fix(deps): update DA dependencies + example / tests cleanup

README.md

@@ -19,8 +19,8 @@ This module is used to provision and configure an IBM Cloud [Secrets Manager](ht
     * [fscloud](./modules/fscloud)
     * [secrets](./modules/secrets)
 * [Examples](./examples)
+    * [Advanced example](./examples/advanced)
     * [Basic example](./examples/basic)
-    * [Complete example with BYOK encryption](./examples/complete)
     * [Financial Services Cloud profile example with KYOK encryption](./examples/fscloud)
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->

examples/advanced/README.md

@@ -0,0 +1,14 @@
+# Advanced example
+
+An example that configures:
+
+- A new resource group if one is not passed in.
+- A new Key Protect instance and root key
+- A new Event Notifications instance
+- An s2s auth policy to allow Secrets Manager to manage Event Notifications service credentials
+- A new Secretes Manager instance
+- A new secret group with a new Event Notifications service credential secret and an arbitrary secret
+- A new arbitrary secret in the default secret group
+- A sample code engine project that builds a code engine job and outputs User IBM Cloud IAM API Keys
+- A custom credential engine using the code engine project
+- A custom credential secret

examples/complete/main.tf → examples/advanced/main.tf

@@ -1,3 +1,7 @@
+##############################################################################
+# Resource group
+##############################################################################
+
 module "resource_group" {
   source  = "terraform-ibm-modules/resource-group/ibm"
   version = "1.3.0"
@@ -6,6 +10,10 @@ module "resource_group" {
   existing_resource_group_name = var.resource_group
 }
 
+##############################################################################
+# Key Protect instance and root key
+##############################################################################
+
 module "key_protect" {
   source                    = "terraform-ibm-modules/kms-all-inclusive/ibm"
   version                   = "5.1.25"
@@ -25,7 +33,11 @@ module "key_protect" {
   ]
 }
 
-module "event_notification" {
+##############################################################################
+# Event Notifications
+##############################################################################
+
+module "event_notifications" {
   source            = "terraform-ibm-modules/event-notifications/ibm"
   version           = "2.7.0"
   resource_group_id = module.resource_group.resource_group_id
@@ -35,14 +47,13 @@ module "event_notification" {
   region            = var.en_region
 }
 
+# s2s auth policy required for Secrets Manager to manage Event Notifications service credentials
 resource "ibm_iam_authorization_policy" "en_policy" {
   source_service_name         = "secrets-manager"
   roles                       = ["Key Manager"]
   target_service_name         = "event-notifications"
-  target_resource_instance_id = module.event_notification.guid
-  description                 = "Allow the Secret manager Key Manager role access to event-notifications with guid ${module.event_notification.guid}."
-  # Scope of policy now includes the key, so ensure to create new policy before
-  # destroying old one to prevent any disruption to every day services.
+  target_resource_instance_id = module.event_notifications.guid
+  description                 = "Grant Secret Manager a 'Key Manager' role to the Event Notifications instance ${module.event_notifications.guid} for managing service credentials."
   lifecycle {
     create_before_destroy = true
   }
@@ -53,6 +64,10 @@ resource "time_sleep" "wait_for_en_policy" {
   create_duration = "30s"
 }
 
+##############################################################################
+# Secrets Manager
+##############################################################################
+
 module "secrets_manager" {
   depends_on                = [time_sleep.wait_for_en_policy]
   source                    = "../.."
@@ -65,30 +80,29 @@ module "secrets_manager" {
   is_hpcs_key               = false
   kms_key_crn               = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn
   enable_event_notification = true
-  existing_en_instance_crn  = module.event_notification.crn
+  existing_en_instance_crn  = module.event_notifications.crn
   secrets = [
+    # Example creating new secrets group with secrets in it
     {
       secret_group_name = "${var.prefix}-secret-group"
-      secrets = [{
-        secret_name             = "${var.prefix}-kp-key-crn"
-        secret_type             = "arbitrary"
-        secret_payload_password = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn
-        },
+      secrets = [
+        # Example creating Event Notifications service credential secret
         {
-          # Arbitrary service credential for source service event notifications, with role Event-Notification-Publisher
           secret_name                                 = "${var.prefix}-service-credential"
           secret_type                                 = "service_credentials" #checkov:skip=CKV_SECRET_6
-          secret_description                          = "Created by secrets-manager-module complete example"
-          service_credentials_source_service_crn      = module.event_notification.crn
+          secret_description                          = "Created by secrets-manager-module advanced example"
+          service_credentials_source_service_crn      = module.event_notifications.crn
           service_credentials_source_service_role_crn = "crn:v1:bluemix:public:event-notifications::::serviceRole:Event-Notification-Publisher"
         },
+        # Example creating arbitrary secret
         {
-          secret_name             = "${var.prefix}-custom-service-credential"
+          secret_name             = "${var.prefix}-arbitrary-example"
           secret_type             = "arbitrary"
           secret_payload_password = var.ibmcloud_api_key
         }
       ]
     },
+    # Example creating secret in existing secret group
     {
       secret_group_name     = "default"
       existing_secret_group = true
@@ -103,18 +117,19 @@ module "secrets_manager" {
 }
 
 ##############################################################################
-# Code Engine Project
+# Code Engine configuration
+# (required to use create a custom credential)
 ##############################################################################
+
+# Create new code engine project
 module "code_engine_project" {
   source            = "terraform-ibm-modules/code-engine/ibm//modules/project"
   version           = "4.5.13"
   name              = "${var.prefix}-project"
   resource_group_id = module.resource_group.resource_group_id
 }
 
-##############################################################################
-# Code Engine Secret
-##############################################################################
+# Create new code engine secret
 locals {
   registry_hostname = "private.de.icr.io"
   output_image      = "${local.registry_hostname}/${resource.ibm_cr_namespace.rg_namespace.name}/custom-engine-job"
@@ -133,19 +148,13 @@ module "code_engine_secret" {
   }
 }
 
-##############################################################################
-# Container Registry Namespace
-##############################################################################
+# Create new Container Registry namespace
 resource "ibm_cr_namespace" "rg_namespace" {
   name              = "${var.prefix}-crn"
   resource_group_id = module.resource_group.resource_group_id
 }
 
-##############################################################################
-# Code Engine Build
-##############################################################################
-
-# For example the region is hardcoded to us-south in order to hardcode the output image and region for creating Code Engine Project and build
+# Build example Go application in Code Engine project which dynamically generates User IBM Cloud IAM API Keys
 module "code_engine_build" {
   source                     = "terraform-ibm-modules/code-engine/ibm//modules/build"
   version                    = "4.5.13"
@@ -161,10 +170,7 @@ module "code_engine_build" {
   output_image               = local.output_image
 }
 
-##############################################################################
-# Code Engine Job
-##############################################################################
-
+# Pull the sample job config from github
 data "http" "job_config" {
   url = "https://raw.githubusercontent.com/IBM/secrets-manager-custom-credentials-providers/refs/heads/main/ibmcloud-iam-user-apikey-provider-go/job_config.json"
   request_headers = {
@@ -176,6 +182,7 @@ locals {
   job_env_variables = jsondecode(data.http.job_config.response_body).job_env_variables
 }
 
+# Run the Code Engine job
 module "code_engine_job" {
   depends_on      = [module.code_engine_build]
   source          = "terraform-ibm-modules/code-engine/ibm//modules/job"
@@ -194,7 +201,7 @@ module "code_engine_job" {
 }
 
 ##############################################################################
-# Custom Credential Engine and secret
+# Create Custom Credential engine
 ##############################################################################
 
 module "custom_credential_engine" {
@@ -213,8 +220,12 @@ module "custom_credential_engine" {
   iam_credential_secret_name    = "${var.prefix}-test-iam-secret"
 }
 
-# Currently the main module cannot be called again as some of the count for resources depends on a computable input existing_en_instance_crn which will give error if the value is not available during planning
-# As a workaround the secret manager secret is directly being created via module call
+##############################################################################
+# Create Custom Credential secret
+# (using secrets-manager-secret to create the custom credential secret as it
+#  can only be done after the Custom Credential engine is configured)
+##############################################################################
+
 module "secret_manager_custom_credential" {
   depends_on                        = [module.secrets_manager, module.custom_credential_engine]
   source                            = "terraform-ibm-modules/secrets-manager-secret/ibm"

examples/fscloud/README.md

@@ -2,16 +2,13 @@
 
 An end-to-end example that uses the [Profile for IBM Cloud Framework for Financial Services](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/modules/fscloud) to deploy a private only Secrets-Manager instance with KYOK encryption
 
-This examples handles the provisioning of Secrets-Manager instance, the IAM engine configuration in the recently created instance and a context-based restriction (CBR) rule to only allow Secret Manager to be accessible from within the VPC..
-
-Only private service endpoints are enabled, public are disabled. Secrets Manager instances that are private only do not offer a UI management experience.
-The example uses the IBM Cloud Terraform provider to create the following infrastructure:
+The example creates the following infrastructure:
 
 - A resource group, if one is not passed in.
-- A sample virtual private cloud (VPC).
-- A sample event notification service.
-- A secrets manager instance.
-- A context-based restriction (CBR) rule to only allow Secrets Manager to be accessible from within the VPC.
+- A CBR zone for Schematics
+- An Event Notifications instance.
+- A Secrets Manager instance.
+- A context-based restriction (CBR) rule to only allow Secrets Manager to be accessible from the Schematics service.
 
 :exclamation: **Important:** In this example, only the IBM Secrets Manager instance complies with the IBM Cloud Framework for Financial Services. Other parts of the infrastructure do not necessarily comply.
 

examples/fscloud/main.tf

@@ -1,6 +1,7 @@
 ##############################################################################
 # Resource Group
 ##############################################################################
+
 module "resource_group" {
   source  = "terraform-ibm-modules/resource-group/ibm"
   version = "1.3.0"
@@ -9,45 +10,40 @@ module "resource_group" {
   existing_resource_group_name = var.resource_group
 }
 
+
 ##############################################################################
-# Get Cloud Account ID
+# Create CBR Zone for Schematics
 ##############################################################################
 
 data "ibm_iam_account_settings" "iam_account_settings" {
 }
 
-##############################################################################
-# VPC
-##############################################################################
-resource "ibm_is_vpc" "vpc" {
-  name           = "${var.prefix}-vpc"
-  resource_group = module.resource_group.resource_group_id
-  tags           = var.resource_tags
-}
-
-##############################################################################
-# Create CBR Zone
-##############################################################################
-module "cbr_zone" {
+module "cbr_zone_schematics" {
   source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
   version          = "1.33.2"
-  name             = "${var.prefix}-CBR-zone"
-  zone_description = "CBR Network zone representing VPC"
+  name             = "${var.prefix}-schematics-zone"
+  zone_description = "CBR Network zone containing Schematics"
   account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
   addresses = [{
-    type  = "vpc", # to bind a specific vpc to the zone
-    value = ibm_is_vpc.vpc.crn,
+    type = "serviceRef",
+    ref = {
+      account_id   = data.ibm_iam_account_settings.iam_account_settings.account_id
+      service_name = "schematics"
+    }
   }]
 }
 
+##############################################################################
+# Event Notifications
+##############################################################################
+
 module "event_notification" {
   source            = "terraform-ibm-modules/event-notifications/ibm"
   version           = "2.7.0"
   resource_group_id = module.resource_group.resource_group_id
   name              = "${var.prefix}-en"
   tags              = var.resource_tags
   plan              = "lite"
-  service_endpoints = "public"
   region            = var.region
 }
 
@@ -65,6 +61,10 @@ locals {
   kms_service = module.kms_key_crn_parser.service_name
 }
 
+##############################################################################
+# Secrets Manager
+##############################################################################
+
 module "secrets_manager" {
   source                   = "../../modules/fscloud"
   resource_group_id        = module.resource_group.resource_group_id
@@ -76,7 +76,7 @@ module "secrets_manager" {
   existing_en_instance_crn = module.event_notification.crn
   cbr_rules = [
     {
-      description      = "${var.prefix}-secrets-manager access only from vpc"
+      description      = "${var.prefix}-secrets-manager access only from Schematics"
       enforcement_mode = "enabled"
       account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
       rule_contexts = [{
@@ -87,7 +87,7 @@ module "secrets_manager" {
           },
           {
             name  = "networkZoneId"
-            value = module.cbr_zone.zone_id
+            value = module.cbr_zone_schematics.zone_id
         }]
       }]
       operations = [{