terraform-ibm-modules · ocofaigh · Jun 12, 2025 · Jun 6, 2025 · Jun 6, 2025 · Jun 6, 2025
@@ -299,7 +299,13 @@
               }
             },
             {
-              "key": "secret_groups"
+              "key": "secret_groups",
+              "type": "array",
+              "custom_config": {
+                "type": "textarea",
+                "grouping": "deployment",
+                "original_grouping": "deployment"
+              }
             },
             {
               "key": "existing_secrets_manager_crn"
@@ -366,31 +372,7 @@
             "features": [
               {
                 "title": " ",
-                "description": "Provision preconfigured resources according to IBM secure by default standards. Configurations in this variation can be edited from the default to fit your specific use case."
-              },
-              {
-                "title": "Creates or configures an IBM Cloud Secrets Manager instance",
-                "description": "Creates a Secrets Manager instance. Optionally, configures an exising Secrets Manager instance."
-              },
-              {
-                "title": "Creates secret groups",
-                "description": "Provisioning secrets groups inside a new or pre-existing Secrets Manager instance."
-              },
-              {
-                "title": "Creates key rings and keys",
-                "description": "Configuring KMS encryption using a newly created key, or passing an existing key."
-              },
-              {
-                "title": "Creates access groups",
-                "description": "Provisioning access groups to the secrets groups of the Secrets Manager instance."
-              },
-              {
-                "title": "Configures event notifications",
-                "description": "Configures lifecycle notifications for the Secrets Manager instance using the Event Notifications service."
-              },
-              {
-                "title": "Configures IBM Cloud Logs",
-                "description": "Configures IBM Cloud Logs for processing platform logs generated by the Secrets Manager instance."
+                "description": "Configured to use IBM secure by default standards, but can be edited to fit your use case."
               }
             ],
             "diagrams": [
@@ -682,7 +664,16 @@
               "key": "skip_secrets_manager_event_notifications_iam_auth_policy"
             },
             {
-              "key": "secrets_manager_cbr_rules"
+              "key": "secrets_manager_cbr_rules",
+              "type": "array",
+              "custom_config": {
+                "type": "textarea",
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "config_constraints": {
+                  "type": "string"
+                }
+              }
             },
             {
               "key": "secret_groups",
@@ -710,48 +701,8 @@
           "architecture": {
             "features": [
               {
-                "title": "Secrets manager instance creation",
-                "description": "Yes"
-              },
-              {
-                "title": "Use existing secrets manager instance",
-                "description": "Yes"
-              },
-              {
-                "title": "New resource group creation",
-                "description": "No"
-              },
-              {
-                "title": "Use existing resource group",
-                "description": "Yes"
-              },
-              {
-                "title": "Enforced private-only endpoint communication",
-                "description": "Yes"
-              },
-              {
-                "title": "Enforced KMS encryption",
-                "description": "Yes"
-              },
-              {
-                "title": "KMS instance creation",
-                "description": "No"
-              },
-              {
-                "title": "KMS key ring and key creation",
-                "description": "Yes"
-              },
-              {
-                "title": "Use existing KMS key",
-                "description": "Yes"
-              },
-              {
-                "title": "IAM s2s auth policies creation",
-                "description": "Yes"
-              },
-              {
-                "title": "Event Notifications integration",
-                "description": "Yes"
+                "title": "",
+                "description": "Configured to use IBM secure by default standards that can't be changed."
               }
             ],
             "diagrams": [

@@ -33,24 +33,22 @@ The `secrets_manager_cbr_rules` input variable allows you to provide a rule for
 
 ### Example Rule For Context-Based Restrictions Configuration
 
+The following example defines a **Context-Based Restrictions (CBR) rule** that restricts access to a **Secrets Manager instance** in a specific **IBM Cloud account**, based on contextual attributes like network zone and endpoint type.
+
 ```hcl
 [
   {
   description = "Secrets Manager can be accessed from xyz"
-  account_id = "defc0df06b644a9cabc6e44f55b3880s."
+  account_id = "<REPLACE ME>"
   rule_contexts= [{
-      attributes = [
-                {
-                              "name" : "endpointType",
-                              "value" : "private"
-                },
-                {
-                  name  = "networkZoneId"
-                  value = "93a51a1debe2674193217209601dde6f" # pragma: allowlist secret
-                }
-        ]
-     }
-   ]
+    attributes = [{
+      name : "endpointType",
+      value : "private"
+    },{
+      name  = "networkZoneId"
+      value = "<REPLACE ME>" # pragma: allowlist secret
+    }]
+  }]
   enforcement_mode = "enabled"
   operations = [{
     api_types = [{

@@ -26,13 +26,15 @@ variable "prefix" {
   description = "The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: sm-0205. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md)."
 
   validation {
-    condition = (var.prefix == null ? true :
-      alltrue([
-        can(regex("^[a-z]{0,1}[-a-z0-9]{0,14}[a-z0-9]{0,1}$", var.prefix)),
-        length(regexall("^.*--.*", var.prefix)) == 0
-      ])
-    )
-    error_message = "Prefix must begin with a lowercase letter, contain only lowercase letters, numbers, and - characters. Prefixes must end with a lowercase letter or number and be 16 or fewer characters."
+    condition = var.prefix == null || var.prefix == "" ? true : alltrue([
+      can(regex("^[a-z][-a-z0-9]*[a-z0-9]$", var.prefix)), length(regexall("--", var.prefix)) == 0
+    ])
+    error_message = "Prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It must not end with a hyphen('-'), and cannot contain consecutive hyphens ('--')."
+  }
+
+  validation {
+    condition     = var.prefix == null || var.prefix == "" ? true : length(var.prefix) <= 16
+    error_message = "Prefix must not exceed 16 characters."
   }
 }