terraform-ibm-modules · toddgiguere · Dec 19, 2024 · Nov 19, 2024 · Nov 19, 2024 · Dec 12, 2024
@@ -55,6 +55,7 @@ The following attributes and parameters are supported when creating service cred
 * [terraform-ibm-secrets-manager-secret](#terraform-ibm-secrets-manager-secret)
 * [Examples](./examples)
     * [Example creating arbitrary, username_password and imported_cert type secrets](./examples/complete)
+    * [Private-Only Secret Manager example](./examples/private)
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->
 

@@ -0,0 +1,7 @@
+# Private-Only Secret Manager example
+
+An end-to-end example that uses a private-only Secret Manager. This example uses the IBM Cloud terraform provider to:
+ - Create a new resource group if one is not passed in.
+ - Create a new secrets manager if one is not passed in.
+ - Create a new secrets manager group and private secret engine if existing secrets manager is not passed in.
+ - Create a new private certifcate inside a secrets manager.
@@ -0,0 +1,248 @@
+##############################################################################
+# Local variables
+##############################################################################
+
+locals {
+  payload       = sensitive("secret-payload-example")
+  secret_labels = [var.prefix, var.region]
+
+  validate_sm_region_cnd = var.existing_sm_instance_crn != null && var.existing_sm_instance_region == null
+  validate_sm_region_msg = "existing_sm_instance_region must also be set when value given for existing_sm_instance_guid."
+  # tflint-ignore: terraform_unused_declarations
+  validate_sm_region_chk = regex(
+    "^${local.validate_sm_region_msg}$",
+    (!local.validate_sm_region_cnd
+      ? local.validate_sm_region_msg
+  : ""))
+
+  sm_region = var.existing_sm_instance_region == null ? var.region : var.existing_sm_instance_region
+}
+
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.6"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+##############################################################################
+# Secrets Manager
+##############################################################################
+
+module "secrets_manager" {
+  source                   = "terraform-ibm-modules/secrets-manager/ibm"
+  version                  = "1.18.13"
+  existing_sm_instance_crn = var.existing_sm_instance_crn
+  resource_group_id        = module.resource_group.resource_group_id
+  region                   = local.sm_region
+  secrets_manager_name     = "${var.prefix}-sm"
+  sm_service_plan          = var.sm_service_plan
+  allowed_network          = "private-only"
+  endpoint_type            = "private"
+  sm_tags                  = var.resource_tags
+}
+
+##############################################################################
+# Secret Group
+##############################################################################
+
+module "secrets_manager_group" {
+  source                   = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
+  version                  = "1.2.2"
+  region                   = local.sm_region
+  secrets_manager_guid     = module.secrets_manager.secrets_manager_guid
+  secret_group_name        = "${var.prefix}-group"
+  secret_group_description = "created by secrets-manager-secret-module complete example"
+  endpoint_type            = "private"
+}
+
+##############################################################################
+# Example working with arbitrary secret
+##############################################################################
+
+# create arbitrary secret
+module "secrets_manager_arbitrary_secret" {
+  source                  = "../.."
+  region                  = local.sm_region
+  secrets_manager_guid    = module.secrets_manager.secrets_manager_guid
+  secret_group_id         = module.secrets_manager_group.secret_group_id
+  secret_name             = "${var.prefix}-arbitrary-secret"
+  secret_description      = "created by secrets-manager-secret-module complete example"
+  secret_type             = "arbitrary" #checkov:skip=CKV_SECRET_6
+  secret_payload_password = local.payload
+  secret_labels           = local.secret_labels
+  endpoint_type           = "private"
+}
+
+# retrieving information about the arbitrary secret
+data "ibm_sm_arbitrary_secret" "arbitrary_secret" {
+  instance_id   = module.secrets_manager.secrets_manager_guid
+  region        = local.sm_region
+  secret_id     = module.secrets_manager_arbitrary_secret.secret_id
+  endpoint_type = "private"
+}
+
+##############################################################################
+# Example working with username / password secret
+##############################################################################
+
+# create username / password secret
+module "secrets_manager_user_pass_secret" {
+  source                  = "../.."
+  region                  = local.sm_region
+  secrets_manager_guid    = module.secrets_manager.secrets_manager_guid
+  secret_group_id         = module.secrets_manager_group.secret_group_id
+  secret_name             = "${var.prefix}-user-pass-secret"
+  secret_description      = "created by secrets-manager-secret-module complete example"
+  secret_type             = "username_password" #checkov:skip=CKV_SECRET_6
+  secret_payload_password = local.payload
+  secret_username         = "terraform-user" #checkov:skip=CKV_SECRET_6
+  secret_labels           = local.secret_labels
+  endpoint_type           = "private"
+}
+
+# retrieving information about the userpass secret
+data "ibm_sm_username_password_secret" "user_pass_secret" {
+  instance_id   = module.secrets_manager.secrets_manager_guid
+  region        = local.sm_region
+  secret_id     = module.secrets_manager_user_pass_secret.secret_id
+  endpoint_type = "private"
+}
+
+##############################################################################
+# Example working with username / password secret (without password rotation)
+##############################################################################
+
+# create username / password secret
+module "secrets_manager_user_pass_no_rotate_secret" {
+  source                  = "../.."
+  region                  = local.sm_region
+  secrets_manager_guid    = module.secrets_manager.secrets_manager_guid
+  secret_group_id         = module.secrets_manager_group.secret_group_id
+  secret_name             = "${var.prefix}-user-pass-no-rotate-secret"
+  secret_description      = "created by secrets-manager-secret-module complete example"
+  secret_type             = "username_password" #checkov:skip=CKV_SECRET_6
+  secret_payload_password = local.payload
+  secret_username         = "terraform-user" #checkov:skip=CKV_SECRET_6
+  secret_labels           = local.secret_labels
+  secret_auto_rotation    = false
+  endpoint_type           = "private"
+}
+
+# retrieving information about the userpass secret
+data "ibm_sm_username_password_secret" "user_pass_no_rotate_secret" {
+  instance_id   = module.secrets_manager.secrets_manager_guid
+  region        = local.sm_region
+  secret_id     = module.secrets_manager_user_pass_no_rotate_secret.secret_id
+  endpoint_type = "private"
+}
+
+##############################################################################
+# Example working with imported cert secret
+##############################################################################
+
+resource "tls_private_key" "ca_key" {
+  algorithm = "RSA"
+}
+
+resource "tls_private_key" "key" {
+  algorithm = "RSA"
+}
+
+resource "tls_self_signed_cert" "ca_cert" {
+  is_ca_certificate = true
+  private_key_pem   = tls_private_key.ca_key.private_key_pem
+
+  subject {
+    common_name  = "goldeneye.com"
+    organization = "GoldenEye self signed cert"
+  }
+
+  validity_period_hours = 1 * 24 * 90
+  allowed_uses          = ["key_encipherment", "digital_signature", "server_auth"]
+}
+
+resource "tls_cert_request" "request" {
+  private_key_pem = tls_private_key.key.private_key_pem
+
+  subject {
+    common_name  = "goldeneye.com"
+    organization = "GoldenEye self signed cert"
+  }
+}
+
+resource "tls_locally_signed_cert" "cert" {
+  cert_request_pem   = tls_cert_request.request.cert_request_pem
+  ca_private_key_pem = tls_private_key.ca_key.private_key_pem
+  ca_cert_pem        = tls_self_signed_cert.ca_cert.cert_pem
+
+  validity_period_hours = 1 * 24 * 90
+  allowed_uses          = ["key_encipherment", "digital_signature", "server_auth"]
+}
+
+# create imported cert secret
+module "secret_manager_imported_cert" {
+  source                     = "../.."
+  region                     = local.sm_region
+  secrets_manager_guid       = module.secrets_manager.secrets_manager_guid
+  secret_name                = "${var.prefix}-imported-cert"
+  secret_group_id            = module.secrets_manager_group.secret_group_id
+  secret_description         = "created by secrets-manager-secret-module complete example"
+  secret_type                = "imported_cert" #checkov:skip=CKV_SECRET_6
+  imported_cert_certificate  = resource.tls_locally_signed_cert.cert.cert_pem
+  imported_cert_private_key  = resource.tls_private_key.key.private_key_pem
+  imported_cert_intermediate = resource.tls_self_signed_cert.ca_cert.cert_pem
+  endpoint_type              = "private"
+}
+
+##############################################################################
+# Example working with service credentials secret
+##############################################################################
+
+# create a COS instance to create the service credential for
+module "cloud_object_storage" {
+  source                              = "terraform-ibm-modules/cos/ibm"
+  version                             = "8.14.3"
+  resource_group_id                   = module.resource_group.resource_group_id
+  region                              = local.sm_region
+  cos_instance_name                   = "${var.prefix}-cos"
+  cos_tags                            = var.resource_tags
+  bucket_name                         = "${var.prefix}-bucket"
+  management_endpoint_type_for_bucket = "private"
+  activity_tracker_read_data_events   = false
+  activity_tracker_write_data_events  = false
+  request_metrics_enabled             = false
+  retention_enabled                   = false # disable retention for test environments - enable for stage/prod
+  kms_encryption_enabled              = false
+  usage_metrics_enabled               = false
+}
+
+#create a service authorization between Secrets Manager and the target service (COS)
+resource "ibm_iam_authorization_policy" "policy" {
+  depends_on                  = [module.cloud_object_storage]
+  source_service_name         = "secrets-manager"
+  source_resource_instance_id = module.secrets_manager.secrets_manager_guid
+  target_service_name         = "cloud-object-storage"
+  target_resource_instance_id = module.cloud_object_storage.cos_instance_guid
+  roles                       = ["Key Manager"]
+}
+
+# create service credentials secret
+module "secret_manager_service_credential" {
+  depends_on                              = [ibm_iam_authorization_policy.policy]
+  source                                  = "../.."
+  region                                  = local.sm_region
+  secrets_manager_guid                    = module.secrets_manager.secrets_manager_guid
+  secret_name                             = "${var.prefix}-service-credentials"
+  secret_group_id                         = module.secrets_manager_group.secret_group_id
+  secret_description                      = "created by secrets-manager-secret-module complete example"
+  secret_type                             = "service_credentials" #checkov:skip=CKV_SECRET_6
+  service_credentials_source_service_crn  = module.cloud_object_storage.cos_instance_id
+  service_credentials_source_service_role = "Writer"
+  endpoint_type                           = "private"
+}
@@ -0,0 +1,85 @@
+output "arbitrary_secret_id" {
+  description = "ID of the created arbitrary_secret_id secret"
+  value       = module.secrets_manager_arbitrary_secret.secret_id
+}
+
+output "arbitrary_secret_crn" {
+  description = "CRN of the created arbitrary_secret_id secret"
+  value       = module.secrets_manager_arbitrary_secret.secret_crn
+}
+
+output "arbitrary_secret_nonsensitive_payload" {
+  value       = nonsensitive(data.ibm_sm_arbitrary_secret.arbitrary_secret.payload)
+  description = "accessing arbitrary secret"
+  sensitive   = false
+}
+
+output "arbitrary_secret_payload" {
+  value       = data.ibm_sm_arbitrary_secret.arbitrary_secret.payload
+  sensitive   = true
+  description = "accessing arbitrary secret"
+}
+
+output "user_pass_secret_id" {
+  description = "ID of the created username_password secret"
+  value       = module.secrets_manager_user_pass_secret.secret_id
+}
+
+output "user_pass_secret_crn" {
+  description = "CRN of the created username_password secret"
+  value       = module.secrets_manager_user_pass_secret.secret_crn
+}
+
+output "user_pass_secret_nonsensitive_payload" {
+  value       = nonsensitive(data.ibm_sm_username_password_secret.user_pass_secret.password)
+  description = "accessing username_password secret"
+  sensitive   = false
+}
+
+output "user_pass_secret_payload" {
+  value       = data.ibm_sm_username_password_secret.user_pass_secret.password
+  sensitive   = true
+  description = "accessing arbitrary secret"
+}
+
+output "user_pass_no_rotate_secret_id" {
+  description = "ID of the created username_password secret"
+  value       = module.secrets_manager_user_pass_no_rotate_secret.secret_id
+}
+
+output "user_pass_no_rotate_secret_crn" {
+  description = "CRN of the created username_password secret"
+  value       = module.secrets_manager_user_pass_no_rotate_secret.secret_crn
+}
+
+output "user_pass_no_rotate_secret_nonsensitive_payload" {
+  value       = nonsensitive(data.ibm_sm_username_password_secret.user_pass_no_rotate_secret.password)
+  description = "accessing username_password secret"
+  sensitive   = false
+}
+
+output "user_pass_no_rotate_secret_payload" {
+  value       = data.ibm_sm_username_password_secret.user_pass_no_rotate_secret.password
+  sensitive   = true
+  description = "accessing arbitrary secret"
+}
+
+output "imported_cert_secret_id" {
+  description = "ID of the created imported_cert secret"
+  value       = module.secret_manager_imported_cert.secret_id
+}
+
+output "imported_cert_secret_crn" {
+  description = "CRN of the created imported_cert secret"
+  value       = module.secret_manager_imported_cert.secret_crn
+}
+
+output "service_credential_secret_id" {
+  description = "ID of the created service_credential secret"
+  value       = module.secret_manager_service_credential.secret_id
+}
+
+output "service_credential_secret_crn" {
+  description = "CRN of the created service_credential secret"
+  value       = module.secret_manager_service_credential.secret_crn
+}
@@ -0,0 +1,4 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}