diff --git a/README.md b/README.md
index 85924a91..9172b847 100644
--- a/README.md
+++ b/README.md
@@ -98,7 +98,7 @@ You need the following permissions to run this module.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. | `string` | `"public-and-private"` | no |
+| [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-endpoints#service-endpoints | `string` | `"public-and-private"` | no |
| [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
})) | `[]` | no |
| [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null. | `bool` | `false` | no |
| [endpoint\_type](#input\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"public"` | no |
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 102eb5c8..1981efd3 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -192,7 +192,7 @@
}
},
{
- "key": "skip_sm_ce_iam_authorization_policy"
+ "key": "skip_secrets_manager_iam_auth_policy"
},
{
"key": "allowed_network",
@@ -217,24 +217,11 @@
"key": "existing_secrets_manager_kms_key_crn"
},
{
- "key": "skip_sm_kms_iam_authorization_policy"
+ "key": "skip_secrets_manager_kms_iam_auth_policy"
},
{
"key": "ibmcloud_kms_api_key"
},
- {
- "key": "kms_endpoint_type",
- "options": [
- {
- "displayname": "Public",
- "value": "public"
- },
- {
- "displayname": "Private",
- "value": "private"
- }
- ]
- },
{
"key": "kms_key_ring_name"
},
@@ -242,7 +229,19 @@
"key": "kms_key_name"
},
{
- "key": "event_notifications_email_list"
+ "key": "kms_endpoint_type",
+ "hidden": true
+ },
+ {
+ "key": "event_notifications_email_list",
+ "type": "array",
+ "custom_config": {
+ "grouping": "deployment",
+ "original_grouping": "deployment",
+ "config_constraints": {
+ "type": "string"
+ }
+ }
},
{
"key": "event_notifications_from_email"
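Review bot: The `kms_endpoint_type` entry is re-added with `"hidden": true` in place of the removed Public/Private option list, so catalog deployments of this configuration can no longer choose the KMS endpoint and silently take the variable's default, which is not visible in this diff. If that default is not `private`, a deployment that otherwise selects private networking would still drive KMS operations over the public endpoint; please confirm the default is the intended value and that hiding the option, rather than pinning it with an explicit value as the second configuration appears to do via its main.tf, is deliberate. The `event_notifications_email_list` change to `"type": "array"` with a string constraint looks fine and is mirrored in the hunk at @@ -455,7 +454,15 @@.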
@@ -254,7 +253,7 @@
"key": "existing_event_notifications_instance_crn"
},
{
- "key": "skip_event_notifications_iam_authorization_policy"
+ "key": "skip_secrets_manager_event_notifications_iam_auth_policy"
},
{
"key": "secrets_manager_cbr_rules"
@@ -425,7 +424,7 @@
}
},
{
- "key": "skip_sm_ce_iam_authorization_policy"
+ "key": "skip_secrets_manager_iam_auth_policy"
},
{
"key": "existing_resource_group_name",
@@ -443,7 +442,7 @@
"key": "existing_secrets_manager_kms_key_crn"
},
{
- "key": "skip_sm_kms_iam_authorization_policy"
+ "key": "skip_secrets_manager_kms_iam_auth_policy"
},
{
"key": "ibmcloud_kms_api_key"
@@ -455,7 +454,15 @@
"key": "kms_key_name"
},
{
- "key": "event_notifications_email_list"
+ "key": "event_notifications_email_list",
+ "type": "array",
+ "custom_config": {
+ "grouping": "deployment",
+ "original_grouping": "deployment",
+ "config_constraints": {
+ "type": "string"
+ }
+ }
},
{
"key": "event_notifications_from_email"
@@ -467,7 +474,7 @@
"key": "existing_event_notifications_instance_crn"
},
{
- "key": "skip_event_notifications_iam_authorization_policy"
+ "key": "skip_secrets_manager_event_notifications_iam_auth_policy"
},
{
"key": "secrets_manager_cbr_rules"
diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md
index f2d5ba34..fed29a39 100644
--- a/solutions/fully-configurable/README.md
+++ b/solutions/fully-configurable/README.md
@@ -49,7 +49,7 @@ This solution supports the following:
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. | `string` | `"private-only"` | no |
+| [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-endpoints#service-endpoints). | `string` | `"private-only"` | no |
| [event\_notifications\_email\_list](#input\_event\_notifications\_email\_list) | The list of email address to target out when Secrets Manager triggers an event | `list(string)` | `[]` | no |
| [event\_notifications\_from\_email](#input\_event\_notifications\_from\_email) | The email address used to send any Secrets Manager event coming via Event Notifications | `string` | `"compliancealert@ibm.com"` | no |
| [event\_notifications\_reply\_to\_email](#input\_event\_notifications\_reply\_to\_email) | The email address specified in the 'reply\_to' section for any Secret Manager event coming via Event Notifications | `string` | `"no-reply@ibm.com"` | no |
@@ -73,9 +73,9 @@ This solution supports the following:
| [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no |
| [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(any)` | `[]` | no |
| [service\_plan](#input\_service\_plan) | The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard). | `string` | n/a | yes |
-| [skip\_event\_notifications\_iam\_authorization\_policy](#input\_skip\_event\_notifications\_iam\_authorization\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no |
-| [skip\_sm\_ce\_iam\_authorization\_policy](#input\_skip\_sm\_ce\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
-| [skip\_sm\_kms\_iam\_authorization\_policy](#input\_skip\_sm\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no |
+| [skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no |
+| [skip\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_iam\_auth\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
+| [skip\_secrets\_manager\_kms\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_kms\_iam\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no |
### Outputs
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 379692c4..6cd6ae7c 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -24,7 +24,7 @@ locals {
parsed_service_name = var.existing_kms_instance_crn != null ? module.kms_instance_crn_parser[0].service_name : (var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : null)
is_hpcs_key = local.parsed_service_name == "hs-crypto" ? true : false
- create_cross_account_auth_policy = var.existing_secrets_manager_crn == null && !var.skip_sm_kms_iam_authorization_policy && var.ibmcloud_kms_api_key != null
+ create_cross_account_auth_policy = var.existing_secrets_manager_crn == null && !var.skip_secrets_manager_kms_iam_auth_policy && var.ibmcloud_kms_api_key != null
create_cross_account_hpcs_auth_policy = local.create_cross_account_auth_policy == true && local.is_hpcs_key ? 1 : 0
kms_service_name = var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : (var.existing_kms_instance_crn != null ? module.kms_instance_crn_parser[0].service_name : null)
@@ -174,16 +174,16 @@ module "secrets_manager" {
secrets_manager_name = "${local.prefix}${var.secrets_manager_instance_name}"
sm_service_plan = var.service_plan
sm_tags = var.secrets_manager_resource_tags
- skip_iam_authorization_policy = var.skip_sm_ce_iam_authorization_policy
+ skip_iam_authorization_policy = var.skip_secrets_manager_iam_auth_policy
# kms dependency
is_hpcs_key = local.is_hpcs_key
kms_encryption_enabled = var.kms_encryption_enabled
kms_key_crn = local.kms_key_crn
- skip_kms_iam_authorization_policy = var.skip_sm_kms_iam_authorization_policy || local.create_cross_account_auth_policy
+ skip_kms_iam_authorization_policy = var.skip_secrets_manager_kms_iam_auth_policy || local.create_cross_account_auth_policy
# event notifications dependency
enable_event_notification = local.enable_event_notifications
existing_en_instance_crn = var.existing_event_notifications_instance_crn
- skip_en_iam_authorization_policy = var.skip_event_notifications_iam_authorization_policy
+ skip_en_iam_authorization_policy = var.skip_secrets_manager_event_notifications_iam_auth_policy
cbr_rules = var.secrets_manager_cbr_rules
endpoint_type = var.secrets_manager_endpoint_type
allowed_network = var.allowed_network
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 176b4c0d..1fa319d3 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -76,9 +76,9 @@ variable "service_plan" {
}
}
-variable "skip_sm_ce_iam_authorization_policy" {
+variable "skip_secrets_manager_iam_auth_policy" {
type = bool
- description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service."
+ description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service."
default = false
}
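Review bot: The new description on the `+ description` line misspells "instance" as "isntance" (`... using an existing Secrets Manager instance, attempting to re-create ...`), and the same string is repeated in solutions/security-enforced/variables.tf (hunk @@ -65,9 +65,9 @@) and in both generated READMEs, so it should be fixed in both variables.tf files and the docs regenerated. While touching it, "policies will be created that grants" should read "policies will be created that grant". Renaming `skip_sm_ce_iam_authorization_policy` to `skip_secrets_manager_iam_auth_policy` (and the two sibling `skip_*` variables later in this file) is a breaking change for any existing tfvars or callers passing the old names, so it should be called out in the release notes unless that is already tracked elsewhere.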
@@ -100,7 +100,7 @@ variable "secrets_manager_endpoint_type" {
variable "allowed_network" {
type = string
- description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`."
+ description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-endpoints#service-endpoints)."
default = "private-only"
validation {
condition = contains(["private-only", "public-and-private"], var.allowed_network)
@@ -149,7 +149,7 @@ variable "secret_groups" {
# Key Protect
########################################################################################################################
-variable "skip_sm_kms_iam_authorization_policy" {
+variable "skip_secrets_manager_kms_iam_auth_policy" {
type = bool
description = "Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account."
default = false
@@ -249,7 +249,7 @@ variable "existing_event_notifications_instance_crn" {
default = null
}
-variable "skip_event_notifications_iam_authorization_policy" {
+variable "skip_secrets_manager_event_notifications_iam_auth_policy" {
type = bool
description = "If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created."
default = false
diff --git a/solutions/security-enforced/README.md b/solutions/security-enforced/README.md
index 323edac3..ac6040b3 100644
--- a/solutions/security-enforced/README.md
+++ b/solutions/security-enforced/README.md
@@ -37,7 +37,7 @@ No resources.
| [existing\_secrets\_manager\_crn](#input\_existing\_secrets\_manager\_crn) | The CRN of an existing Secrets Manager instance. If not supplied, a new instance is created. | `string` | `null` | no |
| [existing\_secrets\_manager\_kms\_key\_crn](#input\_existing\_secrets\_manager\_kms\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services key to use for Secrets Manager. If not specified, a key ring and key are created. | `string` | `null` | no |
| [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key used to provision resources. | `string` | n/a | yes |
-| [ibmcloud\_kms\_api\_key](#input\_ibmcloud\_kms\_api\_key) | The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance. If not specified, the 'ibmcloud\_api\_key' variable is used. Specify this key if the instance in `existing_kms_instance_crn` is in an account that's different from the Secrets Manager instance. Leave this input empty if the same account owns both instances. | `string` | `null` | no |
+| [ibmcloud\_kms\_api\_key](#input\_ibmcloud\_kms\_api\_key) | Leave this input empty if the same account owns both the Secrets Manager and KMS instances. Otherwise, specify an IBM Cloud API key in the account containing the key management service (KMS) instance that can create a root key and key ring. If not specified, the 'ibmcloud\_api\_key' variable is used. | `string` | `null` | no |
| [kms\_key\_name](#input\_kms\_key\_name) | The name for the new root key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. If a prefix input variable is passed, it is added to the value in the `-value` format. | `string` | `"secrets-manager-key"` | no |
| [kms\_key\_ring\_name](#input\_kms\_key\_ring\_name) | The name for the new key ring to store the key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. If a prefix input variable is passed, it is added to the value in the `-value` format. . | `string` | `"secrets-manager-key-ring"` | no |
| [prefix](#input\_prefix) | The prefix to add to all resources created by this solution. To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes |
@@ -47,9 +47,9 @@ No resources.
| [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no |
| [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(any)` | `[]` | no |
| [service\_plan](#input\_service\_plan) | The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard). | `string` | n/a | yes |
-| [skip\_event\_notifications\_iam\_authorization\_policy](#input\_skip\_event\_notifications\_iam\_authorization\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no |
-| [skip\_sm\_ce\_iam\_authorization\_policy](#input\_skip\_sm\_ce\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
-| [skip\_sm\_kms\_iam\_authorization\_policy](#input\_skip\_sm\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no |
+| [skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no |
+| [skip\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_iam\_auth\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
+| [skip\_secrets\_manager\_kms\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_kms\_iam\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no |
### Outputs
diff --git a/solutions/security-enforced/main.tf b/solutions/security-enforced/main.tf
index 5f6172b0..ae0da3cc 100644
--- a/solutions/security-enforced/main.tf
+++ b/solutions/security-enforced/main.tf
@@ -1,30 +1,30 @@
module "secrets_manager" {
- source = "../fully-configurable"
- ibmcloud_api_key = var.ibmcloud_api_key
- existing_resource_group_name = var.existing_resource_group_name
- prefix = var.prefix
- provider_visibility = "private"
- region = var.region
- secrets_manager_instance_name = var.secrets_manager_instance_name
- existing_secrets_manager_crn = var.existing_secrets_manager_crn
- service_plan = var.service_plan
- skip_sm_ce_iam_authorization_policy = var.skip_sm_ce_iam_authorization_policy
- secrets_manager_resource_tags = var.secrets_manager_resource_tags
- secrets_manager_endpoint_type = "private"
- allowed_network = "private-only"
- skip_sm_kms_iam_authorization_policy = var.skip_sm_kms_iam_authorization_policy
- existing_secrets_manager_kms_key_crn = var.existing_secrets_manager_kms_key_crn
- kms_encryption_enabled = true
- existing_kms_instance_crn = var.existing_kms_instance_crn
- kms_endpoint_type = "private"
- kms_key_ring_name = var.kms_key_ring_name
- kms_key_name = var.kms_key_name
- ibmcloud_kms_api_key = var.ibmcloud_kms_api_key
- existing_event_notifications_instance_crn = var.existing_event_notifications_instance_crn
- skip_event_notifications_iam_authorization_policy = var.skip_event_notifications_iam_authorization_policy
- event_notifications_email_list = var.event_notifications_email_list
- event_notifications_from_email = var.event_notifications_from_email
- event_notifications_reply_to_email = var.event_notifications_reply_to_email
- secrets_manager_cbr_rules = var.secrets_manager_cbr_rules
- secret_groups = var.secret_groups
+ source = "../fully-configurable"
+ ibmcloud_api_key = var.ibmcloud_api_key
+ existing_resource_group_name = var.existing_resource_group_name
+ prefix = var.prefix
+ provider_visibility = "private"
+ region = var.region
+ secrets_manager_instance_name = var.secrets_manager_instance_name
+ existing_secrets_manager_crn = var.existing_secrets_manager_crn
+ service_plan = var.service_plan
+ skip_secrets_manager_iam_auth_policy = var.skip_secrets_manager_iam_auth_policy
+ secrets_manager_resource_tags = var.secrets_manager_resource_tags
+ secrets_manager_endpoint_type = "private"
+ allowed_network = "private-only"
+ skip_secrets_manager_kms_iam_auth_policy = var.skip_secrets_manager_kms_iam_auth_policy
+ existing_secrets_manager_kms_key_crn = var.existing_secrets_manager_kms_key_crn
+ kms_encryption_enabled = true
+ existing_kms_instance_crn = var.existing_kms_instance_crn
+ kms_endpoint_type = "private"
+ kms_key_ring_name = var.kms_key_ring_name
+ kms_key_name = var.kms_key_name
+ ibmcloud_kms_api_key = var.ibmcloud_kms_api_key
+ existing_event_notifications_instance_crn = var.existing_event_notifications_instance_crn
+ skip_secrets_manager_event_notifications_iam_auth_policy = var.skip_secrets_manager_event_notifications_iam_auth_policy
+ event_notifications_email_list = var.event_notifications_email_list
+ event_notifications_from_email = var.event_notifications_from_email
+ event_notifications_reply_to_email = var.event_notifications_reply_to_email
+ secrets_manager_cbr_rules = var.secrets_manager_cbr_rules
+ secret_groups = var.secret_groups
}
diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf
index 8ebd4dbd..29f32ca7 100644
--- a/solutions/security-enforced/variables.tf
+++ b/solutions/security-enforced/variables.tf
@@ -65,9 +65,9 @@ variable "service_plan" {
}
}
-variable "skip_sm_ce_iam_authorization_policy" {
+variable "skip_secrets_manager_iam_auth_policy" {
type = bool
- description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service."
+ description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service."
default = false
}
@@ -117,7 +117,7 @@ variable "secret_groups" {
# Key Protect
########################################################################################################################
-variable "skip_sm_kms_iam_authorization_policy" {
+variable "skip_secrets_manager_kms_iam_auth_policy" {
type = bool
description = "Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account."
default = false
@@ -166,7 +166,7 @@ variable "kms_key_name" {
variable "ibmcloud_kms_api_key" {
type = string
- description = "The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance. If not specified, the 'ibmcloud_api_key' variable is used. Specify this key if the instance in `existing_kms_instance_crn` is in an account that's different from the Secrets Manager instance. Leave this input empty if the same account owns both instances."
+ description = "Leave this input empty if the same account owns both the Secrets Manager and KMS instances. Otherwise, specify an IBM Cloud API key in the account containing the key management service (KMS) instance that can create a root key and key ring. If not specified, the 'ibmcloud_api_key' variable is used."
sensitive = true
default = null
}
@@ -181,7 +181,7 @@ variable "existing_event_notifications_instance_crn" {
default = null
}
-variable "skip_event_notifications_iam_authorization_policy" {
+variable "skip_secrets_manager_event_notifications_iam_auth_policy" {
type = bool
description = "If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created."
default = false
diff --git a/variables.tf b/variables.tf
index c39ef832..632aebec 100644
--- a/variables.tf
+++ b/variables.tf
@@ -41,7 +41,7 @@ variable "sm_tags" {
variable "allowed_network" {
type = string
- description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`."
+ description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-endpoints#service-endpoints"
default = "public-and-private"
validation {
condition = contains(["private-only", "public-and-private"], var.allowed_network)