fix: service credential source service role #273

Merged
merged 1 commit into from
Jan 24, 2025
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -104,7 +104,7 @@ You need the following permissions to run this module.
| <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for encryption. Only used if `kms_encryption_enabled` is set to true. | `string` | `null` | no |
| <a name="input_region"></a> [region](#input\_region) | The region where the resource will be provisioned.Its not required if passing a value for `existing_sm_instance_crn`. | `string` | `null` | no |
| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group | `string` | n/a | yes |
| <a name="input_secrets"></a> [secrets](#input\_secrets) | Secret Manager secrets configurations. | <pre>list(object({<br/> secret_group_name = string<br/> secret_group_description = optional(string)<br/> existing_secret_group = optional(bool, false)<br/> secrets = optional(list(object({<br/> secret_name = string<br/> secret_description = optional(string)<br/> secret_type = optional(string)<br/> imported_cert_certificate = optional(string)<br/> imported_cert_private_key = optional(string)<br/> imported_cert_intermediate = optional(string)<br/> secret_username = optional(string)<br/> secret_labels = optional(list(string), [])<br/> secret_payload_password = optional(string, "")<br/> secret_auto_rotation = optional(bool, true)<br/> secret_auto_rotation_unit = optional(string, "day")<br/> secret_auto_rotation_interval = optional(number, 89)<br/> service_credentials_ttl = optional(string, "7776000") # 90 days<br/> service_credentials_source_service_crn = optional(string)<br/> service_credentials_source_service_role = optional(string)<br/> })))<br/> }))</pre> | `[]` | no |
| <a name="input_secrets"></a> [secrets](#input\_secrets) | Secret Manager secrets configurations. | <pre>list(object({<br/> secret_group_name = string<br/> secret_group_description = optional(string)<br/> existing_secret_group = optional(bool, false)<br/> secrets = optional(list(object({<br/> secret_name = string<br/> secret_description = optional(string)<br/> secret_type = optional(string)<br/> imported_cert_certificate = optional(string)<br/> imported_cert_private_key = optional(string)<br/> imported_cert_intermediate = optional(string)<br/> secret_username = optional(string)<br/> secret_labels = optional(list(string), [])<br/> secret_payload_password = optional(string, "")<br/> secret_auto_rotation = optional(bool, true)<br/> secret_auto_rotation_unit = optional(string, "day")<br/> secret_auto_rotation_interval = optional(number, 89)<br/> service_credentials_ttl = optional(string, "7776000") # 90 days<br/> service_credentials_source_service_crn = optional(string)<br/> service_credentials_source_service_role_crn = optional(string)<br/> })))<br/> }))</pre> | `[]` | no |
| <a name="input_secrets_manager_name"></a> [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name of the Secrets Manager instance to create | `string` | n/a | yes |
| <a name="input_skip_en_iam_authorization_policy"></a> [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false. | `bool` | `false` | no |
| <a name="input_skip_kms_iam_authorization_policy"></a> [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_guid` variable. In addition, no policy is created if `kms_encryption_enabled` is set to false. | `bool` | `false` | no |
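Review bot: renaming `service_credentials_source_service_role` to `service_credentials_source_service_role_crn` inside the `secrets` object is a breaking change for every caller that sets the old attribute (Terraform rejects an attribute that is not declared in the object type), yet the hunk only swaps the name in the generated table and the description still reads "Secret Manager secrets configurations." Extend the description to say that the new attribute takes a full service role CRN rather than a role name, and call the rename out so consumers know to update their inputs. The root `variables.tf` this table is generated from is not part of the visible diff; confirm it carries the same change, otherwise the README and the type constraint will disagree.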
8 changes: 8 additions & 0 deletions examples/complete/main.tf
Expand Up @@ -55,6 +55,14 @@ module "secrets_manager" {
secret_name = "${var.prefix}-kp-key-crn"
secret_type = "arbitrary"
secret_payload_password = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn
},
{
# Arbitrary service credential for source service event notifications, with role Event-Notification-Publisher
secret_name = "${var.prefix}-service-credential"
secret_type = "service_credentials" #checkov:skip=CKV_SECRET_6
secret_description = "Created by secrets-manager-module complete example"
service_credentials_source_service_crn = module.event_notification.crn
service_credentials_source_service_role_crn = "crn:v1:bluemix:public:event-notifications::::serviceRole:Event-Notification-Publisher"
}
]
},
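Review bot: the comment on the new entry says "Arbitrary service credential", but `secret_type` is `"service_credentials"`, not `"arbitrary"` (the arbitrary secret is the preceding entry that stores the Key Protect key CRN); reword it to describe what is actually created, a service credential against the Event Notifications instance with the Event-Notification-Publisher role. The `#checkov:skip=CKV_SECRET_6` suppression also carries no justification; checkov accepts one after the rule id (`#checkov:skip=CKV_SECRET_6:value is a secret type name, not secret material`), and without it the skip reads like a hidden hardcoded credential to the next reviewer. Scoping the credential to the publisher role rather than a manager role is the right least-privilege choice for an example; worth keeping that way.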
2 changes: 1 addition & 1 deletion modules/fscloud/README.md
Expand Up @@ -54,7 +54,7 @@ No resources.
| <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of Hyper Protect Crypto Services (HPCS) that you want to use for encryption. | `string` | n/a | yes |
| <a name="input_region"></a> [region](#input\_region) | The region to provision the Secrets Manager instance to. | `string` | n/a | yes |
| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group to provision the Secrets Manager instance to. | `string` | n/a | yes |
| <a name="input_secrets"></a> [secrets](#input\_secrets) | Secret Manager secrets configurations. | <pre>list(object({<br/> secret_group_name = string<br/> secret_group_description = optional(string)<br/> existing_secret_group = optional(bool, false)<br/> secrets = optional(list(object({<br/> secret_name = string<br/> secret_description = optional(string)<br/> secret_type = optional(string)<br/> imported_cert_certificate = optional(string)<br/> imported_cert_private_key = optional(string)<br/> imported_cert_intermediate = optional(string)<br/> secret_username = optional(string)<br/> secret_labels = optional(list(string), [])<br/> secret_payload_password = optional(string, "")<br/> secret_auto_rotation = optional(bool, true)<br/> secret_auto_rotation_unit = optional(string, "day")<br/> secret_auto_rotation_interval = optional(number, 89)<br/> service_credentials_ttl = optional(string, "7776000") # 90 days<br/> service_credentials_source_service_crn = optional(string)<br/> service_credentials_source_service_role = optional(string)<br/> })))<br/> }))</pre> | `[]` | no |
| <a name="input_secrets"></a> [secrets](#input\_secrets) | Secret Manager secrets configurations. | <pre>list(object({<br/> secret_group_name = string<br/> secret_group_description = optional(string)<br/> existing_secret_group = optional(bool, false)<br/> secrets = optional(list(object({<br/> secret_name = string<br/> secret_description = optional(string)<br/> secret_type = optional(string)<br/> imported_cert_certificate = optional(string)<br/> imported_cert_private_key = optional(string)<br/> imported_cert_intermediate = optional(string)<br/> secret_username = optional(string)<br/> secret_labels = optional(list(string), [])<br/> secret_payload_password = optional(string, "")<br/> secret_auto_rotation = optional(bool, true)<br/> secret_auto_rotation_unit = optional(string, "day")<br/> secret_auto_rotation_interval = optional(number, 89)<br/> service_credentials_ttl = optional(string, "7776000") # 90 days<br/> service_credentials_source_service_crn = optional(string)<br/> service_credentials_source_service_role_crn = optional(string)<br/> })))<br/> }))</pre> | `[]` | no |
| <a name="input_secrets_manager_name"></a> [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name to give the Secrets Manager instance. | `string` | n/a | yes |
| <a name="input_service_plan"></a> [service\_plan](#input\_service\_plan) | The Secrets Manager plan to provision. | `string` | `"standard"` | no |
| <a name="input_skip_en_iam_authorization_policy"></a> [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false. | `bool` | `false` | no |
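Review bot: same rename as in the root README, same gap: nothing in this table tells an fscloud consumer what `service_credentials_source_service_role_crn` must contain, and this is the compliance-oriented profile where input contracts matter most. State in the description that the value is a full `serviceRole` CRN for the source service, and that the `service_credentials_ttl` default of `7776000` (90 days) governs how long the generated service credential stays valid, so that anyone tightening lifetimes for a controlled environment knows which knob to turn.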
30 changes: 15 additions & 15 deletions modules/fscloud/variables.tf
Expand Up @@ -105,21 +105,21 @@ variable "secrets" {
secret_group_description = optional(string)
existing_secret_group = optional(bool, false)
secrets = optional(list(object({
secret_name = string
secret_description = optional(string)
secret_type = optional(string)
imported_cert_certificate = optional(string)
imported_cert_private_key = optional(string)
imported_cert_intermediate = optional(string)
secret_username = optional(string)
secret_labels = optional(list(string), [])
secret_payload_password = optional(string, "")
secret_auto_rotation = optional(bool, true)
secret_auto_rotation_unit = optional(string, "day")
secret_auto_rotation_interval = optional(number, 89)
service_credentials_ttl = optional(string, "7776000") # 90 days
service_credentials_source_service_crn = optional(string)
service_credentials_source_service_role = optional(string)
secret_name = string
secret_description = optional(string)
secret_type = optional(string)
imported_cert_certificate = optional(string)
imported_cert_private_key = optional(string)
imported_cert_intermediate = optional(string)
secret_username = optional(string)
secret_labels = optional(list(string), [])
secret_payload_password = optional(string, "")
secret_auto_rotation = optional(bool, true)
secret_auto_rotation_unit = optional(string, "day")
secret_auto_rotation_interval = optional(number, 89)
service_credentials_ttl = optional(string, "7776000") # 90 days
service_credentials_source_service_crn = optional(string)
service_credentials_source_service_role_crn = optional(string)
})))
}))
description = "Secret Manager secrets configurations."
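Review bot: the whole nested object is re-emitted because `terraform fmt` realigned the `=` signs for the longer attribute name, so the only functional change is the last attribute, and it lands without any `validation` block: a caller who passes a bare role name such as `Event-Notification-Publisher` instead of a CRN only finds out at apply time. Add a validation on the variable, for example `alltrue([for g in var.secrets : alltrue([for s in coalesce(g.secrets, []) : s.service_credentials_source_service_role_crn == null || can(regex("^crn:v1:", s.service_credentials_source_service_role_crn))])])`, and mention the CRN format in the description at the end of the hunk, which still reads only "Secret Manager secrets configurations."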
4 changes: 2 additions & 2 deletions modules/secrets/README.md
Expand Up @@ -51,7 +51,7 @@ module "secrets_manager" {
| Name | Source | Version |
|------|--------|---------|
| <a name="module_secret_groups"></a> [secret\_groups](#module\_secret\_groups) | terraform-ibm-modules/secrets-manager-secret-group/ibm | 1.2.2 |
| <a name="module_secrets"></a> [secrets](#module\_secrets) | terraform-ibm-modules/secrets-manager-secret/ibm | 1.4.0 |
| <a name="module_secrets"></a> [secrets](#module\_secrets) | terraform-ibm-modules/secrets-manager-secret/ibm | 1.6.0 |

### Resources

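Review bot: the `secrets` module source jumps from 1.4.0 straight to 1.6.0, skipping 1.5.x, so the release notes of every intermediate version of `terraform-ibm-modules/secrets-manager-secret/ibm` should be checked for behaviour changes beyond the role-CRN input this PR needs. The place where `service_credentials_source_service_role_crn` is actually forwarded to that module (the submodule's `main.tf`) is not part of the visible diff; confirm it maps the renamed attribute to the new module input rather than silently dropping it. Keeping the exact version pin is correct, do not widen it to a range.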
Expand All @@ -66,7 +66,7 @@ module "secrets_manager" {
| <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | The service endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private` | `string` | `"public"` | no |
| <a name="input_existing_sm_instance_guid"></a> [existing\_sm\_instance\_guid](#input\_existing\_sm\_instance\_guid) | Instance ID of Secrets Manager instance in which the Secret will be added. | `string` | n/a | yes |
| <a name="input_existing_sm_instance_region"></a> [existing\_sm\_instance\_region](#input\_existing\_sm\_instance\_region) | Region which the Secret Manager is deployed. | `string` | n/a | yes |
| <a name="input_secrets"></a> [secrets](#input\_secrets) | Secret Manager secrets configurations. | <pre>list(object({<br/> secret_group_name = string<br/> secret_group_description = optional(string)<br/> existing_secret_group = optional(bool, false)<br/> secrets = optional(list(object({<br/> secret_name = string<br/> secret_description = optional(string)<br/> secret_type = optional(string)<br/> imported_cert_certificate = optional(string)<br/> imported_cert_private_key = optional(string)<br/> imported_cert_intermediate = optional(string)<br/> secret_username = optional(string)<br/> secret_labels = optional(list(string), [])<br/> secret_payload_password = optional(string, "")<br/> secret_auto_rotation = optional(bool, true)<br/> secret_auto_rotation_unit = optional(string, "day")<br/> secret_auto_rotation_interval = optional(number, 89)<br/> service_credentials_ttl = optional(string, "7776000") # 90 days<br/> service_credentials_source_service_crn = optional(string)<br/> service_credentials_source_service_role = optional(string)<br/> service_credentials_source_service_hmac = optional(bool, false)<br/> })))<br/> }))</pre> | `[]` | no |
| <a name="input_secrets"></a> [secrets](#input\_secrets) | Secret Manager secrets configurations. | <pre>list(object({<br/> secret_group_name = string<br/> secret_group_description = optional(string)<br/> existing_secret_group = optional(bool, false)<br/> secrets = optional(list(object({<br/> secret_name = string<br/> secret_description = optional(string)<br/> secret_type = optional(string)<br/> imported_cert_certificate = optional(string)<br/> imported_cert_private_key = optional(string)<br/> imported_cert_intermediate = optional(string)<br/> secret_username = optional(string)<br/> secret_labels = optional(list(string), [])<br/> secret_payload_password = optional(string, "")<br/> secret_auto_rotation = optional(bool, true)<br/> secret_auto_rotation_unit = optional(string, "day")<br/> secret_auto_rotation_interval = optional(number, 89)<br/> service_credentials_ttl = optional(string, "7776000") # 90 days<br/> service_credentials_source_service_crn = optional(string)<br/> service_credentials_source_service_role_crn = optional(string)<br/> service_credentials_source_service_hmac = optional(bool, false)<br/> })))<br/> }))</pre> | `[]` | no |

### Outputs

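Review bot: this copy of the `secrets` object type carries `service_credentials_source_service_hmac`, which the root and `modules/fscloud` copies of the same type do not, so the three schemas have already drifted and the rename had to be applied by hand in each of them. Either derive the nested type once and reuse it, or document which attributes each wrapper forwards, so that the next attribute change cannot be missed in one of the copies the way `_hmac` evidently was.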