled", Value: true, DataType: "bool"}, {Name: "private_engine_enabled", Value: true, DataType: "bool"}, diff --git a/variables.tf b/variables.tf index 36661cac..11da4ec8 100644 --- a/variables.tf +++ b/variables.tf @@ -69,8 +69,10 @@ variable "kms_key_crn" { variable "is_hpcs_key" { type = bool - description = "Set it to true if the key is Hyper Protect Crypto Services key" + description = "Set it to true if the key provided through the `kms_key_crn` is Hyper Protect Crypto Services key." + default = false } + variable "existing_sm_instance_crn" { type = string description = "An existing Secrets Manager instance CRN. If not provided an new instance will be provisioned." From 4de807ba08f3e0f0dcdbefe418f846c86dc17e3a Mon Sep 17 00:00:00 2001 From: Aayush-Abhyarthi Date: Tue, 25 Mar 2025 17:36:21 +0530 Subject: [PATCH 13/16] fix: default value --- modules/fscloud/README.md | 2 +- modules/fscloud/variables.tf | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md index 36ee7ff3..fc02cb5d 100644 --- a/modules/fscloud/README.md +++ b/modules/fscloud/README.md 
@@ -51,7 +51,7 @@ No resources. | [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` variable. | `bool` | `false` | no | | [existing\_en\_instance\_crn](#input\_existing\_en\_instance\_crn) | The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance. | `string` | `null` | no | | [existing\_sm\_instance\_crn](#input\_existing\_sm\_instance\_crn) | The CRN of an existing Secrets Manager instance. If not supplied, a new instance is created. | `string` | `null` | no | -| [is\_hpcs\_key](#input\_is\_hpcs\_key) | Set to true if the key is hpcs, otherwise false. | `bool` | n/a | yes | +| [is\_hpcs\_key](#input\_is\_hpcs\_key) | Set to true if the key is hpcs, otherwise false. | `bool` | `false` | no | | [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of Key Management Service (KMS) key that you want to use for encryption. | `string` | n/a | yes | | [region](#input\_region) | The region to provision the Secrets Manager instance to. | `string` | n/a | yes | | [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group to provision the Secrets Manager instance to. | `string` | n/a | yes | diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf index bb6306ea..481de08f 100644 --- a/modules/fscloud/variables.tf +++ b/modules/fscloud/variables.tf @@ -58,6 +58,7 @@ variable "kms_key_crn" { variable "is_hpcs_key" { type = bool description = "Set to true if the key is hpcs, otherwise false." + default = false } ############################################################################## # Event Notification From 0888e2b617718c28320bedcb29cb51b9c098d42d Mon Sep 17 00:00:00 2001 
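Review bot: The `modules/fscloud/variables.tf` hunk adds `default = false` to `is_hpcs_key` but leaves the description as `Set to true if the key is hpcs, otherwise false.`, which does not say which key is meant or what happens on a wrong value; with the new default, an HPCS key passed through `kms_key_crn` with the flag unset silently takes the non-HPCS path. Suggest `description = "Set to true if the key provided through kms_key_crn is a Hyper Protect Crypto Services key. Defaults to false (Key Protect); must match the service in the CRN."` so the fscloud wrapper documents the same contract as the root module.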
From: Aayush-Abhyarthi Date: Tue, 25 Mar 2025 18:48:26 +0530 Subject: [PATCH 14/16] remove boolean from DA --- ibm_catalog.json | 3 --- solutions/standard/main.tf | 7 +++++-- solutions/standard/variables.tf | 6 ------ tests/pr_test.go | 3 --- 4 files changed, 5 insertions(+), 14 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index d71c3d06..e0182bf6 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -232,9 +232,6 @@ } ] }, - { - "key":"is_hpcs_key" - }, { "key": "kms_key_ring_name" }, diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf index 3b442d82..0942cddb 100644 --- a/solutions/standard/main.tf +++ b/solutions/standard/main.tf @@ -28,8 +28,11 @@ locals { parsed_existing_kms_instance_crn = var.existing_kms_instance_crn != null ? split(":", var.existing_kms_instance_crn) : [] kms_region = length(local.parsed_existing_kms_instance_crn) > 0 ? local.parsed_existing_kms_instance_crn[5] : null + parsed_service_name = var.existing_kms_instance_crn != null ? module.kms_instance_crn_parser.service_name : module.kms_key_crn_parser.service_name + is_hpcs_key = local.parsed_service_name == "hs-crypto" ? true : false + create_cross_account_auth_policy = var.existing_secrets_manager_crn == null && !var.skip_kms_iam_authorization_policy && var.ibmcloud_kms_api_key != null - create_cross_account_hpcs_auth_policy = local.create_cross_account_auth_policy == true && var.is_hpcs_key ? 1 : 0 + create_cross_account_hpcs_auth_policy = local.create_cross_account_auth_policy == true && local.is_hpcs_key ? 1 : 0 kms_service_name = var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : module.kms_instance_crn_parser[0].service_name kms_key_id = var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].resource : module.kms_instance_crn_parser[0].resource 
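Review bot: In the `solutions/standard/main.tf` locals hunk, the new `parsed_service_name` prefers `existing_kms_instance_crn` while `kms_service_name` two lines below prefers `existing_secrets_manager_kms_key_crn`, so when both inputs are set (as `TestRunExistingResourcesInstances` does) the two locals are read from different CRNs and `is_hpcs_key` may not describe the key that is actually passed to the module. Deriving the flag from the local that already selects the key's service removes the split and the duplicated parser lookup: `is_hpcs_key = local.kms_service_name == "hs-crypto"`. The `? true : false` on the comparison is redundant in HCL since `==` already yields a bool, and with that change `parsed_service_name` can be dropped.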
@@ -179,7 +182,7 @@ module "secrets_manager" { secrets_manager_name = try("${local.prefix}-${var.secrets_manager_instance_name}", var.secrets_manager_instance_name) service_plan = var.service_plan sm_tags = var.secrets_manager_tags - is_hpcs_key = var.is_hpcs_key + is_hpcs_key = local.is_hpcs_key # kms dependency kms_key_crn = local.kms_key_crn skip_kms_iam_authorization_policy = var.skip_kms_iam_authorization_policy || local.create_cross_account_auth_policy diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf index b648577d..de0173c2 100644 --- a/solutions/standard/variables.tf +++ b/solutions/standard/variables.tf @@ -192,12 +192,6 @@ variable "existing_kms_instance_crn" { description = "The CRN of the KMS instance (Hyper Protect Crypto Services or Key Protect). Required only if `existing_secrets_manager_crn` or `existing_secrets_manager_kms_key_crn` is not specified. If the KMS instance is in different account you must also provide a value for `ibmcloud_kms_api_key`." } -variable "is_hpcs_key" { - type = bool - default = false - description = "Set it to true if the key provided through the `existing_kms_instance_crn` is Hyper Protect Crypto Services key" -} - variable "kms_endpoint_type" { type = string description = "The type of endpoint to use for communicating with the Key Protect or Hyper Protect Crypto Services instance. Possible values: `public`, `private`. Applies only if `existing_secrets_manager_kms_key_crn` is not specified." diff --git a/tests/pr_test.go b/tests/pr_test.go index eca3363c..02678123 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go 
@@ -104,7 +104,6 @@ func TestRunDASolutionSchematics(t *testing.T) { {Name: "resource_group_name", Value: options.Prefix, DataType: "string"}, {Name: "service_plan", Value: "trial", DataType: "string"}, {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"}, - {Name: "is_hpcs_key", Value: true, DataType: "bool"}, {Name: "iam_engine_enabled", Value: true, DataType: "bool"}, {Name: "public_engine_enabled", Value: true, DataType: "bool"}, {Name: "private_engine_enabled", Value: true, DataType: "bool"}, @@ -204,7 +203,6 @@ func TestRunExistingResourcesInstances(t *testing.T) { {Name: "existing_event_notification_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "event_notification_instance_crn"), DataType: "string"}, {Name: "existing_secrets_manager_kms_key_crn", Value: permanentResources["hpcs_south_root_key_crn"], DataType: "string"}, {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"}, - {Name: "is_hpcs_key", Value: true, DataType: "bool"}, {Name: "service_plan", Value: "trial", DataType: "string"}, {Name: "iam_engine_enabled", Value: true, DataType: "bool"}, {Name: "private_engine_enabled", Value: true, DataType: "bool"}, @@ -262,7 +260,6 @@ func TestRunSecretsManagerSolutionUpgradeSchematic(t *testing.T) { {Name: "resource_group_name", Value: options.Prefix, DataType: "string"}, {Name: "service_plan", Value: "trial", DataType: "string"}, {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"}, - {Name: "is_hpcs_key", Value: true, DataType: "bool"}, {Name: "iam_engine_enabled", Value: true, DataType: "bool"}, {Name: "public_engine_enabled", Value: true, DataType: "bool"}, {Name: "private_engine_enabled", Value: true, DataType: "bool"}, From 13775ed6d2c0d530692aee0872ff3c70d24a71a6 Mon Sep 17 00:00:00 2001 
From: Aayush-Abhyarthi Date: Tue, 25 Mar 2025 19:03:09 +0530 Subject: [PATCH 15/16] fix: cra-scan --- solutions/standard/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf index 0942cddb..da932fdb 100644 --- a/solutions/standard/main.tf +++ b/solutions/standard/main.tf @@ -28,7 +28,7 @@ locals { parsed_existing_kms_instance_crn = var.existing_kms_instance_crn != null ? split(":", var.existing_kms_instance_crn) : [] kms_region = length(local.parsed_existing_kms_instance_crn) > 0 ? local.parsed_existing_kms_instance_crn[5] : null - parsed_service_name = var.existing_kms_instance_crn != null ? module.kms_instance_crn_parser.service_name : module.kms_key_crn_parser.service_name + parsed_service_name = var.existing_kms_instance_crn != null ? module.kms_instance_crn_parser[0].service_name : module.kms_key_crn_parser[0].service_name is_hpcs_key = local.parsed_service_name == "hs-crypto" ? true : false create_cross_account_auth_policy = var.existing_secrets_manager_crn == null && !var.skip_kms_iam_authorization_policy && var.ibmcloud_kms_api_key != null From b326517fd617da2b367d9d3f71e5b8662559e0c9 Mon Sep 17 00:00:00 2001 From: Aayush-Abhyarthi Date: Wed, 26 Mar 2025 00:53:14 +0530 Subject: [PATCH 16/16] fix: add validation around is_hpcs_key --- main.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/main.tf b/main.tf index e2aa89f3..3d3da9eb 100644 --- a/main.tf +++ b/main.tf 
@@ -17,6 +17,8 @@ locals {
 validate_endpoint = var.endpoint_type == "public" && var.allowed_network == "private-only" && var.existing_sm_instance_crn == null ? tobool("It is not allowed to have conflicting var.endpoint_type and var.allowed_network values.") : true
 # tflint-ignore: terraform_unused_declarations
 validate_region = var.existing_sm_instance_crn == null && var.region == null ? tobool("When existing_sm_instance_crn is null, a value must be passed for var.region") : true
+ # tflint-ignore: terraform_unused_declarations
+ validate_is_hpcs_key = var.is_hpcs_key && local.kms_service_name != "hs-crypto" ? tobool("When is_hpcs_key is set to true then the key provided through kms_key_crn must be a Hyper Protect Crypto Services key") : true
 }
 
 locals {
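Review bot: The new `validate_is_hpcs_key` only rejects `is_hpcs_key = true` with a non-HPCS key; the opposite mismatch, an `hs-crypto` CRN in `kms_key_crn` with the flag left at its `false` default, passes silently, and that is the more likely misconfiguration now that the flag defaults to false. Checking both directions is a one-line change: `validate_is_hpcs_key = var.kms_key_crn != null && var.is_hpcs_key != (local.kms_service_name == "hs-crypto") ? tobool("is_hpcs_key must match the service in kms_key_crn: set it to true only for a Hyper Protect Crypto Services key") : true`. The `var.kms_key_crn != null` guard also keeps the assertion from firing with a misleading "key provided through kms_key_crn" message when no key is supplied at all, assuming `local.kms_service_name` is null in that case as its definition (outside this hunk) appears to make it.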