terraform-ibm-modules · ocofaigh · Mar 20, 2025 · Mar 6, 2025 · Mar 12, 2025 · Mar 12, 2025
diff --git a/ibm_catalog.json b/ibm_catalog.json
@@ -156,7 +156,7 @@
                 "config_constraints": {
                   "type": "string"
                 }
-            }
+              }
             },
             {
               "key": "service_plan",
@@ -172,10 +172,7 @@
               ]
             },
             {
-              "key": "iam_engine_enabled"
-            },
-            {
-              "key": "iam_engine_name"
+              "key": "skip_iam_authorization_policy"
             },
             {
               "key": "public_cert_engine_enabled"
@@ -257,7 +254,7 @@
               "key": "skip_event_notifications_iam_authorization_policy"
             },
             {
-              "key":"cbr_rules"
+              "key": "cbr_rules"
             }
           ],
           "architecture": {

@@ -59,6 +59,7 @@ No resources.
 | <a name="input_secrets_manager_name"></a> [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name to give the Secrets Manager instance. | `string` | n/a | yes |
 | <a name="input_service_plan"></a> [service\_plan](#input\_service\_plan) | The Secrets Manager plan to provision. | `string` | `"standard"` | no |
 | <a name="input_skip_en_iam_authorization_policy"></a> [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false. | `bool` | `false` | no |
+| <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set this to true to skip the creation of a Secrets Manager IAM credentials engine. If set to false, an IAM engine will be configured for your instance. | `bool` | `false` | no |
 | <a name="input_skip_kms_iam_authorization_policy"></a> [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no |
 | <a name="input_sm_tags"></a> [sm\_tags](#input\_sm\_tags) | The list of resource tags that you want to associate with your Secrets Manager instance. | `list(string)` | `[]` | no |
 

@@ -12,6 +12,7 @@ module "secrets_manager" {
   existing_kms_instance_guid        = var.existing_kms_instance_guid
   enable_event_notification         = var.enable_event_notification
   existing_en_instance_crn          = var.existing_en_instance_crn
+  skip_iam_authorization_policy     = var.skip_iam_authorization_policy
   skip_en_iam_authorization_policy  = var.skip_en_iam_authorization_policy
   skip_kms_iam_authorization_policy = var.skip_kms_iam_authorization_policy
   kms_key_crn                       = var.kms_key_crn

@@ -35,6 +35,12 @@ variable "existing_sm_instance_crn" {
   default     = null
 }
 
+variable "skip_iam_authorization_policy" {
+  type        = bool
+  description = "Set this to true to skip the creation of a Secrets Manager IAM credentials engine. If set to false, an IAM engine will be configured for your instance."
+  default     = false
+}
+
 variable "skip_kms_iam_authorization_policy" {
   type        = bool
   description = "Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account."

diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
@@ -100,14 +100,15 @@ locals {
 }
 
 module "secrets_manager" {
-  depends_on               = [time_sleep.wait_for_authorization_policy]
-  source                   = "../../modules/fscloud"
-  existing_sm_instance_crn = var.existing_secrets_manager_crn
-  resource_group_id        = var.existing_secrets_manager_crn == null ? module.resource_group[0].resource_group_id : data.ibm_resource_instance.existing_sm[0].resource_group_id
-  region                   = var.region
-  secrets_manager_name     = try("${local.prefix}-${var.secrets_manager_instance_name}", var.secrets_manager_instance_name)
-  service_plan             = var.service_plan
-  sm_tags                  = var.secrets_manager_tags
+  depends_on                    = [time_sleep.wait_for_authorization_policy]
+  source                        = "../../modules/fscloud"
+  existing_sm_instance_crn      = var.existing_secrets_manager_crn
+  resource_group_id             = var.existing_secrets_manager_crn == null ? module.resource_group[0].resource_group_id : data.ibm_resource_instance.existing_sm[0].resource_group_id
+  region                        = var.region
+  secrets_manager_name          = try("${local.prefix}-${var.secrets_manager_instance_name}", var.secrets_manager_instance_name)
+  service_plan                  = var.service_plan
+  sm_tags                       = var.secrets_manager_tags
+  skip_iam_authorization_policy = var.skip_iam_authorization_policy
   # kms dependency
   existing_kms_instance_guid        = local.existing_kms_guid
   kms_key_crn                       = local.kms_key_crn
@@ -119,18 +120,6 @@ module "secrets_manager" {
   cbr_rules                        = var.cbr_rules
 }
 
-# Configure an IBM Secrets Manager IAM credentials engine for an existing IBM Secrets Manager instance.
-module "iam_secrets_engine" {
-  count                = var.iam_engine_enabled ? 1 : 0
-  source               = "terraform-ibm-modules/secrets-manager-iam-engine/ibm"
-  version              = "1.2.8"
-  region               = local.secrets_manager_region
-  iam_engine_name      = try("${local.prefix}-${var.iam_engine_name}", var.iam_engine_name)
-  secrets_manager_guid = local.secrets_manager_guid
-  endpoint_type        = "private"
-}
-
-
 # Configure an IBM Secrets Manager public certificate engine for an existing IBM Secrets Manager instance.
 module "secrets_manager_public_cert_engine" {
   count   = var.public_cert_engine_enabled ? 1 : 0

diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
@@ -154,16 +154,10 @@ variable "private_cert_engine_config_template_name" {
 # IAM engine config
 ########################################################################################################################
 
-variable "iam_engine_enabled" {
+variable "skip_iam_authorization_policy" {
   type        = bool
-  description = "Set this to true to to configure a Secrets Manager IAM credentials engine. If set to false, no IAM engine will be configured for your instance."
-  default     = false
-}
-
-variable "iam_engine_name" {
-  type        = string
-  description = "The name of the IAM engine used to configure a Secrets Manager IAM credentials engine. If the prefix input variable is passed it is attached before the value in the format of '<prefix>-value'."
-  default     = "iam-engine"
+  description = "Set this to false to enable a Secrets Manager IAM credentials engine. If set to true, no IAM engine will be configured for your instance."
+  default     = true
 }
 
 ########################################################################################################################