Identity of the apikey created in prereq

[in-1911]

When using the module with create_ibmcloud_api_key = true, the new apikey always assumes the identity of the credentials used to run the terraform. In a context of Cloud Project that may lead to unintended results, especially when using trusted profiles authorization.

terraform-ibm-devsecops-alm/prereqs/main.tf

Line 86 in 869f353

payload = (var.iam_api_key_secret == "") ? ibm_iam_api_key.iam_api_key[0].apikey : var.iam_api_key_secret

The credentials / identity designated for the pipelines may need to be different from the one used to deploy the ALM components.

It would be helpful if the user can supply a combination of parameters to use one of the following options:

• A service ID that the new apikey should be generated for.
• A literal value of the apikey (separate form the one used for deployment or provider configuration). E.g. Cloud Projects can reference a secret in a secrets manager, which would be resolved to the secret value when validating / deploying. The prereq module seems to have a parameter for that but it's not exposed at the top level.
• A new apikey for the identity used with the provider (current behavior)

[padraic-edwards]

Will consider including additional variables to parameterize the creation of the API key for use in the pipeline.