From 53b325e091f137e07e2fd39a998f680c8b2f8920 Mon Sep 17 00:00:00 2001
From: shemau
Date: Fri, 24 Jan 2025 15:31:41 +0000
Subject: [PATCH 1/2] fix: service credentials source service role

---
 solutions/standard/DA-types.md | 12 ++++--------
 solutions/standard/main.tf | 22 +++++++++++-----------
 solutions/standard/variables.tf | 25 ++++++++++++-------------
 tests/pr_test.go | 8 ++++++--
 4 files changed, 33 insertions(+), 34 deletions(-)

diff --git a/solutions/standard/DA-types.md b/solutions/standard/DA-types.md
index e26d5e25..348adb89 100644
--- a/solutions/standard/DA-types.md
+++ b/solutions/standard/DA-types.md
@@ -53,7 +53,7 @@ In the configuration, specify the secret group name, whether it already exists o
 #### Options for service_credentials
 - `secret_name`: (required): A unique human-readable name of the secret to create.
- - `service_credentials_source_service_role`: (required): The role to give the service credential in the Event Notification service. Acceptable values are `Writer`, `Reader`, `Manager`, `None`, `Event Source Manager`, `Channel Editor`, `Event Notification Publisher`, `Status Reporter`, `Device Manager`, `Email Sender`, `Custom Email Status Reporter` , and `Pool ID Manager`
+ - `service_credentials_source_service_role_crn`: (required): The CRN of the role to give the service credential in the Event Nofication service. Service credentials role CRNs can be found at https://cloud.ibm.com/iam/roles, select Event Notifications and select the role. Role CRNs can be for the roles `Writer`, `Reader`, `Manager`, `Event Source Manager`, `Channel Editor`, `Event Notification Publisher`, `Status Reporter`, `Device Manager`, `Email Sender`, `Custom Email Status Reporter` , or `Pool ID Manager`
 - `secret_labels`: (optional, default = `[]`): Labels of the secret to create. Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (|).
 - `secret_auto_rotation`: (optional, default = `true`): Whether to configure automatic rotation of service credential.
 - `secret_auto_rotation_unit`: (optional, default = `day`): Specifies the unit of time for rotation of a secret. Acceptable values are `day` or `month`.
@@ -70,7 +70,7 @@ In the configuration, specify the secret group name, whether it already exists o
 "service_credentials": [
 {
 "secret_name": "cred-1"
- "service_credentials_source_service_role": "Writer"
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Writer"
 "secret_labels": ["test-writer-1", "test-writer-2"]
 "secret_auto_rotation": true
 "secret_auto_rotation_unit": "day"
@@ -80,7 +80,7 @@ In the configuration, specify the secret group name, whether it already exists o
 },
 {
 "secret_name": "cred-2"
- "service_credentials_source_service_role": "Reader"
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Reader"
 }
 ]
 },
@@ -89,11 +89,7 @@ In the configuration, specify the secret group name, whether it already exists o
 "service_credentials": [
 {
 "secret_name": "cred-3"
- "service_credentials_source_service_role": "Editor"
- },
- {
- "secret_name": "cred-4"
- "service_credentials_source_service_role": "None"
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor"
 }
 ]
 }
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index 00dfbc24..3ebb866e 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
@@ -352,16 +352,16 @@ locals {
 existing_secret_group = service_credentials.existing_secret_group
 secrets = [
 for secret in service_credentials.service_credentials : {
- secret_name = secret.secret_name
- secret_labels = secret.secret_labels
- secret_auto_rotation = secret.secret_auto_rotation
- secret_auto_rotation_unit = secret.secret_auto_rotation_unit
- secret_auto_rotation_interval = secret.secret_auto_rotation_interval
- service_credentials_ttl = secret.service_credentials_ttl
- service_credential_secret_description = secret.service_credential_secret_description
- service_credentials_source_service_role = secret.service_credentials_source_service_role
- service_credentials_source_service_crn = local.eventnotification_crn
- secret_type = "service_credentials" #checkov:skip=CKV_SECRET_6
+ secret_name = secret.secret_name
+ secret_labels = secret.secret_labels
+ secret_auto_rotation = secret.secret_auto_rotation
+ secret_auto_rotation_unit = secret.secret_auto_rotation_unit
+ secret_auto_rotation_interval = secret.secret_auto_rotation_interval
+ service_credentials_ttl = secret.service_credentials_ttl
+ service_credential_secret_description = secret.service_credential_secret_description
+ _crn = secret.service_credentials_source_service_role_crn
+ service_credentials_source_service_crn = local.eventnotification_crn
+ secret_type = "service_credentials" #checkov:skip=CKV_SECRET_6
 }
 ]
 }
@@ -389,7 +389,7 @@ module "secrets_manager_service_credentials" {
 count = length(local.service_credential_secrets) > 0 ? 1 : 0
 depends_on = [time_sleep.wait_for_en_authorization_policy]
 source = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
- version = "1.20.0"
+ version = "1.22.0"
 existing_sm_instance_guid = local.existing_secrets_manager_instance_guid
 existing_sm_instance_region = local.existing_secrets_manager_instance_region
 endpoint_type = var.existing_secrets_manager_endpoint_type
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index 083f7786..c7fb5df5 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -311,14 +311,14 @@ variable "service_credential_secrets" {
 secret_group_description = optional(string)
 existing_secret_group = optional(bool)
 service_credentials = list(object({
- secret_name = string
- service_credentials_source_service_role = string
- secret_labels = optional(list(string))
- secret_auto_rotation = optional(bool)
- secret_auto_rotation_unit = optional(string)
- secret_auto_rotation_interval = optional(number)
- service_credentials_ttl = optional(string)
- service_credential_secret_description = optional(string)
+ secret_name = string
+ service_credentials_source_service_role_crn = string
+ secret_labels = optional(list(string))
+ secret_auto_rotation = optional(bool)
+ secret_auto_rotation_unit = optional(string)
+ secret_auto_rotation_interval = optional(number)
+ service_credentials_ttl = optional(string)
+ service_credential_secret_description = optional(string)
 }))
 }))
@@ -326,15 +326,14 @@ variable "service_credential_secrets" {
 description = "Service credential secrets configuration for Event Notification. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/tree/main/solutions/standard/DA-types.md#service-credential-secrets)."
 validation {
+ # Service roles CRNs can be found at https://cloud.ibm.com/iam/roles, select Event Notifications and select the role
 condition = alltrue([
 for group in var.service_credential_secrets : alltrue([
- for credential in group.service_credentials : contains(
- ["Writer", "Reader", "Manager", "None", "Event Source Manager", "Channel Editor", "Event Notification Publisher", "Status Reporter", "Device Manager", "Email Sender", "Custom Email Status Reporter", "Pool ID Manager"], credential.service_credentials_source_service_role
- )
+ # crn:v?:bluemix; two non-empty segments; three possibly empty segments; :serviceRole or role: non-empty segment
+ for credential in group.service_credentials : can(regex("^crn:v[0-9]:bluemix(:..*){2}(:.*){3}:(serviceRole|role):..*$", credential.service_credentials_source_service_role_crn))
 ])
 ])
- error_message = "service_credentials_source_service_role role must be one of 'Writer', 'Reader', 'Manager', 'None', 'Event Source Manager', 'Channel Editor', 'Event Notification Publisher', 'Status Reporter', 'Device Manager', 'Email Sender', 'Custom Email Status Reporter' and 'Pool ID Manager'."
-
+ error_message = "service_credentials_source_service_role_crn must be a serviceRole CRN. See https://cloud.ibm.com/iam/roles"
 }
 }
diff --git a/tests/pr_test.go b/tests/pr_test.go
index a3085365..49c13a8e 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
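Review bot: The new `error_message` tells the user the value `must be a serviceRole CRN`, but the regex on the preceding `+` line also admits `:role:` CRNs (the DA-types example and the pr_test case both rely on `crn:v1:bluemix:public:iam::::role:Editor`), so a mistyped platform-role CRN produces a message that contradicts what the validation accepts. The regex is also looser than its comment claims: `.` matches `:`, so `(:.*){3}` absorbs any number of segments and the "two non-empty, three possibly empty" structure is never enforced — only the `crn:vN:bluemix:` prefix and a `:serviceRole:<x>` or `:role:<x>` suffix are checked. Using `[^:]` classes makes the ten-segment shape real, e.g. `for credential in group.service_credentials : can(regex("^crn:v[0-9]+:bluemix:[^:]+:[^:]+(:[^:]*){3}:(serviceRole|role):[^:]+$", credential.service_credentials_source_service_role_crn))`, paired with `error_message = "service_credentials_source_service_role_crn must be an IAM role CRN of the form crn:v1:bluemix:public:iam::::serviceRole:<name> or crn:v1:bluemix:public:iam::::role:<name>. See https://cloud.ibm.com/iam/roles"`. Either way this is a syntactic check only; whether the referenced role exists for Event Notifications, or is any narrower than the `Manager`/`Editor` examples, is only discovered at apply time, which the variable `description` (just above the hunk) should say so that operators do not read validation success as a least-privilege guarantee.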
@@ -124,11 +124,15 @@ func TestDAInSchematics(t *testing.T) {
 "service_credentials": []map[string]string{
 {
 "secret_name": fmt.Sprintf("%s-cred-reader", options.Prefix),
- "service_credentials_source_service_role": "Reader",
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Reader",
 },
 {
 "secret_name": fmt.Sprintf("%s-cred-writer", options.Prefix),
- "service_credentials_source_service_role": "Writer",
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Writer",
+ },
+ {
+ "secret_name": fmt.Sprintf("%s-cred-editor", options.Prefix),
+ "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor",
 },
 },
 },
From 0c910d7b4c905a97e57935cb6c3fa7b29181cc62 Mon Sep 17 00:00:00 2001
From: shemau
Date: Fri, 24 Jan 2025 17:08:52 +0000
Subject: [PATCH 2/2] fix: correct service_credentials_source_service_role_crn use

---
 solutions/standard/main.tf | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index 3ebb866e..e5f8276e 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
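Review bot: The three entries only exercise CRNs the new validation accepts; nothing in the hunk checks that a malformed value — for instance the bare role name `Writer` that this patch stops supporting — is rejected by the `service_credential_secrets` validation, so a later loosening of the regex would go unnoticed by this test. If the harness allows a plan-only run with an invalid input (I cannot tell from the hunk), a case asserting that `"service_credentials_source_service_role_crn": "Writer"` fails validation would close that gap. The `-cred-editor` entry binds a platform role (`:role:Editor`) rather than an Event Notifications service role; if that is deliberate it deserves a comment such as `// platform role CRN: exercises the :role: branch of the validation`. TestDAInSchematics starts before this hunk and its body continues after it.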
@@ -352,16 +352,16 @@ locals {
 existing_secret_group = service_credentials.existing_secret_group
 secrets = [
 for secret in service_credentials.service_credentials : {
- secret_name = secret.secret_name
- secret_labels = secret.secret_labels
- secret_auto_rotation = secret.secret_auto_rotation
- secret_auto_rotation_unit = secret.secret_auto_rotation_unit
- secret_auto_rotation_interval = secret.secret_auto_rotation_interval
- service_credentials_ttl = secret.service_credentials_ttl
- service_credential_secret_description = secret.service_credential_secret_description
- _crn = secret.service_credentials_source_service_role_crn
- service_credentials_source_service_crn = local.eventnotification_crn
- secret_type = "service_credentials" #checkov:skip=CKV_SECRET_6
+ secret_name = secret.secret_name
+ secret_labels = secret.secret_labels
+ secret_auto_rotation = secret.secret_auto_rotation
+ secret_auto_rotation_unit = secret.secret_auto_rotation_unit
+ secret_auto_rotation_interval = secret.secret_auto_rotation_interval
+ service_credentials_ttl = secret.service_credentials_ttl
+ service_credential_secret_description = secret.service_credential_secret_description
+ service_credentials_source_service_role_crn = secret.service_credentials_source_service_role_crn
+ service_credentials_source_service_crn = local.eventnotification_crn
+ secret_type = "service_credentials" #checkov:skip=CKV_SECRET_6
 }
 ]
 }