diff --git a/examples/basic/variables.tf b/examples/basic/variables.tf
index 18664df2..bacffca5 100644
--- a/examples/basic/variables.tf
+++ b/examples/basic/variables.tf
@@ -7,7 +7,7 @@ variable "ibmcloud_api_key" {
 variable "prefix" {
 type = string
 description = "Prefix for sm instance"
- default = "sm-bas"
+ default = "sm-bas-alex"
 }
 
 variable "region" {
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 12e7f913..1e2c5741 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -256,6 +256,15 @@
 },
 {
 "key":"cbr_rules"
+ },
+ {
+ "key":"default_secret_group_name"
+ },
+ {
+ "key":"default_access_group_name"
+ },
+ {
+ "key":"access_group_user_ids"
 }
 ],
 "architecture": {
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index 6b6eddd7..13fcc347 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
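Review bot: The new default `"sm-bas-alex"` in examples/basic/variables.tf reads as a developer's personal prefix committed by accident rather than a deliberate change, and it is unrelated to the access-group feature the rest of the diff adds. Unless the example is meant to ship with that name, restore `default = "sm-bas"` (or choose a neutral value) so anyone running the example does not get resource names tied to one person. If the change was made to avoid a name collision during local testing, that value belongs in a local tfvars file, not in the committed default.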
@@ -119,6 +119,38 @@ module "secrets_manager" {
 cbr_rules = var.cbr_rules
 }
 
+module "secrets_group" {
+ count = var.existing_secrets_manager_crn == null ? 1 : 0
+ source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
+ version = "1.2.2"
+ region = local.secrets_manager_region
+ secrets_manager_guid = local.secrets_manager_guid
+ secret_group_name = var.default_secret_group_name
+ secret_group_description = "Default secrets group"
+ endpoint_type = "private"
+}
+
+module "iam_service_access_group" {
+ count = var.existing_secrets_manager_crn == null ? 1 : 0
+ source = "terraform-ibm-modules/iam-access-group/ibm"
+ version = "1.4.4"
+ access_group_name = "${var.prefix}-${var.default_access_group_name}"
+ dynamic_rules = {}
+ policies = {
+ sm_policy = {
+ roles = ["SecretsReader"],
+ tags = [],
+ resources = [{
+ service = "secrets-manager"
+ instance_id = local.secrets_manager_guid,
+ resource_type = "secret-group",
+ resource = module.secrets_group[0].secret_group_id
+ }]
+ }
+ }
+ ibm_ids = var.access_group_user_ids
+}
+
 # Configure an IBM Secrets Manager IAM credentials engine for an existing IBM Secrets Manager instance.
 module "iam_secrets_engine" {
 count = var.iam_engine_enabled ? 1 : 0
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index d1e92009..c5ee0b5a 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
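Review bot: Neither new module block carries the leading comment the file uses for `module "iam_secrets_engine"` (`# Configure an IBM Secrets Manager IAM credentials engine …`), so a reader has to infer from the two identical `count` expressions that both resources exist only when a new instance is provisioned. Suggest `# Create a default secret group and a reader access group for a newly provisioned instance only (skipped when existing_secrets_manager_crn is set).` above `module "secrets_group"`, and above `module "iam_service_access_group"` a line noting that the policy grants only SecretsReader and is scoped to that single secret group, which is the least-privilege shape worth preserving in later edits. Note also that `secret_group_name` takes `var.default_secret_group_name` unprefixed while `access_group_name` is `"${var.prefix}-${var.default_access_group_name}"`; if the asymmetry is intentional (presumably because the access group is account-wide and needs the prefix for uniqueness), a short comment would stop it being "fixed" later. `endpoint_type = "private"` is hard-coded here; if the solution already exposes an endpoint-type input elsewhere in this file, the new block should use it for consistency.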
@@ -80,6 +80,24 @@ variable "public_engine_enabled" {
 default = false
 }
 
+variable "default_secret_group_name" {
+ type = string
+ description = "Name to give the secrets group automatically created when provisioning a new Secrets Manager instance."
+ default = "default-group"
+}
+
+variable "default_access_group_name" {
+ type = string
+ description = "Name to give the access group automatically created when provisioning a new Secrets Manager instance."
+ default = "secrets_manager_secret_reader_access_group"
+}
+
+variable "access_group_user_ids" {
+ type = list(string)
+ description = "List of IBM IDs to add to the default access group for the new Secrets Manager instance."
+ default = []
+}
+
 ########################################################################################################################
 # Public cert engine config
 ########################################################################################################################
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 362af949..ef77b26a 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -123,6 +123,7 @@ func TestRunDASolutionSchematics(t *testing.T) {
 {Name: "ca_name", Value: permanentResources["certificateAuthorityName"], DataType: "string"},
 {Name: "dns_provider_name", Value: permanentResources["dnsProviderName"], DataType: "string"},
 {Name: "acme_letsencrypt_private_key", Value: *acme_letsencrypt_private_key, DataType: "string"},
+ {Name: "access_group_user_ids", Value: []string{"GoldenEye.Development@ibm.com"}, DataType: "list(string)"},
 }
 
 err := options.RunSchematicTest()
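Review bot: The descriptions of `default_secret_group_name`, `default_access_group_name` and `access_group_user_ids` do not state that the values are silently ignored when `existing_secrets_manager_crn` is set, which is what the `count` guard on the consuming modules in solutions/standard/main.tf implies. Suggest ending each description with `Only applies when a new Secrets Manager instance is provisioned; ignored if existing_secrets_manager_crn is set.` so a caller who passes user IDs against an existing instance is not surprised that no access group appears. Separately, the three variables are inserted between `public_engine_enabled` and the `# Public cert engine config` banner, so they fall under whatever section heads `public_engine_enabled`; a banner of their own in the file's existing `####` style (for example `# Default secret group and access group`) would keep the file navigable.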
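Review bot: The added input pins a real IBM ID (`GoldenEye.Development@ibm.com`) as a string literal in TestRunDASolutionSchematics, whereas the neighbouring inputs pull their values from `permanentResources` lookups; a literal identity in the test source couples the test to one account and becomes a silent failure point if that ID is ever removed from it. Prefer reading it from `permanentResources` if a suitable key already exists there, or at least a named package-level constant with a comment on why that ID is used, e.g. `{Name: "access_group_user_ids", Value: []string{testAccessGroupUserID}, DataType: "list(string)"}` (constant name is a suggestion). The enclosing function starts before the hunk, so the Schematics apply that will actually create the access group with this member is outside view.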