diff --git a/cra-config.yaml b/cra-config.yaml
index 09907102..094d2116 100644
--- a/cra-config.yaml
+++ b/cra-config.yaml
@@ -9,5 +9,5 @@ CRA_TARGETS:
 TF_VAR_kms_encryption_enabled: "true"
 TF_VAR_existing_resource_group_name: "geretain-test-secrets-manager"
 TF_VAR_provider_visibility: "public"
- TF_VAR_prefix: "test"
+ TF_VAR_prefix: "test-fc"
 TF_VAR_service_plan: "trial"
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 1981efd3..aaefb8d5 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -20,34 +20,34 @@ "solution" ], "short_description": "Creates and configures a Secrets Manager instance.", - "long_description": "This deployable architecture is used to provision and configure an [IBM Cloud Secrets Manager](https://www.ibm.com/products/secrets-manager) instance. Centrally manage your secrets in a single-tenant, dedicated instance. This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) asset collection, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", + "long_description": "This deployable architecture is used to provision and configure an [IBM Cloud Secrets Manager](https://www.ibm.com/products/secrets-manager) instance. This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. 
These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.", "offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/README.md", "offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager/main/images/secrets_manager.svg", "provider_name": "IBM", "features": [ { "title": "Creates a Secrets Manager instance.", - "description": "Creates an IBM Secrets Manager instance." + "description": "Get started with Secrets Manager by creating an instance. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-getting-started)." }, { "title": "Create secret groups.", - "description": "Optionally create secret groups inside your IBM Secrets Manager instance." + "description": "Secret groups help you to organize and manage your secrets. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-secret-groups&interface=ui)." }, { - "title": "Create access groups for your secret groups.", - "description": "Optionally create access groups for the secret groups inside your IBM Secrets Manager instance." + "title": "Manage access to your secrets.", + "description": "Manage access for secret groups by creating access groups. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-assign-access#assign-access-secret-group-console)." 
}, { - "title": "Optionally configure an IBM Secrets Manager IAM credentials engine to an IBM Secrets Manager instance.", - "description": "Optionally configure an IBM Secrets Manager IAM credentials engine to an IBM Secrets Manager instance." + "title": "Configure an IAM credentials engine.", + "description": "An IAM credentials engine can be used to manage the lifecycle of your IBM Cloud resources through Secrets Manager. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-configure-iam-engine&interface=ui)." }, { "title": "Sets up authorization policy.", "description": "Sets up IBM IAM authorization policy between IBM Secrets Manager instance and IBM Key Management Service (KMS) instance. It also supports Event Notification authorization policy." }, { - "title": "Configures lifecycle notifications for the Secrets Manager instance.", - "description": "Configures lifecycle notifications for the IBM Secrets Manager instance by connecting an IBM Event Notifications service. The automation supports optionally creating a KMS key ring and key, or using an already existing one to encrypt data." + "title": "Configures lifecycle notifications.", + "description": "Optionally, you can choose to configure lifecycle notifications by integrating the Event Notifications service. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-event-notifications&interface=ui)." } ], "support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/issues](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/issues). Please note this product is not supported via the IBM Cloud Support Center.", 
@@ -136,7 +136,7 @@
 },
 {
 "key": "existing_resource_group_name",
- "required": true,
+ "display_name": "resource_group",
 "custom_config": {
 "type": "resource_group",
 "grouping": "deployment",
@@ -148,7 +148,6 @@
 },
 {
 "key": "provider_visibility",
- "hidden": true,
 "options": [
 {
 "displayname": "private",
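Review bot: Removing `"required": true` from `existing_resource_group_name` leaves the catalog UI with no enforcement of a value for this flavor, while the only thing that now fills it automatically is the optional `deploy-arch-ibm-account-infra-base` dependency added later in this file, which is `"on_by_default": false`. Unless the Terraform variable carries its own validation (its variables.tf declaration is not in this diff), an empty resource group name would surface only at plan time; if the intent is that the dependency supplies it, a `validation` rule on the variable or keeping `required` would make that explicit. The same change is made for the security-enforced flavor in the `-411` hunk. Unhiding `provider_visibility` in the `-148` hunk is consistent with the new `reference_version` mapping for that input in the dependency list.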
@@ -265,51 +264,84 @@ "key": "existing_secrets_manager_crn" } ], + "iam_permissions": [ + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator", + "crn:v1:bluemix:public:iam::::serviceRole:Manager" + ], + "service_name": "secrets-manager", + "notes": "[Optional] Required if you are creating an Secrets Manager instance. 'Manager' access required to create new secret groups." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "event-notifications", + "notes": "[Optional] Required if you are configuring an Event Notifications Instance." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "sysdig-monitor", + "notes": "[Optional] Required if you are consuming the Observability deployable architecture which sets up Cloud Monitoring." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "logs", + "notes": "[Optional] Required if you are consuming the Observability deployable architecture which sets up Cloud Logs." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "hs-crypto", + "notes": "[Optional] Required if you are creating/configuring keys in an existing Hyper Protect Crypto Services (HPCS) instance for encryption." + }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::serviceRole:Manager", + "crn:v1:bluemix:public:iam::::role:Editor" + ], + "service_name": "kms", + "notes": "[Optional] Required if you are creating/configuring Key Protect instance and keys for encryption." 
+ }, + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator" + ], + "service_name": "iam-identity", + "notes": "[Optional] Required if Cloud automation for account configuration is enabled." + } + ], "architecture": { "features": [ { - "title": "Secrets manager instance creation", - "description": "Yes" + "title": "Creates or configures an IBM Cloud Secrets Manager instance", + "description": "Creates a Secrets Manager instance. Optionally, configures an exising Secrets Manager instance." }, { - "title": "Use existing secrets manager instance", - "description": "Yes" + "title": "Creates secret groups", + "description": "Provisioning secrets groups inside a new or pre-existing Secrets Manager instance." }, { - "title": "New resource group creation", - "description": "No" + "title": "Creates key rings and keys", + "description": "Configuring KMS encryption using a newly created key, or passing an existing key." }, { - "title": "Use existing resource group", - "description": "Yes" + "title": "Creates access groups", + "description": "Provisioning access groups to the secrets groups of the Secrets Manager instance." }, { - "title": "Enforced private-only endpoint communication", - "description": "No" - }, - { - "title": "Enforced KMS encryption", - "description": "No" - }, - { - "title": "KMS instance creation", - "description": "No" - }, - { - "title": "KMS key ring and key creation", - "description": "Yes" - }, - { - "title": "Use existing KMS key", - "description": "Yes" - }, - { - "title": "IAM s2s auth policies creation", - "description": "Yes" - }, - { - "title": "Event Notifications integration", - "description": "Yes" + "title": "Configures event notifications", + "description": "Configures lifecycle notifications for the Secrets Manager instance using the Event Notifications service." } ], "diagrams": [ 
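Review bot: The `secrets-manager` entry in the new `iam_permissions` block asks for the platform `Administrator` role but its `notes` only explain the `Manager` service role; since the features list in this same file says the flavor also creates IAM authorization policies towards KMS and Event Notifications, it is presumably that policy creation that needs `Administrator`, and saying so keeps consumers from granting a broader role than they understand. Suggested wording: `"notes": "[Optional] Required if you are creating a Secrets Manager instance. 'Administrator' is needed to create the service-to-service authorization policies to KMS and Event Notifications; 'Manager' access is required to create new secret groups."` (confirm that is indeed what drives the Administrator requirement). Same hunk: `"an Secrets Manager"` in that note and `"exising"` in the first architecture feature description are typos.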
@@ -319,10 +351,128 @@ "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager/main/reference-architecture/secrets_manager.svg", "type": "image/svg+xml" }, - "description": "This architecture supports creating and configuring IBM Secrets Manager instance." + "description": "This architecture supports creating and configuring a Secrets Manager instance." } ] - } + }, + "dependencies": [ + { + "name": "deploy-arch-ibm-account-infra-base", + "description": "Cloud automation for account configuration organizes your IBM Cloud account with a ready-made set of resource groups by default. When you enable the “with account settings” option, it also applies baseline security and governance settings.", + "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", + "flavors": [ + "resource-group-only", + "resource-groups-with-account-settings" + ], + "default_flavour": "resource-group-only", + "id": "63641cec-6093-4b4f-b7b0-98d2f4185cd6-global", + "input_mapping": [ + { + "dependency_input": "prefix", + "version_input": "prefix", + "reference_version": true + }, + { + "dependency_output": "security_resource_group_name", + "version_input": "existing_resource_group_name" + }, + { + "dependency_input": "provider_visibility", + "version_input": "provider_visibility", + "reference_version": true + } + ], + "optional": true, + "on_by_default": false, + "version": "v3.0.7" + }, + { + "name": "deploy-arch-ibm-kms", + "id": "2cad4789-fa90-4886-9c9e-857081c273ee-global", + "description": "Enable Cloud automation for Key Protect to use your own managed encryption keys. 
If disabled, IBM Cloud's default service-managed encryption is used.", + "flavors": [ + "fully-configurable" + ], + "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", + "input_mapping": [ + { + "dependency_output": "kms_instance_crn", + "version_input": "existing_kms_instance_crn" + }, + { + "version_input": "kms_encryption_enabled", + "value": true + }, + { + "dependency_input": "prefix", + "version_input": "prefix", + "reference_version": true + }, + { + "dependency_input": "region", + "version_input": "region", + "reference_version": true + } + ], + "optional": true, + "on_by_default": true, + "version": "v5.1.4" + }, + { + "name": "deploy-arch-ibm-observability", + "description": "Enable to provisions and configures IBM Cloud Monitoring, Activity Tracker, and Log Analysis services for analysing events generated from the Events Notification instance.", + "flavors": [ + "instances" + ], + "id": "a3137d28-79e0-479d-8a24-758ebd5a0eab-global", + "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", + "input_mapping": [ + { + "dependency_input": "prefix", + "version_input": "prefix", + "reference_version": true + }, + { + "dependency_input": "region", + "version_input": "region", + "reference_version": true + } + ], + "optional": true, + "on_by_default": true, + "version": "v3.0.3" + }, + { + "name": "deploy-arch-ibm-event-notifications", + "description": "Enable Cloud Automation for Event Notifications to configure lifecycle notifications for your Secrets Manager instance.", + "catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3", + "flavors": [ + "fully-configurable" + ], + "id": "c7ac3ee6-4f48-4236-b974-b0cd8c624a46-global", + "input_mapping": [ + { + "dependency_output": "crn", + "version_input": "existing_event_notifications_instance_crn" + }, + { + "dependency_input": "prefix", + "version_input": "prefix", + "reference_version": true + }, + { + "dependency_input": "region", + "version_input": "region", + "reference_version": true + } + ], + "optional": true, 
+ "on_by_default": true, + "version": "v2.3.7" + } + ], + "dependency_version_2": true, + "terraform_version": "1.10.5" }, { "label": "Security-enforced", @@ -411,33 +561,33 @@ "required": true }, { - "key": "secrets_manager_instance_name" - }, - { - "key": "secrets_manager_resource_tags", + "key": "existing_resource_group_name", + "display_name": "resource_group", "custom_config": { + "type": "resource_group", "grouping": "deployment", "original_grouping": "deployment", "config_constraints": { - "type": "string" + "identifier": "rg_name" } } }, { - "key": "skip_secrets_manager_iam_auth_policy" + "key": "secrets_manager_instance_name" }, { - "key": "existing_resource_group_name", - "required": true, + "key": "secrets_manager_resource_tags", "custom_config": { - "type": "resource_group", "grouping": "deployment", "original_grouping": "deployment", "config_constraints": { - "identifier": "rg_name" + "type": "string" } } }, + { + "key": "skip_secrets_manager_iam_auth_policy" + }, { "key": "existing_secrets_manager_kms_key_crn" }, @@ -486,6 +636,16 @@ "key": "existing_secrets_manager_crn" } ], + "iam_permissions": [ + { + "role_crns": [ + "crn:v1:bluemix:public:iam::::role:Administrator", + "crn:v1:bluemix:public:iam::::serviceRole:Manager" + ], + "service_name": "secrets-manager", + "notes": "[Optional] Required if you are creating an IBM Cloud Secrets Manager instance. 'Manager' access required to create new secret groups." + } + ], "architecture": { "features": [ { @@ -543,7 +703,8 @@ "description": "This architecture supports creating and configuring IBM Secrets Manager instance." } ] - } + }, + "terraform_version": "1.10.5" } ] } diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index d7c7674c..85c4c947 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md 
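Review bot: The `deploy-arch-ibm-observability` description in the new `dependencies` list reads as copied from the Event Notifications offering: `Enable to provisions and configures ... for analysing events generated from the Events Notification instance.` is ungrammatical and names a different service than the one this architecture deploys. Something like `Enable to provision and configure IBM Cloud Monitoring, Activity Tracker and Log Analysis for analysing events generated by the Secrets Manager instance.` would fit, if that is the intended scope. The `deploy-arch-ibm-account-infra-base` description uses typographic quotes (`“with account settings”`) where the rest of the file uses plain ASCII; worth normalising for consistency.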
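Review bot: The security-enforced flavor's `iam_permissions` (hunk `-486`) lists only `secrets-manager`, yet that flavor takes `existing_secrets_manager_kms_key_crn` (hunk `-411`) and its tests in tests/pr_test.go pass an HPCS `existing_kms_instance_crn`, so a consumer deploying it presumably also needs the `hs-crypto`/`kms` roles, and the `event-notifications` role, that the fully-configurable flavor declares. If the security-enforced solution wraps the same module (not visible in this diff), mirror those entries here so the permission list is not misleading. Its `notes` text also repeats the `Administrator` role without saying what it is for, and has the same `"an IBM Cloud Secrets Manager"` wording issue as the fully-configurable entry.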
@@ -67,7 +67,7 @@ This solution supports the following: | [prefix](#input\_prefix) | The prefix to add to all resources created by this solution. To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes | | [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no | | [region](#input\_region) | The region to provision resources to. | `string` | `"us-south"` | no | -| [secret\_groups](#input\_secret\_groups) | Secret Manager secret group and access group configurations. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md). |
list(object({
secret_group_name = string
secret_group_description = optional(string)
create_access_group = optional(bool, true)
access_group_name = optional(string)
access_group_roles = optional(list(string), ["SecretsReader"])
access_group_tags = optional(list(string))
}))
|
[
{
"access_group_name": "general-secrets-group-access-group",
"access_group_roles": [
"SecretsReader"
],
"create_access_group": true,
"secret_group_description": "A general purpose secrets group with an associated access group which has a secrets reader role",
"secret_group_name": "General"
}
]
| no | +| [secret\_groups](#input\_secret\_groups) | Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md). |
list(object({
secret_group_name = string
secret_group_description = optional(string)
create_access_group = optional(bool, true)
access_group_name = optional(string)
access_group_roles = optional(list(string), ["SecretsReader"])
access_group_tags = optional(list(string))
}))
|
[
{
"access_group_name": "general-secrets-group-access-group",
"access_group_roles": [
"SecretsReader"
],
"create_access_group": true,
"secret_group_description": "A general purpose secrets group with an associated access group which has a secrets reader role",
"secret_group_name": "General"
}
]
| no | | [secrets\_manager\_cbr\_rules](#input\_secrets\_manager\_cbr\_rules) | (Optional, list) List of CBR rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/solutions/fully-configurable/DA-cbr_rules.md) |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no | | [secrets\_manager\_endpoint\_type](#input\_secrets\_manager\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"private"` | no | | [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no | diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index c726a74d..46edcc37 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -163,6 +163,11 @@ locals { secrets_manager_crn = var.existing_secrets_manager_crn != null ? var.existing_secrets_manager_crn : module.secrets_manager.secrets_manager_crn secrets_manager_region = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[5] : null) : module.secrets_manager.secrets_manager_region enable_event_notifications = var.existing_event_notifications_instance_crn != null ? true : false + secret_groups_with_prefix = [ + for group in var.secret_groups : merge(group, { + access_group_name = group.access_group_name != null ? "${local.prefix}${group.access_group_name}" : null + }) + ] } module "secrets_manager" { @@ -187,7 +192,7 @@ module "secrets_manager" { cbr_rules = var.secrets_manager_cbr_rules endpoint_type = var.secrets_manager_endpoint_type allowed_network = var.allowed_network - secrets = var.secret_groups + secrets = local.secret_groups_with_prefix } data "ibm_resource_instance" "existing_sm" { 
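Review bot: The new `secret_groups_with_prefix` local only prefixes an `access_group_name` the caller supplied; a group that leaves it null falls back to the module's own default name (documented in the provisioning_secrets_groups.md hunk of this diff as ending in `-access-group`), which receives no prefix and so still collides when two deployments in the same account use the same default group — the very problem the removed `// this needs to be unique` test helper worked around. If the module's default is derived from `secret_group_name`, consider deriving the prefixed default here as well, e.g. `access_group_name = group.access_group_name != null ? "${local.prefix}${group.access_group_name}" : (group.create_access_group ? "${local.prefix}${group.secret_group_name}-access-group" : null)` (confirm against the module source, which is not in this diff). `local.prefix` is defined outside the hunk; the README wording "`-value` format" suggests it already carries the trailing `-`, which is worth confirming since the removed Go helper built `prefix + "-..."` explicitly. The `locals` block starts before this hunk.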
diff --git a/solutions/fully-configurable/provisioning_secrets_groups.md b/solutions/fully-configurable/provisioning_secrets_groups.md index 0a5a33f6..56ae7f3e 100644 --- a/solutions/fully-configurable/provisioning_secrets_groups.md +++ b/solutions/fully-configurable/provisioning_secrets_groups.md @@ -28,6 +28,6 @@ It is a list of objects, so you can specify as many secrets groups as you wish. - `secret_group_name` (required) - the name of secrets group - `secret_group_description` (optional, default = `null`) - the description of secrets group - `create_access_group` (optional, default = `false`) - Whether to create an access group associated to this secrets group -- `access_group_name` (optional, default = `null`) - Name of the access group to create. If you are creating an access group and a name is not passed, the name will become `-access-group` +- `access_group_name` (optional, default = `null`) - Name of the access group to create. If you are creating an access group and a name is not passed, the name will become `-access-group`. If a prefix input variable is specified, it is added to the value in the `-value` format. - `access_group_roles` (optional, default = `null`) - The list of roles to give to the created access group. If `create_access_group` is true, there must be a value here. Valid values: ["Reader", "Writer", "Manager", "SecretsReader", "Viewer", "Operator", "Editor", "Administrator", "Service Configuration Reader", "Key Manager"] - `access_group_tags` (optional, default = `[]`) - Tags that should be applied to the access group. diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 1fa319d3..eeb64d7e 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf 
@@ -117,7 +117,7 @@ variable "secret_groups" { access_group_roles = optional(list(string), ["SecretsReader"]) access_group_tags = optional(list(string)) })) - description = "Secret Manager secret group and access group configurations. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md)." + description = "Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md)." nullable = false default = [ { diff --git a/solutions/security-enforced/README.md b/solutions/security-enforced/README.md index ac6040b3..a18d88d6 100644 --- a/solutions/security-enforced/README.md +++ b/solutions/security-enforced/README.md @@ -42,7 +42,7 @@ No resources. | [kms\_key\_ring\_name](#input\_kms\_key\_ring\_name) | The name for the new key ring to store the key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. If a prefix input variable is passed, it is added to the value in the `-value` format. . | `string` | `"secrets-manager-key-ring"` | no | | [prefix](#input\_prefix) | The prefix to add to all resources created by this solution. To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes | | [region](#input\_region) | The region to provision resources to. | `string` | `"us-south"` | no | -| [secret\_groups](#input\_secret\_groups) | Secret Manager secret group and access group configurations. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md). |
list(object({
secret_group_name = string
secret_group_description = optional(string)
create_access_group = optional(bool, true)
access_group_name = optional(string)
access_group_roles = optional(list(string), ["SecretsReader"])
access_group_tags = optional(list(string))
}))
|
[
{
"access_group_name": "general-secrets-group-access-group",
"access_group_roles": [
"SecretsReader"
],
"create_access_group": true,
"secret_group_description": "A general purpose secrets group with an associated access group which has a secrets reader role",
"secret_group_name": "General"
}
]
| no | +| [secret\_groups](#input\_secret\_groups) | Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md). |
list(object({
secret_group_name = string
secret_group_description = optional(string)
create_access_group = optional(bool, true)
access_group_name = optional(string)
access_group_roles = optional(list(string), ["SecretsReader"])
access_group_tags = optional(list(string))
}))
|
[
{
"access_group_name": "general-secrets-group-access-group",
"access_group_roles": [
"SecretsReader"
],
"create_access_group": true,
"secret_group_description": "A general purpose secrets group with an associated access group which has a secrets reader role",
"secret_group_name": "General"
}
]
| no | | [secrets\_manager\_cbr\_rules](#input\_secrets\_manager\_cbr\_rules) | (Optional, list) List of CBR rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/solutions/fully-configurable/DA-cbr_rules.md) |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no | | [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no | | [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(any)` | `[]` | no | diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf index 29f32ca7..9a753d9b 100644 --- a/solutions/security-enforced/variables.tf +++ b/solutions/security-enforced/variables.tf @@ -86,7 +86,7 @@ variable "secret_groups" { access_group_roles = optional(list(string), ["SecretsReader"]) access_group_tags = optional(list(string)) })) - description = "Secret Manager secret group and access group configurations. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md)." + description = "Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md)." nullable = false default = [ { diff --git a/tests/pr_test.go b/tests/pr_test.go index b5711e0e..1801e2ed 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go 
@@ -40,18 +40,6 @@ var validRegions = []string{
 // "au-syd",
 }
 
-func _secret_group_config(prefix string) []map[string]interface{} {
- var secretGroupConfig = []map[string]interface{}{
- {
- "secret_group_name": "General",
- "secret_group_description": "default description",
- "create_access_group": true,
- "access_group_name": prefix + "-general-secrets-group-access-group", // this needs to be unique
- "access_group_roles": []string{"SecretsReader"},
- }}
- return secretGroupConfig
-}
-
 // TestMain will be run before any parallel tests, used to read data from yaml for use with tests
 func TestMain(m *testing.M) {
 
@@ -108,7 +96,6 @@ func TestRunFullyConfigurableSchematics(t *testing.T) {
 {Name: "region", Value: validRegions[rand.Intn(len(validRegions))], DataType: "string"},
 {Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"},
 {Name: "service_plan", Value: "trial", DataType: "string"},
- {Name: "secret_groups", Value: _secret_group_config(options.Prefix), DataType: "list(object)"},
 }
 
 err := options.RunSchematicTest()
@@ -179,7 +166,6 @@ func TestRunExistingResourcesInstancesFullyConfigurable(t *testing.T) {
 {Name: "existing_secrets_manager_kms_key_crn", Value: terraform.Output(t, existingTerraformOptions, "secrets_manager_kms_key_crn"), DataType: "string"},
 {Name: "kms_encryption_enabled", Value: true, DataType: "bool"},
 {Name: "service_plan", Value: "trial", DataType: "string"},
- {Name: "secret_groups", Value: _secret_group_config(options.Prefix), DataType: "list(object)"},
 }
 
 err := options.RunSchematicTest()
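Review bot: Dropping the per-test `secret_groups` override (this hunk and the ones at `-108`, `-179`, `-256`, `-334` and `-409`) makes every Schematics run send the variable default with `access_group_name: "general-secrets-group-access-group"`, so uniqueness of the account-wide access group name now rests entirely on the new `secret_groups_with_prefix` local in solutions/fully-configurable/main.tf. That covers the fully-configurable tests, but `TestRunSecurityEnforcedSchematics` and `TestRunSecretsManagerSecurityEnforcedUpgradeSchematic` drive the security-enforced solution, whose main.tf is not touched in this diff; unless it delegates to the fully-configurable solution, concurrent runs would collide as the removed `// this needs to be unique` comment warned. The upgrade test deserves a second look regardless: its pre-upgrade apply runs the base version, which lacks the prefix logic and would therefore create the unprefixed default access group. Keeping a prefixed `secret_groups` input for those two tests, or a comment stating why the default is safe, would make the intent clear.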
@@ -256,7 +242,6 @@ func TestRunExistingSMInstanceFullyConfigurable(t *testing.T) {
 {Name: "existing_resource_group_name", Value: terraform.Output(t, existingTerraformOptions, "resource_group_name"), DataType: "string"},
 {Name: "existing_secrets_manager_crn", Value: terraform.Output(t, existingTerraformOptions, "secrets_manager_crn"), DataType: "string"},
 {Name: "service_plan", Value: "trial", DataType: "string"},
- {Name: "secret_groups", Value: _secret_group_config(options.Prefix), DataType: "list(object)"},
 }
 
 err := options.RunSchematicTest()
@@ -334,7 +319,6 @@ func TestRunSecurityEnforcedSchematics(t *testing.T) {
 {Name: "existing_resource_group_name", Value: terraform.Output(t, existingTerraformOptions, "resource_group_name"), DataType: "string"},
 {Name: "service_plan", Value: "trial", DataType: "string"},
 {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
- {Name: "secret_groups", Value: _secret_group_config(options.Prefix), DataType: "list(object)"},
 }
 err := options.RunSchematicTest()
 assert.NoError(t, err, "Schematic Test had unexpected error")
@@ -409,7 +393,6 @@ func TestRunSecretsManagerSecurityEnforcedUpgradeSchematic(t *testing.T) {
 {Name: "existing_resource_group_name", Value: terraform.Output(t, existingTerraformOptions, "resource_group_name"), DataType: "string"},
 {Name: "service_plan", Value: "trial", DataType: "string"},
 {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
- {Name: "secret_groups", Value: _secret_group_config(options.Prefix), DataType: "list(object)"},
 }
 
 err := options.RunSchematicUpgradeTest()