Add string suffix to secret group and certificate secret names (#31)

* add random suffix to group and certificates

Signed-off-by: Tim Robinson <[email protected]>

* support Secrets Manager in different region

Signed-off-by: Tim Robinson <[email protected]>

* change SM to standard to unblock automated tests

Signed-off-by: Tim Robinson <[email protected]>

Signed-off-by: Tim Robinson <[email protected]>

README.md

@@ -1,12 +1,12 @@
 # Client 2 Site VPN
 
-This is a terraform module that will provision a client-to-site VPN on IBM Cloud.  _Note: This is a beta offering that is not supported by the IBM cloud Terraform provider yet, so it is implemented using a `local-exec` provisioner with a bash script to handle resource creation and configuration.
+This is a terraform module that will provision a client-to-site VPN on IBM Cloud.  _Note: This is an offering that is not supported by the IBM cloud Terraform provider yet, so it is implemented using a `local-exec` provisioner with a bash script to handle resource creation and configuration.
 
-This module will: 
+This module will:
 
 - Download necessary CLI dependencies (`jq`)
 - Create a group in a secrets manager instance
-- Create a server and a client certificate and import them into the secrets manager group
+- Create a server and a client certificate and import them into the secrets manager group, tagging secrets by the VPN server name
 - Update the ACL for the VPC subnet to allow for VPN ingress & egress
 - Create a security group and security group rules for the VPN server instance
 - Provision a VPN server
@@ -15,20 +15,22 @@ This module will:
 ## Software dependencies
 
 Dependencies:
+
 - [CLIs](https://github.com/cloud-native-toolkit/terraform-util-clis)
-- [Resource Group](https://github.com/cloud-native-toolkit/terraform-ibm-resource-group)
-- [Certificate Manager](https://github.com/cloud-native-toolkit/terraform-ibm-cert-manager)
-- [VPC Subnet](https://github.com/cloud-native-toolkit/terraform-ibm-vpc-subnets)
+- [Resource Group](https://github.com/terraform-ibm-modules/terraform-ibm-toolkit-resource-group)
+- [Secrets Manager](https://github.com/terraform-ibm-modules/terraform-ibm-toolkit-cert-manager)
+- [VPC Subnet](https://github.com/terraform-ibm-modules/terraform-ibm-toolkit-vpc-subnets)
 
 ### Command-line tools
 
-- `terraform` - v1.2.8
+- `terraform` >= v1.2.8
 - `jq`
 - `ibmcloud`
 
 ### Terraform providers
 
-None
+- `ibm-cloud/ibm`
+- `hashicorp/random`
 
 ## Example usage
 
@@ -40,9 +42,8 @@ module "vpn_module" {
   region                = var.region
   ibmcloud_api_key      = var.ibmcloud_api_key
   resource_label        = "client2site"
-  secrets_manager_name  = module.secrets-manager.name
+  secrets_manager_name  = module.secrets-manager.guid
   vpc_id                = module.subnets.vpc_id
   subnet_ids            = module.subnets.ids
 }
 ```
-

main.tf

@@ -3,6 +3,13 @@ locals {
   prefix_name     = var.name_prefix != "" ? var.name_prefix : var.resource_group_name
   name            = lower(replace("${local.prefix_name}-vpn-${var.resource_label}", "_", "-"))
   vpn_profile     = "${path.root}/${local.name}.ovpn"
+  sm_region       = var.sm_region != "" ? var.sm_region : var.region
+}
+
+resource "random_string" "suffix" {
+  length           = 8
+  special          = false
+  upper            = false
 }
 
 module "clis" {
@@ -71,7 +78,7 @@ data "local_file" "client_key" {
 
 # Create group in Security Manager for VPN certificates
 locals {
-  sm_group_name = "vpn-cert-group"
+  sm_group_name = "vpn-cert-group-${random_string.suffix.result}"
 }
 
 resource "null_resource" "security_group" {
@@ -81,7 +88,7 @@ resource "null_resource" "security_group" {
       bin_dir          = module.clis.bin_dir
       name             = local.sm_group_name
       description      = "VPN Certificates Group"
-      region           = var.region
+      region           = local.sm_region
       instance_id      = var.secrets_manager_guid
     }
 
@@ -123,15 +130,15 @@ data "external" "sm_group" {
     ibmcloud_api_key    = var.ibmcloud_api_key
     bin_dir             = module.clis.bin_dir
     group_name          = local.sm_group_name
-    region              = var.region   
+    region              = local.sm_region   
     instance_id         = var.secrets_manager_guid
   }
 }
 
 # Import certificates to security manager group
 locals {
-  server-secret-name = "vpn-server-cert"
-  client-secret-name = "vpn-client-cert"
+  server-secret-name = "vpn-server-cert-${random_string.suffix.result}"
+  client-secret-name = "vpn-client-cert-${random_string.suffix.result}"
 }
 resource "null_resource" "server_cert_secret" {
 
@@ -140,10 +147,10 @@ resource "null_resource" "server_cert_secret" {
         bin_dir          = module.clis.bin_dir
         name             = local.server-secret-name
         description      = "VPN server certificate"
-        region           = var.region
+        region           = local.sm_region
         instance_id      = var.secrets_manager_guid
         group_id         = data.external.sm_group.result.group_id
-        labels           = ""
+        labels           = local.name
         certificate      = replace("${data.local_file.server_cert.content}", "\n", "\\n")
         private_key      = replace("${data.local_file.server_key.content}", "\n", "\\n")
         intermediate     = replace("${data.local_file.ca.content}", "\n", "\\n")
@@ -192,7 +199,7 @@ data "external" "server-secret" {
     ibmcloud_api_key    = var.ibmcloud_api_key
     bin_dir             = module.clis.bin_dir
     group_id            = data.external.sm_group.result.group_id
-    region              = var.region   
+    region              = local.sm_region   
     instance_id         = var.secrets_manager_guid
     name                = local.server-secret-name
   }  
@@ -205,10 +212,10 @@ resource "null_resource" "client_cert_secret" {
         bin_dir          = module.clis.bin_dir
         name             = local.client-secret-name
         description      = "VPN client certificate"
-        region           = var.region
+        region           = local.sm_region
         instance_id      = var.secrets_manager_guid
         group_id         = data.external.sm_group.result.group_id
-        labels           = ""
+        labels           = local.name
         certificate      = replace("${data.local_file.client_cert.content}", "\n", "\\n")
         private_key      = replace("${data.local_file.client_key.content}", "\n", "\\n")
         intermediate     = replace("${data.local_file.ca.content}", "\n", "\\n")
@@ -257,7 +264,7 @@ data "external" "client-secret" {
     ibmcloud_api_key    = var.ibmcloud_api_key
     bin_dir             = module.clis.bin_dir
     group_id            = data.external.sm_group.result.group_id
-    region              = var.region   
+    region              = local.sm_region   
     instance_id         = var.secrets_manager_guid
     name                = local.client-secret-name
   }  

scripts/import-certificate.sh

@@ -15,7 +15,7 @@ if [[ -z "${ACCOUNT_ID}" ]]; then
   exit 1
 fi
 
-DATA="{\"metadata\": {\"collection_type\": \"application/vnd.ibm.secrets-manager.secret+json\",\"collection_total\": 1 }, \"resources\": [ { \"name\": \"${NAME}\", \"description\": \"${DESCRIPTION}\", \"secret_group_id\": \"${GROUP_ID}\", \"labels\": [\"test\",\"eu-gb\"], \"certificate\": \"${CERT}\", \"private_key\": \"${PRIV_KEY}\", \"intermediate\": \"${CA_CERT}\" } ] }"
+DATA="{\"metadata\": {\"collection_type\": \"application/vnd.ibm.secrets-manager.secret+json\",\"collection_total\": 1 }, \"resources\": [ { \"name\": \"${NAME}\", \"description\": \"${DESCRIPTION}\", \"secret_group_id\": \"${GROUP_ID}\", \"labels\": [ \"${LABELS}\" ], \"certificate\": \"${CERT}\", \"private_key\": \"${PRIV_KEY}\", \"intermediate\": \"${CA_CERT}\" } ] }"
 
 BASE_URL="https://${INSTANCE_ID}.${REGION}.secrets-manager.appdomain.cloud"
 

test/stages/stage1-secrets-manager.tf

@@ -4,5 +4,5 @@ module "secrets-manager" {
   resource_group_name = module.resource_group.name
   region              = var.region
   private_endpoint    = false
-  trial               = true
+  trial               = false
 }

variables.tf

@@ -8,6 +8,12 @@ variable "region" {
   description = "The IBM Cloud region where the resources will be provisioned."
 }
 
+variable "sm_region" {
+  type        = string
+  description = "The IBM Cloud region where the Service Manager resides if different from VPC and VPN server"
+  default     = ""
+}
+
 variable "resource_label" {                   
   type        = string                        
   description = "The label for the resource to which the vpe will be connected. Used as a tag and as part of the vpe name."

version.tf

@@ -6,5 +6,9 @@ terraform {
       source = "ibm-cloud/ibm"
       version = ">= 1.22.0"
     }
+    random = {
+      source = "hashicorp/random"
+      version = ">= 3.4.0"
+    }
   }
 }