diff --git a/README.md b/README.md
index c8421a0d..7e91c494 100644
--- a/README.md
+++ b/README.md
@@ -104,7 +104,7 @@ You need the following permissions to run this module.
 | [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for encryption. Only used if `kms_encryption_enabled` is set to true. | `string` | `null` | no |
 | [region](#input\_region) | The region where the resource will be provisioned.Its not required if passing a value for `existing_sm_instance_crn`. | `string` | `null` | no |
 | [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group | `string` | n/a | yes |
-| [secrets](#input\_secrets) | Secret Manager secrets configurations. |
list(object({
secret_group_name = string
secret_group_description = optional(string)
existing_secret_group = optional(bool, false)
secrets = optional(list(object({
secret_name = string
secret_description = optional(string)
secret_type = optional(string)
imported_cert_certificate = optional(string)
imported_cert_private_key = optional(string)
imported_cert_intermediate = optional(string)
secret_username = optional(string)
secret_labels = optional(list(string), [])
secret_payload_password = optional(string, "")
secret_auto_rotation = optional(bool, true)
secret_auto_rotation_unit = optional(string, "day")
secret_auto_rotation_interval = optional(number, 89)
service_credentials_ttl = optional(string, "7776000") # 90 days
service_credentials_source_service_crn = optional(string)
service_credentials_source_service_role = optional(string)
})))
}))
| `[]` | no |
+| [secrets](#input\_secrets) | Secret Manager secrets configurations. |
list(object({
secret_group_name = string
secret_group_description = optional(string)
existing_secret_group = optional(bool, false)
secrets = optional(list(object({
secret_name = string
secret_description = optional(string)
secret_type = optional(string)
imported_cert_certificate = optional(string)
imported_cert_private_key = optional(string)
imported_cert_intermediate = optional(string)
secret_username = optional(string)
secret_labels = optional(list(string), [])
secret_payload_password = optional(string, "")
secret_auto_rotation = optional(bool, true)
secret_auto_rotation_unit = optional(string, "day")
secret_auto_rotation_interval = optional(number, 89)
service_credentials_ttl = optional(string, "7776000") # 90 days
service_credentials_source_service_crn = optional(string)
service_credentials_source_service_role_crn = optional(string)
})))
}))
| `[]` | no |
 | [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name of the Secrets Manager instance to create | `string` | n/a | yes |
 | [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false. | `bool` | `false` | no |
 | [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_guid` variable. In addition, no policy is created if `kms_encryption_enabled` is set to false. | `bool` | `false` | no |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 85d2e99a..e81c9612 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -55,6 +55,14 @@ module "secrets_manager" {
 secret_name = "${var.prefix}-kp-key-crn"
 secret_type = "arbitrary"
 secret_payload_password = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn
+ },
+ {
+ # Arbitrary service credential for source service event notifications, with role Event-Notification-Publisher
+ secret_name = "${var.prefix}-service-credential"
+ secret_type = "service_credentials" #checkov:skip=CKV_SECRET_6
+ secret_description = "Created by secrets-manager-module complete example"
+ service_credentials_source_service_crn = module.event_notification.crn
+ service_credentials_source_service_role_crn = "crn:v1:bluemix:public:event-notifications::::serviceRole:Event-Notification-Publisher"
 }
 ]
 },
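Review bot: The comment on the new example entry calls it an "Arbitrary service credential" while its `secret_type` is `"service_credentials"`, which is easy to confuse with the `"arbitrary"` secret type used by the entry directly above it; suggest `# Service credentials secret for the Event Notifications source service, granting the Event-Notification-Publisher role`. The `#checkov:skip=CKV_SECRET_6` on the `secret_type` line carries no justification, and checkov accepts a reason after the check id, so `secret_type = "service_credentials" #checkov:skip=CKV_SECRET_6: secret type label, not a credential value` keeps the suppression auditable. The entry also leaves `service_credentials_ttl` at the module default (`"7776000"`, 90 days per the variable declarations in this commit), which is reasonable for an example but worth a one-line comment since the lifetime of the generated credential is otherwise invisible here. The `module "secrets_manager"` block starts and ends outside the hunk.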
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
index e5e199e7..f9ad0738 100644
--- a/modules/fscloud/README.md
+++ b/modules/fscloud/README.md
@@ -54,7 +54,7 @@ No resources.
 | [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of Hyper Protect Crypto Services (HPCS) that you want to use for encryption. | `string` | n/a | yes |
 | [region](#input\_region) | The region to provision the Secrets Manager instance to. | `string` | n/a | yes |
 | [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group to provision the Secrets Manager instance to. | `string` | n/a | yes |
-| [secrets](#input\_secrets) | Secret Manager secrets configurations. |
list(object({
secret_group_name = string
secret_group_description = optional(string)
existing_secret_group = optional(bool, false)
secrets = optional(list(object({
secret_name = string
secret_description = optional(string)
secret_type = optional(string)
imported_cert_certificate = optional(string)
imported_cert_private_key = optional(string)
imported_cert_intermediate = optional(string)
secret_username = optional(string)
secret_labels = optional(list(string), [])
secret_payload_password = optional(string, "")
secret_auto_rotation = optional(bool, true)
secret_auto_rotation_unit = optional(string, "day")
secret_auto_rotation_interval = optional(number, 89)
service_credentials_ttl = optional(string, "7776000") # 90 days
service_credentials_source_service_crn = optional(string)
service_credentials_source_service_role = optional(string)
})))
}))
| `[]` | no |
+| [secrets](#input\_secrets) | Secret Manager secrets configurations. |
list(object({
secret_group_name = string
secret_group_description = optional(string)
existing_secret_group = optional(bool, false)
secrets = optional(list(object({
secret_name = string
secret_description = optional(string)
secret_type = optional(string)
imported_cert_certificate = optional(string)
imported_cert_private_key = optional(string)
imported_cert_intermediate = optional(string)
secret_username = optional(string)
secret_labels = optional(list(string), [])
secret_payload_password = optional(string, "")
secret_auto_rotation = optional(bool, true)
secret_auto_rotation_unit = optional(string, "day")
secret_auto_rotation_interval = optional(number, 89)
service_credentials_ttl = optional(string, "7776000") # 90 days
service_credentials_source_service_crn = optional(string)
service_credentials_source_service_role_crn = optional(string)
})))
}))
| `[]` | no |
 | [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name to give the Secrets Manager instance. | `string` | n/a | yes |
 | [service\_plan](#input\_service\_plan) | The Secrets Manager plan to provision. | `string` | `"standard"` | no |
 | [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false. | `bool` | `false` | no |
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
index cdbaaa0b..4d741838 100644
--- a/modules/fscloud/variables.tf
+++ b/modules/fscloud/variables.tf
@@ -105,21 +105,21 @@ variable "secrets" {
 secret_group_description = optional(string)
 existing_secret_group = optional(bool, false)
 secrets = optional(list(object({
- secret_name = string
- secret_description = optional(string)
- secret_type = optional(string)
- imported_cert_certificate = optional(string)
- imported_cert_private_key = optional(string)
- imported_cert_intermediate = optional(string)
- secret_username = optional(string)
- secret_labels = optional(list(string), [])
- secret_payload_password = optional(string, "")
- secret_auto_rotation = optional(bool, true)
- secret_auto_rotation_unit = optional(string, "day")
- secret_auto_rotation_interval = optional(number, 89)
- service_credentials_ttl = optional(string, "7776000") # 90 days
- service_credentials_source_service_crn = optional(string)
- service_credentials_source_service_role = optional(string)
+ secret_name = string
+ secret_description = optional(string)
+ secret_type = optional(string)
+ imported_cert_certificate = optional(string)
+ imported_cert_private_key = optional(string)
+ imported_cert_intermediate = optional(string)
+ secret_username = optional(string)
+ secret_labels = optional(list(string), [])
+ secret_payload_password = optional(string, "")
+ secret_auto_rotation = optional(bool, true)
+ secret_auto_rotation_unit = optional(string, "day")
+ secret_auto_rotation_interval = optional(number, 89)
+ service_credentials_ttl = optional(string, "7776000") # 90 days
+ service_credentials_source_service_crn = optional(string)
+ service_credentials_source_service_role_crn = optional(string)
 })))
 }))
 description = "Secret Manager secrets configurations."
diff --git a/modules/secrets/README.md b/modules/secrets/README.md
index 009b82ee..0e2120a7 100644
--- a/modules/secrets/README.md
+++ b/modules/secrets/README.md
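Review bot: The renamed attribute `service_credentials_source_service_role_crn` is described only by the unchanged `description = "Secret Manager secrets configurations."`, so nothing in the variable tells a caller that the value is now a full IAM role CRN (the example in this commit passes `crn:v1:bluemix:public:event-notifications::::serviceRole:Event-Notification-Publisher`) rather than whatever the old `service_credentials_source_service_role` accepted, which I would guess was a bare role name. Because this attribute decides what access the generated service credential carries, it is worth rejecting malformed values at plan time rather than letting the provider fail late or create a credential with an unintended role; a `validation` block such as the one below does that, and the description should mention the CRN format in the same change. The same rename lands without documentation or validation in the modules/secrets/variables.tf and variables.tf hunks. The `variable "secrets"` block starts and ends outside the hunk.
```hcl
  # … unchanged: type = list(object({ … })) and description …
  validation {
    condition = alltrue(flatten([
      for group in var.secrets : [
        for s in (group.secrets == null ? [] : group.secrets) :
        s.service_credentials_source_service_role_crn == null || can(regex("^crn:v1:", s.service_credentials_source_service_role_crn))
      ]
    ]))
    error_message = "Each service_credentials_source_service_role_crn must be a full IAM role CRN starting with 'crn:v1:'."
  }
```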
@@ -51,7 +51,7 @@ module "secrets_manager" {
 | Name | Source | Version |
 |------|--------|---------|
 | [secret\_groups](#module\_secret\_groups) | terraform-ibm-modules/secrets-manager-secret-group/ibm | 1.2.2 |
-| [secrets](#module\_secrets) | terraform-ibm-modules/secrets-manager-secret/ibm | 1.4.0 |
+| [secrets](#module\_secrets) | terraform-ibm-modules/secrets-manager-secret/ibm | 1.6.0 |
 ### Resources
@@ -66,7 +66,7 @@ module "secrets_manager" {
 | [endpoint\_type](#input\_endpoint\_type) | The service endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private` | `string` | `"public"` | no |
 | [existing\_sm\_instance\_guid](#input\_existing\_sm\_instance\_guid) | Instance ID of Secrets Manager instance in which the Secret will be added. | `string` | n/a | yes |
 | [existing\_sm\_instance\_region](#input\_existing\_sm\_instance\_region) | Region which the Secret Manager is deployed. | `string` | n/a | yes |
-| [secrets](#input\_secrets) | Secret Manager secrets configurations. |
list(object({
secret_group_name = string
secret_group_description = optional(string)
existing_secret_group = optional(bool, false)
secrets = optional(list(object({
secret_name = string
secret_description = optional(string)
secret_type = optional(string)
imported_cert_certificate = optional(string)
imported_cert_private_key = optional(string)
imported_cert_intermediate = optional(string)
secret_username = optional(string)
secret_labels = optional(list(string), [])
secret_payload_password = optional(string, "")
secret_auto_rotation = optional(bool, true)
secret_auto_rotation_unit = optional(string, "day")
secret_auto_rotation_interval = optional(number, 89)
service_credentials_ttl = optional(string, "7776000") # 90 days
service_credentials_source_service_crn = optional(string)
service_credentials_source_service_role = optional(string)
service_credentials_source_service_hmac = optional(bool, false)
})))
}))
| `[]` | no |
+| [secrets](#input\_secrets) | Secret Manager secrets configurations. |
list(object({
secret_group_name = string
secret_group_description = optional(string)
existing_secret_group = optional(bool, false)
secrets = optional(list(object({
secret_name = string
secret_description = optional(string)
secret_type = optional(string)
imported_cert_certificate = optional(string)
imported_cert_private_key = optional(string)
imported_cert_intermediate = optional(string)
secret_username = optional(string)
secret_labels = optional(list(string), [])
secret_payload_password = optional(string, "")
secret_auto_rotation = optional(bool, true)
secret_auto_rotation_unit = optional(string, "day")
secret_auto_rotation_interval = optional(number, 89)
service_credentials_ttl = optional(string, "7776000") # 90 days
service_credentials_source_service_crn = optional(string)
service_credentials_source_service_role_crn = optional(string)
service_credentials_source_service_hmac = optional(bool, false)
})))
}))
| `[]` | no |
 ### Outputs
diff --git a/modules/secrets/main.tf b/modules/secrets/main.tf
index 29e5fd4d..abf73dc0 100644
--- a/modules/secrets/main.tf
+++ b/modules/secrets/main.tf
@@ -50,27 +50,27 @@ locals {
 # create secret
 module "secrets" {
- for_each = { for obj in local.secrets : obj.secret_name => obj }
- source = "terraform-ibm-modules/secrets-manager-secret/ibm"
- version = "1.4.0"
- region = var.existing_sm_instance_region
- secrets_manager_guid = var.existing_sm_instance_guid
- secret_group_id = each.value.secret_group_id
- endpoint_type = var.endpoint_type
- secret_name = each.value.secret_name
- secret_description = each.value.secret_description
- secret_type = each.value.secret_type
- imported_cert_certificate = each.value.imported_cert_certificate
- imported_cert_private_key = each.value.imported_cert_private_key
- imported_cert_intermediate = each.value.imported_cert_intermediate
- secret_username = each.value.secret_username
- secret_labels = each.value.secret_labels
- secret_payload_password = each.value.secret_payload_password
- secret_auto_rotation = each.value.secret_auto_rotation
- secret_auto_rotation_unit = each.value.secret_auto_rotation_unit
- secret_auto_rotation_interval = each.value.secret_auto_rotation_interval
- service_credentials_ttl = each.value.service_credentials_ttl
- service_credentials_source_service_crn = each.value.service_credentials_source_service_crn
- service_credentials_source_service_role = each.value.service_credentials_source_service_role
- service_credentials_source_service_hmac = each.value.service_credentials_source_service_hmac
+ for_each = { for obj in local.secrets : obj.secret_name => obj }
+ source = "terraform-ibm-modules/secrets-manager-secret/ibm"
+ version = "1.6.0"
+ region = var.existing_sm_instance_region
+ secrets_manager_guid = var.existing_sm_instance_guid
+ secret_group_id = each.value.secret_group_id
+ endpoint_type = var.endpoint_type
+ secret_name = each.value.secret_name
+ secret_description = each.value.secret_description
+ secret_type = each.value.secret_type
+ imported_cert_certificate = each.value.imported_cert_certificate
+ imported_cert_private_key = each.value.imported_cert_private_key
+ imported_cert_intermediate = each.value.imported_cert_intermediate
+ secret_username = each.value.secret_username
+ secret_labels = each.value.secret_labels
+ secret_payload_password = each.value.secret_payload_password
+ secret_auto_rotation = each.value.secret_auto_rotation
+ secret_auto_rotation_unit = each.value.secret_auto_rotation_unit
+ secret_auto_rotation_interval = each.value.secret_auto_rotation_interval
+ service_credentials_ttl = each.value.service_credentials_ttl
+ service_credentials_source_service_crn = each.value.service_credentials_source_service_crn
+ service_credentials_source_service_role_crn = each.value.service_credentials_source_service_role_crn
+ service_credentials_source_service_hmac = each.value.service_credentials_source_service_hmac
 }
diff --git a/modules/secrets/variables.tf b/modules/secrets/variables.tf
index c721a499..80a4d0ba 100644
--- a/modules/secrets/variables.tf
+++ b/modules/secrets/variables.tf
@@ -24,22 +24,22 @@ variable "secrets" {
 secret_group_description = optional(string)
 existing_secret_group = optional(bool, false)
 secrets = optional(list(object({
- secret_name = string
- secret_description = optional(string)
- secret_type = optional(string)
- imported_cert_certificate = optional(string)
- imported_cert_private_key = optional(string)
- imported_cert_intermediate = optional(string)
- secret_username = optional(string)
- secret_labels = optional(list(string), [])
- secret_payload_password = optional(string, "")
- secret_auto_rotation = optional(bool, true)
- secret_auto_rotation_unit = optional(string, "day")
- secret_auto_rotation_interval = optional(number, 89)
- service_credentials_ttl = optional(string, "7776000") # 90 days
- service_credentials_source_service_crn = optional(string)
- service_credentials_source_service_role = optional(string)
- service_credentials_source_service_hmac = optional(bool, false)
+ secret_name = string
+ secret_description = optional(string)
+ secret_type = optional(string)
+ imported_cert_certificate = optional(string)
+ imported_cert_private_key = optional(string)
+ imported_cert_intermediate = optional(string)
+ secret_username = optional(string)
+ secret_labels = optional(list(string), [])
+ secret_payload_password = optional(string, "")
+ secret_auto_rotation = optional(bool, true)
+ secret_auto_rotation_unit = optional(string, "day")
+ secret_auto_rotation_interval = optional(number, 89)
+ service_credentials_ttl = optional(string, "7776000") # 90 days
+ service_credentials_source_service_crn = optional(string)
+ service_credentials_source_service_role_crn = optional(string)
+ service_credentials_source_service_hmac = optional(bool, false)
 })))
 }))
 description = "Secret Manager secrets configurations."
diff --git a/solutions/standard/version.tf b/solutions/standard/version.tf
index f7544b0b..e51ef9af 100644
--- a/solutions/standard/version.tf
+++ b/solutions/standard/version.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 ibm = {
 source = "IBM-Cloud/ibm"
- version = "1.73.0"
+ version = "1.74.0"
 }
 time = {
 source = "hashicorp/time"
diff --git a/variables.tf b/variables.tf
index 86e8d78d..cf04c6b2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -140,21 +140,21 @@ variable "secrets" {
 secret_group_description = optional(string)
 existing_secret_group = optional(bool, false)
 secrets = optional(list(object({
- secret_name = string
- secret_description = optional(string)
- secret_type = optional(string)
- imported_cert_certificate = optional(string)
- imported_cert_private_key = optional(string)
- imported_cert_intermediate = optional(string)
- secret_username = optional(string)
- secret_labels = optional(list(string), [])
- secret_payload_password = optional(string, "")
- secret_auto_rotation = optional(bool, true)
- secret_auto_rotation_unit = optional(string, "day")
- secret_auto_rotation_interval = optional(number, 89)
- service_credentials_ttl = optional(string, "7776000") # 90 days
- service_credentials_source_service_crn = optional(string)
- service_credentials_source_service_role = optional(string)
+ secret_name = string
+ secret_description = optional(string)
+ secret_type = optional(string)
+ imported_cert_certificate = optional(string)
+ imported_cert_private_key = optional(string)
+ imported_cert_intermediate = optional(string)
+ secret_username = optional(string)
+ secret_labels = optional(list(string), [])
+ secret_payload_password = optional(string, "")
+ secret_auto_rotation = optional(bool, true)
+ secret_auto_rotation_unit = optional(string, "day")
+ secret_auto_rotation_interval = optional(number, 89)
+ service_credentials_ttl = optional(string, "7776000") # 90 days
+ service_credentials_source_service_crn = optional(string)
+ service_credentials_source_service_role_crn = optional(string)
 })))
 }))
 description = "Secret Manager secrets configurations."