diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml
index a73239bf..8b1b246c 100644
--- a/.catalog-onboard-pipeline.yaml
+++ b/.catalog-onboard-pipeline.yaml
@@ -9,8 +9,6 @@ offerings:
- name: security-enforced
mark_ready: true
install_type: fullstack
- pre_validation: "tests/scripts/pre-validate.sh solutions/security-enforced"
- post_validation: "tests/scripts/post-validate.sh"
scc:
instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
region: us-south
@@ -18,8 +16,6 @@ offerings:
- name: fully-configurable
mark_ready: true
install_type: fullstack
- pre_validation: "tests/scripts/pre-validate.sh solutions/fully-configurable"
- post_validation: "tests/scripts/post-validate.sh"
scc:
instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
region: us-south
diff --git a/README.md b/README.md
index 1cd4be7b..79146fd0 100644
--- a/README.md
+++ b/README.md
@@ -19,8 +19,8 @@ This module is used to provision and configure an IBM Cloud [Secrets Manager](ht
* [fscloud](./modules/fscloud)
* [secrets](./modules/secrets)
* [Examples](./examples)
+ * [Advanced example](./examples/advanced)
* [Basic example](./examples/basic)
- * [Complete example with BYOK encryption](./examples/complete)
* [Financial Services Cloud profile example with KYOK encryption](./examples/fscloud)
* [Contributing](#contributing)
diff --git a/common-dev-assets b/common-dev-assets
index c70a81e9..03fd242c 160000
--- a/common-dev-assets
+++ b/common-dev-assets
@@ -1 +1 @@
-Subproject commit c70a81e9fdbcea23cd85546089c4524fe6ccdab6
+Subproject commit 03fd242c14074713be00c371ed86971093163e4e
diff --git a/examples/advanced/README.md b/examples/advanced/README.md
new file mode 100644
index 00000000..8f6bc0c6
--- /dev/null
+++ b/examples/advanced/README.md
@@ -0,0 +1,14 @@
+# Advanced example
+
+An example that configures:
+
+- A new resource group if one is not passed in.
+- A new Key Protect instance and root key
+- A new Event Notifications instance
+- An s2s auth policy to allow Secrets Manager to manage Event Notifications service credentials
+- A new Secretes Manager instance
+- A new secret group with a new Event Notifications service credential secret and an arbitrary secret
+- A new arbitrary secret in the default secret group
+- A sample code engine project that builds a code engine job and outputs User IBM Cloud IAM API Keys
+- A custom credential engine using the code engine project
+- A custom credential secret
diff --git a/examples/complete/main.tf b/examples/advanced/main.tf
similarity index 84%
rename from examples/complete/main.tf
rename to examples/advanced/main.tf
index 9170d017..e82d5328 100644
--- a/examples/complete/main.tf
+++ b/examples/advanced/main.tf
@@ -1,3 +1,7 @@
+##############################################################################
+# Resource group
+##############################################################################
+
module "resource_group" {
source = "terraform-ibm-modules/resource-group/ibm"
version = "1.3.0"
@@ -6,6 +10,10 @@ module "resource_group" {
existing_resource_group_name = var.resource_group
}
+##############################################################################
+# Key Protect instance and root key
+##############################################################################
+
module "key_protect" {
source = "terraform-ibm-modules/kms-all-inclusive/ibm"
version = "5.1.25"
@@ -25,7 +33,11 @@ module "key_protect" {
]
}
-module "event_notification" {
+##############################################################################
+# Event Notifications
+##############################################################################
+
+module "event_notifications" {
source = "terraform-ibm-modules/event-notifications/ibm"
version = "2.7.0"
resource_group_id = module.resource_group.resource_group_id
@@ -35,14 +47,13 @@ module "event_notification" {
region = var.en_region
}
+# s2s auth policy required for Secrets Manager to manage Event Notifications service credentials
resource "ibm_iam_authorization_policy" "en_policy" {
source_service_name = "secrets-manager"
roles = ["Key Manager"]
target_service_name = "event-notifications"
- target_resource_instance_id = module.event_notification.guid
- description = "Allow the Secret manager Key Manager role access to event-notifications with guid ${module.event_notification.guid}."
- # Scope of policy now includes the key, so ensure to create new policy before
- # destroying old one to prevent any disruption to every day services.
+ target_resource_instance_id = module.event_notifications.guid
+ description = "Grant Secret Manager a 'Key Manager' role to the Event Notifications instance ${module.event_notifications.guid} for managing service credentials."
lifecycle {
create_before_destroy = true
}
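Review bot: The new description replaces the old comment but drops the only explanation of why `create_before_destroy = true` is set on `ibm_iam_authorization_policy.en_policy`, leaving a lifecycle override that a later maintainer may remove as noise. Because the policy is scoped to a single Event Notifications instance via `target_resource_instance_id`, a replace-on-change would otherwise revoke Secrets Manager's authorization between destroy and create; keep a one-line rationale above the lifecycle block, e.g. `# Create the replacement policy before destroying the old one so Secrets Manager never loses its EN authorization during a replace.` The resource's closing brace is outside this hunk.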
@@ -53,6 +64,10 @@ resource "time_sleep" "wait_for_en_policy" {
create_duration = "30s"
}
+##############################################################################
+# Secrets Manager
+##############################################################################
+
module "secrets_manager" {
depends_on = [time_sleep.wait_for_en_policy]
source = "../.."
@@ -65,30 +80,29 @@ module "secrets_manager" {
is_hpcs_key = false
kms_key_crn = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn
enable_event_notification = true
- existing_en_instance_crn = module.event_notification.crn
+ existing_en_instance_crn = module.event_notifications.crn
secrets = [
+ # Example creating new secrets group with secrets in it
{
secret_group_name = "${var.prefix}-secret-group"
- secrets = [{
- secret_name = "${var.prefix}-kp-key-crn"
- secret_type = "arbitrary"
- secret_payload_password = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn
- },
+ secrets = [
+ # Example creating Event Notifications service credential secret
{
- # Arbitrary service credential for source service event notifications, with role Event-Notification-Publisher
secret_name = "${var.prefix}-service-credential"
secret_type = "service_credentials" #checkov:skip=CKV_SECRET_6
- secret_description = "Created by secrets-manager-module complete example"
- service_credentials_source_service_crn = module.event_notification.crn
+ secret_description = "Created by secrets-manager-module advanced example"
+ service_credentials_source_service_crn = module.event_notifications.crn
service_credentials_source_service_role_crn = "crn:v1:bluemix:public:event-notifications::::serviceRole:Event-Notification-Publisher"
},
+ # Example creating arbitrary secret
{
- secret_name = "${var.prefix}-custom-service-credential"
+ secret_name = "${var.prefix}-arbitrary-example"
secret_type = "arbitrary"
secret_payload_password = var.ibmcloud_api_key
}
]
},
+ # Example creating secret in existing secret group
{
secret_group_name = "default"
existing_secret_group = true
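Review bot: The renamed `${var.prefix}-arbitrary-example` secret still uses `secret_payload_password = var.ibmcloud_api_key`, so the example stores the very API key Terraform is deploying with (typically a broadly privileged identity) as a long-lived secret in the new instance; examples tend to be copied verbatim, and the old `-kp-key-crn` secret that carried a harmless CRN payload is removed here. A non-sensitive placeholder demonstrates the arbitrary secret type just as well, e.g. `secret_payload_password = "example-arbitrary-secret-value"`, with a comment such as `# Placeholder payload; never store the deployment API key as a secret`. The `module "secrets_manager"` block starts and ends outside this hunk.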
@@ -103,8 +117,11 @@ module "secrets_manager" {
}
##############################################################################
-# Code Engine Project
+# Code Engine configuration
+# (required to use create a custom credential)
##############################################################################
+
+# Create new code engine project
module "code_engine_project" {
source = "terraform-ibm-modules/code-engine/ibm//modules/project"
version = "4.5.13"
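Review bot: The new section header reads `# (required to use create a custom credential)`, which has a stray word; suggest `# (required to create a custom credential secret)`. The `module "code_engine_project"` block continues past the end of the hunk.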
@@ -112,9 +129,7 @@ module "code_engine_project" {
resource_group_id = module.resource_group.resource_group_id
}
-##############################################################################
-# Code Engine Secret
-##############################################################################
+# Create new code engine secret
locals {
registry_hostname = "private.de.icr.io"
output_image = "${local.registry_hostname}/${resource.ibm_cr_namespace.rg_namespace.name}/custom-engine-job"
@@ -133,19 +148,13 @@ module "code_engine_secret" {
}
}
-##############################################################################
-# Container Registry Namespace
-##############################################################################
+# Create new Container Registry namespace
resource "ibm_cr_namespace" "rg_namespace" {
name = "${var.prefix}-crn"
resource_group_id = module.resource_group.resource_group_id
}
-##############################################################################
-# Code Engine Build
-##############################################################################
-
-# For example the region is hardcoded to us-south in order to hardcode the output image and region for creating Code Engine Project and build
+# Build example Go application in Code Engine project which dynamically generates User IBM Cloud IAM API Keys
module "code_engine_build" {
source = "terraform-ibm-modules/code-engine/ibm//modules/build"
version = "4.5.13"
@@ -161,10 +170,7 @@ module "code_engine_build" {
output_image = local.output_image
}
-##############################################################################
-# Code Engine Job
-##############################################################################
-
+# Pull the sample job config from github
data "http" "job_config" {
url = "https://raw.githubusercontent.com/IBM/secrets-manager-custom-credentials-providers/refs/heads/main/ibmcloud-iam-user-apikey-provider-go/job_config.json"
request_headers = {
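Review bot: `data "http" "job_config"` fetches `job_config.json` from `refs/heads/main`, a mutable branch, on every plan, and the decoded `job_env_variables` configure a Code Engine job that the comment above describes as generating IBM Cloud IAM user API keys; any push to that branch silently changes what the job does on the next apply, with no integrity check in the example. Pin the URL to an immutable revision (a tag or commit SHA) and note the reviewed revision in the comment, e.g. `# Pinned to a reviewed revision of the upstream repo; bump deliberately after re-reviewing job_config.json`. The data block continues past the end of this hunk.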
@@ -176,6 +182,7 @@ locals {
job_env_variables = jsondecode(data.http.job_config.response_body).job_env_variables
}
+# Run the Code Engine job
module "code_engine_job" {
depends_on = [module.code_engine_build]
source = "terraform-ibm-modules/code-engine/ibm//modules/job"
@@ -194,7 +201,7 @@ module "code_engine_job" {
}
##############################################################################
-# Custom Credential Engine and secret
+# Create Custom Credential engine
##############################################################################
module "custom_credential_engine" {
@@ -213,8 +220,12 @@ module "custom_credential_engine" {
iam_credential_secret_name = "${var.prefix}-test-iam-secret"
}
-# Currently the main module cannot be called again as some of the count for resources depends on a computable input existing_en_instance_crn which will give error if the value is not available during planning
-# As a workaround the secret manager secret is directly being created via module call
+##############################################################################
+# Create Custom Credential secret
+# (using secrets-manager-secret to create the custom credential secret as it
+# can only be done after the Custom Credential engine is configured)
+##############################################################################
+
module "secret_manager_custom_credential" {
depends_on = [module.secrets_manager, module.custom_credential_engine]
source = "terraform-ibm-modules/secrets-manager-secret/ibm"
diff --git a/examples/complete/outputs.tf b/examples/advanced/outputs.tf
similarity index 100%
rename from examples/complete/outputs.tf
rename to examples/advanced/outputs.tf
diff --git a/examples/complete/provider.tf b/examples/advanced/provider.tf
similarity index 100%
rename from examples/complete/provider.tf
rename to examples/advanced/provider.tf
diff --git a/examples/complete/variables.tf b/examples/advanced/variables.tf
similarity index 100%
rename from examples/complete/variables.tf
rename to examples/advanced/variables.tf
diff --git a/examples/complete/version.tf b/examples/advanced/version.tf
similarity index 100%
rename from examples/complete/version.tf
rename to examples/advanced/version.tf
diff --git a/examples/complete/README.md b/examples/complete/README.md
deleted file mode 100644
index cc6e3602..00000000
--- a/examples/complete/README.md
+++ /dev/null
@@ -1,56 +0,0 @@
-# Complete example with BYOK encryption
-
-This examples handles the provisioning of a new Secrets Manager instance.
-
-
-### Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= v1.9.0 |
-| [http](#requirement\_http) | 3.2.1 |
-| [ibm](#requirement\_ibm) | >=1.79.0 |
-| [time](#requirement\_time) | 0.12.1 |
-
-### Modules
-
-| Name | Source | Version |
-|------|--------|---------|
-| [code\_engine\_build](#module\_code\_engine\_build) | terraform-ibm-modules/code-engine/ibm//modules/build | 4.5.13 |
-| [code\_engine\_job](#module\_code\_engine\_job) | terraform-ibm-modules/code-engine/ibm//modules/job | 4.5.13 |
-| [code\_engine\_project](#module\_code\_engine\_project) | terraform-ibm-modules/code-engine/ibm//modules/project | 4.5.13 |
-| [code\_engine\_secret](#module\_code\_engine\_secret) | terraform-ibm-modules/code-engine/ibm//modules/secret | 4.5.13 |
-| [custom\_credential\_engine](#module\_custom\_credential\_engine) | terraform-ibm-modules/secrets-manager-custom-credentials-engine/ibm | 1.0.1 |
-| [event\_notification](#module\_event\_notification) | terraform-ibm-modules/event-notifications/ibm | 2.7.0 |
-| [key\_protect](#module\_key\_protect) | terraform-ibm-modules/kms-all-inclusive/ibm | 5.1.25 |
-| [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.3.0 |
-| [secret\_manager\_custom\_credential](#module\_secret\_manager\_custom\_credential) | terraform-ibm-modules/secrets-manager-secret/ibm | 1.9.0 |
-| [secrets\_manager](#module\_secrets\_manager) | ../.. | n/a |
-
-### Resources
-
-| Name | Type |
-|------|------|
-| [ibm_cr_namespace.rg_namespace](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cr_namespace) | resource |
-| [ibm_iam_authorization_policy.en_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
-| [time_sleep.wait_for_en_policy](https://registry.terraform.io/providers/hashicorp/time/0.12.1/docs/resources/sleep) | resource |
-| [http_http.job_config](https://registry.terraform.io/providers/hashicorp/http/3.2.1/docs/data-sources/http) | data source |
-
-### Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [en\_region](#input\_en\_region) | Region where event notification will be created | `string` | `"au-syd"` | no |
-| [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key this account authenticates to | `string` | n/a | yes |
-| [prefix](#input\_prefix) | Prefix for sm instance | `string` | `"sm-com"` | no |
-| [region](#input\_region) | Region where resources will be created | `string` | `"eu-de"` | no |
-| [resource\_group](#input\_resource\_group) | An existing resource group name to use for this example, if unset a new resource group will be created | `string` | `null` | no |
-| [resource\_tags](#input\_resource\_tags) | Optional list of tags to be added to created resources | `list(string)` | `[]` | no |
-| [sm\_service\_plan](#input\_sm\_service\_plan) | The Secrets Manager service plan to provision | `string` | `"trial"` | no |
-
-### Outputs
-
-| Name | Description |
-|------|-------------|
-| [secrets\_manager\_guid](#output\_secrets\_manager\_guid) | GUID of Secrets Manager instance. |
-
diff --git a/examples/fscloud/README.md b/examples/fscloud/README.md
index 1ba51463..3471c3f9 100644
--- a/examples/fscloud/README.md
+++ b/examples/fscloud/README.md
@@ -2,16 +2,13 @@
An end-to-end example that uses the [Profile for IBM Cloud Framework for Financial Services](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/modules/fscloud) to deploy a private only Secrets-Manager instance with KYOK encryption
-This examples handles the provisioning of Secrets-Manager instance, the IAM engine configuration in the recently created instance and a context-based restriction (CBR) rule to only allow Secret Manager to be accessible from within the VPC..
-
-Only private service endpoints are enabled, public are disabled. Secrets Manager instances that are private only do not offer a UI management experience.
-The example uses the IBM Cloud Terraform provider to create the following infrastructure:
+The example creates the following infrastructure:
- A resource group, if one is not passed in.
-- A sample virtual private cloud (VPC).
-- A sample event notification service.
-- A secrets manager instance.
-- A context-based restriction (CBR) rule to only allow Secrets Manager to be accessible from within the VPC.
+- A CBR zone for Schematics
+- An Event Notifications instance.
+- A Secrets Manager instance.
+- A context-based restriction (CBR) rule to only allow Secrets Manager to be accessible from the Schematics service.
:exclamation: **Important:** In this example, only the IBM Secrets Manager instance complies with the IBM Cloud Framework for Financial Services. Other parts of the infrastructure do not necessarily comply.
diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf
index c2c0e9fe..4e2e2b9c 100644
--- a/examples/fscloud/main.tf
+++ b/examples/fscloud/main.tf
@@ -1,6 +1,7 @@
##############################################################################
# Resource Group
##############################################################################
+
module "resource_group" {
source = "terraform-ibm-modules/resource-group/ibm"
version = "1.3.0"
@@ -9,37 +10,33 @@ module "resource_group" {
existing_resource_group_name = var.resource_group
}
+
##############################################################################
-# Get Cloud Account ID
+# Create CBR Zone for Schematics
##############################################################################
data "ibm_iam_account_settings" "iam_account_settings" {
}
-##############################################################################
-# VPC
-##############################################################################
-resource "ibm_is_vpc" "vpc" {
- name = "${var.prefix}-vpc"
- resource_group = module.resource_group.resource_group_id
- tags = var.resource_tags
-}
-
-##############################################################################
-# Create CBR Zone
-##############################################################################
-module "cbr_zone" {
+module "cbr_zone_schematics" {
source = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
version = "1.33.2"
- name = "${var.prefix}-CBR-zone"
- zone_description = "CBR Network zone representing VPC"
+ name = "${var.prefix}-schematics-zone"
+ zone_description = "CBR Network zone containing Schematics"
account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
addresses = [{
- type = "vpc", # to bind a specific vpc to the zone
- value = ibm_is_vpc.vpc.crn,
+ type = "serviceRef",
+ ref = {
+ account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
+ service_name = "schematics"
+ }
}]
}
+##############################################################################
+# Event Notifications
+##############################################################################
+
module "event_notification" {
source = "terraform-ibm-modules/event-notifications/ibm"
version = "2.7.0"
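Review bot: The new `# Create CBR Zone for Schematics` header now sits directly above `data "ibm_iam_account_settings" "iam_account_settings"`, which only looks up the account ID, so the section label no longer matches the first block under it; keep a `# Get Cloud Account ID` header on the data source and start the zone section at `module "cbr_zone_schematics"`. Since the `serviceRef` address is scoped by `account_id` and `service_name = "schematics"`, a short comment stating the intended reach would also make the CBR intent explicit, e.g. `# Presumably only Schematics in this account can reach the instance; confirm against the CBR serviceRef semantics`. The `module "event_notification"` block at the end of the hunk continues outside it.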
@@ -47,7 +44,6 @@ module "event_notification" {
name = "${var.prefix}-en"
tags = var.resource_tags
plan = "lite"
- service_endpoints = "public"
region = var.region
}
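Review bot: Removing `service_endpoints = "public"` makes the Event Notifications instance inherit whatever the `event-notifications` module v2.7.0 defaults to, which is not visible in this diff, and the fscloud README change in the same commit drops the sentence about private-only endpoints. In an example presented as Financial Services aligned, the endpoint exposure should be stated rather than inherited: set `service_endpoints` explicitly to the intended value with a comment such as `# Endpoint exposure chosen deliberately for this example; EN itself is not claimed to be FS Cloud compliant`. The start of the `module "event_notification"` block is outside the hunk.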
@@ -65,6 +61,10 @@ locals {
kms_service = module.kms_key_crn_parser.service_name
}
+##############################################################################
+# Secrets Manager
+##############################################################################
+
module "secrets_manager" {
source = "../../modules/fscloud"
resource_group_id = module.resource_group.resource_group_id
@@ -76,7 +76,7 @@ module "secrets_manager" {
existing_en_instance_crn = module.event_notification.crn
cbr_rules = [
{
- description = "${var.prefix}-secrets-manager access only from vpc"
+ description = "${var.prefix}-secrets-manager access only from Schematics"
enforcement_mode = "enabled"
account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
rule_contexts = [{
@@ -87,7 +87,7 @@ module "secrets_manager" {
},
{
name = "networkZoneId"
- value = module.cbr_zone.zone_id
+ value = module.cbr_zone_schematics.zone_id
}]
}]
operations = [{
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 2bdc54f6..26b4d3e2 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -415,7 +415,7 @@
],
"optional": true,
"on_by_default": false,
- "version": "v3.0.7"
+ "version": "v3.0.23"
},
{
"name": "deploy-arch-ibm-kms",
@@ -447,7 +447,7 @@
],
"optional": true,
"on_by_default": true,
- "version": "v5.1.19"
+ "version": "v5.1.27"
},
{
"name": "deploy-arch-ibm-cloud-logs",
@@ -476,7 +476,7 @@
],
"optional": true,
"on_by_default": true,
- "version": "v1.6.11"
+ "version": "v1.6.28"
},
{
"name": "deploy-arch-ibm-cloud-monitoring",
@@ -509,7 +509,7 @@
],
"optional": true,
"on_by_default": true,
- "version": "v1.6.4"
+ "version": "v1.7.2"
},
{
"name": "deploy-arch-ibm-activity-tracker",
@@ -533,7 +533,7 @@
],
"optional": true,
"on_by_default": true,
- "version": "v1.2.25"
+ "version": "v1.2.34"
},
{
"name": "deploy-arch-ibm-event-notifications",
@@ -561,7 +561,7 @@
],
"optional": true,
"on_by_default": true,
- "version": "v2.6.11"
+ "version": "v2.7.2"
}
],
"dependency_version_2": true,
diff --git a/main.tf b/main.tf
index c19406f5..777b9a08 100644
--- a/main.tf
+++ b/main.tf
@@ -6,7 +6,7 @@
locals {
# Validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
# tflint-ignore: terraform_unused_declarations
- validate_is_hpcs_key = var.is_hpcs_key && local.kms_service_name != "hs-crypto" ? tobool("When is_hpcs_key is set to true then the key provided through kms_key_crn must be a Hyper Protect Crypto Services key") : true
+ validate_is_hpcs_key = var.existing_sm_instance_crn == null ? var.is_hpcs_key && local.kms_service_name != "hs-crypto" ? tobool("When is_hpcs_key is set to true then the key provided through kms_key_crn must be a Hyper Protect Crypto Services key") : true : true
}
locals {
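Review bot: The new `validate_is_hpcs_key` expression nests one conditional inside another without parentheses (`a ? b ? x : y : z`), which is hard to read and easy to mis-edit. The same check can be written as a single condition: `validate_is_hpcs_key = var.existing_sm_instance_crn == null && var.is_hpcs_key && local.kms_service_name != "hs-crypto" ? tobool("When is_hpcs_key is set to true then the key provided through kms_key_crn must be a Hyper Protect Crypto Services key") : true`. A short comment above it, e.g. `# Skipped when reusing an existing instance, since kms_key_crn is not applied in that case`, would record why the guard is bypassed.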
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 5d04b73b..a78aef11 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -68,13 +68,9 @@ variable "service_plan" {
type = string
description = "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)."
validation {
- condition = contains(["standard", "trial"], var.service_plan)
+ condition = var.existing_secrets_manager_crn == null ? contains(["standard", "trial"], var.service_plan) : true
error_message = "Only 'standard' and 'trial' are allowed values for 'service_plan'. Applies only if not providing a value for the 'existing_secrets_manager_crn' input."
}
- validation {
- condition = var.existing_secrets_manager_crn == null ? var.service_plan != null : true
- error_message = "A value for 'service_plan' is required if not providing a value for 'existing_secrets_manager_crn'"
- }
}
variable "skip_secrets_manager_iam_auth_policy" {
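Review bot: The second `validation` block (`var.service_plan != null` when no existing CRN is given) is deleted, but the remaining condition calls `contains(["standard", "trial"], var.service_plan)`, and Terraform's `contains` rejects a null `value` argument with a generic function error rather than the variable's error message; the variable's default is not shown in this hunk, so this only bites if a user passes `null` explicitly. The `security-enforced` solution receives the same one-line condition change but keeps its second `validation` block, so the two solutions now validate differently. Suggest keeping the null-check validation here so both solutions behave the same and report the clearer message.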
@@ -171,21 +167,11 @@ variable "kms_encryption_enabled" {
description = "Set to true to enable Secrets Manager Secrets Encryption using customer managed keys. When set to true, a value must be passed for either `existing_kms_instance_crn` or `existing_secrets_manager_kms_key_crn`. Cannot be set to true if passing a value for `existing_secrets_manager_crn`."
default = false
- validation {
- condition = var.kms_encryption_enabled ? var.existing_secrets_manager_crn == null : true
- error_message = "'kms_encryption_enabled' should be false if passing a value for 'existing_secrets_manager_crn'."
- }
-
validation {
condition = var.existing_secrets_manager_kms_key_crn != null ? var.kms_encryption_enabled : true
error_message = "If passing a value for 'existing_secrets_manager_kms_key_crn', you should set 'kms_encryption_enabled' to true."
}
- validation {
- condition = var.existing_kms_instance_crn != null ? var.kms_encryption_enabled : true
- error_message = "If passing a value for 'existing_kms_instance_crn', you should set 'kms_encryption_enabled' to true."
- }
-
validation {
condition = var.kms_encryption_enabled ? ((var.existing_kms_instance_crn != null || var.existing_secrets_manager_kms_key_crn != null) ? true : false) : true
error_message = "Either 'existing_kms_instance_crn' or `existing_secrets_manager_kms_key_crn` is required if 'kms_encryption_enabled' is set to true."
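Review bot: The `kms_encryption_enabled` description still says "Cannot be set to true if passing a value for `existing_secrets_manager_crn`", yet the validation that enforced exactly that is removed in this hunk, so the documented contract and the enforced one now disagree. Either restore the check or change the description to match the new behaviour, e.g. `Ignored when passing a value for \`existing_secrets_manager_crn\`.`, and do the same for the dropped `existing_kms_instance_crn` cross-check if that input is likewise meant to be ignored. The `variable "kms_encryption_enabled"` opening line is outside this hunk.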
@@ -204,11 +190,6 @@ variable "existing_kms_instance_crn" {
])
error_message = "The provided KMS instance CRN in the input 'existing_kms_instance_crn' in not valid."
}
-
- validation {
- condition = var.existing_kms_instance_crn != null ? var.existing_secrets_manager_crn == null : true
- error_message = "A value should not be passed for 'existing_kms_instance_crn' when passing an existing secrets manager instance using the 'existing_secrets_manager_crn' input."
- }
}
variable "kms_endpoint_type" {
diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf
index 3982a11c..4480eab2 100644
--- a/solutions/security-enforced/variables.tf
+++ b/solutions/security-enforced/variables.tf
@@ -57,7 +57,7 @@ variable "service_plan" {
type = string
description = "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)."
validation {
- condition = contains(["standard", "trial"], var.service_plan)
+ condition = var.existing_secrets_manager_crn == null ? contains(["standard", "trial"], var.service_plan) : true
error_message = "Only 'standard' and 'trial' are allowed values for 'service_plan'. Applies only if not providing a value for the 'existing_secrets_manager_crn' input."
}
validation {
@@ -146,11 +146,6 @@ variable "existing_kms_instance_crn" {
])
error_message = "The provided KMS instance CRN in the input 'existing_kms_instance_crn' in not valid."
}
-
- validation {
- condition = var.existing_kms_instance_crn != null ? var.existing_secrets_manager_crn == null : true
- error_message = "A value should not be passed for 'existing_kms_instance_crn' when passing an existing secrets manager instance using the 'existing_secrets_manager_crn' input."
- }
}
variable "kms_key_ring_name" {
diff --git a/tests/existing-resources/main.tf b/tests/existing-resources/main.tf
index 18459d96..4723fe52 100644
--- a/tests/existing-resources/main.tf
+++ b/tests/existing-resources/main.tf
@@ -35,15 +35,4 @@ module "key_protect" {
key_protect_instance_name = "${var.prefix}-key-protect"
resource_group_id = module.resource_group.resource_group_id
region = var.region
- keys = [
- {
- key_ring_name = "${var.prefix}-sm"
- keys = [
- {
- key_name = "${var.prefix}-sm-key"
- force_delete = true
- }
- ]
- }
- ]
}
diff --git a/tests/existing-resources/outputs.tf b/tests/existing-resources/outputs.tf
index c7665074..9f5ae4bc 100644
--- a/tests/existing-resources/outputs.tf
+++ b/tests/existing-resources/outputs.tf
@@ -8,11 +8,6 @@ output "resource_group_id" {
description = "Resource group ID"
}
-output "secrets_manager_kms_key_crn" {
- value = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn
- description = "CRN of created secret manager KMS key"
-}
-
output "secrets_manager_kms_instance_crn" {
value = module.key_protect.key_protect_id
description = "CRN of created secret manager KMS instance"
diff --git a/tests/new-resources/README.md b/tests/new-resources/README.md
deleted file mode 100644
index 790e3ba3..00000000
--- a/tests/new-resources/README.md
+++ /dev/null
@@ -1 +0,0 @@
-# Existing Resource Group For use in tests
diff --git a/tests/new-resources/main.tf b/tests/new-resources/main.tf
deleted file mode 100644
index 8030de0d..00000000
--- a/tests/new-resources/main.tf
+++ /dev/null
@@ -1,25 +0,0 @@
-##############################################################################
-# Resource Group
-##############################################################################
-
-module "resource_group" {
- source = "terraform-ibm-modules/resource-group/ibm"
- version = "1.3.0"
- # if an existing resource group is not set (null) create a new one using prefix
- resource_group_name = var.resource_group == null ? "${var.prefix}-resource-group" : null
- existing_resource_group_name = var.resource_group
-}
-
-##############################################################################
-# Secrets Manager
-##############################################################################
-
-module "secrets_manager" {
- count = var.provision_secrets_manager == true ? 1 : 0
- source = "../.."
- resource_group_id = module.resource_group.resource_group_id
- region = var.region
- secrets_manager_name = "${var.prefix}-tsm"
- sm_service_plan = "trial"
- skip_iam_authorization_policy = true
-}
diff --git a/tests/new-resources/outputs.tf b/tests/new-resources/outputs.tf
deleted file mode 100644
index 5baba608..00000000
--- a/tests/new-resources/outputs.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-output "resource_group_name" {
- value = module.resource_group.resource_group_name
- description = "Resource group name"
-}
-
-output "resource_group_id" {
- value = module.resource_group.resource_group_id
- description = "Resource group ID"
-}
-
-output "secrets_manager_crn" {
- value = var.provision_secrets_manager == true ? module.secrets_manager[0].secrets_manager_crn : null
- description = "CRN of the secrets manager instance"
-}
diff --git a/tests/new-resources/provider.tf b/tests/new-resources/provider.tf
deleted file mode 100644
index 4a12678d..00000000
--- a/tests/new-resources/provider.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-provider "ibm" {
- ibmcloud_api_key = var.ibmcloud_api_key
-}
diff --git a/tests/new-resources/variables.tf b/tests/new-resources/variables.tf
deleted file mode 100644
index d041bc29..00000000
--- a/tests/new-resources/variables.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-variable "ibmcloud_api_key" {
- type = string
- description = "The IBM Cloud API Key"
- sensitive = true
-}
-
-variable "prefix" {
- type = string
- description = "Prefix to append to all resources"
-}
-
-variable "resource_group" {
- type = string
- description = "The name of an existing resource group to provision resources in to. If not set a new resource group will be created using the prefix variable"
- default = null
-}
-
-variable "region" {
- type = string
- description = "Region"
-}
-
-variable "provision_secrets_manager" {
- type = bool
- description = "Set it to true to provision a secrets manager"
- default = false
-}
diff --git a/tests/new-resources/version.tf b/tests/new-resources/version.tf
deleted file mode 100644
index 8abdbce5..00000000
--- a/tests/new-resources/version.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-terraform {
- required_version = ">= 1.3.0"
- required_providers {
- ibm = {
- source = "ibm-cloud/ibm"
- version = ">= 1.79.0"
- }
- }
-}
diff --git a/tests/new-rg/README.md b/tests/new-rg/README.md
deleted file mode 100644
index 9afda9d8..00000000
--- a/tests/new-rg/README.md
+++ /dev/null
@@ -1 +0,0 @@
-The terraform code in this directory is used for by catalog pipeline
diff --git a/tests/new-rg/main.tf b/tests/new-rg/main.tf
deleted file mode 100644
index d58e7f97..00000000
--- a/tests/new-rg/main.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-##############################################################################
-# Resource Group
-##############################################################################
-
-module "resource_group" {
- source = "terraform-ibm-modules/resource-group/ibm"
- version = "1.3.0"
- # if an existing resource group is not set (null) create a new one using prefix
- resource_group_name = var.resource_group == null ? "${var.prefix}-resource-group" : null
- existing_resource_group_name = var.resource_group
-}
diff --git a/tests/new-rg/outputs.tf b/tests/new-rg/outputs.tf
deleted file mode 100644
index 7143446e..00000000
--- a/tests/new-rg/outputs.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-##############################################################################
-# Outputs
-##############################################################################
-
-output "resource_group_id" {
- value = module.resource_group.resource_group_id
- description = "Resource group ID."
-}
-
-output "resource_group_name" {
- value = module.resource_group.resource_group_name
- description = "Resource group name."
-}
diff --git a/tests/new-rg/provider.tf b/tests/new-rg/provider.tf
deleted file mode 100644
index 4a12678d..00000000
--- a/tests/new-rg/provider.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-provider "ibm" {
- ibmcloud_api_key = var.ibmcloud_api_key
-}
diff --git a/tests/new-rg/variables.tf b/tests/new-rg/variables.tf
deleted file mode 100644
index e8146795..00000000
--- a/tests/new-rg/variables.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-variable "ibmcloud_api_key" {
- type = string
- description = "The IBM Cloud API Key."
- sensitive = true
-}
-
-variable "prefix" {
- type = string
- description = "Prefix to append to all resources created by this example."
- default = "sm"
-}
-
-variable "resource_group" {
- type = string
- description = "The name of an existing resource group to provision resources in. If not specified, a new resource group is created with the `prefix` variable."
- default = null
-}
diff --git a/tests/new-rg/version.tf b/tests/new-rg/version.tf
deleted file mode 100644
index cb783436..00000000
--- a/tests/new-rg/version.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-terraform {
- required_version = ">= 1.9.0"
- required_providers {
- ibm = {
- source = "ibm-cloud/ibm"
- version = ">= 1.79.0"
- }
- }
-}
diff --git a/tests/other_test.go b/tests/other_test.go
index 7aba4f5f..135745d0 100644
--- a/tests/other_test.go
+++ b/tests/other_test.go
@@ -9,8 +9,7 @@ import (
"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testschematic"
)
-func TestRunBasicExample(t *testing.T) {
- t.Parallel()
+func setupOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptions {
var validRegions = []string{
"eu-de",
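Review bot: The local `var validRegions` at L835, now inside the shared setupOptions helper, shadows the package-level `validRegions` in pr_test.go, which this same commit narrows to `eu-de` alone with the note that Secrets Manager tests must not run in US regions; the local copy still lists `au-syd` (L838) plus whatever entries fall between the two hunks, so TestRunBasicExample can land in a region the package list deliberately excludes. other_test.go already uses `fscloudExampleTerraformDir` and `terraformVersion` from pr_test.go, so the package-level slice is in scope: delete the local declaration and keep `var region = validRegions[rand.Intn(len(validRegions))]` so there is a single list of sanctioned regions. setupOptions continues past the end of this hunk.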
@@ -18,22 +17,37 @@ func TestRunBasicExample(t *testing.T) {
"au-syd",
}
+ var region = validRegions[rand.Intn(len(validRegions))]
+
options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
Testing: t,
- TerraformDir: "examples/basic",
- Prefix: "secrets-mgr-def",
- Region: validRegions[rand.Intn(len(validRegions))],
+ TerraformDir: dir,
+ Prefix: prefix,
+ Region: region,
+ /*
+ Comment out the 'ResourceGroup' input to force this tests to create a unique resource group. This is because
+ there is a restriction with the Event Notification service, which allows only one Lite plan instance per resource group.
+ */
+ // ResourceGroup: resourceGroup,
})
+ return options
+}
+
+func TestRunBasicExample(t *testing.T) {
+ t.Parallel()
+
+ options := setupOptions(t, "sm-adv", "examples/basic")
+
output, err := options.RunTestConsistency()
assert.Nil(t, err, "This should not have errored")
assert.NotNil(t, output, "Expected some output")
}
-func TestRunCompleteExample(t *testing.T) {
+func TestRunAdvancedExample(t *testing.T) {
t.Parallel()
- options := setupOptions(t, "secrets-mgr", false)
+ options := setupOptions(t, "sm-adv", "examples/advanced")
// need to ignore because of a provider issue: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4719
options.IgnoreUpdates = testhelper.Exemptions{
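Review bot: TestRunBasicExample at L862 calls `setupOptions(t, "sm-adv", "examples/basic")`, reusing the advanced example's prefix while both tests run in parallel; even if the helper appends a random suffix, resources from the two examples are no longer distinguishable by name when something is left behind and has to be cleaned up by hand. Use a prefix that names the example, `options := setupOptions(t, "sm-basic", "examples/basic")`. The block comment at L850-L853 (copied again at L887-L890) reads "force this tests" — `this test` — and the rest of the file comments with `//`, so `// ResourceGroup is left unset on purpose: Event Notifications allows one Lite plan instance per resource group.` would say the same in the file's idiom and one line.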
@@ -41,6 +55,8 @@ func TestRunCompleteExample(t *testing.T) {
"module.code_engine_job.ibm_code_engine_job.ce_job",
},
}
+ // all tests using KMS should run in the same region https://github.ibm.com/GoldenEye/issues/issues/12725
+ options.Region = "eu-de"
output, err := options.RunTestConsistency()
assert.Nil(t, err, "This should not have errored")
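Review bot: `options.Region = "eu-de"` at L880 overwrites the region setupOptions just drew at random, so for this test the random draw and the local region list are dead work; passing the region into the helper, or having the helper read the package-level `validRegions` that pr_test.go already pins to `eu-de` for the same KMS reason, would state the constraint once instead of in a comment plus an override. The `IgnoreUpdates` exemption for `module.code_engine_job.ibm_code_engine_job.ce_job` (L876, context) and the provider-issue comment above it were written for the removed complete example; whether examples/advanced still contains that module is not visible here, and if it does not, the exemption is dead and should go with it. The function body continues outside the hunk.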
@@ -59,11 +75,16 @@ func TestFSCloudInSchematics(t *testing.T) {
"modules/fscloud/*.tf",
"modules/secrets/*.tf",
},
+ /*
+ Comment out the 'ResourceGroup' input to force this tests to create a unique resource group. This is because
+ there is a restriction with the Event Notification service, which allows only one Lite plan instance per resource group.
+ */
// ResourceGroup: resourceGroup,
TemplateFolder: fscloudExampleTerraformDir,
Tags: []string{"test-schematic"},
DeleteWorkspaceOnFail: false,
WaitJobCompleteMinutes: 60,
+ TerraformVersion: terraformVersion,
})
options.TerraformVars = []testschematic.TestSchematicTerraformVar{
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 03016786..661ac829 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -12,6 +12,7 @@ import (
"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/cloudinfo"
"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testaddons"
+ "github.com/IBM/go-sdk-core/v5/core"
"github.com/gruntwork-io/terratest/modules/files"
"github.com/gruntwork-io/terratest/modules/logger"
"github.com/gruntwork-io/terratest/modules/random"
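Review bot: The import added at L906 sits between the terraform-ibm-modules and gruntwork-io entries; if those lines form one import group (blank lines are not visible in this rendering), gofmt would move `github.com/IBM/go-sdk-core/v5/core` to the top of the group, so the file should be gofmt'd before merging. The package is used only for `core.BoolPtr(true)` in the addon dependency configs; if go-sdk-core is not already a direct requirement in go.mod, a local `func boolPtr(b bool) *bool { return &b }` avoids promoting an indirect dependency to a direct one for a single helper.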
@@ -19,28 +20,22 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/common"
- "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testschematic"
)
-const completeExampleTerraformDir = "examples/complete"
+/*
+Global variables
+*/
const fscloudExampleTerraformDir = "examples/fscloud"
const fullyConfigurableTerraformDir = "solutions/fully-configurable"
const securityEnforcedTerraformDir = "solutions/security-enforced"
-
const resourceGroup = "geretain-test-secrets-manager"
-
-// Define a struct with fields that match the structure of the YAML data
const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-resources.yaml"
+const terraformVersion = "terraform_v1.10" // This should match the version in the ibm_catalog.json
var permanentResources map[string]interface{}
-
-// Current supported Event Notification regions
var validRegions = []string{
- // "us-south", # do not run secrets manager tests in us regions
"eu-de", // all tests using KMS should run in the same region https://github.ibm.com/GoldenEye/issues/issues/12725
- // "eu-gb",
- // "au-syd",
}
// TestMain will be run before any parallel tests, used to read data from yaml for use with tests
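Review bot: `const terraformVersion = "terraform_v1.10"` at L929 duplicates a value that, per its own comment, lives in ibm_catalog.json, and nothing checks that the two agree — the Schematics tests will keep passing on a Terraform version the catalog entry no longer declares. TestMain already parses a YAML file into `permanentResources`, so reading the version out of ibm_catalog.json there (or asserting equality with this constant) would remove the manual sync; failing that, the comment should say which field in ibm_catalog.json must be updated together with it. The three-line `/* Global variables */` block at L918-L920 is a heading; `// Global variables` is the file's idiom for comments, and the removed `// Current supported Event Notification regions` line above `validRegions` was useful context worth keeping.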
@@ -55,220 +50,11 @@ func TestMain(m *testing.M) {
os.Exit(m.Run())
}
-func setupOptions(t *testing.T, prefix string, checkApplyResultForUpgrade bool) *testhelper.TestOptions {
- options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
- Testing: t,
- TerraformDir: completeExampleTerraformDir,
- Prefix: prefix,
- Region: validRegions[rand.Intn(len(validRegions))],
- CheckApplyResultForUpgrade: checkApplyResultForUpgrade,
- /*
- Comment out the 'ResourceGroup' input to force this tests to create a unique resource group. This is because
- there is a restriction with the Event Notification service, which allows only one Lite plan instance per resource group.
- */
- // ResourceGroup: resourceGroup,
- })
-
- return options
-}
-
-func TestRunFullyConfigurableSchematics(t *testing.T) {
- t.Parallel()
-
- // Set up a schematics test
- options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
- Testing: t,
- TarIncludePatterns: []string{
- "*.tf",
- fmt.Sprintf("%s/*.tf", fullyConfigurableTerraformDir),
- fmt.Sprintf("%s/*.tf", fscloudExampleTerraformDir),
- fmt.Sprintf("%s/*.tf", "modules/secrets"),
- fmt.Sprintf("%s/*.tf", "modules/fscloud"),
- },
- TemplateFolder: fullyConfigurableTerraformDir,
- ResourceGroup: resourceGroup,
- Prefix: "sm-fc",
- Tags: []string{"test-schematic"},
- DeleteWorkspaceOnFail: false,
- WaitJobCompleteMinutes: 60,
- })
-
- options.TerraformVars = []testschematic.TestSchematicTerraformVar{
- {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
- {Name: "prefix", Value: options.Prefix, DataType: "string"},
- {Name: "region", Value: validRegions[rand.Intn(len(validRegions))], DataType: "string"},
- {Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"},
- {Name: "service_plan", Value: "trial", DataType: "string"},
- }
-
- err := options.RunSchematicTest()
- assert.NoError(t, err, "Schematic Test had unexpected error")
-}
-
-func TestRunExistingResourcesInstancesFullyConfigurable(t *testing.T) {
- t.Parallel()
-
- // ------------------------------------------------------------------------------------
- // Provision Event Notification, KMS key and resource group first
- // ------------------------------------------------------------------------------------
- region := validRegions[rand.Intn(len(validRegions))]
- prefix := fmt.Sprintf("sm-exist-%s", strings.ToLower(random.UniqueId()))
- realTerraformDir := ".."
- tempTerraformDir, _ := files.CopyTerraformFolderToTemp(realTerraformDir, fmt.Sprintf(prefix+"-%s", strings.ToLower(random.UniqueId())))
- tags := common.GetTagsFromTravis()
-
- // Verify ibmcloud_api_key variable is set
- checkVariable := "TF_VAR_ibmcloud_api_key"
- val, present := os.LookupEnv(checkVariable)
- require.True(t, present, checkVariable+" environment variable not set")
- require.NotEqual(t, "", val, checkVariable+" environment variable is empty")
- logger.Log(t, "Tempdir: ", tempTerraformDir)
- existingTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
- TerraformDir: tempTerraformDir + "/tests/existing-resources",
- Vars: map[string]interface{}{
- "prefix": prefix,
- "region": region,
- "resource_tags": tags,
- },
- // Set Upgrade to true to ensure latest version of providers and modules are used by terratest.
- // This is the same as setting the -upgrade=true flag with terraform.
- Upgrade: true,
- })
-
- terraform.WorkspaceSelectOrNew(t, existingTerraformOptions, prefix)
- _, existErr := terraform.InitAndApplyE(t, existingTerraformOptions)
- if existErr != nil {
- assert.True(t, existErr == nil, "Init and Apply of temp existing resource failed")
- } else {
-
- // ------------------------------------------------------------------------------------
- // Test passing existing RG, EN, and KMS key
- // ------------------------------------------------------------------------------------
- options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
- Testing: t,
- TarIncludePatterns: []string{
- "*.tf",
- fmt.Sprintf("%s/*.tf", fullyConfigurableTerraformDir),
- fmt.Sprintf("%s/*.tf", "modules/secrets"),
- fmt.Sprintf("%s/*.tf", "modules/fscloud"),
- },
- TemplateFolder: fullyConfigurableTerraformDir,
- ResourceGroup: resourceGroup,
- Prefix: "ex-fc",
- Tags: []string{"test-schematic"},
- DeleteWorkspaceOnFail: false,
- WaitJobCompleteMinutes: 60,
- })
-
- options.TerraformVars = []testschematic.TestSchematicTerraformVar{
- {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
- {Name: "prefix", Value: options.Prefix, DataType: "string"},
- {Name: "region", Value: region, DataType: "string"},
- {Name: "existing_resource_group_name", Value: terraform.Output(t, existingTerraformOptions, "resource_group_name"), DataType: "string"},
- {Name: "existing_event_notifications_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "event_notifications_instance_crn"), DataType: "string"},
- {Name: "existing_secrets_manager_kms_key_crn", Value: terraform.Output(t, existingTerraformOptions, "secrets_manager_kms_key_crn"), DataType: "string"},
- {Name: "kms_encryption_enabled", Value: true, DataType: "bool"},
- {Name: "service_plan", Value: "trial", DataType: "string"},
- }
-
- err := options.RunSchematicTest()
- assert.NoError(t, err, "Schematic Test had unexpected error")
- }
-
- // Check if "DO_NOT_DESTROY_ON_FAILURE" is set
- envVal, _ := os.LookupEnv("DO_NOT_DESTROY_ON_FAILURE")
- // Destroy the temporary existing resources if required
- if t.Failed() && strings.ToLower(envVal) == "true" {
- fmt.Println("Terratest failed. Debug the test and delete resources manually.")
- } else {
- logger.Log(t, "START: Destroy (existing resources)")
- terraform.Destroy(t, existingTerraformOptions)
- terraform.WorkspaceDelete(t, existingTerraformOptions, prefix)
- logger.Log(t, "END: Destroy (existing resources)")
- }
-}
-
-func TestRunExistingSMInstanceFullyConfigurable(t *testing.T) {
+func TestRunSecurityEnforced(t *testing.T) {
t.Parallel()
// ------------------------------------------------------------------------------------
- // Provision new RG
- // ------------------------------------------------------------------------------------
- region := validRegions[rand.Intn(len(validRegions))]
- prefix := fmt.Sprintf("ex-scm-%s", strings.ToLower(random.UniqueId()))
- realTerraformDir := ".."
- tempTerraformDir, _ := files.CopyTerraformFolderToTemp(realTerraformDir, fmt.Sprintf(prefix+"-%s", strings.ToLower(random.UniqueId())))
-
- // Verify ibmcloud_api_key variable is set
- checkVariable := "TF_VAR_ibmcloud_api_key"
- val, present := os.LookupEnv(checkVariable)
- require.True(t, present, checkVariable+" environment variable not set")
- require.NotEqual(t, "", val, checkVariable+" environment variable is empty")
- logger.Log(t, "Tempdir: ", tempTerraformDir)
- existingTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
- TerraformDir: tempTerraformDir + "/tests/new-resources",
- Vars: map[string]interface{}{
- "prefix": prefix,
- "region": region,
- "provision_secrets_manager": true,
- },
- // Set Upgrade to true to ensure latest version of providers and modules are used by terratest.
- // This is the same as setting the -upgrade=true flag with terraform.
- Upgrade: true,
- })
-
- terraform.WorkspaceSelectOrNew(t, existingTerraformOptions, prefix)
- _, existErr := terraform.InitAndApplyE(t, existingTerraformOptions)
- if existErr != nil {
- assert.True(t, existErr == nil, "Init and Apply of new resources failed failed")
- } else {
- options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
- Testing: t,
- TarIncludePatterns: []string{
- "*.tf",
- fmt.Sprintf("%s/*.tf", fullyConfigurableTerraformDir),
- fmt.Sprintf("%s/*.tf", "modules/secrets"),
- fmt.Sprintf("%s/*.tf", "modules/fscloud"),
- },
- TemplateFolder: fullyConfigurableTerraformDir,
- ResourceGroup: resourceGroup,
- Prefix: "ex-scm",
- Tags: []string{"test-schematic"},
- DeleteWorkspaceOnFail: false,
- WaitJobCompleteMinutes: 60,
- })
-
- options.TerraformVars = []testschematic.TestSchematicTerraformVar{
- {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
- {Name: "prefix", Value: options.Prefix, DataType: "string"},
- {Name: "region", Value: validRegions[rand.Intn(len(validRegions))], DataType: "string"},
- {Name: "existing_resource_group_name", Value: terraform.Output(t, existingTerraformOptions, "resource_group_name"), DataType: "string"},
- {Name: "existing_secrets_manager_crn", Value: terraform.Output(t, existingTerraformOptions, "secrets_manager_crn"), DataType: "string"},
- {Name: "service_plan", Value: "trial", DataType: "string"},
- }
-
- err := options.RunSchematicTest()
- assert.NoError(t, err, "Schematic Test had unexpected error")
- }
-
- // Check if "DO_NOT_DESTROY_ON_FAILURE" is set
- envVal, _ := os.LookupEnv("DO_NOT_DESTROY_ON_FAILURE")
- // Destroy the temporary existing resources if required
- if t.Failed() && strings.ToLower(envVal) == "true" {
- fmt.Println("Terratest failed. Debug the test and delete resources manually.")
- } else {
- logger.Log(t, "START: Destroy (existing resources)")
- terraform.Destroy(t, existingTerraformOptions)
- terraform.WorkspaceDelete(t, existingTerraformOptions, prefix)
- logger.Log(t, "END: Destroy (existing resources)")
- }
-}
-
-func TestRunSecurityEnforcedSchematics(t *testing.T) {
- t.Parallel()
-
- // ------------------------------------------------------------------------------------
- // Provision new RG
+ // Provision new RG, Event Notifications and Key Protect instance + root key
// ------------------------------------------------------------------------------------
prefix := fmt.Sprintf("sm-se-%s", strings.ToLower(random.UniqueId()))
realTerraformDir := ".."
@@ -281,9 +67,10 @@ func TestRunSecurityEnforcedSchematics(t *testing.T) {
require.NotEqual(t, "", val, checkVariable+" environment variable is empty")
logger.Log(t, "Tempdir: ", tempTerraformDir)
existingTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
- TerraformDir: tempTerraformDir + "/tests/new-rg",
+ TerraformDir: tempTerraformDir + "/tests/existing-resources",
Vars: map[string]interface{}{
"prefix": prefix,
+ "region": validRegions[rand.Intn(len(validRegions))],
},
// Set Upgrade to true to ensure latest version of providers and modules are used by terratest.
// This is the same as setting the -upgrade=true flag with terraform.
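Review bot: The `"region"` passed to the prerequisite apply at L1169 and the `region` TerraformVar handed to the security-enforced DA at L1189 are two independent `rand.Intn` draws; they only coincide today because `validRegions` has a single entry, and the KMS instance and Event Notifications CRNs taken from the prerequisite outputs at L1193-L1194 are region-bound, so adding a second region later would silently produce a cross-region deployment. Draw once into a local, `region := validRegions[rand.Intn(len(validRegions))]`, and use `"region": region` in both places. The same pair exists in the upgrade test at L1213 and L1240. TestRunSecurityEnforced begins and ends outside this hunk.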
@@ -305,7 +92,6 @@ func TestRunSecurityEnforcedSchematics(t *testing.T) {
fmt.Sprintf("%s/*.tf", fullyConfigurableTerraformDir),
fmt.Sprintf("%s/*.tf", fscloudExampleTerraformDir),
fmt.Sprintf("%s/*.tf", "modules/secrets"),
- fmt.Sprintf("%s/*.tf", "modules/fscloud"),
},
TemplateFolder: securityEnforcedTerraformDir,
ResourceGroup: resourceGroup,
@@ -313,6 +99,7 @@ func TestRunSecurityEnforcedSchematics(t *testing.T) {
Tags: []string{"test-schematic"},
DeleteWorkspaceOnFail: false,
WaitJobCompleteMinutes: 60,
+ TerraformVersion: terraformVersion,
})
options.TerraformVars = []testschematic.TestSchematicTerraformVar{
@@ -321,7 +108,8 @@ func TestRunSecurityEnforcedSchematics(t *testing.T) {
{Name: "region", Value: validRegions[rand.Intn(len(validRegions))], DataType: "string"},
{Name: "existing_resource_group_name", Value: terraform.Output(t, existingTerraformOptions, "resource_group_name"), DataType: "string"},
{Name: "service_plan", Value: "trial", DataType: "string"},
- {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
+ {Name: "existing_kms_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "secrets_manager_kms_instance_crn"), DataType: "string"},
+ {Name: "existing_event_notifications_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "event_notifications_instance_crn"), DataType: "string"},
}
err := options.RunSchematicTest()
assert.NoError(t, err, "Schematic Test had unexpected error")
@@ -340,7 +128,7 @@ func TestRunSecurityEnforcedSchematics(t *testing.T) {
}
}
-func TestRunSecretsManagerSecurityEnforcedUpgradeSchematic(t *testing.T) {
+func TestRunSecurityEnforcedUpgrade(t *testing.T) {
t.Parallel()
// ------------------------------------------------------------------------------------
@@ -357,9 +145,10 @@ func TestRunSecretsManagerSecurityEnforcedUpgradeSchematic(t *testing.T) {
require.NotEqual(t, "", val, checkVariable+" environment variable is empty")
logger.Log(t, "Tempdir: ", tempTerraformDir)
existingTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
- TerraformDir: tempTerraformDir + "/tests/new-rg",
+ TerraformDir: tempTerraformDir + "/tests/existing-resources",
Vars: map[string]interface{}{
"prefix": prefix,
+ "region": validRegions[rand.Intn(len(validRegions))],
},
// Set Upgrade to true to ensure latest version of providers and modules are used by terratest.
// This is the same as setting the -upgrade=true flag with terraform.
@@ -379,14 +168,15 @@ func TestRunSecretsManagerSecurityEnforcedUpgradeSchematic(t *testing.T) {
fmt.Sprintf("%s/*.tf", securityEnforcedTerraformDir),
fmt.Sprintf("%s/*.tf", fullyConfigurableTerraformDir),
fmt.Sprintf("%s/*.tf", "modules/secrets"),
- fmt.Sprintf("%s/*.tf", "modules/fscloud"),
},
- TemplateFolder: securityEnforcedTerraformDir,
- ResourceGroup: resourceGroup,
- Prefix: "sm-se-ug",
- Tags: []string{"test-schematic"},
- DeleteWorkspaceOnFail: false,
- WaitJobCompleteMinutes: 60,
+ TemplateFolder: securityEnforcedTerraformDir,
+ ResourceGroup: resourceGroup,
+ Prefix: "sm-se-ug",
+ Tags: []string{"test-schematic"},
+ DeleteWorkspaceOnFail: false,
+ WaitJobCompleteMinutes: 60,
+ CheckApplyResultForUpgrade: true,
+ TerraformVersion: terraformVersion,
})
options.TerraformVars = []testschematic.TestSchematicTerraformVar{
@@ -395,7 +185,8 @@ func TestRunSecretsManagerSecurityEnforcedUpgradeSchematic(t *testing.T) {
{Name: "region", Value: validRegions[rand.Intn(len(validRegions))], DataType: "string"},
{Name: "existing_resource_group_name", Value: terraform.Output(t, existingTerraformOptions, "resource_group_name"), DataType: "string"},
{Name: "service_plan", Value: "trial", DataType: "string"},
- {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
+ {Name: "existing_kms_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "secrets_manager_kms_instance_crn"), DataType: "string"},
+ {Name: "existing_event_notifications_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "event_notifications_instance_crn"), DataType: "string"},
}
err := options.RunSchematicUpgradeTest()
@@ -418,7 +209,7 @@ func TestRunSecretsManagerSecurityEnforcedUpgradeSchematic(t *testing.T) {
}
-func TestSecretsManagerDefaultConfiguration(t *testing.T) {
+func TestAddonsDefaultConfiguration(t *testing.T) {
t.Parallel()
options := testaddons.TestAddonsOptionsDefault(&testaddons.TestAddonOptions{
@@ -433,36 +224,82 @@ func TestSecretsManagerDefaultConfiguration(t *testing.T) {
"deploy-arch-ibm-secrets-manager",
"fully-configurable",
map[string]interface{}{
- "prefix": options.Prefix,
- "region": validRegions[rand.Intn(len(validRegions))],
- "enable_platform_metrics": "false", // Disable platform metrics for addon tests
- "service_plan": "standard",
+ "prefix": options.Prefix,
+ "region": validRegions[rand.Intn(len(validRegions))],
+ "service_plan": "trial",
},
)
+ // Disable target / route creation to prevent hitting quota in account
+ options.AddonConfig.Dependencies = []cloudinfo.AddonConfig{
+ {
+ OfferingName: "deploy-arch-ibm-cloud-monitoring",
+ OfferingFlavor: "fully-configurable",
+ Inputs: map[string]interface{}{
+ "enable_metrics_routing_to_cloud_monitoring": false,
+ },
+ Enabled: core.BoolPtr(true),
+ },
+ {
+ OfferingName: "deploy-arch-ibm-activity-tracker",
+ OfferingFlavor: "fully-configurable",
+ Inputs: map[string]interface{}{
+ "enable_activity_tracker_event_routing_to_cos_bucket": false,
+ "enable_activity_tracker_event_routing_to_cloud_logs": false,
+ },
+ Enabled: core.BoolPtr(true),
+ },
+ }
+
err := options.RunAddonTest()
require.NoError(t, err)
}
-// TestDependencyPermutations runs dependency permutations for the Secrets Manager and all its dependencies
-func TestDependencyPermutations(t *testing.T) {
- t.Skip() // skipping permutations test until we do a refactor
+func TestAddonsExistingSecretsManager(t *testing.T) {
+ t.Parallel()
options := testaddons.TestAddonsOptionsDefault(&testaddons.TestAddonOptions{
- Testing: t,
- Prefix: "sm-perm",
- AddonConfig: cloudinfo.AddonConfig{
- OfferingName: "deploy-arch-ibm-secrets-manager",
+ Testing: t,
+ Prefix: "extsm",
+ ResourceGroup: resourceGroup,
+ QuietMode: true, // Suppress logs except on failure
+ })
+
+ options.AddonConfig = cloudinfo.NewAddonConfigTerraform(
+ options.Prefix,
+ "deploy-arch-ibm-secrets-manager",
+ "fully-configurable",
+ map[string]interface{}{
+ "prefix": options.Prefix,
+ "region": permanentResources["privateOnlySecMgrRegion"],
+ "existing_secrets_manager_crn": permanentResources["privateOnlySecMgrCRN"],
+ "service_plan": "__NULL__", // Plan not needed if using existing instance
+ "skip_secrets_manager_iam_auth_policy": true, // Skip s2s auth policy for IAM engine - it already exists for the existing Secrets Manager instance
+ "secret_groups": []string{}, // Don't create any secret groups in existing instance (The default 'General' group already exists)
+ },
+ )
+
+ // Disable target / route creation to prevent hitting quota in account
+ options.AddonConfig.Dependencies = []cloudinfo.AddonConfig{
+ {
+ OfferingName: "deploy-arch-ibm-cloud-monitoring",
OfferingFlavor: "fully-configurable",
Inputs: map[string]interface{}{
- "prefix": "sm-perm",
- "region": validRegions[rand.Intn(len(validRegions))],
- "existing_resource_group_name": resourceGroup,
- "service_plan": "standard",
+ "enable_metrics_routing_to_cloud_monitoring": false,
},
+ Enabled: core.BoolPtr(true),
},
- })
+ {
+ OfferingName: "deploy-arch-ibm-activity-tracker",
+ OfferingFlavor: "fully-configurable",
+ Inputs: map[string]interface{}{
+ "enable_activity_tracker_event_routing_to_cos_bucket": false,
+ "enable_activity_tracker_event_routing_to_cloud_logs": false,
+ },
+ Enabled: core.BoolPtr(true),
+ },
+ }
- err := options.RunAddonPermutationTest()
- assert.NoError(t, err, "Dependency permutation test should not fail")
+ err := options.RunAddonTest()
+ require.NoError(t, err)
}
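Review bot: `permanentResources["privateOnlySecMgrRegion"]` and `permanentResources["privateOnlySecMgrCRN"]` at L1313-L1314 are untyped map lookups; if either key is missing from common-permanent-resources.yaml the value is nil and the addon is submitted with a null region and a null `existing_secrets_manager_crn`, which surfaces as an opaque Schematics failure (or, at worst, a deployment that no longer exercises the existing-instance path) rather than an early, readable error. Guard each key before building the config, e.g. `require.Contains(t, permanentResources, "privateOnlySecMgrCRN", "permanent resource missing from yaml")`. The `Dependencies` slice at L1268-L1286 is repeated verbatim at L1322-L1345; a package-level helper returning the two routing-disabled dependency configs would keep both tests in step when those flags change.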
diff --git a/tests/scripts/post-validate.sh b/tests/scripts/post-validate.sh
deleted file mode 100755
index f5808710..00000000
--- a/tests/scripts/post-validate.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#! /bin/bash
-
-########################################################################################################################
-## This script is used by the catalog pipeline to destroy prerequisite resource required for catalog validation ##
-########################################################################################################################
-
-set -e
-
-TERRAFORM_SOURCE_DIR="tests/new-rg"
-TF_VARS_FILE="terraform.tfvars"
-
-(
- cd ${TERRAFORM_SOURCE_DIR}
- echo "Destroying resource group .."
- terraform destroy -input=false -auto-approve -var-file=${TF_VARS_FILE} || exit 1
- rm -f "${TF_VARS_FILE}"
-
- echo "Post-validation completed successfully"
-)
diff --git a/tests/scripts/pre-validate.sh b/tests/scripts/pre-validate.sh
deleted file mode 100755
index 709a2785..00000000
--- a/tests/scripts/pre-validate.sh
+++ /dev/null
@@ -1,38 +0,0 @@
-#! /bin/bash
-
-############################################################################################################
-## This script is used by the catalog pipeline to provision a new resource group
-## (required to ensure auth policies don't clash in account)
-############################################################################################################
-
-set -e
-
-DA_DIR="${1}"
-TERRAFORM_SOURCE_DIR="tests/new-rg"
-JSON_FILE="${DA_DIR}/catalogValidationValues.json"
-TF_VARS_FILE="terraform.tfvars"
-
-(
- cwd=$(pwd)
- cd ${TERRAFORM_SOURCE_DIR}
- echo "Provisioning new resource group .."
- terraform init || exit 1
- # $VALIDATION_APIKEY is available in the catalog runtime
- {
- echo "ibmcloud_api_key=\"${VALIDATION_APIKEY}\""
- echo "prefix=\"ocp-$(openssl rand -hex 2)\""
- } >> ${TF_VARS_FILE}
- terraform apply -input=false -auto-approve -var-file=${TF_VARS_FILE} || exit 1
-
- rg_var_name="existing_resource_group_name"
- rg_value=$(terraform output -state=terraform.tfstate -raw resource_group_name)
-
- echo "Appending '${rg_var_name}', input variable value to ${JSON_FILE}.."
-
- cd "${cwd}"
- jq -r --arg rg_var_name "${rg_var_name}" \
- --arg rg_value "${rg_value}" \
- '. + {($rg_var_name): $rg_value}' "${JSON_FILE}" > tmpfile && mv tmpfile "${JSON_FILE}" || exit 1
-
- echo "Pre-validation complete successfully"
-)
diff --git a/variables.tf b/variables.tf
index 182a854e..02d234da 100644
--- a/variables.tf
+++ b/variables.tf
@@ -22,7 +22,7 @@ variable "sm_service_plan" {
description = "The Secrets Manager plan to provision."
default = "standard"
validation {
- condition = contains(["standard", "trial"], var.sm_service_plan)
+ condition = var.existing_sm_instance_crn == null ? contains(["standard", "trial"], var.sm_service_plan) : true
error_message = "The specified `sm_service_plan` is not valid. Possible values are `standard` or `trial`."
}
}
@@ -72,8 +72,8 @@ variable "kms_key_crn" {
}
validation {
- condition = var.kms_encryption_enabled == true && var.kms_key_crn == null ? false : true
- error_message = "When setting `var.kms_encryption_enabled` to `tru`e, a value must be passed for `var.kms_key_crn`."
+ condition = var.existing_sm_instance_crn == null ? var.kms_encryption_enabled == true && var.kms_key_crn == null ? false : true : true
+ error_message = "When setting `var.kms_encryption_enabled` to `true`, a value must be passed for `var.kms_key_crn`."
}
}
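Review bot: The new condition at L1438 nests a ternary inside a ternary with no parentheses, which is hard to read and easy to mis-edit; the same predicate as a flat boolean is `condition = var.existing_sm_instance_crn != null || !var.kms_encryption_enabled || var.kms_key_crn != null`. The error_message at L1439 still states the rule unconditionally; appending "unless an existing instance is passed via `existing_sm_instance_crn`" would describe the new behaviour.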