2 changes: 1 addition & 1 deletion cra-config.yaml
Expand Up @@ -9,5 +9,5 @@ CRA_TARGETS:
TF_VAR_kms_encryption_enabled: "true"
TF_VAR_existing_resource_group_name: "geretain-test-secrets-manager"
TF_VAR_provider_visibility: "public"
TF_VAR_prefix: "test"
TF_VAR_prefix: "test-fc"
TF_VAR_service_plan: "trial"
279 changes: 222 additions & 57 deletions ibm_catalog.json
Expand Up @@ -19,35 +19,35 @@
"terraform",
"solution"
],
"short_description": "Creates and configures a Secrets Manager instance.",
"long_description": "This deployable architecture is used to provision and configure an [IBM Cloud Secrets Manager](https://www.ibm.com/products/secrets-manager) instance. Centrally manage your secrets in a single-tenant, dedicated instance. This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) asset collection, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.",
"short_description": "Creates and configures an IBM Cloud Secrets Manager instance.",
"long_description": "This deployable architecture is used to provision and configure an [IBM Cloud Secrets Manager](https://www.ibm.com/products/secrets-manager) instance. This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) asset collection, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.",
"offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/README.md",
"offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager/main/images/secrets_manager.svg",
"provider_name": "IBM",
"features": [
{
"title": "Creates a Secrets Manager instance.",
"description": "Creates an IBM Secrets Manager instance."
"description": "For more details on an IBM Cloud Secrets Manager instance, [see here](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-getting-started)."
},
{
"title": "Create secret groups.",
"description": "Optionally create secret groups inside your IBM Secrets Manager instance."
"description": "For more details on creating optional secret groups inside the Secrets Manager instance, [see here](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-secret-groups&interface=ui)."
},
{
"title": "Create access groups for your secret groups.",
"description": "Optionally create access groups for the secret groups inside your IBM Secrets Manager instance."
"description": "For more details on optional configuring access groups for the secret groups, [see here](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-assign-access#assign-access-secret-group-console)."
},
{
"title": "Optionally configure an IBM Secrets Manager IAM credentials engine to an IBM Secrets Manager instance.",
"description": "Optionally configure an IBM Secrets Manager IAM credentials engine to an IBM Secrets Manager instance."
"title": "Configure an IAM credentials engine to an IBM Secrets Manager instance.",
"description": "For more details on optionally configure an IBM Secrets Manager IAM credentials engine to an IBM Secrets Manager instance, [see here](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-configure-iam-engine&interface=ui)."
},
{
"title": "Sets up authorization policy.",
"description": "Sets up IBM IAM authorization policy between IBM Secrets Manager instance and IBM Key Management Service (KMS) instance. It also supports Event Notification authorization policy."
},
{
"title": "Configures lifecycle notifications for the Secrets Manager instance.",
"description": "Configures lifecycle notifications for the IBM Secrets Manager instance by connecting an IBM Event Notifications service. The automation supports optionally creating a KMS key ring and key, or using an already existing one to encrypt data."
"title": "Configures lifecycle notifications for the Secrets Manager instance using an IBM Event Notifications service.",
"description": "For more details on optionally configuring lifecycle notifications for the IBM Secrets Manager instance by connecting an IBM Event Notifications service, [see here](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-event-notifications&interface=ui). The automation supports optionally creates a KMS key ring and key, or using an already existing one to encrypt data."
}
],
"support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in that repository [https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/issues](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/issues). Please note this product is not supported via the IBM Cloud Support Center.",
Expand Down Expand Up @@ -136,7 +136,7 @@
},
{
"key": "existing_resource_group_name",
"required": true,
"display_name": "resource_group",
"custom_config": {
"type": "resource_group",
"grouping": "deployment",
Expand All @@ -148,7 +148,6 @@
},
{
"key": "provider_visibility",
"hidden": true,
"options": [
{
"displayname": "private",
Expand Down Expand Up @@ -265,51 +264,84 @@
"key": "existing_secrets_manager_crn"
}
],
"iam_permissions": [
{
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator",
"crn:v1:bluemix:public:iam::::serviceRole:Manager"
],
"service_name": "secrets-manager",
"notes": "[Optional] Required if you are creating an IBM Cloud Secrets Manager instance. 'Manager' access required if new secrets group creation is needed."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
],
"service_name": "event-notifications",
"notes": "[Optional] Required if you are configuring an Event Notifications Instance."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
],
"service_name": "sysdig-monitor",
"notes": "[Optional] Required if you are consuming Observability DA which sets up Cloud monitoring."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
],
"service_name": "logs",
"notes": "[Optional] Required if you are consuming Observability DA which sets up Cloud logs."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
],
"service_name": "hs-crypto",
"notes": "[Optional] Required if you are creating/configuring keys in an existing Hyper Protect Crypto Services (HPCS) instance for encryption."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
],
"service_name": "kms",
"notes": "[Optional] Required if you are creating/configuring Key Protect (KP) instance and keys for encryption."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator"
],
"service_name": "iam-identity",
"notes": "[Optional] Required if Cloud automation for account configuration is enabled."
}
],
"architecture": {
"features": [
{
"title": "Secrets manager instance creation",
"description": "Yes"
"title": "Creates or configures an IBM Cloud Secrets Manager instance",
"description": "Creates a Secrets Manager instance. Optionally, configures an exising Secrets Manager instance."
},
{
"title": "Use existing secrets manager instance",
"description": "Yes"
"title": "Creates secret groups",
"description": "Provisioning secrets groups inside a new or pre-existing Secrets Manager instance."
},
{
"title": "New resource group creation",
"description": "No"
"title": "Creates key rings and keys",
"description": "Configuring KMS encryption using a newly created key, or passing an existing key."
},
{
"title": "Use existing resource group",
"description": "Yes"
"title": "Creates access groups",
"description": "Provisioning access groups to the secrets groups of the Secrets Manager instance."
},
{
"title": "Enforced private-only endpoint communication",
"description": "No"
},
{
"title": "Enforced KMS encryption",
"description": "No"
},
{
"title": "KMS instance creation",
"description": "No"
},
{
"title": "KMS key ring and key creation",
"description": "Yes"
},
{
"title": "Use existing KMS key",
"description": "Yes"
},
{
"title": "IAM s2s auth policies creation",
"description": "Yes"
},
{
"title": "Event Notifications integration",
"description": "Yes"
"title": "Integrates an Event Notifications service",
"description": "Configures lifecycle notifications for the Secrets Manager instance using an IBM Event Notifications service."
}
],
"diagrams": [
Expand All @@ -322,7 +354,129 @@
"description": "This architecture supports creating and configuring IBM Secrets Manager instance."
}
]
}
},
"dependencies": [
{
"name": "deploy-arch-ibm-account-infra-base",
"description": "Cloud automation for Account Configuration organizes your IBM Cloud account with a ready-made set of resource groups by default—and, when you enable the “with Account Settings” option, it also applies baseline security and governance settings.",
"catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3",
"flavors": [
"resource-group-only",
"resource-groups-with-account-settings"
],
"default_flavour": "resource-group-only",
"id": "63641cec-6093-4b4f-b7b0-98d2f4185cd6-global",
"input_mapping": [
{
"dependency_input": "prefix",
"version_input": "prefix",
"reference_version": true
},
{
"dependency_output": "security_resource_group_name",
"version_input": "existing_resource_group_name"
},
{
"dependency_input": "provider_visibility",
"version_input": "provider_visibility",
"reference_version": true
}
],
"optional": true,
"on_by_default": false,
"version": "v3.0.7"
},
{
"name": "deploy-arch-ibm-kms",
"id": "2cad4789-fa90-4886-9c9e-857081c273ee-global",
"description": "Enable Cloud Automation for Key Protect when you want services to use your own managed encryption keys. If disabled, it will fall back on IBM Cloud's default service-managed encryption.",
"flavors": [
"fully-configurable"
],
"catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3",
"input_mapping": [
{
"dependency_output": "kms_instance_crn",
"version_input": "existing_kms_instance_crn"
},
{
"version_input": "kms_encryption_enabled",
"value": true
},
{
"dependency_input": "prefix",
"version_input": "prefix",
"reference_version": true
},
{
"dependency_input": "region",
"version_input": "region",
"reference_version": true
}
],
"optional": true,
"on_by_default": true,
"version": "v5.1.4"
},
{
"name": "deploy-arch-ibm-observability",
"description": "Enable to provisions and configures IBM Cloud Monitoring, Activity Tracker, and Log Analysis services for analysing events generated from the Events Notification instance.",
Description needs to be fixed. It is inaccurate and references a deprecated service. See the update I made in the EN DA. But the docs team should also review the final proposal.
Do you have a link to your proposal?
"flavors": [
"instances"
],
"id": "a3137d28-79e0-479d-8a24-758ebd5a0eab-global",
"catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3",
"input_mapping": [
{
"dependency_input": "prefix",
"version_input": "prefix",
"reference_version": true
},
{
"dependency_input": "region",
"version_input": "region",
"reference_version": true
}
],
"optional": true,
"on_by_default": true,
"version": "v3.0.3"
},
{
"name": "deploy-arch-ibm-event-notifications",
"description": "Enable Cloud Automation for Events Notification when you want to enable lifecycle notifications for your Secrets Manager instance using an existing IBM Cloud Events Notification service.",
"catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3",
"flavors": [
"fully-configurable"
],
"id": "c7ac3ee6-4f48-4236-b974-b0cd8c624a46-global",
"input_mapping": [
{
"dependency_output": "crn",
"version_input": "existing_event_notifications_instance_crn"
},
{
"version_input": "enable_event_notification",
"value": true
},
{
"dependency_input": "prefix",
"version_input": "prefix",
"reference_version": true
},
{
"dependency_input": "region",
"version_input": "region",
"reference_version": true
}
],
"optional": true,
"on_by_default": true,
"version": "v2.3.1"
}
],
"dependency_version_2": true,
"terraform_version": "1.10.5"
},
{
"label": "Security-enforced",
Expand Down Expand Up @@ -411,33 +565,33 @@
"required": true
},
{
"key": "secrets_manager_instance_name"
},
{
"key": "secrets_manager_resource_tags",
"key": "existing_resource_group_name",
"display_name": "resource_group",
"custom_config": {
"type": "resource_group",
"grouping": "deployment",
"original_grouping": "deployment",
"config_constraints": {
"type": "string"
"identifier": "rg_name"
}
}
},
{
"key": "skip_secrets_manager_iam_auth_policy"
"key": "secrets_manager_instance_name"
},
{
"key": "existing_resource_group_name",
"required": true,
"key": "secrets_manager_resource_tags",
"custom_config": {
"type": "resource_group",
"grouping": "deployment",
"original_grouping": "deployment",
"config_constraints": {
"identifier": "rg_name"
"type": "string"
}
}
},
{
"key": "skip_secrets_manager_iam_auth_policy"
},
{
"key": "existing_secrets_manager_kms_key_crn"
},
Expand Down Expand Up @@ -486,6 +640,16 @@
"key": "existing_secrets_manager_crn"
}
],
"iam_permissions": [
{
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator",
"crn:v1:bluemix:public:iam::::serviceRole:Manager"
],
"service_name": "secrets-manager",
"notes": "[Optional] Required if you are creating an IBM Cloud Secrets Manager instance. 'Manager' access required if new secrets group creation is needed."
}
],
"architecture": {
"features": [
{
Expand Down Expand Up @@ -543,7 +707,8 @@
"description": "This architecture supports creating and configuring IBM Secrets Manager instance."
}
]
}
},
"terraform_version": "1.10.5"
}
]
}
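Review bot: The `iam_permissions` array added to the Security-enforced flavor (the second `"iam_permissions": [` block, in the `-486,6 +640,16` hunk) lists only `secrets-manager`, whereas the Fully-configurable flavor's new array in the `-265,51 +264,84` hunk also covers `kms`, `hs-crypto`, `event-notifications`, `sysdig-monitor`, `logs` and `iam-identity`. Both flavors expose `existing_secrets_manager_kms_key_crn` and `skip_secrets_manager_iam_auth_policy`, so a reader of the Security-enforced entry will under-estimate the service roles a deployer needs for KMS encryption and the s2s authorization policy; if that flavor genuinely needs no other service roles, add a `notes` sentence saying so, otherwise copy at least the `kms`/`hs-crypto` entries across. A smaller point in the `-136,7 +136,7` hunk: `"required": true` on `existing_resource_group_name` appears to give way to `"display_name": "resource_group"`, and the `deploy-arch-ibm-account-infra-base` dependency that can populate it is `"on_by_default": false`, so confirm the catalog still forces a value when that dependency is not enabled. The enclosing flavor objects start and end outside the hunks.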