From fb0e7f4a3ccd29b275f5230177752475306798ef Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Mon, 10 Feb 2025 11:39:45 -0500
Subject: [PATCH 01/11] feat: add guardrails to DA

---
 ibm_catalog.json | 9 +++++++++
 solutions/standard/main.tf | 31 +++++++++++++++++++++++++++++++
 solutions/standard/variables.tf | 20 +++++++++++++++++++-
 3 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/ibm_catalog.json b/ibm_catalog.json
index 12e7f913..075a2ba5 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -256,6 +256,15 @@
       },
       {
         "key":"cbr_rules"
+      },
+      {
+        "key":"default_secret_group_name"
+      },
+      {
+        "key":"default_access_group_name"
+      },
+      {
+        "key":"access_group_ids"
       }
     ],
     "architecture": {
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index ca315ab1..2f1fa045 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
@@ -119,6 +119,37 @@ module "secrets_manager" {
   cbr_rules = var.cbr_rules
 }
 
+module "secrets_group" {
+  count = var.existing_secrets_manager_crn == null ? 1 : 0
+  source = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
+  version = "1.2.2"
+  region = local.secrets_manager_region
+  secrets_manager_guid = local.secrets_manager_guid
+  secret_group_name = var.default_secret_group_name
+  secret_group_description = "Default secrets group"
+}
+
+module "iam_service_access_group" {
+  count = var.existing_secrets_manager_crn == null ? 1 : 0
+  source = "terraform-ibm-modules/iam-access-group/ibm"
+  version = "1.4.4"
+  access_group_name = var.default_access_group_name
+  dynamic_rules = {}
+  policies = {
+    sm_policy = {
+      roles = ["SecretsReader"],
+      tags = [],
+      resources = [{
+        service = "secrets-manager"
+        instance_id = local.secrets_manager_guid,
+        resource_type = "secret-group",
+        resource = module.secrets_manager.secret_groups["trust"].secret_group_id
+      }]
+    }
+  }
+  ibm_ids = var.access_group_ids
+}
+
 # Configure an IBM Secrets Manager IAM credentials engine for an existing IBM Secrets Manager instance.
 module "iam_secrets_engine" {
   count = var.iam_engine_enabled ? 1 : 0
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index d1e92009..70ff59bd 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -11,7 +11,7 @@ variable "ibmcloud_api_key" {
 variable "provider_visibility" {
   description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)."
   type = string
-  default = "private"
+  default = "public"
   validation {
     condition = contains(["public", "private", "public-and-private"], var.provider_visibility)
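Review bot: The new `secrets_group` and `iam_service_access_group` modules carry no header comment, unlike the module that follows them in this hunk (`# Configure an IBM Secrets Manager IAM credentials engine ...`); add `# Create a default secret group in the new Secrets Manager instance.` above the first and `# Create an access group granting SecretsReader on that secret group to the listed IBM IDs.` above the second. The policy is scoped to a single secret group via `resource_type = "secret-group"` rather than the whole instance, which is the least-privilege shape a reader grant should have, so the comment is also where to record that the narrow scope is deliberate. Attribute punctuation is mixed inside one object (`service = "secrets-manager"` without a trailing comma, `instance_id = local.secrets_manager_guid,` with one); pick one form.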
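Review bot: Changing the `provider_visibility` default from `private` to `public` sends every provider call over public endpoints unless the user overrides it, a security-relevant change that the subject `feat: add guardrails to DA` does not mention. If this was only needed for local testing it should not ship in the feature patch; patch 09 flips the default back to `private`, so dropping both hunks from the series leaves the default untouched and the history honest. The `variable "provider_visibility"` block continues past the end of the hunk.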
@@ -80,6 +80,24 @@ variable "public_engine_enabled" {
   default = false
 }
 
+variable "default_secret_group_name" {
+  type = string
+  description = "Name to give the secrets group automatically created when provisioning a new Secrets Manager instance."
+  default = "default"
+}
+
+variable "default_access_group_name" {
+  type = string
+  description = "Name to give the access group automatically created when provisioning a new Secrets Manager instance."
+  default = "secrets_manager_group"
+}
+
+variable "access_group_ids" {
+  type = list(string)
+  description = "List of IBM IDs to add to the default access group for the new Secrets Manager instance."
+  default = null
+}
+
 ########################################################################################################################
 # Public cert engine config
 ########################################################################################################################

From 93d033a70da1b98b13d564a1329ddd9327874d17 Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Mon, 10 Feb 2025 12:01:16 -0500
Subject: [PATCH 02/11] fix: variable path

---
 solutions/standard/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index 2f1fa045..6bbf024d 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
@@ -143,7 +143,7 @@ module "iam_service_access_group" {
         service = "secrets-manager"
         instance_id = local.secrets_manager_guid,
         resource_type = "secret-group",
-        resource = module.secrets_manager.secret_groups["trust"].secret_group_id
+        resource = module.secrets_group[0].secret_group_id
       }]
     }
   }

From 3243d6b05afea25ed3d04d12820c0358dacf6d6c Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Mon, 10 Feb 2025 13:09:15 -0500
Subject: [PATCH 03/11] fix: change defaukt

---
 solutions/standard/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index 70ff59bd..4d030406 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -95,7 +95,7 @@ variable "default_access_group_name" {
 variable "access_group_ids" {
   type = list(string)
   description = "List of IBM IDs to add to the default access group for the new Secrets Manager instance."
-  default = null
+  default = []
 }
 
 ########################################################################################################################

From 06d09d7e3c25dd03ac185a8798213bb3b16dd6d1 Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Mon, 10 Feb 2025 13:53:10 -0500
Subject: [PATCH 04/11] fix: add default user to access group

---
 tests/pr_test.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/pr_test.go b/tests/pr_test.go
index 56e84e37..837cdc87 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -123,6 +123,7 @@ func TestRunDASolutionSchematics(t *testing.T) {
 		{Name: "ca_name", Value: permanentResources["certificateAuthorityName"], DataType: "string"},
 		{Name: "dns_provider_name", Value: permanentResources["dnsProviderName"], DataType: "string"},
 		{Name: "acme_letsencrypt_private_key", Value: *acme_letsencrypt_private_key, DataType: "string"},
+		{Name: "access_group_ids", Value: []string{"GoldenEye.Development@ibm.com"}, DataType: "list(string)"},
 	}
 
 	err := options.RunSchematicTest()

From a7b69a37cfcb4d90d348e970b73ce6bfc07f5d28 Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Tue, 11 Feb 2025 10:46:02 -0500
Subject: [PATCH 05/11] test: en instance also private

---
 tests/existing-resources/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/existing-resources/main.tf b/tests/existing-resources/main.tf
index a82c37d1..8a041996 100644
--- a/tests/existing-resources/main.tf
+++ b/tests/existing-resources/main.tf
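Review bot: The added input hard-codes the account identity `GoldenEye.Development@ibm.com` into the test, whereas the neighbouring `ca_name` and `dns_provider_name` entries read their values from `permanentResources`; a literal identity in source is a maintenance liability and discloses more than the test needs. Source it the same way, e.g. `{Name: "access_group_ids", Value: []string{permanentResources["accessGroupUserID"]}, DataType: "list(string)"}`, adding that key to the fixture (the key name here is a constructed placeholder). `TestRunDASolutionSchematics` begins before the hunk.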
@@ -21,7 +21,7 @@ module "event_notifications" {
   name = "${var.prefix}-en"
   tags = var.resource_tags
   plan = "lite"
-  service_endpoints = "public"
+  service_endpoints = "private"
   region = var.region
 }
 

From c7936d9c3805f7dde5a305d0e579e684c203a8d0 Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Tue, 11 Feb 2025 13:57:51 -0500
Subject: [PATCH 06/11] fix: secret group endpoint type

---
 solutions/standard/main.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index 6bbf024d..11e9048c 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
@@ -127,6 +127,7 @@ module "secrets_group" {
   secrets_manager_guid = local.secrets_manager_guid
   secret_group_name = var.default_secret_group_name
   secret_group_description = "Default secrets group"
+  endpoint_type = "private"
 }
 
 module "iam_service_access_group" {

From a7f0d193077857c0413c8575faff518dab23aaa4 Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Tue, 11 Feb 2025 15:03:41 -0500
Subject: [PATCH 07/11] fix: secret group endpoint type

---
 solutions/standard/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index 4d030406..20e60dcf 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -83,7 +83,7 @@ variable "public_engine_enabled" {
 variable "default_secret_group_name" {
   type = string
   description = "Name to give the secrets group automatically created when provisioning a new Secrets Manager instance."
-  default = "default"
+  default = "default-group"
 }
 
 variable "default_access_group_name" {

From b8b088ea43d4cf56e8ea700bd4af94471da24bb5 Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Tue, 11 Feb 2025 10:46:02 -0500
Subject: [PATCH 08/11] test: en instance also private

---
 tests/existing-resources/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
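Review bot: `endpoint_type = "private"` is pinned inside `secrets_group` while the solution exposes `provider_visibility` as a user-settable variable (and patch 01 made its default `public`), so at this point in the series the secret-group call is forced onto the private endpoint even for a deployment the user configured for public access. If the module's `endpoint_type` has to agree with how the instance is reached, derive it from the variable instead of hard-coding it, e.g. `endpoint_type = var.provider_visibility == "public" ? "public" : "private"`; if private is always correct here, a one-line comment saying why would stop the next reader from "fixing" it. The `module "secrets_group"` block starts before the hunk.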
diff --git a/tests/existing-resources/main.tf b/tests/existing-resources/main.tf
index bb9579a9..92709485 100644
--- a/tests/existing-resources/main.tf
+++ b/tests/existing-resources/main.tf
@@ -21,7 +21,7 @@ module "event_notifications" {
   name = "${var.prefix}-en"
   tags = var.resource_tags
   plan = "lite"
-  service_endpoints = "public-and-private"
+  service_endpoints = "private"
   region = var.region
 }
 

From f04762e89b552c089ed53d2ad611c6830685fa62 Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Tue, 18 Feb 2025 13:56:09 -0500
Subject: [PATCH 09/11] fix: various fixes

---
 examples/basic/variables.tf | 2 +-
 ibm_catalog.json | 2 +-
 solutions/standard/main.tf | 4 ++--
 solutions/standard/variables.tf | 6 +++---
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/examples/basic/variables.tf b/examples/basic/variables.tf
index 18664df2..bacffca5 100644
--- a/examples/basic/variables.tf
+++ b/examples/basic/variables.tf
@@ -7,7 +7,7 @@ variable "ibmcloud_api_key" {
 variable "prefix" {
   type = string
   description = "Prefix for sm instance"
-  default = "sm-bas"
+  default = "sm-bas-alex"
 }
 
 variable "region" {
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 075a2ba5..1e2c5741 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -264,7 +264,7 @@
         "key":"default_access_group_name"
       },
       {
-        "key":"access_group_ids"
+        "key":"access_group_user_ids"
       }
     ],
     "architecture": {
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index 7e66ecac..13fcc347 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
@@ -134,7 +134,7 @@ module "iam_service_access_group" {
   count = var.existing_secrets_manager_crn == null ? 1 : 0
   source = "terraform-ibm-modules/iam-access-group/ibm"
   version = "1.4.4"
-  access_group_name = var.default_access_group_name
+  access_group_name = "${var.prefix}-${var.default_access_group_name}"
   dynamic_rules = {}
   policies = {
     sm_policy = {
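Review bot: The example's `prefix` default moves from `sm-bas` to `sm-bas-alex`, which bakes a developer-specific name into a published example inside a commit titled `fix: various fixes`. Keep the shipped value at `default = "sm-bas"` and apply the personal prefix locally through a tfvars file or `TF_VAR_prefix` when running the example. The `variable "prefix"` block is fully inside the hunk.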
@@ -148,7 +148,7 @@ module "iam_service_access_group" {
       }]
     }
   }
-  ibm_ids = var.access_group_ids
+  ibm_ids = var.access_group_user_ids
 }
 
 # Configure an IBM Secrets Manager IAM credentials engine for an existing IBM Secrets Manager instance.
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index 20e60dcf..c5ee0b5a 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -11,7 +11,7 @@ variable "ibmcloud_api_key" {
 variable "provider_visibility" {
   description = "Set the visibility value for the IBM terraform provider. Supported values are `public`, `private`, `public-and-private`. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/guides/custom-service-endpoints)."
   type = string
-  default = "public"
+  default = "private"
   validation {
     condition = contains(["public", "private", "public-and-private"], var.provider_visibility)
@@ -89,10 +89,10 @@ variable "default_secret_group_name" {
 variable "default_access_group_name" {
   type = string
   description = "Name to give the access group automatically created when provisioning a new Secrets Manager instance."
-  default = "secrets_manager_group"
+  default = "secrets_manager_secret_reader_access_group"
 }
 
-variable "access_group_ids" {
+variable "access_group_user_ids" {
   type = list(string)
   description = "List of IBM IDs to add to the default access group for the new Secrets Manager instance."
   default = []

From 0798c16d3956d0a1eaa0b5926d7301dd6d675a37 Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Tue, 18 Feb 2025 15:07:46 -0500
Subject: [PATCH 10/11] fix: variable name

---
 tests/pr_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/pr_test.go b/tests/pr_test.go
index c4a82ada..ef77b26a 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
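Review bot: `default_access_group_name` is now only a suffix — the `@@ -134` hunk of this same patch builds the real name as `"${var.prefix}-${var.default_access_group_name}"` — yet its description in this hunk still says it is the name given to the access group, so a user supplying a fully-qualified name will get a different one than expected. Update it to `description = "Name to give the access group automatically created when provisioning a new Secrets Manager instance. The value of the prefix variable is prepended to it."`. `default_secret_group_name` is not prefixed, so the two naming variables now behave differently; if that is intentional, say so in its description as well.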
@@ -123,7 +123,7 @@ func TestRunDASolutionSchematics(t *testing.T) {
 		{Name: "ca_name", Value: permanentResources["certificateAuthorityName"], DataType: "string"},
 		{Name: "dns_provider_name", Value: permanentResources["dnsProviderName"], DataType: "string"},
 		{Name: "acme_letsencrypt_private_key", Value: *acme_letsencrypt_private_key, DataType: "string"},
-		{Name: "access_group_ids", Value: []string{"GoldenEye.Development@ibm.com"}, DataType: "list(string)"},
+		{Name: "access_group_user_ids", Value: []string{"GoldenEye.Development@ibm.com"}, DataType: "list(string)"},
 	}
 
 	err := options.RunSchematicTest()

From a14e027cc00d1f2070b373feee6b33601dba89c0 Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Tue, 18 Feb 2025 15:42:29 -0500
Subject: [PATCH 11/11] fix: variable name

---
 tests/existing-resources/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/existing-resources/main.tf b/tests/existing-resources/main.tf
index 92709485..bb9579a9 100644
--- a/tests/existing-resources/main.tf
+++ b/tests/existing-resources/main.tf
@@ -21,7 +21,7 @@ module "event_notifications" {
   name = "${var.prefix}-en"
   tags = var.resource_tags
   plan = "lite"
-  service_endpoints = "private"
+  service_endpoints = "public-and-private"
   region = var.region
 }
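Review bot: The subject `fix: variable name` does not describe this hunk, which sets `service_endpoints` back to `public-and-private` and is an exact revert of patch 08 (`index 92709485..bb9579a9` undoes `index bb9579a9..92709485`), while patch 05 had already made the same `private` change once before. Three flips of one test-fixture value across the series leave the reader unable to tell which endpoint type the test actually needs; squash them into a single patch whose subject states the final value and the reason, or at least give this one an accurate subject. The `module "event_notifications"` block starts before the hunk.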