feat: s2s auth iam engine

README.md

@@ -83,6 +83,8 @@ You need the following permissions to run this module.
 | Name | Type |
 |------|------|
 | [ibm_iam_authorization_policy.en_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
+| [ibm_iam_authorization_policy.iam_groups_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
+| [ibm_iam_authorization_policy.iam_identity_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_resource_instance.secrets_manager_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
 | [ibm_sm_en_registration.sm_en_registration](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_en_registration) | resource |
@@ -107,6 +109,7 @@ You need the following permissions to run this module.
 | <a name="input_secrets"></a> [secrets](#input\_secrets) | Secret Manager secrets configurations. | <pre>list(object({<br/>    secret_group_name        = string<br/>    secret_group_description = optional(string)<br/>    existing_secret_group    = optional(bool, false)<br/>    secrets = optional(list(object({<br/>      secret_name                             = string<br/>      secret_description                      = optional(string)<br/>      secret_type                             = optional(string)<br/>      imported_cert_certificate               = optional(string)<br/>      imported_cert_private_key               = optional(string)<br/>      imported_cert_intermediate              = optional(string)<br/>      secret_username                         = optional(string)<br/>      secret_labels                           = optional(list(string), [])<br/>      secret_payload_password                 = optional(string, "")<br/>      secret_auto_rotation                    = optional(bool, true)<br/>      secret_auto_rotation_unit               = optional(string, "day")<br/>      secret_auto_rotation_interval           = optional(number, 89)<br/>      service_credentials_ttl                 = optional(string, "7776000") # 90 days<br/>      service_credentials_source_service_crn  = optional(string)<br/>      service_credentials_source_service_role = optional(string)<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_secrets_manager_name"></a> [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name of the Secrets Manager instance to create | `string` | n/a | yes |
 | <a name="input_skip_en_iam_authorization_policy"></a> [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false. | `bool` | `false` | no |
+| <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, a policies will be created that grants the Secrets Manager instance Operator access to the IAM identity service, and Groups Service Member Manage access to the IAM groups service. | `bool` | `false` | no |
 | <a name="input_skip_kms_iam_authorization_policy"></a> [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_guid` variable. In addition, no policy is created if `kms_encryption_enabled` is set to false. | `bool` | `false` | no |
 | <a name="input_sm_service_plan"></a> [sm\_service\_plan](#input\_sm\_service\_plan) | The Secrets Manager plan to provision. | `string` | `"standard"` | no |
 | <a name="input_sm_tags"></a> [sm\_tags](#input\_sm\_tags) | The list of resource tags that you want to associate with your Secrets Manager instance. | `list(string)` | `[]` | no |

main.tf

@@ -52,6 +52,25 @@ resource "ibm_resource_instance" "secrets_manager_instance" {
   }
 }
 
+# Create IAM credentials engine using s2s auth
+resource "ibm_iam_authorization_policy" "iam_identity_policy" {
+  count                       = var.skip_iam_authorization_policy ? 0 : 1
+  source_service_name         = "secrets-manager"
+  source_resource_instance_id = local.secrets_manager_guid
+  target_service_name         = "iam-identity"
+  roles                       = ["Operator"]
+  description                 = "Allows Secrets Manager instance ${local.secrets_manager_guid} `Operator` access to the IAM Identity service to enable creating IAM credentials."
+}
+
+resource "ibm_iam_authorization_policy" "iam_groups_policy" {
+  count                       = var.skip_iam_authorization_policy ? 0 : 1
+  source_service_name         = "secrets-manager"
+  source_resource_instance_id = local.secrets_manager_guid
+  target_service_name         = "iam-groups"
+  roles                       = ["Groups Service Member Manage"]
+  description                 = "Allows Secrets Manager instance ${local.secrets_manager_guid} `Groups Service Member Manage` access to the IAM Groups service to enable creating IAM credentials."
+}
+
 locals {
   # determine which service name to use for the policy
   kms_service_name = var.kms_encryption_enabled && var.kms_key_crn != null ? (

tests/existing-resources/main.tf

@@ -53,10 +53,11 @@ module "key_protect" {
 ##############################################################################
 
 module "secrets_manager" {
-  source               = "../.."
-  resource_group_id    = module.resource_group.resource_group_id
-  region               = var.region
-  secrets_manager_name = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure
-  sm_service_plan      = "trial"
-  sm_tags              = var.resource_tags
+  source                        = "../.."
+  resource_group_id             = module.resource_group.resource_group_id
+  region                        = var.region
+  secrets_manager_name          = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure
+  sm_service_plan               = "trial"
+  sm_tags                       = var.resource_tags
+  skip_iam_authorization_policy = true
 }

variables.tf

@@ -27,6 +27,12 @@ variable "sm_service_plan" {
   }
 }
 
+variable "skip_iam_authorization_policy" {
+  type        = bool
+  description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, a policies will be created that grants the Secrets Manager instance Operator access to the IAM identity service, and Groups Service Member Manage access to the IAM groups service."
+  default     = false
+}
+
 variable "sm_tags" {
   type        = list(string)
   description = "The list of resource tags that you want to associate with your Secrets Manager instance."