-brightgreen){kind=icon}
This module creates a secret in an IBM Secrets Manager secrets group.
The module supports the following secret types:
The following attributes and parameters are supported for all secret types:
secret_group_id: Whennull, thedefaultsecret-group is used.secret_name: The name of the secret that is created.secret_description: The description of the secret.secret_type: The type of the secret.secret_labels: Any labels to attach to the secret.
The following attributes and paramters are supported when storing arbitrary secrets:
secret_payload_password: The payload (for arbitrary secrets) or password (for username and password credentials) of the secret.
The following attributes and parameters are supported when storing user credentials:
secret_payload_password: The payload (for arbitrary secrets) or password (for username and password credentials) of the secret.secret_username: The username of the secret that is created. Applicable only to theusername_passwordsecret type. When the parameter isnull, anarbitrarysecret is created.secret_auto_rotation: Configures automatic rotation. Default istrue.secret_auto_rotation_unit: Specifies the unit type for the secret rotation. Accepted values aredayormonth. Default isday.secret_auto_rotation_interval: Specifies the rotation interval for the rotation unit. Default is89.
The following attributes and parameters are supported when creating imported certificates:
imported_cert_certificate: The TLS certificate to be imported. Defaults tonull.imported_cert_private_key: Optional private key for the TLS certificate to be imported. Defaults tonull.imported_cert_intermediate: Optional intermediate certificate for the TLS certificate to be imported. Defaults tonull.
The following attributes and parameters are supported when creating service credentials:
service_credentials_source_service_crn: The CRN of the target service instance to create the service credentials.service_credentials_source_service_role: The service specific role to give the service credentials.secret_auto_rotation: Configures automatic rotation. Default istrue.secret_auto_rotation_unit: Specifies the unit type for the secret rotation. Accepted values aredayormonth. Default isday.secret_auto_rotation_interval: Specifies the rotation interval for the rotation unit. Default is89.
##############################################################################
# Create Arbitrary Secret
##############################################################################
module "secrets_manager_arbitrary_secret" {
source = "terraform-ibm-modules/secrets-manager-secret/ibm"
version = "latest" # Replace "latest" with a release version to lock into a specific release
region = "us-south"
secrets_manager_guid = "42454b3b-5b06-407b-a4b3-34d9ef323901"
secret_group_id = "432b91f1-ff6d-4b47-9f06-82debc236d90"
secret_name = "example-arbitrary-secret"
secret_description = "Extended description for the arbirtary secret."
secret_type = "arbitrary"
secret_payload_password = "secret-data" #pragma: allowlist secret
}##############################################################################
# Create UserPass Secret
##############################################################################
module "secrets_manager_user_pass_secret" {
source = "terraform-ibm-modules/secrets-manager-secret/ibm"
version = "latest" # Replace "latest" with a release version to lock into a specific release
region = "us-south"
secrets_manager_guid = "42454b3b-5b06-407b-a4b3-34d9ef323901"
secret_group_id = "432b91f1-ff6d-4b47-9f06-82debc236d90"
secret_name = "example-user-pass-secret"
secret_description = "Extended description for the user pass secret."
secret_type = "username_password"
secret_payload_password = "secret-data" #pragma: allowlist secret
secret_username = "terraform-user"
}##############################################################################
# Create Imported Cert
##############################################################################
module "secret_manager_imported_cert secret" {
source = "terraform-ibm-modules/secrets-manager-secret/ibm"
version = "latest" # Replace "latest" with a release version to lock into a specific release
region = "us-south
secrets_manager_guid = "42454b3b-5b06-407b-a4b3-34d9ef323901"
secret_group_id = "432b91f1-ff6d-4b47-9f06-82debc236d90"
secret_name = "example-imported-cert-secret"
secret_description = "Extended description for the imported cert secret."
secret_type = "imported_cert"
imported_cert_certificate = module.certificate.cert_pem
imported_cert_private_key = module.certificate.private_key #pragma: allowlist secret
imported_cert_intermediate = module.certificate.ca_cert_pem
}##############################################################################
# Create Service Credentials
##############################################################################
# A service authorization between Secrets Manager and the target service is required. The "complete" example includes a sample service authorization.
module "secret_manager_service_credential" {
source = "terraform-ibm-modules/secrets-manager-secret/ibm"
version = "latest" # Replace "latest" with a release version to lock into a specific release
region = "us-south
secrets_manager_guid = "42454b3b-5b06-407b-a4b3-34d9ef323901"
secret_group_id = "432b91f1-ff6d-4b47-9f06-82debc236d90"
secret_name = "example-service-credential"
secret_description = "Extended description for the service credentials secret."
secret_type = "service_credentials"
service_credentials_source_service_crn = module.cloud_object_storage.cos_instance_id
service_credentials_source_service_role = "Writer"
}You need the following permissions to run this module.
- Account Management
- Resource Group service
Viewerplatform access
- Resource Group service
- IAM Services
- Secrets Manager service
Editorplatform accessManagerservice access
- Secrets Manager service
| Name | Version |
|---|---|
| terraform | >= 1.3.0 |
| ibm | >= 1.70.0, <2.0.0 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| endpoint_type | The endpoint type to communicate with the provided secrets manager instance. Possible values are public or private |
string |
"public" |
no |
| imported_cert_certificate | The TLS certificate to import. | string |
null |
no |
| imported_cert_intermediate | (optional) The intermediate certificate for the TLS certificate to import. | string |
null |
no |
| imported_cert_private_key | (optional) The private key for the TLS certificate to import. | string |
null |
no |
| region | The region where the Secrets Manager instance is deployed. | string |
n/a | yes |
| secret_auto_rotation | Whether to configure automatic rotation. Applies only to the username_password and service_credentials secret types. |
bool |
true |
no |
| secret_auto_rotation_interval | Specifies the rotation interval for the rotation unit. | number |
89 |
no |
| secret_auto_rotation_unit | Specifies the unit of time for rotation of a username_password secret. Acceptable values are day or month. |
string |
"day" |
no |
| secret_description | Description of the secret to create. | string |
n/a | yes |
| secret_group_id | The ID of the secret group for the secret. If null, the default secret group is used. |
string |
"default" |
no |
| secret_labels | Labels of the secret to create. Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (|). | list(string) |
[] |
no |
| secret_name | Name of the secret to create. | string |
n/a | yes |
| secret_payload_password | The payload (for arbitrary secrets) or password (for username and password credentials) of the secret. | string |
"" |
no |
| secret_type | Type of secret to create, must be one of: arbitrary, username_password, imported_cert, service_credentials | string |
n/a | yes |
| secret_username | Username of the secret to create. Applies only to username_password secret types. When null, an arbitrary secret is created. |
string |
null |
no |
| secrets_manager_guid | The instance ID of the Secrets Manager instance where the secret will be added. | string |
n/a | yes |
| service_credentials_source_service_crn | The CRN of the source service instance to create the service credential. | string |
null |
no |
| service_credentials_source_service_hmac | The optional boolean parameter HMAC for creating specific kind of credentials. For more information see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_service_credentials_secret#parameters | bool |
false |
no |
| service_credentials_source_service_role | The role to give the service credential in the source service. | string |
null |
no |
| service_credentials_ttl | The time-to-live (TTL) to assign to generated service credentials (in seconds). | number |
"7776000" |
no |
| Name | Description |
|---|---|
| secret_crn | CRN of the created Secret |
| secret_id | ID of the created Secret |
| secret_next_rotation_date | Next rotation date for secret (if applicable) |
| secret_rotation | Status of auto-rotation for secret |
| secret_rotation_interval | Rotation frecuency for secret (if applicable) |
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.