##############################################################################
# Secrets Manager Secret
#
# Creates a secret within an existing Secrets Manager instance and secret group
##############################################################################
# Validation
# Approach based on https://stackoverflow.com/a/66682419
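locals {
  # Input validation via the regex() trick (the pattern is the message, the subject is
  # empty when the condition is violated, so the failing regex surfaces the message).

  # username_password and arbitrary secrets carry their value in `secret_payload_password`.
  userpass_validate_condition = (var.secret_type == "username_password" || var.secret_type == "arbitrary") && var.secret_payload_password == "" #checkov:skip=CKV_SECRET_6
  userpass_validate_msg       = "When creating a username_password or arbitrary secret, a value for `secret_payload_password` is required."
  # tflint-ignore: terraform_unused_declarations
  userpass_validate_check = regex("^${local.userpass_validate_msg}$", (!local.userpass_validate_condition ? local.userpass_validate_msg : ""))

  # imported_cert secrets need at least the certificate body.
  imported_cert_validate_condition = var.secret_type == "imported_cert" && var.imported_cert_certificate == null #checkov:skip=CKV_SECRET_6
  imported_cert_validate_msg       = "When creating an imported_cert secret, value for `imported_cert_certificate` cannot be null."
  # tflint-ignore: terraform_unused_declarations
  imported_cert_validate_check = regex("^${local.imported_cert_validate_msg}$", (!local.imported_cert_validate_condition ? local.imported_cert_validate_msg : ""))

  # service_credentials secrets need both a source service CRN and a role.
  service_credentials_validate_condition = var.secret_type == "service_credentials" && (var.service_credentials_source_service_crn == null || var.service_credentials_source_service_role == null) #checkov:skip=CKV_SECRET_6
  service_credentials_validate_msg       = "When creating a service_credentials secret, values for `service_credentials_source_service_crn` and `service_credentials_source_service_role` are required."
  # tflint-ignore: terraform_unused_declarations
  service_credentials_validate_check = regex("^${local.service_credentials_validate_msg}$", (!local.service_credentials_validate_condition ? local.service_credentials_validate_msg : ""))

  # When auto rotation is enabled the unit must be "day" or "month" and the interval
  # must be positive. `<= 0` (not `== 0`) so that negative intervals are rejected as the
  # message states; assumes `secret_auto_rotation_interval` is a non-null number — confirm
  # against variables.tf.
  auto_rotation_validate_condition = var.secret_auto_rotation == true && (
    (var.secret_auto_rotation_unit != "day" && var.secret_auto_rotation_unit != "month") ||
    var.secret_auto_rotation_interval <= 0
  )
  auto_rotation_validate_msg = "Value for `secret_auto_rotation_unit` must be either `day` or `month` and value for `secret_auto_rotation_interval` must be higher than 0"
  # tflint-ignore: terraform_unused_declarations
  auto_rotation_validate_check = regex("^${local.auto_rotation_validate_msg}$", (!local.auto_rotation_validate_condition ? local.auto_rotation_validate_msg : ""))

  # One-element list when rotation is on, empty otherwise; drives the dynamic "rotation" blocks.
  auto_rotation_enabled = var.secret_auto_rotation == true ? [1] : []
}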
# Arbitrary secret: created only when secret_type == "arbitrary".
# NOTE: the payload is persisted in Terraform state like any resource argument;
# protect the state backend accordingly.
resource "ibm_sm_arbitrary_secret" "arbitrary_secret" {
  count = var.secret_type == "arbitrary" ? 1 : 0

  # Target Secrets Manager instance / group
  region          = var.region
  instance_id     = var.secrets_manager_guid
  secret_group_id = var.secret_group_id
  endpoint_type   = var.endpoint_type

  # Secret metadata
  name        = var.secret_name
  description = var.secret_description
  labels      = var.secret_labels

  # Secret material
  payload = var.secret_payload_password
}
# Username/password secret: created only when secret_type == "username_password".
# NOTE: the password is persisted in Terraform state like any resource argument;
# protect the state backend accordingly.
resource "ibm_sm_username_password_secret" "username_password_secret" {
  count = var.secret_type == "username_password" ? 1 : 0 #checkov:skip=CKV_SECRET_6

  # Target Secrets Manager instance / group
  region          = var.region
  instance_id     = var.secrets_manager_guid
  secret_group_id = var.secret_group_id
  endpoint_type   = var.endpoint_type

  # Secret metadata
  name        = var.secret_name
  description = var.secret_description
  labels      = var.secret_labels

  # Secret material
  username = var.secret_username
  password = var.secret_payload_password

  # Conditionally emit a single rotation block. local.auto_rotation_enabled is
  # [1] when var.secret_auto_rotation is true and [] otherwise, so this
  # for_each never produces more than one block.
  dynamic "rotation" {
    for_each = local.auto_rotation_enabled
    content {
      auto_rotate = var.secret_auto_rotation
      interval    = var.secret_auto_rotation_interval
      unit        = var.secret_auto_rotation_unit
    }
  }
}
locals {
  # Trim surrounding whitespace from PEM inputs, passing null through unchanged.
  # Kept in locals rather than inline because of a provider/tooling bug in
  # "module-metadata.json" generation when variables are used directly:
  # https://github.com/IBM-Cloud/terraform-config-inspect/issues/19
  imported_cert_certificate  = var.imported_cert_certificate == null ? null : trimspace(var.imported_cert_certificate)
  imported_cert_private_key  = var.imported_cert_private_key == null ? null : trimspace(var.imported_cert_private_key)
  imported_cert_intermediate = var.imported_cert_intermediate == null ? null : trimspace(var.imported_cert_intermediate)
}
# Imported certificate secret: created only when secret_type == "imported_cert".
# NOTE: the private key is persisted in Terraform state like any resource argument;
# protect the state backend accordingly.
resource "ibm_sm_imported_certificate" "imported_cert" {
  count = var.secret_type == "imported_cert" ? 1 : 0 #checkov:skip=CKV_SECRET_6

  # Target Secrets Manager instance / group
  region          = var.region
  instance_id     = var.secrets_manager_guid
  secret_group_id = var.secret_group_id
  endpoint_type   = var.endpoint_type

  # Secret metadata
  name        = var.secret_name
  description = var.secret_description
  labels      = var.secret_labels

  # PEM material (whitespace-trimmed in locals; private_key/intermediate may be null)
  certificate  = local.imported_cert_certificate
  private_key  = local.imported_cert_private_key
  intermediate = local.imported_cert_intermediate
}
# Service credentials secret: created only when secret_type == "service_credentials".
# Secrets Manager generates the credential against the source service instance
# with the given IAM service role.
resource "ibm_sm_service_credentials_secret" "service_credentials_secret" {
  count = var.secret_type == "service_credentials" ? 1 : 0 #checkov:skip=CKV_SECRET_6

  # Target Secrets Manager instance / group
  region          = var.region
  instance_id     = var.secrets_manager_guid
  secret_group_id = var.secret_group_id
  endpoint_type   = var.endpoint_type

  # Secret metadata
  name        = var.secret_name
  description = var.secret_description
  labels      = var.secret_labels
  ttl         = var.service_credentials_ttl

  # Source service the credential is issued for
  source_service {
    instance {
      crn = var.service_credentials_source_service_crn
    }
    # The role variable holds only the role name; it is expanded to a full service-role CRN here.
    role {
      crn = "crn:v1:bluemix:public:iam::::serviceRole:${var.service_credentials_source_service_role}"
    }
    # Request HMAC keys only when asked for; omit the parameters map otherwise.
    parameters = var.service_credentials_source_service_hmac ? { HMAC = var.service_credentials_source_service_hmac } : null
  }

  # Conditionally emit a single rotation block. local.auto_rotation_enabled is
  # [1] when var.secret_auto_rotation is true and [] otherwise, so this
  # for_each never produces more than one block.
  dynamic "rotation" {
    for_each = local.auto_rotation_enabled
    content {
      auto_rotate = var.secret_auto_rotation
      interval    = var.secret_auto_rotation_interval
      unit        = var.secret_auto_rotation_unit
    }
  }
}
# Select the created secret's ID and CRN and derive its rotation details
locals {
  # Exactly one of the four resources has count = 1 (selected by var.secret_type).
  # Conditional chains are used deliberately: the unselected branches reference
  # [0] of an empty resource list and must not be evaluated, so a map lookup
  # would not work here.
  secret_id = (
    var.secret_type == "arbitrary" ? ibm_sm_arbitrary_secret.arbitrary_secret[0].secret_id : (
      var.secret_type == "imported_cert" ? ibm_sm_imported_certificate.imported_cert[0].secret_id : (
        var.secret_type == "service_credentials" ? ibm_sm_service_credentials_secret.service_credentials_secret[0].secret_id : (
          var.secret_type == "username_password" ? ibm_sm_username_password_secret.username_password_secret[0].secret_id : null
        )
      )
    )
  )
  secret_crn = (
    var.secret_type == "arbitrary" ? ibm_sm_arbitrary_secret.arbitrary_secret[0].crn : (
      var.secret_type == "imported_cert" ? ibm_sm_imported_certificate.imported_cert[0].crn : (
        var.secret_type == "service_credentials" ? ibm_sm_service_credentials_secret.service_credentials_secret[0].crn : (
          var.secret_type == "username_password" ? ibm_sm_username_password_secret.username_password_secret[0].crn : null
        )
      )
    )
  )

  # Only username_password and service_credentials secrets carry rotation settings.
  rotation_capable = var.secret_type == "username_password" || var.secret_type == "service_credentials"

  # Human-readable rotation period, e.g. "30 day(s)"; null when rotation is off.
  secret_auto_rotation_frequency = var.secret_auto_rotation == true ? "${var.secret_auto_rotation_interval} ${var.secret_auto_rotation_unit}(s)" : null #tfsec:ignore:general-secrets-no-plaintext-exposure

  # Provider-reported next rotation date for rotation-capable types; null otherwise
  # or when rotation is off.
  secret_next_rotation_date = (
    var.secret_auto_rotation != true ? null : (
      var.secret_type == "username_password" ? ibm_sm_username_password_secret.username_password_secret[0].next_rotation_date : (
        var.secret_type == "service_credentials" ? ibm_sm_service_credentials_secret.service_credentials_secret[0].next_rotation_date : null
      )
    )
  )

  # Echo the rotation flag only for types that support it.
  secret_auto_rotation = local.rotation_capable ? var.secret_auto_rotation : null
}