diff --git a/README.md b/README.md
index 84227bc9..9e06e42e 100644
--- a/README.md
+++ b/README.md
@@ -95,31 +95,31 @@ You need the following permissions to run this module.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-endpoints#service-endpoints | `string` | `"public-and-private"` | no |
-| [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
})) | `[]` | no |
-| [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null. | `bool` | `false` | no |
+| [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-endpoints#service-endpoints). | `string` | `"public-and-private"` | no |
+| [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of context-based restriction rules to create | list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
})) | `[]` | no |
+| [enable\_event\_notification](#input\_enable\_event\_notification) | Set to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When set to `true`, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be set to `null`. | `bool` | `false` | no |
| [endpoint\_type](#input\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"public"` | no |
| [existing\_en\_instance\_crn](#input\_existing\_en\_instance\_crn) | The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance. | `string` | `null` | no |
-| [existing\_sm\_instance\_crn](#input\_existing\_sm\_instance\_crn) | An existing Secrets Manager instance CRN. If not provided an new instance will be provisioned. | `string` | `null` | no |
-| [is\_hpcs\_key](#input\_is\_hpcs\_key) | Set it to true if the key provided through the `kms_key_crn` is Hyper Protect Crypto Services key. | `bool` | `false` | no |
-| [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in Secrets Manager. If set to false, the data that you store is encrypted at rest by using envelope encryption. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data&interface=ui#about-encryption. | `bool` | `false` | no |
-| [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for encryption. Only used if `kms_encryption_enabled` is set to true. | `string` | `null` | no |
-| [region](#input\_region) | The region where the resource will be provisioned.Its not required if passing a value for `existing_sm_instance_crn`. | `string` | `null` | no |
-| [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group | `string` | n/a | yes |
+| [existing\_sm\_instance\_crn](#input\_existing\_sm\_instance\_crn) | An existing Secrets Manager instance CRN. If not provided, a new instance is created. | `string` | `null` | no |
+| [is\_hpcs\_key](#input\_is\_hpcs\_key) | Set to `true` if the key provided through the `kms_key_crn` is a Hyper Protect Crypto Services key. | `bool` | `false` | no |
+| [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set to `true` to control the encryption keys that are used to encrypt the data that you store in Secrets Manager. If set to `false`, the data that you store is encrypted at rest by using envelope encryption. For more details, go to [About customer-managed keys](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data&interface=ui#about-encryption). | `bool` | `false` | no |
+| [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a key management service like Key Protect or Hyper Protect Crypto Services that you want to use for encryption. Only used if `kms_encryption_enabled` is set to `true`. | `string` | `null` | no |
+| [region](#input\_region) | The region where the instance is created. Not required if passing a value for `existing_sm_instance_crn`. | `string` | `null` | no |
+| [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group that contains the Secrets Manager instance. | `string` | n/a | yes |
| [secrets](#input\_secrets) | Secret Manager secrets configurations. | list(object({
secret_group_name = string
secret_group_description = optional(string)
existing_secret_group = optional(bool, false)
create_access_group = optional(bool, false)
access_group_name = optional(string)
access_group_roles = optional(list(string))
access_group_tags = optional(list(string))
secrets = optional(list(object({
secret_name = string
secret_description = optional(string)
secret_type = optional(string)
imported_cert_certificate = optional(string)
imported_cert_private_key = optional(string)
imported_cert_intermediate = optional(string)
secret_username = optional(string)
secret_labels = optional(list(string), [])
secret_payload_password = optional(string, "")
secret_auto_rotation = optional(bool, true)
secret_auto_rotation_unit = optional(string, "day")
secret_auto_rotation_interval = optional(number, 89)
service_credentials_ttl = optional(string, "7776000") # 90 days
service_credentials_source_service_crn = optional(string)
service_credentials_source_service_role_crn = optional(string)
})))
})) | `[]` | no |
| [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name of the Secrets Manager instance to create | `string` | n/a | yes |
-| [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false. | `bool` | `false` | no |
-| [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
-| [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
+| [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip creating an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. No policy is created if `enable_event_notification` is set to `false`. | `bool` | `false` | no |
+| [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Whether to skip creating the IAM authorization policies that are required to enable the IAM credentials engine. If set to `false`, policies are created that grant the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manager' access to the IAM groups service. | `bool` | `false` | no |
+| [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Whether to skip creating the IAM authorization policies that are required to enable the IAM credentials engine. If set to false, policies are created that grant the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manager' access to the IAM groups service. | `bool` | `false` | no |
| [sm\_service\_plan](#input\_sm\_service\_plan) | The Secrets Manager plan to provision. | `string` | `"standard"` | no |
-| [sm\_tags](#input\_sm\_tags) | The list of resource tags that you want to associate with your Secrets Manager instance. | `list(string)` | `[]` | no |
+| [sm\_tags](#input\_sm\_tags) | The list of resource tags to associate with your Secrets Manager instance. | `list(string)` | `[]` | no |
### Outputs
| Name | Description |
|------|-------------|
-| [secret\_groups](#output\_secret\_groups) | IDs of the created Secret Group |
-| [secrets](#output\_secrets) | List of secret mananger secret config data |
+| [secret\_groups](#output\_secret\_groups) | IDs of the secret groups |
+| [secrets](#output\_secrets) | List of Secrets Manager secret configuration data |
| [secrets\_manager\_crn](#output\_secrets\_manager\_crn) | CRN of the Secrets Manager instance |
| [secrets\_manager\_guid](#output\_secrets\_manager\_guid) | GUID of Secrets Manager instance |
| [secrets\_manager\_id](#output\_secrets\_manager\_id) | ID of the Secrets Manager instance |
diff --git a/ibm_catalog.json b/ibm_catalog.json
index ca4b6d34..fc092e57 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -20,8 +20,8 @@
"terraform",
"solution"
],
- "short_description": "Cloud architecture including Secrets Manager instance and optional security, logging and notification services.",
- "long_description": "This deployable architecture is used to provision and configure an [IBM Cloud Secrets Manager](https://www.ibm.com/products/secrets-manager) instance. **Optionally**, supports creating and/or configuring:\n* [IBM Cloud account](https://cloud.ibm.com/docs/account?topic=account-account-getting-started): To set up IBM Cloud accounts settings.\n* [Key Protect](https://cloud.ibm.com/docs/key-protect?topic=key-protect-getting-started-tutorial): For data encryption using customer-managed keys.\n* [Cloud Logs](https://cloud.ibm.com/docs/cloud-logs?topic=cloud-logs-getting-started): Logging and monitoring platform logs.\n* [Cloud Monitoring](https://cloud.ibm.com/docs/monitoring?topic=monitoring-getting-started):Measure how users and applications interact with the Secrets Manager instance.\n*[Activity Tracker Event Routing](https://cloud.ibm.com/docs/atracker?topic=atracker-getting-started): Configures how to route auditing events.\n* [Event Notifications](https://cloud.ibm.com/docs/event-notifications?topic=event-notifications-getting-started): Send notifications of events to other users, or destinations, by using email, SMS or other supported delivery channels.\n\nℹ️ This Terraform-based automation is part of a broader suite of IBM-maintained Infrastructure as Code (IaC) assets, each following the naming pattern \"Cloud automation for *servicename*\" and focusing on single IBM Cloud service. These single-service deployable architectures can be used on their own to streamline and automate service deployments through an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or assembled together into a broader [automated IaC stack](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to automate the deployment of an end-to-end solution architecture.",
+ "short_description": "Create and configure a Secrets Manager instance with optional security, logging, and notification services",
+ "long_description": "This deployable architecture is used to provision and configure an [IBM Cloud Secrets Manager](https://www.ibm.com/products/secrets-manager) instance. It optionally supports creating and configuring the following:\n* [an IBM Cloud account](https://cloud.ibm.com/docs/account?topic=account-account-getting-started) to set up basic account settings.\n* [Key Protect](https://cloud.ibm.com/docs/key-protect?topic=key-protect-getting-started-tutorial) for data encryption by using your own managed keys.\n* [Cloud Logs](https://cloud.ibm.com/docs/cloud-logs?topic=cloud-logs-getting-started) for logging and monitoring platform logs.\n* [Cloud Monitoring](https://cloud.ibm.com/docs/monitoring?topic=monitoring-getting-started) to measure how users and applications interact with the Secrets Manager instance.\n* [Event Notifications](https://cloud.ibm.com/docs/event-notifications?topic=event-notifications-getting-started) to send notifications of events to other users, or destinations, by using email, SMS or other supported delivery channels.\n\nℹ️ This deployable architecture is a part of a larger collection that IBM provides. Each deployable architecture focuses on a single IBM Cloud service. You can use these deployable architectures on their own to automate deployments by following an [IaC approach](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-understanding-projects), or you can [combine them together](https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-config-stack) to deploy a more complex end-to-end solution architecture.",
"offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/README.md",
"offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager/main/images/secrets_manager.svg",
"provider_name": "IBM",
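Review bot: The rewritten `long_description` at line 106 no longer lists Activity Tracker Event Routing, which the previous text included among the optional services this architecture can configure. If audit-event routing is still offered, the catalog entry now understates the logging and auditing scope a user gets; if it was dropped deliberately, that is a functional change worth stating in the commit message rather than leaving implied by a wording pass. Either way, the bullet list should agree with the `features` entries further down in the same file, which still describe logging setup for the instance.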
@@ -44,11 +44,11 @@
},
{
"title": "Sets up authorization policy",
- "description": "Sets up IBM IAM authorization policy between IBM Secrets Manager instance and IBM Key Management Service (KMS) instance. It also supports Event Notification authorization policy. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-integrations)."
+ "description": "Sets up IBM IAM authorization policy between the Secrets Manager instance and a key management service instance. It also supports Event Notifications authorization policy. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-integrations)."
},
{
"title": "Configures lifecycle notifications",
- "description": "Optionally, you can choose to configure lifecycle notifications by integrating the Event Notifications service. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-event-notifications&interface=ui)."
+ "description": "Optionally, you can choose to configure lifecycle notifications by integrating with the Event Notifications service. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-event-notifications&interface=ui)."
},
{
"title": "Sets up logging for Secrets Manager instance",
@@ -151,7 +151,7 @@
"key": "enable_platform_metrics",
"type": "boolean",
"default_value": false,
- "description": "When set to `true`, the IBM Cloud Monitoring instance will be configured to collect platform metrics from the provided region. You can configure 1 instance only of the IBM Cloud Monitoring service per region to collect platform metrics in that location. Check with the account or service administrator if another monitoring instance has already been configured. You may not have permissions to see all monitoring instances in the region. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-platform_metrics_enabling).",
+ "description": "When set to `true`, the IBM Cloud Monitoring instance is configured to collect platform metrics from the specified region. You can configure only one instance of the IBM Cloud Monitoring service per region to collect platform metrics in that location. Check with the account or service administrator if another Monitoring instance is already configured. You might not have permissions to see all monitoring instances in the region. [Learn more](https://cloud.ibm.com/docs/monitoring?topic=monitoring-platform_metrics_enabling).",
"required": true,
"virtual": true
},
@@ -323,7 +323,7 @@
"crn:v1:bluemix:public:iam::::serviceRole:Manager"
],
"service_name": "secrets-manager",
- "notes": "Required for creating an Secrets Manager instance. 'Manager' access required to create new secret groups."
+ "notes": "Required for creating a Secrets Manager instance. 'Manager' access is required to create secret groups."
},
{
"role_crns": [
@@ -331,7 +331,7 @@
"crn:v1:bluemix:public:iam::::role:Editor"
],
"service_name": "event-notifications",
- "notes": "[Optional] Required if you are configuring an Event Notifications Instance."
+ "notes": "[Optional] Required if you are configuring an Event Notifications instance."
},
{
"role_crns": [
@@ -355,7 +355,7 @@
"crn:v1:bluemix:public:iam::::role:Editor"
],
"service_name": "hs-crypto",
- "notes": "[Optional] Required if you are creating/configuring keys in an existing Hyper Protect Crypto Services (HPCS) instance for encryption."
+ "notes": "[Optional] Required if you are creating and configuring keys in an existing Hyper Protect Crypto Services instance for key encryption."
},
{
"role_crns": [
@@ -363,21 +363,21 @@
"crn:v1:bluemix:public:iam::::role:Editor"
],
"service_name": "kms",
- "notes": "[Optional] Required if you are creating/configuring Key Protect instance and keys for encryption."
+ "notes": "[Optional] Required if you are creating and configuring a Key Protect instance for key encryption."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator"
],
"service_name": "iam-identity",
- "notes": "[Optional] Required if Cloud automation for account configuration is enabled."
+ "notes": "[Optional] Required to deploy Cloud automation for account configuration, which creates foundational IBM Cloud account resources, like IAM settings, trusted profiles, access groups, and resource groups."
}
],
"architecture": {
"features": [
{
"title": " ",
- "description": "Configured to use IBM secure by default standards, but can be edited to fit your use case."
+ "description": "Configured to use IBM secure-by-default standards, but you can edit it to fit your use case."
}
],
"diagrams": [
@@ -387,14 +387,14 @@
"url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager/main/reference-architecture/secrets_manager.svg",
"type": "image/svg+xml"
},
- "description": "This architecture supports creating and configuring a Secrets Manager instance and optional security, logging and notification services."
+ "description": "This architecture supports creating and configuring a Secrets Manager instance and optional security, logging, and notification services."
}
]
},
"dependencies": [
{
"name": "deploy-arch-ibm-account-infra-base",
- "description": "Advanced users can leverage cloud automation for account configuration to configure IBM Cloud account with a ready-made set of resource groups by default. When you enable the \"with account settings\" option, it also applies baseline security and governance settings.",
+ "description": "Advanced users can leverage the Cloud automation for account configuration deployable architecture to configure an IBM Cloud account with a ready-made set of resource groups by default. When you enable the \"with account settings\" option, it also applies baseline security and governance settings.",
"catalog_id": "7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3",
"flavors": [
"resource-group-only",
@@ -756,14 +756,14 @@
"crn:v1:bluemix:public:iam::::serviceRole:Manager"
],
"service_name": "secrets-manager",
- "notes": "Required for creating an Secrets Manager instance. 'Manager' access required to create new secret groups."
+ "notes": "Required to create a Secrets Manager instance. 'Manager' access is required to create secret groups."
}
],
"architecture": {
"features": [
{
"title": " ",
- "description": "Configured to use IBM secure by default standards that can't be changed."
+ "description": "Configured to use IBM secure-by-default standards that can't be changed."
}
],
"diagrams": [
@@ -773,7 +773,7 @@
"url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-secrets-manager/main/reference-architecture/secrets_manager.svg",
"type": "image/svg+xml"
},
- "description": "This architecture supports creating and configuring IBM Secrets Manager instance."
+ "description": "This architecture supports creating and configuring an IBM Secrets Manager instance."
}
]
},
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
index 6f2ed221..f8206bdf 100644
--- a/modules/fscloud/README.md
+++ b/modules/fscloud/README.md
@@ -68,7 +68,7 @@ No resources.
| Name | Description |
|------|-------------|
| [secret\_groups](#output\_secret\_groups) | IDs of the created Secret Group |
-| [secrets](#output\_secrets) | List of secret mananger secret config data |
+| [secrets](#output\_secrets) | List of secret manager secret config data |
| [secrets\_manager\_crn](#output\_secrets\_manager\_crn) | CRN of the Secrets Manager instance |
| [secrets\_manager\_guid](#output\_secrets\_manager\_guid) | GUID of Secrets Manager instance |
| [secrets\_manager\_id](#output\_secrets\_manager\_id) | ID of the Secrets Manager instance |
diff --git a/modules/fscloud/outputs.tf b/modules/fscloud/outputs.tf
index 0f755db8..1ad6b3bf 100644
--- a/modules/fscloud/outputs.tf
+++ b/modules/fscloud/outputs.tf
@@ -34,5 +34,5 @@ output "secret_groups" {
output "secrets" {
value = module.secrets_manager.secrets
- description = "List of secret mananger secret config data"
+ description = "List of secret manager secret config data"
}
diff --git a/modules/secrets/README.md b/modules/secrets/README.md
index 5bca977c..d6265f5a 100644
--- a/modules/secrets/README.md
+++ b/modules/secrets/README.md
@@ -73,5 +73,5 @@ module "secrets_manager" {
| Name | Description |
|------|-------------|
| [secret\_groups](#output\_secret\_groups) | IDs of the created Secret Group |
-| [secrets](#output\_secrets) | List of secret mananger secret config data |
+| [secrets](#output\_secrets) | List of secret manager secret config data |
diff --git a/modules/secrets/outputs.tf b/modules/secrets/outputs.tf
index 8e08adb6..a3bc3a10 100644
--- a/modules/secrets/outputs.tf
+++ b/modules/secrets/outputs.tf
@@ -8,6 +8,6 @@ output "secret_groups" {
}
output "secrets" {
- description = "List of secret mananger secret config data"
+ description = "List of secret manager secret config data"
value = module.secrets
}
diff --git a/outputs.tf b/outputs.tf
index 769d593e..bd38376a 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -30,11 +30,11 @@ output "secrets_manager_region" {
output "secret_groups" {
value = module.secrets.secret_groups
- description = "IDs of the created Secret Group"
+ description = "IDs of the secret groups"
}
output "secrets" {
value = module.secrets.secrets
- description = "List of secret mananger secret config data"
+ description = "List of Secrets Manager secret configuration data"
}
##############################################################################
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 6b715a65..445f0ca7 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -79,7 +79,7 @@ variable "service_plan" {
variable "skip_secrets_manager_iam_auth_policy" {
type = bool
- description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service."
+ description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager instance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service."
default = false
}
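Review bot: The role name quoted in this description, 'Groups Service Member Manage' at line 296, now differs from the root module's rewritten text for `skip_iam_authorization_policy` in variables.tf ('Groups Service Member Manager'), and the same split recurs in solutions/security-enforced/variables.tf in the next hunk. The quoted string is presumably the literal IAM role that the module's authorization policy grants, so whichever spelling matches the role actually assigned should be used verbatim in every copy rather than edited as prose; I cannot confirm the canonical name from this diff. The same sentence is also reused unchanged for `skip_kms_iam_authorization_policy` in the root module and README, where it talks about the IAM credentials engine policy rather than the KMS one, so an operator cannot tell from that description which policy the flag actually skips.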
diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf
index ae5d3706..3982a11c 100644
--- a/solutions/security-enforced/variables.tf
+++ b/solutions/security-enforced/variables.tf
@@ -68,7 +68,7 @@ variable "service_plan" {
variable "skip_secrets_manager_iam_auth_policy" {
type = bool
- description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service."
+ description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager instance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service."
default = false
}
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 17849ef3..3e52a1e4 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -3,14 +3,15 @@ package test
import (
"fmt"
- "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/cloudinfo"
- "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testaddons"
"log"
"math/rand"
"os"
"strings"
"testing"
+ "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/cloudinfo"
+ "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testaddons"
+
"github.com/gruntwork-io/terratest/modules/files"
"github.com/gruntwork-io/terratest/modules/logger"
"github.com/gruntwork-io/terratest/modules/random"
@@ -419,6 +420,7 @@ func TestRunSecretsManagerSecurityEnforcedUpgradeSchematic(t *testing.T) {
func TestSecretsManagerDefaultConfiguration(t *testing.T) {
t.Parallel()
+ t.Skip("Remove skip once this issue is resolved- https://github.ibm.com/GoldenEye/issues/issues/15657")
options := testaddons.TestAddonsOptionsDefault(&testaddons.TestAddonOptions{
Testing: t,
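Review bot: Both addon tests are now unconditionally skipped (here at line 333 and in TestDependencyPermutations in the next hunk), which leaves the deployable architecture's default configuration and its dependency permutations with no automated validation until someone remembers to remove the skip. The skip message points at an internal tracker, so external contributors cannot see whether the blocker is resolved; record an owner and a date in the message, or gate the skip on an environment variable of your choosing so the check can still be run on demand, e.g. `if os.Getenv("RUN_ADDON_TESTS") == "" { t.Skip("...") }` (`os` is already imported). As a style point, calling `t.Skip` before `t.Parallel()` avoids registering a parallel test that does nothing.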
@@ -445,6 +447,7 @@ func TestSecretsManagerDefaultConfiguration(t *testing.T) {
// TestDependencyPermutations runs dependency permutations for the Secrets Manager and all its dependencies
func TestDependencyPermutations(t *testing.T) {
+ t.Skip("Remove skip once this issue is resolved- https://github.ibm.com/GoldenEye/issues/issues/15657")
options := testaddons.TestAddonsOptionsDefault(&testaddons.TestAddonOptions{
Testing: t,
diff --git a/variables.tf b/variables.tf
index 632aebec..04956472 100644
--- a/variables.tf
+++ b/variables.tf
@@ -3,12 +3,12 @@
##############################################################################
variable "resource_group_id" {
type = string
- description = "The ID of the resource group"
+ description = "The ID of the resource group that contains the Secrets Manager instance."
}
variable "region" {
type = string
- description = "The region where the resource will be provisioned.Its not required if passing a value for `existing_sm_instance_crn`."
+ description = "The region where the instance is created. Not required if passing a value for `existing_sm_instance_crn`."
default = null
}
@@ -23,74 +23,74 @@ variable "sm_service_plan" {
default = "standard"
validation {
condition = contains(["standard", "trial"], var.sm_service_plan)
- error_message = "The specified sm_service_plan is not a valid selection!"
+ error_message = "The specified `sm_service_plan` is not valid. Possible values are `standard` or `trial`."
}
}
variable "skip_iam_authorization_policy" {
type = bool
- description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service."
+ description = "Whether to skip creating the IAM authorization policies that are required to enable the IAM credentials engine. If set to `false`, policies are created that grant the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manager' access to the IAM groups service."
default = false
}
variable "sm_tags" {
type = list(string)
- description = "The list of resource tags that you want to associate with your Secrets Manager instance."
+ description = "The list of resource tags to associate with your Secrets Manager instance."
default = []
}
variable "allowed_network" {
type = string
- description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-endpoints#service-endpoints"
+ description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-endpoints#service-endpoints)."
default = "public-and-private"
validation {
condition = contains(["private-only", "public-and-private"], var.allowed_network)
- error_message = "The specified allowed_network is not a valid selection!"
+ error_message = "The value is not valid. Possible values are `private-only` or `public-and-private`."
}
}
variable "kms_encryption_enabled" {
type = bool
- description = "Set this to true to control the encryption keys used to encrypt the data that you store in Secrets Manager. If set to false, the data that you store is encrypted at rest by using envelope encryption. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data&interface=ui#about-encryption."
+ description = "Set to `true` to control the encryption keys that are used to encrypt the data that you store in Secrets Manager. If set to `false`, the data that you store is encrypted at rest by using envelope encryption. For more details, go to [About customer-managed keys](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data&interface=ui#about-encryption)."
default = false
}
variable "skip_kms_iam_authorization_policy" {
type = bool
- description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service."
+ description = "Whether to skip creating the IAM authorization policies that are required to enable the IAM credentials engine. If set to false, policies are created that grant the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manager' access to the IAM groups service."
default = false
}
variable "kms_key_crn" {
type = string
- description = "The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for encryption. Only used if `kms_encryption_enabled` is set to true."
+ description = "The root key CRN of a key management service like Key Protect or Hyper Protect Crypto Services that you want to use for encryption. Only used if `kms_encryption_enabled` is set to `true`."
default = null
validation {
condition = var.kms_key_crn != null && var.kms_encryption_enabled == false ? false : true
- error_message = "When passing values for var.kms_key_crn, you must set 'kms_encryption_enabled' to true. Otherwise set 'kms_encryption_enabled' to false to use default encryption."
+ error_message = "When passing values for `var.kms_key_crn`, you must set 'kms_encryption_enabled' to `true`. Otherwise, set 'kms_encryption_enabled' to `false` to use default encryption."
}
validation {
condition = var.kms_encryption_enabled == true && var.kms_key_crn == null ? false : true
- error_message = "When setting var.kms_encryption_enabled to true, a value must be passed for var.kms_key_crn."
+ error_message = "When setting `var.kms_encryption_enabled` to `tru`e, a value must be passed for `var.kms_key_crn`."
}
}
variable "is_hpcs_key" {
type = bool
- description = "Set it to true if the key provided through the `kms_key_crn` is Hyper Protect Crypto Services key."
+ description = "Set to `true` if the key provided through the `kms_key_crn` is a Hyper Protect Crypto Services key."
default = false
}
variable "existing_sm_instance_crn" {
type = string
- description = "An existing Secrets Manager instance CRN. If not provided an new instance will be provisioned."
+ description = "An existing Secrets Manager instance CRN. If not provided, a new instance is created."
default = null
validation {
condition = var.existing_sm_instance_crn == null && var.region == null ? false : true
- error_message = "When existing_sm_instance_crn is null, a value must be passed for var.region"
+ error_message = "When `existing_sm_instance_crn` is set to `null`, a value must be passed for `var.region`."
}
}
@@ -114,7 +114,7 @@ variable "cbr_rules" {
}))
})))
}))
- description = "(Optional, list) List of CBR rules to create"
+ description = "(Optional, list) List of context-based restriction rules to create"
default = []
# Validation happens in the rule module
}
@@ -125,18 +125,18 @@ variable "cbr_rules" {
variable "skip_en_iam_authorization_policy" {
type = bool
- description = "Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false."
+ description = "Set to true to skip creating an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. No policy is created if `enable_event_notification` is set to `false`."
default = false
}
variable "enable_event_notification" {
type = bool
default = false
- description = "Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null."
+ description = "Set to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When set to `true`, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be set to `null`."
validation {
condition = var.enable_event_notification == true && var.existing_en_instance_crn == null ? false : true
- error_message = "When setting var.enable_event_notification to true, a value must be passed for var.existing_en_instance_crn"
+ error_message = "When setting `var.enable_event_notification` to `true`, a value must be passed for `var.existing_en_instance_crn`."
}
}
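Review bot: The rewritten description of `enable_event_notification` says that `existing_sm_instance_crn` must be set to `null` when notifications are enabled, but the validation block directly below it checks only `existing_en_instance_crn`, so that constraint is documented here without being enforced (unless another part of the module does it). Either add a second validation with `condition = var.enable_event_notification == true && var.existing_sm_instance_crn != null ? false : true` and a matching error message, or drop that sentence from the description so the text does not promise a check that is not made. Formatting of the boolean literal is also inconsistent in the new text: both descriptions in this hunk write `Set to true` unquoted while the other rewritten descriptions put `true` in backticks, and the rewritten `kms_key_crn` error message earlier in the diff has its closing backtick misplaced (the text reads "tru`e"), which will render as a broken code span.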
@@ -152,12 +152,12 @@ variable "endpoint_type" {
default = "public"
validation {
condition = contains(["public", "private"], var.endpoint_type)
- error_message = "The specified endpoint_type is not a valid selection!"
+ error_message = "The specified `endpoint_type` is not valid. Possible values are `public` or `private`."
}
validation {
condition = var.endpoint_type == "public" && var.allowed_network == "private-only" ? false : true
- error_message = "It is not allowed to have conflicting `var.endpoint_type` and `var.allowed_network values`."
+ error_message = "It is not allowed to have conflicting `var.endpoint_type` and `var.allowed_network` values."
}
}
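Review bot: The rewritten conflict message on the second `endpoint_type` validation still tells the user only that the two values conflict, not which combination is rejected or how to resolve it, while the other messages rewritten in this commit spell out the accepted values. Since the condition rejects exactly `endpoint_type = "public"` together with `allowed_network = "private-only"`, a message such as `error_message = "When allowed_network is private-only, endpoint_type must be private."` would be consistent with those and actionable. Note also that this condition references a different variable (`var.allowed_network`) from inside a variable validation block, which older Terraform releases reject; the module's required version is not visible in this hunk, so it may be worth confirming it is pinned high enough.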