From ae1042962875018b6ea760532a4c865769e02716 Mon Sep 17 00:00:00 2001 From: Tim Robinson Date: Thu, 19 Jan 2023 05:56:30 -0800 Subject: [PATCH] Add string suffix to secret group and certificate secret names (#31) * add random suffix to group and certificates Signed-off-by: Tim Robinson * support Secrets Manager in different region Signed-off-by: Tim Robinson * change SM to standard to unblock automated tests Signed-off-by: Tim Robinson Signed-off-by: Tim Robinson --- README.md | 21 ++++++++++--------- main.tf | 29 +++++++++++++++++---------- scripts/import-certificate.sh | 2 +- test/stages/stage1-secrets-manager.tf | 2 +- variables.tf | 6 ++++++ version.tf | 4 ++++ 6 files changed, 41 insertions(+), 23 deletions(-)
diff --git a/README.md b/README.md
index f5f50ff..2deb7ea 100644
--- a/README.md
+++ b/README.md
@@ -1,12 +1,12 @@
 # Client 2 Site VPN
-This is a terraform module that will provision a client-to-site VPN on IBM Cloud. _Note: This is a beta offering that is not supported by the IBM cloud Terraform provider yet, so it is implemented using a `local-exec` provisioner with a bash script to handle resource creation and configuration.
+This is a terraform module that will provision a client-to-site VPN on IBM Cloud. _Note: This is an offering that is not supported by the IBM cloud Terraform provider yet, so it is implemented using a `local-exec` provisioner with a bash script to handle resource creation and configuration.
-This module will:
+This module will:
 - Download necessary CLI dependencies (`jq`)
 - Create a group in a secrets manager instance
-- Create a server and a client certificate and import them into the secrets manager group
+- Create a server and a client certificate and import them into the secrets manager group, tagging secrets by the VPN server name
 - Update the ACL for the VPC subnet to allow for VPN ingress & egress
 - Create a security group and security group rules for the VPN server instance
 - Provision a VPN server 
@@ -15,20 +15,22 @@ This module will:
 ## Software dependencies
 Dependencies:
+
 - [CLIs](https://github.com/cloud-native-toolkit/terraform-util-clis)
-- [Resource Group](https://github.com/cloud-native-toolkit/terraform-ibm-resource-group)
-- [Certificate Manager](https://github.com/cloud-native-toolkit/terraform-ibm-cert-manager)
-- [VPC Subnet](https://github.com/cloud-native-toolkit/terraform-ibm-vpc-subnets)
+- [Resource Group](https://github.com/terraform-ibm-modules/terraform-ibm-toolkit-resource-group)
+- [Secrets Manager](https://github.com/terraform-ibm-modules/terraform-ibm-toolkit-cert-manager)
+- [VPC Subnet](https://github.com/terraform-ibm-modules/terraform-ibm-toolkit-vpc-subnets)
 ### Command-line tools
-- `terraform` - v1.2.8
+- `terraform` >= v1.2.8
 - `jq`
 - `ibmcloud`
 ### Terraform providers
-None
+- `ibm-cloud/ibm`
+- `hashicorp/random`
 ## Example usage
@@ -40,9 +42,8 @@ module "vpn_module" {
 region = var.region
 ibmcloud_api_key = var.ibmcloud_api_key
 resource_label = "client2site"
- secrets_manager_name = module.secrets-manager.name
+ secrets_manager_name = module.secrets-manager.guid
 vpc_id = module.subnets.vpc_id
 subnet_ids = module.subnets.ids
 }
 ```
-
diff --git a/main.tf b/main.tf
index 7237895..a3831ae 100644
--- a/main.tf
+++ b/main.tf
@@ -3,6 +3,13 @@ locals {
 prefix_name = var.name_prefix != "" ? var.name_prefix : var.resource_group_name
 name = lower(replace("${local.prefix_name}-vpn-${var.resource_label}", "_", "-"))
 vpn_profile = "${path.root}/${local.name}.ovpn"
+ sm_region = var.sm_region != "" ? var.sm_region : var.region
+}
+
+resource "random_string" "suffix" {
+ length = 8
+ special = false
+ upper = false
 }
 module "clis" {
@@ -71,7 +78,7 @@ data "local_file" "client_key" {
 # Create group in Security Manager for VPN certificates
 locals {
- sm_group_name = "vpn-cert-group"
+ sm_group_name = "vpn-cert-group-${random_string.suffix.result}"
 }
 resource "null_resource" "security_group" {
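Review bot: `random_string.suffix` carries no `keepers`, so the suffix — and every secret-group and certificate name built from it further down — is fixed for the life of the state, which is what uniqueness needs, but nothing says so; since the group and secrets are created by `null_resource` provisioners and looked up by name, a tainted or lost `random_string` would (as far as this hunk shows) create a fresh group and certificates under a new suffix and leave the old ones behind in Secrets Manager. A comment above the resource such as `# Per-deployment suffix so several instances of this module can share one Secrets Manager instance; regenerating it orphans the group/certificates created under the old name` would record that, and makes clear the string is a naming nonce, not key material. The new `sm_region` local silently falls back to `var.region`; `# Secrets Manager may live in a different region than the VPC; default to the VPC region` above it would make the intent visible. The `locals` block this hunk edits begins outside the hunk.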
@@ -81,7 +88,7 @@ resource "null_resource" "security_group" {
 bin_dir = module.clis.bin_dir
 name = local.sm_group_name
 description = "VPN Certificates Group"
- region = var.region
+ region = local.sm_region
 instance_id = var.secrets_manager_guid
 }
@@ -123,15 +130,15 @@ data "external" "sm_group" {
 ibmcloud_api_key = var.ibmcloud_api_key
 bin_dir = module.clis.bin_dir
 group_name = local.sm_group_name
- region = var.region
+ region = local.sm_region
 instance_id = var.secrets_manager_guid
 }
 }
 # Import certificates to security manager group
 locals {
- server-secret-name = "vpn-server-cert"
- client-secret-name = "vpn-client-cert"
+ server-secret-name = "vpn-server-cert-${random_string.suffix.result}"
+ client-secret-name = "vpn-client-cert-${random_string.suffix.result}"
 }
 resource "null_resource" "server_cert_secret" {
@@ -140,10 +147,10 @@ resource "null_resource" "server_cert_secret" {
 bin_dir = module.clis.bin_dir
 name = local.server-secret-name
 description = "VPN server certificate"
- region = var.region
+ region = local.sm_region
 instance_id = var.secrets_manager_guid
 group_id = data.external.sm_group.result.group_id
- labels = ""
+ labels = local.name
 certificate = replace("${data.local_file.server_cert.content}", "\n", "\\n")
 private_key = replace("${data.local_file.server_key.content}", "\n", "\\n")
 intermediate = replace("${data.local_file.ca.content}", "\n", "\\n")
@@ -192,7 +199,7 @@ data "external" "server-secret" {
 ibmcloud_api_key = var.ibmcloud_api_key
 bin_dir = module.clis.bin_dir
 group_id = data.external.sm_group.result.group_id
- region = var.region
+ region = local.sm_region
 instance_id = var.secrets_manager_guid
 name = local.server-secret-name
 } 
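Review bot: `labels = local.name` in the `server_cert_secret` hunk passes a single label although the argument is plural, and `scripts/import-certificate.sh` drops the value verbatim into a one-element JSON array, so a comma-separated list here would become one malformed label rather than several; a comment on the line, `# single label only — import-certificate.sh wraps it as a one-element JSON array`, would stop the next maintainer from passing a list. `local.name` is built from `var.name_prefix`/`var.resource_group_name` and `var.resource_label` with only lowercasing and `_`→`-` applied, so the value is not guaranteed JSON-safe when it reaches that script. The `null_resource.server_cert_secret` block starts and ends outside this hunk.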
@@ -205,10 +212,10 @@ resource "null_resource" "client_cert_secret" {
 bin_dir = module.clis.bin_dir
 name = local.client-secret-name
 description = "VPN client certificate"
- region = var.region
+ region = local.sm_region
 instance_id = var.secrets_manager_guid
 group_id = data.external.sm_group.result.group_id
- labels = ""
+ labels = local.name
 certificate = replace("${data.local_file.client_cert.content}", "\n", "\\n")
 private_key = replace("${data.local_file.client_key.content}", "\n", "\\n")
 intermediate = replace("${data.local_file.ca.content}", "\n", "\\n")
@@ -257,7 +264,7 @@ data "external" "client-secret" {
 ibmcloud_api_key = var.ibmcloud_api_key
 bin_dir = module.clis.bin_dir
 group_id = data.external.sm_group.result.group_id
- region = var.region
+ region = local.sm_region
 instance_id = var.secrets_manager_guid
 name = local.client-secret-name
 }
diff --git a/scripts/import-certificate.sh b/scripts/import-certificate.sh
index 1f8a3ca..533a891 100755
--- a/scripts/import-certificate.sh
+++ b/scripts/import-certificate.sh
@@ -15,7 +15,7 @@ if [[ -z "${ACCOUNT_ID}" ]]; then
 exit 1
 fi
-DATA="{\"metadata\": {\"collection_type\": \"application/vnd.ibm.secrets-manager.secret+json\",\"collection_total\": 1 }, \"resources\": [ { \"name\": \"${NAME}\", \"description\": \"${DESCRIPTION}\", \"secret_group_id\": \"${GROUP_ID}\", \"labels\": [\"test\",\"eu-gb\"], \"certificate\": \"${CERT}\", \"private_key\": \"${PRIV_KEY}\", \"intermediate\": \"${CA_CERT}\" } ] }"
+DATA="{\"metadata\": {\"collection_type\": \"application/vnd.ibm.secrets-manager.secret+json\",\"collection_total\": 1 }, \"resources\": [ { \"name\": \"${NAME}\", \"description\": \"${DESCRIPTION}\", \"secret_group_id\": \"${GROUP_ID}\", \"labels\": [ \"${LABELS}\" ], \"certificate\": \"${CERT}\", \"private_key\": \"${PRIV_KEY}\", \"intermediate\": \"${CA_CERT}\" } ] }"
 BASE_URL="https://${INSTANCE_ID}.${REGION}.secrets-manager.appdomain.cloud"
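Review bot: the new `DATA` line splices `${LABELS}` — now `local.name`, built from user-supplied Terraform variables — into a hand-assembled JSON body without escaping, next to `${NAME}`, `${DESCRIPTION}`, `${CERT}` and `${PRIV_KEY}` which were already spliced the same way; a `"` or `\` in any of those values breaks the request or lets the caller add fields to the secret payload, and the hard-coded labels this replaces at least could not do that. `jq` is already a dependency of this module (`bin_dir` from `module.clis` is passed to this script), so the body can be built with `jq -n --arg …`, which escapes every value. Note that main.tf currently pre-escapes the PEM newlines with `replace(..., "\n", "\\n")` for this template; with `jq --arg` that replace must go, or the certificates arrive with literal `\n` text. Where `NAME`, `LABELS` and `CERT` are read from the environment is outside this hunk.
```shell
# … unchanged: ACCOUNT_ID check …
DATA=$(jq -n \
  --arg name "${NAME}" \
  --arg description "${DESCRIPTION}" \
  --arg group_id "${GROUP_ID}" \
  --arg label "${LABELS}" \
  --arg cert "${CERT}" \
  --arg key "${PRIV_KEY}" \
  --arg ca "${CA_CERT}" \
  '{metadata: {collection_type: "application/vnd.ibm.secrets-manager.secret+json", collection_total: 1},
    resources: [{name: $name, description: $description, secret_group_id: $group_id,
                 labels: [$label], certificate: $cert, private_key: $key, intermediate: $ca}]}')
# … unchanged: BASE_URL …
```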
diff --git a/test/stages/stage1-secrets-manager.tf b/test/stages/stage1-secrets-manager.tf
index 53a19e8..71a44e2 100644
--- a/test/stages/stage1-secrets-manager.tf
+++ b/test/stages/stage1-secrets-manager.tf
@@ -4,5 +4,5 @@ module "secrets-manager" {
 resource_group_name = module.resource_group.name
 region = var.region
 private_endpoint = false
- trial = true
+ trial = false
 }
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 1852f65..e3b9474 100644
--- a/variables.tf
+++ b/variables.tf
@@ -8,6 +8,12 @@ variable "region" {
 description = "The IBM Cloud region where the resources will be provisioned."
 }
+variable "sm_region" {
+ type = string
+ description = "The IBM Cloud region where the Service Manager resides if different from VPC and VPN server"
+ default = ""
+}
+
 variable "resource_label" {
 type = string
 description = "The label for the resource to which the vpe will be connected. Used as a tag and as part of the vpe name."
diff --git a/version.tf b/version.tf
index 1d75fa2..2a26db8 100644
--- a/version.tf
+++ b/version.tf
@@ -6,5 +6,9 @@ terraform {
 source = "ibm-cloud/ibm"
 version = ">= 1.22.0"
 }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 3.4.0"
+ }
 }
 }
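Review bot: `trial = false` makes every automated test run provision a non-trial Secrets Manager instance, and the only rationale lives in the commit message ("unblock automated tests"); a comment on the line such as `# non-trial plan: trial instances are limited per account and block repeated test runs` — or whatever the real reason is — would save the next person from flipping it back. Whether the chosen plan is billed depends on the `secrets-manager` module, which is outside this file; if it is, the test teardown for this stage needs to be reliable.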
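Review bot: the description of the new `sm_region` variable says "Service Manager" where the module means Secrets Manager (its value feeds the `region` of the Secrets Manager provisioners in main.tf), and it does not mention that the empty default falls back to `var.region`; `description = "The IBM Cloud region of the Secrets Manager instance, if it differs from the VPC/VPN server region; empty means var.region"` would fix both. Separately, the README example in this same patch passes `secrets_manager_name = module.secrets-manager.guid` while the main.tf hunks read `var.secrets_manager_guid`; unless `secrets_manager_name` is also declared in the part of variables.tf outside this hunk, that example will not plan, so one of the two names should change.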