terraform-ibm-modules · ocofaigh · Jun 20, 2025 · Jun 20, 2025 · Jun 20, 2025 · Jun 20, 2025
@@ -61,7 +61,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
   provider                 = ibm.kms
   source_service_account   = data.ibm_iam_account_settings.iam_account_settings[0].account_id
   source_service_name      = "secrets-manager"
-  source_resource_group_id = module.resource_group[0].resource_group_id
+  source_resource_group_id = module.resource_group.resource_group_id
   roles                    = ["Reader"]
   description              = "Allow all Secrets Manager instances in the resource group ${local.kms_account_id} to read the ${local.kms_service_name} key ${local.kms_key_id} from the instance GUID ${local.kms_instance_guid}"
   resource_attributes {
@@ -109,11 +109,11 @@ resource "ibm_iam_authorization_policy" "secrets_manager_hpcs_policy" {
   provider                    = ibm.kms
   source_service_account      = data.ibm_iam_account_settings.iam_account_settings[0].account_id
   source_service_name         = "secrets-manager"
-  source_resource_group_id    = module.resource_group[0].resource_group_id
+  source_resource_group_id    = module.resource_group.resource_group_id
   target_service_name         = local.kms_service_name
   target_resource_instance_id = local.kms_instance_guid
   roles                       = ["Viewer"]
-  description                 = "Allow all Secrets Manager instances in the resource group ${module.resource_group[0].resource_group_id} in the account ${local.kms_account_id} to view from the ${local.kms_service_name} instance GUID ${local.kms_instance_guid}"
+  description                 = "Allow all Secrets Manager instances in the resource group ${module.resource_group.resource_group_id} in the account ${local.kms_account_id} to view from the ${local.kms_service_name} instance GUID ${local.kms_instance_guid}"
 }
 
 # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
@@ -162,7 +162,7 @@ locals {
   secrets_manager_guid                = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[7] : null) : module.secrets_manager.secrets_manager_guid
   secrets_manager_crn                 = var.existing_secrets_manager_crn != null ? var.existing_secrets_manager_crn : module.secrets_manager.secrets_manager_crn
   secrets_manager_region              = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[5] : null) : module.secrets_manager.secrets_manager_region
-  enable_event_notifications          = var.existing_event_notifications_instance_crn != null ? true : false
+  enable_event_notifications          = var.existing_event_notifications_instance_crn == null || var.existing_event_notifications_instance_crn == "" ? false : true
   secret_groups_with_prefix = [
     for group in var.secret_groups : merge(group, {
       access_group_name = group.access_group_name != null ? "${local.prefix}${group.access_group_name}" : null
@@ -187,7 +187,7 @@ module "secrets_manager" {
   skip_kms_iam_authorization_policy = var.skip_secrets_manager_kms_iam_auth_policy || local.create_cross_account_auth_policy
   # event notifications dependency
   enable_event_notification        = local.enable_event_notifications
-  existing_en_instance_crn         = var.existing_event_notifications_instance_crn
+  existing_en_instance_crn         = local.enable_event_notifications ? var.existing_event_notifications_instance_crn : null
   skip_en_iam_authorization_policy = var.skip_secrets_manager_event_notifications_iam_auth_policy
   cbr_rules                        = var.secrets_manager_cbr_rules
   endpoint_type                    = var.secrets_manager_endpoint_type
@@ -205,7 +205,7 @@ data "ibm_resource_instance" "existing_sm" {
 #######################################################################################################################
 
 locals {
-  parsed_existing_en_instance_crn = var.existing_event_notifications_instance_crn != null ? split(":", var.existing_event_notifications_instance_crn) : []
+  parsed_existing_en_instance_crn = var.existing_event_notifications_instance_crn == null || var.existing_event_notifications_instance_crn == "" ? [] : split(":", var.existing_event_notifications_instance_crn)
   existing_en_guid                = length(local.parsed_existing_en_instance_crn) > 0 ? local.parsed_existing_en_instance_crn[7] : null
 }
 

@@ -85,7 +85,7 @@ variable "skip_secrets_manager_iam_auth_policy" {
 }
 
 variable "secrets_manager_resource_tags" {
-  type        = list(any)
+  type        = list(string)
   description = "The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided."
   default     = []
 }
@@ -119,7 +119,7 @@ variable "secret_groups" {
     access_group_roles       = optional(list(string), ["SecretsReader"])
     access_group_tags        = optional(list(string))
   }))
-  description = "Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `<prefix>-value` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md)."
+  description = "Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `<prefix>-value` format. If you do not wish to create any groups, set the value to `[]`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md)."
   nullable    = false
   default = [
     {

@@ -42,10 +42,10 @@ No resources.
 | <a name="input_kms_key_ring_name"></a> [kms\_key\_ring\_name](#input\_kms\_key\_ring\_name) | The name for the new key ring to store the key. Applies only if `existing_secrets_manager_kms_key_crn` is not specified. If a prefix input variable is passed, it is added to the value in the `<prefix>-value` format. . | `string` | `"secrets-manager-key-ring"` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix to be added to all resources created by this solution. To skip using a prefix, set this value to null or an empty string. The prefix must begin with a lowercase letter and may contain only lowercase letters, digits, and hyphens '-'. It should not exceed 16 characters, must not end with a hyphen('-'), and can not contain consecutive hyphens ('--'). Example: sm-0205. [Learn more](https://terraform-ibm-modules.github.io/documentation/#/prefix.md). | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The region to provision resources to. | `string` | `"us-south"` | no |
-| <a name="input_secret_groups"></a> [secret\_groups](#input\_secret\_groups) | Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `<prefix>-value` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md). | <pre>list(object({<br/>    secret_group_name        = string<br/>    secret_group_description = optional(string)<br/>    create_access_group      = optional(bool, true)<br/>    access_group_name        = optional(string)<br/>    access_group_roles       = optional(list(string), ["SecretsReader"])<br/>    access_group_tags        = optional(list(string))<br/>  }))</pre> | <pre>[<br/>  {<br/>    "access_group_name": "general-secrets-group-access-group",<br/>    "access_group_roles": [<br/>      "SecretsReader"<br/>    ],<br/>    "create_access_group": true,<br/>    "secret_group_description": "A general purpose secrets group with an associated access group which has a secrets reader role",<br/>    "secret_group_name": "General"<br/>  }<br/>]</pre> | no |
+| <a name="input_secret_groups"></a> [secret\_groups](#input\_secret\_groups) | Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `<prefix>-value` format. If you do not wish to create any groups, set the value to `[]`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md). | <pre>list(object({<br/>    secret_group_name        = string<br/>    secret_group_description = optional(string)<br/>    create_access_group      = optional(bool, true)<br/>    access_group_name        = optional(string)<br/>    access_group_roles       = optional(list(string), ["SecretsReader"])<br/>    access_group_tags        = optional(list(string))<br/>  }))</pre> | <pre>[<br/>  {<br/>    "access_group_name": "general-secrets-group-access-group",<br/>    "access_group_roles": [<br/>      "SecretsReader"<br/>    ],<br/>    "create_access_group": true,<br/>    "secret_group_description": "A general purpose secrets group with an associated access group which has a secrets reader role",<br/>    "secret_group_name": "General"<br/>  }<br/>]</pre> | no |
 | <a name="input_secrets_manager_cbr_rules"></a> [secrets\_manager\_cbr\_rules](#input\_secrets\_manager\_cbr\_rules) | (Optional, list) List of CBR rules to create. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/solutions/fully-configurable/DA-cbr_rules.md) | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_secrets_manager_instance_name"></a> [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `<prefix>-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no |
-| <a name="input_secrets_manager_resource_tags"></a> [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(any)` | `[]` | no |
+| <a name="input_secrets_manager_resource_tags"></a> [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(string)` | `[]` | no |
 | <a name="input_service_plan"></a> [service\_plan](#input\_service\_plan) | The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard). | `string` | n/a | yes |
 | <a name="input_skip_secrets_manager_event_notifications_iam_auth_policy"></a> [skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no |
 | <a name="input_skip_secrets_manager_iam_auth_policy"></a> [skip\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_iam\_auth\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |

@@ -74,7 +74,7 @@ variable "skip_secrets_manager_iam_auth_policy" {
 }
 
 variable "secrets_manager_resource_tags" {
-  type        = list(any)
+  type        = list(string)
   description = "The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided."
   default     = []
 }
@@ -88,7 +88,7 @@ variable "secret_groups" {
     access_group_roles       = optional(list(string), ["SecretsReader"])
     access_group_tags        = optional(list(string))
   }))
-  description = "Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `<prefix>-value` format. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md)."
+  description = "Secret Manager secret group and access group configurations. If a prefix input variable is specified, it is added to the `access_group_name` value in the `<prefix>-value` format. If you do not wish to create any groups, set the value to `[]`. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/fully-configurable/provisioning_secrets_groups.md)."
   nullable    = false
   default = [
     {