feat: expose access group support in DA

README.md

@@ -109,7 +109,7 @@ You need the following permissions to run this module.
 | <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for encryption. Only used if `kms_encryption_enabled` is set to true. | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region where the resource will be provisioned.Its not required if passing a value for `existing_sm_instance_crn`. | `string` | `null` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group | `string` | n/a | yes |
-| <a name="input_secrets"></a> [secrets](#input\_secrets) | Secret Manager secrets configurations. | <pre>list(object({<br/>    secret_group_name        = string<br/>    secret_group_description = optional(string)<br/>    existing_secret_group    = optional(bool, false)<br/>    secrets = optional(list(object({<br/>      secret_name                                 = string<br/>      secret_description                          = optional(string)<br/>      secret_type                                 = optional(string)<br/>      imported_cert_certificate                   = optional(string)<br/>      imported_cert_private_key                   = optional(string)<br/>      imported_cert_intermediate                  = optional(string)<br/>      secret_username                             = optional(string)<br/>      secret_labels                               = optional(list(string), [])<br/>      secret_payload_password                     = optional(string, "")<br/>      secret_auto_rotation                        = optional(bool, true)<br/>      secret_auto_rotation_unit                   = optional(string, "day")<br/>      secret_auto_rotation_interval               = optional(number, 89)<br/>      service_credentials_ttl                     = optional(string, "7776000") # 90 days<br/>      service_credentials_source_service_crn      = optional(string)<br/>      service_credentials_source_service_role_crn = optional(string)<br/>    })))<br/>  }))</pre> | `[]` | no |
+| <a name="input_secrets"></a> [secrets](#input\_secrets) | Secret Manager secrets configurations. | <pre>list(object({<br/>    secret_group_name        = string<br/>    secret_group_description = optional(string)<br/>    existing_secret_group    = optional(bool, false)<br/>    create_access_group      = optional(bool, false)<br/>    access_group_name        = optional(string)<br/>    access_group_roles       = optional(list(string))<br/>    access_group_tags        = optional(list(string))<br/>    secrets = optional(list(object({<br/>      secret_name                                 = string<br/>      secret_description                          = optional(string)<br/>      secret_type                                 = optional(string)<br/>      imported_cert_certificate                   = optional(string)<br/>      imported_cert_private_key                   = optional(string)<br/>      imported_cert_intermediate                  = optional(string)<br/>      secret_username                             = optional(string)<br/>      secret_labels                               = optional(list(string), [])<br/>      secret_payload_password                     = optional(string, "")<br/>      secret_auto_rotation                        = optional(bool, true)<br/>      secret_auto_rotation_unit                   = optional(string, "day")<br/>      secret_auto_rotation_interval               = optional(number, 89)<br/>      service_credentials_ttl                     = optional(string, "7776000") # 90 days<br/>      service_credentials_source_service_crn      = optional(string)<br/>      service_credentials_source_service_role_crn = optional(string)<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_secrets_manager_name"></a> [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name of the Secrets Manager instance to create | `string` | n/a | yes |
 | <a name="input_skip_en_iam_authorization_policy"></a> [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false. | `bool` | `false` | no |
 | <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |

ibm_catalog.json

@@ -134,12 +134,12 @@
               "key": "existing_resource_group_name",
               "required": true,
               "custom_config": {
-                  "type": "resource_group",
-                  "grouping": "deployment",
-                  "original_grouping": "deployment",
-                  "config_constraints": {
-                      "identifier": "rg_name"
-                  }
+                "type": "resource_group",
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "config_constraints": {
+                  "identifier": "rg_name"
+                }
               }
             },
             {
@@ -169,7 +169,7 @@
                 "config_constraints": {
                   "type": "string"
                 }
-            }
+              }
             },
             {
               "key": "service_plan",
@@ -252,6 +252,9 @@
             },
             {
               "key": "secrets_manager_cbr_rules"
+            },
+            {
+              "key": "secret_groups"
             }
           ],
           "architecture": {
@@ -401,7 +404,7 @@
                 "config_constraints": {
                   "type": "string"
                 }
-            }
+              }
             },
             {
               "key": "service_plan",
@@ -423,12 +426,12 @@
               "key": "existing_resource_group_name",
               "required": true,
               "custom_config": {
-                  "type": "resource_group",
-                  "grouping": "deployment",
-                  "original_grouping": "deployment",
-                  "config_constraints": {
-                      "identifier": "rg_name"
-                  }
+                "type": "resource_group",
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "config_constraints": {
+                  "identifier": "rg_name"
+                }
               }
             },
             {

modules/secrets/README.md

@@ -50,7 +50,7 @@ module "secrets_manager" {
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_secret_groups"></a> [secret\_groups](#module\_secret\_groups) | terraform-ibm-modules/secrets-manager-secret-group/ibm | 1.2.3 |
+| <a name="module_secret_groups"></a> [secret\_groups](#module\_secret\_groups) | terraform-ibm-modules/secrets-manager-secret-group/ibm | 1.3.2 |
 | <a name="module_secrets"></a> [secrets](#module\_secrets) | terraform-ibm-modules/secrets-manager-secret/ibm | 1.7.0 |
 
 ### Resources
@@ -66,7 +66,7 @@ module "secrets_manager" {
 | <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | The service endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private` | `string` | `"public"` | no |
 | <a name="input_existing_sm_instance_guid"></a> [existing\_sm\_instance\_guid](#input\_existing\_sm\_instance\_guid) | Instance ID of Secrets Manager instance in which the Secret will be added. | `string` | n/a | yes |
 | <a name="input_existing_sm_instance_region"></a> [existing\_sm\_instance\_region](#input\_existing\_sm\_instance\_region) | Region which the Secret Manager is deployed. | `string` | n/a | yes |
-| <a name="input_secrets"></a> [secrets](#input\_secrets) | Secret Manager secrets configurations. | <pre>list(object({<br/>    secret_group_name        = string<br/>    secret_group_description = optional(string)<br/>    existing_secret_group    = optional(bool, false)<br/>    secrets = optional(list(object({<br/>      secret_name                                 = string<br/>      secret_description                          = optional(string)<br/>      secret_type                                 = optional(string)<br/>      imported_cert_certificate                   = optional(string)<br/>      imported_cert_private_key                   = optional(string)<br/>      imported_cert_intermediate                  = optional(string)<br/>      secret_username                             = optional(string)<br/>      secret_labels                               = optional(list(string), [])<br/>      secret_payload_password                     = optional(string, "")<br/>      secret_auto_rotation                        = optional(bool, true)<br/>      secret_auto_rotation_unit                   = optional(string, "day")<br/>      secret_auto_rotation_interval               = optional(number, 89)<br/>      service_credentials_ttl                     = optional(string, "7776000") # 90 days<br/>      service_credentials_source_service_crn      = optional(string)<br/>      service_credentials_source_service_role_crn = optional(string)<br/>      service_credentials_source_service_hmac     = optional(bool, false)<br/>    })))<br/>  }))</pre> | `[]` | no |
+| <a name="input_secrets"></a> [secrets](#input\_secrets) | Secret Manager secrets configurations. | <pre>list(object({<br/>    secret_group_name        = string<br/>    secret_group_description = optional(string)<br/>    existing_secret_group    = optional(bool, false)<br/>    create_access_group      = optional(bool, false)<br/>    access_group_name        = optional(string)<br/>    access_group_roles       = optional(list(string))<br/>    access_group_tags        = optional(list(string))<br/>    secrets = optional(list(object({<br/>      secret_name                                 = string<br/>      secret_description                          = optional(string)<br/>      secret_type                                 = optional(string)<br/>      imported_cert_certificate                   = optional(string)<br/>      imported_cert_private_key                   = optional(string)<br/>      imported_cert_intermediate                  = optional(string)<br/>      secret_username                             = optional(string)<br/>      secret_labels                               = optional(list(string), [])<br/>      secret_payload_password                     = optional(string, "")<br/>      secret_auto_rotation                        = optional(bool, true)<br/>      secret_auto_rotation_unit                   = optional(string, "day")<br/>      secret_auto_rotation_interval               = optional(number, 89)<br/>      service_credentials_ttl                     = optional(string, "7776000") # 90 days<br/>      service_credentials_source_service_crn      = optional(string)<br/>      service_credentials_source_service_role_crn = optional(string)<br/>      service_credentials_source_service_hmac     = optional(bool, false)<br/>    })))<br/>  }))</pre> | `[]` | no |
 
 ### Outputs
 

modules/secrets/main.tf

@@ -6,8 +6,12 @@ locals {
   secret_groups = flatten([
     for secret_group in var.secrets :
     secret_group.existing_secret_group ? [] : [{
-      secret_group_name        = secret_group.secret_group_name
-      secret_group_description = secret_group.secret_group_description
+      secret_group_name                = secret_group.secret_group_name
+      secret_group_description         = secret_group.secret_group_description
+      secret_group_create_access_group = secret_group.create_access_group
+      secret_group_access_group_name   = secret_group.access_group_name
+      secret_group_access_group_roles  = secret_group.access_group_roles
+      secret_group_access_group_tags   = secret_group.access_group_tags
     }]
   ])
 }
@@ -21,12 +25,16 @@ data "ibm_sm_secret_groups" "existing_secret_groups" {
 module "secret_groups" {
   for_each                 = { for obj in local.secret_groups : obj.secret_group_name => obj }
   source                   = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
-  version                  = "1.2.3"
+  version                  = "1.3.2"
   region                   = var.existing_sm_instance_region
   secrets_manager_guid     = var.existing_sm_instance_guid
   secret_group_name        = each.value.secret_group_name
   secret_group_description = each.value.secret_group_description
   endpoint_type            = var.endpoint_type
+  create_access_group      = each.value.secret_group_create_access_group
+  access_group_name        = each.value.secret_group_access_group_name
+  access_group_roles       = each.value.secret_group_access_group_roles
+  access_group_tags        = each.value.secret_group_access_group_tags
 }
 
 ##############################################################################

modules/secrets/variables.tf

@@ -23,6 +23,10 @@ variable "secrets" {
     secret_group_name        = string
     secret_group_description = optional(string)
     existing_secret_group    = optional(bool, false)
+    create_access_group      = optional(bool, false)
+    access_group_name        = optional(string)
+    access_group_roles       = optional(list(string))
+    access_group_tags        = optional(list(string))
     secrets = optional(list(object({
       secret_name                                 = string
       secret_description                          = optional(string)
@@ -58,4 +62,11 @@ variable "secrets" {
       true if(secret.secret_group_name == "default" && secret.existing_secret_group == false)
     ]) == 0
   }
+  validation {
+    error_message = "When creating an access group, a list of roles must be specified."
+    condition = length([
+      for secret in var.secrets :
+      true if(secret.create_access_group && secret.access_group_roles == null)
+    ]) == 0
+  }
 }

solutions/fully-configurable/README.md

@@ -65,6 +65,7 @@ This solution supports the following:
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix to add to all resources created by this solution. To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes |
 | <a name="input_provider_visibility"></a> [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region to provision resources to. | `string` | `"us-south"` | no |
+| <a name="input_secret_groups"></a> [secret\_groups](#input\_secret\_groups) | Secret Manager secret group configurations. | <pre>list(object({<br/>    secret_group_name        = string<br/>    secret_group_description = optional(string)<br/>    existing_secret_group    = optional(bool, false)<br/>    create_access_group      = optional(bool, false)<br/>    access_group_name        = optional(string)<br/>    access_group_roles       = optional(list(string))<br/>    access_group_tags        = optional(list(string))<br/>  }))</pre> | <pre>[<br/>  {<br/>    "access_group_name": "general-secrets-group-access-group",<br/>    "access_group_roles": [<br/>      "SecretsReader"<br/>    ],<br/>    "create_access_group": true,<br/>    "secret_group_name": "General"<br/>  }<br/>]</pre> | no |
 | <a name="input_secrets_manager_cbr_rules"></a> [secrets\_manager\_cbr\_rules](#input\_secrets\_manager\_cbr\_rules) | (Optional, list) List of CBR rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/solutions/fully-configurable/DA-cbr_rules.md) | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_secrets_manager_endpoint_type"></a> [secrets\_manager\_endpoint\_type](#input\_secrets\_manager\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"private"` | no |
 | <a name="input_secrets_manager_instance_name"></a> [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `<prefix>-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no |

solutions/fully-configurable/main.tf

@@ -187,6 +187,7 @@ module "secrets_manager" {
   cbr_rules                        = var.secrets_manager_cbr_rules
   endpoint_type                    = var.secrets_manager_endpoint_type
   allowed_network                  = var.allowed_network
+  secrets                          = var.secret_groups
 }
 
 data "ibm_resource_instance" "existing_sm" {

solutions/fully-configurable/variables.tf

@@ -105,6 +105,49 @@ variable "allowed_network" {
   }
 }
 
+variable "secret_groups" {
+  type = list(object({
+    secret_group_name        = string
+    secret_group_description = optional(string)
+    existing_secret_group    = optional(bool, false)
+    create_access_group      = optional(bool, false)
+    access_group_name        = optional(string)
+    access_group_roles       = optional(list(string))
+    access_group_tags        = optional(list(string))
+  }))
+  description = "Secret Manager secret group configurations."
+  default = [
+    {
+      secret_group_name   = "General"
+      create_access_group = true
+      access_group_name   = "general-secrets-group-access-group"
+      access_group_roles  = ["SecretsReader"]
+    }
+  ]
+  validation {
+    error_message = "The name of the secret group cannot be null or empty string."
+    condition = length([
+      for group in var.secret_groups :
+      true if(group.secret_group_name == "" || group.secret_group_name == null)
+    ]) == 0
+  }
+  validation {
+    error_message = "The `default` secret group already exist, set `existing_secret_group` flag to true."
+    condition = length([
+      for group in var.secret_groups :
+      true if(group.secret_group_name == "default" && group.existing_secret_group == false)
+    ]) == 0
+  }
+  validation {
+    error_message = "When creating an access group, a list of roles must be specified."
+    condition = length([
+      for group in var.secret_groups :
+      true if(group.create_access_group && group.access_group_roles == null)
+    ]) == 0
+  }
+}
+
+
 ########################################################################################################################
 # Key Protect
 ########################################################################################################################