From 0f5c20460cf7978c1f7a2bd739551848551d0577 Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Wed, 4 Jun 2025 12:15:53 +0100 Subject: [PATCH 1/4] provider visibility --- .secrets.baseline | 15 +++++++++++++-- ibm_catalog.json | 12 ++++-------- solutions/fully-configurable/README.md | 2 +- solutions/fully-configurable/main.tf | 3 ++- solutions/fully-configurable/provider.tf | 4 ++-- solutions/fully-configurable/variables.tf | 4 ++-- 6 files changed, 24 insertions(+), 16 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 6efdd55a..4c3031ea 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$|^../.secrets.baseline$", "lines": null }, - "generated_at": "2024-03-27T22:08:26Z", + "generated_at": "2025-06-04T11:15:36Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -76,7 +76,18 @@ "name": "TwilioKeyDetector" } ], - "results": {}, + "results": { + "ibm_catalog.json": [ + { + "hashed_secret": "05bd7aff5030b2d565a851c3c2509729befbc3bf", + "is_secret": false, + "is_verified": false, + "line_number": 623, + "type": "IBM Cloud IAM Key", + "verified_result": null + } + ] + }, "version": "0.13.1+ibm.62.dss", "word_list": { "file": null, diff --git a/ibm_catalog.json b/ibm_catalog.json index 5bb6aa48..fb1a6f47 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -146,8 +146,12 @@ } } }, + { + "key": "secrets_manager_instance_name" + }, { "key": "provider_visibility", + "hidden": true, "options": [ { "displayname": "private", @@ -163,9 +167,6 @@ } ] }, - { - "key": "secrets_manager_instance_name" - }, { "key": "secrets_manager_endpoint_type", "hidden": true, @@ -375,11 +376,6 @@ { "dependency_output": "security_resource_group_name", "version_input": "existing_resource_group_name" - }, - { - "dependency_input": "provider_visibility", - "version_input": "provider_visibility", - "reference_version": true } ], "optional": true, 
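Review bot: Setting `"hidden": true` on `provider_visibility` while also deleting the `dependency_input`/`reference_version` mapping in the last hunk means the value is neither settable by the consumer nor forwarded to the dependency, so the dependency falls back to its own default; confirm that default is `private`, otherwise the two deployments can run on different endpoint visibilities. Because the series ends with the variables.tf default back at `private` and the input hidden, a consumer who must reach the service over public endpoints has no way to select `public`; if that restriction is intended, state it in the README row for this input. The move of `secrets_manager_instance_name` is cosmetic.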
diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index 85c4c947..4c7de574 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md 
@@ -65,7 +65,7 @@ This solution supports the following: | [kms\_key\_name](#input\_kms\_key\_name) | The name for the new root key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. If a prefix input variable is passed, it is added to the value in the `-value` format. | `string` | `"secrets-manager-key"` | no | | [kms\_key\_ring\_name](#input\_kms\_key\_ring\_name) | The name for the new key ring to store the key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. If a prefix input variable is passed, it is added to the value in the `-value` format. . | `string` | `"secrets-manager-key-ring"` | no | | [prefix](#input\_prefix) | The prefix to add to all resources created by this solution. To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes | -| [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no | +| [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `null` | no | | [region](#input\_region) | The region to provision resources to. | `string` | `"us-south"` | no | | [secret\_groups](#input\_secret\_groups) | Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md). |
list(object({
secret_group_name = string
secret_group_description = optional(string)
create_access_group = optional(bool, true)
access_group_name = optional(string)
access_group_roles = optional(list(string), ["SecretsReader"])
access_group_tags = optional(list(string))
}))
|
[
{
"access_group_name": "general-secrets-group-access-group",
"access_group_roles": [
"SecretsReader"
],
"create_access_group": true,
"secret_group_description": "A general purpose secrets group with an associated access group which has a secrets reader role",
"secret_group_name": "General"
}
]
| no | | [secrets\_manager\_cbr\_rules](#input\_secrets\_manager\_cbr\_rules) | (Optional, list) List of CBR rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/solutions/fully-configurable/DA-cbr_rules.md) |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no |
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 46edcc37..48ed7a97 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -2,7 +2,8 @@
 # Resource Group
 ########################################################################################################################
 locals {
- prefix = var.prefix != null ? trimspace(var.prefix) != "" ? "${var.prefix}-" : "" : ""
+ prefix = var.prefix != null ? trimspace(var.prefix) != "" ? "${var.prefix}-" : "" : ""
+ effective_provider_visibility = var.provider_visibility != null ? var.provider_visibility : (var.region == "ca-mon" ? "vpe" : "private")
 }

 module "resource_group" {
diff --git a/solutions/fully-configurable/provider.tf b/solutions/fully-configurable/provider.tf
index 65c38f7d..c3cb1178 100644
--- a/solutions/fully-configurable/provider.tf
+++ b/solutions/fully-configurable/provider.tf
@@ -1,11 +1,11 @@
 provider "ibm" {
 ibmcloud_api_key = var.ibmcloud_api_key
 region = var.region
- visibility = var.provider_visibility
+ visibility = local.effective_provider_visibility
 }
 provider "ibm" {
 alias = "kms"
 ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key
 region = local.kms_region
- visibility = var.provider_visibility
+ visibility = local.effective_provider_visibility
 }
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index eeb64d7e..53f3f94d 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -11,10 +11,10 @@ variable "ibmcloud_api_key" { variable "provider_visibility" { description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)." type = string - default = "private" + default = null validation { - condition = contains(["public", "private", "public-and-private"], var.provider_visibility) + condition = var.provider_visibility == null || contains(["public", "private", "public-and-private"], var.provider_visibility) error_message = "Invalid visibility option. Allowed values are 'public', 'private', or 'public-and-private'." } } From 63419f76891b31ea6bb4dae77644d5fa129f7dc2 Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Wed, 4 Jun 2025 14:54:49 +0100 Subject: [PATCH 2/4] provider visibility --- solutions/fully-configurable/README.md | 2 +- solutions/fully-configurable/main.tf | 3 +-- solutions/fully-configurable/provider.tf | 16 +++++++++------- solutions/fully-configurable/variables.tf | 4 ++-- 4 files changed, 13 insertions(+), 12 deletions(-) diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index 4c7de574..85c4c947 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md 
@@ -65,7 +65,7 @@ This solution supports the following: | [kms\_key\_name](#input\_kms\_key\_name) | The name for the new root key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. If a prefix input variable is passed, it is added to the value in the `-value` format. | `string` | `"secrets-manager-key"` | no | | [kms\_key\_ring\_name](#input\_kms\_key\_ring\_name) | The name for the new key ring to store the key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. If a prefix input variable is passed, it is added to the value in the `-value` format. . | `string` | `"secrets-manager-key-ring"` | no | | [prefix](#input\_prefix) | The prefix to add to all resources created by this solution. To not use any prefix value, you can set this value to `null` or an empty string. | `string` | n/a | yes | -| [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `null` | no | +| [provider\_visibility](#input\_provider\_visibility) | Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints). | `string` | `"private"` | no | | [region](#input\_region) | The region to provision resources to. | `string` | `"us-south"` | no | | [secret\_groups](#input\_secret\_groups) | Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md). |
list(object({
secret_group_name = string
secret_group_description = optional(string)
create_access_group = optional(bool, true)
access_group_name = optional(string)
access_group_roles = optional(list(string), ["SecretsReader"])
access_group_tags = optional(list(string))
}))
|
[
{
"access_group_name": "general-secrets-group-access-group",
"access_group_roles": [
"SecretsReader"
],
"create_access_group": true,
"secret_group_description": "A general purpose secrets group with an associated access group which has a secrets reader role",
"secret_group_name": "General"
}
]
| no | | [secrets\_manager\_cbr\_rules](#input\_secrets\_manager\_cbr\_rules) | (Optional, list) List of CBR rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/solutions/fully-configurable/DA-cbr_rules.md) |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no | diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 48ed7a97..46edcc37 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -2,8 +2,7 @@ # Resource Group ######################################################################################################################## locals { - prefix = var.prefix != null ? trimspace(var.prefix) != "" ? "${var.prefix}-" : "" : "" - effective_provider_visibility = var.provider_visibility != null ? var.provider_visibility : (var.region == "ca-mon" ? "vpe" : "private") + prefix = var.prefix != null ? trimspace(var.prefix) != "" ? "${var.prefix}-" : "" : "" } module "resource_group" { diff --git a/solutions/fully-configurable/provider.tf b/solutions/fully-configurable/provider.tf index c3cb1178..be88f931 100644 --- a/solutions/fully-configurable/provider.tf +++ b/solutions/fully-configurable/provider.tf @@ -1,11 +1,13 @@ provider "ibm" { - ibmcloud_api_key = var.ibmcloud_api_key - region = var.region - visibility = local.effective_provider_visibility + ibmcloud_api_key = var.ibmcloud_api_key + region = var.region + visibility = var.provider_visibility + private_endpoint_type = var.region == "ca-mon" ? "vpe" : null } provider "ibm" { - alias = "kms" - ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key - region = local.kms_region - visibility = local.effective_provider_visibility + alias = "kms" + ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key + region = local.kms_region + visibility = var.provider_visibility + private_endpoint_type = var.region == "ca-mon" ? "vpe" : null } diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 53f3f94d..eeb64d7e 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf 
@@ -11,10 +11,10 @@ variable "ibmcloud_api_key" { variable "provider_visibility" { description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)." type = string - default = null + default = "private" validation { - condition = var.provider_visibility == null || contains(["public", "private", "public-and-private"], var.provider_visibility) + condition = contains(["public", "private", "public-and-private"], var.provider_visibility) error_message = "Invalid visibility option. Allowed values are 'public', 'private', or 'public-and-private'." } } From dca7884ad56f1ae9be34142008047c4ed6c7b0b3 Mon Sep 17 00:00:00 2001 From: Rajat Agrawal Date: Wed, 4 Jun 2025 15:13:46 +0100 Subject: [PATCH 3/4] provider visibility --- solutions/fully-configurable/provider.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/solutions/fully-configurable/provider.tf b/solutions/fully-configurable/provider.tf index be88f931..46c6f484 100644 --- a/solutions/fully-configurable/provider.tf +++ b/solutions/fully-configurable/provider.tf @@ -2,12 +2,12 @@ provider "ibm" { ibmcloud_api_key = var.ibmcloud_api_key region = var.region visibility = var.provider_visibility - private_endpoint_type = var.region == "ca-mon" ? "vpe" : null + private_endpoint_type = (var.provider_visibility == "private" && var.region == "ca-mon") ? "vpe" : null } provider "ibm" { alias = "kms" ibmcloud_api_key = var.ibmcloud_kms_api_key != null ? var.ibmcloud_kms_api_key : var.ibmcloud_api_key region = local.kms_region visibility = var.provider_visibility - private_endpoint_type = var.region == "ca-mon" ? "vpe" : null + private_endpoint_type = (var.provider_visibility == "private" && var.region == "ca-mon") ? "vpe" : null } From 0f49aa133ec731cf71ec9a2ba33ac0be901ef2f2 Mon Sep 17 00:00:00 2001 
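Review bot: In the `kms` provider block of the patch 3 hunk, `private_endpoint_type` is switched on `var.region`, but that provider's own `region` is `local.kms_region`; when the KMS instance lives in a different region from the deployment (either side being `ca-mon`), the endpoint type is chosen for the wrong region. The aliased block should test its own region: `private_endpoint_type = (var.provider_visibility == "private" && local.kms_region == "ca-mon") ? "vpe" : null`. The condition also leaves `public-and-private` with no VPE type in `ca-mon`; if that mode is expected to use VPE for its private path, the check presumably needs to include it, which is worth confirming against the provider documentation linked from the variable description. `local.kms_region` is defined outside this hunk.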
From: Rajat Agrawal
Date: Wed, 4 Jun 2025 15:14:19 +0100
Subject: [PATCH 4/4] provider visibility
---
 .secrets.baseline | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)
diff --git a/.secrets.baseline b/.secrets.baseline
index 4c3031ea..c9f7ffcb 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "go.sum|^.secrets.baseline$|^../.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2025-06-04T11:15:36Z",
+ "generated_at": "2025-06-04T14:14:12Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
@@ -76,18 +76,7 @@
 "name": "TwilioKeyDetector"
 }
 ],
- "results": {
- "ibm_catalog.json": [
- {
- "hashed_secret": "05bd7aff5030b2d565a851c3c2509729befbc3bf",
- "is_secret": false,
- "is_verified": false,
- "line_number": 623,
- "type": "IBM Cloud IAM Key",
- "verified_result": null
- }
- ]
- },
+ "results": {},
 "version": "0.13.1+ibm.62.dss",
 "word_list": {
 "file": null,
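Review bot: This regenerated baseline drops the `ibm_catalog.json` result at line 623 (`IBM Cloud IAM Key`) that patch 1 of this series added, yet `ibm_catalog.json` is not touched after patch 1, so two scans of the same content disagree; confirm the second run used the same plugin set and no additional excludes before relying on the empty `results`. If the flagged line was a false positive, the audited entry with `is_secret: false` is the more defensible record than an empty result set. Squashing the two baseline changes would leave only the `generated_at` bump in history.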