From 4be4056e020cbf54e242132f876923b926bd29e0 Mon Sep 17 00:00:00 2001 From: Alex Reiff Date: Thu, 15 May 2025 13:50:01 -0400 Subject: [PATCH 1/4] DA rally feedback --- README.md | 2 +- ibm_catalog.json | 31 +++++-------- solutions/fully-configurable/README.md | 7 ++- solutions/fully-configurable/main.tf | 12 ++--- solutions/fully-configurable/variables.tf | 18 ++------ solutions/security-enforced/README.md | 8 ++-- solutions/security-enforced/main.tf | 55 +++++++++++------------ solutions/security-enforced/variables.tf | 10 ++--- variables.tf | 2 +- 9 files changed, 61 insertions(+), 84 deletions(-) diff --git a/README.md b/README.md index 85924a91..9172b847 100644 --- a/README.md +++ b/README.md @@ -98,7 +98,7 @@ You need the following permissions to run this module. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. | `string` | `"public-and-private"` | no | +| [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-endpoints#service-endpoints | `string` | `"public-and-private"` | no | | [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no | | [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null. | `bool` | `false` | no | | [endpoint\_type](#input\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"public"` | no | diff --git a/ibm_catalog.json b/ibm_catalog.json index 102eb5c8..f5334099 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -192,7 +192,7 @@ } }, { - "key": "skip_sm_ce_iam_authorization_policy" + "key": "skip_secrets_manager_certificate_engine_iam_authorization_policy" }, { "key": "allowed_network", @@ -217,24 +217,11 @@ "key": "existing_secrets_manager_kms_key_crn" }, { - "key": "skip_sm_kms_iam_authorization_policy" + "key": "skip_secrets_manager_kms_iam_authorization_policy" }, { "key": "ibmcloud_kms_api_key" }, - { - "key": "kms_endpoint_type", - "options": [ - { - "displayname": "Public", - "value": "public" - }, - { - "displayname": "Private", - "value": "private" - } - ] - }, { "key": "kms_key_ring_name" }, @@ -242,7 +229,8 @@ "key": "kms_key_name" }, { - "key": "event_notifications_email_list" + "key": "event_notifications_email_list", + "type": "array" }, { "key": "event_notifications_from_email" @@ -254,7 +242,7 @@ "key": "existing_event_notifications_instance_crn" }, { - "key": "skip_event_notifications_iam_authorization_policy" + "key": "skip_secrets_manager_event_notifications_iam_authorization_policy" }, { "key": "secrets_manager_cbr_rules" 
@@ -425,7 +413,7 @@ } }, { - "key": "skip_sm_ce_iam_authorization_policy" + "key": "skip_secrets_manager_certificate_engine_iam_authorization_policy" }, { "key": "existing_resource_group_name", @@ -443,7 +431,7 @@ "key": "existing_secrets_manager_kms_key_crn" }, { - "key": "skip_sm_kms_iam_authorization_policy" + "key": "skip_secrets_manager_kms_iam_authorization_policy" }, { "key": "ibmcloud_kms_api_key" @@ -455,7 +443,8 @@ "key": "kms_key_name" }, { - "key": "event_notifications_email_list" + "key": "event_notifications_email_list", + "type": "array" }, { "key": "event_notifications_from_email" @@ -467,7 +456,7 @@ "key": "existing_event_notifications_instance_crn" }, { - "key": "skip_event_notifications_iam_authorization_policy" + "key": "skip_secrets_manager_event_notifications_iam_authorization_policy" }, { "key": "secrets_manager_cbr_rules" diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index 3777c9cb..d0a5b674 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md 
@@ -61,7 +61,6 @@ This solution supports the following: | [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key used to provision resources. | `string` | n/a | yes | | [ibmcloud\_kms\_api\_key](#input\_ibmcloud\_kms\_api\_key) | The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance. If not specified, the 'ibmcloud\_api\_key' variable is used. Specify this key if the instance in `existing_kms_instance_crn` is in an account that's different from the Secrets Manager instance. Leave this input empty if the same account owns both instances. | `string` | `null` | no | | [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set to true to enable Secrets Manager Secrets Encryption using customer managed keys. When set to true, a value must be passed for either `existing_kms_instance_crn` or `existing_secrets_manager_kms_key_crn`. Cannot be set to true if passing a value for `existing_secrets_manager_crn`. | `bool` | `false` | no | -| [kms\_endpoint\_type](#input\_kms\_endpoint\_type) | The endpoint for communicating with the Key Protect or Hyper Protect Crypto Services instance. Possible values: `public`, `private`. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. | `string` | `"private"` | no | | [kms\_key\_name](#input\_kms\_key\_name) | The name for the new root key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. If a prefix input variable is passed, it is added to the value in the `-value` format. | `string` | `"secrets-manager-key"` | no | | [kms\_key\_ring\_name](#input\_kms\_key\_ring\_name) | The name for the new key ring to store the key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. If a prefix input variable is passed, it is added to the value in the `-value` format. . | `string` | `"secrets-manager-key-ring"` | no | | [prefix](#input\_prefix) | The prefix to add to all resources created by this solution. 
To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes | 
@@ -73,9 +72,9 @@ This solution supports the following: | [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no | | [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(any)` | `[]` | no | | [service\_plan](#input\_service\_plan) | The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard). | `string` | n/a | yes | -| [skip\_event\_notifications\_iam\_authorization\_policy](#input\_skip\_event\_notifications\_iam\_authorization\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no | -| [skip\_sm\_ce\_iam\_authorization\_policy](#input\_skip\_sm\_ce\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. 
| `bool` | `false` | no | -| [skip\_sm\_kms\_iam\_authorization\_policy](#input\_skip\_sm\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no | +| [skip\_secrets\_manager\_certificate\_engine\_iam\_authorization\_policy](#input\_skip\_secrets\_manager\_certificate\_engine\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no | +| [skip\_secrets\_manager\_event\_notifications\_iam\_authorization\_policy](#input\_skip\_secrets\_manager\_event\_notifications\_iam\_authorization\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no | +| [skip\_secrets\_manager\_kms\_iam\_authorization\_policy](#input\_skip\_secrets\_manager\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. 
If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no | ### Outputs diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index b0e07ab4..46e0b544 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -24,7 +24,7 @@ locals { parsed_service_name = var.existing_kms_instance_crn != null ? module.kms_instance_crn_parser[0].service_name : (var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : null) is_hpcs_key = local.parsed_service_name == "hs-crypto" ? true : false - create_cross_account_auth_policy = var.existing_secrets_manager_crn == null && !var.skip_sm_kms_iam_authorization_policy && var.ibmcloud_kms_api_key != null + create_cross_account_auth_policy = var.existing_secrets_manager_crn == null && !var.skip_secrets_manager_kms_iam_authorization_policy && var.ibmcloud_kms_api_key != null create_cross_account_hpcs_auth_policy = local.create_cross_account_auth_policy == true && local.is_hpcs_key ? 1 : 0 kms_service_name = var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : (var.existing_kms_instance_crn != null ? module.kms_instance_crn_parser[0].service_name : null) @@ -134,8 +134,8 @@ module "kms" { create_key_protect_instance = false region = local.kms_region existing_kms_instance_crn = var.existing_kms_instance_crn - key_ring_endpoint_type = var.kms_endpoint_type - key_endpoint_type = var.kms_endpoint_type + key_ring_endpoint_type = "private" + key_endpoint_type = "private" keys = [ { key_ring_name = local.kms_key_ring_name 
@@ -174,16 +174,16 @@ module "secrets_manager" {
 secrets_manager_name = "${local.prefix}${var.secrets_manager_instance_name}"
 sm_service_plan = var.service_plan
 sm_tags = var.secrets_manager_resource_tags
- skip_iam_authorization_policy = var.skip_sm_ce_iam_authorization_policy
+ skip_iam_authorization_policy = var.skip_secrets_manager_certificate_engine_iam_authorization_policy
 # kms dependency
 is_hpcs_key = local.is_hpcs_key
 kms_encryption_enabled = var.kms_encryption_enabled
 kms_key_crn = local.kms_key_crn
- skip_kms_iam_authorization_policy = var.skip_sm_kms_iam_authorization_policy || local.create_cross_account_auth_policy
+ skip_kms_iam_authorization_policy = var.skip_secrets_manager_kms_iam_authorization_policy || local.create_cross_account_auth_policy
 # event notifications dependency
 enable_event_notification = local.enable_event_notifications
 existing_en_instance_crn = var.existing_event_notifications_instance_crn
- skip_en_iam_authorization_policy = var.skip_event_notifications_iam_authorization_policy
+ skip_en_iam_authorization_policy = var.skip_secrets_manager_event_notifications_iam_authorization_policy
 cbr_rules = var.secrets_manager_cbr_rules
 endpoint_type = var.secrets_manager_endpoint_type
 allowed_network = var.allowed_network
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 176b4c0d..7ea5fa81 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -76,9 +76,9 @@ variable "service_plan" { } } -variable "skip_sm_ce_iam_authorization_policy" { +variable "skip_secrets_manager_certificate_engine_iam_authorization_policy" { type = bool - description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service." + description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service." default = false } @@ -149,7 +149,7 @@ variable "secret_groups" { # Key Protect ######################################################################################################################## -variable "skip_sm_kms_iam_authorization_policy" { +variable "skip_secrets_manager_kms_iam_authorization_policy" { type = bool description = "Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account." default = false 
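Review bot: The renamed variable `skip_secrets_manager_certificate_engine_iam_authorization_policy` no longer matches its own description, which says the skipped policies are the ones required for the IAM credentials engine ('Operator' on the IAM identity service and 'Groups Service Member Manage' on the IAM groups service), so a reader deciding whether to skip them is told two different things about which engine and which access is involved. Either the name should say `iam_credentials_engine` rather than `certificate_engine`, or the description should be corrected to name the engine the policies actually serve; the same mismatch is repeated in solutions/security-enforced/variables.tf, ibm_catalog.json and both solution READMEs in this commit. The new description also misspells 'instance' as 'isntance' in the added parenthetical; change it to `(if you are using an existing Secrets Manager instance, attempting to re-create can cause conflicts if the policies already exist)` in every copy.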
@@ -210,16 +210,6 @@ variable "existing_kms_instance_crn" { } } -variable "kms_endpoint_type" { - type = string - description = "The endpoint for communicating with the Key Protect or Hyper Protect Crypto Services instance. Possible values: `public`, `private`. Applies only if `existing_secrets_manager_kms_key_crn` is not specified." - default = "private" - validation { - condition = can(regex("public|private", var.kms_endpoint_type)) - error_message = "The kms_endpoint_type value must be 'public' or 'private'." - } -} - variable "kms_key_ring_name" { type = string default = "secrets-manager-key-ring" @@ -249,7 +239,7 @@ variable "existing_event_notifications_instance_crn" { default = null } -variable "skip_event_notifications_iam_authorization_policy" { +variable "skip_secrets_manager_event_notifications_iam_authorization_policy" { type = bool description = "If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created." default = false diff --git a/solutions/security-enforced/README.md b/solutions/security-enforced/README.md index 323edac3..efcc9220 100644 --- a/solutions/security-enforced/README.md +++ b/solutions/security-enforced/README.md 
@@ -37,7 +37,7 @@ No resources. | [existing\_secrets\_manager\_crn](#input\_existing\_secrets\_manager\_crn) | The CRN of an existing Secrets Manager instance. If not supplied, a new instance is created. | `string` | `null` | no | | [existing\_secrets\_manager\_kms\_key\_crn](#input\_existing\_secrets\_manager\_kms\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services key to use for Secrets Manager. If not specified, a key ring and key are created. | `string` | `null` | no | | [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key used to provision resources. | `string` | n/a | yes | -| [ibmcloud\_kms\_api\_key](#input\_ibmcloud\_kms\_api\_key) | The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance. If not specified, the 'ibmcloud\_api\_key' variable is used. Specify this key if the instance in `existing_kms_instance_crn` is in an account that's different from the Secrets Manager instance. Leave this input empty if the same account owns both instances. | `string` | `null` | no | +| [ibmcloud\_kms\_api\_key](#input\_ibmcloud\_kms\_api\_key) | Leave this input empty if the same account owns both the Secrets Manager and KMS instances. Otherwise, specify an IBM Cloud API key in the account containing the key management service (KMS) instance that can create a root key and key ring. If not specified, the 'ibmcloud\_api\_key' variable is used. | `string` | `null` | no | | [kms\_key\_name](#input\_kms\_key\_name) | The name for the new root key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. If a prefix input variable is passed, it is added to the value in the `-value` format. | `string` | `"secrets-manager-key"` | no | | [kms\_key\_ring\_name](#input\_kms\_key\_ring\_name) | The name for the new key ring to store the key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. 
If a prefix input variable is passed, it is added to the value in the `-value` format. . | `string` | `"secrets-manager-key-ring"` | no | | [prefix](#input\_prefix) | The prefix to add to all resources created by this solution. To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes | 
@@ -47,9 +47,9 @@ No resources. | [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no | | [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(any)` | `[]` | no | | [service\_plan](#input\_service\_plan) | The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard). | `string` | n/a | yes | -| [skip\_event\_notifications\_iam\_authorization\_policy](#input\_skip\_event\_notifications\_iam\_authorization\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no | -| [skip\_sm\_ce\_iam\_authorization\_policy](#input\_skip\_sm\_ce\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. 
| `bool` | `false` | no | -| [skip\_sm\_kms\_iam\_authorization\_policy](#input\_skip\_sm\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no | +| [skip\_secrets\_manager\_certificate\_engine\_iam\_authorization\_policy](#input\_skip\_secrets\_manager\_certificate\_engine\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no | +| [skip\_secrets\_manager\_event\_notifications\_iam\_authorization\_policy](#input\_skip\_secrets\_manager\_event\_notifications\_iam\_authorization\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no | +| [skip\_secrets\_manager\_kms\_iam\_authorization\_policy](#input\_skip\_secrets\_manager\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. 
If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no | ### Outputs diff --git a/solutions/security-enforced/main.tf b/solutions/security-enforced/main.tf index 5f6172b0..d9b2d166 100644 --- a/solutions/security-enforced/main.tf +++ b/solutions/security-enforced/main.tf 
@@ -1,30 +1,29 @@
 module "secrets_manager" {
- source = "../fully-configurable"
- ibmcloud_api_key = var.ibmcloud_api_key
- existing_resource_group_name = var.existing_resource_group_name
- prefix = var.prefix
- provider_visibility = "private"
- region = var.region
- secrets_manager_instance_name = var.secrets_manager_instance_name
- existing_secrets_manager_crn = var.existing_secrets_manager_crn
- service_plan = var.service_plan
- skip_sm_ce_iam_authorization_policy = var.skip_sm_ce_iam_authorization_policy
- secrets_manager_resource_tags = var.secrets_manager_resource_tags
- secrets_manager_endpoint_type = "private"
- allowed_network = "private-only"
- skip_sm_kms_iam_authorization_policy = var.skip_sm_kms_iam_authorization_policy
- existing_secrets_manager_kms_key_crn = var.existing_secrets_manager_kms_key_crn
- kms_encryption_enabled = true
- existing_kms_instance_crn = var.existing_kms_instance_crn
- kms_endpoint_type = "private"
- kms_key_ring_name = var.kms_key_ring_name
- kms_key_name = var.kms_key_name
- ibmcloud_kms_api_key = var.ibmcloud_kms_api_key
- existing_event_notifications_instance_crn = var.existing_event_notifications_instance_crn
- skip_event_notifications_iam_authorization_policy = var.skip_event_notifications_iam_authorization_policy
- event_notifications_email_list = var.event_notifications_email_list
- event_notifications_from_email = var.event_notifications_from_email
- event_notifications_reply_to_email = var.event_notifications_reply_to_email
- secrets_manager_cbr_rules = var.secrets_manager_cbr_rules
- secret_groups = var.secret_groups
+ source = "../fully-configurable"
+ ibmcloud_api_key = var.ibmcloud_api_key
+ existing_resource_group_name = var.existing_resource_group_name
+ prefix = var.prefix
+ provider_visibility = "private"
+ region = var.region
+ secrets_manager_instance_name = var.secrets_manager_instance_name
+ existing_secrets_manager_crn = var.existing_secrets_manager_crn
+ service_plan = var.service_plan
+ skip_secrets_manager_certificate_engine_iam_authorization_policy = var.skip_secrets_manager_certificate_engine_iam_authorization_policy
+ secrets_manager_resource_tags = var.secrets_manager_resource_tags
+ secrets_manager_endpoint_type = "private"
+ allowed_network = "private-only"
+ skip_secrets_manager_kms_iam_authorization_policy = var.skip_secrets_manager_kms_iam_authorization_policy
+ existing_secrets_manager_kms_key_crn = var.existing_secrets_manager_kms_key_crn
+ kms_encryption_enabled = true
+ existing_kms_instance_crn = var.existing_kms_instance_crn
+ kms_key_ring_name = var.kms_key_ring_name
+ kms_key_name = var.kms_key_name
+ ibmcloud_kms_api_key = var.ibmcloud_kms_api_key
+ existing_event_notifications_instance_crn = var.existing_event_notifications_instance_crn
+ skip_secrets_manager_event_notifications_iam_authorization_policy = var.skip_secrets_manager_event_notifications_iam_authorization_policy
+ event_notifications_email_list = var.event_notifications_email_list
+ event_notifications_from_email = var.event_notifications_from_email
+ event_notifications_reply_to_email = var.event_notifications_reply_to_email
+ secrets_manager_cbr_rules = var.secrets_manager_cbr_rules
+ secret_groups = var.secret_groups
 }
diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf
index 8ebd4dbd..93c7c45b 100644
--- a/solutions/security-enforced/variables.tf
+++ b/solutions/security-enforced/variables.tf
@@ -65,9 +65,9 @@ variable "service_plan" { } } -variable "skip_sm_ce_iam_authorization_policy" { +variable "skip_secrets_manager_certificate_engine_iam_authorization_policy" { type = bool - description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service." + description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service." default = false } @@ -117,7 +117,7 @@ variable "secret_groups" { # Key Protect ######################################################################################################################## -variable "skip_sm_kms_iam_authorization_policy" { +variable "skip_secrets_manager_kms_iam_authorization_policy" { type = bool description = "Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account." default = false 
@@ -166,7 +166,7 @@ variable "kms_key_name" { variable "ibmcloud_kms_api_key" { type = string - description = "The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance. If not specified, the 'ibmcloud_api_key' variable is used. Specify this key if the instance in `existing_kms_instance_crn` is in an account that's different from the Secrets Manager instance. Leave this input empty if the same account owns both instances." + description = "Leave this input empty if the same account owns both the Secrets Manager and KMS instances. Otherwise, specify an IBM Cloud API key in the account containing the key management service (KMS) instance that can create a root key and key ring. If not specified, the 'ibmcloud_api_key' variable is used." sensitive = true default = null } @@ -181,7 +181,7 @@ variable "existing_event_notifications_instance_crn" { default = null } -variable "skip_event_notifications_iam_authorization_policy" { +variable "skip_secrets_manager_event_notifications_iam_authorization_policy" { type = bool description = "If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created." default = false diff --git a/variables.tf b/variables.tf index c39ef832..632aebec 100644 --- a/variables.tf +++ b/variables.tf 
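Review bot: The reworded description for `ibmcloud_kms_api_key` is applied only to the security-enforced variable, while the fully-configurable README context shown in both patches still carries the old wording, so the two solutions now document the same input differently even though the security-enforced main.tf hunk forwards `var.ibmcloud_kms_api_key` to the fully-configurable module unchanged. Apply the same text to solutions/fully-configurable/variables.tf (not touched by this series) and regenerate its README so the two stay in step. Because this is a cross-account credential (already `sensitive = true`), consider adding one sentence stating the minimum access the key needs — it is only used to create a key ring and root key in the KMS instance — so operators are not nudged into supplying a broader-scoped key; the exact role names should be confirmed against the KMS module's documentation before quoting them.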
@@ -41,7 +41,7 @@ variable "sm_tags" { variable "allowed_network" { type = string - description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`." + description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-endpoints#service-endpoints" default = "public-and-private" validation { condition = contains(["private-only", "public-and-private"], var.allowed_network) From c8cfb32d8f824bd5c28097ffe47a7c905f02a3dc Mon Sep 17 00:00:00 2001 From: Alex Reiff Date: Mon, 19 May 2025 16:49:37 -0400 Subject: [PATCH 2/4] updated feedback --- ibm_catalog.json | 22 ++++++++++++++++++++-- solutions/fully-configurable/README.md | 1 + solutions/fully-configurable/main.tf | 4 ++-- solutions/fully-configurable/variables.tf | 10 ++++++++++ solutions/security-enforced/main.tf | 1 + 5 files changed, 34 insertions(+), 4 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index f5334099..6b8ccfab 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -228,9 +228,20 @@ { "key": "kms_key_name" }, + { + "key": "kms_endpoint_type", + "hidden": true + }, { "key": "event_notifications_email_list", - "type": "array" + "type": "array", + "custom_config": { + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "type": "string" + } + } }, { "key": "event_notifications_from_email" @@ -444,7 +455,14 @@ }, { "key": "event_notifications_email_list", - "type": "array" + "type": "array", + "custom_config": { + "grouping": "deployment", + "original_grouping": "deployment", + "config_constraints": { + "type": "string" + } + } }, { "key": "event_notifications_from_email" diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index c6346510..2a2ef716 100644 
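Review bot: The validation restored for `kms_endpoint_type` uses an unanchored regex, `can(regex("public|private", var.kms_endpoint_type))`, which accepts any string containing either word (for example `publicly` or `non-private`), so an invalid value passes the check and is forwarded as-is to `key_ring_endpoint_type` and `key_endpoint_type` in the main.tf hunk of this same commit. Replace it with an exact membership test, `condition = contains(["public", "private"], var.kms_endpoint_type)`, which is the form the `allowed_network` validation in the root variables.tf hunk of the first patch already uses. The catalog entry added in this commit marks the key `"hidden": true`, so catalog deployments will rely on the `private` default; the one-line change to solutions/security-enforced/main.tf listed in the diffstat is outside this view, so I cannot confirm it pins the value to `private` there, which the first patch's removal of that line implies it should.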
--- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md 
@@ -61,6 +61,7 @@ This solution supports the following: | [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key used to provision resources. | `string` | n/a | yes | | [ibmcloud\_kms\_api\_key](#input\_ibmcloud\_kms\_api\_key) | The IBM Cloud API key that can create a root key and key ring in the key management service (KMS) instance. If not specified, the 'ibmcloud\_api\_key' variable is used. Specify this key if the instance in `existing_kms_instance_crn` is in an account that's different from the Secrets Manager instance. Leave this input empty if the same account owns both instances. | `string` | `null` | no | | [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set to true to enable Secrets Manager Secrets Encryption using customer managed keys. When set to true, a value must be passed for either `existing_kms_instance_crn` or `existing_secrets_manager_kms_key_crn`. Cannot be set to true if passing a value for `existing_secrets_manager_crn`. | `bool` | `false` | no | +| [kms\_endpoint\_type](#input\_kms\_endpoint\_type) | The endpoint for communicating with the Key Protect or Hyper Protect Crypto Services instance. Possible values: `public`, `private`. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. | `string` | `"private"` | no | | [kms\_key\_name](#input\_kms\_key\_name) | The name for the new root key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. If a prefix input variable is passed, it is added to the value in the `-value` format. | `string` | `"secrets-manager-key"` | no | | [kms\_key\_ring\_name](#input\_kms\_key\_ring\_name) | The name for the new key ring to store the key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. If a prefix input variable is passed, it is added to the value in the `-value` format. . | `string` | `"secrets-manager-key-ring"` | no | | [prefix](#input\_prefix) | The prefix to add to all resources created by this solution. 
To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes | diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index d15ffa51..4ccdaaeb 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -134,8 +134,8 @@ module "kms" { create_key_protect_instance = false region = local.kms_region existing_kms_instance_crn = var.existing_kms_instance_crn - key_ring_endpoint_type = "private" - key_endpoint_type = "private" + key_ring_endpoint_type = var.kms_endpoint_type + key_endpoint_type = var.kms_endpoint_type keys = [ { key_ring_name = local.kms_key_ring_name diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 7ea5fa81..f65f6b01 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -210,6 +210,16 @@ variable "existing_kms_instance_crn" { } } +variable "kms_endpoint_type" { + type = string + description = "The endpoint for communicating with the Key Protect or Hyper Protect Crypto Services instance. Possible values: `public`, `private`. Applies only if `existing_secrets_manager_kms_key_crn` is not specified." + default = "private" + validation { + condition = can(regex("public|private", var.kms_endpoint_type)) + error_message = "The kms_endpoint_type value must be 'public' or 'private'." + } +} + variable "kms_key_ring_name" { type = string default = "secrets-manager-key-ring" diff --git a/solutions/security-enforced/main.tf b/solutions/security-enforced/main.tf index d9b2d166..17e9b455 100644 --- a/solutions/security-enforced/main.tf +++ b/solutions/security-enforced/main.tf 
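Review bot: The `validation` block of the new `kms_endpoint_type` variable does not restrict the input to the two documented values: `can(regex("public|private", var.kms_endpoint_type))` is an unanchored substring match, so inputs such as `publicly` or `semi-private` pass validation and are then handed unchanged to `key_ring_endpoint_type`/`key_endpoint_type` in the `module "kms"` call modified in the preceding main.tf hunk. The `allowed_network` variable in this same file already uses the exact-set form, so for both correctness and consistency change the condition to `condition = contains(["public", "private"], var.kms_endpoint_type)`. If a regex is preferred, anchor it as `can(regex("^(public|private)$", var.kms_endpoint_type))` so the error message's promise of "'public' or 'private'" actually holds.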
@@ -16,6 +16,7 @@ module "secrets_manager" { existing_secrets_manager_kms_key_crn = var.existing_secrets_manager_kms_key_crn kms_encryption_enabled = true existing_kms_instance_crn = var.existing_kms_instance_crn + kms_endpoint_type = "private" kms_key_ring_name = var.kms_key_ring_name kms_key_name = var.kms_key_name ibmcloud_kms_api_key = var.ibmcloud_kms_api_key From 5a8c8829ac75e3d9f16fda169fc6e7675cbe796b Mon Sep 17 00:00:00 2001 From: Alex Reiff Date: Tue, 20 May 2025 00:28:06 -0400 Subject: [PATCH 3/4] more feedbacl --- ibm_catalog.json | 12 ++--- solutions/fully-configurable/README.md | 8 ++-- solutions/fully-configurable/main.tf | 8 ++-- solutions/fully-configurable/variables.tf | 8 ++-- solutions/security-enforced/README.md | 6 +-- solutions/security-enforced/main.tf | 56 +++++++++++------------ solutions/security-enforced/variables.tf | 6 +-- 7 files changed, 52 insertions(+), 52 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index 6b8ccfab..59fd03f9 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -192,7 +192,7 @@ } }, { - "key": "skip_secrets_manager_certificate_engine_iam_authorization_policy" + "key": "skip_secrets_manager_certificate_engine_iam_auth_policy" }, { "key": "allowed_network", @@ -217,7 +217,7 @@ "key": "existing_secrets_manager_kms_key_crn" }, { - "key": "skip_secrets_manager_kms_iam_authorization_policy" + "key": "skip_secrets_manager_kms_iam_auth_policy" }, { "key": "ibmcloud_kms_api_key" @@ -253,7 +253,7 @@ "key": "existing_event_notifications_instance_crn" }, { - "key": "skip_secrets_manager_event_notifications_iam_authorization_policy" + "key": "skip_secrets_manager_event_notifications_iam_auth_policy" }, { "key": "secrets_manager_cbr_rules" @@ -424,7 +424,7 @@ } }, { - "key": "skip_secrets_manager_certificate_engine_iam_authorization_policy" + "key": "skip_secrets_manager_certificate_engine_iam_auth_policy" }, { "key": "existing_resource_group_name", 
@@ -442,7 +442,7 @@ "key": "existing_secrets_manager_kms_key_crn" }, { - "key": "skip_secrets_manager_kms_iam_authorization_policy" + "key": "skip_secrets_manager_kms_iam_auth_policy" }, { "key": "ibmcloud_kms_api_key" @@ -474,7 +474,7 @@ "key": "existing_event_notifications_instance_crn" }, { - "key": "skip_secrets_manager_event_notifications_iam_authorization_policy" + "key": "skip_secrets_manager_event_notifications_iam_auth_policy" }, { "key": "secrets_manager_cbr_rules" diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index 2a2ef716..2285b300 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md 
@@ -49,7 +49,7 @@ This solution supports the following: | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. | `string` | `"private-only"` | no | +| [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-endpoints#service-endpoints). | `string` | `"private-only"` | no | | [event\_notifications\_email\_list](#input\_event\_notifications\_email\_list) | The list of email address to target out when Secrets Manager triggers an event | `list(string)` | `[]` | no | | [event\_notifications\_from\_email](#input\_event\_notifications\_from\_email) | The email address used to send any Secrets Manager event coming via Event Notifications | `string` | `"compliancealert@ibm.com"` | no | | [event\_notifications\_reply\_to\_email](#input\_event\_notifications\_reply\_to\_email) | The email address specified in the 'reply\_to' section for any Secret Manager event coming via Event Notifications | `string` | `"no-reply@ibm.com"` | no | 
@@ -73,9 +73,9 @@ This solution supports the following: | [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no | | [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(any)` | `[]` | no | | [service\_plan](#input\_service\_plan) | The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard). | `string` | n/a | yes | -| [skip\_secrets\_manager\_certificate\_engine\_iam\_authorization\_policy](#input\_skip\_secrets\_manager\_certificate\_engine\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. 
| `bool` | `false` | no | -| [skip\_secrets\_manager\_event\_notifications\_iam\_authorization\_policy](#input\_skip\_secrets\_manager\_event\_notifications\_iam\_authorization\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no | -| [skip\_secrets\_manager\_kms\_iam\_authorization\_policy](#input\_skip\_secrets\_manager\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no | +| [skip\_secrets\_manager\_certificate\_engine\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_certificate\_engine\_iam\_auth\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no | +| [skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. 
| `bool` | `false` | no | +| [skip\_secrets\_manager\_kms\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_kms\_iam\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no | ### Outputs diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 4ccdaaeb..71e53c02 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -24,7 +24,7 @@ locals { parsed_service_name = var.existing_kms_instance_crn != null ? module.kms_instance_crn_parser[0].service_name : (var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : null) is_hpcs_key = local.parsed_service_name == "hs-crypto" ? true : false - create_cross_account_auth_policy = var.existing_secrets_manager_crn == null && !var.skip_secrets_manager_kms_iam_authorization_policy && var.ibmcloud_kms_api_key != null + create_cross_account_auth_policy = var.existing_secrets_manager_crn == null && !var.skip_secrets_manager_kms_iam_auth_policy && var.ibmcloud_kms_api_key != null create_cross_account_hpcs_auth_policy = local.create_cross_account_auth_policy == true && local.is_hpcs_key ? 1 : 0 kms_service_name = var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : (var.existing_kms_instance_crn != null ? module.kms_instance_crn_parser[0].service_name : null) 
@@ -174,16 +174,16 @@ module "secrets_manager" { secrets_manager_name = "${local.prefix}${var.secrets_manager_instance_name}" sm_service_plan = var.service_plan sm_tags = var.secrets_manager_resource_tags - skip_iam_authorization_policy = var.skip_secrets_manager_certificate_engine_iam_authorization_policy + skip_iam_authorization_policy = var.skip_secrets_manager_certificate_engine_iam_auth_policy # kms dependency is_hpcs_key = local.is_hpcs_key kms_encryption_enabled = var.kms_encryption_enabled kms_key_crn = local.kms_key_crn - skip_kms_iam_authorization_policy = var.skip_secrets_manager_kms_iam_authorization_policy || local.create_cross_account_auth_policy + skip_kms_iam_authorization_policy = var.skip_secrets_manager_kms_iam_auth_policy || local.create_cross_account_auth_policy # event notifications dependency enable_event_notification = local.enable_event_notifications existing_en_instance_crn = var.existing_event_notifications_instance_crn - skip_en_iam_authorization_policy = var.skip_secrets_manager_event_notifications_iam_authorization_policy + skip_en_iam_authorization_policy = var.skip_secrets_manager_event_notifications_iam_auth_policy cbr_rules = var.secrets_manager_cbr_rules endpoint_type = var.secrets_manager_endpoint_type allowed_network = var.allowed_network diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index f65f6b01..86c5b576 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf 
@@ -76,7 +76,7 @@ variable "service_plan" { } } -variable "skip_secrets_manager_certificate_engine_iam_authorization_policy" { +variable "skip_secrets_manager_certificate_engine_iam_auth_policy" { type = bool description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service." default = false @@ -100,7 +100,7 @@ variable "secrets_manager_endpoint_type" { variable "allowed_network" { type = string - description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`." + description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-endpoints#service-endpoints)." default = "private-only" validation { condition = contains(["private-only", "public-and-private"], var.allowed_network) 
@@ -149,7 +149,7 @@ variable "secret_groups" { # Key Protect ######################################################################################################################## -variable "skip_secrets_manager_kms_iam_authorization_policy" { +variable "skip_secrets_manager_kms_iam_auth_policy" { type = bool description = "Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account." default = false @@ -249,7 +249,7 @@ variable "existing_event_notifications_instance_crn" { default = null } -variable "skip_secrets_manager_event_notifications_iam_authorization_policy" { +variable "skip_secrets_manager_event_notifications_iam_auth_policy" { type = bool description = "If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created." default = false diff --git a/solutions/security-enforced/README.md b/solutions/security-enforced/README.md index efcc9220..8acb63f1 100644 --- a/solutions/security-enforced/README.md +++ b/solutions/security-enforced/README.md 
@@ -47,9 +47,9 @@ No resources. | [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no | | [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(any)` | `[]` | no | | [service\_plan](#input\_service\_plan) | The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard). | `string` | n/a | yes | -| [skip\_secrets\_manager\_certificate\_engine\_iam\_authorization\_policy](#input\_skip\_secrets\_manager\_certificate\_engine\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. 
| `bool` | `false` | no | -| [skip\_secrets\_manager\_event\_notifications\_iam\_authorization\_policy](#input\_skip\_secrets\_manager\_event\_notifications\_iam\_authorization\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no | -| [skip\_secrets\_manager\_kms\_iam\_authorization\_policy](#input\_skip\_secrets\_manager\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no | +| [skip\_secrets\_manager\_certificate\_engine\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_certificate\_engine\_iam\_auth\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no | +| [skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. 
| `bool` | `false` | no | +| [skip\_secrets\_manager\_kms\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_kms\_iam\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no | ### Outputs diff --git a/solutions/security-enforced/main.tf b/solutions/security-enforced/main.tf index 17e9b455..eb127506 100644 --- a/solutions/security-enforced/main.tf +++ b/solutions/security-enforced/main.tf 
@@ -1,30 +1,30 @@
 module "secrets_manager" {
- source = "../fully-configurable"
- ibmcloud_api_key = var.ibmcloud_api_key
- existing_resource_group_name = var.existing_resource_group_name
- prefix = var.prefix
- provider_visibility = "private"
- region = var.region
- secrets_manager_instance_name = var.secrets_manager_instance_name
- existing_secrets_manager_crn = var.existing_secrets_manager_crn
- service_plan = var.service_plan
- skip_secrets_manager_certificate_engine_iam_authorization_policy = var.skip_secrets_manager_certificate_engine_iam_authorization_policy
- secrets_manager_resource_tags = var.secrets_manager_resource_tags
- secrets_manager_endpoint_type = "private"
- allowed_network = "private-only"
- skip_secrets_manager_kms_iam_authorization_policy = var.skip_secrets_manager_kms_iam_authorization_policy
- existing_secrets_manager_kms_key_crn = var.existing_secrets_manager_kms_key_crn
- kms_encryption_enabled = true
- existing_kms_instance_crn = var.existing_kms_instance_crn
- kms_endpoint_type = "private"
- kms_key_ring_name = var.kms_key_ring_name
- kms_key_name = var.kms_key_name
- ibmcloud_kms_api_key = var.ibmcloud_kms_api_key
- existing_event_notifications_instance_crn = var.existing_event_notifications_instance_crn
- skip_secrets_manager_event_notifications_iam_authorization_policy = var.skip_secrets_manager_event_notifications_iam_authorization_policy
- event_notifications_email_list = var.event_notifications_email_list
- event_notifications_from_email = var.event_notifications_from_email
- event_notifications_reply_to_email = var.event_notifications_reply_to_email
- secrets_manager_cbr_rules = var.secrets_manager_cbr_rules
- secret_groups = var.secret_groups
+ source = "../fully-configurable"
+ ibmcloud_api_key = var.ibmcloud_api_key
+ existing_resource_group_name = var.existing_resource_group_name
+ prefix = var.prefix
+ provider_visibility = "private"
+ region = var.region
+ secrets_manager_instance_name = var.secrets_manager_instance_name
+ existing_secrets_manager_crn = var.existing_secrets_manager_crn
+ service_plan = var.service_plan
+ skip_secrets_manager_certificate_engine_iam_auth_policy = var.skip_secrets_manager_certificate_engine_iam_auth_policy
+ secrets_manager_resource_tags = var.secrets_manager_resource_tags
+ secrets_manager_endpoint_type = "private"
+ allowed_network = "private-only"
+ skip_secrets_manager_kms_iam_auth_policy = var.skip_secrets_manager_kms_iam_auth_policy
+ existing_secrets_manager_kms_key_crn = var.existing_secrets_manager_kms_key_crn
+ kms_encryption_enabled = true
+ existing_kms_instance_crn = var.existing_kms_instance_crn
+ kms_endpoint_type = "private"
+ kms_key_ring_name = var.kms_key_ring_name
+ kms_key_name = var.kms_key_name
+ ibmcloud_kms_api_key = var.ibmcloud_kms_api_key
+ existing_event_notifications_instance_crn = var.existing_event_notifications_instance_crn
+ skip_secrets_manager_event_notifications_iam_auth_policy = var.skip_secrets_manager_event_notifications_iam_auth_policy
+ event_notifications_email_list = var.event_notifications_email_list
+ event_notifications_from_email = var.event_notifications_from_email
+ event_notifications_reply_to_email = var.event_notifications_reply_to_email
+ secrets_manager_cbr_rules = var.secrets_manager_cbr_rules
+ secret_groups = var.secret_groups
 }
diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf
index 93c7c45b..b4ab4ec5 100644
--- a/solutions/security-enforced/variables.tf
+++ b/solutions/security-enforced/variables.tf
@@ -65,7 +65,7 @@ variable "service_plan" { } } -variable "skip_secrets_manager_certificate_engine_iam_authorization_policy" { +variable "skip_secrets_manager_certificate_engine_iam_auth_policy" { type = bool description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service." default = false @@ -117,7 +117,7 @@ variable "secret_groups" { # Key Protect ######################################################################################################################## -variable "skip_secrets_manager_kms_iam_authorization_policy" { +variable "skip_secrets_manager_kms_iam_auth_policy" { type = bool description = "Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account." default = false @@ -181,7 +181,7 @@ variable "existing_event_notifications_instance_crn" { default = null } -variable "skip_secrets_manager_event_notifications_iam_authorization_policy" { +variable "skip_secrets_manager_event_notifications_iam_auth_policy" { type = bool description = "If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created." default = false From 188410d2e51dadc1d741abab8fecbd1c08fc7b63 Mon Sep 17 00:00:00 2001 
From: Alex Reiff Date: Tue, 20 May 2025 11:17:46 -0400 Subject: [PATCH 4/4] more feedback --- ibm_catalog.json | 4 ++-- solutions/fully-configurable/README.md | 2 +- solutions/fully-configurable/main.tf | 2 +- solutions/fully-configurable/variables.tf | 2 +- solutions/security-enforced/README.md | 2 +- solutions/security-enforced/main.tf | 2 +- solutions/security-enforced/variables.tf | 2 +- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index 59fd03f9..1981efd3 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -192,7 +192,7 @@ } }, { - "key": "skip_secrets_manager_certificate_engine_iam_auth_policy" + "key": "skip_secrets_manager_iam_auth_policy" }, { "key": "allowed_network", @@ -424,7 +424,7 @@ } }, { - "key": "skip_secrets_manager_certificate_engine_iam_auth_policy" + "key": "skip_secrets_manager_iam_auth_policy" }, { "key": "existing_resource_group_name", diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index 2285b300..fed29a39 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md 
@@ -73,8 +73,8 @@ This solution supports the following: | [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no | | [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(any)` | `[]` | no | | [service\_plan](#input\_service\_plan) | The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard). | `string` | n/a | yes | -| [skip\_secrets\_manager\_certificate\_engine\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_certificate\_engine\_iam\_auth\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. 
| `bool` | `false` | no | | [skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no | +| [skip\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_iam\_auth\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no | | [skip\_secrets\_manager\_kms\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_kms\_iam\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no | ### Outputs diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 71e53c02..6cd6ae7c 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf 
@@ -174,7 +174,7 @@ module "secrets_manager" { secrets_manager_name = "${local.prefix}${var.secrets_manager_instance_name}" sm_service_plan = var.service_plan sm_tags = var.secrets_manager_resource_tags - skip_iam_authorization_policy = var.skip_secrets_manager_certificate_engine_iam_auth_policy + skip_iam_authorization_policy = var.skip_secrets_manager_iam_auth_policy # kms dependency is_hpcs_key = local.is_hpcs_key kms_encryption_enabled = var.kms_encryption_enabled diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 86c5b576..1fa319d3 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -76,7 +76,7 @@ variable "service_plan" { } } -variable "skip_secrets_manager_certificate_engine_iam_auth_policy" { +variable "skip_secrets_manager_iam_auth_policy" { type = bool description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service." default = false diff --git a/solutions/security-enforced/README.md b/solutions/security-enforced/README.md index 8acb63f1..ac6040b3 100644 --- a/solutions/security-enforced/README.md +++ b/solutions/security-enforced/README.md 
@@ -47,8 +47,8 @@ No resources.
 | [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no |
 | [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(any)` | `[]` | no |
 | [service\_plan](#input\_service\_plan) | The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard). | `string` | n/a | yes |
-| [skip\_secrets\_manager\_certificate\_engine\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_certificate\_engine\_iam\_auth\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
 | [skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no |
+| [skip\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_iam\_auth\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
 | [skip\_secrets\_manager\_kms\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_kms\_iam\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no |
 
 ### Outputs
diff --git a/solutions/security-enforced/main.tf b/solutions/security-enforced/main.tf
index eb127506..ae0da3cc 100644
--- a/solutions/security-enforced/main.tf
+++ b/solutions/security-enforced/main.tf
@@ -8,7 +8,7 @@ module "secrets_manager" {
 secrets_manager_instance_name = var.secrets_manager_instance_name
 existing_secrets_manager_crn = var.existing_secrets_manager_crn
 service_plan = var.service_plan
- skip_secrets_manager_certificate_engine_iam_auth_policy = var.skip_secrets_manager_certificate_engine_iam_auth_policy
+ skip_secrets_manager_iam_auth_policy = var.skip_secrets_manager_iam_auth_policy
 secrets_manager_resource_tags = var.secrets_manager_resource_tags
 secrets_manager_endpoint_type = "private"
 allowed_network = "private-only"
diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf
index b4ab4ec5..29f32ca7 100644
--- a/solutions/security-enforced/variables.tf
+++ b/solutions/security-enforced/variables.tf
@@ -65,7 +65,7 @@ variable "service_plan" {
 }
 }
 
-variable "skip_secrets_manager_certificate_engine_iam_auth_policy" {
+variable "skip_secrets_manager_iam_auth_policy" {
 type = bool
 description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service."
 default = false