.github/workflows/ci.yml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   call-terraform-ci-pipeline:
-    uses: terraform-ibm-modules/common-pipeline-assets/.github/workflows/common-terraform-module-ci-v2.yml@v1.22.3
+    uses: terraform-ibm-modules/common-pipeline-assets/.github/workflows/common-terraform-module-ci-v2.yml@v1.22.5
     secrets: inherit
     with:
       craSCCv2: true

.github/workflows/release.yml

@@ -8,5 +8,5 @@ on:
 
 jobs:
   call-terraform-release-pipeline:
-    uses: terraform-ibm-modules/common-pipeline-assets/.github/workflows/common-release.yml@v1.22.3
+    uses: terraform-ibm-modules/common-pipeline-assets/.github/workflows/common-release.yml@v1.22.5
     secrets: inherit

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-12-09T07:19:06Z",
+  "generated_at": "2025-01-28T11:35:27Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -82,7 +82,7 @@
         "hashed_secret": "ff9ee043d85595eb255c05dfe32ece02a53efbb2",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 15,
+        "line_number": 17,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -92,7 +92,7 @@
         "hashed_secret": "2a66dd6b2184e0722c4f448eaac79a1897987a30",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 20,
+        "line_number": 21,
         "type": "Secret Keyword",
         "verified_result": null
       }

README.md

@@ -9,6 +9,8 @@
 
 This module creates a secret group in an IBM Cloud Secrets Manager instance. For more information, see [Best practices for organizing secrets and assigning access](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-best-practices-organize-secrets#best-practices-secret-groups).
 
+![Secrets Manager secret group module](./images/sm_secret-group.svg)
+
 ## Usage
 ```hcl
 provider "ibm" {
@@ -44,7 +46,7 @@ You need the following permissions to run this module.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
-| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.51.0, <2.0.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.76.0, <2.0.0 |
 
 ### Modules
 
@@ -77,6 +79,7 @@ No modules.
 ## Examples
 
 - [ Basic example](examples/basic)
+- [ Private-Only Secret Manager example](examples/private)
 <!-- END EXAMPLES HOOK -->
 
 <!-- BEGIN CONTRIBUTING HOOK -->

cra-config.yaml

@@ -9,3 +9,4 @@ CRA_TARGETS:
     # SCC_INSTANCE_ID: "" # The SCC instance ID to use to download profile for CRA scan. If not provided, a default global value will be used.
     # SCC_REGION: "" # The IBM Cloud region that the SCC instance is in. If not provided, a default global value will be used.
     # PROFILE_ID: "" # The Profile ID input for CRA SCC scan. If not provided, a default global value will be used.
+    PROFILE_ID: "fe96bd4d-9b37-40f2-b39f-a62760e326a3"         # SCC profile ID (currently set to 'IBM Cloud Framework for Financial Services' '1.7.0' profile).

examples/basic/main.tf

@@ -1,5 +1,5 @@
 locals {
-  sm_guid   = var.existing_sm_instance_guid == null ? ibm_resource_instance.secrets_manager[0].guid : var.existing_sm_instance_guid
+  sm_guid   = var.existing_sm_instance_guid == null ? module.secrets_manager[0].secrets_manager_guid : var.existing_sm_instance_guid
   sm_region = var.existing_sm_instance_region == null ? var.region : var.existing_sm_instance_region
 }
 
@@ -9,7 +9,7 @@ locals {
 
 module "resource_group" {
   source  = "terraform-ibm-modules/resource-group/ibm"
-  version = "1.1.5"
+  version = "1.1.6"
   # if an existing resource group is not set (null) create a new one using prefix
   resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
   existing_resource_group_name = var.resource_group
@@ -19,17 +19,15 @@ module "resource_group" {
 ## Create prerequisite.  Secrets Manager and Secret Group
 ##################################################################
 
-resource "ibm_resource_instance" "secrets_manager" {
-  count             = var.existing_sm_instance_guid == null ? 1 : 0
-  name              = "${var.prefix}-sm-instance"
-  service           = "secrets-manager"
-  plan              = var.sm_service_plan
-  location          = var.region
-  resource_group_id = module.resource_group.resource_group_id
-  tags              = var.resource_tags
-  timeouts {
-    create = "20m" # Extending provisioning time to 20 minutes
-  }
+module "secrets_manager" {
+  count                = var.existing_sm_instance_guid != null ? 0 : 1
+  source               = "terraform-ibm-modules/secrets-manager/ibm"
+  version              = "1.25.1"
+  secrets_manager_name = "${var.prefix}-sm-instance"
+  sm_service_plan      = var.sm_service_plan
+  region               = local.sm_region
+  resource_group_id    = module.resource_group.resource_group_id
+  sm_tags              = var.resource_tags
 }
 
 ##################################################################

examples/basic/version.tf

@@ -4,7 +4,7 @@ terraform {
     # Pin to the lowest provider version of the range defined in the main module to ensure lowest version still works
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = "1.51.0"
+      version = "1.76.0"
     }
   }
 }

examples/private/README.md

@@ -0,0 +1,9 @@
+# Private-Only Secret Manager example
+
+An end-to-end example that uses a private-only Secret Manager. This example uses the IBM Cloud terraform provider to:
+ - Create a new resource group if one is not passed in.
+ - Create a new secrets manager if one is not passed in.
+ - Create a new secrets manager group and private secret engine if existing secrets manager is not passed in.
+ - Create a new private certifcate inside a secrets manager.
+
+<!-- Add your example and link to it from the module's main readme file. -->

examples/private/main.tf

@@ -0,0 +1,55 @@
+##################################################################
+## Create RG
+##################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.6"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##################################################################
+## Create prerequisite.  Secrets Manager and Secret Group
+##################################################################
+
+locals {
+  validate_sm_region_cnd = var.existing_sm_instance_crn != null && var.existing_sm_instance_region == null
+  validate_sm_region_msg = "existing_sm_instance_region must also be set when value given for existing_sm_instance_guid."
+  # tflint-ignore: terraform_unused_declarations
+  validate_sm_region_chk = regex(
+    "^${local.validate_sm_region_msg}$",
+    (!local.validate_sm_region_cnd
+      ? local.validate_sm_region_msg
+  : ""))
+
+  sm_region = var.existing_sm_instance_region == null ? var.region : var.existing_sm_instance_region
+}
+
+module "secrets_manager" {
+  source                   = "terraform-ibm-modules/secrets-manager/ibm"
+  version                  = "1.25.1"
+  existing_sm_instance_crn = var.existing_sm_instance_crn
+  resource_group_id        = module.resource_group.resource_group_id
+  region                   = local.sm_region
+  secrets_manager_name     = "${var.prefix}-sm"
+  sm_service_plan          = "trial"
+  allowed_network          = "private-only"
+  endpoint_type            = "private"
+  sm_tags                  = var.resource_tags
+}
+
+##################################################################
+## Example creating secret group
+##################################################################
+
+module "secrets_manager_group_acct" {
+  source               = "../.."
+  region               = local.sm_region
+  secrets_manager_guid = module.secrets_manager.secrets_manager_guid
+  #tfsec:ignore:general-secrets-no-plaintext-exposure
+  secret_group_name        = "${var.prefix}-example-group"    #checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
+  secret_group_description = "secret group used for examples" #tfsec:ignore:general-secrets-no-plaintext-exposure
+  endpoint_type            = "private"
+}

examples/private/outputs.tf

@@ -0,0 +1,10 @@
+##############################################################################
+# Outputs
+##############################################################################
+
+output "secret_group_id" {
+  description = "ID of the created Secret Group"
+  value       = module.secrets_manager_group_acct.secret_group_id
+}
+
+##############################################################################

examples/private/provider.tf

@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}

examples/private/variables.tf

@@ -0,0 +1,41 @@
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API Token"
+  sensitive   = true
+}
+
+variable "region" {
+  type        = string
+  description = "Region to deploy resources in"
+  default     = "us-south"
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix for name of all resource created by this example"
+  default     = "test-sm-sg"
+}
+
+variable "resource_group" {
+  type        = string
+  description = "An existing resource group name to use for this example, if unset a new resource group will be created"
+  default     = null
+}
+
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
+}
+
+variable "existing_sm_instance_crn" {
+  type        = string
+  description = "An existing Secrets Manager instance CRN. If not provided an new instance will be provisioned."
+  default     = null
+}
+
+variable "existing_sm_instance_region" {
+  type        = string
+  description = "The region of the existing Secrets Manager instance. Only required if value is passed into var.existing_sm_instance_guid"
+  default     = null
+}

examples/private/version.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    # Pin to the lowest provider version of the range defined in the main module to ensure lowest version still works
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = "1.76.0"
+    }
+  }
+}

ibm_catalog.json

@@ -8,7 +8,8 @@
         "dev_ops",
         "target_terraform",
         "terraform",
-        "module"
+        "module",
+        "ibm_created"
       ],
       "keywords": [
         "terraform",