From 08291c65329178920d0a090dfe70e5d4c22b0807 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Conall=20=C3=93=20Cofaigh?=
Date: Fri, 20 Jun 2025 12:35:20 +0100
Subject: [PATCH 1/9] fix: add fix for KMS cross account bug

---
 solutions/fully-configurable/main.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 46edcc37..8f802963 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -61,7 +61,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
 provider = ibm.kms
 source_service_account = data.ibm_iam_account_settings.iam_account_settings[0].account_id
 source_service_name = "secrets-manager"
- source_resource_group_id = module.resource_group[0].resource_group_id
+ source_resource_group_id = module.resource_group.resource_group_id
 roles = ["Reader"]
 description = "Allow all Secrets Manager instances in the resource group ${local.kms_account_id} to read the ${local.kms_service_name} key ${local.kms_key_id} from the instance GUID ${local.kms_instance_guid}"
 resource_attributes {
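Review bot: The description on the context line after `roles` reads "in the resource group ${local.kms_account_id}", which interpolates an account id where the text announces a resource group, while the parallel `secrets_manager_hpcs_policy` in the second hunk names both; consider aligning it as `description = "Allow all Secrets Manager instances in the resource group ${module.resource_group.resource_group_id} in the account ${local.kms_account_id} to read the ${local.kms_service_name} key ${local.kms_key_id} from the instance GUID ${local.kms_instance_guid}"`. The description is informational and does not change what the policy grants, but misleading text on a cross-account authorization makes a later audit of the grant harder than it needs to be. Dropping `[0]` presumably reflects the `resource_group` module no longer being declared with `count`; that declaration is outside the hunk, so it cannot be confirmed here. The `kms_policy` resource block continues past the end of the hunk.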
@@ -109,11 +109,11 @@ resource "ibm_iam_authorization_policy" "secrets_manager_hpcs_policy" {
 provider = ibm.kms
 source_service_account = data.ibm_iam_account_settings.iam_account_settings[0].account_id
 source_service_name = "secrets-manager"
- source_resource_group_id = module.resource_group[0].resource_group_id
+ source_resource_group_id = module.resource_group.resource_group_id
 target_service_name = local.kms_service_name
 target_resource_instance_id = local.kms_instance_guid
 roles = ["Viewer"]
- description = "Allow all Secrets Manager instances in the resource group ${module.resource_group[0].resource_group_id} in the account ${local.kms_account_id} to view from the ${local.kms_service_name} instance GUID ${local.kms_instance_guid}"
+ description = "Allow all Secrets Manager instances in the resource group ${module.resource_group.resource_group_id} in the account ${local.kms_account_id} to view from the ${local.kms_service_name} instance GUID ${local.kms_instance_guid}"
 }
 
 # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478

From fe94b371c73781309558bf1485506e0f2f2d4ac1 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Fri, 20 Jun 2025 13:47:24 +0100
Subject: [PATCH 2/9] handle use case where empty string passed for secret_groups

---
 solutions/fully-configurable/main.tf | 3 ++-
 solutions/fully-configurable/variables.tf | 2 +-
 solutions/security-enforced/README.md | 2 +-
 solutions/security-enforced/variables.tf | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 8f802963..b2e44511 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -163,8 +163,9 @@ locals {
 secrets_manager_crn = var.existing_secrets_manager_crn != null ? var.existing_secrets_manager_crn : module.secrets_manager.secrets_manager_crn
 secrets_manager_region = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[5] : null) : module.secrets_manager.secrets_manager_region
 enable_event_notifications = var.existing_event_notifications_instance_crn != null ? true : false
+ secret_groups = var.secret_groups == "" ? [] : var.secret_groups
 secret_groups_with_prefix = [
- for group in var.secret_groups : merge(group, {
+ for group in local.secret_groups : merge(group, {
 access_group_name = group.access_group_name != null ? "${local.prefix}${group.access_group_name}" : null
 })
 ]
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 621f767d..136ec280 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -85,7 +85,7 @@ variable "skip_secrets_manager_iam_auth_policy" {
 }
 
 variable "secrets_manager_resource_tags" {
- type = list(any)
+ type = list(string)
 description = "The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided."
 default = []
 }
diff --git a/solutions/security-enforced/README.md b/solutions/security-enforced/README.md
index 47a003da..c2e4abb9 100644
--- a/solutions/security-enforced/README.md
+++ b/solutions/security-enforced/README.md
@@ -45,7 +45,7 @@ No resources.
 | [secret\_groups](#input\_secret\_groups) | Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md). |
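Review bot: The guard added on the new `secret_groups` local compares a variable declared as `list(object(...))` with `""`; Terraform converts an input to its declared type before any local is evaluated, and an empty string has no conversion to a list, so the comparison is presumably unreachable and an empty-string input still fails at variable assignment rather than being mapped to `[]`. The same reasoning applies to the `validation` blocks PATCH 3/9 introduces in both `variables.tf` files (the hunks at `@@ -130,6 +130,10 @@` and `@@ -99,6 +99,10 @@`), which additionally have the predicate inverted — `condition = var.secret_groups == ""` is the expression that must be true for a value to be accepted, so as written every list value would be rejected — before PATCH 6/9 deletes them again; squashing 3 and 6 would keep the broken validation out of history. If the intent is to tolerate `""` coming from a catalog or UI input, it has to be handled where that value is produced, or the variable type has to be widened to accept a string. The `locals` block continues past the end of the hunk.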
list(object({
secret_group_name = string
secret_group_description = optional(string)
create_access_group = optional(bool, true)
access_group_name = optional(string)
access_group_roles = optional(list(string), ["SecretsReader"])
access_group_tags = optional(list(string))
}))
|
[
{
"access_group_name": "general-secrets-group-access-group",
"access_group_roles": [
"SecretsReader"
],
"create_access_group": true,
"secret_group_description": "A general purpose secrets group with an associated access group which has a secrets reader role",
"secret_group_name": "General"
}
]
| no | | [secrets\_manager\_cbr\_rules](#input\_secrets\_manager\_cbr\_rules) | (Optional, list) List of CBR rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/solutions/fully-configurable/DA-cbr_rules.md) |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no | | [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no | -| [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(any)` | `[]` | no | +| [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(string)` | `[]` | no | | [service\_plan](#input\_service\_plan) | The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard). | `string` | n/a | yes | | [skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. 
| `bool` | `false` | no |
 | [skip\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_iam\_auth\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf
index 490f62a5..f5d12bd4 100644
--- a/solutions/security-enforced/variables.tf
+++ b/solutions/security-enforced/variables.tf
@@ -74,7 +74,7 @@ variable "skip_secrets_manager_iam_auth_policy" {
 }
 
 variable "secrets_manager_resource_tags" {
- type = list(any)
+ type = list(string)
 description = "The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided."
 default = []
 }

From 580f0df577f4cd28860444811c54c5fb45f007d9 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Fri, 20 Jun 2025 14:39:17 +0100
Subject: [PATCH 3/9] add variable validation instead

---
 solutions/fully-configurable/main.tf | 3 +--
 solutions/fully-configurable/variables.tf | 6 +++++-
 solutions/security-enforced/README.md | 2 +-
 solutions/security-enforced/variables.tf | 6 +++++-
 4 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index b2e44511..8f802963 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -163,9 +163,8 @@ locals {
 secrets_manager_crn = var.existing_secrets_manager_crn != null ? var.existing_secrets_manager_crn : module.secrets_manager.secrets_manager_crn
 secrets_manager_region = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[5] : null) : module.secrets_manager.secrets_manager_region
 enable_event_notifications = var.existing_event_notifications_instance_crn != null ? true : false
- secret_groups = var.secret_groups == "" ? [] : var.secret_groups
 secret_groups_with_prefix = [
- for group in local.secret_groups : merge(group, {
+ for group in var.secret_groups : merge(group, {
 access_group_name = group.access_group_name != null ? "${local.prefix}${group.access_group_name}" : null
 })
 ]
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 136ec280..fa11be22 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -119,7 +119,7 @@ variable "secret_groups" {
 access_group_roles = optional(list(string), ["SecretsReader"])
 access_group_tags = optional(list(string))
 }))
- description = "Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md)."
+ description = "Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. If you do not wish to create any groups, et the value to `[]`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md)."
 nullable = false
 default = [
 {
@@ -130,6 +130,10 @@ variable "secret_groups" {
 access_group_roles = ["SecretsReader"]
 }
 ]
+ validation {
+ error_message = "The value of secret_groups cannot be an empty string. If you do not want to create any groups, set the value to []."
+ condition = var.secret_groups == ""
+ }
 validation {
 error_message = "The name of the secret group cannot be null or empty string."
 condition = length([
diff --git a/solutions/security-enforced/README.md b/solutions/security-enforced/README.md
index c2e4abb9..9a8f6c2d 100644
--- a/solutions/security-enforced/README.md
+++ b/solutions/security-enforced/README.md
@@ -42,7 +42,7 @@ No resources.
 | [kms\_key\_ring\_name](#input\_kms\_key\_ring\_name) | The name for the new key ring to store the key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. If a prefix input variable is passed, it is added to the value in the `-value` format. . | `string` | `"secrets-manager-key-ring"` | no |
 | [prefix](#input\_prefix) | The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: sm-0205. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md). | `string` | n/a | yes |
 | [region](#input\_region) | The region to provision resources to. | `string` | `"us-south"` | no |
-| [secret\_groups](#input\_secret\_groups) | Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md). |
list(object({
secret_group_name = string
secret_group_description = optional(string)
create_access_group = optional(bool, true)
access_group_name = optional(string)
access_group_roles = optional(list(string), ["SecretsReader"])
access_group_tags = optional(list(string))
}))
|
[
{
"access_group_name": "general-secrets-group-access-group",
"access_group_roles": [
"SecretsReader"
],
"create_access_group": true,
"secret_group_description": "A general purpose secrets group with an associated access group which has a secrets reader role",
"secret_group_name": "General"
}
]
| no | +| [secret\_groups](#input\_secret\_groups) | Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. If you do not wish to create any groups, et the value to `[]`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md). |
list(object({
secret_group_name = string
secret_group_description = optional(string)
create_access_group = optional(bool, true)
access_group_name = optional(string)
access_group_roles = optional(list(string), ["SecretsReader"])
access_group_tags = optional(list(string))
}))
|
[
{
"access_group_name": "general-secrets-group-access-group",
"access_group_roles": [
"SecretsReader"
],
"create_access_group": true,
"secret_group_description": "A general purpose secrets group with an associated access group which has a secrets reader role",
"secret_group_name": "General"
}
]
| no | | [secrets\_manager\_cbr\_rules](#input\_secrets\_manager\_cbr\_rules) | (Optional, list) List of CBR rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/solutions/fully-configurable/DA-cbr_rules.md) |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no |
 | [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no |
 | [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(string)` | `[]` | no |
diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf
index f5d12bd4..b16df498 100644
--- a/solutions/security-enforced/variables.tf
+++ b/solutions/security-enforced/variables.tf
@@ -88,7 +88,7 @@ variable "secret_groups" {
 access_group_roles = optional(list(string), ["SecretsReader"])
 access_group_tags = optional(list(string))
 }))
- description = "Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md)."
+ description = "Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. If you do not wish to create any groups, et the value to `[]`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md)."
 nullable = false
 default = [
 {
@@ -99,6 +99,10 @@ variable "secret_groups" {
 access_group_roles = ["SecretsReader"]
 }
 ]
+ validation {
+ error_message = "The value of secret_groups cannot be an empty string. If you do not want to create any groups, set the value to []."
+ condition = var.secret_groups == ""
+ }
 validation {
 error_message = "The name of the secret group cannot be null or empty string."
 condition = length([

From aa8076ff61c697b56ab26e0cc9a9b761a7565cf3 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Fri, 20 Jun 2025 14:53:01 +0100
Subject: [PATCH 4/9] typo

---
 solutions/fully-configurable/variables.tf | 2 +-
 solutions/security-enforced/README.md | 2 +-
 solutions/security-enforced/variables.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index fa11be22..5a23d04f 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -119,7 +119,7 @@ variable "secret_groups" {
 access_group_roles = optional(list(string), ["SecretsReader"])
 access_group_tags = optional(list(string))
 }))
- description = "Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. If you do not wish to create any groups, et the value to `[]`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md)."
+ description = "Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. If you do not wish to create any groups, set the value to `[]`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md)."
 nullable = false
 default = [
 {
diff --git a/solutions/security-enforced/README.md b/solutions/security-enforced/README.md
index 9a8f6c2d..85f59797 100644
--- a/solutions/security-enforced/README.md
+++ b/solutions/security-enforced/README.md
@@ -42,7 +42,7 @@ No resources.
 | [kms\_key\_ring\_name](#input\_kms\_key\_ring\_name) | The name for the new key ring to store the key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. If a prefix input variable is passed, it is added to the value in the `-value` format. . | `string` | `"secrets-manager-key-ring"` | no |
 | [prefix](#input\_prefix) | The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: sm-0205. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md). | `string` | n/a | yes |
 | [region](#input\_region) | The region to provision resources to. | `string` | `"us-south"` | no |
-| [secret\_groups](#input\_secret\_groups) | Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. If you do not wish to create any groups, et the value to `[]`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md). |
list(object({
secret_group_name = string
secret_group_description = optional(string)
create_access_group = optional(bool, true)
access_group_name = optional(string)
access_group_roles = optional(list(string), ["SecretsReader"])
access_group_tags = optional(list(string))
}))
|
[
{
"access_group_name": "general-secrets-group-access-group",
"access_group_roles": [
"SecretsReader"
],
"create_access_group": true,
"secret_group_description": "A general purpose secrets group with an associated access group which has a secrets reader role",
"secret_group_name": "General"
}
]
| no | +| [secret\_groups](#input\_secret\_groups) | Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. If you do not wish to create any groups, set the value to `[]`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md). |
list(object({
secret_group_name = string
secret_group_description = optional(string)
create_access_group = optional(bool, true)
access_group_name = optional(string)
access_group_roles = optional(list(string), ["SecretsReader"])
access_group_tags = optional(list(string))
}))
|
[
{
"access_group_name": "general-secrets-group-access-group",
"access_group_roles": [
"SecretsReader"
],
"create_access_group": true,
"secret_group_description": "A general purpose secrets group with an associated access group which has a secrets reader role",
"secret_group_name": "General"
}
]
| no | | [secrets\_manager\_cbr\_rules](#input\_secrets\_manager\_cbr\_rules) | (Optional, list) List of CBR rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/solutions/fully-configurable/DA-cbr_rules.md) |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
| `[]` | no |
 | [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no |
 | [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(string)` | `[]` | no |
diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf
index b16df498..a9e46d2b 100644
--- a/solutions/security-enforced/variables.tf
+++ b/solutions/security-enforced/variables.tf
@@ -88,7 +88,7 @@ variable "secret_groups" {
 access_group_roles = optional(list(string), ["SecretsReader"])
 access_group_tags = optional(list(string))
 }))
- description = "Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. If you do not wish to create any groups, et the value to `[]`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md)."
+ description = "Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `-value` format. If you do not wish to create any groups, set the value to `[]`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md)."
 nullable = false
 default = [
 {

From e46d8fb7cfdab835d6d2541d00652449e564ea6a Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Fri, 20 Jun 2025 15:03:04 +0100
Subject: [PATCH 5/9] handle use case where 'existing_event_notifications_instance_crn' might be empty string

---
 solutions/fully-configurable/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 8f802963..a8dd99e9 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -162,7 +162,7 @@ locals {
 secrets_manager_guid = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[7] : null) : module.secrets_manager.secrets_manager_guid
 secrets_manager_crn = var.existing_secrets_manager_crn != null ? var.existing_secrets_manager_crn : module.secrets_manager.secrets_manager_crn
 secrets_manager_region = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[5] : null) : module.secrets_manager.secrets_manager_region
- enable_event_notifications = var.existing_event_notifications_instance_crn != null ? true : false
+ enable_event_notifications = var.existing_event_notifications_instance_crn != null || var.existing_event_notifications_instance_crn == "" ? true : false
 secret_groups_with_prefix = [
 for group in var.secret_groups : merge(group, {
 access_group_name = group.access_group_name != null ? "${local.prefix}${group.access_group_name}" : null

From 7ccf681f1a6cc9334249bd33ece97a79d04fcdb6 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Fri, 20 Jun 2025 15:25:31 +0100
Subject: [PATCH 6/9] remove validation

---
 solutions/fully-configurable/variables.tf | 4 ----
 solutions/security-enforced/variables.tf | 4 ----
 2 files changed, 8 deletions(-)

diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 5a23d04f..cbf4c605 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -130,10 +130,6 @@ variable "secret_groups" {
 access_group_roles = ["SecretsReader"]
 }
 ]
- validation {
- error_message = "The value of secret_groups cannot be an empty string. If you do not want to create any groups, set the value to []."
- condition = var.secret_groups == ""
- }
 validation {
 error_message = "The name of the secret group cannot be null or empty string."
 condition = length([
diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf
index a9e46d2b..9255536e 100644
--- a/solutions/security-enforced/variables.tf
+++ b/solutions/security-enforced/variables.tf
@@ -99,10 +99,6 @@ variable "secret_groups" {
 access_group_roles = ["SecretsReader"]
 }
 ]
- validation {
- error_message = "The value of secret_groups cannot be an empty string. If you do not want to create any groups, set the value to []."
- condition = var.secret_groups == ""
- }
 validation {
 error_message = "The name of the secret group cannot be null or empty string."
 condition = length([

From 151b2e9c631b26c46c2715a5fc0380f2e2eebf20 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Fri, 20 Jun 2025 15:46:37 +0100
Subject: [PATCH 7/9] fix logic

---
 solutions/fully-configurable/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index a8dd99e9..e5dcbf20 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -162,7 +162,7 @@ locals {
 secrets_manager_guid = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[7] : null) : module.secrets_manager.secrets_manager_guid
 secrets_manager_crn = var.existing_secrets_manager_crn != null ? var.existing_secrets_manager_crn : module.secrets_manager.secrets_manager_crn
 secrets_manager_region = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[5] : null) : module.secrets_manager.secrets_manager_region
- enable_event_notifications = var.existing_event_notifications_instance_crn != null || var.existing_event_notifications_instance_crn == "" ? true : false
+ enable_event_notifications = var.existing_event_notifications_instance_crn == null || var.existing_event_notifications_instance_crn == "" ? false : true
 secret_groups_with_prefix = [
 for group in var.secret_groups : merge(group, {
 access_group_name = group.access_group_name != null ? "${local.prefix}${group.access_group_name}" : null

From c0e3ad6d5c16be20962f9654cb8ca25a1f31f138 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Fri, 20 Jun 2025 16:14:10 +0100
Subject: [PATCH 8/9] add 1 more fix for EN

---
 solutions/fully-configurable/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index e5dcbf20..b8eeea2a 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
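Review bot: The replaced `enable_event_notifications` line spells a boolean as `cond ? false : true`; the same value reads more directly without the conditional, `enable_event_notifications = var.existing_event_notifications_instance_crn != null && var.existing_event_notifications_instance_crn != ""`. This file now treats `null` and `""` as "not provided" in several places, so a single local holding that test (e.g. `en_crn_provided`) would also let the expressions touched in PATCH 8/9 and PATCH 9/9 reuse it instead of re-deriving it. The `locals` block continues past the end of the hunk.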
@@ -187,7 +187,7 @@ module "secrets_manager" {
 skip_kms_iam_authorization_policy = var.skip_secrets_manager_kms_iam_auth_policy || local.create_cross_account_auth_policy
 # event notifications dependency
 enable_event_notification = local.enable_event_notifications
- existing_en_instance_crn = var.existing_event_notifications_instance_crn
+ existing_en_instance_crn = local.enable_event_notifications ? var.existing_event_notifications_instance_crn : null
 skip_en_iam_authorization_policy = var.skip_secrets_manager_event_notifications_iam_auth_policy
 cbr_rules = var.secrets_manager_cbr_rules
 endpoint_type = var.secrets_manager_endpoint_type
@@ -205,7 +205,7 @@ data "ibm_resource_instance" "existing_sm" {
 #######################################################################################################################
 locals {
- parsed_existing_en_instance_crn = var.existing_event_notifications_instance_crn != null ? split(":", var.existing_event_notifications_instance_crn) : []
+ parsed_existing_en_instance_crn = var.existing_event_notifications_instance_crn != null || var.existing_event_notifications_instance_crn != "" ? split(":", var.existing_event_notifications_instance_crn) : []
 existing_en_guid = length(local.parsed_existing_en_instance_crn) > 0 ? local.parsed_existing_en_instance_crn[7] : null
 }

From 306ad18c743216eeb22646d4c7b0789dfb21c017 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Fri, 20 Jun 2025 16:28:00 +0100
Subject: [PATCH 9/9] logic update

---
 solutions/fully-configurable/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index b8eeea2a..020b42b8 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -205,7 +205,7 @@ data "ibm_resource_instance" "existing_sm" {
 #######################################################################################################################
 locals {
- parsed_existing_en_instance_crn = var.existing_event_notifications_instance_crn != null || var.existing_event_notifications_instance_crn != "" ? split(":", var.existing_event_notifications_instance_crn) : []
+ parsed_existing_en_instance_crn = var.existing_event_notifications_instance_crn == null || var.existing_event_notifications_instance_crn == "" ? [] : split(":", var.existing_event_notifications_instance_crn)
 existing_en_guid = length(local.parsed_existing_en_instance_crn) > 0 ? local.parsed_existing_en_instance_crn[7] : null
 }
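Review bot: The new `parsed_existing_en_instance_crn` expression is the third copy of the null-or-empty test on `existing_event_notifications_instance_crn` in this file, next to `enable_event_notifications` (PATCH 7/9) and the `existing_en_instance_crn` argument in the `secrets_manager` module call (PATCH 8/9); deriving all three from one local keeps them from drifting the way PATCH 5/9 and PATCH 8/9 did. On the following context line, `existing_en_guid` guards only on `length(...) > 0`, so a non-empty value that is not a full CRN with at least eight colon-separated segments would still fail with an index error at `[7]` instead of a readable message; a `validation` block on the variable that checks the segment count would surface that at plan time, though the variable declaration is outside this chunk and may already have one. The `locals` block ends at the `}` in this hunk.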