From cca66373c6622debf91d3a4996972b237c4238fb Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Mon, 25 Nov 2024 14:33:32 -0500
Subject: [PATCH 1/6] feat: s2s auth iam engine
---
 README.md | 3 +++ main.tf | 21 +++++++++++++++++++++ variables.tf | 6 ++++++ 3 files changed, 30 insertions(+)
diff --git a/README.md b/README.md
index 48751b9..d728c8a 100644
--- a/README.md
+++ b/README.md
@@ -83,6 +83,8 @@ You need the following permissions to run this module.
 | Name | Type |
 |------|------|
 | [ibm_iam_authorization_policy.en_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
+| [ibm_iam_authorization_policy.iam_groups_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
+| [ibm_iam_authorization_policy.iam_identity_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_resource_instance.secrets_manager_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
 | [ibm_sm_en_registration.sm_en_registration](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_en_registration) | resource |
@@ -95,6 +97,7 @@ You need the following permissions to run this module.
 |------|-------------|------|---------|:--------:|
 | [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. | `string` | `"public-and-private"` | no |
 | [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
}))
| `[]` | no |
+| [create\_iam\_engine](#input\_create\_iam\_engine) | Whether to create an IAM credential engine using sserice to service (s2s) authentication. | `bool` | `true` | no |
 | [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null. | `bool` | `false` | no |
 | [endpoint\_type](#input\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"public"` | no |
 | [existing\_en\_instance\_crn](#input\_existing\_en\_instance\_crn) | The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance. | `string` | `null` | no |
diff --git a/main.tf b/main.tf
index 92cba99..589da9d 100644
--- a/main.tf
+++ b/main.tf
@@ -52,6 +52,27 @@ resource "ibm_resource_instance" "secrets_manager_instance" {
 }
 }
+# Create IAM credentials engine using s2s auth
+resource "ibm_iam_authorization_policy" "iam_identity_policy" {
+ count = var.create_iam_engine ? 1 : 0
+ source_service_name = "secrets-manager"
+ source_resource_instance_id = local.secrets_manager_guid
+ target_service_name = "iam-identity"
+ roles = ["Operator"]
+ description = "Authorization Policy"
+ transaction_id = "terraformAuthorizationPolicy"
+}
+
+resource "ibm_iam_authorization_policy" "iam_groups_policy" {
+ count = var.create_iam_engine ? 1 : 0
+ source_service_name = "secrets-manager"
+ source_resource_instance_id = local.secrets_manager_guid
+ target_service_name = "iam-groups"
+ roles = ["Groups Service Member Manage"]
+ description = "Authorization Policy"
+ transaction_id = "terraformAuthorizationPolicy"
+}
+
 locals {
 # determine which service name to use for the policy
 kms_service_name = var.kms_encryption_enabled && var.kms_key_crn != null ? (
diff --git a/variables.tf b/variables.tf
index ca0d105..113d206 100644
--- a/variables.tf
+++ b/variables.tf
@@ -27,6 +27,12 @@ variable "sm_service_plan" {
 }
 }
+variable "create_iam_engine" {
+ type = bool
+ description = "Whether to create an IAM credential engine using sserice to service (s2s) authentication."
+ default = true
+}
+
 variable "sm_tags" {
 type = list(string)
 description = "The list of resource tags that you want to associate with your Secrets Manager instance."
From b9734e2fffec553dad6721239d8028cdeec1ae5f Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Mon, 2 Dec 2024 15:16:33 -0500
Subject: [PATCH 2/6] SKIP UPGRADE TEST
From e9807534fc5339ddd8b1d676a4f6af7da391d931 Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Wed, 4 Dec 2024 10:52:42 -0500
Subject: [PATCH 3/6] test: get existing resource test passing
---
 tests/existing-resources/main.tf | 1 + 1 file changed, 1 insertion(+)
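Review bot: The two new resources in the main.tf hunk differ only in `target_service_name` and `roles`; every other attribute, including the `count` gate and the instance scoping, is duplicated, and the later rewrite of these blocks in this series keeps the duplication. A single resource with `for_each` over a target-service-to-role map keeps the per-instance scoping in one place and makes the least-privilege contract (exactly these two roles, on exactly these two services) readable at a glance. Note that this changes the resource addresses the README resource table lists, so it is only cheap while the feature is still unreleased.
```hcl
locals {
  # target service => role this Secrets Manager instance needs for the IAM credentials engine
  iam_engine_policies = var.create_iam_engine ? {
    "iam-identity" = "Operator"
    "iam-groups"   = "Groups Service Member Manage"
  } : {}
}

resource "ibm_iam_authorization_policy" "iam_engine_policy" {
  for_each                    = local.iam_engine_policies
  source_service_name         = "secrets-manager"
  source_resource_instance_id = local.secrets_manager_guid
  target_service_name         = each.key
  roles                       = [each.value]
  description                 = "Authorization Policy"
  transaction_id              = "terraformAuthorizationPolicy"
}
# … unchanged: locals { kms_service_name … } …
```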
diff --git a/tests/existing-resources/main.tf b/tests/existing-resources/main.tf
index a334989..475647d 100644
--- a/tests/existing-resources/main.tf
+++ b/tests/existing-resources/main.tf
@@ -59,4 +59,5 @@ module "secrets_manager" {
 secrets_manager_name = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure
 sm_service_plan = "trial"
 sm_tags = var.resource_tags
+ create_iam_engine = false
 }
From 4c73db5a9cb0d422754458e27f54c0f02f9cd860 Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Mon, 2 Dec 2024 15:16:33 -0500
Subject: [PATCH 4/6] SKIP UPGRADE TEST
From c2ef6bd02872dbb86168156946c224ead5d5a4ce Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Thu, 12 Dec 2024 16:27:56 -0500
Subject: [PATCH 5/6] feat: feedback
---
 README.md | 2 +- main.tf | 10 ++++------ tests/existing-resources/main.tf | 14 +++++++------- variables.tf | 6 +++--- 4 files changed, 15 insertions(+), 17 deletions(-)
diff --git a/README.md b/README.md
index 372adb1..acda85d 100644
--- a/README.md
+++ b/README.md
@@ -97,7 +97,6 @@ You need the following permissions to run this module.
 |------|-------------|------|---------|:--------:|
 | [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. | `string` | `"public-and-private"` | no |
 | [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create |
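Review bot: The added `create_iam_engine = false` in the tests/existing-resources hunk carries no explanation, and the commit subject only says it makes the test pass, so a later reader cannot tell whether the two IAM authorization policies fail to create in this test account, are not exercised by the test, or something else. Presumably the policies conflict with something pre-existing in the shared test environment, but that is a guess; please add a one-line comment on that line such as `# the IAM engine auth policies are not exercised here: <reason creation fails or is unwanted in this test account>`. The same line survives the later rename in this series still without a comment. The enclosing `module "secrets_manager"` block starts outside the hunk.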
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
}))
| `[]` | no |
-| [create\_iam\_engine](#input\_create\_iam\_engine) | Whether to create an IAM credential engine using sserice to service (s2s) authentication. | `bool` | `true` | no |
 | [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null. | `bool` | `false` | no |
 | [endpoint\_type](#input\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"public"` | no |
 | [existing\_en\_instance\_crn](#input\_existing\_en\_instance\_crn) | The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance. | `string` | `null` | no |
@@ -110,6 +109,7 @@ You need the following permissions to run this module.
 | [secrets](#input\_secrets) | Secret Manager secrets configurations. |
list(object({
secret_group_name = string
secret_group_description = optional(string)
existing_secret_group = optional(bool, false)
secrets = optional(list(object({
secret_name = string
secret_description = optional(string)
secret_type = optional(string)
imported_cert_certificate = optional(string)
imported_cert_private_key = optional(string)
imported_cert_intermediate = optional(string)
secret_username = optional(string)
secret_labels = optional(list(string), [])
secret_payload_password = optional(string, "")
secret_auto_rotation = optional(bool, true)
secret_auto_rotation_unit = optional(string, "day")
secret_auto_rotation_interval = optional(number, 89)
service_credentials_ttl = optional(string, "7776000") # 90 days
service_credentials_source_service_crn = optional(string)
service_credentials_source_service_role = optional(string)
})))
}))
| `[]` | no |
 | [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name of the Secrets Manager instance to create | `string` | n/a | yes |
 | [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false. | `bool` | `false` | no |
+| [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Skip creating 2 auth policies, one between this Secrets Manager instance and the IAM Identity service and the other between this Secrets Manager instance and the IAM Groups service to enable creation of IAM credentials. | `bool` | `false` | no |
 | [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_guid` variable. In addition, no policy is created if `kms_encryption_enabled` is set to false. | `bool` | `false` | no |
 | [sm\_service\_plan](#input\_sm\_service\_plan) | The Secrets Manager plan to provision. | `string` | `"standard"` | no |
 | [sm\_tags](#input\_sm\_tags) | The list of resource tags that you want to associate with your Secrets Manager instance. | `list(string)` | `[]` | no |
diff --git a/main.tf b/main.tf
index a0fc6d0..c641613 100644
--- a/main.tf
+++ b/main.tf
@@ -54,23 +54,21 @@ resource "ibm_resource_instance" "secrets_manager_instance" {
 # Create IAM credentials engine using s2s auth
 resource "ibm_iam_authorization_policy" "iam_identity_policy" {
- count = var.create_iam_engine ? 1 : 0
+ count = var.skip_iam_authorization_policy ? 0 : 1
 source_service_name = "secrets-manager"
 source_resource_instance_id = local.secrets_manager_guid
 target_service_name = "iam-identity"
 roles = ["Operator"]
- description = "Authorization Policy"
- transaction_id = "terraformAuthorizationPolicy"
+ description = "Allows Secrets Manager instance ${local.secrets_manager_guid} `Operator` access to the IAM Identity service to enable creating IAM credentials."
 }
 resource "ibm_iam_authorization_policy" "iam_groups_policy" {
- count = var.create_iam_engine ? 1 : 0
+ count = var.skip_iam_authorization_policy ? 0 : 1
 source_service_name = "secrets-manager"
 source_resource_instance_id = local.secrets_manager_guid
 target_service_name = "iam-groups"
 roles = ["Groups Service Member Manage"]
- description = "Authorization Policy"
- transaction_id = "terraformAuthorizationPolicy"
+ description = "Allows Secrets Manager instance ${local.secrets_manager_guid} `Groups Service Member Manage` access to the IAM Groups service to enable creating IAM credentials."
 }
 locals {
diff --git a/tests/existing-resources/main.tf b/tests/existing-resources/main.tf
index 475647d..4272c89 100644
--- a/tests/existing-resources/main.tf
+++ b/tests/existing-resources/main.tf
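Review bot: With `count = var.skip_iam_authorization_policy ? 0 : 1` on both resources in the main.tf hunk, and the variable defaulting to false, every Secrets Manager instance the module manages is granted `Operator` on the IAM Identity service and `Groups Service Member Manage` on the IAM Groups service by default, whether or not the caller ever configures IAM credentials; the new resource descriptions themselves say these rights exist "to enable creating IAM credentials". The module's comparable KMS and Event Notifications policies are, per the README, additionally gated on `kms_encryption_enabled` / `enable_event_notification`, so this is the only policy pair that is opt-out rather than tied to a feature actually in use. Consider either a matching enable condition or, at minimum, replacing the `# Create IAM credentials engine using s2s auth` comment with one that states the default, e.g. `# Created by default: grants this instance rights over IAM Identity and IAM Groups; set skip_iam_authorization_policy = true when the IAM credentials engine is not needed.`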
@@ -53,11 +53,11 @@ module "key_protect" {
 ##############################################################################
 module "secrets_manager" {
- source = "../.."
- resource_group_id = module.resource_group.resource_group_id
- region = var.region
- secrets_manager_name = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure
- sm_service_plan = "trial"
- sm_tags = var.resource_tags
- create_iam_engine = false
+ source = "../.."
+ resource_group_id = module.resource_group.resource_group_id
+ region = var.region
+ secrets_manager_name = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure
+ sm_service_plan = "trial"
+ sm_tags = var.resource_tags
+ skip_iam_authorization_policy = true
 }
diff --git a/variables.tf b/variables.tf
index 113d206..f629732 100644
--- a/variables.tf
+++ b/variables.tf
@@ -27,10 +27,10 @@ variable "sm_service_plan" {
 }
 }
-variable "create_iam_engine" {
+variable "skip_iam_authorization_policy" {
 type = bool
- description = "Whether to create an IAM credential engine using sserice to service (s2s) authentication."
- default = true
+ description = "Skip creating 2 auth policies, one between this Secrets Manager instance and the IAM Identity service and the other between this Secrets Manager instance and the IAM Groups service to enable creation of IAM credentials."
+ default = false
 }
 variable "sm_tags" {
From b7e3cbaa8a44533075d873e03a5ab61c29aa12bf Mon Sep 17 00:00:00 2001
From: Alex Reiff
Date: Tue, 17 Dec 2024 16:24:02 -0500
Subject: [PATCH 6/6] fix: variable desc
---
 README.md | 2 +- variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index acda85d..ac62e51 100644
--- a/README.md
+++ b/README.md
@@ -109,7 +109,7 @@ You need the following permissions to run this module.
 | [secrets](#input\_secrets) | Secret Manager secrets configurations. |
list(object({
secret_group_name = string
secret_group_description = optional(string)
existing_secret_group = optional(bool, false)
secrets = optional(list(object({
secret_name = string
secret_description = optional(string)
secret_type = optional(string)
imported_cert_certificate = optional(string)
imported_cert_private_key = optional(string)
imported_cert_intermediate = optional(string)
secret_username = optional(string)
secret_labels = optional(list(string), [])
secret_payload_password = optional(string, "")
secret_auto_rotation = optional(bool, true)
secret_auto_rotation_unit = optional(string, "day")
secret_auto_rotation_interval = optional(number, 89)
service_credentials_ttl = optional(string, "7776000") # 90 days
service_credentials_source_service_crn = optional(string)
service_credentials_source_service_role = optional(string)
})))
}))
| `[]` | no |
 | [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name of the Secrets Manager instance to create | `string` | n/a | yes |
 | [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false. | `bool` | `false` | no |
-| [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Skip creating 2 auth policies, one between this Secrets Manager instance and the IAM Identity service and the other between this Secrets Manager instance and the IAM Groups service to enable creation of IAM credentials. | `bool` | `false` | no |
+| [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, a policies will be created that grants the Secrets Manager instance Operator access to the IAM identity service, and Groups Service Member Manage access to the IAM groups service. | `bool` | `false` | no |
 | [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_guid` variable. In addition, no policy is created if `kms_encryption_enabled` is set to false. | `bool` | `false` | no |
 | [sm\_service\_plan](#input\_sm\_service\_plan) | The Secrets Manager plan to provision. 
| `string` | `"standard"` | no |
 | [sm\_tags](#input\_sm\_tags) | The list of resource tags that you want to associate with your Secrets Manager instance. | `list(string)` | `[]` | no |
diff --git a/variables.tf b/variables.tf
index f629732..0dc86b7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -29,7 +29,7 @@ variable "sm_service_plan" {
 variable "skip_iam_authorization_policy" {
 type = bool
- description = "Skip creating 2 auth policies, one between this Secrets Manager instance and the IAM Identity service and the other between this Secrets Manager instance and the IAM Groups service to enable creation of IAM credentials."
+ description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, a policies will be created that grants the Secrets Manager instance Operator access to the IAM identity service, and Groups Service Member Manage access to the IAM groups service."
 default = false
 }
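Review bot: The new `description` in the variables.tf hunk reads "a policies will be created that grants", which is ungrammatical and, since this text is what `terraform-docs` and the registry surface to users, is the one place they learn what the default grants. Change it to `description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grant the Secrets Manager instance Operator access to the IAM Identity service and Groups Service Member Manage access to the IAM Groups service."`. The README row in the same commit carries the identical sentence and presumably is regenerated from this variable, so fixing it here should fix both.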