terraform-ibm-modules · ocofaigh · Mar 5, 2025 · Nov 25, 2024 · Nov 25, 2024 · Dec 2, 2024
@@ -83,6 +83,8 @@ You need the following permissions to run this module.
 | Name | Type |
 |------|------|
 | [ibm_iam_authorization_policy.en_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
+| [ibm_iam_authorization_policy.iam_groups_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
+| [ibm_iam_authorization_policy.iam_identity_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_resource_instance.secrets_manager_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
 | [ibm_sm_en_registration.sm_en_registration](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_en_registration) | resource |
@@ -95,6 +97,7 @@ You need the following permissions to run this module.
 |------|-------------|------|---------|:--------:|
 | <a name="input_allowed_network"></a> [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. | `string` | `"public-and-private"` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>  }))</pre> | `[]` | no |
+| <a name="input_create_iam_engine"></a> [create\_iam\_engine](#input\_create\_iam\_engine) | Whether to create an IAM credential engine using sserice to service (s2s) authentication. | `bool` | `true` | no |
 | <a name="input_enable_event_notification"></a> [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null. | `bool` | `false` | no |
 | <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"public"` | no |
 | <a name="input_existing_en_instance_crn"></a> [existing\_en\_instance\_crn](#input\_existing\_en\_instance\_crn) | The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance. | `string` | `null` | no |

@@ -52,6 +52,27 @@ resource "ibm_resource_instance" "secrets_manager_instance" {
   }
 }
 
+# Create IAM credentials engine using s2s auth
+resource "ibm_iam_authorization_policy" "iam_identity_policy" {
+  count                       = var.create_iam_engine ? 1 : 0
+  source_service_name         = "secrets-manager"
+  source_resource_instance_id = local.secrets_manager_guid
+  target_service_name         = "iam-identity"
+  roles                       = ["Operator"]
+  description                 = "Authorization Policy"
+  transaction_id              = "terraformAuthorizationPolicy"
+}
+
+resource "ibm_iam_authorization_policy" "iam_groups_policy" {
+  count                       = var.create_iam_engine ? 1 : 0
+  source_service_name         = "secrets-manager"
+  source_resource_instance_id = local.secrets_manager_guid
+  target_service_name         = "iam-groups"
+  roles                       = ["Groups Service Member Manage"]
+  description                 = "Authorization Policy"
+  transaction_id              = "terraformAuthorizationPolicy"
+}
+
 locals {
   # determine which service name to use for the policy
   kms_service_name = var.kms_encryption_enabled && var.kms_key_crn != null ? (

diff --git a/tests/existing-resources/main.tf b/tests/existing-resources/main.tf
@@ -59,4 +59,5 @@ module "secrets_manager" {
   secrets_manager_name = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure
   sm_service_plan      = "trial"
   sm_tags              = var.resource_tags
+  create_iam_engine    = false
 }
@@ -27,6 +27,12 @@ variable "sm_service_plan" {
   }
 }
 
+variable "create_iam_engine" {
+  type        = bool
+  description = "Whether to create an IAM credential engine using sserice to service (s2s) authentication."
+  default     = true
+}
+
 variable "sm_tags" {
   type        = list(string)
   description = "The list of resource tags that you want to associate with your Secrets Manager instance."