feat: The DA has been locked down to only support private only instances. So the existing_secrets_endpoint_type and allowed_network inputs have been removed. (#259)

Author: Aayush-Abhyarthi

common-dev-assets

@@ -153,19 +153,6 @@
                 }
               ]
             },
-            {
-              "key": "allowed_network",
-              "options": [
-                {
-                  "displayname": "Public and private",
-                  "value": "public-and-private"
-                },
-                {
-                  "displayname": "Private only",
-                  "value": "private-only"
-                }
-              ]
-            },
             {
               "key": "secret_manager_tags"
             },
@@ -217,6 +204,24 @@
             {
               "key": "skip_kms_iam_authorization_policy"
             },
+            {
+              "key": "enable_event_notification"
+            },
+            {
+              "key": "existing_secrets_manager_crn"
+            },
+            {
+              "key": "ibmcloud_kms_api_key"
+            },
+            {
+              "key": "sm_en_email_list"
+            },
+            {
+              "key": "sm_en_from_email"
+            },
+            {
+              "key": "sm_en_reply_to_email"
+            },
             {
               "key": "existing_secrets_manager_kms_key_crn"
             },

ibm_catalog.json

@@ -51,13 +51,15 @@ No resources.
 | <a name="input_enable_event_notification"></a> [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` variable. | `bool` | `false` | no |
 | <a name="input_existing_en_instance_crn"></a> [existing\_en\_instance\_crn](#input\_existing\_en\_instance\_crn) | The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance. | `string` | `null` | no |
 | <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Hyper Protect Crypto Services instance in which the key specified in `kms_key_crn` is coming from. | `string` | n/a | yes |
+| <a name="input_existing_sm_instance_crn"></a> [existing\_sm\_instance\_crn](#input\_existing\_sm\_instance\_crn) | The CRN of an existing Secrets Manager instance. If not supplied, a new instance is created. | `string` | `null` | no |
 | <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of Hyper Protect Crypto Services (HPCS) that you want to use for encryption. | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The region to provision the Secrets Manager instance to. | `string` | n/a | yes |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group to provision the Secrets Manager instance to. | `string` | n/a | yes |
 | <a name="input_secrets"></a> [secrets](#input\_secrets) | Secret Manager secrets configurations. | <pre>list(object({<br/>    secret_group_name        = string<br/>    secret_group_description = optional(string)<br/>    existing_secret_group    = optional(bool, false)<br/>    secrets = optional(list(object({<br/>      secret_name                                 = string<br/>      secret_description                          = optional(string)<br/>      secret_type                                 = optional(string)<br/>      imported_cert_certificate                   = optional(string)<br/>      imported_cert_private_key                   = optional(string)<br/>      imported_cert_intermediate                  = optional(string)<br/>      secret_username                             = optional(string)<br/>      secret_labels                               = optional(list(string), [])<br/>      secret_payload_password                     = optional(string, "")<br/>      secret_auto_rotation                        = optional(bool, true)<br/>      secret_auto_rotation_unit                   = optional(string, "day")<br/>      secret_auto_rotation_interval               = optional(number, 89)<br/>      service_credentials_ttl                     = optional(string, "7776000") # 90 days<br/>      service_credentials_source_service_crn      = optional(string)<br/>      service_credentials_source_service_role_crn = optional(string)<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_secrets_manager_name"></a> [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name to give the Secrets Manager instance. | `string` | n/a | yes |
 | <a name="input_service_plan"></a> [service\_plan](#input\_service\_plan) | The Secrets Manager plan to provision. | `string` | `"standard"` | no |
 | <a name="input_skip_en_iam_authorization_policy"></a> [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false. | `bool` | `false` | no |
+| <a name="input_skip_kms_iam_authorization_policy"></a> [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no |
 | <a name="input_sm_tags"></a> [sm\_tags](#input\_sm\_tags) | The list of resource tags that you want to associate with your Secrets Manager instance. | `list(string)` | `[]` | no |
 
 ### Outputs

modules/fscloud/README.md

@@ -1,18 +1,20 @@
 module "secrets_manager" {
-  source                           = "../.."
-  resource_group_id                = var.resource_group_id
-  region                           = var.region
-  secrets_manager_name             = var.secrets_manager_name #tfsec:ignore:general-secrets-no-plaintext-exposure
-  sm_service_plan                  = var.service_plan
-  sm_tags                          = var.sm_tags
-  allowed_network                  = "private-only"
-  endpoint_type                    = "private"
-  kms_encryption_enabled           = true
-  existing_kms_instance_guid       = var.existing_kms_instance_guid
-  enable_event_notification        = var.enable_event_notification
-  existing_en_instance_crn         = var.existing_en_instance_crn
-  skip_en_iam_authorization_policy = var.skip_en_iam_authorization_policy
-  kms_key_crn                      = var.kms_key_crn
-  cbr_rules                        = var.cbr_rules
-  secrets                          = var.secrets
+  source                            = "../.."
+  resource_group_id                 = var.resource_group_id
+  region                            = var.region
+  secrets_manager_name              = var.secrets_manager_name #tfsec:ignore:general-secrets-no-plaintext-exposure
+  existing_sm_instance_crn          = var.existing_sm_instance_crn
+  sm_service_plan                   = var.service_plan
+  sm_tags                           = var.sm_tags
+  allowed_network                   = "private-only"
+  endpoint_type                     = "private"
+  kms_encryption_enabled            = true
+  existing_kms_instance_guid        = var.existing_kms_instance_guid
+  enable_event_notification         = var.enable_event_notification
+  existing_en_instance_crn          = var.existing_en_instance_crn
+  skip_en_iam_authorization_policy  = var.skip_en_iam_authorization_policy
+  skip_kms_iam_authorization_policy = var.skip_kms_iam_authorization_policy
+  kms_key_crn                       = var.kms_key_crn
+  cbr_rules                         = var.cbr_rules
+  secrets                           = var.secrets
 }

modules/fscloud/main.tf

@@ -29,6 +29,18 @@ variable "sm_tags" {
   default     = []
 }
 
+variable "existing_sm_instance_crn" {
+  type        = string
+  description = "The CRN of an existing Secrets Manager instance. If not supplied, a new instance is created."
+  default     = null
+}
+
+variable "skip_kms_iam_authorization_policy" {
+  type        = bool
+  description = "Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account."
+  default     = false
+}
+
 ##############################################################################
 # Key Management Service (KMS)
 ##############################################################################

modules/fscloud/variables.tf

@@ -1,8 +1,3 @@
-moved {
-  from = ibm_iam_authorization_policy.policy
-  to   = ibm_iam_authorization_policy.kms_policy
-}
-
 moved {
   from = ibm_resource_instance.secrets_manager_instance
   to   = ibm_resource_instance.secrets_manager_instance[0]

moved.tf

@@ -97,29 +97,25 @@ locals {
   secrets_manager_guid                = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[7] : null) : module.secrets_manager.secrets_manager_guid
   secrets_manager_crn                 = var.existing_secrets_manager_crn != null ? var.existing_secrets_manager_crn : module.secrets_manager.secrets_manager_crn
   secrets_manager_region              = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[5] : null) : module.secrets_manager.secrets_manager_region
-  sm_endpoint_type                    = var.existing_secrets_manager_crn != null ? var.existing_secrets_endpoint_type : var.allowed_network == "private-only" ? "private" : "public"
 }
 
 module "secrets_manager" {
   depends_on               = [time_sleep.wait_for_authorization_policy]
-  source                   = "../.."
+  source                   = "../../modules/fscloud"
   existing_sm_instance_crn = var.existing_secrets_manager_crn
   resource_group_id        = var.existing_secrets_manager_crn == null ? module.resource_group[0].resource_group_id : data.ibm_resource_instance.existing_sm[0].resource_group_id
   region                   = var.region
   secrets_manager_name     = try("${local.prefix}-${var.secrets_manager_instance_name}", var.secrets_manager_instance_name)
-  sm_service_plan          = var.service_plan
-  allowed_network          = var.allowed_network
+  service_plan             = var.service_plan
   sm_tags                  = var.secret_manager_tags
   # kms dependency
-  kms_encryption_enabled            = true
   existing_kms_instance_guid        = local.existing_kms_guid
   kms_key_crn                       = local.kms_key_crn
   skip_kms_iam_authorization_policy = var.skip_kms_iam_authorization_policy || local.create_cross_account_auth_policy
   # event notifications dependency
   enable_event_notification        = var.enable_event_notification
   existing_en_instance_crn         = var.existing_event_notification_instance_crn
   skip_en_iam_authorization_policy = var.skip_event_notification_iam_authorization_policy
-  endpoint_type                    = local.sm_endpoint_type
   cbr_rules                        = var.cbr_rules
 }
 
@@ -131,7 +127,7 @@ module "iam_secrets_engine" {
   region               = local.secrets_manager_region
   iam_engine_name      = try("${local.prefix}-${var.iam_engine_name}", var.iam_engine_name)
   secrets_manager_guid = local.secrets_manager_guid
-  endpoint_type        = local.sm_endpoint_type
+  endpoint_type        = "private"
 }
 
 locals {
@@ -157,7 +153,7 @@ module "secrets_manager_public_cert_engine" {
   dns_config_name              = var.dns_provider_name
   ca_config_name               = var.ca_name
   acme_letsencrypt_private_key = var.acme_letsencrypt_private_key
-  service_endpoints            = local.sm_endpoint_type
+  service_endpoints            = "private"
 }
 
 
@@ -173,7 +169,7 @@ module "private_secret_engine" {
   root_ca_max_ttl           = var.root_ca_max_ttl
   intermediate_ca_name      = var.intermediate_ca_name
   certificate_template_name = var.certificate_template_name
-  endpoint_type             = local.sm_endpoint_type
+  endpoint_type             = "private"
 }
 
 data "ibm_resource_instance" "existing_sm" {

solutions/standard/main.tf

@@ -0,0 +1,14 @@
+moved {
+  from = module.secrets_manager.ibm_resource_instance.secrets_manager_instance
+  to   = module.secrets_manager.module.secrets_manager.ibm_resource_instance.secrets_manager_instance
+}
+
+moved {
+  from = module.secrets_manager.ibm_iam_authorization_policy.kms_policy
+  to   = module.secrets_manager.module.secrets_manager.ibm_iam_authorization_policy.kms_policy
+}
+
+moved {
+  from = module.secrets_manager.time_sleep.wait_for_authorization_policy
+  to   = module.secrets_manager.module.secrets_manager.time_sleep.wait_for_authorization_policy
+}

solutions/standard/moved.tf

@@ -58,16 +58,6 @@ variable "existing_secrets_manager_crn" {
   default     = null
 }
 
-variable "existing_secrets_endpoint_type" {
-  type        = string
-  description = "The endpoint type to use if existing_secrets_manager_crn is specified. Possible values: public, private."
-  default     = "private"
-  validation {
-    condition     = contains(["public", "private"], var.existing_secrets_endpoint_type)
-    error_message = "Only \"public\" and \"private\" are allowed values for 'existing_secrets_endpoint_type'."
-  }
-}
-
 variable "service_plan" {
   type        = string
   description = "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. Applies only if `provision_sm_instance` is set to `true`."
@@ -78,16 +68,6 @@ variable "service_plan" {
   }
 }
 
-variable "allowed_network" {
-  type        = string
-  description = "The types of service endpoints to set on the Secrets Manager instance. Possible values: `private-only`, `public-and-private`."
-  default     = "private-only"
-  validation {
-    condition     = contains(["private-only", "public-and-private"], var.allowed_network)
-    error_message = "The specified allowed_network is not a valid selection."
-  }
-}
-
 variable "secret_manager_tags" {
   type        = list(any)
   description = "The list of resource tags you want to associate with your Secrets Manager instance."

solutions/standard/variables.tf

@@ -47,16 +47,3 @@ module "key_protect" {
     }
   ]
 }
-
-##############################################################################
-# Secrets Manager
-##############################################################################
-
-module "secrets_manager" {
-  source               = "../.."
-  resource_group_id    = module.resource_group.resource_group_id
-  region               = var.region
-  secrets_manager_name = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure
-  sm_service_plan      = "trial"
-  sm_tags              = var.resource_tags
-}

tests/existing-resources/main.tf

@@ -22,8 +22,3 @@ output "event_notification_instance_crn" {
   value       = module.event_notifications.crn
   description = "CRN of created event notification"
 }
-
-output "secrets_manager_instance_crn" {
-  value       = module.secrets_manager.secrets_manager_crn
-  description = "CRN of created secret manager instance"
-}

tests/existing-resources/outputs.tf

@@ -93,8 +93,14 @@ func TestRunDASolutionSchematics(t *testing.T) {
 
 	// Set up a schematics test
 	options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
-		Testing:                t,
-		TarIncludePatterns:     []string{"*.tf", fmt.Sprintf("%s/*.tf", solutionsTerraformDir), "modules/secrets/*.tf"},
+		Testing: t,
+		TarIncludePatterns: []string{
+			"*.tf",
+			fmt.Sprintf("%s/*.tf", solutionsTerraformDir),
+			fmt.Sprintf("%s/*.tf", fscloudExampleTerraformDir),
+			fmt.Sprintf("%s/*.tf", "modules/secrets"),
+			fmt.Sprintf("%s/*.tf", "modules/fscloud"),
+		},
 		TemplateFolder:         solutionsTerraformDir,
 		ResourceGroup:          resourceGroup,
 		Prefix:                 "sm-da",
@@ -182,65 +188,41 @@ func TestRunExistingResourcesInstances(t *testing.T) {
 		assert.True(t, existErr == nil, "Init and Apply of temp existing resource failed")
 	} else {
 
-		// ------------------------------------------------------------------------------------
-		// Test passing an existing SM, RG, EN
-		// ------------------------------------------------------------------------------------
-
-		options := testhelper.TestOptionsDefault(&testhelper.TestOptions{
-			Testing:      t,
-			TerraformDir: solutionsTerraformDir,
-			// Do not hard fail the test if the implicit destroy steps fail to allow a full destroy of resource to occur
-			ImplicitRequired: false,
-			TerraformVars: map[string]interface{}{
-				"ibmcloud_api_key":                         os.Getenv("TF_VAR_ibmcloud_api_key"),
-				"region":                                   region,
-				"resource_group_name":                      terraform.Output(t, existingTerraformOptions, "resource_group_name"),
-				"use_existing_resource_group":              true,
-				"enable_event_notification":                true,
-				"existing_event_notification_instance_crn": terraform.Output(t, existingTerraformOptions, "event_notification_instance_crn"),
-				"existing_secrets_manager_crn":             terraform.Output(t, existingTerraformOptions, "secrets_manager_instance_crn"),
-				"iam_engine_enabled":                       true,
-				"private_engine_enabled":                   true,
-				"existing_secrets_endpoint_type":           "public",
-				"provider_visibility":                      "public",
-			},
-		})
-
-		output, err := options.RunTestConsistency()
-		assert.Nil(t, err, "This should not have errored")
-		assert.NotNil(t, output, "Expected some output")
-
 		// ------------------------------------------------------------------------------------
 		// Test passing existing RG, EN, and KMS key
 		// ------------------------------------------------------------------------------------
-
-		options2 := testhelper.TestOptionsDefault(&testhelper.TestOptions{
-			Testing:      t,
-			TerraformDir: solutionsTerraformDir,
-			// Do not hard fail the test if the implicit destroy steps fail to allow a full destroy of resource to occur
-			ImplicitRequired: false,
-			TerraformVars: map[string]interface{}{
-				"ibmcloud_api_key":                         os.Getenv("TF_VAR_ibmcloud_api_key"),
-				"region":                                   region,
-				"resource_group_name":                      terraform.Output(t, existingTerraformOptions, "resource_group_name"),
-				"use_existing_resource_group":              true,
-				"enable_event_notification":                true,
-				"existing_event_notification_instance_crn": terraform.Output(t, existingTerraformOptions, "event_notification_instance_crn"),
-				"existing_secrets_manager_kms_key_crn":     terraform.Output(t, existingTerraformOptions, "secrets_manager_kms_key_crn"),
-				"existing_kms_instance_crn":                terraform.Output(t, existingTerraformOptions, "secrets_manager_kms_instance_crn"),
-				"service_plan":                             "trial",
-				"iam_engine_enabled":                       true,
-				"private_engine_enabled":                   true,
-				"existing_secrets_endpoint_type":           "public",
-				"provider_visibility":                      "public",
-				"allowed_network":                          "public-and-private",
+		options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
+			Testing: t,
+			TarIncludePatterns: []string{
+				"*.tf",
+				fmt.Sprintf("%s/*.tf", solutionsTerraformDir),
+				fmt.Sprintf("%s/*.tf", "modules/secrets"),
+				fmt.Sprintf("%s/*.tf", "modules/fscloud"),
 			},
+			TemplateFolder:         solutionsTerraformDir,
+			ResourceGroup:          resourceGroup,
+			Tags:                   []string{"test-schematic"},
+			DeleteWorkspaceOnFail:  false,
+			WaitJobCompleteMinutes: 60,
 		})
 
-		output2, err := options2.RunTestConsistency()
-		assert.Nil(t, err, "This should not have errored")
-		assert.NotNil(t, output2, "Expected some output")
-
+		options.TerraformVars = []testschematic.TestSchematicTerraformVar{
+			{Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true},
+			{Name: "region", Value: validRegions[rand.Intn(len(validRegions))], DataType: "string"},
+			{Name: "resource_group_name", Value: terraform.Output(t, existingTerraformOptions, "resource_group_name"), DataType: "string"},
+			{Name: "use_existing_resource_group", Value: true, DataType: "bool"},
+			{Name: "enable_event_notification", Value: true, DataType: "bool"},
+			{Name: "existing_event_notification_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "event_notification_instance_crn"), DataType: "string"},
+			{Name: "existing_secrets_manager_kms_key_crn", Value: permanentResources["hpcs_south_root_key_crn"], DataType: "string"},
+			{Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
+			{Name: "service_plan", Value: "trial", DataType: "string"},
+			{Name: "iam_engine_enabled", Value: true, DataType: "bool"},
+			{Name: "private_engine_enabled", Value: true, DataType: "bool"},
+			{Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
+		}
+
+		err := options.RunSchematicTest()
+		assert.NoError(t, err, "Schematic Test had unexpected error")
 	}
 
 	// Check if "DO_NOT_DESTROY_ON_FAILURE" is set